[Openvas-commits] r1406 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Tue Sep 23 14:15:52 CEST 2008
Author: chandra
Date: 2008-09-23 14:15:51 +0200 (Tue, 23 Sep 2008)
New Revision: 1406
Added:
trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_lin_800001.nasl
trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_win_800000.nasl
trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_lin_800003.nasl
trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_win_800002.nasl
Modified:
trunk/openvas-plugins/ChangeLog
Log:
Added new plugins for VMWare vulnerabilities including the detect scripts
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2008-09-23 11:08:12 UTC (rev 1405)
+++ trunk/openvas-plugins/ChangeLog 2008-09-23 12:15:51 UTC (rev 1406)
@@ -1,3 +1,11 @@
+2008-09-23 Chandrashekhar B <bchandra at secpod.com>
+ * scripts/gb_vmware_prdts_detect_win_800000.nasl,
+ scripts/gb_vmware_prdts_mult_vuln_win_800002.nasl,
+ scripts/gb_vmware_prdts_detect_lin_800001.nasl,
+ scripts/gb_vmware_prdts_mult_vuln_lin_800003.nasl:
+ Added new plugins for VMWare related vulnerabilities
+ including the VMWare detect scripts
+
2008-09-23 Vlatko Kosturjak <kost at linux.hr>
* scripts/ike-scan.nasl: implemented basic locking mechanism
Added: trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_lin_800001.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_lin_800001.nasl 2008-09-23 11:08:12 UTC (rev 1405)
+++ trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_lin_800001.nasl 2008-09-23 12:15:51 UTC (rev 1406)
@@ -0,0 +1,126 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_vmware_prdts_detect_lin_800001.nasl 0276 2008-09-23 11:00:14Z sep $
+#
+# VMware products version detection (Linux)
+#
+# Authors:
+# Chandan S <schandan at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(800001);
+ #script_oid(FIXME);
+ script_version("$Revision: 1.1 $");
+ script_name(english:"VMware products version detection (Linux)");
+ desc["english"] ="
+ Overview : This script retrieves all VMware Products version and saves those
+ in KB.
+
+ Risk factor : Informational";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Get/Set the versions of VMware Products");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+ script_family(english:"General");
+ script_dependencies("gather-package-list.nasl");
+ script_require_keys("ssh/login/uname");
+ exit(0);
+}
+
+
+ include("ssh_func.inc");
+
+ if("Linux" >!< get_kb_item("ssh/login/uname")){
+ exit(0);
+ }
+
+ sock = ssh_login_or_reuse_connection();
+ if(!sock){
+ exit(0);
+ }
+
+ version = ssh_cmd(socket:sock, cmd:"vmware -v", timeout:120);
+
+ if("VMware GSX Server" >< version)
+ {
+ gsxVer = ereg_replace(string:version, replace:"\1",
+ pattern:".*VMware GSX Server ([0-9].*) build.*");
+ gsxBuild = ereg_replace(string:version, replace:"\1",
+ pattern:".*VMware GSX Server [0-9].* build-([0-9].*)$");
+
+ set_kb_item(name:"VMware/GSX-Server/Linux/Ver", value:gsxVer);
+ set_kb_item(name:"VMware/GSX-Server/Linux/Build", value:gsxBuild);
+ set_kb_item(name:"VMware/Linux/Installed", value:TRUE);
+
+ ssh_close_connection();
+ exit(0);
+ }
+
+ if("VMware Workstation" >< version)
+ {
+ wrkstnVer = ereg_replace(string:version, replace:"\1",
+ pattern:".*VMware Workstation ([0-9].*) build.*");
+ wrkstnBuild = ereg_replace(string:version, replace:"\1",
+ pattern:".*VMware Workstation [0-9].* build-([0-9].*)$");
+
+ set_kb_item(name:"VMware/Workstation/Linux/Ver",
+ value:wrkstnVer);
+ set_kb_item(name:"VMware/Workstation/Linux/Build",
+ value:wrkstnBuild);
+ set_kb_item(name:"VMware/Linux/Installed", value:TRUE);
+
+ ssh_close_connection();
+ exit(0);
+ }
+
+ if("VMware Server" >< version)
+ {
+ svrVer = ereg_replace(string:version, replace:"\1",
+ pattern:".*VMware Server ([0-9].*) build.*");
+ svrBuild = ereg_replace(string:version, replace:"\1",
+ pattern:".*VMware Server [0-9].* build-([0-9].*)$");
+
+ set_kb_item(name:"VMware/Server/Linux/Ver", value:svrVer);
+ set_kb_item(name:"VMware/Server/Linux/Build", value:svrBuild);
+ set_kb_item(name:"VMware/Linux/Installed", value:TRUE);
+
+ ssh_close_connection();
+ exit(0);
+ }
+
+ version = ssh_cmd(socket:sock, cmd:"vmplayer -v", timeout:120);
+
+ if("VMware Player" >< version)
+ {
+ playerVer = ereg_replace(pattern:".*VMware Player ([0-9].*) build.*",
+ string:version, replace:"\1");
+ playerBuild = ereg_replace(string:version, replace:"\1",
+ pattern:".*VMware Player [0-9].* build-([0-9].*)$");
+
+ set_kb_item(name:"VMware/Player/Linux/Ver", value:playerVer);
+ set_kb_item(name:"VMware/Player/Linux/Build", value:playerBuild);
+ set_kb_item(name:"VMware/Linux/Installed", value:TRUE);
+
+ ssh_close_connection();
+ exit(0);
+ }
+ ssh_close_connection();
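Review bot: None of the four `ereg_replace` extractions (GSX Server, Workstation, Server and Player blocks) checks that its pattern matched, and `[0-9].*` accepts any characters after the first digit, so text printed by the remote `vmware -v` / `vmplayer -v` command can reach the KB largely unfiltered. As far as I know, NASL's `ereg_replace` returns the input string unchanged when nothing matches. That output comes from the scanned host and should be treated as untrusted, so I would match once with `eregmatch` using a digits-and-dots class and write the KB items only on success, as sketched below for the GSX block. Separately, the `exit(0)` in each `vmware -v` block means `vmplayer -v` is never queried once one of those products matched.

```nasl
  if("VMware GSX Server" >< version)
  {
    gsx = eregmatch(string:version,
            pattern:"VMware GSX Server ([0-9]+(\.[0-9]+)*) build-([0-9]+)");
    if(!isnull(gsx))
    {
      set_kb_item(name:"VMware/GSX-Server/Linux/Ver", value:gsx[1]);
      set_kb_item(name:"VMware/GSX-Server/Linux/Build", value:gsx[3]);
      set_kb_item(name:"VMware/Linux/Installed", value:TRUE);
    }
    # … unchanged: ssh_close_connection(); exit(0); …
  }
  # … same change for the Workstation, Server and Player blocks …
```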
Property changes on: trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_lin_800001.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_win_800000.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_win_800000.nasl 2008-09-23 11:08:12 UTC (rev 1405)
+++ trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_win_800000.nasl 2008-09-23 12:15:51 UTC (rev 1406)
@@ -0,0 +1,119 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_vmware_prdts_detect_win_800000.nasl 0274 2008-09-23 10:31:47Z sep $
+#
+# VMware products version detection (Windows)
+#
+# Authors:
+# Chandan S <schandan at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(800000);
+ #script_oid(FIXME);
+ script_version("$Revision: 1.0$");
+ script_name(english:"VMWare products version detection (Windows)");
+ desc["english"] ="
+ Overview : This script retrieves all VMWare Products version from registry and
+ saves those in KB.
+
+ Risk factor : Informational";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Get/Set the versions of VMware Products");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+ script_family(english:"General");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+ include("secpod_smb_func.inc");
+
+ if(!get_kb_item("SMB/WindowsVersion")){ #Ensure it is Windows
+ exit(0);
+ }
+
+ vmVer = 0;
+ # Check for latest version of VMware ACE product
+ vmKey = "SOFTWARE\VMware, Inc.\VMware ACE\Dormant";
+ if(registry_key_exists(key:vmKey))
+ {
+ uninstall = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+ keys = registry_enum_keys(key:uninstall);
+
+ if(keys == NULL){
+ exit(0);
+ }
+
+ foreach key (keys)
+ {
+ vmace = registry_get_sz(key:uninstall + key, item:"DisplayName");
+ if("VMware ACE Manager" >< vmace)
+ {
+ vmVer = registry_get_sz(key:uninstall + key,
+ item:"DisplayVersion");
+ break;
+ }
+ }
+ }
+
+ if(!vmVer)
+ {
+ # Check for all 5 VMware Products
+ vmwarePrdts = make_list("SOFTWARE\VMware, Inc.\VMware GSX Server",
+ "SOFTWARE\VMware, Inc.\VMware Workstation",
+ "SOFTWARE\VMware, Inc.\VMware Player",
+ "SOFTWARE\VMWare, Inc.\VMWare Server",
+ "SOFTWARE\VMware, Inc.\VMware ACE");
+ foreach vmKey (vmwarePrdts)
+ {
+ vmwareCode = registry_get_sz(key:vmKey, item:"ProductCode");
+ if(vmwareCode)
+ {
+ vmVer = registry_get_sz(item:"DisplayVersion",
+ key:"SOFTWARE\Microsoft\Windows\CurrentVersion" +
+ "\Uninstall\" + vmwareCode);
+ break;
+ }
+ }
+ }
+
+ if(vmVer != NULL)
+ {
+ vmware = split(vmVer, sep:".", keep:0);
+ vmwareVer = vmware[0] + "." + vmware[1] + "." + vmware[2];
+ vmwareBuild = vmware[3];
+
+ # Check for strange vmware workstation versions
+ if(vmwareBuild == "19175" && vmwareVer == "5.5.0"){
+ vmwareVer = "5.5.1";
+ }
+
+ product = ereg_replace(pattern:"SOFTWARE\\VMWare, Inc.\\VMWare (.*)",
+ string:vmKey, replace:"\1", icase:TRUE);
+
+ # Set KB's for GSX Server, Workstation, Player, Server or ACE
+ set_kb_item(name:"VMware/Win/Installed", value:TRUE);
+ set_kb_item(name:"VMware/" + product + "/Win/Ver", value:vmwareVer);
+ set_kb_item(name:"VMware/" + product + "/Win/Build", value:vmwareBuild);
+ }
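Review bot: Only one product is ever recorded: the `break` after the first `ProductCode` hit in the `foreach vmKey (vmwarePrdts)` loop, together with the single `vmVer`/`vmKey` pair, means a host with several VMware products gets KB entries only for whichever comes first in the list, so dependent checks never see the others. The `split` result is also indexed up to `vmware[3]` without checking that `DisplayVersion`, a value read from the scanned host's registry, has four components. I would record each product inside the loop and skip versions that do not split into four parts, as sketched below; the ACE Manager branch above would need the same per-product write. The final guard `if(vmVer != NULL)` also depends on how NASL compares the initial `0` with NULL; `if(vmVer)` would mirror the earlier `if(!vmVer)`.

```nasl
  foreach vmKey (vmwarePrdts)
  {
    vmwareCode = registry_get_sz(key:vmKey, item:"ProductCode");
    if(!vmwareCode){
      continue;
    }
    vmVer = registry_get_sz(item:"DisplayVersion",
              key:"SOFTWARE\Microsoft\Windows\CurrentVersion" +
                  "\Uninstall\" + vmwareCode);
    if(!vmVer){
      continue;
    }
    vmware = split(vmVer, sep:".", keep:0);
    if(max_index(vmware) < 4){
      continue;
    }
    # … unchanged: vmwareVer/vmwareBuild assembly, 5.5.0 fix-up, product name, set_kb_item calls …
  }
```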
Property changes on: trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_win_800000.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_lin_800003.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_lin_800003.nasl 2008-09-23 11:08:12 UTC (rev 1405)
+++ trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_lin_800003.nasl 2008-09-23 12:15:51 UTC (rev 1406)
@@ -0,0 +1,117 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_vmware_prdts_mult_vuln_lin_800003.nasl 0274 2008-09-23 11:43:20Z sep $
+#
+# HGFS VmWare Code Execution Vulnerability (Linux)
+#
+# Authors:
+# Chandan S <schandan at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(800003);
+ #script_oid(FIXME);
+ script_version("$Revision: 1.1 $");
+ script_cve_id("CVE-2008-2098");
+ script_bugtraq_id(29443);
+ script_xref(name:"CB-A", value:"08-0087:");
+ script_name(english:"VMCI/HGFS VmWare Code Execution Vulnerability (Linux)");
+ desc["english"] = "
+ Overview : The host is installed with VMWare product(s) that are vulnerable to
+ arbitrary code execution vulnerability.
+
+ Vulnerability Insight :
+
+ VMware Host Guest File System (HGFS) shared folders feature allows
+ users to transfer data between a guest operating system and the
+ host operating system. A heap buffer overflow exists in
+ VMware HGFS which allows guest system to execute code in the context of
+ vmx process on the host. The issue exists only when VMWare system has
+ shared folder enabled.
+
+ Successful exploitation requires that the vix.inGuest.enable
+ configuration value is enabled
+
+ Impact : Successful exploitation allow attackers to execute arbitrary
+ code on the affected system and local users could bypass certain
+ security restrictions or can gain escalated privileges.
+
+ Impact Level : System
+
+ Affected Software/OS :
+ VMware Player 2.0.x - 2.0.3 on Linux
+ VMware Workstation 6.0.x - 6.0.3 on Linux
+
+ Fix : Upgrade VMware to,
+ VMware Workstation 6.0.4 or later
+ www.vmware.com/download/ws/
+
+ VMware Player 2.0.4 or later
+ www.vmware.com/download/player/
+
+ References :
+ http://secunia.com/advisories/30476/
+ http://www.vmware.com/security/advisories/VMSA-2008-0008.html
+
+ CVSS Score :
+ CVSS Base Score : 6.0 (AV:N/AC:M/Au:SI/C:P/I:P/A:P)
+ CVSS Temporal Score : 4.4
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the version of VMware Products");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+ script_family(english:"Misc.");
+ script_dependencies("gather-package-list.nasl",
+ "gb_vmware_prdts_detect_lin_800001.nasl");
+ script_require_keys("ssh/login/uname");
+ exit(0);
+}
+
+
+ if("Linux" >!< get_kb_item("ssh/login/uname")){
+ exit(0);
+ }
+
+ if(!get_kb_item("VMware/Linux/Installed")){
+ exit(0);
+ }
+
+ # VMWare Player
+ playerVer = get_kb_item("VMware/Player/Linux/Ver");
+ if(playerVer)
+ {
+ if(ereg(pattern:"^2\.0(\.[0-3])?($|[^.0-9])",
+ string:playerVer)){
+ security_warning(0);
+ }
+ exit(0);
+ }
+
+ # VMWare Workstation
+ wrkstnVer = get_kb_item("VMware/Workstation/Linux/Ver");
+ if(wrkstnVer)
+ {
+ if(ereg(pattern:"^6\.0(\.[0-3])?($|[^.0-9])", string:wrkstnVer)){
+ security_warning(0);
+ }
+ exit(0);
+ }
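Review bot: The `script_name` says "VMCI/HGFS", but this Linux check covers only the HGFS issue: the file header title, the description text and `script_cve_id("CVE-2008-2098")` mention HGFS alone, and the Windows counterpart in this commit describes VMCI as affecting Windows-based hosts only. I would rename it to `script_name(english:"HGFS VMware Code Execution Vulnerability (Linux)");` so a report is not read as a VMCI finding. The check is also version-only, while the description says the flaw exists only with shared folders enabled. A description line such as `Note : detection is based on the installed version only` would tell the reader that precondition was not verified.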
Property changes on: trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_lin_800003.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_win_800002.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_win_800002.nasl 2008-09-23 11:08:12 UTC (rev 1405)
+++ trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_win_800002.nasl 2008-09-23 12:15:51 UTC (rev 1406)
@@ -0,0 +1,135 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_vmware_prdts_mult_vuln_win_800002.nasl 0274 2008-09-23 10:33:04Z sep $
+#
+# VMCI/HGFS VmWare Code Execution Vulnerability (Win)
+#
+# Authors:
+# Chandan S <schandan at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(800002);
+ #script_oid(FIXME);
+ script_version("$Revision: 1.1 $");
+ script_cve_id("CVE-2008-2098", "CVE-2008-2099");
+ script_bugtraq_id(29443);
+ script_xref(name:"CB-A", value:"08-0087:");
+ script_name(english:"VMCI/HGFS VmWare Code Execution Vulnerability (Win)");
+ desc["english"] = "
+
+ Overview : The host is installed with VMWare product(s) that are vulnerable to
+ arbitrary code execution.
+
+ Vulnerability Insight :
+
+ VMCI is an optional feature that allows communication with one another.
+ This vulnerability allows the guest systems to execute arbitrary code
+ on the host in the context of vmx process. The issue affects Windows
+ based VMWare hosts only.
+
+ VMware Host Guest File System (HGFS) shared folders feature allows
+ users to transfer data between a guest operating system and the
+ host operating system. A heap buffer overflow exists in
+ VMware HGFS which allows guest system to execute code in the context of
+ vmx process on the host. The issue exists only when VMWare system has
+ shared folder enabled.
+
+ Successful exploitation requires that the vix.inGuest.enable
+ configuration value is enabled
+
+ Impact : Successful exploitation allow attackers to execute arbitrary
+ code on the affected system and users could bypass certain security
+ restrictions or can gain escalated privileges.
+
+ Impact Level : System
+
+ Affected Software/OS :
+ VMware ACE/Player 2.0.x - 2.0.3 on all Windows
+ VMware Workstation 6.0.x - 6.0.3 on all Windows
+
+ Fix : Upgrade VMware to below versions,
+ VMware Workstation 6.0.4 or later.
+ www.vmware.com/download/ws/
+
+ VMware Player/ACE 2.0.4 or later.
+ www.vmware.com/download/player/
+ www.vmware.com/download/ace/
+
+ References :
+ http://secunia.com/advisories/30476/
+ http://www.vmware.com/security/advisories/VMSA-2008-0008.html
+
+ CVSS Score :
+ CVSS Base Score : 6.0 (AV:N/AC:M/Au:SI/C:P/I:P/A:P)
+ CVSS Temporal Score : 4.4
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the version of VMware Products");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+ script_family(english:"Misc.");
+ script_dependencies("secpod_reg_enum.nasl", "gb_vmware_prdts_detect_win_800000.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+ if(!get_kb_item("SMB/WindowsVersion")){ # Confirm it is Windows
+ exit(0);
+ }
+
+ if(!get_kb_item("VMware/Win/Installed")){ # Is VMWare installed?
+ exit(0);
+ }
+
+ # VMware Player
+ vmplayerVer = get_kb_item("VMware/Player/Win/Ver");
+ if(vmplayerVer)
+ {
+ if(ereg(pattern:"^(2\.0\.[0-3])($|\..*)", string:vmplayerVer)){
+ security_warning(0);
+ }
+ exit(0);
+ }
+
+ # VMware Workstation
+ vmworkstnVer = get_kb_item("VMware/Workstation/Win/Ver");
+ if(vmworkstnVer)
+ {
+ if(ereg(pattern:"^6\.0(\.[0-3])?$", string:vmworkstnVer)){
+ security_warning(0);
+ }
+ exit(0);
+ }
+
+ # VMware ACE
+ vmaceVer = get_kb_item("VMware/ACE/Win/Ver");
+ if(!vmaceVer){
+ vmaceVer = get_kb_item("VMware/ACE\Dormant/Win/Ver");
+ }
+
+ if(vmaceVer)
+ {
+ if(ereg(pattern:"^2\.0(\.[0-3])?$", string:vmaceVer)){
+ security_warning(0);
+ }
+ }
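Review bot: The ACE fallback `get_kb_item("VMware/ACE\Dormant/Win/Ver")` works only because the detect script's product regex captures everything after "VMware " in the registry key, including `\Dormant`. Nothing in this file says so, and a cleanup of the detect script would silently disable the ACE check. I would add a comment above it, e.g. `# KB name mirrors the "VMware ACE\Dormant" registry key used by gb_vmware_prdts_detect_win_800000.nasl`. The three version patterns also differ in shape (`^(2\.0\.[0-3])($|\..*)` for Player versus `^6\.0(\.[0-3])?$` and `^2\.0(\.[0-3])?$`); one form for all three would make the affected range easier to audit.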
Property changes on: trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_win_800002.nasl
___________________________________________________________________
Name: svn:executable
+ *