Tuts 4 You

Why are talented RCE people not flocking to vuln research?


chickenbutt


chickenbutt

Most of the world wants to pay big money to anyone for any code execution vulnerability in big user-base software and device firmware. I'm curious why talented reverse code engineering people aren't running to this instead of protector and malware research, which, if you're lucky, lands you some cog position at a security company, maybe paying you an engineer's wage?




A single Korean researcher made $280,000 in 15 minutes at the recent pwn2own.




In my experience with exploit research and development you basically need to know basic RCE stuff, not even encryption, and then learn how kernel allocation schemes and page, stack, and heap protection tech work. Most productive researchers I've seen use IDA with their own scripts and basically fuzz allocations in binaries and service protocols trying to find reliable code executions.




Some code executions have no value because they are for obscure software or can't be made reliable. I saw one in tcpip.sys once that nobody could reliably exploit because of how the driver randomly accessed the allocation and overwrote it. I've also seen some in IM clients and little obscure HTTP servers that nobody cared about. I'd imagine a lot are like these, and this is why we don't see a high frequency of headline vulnerabilities.




It seems even if you're extremely talented, the logistics of researching trillions of bytes of binary for subtle bugs that can be leveraged can span a lot of time, but at what is being paid it seems companies are paying enough that you don't have to stay at it constantly to live comfortably with off-time. Plus the work is actually interesting, like a game, especially with embedded firmware.


Edited by chickenbutt

Well, what can I say? I think people are actually going to vuln research. Personally I plan to get started soon just for the fun of it. It didn't really seem attractive to me before, but now it indeed sounds like an interesting game to play. I'll keep you guys posted on my blog once I start; hopefully people could learn from that :)


researching trillions of bytes of binary for subtle bugs that can be leveraged can span a lot of time

Exactly because of this. I'd be bored to death before I find anything of any value.

Plus, the learning curve these days is extremely steep. Just to get started you'd have to know lots about DEP, ASLR, ROP, EMET, NOP sleds, heap spraying and countless more weird stuff.

I'm not saying vuln. research sucks - it just attracts a very special kind of people.

chickenbutt

Exactly because of this. I'd be bored to death before I find anything of any value.

Plus, the learning curve these days is extremely steep. Just to get started you'd have to know lots about DEP, ASLR, ROP, EMET, NOP sleds, heap spraying and countless more weird stuff.

I'm not saying vuln. research sucks - it just attracts a very special kind of people.


I've actually done it. But it was stack, format string, and heap vulnerabilities in shoddy obscure stuff. The last was a little single-exe HTTP server that had a stack crash that was exploitable, but it was from a malformed config file and by chance. With the skills I had at the time I could probably have spent weeks or months in IDA or even Olly and selectively found something remotely exploitable, like through packet handling allocations.


The page, stack, and heap guarding stuff I don't think is the actual speed bump. Those you find a method, document it, and use it every time till a patch (which they don't patch often; the hardware and software DEP method from 2009(?) still works, for example). I think it's learning to actually spot the signs of overflows in disassembly; typically IDA flow view, and probably building IDA scripts to scan for API usage and signatures, then back-tracing each. Using crash dump tools too; I've seen some modern tools that automate a lot but can skip some things.


For me, the idea of searching for something that might not even be there kills me :)


The thing is, there is almost always something there, but the logic is so multi-level-strategy it's like leveraging long chess plays. Plus you have to trace alternate threads, like with DRM and malware RCE.


What exactly are exploit finders looking for? Are there any materials how someone actually did something with that?

Arbitrary code executions and privilege escalations. But also stuff like XSS, SQLi (mostly blind SQLi these days), etc.


Can you post some related links, to lead into and understand the point of this topic?

Just start reading into "buffer overflow", "sql injection" and "cross site scripting". For most of these you have to learn cracking and general RCE or you don't stand a chance. That's why I posted here.

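The post above describes a stack crash caused by a malformed config file and says the real skill is recognising the shape of an overflow in the code. The following is an added example, not code from the poster or from the server he mentions: a hypothetical config-line parser showing the bug pattern (fixed-size stack buffer filled by an unbounded copy) next to a hardened version that measures the value first and rejects anything that would not fit. The `key=value` line format, the 64-byte limit and the sample lines are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define VALUE_MAX 64   /* fixed-size stack buffer, constructed for the example */

/* The bug pattern: a fixed stack buffer filled by an unbounded copy from a
 * config line. Kept only so the shape is recognisable; it is never called. */
int parse_value_unsafe(const char *line)
{
    char value[VALUE_MAX];
    const char *eq = strchr(line, '=');
    if (eq == NULL)
        return -1;
    strcpy(value, eq + 1);              /* no length check: an overlong line overruns value[] */
    return (int)strlen(value);
}

/* Hardened form: measure the value first, reject anything that would not fit
 * together with its terminating NUL, then copy exactly that many bytes.
 * Returns the value length on success, -1 when the line is malformed or too long. */
int parse_value_safe(const char *line, char *out, size_t outlen)
{
    if (line == NULL || out == NULL || outlen == 0)
        return -1;
    const char *eq = strchr(line, '=');
    if (eq == NULL)
        return -1;
    const char *val = eq + 1;
    size_t len = strcspn(val, "\r\n");  /* value ends at end of line */
    if (len >= outlen)
        return -1;                      /* would overflow: refuse rather than truncate silently */
    memcpy(out, val, len);
    out[len] = '\0';
    return (int)len;
}

/* Builds an over-long line (constructed input) and checks that the hardened
 * parser rejects it instead of writing past a VALUE_MAX-byte buffer.
 * Returns 1 when the line is rejected. */
int long_line_rejected(void)
{
    char line[4 + 300 + 2];             /* "key=" + 300 x 'A' + "\n" + NUL */
    char out[VALUE_MAX];
    memcpy(line, "key=", 4);
    memset(line + 4, 'A', 300);
    line[304] = '\n';
    line[305] = '\0';
    return parse_value_safe(line, out, sizeof out) == -1;
}

/* Runs the hardened parser over constructed sample lines and returns how many
 * were accepted: two well-formed lines and one without '=' give 2. */
int count_accepted(void)
{
    static const char *const lines[] = {
        "listen_port=8080\n",
        "document_root=/var/www\n",
        "garbage line without separator\n",
    };
    char out[VALUE_MAX];
    int accepted = 0;
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        if (parse_value_safe(lines[i], out, sizeof out) >= 0)
            accepted++;
    return accepted;
}

int main(void)
{
    char out[VALUE_MAX];
    int n = parse_value_safe("listen_port=8080\n", out, sizeof out);
    printf("parsed %d bytes: '%s'\n", n, out);
    printf("accepted %d of 3 sample lines\n", count_accepted());
    printf("over-long line rejected: %s\n", long_line_rejected() ? "yes" : "no");
    return 0;
}
```

The thing to notice when reading the unsafe version in a disassembler is exactly what the post describes: a call to an unbounded copy routine whose destination is a fixed stack slot, with no comparison of the source length before the call. The hardened version makes that comparison explicit and fails closed on over-long input rather than truncating, so a bad config line is reported instead of silently accepted.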

Another thing I would say is the value of what is found. Research places may only offer 'x' amount of money for the bug(s)/vulnerabilities you find, whereas a third party that would want that info for other uses/purposes may pay more. So it could be a money thing too.


chickenbutt

Another thing I would say is the value of what is found. Research places may only offer 'x' amount of money for the bug(s)/vulnerabilities you find, whereas a third party that would want that info for other uses/purposes may pay more. So it could be a money thing too.


Yeah, browsers are hot because they are the best for propagation. You don't have to scan networks; the victims come to you through targeted phishing and bulk email campaigns. Vupen makes most of their money off nothing but browser zero-days.


Embedded stuff like cars and phones too, because of the market statistics, but not as much because there are still air gaps and EULAs.


I remember up till about 2007 everything was getting exploits published for it in weekly waves. The '90s were basically a free-for-all. I believe it's because of binary/code size that it's slowed. Back in those days the most skilled were basically using SoftICE and hex editors, which have nothing on IDA. Now the tools are more powerful, but the work is still more tedious and time-consuming, even for highly skilled people.


Still, though, the only reason I don't jump in is because I know it'll be a couple of years bringing my skills up before I could do something like a Chrome zero-day. I can go do little programs and nobody pays anything, and you have to sustain a living, so you can't just lay everything on doing it for fun or passion.

Edited by chickenbutt