Common Vulnerability Scoring System (CVSS)

A1. Attack Vector (AV)

A1.1 Network (N)

Vulnerability is exploitable from across the internet, or absent more information, assume worst case.
  • The vulnerability is in the web application and reasonably requires network interaction with the server.
  • The attacker connects to the exploitable MySQL database over a network.
  • The attack is conducted over a network. Note that the attack can take place at any point between the victim and web server over which the network traffic is routed. The value is therefore Network rather than Adjacent Network; the latter is only used for attacks where the attacker must be on the same physical network (or equivalent).
  • VMX process is bound to the network stack and the attacker can send RPC commands remotely.
  • The vulnerability is in a network service that uses OpenSSL.
  • The attacker is sending the packets over the network.
  • The attacker can be multiple hops away from the vulnerable component.
  • A victim must access a vulnerable system via the network.
  • The victim must visit a malicious website that may exist outside the local network.
  • A PDF file opened in Google Chrome is automatically displayed using the PDFium functionality that is part of the browser and allows remote attackers to execute arbitrary code on vulnerable installations of Google Chrome.
  • An attack that is not limited to a collision domain and may be performed against any user on the network for which a man-in-the-middle scenario may be established.

A1.2 Adjacent (A)

Vulnerability is exploitable across a limited physical or logical network distance, i.e. bluetooth, wifi, etc.
  • Exploitation of this vulnerability requires network adjacency with the target system.
  • The attacker would need to be in the same proximity as the target machine in order to send and receive radio transmissions within the Bluetooth radio spectrum.

A1.3 Local (L)

Attack is committed through a local application vulnerability, or the attacker is able to log in locally.
  • Local user access is required to read/modify Tomcat configuration files.
  • The vulnerability is in the local parser.
  • A flaw in the local document software that is triggered by opening a malformed document.

A1.4 Physical (P)

Attacker requires physical access to the vulnerable component.
  • Requires physical access to the device.

A2. Attack Complexity (AC)

A2.1 Low (L)

The attacker can exploit the vulnerability at any time and expect repeatable success.
  • A valid session token can be easily obtained and many systems likely use well-known or default database names.
  • Replication must be enabled on the target database. Although disabled by default, it is common for it to be enabled.
  • The only required condition to exploit the VMware Guest to Host Escape Vulnerability is for virtual machines to have 4GB of memory.
  • No special knowledge is necessary to impact XML parser integrity.
  • Specialized conditions or advanced knowledge is not required. Access to the protected network is beyond the scope of Attack Complexity.
  • Specialized conditions or advanced knowledge is not required.
  • An attacker needs to only find a listening network service to mount an attack.
  • An attacker needs to only gain access to a listening service that uses the GNU Bash shell as an interpreter or interact with a GNU Bash shell directly.
  • The complexity of creating packets that match the criteria (non-first fragments) is low.
  • The complexity of crafting ARP packets to exploit the vulnerability is low.
  • The attack steps are simple.
  • A phishing email does not absolutely require victim reconnaissance.
  • The attacker does not need to perform any special reconnaissance for this attack.
  • Specialized access conditions or extenuating circumstances do not exist.

A2.2 High (H)

Successful attack depends on conditions beyond the attacker's control.

  • A man in the middle attack is complex for the attacker to perform.
  • The attacker must configure an authoritative source with a public IP to be routed to by the recursive server. The attacker must also beat a race condition to successfully exploit (regardless of how quick that race condition may occur).
  • The attacker must be able to monitor and alter victims' network traffic.
  • Measurable effort is typically required to intercept network traffic in this way, making attack complexity "High".
  • The attacker requires specialized access conditions or extenuating circumstances in order to create a man-in-the-middle scenario. In many circumstances this would require access to a private internal network.

A3. Privileges Required (PR)

A3.1 None (N)

An unauthorized attacker.
  • An attacker requires no privileges to mount an attack.
  • Some attack vectors do not require any privileges (e.g. CGI in web server).
  • A non-privileged user can initiate the packet stream.
  • A non-privileged user can generate the ARP packets.
  • The device is not protected with a PIN.
  • The attacker does not need any permissions to perform this attack, the attacker lets the victim perform the action on the attacker's behalf.

A3.2 Low (L)

User level access is required.
  • The attack requires an account with the ability to change user-supplied identifiers, such as table names. Basic users do not get this privilege by default, but it is not considered a sufficiently trusted privilege to warrant this metric being High.
  • The attacker must have access to the Guest VM. This is easy in a tenant environment.
  • Administrative privileges are not required.
  • An attacker must possess "upload" permission to upload a malicious SWF file to the vulnerable wiki.

A3.3 High (H)

Administrator or system level access required.
  • The user requires high privileges to be able to modify Tomcat configuration files.

