Analyzing the .gr domain for vulnerable components – Part 1

Introduction

“That’s not going to happen to me” is something you often hear when you talk to people about securing their infrastructure. The only problem is that getting compromised is sometimes a lot easier than they think, especially when they’re relying on outdated pieces of software that nobody maintains.

Our main goal was to identify potential OWASP 2013-A9 vulnerabilities; 2013-A9 stands for “Using Components with Known Vulnerabilities”. We also wanted to provide some statistics to anyone who finds them useful. For that purpose we deployed a custom-made scanner whose only task was to grab HTTP response headers and store them for further analysis. No other scans, which could be considered illegal in some cases, were performed. Sub-domains were not included in the survey.

Our starting resource was a domain name list (thanks to @hakmem for his valuable information) containing all the registered .gr domains.

Table 1

Domain names                        149637
Hosts replied                       116469
Hosts replied with Server header    114901

77.8% of the domains had a web server listening on the other end, 98.7% of which returned a Server header in their response. So, have you ever wondered which is the most popular web server in the .gr domain? Here’s the answer!
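The analysis step behind Table 1 and Figure 1 is straightforward once the Server headers are stored. The following is an added example, not the post’s scanner: it takes a list of stored Server header values (a constructed sample is embedded; None stands for a host that never replied and an empty string for a reply without a Server header) and produces the same kind of figures the post reports: reply rate, Server header rate, product distribution and, per product, how many hosts disclose a version.

```python
import re
from collections import Counter

# Constructed sample of stored Server header values, one per host.
# These are made-up values for illustration, not the survey's data.
SAMPLE_SERVER_HEADERS = [
    "Apache/2.2.22 (Debian)",
    "Apache",
    "nginx/1.2.1",
    "nginx",
    "Microsoft-IIS/6.0",
    "Microsoft-IIS/7.5",
    "Apache/2.4.7 (Ubuntu) PHP/5.5.9",
    "",      # host replied, but sent no Server header
    None,    # host did not reply at all
]

# First token of a Server header: product, optionally "/version".
SERVER_RE = re.compile(r"^([A-Za-z][\w.-]*)(?:/([\w.-]+))?")


def parse_server(header):
    """Return (product, version_or_None) from a Server header, or None if absent/unparseable."""
    if not header:
        return None
    m = SERVER_RE.match(header.strip())
    if not m:
        return None
    return m.group(1), m.group(2)


def summarize(headers):
    """Compute the Table 1 style counts and the per-product version disclosure rate."""
    total = len(headers)
    replied = sum(1 for h in headers if h is not None)
    with_server = sum(1 for h in headers if h)
    products = Counter()
    versioned = Counter()
    for h in headers:
        parsed = parse_server(h)
        if parsed is None:
            continue
        product, version = parsed
        products[product] += 1
        if version:
            versioned[product] += 1
    return {
        "total": total,
        "replied": replied,
        "with_server_header": with_server,
        "replied_pct": round(100.0 * replied / total, 1) if total else 0.0,
        "server_header_pct": round(100.0 * with_server / replied, 1) if replied else 0.0,
        "products": dict(products),
        # Share of each product's hosts that include a version number in the header.
        "version_disclosure_pct": {
            p: round(100.0 * versioned[p] / n, 1) for p, n in products.items()
        },
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SERVER_HEADERS).items():
        print(f"{key:24} {value}")
```

Only the first token of the header is used on purpose: a value such as "Apache/2.4.7 (Ubuntu) PHP/5.5.9" counts as one Apache host, while the trailing PHP token is left for a separate pass over the PHP-related headers.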

Figure 1 (image: web_server_usage)

A first look on web server condition

A properly configured web server is the foundation of every robust website. However, after the initial setup, web servers are often left to their fate. While an outdated web server doesn’t directly pose a threat, it often suggests that various other components (libraries, modules etc.) are outdated, and probably vulnerable, too. 40% of Apache powered domains included their server version in their response headers. In the case of nginx the percentage rises to 52%. The usage distribution among versions is shown in Figures 2 and 3.

 

apache_branch_usage

Figure 2

 

Figure 3

Figure 3

 

Working in the Greek IT industry means dealing with at least one Microsoft IIS server in your lifetime. This “love-to-hate” attitude probably explains why 45% of the discovered IIS servers are still below version 7.5. What will not come as a surprise is that if an IIS server identifies itself as one, it will give out its version. The only other option is to remove the Server header completely. So unless the 1% of hosts without a Server header (see Table 1) are running Microsoft IIS, that leaves us with a pretty accurate survey of the version usage.

 

iis_version_usage

Figure 4

What about ASP?

ASP.NET, probably the most used web application framework in Greece, adds an X-AspNet-Version header which holds the version of the framework. Of the ~11k domains discovered running ASP.NET, only a small fraction (~17%) return the version header. Figure 5 is based on this small percentage of replies, so it cannot be considered a completely representative sample.

 

asp_version_usage

Figure 5

Good ol’ trusted PHP…or not?

Last October kingcope released an RCE exploit for CVE-2012-1823, affecting multiple PHP versions. While exploitation can only succeed under certain conditions (e.g. a combination of Apache/PHP is required), these versions should be considered vulnerable. Five months after the exploit’s release and two years after the initial CVE, a considerable number of PHP-powered servers are running vulnerable versions. We received ~6.5k responses containing the running version of PHP (via the Server or X-Powered-By headers). Based on the list provided by the author, almost 1/3 are exploitable!
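Turning a disclosed PHP version into a “vulnerable / fixed” verdict is where such surveys usually go wrong, so here is an added example (not the post’s tooling, and not the author’s list referred to above) that does the comparison and handles the main pitfall. It extracts the PHP version from the X-Powered-By or Server header, compares it against a per-branch “first fixed release” baseline, and treats distribution-patched versions such as 5.3.3-7+squeeze14 separately, because a distro may have backported the fix without bumping the upstream version number. The FIXED_IN baseline and the sample responses are assumed placeholders for illustration; a real check takes the baseline from the vendor advisory.

```python
import re
from collections import Counter

# Constructed sample responses (header name -> value); illustrative only.
SAMPLE_RESPONSES = [
    {"X-Powered-By": "PHP/5.3.3-7+squeeze14"},          # distro-patched build
    {"X-Powered-By": "PHP/5.2.17"},                      # branch not in baseline
    {"Server": "Apache/2.2.22 (Ubuntu) PHP/5.4.6"},      # version only in Server header
    {"X-Powered-By": "PHP/5.4.20"},
    {"Server": "nginx/1.4.1"},                           # no PHP version disclosed
]

# "PHP/major.minor.patch" followed by any distro suffix (e.g. "-7+squeeze14").
PHP_RE = re.compile(r"PHP/(\d+)\.(\d+)\.(\d+)([^\s;]*)")

# Assumed baseline: first release of each branch that is considered fixed.
# Placeholder values for illustration; use the vendor advisory for real checks.
FIXED_IN = {(5, 3): (5, 3, 13), (5, 4): (5, 4, 3)}


def extract_php_version(headers):
    """Return ((major, minor, patch), suffix) from X-Powered-By or Server, or None."""
    for name in ("X-Powered-By", "Server"):
        value = headers.get(name)
        if not value:
            continue
        m = PHP_RE.search(value)
        if m:
            version = tuple(int(x) for x in m.group(1, 2, 3))
            return version, m.group(4)
    return None


def classify(headers):
    """Classify one response against the baseline without over-claiming on backports."""
    found = extract_php_version(headers)
    if found is None:
        return "no-php-version"
    version, suffix = found
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return "outside-baseline"      # branch not covered; needs a separate decision
    if version >= fixed:
        return "fixed"
    if suffix:
        return "check-distro-advisory"  # upstream number is old, fix may be backported
    return "affected"


def tally(responses):
    """Count verdicts across all stored responses."""
    return dict(Counter(classify(r) for r in responses))


if __name__ == "__main__":
    for verdict, count in sorted(tally(SAMPLE_RESPONSES).items()):
        print(f"{verdict:22} {count}")
```

Without the suffix check, every Debian or Ubuntu host reporting an old upstream number would be counted as exploitable, which inflates the “vulnerable” share; counting such hosts separately keeps the statistic honest while still flagging them for a closer look.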

 

php_version_usage

Figure 6

Conclusion

Using outdated software does not directly make you vulnerable. The biggest threat here is the attitude behind outdated software. Greece can be considered a developing country as far as internet services are concerned. This is probably an explanation why the field is flooded with cases of malpractice that somehow never see the light of day. Hopefully this situation is slowly changing for the better. Who knows, maybe we’ll repeat the survey in a year or so and see what happens.