Post Thu Feb 22, 2007 12:13 am

Vulnerability Search FU

I have been very busy lately and so I haven't been able to monitor or post as much as I would like to this forum.  Here is a post I just put up on my blog that might help (or get a laugh :) ).

-------------------------------

Yesterday I learned that my Vulnerability Search FU is weak. Weak enough to be embarrassing. Sure I know where to look.

  • MITRE's Common Vulnerabilities and Exposures (CVE)
  • SecurityFocus Bugtraq
  • The Open Source Vulnerability Database (OSVDB)
  • US-CERT National Vulnerability Database (NVD)
  • IBM's Internet Security Systems X-Force Database

If you cannot find a vulnerability here, then either it does not exist or it is not publicly known, in which case it is possibly a 0-day. Hmm, speaking of 0-day.

  • eEye Research Zero-Day Tracker
  • TippingPoint's Zero Day Initiative
  • Zeroday Emergency Response Team

Like I said, I know where to look, or at least where to start. But where to start? Okay, let's pick something. Apache web server....GO. Wait, there are a ton of vulnerabilities associated with Apache; what version are we talking about? Easy, mmmm, 1.3.26. So, I go to the OSVDB and type "Apache 1.3.26" into the search box titled Title Search. Here is what the search returned:

OSVDB Search:
No vulnerabilities containing all your search terms were found.
Suggestions:

* Make sure all words are spelled correctly.
* Try different words
* Try more general words
* Try fewer words


Not the answer I expected. Well, what about SecurityFocus? Good luck typing in "Apache 1.3.26", because you don't have that choice. You need either a CVE number or you need to drill into the drop-down boxes they provide for you: Vendor, Title, Version. In this case I selected Vendor="Apache", Title="HTTP Server", and Version="1.3.34" (the only other option was 2.2.2). Here is what the search returned:

Security Focus Search:
No matching vulnerabilities found
Vulnerabilities (Page 1 of 0)


Apparently I am getting nowhere fast, or this might mean, as I stated earlier, "If you cannot find a vulnerability here then the vulnerability does not exist." But that cannot be true, because Apache 1.3.26 is a really old version. I decided to try one more search. This time I picked on the X-Force Database. In the text box "search for" I typed "Apache 1.3.26", and here is what was returned.

X-Force Database Search:
Keyword Search Results

316 documents match your search for "Apache 1.3.26" in the X-Force database.
Displaying results 1 to 10

ISS X-Force Database: apache-chunked-encoding-bo(9249): Apache HTTP Server chunked encoding heap buffer overflow
ISS X-Force Database: apache-header-hrs(21195): Apache HTTP Server header HTTP request smuggling
ISS X-Force Database: apache-modalias-modrewrite-bo(13400): Apache HTTP server mod_alias and mod_rewrite buffer overflow
ISS X-Force Database: apache-apachebench-response-bo(10281): Apache HTTP Server ab.c ApacheBench long response buffer overflow
ISS X-Force Database: apache-modproxy-contentlength-bo(16387): Apache HTTP Server mod_proxy Content-Length buffer overflow
ISS X-Force Database: apache-modrewrite-offbyone-bo(28063): Apache mod_rewrite off-by-one buffer overflow
ISS X-Force Database: apache-modssl-htaccess-bo(9415): Apache HTTP Server mod_ssl .htaccess off-by-one buffer overflow
ISS X-Force Database: apache-socket-starvation-dos(15540): Apache HTTP Server socket starvation denial of service
ISS X-Force Database: apache-esc-seq-injection(11412): Apache HTTP Server error log terminal escape sequence injection
ISS X-Force Database: apache-modssl-bo(8308): Apache 'mod_ssl' authentication module buffer overflow


Pay dirt. I decided to start looking into the vulnerabilities. Of course, I wanted to find something nice and juicy. The first one looks promising as it mentions "buffer overflow", so I followed the link and was given this description.

Apache HTTP Server chunked encoding heap buffer overflow
apache-chunked-encoding-bo (9249) The risk level is classified as High Risk

Description:

Apache HTTP Server versions 1.2.2 and later, 1.3 up to and including 1.3.24, and 2.0 up to and including 2.0.36 are vulnerable to a heap buffer overflow in the mechanism that calculates the size of "chunked" encoding. Chunked encoding is a process by which a client generates a variable sized "chunk" of data and notifies the Web server of the data's size before transferring it, so that the Web server can allocate a buffer of the correct size. The Apache HTTP Server has a software flaw that misinterprets the size of incoming data chunks. A remote attacker can use this vulnerability to overflow a buffer and execute arbitrary code or cause a denial of service against the affected Web server.


Wait....did I read that correctly? "1.3 up to and including 1.3.24?" But I wanted vulnerabilities in version 1.3.26. Okay, nothing here. Damn, move on down the list. Ahh, the third one also has the words "buffer overflow". Great, upon further review I was greeted with the statement: "Apache HTTP Server versions prior to 1.3.29." Excellent.

Scroll....read....scroll....read....scroll....Ahh, "Standards associated with this entry." It looks like I have found links to other vulnerability databases. One of which links to SecurityFocus. Follow the link and a little searching reveals "Apache Software Foundation Apache 1.3.26". Wait, isn't this the same site I already searched for Apache 1.3.26, where the only option I was given was 1.3.34? Now I am getting frustrated. Of course I have found what I am looking for, but I had to go through three different websites' search engines to get there. Not cost effective.

What to do? Hmm, Google is your friend. Google text box = "site:osvdb.org apache 1.3.26"

862: Apache SSI Error Page XSS
Apache Software Foundation Apache 1.3.26; Apache Software Foundation Apache 2.0.35; Apache Software Foundation Apache 2.0.36 ...
osvdb.org/displayvuln.php?osvdb_id=862

838: Apache Chunked Encoding Overflow
Apache Software Foundation Web Server 2.0.36. Solution: Upgrade to version 1.3.26, 2.0.39 or higher, as it has been reported to fix this vulnerability. ...
osvdb.org/displayvuln.php?osvdb_id=838

7611: Apache mod_alias Local Overflow
Apache Software Foundation HTTP Server 1.3.24; Apache Software Foundation HTTP Server 1.3.25; Apache Software Foundation HTTP Server 1.3.26 ...
osvdb.org/displayvuln.php?osvdb_id=7611

3877: Apache-SSL Client Certificate Forging
Ben Laurie Apache-SSL 1.3.22+1.4x; Ben Laurie Apache-SSL 1.3.24+1.48; Ben Laurie Apache-SSL 1.3.26+1.48; Ben Laurie Apache-SSL 1.3.27+1.48 ...
osvdb.org/displayvuln.php?osvdb_id=3877

4037: Apache Cygwin Encoded GET Request Arbitrary File Access
Apache Software Foundation Web Server (Win32) on Cygwin 1.3.25; Apache Software Foundation Web Server (Win32) on Cygwin 1.3.26 ...
osvdb.org/displayvuln.php?osvdb_id=4037

3322: Apache mod_php HTTP Server Hijack
Apache Software Foundation mod_php 1.3.26. Solution: Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the ...
osvdb.org/displayvuln.php?osvdb_id=3322

Apache mod_rewrite Local Overflow OSVDB ID: 2733 Disclosure Date ...
A local overflow exists in Apache. The mod_rewrite module fails to handle regular expressions containing ... Apache Software Foundation HTTP Server 1.3.10 ...
osvdb.org/displayvuln.php?osvdb_id=2733&print

Stable: Apache Shared Memory Scoreboard DoS | OSVDB Disclosure ...
Apache HTTP server contains a flaw that may allow a local denial of service. The issue is triggered when a local user with privileges as the Apache UID ...
skateboard.osvdb.org/~vladd/drupal/?q=view_vuln/4552

Apache Cygwin Encoded GET Request Arbitrary File Access OSVDB ID ...
Apache Webserver contains a flaw that allows a remote attacker to access arbitrary files ... Apache Software Foundation Web Server (Win32) on Cygwin 1.0 ...
www.osvdb.org/displayvuln.php?osvdb_id=4037&print

Stable: Apache Cygwin Encoded GET Request Arbitrary File Access ...
Apache Webserver contains a flaw that allows a remote attacker to access ... However, Apache Software Foundation has released a patch to address this ...
skateboard.osvdb.org/~vladd/drupal/?q=view_vuln/4037


Wow. All this information about Apache 1.3.26 is located within the OSVDB database, except their own search engine did not pull it out and display it for me. What about the null return from SecurityFocus? How would they fare against a Google query?

Apache Mod_Proxy Remote Negative Content-Length Buffer Overflow ...
Apache Software Foundation Apache 1.3.26 + Conectiva Linux 8.0 + Conectiva Linux 7.0 + Conectiva Linux 6.0 + Debian Linux 3.0 sparc + Debian Linux 3.0 s/390 ...
www.securityfocus.com/bid/10508

Share360 Cross-Site Scripting Vulnerabilities
Apache Software Foundation Apache for Windows 1.3.26 ... Apache Software Foundation Apache 1.3.26 - Apache Software Foundation Apache 1.3.25 ...
www.securityfocus.com/bid/5151

Apache Mod_Rewrite Off-By-One Buffer Overflow Vulnerability
IBM HTTP Server 1.3.26 .2 IBM Hardware Management Console (HMC) for pSeries 6.0 R1.0 ... Apache Software Foundation Apache 2.0.54 + Debian Linux 3.1 sparc ...
www.securityfocus.com/bid/19204

Apache Mod_SSL SSL_Util_UUEncode_Binary Stack Buffer Overflow ...
Apache Software Foundation Apache 1.3.26 + MandrakeSoft Corporate Server 2.1 x86_64 + MandrakeSoft Corporate Server 2.1 + Slackware Linux 8.1 ...
www.securityfocus.com/bid/10355

Mod_SSL Off-By-One HTAccess Buffer Overflow Vulnerability
ftp://atualizacoes.conectiva.com.br/6.0 ... U60_2cl.i3 86.rpm ... http://www.trustix.net/pub/Trustix/upda ... 1.3.26-2tr
www.securityfocus.com/bid/5084/solution

Apache mod_include Local Buffer Overflow Vulnerability
Apache Software Foundation Apache 1.3.26 ... Mandrake apache-1.3.26-7.3.C21mdk.i586.rpm Mandrake Corporate Server 2.1 http://www.mandrakesecure.net/en/ftp. ...
www.securityfocus.com/bid/11471/solution

Apache Mod_Proxy Remote Negative Content-Length Buffer Overflow ...
PQ89899.1.3.26.windows. Apache Software Foundation Apache 1.3.26 ... Mandrake apache-modules-1.3.26-7.2.C21mdk.x86_64.rpm Mandrake Corporate Server 2.1/ ...
www.securityfocus.com/bid/10508/solution

Apache Chunked-Encoding Memory Corruption Vulnerability
Apache Software Foundation Apache for Windows 1.3.26 Apache Software Foundation Apache 2.0.39 Apache Software Foundation Apache 1.3.26 + Conectiva Linux 8.0 ...
www.securityfocus.com/bid/5033

Apache HTTP Server Arbitrary HTTP Request Headers Security Weakness
IBM HTTP Server 1.3.26 .2 IBM HTTP Server 1.3.26 .1 IBM HTTP Server 1.3.26 IBM HTTP Server 1.3.19 .5 ... Apache Software Foundation HTTP Server 2.0.57 ...
www.securityfocus.com/bid/19661

Apache Mod_Access_Referer NULL Pointer Dereference Denial of ...
Apache Software Foundation Apache 2.0 - Apache Software Foundation Apache 1.3.27 - Apache Software Foundation Apache 1.3.26 ...
www.securityfocus.com/bid/7375


With all of this information I started to come to several conclusions. First of all, my Vulnerability Search FU is wanting, and second, I should have just stuck with trusty Google in the first place. And once I really started thinking about it I realized that I could start refining my searches (Duh!!). I could add "buffer" for buffer overflows or "-denial" if I did not want to see anything with a denial of service. Of course, you have to be careful, because many vulnerabilities cause a denial of service as well as other things like privilege escalation, and a "-denial" filter would hide those too. So you will want to be careful with your Google FU.

I have also come to the realization that searching for vulnerabilities is no easy task. There are so many vulnerabilities in so many products by so many vendors that searching is time consuming and tedious. You definitely have to set aside some time for this type of research when you are developing your plan of attack. Not only are all versions of services and operating systems represented in a vulnerability database, but if you are investigating a large organization you are probably going to have several different versions of the same application. This equates to more time using your Vulnerability Search and Google FU.

Hopefully you avoid some of the pitfalls I ran into. As a Security Manager with Risk Assessment responsibilities (as well as an aspiring penetration tester) I should know these things better. Oh well, now I do.

If you have suggestions or techniques that you use to help speed up the vulnerability searching process, please post a comment.

Go forth and do good things,
Cutaway
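The two failure modes in the post come down to one thing: a "title search" looks for the literal string 1.3.26 in an advisory title, where it never appears, while the information you actually need lives in the affected-version statements ("1.3 up to and including 1.3.24", "prior to 1.3.29", or an explicit list of versions). The following is an added example, not code from the original post or from OSVDB, SecurityFocus or X-Force; the three records are constructed from the titles and version statements quoted above, and the record layout, the phrase grammar and the function names are assumptions of this example, not any database's real schema or API. It shows why the exact-string search returns nothing and how a version-aware comparison does the "is 1.3.26 inside that range?" check the post had to do by hand.

```python
"""Version-aware advisory lookup (added example; constructed records)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'1.3.26' -> (1, 3, 26). A suffix such as '-2tr' or '.windows' is dropped;
    only the leading dotted-numeric part is compared."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


@dataclass(frozen=True)
class VersionRange:
    low: Optional[Version] = None      # inclusive lower bound; None = unbounded
    high: Optional[Version] = None     # upper bound; None = unbounded
    high_inclusive: bool = True        # "up to and including X" vs "prior to X"

    def contains(self, v: Version) -> bool:
        # Tuple comparison gives (1, 3) < (1, 3, 26) < (1, 3, 29) < (2, 0), which
        # is exactly the branch ordering the advisories assume.
        if self.low is not None and v < self.low:
            return False
        if self.high is not None:
            return v <= self.high if self.high_inclusive else v < self.high
        return True


def parse_affected(phrase: str) -> VersionRange:
    """Turn the three phrasings seen in the post into a VersionRange
    (assumed grammar, covering only those three forms)."""
    s = phrase.strip().lower()
    m = re.fullmatch(r"(?:(\S+)\s+)?up to and including\s+(\S+)", s)
    if m:  # "1.3 up to and including 1.3.24"
        low = parse_version(m.group(1)) if m.group(1) else None
        return VersionRange(low, parse_version(m.group(2)), True)
    m = re.fullmatch(r"(?:versions\s+)?prior to\s+(\S+)", s)
    if m:  # "prior to 1.3.29": exclusive upper bound
        return VersionRange(None, parse_version(m.group(1)), False)
    v = parse_version(s)  # a bare version means exactly that version
    return VersionRange(v, v, True)


# Constructed from the entries quoted in the post (X-Force 9249 and 13400,
# OSVDB 862). Only the 1.3 and 2.0 branches of the chunked-encoding entry
# are encoded; this is illustrative data, not a copy of any database.
ADVISORIES: List[Dict[str, object]] = [
    {"title": "Apache HTTP Server chunked encoding heap buffer overflow",
     "affected": ["1.3 up to and including 1.3.24", "2.0 up to and including 2.0.36"]},
    {"title": "Apache HTTP server mod_alias and mod_rewrite buffer overflow",
     "affected": ["prior to 1.3.29"]},
    {"title": "Apache SSI Error Page XSS",
     "affected": ["1.3.26", "2.0.35", "2.0.36"]},
]


def title_search(query: str, advisories=ADVISORIES) -> List[str]:
    """What a 'Title Search' does: every query token must appear in the title.
    No title contains '1.3.26', so 'Apache 1.3.26' matches nothing."""
    tokens = query.lower().split()
    return [str(a["title"]) for a in advisories
            if all(t in str(a["title"]).lower() for t in tokens)]


def affected_search(version: str, advisories=ADVISORIES) -> List[str]:
    """Match on the affected-version statements instead of the title."""
    v = parse_version(version)
    return [str(a["title"]) for a in advisories
            if any(parse_affected(p).contains(v) for p in a["affected"])]


if __name__ == "__main__":
    print("title search for 'Apache 1.3.26':", title_search("Apache 1.3.26"))
    for title in affected_search("1.3.26"):
        print("affects 1.3.26:", title)
```

Run as a script it reports an empty title search, then the mod_alias/mod_rewrite overflow and the SSI XSS as affecting 1.3.26, while the chunked-encoding entry is correctly excluded because 1.3.26 lies above its 1.3.24 ceiling and below the 2.0 branch. The same comparison is what you need when an organization runs several versions of the same application: feed each version through affected_search rather than re-reading every advisory's version statement by eye.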