Re: Win32 vulnerability? Or application vulnerability?

From: Deus, Attonbitus (Thor@HAMMEROFGOD.COM)
Date: 08/08/02

Date:         Thu, 8 Aug 2002 11:44:00 -0700
From: "Deus, Attonbitus" <Thor@HAMMEROFGOD.COM>

At 10:45 AM 8/8/2002, Mike Murray wrote:

>The fact is, we've seen a significant number of extremely useful and valid
>tools that run only locally. The LPC Ports vulnerability that was released a
>couple of years ago (and the corresponding exploit) was useful in any
>situation where an exploit gave local unprivileged access.
>Put simply, this is a local root exploit. We don't ignore these types of
>exploit for a *nix box; we shouldn't ignore them for a Windows box.

Excellent points. I agree that trivially exploitable local root
vulnerabilities should be considered.
Though I didn't say so in my previous post, I was thinking primarily about
the requirements to remotely exploit the vulnerability.

Russ's statement is valid as well... I guess I may be a bit quick to rush
to the finality of the 'rootkit' exploit model. It's just that when you
see the things that folks like Greg Hoglund and JD Glaser can do with a
tiny bit of code that dynamically loads in the kernel space, it is easy to
arrive at the superlative mind-set that nothing else matters beyond that.

And having said that, I guess I must further substantiate your point by
admitting that when I have the chance to do so, simple, existing tools to
escalate privileges are the first thing I try. This is a similar
discussion I had with Harlan Carvey when I said "just rootkit the box" and
he said "yes, but how many times have you really done that as opposed to
simple priv esc stuff?"

So I acquiesce a bit to your position, but still believe, particularly in
examples like this, that when a remote exploit requires code to be executed
first, the potential for abuse is greatly mitigated.

Thanks again for the lucid remarks.
