Week 36 - CVE Submission

After a few of you reached out, I wanted to make this week’s web hacking tip on how to find CVEs and what to do when you discover one. So, let’s get into it! First, you need to locate software that runs on-premises at organizations rather than in the cloud. To do this you have to research. You can find giant lists of this all over the web, and it’s helpful if you find a certain type of software to target (CMS, Project Management Software, etc). Saasworthy[.]com is a useful website for filtering by software that runs on-prem: https://www.saasworthy.com/list/on-premise-project-management-software?page=2 I also suggest you target the worst reviewed software. In all my testing, I’ve discovered an absolute truth: if a company does not invest in its application’s design, they also do not invest in its security. Now that you have a target, I highly recommend looking for a specific vulnerability depending on your level of comfort and expertise. Cross-Site Scripting is a good way to go, or SQLi if you’re comfortable enough with it. Try to sign up for a free trial of the software, access a demo, or find open-source code. If you have more ideas on how to get access, let me know in the comments. BUT PLEASE REMEMBER TO ONLY TEST APPS WITH EXPLICIT PERMISSION FROM THE OWNER. So, you’ve finally discovered your CVE! After searching online and determining it wasn’t already discovered/reported, submit your finding to MITRE: https://www.cve.org/ResourcesSupport/ReportRequest#RequestCVEID Now you will have to wait approximately 30 days for a response. If it’s accepted, they will provide a simple response like “Use CVE-XXXX-XXXXX”. At this point, I was super confused, because I didn’t know how to use a CVE number. But after some research, I found that I needed to publicize the vulnerability before it would be posted on MITRE. CXSecurity[.]com was the fastest to publicize my CVE (took less than a day), so I recommend going to them first. You can also use PacketStorm or Exploit-DB if you choose. After one of these companies posts your vulnerability, you need to go back to MITRE: https://cveform.mitre.org/ And select the ‘Notify CVE about a publication’ option. Then simply provide the link to CXSecurity/PacketStorm/Exploit-DB and wait. It took about a day for MITRE to accept my publication and post the CVE! Once MITRE posts your CVE on cve[.]mitre[.]org it will take about a day to post on cvedetails[.]com, since cvedetails updates its records daily based upon MITRE. By the way, please reach out to the software vendor before publicizing your CVE. After all, we are in cyber security to help companies rather than criminals. I hope this was a helpful overview and inspires some of you to find a CVE!