Bugtraq mailing list archives

Re: On classifying attacks

From: Crispin Cowan <crispin () novell com>
Date: Wed, 03 Aug 2005 23:29:11 -0700

Forte Systems - Iosif Peterfi wrote:

Basicaly, compound attacks need the victim intervention.

No; compound attacks need more than one attack vector. In your example
of attacking a web server, the attacker needs a compound attack
comprised of a remote->local attack and a local->root attack to take
over the machine. It is "compound" in that it is comprised of more than
one attack, but does not necessarily involve the victim's intervention.

Crispin
-- 
Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com

Current thread:

RE: On classifying attacks Forte Systems - Iosif Peterfi (Aug 01)
- RE: On classifying attacks Tim Nelson (Aug 04)
  - RE: On classifying attacks Forte Systems - Iosif Peterfi (Aug 06)
- Re: On classifying attacks Thierry Carrez (Aug 06)
- <Possible follow-ups>
- Re: On classifying attacks Daniel Weber (Aug 01)
  - Re: On classifying attacks Shwaine (Aug 06)
  - Re: On classifying attacks Duncan Simpson (Aug 06)
- Re: On classifying attacks Crispin Cowan (Aug 04)