rapid7 / recog

Pattern recognition for hosts, services, and content

x.version and x.version.version in CPE #292

Closed agentzex closed 2 years ago

agentzex commented 4 years ago

Hi, I'm looking at some fingerprints in Recog, and trying to understand what the subversion (x.version.version, x.version.version.version, etc.) means in the CPE strings. In all of the CPEs in Recog only the x.version is used. For example: "cpe:/a:ntp:ntp:{service.version}". But, if you search on NVD, you can find a lot of examples where concatenating different subversions yields more accurate results. In this fingerprint for example:

<fingerprint flags="REG_DOT_NEWLINE,REG_ICASE" pattern='^.*version="ntpd ([^ p]+)(:?p[^ "]+)?[^"]+",.*processor="([^ ]+)",.*system="FreeBSD/?(?:[^ ]+-NETSCALER-([^ ]+))"'>
  <description>ntpd running on Citrix Netscaler, which is based on FreeBSD</description>
  <example os.arch="i386" os.version="9.3" service.version="4.2.6" service.version.version="p2@1.2194">
      version="ntpd 4.2.6p2@1.2194 Wed Nov 24 15:54:11 UTC 2010 (1)",
      processor="i386", system="FreeBSD/6.3-NETSCALER-9.3", leap=00, stratum=3,
  </example>
  <example os.arch="amd64" os.version="10.5" service.version="4.2.6" service.version.version="p3-a">
      version="ntpd 4.2.6p3-a (1)", processor="amd64", system="FreeBSD/8.4-NETSCALER-10.5",
      leap=3, stratum=16, precision=-21, rootdelay=0.000, rootdisp=1264777.230,
  </example>
  <param name="service.version" pos="1"/>
  <param name="service.version.version" pos="2"/>
  <param name="service.vendor" pos="0" value="NTP"/>
  <param name="service.product" pos="0" value="NTP"/>
  <param name="service.cpe23" pos="0" value="cpe:/a:ntp:ntp:{service.version}"/>
  <param name="os.vendor" pos="0" value="Citrix"/>
  <param name="os.family" pos="0" value="NetScaler"/>
  <param name="os.device" pos="0" value="Network Management Device"/>
  <param name="os.product" pos="0" value="NetScaler"/>
  <param name="os.arch" pos="3"/>
  <param name="os.version" pos="4"/>
</fingerprint>

If I concatenate service.version and service.version.version into the CPE string with a colon delimiter, I will get a more accurate result, having the "update" field in the CPE as well as the version. (https://nvd.nist.gov/products/cpe/search/results?keyword=cpe%3a%2fa%3antp%3antp%3a4.2.6%3ap1&status=FINAL,DEPRECATED&orderBy=CPEURI&namingFormat=2.2)

So here, one can assume service.version.version matches the "update" field on NVD.

In another example I've found, if one concatenates both fields, but with a dot delimiter instead of a colon, the result will be a more precise version. For example:

<fingerprint pattern="^([^ ]+) GroupWise SMTP/MIME Daemon ([^ ]+\.[^ ]+) v([^ ]+) Ready \(C\).* Novell, Inc\. *$">
  <description>Novell GroupWise - versions below 5</description>
  <example host.name="foo.bar" service.version="4.1" service.version.version="3">foo.bar GroupWise SMTP/MIME Daemon 4.1 v3 Ready (C)1993, 1996 Novell, Inc.</example>
  <param name="service.vendor" pos="0" value="Novell"/>
  <param name="service.family" pos="0" value="GroupWise"/>
  <param name="service.product" pos="0" value="GroupWise"/>
  <param name="host.name" pos="1"/>
  <param name="service.version" pos="2"/>
  <param name="service.version.version" pos="3"/>
  <param name="service.cpe23" pos="0" value="cpe:/a:novell:groupwise:{service.version}"/>
</fingerprint>

Here, when concatenating service.version and service.version.version the result will be "cpe:/a:novell:groupwise:4.1.3". While this version number specifically doesn't have entries in NVD, if I take the same pattern but with other digits, for example service.version=6.5 & service.version.version=2, so "cpe:/a:novell:groupwise:6.5.2", it yields a different result than using only the first service.version, "cpe:/a:novell:groupwise:6.5", on NVD:

6.5.2 - https://nvd.nist.gov/products/cpe/search/results?keyword=cpe%3a%2fa%3anovell%3agroupwise%3a6.5.2&status=FINAL,DEPRECATED&orderBy=CPEURI&namingFormat=2.2

6.5 - https://nvd.nist.gov/products/cpe/search/results?keyword=cpe%3a%2fa%3anovell%3agroupwise%3a6.5&status=FINAL,DEPRECATED&orderBy=CPEURI&namingFormat=2.2

So two questions arise here:

  1. Does the x.version.version (and the other subversions) have a constant meaning in Recog, or can they mean one thing in some cases and another thing in others? (as can be seen in the examples)
  2. Since in Recog only the x.version is used and the subversions aren't in the CPE strings, this might yield a wrong result; is that expected behavior? In the example above, if I used the Recog CPE string I would get vulnerability results for version 6.5 while the actual version is 6.5.2 according to this pattern, so this might be a false positive.

Thanks
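Added example, not code from the Recog project or from the issue author: a small Ruby re-implementation of how a Recog fingerprint's `<param>` entries are filled from regex capture groups, applied to the two fingerprints quoted in this issue and their own `<example>` banners. It then builds the CPE string the two ways the issue proposes (colon, which lands the sub-version in the CPE 2.2 "update" field, versus dot, which folds it into the version) and splits the result into named CPE 2.2 fields so the difference is visible. Assumptions of mine, not Recog's documented behaviour: `pos` N maps to capture group N and `pos="0"` to the literal `value`; `{service.version}` in the cpe23 template is simple substitution; Recog's `REG_DOT_NEWLINE` and `REG_ICASE` flags correspond to Ruby's `Regexp::MULTILINE` and `Regexp::IGNORECASE`.

```ruby
# Fingerprints copied from the issue. Integer params are capture positions,
# String params are fixed values (Recog's pos="0" value="...").
FINGERPRINTS = {
  ntpd_netscaler: {
    pattern: Regexp.new(
      '^.*version="ntpd ([^ p]+)(:?p[^ "]+)?[^"]+",.*processor="([^ ]+)",' \
      '.*system="FreeBSD/?(?:[^ ]+-NETSCALER-([^ ]+))"',
      Regexp::MULTILINE | Regexp::IGNORECASE # REG_DOT_NEWLINE, REG_ICASE (assumed mapping)
    ),
    params: {
      'service.version'         => 1,
      'service.version.version' => 2,
      'service.vendor'          => 'NTP',
      'service.product'         => 'NTP',
      'service.cpe23'           => 'cpe:/a:ntp:ntp:{service.version}',
      'os.arch'                 => 3,
      'os.version'              => 4,
    },
  },
  groupwise: {
    pattern: Regexp.new(
      '^([^ ]+) GroupWise SMTP/MIME Daemon ([^ ]+\.[^ ]+) v([^ ]+) Ready \(C\).* Novell, Inc\. *$'
    ),
    params: {
      'host.name'               => 1,
      'service.version'         => 2,
      'service.version.version' => 3,
      'service.vendor'          => 'Novell',
      'service.product'         => 'GroupWise',
      'service.cpe23'           => 'cpe:/a:novell:groupwise:{service.version}',
    },
  },
}.freeze

# Banners taken from the <example> elements quoted in the issue (whitespace constructed).
NTPD_BANNER = <<~BANNER
  version="ntpd 4.2.6p2@1.2194 Wed Nov 24 15:54:11 UTC 2010 (1)",
  processor="i386", system="FreeBSD/6.3-NETSCALER-9.3", leap=00, stratum=3,
BANNER
GROUPWISE_BANNER = 'foo.bar GroupWise SMTP/MIME Daemon 4.1 v3 Ready (C)1993, 1996 Novell, Inc.'.freeze

# Fill the fingerprint's params from a banner; nil when the pattern does not match.
# An optional capture group (like the ntpd patch level) that did not participate
# yields nil for its param, so callers must treat sub-versions as optional.
def match_fingerprint(fp, banner)
  m = fp[:pattern].match(banner)
  return nil unless m
  fp[:params].each_with_object({}) do |(name, src), out|
    out[name] = src.is_a?(Integer) ? m[src] : src
  end
end

# Expand {param.name} placeholders in a cpe23 template (assumed: plain substitution).
def render_template(template, params)
  template.gsub(/\{([^}]+)\}/) { params.fetch(Regexp.last_match(1)) }
end

# Construction 1 from the issue: sub-version appended with a colon,
# i.e. as the CPE 2.2 "update" component.
def cpe_with_update(params)
  base = render_template(params['service.cpe23'], params)
  sub = params['service.version.version']
  sub ? "#{base}:#{sub}" : base
end

# Construction 2 from the issue: sub-version folded into the version with a dot.
def cpe_with_dotted_version(params)
  base = render_template(params['service.cpe23'], params)
  sub = params['service.version.version']
  sub ? "#{base}.#{sub}" : base
end

# CPE 2.2 URI components, in order: cpe:/part:vendor:product:version:update:edition:language
CPE22_FIELDS = %w[part vendor product version update edition language].freeze

# Split a CPE 2.2 URI into its named, non-empty components.
def cpe22_fields(uri)
  raise ArgumentError, "not a CPE 2.2 URI: #{uri}" unless uri.start_with?('cpe:/')
  values = uri.delete_prefix('cpe:/').split(':', -1)
  CPE22_FIELDS.zip(values).reject { |_, v| v.nil? || v.empty? }.to_h
end

if $PROGRAM_NAME == __FILE__
  ntp = match_fingerprint(FINGERPRINTS[:ntpd_netscaler], NTPD_BANNER)
  gw  = match_fingerprint(FINGERPRINTS[:groupwise], GROUPWISE_BANNER)
  puts "ntpd, Recog template only : #{render_template(ntp['service.cpe23'], ntp)}"
  puts "ntpd, colon (update field): #{cpe_with_update(ntp)} -> #{cpe22_fields(cpe_with_update(ntp))}"
  puts "GroupWise, dotted version : #{cpe_with_dotted_version(gw)} -> #{cpe22_fields(cpe_with_dotted_version(gw))}"
end
```

Running it shows the asymmetry the issue describes: for ntpd the sub-version `p2@1.2194` only makes sense as the separate `update` component, while for GroupWise `3` is a further version digit, so one generic join rule for `service.version.version` cannot serve both fingerprints; a consumer that maps Recog output to NVD CPEs needs the meaning of the sub-version to be declared per fingerprint, or it will look up the wrong CPE.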