vulnerability analysis Archives - Tech Chronicles

Graudit: Source Code Auditing Tool

Majordomo — Mon, 29 Nov 2021 14:32:24 +0000

Graudit allows the user to find potential vulnerabilities within the source code of a software. It uses the GNU utility grep to compare the source code with signature sets within different databases. It is comparable to other analyzers such as RATS, SWAAT and flaw-finder while keeping the technical requirements to a minimum and retaining its flexibility.

Graudit: Source Code Auditing Tool

This tool involves different databases which are included within the tool which are compared with extended regular expressions (POSIX). The user has the option to add additional databases or create their own ones if needed. The databases support a huge range of languages from JavaScript to Python. Lastly, the user has the option to scan a single file or scan multiple files at the same time.

Note: The user has the option to install the tool locally or globally by acting as a superuser. It is however recommended by the developer to clone the repository to that all of the latest database are included within the software.

Databases

The default database contains generic rules which aim to sniff out common vulnerabilities within the source code. In addition to this, there are databases for:

– ASP.NET, C, .NET, JSP, Perl, PHP and Python.

The ‘all’ database combines all of the mentioned databases into a single database. The developer recommends first using the default database to find common vulnerabilities and then use language specific databases to find additional vulnerabilities.

Features:

Portable, Flexible and easy to use
Option to add custom databases
Ensure that source code does not have any vulnerabilities saving the user from future headaches
Supports many different languages ensuring that whichever language you use, you will be protected with this tool
When compared with other tools, this tool has lower technical requirments ensuring it can run on most systems

Supported Platforms:

Linux

Requirements:

None

Install

Clone the GitHub repo:

$ git clone https://github.com/wireghoul/graudi

You can then symlink graudit so it is in path:

$ ln -s ~/graudit/graudit ~/bin/graudit

Graudit Usage

Enter the following command:

$ graudit -h

Available Options:

===========================================================
                                      .___ __  __   
          _________________  __ __  __| _/|__|/  |_ 
         / ___\_` __ \__  \ |  |  \/ __ | | \\_  __\
        / /_/  >  | \// __ \|  |  / /_/ | |  ||  |  
        \___  /|__|  (____  /____/\____ | |__||__|  
       /_____/            \/           \/           
              grep rough audit - static analysis tool
                  v2.6 written by @Wireghoul
=================================[justanotherhacker.com]===
Usage: graudit [opts] /path/to/scan

OPTIONS 
  -d  database to use or /path/to/file.db (uses default if not specified) 
  -A scan ALL files 
  -x exclude these files (comma separated list: -x *.js,*.sql) 
  -i case in-sensitive scan 
  -c  number of lines of context to display, default is 2 

  -B suppress banner 
  -L vim friendly lines 
  -b colour blind friendly template 
  -z suppress colors 
  -Z high contrast colors 

  -l lists databases available 
  -v prints version number 
  -h prints this help screen

DOWNLOAD Graudit

The post Graudit: Source Code Auditing Tool appeared first on Tech Chronicles.

Grype – Vulnerability Scanner For Container Images & Filesystems

Majordomo — Sat, 08 May 2021 23:48:31 +0000

Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based operating systems.

Features of Grype Vulnerability Scanner For Container Images & Filesystems

Scan the contents of a container image or filesystem to find known vulnerabilities and find vulnerabilities for major operating system packages in:

Alpine
BusyBox
CentOS / Red Hat
Debian
Ubuntu

Find vulnerabilities for language-specific packages:

Ruby (Bundler)
Java (JARs, etc)
JavaScript (NPM/Yarn)
Python (Egg/Wheel)
Python pip/requirements.txt/setup.py listings

Grype Supports Docker and OCI image formats.

Using Grype Vulnerability Scanner For Container Images & Filesystems

To scan for vulnerabilities in an image:

grype

Grype can scan a variety of sources beyond those found in Docker.

# scan a container image archive (from the result of `docker image save ...`, `podman save ...`, or `skopeo copy` commands)

grype path/to/image.tar

# scan a directory

grype dir:path/to/dir

The output format for Grype is configurable as well:
grype <image> -o <format>

Where the formats available are:

json: Use this to get as much information out of Grype as possible!
cyclonedx: An XML report conforming to the CycloneDX 1.2 specification.
table: A columnar summary (default).

