Netragard 0-day solicitations -------------- -------------- We have an immediate need for the following high-priority items: In need of a solid Privilege Escalation tool on Windows 7 32 as high priority, with 64 and Vista as secondary priority. Low to high, OS based exploit on OS internals (no 3rd party applications are desired for these priorities). Also looking for: Linux Local Privilege Escalation, current kernel (2.6) on Ubuntu and Firefox memory exposures (to leverage ASLR bypass). All, please note that we are no longer considering flash to be a top priority. Dear EAP Member, This email is being provided to you as a member of Netragard's Exploit Acquisition Program (EAP). Please read this email carefully as it contains important information and updates. Our priority list has changed significantly, please review the updated list provided below. We are looking for new EAP members and buyers. If you successfully introduce a new EAP member or buyer then we will provide you with a 10% finders fee based on their first transaction with our program. Note: EAP buyers must be legitimate, non-black market buyers willing to establish a contractual agreement with Netragard. If you submit an illegitimate buyer you will be banned from the EAP. Finally, our buyers have been very active this year. If you have a quality item to submit please fill out the EAF using the PIN and URL provided below. We will let you know if the item is or is not of interest. -------------- -------------- Greetings, You are receiving this email because you are a registered member of Netragard Exploit Acquisition Program. Our current buying prices start at or around $20,000.00 and extend to or around $100,000.00 for items on this list (+ or - $5,000.00). If you have an item for submission then you must follow the EAP process for submission (section's 11 and 12 below). Happy Hunting... You are receiving this message because you are a registered member of Netragard's Exploit Acquisition Program. In order to participate in this program you must have and maintain a current nondisclosure agreement with Netragard. This agreement ensures that the research that you share with us is protected, and that the information that we share with you is protected. If you do not have one please contact eap@netragard.com. Please note, we are looking to hire a new security researcher. The researcher will be required to produce no less than one ideal 0-day exploit per quarter. If you are interested, or know someone who might be, please email eap@netragard.com with a subject of "Job Opportunity Interest". Moving on... We have recently updated our priorities and rules, please see below: We have an updated list of targets to share with you. This list of targets is not by any means all inclusive, but does define what we consider to be top priority items. Should you have discovered any vulnerabilities in any of these targets please contact me directly, or reach out to eap@netragard.com. Confidentiality Notice: If you are receiving this email then you have executed a Confidentiality Agreement with Netragard. This email is being provided to you under the terms of that confidentiality agreement. This email and its respective contents are confidential and may not be redistributed. Netragard is particularly interested in exploits for the following targets: Wireshark WuFTPD Adobe Reader 7 on W2k and XP CoreMail Moving on... Top Exploit Targets As of 05/08/2011 Netragard is only interested in finished and well documented exploits that will provide little to no indication of use during exploitation. We are interested in remote access, privilege escalation, etc. and are not interested in any DoS, DDoS, or unpolished PoC. Exploit Classes of Interest: Remote access and/or privilege escalation Remote arbitrary code execution Local privilege escalation Unauthorized data access Desired methods for delivery: Direct delivery, automatic via Internet/WAN access (e.g. network based service) Browser-based delivery, no interaction required from the target Direct delivery, requiring Local Execution or LAN access (e.g. packet at a port) Items requiring some interaction by the target Primary Target OSes 1. Top Priority Targets A. Windows 7 (x86 - x32, x64) B. Mac OS X 10.6 (x86 - x32, x64) C. iOS (Apple OS for iPod, iPad, iTouch) D. Windows Server 2008 and earlier E. Blackberry and BES F. Unix & Linux variants, Red Hat and Debian/Ubuntu preference 2. Secondary Priority A. Windows Vista (x86 - x32, x64) B. Mac OS X 10.5 (x86 - x32, x64) C. Virtual Machine breakouts to host and guest on