
Vulnerability found in Yoggie Pico

Tom Espiner ZDNet.co.uk

Published: 04 Jul 2007 17:08 BST


A vulnerability has been found in Linux-based USB security device Yoggie Pico.

Yoggie Pico sits on a device, such as a laptop, and monitors web traffic to detect and block malware.

The zero-day vulnerability was disclosed on Monday by vulnerability researcher Cody Brocious.


Brocious said in his post that remote code execution was possible by subverting the "ping" function in the Yoggie web interface. "They expose a 'ping' function in their web interface for diagnostic purposes, which passes the IP/hostname given directly to ping in the form of 'ping -c 10 '. They do basic checking for ampersands, semicolons and pipes, but do not check for backticks, which allows you to execute commands as root on the device," wrote Brocious.

Avi Dardick, Yoggie's senior director of product management and support, said that the vulnerability had been fixed and that an update was released within 30 minutes of the vulnerability being disclosed.

Dardick played down the vulnerability, and denied that remote code execution was possible. "This was not remote execution, as the vulnerability requires access from the computer the device is supposed to connect to, to begin with, which requires an SSL handshake, and to begin processing you need to enter the username and password," he said. "With this in mind, yes, you could have hacked our Linux, but the exploit was by no means remote."
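
The input-handling flaw Brocious describes, shown as an added example that is not part of the original article and is not Yoggie's code: a Python model of the character denylist beside an allowlist check that runs ping without a shell. The function names and sample inputs are constructed for illustration.

```python
import ipaddress
import re
import subprocess

# Characters the article says the interface screened for (modelled, not Yoggie's code).
DENYLIST = set("&;|")
# Only characters that can occur in a hostname or an IPv4/IPv6 literal.
_CHARSET = re.compile(r"[A-Za-z0-9.:-]{1,253}")
# Hostname label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def denylist_accepts(host: str) -> bool:
    """Model of the described check: reject only ampersand, semicolon, pipe."""
    return not (set(host) & DENYLIST)


def is_valid_target(host: str) -> bool:
    """Allowlist: accept only an IP literal or a well-formed hostname."""
    if not _CHARSET.fullmatch(host):
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return all(_LABEL.fullmatch(label) for label in host.split("."))


def build_ping_argv(host: str) -> list[str]:
    """Return ping's argv; raise ValueError for anything not allowlisted."""
    if not is_valid_target(host):
        raise ValueError(f"rejected ping target: {host!r}")
    # "--" ends option parsing, so the target is never read as a flag.
    return ["ping", "-c", "10", "--", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Run ping with no shell: the target is a single argv element."""
    return subprocess.run(build_ping_argv(host), capture_output=True,
                          text=True, timeout=30)


if __name__ == "__main__":
    for sample in ("192.0.2.1", "host.example.com", "192.0.2.1`true`"):  # constructed
        print(sample, denylist_accepts(sample), is_valid_target(sample))
```

The denylist passes the backtick sample because it enumerates known-bad characters; the allowlist rejects it because backticks are not part of any valid hostname or IP literal, and the argv form means no shell ever interprets the value.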
