
Common Security Exploit and Vulnerability Matrix

Matrix Key: Service or Application / Port / Information / Exploit or weakness / File


MATRIX ENTRIES

Windows clients and servers

- Microsoft JET 3.5X / Excel Scripting Engine (file: Excel Document *.xls, ODBCJT32.DLL): a web document or email attachment can execute commands on the client workstation; the Excel CALL statement can call any DLL function; can use the shell() VBA command to execute arbitrary commands from remote.
- Forms 2.0 Control (/winnt/system32/fm20.dll): can paste user clipboard.
- ActiveMovie (/winnt/system32/msdxm): ... extension. Could be used to cause trojan files to be executed.
- Dr. Watson: log file (may contain passwords/keys).
- Screen Saver (*.scr, logon.scr): certain versions of NT run the screensaver under the SYSTEM account. Can add a normal user to the admin group. logon.scr can be replaced with a trojan and it will run under the SYSTEM account.
- Outlook 98/Express: email header, filename field overflow.
- RASMAN.EXE: RAS API has several buffer overruns. This can cause hostile code to be executed (post SP5 hotfix).
- Windows NT/Win9x TCP/IP: invalid fragmentation causes network stack to fail; IP sequence numbers are easily guessed; Guest account has blank password; Guest user can change password.
- CIFS (139 tcp netbios-ssn, 137 udp netbios name): CIFS challenge is encrypted with the user's password hash - password/hash sniffing (sniffer, L0phtcrack).
- NT SNMP (161 udp): dump all usernames in domain; delete all WINS records; default 'public' write community.
- Back Orifice (31337) / Netbus (12345 tcp): from remote, read any file on system.
- ICQ (4000 udp): stores cleartext password in ICQ\NewDB\uin#.dat; filename overflow; buffer overflow in ICQ; send user#999999 overflow.
- Program Files/Microsoft BackOffice/Reboot.ini: contains cleartext passwords.
- Exchange (389 tcp): LDAP Bind Request Buffer Overflow; verify log reveals credentials: <EXCH-VERIFY>: ExchAuthenticate() called with NTServerName:[KBJV_SRV1] NTDomainName[KBJV_PERTH] adminMailbox:[xxxxxx] adminLoginName:[xxxxxx] password:[xxxxxx]
- IIS (80 tcp http, inetinfo 1031 tcp): remote buffer overflow - *.asp; asp dot bug - asp interpreter shows raw source; IIS script can capture domain passwords via the AUTH_PASSWORD variable; script access permissions let a script access other virtual sites' content; IIS on multi-homed machines leaks internal IP addresses; fpcount.exe buffer overflow.
- MDAC RDS (80 tcp): asp pages can access files not in web root !(c:\inetpub\wwwroot\*) (allow parent paths); DataFactory; tunnel ODBC requests through MDAC, bypass firewalls.
- Microsoft Scripting Runtime (Scripting.FileSystemObject, OpenTextFile): can view any file on target (IIS 3.0 and misconfigured IIS 4.0 servers).
- IIS FTPd (21 tcp): anonymous user can rename files.
- Website Server: shl/win-c-sample.exe - buffer overflow in cgi, execute remote code as process (NT/Unix); get ../../* commands via args.cmd; uploader.exe - upload and run any code; (http://<yourIP>/.html/............/config.sys).
- iCat Carbo Suite (carbo.dll): read any file - (http://XXX.XXX.XXX.XXX/.......dll?icatcommand=..(and so on..../)) =..\..\*z
- Allaire Forums (GetFile.cfm): read any file - http://host/GetFile.cfm?FT=Text&FST=Plain&FilePath=C:\*.*
- Cold Fusion Server (//CFDOCS/expeval): read or delete any file (c:\winnt\*).
- Cheyenne ArcServe: stores cleartext password in test.log.
- Seattle Labs SLMail (25 tcp, 27 tcp): accounts registry key set world writable (HKLM\Software\Seattle Lab\SLMail\Users); SLMail 3.1 buffer overflow on port 27; HELO/VRFY/EXPN commands buffer overflow; DoS by sending incomplete send/vrfy/expn/mail from:/rcpt to: commands.
- Imail 4.06: LDAP Buffer Overflow.
- Citrix Winframe: stores pseudoencrypted password in /usr/lib/ICAClient/config mode 777 or in ~/.ICAClient mode 755.
- Wingate (8010 tcp): password is stored in cleartext and file is world readable; has blank password; will proxy port connections; Can bounce TCP sessions; Can connect to self causing DoS; LogFile service - read any file on system (http://www.server.com:8010/c:/ - NT/Win9x, http://www.server.com:8010// - NT/Win9x, http://www.server.com:8010/..../ - Win9x).
- winroute (3129 tcp): admin.
- Cmail 2.3: pseudoencrypts passwords into user.db file.
- Eudora: scripting ? - a hostile applet or script as email attachment (trojan).
- Wingate/Windows port redirection: Port Redirection.

