Open Source vs. Enterprise: Why Not All Exploits are Created Equal
A common tactic of attackers trying to breach an environment is to use an exploit against a known vulnerability in an application or device present in a targeted infrastructure. Exploiting a vulnerability can provide an attacker with privileges or capabilities they would not normally be granted. In order to provide insight into what threat actors might be able to do, pen testers also use exploits. But where exactly do these exploits come from, and are they all safe to use? Let’s dive deeper into how vulnerabilities and exploits work, who makes them, and how to know which ones can be trusted.
The Relationship Between Exploits and Vulnerabilities
Every infrastructure is made up of different applications and devices. Sometimes, one of these assets is released with an unintentional bug or weakness. Threat actors are constantly on the lookout for them, as they can provide a point of entry that can be used to eventually gain full access.
There are many types of security weaknesses that can be exploited in different ways. Most have been compiled into a list called the Common Weakness Enumeration (CWE). Some examples include cross-site scripting, missing authorization, buffer overflow, and improper privilege management. When one of these weaknesses is found in a specific device or piece of software, this is considered a vulnerability.
When vulnerabilities are found or confirmed by either the manufacturer or a third party, they can be filed and given a Common Vulnerabilities and Exposures (CVE) ID number. This increases awareness so organizations can find out if a known vulnerability exists in one of their assets. Typically, an advisory is written alongside the CVE, giving details on what it is, as well as information on whether there is a workaround or a patch.
Exploits are simply the way these vulnerabilities are taken advantage of. They can be a piece of code, software, or a set of commands. Some exploits can be deployed remotely, while others require a threat actor to use phishing or other methods to have them launched internally.
Exploits can also be used by attackers even after a vulnerability has been identified. Many organizations don’t stay up to date on the latest advisories, or fail to properly patch all of their systems. In fact, the Cybersecurity & Infrastructure Security Agency released a list of some of the most commonly exploited vulnerabilities. For example, 2020 has seen an increase in attacks on VPNs, like the arbitrary code execution vulnerability in Citrix VPN appliances, known as CVE-2019-19781 or the arbitrary file reading vulnerability in Pulse Secure VPN servers, known as CVE-2019-11510.
Who Can Write an Exploit?
Usually, attackers have to write exploits as they find vulnerabilities. Others are readily available on the internet, usually posted anonymously by other attackers. On the ethical hacking side, exploit development can be an advanced penetration testing skill that takes time to master. Additionally, when on a job, pen testers often don’t have the resources to create a new exploit. Many resort to searching for and using pre-written exploits they find online—oftentimes the same ones attackers use. Because exploit writing takes time and expertise, both attackers and pen testers alike are always looking for exploits or exploit libraries that can save them the effort.
What’s the Problem with Using Open Source Exploits?
There are a few key issues for pen testers using open source exploits:
They may not be secure. Any exploit that is freely available online can’t be instantly trusted. They are often posted anonymously, so it can’t be verified if the exploit is safe to use. If an exploit has been written by a shady threat actor, the exploit may even cause the user’s own system harm.
They may not work. If you’re not sure of the source of the exploit, you also can’t be sure that it will do what it says it will. Pen testers must go through the time-consuming effort of quality assurance testing in order to ensure they are secure and effective. So if it doesn’t work, a free exploit may waste more time than it saves.
The one you need may not exist. Research into a vulnerability and its corresponding exploit may prove fruitless. Pen testers can’t rely on someone they don’t know writing their exploits.
What Are the Benefits of Using Enterprise Exploits?
Access to an enterprise exploit library is often a benefit that comes with owning an enterprise pen testing tool. Those who have access to one have three significant advantages.
They’re written by experts. Enterprise libraries allow you to know exactly where you’re getting your exploits from—advanced level pen testers who not only create an exploit for you, but have it validated so that you can be sure it’s both safe to use, and will get the job done.
They’re kept up to date. Just as pen testing tools are intended to save time, so are their exploit libraries. Having researchers regularly tasked with writing and verifying exploits means that pen testers with access to such a library are never delayed by having to stop and figure out how to write an exploit from scratch.
They’re unused by attackers. Threat actors cannot simply purchase exploit libraries for their own gain. For instance, Core Security uses a thorough vetting process and takes care to not allow the purchase of Core Impact and its corresponding exploit library by any organization that intends to use them for malicious purposes.
How Experts Create Exploit Libraries
While some vulnerabilities can be exploited with minimal effort, others may pose too many difficulties to make them worth utilizing. The most useful exploits for pen testers target vulnerabilities that threat actors can and may already be using in their attacks. However, this still leaves a long list of vulnerabilities to choose from when creating an exploit. Another advantage of using enterprise exploits is that criteria have been carefully established to determine which exploits are the most advantageous to develop. The Core Impact team, for example, uses a selection process that considers several factors.
Vulnerability Properties
The composition of a vulnerability should be evaluated first. This may include the details found in the Common Vulnerabilities and Exposures (CVE) program, particularly the CVSS score. Newer vulnerabilities typically see more active exploitation, so how recently the vulnerability was disclosed should be noted. Lastly, the access mechanism (remote or local) and the privileges needed should also be taken into account.
Target Environment Setup
What are the dimensions of the environment in which the vulnerability exists? This could include the operating system and how present the application is on that system. Additionally, the number of versions the vulnerability impacts as well as special configurations needed to exploit it should also be considered.
Value Provided
For Core Impact, customer need is a critical factor, and users are encouraged to submit requests. Additionally, active usage of a vulnerability by attackers increases the priority, as does the number of potentially impacted systems. That is, a vulnerability in a common application on a popular operating system may be given more weight.
Technical Cost vs. Benefit
In order to maximize resources, an analysis is conducted of how much time and effort is needed to build an exploit, weighed against the internal and external knowledge gained in its creation.
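The four selection factors above, encoded as a single triage score that a defender can use to decide what to patch or test first. This is an added example, not Core Security's code or selection process; the weights, field names, reference date and sample records are all assumptions, and the CVE ids are placeholders.

```python
from dataclasses import dataclass
from datetime import date

# Assumed weights for the access mechanism and privileges-needed factors.
ACCESS = {"network": 1.0, "adjacent": 0.7, "local": 0.4, "physical": 0.2}
PRIVS = {"none": 1.0, "low": 0.7, "high": 0.4}
TODAY = date(2020, 6, 1)  # constructed reference date for the samples below

@dataclass
class Vuln:
    cve_id: str
    cvss: float             # CVSS base score, 0.0 to 10.0
    disclosed: date         # public disclosure date
    access: str             # key of ACCESS (remote vs. local mechanism)
    privileges: str         # key of PRIVS (privileges needed to exploit)
    versions_affected: int  # how many product versions are vulnerable
    exposed_hosts: int      # hosts in our estate running an affected version
    actively_exploited: bool  # seen in attacker use (e.g. on a CISA list)
    effort_days: float      # estimated time to build and validate an exploit

def priority(v: Vuln, today: date = TODAY) -> float:
    """Higher means fix (or test) first; every weight here is an assumption."""
    if not 0.0 <= v.cvss <= 10.0:
        raise ValueError(f"{v.cve_id}: CVSS {v.cvss} out of range")
    age_days = (today - v.disclosed).days
    # Vulnerability properties: recency decays over a year to a 0.25 floor.
    recency = min(1.0, max(0.25, 1.0 - age_days / 365))
    severity = v.cvss / 10.0 * ACCESS[v.access] * PRIVS[v.privileges]
    # Target environment: affected versions and exposed hosts; no exposed
    # hosts means nothing for us to fix, so the score drops to zero.
    reach = min(1.0, v.versions_affected / 5) * min(1.0, v.exposed_hosts / 100)
    # Value provided: active use by attackers doubles the priority.
    value = 2.0 if v.actively_exploited else 1.0
    benefit = severity * recency * reach * value
    # Technical cost vs. benefit: effort dampens but never zeroes the score.
    return round(benefit / (1.0 + v.effort_days / 10.0), 4)

def rank(vulns, today: date = TODAY):
    """Return CVE ids ordered from highest to lowest priority."""
    return [v.cve_id for v in sorted(vulns, key=lambda v: priority(v, today), reverse=True)]

def sample_vulns():
    """Constructed records with placeholder ids, not real CVE data."""
    return [
        Vuln("CVE-0000-0001", 9.8, date(2019, 12, 17), "network", "none", 4, 20, True, 5),
        Vuln("CVE-0000-0002", 7.5, date(2018, 1, 1), "local", "low", 1, 5, False, 20),
        Vuln("CVE-0000-0003", 9.0, date(2020, 5, 1), "network", "none", 5, 0, True, 2),
    ]
```

Running `rank(sample_vulns())` puts the recent, remotely reachable, actively exploited record first and the critical-looking but unexposed one last, which is the point of folding the environment factor into the score.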
Pen Testing Using Core Impact Exploits
Ultimately, enterprise exploit libraries are one more way for pen testers to help organizations stay one step ahead of attackers. Each exploit in Core Impact’s library has undergone rigorous testing and validation by our experts, ensuring reliability and trustworthiness. With this extensive library of curated exploits, Core Impact continuously supports pen testers in conducting penetration tests safely and effectively.
Want to learn more about our Core Certified Exploits?
See which expert tested exploits are available, and stay up to date with new additions by visiting our comprehensive library, and see these exploits in action by watching an on-demand demo!