lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1106502472.37318.38.camel@localhost>
Date: Sun, 23 Jan 2005 11:47:52 -0600
From: Frank Knobbe <frank@...bbe.us>
To: Eric Knight <eric@...rdsoft.com>
Cc: "Steven M. Christey" <coley@...re.org>,
	bugtraq@...urityfocus.com, vuln-dev@...urityfocus.com
Subject: Re: "Local" and "Remote" considered insufficient

On Thu, 2003-10-23 at 11:42 -0600, Eric Knight wrote:
> Remote Authenticated
> Remote Unauthenticated
> Local Authenticated
> Local Unauthenticated.
> 
> This is the beginning of the taxnomy matrix.  


Greetings!

I'm currently catching up with emails and came across this (slightly
aged) thread. The matrix above categorizes on the "locality" of the
attack executor (being remote, exploiting a buffer overflow through the
network, or local, exploiting a suid vulnerability). It also categorizes
on the "condition of the executor" itself (anonymous/unauthenticated or
credentialed/authenticated).

However, I think there is another factor to consider when classifying
vulnerabilities -- that of the "timeliness" of the attack. I believe the
matrix should be enhanced to include:

Immediate: An attack performed will have an immediate impact on the
target. An example is the remote buffer overflow.

Delayed: An attack is initiated now, but executed later. Examples
include most email-borne viruses, trojans, malware, etc.

Including the timeliness of the attack is important, especially when
considering the adverse effects on surrounding infrastructure. An email
virus doesn't spread quite as fast as a worm like SQL slammer.


Given these three criteria, we could classify as follows:

                                     Timeliness / User Level / Locality

Daemon buffer overflow:              Immediate anonymous remote
Setuid exploitation:                 Immediate anonymous local
Emailing a setuid exploit[1]:        Delayed anonymous local
Emailing a rm -rf / script[1]:       Delayed authenticated local
Backdoor script on web page:         Delayed authenticated local
Emailing overflow to virus gateway:  Delayed anonymous remote


[1] The emailed setuid exploit script will elevate privileges by itself
while the rm -rf / requires privileges in order to be effective. This
point is probably debatable :) 


I apologies for bringing this topic up again, but I think it is
important that we find consensus on these classifications.
So I respectfully submit: Immediate/delayed

Regards,
Frank


Download attachment "signature.asc" of type "application/pgp-signature" (188 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