Security Week in Review (2006-12-10)

Sunday, December 17. 2006

Security Week in Review (2006-12-10)

Tis the holiday season now. I'm traveling about the country to visit the relatives and fix their computers. I suspect the world of security will be rather quiet until after the first of the year. Unless there is something worth commenting on, I don't plan on posting another weekly security commentary until the new year.

gdm
A buffer overflow flaw was found in gdm (CVE-2006-6105). This flaw is a bit interesting when you consider how to exploit it. The gdmchooser application has a format string flaw that can only be exploited by a local user typing into an input box. Since the gdmchooser application is running as the root user, the potential exists for a local user to gain root privileges. The trick here is that there isn't a nice way to paste shellcode into the textbox. The user would have to physically type in the exploit code. This is not a trivial task. This is a good example of where a theoretical flaw collides with the harsh world of reality.

Quite often there are flaws that are sound in theory, but when you look at the exploitability potential, it's more theoretical than practical. Most attacks today are of the automated type. This means that attacks that are more likely to be exploited in an automated manner are of a higher priority than those that would be more of a personalized attack. This doesn't mean that direct attacks should be ignored, simply that flaws should be prioritized and handled accordingly.

D-Bus
A D-Bus denial of service flaw went public last week (CVE-2006-6107). The denial of service isn't the most interesting thing I see here. What I find interesting is how all these desktop bits interact together. As the desktop user experience becomes more rich, the interactions on the back end are going to become more complex. As the complexity increases, the number of potential security flaws increases. Anytime software has to process user supplied input, all values passed to libraries need to be verified. This means that data formats should be as simple as possible. As format complexity increases, libraries tend to stop aggressively checking the user input.

This is easily seen in web browsers. The HTML standard is horribly complex. Checking all possible input combinations is very difficult and the verification code is going to contain bugs as all software does. Such bugs would likely be considered security issues. While HTML is a somewhat unique situation, new data standards would benefit greatly from keeping things as simple as possible if for no other reason than avoiding security flaws.

Well, that's all for this week. Things were pretty slow as was expected.

Posted by Josh Bressers in Security Week in Review at 23:37 | Comments (4) | Trackbacks (0)

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

Just because it seems inconvenient to "type" an exploit it doesn't mean that it will not be used. First don't doubt that a dedicated person could try to enter a exploit by hand. But even worst, a USB device that could emulate a keyboard could easily just send the keys to the computer.

#1 Victor Bogado on 2006-12-18 09:18 (Reply)

Just a PS.: I am not implying that you said that this should not be fixed, only making it clear that only because something seems to be impossible it doesn't mean that no one will ever do it.

#1.1 Victor Bogado on 2006-12-18 09:27 (Reply)

Good point.
I don't actually think the original author's tone is helpful.

It's a security exploit, and he'e playing it down. I can't see why though.

#1.2 anon on 2006-12-18 09:40 (Reply)

My intention is certainly not to downplay the flaw, but rather to note that this is an example of a rather difficult to exploit flaw. A cursory glance of the gdm flaw looks rather bad, but looks are deceiving in this instance. There are flaws that may look bad if you read an initial description of them, but when you look at the big picture, it's not as bad as it sounds.

#1.2.1 Josh Bressers (Homepage) on 2006-12-18 11:28 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	Enclosing asterisks marks text as bold (word), underscore are made via _word_. Standard emoticons like :-) and ;-) are converted to images. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above: BBCode format allowed
	Remember Information? Subscribe to this entry