Getting started

Install the binary, and make sure that grype is available in your path. To scan for vulnerabilities in an image:

grype

The above command scans for vulnerabilities that are visible in the container (i.e., the squashed representation of the image). To include software from all image layers in the vulnerability scan, regardless of its presence in the final image, provide --scope all-layers:

grype  --scope all-layers

Grype can scan a variety of sources beyond those found in Docker.

# scan a container image archive (from the result of `docker image save ...`, `podman save ...`, or `skopeo copy` commands)
grype path/to/image.tar

# scan a directory
grype dir:path/to/dir

Grype’s Database

Grype pulls a database of vulnerabilities derived from the publicly available Anchore Feed Service. This database is updated at the beginning of each scan, but an update can also be triggered manually.

Shell Completion

Grype supplies shell completion through its CLI implementation (cobra). Generate the completion code for your shell by running one of the following commands:

grype completion
go run main.go completion

This will output a shell script to STDOUT, which can then be used as a completion script for Grype. Running one of the above commands with the -h or --help flags will provide instructions on how to do that for your chosen shell.

You can download Grype or read more here.

The post Grype – Vulnerability Scanner For Container Images & Filesystems appeared first on Tech Chronicles.

Vulmap : Web Vulnerability Scanning & Verification Tools

Majordomo — Sun, 31 Jan 2021 20:10:59 +0000

Vulmap is a vulnerability scanning tool that can scan for vulnerabilities in Web containers, Web servers, Web middleware, and CMS and other Web programs, and has vulnerability exploitation functions. Relevant testers can use vulmap to detect whether the target has a specific vulnerability, and can use the vulnerability exploitation function to verify whether the vulnerability actually exists.

It is currently has vulnerability scanning (poc) and exploiting (exp) modes. Use “-m” to select which mode to use, and the default poc mode is the default. In poc mode, it also supports “-f” batch target scanning, “-o” File output results and other main functions, Other functions Options Or python3 vulmap.py -h, the Poc function will no longer be provided in the exploit exploit mode, but the exploit will be carried out directly, and the exploit result will be fed back to further verify whether the vulnerability exists and whether it can be exploited.

Try to use “-a” to establish target types to reduce false positives, such as “-a solr”

Installation

The operating system must have python3, python3.7 or higher is recommended

Installation dependency

pip3 install -r requirements.txt

Linux & MacOS & Windows

python3 vulmap.py -u http://example.com

Options

optional arguments:
-h, –help show this help message and exit
-u URL, –url URL Target URL (e.g. -u “http://example.com”)
-f FILE, –file FILE Select a target list file, and the url must be distinguished by lines (e.g. -f “/home/user/list.txt”)
-m MODE, –mode MODE The mode supports “poc” and “exp”, you can omit this option, and enter poc mode by default
-a APP, –app APP Specify a web app or cms (e.g. -a “weblogic”). default scan all
-c CMD, –cmd CMD Custom RCE vuln command, Other than “netstat -an” and “id” can affect program judgment. defautl is “netstat -an”
-v VULN, –vuln VULN Exploit, Specify the vuln number (e.g. -v “CVE-2020-2729”)
–list Displays a list of vulnerabilities that support scanning
–debug Debug mode echo request and responses
–delay DELAY Delay check time, default 0s
–timeout TIMEOUT Scan timeout time, default 10s
–output FILE Text mode export (e.g. -o “result.txt”)

Examples

Test all vulnerabilities poc mode

python3 vulmap.py -u http://example.com

For RCE vuln, use the “id” command to test the vuln, because some linux does not have the “netstat -an” command

python3 vulmap.py -u http://example.com -c “id”

