[Openvas-commits] r3460 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Sun May 24 11:22:38 CEST 2009
Author: mime
Date: 2009-05-24 11:22:37 +0200 (Sun, 24 May 2009)
New Revision: 3460
Added:
trunk/openvas-plugins/scripts/httpdx_35006.nasl
trunk/openvas-plugins/scripts/nsd_35029.nasl
trunk/openvas-plugins/scripts/nsd_version.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/cve_current.txt
Log:
Added new plugins
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2009-05-22 14:53:52 UTC (rev 3459)
+++ trunk/openvas-plugins/ChangeLog 2009-05-24 09:22:37 UTC (rev 3460)
@@ -1,3 +1,9 @@
+2009-05-24 Michael Meyer <mime at gmx.de>
+ * scripts/nsd_35029.nasl,
+ scripts/nsd_version.nasl,
+ scripts/httpdx_35006.nasl:
+ Added new plugins.
+
2009-05-22 Chandan S <schandan at secpod.com>
* scripts/gb_mcafee_groupshield_exchange_sec_bypass_vuln.nasl,
scripts/secpod_mini_stream_castripper_bof_vuln.nasl,
Modified: trunk/openvas-plugins/cve_current.txt
===================================================================
--- trunk/openvas-plugins/cve_current.txt 2009-05-22 14:53:52 UTC (rev 3459)
+++ trunk/openvas-plugins/cve_current.txt 2009-05-24 09:22:37 UTC (rev 3460)
@@ -40,8 +40,8 @@
CVE-2009-1646 SecPod
CVE-2009-1647 SecPod
-35006 mime
-35029 mime
+35006 mime svn
+35029 mime svn
CVE-2009-1252 SecPod
CVE-2009-1418 SecPod
CVE-2009-1671 SecPod
Added: trunk/openvas-plugins/scripts/httpdx_35006.nasl
===================================================================
--- trunk/openvas-plugins/scripts/httpdx_35006.nasl 2009-05-22 14:53:52 UTC (rev 3459)
+++ trunk/openvas-plugins/scripts/httpdx_35006.nasl 2009-05-24 09:22:37 UTC (rev 3460)
@@ -0,0 +1,113 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# httpdx Multiple Commands Remote Buffer Overflow Vulnerabilities
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+################################################################################
+
+if(description)
+{
+ script_id(100210);
+ script_bugtraq_id(35006);
+ script_version("1.0");
+ script_name(english:"httpdx Multiple Commands Remote Buffer Overflow Vulnerabilities");
+
+ desc["english"] = "
+
+ Overview:
+ The 'httpdx' program is prone to multiple remote buffer-overflow
+ vulnerabilities because the application fails to perform adequate
+ boundary-checks on user-supplied data.
+
+ An attacker can exploit these issues to execute arbitrary code
+ within the context of the affected application. Failed exploit
+ attempts will result in a denial-of-service condition.
+
+ These issues affect httpdx 0.5b; other versions may also be
+ affected.
+
+ See also:
+ http://www.securityfocus.com/bid/35006
+
+ Risk factor : Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Determine if httpdx is vulnerable to buffer-overflow.");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 Michael Meyer");
+ script_family(english:"FTP");
+ script_dependencies("find_service.nes","secpod_ftp_anonymous.nasl","ftpserver_detect_type_nd_version.nasl");
+ script_require_ports("Services/ftp", 21);
+ exit(0);
+}
+
+include("ftp_func.inc");
+
+ftpPort = get_kb_item("Services/ftp");
+if(!ftpPort){
+ ftpPort = 21;
+}
+
+if(get_kb_item('ftp/'+port+'/broken'))exit(0);
+
+if(!get_port_state(ftpPort)){
+ exit(0);
+}
+
+if( ! banner = get_ftp_banner(port:ftpPort) ) exit(0);
+
+if( "httpdx" >< banner ) {
+
+ if( safe_checks() ) {
+
+ if( egrep(pattern:"httpdx 0.5 beta", string: banner) ) {
+
+ security_warning(port:ftpPort);
+ exit(0);
+ }
+
+ } else {
+
+ soc = open_sock_tcp(ftpPort);
+
+ if(!soc){
+ exit(0);
+ }
+
+ user = crap(length: 100000);
+ pass = "bla";
+
+ ftp_log_in(socket:soc, user:user, pass:pass);
+ close(soc);
+
+ sleep(2);
+
+ soc1 = open_sock_tcp(ftpPort);
+
+ if(!soc1){
+ security_warning(port:ftpPort);
+ exit(0);
+ }
+ }
+}
+
+exit(0);
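Review bot: The broken-FTP guard `get_kb_item('ftp/'+port+'/broken')` reads `port`, which is never assigned in this script; the port variable is `ftpPort`, so the key built here cannot match the one the FTP detection plugin presumably writes and the guard never fires, `if(get_kb_item('ftp/'+ftpPort+'/broken'))exit(0);`. Separately, the non-safe-checks branch sends a 100000-byte user name and reports a hole when the service no longer accepts a connection two seconds later, yet the script is registered as `ACT_GATHER_INFO`; a probe that can take the FTP service down belongs in an attack-phase category (`ACT_MIXED_ATTACK` is the conventional choice for a script with a safe and an unsafe branch) so the scheduler does not run it ahead of the other FTP plugins. The reconnect failure is also reported without checking what the initial `ftp_log_in` returned, so a transient refusal or rate limit is enough to produce a finding.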
Property changes on: trunk/openvas-plugins/scripts/httpdx_35006.nasl
___________________________________________________________________
Name: svn:keywords
+ ID
Added: trunk/openvas-plugins/scripts/nsd_35029.nasl
===================================================================
--- trunk/openvas-plugins/scripts/nsd_35029.nasl 2009-05-22 14:53:52 UTC (rev 3459)
+++ trunk/openvas-plugins/scripts/nsd_35029.nasl 2009-05-24 09:22:37 UTC (rev 3460)
@@ -0,0 +1,78 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# NSD 'packet.c' Off-By-One Buffer Overflow Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(100209);
+ script_version("$Revision: 1.0 $");
+ script_bugtraq_id(35029);
+ script_name(english:"NSD 'packet.c' Off-By-One Buffer Overflow Vulnerability");
+ desc["english"] = "
+
+ Overview:
+ NSD is prone to an off-by-one buffer-overflow vulnerability
+ because the server fails to perform adequate boundary checks on
+ user-supplied data.
+
+ Successfully exploiting this issue will allow attackers to
+ execute arbitrary code within the context of the affected server.
+ Failed exploit attempts will result in a denial-of-service
+ condition.
+
+ Versions prior to NSD 3.2.2 are vulnerable.
+
+ Solution:
+ The vendor has released fixes. Please see http://www.nlnetlabs.nl/projects/nsd/
+ for more information.
+
+ Risk factor: High";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the Version of NSD");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 Michael Meyer");
+ script_family(english:"General");
+ script_dependencies("nsd_version.nasl");
+ script_require_keys("nsd/version");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+udpPort = 53;
+if(!get_udp_port_state(udpPort)){
+ exit(0);
+}
+
+bindVer = get_kb_item("nsd/version");
+if(!bindVer){
+ exit(0);
+}
+
+ if(version_is_less(version:bindVer, test_version:"3.2.2") ) {
+ security_hole(port:udpPort, proto:"udp");
+ }
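Review bot: The `get_udp_port_state(udpPort)` gate exits when UDP 53 is not known to be open, but `nsd_version.nasl` in the same commit may have obtained `nsd/version` over TCP 53 only, in which case this check is skipped although the version is already known to be below 3.2.2; since `script_require_keys("nsd/version")` guarantees the detection ran, the gate looks redundant and could be dropped, or the port and protocol the detection used recorded next to the version and reused here. The local `bindVer` is a leftover name from the BIND template and reads wrongly in an NSD check; `nsdVer` would match the key it is read from. The `script_version("$Revision: 1.0 $")` form also differs from the plain `"1.0"` used by the other two scripts in this commit.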
Property changes on: trunk/openvas-plugins/scripts/nsd_35029.nasl
___________________________________________________________________
Name: svn:keywords
+ ID
Added: trunk/openvas-plugins/scripts/nsd_version.nasl
===================================================================
--- trunk/openvas-plugins/scripts/nsd_version.nasl 2009-05-22 14:53:52 UTC (rev 3459)
+++ trunk/openvas-plugins/scripts/nsd_version.nasl 2009-05-24 09:22:37 UTC (rev 3460)
@@ -0,0 +1,150 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Detection of Name Server Daemon Version
+#
+# Authors:
+# Michael Meyer
+#
+# Based on bind_version.nasl from Noam Rathaus <noamr at securiteam.com>
+#
+# Copyright:
+# Copyright (c) 2009 Michael Meyer
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+ desc["english"] = "
+
+ Overview:
+ The Name Server Daemon is running at this host.
+ NSD is an authoritative only, high performance, simple and open source name
+ server.
+
+ The NSD allow remote users to query for version and type
+ information. The query of the CHAOS TXT record 'version.bind', will
+ typically prompt the server to send the information back to the
+ querying source.
+
+ Solution:
+ Set 'hide-version: yes' in nsd.conf.
+
+ See also:
+ http://www.nlnetlabs.nl/projects/nsd/
+
+ Risk factor : None";
+
+if (description)
+{
+ script_id(100082);
+ script_version ("1.0");
+ script_name(english:"Name Server Daemon Detection");
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the version of Name Server Daemon");
+ script_category(ACT_GATHER_INFO);
+ script_family(english:"Service detection");
+ script_copyright(english:"This script is Copyright (C) 2009 Michael Meyer");
+ exit(0);
+}
+
+include("misc_func.inc");
+
+ soctcp53 = 0;
+
+ if(get_port_state(53))
+ {
+ soctcp53 = open_sock_tcp(53);
+ }
+ if(!soctcp53){
+ if(!(get_udp_port_state(53)))exit(0);
+ socudp53 = open_sock_udp(53);
+ soc = socudp53;
+ offset = 0;
+ }
+ else {
+ soc = soctcp53;
+ offset = 2;
+ }
+
+ if (soc)
+ {
+
+ raw_data = raw_string(
+ 0x00, 0x0A, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x07);
+
+ if(offset)raw_data = raw_string(0x00, 0x1E) + raw_data;
+
+ raw_data = raw_data + "VERSION";
+ raw_data = raw_data + raw_string( 0x04 );
+ raw_data = raw_data + "BIND";
+ raw_data = raw_data + raw_string(0x00, 0x00, 0x10, 0x00, 0x03);
+
+ send(socket:soc, data:raw_data);
+ result = recv(socket:soc, length:1000);
+ if (result)
+ {
+ if ((result[0+offset] == raw_string(0x00)) && (result[1+offset] == raw_string(0x0A)))
+ {
+ if (((result[2+offset] == raw_string(0x81))||(result[2+offset] == raw_string(0x84))) && ((result[3+offset] == raw_string(0x80))||(result[3+offset] == raw_string(0x00))))
+ {
+ if ((result[4+offset] == raw_string(0x00)) && (result[5+offset] == raw_string(0x01)))
+ {
+ if ((result[6+offset] == raw_string(0x00)) && (result[7+offset] == raw_string(0x01)))
+ {
+ if(result[30+offset]>=0xc0)base=40;
+ else base=52;
+ size = ord(result[base+1+offset]);
+ slen = base + 3 + offset - 1;
+ if(slen > strlen(result))exit(0);
+ if (size > 0)
+ {
+ hole_data = "";
+ for (i = 0; i < size - 1; i = i + 1)
+ {
+ hole_data = hole_data + result[base+3+i+offset];
+ }
+ if(offset)proto = "tcp";
+ else proto = "udp";
+
+ if("NSD" >!< hole_data)exit(0);
+
+ hole_data -= string("NSD ");
+
+ info = string("None\n\nNSD Version '");
+ info += hole_data;
+ info += string("' was detected on the remote Host\n\n");
+
+ desc = ereg_replace(
+ string:desc["english"],
+ pattern:"None$",
+ replace:info
+ );
+
+ set_kb_item(name:"nsd/version",value:hole_data);
+ security_note(port:53, data:desc, protocol:proto);
+ close(soc);
+ exit(0);
+ }
+ }
+ }
+ }
+ }
+ close(soc);
+ exit(0);
+ }
+ }
+
+exit(0);
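Review bot: The response is indexed at fixed offsets before its length is checked: `result[30+offset]` is read right after the header bytes are matched, and the guard `slen = base + 3 + offset - 1` only covers the TXT length byte while the loop below reads up to `result[base+3+offset+size-2]`. Add `if(strlen(result) < 31 + offset) exit(0);` before the `base` selection and change the guard to `if(base + 3 + offset + size - 1 > strlen(result)) exit(0);` so a short or truncated reply is rejected instead of parsed. The `base` selection also compares the one-byte string `result[30+offset]` directly with `0xc0`, whereas `ord()` is used two lines later for the same kind of test; `ord(result[30+offset]) >= 0xc0` looks like what was intended, but confirm against the interpreter's string/integer comparison rules. The fixed offsets 40 and 52 (inherited from bind_version.nasl) assume one particular answer layout, so a comment above that line stating the expected layout would help the next maintainer.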
Property changes on: trunk/openvas-plugins/scripts/nsd_version.nasl
___________________________________________________________________
Name: svn:keywords
+ ID