current OS D. Android OS 2.x, 3.x E. Microsoft Mobile OS F. Solaris/SunOS 3. Tertiary Priority A. Network Appliances 1. Printers 2. Enterprise routing and switching gear (Cisco, Juniper) 3. Consumer 802.11 g/n wireless access points and client software Targeted Browsers and their respective Helper Applications A. Current IE B. Current Firefox C. Current Chrome E. Current and recent Opera F. Current Safari on Mac OSX only G. Current and recent Maxthon H. Common browser plugins 1. Flash 2. Java 3. Other common plug-ins Other targets of interest to Netragard: 1. Common OS related tools and other applications (examples follow) A. SMB/Samba server or client B. Common Players/Editors/Viewers 1. Adobe Reader 7-X 2. iTunes 3. Media Players (VLC, WMPlayer) 4. Microsoft Office (2007 versions or newer) 5. Mac Preview C. E-mail clients 1. Outlook 2007 or newer 2. Outlook Express (Windows Mail, Windows Live Mail) 3. Mozilla Thunderbird D. SSH2 server and client E. Software Auto-Updaters for software on this list F. Apache or Microsoft IIS HTTP servers, NGINX HTTP/Proxy G. File sharing/P2P clients H. FTP Servers 1. WuFTP 2. Serv-U 3. Apache 2. Instant Messaging clients and servers 1. Gchat 2. Pidgin 3. Adium 3. VoIP clients and servers 1. Skype 4. Common consumer and enterprise anti-virus and/or security software 5. E-Mail servers 1. Microsoft Exchange 2. CoreMail 3. Sendmail 4. Postfix 6. Java, any implementation 7. Web forums, BBS, vbulletin, bSalsa 8. Packet capture platforms - Wireshark, pcap, etc. This notice is intended to provide you with an update on acquisition priorities. Top items that are being acquired fall into one of these three categories. We are still very interested in other items that fall into the master list categories, but these categories are moving very quickly right now. Top Three Categories: Windows 7 64 Bit Remote Driver Signing Bypass General Privilege Escalation As usual, if you have any questions please contact us at eap@netragard.com, or you can also contact your regular EAP representative. Confidentiality Notice: This message and its contents are confidential and protected under your mutually executed Nondisclosure Agreement with Netragard, LLC. You may not distribute or disclose the contents of this message to anyone outside of the EAP. -------------- -------------- You are receiving this email because you have participated in our Exploit Acquisition Program ("EAP"). We've recently expanded our EAP and have incorporated new buyers into our pool. As a direct result of that expansion we have new needs, different priorities, and different rules. This email serves as change notification to all EAP members regarding the program. Our promise to you is that we will work to get you the highest dollar value for your hard work. Last year our average payment price was $38,000.00. Our high was $210,000 and our low was $6,000.00. Most other exploit brokers / buyers can't touch those prices and the best part is that what we are doing is 100% legitimate and legal (no black market stuff welcome). *Note: *Our Exploit Acquisition Form ("EAF") has changed. We are using a new text based form. If you do not have a copy of this form but need to submit a new item to us, please request a copy. This message is confidential and may not be disclosed to any third parties. **Rules** Membership to our EAP is exclusive. Netragard has the right to introduce or reject members without warning or justification. You must have a Mutual Nondisclosure Agreement executed with Netragard. You must provide a scanned copy of your photo ID for verification. You must not have a criminal record. You must have no association with organized crime or terrorist groups. Spelling mistakes happen, we don't care neither should you. Your item must be ideal meaning that it must be stealthy / covert in nature and must not generate any noticeable behavior on the target system. We will not purchase Denial of Service exploits or tools We will not purchase Vulnerability Information We will only purchase ideal, functional and well documented exploits. We will not purchase exploits written by someone else, YOU MUST BE THE RESEARCHER AND THE CODER. Exploit Submissions work as follows: You fill out an Exploit Acquisition Form (the new text based one) You submit that form to adriel@netragard.com signed and encrypted We will use that form to determine interest If there is interest we work out an agreeable price If the price is acceptable you send the exploit to us via encrypted and signed email. We verify that the item works properly and as advertised