Unix services and daemons

- finger (79 tcp): fingerd reveals logged on users; user@host@host redirection; .@host and 0@ reveal users who have never logged in; GNU fingerd.
- cfingerd (.plan): local user can link .forward, .plan, or .project and fingerd will read the linked file as uid 0 (i.e., read /etc/shadow file, etc).
- SIMS/SDS (/var/opt/SUNWconn/ldap/log/slapd.log): stores cleartext passwords; file is world readable.
- rpcbind (111, 1024-2000 udp): some versions of rpcbind will listen on ports other than 111, and possibly defeat any firewall port filtering including source addresses.
- portmap (111 tcp): portmapper UDP spoofing allows an attacker to register/unregister services from portmapper; portmapper can be used to find vulnerable rpc services; pmap_call to bounce remove/add requests, bypass security.
- rusers: unauthenticated RPC service will leak information of remote users from remote.
- systat (11 tcp): systat will give away system state information to an attacker, including which software is running on the machine.
- netstat: netstat will give away network state information to an attacker.
- ident: attacker can use ident to determine which account processes are running under.
- pop3 (110 tcp): overflow; password is sent in cleartext.
- ipop3d: overflow, execute remote code.
- ipop2d / POP2 (109 tcp): buffer overflow.
- imapd (143 tcp): Get Remote Root via [AUTHENTICATE] overflow.
- dns (53): DoS; buffer overflow.
- sendmail (25 tcp): sendmail -d bug gets root ( sendmail -d3294967296 ); read any file on the system ( sendmail -oEfilename_to_read ); local user GECOS overflow, get root; overflow syslog() function and get root; MIME buffer overflow - get root; DEBUG mode allows remote execution of commands as root; Wizard mode backdoor gives root; REHUP attack causes any program to be run as root; inserting newlines into queue files causes arbitrary commands to be run as root; link /var/tmp/dead.letter to any file, appends data (get root on system locally via /etc/passwd); aliases piped to programs may allow common attacks; Mail to program ( RCPT TO: |<program> ); bounced mail with a piped FROM address ( MAIL FROM: |/bin/sed'1,/^$/d|/bin/sh ); decode alias - pipe mail through decode alias and create lists; sendmail allows mail relaying - relaying allows anonymous spamming; mail can be forged from any address; VRFY can be used to identify valid users; EXPN can be used to find destination addresses of aliases & groups; EHLO command will reveal what extended SMTP commands are accepted by the server; if username is a filename, can mail to file.
- Majordomo: 'REPLY TO:' backtick attack - execute arbitrary commands.
- AMaVIS: scanmails script will expand the subject heading of email and execute it. Malicious subject headings could cause arbitrary commands to be run as root.
- syslog (514 udp): if DNS record doesn't exist for declared host, syslogd crashes.
- X11R4: If coredump, it has encrypted passwords; if /core already exists, permissions are retained.
- ftp (21 tcp, 20 tcp ftp-data): PASV DoS - issue many PASV in succession and use up all ports / consume all connections; SITE EXEC command allows commands to be executed from remote; buffer overflow (~4000 chars); Execute code as process (CWD using RNFR xxxxxxxxxxxx... [155 characters or more]); FTP Bounce Attack - bounce TCP connections; PASV Hijacking - steal files & directory listings; many FTP servers will open data ports in sequential order, making it easier to hijack PASV connections; incorrectly configured ftp servers will allow users write access to directories; FTP password file may contain hashes (get any file); anonymous FTP Access - create files with '/' slash in filename can lead to DoS (i.e., tmp file to be deleted is named /etc/passwd); NULL password backdoor; LIST command dump core - core file has shadowed password hashes; Dump core and see cached copy of /etc/shadow file (core directory).
- wu-ftpd (/etc/shadow): CWD ~root to get root; QUOTE CWD command to get actual filesystem path to ftp root directory; SITE EXEC the tar command and execute arbitrary commands; exec chmod on ftp root directory.
