I think there's no debate on that, just that if you enable debugging you would reasonably expect debugging to be enabled. IDA has a debug server too, there's no password by default, you have to specify it on the command line if you want one.
-
-
Replying to @taviso @hackerfantastic and
Debug interfaces need authentication if they take place over an interface like network socket rather than something access controlled like a unix socket. This isn't 1990.
0 replies 2 retweets 8 likes -
Replying to @MalwareTechBlog @taviso and
Not just WAN; even localhost is exposed in all sorts of ways. Browser-based CSRF, sandboxed maybe-malicious processes, possibly-compromised low-privilege local user accounts, etc. Network-based access control is always wrong.
2 replies 1 retweet 2 likes -
Replying to @RichFelker @MalwareTechBlog and
I think all debuggers in common use have an option to enable network-based access control that isn't enabled by default. It sounds like you have a lot of bugs to file if you really believe that, e.g. https://sourceware.org/gdb/onlinedocs/gdb/Server.html …
1 reply 0 retweets 3 likes -
Replying to @taviso @MalwareTechBlog and
Yes I'm aware that's a problem with gdbserver if run listening on a socket, but you can instead hook it up to a pty or something else. Shipping a configuration where it listens on a socket would be a security bug.
2 replies 0 retweets 0 likes -
Replying to @RichFelker @taviso and
Ideal gdbserver setup (and I use this in practice) is over a pty over ssh.
1 reply 0 retweets 0 likes -
Replying to @RichFelker @MalwareTechBlog and
Of course, but isn't the crux of this discussion that you believe if you can enable it somehow, then you consider it a security bug? This only happens if you enable a mode intended for developers, and many applications do that. e.g. here's GNU patch (hah) https://sources.debian.org/src/patch/2.7.6-3/tests/test-lib.sh/?hl=45#L45 …
2 replies 0 retweets 2 likes -
Replying to @taviso @RichFelker and
Here's another example, chrome has many dangerous command line options, like --disable-web-security -- do you consider that a security bug?
3 replies 0 retweets 8 likes -
Replying to @taviso @RichFelker and
I would consider that if --debug opening a service that let's you run arbitrary code remotely on all network interfaces an issue.
1 reply 1 retweet 2 likes
Hmm, there is a --remote-debugging-port, certainly you would be able to read arbitrary files.. I don't know if you can run commands off the top of my head, but I suspect it's possible!
-
-
Replying to @taviso @RichFelker and
"--remote-debug" certainly, very clear and understood yet "--debug"? Enabling remote code execution through such an option by default in my opinion is an issue.
1 reply 0 retweets 6 likes -
Replying to @hackerfantastic @taviso and
You shouldn't justify the thing you found, it's perfectly valid and well-known type of a bug.
0 replies 2 retweets 7 likes
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.