If it does then we execute the deal with the buyer. The buyer pays us in 3 installments over the course of 3 months. We pay you in 3 installments over the course of 3 months. The transaction is complete. You agree that you will not disclose any information about the item being brokered to public forum. If information about the item is disclosed payments will be terminated immediately. All deals require exclusivity unless otherwise noted. As such you are required to transfer all rights, knowledge, and related materials for the item to Netragard. You retain no rights or authority over the item. If you introduce new EAP members we will provide you with a finders fee that is equal to 10% of the first transaction successfully executed by the new member. **Exploit Acquisition Priorities as of 02/04/2011 ** These priorities are the same across all of our buyers. We are looking for finished and documented items that will provide little or no indication during exploitation, will provide access, privilege escalation, etc. We are not interested in denial of service or rough proof of concept code. **Exploit Types** Remote access and/or privilege escalation Remote arbitrary code execution Local privilege escalation Unauthorized data access **Exploitation Vector Preferences** Direct delivery, via Internet/WAN access (e.g. network based service, email, IM, P2P, etc.) Browser-based delivery, no interaction required from the target Direct delivery, requiring Local Execution or LAN access (e.g.packet at a port) Items requiring some interaction by the target **Targeted Operating Systems / Platforms** **High Priority** Windows 7 (x64, x86) Mac OS X 10.6 (x64, x86) iOS (Apple OS for iPod, iPad, iTouch) Windows Server 2008 and earlier Unix & Linux variants, Red Hat and Debian/Ubuntu preference **Medium Priority** Windows Vista (x86, x64) Mac OS X 10.5 (x86) Virtual Machine breakouts to host and guest on recent OS Droid OS Microsoft Mobile OS Solaris/SunOS **Low Priority** Network Appliances Printers Enterprise routing and switching gear (Cisco, Juniper) Consumer 802.11 g/n wireless access points and client software **Targeted Browsers and browser accessed software for remote attacks** Current IE Current Firefox Current Chrome Common browser plugins Flash (less demand right now, flooded market) Java (less demand right now, flooded market) Etc. - anything commonly installed Current and recent Opera Current and recent Safari on Mac OSX only Current and recent Maxthon **Other Targeted software** Common OS related tools and other applications (examples follow) SMB/Samba server or client Common Players/Editors/Viewers Adobe Reader iTunes Media Players Microsoft Office (2007 versions or newer) Mac Preview E-mail clients Outlook 2007 or newer Outlook Express (Windows Mail, Windows Live Mail) Mozilla Thunderbird SSH2 server or client Software Auto-Updaters for software on this list Apache or Microsoft IIS HTTP servers, NGINX HTTP/Proxy File sharing/P2P clients Instant Messaging clients and servers VoIP clients and servers Java, any implementation Common consumer and enterprise anti-virus and/or security software Microsoft Exchange server Web forums, BBS, vbulletin, bSalsa ------------ Hi Guys, Recently there was a survey published to the following URL about vulnerability brokers and acquirers. Would you be so kind as to fill out the survey with your thoughts on our program? Thank you very much in advance! http://unsecurityresearch.com/survey/public/survey.php?name=Vulnerability_Marketplace Dear EAP Members: I wanted to let you know that there is a significant push for Apple bugs right now. Specifically for Snow Leopard remote access. The starting price for a Snow Leopard exploit (something like a safari or other client-side) is $30,000.00. Of course we can't promise you that we will buy everything, but if you have a Snow Leopard item right now then there is a very good chance that we will buy it. If you have any other bugs that you want to sell, you should submit them to us before you submit them to anyone else. We can not purchase bugs that have been submitted to companies like ZDI or iDefense!!! Once a bug is submitted to one of those companies we consider that bug to be public information (as do our buyers). If you submit a bug to us first and we don't purchase the bug, then the bug is still your property. As such, if we do not purchase a bug we have no rights to it and you can sell it to whoever you like. If you have any questions please feel free to email me directly, or email eap@netragard.com. Talk with you soon! Adriel.