Vulnerability Development mailing list archives
Re: Exploit Ease Level
From: dullien () GMX DE (Thomas Dullien)
Date: Sat, 29 Apr 2000 16:10:41 +0200
On Thu, 27 Apr 2000 10:39:42 +0200, Sebastian wrote: Hey Sebastian,
The idea isn't new, for example in the NAI CyberCop handbook there is a great list with all checks CyberCop does together with a rating how popular and how difficult it is to exploit this vulnerability. Btw, I think, a knowledgeable reader of this mailing list might have a rough impression of the difficulty after having checked out the situation for a couple of minutes. For the really wicked tricks used in exploits the reader has to check the exploits comments anyway in case he understands them.
Actually, the only kind of 'difficulty level' I think one could reliably mention is the fact whether a relatively reliable exploit can be written at all :) I mean isn't that fact enough for anyone ? If the exploit can be written, then it will be written to be easily usable. Thats the way life is :) If on the other hand an exploit can only be written with substantial information about a target system (which _exakt_ patch he has installed or perhabs which exact base address the kernel has or whatever) or a lot of guesswork, one can mention it. But I think a rating system is not ... well ... useful :) Thomas Dullien
Current thread:
- Re: Exploit Ease Level Thomas Dullien (Apr 29)