Selling Vulnerabilities: Going once..
Posted by jericho
A couple of days ago, “fearwall” created an eBay listing for a “Brand new Microsoft Excel Vulnerability”. I have mirrored a screenshot in case the listing is removed, which I expect it will be. One has to wonder if companies like iDefense or TippingPoint will bid, since they (and others) purchase vulnerabilities. Full text of the auction:
The lot: One 0-day Microsoft Excel Vulnerability
Up for sale is one (1) brand new vulnerability in the Microsoft Excel application. The vulnerability was discovered on December 6th 2005, all the details were submitted to Microsoft, and the reply was received indicating that they may start working on it. It can be assumed that no patch addressing this vulnerability will be available within the next few months. So, since I was unable to find any use for this by-product of Microsoft developers, it is now available for you at the low starting price of $0.01 (a fair value estimation for any Microsoft product).
A percentage of this sale will be contributed to various open-source projects.
Vulnerability Description (read carefully, this is what you bid on).
Microsoft Excel does not perform sufficient data validation when parsing document files. As a result, it is possible to pass a large counter value to the msvcrt.memmove() function, which causes critical memory regions to be overwritten, including the stack space. The vulnerability can be exploited to compromise a user’s PC. It is feasible to manipulate the data in the document file to get code of the attacker’s choice executed when the malicious file is opened by MS Excel. The exploit code is not included in the auction. You must have very advanced skills if you want to further research this vulnerability.
What will be delivered (at no extra charge):
The winning bidder must provide an e-mail address that accepts .xls attachments. Two .xls files will be mailed to this e-mail address: one file is the original Microsoft Excel document, the other one is a copy of the same document modified to demonstrate the vulnerability. The demonstration merely triggers the exception causing Excel to crash. It does not do anything malicious. A detailed description of the vulnerability will be provided in the message body. At that time you can claim yourself to be THE ONLY ONE IN THE WORLD possessing the knowledge about the vulnerability. Wow! Imagine that! (Well, not counting Microsoft, but I really doubt that they’ll share it with anyone.) It is up to you what to do with it, but you may not use it for malicious purposes - see terms and conditions below.
Special offers:
Microsoft representatives get 10% off the final price. To qualify, you MUST provide an @microsoft.com e-mail address and MUST mention discount code LINUXRULZ during checkout.
Terms and conditions of the sale:
Your bid indicates that you agree to the following:
1. You may not use this information for malicious or illegal purposes. The information you receive is for educational and research purposes only.
2. The seller reserves the right to refuse delivery to anyone (a full refund will be issued).
3. The seller will accept no responsibility for anything you do with this information.
4. The seller cannot be held liable under any circumstances.
5. Absolutely no refunds will be provided except for the reason mentioned above.
Disclaimers:
1. All trademarks are the property of their respective owners.
2. No proprietary software products were decompiled or reverse engineered.
3. All information advertised here was used and is to be used to promote the importance and advance the knowledge in the field of information security.
4. The seller does not encourage any illegal activity.
Even if this one is a joke, what is to stop this model of vulnerability selling and disclosure from occurring more often in the future? As MadSaxon joked about over two years ago, registering a 0-bay domain might be a fun business to start.
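The flaw class the auction describes, a length field read straight out of the document and handed to memmove() without being checked against the source and destination sizes, is the part a defender should take away. The C example below is added here and is not from the auction, from fearwall, or from this post; it uses a constructed two-byte-count record layout (hypothetical, and nothing to do with Excel’s real file format) and puts the unchecked parse beside a checked one that refuses any count larger than either the remaining file or the destination buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (hypothetical, not Excel's real format):
 *   bytes 0-1 : little-endian 16-bit count of payload bytes
 *   bytes 2.. : payload[count]
 */
#define DEST_CAP 64

/* Unchecked parser: the count is trusted exactly as it appears in the file.
 * A count larger than the payload or the destination makes memmove() read
 * and write past the buffers, which is the defect class the auction describes.
 * Only ever called on a well-formed record below. */
static size_t parse_record_unchecked(const uint8_t *file, uint8_t *dest)
{
    size_t count = (size_t)file[0] | ((size_t)file[1] << 8);
    memmove(dest, file + 2, count);
    return count;
}

typedef enum {
    REC_OK = 0,
    REC_TRUNCATED_HEADER,     /* fewer than 2 bytes: no count field at all */
    REC_COUNT_EXCEEDS_FILE,   /* count claims more payload than the file holds */
    REC_COUNT_EXCEEDS_DEST    /* count is larger than the destination buffer */
} rec_status;

/* Checked parser: the count is validated against both the remaining file
 * length and the destination capacity before a single byte is copied. */
static rec_status parse_record_checked(const uint8_t *file, size_t file_len,
                                       uint8_t *dest, size_t dest_cap,
                                       size_t *copied)
{
    *copied = 0;
    if (file_len < 2)
        return REC_TRUNCATED_HEADER;
    size_t count = (size_t)file[0] | ((size_t)file[1] << 8);
    if (count > file_len - 2)
        return REC_COUNT_EXCEEDS_FILE;
    if (count > dest_cap)
        return REC_COUNT_EXCEEDS_DEST;
    memmove(dest, file + 2, count);
    *copied = count;
    return REC_OK;
}

/* Constructed sample records. */
static const uint8_t REC_GOOD[]  = { 0x03, 0x00, 'a', 'b', 'c' }; /* count 3, 3 bytes present */
static const uint8_t REC_HUGE[]  = { 0xFF, 0xFF, 'a', 'b', 'c' }; /* count 65535, 3 bytes present */
static const uint8_t REC_SHORT[] = { 0x03 };                       /* no complete count field */

/* Well-formed record: both parsers agree. Returns 1 on success. */
static int demo_well_formed(void)
{
    uint8_t a[DEST_CAP], b[DEST_CAP];
    size_t copied;
    size_t n = parse_record_unchecked(REC_GOOD, a);
    rec_status st = parse_record_checked(REC_GOOD, sizeof REC_GOOD, b, sizeof b, &copied);
    return (n == 3 && st == REC_OK && copied == 3 && memcmp(b, "abc", 3) == 0) ? 1 : 0;
}

/* Count field far larger than the file: the checked parser refuses to copy. */
static rec_status demo_huge_count(void)
{
    uint8_t dest[DEST_CAP];
    size_t copied;
    return parse_record_checked(REC_HUGE, sizeof REC_HUGE, dest, sizeof dest, &copied);
}

/* The file genuinely carries 100 payload bytes, but the destination holds 64. */
static rec_status demo_dest_too_small(void)
{
    uint8_t file[2 + 100];
    uint8_t dest[DEST_CAP];
    size_t copied;
    file[0] = 100;
    file[1] = 0;
    memset(file + 2, 'x', 100);
    return parse_record_checked(file, sizeof file, dest, sizeof dest, &copied);
}

/* Truncated file with no complete count field. */
static rec_status demo_truncated(void)
{
    uint8_t dest[DEST_CAP];
    size_t copied;
    return parse_record_checked(REC_SHORT, sizeof REC_SHORT, dest, sizeof dest, &copied);
}

int main(void)
{
    printf("well-formed: %s\n", demo_well_formed() ? "ok" : "FAIL");
    printf("huge count rejected: %d\n", demo_huge_count() == REC_COUNT_EXCEEDS_FILE);
    printf("dest too small rejected: %d\n", demo_dest_too_small() == REC_COUNT_EXCEEDS_DEST);
    printf("truncated rejected: %d\n", demo_truncated() == REC_TRUNCATED_HEADER);
    return 0;
}
```

The two checks are deliberately separate: a count that outruns the file is a read past the source, and a count that outruns the destination is the stack or heap overwrite the auction text talks about, and a parser that only guards one of them is still exploitable through the other.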

Invalid Item
This listing (7203336538) has been removed by eBay or is no longer available. Please make sure that you’ve entered the item number correctly. If the item was removed by eBay, please consider this transaction canceled. If anybody contacts you to complete the sale, please ignore the request. Completing the sale outside of eBay may be unsafe and will not be covered by eBay purchase protection programs.
Great post, nice you’ve managed to take a screenshot!
I have recently interviewed (a week ago, to be precise) Dave Endler, director of security research at TippingPoint, and had exactly the same scenario in mind.
Check out the interview (PDF) at:
http://www.astalavista.com/index.php?section=directory&linkid=5703
0-bay will indeed emerge, as sooner or later someone out there (ShadowCrew set the foundations) will bring sellers and buyers together.
Cheers, Dancho
http://www.eweek.com/article2/0,1759,1899697,00.asp?kc=EWRSS03129TX1K0000614
eBay Pulls Bidding for MS Excel Vulnerability By Ryan Naraine December 9, 2005
What’s the retail value of a security vulnerability in Microsoft Corp.’s Excel spreadsheet program? At last check: $53 and counting.
An unknown security researcher chose a novel way to issue a warning for a code execution flaw in Excel—posting it for sale on eBay. But the auction was pulled late Thursday after discussions between Microsoft and eBay Inc.
When the auction was squashed, the bidding had reached $53 and had attracted 19 offers.
A spokeswoman for Microsoft confirmed that the eBay listing was indeed a legitimate security flaw in Excel.
[..]
The one question that appears to have been buried in the news is why the auction got pulled. eBay has a long list of items you are not allowed to put up for auction: http://pages.ebay.com/help/policies/items-ov.html
However, reading the list, which did this auction violate? It doesn’t count as ‘Academic Software’, ‘Anti-circumvention Policy’, ‘Brand Name Misuse’, or ‘Encouraging Infringement Policy’. The description of ‘Downloadable Media’ doesn’t seem to fit based on the examples, but may roughly fall into it: http://pages.ebay.com/help/policies/downloadable.html
Possibly more fitting is the ‘Encouraging Illegal Activity’ category, but reading the examples it provides doesn’t seem the same: http://pages.ebay.com/help/policies/encouraging-illegal-activity.html
The following are examples of listings that are not permitted on eBay:
It would be nice if eBay would list the exact reason an auction was pulled and cite the rule being broken.
I am sure that eBay would alert the seller as to the reasons for closing the auction, in a private email or phone call depending on the circumstances. I assume that alerting the general public to the motivation for shutting the sale down would go against privacy issues, possibly to save the seller from embarrassment (in the case of an innocent mistake, if at all possible), or to prevent major disclosure should an investigation be started against the seller (which seems to be the case here with Microsoft pulling its proverbial strings). Either way, Joe Public won’t be hearing the full story unless there is a major leak from seller, eBay or Microsoft alike, barring open-view court transcripts in a public hearing if prosecution were ever to take place. Would be nice to hear the full story for pulling the sale though, since the seller appears to have a fairly air-tight disclaimer. Perhaps eBay hopes to nip this trend in the bud before less scrupulous sellers start trading 0-day sploits en masse.
A couple of things stick out to me. First, he provides two Excel files, one of which he admits causes the exception to occur, but he says it does NOT do anything malicious. Do you really trust him?
Secondly, he seems to be unable to count. He says you can claim to be “THE ONLY ONE IN THE WORLD possessing the knowledge about the vulnerability.” He says Microsoft (whom he told) doesn’t count. Seems to me that still leaves him and the buyer. I was always taught that 1+1=2.
Just food for thought.
Pneuma, you make a good point about not hearing the reason, and I agree with you. Oftentimes companies will take an action and not tell the end user/consumer the ‘why’ behind their reasoning.
That said, why does eBay want to nip this trend before more 0-day happens again? If it isn’t explicitly against their policy, who are they to try to play ethics overlord for such auctions? Everything put up for auction on their site can be used for ‘less scrupulous’ activities.
This also leads me to think of what it would be like if 95% of Bugtraq/F-D disclosures were done via eBay or 0-bay, rather than just free posts to the lists. =)
The story continues:
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=6588680836
As you already know, my research project to estimate a market value for a 0-day vulnerability and to see who would be interested to receive such information was terminated. The project would result in a paper… Well, no paper for you and less typing for me.
In this auction I’d like to offer you a token of appreciation. I was surprised to receive all the publicity and I really appreciate your interest. So, something nice I have can be yours at (again) a low price of $0.01. Along with my autograph and a frameable poster. Read on for all the details.
Again, a percentage of the sale will be donated to support open-source projects that deal with security. What percentage exactly? Well, of course, it is not 100% since some of you suggested that I should be compensated for the time and efforts devoted to the research, but it is not going to be 1% either. So, somewhere in between.
[..]
And like before, this one gets yanked too. This is quite odd since that style of auction occurs frequently, and most are not shut down..
Invalid Item
This listing (6588680836) has been removed by eBay or is no longer available. Please make sure that you’ve entered the item number correctly. If the item was removed by eBay, please consider this transaction canceled. If anybody contacts you to complete the sale, please ignore the request. Completing the sale outside of eBay may be unsafe and will not be covered by eBay purchase protection programs.