[REBOL] Re: Security hole ? (was: image memory representation)
From: ryanc:iesco-dms at: 24-Aug-2001 12:23
Maybe I missed something here, but as I understand this security issue, you
must have a rebol trojan installed to even take advantage of it. If you
have gotten that far, the memory dump is a big waste of time, as there are
far better things to take advantage of.
--Ryan
Maxim Olivier-Adlhoch wrote:
> Hi Gabriele!
>
> Have you ever seen how someone reverse engineers code? Believe me,
> scanning such a memory dump is quite a lottery jackpot, unless the user
> and password are heavily cryptic!
>
> It takes any human being about 10 seconds to spot strings in a
> hex-editor and it's quite easy to figure out bounds.
>
> Maybe I'm just bull-shitting here, but I don't believe this to be a
> slight issue!
>
> cheers!
>
> -Max
>
> "Contrary to popular belief, Unix IS user-friendly...
> it's just picky on who it considers a friend"
>
> > -----Original Message-----
> > From: [rebol-bounce--rebol--com]
> > [mailto:[rebol-bounce--rebol--com]]On Behalf Of
> > Gabriele Santilli
> > Sent: Thursday, August 23, 2001 1:11 PM
> > To: [rebol-list--rebol--com]
> > Subject: [REBOL] Re: Security hole ? (was: image memory
> > representation)
> >
> >
> > Hello Anton!
> >
> > On 23-Ago-01, you wrote:
> >
> > A> Is rebol memory pool the same for the launched program as in
> > A> the console at the first point? If so, then it's possible that
> > A> the evil program can send away user and password. Then evil
> > A> programmer can freely access the ftp site.
> > A> Muhahahahaaa.r.rgg..<cough>
> >
> > This is very unlikely anyway. The evil program has to be lucky
> > enough to get the username and the password in that memory area;
> > then it has to scan that area to find things that look like
> > strings; then it has to convince the user to give it the
> > permission to open some tcp port to send back the data to the evil
> > programmer (ok, by default scripts are allowed to open tcp ports,
> > so this is not probably a very big problem); the evil programmer
> > then has to scan through all of these strings to see if he can find
> > something useful. It's like winning a lottery. :)
> >
> > A> Anyway, I can see this bug being fixed pretty soon.
> >
> > Indeed. So hurry up evil programmers! ;-)
> >
> > Regards,
> > Gabriele.
> > --
> > Gabriele Santilli <[giesse--writeme--com]> - Amigan - REBOL programmer
> > Amiga Group Italia sez. L'Aquila -- http://www.amyresource.it/AGI/
> >
> > --
> > To unsubscribe from this list, please send an email to
> > [rebol-request--rebol--com] with "unsubscribe" in the
> > subject, without the quotes.
> >
--
Ryan Cole
Programmer Analyst
www.iesco-dms.com
707-468-5400