10

More specifically, if a website is using an application already known to have a flaw as part of the larger service it offers (so, say it's using a version of Apache known to have a flaw, and the continued presence of that flaw has been confirmed by the researcher), does that fall under the definition?

More to the point, could it be sold as such to, for example, ZDI (I couldn't find a good definition from their site).

(To clarify, I haven't found anything. Just curious whether, if I did, it would be a better use of my time to e-mail the admin directly, or sell the information to a security company which would deal with the (possibly indignant, probably negligent, hypothetically personally insulting) admin for me.)

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
root
  • 1,547
  • 3
  • 12
  • 20
  • So, would finding an SQLi vuln in someone's cat blog count by definition (though, granted, I'll admit that'd be stretching it a bit). – root Mar 28 '13 at 03:14
  • If it was a new SQLi for that blog software (even if they made it themselves), then yes, it would be a 0day. If it was their own software and not software used by millions, then it'd be a pretty damn minor 0day, but a 0day nonetheless. – forest Dec 27 '17 at 08:22

6 Answers

8

A 0-day exploit is a vulnerability not known to the public and, more particularly, not known to the programmers of a particular application.

You don't want to get that confused with bad coding. If someone created a button that said "Click here for admin access", and it would grant admin access, this would not be a 0-day vulnerability.

Most programmers would agree that having this button would be bad and could tell the original programmer the implications of their code.

Let's hypothetically assume that all programmers think this button is okay to have. Of course we know this is a vulnerability now, but they don't at the time. Now many programmers start including this button with their program. One day someone may discover this and click the button and instantly get admin access. This would be considered a 0-day because no one else knew about it.

Months later when this button is discovered, it will eventually be patched. If programmers still include this button in their programs, then it is not a 0-day because it doesn't meet the criteria for 0-day exploit anymore because it is known.

In the question's example, Apache has a known flaw, so this would not be a 0-day exploit. It is known to the public.

It is already known that SQL vulnerabilities exist from bad coding, without proper escaping or by not using parameterized queries. However, if you found a SQL vulnerability that allowed execution of unwanted statements that has not been addressed before, then this would be a finding.

ponsfonze
  • 1,332
  • 11
  • 13
  • So, a working definition would be that it needs to be the kind of thing which a reasonable person might guess an exploit-finding tool as they currently exist likely wouldn't find (with the possible exception of a fuzzer). This makes sense... And while it may seem like a stupid thing to ask, generally I've found it's better to look stupid anonymously online now, than when someone asks me for a concrete definition, later. – root Mar 28 '13 at 05:43
  • 2
    _"A 0-day exploit is a vulnerability not known to the public"_ New Java or Adobe Reader exploits are always called 0-days even when they're publicized immediately. You're saying this use of the term 0-day is incorrect? – Luc Mar 28 '13 at 09:09
  • Isn't this a grey area - we know buffer overflows exist but that doesn't discount every new buffer overflow because "oh, we know about buffer overflows already". So therefore should we be discounting a new SQL vulnerability in Jon's Cat Blog? It seems odd to refer to that as an 0day, however. – Andy Smith Mar 28 '13 at 13:52
  • If I found a new SQLi in a popular framework such as WordPress, I would refer to that as a 0day. But for some reason an SQLi in a one-off platform (such as a server-side API application) would not count in my mind, odd. – lynks Mar 28 '13 at 14:54
  • @Luc by definition a 0-day is not known by the public, hence when it is released to the public or patched it violates the definition, therefore it is not a 0-day exploit anymore. One would just call it a vulnerability because it has been patched and is known. System administrators and security professionals can try to protect themselves by knowing this vulnerability. Good ol' wikipedia has a bunch of sources that reiterate this same idea: http://en.wikipedia.org/wiki/Zero-day_attack – ponsfonze Mar 28 '13 at 15:14
  • 1
    @ponsfonze Who says it already has a patch upon releasing it to the public? Hmm actually I think that might be a good way to define when people use the term zero-day: when there is no patch yet (regardless of whether the leak is public). – Luc Mar 28 '13 at 15:16
  • @Luc I wasn't trying to say that it had to have a patch when it was released, but rather that it could get released to the public some other way than through a patch. This method is usually a forum or a vulnerability website. http://www.exploit-db.com/ – ponsfonze Mar 28 '13 at 15:22
  • A zero-day is a vulnerability that is not known to the developers of the exploited software when it becomes public; an exploit becoming public does not make it no longer a "zero-day," so that part of this answer is incorrect. This definition is actually the one given by the Wikipedia link ponsfonze linked to. However, exploits that exist but are not publicly known are usually also referred to as zero-days, so that part of this answer is still correct. – BlueRaja - Danny Pflughoeft Apr 01 '13 at 23:42
5

No it doesn't count.

