Kristian Erik Hermansen on 7 Feb 2008 19:04:39 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] The Vulnerabilites Business....?

On Feb 7, 2008 6:41 PM, Brian Vagnoni <> wrote:
>  Though a windows example security is everyones business and just wondering
> what people think about this sort of operation.
> I'm referring to an EWeek print article Dealing In Vulnerabilities Vol. 25
> #4 Page 14 2/4/08. If you don't have the rag, it's talking about the
> Realplayer exploit discovered 12/16/07 and as of 1/31/08 still un-patched
> and Real Networks can't seem to find the exploit in their own code.

Closed source vendors don't usually write great code, because they
don't have to.  No one on the outside sees it in source form.  Thus,
you get a bunch of junk that "works", but is difficult to debug.  In
this instance, and not very uncommon, the exploiter knows the code
better than the authors of the software.  This actually happens a lot

>  So what do people think about individuals/companies that specialize in
> breaking other peoples software for the purpose of selling the info for
> profit either back to the software manufacturer or other interested parties.

It is an entire industry.  When I worked on the Cisco Security Agent
team from 2005-2007 we subscribed to GLEG.  Yes, you get 0-day for a
lot of money per year.  I don't understand why they won't release
details to Real unless the exploit technique is something very special
or new.  I wonder what is going on with that.  Their page showing the
exploit does appear to be down now though.  You can find other version
on milw0rm and various other exploit repositories.  You might even
find some of my exploit code on milw0rm too :-)

>  Is this fair game, good for software security, bottom feeding, or
> extortion? So what do you think about companies like Gleg featured in the
> article?

This market is not going away.  Do you know about "Zero Bay" --
WabiSabiLabi?  It got shut down for other reasons, but sites like that
still exist.  Did you know that you can sell a 0day for IIS 7.x for $1
million dollars?  How many people are doing this?  The security
researchers that have the ability to find and exploit such flaws are
less than 10 people in the world, perhaps.  Exploits sell for a lot of
money.  Governments use them to penetrate enemy targets.  Our own
governments buys them and uses them as military electronic ammo.  You
should know that this happens.

I have friends that just do this as a full time job.  It is very
fruitful.  I do it on my own time, but my knowledge is very limited in
comparison to many of my friends.  Tools of the trade include IDA Pro,
Ollydbg, BinDiff, and numerous other utilities.  Many of the guys in
vuln research do very very well.  However, you also need to look at it
from another perspective.  Why does anyone care?  Because Windows
users rarely patch, you can easily turn a bunch of machines into your
zombies.  It happens daily.  Check out Storm Worm.  The bot net
industry is a business too, offering private keys to communicate with
an allocated chunk of compromised machines.  It happens.  Even if
everyone patched their machines daily, there would still be a way to
break into your machine.  People don't like to give away all their
secrets :-)  Remote kernel exploits in protocol stacks stay very
private.  What if someone could take down the Internet via DNS and
Cisco router attacks?  It can happen.  It probably will happen at some
Kristian Erik Hermansen
"Know something about everything and everything about something."
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --