[Openvas-commits] r1293 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Sat Sep 6 20:50:28 CEST 2008


Author: ckm
Date: 2008-09-06 20:50:27 +0200 (Sat, 06 Sep 2008)
New Revision: 1293

Added:
   trunk/openvas-plugins/scripts/samba_CB-A08-0085.nasl
   trunk/openvas-plugins/scripts/smbcl_gnutls_CB-A08-0079.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/smbcl_func.inc
   trunk/openvas-plugins/scripts/win_CVE-2007-0043.nasl
Log:
        * scripts/samba_CB-A08-0085.nasl: New.
        * scripts/smbcl_gnutls_CB-A08-0079.nasl: New.
        * scripts/win_CVE-2007-0043.nasl family changed to Windows.
        * scripts/smbcl_func.inc changed get_host_name() to get_host_ip().



Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2008-09-06 09:16:56 UTC (rev 1292)
+++ trunk/openvas-plugins/ChangeLog	2008-09-06 18:50:27 UTC (rev 1293)
@@ -1,5 +1,12 @@
 2008-09-06  Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>.
 
+        * scripts/samba_CB-A08-0085.nasl: New.
+        * scripts/smbcl_gnutls_CB-A08-0079.nasl: New.
+        * scripts/win_CVE-2007-0043.nasl familiy changed to Windows.
+        * scripts/smbcl_func.inc changed get_host_name() to get_host_ip().
+
+2008-09-06  Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>.
+
 	* scripts/gnutls_CB-A08-0079.nasl: New.
 	* scripts/version_func.inc: changed function find_file
 	to find any file on local or remote Host using locate

Added: trunk/openvas-plugins/scripts/samba_CB-A08-0085.nasl
===================================================================
--- trunk/openvas-plugins/scripts/samba_CB-A08-0085.nasl	2008-09-06 09:16:56 UTC (rev 1292)
+++ trunk/openvas-plugins/scripts/samba_CB-A08-0085.nasl	2008-09-06 18:50:27 UTC (rev 1293)
@@ -0,0 +1,160 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+#
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90028);
+ script_version ("$Revision: 01 $");
+# script_cve_id("CVE-2008-1105");
+ name["english"] = "Samba 3.0.0 > 3.0.29 vulnerability";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probably affected by the vulnerabilities described in
+CVE-2008-1105
+
+Samba < 3.0.29 vulnerability
+
+Impact
+
+   CVE-2008-1105
+      Heap-based buffer overflow in the receive_smb_raw function
+      in util/sock.c in Samba 3.0.0 through 3.0.29 allows remote
+      attackers to execute arbitrary code via a crafted SMB response. 
+ 
+References:
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1105
+
+Solution:
+    All Samba users should upgrade to the latest version:
+
+
+Risk factor : High
+";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Determines Samba < 3.0.29 vulnerability";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Local test SuSE/FC/Gent./Ubuntu";
+ script_family(english:family["english"]);
+ script_dependencies("gather-package-list.nasl");
+ exit(0);
+}
+
+#
+# The code starts here
+#
+
+include("version_func.inc");
+include("revisions-lib.inc");
+include("pkg-lib-deb.inc");
+
+# Checking SuSE/Fedora
+   kbrls = get_kb_item("ssh/login/release");
+   rls = NULL;
+   ver = NULL;
+   rel = NULL;
+   pkg = NULL;
+   rls[0] = "SUSE10.1";
+   ver[0] = "3.0.28";
+   rel[0] = "0.4.3";
+   pkg[0] = "samba";
+   rls[1] = "SUSE10.2";
+   ver[1] = "3.0.23d";
+   rel[1] = "19.14";
+   pkg[1] = "samba";
+   rls[2] = "SUSE10.3";
+   ver[2] = "3.0.26a";
+   rel[2] = "3.7";
+   pkg[2] = "samba";
+   rls[3] = "FC7";
+   ver[3] = "3.0.28a";
+   rel[3] = "1.fc7";
+   pkg[3] = "samba";
+   rls[4] = "FC8";
+   ver[4] = "3.0.30";
+   rel[4] = "0.fc8";
+   pkg[4] = "samba";
+   rls[5] = "FC9";
+   ver[5] = "3.2.0";
+   rel[5] = "1.rc1.14.fc9";
+   pkg[5] = "samba";
+
+   foreach i (keys(rls)) {
+     if( kbrls == rls[i] ) {
+       rpms = get_kb_item("ssh/login/rpms");
+       if( rpms ) {
+         pat = ";"+pkg[i]+"~([0-9\.\-]+)";
+         version = get_string_version(text:rpms, ver_pattern:pat);
+         if(!isnull(version)) {
+	   if( version_is_less(version:version[1], test_version:ver[i]) ) {
+             security_hole(port:0, proto:"Cups");
+           } else {
+             if( version_is_equal(version:version[1], test_version:ver[i]) ) {
+               pat = version[0]+"~([0-9\.\-]+)";
+               release = get_string_version(text:rpms, ver_pattern:pat);
+               if(!isnull(release)) {
+                 if( version_is_less(version:release[1] ,test_version:rel[i]) ) {
+                   security_hole(port:0, proto:"Cups");
+                 }
+               }
+             }
+           }
+         }
+       }
+     }
+   }
+
+# Checking Gentoo
+   rls = NULL;
+   ver = NULL;
+   rel = NULL;
+   pkg = NULL;
+   rls[0] = "GENTOO";
+   pat = "net-fs/samba-([a-zA-Z0-9\.\-]+)";
+   ver[0] = "3.0.28a-r1";
+   if( kbrls == rls[0] ) {
+       pkg = get_kb_item("ssh/login/pkg");
+       if(pkg) {
+         version = get_string_version(text:pkg, ver_pattern:pat);
+         if(!isnull(version)) {
+	   if( revcomp(a:version[1], b: ver[0]) == -1 ) {
+             security_hole(port:0, proto:"Cups");
+           }
+         }
+       }
+   }
+
+# Checking Ubuntu
+   rls = NULL;
+   ver = NULL;
+   rel = NULL;
+   pkg = NULL;
+   rls[0] = "UBUNTU6.06 LTS";
+   ver[0] = "3.0.22-1ubuntu3.7";
+   pkg[0] = "samba";
+   rls[1] = "UBUNTU7.04";
+   ver[1] = "3.0.24-2ubuntu1.6";
+   pkg[1] = "samba";
+   rls[2] = "UBUNTU7.10";
+   ver[2] = "3.0.26a-1ubuntu2.4";
+   pkg[2] = "samba";
+   rls[3] = "UBUNTU8.04";
+   ver[3] = "3.0.28a-1ubuntu4.2";
+   pkg[3] = "samba";
+
+   foreach i (keys(rls)) {
+     if( kbrls == rls[i] ) {
+       if(isdpkgvuln(pkg:pkg[i], ver:ver[i], rls:rls[i])) {
+         security_hole(port:0, proto:"Cups");
+       }
+     }
+   }
+
+exit(0);
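Review bot: `security_hole(port:0, proto:"Cups")` is used at all four report sites in this new Samba check (the SUSE/Fedora branch twice, the Gentoo branch and the Ubuntu branch), which mislabels the finding as a CUPS issue and looks like a copy-paste from another script; it should read `security_hole(port:0, proto:"Samba");` so the result is attributed to the right service. In the description block `script_cve_id("CVE-2008-1105")` is commented out, so the plugin cannot be found by the very CVE its own text cites — uncomment it. The name and summary say `Samba < 3.0.29` while the impact text says 3.0.0 through 3.0.29 are affected, and the solution section is empty after the colon; if 3.0.30 is the fixed release, as the impact text implies, the title should say so and the solution should name it. The release check builds `pat = version[0]+"~([0-9\.\-]+)"` from the matched version string without escaping its dots, which happens to be harmless for digits and dots but deserves a comment saying so.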


Property changes on: trunk/openvas-plugins/scripts/samba_CB-A08-0085.nasl
___________________________________________________________________
Name: svn:executable
   + *

Modified: trunk/openvas-plugins/scripts/smbcl_func.inc
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_func.inc	2008-09-06 09:16:56 UTC (rev 1292)
+++ trunk/openvas-plugins/scripts/smbcl_func.inc	2008-09-06 18:50:27 UTC (rev 1293)
@@ -30,7 +30,7 @@
   arg[1] = "-d0";
   arg[2] = "-N";
   arg[3] = "-cq";
-  arg[4] = "//"+get_host_name()+"/IPC$";
+  arg[4] = "//"+get_host_ip()+"/IPC$";
   arg[5] = is_domain;
   r = toupper(pread(cmd:"smbclient", argv:arg ));
   if( ! ereg(pattern: "NT_STATUS", string: r) ) {
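Review bot: The switch from `get_host_name()` to `get_host_ip()` in the `//…/IPC$` argument is not explained beyond being named in the log, so a one-line comment above it would save the next reader a trip through the history, e.g. `# address the target by IP so smbclient reaches the scanned host even when its name does not resolve from the scanner` (that rationale is my guess — replace it with the real one). If the scanner is ever pointed at an IPv6 target, confirm that smbclient accepts a raw IPv6 address inside the `//addr/share` form, a concern the name form did not have. The enclosing function begins before this hunk.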
@@ -66,7 +66,7 @@
   arg[0] = "smbclient";
   arg[1] = "-d1";
   arg[2] = string("-U"+get_kb_item ("SMB/login_filled/0")+"%"+get_kb_item ("SMB/password_filled/0"));
-  arg[3] = "//"+get_host_name()+"/"+share;
+  arg[3] = "//"+get_host_ip()+"/"+share;
   arg[4] = "-cget \"+raw_string(0x22)+filename+"\"+raw_string(0x22)+" "+raw_string(0x22)+tmp_filename+raw_string(0x22);
   arg[5] = is_domain;
   r = pread(cmd:"smbclient", argv:arg );
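Review bot: The rebuilt argv now targets `//`+get_host_ip()+`/share`, but the line above it still passes the SMB credentials inline as `-Ulogin%password`, where any local user on the scanner host can read them from the process list for as long as smbclient runs. Since this hunk is already reshaping the argument vector, consider keeping only the login in `-U` and handing the password to smbclient through its `PASSWD` environment variable or an `-A` credentials file, if pread() in this NASL version allows setting the environment or a temporary file can be created with restrictive permissions; the directory-listing variant further down has the same pattern. The enclosing function begins before this hunk.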
@@ -93,7 +93,7 @@
   arg[0] = "smbclient";
   arg[1] = "-d1";
   arg[2] = string("-U"+get_kb_item ("SMB/login_filled/0")+"%"+get_kb_item ("SMB/password_filled/0"));
-  arg[3] = "//"+get_host_name()+"/"+share;
+  arg[3] = "//"+get_host_ip()+"/"+share;
   arg[4] = "-cdir \"+raw_string(0x22)+dir+"\"+raw_string(0x22);
   arg[5] = is_domain;
   if( (typ < 0) || (typ > 2) || isnull(typ) ) {

Added: trunk/openvas-plugins/scripts/smbcl_gnutls_CB-A08-0079.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smbcl_gnutls_CB-A08-0079.nasl	2008-09-06 09:16:56 UTC (rev 1292)
+++ trunk/openvas-plugins/scripts/smbcl_gnutls_CB-A08-0079.nasl	2008-09-06 18:50:27 UTC (rev 1293)
@@ -0,0 +1,122 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+#
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90027);
+ script_version ("$Revision: 01 $");
+ script_cve_id("CVE-2008-1948");
+ name["english"] = "GnuTLS < 2.2.5 vulnerability";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probably affected by the vulnerabilities described in
+CVE-2008-1948, CVE-2008-1949, CVE-2008-1950
+
+GnuTLS < 2.2.5 vulnerability
+
+Impact
+
+   CVE-2008-1948
+     The _gnutls_server_name_recv_params function in lib/ext_server_name.c
+     in libgnutls in gnutls-serv in GnuTLS before 2.2.4 does not properly
+     calculate the number of Server Names in a TLS 1.0 Client Hello
+     message during extension handling, which allows remote attackers
+     to cause a denial of service (crash) or possibly execute arbitrary
+     code via a zero value for the length of Server Names, which leads
+     to a buffer overflow in session resumption data in the
+     pack_security_parameters function, aka GNUTLS-SA-2008-1-1.
+
+   CVE-2008-1949
+     The _gnutls_recv_client_kx_message function in lib/gnutls_kx.c
+     in libgnutls in gnutls-serv in GnuTLS before 2.2.4 continues to
+     process Client Hello messages within a TLS message after one has
+     already been processed, which allows remote attackers to cause a
+     denial of service (NULL dereference and crash) via a TLS message
+     containing multiple Client Hello messages, aka GNUTLS-SA-2008-1-2.
+
+   CVE 2008-1950
+     Integer signedness error in the _gnutls_ciphertext2compressed
+     function in lib/gnutls_cipher.c in libgnutls in GnuTLS before 2.2.4
+     allows remote attackers to cause a denial of service (buffer over-read
+     and crash) via a certain integer value in the Random field in an
+     encrypted Client Hello message within a TLS record with an invalid
+     Record Length, which leads to an invalid cipher padding length,
+     aka GNUTLS-SA-2008-1-3.
+
+References:
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1948
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1949
+    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1950
+
+Solution:
+    All GnuTLS users should upgrade to the latest version:
+
+Risk factor : High
+";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Determines GnuTLS < 2.2.5 vulnerability";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Windows";
+ script_family(english:family["english"]);
+ script_dependencies("gather-package-list.nasl");
+ exit(0);
+}
+
+#
+# The code starts here
+#
+
+include("smbcl_func.inc");
+include("version_func.inc");
+local_var ver, test_version, sec_hole, sec_proto, r, path, share, prog;
+
+sec_hole = 0;
+sec_proto = "GnuTLS";
+ver = NULL;
+r = NULL;
+test_version = "2.2.5";
+  if( !get_kb_item("SMB/smbclient") ) {
+     smbclientavail();
+  }
+  if(get_kb_item("SMB/smbclient") ) {
+    if( smbversion() == 0){
+      report = string("Error getting SMB-Data -> "+get_kb_item("SMB/ERROR"));
+      security_note(port:0, proto:"SMBClient", data:report);
+      exit(0);
+    }
+  } else {
+    report = string("SMBClient not found on openvasd host !");
+    security_note(port:0, proto:"SMBClient", data:report);
+    exit(0);
+  }
+  path = "Programme\";
+  share ="C$";
+  prog = "GnuTLS*";
+  r = smbgetdir(share: share, dir: path+prog, typ: 2 );
+  if( isnull(r) ) {
+    path = "Program Files\";
+    r = smbgetdir(share: share, dir: path+prog, typ: 2 );
+  }
+  if( !isnull(r) ) {
+    foreach i (keys(r)) {
+      ver = eregmatch(pattern:"[0-9].*", string:r[i]);
+      if(!isnull(ver) ) {
+        if(version_is_less(version:ver[0], test_version:test_version) ) {
+          if(sec_hole == 0) {
+            security_hole(port:0, proto:sec_proto);
+            sec_hole = 1;
+          }
+          security_hole(port:0, proto:sec_proto, data:string("\nFound : ")+share + " " + path + r[i] + string("\n"));
+        }
+      }
+    }
+  }
+exit(0);
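Review bot: `script_cve_id("CVE-2008-1948")` registers only one of the three CVEs the description lists, so lookups by CVE-2008-1949 or CVE-2008-1950 will not find this plugin; make it `script_cve_id("CVE-2008-1948", "CVE-2008-1949", "CVE-2008-1950");`. The threshold `test_version = "2.2.5"` and the `< 2.2.5` title do not match the impact text, which says each issue affects GnuTLS before 2.2.4 — if 2.2.4 is indeed the fixed release, a 2.2.4 install is reported as vulnerable here, so confirm which release the check should pin. `eregmatch(pattern:"[0-9].*", string:r[i])` captures everything from the first digit of the directory name to its end, so any suffix after the version (should such directory names occur) is fed into version_is_less(); a tighter pattern such as `"[0-9]+(\.[0-9]+)*"` plus a comment stating what directory names are expected would be safer. The description also reads `CVE 2008-1950` with the hyphen missing, and `report` is assigned without appearing in the `local_var` list.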

Modified: trunk/openvas-plugins/scripts/win_CVE-2007-0043.nasl
===================================================================
--- trunk/openvas-plugins/scripts/win_CVE-2007-0043.nasl	2008-09-06 09:16:56 UTC (rev 1292)
+++ trunk/openvas-plugins/scripts/win_CVE-2007-0043.nasl	2008-09-06 18:50:27 UTC (rev 1293)
@@ -42,7 +42,7 @@
  script_summary(english:summary["english"]);
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is under GPLv2");
- family["english"] = "Windows.NET";
+ family["english"] = "Windows";
  script_family(english:family["english"]);
  exit(0);
 }


