Ok, so this will prevent a modified "acrobat.exe" from running without a prompt. But running a properly-signed "acrobat.exe" to open evil.pdf still pwns the machine.
You can also completely pwn a system by interacting with PowerShell. Wanna bet that in a corporate environment (which this is intended to help) powershell.exe will be allowed to run?
(and thirdly, this functionality already exists since XP, in the form of "Parental Controls" and/or AppLocker.)
--Joe
Print your password in Barcode3of9 font and tattoo that on your hand (or stick the printout in your wallet if there's a password change policy)
When you want to "log in" to the scanner, just blip, and you're in.
Bash is still executed even with the multi-argument call to system.
The file /usr/bin/xzgrep is a shell script (note the #!/usr/bin/bash as the first line of the file). It inherits the CGI environment variables from its parent process, in this case the Perl interpreter. And since some of those CGI environment variables are controlled by the attacker (such as the Referrer: and Cookie: headers) the arbitrary code is executed.
And Bash is even executed when you open(INFILE, "/usr/bin/xzgrep error /var/log/my.log|","r") -- because the thing you're running isn't an ELF executable, it's a #!/usr/bin/bash text file.
Yes, there are other ways to do this (call xz directly without the xzgrep wrapper, use IO::Compress::xz, etc).
Ok, perhaps I undermined the importance, but if you are using 'xzgrep' in cgi context in a serious situation, I would say that is still a mistake. Forking and execing in response to an http request is terrible performance wise before getting to the security dubious of it all.
The dhclient-script stuff is pretty significant and I think I would be in a weak position saying that those have no business execing system commands/scripts. However it does suggest it may be worthwhile to have a helper that is non-root with capabilities to allow it to do key stuff to limit its ability.
# run under mod_perl
print "Content-Type: text/plain\n\n";
system("/usr/bin/xzgrep error /var/log/my.log");
Can you see how this perfectly secure quick CGI to find errors in your log file would result in a system compromise?
Except for the system "utilities" that are actually bash scripts, such as /usr/bin/xzgrep. These are vulnerable to inheriting malicious environment variables from the parent processes even if the overlying process is not a shell script.
The other reasonable vector is the use of environment variables set by your dhcp client before running /etc/sysconfig/if-up.d/* based on whatever is contained in the first DHCPOFFER packet it receives.
In addition, ANY CGI that calls out to the system may call something that is actually a bash script even if it doesn't look like one.
For example, xzgrep on my Ubuntu system is a bash script, so this is vulnerable:
#!/usr/bin/perl
print("Content-type: text/plain\n\n");
system("xzgrep info /var/log/mylog.xz");
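As an added example, not code from any of the comments above (theirs is Perl; this is Python so it runs as-is), here are the two checks a defender wants for the xzgrep-style CGI discussed in the comments: first, a classifier that reads an executable's first bytes to tell an ELF binary from an interpreter script, so you can list which "utilities" on PATH will really start bash and therefore inherit the CGI environment; second, a child-process launcher that passes a list-form argv and an allowlisted environment, so request-derived variables (HTTP_COOKIE, HTTP_REFERER, QUERY_STRING, ...) never reach the child whatever interpreter it turns out to be. The fake bin directory, its "xzgrep" and "grep" files, the sample log and the sample CGI environment are all constructed for the demo, and the allowlist of environment keys is an assumption you would tune per handler.

```python
"""Added example: ELF-vs-script classification plus an allowlisted child
environment for a CGI handler that shells out. Nothing here is from the
comments' Perl; all sample data is constructed."""
import os
import shutil
import subprocess
import tempfile

ELF_MAGIC = b"\x7fELF"

# Assumed allowlist: only what a log-grepping child needs. Everything else
# (all HTTP_* keys, QUERY_STRING, ...) comes from the request and is dropped.
ENV_ALLOWLIST = frozenset({"PATH", "LANG", "LC_ALL", "TZ"})


def classify_executable(path):
    """Return 'elf', 'script:<interpreter>' or 'other' from the first bytes."""
    with open(path, "rb") as fh:
        head = fh.read(256)
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head.startswith(b"#!"):
        first_line = head[2:].split(b"\n", 1)[0].strip()
        words = first_line.split()
        interp = words[0].decode("ascii", "replace") if words else "?"
        return "script:" + interp          # e.g. script:/usr/bin/bash
    return "other"


def which_are_scripts(names, path_dirs=None):
    """Resolve each name along path_dirs (default: $PATH) as a shell would and
    classify the file found; names that resolve nowhere map to 'missing'."""
    if path_dirs is None:
        path_dirs = os.environ.get("PATH", os.defpath).split(os.pathsep)
    found = {}
    for name in names:
        found[name] = "missing"
        for directory in path_dirs:
            candidate = os.path.join(directory, name)
            if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
                found[name] = classify_executable(candidate)
                break
    return found


def sanitized_env(cgi_env):
    """Return (clean_env, dropped_keys): the allowlisted subset of cgi_env."""
    clean = {k: v for k, v in cgi_env.items() if k in ENV_ALLOWLIST}
    dropped = sorted(k for k in cgi_env if k not in ENV_ALLOWLIST)
    return clean, dropped


def run_log_grep(pattern, logfile, cgi_env, grep_cmd="grep"):
    """Grep a log from CGI context: list-form argv (no shell parses the
    pattern) plus a sanitized environment. Returns the matching lines.
    grep_cmd is a parameter so the demo can use plain grep; on the
    commenter's Ubuntu box it would be xzgrep, the bash wrapper that matters."""
    env, _ = sanitized_env(cgi_env)
    proc = subprocess.run([grep_cmd, "--", pattern, logfile], env=env,
                          capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


# ---- constructed sample data -------------------------------------------
SAMPLE_CGI_ENV = {                      # roughly what a web server hands a CGI child
    "PATH": os.environ.get("PATH", os.defpath),
    "LANG": "C.UTF-8",
    "REQUEST_METHOD": "GET",
    "QUERY_STRING": "q=error",
    "HTTP_COOKIE": "session=constructed-sample-value",
    "HTTP_REFERER": "http://example.invalid/search",
}
SAMPLE_LOG = "INFO service started\nERROR disk full\nINFO retry\nERROR disk full again\n"


def demo_classify():
    """Build a fake bin dir with a bash-script 'xzgrep' and an ELF-headed
    'grep' (both constructed stand-ins) and classify them plus a missing name."""
    with tempfile.TemporaryDirectory() as bindir:
        script = os.path.join(bindir, "xzgrep")
        with open(script, "w") as fh:
            fh.write("#!/usr/bin/bash\n# constructed stand-in for the wrapper\nexit 0\n")
        binary = os.path.join(bindir, "grep")
        with open(binary, "wb") as fh:
            fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 29)  # header bytes only
        for p in (script, binary):
            os.chmod(p, 0o755)
        return which_are_scripts(["xzgrep", "grep", "nosuchtool"], [bindir])


def demo_grep():
    """Run the sanitized grep over the constructed log; None if grep is absent."""
    if shutil.which("grep") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        logfile = os.path.join(tmp, "my.log")
        with open(logfile, "w") as fh:
            fh.write(SAMPLE_LOG)
        return run_log_grep("ERROR", logfile, SAMPLE_CGI_ENV)


if __name__ == "__main__":
    print(demo_classify())
    print(sanitized_env(SAMPLE_CGI_ENV))
    print(demo_grep())
```

Run which_are_scripts() against your real PATH with the utility names your CGI handlers invoke to see which ones are really interpreter scripts; the allowlist approach means the answer no longer changes what the child can see.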
No, the tax is on engineering results. It would laundered through the NIH for funding the basic research that NIH would fund now if congress would give it the money it has in the past.
Tax patents/royalties to fund basic research, on "When Scientists Give Up" (Score: 4, Interesting)
I heard this piece on NPR yesterday, and the thing that kept running through my mind is how the pharmaceutical industry is extorting huge profits based on fundamental research-- with much of that happening under NIH grants. Why not set a tax rate on drug patent royalties and use that to fund the NIH?
You have a multi-billion-dollar-sales patented drug? Chip in 0.5% of the revenue to fund NIH grants. Or make your own equivalent grants to truly independent researchers.
Enter into a licensing deal on a drug patent? Chip in 0.5% of the revenue to fund grants.
If the implanted device is running an IPv6-only stack, nobody will be able to talk to it for years and years.
I don't expect to see broad rollout of pure IPv6 in my lifetime.
Isolate out the caffeine genes, and start adding it to other plants. There are times I'm eating breakfast, and I'm thinking "Why am I only getting caffeine from the coffee? Buzz up them hashbrowns! Perk up that toast! If we can introduce it into animals, think about caffeinated eggs, or butter, or cheese. We can finally jitter up the world."
To heck with that, splice that gene into a retrovirus, and let me caffeinate every cell in my body!
You're right, officer, Clippy should not have been driving.
Now, what to do when my Explorer crashes...
Click on the Start button, go to "All Programs", then go to "Brakes", right-click on the "Apply Brakes" button, and choose "Run as Administrator". After the 15-second splash screen (now with Ads by Bing), choose "Decelerate Safely".
I, for one, welcome our new virii overl...oh forget it, this meme is no longer funny.
Virii? Nitpicking, I know, but that particular abuse of the language makes me cringe, it really does, because it is so bizarrely and emphatically wrong on far too many levels.
[...]
just like 'one bus, several buses' ('bus' from 'omnibus', but let's not go there). Apart from that, you would use a nominative singular here: '... our virus overlords ...'
Buses? Nitpicking, I know, but that particular abuse of the language makes me cringe, it really does, because it is so bizarrely and emphatically wrong on far too many levels.
The correct plural of bus is bi. (Unless you're talking about the London double-decker variety, in which case it's bii.)
The reasons for the quotation marks would make for a very long rant about ionizing vs. non-ionizing radiation and their complete ignorance of what is actually going on.
If you really want to get the far right riled up about radiation, you could call something different than non-ionizing. Can you imagine if the public were exposed to unionizing radiation?
I'm trying to keep track of what kind of registries are acceptable for each (US) political party
No Fly Registry: It's Our Patriotic Duty (D&R)
Gun Owner Registry: Acceptable for (D), Unacceptable for (R)
Legal-to-work-in-US Registry: Acceptable for (R), Unacceptable for (D)
National ID card: Acceptable for (D), Unacceptable for (R)
Vaccination Registry: Acceptable for (D), Unacceptable for (R)
Superhero Registry: It's Our Patriotic Duty
Mutant Registry: Ditto
Windows Registry: Can't run Windows without it, and what else would you run?
I still don't understand why the lethal injection isn't just a bunch of heroin that's been confiscated in the latest raid. People OD on heroin without being horribly uncomfortable.
The 2nd Amendment of the US Constitution guarantees that each citizen has the right to keep and bear arms for self-defense. There are only a very few obvious prohibitions, namely against convicted felons and those declared mentally incompetent or ill.
I have yet to see any constitutional argument that supports these "obvious prohibitions". Either the 2nd amendment allows each citizen to keep and bear arms (including convicted felons and the insane) or there are obvious limits on the scope of the rights enumerated there.
And once you accept that there are obvious limits on the scope of gun rights, then you can't just say "the 2nd amendment allows me to carry whatever firearm I want wherever I want to"
Of course they didn't. He's white.
"Outlook not so good."
Outlook is a Microsoft product. This is an article about IBM, so the 8-ball would have to say "Lotus Notes not so good."
No, it went boom, THEN fell down.
So, we built a second one. That one went boom, fell down, then sank into the swamp.
But the third stage stayed up. And that's what you'll have lad, the strongest launch platform in these isles.
- The universe did not come from nothing. Thermodynamics prevents this.
- The universe did not create itself. Thermodynamics prevents this.
- The universe was not created.
You left out the most important 4th point:
- Ergo, the universe does not exist.
I guess that disproves the Big Bang Theory! Now what show am I going to watch?
Maybe try something with a little less scientific rigor... How about COSMOS: A Spacetime Odyssey
Please report to level D-10 for reassignment as reactor shielding. The computer is your friend.
Was "revenge porn" non-existant before Tor?
It was mostly limited to scratching "For a Good Time Call Jenny 867-5309" on the bathroom stall of every local truck stop/gas station.
And no more defamatory then, either.
Hint: a cleric sitting in his office somewhere filing lots of reports
Thank goodness we have the separation of church and state in the US. It's only our Patriotic Paladins who get to fill out reports over here.
Find the people on your team who can be trusted to do the job well. Encourage them to do it. Work with them to build their skills as well as yours.
Find the people on your team who can not be trusted to do the job well, and replace them with shell scripts.