[VIM] On classifying attacks (fwd)

security curmudgeon jericho at attrition.org
Fri Jul 15 15:01:19 EDT 2005

---------- Forwarded message ----------
From: Derek Martin <code at pizzashack.org>
To: bugtraq at securityfocus.com
Date: Thu, 14 Jul 2005 22:39:30 -0400
Subject: On classifying attacks

The issue has come up on bugtraq before, but I think it is worth
raising it again.  The question is how to classify attacks against
users' client programs which come from the Internet, e.g. an e-mail
carrying a malicious trojan horse payload.  The reason this is
important is because we judge how serious a particular vulnerability
is based on how it is classified.  We normally ask two main questions:

   - Is this a root vulnerability, i.e. does it have the potential
     grant the attacker the privileges of the system management account?

   - Is the vulnerability remotely exploitable?

The latter is a question which, when an answer is attempted,
sometimes raises debate.  The case of the trojan e-mail is a prime
example of this.

Some are tempted to call this a remote exploit.  The payload finds its
way to the attacker's machine via a network, after all...  The
attacker isn't logged in to the victim's machine.  Security
researchers are also eager to publish remotely exploitable
vulnerabilities, perhaps because such a vulnerability is generally
considered to be much more severe than one that is not, and thus more
notariety comes with publishing such a vulnerability.

This kind of attack has a name already: it is a trojan horse.  A
malicious payload is disguised as an innocuous e-mail, usually with an
attachment.  Once the user views the e-mail, or possibly even when the
mail client tries to display headers in the message index, a bug is
triggered which unleashes the payload on the poor unsuspecting user.
But is this a remote exploit?

Examine what is happening when the exploit is executing.  The payload
is already on the user's system.  It was delivered via some MTA
(possibly the same program the user uses to read mail, possibly not)
onto the user's filesystem.  This is the remote part.  But, usually,
at this point there has been no exploit.  Only after the user opens
the mail, or looks at it in the message index, does the exploit
happen.  The payload is already local to the machine, and it is the
action of a local user which triggers the exploit.  It is a passive
attack, launched by an attacker who can only HOPE that the user will
fall into his trap, even if he knows the user is using vulnerable code.
Nothing the attacker can do remotely will force the exploit to be
triggered.  Only once the user has acted will the payload become an
exploit.  This is not truly a remote exploit.

By contrast, look at a remote exploit against BIND.  An attacker
launches the attack, which is an active attack...  The attacker sends
data directly to the running named daemon, in order to exploit some
bug in the program.  The actions of the attacker, if he is successful,
are the direct cause of the compromise.  Once the DNS server software
has been started, no intervention is required by a user on the local
system to effect the exploit.  This is a true remote exploit.

What is clear is that e-mail trojans, and other kinds of attacks which
are similar in nature, ARE more of a threat than what we normally
think of as local exploits, and should be treated as such.  They have
some similar characteristics to remotely exploitable vulnerabilities:
they can allow an attacker who normally would not have authorized
access, or even physical access, to gain access to the system.  But
they are not as severe as truly remote exploits, because often (if not
most of the time) careful users can avoid the affects of such an
attack, even though they may be running vulnerable code.

So let's return to the questions we ask, when deciding how severe an
attack may be.  Perhaps what we need is not to call these remote
exploits, but to ask a new question:  Does the vulnerability make my
system susceptible to trojan horse attacks?  These vulnerabilities
really should answer "no" to the remote exploit question, but "yes" to
this new question.  A yes answer here clearly indicates a more severe
threat than a local exploit, but somewhat less of a threat than a
truly remote exploit.  Assessing the threat properly helps everyone.

Derek D. Martin
GPG Key ID: 0x81CFE75D

More information about the VIM mailing list