A4. User Interaction

A4.1 None (N)

Attack can be accomplished without any user interaction.
  • The attacker requires no user interaction to successfully exploit the vulnerability. RPC commands can be sent anytime.
  • No user access is required for an attacker to launch a successful attack.
  • The attack does not rely on any user interaction.

A4.2 Required (R)

Successful attack requires user interaction.
  • A successful attack requires the victim to visit the vulnerable component, e.g. by clicking a malicious URL.
  • The victim must be tricked into running malicious code on her web browser.
  • The user needs to navigate to malicious website.
  • The victim needs to open the malformed document.
  • The victim must click a specially crafted link provided by the attacker.
  • A successful attack requires a victim to open a malicious PDF file.
  • A successful attack requires the victim user to perform a domain join, user account add, printer share, or similar action. The attacker must wait for an action to occur.

A5. Scope

A5.1 Changed (C)

Impacts caused to systems beyond the exploitable component.
  • The vulnerable component is the web server running the phpMyAdmin software. The impacted component is the victim's browser.
  • The vulnerable component is the MySQL server database and the impacted component is a remote MySQL server database (or databases).
  • The vulnerable component is a VMX process that can only be accessed from the Guest VM. The impacted component is the host OS which has separate authorization authority from the Guest VM.
  • The vulnerable component is the DNS server. The impacted component is the victim system who is unknowingly re-directed to unintended network locations based on the malicious DNS answers.
  • Assuming that Joomla has its own separate authorization authority and the attacker is able to break out from it and access files on the file system with privileges of web server which has a separate authorization authority.
  • The vulnerable component is the CRS itself, while the impacted component is the network and devices protected downstream by the CRS.
  • The vulnerable component is the Junos device itself, while the impacted component is any device for which the ARP entry is poisoned.
  • Based on the assumption that the attacker is breaking out of Chrome's controlled sandboxed environment, the vulnerable component is Google Chrome and the impacted component is the operating system on which Chrome is running.

A5.2 Unchanged (U)

Impact is localized to the exploitable component.
  • The vulnerable component is the web server because it insecurely responds to padding errors in a way that can be used to brute force encrypted data. The impacted component is also the web server because the cookie information disclosed is part of its authorization authority.
  • Assuming simple webapps that do not maintain separate authorization authority.
  • The vulnerability allows authorization bypass, but impact is contained to the original scope of vulnerable component.
  • The vulnerable component is OpenSSL which is integrated with the network service, therefore no change in scope occurs during the attack.
  • The vulnerable component is the GNU Bash shell which is used as an interpreter for various services or can be accessed directly, therefore no change in scope occurs during the attack.
  • The vulnerable component and the impacted component are the same, which is the operating system.
  • The vulnerable and impacted components are the same.
  • The vulnerable component is SearchBlox. The impacted component is also SearchBlox as the actions only affect the SearchBlox configuration.
  • The vulnerable component is OpenSSL. The impacted component is also OpenSSL as only the OpenSSL encrypted channel is impacted.
  • For CVE-2016-0128, the vulnerable component is the Windows subsystem consisting of the Windows Domain Controller and associated SAM database, that authenticates the victim’s SMB connections.
  • For CVE-2016-2118, the vulnerable component is the SAMBA server, that authenticates the victim’s SMB connections.
  • For both vulnerabilities, the impacted component is the same as the vulnerable component.

A6. Confidentiality (C)

A6.1 High (H)

All information is disclosed to the attacker, OR only some critical information is disclosed.
  • Full compromise of host OS via remote code execution.
  • Successful exploitation could result in a complete compromise of the targeted device which results in a complete (High) impact on Confidentiality of the device.
  • Arbitrary Code Execution
  • Access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact to the affected scope (e.g. the attacker can read the administrator's password, or private keys in memory are disclosed to the attacker).
  • Allows an attacker to take complete control of the affected system.
  • The attacker can read any traffic intended for the targeted subscriber(s).
  • The attacker can view, change, or delete data; or create new accounts with full user rights.
  • The attacker can obtain permissions to view all confidential data contained in SearchBlox.
  • An attacker is able to decrypt all SSL/TLS traffic between the client and server.
  • The worst case scenario is Chrome is running with administrative privileges. The attacker can overwrite system configuration and grant the attacker access to any data on the system.
  • The Google Chrome web browser is completely compromised and runs executable code created by the attacker.
  • An attacker can spoof a user and access the victim user’s resources on the vulnerable server. The attacker is assumed to target a highly privileged user.

