Leveraging CVE for Web Application Penetration Testing

DESCRIPTION

Efficient use of CVE content for web application penetration testing (WAPT): XORCISM, Burp extension, OWASP ZAP extension, nmap NSE script for vulnerability assessment

Leveraging CVE for Web Application Penetration Testing

Jerome Athias, March 2014

CVE (Common Vulnerabilities and Exposures) is a dictionary of publicly known security flaws, one identifier per vulnerability, maintained by MITRE.

NIST's National Vulnerability Database (NVD) enriches each CVE entry with analysis data (CVSS scores, CPE configurations) as part of SCAP (Security Content Automation Protocol). https://nvd.nist.gov/ https://cve.mitre.org/

The goal of CVE is to make it easier to share data across separate vulnerability tools, repositories, and services.

The CVE vulnerability database (60000+ entries) is available as XML feeds https://nvd.nist.gov/download.cfm

The CVE database is also searchable online https://web.nvd.nist.gov/view/vuln/search https://cve.mitre.org/cve/

CVE Format The NVD/CVE data feed is available as XML files using an XML schema

https://nvd.nist.gov/schema/nvd-cve-feed_2.0.xsd

It is also available in CVRF (Common Vulnerability Reporting Format) http://www.icasi.org/cvrf

NB: CVRF is derived from IETF's IODEF http://tools.ietf.org/html/draft-ietf-mile-rfc5070-bis-06 See also: https://tools.ietf.org/html/draft-booth-sacm-vuln-model-02

CVE Mappings As part of SCAP, CVE entries are mapped to the other SCAP specifications (enumerations, scoring metrics and checking languages)

Examples: CWE, CVSS, CPE, CCE, OVAL

CVE Content CVE-ID

Description

References

Impact (CVSS)

Configuration (CPEs)

Leveraging CVE content for WAPT Example: SQL Injection

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sql+injection

Interesting (unstructured) information about the URIs, parameters and function names in the description: “execute arbitrary SQL commands via the sortby parameter to admin/moduleinterface.php”

“vulnerability in the manage configuration page (adm_config_report.php) … via the filter_config_id parameter”

“in portal/addtoapplication.php … via the rssurl parameter”

Extracting juicy information from CVE Start your regex engine!

CPEs: easy, because they are stored in a structured way in each CVE entry (the vulnerable-software list). Useful for reconnaissance (information gathering, fingerprinting)

Example: nmap nse script

http://thesprawl.org/research/writing-nse-scripts-for-vulnerability-scanning/

http://www.scip.ch/?labs.20130625

Extracting juicy information from CVE Default credentials

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=default+password

“has a default password of admin for the admin account”

“has a default "ditto" username and password”

“Cisco Video Surveillance 4000 IP cameras has hardcoded credentials”

“HTC Droid Incredible has a default WPA2 PSK passphrase of 1234567890”

Enhance your default credentials database http://www.cirt.net/passwords

http://www.virus.org/default-password/

http://www.routerpasswords.com/

Do it right: default credentials + CPE https://www.security-database.com/dpe.php

Extracting juicy information from CVE URIs, parameters, functions

Unfortunately, these are not structured in CVE. They should be (in a CybOX way), so let's do it ourselves

Approach: XML parsing, regex, dissector => storage in a database. For the database's design, reuse the CybOX HTTP Session Object and URI Object

http://cybox.mitre.org/language/version2.1/xsddocs/objects/HTTP_Session_Object.html

http://cybox.mitre.org/language/version2.1/xsddocs/objects/URI_Object.html
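The approach above (parse the NVD XML, keep the structured CPEs, run regex dissectors over the free-text description for URI/parameter pairs and default credentials, store everything linked by CVE id, then query it) carried through in Python as an added example; this is not the XORCISM code and not the author's regexes. The feed excerpt is constructed in the layout of the NVD 2.0 XML files with placeholder CVE ids and CPE names (the `example` vendor), and the summaries are built around the description fragments quoted in the slides; the patterns are mine and only cover those phrasings.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Namespaces used by the NVD "nvdcve-2.0" XML feeds.
NS = {"nvd": "http://scap.nist.gov/schema/feed/vulnerability/2.0",
      "vuln": "http://scap.nist.gov/schema/vulnerability/0.4",
      "cvss": "http://scap.nist.gov/schema/cvss-v2/0.2"}

# Constructed sample in the layout of an NVD 2.0 feed: placeholder CVE IDs and CPE names,
# summaries built around the description fragments quoted in the slides.
SAMPLE_FEED = """<nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
 xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4"
 xmlns:cvss="http://scap.nist.gov/schema/cvss-v2/0.2" nvd_xml_version="2.0">
<entry id="CVE-0000-0001">
 <vuln:vulnerable-software-list><vuln:product>cpe:/a:example:webapp:1.0</vuln:product>
  <vuln:product>cpe:/a:example:webapp:1.1</vuln:product></vuln:vulnerable-software-list>
 <vuln:cvss><cvss:base_metrics><cvss:score>7.5</cvss:score></cvss:base_metrics></vuln:cvss>
 <vuln:summary>SQL injection vulnerability in Example WebApp before 1.2 allows remote attackers
  to execute arbitrary SQL commands via the sortby parameter to admin/moduleinterface.php.</vuln:summary>
</entry>
<entry id="CVE-0000-0002">
 <vuln:vulnerable-software-list><vuln:product>cpe:/a:example:webapp:1.1</vuln:product></vuln:vulnerable-software-list>
 <vuln:cvss><cvss:base_metrics><cvss:score>6.5</cvss:score></cvss:base_metrics></vuln:cvss>
 <vuln:summary>SQL injection vulnerability in the manage configuration page (adm_config_report.php)
  in Example WebApp 1.1 allows remote authenticated users to execute arbitrary SQL commands
  via the filter_config_id parameter.</vuln:summary>
</entry>
<entry id="CVE-0000-0003">
 <vuln:vulnerable-software-list><vuln:product>cpe:/h:example:ipcam:2.0</vuln:product></vuln:vulnerable-software-list>
 <vuln:cvss><cvss:base_metrics><cvss:score>10.0</cvss:score></cvss:base_metrics></vuln:cvss>
 <vuln:summary>Example IPCam 2.0 has a default password of admin for the admin account,
  which allows remote attackers to obtain access.</vuln:summary>
</entry>
</nvd>"""

# Dissectors for the free-text summary. NVD phrasing is regular enough that a few patterns
# cover many entries; what they miss simply yields nothing (no false structure is invented).
PARAM_RE = re.compile(r"via the (?P<param>[\w\[\]-]+) parameter(?: (?:to|in) (?P<uri>[\w./-]+\.\w+))?")
URI_RE = re.compile(r"(?<![\w/])(?P<uri>[\w./-]*?\w\.(?:php|aspx|asp|jsp|cgi|pl|py|do))\b")
CRED_RES = [re.compile(r"default password of (?P<password>\S+) for the (?P<username>\S+) account"),
            re.compile(r'default "(?P<username>[^"]+)" username and password')]

def parse_feed(xml_text):
    """Yield (cve_id, summary, cvss_score, [cpe, ...]) for each <entry> of an NVD 2.0 feed."""
    for entry in ET.fromstring(xml_text).findall("nvd:entry", namespaces=NS):
        summary = " ".join(entry.findtext("vuln:summary", default="", namespaces=NS).split())
        score = entry.findtext("vuln:cvss/cvss:base_metrics/cvss:score", namespaces=NS)
        cpes = [p.text for p in entry.findall("vuln:vulnerable-software-list/vuln:product", namespaces=NS)]
        yield entry.get("id"), summary, float(score) if score else None, cpes

def dissect(summary):
    """Return ([(uri, param), ...], [(username, password), ...]) extracted from one summary."""
    points, creds = [], []
    for m in PARAM_RE.finditer(summary):
        uri = m.group("uri")
        if not uri:  # "... (foo.php) ... via the bar parameter": fall back to the first script name
            u = URI_RE.search(summary)
            uri = u.group("uri") if u else None
        points.append((uri, m.group("param")))
    for rx in CRED_RES:
        for m in rx.finditer(summary):
            user = m.group("username")
            creds.append((user, m.group("password") if "password" in m.groupdict() else user))
    return points, creds

SCHEMA = """
CREATE TABLE cve (id TEXT PRIMARY KEY, summary TEXT, cvss REAL);
CREATE TABLE cpe (cve_id TEXT, cpe TEXT);
CREATE TABLE injection_point (cve_id TEXT, uri TEXT, param TEXT);
CREATE TABLE default_cred (cve_id TEXT, username TEXT, password TEXT);"""

def build_db(xml_text):
    """The import step without the download: parse, dissect, store everything linked by CVE id."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for cve_id, summary, score, cpes in parse_feed(xml_text):
        db.execute("INSERT INTO cve VALUES (?, ?, ?)", (cve_id, summary, score))
        db.executemany("INSERT INTO cpe VALUES (?, ?)", [(cve_id, c) for c in cpes])
        points, creds = dissect(summary)
        db.executemany("INSERT INTO injection_point VALUES (?, ?, ?)", [(cve_id, u, p) for u, p in points])
        db.executemany("INSERT INTO default_cred VALUES (?, ?, ?)", [(cve_id, u, p) for u, p in creds])
    db.commit()
    return db

def injection_points_for(db, cpe):
    """Injection points affecting one fingerprinted CPE, most severe first."""
    return db.execute("""SELECT c.id, i.uri, i.param, c.cvss FROM cve c
        JOIN cpe ON cpe.cve_id = c.id JOIN injection_point i ON i.cve_id = c.id
        WHERE cpe.cpe = ? ORDER BY c.cvss DESC""", (cpe,)).fetchall()

def default_creds_for(db, cpe_prefix):
    """Default credentials for any product whose CPE starts with the prefix (vendor:product)."""
    return db.execute("""SELECT DISTINCT d.username, d.password FROM default_cred d
        JOIN cpe ON cpe.cve_id = d.cve_id WHERE cpe.cpe LIKE ? || '%'""", (cpe_prefix,)).fetchall()

if __name__ == "__main__":
    db = build_db(SAMPLE_FEED)
    for row in injection_points_for(db, "cpe:/a:example:webapp:1.1"):
        print("SQLi candidate:", row)
    print("Try these first:", default_creds_for(db, "cpe:/h:example:ipcam"))
```

The two queries are the ones a scanner or brute-forcer asks right after fingerprinting: given an exact CPE, which URI/parameter pairs are worth a targeted SQL injection test, and given a vendor:product prefix, which credentials to try before any wordlist. Descriptions the dissectors do not understand (for example the WPA2 passphrase wording quoted above) produce no rows rather than a wrong one, which is the property you want before feeding this into automated exploitation.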

XORCISM Database and Tools Automatic import (download, parsing, storage) of CVEs into the database

The same for CPE, CWE, etc. ;-) all linked automatically together. DOH!

Remember the default credentials? Guess what… stored there with CPEs dude

What else? well… GHDB? :p

Some beta regex to extract the good stuff and store it in the relevant tables

Easy research: sql queries

DEMO The Hackenathon

Usage for WAPT Structured database (automatically updated) for nmap nse scripts

(vulnerability scanner). Yes, we scan!

More effective brute force (reliable default credentials attempt first)

A “passive”, reliable, automated way to find more vulnerabilities once the web proxy has discovered the application's URIs and parameters

What about live? Hum, let me think.. Burp and ZAP extensions linked to the database?

DEMO Thriller

Burp extension

ZAP extension

CVE+ and Selenium

Near future: reliable automatic exploitation (because autopwn is noisy)

Questions? Thank you

Happy Hacking!

Coming soon http://xorcism.org/

Early birds http://www.frhack.org/research/xorcism.php
