Vulnerability Development mailing list archives

Re: Exploit Ease Level


From: scut () NB IN-BERLIN DE (Sebastian)
Date: Thu, 27 Apr 2000 10:39:42 +0200


Hi Rory :)

On Tue, Apr 25, 2000 at 10:32:05PM -0400, Rory Savage wrote:

> I wish there was an `Exploit Ease Reference Level`, so when one posts an
> exploit, they would also post an `Easability` level to let others know
> if it's an easy trick, or a drawn-out project that involves a lot of
> time.  This is just a suggestion, but I think it would really work out well,

Such an `Exploit Ease Reference Level` could only be very rough. Some buffer
overflows that look like they can be exploited easily turn out to be very
difficult to exploit (example: qpopper 2.1.4r3 stack overflow on Linux).
The other way round, sometimes there is a complex situation which can be
reduced by a knowledgeable person to a fully working exploit (example:
wuftpd 2.5.0 heap overflow, where 5 offsets can be reduced to just one).

Hence it is difficult to set such a level before having dug into the
situation. On the other hand, after you've checked for exploitability you
can set such a level, I agree. But what kind of "easability" do you refer to?
The one a user of the exploit has, the one the creator had, or the one the
creator thinks other people will have in understanding his work?

> especially for these mailing lists. But I know I am farting in the wind
> again... and nobody cares... but in a few months, somebody will steal my
> idea anyway (and call it their own).

The idea isn't new; for example, in the NAI CyberCop handbook there is a
great list of all the checks CyberCop does, together with a rating of how
popular each vulnerability is and how difficult it is to exploit. Btw, I think a
knowledgeable reader of this mailing list might have a rough impression
of the difficulty after having checked out the situation for a couple
of minutes. For the really wicked tricks used in exploits the reader has
to check the exploit's comments anyway, provided he understands them.

And for the others such a rating is confusing because it still
doesn't tell you anything about whether this is really a "ready-for-script-kid"
exploit.

> In fact, I just might draft up a proposal... and see what the `scene`
> thinks about it.

I'd like to read that :-)

> Cheers!
> Rory Savage

ciao,
scut

--
- scut () nb in-berlin de - http://nb.in-berlin.de/scut/ --- you don't need a --
-- lot of people to be great, you need a few great to be the best ------------
http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
-- data in VK/USA Mayfly experienced, awaiting transfer location, hi echelon -


