[Openvas-commits] r1293 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Sat Sep 6 20:50:28 CEST 2008
Author: ckm
Date: 2008-09-06 20:50:27 +0200 (Sat, 06 Sep 2008)
New Revision: 1293
Added:
trunk/openvas-plugins/scripts/samba_CB-A08-0085.nasl
trunk/openvas-plugins/scripts/smbcl_gnutls_CB-A08-0079.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/smbcl_func.inc
trunk/openvas-plugins/scripts/win_CVE-2007-0043.nasl
Log:
* scripts/samba_CB-A08-0085.nasl: New.
* scripts/smbcl_gnutls_CB-A08-0079.nasl: New.
* scripts/win_CVE-2007-0043.nasl family changed to Windows.
* scripts/smbcl_func.inc changed get_host_name() to get_host_ip().
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2008-09-06 09:16:56 UTC (rev 1292)
+++ trunk/openvas-plugins/ChangeLog 2008-09-06 18:50:27 UTC (rev 1293)
@@ -1,5 +1,12 @@
2008-09-06 Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>.
+ * scripts/samba_CB-A08-0085.nasl: New.
+ * scripts/smbcl_gnutls_CB-A08-0079.nasl: New.
+ * scripts/win_CVE-2007-0043.nasl familiy changed to Windows.
+ * scripts/smbcl_func.inc changed get_host_name() to get_host_ip().
+
+2008-09-06 Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>.
+
* scripts/gnutls_CB-A08-0079.nasl: New.
* scripts/version_func.inc: changed function find_file
to find any file on local or remote Host using locate
Added: trunk/openvas-plugins/scripts/samba_CB-A08-0085.nasl
===================================================================
--- trunk/openvas-plugins/scripts/samba_CB-A08-0085.nasl 2008-09-06 09:16:56 UTC (rev 1292)
+++ trunk/openvas-plugins/scripts/samba_CB-A08-0085.nasl 2008-09-06 18:50:27 UTC (rev 1293)
@@ -0,0 +1,160 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+#
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90028);
+ script_version ("$Revision: 01 $");
+# script_cve_id("CVE-2008-1105");
+ name["english"] = "Samba 3.0.0 > 3.0.29 vulnerability";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probably affected by the vulnerabilities described in
+CVE-2008-1105
+
+Samba < 3.0.29 vulnerability
+
+Impact
+
+ CVE-2008-1105
+ Heap-based buffer overflow in the receive_smb_raw function
+ in util/sock.c in Samba 3.0.0 through 3.0.29 allows remote
+ attackers to execute arbitrary code via a crafted SMB response.
+
+References:
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1105
+
+Solution:
+ All Samba users should upgrade to the latest version:
+
+
+Risk factor : High
+";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Determines Samba < 3.0.29 vulnerability";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Local test SuSE/FC/Gent./Ubuntu";
+ script_family(english:family["english"]);
+ script_dependencies("gather-package-list.nasl");
+ exit(0);
+}
+
+#
+# The code starts here
+#
+
+include("version_func.inc");
+include("revisions-lib.inc");
+include("pkg-lib-deb.inc");
+
+# Checking SuSE/Fedora
+ kbrls = get_kb_item("ssh/login/release");
+ rls = NULL;
+ ver = NULL;
+ rel = NULL;
+ pkg = NULL;
+ rls[0] = "SUSE10.1";
+ ver[0] = "3.0.28";
+ rel[0] = "0.4.3";
+ pkg[0] = "samba";
+ rls[1] = "SUSE10.2";
+ ver[1] = "3.0.23d";
+ rel[1] = "19.14";
+ pkg[1] = "samba";
+ rls[2] = "SUSE10.3";
+ ver[2] = "3.0.26a";
+ rel[2] = "3.7";
+ pkg[2] = "samba";
+ rls[3] = "FC7";
+ ver[3] = "3.0.28a";
+ rel[3] = "1.fc7";
+ pkg[3] = "samba";
+ rls[4] = "FC8";
+ ver[4] = "3.0.30";
+ rel[4] = "0.fc8";
+ pkg[4] = "samba";
+ rls[5] = "FC9";
+ ver[5] = "3.2.0";
+ rel[5] = "1.rc1.14.fc9";
+ pkg[5] = "samba";
+
+ foreach i (keys(rls)) {
+ if( kbrls == rls[i] ) {
+ rpms = get_kb_item("ssh/login/rpms");
+ if( rpms ) {
+ pat = ";"+pkg[i]+"~([0-9\.\-]+)";
+ version = get_string_version(text:rpms, ver_pattern:pat);
+ if(!isnull(version)) {
+ if( version_is_less(version:version[1], test_version:ver[i]) ) {
+ security_hole(port:0, proto:"Cups");
+ } else {
+ if( version_is_equal(version:version[1], test_version:ver[i]) ) {
+ pat = version[0]+"~([0-9\.\-]+)";
+ release = get_string_version(text:rpms, ver_pattern:pat);
+ if(!isnull(release)) {
+ if( version_is_less(version:release[1] ,test_version:rel[i]) ) {
+ security_hole(port:0, proto:"Cups");
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+
+# Checking Gentoo
+ rls = NULL;
+ ver = NULL;
+ rel = NULL;
+ pkg = NULL;
+ rls[0] = "GENTOO";
+ pat = "net-fs/samba-([a-zA-Z0-9\.\-]+)";
+ ver[0] = "3.0.28a-r1";
+ if( kbrls == rls[0] ) {
+ pkg = get_kb_item("ssh/login/pkg");
+ if(pkg) {
+ version = get_string_version(text:pkg, ver_pattern:pat);
+ if(!isnull(version)) {
+ if( revcomp(a:version[1], b: ver[0]) == -1 ) {
+ security_hole(port:0, proto:"Cups");
+ }
+ }
+ }
+ }
+
+# Checking Ubuntu
+ rls = NULL;
+ ver = NULL;
+ rel = NULL;
+ pkg = NULL;
+ rls[0] = "UBUNTU6.06 LTS";
+ ver[0] = "3.0.22-1ubuntu3.7";
+ pkg[0] = "samba";
+ rls[1] = "UBUNTU7.04";
+ ver[1] = "3.0.24-2ubuntu1.6";
+ pkg[1] = "samba";
+ rls[2] = "UBUNTU7.10";
+ ver[2] = "3.0.26a-1ubuntu2.4";
+ pkg[2] = "samba";
+ rls[3] = "UBUNTU8.04";
+ ver[3] = "3.0.28a-1ubuntu4.2";
+ pkg[3] = "samba";
+
+ foreach i (keys(rls)) {
+ if( kbrls == rls[i] ) {
+ if(isdpkgvuln(pkg:pkg[i], ver:ver[i], rls:rls[i])) {
+ security_hole(port:0, proto:"Cups");
+ }
+ }
+ }
+
+exit(0);
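Review bot: The RPM version pattern `pat = ";"+pkg[i]+"~([0-9\.\-]+)";` stops at the first letter, so for the SUSE 10.2, SUSE 10.3 and FC7 entries whose reference versions are `3.0.23d`, `3.0.26a` and `3.0.28a` only `3.0.23`/`3.0.26`/`3.0.28` is captured, and the following version_is_less() against the full alphanumeric value presumably reports an already patched host as vulnerable; widening the class to `"~([0-9a-zA-Z\.\-]+)"`, as the Gentoo pattern on this page already does, avoids the truncation, assuming version_is_less() in version_func.inc copes with letter suffixes. Every finding is raised as `security_hole(port:0, proto:"Cups")`, which looks copied from a CUPS check and mislabels Samba results in the report; `proto:"SMB"` would be the honest label. The `# script_cve_id("CVE-2008-1105");` line is commented out, so the CVE the description cites is not machine-readable for anyone filtering results by CVE.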
Property changes on: trunk/openvas-plugins/scripts/samba_CB-A08-0085.nasl
___________________________________________________________________
Name: svn:executable
+ *
Modified: trunk/openvas-plugins/scripts/smbcl_func.inc
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_func.inc 2008-09-06 09:16:56 UTC (rev 1292)
+++ trunk/openvas-plugins/scripts/smbcl_func.inc 2008-09-06 18:50:27 UTC (rev 1293)
@@ -30,7 +30,7 @@
arg[1] = "-d0";
arg[2] = "-N";
arg[3] = "-cq";
- arg[4] = "//"+get_host_name()+"/IPC$";
+ arg[4] = "//"+get_host_ip()+"/IPC$";
arg[5] = is_domain;
r = toupper(pread(cmd:"smbclient", argv:arg ));
if( ! ereg(pattern: "NT_STATUS", string: r) ) {
@@ -66,7 +66,7 @@
arg[0] = "smbclient";
arg[1] = "-d1";
arg[2] = string("-U"+get_kb_item ("SMB/login_filled/0")+"%"+get_kb_item ("SMB/password_filled/0"));
- arg[3] = "//"+get_host_name()+"/"+share;
+ arg[3] = "//"+get_host_ip()+"/"+share;
arg[4] = "-cget \"+raw_string(0x22)+filename+"\"+raw_string(0x22)+" "+raw_string(0x22)+tmp_filename+raw_string(0x22);
arg[5] = is_domain;
r = pread(cmd:"smbclient", argv:arg );
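Review bot: The SMB password is still passed on the smbclient command line at `arg[2] = string("-U"+get_kb_item ("SMB/login_filled/0")+"%"+get_kb_item ("SMB/password_filled/0"));`, so while pread() runs it is presumably visible to any local user on the scanner host who can list processes; changing the target from get_host_name() to get_host_ip() does not alter that exposure. smbclient accepts the credentials from an auth file via `-A` (or from the `PASSWD` environment variable), which keeps them out of argv; if pread() offers no way to set the environment, a mode-0600 temporary auth file removed after the call is the practical option. The enclosing function starts before this hunk and continues after it.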
@@ -93,7 +93,7 @@
arg[0] = "smbclient";
arg[1] = "-d1";
arg[2] = string("-U"+get_kb_item ("SMB/login_filled/0")+"%"+get_kb_item ("SMB/password_filled/0"));
- arg[3] = "//"+get_host_name()+"/"+share;
+ arg[3] = "//"+get_host_ip()+"/"+share;
arg[4] = "-cdir \"+raw_string(0x22)+dir+"\"+raw_string(0x22);
arg[5] = is_domain;
if( (typ < 0) || (typ > 2) || isnull(typ) ) {
Added: trunk/openvas-plugins/scripts/smbcl_gnutls_CB-A08-0079.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_gnutls_CB-A08-0079.nasl 2008-09-06 09:16:56 UTC (rev 1292)
+++ trunk/openvas-plugins/scripts/smbcl_gnutls_CB-A08-0079.nasl 2008-09-06 18:50:27 UTC (rev 1293)
@@ -0,0 +1,122 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+#
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90027);
+ script_version ("$Revision: 01 $");
+ script_cve_id("CVE-2008-1948");
+ name["english"] = "GnuTLS < 2.2.5 vulnerability";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probably affected by the vulnerabilities described in
+CVE-2008-1948, CVE-2008-1949, CVE-2008-1950
+
+GnuTLS < 2.2.5 vulnerability
+
+Impact
+
+ CVE-2008-1948
+ The _gnutls_server_name_recv_params function in lib/ext_server_name.c
+ in libgnutls in gnutls-serv in GnuTLS before 2.2.4 does not properly
+ calculate the number of Server Names in a TLS 1.0 Client Hello
+ message during extension handling, which allows remote attackers
+ to cause a denial of service (crash) or possibly execute arbitrary
+ code via a zero value for the length of Server Names, which leads
+ to a buffer overflow in session resumption data in the
+ pack_security_parameters function, aka GNUTLS-SA-2008-1-1.
+
+ CVE-2008-1949
+ The _gnutls_recv_client_kx_message function in lib/gnutls_kx.c
+ in libgnutls in gnutls-serv in GnuTLS before 2.2.4 continues to
+ process Client Hello messages within a TLS message after one has
+ already been processed, which allows remote attackers to cause a
+ denial of service (NULL dereference and crash) via a TLS message
+ containing multiple Client Hello messages, aka GNUTLS-SA-2008-1-2.
+
+ CVE 2008-1950
+ Integer signedness error in the _gnutls_ciphertext2compressed
+ function in lib/gnutls_cipher.c in libgnutls in GnuTLS before 2.2.4
+ allows remote attackers to cause a denial of service (buffer over-read
+ and crash) via a certain integer value in the Random field in an
+ encrypted Client Hello message within a TLS record with an invalid
+ Record Length, which leads to an invalid cipher padding length,
+ aka GNUTLS-SA-2008-1-3.
+
+References:
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1948
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1949
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1950
+
+Solution:
+ All GnuTLS users should upgrade to the latest version:
+
+Risk factor : High
+";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Determines GnuTLS < 2.2.5 vulnerability";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Windows";
+ script_family(english:family["english"]);
+ script_dependencies("gather-package-list.nasl");
+ exit(0);
+}
+
+#
+# The code starts here
+#
+
+include("smbcl_func.inc");
+include("version_func.inc");
+local_var ver, test_version, sec_hole, sec_proto, r, path, share, prog;
+
+sec_hole = 0;
+sec_proto = "GnuTLS";
+ver = NULL;
+r = NULL;
+test_version = "2.2.5";
+ if( !get_kb_item("SMB/smbclient") ) {
+ smbclientavail();
+ }
+ if(get_kb_item("SMB/smbclient") ) {
+ if( smbversion() == 0){
+ report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
+ security_note(port:0, proto:"SMBClient", data:report);
+ exit(0);
+ }
+ } else {
+ report = string("SMBClient not found on openvasd host !");
+ security_note(port:0, proto:"SMBClient", data:report);
+ exit(0);
+ }
+ path = "Programme\";
+ share ="C$";
+ prog = "GnuTLS*";
+ r = smbgetdir(share: share, dir: path+prog, typ: 2 );
+ if( isnull(r) ) {
+ path = "Program Files\";
+ r = smbgetdir(share: share, dir: path+prog, typ: 2 );
+ }
+ if( !isnull(r) ) {
+ foreach i (keys(r)) {
+ ver = eregmatch(pattern:"[0-9].*", string:r[i]);
+ if(!isnull(ver) ) {
+ if(version_is_less(version:ver[0], test_version:test_version) ) {
+ if(sec_hole == 0) {
+ security_hole(port:0, proto:sec_proto);
+ sec_hole = 1;
+ }
+ security_hole(port:0, proto:sec_proto, data:string("\nFound : ")+share + " " + path + r[i] + string("\n"));
+ }
+ }
+ }
+ }
+exit(0);
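Review bot: Only the first advisory is registered at `script_cve_id("CVE-2008-1948");` although the description covers CVE-2008-1949 and CVE-2008-1950 too, so results filtered by CVE miss two of the three; it should read `script_cve_id("CVE-2008-1948", "CVE-2008-1949", "CVE-2008-1950");`, and the description's `CVE 2008-1950` is missing its hyphen. The version is taken from the name of a `GnuTLS*` directory under `Programme\` or `Program Files\` on `C$` (`eregmatch(pattern:"[0-9].*", string:r[i])`), not from the installed library itself, so a GnuTLS installed elsewhere or a libgnutls DLL bundled with another application is not detected and a directory name without a version number yields no finding; the description should state that the check is directory-name based. The declared `script_dependencies("gather-package-list.nasl")` looks like it belongs to the Linux package-list checks, whereas this script depends on the `SMB/login_filled/0` and `SMB/password_filled/0` KB entries — presumably the dependency should name the plugin that populates those.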
Modified: trunk/openvas-plugins/scripts/win_CVE-2007-0043.nasl
===================================================================
--- trunk/openvas-plugins/scripts/win_CVE-2007-0043.nasl 2008-09-06 09:16:56 UTC (rev 1292)
+++ trunk/openvas-plugins/scripts/win_CVE-2007-0043.nasl 2008-09-06 18:50:27 UTC (rev 1293)
@@ -42,7 +42,7 @@
script_summary(english:summary["english"]);
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is under GPLv2");
- family["english"] = "Windows.NET";
+ family["english"] = "Windows";
script_family(english:family["english"]);
exit(0);
}