Vulnerability Development mailing list archives

Re: Exploit Ease Level


From: rsavage () CROSSWINDS NET (Rory Savage)
Date: Fri, 28 Apr 2000 17:43:54 -0400


Max,

   I understand your comments, however I think you may have misunderstood
my concern about `an Exploit Easibility Rating`. Though the amount of
impact an exploit may pose vs. the amount of work needed to fix it is
related, my concern was on actually 'Reproducing the Exploit' for test
purposes. Where some are concerned with the impact and ease of fix, some
are concerned with 'reproducing' the exploit and the amount of time and
elbow grease involved.
   Such a rating could help System Administrators, and Security officials
with two key aspects. 1. The amount of effort to cause the exploit on
their systems, and 2. Who is capable of the attack.

   I hope this cleared things up. :)

Rory Savage

--
Systems Administrator
 email: rsavage () crosswinds net
.-.-.-..---..-..-..---.
| | | || | || .` || |'_
`-----'`-^-'`-'`-'`-'-/
-=/ MCI WorldCom/WANG/FAA \=-
 work (919)-377-7702
 beep (800)-PAGE-MCI
 page mail: 1433539 () pagemci com

On Wed, 26 Apr 2000, Max Vision wrote:

On Tue, 25 Apr 2000, Rory Savage wrote:
I wish there was an `Exploit Ease Reference Level`, so when one posts an
exploit, they would also post an `Easebility` level to let others know
if it's an easy trick, or a drawn-out project that involves a lot of
time.  This is just a suggestion, but I think it would really work out well,
especially for these mailing lists. But I know I am farting in the wind
again... and nobody cares... but in a few months, somebody will steal my
idea anyway (and call it their own).

In fact, I just might draft up a proposal... and see that the `scene`
thinks about it.

Cheers!

Rory,

This is actually a really old idea that has been around at least in
commercial security scanners (such as Ballista/Cybercop) for some number
of years (sometimes referred to as "complexity").  I believe several
security groups are working these sorts of values into metrics of overall
risk levels for various vulnerabilities (alongside impact, popularity,
ease of fix, etc) - so when a hole is found, it gets a certain score for
these traits and an overall threat level is determined.

IMHO many times these values are dangerously wrong and can lead to
problems.  In some products I've seen "ease of exploit" listed as very
complex when I know it to be push-button easy.

Max
