ucsb-seclab/CVEX

Implement automatic verification of CVE exploitation

Opened this issue · 0 comments

Currently, there is no method to verify whether a CVE has been successfully exploited. A solution would be to introduce the mandatory parameter "verify" to cvex.yml with a string that CVEX would have to find in logs (outputs of commands, pcaps, strace logs, ProcessMonitor logs):

blueprint: windows10-windows10
windows1:
  trace: "nginx"
  playbook: "windows1.yml"
  verify: "string to find in logs of windows1"
windows2:
  command: "curl https://windows1/index.html?cat=(select*from(select(sleep(15)))a)"
  verify: "string to find in logs of windows2"

For example, "verify" can be:

  • "is vulnerable" that an exploit would print
  • "uid=0(root) gid=0(root) groups=0(root)" that an exploit would print
  • "root:x:0:0:root:/root:/bin/bash" that would be present in the pcap when an exploit downloads /etc/passwd
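The check proposed above, as an added example that is not part of CVEX's code or of this issue: each host section of cvex.yml must carry a "verify" string, and after the run every artifact collected for that host (command output, strace or ProcessMonitor logs, pcaps scanned as raw bytes) is searched for it. The config dict, the log lines and the capture bytes below are constructed for the example (the dict is the shape a YAML loader would produce from the cvex.yml in the issue); the extra rule that "verify" must not already appear in the host's own "command" is an assumption added here, since such a string would match the request in any pcap whether or not the exploit succeeded.

```python
"""Added example (not CVEX's own code): a minimal implementation of the
"verify" parameter proposed in this issue. A host counts as exploited when
any artifact collected for it contains the host's verify string."""
from typing import Dict, Mapping, Optional, Union

Artifact = Union[str, bytes]


def search_artifact(verify: str, artifact: Artifact) -> Optional[str]:
    """Return where `verify` occurs in the artifact, or None.

    Text logs report the 1-based line number; binary artifacts such as pcaps
    are scanned as raw bytes and report the byte offset. A string split
    across two TCP segments would not match in a raw byte scan; stream
    reassembly is out of scope for this example.
    """
    if isinstance(artifact, bytes):
        off = artifact.find(verify.encode())
        return f"offset {off}" if off >= 0 else None
    for lineno, line in enumerate(artifact.splitlines(), start=1):
        if verify in line:
            return f"line {lineno}"
    return None


def check_config(host: str, section: Mapping[str, str]) -> str:
    """Validate one cvex.yml host section and return its verify string.

    "verify" is mandatory (the issue's proposal). The second rule is an
    assumption added here: a verify string contained in the host's own
    "command" would always be found in a pcap of that request.
    """
    verify = section.get("verify")
    if not verify:
        raise ValueError(f"{host}: 'verify' is mandatory in cvex.yml")
    if verify in section.get("command", ""):
        raise ValueError(
            f"{host}: 'verify' appears in 'command'; it would match even if the exploit failed"
        )
    return verify


def verify_run(
    config: Mapping[str, object], artifacts: Mapping[str, Mapping[str, Artifact]]
) -> Dict[str, dict]:
    """Check every host in the config against its collected artifacts."""
    results: Dict[str, dict] = {}
    for host, section in config.items():
        if not isinstance(section, dict):  # e.g. the top-level "blueprint" key
            continue
        verify = check_config(host, section)
        hits = {
            name: where
            for name, data in artifacts.get(host, {}).items()
            if (where := search_artifact(verify, data)) is not None
        }
        results[host] = {"exploited": bool(hits), "hits": hits}
    return results


# Constructed config mirroring the issue's cvex.yml proposal.
CVEX_YML = {
    "blueprint": "windows10-windows10",
    "windows1": {
        "trace": "nginx",
        "playbook": "windows1.yml",
        "verify": "root:x:0:0:root:/root:/bin/bash",
    },
    "windows2": {
        "command": "curl https://windows1/index.html?cat=(select*from(select(sleep(15)))a)",
        "verify": "uid=0(root) gid=0(root) groups=0(root)",
    },
}

# Constructed artifacts: an strace log and raw capture bytes for windows1
# (the passwd line leaked), and only an unremarkable command output for windows2.
ARTIFACTS = {
    "windows1": {
        "strace.log": (
            '12345 openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3\n'
            '12345 read(3, "root:x:0:0:root:/root:/bin/bash\\n", 4096) = 42\n'
        ),
        "capture.pcap": (
            b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00HTTP/1.1 200 OK\r\n\r\n"
            b"root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\n"
        ),
    },
    "windows2": {"command.out": "curl: (7) Failed to connect to windows1 port 443\n"},
}

if __name__ == "__main__":
    for host, result in verify_run(CVEX_YML, ARTIFACTS).items():
        print(host, "exploited" if result["exploited"] else "not exploited", result["hits"])
```

With these constructed inputs windows1 is reported as exploited (the verify string is found on line 2 of the strace log and in the capture bytes) and windows2 is not, because the only artifact for it is a failed curl. Choosing a verify string that only a successful exploit can produce is what makes the result meaningful; the SQL payload itself from the command line would be the wrong choice for exactly that reason.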