Check http://example.com for struts2 vuln

python3 vulmap.py -u http://example.com -a struts2

python3 vulmap.py -u http://example.com -m poc -a struts2

Exploit the CVE-2019-2729 vuln of WebLogic on http://example.com:7001

python3 vulmap.py -u http://example.com:7001 -v CVE-2019-2729

python3 vulmap.py -u http://example.com:7001 -m exp -v CVE-2019-2729

Batch scan URLs in list.txt

python3 vulmap.py -f list.txt

Export scan results to result.txt

python3 vulmap.py -u http://example.com:7001 -o result.txt

Vulnerability List

Vulmap supported vulnerabilities are as follows

+-------------------+------------------+-----+-----+-------------------------------------------------------------+
 | Target type       | Vuln Name        | Poc | Exp | Impact Version && Vulnerability description                 |
 +-------------------+------------------+-----+-----+-------------------------------------------------------------+
 | Apache Shiro      | CVE-2016-4437    |  Y  |  Y  | <= 1.2.4, shiro-550, rememberme deserialization rce         |
 | Apache Solr       | CVE-2017-12629   |  Y  |  Y  | < 7.1.0, runexecutablelistener rce & xxe, only rce is here  |
 | Apache Solr       | CVE-2019-0193    |  Y  |  N  | < 8.2.0, dataimporthandler module remote code execution     |
 | Apache Solr       | CVE-2019-17558   |  Y  |  Y  | 5.0.0 - 8.3.1, velocity response writer rce                 |
 | Apache Struts2    | S2-005           |  Y  |  Y  | 2.0.0 - 2.1.8.1, cve-2010-1870 parameters interceptor rce   |
 | Apache Struts2    | S2-008           |  Y  |  Y  | 2.0.0 - 2.3.17, debugging interceptor rce                   |
 | Apache Struts2    | S2-009           |  Y  |  Y  | 2.1.0 - 2.3.1.1, cve-2011-3923 ognl interpreter rce         |
 | Apache Struts2    | S2-013           |  Y  |  Y  | 2.0.0 - 2.3.14.1, cve-2013-1966 ognl interpreter rce        |
 | Apache Struts2    | S2-015           |  Y  |  Y  | 2.0.0 - 2.3.14.2, cve-2013-2134 ognl interpreter rce        |
 | Apache Struts2    | S2-016           |  Y  |  Y  | 2.0.0 - 2.3.15, cve-2013-2251 ognl interpreter rce          |
 | Apache Struts2    | S2-029           |  Y  |  Y  | 2.0.0 - 2.3.24.1, ognl interpreter rce                      |
 | Apache Struts2    | S2-032           |  Y  |  Y  | 2.3.20-28, cve-2016-3081 rce can be performed via method    |
 | Apache Struts2    | S2-045           |  Y  |  Y  | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce     |
 | Apache Struts2    | S2-046           |  Y  |  Y  | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce     |
 | Apache Struts2    | S2-048           |  Y  |  Y  | 2.3.x, cve-2017-9791 struts2-struts1-plugin rce             |
 | Apache Struts2    | S2-052           |  Y  |  Y  | 2.1.2 - 2.3.33, 2.5 - 2.5.12 cve-2017-9805 rest plugin rce  |
 | Apache Struts2    | S2-057           |  Y  |  Y  | 2.0.4 - 2.3.34, 2.5.0-2.5.16, cve-2018-11776 namespace rce  |
 | Apache Struts2    | S2-059           |  Y  |  Y  | 2.0.0 - 2.5.20 cve-2019-0230 ognl interpreter rce           |
 | Apache Struts2    | S2-devMode       |  Y  |  Y  | 2.1.0 - 2.5.1, devmode remote code execution                |
 | Apache Tomcat     | Examples File    |  Y  |  N  | all version, /examples/servlets/servlet/SessionExample      |
 | Apache Tomcat     | CVE-2017-12615   |  Y  |  Y  | 7.0.0 - 7.0.81, put method any files upload                 |
 | Apache Tomcat     | CVE-2020-1938    |  Y  |  Y  | 6, 7 < 7.0.100, 8 < 8.5.51, 9 < 9.0.31 arbitrary file read  |
 | Drupal            | CVE-2018-7600    |  Y  |  Y  | 6.x, 7.x, 8.x, drupalgeddon2 remote code execution          |
 | Drupal            | CVE-2018-7602    |  Y  |  Y  | < 7.59, < 8.5.3 (except 8.4.8) drupalgeddon2 rce            |
 | Drupal            | CVE-2019-6340    |  Y  |  Y  | < 8.6.10, drupal core restful remote code execution         |
 | Jenkins           | CVE-2017-1000353 |  Y  |  N  | <= 2.56, LTS <= 2.46.1, jenkins-ci remote code execution    |
 | Jenkins           | CVE-2018-1000861 |  Y  |  Y  | <= 2.153, LTS <= 2.138.3, remote code execution             |
 | Nexus OSS/Pro     | CVE-2019-7238    |  Y  |  Y  | 3.6.2 - 3.14.0, remote code execution vulnerability         |
 | Nexus OSS/Pro     | CVE-2020-10199   |  Y  |  Y  | 3.x  <= 3.21.1, remote code execution vulnerability         |
 | Oracle Weblogic   | CVE-2014-4210    |  Y  |  N  | 10.0.2 - 10.3.6, weblogic ssrf vulnerability                |
 | Oracle Weblogic   | CVE-2017-3506    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.0-2, weblogic wls-wsat rce       |
 | Oracle Weblogic   | CVE-2017-10271   |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.1-2, weblogic wls-wsat rce       |
 | Oracle Weblogic   | CVE-2018-2894    |  Y  |  Y  | 12.1.3.0, 12.2.1.2-3, deserialization any file upload       |
 | Oracle Weblogic   | CVE-2019-2725    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, weblogic wls9-async deserialization rce |
 | Oracle Weblogic   | CVE-2019-2729    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.3 wls9-async deserialization rce |
 | Oracle Weblogic   | CVE-2020-2551    |  Y  |  N  | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, wlscore deserialization rce |
 | Oracle Weblogic   | CVE-2020-2555    |  Y  |  Y  | 3.7.1.17, 12.1.3.0.0, 12.2.1.3-4.0, t3 deserialization rce  |
 | Oracle Weblogic   | CVE-2020-2883    |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, iiop t3 deserialization rce |
 | Oracle Weblogic   | CVE-2020-14882   |  Y  |  Y  | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, 14.1.1.0.0, console rce     |
 | RedHat JBoss      | CVE-2010-0738    |  Y  |  Y  | 4.2.0 - 4.3.0, jmx-console deserialization any files upload |
 | RedHat JBoss      | CVE-2010-1428    |  Y  |  Y  | 4.2.0 - 4.3.0, web-console deserialization any files upload |
 | RedHat JBoss      | CVE-2015-7501    |  Y  |  Y  | 5.x, 6.x, jmxinvokerservlet deserialization any file upload |
 | ThinkPHP          | CVE-2019-9082    |  Y  |  Y  | < 3.2.4, thinkphp rememberme deserialization rce            |
 | ThinkPHP          | CVE-2018-20062   |  Y  |  Y  | <= 5.0.23, 5.1.31, thinkphp rememberme deserialization rce  |
 +-------------------+------------------+-----+-----+-------------------------------------------------------------+