A6.2 Low (L)

Some information can be obtained, and/or the attacker does not have control over the kind or degree of disclosure.
  • Information maintained in the victim's web browser can be read and sent to the attacker. This is constrained to information associated with the web site running phpMyAdmin, and cookie data is excluded because the HttpOnly flag is enabled by default by phpMyAdmin. If the HttpOnly flag is not set, the Confidentiality Impact will become High if the attacker has access to sufficient cookie data to hijack the victim's session.
  • The injected SQL runs with high privilege and can access information the attacker should not have access to. Although this runs on a remote database (or databases), it may be possible to exfiltrate the information as part of the SQL statement. The malicious SQL is injected into SQL statements that are part of the replication functionality, preventing the attacker from executing arbitrary SQL statements.
  • The attack discloses cookie information that the attacker should not have access to.
  • Webapp xml and tld files can be exposed.
  • The attacker is able to read files to which web server has access.
  • Information which should only be disclosed to the vulnerable site, such as cookies, could be provided by the victim's browser to the attacker.

A6.3 None (N)

No information disclosed.
  • Any confidentiality loss is a secondary impact.
  • Impact is scored against the network and devices beyond the firewall (impacted component), and not the CRS (vulnerable component). Any confidentiality loss is a secondary impact.
A7. Integrity (I)

A7.1 High (H)

The attacker can modify any information at any time, OR only some critical information can be altered.
  • Full compromise of host OS via remote code execution.
  • Successful exploitation could result in a complete compromise of the targeted device which results in a complete (High) impact on Integrity of the device.
  • Arbitrary Code Execution
  • Allows an attacker to take complete control of the affected system.
  • The victim user has trusted a poisoned cache and is being directed to any destination the attacker wishes.
  • The attacker has full access to the system.
  • Assuming a worst-case impact of the victim having High privileges on the affected system.
  • The attacker can view, change, or delete data; or create new accounts with full user rights.
  • High if the importance (security) of the feature is very crucial.
  • User accounts can be modified at will as well as SearchBlox configuration.
  • An attacker is able to decrypt all SSL/TLS traffic between the client and server.
  • The worst case scenario is Chrome is running with administrative privileges. The attacker can overwrite any file, including important system files.
  • An attacker can spoof a user and modify any of the user’s resources on the vulnerable server. The protocol downgrade removes the ability for the server to detect the manipulation. The attacker is assumed to target a highly privileged user.

A7.2 Low (L)

Some information can be altered, and/or the attacker does not have control over the kind or degree of modification.
  • Information maintained in the victim's web browser can be modified, but only information associated with the web site running phpMyAdmin.
  • The injected SQL runs with high privilege and can modify information the attacker should not have access to. The malicious SQL is injected into SQL statements that are part of the replication functionality, preventing the attacker from executing arbitrary SQL statements.
  • The integrity of the XML parser is lost, possibly resulting in a corrupt JSP.
  • Exploitation results in an integrity impact on the network or devices (impacted component) under the protection of the CRS (vulnerable component).
  • Information maintained in the victim's web browser can be modified, but only information associated with the web site running DokuWiki.

A7.3 None (N)

No integrity loss.
  • No information can be modified by the attacker.
  • There is no indication that the files can be modified as well.
  • While modification of the routing table on the vulnerable component would represent an impact on integrity, the Integrity impact on the downstream (impacted) component is None.

A8. Availability (A)

A8.1 High (H)

Resource is completely unavailable, OR select resource is critical to the component.
  • Full compromise of host OS via remote code execution.
  • Successful exploitation could result in a complete compromise of the targeted device which results in a complete (High) impact on the Availability of the device.
  • Arbitrary Code Execution
  • Allows an attacker to take complete control of the affected system.
  • The attacker has full access to the system. Regarding availability impact versus the degree of control over the device that is required: we are measuring the capabilities granted to the attacker by the vulnerability.
  • Impact on Availability for the downstream (impacted) component results in a complete denial of service for the targeted subscriber(s).
  • Assuming a worst-case impact of the victim having High privileges on the affected system.
  • The attacker can view, change, or delete data; or create new accounts with full user rights.
  • SearchBlox configuration may be modified such as to disable services.
  • The worst case scenario is Chrome is running with administrative privileges. The attacker can cause a system crash by overwriting particular system files.
  • The Google Chrome web browser is completely compromised and runs executable code created by the attacker.
  • For CVE-2016-2118, an attacker can immediately read/write files to a file or printer server, potentially degrading service or even shutting it down, so the impact is High.

A8.2 Low (L)

Reduced performance or interruption of resource availability or response.
  • The reasonable outcome behind modifying the XML parser is to make certain web applications unavailable.

A8.3 None (N)

No availability impact.
  • The malicious code can deliberately slow the victim's system, but the effect is usually minor and the victim can easily close the browser tab to terminate it.
  • Although injected code is run with high privilege, the nature of this attack prevents arbitrary SQL statements being run that could affect the availability of MySQL databases.
  • Impact is scored against the network and devices beyond the firewall (impacted component), and not the CRS (vulnerable component). Any availability loss is a secondary impact (for example, a targeted DoS attack).
  • No impact to the availability of the SSL/TLS session, the victim believes the session works correctly.

Reference

https://first.org/cvss/user-guide
https://first.org/cvss/examples
