@slayerlab
Last active March 6, 2021 19:54
OVAL Language to detect the CVE-2018-7187 vulnerability in a Linux environment. This PoC was made to answer this question: https://security.stackexchange.com/questions/194557/how-to-discover-known-vulnerabilities-cves-in-go-executables
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd">
<generator>
<oval:product_name>Security StackExchange Question - 194557</oval:product_name>
<oval:schema_version>5.10</oval:schema_version>
<oval:timestamp>2018-09-27T08:17:02</oval:timestamp>
</generator>
<definitions>
<definition xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" class="vulnerability" id="oval:com.stackexchange.security:def:666" version="1">
<metadata>
<title>Golang 1.9.4 "go get" RCE Vulnerability - CVE-2018-7187</title>
<affected family="unix">
<product>golang</product>
</affected>
<reference ref_id="CVE-2018-7187" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7187" source="CVE"/>
<description>The "go get" implementation in Go 1.9.4, when the -insecure command-line option is used, does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.
</description>
</metadata>
<criteria comment="Golang is installed + vulnerable version" operator="AND">
<criterion comment="Golang is installed" test_ref="oval:com.stackexchange.security:tst:666000"/>
<criterion comment="Golang version is 1.9.3 or 1.9.4" test_ref="oval:com.stackexchange.security:tst:666002"/>
</criteria>
</definition>
</definitions>
<tests>
<dpkginfo_test comment="Golang is installed" check="all" check_existence="at_least_one_exists" id="oval:com.stackexchange.security:tst:666000" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:com.stackexchange.security:obj:666002"/>
</dpkginfo_test>
<!-- Both states must match (state_operator defaults to AND); together they select versions from 1.9.3 through 1.9.4 -->
<dpkginfo_test comment="Golang version is 1.9.3 or 1.9.4" check="all" check_existence="at_least_one_exists" state_operator="AND" id="oval:com.stackexchange.security:tst:666002" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<object object_ref="oval:com.stackexchange.security:obj:666002"/>
<state state_ref="oval:com.stackexchange.security:ste:666002"/>
<state state_ref="oval:com.stackexchange.security:ste:666003"/>
</dpkginfo_test>
</tests>
<objects>
<dpkginfo_object id="oval:com.stackexchange.security:obj:666002" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<name>golang-1.9</name>
</dpkginfo_object>
</objects>
<states>
<!-- Upper bound of the vulnerable range -->
<dpkginfo_state id="oval:com.stackexchange.security:ste:666002" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<version datatype="version" operation="less than or equal">1.9.4</version>
</dpkginfo_state>
<!-- Lower bound of the vulnerable range -->
<dpkginfo_state id="oval:com.stackexchange.security:ste:666003" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
<version datatype="version" operation="greater than or equal">1.9.3</version>
</dpkginfo_state>
</states>
</oval_definitions>
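How two `<state>` references on one `dpkginfo_test` combine, as an added example that is not part of the gist: a small Python model of the test/state evaluation over a constructed fragment. The fragment, the ids `tst:1` and `ste:*`, the sample version list and the simplified version comparison are assumptions of this sketch; `state_operator` is AND when the attribute is absent.

```python
import re
import xml.etree.ElementTree as ET
from itertools import zip_longest

NS = "{http://oval.mitre.org/XMLSchema/oval-definitions-5#linux}"
# Constructed fragment (not the gist's file): one test referencing two states.
FRAGMENT = """<root xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
  <dpkginfo_test id="tst:1" check="all">
    <state state_ref="ste:1"/><state state_ref="ste:2"/>
  </dpkginfo_test>
  <dpkginfo_state id="ste:1"><version datatype="version" operation="{op}">1.9.4</version></dpkginfo_state>
  <dpkginfo_state id="ste:2"><version datatype="version" operation="greater than or equal">1.9.3</version></dpkginfo_state>
</root>"""

# Each operation is applied to the sign of cmp_version(installed, state_value).
OPS = {
    "equals": lambda c: c == 0,
    "less than or equal": lambda c: c <= 0,
    "greater than or equal": lambda c: c >= 0,
}

def cmp_version(a, b):
    """Compare numeric components left to right; missing ones count as 0 (assumption)."""
    pa = [int(x) for x in re.findall(r"\d+", a)]
    pb = [int(x) for x in re.findall(r"\d+", b)]
    for x, y in zip_longest(pa, pb, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

def evaluate(xml_text, installed_version):
    """Return True when the installed version satisfies the test's combined states."""
    root = ET.fromstring(xml_text)
    test = root.find(NS + "dpkginfo_test")
    states = {s.get("id"): s.find(NS + "version") for s in root.findall(NS + "dpkginfo_state")}
    results = []
    for ref in test.findall(NS + "state"):
        v = states[ref.get("state_ref")]
        results.append(OPS[v.get("operation")](cmp_version(installed_version, v.text)))
    op = test.get("state_operator", "AND")  # OVAL default when the attribute is absent
    return all(results) if op == "AND" else any(results)

def matching(first_state_op, versions=("1.9.2", "1.9.3", "1.9.4", "1.9.5")):
    """List the sample versions flagged when the 1.9.4 state uses the given operation."""
    return [v for v in versions if evaluate(FRAGMENT.format(op=first_state_op), v)]

if __name__ == "__main__":
    for op in ("equals", "less than or equal"):
        print(op, "->", matching(op))
```

Pairing `equals 1.9.4` with `greater than or equal 1.9.3` under AND flags only 1.9.4; using `less than or equal 1.9.4` as the first state flags both 1.9.3 and 1.9.4.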
@slayerlab
Author

I have not run it on Debian GNU/Linux 7 yet, but it apparently works.
I have just tested it on Kali Linux amd64:

$ uname -a
Linux kali 4.18.0-kali1-amd64 #1 SMP Debian 4.18.6-1kali1 (2018-09-10) x86_64 GNU/Linux
$ oscap oval eval linux-definitions-oval.xml 
Definition oval:com.stackexchange.security:def:666: false
Evaluation done.

@slayerlab
Author

slayerlab commented Sep 29, 2018

I will check this rule on Ubuntu 18.04.1 LTS because I already have it installed in my lab. Hence, I have to edit some lines to detect the installed Ubuntu.

Edit:

I did it better: As we know, this vulnerability may exist on any Linux-like OS environment that has golang-1.9.4 or golang-1.9.3 installed. According to the CVE-2018-7187 description, this vulnerability exists only in golang version 1.9.4. That is false information, because it can be exploited on golang-1.9.3 as well, but it cannot be exploited on golang "<=1.7.x" versions. I have not tested other golang versions, but I believe that it works on versions less than or equal to golang-1.9.4: 1.9.x <= 1.9.4

@slayerlab
Author

Works like a charm:

$ oscap oval eval linux-definitions-vulnerability-oval.xml 
Definition oval:com.stackexchange.security:def:666: true
Evaluation done.