- Serv-U FTP 2.5: read any file, bounce http requests, bounce TCP connections.
- NTP (123 udp): NTP will leak internal system information to potential attackers; incorrect messages cause DoS.
- SNMP (161 udp): SNMP read community 'public', SNMP write community 'write' by default.
- Powerchute PLUS UPS: multivariable snmp getnext request causes crash; crash UPS with repeated connection attempts, lock out other sessions.
- su: when su is successful, the shell's dot file (i.e., .cshrc) will be executed. If a user can write to another user's dot file then it is possible to get elevated access privileges (even root); lack of trapping of SIGINT results in no logging of invalid su attempts (must send ^C before syslog occurs).
- Real Media Server (/usr/local/rmserver/rmserver.cfg): cleartext password stored in world readable file; cause DoS (user supplied trojan).
- dtappgather (/var/dt/appconfig/appmanager/generic-display-0): doesn't check whether /var/dt/appconfig/appmanager/generic-display-0 is a symlink and will chown() it to the user - local user gets root.
- dtprintinfo: execute local code as root (Solaris).
- sdtcm_convert: can overwrite /etc/shadow and get root (Solaris).
- eeprom: execute local code as root (SunOS).
- /bin/eject: execute local code as root.
- fdformat: execute local code as root (SunOS).
- ffbconfig: buffer overflow, local user gets root.
- /usr/bin/lpstat: ( lpstat -c <buffer> ) local user gets root.
- /usr/lib/fs/ufs/ufsdump: groups are not set properly - link to a file another owns, get root.
- /usr/lib/fs/ufs/ufsrestore: local users can chmod arbitrary directories.
- rpc.cmsd: buffer overflow, execute remote code as root (SunOS).
- rpc.ypupdated: remote user can execute commands as root.
- rpc.bootparamd: service can be tricked into giving out the NIS domain name, and attackers can use this to get NIS password maps.
- rpc.statd: can redirect rpc calls through rpc.statd and bypass security of other rpc services.
- rpc.pcnfsd: pr_cancel buffer overflow - exec arbitrary commands as root from remote.
- rpc.ttdbserver (HP): overflow stack and execute commands as root.
- rpc.rquotad: the quota service will give a potential attacker information about NFS mounted file systems.
- rpc.selection_svc: remote attacker can read any file on system.
- rpc.ugidd: can get usernames from remote.
- rpc.rexd: impersonate any user.
- rpc.walld: remote attacker can flood users with messages.
- rpc.sprayd: Sprayd will help an attacker build a denial of service attack.
- automountd: no authentication - execute commands from remote as root.
- NFS: can 'cd ..' to unexported parent filesystem; pseudo random file handles can be guessed, remote access gained; can supply a 32 bit UID to a 16 bit UID server, get root; export lists larger than 256 characters.
- amd: amd does not honor the nodev option for NFS file systems.
- dip (/usr/sbin/dip): local users can get root via overflow ( dip -k -l <buffer> ); dip can read consoles in /dev (sniff passwords, etc) (i.e., port tty1.. etc).
- insmod: if a fully qualified path is not supplied, insmod will search the local and /lib/modules directories for the module - possibly resulting in a non-root module being loaded into memory.
- bash: '\377' serves as an unintended command separator (defeat cgi filters); PS1 environment variable with '\w' can be used to get local root.
- expreserve: executes /bin/mail as root; change the IFS environment variable (IFS=/) to cause your own file to be run (/bin/mail becomes ./bin ./mail).
- inetd: SYN followed by RST causes inetd to crash.
- admin-v1.2: follows symlinks in /tmp, munge any file.
- gopher: some gopher servers will allow read access to arbitrary files on the target machine.
- bnc irc proxy: bnc can be attacked from remote to create a shell; execute commands from remote as root.
- FSP Session Agent: FSP is a commonly used tool in the underground to move illicit files. This is suspicious.
- chargen (19 tcp) / echo (7 udp/tcp) / discard (9 udp): spoofed chargen source to localhost's echo port causes DoS.

