[Openvas-commits] r1543 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Tue Oct 14 16:57:32 CEST 2008
Author: chandra
Date: 2008-10-14 16:57:31 +0200 (Tue, 14 Oct 2008)
New Revision: 1543
Added:
trunk/openvas-plugins/scripts/secpod_hp_smh_unspecified_xss_vuln_900150.nasl
trunk/openvas-plugins/scripts/secpod_rhinosoft_serv-u_dir_trav_and_dos_vuln_900149.nasl
Modified:
trunk/openvas-plugins/ChangeLog
Log:
Added new plugins
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2008-10-14 14:47:09 UTC (rev 1542)
+++ trunk/openvas-plugins/ChangeLog 2008-10-14 14:57:31 UTC (rev 1543)
@@ -1,4 +1,9 @@
2008-10-14 Chandrashekhar B <bchandra at secpod.com>
+ * scripts/secpod_hp_smh_unspecified_xss_vuln_900150.nasl,
+ scripts/secpod_rhinosoft_serv-u_dir_trav_and_dos_vuln_900149.nasl:
+ Added new plugins
+
+2008-10-14 Chandrashekhar B <bchandra at secpod.com>
* scripts/pkg-lib-rpm.inc:
Fixed an issue with regex to grep the RPM
revision
Added: trunk/openvas-plugins/scripts/secpod_hp_smh_unspecified_xss_vuln_900150.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_hp_smh_unspecified_xss_vuln_900150.nasl 2008-10-14 14:47:09 UTC (rev 1542)
+++ trunk/openvas-plugins/scripts/secpod_hp_smh_unspecified_xss_vuln_900150.nasl 2008-10-14 14:57:31 UTC (rev 1543)
@@ -0,0 +1,92 @@
+##############################################################################
+#
+# HP System Management Homepage Unspecified XSS Vulnerability
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/10/14
+#
+# Revision: 1.1
+#
+# Log : ssharath
+# Issue #0315
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+##############################################################################
+
+if(description)
+{
+ script_id(900150);
+ script_bugtraq_id(31663);
+ script_cve_id("CVE-2008-4411");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"CGI abuses : XSS");
+ script_name(english:"HP System Management Homepage Unspecified XSS Vulnerability");
+ script_summary(english:"Check for vulnerable version of HP SMH");
+ desc["english"] = "
+ Overview : The host is running HP System Management Homepage, which is prone
+ to unspecified XSS Vulnerability.
+
+ Certain input parameters are not properly sanitized before returned to the
+ user.
+
+ Impact:
+ An attacker can execute arbitrary script code in the user's browser session.
+
+ Impact Level : Application
+
+ Affected Software/OS:
+ HP System Management Homepage versions prior to 2.1.15.210
+
+ Fix : Update to version 2.1.15.210 or later.
+ HP System Management Homepage for Linux (x86) v2.1.15.210:
+ http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?swItem=MTX-e85a4029b2dd42959f1f82dda7
+
+ HP System Management Homepage for Linux (AMD64/EM64T) v2.1.15.210:
+ http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?swItem=MTX-5c90113499bb41faacdcad9485
+
+ HP System Management Homepage for Windows v2.1.15.210:
+ http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?swItem=MTX-84b4161b7cd3455fb34ac57586
+
+ References :
+ http://secunia.com/advisories/32199/
+ http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01570589
+
+ CVSS Score :
+ CVSS Base Score : 6.4 (AV:N/AC:L/Au:NR/C:P/I:P/A:N)
+ CVSS Temporal Score : 4.7
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_dependencies("http_version.nasl");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+smhPort = 2301;
+if(get_port_state(smhPort))
+{
+ smhReq = http_get(item:"/", port:smhPort);
+ smhRes = http_keepalive_send_recv(port:smhPort, data:smhReq);
+
+ if(egrep(pattern:"CompaqHTTPServer/9\.9 HP System Management Homepage",
+ string:smhRes) && egrep(pattern:"^HTTP/.* 302 Found", string:smhRes))
+ {
+ if(egrep(pattern:"/2\.(0(\..*)?|1((\.[0-9]|\.1[0-5])(\.[01]?[0-9]?[0-9]|" +
+ "\.20[0-9])?)?)($|[^.0-9])", string:smhRes)){
+ security_warning(smhPort);
+ }
+ }
+}
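Review bot: The version regex on the last two `egrep` lines is matched against the whole HTTP response `smhRes` rather than against an extracted version, so any `/2.x` substring anywhere in the headers or body (a URL path in the redirect, for instance) would satisfy it and flag a patched host; extract the version first and match only that, e.g. `smhVer = eregmatch(pattern:"HP System Management Homepage/([0-9.]+)", string:smhRes);` if the Server header carries it, which the page does not show. The regex itself is dense enough to deserve a comment, something like `# vulnerable: 2.0.x and 2.1.0 - 2.1.15.209 (fixed in 2.1.15.210)`. A failed `http_keepalive_send_recv` leaves `smhRes` empty and the script still runs the pattern checks; `if(!smhRes) exit(0);` after the receive makes that explicit. The hard-coded `smhPort = 2301` is presumably the SMH default, but a comment saying so would help the next reader.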
Added: trunk/openvas-plugins/scripts/secpod_rhinosoft_serv-u_dir_trav_and_dos_vuln_900149.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_rhinosoft_serv-u_dir_trav_and_dos_vuln_900149.nasl 2008-10-14 14:47:09 UTC (rev 1542)
+++ trunk/openvas-plugins/scripts/secpod_rhinosoft_serv-u_dir_trav_and_dos_vuln_900149.nasl 2008-10-14 14:57:31 UTC (rev 1543)
@@ -0,0 +1,164 @@
+##############################################################################
+#
+# Serv-U File Renaming Directory Traversal and 'STOU' DoS Vulnerabilities
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/10/07
+#
+# Revision: 1.1
+#
+# Log : ssharath
+# Issue #0309
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+##############################################################################
+
+if(description)
+{
+ script_id(900149);
+ script_bugtraq_id(31563);
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Denial of Service");
+ script_name(english:"Serv-U File Renaming Directory Traversal and 'STOU' DoS Vulnerabilities");
+ script_summary(english:"Check for vulnerable version of Serv-U FTP Server");
+ desc["english"] = "
+ Overview : The host is running Serv-U FTP Server, which is prone to Directory
+ Traversal and Denial of Service Vulnerabilities.
+
+ The flaws are due to,
+ - error in handling "STOU" FTP command. It can exhaust available CPU
+ resources when exploited through a specially crafted argument vaule.
+ - input validation error in the FTP service when renaming files which can be
+ exploited to overwrite or rename files via directory traversal attacks.
+
+ Impact :
+ Successful exploitation allows an attacker to write arbitrary files to
+ locations outside of the application's current directory, and deny the service.
+
+ Impact Level : Application
+
+ Affected Software/OS :
+ RhinoSoft Serv-U FTP Server 7.3.0.0 and prior
+
+ Fix : No solution/patch is available as on 07th October, 2008.
+
+ References :
+ http://milw0rm.com/exploits/6660
+ http://secunia.com/advisories/32150/
+ http://xforce.iss.net/xforce/xfdb/45653
+
+ CVSS Score :
+ CVSS Base Score : 7.5 (AV:N/AC:M/Au:SI/C:P/I:P/A:C)
+ CVSS Temporal Score : 6.7
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl", "find_service.nes");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+include("ftp_func.inc");
+include("secpod_smb_func.inc");
+
+ftpPort = get_kb_item("Services/ftp");
+if(!ftpPort){
+ ftpPort = 21;
+}
+
+if(!get_port_state(ftpPort)){
+ exit(0);
+}
+
+banner = get_ftp_banner(port:ftpPort);
+if("Serv-U" >!< banner){
+ exit(0);
+}
+
+if(egrep(pattern:"Serv-U FTP Server v7\.[0-2]", string:banner)){
+ security_warning(ftpPort);
+ exit(0);
+}
+
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+}
+
+servPath = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion" +
+ "\Uninstall\Serv-U_is1", item:"DisplayIcon");
+if(!servPath){
+ exit(0);
+}
+
+share = ereg_replace(pattern:"([A-Z]):.*",replace:"\1$",string:servPath);
+file = ereg_replace(pattern:"[A-Z]:(.*)",replace:"\1",string:servPath);
+
+soc = open_sock_tcp(port);
+if(!soc){
+ exit(0);
+}
+
+r = smb_session_request(soc:soc, remote:name);
+if(!r){
+ close(soc);
+ exit(0);
+}
+
+prot = smb_neg_prot(soc:soc);
+if(!prot){
+ close(soc);
+ exit(0);
+}
+
+r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain,
+ prot:prot);
+if(!r){
+ close(soc);
+ exit(0);
+}
+
+uid = session_extract_uid(reply:r);
+if(!uid){
+ close(soc);
+ exit(0);
+}
+
+r = smb_tconx(soc:soc, name:name, uid:uid, share:share);
+if(!r){
+ close(soc);
+ exit(0);
+}
+
+tid = tconx_extract_tid(reply:r);
+if(!tid){
+ close(soc);
+ exit(0);
+}
+
+fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
+if(!fid){
+ close(soc);
+ exit(0);
+}
+
+ftpVer = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid, verstr:"prod");
+close(soc);
+
+if(!ftpVer){
+ exit(0);
+}
+
+if(egrep(pattern:"^(7\.3(\.0(\.0)?)?)$", string:ftpVer)){
+ security_warning(ftpPort);
+}
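Review bot: `port` at `open_sock_tcp(port)`, `name` at `smb_session_request(soc:soc, remote:name)` and `login`, `pass`, `domain` at `smb_session_setup(...)` are never assigned anywhere in this script (only `ftpPort` is), so unless `secpod_smb_func.inc` happens to define them at file scope the SMB branch connects to an empty port with empty credentials and silently exits; the usual approach is to read them from the knowledge base before the socket is opened, as below (those `kb_smb_*` helpers live in `smb_nt.inc` in this plugin tree, so that include may be needed as well). The final check `^(7\.3(\.0(\.0)?)?)$` only matches 7.3, 7.3.0 and 7.3.0.0, whereas the description says "7.3.0.0 and prior" and the banner check covers only 7.0-7.2, so a 6.x install reached via the registry path is never flagged; if that narrowing is intentional it deserves a comment. The description string also reads "vaule" where "value" is meant.
```nasl
# … unchanged: registry lookup, share/file extraction …

# SMB connection parameters come from the KB; ftpPort is the FTP service port.
port = kb_smb_transport();
if(!port){
 port = 139;
}
name = kb_smb_name();
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();

soc = open_sock_tcp(port);
# … unchanged: SMB session setup, version read, final check …
```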