[Openvas-commits] r1424 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Thu Sep 25 09:10:41 CEST 2008


Author: chandra
Date: 2008-09-25 09:10:39 +0200 (Thu, 25 Sep 2008)
New Revision: 1424

Added:
   trunk/openvas-plugins/scripts/secpod_apple_itunes_detection_win_900123.nasl
   trunk/openvas-plugins/scripts/secpod_apple_itunes_prv_esc_vuln_900122.nasl
   trunk/openvas-plugins/scripts/secpod_apple_quicktime_detection_win_900124.nasl
   trunk/openvas-plugins/scripts/secpod_apple_quicktime_mult_vuln_900121.nasl
   trunk/openvas-plugins/scripts/secpod_ibm_db2_8_udb_mult_vuln_lin_900216.nasl
   trunk/openvas-plugins/scripts/secpod_ibm_db2_8_udb_mult_vuln_win_900215.nasl
   trunk/openvas-plugins/scripts/secpod_ibm_db2_detect_linux_900217.nasl
   trunk/openvas-plugins/scripts/secpod_ibm_db2_detect_win_900218.nasl
   trunk/openvas-plugins/scripts/secpod_ibmhttpserver_mod_proxy_dos_900222.nasl
   trunk/openvas-plugins/scripts/secpod_mysql_dos_vuln_900221.nasl
   trunk/openvas-plugins/scripts/secpod_personal_ftp_server_dos_vuln_900127.nasl
   trunk/openvas-plugins/scripts/secpod_simple_machines_forum_sec_bypass_vuln_900118.nasl
   trunk/openvas-plugins/scripts/secpod_trendmicro_officescan_bof_vuln_sept08_900220.nasl
   trunk/openvas-plugins/scripts/secpod_wordpress_mult_vuln_900219.nasl
   trunk/openvas-plugins/scripts/secpod_zonealarm_net_sec_suite_bof_vuln_900126.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
Log:
New scripts added

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2008-09-25 06:19:00 UTC (rev 1423)
+++ trunk/openvas-plugins/ChangeLog	2008-09-25 07:10:39 UTC (rev 1424)
@@ -1,4 +1,22 @@
 2008-08-25 Chandrashekhar B <bchandra at secpod.com>
+	* scripts/secpod_apple_quicktime_mult_vuln_900121.nasl,
+	  scripts/secpod_apple_quicktime_detection_win_900124.nasl,
+ 	  scripts/secpod_simple_machines_forum_sec_bypass_vuln_900118.nasl,
+	  scripts/secpod_ibm_db2_detect_linux_900217.nasl,
+	  scripts/secpod_ibm_db2_8_udb_mult_vuln_win_900215.nasl,
+	  scripts/secpod_personal_ftp_server_dos_vuln_900127.nasl,
+	  scripts/secpod_ibm_db2_detect_win_900218.nasl,
+	  scripts/secpod_ibmhttpserver_mod_proxy_dos_900222.nasl,
+	  scripts/secpod_apple_itunes_prv_esc_vuln_900122.nasl,
+	  scripts/secpod_wordpress_mult_vuln_900219.nasl,
+	  scripts/secpod_mysql_dos_vuln_900221.nasl,
+	  scripts/secpod_trendmicro_officescan_bof_vuln_sept08_900220.nasl,
+	  scripts/secpod_ibm_db2_8_udb_mult_vuln_lin_900216.nasl,
+	  scripts/secpod_zonealarm_net_sec_suite_bof_vuln_900126.nasl,
+	  scripts/secpod_apple_itunes_detection_win_900123.nasl:
+	  Added new scripts
+
+2008-08-25 Chandrashekhar B <bchandra at secpod.com>
 	* scripts/smb_logins.nasl:
 	  Updated the KB items names to reflect that
 	  of smb_authorization.nasl

Added: trunk/openvas-plugins/scripts/secpod_apple_itunes_detection_win_900123.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_apple_itunes_detection_win_900123.nasl	2008-09-25 06:19:00 UTC (rev 1423)
+++ trunk/openvas-plugins/scripts/secpod_apple_itunes_detection_win_900123.nasl	2008-09-25 07:10:39 UTC (rev 1424)
@@ -0,0 +1,141 @@
+##############################################################################
+#
+#  Apple iTunes Version Detection for Windows
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/09/12
+#
+#  Revision: 1.1 
+#
+#  Log: ssharath
+#  Issue #0191
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+if(description)
+{
+ script_id(900123);
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"General");
+ script_name(english:"Apple iTunes Version Detection for Windows");
+ script_summary(english:"Set File Version of Apple iTunes in KB");
+ desc["english"] = "
+ Overview : This script finds the Apple iTunes installed version of windows 
+ from the registry and saves the version in KB.
+ 
+ Risk factor : Informational";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+ include("smb_nt.inc");
+ include("secpod_smb_func.inc");
+
+ if(!get_kb_item("SMB/WindowsVersion")){
+ 	exit(0);
+ }
+
+ name = kb_smb_name();
+ domain = kb_smb_domain();
+ login = kb_smb_login();
+ pass = kb_smb_password();
+ port = kb_smb_transport();
+ 
+ soc = open_sock_tcp(port);
+ if(!soc){
+        exit(0);
+ }
+ 
+ r = smb_session_request(soc:soc, remote:name);
+ if(!r){
+        close(soc);
+        exit(0);
+ }
+ 
+ prot = smb_neg_prot(soc:soc);
+ if(!prot){
+        close(soc);
+        exit(0);
+ }
+
+ r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain,
+                           prot:prot);
+ if(!r){
+        close(soc);
+        exit(0);
+ }
+
+ uid = session_extract_uid(reply:r);
+ r = smb_tconx(soc:soc, name:name, uid:uid, share:"IPC$");
+ 
+ tid = tconx_extract_tid(reply:r);
+ if(!tid){
+        close(soc);
+        exit(0);
+ }
+ 
+ r = smbntcreatex(soc:soc, uid:uid, tid:tid, name:"\winreg");
+ if(!r){
+        close(soc);
+        exit(0);
+ }
+ 
+ pipe = smbntcreatex_extract_pipe(reply:r);
+ if(!pipe){
+        close(soc);
+        exit(0);
+ }
+
+ r = pipe_accessible_registry(soc:soc, uid:uid, tid:tid, pipe:pipe);
+ if(!r){
+        close(soc);
+        exit(0);
+ }
+
+ handle = registry_open_hklm(soc:soc, uid:uid, tid:tid, pipe:pipe);
+ if(!handle){
+        close(soc);
+        exit(0);
+ }
+
+ key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+ key_h = registry_get_key(soc:soc, uid:uid, tid:tid, pipe:pipe, key:key,
+                              reply:handle);
+ if(!key_h){
+        close(soc);
+        exit(0);
+ }
+
+ entries = registry_enum_key(soc:soc, uid:uid, tid:tid, pipe:pipe, reply:key_h);
+ close(soc);
+
+ foreach entry (entries)
+ {
+        iTunesName = registry_get_sz(key:key + entry, item:"DisplayName");
+
+        if("iTunes" >< iTunesName)
+        {
+                iTunesVer = registry_get_sz(key:key + entry,
+                                                item:"DisplayVersion");
+                if(iTunesVer){
+                        set_kb_item(name:"iTunes/Win/Ver", value:iTunesVer);
+                }
+                exit(0);
+        }
+ }
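Review bot: The `exit(0)` at the end of the `if("iTunes" >< iTunesName)` branch fires on the first Uninstall entry whose DisplayName contains "iTunes" even when that entry has no DisplayVersion, so a later entry that does carry the version is never reached and `iTunes/Win/Ver` stays unset. Moving the exit inside the version test, `if(iTunesVer){ set_kb_item(name:"iTunes/Win/Ver", value:iTunesVer); exit(0); }`, keeps scanning until a version is actually recorded. Unlike secpod_ibm_db2_detect_win_900218.nasl in this same commit, the socket is opened without the `if(!port){ port = 139; }` default and the `get_port_state(port)` check, so `open_sock_tcp` is attempted on a port that may be zero or closed; secpod_apple_quicktime_detection_win_900124.nasl has the same gap. Because the DisplayName test is a substring match, a comment such as `# substring match: any Uninstall entry mentioning iTunes is taken as the player` would make the intent explicit.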

Added: trunk/openvas-plugins/scripts/secpod_apple_itunes_prv_esc_vuln_900122.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_apple_itunes_prv_esc_vuln_900122.nasl	2008-09-25 06:19:00 UTC (rev 1423)
+++ trunk/openvas-plugins/scripts/secpod_apple_itunes_prv_esc_vuln_900122.nasl	2008-09-25 07:10:39 UTC (rev 1424)
@@ -0,0 +1,80 @@
+##############################################################################
+#
+#  Apple iTunes Local Privilege Escalation Vulnerability 
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/09/12
+#
+#  Revision: 1.1
+#
+#  Log : ssharath
+#  Issue #0191
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900122);
+ script_bugtraq_id(31089);
+ script_cve_id("CVE-2008-3636");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Denial of Service");
+ script_name(english:"Apple iTunes Local Privilege Escalation Vulnerability");
+ script_summary(english:"Check for vulnerable version of Apple iTunes");
+ desc["english"] = "
+ Overview : The host is installed with Apple iTunes, which prone to privilege
+ escalation vulnerability.
+
+ Vulnerability Insight :
+
+        The flaw is caused due to integer overflow error in a third-party
+        driver bundled with iTune.
+
+        Impact : Successful exploitation will allow local users to obtain elevated
+        privileges thus compromising the affected system. 
+
+ Impact Level : System
+
+ Affected Software/OS :
+        Apple iTunes versions prior to 8.0 on Windows
+ 
+ Fix : Upgrade to version 8.0,
+ http://www.apple.com/itunes/download/
+
+ References : http://securitytracker.com/alerts/2008/Sep/1020839.html
+ http://lists.apple.com/archives/security-announce//2008/Sep/msg00001.html
+
+ CVSS Score :
+        CVSS Base Score     : 6.6 (AV:L/AC:M/Au:SI/C:C/I:C/A:C)
+        CVSS Temporal Score : 4.9
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl",
+                     "secpod_apple_itunes_detection_win_900123.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+ if(!get_kb_item("SMB/WindowsVersion")){
+        exit(0);
+ }
+
+ if(egrep(pattern:"^([0-6]\..*|7\.[0-9](\..*)?)$", 
+          string:get_kb_item("iTunes/Win/Ver"))){
+        security_warning(0);
+ }
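Review bot: `script_require_keys` in the description block lists only `SMB/WindowsVersion`, so the check is scheduled on every Windows host and `get_kb_item("iTunes/Win/Ver")` at the bottom is handed a NULL string whenever iTunes is absent; the DB2 check in this commit (secpod_ibm_db2_8_udb_mult_vuln_win_900215.nasl) requires its version key as well. Changing it to `script_require_keys("SMB/WindowsVersion", "iTunes/Win/Ver");` skips the script cleanly when the detector found nothing; secpod_apple_quicktime_mult_vuln_900121.nasl has the same omission for `QuickTime/Win/Ver`. The family is set to "Denial of Service" although the name, summary and CVSS vector describe a local privilege escalation; the "Misc." family used by 900121 would at least not mislabel it.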

Added: trunk/openvas-plugins/scripts/secpod_apple_quicktime_detection_win_900124.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_apple_quicktime_detection_win_900124.nasl	2008-09-25 06:19:00 UTC (rev 1423)
+++ trunk/openvas-plugins/scripts/secpod_apple_quicktime_detection_win_900124.nasl	2008-09-25 07:10:39 UTC (rev 1424)
@@ -0,0 +1,116 @@
+##############################################################################
+#
+#  Apple QuickTime Version Detection for Windows
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/09/12
+#
+#  Revision: 1.1 
+#
+#  Log : ssharath
+#  Issue #0185
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900124);
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"General");
+ script_name(english:"Apple QuickTime Version Detection for Windows");
+ script_summary(english:"Set File Version of Apple QuickTime in KB");
+ desc["english"] = "
+ Overview : This script finds the Apple QuickTime installed version of windows 
+ from the QuickTimePlayer.exe file and saves the version in KB.
+ 
+ Risk factor : Informational";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+ include("smb_nt.inc");
+ include("secpod_smb_func.inc");
+
+ if(!get_kb_item("SMB/WindowsVersion")){
+ 	exit(0);
+ }
+
+ quickTimePath = registry_get_sz(item:"InstallDir",
+                          key:"SOFTWARE\Apple Computer, Inc.\QuickTime");
+ if(!quickTimePath){
+        exit(0);
+ }
+
+ share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:quickTimePath);
+ file =  ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+		      string:quickTimePath + "\QuickTimePlayer.exe");
+
+ name = kb_smb_name();
+ login = kb_smb_login();
+ pass = kb_smb_password();
+ domain = kb_smb_domain();
+ port = kb_smb_transport();
+
+ soc = open_sock_tcp(port);
+ if(!soc){
+        exit(0);
+ }
+
+ r = smb_session_request(soc:soc, remote:name);
+ if(!r){
+	close(soc);
+        exit(0);
+ }
+
+ prot = smb_neg_prot(soc:soc);
+ if(!prot){
+        close(soc);
+        exit(0);
+ }
+
+ r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain, 
+                           prot:prot);
+ if(!r){
+        close(soc);
+        exit(0);
+ }
+
+ uid = session_extract_uid(reply:r);
+ r = smb_tconx(soc:soc, name:name, uid:uid, share:share);
+
+ tid = tconx_extract_tid(reply:r);
+ if(!tid){
+        close(soc);
+        exit(0);
+ }
+
+ fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
+ if(!fid){
+        close(soc);
+        exit(0);
+ }
+
+ quickTimeVer = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid, 
+                                  offset:7000000);
+ close(soc);
+
+ if(quickTimeVer){
+	set_kb_item(name:"QuickTime/Win/Ver", value:quickTimeVer);
+ }
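Review bot: The two `ereg_replace` calls that derive `share` and `file` from `quickTimePath` only accept an upper-case drive letter (`[A-Z]`); if the registry stores InstallDir with a lower-case letter neither pattern matches, `share` becomes the whole path, `smb_tconx` fails and the script exits without recording a version. Using `[A-Za-z]` in both patterns, e.g. `share = ereg_replace(pattern:"([A-Za-z]):.*", replace:"\1$", string:quickTimePath);`, keeps the derivation working in either case. The `offset:7000000` passed to `GetVersion` is a magic number with no explanation; a comment along the lines of `# search bound inside QuickTimePlayer.exe for the version resource — TODO confirm against GetVersion in secpod_smb_func.inc` would help the next maintainer. As in secpod_apple_itunes_detection_win_900123.nasl, the reply from `smb_tconx` is not checked before `tconx_extract_tid`, although the `tid` test does catch the failure.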


Property changes on: trunk/openvas-plugins/scripts/secpod_apple_quicktime_detection_win_900124.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_apple_quicktime_mult_vuln_900121.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_apple_quicktime_mult_vuln_900121.nasl	2008-09-25 06:19:00 UTC (rev 1423)
+++ trunk/openvas-plugins/scripts/secpod_apple_quicktime_mult_vuln_900121.nasl	2008-09-25 07:10:39 UTC (rev 1424)
@@ -0,0 +1,97 @@
+##############################################################################
+#
+#  Apple QuickTime Movie/PICT/QTVR Multiple Remote Vulnerabilities 
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/09/12
+#
+#  Revision: 1.1
+#
+#  Log : ssharath
+#  Issue #0185
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900121);
+ script_bugtraq_id(31086);
+ script_cve_id("CVE-2008-3615","CVE-2008-3635","CVE-2008-3624","CVE-2008-3625",
+               "CVE-2008-3614","CVE-2008-3626","CVE-2008-3627","CVE-2008-3628",
+               "CVE-2008-3629");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Misc.");
+ script_name(english:"Apple QuickTime Movie/PICT/QTVR Multiple Remote Vulnerabilities");
+ script_summary(english:"Check for vulnerable version of Apple QuickTime");
+ desc["english"] = "
+ Overview : This host has Apple QuickTime installed, which prone to multiple
+ vulnerabilities.
+
+ Vulnerability Insight :
+
+        The flaws exists due to,
+        - an uninitialized memory access inn the Indeo v5 codec and lack of
+          proper bounds checking within QuickTimeInternetExtras.qtx file.
+        - improper handling of panorama atoms in QTVR movie files.
+        - improper handling of maxTilt, minFieldOfView and maxFieldOfView
+          parameters in panorama track PDAT atoms.
+        - an uninitialized memory access in the third-party Indeo v5 codec.
+        - an invalid pointer in handling of PICT images.
+        - memory corruption in handling of STSZ atoms in movie files within
+          CallComponentFunctionWithStorage() function.
+        - multiple memory corruption in H.264 encoded movie files.
+        - parsing of movie video files in QuickTimeH264.scalar and MP4 video
+          files in QuickTimeH264.qtx.
+
+        Impact : Successful exploitation could allow remote attackers to gain
+        unauthorized access to execute arbitrary code and trigger a denial of
+        service condition.
+
+ Impact Level : Application
+
+ Affected Software/OS :
+        Apple QuickTime versions prior to 7.5.5 on Windows (all)
+ 
+ Fix : Upgrade to version 7.5.5
+ http://www.apple.com/quicktime/download/
+
+ References : http://support.apple.com/kb/HT3027
+ http://www.securityfocus.com/archive/1/496161
+ http://www.securityfocus.com/archive/1/496163
+ http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=744
+
+ CVSS Score :
+        CVSS Base Score     : 8.3 (AV:N/AC:M/Au:NR/C:P/I:P/A:C)
+        CVSS Temporal Score : 6.1
+ Risk factor : High"; 
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl",
+                     "secpod_apple_quicktime_detection_win_900124.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+ if(!get_kb_item("SMB/WindowsVersion")){
+        exit(0);
+ }
+
+ if(egrep(pattern:"^([0-6]\..*|7\.([0-4](\..*)?|5(\.[0-4])?))$",
+          string:get_kb_item("QuickTime/Win/Ver"))){
+        security_hole(0);
+ }
+
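Review bot: The version regex `^([0-6]\..*|7\.([0-4](\..*)?|5(\.[0-4])?))$` accepts at most three components on the 7.5 branch, but `QuickTime/Win/Ver` is populated by `GetVersion` reading QuickTimePlayer.exe in secpod_apple_quicktime_detection_win_900124.nasl, which presumably yields a four-part PE file version (a constructed example: `7.5.4.0`); such a string fails the `$` anchor and a vulnerable 7.5.x host is reported clean. Allowing a trailing component, `7\.([0-4](\..*)?|5(\.[0-4](\..*)?)?)`, would cover it, though the exact string the detector stores should be confirmed against a real install before the pattern is changed. The missing `QuickTime/Win/Ver` entry in `script_require_keys` is the same omission noted on secpod_apple_itunes_prv_esc_vuln_900122.nasl.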

Added: trunk/openvas-plugins/scripts/secpod_ibm_db2_8_udb_mult_vuln_lin_900216.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ibm_db2_8_udb_mult_vuln_lin_900216.nasl	2008-09-25 06:19:00 UTC (rev 1423)
+++ trunk/openvas-plugins/scripts/secpod_ibm_db2_8_udb_mult_vuln_lin_900216.nasl	2008-09-25 07:10:39 UTC (rev 1424)
@@ -0,0 +1,87 @@
+#############################################################################
+#
+#  IBM DB2 Universal Database Multiple Vulnerabilities - Sept08 (Linux)
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/09/12
+#
+#  Revision: 1.1 
+#
+#  Log: veerendragg
+#  Issue #0187
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900216);
+ script_bugtraq_id(31058);
+ script_cve_id("CVE-2008-2154", "CVE-2008-3958", "CVE-2008-3960");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Denial of Service");
+ script_name(english:"IBM DB2 Universal Database Multiple Vulnerabilities - Sept08 (Linux)");
+ script_summary(english:"Check for vulnerable version of DB2 Universal Database");
+ desc["english"] = "
+ Overview : The host is running DB2 Database Server, which is prone to multiple
+ vulnerabilities.
+
+ Vulnerability Insight :
+
+        The flaws exists due to unspecified errors in processing of
+        - CONNECT/ATTACH requests, 
+        - DB2FMP process and DB2JDS service.
+
+        Impact : Remote exploitation could allow attackers to bypass security
+        restrictions, cause a denial of service or gain elevated privileges.
+ 
+ Impact Level : Application
+ 
+ Affected Software/OS :
+        IBM DB2 version 8 prior to Fixpak 17 on Linux (All).
+ 
+ Fix: Update to Fixpak 17 or later.
+ ftp://ftp.software.ibm.com/ps/products/db2/fixes/
+
+ *****
+ NOTE : Ignore this warning, if above mentioned patch is already applied.
+ *****
+
+ References : http://secunia.com/advisories/31787/
+ http://www.frsirt.com/english/advisories/2008/2517
+ http://securitytracker.com/alerts/2008/Sep/1020826.html
+ http://www-01.ibm.com/support/docview.wss?uid=swg1JR29274
+ 
+ CVSS Score Report :
+        CVSS Base Score     : 8.3 (AV:N/AC:M/Au:NR/C:P/I:P/A:C)
+        CVSS Temporal Score : 6.1
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("gather-package-list.nasl",
+                     "secpod_ibm_db2_detect_linux_900217.nasl");
+ script_require_keys("ssh/login/uname", "Linux/IBM_db2/Ver",
+                     "Linux/IBM_db2/FixPack");
+ exit(0);
+}
+
+
+ if("Linux" >!< get_kb_item("ssh/login/uname")){
+        exit(0);
+ }
+
+ if(egrep(pattern:"^8\.[0-2]\..*", string:get_kb_item("Linux/IBM_db2/Ver"))){
+ 	security_hole(0);
+ }
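Review bot: `script_require_keys` demands `Linux/IBM_db2/FixPack`, but the body never reads it: the only test is `egrep(pattern:"^8\.[0-2]\..*", ...)` on `Linux/IBM_db2/Ver`, so every DB2 8.0–8.2 install is reported vulnerable whether or not Fixpak 17 is applied, which is what the "Ignore this warning" NOTE in the description is papering over. Reading the fixpack value before the egrep, e.g. `fp = get_kb_item("Linux/IBM_db2/FixPack"); if(fp && int(fp) >= 17){ exit(0); }`, would remove the known false positive. The string the detector stores is derived from `db2ls -a` output in secpod_ibm_db2_detect_linux_900217.nasl and may carry a letter prefix rather than a bare number, so its format should be checked before relying on `int()`.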


Property changes on: trunk/openvas-plugins/scripts/secpod_ibm_db2_8_udb_mult_vuln_lin_900216.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_ibm_db2_8_udb_mult_vuln_win_900215.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ibm_db2_8_udb_mult_vuln_win_900215.nasl	2008-09-25 06:19:00 UTC (rev 1423)
+++ trunk/openvas-plugins/scripts/secpod_ibm_db2_8_udb_mult_vuln_win_900215.nasl	2008-09-25 07:10:39 UTC (rev 1424)
@@ -0,0 +1,89 @@
+#############################################################################
+#
+#  IBM DB2 Universal Database Multiple Vulnerabilities - Sept08 (Win)
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/09/12
+#
+#  Revision: 1.1 
+#
+#  Log: veerendragg
+#  Issue #0187
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900215);
+ script_bugtraq_id(31058);
+ script_cve_id("CVE-2008-2154", "CVE-2008-3958", "CVE-2008-3960");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Denial of Service");
+ script_name(english:"IBM DB2 Universal Database Multiple Vulnerabilities - Sept08 (Win)");
+ script_summary(english:"Check for vulnerable version of DB2 Universal Database");
+ desc["english"] = "
+ Overview : The host is running DB2 Database Server, which is prone to multiple
+ vulnerabilities.
+
+ Vulnerability Insight :
+
+        The flaws exists due to unspecified errors in processing of,
+        - CONNECT/ATTACH requests, 
+        - DB2FMP process and DB2JDS service.
+
+        Impact : Remote exploitation could allow attackers to bypass security
+        restrictions, cause a denial of service or gain elevated privileges.
+ 
+ Impact Level : Application
+ 
+ Affected Software/OS :
+        IBM DB2 version 8 prior to Fixpak 17 on Windows (All).
+ 
+ Fix: Update to Fixpak 17 or later.
+ ftp://ftp.software.ibm.com/ps/products/db2/fixes/
+
+ *****
+ NOTE : Ignore this warning, if above mentioned patch is already applied.
+ *****
+
+ References : http://secunia.com/advisories/31787/
+ http://www.frsirt.com/english/advisories/2008/2517
+ http://securitytracker.com/alerts/2008/Sep/1020826.html
+ http://www-01.ibm.com/support/docview.wss?uid=swg1JR29274
+ 
+ CVSS Score Report :
+        CVSS Base Score     : 8.3 (AV:N/AC:M/Au:NR/C:P/I:P/A:C)
+        CVSS Temporal Score : 6.1
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl",
+                     "secpod_ibm_db2_detect_win_900218.nasl");
+ script_require_keys("SMB/WindowsVersion", "Win/IBM-db2/Ver");
+ exit(0);
+}
+
+
+ include("smb_nt.inc");
+
+ if(!get_kb_item("SMB/WindowsVersion")){
+        exit(0);
+ }
+
+ if(egrep(pattern:"^8\.([01](\..*)?|2(\.([0-9]|1[0-6]))?)$",
+	  string:get_kb_item("Win/IBM-db2/Ver"))){
+ 	security_hole(0);
+ }
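Review bot: `include("smb_nt.inc")` after the description block is unused — the body only calls `get_kb_item`, `egrep` and `security_hole` — and can be dropped, as the Linux counterpart secpod_ibm_db2_8_udb_mult_vuln_lin_900216.nasl does. The regex `^8\.([01](\..*)?|2(\.([0-9]|1[0-6]))?)$` treats the third component of an 8.2 version as the fixpak (16 or below is vulnerable) but accepts any 8.0 or 8.1 version whatever its third component; if `DisplayVersion` encodes the fixpak the same way for 8.1, a patched 8.1 host is still flagged and the two branches should share one cut-off. A comment above the egrep stating the assumed format, `# Win/IBM-db2/Ver is DisplayVersion, assumed major.minor.fixpak — TODO confirm`, would make that assumption reviewable.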


Property changes on: trunk/openvas-plugins/scripts/secpod_ibm_db2_8_udb_mult_vuln_win_900215.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_ibm_db2_detect_linux_900217.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ibm_db2_detect_linux_900217.nasl	2008-09-25 06:19:00 UTC (rev 1423)
+++ trunk/openvas-plugins/scripts/secpod_ibm_db2_detect_linux_900217.nasl	2008-09-25 07:10:39 UTC (rev 1424)
@@ -0,0 +1,76 @@
+#############################################################################
+#
+#  IBM DB2 Server Detection (Linux)
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/09/12
+#
+#  Revision: 1.1 
+#
+#  Log: veerendragg
+#  Issue #0187
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+if(description)
+{
+ script_id(900217);
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"General");
+ script_name(english:"IBM DB2 Server Detection (Linux)");
+ script_summary(english:"Set KB for IBM DB2 Server");
+ desc["english"] = "
+ This script detects the version of IBM DB2 Server and saves the
+ results in KB.
+
+ Risk factor : Informational";
+
+ script_description(english:desc["english"]);
+ script_dependencies("gather-package-list.nasl");
+ script_require_keys("ssh/login/uname");
+ exit(0);
+}
+
+
+ include("ssh_func.inc");
+        
+ if("Linux" >!< get_kb_item("ssh/login/uname")){
+        exit(0);
+ }
+
+ sock = ssh_login_or_reuse_connection();
+ if(sock)
+ {
+        db2Ver = ssh_cmd(socket:sock, cmd:"db2ls -a", timeout:120);
+	ssh_close_connection();
+        if(!db2Ver){
+		exit(0);
+	}
+
+	ibmdbVer = eregmatch(pattern:" [.0-9]+", string:strstr(db2Ver, '/'));
+	if(ibmdbVer != NULL)
+	{
+		set_kb_item(name:"Linux/IBM_db2/Ver", value:ibmdbVer[0]- " ");
+
+		patchVer = eregmatch(pattern:" [.0-9a-z ]+", 
+				     string:strstr(db2Ver, '/'));
+
+                patchVersion = ereg_replace(pattern:" +[.0-9]+ +([0-9a-z]+).*",
+                                            replace:"\1", string:patchVer[0]);
+		if(patchVersion){
+			set_kb_item(name:"Linux/IBM_db2/FixPack", value:patchVersion);
+		}
+	}
+ }
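Review bot: `patchVer[0]` is passed to `ereg_replace` without checking that the second `eregmatch` matched, whereas `ibmdbVer` is guarded with `!= NULL` a few lines above; when the `db2ls -a` output carries no fixpack token the call runs on a NULL string. Guarding it the same way, `if(!isnull(patchVer)){ patchVersion = ereg_replace(...); ... }`, keeps the two extractions consistent. The `value:ibmdbVer[0]- " "` expression relies on NASL string subtraction to strip the leading blank captured by the pattern; a short comment, `# pattern captures a leading blank; strip it`, would save the next reader a lookup.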


Property changes on: trunk/openvas-plugins/scripts/secpod_ibm_db2_detect_linux_900217.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_ibm_db2_detect_win_900218.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ibm_db2_detect_win_900218.nasl	2008-09-25 06:19:00 UTC (rev 1423)
+++ trunk/openvas-plugins/scripts/secpod_ibm_db2_detect_win_900218.nasl	2008-09-25 07:10:39 UTC (rev 1424)
@@ -0,0 +1,154 @@
+#############################################################################
+#
+#  IBM DB2 Server Detection (Windows)
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/09/12
+#
+#  Revision: 1.1 
+#
+#  Log: veerendragg
+#  Issue #0187
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+if(description)
+{
+ script_id(900218);
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"General");
+ script_name(english:"IBM DB2 Server Detection (Windows)");
+ script_summary(english:"Set KB for IBM DB2 Server");
+ desc["english"] = "
+ This script detects the version of IBM DB2 Server and saves the
+ results in KB.
+ 
+ Risk factor : Informational";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion"); 
+ exit(0);
+}
+
+
+ include("smb_nt.inc");
+ include("secpod_smb_func.inc");
+
+ name   =  kb_smb_name();
+ login  =  kb_smb_login();
+ pass   =  kb_smb_password();
+ domain =  kb_smb_domain();
+ port   =  kb_smb_transport();
+ 
+ if(!port){
+	port = 139;
+ }
+ 
+ if(!get_port_state(port)){
+	exit(0);
+ }
+ 
+ soc = open_sock_tcp(port);
+ if(!soc){
+        exit(0);
+ }
+
+ r = smb_session_request(soc:soc, remote:name);
+ if(!r)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ prot = smb_neg_prot(soc:soc);
+ if(!prot)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ r = smb_session_setup(soc:soc, login:login, password:pass,
+                       domain:domain, prot:prot);
+ if(!r)
+ {
+        close(soc);
+        exit(0);
+ }
+
+
+ uid = session_extract_uid(reply:r);
+ r = smb_tconx(soc:soc, name:name, uid:uid, share:"IPC$");
+
+ tid = tconx_extract_tid(reply:r);
+ if(!tid)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ r = smbntcreatex(soc:soc, uid:uid, tid:tid, name:"\winreg");
+ if(!r)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ pipe = smbntcreatex_extract_pipe(reply:r);
+ if(!pipe)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ r = pipe_accessible_registry(soc:soc, uid:uid, tid:tid, pipe:pipe);
+ if(!r)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ handle = registry_open_hklm(soc:soc, uid:uid, tid:tid, pipe:pipe);
+ if(!handle)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+ key_h = registry_get_key(soc:soc, uid:uid, tid:tid, pipe:pipe,
+                          key:key, reply:handle);
+ if(!key_h)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ enumKeys = registry_enum_key(soc:soc, uid:uid, tid:tid, pipe:pipe, reply:key_h);
+ close(soc);
+
+ foreach entry (enumKeys)
+ {
+        appName = registry_get_sz(item:"DisplayName", key:key + entry); 
+        if("DB2 Enterprise Server Edition" >< appName)
+        {
+                ibmdbVer = registry_get_sz(item:"DisplayVersion", 
+                                           key:key + entry);
+                if(ibmdbVer){
+                        set_kb_item(name:"Win/IBM-db2/Ver", value:ibmdbVer);
+                }
+                exit(0);
+        }
+ }
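Review bot: The detector only sets `Win/IBM-db2/Ver` for an Uninstall entry whose DisplayName contains `"DB2 Enterprise Server Edition"`, while secpod_ibm_db2_8_udb_mult_vuln_win_900215.nasl, which depends on this key, describes the issue as affecting DB2 version 8 on Windows (All); any other edition whose DisplayName lacks that string is never reported. If the other editions register a different DisplayName, matching on a broader token such as `"DB2" >< appName` would widen coverage, but which strings the installer actually writes should be confirmed before changing it. The `exit(0)` after the first matching entry also stops the scan before a second entry carrying a DisplayVersion is seen, the same ordering issue as in secpod_apple_itunes_detection_win_900123.nasl.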


Property changes on: trunk/openvas-plugins/scripts/secpod_ibm_db2_detect_win_900218.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_ibmhttpserver_mod_proxy_dos_900222.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ibmhttpserver_mod_proxy_dos_900222.nasl	2008-09-25 06:19:00 UTC (rev 1423)
+++ trunk/openvas-plugins/scripts/secpod_ibmhttpserver_mod_proxy_dos_900222.nasl	2008-09-25 07:10:39 UTC (rev 1424)
@@ -0,0 +1,97 @@
+##############################################################################
+#
+#  IBM HTTP Server mod_proxy Interim Responses DoS Vulnerability
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/09/23
+#
+#  Revision: 1.1
+#
+#  Log: veerendragg
+#  Issue #0122
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900222);
+ script_bugtraq_id(29653);
+ script_cve_id("CVE-2008-2364");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("$Revision: 1.1 $");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Denial of Service");
+ script_name(english:"IBM HTTP Server mod_proxy Interim Responses DoS Vulnerability");
+ script_summary(english:"Check for IBM HTTP Server version");
+ desc["english"] = "
+ Overview : This host is running IBM HTTP Server, which is prone to Denial of
+ Service Vulnerability.
+
+ Vulnerability Insight :
+
+        Issue is caused due to an error in the ap_proxy_http_process_response()
+        function in mod_proxy_http.c in the mod_proxy module when processing 
+        large number of interim responses to the client, which could consume 
+        all available memory resources.
+
+        Impact : A remote/local user can cause denial of service 
+
+ Impact Level : Application
+
+ Affected Software/OS :
+        IBM HTTP Server versions prior to 6.1.0.19. 
+
+ Fix : Update to Fix Pack 19 
+ http://www-01.ibm.com/support/docview.wss?uid=swg27008517
+
+ *****
+ NOTE : Ignore this warning if above mentioned patch is applied already.
+ *****
+
+ References :
+ http://secunia.com/Advisories/31904/
+ http://xforce.iss.net/xforce/xfdb/42987
+ http://www-01.ibm.com/support/docview.wss?rs=177&context=SSEQTJ&uid=swg21173021
+
+ CVSS Score :
+        CVSS Base Score     : 7.1 (AV:N/AC:M/Au:NR/C:N/I:N/A:C)
+        CVSS Temporal Score : 5.3
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("http_version.nasl");
+ script_require_ports("Services/www", 80, 8880, 8008);
+ exit(0);
+}
+
+
+ include("http_func.inc");
+
+ ports = make_list("80","8008","8880");
+
+ foreach port (ports)
+ {
+        ibmWebSer = get_http_banner(port);
+ 
+        # Check for IBM HTTP Server Version
+        if(egrep(pattern:"Server: IBM_HTTP_Server.*", string:ibmWebSer))
+        {
+                if(egrep(pattern:"IBM_HTTP_Server/([0-5]\..*|6\.[01])[^.0-9]",
+                         string:ibmWebSer))
+		{
+                        security_hole(port);
+			exit(0);
+		}
+        }
+ }
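Review bot: The version test at L1072 does not express the advisory's fix level: `6\.[01]` followed by `[^.0-9]` matches a bare `6.0`/`6.1` banner but never a four-component one such as `6.1.0.15`, and since the `Server:` banner does not carry the fix-pack number the check cannot separate 6.1.0.19 from earlier 6.1 builds anyway. Document it as a banner-only heuristic (`# Banner does not reveal the fix pack; any 6.0/6.1 banner is reported`) or rework the alternatives so multi-component versions are handled. Separately, the body walks a hard-coded `ports` list at L1063 while the description registers `Services/www`; using `get_http_port(default:80)` as the other HTTP scripts in this commit do, or at least checking `get_port_state(port)` before `get_http_banner(port)`, would keep the scripts consistent.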


Property changes on: trunk/openvas-plugins/scripts/secpod_ibmhttpserver_mod_proxy_dos_900222.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_mysql_dos_vuln_900221.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_mysql_dos_vuln_900221.nasl	2008-09-25 06:19:00 UTC (rev 1423)
+++ trunk/openvas-plugins/scripts/secpod_mysql_dos_vuln_900221.nasl	2008-09-25 07:10:39 UTC (rev 1424)
@@ -0,0 +1,95 @@
+##############################################################################
+#
+#  MySQL Empty Bit-String Literal Denial of Service Vulnerability 
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/09/18
+#
+#  Revision: 1.1
+#
+#  Log: veerendragg
+#  Issue #0241
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900221);
+ script_bugtraq_id(31081);
+ script_cve_id("CVE-2008-3963");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Denial of Service");
+ script_name(english:"MySQL Empty Bit-String Literal Denial of Service Vulnerability");
+ script_summary(english:"Check for version of MySQL");
+ desc["english"] = "
+ Overview : This host is running MySQL, which is prone to Denial of Service
+ Vulnerability.
+
+ Vulnerability Insight :
+
+        Issue is due to error while processing an empty bit string literal via
+        a specially crafted SQL statement.
+
+        Impact : Successful exploitation by remote attackers could cause denying
+        access to legitimate users.
+
+ Impact Level : Application
+
+ Affected Software/OS : 
+        MySQL versions prior to 5.0.x - 5.0.66,
+                                5.1.x - 5.1.26, and
+                                6.0.x - 6.0.5 on all running platform.
+
+ Fix : Update to version 5.0.66 or 5.1.26 or 6.0.6 or later.
+ http://dev.mysql.com/downloads/
+
+ References : 
+ http://secunia.com/advisories/31769/
+ http://bugs.mysql.com/bug.php?id=35658
+ http://dev.mysql.com/doc/refman/5.1/en/news-5-1-26.html
+ 
+ CVSS Score :
+        CVSS Base Score     : 7.1 (AV:N/AC:M/Au:NR/C:N/I:N/A:C)
+        CVSS Temporal Score : 5.6
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("mysql_version.nasl");
+ script_require_ports("Services/mysql", 3306);
+ exit(0);
+}
+
+
+ include("misc_func.inc");
+
+ sqlPort = get_kb_item("Services/mysql");
+ if(!sqlPort){
+        sqlPort = 3306;
+ }
+
+ if(!get_port_state(sqlPort)){
+        exit(0);
+ }
+
+ mysqlVer = get_mysql_version(port:sqlPort);
+ if(mysqlVer)
+ {
+       # grep for version < 5.0.66, 5.1.26, and 6.0.6
+       if(ereg(pattern:"^(5\.0(\.[0-5]?[0-9]|\.6[0-5])?|5\.1(\.[01]?[0-9]|" +
+                       "\.2[0-5])?|6\.0(\.[0-5])?)[^.0-9]", string:mysqlVer)){
+                security_hole(sqlPort);
+       }
+ }
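Review bot: The pattern at L1182-L1183 ends in `[^.0-9]`, so it matches only when a non-version character follows the number; if `get_mysql_version()` returns the bare string (e.g. `5.0.65`) no vulnerable version is ever reported. Use `([^.0-9]|$)` as the terminator, or end with `$` since the pattern is already anchored with `^`. The version boundaries themselves look right (5.0.65, 5.1.25 and 6.0.5 match; 5.0.66, 5.1.26 and 6.0.6 do not). Also `script_version("Revision: 1.1 ")` at L1123 has lost the `$` keyword delimiters that L1014 uses, so svn will not expand it; the same applies at L1229, L1483, L1642 and L1759.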


Property changes on: trunk/openvas-plugins/scripts/secpod_mysql_dos_vuln_900221.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_personal_ftp_server_dos_vuln_900127.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_personal_ftp_server_dos_vuln_900127.nasl	2008-09-25 06:19:00 UTC (rev 1423)
+++ trunk/openvas-plugins/scripts/secpod_personal_ftp_server_dos_vuln_900127.nasl	2008-09-25 07:10:39 UTC (rev 1424)
@@ -0,0 +1,93 @@
+##############################################################################
+#
+#  Personal FTP Server RETR Command Remote Denial of Service Vulnerability
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/09/18
+#
+#  Revision: 1.1
+#
+#  Log : ssharath
+#  Issue #0237
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900127);
+ script_bugtraq_id(31173);
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Denial of Service");
+ script_name(english:"Personal FTP Server RETR Command Remote Denial of Service Vulnerability");
+ script_summary(english:"Check for vulnerable version of Personal FTP Server");
+ desc["english"] = "
+ Overview : The host is running Personal FTP Server, which is prone to denial 
+ of service vulnerability.
+
+ Vulnerability Insight :
+
+        This issue is caused due to an error when handling the RETR command.
+
+        Impact : Successful exploitation will deny the service by sending
+        multiple RETR commands with an arbitrary argument.
+
+ Impact Level : Application
+
+ Affected Software/OS :
+        Michael Roth Personal FTP Server 6.0f and prior on Windows (all).
+ 
+ Fix : No solution/patch is available as on 16th September, 2008. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates check, http://www.michael-roth-software.de/new/Produkte.html
+
+ References : http://shinnok.evonet.ro/vulns_html/pftp.html 
+ http://downloads.securityfocus.com/vulnerabilities/exploits/31173.c
+
+ CVSS Score :
+        CVSS Base Score     : 6.3 (AV:N/AC:M/Au:SI/C:N/I:N/A:C)
+        CVSS Temporal Score : 5.7
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl", "find_service.nes");
+ script_require_keys("SMB/WindowsVersion");
+ script_require_ports("Services/ftp", 21);
+ exit(0);
+}
+
+
+ include("smb_nt.inc");
+
+ if(!get_kb_item("SMB/WindowsVersion")){
+        exit(0);
+ }
+ 
+ port = get_kb_item("Services/ftp");
+ if(!port){
+        port = 21;
+ }
+
+ if(!get_port_state(port)){
+        exit(0);
+ }
+
+ pftpVer = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion" +
+                               "\Uninstall\The Personal FTP Server_is1",
+                           item:"DisplayVersion");
+
+ if(egrep(pattern:"^([0-5]\..*|6\.0([a-f])?)$", string:pftpVer)){
+        security_warning(port);
+ }
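Review bot: `pftpVer` from L1285 is passed to egrep at L1289 without a presence check, so a host without the product falls through to the regex on an empty value; the other registry-based scripts in this commit exit on a missing key, so add `if(!pftpVer){ exit(0); }` after L1287. The description states `Risk factor : High` while the body reports with `security_warning(port)`; pick one severity so the report and the description agree. Since the version comes from the registry rather than the FTP banner, the `Services/ftp` port only gates reporting, which deserves a comment such as `# version is read from the registry; the FTP port is used only for the report`.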

Added: trunk/openvas-plugins/scripts/secpod_simple_machines_forum_sec_bypass_vuln_900118.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_simple_machines_forum_sec_bypass_vuln_900118.nasl	2008-09-25 06:19:00 UTC (rev 1423)
+++ trunk/openvas-plugins/scripts/secpod_simple_machines_forum_sec_bypass_vuln_900118.nasl	2008-09-25 07:10:39 UTC (rev 1424)
@@ -0,0 +1,98 @@
+##############################################################################
+#
+#  Simple Machines Forum Password Reset Vulnerability
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/09/17
+#
+#  Revision: 1.1
+#
+#  Log: ssharath
+#  Issue #0176
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+if(description)
+{
+ script_id(900118);
+ script_bugtraq_id(31053);
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("$Revision: 1.1 $");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"CGI abuses");
+ script_name(english:"Simple Machines Forum Password Reset Vulnerability");
+ script_summary(english:"Check for the vulnerable version of Simple Machines");
+ desc["english"] = "
+ Overview : The host has Simple Machines Forum, which is prone to security
+ bypass vulnerability.
+
+ Vulnerability Insight :
+
+        The vulnerability exists due to the application generating weak
+        validation codes for the password reset functionality which allows
+        for easy validation code guessing attack. 
+
+        Impact: Attackers can guess the validation code and reset the user
+        password to the one of their choice. 
+
+ Impact Level : Application
+
+ Affected Software/OS : 
+        Simple Machines Forum versions prior to 1.1.6 on 
+
+ Fix : Update to version 1.1.6
+ http://download.simplemachines.org/
+
+ References :
+ http://milw0rm.com/exploits/6392
+ http://secunia.com/advisories/31750/
+ http://www.simplemachines.org/community/index.php?topic=260145.0
+
+ CVSS Score :
+        CVSS Base Score      : 6.4 (AV:N/AC:L/Au:NR/C:P/I:P/A:N)
+        CVSS  Temporal Score : 5.0
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_dependencies("http_version.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+ include("http_func.inc");
+ include("http_keepalive.inc");
+
+ port = get_http_port(default:80);
+ if(!port){
+        exit(0);
+ }
+
+ foreach path (make_list("/sm_forum", cgi_dirs()))
+ {
+        sndReq = http_get(item:string(path, "/index.php"), port:port);
+        rcvRes = http_keepalive_send_recv(port:port, data:sndReq);
+        if(rcvRes == NULL){
+                exit(0);
+        }
+
+	if(egrep(pattern:"sm_forum", string:rcvRes) &&
+           egrep(pattern:"^HTTP/.* 200 OK", string:rcvRes))
+	{
+		if(egrep(pattern:"SMF (1\.0(\..*)?|1\.1(\.[0-5])?)[^.0-9]",
+			 string:rcvRes)){
+			security_hole(port);
+		} 
+		exit(0);
+       }
+ }
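Review bot: The product fingerprint at L1386 is the directory name `sm_forum`, not anything SMF itself emits, so for every `cgi_dirs()` entry whose path does not contain that string a 200 response is discarded and the version check at L1389 is never reached; iterating `cgi_dirs()` is effectively dead code. Match on something the application returns — the `SMF ` version string already tested at L1389 is sufficient as the presence check. L1386-L1394 mix tabs with the spaces used elsewhere in the file and the closing brace at L1394 is misaligned. The `exit(0)` on a NULL response at L1383 also stops probing the remaining paths after one failed request; `continue` seems the intended behaviour (same pattern at L1702 in the WordPress script).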


Property changes on: trunk/openvas-plugins/scripts/secpod_simple_machines_forum_sec_bypass_vuln_900118.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_trendmicro_officescan_bof_vuln_sept08_900220.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_trendmicro_officescan_bof_vuln_sept08_900220.nasl	2008-09-25 06:19:00 UTC (rev 1423)
+++ trunk/openvas-plugins/scripts/secpod_trendmicro_officescan_bof_vuln_sept08_900220.nasl	2008-09-25 07:10:39 UTC (rev 1424)
@@ -0,0 +1,191 @@
+#############################################################################
+#
+#  Trend Micro OfficeScan Server cgiRecvFile.exe Buffer Overflow Vulnerability
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/09/18
+#
+#  Revision: 1.1
+#
+#  Log: veerendragg
+#  Issue #0223
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+ desc["english"] = "
+ Overview : This Remote host is installed with Trend Micro OfficeScan, which
+ is prone to Buffer Overflow Vulnerability.
+
+ Vulnerability Insight :
+
+        The flaw is caused due to error in cgiRecvFile.exe can be exploited
+        to cause a stack based buffer overflow by sending a specially crated
+        HTTP request with a long ComputerName parameter.
+
+        Impact : Remote exploitation could allow execution of arbitrary code to
+        cause complete compromise of system and failed attempt leads to denial
+        of service condition.
+
+ Impact Level : Application/System.
+
+ Affected Software/OS :
+        Trend Micro OfficeScan Corporate Edition version 8.0
+        Trend Micro OfficeScan Corporate Edition versions 7.0 and 7.3
+        Trend Micro Client Server Messaging Security (CSM) for SMB versions 2.x and 3.x
+
+ Fix : Partially Fixed.
+ Fix is available for Trend Micro OfficeScan 8.0, 7.3 and
+ Client Server Messaging Security (CSM) 3.6.
+
+ Apply patch Trend Micro OfficeScan Corporate Edition 8.0 from
+ http://www.trendmicro.com/ftp/products/patches/OSCE_8.0_Win_EN_CriticalPatch_B1361.exe
+ http://www.trendmicro.com/ftp/products/patches/OSCE_8.0_SP1_Win_EN_CriticalPatch_B2424.exe
+ http://www.trendmicro.com/ftp/products/patches/OSCE_8.0_SP1_Patch1_Win_EN_CriticalPatch_B3060.exe
+
+ Apply patch Trend Micro OfficeScan Corporate Edition 7.3 from
+ http://www.trendmicro.com/ftp/products/patches/OSCE_7.3_Win_EN_CriticalPatch_B1367.exe
+
+ Apply patch Trend Micro Client Server Messaging Security (CSM) 3.6 from
+ http://www.trendmicro.com/ftp/products/patches/CSM_3.6_OSCE_7.6_Win_EN_CriticalPatch_B1195.exe
+
+ References : http://secunia.com/advisories/31342/
+ http://securitytracker.com/alerts/2008/Sep/1020860.html
+ http://www.juniper.net/security/auto/vulnerabilities/vuln31139.html
+
+ CVSS Score :
+        CVSS Base Score     : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
+        CVSS Temporal Score : 7.1
+ Risk factor : High";
+
+if(description)
+{
+ script_id(900220);
+ script_bugtraq_id(31139);
+ script_cve_id("CVE-2008-2437");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Misc.");
+ script_name(english:"Trend Micro OfficeScan Server cgiRecvFile.exe Buffer Overflow Vulnerability.");
+ script_summary(english:"Check for the version of Trend Micro OfficeScan");
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+ include("smb_nt.inc");
+ include("secpod_smb_func.inc");
+
+ if(!get_kb_item("SMB/WindowsVersion")){
+        exit(0);
+ }
+
+ scanVer = registry_get_sz(key:"SOFTWARE\TrendMicro\OfficeScan\service" + 
+                               "\Information", item:"Server_Version");
+ if(!scanVer){
+	exit(0);
+ }
+
+ if(!egrep(pattern:"^([0-7]\..*|8\.0)$", string:scanVer)){
+	exit(0);
+ }
+
+ offPath = registry_get_sz(key:"SOFTWARE\TrendMicro\OfficeScan\service" +
+                               "\Information", item:"Local_Path");
+ if(!offPath){
+	exit(0);
+ }
+
+ report = string("\n *****\n NOTE : Ignore this warning if the above mentioned" + 
+                 "patch is already applied.\n *****\n");
+
+ # For Trend Micro Client Server Messaging Security and Office Scan 8 or 7.0
+ if(registry_key_exists(key:"SOFTWARE\TrendMicro\CSM") || 
+                        scanVer =~ "^(8\..*|[0-7]\.[0-2](\..*)?)$"){
+        security_hole(data:string(desc["english"], report));
+        exit(0);
+ }
+
+ share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:offPath);
+ file =  ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", 
+                      string:offPath + "Web\CGI\cgiRecvFile.exe");
+
+ name    =  kb_smb_name();
+ login   =  kb_smb_login();
+ pass    =  kb_smb_password();
+ domain  =  kb_smb_domain();
+ port    =  kb_smb_transport();
+
+ if(!port){
+	port = 139;
+ }
+
+ if(!get_port_state(port)){
+        exit(0);
+ }
+ 
+ soc = open_sock_tcp(port);
+ if(!soc){
+        exit(0);
+ }
+ 
+ r = smb_session_request(soc:soc, remote:name);
+ if(!r)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ prot = smb_neg_prot(soc:soc);
+ if(!prot)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain, prot:prot);
+ if(!r)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ uid = session_extract_uid(reply:r);
+ r = smb_tconx(soc:soc, name:name, uid:uid, share:share);
+
+ tid = tconx_extract_tid(reply:r);
+ if(!tid)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
+ if(!fid)
+ {
+        close(soc);
+        exit(0);
+ }
+
+ fileVersion = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid);
+ if(!fileVersion){
+        exit(0);
+ }
+
+ # grep for file version < 7.3.0.1367
+ if(egrep(pattern:"^7\.3\.0\.(0?[0-9]?[0-9]?[0-9]|1[0-2][0-9][0-9]|" +
+                  "13[0-5][0-9]|136[0-6])$", string:scanVer)){
+        security_warning(0);
+ }
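Review bot: The final check at L1595-L1596 runs the file-version pattern against `scanVer` (the registry `Server_Version`, already known to be 7.x/8.0) instead of `fileVersion` fetched at L1589, so the `GetVersion()` result is never examined and a 7.3 server can never be flagged by this path; change `string:scanVer` to `string:fileVersion`. The socket is not closed on the `!fileVersion` exit at L1591 nor after the final check, unlike every earlier failure branch; add `close(soc);` in both places. At L1518-L1519 the concatenation `"...above mentioned" + "patch is..."` yields `mentionedpatch` in the report text — a space is missing. L1524 reports with `security_hole` while L1597 uses `security_warning(0)` for the same vulnerability; the severities should agree with the description's `Risk factor : High`.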


Property changes on: trunk/openvas-plugins/scripts/secpod_trendmicro_officescan_bof_vuln_sept08_900220.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_wordpress_mult_vuln_900219.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_wordpress_mult_vuln_900219.nasl	2008-09-25 06:19:00 UTC (rev 1423)
+++ trunk/openvas-plugins/scripts/secpod_wordpress_mult_vuln_900219.nasl	2008-09-25 07:10:39 UTC (rev 1424)
@@ -0,0 +1,106 @@
+##############################################################################
+#
+#  WordPress Multiple Vulnerabilities - Sept08
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/10/12
+#
+#  Revision: 1.1
+#
+#  Log: veerendragg
+#  Issue #0192
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900219);
+ script_bugtraq_id(30750, 31068, 31115);
+ script_cve_id("CVE-2008-3747");
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"CGI abuses");
+ script_name(english:"WordPress Multiple Vulnerabilities");
+ script_summary(english:"Check for version of WordPress");
+ desc["english"] = "
+ Overview : This host is running WordPress, which is prone to multiple
+ vulnerabilities.
+
+ Vulnerability Insight :
+
+        The flaws are due to,
+                - SQL column-truncation issue.
+		- Weakness in the entropy of generated passwords.
+		- functions get_edit_post_link(), and get_edit_comment_link() fail
+                  to use SSL when transmitting data.
+
+        Impact : Successful exploitation will allow attackers to reset the
+        password of arbitrary accounts, guess randomly generated passwords,
+        obtain sensitive information and possibly to impersonate users and
+        tamper with network data.
+
+ Impact Level : Application
+
+ Affected Software/OS :
+        WordPress 2.6.1 and prior versions.
+
+ Fix : Upgrade to WordPress 2.6.2 or later.
+ http://wordpress.org/
+
+ References :
+ http://www.sektioneins.de/advisories/SE-2008-05.txt
+ http://seclists.org/fulldisclosure/2008/Sep/0194.html
+ http://www.juniper.net/security/auto/vulnerabilities/vuln31068.html
+ http://www.juniper.net/security/auto/vulnerabilities/vuln30750.html
+
+ CVSS Score :
+        CVSS Base Score     : 6.8 (AV:N/AC:M/Au:NR/C:P/I:P/A:P)
+        CVSS Temporal Score : 5.3
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("http_version.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+ include("http_func.inc");
+ include("http_keepalive.inc");
+
+ port = get_http_port(default:80);
+ if(!port){
+        exit(0);
+ }
+
+ foreach path (make_list("/wordpress", cgi_dirs()))
+ {
+        sndReq = http_get(item:string(path, "/index.php"), port:port);
+        rcvRes = http_keepalive_send_recv(port:port, data:sndReq);
+        if(rcvRes == NULL){
+                exit(0);
+        }
+
+	if(egrep(pattern:"Powered by WordPress", string:rcvRes) &&
+           egrep(pattern:"^HTTP/.* 200 OK", string:rcvRes))
+        {
+                if(egrep(pattern:"WordPress 2\.([0-5](\..*)?|6(\.[01])?)[^.0-9]",
+                         string:rcvRes)){
+                        security_hole(port);
+                }
+                exit(0);
+        }
+ }
+
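Review bot: `exit(0)` on a NULL response at L1702-L1704 abandons the remaining `cgi_dirs()` entries after a single failed request; `continue` lets the loop try the other paths (same pattern in the SMF script at L1383). The header's `Date Written: 2008/10/12` at L1617 is later than this commit (2008-09-25), presumably a typo for 2008/09/12. L1706 is indented with a tab while the surrounding block uses spaces. The pattern at L1709 only covers 2.x although the description says `2.6.1 and prior`; if 1.x installations are in scope the pattern needs a `1\..*` alternative, otherwise the description should be narrowed.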


Property changes on: trunk/openvas-plugins/scripts/secpod_wordpress_mult_vuln_900219.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_zonealarm_net_sec_suite_bof_vuln_900126.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_zonealarm_net_sec_suite_bof_vuln_900126.nasl	2008-09-25 06:19:00 UTC (rev 1423)
+++ trunk/openvas-plugins/scripts/secpod_zonealarm_net_sec_suite_bof_vuln_900126.nasl	2008-09-25 07:10:39 UTC (rev 1424)
@@ -0,0 +1,90 @@
+##############################################################################
+#
+#  ZoneAlarm Internet Security Suite Buffer Overflow Vulnerability
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/09/18
+#
+#  Revision: 1.1
+#
+#  Log : ssharath
+#  Issue #0221
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900126);
+ script_bugtraq_id(31124);
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Misc.");
+ script_name(english:"ZoneAlarm Internet Security Suite Buffer Overflow Vulnerability");
+ script_summary(english:"Check for vulnerable version of ZoneAlarm Internet Security Suite");
+ desc["english"] = "
+ Overview : The host has ZoneAlarm Internet Security Suite installed, which
+ is prone to buffer overflow vulnerability.
+
+ Vulnerability Insight :
+
+        The vulnerability is caused due to inadequate boundary checks on 
+        user-supplied input in multiscan.exe file when performing virus scans 
+        on long paths or file names. This can be exploited by tricking into 
+        scanning malicious directory or file names. 
+
+        Impact : Exploitation could allow attackers to execute arbitrary code 
+        on the affected system or cause denial of service. 
+
+ Impact Level : Application
+
+ Affected Software/OS :
+        ZoneAlarm Internet Security Suite 8.x and prior on Windows (All).
+ 
+ Fix : No solution/patch is available as on 18th September, 2008. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer,
+ http://www.zonealarm.com/store/content/dotzone/freeDownloads.jsp
+ 
+ References :
+ http://secunia.com/advisories/31832/
+ http://www.securityfocus.com/archive/1/496226
+ http://www.frsirt.com/english/advisories/2008/2556
+
+ CVSS Score :
+        CVSS Base Score     : 8.3 (AV:N/AC:M/Au:NR/C:P/I:P/A:C)
+        CVSS Temporal Score : 7.5
+ Risk factor : High";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+ include("smb_nt.inc");
+
+ if(!get_kb_item("SMB/WindowsVersion")){
+        exit(0);
+ }
+
+ zoneVer = registry_get_sz(key:"SOFTWARE\Zone Labs\ZoneAlarm",
+                           item:"CurrentVersion");
+
+ if(egrep(pattern:"^([0-6]\..*|7\.0(\.[0-3]?[0-9]?[0-9]|\.4[0-7]?[0-9]|" +
+		  "\.48[0-3])?|8\.0(\.0?[0-1]?[0-9]|\.020)?)(\.0{1,3})?$",
+          string:zoneVer)){
+      security_warning(0);
+ }
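Review bot: The pattern at L1814-L1816 flags only 7.0.x up to 7.0.483 and 8.0.x up to 8.0.020, while the description states that `8.x and prior` are affected and that no fix exists; either the upper bounds reflect a highest tested build that the description should name, or, if the product is genuinely unpatched, any 8.x version should match. `zoneVer` from L1811 is fed to egrep without a presence check; `if(!zoneVer){ exit(0); }` would match the other SMB-based scripts in this commit. `Risk factor : High` in the description versus `security_warning(0)` at L1817 is the same severity mismatch seen in the Personal FTP Server and Trend Micro scripts.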


