Re: CVSS is the worst compression algorithm ever

[Christian Heinrich <christian.heinrich () cmlh id au>]

Dave,

On Fri, 11 Jan 2019 at 04:51, Dave Aitel <dave.aitel () gmail com> wrote:
> The issue is simplified to: If an SQLi exists, how does that rank for the
> CVSS Confidentiality, Integrity, and Availability sections. Like, here's
> an example: https://nvd.nist.gov/vuln/detail/CVE-2013-0375 . As you
> can see there is "low" impact on confidentiality and integrity, and NO
> impact on availability.

For the record, Bruce from https://www.first.org/members/teams/oracle
represented their feedback to cvss-sig () lists first org

On Fri, 11 Jan 2019 at 04:51, Dave Aitel <dave.aitel () gmail com> wrote:
> But how can that be correct? The questions you start to ask as you
> make those decisions are: What user context am I running in on the
> SQL Server (i.e. sa?) and what does that user have access to in
> terms of tables, and what importance is that information? Also what
> clause is the injection running in the SQL statement itself? Does this
> database support sub-queries such that I can alter information? Are
> there functions that do things with side effects I can call? Answering
> these questions is complex and possibly dependent on configuration
> and the CVSS way is to assume the worst, which cannot POSSIBLY
> BE "LOW".

Please refer to the "Addition Of Partial+ Rating" section of
https://www.oracle.com/technetwork/topics/security/cvssscoringsystem-091884.html
under "CVSS Version 2.0" heading.

On Fri, 11 Jan 2019 at 04:51, Dave Aitel <dave.aitel () gmail com> wrote:
> And at a minimum, you would expect possible Availability issues to be
> high, because anyone who's played with an SQL injection tool knows
> that even doing SLEEP statements has a tendency to take down web
> applications. Imagine if your goal was to take down a web application
> with an SQLi...? I think Microsoft Research did a whole paper on doing
> SQL Injection timing attacks just with random function calls? I can't find
> it now though.
>
> Ok, so that brings us to XSS and "HTTPOnly" and the FIRST.org
> assessment: 
> https://www.first.org/cvss/examples#1-phpMyAdmin-Reflected-Cross-site-Scripting-Vulnerability-CVE-2013-1937
>
> I've never run phpMyAdmin, and I've certainly never tried to use BeEF
> with a XSS in an attack against it. But you'd have to imagine that it
> would work fine to drive the interface, and that interface looks like it has
> a full "execute any SQL statement" section in it. Also usually with this
> sort of program you have a whole "install add-on" interface, which if
> driven at the administrator level, is RCE. I don't consider that two bugs,
> because "installing an add-on" is the functionality admin users need to
> have and it's completely built-in.
>
> So the question is: Can phpMyAdmin be driven AS IF FROM THE
> ADMIN by this XSS (aka, is the proper CVSS score an 11?) I would
> guess yes. Or, am I completely wrong, and the impact is quite limited?

Please refer to "3.7. Vulnerability Chaining" section of
https://www.first.org/cvss/user-guide


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave