Secure Coding mailing list archives
Re: DJB's students release 44 poorly-worded, overblown advisories
From: dtalk-ml () prairienet org
Date: Mon, 20 Dec 2004 21:53:22 +0000
Paco Hope wrote:
Somebody's gotta come up with a reasonable definition of "remotely exploitable."
Agreed; this lack of an agreed-upon vocabulary is the cause of all sorts of misunderstandings that don't make the news. These days, with everything networked, I'm not sure proximity is usually a meaningful distinction, so "local" and "remote" aren't useful terms. In my experience, many people tend to use the term "remote" to mean "no prior account access", while "local" tends to be used to mean "privilege escalation" (an existing account is required to take advantage of the flaw).

Brain droppings: It seems to me that there are at least three different dimensions of unauthorized access.

Interactivity:
1. Gaining access to some security context by means of social engineering or predictable user behavior.
2. Gaining access to some security context without user interaction or social engineering.

Proximity:
a. Gaining privilege access by means of physical access, or
b. Gaining privilege access over a network.

Level:
I. Gaining access to an interesting, but "unprivileged", context, or
II. Gaining access to a privileged "system" context.

So what's usually called a "remote root exploit" is an event with characteristics 2, b, and II.

Therefore, is a browser bug a "remote" exploit? Well, yes, strictly speaking; the author didn't need physical access to run it. However, it is also interactive and gains only a user context (which on some poorly configured systems might mean system privilege, but that's beside the point).

As Paco points out, an "exploit" which is interactive and gains only the context granted by the (presumably ignorant) user isn't necessarily an "exploit", or even a technical problem, though it might grant the malware access to an actual flaw that will allow escalation.

--
David Talkington [EMAIL PROTECTED]