Why would an attacker ever want to sit on a zero-day exploit?

  • I am trying to understand why an attacker would want to wait to use a zero-day exploit.

    I have read that an attacker does not want to waste the zero-day because they are typically very expensive to obtain in the first place, but it is not clear to me what is meant by “waste” here. Zero-days can be discovered by the community (e.g. security researchers) which would render it useless. In this sense, the zero-day has been wasted by the inaction of the attacker. Is there a risk with using the zero-day exploit too soon? It seems that an attacker would want to minimize the chances of the zero-day being discovered, and thus use it as quickly as possible.

    Question: What factors would cause the attacker to wait to use a zero-day exploit?

Besides being randomly discovered by others, two things can spoil a zero-day. First of all, you use it and it gets detected. Secondly, you sell it, which also increases the likelihood of disclosure or detection. The more you use or share it, the bigger the risk. (That being said, it can be a long time until a used zero-day is discovered if you are careful.)

    One reason I can think of is they have just enough morals not to use it themselves but not enough to prevent them from selling it and getting the highest price.

    Because certain countries are paying good money for them... Evil foreign countries, obviously, certainly not the USA, because we are not a foreign country...

    @Chloe Some people sell exploits, but only sell it to private buyers and never governments (even though government contractors pay higher prices). That makes it far more ethical.

    If you get a 10% discount on your next purchase, would you rather use it for your £10 grocery shopping tomorrow, or the new £10000 car next month?

    @Harper Ha ha... Everyone is foreign to someone... :-)

"cause the **attacker**" - this is your first misconception. Attackers are almost NEVER the people who discover zero-day exploits. They are people who want to hack other people's computers for various reasons. Discoverers of exploits, on the other hand, are typically coders who are curious to see if they can break a piece of software. Sometimes these two personas can be the same person, but at different points in time. The moment I myself discover a security bug is almost never the same time I'm angry at someone.

    If I gave you an illegal gun, would you just start shooting it immediately? Alerting the cops and emptying the clip? No, you would wait for something worth shooting at to come by.

    @slebetman That's actually not always true. With the exception of big exploit kits like CANVAS and Core Impact, the ones finding 0days very often use them themselves. In fact everyone I know who has found 0days (who hasn't reported them) used it themselves or are keeping it for their own use.

    Why did the American chess grandmaster Frank Marshall wait several years to unveil his dangerous Marshall Attack in the Ruy Lopez? He wanted a good target for it. He could have used it as soon as he discovered it against weaker players, but kept it for a game against Capablanca (the strongest player in the world at the time). Capablanca won easily, but that is another story. (There is a debate on whether or not Marshall keeping his open secret for years is apocryphal, but it is a standard bit of chess lore).

    Why are the comments here all being used to provide analogies?

@forest You missed my point about the attacker and discoverer possibly being the same person, but at different points in time. I've personally never managed to find an exploit right when I need to use one, and I bet it's the same for the people you know.

    @slebetman Ah you're right, I did miss that. Good point.

    @forest because analogies are (arguably) fun and potentially enlightening, but are manifestly not answers.

    @forest Suppose your comment was a biscuit, and you wanted to put some butter on it...

    Just the comments here give enough data to plot a good graph of what people on this site would do. Interestingly, not a single person said they'd just spend time trying to find the right honest person to tell so it can get fixed and not exploited.

    @CL22 Personally, I'll report a bug I find in an open source project that works against any reasonably secure configuration. If it's for some project that doesn't take security seriously or is out to sue security researchers, then I'll just keep it and it'll get discovered eventually in the form of an in-the-wild exploit.

  • forest (correct answer, 3 years ago)

    It's more likely that you'll burn a 0day by using it than by sitting on it.

    There's a fine balance between sitting on a 0day so long that it gets discovered by someone else and patched, and using it too early and unnecessarily, burning it. The balance tends to weigh in favor of waiting longer, since a good 0day is going to be obscure enough that it won't be quickly found. The biggest risk actually isn't discovery in that case, but obsolescence when the vulnerable code is re-written or removed for completely unrelated reasons, and the 0day exploit no longer works.

    Most of the time, however, an attacker simply doesn't need to use it. If I have a valuable Linux local privilege escalation exploit, why would I use it when a little bit of extra reconnaissance tells me I can use an old exploit against an improperly patched privileged daemon? Better to keep it in the rainy day fund.

    There are a few other reasons 0days may be kept for long periods:

    1. Some people simply hoard 0days for the sake of it. This is all too common.

    2. Maybe you borrowed the 0day from someone, in which case burning it would piss them off.

    3. Sometimes a 0day broker is sitting on them while waiting for the right client.

    4. The 0day may be useless on its own, needing to be chained with other exploits to work.

    There was some interesting research presented at BH US which analyzed the life of 0days.

    "The 0day may be useless on its own, needing to be chained with other exploits to work." This is a big one. With today's complex and layered systems, maximally compromising a target will often take more than one exploit. (Maybe a 0-day, maybe a known, maybe a human exploit, etc.)

    What does it mean to "borrow" an exploit?

    @Oddthinking Someone might trust you enough to give you a 0day that you can use safely (maybe just once), under the condition that you don't keep using it.

    @Oddthinking - Just like Stack Exchange, where people solve issues for "fun" for no material gain, people who tinker with software vulnerabilities sometimes feel the need to share their knowledge for "fun". It's no fun if you cannot show off your knowledge.

License under CC-BY-SA with attribution
Content dated before 7/24/2021 11:53 AM