Welcome back, my nascent hackers!
Earlier, I wrote a guide on finding operating system and application vulnerabilities in Microsoft's own security bulletins/vulnerability database. In this tutorial, I will demonstrate another invaluable resource for finding vulnerabilities and exploits by using the SecurityFocus database.
Most often, when we're trying to hack a system, the vulnerabilities and exploits that will work on the target are not going to be simply handed to us, like I have done in these tutorials. We need to do a bit of research to find what will work on a particular target system. After running reconnaissance on the system, we can determine what operating system is running, what ports are open, and what services are running. From there, we need to decide upon the best strategy to compromise the system without being detected. That's not always going to be obvious or simple.
We most likely will have to do a little research first to find the proper vulnerability on the target system and then find an exploit to take advantage of it. In this tutorial, we'll look at one of the most complete and helpful resources in finding vulnerabilities and exploits.
Let's start by navigating to www.securityfocus.com.
We can see that the SecurityFocus database has some handy tools for searching for vulnerabilities. It will allow us to search by vendor, by title of the software and by the version. Finally, it will allow us to search by CVE, which is the Common Vulnerability and Exploit number. These numbers are assigned by Mitre Corporation, which is funded by the National Cyber Security Division of the U.S. Department of Homeland Security.
The CVE database includes nearly every vulnerability that has been found in the wild or discovered by security researchers, even if the software publisher doesn't want it known or hasn't patched it yet.
For instance, Adobe has had a very bad run in recent years with poorly designed software that's full of security vulnerabilities. These include such ubiquitous software as Adobe Reader, Adobe Flash, etc. Since nearly every client-side computer system has Adobe Flash or Reader installed on it, let's take a look at the known vulnerabilities to these applications.
Let's look at Adobe Flash. Simply select Adobe in the pull-down menu of vendors and then select Flash Player from the pull-down in the title window. Finally, click on the submit button and the system will return pages of Adobe Flash Player vulnerabilities.
The very first vulnerability to appear is Adobe Flash Player APS813-17 Multiple Remote Code Execution Vulnerabilities. This is a brand new vulnerability just published July 9, 2013. Woohoo!
Even better, it allows for "remote code execution," or in other words, it will allow for the installation of a listener/rootkit on the system running Flash Player. If we scroll down, we see that this vulnerability is included in the Android Flash Player 220.127.116.11 and nearly every version of Adobe Flash Player right up to 18.104.22.168. Since the current version of Adobe Flash Player is 11.8, this would mean that unless the user has updated their Flash Player very recently, this vulnerability exists on their system.
Now that we've found a vulnerability that virtually every PC will have, the next step is to find an exploit. A vulnerability is simply a weakness or hole in the system that can be exploited; it does not necessarily mean it has been exploited. Developing an exploit requires some advanced coding skills, but is not beyond the capability of a talented, aspiring hacker.
To find the exploit for this vulnerability, we simply need to click on the EXPLOIT tab at the top of the page. This will open that tab and reveal any and all exploits that have been developed for that vulnerability. When we do that for this brand new vulnerability, we can see that no one has yet developed the exploit.
So... all my newbie hackers, here is your opportunity to make your name and develop an exploit for this brand new vulnerability!
We can see that SecurityFocus has over four pages of vulnerabilities for Adobe Flash alone. This doesn't count all the other Adobe products that are almost as flawed as Flash Player. Do you have any question in your mind now why Apple banned Flash Player from its iOS?
Let's take a look at some of the other Flash Player vulnerabilities. If we scroll down a bit, we come to a vulnerability called Adobe Flash Player CVE-2012-0754. That one sounds interesting, so let's click on it.
We can see that it was published just last year, in February 2012, and was updated in June 2013. If we look down a bit, we can see all the browsers and operating systems that are vulnerable when running Flash Player.
Now, if we click on the Exploit tab, we can see that an exploit is available and we can get it through clicking on the link.
- msf> search adobe flash mp4
We can see that Metasploit has incorporated this exploit into its latest version and updates and is ready for us to use to own nearly any system (XP, Vista, and Windows 7 SP1) running Adobe Flash!
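Read from the defender's side, the two things this walkthrough pulls from each database entry (the affected version range and whether public exploit code is listed) are exactly what sets patch priority. The script below is an added example, not part of the original tutorial; the advisory ids, version thresholds and host inventory are all constructed placeholders.

```python
# Added example: patch triage from advisory data. Every record below is constructed.
from dataclasses import dataclass

def parse_version(text):
    """'11.7.700.224' -> (11, 7, 700, 224), so 11.10 sorts after 11.9."""
    return tuple(int(part) for part in text.strip().split("."))

@dataclass
class Advisory:
    ident: str            # placeholder id, not a real bulletin or CVE number
    product: str
    fixed_in: dict        # release branch (major, minor) -> first fixed version
    exploit_public: bool  # whether the entry lists public exploit code

    def affects(self, product, version):
        if product.lower() != self.product.lower():
            return False
        v = parse_version(version)
        fixed = self.fixed_in.get(v[:2])
        if fixed is not None:
            return v < parse_version(fixed)
        # Branch got no fix: affected if older than every fixed release.
        return v < min(parse_version(f) for f in self.fixed_in.values())

def triage(inventory, advisories):
    """Rows of (host, version, advisory id, priority), most urgent first."""
    rows = []
    for host, product, version in inventory:
        for adv in advisories:
            if adv.affects(product, version):
                priority = "patch-now" if adv.exploit_public else "scheduled"
                rows.append((host, version, adv.ident, priority))
    return sorted(rows, key=lambda r: (r[3] != "patch-now", r[0], r[2]))

# Constructed advisories and inventory (hypothetical ids, versions, host names).
ADVISORIES = [
    Advisory("EXAMPLE-ADV-1", "Flash Player",
             {(11, 7): "11.7.700.232", (11, 8): "11.8.800.94"}, False),
    Advisory("EXAMPLE-ADV-2", "Flash Player", {(11, 1): "11.1.102.62"}, True),
]
INVENTORY = [
    ("ws-014", "Flash Player", "11.7.700.224"),
    ("ws-022", "Flash Player", "11.8.800.94"),
    ("kiosk-03", "Flash Player", "10.3.183.90"),
    ("ws-031", "Flash Player", "11.1.102.55"),
]

if __name__ == "__main__":
    for row in triage(INVENTORY, ADVISORIES):
        print(*row, sep="  ")
```

Hosts on a release branch that never received a fix (the constructed kiosk here) are flagged by every advisory whose fixed releases are all newer, which is usually the correct reading for end-of-life installs.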