VulnDisco bug list made public

Patrick Gray

InteVyDis has released a list of exploits included in its VulnDisco exploit pack for CANVAS.

It makes for pretty interesting reading. There are 211 exploits on the list, with 117 of them described as confirmed 0day.

You can find the list here.

As far as Risky.Biz is aware, these guys do not contact vendors and give them details on 0day they acquire. While to most that would seem the right thing to do, it's directly opposed to InteVyDis' commercial interests.

A fixed bug is a dead bug. Why slash the value of your own product?

We would love to hear from readers on this in the forums. Do you think a business model that involves selling 0day without notifying vendors is inherently immoral?

mark
VulnDisco List

I read through this list, a couple of thoughts:

1. A fair few of the bugs are not worth considering (DoS's etc)
2. The embedded router ones look kind of interesting to me
3. Curiously there are no bugs for most of the major software you would expect to find in such a list (IE, firefox, flash, java, quicktime, etc).
4. A fair few of the bug descriptions give enough information that it wouldn't be hard to find them yourself. I'm thinking of doing that for a few of them, yoink!

steve
Vulndisco List

As a CANVAS customer I concur with the previous comment. There isn't a heck of a lot that is mainstream or that large enterprises truly are concerned about.

Not to mention, the biggest downfall of CANVAS is that the majority of the exploits do not work and need a lot of "massaging" to actually function.

So, from a business perspective, CANVAS sells for as low as $4500, but depending on who you are / who you work for and how much you are liked by the "company" your price may differ. I have heard quotes as high as six figures in the past. This doesn't even take into consideration the cost of the early warning "service" which is around 35K last I checked. Plus the cost of VulnDisco. So take all of that and add the skilled labor costs to rewrite half of the exploits and tweak the framework to get it to actually work properly.

Now take the wage/benefits/training cost of a skilled employee who can find/recreate all of the important vulnerabilities for you. CANVAS/VulnDisco quickly starts to lose its value.

Not to mention, why would any legitimate business support another business that acts in an unethical manner basically holding vendors and users hostage with their claimed zero-day that ends up not working half the time.

flagg
Well if I was in the business

Well if I was in the business of selling 0day, and was sitting on a bunch of exploits for top shelf software, I would not be posting what they are to anyone that was not going to pay for them - it would not take long before many people found the same bugs and they would not be 0day anymore. It's just normal IP protection.

Same with any of the default modules in CANVAS. There are many users of CANVAS with many different requirements. Immunity would be very silly indeed to give out all their best to everyone - not when there are people who will pay the premium for the cream on the top.

It's just economics, people.

As for CANVAS needing tweaking.. well yes, first and foremost CANVAS is an attack framework.. It works well for many, but if you really want "right click, shell" there are other options around.

The question of morality is a totally different one, and one that I am reluctant to get into.. but anyone who has dealt with a vendor about security issues in their products will agree that more often than not, it's a pointless exercise. YMMV, and if you have been rewarded with the vendor's glowing sense of responsibility for their past and current customers' security, good on you. And good on them. (And I'm not even being sarcastic here.)

In terms of security however, nothing I've posted above matters.
What does matter is that there are still holes in software because it is bad software.
Protecting bad software with more bad software still does not work.
No one will do anything to fix something until you demonstrate that it is broken.
The easiest way of doing this is by exploiting it.
It takes time to do this, so you can outsource some of it to Immunity etc.
This costs money.
You are protecting assets that are worth money.
If it costs less for someone else to "realize" your assets than they are worth, it is worth their while to do so. (I'm talking financially here, not morally).

Which brings me back to buying 0day.. The days of socialist group hugs about making the world more secure are gone. It's just free market security now.

adamp613
Vulndisco List - since 2005

Also worth noting that the VulnDisco pack has been available since 2005 - not as complete as today perhaps, but it had a few vulns that were held back for a while.

The proftpd bug was one example: late 2005 it was in the pack and eventually was out mid 2006, IIRC.

urbanadventurer
The 0day exploits are

The 0day exploits are devalued by their descriptions, which tell security researchers where to look for bugs. It will be interesting to watch some of these bugs get publicly disclosed in the near future.

The pricing from $250 USD with the research license makes this exploit pack affordable and potentially attractive to pentesters who are already using CANVAS and can contribute their own 0day in common software. This assumes that they couldn't sell the 0day exploit to Tipping Point for enough to buy a normal (5 seat) license for $5200 USD.

I recommend Intevydis make their exploit pack compatible with not just CANVAS but also CORE Impact and Metasploit.

-
MorningStar Security
www.morningstarsecurity.com

adamp613
secunia

lame - Secunia are writing up advisories referencing the VD list, "unspecified vulnerability".

maybe they should release some more for random pastebin "./0wn" text file snippets ;)

flagg
(Posted for, and written by a

(Posted for, and written by a colleague of mine)

This information was always available (it's surprising Secunia didn't pick up on it before).. you could email Gleg, then Intevydis.

What was new in each pack also was posted on a monthly basis to the Immunity forum -- I think this list was made public because that forum is now gone. Not sure if d2sec will follow.

The A/V doses are golden, particularly when clientsiding and some A/V shit keeps blocking your payload.

It's hard to take a look around a big network without finding a use for some of the better stuff in here, like the altiris, crystal reports, and the novell stuff. Yeah, you could probably take the description, warez and install the software and spend a week or two writing the exploit yourself. But that's not very good in the middle of a test.

I think the idea behind this pack is lots of useful vulns in all that little software cruft you see on big networks that you never have time to properly exploit when you have one week to pentest 1000 internal boxes.

Mark: I'm not sure you could pick up IE clientside for 20k, let alone multiples. (Even though I'm sure you spit out a few of these a month.. :P) I'd guess the golden stuff gets sold in single doses to single buyers ;) (although, I'd wager that a couple of the vulns in D2 are worth more than the pack).

Steve: Are you for real? I'm not sure how elite you are, but Jesus. A skilled employee reproducing what's in CANVAS? With a little bit of training? How about midway through a four day pentest? (If so, wanna job?) I think the dev time for getting MS09-001 to work was several months, and that's once they have the encoder libraries and mosdef and all the shellservers and a hundred other exploits to borrow code from.

If you want the polished, point and click and "I want to pentest but don't want to code" feeling, that's what Core Impact is for. Still, not working half the time means 50% of what you attack is a shell. That's some pretty good leverage to take the other half of the network (if you need to).

urbanadventurer: VulnDisco was originally written for both CANVAS and Metasploit, but support was dropped. Aside from private frameworks, I've seen nothing that comes close to CANVAS for ease-of-code, which is where the real value comes in. Your shellcode is now something to fix mem a bit, then you say, mosdef.you.sweet.thang.socket.reuse.shell(NOW_DAMNIT).. Something fucks up with a new release of vulnerable software and you need an encoder, but too lazy to work out which one? Try them all. In minutes. You get a shell and you know if one of them is going to work. No idea how to exploit a particular bug? grep for similar things in /opt/CANVAS...
