Thursday, June 14, 2007

A really good question deserves an answer…

As a comment on our previous Safari post I got a really good question from Jeffrey Hawkins about exploit terminology. His question reads:

“I notice you found 2 remote execution bugs, but said one of them was "weaponizable". What does that mean? Specifically, how can one remote execution bug be weaponizable, while the other is not?”

First of all, not all software bugs are vulnerabilities; sometimes a bug is just a bug and nothing useful can be done with it. One step up from useless bugs are Denial-of-Service (DoS) bugs, which, while they MAY have some security impact, are in reality mostly annoying and are often caused by things like NULL pointer dereferences. Most researchers think a DoS is lame. Then we have code execution vulnerabilities. These are software flaws that allow the flow of execution of a program to be redirected to whatever arbitrary code an attacker chooses. These are what most people search for; however, just because you find a bug like this doesn’t mean it’s exploitable or reliable. There are several factors that can cause a code execution bug not to be exploitable, such as the process dying before execution has been achieved (remember that to get execution you are often overwriting parts of the process memory that may be relied upon later), nothing useful to overwrite, threading problems, and hardware- or software-based anti-exploitation technology like NX or DEP.

Weaponized basically means you have found a remote execution bug with which you can successfully and reliably get code execution (not just theoretically or in a lab environment) and that requires little or no effort on the part of the attacker to exploit. The exploit will also take application or operating system versions into account and can work on a variety of them. The Metasploit project is an example of high quality weaponized exploits.
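The tiers described in the two paragraphs above (plain bug, DoS-only, code execution that a mitigation stops, and code execution a researcher would go on to make reliable) are exactly what crash triage sorts a fuzzer's findings into. The following is an added example, not code from the original post or from the Safari project: a first-pass crash classifier whose heuristics (NULL-page faults are DoS, a program counter that has left mapped code means control flow was redirected, an execution fault on data memory under NX/DEP means the mitigation held) are simplified from the approach of tools such as CERT's exploitable GDB extension. The `Crash` fields, the `NULL_PAGE_LIMIT` threshold and every sample record are constructed assumptions, not real crash data.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed threshold (assumption): faults below this address are treated as
# NULL-pointer-plus-offset dereferences rather than attacker-chosen addresses.
NULL_PAGE_LIMIT = 0x10000


@dataclass
class Crash:
    """One crash record as a fuzzer or crash handler might capture it (field set is an assumption)."""
    signal: str              # "SIGSEGV", "SIGABRT", "SIGFPE", ...
    access: str              # "read", "write", "exec" or "none"
    fault_addr: int          # faulting data/instruction address, -1 if not applicable
    pc: int                  # program counter when the fault occurred
    pc_in_code: bool         # True if pc lies inside a mapped executable region
    nx_enabled: bool = True  # hardware NX/DEP enforced for this process


def classify(c: Crash) -> tuple[str, str]:
    """Sort a crash into a tier: 'bug', 'dos', 'mitigated', 'exploitable' or 'unknown'."""
    if c.signal in ("SIGABRT", "SIGFPE"):
        # The process stopped itself (assert/abort) or hit an arithmetic fault:
        # nothing was overwritten, so this is an annoyance, not code execution.
        return ("dos", f"{c.signal}: process terminated without memory corruption")
    if c.signal != "SIGSEGV":
        return ("bug", f"unhandled signal {c.signal}: needs a look, no security impact shown")
    if not c.pc_in_code:
        # Execution is no longer inside any mapped code region.
        if c.pc < NULL_PAGE_LIMIT:
            return ("dos", "call through a NULL function pointer: crash, target not attacker-chosen")
        if c.nx_enabled and c.access == "exec":
            return ("mitigated", "control flow reached non-executable memory: NX/DEP stopped it")
        return ("exploitable", "pc left mapped code: control flow was redirected")
    if 0 <= c.fault_addr < NULL_PAGE_LIMIT:
        return ("dos", "NULL-page dereference: crash, no controlled write")
    if c.access == "write":
        return ("exploitable", "write fault at a high address: memory corruption with a chosen address")
    return ("unknown", "read fault at a high address: needs manual analysis")


# Constructed sample crashes (not real data from any product).
SAMPLES: dict[str, Crash] = {
    "null_read":   Crash("SIGSEGV", "read",  0x0000000C, 0x00401A20, True),
    "assert":      Crash("SIGABRT", "none",  -1,         0x7F00C0DE, True),
    "null_call":   Crash("SIGSEGV", "exec",  0x00000000, 0x00000000, False),
    "dep_blocked": Crash("SIGSEGV", "exec",  0x41414141, 0x41414141, False, nx_enabled=True),
    "pc_hijack":   Crash("SIGSEGV", "exec",  0x41414141, 0x41414141, False, nx_enabled=False),
    "wild_write":  Crash("SIGSEGV", "write", 0xDEADBEEF, 0x00402F10, True),
    "wild_read":   Crash("SIGSEGV", "read",  0xCAFEBABE, 0x00402F10, True),
}


def triage(samples: dict[str, Crash]) -> dict[str, str]:
    """Map each crash name to its tier; the 'exploitable' bucket is the one
    that would get the reliability work the post calls weaponizing."""
    return {name: classify(c)[0] for name, c in samples.items()}


if __name__ == "__main__":
    for name, c in SAMPLES.items():
        tier, why = classify(c)
        print(f"{name:12s} -> {tier:12s} {why}")
```

Two of the sample records differ only in the `nx_enabled` flag, which is the point of the post's remark about NX and DEP: the same control-flow redirection lands in the 'mitigated' bucket when the hardware protection is on and in 'exploitable' when it is off. The 'unknown' bucket is deliberate; a wild read at a high address needs a human to decide whether the address is attacker-influenced.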

1 comment:

Michael Hendrickx said...

I wouldn't really call a DoS lame. Sure, a DDoS shows off very little skill, and just a lot of bandwidth.

But imagine a forged HTTP request header that would crash Apache's process, or the inetinfo.exe process. Not its child processes, but completely, khalas, zip, gone. I'd be scared of that.

Furthermore, many seasoned security researchers used to say that X or Y was not exploitable, until others proved them wrong. (Ref the only good thing gobbles ever did, apache)

Code execution is always good, but a DoS could be "dangerous" as well. Imagine, DoS on IDS/IPS systems and the like.