
Published on October 11th, 2014 | by NJ Ouchn

vFeed Python API v0.5.0 and introduction of the Search module

The vFeed framework is an open source naming-scheme concept that provides structured, detailed third-party references and technical characteristics for a CVE entry through an extensible XML schema.

It also improves the reliability of CVEs by providing a flexible and comprehensive vocabulary for describing their relationship with other security references and standards.

Key features

  • Built using open source technologies
  • Fully downloadable SQLite local vulnerability database
  • Structured and flexible XML-based schema to describe vulnerabilities
  • Based on major open standards (CVE, CPE, CWE, CAPEC, …)
  • Support for correlation with third-party security references (IAVA, OSVDB, OVAL, …)
  • Extended to support correlation with security assessment and patch vendors (Nessus, Metasploit, Exploit-DB, Red Hat, Microsoft, …)
  • Simple, ready-to-use Python module with more than 30 methods

Finally I have reached the ‘search’ class in my long roadmap. I apologize to those who have been asking for it for months. It is now available in an early stage. During all this time, the idea of bringing something more consistent grew in my mind, and the search class is a kind of proof of concept. For now, let’s stick to this basic search version; I hope you will find it useful. Feel free to send me your suggestions to improve it or, worst case, roll up your sleeves and do it yourself 😉

The search class has been introduced with this newest version, 0.5.0. It uses basic search techniques (only one keyword, a CVE or a CPE) but looks very promising, especially when it comes to digging into CPE information. In fact, as I mentioned above, this class will evolve into a decent and sophisticated CPE API with support for several methods (as the CVE API has).

For now, it is useful to search for CPEs and CVEs while leveraging the existence of exploits (Metasploit and Exploit-DB). In fact, the search method acts like a decision maker, and the trigger is the availability of exploits.

One more thing: you need to be familiar with the CPE (Common Platform Enumeration) syntax. If you are not, it’s never too late to learn something new. Point your browser to the CPE Mitre website (http://cpe.mitre.org/specification/#naming).

Let’s now search for CVE-2014-0160:

python vfeedcli.py search CVE-2014-0160
[+] Querying information for CVE-2014-0160 ...
    [-] The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g ....
    [!] 2 Metasploit Exploit(s) Found
    [!] 4 Exploit DB sploits Found

[INFO] Try vfeedcli.py export CVE-2014-0160 for more information !!

As shown above, the method returns the CVE information and flags the availability of exploits. As a matter of fact, get_cve and get_msf may give the same level of information. Personally, I would prefer to export the CVE into the vFeed XML format, but then you need to dive into the XML and extract the useful information (by the way, something new in the roadmap will come to the rescue).

Now let’s see how we can leverage the search to get CPE information. For this first example, I chose an industrial switch from RuggedCom (http://w3.siemens.com/mcms/industrial-communication/en/rugged-communication/products/pages/product-overview.aspx). The CPEs for RuggedCom switches may look like cpe:/o:ruggedcom or cpe:/o:siemens:ruggedcom_rugged_operating_system. Let’s say you are facing a RuggedCom switch during a pentest. This is where the search class comes into play. Let’s start with the first CPE.

python vfeedcli.py search cpe:/o:ruggedcom
[+] Querying information for cpe:/o:ruggedcom ...
     [-] Total Unique CVEs        [2] 
     [-] Total Found CPEs         [6] 
[+] Gathering information ... 
    [-] cpe:/o:ruggedcom:ros:3.9
        [-] CVE-2012-1803 | CVSS Base :8.5
            [->] RuggedCom Rugged Operating System (ROS) 3.10.x and ....
            [!] 1 Metasploit Exploit(s) Found
            [!] 1 Exploit DB sploits Found
    [-] cpe:/o:ruggedcom:ros:3.8
        [-] CVE-2012-1803 | CVSS Base :8.5
            [->] RuggedCom Rugged Operating System (ROS) 3.10.x and ....
            [!] 1 Metasploit Exploit(s) Found
            [!] 1 Exploit DB sploits Found
    [-] cpe:/o:ruggedcom:ros:3.7
        [-] CVE-2012-1803 | CVSS Base :8.5
            [->] RuggedCom Rugged Operating System (ROS) 3.10.x and ....
            [!] 1 Metasploit Exploit(s) Found
            [!] 1 Exploit DB sploits Found
    [-] cpe:/o:ruggedcom:ros:3.3
        [-] CVE-2012-1803 | CVSS Base :8.5
            [->] RuggedCom Rugged Operating System (ROS) 3.10.x and ....
            [!] 1 Metasploit Exploit(s) Found
            [!] 1 Exploit DB sploits Found
    [-] cpe:/o:ruggedcom:ros:3.2
        [-] CVE-2012-1803 | CVSS Base :8.5
            [->] RuggedCom Rugged Operating System (ROS) 3.10.x and ....
            [!] 1 Metasploit Exploit(s) Found
            [!] 1 Exploit DB sploits Found
        [-] CVE-2012-2441 | CVSS Base :8.5
            [->] RuggedCom Rugged Operating System (ROS) before 3.3 ....
    [-] cpe:/o:ruggedcom:ros:3.10
        [-] CVE-2012-1803 | CVSS Base :8.5
            [->] RuggedCom Rugged Operating System (ROS) 3.10.x and ....
            [!] 1 Metasploit Exploit(s) Found
            [!] 1 Exploit DB sploits Found

Bingo. Let’s see what it says. First, the method computes quick stats and displays the total unique CVEs and CPEs. It gathers all CPEs that look like the input; in SQLite terms, I used the LIKE statement. Some may see this as a limitation, since the class supports only one keyword. This will be enhanced in the coming releases.

Anyway, the search enumerates the 6 found CPEs:

  • cpe:/o:ruggedcom:ros:3.9
  • cpe:/o:ruggedcom:ros:3.8
  • cpe:/o:ruggedcom:ros:3.7
  • cpe:/o:ruggedcom:ros:3.3
  • cpe:/o:ruggedcom:ros:3.2
  • cpe:/o:ruggedcom:ros:3.10

and identifies 2 unique CVEs:

  • CVE-2012-1803
  • CVE-2012-2441

The best part here is that we know exploits can be leveraged to break into the RuggedCom switch if its version matches the one you found during your engagement. Again, to gather more information, we use the other methods that come with vFeed, such as:

python vfeedcli.py get_msf CVE-2012-1803
msf_id: telnet_ruggedcom.rb
msf_title: RuggedCom Telnet Password Generator
msf_file: metasploit-framework/modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb

[stats] 1 Metasploit Exploits/Plugins

Et voilà, you know which exploit you can use: metasploit-framework/modules/auxiliary/scanner/telnet/telnet_ruggedcom.rb

The search class should be very useful for those looking to gather information on CPEs, and especially on the exploitable versions. Some enhancements will soon be available, such as:

  • search for an exact occurrence instead of the SQLite LIKE statement,
  • search for only exploitable versions,
  • free-text search (in the CVE description, e.g. “Java” or “default password”).

At this stage, I’d prefer to keep it simple, since I am planning to refactor it into a rich CPE API class.

Besides the addition of the search class, vFeed 0.5.0 supports CWE (Common Weakness Enumeration) version 2.8. Mitre Corp has added 58 new nodes, so vFeed will report any vulnerability mapped to the newest CWE identifiers. Check the full Mitre report here: http://cwe.mitre.org/data/reports/diff_reports/v2.7_v2.8.html
Happy CPE digging!!
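As an added illustration, not vFeed's own code or schema, the following Python models the search behaviour described above (SQLite LIKE on one keyword, per-CPE CVE listing with CVSS base score and Metasploit/Exploit-DB counts, and the "Total Unique CVEs" stat) together with two of the planned enhancements, exact matching and exploitable-only filtering. The three table names, their columns and the sample rows are constructed assumptions shaped after the output shown in this post; the handling of `_` in the LIKE pattern is my addition, since `_` is a single-character wildcard in SQLite and is common in CPE names.

```python
import sqlite3
SAMPLE_CVE_CPE = [("cpe:/o:ruggedcom:ros:3.9", "CVE-2012-1803"),
                  ("cpe:/o:ruggedcom:ros:3.2", "CVE-2012-1803"),
                  ("cpe:/o:ruggedcom:ros:3.2", "CVE-2012-2441"),
                  ("cpe:/o:ruggedcom:ros:3.10", "CVE-2012-1803"),
                  ("cpe:/o:siemens:ruggedcom_rugged_operating_system", "CVE-2012-2441")]
SAMPLE_CVSS = [("CVE-2012-1803", 8.5), ("CVE-2012-2441", 8.5)]
SAMPLE_EXPLOITS = [("CVE-2012-1803", "msf"), ("CVE-2012-1803", "edb")]

def build_sample_db():
    """In-memory SQLite DB with constructed rows shaped after the output above
    (assumed tables; this is not vFeed's real schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""CREATE TABLE cve_cpe(cpe TEXT, cve TEXT);
        CREATE TABLE cvss(cve TEXT PRIMARY KEY, base REAL);
        CREATE TABLE exploits(cve TEXT, source TEXT);""")
    db.executemany("INSERT INTO cve_cpe VALUES (?, ?)", SAMPLE_CVE_CPE)
    db.executemany("INSERT INTO cvss VALUES (?, ?)", SAMPLE_CVSS)
    db.executemany("INSERT INTO exploits VALUES (?, ?)", SAMPLE_EXPLOITS)
    return db

def search_cpe(db, keyword, exact=False, exploitable_only=False):
    """Return {cpe: {cve: {"cvss": base, "msf": n, "edb": n}}} for matching CPEs.
    exact=False is the 0.5.0 behaviour (SQLite LIKE substring match); exact=True
    and exploitable_only=True model the enhancements listed above."""
    if exact:
        rows = db.execute("SELECT DISTINCT cpe FROM cve_cpe WHERE cpe = ?", (keyword,))
    else:
        # '_' is a LIKE wildcard and common in CPE names, so escape it (and '%').
        pattern = "%" + keyword.replace("%", r"\%").replace("_", r"\_") + "%"
        rows = db.execute(r"SELECT DISTINCT cpe FROM cve_cpe WHERE cpe LIKE ? ESCAPE '\'",
                          (pattern,))
    result = {}
    for (cpe,) in rows.fetchall():
        cves = {}
        for cve, base in db.execute("SELECT c.cve, v.base FROM cve_cpe c LEFT JOIN cvss v "
                                    "ON v.cve = c.cve WHERE c.cpe = ?", (cpe,)).fetchall():
            counts = dict(db.execute("SELECT source, COUNT(*) FROM exploits "
                                     "WHERE cve = ? GROUP BY source", (cve,)).fetchall())
            msf, edb = counts.get("msf", 0), counts.get("edb", 0)
            if exploitable_only and not (msf or edb):
                continue  # the "decision maker": keep only CVEs with a known exploit
            cves[cve] = {"cvss": base, "msf": msf, "edb": edb}
        if cves:
            result[cpe] = cves
    return result

def unique_cves(result):
    """The 'Total Unique CVEs' stat: distinct CVE ids across all matched CPEs."""
    return sorted({cve for cves in result.values() for cve in cves})
```

Running search_cpe(build_sample_db(), "cpe:/o:ruggedcom") reproduces the shape of the CLI output above: three matching CPEs, two unique CVEs, and CVE-2012-2441 dropped as soon as exploitable_only=True because no exploit reference is attached to it.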
