| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 11 Oct 2009 20:26:13 -0400 From: Jeremy Brown <0xjbrown41@...il.com> To: James Matthews <nytrokiss@...il.com>, full-disclosure@...ts.grok.org.uk Subject: Re: When is it valid to claim that a vulnerability leads to a remote attack? What are your thoughts on an exploit for a client that connects to a (malicious) service through the network? I certainly wouldn't call it a local attack... On Sun, Oct 11, 2009 at 8:18 PM, James Matthews <nytrokiss@...il.com> wrote: > If you classify a remote bug (anything that can be exploited remotely) then > you are classifying all bugs (you can use a privilege escalation exploit > remotely) I agree with Thor, anything that exploits a remote service > (HTTP,FTP Etc..) without any user interaction. > > On Sun, Oct 11, 2009 at 12:54 AM, Thor (Hammer of God) > <thor@...merofgod.com> wrote: >> >> >> > I think we can agree that yes, it is remotely exploitable and as such >> > should be categorized as "remote" in Risk/Impactt scoring systems ? >> > >> > Does anybody disagree ? I'd be interested to hear your point of view. >> >> Hey Thierry - I hope all is well... >> >> I'm happy to include "user assisted remote exploitation" as a "remote" >> vulnerability in academic conversations, but I don't categorize it as >> "remote" when assessing overall risk to a particular threat in production >> environments. Like everyone else, my TMs include impact and skill required >> to exploit a particular vulnerability; but they also include "likelihood of >> exploitation." While that may sound like a wildcard metric, I quantify it >> by applying the internal controls in place that may mitigate a particular >> attack. In "my" networks (networks I control, design, or consult for) most >> users couldn't execute [common] exploits even if they wanted to. I won't >> bore you with the controls I deploy as I'm confident you are well aware of >> the options one has, but the fact they exist at all place "user assisted >> remote exploits" in a different category for me when assessing risk. When >> the propensity for a vulnerability to be exploited lies in a particular >> user's response to any given >> trigger, as opposed to any authoritative in-place controls to mitigate >> exposure, then a model's relevant response options are greatly diminished >> (IMO). >> >> As such, I choose to categorize "remote" exploits as those that may be >> executed against a given host that is autonomously running a [vulnerable] >> service that can be connected to by some (any) other network client, device, >> or service for the purposes of ascertaining overall risk. >> >> t >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > > > -- > http://www.goldwatches.com > > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists