Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/9/2010
04:39 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

NSS Labs To Open Marketplace For Buying And Selling Exploits

No zero-days on 'Exploit Hub'

NSS Labs late next month will open up a new online marketplace for researchers to sell their exploits to penetration testers and other buyers.

Exploit Hub is an iPhone App Store-style type marketplace that will provide researchers with a way to make money for the exploits they write for the open-source Metasploit pen-test framework, according to Rick Moy, director of independent testing lab NSS Labs. "The bad guys already have this stuff. We're trying to level the playing field," Moy says. "As soon as a patch is out there, it only takes a few hours for a competent exploit writer to reverse-engineer it with an exploit they can use."

The online marketplace model hasn't had much success in the past, however. But security researchers say Exploit Hub's approach might fare better because it's aimed at security professionals, and will vet participants as well as test the exploits before they go up for sale. It will only offer exploits for sale, not bugs like the former and now defunct WabiSabiLabi marketplace, and it won't allow exploits for any zero-day flaws -- only known vulnerabilities.

Chris Nickerson, CEO of Lares Consulting, says Exploit Hub could be mutually beneficial to both researchers and penetration testers. It will give researchers compensation for their exploit-writing work and provide in-house penetration testers without the expertise or development resources to purchase the exploits they need, he says. Even seasoned pen testers would have a place to buy exploits when they need them: "From a tester side, I'd be more than happy to invest in this because it's going to save some time of my guys [developing exploits with] Metasploit or Core plug-ins ... And it's going to give developers a more secure place to put" their exploits, he says.

There are times when writing your own exploit for a pen-testing engagement just isn't the best use of time. David Maynor, CTO at Errata Security, says writing exploits from scratch on-site can be time-consuming. "When you have a certain amount of time to test, it's a big decision: Do I write something that may work, or do I move on?" says Maynor, who says he personally prefers to write his own exploits. "I doubt I would be on-site and run into a problem and be like, 'Let me check NSS and see if they have something.' If I were to buy something, I would need to work with it for a while before using it on the client side or even better, look at how it's done, and then reimplement it myself with my own payloads so I know it's clean."

NSS Labs' Moy says Exploit Hub plans to offer an open, safe market for the buying and selling of exploits. He says it also fills a major gap in today's penetration-testing tools. "Over the past five years, there have been over 14,000 high-risk or critical vulnerabilities and if you look at the tools and count how many exploits in them [for these], there are maybe 1,000," Moy says. "So if you buy all three of these tools, you're getting less than 10 percent coverage for these high vulnerabilities.

"Our goal is to help arm pen testers and security firms with better tools. Security vendors can use them to test their products, and pen testers to test their products," he says.

NSS Labs will test and validate the exploits to ensure they work, an element of the marketplace that security researchers say is crucial.

So far financial services and entertainment firms have expressed interest in the marketplace, he says, as well as security researchers. NSS Labs is providing guidelines for pricing based on supply and demand: The going rate for an exploit could range from $50 for a Web browser or Windows client exploit to a few thousand to hundreds of thousands of dollars for a more complex Oracle exploit, he says.

Keeping the bad guys out won't be too hard, he says, because buyers will also be vetted.

Whether Exploit Hub succeeds will have a lot to do with whether pen testers embrace it and if their organizations are willing to pay for the code, experts say.

Lares' Nickerson says it could also ultimately force penetration testing vendors to more quickly turn around exploits, too, with this new exploit venue also offering exploit modules. "They [vendors] now have an unlimited timeline to release that into their framework," he says. This may force them to step up their development turnaround efforts, he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18216
PUBLISHED: 2019-10-20
** DISPUTED ** The BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313 relies on the main battery instead of using a CMOS battery, which reduces the value of a protection mechanism in which booting from a USB device is prohibited. Attackers who have physical laptop access ...
CVE-2019-18214
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.