-
Notifications
You must be signed in to change notification settings - Fork 318
Vulnerability Modules
- What are vulnerabilities?
- How do I use vulnerabilities in SecGen?
- Where are vulnerability modules stored?
- How is the vulnerabilities directory structured?
- What do vulnerability modules actually contain?
- What does secgen_metadata.xml actually contain?
- Where can I get new vulnerability modules from?
- How do I create my own vulnerability modules
Vulnerabilities are programs or services that can lead to exploitation of a generated virtual machine.
Vulnerabilities can be a program misconfiguration errors, access control misconfiguration, exploitable code in a program or privilege escalation.
Vulnerabilities can lead to three completion rewards:
-
Information leakage
Leaked information that may be useful in exploiting another service or vulnerability -
User level access
An exploit can be used to gain user lever access to the generated system -
Root level access
An exploit can be used to gain root/administrator level access to the generated system
Vulnerabilities can be installed on the generated virtual machine via the use of vulnerability modules.
Vulnerability modules are stored in the vulnerabilities directory, a simplified SecGen file structure to the vulnerabilities directory is below:
/SecGen
/modules
/vulnerabilities
The vulnerabilities folder is structured as shown below:
/vulnerabilities
/unix
/{vulnerability_type}
/{vulnerability_name}
/{vulnerability_name}
/windows
/{vulnerability_type}
/{vulnerability_name}
/{vulnerability_name}
{vulnerability_type}:
The vulnerability module type, e.g. ftp
{service_name}:
The name of the vulnerability module
Vulnerability modules have the following structure:
/{vulnerability_name}
/examples
/...
/files
/example.file
/lib
/...
/manifests
/install.pp
/config.pp
/service.pp
/spec
/...
/templates
/example.erb
/{vulnerability_name}.pp
/secgen_metadata.xml
{vulnerability_name}:
The name of the vulnerability module
More information on the different files and directories plus how they are used can be found in the module development overview.
The secgen_metadata.xml files for the vulnerability modules are based on following structure:
Minimal vulnerability secgen_metadata.xml file
<?xml version="1.0"?>
<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
<name>””</name>
<author>””</author>
<module_license>MIT // Apache v2</module_license>
<description>””</description>
<type>””</type>
<privilege>information_leakage // user // root</privilege> ←Todo - Add information leakage to privilege
<access>remote // local</access>
<platform>linux // unix // windows</platform>
</vulnerability>All values vulnerability secgen_metadata.xml file
<?xml version="1.0"?>
<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
<name>””</name>
<author>””</author>
<module_license>MIT // Apache v2</module_license>
<description>””</description>
<type>””</type>
<privilege>information_leakage // user // root</privilege> ←Todo - Add information leakage to privilege
<access>remote // local</access>
<platform>linux // unix // windows</platform>
<!--optional vulnerability details-->
<difficulty>low // medium // high</difficulty>
<cve>CVE-[0-9]{4}-[0-9]{1,39}</cve>
<cvss_base_score>*.* where * is 0-9</cvss_base_score>
<cvss_vector>AV:(L|A|N)/AC:(H|M|L)/Au:(M|S|N)/C:(N|P|C)/I:(N|P|C)/A:(N|P|C)</cvss_vector>
<reference>””</reference>
<software_name>””</software_name>
<software_license>””</software_license>
<!--optional breadcrumb (info that is leaked and required to exploit)-->
<breadcrumb>””</breadcrumb>
<!--optional hints-->
<msf_module>exploit/[a-zA-Z0-9_\-/]+</msf_module>
<hint>””</hint>
<solution>””</solution>
<conflict>
<module_path>””</module_path>
<name>””</name>
<author>””</author>
<module_license>””</module_license>
<description>””</description>
<type>””</type>
<privilege>user // root</privilege>
<access>remote // local</access>
<platform>linux // unix // windows</platform> <-- need to add windows to schema
<difficulty>low // medium // high</difficulty>
<cve>CVE-[0-9]{4}-[0-9]{1,39}</cve>
<cvss_base_score>*.* where * is 0-9</cvss_base_score>
<cvss_vector>AV:(L|A|N)/AC:(H|M|L)/Au:(M|S|N)/C:(N|P|C)/I:(N|P|C)/A:(N|P|C)</cvss_vector>
<reference>””</reference>
<software_name>””</software_name>
<software_license>””</software_license>
<breadcrumb>””</breadcrumb>
<msf_module>exploit/[a-zA-Z0-9_\-/]+</msf_module>
<hint>””</hint>
<solution>”"</solution>
</conflict>
<requires>
<module_path>””</module_path>
<name>””</name>
<author>””</author>
<module_license>””</module_license>
<description>””</description>
<type>””</type>
<privilege>user // root</privilege>
<access>remote // local</access>
<platform>linux // unix // windows</platform> <-- need to add windows to schema
<difficulty>low // medium // high</difficulty>
<cve>CVE-[0-9]{4}-[0-9]{1,39}</cve>
<cvss_base_score>*.* where * is 0-9</cvss_base_score>
<cvss_vector>AV:(L|A|N)/AC:(H|M|L)/Au:(M|S|N)/C:(N|P|C)/I:(N|P|C)/A:(N|P|C)</cvss_vector>
<reference>””</reference>
<software_name>””</software_name>
<software_license>””</software_license>
<breadcrumb>””</breadcrumb>
<msf_module>exploit/[a-zA-Z0-9_\-/]+</msf_module>
<hint>””</hint>
<solution>“”</solution>
</requires>
</vulnerability>While the SecGen team tries to create all the vulnerability modules to suit your needs, we will not be able to create modules for every vulnerability that has ever existed, yet anyway, therefore knowing how to create vulnerability modules is invaluable to ensure that any vulnerability you want to use can be used.
You can either create vulnerabilities by compiling the program from source code, or you can use archive repositories.
Archive repositories are the preferred way of getting vulnerable software for numerous reasons:
- Source code needs to be save locally and will bloat up SecGen's repository.
- Compiling from source also takes far longer then using software that is already compiled for a specific system.
- Compiling errors are very hard to test and diagnose (especially when using another’s code).
But won't using a source repository limit the OS or Distro?
This is true however when writing modules in puppet, the module should stay as independent of OS or Distro as possible.
An independent module will allow easy installation on multiple Distro's without having to change the module itself.
Some repositories may only cater to Debian files so puppets case statements should allow for selection of the OS when applied with Facter.
TODO: FINISH THIS