[Openvas-commits] r1448 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Fri Sep 26 07:36:50 CEST 2008


Author: chandra
Date: 2008-09-26 07:36:49 +0200 (Fri, 26 Sep 2008)
New Revision: 1448

Added:
   trunk/openvas-plugins/scripts/secpod_ms_iexplorer_dos_vuln_900131.nasl
   trunk/openvas-plugins/scripts/secpod_nms_dvd_burning_sdk_actvx_vuln_900132.nasl
   trunk/openvas-plugins/scripts/secpod_proftpd_cmd_handling_sec_vuln_900133.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/secpod_office_products_version_900032.nasl
Log:
Added new scripts

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2008-09-25 18:22:17 UTC (rev 1447)
+++ trunk/openvas-plugins/ChangeLog	2008-09-26 05:36:49 UTC (rev 1448)
@@ -1,3 +1,10 @@
+2008-09-26 Chandrashekhar B <bchandra at secpod.com>
+	* scripts/secpod_proftpd_cmd_handling_sec_vuln_900133.nasl,
+	  scripts/secpod_office_products_version_900032.nasl,
+	  scripts/secpod_nms_dvd_burning_sdk_actvx_vuln_900132.nasl,
+	  scripts/secpod_ms_iexplorer_dos_vuln_900131.nasl:
+	  Added new scripts and modified Office product version detection
+
 2008-09-25  Vlatko Kosturjak <kost at linux.hr>
 
 	* scripts/remote-MS00-006.nasl: corrected script id

Added: trunk/openvas-plugins/scripts/secpod_ms_iexplorer_dos_vuln_900131.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms_iexplorer_dos_vuln_900131.nasl	2008-09-25 18:22:17 UTC (rev 1447)
+++ trunk/openvas-plugins/scripts/secpod_ms_iexplorer_dos_vuln_900131.nasl	2008-09-26 05:36:49 UTC (rev 1448)
@@ -0,0 +1,94 @@
+##############################################################################
+#
+#  Microsoft Internet Explorer Denial of Service Vulnerability
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/09/24
+#
+#  Revision: 1.1
+#
+#  Log : ssharath
+#  Issue #0257
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+ script_id(900131);
+ script_bugtraq_id(31215);
+ script_copyright(english:"Copyright (C) 2008 SecPod");
+ script_version("Revision: 1.1 ");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Denial of Service");
+ script_name(english:"Microsoft Internet Explorer Denial of Service Vulnerability");
+ script_summary(english:"Check for the version of Microsoft Internet Explorer");
+ desc["english"] = "
+ Overview : The host has Microsoft Internet Explorer installed, which is prone
+ to denial of service vulnerability.
+
+ Vulnerability Insight :
+        Due to errors while handling PNG files, CDwnTaskExec::ThreadExec enters
+        into an infinite loop while loading images which causes the browser to
+        crash. This can be exploited by enticing victim to visit a malicious 
+        web page embedded with rouge PNG files.
+
+        Impact : Successful exploitation will cause the application to stop
+        responding and denying the service to legitimate users.
+
+ Impact Level : Application
+
+ Affected Software/OS :
+        Microsoft Internet Explorer 7.x and 8 Beta on Windows
+ 
+ Fix : No solution/patch is available as on 24th September, 2008. Information
+ regarding this issue will be updated once the solution details are available.
+
+ References :
+ http://www.secniche.org/ie_mal_png_dos.html
+ http://www.securityfocus.com/archive/1/496483
+
+ CVSS Score :
+        CVSS Base Score     : 7.1 (AV:N/AC:M/Au:NR/C:N/I:N/A:C)
+        CVSS Temporal Score : 6.4
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+ include("smb_nt.inc");
+
+ if(!get_kb_item("SMB/WindowsVersion")){
+        exit(0);
+ }
+
+ iExpVer = registry_get_sz(key:"SOFTWARE\Microsoft\Internet Explorer" ,
+                           item:"Version");
+ if(!iExpVer){
+	iExpVer = registry_get_sz(item:"IE",
+        	  key:"SOFTWARE\Microsoft\Internet Explorer\Version Vector");
+	if(!iExpVer){
+        	exit(0);
+	}
+ }
+
+ # Grep for IE 8 beta version <= 8.0.60001.18241
+ if(ereg(pattern:"^(7\..*|8\.0\.(([0-5]?[0-9]?[0-9]?[0-9]|6000)\..*|6001" +
+              "\.(0?[0-9]?[0-9]?[0-9]?[0-9]|1[0-7][0-9][0-9][0-9]|18[01]" +
+              "[0-9][0-9]|182([0-3][0-9]|4[01]))))($|[^.0-9])", string:iExpVer)){
+        security_warning(0);
+ }
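Review bot: The severity fields in the description block disagree with each other: a CVSS v2 base score of 7.1 sits in the High band, yet the script reports `Risk factor : Medium`, and `Au:NR` is not a valid v2 metric value (the vector should read `AV:N/AC:M/Au:N/C:N/I:N/A:C`), so either the risk factor should be raised or the score corrected so that downstream consumers do not see a contradictory rating. The match itself flags every IE 7.x build unconditionally via the `7\..*` alternative, which is correct while no fix exists but will need tightening once one ships; a comment above the ereg such as `# No fixed 7.x build as of 2008-09-24: every 7.x matches. Narrow this alternative when a patch is released.` records that intent. In the Vulnerability Insight text, `rouge PNG files` should read `rogue PNG files`.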

Added: trunk/openvas-plugins/scripts/secpod_nms_dvd_burning_sdk_actvx_vuln_900132.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_nms_dvd_burning_sdk_actvx_vuln_900132.nasl	2008-09-25 18:22:17 UTC (rev 1447)
+++ trunk/openvas-plugins/scripts/secpod_nms_dvd_burning_sdk_actvx_vuln_900132.nasl	2008-09-26 05:36:49 UTC (rev 1448)
@@ -0,0 +1,134 @@
+##############################################################################
+#
+#  NuMedia Soft DVD Burning SDK Activex Control Remote Code Execution Vulnerability
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/09/25
+#
+#  Revision: 1.1
+#
+#  Log : ssharath
+#  Issue #0272
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+if(description)
+{
+  script_id(900132);
+  script_bugtraq_id(31374);
+  script_copyright(english:"Copyright (C) 2008 SecPod");
+  script_version("Revision: 1.1 ");
+  script_category(ACT_GATHER_INFO);
+  script_family(english:"Misc.");
+  script_name(english:"NuMedia Soft DVD Burning SDK Activex Control Remote Code Execution Vulnerability");
+  script_summary(english:"Check for vulnerable version of CDBurnerXP");
+  desc["english"] = "
+
+  Overview : The host is installed CDBurnerXP, which is prone to ActiveX control
+  based remote code execution vulnerability.
+
+  Vulnerability Insight :
+  The flaw is caused due to an error in validating/sanitizing the input data
+  sent to NMSDVDX.dll file.
+
+  Impact : Exploitation will cause Internet Explorer to restrict the webpage
+  from running scripts and could overwrite files with arbitrary content.
+
+  Impact Level : Application
+
+  Affected Software/OS :
+  CDBurnerXP versions 4.2.1.976 and prior on all platform
+ 
+  Fix : No solution/patch is available as on 24th September, 2008. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates check, http://www.nugroovz.com/Downloads.aspx
+
+  References :
+  http://cdburnerxp.se/en/home
+  http://www.milw0rm.com/exploits/6491
+
+  CVSS Score :
+    CVSS Base Score     : 5.1 (AV:N/AC:H/Au:NR/C:P/I:P/A:P)
+    CVSS Temporal Score : 4.6
+  Risk factor : Medium";
+
+  script_description(english:desc["english"]);
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_keys("SMB/WindowsVersion");
+  exit(0);
+}
+
+include("smb_nt.inc");
+include("secpod_smb_func.inc");
+ 
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
+ 
+cdBurnerXpPath = registry_get_sz(item:"ImagePath",
+                                 key:"SYSTEM\ControlSet001\Services\NMSAccessU");
+if(!cdBurnerXpPath){
+  exit(0);
+}
+
+cdBurnerXpPath = cdBurnerXpPath - "\NMSAccessU.exe" + "\cdbxpp.exe";
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:cdBurnerXpPath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:cdBurnerXpPath);
+
+soc = open_sock_tcp(port);
+if(!soc){
+  exit(0);
+}
+
+r = smb_session_request(soc:soc, remote:name);
+if(!r){
+   close(soc);
+   exit(0);
+}
+
+prot = smb_neg_prot(soc:soc);
+if(!prot){
+  close(soc);
+  exit(0);
+}
+
+r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain,
+                      prot:prot);
+if(!r){
+  close(soc);
+  exit(0);
+}
+
+uid = session_extract_uid(reply:r);
+r = smb_tconx(soc:soc, name:name, uid:uid, share:share);
+
+tid = tconx_extract_tid(reply:r);
+if(!tid){
+  close(soc);
+  exit(0);
+}
+
+fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
+if(!fid){
+  close(soc);
+  exit(0);
+}
+
+cdBurnerXpVer = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid, verstr:"prod");
+close(soc);
+ 
+# grep for versions 4.2.1.976 and prior
+if(egrep(pattern:"^([0-3]\..*|4\.([01](\..*)?|2\.(0(\..*)?|1\.([0-8]?[0-9]?" +
+		 "[0-9]|9[0-6][0-9]|97[0-6]))))$", string:cdBurnerXpVer)){
+  security_warning(0);
+}
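Review bot: `port`, `name`, `login`, `pass` and `domain` are passed to `open_sock_tcp(port)`, `smb_session_request` and `smb_session_setup` but are never assigned anywhere in this script; unless secpod_smb_func.inc exports them as globals, they are NULL, `open_sock_tcp` fails and the check exits silently on every host, so a vulnerable CDBurnerXP is never reported. The smb_nt.inc KB accessors (assuming this tree's smb_nt.inc provides the conventional `kb_smb_*` helpers) should populate them before the socket is opened, as below. Two further points: the ImagePath is read from `SYSTEM\ControlSet001\Services\NMSAccessU`, which is not necessarily the control set Windows booted from, so `SYSTEM\CurrentControlSet\Services\NMSAccessU` is the dependable key; and if the value is stored quoted, as service paths containing spaces often are, the `([A-Z]):.*` rewrite leaves the leading quote in `share`, so quotes should be stripped before the share/file split.
```nasl
# … unchanged: SMB/WindowsVersion gate …

port = kb_smb_transport();
if(!port){
  port = 139;
}
name = kb_smb_name();
if(!name){
  exit(0);
}
login  = kb_smb_login();
pass   = kb_smb_password();
domain = kb_smb_domain();

cdBurnerXpPath = registry_get_sz(item:"ImagePath",
                                 key:"SYSTEM\CurrentControlSet\Services\NMSAccessU");
if(!cdBurnerXpPath){
  exit(0);
}
# Service paths with spaces are commonly stored quoted; drop the quotes
# before deriving share and file from the drive letter.
cdBurnerXpPath = ereg_replace(pattern:'"', replace:"", string:cdBurnerXpPath);

# … unchanged: NMSAccessU.exe -> cdbxpp.exe rewrite, share/file split, SMB session, GetVersion, version regex …
```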

Modified: trunk/openvas-plugins/scripts/secpod_office_products_version_900032.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_office_products_version_900032.nasl	2008-09-25 18:22:17 UTC (rev 1447)
+++ trunk/openvas-plugins/scripts/secpod_office_products_version_900032.nasl	2008-09-26 05:36:49 UTC (rev 1448)
@@ -37,7 +37,7 @@
 
  Risk factor : Informational";
  script_description(english:desc["english"]);
- script_dependencies("secpod_reg_enum.nasl");
+ script_dependencies("secpod_reg_enum.nasl", "secpod_ms_office_detection_900025.nasl");
  script_require_keys("SMB/WindowsVersion");
  exit(0);
 }
@@ -107,6 +107,10 @@
  	return(v);
  }
 
+ if(!get_kb_item("MS/Office/Ver")){
+        exit(0);
+ }
+
  wordFile = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion" +
 			         "\App Paths\Winword.exe", item:"Path");
  if(wordFile)
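Review bot: The new `MS/Office/Ver` gate is expressed as a runtime `exit(0)` rather than as a scheduling requirement; declaring it in the description block, `script_require_keys("SMB/WindowsVersion", "MS/Office/Ver");`, lets the scanner skip the script outright on hosts where secpod_ms_office_detection_900025.nasl found no Office, and makes the newly added dependency self-describing. If the key can legitimately be absent while the App Paths lookups that follow still apply (an Office component detected by another route), keep the runtime guard but say so in a comment above it, e.g. `# Bail out early: nothing below is meaningful unless Office was detected.` The script body this hunk belongs to starts and ends outside the hunk.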

Added: trunk/openvas-plugins/scripts/secpod_proftpd_cmd_handling_sec_vuln_900133.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_proftpd_cmd_handling_sec_vuln_900133.nasl	2008-09-25 18:22:17 UTC (rev 1447)
+++ trunk/openvas-plugins/scripts/secpod_proftpd_cmd_handling_sec_vuln_900133.nasl	2008-09-26 05:36:49 UTC (rev 1448)
@@ -0,0 +1,98 @@
+##############################################################################
+#
+#  ProFTPD Long Command Handling Security Vulnerability
+#
+#  Copyright: SecPod
+#
+#  Date Written: 2008/09/25
+#
+#  Revision: 1.1
+#
+#  Log : ssharath
+#  Issue #0278
+#  ------------------------------------------------------------------------
+#  This program was written by SecPod and is licensed under the GNU GPL 
+#  license. Please refer to the below link for details,
+#  http://www.gnu.org/licenses/gpl.html
+#  This header contains information regarding licensing terms under the GPL, 
+#  and information regarding obtaining source code from the Author. 
+#  Consequently, pursuant to section 3(c) of the GPL, you must accompany the 
+#  information found in this header with any distribution you make of this 
+#  Program.
+#  ------------------------------------------------------------------------
+##############################################################################
+
+
+if(description)
+{
+  script_id(900133);
+  script_bugtraq_id(31289);
+  script_copyright(english:"Copyright (C) 2008 SecPod");
+  script_version("Revision: 1.1 ");
+  script_category(ACT_GATHER_INFO);
+  script_family(english:"CGI abuses");
+  script_name(english:"ProFTPD Long Command Handling Security Vulnerability");
+  script_summary(english:"Check for vulnerable version of ProFTPD Project");
+  desc["english"] = "
+  Overview : The host is running ProFTPD Server, which is prone to cross-site 
+  request forgery vulnerability.
+
+  Vulnerability Insight :
+  The flaw exists due to the application truncating an overly long FTP command,
+  and improperly interpreting the remainder string as a new FTP command.
+
+  Impact : This can be exploited to execute arbitrary FTP commands on another
+  user's session privileges.
+
+  Impact Level : Application
+
+  Affected Software/OS :
+  ProFTPD Project versions 1.2.x on Linux
+  ProFTPD Project versions 1.3.x on Linux
+ 
+  Fix : Fixed is available in the SVN repository,
+  http://www.proftpd.org/cvs.html
+
+  *****
+  NOTE : Ignore this warning, if above mentioned fix is applied already.
+  *****
+
+  References :
+  http://secunia.com/advisories/31930/
+  http://bugs.proftpd.org/show_bug.cgi?id=3115
+
+  CVSS Score :
+    CVSS Base Score     : 5.5 (AV:N/AC:L/Au:SI/C:P/I:P/A:N)
+    CVSS Temporal Score : 4.3
+  Risk factor : Medium";
+
+  script_description(english:desc["english"]);
+  script_dependencies("gather-package-list.nasl","find_service.nes");
+  script_require_keys("ssh/login/uname");
+  exit(0);
+}
+
+include("ftp_func.inc");
+
+port = get_kb_item("Services/ftp");
+if(!port){
+  port = 21;
+}
+
+if(!get_port_state(port)){
+  exit(0);
+}
+
+if("Linux" >!< get_kb_item("ssh/login/uname")){
+  exit(0);
+}
+
+banner = get_ftp_banner(port:port);
+if("ProFTPD" >!< banner){
+  exit(0);
+}
+ 
+if(egrep(pattern:"ProFTPD 1\.(2(\..*)?|3(\.0|\.1(rc[0-3])?[^rc])?)[^.0-9]",
+         string:banner)){
+  security_warning(port);
+}
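Review bot: The check is gated on `script_require_keys("ssh/login/uname")` and `"Linux" >!< get_kb_item("ssh/login/uname")`, yet the test itself is a remote FTP banner match, so a ProFTPD server on a host without credentialed SSH access, or on a non-Linux OS, is silently skipped even though the truncated-command bug is in the server, not the platform. Unless the intent really is to restrict this to credentialed Linux hosts, replace the ssh dependency and gate with `script_dependencies("find_service.nes");` plus `script_require_ports("Services/ftp", 21);` and drop the uname comparison. The family `CGI abuses` does not describe an FTP server check; `FTP` is the conventional family. The banner regex also demands a character after the version (`[^rc]` and then `[^.0-9]`), so a banner ending exactly in `ProFTPD 1.3.1` or `ProFTPD 1.3.0` is not flagged; closing the pattern with `([^.0-9]|$)` instead of `[^.0-9]` covers that case without admitting 1.3.2.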


