Exploits, Vulnerabilities and Payloads – Who Knew?

I can’t count how many times I’ve heard vulnerabilities called exploits and exploits called vulnerabilities. I’ve even heard payloads called exploits or vulnerabilities. Calling a payload an exploit is only defensible when the two are bundled together as one piece of code.

If you already know all of this stuff, perhaps this blog will help you explain the topic to others. If you don’t know the differences, then you soon will. Analogies can be a great way to explain technical topics, so I’ll go ahead and embarrass myself with the following analogy.

One evening, my wife and I left our house to go out for dinner. We both left our keys in the house. When we returned and saw our predicament, I went to work to find a way that didn’t involve a locksmith or break anything.

Our house had sliding windows, and we placed dowels in the tracks so that the windows couldn’t be opened from the outside. I won’t explain denial of service (DoS) attacks here, but I had DoSed myself.

As it turns out, one window on the ground floor didn’t have a dowel in it. I decided to bypass the clasp “locking” the window closed. With some effort, I was able to push the window in and slide it open! Then I climbed in through the window and opened the door for my wife.

The windows were vulnerable to being opened when it should not have been possible. Even if no one had ever opened one the way I did, the window was always vulnerable. I call the vulnerability CVE-2008-WTF. It’s a windows vulnerability. Believe it or not, the windows vulnerability was never “fixed” in the 11 years I lived in the house, but it was patched. I’ll explain what CVEs are a bit later.

By opening the window using the method already described, I exploited the vulnerability. Exploits take advantage of vulnerabilities, typically to deliver payloads. Let’s go back to the house for the payload. If I had only opened the window and done nothing else, then there would have been no payload. It would have remained a “proof of concept” at that point. A proof of concept merely exploits a vulnerability to prove it can be done, and its payload, if any, is usually something harmless. But that wasn’t my payload. When I exploited the vulnerable window and climbed inside, the payload was opening the door to let my wife in.

Payload simply means the action taken after a vulnerability has been exploited. Payload does not mean good or bad. If somebody had exploited the windows vulnerability and entered my home, they could have washed the dishes, which would have been a payload. They could have stolen my physical wedding photos and held them for ransom. They could have removed the lock from the back door so they could return without crawling through the window. In software, that kind of hidden re-entry path is known as a backdoor.

To “patch” the vulnerability, we put a dowel in the one vulnerable window that hadn’t been “patched.” The vulnerability in the window’s design was still there, but the “patch” prevented it from being exploited. Of course, the window was still vulnerable to rocks and glass cutters.

As promised, a bit more about CVEs. Publicly known vulnerabilities are assigned Common Vulnerabilities and Exposures (CVE) identifiers. The format is CVE-YYYY-NNNN, where the year is the year the ID was assigned and the sequence number has four or more digits. Here is an example. Vulnerabilities are also given severity scores, most commonly a CVSS (Common Vulnerability Scoring System) base score from 0.0 to 10.0, based in part on how hard it is to exploit the vulnerability (how it is reached, how complex the attack is, what privileges it needs) and how bad things can get if it is exploited (loss of confidentiality, integrity, and availability). The windows on the bottom floor would have a high severity score for my house: a 10 on the 0 to 10 scale. This is because exploiting the vulnerability was pretty easy, and if exploited, an attacker could take everything out of the house, plant contraband, eat the cat’s food, etc.

However, windows upstairs would be difficult to exploit. If the vulnerability only affected the windows on the second floor, then exploitation would be more difficult (a ladder, more time, more chance of being seen), and the severity would be somewhat lower but still substantial, because the damage once inside would be exactly the same.

To sum it all up with respect to software: a vulnerability means the software has a bug that can be abused (exploited). An exploit is code, or a crafted input, that takes advantage of the vulnerable software. A payload is what is done after the vulnerability has been exploited. Fixing the vulnerability is typically done through a patch. Vendors now mostly call patches “updates,” not least because marketing departments don’t want to admit they are fixing severe problems.
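To show the four terms side by side in code, here is an added example that is not part of the original post. The “window” is a file-serving function with a path traversal bug: it opens whatever name it is given under a public directory without checking that the result stays inside it. The exploit is the crafted file name; the payload is what is done with the access it grants (a harmless proof of concept, or exfiltrating the file); the patch is a second version of the function that rejects any path escaping the directory. The directory layout and the “secret” contents are constructed for this example.

```python
import os
import tempfile

SECRET = "wedding photos"  # constructed sample data, stands in for the thing worth stealing


def build_sandbox():
    """Create a throwaway layout (constructed for this example):
         <root>/public/hello.txt   the only file the app is meant to serve
         <root>/secret.txt         outside the served directory
    Returns the path of the served directory."""
    root = tempfile.mkdtemp(prefix="windows_vuln_")
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "hello.txt"), "w") as f:
        f.write("hello")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write(SECRET)
    return public


# THE VULNERABILITY: the requested name is joined onto the base directory and
# opened with no check that the result still lies inside that directory.
def read_vulnerable(base, name):
    with open(os.path.join(base, name)) as f:
        return f.read()


# THE PATCH: resolve the final path (this also follows symlinks) and refuse it
# unless it is still inside the served directory. The bug class still exists
# in general; this code just can no longer be exploited that way.
def read_patched(base, name):
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, name))
    if os.path.commonpath([base_real, target]) != base_real:
        raise PermissionError("path escapes the served directory")
    with open(target) as f:
        return f.read()


# THE EXPLOIT: the input that abuses the bug. It is the same string whether
# the payload that follows is harmless or harmful.
EXPLOIT_NAME = os.path.join("..", "secret.txt")


def run_exploit(reader, base, payload):
    """Trigger the bug through `reader`, then hand the result to `payload`.
    Returns the payload's result, or None if exploitation failed."""
    try:
        data = reader(base, EXPLOIT_NAME)
    except (PermissionError, FileNotFoundError):
        return None
    return payload(data)


# TWO PAYLOADS for the same exploit.
def poc_payload(data):
    """Proof of concept: prove the window opens, take nothing."""
    return "PoC: read %d bytes from outside the served directory" % len(data)


def exfil_payload(data):
    """The attacker walks off with the contents."""
    return data


def demo():
    base = build_sandbox()
    return {
        "normal_vuln": read_vulnerable(base, "hello.txt"),
        "normal_patched": read_patched(base, "hello.txt"),
        "poc_vuln": run_exploit(read_vulnerable, base, poc_payload),
        "exfil_vuln": run_exploit(read_vulnerable, base, exfil_payload),
        "exfil_patched": run_exploit(read_patched, base, exfil_payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} -> {result!r}")
```

Both versions serve the legitimate file. Against the vulnerable version the same exploit string delivers either payload; against the patched version the exploit fails before any payload runs, which is the whole point of a patch: the payload never gets a chance to matter.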

One last note on vulnerabilities and patching. Although the wooden dowel kept the window from being opened by bypassing the clasp, the windows were still vulnerable to attacks such as cutting a hole in the glass or simply breaking it. If I had installed wrought iron bars outside the windows, then even though the windows could still be broken or cut, the vulnerability could not easily be exploited in a manner that gave access to the house. That is the difference between removing a vulnerability and mitigating it: the bars don’t fix the glass, they just make exploiting it much less useful.

This blog is based upon a more detailed presentation that discusses four categories of vulnerabilities and touches on a few different types of malware that are commonly delivered when vulnerabilities are exploited. If you would like a complimentary presentation for your organization, just let us know. No strings attached. No sales calls, no spam, etc. Just the joy of sharing security education, with a healthy dose of humor, is all it’s about.

Randy “Where are my keys” Abrams
Senior Security Analyst
SecureIQLab