
I understand the difference between a vulnerability and an exploit, but as I surf the exploit databases, I see more vulnerabilities and fewer exploits. Shouldn't there be at least one exploit for every vulnerability which is uncovered? Aren't all vulnerabilities exploitable?

What I am trying to say is that, when I search for exploits on an exploit database with a particular CVE ID, there is no guarantee that an exploit for that vulnerability will be available. How can a vulnerability be considered a vulnerability if it cannot be exploited?

GypsyCosmonaut
Especially for memory corruption bugs it can be much easier to implement a fix than to create a reliable exploit. I'd rather have developers quickly add a missing boundary check to the code than spend hours developing a proof-of-concept for arbitrary code execution. – Arminius Apr 07 '17 at 01:22
Why would people develop and publish exploits for free for every vuln that is found? It would be the Script Kiddie Apocalypse. If you are motivated enough, exploits can be found by yourself based on the public vulnerabilities. – niilzon Apr 07 '17 at 07:26
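
The comment above about memory corruption bugs can be made concrete with an added example (written for this page, not code from the question or any commenter). It lays a record out in one flat byte array, an assumed layout chosen for illustration: a 32-byte name field followed by a one-byte "is_admin" flag. The unchecked copy is the vulnerability and is trivially reproducible, because one extra byte lands on the flag; the fix is a single comparison. Nothing here attempts the far larger job of turning that overflow into a reliable exploit, which is exactly the gap between a CVE entry and an exploit-database entry:

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added illustration, not code from the original page. The record layout
 * below is an assumption made for the example: a 32-byte name field
 * immediately followed by a one-byte "is_admin" flag, all inside one flat
 * byte array so that the overflow stays within defined memory. */
#define NAME_LEN   32
#define FLAG_OFF   NAME_LEN
#define RECORD_LEN (NAME_LEN + 1)

/* Vulnerable version: copies len bytes without checking len <= NAME_LEN.
 * The weakness is real and reproducible, but this demonstration stops at
 * showing the adjacent flag getting clobbered; turning that into a
 * reliable exploit is a separate, much larger piece of work. */
static void set_name_vuln(uint8_t *record, const uint8_t *src, size_t len)
{
    memcpy(record, src, len);              /* missing boundary check */
}

/* Fixed version: the "missing boundary check" is a single comparison. */
static int set_name_fixed(uint8_t *record, const uint8_t *src, size_t len)
{
    if (len > NAME_LEN)
        return -1;                         /* reject oversized input */
    memcpy(record, src, len);
    return 0;
}

static int is_admin(const uint8_t *record)
{
    return record[FLAG_OFF] != 0;
}

/* Constructed input: NAME_LEN + 1 bytes of 'A'; the extra byte lands on
 * the flag if no check is performed. */
static void build_oversized_input(uint8_t *buf, size_t len)
{
    memset(buf, 'A', len);
}

/* Returns 1 if the unchecked copy flipped the admin flag (it does). */
int demo_vuln_flips_flag(void)
{
    uint8_t record[RECORD_LEN];
    uint8_t input[NAME_LEN + 1];
    memset(record, 0, sizeof record);
    build_oversized_input(input, sizeof input);
    set_name_vuln(record, input, sizeof input);
    return is_admin(record);
}

/* Returns 1 if the fixed copy rejected the input and left the flag alone. */
int demo_fixed_rejects(void)
{
    uint8_t record[RECORD_LEN];
    uint8_t input[NAME_LEN + 1];
    memset(record, 0, sizeof record);
    build_oversized_input(input, sizeof input);
    int rc = set_name_fixed(record, input, sizeof input);
    return rc == -1 && !is_admin(record);
}

int main(void)
{
    printf("unchecked copy corrupted flag: %d\n", demo_vuln_flips_flag());
    printf("fixed copy rejected input:     %d\n", demo_fixed_rejects());
    return 0;
}
```

The vulnerable function is enough to file a bug and justify the one-line fix; whether the same overflow can be turned into code execution on a real target depends on what sits next to the buffer, the compiler's layout choices and the platform's mitigations, none of which the fix needs to answer.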

2 Answers


By definition a vulnerability is a weakness in a software system, be it a web application, a network daemon service running over a port or a thick application as a binary. A weakness could be taken advantage of using exfiltration mechanisms; the primary reasons for this could be two:

  1. Extract data which is highly sensitive
  2. Elevate privileges further, on top of what is already affected

An exploit facilitates both of these factors. Hence, by definition an exploit, or exploit code, should be an amplifier to an existing vulnerability on a system or set of different kind(s) of system(s).

If a vulnerability is detected during lexical analysis, which might be due to a source code security audit, and a reproduction which attempts to either get you access to special data or otherwise grant elevated privileges fails, it doesn't mean there is no vulnerability; what it does mean is that there were no exploits readily available which could grant you any of these.

What could it grant?

  • Maybe chaining multiple vulnerabilities, including the particular discovered vulnerability, would.
  • It might as well be that the vulnerability doesn't affect all systems but a specific instance, depending on the platform it is hosted on or other dependencies.
  • The vulnerability is identified and advisories are released, but previously it was a 0day which was sold off to the affected vendor, which later never disclosed a full-fledged step-by-step exploit code or any documentation of how a particular 'trigger' factor of the vulnerability would work.

To answer your question,

  1. Vulnerabilities could be considered as a risk factor without a doubt.
  2. Vulnerability does not always end up with exploitation or a working exploit availability.
  3. Some vulnerabilities are always exploitable, provided the right chaining is done or the undisclosed working exploit code is released. This again depends on the vendor or disclosing party.
  4. Vulnerabilities are system weaknesses. They could lead to critical, high, moderate, low, or informational instances depending on how much sensitive data was leaked or how highly elevated the privileges obtained were.

Other factors might exist, including but not limited to whether the vulnerability could be chained to another potential vulnerability which happens to exist on the same system or set of system(s), affecting the CIA triad of security and hence compromising the compliance factor.

Shritam Bhowmick

My understanding is that there are a few possibilities for why some vulnerabilities do not have exploits:

  1. Somebody may have identified the issue in source code but been unable to reproduce it.
  2. Vulnerabilities are discovered for particular implementations/circumstances and thus a general-purpose exploit may not yet exist.
  3. The exploits may exist but might not have been made public [yet], either due to responsible disclosure programs or just because somebody is keeping their exploits to themselves.

See also this question.

JonRB