Refactor some cves

Ostorlab · Feb 24, 2025 · 76a20c6 · 76a20c6
1 parent 05fd2ed
commit 76a20c6
Show file tree

Hide file tree

Showing 9 changed files with 170 additions and 429 deletions.
diff --git a/agent/exploits/cve_2018_15133.py b/agent/exploits/cve_2018_15133.py
@@ -4,13 +4,10 @@
 from urllib import parse as urlparse
 
 from packaging import version
-from ostorlab.agent.kb import kb
 from requests import exceptions as requests_exceptions
-from ostorlab.agent.mixins import agent_report_vulnerability_mixin
 
 from agent import definitions
 from agent import exploits_registry
-from agent.exploits import common
 
 VULNERABILITY_TITLE = "PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution"
 VULNERABILITY_REFERENCE = "CVE-2018-15133"
@@ -23,6 +20,9 @@
     "attacker previously had privileged access or successfully accomplished a previous "
     "attack."
 )
+REFERENCES = {
+    "exploit-db.com": "https://www.exploit-db.com/exploits/47129",
+}
 
 DEFAULT_TIMEOUT = 30
 TARGET_ENDPOINT = "/_ignition/execute-solution"
@@ -38,6 +38,17 @@ class CVE201815133Exploit(definitions.Exploit):
     CVE-2018-15133: PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 RCE
     """
 
+    metadata = definitions.VulnerabilityMetadata(
+        title=VULNERABILITY_TITLE,
+        description=VULNERABILITY_DESCRIPTION,
+        reference=VULNERABILITY_REFERENCE,
+        references=REFERENCES,
+        risk_rating="CRITICAL",
+        targeted_by_malware=True,
+        targeted_by_ransomware=True,
+        targeted_by_nation_state=True,
+    )
+
     def accept(self, target: definitions.Target) -> bool:
         try:
             self.session.get(target.origin, timeout=DEFAULT_TIMEOUT)
@@ -67,44 +78,3 @@ def check(self, target: definitions.Target) -> list[definitions.Vulnerability]:
             return [vulnerability]
 
         return []
-
-    def _create_vulnerability(
-        self, target: definitions.Target
-    ) -> definitions.Vulnerability:
-        entry = kb.Entry(
-            title=VULNERABILITY_TITLE,
-            risk_rating="CRITICAL",
-            short_description=VULNERABILITY_DESCRIPTION,
-            description=VULNERABILITY_DESCRIPTION,
-            references={
-                "nvd.nist.gov": f"https://nvd.nist.gov/vuln/detail/{VULNERABILITY_REFERENCE}",
-                "exploit-db.com": "https://www.exploit-db.com/exploits/47129",
-            },
-            recommendation=(
-                "- Make sure to install the latest security patches from software vendor \n"
-                "- Update to the latest software version"
-            ),
-            security_issue=True,
-            privacy_issue=False,
-            has_public_exploit=True,
-            targeted_by_malware=True,
-            targeted_by_ransomware=True,
-            targeted_by_nation_state=True,
-        )
-        technical_detail = (
-            f"{target.url} is vulnerable to {VULNERABILITY_REFERENCE}, "
-            f"{VULNERABILITY_TITLE}"
-        )
-        vulnerability_location = common.build_vuln_location(target.url)
-        dna = common.compute_dna(
-            vulnerability_title=VULNERABILITY_TITLE,
-            vuln_location=vulnerability_location,
-        )
-        vulnerability = definitions.Vulnerability(
-            entry=entry,
-            technical_detail=technical_detail,
-            risk_rating=agent_report_vulnerability_mixin.RiskRating.CRITICAL,
-            vulnerability_location=vulnerability_location,
-            dna=dna,
-        )
-        return vulnerability
diff --git a/agent/exploits/cve_2019_12989.py b/agent/exploits/cve_2019_12989.py
@@ -7,12 +7,9 @@
 from urllib3 import disable_warnings
 
 from requests import exceptions as requests_exceptions
-from ostorlab.agent.mixins import agent_report_vulnerability_mixin
-from ostorlab.agent.kb import kb
 
 from agent import definitions
 from agent import exploits_registry
-from agent.exploits import common
 
 disable_warnings(exceptions.InsecureRequestWarning)
 
@@ -21,12 +18,52 @@
 
 logger = logging.getLogger(__name__)
 
