[VIM] r0t on "bugtraqs @ all"

security curmudgeon jericho at attrition.org
Mon Jun 19 02:32:52 EDT 2006


: > Actually we don't verify every vulnerability. We're a little late in
: > making entries because many times what is one secunia entry may be 20
: > OSVDB entries (be it 20 files affected by XSS or 20 diff Mozilla
: > advisories).
: 
: Just out of curiosity - in retrospect, do you think that 
: "split-by-executable" has worked well for OSVDB?  It's a clear rule and 
: easily understood, which is a big win.

I can easily argue both methods as far as VDBs go. I have one entry in my 
queue that I groan at and push to another day over and over, because it is 
a huge split (remote file inclusion). Technically, it qualifies for a 
split by our rules as the code is in each .php file, not common code in an 
underlying library. Any one of these php files could exist on a server, 
independent of the others (which is a big reason that led to our decision 
to split entries). On the flip side, it is obvious the author just 
cut/pasted a few lines of common code and replaced the file call as needed.

Does it benefit our users to have 70 entries for this product? Our rules 
state we should split them out, but does it actually benefit anyone? While 
it may clutter up the database a bit, the obvious advantage comes at 
analysis/statistics time, when we can be sure we followed standards, making 
interpretation of said stats less debatable.

: > You can't just slap the same SQL syntax into every one and have
: > it work. The criteria we use for 'exploit published' is if the exact
: > exploit syntax is published OR if we think any reasonable administrator
: > could duplicate the attack. In a few cases, if the XSS is complex and
: > requires very specialized character usage or escaping, and the researcher
: > doesn't provide an example, we'll make it 'rumored'.
: 
: Personally, if the researcher has enough clue to note that there are some
: special conditions that prevent this from being garden variety XSS, it's
: slightly more authoritative than "exploit is rumored."  To take it to an
: extreme - EVERYTHING David Litchfield posts could technically be called
: "exploit is rumored" due to the NGS disclosure policy for delayed details,

We categorize that as "Exploit unavailable", meaning we know it exists, it 
just isn't published. This is usually tagged for the likes of Litchfield, 
ZDI, iDefense, ISS, etc.: the shops that will develop the exploit code for 
various reasons, but not release it.
