Is Metasploit Too Good?

[iago]

I love Metasploit, and I love H.D.Moore.  But I admit that it can be a thorn in the side of vendors. 

http://www.infosecnews.org/pipermail/isn/2006-October/013789.html

The whole article is good, but this is my favorite part:

This summer, Moore placed the browser community in his crosshairs,
dubbing July as his "month of browser bugs" and promising to publish a
new exploit for a major browser every day. Moore estimates he discovered
80 to 120 flaws in browsers during the month. Mozilla responded quickly
and tested certain areas of its code, using tools Metasploit developed.
"They even sent me a T-shirt," Moore says. Opera also responded weekly.

No T-shirt from Apple, though. It didn't respond to Safari bugs
Metasploit published, though the company in September patched one
problem Moore flagged.

[Mythix]

That was a neat article, I wish I could get free t-shirts!

[mynameistmp]

Did you see this yet ? HDM is planning on releasing kernel mode exploits (via poor 802.11b proto implementation) in the next Metasploit release...

http://www.eweek.com/article2/0,1895,2040914,00.asp

I think that's getting a little bit unnecessary. It's one thing to develop tools that make operating in a specialized field (pen testing) more effective/efficient, it's another to release point-and-click, easy-to-use exploits to the public. Sure we need trained people who can (and should) perform pen testing so we can all be ensured by secure data networks. To make an analogy, we also need trained government soldiers to protect from global threats. It doesn't mean the tools/training provided for the trained soldier should be widely available to every Jon, Dick, and Harry who feels like becoming a lethal weapon. Compsec IS important, HDM is correct there. But that's all the more reason an individual  should have to perform the necessary training before they know how to operate within the field.

There are many industries that practice a sense of confidentiality in the tools that are deemed 'sensitive' in the hands of the masses. A Doctor would be severely chastised for releasing the tools to create a potentially harmful virus and thoroughly publishing and documenting usage. It's interesting how such a similarly parallel situation can sway so far to the other side of the moral spectrum.

Or, should engineers widely distribute sensitive information regarding our aeroplanes, along with very specific, detailed, step-by-step HOW-TOs on how to circumvent the security features? They'd be doing us a favor by allowing us to know how insecure the system is, and letting us choose for ourselves. Awareness, right? And in HDMs case, not only is the engineer releasing the information to create awareness (which is a highly questionable practice), he's handing over the tools needed to exploit the insecurities to the general public. There just isn't a good reason for that.


As far as I'm concerned, he's personally/corporately irresponsible.

[iago]

I agree that it's irresponsible in a way, but I think your analogy is flawed. 

You compare HDM's actions to an engineer pointing out weak spots in airplanes.  However, unlike computer security, airplanes are difficult to fix and can cause mass death if the weaknesses are taken advantage of.  Computer software can easily be fixed, and the fixes are often automatic. 

The point of HDM's software is two-fold, at least:

1) To force vendors to fix their software a quickly as possible.

Yes, he's putting people in danger as a result.  But at the same time, he's putting the burden of a strict deadline on the software creators (I'll call them vendors for now, even though that may not be exactly correct).  Once a public exploit is released, the vendor is forced to fix the problem on a much stricter time-line. 

The assumption that blackhats already have an exploit is one that must be made.  Blackhats work at least as hard as security researchers to find their own vulnerabilities and write their own exploits.  But the blackhats aren't reporting or publicizing the vulnerabilities that find, that would be counter-productive. 

I think it's very important, once a security researcher finds a vulnerability, to report it and do everything in his (or her) power to make sure the fix is released as quicly as possible.


2) To allow security experts and pen-testers to test for problems. 

There are actually several reasons why this is important.  Sometimes, a vendor says they fix problems that they haven't (Oracle comes to mind).  After patching mission-critical systems, it's important to make sure it's actually safe.  Because, yet again, the black-hats may be trying the same thing, and you don't want to be caught with a system that you think is patched but isn't. 

Other times, you are in charge of a network where you don't have access to the end-points.  The only way to force another department to do an update (this is from a government standpoint) is to prove that there's a problem.  I'm sure other pen-testers have similar experiences. 



The fact that he's releasing kernel exploits instead of software exploits is probably a good thing.  It forces kernel/hardware developers to be more careful.  It's easy to get sloppy with systems that aren't being targeted (Apple comes to mind), but once a system gets in front of the crosshairs, it's far less sloppy.