Irix

- arrayd (arrayd.auth): by default, arrayd does not authenticate, allowing any remote user to become root on the host.
- nsd: nsd filesystem can be mounted via NFS. This directory can leak passwords and state information about NIS requests.
- fsdump (/var/rfindd/fsdump): fsdump can be used to change the permissions on any file to that of a local user. Hence, get root via the passwd file. ( /var/rfindd/fsdump -L/etc/passwd -F/tmp/dump / )
- midikeys: midikeys is setuid and can be used to read any file on the system.
- /hw/tape: the tape device under Irix will often be mode 666, enabling any user to restore any file from the tape (and possibly the /etc/shadow file).
- /var/adm/SYSLOG: contains names of invalid logins and is world readable.
- /sbin/suid_exec: suid_exec will execute shell dot files (i.e., .cshrc), enabling the user to get root on the system.
- sgi_fam: can list files anywhere on machine.

Network equipment and firewalls

- Cisco IOS: access-list parser does not work - may allow all tcp traffic over firewall; "service password-encryption" uses trivial encryption, can be decrypted; long password string causes reload.
- Cisco tcpip stack: sending CR causes reboot.
- Cisco Catalyst: portscanning will fill up connection buffers (DoS).
- Gigabit Switch: runs "undrv" as root (./undrv); suid root, buffer overflow.
- Cisco WCCP: invalid UDP packets; no authentication in web caching allows a remote intruder to intercept all HTTP requests (modification in transit / bit flipping).
- Cisco Resource Manager (/var/adm/CSCOpx/files/schedule/job-id/swim_swd.log, C:\Program Files\CSCOpx\files\schedule\job-id\swim_swd.log, C:\Program Files\CSCOpx\temp\dbi_debug.log, /tmp/dbi_debug.log, C:\Program Files\CSCOpx\temp\DPR_*, /tmp/DPR_*): execute local code as root; log files leak passwords.
- Ascend / Ascend Max (161 udp, 23 tcp): can force a max of 2 sessions to stay open, will no longer accept TCP connections; Any SNMP user can read the community strings of other users, therefore getting full write access to the SNMP database; can set the 'sysConfigTftp' variables to allow remote ftp of the configuration, including download of telnet password, enhanced access passwords, RADIUS and OSPF keys, and users' numbers/passwords; Can cause Max to reboot; specially formed packet to UDP port 9 causes Ascend to lock up; MAX4002, MAX4004, MAX4048, MAX4072: User can request any IP address, which will be rebroadcast into the routing table - can take out DNS server, router, whatever. Also exploit IP based trust relationships and possibly cause the indirect poisoning of the BGP routing table.
- Bay Networks Annex: UDP packets with strange options can cause reboot; buffer overflow ( http://annex.www.server/ping?query=<buffer> ); Login larger than 256 characters causes reboot; cause reboot with invalid IP options.
- 3Com (23 tcp telnet): has default accounts: monitor,monitor / manager,manager / admin,<blank> / security,security.
- 3Com HiPer Arc cards (150 tcp): Telnet to port 150 and reboot.
- Livingston RADIUS: can sniff radius client/server interaction and recover the shared secret.
- Cistron RADIUS: crash server through bogus accounting messages.
- Firewall-1: doesn't perform stateful inspection on ICMP (attackers can inject ICMP into the target network); by default - all ICMP (except redirect), RIP (UDP 520), and DNS (UDP/TCP 53) are allowed over the firewall.
- PIX: Private Link 56 bit key VPN solution has only an effective 48 bit key.
- Gauntlet Firewall 5.0: ICMP_PARAMPROB packets with invalid IP protocol & options will cause the firewall to hang.
- SunOS X.25: X.25 gateways are often targets of attack. X.25 PADS should have access controls.
- ICMP: ICMP can be used to determine internal netmasks; ICMP can be used to determine the system time on a remote machine.
- RIP: RIP will give up routing tables to potential attackers. This information can be used to design attacks.
- PPP: broken CHAP authentication, established unauthorized PPP connection.
- Syn Flooding.

