Skip to content

Commit

Permalink
cve-2024-6387 from RickGeex (#3194) (#3237)
Browse files Browse the repository at this point in the history
Co-authored-by: Jan Klopper <[email protected]>
Co-authored-by: ammar92 <[email protected]>
Co-authored-by: Jeroen Dekkers <[email protected]>
  • Loading branch information
4 people authored Jul 15, 2024
1 parent f7e68e6 commit 9c9cfe7
Show file tree
Hide file tree
Showing 9 changed files with 156 additions and 4 deletions.
8 changes: 4 additions & 4 deletions boefjes/boefjes/katalogus/tests/integration/test_api.py
Original file line number Diff line number Diff line change
Expand Up @@ -49,9 +49,9 @@ def test_get_local_plugin(self):

def test_filter_plugins(self):
response = self.client.get(f"/v1/organisations/{self.org.id}/plugins/")
self.assertEqual(len(response.json()), 93)
self.assertEqual(len(response.json()), 95)
response = self.client.get(f"/v1/organisations/{self.org.id}/plugins?plugin_type=boefje")
self.assertEqual(len(response.json()), 41)
self.assertEqual(len(response.json()), 42)

response = self.client.get(f"/v1/organisations/{self.org.id}/plugins?limit=10")
self.assertEqual(len(response.json()), 10)
Expand All @@ -76,7 +76,7 @@ def test_add_boefje(self):
self.assertEqual(response.status_code, 422)

response = self.client.get(f"/v1/organisations/{self.org.id}/plugins/?plugin_type=boefje")
self.assertEqual(len(response.json()), 42)
self.assertEqual(len(response.json()), 43)

boefje_dict = boefje.dict()
boefje_dict["consumes"] = list(boefje_dict["consumes"])
Expand All @@ -101,7 +101,7 @@ def test_add_normalizer(self):
self.assertEqual(response.status_code, 201)

response = self.client.get(f"/v1/organisations/{self.org.id}/plugins/?plugin_type=normalizer")
self.assertEqual(len(response.json()), 53)
self.assertEqual(len(response.json()), 54)

response = self.client.get(f"/v1/organisations/{self.org.id}/plugins/test_normalizer")
self.assertEqual(response.json(), normalizer.dict())
Expand Down
Empty file.
68 changes: 68 additions & 0 deletions boefjes/boefjes/plugins/kat_cve_2024_6387/normalize.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
"""
CVE-2024-6387 checker
Author: Mischa van Geelen <@rickgeex>
"""

from collections.abc import Iterable

from boefjes.job_models import NormalizerOutput
from octopoes.models import Reference
from octopoes.models.ooi.findings import CVEFindingType, Finding
from packaging.version import Version

VULNERABLE_VERSIONS = [
"SSH-2.0-OpenSSH_8.5",
"SSH-2.0-OpenSSH_8.6",
"SSH-2.0-OpenSSH_8.7",
"SSH-2.0-OpenSSH_8.8",
"SSH-2.0-OpenSSH_8.9",
"SSH-2.0-OpenSSH_9.0",
"SSH-2.0-OpenSSH_9.1",
"SSH-2.0-OpenSSH_9.2",
"SSH-2.0-OpenSSH_9.3",
"SSH-2.0-OpenSSH_9.4",
"SSH-2.0-OpenSSH_9.5",
"SSH-2.0-OpenSSH_9.6",
"SSH-2.0-OpenSSH_9.7",
]


def is_vulnerable(banner: str) -> bool:
if not any(version in banner for version in VULNERABLE_VERSIONS):
return False

if banner.startswith("SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u"):
_, security_update = banner.split("deb12u")
if Version(security_update) >= Version("3"):
return False
elif banner.startswith("SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu"):
_, security_update = banner.split("3ubuntu")
if Version(security_update) >= Version("13.3"):
return False
elif banner.startswith("SSH-2.0-OpenSSH_9.3p1 Ubuntu-1ubuntu"):
_, security_update = banner.split("1ubuntu")
if Version(security_update) >= Version("3.6"):
return False
elif banner.startswith("SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu"):
_, security_update = banner.split("3ubuntu")
if Version(security_update) >= Version("0.10"):
return False

return True


def run(input_ooi: dict, raw: bytes) -> Iterable[NormalizerOutput]:
ooi = Reference.from_str(input_ooi["primary_key"])

banner = raw.decode()

if banner.startswith("SSH-2.0-OpenSSH") and is_vulnerable(banner):
finding_type = CVEFindingType(id="CVE-2024-6387")
finding = Finding(
finding_type=finding_type.reference,
ooi=ooi,
description="Service is most likely vulnerable to CVE-2024-6387",
)
yield finding_type
yield finding
11 changes: 11 additions & 0 deletions boefjes/boefjes/plugins/kat_cve_2024_6387/normalizer.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
{
"id": "kat_cve_2024_6387_normalize",
"consumes": [
"openkat/service-banner"
],
"description": "Checks service banner for CVE-2024-6387, enable service banner boefje to get the service banner",
"produces": [
"Finding",
"CVEFindingType"
]
}
Empty file.
9 changes: 9 additions & 0 deletions boefjes/boefjes/plugins/kat_service_banner/boefje.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
{
"id": "service_banner",
"name": "Service banner download",
"description": "Downloads service banners from the target hosts",
"consumes": [
"IPPort"
],
"scan_level": 2
}
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
41 changes: 41 additions & 0 deletions boefjes/boefjes/plugins/kat_service_banner/main.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
import socket

from boefjes.job_models import BoefjeMeta

TIMEOUT = 1.0


def get_sock(ip, port, timeout):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(timeout)
try:
sock.connect((ip, port))
return sock
except Exception:
return None


def get_banner(sock):
if not sock:
return [({"boefje/error"}, "Unable to connect to the service")]
try:
sock.settimeout(TIMEOUT)
banner = sock.recv(1024)
try:
banner = banner.decode().strip()
except UnicodeDecodeError:
banner = banner.decode("latin1").strip()
sock.close()
return [({"openkat/service-banner"}, banner)]
except Exception as e:
return [({"boefje/error"}, f"Unable to get banner. {str(e)}")]


def run(boefje_meta: BoefjeMeta) -> list[tuple[set, str | bytes]]:
input_ = boefje_meta.arguments["input"] # input is IPPort
port = input_["port"]
ip = input_["address"]["address"]

sock = get_sock(ip, port, TIMEOUT)

return get_banner(sock)
23 changes: 23 additions & 0 deletions boefjes/tests/test_cve-2024-6387.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
from boefjes.plugins.kat_cve_2024_6387.normalize import is_vulnerable


def test_is_vulnerable():
for version in [
"SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3",
"SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u10",
"SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",
"SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4",
"SSH-2.0-OpenSSH_9.3p1 Ubuntu-1ubuntu3.6",
"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10",
]:
assert not is_vulnerable(version)

for version in [
"SSH-2.0-OpenSSH_8.9p1",
"SSH-2.0-OpenSSH_9.2p1",
"SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2",
"SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.7",
"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3",
]:
assert is_vulnerable(version)

0 comments on commit 9c9cfe7

Please sign in to comment.