[Openvas-commits] r1448 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Fri Sep 26 07:36:50 CEST 2008
Author: chandra
Date: 2008-09-26 07:36:49 +0200 (Fri, 26 Sep 2008)
New Revision: 1448
Added:
trunk/openvas-plugins/scripts/secpod_ms_iexplorer_dos_vuln_900131.nasl
trunk/openvas-plugins/scripts/secpod_nms_dvd_burning_sdk_actvx_vuln_900132.nasl
trunk/openvas-plugins/scripts/secpod_proftpd_cmd_handling_sec_vuln_900133.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/secpod_office_products_version_900032.nasl
Log:
Added new scripts
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2008-09-25 18:22:17 UTC (rev 1447)
+++ trunk/openvas-plugins/ChangeLog 2008-09-26 05:36:49 UTC (rev 1448)
@@ -1,3 +1,10 @@
+2008-09-26 Chandrashekhar B <bchandra at secpod.com>
+ * scripts/secpod_proftpd_cmd_handling_sec_vuln_900133.nasl,
+ scripts/secpod_office_products_version_900032.nasl,
+ scripts/secpod_nms_dvd_burning_sdk_actvx_vuln_900132.nasl,
+ scripts/secpod_ms_iexplorer_dos_vuln_900131.nasl:
+ Added new scripts and modified Office product version detection
+
2008-09-25 Vlatko Kosturjak <kost at linux.hr>
* scripts/remote-MS00-006.nasl: corrected script id
Added: trunk/openvas-plugins/scripts/secpod_ms_iexplorer_dos_vuln_900131.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms_iexplorer_dos_vuln_900131.nasl 2008-09-25 18:22:17 UTC (rev 1447)
+++ trunk/openvas-plugins/scripts/secpod_ms_iexplorer_dos_vuln_900131.nasl 2008-09-26 05:36:49 UTC (rev 1448)
@@ -0,0 +1,94 @@
+##############################################################################
+#
+# Microsoft Internet Explorer Denial of Service Vulnerability
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/09/24
+#
+# Revision: 1.1
+#
+# Log : ssharath
+# Issue #0257
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900131);
+ script_bugtraq_id(31215);
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Denial of Service");
+ script_name(english:"Microsoft Internet Explorer Denial of Service Vulnerability");
+ script_summary(english:"Check for the version of Microsoft Internet Explorer");
+ desc["english"] = "
+ Overview : The host has Microsoft Internet Explorer installed, which is prone
+ to denial of service vulnerability.
+
+ Vulnerability Insight :
+ Due to errors while handling PNG files, CDwnTaskExec::ThreadExec enters
+ into an infinite loop while loading images which causes the browser to
+ crash. This can be exploited by enticing victim to visit a malicious
+ web page embedded with rouge PNG files.
+
+ Impact : Successful exploitation will cause the application to stop
+ responding and denying the service to legitimate users.
+
+ Impact Level : Application
+
+ Affected Software/OS :
+ Microsoft Internet Explorer 7.x and 8 Beta on Windows
+
+ Fix : No solution/patch is available as on 24th September, 2008. Information
+ regarding this issue will be updated once the solution details are available.
+
+ References :
+ http://www.secniche.org/ie_mal_png_dos.html
+ http://www.securityfocus.com/archive/1/496483
+
+ CVSS Score :
+ CVSS Base Score : 7.1 (AV:N/AC:M/Au:NR/C:N/I:N/A:C)
+ CVSS Temporal Score : 6.4
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+ include("smb_nt.inc");
+
+ if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+ }
+
+ iExpVer = registry_get_sz(key:"SOFTWARE\Microsoft\Internet Explorer" ,
+ item:"Version");
+ if(!iExpVer){
+ iExpVer = registry_get_sz(item:"IE",
+ key:"SOFTWARE\Microsoft\Internet Explorer\Version Vector");
+ if(!iExpVer){
+ exit(0);
+ }
+ }
+
+ # Grep for IE 8 beta version <= 8.0.60001.18241
+ if(ereg(pattern:"^(7\..*|8\.0\.(([0-5]?[0-9]?[0-9]?[0-9]|6000)\..*|6001" +
+ "\.(0?[0-9]?[0-9]?[0-9]?[0-9]|1[0-7][0-9][0-9][0-9]|18[01]" +
+ "[0-9][0-9]|182([0-3][0-9]|4[01]))))($|[^.0-9])", string:iExpVer)){
+ security_warning(0);
+ }
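Review bot: The comment on the version check, `# Grep for IE 8 beta version <= 8.0.60001.18241`, does not match the pattern below it, which alternates on `6001\.` (four digits) and also flags every 7.x build; it should read `# Grep for IE 7.x and IE 8 beta versions <= 8.0.6001.18241`. The executable part of the script (from `include("smb_nt.inc")` onward) is indented by one stray leading space, unlike the other two new scripts, and `script_version("Revision: 1.1 ")` carries a trailing space in this file and in the 900132 and 900133 scripts. The description text also reads "rouge PNG files" where "rogue" is meant.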
Added: trunk/openvas-plugins/scripts/secpod_nms_dvd_burning_sdk_actvx_vuln_900132.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_nms_dvd_burning_sdk_actvx_vuln_900132.nasl 2008-09-25 18:22:17 UTC (rev 1447)
+++ trunk/openvas-plugins/scripts/secpod_nms_dvd_burning_sdk_actvx_vuln_900132.nasl 2008-09-26 05:36:49 UTC (rev 1448)
@@ -0,0 +1,134 @@
+##############################################################################
+#
+# NuMedia Soft DVD Burning SDK Activex Control Remote Code Execution Vulnerability
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/09/25
+#
+# Revision: 1.1
+#
+# Log : ssharath
+# Issue #0272
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+##############################################################################
+
+if(description)
+{
+ script_id(900132);
+ script_bugtraq_id(31374);
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Misc.");
+ script_name(english:"NuMedia Soft DVD Burning SDK Activex Control Remote Code Execution Vulnerability");
+ script_summary(english:"Check for vulnerable version of CDBurnerXP");
+ desc["english"] = "
+
+ Overview : The host is installed CDBurnerXP, which is prone to ActiveX control
+ based remote code execution vulnerability.
+
+ Vulnerability Insight :
+ The flaw is caused due to an error in validating/sanitizing the input data
+ sent to NMSDVDX.dll file.
+
+ Impact : Exploitation will cause Internet Explorer to restrict the webpage
+ from running scripts and could overwrite files with arbitrary content.
+
+ Impact Level : Application
+
+ Affected Software/OS :
+ CDBurnerXP versions 4.2.1.976 and prior on all platform
+
+ Fix : No solution/patch is available as on 24th September, 2008. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates check, http://www.nugroovz.com/Downloads.aspx
+
+ References :
+ http://cdburnerxp.se/en/home
+ http://www.milw0rm.com/exploits/6491
+
+ CVSS Score :
+ CVSS Base Score : 5.1 (AV:N/AC:H/Au:NR/C:P/I:P/A:P)
+ CVSS Temporal Score : 4.6
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+include("smb_nt.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+}
+
+cdBurnerXpPath = registry_get_sz(item:"ImagePath",
+ key:"SYSTEM\ControlSet001\Services\NMSAccessU");
+if(!cdBurnerXpPath){
+ exit(0);
+}
+
+cdBurnerXpPath = cdBurnerXpPath - "\NMSAccessU.exe" + "\cdbxpp.exe";
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:cdBurnerXpPath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:cdBurnerXpPath);
+
+soc = open_sock_tcp(port);
+if(!soc){
+ exit(0);
+}
+
+r = smb_session_request(soc:soc, remote:name);
+if(!r){
+ close(soc);
+ exit(0);
+}
+
+prot = smb_neg_prot(soc:soc);
+if(!prot){
+ close(soc);
+ exit(0);
+}
+
+r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain,
+ prot:prot);
+if(!r){
+ close(soc);
+ exit(0);
+}
+
+uid = session_extract_uid(reply:r);
+r = smb_tconx(soc:soc, name:name, uid:uid, share:share);
+
+tid = tconx_extract_tid(reply:r);
+if(!tid){
+ close(soc);
+ exit(0);
+}
+
+fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
+if(!fid){
+ close(soc);
+ exit(0);
+}
+
+cdBurnerXpVer = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid, verstr:"prod");
+close(soc);
+
+# grep for versions 4.2.1.976 and prior
+if(egrep(pattern:"^([0-3]\..*|4\.([01](\..*)?|2\.(0(\..*)?|1\.([0-8]?[0-9]?" +
+ "[0-9]|9[0-6][0-9]|97[0-6]))))$", string:cdBurnerXpVer)){
+ security_warning(0);
+}
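Review bot: `port`, `name`, `login`, `pass` and `domain` are read in `open_sock_tcp(port)`, `smb_session_request(... remote:name)` and `smb_session_setup(... login:login, password:pass, domain:domain ...)` but are never assigned anywhere in this file, so the socket open fails (or the session setup is attempted with empty credentials) and the check exits without ever reaching the version comparison. The SMB scripts in this tree obtain them from the `kb_smb_*` helpers in `smb_nt.inc`, which this script already includes; the values below should be set before the `open_sock_tcp` call. Separately, the `share`/`file` extraction uses `[A-Z]` only, so an ImagePath with a lower-case drive letter leaves `share` unset — presumably rare, but worth a comment.
```nasl
# SMB transport and credentials come from the KB, as in the other SMB checks
port = kb_smb_transport();
if(!port){
  port = 139;
}
name = kb_smb_name();
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();

soc = open_sock_tcp(port);
# … unchanged: session request, negotiation, setup, tconx, OpenAndX, GetVersion …
```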
Modified: trunk/openvas-plugins/scripts/secpod_office_products_version_900032.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_office_products_version_900032.nasl 2008-09-25 18:22:17 UTC (rev 1447)
+++ trunk/openvas-plugins/scripts/secpod_office_products_version_900032.nasl 2008-09-26 05:36:49 UTC (rev 1448)
@@ -37,7 +37,7 @@
Risk factor : Informational";
script_description(english:desc["english"]);
- script_dependencies("secpod_reg_enum.nasl");
+ script_dependencies("secpod_reg_enum.nasl", "secpod_ms_office_detection_900025.nasl");
script_require_keys("SMB/WindowsVersion");
exit(0);
}
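Review bot: The new dependency on `secpod_ms_office_detection_900025.nasl` is paired in the second hunk with a hard `exit(0)` when `MS/Office/Ver` is absent, but the key is not added to `script_require_keys`, so the scanner still schedules this script on hosts where the detection found nothing and it exits only after loading; `script_require_keys("SMB/WindowsVersion", "MS/Office/Ver");` expresses the requirement where the scheduler can use it. The enclosing `if(description)` block starts outside this hunk, and the guard added in the second hunk sits at top level after a function that also begins outside its hunk.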
@@ -107,6 +107,10 @@
return(v);
}
+ if(!get_kb_item("MS/Office/Ver")){
+ exit(0);
+ }
+
wordFile = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion" +
"\App Paths\Winword.exe", item:"Path");
if(wordFile)
Added: trunk/openvas-plugins/scripts/secpod_proftpd_cmd_handling_sec_vuln_900133.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_proftpd_cmd_handling_sec_vuln_900133.nasl 2008-09-25 18:22:17 UTC (rev 1447)
+++ trunk/openvas-plugins/scripts/secpod_proftpd_cmd_handling_sec_vuln_900133.nasl 2008-09-26 05:36:49 UTC (rev 1448)
@@ -0,0 +1,98 @@
+##############################################################################
+#
+# ProFTPD Long Command Handling Security Vulnerability
+#
+# Copyright: SecPod
+#
+# Date Written: 2008/09/25
+#
+# Revision: 1.1
+#
+# Log : ssharath
+# Issue #0278
+# ------------------------------------------------------------------------
+# This program was written by SecPod and is licensed under the GNU GPL
+# license. Please refer to the below link for details,
+# http://www.gnu.org/licenses/gpl.html
+# This header contains information regarding licensing terms under the GPL,
+# and information regarding obtaining source code from the Author.
+# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
+# information found in this header with any distribution you make of this
+# Program.
+# ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900133);
+ script_bugtraq_id(31289);
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"CGI abuses");
+ script_name(english:"ProFTPD Long Command Handling Security Vulnerability");
+ script_summary(english:"Check for vulnerable version of ProFTPD Project");
+ desc["english"] = "
+ Overview : The host is running ProFTPD Server, which is prone to cross-site
+ request forgery vulnerability.
+
+ Vulnerability Insight :
+ The flaw exists due to the application truncating an overly long FTP command,
+ and improperly interpreting the remainder string as a new FTP command.
+
+ Impact : This can be exploited to execute arbitrary FTP commands on another
+ user's session privileges.
+
+ Impact Level : Application
+
+ Affected Software/OS :
+ ProFTPD Project versions 1.2.x on Linux
+ ProFTPD Project versions 1.3.x on Linux
+
+ Fix : Fixed is available in the SVN repository,
+ http://www.proftpd.org/cvs.html
+
+ *****
+ NOTE : Ignore this warning, if above mentioned fix is applied already.
+ *****
+
+ References :
+ http://secunia.com/advisories/31930/
+ http://bugs.proftpd.org/show_bug.cgi?id=3115
+
+ CVSS Score :
+ CVSS Base Score : 5.5 (AV:N/AC:L/Au:SI/C:P/I:P/A:N)
+ CVSS Temporal Score : 4.3
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_dependencies("gather-package-list.nasl","find_service.nes");
+ script_require_keys("ssh/login/uname");
+ exit(0);
+}
+
+include("ftp_func.inc");
+
+port = get_kb_item("Services/ftp");
+if(!port){
+ port = 21;
+}
+
+if(!get_port_state(port)){
+ exit(0);
+}
+
+if("Linux" >!< get_kb_item("ssh/login/uname")){
+ exit(0);
+}
+
+banner = get_ftp_banner(port:port);
+if("ProFTPD" >!< banner){
+ exit(0);
+}
+
+if(egrep(pattern:"ProFTPD 1\.(2(\..*)?|3(\.0|\.1(rc[0-3])?[^rc])?)[^.0-9]",
+ string:banner)){
+ security_warning(port);
+}
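Review bot: The version pattern has no comment stating which releases it is meant to flag, unlike the other two new scripts, and its `1.3.1` branch is hard to read: `\.1(rc[0-3])?[^rc]` consumes one character after the version and the trailing `[^.0-9]` then demands a second, so the intent (1.2.x, 1.3.0 and 1.3.1 up to rc3) should be written down, e.g. `# Flag ProFTPD 1.2.x, 1.3.0 and 1.3.1 (incl. rc0-rc3); 1.3.2 pre-releases are not covered`. Whether 1.3.2 pre-releases are affected is not stated on this page and would need confirming against bug 3115. The check is a pure banner match yet it requires `ssh/login/uname` and exits unless that contains "Linux", so hosts without SSH credentials are never evaluated — deliberate given the Affected list, but worth a one-line comment above the `>!<` test. The description text "Fixed is available in the SVN repository" should read "A fix is available".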