This is part two of a series of posts about blindspots that I discussed during my LASCON keynote presentation this year. To see the first post about network and host security blindspots, click here.
One thing I have come to notice is that there is a strange tendency in our industry to focus on specific things, just because that’s what’s interesting to us. I definitely encourage enthusiasm, but not when it comes with a blindspot towards other vulns. For instance, one exercise I regularly ask people to do is to give me an off-the-cuff DREAD severity rating for a particular vuln that they are currently excited about. They start by saying “It’s horrible”, which is a very strong word in the English language and one I’d typically take to mean a high level of risk severity. However, after performing a DREAD analysis by hand, the rating almost always ends up significantly lower than the person instinctively felt.
Likewise, I see a strange blindspot in the industry around the buying of vulns. I did an experiment and attempted to sell a half dozen vulns (mostly medium to high severity) and I was surprised to find that there were no buyers. Let me show you why that’s odd. A buffer overflow in some DNS server might give an attacker user-level access to a machine, and that would be worth $100k on the vuln markets, let’s say. Some of the exploits I discovered would allow an attacker to get a shell on the box in the “www” user context. So both vulns are almost equivalent, with the exception of the method of propagation (remote unauthenticated vs CSRF). One is worth $100k and the other is worth $0. Seems odd? Let’s dig in a bit deeper.
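As an added example (not code from the original post), here is the “rate it by hand” DREAD exercise from above run over the two vulns just described. The five ratings for each vuln, the severity cut-offs and the 1–10 “gut feel” number are illustrative assumptions chosen for this example, not the author’s figures; the point is the comparison, not the exact numbers.

```python
# Added example, not from the original post: a small DREAD scorer used to run
# the "rate it by hand" exercise on the two vulns discussed above. Every
# rating and cut-off below is an illustrative assumption for demonstration.
from dataclasses import dataclass

# The five DREAD factors, each rated 1 (negligible) to 10 (worst case).
DREAD_FACTORS = (
    "damage",           # how bad is it if exploited?
    "reproducibility",  # how reliably does the attack work?
    "exploitability",   # how little skill/effort is needed? (10 = trivial)
    "affected_users",   # how many installs/users are exposed?
    "discoverability",  # how easy is the flaw to find?
)

# Severity bands on the 1-10 average. DREAD itself fixes no cut-offs; these
# are assumed here so the output can be compared to words like "horrible".
SEVERITY_BANDS = (
    (9.0, "critical"),
    (7.0, "high"),
    (4.0, "medium"),
    (0.0, "low"),
)


@dataclass(frozen=True)
class DreadRating:
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        # Reject out-of-range ratings early; a 0 or an 11 silently skews the mean.
        for factor in DREAD_FACTORS:
            value = getattr(self, factor)
            if not isinstance(value, int) or not 1 <= value <= 10:
                raise ValueError(f"{self.name}: {factor}={value!r} is not an int in 1..10")

    def score(self) -> float:
        """Mean of the five factors, rounded to one decimal."""
        total = sum(getattr(self, f) for f in DREAD_FACTORS)
        return round(total / len(DREAD_FACTORS), 1)

    def severity(self) -> str:
        """Map the mean onto the assumed severity bands."""
        s = self.score()
        for threshold, label in SEVERITY_BANDS:
            if s >= threshold:
                return label
        return "low"


def gut_feel_gap(gut_rating: int, rating: DreadRating) -> float:
    """How far an off-the-cuff 1-10 rating sits above the computed DREAD score.

    Positive means the gut feel overestimated severity relative to DREAD.
    """
    if not 1 <= gut_rating <= 10:
        raise ValueError("gut rating must be in 1..10")
    return round(gut_rating - rating.score(), 1)


def compare(*ratings: DreadRating) -> dict:
    """Score several vulns side by side, highest DREAD score first."""
    ranked = sorted(ratings, key=lambda r: r.score(), reverse=True)
    return {r.name: {"score": r.score(), "severity": r.severity()} for r in ranked}


# The two vulns from the post, with assumed ratings. Both end in a shell as an
# unprivileged user; they differ mainly in how the attacker reaches the target.
DNS_OVERFLOW = DreadRating(
    name="dns-server buffer overflow (remote, unauthenticated, user-level shell)",
    damage=7,            # unprivileged user on the box, not root
    reproducibility=6,   # memory corruption; reliability depends on build/mitigations
    exploitability=5,    # needs a working exploit for the target binary
    affected_users=9,    # every internet-facing instance of the affected server
    discoverability=7,
)

CMS_CSRF_SHELL = DreadRating(
    name="CMS CSRF chain ending in a shell as the www user",
    damage=7,            # same outcome: unprivileged shell
    reproducibility=9,   # a crafted request behaves deterministically
    exploitability=8,    # a page or link the victim loads; no exploit development
    affected_users=7,    # the ~2,000 installs the post says could be hit
    discoverability=6,
)

if __name__ == "__main__":
    for name, result in compare(DNS_OVERFLOW, CMS_CSRF_SHELL).items():
        print(f"{result['score']:>4}  {result['severity']:<8}  {name}")
    # A researcher who calls the CSRF chain "horrible" (say, 10/10) is overstating it.
    print("gut-feel gap:", gut_feel_gap(10, CMS_CSRF_SHELL))
```

With these assumed ratings the CSRF chain scores in the same band as, or slightly above, the $100k DNS overflow, and the “horrible” 10/10 gut feel lands well above what the factor-by-factor score supports; swap in your own ratings for a vuln you are excited about and see where it really falls.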
I began asking my friends in the underground what a compromised webserver is worth to them. They said somewhere around $500 for what they were doing with it. So if my exploit allowed them to compromise 2,000 CMSs (which it could rather easily) it would be a $1 million pay day for their group. I confirmed with them that even an attack using CSRF would still be easy to monetize, so even the method of propagation wasn’t an issue. There’s a blindspot here. If the security industry is not willing to pay a dime, but attackers are valuing it at $1 million, that’s a discrepancy that makes it extremely difficult to stay on the right side of the law.
I think the problem has always been that there is a misperception in our industry of the importance of what we think is cool or intellectually interesting versus what attackers think is useful and can be leveraged to make money. Admittedly, vuln purchase programs all come down to a supply and demand issue. However, since there is no easy outlet for webappsec vuln research even after all these years, things will continue to stay bad for a very long time. I predict this problem won’t go away any time in the near future, not until all vulns are purchased on a level playing field, using DREAD or something similar. For now though, expect your CMSs to stay vulnerable, unless you’re being extremely proactive.
The point is, I encourage you not to focus too much on one target, one vuln, or one vuln class, when there are others with the potential to do equal or greater damage, or that are easier to exploit. Just because it’s interesting to us as security researchers doesn’t mean attackers see it the same way.