lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <C0DDCCAF.228B0%ltr@isc.upenn.edu>
Date: Sat Jul 15 03:52:22 2006
From: ltr at isc.upenn.edu (David Taylor)
Subject: Linux Privilege Escalation exploits

I know various security research sites that release advisories on new
vulnerabilities have their own way they determine what is critical or not.
Privilege escalation exploits are usually local and require a local account
to exploit. So, it seems that security research sites label these as 'less
critical'.  But at the same time they will label a Mambo exploit that lets
you have access to a system as 'highly critical'.  If I can launch a Mambo
exploit against a system that has a vulnerable version of OS susceptible to
the priv esc isn't that now extremely critical?  With all of the exploits
out that the defacer kiddies use could a local priv esc exploit be
integrated into these?  If so then shouldn't these vulnerabilities be rated
higher than 'less critical'?

I'm just thinking that people aren't looking at the big picture when they
rate these vulnerabilities.

==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
==================================================

Penn Information Security RSS feed
http://www.upenn.edu/computing/security/rss/rssfeed.xml
Add link to your favorite RSS reader



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