Penetration Testing mailing list archives
Re: How to find if exploit exist to a reported CVE ?
From: Ronald Chmara <ron () Opus1 COM>
Date: Wed, 07 Nov 2007 22:16:28 -0800
On Nov 7, 2007, at 4:50 PM, Joey Peloquin wrote:
Walsh, Leo wrote:I don't personally know of any place that tracks CVE to exploit code nora place that tracks all exploit code.
Wait, *all* exploit code? Such as "all possible code that can be written for a given exploit"? I know of no such thing, and if it were created, it could rapidly fill several hundred thousand hard drives in a matter of hours. Rather than spending time characterizing the *code* used in an exploit, the industry has focused on the "signature", and "behavior", of an exploit.
Let me provide an example. Say that posting two newline characters, followed by a dagger (aka, † ), breaks the website of example.com (this is just an example).
Sending two newlines, followed by a dagger, can be written in PHP, Perl, Python, VB, Pascal, Fortran, Applescript, lisp, MS Basic, C, C+ +, C#, brainf*ck, and any number of other languages. Tracking the *language* a given exploit is written "in" isn't exactly beneficial (though google does try to work on this problem, to slow down the kiddies who simply don't know how to port code, and thus repeat the same exploit content across many sites).
What most IDS/IPS/Virus detection/Firewall folks actually do is look for a "signature", or something common to all similar exploits, such as "two newline characters, followed by a dagger, POST'ed over http", *regardless* of the source code that generated such a POST.
http://milw0rm.com/ is an exploit repository.http://www.osvdb.org/ is a vulnerability db, staffed by volunteers, who research disclosed vulns, and document them thoroughly, citing the many disparate sources of vuln information around the world. CVE and milw0rm arejust a couple sources researched when mangling a vuln.
*nod*.frsirt, mitre, osvdb, nessus, XSS, milw0rm, packetstorm, etc. etc. etc....
The heart of working in security is research. -Ronabop ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- How to find if exploit exist to a reported CVE ? Juan B (Nov 06)
- RE: How to find if exploit exist to a reported CVE ? Joseph Nicosia (Nov 07)
- Re: How to find if exploit exist to a reported CVE ? security curmudgeon (Nov 07)
- <Possible follow-ups>
- RE: How to find if exploit exist to a reported CVE ? Walsh, Leo (Nov 07)
- Re: How to find if exploit exist to a reported CVE ? Kyprianos Vassilopoulos (Nov 07)
- Re: How to find if exploit exist to a reported CVE ? Joey Peloquin (Nov 07)
- Re: How to find if exploit exist to a reported CVE ? Justin Ferguson (Nov 08)
- Re: How to find if exploit exist to a reported CVE ? Ronald Chmara (Nov 08)