intrigueio / intrigue-ident

Application and Service Fingerprinting
https://core.intrigue.io

distinguish between webmin and usermin #88

Closed Marmelatze closed 3 years ago

Marmelatze commented 3 years ago

Intrigue does not distinguish between webmin and usermin, but both can be installed on the same server in different versions and have their own CVEs (e.g. https://nvd.nist.gov/vuln/detail/CVE-2007-1276).

I did not find a better method for excluding a fingerprint than hiding it, when it conflicts with another? Before:

```
$ bundle exec util/ident.rb -u http://[redacted]:20000 -d
...
Fingerprint:
 - Webmin Webmin 1.812  - miniserv server (CPE: cpe:2.3:a:webmin:webmin:1.812:) (Tags: ["Administrative"]) (Hide: false) (Issues: ) (Tasks: )
```

After:

```
$ bundle exec util/ident.rb -u http://[redacted]:20000 -d
Fingerprint:
 - Webmin Webmin 1.812  - miniserv server (CPE: cpe:2.3:a:webmin:webmin:1.812:) (Tags: ["Administrative"]) (Hide: true) (Issues: ) (Tasks: )
 - Usermin Usermin 1.812  - page title (CPE: cpe:2.3:a:usermin:usermin:1.812:) (Tags: ["Administrative"]) (Hide: false) (Issues: ["exposed_admin_panel_unauthenticated"]) (Tasks: )
```

For webmin:

```
$ bundle exec util/ident.rb -u http://[redacted]:10000 -d
Fingerprint:
 - Webmin Webmin 1.970  - miniserv server (CPE: cpe:2.3:a:webmin:webmin:1.970:) (Tags: ["Administrative"]) (Hide: ) (Issues: ) (Tasks: )
 - Webmin Webmin   - page title (CPE: cpe:2.3:a:webmin:webmin::) (Tags: ["Administrative"]) (Hide: false) (Issues: ["exposed_admin_panel_unauthenticated"]) (Tasks: )
```

jcran commented 3 years ago

A couple questions:

As context - 'hide' is used by existing checks to determine if the underlying asset/endpoint should be hidden, for example when you access a cloudflare IP by hostname and get a 'Not Found' error. We can and will put more docs around this.

Thanks @Marmelatze, appreciate you bringing up this case and putting up a PR!

Marmelatze commented 3 years ago
> * Would it make sense to pull the common component of Miniserv out as its own finding? (if so, we could just focus the webmin checks a bit more to only detect verified cases of webmin vs miniserv). I do note, miniserv doesn't have its own CPE in NVD's dictionary, and thus, I generally am leaning away from pulling it out as a component. Example: https://nvd.nist.gov/vuln/detail/CVE-2020-35769

It looks like the only usage of miniserv seems to be in Webmin/Usermin.

> * Is it possible to have Usermin installed and not have Webmin somewhere on the system? (if so, maybe finding both is okay as long as we positively identify usermin?)

Yes. Usermin can also be used standalone. By default webmin runs on port 10000 and usermin on port 20000. Finding both would yield wrong results when looking at the version, as webmin and usermin are released separately. https://www.webmin.com/changes.html vs https://www.webmin.com/uchanges.html

shpendk commented 3 years ago

Hi @Marmelatze

Thanks again for the PR. Would the solution to look for Login to Usermin/Webmin and distinguish the product based on that string work? We could create two separate fingerprints (for usermin and webmin separately) and dynamically look for the version.

Let me know what you think, happy to write the code for it

jcran commented 3 years ago

That seems like the right solution @shpendk, if you have a few mins, I'd suggest we action it and get this PR merged in.

shpendk commented 3 years ago

@jcran request your review on my latest changes, specifically this commit: https://github.com/intrigueio/intrigue-ident/pull/88/commits/cbc3f57b4c801c661a81e5ca66361e745a760a60

I found a bug where if we passed in a URL that's not on the root path (for example: http://mydomain.com/login), ident would ignore the path (because we were creating the URL from scheme://hostname:port but never appending the path).

Let me know if you see anything wrong with this change, otherwise I'll merge.
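The two points raised in the thread (telling Webmin and Usermin apart by the login page title rather than by the shared MiniServ banner, and building the request URL without dropping the path) as an added Ruby example; this is not intrigue-ident's own code. It assumes the MiniServ `Server` header carries the version and that the login page `<title>` reads `Login to Webmin` or `Login to Usermin`; the HTTP responses are constructed.

```ruby
require 'uri'

# Rebuild the URL to probe while keeping the path. Building it from
# scheme://host:port alone silently turns http://mydomain.com/login into
# http://mydomain.com:80/, which is the bug described in the thread.
def fingerprint_url(raw)
  u = URI.parse(raw)
  path = u.path.empty? ? '/' : u.path
  "#{u.scheme}://#{u.host}:#{u.port}#{path}"
end

# Fingerprint a MiniServ-backed login page from its response.
# headers: Hash with lowercased header names; body: HTML body string.
# Returns a Hash with product, version and CPE, or nil when the page
# cannot be positively identified as either product.
# Assumption: the Server header looks like "MiniServ/<version>" and the
# title is "Login to Webmin" / "Login to Usermin".
def fingerprint_miniserv(headers, body)
  server = headers['server'].to_s
  banner = server.match(%r{\AMiniServ/([\d.]+)}i)
  return nil unless banner  # not served by miniserv at all
  version = banner[1]

  title = body[%r{<title>\s*(.*?)\s*</title>}im, 1].to_s
  product = if title =~ /Login to Usermin/i then 'usermin'
            elsif title =~ /Login to Webmin/i then 'webmin'
            end
  # A MiniServ banner alone is shared by both products, so without the
  # title we refuse to name one of them (avoids the "two versions" clash).
  return nil unless product

  {
    product: product,
    version: version,
    # Same CPE shape as in the thread's output, one per product.
    cpe: "cpe:2.3:a:#{product}:#{product}:#{version}:"
  }
end

# Constructed sample responses, mirroring the two ports from the thread.
USERMIN_RESPONSE = [{ 'server' => 'MiniServ/1.812' },
                    '<html><head><title>Login to Usermin</title></head></html>'].freeze
WEBMIN_RESPONSE  = [{ 'server' => 'MiniServ/1.970' },
                    '<html><head><title>Login to Webmin</title></head></html>'].freeze
```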