Re-Introducing the Vulnerability Search

Wednesday, October 23, 2013 Posted by Corey Harrell 0 comments
In the past I briefly mentioned the Vulnerability Search but I never did a proper introduction. Well, consider this post its formal introduction. The Vulnerability Search is a custom Google search that indexes select websites related to software vulnerabilities. Unlike the Digital Forensic Search, where I’m trying to include as many DFIR sites as possible, the Vulnerability Search takes the opposite approach. The search only indexes a select few websites: websites with information about exploits or vulnerabilities. I have found the Vulnerability Search to be useful, so I wanted to share how I use it for incident response and information security activities.

Incident Response Triaging

The Vulnerability Search excels at triaging potential incidents involving web applications, websites, or backend databases. Let’s say you receive an alert indicating one of your web applications is being banged on by some threat. The alert can come from anything: an IDS, a SIEM, or a server administrator. When this type of alert comes in, one question that needs to be answered is: did the attack successfully compromise the server? If the server is compromised then the alert can be elevated into a security incident. However, if the ongoing attacks have no chance of compromising the server then there’s no need for elevation and the resources it requires. This is where the Vulnerability Search comes into play.

The web logs will contain the URLs being used in the attack. If these URLs are not completely obfuscated then they can be used to identify the vulnerability the threats are targeting. For example, let’s say the logs are showing the URL below multiple times in the timeframe of interest:

hxxp://journeyintoir.blogspot.com/index.php?option=com_bigfileuploader&act=uploading

It might not be obvious what the URL’s purpose is or what it’s trying to accomplish. A search using part of the URL can provide clarity about what is happening. Searching on the string “index.php?option=com_bigfileuploader” in the Vulnerability Search shows the vulnerability being targeted is the Joomla Component com_bigfileuploader Arbitrary File Upload Vulnerability. Now if the website in question isn’t a Joomla server then the attack won’t be successful and there is no need to elevate the alert.

Incident Response Log Analysis

The Vulnerability Search also excels at investigating incidents involving web applications, websites, or backend databases. Let’s say someone discovered a web server compromise since it was serving up malicious links. The post mortem analysis identified a few suspicious files on the server. The web activity in an access log around the time the files were created on the server showed the following:

"POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 200 203 "-"

A search on the above string reveals it’s an exploit for the Plesk Apache Zeroday Remote Exploit. If the server in question is running Plesk then you might have just found the initial point of compromise.
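Both the triage and the log analysis scenarios above start the same way: pull the request target out of the access log, percent-decode it so the attack is readable, and pick the substring to paste into the Vulnerability Search. The following script, an added example and not part of the original post, does that for the two request lines quoted above embedded in constructed Apache combined-format log lines (the client IPs, timestamps, sizes and user agents are made up).

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample lines in Apache combined format. The two request targets are the
# ones quoted in the post; client IPs, timestamps, sizes and user agents are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Oct/2013:10:14:22 +0000] "GET /index.php?option=com_bigfileuploader&act=uploading HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [23/Oct/2013:10:15:01 +0000] "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 200 203 "-" "-"',
    '203.0.113.5 - - [23/Oct/2013:10:16:40 +0000] "GET /images/logo.png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_target(target):
    """Percent-decode a request target: unquote for the path (a literal '+' stays),
    unquote_plus for the query, where '+' is an encoded space."""
    path, sep, query = target.partition("?")
    return unquote(path) + sep + unquote_plus(query)

def search_keys(decoded):
    """Strings worth pasting into the Vulnerability Search for one decoded request:
    script plus component for CMS-style URLs, script plus interpreter directives for
    argument-injection style URLs. Ordinary requests yield an empty list."""
    path, _, query = decoded.partition("?")
    script = path.rsplit("/", 1)[-1]
    keys = []
    m = re.search(r"option=(com_\w+)", query)  # Joomla-style component selection
    if m:
        keys.append(f"{script}?option={m.group(1)}")
    directives = re.findall(r"-d\s+([\w.]+=\S*)", query)  # '-d name=value' in the query
    if directives:
        keys.append(script + " " + " ".join(f"-d {d}" for d in directives))
    return keys

def triage(lines):
    """Return (decoded target, keys) for each request line that yields a search key."""
    results = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            decoded = decode_target(m.group("target"))
            keys = search_keys(decoded)
            if keys:
                results.append((decoded, keys))
    return results

if __name__ == "__main__":
    for decoded, keys in triage(SAMPLE_LOG):
        print(decoded, "->", keys)
```

The decoded form of the second request makes it plain that the query string is a set of interpreter directives aimed at the script at /phppath/php, which is far easier to match against a search result than the raw percent-encoded line.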

Vulnerability Management or Penetration Testing

The Vulnerability Search is not only useful for DFIR type work but it’s also useful for vulnerability management and penetration testing type work. Let’s say you get a report from a vulnerability scanner and it has a critical vulnerability listed. You can search on the CVE to get clarity about what the vulnerability is, what the vulnerability allows for if exploited, and what exploits are available. All of this information can help determine the true criticality of the vulnerability and the timeframe for the vulnerability to be patched.

Now on the other hand let’s say you are doing a pen test and you identify a vulnerability with your tools. You can search on the CVE to get clarity about what the vulnerability is, what the vulnerability allows for if exploited, and what exploits are available. This type of information can be helpful with exploiting the vulnerability in order to elevate your privileges or access sensitive data.

The purpose of this post was to illustrate what the Vulnerability Search is and how I use it. The examples I used might have been for demonstration purposes but they simulate scenarios I’ve encountered where the search came in handy.

Linkz 4 Free Infosec and IT Training

Sunday, October 6, 2013 Posted by Corey Harrell 3 comments
In this day and age budgets are shrinking, training funds are dwindling, and the threats we face continue to increase each day. It's not feasible to solely rely on training vendors to get your team up to speed. Not only does it not make sense economically but for your teams to increase and maintain their skills they need to be constantly challenged. In this edition of linkz I'm linking to free training resources one can use to increase their own or their team's skills.

This post may be one you want to bookmark since I'm going to keep it up to date with any additional free online training resources I come across.

ENISA CERT Exercises and training material

The ENISA CERT has some exercises and training material for computer security incident response teams (CSIRTs). The material covers a range of topics such as: triage & basic incident handling, vulnerability handling, large scale incident handling, proactive incident detection, and incident handling in live role playing. This material will be of use to those wanting to do in-house training for people who are responsible or involved with responding to and/or handling security incidents.

Open Security Training

Open Security Training.info has posted some outstanding information security training. To demonstrate the depth of what is available I'll only touch on the beginner courses. These include: Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration, Introduction to Network Forensics, Introduction to Vulnerability Assessment, Offensive, Defensive, and Forensic Techniques for Determining Web User Identity, and Malware Dynamic Analysis. If anyone is looking to take free security training then Open Security Training should be your first stop.

SecurityXploded Malware Analysis Training

The SecurityXploded website also offers free malware analysis training. The current offerings are Reverse Engineering & Malware Analysis Training and Advanced Malware Analysis Training. For anyone wanting to explore malware analysis, one of these courses may be helpful.

DHS/FEMA Online Security Training

The next resource provides various security courses by the DHS/FEMA Certified Online Training over at the TEEX Domestic Preparedness Campus. The courses offered on this site aren't as technical as the other resources I'm linking to. However, the content shouldn't be overlooked, with topics such as: Cyber Incident Analysis and Response, Information Security Basics, Information Risk Management, and Secure Software. These courses are not only useful for people who are on a security team, but I can see them being beneficial for anyone wanting to know more about security.

College Courses on Coursera

"Coursera is an education company that partners with the top universities and organizations in the world to offer courses online for anyone to take, for free." The courses available are on a range of subjects; just like the offerings at your local universities. As it relates to InfoSec and IT, there are courses in Computer Science, Information Technology, and security related topics.

Microsoft Virtual Academy

The next resource will definitely be useful for anyone wanting to learn more about Microsoft's technology. The "Microsoft Virtual Academy (MVA) offers online Microsoft training delivered by experts to help technologists continually learn, with hundreds of courses, in 11 different languages." The available courses are on a range of technologies including: Windows, Windows Server, Server Infrastructure, and Virtualization. One of the more interesting courses - as it relates to incident response - is the Utilizing SysInternals Tools for IT Pros course.

PentesterLab

The next resource is on the offensive side of the security house. "PentesterLab is an easy and great way to learn penetration testing." "PentesterLab provides vulnerable systems that can be used to test and understand vulnerabilities." The available exercises include but are not limited to: Web Pentester, Web Pentester II, From SQL Injection to Shell, and Introduction to Linux Host Review.

Metasploit Unleashed

Continuing on with the offensive side of the security house is Metasploit Unleashed. Anyone looking to learn more about Metasploit should start out with this course for a solid foundation in the framework.