scmanjarrez / CVEScannerV2

Nmap script that scans for probable vulnerabilities based on services discovered in open ports.
https://hub.docker.com/r/scmanjarrez/cvescanner
GNU General Public License v3.0

Does not find some vulnerabilities for Microsoft-IIS/7.5 #11

Closed. artvorlov closed this 5 months ago

artvorlov commented 6 months ago

Greetings! The script does not find the vulnerabilities CVE-2010-2730, CVE-2010-3972 and CVE-2010-1899. The server on the port is Microsoft IIS/7.5.

nmap -sV --script ./cvescannerv2.nse X.X.X.X -d -vvv
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-05 15:04 +07
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: 
NSE: Loaded 46 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 15:04
NSE: Starting cvescannerv2.
NSE: [cvescannerv2] Timestamp: 2024-03-05T08:04:20+00:00
NSE: [cvescannerv2] CVE data source: nvd.nist.gov
NSE: [cvescannerv2] Script version: 3.1.2
NSE: Finished cvescannerv2.
Completed NSE at 15:04, 0.01s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 15:04
Completed NSE at 15:04, 0.00s elapsed
Initiating Ping Scan at 15:04
Scanning X.X.X.X [2 ports]
Completed Ping Scan at 15:04, 0.37s elapsed (1 total hosts)
Overall sending rates: 5.40 packets / s.
mass_rdns: Using DNS server 127.0.0.53
Initiating Parallel DNS resolution of 1 host. at 15:04
mass_rdns: 0.00s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 15:04, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 15:04
Scanning X.X.X.X [1000 ports]
Discovered open port 110/tcp on X.X.X.X
Discovered open port 25/tcp on X.X.X.X
Discovered open port 80/tcp on X.X.X.X
Completed Connect Scan at 15:04, 20.93s elapsed (1000 total ports)
Overall sending rates: 95.92 packets / s.
Initiating Service scan at 15:04
Scanning 3 services on X.X.X.X
Completed Service scan at 15:04, 14.85s elapsed (3 services on 1 host)
NSE: Script scanning X.X.X.X.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 15:04
NSE: Starting cvescannerv2 against X.X.X.X:25.
NSE: Finished cvescannerv2 against X.X.X.X:25.
NSE: Starting cvescannerv2 against X.X.X.X.
NSE: Finished cvescannerv2 against X.X.X.X.
NSE: Starting vmware-version against X.X.X.X:80.
NSE: Starting https-redirect against X.X.X.X:80.
NSE: Starting hnap-info against X.X.X.X:80.
NSE: Starting cvescannerv2 against X.X.X.X:110.
NSE: Finished cvescannerv2 against X.X.X.X:110.
NSE: Starting cvescannerv2 against X.X.X.X:80.
NSE: [cvescannerv2 X.X.X.X:80] nmap cpe: cpe:/a:microsoft:iis:7.5 | version: 7.5
NSE: Starting http-trane-info against X.X.X.X:80.
NSE: [cvescannerv2 X.X.X.X:80] http.request socket error: The script encountered an error:
- ssl failed:
- Failed to connect:
- Could not connect:
- TIMEOUT
NSE: [cvescannerv2 X.X.X.X:80] Error processing request http://X.X.X.X:80/ => Error creating socket.
NSE: [cvescannerv2 X.X.X.X:80] cpe => cpe:/a:microsoft:iis:7.5 | version => 7.5
NSE: [cvescannerv2 X.X.X.X:80] product => iis | version => 7.5
NSE: Finished cvescannerv2 against X.X.X.X:80.
NSE: [vmware-version X.X.X.X:80] Couldn't download file: /sdk
NSE: Finished vmware-version against X.X.X.X:80.
NSE: Finished https-redirect against X.X.X.X:80.
NSE: [hnap-info X.X.X.X:80] HTTP: Host returns proper 404 result.
NSE: [http-trane-info X.X.X.X:80] HTTP: Host returns proper 404 result.
NSE: Finished hnap-info against X.X.X.X:80.
NSE: Finished http-trane-info against X.X.X.X:80.
Completed NSE at 15:05, 2.95s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 15:05
NSE: Starting http-server-header against X.X.X.X:80.
NSE: Finished http-server-header against X.X.X.X:80.
Completed NSE at 15:05, 1.75s elapsed
Nmap scan report for X.X.X.X
Host is up, received syn-ack (0.35s latency).
Scanned at 2024-03-05 15:04:20 +07 for 41s
Not shown: 997 filtered ports
Reason: 997 no-responses
PORT    STATE SERVICE REASON  VERSION
25/tcp  open  smtp    syn-ack hMailServer smtpd
80/tcp  open  http    syn-ack Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_cvescannerv2: 
110/tcp open  pop3    syn-ack hMailServer pop3d
Service Info: Host: A8W12.ru; OS: Windows; CPE: cpe:/o:microsoft:windows
Final times for host: srtt: 348779 rttvar: 48079  to: 541095

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 15:05
NSE: Starting cvescannerv2.
NSE: Finished cvescannerv2.
Completed NSE at 15:05, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 15:05
Completed NSE at 15:05, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-payloads nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.19 seconds

scmanjarrez commented 6 months ago

Nothing I can do here... IIS is defined as internet_information_services in the NVD data

cpe:2.3:a:microsoft:internet_information_services:7.5:*:*:*:*:*:*:*

but NMAP returns

cpe:/a:microsoft:iis:7.5

Obviously, querying iis in the database yields 0 rows.

Maybe it would be possible to build some kind of heuristic, but that would be overkill in the long term.

This is one of the shortcomings of this method: CPEs weren't standardized (and I think still aren't). Some CVEs use a different vendor-product-version than others, so you end up with multiple entries referring to the same product.

product_id  vendor     product                        version  version_update
80024       microsoft  iis                            7.5      *
486471      microsoft  internet_information_services  7.5      *

Two different entries for the same product yet only one is linked in NVD.

artvorlov commented 6 months ago

Yes, I understand the problem. For myself, I decided to add a file with product aliases. Here is my solution, maybe it will be useful to someone:

products-aliases.json

{
  "iis": ["internet_information_services"]
}

cvescannerv2.nse

...
local regex_arg = stdnse.get_script_args('regex') or 'http-regex-vulnerscom.json'
local products_aliases_arg = stdnse.get_script_args('products-aliases') or 'products-aliases.json'
local service_arg = stdnse.get_script_args('service') or 'all'
...
   -- The aliases file is validated the same way as the paths and regex files
   if not exists(db_arg) then
      ret = fmt("Database %s not found. " ..
                "Run ./databases.py before running nmap script.",
                db_arg)
   elseif not exists(path_arg) then
      ret = fmt("Paths file %s not found.", path_arg)
   elseif not valid_json(path_arg, 'path') then
      ret = fmt("Invalid json %s.", path_arg)
   elseif not exists(regex_arg) then
      ret = fmt("Regexes file %s not found.", regex_arg)
   elseif not valid_json(regex_arg, 'regex') then
      ret = fmt("Invalid json %s.", regex_arg)
   elseif not exists(products_aliases_arg) then
      ret = fmt("CPE products aliases file %s not found.", products_aliases_arg)
   elseif not valid_json(products_aliases_arg, 'products-aliases') then
      ret = fmt("Invalid json %s.", products_aliases_arg)
   end
...
local function valid_json (arg, type)
   local f = io.open(arg, 'r')
   local status, data = json.parse(f:read('*all'))
   if status then
      if type == 'path' then
         registry.path = data
      elseif type == 'regex' then
         registry.regex = data
      elseif type == 'products-aliases' then
         -- Parsed alias table: { ["nmap product"] = { "nvd product", ... } }
         registry.products_aliases = data
      end
   end
   f:close()
   return status
end
...
tmp_vulns = vulnerabilities(host, port, cpe, product, info)
-- Product aliases: query again under each alias of the nmap product name
-- and merge the results. Index 1 of the returned table holds the count.
if registry.products_aliases[product] then
   for _, alias in pairs(registry.products_aliases[product]) do
      local tmp_alias_vulns = vulnerabilities(host, port, cpe, alias, info)
      if tmp_alias_vulns then
         tmp_vulns[1] = tmp_vulns[1] + table.remove(tmp_alias_vulns, 1)
         for _, v in pairs(tmp_alias_vulns) do
            table.insert(tmp_vulns, v)
         end
      end
   end
end
local nvulns = table.remove(tmp_vulns, 1)

scmanjarrez commented 6 months ago

I think this can be a good workaround. We can improve the json with the most common services; maybe people can improve the list over time by opening an ISSUE. Would you mind doing a PR with your implementation? I'll check the NMAP code; maybe I can automate the generation of the initial list.

scmanjarrez commented 6 months ago

Hi, thanks for the PR, I've merged it. I relocated your code to leverage the logging functionality, otherwise the new CVEs wouldn't be logged.

I've seen this https://nvd.nist.gov/products/cpe/detail/A43289F0-8E95-4C9E-A0BC-A906D3CA0325; it seems that NVD kind of knows the deprecated CPEs. Maybe I can check the API, obtain this information and build the json. I need to check it.

cpe:2.3:a:microsoft:iis:7.5 - NVD - Detail

This CPE has been deprecated to:
    cpe:2.3:a:microsoft:internet_information_server:7.5:*:*:*:*:*:*:*
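The alias workaround above and the NVD deprecation note, worked through in Python as an added example (this is not CVEScannerV2's code nor artvorlov's patch). It assumes a minimal two-table sqlite schema as a stand-in for the real database, an NVD record in the shape of an NVD CPE API 2.0 `products[].cpe` object (constructed, not fetched), constructed CVE-to-product links, and function names of my own choosing:

```python
"""Added example, not CVEScannerV2's own code.  Expands the product name of
an nmap CPE through aliases before it is looked up.  All data here is
constructed: the two sqlite tables are a minimal stand-in for the real
database, the NVD record assumes the shape of an NVD CPE API 2.0
products[].cpe object, and the CVE-to-product links are illustrative."""
import json
import sqlite3

# Hand-maintained aliases, same format as the products-aliases.json above.
ALIASES_JSON = '{"iis": ["internet_information_services"]}'

# Constructed NVD CPE API 2.0 record (shape assumed) mirroring the
# deprecation note quoted in the thread.
NVD_RECORDS = [{"cpe": {
    "cpeName": "cpe:2.3:a:microsoft:iis:7.5:*:*:*:*:*:*:*",
    "deprecated": True,
    "deprecatedBy": [{"cpeName":
        "cpe:2.3:a:microsoft:internet_information_server:7.5:*:*:*:*:*:*:*"}],
}}]

# Stand-in for the products table shown above, plus a constructed link
# table in which only the internet_information_services row carries CVEs.
PRODUCT_ROWS = [
    (80024, "microsoft", "iis", "7.5", "*"),
    (486471, "microsoft", "internet_information_services", "7.5", "*"),
]
AFFECTED_ROWS = [(486471, "CVE-2010-1899"), (486471, "CVE-2010-2730"),
                 (486471, "CVE-2010-3972")]


def parse_cpe(cpe):
    """(part, vendor, product, version) from a CPE 2.2 URI such as
    cpe:/a:microsoft:iis:7.5 (what nmap -sV emits) or a CPE 2.3 formatted
    string.  Backslash escapes inside 2.3 components are not unescaped."""
    if cpe.startswith("cpe:2.3:"):
        fields = cpe.split(":")[2:]
    elif cpe.startswith("cpe:/"):
        fields = cpe[len("cpe:/"):].split(":")
    else:
        raise ValueError(f"not a CPE: {cpe}")
    fields += ["*"] * (4 - len(fields))  # pad a short URI with ANY
    return tuple(fields[:4])


def deprecation_aliases(records):
    """{product: {alias, ...}} from records whose CPE is deprecated in favour
    of a CPE with the same vendor but a different product name."""
    aliases = {}
    for rec in records:
        cpe = rec["cpe"]
        if not cpe.get("deprecated"):
            continue
        _, vendor, product, _ = parse_cpe(cpe["cpeName"])
        for target in cpe.get("deprecatedBy", []):
            _, t_vendor, t_product, _ = parse_cpe(target["cpeName"])
            if t_vendor == vendor and t_product != product:
                aliases.setdefault(product, set()).add(t_product)
    return aliases


def build_aliases(aliases_json=ALIASES_JSON, records=NVD_RECORDS):
    """Union of the hand-maintained file and the NVD-derived aliases."""
    merged = {k: set(v) for k, v in json.loads(aliases_json).items()}
    for product, names in deprecation_aliases(records).items():
        merged.setdefault(product, set()).update(names)
    return merged


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (product_id INTEGER PRIMARY KEY, "
               "vendor TEXT, product TEXT, version TEXT, version_update TEXT)")
    db.execute("CREATE TABLE affected (product_id INTEGER, cve TEXT)")
    db.executemany("INSERT INTO products VALUES (?,?,?,?,?)", PRODUCT_ROWS)
    db.executemany("INSERT INTO affected VALUES (?,?)", AFFECTED_ROWS)
    return db


def cves_for(db, nmap_cpe, aliases):
    """CVEs linked to the nmap product or any alias of it (same vendor and
    version).  nmap derives these strings from banners the target controls,
    so they are bound as parameters, never interpolated into the SQL."""
    _, vendor, product, version = parse_cpe(nmap_cpe)
    names = [product, *sorted(aliases.get(product, ()))]
    marks = ",".join("?" * len(names))
    rows = db.execute(
        "SELECT DISTINCT a.cve FROM products p JOIN affected a USING (product_id)"
        f" WHERE p.vendor = ? AND p.version = ? AND p.product IN ({marks})",
        [vendor, version, *names]).fetchall()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = open_db()
    cpe = "cpe:/a:microsoft:iis:7.5"  # as reported by nmap 7.80 above
    print("without aliases:", cves_for(db, cpe, {}))
    print("with aliases:   ", cves_for(db, cpe, build_aliases()))
```

Two things worth noticing when running it. The deprecation target in the NVD note quoted above is internet_information_server, while the product name carrying the CVEs in the thread's table is internet_information_services, so the NVD-derived alias on its own still matches nothing; only the union of both sources makes the lookup hit. And because the vendor, product and version strings ultimately come from a banner the scanned host controls, the lookup binds them as parameters rather than formatting them into the query.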

scmanjarrez commented 6 months ago

Hey, I've been checking the code of NMAP; it seems that the latest version (7.94) has the correct CPEs. After rechecking your comments, it seems that you're running a very outdated version (7.80). I'll try to set up a container with IIS to test again with CVEScannerV2 3.1.2, but I think the problem here was your NMAP version. Anyway, this feature should improve the scan quality overall.

artvorlov commented 6 months ago

You're right, it looks like it's time for me to upgrade. Version 7.80 is the latest for my Ubuntu release, 20.04.5 LTS.

scmanjarrez commented 5 months ago

You could run NMap from a container (only 36MB). I'm currently working on migrating all of my CI/CD from a self-hosted GitLab to GitHub. I expect to have a working action in the following days to build docker containers with CVEScannerV2 (no db) and another one with the database embedded. I'm also planning to detach CVEScannerV2DB entirely (removed as a submodule) to keep the main repository "small" but still build the database automatically.

scmanjarrez commented 5 months ago

Closed as completed in c957afa05410e91bbd0ac83f0a6d14c0a0cb3286. New containers can be found in dockerhub under scmanjarrez/cvescanner, variants db and nodb.