+VULNERABILITY_TITLE = (
+    "Security Vulnerabilities in Citrix CVE-2019-12989 and CVE-2019-12991"
+)
+VULNERABILITY_REFERENCE = "CVE-2019-12989"
+VULNERABILITY_DESCRIPTION = (
+    "CVE-2019-12989: The cgi-bin/sdwanrestapi/getpackagefile.cgi Perl script "
+    "contains a SQL injection vulnerability that can be exploited by a remote, unauthenticated attacker."
+    "Input validation is not applied before incorporating user input in "
+    "a SQL query. By exploiting this vulnerability with a crafted HTTP request, an attacker is able to"
+    "write to (and create) files in locations writable by the 'mysql' user. "
+    "CVE-2019-12991: Installpatch.cgi suffers from a command injection vulnerability."
+    " This vulnerability can be exploited by a remote, authenticated attacker to execute OS commands"
+    " with root privileges.Specifically, the 'installfile' parameter value is not "
+    "validated prior to using it in a call to the Perl system() function."
+)
+VULNERABILITY_SHORT_DESCRIPTION = (
+    "Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution"
+)
+REFERENCES = {
+    "Tenable Research": "https://www.tenable.com/security/research/tra-2019-32",
+    "Medium - Tenable TechBlog": "https://medium.com/tenable-techblog/an-exploit-chain-against-citrix-sd-wan-709db08fb4ac",
+    "Citrix Support Article": "https://support.citrix.com/article/CTX251987",
+}
+RECOMMENDATION = """
+    These vulnerabilities have been addressed in the following software versions:
+    NetScaler SD-WAN Center 10.0.8 and NetScaler SD-WAN 10.0.8 Appliance
+    Citrix SD-WAN Center 10.2.3 and Citrix SD-WAN 10.2.3 Appliance
+    Citrix strongly recommends that customers using vulnerable software upgrade their SD-WAN Center management console or SD-WAN appliance to the new version or later as soon as possible.
+"""
+
 
 @exploits_registry.register
 class CVE201912989Exploit(definitions.Exploit):
-    """
-    CVE-2019-12989 and CVE-2019-12991 : Security Vulnerabilities in Citrix SD-WAN .
-    """
+    """CVE-2019-12989 and CVE-2019-12991: Security Vulnerabilities in Citrix SD-WAN"""
+
+    metadata = definitions.VulnerabilityMetadata(
+        title=VULNERABILITY_TITLE,
+        description=VULNERABILITY_DESCRIPTION,
+        reference=VULNERABILITY_REFERENCE,
+        references=REFERENCES,
+        risk_rating="CRITICAL",
+        short_description=VULNERABILITY_SHORT_DESCRIPTION,
+        recommendation=RECOMMENDATION,
+        targeted_by_ransomware=True,
+        targeted_by_nation_state=True,
+    )
 
     def accept(self, target: definitions.Target) -> bool:
         try:
@@ -67,60 +104,11 @@ def check(self, target: definitions.Target) -> list[definitions.Vulnerability]:
         try:
             if r.status_code == 400 and r.json() == expected:
                 vulnerability = self._create_vulnerability(target)
+                vulnerability.technical_detail = (
+                    f"{target.url} is vulnerable to CVE-2019-12989 and CVE-2019-12991"
+                )
                 return [vulnerability]
             else:
                 return []
         except json.JSONDecodeError:
             return []
-
-    def _create_vulnerability(
-        self, target: definitions.Target
-    ) -> definitions.Vulnerability:
-        entry = kb.Entry(
-            title="Security Vulnerabilities in Citrix CVE-2019-12989 and CVE-2019-12991",
-            risk_rating="CRITICAL",
-            short_description="Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution",
-            description="CVE-2019-12989: The cgi-bin/sdwanrestapi/getpackagefile.cgi Perl script "
-            "contains a SQL injection vulnerability that can be exploited by a remote, unauthenticated attacker."
-            "Input validation is not applied before incorporating user input in "
-            "a SQL query. By exploiting this vulnerability with a crafted HTTP request, an attacker is able to"
-            "write to (and create) files in locations writable by the 'mysql' user. "
-            "CVE-2019-12991: Installpatch.cgi suffers from a command injection vulnerability."
-            " This vulnerability can be exploited by a remote, authenticated attacker to execute OS commands"
-            " with root privileges.Specifically, the 'installfile' parameter value is not "
-            "validated prior to using it in a call to the Perl system() function.",
-            references={
-                "Tenable Research": "https://www.tenable.com/security/research/tra-2019-32",
-                "Medium - Tenable TechBlog": "https://medium.com/tenable-techblog/"
-                "an-exploit-chain-against-citrix-sd-wan-709db08fb4ac",
-                "Citrix Support Article": "https://support.citrix.com/article/CTX251987",
-            },
-            recommendation="""
-                 These vulnerabilities have been addressed in the following software versions:
-                 NetScaler SD-WAN Center 10.0.8 and NetScaler SD-WAN 10.0.8 Appliance
-                 Citrix SD-WAN Center 10.2.3 and Citrix SD-WAN 10.2.3 Appliance
-                 Citrix strongly recommends that customers using vulnerable software upgrade their SD-WAN Center management console or SD-WAN appliance to the new version or later as soon as possible.
-                 """,
-            security_issue=True,
-            privacy_issue=False,
-            has_public_exploit=True,
-            targeted_by_malware=False,
-            targeted_by_ransomware=True,
-            targeted_by_nation_state=True,
-        )
-        technical_detail = (
-            f"{target.url} is vulnerable to CVE-2019-12989 and CVE-2019-12991"
-        )
-        vulnerability_location = common.build_vuln_location(target.url)
-        dna = common.compute_dna(
-            vulnerability_title=entry.title,
-            vuln_location=vulnerability_location,
-        )
-        vulnerability = definitions.Vulnerability(
-            entry=entry,
-            technical_detail=technical_detail,
-            risk_rating=agent_report_vulnerability_mixin.RiskRating.CRITICAL,
-            vulnerability_location=vulnerability_location,
-            dna=dna,
-        )
-        return vulnerability
diff --git a/agent/exploits/cve_2019_7193.py b/agent/exploits/cve_2019_7193.py
@@ -2,20 +2,21 @@
 
