[Openvas-commits] r2786 - trunk/openvas-plugins/scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Sun Mar 15 21:21:11 CET 2009
Author: edjenguele
Date: 2009-03-15 21:21:09 +0100 (Sun, 15 Mar 2009)
New Revision: 2786
Added:
trunk/openvas-plugins/scripts/remote-MS06-056.nasl
trunk/openvas-plugins/scripts/remote-detect-MSdotNET-version.nasl
Log:
Added Microsoft Security Bulletin MS06-056
.NET Framework 2.0 Cross-Site Scripting Vulnerability - CVE-2006-3436
Added a Microsoft .NET version grabber script as a dependency
Added: trunk/openvas-plugins/scripts/remote-MS06-056.nasl
===================================================================
--- trunk/openvas-plugins/scripts/remote-MS06-056.nasl 2009-03-15 20:09:08 UTC (rev 2785)
+++ trunk/openvas-plugins/scripts/remote-MS06-056.nasl 2009-03-15 20:21:09 UTC (rev 2786)
@@ -0,0 +1,138 @@
+# OpenVAS Vulnerability Test
+# $Id$
+# Description:
+# Microsoft Security Bulletin MS06-056
+# .NET Framework 2.0 Cross-Site Scripting Vulnerability - CVE-2006-3436
+#
+#
+# Affected Software:
+#
+# .NET Framework 2.0 for the following operating system versions:
+# Microsoft Windows 2000 Service Pack 4
+# Microsoft Windows XP Service Pack 1 or Windows XP Service Pack 2
+# Microsoft Windows XP Professional x64 Edition
+# Microsoft Windows XP Tablet PC Edition
+# Microsoft Windows XP Media Center Edition
+# Microsoft Windows Server 2003 or Windows Server 2003 Service Pack 1
+# Microsoft Windows Server with SP1 for Itanium-based Systems
+# Microsoft Windows Server 2003 x64 Edition
+#
+# Non-Affected Software:
+#
+# Microsoft Windows Server 2003 for Itanium-based Systems
+#
+# Tested Microsoft Windows Components:
+#
+# Affected Components:
+#
+# Microsoft .NET Framework 2.0
+#
+# Non-Affected Components:
+#
+# Microsoft .NET Framework 1.0
+# Microsoft .NET Framework 1.1
+#
+# remote-MS06-056.nasl
+#
+# Author:
+# Christian Eric Edjenguele <christian.edjenguele at owasp.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 and later,
+# as published by the Free Software Foundation
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+
+
+if(description)
+{
+script_id(101006);
+script_bugtraq_id(20337);
+script_cve_id("CVE-2006-3436");
+name["english"] = "Microsoft Security Bulletin MS06-056";
+script_name(english:name["english"]);
+
+desc["english"] = "
+A cross-site scripting vulnerability exists in a server running a vulnerable version of the .Net Framework 2.0
+that could inject a client side script in the user's browser. The script could spoof content,
+disclose information, or take any action that the user could take on the affected web site.
+
+
+
+
+
+Solution :
+Microsoft has released a patch to correct this issue,
+you can download it from the following web site:
+http://www.microsoft.com/technet/security/Bulletin/MS06-056.mspx
+
+
+
+
+Risk factor : Low";
+
+script_description(english:desc["english"]);
+
+summary["english"] = ".NET Framework 2.0 Cross-Site Scripting Vulnerability";
+
+script_summary(english:summary["english"]);
+
+script_category(ACT_ATTACK);
+
+script_copyright(english:"This script is Written by Christian Eric Edjenguele <christian.edjenguele at owasp.org> and released under GPL v2 or later");
+family["english"] = "Windows : Microsoft Bulletins";
+script_family(english:family["english"]);
+script_dependencies("find_service.nes", "remote-detect-MSdotNET-version.nasl");
+script_require_ports("Services/www");
+script_require_keys("dotNET/version", "dotNet/port");
+
+
+
+exit(0);
+
+}
+
+
+#
+# The script code starts here
+#
+
+
+dotnet = get_kb_item("dotNET/version");
+port = get_kb_item("dotNet/port");
+
+if(!dotnet)
+ exit(0);
+
+else
+{
+ dotnetlist = split(dotnet, sep:'.');
+ l = max_index(dotnetlist) - 1;
+
+ # Microsoft .NET Framework version 2.0
+ dotnetversion['2.0.one'] = ( dotnetlist[0] == '2' && dotnetlist[1] == '0' && int(dotnetlist[2]) < 50727 );
+ dotnetversion['2.0.two'] = (l > 3 && dotnetlist[0] == '2' && dotnetlist[1] == '0' && int(dotnetlist[2]) == 50727 && int(dotnetlist[3]) < 210 );
+
+
+
+ foreach version (dotnetversion)
+ {
+
+ if (version == TRUE)
+ # Report 'Microsoft .NET Framework 2.0 Cross-Site Scripting Vulnerability (MS06-056)'
+ report = 'Detected Microsoft .Net Framework version: ' + dotnet;
+ security_hole(port:port, data:report);
+ }
+}
+
+
+
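Review bot: The `if (version == TRUE)` inside the `foreach` has no braces, so only the `report = ...` assignment is conditional and `security_hole()` runs on every iteration, flagging any host with a recorded .NET version whatever its build. The port is read from `"dotNet/port"` (and required through `script_require_keys`) while the detector added in this same commit writes `"dotNET/port"`; if KB names are case-sensitive, as I believe they are, that key is never satisfied. For a four-part version `max_index(dotnetlist) - 1` is 3, so `l > 3` can never hold and the 2.0.50727.x branch is dead. NASL `split()` also appears to keep the separator unless `keep:FALSE` is passed (worth confirming), which would make `dotnetlist[0] == '2'` false. Because the check only reads the KB, `ACT_GATHER_INFO` looks like a better fit than `ACT_ATTACK`; a tightened check is sketched below, and `script_require_keys` needs the same key spelling.

```nasl
dotnet = get_kb_item("dotNET/version");
port = get_kb_item("dotNET/port");   # same spelling the detector uses in set_kb_item
# … unchanged: exit(0) when dotnet is empty …
 dotnetlist = split(dotnet, sep:'.', keep:FALSE);
 n = max_index(dotnetlist);
 vulnerable = FALSE;

 if (n >= 3 && dotnetlist[0] == '2' && dotnetlist[1] == '0')
 {
  build = int(dotnetlist[2]);
  if (build < 50727)
   vulnerable = TRUE;
  else if (build == 50727 && n >= 4 && int(dotnetlist[3]) < 210)
   vulnerable = TRUE;
 }

 if (vulnerable)
 {
  report = 'Detected Microsoft .Net Framework version: ' + dotnet;
  security_hole(port:port, data:report);
 }
```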
Added: trunk/openvas-plugins/scripts/remote-detect-MSdotNET-version.nasl
===================================================================
--- trunk/openvas-plugins/scripts/remote-detect-MSdotNET-version.nasl 2009-03-15 20:09:08 UTC (rev 2785)
+++ trunk/openvas-plugins/scripts/remote-detect-MSdotNET-version.nasl 2009-03-15 20:21:09 UTC (rev 2786)
@@ -0,0 +1,118 @@
+# OpenVAS Vulnerability Test
+# $Id$
+# Description: detects the version of Microsoft .Net Framework
+#
+# remote-detect-MSdotNET-version.nasl
+#
+# Author:
+# Christian Eric Edjenguele <christian.edjenguele at owasp.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 and later,
+# as published by the Free Software Foundation
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+
+
+if(description)
+{
+script_id(101007);
+name["english"] = "Microsoft dotNET version grabber";
+script_name(english:name["english"]);
+
+desc["english"] = "
+The remote host seems to have Microsoft .NET installed.
+
+
+
+Solution :
+It's recommended to disable verbose error displaying to avoid version detection.
+this can be done througth the IIS management console.
+
+
+
+
+Risk factor : None";
+
+script_description(english:desc["english"]);
+
+summary["english"] = "The remote host seems to have Microsoft .NET installed";
+
+script_summary(english:summary["english"]);
+
+script_category(ACT_GATHER_INFO);
+
+script_copyright(english:"This script is Written by Christian Eric Edjenguele <christian.edjenguele at owasp.org> and released under GPL v2 or later");
+family["english"] = "General";
+script_family(english:family["english"]);
+script_dependencies("find_service.nes");
+script_require_ports("Services/www");
+
+
+
+exit(0);
+
+}
+
+
+#
+# The script code starts here
+#
+
+include("misc_func.inc");
+include("http_func.inc");
+
+iis_servers = get_kb_list("Services/www");
+
+# request a non existant random page
+# test page in browser: http://www.camstar.com/000111222.aspx
+
+page = string(rand() + '.aspx');
+
+foreach port (iis_servers)
+{
+ soc = open_sock_tcp(port);
+ qry = strcat('GET /' , page , ' HTTP/1.0\r\n\r\n');
+
+ req = http_get(item:qry, port:port);
+ send(socket:soc, data:req);
+
+ # Get back the response
+ reply = recv(socket:soc, length:1204);
+
+ # Get the ASP.NET Microsoft .Net Framework version
+ # a tipical response from test page above
+ # Version Information: Microsoft .NET Framework Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433
+ dotNet_header = egrep(pattern:"Microsoft .NET Framework Version:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)", string:reply, icase:TRUE);
+ aspNet_header = egrep(pattern:"ASP.NET Version:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)", string:reply, icase:TRUE);
+
+ if(('Version Information' >< response) && dotNet_header)
+ dotnetversion = ereg_replace(string:response, pattern:dotNet_header,"\1");
+ report = "Detected Microsoft .NET Framework version: " + dotnetversion;
+
+ if(aspNET_header)
+ aspnetversion = ereg_replace(string:response, pattern:aspNet_header,"\1");
+ report += "Detected ASP .NET version: " + aspnetversion;
+
+ # save informations into the kb
+ set_kb_item(name:"dotNET/installed", value:TRUE);
+ set_kb_item(name:"aspNET/installed", value:TRUE);
+ set_kb_item(name:"dotNET/version", value:dotnetversion);
+ set_kb_item(name:"aspNET/version", value:aspnetversion);
+ set_kb_item(name:"dotNET/port", value:port);
+
+ # report all gathered informations
+ security_note(port:port, data:report);
+
+
+}
+
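Review bot: The matching code reads `response` and `aspNET_header`, but the received data is stored in `reply` and the second grep result in `aspNet_header`, so neither `if` in the loop can match as written. Both `if` statements also lack braces, so the `report` lines, every `set_kb_item()` and `security_note()` run for each web port whether or not a version was found; that marks every HTTP service as .NET and feeds empty versions to dependent checks. `egrep()` returns the whole matching line, which is then passed as the `pattern` to `ereg_replace()`; `eregmatch()` with the capture group is the direct way to extract the version, with the dots in `.NET` escaped. `http_get(item:...)` is handed a full request line rather than a path, the socket is neither checked nor closed, and `length:1204` may be a typo for 1024. The comment naming a live third-party site as the test page would be better replaced with a placeholder host.

```nasl
foreach port (iis_servers)
{
 soc = open_sock_tcp(port);
 if (!soc) continue;

 # http_get() builds the request line itself; pass only the path
 req = http_get(item:strcat('/', page), port:port);
 send(socket:soc, data:req);
 reply = recv(socket:soc, length:1204);
 close(soc);

 if (!reply || 'Version Information' >!< reply) continue;

 dotnet_match = eregmatch(pattern:"Microsoft \.NET Framework Version:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)", string:reply, icase:TRUE);
 aspnet_match = eregmatch(pattern:"ASP\.NET Version:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)", string:reply, icase:TRUE);
 if (isnull(dotnet_match)) continue;

 report = "Detected Microsoft .NET Framework version: " + dotnet_match[1];
 set_kb_item(name:"dotNET/installed", value:TRUE);
 set_kb_item(name:"dotNET/version", value:dotnet_match[1]);
 set_kb_item(name:"dotNET/port", value:port);

 if (!isnull(aspnet_match))
 {
  report += '\nDetected ASP .NET version: ' + aspnet_match[1];
  set_kb_item(name:"aspNET/installed", value:TRUE);
  set_kb_item(name:"aspNET/version", value:aspnet_match[1]);
 }

 security_note(port:port, data:report);
}
```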