lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <8a6b8e350910111718w47cac46bm6723954d04ce9c84@mail.gmail.com>
Date: Sun, 11 Oct 2009 20:18:33 -0400
From: James Matthews <nytrokiss@...il.com>
To: "Thor (Hammer of God)" <thor@...merofgod.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"Valdis.Kletnieks@...edu" <Valdis.Kletnieks@...edu>,
	Jonathan Leffler <jleffler@...ibm.com>
Subject: Re: When is it valid to claim that a
	vulnerability leads to a remote attack?

If you classify a remote bug (anything that can be exploited remotely) then
you are classifying all bugs (you can use a privilege escalation exploit
remotely) I agree with Thor, anything that exploits a remote service
(HTTP,FTP Etc..) without any user interaction.

On Sun, Oct 11, 2009 at 12:54 AM, Thor (Hammer of God) <thor@...merofgod.com
> wrote:

>
>
> > I  think we can agree that yes, it is remotely exploitable and as such
> > should be categorized as "remote" in Risk/Impactt scoring systems ?
> >
> > Does anybody disagree ? I'd be interested to hear your point of view.
>
> Hey Thierry - I hope all is well...
>
> I'm happy to include "user assisted remote exploitation" as a "remote"
> vulnerability in academic conversations, but I don't categorize it as
> "remote" when assessing overall risk to a particular threat in production
> environments.  Like everyone else, my TMs include impact and skill required
> to exploit a particular vulnerability; but they also include "likelihood of
> exploitation."   While that may sound like a wildcard metric, I quantify it
> by applying the internal controls in place that may mitigate a particular
> attack.  In "my" networks (networks I control, design, or consult for) most
> users couldn't execute [common] exploits even if they wanted to.  I won't
> bore you with the controls I deploy as I'm confident you are well aware of
> the options one has, but the fact they exist at all place "user assisted
> remote exploits" in a different category for me when assessing risk.  When
> the propensity for a vulnerability to be exploited lies in a particular
> user's response to any given
>  trigger, as opposed to any authoritative in-place controls to mitigate
> exposure, then a model's relevant response options are greatly diminished
> (IMO).
>
> As such, I choose to categorize "remote" exploits as those that may be
> executed against a given host that is autonomously running a [vulnerable]
> service that can be connected to by some (any) other network client, device,
> or service for the purposes of ascertaining overall risk.
>
> t
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
http://www.goldwatches.com

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