[Owasp-leaders] Consensus on arbitrary code execution flagged remote or local?
antonio.fontes at owasp.org
Tue Nov 30 05:33:45 EST 2010
Some exploit/vulnerability databases differentiate remote execution flaws
from local execution flaws, in that they don't require actions to be
initiated locally (typically: buffer overflows on internet listening
According to the Wikipedia arbitrary code execution page
is simply defined as "the ability to trigger arbitrary code execution
from one machine on another".
This is typically a definition I haven't been looking up in dictionaries
for years now, and I thought there would still be some clear
differentiation, especially when dealing with risk assessments,
between the requirement of a "local action" and the requirement of a
Coincidentally, this discussion was raised with a chapter member, who
noticed the increasing prevalence of PDF/Flash vulnerabilities being
flagged under "remote code execution".
When looking at CVE-2010-3654 (Adobe PDF/Flash code execution), I
see a CVSS score of 9.3, with attribute "level of authentication
needed" set to "none" and "exploit range" set to "network".
The recently disclosed ProFTPD remote code execution (ZDI-10-229,
CVSS=10), which requires no "user action" at all, receives a CVSS of
10 and also has an exploit range set to "network".
I am a bit surprised that a flaw requiring a local user to download a
file through a local execution handler (PDF/Flash plugin) is ranked
the same as a flaw that only requires some guy somewhere to enter an
IP address and get root, remotely, on a system.
Moreover, if we update CVE-2010-3654 to "local" range, the CVSS score
goes down to 6.9.
My question: what is our current consensus at OWASP on the definitions
of remote arbitrary code execution and local arbitrary code execution?
OWASP Geneva Chapter
Join the mailing list: https://lists.owasp.org/mailman/listinfo/owasp-Geneva