Entries that could not be placed in a row

- Names and ports: Apache (shows raw source); auth (112 tcp/udp); tcp/ip Application Protocol; loc-srv (135 tcp); 8080 tcp ConSeal PC Firewall; SSH (22 tcp); 2080 tcp; 1029 tcp; 8383 tcp; 1024-1029 udp; 6549 udp; 9099-9100 tcp; 666 tcp B-DASH svgalib; 65589 tcp; 180 tcp; Linux Kernel; Terminal Server (dictionary); PC Anywhere; Carbon Copy; Remote Control; sdr; Remote Admin; Alibaba; Seattle Labs; rpc.admind; rpc.mountd; tcsh; autofs; /usr/sbin/crond; ff.core; /usr/lib/games/abuse/abuse.console; Printer; ICMP Microsoft; IP Header; file:///aux.
- Cells: buffer overflow in cookie; log in without password by using more than 9 character password configuration; some SSH installations will give potential attackers the SSH version, key sizes, and encryption method; can view any file on target - window to give user; phf - remote attacker can get; 253 byte password buffer copied into 128 byte stack buffer; Third packet during setup contains cleartext username/password; GUEST account allows liberal access; feles; can brute force passwords without logging; [FOLD]; protocol can be replayed - no authentication on modules; lack of authentication allows remote access to target; read any file as SYSTEM account, including SAM database, via setting the user's "finger file" to point to the target file; by analyzing error codes, attacker can enumerate files on the remote host; router will identify its symbolic name in response to a special probe; mapid() call reveals list of users on system; default password of 'NetICs'; a buffer overflow in the font path can lead to a root compromise; webserver causes crash; download any file; interactive; cause everyone to be able to mount shared; Exported .rhosts or .rc; disk devices world readable; are not encrypted; FIN fragments can; DoS over firewall; guestbook; anyform cgi; formmail cgi; cachemgr.cgi - execute any command (cachemgr_passwd); test-cgi / nph-test-cgi - leaks complete list of files & directories on target; perl - if perl or any other command interpreter is located directly in /cgi-bin, remote users can execute arbitrary commands; send raw postscript to printer - cause printing.


SIDEBAR DEFINITIONS

What is a content based attack?

Servers may perform analysis of incoming data. Many times they will have interpreters that read incoming data and perform tasks based upon keywords, symbols, and other data. Web servers do this with the URL. Sendmail does this with email headers. When the server analyzes the incoming data, it may misinterpret some symbols or symbol combinations (sometimes called meta-characters or escape-characters). When this happens, the server will perform unintended tasks. An attacker can feed special commands into the server, coaxing it to run commands or alter files & databases.

What is a relative path?

Programs which do not fully qualify file paths (absolute path) can be tricked into running trojan programs. If the original executable is running in an elevated context (such as suid), the trojan may be executed with the same privileges. Initialization files, shared libraries such as DLLs, and temporary files may all be subject to this type of attack.

What is dictionary cracking?

A cryptographic hash can be obtained and cracked via brute force. Although it cannot be "decrypted", a program can encrypt every word in the dictionary against the hash, and if they match, the password has been found. This is computationally expensive, but is a very effective attack against encrypted passwords. With faster processing available, programs can even crack every possible character combination.

What is denial of service (DoS)?

Sometimes it is possible to exploit a buffer overflow to crash a process. In other cases it is possible to fill up the work queue of a process, such as by making too many connections or requesting too many services. This effectively locks the process out from legitimate users. DoS attacks are often the easiest to perform, and the most common.

What is pseudo-encryption & cleartext?

Although very unwise, software companies sometimes opt to store system passwords in cleartext (unencrypted). Even if they obfuscate the password (store it in a garbled form) it is still cleartext because there is no real encryption. In either case, the password is trivial to obtain. Passwords can be stored like this in files, or in the Windows Registry.

What is brute force password guessing?

