lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <200412212125.iBLLP2J3010891@linus.mitre.org>
Date: Tue, 21 Dec 2004 16:25:02 -0500 (EST)
From: "Steven M. Christey" <coley@...re.org>
To: bugtraq@...urityfocus.com
Subject: Re: DJB's students release 44 *nix software vulnerability advisories



>> And this nasm bug is then called a "remotely exploitable 
>> security hole".
>
>Obviously it is not. I don't think it is even locally exploitable.

Many of the DJB-reported issues deal with exploitation of errors in
parsers or converters for specific file formats.  Many files are
typically "shared," such as images, text documents, data exchange
formats, and so on.  So, there can be vectors in which the attacker
can send a crafted file across network-based channels - web, email,
whatever - that then could conceivably be processed by the user,
either manually or automatically.

Granted, this is a different scenario than might be encountered in
what's typically labeled a "remotely exploitable" vulnerability, but I
haven't seen any emerging terminology that's been able to make this
reasonable distinction.  However, with the growing researcher interest
in finding vulnerabilities based on irregularities in file formats,
the need for better terminology is growing.

In addition to modeling the level of authentication needed, I've been
thinking that it might also be important to note how much user/victim
participation is required for activation of the exploit, i.e. whether
the issue can be automatically exploited by normal user activity
(e.g. by simply reading an email message) or whether there's some
social engineering involved.  However, I haven't put much thought into
terminology for this besides:

  - automatic: exploit is automatically activated as a result of
    normal usage of the product

  - complicit: requires some victim participation or inaction

  - opportunistic: can not really control when, or if, the victim
    activates the exploit

Exploitation of web or email client vulnerabilities that happen as
soon as someone reads a message might be called "automatic," e.g. if
there's a buffer overflow when preparing a preview of the message.  If
the user needs to click on a button or two, e.g. to extract something
whose icon shows as a JPG when in fact it's an executable, that might
be "complicit."  If you insert terminal escape sequences into some log
file in the hopes that an admin accidentally runs "more" or "grep" on
that log file from the proper terminal, then that might be
"opportunistic."  Phishing might be regarded as either automatic or
complicit, depending on whether or not you think web client users
should check their browser's status bar every time they click on a
link.  Again, though, these are just rough ideas.

- Steve


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