Matasano Chargen » Blog Archive » zeroBay Exists: Will The Juice Be Worth The Squeeze?

zeroBay Exists: Will The Juice Be Worth The Squeeze?

Dave G. | July 6th, 2007 | Filed Under: Disclosure

Dark Reading reports that Wabisabilabi is open for business as the first public auction site for vulnerabilities.

From the time I was young, my father would tell me this story about how there was a city that was having a city planning problem. The planning committee worked on the problem and couldn’t come up with a solution. One day, someone said they had the solution to the problem and would gladly tell the city for 1,000,000$. The city refused, but by simply knowing that there a solution, they took another crack at it and eventually found a way to solve the problem. Please believe me that my dad tells this story in a way that is more more compelling, but you get the basic idea.

Vulnerability markets can be like this, except it is a problem people didn’t even know that they had. For example, here is a screen capture:

Picture 51.jpg

Now, GPG plugin is a small amount of PHP code (< 10,000 SLOC). How long do you think it will take for someone with reasonable skill to find out where the bug is? I promise you, it won’t take long. Let alone this guy, who would find it if someone were transferring the source via a WiFi connection near him. Now a retail price of 1000$EU might be worth it, but I guarantee you that this bug is burned just because the title gives away enough for someone to do a code review and find that (and whatever else lurks in there).

Now competitive researchers, the vendor and/or potential buyers can just go and find the vulns themselves.

Viewing 11 Comments

Fionnbharr Davies 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Your post is true for smaller apps imo, but what about one of the other auctions up there now 'Local Linux kernel memory leak'. Pretty big target.

reply edit reblog flag

http://fshypervisor.wordpress.com

dre 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

But, according to the Wikipedia entry on Mr. T, "For about ten years, Mr. T was a bodyguard to the stars, protecting such well-known personalities as Muhammad Ali, Steve McQueen, Michael Jackson, Bruce Lee, Joe Frazier, and Diana Ross. He charged around $3,000 a day and his business card famously read, `Next to God, there is no greater protector than I'. He always boasts that he never lost a client, saying, `I got hurt worse growing up in the ghetto than working as a bodyguard'".

Everybody loves Mr. T! Come on! You gotta love him!

Completely on topic

Notice that I didn't even use the word "iPhone" or mention anyone by the initials "David Maynor" at all in this blog comment.

reply edit reblog flag

Chris R. 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

That linux kernel vulnerability has a CVE #. Soooo its just an exploit for sale?

reply edit reblog flag

http://em386.blogspot.com

Dave G. 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

@Fionnbharr:

It is definitely true that the information isn't as directly valuable. But knowing that something exists and what type of vulnerability definitely gives a competitive researcher a nice head start on finding the vulnerability. If someone were selling an Apache bug, I can think of a couple of researchers who would double their efforts on Apache.

reply edit reblog flag

http://www.matasano.com/log

Bee Binger 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

grep require * | grep -i get
gpg_help.php:require_once (SM_PATH.'plugins/gpg/help/' . $_GET['help'] );
gpg_help_base.php:require_once (SM_PATH.'plugins/gpg/help/' . $_GET['help'] );

------------
if you can break this function .. maybe a good challenge?

function gpg_ckMOD($rMOD){
if (strstr($rMOD, '.')
|| strstr($rMOD, '/')
|| strstr($rMOD, '%')
|| strstr($rMOD, "\\")){
echo _("Cute.");
exit;
}
};

then you would have command exec in these:

gpg_options.php:require_once(SM_PATH."plugins/gpg/modules/$MOD.mod");
gpg_pop_init.php:require_once("modules/$MOD.mod");

------

$pre_pass =" $path_to_gpg --passphrase-fd 0 --armor --batch --no-tty --detach-sign --default-key $key_id
--homedir $gpg_key_dir $filename 2>&1";
$cmd = "echo $passphrase|$pre_pass";
exec($cmd,$output,$returnval);

plus many of these user variables going to many different exec calls

yea this is a joke .. I do not think you need stefan esser to pop these.

reply edit reblog flag

Rhys Kidd 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Not only does has that local Linux kernel memory leak vulnerability from March 2007 been assigned CVE-2007-1000, but PoC code was included in the *original* Linux Bugzilla posting, and is easily found with a moment of Googling.

http://bugzilla.kernel.org/show_bug.cgi?id=8134

So some idiot might wastefully pay for that PoC code, which can be found for free, is old, likely patched and doesn't really have a high impact rating. Woohoo, that sites a great way to print Euros from recycling public domain code.

reply edit reblog flag

Stefan Esser 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

From looking a few minutes onto the code and without a installed version of Squirrelmail I GUESS that there is some code execution through the filename of encrypted attachments.

Atleast the very quick look lets me assume that the filename is copied into the shellcommand without escaping...

lalalala...

reply edit reblog flag

http://www.sektioneins.de

Stefan Esser 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Bee Binger I took your challenge ;)

However gpg_ckMOD($MOD) is not of much use if it is used in this way:

if (!isset($MOD) || !$MOD) {
gpg_ckMOD($MOD);
}

Therefore through gpg_pop_init.php you can include arbitrary files ;)

The help system requires are btw. already fixed in their CVS version.

And yes I was right through the "Decrypt Attachment" function arbitrary shell commands can be injected via the dlfilename parameter.

reply edit reblog flag

http://www.sektioneins.de

JohnGruberIsARobot 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Wow, judging by all the free code auditing done here and Daily Dave, it seems like vendors can get some good free auditing done just by posting a fake vuln on zeroBay and waiting til it's "reversed."

reply edit reblog flag

Marcin 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

@JohnGruberIsARobot:

You can't get any better than this ;) /sarcasm

Q: What guarantees will you give me about the reliability of the security researches listed on the market place?
A: Full guarantee. Every piece of security research is carefully analyzed and replicated in our own laboratories and eventually implemented with our own complementary research material before being placed on the market place.

reply edit reblog flag

http://www.tssci-security.com

JohnGruberIsARobot 1 year ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

@Marcin:

With that guarantee, it might be tricky. Oh well, there's always the old-fashioned way of gathering free code auditing that vendors have been using for years: offending researchers with outlandish claims of having flawless security in a product and seeing what they come up with....

reply edit reblog flag

zeroBay Exists: Will The Juice Be Worth The Squeeze?

Add New Comment

Viewing 11 Comments

Add New Comment

Trackbacks

People We Read

Things We Write

RSS Feed

Archives