Vulnerability Development mailing list archives

Re: Remote vs Local vulnerabilities (Was: Re: [VULN-DEV] ping -i (TTL) Vulnerability)


From: Ryan Permeh <ryan () EEYE COM>
Date: Fri, 23 Feb 2001 09:41:38 -0800

i absolutely agree.  our bug (asphack 1.5) was 100% local, and if you took
the code and wanked it a little bit, you could pretty easily just generate
a .asp file that you could upload via any method.  all of our code relied on
being able to get a .asp there, the unicode bug was just an interesting
injection vector for us.

in this case, fixing the unicode bug denies this vector for a "remote"
attack, and even if it didn't, you could write a heavy multithreaded app
that you use unicode to upload (you can upload _SOME_ binaries using
unicode, as evidenced by our uploader, but it requires parsing the file and
obfuscating via % codes and using \ when necessary so your shell doesn't
crap out).  an app that just spins threads and does something wanky like
this:
/*pseudocode, i'm not in my ide so i didn't test this, it may or may not
work, don't go writing scripts on this crap*/
DWORD WINAPI threadme(LPVOID unused)
{
    HANDLE t[64];
    DWORD tid, i;
    (void)unused;
    /* every thread starts 64 more copies of itself */
    for(i=0;i<64;i++) t[i]=CreateThread(NULL,0,threadme,NULL,0,&tid);
    /* then spins until all of them exit (which they never do) */
    while(1) if(WaitForMultipleObjects(64,t,TRUE,0) != WAIT_TIMEOUT) break;
    return 0;
}

this is pretty similar to the standard unix forkbomb (there are thousands of
ways to do this, this is just a simple one);  this isn't even really a local
bug, it's a resource depletion.  process quotas properly implemented would
stop this (and likely the ping bug too).  running this on a server will
deplete resources and whatnot, tied with remote bugs like unicode would
effectively DoS the server, BUT THIS IS A LOCAL PROBLEM (if a problem at
all)!!!

Sorry if this is incoherent, too little sleep will do that to you.
Signed,
Ryan
eEye Digital Security Team
http://www.eEye.com
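The "process quotas" Ryan mentions, shown as an added example that is not code from this post: on POSIX the per-user quota is setrlimit(RLIMIT_NPROC), and once the user's process (or, on Linux, thread) count reaches the soft limit, fork() fails with EAGAIN instead of taking the box down. The function names and the cap of 16 are constructed for illustration; it assumes an unprivileged user, because Linux does not enforce RLIMIT_NPROC for root, in which case no fork is refused.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Cap the number of processes the calling user may own.  The soft limit is
 * what fork() checks; the hard limit is only ever lowered, since an
 * unprivileged process cannot raise it.  Returns 0 or -1 (errno set). */
int apply_process_quota(rlim_t max_procs)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0) return -1;
    if (max_procs < rl.rlim_max) rl.rlim_max = max_procs;
    rl.rlim_cur = max_procs < rl.rlim_max ? max_procs : rl.rlim_max;
    return setrlimit(RLIMIT_NPROC, &rl);
}

/* Try to spawn `want` (at most 64) children that block until signalled.
 * Returns how many fork() calls succeeded; *quota_hits counts the ones the
 * quota refused with EAGAIN.  Every child is killed and reaped before
 * returning, so the process table is left as it was found. */
int spawn_bounded(int want, int *quota_hits)
{
    pid_t kids[64];
    int ok = 0, i;
    *quota_hits = 0;
    if (want > 64) want = 64;
    for (i = 0; i < want; i++) {
        pid_t p = fork();
        if (p == 0) { pause(); _exit(0); }      /* child: sleep until SIGTERM */
        if (p > 0) { kids[ok++] = p; continue; }
        if (errno == EAGAIN) (*quota_hits)++;   /* the quota fired */
        else break;                             /* unrelated failure: stop */
    }
    for (i = 0; i < ok; i++) { kill(kids[i], SIGTERM); waitpid(kids[i], NULL, 0); }
    return ok;
}

int main(void)
{
    int hits = 0, ok;
    /* constructed cap: low enough that a burst of 32 forks should trip it */
    if (apply_process_quota(16) != 0) { perror("setrlimit"); return 1; }
    ok = spawn_bounded(32, &hits);
    printf("forked %d children, quota refused %d\n", ok, hits);
    return 0;
}
```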

----- Original Message -----
From: "syzop" <syz () DDS NL>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Friday, February 23, 2001 7:43 AM
Subject: Remote vs Local vulnerabilities (Was: Re: [VULN-DEV] ping -i (TTL)
Vulnerability)


-No Strezzz Cazzz wrote:
-- snip --

I thought that when a bug could get triggered from a remote location the bug
itself is considered a remote bug. In this case it's a remote as well as a
local bug. I want a p0ny...

No, the IIS unicode bug is a remote one,
the ping -i a local one (_if_ you call it a bug [which I don't, also see
rpc's answer]).

A remote bug (or remotely exploitable bug) is a bug which lets you do
'nasty things' from a remote location like executing code, crashing a
program, etc etc.

A local bug is a bug which lets you do 'nasty things' by doing something at
the box locally (for example: overflowing some buffer in a suid root program
by carefully crafted parameters and gaining a root shell).
You are only able to exploit a local vulnerability when you have a shell;
like an account, or, as you described, to use a remote vulnerability to
exploit a local vulnerability.
Another (well known) example of such a combination is using the
(remote) IIS unicode bug combined with the (local) IIS asp bug [iishack
1.5].

    Syzop.