[Openvas-commits] r3460 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Sun May 24 11:22:38 CEST 2009


Author: mime
Date: 2009-05-24 11:22:37 +0200 (Sun, 24 May 2009)
New Revision: 3460

Added:
   trunk/openvas-plugins/scripts/httpdx_35006.nasl
   trunk/openvas-plugins/scripts/nsd_35029.nasl
   trunk/openvas-plugins/scripts/nsd_version.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/cve_current.txt
Log:
Added new plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2009-05-22 14:53:52 UTC (rev 3459)
+++ trunk/openvas-plugins/ChangeLog	2009-05-24 09:22:37 UTC (rev 3460)
@@ -1,3 +1,9 @@
+2009-05-24 Michael Meyer <mime at gmx.de>
+	* scripts/nsd_35029.nasl,
+	scripts/nsd_version.nasl,
+	scripts/httpdx_35006.nasl:
+	Added new plugins.
+
 2009-05-22 Chandan S <schandan at secpod.com>
 	* scripts/gb_mcafee_groupshield_exchange_sec_bypass_vuln.nasl,
 	scripts/secpod_mini_stream_castripper_bof_vuln.nasl,

Modified: trunk/openvas-plugins/cve_current.txt
===================================================================
--- trunk/openvas-plugins/cve_current.txt	2009-05-22 14:53:52 UTC (rev 3459)
+++ trunk/openvas-plugins/cve_current.txt	2009-05-24 09:22:37 UTC (rev 3460)
@@ -40,8 +40,8 @@
 CVE-2009-1646			SecPod
 CVE-2009-1647			SecPod
 
-35006 				mime
-35029				mime
+35006 				mime		svn
+35029				mime		svn
 CVE-2009-1252			SecPod
 CVE-2009-1418			SecPod
 CVE-2009-1671			SecPod

Added: trunk/openvas-plugins/scripts/httpdx_35006.nasl
===================================================================
--- trunk/openvas-plugins/scripts/httpdx_35006.nasl	2009-05-22 14:53:52 UTC (rev 3459)
+++ trunk/openvas-plugins/scripts/httpdx_35006.nasl	2009-05-24 09:22:37 UTC (rev 3460)
@@ -0,0 +1,113 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# httpdx Multiple Commands Remote Buffer Overflow Vulnerabilities
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+################################################################################
+
+if(description)
+{
+  script_id(100210);
+  script_bugtraq_id(35006);
+  script_version("1.0");
+  script_name(english:"httpdx Multiple Commands Remote Buffer Overflow Vulnerabilities");
+
+  desc["english"] = "
+
+  Overview:
+   The 'httpdx' program is prone to multiple remote buffer-overflow
+   vulnerabilities because the application fails to perform adequate
+   boundary-checks on user-supplied data.
+
+   An attacker can exploit these issues to execute arbitrary code
+   within the context of the affected application. Failed exploit
+   attempts will result in a denial-of-service condition.
+
+   These issues affect httpdx 0.5b; other versions may also be
+   affected. 
+   
+  See also:
+   http://www.securityfocus.com/bid/35006
+
+  Risk factor : Medium";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Determine if httpdx is vulnerable to buffer-overflow.");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2009 Michael Meyer");
+  script_family(english:"FTP");
+  script_dependencies("find_service.nes","secpod_ftp_anonymous.nasl","ftpserver_detect_type_nd_version.nasl");
+  script_require_ports("Services/ftp", 21);
+  exit(0);
+}
+
+include("ftp_func.inc");
+
+ftpPort = get_kb_item("Services/ftp");
+if(!ftpPort){
+  ftpPort = 21;
+}
+
+if(get_kb_item('ftp/'+port+'/broken'))exit(0);
+
+if(!get_port_state(ftpPort)){
+  exit(0);
+}
+
+if( ! banner = get_ftp_banner(port:ftpPort) ) exit(0);
+
+if( "httpdx" >< banner ) {
+
+  if( safe_checks() ) {
+
+   if( egrep(pattern:"httpdx 0.5 beta", string: banner) ) {
+
+      security_warning(port:ftpPort);
+      exit(0);
+   }  
+
+  } else {
+
+     soc = open_sock_tcp(ftpPort);
+   
+     if(!soc){
+       exit(0);
+     }
+
+     user = crap(length: 100000);
+     pass = "bla";
+
+     ftp_log_in(socket:soc, user:user, pass:pass);
+     close(soc);
+
+     sleep(2);
+
+     soc1 = open_sock_tcp(ftpPort);
+
+     if(!soc1){
+	security_warning(port:ftpPort);
+	exit(0);
+     } 
+  }
+}
+
+exit(0);
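Review bot: The broken-server guard `if(get_kb_item('ftp/'+port+'/broken'))exit(0);` reads `port`, which is never assigned in this script (the port lives in `ftpPort`), so the key it looks up is not `ftp/<port>/broken` and the guard can never fire; it should be `if(get_kb_item('ftp/'+ftpPort+'/broken'))exit(0);`. Separately, the non-safe branch deliberately tries to crash the FTP daemon with a 100000-byte username and then reports a hole whenever the reconnect fails, yet the script is registered as `ACT_GATHER_INFO`; a crash test belongs in `ACT_DENIAL` (or `ACT_DESTRUCTIVE_ATTACK`) so the scheduler runs it after the information-gathering scripts rather than alongside them. Any transient reconnect failure (connection limit, rate limiting) also yields a false positive here, so a short retry, or comparing against a connect made before the attack, would make the active result more trustworthy. The safe-check branch only matches the literal banner `httpdx 0.5 beta`, which is narrower than the description's "other versions may also be affected" — worth a comment saying the banner match is intentionally conservative.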


Property changes on: trunk/openvas-plugins/scripts/httpdx_35006.nasl
___________________________________________________________________
Name: svn:keywords
   + ID

Added: trunk/openvas-plugins/scripts/nsd_35029.nasl
===================================================================
--- trunk/openvas-plugins/scripts/nsd_35029.nasl	2009-05-22 14:53:52 UTC (rev 3459)
+++ trunk/openvas-plugins/scripts/nsd_35029.nasl	2009-05-24 09:22:37 UTC (rev 3460)
@@ -0,0 +1,78 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# NSD 'packet.c' Off-By-One Buffer Overflow Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(100209);
+  script_version("$Revision: 1.0 $");
+  script_bugtraq_id(35029);
+  script_name(english:"NSD 'packet.c' Off-By-One Buffer Overflow Vulnerability");
+  desc["english"] = "
+
+  Overview:
+   NSD is prone to an off-by-one buffer-overflow vulnerability
+   because the server fails to perform adequate boundary checks on
+   user-supplied data.
+
+   Successfully exploiting this issue will allow attackers to
+   execute arbitrary code within the context of the affected server.
+   Failed exploit attempts will result in a denial-of-service
+   condition.
+
+   Versions prior to NSD 3.2.2 are vulnerable. 
+
+  Solution:
+   The vendor has released fixes. Please see http://www.nlnetlabs.nl/projects/nsd/
+   for more information.
+
+  Risk factor: High";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Check for the Version of NSD");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2009 Michael Meyer");
+  script_family(english:"General");
+  script_dependencies("nsd_version.nasl");
+  script_require_keys("nsd/version");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+udpPort = 53;
+if(!get_udp_port_state(udpPort)){
+  exit(0);
+}
+
+bindVer = get_kb_item("nsd/version");
+if(!bindVer){
+  exit(0);
+}
+
+  if(version_is_less(version:bindVer, test_version:"3.2.2") ) {
+    security_hole(port:udpPort, proto:"udp");
+  }
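Review bot: The gate `if(!get_udp_port_state(udpPort))` exits silently even though `script_require_keys("nsd/version")` already guarantees that nsd_version.nasl obtained a version string — and that detection script tries TCP/53 first, so a host whose UDP/53 state is unknown or marked closed can be skipped despite a vulnerable version sitting in the KB (how `get_udp_port_state` treats an unscanned port is scanner-dependent, so this may or may not bite in practice). Dropping the gate and keeping `security_hole(port:53, proto:"udp")` removes that gap. Minor: the KB value is stored in `bindVer`, a name apparently left over from a BIND script; `nsdVer` would read correctly. `script_version("$Revision: 1.0 $")` also differs from the plain `"1.0"` used by the two sibling scripts in this commit; whichever convention the repository uses, the three should agree.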


Property changes on: trunk/openvas-plugins/scripts/nsd_35029.nasl
___________________________________________________________________
Name: svn:keywords
   + ID

Added: trunk/openvas-plugins/scripts/nsd_version.nasl
===================================================================
--- trunk/openvas-plugins/scripts/nsd_version.nasl	2009-05-22 14:53:52 UTC (rev 3459)
+++ trunk/openvas-plugins/scripts/nsd_version.nasl	2009-05-24 09:22:37 UTC (rev 3460)
@@ -0,0 +1,150 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Detection of Name Server Daemon Version
+#
+# Authors:
+# Michael Meyer
+#
+# Based on bind_version.nasl from Noam Rathaus <noamr at securiteam.com> 
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+ desc["english"] = "
+
+ Overview:
+  The Name Server Daemon is running at this host.
+  NSD is an authoritative only, high performance, simple and open source name
+  server. 
+
+  The NSD allow remote users to query for version and type
+  information. The query of the CHAOS TXT record 'version.bind', will
+  typically prompt the server to send the information back to the
+  querying source.
+
+ Solution:
+  Set 'hide-version: yes' in nsd.conf.
+
+ See also:
+  http://www.nlnetlabs.nl/projects/nsd/
+
+ Risk factor : None";
+
+if (description)
+{
+ script_id(100082);
+ script_version ("1.0");
+ script_name(english:"Name Server Daemon Detection");  
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the version of Name Server Daemon");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Service detection");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ exit(0);
+}
+
+include("misc_func.inc");
+
+ soctcp53 = 0;
+ 
+ if(get_port_state(53))
+  {
+  soctcp53 = open_sock_tcp(53);
+ }
+ if(!soctcp53){
+  if(!(get_udp_port_state(53)))exit(0);
+  socudp53 = open_sock_udp(53);
+  soc = socudp53;
+  offset = 0;
+  }
+  else {
+  	soc = soctcp53;
+	offset = 2;
+  	}
+  
+ if (soc)
+ {
+  
+  raw_data = raw_string(
+			0x00, 0x0A, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
+			0x00, 0x00, 0x07);
+  
+  if(offset)raw_data = raw_string(0x00, 0x1E) + raw_data;
+  
+  raw_data = raw_data + "VERSION";
+  raw_data = raw_data + raw_string( 0x04 );
+  raw_data = raw_data + "BIND";
+  raw_data = raw_data + raw_string(0x00, 0x00, 0x10, 0x00, 0x03);
+
+  send(socket:soc, data:raw_data);
+  result = recv(socket:soc, length:1000);
+  if (result)
+  {
+    if ((result[0+offset] == raw_string(0x00)) && (result[1+offset] == raw_string(0x0A)))
+    {
+     if (((result[2+offset] == raw_string(0x81))||(result[2+offset] == raw_string(0x84))) && ((result[3+offset] == raw_string(0x80))||(result[3+offset] == raw_string(0x00))))
+     {
+      if ((result[4+offset] == raw_string(0x00)) && (result[5+offset] == raw_string(0x01)))
+	  {
+       if ((result[6+offset] == raw_string(0x00)) && (result[7+offset] == raw_string(0x01)))
+	   {
+		if(result[30+offset]>=0xc0)base=40;
+		else base=52;
+		size = ord(result[base+1+offset]);
+		slen = base + 3 + offset - 1;
+		if(slen > strlen(result))exit(0);
+		if (size > 0)
+		{
+		 hole_data = "";
+		 for (i = 0; i < size - 1; i = i + 1)
+		 {
+		  hole_data = hole_data + result[base+3+i+offset];
+		 }
+		 if(offset)proto = "tcp";
+		 else proto = "udp";
+
+		 if("NSD" >!< hole_data)exit(0);
+
+		 hole_data -= string("NSD ");
+
+		 info = string("None\n\nNSD Version '"); 
+		 info += hole_data;
+		 info += string("' was detected on the remote Host\n\n");  
+		
+		desc = ereg_replace(
+    	                        string:desc["english"],
+                         	pattern:"None$",
+                        	replace:info
+                       );    
+
+		set_kb_item(name:"nsd/version",value:hole_data);
+		security_note(port:53, data:desc, protocol:proto);
+		close(soc);
+		exit(0);
+		}
+	   }
+	  }
+     }
+    }
+ close(soc);
+ exit(0);
+  }
+ }
+
+exit(0);
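Review bot: The length byte `size` comes straight from the DNS reply and is attacker-controlled, but the only bound check, `if(slen > strlen(result))exit(0);`, verifies that the start of the TXT data lies inside the `recv` buffer, not that `size - 1` further bytes do, so the copy loop can index past the end of `result`; add `if(base + offset + size + 2 > strlen(result)) exit(0);` right after `size` is computed (that is the last index the loop touches plus one). Next, `if(result[30+offset]>=0xc0)` compares a one-character string with an integer, whereas the neighbouring `size = ord(result[base+1+offset]);` uses `ord()`; unless NASL's string/int comparison is known to do the right thing here, `if(ord(result[30+offset]) >= 0xc0)` is the safer spelling, otherwise `base` may always fall through to 52. The early `exit(0)` calls on the bound check and on `"NSD" >!< hole_data` return without `close(soc)`, unlike the other paths. A header comment stating that the parser assumes a fixed-layout reply — one question, one answer, with the answer name either a compression pointer (rdata at 40) or the full 14-byte `VERSION.BIND` name (rdata at 52) — would explain the magic offsets to the next reader.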


Property changes on: trunk/openvas-plugins/scripts/nsd_version.nasl
___________________________________________________________________
Name: svn:keywords
   + ID


