Re: Where should I put my own perl command scripts ?



Dan Espen wrote:

Central Scrutinizer <nomail@xxxxxxxxxxxx> writes:

Bit Twister wrote:

On Tue, 20 Nov 2007 03:47:06 GMT, Robert M. Riches Jr. wrote:

Nonsense. $HOME/bin should be _before_ the other paths.

Downside is, the security hole which that provides the black hat. Bad
juju can happen thereafter.

What "security hole"??

Assume a hacker can gain write access to a user's file system.
They can't read or execute anything, just write there.

If an attacker can gain write access to a user's files they can change
that path so it doesn't matter. At the very most, they'd have to wait
for a subsequent login.


If they assume the user has a "bin" directory, they can put a trojan
in ~/bin (~/bin/ls) and get the user to execute commands using that user's
privileges.

Why assume? If you have write access simply create it. In some
scenarios this itself is enough to get your bogus executable into the
$PATH. Even if it's not, the attacker could write/append a modified path
that included any directory they wanted, including $HOME. Which they
know has to exist, so they can drop their bogus files there.


If ~/bin is at the end of the path, it's harder to get the user
to run the command. They need to rely on typos.

If an attacker has invaded user space to the extent they can write
arbitrary files they can pretty much make the user do anything their
evil heart desires. :-(
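
A defender's check for the ordering question argued above, as an added example that is not part of the original thread: it walks a PATH string in lookup order and reports every command name that exists in more than one directory, naming the copy that wins. The function name `shadowed_commands` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): find command names that appear in more
# than one PATH directory, so a ~/bin/ls sitting ahead of /bin/ls is visible.
#
# Usage: shadowed_commands "$PATH"
# Output: one line per collision, "name<TAB>winner<TAB>shadowed", where
#         "winner" is the copy found first, i.e. the one the shell would run.
shadowed_commands() {
    seen=$(mktemp) || return 1

    # Split the PATH string on ':' without letting the shell glob its pieces.
    old_ifs=$IFS; IFS=:; set -f
    set -- $1
    set +f; IFS=$old_ifs

    for dir in "$@"; do
        [ -n "$dir" ] || dir=.        # an empty PATH entry means the current directory
        [ -d "$dir" ] || continue     # skip entries that do not exist
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            name=${f##*/}
            # Has an earlier directory already supplied this name?
            first=$(awk -F'\t' -v n="$name" '$1 == n { print $2; exit }' "$seen")
            if [ -n "$first" ]; then
                # Same file reached twice (directory listed twice) is not a collision.
                [ "$first" = "$f" ] || printf '%s\t%s\t%s\n' "$name" "$first" "$f"
            else
                printf '%s\t%s\n' "$name" "$f" >> "$seen"
            fi
        done
    done
    rm -f "$seen"
}
```

With `$HOME/bin` first, a winner under `$HOME/bin` is a file that replaces a system command on every invocation; with it last, the same file shows up in the third column and only runs if the system copy is missing.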