A zero-day vulnerability is a previously unknown vulnerability. What you are describing is merely bad patch management if the vulnerability stems from a known exploit for the Apache service that has not been fixed.

  • Okay. Say there was an error in GCC which would generate vulnerable code, and someone compiled an application of theirs with that version of GCC and released it. Subsequently, the flaw in GCC is found and patched. Obviously, the flaw in GCC was a 0day, but GCC was only an optional component of the application released (they could have gone with a different component). Would the error in the compiled product, if/when found, still count as a 0day, after the GCC flaw was known? If not, what's different enough about the situation? – root Mar 28 '13 at 03:24
  • Print format vulnerabilities are a known exploit. If I find something that has a print format vulnerability, does it cease to count because those are known to be exploitable, and the person did a bad job of patching their code? – root Mar 28 '13 at 03:27
  • 1
    Weren't all vulnerabilities "previously unknown" at some point? Aren't they all zero-days then? – Luc Mar 28 '13 at 09:07
  • 1
    @Luc At the point where they were unknown, yes. That's the whole definition of zero-day. –  Mar 28 '13 at 10:48
1

Here's the definition on Wikipedia:

A zero-day (also known as zero-hour or 0-day or day zero) vulnerability is an undisclosed computer-software vulnerability that hackers can exploit to adversely affect computer programs, data, additional computers or a network. It is known as a "zero-day" because it is not publicly reported or announced before becoming active, leaving the software's author with zero days in which to create patches or advise workarounds to mitigate its actions.

An example of a zero-day vulnerability and its fix.

Cyker
  • 1,613
  • 12
  • 17
  • 1
    @Idempotence The US had tens of ships damaged, hundreds of aircraft destroyed and thousands of people killed in the attack. If you agree with throwing away that absolute nonsense, then it is a zero-day vulnerability because it is not publicly reported or announced before becoming active, leaving the US with zero days in which to advise workarounds. Vague information about potential attacks is not the same as precise knowledge about its advent. Finally, there were indeed many [zeros](https://en.wikipedia.org/wiki/Mitsubishi_A6M_Zero) in the attack which perfectly match the name *zero*-day. – Cyker Dec 08 '16 at 05:31
1

A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability.[1] This means that the developers have had zero days to address and patch the vulnerability. Zero-day exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the vulnerability.

https://en.wikipedia.org/wiki/Zero-day_attack

Luc
  • 32,378
  • 8
  • 75
  • 137
Thronk
  • 215
  • 3
  • 8
-1

A zero day is finding a new method of exploiting something, not finding a new place to exploit something using a known method.

Peleus
  • 3,827
  • 2
  • 19
  • 20
  • 1
    This isn't true in the strictest sense. If there is a backdoor that can be exploited through known means, it would still be a zero-day vulnerability if the creators didn't know about it. Also, it doesn't have to be new, but instead by definition it would be "undisclosed" (not public knowledge). First paragraph on [this page](https://en.wikipedia.org/wiki/Zero-day_(computing)) explains it in further detail. – esote Dec 08 '16 at 05:12
  • This isn't true at all. If, hypothetically, I knew of a way to exploit an integer overflow in a popular filesystem driver under Linux, it would be a 0day, despite the fact that I am not the one who came up with the concept of integer overflows. – forest Dec 27 '17 at 08:20
-3

I think the answer is simple: A 0-day is any attack where the victim had 0 days to prepare for it.

In legal terms, this could be (nonfeasance) due to lack of due diligence (like not changing default passwords), (misfeasance) due to configuration errors, or (malfeasance) where someone opened the path for the attack vector intentionally.

It comes down to a number of definitions. Here are just a few ideas to consider:

Known default passwords should not be (but there is that nonfeasance problem).

Unknown default passwords are a bit tougher to nail down. I knew about the hard-coded password used in the particular kind of motor-speed controllers that are in wide use, more than 15 years ago. But I found out about it by doing my own work. It was not published widely. I wasn't the only one to know it but it was not what I would call open source, either. So is that a 0-day? It sure was for a certain famous attack. And that's one part of the attack they can't easily fix if they continue to use the same equipment.

Multiple attack vectors coming together in unique ways can create a 0-day opportunity (like Stuxnet). Only someone with an extensive library of those vectors and the resources to actually iterate through the combinations would have any chance of finding it. But there is a motto: Use it AND lose it. And there is not an infinite supply to begin with.

Sun Tzu said: Use the ordinary for the attack; use the extraordinary for the victory. To which I would add: with the meager defenses around, the initial ordinary attacks might be all that is necessary for pwnage.

SDsolar
  • 977
  • 1
  • 6
  • 25
  • 2
    I appreciate that you fleshed out the answer, but this is simply incorrect. Default passwords and misconfigurations are ***not*** 0-days. Unless you can provide an authoritative source to back up your assertions. – schroeder Dec 10 '16 at 21:34