Offensive Security 101 — Understand the relationship between Vulnerability Mgmt & Version Control (aka Git)

~Cappetta
Published in AWS Cyber Range
Mar 19, 2020

At its core, vulnerability management focuses on identifying the specific version of a system, application, kernel, driver or logic condition and connecting it to a known security issue (aka a CVE).

To put it simply, the well-known Equifax breach was based on a vulnerability identified in the Struts application: a totally preventable error that a bit of SecDevOps would have helped to mitigate. Synopsys outlines the vulnerability nicely in the article below.

For those a bit more technical, you will often need to dive into technical write-ups in the hope of reproducing the bug. As a bug hunter and/or security engineer, you will need to review the codebase and perform a technical analysis of the application to understand the patch and spot the bug. It is common practice to maintain application code within a code repository.

Semantic Versioning

major.minor.patch

Version-controlled semantic releases allow applications to publish x.y.z versions. In the Struts CVE-2017-5638 example, the bug was fixed in versions `2.3.32` and `2.5.10.1`.

If the application has a remote code execution vulnerability in a piece of software, say Apache Struts, then you will need to understand where the flawed logic lives within the application and how to trigger it.

If you are researching a patched version of the software, you will never trigger the vulnerability.

Therefore Git and version control are fundamental knowledge that any researcher, engineer or business analyst is required to have.

DevOps engineers also use these versions to determine the changes between a test environment and a production environment.

Business Analysts are able to understand how features, bug fixes, and UI changes relate to the current book-of-work. Having a solid understanding of semantic versioning as you interact with the application development team will make you many times more effective.

From a security researcher's perspective, these versions are critical for setting up a Cyber Range scenario. Many of us understand the concepts of virtualization and containerization. For those who do, here’s a handy Docker repo of containers hosting vulnerable, exploitable scenarios.
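To make the "fixed in 2.3.32 and 2.5.10.1" statement above operational, here is an added shell example (my script, not from the original post or Scott Lowe's workshop) that compares an installed Struts version numerically against the fix on its release line, then runs that check over a constructed inventory. It assumes two things the post does not state: that only the 2.3 and 2.5 lines are in scope, and that every version older than the fix on its line is reported as exposed (the post gives no lower bound, so none is applied). Hostnames and versions are made up.

```shell
#!/bin/sh
# Added example: numeric comparison of dotted versions against the fixed
# versions named for CVE-2017-5638 (2.3.32 and 2.5.10.1). Release lines other
# than 2.3 and 2.5, and any lower bound of affected versions, are assumptions
# left open here because the post does not state them.

# vercmp A B prints -1, 0 or 1 for A<B, A=B, A>B. Components are compared as
# integers and missing trailing components count as 0, so 2.3.9 < 2.3.32 and
# 2.5.10 < 2.5.10.1. Pre-release suffixes such as -SNAPSHOT are out of scope.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    : "${x:=0}"; : "${y:=0}"
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  printf '%s\n' 0
}

# struts_cve_2017_5638_status VERSION prints "vulnerable" when VERSION is on
# the 2.3 or 2.5 line and older than that line's fix, "patched" when it is the
# fix or newer, and "unknown-line" for anything else (not assessed here).
struts_cve_2017_5638_status() {
  v="$1"
  case "$v" in
    2.3|2.3.*) fixed="2.3.32" ;;
    2.5|2.5.*) fixed="2.5.10.1" ;;
    *) printf '%s\n' unknown-line; return 0 ;;
  esac
  if [ "$(vercmp "$v" "$fixed")" -lt 0 ]; then
    printf '%s\n' vulnerable
  else
    printf '%s\n' patched
  fi
}

# Constructed sample inventory (host,struts-version); these are not real systems.
SAMPLE_INVENTORY='web-01,2.3.31
web-02,2.3.32
web-03,2.3.9
api-01,2.5.10
api-02,2.5.10.1
legacy-01,2.2.3'

# triage_inventory prints one "host version status" line per inventory entry.
triage_inventory() {
  printf '%s\n' "$SAMPLE_INVENTORY" | while IFS=, read -r host ver; do
    printf '%s %s %s\n' "$host" "$ver" "$(struts_cve_2017_5638_status "$ver")"
  done
}

triage_inventory
```

Run it with `sh`. The `vercmp` helper compares each component as an integer, which is the point: a plain string comparison would rank `2.3.9` after `2.3.32` and report a vulnerable host as patched.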

A hands-on introduction to version control with Git

Open source is all about reusing the wheel that was previously created. That said, I’ve referenced Scott Lowe’s GitHub multiple times. I believe his content and delivery of the basic fundamentals of git are spot on. Therefore I copy/paste and provide a reference pointer back to the source.

To learn git, you must read. To learn code, you must read. To contribute as an engineer, you must use git. Let’s get started with a review…

Git/Github Flow


A git flow outlines the development process used by small and large teams. GitFlow is famous for scaring off new git users with an avalanche of boxes and arrows, while GitHub Flow takes an almost painfully simple approach.

The CyberRange follows a similar approach yet I used forks to merge changes from my Personal Cyber Range master into the official SecDevOps@Cuse Cyber Range master.

With more contributors, I’ll shift over to branching of the CyberRange features.

Git Cliff-Notes:

Git terms
* Repository: The database that contains all of a project’s information and history. Once added to the repository, information is immutable
* Index: A binary file maintained by Git that describes the repository’s directory structure and content at a point in time
* Commit: An entry in the repository (Git database) recording metadata for each change made to the repository
* Remote: A link to another Git repository
* Push: Sending a committed change to an upstream repository

Lab #1: Installing Git
https://github.com/lowescott/2018-git-workshop/blob/master/lab1.md

Lab #2: Creating a repository
https://github.com/lowescott/2018-git-workshop/blob/master/lab2.md

Git commands from Lab #2
* git init: Initialize (create) a Git repository
* git config: Set Git configuration parameters
* git status: Show the current status of the Git repository
* git add: Stage files or changes to be committed to the repository
* git commit: Commit changes to the repository
* git log: Show the history of changes to the repository

Git branches

Lab #3: Branching and merging
https://github.com/lowescott/2018-git-workshop/blob/master/lab3.md

* As a developer, use branches to maintain small changes.
* Changes committed in a Git branch aren’t visible in other Git branches
* Merging changes from one branch to another is the way to share changes between branches.

Git commands from Lab #3
* git branch: Add, remove, or checkout (switch) branches
* git checkout: Switch branches
* git merge: Merge commits into current branch
* git checkout -b <branch>: Create a new branch

Git remotes

Lab #4: Using remotes
https://github.com/lowescott/2018-git-workshop/blob/master/lab4.md

* Git remotes allow humans to model relationships between repositories
* Git uses the name “origin” by default when cloning a repository
* Git supports the use of multiple protocols to communicate with remotes:
  * SSH (you’ll need public key authentication)
  * HTTP/HTTPS (typically used with GitHub/GitLab/etc.)
  * Git (fast, but no security)
* You can have multiple remotes (used with the “fork-and-branch” workflow)

Git commands from Lab #4
* git clone: Clones a repository from an existing repository
* git remote: Shows information about remote repositories
* git push: Push commits/branches to a Git remote
* git fetch: Retrieve changes from a Git remote
* git pull: Retrieve and merge changes from a Git remote

Vulnerability Management

Analyzing the semantic versions of environments, assets, and applications is a key component of vulnerability management. Codebases pull in many libraries (Python packages, for example), there are many versions of Adobe Reader, and there are many Windows-based operating systems; each is a version to track.

Setting up Vulnerable Software w/ Chocolatey

Read through this to get an idea of Chocolatey and what it can do. Then boot up the Cyber Range and use the Windows-based Metasploitable3 asset to bring up a completely vulnerable environment. The link below points directly to the Chocolatey install script in the Metasploitable3 repository.

Research Chocolatey a bit more; this article is a quick read about installing software with it. Consider enhancing the Metasploitable3 asset with more Chocolatey packages.

Next Steps

  • Make Git part of your daily routine
  • Create Some Code, then Read & Learn More
  • Sign-Up for the CyberRange Webinar

Additional resources:


Vulnerability Research Engineer @Tenable · Cyber Eng. Master's Student @Syracuse University · SecDevOps@Cuse Lead