Penetration Testing mailing list archives

Re: How to find if exploit exist to a reported CVE ?

From: Ronald Chmara <ron () Opus1 COM>
Date: Wed, 07 Nov 2007 22:16:28 -0800


On Nov 7, 2007, at 4:50 PM, Joey Peloquin wrote:

Walsh, Leo wrote:
I don't personally know of any place that tracks CVE to exploitcode nor
a place that tracks all exploit code.

Wait, *all* exploit code? Such as "all possible code that can bewritten for a given exploit"? I know of no such thing, and if it werecreated, it could rapidly fill several hundred thousand hard drivesin a matter of hours. Rather than spending time characterizing the*code* used in an exploit, the industry has focused on the"signature", and "behavior", of an exploit.

Let me provide an example. Say that posting two newline characters,followed by a dagger (aka, † ), breaks the website of example.com(this is just an example).

Sending two newlines, followed by a dagger, can be written in PHP,Perl, Python, VB, Pascal, Fortran, Applescript, lisp, MS Basic, C, C++, C#, brainf*ck, and any number of other languages. Tracking the*language* a given exploit is written "in" isn't exactly beneficial(though google does try to work on this problem, to slow down thekiddies who simply don't know how to port code, and thus repeat thesame exploit content across many sites).

What most IDS/IPS/Virus detection/Firewall folks actually do is lookfor a "signature", or something common to all similar exploits, suchas "two newline characters, followed by a dagger, POST'ed over http",*regardless* of the source code that generated such a POST.

http://milw0rm.com/ is an exploit repository.
http://www.osvdb.org/ is a vulnerability db, staffed by volunteers,whoresearch disclosed vulns, and document them thoroughly, citing themanydisparate sources of vuln information around the world. CVE andmilw0rm are
just a couple sources researched when mangling a vuln.


*nod*.

frsirt, mitre, osvdb, nessus, XSS, milw0rm, packetstorm, etc. etc.etc....


The heart of working in security is research.

-Ronabop
------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

Current thread:

How to find if exploit exist to a reported CVE ? Juan B (Nov 06)
- RE: How to find if exploit exist to a reported CVE ? Joseph Nicosia (Nov 07)
- Re: How to find if exploit exist to a reported CVE ? security curmudgeon (Nov 07)
- <Possible follow-ups>
- RE: How to find if exploit exist to a reported CVE ? Walsh, Leo (Nov 07)
  - Re: How to find if exploit exist to a reported CVE ? Kyprianos Vassilopoulos (Nov 07)
  - Re: How to find if exploit exist to a reported CVE ? Joey Peloquin (Nov 07)
    - Re: How to find if exploit exist to a reported CVE ? Justin Ferguson (Nov 08)
    - Re: How to find if exploit exist to a reported CVE ? Ronald Chmara (Nov 08)