When there is no password lockout or invalid-password logging, an attacker can simply try every possible password. Often this sort of attack works on easy to guess passwords - such as passwords that are derived from the username - or easy to remember passcodes such as '1234', '4321', 'qwerty', etc. This principle applies to hacking telephones, voicemail systems, mailbox codes, login & email passwords, and even physical security mechanisms.

What is "no authentication"?

Believe it or not, some programs do not even ask for a password before allowing someone to administer or configure the system. Sometimes this is a blatant lack of security, and other times a bug allows the circumvention of the authentication mechanism.

What is a race condition?

Programs which use & create temporary files need to check whether the file already exists. If a user can pre-create the file in question, the program can be fooled into using a trojaned file. If the system allows symbolic linking, the program can be tricked into writing to other files on the system, such as the password file.

What is a trojan horse?

An attacker may be able to replace certain programs and shared libraries. The replacement program is usually called a trojan horse. The trojan horse may emulate the original program so that the replacement goes undetected. The trojan may be able to sniff passwords, provide back door access, and even hide other programs from the system.

What is a buffer overflow?

Software bugs exist which allow user-supplied buffers to overwrite the process stack. In this case, the program either crashes, or executes code contained in the user's buffer. In the latter case it is possible to trick the computer into executing arbitrary code and obtaining remote root access. This is perhaps the most common type of bug, and potentially the most deadly. Buffer overflows are difficult to detect or prevent during software design. While the demand for more and varied software is ever increasing, the chance of software bugs also increases.

What is spoofing?

The TCP/IP protocol has no authentication mechanisms. What this means is that anyone can create a 'fake' packet and impersonate someone else. Specifically this means creating a fake IP address. Many attacks can be executed using spoofed packets. Even if a victim logs all of the packets and uses intrusion-detection software, the source of a spoofed packet is next to impossible to determine. This makes catching the attacker very difficult. Additionally, some software relies upon the source address of the IP packet for authentication. Because IP can be spoofed, the program in question can sometimes be fooled into allowing access, running commands, etc.

What is a rootkit?

A rootkit is a set of trojan horse programs that can be installed on a computer. These programs allow the attacker to hide processes, files, and logins from the system administrator. Furthermore, these programs usually leave back doors within the system. It is important to use integrity assessment tools to make sure that files have not been replaced, otherwise a rootkit can be very hard to detect.

What is audit suppression?

In some cases an attacker can prevent the auditing system from working. If auditing is maintained on a standalone server, the attacker may be able to block access to that server. In other cases, a log entry may only be performed under certain conditions. If an attacker can change those conditions or cause an exceptional event to take place, the log entry may never be generated. Lastly, if the attacker knows what facilities are monitoring the system, they may simply shut those facilities down.

What is hijacking?

Because of the weaknesses of TCP/IP, it is vulnerable to spoofing and hijacking. Hijacking describes a special type of spoofed IP attack. Normal TCP communications take place over a 'session'. If the session can be sniffed, or the sequence numbers can be guessed, the session can be 'hijacked'. The attacker can insert spoofed packets into the session stream and cause commands to be run as the original user.

What is trust exploitation?

A lack of good file permissions and inter-server trust will result in a total systemwide compromise if just one process or account is hacked. The problem arises from liberal trust relationships within the network. File permissions should be applied so that users have access to only what they need. Furthermore, since processes usually execute within a user context, this minimizes the chance that an attacker can modify files on the system. Lastly, if an attacker gets root on one system, they should not automatically be root on all other systems. The more liberal the trust in the network, the easier it is to attack through a single entry-point or exploit.

What is excess privilege?

Sometimes software will be installed or run with too much power. An example might be a public server daemon running as 'root' (or SYSTEM in the case of Windows NT). Since processes are complex and always have the potential of being exploited, administrators should 'close the window of trust' and give processes only the power that they need to function. Anything in excess only increases the risk of total system compromise if the process is exploited.


www.tripwiresecurity.com

Copyright © 1999 Tripwire® Security Systems, Inc. Tripwire is a trademark of the Purdue Research Foundation and is licensed exclusively to Tripwire Security Systems, Inc. All references to brands or trademarks are the property of their respective owners.
