Trying out deep-scan
18 Nov 2018 - Christopher McArthur
Mission
Vuls offers several modes and up until now I’ve only tested against the ‘fast’ scan mode. Today’s missing is to test the deep scan, this is supposed to find all vulnerabilities.
First problem is vuls will need root access to the container… this means building a container with a user that Vuls will be able to ssh into.
Secondly It requires some packages which are not present in the default ubuntu image I am starting from… Now this is incredably backwards… Here’s the build for just installing ping and adding a user vuls to sudoers…
cmcarthur@docker-engine-one:~$ docker build ./ping-test
Sending build context to Docker daemon 2.048kB
Step 1/3 : FROM ubuntu:latest
---> ea4c82dcd15a
Step 2/3 : RUN apt-get update && apt-get install -y iputils-ping && adduser --ingroup sudo --disabled-password vuls
---> Running in 9a6e58489c49
[ Fetching... ]
Fetched 15.1 MB in 6s (2554 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
libcap2 libcap2-bin libidn11 libpam-cap
The following NEW packages will be installed:
iputils-ping libcap2 libcap2-bin libidn11 libpam-cap # << New packages installed! there's 5
0 upgraded, 5 newly installed, 0 to remove and 5 not upgraded.
Need to get 140 kB of archives.
After this operation, 537 kB of additional disk space will be used.
[ Downloading packages... ]
debconf: delaying package configuration, since apt-utils is not installed
Fetched 140 kB in 1s (245 kB/s)
[ Package setup... ]
Adding user `vuls' ...
Adding new user `vuls' (1000) with group `sudo' ...
Creating home directory `/home/vuls' ...
Copying files from `/etc/skel' ...
Changing the user information for vuls
Enter the new value, or press ENTER for the default
Full Name []: Room Number []: Work Phone []: Home Phone []: Other []: Use of uninitialized value $answer in chop at /usr/sbin/adduser line 621.
Use of uninitialized value $answer in pattern match (m//) at /usr/sbin/adduser line 622.
Is the information correct? [Y/n] Removing intermediate container 9a6e58489c49
---> 5c32b54a36fe
Step 3/3 : CMD bash
---> Running in 3b2104823e1e
Removing intermediate container 3b2104823e1e
---> f3fc471b7d34
Successfully built f3fc471b7d34
Scanning ping test fails because some tools are not available
And now let’s install the checkrestart package as well
The following NEW packages will be installed:
bsdmainutils ca-certificates cron curl dctrl-tools debian-goodies elfutils
file groff-base iputils-ping krb5-locales libasm1 libasn1-8-heimdal libbsd0
libcap2 libcap2-bin libcurl4 libdw1 libelf1 libexpat1 libfribidi0
libgdbm-compat4 libgdbm5 libgssapi-krb5-2 libgssapi3-heimdal
libhcrypto4-heimdal libheimbase1-heimdal libheimntlm0-heimdal
libhx509-5-heimdal libidn11 libipc-system-simple-perl libk5crypto3
libkeyutils1 libkrb5-26-heimdal libkrb5-3 libkrb5support0 libldap-2.4-2
libldap-common libmagic-mgc libmagic1 libmpdec2 libnewt0.52 libnghttp2-14
libpam-cap libperl5.26 libpipeline1 libpopt0 libpsl5 libpython3-stdlib
libpython3.6-minimal libpython3.6-stdlib libreadline7 libroken18-heimdal
librtmp1 libsasl2-2 libsasl2-modules libsasl2-modules-db libslang2
libsqlite3-0 libssl1.1 libwind0-heimdal man-db mime-support netbase openssl
perl perl-modules-5.26 popularity-contest publicsuffix python3
python3-minimal python3.6 python3.6-minimal readline-common whiptail
xz-utils
0 upgraded, 76 newly installed, 0 to remove and 5 not upgraded.
Yep … counter productive… for sure I’ll find more vulnerabilities….
Turns out deep scan fails on my ping-test ubuntu image… The extra required package fails LOL !
