18 March 2012

MS12-020, exploits, and words mean things

On Friday, Core Security announced that they had released an exploit for CVE-2012-0002 (patched by Microsoft as MS12-020):
I thought this was great news. I am currently working on a client engagement with a lot of RDP on their network and we use Core as one of our tools. Time to pwn, right?

Not quite.

As subsequent tweets made more clear, the Core exploit was a denial of service module, not code execution. This got me thinking--what does it mean when you call something an exploit? I am a moderately experienced penetration tester, and I think there's probably a misunderstanding about what this means. To me, an exploit is something that results in arbitrary code execution. Maybe a denial of service that results in a BSoD is an exploit, technically, but that's not what I expect the word to mean.

I hadn't thought about it much this weekend until HD Moore of Rapid7/Metasploit summed up my feelings earlier today:
So, what do you think?

Is a denial of service module an exploit? Does it really matter, or are we splitting hairs?

EDITED TO ADD: And to add to HD's tweet: what exactly does commercial grade mean in reference to a DoS module? Does it give you an extra special BSoD? It seems the words in Core's original tweet are specifically designed as marketing pull, and as a result, imply that the module is a code execution exploit when it is not. The tweet clarifications made it obvious to me that others were as confused as I was.

Lastly, "Enjoy!" seems to suggest that we will like the result. I don't know about other penetration testers, but I can't think of any clients who have ever asked me to run DoS modules against their systems, and even if they asked me to do it, I'd probably advise them against it. What about you?