Showing posts with label Exploits. Show all posts

Monday, July 9, 2007

Buy your exploits here?



Are you in the market for a previously undisclosed exploit and/or vulnerability? If so, maybe you should check out the WabiSabiLabi MarketPlace, an online exploit auction site (or not).

So far, I have only seen four exploits listed for sale with only two receiving bids. Supposedly, I can become the high-bidder on a Yahoo! Messenger 8.1 remote buffer overflow exploit for only 2000 Euro (~$2720 US).

Let’s take a look at this.

The Site



If you have used eBay or U-Bid before, you already understand how online auctions work so I won’t explain any of that.

What sets this online auction site apart from others is the commerce: previously undisclosed exploits. Upon first examination of the site, it appears to be legitimate, but due to my nature I want to dig a little more.

Call me naïve, but I gotta tell ya I am a bit suspicious.

First off, I had not heard of “WabiSabiLabi Ltd.” before this encounter. Before I do business with anyone, I certainly want to know who they are and rarely will I take their word for it.

There is little or no history of the company presumably because they are a startup. DNS provides little information as it is a GoDaddy private registration. The site itself (http://www.wslabi.com/) is hosted through California Regional Intranet, Inc. (cari.net).

Let’s say for a second that I have a “zero-day” exploit that I would like to profit from, and let’s say that I am a good guy (I am!). Should I sell my work through WabiSabiLabi and trust that they will make sure it is sold to another good guy?

WabiSabiLabi FAQ:
Q: Can everybody purchase vulnerabilities from the market place?

A: No, all purchasers will be carefully evaluated before granting them access to the market platform to minimize the risk of selling the right stuff to the wrong people.

Personally, I would like a little more disclosure on “how” WabiSabiLabi will evaluate a purchaser.

Now let’s say that I am a bad guy with a zero-day exploit to sell. Should I sell my work through WabiSabiLabi and risk disclosure of my identity or should I sell it to the highest bidder within “my network”? This is a simple question to answer!

Hey, maybe I am a bad guy with money to buy a zero-day exploit. Will the exploit be worth squat after the extensive “hinting” that takes place by disclosing even trivial details on http://www.wslabi.com/?

And lastly, let’s say I am a good guy again (following me?) and I work for one of the vendors mentioned with an exploit on http://www.wslabi.com/. Would I buy? What happens if I don't buy the exploit when I could have and it turns out to be a good one that causes harm to my customers? This scenario could hurt. Tough decision, but almost sounds like blackmail by WSLabi.

There is just not enough information on http://www.wslabi.com/ for me to make the decision to disclose anything, i.e. submit any zero-day information I had on hand. I agree that security researchers need to get paid for their work, as I know the work can be extremely detailed, time-consuming, and stressful. I am just not convinced that this is the place to do it. I will take a wait-and-see approach to this one.

You will have to make your own decision.

WabiSabiLabi Information, According to the site:
“WSLabi laboratory in Switzerland covers a large quantity of high-severity ITSEC issues through its global research network of independent security researchers and third part organizations”

Their motto: “The art of continuous improvement of imperfect security”

Their Blog: http://wabisabilabi.blogspot.com/



Tuesday, April 10, 2007

Over 2000 sites are actively exploiting Microsoft .ani flaw

2000+? That is a heckuva lot of sites!

"The number of Web sites engineered to exploit the problem has jumped considerably since the vulnerability was publicly disclosed by Microsoft on March 29. It will likely continue to rise until patches are applied across corporate and consumer PCs, said Ross Paul, senior product manager for Websense." - IDG News Service, Over 2,000 sites now exploit .ani security flaw

If you have not applied this patch, you are implored to do so now! This is a serious flaw and exploits are rampant. Also, reference my earlier post labeled "Microsoft to Release OOB (Out of Band) Patch Tomorrow".

Although there have been a few reported application incompatibility issues with this patch, the potential consequences of not patching should outweigh these issues.

Monday, April 2, 2007

Microsoft to Release OOB (Out of Band) Patch Tomorrow

This is a little rare, but I am glad to see it! Microsoft made the announcement today that they would issue a patch for what has been called "Microsoft Windows Animated Cursor Handling Buffer Overflow". That's a mouthful. For those of you who don't know, Microsoft releases patches to the general public every second Tuesday of the month (AKA "Patch Tuesday"). Last month, Microsoft did not release any patches, which is also quite rare.

What is the "Microsoft Windows Animated Cursor Handling Buffer Overflow"?
This vulnerability was announced on various information security sites more than four (4) days ago. The issue stems from the way in which Microsoft operating systems (Windows 2000 SP4 - Vista) handle the processing of malformed .ani, .cur, and .ico files, resulting in possible memory corruption and buffer overflow.

Should I Care?
Yes, you should. This is a remotely exploitable vulnerability which could lead to the ability to execute arbitrary commands and/or denial of service.

What does The Trusted Toolkit recommend?
Apply the patch tomorrow when it becomes available from Microsoft. In the meantime, follow other good security practices.

More Info:
Microsoft: http://www.microsoft.com/technet/security/advisory/935423.mspx
Secunia (rated "Extremely critical"): http://secunia.com/advisories/24659/
