Re: Can server hack client ?



news@xxxxxxxxxxxxxx said:
Cookies are one example of where the server 'writes into' the client,
right?

Yes.

Redirection is another example where the server 'controls the client',
instead of just being a passive read-only device ?

In a way, yes. Redirect, however, is one of the reply formats to be
expected from a server.

Java [script]: the grossest example of the server messing with you can
of course be disabled. Where is a list of 'actions' whereby a server
can 'control'/write-to eg. my plain lynx client which doesn't want to
be written to ?

If it just was that simple - and if the chain was just that short.
As a naive example, consider the server sending a deliberately
malformed response - f.ex. claiming to send a response of 2000 bytes,
and then sending more than that. A naive client implementation
could f.ex. reserve a receive buffer of 2000 bytes when seeing
the Content-length - and still stream in all of the content sent
by the server, thus overwriting the buffer, and perhaps resulting
in the buffer data flowing over to some executable area.

Further, if I recall correctly, even Lynx can be configured to start
external helper programs for certain data types (such as xpdf,
acroread or something for data declared to be PDF documents). Now,
consider that the server sends some malformed content that is
then processed by such external program. How does the external
program handle it?

I hope this helps, at least in showing that the issue is not
quite straightforward.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
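
The Content-Length case described in the reply above, as an added example that is not part of the original post: the naive receive loop next to a bounded one in C. The names `stream`, `stream_read`, `recv_body_naive`, `recv_body_bounded` and `MAX_BODY` are hypothetical, and the in-memory stream is a constructed stand-in for a socket.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a socket: hands out the server's bytes on request. */
struct stream { const unsigned char *data; size_t len, pos; };

static size_t stream_read(struct stream *s, unsigned char *dst, size_t max) {
    size_t n = s->len - s->pos;
    if (n > max) n = max;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Naive pattern from the post, for contrast only (never called): buf holds
 * the declared number of bytes, but the loop stops only when the server does. */
size_t recv_body_naive(struct stream *s, unsigned char *buf) {
    size_t got = 0, n;
    while ((n = stream_read(s, buf + got, 512)) > 0)
        got += n;                 /* got is never compared with the buffer size */
    return got;
}

#define MAX_BODY (1u << 20)       /* assumed policy cap on a declared length */

/* Bounded reader: each read asks for no more than the room left in the buffer.
 * Returns 0 on success, -1 on an oversized length or failed allocation, -2 on
 * a short body. *excess = bytes the server sent beyond the declared length. */
int recv_body_bounded(struct stream *s, size_t declared,
                      unsigned char **out, size_t *excess) {
    unsigned char *buf;
    size_t got = 0, n;
    *out = NULL; *excess = 0;
    if (declared > MAX_BODY) return -1;
    if (!(buf = malloc(declared ? declared : 1))) return -1;
    while (got < declared) {
        size_t want = declared - got < 512 ? declared - got : 512;
        if ((n = stream_read(s, buf + got, want)) == 0) break;
        got += n;
    }
    if (got < declared) { free(buf); return -2; }
    *excess = s->len - s->pos;    /* never copied; a real client would close */
    *out = buf;
    return 0;
}
```

With a real socket the excess cannot be measured without reading it, so a client would normally drop the connection once the declared length has been consumed rather than count the remainder.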