Last active March 6, 2021 19:54
OVAL Language for detecting the CVE-2018-7187 vulnerability in a Linux environment. This PoC was made to answer this question: https://security.stackexchange.com/questions/194557/how-to-discover-known-vulnerabilities-cves-in-go-executables
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions
    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd">
  <generator>
    <oval:product_name>Security StackExchange Question - 194557</oval:product_name>
    <oval:schema_version>5.10</oval:schema_version>
    <oval:timestamp>2018-09-27T08:17:02</oval:timestamp>
  </generator>
  <definitions>
    <definition xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" class="vulnerability" id="oval:com.stackexchange.security:def:666" version="1">
      <metadata>
        <title>Golang 1.9.4 "go get" RCE Vulnerability - CVE-2018-7187</title>
        <affected family="unix">
          <product>golang</product>
        </affected>
        <reference ref_id="CVE-2018-7187" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7187" source="CVE"/>
        <description>The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
        </description>
      </metadata>
      <!-- Both criteria must hold: the package is present and its version matches. -->
      <criteria comment="Golang is installed + vulnerable version" operator="AND">
        <criterion comment="Golang is installed" test_ref="oval:com.stackexchange.security:tst:666000"/>
        <criterion comment="Golang version is equal to 1.9.4" test_ref="oval:com.stackexchange.security:tst:666002"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <!-- Existence check only: passes when the dpkg package named in obj:666002 is installed. -->
    <dpkginfo_test comment="Golang is installed" check="all" check_existence="at_least_one_exists" id="oval:com.stackexchange.security:tst:666000" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
      <object object_ref="oval:com.stackexchange.security:obj:666002"/>
    </dpkginfo_test>
    <!-- No state_operator is set, so the two states below are combined with the default AND:
         as written, only version 1.9.4 satisfies this test. -->
    <dpkginfo_test comment="Golang version is equals to 1.9.4 or 1.9.3" check="all" check_existence="at_least_one_exists" id="oval:com.stackexchange.security:tst:666002" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
      <object object_ref="oval:com.stackexchange.security:obj:666002"/>
      <state state_ref="oval:com.stackexchange.security:ste:666002"/>
      <state state_ref="oval:com.stackexchange.security:ste:666003"/>
    </dpkginfo_test>
  </tests>
  <objects>
    <!-- The dpkg package whose installed version is inspected. -->
    <dpkginfo_object id="oval:com.stackexchange.security:obj:666002" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
      <name>golang-1.9</name>
    </dpkginfo_object>
  </objects>
  <states>
    <dpkginfo_state id="oval:com.stackexchange.security:ste:666002" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
      <version datatype="version" operation="equals">1.9.4</version>
    </dpkginfo_state>
    <dpkginfo_state id="oval:com.stackexchange.security:ste:666003" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
      <version datatype="version" operation="greater than or equal">1.9.3</version>
    </dpkginfo_state>
  </states>
</oval_definitions>
I will check this rule on Ubuntu 18.04.1 LTS because I already have it installed in my lab. Hence, I have to edit some lines to detect the installed Ubuntu.
Edit:
I did it better: as we know, this vulnerability may exist on any Linux-like OS environment that has golang-1.9.4 or golang-1.9.3 installed. According to the CVE-2018-7187 description, this vulnerability exists only in golang version 1.9.4. That is false information because it can be exploited on golang-1.9.3 as well, but it cannot be exploited on golang "<=1.7.x" versions. I have not tested other golang versions, but I believe that it works on versions that are less than or equal to golang-1.9.4: 1.9.x <= 1.9.4
Works like a charm:
$ oscap oval eval linux-definitions-vulnerability-oval.xml
Definition oval:com.stackexchange.security:def:666: true
Evaluation done.
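The test `tst:666002` in the file lists two states without a `state_operator`, which OVAL combines with AND. The following added example (not part of the gist) evaluates that logic in Python over constructed version strings; ids are shortened, `tst:or`, `tst:range` and `ste:max` are hypothetical variants, and the version comparison is a simplified dotted-integer one.

```python
import operator
import xml.etree.ElementTree as ET

LINUX = "{http://oval.mitre.org/XMLSchema/oval-definitions-5#linux}"
OPS = {"equals": operator.eq,
       "greater than or equal": operator.ge,
       "less than or equal": operator.le}

# Constructed fragment. tst:666002 mirrors the gist's test; tst:or, tst:range
# and ste:max are hypothetical variants added here for comparison.
OVAL = """\
<oval xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <dpkginfo_test id="tst:666002">
    <state state_ref="ste:666002"/><state state_ref="ste:666003"/>
  </dpkginfo_test>
  <dpkginfo_test id="tst:or" state_operator="OR">
    <state state_ref="ste:666002"/><state state_ref="ste:666003"/>
  </dpkginfo_test>
  <dpkginfo_test id="tst:range">
    <state state_ref="ste:666003"/><state state_ref="ste:max"/>
  </dpkginfo_test>
  <dpkginfo_state id="ste:666002"><version operation="equals">1.9.4</version></dpkginfo_state>
  <dpkginfo_state id="ste:666003"><version operation="greater than or equal">1.9.3</version></dpkginfo_state>
  <dpkginfo_state id="ste:max"><version operation="less than or equal">1.9.4</version></dpkginfo_state>
</oval>"""

def vkey(text):
    """Simplified 'version' datatype: dotted integers compared as a tuple."""
    return tuple(int(part) for part in text.strip().split("."))

def matches(root, test_id, installed):
    """Return True if the installed version satisfies the test's states."""
    test = root.find(f"{LINUX}dpkginfo_test[@id='{test_id}']")
    results = []
    for ref in test.findall(f"{LINUX}state"):
        state = root.find(f"{LINUX}dpkginfo_state[@id='{ref.get('state_ref')}']")
        ver = state.find(f"{LINUX}version")
        results.append(OPS[ver.get("operation")](vkey(installed), vkey(ver.text)))
    # Multiple states are combined with AND unless state_operator says otherwise.
    return any(results) if test.get("state_operator", "AND") == "OR" else all(results)

def matching(test_id, versions=("1.9.2", "1.9.3", "1.9.4", "1.9.5", "1.10.1")):
    """List the constructed sample versions that the given test would flag."""
    root = ET.fromstring(OVAL)
    return [v for v in versions if matches(root, test_id, v)]
```

`matching("tst:666002")` flags only 1.9.4, while `matching("tst:range")` flags 1.9.3 and 1.9.4. Switching to `state_operator="OR"` instead widens the match to every sample version from 1.9.3 upward.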
I have not executed it on Debian GNU/Linux 7 yet, but it apparently works.
I have just tested it from Kali Linux amd64: