April 21, 2014

The difference between an expoit and vulnerability

(LiveHacking.Com) – Any reader of this blog will inevitably come across words like vulnerability, exploit, malware, Trojan and so on. Some of these words have connected meanings but in themselves they have clear and separate definitions.  For example a Trojan is a type of malware, but not all malware is a Trojan. What about ‘vulnerability’ and ‘exploit’, are they they same thing? If not, what is the connection?

A vulnerability is a flaw in a system, or in some software in a system, that could provide an attacker with a way to bypass the security infrastructure of the host operating system or of the software itself. It isn’t an open door but rather a weakness which if attacked could provide a way in.

Exploiting is the act of trying to turn a vulnerability (a weakness) into an actual way to breach a system. A vulnerability can therefore be ‘exploited’ to turn it into viable method to attack a system.

In software (rather than whole systems including the people, the computers, the firewalls and the networks etc), the most common type of vulnerability is a memory error. These can be buffer overflows, heap corruptions or NULL pointer de-references. Once a memory issue has been discovered an attacker will try to exploit it by manipulating how the memory is corrupted in the hope to alter some aspect of the addressing (maybe a return address). This can then be used to make the CPU run code in another part of memory. If arbitrary code execution is achieved then the system can be exploited. The extent of the exploit will depend on the nature of the vulnerability,  if privilege elevation was achieved and the extent of technologies such as sand-boxing or address space layout randomization (ASLR).

Turning a software vulnerability into an exploit can be hard. Google, for example, rewards security researchers for finding vulnerabilities in its Chrome web browser. The payouts Google make are in the range of $500 to $3000. However it also runs competitions for security specialists to present exploited vulnerabilities. These exploits are rewarded much larger sums, as much as $60,000. The difference in payouts reflects the magnitude of the task when trying to exploit a vulnerability.

Google updates Chrome after successful exploit at Pwnium 2

(LiveHacking.Com) – Google has released a rapid update to its Chrome web browser after it was successfully exploited at the Google run Pwnium 2 hacking competition. Chrome 22.0.1229.94, which is available for Windows, Mac, and Linux, fixes a SVG use-after-free and IPC arbitrary file write bug that was successfully used by Pinkie Pie to fully exploit Chrome. The prize money was $60,000 which is the top amount awarded for a full Chrome exploit on a fully patched Windows 7  PC using only bugs in Chrome itself.

“We’re delighted at the success of Pwnium 2, and anticipate additional hardening and future improvements to Chrome as a result of the competition,” wrote Jason Kersey from Google’s Chrome team.

The official bug list is as follows:

  • [$60,000][154983][154987] Critical CVE-2012-5112: SVG use-after-free and IPC arbitrary file write. Credit to Pinkie Pie.

PinkiePie (aka PwniePie) is no stranger to exploiting Chrome. Back in March he also received $60,000 after successfully demonstrating an exploit at the first Pwnium competition. Shortly after Google issued 17.0.963.79 to fix the vulnerability used. At the time, Jason Kersey from the Google Chrome team is quoted as calling the exploit “a beautiful piece of work.”

Google ups bounties for finding vulnerabilities in Chrome and offers over $2 million in prize money for Pwnium 2

(LiveHacking.Com) – Many people have benefited from Google’s Chrome Vulnerability Rewards Program which was created to reward security researchers who invest their time and effort in helping find security vulnerabilities in Chrome and its open source counterpart Chromium. Not only do Google get a securer browser, not only do users get a safer web experience but browers like Safari benefit as it is built on the same WebKit rendering engine.

Google, which has paid out over $1 million dollars in rewards, has recently made two big announcements with regards to the rewards it is offering researchers. First, three new $1000 rewards have been announced which will be added to the base reward for finding vulnerabilities that are at least particularly exploitable, for bugs in stable areas of the code base and for serious bugs which impact a significantly wider range of products than just Chrome (e.g. open source libraries).

Google has also announced that it will host a second Pwnium competition. Pwnium 2 will be held on Oct 10th, 2012 at the Hack In The Box 10 year anniversary conference in Kuala Lumpur, Malaysia. The prize money up for grabs totals $2 million:

  • $60,000: ‘Full Chrome exploit’: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.
  • $50,000: ‘Partial Chrome exploit’: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows kernel bug.
  • $40,000: ‘Non-Chrome exploit’: Flash / Windows / other. Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver.
  • $Panel decision: ‘Incomplete exploit’: An exploit that is not reliable, or an incomplete exploit chain. For example, code execution inside the sandbox but no sandbox escape; or a working sandbox escape in isolation.

“For Pwnium 2, we want to reward people who get ‘part way’ as we could definitely learn from this work. Our rewards panel will judge any such works as generously as we can,” wrote  Chris Evans, a software engineer at Google.