 import re
 
-from ostorlab.agent.kb import kb
-from ostorlab.agent.mixins import agent_report_vulnerability_mixin
 from requests import exceptions as requests_exceptions
 
 from agent import definitions
 from agent import exploits_registry
-from agent.exploits import common
 
 VULNERABILITY_TITLE = "QNAP QTS Improper Input Validation Vulnerability"
 VULNERABILITY_REFERENCE = "CVE-2019-7193"
 VULNERABILITY_DESCRIPTION = (
     "This improper input validation vulnerability allows remote attackers to inject arbitrary code to the system. "
     "To fix the vulnerability, QNAP recommend updating QTS to their latest versions."
 )
+REFERENCES = {
+    "qnap.com": "https://www.qnap.com/en-us/security-advisory/nas-201911-25",
+    "packetstormsecurity.com": "https://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html",
+}
 
 DEFAULT_TIMEOUT = 90
 HEADERS = {"User-Agent": "Gundy - QNAP RCE"}
@@ -28,6 +29,17 @@ class CVE20197193Exploit(definitions.Exploit):
     CVE-2019-7193: QNAP QTS Improper Input Validation Vulnerability
     """
 
+    metadata = definitions.VulnerabilityMetadata(
+        title=VULNERABILITY_TITLE,
+        description=VULNERABILITY_DESCRIPTION,
+        reference=VULNERABILITY_REFERENCE,
+        references=REFERENCES,
+        risk_rating="CRITICAL",
+        targeted_by_malware=True,
+        targeted_by_ransomware=True,
+        targeted_by_nation_state=True,
+    )
+
     def accept(self, target: definitions.Target) -> bool:
         try:
             resp = self.session.get(
@@ -92,46 +104,5 @@ def check(self, target: definitions.Target) -> list[definitions.Vulnerability]:
         if b"/bin/sh" not in resp.content:
             return []
 
-        vulnerability = self._create_vulnerability(target.url)
+        vulnerability = self._create_vulnerability(target)
         return [vulnerability]
-
-    def _create_vulnerability(self, target_uri: str) -> definitions.Vulnerability:
-        entry = kb.Entry(
-            title=VULNERABILITY_TITLE,
-            risk_rating="CRITICAL",
-            short_description=VULNERABILITY_DESCRIPTION,
-            description=VULNERABILITY_DESCRIPTION,
-            references={
-                "nvd.nist.gov": f"https://nvd.nist.gov/vuln/detail/{VULNERABILITY_REFERENCE}",
-                "qnap.com": "https://www.qnap.com/en-us/security-advisory/nas-201911-25",
-                "packetstormsecurity.com": "https://packetstormsecurity.com/files/157857/"
-                "QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html",
-            },
-            recommendation=(
-                "- Make sure to install the latest security patches from software vendor \n"
-                "- Update to the latest software version"
-            ),
-            security_issue=True,
-            privacy_issue=False,
-            has_public_exploit=True,
-            targeted_by_malware=True,
-            targeted_by_ransomware=True,
-            targeted_by_nation_state=True,
-        )
-        technical_detail = (
-            f"{target_uri} is vulnerable to {VULNERABILITY_REFERENCE}, "
-            f"{VULNERABILITY_TITLE}"
-        )
-        vulnerability_location = common.build_vuln_location(target_uri)
-        dna = common.compute_dna(
-            vulnerability_title=VULNERABILITY_TITLE,
-            vuln_location=vulnerability_location,
-        )
-        vulnerability = definitions.Vulnerability(
-            entry=entry,
-            technical_detail=technical_detail,
-            risk_rating=agent_report_vulnerability_mixin.RiskRating.CRITICAL,
-            vulnerability_location=vulnerability_location,
-            dna=dna,
-        )
-        return vulnerability