[Owasp-leaders] Consensus on arbitrary code execution flagged remote or local?

Antonio Fontes antonio.fontes at owasp.org
Tue Nov 30 05:33:45 EST 2010


Some exploit/vuln databases differentiate remote execution flaws
from local execution flaws in that they don't require actions to be
initiated locally (typically: buffer overflows on internet listening

According to the Wikipedia arbitrary code execution page
(http://en.wikipedia.org/wiki/Talk:Arbitrary_code_execution), "remote"
is simply defined as "the ability to trigger arbitrary code execution
from one machine on another".

This is typically a definition I haven't been looking up in dictionaries
for years now and I've thought there would still be some clear
differentiation, especially when dealing with risk assessments,
between the requirement of a "local action" and the requirement of a
"listening service".

Coincidentally, this discussion was raised with a chapter member, who
noticed the increasing prevalence of PDF/Flash vulnerabilities being
flagged under "remote code execution".

When looking at CVE-2010-3654 (Adobe PDF/Flash code execution), I
see a CVSS score of 9.3, with attribute "level of authentication
needed" set to "none" and "exploit range" set to "network".

The recently disclosed ProFTPD remote code execution (ZDI-10-229,
CVSS=10), which requires no "user action" at all, receives a CVSS of
10 and also has an exploit range set to "network".

I am a bit surprised that a flaw requiring a local user to download a
file through a local execution handler (PDF/Flash plugin) is ranked
the same as a flaw that only requires some guy somewhere to enter an
IP address and get root, remotely, on a system.

Moreover, if we update CVE-2010-3654 to "local" range, the CVSS score
goes down to 6.9.

My question: what is our current consensus at OWASP on the definitions
of remote arbitrary code execution and local arbitrary code execution?

Antonio Fontes

OWASP Geneva Chapter
