Re: "Local" and "Remote" considered insufficient

From: Frank Knobbe (frank_at_knobbe.us)
Date: 01/23/05

    To: Eric Knight <eric@swordsoft.com>
    Date: Sun, 23 Jan 2005 11:47:52 -0600


    On Thu, 2003-10-23 at 11:42 -0600, Eric Knight wrote:
    > Remote Authenticated
    > Remote Unauthenticated
    > Local Authenticated
    > Local Unauthenticated.
    >
    > This is the beginning of the taxonomy matrix.

    Greetings!

    I'm currently catching up with emails and came across this (slightly
    aged) thread. The matrix above categorizes on the "locality" of the
    attack executor (being remote, exploiting a buffer overflow through the
    network, or local, exploiting a suid vulnerability). It also categorizes
    on the "condition of the executor" itself (anonymous/unauthenticated or
    credentialed/authenticated).

    However, I think there is another factor to consider when classifying
    vulnerabilities -- that of the "timeliness" of the attack. I believe the
    matrix should be enhanced to include:

    Immediate: An attack performed will have an immediate impact on the
    target. An example is the remote buffer overflow.

    Delayed: An attack is initiated now, but executed later. Examples
    include most email-borne viruses, trojans, malware, etc.

    Including the timeliness of the attack is important, especially when
    considering the adverse effects on surrounding infrastructure. An email
    virus doesn't spread quite as fast as a worm like SQL slammer.

    Given these three criteria, we could classify as follows:

                                          Timeliness / User Level   / Locality

    Daemon buffer overflow:               Immediate  / anonymous    / remote
    Setuid exploitation:                  Immediate  / anonymous    / local
    Emailing a setuid exploit[1]:         Delayed    / anonymous    / local
    Emailing a rm -rf / script[1]:        Delayed    / authenticated / local
    Backdoor script on web page:          Delayed    / authenticated / local
    Emailing overflow to virus gateway:   Delayed    / anonymous    / remote

    [1] The emailed setuid exploit script will elevate privileges by itself
    while the rm -rf / requires privileges in order to be effective. This
    point is probably debatable :)

    I apologize for bringing this topic up again, but I think it is
    important that we find consensus on these classifications.
    So I respectfully submit: Immediate/delayed

    Regards,
    Frank
