Recent History of Vulnerabilities through the CVE Lens

Drinking from the Firehose: Ten Years of Vulnerabilities through the CVE Lens
Steve Christey
The MITRE Corporation
April 21, 2010
© 2010 The MITRE Corporation. All rights reserved
Welcome to 1998

• Vulnerability databases were mostly private
  – “We’ll show you our database if you show us your NDA”
• Bugtraq was a low-traffic list
• CERT advisories said very little
• Exploits were shared privately
• Attacks were rampant for months/years
• Vendors didn’t fix things for months/years
• Vulnerability scanning industry still in infancy
• WWW wasn’t ubiquitous
• Maybe 10 unique vulnerability types
• “Smashing the Stack” was only 2 years old
• Most reported vulnerabilities were in servers
Party Like it’s 1999
Diagram: CVE-1999-0067 at the hub, linked to Security Advisories, Priority Lists, Vulnerability Scanners, Software Vendor Patches, Intrusion Detection Systems, Incident Response & Reporting, Research, and Vulnerability Web Sites & Databases.
An Approximate Timeline of Some Important Events

1999: Public launch
2000: Building steam, learning from mistakes
2001: Content decisions still evolving
2002: SNMP/PROTOS, responsible disclosure
2003: More regular updates, smaller batches
2004: Voting largely abandoned; increasing volume
2005: VIM mailing list, NVD dependence
2006: milw0rm
2007: grep-and-gripe, multi-stage exploits
2008: Getting to “root cause”
2009: drowning in details, oss-security
2010: back to the essentials?
Figure: CVE Growth Over the Years (x-axis: months from Aug-95 to Feb-06; y-axis: 0 to 45000).
Figure: Number of Words per Description (x-axis: 1999 to 2009; y-axis: 0 to 45).
Figure: Number of References per CVE (x-axis: 1999 to 2009; y-axis: 0 to 9).
“Counting” Varies Widely

CVE:
  CVE-1: SQL injection in version 1.x through login.php and order.php.
  CVE-2: SQL injection in version 2.x through admin.php.
  CVE-3: XSS in version 2.x through login.php and search.php.

ISS and Bugtraq ID:
  1: SQL injection in login.php
  2: SQL injection in order.php
  3: SQL injection in admin.php
  4: XSS in login.php
  5: XSS in search.php

OSVDB:
  1: Mult. SQL injection in 1.x and 2.x
  2: XSS in 2.x

Secunia, ISS, and Bugtraq ID:
  1: SQL injection and XSS in 1.x and 2.x
Content Decisions: Abstraction

• AB1: SPLIT if different flaw types
• AB2: SPLIT if different versions are affected
• SPLIT if different vectors are released at a later time
• SPLIT if different codebases
• Otherwise MERGE

These factors are generally stable across all phases of vulnerability disclosure, and often known early in the game.

http://cve.mitre.org/cve/editorial_policies/cd_abstraction.html
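The SPLIT/MERGE rules above, applied by a small C program to the report set from the “Counting” Varies Widely slide. This is an added example, not CVE's own tooling; the five reports, the product name "shopapp" and the numbered identifiers it assigns are constructed.

```c
#include <stdio.h>
#include <string.h>

/* A single disclosed issue as an analyst would record it. The entries in SAMPLE are
   constructed data mirroring the "Counting Varies Widely" slide. */
struct report {
    const char *flaw;        /* flaw type (AB1) */
    const char *versions;    /* affected version range (AB2) */
    const char *codebase;    /* codebase the flaw lives in */
    int later_disclosure;    /* 1 if this vector was released at a later time */
    const char *vector;      /* affected script, informational only */
};

static const struct report SAMPLE[] = {
    { "SQL injection", "1.x", "shopapp", 0, "login.php"  },
    { "SQL injection", "1.x", "shopapp", 0, "order.php"  },
    { "SQL injection", "2.x", "shopapp", 0, "admin.php"  },
    { "XSS",           "2.x", "shopapp", 0, "login.php"  },
    { "XSS",           "2.x", "shopapp", 0, "search.php" },
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

/* Return 1 when the abstraction rules give two reports separate identifiers. */
int must_split(const struct report *a, const struct report *b)
{
    if (strcmp(a->flaw, b->flaw) != 0)              return 1; /* AB1: different flaw types */
    if (strcmp(a->versions, b->versions) != 0)      return 1; /* AB2: different versions */
    if (a->later_disclosure != b->later_disclosure) return 1; /* vector released later */
    if (strcmp(a->codebase, b->codebase) != 0)      return 1; /* different codebases */
    return 0;                                                 /* otherwise MERGE */
}

/* Number each report (1, 2, ...): a report joins the earliest previous report it may
   MERGE with, otherwise it opens a new identifier. Returns the number of identifiers. */
int assign_ids(const struct report *r, size_t n, int *ids)
{
    int next = 0;
    for (size_t i = 0; i < n; i++) {
        ids[i] = 0;
        for (size_t j = 0; j < i; j++) {
            if (!must_split(&r[i], &r[j])) { ids[i] = ids[j]; break; }
        }
        if (ids[i] == 0) ids[i] = ++next;
    }
    return next;
}

/* Identifier count for the sample set: 3 under these rules, against 5 per-vector
   entries or 2 or 1 under the coarser counting styles on the slide. */
int sample_id_count(void)
{
    int ids[SAMPLE_N];
    return assign_ids(SAMPLE, SAMPLE_N, ids);
}

/* Identifier number assigned to sample report i, or -1 if i is out of range. */
int sample_id_of(size_t i)
{
    int ids[SAMPLE_N];
    assign_ids(SAMPLE, SAMPLE_N, ids);
    return i < SAMPLE_N ? ids[i] : -1;
}

int main(void)
{
    int ids[SAMPLE_N];
    int count = assign_ids(SAMPLE, SAMPLE_N, ids);
    for (size_t i = 0; i < SAMPLE_N; i++)
        printf("ID-%d: %s in %s via %s\n", ids[i], SAMPLE[i].flaw,
               SAMPLE[i].versions, SAMPLE[i].vector);
    printf("%d identifiers\n", count);
    return 0;
}
```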
Content Decisions: Inclusion

• INCLUDE any issue for software that
  – Could be deployed in an enterprise
  – Could be network-connected physical devices
  – Has minimal, but non-zero, risk: path disclosure, admin-to-SYSTEM, client-side crasher
• EXCLUDE any issue that
  – Is “site-specific,” SaaS, hosted, “in the cloud,” …
  – Is provably wrong
  – Is just a rumor
  – Is not “actionable”
  – Is “just a bug” (e.g. defenestration exploit)

Site-specific / hosted software can be difficult to identify.
“All Publicly Known Vulnerabilities,” Ten Years Later

• Site-specific (SaaS, Cloud, etc.)
  – How to even identify these?
  – Legal questions: can you hack your own site if it’s on someone else’s physical system?
• Joe Schmoe’s phpGolf application
• Country X’s most popular IM app
• Physical devices: mobile, voting machines, remote-control coffee makers, alarm clocks with built-in microphones, software that disables cars, SCADA
• Vulns from the 1960’s
• Vulns in malware
• Shout-outs to OSVDB for still trying to track everything.
Anatomy of a CVE Description: CVE-2009-4623

Multiple PHP remote file inclusion vulnerabilities in Advanced Comment System 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the ACS_path parameter to (1) index.php and (2) admin.php in advanced_comment_system/. NOTE: this might only be a vulnerability when the administrator has not followed installation instructions in install.php.

Flaw type, vendor name, product name, affected versions, remote/local, impact, attack vectors, clarifiers.
10 Years of CVE Descriptions

CVE-1999-0067: CGI phf program allows remote command execution through shell metacharacters.

CVE-2000-0067: CyberCash Merchant Connection Kit (MCK) allows local users to modify files via a symlink attack.

CVE-2001-0067: The installation of J-Pilot creates the .jpilot directory with the user's umask, which could allow local attackers to read other users' PalmOS backup information if their umasks are not securely set.

CVE-2002-0067: Squid 2.4 STABLE3 and earlier does not properly disable HTCP, even when "htcp_port 0" is specified in squid.conf, which could allow remote attackers to bypass intended access restrictions.

CVE-2003-0067: The aterm terminal emulator 0.42 allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.

CVE-2004-0067: Multiple cross-site scripting (XSS) vulnerabilities in phpGedView before 2.65 allow remote attackers to inject arbitrary HTML or web script via (1) descendancy.php, (2) index.php, (3) individual.php, (4) login.php, (5) relationship.php, (6) source.php, (7) imageview.php, (8) calendar.php, (9) gedrecord.php, (10) login.php, and (11) gdbi_interface.php. NOTE: some aspects of vector 10 were later reported to affect 4.1.
10 Years of CVE Descriptions

CVE-2005-0067: The original design of TCP does not require that port numbers be assigned randomly (aka "Port randomization"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.

CVE-2006-0067: SQL injection vulnerability in login.php in VEGO Links Builder 2.00 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.

CVE-2007-0067: Unspecified vulnerability in the Lotus Domino Web Server 6.0, 6.5.x before 6.5.6, and 7.0.x before 7.0.3 allows remote attackers to cause a denial of service (daemon crash) via requests for URLs that reference certain files.

CVE-2008-0067: Multiple stack-based buffer overflows in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allow remote attackers to execute arbitrary code via (1) long string parameters to the OpenView5.exe CGI program; (2) a long string parameter to the OpenView5.exe CGI program, related to ov.dll; or a long string parameter to the (3) getcvdata.exe, (4) ovlaunch.exe, or (5) Toolbar.exe CGI program.

CVE-2009-0067: ** RESERVED **

CVE-2010-0067: Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Application Server 10.1.2.3 and 10.1.3.4 allows remote attackers to affect confidentiality via unknown vectors.
Some Favorite CVEs

CVE-2002-0013: Vulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via (1) GetRequest, (2) GetNextRequest, and (3) SetRequest messages, as demonstrated by the PROTOS c06-SNMPv1 test suite.

CVE-2002-0934: Directory traversal vulnerability in Jon Hedley AlienForm2 (typically installed as af.cgi or alienform.cgi) allows remote attackers to read or modify arbitrary files via an illegal character in the middle of a .. (dot dot) sequence in the parameters (1) _browser_out or (2) _out_file.

CVE-2008-7173: The Jura Internet Connection Kit for the Jura Impressa F90 coffee maker does not properly restrict access to privileged functions, which allows remote attackers to cause a denial of service (physical damage), modify coffee settings, and possibly execute code via a crafted request.

CVE-*-*: Stack-based buffer overflow in FTP Server [INSERT-PRODUCTNAME-HERE] allows remote attackers to execute arbitrary code via a long USER name.
Rise of the Web Applications
17%
“other”
© 2010 The MITRE Corporation. All rights reserved
Postcards from the Linux Kernel

CVE-2010-0291: The Linux kernel before 2.6.32.4 allows local users to gain privileges or cause a denial of service (panic) by calling the (1) mmap or (2) mremap function, aka the "do_mremap() mess" or "mremap/mmap mess."

CVE-2009-4410: The fuse_ioctl_copy_user function in the ioctl handler in fs/fuse/file.c in the Linux kernel 2.6.29-rc1 through 2.6.30.y uses the wrong variable in an argument to the kunmap function, which allows local users to cause a denial of service (panic) via unknown vectors.

CVE-2009-4026: The mac80211 subsystem in the Linux kernel before 2.6.32-rc8-next-20091201 allows remote attackers to cause a denial of service (panic) via a crafted Delete Block ACK (aka DELBA) packet, related to an erroneous "code shuffling patch."

CVE-2009-3620: The ATI Rage 128 (aka r128) driver in the Linux kernel before 2.6.31-git11 does not properly verify Concurrent Command Engine (CCE) state initialization, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via unspecified ioctl calls.
The Common Weakness Enumeration

• 800 weaknesses - not 40,000 vulnerabilities
• Builds heavily on CVE and external taxonomy efforts
• Main goal: prevent CVEs from happening in the first place

http://cwe.mitre.org
2010 CWE/SANS Top 25 Programming Errors

1. CWE-79 XSS
2. CWE-89 SQL Injection
3. CWE-120 Classic Buffer Overflow
4. CWE-352 CSRF
5. CWE-285 Improper Authorization
6. CWE-807 Reliance on Untrusted Inputs in Security Decision
7. CWE-22 Path Traversal
8. CWE-434 File Upload
9. CWE-78 OS Command Injection
10. CWE-311 Missing Encryption
11. CWE-798 Hard-coded Credentials
12. CWE-805 Incorrect Length Value in Buffer Access
13. CWE-98 PHP Remote File Inclusion
14. CWE-129 Uncontrolled Array Index
15. CWE-754 Improper Check for Exceptional Conditions
16. CWE-209 Error Message Infoleak
17. CWE-190 Integer Overflow/Wrap
18. CWE-131 Incorrect Buffer Size Calculation
19. CWE-306 Missing Authentication
20. CWE-494 Download of Code Without Integrity Check
21. CWE-732 Insecure Permissions
22. CWE-770 Allocation of Resources Without Limits or Throttling
23. CWE-601 Open Redirect
24. CWE-327 Broken Crypto
25. CWE-362 Race Condition

http://cwe.mitre.org/top25
Predicting Popular Vulnerability Classes

• A class may become popular if it has all of these:
  – Bad consequences: remote code execution, data compromise, security bypass
  – Easy to find
  – Easy to write exploit code
  – Has had a white paper or two written about it
  – Has hit very popular software
• Past examples: buffer overflows, format strings, SQL injection, PHP file inclusion, XSS, CSRF
• Future:
  – Exposed ActiveX methods, file uploads, …
• Generally there seems to be at least a 2-year lag time between first discovery and rampant exploitation. Exception: format strings.
The Tipping Points

Figure: four panels, SQL Injection (y-axis 0 to 25), Integer Overflow (y-axis 0 to 3), CSRF (y-axis 0 to 1.8) and Symbolic Link (y-axis 0 to 5), each plotted by year from 2000 to 2010.
The r0t Method of Vulnerability Analysis

• Be 14 or 15 years old, with spare time
• Go to a software repository web site
• Download a package or try its demo site
• Do blatantly simple SQL injection and XSS:
  – '
  – <script>alert('XSS')</script>
• Move on after 10 minutes
• Disclose the issue on your blog
Figure: Number of CVEs Disclosed Per Month (2004 to 2006) (x-axis: 200401 to 200612; y-axis: 0 to 800; the r0t period is annotated).
Grep-and-Gripe: Revenge of the Symlinks

• Dmitry E. Oboukhov, August 2008
• grep -A5 -B5 /tmp/ [PROGRAM]
• Run against Debian packages

Figure: chart with y-axis 0 to 5, annotated “Dmitry” at the spike.

Those who do not learn from the past are doomed to repeat it.

Grep-and-gripe is a valid methodology.
Grep-and-Gripe 2: Attack of the Clones

abc.php:

```php
$language = "english";
…
include("$language.php");   // include path built from a variable the request can override
```

http://example.com/abc.php?language=[RFI]
Unforgivable Vulnerabilities: The Lucky 13

• Buffer overflow (CWE-120): AAA…AAA in User/Password, Filenames, Common Commands
• XSS (CWE-79): <SCRIPT> in Body, subject, title, to, from
• Directory Traversal (CWE-23): “../..” or “/full/path” in User/Password, Filenames; Get/Send Command in File sharing
• Remote File Inclusion (CWE-98): template=http://example.com/c99 in any include/require that interpolates $_GET, $_POST, etc.
• SQL Injection (CWE-89): ' OR 1=1 in User/Password, id or other numeric field
• World-Writable Files (CWE-276, 279): -rwxrwxrwx myprog in Executables, Libraries, Configuration Files
The Lucky 13 (Continued)

• Direct Request (CWE-425): http://example/admin/script.cgi to Admin functionality, Library code with executable extensions
• Auth bypass (CWE-472): authenticated=1 in Form field, Cookie
• Crypto (CWE-327): tebj lbhe bja pelcgb (Substitution Cipher)
• Symlink Following (CWE-61): ln -s /tmp/App.dat /etc/passwd; sleep 100000 in Log files, Temporary files, Command-line args
• Hard-coded Pass (CWE-259): User: psychyore / Pass: psychyore; Hard-coded or Default?
• Privilege Escalation (CWE-271): Help selected from privileged Windows executable
• Integer overflow (CWE-190): Length: 0xffffffff, Width: 0xffffffff; Arbitrary length, width, height, size…
Typical Vulnerability History of a Product

Diagram: phases 1 to 7 along a product's life, with software classes labelled along the curve: Joe Schmoe SW; ActiveX, Image and Document Processors; High-profile network servers.

1. Obvious types in critical functionality
2. Variants of common vulnerability types
3. Incomplete fixes, closely related vectors
4. Limited environments, platforms, configs
5. Elimination of most common types
6. Rare or novel types and attacks
7. Unique types or attacks, extensive expert analysis
Chains: Why Buffer Overflows are Still Here

X: Use of Signed Integers for Always-Positive Operations
→ A: Incorrect Range Check
→ B: Integer Overflow
→ C: Insufficient Memory Allocation
→ D: Heap Overflow

Input: height = -65534; width = -65534

Assumption: the range check will prevent an overflow from occurring.

```c
if (height > 64000 ||        /* A: range check has no lower bound */
    width > 64000) {
    error("too big!");
}
size = height * width;       /* B: integer overflow */
buf = malloc(size);          /* C: insufficient memory allocation */
memmove(buf, InputBuf, SZ);  /* D: heap overflow */
```
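The chain above next to a hardened form, as an added C example (not code from the slides): the slide's check is transcribed into a function, beside a version that breaks the chain at X and A and guards C and D explicitly. MAX_DIM, the function names and the sample dimensions in main() are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Upper bound the slide's code enforces on each dimension (assumed name). */
#define MAX_DIM 64000

/* Steps A to C as on the slide: signed ints, an upper-bound-only range check and a
   32-bit product. Returns 1 when the request is accepted and stores the size the code
   would hand to malloc(). The product goes through uint32_t so this demo itself has no
   undefined behaviour; the value is the same wrapped result the original computes. */
int vulnerable_accepts(int32_t height, int32_t width, int32_t *size_out)
{
    if (height > MAX_DIM || width > MAX_DIM)       /* A: negatives sail through */
        return 0;                                  /* "too big!" */
    *size_out = (int32_t)((uint32_t)height * (uint32_t)width); /* B: wraps */
    return 1;                                      /* C: malloc(size) gets this */
}

/* Hardened form: reject the inputs X lets in, bound A on both ends, and compute the
   size in a width that cannot wrap before comparing it against what can be allocated. */
int hardened_accepts(int32_t height, int32_t width, size_t *size_out)
{
    if (height <= 0 || width <= 0)                 /* X: dimensions are never negative */
        return 0;
    if (height > MAX_DIM || width > MAX_DIM)       /* A: bound both ends */
        return 0;
    uint64_t product = (uint64_t)height * (uint64_t)width; /* B: cannot wrap in 64 bits */
    if (product > SIZE_MAX)                        /* C: must fit a size_t here */
        return 0;
    *size_out = (size_t)product;
    return 1;
}

/* D: never copy more than the buffer was sized for. Returns bytes copied, or -1. */
long bounded_copy(unsigned char *buf, size_t bufsize, const unsigned char *in, size_t n)
{
    if (buf == NULL || n > bufsize)
        return -1;
    memmove(buf, in, n);
    return (long)n;
}

int main(void)
{
    int32_t bad = 0;
    size_t good = 0;
    int v = vulnerable_accepts(-65534, -65534, &bad);  /* accepted; size wraps to -262140 */
    int h = hardened_accepts(-65534, -65534, &good);   /* rejected at step X */
    printf("vulnerable: accepted=%d size=%d\n", v, (int)bad);
    printf("hardened:   accepted=%d\n", h);
    return 0;
}
```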
Symbolic Link Following (composition)

Symlink Following is composed of:
• Race Condition (CWE-362)
• Predictability (CWE-340)
• Insecure directory permissions (CWE-275)
• Path Equivalence (CWE-41)
The Four I’s Principle of Vulnerability Information

• Incomplete
  – Missing versions, product names
  – Missing patch information
• Inaccurate
  – Incorrect diagnosis
  – Blatantly wrong
• Inconsistent
  – Acknowledgement discrepancies
  – Bug type discrepancies
  – Varying severities
• Incomprehensible
  – Poor writing
  – Lack of clear formatting

Coordinated disclosure between researcher and vendor frequently wipes these out.
Four I’s: Some Examples From Spring 2010

• CVE-2010-1040: original Symantec advisory implies that Symantec Endpoint Protection 11.x is affected, but later they say it’s not.
• CVE-2009-3376: Red Hat, Ubuntu claim Thunderbird is affected, but this is not in the original Mozilla advisory. Same with several other CVEs.
• CVE-2010-0009: vendor accidentally includes CVE-2008-2370 in subject line of advisory.
• Developer of affected software, on oss-security: “I'm half way down this discussion and already I'd prefer to stick needles in my eyes.” Nowhere in the thread is an affected version mentioned.
• CVE-2010-1188: Red Hat provides this CVE as a link in RHSA-2010:0178, but doesn’t include it within their details section. Did they fix this or not? See CVE-2009-4538 for Mandriva.
• CVE-2010-1028: reliable researcher claims a vulnerability but posts no details and did not provide them to the vendor. Commercial exploit available.
• CVE-2009-4463: a reliable researcher says “hard-coded passwords” but ICS-CERT performs further research and finds out these are default passwords.
Four I’s: Some Examples From Spring 2010

• CVE-2010-1055: original researcher says “RP” parameter is affected, but everyone else says “id”
• CVE-2010-1060: exploit implies consequence of reading files, but it’s really executing arbitrary programs
• CVE-2009-4763: software developer removed third-party plugin due to “security issues” but no information on the plugin site; is it the same problem as one that was reported more than a year earlier?
• CVE-2005-1426: re-discovered and disclosed in 2009; researcher didn’t mention issue had already been disclosed; also said “blog.msb” which is a typo of “blog.mdb”
• CVE-2008-7254: researcher posts a vulnerability to ExploitDB in 2010, when it had already been disclosed in 2008 on PacketStorm.
Carving Out Your Niche in Applied Vulnerability Research

• Applied vulnerability research is a meritocracy
• Your idea might be way ahead of its time
• Someone else had the idea before you
  – … but you’re the one doing something about it
• You know less than you think you do
  – … but eventually, maybe a little more than anyone else
• There are many opportunities
  – Thought leaders will understand the limitations of your breakthrough
  – Thought leaders are busy
  – We need more freely-available white papers on “established” techniques that “everybody” knows
Carving Out Your Niche (2)

• Stay open to change in strategy and focus
  – Criticism is an opportunity to learn
  – Learn to say “no” but be mindful of the consequences
  – The future tends to change things
• Don’t let the perfect get in the way of the good
• Understand your work in the context of the larger picture
Carving Out Your Niche (3)

• Communication skills are critical
• Share what you know – you’ll learn, too
• Get out of the office every once in a while
• If you don’t fail at least a little bit:
  – You’re not pushing the envelope enough
  – You’re not introspective enough
How VDBs Notice Researchers

• Quality over quantity
• If you post a lot, we notice
  – If you’re often wrong, you face being ignored
• If you post a little but it’s great, we notice
• We read disclosure timelines for fun
Conclusion

• We’ve come a long way, baby
• We’ve got a long way to go
• Getting to the root causes – and understanding their solutions – has a greater chance of success than hack-and-patch