GLSA's listed as remote but only locally exploitable

[mikegpitt]

Question for everyone. Why are some GLSA's marked as remotely exploitable, even when they are only locally exploitable? A good example is the latest GLSA for grep: http://www.gentoo.org/security/en/glsa/glsa-201403-07.xml

If a remote attacker requires the user to run something locally, this is a local exploit -- at least that would be my definition. In fact, this is what the reference CVE also states.

I've noticed this in many GLSA's over the years.

This isn't a rant... just wanted to discuss. Maybe future GLSA's should be interpreted different?

[eccerr0r]

I think the difference between remote and local is kind of unclear. My take is that if someone can craft something that can the machine can run during normal operation so that they now can have access to the system, this is remote exploit.

If in order to execute the exploit someone needs to already have an account and usually to escalate privileges, then this would be a local exploit.

With grep it's not so clear but the exploiter does NOT have access to the system and thus is "remote". It's not local as the person running grep already has access to the machine and, well, you're not actually getting higher privileges with the exploit. If running the exploit makes grep suddenly give you root access (or crash the machine), then I'd call that a local exploit.

http://en.wikipedia.org/wiki/Exploit_%28computer_security%29

I guess if one could think of it this way, if you had an apache CGI that ran grep and someone could craft something to gain rights as the apache user of the affected webserver... now that is more clearly a "Remote" exploit, hence that's why it's classified as remote.