On 8/16/07 7:44 PM, "silky" <[EMAIL PROTECTED]> wrote:

how is this different then sending malformed packets to an rpc interface?

That is the key question. It's different because nothing in the packets is 
malformed! They were correctly assembled by the client, sent at the right time 
in game play, and are semantically legal in every way. The vital distinction is 
that programmers assume only their own code will call a certain API, and 
therefore issue a certain message from the client to the server. When you 
hijack the client, you make the client correctly form messages for you. You 
just supply unexpected parameters, or send messages in an order that would 
never normally occur. Furthermore, if there's a little back and forth between 
the server and the client as a result of your messages, the client handles it 
automatically for you because it is operating normally (albeit under the 

Now I'll gently disagree with Gary, who is my boss, so you know I'll hear about 
it in the hallways... I think this feels more like "privilege escalation" than 
"insider threat." The distinction being that these attacks allow an authorized 
user who has liimited privileges to escalate their privileges and do things 
that they shouldn't be able to do. An insider (to me) is a person who already 
had that privilege and status when they started their attack. (Read Kevin 
Wall's follow-up on darkreading.com he has good things to say on who are 
insiders and outsiders).  Where we are prone to confusion, I think, is that 
outsiders or limited authorized users can have the same IMPACT as an insider, 
when the privilege escalation is sufficiently bad.

So we might say they became an insider by virtue of their attack. I think 
that's playing a bit fast and loose with language. We could say they became the 
EQUIVALENT of an insider (possibly in a very narrow scenario) and that might be 
a bit more accurate.

Let me go out on a limb and say the following: the designation of "insider" is 
almost always due to contractual relationships. I.e. you've been hired, you've 
been subcontracted, assigned, or somehow formally granted access to something. 
You can't hack your way to insider status (unless you hack HR and make yourself 
an employee. :). You can hack your way to the equivalent of an insider, but 
you're still an outsider whose privileges have been escalated.

Paco Hope, CISSP
Technical Manager, Cigital, Inc
http://www.cigital.com/ * +1.703.404.5769
Software Confidence. Achieved.

Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.

Reply via email to