Re-Introducing the Vulnerability Search
Wednesday, October 23, 2013
In the past I briefly mentioned the Vulnerability
Search but I never did a proper introduction. Well, consider this post its
formal introduction. The Vulnerability Search is a custom Google that indexes
select websites related to software vulnerabilities. Unlike the Digital
Forensic Search where I’m trying to include as many DFIR sites as possible the
Vulnerability Search takes the opposite approach. The search is only indexing a
select few websites; websites with information about exploits or
vulnerabilities. I have found the Vulnerability Search to be useful so I wanted
to share how I use it for incident response and information security
activities.
The Vulnerability Search excels at triaging potential incidents involving web applications, websites, or backend databases. Let’s say you receive an alert indicating one of your web applications is being banged on by some threat. The alert can be detected by anything; IDS, SIEM, or a server administrator. When this type of alert comes in one question that needs to be answered is: did the attack successfully compromise the server. If the server is compromised then the alert can be elevated into a security incident. However, if the ongoing attacks have no chance of compromising the server then there’s no need for elevation and the resources it requires. This is where the Vulnerability Search comes into play.
The web logs will contain the URLs being used in the attack. If these URLs are not completely obfuscated then they can be used to identify the vulnerability the threats are targeting. For example, let’s say the logs are showing the URL below multiple times in the timeframe of interest:
hxxp://journeyintoir.blogspot.com/index.php?option=com_bigfileuploader&act=uploading
It might not be obvious what the URL’s purpose is or what it’s trying to accomplish. A search using part of the URL can provide clarity about what is happening. Searching on the string “index.php?option=com_bigfileuploader” in the Vulnerability Search shows the vulnerability being targeted is the Joomla Component com_bigfileuploader Arbitary File Upload Vulnerability. Now if the website in question isn’t a Joomla server then the attack won’t be successfully and there is no need to elevate the alert.
The Vulnerability Search also excels at investigating incidents involving web applications, websites, or backend databases. Let’s say someone discovered a web server compromise since it was serving up malicious links. The post mortem analysis identified a few suspicious files on the server. The web activity in an access log around the time the files were created on the server showed the following:
"POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%
6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%
6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%
2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%
74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%
5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%
70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%
2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%
6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E
HTTP/1.1" 200 203 "-"
A search on the above string reveals it’s an exploit for the Plesk Apache Zeroday Remote Exploit. If the server in question is running Plesk then you might have just found the initial point of compromise.
The Vulnerability Search is not only useful for DFIR type work but it’s also useful for vulnerability management and penetration testing type work. Let’s say you get a report from a vulnerability scanner and it has a critical vulnerability listed. You can use search on the CVE to get clarity about what the vulnerability is, what the vulnerability allows for if exploited, and what exploits are available. All of this information can help determine the true criticality of the vulnerability and the timeframe for the vulnerability to be patched.
Now on the other hand let’s say you are doing a pen test and you identify a vulnerability with your tools. You can search on the CVE to get clarity about what the vulnerability is, what the vulnerability allows for if exploited, and what exploits are available. This type of information can be helpful with exploiting the vulnerability in order to elevate your privileges or access sensitive data.
The purpose of this post was to illustrate what the Vulnerability Search is and how I use it. The examples I used might have been for demonstration purposes but they simulate scenarios I’ve encountered where the search came in handy.
Incident Response Triaging
The Vulnerability Search excels at triaging potential incidents involving web applications, websites, or backend databases. Let’s say you receive an alert indicating one of your web applications is being banged on by some threat. The alert can be detected by anything; IDS, SIEM, or a server administrator. When this type of alert comes in one question that needs to be answered is: did the attack successfully compromise the server. If the server is compromised then the alert can be elevated into a security incident. However, if the ongoing attacks have no chance of compromising the server then there’s no need for elevation and the resources it requires. This is where the Vulnerability Search comes into play.
The web logs will contain the URLs being used in the attack. If these URLs are not completely obfuscated then they can be used to identify the vulnerability the threats are targeting. For example, let’s say the logs are showing the URL below multiple times in the timeframe of interest:
hxxp://journeyintoir.blogspot.com/index.php?option=com_bigfileuploader&act=uploading
It might not be obvious what the URL’s purpose is or what it’s trying to accomplish. A search using part of the URL can provide clarity about what is happening. Searching on the string “index.php?option=com_bigfileuploader” in the Vulnerability Search shows the vulnerability being targeted is the Joomla Component com_bigfileuploader Arbitary File Upload Vulnerability. Now if the website in question isn’t a Joomla server then the attack won’t be successfully and there is no need to elevate the alert.
Incident Response Log Analysis
The Vulnerability Search also excels at investigating incidents involving web applications, websites, or backend databases. Let’s say someone discovered a web server compromise since it was serving up malicious links. The post mortem analysis identified a few suspicious files on the server. The web activity in an access log around the time the files were created on the server showed the following:
"POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%
6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%
6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%
2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%
74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%
5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%
70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%
2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%
6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E
HTTP/1.1" 200 203 "-"
A search on the above string reveals it’s an exploit for the Plesk Apache Zeroday Remote Exploit. If the server in question is running Plesk then you might have just found the initial point of compromise.
Vulnerability Management or Penetration Testing
The Vulnerability Search is not only useful for DFIR type work but it’s also useful for vulnerability management and penetration testing type work. Let’s say you get a report from a vulnerability scanner and it has a critical vulnerability listed. You can use search on the CVE to get clarity about what the vulnerability is, what the vulnerability allows for if exploited, and what exploits are available. All of this information can help determine the true criticality of the vulnerability and the timeframe for the vulnerability to be patched.
Now on the other hand let’s say you are doing a pen test and you identify a vulnerability with your tools. You can search on the CVE to get clarity about what the vulnerability is, what the vulnerability allows for if exploited, and what exploits are available. This type of information can be helpful with exploiting the vulnerability in order to elevate your privileges or access sensitive data.
The purpose of this post was to illustrate what the Vulnerability Search is and how I use it. The examples I used might have been for demonstration purposes but they simulate scenarios I’ve encountered where the search came in handy.