[Openvas-commits] r2913 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Thu Mar 26 11:19:14 CET 2009
Author: chandra
Date: 2009-03-26 11:19:12 +0100 (Thu, 26 Mar 2009)
New Revision: 2913
Added:
trunk/openvas-plugins/scripts/secpod_expert_pdf_editorx_activex_vuln.nasl
trunk/openvas-plugins/scripts/secpod_openfire_mult_vuln_mar09.nasl
trunk/openvas-plugins/scripts/secpod_postgresql_detect_lin.nasl
trunk/openvas-plugins/scripts/secpod_postgresql_detect_win.nasl
trunk/openvas-plugins/scripts/secpod_postgresql_dos_vuln_lin.nasl
trunk/openvas-plugins/scripts/secpod_vlc_media_player_bof_vuln_lin_mar09.nasl
trunk/openvas-plugins/scripts/secpod_vlc_media_player_bof_vuln_win_mar09.nasl
trunk/openvas-plugins/scripts/secpod_vlc_media_player_detect_lin.nasl
trunk/openvas-plugins/scripts/secpod_vlc_media_player_detect_win.nasl
trunk/openvas-plugins/scripts/secpod_winasm_studio_wap_bof_vuln.nasl
trunk/openvas-plugins/scripts/secpod_wingate_detect.nasl
trunk/openvas-plugins/scripts/secpod_wingate_http_proxy_serv_acl_bypass_vuln.nasl
trunk/openvas-plugins/scripts/secpod_ziproxy_sec_bypass_vuln.nasl
trunk/openvas-plugins/scripts/secpod_ziproxy_server_detect.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/gb_openfire_detect.nasl
trunk/openvas-plugins/scripts/gb_openfire_mult_vuln.nasl
trunk/openvas-plugins/scripts/secpod_adobe_prdts_bof_vuln_lin.nasl
trunk/openvas-plugins/scripts/secpod_adobe_prdts_bof_vuln_win.nasl
Log:
Added new plugins
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2009-03-26 09:35:42 UTC (rev 2912)
+++ trunk/openvas-plugins/ChangeLog 2009-03-26 10:19:12 UTC (rev 2913)
@@ -1,4 +1,25 @@
2009-03-26 Chandrashekhar B <bchandra at secpod.com>
+ * scripts/gb_openfire_detect.nasl,
+ scripts/secpod_adobe_prdts_bof_vuln_win.nasl,
+ scripts/secpod_postgresql_dos_vuln_lin.nasl,
+ scripts/secpod_vlc_media_player_detect_lin.nasl,
+ scripts/secpod_postgresql_detect_win.nasl,
+ scripts/secpod_winasm_studio_wap_bof_vuln.nasl,
+ scripts/secpod_wingate_detect.nasl,
+ scripts/secpod_openfire_mult_vuln_mar09.nasl,
+ scripts/gb_openfire_mult_vuln.nasl,
+ scripts/secpod_wingate_http_proxy_serv_acl_bypass_vuln.nasl,
+ scripts/secpod_ziproxy_sec_bypass_vuln.nasl,
+ scripts/secpod_adobe_prdts_bof_vuln_lin.nasl,
+ scripts/secpod_vlc_media_player_bof_vuln_win_mar09.nasl,
+ scripts/secpod_postgresql_detect_lin.nasl,
+ scripts/secpod_vlc_media_player_bof_vuln_lin_mar09.nasl,
+ scripts/secpod_expert_pdf_editorx_activex_vuln.nasl,
+ scripts/secpod_vlc_media_player_detect_win.nasl,
+ scripts/secpod_ziproxy_server_detect.nasl:
+ Added new plugins
+
+2009-03-26 Chandrashekhar B <bchandra at secpod.com>
* scripts/smbcl_func.inc:
Removed security_note as it was giving unnecessary warning
Modified: trunk/openvas-plugins/scripts/gb_openfire_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_openfire_detect.nasl 2009-03-26 09:35:42 UTC (rev 2912)
+++ trunk/openvas-plugins/scripts/gb_openfire_detect.nasl 2009-03-26 10:19:12 UTC (rev 2913)
@@ -50,25 +50,26 @@
include("http_keepalive.inc");
# Check for default port 9090
-wwwPort = get_http_port(default:9090);
-if(!wwwPort){
- wwwPort = 9090;
+firePort = get_http_port(default:9090);
+if(!firePort){
+ firePort = 9090;
}
-if(!get_port_state(wwwPort)){
- exit(0);
-}
-
-sndReq = string("GET /login.jsp \r\n\r\n");
-rcvRes = http_keepalive_send_recv(port:wwwPort, data:sndReq);
-if(rcvRes == NULL){
- exit(0);
-}
-
-if("<title>Openfire Admin Console" >< rcvRes)
+if(get_port_state(firePort))
{
- fireVer = eregmatch(pattern:"Openfire, Version: ([0-9.]+)", string:rcvRes);
- if(fireVer[1] != NULL){
- set_kb_item(name:"OpenFire/Version", value:fireVer[1]);
+ sndReq = string("GET /login.jsp \r\n\r\n");
+ rcvRes = http_keepalive_send_recv(port:firePort, data:sndReq);
+ if(rcvRes == NULL){
+ exit(0);
}
+
+ if("Openfire Admin Console" >< rcvRes)
+ {
+ fireVer = eregmatch(pattern:"Openfire, Version: ([0-9.]+)", string:rcvRes);
+ if(fireVer[1] != NULL)
+ {
+ set_kb_item(name:"www/" + firePort + "/Openfire", value:fireVer[1]);
+ exit(0);
+ }
+ }
}
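Review bot: The request `sndReq = string("GET /login.jsp \r\n\r\n");` on the new side carries neither an HTTP version nor a Host header, so an HTTP/1.1-only server or a reverse proxy in front of the console may answer with an error page instead of the login form and the version regex never matches; `http_get(item:"/login.jsp", port:firePort)` from http_func.inc builds a complete request line. The fingerprint was loosened from `"<title>Openfire Admin Console" >< rcvRes` to a bare substring match, which is acceptable only because the KB key is set solely when `fireVer[1]` matched — worth a comment above the `if`, `# loose substring match; the version regex below is the real gate`. The fallback `if(!firePort){ firePort = 9090; }` after `get_http_port(default:9090)` looks redundant unless get_http_port can return 0 in this engine version — confirm, then drop it or comment why it is kept.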
Modified: trunk/openvas-plugins/scripts/gb_openfire_mult_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_openfire_mult_vuln.nasl 2009-03-26 09:35:42 UTC (rev 2912)
+++ trunk/openvas-plugins/scripts/gb_openfire_mult_vuln.nasl 2009-03-26 10:19:12 UTC (rev 2913)
@@ -75,29 +75,24 @@
script_category(ACT_GATHER_INFO);
script_copyright(english:"Copyright (C) 2009 Intevation GmbH");
script_family(english:"Web application abuses");
- script_dependencies("gb_openfire_detect.nasl", "http_version.nasl");
- script_require_keys("OpenFire/Version");
+ script_dependencies("gb_openfire_detect.nasl");
script_require_ports("Services/www", 9090);
exit(0);
}
-include("http_func.inc");
include("version_func.inc");
-# Check for default port 9090
-wwwPort = get_http_port(default:9090);
-if(!wwwPort){
+firePort = get_kb_item("Services/www");
+if(!firePort){
exit(0);
}
-# Get version from KB item
-fireVer = get_kb_item("OpenFire/Version");
-if(!fireVer){
- exit(0);
+fireVer = get_kb_item("www/" + firePort + "/Openfire");
+if(fireVer != NULL)
+{
+ # Grep for Openfire version prior to 3.6.3
+ if(version_is_less(version:fireVer, test_version:"3.6.3")){
+ security_hole(firePort);
+ }
}
-
-# Check for version prior to 3.6.3
-if(version_is_less(version:fireVer, test_version:"3.6.3")){
- security_warning(wwwPort);
-}
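Review bot: `firePort = get_kb_item("Services/www");` on the new side returns whichever www port the knowledge base lists first (commonly 80), not necessarily the port gb_openfire_detect.nasl probed, so the lookup `get_kb_item("www/" + firePort + "/Openfire")` can miss the key the detector stored under 9090 and the check silently reports nothing. The sibling added in this commit, secpod_openfire_mult_vuln_mar09.nasl, reads the same key with `firePort = get_http_port(default:9090);` and this script should do the same, which also means keeping the `include("http_func.inc");` line this hunk removes. Removing `script_require_keys("OpenFire/Version")` without a replacement means the script now runs on every host with a www port; since the new per-port key cannot be expressed in `script_require_keys`, a comment such as `# no require_keys: the Openfire KB key is per-port, set by gb_openfire_detect.nasl` explains the gap. The severity also changes from security_warning to security_hole here, which is not mentioned in the log message.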
Modified: trunk/openvas-plugins/scripts/secpod_adobe_prdts_bof_vuln_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_adobe_prdts_bof_vuln_lin.nasl 2009-03-26 09:35:42 UTC (rev 2912)
+++ trunk/openvas-plugins/scripts/secpod_adobe_prdts_bof_vuln_lin.nasl 2009-03-26 10:19:12 UTC (rev 2913)
@@ -1,8 +1,8 @@
###############################################################################
# OpenVAS Vulnerability Test
-# $Id: secpod_adobe_prdts_bof_vuln_lin.nasl 1064 2009-02-25 19:34:26Z feb $
+# $Id: secpod_adobe_prdts_bof_vuln_lin.nasl 1061 2009-03-25 19:34:26Z mar $
#
-# Buffer Overflow Vulnerability in Adobe Acrobat and Reader (Linux)
+# Buffer Overflow Vulnerability in Adobe Reader (Linux)
#
# Authors:
# Sharath S <sharaths at secpod.com>
@@ -27,49 +27,46 @@
if(description)
{
script_id(900321);
- script_version("$Revision: 1.0 $");
- script_cve_id("CVE-2009-0658");
- script_bugtraq_id(33751);
- script_name(english:"Buffer Overflow Vulnerability in Adobe Acrobat and Reader (Linux)");
+ script_version("$Revision: 1.1 $");
+ script_cve_id("CVE-2009-0658", "CVE-2009-0927");
+ script_bugtraq_id(33751, 34169, 34229);
+ script_name(english:"Buffer Overflow Vulnerability in Adobe Reader (Linux)");
desc["english"] = "
- Overview: This host has Adobe Acrobat or Adobe Reader installed, and is prone
- to buffer overflow vulnerability.
+ Overview: This host has Adobe Reader installed, and is prone to buffer
+ overflow vulnerability.
Vulnerability Insight:
- Error in array indexing while processing JBIG2 streams. This can be exploited
- to corrupt arbitrary memory via a specially crafted PDF file, related to a
- non-JavaScript function call.
+ This issue is caused due to error in array indexing while processing JBIG2
+ streams and unspecified vulnerability related to a JavaScript method.
Impact:
- Allow remote attacker to execute arbitrary code in context of the affect
- application and can compromise a user's system.
+ This can be exploited to corrupt arbitrary memory via a specially crafted
+ PDF file, related to a non-JavaScript function call and to execute
+ arbitrary code in context of the affected application.
- Impact Level: Application
+ Impact Level: Application/System
Affected Software/OS:
- Adobe Reader version 8.1.3 and prior
- Adobe Acrobat version 9.0 and prior on Linux.
+ Adobe Reader version 9.x < 9.1, 8.x < 8.1.4, 7.x < 7.1.1 on Linux
- Fix: No solution or patch is available as on 03rd March, 2009. Information
- regarding this issue will be updated once the solution details are available.
- For updates refer, http://www.adobe.com/support/security
+ Fix: Upgrade to Adobe Reader version 9.1 or 8.1.4
+ http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix
References:
http://secunia.com/advisories/33901
- http://securitytracker.com/alerts/2009/Feb/1021739.html
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219
+ http://www.adobe.com/support/security/bulletins/apsb09-03.html
+ http://www.adobe.com/support/security/bulletins/apsb09-04.html
http://www.adobe.com/support/security/advisories/apsa09-01.html
http://downloads.securityfocus.com/vulnerabilities/exploits/33751-PoC.pl
- http://www.symantec.com/security_response/writeup.jsp?docid=2009-021212-5523-99&tabid=1
CVSS Score:
CVSS Base Score : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
- CVSS Temporal Score : 8.4
- Risk factor: Critical";
+ CVSS Temporal Score : 7.3
+ Risk factor: High";
script_description(english:desc["english"]);
- script_summary(english:"Check for the version of Adobe Acrobat and Reader");
+ script_summary(english:"Check for the version of Adobe Reader");
script_category(ACT_GATHER_INFO);
script_copyright(english:"Copyright (C) 2009 SecPod");
script_family(english:"Buffer overflow");
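Review bot: `script_cve_id("CVE-2009-0658", "CVE-2009-0927")` lists two identifiers while the Windows counterpart modified in the same commit lists six for the same apsb09-04 bulletin cited in the References block; if the additional four do not apply to the Linux build a short comment saying so would stop the next maintainer from "fixing" the list, and if they do apply they belong here. The new `Affected Software/OS` text says 7.x < 7.1.1 is vulnerable, yet the Fix line only offers `9.1 or 8.1.4` — the Windows script names 7.1.1 as well, so the two descriptions should agree.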
@@ -81,11 +78,14 @@
include("version_func.inc");
+# Check for Adobe Reader version prior to 9.1.0 or 8.1.4 or 7.1.1
readerVer = get_kb_item("Adobe/Reader/Linux/Version");
-if(!readerVer){
- exit(0);
+if(readerVer)
+{
+ if(version_in_range(version:readerVer, test_version:"7.0", test_version2:"7.1.0")||
+ version_in_range(version:readerVer, test_version:"8.0", test_version2:"8.1.3")||
+ readerVer =~ "9.0"){
+ security_hole(0);
+ }
}
-if(version_is_less_equal(version:readerVer, test_version:"8.1.3")){
- security_hole(0);
-}
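Review bot: `readerVer =~ "9.0"` on the new side is an unanchored regex in which `.` matches any character, so it matches "9.0" anywhere in the string rather than the 9.0.x branch; anchor and escape it, `readerVer =~ "^9\.0"`, so it reads like the two `version_in_range` branches above it. The same pattern appears twice in the last hunk of secpod_adobe_prdts_bof_vuln_win.nasl (the `readerVer =~ "9.0"` and `acrobatVer =~ "9.0"` lines) and should be fixed there as well. The new ranges start at 7.0, so a 6.x install that the removed `version_is_less_equal(version:readerVer, test_version:"8.1.3")` test flagged is no longer reported; if that narrowing is intended it deserves a comment, e.g. `# branches below 7.0 are deliberately not checked — confirm against apsb09-04`.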
Modified: trunk/openvas-plugins/scripts/secpod_adobe_prdts_bof_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_adobe_prdts_bof_vuln_win.nasl 2009-03-26 09:35:42 UTC (rev 2912)
+++ trunk/openvas-plugins/scripts/secpod_adobe_prdts_bof_vuln_win.nasl 2009-03-26 10:19:12 UTC (rev 2913)
@@ -1,6 +1,6 @@
###############################################################################
# OpenVAS Vulnerability Test
-# $Id: secpod_adobe_prdts_bof_vuln_win.nasl 1064 2009-02-25 15:55:26Z feb $
+# $Id: secpod_adobe_prdts_bof_vuln_win.nasl 1061 2009-03-25 15:55:26Z mar $
#
# Buffer Overflow Vulnerability in Adobe Acrobat and Reader (Win)
#
@@ -27,9 +27,10 @@
if(description)
{
script_id(900320);
- script_version("$Revision: 1.0 $");
- script_cve_id("CVE-2009-0658");
- script_bugtraq_id(33751);
+ script_version("$Revision: 1.1 $");
+ script_cve_id("CVE-2009-0658", "CVE-2009-0927", "CVE-2009-0193",
+ "CVE-2009-0928", "CVE-2009-1061", "CVE-2009-1062");
+ script_bugtraq_id(33751, 34169, 34229);
script_name(english:"Buffer Overflow Vulnerability in Adobe Acrobat and Reader (Win)");
desc["english"] = "
@@ -37,35 +38,33 @@
to buffer overflow vulnerability.
Vulnerability Insight:
- Error in array indexing while processing JBIG2 streams. This can be exploited
- to corrupt arbitrary memory via a specially crafted PDF file, related to a
- non-JavaScript function call.
+ This issue is caused due to error in array indexing while processing JBIG2
+ streams and unspecified vulnerability related to a JavaScript method.
Impact:
- Allow remote attacker to execute arbitrary code in context of the affected
- application and can compromise a user's system.
+ This can be exploited to corrupt arbitrary memory via a specially crafted
+ PDF file, related to a non-JavaScript function call and to execute
+ arbitrary code in context of the affected application.
Impact Level: Application/System
Affected Software/OS:
- Adobe Reader and Acrobat version 9.0 and prior on Windows.
+ Adobe Reader/Acrobat version 9.x < 9.1, 8.x < 8.1.4, 7.x < 7.1.1 on Windows.
- Fix: No solution or patch is available as on 03rd March, 2009. Information
- regarding this issue will be updated once the solution details are available.
- For updates refer, http://www.adobe.com/support/security
+ Fix: Upgrade to Reader/Acrobat version 9.1 or 7.1.1 or 8.1.4
+ http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
References:
http://secunia.com/advisories/33901
- http://securitytracker.com/alerts/2009/Feb/1021739.html
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219
+ http://www.adobe.com/support/security/bulletins/apsb09-03.html
+ http://www.adobe.com/support/security/bulletins/apsb09-04.html
http://www.adobe.com/support/security/advisories/apsa09-01.html
http://downloads.securityfocus.com/vulnerabilities/exploits/33751-PoC.pl
- http://www.symantec.com/security_response/writeup.jsp?docid=2009-021212-5523-99&tabid=1
CVSS Score:
CVSS Base Score : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
- CVSS Temporal Score : 8.4
- Risk factor: Critical";
+ CVSS Temporal Score : 7.3
+ Risk factor: High";
script_description(english:desc["english"]);
script_summary(english:"Check for the version of Adobe Acrobat and Reader");
@@ -80,21 +79,26 @@
include("version_func.inc");
+# Check for Adobe Reader version prior to 9.1.0 or 8.1.4 or 7.1.1
readerVer = get_kb_item("Adobe/Reader/Win/Ver");
-acrobatVer = get_kb_item("Adobe/Acrobat/Win/Ver");
-
if(readerVer)
{
- if(version_is_less_equal(version:readerVer, test_version:"9.0.0"))
+ if(version_in_range(version:readerVer, test_version:"7.0", test_version2:"7.1.0")||
+ version_in_range(version:readerVer, test_version:"8.0", test_version2:"8.1.3")||
+ readerVer =~ "9.0")
{
security_hole(0);
exit(0);
}
}
+# Check for Acrobat Reader version prior to 9.1.0 or 8.1.4 or 7.1.1
+acrobatVer = get_kb_item("Adobe/Acrobat/Win/Ver");
if(acrobatVer)
{
- if(version_is_less_equal(version:acrobatVer, test_version:"9.0.0")){
- security_hole(0);
- }
+ if(version_in_range(version:acrobatVer, test_version:"7.0", test_version2:"7.1.0")||
+ version_in_range(version:acrobatVer, test_version:"8.0", test_version2:"8.1.3")||
+ acrobatVer =~ "9.0"){
+ security_hole(0);
+ }
}
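Review bot: The new comment `# Check for Acrobat Reader version prior to 9.1.0 or 8.1.4 or 7.1.1` sits above the Adobe Acrobat check (`Adobe/Acrobat/Win/Ver`), not a Reader check; `# Check for Adobe Acrobat version prior to 9.1.0 or 8.1.4 or 7.1.1` says what the block tests. Moving `acrobatVer = get_kb_item(...)` next to its use is fine, but the Reader branch ends with `exit(0)` while the Acrobat branch does not, so a host with both products installed gets a single finding — a one-line comment that one alert per host is intended would save the next reader a question.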
Added: trunk/openvas-plugins/scripts/secpod_expert_pdf_editorx_activex_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_expert_pdf_editorx_activex_vuln.nasl 2009-03-26 09:35:42 UTC (rev 2912)
+++ trunk/openvas-plugins/scripts/secpod_expert_pdf_editorx_activex_vuln.nasl 2009-03-26 10:19:12 UTC (rev 2913)
@@ -0,0 +1,110 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id:secpod_expert_pdf_editorx_activex_vuln.nasl 1068 2009-03-24 19:50:24Z mar $
+#
+# Expert PDF EditorX ActiveX File Overwrite Vulnerability
+#
+# Authors:
+# Sujit Ghosal <sghosal at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900481);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2008-6496");
+ script_bugtraq_id(32664);
+ script_name(english:"Expert PDF EditorX ActiveX File Overwrite Vulnerability");
+ desc["english"] = "
+
+ Overview: This host is installed with Expert PDF EditorX and is
+ prone to ActiveX file overwrite vulnerability.
+
+ Vulnerability Insight:
+ This flaw is due to an ActiveX control in Expert PDF EditorX file
+ 'VSPDFEditorX.ocx' providing insecure 'extractPagesToFile' method.
+
+ Impact:
+ Successful exploitation will let the attacker corrupt or overwrite
+ arbitrary files on the user's system.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ Expert PDF EditorX 'VSPDFEditorX.ocx' version 1.0.1910.0 and prior.
+
+ Workaround:
+ Set the Killbit for the vulnerable CLSID {89F968A1-DBAC-4807-9B3C-405A55E4A279}
+ http://support.microsoft.com/kb/240797
+
+ Fix: No solution or patch is available as on 26th March, 2009. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.visagesoft.com/products/pdfeditorx
+
+ References:
+ http://secunia.com/advisories/32990
+ http://www.milw0rm.com/exploits/7358
+ http://xforce.iss.net/xforce/xfdb/47166
+
+ CVSS Score:
+ CVSS Base Score : 8.8 (AV:N/AC:M/Au:NR/C:N/I:C/A:C)
+ CVSS Temporal Score : 7.9
+ Risk factor: High";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the 'VSPDFEditorX.ocx' Version and Killbit");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"General");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("version_func.inc");
+include("secpod_activex.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+}
+
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+foreach item (registry_enum_keys(key:key))
+{
+ editorx = registry_get_sz(key:key + item, item:"DisplayName");
+ if("eXPert PDF EditorX" >< editorx)
+ {
+ ocxVer = registry_get_sz(key:key + item, item:"DisplayVersion");
+ break;
+ }
+}
+
+if(ocxVer != NULL)
+{
+ # Grep for VSPDFEditorX.ocx version 1.0.1910.0 and prior
+ if(version_is_less_equal(version:ocxVer, test_version:"1.0.1910.0"))
+ {
+ if(is_killbit_set(clsid:"{89F968A1-DBAC-4807-9B3C-405A55E4A279}") == 0){
+ security_hole(0);
+ }
+ }
+}
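Review bot: `ocxVer` is read from the Uninstall entry's `DisplayVersion`, i.e. the product version of Expert PDF EditorX, while the summary and the comment `# Grep for VSPDFEditorX.ocx version 1.0.1910.0 and prior` describe it as the version of the OCX control; the two may not track each other, so either version the control's file itself or document the assumption, `# product DisplayVersion is used as a proxy for the VSPDFEditorX.ocx file version — confirm they match`. When no Uninstall entry matches, `ocxVer` is never assigned and the script falls through to `if(ocxVer != NULL)`; that works in NASL, but an explicit `exit(0)` after the loop when nothing matched makes the intent clearer. The `is_killbit_set(...) == 0` gate correctly suppresses the alert when the kill bit already mitigates the control.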
Property changes on: trunk/openvas-plugins/scripts/secpod_expert_pdf_editorx_activex_vuln.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/secpod_openfire_mult_vuln_mar09.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_openfire_mult_vuln_mar09.nasl 2009-03-26 09:35:42 UTC (rev 2912)
+++ trunk/openvas-plugins/scripts/secpod_openfire_mult_vuln_mar09.nasl 2009-03-26 10:19:12 UTC (rev 2913)
@@ -0,0 +1,100 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_openfire_mult_vuln_mar09.nasl 1114 2009-03-25 17:30:29Z mar $
+#
+# Openfire Multiple Vulnerabilities (Mar09)
+#
+# Authors:
+# Sujit Ghosal <sghosal at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900484);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2008-6511", "CVE-2008-6510", "CVE-2008-6508", "CVE-2008-6509");
+ script_bugtraq_id(32189);
+ script_name(english:"Openfire Multiple Vulnerabilities (Mar09)");
+ desc["english"] = "
+
+ Overview: This host is running Openfire and is prone to multiple
+ vulnerabilities.
+
+ Vulnerability Insight:
+ Multiple flaws are due to,
+ - error in the AuthCheckFilter which causes access to administrative
+ resources without admin authentication.
+ - error in the type parameter inside the file 'sipark-log-summary.jsp'
+ which causes SQL Injection attack.
+ - error in the 'login.jsp' URL parameter which accept malicious chars
+ as input which causes XSS attack.
+ - error in the SIP-Plugin which is deactivated by default which lets the
+ attack install the plugin by using admin authentication bypass methods.
+
+ Impact:
+ Successful exploitation will let the attacker cause multiple attacks in
+ the context of the application i.e. Cross site scripting, disclosure of
+ sensitive information, phishing attacks through the affected parameters.
+
+ Impact level: Application/Network
+
+ Affected Software/OS:
+ Openfire version prior to 3.6.1
+
+ Fix: Upgrade to the version 3.6.1 or later.
+ http://www.igniterealtime.org/downloads/index.jsp
+
+ References:
+ http://secunia.com/advisories/32478
+ http://www.milw0rm.com/exploits/7075
+ http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt
+ http://www.igniterealtime.org/builds/openfire/docs/latest/changelog.html
+
+ CVSS Score:
+ CVSS Base Score : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
+ CVSS Temporal Score : 7.3
+ Risk factor: High";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the version of Openfire");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Web application abuses");
+ script_dependencies("gb_openfire_detect.nasl");
+ script_require_ports("Services/www", 9090);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+firePort = get_http_port(default:9090);
+if(!firePort){
+ exit(0);
+}
+
+fireVer = get_kb_item("www/" + firePort + "/Openfire");
+if(fireVer != NULL)
+{
+ # Grep for Openfire version prior to 3.6.1
+ if(version_is_less(version:fireVer, test_version:"3.6.1")){
+ security_hole(firePort);
+ }
+}
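Review bot: This check fires for every Openfire version below 3.6.1, and gb_openfire_mult_vuln.nasl, modified in the same commit to read the same `www/<port>/Openfire` key and call the same `security_hole(firePort)`, fires for everything below 3.6.3, so a 3.6.0 host receives two high-severity findings for overlapping issues; if the two scripts are meant to coexist because they cover different CVE sets, a comment such as `# Overlaps with gb_openfire_mult_vuln.nasl (< 3.6.3); this script covers CVE-2008-6508..6511` would prevent someone deduplicating them later. Unlike the detector, this script never checks that the port is open before reporting, which is acceptable only because the key is set by gb_openfire_detect.nasl after a successful response — a comment on the `get_kb_item` line should say so.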
Property changes on: trunk/openvas-plugins/scripts/secpod_openfire_mult_vuln_mar09.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/secpod_postgresql_detect_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_postgresql_detect_lin.nasl 2009-03-26 09:35:42 UTC (rev 2912)
+++ trunk/openvas-plugins/scripts/secpod_postgresql_detect_lin.nasl 2009-03-26 10:19:12 UTC (rev 2913)
@@ -0,0 +1,69 @@
+#####################i##i########################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_postgresql_detect_lin.nasl 997 2009-03-18 18:40:29Z mar $
+#
+# PostgreSQL Version Detection (Linux)
+#
+# Authors:
+# Sujit Ghosal <sghosal at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900478);
+ script_version("$Revision: 1.0 $");
+ script_name(english:"PostgreSQL Version Detection (Linux)");
+ desc["english"] = "
+
+ Overview: The script detects the installed version of PostgreSQL and sets
+ the result in KB.
+
+ Risk Factor: Informational";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Set the KB for the Version of PostgreSQL");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"General");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+sock = ssh_login_or_reuse_connection();
+if(!sock){
+ exit(0);
+}
+
+postgresql = find_file(file_name:"psql", file_path:"/", useregex:TRUE,
+ regexpar:"$", sock:sock);
+foreach binaryName (postgresql)
+{
+ binaryName = chomp(binaryName);
+ postgresqlVer = get_bin_version(full_prog_name:binaryName, version_argv:"--version",
+ ver_pattern:"psql \(PostgreSQL\) ([0-9.]+)", sock:sock);
+ if(postgresqlVer[1] != NULL)
+ {
+ set_kb_item(name:"PostgreSQL/Lin/Ver", value:postgresqlVer[1]);
+ ssh_close_connection();
+ exit(0);
+ }
+}
+ssh_close_connection();
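Review bot: `ssh_login_or_reuse_connection()`, `find_file()` and `get_bin_version()` are not provided by the only included file, version_func.inc; presumably they come from ssh_func.inc, which this script neither includes nor prepares for via `script_dependencies("ssh_authorization.nasl")`, so it will either fail on an undefined function or run without credentials unless the engine includes it implicitly — confirm and add the include. `find_file(file_name:"psql", file_path:"/", ...)` walks the target's entire filesystem over SSH on every scan; restricting `file_path` to the usual binary directories, or at least commenting why a full-disk search is needed, keeps the detector cheap. The banner `#####################i##i#####...` at the top of the file has stray characters. Note also that what is versioned is the `psql` client binary, which can be present without a server, so consumers of `PostgreSQL/Lin/Ver` such as secpod_postgresql_dos_vuln_lin.nasl inherit that caveat — worth stating in the overview text.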
Added: trunk/openvas-plugins/scripts/secpod_postgresql_detect_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_postgresql_detect_win.nasl 2009-03-26 09:35:42 UTC (rev 2912)
+++ trunk/openvas-plugins/scripts/secpod_postgresql_detect_win.nasl 2009-03-26 10:19:12 UTC (rev 2913)
@@ -0,0 +1,71 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_postgresql_detect_win.nasl 997 2009-03-19 14:20:24Z mar $
+#
+# PostgreSQL Version Detection (Windows)
+#
+# Authors:
+# Sujit Ghosal <sghosal at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900479);
+ script_version("Revision: 1.0 ");
+ script_name(english:"PostgreSQL Version Detection (Windows)");
+ desc["english"] = "
+
+ Overview: This script detects the installed version of PostgreSQL and
+ saves the result in KB.
+
+ Risk factor: Informational";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Set the KB for the Version of PostgreSQL");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"General");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+include("smb_nt.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+}
+
+if(!registry_key_exists(key:"SOFTWARE\PostgreSQL")){
+ exit(0);
+}
+
+key = "SOFTWARE\PostgreSQL Global Development Group\PostgreSQL\";
+path = registry_get_sz(key:key, item:"Location");
+
+exePath = path + "\bin\postgres.exe";
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:exePath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:exePath);
+
+gresqlVer = GetVer(file:file, share:share);
+if(gresqlVer != NULL)
+{
+ set_kb_item(name:"PostgreSQL/Win/Ver", value:gresqlVer);
+}
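Review bot: `script_version("Revision: 1.0 ");` is missing the `$...$` keyword markers every other script in this commit uses (`"$Revision: 1.0 $"`), so svn will never expand it. The existence check tests `SOFTWARE\PostgreSQL` but the value is then read from a different key, `SOFTWARE\PostgreSQL Global Development Group\PostgreSQL\`, and `path` is used unchecked: when `registry_get_sz` returns NULL, `exePath` becomes `\bin\postgres.exe`, neither drive-letter regex matches, and `GetVer` is called with `share` equal to the whole path; add `if(!path){ exit(0); }` after the lookup and check the same key you read from. Whether `Location` lives directly under that key or under a per-installation subkey is not visible here — confirm against a real install and record it, e.g. `# Location is read from the top-level PostgreSQL key — confirm for installs that register per-version subkeys`.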
Property changes on: trunk/openvas-plugins/scripts/secpod_postgresql_detect_win.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/secpod_postgresql_dos_vuln_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_postgresql_dos_vuln_lin.nasl 2009-03-26 09:35:42 UTC (rev 2912)
+++ trunk/openvas-plugins/scripts/secpod_postgresql_dos_vuln_lin.nasl 2009-03-26 10:19:12 UTC (rev 2913)
@@ -0,0 +1,95 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_postgresql_dos_vuln_lin.nasl 997 2009-03-19 17:15:29Z mar $
+#
+# PostgreSQL Denial of Service Vulnerability (Linux)
+#
+# Authors:
+# Sujit Ghosal <sghosal at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900480);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2009-0922");
+ script_bugtraq_id(34090);
+ script_name(english:"PostgreSQL Denial of Service Vulnerability (Linux)");
+ desc["english"] = "
+
+ Overview: This host is installed with PostgreSQL Server and is prone to
+ denial of service vulnerabilities.
+
+ Vulnerability Insight:
+ This flaw is due to failure in converting a localized error message to the
+ client-specified encoding.
+
+ Impact:
+ Successful exploitation will let the attacker cause stack consumption or
+ denial of service through mismatched encoding conversion requests.
+
+ Affected Software/OS:
+ PostgreSQL versions before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25
+
+ Fix: Upgrade to respective version below,
+ PostgreSQL 8.3.7 or 8.2.13 or 8.1.17 or 8.0.21 or 7.4.25
+ http://www.postgresql.org
+
+ References:
+ https://bugzilla.redhat.com/show_bug.cgi?id=488156
+ http://archives.postgresql.org/pgsql-bugs/2009-02/msg00172.php
+
+ CVSS Score:
+ CVSS Base Score : 4.0 (AV:N/AC:L/Au:SI/C:N/I:N/A:P)
+ CVSS Temporal Score : 3.1
+ Risk factor: Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the version of PostgreSQL");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Denial of Service");
+ script_dependencies("secpod_postgresql_detect_lin.nasl", "find_service.nes");
+ script_require_ports("Services/postgres", 5432);
+ script_require_keys("PostgreSQL/Lin/Ver");
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+gresqlport = get_kb_item("Services/postgres");
+if(!gresqlport){
+ gresqlport = 5432;
+}
+
+pgsqlVer = get_kb_item("PostgreSQL/Lin/Ver");
+if(!pgsqlVer){
+ exit(0);
+}
+
+# Grep for PostgreSQL versions before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25
+if(version_in_range(version:pgsqlVer, test_version:"8.3", test_version2:"8.3.6") ||
+ version_in_range(version:pgsqlVer, test_version:"8.2", test_version2:"8.2.12") ||
+ version_in_range(version:pgsqlVer, test_version:"8.1", test_version2:"8.1.16") ||
+ version_in_range(version:pgsqlVer, test_version:"8.0", test_version2:"8.0.20") ||
+ version_in_range(version:pgsqlVer, test_version:"7.4", test_version2:"7.4.24")){
+ security_warning(gresqlport);
+}
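Review bot: The version compared here comes from `PostgreSQL/Lin/Ver`, which secpod_postgresql_detect_lin.nasl (added in the same commit) fills from the `psql` client binary, so a host with only the client installed, or with a server of a different version, is assessed against the wrong number; a comment on the `get_kb_item` line stating that assumption, `# version is taken from the psql client binary; the server may differ`, at least makes it visible. `include("http_func.inc");` is unused in this script and can be dropped. Falling back to `gresqlport = 5432;` when `Services/postgres` is absent attaches the finding to a port that find_service.nes did not confirm is listening — reporting only on the detected port, or commenting why 5432 is assumed, is preferable.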
Added: trunk/openvas-plugins/scripts/secpod_vlc_media_player_bof_vuln_lin_mar09.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_vlc_media_player_bof_vuln_lin_mar09.nasl 2009-03-26 09:35:42 UTC (rev 2912)
+++ trunk/openvas-plugins/scripts/secpod_vlc_media_player_bof_vuln_lin_mar09.nasl 2009-03-26 10:19:12 UTC (rev 2913)
@@ -0,0 +1,87 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_vlc_media_player_bof_vuln_lin_mar09.nasl 1115 2009-03-25 16:52:02Z mar $
+#
+# VLC Media Player Stack Overflow Vulnerability (Lin-Mar09)
+#
+# Authors:
+# Nikita MR <rnikita at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900531);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2009-1045");
+ script_bugtraq_id(34126);
+ script_name(english:"VLC Media Player Stack Overflow Vulnerability (Lin-Mar09)");
+ desc["english"] = "
+
+ Overview: This host is installed with VLC Media Player and is prone to
+ Stack Overflow Vulnerability.
+
+ Vulnerability Insight:
+ This flaw is due to improper boundary checking in status.xml in the web
+ interface by an overly long request.
+
+ Impact:
+ Successful exploitation allows the attacker to execute arbitrary codes
+ with escalated privileges and cause overflow in stack.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ VLC media player 0.9.8a and prior on Linux.
+
+ Fix: No solution or patch is available as on 26th March, 2009. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.videolan.org/vlc
+
+ References:
+ http://www.milw0rm.com/exploits/8213
+ http://xforce.iss.net/xforce/xfdb/49249
+ http://bugs.gentoo.org/show_bug.cgi?id=262708
+ http://www.openwall.com/lists/oss-security/2009/03/17/4
+
+ CVSS Score:
+ CVSS Base Score : 10.0 (AV:N/AC:L/Au:NR/C:C/I:C/A:C)
+ CVSS Temporal Score : 9.0
+ Risk factor: Critical";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the Version of VLC Media Player");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Buffer overflow");
+ script_dependencies("secpod_vlc_media_player_detect_lin.nasl");
+ script_require_keys("VLCPlayer/Lin/Ver");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+vlcVer = get_kb_item("VLCPlayer/Lin/Ver");
+if(!vlcVer){
+ exit(0);
+}
+
+if(version_is_less_equal(version:vlcVer, test_version:"0.9.8a")){
+ security_hole(0);
+}
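Review bot: The final `version_is_less_equal` check flags every VLC install at or below 0.9.8a, yet the description places the flaw in `status.xml` of the web interface, which the script never confirms is enabled, so the result is a version-based indication rather than a verified exposure and should be documented as such; a comment such as `# Version check only: does not verify that the VLC HTTP interface is enabled on the host` above the `if` would make that clear to whoever triages the finding. It is also worth confirming that `version_is_less_equal` in version_func.inc orders the alphanumeric suffix in `"0.9.8a"` the way the detection regex (which captures an optional trailing letter) assumes. The same point applies to the Windows variant in secpod_vlc_media_player_bof_vuln_win_mar09.nasl, which performs the identical check.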
Property changes on: trunk/openvas-plugins/scripts/secpod_vlc_media_player_bof_vuln_lin_mar09.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/secpod_vlc_media_player_bof_vuln_win_mar09.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_vlc_media_player_bof_vuln_win_mar09.nasl 2009-03-26 09:35:42 UTC (rev 2912)
+++ trunk/openvas-plugins/scripts/secpod_vlc_media_player_bof_vuln_win_mar09.nasl 2009-03-26 10:19:12 UTC (rev 2913)
@@ -0,0 +1,86 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_vlc_media_player_bof_vuln_win_mar09.nasl 1115 2009-03-24 16:52:02Z mar $
+#
+# VLC Media Player Stack Overflow Vulnerability (Win-Mar09)
+#
+# Authors:
+# Nikita MR <rnikita at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900530);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2009-1045");
+ script_bugtraq_id(34126);
+ script_name(english:"VLC Media Player Stack Overflow Vulnerability (Win-Mar09)");
+ desc["english"] = "
+
+ Overview: This host is installed with VLC Media Player and is prone to
+ Stack Overflow Vulnerability.
+
+ Vulnerability Insight:
+ This flaw is due to improper boundary checking in status.xml in the web
+ interface by an overly long request.
+
+ Impact:
+ Successful exploitation allows the attacker to execute arbitrary codes
+ with escalated privileges and cause overflow in stack.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ VLC media player 0.9.8a and prior on Windows.
+
+ Fix: No solution or patch is available as on 26th March, 2009. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.videolan.org/vlc
+
+ References:
+ http://www.milw0rm.com/exploits/8213
+ http://xforce.iss.net/xforce/xfdb/49249
+ http://www.openwall.com/lists/oss-security/2009/03/17/4
+
+ CVSS Score:
+ CVSS Base Score : 10.0 (AV:N/AC:L/Au:NR/C:C/I:C/A:C)
+ CVSS Temporal Score : 9.0
+ Risk factor: Critical";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the Version of VLC Media Player");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Buffer overflow");
+ script_dependencies("secpod_vlc_media_player_detect_win.nasl");
+ script_require_keys("VLCPlayer/Win/Ver");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+vlcVer = get_kb_item("VLCPlayer/Win/Ver");
+if(!vlcVer){
+ exit(0);
+}
+
+if(version_is_less_equal(version:vlcVer, test_version:"0.9.8a")){
+ security_hole(0);
+}
Property changes on: trunk/openvas-plugins/scripts/secpod_vlc_media_player_bof_vuln_win_mar09.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/secpod_vlc_media_player_detect_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_vlc_media_player_detect_lin.nasl 2009-03-26 09:35:42 UTC (rev 2912)
+++ trunk/openvas-plugins/scripts/secpod_vlc_media_player_detect_lin.nasl 2009-03-26 10:19:12 UTC (rev 2913)
@@ -0,0 +1,66 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_vlc_media_player_detect_lin.nasl 1115 2009-03-24 18:47:29Z mar $
+#
+# VLC Media Player Version Detection (Lin)
+#
+# Authors:
+# Nikita MR <rnikita at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900529);
+ script_version("$Revision: 1.0 $");
+ script_name(english:"VLC Media Player Version Detection (Lin)");
+ desc["english"] = "
+ Overview: This script detects the installed version of VLC Media Player
+ and sets the result in KB.
+
+ Risk Factor: Informational";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Set KB for the version of VLC Media Player");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"General");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+sock = ssh_login_or_reuse_connection();
+if(!sock){
+ exit(0);
+}
+
+vlcBinPath = find_bin(prog_name:"vlc", sock:sock);
+foreach binPath (vlcBinPath)
+{
+ vlcVer = get_bin_version(full_prog_name:chomp(binPath), version_argv:"--version",
+ ver_pattern:"VLC version ([0-9\.]+[a-z]?)", sock:sock);
+ if(vlcVer[1] != NULL)
+ {
+ set_kb_item(name:"VLCPlayer/Lin/Ver", value:vlcVer[1]);
+ ssh_close_connection();
+ exit(0);
+ }
+}
+ssh_close_connection();
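Review bot: The script calls `ssh_login_or_reuse_connection`, `find_bin`, `get_bin_version` and `ssh_close_connection` but only includes `version_func.inc`; unless that file transitively provides the SSH helpers, an `include("ssh_func.inc");` is needed for these names to resolve. The description block also declares no dependency on the SSH credential setup, so adding `script_dependencies("ssh_authorization.nasl");` would let the scheduler run it only after login data is available. A short comment on the `foreach` loop noting that the first binary with a parseable version wins and the remaining paths are not examined would help readers of the KB value.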
Property changes on: trunk/openvas-plugins/scripts/secpod_vlc_media_player_detect_lin.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/secpod_vlc_media_player_detect_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_vlc_media_player_detect_win.nasl 2009-03-26 09:35:42 UTC (rev 2912)
+++ trunk/openvas-plugins/scripts/secpod_vlc_media_player_detect_win.nasl 2009-03-26 10:19:12 UTC (rev 2913)
@@ -0,0 +1,59 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_vlc_media_player_detect_win.nasl 1115 2009-03-24 17:47:29Z mar $
+#
+# VLC Media Player Version Detection (Win)
+#
+# Authors:
+# Nikita MR <rnikita at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900528);
+ script_version("$Revision: 1.0 $");
+ script_name(english:"VLC Media Player Version Detection (Win)");
+ desc["english"] = "
+ Overview: This script detects the installed version of VLC Media Player
+ and sets the result in KB.
+
+ Risk Factor: Informational";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Set KB for the version of VLC Media Player");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"General");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+}
+
+vlcVer = registry_get_sz(item:"Version", key:"SOFTWARE\VideoLAN\VLC");
+if(vlcVer != NULL){
+ set_kb_item(name:"VLCPlayer/Win/Ver", value:vlcVer);
+}
Property changes on: trunk/openvas-plugins/scripts/secpod_vlc_media_player_detect_win.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/secpod_winasm_studio_wap_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_winasm_studio_wap_bof_vuln.nasl 2009-03-26 09:35:42 UTC (rev 2912)
+++ trunk/openvas-plugins/scripts/secpod_winasm_studio_wap_bof_vuln.nasl 2009-03-26 10:19:12 UTC (rev 2913)
@@ -0,0 +1,106 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_winasm_studio_wap_bof_vuln.nasl 1087 2009-03-25 10:34:01Z mar $
+#
+# WinAsm Studio Buffer Overflow Vulnerability
+#
+# Authors:
+# Nikita MR <rnikita at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900532);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2009-1040");
+ script_bugtraq_id(34132);
+ script_name(english:"WinAsm Studio Buffer Overflow Vulnerability");
+ desc["english"] = "
+
+ Overview: This host is running WinAsm Studio and is prone to Heap Overflow
+ Vulnerability.
+
+ Vulnerability Insight:
+ Improper boundary checking while handling project files which leads to
+ heap overflow while processing crafted '.wap' files.
+
+ Impact:
+ Successful exploitation will let the attacker execute arbitrary codes in
+ the context of the application to cause heap overflow.
+
+ Impact level: System/Application
+
+ Affected Software/OS:
+ WinAsm Studio version 5.1.5.0 and prior.
+
+ Fix: No solution or patch is available as on 26th March, 2009. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.winasm.net
+
+ References:
+ http://secunia.com/advisories/34309
+ http://www.milw0rm.com/exploits/8224
+ http://xforce.iss.net/xforce/xfdb/49266
+
+ CVSS Score:
+ CVSS Base Score : 9.0 (AV:N/AC:L/Au:NR/C:P/I:P/A:C)
+ CVSS Temporal Score : 8.1
+ Risk factor: Critical";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the version of WinAsm Studio");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Buffer overflow");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+}
+
+progDir = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion\",
+ item:"ProgramFilesDir");
+if(!progDir){
+ exit(0);
+}
+
+winasmPath1 = progDir + "\WinAsm\WinAsm.exe";
+winasmPath2 = progDir - "Program Files" + "\WinAsm\WinAsm.exe";
+
+foreach path (make_list(winasmPath1, winasmPath2))
+{
+ share = ereg_replace(pattern:"([A-Z]):.*",replace:"\1$",string:path);
+ file = ereg_replace(pattern:"[A-Z]:(.*)",replace:"\1",string:path);
+ version = GetVer(file:file, share:share);
+ if(version != NULL){
+ break;
+ }
+}
+
+if(version_is_less_equal(version:version, test_version:"5.1.5.0")){
+ security_hole(0);
+}
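Review bot: When neither candidate path yields a file version, `version` stays NULL and is still passed to `version_is_less_equal`, so the outcome depends on how version_func.inc treats an empty version and may produce a false positive; guard it before the comparison with `if(!version){ exit(0); }`, matching the style used for `progDir` above. The `winasmPath2` derivation (`progDir - "Program Files" + "\WinAsm\WinAsm.exe"`) appears to leave a double backslash after the drive letter when `progDir` is `C:\Program Files`, which is worth a comment stating that this form is intended. The share and file regexes here accept only `[A-Z]` drive letters while secpod_wingate_detect.nasl in the same commit uses `[A-Za-z]`; the two should agree.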
Property changes on: trunk/openvas-plugins/scripts/secpod_winasm_studio_wap_bof_vuln.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/secpod_wingate_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_wingate_detect.nasl 2009-03-26 09:35:42 UTC (rev 2912)
+++ trunk/openvas-plugins/scripts/secpod_wingate_detect.nasl 2009-03-26 10:19:12 UTC (rev 2913)
@@ -0,0 +1,68 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_wingate_detect.nasl 760 2009-03-18 11:58:02Z mar $
+#
+# Qbik WinGate Version Detection
+#
+# Authors:
+# Sharath S <sharaths at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900324);
+ script_version("$Revision: 1.0 $");
+ script_name(english:"Qbik WinGate Version Detection");
+ desc["english"] = "
+ Overview: This script detects the version of WinGate and sets the
+ result in KB.
+
+ Risk factor: Informational";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Set KB for the version of WinGate");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPOd");
+ script_family(english:"General");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+}
+
+path = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion" +
+ "\App Paths\gatekeeper.exe", item:"Path");
+if(path)
+{
+ path = path - "\Gatekeeper.exe" + "\WinGate.exe";
+ share = ereg_replace(pattern:"([A-Za-z]):.*", replace:"\1$", string:path);
+ file = ereg_replace(pattern:"[A-Za-z]:(.*)", replace:"\1", string:path);
+ winGateVer = GetVer(file:file, share:share);
+
+ if(winGateVer != NULL){
+ set_kb_item(name:"WinGate/Ver", value:winGateVer);
+ }
+}
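Review bot: The copyright string `"Copyright (C) 2009 SecPOd"` in the description block has a typo and differs from every other script in this commit; it should read `"Copyright (C) 2009 SecPod"`. The path rewrite `path - "\Gatekeeper.exe" + "\WinGate.exe"` is a no-op when the App Paths `Path` value holds only the directory, and a case-sensitive substring removal otherwise (the registry key itself is spelled `gatekeeper.exe`), so a comment spelling out which form of the value is expected would prevent a silent wrong path.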
Added: trunk/openvas-plugins/scripts/secpod_wingate_http_proxy_serv_acl_bypass_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_wingate_http_proxy_serv_acl_bypass_vuln.nasl 2009-03-26 09:35:42 UTC (rev 2912)
+++ trunk/openvas-plugins/scripts/secpod_wingate_http_proxy_serv_acl_bypass_vuln.nasl 2009-03-26 10:19:12 UTC (rev 2913)
@@ -0,0 +1,98 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_wingate_http_proxy_serv_acl_bypass_vuln.nasl 760 2009-03-18 17:10:29Z mar $
+#
+# Qbik WinGate HTTP Proxy Server Access Controls Bypass Vulnerability
+#
+# Authors:
+# Sharath S <sharaths at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900325);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2009-0802");
+ script_bugtraq_id(33858);
+ script_name(english:"Qbik WinGate HTTP Proxy Server Access Controls Bypass Vulnerability");
+ desc["english"] = "
+
+ Overview: This host is running WinGate HTTP Proxy Server and is prone to
+ access controls bypass vulnerability.
+
+ Vulnerability Insight:
+ This issue occurs when the proxy makes a forwarding decision based on the
+ 'Host' HTTP header instead of the destination IP address while the proxy
+ server works in transparent interception mode.
+
+ Impact:
+ Successful exploitation will let the attacker obtain sensitive information
+ i.e. Intranet webpage details.
+
+ Impact Level: Application/Network
+
+ Affected Software/OS:
+ WinGate version 6.0 to 6.5.2 Build 1217.
+
+ Fix: No solution or patch is available as on 26th March, 2009. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.wingate.com
+
+ References:
+ http://secunia.com/advisories/34020
+ http://www.kb.cert.org/vuls/id/435052
+
+ CVSS Score:
+ CVSS Base Score : 7.1 (AV:N/AC:M/Au:NR/C:C/I:N/A:N)
+ CVSS Temporal Score : 6.1
+ Risk factor: High";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the Version of WinGate");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Web application abuses");
+ script_dependencies("secpod_wingate_detect.nasl", "find_service.nes");
+ script_require_keys("WinGate/Ver");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+GatePort = get_http_port(default:80);
+if(!GatePort){
+ exit(0);
+}
+
+banner = get_http_banner(port:GatePort);
+if("WinGate" >< banner && "WinGate Engine" >!< banner)
+{
+ winGateVer = get_kb_item("WinGate/Ver");
+ if(winGateVer != NULL)
+ {
+ # Check for version 6.5.2 build 1217 and prior
+ if(version_in_range(version:winGateVer, test_version:"6.0",
+ test_version2:"6.5.2.1217")){
+ security_hole(GatePort);
+ }
+ }
+}
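Review bot: The banner condition `"WinGate" >< banner && "WinGate Engine" >!< banner` excludes a specific product banner without explanation, and since that decision determines whether the version check runs at all, it deserves a comment such as `# Skip the "WinGate Engine" banner: only the HTTP proxy service is affected` (or whatever the actual reason is). It would also help to note next to the `version_in_range` call that the version comes from the registry-based detect script while the port comes from the HTTP banner, so the two may describe different services on a multi-homed host.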
Property changes on: trunk/openvas-plugins/scripts/secpod_wingate_http_proxy_serv_acl_bypass_vuln.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/secpod_ziproxy_sec_bypass_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ziproxy_sec_bypass_vuln.nasl 2009-03-26 09:35:42 UTC (rev 2912)
+++ trunk/openvas-plugins/scripts/secpod_ziproxy_sec_bypass_vuln.nasl 2009-03-26 10:19:12 UTC (rev 2913)
@@ -0,0 +1,91 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ziproxy_sec_bypass_vuln.nasl 754 2009-03-25 16:35:29Z mar $
+#
+# Ziproxy Security Bypass Vulnerability
+#
+# Authors:
+# Nikita MR <rnikita at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900523);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2009-0804");
+ script_bugtraq_id(33858);
+ script_name(english:"Ziproxy Security Bypass Vulnerability");
+ desc["english"] = "
+
+ Overview: This host is running Ziproxy server and is prone to security
+ bypass vulnerability.
+
+ Vulnerability Insight:
+ This vulnerability arises because ziproxy depends on HTTP Host headers
+ to determine the remote endpoints while acting as a transparent proxy.
+
+ Impact:
+ This can be exploited to restrict websites or bypass a browser's
+ security context protection mechanism by sending HTTP requests with
+ forged HTTP Host header.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ Ziproxy version 2.6.0 and prior on Linux.
+
+ Fix: No solution or patch is available as on 26th March, 2009. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://ziproxy.sourceforge.net/
+
+ References:
+ http://secunia.com/advisories/34018/
+ http://www.kb.cert.org/vuls/id/435052
+
+ CVSS Score:
+ CVSS Base Score : 7.1 (AV:N/AC:M/Au:NR/C:C/I:N/A:N)
+ CVSS Temporal Score : 6.1
+ Risk factor: High";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the version of Ziproxy");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Privilege escalation");
+ script_dependencies("secpod_ziproxy_server_detect.nasl");
+ script_require_ports("Services/www", 8080);
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+zipPort = get_kb_item("Services/www");
+if(!zipPort){
+ exit(0);
+}
+
+ziproxyVer = get_kb_item("www/" + zipPort + "/Ziproxy");
+if(!ziproxyVer){
+ exit(0);
+}
+
+if(version_is_less_equal(version:ziproxyVer, test_version:"2.6.0")){
+ security_hole(zipPort);
+}
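Review bot: The port is read with `get_kb_item("Services/www")`, which returns a single entry, while the detect script sets the KB key under the port from `get_http_port(default:8080)`; on a host with several HTTP services the two can differ and `www/<port>/Ziproxy` is then never found, giving a silent false negative. Using `zipPort = get_http_port(default:8080);` here, together with `include("http_func.inc");`, keeps both scripts keyed on the same port. The family `"Privilege escalation"` does not match the access-bypass nature described in the summary; the WinGate script in the same commit uses `"Web application abuses"` for the same class of issue.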
Property changes on: trunk/openvas-plugins/scripts/secpod_ziproxy_sec_bypass_vuln.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/secpod_ziproxy_server_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ziproxy_server_detect.nasl 2009-03-26 09:35:42 UTC (rev 2912)
+++ trunk/openvas-plugins/scripts/secpod_ziproxy_server_detect.nasl 2009-03-26 10:19:12 UTC (rev 2913)
@@ -0,0 +1,70 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ziproxy_server_detect.nasl 754 2009-03-25 15:10:24Z mar $
+#
+# Ziproxy Server Version Detection
+#
+# Authors:
+# Nikita MR <rnikita at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900522);
+ script_version("Revision: 1.0 ");
+ script_name(english:"Ziproxy Server Version Detection");
+ desc["english"] = "
+ Overview: This script detects the installed version of Ziproxy Server
+ and sets the version in KB.
+
+ Risk factor: Informational";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Sets the KB for the version of Ziproxy Server");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"General");
+ script_dependencies("http_version.nasl");
+ script_require_ports("Services/www", 8080);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+zipPort = get_http_port(default:8080);
+if(!zipPort){
+ zipPort = 8080;
+}
+
+if(get_port_state(zipPort))
+{
+ sndReq = string("GET / \r\n\r\n");
+ rcvRes = http_keepalive_send_recv(port:zipPort, data:sndReq);
+ if("Server: ziproxy" >< rcvRes)
+ {
+ # Grep the Ziproxy Server Version from response
+ ziproxyVer = eregmatch(pattern:"ziproxy/([0-9.]+)", string:rcvRes);
+
+ if(ziproxyVer[1] != NULL){
+ set_kb_item(name:"www/" + zipPort + "/Ziproxy", value:ziproxyVer[1]);
+ }
+ }
+}
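Review bot: The `script_version("Revision: 1.0 ")` string is missing the `$...$` keyword delimiters that every other script in this commit uses (`"$Revision: 1.0 $"`), so it will not be expanded consistently with them. The probe `string("GET / \r\n\r\n")` is not a well-formed HTTP/1.x request (no protocol version, no Host header), so whether a `Server:` header ever appears in the reply depends on how ziproxy handles the malformed line; since http_func.inc is already included, `sndReq = http_get(item:"/", port:zipPort);` would send a proper request. The `if(!zipPort){ zipPort = 8080; }` fallback duplicates the default already passed to `get_http_port` and could carry a comment explaining what case it covers.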
Property changes on: trunk/openvas-plugins/scripts/secpod_ziproxy_server_detect.nasl
___________________________________________________________________
Name: svn:executable
+ *