Re: LDM & XDR vulnerability ?



Karl Hanzel wrote:
> 
> Hi Anne -
> 
> say, i'm trying to assess this vulnerability issue.  I'm thinking:
> 
>   How likely is it that anyone would bother crafting an exploit
>   against an LDM?  They'd have to know that it was vulnerable,
>   and that you have one running.  Wouldn't hackers stick to more
>   mainstream services that are apt to be available & vulnerable?
> 
> *----->

Hi Karl,

I would think that the likelihood of exploitation of this particular
vulnerability would be pretty low for the reasons that you cited.  [My
opinion only.]  Wrt the LDM, someone would have to get the LDM code then
go through some iterative process to try to get it to write something
useful to the correct location in memory...  Even then it would only run
at the permission level of the LDM, so it wouldn't buy them much.

However, applying the patch is so easy (at least for vendors that have
supplied patches) that you might as well just update the libraries when
they become available.  Wrt the LDM, you don't even have to recompile
(although sites may have other applications that use glibc statically,
in which case they'd need to recompile).

Anne
-- 
***************************************************
Anne Wilson                     UCAR Unidata Program            
address@hidden                 P.O. Box 3000
                                  Boulder, CO  80307
----------------------------------------------------
Unidata WWW server       http://www.unidata.ucar.edu/
****************************************************