Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/9/2010
04:39 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

NSS Labs To Open Marketplace For Buying And Selling Exploits

No zero-days on 'Exploit Hub'

NSS Labs late next month will open up a new online marketplace for researchers to sell their exploits to penetration testers and other buyers.

Exploit Hub is an iPhone App Store-style type marketplace that will provide researchers with a way to make money for the exploits they write for the open-source Metasploit pen-test framework, according to Rick Moy, director of independent testing lab NSS Labs. "The bad guys already have this stuff. We're trying to level the playing field," Moy says. "As soon as a patch is out there, it only takes a few hours for a competent exploit writer to reverse-engineer it with an exploit they can use."

The online marketplace model hasn't had much success in the past, however. But security researchers say Exploit Hub's approach might fare better because it's aimed at security professionals, and will vet participants as well as test the exploits before they go up for sale. It will only offer exploits for sale, not bugs like the former and now defunct WabiSabiLabi marketplace, and it won't allow exploits for any zero-day flaws -- only known vulnerabilities.

Chris Nickerson, CEO of Lares Consulting, says Exploit Hub could be mutually beneficial to both researchers and penetration testers. It will give researchers compensation for their exploit-writing work and provide in-house penetration testers without the expertise or development resources to purchase the exploits they need, he says. Even seasoned pen testers would have a place to buy exploits when they need them: "From a tester side, I'd be more than happy to invest in this because it's going to save some time of my guys [developing exploits with] Metasploit or Core plug-ins ... And it's going to give developers a more secure place to put" their exploits, he says.

There are times when writing your own exploit for a pen-testing engagement just isn't the best use of time. David Maynor, CTO at Errata Security, says writing exploits from scratch on-site can be time-consuming. "When you have a certain amount of time to test, it's a big decision: Do I write something that may work, or do I move on?" says Maynor, who says he personally prefers to write his own exploits. "I doubt I would be on-site and run into a problem and be like, 'Let me check NSS and see if they have something.' If I were to buy something, I would need to work with it for a while before using it on the client side or even better, look at how it's done, and then reimplement it myself with my own payloads so I know it's clean."

NSS Labs' Moy says Exploit Hub plans to offer an open, safe market for the buying and selling of exploits. He says it also fills a major gap in today's penetration-testing tools. "Over the past five years, there have been over 14,000 high-risk or critical vulnerabilities and if you look at the tools and count how many exploits in them [for these], there are maybe 1,000," Moy says. "So if you buy all three of these tools, you're getting less than 10 percent coverage for these high vulnerabilities.

"Our goal is to help arm pen testers and security firms with better tools. Security vendors can use them to test their products, and pen testers to test their products," he says.

NSS Labs will test and validate the exploits to ensure they work, an element of the marketplace that security researchers say is crucial.

So far financial services and entertainment firms have expressed interest in the marketplace, he says, as well as security researchers. NSS Labs is providing guidelines for pricing based on supply and demand: The going rate for an exploit could range from $50 for a Web browser or Windows client exploit to a few thousand to hundreds of thousands of dollars for a more complex Oracle exploit, he says.

Keeping the bad guys out won't be too hard, he says, because buyers will also be vetted.

Whether Exploit Hub succeeds will have a lot to do with whether pen testers embrace it and if their organizations are willing to pay for the code, experts say.

Lares' Nickerson says it could also ultimately force penetration testing vendors to more quickly turn around exploits, too, with this new exploit venue also offering exploit modules. "They [vendors] now have an unlimited timeline to release that into their framework," he says. This may force them to step up their development turnaround efforts, he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.