Docker

docker build -t vulmap/vulmap .
docker run –rm -ti vulmap/vulmap python vulmap.py -u https://www.example.com

Download

The post Vulmap : Web Vulnerability Scanning & Verification Tools appeared first on Tech Chronicles.

Vuls – Vulnerability Scanner

Majordomo — Sun, 01 Nov 2020 22:12:38 +0000

Vuls is an agentless vulnerability scanner for Linux and FreeBSD servers. It makes the job of every system administrator much easier by automatically scanning for vulnerabilities and then informing the system administrator which services and servers are affected.

Abstract

For a system administrator, having to perform security vulnerability analysis and software update on a daily basis can be a burden. To avoid downtime in a production environment, it is common for a system administrator to choose not to use the automatic update option provided by the package manager and to perform update manually. This leads to the following problems.

The system administrator will have to constantly watch out for any new vulnerabilities in NVD (National Vulnerability Database) or similar databases.
It might be impossible for the system administrator to monitor all the software if there are a large number of software packages installed in the server.
It is expensive to perform analysis to determine the servers affected by new vulnerabilities. The possibility of overlooking a server or two during analysis is there.

Vuls is a tool created to solve the problems listed above. It has the following characteristics.

Informs users of the vulnerabilities that are related to the system.
Informs users of the servers that are affected.
Vulnerability detection is done automatically to prevent any oversight.
A report is generated on a regular basis using CRON or other methods. to manage vulnerability.

Vuls Scanner

Vuls automatically scans through many different vulnerability databases including NVD, JVN and OVAL. This makes it easier for system administrators who must overlook servers which are running numerous software’s. After scanning the database, Vuls will generate a report which can be accessed through the GUI or a TUI. Vuls will give details about each vulnerability such as its severity level, description and released fixes. Vuls can also search for Non-OS packages and WordPress core, themes and plugins.

