From 1f46b45539ce5c10d304b690ab3766380d66b392 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Thu, 8 Apr 2021 12:06:06 +0200 Subject: [PATCH 1/6] no emulation for FreeBSD and binary version detection --- modules/R09_firmware_base_version_check.sh | 2 +- modules/S09_firmware_base_version_check.sh | 5 +++++ modules/S103_deep_search.sh | 1 + modules/S115_usermode_emulator.sh | 7 +++++-- 4 files changed, 12 insertions(+), 3 deletions(-) diff --git a/modules/R09_firmware_base_version_check.sh b/modules/R09_firmware_base_version_check.sh index 13e1efeeb..0e753b1df 100755 --- a/modules/R09_firmware_base_version_check.sh +++ b/modules/R09_firmware_base_version_check.sh @@ -37,7 +37,7 @@ detect_binary_versions() { STRICT="$(echo "$VERSION_LINE" | cut -d: -f2)" # as we do not have a typical linux executable we can't use strict version details - if [[ $STRICT == "binary" ]]; then + if [[ $STRICT != "strict" ]]; then #print_output "[*] $VERSION_LINE" VERSION_IDENTIFIER="$(echo "$VERSION_LINE" | cut -d: -f3- | sed s/^\"// | sed s/\"$//)" echo "." | tr -d "\n" diff --git a/modules/S09_firmware_base_version_check.sh b/modules/S09_firmware_base_version_check.sh index a18c0577d..7141d8b78 100755 --- a/modules/S09_firmware_base_version_check.sh +++ b/modules/S09_firmware_base_version_check.sh @@ -38,6 +38,11 @@ S09_firmware_base_version_check() { # as we do not have a typical linux executable we can't use strict version details # but to not exhaust the run time we only search for stuff that we know is possible to detect + # on the other hand, if we do not use emulation for deeper detection we run all checks + + if [[ "$STRICT" != "strict" && "$QEMULATION" -ne 1 ]]; then + STRICT="binary" + fi if [[ $STRICT == "binary" ]]; then VERSION_IDENTIFIER="$(echo "$VERSION_LINE" | cut -d: -f3- | sed s/^\"// | sed s/\"$//)" diff --git a/modules/S103_deep_search.sh b/modules/S103_deep_search.sh index 53e429447..4b1c5fca4 100755 --- a/modules/S103_deep_search.sh +++ b/modules/S103_deep_search.sh 
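Review bot: The comment kept above the inverted test in detect_binary_versions, "as we do not have a typical linux executable we can't use strict version details", still explains the old `== "binary"` check and now reads as if non-strict entries were being excluded rather than included. Because `cut -d: -f2` yields an empty mode for the many `name::"regex"` entries in the cfg, those entries are now all run through this branch as well, which presumably means the whole-extraction search for each of them; the comment should state that, e.g. `# anything not flagged "strict" (including entries with no mode) is searched as a raw pattern over every extracted file`. The rest of detect_binary_versions, including where VERSION_IDENTIFIER is consumed, lies outside this hunk.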
@@ -48,6 +48,7 @@ deep_pattern_search() { print_output "[+] ""$(print_path "$DEEP_S_FILE")" mapfile -t OUTPUT_ARR < <(echo "$S_OUTPUT") for O_LINE in "${OUTPUT_ARR[@]}" ; do + print_output "[*] $O_LINE" COLOR_PATTERN="$GREEN""$PATTERN""$NC" O_LINE="${O_LINE//'\n'/.}" print_output "$( indent "$(echo "${O_LINE//$PATTERN/$COLOR_PATTERN}" | tr "\000-\037\177-\377" "." )")" diff --git a/modules/S115_usermode_emulator.sh b/modules/S115_usermode_emulator.sh index d3bdeaf09..aa7d864e2 100755 --- a/modules/S115_usermode_emulator.sh +++ b/modules/S115_usermode_emulator.sh @@ -67,7 +67,10 @@ S115_usermode_emulator() { FULL_BIN_PATH="$R_PATH"/"$BIN_" if ( file "$FULL_BIN_PATH" | grep -q ELF ) && [[ "$BIN_" != './qemu-'*'-static' ]]; then if ! [[ "${BIN_BLACKLIST[*]}" == *"$(basename "$FULL_BIN_PATH")"* ]]; then - if ( file "$FULL_BIN_PATH" | grep -q "x86-64" ) ; then + if ( file "$FULL_BIN_PATH" | grep -q "version\ .\ (FreeBSD)" ) ; then + print_output "[-] No working emulator found for FreeBSD binary $LINE" + EMULATOR="NA" + elif ( file "$FULL_BIN_PATH" | grep -q "x86-64" ) ; then EMULATOR="qemu-x86_64-static" elif ( file "$FULL_BIN_PATH" | grep -q "Intel 80386" ) ; then EMULATOR="qemu-i386-static" @@ -82,7 +85,7 @@ S115_usermode_emulator() { elif ( file "$FULL_BIN_PATH" | grep -q "32-bit MSB.*PowerPC" ) ; then EMULATOR="qemu-ppc-static" else - print_output "[-] No working emulator found for ""$LINE" + print_output "[-] No working emulator found for $LINE" EMULATOR="NA" fi From 1dcd38edcdb7c0d67c069f0c3b458e7988c6df96 Mon Sep 17 00:00:00 2001 
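Review bot: The added `print_output "[*] $O_LINE"` emits the raw grep match before the existing `tr "\000-\037\177-\377" "."` step, so control characters and escape sequences pulled out of firmware content reach the log and terminal unfiltered. Firmware strings are attacker-controlled input and the line below exists precisely to neutralise them, so a debug print should pass through the same filter or be dropped: `print_output "[*] $(printf '%s' "$O_LINE" | tr "\000-\037\177-\377" ".")"`. A later patch in this series only comments the line out; deleting it keeps deep_pattern_search free of dead debug code. deep_pattern_search starts before this hunk.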
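Review bot: The new FreeBSD branch is yet another `file "$FULL_BIN_PATH" | grep -q …` in a chain that already runs `file` once per test, so each candidate binary now spawns it up to four times; capturing once with `FILE_OUT="$(file "$FULL_BIN_PATH")"` and testing `[[ "$FILE_OUT" == *"(FreeBSD)"* ]]` is cheaper and avoids the `\ ` escapes inside a double-quoted pattern. Keeping this test ahead of the architecture tests is required, since a FreeBSD x86-64 binary would otherwise fall into the `x86-64` branch and be handed to qemu-x86_64-static; a one-line comment saying so would stop someone reordering it. Note that `.` in `"version\ .\ (FreeBSD)"` is a regex wildcard, and only ELF files whose OS/ABI field is branded FreeBSD are caught, so a SYSV-branded FreeBSD binary would presumably still be emulated. S115_usermode_emulator continues beyond the hunk.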
From: m-1-k-3 Date: Fri, 9 Apr 2021 00:22:09 +0200 Subject: [PATCH 2/6] FreeBSD, improved static version detectin --- config/bin_version_strings.cfg | 8 +++++--- modules/F19_cve_aggregator.sh | 3 +++ modules/F50_base_aggregator.sh | 4 +++- modules/P07_firmware_bin_base_analyzer.sh | 22 +++++++++++++++++----- modules/S05_firmware_details.sh | 2 -- modules/S09_firmware_base_version_check.sh | 20 +++++++++++--------- modules/S103_deep_search.sh | 3 ++- modules/S115_usermode_emulator.sh | 4 ++-- modules/S15_bootloader_check.sh | 2 +- modules/S25_kernel_check.sh | 4 ++-- modules/S50_authentication_check.sh | 11 +++++++++++ modules/S65_config_file_check.sh | 1 - modules/S85_ssh_check.sh | 2 +- 13 files changed, 58 insertions(+), 28 deletions(-) diff --git a/config/bin_version_strings.cfg b/config/bin_version_strings.cfg index 192588cc7..0597485f4 100644 --- a/config/bin_version_strings.cfg +++ b/config/bin_version_strings.cfg @@ -103,6 +103,8 @@ flash_eraseall::"flash_eraseall\ \$Revision:\ [0-9]\.[0-9]\ \$" flash_erase::"flash_erase\ version\ [0-9]\.[0-9]\.[0-9]" flatfsd:binary:"flatfsd\ [0-9]\.[0-9]\.[0-9]mtd" forked_media_server::"Forked\ Media\ Server:\ Version\ [0-9]\.[0-9]+" +freebsd:binary:"FreeBSD\ [0-9]+\.[0-9]-RELEASE-p[0-9]\ " +freebsd:binary:"FreeBSD\ [0-9]+\.[0-9]-RELEASE\ " fuse_library::"FUSE\ library\ version:\ [0-9]\.[0-9]\.[0-9]" fuser::"fuser\ \(PSmisc\)\ [0-9]+\.[0-9]+" fusermount::"fusermount\ version:\ [0-9]\.[0-9]\.[0-9]" 
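Review bot: Both new freebsd patterns cap the patch level at one digit (`-p[0-9]\ `) and require a trailing space, so a string such as `FreeBSD 12.1-RELEASE-p10` matches neither line and is silently missed, while the sed rule added in F19 in this same patch already accepts `p[0-9]+`. Use `freebsd:binary:"FreeBSD\ [0-9]+\.[0-9]+-RELEASE-p[0-9]+\ "` and widen the minor version in the second line the same way. `-STABLE` and `-CURRENT` builds are not covered at all, which is fine if intended but deserves a comment next to these entries.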
@@ -192,8 +194,8 @@ l2tpd::"l2tpd\ Version\ [0-9]\.[0-9]+\ Copyright\ [0-9]+\ Roaring\ Penguin\ Soft ldapsearch::"OpenLDAP:\ ldapsearch\ [0-9]\.[0-9]+\.[0-9]+\ " ldconfig::"ldconfig\ \(GNU\ libc\)\ [0-9]\.[0-9]+$" lesskey::"lesskey\ \ version\ [0-9]+$" -less::"less\ [0-9]+\ " -less::"less\ [0-9]+$" +less::"^less\ [0-9]+\ " +less::"^less\ [0-9]+$" libc:binary:"GNU\ C\ Library\ development\ release\ version\ [0-9]\.[0-9]+\.[0-9]+$" libc:binary:"GNU\ C\ Library\ \(.*\)\ stable\ release\ version\ [0-9]\.[0-9]+$" libcurl:binary:"CLIENT\ libcurl\ [0-9]\.[0-9]+\.[0-9]+" @@ -340,7 +342,7 @@ radvdump:strict:"Version:\ [0-9]\.[0-9]+\.[0-9]+$" ralink-dot1x::"Ralink\ DOT1X\ daemon,\ version\ ...[0-9]\.[0-9]\.[0-9]\.[0-9]." rdisc6::"ndisc6\:\ IPv6\ Neighbor\/Router\ Discovery\ userland\ tool\ [0-9]\.[0-9]\.[0-9]\ " rdnssd::"rdnssd\:\ IPv6\ Recursive\ DNS\ Server\ discovery\ Daemon\ [0-9]\.[0-9]\.[0-9]\ " -Realtek_camera_tool::"----Welcome\ to\ Realtek\ Camera\ Tool\.\ Version\ [0-9]\.[0-9]+\.[0-9]" +Realtek_camera_tool::"Welcome\ to\ Realtek\ Camera\ Tool\.\ Version\ [0-9]\.[0-9]+\.[0-9]" ripd::"ripd\ version\ [0-9]\.[0-9]+\.[0-9]+" rndimage:binary:"RNDIMGAE\ v[0-9]\.[0-9]+\.[0-9]+" rpcinfo::"rpcinfo\ \(.*\)\ [0-9]\.[0-9]+" diff --git a/modules/F19_cve_aggregator.sh b/modules/F19_cve_aggregator.sh index f7a98c5a2..310f9fcd6 100755 --- a/modules/F19_cve_aggregator.sh +++ b/modules/F19_cve_aggregator.sh @@ -120,6 +120,7 @@ prepare_version_data() { VERSION_lower="${VERSION_lower//zic\.c/zic}" #bzip2, a block-sorting file compressor. Version 1.0.6, VERSION_lower="${VERSION_lower//bzip2,\ a\ block-sorting\ file\ compressor\.\ version/bzip2}" + VERSION_lower="${VERSION_lower//bzip2recover/bzip2}" # gnutls VERSION_lower="${VERSION_lower//enabled\ gnutls/gnutls}" VERSION_lower="${VERSION_lower//project-id-version:\ gnutls/gnutls}" 
@@ -317,6 +318,8 @@ prepare_version_data() { VERSION_lower="$(echo "$VERSION_lower" | sed -r 's/ntpdc\ vendor-specific.*query.*([0-9]\.[0-9]\.[0-9])([a-z][0-9])/ntp\ \1:\2/g')" # ntpdate 4.2.8p13 -> ntp 4.2.8:p13 VERSION_lower="$(echo "$VERSION_lower" | sed -r 's/ntpdate\ ([0-9]\.[0-9]\.[0-9])([a-z]([0-9]))/ntp\ \1:\2/g')" + # FreeBSD 12.1-RELEASE-p8 -> FreeBSD 12.1:p8 + VERSION_lower="$(echo "$VERSION_lower" | sed -r 's/freebsd\ ([0-9]+\.[0-9]+)-release-([a-z]([0-9]+))/freebsd\ \1:\2/g')" # unzip .... info-zip -> info-zip VERSION_lower="$(echo "$VERSION_lower" | sed -r 's/zipinfo\ ([0-9]\.[0-9][0-9])\ .*\ info-zip.*/info-zip:zip\ \1/g')" VERSION_lower="$(echo "$VERSION_lower" | sed -r 's/unzip\ ([0-9]\.[0-9][0-9])\ .*\ by\ info-zip.*/info-zip:unzip\ \1/g')" diff --git a/modules/F50_base_aggregator.sh b/modules/F50_base_aggregator.sh index 13e27c3b1..a48692fb4 100755 --- a/modules/F50_base_aggregator.sh +++ b/modules/F50_base_aggregator.sh @@ -341,7 +341,7 @@ get_data() { os_detector() { VERIFIED=0 - OSES=("kernel" "vxworks" "siprotec") + OSES=("kernel" "vxworks" "siprotec" "freebsd") #### The following check is based on the results of the aggregator: if [[ -f "$LOG_DIR"/"$CVE_AGGREGATOR_LOG" ]]; then @@ -354,6 +354,8 @@ os_detector() { SYSTEM="SIPROTEC" elif [[ "$OS_TO_CHECK" == "vxworks" ]]; then SYSTEM="VxWorks" + elif [[ "$OS_TO_CHECK" == "freebsd" ]]; then + SYSTEM="FreeBSD" else SYSTEM="$OS_TO_CHECK" fi diff --git a/modules/P07_firmware_bin_base_analyzer.sh b/modules/P07_firmware_bin_base_analyzer.sh index 099391ffe..c5c7b028d 100755 --- a/modules/P07_firmware_bin_base_analyzer.sh +++ b/modules/P07_firmware_bin_base_analyzer.sh @@ -52,7 +52,7 @@ P07_firmware_bin_base_analyzer() { wait_for_pid fi - if [[ $(wc -l "$LOG_DIR"/tmp/p07.tmp | awk '{print $1}') ]] ; then + if [[ $(wc -l "$TMP_DIR"/p07.tmp | awk '{print $1}') ]] ; then NEG_LOG=1 fi 
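Review bot: The new FreeBSD rewrite only fires when a `-pN` patch level is present, so a value captured by the second cfg pattern, `freebsd 12.1-release`, keeps its `-release` suffix and reaches the CVE lookup in a form the database is unlikely to match. Add a companion rule for that case: `VERSION_lower="$(echo "$VERSION_lower" | sed -r 's/freebsd\ ([0-9]+\.[0-9]+)-release(\ |$)/freebsd\ \1\2/g')"`. The nested group `([a-z]([0-9]+))` also creates a `\3` that is never used; `(p[0-9]+)` states the intent directly. prepare_version_data starts and ends outside this hunk.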
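Review bot: The condition on the changed line, `if [[ $(wc -l "$TMP_DIR"/p07.tmp | awk '{print $1}') ]]`, only tests whether the substitution is a non-empty string, and `0` is non-empty, so NEG_LOG is set whenever the file exists regardless of its line count. If the intent is "something was written", use `if [[ "$(wc -l < "$TMP_DIR/p07.tmp" 2>/dev/null)" -gt 0 ]]`; the redirect form also keeps the filename out of wc's output so the awk step is no longer needed. P07_firmware_bin_base_analyzer starts before the hunk.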
@@ -75,6 +75,17 @@ os_identification() { COUNTER_Linux=$((COUNTER_Linux+COUNTER_Linux_FW+COUNTER_Linux_EXT)) echo "." | tr -d "\n" + echo "." | tr -d "\n" + COUNTER_FreeBSD="$(find "$OUTPUT_DIR" -type f -exec strings {} \; | grep -i -c FreeBSD 2> /dev/null)" + echo "." | tr -d "\n" + COUNTER_FreeBSD_EXT="$(find "$LOG_DIR" -type f -name "p05_*" -exec grep -i -c FreeBSD {} \; 2> /dev/null)" + echo "." | tr -d "\n" + COUNTER_FreeBSD_FW="$(strings "$FIRMWARE_PATH" 2>/dev/null | grep -c FreeBSD)" + echo "." | tr -d "\n" + COUNTER_FreeBSD=$((COUNTER_FreeBSD+COUNTER_FreeBSD_FW+COUNTER_FreeBSD_EXT)) + echo "." | tr -d "\n" + + COUNTER_VxWorks="$(find "$OUTPUT_DIR" -type f -exec strings {} \; | grep -i -c "VxWorks\|Wind" 2> /dev/null)" echo "." | tr -d "\n" COUNTER_VxWorks_EXT="$(find "$LOG_DIR" -type f -name "p05_*" -exec grep -i -c "VxWorks\|Wind" {} \; 2> /dev/null)" 
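Review bot: `COUNTER_FreeBSD_FW="$(strings "$FIRMWARE_PATH" 2>/dev/null | grep -c FreeBSD)"` is case-sensitive while the two sibling counts use `grep -i`, so the three numbers added together are not counting the same thing; add `-i` here or drop it from the others. The `find "$LOG_DIR" -type f -name "p05_*" -exec grep -i -c FreeBSD {} \;` form prints one count per matching file, so if more than one `p05_*` log exists the variable holds several lines and the `$((…+COUNTER_FreeBSD_EXT))` sum on the next line fails; `cat "$LOG_DIR"/p05_* 2>/dev/null | grep -i -c FreeBSD` yields a single number (the existing VxWorks block has the same shape, so this may be a known single-file assumption worth a comment). An extra progress dot and a blank line are also added with no apparent purpose. os_identification continues outside the hunk.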
@@ -125,12 +136,13 @@ os_identification() { export LINUX_PATH_COUNTER LINUX_PATH_COUNTER="$(find "$OUTPUT_DIR" "${EXCL_FIND[@]}" -type d -iname bin -o -type f -iname busybox -o -type d -iname sbin -o -type d -iname etc 2> /dev/null | wc -l)" - if [[ $((COUNTER_Linux+COUNTER_VxWorks+COUNTER_FreeRTOS+COUNTER_eCos+COUNTER_ADONIS+COUNTER_SIPROTEC)) -gt 0 ]] ; then + if [[ $((COUNTER_Linux+COUNTER_VxWorks+COUNTER_FreeRTOS+COUNTER_eCos+COUNTER_ADONIS+COUNTER_SIPROTEC+COUNTER_FreeBSD)) -gt 0 ]] ; then print_output "" print_output "$(indent "$(orange "Operating system detection:")")" if [[ $COUNTER_VxWorks -gt 5 ]] ; then print_output "$(indent "$(orange "VxWorks detected\t\t""$COUNTER_VxWorks")")"; fi if [[ $COUNTER_FreeRTOS -gt 0 ]] ; then print_output "$(indent "$(orange "FreeRTOS detected\t\t""$COUNTER_FreeRTOS")")"; fi if [[ $COUNTER_eCos -gt 0 ]] ; then print_output "$(indent "$(orange "eCos detected\t\t""$COUNTER_eCos")")"; fi + if [[ $COUNTER_FreeBSD -gt 0 ]] ; then print_output "$(indent "$(orange "FreeBSD detected\t\t""$COUNTER_FreeBSD")")"; fi if [[ $COUNTER_Linux -gt 5 && $LINUX_PATH_COUNTER -gt 1 ]] ; then print_output "$(indent "$(green "Linux detected\t\t""$COUNTER_Linux""\t-\tverified Linux operating system detected")")" elif [[ $COUNTER_Linux -gt 5 ]] ; then @@ -142,13 +154,13 @@ os_identification() { elif [[ $COUNTER_SIPROTEC -gt 10 ]] ; then print_output "$(indent "$(orange "SIPROTEC detected\t\t""$COUNTER_SIPROTEC")")"; fi - echo "$((COUNTER_Linux+COUNTER_VxWorks+COUNTER_FreeRTOS+COUNTER_eCos+COUNTER_ADONIS+COUNTER_SIPROTEC))" >> "$LOG_DIR"/tmp/p07.tmp + echo "$((COUNTER_Linux+COUNTER_VxWorks+COUNTER_FreeRTOS+COUNTER_eCos+COUNTER_ADONIS+COUNTER_SIPROTEC+COUNTER_FreeBSD))" >> "$TMP_DIR"/p07.tmp fi echo if [[ $LINUX_PATH_COUNTER -gt 0 ]] ; then print_output "[+] Found possible Linux operating system in $(print_path "$OUTPUT_DIR")" - echo "$LINUX_PATH_COUNTER" >> "$LOG_DIR"/tmp/p07.tmp + echo "$LINUX_PATH_COUNTER" >> "$TMP_DIR"/p07.tmp fi } 
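Review bot: `if [[ $COUNTER_FreeBSD -gt 0 ]]` reports "FreeBSD detected" on a single case-insensitive hit, whereas the VxWorks, Linux and SIPROTEC lines in the same block require more than 5 or 10; one "FreeBSD" in a BSD licence header or a libc copyright string inside a Linux image will trigger it. Align the threshold with its neighbours, `if [[ $COUNTER_FreeBSD -gt 5 ]]`, or add a comment explaining why a single hit is deemed sufficient. Since the term is also added to the summed `-gt 0` gate above, the detection header now prints for firmware whose only evidence is that one string. os_identification continues outside the hunk on both sides.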
@@ -160,6 +172,6 @@ binary_architecture_detection() mapfile -t PRE_ARCH < <(binwalk -Y "$FIRMWARE_PATH" | grep "valid\ instructions" | awk '{print $3}' | sort -u) for PRE_ARCH_ in "${PRE_ARCH[@]}"; do print_output "[+] Possible architecture details found: $ORANGE$PRE_ARCH_" - echo "$PRE_ARCH_" >> "$LOG_DIR"/tmp/p07.tmp + echo "$PRE_ARCH_" >> "$TMP_DIR"/p07.tmp done } diff --git a/modules/S05_firmware_details.sh b/modules/S05_firmware_details.sh index 981cc29fa..a44d1f2b3 100755 --- a/modules/S05_firmware_details.sh +++ b/modules/S05_firmware_details.sh @@ -23,11 +23,9 @@ S05_firmware_details() LOG_FILE="$( get_log_file )" - #local DETECTED_FILES local DETECTED_DIR # we use the file FILE_ARR from helpers module - #DETECTED_FILES=$(find "$FIRMWARE_PATH" "${EXCL_FIND[@]}" -xdev -type f 2>/dev/null | wc -l ) DETECTED_DIR=$(find "$FIRMWARE_PATH" "${EXCL_FIND[@]}" -xdev -type d 2>/dev/null | wc -l) print_output "[*] ""${#FILE_ARR[@]}"" files and ""$DETECTED_DIR"" directories detected." diff --git a/modules/S09_firmware_base_version_check.sh b/modules/S09_firmware_base_version_check.sh index 7141d8b78..1e22334ed 100755 --- a/modules/S09_firmware_base_version_check.sh +++ b/modules/S09_firmware_base_version_check.sh @@ -20,8 +20,8 @@ S09_firmware_base_version_check() { # this module check for version details statically. - # this module is designed for linux systems - # for other systems we have the R09 + # this module is designed for *x based systems + # for other systems (eg RTOS) we have the R09 module_log_init "${FUNCNAME[0]}" module_title "Binary firmware versions detection" 
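Review bot: The rewritten header comment `# this module is designed for *x based systems` uses a term a reader will not recognise, and the pointer to R09 on the next line still does not say what R09 covers. Suggested wording: `# this module is designed for *nix-like systems (Linux, FreeBSD, ...) with an extracted filesystem` and `# for other systems (eg RTOS images) see R09_firmware_base_version_check`. The S09 hunk on this line changes only comments; S09_firmware_base_version_check continues outside it.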
@@ -70,13 +70,15 @@ S09_firmware_base_version_check() { echo "." | tr -d "\n" fi - VERSION_FINDER=$(find "$OUTPUT_DIR" -xdev -type f -print0 2> /dev/null | xargs -0 strings | grep -o -a -E "$VERSION_IDENTIFIER" | head -1 2> /dev/null) - - if [[ -n $VERSION_FINDER ]]; then - echo "" - print_output "[+] Version information found ${RED}""$VERSION_FINDER""${NC}${GREEN} in extracted firmware files." - VERSIONS_DETECTED+=("$VERSION_FINDER") - fi + #VERSION_FINDER=$(find "$OUTPUT_DIR" -xdev -type f -print0 2> /dev/null | xargs -0 strings | grep -o -a -E "$VERSION_IDENTIFIER" | head -1 2> /dev/null) + for BIN in "${BINARIES[@]}"; do + VERSION_FINDER=$(strings "$BIN" | grep -o -a -E "$VERSION_IDENTIFIER" | head -1 2> /dev/null) + if [[ -n $VERSION_FINDER ]]; then + echo "" + print_output "[+] Version information found ${RED}""$VERSION_FINDER""${NC}${GREEN} in $BIN." + VERSIONS_DETECTED+=("$VERSION_FINDER") + fi + done echo "." | tr -d "\n" fi diff --git a/modules/S103_deep_search.sh b/modules/S103_deep_search.sh index 4b1c5fca4..8466edcf0 100755 --- a/modules/S103_deep_search.sh +++ b/modules/S103_deep_search.sh @@ -46,9 +46,10 @@ deep_pattern_search() { S_OUTPUT="$(grep -E -n -a -h -o ".{0,25}""$PATTERN"".{0,25}" -D skip "$DEEP_S_FILE" | tr -d '\0' )" if [[ -n "$S_OUTPUT" ]] ; then print_output "[+] ""$(print_path "$DEEP_S_FILE")" + #print_output "[+] $DEEP_S_FILE" mapfile -t OUTPUT_ARR < <(echo "$S_OUTPUT") for O_LINE in "${OUTPUT_ARR[@]}" ; do - print_output "[*] $O_LINE" + #print_output "[*] $O_LINE" COLOR_PATTERN="$GREEN""$PATTERN""$NC" O_LINE="${O_LINE//'\n'/.}" print_output "$( indent "$(echo "${O_LINE//$PATTERN/$COLOR_PATTERN}" | tr "\000-\037\177-\377" "." )")" diff --git a/modules/S115_usermode_emulator.sh b/modules/S115_usermode_emulator.sh index aa7d864e2..4edf8b86b 100755 --- a/modules/S115_usermode_emulator.sh +++ b/modules/S115_usermode_emulator.sh 
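Review bot: The new loop over `"${BINARIES[@]}"` only sees files in that array, so if it holds ELF files only (the "in binary" message text added later in this series suggests so), version strings that live in shell scripts, web assets, text configs or non-ELF blobs are no longer found by this path, a detection regression the commit message does not mention. Either keep a fallback sweep over the remaining files or state the narrowed scope in the module comment. Each hit is now appended per file, so identical copies of a binary in different directories produce duplicate entries in VERSIONS_DETECTED; a membership check before the `VERSIONS_DETECTED+=("$VERSION_FINDER")` append avoids repeated CVE lookups downstream. BINARIES is populated outside this hunk.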
@@ -68,7 +68,7 @@ S115_usermode_emulator() { if ( file "$FULL_BIN_PATH" | grep -q ELF ) && [[ "$BIN_" != './qemu-'*'-static' ]]; then if ! [[ "${BIN_BLACKLIST[*]}" == *"$(basename "$FULL_BIN_PATH")"* ]]; then if ( file "$FULL_BIN_PATH" | grep -q "version\ .\ (FreeBSD)" ) ; then - print_output "[-] No working emulator found for FreeBSD binary $LINE" + print_output "[-] No working emulator found for FreeBSD binary $BIN_" EMULATOR="NA" elif ( file "$FULL_BIN_PATH" | grep -q "x86-64" ) ; then EMULATOR="qemu-x86_64-static" @@ -85,7 +85,7 @@ S115_usermode_emulator() { elif ( file "$FULL_BIN_PATH" | grep -q "32-bit MSB.*PowerPC" ) ; then EMULATOR="qemu-ppc-static" else - print_output "[-] No working emulator found for $LINE" + print_output "[-] No working emulator found for $BIN_" EMULATOR="NA" fi diff --git a/modules/S15_bootloader_check.sh b/modules/S15_bootloader_check.sh index d34008929..d959b1e29 100755 --- a/modules/S15_bootloader_check.sh +++ b/modules/S15_bootloader_check.sh @@ -292,8 +292,8 @@ find_boot_files() print_output "$(indent "$(orange "$(print_path "$LINE")")")" if [[ "$(basename "$LINE")" == "inittab" ]] ; then INITTAB_V=("${INITTAB_V[@]}" "$LINE") - ((STARTUP_FINDS++)) fi + ((STARTUP_FINDS++)) done else print_output "[-] No startup files found" diff --git a/modules/S25_kernel_check.sh b/modules/S25_kernel_check.sh index 130c65665..389057032 100755 --- a/modules/S25_kernel_check.sh +++ b/modules/S25_kernel_check.sh 
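Review bot: `((STARTUP_FINDS++))` now runs for every LINE, and the post-increment form returns exit status 1 when the previous value was 0, so the first iteration is a "failing" command; if this script ever runs under `set -e` (not visible here) the loop would abort on the first startup file. `STARTUP_FINDS=$((STARTUP_FINDS+1))` or `((STARTUP_FINDS+=1))` has the same effect without the pitfall, and the same applies to the `((AUTH_ISSUES++))` and `((SSH_VUL_CNT++))` lines added elsewhere in this patch. find_boot_files starts before the hunk.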
@@ -97,8 +97,8 @@ populate_karrays() { mapfile -t KERNEL_MODULES < <( find "$FIRMWARE_PATH" "${EXCL_FIND[@]}" -xdev -iname "*.ko" -type f -exec md5sum {} \; 2>/dev/null | sort -u -k1,1 | cut -d\ -f3 ) for K_MODULE in "${KERNEL_MODULES[@]}"; do - KERNEL_VERSION+=( "$(modinfo "$K_MODULE" | grep -E "vermagic" | cut -d: -f2 | sed 's/^ *//g')" ) - KERNEL_DESC+=( "$(modinfo "$K_MODULE" | grep -E "description" | cut -d: -f2 | sed 's/^ *//g' | tr -c '[:alnum:]\n\r' '_')" ) + KERNEL_VERSION+=( "$(modinfo "$K_MODULE" 2>/dev/null | grep -E "vermagic" | cut -d: -f2 | sed 's/^ *//g')" ) + KERNEL_DESC+=( "$(modinfo "$K_MODULE" 2>/dev/null | grep -E "description" | cut -d: -f2 | sed 's/^ *//g' | tr -c '[:alnum:]\n\r' '_')" ) done # unique our results diff --git a/modules/S50_authentication_check.sh b/modules/S50_authentication_check.sh index 7247a67d2..4a0f9f189 100755 --- a/modules/S50_authentication_check.sh +++ b/modules/S50_authentication_check.sh @@ -348,24 +348,28 @@ search_pam_testing_libs() { FOUND_CRACKLIB=1 FOUND=1 print_output "[+] Found pam_cracklib.so (crack library PAM) in ""$(print_path "$FULL_PATH")" + ((AUTH_ISSUES++)) fi if [[ -f "$FULL_PATH""/pam_passwdqc.so" ]] ; then FOUND_PASSWDQC=1 FOUND=1 print_output "[+] Found pam_passwdqc.so (passwd quality control PAM) in ""$(print_path "$FULL_PATH")" + ((AUTH_ISSUES++)) fi if [[ -f "$FULL_PATH""/pam_pwquality.so" ]] ; then FOUND_PWQUALITY=1 FOUND=1 print_output "[+] Found pam_pwquality.so (password quality control PAM) in ""$(print_path "$FULL_PATH")" + ((AUTH_ISSUES++)) fi done # Cracklib if [[ $FOUND_CRACKLIB -eq 1 ]] ; then print_output "[+] pam_cracklib.so found" + ((AUTH_ISSUES++)) else print_output "[-] pam_cracklib.so not found" fi @@ -373,6 +377,7 @@ search_pam_testing_libs() { # Password quality control if [[ $FOUND_PASSWDQC -eq 1 ]] ; then print_output "[+] pam_passwdqc.so found" + ((AUTH_ISSUES++)) else print_output "[-] pam_passwdqc.so not found" fi 
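Review bot: Silencing modinfo's stderr hides why a module could not be read, and when it fails the pipeline still appends an empty element to KERNEL_VERSION and KERNEL_DESC, so both arrays grow with blanks that the following "unique our results" step presumably has to cope with. Capture once and skip on failure: `MODINFO="$(modinfo "$K_MODULE" 2>/dev/null)" || { print_output "[-] modinfo failed on $K_MODULE"; continue; }`, then grep vermagic and description from `$MODINFO`, which also halves the modinfo invocations per module. modinfo is a host tool parsing untrusted firmware modules, so a failure is worth logging rather than discarding. populate_karrays continues outside the hunk.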
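Review bot: The AUTH_ISSUES increments in search_pam_testing_libs fire at three layers for the same fact: once inside the directory loop when the module file is found, again in the per-module summary (`print_output "[+] pam_cracklib.so found"`), and once more in the "Found at least one PAM module" branch on the next line, so a single pam_cracklib.so raises the counter by three. These modules enforce password quality, i.e. they are a hardening positive, so counting them as issues also inflates whatever the aggregator derives from AUTH_ISSUES; count the *absence* instead (`print_output "[-] pam_cracklib.so not found"; ((AUTH_ISSUES++))`) or keep a separate positive counter. search_pam_testing_libs starts before the hunk.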
@@ -380,6 +385,7 @@ search_pam_testing_libs() { # pwquality module if [[ $FOUND_PWQUALITY -eq 1 ]] ; then print_output "[+] pam_pwquality.so found" + ((AUTH_ISSUES++)) else print_output "[-] pam_pwquality.so not found" fi @@ -388,6 +394,7 @@ search_pam_testing_libs() { print_output "[-] No PAM modules for password strength testing found" else print_output "[-] Found at least one PAM module for password strength testing" + ((AUTH_ISSUES++)) fi else @@ -415,6 +422,7 @@ scan_pam_conf() { local LINE LINE=$(echo "$FIND" | ${SEDBINARY} 's/:space:/ /g') print_output "$(indent "$(orange "$LINE")")" + ((AUTH_ISSUES++)) fi fi done @@ -445,6 +453,7 @@ search_pam_configs() { for FILE in "${AUTH_FILES[@]}"; do print_output "[*] Check if LDAP support in PAM files" if [[ -f "$FILE" ]] ; then + ((AUTH_ISSUES++)) print_output "[+] ""$(print_path "$FILE")"" exist" local FIND2 FIND2=$(grep "^auth.*ldap" "$FILE") @@ -479,6 +488,7 @@ search_pam_files() { if [[ -f "$LINE" ]] ; then CHECK=1 print_output "$(indent "$(orange "$(print_path "$LINE")")")" + ((AUTH_ISSUES++)) fi if [[ -d "$LINE" ]] && [[ ! -L "$LINE" ]] ; then print_output "$(indent "$(print_path "$LINE")")" @@ -487,6 +497,7 @@ search_pam_files() { for FIND_FILE in "${FIND[@]}"; do CHECK=1 print_output "$(indent "$(orange "$FIND_FILE")")" + ((AUTH_ISSUES++)) done fi done diff --git a/modules/S65_config_file_check.sh b/modules/S65_config_file_check.sh index 08c7460b8..d36be57b3 100755 --- a/modules/S65_config_file_check.sh +++ b/modules/S65_config_file_check.sh @@ -34,7 +34,6 @@ scan_config() { sub_module_title "Search for config file" - local CONF_FILES_ARR readarray -t CONF_FILES_ARR < <(config_find "$CONFIG_DIR""/config_files.cfg") if [[ "${CONF_FILES_ARR[0]}" == "C_N_F" ]] ; then print_output "[!] Config not found" diff --git a/modules/S85_ssh_check.sh b/modules/S85_ssh_check.sh index 8e51a2df3..2e1a64928 100755 --- a/modules/S85_ssh_check.sh +++ b/modules/S85_ssh_check.sh 
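Review bot: In search_pam_configs the new `((AUTH_ISSUES++))` fires as soon as an entry of AUTH_FILES exists, before the `grep "^auth.*ldap"` that the surrounding "Check if LDAP support" message announces, so every present PAM file is counted as an issue whether or not it configures LDAP auth. Move the increment under the FIND2 result, `if [[ -n "$FIND2" ]]; then ((AUTH_ISSUES++)); fi` (the FIND2 handling continues outside the hunk), and the same question applies to search_pam_files, where each listed file and directory entry is counted merely for being printed.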
@@ -47,6 +47,7 @@ search_ssh_files() elif [[ "${#SSH_FILES[@]}" -ne 0 ]] ; then print_output "[+] Found ""${#SSH_FILES[@]}"" ssh configuration files:" for LINE in "${SSH_FILES[@]}" ; do + ((SSH_VUL_CNT++)) if [[ -f "$LINE" ]] ; then print_output "$(indent "$(orange "$(print_path "$LINE")")")" if [[ -f "$EXT_DIR"/sshdcc ]]; then @@ -59,7 +60,6 @@ search_ssh_files() # print finding title as emba finding: if [[ "$S_ISSUE" =~ ^\([0-9+]\)\ \[[A-Z]+\]\ ]]; then print_output "[+] $S_ISSUE" - ((SSH_VUL_CNT++)) # print everything else (except RESULTS and done) as usual output elif ! [[ "$S_ISSUE" == *RESULTS* || "$S_ISSUE" == *done* ]]; then print_output "[*] $S_ISSUE" From 80d0b1d61b5329947a0097cd30659e8213a1c6f2 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Fri, 9 Apr 2021 21:25:14 +0200 Subject: [PATCH 3/6] improve static version detection --- config/bin_version_strings.cfg | 2 +- modules/F19_cve_aggregator.sh | 7 ++++++- modules/R09_firmware_base_version_check.sh | 1 - modules/S09_firmware_base_version_check.sh | 21 ++++++++++++++------- 4 files changed, 21 insertions(+), 10 deletions(-) diff --git a/config/bin_version_strings.cfg b/config/bin_version_strings.cfg index 0597485f4..042e405d2 100644 --- a/config/bin_version_strings.cfg +++ b/config/bin_version_strings.cfg @@ -391,7 +391,7 @@ twonky::"Twonky\ Version\ [0-9]\.[0-9]+\.[0-9]+" ubnt-infctld::"Multipurpose\(mtik,\ mcast\)\ control\ daemon\ v[0-9]\.[0-9]\ \(c\)\ Ubiquiti$" u-boot:binary:"Compiled\ with\ U-Boot\ [0-9]+\.[0-9]+$" u-boot:binary:"Compiled\ with\ U-Boot\ [0-9]+\.[0-9]+rc[0-9]+" -uboot::"U-Boot\ [0-9]+\.[0-9]+" +uboot::"U-Boot\ [0-9]+\.[0-9]+\ " uboot::"U-Boot\ [0-9]\.[0-9]+\.[0-9]+\ " ucd-snmpd::"UCD-snmp\ version:\ \ [0-9]\.[0-9]+\.[0-9]+$" ucloud::"ucloud_v2\ ver\.[0-9]+" diff --git a/modules/F19_cve_aggregator.sh b/modules/F19_cve_aggregator.sh index 310f9fcd6..7c9a289aa 100755 --- a/modules/F19_cve_aggregator.sh +++ b/modules/F19_cve_aggregator.sh 
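Review bot: Moving `((SSH_VUL_CNT++))` to the top of the file loop turns the counter into a count of ssh configuration files, while the sshdcc findings that previously incremented it (`print_output "[+] $S_ISSUE"`) now add nothing, so the name SSH_VUL_CNT no longer matches what it holds. If the goal is "something to report" for the aggregator, count files in a separate variable and keep the per-finding increment, or rename the variable and adjust whoever reads it. search_ssh_files begins before the hunk.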
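Review bot: Appending `\ ` to `uboot::"U-Boot\ [0-9]+\.[0-9]+\ "` means a version that ends the line, `U-Boot 2013.07` followed by the newline `strings` emits, no longer matches, and neither does `U-Boot 2013.07-rc1` (the existing `Compiled\ with\ U-Boot … rc[0-9]+` entry only covers that other phrasing). If the trailing space is meant to stop a two-component match from swallowing the prefix of a three-component one, `U-Boot\ [0-9]+\.[0-9]+(\ |$|-rc[0-9]+)` keeps that intent while retaining end-of-line hits; other entries in this file already use `$` the same way.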
@@ -97,7 +97,12 @@ prepare_version_data() { # remove multiple spaces # shellcheck disable=SC2001 VERSION_lower="$(echo "$VERSION_lower" | sed -e 's/[[:space:]]\+/\ /g')" - VERSION_lower="${VERSION_lower//in\ extracted\ firmware\ files\./}" + VERSION_lower="${VERSION_lower//\ in\ extracted\ firmware\ files\./\ }" + VERSION_lower="${VERSION_lower//\ in\ original\ firmware\ file\./\ }" + VERSION_lower="${VERSION_lower//\ in\ extraction\ logs\./\ }" + VERSION_lower="${VERSION_lower//\ in\ binwalk\ logs\./\ }" + # shellcheck disable=SC2001 + VERSION_lower="$(echo "$VERSION_lower" | sed -e 's/\ in\ binary\ .*\./\ /g')" # GNU gdbserver (GDB) VERSION_lower="${VERSION_lower//gnu\ gdbserver\ /gdb\ }" diff --git a/modules/R09_firmware_base_version_check.sh b/modules/R09_firmware_base_version_check.sh index 0e753b1df..ef0d86393 100755 --- a/modules/R09_firmware_base_version_check.sh +++ b/modules/R09_firmware_base_version_check.sh @@ -64,7 +64,6 @@ detect_binary_versions() { echo "." | tr -d "\n" fi - VERSION_FINDER=$(find "$OUTPUT_DIR" -type f -print0 2> /dev/null | xargs -0 strings | grep -o -a -E "$VERSION_IDENTIFIER" | head -1 2> /dev/null) if [[ -n $VERSION_FINDER ]]; then diff --git a/modules/S09_firmware_base_version_check.sh b/modules/S09_firmware_base_version_check.sh index 1e22334ed..9bf171fec 100755 --- a/modules/S09_firmware_base_version_check.sh +++ b/modules/S09_firmware_base_version_check.sh 
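Review bot: `if [[ -n $VERSION_FINDER ]]` is left in place without the `VERSION_FINDER=$(find "$OUTPUT_DIR" … | head -1)` assignment it consumed, so the branch now tests whatever VERSION_FINDER was left holding by the preceding checks (presumably the binwalk/extraction-log search) or by the previous loop iteration, and reports that stale value under the new VERSION_IDENTIFIER. Either remove the reporting block together with the assignment or, if R09 is meant to keep searching raw files, replace rather than delete the line, e.g. `VERSION_FINDER=$(find "$OUTPUT_DIR" -type f -print0 2>/dev/null | xargs -0 strings | grep -o -a -E "$VERSION_IDENTIFIER" | head -1)`. Resetting `VERSION_FINDER=""` at the start of each config-line iteration would make this class of error visible instead of silent. detect_binary_versions starts and ends outside the hunk.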
@@ -35,16 +35,13 @@ S09_firmware_base_version_check() { echo "." | tr -d "\n" STRICT="$(echo "$VERSION_LINE" | cut -d: -f2)" + BIN_NAME="$(echo "$VERSION_LINE" | cut -d: -f1)" # as we do not have a typical linux executable we can't use strict version details # but to not exhaust the run time we only search for stuff that we know is possible to detect # on the other hand, if we do not use emulation for deeper detection we run all checks - if [[ "$STRICT" != "strict" && "$QEMULATION" -ne 1 ]]; then - STRICT="binary" - fi - - if [[ $STRICT == "binary" ]]; then + if [[ $STRICT != "strict" ]]; then VERSION_IDENTIFIER="$(echo "$VERSION_LINE" | cut -d: -f3- | sed s/^\"// | sed s/\"$//)" echo "." | tr -d "\n" @@ -70,16 +67,26 @@ S09_firmware_base_version_check() { echo "." | tr -d "\n" fi - #VERSION_FINDER=$(find "$OUTPUT_DIR" -xdev -type f -print0 2> /dev/null | xargs -0 strings | grep -o -a -E "$VERSION_IDENTIFIER" | head -1 2> /dev/null) for BIN in "${BINARIES[@]}"; do VERSION_FINDER=$(strings "$BIN" | grep -o -a -E "$VERSION_IDENTIFIER" | head -1 2> /dev/null) if [[ -n $VERSION_FINDER ]]; then echo "" - print_output "[+] Version information found ${RED}""$VERSION_FINDER""${NC}${GREEN} in $BIN." + print_output "[+] Version information found ${RED}""$VERSION_FINDER""${NC}${GREEN} in binary $BIN." VERSIONS_DETECTED+=("$VERSION_FINDER") fi done echo "." | tr -d "\n" + else + mapfile -t STRICT_BINS < <(find "$OUTPUT_DIR" -xdev -executable -type f -name "$BIN_NAME" -exec md5sum {} \; 2>/dev/null | sort -u -k1,1 | cut -d\ -f3) + for BIN in "${STRICT_BINS[@]}"; do + VERSION_FINDER=$(strings "$BIN" | grep -o -a -E "$VERSION_IDENTIFIER" | head -1 2> /dev/null) + if [[ -n $VERSION_FINDER ]]; then + echo "" + print_output "[+] Version information found ${RED}""$VERSION_FINDER""${NC}${GREEN} in binary $BIN (strict)." + VERSIONS_DETECTED+=("$VERSION_FINDER") + fi + done + echo "." | tr -d "\n" fi done < "$CONFIG_DIR"/bin_version_strings.cfg 
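Review bot: In the new strict branch, `cut -d\ -f3` after md5sum returns only the first whitespace-separated word of the path, so any extracted file whose path contains a space is truncated and `strings "$BIN"` then fails quietly; use `cut -d' ' -f3-` (md5sum separates hash and path with two spaces), and the identical idiom in S25's populate_karrays has the same problem. `-executable` also makes detection depend on the host user's permission bits, which many extractors do not preserve, so strict binaries in an extraction that lost its mode bits are never searched; `find "$OUTPUT_DIR" -xdev -type f -name "$BIN_NAME"` alone, or `-perm /111`, avoids tying results to the host uid. BIN_NAME values in the cfg are written with shell escaping (`traceroute\.db`), which `-name` happens to accept as a glob escape; a comment noting that dependency would help. S09_firmware_base_version_check starts before the hunk.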
From 7385cd77fb5a6a46ab8cfc7f639a301d0b7cde05 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Fri, 9 Apr 2021 21:55:20 +0200 Subject: [PATCH 4/6] fix of strict version detection --- config/bin_version_strings.cfg | 1 + modules/S09_firmware_base_version_check.sh | 10 +++++++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/config/bin_version_strings.cfg b/config/bin_version_strings.cfg index 042e405d2..db4640efe 100644 --- a/config/bin_version_strings.cfg +++ b/config/bin_version_strings.cfg @@ -382,6 +382,7 @@ systemd:strict:"^[0-9]+$" tar::"\(GNU\ tar\)\ [0-9]\.[0-9]+$" tcpdump::"tcpdump\.[0-9]\.[0-9]+\.[0-9]+\ version" tcpdump::"tcpdump\ version\ [0-9]\.[0-9]+\.[0-9]+$" +tcpdump:strict:"^[0-9]\.[0-9]+\.[0-9]+$" texinfo::"\(GNU\ texinfo\)\ [0-9]\.[0-9]+$" tinylogin::"Tinylogin v[0-9]\.[0-9]+\ \(.*\)\ multi-call\ binary$" traceroute\.db::"traceroute\.db\:\ Modern\ traceroute\ for\ Linux,\ version\ [0-9]\.[0-9]\.[0-9]+,\ Jul\ [0-9]+\ [0-9]+" diff --git a/modules/S09_firmware_base_version_check.sh b/modules/S09_firmware_base_version_check.sh index 9bf171fec..bbe8e8736 100755 --- a/modules/S09_firmware_base_version_check.sh +++ b/modules/S09_firmware_base_version_check.sh 
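Review bot: `tcpdump:strict:"^[0-9]\.[0-9]+\.[0-9]+$"` matches every line of `strings tcpdump` that is a bare x.y.z number, and a tcpdump binary typically also embeds its libpcap version (and OpenSSL's when linked statically), so with the `sort -u` reporting added in this same patch several unrelated versions would be reported as tcpdump. A strict pattern that is only a number is safe solely when the binary carries exactly one such string; prefer the surrounding text where it exists (`tcpdump\ version\ [0-9]…` is already above) or add a comment marking the strict line as a deliberate last resort.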
@@ -36,13 +36,17 @@ S09_firmware_base_version_check() { STRICT="$(echo "$VERSION_LINE" | cut -d: -f2)" BIN_NAME="$(echo "$VERSION_LINE" | cut -d: -f1)" + echo "VERSION_LINE: $VERSION_LINE" + echo "STRICT: $STRICT" + echo "BIN_NAME: $BIN_NAME" # as we do not have a typical linux executable we can't use strict version details # but to not exhaust the run time we only search for stuff that we know is possible to detect # on the other hand, if we do not use emulation for deeper detection we run all checks + VERSION_IDENTIFIER="$(echo "$VERSION_LINE" | cut -d: -f3- | sed s/^\"// | sed s/\"$//)" + if [[ $STRICT != "strict" ]]; then - VERSION_IDENTIFIER="$(echo "$VERSION_LINE" | cut -d: -f3- | sed s/^\"// | sed s/\"$//)" echo "." | tr -d "\n" # check binwalk files sometimes we can find kernel version information or something else in it @@ -79,10 +83,10 @@ S09_firmware_base_version_check() { else mapfile -t STRICT_BINS < <(find "$OUTPUT_DIR" -xdev -executable -type f -name "$BIN_NAME" -exec md5sum {} \; 2>/dev/null | sort -u -k1,1 | cut -d\ -f3) for BIN in "${STRICT_BINS[@]}"; do - VERSION_FINDER=$(strings "$BIN" | grep -o -a -E "$VERSION_IDENTIFIER" | head -1 2> /dev/null) + VERSION_FINDER=$(strings "$BIN" | grep -E "$VERSION_IDENTIFIER" | sort -u) if [[ -n $VERSION_FINDER ]]; then echo "" - print_output "[+] Version information found ${RED}""$VERSION_FINDER""${NC}${GREEN} in binary $BIN (strict)." + print_output "[+] Version information found ${RED}""$BIN"" ""$VERSION_FINDER""${NC}${GREEN} in binary $BIN (strict)." VERSIONS_DETECTED+=("$VERSION_FINDER") fi done From 9c9ad750bb770504bff0c0cfd223bb1b4d0d06bb Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Fri, 9 Apr 2021 21:56:32 +0200 Subject: [PATCH 5/6] cleanup --- modules/S09_firmware_base_version_check.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/modules/S09_firmware_base_version_check.sh b/modules/S09_firmware_base_version_check.sh index bbe8e8736..a10cf4ec2 100755 
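Review bot: `VERSION_FINDER=$(strings "$BIN" | grep -E "$VERSION_IDENTIFIER" | sort -u)` can hold several newline-separated lines, but `VERSIONS_DETECTED+=("$VERSION_FINDER")` stores them as one array element and the print line embeds them into one message, so a multi-hit binary yields a single malformed entry for the aggregator. Iterate instead, inside the existing `-n` guard: `while IFS= read -r V; do VERSIONS_DETECTED+=("$V"); done <<< "$VERSION_FINDER"`. Placing `"$BIN"` ahead of the version inside the `${RED}…${NC}` span also puts the binary path into the text F19 later normalises — its `in\ binary\ .*\.` rule strips the suffix but not a leading path — and the `in binary $BIN (strict).` suffix already carries it, so the duplicate in front should go. Both hunks on this line belong to S09_firmware_base_version_check, which starts before them.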
--- a/modules/S09_firmware_base_version_check.sh +++ b/modules/S09_firmware_base_version_check.sh @@ -36,9 +36,6 @@ S09_firmware_base_version_check() { STRICT="$(echo "$VERSION_LINE" | cut -d: -f2)" BIN_NAME="$(echo "$VERSION_LINE" | cut -d: -f1)" - echo "VERSION_LINE: $VERSION_LINE" - echo "STRICT: $STRICT" - echo "BIN_NAME: $BIN_NAME" # as we do not have a typical linux executable we can't use strict version details # but to not exhaust the run time we only search for stuff that we know is possible to detect From 1eb5419860e08c4bbbb8a3686f58ef54075f6969 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Fri, 9 Apr 2021 22:13:31 +0200 Subject: [PATCH 6/6] link in s115 included --- modules/S115_usermode_emulator.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/S115_usermode_emulator.sh b/modules/S115_usermode_emulator.sh index 4edf8b86b..3564d433e 100755 --- a/modules/S115_usermode_emulator.sh +++ b/modules/S115_usermode_emulator.sh @@ -68,6 +68,7 @@ S115_usermode_emulator() { if ( file "$FULL_BIN_PATH" | grep -q ELF ) && [[ "$BIN_" != './qemu-'*'-static' ]]; then if ! [[ "${BIN_BLACKLIST[*]}" == *"$(basename "$FULL_BIN_PATH")"* ]]; then if ( file "$FULL_BIN_PATH" | grep -q "version\ .\ (FreeBSD)" ) ; then + # https://superuser.com/questions/1404806/running-a-freebsd-binary-on-linux-using-qemu-user print_output "[-] No working emulator found for FreeBSD binary $BIN_" EMULATOR="NA" elif ( file "$FULL_BIN_PATH" | grep -q "x86-64" ) ; then