[Openvas-commits] r6063 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Fri Dec 4 14:18:02 CET 2009
Author: chandra
Date: 2009-12-04 14:17:59 +0100 (Fri, 04 Dec 2009)
New Revision: 6063
Added:
trunk/openvas-plugins/scripts/gb_ms_ie_style_object_remote_code_exec_vuln.nasl
trunk/openvas-plugins/scripts/gb_mysql_auth_bypass_vuln.nasl
trunk/openvas-plugins/scripts/gb_mysql_auth_bypass_vuln_lin.nasl
trunk/openvas-plugins/scripts/gb_mysql_dos_n_spoofing_vuln.nasl
trunk/openvas-plugins/scripts/gb_php_mult_vuln_dec09.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/cve_current.txt
Log:
released
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2009-12-04 11:32:23 UTC (rev 6062)
+++ trunk/openvas-plugins/ChangeLog 2009-12-04 13:17:59 UTC (rev 6063)
@@ -1,3 +1,12 @@
+2009-12-04 Chandrashekhar B <bchandra at secpod.com>
+
+ * scripts/gb_ms_ie_style_object_remote_code_exec_vuln.nasl,
+ scripts/gb_mysql_dos_n_spoofing_vuln.nasl,
+ scripts/gb_mysql_auth_bypass_vuln_lin.nasl,
+ scripts/gb_php_mult_vuln_dec09.nasl,
+ scripts/gb_mysql_auth_bypass_vuln.nasl:
+ Added new plugins.
+
2009-12-03 Thomas Reinke <reinke at securityspace.com>
* scripts/deb_1939_1.nasl,
Modified: trunk/openvas-plugins/cve_current.txt
===================================================================
--- trunk/openvas-plugins/cve_current.txt 2009-12-04 11:32:23 UTC (rev 6062)
+++ trunk/openvas-plugins/cve_current.txt 2009-12-04 13:17:59 UTC (rev 6063)
@@ -330,3 +330,10 @@
37180 Greenbone svn R
33698 Greenbone svn R
37185 Greenbone svn R
+CVE-2009-4019 SecPod svn R
+CVE-2008-7247 SecPod svn R
+CVE-2009-4030 SecPod svn R
+CVE-2009-4028 SecPod svn R
+CVE-2009-4018 SecPod svn R
+CVE-2009-2626 SecPod svn R
+CVE-2009-3672 SecPod svn L
Added: trunk/openvas-plugins/scripts/gb_ms_ie_style_object_remote_code_exec_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ms_ie_style_object_remote_code_exec_vuln.nasl 2009-12-04 11:32:23 UTC (rev 6062)
+++ trunk/openvas-plugins/scripts/gb_ms_ie_style_object_remote_code_exec_vuln.nasl 2009-12-04 13:17:59 UTC (rev 6063)
@@ -0,0 +1,83 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_ms_ie_style_object_remote_code_exe_vuln.nasl 6031 2009-12-03 11:17:55Z dec $
+#
+# MS Internet Explorer 'Style' Object Remote Code Execution Vulnerability
+#
+# Authors:
+# Sujit Ghosal <sghosal at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it undr the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(800727);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2009-3672");
+ script_bugtraq_id(37085);
+ script_name("MS Internet Explorer 'Style' Object Remote Code Execution Vulnerability");
+ desc = "
+ Overview: This host has Microsoft Internet Explorer installed and is prone to
+ Remote Code Execution Vulnerability.
+
+ Vulnerability Insight:
+ This flaw is caused due to CSS information inside HTML rendering engine,
+ inside mshtml.dll library file. Malicious use of 'outerHTML' property
+ causes the remote browser to spray the heap memory allocated area.
+
+ Impact:
+ Successful attack could allow malicious people to execute arbitrary code in the
+ context of the user running the application or compromise the application and
+ possibly the system. failed attacks may cause denial-of-service condition.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ Microsoft Internet Explorer 6.x and 7.x
+
+ Fix:
+ No solution or patch is available as on 04th December, 2009. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.microsoft.com/technet/security/advisory/977981.mspx
+
+ References:
+ http://www.securityfocus.com/archive/1/archive/1/507984/100/0/threaded
+ http://www.symantec.com/connect/blogs/zero-day-internet-explorer-exploit-published
+
+ CVSS Score:
+ CVSS Base Score : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
+ CVSS Temporal Score : 8.4
+ Risk factor: Critical";
+
+ script_description(desc);
+ script_summary("Check for the version of Microsoft Internet Explorer");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2009 Greenbone Networks GmbH");
+ script_family("General");
+ script_dependencies("gb_ms_ie_detect.nasl");
+ script_require_keys("MS/IE/Version");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+ieVer = get_kb_item("MS/IE/Version");
+if(ieVer =~ "^(6|7)\..*"){
+ security_hole(0);
+}
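Review bot: The check at the end of the file calls `security_hole(0)` for every host whose `MS/IE/Version` starts with 6 or 7, so it will keep firing after a vendor fix is installed, because the IE major version does not change when a patch is applied. The description says no patch existed on 4 December 2009, so a comment such as `# Version-only check: revisit once a fix is released and compare the mshtml.dll file version instead` would make the limitation explicit. `include("version_func.inc")` is not used by the visible code and can be dropped. The `$Id` line names `gb_ms_ie_style_object_remote_code_exe_vuln.nasl`, which does not match the file name being added.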
Property changes on: trunk/openvas-plugins/scripts/gb_ms_ie_style_object_remote_code_exec_vuln.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/gb_mysql_auth_bypass_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_mysql_auth_bypass_vuln.nasl 2009-12-04 11:32:23 UTC (rev 6062)
+++ trunk/openvas-plugins/scripts/gb_mysql_auth_bypass_vuln.nasl 2009-12-04 13:17:59 UTC (rev 6063)
@@ -0,0 +1,97 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_mysql_auth_bypass_vuln.nasl 5988 2009-12-03 25:29:17Z dec $
+#
+# MySQL Authenticated Access Restrictions Bypass Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(801066);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2009-4030");
+ script_name("MySQL Authenticated Access Restrictions Bypass Vulnerability");
+ desc = "
+ Overview: The host is running MySQL and is prone to Access restrictions Bypass
+ Vulnerability
+
+ Vulnerability Insight:
+ The flaw is due to an error while calling CREATE TABLE on a MyISAM table with modified
+ DATA DIRECTORY or INDEX DIRECTORY.
+
+ Impact:
+ Successful exploitation could allow users to bypass intended access restrictions
+ by calling CREATE TABLE with DATA DIRECTORY or INDEX DIRECTORY argument referring
+ to a subdirectory.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ MySQL 5.1.x before 5.1.41 on all running platform.
+
+ Fix: Upgrade to MySQL version 5.1.41
+ For Updates Refer, http://dev.mysql.com/downloads
+
+ References:
+ http://bugs.mysql.com/bug.php?id=32167
+ http://dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html
+
+ CVSS Score:
+ CVSS Base Score : 4.4 (AV:L/AC:M/Au:NR/C:P/I:P/A:P)
+ CVSS Temporal Score : 3.2
+ Risk factor: Medium";
+
+ script_description(desc);
+ script_summary("Check for the version of MySQL");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2009 Greenbone Networks GmbH");
+ script_family("Denial of Service");
+ script_dependencies("mysql_version.nasl");
+ script_require_ports("Services/mysql", 3306);
+ exit(0);
+}
+
+
+include("misc_func.inc");
+include("version_func.inc");
+
+sqlPort = get_kb_item("Services/mysql");
+if(!sqlPort){
+ sqlPort = 3306;
+}
+
+if(!get_port_state(sqlPort)){
+ exit(0);
+}
+
+mysqlVer = get_mysql_version(port:sqlPort);
+if(!isnull(mysqlVer))
+{
+ mysqlVer = eregmatch(pattern:"([0-9.a-z]+)", string:mysqlVer);
+ if(!isnull(mysqlVer[1]))
+ {
+ if(version_in_range(version:mysqlVer[1], test_version:"5.1",test_version2:"5.1.40")){
+ security_warning(sqlPort);
+ }
+ }
+}
+
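Review bot: `script_family("Denial of Service")` does not match what this plugin reports, an access-restriction bypass; a product family such as `script_family("Databases");` would file it where operators look for MySQL findings, and gb_mysql_auth_bypass_vuln_lin.nasl in this commit has the same mismatch. The `eregmatch` pattern `([0-9.a-z]+)` is unanchored and accepts lowercase letters, so if `get_mysql_version()` ever returns text before the number, the first capture could be a word rather than a version. Anchoring it, e.g. `pattern:"^([0-9]+\.[0-9]+\.[0-9]+[a-z]*)"`, would be safer; the same pattern appears in gb_mysql_auth_bypass_vuln_lin.nasl and gb_mysql_dos_n_spoofing_vuln.nasl. The result rests on the advertised version only, so builds with a backported fix will still be reported, which is worth stating in the description.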
Property changes on: trunk/openvas-plugins/scripts/gb_mysql_auth_bypass_vuln.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/gb_mysql_auth_bypass_vuln_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_mysql_auth_bypass_vuln_lin.nasl 2009-12-04 11:32:23 UTC (rev 6062)
+++ trunk/openvas-plugins/scripts/gb_mysql_auth_bypass_vuln_lin.nasl 2009-12-04 13:17:59 UTC (rev 6063)
@@ -0,0 +1,107 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_mysql_auth_bypass_vuln_lin.nasl 5988 2009-12-03 23:29:17Z dec $
+#
+# MySQL Authenticated Access Restrictions Bypass Vulnerability (Linux)
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(801065);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2008-7247");
+ script_name("MySQL Authenticated Access Restrictions Bypass Vulnerability (Linux)");
+ desc = "
+ Overview: The host is running MySQL and is prone to Access Restrictions Bypass
+ Vulnerability
+
+ Vulnerability Insight:
+ The flaw is due to an error in 'sql/sql_table.cc', when the data home directory
+ contains a symlink to a different filesystem.
+
+ Impact:
+ Successful exploitation could allow users to bypass intended access restrictions
+ by calling CREATE TABLE with DATA DIRECTORY or INDEX DIRECTORY argument referring
+ to a subdirectory.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ MySQL 5.0.x before 5.0.88, 5.1.x before 5.1.41, 6.0 before 6.0.9-alpha
+
+ Fix: Upgrade to MySQL version 5.0.88 or 5.1.41 or 6.0.9-alpha
+ For Updates Refer, http://dev.mysql.com/downloads
+
+ References:
+ http://lists.mysql.com/commits/59711
+ http://bugs.mysql.com/bug.php?id=39277
+ http://marc.info/?l=oss-security&m=125908040022018&w=2
+
+ CVSS Score:
+ CVSS Base Score : 6.0 (AV:N/AC:M/Au:SI/C:P/I:P/A:P)
+ CVSS Temporal Score : 4.4
+ Risk factor: Medium";
+
+ script_description(desc);
+ script_summary("Check for the version of MySQL");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2009 Greenbone Networks GmbH");
+ script_family("Denial of Service");
+ script_dependencies("mysql_version.nasl");
+ script_require_ports("Services/mysql", 3306);
+ exit(0);
+}
+
+
+include("misc_func.inc");
+include("version_func.inc");
+
+sqlPort = get_kb_item("Services/mysql");
+if(!sqlPort){
+ sqlPort = 3306;
+}
+
+if(!get_port_state(sqlPort)){
+ exit(0);
+}
+
+mysqlVer = get_mysql_version(port:sqlPort);
+if(isnull(mysqlVer)){
+ exit(0);
+}
+
+mysqlVer = eregmatch(pattern:"([0-9.a-z]+)", string:mysqlVer);
+if(isnull(mysqlVer[1])){
+ exit(0);
+}
+
+if(version_in_range(version:mysqlVer[1], test_version:"5.0",test_version2:"5.0.87") ||
+ version_in_range(version:mysqlVer[1], test_version:"5.1",test_version2:"5.1.40")){
+ security_warning(sqlPort);
+}
+
+else if(mysqlVer[1] =~ "^6\.")
+{
+ if(version_is_less(version:mysqlVer[1],test_version:"6.0.9a")){
+ security_warning(sqlPort);
+ }
+}
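Review bot: The 6.x branch compares against `"6.0.9a"`, but the `eregmatch` pattern above stops at the hyphen, so a fixed `6.0.9-alpha` server is reduced to `6.0.9` and, depending on how `version_is_less()` orders a trailing letter (not visible here), may be reported as vulnerable. Comparing against the numeric part avoids that: `if(version_is_less(version:mysqlVer[1], test_version:"6.0.9")){`. The name says "(Linux)" but nothing in the visible code checks the operating system, so the plugin fires on any platform; either add an OS check or drop the suffix. The Impact paragraph is identical to the one in gb_mysql_auth_bypass_vuln.nasl and does not describe the symlink condition given under Vulnerability Insight.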
Property changes on: trunk/openvas-plugins/scripts/gb_mysql_auth_bypass_vuln_lin.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/gb_mysql_dos_n_spoofing_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_mysql_dos_n_spoofing_vuln.nasl 2009-12-04 11:32:23 UTC (rev 6062)
+++ trunk/openvas-plugins/scripts/gb_mysql_dos_n_spoofing_vuln.nasl 2009-12-04 13:17:59 UTC (rev 6063)
@@ -0,0 +1,104 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_mysql_dos_n_spoofing_vuln.nasl 5988 2009-12-03 21:29:17Z dec $
+#
+# MySQL Denial Of Service and Spoofing Vulnerabilities
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(801064);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2009-4019","CVE-2009-4028");
+ script_name("MySQL Denial Of Service and Spoofing Vulnerabilities");
+ desc = "
+ Overview: The host is running MySQL and is prone to Denial Of Service
+ and Spoofing Vulnerabilities
+
+ Vulnerability Insight:
+ The flaws are due to:
+ - mysqld does not properly handle errors during execution of certain SELECT
+ statements with subqueries, and does not preserve certain null_value flags
+ during execution of statements that use the 'GeomFromWKB()' function.
+ - An error in 'vio_verify_callback()' function in 'viosslfactories.c', when
+ OpenSSL is used, accepts a value of zero for the depth of X.509 certificates.
+
+ Impact:
+ Successful exploitation could allow users to cause a Denial of Service and
+ man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via
+ a crafted certificate.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41 on all running platform.
+
+ Fix: Upgrade to MySQL version 5.0.88 or 5.1.41
+ For Updates Refer, http://dev.mysql.com/downloads
+
+ References:
+ http://bugs.mysql.com/47780
+ http://bugs.mysql.com/47320
+ http://marc.info/?l=oss-security&m=125881733826437&w=2
+ http://dev.mysql.com/doc/refman/5.0/en/news-5-0-88.html
+
+ CVSS Score:
+ CVSS Base Score : 6.4 (AV:N/AC:L/Au:NR/C:N/I:P/A:P)
+ CVSS Temporal Score : 4.7
+ Risk factor: Medium";
+
+ script_description(desc);
+ script_summary("Check for the version of MySQL");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2009 Greenbone Networks GmbH");
+ script_family("Denial of Service");
+ script_dependencies("mysql_version.nasl");
+ script_require_ports("Services/mysql", 3306);
+ exit(0);
+}
+
+
+include("misc_func.inc");
+include("version_func.inc");
+
+sqlPort = get_kb_item("Services/mysql");
+if(!sqlPort){
+ sqlPort = 3306;
+}
+
+if(!get_port_state(sqlPort)){
+ exit(0);
+}
+
+mysqlVer = get_mysql_version(port:sqlPort);
+if(isnull(mysqlVer)){
+ exit(0);
+}
+
+mysqlVer = eregmatch(pattern:"([0-9.a-z]+)", string:mysqlVer);
+if(!isnull(mysqlVer[1]))
+{
+ if(version_in_range(version:mysqlVer[1], test_version:"5.0",test_version2:"5.0.87") ||
+ version_in_range(version:mysqlVer[1], test_version:"5.1",test_version2:"5.1.40")){
+ security_warning(sqlPort);
+ }
+}
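Review bot: The description ties CVE-2009-4028 to builds where OpenSSL is used, but the check at the end looks only at the advertised server version, so servers without SSL support are reported for the spoofing issue as well. A comment above the range test, `# Banner version only; OpenSSL use (CVE-2009-4028) is not verified`, and matching wording in the description would keep the finding from being read as confirmed. The guard style also differs from the sibling plugin added in this commit: gb_mysql_auth_bypass_vuln_lin.nasl exits early on `isnull(mysqlVer[1])` while this file nests the range test, and using one form in both would make them easier to maintain together.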
Property changes on: trunk/openvas-plugins/scripts/gb_mysql_dos_n_spoofing_vuln.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/gb_php_mult_vuln_dec09.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_php_mult_vuln_dec09.nasl 2009-12-04 11:32:23 UTC (rev 6062)
+++ trunk/openvas-plugins/scripts/gb_php_mult_vuln_dec09.nasl 2009-12-04 13:17:59 UTC (rev 6063)
@@ -0,0 +1,107 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_php_mult_vuln_dec09.nasl 5956 2009-12-02 18:42:56Z dec $
+#
+# PHP Multiple Vulnerabilities Dec-09
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(801060);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2009-4018","CVE-2009-2626");
+ script_bugtraq_id(37138, 36009);
+ script_name("PHP Multiple Vulnerabilities Dec-09");
+ desc = "
+ Overview: This host is running PHP and is prone to multiple vulnerabilities.
+
+ Vulnerability Insight:
+ Multiple flaws are due to:
+ - Error in 'proc_open()' function in 'ext/standard/proc_open.c' that does not
+ enforce the 'safe_mode_allowed_env_vars' and 'safe_mode_protected_env_vars'
+ directives, which allows attackers to execute programs with an arbitrary
+ environment via the env parameter.
+ - Error in 'zend_restore_ini_entry_cb()' function in 'zend_ini.c', which
+ allows attackers to obtain sensitive information.
+
+ Impact:
+ Successful exploitation could allow local attackers to bypass certain
+ security restrictions and cause denial of service.
+
+ Impact Level: Network
+
+ Affected Software/OS:
+ PHP version 5.2.10 and prior.
+ PHP version 5.3.x before 5.3.1
+
+ Fix: Upgrade to PHP version 5.3.1
+ http://www.php.net/downloads.php
+
+ References:
+ http://secunia.com/advisories/37482
+ http://bugs.php.net/bug.php?id=49026
+ http://securityreason.com/achievement_securityalert/65
+ http://www.openwall.com/lists/oss-security/2009/11/23/15
+
+ CVSS Score:
+ CVSS Base Score : 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P)
+ CVSS Temporal Score : 5.9
+ Risk factor : High";
+
+ script_description(desc);
+ script_summary("Check for the version of PHP");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2009 Greenbone Networks GmbH");
+ script_family("Web application abuses");
+ script_dependencies("gb_php_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+phpPort = get_kb_item("Services/www");
+if(!phpPort)
+{
+ phpPort = 80;
+ if(!get_port_state(phpPort)){
+ exit(0);
+ }
+}
+
+phpVer = get_kb_item("www/" + phpPort + "/PHP");
+if(!phpVer){
+ exit(0);
+}
+
+if(version_is_less(version:phpVer, test_version:"5.2.11")){
+ security_hole(0);
+ exit(0);
+}
+
+else if(phpVer =~ "^5\.3")
+{
+ if(version_is_less(version:phpVer, test_version:"5.3.1")){
+ security_hole(0);
+ }
+}
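Review bot: Both `security_hole(0)` calls report on port 0 instead of the web port the version was read from, so the finding is not attached to the service in `phpPort`; use `security_hole(phpPort);` in both places. `get_port_state(phpPort)` is only evaluated inside the fallback branch, so a port taken from `Services/www` is never checked; moving the test after the `if(!phpPort)` block covers both cases. The Impact text speaks of local attackers while Impact Level is Network and the CVSS vector is AV:N, which should be reconciled.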
Property changes on: trunk/openvas-plugins/scripts/gb_php_mult_vuln_dec09.nasl
___________________________________________________________________
Name: svn:executable
+ *