lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat Jul 15 14:18:57 2006
From: kokanin at gmail.com (Knud Erik Højgaard)
Subject: Linux Privilege Escalation exploits

Until someone makes an official rating scale and everyone follows it
it will suck as much as it does now. All the extremely highly
superduper critical bla bla buzzwords are a load of crap in
marketing-style proportions - after all it's all about remote command
execution, remote data alteration, local priv escalation, file
destruction and so on. People need to decide for themselved how
critical it is. My 2krone.

On 7/15/06, David Taylor <ltr@....upenn.edu> wrote:
> I know various security research sites that release advisories on new
> vulnerabilities have their own way they determine what is critical or not.
> Privilege escalation exploits are usually local and require a local account
> to exploit. So, it seems that security research sites label these as 'less
> critical'.  But at the same time they will label a Mambo exploit that lets
> you have access to a system as 'highly critical'.  If I can launch a Mambo
> exploit against a system that has a vulnerable version of OS susceptible to
> the priv esc isn't that now extremely critical?  With all of the exploits
> out that the defacer kiddies use could a local priv esc exploit be
> integrated into these?  If so then shouldn't these vulnerabilities be rated
> higher than 'less critical'?
>
> I'm just thinking that people aren't looking at the big picture when they
> rate these vulnerabilities.
>
> ==================================================
> David Taylor //Sr. Information Security Specialist
> University of Pennsylvania Information Security
> Philadelphia PA USA
> (215) 898-1236
> http://www.upenn.edu/computing/security/
> ==================================================
>
> Penn Information Security RSS feed
> http://www.upenn.edu/computing/security/rss/rssfeed.xml
> Add link to your favorite RSS reader
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