Exploitability attributes of Nessus plugins: good, bad and Vulners

Exploitability is one of the most important criteria for prioritizing vulnerabilities. Let’s see how good is the exploit-related data of Tenable Nessus NASL plugins and whether we can do it better.

Nessus exploitability

What are the attributes related to exploits? To understand this, I parsed all nasl plugins and got the following results.

script_set_attribute(attribute:"cpe", value:"cpe:/a:malwarebytes:malwarebytes_anti-exploit");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
script_set_attribute(attribute:"exploit_framework_exploithub", value:"true");
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"exploithub_sku", value:"EH-10-031");
script_set_attribute(attribute:"exploithub_sku", value:"EH-11-053");
...
script_set_attribute(attribute:"exploithub_sku", value:"EH-14-757");

This is what you can expect to see in the scan results.

Some attributes indicate the existence of exploit:

  • exploit_available
  • exploitability_ease

Some attributes indicate the possibility of practical use of the exploit (only available value is “yes”):

  • exploited_by_malware
  • exploited_by_nessus

Some attributes indicate that there is an exploit in some well-known exploit framework (only available value is “yes”):

  • exploit_framework_canvas
  • exploit_framework_core
  • exploit_framework_exploithub
  • exploit_framework_metasploit

And some specific references to exploits (exploithub is already a closed project, so it’s not so interesting):

  • exploithub_sku

Nessus Exploitability Data

All plugins 90115
exploitability_ease 42267
exploit_available 42267
exploit_framework_core 4360
exploited_by_malware 4072
exploit_framework_metasploit 3469
exploit_framework_canvas 2544
exploited_by_nessus 873
exploit_framework_d2_elliot 327
exploit_framework_exploithub 166
exploithub_sku 166

Good

Wherever there is an exploitability_ease attribute, there will also be an exploit_available attribute. It is awesome. Let’s see what combinations of exploitability_ease and exploit_available can be.

Nessus combinations of exploitability attributes

exploit_available:false, exploitability_ease:
No known exploits are available
16453
exploit_available:true, exploitability_ease:
Exploits are available
24205
exploit_available:true, exploitability_ease:
No exploit is required
1609

So, if you want to get vulnerabilities with exploits, you can search for exploit_available == true and exploitability_ease attribute is not really necessary.

Bad

Now let’s see if exploitability_ease/exploit_available attributes are set in every plugin where additional exploitability attribute (exploit_framework_core, exploited_by_malware, exploit_framework_metasploit, etc.) set.

This is true for all attributes except exploited_by_nessus. There are 63 plug-ins (!) in which there is only exploited_by_nessus and no exploitability_ease/exploit_available.

Examples of such plugins:

BOOTPARAMD_GET_NIS_DOMAIN.NASL
SVN_IN_WWW.NASL
ORION_EXAMPLES_XSS.NASL
PHP_EXPOSE_PHP.NASL
GRANDSTREAM_GET_PASSWORD.NASL
TRAPEZE_ADMIN_ACCESSIBLE.NASL
PLIGG_REG_USERNAME_XSS.NASL
JRUN.NASL
OSCOMMERCE_ADMIN_ACCESS.NASL
MONGODB_AUTHENTICATION_DISABLED.NASL

Among them there are quite interesting this year plugins, for example “Belkin N750 Router Command Injection (BELKIN_TWONKY_PROXY_CMD_INJECTION.NASL)

So, be careful while filtering vulnerabilities. Don’t miss this “exploited_by_nessus” plugins.

Vulners

And finally the most interesting part, let’s look at Nessus plugins for which there are no attribute exploit_available at all, or exploit_available == false and try to find exploits for them. I’ve used this exploit data collections from vulners.com (“canvas”, “dsquare”, “metasploit”, “packetstorm”, “saint”, “exploitdb”):

Vulners exploits

If some particularTenable Nessus plugin and some Exploit have a link to the same CVE, that mean that they are somehow related, right? It’s not a rocket science, however this method gives pretty good results. I have found exploits for around 6000 Nessus plugins, for which Tenable gives no information on exploitability. That means more critical vulnerabilities will pass prioritization filter.

Additional exploitable vulnerabilities found with Vulners

exploit_available:true 25814
Vulners sploitable 6764
other plugins 57537

Some examples:



UBUNTU_USN-618-1.NASL
set([u’EDB-ID:30605′])

MANDRAKE_MDKSA-2006-053.NASL
set([u’EDB-ID:1557′])

MOZILLA_THUNDERBIRD_20023.NASL
set([u’EDB-ID:33128′])

DEBIAN_DLA-982.NASL
set([u’PACKETSTORM:143369′])

MANDRIVA_MDVSA-2014-056.NASL
set([u’EDB-ID:31615′, u’MSF:AUXILIARY/DOS/HTTP/APACHE_COMMONS_FILEUPLOAD_DOS’])

FEDORA_2012-9442.NASL
set([u’EDB-ID:37306′])

FREEBSD_PKG_B2A6FC0E070F11E0A6E900215C6A37BB.NASL
set([u’EDB-ID:15431′, u’PACKETSTORM:95574′])

SUSE_11_KERNEL-120418.NASL
set([u’EDB-ID:35403′])

CISCO-SA-20140605-OPENSSL-IOS.NASL
set([u’MSF:AUXILIARY/SCANNER/SSL/OPENSSL_CCS’])

CISCO-SA-20140605-OPENSSL-IOS.NASL
set([u’MSF:AUXILIARY/DOS/SSL/DTLS_FRAGMENT_OVERFLOW’])

SUSE_11_NTP-140721.NASL
set([u’MSF:AUXILIARY/SCANNER/NTP/NTP_READVAR’, u’MSF:AUXILIARY/SCANNER/NTP/NTP_PEER_LIST_SUM_DOS’, u’MSF:AUXILIARY/SCANNER/PORTMAP/PORTMAP_AMP’, u’MSF:AUXILIARY/SCANNER/NTP/NTP_UNSETTRAP_DOS’, u’MSF:AUXILIARY/SCANNER/NTP/NTP_MONLIST’, u’MSF:AUXILIARY/SCANNER/UDP/UDP_AMPLIFICATION’, u’MSF:AUXILIARY/SCANNER/UPNP/SSDP_AMP’, u’EDB-ID:33073′, u’PACKETSTORM:127492′, u’MSF:AUXILIARY/SCANNER/NTP/NTP_REQ_NONCE_DOS’, u’MSF:AUXILIARY/SCANNER/NTP/NTP_PEER_LIST_DOS’, u’MSF:AUXILIARY/SCANNER/NTP/NTP_RESLIST_DOS’])

Let’s see an example that there are no exploitability attributes in Nessus plugin for vulnerability that pretty sure is exploitable.

Cisco IOS Cluster Management Protocol Telnet Option Handling RCE (cisco-sa-20170317-cmp)

Note that there is a link to RCE exploit in Packet Storm:

Cisco IOS RCE

And here is a part of Nessus plugin code:

CISCO IOS RCE plugin code

As you can see, no exploitability_ease/exploit_available attributes. And this is pretty strange.

Thus, the use of external exploit databases can greatly help with the search of exploitable vulnerabilities detected by Nessus.

Leave a Reply

Your email address will not be published. Required fields are marked *