From a54745112f03f570d73872b8fa2578e9e25d90be Mon Sep 17 00:00:00 2001
From: sean-yeoh
Date: Mon, 26 Sep 2022 16:00:33 +0800
Subject: [PATCH 1/2] Add suppor for Saint v9 output

---
 CHANGELOG.md | 3 +
 lib/dradis/plugins/saint/importer.rb | 5 +
 spec/dradis/plugins/saint/importer_spec.rb | 33 +-
 ...xml => saint_metasploitable_v8_sample.xml} | 0
 .../files/saint_metasploitable_v9_sample.xml | 298 ++++++++++++++++++
 5 files changed, 334 insertions(+), 5 deletions(-)
 rename spec/fixtures/files/{saint_metasploitable_sample.xml => saint_metasploitable_v8_sample.xml} (100%)
 create mode 100644 spec/fixtures/files/saint_metasploitable_v9_sample.xml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c8a56f8..1428643 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,6 @@
+[v#.#.#] ([month] [YYYY])
+ - Add support for Saint v9 output
+
 v4.5.0 (August 2022)
 - No changes
 
diff --git a/lib/dradis/plugins/saint/importer.rb b/lib/dradis/plugins/saint/importer.rb
index 3675647..68b14ce 100644
--- a/lib/dradis/plugins/saint/importer.rb
+++ b/lib/dradis/plugins/saint/importer.rb
@@ -33,6 +33,11 @@ def import(params={})
 process_vuln_issue(vuln)
 end
 
+ # Process Saint v9 tags
+ xml_report.xpath('./details/host_info/vulnerability').each do |vuln|
+ process_vuln_issue(vuln)
+ end
+
 # Process tag
 xml_report.xpath('./overview/vulnerabilities/host_info').each do |xml_host_info|
 host_name = xml_host_info.xpath('./hostname').first.text
diff --git a/spec/dradis/plugins/saint/importer_spec.rb b/spec/dradis/plugins/saint/importer_spec.rb
index de7e914..abbcc26 100644
--- a/spec/dradis/plugins/saint/importer_spec.rb
+++ b/spec/dradis/plugins/saint/importer_spec.rb
@@ -17,17 +17,40 @@
 @importer = described_class.new(
 content_service: @content_service
 )
- end
 
- it "creates the appropriate Dradis items" do
- allow(@content_service).to receive(:create_issue) do |args|
+ allow(@content_service).to receive(:create_note) do |args|
 OpenStruct.new(args)
 end
- allow(@content_service).to receive(:create_note) do |args|
+
+ allow(@content_service).to receive(:create_evidence) do |args|
+ OpenStruct.new(args)
+ end
+
+ allow(@content_service).to receive(:create_issue) do |args|
 OpenStruct.new(args)
 end
+
+ allow(@content_service).to receive(:create_node) do |args|
+ obj = OpenStruct.new(args)
+ obj.define_singleton_method(:set_property) { |*| }
+ obj
+ end
+ end
+
+ it 'creates the appropriate Dradis items for Saint v8 output' do
+ expect(@content_service).to receive(:create_issue).exactly(8).times
+ expect(@content_service).to receive(:create_node).with(hash_including label: '192.168.150.163').once
+
+ @importer.import(file: 'spec/fixtures/files/saint_metasploitable_v8_sample.xml')
+ end
+
+ it 'creates the appropriate Dradis items for Saint v9 output' do
+ expect(@content_service).to receive(:create_issue) do |args|
+ expect(args[:text]).to include('server is susceptible to BEAST attack')
+ end.once
+ expect(@content_service).to receive(:create_node).with(hash_including label: '192.168.150.163').once
 
- @importer.import(file: 'spec/fixtures/files/saint_metasploitable_sample.xml')
+ @importer.import(file: 'spec/fixtures/files/saint_metasploitable_v9_sample.xml')
 end
 end
 
diff --git a/spec/fixtures/files/saint_metasploitable_sample.xml b/spec/fixtures/files/saint_metasploitable_v8_sample.xml
similarity index 100%
rename from spec/fixtures/files/saint_metasploitable_sample.xml
rename to spec/fixtures/files/saint_metasploitable_v8_sample.xml
diff --git a/spec/fixtures/files/saint_metasploitable_v9_sample.xml b/spec/fixtures/files/saint_metasploitable_v9_sample.xml
new file mode 100644
index 0000000..6b5e364
--- /dev/null
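Review bot: In the v9 example, `expect(@content_service).to receive(:create_issue) do |args| … end.once` makes the block the message implementation, so `create_issue` returns the value of the inner `expect` rather than the `OpenStruct` the `before` stub returns; if the importer uses the returned issue (for example to attach evidence to it), this example runs a path production does not. An argument matcher keeps the stub's implementation and still pins the text: `expect(@content_service).to receive(:create_issue).with(hash_including(text: a_string_including('server is susceptible to BEAST attack'))).once`. The v8 example's `exactly(8).times` has no block and therefore falls back to the stubbed implementation, so it is unaffected. Neither example asserts anything about `create_evidence` or `create_note`, which are stubbed but never expected; if the v9 layout is meant to yield evidence, an expectation on `create_evidence` would catch a regression there. The `before` block whose stubs are extended here starts outside the hunk.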
+++ b/spec/fixtures/files/saint_metasploitable_v9_sample.xml 
@@ -0,0 +1,298 @@ + + + + Metasploitable + Wed Mar 22 13:28:09 2017 + Wed Mar 22 13:22:35 2017 + heavy vulnerability + 8.14.25 + + + + 2 + 0 + 8 + 5 + + + 1 + 0 + 0 + 0 + 0 + + + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 8 + + + + 1 + server is susceptible to BEAST attack + 3 + + + 2 + SSL/TLS server supports short block sizes (SWEET32 attack) + 3 + + + 3 + SSL/TLS server supports RC4 ciphers + 2 + + + + + 1 + urd (465/TCP) + 1 + + + 2 + 587/TCP + 1 + + + 3 + SMTP + 1 + + + 4 + WWW + 1 + + + 5 + WWW (Secure) + 1 + + + + + + + 192.168.150.163 + 192.168.150.163 + Linux 2.6.18 - 2.6.22 + 2 + 0 + 8 + + + + + server is susceptible to BEAST attack + 3 + + + SSL/TLS server supports short block sizes (SWEET32 attack) + 3 + + + SSL/TLS server supports RC4 ciphers + 2 + + + + + 192.168.150.163 + + 587/tcp + potential + server is susceptible to BEAST attack + Other + CVE-2011-3389 + 4.3 + + + 443/tcp + potential + server is susceptible to BEAST attack + Other + CVE-2011-3389 + 4.3 + + + 25/tcp + potential + server is susceptible to BEAST attack + Other + CVE-2011-3389 + 4.3 + + + 25/tcp + potential + SSL/TLS server supports RC4 ciphers + Other + CVE-2013-2566 CVE-2015-2808 + 4.3 + + + 587/tcp + potential + SSL/TLS server supports RC4 ciphers + Other + CVE-2013-2566 CVE-2015-2808 + 4.3 + + + 25/tcp + potential + SSL/TLS server supports short block sizes (SWEET32 attack) + Other + CVE-2016-2183 + 5.0 + + + 443/tcp + potential + SSL/TLS server supports short block sizes (SWEET32 attack) + Other + CVE-2016-2183 + 5.0 + + + 587/tcp + potential + SSL/TLS server supports short block sizes (SWEET32 attack) + Other + CVE-2016-2183 + 5.0 + + + 587/tcp + service + 587/TCP + + + 25/tcp + service + SMTP + + + 80/tcp + service + WWW + + + 443/tcp + service + WWW (Secure) + + + 465/tcp + service + urd (465/TCP) + + + 80/tcp + info + Web Directory: / + + + 443/tcp + info + Web Directory: / + + + 80/tcp + info + Web Directory: /cgi-bin/ + + + 80/tcp + info + Web Directory: /scripts/ + + + + 
+
+ + 10.0.0.9 + 10.0.0.9 + Nov 06 13:52:12 2021 + + server is susceptible to BEAST attack + 192.168.150.163 + 192.168.150.163 + Linux 2.6.18 - 2.6.22 + Mar 22 13:22:35 2017 + new + Potential Problem + CVE-2011-3389 + 4.3 + + A remote attacker with the ability to sniff network traffic could decrypt an + encrypted session. + + + Cipher Block Chaining (CBC) is an encryption mode of operation where the decryption of each block of encrypted text depends on all of the preceding blocks. CBC requires an Initialization Vector, a block of bits which starts the encryption and ensures that the encrypted text is unique. The SSLv3 and TLS 1.0 protocols may encrypt data using Cipher Block Chaining + ciphers that use chained initialization vectors. + + + SSL/TLS CBC Initialization Vector Prediction + 10/28/11 + CVE 2011-3389 + The Browser Exploit against SSL/TLS (BEAST) may allow an attacker to perform + a man-in-the-middle attack to obtain plain-text HTTP headers by conducting a + blockwise chosen-boundary attack (BCBA) against an HTTPS session. + This attack is an extension of two previously + disclosed attacks against SSL. The first of these attacks was detailed by + Gregory Bard in May 2004 (The + Vulnerability of SSL to Chosen Plaintext Attack). This research showed + that cipher block chaining mode used by SSL is vulnerable to decryption in + cases where the attacker can control part of the plaintext. This attack proved + to be difficult to implement against HTTPS sessions due to the attackers' + inability to control the contents. This attack method was extended to support + TLS 1.0 and improved in April 2006 (A + Challenging but Feasible Blockwise-Adaptive Chosen-Plaintext Attack on + SSL). + In September 2011, Juliano Rizzo and Thai Duong presented a modern iteration + of this attack that utilized Java or HTML5 WebSockets as an entry-point for + attackers. 
Using this method, attackers could host a malicious website that, + when visited by victims, uses Java or WebSockets to establish a connection to + any secured 3rd party website of their choice. If the user has an active + session to the targeted 3rd party site, any cookies he or she has saved will also + be sent. Since the attacker is initiating this request, he can control the + length of the requested resource, allowing him to position the cookie on a + block boundary. The attacker also knows part of the cleartext. If this can be + done in a man-in-the-middle scenario, the attacker will be able to intercept + this encrypted request and decrypt it off-line to obtain the cookie. If the + cookie contains an authentication token, this may result in account theft. + TLS 1.1 and later have been improved to use an explicit initialization vector + strategy, rendering them immune to this type of attack. + + + Most browser vendors have released updates which prevent this attack, but some affected browsers still remain at this time, so it is still advisable also to fix the problem on the server side. SSLv3 and TLS 1.0 should be disabled on the server as follows: + Apache: Set the following directive in the Apache configuration file. (The -TLSv1 argument requires Apache 2.2.24 or higher or an update from your Linux vendor.) + SSLProtocol all -SSLv2 -SSLv3 -TLSv1 + IIS: See [http://support.microsoft.com/kb/245030] KB245030 and [https://support.microsoft.com/en-us/kb/187498] KB187498. + Note that disabling SSLv3 and TLS 1.0 entirely on the server may affect the usability of the web site, as some web browsers may not yet support TLS 1.1. + + + Thai Duong wrote a detailed [http://vnhacker.blogspot.com/2011/09/beast.html] blog post about this attack, including a video demonstration. + Adam Langley wrote a helpful [http://www.imperialviolet.org/2011/09/23/chromeandbeast.html] blog post that helps highlight concerns for both browser vendors and website hosts. 
+ Rob VanderBrink of SANS Internet Storm Center [http://isc.sans.edu/diary.html?storyid=11629] posted a blog update detailing TLS 1.1/1.2 support in many common browsers as of September, 2011. + Eric Rescorla wrote a [http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html] detailed blog post explaining how the attack works in detail and analyzing the security impact of this vulnerability. + + + Service: 587:TCP + Server accepted TLS 1.0 CBC cipher: TLS_RSA_WITH_3DES_EDE_CBC_SHA + + +
+
From d8a0ad4b558019e36d3caa643227bceae1b8bbff Mon Sep 17 00:00:00 2001
From: sean-yeoh
Date: Mon, 26 Sep 2022 16:16:28 +0800
Subject: [PATCH 2/2] Use xpath OR

---
 lib/dradis/plugins/saint/importer.rb | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/lib/dradis/plugins/saint/importer.rb b/lib/dradis/plugins/saint/importer.rb
index 68b14ce..93c7ac9 100644
--- a/lib/dradis/plugins/saint/importer.rb
+++ b/lib/dradis/plugins/saint/importer.rb
@@ -29,12 +29,7 @@ def import(params={})
 end
 
 # Process tags
- xml_report.xpath('./details/vulnerability').each do |vuln|
- process_vuln_issue(vuln)
- end
-
- # Process Saint v9 tags
- xml_report.xpath('./details/host_info/vulnerability').each do |vuln|
+ xml_report.xpath('./details/vulnerability|./details/host_info/vulnerability').each do |vuln|
 process_vuln_issue(vuln)
 end
 
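Review bot: The `# Process tags` comment kept above the merged loop no longer says which report layout each XPath branch serves, and the `# Process Saint v9 tags` comment that carried that information is removed; suggest `# Process <vulnerability> tags: Saint v8 lists them under details/, v9 nests them under details/host_info/`. The union visits both node sets in document order and passes each through `process_vuln_issue`, so v8 reports see the same sequence as before. Whether `process_vuln_issue` reads anything relative to the element's parent (sibling lookups that would resolve differently under `host_info`) cannot be seen in this hunk and is worth confirming against the v9 fixture. The enclosing `import(params={})` starts and ends outside the hunk.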