vbox: possible exploit
Problems: VirtualBox compiler kBuild changes permissions on already installed files. USB linked between host and guest allows read/write/access permissions to such devices. Current flash exploit: cam jacking.
If the guest machine is Windows and the browser is IE or Firefox unsecured, a malicious person can take control of the device that is linked to the guest.
Now I am glad for BSD security. These weaknesses open up a world of exploits.
And VirtualBox doesn't run on most BSDs *yet*
__________________
My Journal Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
The first problem I was shown with the vbox was the kbuild system. A good list of binaries it changes permissions on. The second problem was that it won't run on amd64. A Debian user posted his output and the answer basically was, "Sorry, can't handle it." (He was trying to run a 32-bit system with a host that had a 64-bit environment. Since vbox needs 32-bit libraries to run, it hasn't been ported yet. I had the exact same problem as he did when trying to build it on FreeBSD amd64 release 7. If two different OSes with the same architecture have the same build errors, your application hasn't been ported. This will cause a problem in future releases.) The third problem was shown on an Arch Linux wiki when a developer stated that a security hole is opened up when you give permissions to a possibly unsecured source for a USB device. I remembered the flash exploit, the instability of IE, and the fact that Windows has no real user control. Now take all of that plus that Linux allows any user access to root.
The exploit is easy to set up. In fact, any exploit which allows access to a device can be passed to the host. I call these "tunnel exploits." Security holes are not patched by the developers nor are they using the FreeBSD stable release to build. Another problem that was pointed out to me by a FreeBSD hacker is that some of the newer parts of kbuild are similar to FreeBSD make. Code stealing, hmm? License breaking, hmm? Wasn't there something recently about DeRaadt and the GPL and now this? Last edited by Mr-Biscuit; 17th October 2008 at 11:16 AM.
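A defender-side check for the first problem raised in this thread and in the opening post (a build system changing the modes of files that were already installed), added here as an example; it is not code from the thread, from VirtualBox or from kBuild. It snapshots the permission bits of every regular file under a prefix before and after an install step and lists what changed. The install tree and the misbehaving `chmod` below are constructed inside the script so it runs stand-alone; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from VirtualBox/kBuild.
# Records the permission bits of every regular file under a directory
# before and after an install step, then lists the files whose mode changed.
# Only POSIX find/ls/awk/sort are used, so it behaves the same on BSD and Linux.

# perm_snapshot DIR: print "mode path" for each regular file, sorted by path
perm_snapshot() {
    find "$1" -type f -exec ls -ld {} \; | awk '{ print $1, $NF }' | sort -k2
}

# perm_changes BEFORE AFTER: given two snapshot files, print "path: old -> new"
# for every path present in both snapshots whose mode differs
perm_changes() {
    awk 'NR == FNR { before[$2] = $1; next }
         ($2 in before) && before[$2] != $1 { print $2 ": " before[$2] " -> " $1 }' "$1" "$2"
}

# demo_changed_count: build a constructed install tree, simulate an installer
# that loosens the mode of one already installed file, print the flagged
# files on stderr and the number of flagged files on stdout (expected: 1)
demo_changed_count() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/root/usr/local/bin" "$tmp/root/etc"
    printf 'exit 0\n' > "$tmp/root/usr/local/bin/tool"
    printf 'key=value\n' > "$tmp/root/etc/tool.conf"
    chmod 755 "$tmp/root/usr/local/bin/tool"
    chmod 644 "$tmp/root/etc/tool.conf"

    perm_snapshot "$tmp/root" > "$tmp/before.txt"
    # constructed misbehaving installer: makes an existing config world-writable
    chmod 666 "$tmp/root/etc/tool.conf"
    perm_snapshot "$tmp/root" > "$tmp/after.txt"

    perm_changes "$tmp/before.txt" "$tmp/after.txt" > "$tmp/changes.txt"
    cat "$tmp/changes.txt" >&2
    n=$(wc -l < "$tmp/changes.txt" | tr -d ' ')
    rm -rf "$tmp"
    echo "$n"
}

# Run the demo when the script is executed directly
demo_changed_count
```

Against a real installation, take one snapshot of the prefix (for example `/usr/local`) before `make install` and one after, then run `perm_changes` on the two files; any line it prints is a file the build touched that it did not create. On FreeBSD, mtree(8) can produce an equivalent manifest, but the awk version needs nothing beyond POSIX tools.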
Quote:
Adam
s/now/not ;-)
Just lending you a hand, Adam.
A little extreme, perhaps, but.....

"On the other hand (I'm not a makefile expert), browsing through http://svn.netlabs.org/kbuild/wiki/kmk it looks like most "new" features are present in FreeBSD's make, though in a different form (and were probably implemented ages ago so they just went ahead and reinvented the wheel again). For example:

# Explicit multi-target rules, i.e. explicit make rules that output more than one file.
make(1): "Dependency lines consist of one or more targets, an operator..."

# Prepend assignment operator
I think you can do this with regular variable expansion.

# The special .NOTPARALLEL goal has been extended...
The .NOTPARALLEL goal exists, but it looks like it's not "extended". Anyway it doesn't matter."

There is too much in common.

"FreeBSD's make doesn't have many builtin functions but arithmetic operations work by default (".if $a < 10"). There are no binary operators. Some string functions are present as operators (like "O - Order every word in the variable alphabetically"). You can simulate many functions and operators by invoking shell scripts.

# A bunch of builtin utilities which will be invoked without spawning new process or shell. Most of these are taken from BSD. (cp, echo, cat, append...)
Though it says they came from BSD, I can't find anything about builtin utilities in make(1). Just use regular shell utilities."

It isn't released under a BSD license.

"VirtualBox is a family of powerful x86 virtualization products for enterprise as well as home use. Not only is VirtualBox an extremely feature rich, high performance product for enterprise customers, it is also the only professional solution that is freely available as Open Source Software under the terms of the GNU General Public License (GPL). See "About VirtualBox" for an introduction."

This is my opinion.
You can't copyright ideas; when you do, it's called a patent.. and as you know, patents are lame.
Anyway, if you think taking an idea and reimplementing it is bad, you might want to do a little more research..
I'll end my part in this post with,
"Give credit where credit is due." No BSD license for BSD parts used, no credit given. License isn't followed, sounds like stealing to me. Re-implement? Yes, by all means, but refer back to the previous statement.
From the FreeBSD src/COPYRIGHT.
Quote:
Most of the older stuff (cat, head, etc.) still has a fourth clause about not using the name of the University nor the names of its contributors as an endorsement without permission. Some even older stuff still has the removed 3rd clause still sitting there and a note in src/COPYING that it is nullified. So, as long as they have not forgotten the 2nd clause of the license, they are not likely doing anything wrong IMHO. And apparently, it's fairly obvious there is BSD code used, which aside from the disclaimer serves the main point of the 1st clause. BSD License != RMS License
__________________
My Journal Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.