Full Disclosure mailing list archives

Re: Linux Privilege Escalation exploits

From: "Knud Erik Højgaard" <kokanin () gmail com>
Date: Sat, 15 Jul 2006 15:18:51 +0200

Until someone makes an official rating scale and everyone follows it
it will suck as much as it does now. All the extremely highly
superduper critical bla bla buzzwords are a load of crap in
marketing-style proportions - after all it's all about remote command
execution, remote data alteration, local priv escalation, file
destruction and so on. People need to decide for themselved how
critical it is. My 2krone.

On 7/15/06, David Taylor <ltr () isc upenn edu> wrote:

I know various security research sites that release advisories on new
vulnerabilities have their own way they determine what is critical or not.
Privilege escalation exploits are usually local and require a local account
to exploit. So, it seems that security research sites label these as 'less
critical'.  But at the same time they will label a Mambo exploit that lets
you have access to a system as 'highly critical'.  If I can launch a Mambo
exploit against a system that has a vulnerable version of OS susceptible to
the priv esc isn't that now extremely critical?  With all of the exploits
out that the defacer kiddies use could a local priv esc exploit be
integrated into these?  If so then shouldn't these vulnerabilities be rated
higher than 'less critical'?

I'm just thinking that people aren't looking at the big picture when they
rate these vulnerabilities.

==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
==================================================

Penn Information Security RSS feed
http://www.upenn.edu/computing/security/rss/rssfeed.xml
Add link to your favorite RSS reader



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Linux Privilege Escalation exploits David Taylor (Jul 14)
- Re: Linux Privilege Escalation exploits Valdis . Kletnieks (Jul 14)
- Re: Linux Privilege Escalation exploits Knud Erik Højgaard (Jul 15)
  - Re: Linux Privilege Escalation exploits Tim (Jul 15)
    - Re: Linux Privilege Escalation exploits Christian Swartzbaugh (Jul 18)