Welcome to Definition Monday, where we define and explain a common technology or security concept for the benefit of our less experienced readers. This week: Exploits.
Many times, when reading security alerts on a mailing list like bugtraq, you will see the word “exploit”. What exactly is an exploit, and why is it important?
It’s important to remember that many of the security vulnerabilities that are discovered by third-party researchers, particularly in the open source world, are theoretical. That is, a particular piece of code may appear to have a security hole because of the way that it is written, but that does not necessarily mean that the security hole can be taken advantage of by an adversary. If that piece of code is never exposed to the adversary, or if some other routine protects it, or if the conditions needed to trigger it can never actually occur, then the hole remains theoretical.
For example, imagine a piece of software that controls an industrial metal router in a factory. It is entirely possible that the software requires an old version of Microsoft Windows, and that updating Windows will cause the metal router to stop working. That version of Windows may have a security vulnerability when exposed to a hostile network. But if the computer running the metal router is never attached to a network, then there is no way to take advantage of the vulnerability. It ceases to be a problem.
(I know that this sounds like some metaphysical tree-falling-in-the-forest stuff. Is a vulnerability that can’t be attacked still a vulnerability? I’ll leave that to the philosophers – I have enough on my plate worrying about the systems that are exposed to pontificate on those that aren’t.)
On the other hand, if a security vulnerability can be taken advantage of, and if it can be done in a reliable, repeatable fashion, then the code that attacks it is referred to as an “exploit”.
For example, take a look at this posting on the bugtraq list from two days ago. The poster has identified a Cross-Site Request Forgery (CSRF) vulnerability in a particular model of Linksys home router. In addition to discovering the flaw, he has also included exploit code in the form of an HTML snippet that takes advantage of the vulnerability – this can be used to add an administrative user to the Linksys router configuration, under certain conditions, without the user being aware of the addition. And since all of the traffic on a home or small business network passes through this router, it’s probably not a great place for your adversary to have administrative privileges.
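To make the CSRF case concrete, here is an added, constructed model of a router's "add admin user" endpoint. It is not the poster's exploit and not the Linksys firmware; the handler names, the session/token scheme and the router origin `http://192.168.1.1` are assumptions. The vulnerable handler shows why a request the victim's browser sends on a foreign page's behalf succeeds, and the hardened one shows the two checks that stop it.

```python
import hmac
import secrets

ROUTER_ORIGIN = "http://192.168.1.1"  # assumed origin of the admin interface


class RouterAdmin:
    """Constructed stand-in for a home router's admin web interface."""

    def __init__(self):
        self.admins = {"admin"}
        self.sessions = {}  # session cookie -> per-session CSRF token

    def login(self):
        """Return a session cookie; the browser attaches it to every request,
        including ones a third-party page causes it to send."""
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = secrets.token_hex(16)
        return cookie

    def csrf_token(self, cookie):
        """Token embedded in the real admin form; a foreign page cannot read it."""
        return self.sessions[cookie]

    def add_user_vulnerable(self, cookie, form):
        """Vulnerable: a valid cookie is the only thing checked."""
        if cookie not in self.sessions:
            return False
        self.admins.add(form["username"])
        return True

    def add_user_hardened(self, cookie, form, origin):
        """Hardened: also require the request's Origin to be the router itself
        and the form to carry the token tied to this session."""
        if cookie not in self.sessions or origin != ROUTER_ORIGIN:
            return False
        expected = self.sessions[cookie]
        if not hmac.compare_digest(form.get("csrf_token", ""), expected):
            return False
        self.admins.add(form["username"])
        return True


def demo():
    """Replay a constructed forged request against both handlers, then a
    legitimate one against the hardened handler."""
    router = RouterAdmin()
    cookie = router.login()
    forged = {"username": "backdoor"}  # no token; sent from a foreign origin
    forged_vs_vulnerable = router.add_user_vulnerable(cookie, forged)
    forged_vs_hardened = router.add_user_hardened(cookie, forged, "http://evil.example")
    legit = {"username": "alice", "csrf_token": router.csrf_token(cookie)}
    legit_vs_hardened = router.add_user_hardened(cookie, legit, ROUTER_ORIGIN)
    return forged_vs_vulnerable, forged_vs_hardened, legit_vs_hardened
```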
So, to put it succinctly, an exploit is a piece of software or an explanation of how to take advantage of, or exploit, a security hole.
Other terms that you might run across:
Proof of Concept (PoC) Exploit – This is a crude exploit intended to demonstrate that a security vulnerability exists, but is not as reliable or as professionally produced as a normal exploit. You will often see these in environments like bugtraq, where the author doesn’t want to provide something that can be “weaponized” and used to attack systems but still wants to prove the existence of a bug.
Zero-Day Exploit – This is an exploit for a security vulnerability that the vendor has not yet released a patch for. A newly discovered hole in Microsoft Windows 7, which is still present even when all vendor patches are applied, would be a zero-day exploit. Here is an example of a zero-day in the Cisco Secure Desktop product.
Metasploit – The Metasploit Framework is a penetration testing tool that provides a plugin architecture for running multiple exploits. Generally speaking, each exploit is its own little program; with Metasploit, they are all launchable from a common command shell. This is a boon for both penetration testers and computer criminals, both of whom make a business of taking advantage of security vulnerabilities.