Comments on: Backdooring File Type X or Making a program do what it’s supposed to do…

By: Tyler Reguly

Tyler Reguly — Fri, 12 Jan 2007 16:42:58 +0000

I don’t consider these backdoors, yes I read your recent post.. I don’t agree entirely agree with it. That’s probably because I don’t always agree with wikipedia definitions and you’ve based yours off the wikipedia definition.

The PDF vuln that I didn’t mention, for example, isn’t a backdoor… It’s an information disclosure vuln. One of the big problems that I have is that calling everything a “backdoor” causes the type of vuln to lose it’s meaning.

I also like other definitions of backdoor, which include “back door: an undocumented way to get access to a computer system or the data it contains” (Princeton Wordnet). Many of these features aren’t undocumented… They are designed to allow links… That’s not an undocumented way… That’s program design.. Poor program design yes… but that’s it… Unfortunately I can’t discuss this more now, but I’d love to have an offline discussion with you on the subject.

By: David Kierznowski

David Kierznowski — Fri, 12 Jan 2007 10:02:55 +0000

HTRegz, you have mentioned some interesting points (flames aside). Unfortunately, I was only able to read this post now – months after its release. It would have been nice to have commented sooner.

I can’t speak for pdp, although I think his work on the above-mentioned has been fantastic. We have already seen sites like MySpace and packages like phpBB being compromised through these techniques.

As for the PDF vulnerability. You have only mentioned one of them. The one that was the real concern (ironically the one you haven’t mentioned) was the ability to “backdoor” a PDF file with code that allows an attacker to remotely enumerate and dump information (via Adobe’s web services functionality) from databases connected to the client’s ODBC.

The other vulnerability exploited a trust relationship between the browser and Acrabat. Great for shared document management applications.

As for the “backdoor” terminology, read my recent post:
http://michaeldaw.org/papers/backdooring-the-web-1/

As they say any publicity is good publicity

By: SELoggOff

SELoggOff — Mon, 25 Sep 2006 13:26:35 +0000

excellent points in there, really makes you wonder how these so called security ‘experts’ actualy got their titles? do they just draw them out of a hat or something? i mean can i call myself a world class chef? why not, i make spaghetti quite well most of the time. and i can make a mean slice of toast…..

By: Dumb

Dumb — Mon, 25 Sep 2006 13:05:50 +0000

Duh…. of cause pdf are evil + can allow files to be backdoored… I call this blog entry more FUD… people should be aware the PDF’s are evil and can trick users into visiting a web site…. since when did opening a pdf = open my web browser without asking me?

By: Tyler Reguly

Tyler Reguly — Mon, 25 Sep 2006 12:30:19 +0000

Thanks for the comment J_K9... For everyone following this story, feel free to jump over and digg this story here. There are also two blogs with ongoing discussions on this topic. These discussions can be found at AntiOnline and TazForums.

By: J_K9

J_K9 — Mon, 25 Sep 2006 06:52:29 +0000

“why not a new one on how to backdoor an exe by writing the source code and compiling it”

LOL!

“Perhaps the message should be — Don’t allow your browser to execute javascript without your permission…. or don’t open files you don’t trust… ”

Which is what we try to tell lusers anyway… And, if they were willing to listen to our advice, they might not fall into half the traps whose consequences we have to fix.

Back to the article – good points. The best: “Another interesting note is that each time they refered to a file format…” and yet it had to do with particular apps opening those files, not the format, and those apps doing what they and the format were designed to do…