[Openvas-commits] r3501 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Thu May 28 07:14:10 CEST 2009
Author: chandra
Date: 2009-05-28 07:14:08 +0200 (Thu, 28 May 2009)
New Revision: 3501
Added:
trunk/openvas-plugins/scripts/gb_samba_dos_vuln.nasl
trunk/openvas-plugins/scripts/secpod_cyrus_sasllib_detect.nasl
trunk/openvas-plugins/scripts/secpod_cyrus_sasllib_mul_bof_vuln.nasl
trunk/openvas-plugins/scripts/secpod_openssl_mult_dos_vuln_lin.nasl
trunk/openvas-plugins/scripts/secpod_openssl_mult_dos_vuln_win.nasl
trunk/openvas-plugins/scripts/secpod_tcpdb_detect.nasl
trunk/openvas-plugins/scripts/secpod_tcpdb_sec_bypass_vuln.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/gb_openssl_detect_lin.nasl
trunk/openvas-plugins/scripts/gb_samba_detect.nasl
Log:
New scripts checked in and
updated 2 detect scripts to get newer versions
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2009-05-27 18:49:15 UTC (rev 3500)
+++ trunk/openvas-plugins/ChangeLog 2009-05-28 05:14:08 UTC (rev 3501)
@@ -1,3 +1,18 @@
+2009-05-26 Chandan S <schandan at secpod.com>
+ * scripts/secpod_openssl_mult_dos_vuln_win.nasl,
+ scripts/gb_samba_dos_vuln.nasl,
+ scripts/secpod_cyrus_sasllib_mul_bof_vuln.nasl,
+ scripts/secpod_openssl_mult_dos_vuln_lin.nasl,
+ scripts/secpod_tcpdb_detect.nasl,
+ scripts/secpod_tcpdb_sec_bypass_vuln.nasl,
+ scripts/secpod_cyrus_sasllib_detect.nasl:
+ New plugins committed.
+
+ * scripts/gb_samba_detect.nasl,
+ scripts/gb_openssl_detect_lin.nasl
+ Modified samba and openssl detect scripts to get newer versions.
+
+
2009-05-27 Thomas Reinke <reinke at securityspace.com>
* scripts/secpod_apache_mod_proxy_ajp_info_disc_vuln.nasl
Updated to remove spurious carriage returns.
Modified: trunk/openvas-plugins/scripts/gb_openssl_detect_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_openssl_detect_lin.nasl 2009-05-27 18:49:15 UTC (rev 3500)
+++ trunk/openvas-plugins/scripts/gb_openssl_detect_lin.nasl 2009-05-28 05:14:08 UTC (rev 3501)
@@ -51,18 +51,17 @@
exit(0);
}
-paths = find_file(file_name:"openssl",file_path:"/", useregex:TRUE,
- regexpar:"$", sock:sock);
+paths = find_bin(prog_name:"openssl",sock:sock);
foreach sslBin (paths)
{
sslVer = get_bin_version(full_prog_name:chomp(sslBin), sock:sock,
version_argv:"version",
- ver_pattern:"OpenSSL ([0-9.a-z]+)");
+ ver_pattern:"OpenSSL ([0-9.a-z\-]+)");
if(sslVer[1] != NULL)
{
set_kb_item(name:"OpenSSL/Linux/Ver", value:sslVer[1]);
ssh_close_connection();
- exit(0);
+ #exit(0);
}
}
ssh_close_connection();
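Review bot: With `exit(0)` commented out, the `ssh_close_connection();` above it still runs inside the `foreach`, so after the first match the remaining `get_bin_version` calls presumably run against a connection that is already closed. The connection is then closed a second time after the loop. If the goal is to record every installed openssl binary, drop the in-loop close and keep only the one after the loop; otherwise restore `exit(0);`. Repeated `set_kb_item(name:"OpenSSL/Linux/Ver", ...)` calls also make the key multi-valued, so replace the dead `#exit(0);` with a comment such as `# keep scanning: several openssl binaries may be installed`.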
Modified: trunk/openvas-plugins/scripts/gb_samba_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_samba_detect.nasl 2009-05-27 18:49:15 UTC (rev 3500)
+++ trunk/openvas-plugins/scripts/gb_samba_detect.nasl 2009-05-28 05:14:08 UTC (rev 3501)
@@ -7,6 +7,10 @@
# Authors:
# Chandan S <schandan at secpod.com>
#
+# Modified by: Sujit Ghosal (sghosal at secpod.com)
+# Date: 8th May 2009
+# Changes: Changed the command from smbd to smbclient and Modified Regex
+#
# Copyright:
# Copyright (c) 2009 Intevation GmbH, http://www.intevation.net
#
@@ -58,10 +62,11 @@
{
binaryName = chomp(binaryName);
smbVer = get_bin_version(full_prog_name:binaryName, version_argv:"-V",
- ver_pattern:"Version ([0-9.]+[a-z]?)", sock:sock);
- if(smbVer[1] != NULL)
+ ver_pattern:"Version (.*)", sock:sock);
+ smbVer = split(smbVer[1], "\n", keep:0);
+ if(smbVer[0] != NULL)
{
- set_kb_item(name:"Samba/Version", value:smbVer[1]);
+ set_kb_item(name:"Samba/Version", value:smbVer[0]);
ssh_close_connection();
exit(0);
}
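Review bot: `smbVer[1]` is passed to `split()` before anything checks that the pattern matched, so the NULL test now runs on the result of splitting a possibly NULL value; keep `if(smbVer[1] != NULL)` as the guard and do the split inside it. The capture `Version (.*)` also stores whatever the binary prints after the word Version, so `Samba/Version` becomes free-form text from the scanned host rather than a version token. A bounded class such as `ver_pattern:"Version ([0-9][0-9A-Za-z.\-]*)"` would still accept suffixed versions while giving dependent scripts a predictable value. The enclosing `foreach` starts and ends outside this hunk.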
Added: trunk/openvas-plugins/scripts/gb_samba_dos_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_samba_dos_vuln.nasl 2009-05-27 18:49:15 UTC (rev 3500)
+++ trunk/openvas-plugins/scripts/gb_samba_dos_vuln.nasl 2009-05-28 05:14:08 UTC (rev 3501)
@@ -0,0 +1,88 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_samba_dos_vuln.nasl 2204 2009-05-08 16:20:29Z may $
+#
+# Samba winbind Daemon Denial of Service Vulnerability
+#
+# Authors:
+# Sujit Ghosal <sghosal at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Intevation GmbH, http://intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(800711);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2008-6800");
+ script_name(english:"Samba winbind Daemon Denial of Service Vulnerability");
+ desc["english"] = "
+
+ Overview: This host is installed with Samba for Linux and is prone to
+ Winbind daemon Denial of Service Vulnerability.
+
+ Vulnerability Insight:
+ This flaw is due to a race condition in the winbind daemon which allows
+ remote attackers to cause denial of service through unspecified vectors
+ related to an unresponsive child process.
+
+ Impact:
+ Successful exploitation will let the attacker crash the application.
+
+ Impact level: Application
+
+ Affected Software/OS:
+ Samba version prior to 3.0.32
+
+ Fix:
+ Upgrade to the latest version 3.0.32
+ http://us1.samba.org/samba
+
+ References:
+ http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0308
+ http://www.samba.org/samba/history/samba-3.0.32.html
+ http://www.securityfocus.com/archive/1/archive/1/497941/100/0/threaded
+
+ CVSS Score:
+ CVSS Base Score : 4.3 (AV:N/AC:M/Au:NR/C:N/I:N/A:P)
+ CVSS Temporal Score : 3.2
+ Risk factor: Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the version of Samba");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 Intevation GmbH");
+ script_family(english:"Denial of Service");
+ script_dependencies("gb_samba_detect.nasl");
+ script_require_keys("Samba/Version");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+sambaVer = get_kb_item("Samba/Version");
+sambaVer = ereg_replace(pattern:"-", string:sambaVer, replace:".");
+sambaVer = ereg_replace(pattern:"\.([a-z|A-Z].*)", string:sambaVer, replace:"");
+if(sambaVer == NULL){
+ exit(0);
+}
+
+# Grep for Samba version prior to 3.0.32
+if(version_is_less(version:sambaVer, test_version:"3.0.32")){
+ security_warning(0);
+}
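Review bot: The NULL guard on `sambaVer` comes after both `ereg_replace` calls, so a missing KB entry is normalised before it is tested; move `if(sambaVer == NULL){ exit(0); }` directly under the `get_kb_item` line. The class `[a-z|A-Z]` in the second pattern also matches a literal `|`; `[a-zA-Z]` is what is meant. The finding rests only on the version string that gb_samba_detect.nasl reads from the binary's `-V` output, so a vendor build with a backported fix would still be reported. A sentence in the description saying the result is based on the version alone would help triage, and the same applies to the comparison in secpod_cyrus_sasllib_mul_bof_vuln.nasl.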
Property changes on: trunk/openvas-plugins/scripts/gb_samba_dos_vuln.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/secpod_cyrus_sasllib_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_cyrus_sasllib_detect.nasl 2009-05-27 18:49:15 UTC (rev 3500)
+++ trunk/openvas-plugins/scripts/secpod_cyrus_sasllib_detect.nasl 2009-05-28 05:14:08 UTC (rev 3501)
@@ -0,0 +1,67 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_cyrus_sasllib_detect.nasl 2347 2009-05-27 15:21:24Z may $
+#
+# Cyrus SASL Library Version Detection
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900659);
+ script_version("Revision: 1.0 ");
+ script_name(english:"Cyrus SASL Library Version Detection");
+ desc["english"] = "
+
+ Overview: This script detects the installed version of Cyrus SASL Library and
+ sets the result in KB.
+
+ Risk factor: Informational";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Sets KB for the version of Cyrus SASL Library");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Service detection");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+sock = ssh_login_or_reuse_connection();
+if(!sock){
+ exit(0);
+}
+
+paths = find_bin(prog_name:"sasldblistusers2", sock:sock);
+foreach saslbin (paths)
+{
+ saslVer = get_bin_version(full_prog_name:chomp(saslbin), sock:sock,
+ version_argv:"-v", ver_pattern:"version ([0-9.]+)");
+ if(saslVer[1] != NULL)
+ {
+ set_kb_item(name:"Cyrus/SASL/Ver", value:saslVer[1]);
+ ssh_close_connection();
+ exit(0);
+ }
+}
+ssh_close_connection();
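Review bot: Detection rests entirely on `find_bin(prog_name:"sasldblistusers2", ...)`, so a host that has the SASL library but not that utility gets no `Cyrus/SASL/Ver` entry. The dependent secpod_cyrus_sasllib_mul_bof_vuln.nasl, which requires that key, then skips the host without reporting anything. A comment above the `find_bin` call stating this limitation, for example `# version is taken from the sasldblistusers2 utility; library-only installs are not detected`, would make the coverage gap visible. Separately, `script_version("Revision: 1.0 ")` lacks the `$` keyword markers used by the other new scripts (`"$Revision: 1.0 $"`); secpod_tcpdb_detect.nasl has the same string.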
Added: trunk/openvas-plugins/scripts/secpod_cyrus_sasllib_mul_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_cyrus_sasllib_mul_bof_vuln.nasl 2009-05-27 18:49:15 UTC (rev 3500)
+++ trunk/openvas-plugins/scripts/secpod_cyrus_sasllib_mul_bof_vuln.nasl 2009-05-28 05:14:08 UTC (rev 3501)
@@ -0,0 +1,85 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_cyrus_sasllib_mul_bof_vuln.nasl 2347 2009-05-27 15:05:27Z may $
+#
+# Cyrus SASL Remote Buffer Overflow Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900660);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2009-0688");
+ script_bugtraq_id(34961);
+ script_name(english:"Cyrus SASL Remote Buffer Overflow Vulnerability");
+ desc["english"] = "
+
+ Overview: This host has installed Cyrus SASL library and is prone to Remote
+ Buffer Overflow vulnerability
+
+ Vulnerability Insight:
+ An error in 'sasl_encode64' function within the lib/saslutil.c, as it fails
+ to perform adequate boundary checks on user supplied data before copying the
+ data to allocated memory buffers.
+
+ Impact:
+ Successful exploits allow attackers to run arbitrary code and to crash an
+ application that uses the library thus denying service to legitimate users.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ Cyrus SASL version prior to 2.1.23
+
+ Fix:Upgrade to version 2.1.23 or later.
+ ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.23.tar.gz
+
+ References:
+ http://secunia.com/advisories/35102
+ http://www.kb.cert.org/vuls/id/238019
+ http://www.vupen.com/english/advisories/2009/1313
+
+ CVSS Score:
+ CVSS Base Score : 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P)
+ CVSS Temporal Score : 5.5
+ Risk factor: High";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Checks for the Version Cyrus SASL library");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Buffer overflow");
+ script_dependencies("secpod_cyrus_sasllib_detect.nasl");
+ script_require_keys("Cyrus/SASL/Ver");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+saslVer = get_kb_item("Cyrus/SASL/Ver");
+if(saslVer != NULL)
+{
+ if(version_is_less(version:saslVer, test_version:"2.1.23")){
+ security_hole(0);
+ }
+}
Added: trunk/openvas-plugins/scripts/secpod_openssl_mult_dos_vuln_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_openssl_mult_dos_vuln_lin.nasl 2009-05-27 18:49:15 UTC (rev 3500)
+++ trunk/openvas-plugins/scripts/secpod_openssl_mult_dos_vuln_lin.nasl 2009-05-28 05:14:08 UTC (rev 3501)
@@ -0,0 +1,122 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_openssl_mult_dos_vuln_lin.nasl 2393 2009-05-22 12:10:29Z may $
+#
+# OpenSSL DTLS Packets Multiple Denial of Service Vulnerabilities (Linux)
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+ desc1["english"] = "
+ Multiple flaws are due to,
+ - The library does not limit the number of buffered DTLS records with a
+ future epoch.
+ - An error when processing DTLS messages can be exploited to exhaust all
+ available memory by sending a large number of out of sequence handshake
+ messages.
+
+ Impact:
+ Successful exploitation will let the attacker to cause denial-of-service
+ conditions,crash the client,and exhaust all memory.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ OpenSSL version 0.9.8 to version 0.9.8k on Linux.
+
+ Fix: Apply patches or upgrade to the latest version.
+ For updates refer,http://www.openssl.org/source/
+
+ References:
+ http://secunia.com/advisories/35128
+ http://cvs.openssl.org/chngview?cn=18188
+ http://www.openwall.com/lists/oss-security/2009/05/18/1
+
+ CVSS Score:
+ CVSS Base Score : 5.0 (AV:N/AC:L/Au:NR/C:N/I:N/A:P)
+ CVSS Temporal Score : 3.7
+ Risk factor: Medium";
+
+ desc2["english"] = "
+ Flaws is due to,
+ - A use-after-free error in the 'dtls1_retrieve_buffered_fragment()' function
+ can be exploited to cause a crash in a client context.
+
+ Impact:
+ Successful exploitation will let the attacker to cause denial-of-service
+ conditions,crash the client,and exhaust all memory.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ OpenSSL version 1.0.0 Beta2 and prior on Linux.
+
+ Fix: Apply patches or upgrade to the latest version.
+ http://rt.openssl.org/Ticket/Display.html?id=1923&user=guest&pass=guest
+
+ References:
+ https://launchpad.net/bugs/cve/2009-1379
+ http://www.openwall.com/lists/oss-security/2009/05/18/4
+
+ CVSS Score:
+ CVSS Base Score : 5.0 (AV:N/AC:L/Au:NR/C:N/I:N/A:P)
+ CVSS Temporal Score : 3.7
+ Risk factor: Medium";
+
+if(description)
+{
+ script_id(900653);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2009-1377", "CVE-2009-1378", "CVE-2009-1379");
+ script_bugtraq_id(35001);
+ script_name(english:"OpenSSL DTLS Packets Multiple Denial of Service Vulnerabilities (Linux)");
+ script_description(english:desc1["english"]);
+ script_description(english:desc2["english"]);
+ script_summary(english:"Check for the version of OpenSSL");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Denial of Service");
+ script_dependencies("gb_openssl_detect_lin.nasl");
+ script_require_keys("OpenSSL/Linux/Ver");
+ exit(0);
+}
+
+
+include ("version_func.inc");
+
+opensslVer = get_kb_item("OpenSSL/Linux/Ver");
+if(opensslVer == NULL){
+ exit(0);
+}
+
+opensslVer = ereg_replace(pattern:"-", string:opensslVer, replace: ".");
+report = string("\n Overview: This host is running OpenSSL and is prone to" +
+ "\n Multiple Denial of Service Vulnerabilities (Linux) \n" +
+ "\n Vulnerability Insight:");
+
+if(version_in_range(version:opensslVer, test_version:"0.9.8", test_version2:"0.9.8k"))
+{
+ security_warning(data:string(report, desc1["english"]));
+ exit(0);
+ }
+
+if(version_is_less_equal(version:opensslVer, test_version:"1.0.0.beta2")){
+ security_warning(data:string(report, desc2["english"]));
+}
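Review bot: The second test, `version_is_less_equal(version:opensslVer, test_version:"1.0.0.beta2")`, has no lower bound. Any version outside 0.9.8–0.9.8k that compares below 1.0.0.beta2 (a 0.9.7 build, for instance) is therefore reported with the `desc2` text, although the Affected Software section names only those two ranges. Give it a lower bound with `version_in_range`, as the first test does, after confirming how version_func.inc orders the `beta` component. In the description block `script_description` is called twice, and the second call likely replaces the first; build one description string if both texts are meant to be shown.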
Added: trunk/openvas-plugins/scripts/secpod_openssl_mult_dos_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_openssl_mult_dos_vuln_win.nasl 2009-05-27 18:49:15 UTC (rev 3500)
+++ trunk/openvas-plugins/scripts/secpod_openssl_mult_dos_vuln_win.nasl 2009-05-28 05:14:08 UTC (rev 3501)
@@ -0,0 +1,91 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_openssl_mult_dos_vuln_win.nasl 2393 2009-05-22 12:10:29Z may $
+#
+# OpenSSL DTLS Packets Multiple DOS Vulnerabilities (Win)
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900654);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2009-1377", "CVE-2009-1378","CVE-2009-1379");
+ script_bugtraq_id(35001);
+ script_name(english:"OpenSSL DTLS Packets Multiple DOS Vulnerabilities (win)");
+ desc["english"] = "
+
+ Overview: This host is running OpenSSL and is prone to Multiple Denial of
+ Service Vulnerabilities
+
+ Vulnerability Insight:
+ Multiple flaws are due to,
+ - The library does not limit the number of buffered DTLS records with a
+ future epoch.
+ - An error when processing DTLS messages can be exploited to exhaust all
+ available memory by sending a large number of out of sequence handshake
+ messages.
+ - A use-after-free error in the 'dtls1_retrieve_buffered_fragment()' function
+ can be exploited to cause a crash in a client context.
+
+ Impact:
+ Successful exploitation will let the attacker to cause denial-of-service
+ conditions,crash the client,and exhaust all memory.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ OpenSSL version 0.9.8 to version 0.9.8k on Windows.
+ OpenSSL version 1.0.0 Beta2 and prior on Windows.
+
+ Fix: Apply patches or upgrade to the latest version.
+ For updates refer,http://www.slproweb.com/products/Win32OpenSSL.html
+
+ References:
+ http://secunia.com/advisories/35128
+ http://cvs.openssl.org/chngview?cn=18188
+
+ CVSS Score:
+ CVSS Base Score : 5.0 (AV:N/AC:L/Au:NR/C:N/I:N/A:P)
+ CVSS Temporal Score : 3.7
+ Risk factor: Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the version of OpenSSL");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Denial of Service");
+ script_dependencies("gb_openssl_detect_win.nasl");
+ script_require_keys("OpenSSL/Win/Ver");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+opensslVer = get_kb_item("OpenSSL/Win/Ver");
+if(!opensslVer){
+ exit(0);
+}
+
+if(version_in_range(version:opensslVer, test_version:"0.9.8", test_version2:"0.9.8k")){
+ security_warning(0);
+}
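Review bot: The description lists "OpenSSL version 1.0.0 Beta2 and prior on Windows" as affected, but the only test is `version_in_range(version:opensslVer, test_version:"0.9.8", test_version2:"0.9.8k")`, so a 1.0.0 beta install is never reported. The Linux sibling added in this commit does carry a second comparison for that range. Either add the corresponding check here or remove that line from the Affected Software text, so the report matches what is actually tested.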
Added: trunk/openvas-plugins/scripts/secpod_tcpdb_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_tcpdb_detect.nasl 2009-05-27 18:49:15 UTC (rev 3500)
+++ trunk/openvas-plugins/scripts/secpod_tcpdb_detect.nasl 2009-05-28 05:14:08 UTC (rev 3501)
@@ -0,0 +1,74 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_tcpdb_detect.nasl 2380 2009-05-25 10:58:24Z may $
+#
+# TCPDB Version Detection
+#
+# Authors:
+# Nikita MR <rnikita at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900550);
+ script_version("Revision: 1.0 ");
+ script_name(english:"TCPDB Version Detection");
+ desc["english"] = "
+
+ Overview: This script detects the installed version of TCPDB and
+ sets the result in KB.
+
+ Risk factor: Informational";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Sets the KB for the version of TCPDB");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Service detection");
+ script_dependencies("http_version.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+
+wwwPort = get_http_port(default:80);
+if(!wwwPort){
+ exit(0);
+}
+
+foreach dir (make_list("/tcpdb", cgi_dirs()))
+{
+ sndReq = http_get(item:string(dir, "/main.php"), port:wwwPort);
+ rcvRes = http_send_recv(port:wwwPort, data:sndReq);
+ if(rcvRes == NULL){
+ exit(0);
+ }
+
+ if("TCPDB" >< rcvRes)
+ {
+ tcpdbVer = eregmatch(pattern:"TCPDB version ([0-9]\.[0-9])", string:rcvRes);
+ if(tcpdbVer[1]!= NULL)
+ {
+ set_kb_item(name:"www/" + wwwPort + "/TCPDB", value:tcpdbVer[1] + " under " + dir);
+ exit(0);
+ }
+ }
+}
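Review bot: `if(rcvRes == NULL){ exit(0); }` sits inside the `foreach`, so one empty response for the first candidate directory ends the script before the remaining `cgi_dirs()` entries are probed; `continue;` in place of `exit(0);` would keep the scan going. The pattern `TCPDB version ([0-9]\.[0-9])` also captures exactly one digit on each side of the dot, so a two-digit minor such as 3.10 would be stored as 3.1 and then compared by secpod_tcpdb_sec_bypass_vuln.nasl. `([0-9]+\.[0-9]+)` avoids that truncation.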
Property changes on: trunk/openvas-plugins/scripts/secpod_tcpdb_detect.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/secpod_tcpdb_sec_bypass_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_tcpdb_sec_bypass_vuln.nasl 2009-05-27 18:49:15 UTC (rev 3500)
+++ trunk/openvas-plugins/scripts/secpod_tcpdb_sec_bypass_vuln.nasl 2009-05-28 05:14:08 UTC (rev 3501)
@@ -0,0 +1,93 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_tcpdb_sec_bypass_vuln.nasl 2380 2009-05-25 11:06:33Z may $
+#
+# TCPDB Security Bypass Vulnerability
+#
+# Authors:
+# Nikita MR <rnikita at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900551);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2009-1670");
+ script_bugtraq_id(34866);
+ script_name(english:"TCPDB Security Bypass Vulnerability");
+ desc["english"] = "
+
+ Overview: This host is installed with TCPDB and is prone to security bypass
+ vulnerability.
+
+ Vulnerability Insight:
+ The vulnerability is caused due to the application not properly restricting
+ access to certain administrative pages. (e.g. 'user/index.php')
+
+ Impact:
+ Successful exploitation will allow remote attackers to bypass security
+ restrictions and add admin accounts, via unspecified vectors in
+ user/index.php script.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ TCPDB version 3.8 and prior.
+
+ Fix: No solution or patch is available as on 28th May, 2009. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer,http://www.tcpdb.com/index.php
+
+ References:
+ http://secunia.com/advisories/34966
+ http://xforce.iss.net/xforce/xfdb/50371
+
+ CVSS Score:
+ CVSS Base Score : 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P)
+ CVSS Temporal Score : 6.7
+ Risk factor: High";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the version of TCPDB");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Web application abuses");
+ script_dependencies("secpod_tcpdb_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+tPort = get_http_port(default:80);
+if(!tPort){
+ exit(0);
+}
+
+tcpdbVer = get_kb_item("www/" + tPort + "/TCPDB");
+tcpdbVer = eregmatch(pattern:"^(.+) under (/.*)$", string:tcpdbVer);
+
+if(tcpdbVer[1] != NULL)
+{
+ if(version_is_less_equal(version:tcpdbVer[1], test_version:"3.8")){
+ security_hole(tPort);
+ }
+}
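Review bot: The KB value is parsed with `^(.+) under (/.*)$`, which requires a `/` after "under ", while secpod_tcpdb_detect.nasl writes `tcpdbVer[1] + " under " + dir`. If `cgi_dirs()` can yield an empty string for the web root, that entry never matches here and a root-level install goes unreported. Relaxing the second group to `(.*)`, or normalising an empty `dir` to `/` in the detect script, closes the gap. The description block also declares no `script_require_keys`, so the script runs even when detection found nothing, and the `Fix:` text hard-codes "as on 28th May, 2009", which will go stale in reports.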
Property changes on: trunk/openvas-plugins/scripts/secpod_tcpdb_sec_bypass_vuln.nasl
___________________________________________________________________
Name: svn:executable
+ *