[VOIPSEC] Pushed Send before completing thought... Re: trixbox vuln (CVE-2007-6424) - PoC exploit code
Dan York
dyork at voxeo.com
Wed Dec 19 09:10:37 CST 2007
Than,
It seems I pressed "Send" before finishing what I meant to say:
On Dec 19, 2007, at 9:51 AM, Dan York wrote:
> Than,
>
> On Dec 18, 2007, at 10:25 PM, Than Taro wrote:
>
>> Run this in a simple script such as `while :; do netcat -l -p 80 -c
>> "perl trixbox-exploit.pl"; done`, and then a trivial DNS redirection
>> can take it from there.
>
> Something I'm still not clear about it how likely the attack actually
> is to occur. How easily could an attacker use your exploit code to
> compromise a Trixbox system? (i.e. what's the risk?) It seems to me
> that an attacker
It seems to be that an attacker has to get to the right spot in the
network *and* subvert the user's DNS in order to get the Trixbox
system to download the rogue code.
I'm not arguing that it *can't* be done, but I'm trying to understand
how realistic an attack it is.
Regards,
Dan
More information about the Voipsec
mailing list