Vulnerability Development mailing list archives
Re: Remote vs Local vulnerabilities (Was: Re: [VULN-DEV] ping -i (TTL) Vulnerability)
From: Ryan Permeh <ryan () EEYE COM>
Date: Fri, 23 Feb 2001 09:41:38 -0800
i absolutely agree. our bug (asphack 1.5) was 100% local, and if you took the code and wanked it a little bit, you could pretty easily just generate a .asp file that you could upload via any method. all of our code relied on being able to get a .asp there, the unicode bug was just an interesting injection vector for us. in this case, fixing the unicode bug denies this vector for a "remote" attack, and even if it didn't, you could write a heavy multithreaded app that you use unicode to upload (you can upload _SOME_ binaries using unicode, as evidenced by our uploader, but it requires parsing the file and obfuscating via % codes and using \ when necessary so your shell doesn't crap out). an app that just spins threads and does something wanky like this:

    /* pseudocode, i'm not in my ide so i didn't test this, it may or may not
       work, don't go writing scripts on this crap */
    #include <windows.h>

    DWORD WINAPI threadme(LPVOID unused)
    {
        HANDLE t[64];
        DWORD tid, i;

        /* every instance spawns 64 more copies of itself */
        for (i = 0; i < 64; i++)
            t[i] = CreateThread(NULL, 0, threadme, NULL, 0, &tid);

        /* then spins waiting on all of them (which never return) */
        while (1)
            if (WaitForMultipleObjects(64, t, TRUE, 0) != WAIT_TIMEOUT)
                break;
        return 0;
    }

this is pretty similar to the standard unix forkbomb (there are thousands of ways to do this, this is just a simple one); this isn't even really a local bug, it's a resource depletion. process quotas properly implemented would stop this (and likely the ping bug too). running this on a server will deplete resources and whatnot, tied with remote bugs like unicode would effectively dos the server, BUT THIS IS A LOCAL PROBLEM (if a problem at all)!!!

Sorry if this is incoherent, too little sleep will do that to you.

Signed,
Ryan
eEye Digital Security Team
http://www.eEye.com

----- Original Message -----
From: "syzop" <syz () DDS NL>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Friday, February 23, 2001 7:43 AM
Subject: Remote vs Local vulnerabilities (Was: Re: [VULN-DEV] ping -i (TTL) Vulnerability)
-No Strezzz Cazzz wrote:
-- snip --
> I thought that when a bug could get triggered from a remote location the bug itself is considered a remote-bug. In this case it's a remote as well as a local bug. I want a p0ny...

No, the IIS unicode bug is a remote one, the ping -i a local one (_if_ you call it a bug [which I don't, also see rpc's answer]).

A remote bug (or remotely exploitable bug) is a bug which lets you do 'nasty things' from a remote location like executing code, crashing a program, etc etc. A local bug is a bug which lets you do 'nasty things' by doing something at the box locally (for example: overflowing some buffer in a suid root program by carefully crafted parameters and gaining a root shell). You are only able to exploit a local vulnerability when you have a shell; like an account, or, as you described, to use a remote vulnerability to exploit a local vulnerability. Another (well known) example of such a combination is using the (remote) IIS unicode bug combined with the (local) IIS asp bug [iishack 1.5].

Syzop.
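Ryan's point above is that process quotas are what actually stop this kind of resource depletion. As an added example (not code from either poster), the program below shows the unix side of his forkbomb comparison: it lowers the per-user process quota with setrlimit(RLIMIT_NPROC) and counts how many spawns the kernel refuses with EAGAIN. It assumes Linux/POSIX and an ordinary (non-root) user, since root is exempt from that quota; the function and struct names are my own.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

struct spawn_result {   /* outcome of spawning under a process quota */
    int attempted;      /* fork() calls made */
    int succeeded;      /* children created (each reaped before the next fork) */
    int refused;        /* fork() failed with EAGAIN: the quota held */
};

/* Lower this process's soft RLIMIT_NPROC to `quota`, try `attempts` forks of
 * children that exit at once, then restore the old limit. Each child is reaped
 * immediately, so the experiment never holds more than one extra process. */
struct spawn_result spawn_under_quota(rlim_t quota, int attempts)
{
    struct spawn_result r = {0, 0, 0};
    struct rlimit old, tmp;
    if (getrlimit(RLIMIT_NPROC, &old) != 0)
        return r;
    tmp = old;
    tmp.rlim_cur = quota;              /* soft limit only; hard limit untouched */
    if (setrlimit(RLIMIT_NPROC, &tmp) != 0)
        return r;
    for (int i = 0; i < attempts; i++) {
        r.attempted++;
        pid_t pid = fork();
        if (pid == 0) {
            _exit(0);                  /* child: nothing to do */
        } else if (pid > 0) {
            r.succeeded++;
            waitpid(pid, NULL, 0);     /* reap so the user's count drops again */
        } else if (errno == EAGAIN) {
            r.refused++;               /* the kernel enforced the quota */
        } else {
            break;                     /* unrelated failure: stop here */
        }
    }
    setrlimit(RLIMIT_NPROC, &old);     /* put the original limit back */
    return r;
}

int main(void)
{
    /* quota 1: this process already fills it, so a non-root user sees every fork refused */
    struct spawn_result r = spawn_under_quota(1, 5);
    printf("attempted=%d succeeded=%d refused=%d\n", r.attempted, r.succeeded, r.refused);
    return 0;
}
```

Run as an ordinary user this prints attempted=5 succeeded=0 refused=5; as root every fork goes through because RLIMIT_NPROC is not enforced for it. The quota of 1 is only for the demonstration, a real setting leaves the account's normal processes room.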