Frameworks are not auto-hackers

I was reading a review of the Yoggie Gatekeeper Pro in this month's SC Magazine. It's a neat little device that hides your PC behind a Linux firewall-appliance when connecting to an untrusted network. The voodoo of how it shims itself into your Windows networking stack so you can connect to a wireless network and still be protected through the Yoggie aside -- one thing about the review really made my hair bristle:

Using our vulnerability assessment tool (NetClarity) and our penetration tool (Core Impact) we were unable to compromisethe Gatekeeper or the computer behind it.
- SC Magazine, April 2007, Pg 63

Well duh.

Both the tools listed are only as strong as their signatures, exploits and platform shellcode. That statement is like running Core Impact against a copy of OpenVMS and saying IMPENETRABLE! when you're done. Technically it's valid but it's no measure of strength.

Maybe these statements are made because of a contractual obligation. "Say our product name five times and we'll give you free copies" sort of thing. Unfortunately there will be InfoSec managers and the like who will listen and wonder if maybe they should use these tools in lieu of hiring security professionals who actually know something.

Maybe I'm just being too overly critical and hypersensitive about this. I don't think I am as I've looked at a number of Web Application Security tools on the market and none of them have been able to find the more serious vulnerabilities vs. a team of two or three highly skilled testers have. We still need good QA but attack Frameworks like CORE Impact, Canvas and Metasploit aren't automated tools. Don't treat them as such.

Exploit frameworks are the best

This week I wrote an exploit for a JRun vulnerability released in 2002! I was proud of myself as we rarely get the chance to write an overflow during a penetration test. Usually it's all web exploits, unpatched windows systems, poor administration, etc. My friend said we found "the oldest box on his network." So much for "no public exploits exist" as a mitigation! HA!

The hardest part of all this was getting a copy of the JRun software installed and running in a VM. It was so old the company (Allaire) had been bought twice so no installers could easily be found! A few hurdles later and within half a day I had a stable module written for Metasploit. Later in the evening I wrapped one up for Canvas. I don't have a copy of CORE Impact - it's a little expensive and, well, we do alright with what we have. :)

Dave Aitel once said he envisioned a future of exploit writing becoming a marketplace where they can be sold by third parties like ActiveX objects were in the early days of IE. Needed to do some video? Here's a library that'll help!

To be honest I don't see that happening. There's little value for me to spend some amount ($100 to $5000?) for a single exploit that may or may not work to "prove" the system is vulnerable. There's so much wiggle area when exploiting a system, even with the protections provided by today's frameworks, that it'll just be too unreliable. I'd have a hard time justifying the cost but maybe that's just me.

There's been talk on the Metasploit mailing list of putting together an exploit module repository. Something centralized that can be maintained by developers. I've been searching for a project, maybe this will be it. :) Anyone else that's interested drop me a line. I envision a Trac Wiki + SVN repository with some core supporters and community submissions/requests. Of course we'll have to weed out the 100s of "writemesumthin 2 hax myspace/yahoo/aim" but that's part of the fun!

Until then.. enjoy my meager contributions: http://grutz.jingojango.net/exploits/

SecurityOPUS is coming up March 19-21 here in San Francisco. It's an awesome conference and I highly recommend coming -- registration is still open. We don't have many get-togethers here for some reason other than big marketing events like RSA. There's a lot of talent in the bay area and this is a great way for the security community to come together more. Come! Learn! Enjoy! Eat some great food on Rich's dime! Then later come to our OWASP meetings. They're lots of fun and free beer when iSEC Partners hosts. :)