[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #2341 [Tor Relay]: Shellcode

To: undisclosed-recipients:;
Subject: Re: [tor-bugs] #2341 [Tor Relay]: Shellcode
From: "Tor Bug Tracker & Wiki" <torproject-admin@xxxxxxxxxxxxxx>
Date: Wed, 05 Jan 2011 18:13:15 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 05 Jan 2011 13:13:25 -0500
In-reply-to: <051.c9d0a6ca162973db7dfd681120d2d037@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: Tor bugs reporting list for trac <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <051.c9d0a6ca162973db7dfd681120d2d037@xxxxxxxxxxxxxx>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx

#2341: Shellcode
---------------------------+------------------------------------------------
 Reporter:  cypherpunks    |         Type:  defect   
   Status:  closed         |     Priority:  normal   
Milestone:                 |    Component:  Tor Relay
  Version:  Tor: 0.2.1.26  |   Resolution:  not a bug
 Keywords:                 |       Parent:           
---------------------------+------------------------------------------------
Changes (by nickm):

  * status:  new => closed
  * type:  task => defect
  * resolution:  => not a bug


Comment:

 Well, this is more of a snort question than a Tor question.  The sequences
 that snort is checking for here are sequences that would be interpreted as
 "Setuid 0" if they were run in a binary.  Some of them are very short , so
 you shouldn't be surprised to see them occur randomly in binary data.  A
 quick search for "shellcode x86 setuid 0" should turn up some more
 information here.

 (And whoever said that "shellcode x86 setuid 0" has no known false
 positives, no known false negatives, or no known false alarms is IMO quite
 mistaken.  If I'm reading the documentation right, it's just a 4-byte
 sequence that you'd expect to occur by chance in encrypted data once every
 GB or so -- so that would be create both positives and false alarms.  It's
 pretty trivial to write obfuscated exploits, so false negatives are also
 expected.)

 Here are some links I found useful:
   http://seclists.org/ids/2000/Jun/36  (explains both why you should
 expect false positives and false negatives)

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2341#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

References:
- [tor-bugs] #2341 [Tor Relay]: Shellcode
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #2331 [Tor Relay]: Possible integer overflows in base32_encode, base32_decode
Next by Author: Re: [tor-bugs] #1837 [BridgeDB]: bridgedb learns to load file of which bridges are blocked where
Previous by thread: [tor-bugs] #2341 [Tor Relay]: Shellcode
Next by thread: Re: [tor-bugs] #2338 [Torbutton]: Torbutton doesn't set prefs correctly when started in TBB (was: Geolocation is enabled in Tor Browser Bundles)
Index(es):
- Author
- Thread