A Web site that bills itself as a place where independent and open source software developers can hire each other has secured promises to award at least $1,435 to the first person who can develop a working exploit that takes advantage of newly disclosed and dangerous security hole in all supported versions of Microsoft Windows.
That reward, which is sure to only increase with each passing day, is offered to any developer who can devise an exploit for one of two critical vulnerabilities that Microsoft patched on Tuesday in its Remote Desktop Protocol (RDP is designed as a way to let administrators control and configure machines remotely over a network).
Update, 8:47 a.m.: The RDP exploit may already be available. There are unconfirmed reports that a working exploit for the RDP bug has been posted to Chinese-language forums.
Original post:
The bounty comes courtesy of contributors to gun.io (pronounced gun-yo), a site that advances free and open software. The current bounty offered for the exploit is almost certainly far less than the price such a weapon could command the underground market, or even what a legitimate vulnerability research company like TippingPoint might pay for such research. But the site shows promise for organizing a grassroots effort at crafting exploits that can be used by attackers and defenders alike to test the security of desktops and the networks in which they run.
“We’re trying to advance the culture of independent software development – so we’ve made a place where indie developers can find other devs to help work on their projects and find gigs to work on when they need cash,” gun.io explains on the About section of the site.
Gun.io is the brainchild of Rich Jones, a 23-year-old Bostonite who just moved to Berkeley, Calif. Most recently, Jones ran a research P2P project called Anomos, which is an anonymous variant of the BitTorrent protocol. He also runs the OpenWatch Project, which uses mobile technology as a way of surveilling the police and other people in positions of power.
“I started Gun.io after working for a few years as a freelance developer and open source programmer,” Jones said in an email interview. “I wanted a way to get high quality, short term freelance jobs while also continuing to contribute back to the open source community. I’m particularly interested in the things that happen when people pool their money together, so we provide a free group fundraising platform for open source projects.”
Gun.io quietly launched about six months ago, and has already gained thousands of contributors. Until this week it had never offered a bounty for a software exploit, Jones said.
In fact, the RDP exploit is hardly the most lucrative coding project up for bid on the site. A project posted by user “Sushee” to develop a Flash game social network is offering $4,000. Another promises $2,000 for an open source Android Youtube application in support of individuals who are blind.
It’s not clear yet whether the open-source bounty model has a future for encouraging the development of software exploits. Most of the money for the RDP project was put up by Rapid7’s HD Moore. The Gun.io reward is for an exploit that can run as a module in Metasploit, an open source penetration testing platform that Moore created.
Jones said Moore’s donation brought with it a suggestion about a new nickname for Gun.io: “KiddieStarter.”
“If GitHub and oDesk had a baby, and then that baby had a baby with KickStarter, that baby would be Gun.io,” Jones joked. “Kickstarter for coders isn’t far off, but it’s not quite on the mark either. KickStarter is a person saying ‘Hey, give me money!,’ but Gun.io is a group of people saying ‘Hey! Somebody do this and take our money!'”
As I understand this, it appears to me that not only is a major TORT being committed here, but perhaps also a major CRIME.
Now admitably the FBI has only so much manpower they can focus on computer crime, but wave something in their face and don’t be too surprised if they come visiting.
I was unaware that people are supposed to capitalize the words TORT and CRIME, mainly due to the fact no dictionary or encyclopaedia does. Thank you for the Engrish lesson.
He’s asking them to write a module for a penetration testing tool for a known vulnerability. I’m no lawyer, but I don’t see anything illegal about that.
“open source Android Youtube application in support of individuals who are blind.”
… not sure if troll …
For the Android Youtube for the blind, it’s a real project, if you read the description. Permits to give description commentary on youtube videos… Problem is I don’t think it’s realistic.
I agree, the headline is misleading, this is a legit site, and metasploit is not crimeware. Yes, it can be abused, but so can MS excel.
I like the concept of offering money to independent programmers to develop code. And this seems a cool platform with a decent philosophy behind it. my 2 cents.
TippingPoint buy 0-day flaws, not exploits..
maybe he is thinking of things like Pwn2Own, where TP puts up rewards for people to find and exploit 0days. seems like a fine line.
http://www.wired.com/threatlevel/2012/03/how-to-pwn-the-pwn2own-contest/
Looks like there is a fake version of the exploit out there, using what appears to be legit screenshots and video from the actual exploit. Appearing on several sites. So far I haven’t seen any functional code, just screen shots of what appear to be a valid exploit.
So just to be clear, are you saying that the published code is a fake but you think someone has actually accomplished a working exploit purely based on the screenshots? If so, how can you tell that the screenshots are not forged as well?
I haven’t really been able to verify anything, but based on the screen shots and the video that exploit looks more promising than the code being pushed out. It will be interesting to see how things develop, certainly a fair number of people are checking the code over to see if its valid or not now.
The video is courtesy of brk@dis9Team who I’m not all that familiar with, but as I understand it they have a relatively solid reputation in this area.
Legitimate POC code has now been published, python version works very well.
Is it me or does it seem like call centers in that region don’t like to do support properly? When I used to use verizon if I had a complaint, wanted to talk to a manager, or got mad they’d hang up immediately on me forcing me to call back. I also recall dealing with clients who were scammed as well. I even got to be on the phone during one clients problem and it is more of a pushy sales pitch with lots of misleading baseless statements.
Side note: Anyone noticing that any posts that speak very negatively about this iYogi company are mysteriously negatively flagged so much that they are hidden?
http://pastebin.com/fFWkezQH
I would strongly caution against running random shellcode unless you can read shellcode or know someone that can confirm that it is safe.
It would not be the first time that someone posted shellcode on the Internet that really targeted the user that ran it. I don’t have time to check it right now, and I’m not saying that it IS malicious. I’m just saying that due caution is wise when running anything from the Internet.
well, the “sabu@fbi.gov” comment is pretty funny regardless…