[Nov 18 21:39:15] DEBUG [vuls@172-17-0-1] Executing... LANGUAGE=en_US.UTF-8 checkrestart
[Nov 18 21:39:16] DEBUG [vuls@172-17-0-1] execResult: servername: vuls@172-17-0-1
cmd: /usr/bin/ssh -tt -o StrictHostKeyChecking=yes -o LogLevel=quiet -o ConnectionAttempts=3 -o ConnectTimeout=10 -o ControlMaster=auto -o ControlPath=/root/.vuls/controlmaster-%r-172-17-0-1.%p -o Controlpersist=10m cmcarthur@172.17.0.1 -p 22 stty cols 1000; docker exec --user 0 9a90b193e52a /bin/sh -c 'LANGUAGE=en_US.UTF-8 checkrestart'
exitstatus: 1
stdout: Traceback (most recent call last):
File "/usr/sbin/checkrestart", line 798, in <module>
main()
File "/usr/sbin/checkrestart", line 159, in main
toRestart = lsoffilescheck(blacklist = blacklist)
File "/usr/sbin/checkrestart", line 370, in lsoffilescheck
for line in check_output(['lsof', '+XL', '-F', 'nf']).decode(errors="ignore").splitlines():
File "/usr/lib/python3.6/subprocess.py", line 336, in check_output
**kwargs).stdout
File "/usr/lib/python3.6/subprocess.py", line 403, in run
with Popen(*popenargs, **kwargs) as process:
File "/usr/lib/python3.6/subprocess.py", line 709, in __init__
restore_signals, start_new_session)
File "/usr/lib/python3.6/subprocess.py", line 1344, in _execute_child
raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: 'lsof': 'lsof'
stderr:
err: %!s(<nil>)
Adding the missing package to the docker build
The following NEW packages will be installed:
bsdmainutils ca-certificates cron curl dctrl-tools debian-goodies elfutils
file groff-base iputils-ping krb5-locales libasm1 libasn1-8-heimdal libbsd0
libcap2 libcap2-bin libcurl4 libdw1 libelf1 libexpat1 libfribidi0
libgdbm-compat4 libgdbm5 libgssapi-krb5-2 libgssapi3-heimdal
libhcrypto4-heimdal libheimbase1-heimdal libheimntlm0-heimdal
libhx509-5-heimdal libidn11 libipc-system-simple-perl libk5crypto3
libkeyutils1 libkrb5-26-heimdal libkrb5-3 libkrb5support0 libldap-2.4-2
libldap-common libmagic-mgc libmagic1 libmpdec2 libnewt0.52 libnghttp2-14
libpam-cap libperl5.26 libpipeline1 libpopt0 libpsl5 libpython3-stdlib
libpython3.6-minimal libpython3.6-stdlib libreadline7 libroken18-heimdal
librtmp1 libsasl2-2 libsasl2-modules libsasl2-modules-db libslang2
libsqlite3-0 libssl1.1 libwind0-heimdal lsof man-db mime-support netbase
openssl perl perl-modules-5.26 popularity-contest publicsuffix python3
python3-minimal python3.6 python3.6-minimal readline-common whiptail
xz-utils
0 upgraded, 77 newly installed, 0 to remove and 5 not upgraded.
5 more dependencies are requires… However I did see some life in the debug print ( the change log files are massive )
Deep scan does no work on host because it hangs on sudo credentials! ( ill need to modify my sudoers I forgot do correct that for my host )
Some pretty crazy results….
With the caching it took 32s!! diff
There were several new vulnerabilities ( and thats without updated databases of CVEs ) just the new packages.. I suspected it would be counter productive to install more tools.
It does have the added bonus of telling you which CVEs have been fixed ( I manually checked on of them and it is listed in a higher package version that the CVE was addressed )
After serval hours it seems the scan hanged on 5 packages… I will re-run the scan in debug tomorrow, I can not scan and update the databases at the same time.
[Nov 19 07:35:39] INFO [172-17-0-1] (172/178) Scanned apt: []
[Nov 19 07:35:39] DEBUG [172-17-0-1] execResult: servername: 172-17-0-1
cmd: /usr/bin/ssh -tt -o StrictHostKeyChecking=yes -o LogLevel=quiet -o ConnectionAttempts=3 -o ConnectTimeout=10 -o ControlMaster=auto -o ControlPath=/root/.vuls/controlmaster-%r-172-17-0-1.%p -o Controlpersist=10m cmcarthur@172.17.0.1 -p 22 stty cols 1000; PAGER=cat apt-get -q=2 changelog initramfs-tools-core
exitstatus: 0
stdout:
[ ... the massive changelog ]
stderr:
err: %!s(<nil>)
[Nov 19 07:35:39] INFO [172-17-0-1] (173/178) Scanned initramfs-tools-core: []
[Nov 19 09:33:54] ERROR [localhost] Timed out: 172-17-0-1
Very odd… ill retry running it again… since what’s missing
UPDATE: It’s stuck at 172 again =? it went through in a different order
RIP no more testing local host