[Kurt B. Kaiser]
> An open execution server on an external interface is exploitable at
> the privilege level of the user which initiated it.

Noting that Win9X systems offer no protection in this sense, then (there
aren't any privilege levels -- anyone can do anything).

> At GvR's request, the connection was reversed so that the execution
> server connects to the user's GUI process.
>
> If the local cracker manages to intercept the loopback interface
> (no external packets) he can then access IDLE's stdout and stderr
> streams in the user GUI.
>
> Once the subprocess makes a connection to the user process, no further
> connections are accepted.  In practice this happens within a second of
> when the user process spawns the subprocess.

I'm not sure I understand this claim.  I just brought up IDLE.  Now in a
separate DOS box:

    >>> addr = 'localhost', 8833
    >>> import time
    >>> time.sleep(5) # more than 1 second <wink>
    >>> import socket
    >>> s = socket.socket()
    >>> s.connect(addr)
    >>>

Was that connection expected?

> This seems to have limited exploitability.  If further security is
> desired, a random number could be passed to the subprocess for
> authentication upon connection.

I suppose a randomized port number could be used too.  I'm not worried --
but I tend not to worry much about such things.

if-i-did-i-wouldn't-be-running-windows-ly y'rs  - tim
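The thread above discusses three things: a GUI process that listens on the loopback interface for a connection back from its execution subprocess, the claim that no further connections are accepted once the subprocess has connected (which Tim's second connection appears to contradict), and the two proposed mitigations, a random secret presented on connect and a randomized port. The following is an added example, not IDLE's own RPC code and not code from either poster, that puts those pieces together so the behaviour can be checked locally: the listener binds an ephemeral loopback port, a cracker connecting first without the secret is dropped, the real subprocess presenting the secret is accepted, and the listening socket is then closed so a late connection like the one in Tim's DOS box is refused rather than accepted. The token length, the function names and the single-threaded accept loop are assumptions made for the example.

```python
import hmac
import os
import socket
import threading

TOKEN_LEN = 32  # bytes of shared secret; chosen for this example


def start_listener():
    """GUI side: bind a loopback listener on an ephemeral port (the
    'randomized port number' idea) and return (socket, port)."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)
    return lsock, lsock.getsockname()[1]


def recv_exact(conn, n):
    """Read exactly n bytes or raise ConnectionError on EOF."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before sending the token")
        buf += chunk
    return buf


def accept_authenticated(lsock, token, timeout=5.0):
    """GUI side: accept peers until one presents the shared token, then
    close the listening socket so nobody else can connect.
    Returns (connected_socket_or_None, number_of_rejected_peers)."""
    lsock.settimeout(timeout)
    rejected = 0
    try:
        while True:
            conn, _ = lsock.accept()
            conn.settimeout(timeout)
            try:
                presented = recv_exact(conn, TOKEN_LEN)
            except (socket.timeout, OSError):
                presented = b""
            # Constant-time comparison so a local attacker cannot time it.
            if hmac.compare_digest(presented, token):
                conn.sendall(b"OK")
                return conn, rejected
            conn.close()          # wrong or missing token: drop silently
            rejected += 1
    except socket.timeout:
        return None, rejected
    finally:
        lsock.close()             # no further connections are possible


def connect_with_token(port, token):
    """Subprocess side (or a cracker guessing): connect back to the GUI,
    present a token and return the reply (b"OK" if accepted, b"" if dropped)."""
    s = socket.create_connection(("127.0.0.1", port), timeout=5.0)
    try:
        s.sendall(token)
        try:
            return s.recv(2)
        except OSError:
            return b""
    finally:
        s.close()


def run_demo():
    """Play out the three cases discussed in the thread on one machine."""
    token = os.urandom(TOKEN_LEN)   # would be handed to the child out of band
    lsock, port = start_listener()
    outcome = {}

    def gui_side():
        outcome["conn"], outcome["rejected"] = accept_authenticated(lsock, token)

    gui = threading.Thread(target=gui_side)
    gui.start()

    # 1. A local cracker races in first without the secret: dropped.
    outcome["cracker_reply"] = connect_with_token(port, bytes(TOKEN_LEN))
    # 2. The real execution subprocess connects with the secret: accepted.
    outcome["child_reply"] = connect_with_token(port, token)
    gui.join()

    # 3. Tim's late connection: the listener is gone, so it is refused.
    try:
        late = socket.create_connection(("127.0.0.1", port), timeout=2.0)
        late.close()
        outcome["late_connect"] = "accepted"
    except ConnectionRefusedError:
        outcome["late_connect"] = "refused"

    if outcome["conn"] is not None:
        outcome["conn"].close()
    return outcome


if __name__ == "__main__":
    print(run_demo())
```

Two points worth noting when running it: the port is only unreachable after the listening socket is actually closed, which is why Tim's connection on the fixed port 8833 succeeded if the listener was left open; and a peer that connects and sends nothing holds the accept loop for `timeout` seconds, so a real implementation would want a shorter timeout or a per-connection thread.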