[Openvas-commits] r1492 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Tue Oct 7 16:11:34 CEST 2008


Author: chandra
Date: 2008-10-07 16:11:33 +0200 (Tue, 07 Oct 2008)
New Revision: 1492

Added:
   trunk/openvas-plugins/scripts/gb_ms08-046.nasl
   trunk/openvas-plugins/scripts/gb_php_detect.nasl
   trunk/openvas-plugins/scripts/gb_php_mult_vuln_aug08.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
Log:
Added new plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2008-10-07 13:20:14 UTC (rev 1491)
+++ trunk/openvas-plugins/ChangeLog	2008-10-07 14:11:33 UTC (rev 1492)
@@ -1,7 +1,13 @@
 2008-10-07 Chandrashekhar B <bchandra at secpod.com>
+	* scripts/gb_ms08-046.nasl,
+	  scripts/gb_php_detect.nasl,
+	  scripts/gb_php_mult_vuln_aug08.nasl:
+	  Added new plugins
+
+2008-10-07 Chandrashekhar B <bchandra at secpod.com>
 	* scripts/secpod_smb_func.inc:
 	  Resolved an issue, was fetching unwanted numbers in certain 
-          file versions patterns
+	  file versions patterns
 
 2008-10-07 Chandrashekhar B <bchandra at secpod.com>
 	* scripts/gb_thunderbird_mult_vuln_july08_lin.nasl,

Added: trunk/openvas-plugins/scripts/gb_ms08-046.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ms08-046.nasl	2008-10-07 13:20:14 UTC (rev 1491)
+++ trunk/openvas-plugins/scripts/gb_ms08-046.nasl	2008-10-07 14:11:33 UTC (rev 1492)
@@ -0,0 +1,205 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_ms08-046.nasl 310 2008-10-04 12:15:05Z oct $
+#
+# Microsoft Windows Image Color Management System Code Execution Vulnerability (952954)
+#
+# Authors:
+# Chandan S <schandan at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+
+if(description)
+{
+  script_id(800023);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2008-2245");
+  script_bugtraq_id(30594);
+  script_name(english:"Microsoft Windows Image Color Management System Code Execution Vulnerability (952954)");
+  desc["english"] = "
+
+  Overview: This host has critical security update missing according to
+  Microsoft Bulletin MS08-046.
+
+  Vulnerability Insight:
+  The flaw is caused due to the way Microsoft Color Management System (MSCMS)
+  module of the Microsoft ICM component handles memory allocation.
+
+  Impact:
+  Successful exploitation could execute arbitrary code when a user opens a
+  specially crafted image file and can gain same user rights as the local
+  user. An attacker could then install programs; view, change, or delete
+  data, or create new accounts.
+
+  Impact Level: System
+
+  Affected Software/OS: Microsoft Windows 2K/XP/2003
+
+  Fix:
+  Run Windows Update and update the listed hotfixes or download and
+  update mentioned hotfixes in the advisory from the below link.
+  http://www.microsoft.com/technet/security/bulletin/ms08-049.mspx
+
+  References:
+  http://www.microsoft.com/technet/security/bulletin/ms08-046.mspx
+
+  CVSS Score:
+    CVSS Base Score     : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
+    CVSS Temporal Score : 6.9
+  Risk factor : High";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Check for the vulnerable File Version");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+  script_family(english:"Windows");
+  script_dependencies("secpod_reg_enum.nasl");
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(hotfix_check_sp(xp:4, win2k:5, win2003:3) <= 0){
+  exit(0);
+}
+
+function get_version()
+{
+  dllPath = registry_get_sz(item:"Install Path",
+                           key:"SOFTWARE\Microsoft\COM3\Setup");
+  if(!dllPath){
+    exit(0);
+  }
+  dllPath += "\Mscms.dll";
+  share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:dllPath);
+  file =  ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:dllPath);
+
+  soc = open_sock_tcp(port);
+  if(!soc){
+    exit(0);
+  }
+
+  r = smb_session_request(soc:soc, remote:name);
+  if(!r)
+  {
+    close(soc);
+    exit(0);
+  }
+  prot = smb_neg_prot(soc:soc);
+  if(!prot)
+  {
+    close(soc);
+    exit(0);
+  }
+
+  r = smb_session_setup(soc:soc, login:login, password:pass,
+                        domain:domain, prot:prot);
+  if(!r)
+  {
+    close(soc);
+    exit(0);
+  }
+
+  uid = session_extract_uid(reply:r);
+
+  r = smb_tconx(soc:soc, name:name, uid:uid, share:share);
+  tid = tconx_extract_tid(reply:r);
+  if(!tid)
+  {
+    close(soc);
+    exit(0);
+  }
+
+  fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
+  if(!fid)
+  {
+    close(soc);
+    exit(0);
+  }
+
+  v = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid, offset:60000,
+                 verstr:"prod");
+  close(soc);
+  return v;
+}
+
+# Check for MS08-046 Hotfix (952954)
+if(hotfix_missing(name:"952954") == 0){
+  exit(0);
+}
+
+fileVer = get_version();
+if(!fileVer){
+  exit(0);
+}
+
+if(hotfix_check_sp(win2k:5) > 0)
+{
+  # Check for version < 5.0.2195.7162
+  if(version_is_less(version:fileVer, test_version:"5.0.2195.7162")){
+    security_hole(0);
+  }
+  exit(0);
+}
+else if(hotfix_check_sp(xp:4) > 0)
+{
+  SP = get_kb_item("SMB/WinXP/ServicePack");
+  if("Service Pack 2" >< SP)
+  {
+    # < 5.1.2600.3396
+    if(version_is_less(version:fileVer, test_version:"5.1.2600.3396")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+  else if("Service Pack 3" >< SP)
+  {
+    # Check for version < 5.1.2600.5627
+    if(version_is_less(version:fileVer, test_version:"5.1.2600.5627")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+  security_hole(0);
+}
+else if(hotfix_check_sp(win2003:3) > 0)
+{
+  SP = get_kb_item("SMB/Win2003/ServicePack");
+  if("Service Pack 1" >< SP)
+  {
+    # Check for version < 5.2.3790.3163
+    if(version_is_less(version:fileVer, test_version:"5.2.3790.3163")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+  else if("Service Pack 2" >< SP)
+  {
+    # Check for version < 5.2.3790.4320
+    if(version_is_less(version:fileVer, test_version:"5.2.3790.4320")){
+      security_hole(0);
+    }
+    exit(0);
+  }
+  security_hole(0);
+}
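Review bot: The description's Fix paragraph points the reader at ms08-049.mspx, while the script title, CVE-2008-2245, the 952954 hotfix check and the References line all concern MS08-046; the remediation link should read `http://www.microsoft.com/technet/security/bulletin/ms08-046.mspx`, otherwise operators are sent to an unrelated bulletin. Separately, get_version() uses `port`, `name`, `login`, `pass` and `domain` in open_sock_tcp(), smb_session_request() and smb_session_setup() but nothing in this file assigns them; unless one of the included .inc files populates these globals, the socket open fails and every call path exits silently, which reads as "not vulnerable" rather than "could not check" — the values should be read from the SMB knowledge-base entries at the top of the script so the dependency is visible. The two drive-letter regexes building `share` and `file` also only accept an uppercase `[A-Z]`, so a lowercase "c:\..." Install Path value would leave both strings unusable; `[A-Za-z]` costs nothing.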


Property changes on: trunk/openvas-plugins/scripts/gb_ms08-046.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_php_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_php_detect.nasl	2008-10-07 13:20:14 UTC (rev 1491)
+++ trunk/openvas-plugins/scripts/gb_php_detect.nasl	2008-10-07 14:11:33 UTC (rev 1492)
@@ -0,0 +1,74 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_php_detect.nasl 311 2008-10-07 15:15:24Z oct $
+#
+# PHP Version Detection
+#
+# Authors:
+# Veerendra GG <veerendragg at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(800109);
+  script_version("Revision: 1.0 ");
+  script_name(english:"PHP Version Detection");
+  desc["english"] = "
+  Overview : This script finds the installed PHP Version and saves the
+  version in KB.
+
+  Risk factor : Informational";
+
+  script_description(english:desc["english"]);
+  script_family(english:"General");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+  script_summary(english:"Set Version of PHP in KB");
+  script_dependencies("find_service.nes");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port)){
+  exit(0);
+}
+
+banner = get_http_banner(port:port);
+if("PHP" >!< banner){
+  exit(0);
+}
+
+# PHP can be installed as a stand-alone package, local checks
+# have to be separately written.
+
+phpInfo = egrep(pattern:"Server.*PHP.*", string:banner);
+if(!phpInfo){
+  phpInfo = egrep(pattern:"X.Powered.By.*PHP.*", string:banner);
+}
+
+phpVer = ereg_replace(pattern:".*PHP/([.0-9]*).*", string:phpInfo, replace:"\1");
+if(phpVer)
+{
+  set_kb_item(name:"PHP/Version", value:phpVer);
+  set_kb_item(name:"PHP/Port", value:port);
+}
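Review bot: The stored version is never validated: when the matched Server or X-Powered-By line contains "PHP" without a "PHP/x.y" token (expose_php with a custom string, or "PHP" appearing elsewhere in the header), ereg_replace leaves the line unchanged, so `phpVer` becomes the whole header line and is written to PHP/Version, where dependent checks such as gb_php_mult_vuln_aug08.nasl will feed it to version_is_less_equal. Guard both steps: `if(!phpInfo){ exit(0); }` after the two egrep calls, and replace the `if(phpVer)` test with `if(phpVer && ereg(pattern:"^[0-9]+(\.[0-9]+)+$", string:phpVer))` so only a dotted numeric version is stored. It is also worth a one-line comment above the set_kb_item calls that this is banner-derived and can be absent or spoofed (expose_php=Off, rewritten Server headers), so a missing PHP/Version key means "unknown", not "no PHP".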

Added: trunk/openvas-plugins/scripts/gb_php_mult_vuln_aug08.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_php_mult_vuln_aug08.nasl	2008-10-07 13:20:14 UTC (rev 1491)
+++ trunk/openvas-plugins/scripts/gb_php_mult_vuln_aug08.nasl	2008-10-07 14:11:33 UTC (rev 1492)
@@ -0,0 +1,107 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_php_mult_vuln_aug08.nasl 312 2008-10-07 16:43:56Z oct $
+#
+# Multiple Vulnerabilities in PHP August-08
+#
+# Authors:
+# Veerendra GG <veerendragg at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(800110);
+  script_version("$Revision: 1.0 $");
+  script_bugtraq_id(29009, 27413, 27786);
+  script_cve_id("CVE-2008-2050", "CVE-2008-2051", "CVE-2007-4850",
+                "CVE-2008-0599", "CVE-2008-0674");
+  script_xref(name:"CB-A", value:"08-0118");
+  script_name(english:"Multiple Vulnerabilities in PHP August-08");
+  desc["english"] = "
+
+  Overview: The host is installed with PHP, that is prone to multiple
+  vulnerabilities.
+
+  Vulnerability Insight:
+  The flaws are caused by,
+  - an unspecified stack overflow error in FastCGI SAPI (fastcgi.c).
+  - an error during path translation in cgi_main.c.
+  - an error with an unknown impact/attack vectors.
+  - an unspecified error within the processing of incomplete multibyte
+    characters in escapeshellcmd() API function.
+  - error in curl/interface.c in the cURL library(libcurl), which could be
+    exploited by attackers to bypass safe_mode security restrictions.
+  - an error in PCRE. i.e buffer overflow error when handling a character class
+    containing a very large number of characters with codepoints greater than
+    255(UTF-8 mode).
+
+  Impact:
+  Successful exploitation could result in remote arbitrary code execution,
+  security restrictions bypass, access to restricted files, denial of service.
+
+  Impact Level: System
+
+  Affected Software/OS:
+  PHP version prior to 5.2.6
+
+  Fix:
+  Upgrade to PHP version 5.2.6 or above,
+  http://www.php.net/downloads.php
+
+  References:
+  http://pcre.org/changelog.txt
+  http://www.php.net/ChangeLog-5.php
+  http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0176
+  http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0178
+  http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0086
+
+  CVSS Score:
+    CVSS Base Score     : 9.0 (AV:N/AC:L/Au:NR/C:P/I:P/A:C)
+    CVSS Temporal Score : 7.0
+  Risk factor : High";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Check for the version of PHP");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+  script_family(english:"Misc.");
+  script_dependencies("gb_php_detect.nasl");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+phpPort = get_kb_item("PHP/Port");
+if(!phpPort){
+  exit(0);
+}
+
+phpVer = get_kb_item("PHP/Version");
+if(!phpVer){
+  exit(0);
+}
+
+# Debian and Gentoo advisories are available. Once local checks
+# are written, we can exit from here.
+
+# Match PHP version < 5.2.6 
+if(version_is_less_equal(version:phpVer, test_version:"5.2.5")){
+  security_hole(phpPort);
+}
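Review bot: The comment and the description both say "prior to 5.2.6" but the test is `version_is_less_equal(version:phpVer, test_version:"5.2.5")`; the detector's regex allows extra dotted components, so a banner such as PHP/5.2.5.1 would compare greater than 5.2.5 and escape the check. `if(version_is_less(version:phpVer, test_version:"5.2.6")){` states the intended condition directly and covers those strings. As the comment above the check already acknowledges, this is banner-only and Debian and Gentoo backport these fixes without bumping the advertised version, so a patched 5.2.5 package will be flagged; the description's Overview should say the result is banner-based and needs confirmation against the distribution's package version so operators can triage the false positives.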


Property changes on: trunk/openvas-plugins/scripts/gb_php_mult_vuln_aug08.nasl
___________________________________________________________________
Name: svn:executable
   + *


