[Openvas-commits] r6097 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Tue Dec 8 12:57:11 CET 2009


Author: mime
Date: 2009-12-08 12:57:07 +0100 (Tue, 08 Dec 2009)
New Revision: 6097

Added:
   trunk/openvas-plugins/scripts/CoreHTTP_37237.nasl
   trunk/openvas-plugins/scripts/iWeb_37228.nasl
   trunk/openvas-plugins/scripts/polipo_37226.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/cve_current.txt
   trunk/openvas-plugins/scripts/gb_apple_safari_css_bof_vuln.nasl
   trunk/openvas-plugins/scripts/ldap_null_base.nasl
   trunk/openvas-plugins/scripts/ldap_null_bind.nasl
   trunk/openvas-plugins/scripts/ldapsearch.nasl
Log:
Added new plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2009-12-08 11:03:15 UTC (rev 6096)
+++ trunk/openvas-plugins/ChangeLog	2009-12-08 11:57:07 UTC (rev 6097)
@@ -1,3 +1,21 @@
+2009-12-08 Michael Meyer <michael.meyer at intevation.de>
+
+	* scripts/iWeb_37228.nasl,
+	scripts/CoreHTTP_37237.nasl,
+	scripts/polipo_37226.nasl:
+	Added new Plugins.
+
+	* scripts/gb_apple_safari_css_bof_vuln.nasl:
+	Fixed typo in script_family.
+
+	* scripts/ldap_null_base.nasl,
+	scripts/ldap_null_bind.nasl:
+	Set KB entry on success.
+
+	* scripts/ldapsearch.nasl:
+	Output of the reports consolidated. Only run if the
+	corresponding entries exist in KB.
+
 2009-12-08  Chandrashekhar B <bchandra at secpod.com>
 
 	* scripts/gb_yahoo_msg_detect.nasl,

Modified: trunk/openvas-plugins/cve_current.txt
===================================================================
--- trunk/openvas-plugins/cve_current.txt	2009-12-08 11:03:15 UTC (rev 6096)
+++ trunk/openvas-plugins/cve_current.txt	2009-12-08 11:57:07 UTC (rev 6097)
@@ -351,5 +351,8 @@
 CVE-2009-4175			SecPod		svn		R
 CVE-2009-4174			SecPod		svn		R
 CVE-2009-4097			SecPod		svn		L
+37228				Greenbone	svn		R
+37226				Greenbone	svn		R
+37237				Greenbone	svn		R
 
 

Added: trunk/openvas-plugins/scripts/CoreHTTP_37237.nasl
===================================================================
--- trunk/openvas-plugins/scripts/CoreHTTP_37237.nasl	2009-12-08 11:03:15 UTC (rev 6096)
+++ trunk/openvas-plugins/scripts/CoreHTTP_37237.nasl	2009-12-08 11:57:07 UTC (rev 6097)
@@ -0,0 +1,102 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# CoreHTTP 'src/http.c ' Buffer Overflow Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100377);
+ script_bugtraq_id(37237);
+ script_cve_id("CVE-2009-3586");
+ script_version ("1.0-$Revision$");
+
+ script_name("CoreHTTP 'src/http.c ' Buffer Overflow Vulnerability");
+
+desc = "Overview:
+CoreHTTP is prone to a buffer-overflow vulnerability because it fails
+to adequately bounds-check user-supplied data.
+
+Attackers can exploit this issue to execute arbitrary code within the
+context of the affected application. Failed exploit attempts will
+result in a denial of service.
+
+This issue affects CoreHTTP 0.5.3.1. ; other versions may also
+be affected.
+
+References:
+http://www.securityfocus.com/bid/37237
+http://corehttp.sourceforge.net/
+http://www.securityfocus.com/archive/1/508272
+
+Risk factor : High";
+
+ script_description(desc);
+ script_summary("Determine if CoreHTTP is prone to a buffer-overflow vulnerability");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web Servers");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes");
+ script_require_ports("Services/www", 5555);
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("version_func.inc");
+
+port = get_http_port(default:5555);
+if(!get_port_state(port))exit(0);
+
+banner = get_http_banner(port: port);
+if(!banner)exit(0);
+
+if(egrep(pattern:"Server: corehttp", string:banner))
+ {
+  if(safe_checks()) {
+    version = eregmatch(pattern: "Server: corehttp-([0-9.]+)", string: banner);
+    if(!isnull(version[1])) {
+     if(version_is_equal(version: version[1], test_version: "0.5.3.1")) {
+	security_hole(port:port);
+	exit(0);
+     }	
+    }   
+
+  } else {  
+
+   soc = http_open_socket(port);
+   if(!soc)exit(0);
+
+   crap_data = crap(length:400);
+   req = string(crap_data, "/index.html HTTP/1.1\r\n\r\n");
+   send(socket:soc, data:req);
+
+   if(http_is_dead(port:port)) {
+     security_hole(port:port);
+     exit(0); 
+   }
+  } 
+ }
+
+exit(0);
+
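Review bot: The socket opened at `soc = http_open_socket(port);` in the non-safe branch is never closed before `http_is_dead(port:port)` is consulted, and the result of `send()` is not checked; add `http_close_socket(soc);` right after the `send` so the probe connection is released before the liveness check. The banner version is only consulted when `safe_checks()` is on, so with safe checks off a host that already identifies itself as a non-affected corehttp version still receives the crash probe — run the `eregmatch`/`version_is_equal` step first in both modes and fall through to the probe only when no version is present in the banner. The script name and the description carry a stray space inside `'src/http.c '`.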


Property changes on: trunk/openvas-plugins/scripts/CoreHTTP_37237.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Modified: trunk/openvas-plugins/scripts/gb_apple_safari_css_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_apple_safari_css_bof_vuln.nasl	2009-12-08 11:03:15 UTC (rev 6096)
+++ trunk/openvas-plugins/scripts/gb_apple_safari_css_bof_vuln.nasl	2009-12-08 11:57:07 UTC (rev 6097)
@@ -67,7 +67,7 @@
   script_summary("Check for the version of Apple Safari");
   script_category(ACT_GATHER_INFO);
   script_copyright("Copyright (C) 2009 Greenbone Networks GmbH");
-  script_family("Buffer overlow");
+  script_family("Buffer overflow");
   script_dependencies("secpod_apple_safari_detect_win_900003.nasl");
   script_require_keys("AppleSafari/Version");
   exit(0);

Added: trunk/openvas-plugins/scripts/iWeb_37228.nasl
===================================================================
--- trunk/openvas-plugins/scripts/iWeb_37228.nasl	2009-12-08 11:03:15 UTC (rev 6096)
+++ trunk/openvas-plugins/scripts/iWeb_37228.nasl	2009-12-08 11:57:07 UTC (rev 6097)
@@ -0,0 +1,83 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# iWeb Server URL Directory Traversal Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100378);
+ script_bugtraq_id(37228);
+ script_cve_id("CVE-2009-4053");
+ script_version ("1.0-$Revision$");
+
+ script_name("iWeb Server URL Directory Traversal Vulnerability");
+
+desc = "Overview:
+iWeb Server is prone to a directory-traversal vulnerability because
+the application fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue allows an attacker to access files outside of
+the web servers root directory. Successfully exploiting this issue
+will allow attackers to gain access to sensitive information.
+
+References:
+http://www.securityfocus.com/bid/37228
+http://www.ashleybrown.co.uk/iweb/
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if iWeb Server is prone to a	directory-traversal vulnerability");
+ script_category(ACT_ATTACK);
+ script_family("Web Servers");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+banner = get_http_banner(port: port);
+if(!banner)exit(0);
+
+if(egrep(pattern:"Server: iWeb", string:banner))
+ {
+   url = string("/..%5C..%5C..%5Cboot.ini");
+   req = http_get(item:url, port:port);
+   res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
+   if( res == NULL )exit(0);
+
+   if( egrep(pattern: "\[boot loader\]", string: res, icase: TRUE) ) {
+        security_warning(port:port);
+        exit(0); 
+   }
+ }
+
+exit(0);
+
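Review bot: The `script_summary` string at `script_summary("Determine if iWeb Server is prone to a	directory-traversal vulnerability")` contains a literal tab character between `a` and `directory-traversal`; replace it with a space, since this text is shown to users. The null check `if( res == NULL )exit(0);` differs from the `isnull()` idiom used in CoreHTTP_37237.nasl of this same commit; `if(isnull(res))exit(0);` is the consistent form. The match on `[boot loader]` only detects a Windows host (boot.ini); if iWeb can run on other platforms the traversal would go unreported there, which deserves a comment above the `egrep` so a reader knows the negative result is not conclusive. `url = string("/..%5C..%5C..%5Cboot.ini");` wraps a single literal in `string()`, which is redundant.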


Property changes on: trunk/openvas-plugins/scripts/iWeb_37228.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Modified: trunk/openvas-plugins/scripts/ldap_null_base.nasl
===================================================================
--- trunk/openvas-plugins/scripts/ldap_null_base.nasl	2009-12-08 11:03:15 UTC (rev 6096)
+++ trunk/openvas-plugins/scripts/ldap_null_base.nasl	2009-12-08 11:57:07 UTC (rev 6097)
@@ -70,7 +70,12 @@
     if (l >= 7)
     {
       error_code = substr(rez, l - 7, l - 5);
-      if (hexstr(error_code) == "0a0100") security_note(port);
+
+      if (hexstr(error_code) == "0a0100") { 
+        security_note(port);
+        set_kb_item(name: string("LDAP/", port, "/NULL_BASE"), value: TRUE);
+        exit(0);
+      }	
     }
 }
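Review bot: The new `exit(0);` after `set_kb_item(name: string("LDAP/", port, "/NULL_BASE"), value: TRUE);` terminates the script on the first port that reports; if the enclosing code (its start lies outside this hunk) iterates over several LDAP ports, the remaining ports are neither tested nor recorded in the KB, so confirm the loop shape before keeping the exit. The same applies to the ldap_null_bind.nasl hunk in this commit. Both hunks also add trailing whitespace (`}	` after the closing brace here, `}  ` and the double space in `value:  TRUE` in ldap_null_bind.nasl); strip it.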
 

Modified: trunk/openvas-plugins/scripts/ldap_null_bind.nasl
===================================================================
--- trunk/openvas-plugins/scripts/ldap_null_bind.nasl	2009-12-08 11:03:15 UTC (rev 6096)
+++ trunk/openvas-plugins/scripts/ldap_null_bind.nasl	2009-12-08 11:57:07 UTC (rev 6097)
@@ -71,8 +71,12 @@
     result1 = send_stuff(myport:port);
     if(result1)
     {
-    error_code = substr(result1, strlen(result1) - 7, strlen(result1) - 5);
-    if (hexstr(error_code) == "0a0100") security_note(port);
+      error_code = substr(result1, strlen(result1) - 7, strlen(result1) - 5);
+      if (hexstr(error_code) == "0a0100") {
+        security_note(port);
+        set_kb_item(name: string("LDAP/", port, "/NULL_BIND"), value:  TRUE);
+        exit(0);
+      }  
     }
 }
 

Modified: trunk/openvas-plugins/scripts/ldapsearch.nasl
===================================================================
--- trunk/openvas-plugins/scripts/ldapsearch.nasl	2009-12-08 11:03:15 UTC (rev 6096)
+++ trunk/openvas-plugins/scripts/ldapsearch.nasl	2009-12-08 11:57:07 UTC (rev 6097)
@@ -32,11 +32,11 @@
 
   script_copyright("This script is Copyright (C) 2006 Tarik El-Yassem/ITsec Security Services");
   script_family("Remote file access");
-  script_dependencies("find_service.nes", "doublecheck_std_services.nasl", "external_svc_ident.nasl");
+  script_dependencies("find_service.nes", "doublecheck_std_services.nasl", "external_svc_ident.nasl","ldap_null_base.nasl","ldap_null_bind.nasl");
   script_require_ports("Services/ldap", 389);
 
   script_add_preference(name:"Timeout value", type:"entry", value:"3");
-  script_add_preference(name:"Buffersize", type:"entry", value:"20");
+  script_add_preference(name:"Buffersize", type:"entry", value:"500");
   exit(0);
 }  
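Review bot: The `Buffersize` preference default changes from `"20"` to `"500"` in `script_add_preference(name:"Buffersize", type:"entry", value:"500");`, but the ChangeLog entry for ldapsearch.nasl mentions only the report consolidation and the KB gating; record the new default there and state why 500 was chosen, since it presumably changes how much the ldapsearch invocation returns for every existing scan configuration. The new dependencies on `ldap_null_base.nasl` and `ldap_null_bind.nasl` match the KB keys those scripts now set, which is fine.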
 
@@ -45,6 +45,11 @@
 if (! port) port = 389;
 if (! get_port_state(port)) exit(0);
 
+if(! null_base = get_kb_item(string("LDAP/", port, "/NULL_BASE")) && 
+   ! null_bind = get_kb_item(string("LDAP/", port, "/NULL_BIND"))) {
+     exit(0);
+}     
+
 if (! find_in_path("ldapsearch"))
 {
   log_message(port:port, data: 'Command "ldapsearch" not available to scan server (not in search path).\nTherefore this test was not executed.');
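Review bot: The guard `if(! null_base = get_kb_item(...) && ! null_bind = get_kb_item(...))` mixes assignment with `!` and `&&`; how `!` binds relative to the assignment depends on the NASL grammar, and with short-circuit evaluation `null_bind` is never assigned when the NULL_BASE entry exists, so the later `if(null_bind && res)` branch is skipped even when the NULL_BIND entry is set. Assign first and test afterwards: `null_base = get_kb_item(string("LDAP/", port, "/NULL_BASE"));` `null_bind = get_kb_item(string("LDAP/", port, "/NULL_BIND"));` `if(!null_base && !null_bind) exit(0);`. Note also that a later hunk adds `if(!null_base)exit(0);`, so a host with only NULL_BIND set exits anyway; if that is intended, this guard could simply test NULL_BASE and the double lookup goes away.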
@@ -122,28 +127,9 @@
     s = '';
     
     foreach x (args) s = s + x + ' ';
+    result = string("(Command was:'",  s  ,"')\n\n",results,"\n");
+    return result;
 
-    if (type="null-base")
-    {
-      security_warning(
-        port: port,
-        data: 'The LDAPserver allows null-binds and null-base requests.\n\n' 
-      );
-      security_note(
-        port: port,
-        data: 'Grabbed the following information with a null-bind, null-base request: \n' +
-              '(Command was:' + s + ')\n' +
-              '--------------------------------------------------------------------------------------------------\n\n' + results
-      );
-    }
- 
-    if (type="null-bind")
-    security_note(
-      port: port,
-      data: 'Grabbed the following information from the LDAP server: \n' +
-            '(Command was:' + s + ')\n' +
-            '----------------------------------------------------------------------------------------\n\n' + results
-      );
   }
 }
 
@@ -155,6 +141,8 @@
   else return(0);
 }
 
+if(!null_base)exit(0);
+
 #first do ldapsearch -h x.x.x.x -b '' -x -C -s base
 type = "null-base";
 value = '';
@@ -164,22 +152,41 @@
 res = res_check(res);
 #this is insecure, but there's no other way to do this at the moment.
 if(res){
-  makereport(res, type);
+base_report = makereport(res, type);
 }
 
-#then ldapsearch -h x.x.x.x -b dc=X,dc=Y -x -C -s base 'objectclass=*' -P3 -A
-type = "null-bind"; 
-val = getdc(res); #this gets the dc values so we can use them for a ldapsearch down the branch..
-value = "dc=" + val[0] + "dc=" + val[1]; #get the first two dc values to pass it to LDAPsearch.
-#note that for deeper searches we would want use the other values in the array.
-#we could make this recursive so a user can specify how many branches we want to examine. 
-#but then we would need to grab other things like the cn values and use those in the requests.
+if(null_bind && res) {
+  #then ldapsearch -h x.x.x.x -b dc=X,dc=Y -x -C -s base 'objectclass=*' -P3 -A
+  type = "null-bind"; 
+  val = getdc(res); #this gets the dc values so we can use them for a ldapsearch down the branch..
+  value = "dc=" + val[0] + "dc=" + val[1]; #get the first two dc values to pass it to LDAPsearch.
+  #note that for deeper searches we would want use the other values in the array.
+  #we could make this recursive so a user can specify how many branches we want to examine. 
+  #but then we would need to grab other things like the cn values and use those in the requests.
 
-args = scanopts(port,type,value);
+  args = scanopts(port,type,value);
 
-res = pread(cmd:"ldapsearch", argv: args, nice: 5);
-res = res_check(res);
-#this is insecure, but unfortunately there's no other way to do this at the moment.
-if(res){
- makereport(res, type);
+  res = pread(cmd:"ldapsearch", argv: args, nice: 5);
+  res = res_check(res);
+  #this is insecure, but unfortunately there's no other way to do this at the moment.
+  if(res){
+    bind_report =  makereport(res, type);
+  }
 }
+  
+if(bind_report || base_report) {
+ 
+  data = string("Grabbed the following information with a null-bind, null-base request:\n");
+
+  if(bind_report == base_report) {
+   data += bind_report;
+  } else {
+   data += bind_report + base_report;
+  }  
+
+  security_note(port:port,data:data);
+  exit(0);
+
+} 
+
+exit(0);
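Review bot: The consolidated header `Grabbed the following information with a null-bind, null-base request:` is emitted whenever either report exists, so a host where only the null-base search produced output is described as allowing null-bind as well; build the header from whichever of `base_report`/`bind_report` is set, and give the `bind_report == base_report` comparison (deduplication by whole-body equality) a comment explaining when the two are expected to coincide. The re-indented `value = "dc=" + val[0] + "dc=" + val[1];` joins the components without the comma that the comment above it (`-b dc=X,dc=Y`) describes — presumably `"dc=" + val[0] + ",dc=" + val[1]` was intended; confirm against what getdc returns. `val[0]` and `val[1]` are also used without checking that getdc returned two entries.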

Added: trunk/openvas-plugins/scripts/polipo_37226.nasl
===================================================================
--- trunk/openvas-plugins/scripts/polipo_37226.nasl	2009-12-08 11:03:15 UTC (rev 6096)
+++ trunk/openvas-plugins/scripts/polipo_37226.nasl	2009-12-08 11:57:07 UTC (rev 6097)
@@ -0,0 +1,88 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Polipo Malformed HTTP GET Request Memory Corruption Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100379);
+ script_bugtraq_id(37226);
+ script_version ("1.0-$Revision$");
+
+ script_name("Polipo Malformed HTTP GET Request Memory Corruption Vulnerability");
+
+desc = "Overview:
+Polipo is prone to a memory-corruption vulnerability.
+
+Successful exploits may allow remote attackers to execute arbitrary
+code within the context of the affected application or crash the
+application, denying service to legitimate users.
+
+Polipo 0.9.8 and 1.0.4 are vulnerable; other versions may also
+be affected.
+
+References:
+http://www.securityfocus.com/bid/37226
+http://www.pps.jussieu.fr/~jch/software/polipo/
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if Polipo is prone to a memory-corruption vulnerability");
+ script_category(ACT_DENIAL);
+ script_family("Web Servers");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes");
+ script_require_ports("Services/www", 8123);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+if(safe_checks())exit(0);
+
+port = get_http_port(default:8123);
+if(!get_port_state(port))exit(0);
+
+banner = get_http_banner(port: port);
+if(!banner)exit(0);
+
+if(egrep(pattern:"Server: Polipo", string:banner))
+ {
+
+    soc = http_open_socket(port);
+    req = string("GET / HTTP/1.1\r\nContent-Length: 2147483602\r\n\r\n");
+    send(socket:soc, data:req);
+
+    if(http_is_dead(port:port)) {
+      security_warning(port:port);
+      exit(0);
+    }  
+
+ }
+
+exit(0);
+
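Review bot: `soc = http_open_socket(port);` is passed to `send()` without a null check, unlike CoreHTTP_37237.nasl in this same commit which does `if(!soc)exit(0);`; add the same check, and close the socket with `http_close_socket(soc);` after the send so the connection is released before `http_is_dead(port:port)` is evaluated. The script sets `script_bugtraq_id(37226)` but no `script_cve_id`; if no CVE had been assigned at the time that is fine, otherwise add it. With `ACT_DENIAL` and the early `if(safe_checks())exit(0);` the script reports only when the service stops responding, so a negative result is silent — a short comment above the `safe_checks` line stating that there is no safe-mode detection path for this test would help readers of the description.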


Property changes on: trunk/openvas-plugins/scripts/polipo_37226.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision


