Monday, July 27, 2009

Only whitehat journalists need Metasploit to hack oracle

I'm astounded at the number of crazy articles concerning the release of Oracle exploits for PATCHED vulnerabilities. How is it that oracle in particular gets this kind of response, when Metasploit has been doing this with other vendors for years and years? Never mind the fact that I released a module for my oracle weblogic bug the day it was patched. Metasploit is useful in that it allows sysadmins to demonstrate to their bosses that they need time and money to patch by demonstrating concretely that they are vulnerable. This does NOT mean that if an exploit is not in metasploit that no one can own you. This is not rocket science.

From Olney:

In the end, this whole argument stems from one of the most egregious thought errors in the industry: The absence of PoC code, or worse, the lack of a public exploit, is justification for a delay in patching. Both Patrick and I have been confronted by managers saying "Prove to me this is exploitable" prior to allowing a patch to be applied. The sad truth is, there are more security slots in the world than there are people with the talent and background to PoC every patch Microsoft puts out. This thinking, often complicated by business drivers, also extends into software development. Last month's 0-day in Microsoft's MPEG2TuneRequest was CVE-2008-0015…how long were they aware of this bug before it was found by the bad guys? Why were customers placed at risk when the response in the end was simply to killbit the CLSID?

The fact is, there is always someone out there with more time, knowledge, background, contacts or just raw intelligence working on these issues. The problem is that they are working for the bad guys. While you are setting up the VPN to the new remote office, they are working on 0day. While you are checking firewall logs, they are working on 0-day. While you are writing policy documents on the use of USB memory devices, they are working on 0-day. Very few companies have the time, resources and talent to individually evaluate patches. Yet there are many who attempt to do just that.

In truth, the reaction to the release of the Oracle attack packages for Metasploit should have been a collective yawn. Here is why: for every new Oracle attack in Metasploit there is a patch from Oracle. If you're honestly concerned about this package, and aren't just being a self-serving media whore, then you've already made some very critical errors in your implementation and management of some high value targets. What you should do after reading this blog is go and patch your Oracle system, and every other system that you've declined to patch because it is "behind a firewall" or "there isn't a known attack for it". Because in all honesty, if there wasn't an attack available before the patch, you probably have less than 72 hours before someone out there has one put together. If you're lucky, it will be Carnal0wnage, and it will be in Metasploit for all to see. But most likely, it will be in China, Poland or maybe inside your company. Fact is, you just don't know.

Listen to the cat: The people who are stupid enough to require someone else to write their exploits for them are not the people you need to worry about. If you can't defend against them, you deserve to fail.


  1. >when the response in the end was >simply to killbit the CLSID

    The reason why might be that listing it on the killbit list would have given away the vulnerability.

  2. Any time you respond to a bug you give away the vulnerability... Doesn't that mean that every other killbit they've ever done has given away a vuln?

    I'm not understanding your jive here

    The PATCH was a killbit. Why not release that "patch" a year back?

  3. Olney hits the nail square on the head. It's the release of a patch that should be concerning vulnerable enterprises, as that event is the trumpeting herald of forthcoming exploits. Regarding exploits showing up in Metasploit for patched vulnerabilities, that just means that an exploit has finally reached the masses, not that one or more didn't exist prior. Releasing an exploit via Metasploit, or CANVAS, or milw0rm, or any other way enables administrators to verify vulnerability and demonstrate exploitability. The fact that script kiddies can then exploit the vulnerability as well I consider to be acceptable collateral damage, as the attackers that you really should be worrying about are the ones that likely already had their own exploit, reversed from the patches that had already come out.

  4. Releasing a patch + bindiff is basically giving away 0day this day and age anyway.


Post a Comment