Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Vuls Major Update - user friendly and new feature custom advisory @ Black Hat MEA 2022

MaineK00n
November 16, 2022
15

Vuls Major Update - user friendly and new feature custom advisory @ Black Hat MEA 2022

MaineK00n

November 16, 2022
Tweet

Transcript

  1. Vuls Major Update - user friendly and new feature custom

    advisory MaineK00n, KotaKanbe @ Black Hat MEA 2022 Arsenal
  2. Vuls OSS vulnerability scanner for Linux/FreeBSD published by @kotakanbe in

    2016 Collected 9,500+ Stars on GitHub Currently, the following features have been added • Vulnerability detection of network routers using CPE • Show whether there is publicly available Exploit information on the detected vulnerabilities https://github.com/future-architect/vuls
  3. 1. Nightly Vuls install Installation is very easy and can

    be done with go install. Special distribution on Google Drive Linux: https://onl.bz/6it3MAD Windows: https://onl.bz/5KMVf9U
  4. 2. DB Fetch Prepare the DB needed for detection. With

    Vuls, you can simply run `vuls db fetch` and use the latest DB we have prepared.
  5. 3. Configuration for Scan Target Create a config for the

    scan target. `vuls config init` creates a config template. Modify the template to suit your environment.
  6. Scan Target Scan two hosts. 1. localhost (Ubuntu 22.04) 2.

    remote host that can be connected to with 127.0.0.1:2222 (Debian 11)
  7. Optional. add to Known Hosts for remote host Vuls connects

    to the remote host via SSH, so it should be registered in known_hosts.
  8. 4. Scan Scan targets. On operating systems that use dpkg,

    such as Ubuntu and Debian, package information is collected using dpkg-query. The scan result is as follows.
  9. 6. Report Use `vuls report -format list` to see the

    detection results in an easy-to-read format.
  10. CVE-2021-44228 Timeline the timeline for the first registration of a

    CPE Configuration to the NVD - 2021/11/25: Alibaba Cloud Security Team reports vulnerability to The Apache Software Foundation (The ASF) - 2021/12/10: PoC released, Fix version 2.15.0 released, CVE information posted on NVD - 2021/12/11: JPCERT/CC observes PoC abuse - 2021/12/13: CPE Configuration registered for the first time at NVD
  11. Custom Advisory If a data source for detection was not

    provided, it could not be detected. We want to freely customize the vulnerability DB for our own use.
  12. Assumed Scenario You have received information that apache log4j is

    vulnerable. You would like to be alerted to this vulnerability by issuing an advisory, BLACKHAT-2022-0001, early. At first, you do not know which versions are affected, so you create an advisory 1 to be on the lookout for all versions of apache log4j. Next, assuming that the affected version is known up to 2.19.0, create advisory 2.
  13. Create DB containing custom advisories Just prepare the advisory in

    a fixed location and run `vuls db create`.
  14. Scan Target There are two hosts. 1. cpe1: apache log4j

    2.19.1 installed 2. cpe2: apache log4j 2.16.0 is installed
  15. Scan 1. Prepare config.json with the path to vuls.db and

    start the server mode. 2. Request systeminfo information to the server.
  16. That's all for now • Try Vuls on your machine

    If you are using Ubuntu, Debian or Windows, you can get Vuls from the following link and run it now! Linux: https://onl.bz/6it3MAD Windows: https://onl.bz/5KMVf9U • Vuls hands-on space If you want to run the actual flow from db fetch to scan, detect, and report, or if you want to see the contents of vuls.db and results, please go to the space. • If you have any questions. I will answer, but I am not good at English ...... I will do my best to respond, but if you want a more accurate response, please contact me at Twitter: @MaineK00n E-mail: [email protected]