Hi Dan,

DK> There are a substantial number of file formats that are code-execution
DK> equivalent with no exploits necessary -- .exe, .com, .bat, etc. You thus
DK> can't say that an executed file must not execute code, because there's no
DK> way for the user to know whether a file on his desktop is an .exe or
DK> something else.

Maybe I misunderstand what you are saying, but isn't the point in this case that running binary files mapped as executables is not exploiting a vulnerability in a third party application?

I understood that Jonathan was asking whether the exploitation of a file format vulnerability in Product X can be categorized as remotely exploitable - even though it is not exposed to the outside and one can only reach arbitrary control by indirect means.

I think we can agree that yes, it is remotely exploitable and as such should be categorized as "remote" in Risk/Impact scoring systems? Does anybody disagree? I'd be interested to hear your point of view.

DK> The key here is "escalation of privilege". At the point you're launching
DK> formats, the privilege has already been granted.

If you could dive into this a bit more, as I can't follow you here. I frankly don't know any access control logic where running a format leads to the escalation of a privilege, per se.

--
http://blog.zoller.lu
Thierry Zoller

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
