lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200402222340.i1MNe53B024911@linus.mitre.org>
Date: Sun, 22 Feb 2004 18:40:05 -0500 (EST)
From: "Steven M. Christey" <coley@...re.org>
To: bugtraq@...urityfocus.com
Subject: Re: is predicatable file location a vuln? (was RE: Aol Instant Messenger/Microsoft



Stuart Moore said:

>An interesting category, for sure.  I think this point deserves
>discussion.  Is the use of predictable file locations really a
>vulnerability?  We know that it can certainly facilitate exploits, but
>is it a vulnerability in and of itself?  (Or is it even an "exposure"
>as CVE defines?)

The CVE definition of "exposure" generally involves issues that can be
building blocks or stepping stones for the exploitation of other
issues.  Our classic example is running the finger daemon, which
allows someone to guess valid usernames on the server.  In general,
knowing these usernames is not in and of itself a major problem, but
it can be an important component of the exploitation of a more serious
issue.  A bug that leaks the absolute pathname for a web server isn't
necessarily a huge risk itself, except it greatly simplifies (or even
enables) the exploitation of directory traversal vulnerabilities.
These types of problems are generally included in CVE.

Note: the "exposure" term has been used in other ways in the security
community (e.g. the "Windows of Exposure" concept), so we don't try to
push our own definition in any real fashion.

>I think they are not vulnerabilities, but instead are a few of many,
>many leverage points for porous MS IE/OS security boundaries.  But
>maybe you could make an argument that some popular Win apps make
>little or no use of OS security features and so are at fault.  Or
>maybe you could say that an application written for an OS that is
>known to have security boundary issues is negligent in using
>predictable locations.  Uh oh, I guess I could really start chasing my
>tail here ...

As the editor for CVE, I've generally taken your last position.  You
often have a "design choice" and a number of "implementation errors"
that do not account for security-critical aspects of that design
choice (in fact it's an unproven theory of mine that many
implementation errors are directly facilitated by design choices).

  - if a design choice enables certain classes of implementation
    errors, then it might be regarded as a "design flaw."  People may
    disagree as to whether it's a vulnerability or an "exposure."
    Consider the design choice of including strcpy() in standard C
    libraries: strcpy(), IF PROPERLY USED, is secure; but as we all
    know, it's quite prone to misuse that leads to overflows (and we
    could extend this to general design choices in C itself).

  - any piece of software that does not work around this design flaw,
    itself has an "implementation error" that poses a vulnerability or
    exposure.  In the strcpy() case, we have many developers who don't
    work within the constraints of the design flaw (i.e. "don't give
    strcpy() a source that's bigger than the destination"), leading to
    an implementation error.  For PHP, we have a design choice that
    facilitates "remote file inclusion" vulnerabilities in a variety
    of PHP applications.

CVE identifiers are frequently assigned for implementation errors, and
sometimes for design flaws.  Note that many "application vendors" will
fix the implementation bugs that are facilitated by the design
flaw/choice (consider MS-DOS device names, for example).

In this case, I think that the reliance on unpredictable file
locations for enforcing security boundaries is a design choice that
has a growing number of implementation vulnerabilities when the file
location becomes predictable.  Just like there isn't a CVE name for
"strcpy is in the standard C libraries," there isn't a name for
"dependency on unpredictable file location," nor is there a name for
"PHP has a remote file inclusion feature."

>What happens when two issues *must* be combined inorder for a
>security impact to occur?

For CVE, we treat it like this:

  - if each issue is a security risk ON ITS OWN, then we try to assign
    separate identifiers (the general question we ask is: "if you fix
    issue A, then does issue B still pose a problem?  And vice
    versa?")

  - if the problem is an INTERACTION between 2 issues, but the
    interaction MUST be present to be security-related, then the bug
    is in the interaction itself, so we assign a single identifier and
    try to write the CVE description in a way that emphasizes the
    interaction.



Steve Christey
CVE Editor


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