Software Exploits vs Network

Okay, I was reading the article that Rob posted. What is the purpose of finding a software exploit? I mean, if a network is somewhat secure, and it's hard to gain access to these programs, why concentrate on the software side of the house?

Do these exploits just cause a program to shut down, run malicious code, etc.?

Someone explain it to the network guys' side of the house, please.

Exploits on software can give a user a higher level of authorization than they should have. Say a proggie runs at some twit user level where you have your own home space etc. but can't really do anything else but run a few programs and check email. If you can find an exploit for a program, it could give you root access to that server/box/whatnot, meaning you can basically do anything with it. That anything can range from... well, anything :)
lol, sorry man, I've been up all day, but I'll leave it to someone else to give a better explanation.

I mean, if a network is somewhat secure, and it's hard to gain access to these programs, why concentrate on the software side of the house?

Some servers HAVE to be exposed to the public Internet; that's their purpose in life. A firewall can't help protect those. In addition, a lot of the exploits found were in programs that read data files, not servers. An example of this: there's actually a recent buffer overflow attack in WordPad, of all programs. http://www.microsoft.com/technet/security/bulletin/MS04-041.mspx

If you downloaded a malicious RTF file and opened it with WordPad, a firewall wouldn't help.

Do these exploits just cause a program to shut down, run malicious code, etc.?

You can usually run arbitrary code. Usually this means a remote shell available to the attacker.

If you exploit a program, the best you can get is the ability to run arbitrary code with privilege level equal to the user running the program.

For example, exploiting a program that you write and compile using your account is useless, because you can only run code with the same privileges you already had.

If you could get someone logged in as root to run your program, then you could escalate your privileges.

So exploits for programs which are suid root are much more valuable. If a program has the suid bit set, that means it runs with the privileges of its owner (root in this case). You could run this program from your regular user account, and if you exploited it, you would have root privileges.

And this is also why, as much as possible, you should not let programs be suid root, and those which are suid root should be heavily audited.
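To make the suid explanation in the post above concrete, here is an added example (not part of the original thread, not anyone's posted code) in C. It shows what the suid bit does to a running process, the dangerous shape of a suid-root helper next to a hardened one, and a small probe of the kind you would use for the "heavily audited" part. The helper program, the file names and the "privileged step" are hypothetical; only the POSIX calls are real.

```c
/* Added example, not from the thread: what the suid bit does to a process,
 * why exploiting a suid-root binary therefore yields root, and a small
 * probe for finding such binaries.  The helper program, the file names and
 * the "privileged step" are hypothetical; only the POSIX calls are real. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <dirent.h>
#include <sys/stat.h>

/* 1 if `path` is a regular file with the setuid bit set and owned by `owner`
 * (0 for root), 0 if not, -1 if it cannot be stat'ed. */
int is_setuid_owned_by(const char *path, uid_t owner) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return S_ISREG(st.st_mode) && (st.st_mode & S_ISUID) != 0 && st.st_uid == owner;
}

/* Print and count setuid files owned by `owner` directly inside `dir`.
 * Non-recursive to stay short; `find / -perm -4000 -user root` is the
 * whole-system form of the same audit.  Returns -1 if `dir` cannot be opened. */
int count_setuid_in_dir(const char *dir, uid_t owner) {
    DIR *d = opendir(dir);
    if (d == NULL) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char path[4096];
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (is_setuid_owned_by(path, owner) == 1) {
            printf("setuid binary: %s\n", path);
            n++;
        }
    }
    closedir(d);
    return n;
}

/* The dangerous shape of a suid-root helper.  getuid() is the user who ran
 * it; geteuid() is 0 because of the suid bit.  system() hands the string to
 * /bin/sh, which resolves "ls" through the caller's PATH, so the caller can
 * put their own `ls` first in PATH and have it executed as root.  No
 * memory-corruption bug is needed for this program to be exploitable. */
void suid_helper_unsafe(void) {
    printf("real uid %d, effective uid %d\n", (int)getuid(), (int)geteuid());
    system("ls /var/log");
}

/* Permanently give up root and scrub the parts of the environment a child
 * shell reads.  With effective uid 0, setuid() changes the real, effective
 * and saved uid together, so seteuid(0) cannot undo it.  Returns 0 on
 * success, -1 otherwise. */
int drop_privileges(void) {
    uid_t real = getuid();
    if (setuid(real) != 0) return -1;
    if (getuid() != real || geteuid() != real) return -1;  /* verify the drop */
    if (setenv("PATH", "/usr/bin:/bin", 1) != 0) return -1;
    if (unsetenv("IFS") != 0) return -1;
    return 0;
}

/* Hardened shape: do the single privileged step first, drop root, then run
 * anything the caller can influence by absolute path. */
int suid_helper_safe(void) {
    FILE *f = fopen("/etc/shadow", "r");       /* hypothetical privileged step */
    int ok = drop_privileges() == 0;
    if (f != NULL) fclose(f);
    if (!ok) return -1;
    return system("/bin/ls /var/log") == 0 ? 0 : -1;
}

/* Self-check: create a file we own, set its setuid bit, and confirm the probe
 * reports it as setuid owned by us.  Returns 1 on success, 0 on failure. */
int selftest_setuid_probe(void) {
    char name[] = "/tmp/suidprobeXXXXXX";
    int fd = mkstemp(name);
    if (fd < 0) return 0;
    int ok = fchmod(fd, S_ISUID | S_IRWXU) == 0
          && is_setuid_owned_by(name, getuid()) == 1;
    close(fd);
    unlink(name);
    return ok;
}

int main(void) {
    printf("probe self-test: %d\n", selftest_setuid_probe());
    printf("%d setuid-root files directly in /usr/bin\n",
           count_setuid_in_dir("/usr/bin", 0));
    return 0;
}
```

The point of the two helper shapes is the one the post makes: whatever code runs inside the process runs with the effective uid, so the only defence that does not depend on the program being bug-free is to hold root for as short a window as possible and drop it before touching anything the invoking user controls.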

There are practical considerations to be made. For example, I have a friend who runs SQL Server on his web server and doesn't block the SQL Server port. He's running all of the latest patches, etc. So I had him give me a regular user account, which some of his "users" have for their own databases. I wasn't able to fire up a command shell and start doing some nasty stuff, which I would be able to do because a HUGE number of people run SQL Server under the system account - thank you very much. I was, however, able to fire an extended stored proc and get read access to the server's registry, which gives me even more info to try and get in.

Point being, don't expose software that you don't have to on the network, and you avoid crap like this and SQL Slammer. However, Code Red was a buffer overrun in IIS. Other than good patch management, how do you stop that? Write more secure software.

That is the point of IPS software. When you have to open up the port in the firewall, the IPS will at least help check for attack signatures in the payload and drop them.

Firewalls exist to protect only the network layers. They only filter on source/destination IP, protocol, port and subnet. That's it. For everything else, you need an IPS and also proxies to protect the application layer.

An IPS sits at layer 2 but is able to 'see' up to layer 7; it has to be able to, otherwise it wouldn't be able to catch exploits. Whereas a pure proxy sits at layer 7 and catches only application-layer attacks (viruses, trojans, worms, URLs, spam, etc.).
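As an added example (not part of the original thread, and not any product's rule set) for the last two posts on what a firewall can and cannot see versus an IPS, here is a toy classifier in C. The firewall decision looks only at addresses, protocol and port; the IPS decision reads the payload. The addresses, the allowed-port rule, the sample packets and the "long run of identical bytes in the query string" signature are all constructed for illustration.

```c
/* Added example, not from the thread: a toy classifier making the point of
 * the two posts above concrete.  The firewall decision sees only addresses,
 * protocol and port; the IPS decision reads the payload.  The addresses,
 * the allowed-port rule, the packets and the signature are all constructed
 * for illustration and are not any product's rule set. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

struct packet {
    const char *src, *dst;    /* addresses as text; enough for the example */
    int proto;                /* 6 = TCP */
    uint16_t dport;
    const char *payload;
    size_t payload_len;
};

enum verdict { DROP_FIREWALL = 0, DROP_IPS = 1, FORWARD = 2 };

/* Layer-3/4 rule: permit TCP to the web server's port 80, nothing else.
 * The payload is never consulted, which is the whole limitation. */
int firewall_allows(const struct packet *p) {
    return p->proto == 6 && strcmp(p->dst, "203.0.113.10") == 0 && p->dport == 80;
}

/* Layer-7 signature (constructed): an HTTP GET whose query string contains
 * a run of 64 or more identical bytes, the filler an overflow attempt
 * against a web server typically carries. */
int ips_signature_matches(const struct packet *p) {
    if (p->payload_len < 4 || memcmp(p->payload, "GET ", 4) != 0) return 0;
    const char *q = memchr(p->payload, '?', p->payload_len);
    if (q == NULL) return 0;
    q++;
    size_t rest = p->payload_len - (size_t)(q - p->payload);
    size_t run = 0;
    for (size_t i = 0; i < rest && q[i] != ' ' && q[i] != '\r'; i++) {
        run = (i > 0 && q[i] == q[i - 1]) ? run + 1 : 1;
        if (run >= 64) return 1;
    }
    return 0;
}

/* Firewall first (cheap, stateless), then the IPS on what it let through. */
enum verdict classify(const struct packet *p) {
    if (!firewall_allows(p)) return DROP_FIREWALL;
    if (ips_signature_matches(p)) return DROP_IPS;
    return FORWARD;
}

/* Constructed sample payloads: kind 0 is an ordinary request, kind 1 is a
 * request whose query string is 120 repeated 'A' bytes. */
const char *sample_payload(int kind) {
    static char buf[256];
    if (kind == 0) return "GET /index.html HTTP/1.0\r\n\r\n";
    size_t n = (size_t)snprintf(buf, sizeof buf, "GET /search?");
    memset(buf + n, 'A', 120);
    n += 120;
    snprintf(buf + n, sizeof buf - n, " HTTP/1.0\r\n\r\n");
    return buf;
}

struct packet sample_packet(int kind, uint16_t dport) {
    struct packet p = { "198.51.100.7", "203.0.113.10", 6, dport, NULL, 0 };
    p.payload = sample_payload(kind);
    p.payload_len = strlen(p.payload);
    return p;
}

/* Wrappers so each outcome can be checked by name. */
int firewall_verdict(int kind, uint16_t dport) {
    struct packet p = sample_packet(kind, dport);
    return firewall_allows(&p);
}

int combined_verdict(int kind, uint16_t dport) {
    struct packet p = sample_packet(kind, dport);
    return (int)classify(&p);
}

int main(void) {
    static const char *names[] = { "DROP_FIREWALL", "DROP_IPS", "FORWARD" };
    printf("benign GET to :80   -> %s\n", names[combined_verdict(0, 80)]);
    printf("overflow GET to :80 -> %s (firewall alone said allow=%d)\n",
           names[combined_verdict(1, 80)], firewall_verdict(1, 80));
    printf("benign GET to :1433 -> %s\n", names[combined_verdict(0, 1433)]);
    return 0;
}
```

The overflow attempt to port 80 is the case the posts are about: the firewall allows it because port 80 is what the server is there for, and only the payload inspection stops it. The caveat is the same one the thread raises about patching: a signature only catches what it was written for, so the IPS narrows exposure on a port you must leave open rather than replacing secure code behind it.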

no prob. ;-)