Features:

Scan for all vulnerabilities in Linux and FreeBSD servers
Vuls ensures a high-quality scan by scanning through multiple vulnerability servers
Multiple scan modes are available depending on the resource availability of the server. These range from fast mode to deep mode (Fast Scan, Fast Root Scan, Remote and Local Scan, Server Mode)
Dynamic and Static Analysis
Scan vulnerability of Non-OS packages such as libraries of programming languages and network devices
Scan through WordPress core, themes, plugins

Supported Platforms:

Alpine, Ubuntu, Debian, RHEL, Oracle Linux, CentOS, Amazon Linux, FreeBSD, SUSE Enterprise, Raspbian

Requirements:

Docker
SQLite3, MySQL, PostgreSQL, Redis
git
gcc
GNU Make
go v1.13+ (The latest version is recommended)

Install

Install Docker:

$ sudo systemctl start docker

Clone Vulsctl and fetch vulnerability databases:

$ git clone https://github.com/vulsio/vulsctl.git 
$ cd vulsctl
$ ./update-all.sh

Prepare config.toml in the same directory:

$ cat $HOME/vulsctl/config.toml
 [servers]
 [servers.hostos]
 host = "52.10.10.10"
 port = "22"
 user = "centos"
 keypath in the Vuls docker container
 keyPath     = "/root/.ssh/id_rsa"

SSH before scanning to add fingerprint to $HOME/.ssh/known_hosts on the Docker host:

$ ssh centos@52.100.100.100 -i ~/.ssh/id_rsa.pem
$ ./scan.sh 
$ ./report.sh 
$ ./tui.sh

Install With Docker

Run the following commands:

$ docker pull vuls/go-cve-dictionary
$ docker run --rm vuls/go-cve-dictionary –v
$ docker pull vuls/goval-dictionary
$ docker run --rm vuls/goval-dictionary –v
$ docker pull vuls/gost
$ docker run --rm vuls/gost -v
$ docker pull vuls/vuls
$ docker run --rm vuls/vuls -v

How to use Vuls

Local Scanning Mode

Once you deployed Vuls, go ahead and create a config file:

$ cd $HOME 
$ cat config.toml 

[servers] [servers.localhost] 
host = "localhost" 
port = "local"

Run the following command to start scan:

$ vuls scan

Reporting

To view one line summary:

$ vuls report -format-one-line-text

To view short summary:

$ vuls report -format-list

Full report:

$ vuls report -format-full-text | less

To run Terminal Based User Interface:

$ vuls tui

Scan via Docker

Prepare log directory:

$ cd /path/to/working/dir
$ mkdir go-cve-dictionary-log goval-dictionary-log gost-log go-exploitdb-log

Fetch various Vulnerability Directories:

$ for i in seq 2004 $(date +"%Y"); do \ docker run --rm -it \ -v $PWD:/vuls \ -v $PWD/go-cve-dictionary-log:/var/log/vuls \ vuls/go-cve-dictionary fetchnvd -years $i; \ done $ docker run --rm -i \ -v $PWD:/vuls \ -v $PWD/gost-log:/var/log/gost \ vuls/gost fetch redhat $ docker run --rm -i \ -v $PWD:/vuls \ -v $PWD/gost-log:/var/log/gost \ vuls/gost fetch redhat $ docker run --rm -i \ -v $PWD:/vuls \ -v $PWD/go-exploitdb-log:/var/log/go-exploitdb \ vuls/go-exploitdb fetch exploitdb

Create config.toml using this as a sample.

Configtest:

$ docker run --rm -it\
     -v ~/.ssh:/root/.ssh:ro \
     -v $PWD:/vuls \
     -v $PWD/vuls-log:/var/log/vuls \
     vuls/vuls configtest \
     -config=./config.toml # path to config.toml in docker

Scan:

$ docker run --rm -it \
     -v ~/.ssh:/root/.ssh:ro \
     -v $PWD:/vuls \
     -v $PWD/vuls-log:/var/log/vuls \
     -v /etc/localtime:/etc/localtime:ro \
     -e "TZ=Asia/Tokyo" \
     vuls/vuls scan \
     -config=./config.toml # path to config.toml in docker

If Docker host is Debian or Ubuntu:

$ docker run --rm -it \
     -v ~/.ssh:/root/.ssh:ro \
     -v $PWD:/vuls \
     -v $PWD/vuls-log:/var/log/vuls \
     -v /etc/localtime:/etc/localtime:ro \
     -v /etc/timezone:/etc/timezone:ro \
     vuls/vuls scan \
     -config=./config.toml # path to config.toml in docker

Download Vuls

The post Vuls – Vulnerability Scanner appeared first on Tech Chronicles.