Re: How to find if exploit exist to a reported CVE ?

From: Ronald Chmara (ron@Opus1.COM)
Date: Thu Nov 08 2007 - 01:16:28 EST

• Next message: eladexposed@gmail.com: "Changing or spoofing the mac address of Beceem ms120."
• Previous message: merigoth@gmail.com: "Re: Fingerprinting and Testing Firewalls"
• In reply to: Joey Peloquin: "Re: How to find if exploit exist to a reported CVE ?"
• Next in thread: Justin Ferguson: "Re: How to find if exploit exist to a reported CVE ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On Nov 7, 2007, at 4:50 PM, Joey Peloquin wrote:
> Walsh, Leo wrote:
>> I don't personally know of any place that tracks CVE to exploit
>> code nor
>> a place that tracks all exploit code.

Wait, *all* exploit code? Such as "all possible code that can be
written for a given exploit"? I know of no such thing, and if it were
created, it could rapidly fill several hundred thousand hard drives
in a matter of hours. Rather than spending time characterizing the
*code* used in an exploit, the industry has focused on the
"signature", and "behavior", of an exploit.

Let me provide an example. Say that posting two newline characters,
followed by a dagger (aka, † ), breaks the website of example.com
(this is just an example).

Sending two newlines, followed by a dagger, can be written in PHP,
Perl, Python, VB, Pascal, Fortran, Applescript, lisp, MS Basic, C, C+
+, C#, brainf*ck, and any number of other languages. Tracking the
*language* a given exploit is written "in" isn't exactly beneficial
(though google does try to work on this problem, to slow down the
kiddies who simply don't know how to port code, and thus repeat the
same exploit content across many sites).

What most IDS/IPS/Virus detection/Firewall folks actually do is look
for a "signature", or something common to all similar exploits, such
as "two newline characters, followed by a dagger, POST'ed over http",
*regardless* of the source code that generated such a POST.

> http://milw0rm.com/ is an exploit repository.
> http://www.osvdb.org/ is a vulnerability db, staffed by volunteers,
> who
> research disclosed vulns, and document them thoroughly, citing the
> many
> disparate sources of vuln information around the world. CVE and
> milw0rm are
> just a couple sources researched when mangling a vuln.

*nod*.

frsirt, mitre, osvdb, nessus, XSS, milw0rm, packetstorm, etc. etc.
etc....

The heart of working in security is research.

-Ronabop
------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

• Next message: eladexposed@gmail.com: "Changing or spoofing the mac address of Beceem ms120."
• Previous message: merigoth@gmail.com: "Re: Fingerprinting and Testing Firewalls"
• In reply to: Joey Peloquin: "Re: How to find if exploit exist to a reported CVE ?"
• Next in thread: Justin Ferguson: "Re: How to find if exploit exist to a reported CVE ?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:12 EDT