
Locating libssh to triage CVE-2018-10933

Looking through Nexpose for libssh server banners, I haven't seen the banners being fingerprinted. I've done initial triage with SQL reports via SSH banners, but I was curious if anyone else has already written a solid libssh fingerprint that I can borrow to write a basic vulnerability check?

https://www.libssh.org/security/advisories/CVE-2018-10933.txt
https://arstechnica.com/information-technology/2018/10/bug-in-libssh-makes-it-amazingly-easy-for-hackers-to-gain-root-access/

My initial libssh banner report:

```
WITH asset_ips AS (
  SELECT asset_id, ip_address, type
  FROM dim_asset_ip_address dips
),
asset_addresses AS (
  SELECT da.asset_id,
    (SELECT array_to_string(array_agg(ip_address), ',') FROM asset_ips WHERE asset_id = da.asset_id AND type = 'IPv4') AS ipv4s,
    (SELECT array_to_string(array_agg(ip_address), ',') FROM asset_ips WHERE asset_id = da.asset_id AND type = 'IPv6') AS ipv6s,
    (SELECT array_to_string(array_agg(mac_address), ',') FROM dim_asset_mac_address WHERE asset_id = da.asset_id) AS macs
  FROM dim_asset da
  JOIN asset_ips USING (asset_id)
),
asset_names AS (
  SELECT asset_id, array_to_string(array_agg(host_name), ',') AS names
  FROM dim_asset_host_name
  GROUP BY asset_id
),
banners AS (
  SELECT da.asset_id AS asset_id,
    dasc.port AS port,
    ds.name AS ds_name,
    ' [' || dasc.name::text || ': ' || array_to_string(array_agg(dasc.value), ', ')::text || ']' AS banner_info
  FROM dim_asset da
  JOIN dim_asset_service_configuration dasc USING (asset_id)
  JOIN dim_service ds USING (service_id)
  GROUP BY da.asset_id, da.ip_address, dasc.port, ds.name, dasc.name
)
SELECT da.ip_address AS "Asset IP Address",
  an.names AS "Asset Names",
  csv(ds.name) AS "Sites",
  banners.port,
  banners.ds_name,
  csv(banners.banner_info) AS "Banner Info"
FROM dim_asset da
LEFT OUTER JOIN asset_addresses aa USING (asset_id)
LEFT OUTER JOIN asset_names an USING (asset_id)
JOIN banners USING (asset_id)
JOIN dim_site_asset USING (asset_id)
JOIN dim_site ds USING (site_id)
WHERE banners.banner_info ILIKE '%libssh%'
GROUP BY da.ip_address, ds.name, banners.port, banners.ds_name, an.names
ORDER BY da.ip_address, banners.port
```

Posted by BrianWGray 6 days ago
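One way to turn the banner report above into a basic version check, as an added example that is not part of the original post: pull the libssh version out of the banner string, split it into an integer array, and compare it against the fixed releases so the result is a per-service status rather than a raw banner. It is plain PostgreSQL (the same engine the Nexpose reporting model runs on); the `sample_banners` rows are constructed test data, and in a real report the banner column would come from `dim_asset_service_configuration` as in the query above. Two assumptions are baked in: libssh banners carry the version after either `libssh-` or `libssh_` (both separators are accepted), and the first fixed releases are 0.7.6 and 0.8.4, as published in the advisory linked above, so re-check those thresholds against it before relying on the output.

```sql
-- Added example (not from the original post): classify SSH banners for CVE-2018-10933.
-- Constructed sample banners stand in for dim_asset_service_configuration values.
WITH sample_banners(ip_address, port, banner) AS (
  VALUES
    ('10.0.0.11', 22,   'SSH-2.0-libssh_0.7.5'),
    ('10.0.0.12', 22,   'SSH-2.0-libssh-0.6.3'),
    ('10.0.0.13', 2222, 'SSH-2.0-libssh_0.8.4'),
    ('10.0.0.14', 22,   'SSH-2.0-OpenSSH_7.4'),
    ('10.0.0.15', 22,   'SSH-2.0-libssh_0.8.1')
),
parsed AS (
  SELECT ip_address, port, banner,
         -- Assumption: the version follows "libssh-" (older builds) or "libssh_" (newer builds).
         -- substring(... from pattern) returns the capture group; non-libssh banners yield NULL.
         string_to_array(substring(banner from 'libssh[-_]([0-9]+(?:\.[0-9]+)*)'), '.')::int[] AS ver
  FROM sample_banners
)
SELECT ip_address, port, banner,
       array_to_string(ver, '.') AS libssh_version,
       -- Integer arrays compare element by element, so this is a real version comparison,
       -- not a string comparison ("0.10.0" would sort correctly above "0.9.0").
       CASE
         WHEN ver IS NULL             THEN 'not libssh'
         WHEN ver < ARRAY[0, 6, 0]    THEN 'not affected (pre-0.6)'
         WHEN ver < ARRAY[0, 7, 6]    THEN 'VULNERABLE (0.6.0 - 0.7.5)'   -- fixed in 0.7.6 per advisory
         WHEN ver < ARRAY[0, 8, 0]    THEN 'fixed (0.7.6+)'
         WHEN ver < ARRAY[0, 8, 4]    THEN 'VULNERABLE (0.8.0 - 0.8.3)'   -- fixed in 0.8.4 per advisory
         ELSE                              'fixed (0.8.4+)'
       END AS cve_2018_10933_status
FROM parsed
ORDER BY ip_address, port;
```

With the sample rows, 10.0.0.11, 10.0.0.12 and 10.0.0.15 come back VULNERABLE, 10.0.0.13 comes back fixed, and the OpenSSH host is reported as not libssh. A banner-only check is still only a fingerprint: distributions that backport the fix without bumping the version string will be reported as vulnerable and need confirming by package version or an authenticated check.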


JSON request POST for Nexpose APIv3 issue?

Hi all, I am having an issue with Nexpose APIv3. I have a problem with acceptance of the JSON request on the server side. On the other hand, GET is working fine. The content of my JSON file is below. I am calling the API at "https://nexpose.mydomain.com:3780/api/3/sites", based on your documentation here https://help.rapid7.com/insightvm/en-us/api/index.html#operation/createSite, but I am still getting *HTTP Error 400: Bad Request*. So, I guess there is some mistake in my JSON file. According to the documentation there is only one required parameter, "name". I would really appreciate it if you could help me with this. What is probably missing or wrong in my JSON file? Is there any standard which must be used for JSON data, such as RFC 4627, RFC 7159, ECMA-404? Thank you very much! Jan

JSON file post_sites.json:

```
{
  "description": "testing-site",
  "engineId": "",
  "importance": "normal",
  "links": [
    { "href": "", "rel": "" }
  ],
  "name": "my-first-site",
  "scan": {
    "assets": {
      "excludedAssetGroups": {
        "assetGroupIDs": [ 0 ],
        "links": [ { "href": "", "rel": "" } ]
      },
      "excludedTargets": {
        "addresses": [ "string" ],
        "links": [ { "href": "", "rel": "" } ]
      },
      "includedAssetGroups": {
        "assetGroupIDs": [ 0 ],
        "links": [ { "href": "", "rel": "" } ]
      },
      "includedTargets": {
        "addresses": [ "string" ],
        "links": [ { "href": "", "rel": "" } ]
      }
    },
    "connection": {
      "id": ""
    }
  },
  "scanTemplateId": "testing-template"
}
```

Posted by Jan Stangler 13 days ago


SQL severity count

Looking for help on a SQL query. I am looking to get a count of critical, severe and moderate vulns on an asset as well as total vulns. I have been successful with getting the count of total vulns with a simple count of vulnerability_id from dim_vulnerability; however, the severity is a problem. Since the severity is stored in the dim_vulnerability table's severity column, I can not find a way to break out a count of each specific criticality. Below is my attempt at a SQL query, but I feel like it may be way too jacked up for fixing.

```
WITH critical_vuln_count AS (
  SELECT COUNT(dv.severity)
  FROM fact_asset_date('2018-09-01', current_date, INTERVAL '1 year') fad
  LEFT OUTER JOIN dim_asset AS da ON fad.asset_id = da.asset_id
  LEFT OUTER JOIN fact_asset_vulnerability_age AS fava ON fava.asset_id = da.asset_id
  LEFT OUTER JOIN dim_vulnerability AS dv ON dv.vulnerability_id = fava.vulnerability_id
  WHERE now() - dv.date_published > INTERVAL '30 days'
    AND dv.severity = 'Critical'
)
SELECT da.ip_address AS "IP Address",
  da.host_name AS "Host Name",
  dos.description AS "Operating System",
  fad.day AS "Date of Summary",
  COUNT(dv.title) AS "Total_Vulnerabilities",
  cvc.critical_vuln_count
FROM fact_asset_date('2018-09-01', current_date, INTERVAL '1 year') fad
LEFT OUTER JOIN dim_asset AS da ON fad.asset_id = da.asset_id
LEFT OUTER JOIN dim_operating_system AS dos ON da.operating_system_id = dos.operating_system_id
LEFT OUTER JOIN fact_asset_vulnerability_age AS fava ON fava.asset_id = da.asset_id
LEFT OUTER JOIN dim_vulnerability AS dv ON dv.vulnerability_id = fava.vulnerability_id
LEFT OUTER JOIN critical_vuln_count AS cvc USING (severity)
WHERE now() - dv.date_published > INTERVAL '30 days'
GROUP BY "IP Address", "Host Name", "Operating System", "Date of Summary", "critical_vuln_count"
```

I know that there is a table that naturally has this data, but in my experience it looks like those are raw values and are not subject to WHERE parameters such as date published > 30 days.

Posted by Robert DeBellis 14 days ago
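The per-severity breakdown can be done without a separate CTE per severity, by counting conditionally inside one grouped query. The following is an added example, not the poster's query or Rapid7's: it uses PostgreSQL's `COUNT(...) FILTER (WHERE ...)` (available in PostgreSQL 9.4 and later) and keeps the "published more than 30 days ago" condition in the join so assets with no qualifying findings still appear with zero counts. The three `WITH` blocks are constructed sample data whose names and columns mirror the reporting tables used in the question (`dim_asset`, `dim_vulnerability`, `fact_asset_vulnerability_age`); because a CTE shadows a table of the same name, deleting the `WITH` block runs the same `SELECT` against the real reporting model, and the `fact_asset_date(...)` and `dim_operating_system` joins from the original query can be added back unchanged.

```sql
-- Added example (not from the original post): per-asset vulnerability counts by severity.
-- The CTEs below are constructed sample data standing in for the Nexpose reporting tables.
WITH dim_asset(asset_id, ip_address, host_name) AS (
  VALUES (1, '10.0.0.21', 'web01'),
         (2, '10.0.0.22', 'db01')
),
dim_vulnerability(vulnerability_id, title, severity, date_published) AS (
  VALUES (100, 'Old critical',       'Critical', DATE '2017-01-01'),
         (101, 'Old severe',         'Severe',   DATE '2017-06-01'),
         (102, 'Old moderate',       'Moderate', DATE '2018-01-01'),
         (103, 'Brand new critical', 'Critical', current_date)   -- excluded by the 30-day rule
),
fact_asset_vulnerability_age(asset_id, vulnerability_id) AS (
  VALUES (1, 100), (1, 101), (1, 102), (1, 103),
         (2, 101), (2, 102)
)
SELECT da.ip_address AS "IP Address",
       da.host_name  AS "Host Name",
       COUNT(dv.vulnerability_id)                                      AS "Total Vulnerabilities",
       COUNT(dv.vulnerability_id) FILTER (WHERE dv.severity = 'Critical') AS "Critical",
       COUNT(dv.vulnerability_id) FILTER (WHERE dv.severity = 'Severe')   AS "Severe",
       COUNT(dv.vulnerability_id) FILTER (WHERE dv.severity = 'Moderate') AS "Moderate"
FROM dim_asset da
LEFT OUTER JOIN fact_asset_vulnerability_age fava ON fava.asset_id = da.asset_id
LEFT OUTER JOIN dim_vulnerability dv
       ON dv.vulnerability_id = fava.vulnerability_id
      -- Putting the age condition here instead of in WHERE keeps the LEFT JOIN outer,
      -- so an asset with nothing older than 30 days is still listed with zeros.
      AND now() - dv.date_published > INTERVAL '30 days'
GROUP BY da.asset_id, da.ip_address, da.host_name
ORDER BY da.ip_address;
```

With the sample data, web01 reports 3 total (1 Critical, 1 Severe, 1 Moderate) because the vulnerability published today is dropped by the 30-day condition, and db01 reports 2 total (0 Critical, 1 Severe, 1 Moderate). On a PostgreSQL build older than 9.4, `SUM(CASE WHEN dv.severity = 'Critical' THEN 1 ELSE 0 END)` gives the same result as each `FILTER` clause.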