BIOS Info (SSH)

2008-09-08T00:00:00
ID BIOS_GET_INFO_SSH.NASL
Type nessus
Reporter This script is Copyright (C) 2008-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2008-09-08T00:00:00

Description

Using SMBIOS and UEFI, it was possible to get BIOS info.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if(description)
{
  script_id(34098);
  script_version ("1.14");
  script_set_attribute(attribute:"plugin_modification_date", value: "2018/11/01");

  script_name(english: "BIOS Info (SSH)");
  script_summary(english: "Get BIOS info using command line");

  script_set_attribute(attribute:"synopsis", value: "BIOS info could be read.");
  script_set_attribute(attribute:"description", value: "Using SMBIOS and UEFI, it was possible to get BIOS info.");
  script_set_attribute(attribute:"solution", value:"N/A");
  # Inventory only: the plugin collects BIOS/firmware facts, it does not test for a flaw.
  script_set_attribute(attribute:"risk_factor", value: "None");
  script_set_attribute(attribute:"plugin_publication_date", value: "2008/09/08");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"agent", value:"unix");
  script_end_attributes();


  script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is Copyright (C) 2008-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english: "General");

  # The SSH settings and the host-level session plugins must have run first.
  script_dependencies("ssh_settings.nasl", "ssh_get_info.nasl");
  # Reached over SSH (22 or whatever Services/ssh resolves to) or through the agent.
  script_require_ports("Services/ssh", 22, "nessus/product/agent");
  # Only the three dmidecode-derived keys are listed; BIOS/SecureBoot, which the
  # body also checks and writes, is not.
  # NOTE(review): presumably a host whose three BIOS keys already exist is not
  # revisited just to fill in SecureBoot -- confirm against the
  # script_exclude_keys semantics.
  script_exclude_keys("BIOS/Vendor", "BIOS/Version", "BIOS/ReleaseDate");
  exit(0);
}
include("misc_func.inc");
include("ssh_func.inc");
include("telnet_func.inc");
include("hostlevel_funcs.inc");


# Pick the SSH command wrappers according to what the ssh library can do:
# only a library that supports commands gets the wrappers enabled.
if (sshlib::get_support_level() < sshlib::SSH_LIB_SUPPORTS_COMMANDS)
{
  disable_ssh_wrappers();
}
else
{
  enable_ssh_wrappers();
}

# Nothing to do when every KB item this plugin knows how to populate is
# already present; stop at the first one that is missing.
required_kb_keys = make_list("BIOS/Vendor", "BIOS/Version", "BIOS/ReleaseDate", "BIOS/SecureBoot");
missing_kb_key = FALSE;
foreach required_key (required_kb_keys)
{
  if (!get_kb_item(required_key))
  {
    missing_kb_key = TRUE;
    break;
  }
}
if (!missing_kb_key)
{
  exit(0, "BIOS information already collected according to KB items." );
}

# Open the host-level session (SSH or another supported transport); abort on failure.
info_connect(exit_on_fail:TRUE);

# I planned initialy to run 
#  dmidecode -s bios-vendor 
#  dmidecode -s bios-version 
#  dmidecode -s bios-release-date
# Unfortunately, not all versions of dmidecode support the "-s" option.
# dmidecode -t 0 (which gives only BIOS information) is not supported
# everywhere either. So we have to parse the whole output.

# Work around a broken $PATH: try a bare dmidecode, then the usual sbin directories.
dirs = make_list( "", "/usr/sbin/", "/usr/local/sbin/", "/sbin/");

# Fields extracted from the "BIOS Information" section of the dmidecode output.
keys = make_list("Vendor", "Version", "Release Date");
values = make_list();
found = 0;

# NOTE(review): dmidecode typically needs privileged access to the SMBIOS
# tables; with an unprivileged account the output will not contain
# "BIOS Information" and this loop ends with found == 0 -- confirm.
foreach d (dirs)
{
  cmd = 'LC_ALL=C ' + d + 'dmidecode';
  buf = info_send_cmd(cmd: cmd);
  if ('BIOS Information' >< buf)
  {
    # in_bios_section is TRUE between the "BIOS Information" header and the
    # next line that starts with a capital letter (the following header).
    in_bios_section = FALSE;
    foreach l (split(buf, keep: 0))
    {
      if (preg(string: l, pattern: '^BIOS Information'))
      {
        in_bios_section = TRUE;
        continue;
      }
      if (preg(string: l, pattern: '^[A-Z]'))
      {
        in_bios_section = FALSE;
      }
      if (!in_bios_section) continue;

      # Inside the section, pick up "<key> : <value>" lines for each wanted key.
      foreach k (keys)
      {
        v = pregmatch(string: l, pattern: '^[ \t]+' + k + '[ \t]*:[  \t]*([^ \t].*)');
        if (isnull(v)) continue;
        values[k] = v[1];
        found++;
      }
    }
  }
  # The first directory that yielded a usable field wins; buf keeps its output.
  if (found > 0) break;
}

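#
# UEFI spec
# http://www.uefi.org/sites/default/files/resources/UEFI%20Spec%202_7_A%20Sept%206.pdf
# SecureBoot BS, RT Whether the platform firmware is operating in Secure boot mode (1) or not (0). All other values are reserved. Should be treated as read-only.
#
# Using * because sometimes vendors overload the global variable ID
# /sys/firmware/efi/efivars/SecureBoot-*
# if it exist:
# 06 00 00 00 01  -> 4 bytes for 32 bit access mask then 1 byte value (enabled)
# 06 00 00 00 00  -> 4 bytes for 32 bit access mask then 1 byte value (disabled)
#
# The variable is dumped with od, falling back to hexdump. Only when both are
# unavailable AND the host has no /sys/firmware/efi at all (not booted through
# UEFI, so the variable cannot exist) is a synthetic "disabled" record echoed.
# That fallback is grouped in a subshell so it runs on that path only: with a
# flat "A || B || C && D" chain (equal precedence, left-associative) the echo
# also ran after a *successful* od/hexdump, appending a bogus "06 00 00 00 00"
# line. It was ignored only because the real value was matched first, and any
# reserved/unexpected variable content was thereby misreported as "disabled".
#
dirs = make_list( "", "/bin/", "/usr/bin/", "/usr/local/bin/" );
bootSecure = "unknown";
foreach d (dirs)
{
  cmd  = 'LC_ALL=C 2>/dev/null ' + d + 'od -An -t x1 /sys/firmware/efi/efivars/SecureBoot-*';
  cmd += ' || ';
  cmd += 'LC_ALL=C 2>/dev/null ' + d + 'hexdump -ve \'10/1 "%02x " "\n" \' /sys/firmware/efi/efivars/SecureBoot-*';
  cmd += ' || ';
  cmd += '( LC_ALL=C [ ! -d /sys/firmware/efi ] && echo "06 00 00 00 00" )';
  otherBuf = info_send_cmd(cmd: cmd);
  lines = split(otherBuf, keep: 0);
  foreach l (lines)
  {
    # od and hexdump both print one "xx" group per byte, so the 5-byte
    # variable (32 bit access mask + 1 byte value) looks the same from either.
    if ( preg( string:tolower(l), pattern:"06 00 00 00 01" ) )
    {
      bootSecure = "enabled";
      break;
    }
    if ( preg( string:tolower(l), pattern:"06 00 00 00 00" ) )
    {
      bootSecure = "disabled";
      break;
    }
  }
  if ( bootSecure != "unknown" )
  {
    # we have the answer stop looking; the KB item is written even if the
    # dmidecode part of this plugin later audits out.
    replace_kb_item(name: 'BIOS/SecureBoot', value: bootSecure);
    break;
  }
}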

# The remote session is no longer needed once both commands have run.
if (info_t == INFO_SSH) ssh_close_connection();

# Keep the raw dmidecode output for other plugins whenever it looks like
# genuine dmidecode output, even if not every BIOS field was parsed.
if ('BIOS Information' >< buf || 'System Information' >< buf || found)
{
  replace_kb_item(name: 'Host/dmidecode', value: buf);
}

# Extract the system UUID from the first indented "UUID : <value>" line of
# the dmidecode output; uuid ends up NULL when no such line is present.
uuid = pgrep(pattern:'^[\t ]*UUID[ \t]*:', string:buf);
if ( ! isnull(uuid) )
{
  v = pregmatch(string: uuid, pattern: '^[ \t]+UUID[ \t]*:[  \t]*([^ \t].*)');
  if ( isnull(v) )
  {
    uuid = NULL;
  }
  else
  {
    uuid = v[1];
  }
}

# No BIOS field at all was parsed: nothing to store or report.
if (!found) audit( AUDIT_NOT_DETECT, "BIOS info" );

# Store each parsed field in the KB under its space-free name
# ("Release Date" -> BIOS/ReleaseDate) and build a padded "name : value" line.
report = "";
foreach k (keys(values))
{
  kb_name = str_replace(string: k, find: " ", replace: "");
  if ( empty_or_null(kb_name) || empty_or_null(values[k]) ) continue;
  replace_kb_item(name: "BIOS/" + kb_name, value: values[k]);
  report += k + crap(data: ' ', length: 12 - strlen(k)) + ' : ' + values[k] + '\n';
}

# Add the UUID line and, where the engine supports it, expose the UUID as a
# host tag as well.
if ( !isnull(uuid) )
{
  report += "UUID" + crap(data: ' ', length: 12 - strlen("UUID")) + ' : ' + uuid + '\n';

  if ( defined_func('report_xml_tag') )
  {
    report_xml_tag(tag:'bios-uuid', value:uuid);
    set_kb_item(name:"Host/Tags/report/bios-uuid", value:uuid);
  }
}

# The Secure boot state goes last; "unknown" is printed too, so the reader can
# tell that the efivars lookup failed rather than the line being absent.
if ( !empty_or_null( report ) )
{
  report += "Secure boot" + crap(data: ' ', length: 12 - strlen("Secure boot")) + ' : ' + bootSecure + '\n';
  security_report_v4(port: 0, severity:SECURITY_NOTE, extra:report);
}