[Openvas-commits] r1406 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Tue Sep 23 14:15:52 CEST 2008


Author: chandra
Date: 2008-09-23 14:15:51 +0200 (Tue, 23 Sep 2008)
New Revision: 1406

Added:
   trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_lin_800001.nasl
   trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_win_800000.nasl
   trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_lin_800003.nasl
   trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_win_800002.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
Log:
Added new plugins for VMWare vulnerabilities including the detect scripts

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2008-09-23 11:08:12 UTC (rev 1405)
+++ trunk/openvas-plugins/ChangeLog	2008-09-23 12:15:51 UTC (rev 1406)
@@ -1,3 +1,11 @@
+2008-09-23 Chandrashekhar B <bchandra at secpod.com>
+	* scripts/gb_vmware_prdts_detect_win_800000.nasl,
+	  scripts/gb_vmware_prdts_mult_vuln_win_800002.nasl,
+	  scripts/gb_vmware_prdts_detect_lin_800001.nasl,
+	  scripts/gb_vmware_prdts_mult_vuln_lin_800003.nasl:
+	  Added new plugins for VMWare related vulnerabilities 
+	  including the VMWare detect scripts
+
 2008-09-23  Vlatko Kosturjak <kost at linux.hr>
 
 	* scripts/ike-scan.nasl: implemented basic locking mechanism

Added: trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_lin_800001.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_lin_800001.nasl	2008-09-23 11:08:12 UTC (rev 1405)
+++ trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_lin_800001.nasl	2008-09-23 12:15:51 UTC (rev 1406)
@@ -0,0 +1,126 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_vmware_prdts_detect_lin_800001.nasl 0276 2008-09-23 11:00:14Z sep $
+#
+# VMware products version detection (Linux)
+#
+# Authors:
+# Chandan S <schandan at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(800001);
+ #script_oid(FIXME);
+ script_version("$Revision: 1.1 $");
+ script_name(english:"VMware products version detection (Linux)");
+ desc["english"] ="
+ Overview : This script retrieves all VMware Products version and saves those
+ in KB.
+
+ Risk factor : Informational";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Get/Set the versions of VMware Products");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+ script_family(english:"General");
+ script_dependencies("gather-package-list.nasl");
+ script_require_keys("ssh/login/uname");
+ exit(0);
+}
+
+
+ include("ssh_func.inc");
+
+ if("Linux" >!< get_kb_item("ssh/login/uname")){
+        exit(0);
+ }
+
+ sock = ssh_login_or_reuse_connection();
+ if(!sock){
+        exit(0);
+ }
+
+ version = ssh_cmd(socket:sock, cmd:"vmware -v", timeout:120);
+
+ if("VMware GSX Server" >< version)
+ {
+        gsxVer = ereg_replace(string:version, replace:"\1",
+                      pattern:".*VMware GSX Server ([0-9].*) build.*");
+        gsxBuild = ereg_replace(string:version, replace:"\1",
+                        pattern:".*VMware GSX Server [0-9].* build-([0-9].*)$");
+
+        set_kb_item(name:"VMware/GSX-Server/Linux/Ver", value:gsxVer);
+        set_kb_item(name:"VMware/GSX-Server/Linux/Build", value:gsxBuild);
+        set_kb_item(name:"VMware/Linux/Installed", value:TRUE);
+
+        ssh_close_connection();
+ 	exit(0);
+ }
+
+ if("VMware Workstation" >< version)
+ {
+        wrkstnVer = ereg_replace(string:version, replace:"\1",
+                         pattern:".*VMware Workstation ([0-9].*) build.*");
+        wrkstnBuild = ereg_replace(string:version, replace:"\1",
+                         pattern:".*VMware Workstation [0-9].* build-([0-9].*)$");
+
+        set_kb_item(name:"VMware/Workstation/Linux/Ver",
+                    value:wrkstnVer);
+        set_kb_item(name:"VMware/Workstation/Linux/Build",
+                    value:wrkstnBuild);
+        set_kb_item(name:"VMware/Linux/Installed", value:TRUE);
+
+        ssh_close_connection();
+        exit(0);
+ }
+
+ if("VMware Server" >< version)
+ {
+        svrVer = ereg_replace(string:version, replace:"\1",
+                      pattern:".*VMware Server ([0-9].*) build.*");
+        svrBuild = ereg_replace(string:version, replace:"\1",
+                        pattern:".*VMware Server [0-9].* build-([0-9].*)$");
+
+        set_kb_item(name:"VMware/Server/Linux/Ver", value:svrVer);
+        set_kb_item(name:"VMware/Server/Linux/Build", value:svrBuild);
+        set_kb_item(name:"VMware/Linux/Installed", value:TRUE);
+
+        ssh_close_connection();
+        exit(0);
+ }
+
+ version = ssh_cmd(socket:sock, cmd:"vmplayer -v", timeout:120);
+
+ if("VMware Player" >< version)
+ {
+        playerVer = ereg_replace(pattern:".*VMware Player ([0-9].*) build.*",
+                                 string:version, replace:"\1");
+        playerBuild = ereg_replace(string:version, replace:"\1",
+                           pattern:".*VMware Player [0-9].* build-([0-9].*)$");
+
+        set_kb_item(name:"VMware/Player/Linux/Ver", value:playerVer);
+        set_kb_item(name:"VMware/Player/Linux/Build", value:playerBuild);
+        set_kb_item(name:"VMware/Linux/Installed", value:TRUE);
+
+        ssh_close_connection();
+        exit(0);
+ }
+ ssh_close_connection();
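Review bot: The version and build values written to the KB are never validated: each `ereg_replace(...)` pair (for example `wrkstnVer`/`wrkstnBuild`) appears to return its input unchanged when the pattern does not match, so a banner that names the product but lacks the expected `build-` suffix would be stored whole under `VMware/Workstation/Linux/Ver`. The dependent check anchors its pattern at `^6\.0`, so such a value would silently produce a missed detection rather than an error. Extracting with a single match and writing only on success avoids that, e.g. `m = eregmatch(pattern:"VMware Workstation ([0-9.]+) build-([0-9]+)", string:version);` followed by `if(!isnull(m))` around the `set_kb_item` calls using `m[1]` and `m[2]`. The same applies to the GSX Server, Server and Player branches. The output of `vmware -v` comes from the scanned host, so it is worth treating as untrusted and keeping the character class tighter than `[0-9].*`.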


Property changes on: trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_lin_800001.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_win_800000.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_win_800000.nasl	2008-09-23 11:08:12 UTC (rev 1405)
+++ trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_win_800000.nasl	2008-09-23 12:15:51 UTC (rev 1406)
@@ -0,0 +1,119 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_vmware_prdts_detect_win_800000.nasl 0274 2008-09-23 10:31:47Z sep $
+#
+# VMware products version detection (Windows)
+#
+# Authors:
+# Chandan S <schandan at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(800000);
+ #script_oid(FIXME);
+ script_version("$Revision: 1.0$");
+ script_name(english:"VMWare products version detection (Windows)");
+ desc["english"] ="
+ Overview : This script retrieves all VMWare Products version from registry and
+ saves those in KB.
+
+ Risk factor : Informational";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Get/Set the versions of VMware Products");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+ script_family(english:"General");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+ include("secpod_smb_func.inc");
+
+ if(!get_kb_item("SMB/WindowsVersion")){  #Ensure it is Windows
+ 	exit(0);
+ }
+
+ vmVer = 0;
+ # Check for latest version of VMware ACE product
+ vmKey = "SOFTWARE\VMware, Inc.\VMware ACE\Dormant";
+ if(registry_key_exists(key:vmKey))
+ {
+        uninstall = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+        keys = registry_enum_keys(key:uninstall);
+
+        if(keys == NULL){
+                exit(0);
+        }
+
+        foreach key (keys)
+        {
+                vmace = registry_get_sz(key:uninstall + key, item:"DisplayName");
+                if("VMware ACE Manager" >< vmace)
+                {
+                        vmVer = registry_get_sz(key:uninstall + key,
+                                                item:"DisplayVersion");
+                        break;
+                }
+        }
+ }
+ 
+ if(!vmVer)
+ {
+        # Check for all 5 VMware Products
+ 	vmwarePrdts = make_list("SOFTWARE\VMware, Inc.\VMware GSX Server",
+        	                "SOFTWARE\VMware, Inc.\VMware Workstation",
+                	        "SOFTWARE\VMware, Inc.\VMware Player",
+                       	        "SOFTWARE\VMWare, Inc.\VMWare Server",
+                                "SOFTWARE\VMware, Inc.\VMware ACE");
+ 	foreach vmKey (vmwarePrdts)
+ 	{
+		vmwareCode = registry_get_sz(key:vmKey, item:"ProductCode");
+        	if(vmwareCode)
+        	{
+                	vmVer = registry_get_sz(item:"DisplayVersion",
+                        	key:"SOFTWARE\Microsoft\Windows\CurrentVersion" +
+				    "\Uninstall\" + vmwareCode);
+			break;
+		}
+	}
+ }
+
+ if(vmVer != NULL)
+ {
+ 	vmware = split(vmVer, sep:".", keep:0);
+        vmwareVer = vmware[0] + "." + vmware[1] + "." + vmware[2];
+        vmwareBuild = vmware[3];
+
+ 	# Check for strange vmware workstation versions
+	if(vmwareBuild == "19175" && vmwareVer == "5.5.0"){
+		vmwareVer = "5.5.1";
+	}
+
+        product = ereg_replace(pattern:"SOFTWARE\\VMWare, Inc.\\VMWare (.*)",
+                               string:vmKey, replace:"\1", icase:TRUE);
+                        
+        # Set KB's for GSX Server, Workstation, Player, Server or ACE
+        set_kb_item(name:"VMware/Win/Installed", value:TRUE);
+        set_kb_item(name:"VMware/" + product + "/Win/Ver", value:vmwareVer);
+        set_kb_item(name:"VMware/" + product + "/Win/Build", value:vmwareBuild);
+ }
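Review bot: The final block indexes `vmware[1]` to `vmware[3]` without checking that `DisplayVersion` really had four dot-separated components, so a shorter or empty registry value would put a malformed version and an empty build into the KB. The guard `if(vmVer != NULL)` is also at odds with the initialisation `vmVer = 0` and the earlier `if(!vmVer)` test. It seems to rely on NASL's implicit NULL conversion and would read more clearly as `if(vmVer && ereg(pattern:"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$", string:vmVer))`. Separately, when the version comes from the ACE branch, `vmKey` still ends in `ACE\Dormant`, so the KB name becomes `VMware/ACE\Dormant/Win/Ver`. A comment saying this is intentional, or normalising the product to `ACE`, would help whoever maintains the consumers of that key.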


Property changes on: trunk/openvas-plugins/scripts/gb_vmware_prdts_detect_win_800000.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_lin_800003.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_lin_800003.nasl	2008-09-23 11:08:12 UTC (rev 1405)
+++ trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_lin_800003.nasl	2008-09-23 12:15:51 UTC (rev 1406)
@@ -0,0 +1,117 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_vmware_prdts_mult_vuln_lin_800003.nasl 0274 2008-09-23 11:43:20Z sep $
+#
+# HGFS VmWare Code Execution Vulnerability (Linux)
+#
+# Authors:
+# Chandan S <schandan at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(800003);
+ #script_oid(FIXME);
+ script_version("$Revision: 1.1 $");
+ script_cve_id("CVE-2008-2098");
+ script_bugtraq_id(29443);
+ script_xref(name:"CB-A", value:"08-0087:");
+ script_name(english:"VMCI/HGFS VmWare Code Execution Vulnerability (Linux)");
+ desc["english"] = "
+ Overview : The host is installed with VMWare product(s) that are vulnerable to
+ arbitrary code execution vulnerability.
+
+ Vulnerability Insight :
+
+        VMware Host Guest File System (HGFS) shared folders feature allows
+        users to transfer data between a guest operating system and the
+        host operating system. A heap buffer overflow exists in
+        VMware HGFS which allows guest system to execute code in the context of
+        vmx process on the host. The issue exists only when VMWare system has
+        shared folder enabled. 
+
+        Successful exploitation requires that the vix.inGuest.enable
+        configuration value is enabled
+       
+        Impact : Successful exploitation allow attackers to execute arbitrary
+        code on the affected system and local users could bypass certain
+        security restrictions or can gain escalated privileges.
+
+ Impact Level : System
+
+ Affected Software/OS :
+        VMware Player 2.0.x - 2.0.3 on Linux
+        VMware Workstation 6.0.x - 6.0.3 on Linux
+
+ Fix : Upgrade VMware to,
+ VMware Workstation 6.0.4 or later
+ www.vmware.com/download/ws/
+
+ VMware Player 2.0.4 or later
+ www.vmware.com/download/player/
+
+ References :
+ http://secunia.com/advisories/30476/
+ http://www.vmware.com/security/advisories/VMSA-2008-0008.html
+
+ CVSS Score :
+        CVSS Base Score     : 6.0 (AV:N/AC:M/Au:SI/C:P/I:P/A:P)
+        CVSS Temporal Score : 4.4
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the version of VMware Products");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+ script_family(english:"Misc.");
+ script_dependencies("gather-package-list.nasl",
+		     "gb_vmware_prdts_detect_lin_800001.nasl");
+ script_require_keys("ssh/login/uname");
+ exit(0);
+}
+
+
+ if("Linux" >!< get_kb_item("ssh/login/uname")){
+        exit(0);
+ }
+
+ if(!get_kb_item("VMware/Linux/Installed")){
+        exit(0);
+ }
+
+ # VMWare Player
+ playerVer = get_kb_item("VMware/Player/Linux/Ver");
+ if(playerVer)
+ {
+        if(ereg(pattern:"^2\.0(\.[0-3])?($|[^.0-9])",
+                string:playerVer)){
+                security_warning(0);
+	}
+        exit(0);
+ }
+
+ # VMWare Workstation
+ wrkstnVer = get_kb_item("VMware/Workstation/Linux/Ver");
+ if(wrkstnVer)
+ {
+        if(ereg(pattern:"^6\.0(\.[0-3])?($|[^.0-9])", string:wrkstnVer)){
+                security_warning(0);
+	}
+        exit(0);
+ }
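Review bot: Both version tests call `security_warning(0)` on the version string alone, while the description itself says the issue exists only when shared folders are enabled and that exploitation requires `vix.inGuest.enable`. Neither setting is inspected, so the finding is an inference from the installed version. I would say so in the script, e.g. a comment `# Version-based check only: shared-folder and vix.inGuest.enable settings are not inspected` above the Player test, and ideally a matching sentence in the description text. The header comment calls this the HGFS issue and only CVE-2008-2098 is referenced, but `script_name` says "VMCI/HGFS"; the two should agree. The same version-only limitation applies to the Windows check in gb_vmware_prdts_mult_vuln_win_800002.nasl.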


Property changes on: trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_lin_800003.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_win_800002.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_win_800002.nasl	2008-09-23 11:08:12 UTC (rev 1405)
+++ trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_win_800002.nasl	2008-09-23 12:15:51 UTC (rev 1406)
@@ -0,0 +1,135 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_vmware_prdts_mult_vuln_win_800002.nasl 0274 2008-09-23 10:33:04Z sep $
+#
+# VMCI/HGFS VmWare Code Execution Vulnerability (Win)
+#
+# Authors:
+# Chandan S <schandan at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2008 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(800002);
+ #script_oid(FIXME);
+ script_version("$Revision: 1.1 $");
+ script_cve_id("CVE-2008-2098", "CVE-2008-2099");
+ script_bugtraq_id(29443);
+ script_xref(name:"CB-A", value:"08-0087:");
+ script_name(english:"VMCI/HGFS VmWare Code Execution Vulnerability (Win)");
+ desc["english"] = "
+
+ Overview : The host is installed with VMWare product(s) that are vulnerable to
+ arbitrary code execution.
+
+ Vulnerability Insight :
+
+	VMCI is an optional feature that allows communication with one another.
+        This vulnerability allows the guest systems to execute arbitrary code
+        on the host in the context of vmx process. The issue affects Windows
+        based VMWare hosts only.
+
+        VMware Host Guest File System (HGFS) shared folders feature allows
+        users to transfer data between a guest operating system and the
+        host operating system. A heap buffer overflow exists in
+        VMware HGFS which allows guest system to execute code in the context of
+        vmx process on the host. The issue exists only when VMWare system has
+        shared folder enabled.
+
+        Successful exploitation requires that the vix.inGuest.enable
+        configuration value is enabled
+       
+        Impact : Successful exploitation allow attackers to execute arbitrary
+        code on the affected system and users could bypass certain security 
+        restrictions or can gain escalated privileges.
+
+ Impact Level : System
+
+ Affected Software/OS :
+        VMware ACE/Player 2.0.x - 2.0.3 on all Windows
+        VMware Workstation 6.0.x - 6.0.3 on all Windows
+
+ Fix : Upgrade VMware to below versions,
+ VMware Workstation 6.0.4 or later.
+ www.vmware.com/download/ws/
+
+ VMware Player/ACE 2.0.4 or later.
+ www.vmware.com/download/player/
+ www.vmware.com/download/ace/
+
+ References :
+ http://secunia.com/advisories/30476/
+ http://www.vmware.com/security/advisories/VMSA-2008-0008.html
+
+ CVSS Score :
+        CVSS Base Score     : 6.0 (AV:N/AC:M/Au:SI/C:P/I:P/A:P)
+        CVSS Temporal Score : 4.4
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the version of VMware Products");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2008 Intevation GmbH");
+ script_family(english:"Misc.");
+ script_dependencies("secpod_reg_enum.nasl", "gb_vmware_prdts_detect_win_800000.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+ if(!get_kb_item("SMB/WindowsVersion")){ # Confirm it is Windows
+ 	exit(0);
+ }
+
+ if(!get_kb_item("VMware/Win/Installed")){ # Is VMWare installed?
+ 	exit(0);
+ }
+
+ # VMware Player
+ vmplayerVer = get_kb_item("VMware/Player/Win/Ver");
+ if(vmplayerVer)
+ {
+        if(ereg(pattern:"^(2\.0\.[0-3])($|\..*)", string:vmplayerVer)){
+                security_warning(0);
+        }
+ 	exit(0);
+ }
+
+ # VMware Workstation
+ vmworkstnVer = get_kb_item("VMware/Workstation/Win/Ver");
+ if(vmworkstnVer)
+ {
+        if(ereg(pattern:"^6\.0(\.[0-3])?$", string:vmworkstnVer)){
+                security_warning(0);
+        }
+ 	exit(0);
+ }
+
+ # VMware ACE
+ vmaceVer = get_kb_item("VMware/ACE/Win/Ver");
+ if(!vmaceVer){
+	vmaceVer = get_kb_item("VMware/ACE\Dormant/Win/Ver");
+ }
+
+ if(vmaceVer)
+ {
+ 	if(ereg(pattern:"^2\.0(\.[0-3])?$", string:vmaceVer)){
+        	security_warning(0);
+        }
+ }
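Review bot: The three version patterns in this file express the same kind of range in different ways: Player uses `^(2\.0\.[0-3])($|\..*)`, while Workstation and ACE use `^6\.0(\.[0-3])?$` and `^2\.0(\.[0-3])?$`, so Player requires a third component and tolerates a trailing one while the other two do the opposite. Whether that matters depends on the exact string the detect script stores, which is not stated in this file; one form for all three, with a comment naming the expected KB format (`major.minor.patch`), would make the intent checkable. The fallback lookup of `VMware/ACE\Dormant/Win/Ver` depends on the detect script leaving a registry path fragment in the product name and deserves a comment to that effect. In the description, the sentence `VMCI is an optional feature that allows communication with one another.` is missing its subject (presumably virtual machines) and should be completed.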


Property changes on: trunk/openvas-plugins/scripts/gb_vmware_prdts_mult_vuln_win_800002.nasl
___________________________________________________________________
Name: svn:executable
   + *


