lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri, 09 Oct 2009 14:24:02 +0000
From: Paul Schmehl <pschmehl_lists@...rr.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: When is it valid to claim that a
 vulnerability	leads to a remote attack?

--On Thursday, October 08, 2009 22:16:01 -0500 Jonathan Leffler 
<jleffler@...ibm.com> wrote:

>
> A reputable security defect reporting organization is claiming that a Windows
> program is subject to a remote attack because:
>
> * The vulnerable program (call it 'pqrminder') is registered as the 'handler'
> for files with a specific extension (call it '.pqr').
> * If the user downloads a '.pqr' file (or is sent on in the mail and clicks
> on it), then 'pqrminder' is invoked.
> * If the file is malformed, then arbitrary code can be executed (buffer
> overflow).
>
> While recognizing that there is a bug here, that does not strike me as being
> what is normally meant by a 'remote attack'.

In fact it's very typical of the types of attacks we see every day now.  By far 
the most routinely successful attacks now are initiated through some sort of 
social engineering trick that requires user interaction to trigger the 
compromise.

If by remote you mean "live interaction by the hacker at the point of attack" 
(as in a "traditional" hack), then no, it's not a remote attack.  I think the 
more normal undertstanding of remote attack (although it's usually worded 
remote compromise) is that the result of a successful attack is the opening of 
a gateway that can lead to additional compromise or complete takeover of a 
machine.  Given the details you've offered,  think this qualifies as 
"potentially leading to a remote compromise" of a machine.

The attack begins when the unsuspecting user clicks on a link to either open an 
attachment or view a webpage or video.  In the background the compromise takes 
place, after which the malicious software "phones home", downloads additional 
tools, etc. until the host is completely and utterly compromised.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