zeroBay Exists: Will The Juice Be Worth The Squeeze?

Dave G. | July 6th, 2007 | Filed Under: Disclosure

Dark Reading reports that Wabisabilabi is open for business as the first public auction site for vulnerabilities.

From the time I was young, my father would tell me this story about a city that was having a city planning problem. The planning committee worked on the problem and couldn’t come up with a solution. One day, someone said they had the solution to the problem and would gladly tell the city for 1,000,000$. The city refused, but by simply knowing that there was a solution, they took another crack at it and eventually found a way to solve the problem. Please believe me that my dad tells this story in a way that is far more compelling, but you get the basic idea.

Vulnerability markets can be like this, except it is a problem people didn’t even know that they had. For example, here is a screen capture:

[Screenshot: the auction listing for the GPG plugin vulnerability]

Now, the GPG plugin is a small amount of PHP code (< 10,000 SLOC). How long do you think it will take someone with reasonable skill to find out where the bug is? I promise you, it won’t take long. Let alone this guy, who would find it if someone were transferring the source over a WiFi connection near him. Now a retail price of 1000$EU might be worth it, but I guarantee you that this bug is burned, because the title alone gives away enough for someone to do a code review and find it (and whatever else lurks in there).

Now competitive researchers, the vendor and/or potential buyers can just go and find the vulns themselves.

12 Comments so far

  • Fionnbharr Davies

    July 6th, 2007 3:48 am

    Your post is true for smaller apps imo, but what about one of the other auctions up there now ‘Local Linux kernel memory leak’. Pretty big target.

  • dre

    July 6th, 2007 3:49 am

    But, according to the Wikipedia entry on Mr. T, “For about ten years, Mr. T was a bodyguard to the stars, protecting such well-known personalities as Muhammad Ali, Steve McQueen, Michael Jackson, Bruce Lee, Joe Frazier, and Diana Ross. He charged around $3,000 a day and his business card famously read, ‘Next to God, there is no greater protector than I’. He always boasts that he never lost a client, saying, ‘I got hurt worse growing up in the ghetto than working as a bodyguard’”.

    Everybody loves Mr. T! Come on! You gotta love him!

    Completely on topic

    Notice that I didn’t even use the word “iPhone” or mention anyone by the initials “David Maynor” at all in this blog comment.

  • Chris R.

    July 6th, 2007 8:10 am

    That Linux kernel vulnerability has a CVE #. Soooo it’s just an exploit for sale?

  • Dave G.

    July 6th, 2007 10:17 am

    @Fionnbharr:

    It is definitely true that the information isn’t as directly valuable. But knowing that something exists and what type of vulnerability definitely gives a competitive researcher a nice head start on finding the vulnerability. If someone were selling an Apache bug, I can think of a couple of researchers who would double their efforts on Apache.

  • Episteme

    July 6th, 2007 10:26 am

    The Laziness of the Blackhat

    No, I’m not calling blackhats lazy. But I was reading Dave G’s post about WabiSabiLabi, where he talked about the idea that by having an auction site that gives enough detail about the vulnerabilities, there’s enough detail that a smart researcher …

  • Bee Binger

    July 6th, 2007 10:51 am

    grep require * | grep -i get
    gpg_help.php:require_once (SM_PATH.'plugins/gpg/help/' . $_GET['help'] );
    gpg_help_base.php:require_once (SM_PATH.'plugins/gpg/help/' . $_GET['help'] );

    ————
    if you can break this function .. maybe a good challenge?

    function gpg_ckMOD($rMOD){
        if (strstr($rMOD, '.')
            || strstr($rMOD, '/')
            || strstr($rMOD, '%')
            || strstr($rMOD, "\\")){
            echo _("Cute.");
            exit;
        }
    }

    then you would have command exec in these:

    gpg_options.php:require_once(SM_PATH."plugins/gpg/modules/$MOD.mod");
    gpg_pop_init.php:require_once("modules/$MOD.mod");

    ——

    $pre_pass = "$path_to_gpg --passphrase-fd 0 --armor --batch --no-tty --detach-sign --default-key $key_id --homedir $gpg_key_dir $filename 2>&1";
    $cmd = "echo $passphrase|$pre_pass";
    exec($cmd, $output, $returnval);

    plus many of these user variables going to many different exec calls

    yea this is a joke .. I do not think you need Stefan Esser to pop these.

  • Rhys Kidd

    July 6th, 2007 11:52 am

    Not only has that local Linux kernel memory leak vulnerability from March 2007 been assigned CVE-2007-1000, but PoC code was included in the *original* Linux Bugzilla posting, and is easily found with a moment of Googling.

    http://bugzilla.kernel.org/show_bug.cgi?id=8134

    So some idiot might wastefully pay for that PoC code, which can be found for free, is old, likely patched and doesn’t really have a high impact rating. Woohoo, that site’s a great way to print Euros from recycling public domain code.

  • Stefan Esser

    July 6th, 2007 12:24 pm

    From looking at the code for a few minutes and without an installed version of Squirrelmail I GUESS that there is some code execution through the filename of encrypted attachments.

    At least the very quick look lets me assume that the filename is copied into the shell command without escaping…

    lalalala…

  • Stefan Esser

    July 7th, 2007 9:52 am

    Bee Binger I took your challenge ;)

    However gpg_ckMOD($MOD) is not of much use if it is used in this way:

    if (!isset($MOD) || !$MOD) {
        gpg_ckMOD($MOD);
    }

    Therefore through gpg_pop_init.php you can include arbitrary files ;)

    The help system requires are btw. already fixed in their CVS version.

    And yes, I was right: through the “Decrypt Attachment” function, arbitrary shell commands can be injected via the dlfilename parameter.
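    The two patterns Bee Binger and Stefan Esser point at (the gpg_ckMOD guard that only runs when $MOD is empty, and the unescaped $filename in the gpg command line), each next to a hardened form. This is an added PHP example, not code from the plugin or from the commenters; the function names and the constructed inputs are assumptions.

```php
<?php
// Added example: the guard ordering and the unescaped command line discussed
// above, beside hardened versions. Names here are assumptions, not plugin code.

// The character blacklist from the comments, returning a bool instead of
// calling exit so it can be exercised here.
function ck_mod_blacklist(?string $rMOD): bool {
    if ($rMOD === null) {
        return true;
    }
    foreach (['.', '/', '%', "\\"] as $bad) {
        if (strstr($rMOD, $bad) !== false) {
            return false;
        }
    }
    return true;
}

// Guard order as quoted: the check runs only when $MOD is unset or empty,
// so any supplied value reaches require_once without ever being checked.
function module_path_as_shipped(?string $MOD): string {
    if (!isset($MOD) || !$MOD) {
        ck_mod_blacklist($MOD);
    }
    return "plugins/gpg/modules/$MOD.mod";
}

// Hardened: allowlist the name (no blacklist to slip past), always check,
// and return null so the caller refuses the request instead of including.
function module_path_hardened(?string $MOD): ?string {
    if ($MOD === null || !preg_match('/^[A-Za-z0-9_]{1,64}$/', $MOD)) {
        return null;
    }
    return "plugins/gpg/modules/$MOD.mod";
}

// Hardened detach-sign command: each operand is quoted with escapeshellarg(),
// directory parts are stripped, and names beginning with "-" are refused so
// they cannot be parsed as gpg options. The passphrase is not echoed through
// the shell; write it to fd 0 with proc_open() instead.
function sign_command_hardened(string $gpg, string $key_id, string $home, string $filename): ?string {
    $name = basename($filename);
    if ($name === '' || $name[0] === '-') {
        return null;
    }
    return escapeshellarg($gpg) . ' --passphrase-fd 0 --armor --batch --no-tty --detach-sign'
        . ' --default-key ' . escapeshellarg($key_id)
        . ' --homedir ' . escapeshellarg($home)
        . ' ' . escapeshellarg($name) . ' 2>&1';
}

if (PHP_SAPI === 'cli') {  // constructed inputs for a quick run: php this_file.php
    var_dump(module_path_as_shipped('../../other'));  // traversal survives the guard
    var_dump(module_path_hardened('../../other'));    // rejected by the allowlist
    var_dump(sign_command_hardened('/usr/bin/gpg', 'ABCD1234', '/var/gpg', 'memo.txt;echo injected'));
}
```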

  • JohnGruberIsARobot

    July 7th, 2007 3:35 pm

    Wow, judging by all the free code auditing done here and Daily Dave, it seems like vendors can get some good free auditing done just by posting a fake vuln on zeroBay and waiting til it’s “reversed.”

  • Marcin

    July 9th, 2007 10:55 am

    @JohnGruberIsARobot:

    You can’t get any better than this ;) /sarcasm

    Q: What guarantees will you give me about the reliability of the security researches listed on the market place?
    A: Full guarantee. Every piece of security research is carefully analyzed and replicated in our own laboratories and eventually implemented with our own complementary research material before being placed on the market place.

  • JohnGruberIsARobot

    July 9th, 2007 11:21 am

    @Marcin:

    With that guarantee, it might be tricky. Oh well, there’s always the old-fashioned way of gathering free code auditing that vendors have been using for years: offending researchers with outlandish claims of having flawless security in a product and seeing what they come up with….
