Vulnerability Development mailing list archives

Re: 0-day exploit..do i hear $1000?


From: H C <keydet89 () yahoo com>
Date: Sat, 20 Oct 2001 05:53:09 -0700 (PDT)


> I still don't see why a security company would
> buy an exploit if it isn't public knowledge:  what
> use to his customer is "look at this root shell,
> you are vulnerable, the vendor doesn't know,
> the underground does, you can't patch"?!?!

Paying for vulnerabilities gives the security company
certain advantages.  

1. Pen testing...having the latest and greatest
vulnerabilities to exploit will set them apart.

2.  Managed Services...being able to detect the latest
and greatest vulnerabilities will set them apart. 
There's nothing that says someone else won't find the
vulnerability themselves...remember, I had posited
that the level of sophistication for finding
vulnerabilities will increase dramatically if
significant funds are involved.

3.  Recognition...the security company itself can then
make all or part of the vulnerability known to the
public, or they can work directly with the vendor, so
that their customers get first access to the patch
before it's released to the general user public. 

Of course, that will also probably lead to 'special'
subscription deals with vendors.  Think about it...if
some security company takes a vulnerability to, say,
Sun Microsystems and works with them on the patch,
don't you think that other users of the vendor's
products, other than the security company's own
customers, would be interested in a patch? 
Particularly if the vulnerability resulted in an
immediate root shell for the attacker?  Sounds like
fertile ground for a 'gold' membership to me...

> Sure there are workarounds, but when a bug is found
> the software needs to be fixed.

Agreed.  But if companies start offering money for
exploits on a large scale, and it becomes part of "how
things are", then the landscape is going to change
dramatically.  Right now, some of the folks who find
vulnerabilities aren't doing it for financial gain. 
Many might end up getting job offers as a result of
their activities, but they aren't being paid to find
the holes.  

Heck, it wasn't so long ago that there was still a
heated discussion on the win2ksecadvice list regarding
disclosure...
 
> So how are people going to sell >1 copy of their
> exploit?

That's not the point.  They won't have to. Or, it will
depend on the contracts they write and sign.  
 
> The first person to buy tells the vendor, then it's
> public knowledge (of the vuln.  The exploit code is
> still rare).

Okay, here's how I see it.  Security companies will
offer a bounty for vulnerabilities...and in doing so,
there will be many conditions.  For example, they'll
want a complete write-up, perhaps even with exploit
code (or that may even be extra).  The conditions will
have to be readily reproducible.  

Before payment is made, certain legal documentation
will need to be signed.  After all, there is no
benefit in paying for an exploit if the guy who found
it is going to sell it to your competitor.  It's easy to
see how the payment for the vulnerability will likely
be in accordance with the level of devastation caused
by the exploit, how widely exploitable it's likely to
be, etc.

Then, it's up to the security company as to when
they'd like to contact the vendor.  They may do so
through some pre-arranged channel partnership.  Credit
for the vulnerability will now go to the security
company...after all, they own the rights to this
particular exploit, so it's theirs.  Of course, they'd
want to take it to the vendor, b/c as it becomes more
and more commonplace to pay for exploits, the
technical sophistication of those looking for and
finding the vulnerabilities will increase.  The
practice will become more methodological, and less
haphazard.

> Now 99% of security companies can scan
> for vuln (even if they don't get a root prompt), and
> 1% can actually exploit.  To the customer it's the
> same
> "You are vulnerable" (show core dump/root prompt)
> "get the patch from here, problem sorted".
> None of the security companies need to buy the
> exploit.

The selling of exploits may become a huge market, if
it gets off the ground.  It's long-term revenue for
both the security company and the vendor.  Here's
why...there will be lots of individuals and small
groups out there, pounding away at products (most
likely targeting those products w/ the greatest
market share!!), trying to sell their exploits to
security companies.  Security companies, on the other
hand, can create a 'gold' membership for their
customers if they offer such a thing.  This higher
level of subscription membership will get them
informed of the vulnerability and, oh, yeah, since
we're providing security management services, you're
protected.  

Now, I know what you're thinking.  This is a lot of
cruft.  But look at all the security companies out
there now who are selling 'services', when, in fact,
they really aren't providing anything.

Security companies that do pen testing usually charge
a pretty high rate anyway.  Adding the new exploits to
their arsenal will be part of the business plan.  

Vendors can do the same thing with the subscription
services.  They can set up a service such that
customers of theirs, while not being customers of the
security company that submits the exploit, will be
able to get the latest and greatest vulnerabilities
before anyone else...for a fee.  Say, like banks,
financial institutions...pretty much anyone with a big
investment to protect.

> Knowledge of the vuln is surely enough?

Is it?  If the security company contacts the vendor
and provides the vulnerability, but retains ownership
of the exploit code, then folks like us will have to
do a lot of work analyzing the patch after it comes
out just to find out what it does.

> Security companies pushing some of their cash
> back into the underground to fund research, to find
> bugs in software is a good idea - but the fruits of
> that research must be public.

If the security companies begin a trend of paying for
exploits, who are you (or me, or anyone else) to say
that it 'must be public'?

> That leaves the leech companies doing no research
> and still making a profit - but I guess most clients
> would favour the ones performing active research,
> whose name is known.

Clients will favor those who can provide the best
service.  That may very well be the leech companies,
as they'll be paying for the exploits, and their
clients will receive knowledge of and protection from
them before they are even public.  And it doesn't have
to be an extended period of time, as it was with
sadmind/IIS, for example.  Things will move much more
quickly, as with Code Red.

In fact, I can even see splinter groups that will find
a new vulnerability, and in an effort to keep
everything public, will release a proof of concept
tool, such as Code Red.
 
Carv


