Re: 0-day i hear $1000?

From: Markus Kern (markus-kernat_private)
Date: Sun Oct 21 2001 - 02:39:06 PDT

    foobat_private wrote: 
    > But security companies don't need some 0day script to exploit a
    > vulnerability, they just need to know about the vulnerabilities.

    From reading the pen-test mailing list I've got the impression that
    many penetration testers have their own collection of proprietary
    exploit code. Either because there's no public exploit code for a 
    vulnerability at all or because the code available isn't
    sophisticated enough / only works under certain conditions (e.g.
    it's for Linux when you need it for BSD).
    They need the exploits because they want to penetrate into the LAN
    of their clients and look for other vulnerable systems.
    Imagine a company which does nothing but coding exploits. Their
    exploits will all have the same structure, will be scriptable and
    you can get them in different flavors (e.g. one that phones home,
    one that uses an HTTP tunnel, ...). Say it takes them 24 hours after
    the bug is made public till they can provide perfect exploit code.
    Why should any pen-testing company employ someone for exploit coding
    if it's cheaper to just buy the finished exploit code?
    The entire process is inherent to capitalism. People specialize in
    what they can do best and sell it. As long as someone is willing to
    pay for it there'll be someone selling it.
    just my 2 cents
