MobileRead Forums
iLiad Developer's Corner For iLiad development discussion and planning

Reply
 
Thread Tools Search this Thread Display Modes
Old 10-19-2006, 02:47 PM   #1
arivero
Guru
Posts: 607
Karma: 197
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Huge exploit found in 2.7

Ok, I have downloaded the 2.7. Awesome pdf thing, it remembers the zoom between pages, and this is already better than standard xpdf, nice icons, blah blah blah. Ah and yes, I got to execute an ls > /opt/content/books/a.txt command. But on the other hand the remote Xserver approach seems promising. So what do I do? Wait for a crack via Xserver to be done? Do I explain how I did the ls so you people can try to run shell scripts via similar methods, risking it being patched in the security fix? Personally I think that any Xserver exploit will be patched in the future, because it is a real internet security issue.
Old 10-19-2006, 02:58 PM   #2
jęd
Evangelist
Posts: 457
Karma: 293
Join Date: May 2006
Quote:
Originally Posted by arivero
Do I explain how I did the ls so you people can try to run shell scripts via similar methods, risking it being patched in the security fix? Personally I think that any Xserver exploit will be patched in the future, because it is a real internet security issue.
Up to you whether you think it's better to have an unsecured iLiad and to be the only one with this knowledge, or to help the iLiad progress. Congratulations, btw...
Old 10-19-2006, 03:00 PM   #3
arivero
Guru
Posts: 607
Karma: 197
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Quote:
Originally Posted by jęd
Up to you whether you think it's better to have an unsecured iLiad and to be the only one with this knowledge, or to help the iLiad progress. Congratulations, btw...
I could ask for an NDA agreement
Old 10-20-2006, 06:26 AM   #4
Alexander Turcic
Fully Converged
Posts: 12,179
Karma: 68037
Join Date: Oct 2002
Location: Switzerland
Device: Sony Portable Reader
Quote:
Originally Posted by jęd
Up to you whether you think it's better to have an unsecured iLiad and to be the only one with this knowledge, or to help the iLiad progress. Congratulations, btw...
And what would be the risk of having an "unsecured" iLiad ATM?
Old 10-20-2006, 07:50 AM   #5
jęd
Evangelist
Posts: 457
Karma: 293
Join Date: May 2006
Quote:
Originally Posted by Alexander Turcic
And what would be the risk of having an "unsecured" iLiad ATM?
Someone might hit you over the head with it...?

But seriously... I'm glad this was brought out in the open... I think it shows willingness to work with iRex in making their product better. Let's see how soon they fix this...!
Old 10-20-2006, 08:10 AM   #6
arivero
Guru
Posts: 607
Karma: 197
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Quote:
Originally Posted by jęd
But seriously... I'm glad this was brought out in the open... I think it shows willingness to work with iRex in making their product better. Let's see how soon they fix this...!
I insist: it is not a security hole, so you do not need to fix it. It *seems* a security hole because it works the way www holes work, but it is a dialog window that only shows in the main console, so it is not a security issue. It is the same thing as claiming that GRUB has security holes!

The PDF hole in 2.4 was a different issue; just because the confirmation window was not drawn on the screen (it was, but the screen was not updated, remember) it was possible to do a pdf asking the user "click on this cross, then click this one and see what happens", the second cross subtly drawn over the OK button. It need not be so obvious; it could be for instance a sudoku square asking for two sequential clicks, or some "start demo" thing. In Spain we call this kind of deception a "Cuartango" trick, because this researcher in the CSIC did some work on deception windows over MSWindows.

Last edited by arivero; 10-20-2006 at 08:26 AM.
Old 10-19-2006, 03:11 PM   #7
design256
Connoisseur
Posts: 78
Karma: 103
Join Date: Aug 2006
Location: Ipswich, UK
Device: Irex Iliad
Quote:
Originally Posted by arivero
Ok, I have downloaded the 2.7. Awesome pdf thing, it remembers the zoom between pages, and this is already better than standard xpdf, nice icons, blah blah blah. Ah and yes, I got to execute an ls > /opt/content/books/a.txt command. But on the other hand the remote Xserver approach seems promising. So what do I do? Wait for a crack via Xserver to be done? Do I explain how I did the ls so you people can try to run shell scripts via similar methods, risking it being patched in the security fix? Personally I think that any Xserver exploit will be patched in the future, because it is a real internet security issue.
Perhaps you could use it to help us finish the Xserver exploit. Then make it public when iRex patches that in 2.8...
Old 10-19-2006, 03:32 PM   #8
arivero
Guru
Posts: 607
Karma: 197
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Ok, I will release it; on second inspection it is so simple that there is no issue.

I backquoted the password in the WEP configuration.

That is, I created a new wireless WEP connection (wizard, anyname, Proceed, Wireless, anyssid, proceed, WEP, proceed) and in the WEP security key field I used:

Quote:
`ls > /opt/content/books/a.txt`
I pressed TEST (no proceed anymore).

And yep, it escaped.

I think iRex does not really need to patch this one. It is not a security hole, as the ssh was. Nor a Cuartango trick, as the pdf could be. Here the owner of the machine must know exactly what he is doing, no arguing about being tricked into doing it (except if you have got a devilish system administrator telling you that THAT is the password for your local wlan!).

Besides, you need to retort the trick in order to use it to "open the internet", because most probably this escape is executed at the level of the networking scripts, and man you do not want to call the networking script from the networking script.

Last edited by arivero; 10-19-2006 at 03:40 PM.
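What arivero describes in the post above is classic command injection: text from a form field is handed to a shell that re-parses it, so backquotes inside the field run as a command. The script below is an added example written for this thread, not code from the iLiad firmware or from any post; it assumes the device's network script built a command line from the key as a string (via eval, sh -c or an unquoted expansion), which is an assumption, since the thread only reports the symptom. It shows the two defences such a script should have: a shape check on the WEP key, and passing the key to the tool as a single argument that is never re-parsed. The interface name eth0 and the dry-run switch are made up for the example.

```shell
#!/bin/sh
# Added example, not iLiad firmware code. Hardening for a network script
# that receives a WEP key typed into a form.
# Assumption: the original script built a command string from the key
# (eval, sh -c or an unquoted expansion), which let `...` in the key run.

# Print "hex" or "ascii" for a key of legal WEP shape, return 1 otherwise.
#   hex:   10 or 26 hex digits (40/104-bit WEP)
#   ascii: 5 or 13 characters from a conservative whitelist, so no
#          backquote, $, ;, |, whitespace or other shell metacharacters
# A 10-character all-hex key is reported as hex, which is also what
# iwconfig assumes when no "s:" prefix is given.
wep_key_kind() {
    key=$1
    case ${#key} in
        10|26)
            case $key in *[!0-9A-Fa-f]*) return 1 ;; esac
            echo hex
            return 0 ;;
        5|13)
            case $key in *[!A-Za-z0-9._@%+=:,/-]*) return 1 ;; esac
            echo ascii
            return 0 ;;
    esac
    return 1
}

# Hardened apply: reject anything that fails the shape check, then hand the
# key to iwconfig as ONE argv element. "$key" is expanded once by this
# shell and never fed back through eval or sh -c, so even a key that
# slipped past the whitelist could not run commands.
# Returns 0 when accepted, 2 when rejected. DRY_RUN=1 (the default here)
# prints the argv one element per line instead of calling iwconfig, so the
# function can be exercised on a machine without the interface.
apply_wep_key() {
    iface=$1
    key=$2
    kind=$(wep_key_kind "$key") || {
        echo "apply_wep_key: rejected key for $iface (bad length or characters)" >&2
        return 2
    }
    if [ "$kind" = ascii ]; then
        arg="s:$key"       # iwconfig's prefix for an ASCII key
    else
        arg=$key
    fi
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' iwconfig "$iface" key "$arg"
    else
        iwconfig "$iface" key "$arg"
    fi
}

# Usage from a network script:   apply_wep_key eth0 "$key_from_form"
# The unsafe pattern this replaces looks like
#   eval "iwconfig $iface key $key"
# where backquotes or $(...) inside $key are executed before iwconfig
# ever sees the key.
```

The whitelist is defence in depth only; the fix that actually closes the hole is the second one, never re-parsing user text through a shell. That also explains arivero's remark that the escape runs "at the level of the networking scripts": the command is executed by the shell that is building the iwconfig line, not by iwconfig itself.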
Old 10-19-2006, 03:43 PM   #9
design256
Connoisseur
Posts: 78
Karma: 103
Join Date: Aug 2006
Location: Ipswich, UK
Device: Irex Iliad
Quote:
Originally Posted by arivero
Ok, I will release it; on second inspection it is so simple that there is no issue.
neat. Congratulations on thinking of this one.
Old 10-19-2006, 03:57 PM   #10
arivero
Guru
Posts: 607
Karma: 197
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Quote:
Originally Posted by design256
neat. Congratulations on thinking of this one.
A pleasure. Please remember this trick is under the 75 Euros caveat
Old 10-20-2006, 03:17 AM   #11
Antartica
Evangelist
Posts: 406
Karma: 754
Join Date: Jun 2006
Location: Madrid, Spain
Device: iliad, onhandpc, newton, zaurus
Quote:
Originally Posted by arivero
Ok, I will release it; on second inspection it is so simple that there is no issue.
Oh! I'm happy. I'll be upgrading to 2.7 today, then :-).

What's next in my todo list queue: investigate the pageBar protocol and do a simple viewer using SDL... Now that we can test it :-)~~~! Yipieee!!!

Thanks arivero :-).
Old 10-20-2006, 04:40 AM   #12
Drops
Connoisseur
Posts: 65
Karma: 10
Join Date: May 2006
Has anyone tried a java --version command yet?
Old 10-20-2006, 04:53 AM   #13
design256
Connoisseur
Posts: 78
Karma: 103
Join Date: Aug 2006
Location: Ipswich, UK
Device: Irex Iliad
Quote:
Originally Posted by Antartica
Oh! I'm happy. I'll be upgrading to 2.7 today, then :-).
Do it quickly! I bet that this and Xserver will be patched on IDS today.
Old 10-20-2006, 11:26 AM   #14
Antartica
Evangelist
Posts: 406
Karma: 754
Join Date: Jun 2006
Location: Madrid, Spain
Device: iliad, onhandpc, newton, zaurus
Quote:
Originally Posted by design256
Do it quickly! I bet that this and Xserver will be patched on IDS today.
Updated! :-)
Old 10-20-2006, 08:54 AM   #15
arivero
Guru
Posts: 607
Karma: 197
Join Date: Oct 2005
Device: NCR3125, Nokia 770,...
Quote:
Originally Posted by Antartica
What's next in my todo list queue: investigate the pageBar protocol and do a simple viewer using SDL... Now that we can test it :-)~~~! Yipieee!!!
Also, we need some hints about the update protocol. We can do single updates of the whole screen by calling the displayMgrClient utility, but I really would like to enable the update mode of the Ink applications, I mean Scribble and now the new Keyboard. This will be happily explained in the open by iRex in the future (and also the pageBar protocol); you could try to ask them first!

Last edited by arivero; 10-20-2006 at 10:25 AM.
All times are GMT -4. The time now is 11:08 AM.