[Openvas-commits] r3436 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Wed May 20 10:26:24 CEST 2009


Author: chandra
Date: 2009-05-20 10:26:22 +0200 (Wed, 20 May 2009)
New Revision: 3436

Added:
   trunk/openvas-plugins/scripts/secpod_ms_iis_detect.nasl
   trunk/openvas-plugins/scripts/secpod_ms_iis_webdav_auth_bypass_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_opensc_insecure_key_generation_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_sdp_downloader_bof_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_sdp_downloader_detect.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/cve_current.txt
Log:
Added new plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2009-05-20 06:40:28 UTC (rev 3435)
+++ trunk/openvas-plugins/ChangeLog	2009-05-20 08:26:22 UTC (rev 3436)
@@ -1,3 +1,11 @@
+2009-05-20 Chandrashekhar B <bchandra at secpod.com>
+	* scripts/secpod_ms_iis_webdav_auth_bypass_vuln.nasl,
+	scripts/secpod_sdp_downloader_bof_vuln.nasl,
+	scripts/secpod_opensc_insecure_key_generation_vuln.nasl,
+	scripts/secpod_ms_iis_detect.nasl,
+	scripts/secpod_sdp_downloader_detect.nasl:
+	Added new plugins
+
 2009-05-19 Thomas Reinke <reinke at securityspace.com>
 	* deb_1799_1.nasl freebsd_cyrus-sasl2.nasl freebsd_drupal512.nasl
 	freebsd_ghostscript8.nasl freebsd_libwmf0.nasl freebsd_libwmf.nasl

Modified: trunk/openvas-plugins/cve_current.txt
===================================================================
--- trunk/openvas-plugins/cve_current.txt	2009-05-20 06:40:28 UTC (rev 3435)
+++ trunk/openvas-plugins/cve_current.txt	2009-05-20 08:26:22 UTC (rev 3436)
@@ -45,6 +45,6 @@
 CVE-2009-1671			SecPod
 CVE-2009-1672			SecPod
 CVE-2009-1675			SecPod
-CVE-2009-1676			SecPod
+CVE-2009-1676			SecPod		svn
 CVE-2009-1677			SecPod
 CVE-2009-1678			SecPod

Added: trunk/openvas-plugins/scripts/secpod_ms_iis_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms_iis_detect.nasl	2009-05-20 06:40:28 UTC (rev 3435)
+++ trunk/openvas-plugins/scripts/secpod_ms_iis_detect.nasl	2009-05-20 08:26:22 UTC (rev 3436)
@@ -0,0 +1,72 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms_iis_detect.nasl 2386 2009-05-19 12:54:36Z may $
+#
+# Microsoft IIS Webserver Version Detection
+#
+# Authors:
+# Sujit Ghosal <sghosal at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(900710);
+  script_version("Revision: 1.0 ");
+  script_name(english:"Microsoft IIS Webserver Version Detection");
+  desc["english"] = "
+
+  Overview: This script detects the installed MS IIS Webserver and sets the
+  result in KB.
+
+  Risk factor: Informational";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Set the Version of Microsoft IIS in KB");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2009 SecPod");
+  script_family(english:"Service detection");
+  script_dependencies("find_service.nes");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+
+iisPort = get_http_port(default:80);
+if(!iisPort){
+  iisPort = 80;
+}
+
+if(!get_port_state(iisPort)){
+  exit(0);
+}
+
+request = http_get(item:string("/"), port:iisPort);
+response = http_send_recv(port:iisPort, data:request);
+
+if("Microsoft-IIS" >!< response){
+  exit(0);
+}
+
+iisVer = eregmatch(pattern:"IIS\/([0-9.]+)", string:response);
+if(iisVer[1] != NULL){
+  # KB for Internet Information Service (IIS)
+  set_kb_item(name:"IIS/" + iisPort + "/Ver", value:iisVer[1]);
+}
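Review bot: Both the `"Microsoft-IIS" >!< response` test and the `IIS\/([0-9.]+)` match run over the whole reply to `GET /`, headers and body alike, so a page that merely mentions an IIS version string would set `IIS/<port>/Ver` and hand a wrong version to dependent checks. Anchoring the match to the header avoids that, e.g. `iisVer = eregmatch(pattern:"Server: Microsoft-IIS\/([0-9.]+)", string:response);`, and `get_http_banner(port:iisPort)` from http_func.inc would fetch only the headers. Minor: `script_version("Revision: 1.0 ")` lacks the `$` keyword markers the other plugins in this commit use, `script_version("$Revision: 1.0 $");`.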


Property changes on: trunk/openvas-plugins/scripts/secpod_ms_iis_detect.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_ms_iis_webdav_auth_bypass_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms_iis_webdav_auth_bypass_vuln.nasl	2009-05-20 06:40:28 UTC (rev 3435)
+++ trunk/openvas-plugins/scripts/secpod_ms_iis_webdav_auth_bypass_vuln.nasl	2009-05-20 08:26:22 UTC (rev 3436)
@@ -0,0 +1,122 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms_iis_webdav_auth_bypass_vuln.nasl 2386 2009-05-19 13:22:23Z may $
+#
+# Microsoft IIS WebDAV Remote Authentication Bypass Vulnerability
+#
+# Authors:
+# Sujit Ghosal <sghosal at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(900711);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-1676", "CVE-2009-1535");
+  script_bugtraq_id(34993);
+  script_name(english:"Microsoft IIS WebDAV Remote Authentication Bypass Vulnerability");
+  desc["english"] = "
+
+  Overview: The host is running Microsoft IIS Webserver with WebDAV Module and
+  is prone to remote authentication bypass vulnerability.
+
+  Vulnerability Insight:
+  Due to the wrong implementation of UNICODE characters support (WebDAV extension)
+  for Microsoft IIS Server which fails to decode the requested URL properly.
+  Unicode character checks are being done after IIS Server internal security
+  check, which lets the attacker execute any crafted UNICODE character in the
+  HTTP requests to get information on any password protected directories without
+  any authentication schema.
+
+  Impact:
+  Successful exploitation will let the attacker craft malicious UNICODE characters
+  and send it over the context of IIS Webserver where WebDAV is enabled. As a
+  result due to lack of security implementation check it will let the user fetch
+  password protected directories without any valid authentications.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Microsoft Internet Information Services version 5.0 to 6.0
+
+  Workaround:
+  Disable WebDAV or Upgrade to Microsoft IIS 7.0
+  http://www.microsoft.com/technet/security/advisory/971492.mspx
+
+  Fix: No solution or patch is available as on 20th May, 2009. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.microsoft.com
+
+  References:
+  http://view.samurajdata.se/psview.php?id=023287d6&page=2
+  http://www.microsoft.com/technet/security/advisory/971492.mspx
+  http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html
+  http://downloads.securityfocus.com/vulnerabilities/exploits/34993.rb
+  http://downloads.securityfocus.com/vulnerabilities/exploits/34993.txt
+
+  CVSS Score:
+    CVSS Base Score     : 10.0 (AV:N/AC:L/Au:NR/C:C/I:C/A:C)
+    CVSS Temporal Score : 7.8
+  Risk factor: High";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Check for the version of IIS and presence of WebDAV");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2009 SecPod");
+  script_family(english:"Web Servers");
+  script_dependencies("secpod_ms_iis_detect.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+iisPort = get_http_port(default:80);
+if(!iisPort){
+  exit(0);
+}
+
+# For IIS WebDAV Enabled servers "MS-Author-VIA" header should be present.
+# "OPTIONS" HTTP Method fetches which HTTP methods are supported for your server.
+request = string("OPTIONS / HTTP/1.0 \r\n\r\n");
+response = http_send_recv(port:iisPort, data:request);
+if("200 OK" >!< response && "Server: Microsoft-IIS" >!< response)
+{
+  request = string("OPTIONS / HTTP/1.1 \r\n\r\n");
+  response = http_send_recv(port:iisPort, data:request);
+  if("200 OK" >!< response && "Server: Microsoft-IIS" >!< response){
+    exit(0);
+  }
+}
+
+# Check whether WebDAV Module is enabled.
+if("MS-Author-Via: DAV" >!< response){
+  exit(0);
+}
+
+iisVer = get_kb_item("IIS/" + iisPort + "/Ver");
+if(iisVer == NULL){
+  exit(0);
+}
+
+if(version_in_range(version:iisVer, test_version:"5.0", test_version2:"6.0")){
+  security_hole(iisPort);
+}
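Review bot: The two guards `if("200 OK" >!< response && "Server: Microsoft-IIS" >!< response)` bail out only when both strings are missing, so a non-IIS server answering 200 OK, or an IIS answering with an error status, still continues to the WebDAV test; `||` looks like what was intended: `if("200 OK" >!< response || "Server: Microsoft-IIS" >!< response)`. The request lines also carry a space before `\r\n`, and the HTTP/1.1 retry sends no Host header, which servers commonly reject with 400; `string("OPTIONS / HTTP/1.1\r\n", "Host: ", get_host_name(), "\r\n\r\n")` would be better formed. Because the verdict rests on the banner version stored in the KB plus the `MS-Author-Via: DAV` header, the description should state that the finding is inferred from version and configuration rather than from a confirmed bypass.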


Property changes on: trunk/openvas-plugins/scripts/secpod_ms_iis_webdav_auth_bypass_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_opensc_insecure_key_generation_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_opensc_insecure_key_generation_vuln.nasl	2009-05-20 06:40:28 UTC (rev 3435)
+++ trunk/openvas-plugins/scripts/secpod_opensc_insecure_key_generation_vuln.nasl	2009-05-20 08:26:22 UTC (rev 3436)
@@ -0,0 +1,90 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_opensc_insecure_key_generation_vuln.nasl 2248 2009-05-19 20:37:34Z may $
+#
+# OpenSC Incorrect RSA Keys Generation Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(900639);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-1603");
+  script_bugtraq_id(34884);
+  script_name(english:"OpenSC Incorrect RSA Keys Generation Vulnerability");
+  desc["english"] = "
+
+  Overview: This host is installed with OpenSC and is prone to Insecure Key
+  Generation vulnerability.
+
+  Vulnerability Insight:
+  Security issue are caused due to,
+  - a tool that starts a key generation with public exponent set to 1, an
+    invalid value that causes an insecure RSA key.
+  - a PKCS#11 module that accepts that this public exponent and forwards it
+    to the card.
+  - a card that accepts the public exponent and generates the rsa key.
+
+  Impact:
+  Successful exploitation will let the attacker to obtain the sensitive
+  information or gain unauthorized access to the smartcard.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  OpenSC version prior to 0.11.8 on Linux.
+
+  Fix:
+  Upgrade to OpenSC version 0.11.8
+  http://www.opensc-project.org/files/opensc
+
+  References:
+  http://secunia.com/advisories/35035
+  http://www.vupen.com/english/advisories/2009/1295
+  http://www.opensc-project.org/pipermail/opensc-announce/2009-May/000025.html
+
+  CVSS Score:
+   CVSS Base Score     : 4.3 (AV:N/AC:M/Au:NR/C:P/I:N/A:N)
+   CVSS Temporal Score : 3.4
+  Risk factor: Medium";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Check for the version of OpenSC");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2009 SecPOd");
+  script_family(english:"Privilege escalation");
+  script_dependencies("gb_opensc_detect.nasl");
+  script_require_keys("OpenSC/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+openscVer = get_kb_item("OpenSC/Ver");
+if(openscVer != NULL)
+{
+  # Check for the version OpenSC < 0.11.8
+  if(version_is_less(version:openscVer, test_version:"0.11.8")){
+    security_warning(0);
+  }
+}
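Review bot: The `Fix:` text only says to upgrade to 0.11.8, but by the plugin's own description the flaw yields RSA keys with public exponent 1, and such keys remain insecure after the software is upgraded. I would add a line such as `Keys generated with an affected version should be checked for a public exponent of 1 and regenerated.` The check itself is version-only (`version_is_less` on `OpenSC/Ver`), so the report cannot tell whether any weak key actually exists, and the description could say so. Minor: `script_copyright` spells the vendor `SecPOd`, and `Privilege escalation` is an odd family for a key-generation weakness.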

Added: trunk/openvas-plugins/scripts/secpod_sdp_downloader_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_sdp_downloader_bof_vuln.nasl	2009-05-20 06:40:28 UTC (rev 3435)
+++ trunk/openvas-plugins/scripts/secpod_sdp_downloader_bof_vuln.nasl	2009-05-20 08:26:22 UTC (rev 3436)
@@ -0,0 +1,87 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_sdp_downloader_bof_vuln.nasl 2283 2009-05-19 10:07:05Z may $
+#
+# SDP Downloader ASX File Heap Buffer Overflow Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+##############################################################################
+
+if(description)
+{
+  script_id(900642);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-1627");
+  script_bugtraq_id(34712);
+  script_name(english:"SDP Downloader ASX File Heap Buffer Overflow Vulnerability");
+  desc["english"] = "
+
+  Overview: This host is installed with SDP Downloader and is prone to Buffer
+  Overflow vulnerability.
+
+  Vulnerability Insight:
+  A boundary error exists while processing an HREF attribute of a REF element
+  in ASX files, due to which application fails to check user supplied input
+  before copying it into an insufficiently sized buffer.
+
+  Impact:
+  Successful exploits will allow attackers to execute arbitrary code and can
+  cause application crash via a long .asf URL.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  SDP Downloader version 2.3.0 and prior
+
+  Fix: No solution or patch is available as on 19th May, 2009. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://sdp.ppona.com
+
+  References:
+  http://secunia.com/advisories/34883
+  http://www.milw0rm.com/exploits/8536
+  http://www.vupen.com/english/advisories/2009/1171
+
+  CVSS Score:
+    CVSS Base Score     : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
+    CVSS Temporal Score : 8.4
+  Risk factor: Critical";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Checks for the version of SDP Downloader");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2009 SecPod");
+  script_family(english:"Buffer overflow");
+  script_dependencies("secpod_sdp_downloader_detect.nasl");
+  script_require_keys("SDP/Downloader/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+sdpVer = get_kb_item("SDP/Downloader/Ver");
+
+if(sdpVer != NULL)
+{
+  if(version_is_less_equal(version:sdpVer,test_version:"2.3.0")){
+    security_hole(0);
+  }
+}
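Review bot: `Risk factor: Critical` is given here for a CVSS base score of 9.3, while the IIS WebDAV plugin in this same commit labels a 10.0 score `Risk factor: High`; the labels should follow one scale, presumably `Risk factor: High`. The `Fix:` paragraph says no patch exists as of 19th May 2009 and offers no interim mitigation, unlike the IIS plugin's `Workaround:` section; a line such as `Workaround: Do not open ASX files from untrusted sources with SDP Downloader.` would give the reader something to act on. `version_is_less_equal` is applied to the raw `DisplayVersion` string read from the registry, so it is worth confirming that the value has the plain `x.y.z` form the comparison expects.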

Added: trunk/openvas-plugins/scripts/secpod_sdp_downloader_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_sdp_downloader_detect.nasl	2009-05-20 06:40:28 UTC (rev 3435)
+++ trunk/openvas-plugins/scripts/secpod_sdp_downloader_detect.nasl	2009-05-20 08:26:22 UTC (rev 3436)
@@ -0,0 +1,70 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_sdp_downloader_detect.nasl 2009-05-19 09:07:05Z may $
+#
+# SDP Downloader Version Detection
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(900641);
+  script_version("$Revision: 1.0 $");
+  script_name(english:"SDP Downloader Version Detection");
+  desc["english"] = "
+
+  Overview: This script detects the installed version of SDP Downloader
+  and sets the result in KB.
+
+  Risk factor: Informational";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Sets KB for the Version of SDP Downloader");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2009 SecPod");
+  script_family(english:"Service detection");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_keys("SMB/WindowsVersion");
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
+
+sdpKey = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+foreach item(registry_enum_keys(key:sdpKey))
+{
+  sdpName = registry_get_sz(key:sdpKey + item, item:"DisplayName");
+
+  if("SDP Downloader" >< sdpName)
+  {
+    sdpVer = registry_get_sz(key:sdpKey + item, item:"DisplayVersion");
+    if(sdpVer){
+      set_kb_item(name:"SDP/Downloader/Ver", value:sdpVer);
+    }
+    exit(0);
+  }
+}
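Review bot: Only `SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\` is enumerated, so on 64-bit Windows a 32-bit install, which would normally register under `SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\`, is presumably missed and the dependent overflow check stays silent. The `exit(0)` after the first `DisplayName` match also ends the scan when that entry has no `DisplayVersion`, so a second matching entry is never examined; moving `exit(0)` inside `if(sdpVer){ … }` fixes that. The substring test `"SDP Downloader" >< sdpName` accepts any product whose display name merely contains that text.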


