[Openvas-commits] r3533 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Fri May 29 07:35:12 CEST 2009
Author: chandra
Date: 2009-05-29 07:35:11 +0200 (Fri, 29 May 2009)
New Revision: 3533
Added:
trunk/openvas-plugins/scripts/secpod_avg_detect_win.nasl
trunk/openvas-plugins/scripts/secpod_avg_detection_bypass_vuln_win.nasl
trunk/openvas-plugins/scripts/secpod_netdecision_tftp_server_detect.nasl
trunk/openvas-plugins/scripts/secpod_netdecision_tftp_server_dir_trav_vuln.nasl
trunk/openvas-plugins/scripts/secpod_sorinara_audio_player_bof_vuln.nasl
trunk/openvas-plugins/scripts/secpod_sorinara_mp3_player_bof_vuln.nasl
trunk/openvas-plugins/scripts/secpod_squirrelmail_cmd_exec_vuln.nasl
trunk/openvas-plugins/scripts/secpod_transmission_csrf_vuln.nasl
trunk/openvas-plugins/scripts/secpod_transmission_detect.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/squirrelmail_detect.nasl
Log:
Checked-in new scripts and thorough_tests condition removed from squirrelmail detect script
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2009-05-29 03:29:07 UTC (rev 3532)
+++ trunk/openvas-plugins/ChangeLog 2009-05-29 05:35:11 UTC (rev 3533)
@@ -1,3 +1,18 @@
+2009-05-29 Chandan S <schandan at secpod.com>
+ * scripts/secpod_netdecision_tftp_server_dir_trav_vuln.nasl,
+ secpod_avg_detect_win.nasl,
+ secpod_sorinara_audio_player_bof_vuln.nasl,
+ secpod_transmission_detect.nasl,
+ secpod_squirrelmail_cmd_exec_vuln.nasl,
+ secpod_transmission_csrf_vuln.nasl,
+ secpod_avg_detection_bypass_vuln_win.nasl,
+ secpod_sorinara_mp3_player_bof_vuln.nasl,
+ secpod_netdecision_tftp_server_detect.nasl:
+ Checkedin new scripts.
+
+ * scripts/squirrelmail_detect.nasl:
+ thorough_tests removed.
+
2009-05-28 Michael Meyer <mime at gmx.de>
* scripts/cacti_27749.nasl,
scripts/lighttpd_35097.nasl,
Added: trunk/openvas-plugins/scripts/secpod_avg_detect_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_avg_detect_win.nasl 2009-05-29 03:29:07 UTC (rev 3532)
+++ trunk/openvas-plugins/scripts/secpod_avg_detect_win.nasl 2009-05-29 05:35:11 UTC (rev 3533)
@@ -0,0 +1,68 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_avg_detect_win.nasl 2477 2009-05-28 15:10:24Z may $
+#
+# AVG AntiVirus Version Detection (Win)
+#
+# Authors:
+# Sujit Ghosal <sghosal at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http//www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900718);
+ script_version("$Revision: 1.0 $");
+ script_name(english:"AVG AntiVirus Version Detection");
+ desc["english"] = "
+
+ Overview : This script is detects the installed version of AVG AntiVirus and
+ sets the result in KB.
+
+ Risk factor : Informational";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Set Version of AVG AntiVirus in KB");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Service detection");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+}
+
+if(!registry_key_exists(key:"SOFTWARE\AVG")){
+ exit(0);
+}
+
+for(i=1; i<=8; i++)
+{
+ avgVer = registry_get_sz(key:"SOFTWARE\AVG\AVG" + i +
+ "\LinkScanner\Prevalence", item:"CODEVER");
+ if(avgVer != NULL){
+ set_kb_item(name:"AVG/AV/Win/Ver", value:avgVer);
+ }
+}
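Review bot: The `for(i=1; i<=8; i++)` loop at the end of secpod_avg_detect_win.nasl keeps going after a hit, so a host with several `SOFTWARE\AVG\AVGn` keys stores several values under the single key `AVG/AV/Win/Ver`, and which of them the consumer in secpod_avg_detection_bypass_vuln_win.nasl ends up comparing then depends on the engine's multi-value KB semantics rather than on anything this script decides. Stopping after the first match, `set_kb_item(name:"AVG/AV/Win/Ver", value:avgVer); exit(0);`, or storing one key per index, makes the result deterministic; a header comment should state which installation wins. The copyright line also reads `http//www.secpod.com` (missing colon) and the description reads `This script is detects`; both are worth fixing before check-in.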
Property changes on: trunk/openvas-plugins/scripts/secpod_avg_detect_win.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/secpod_avg_detection_bypass_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_avg_detection_bypass_vuln_win.nasl 2009-05-29 03:29:07 UTC (rev 3532)
+++ trunk/openvas-plugins/scripts/secpod_avg_detection_bypass_vuln_win.nasl 2009-05-29 05:35:11 UTC (rev 3533)
@@ -0,0 +1,87 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_avg_detection_bypass_vuln_win.nasl 2477 2009-05-28 15:51:24Z may $
+#
+# AVG AntiVirus Engine Malware Detection Bypass Vulnerability (Win)
+#
+# Authors:
+# Sujit Ghosal <sghosal at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900719);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2009-1784");
+ script_bugtraq_id(34895);
+ script_name(english:"AVG AntiVirus Engine Malware Detection Bypass Vulnerability (Win)");
+ desc["english"] = "
+
+ Overview: This host is installed with AVG AntiVirus Product Suite for Windows
+ and is prone to Malware Detection Bypass Vulnerability.
+
+ Vulnerability Insight:
+ Error in the file parsing engine can be exploited to bypass the anti-virus
+ scanning functionality via a specially crafted ZIP or RAR file.
+
+ Impact:
+ Successful exploitation will let the attacker craft malwares in a crafted
+ archive file and spread it across the network to gain access to sensitive
+ information or cause damage to the remote system.
+
+ Impact Level: System
+
+ Affected Software/OS:
+ AVG Anti-Virus prior to 8.5.323
+ AVG File Server Edition prior to 8.5.323 on Windows
+
+ Fix: Upgrade to the AVG Anti-Virus Scanning Engine build 8.5.323
+ http://www.avg.com/download
+
+ References:
+ http://xforce.iss.net/xforce/xfdb/50426
+ http://blog.zoller.lu/2009/04/avg-zip-evasion-bypass.html
+
+ CVSS Score:
+ CVSS Base Score : 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
+ CVSS Temporal Score : 7.4
+ Risk factor: High";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the Version of AVG AntiVirus Products");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Remote file access");
+ script_dependencies("secpod_avg_detect_win.nasl");
+ script_require_keys("AVG/AV/Win/Ver");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+version = get_kb_item("AVG/AV/Win/Ver");
+if(!version){
+ exit(0);
+}
+
+#Check for AntiVirus Products Suite version prior to 8.5.323
+if(version_is_less(version:version, test_version:"8.5.323")){
+ security_hole(0);
+}
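Review bot: The value compared against `8.5.323` at the bottom of the script is whatever secpod_avg_detect_win.nasl read from `SOFTWARE\AVG\AVGn\LinkScanner\Prevalence\CODEVER`, which looks like a LinkScanner component version rather than the anti-virus engine build the advisory keys on; confirm that this registry value actually tracks the engine build, otherwise the comparison yields false positives or misses. The `CVSS Base Score` line here writes the authentication metric as `Au:N`, while the sibling scripts in this commit write `Au:NR`; `Au:N` is the CVSS v2 token, so the others should be aligned with this one. The comment above the check could also name what is being tested: `# CVE-2009-1784: archive parsing bypass, fixed in engine build 8.5.323`.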
Property changes on: trunk/openvas-plugins/scripts/secpod_avg_detection_bypass_vuln_win.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/secpod_netdecision_tftp_server_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_netdecision_tftp_server_detect.nasl 2009-05-29 03:29:07 UTC (rev 3532)
+++ trunk/openvas-plugins/scripts/secpod_netdecision_tftp_server_detect.nasl 2009-05-29 05:35:11 UTC (rev 3533)
@@ -0,0 +1,133 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_netdecision_tftp_server_detect.nasl 2412 2009-05-21 21:07:05Z may $
+#
+# NetDecision TFTP Server Version Detection
+#
+# Authors:
+# Sharath S <sharaths at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+##############################################################################
+
+if(description)
+{
+ script_id(900357);
+ script_version ("$Revision: 1.0 $");
+ script_name(english:"NetDecision TFTP Server Version Detection");
+ desc["english"] = "
+
+ Overview: This script is detects installed version of NetDecision TFTP Server
+ and sets the result in KB.
+
+ Risk factor: Informational";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Sets KB of NetDecision TFTP Server Version");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Service detection");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+}
+
+
+if(!registry_key_exists(key:"SOFTWARE\NetDecision")){
+ exit(0);
+}
+
+netdeciKey = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+foreach item(registry_enum_keys(key:netdeciKey))
+{
+ netdeciName = registry_get_sz(key:netdeciKey + item, item:"DisplayName");
+
+ if("NetDecision" >< netdeciName)
+ {
+ netdeciPath = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion",
+ item:"ProgramFilesDir");
+ if(netdeciPath != NULL)
+ {
+ share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:netdeciPath);
+ file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+ string:netdeciPath + "\NetDecision\Bin\TFTPServer.exe");
+
+ soc = open_sock_tcp(port);
+ if(!soc){
+ exit(0);
+ }
+
+ r = smb_session_request(soc:soc, remote:name);
+ if(!r)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ prot = smb_neg_prot(soc:soc);
+ if(!prot)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain,
+ prot:prot);
+ if(!r)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ uid = session_extract_uid(reply:r);
+ if(!uid)
+ {
+ close(soc);
+ exit(0);
+ }
+
+ r = smb_tconx(soc:soc, name:name, uid:uid, share:share);
+ tid = tconx_extract_tid(reply:r);
+ if(!tid){
+ close(soc);
+ exit(0);
+ }
+
+ fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
+ if(!fid){
+ close(soc);
+ exit(0);
+ }
+ }
+
+ netdeciVer = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid, verstr="prod");
+ close(soc);
+
+ if(netdeciVer){
+ set_kb_item(name:"NetDecision/TFTP/Ver", value:netdeciVer);
+ }
+ exit(0);
+ }
+}
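Review bot: `GetVersion(..., verstr="prod")` just before `close(soc)` passes `verstr` with `=` instead of the named-argument separator `:`, and that call sits outside the `if(netdeciPath != NULL)` block, so when `ProgramFilesDir` is absent it executes with `soc`, `uid`, `tid` and `fid` never assigned. `port`, `name`, `login`, `pass` and `domain` are likewise consumed by `open_sock_tcp`, `smb_session_request`, `smb_session_setup` and `smb_tconx` without ever being set in this script; they presumably have to come from the SMB KB helpers in smb_nt.inc (`kb_smb_transport()`, `kb_smb_name()`, `kb_smb_login()`, `kb_smb_password()`, `kb_smb_domain()`) before the loop. Moving the version read inside the path check and fixing the separator gives the shape below.
```nasl
# … unchanged: description block, includes, WindowsVersion and SOFTWARE\NetDecision checks …
name = kb_smb_name();
port = kb_smb_transport();
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();

netdeciKey = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
foreach item(registry_enum_keys(key:netdeciKey))
{
  # … unchanged: DisplayName match, ProgramFilesDir lookup, share/file derivation, SMB session setup …
    fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
    if(!fid){
      close(soc);
      exit(0);
    }

    # Version is read only on the path where soc/uid/tid/fid were actually established.
    netdeciVer = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid, verstr:"prod");
    close(soc);

    if(netdeciVer){
      set_kb_item(name:"NetDecision/TFTP/Ver", value:netdeciVer);
    }
    }
    exit(0);
  }
}
```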
Added: trunk/openvas-plugins/scripts/secpod_netdecision_tftp_server_dir_trav_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_netdecision_tftp_server_dir_trav_vuln.nasl 2009-05-29 03:29:07 UTC (rev 3532)
+++ trunk/openvas-plugins/scripts/secpod_netdecision_tftp_server_dir_trav_vuln.nasl 2009-05-29 05:35:11 UTC (rev 3533)
@@ -0,0 +1,97 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_netdecision_tftp_server_dir_trav_vuln.nasl 2412 2009-05-21 20:30:29Z may $
+#
+# NetDecision TFTP Server Multiple Directory Traversal Vulnerabilities
+#
+# Authors:
+# Sharath s <sharaths at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod , http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900358);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2009-1730");
+ script_bugtraq_id(35002);
+ script_name(english:"NetDecision TFTP Server Multiple Directory Traversal Vulnerabilities");
+ desc["english"] = "
+
+ Overview: This host is running NetDecision TFTP Server and is prone to
+ multiple directory traversal vulnerabilities.
+
+ Vulnerability Insight:
+ Due to an input validation error within the TFTP server which in fails
+ to sanitize user-supplied input in GET or PUT command via ../ (dot dot)
+ sequences.
+
+ Impact:
+ Successful exploitation will let the attackers to disclose sensitive
+ information,upload or download files to and from arbitrary locations.
+ and compromise a vulnerable system to legitimate users.
+
+
+ Affected Software/OS:
+ NetMechanica, NetDecision TFTP Server version 4.2 and prior
+
+ Fix: No solution or patch is available as on 29th May, 2009. Information
+ regarding this issue will updated once the solution details are available.
+ For updates refer, http://www.netmechanica.com
+
+ References:
+ http://secunia.com/advisories/35131
+ http://xforce.iss.net/xforce/xfdb/50574
+ http://www.securityfocus.com/archive/1/503605
+
+ CVSS Score:
+ CVSS Base Score : 10.0 (AV:N/AC:L/Au:NR/C:C/I:C/A:C)
+ CVSS Temporal Score : 8.5
+ Risk factor: Critical";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the version of NetDecision TFTP Server");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Denial of Service");
+ script_dependencies("find_service.nes",
+ "secpod_netdecision_tftp_server_detect.nasl");
+ script_require_keys("Services/udp/tftp", "NetDecision/TFTP/Ver");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+
+netdeciPort = get_kb_item("Services/udp/tftp");
+if(!netdeciPort){
+ netdeciPort = 69;
+}
+
+if(!get_udp_port_state(netdeciPort)){
+ exit(0);
+}
+
+netdeciVer = get_kb_item("NetDecision/TFTP/Ver");
+if(netdeciVer != NULL)
+{
+ if(version_is_less_equal(version:netdeciVer, test_version:"4.2")){
+ security_warning(netdeciPort, proto:"udp");
+ }
+}
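Review bot: The reporting call at the end, `security_warning(netdeciPort, proto:"udp");`, does not match the `Risk factor: Critical` and CVSS 10.0 that the description declares, whereas the other High/Critical scripts in this commit report with `security_hole`; use `security_hole(netdeciPort, proto:"udp");` here. `script_family(english:"Denial of Service")` also misclassifies a directory-traversal check; the sibling AVG script uses `Remote file access`, which fits this one too. The `Vulnerability Insight` paragraph reads `which in fails to sanitize` — drop the stray `in`.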
Added: trunk/openvas-plugins/scripts/secpod_sorinara_audio_player_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_sorinara_audio_player_bof_vuln.nasl 2009-05-29 03:29:07 UTC (rev 3532)
+++ trunk/openvas-plugins/scripts/secpod_sorinara_audio_player_bof_vuln.nasl 2009-05-29 05:35:11 UTC (rev 3533)
@@ -0,0 +1,111 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_sorinara_audio_player_bof_vuln.nasl 2344 2009-05-19 15:56:36Z may $
+#
+# Sorinara Streaming Audio Player Stack Overflow Vulnerability
+#
+# Authors:
+# Antu Sanadi<santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900649);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2009-1644");
+ script_bugtraq_id(34861);
+ script_name(english:"Sorinara Streaming Audio Player Stack Overflow Vulnerability");
+ desc["english"] = "
+
+ Overview: This host is running Sorinara Streaming Audio Player and is prone
+ to Stack Overflow Vulnerability.
+
+ Vulnerability Insight:
+ This vulnerability is caused due to improper boundary checks when processing
+ playlist 'pla' files.
+
+ Impact:
+ Successful exploitation will let the attacker execute arbitrary codes in
+ the context of the affected system and cause the application to crash by
+ overflowing the stack memory location.
+
+ Affected Software/OS:
+ Sorinara Streaming Audio Player version 0.9 and prior
+
+ Fix: No solution or patch is available as on 29th May, 2009. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.sorinara.com/sap/download.html
+
+ References:
+ http://www.milw0rm.com/exploits/8640
+ http://www.milw0rm.com/exploits/8625
+ http://xforce.iss.net/xforce/xfdb/50369
+
+ CVSS Score:
+ CVSS Base Score : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
+ CVSS Temporal Score : 8.4
+ Risk factor: Critical";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for version of Sorinara Streaming Audio Player");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Buffer overflow");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+}
+
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SAP\";
+vendName = registry_get_sz(key:key, item:"DisplayName");
+if("SAP" >< vendName)
+{
+ readmePath = registry_get_sz(key:key, item:"UninstallString");
+ if(!readmePath){
+ exit(0);
+ }
+
+ readmePath = readmePath - "\uninstall.exe /uninstall";
+ readmePath = readmePath + "\Help";
+
+ share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:readmePath);
+ file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+ string:readmePath + "\index.htm");
+ readmeText = read_file(share:share, file:file, offset:0, count:4500);
+ if(!readmeText){
+ exit(0);
+ }
+
+ sapVer = eregmatch(pattern:"SAP ([0-9.]+)", string:readmeText);
+ if(sapVer[1] != NULL)
+ {
+ if(version_is_less_equal(version:sapVer[1], test_version:"0.9")){
+ security_hole(0);
+ }
+ }
+}
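Review bot: `readmePath = readmePath - "\uninstall.exe /uninstall";` silently leaves the value unchanged when `UninstallString` has any other form (quoted path, different switch), so the script then tries to read `<UninstallString>\Help\index.htm` from the share and exits without a result; guard it with `if("\uninstall.exe /uninstall" >!< readmePath) exit(0);` before the subtraction. The same construct appears in secpod_sorinara_mp3_player_bof_vuln.nasl and needs the same guard. The version is scraped from a help page with `SAP ([0-9.]+)`, which may not track the installed binary; reading the executable's version resource, as the NetDecision detection script in this commit does, would be more reliable, and the header comment should at least state that the help file is the version source.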
Added: trunk/openvas-plugins/scripts/secpod_sorinara_mp3_player_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_sorinara_mp3_player_bof_vuln.nasl 2009-05-29 03:29:07 UTC (rev 3532)
+++ trunk/openvas-plugins/scripts/secpod_sorinara_mp3_player_bof_vuln.nasl 2009-05-29 05:35:11 UTC (rev 3533)
@@ -0,0 +1,111 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_sorinara_mp3_player_bof_vuln.nasl 2344 2009-05-18 15:56:36Z may $
+#
+# Sorinara Soritong MP3 Player Stack Overflow Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900648);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2009-1643");
+ script_bugtraq_id(34863);
+ script_name(english:"Sorinara Soritong MP3 Player Stack Overflow Vulnerability");
+ desc["english"] = "
+
+ Overview: This host is running Sorinara Soritong MP3 Player and is prone to
+ Stack Overflow Vulnerability.
+
+ Vulnerability Insight:
+ This flaw is caused due to an improper boundary checking when processing
+ '.m3u' files.
+
+ Impact:
+ Successful exploitation will let the attacker craft a malicious m3u playlist
+ file and trick the user to open the application which will cause stack overflow
+ in the affected system and will crash the application.
+
+ Affected Software/OS:
+ Soritong MP3 Player version 1.0 and prior
+
+ Fix: No solution or patch is available as on 29th May, 2009. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.sorinara.com/soritong
+
+ References:
+ http://www.milw0rm.com/exploits/8624
+ http://xforce.iss.net/xforce/xfdb/50398
+
+ CVSS Score:
+ CVSS Base Score : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
+ CVSS Temporal Score : 8.4
+ Risk factor: Critical";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the version of Sorinara Soritong MP3 Player");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Buffer overflow");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+}
+
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoriTong\";
+appName = registry_get_sz(key:key, item:"DisplayName");
+if("SoriTong" >< appName)
+{
+ readmePath = registry_get_sz(key:key, item:"UninstallString");
+ if(!readmePath){
+ exit(0);
+ }
+
+ readmePath = readmePath - "\uninstall.exe /uninstall";
+ readmePath = readmePath + "\Help";
+
+ share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:readmePath);
+ file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+ string:readmePath + "\whatsnew.html");
+
+ readmeText = read_file(share:share, file:file, offset:0, count:500);
+ if(!readmeText){
+ exit(0);
+ }
+
+ saritongVer = eregmatch(pattern:"Version ([0-9.]+)", string:readmeText);
+ if(saritongVer[1] != NULL)
+ {
+ if(version_is_less_equal(version:saritongVer[1], test_version:"1.0")){
+ security_hole(0);
+ }
+ }
+}
Added: trunk/openvas-plugins/scripts/secpod_squirrelmail_cmd_exec_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_squirrelmail_cmd_exec_vuln.nasl 2009-05-29 03:29:07 UTC (rev 3532)
+++ trunk/openvas-plugins/scripts/secpod_squirrelmail_cmd_exec_vuln.nasl 2009-05-29 05:35:11 UTC (rev 3533)
@@ -0,0 +1,99 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_squirrelmail_cmd_exec_vuln.nasl 2476 2009-05-26 17:48:29Z may $
+#
+# SquirrelMail Command Execution Vulnerability
+#
+# Authors:
+# Sujit Ghosal <sghosal at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900713);
+ script_version("$Revision: 1.1 $");
+ script_cve_id("CVE-2009-1381");
+ script_bugtraq_id(34916);
+ script_name(english:"SquirrelMail Command Execution Vulnerability");
+ desc["english"] = "
+
+ Overview: This host is running SquirrelMail Web application and is prone
+ to command execution vulnerability.
+
+ Vulnerability Insight:
+ The flaw is due to improper handling of arbitrary commands in map_yp_alias
+ function in functions/imap_general.php file via shell metacharacters in a
+ username string that is used by the ypmatch program.
+
+ Impact:
+ Successful exploitation will let the attacker execute arbitrary commands into
+ the context of the affected web mailing application and can conduct cross site
+ scripting, session fixation or phishing attacks.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ SquirrelMail version prior to 1.4.19
+
+ Fix:
+ Upgrade to SquirrelMail version 1.4.19 or later
+ http://squirrelmail.org/download.php
+
+ References:
+ http://secunia.com/advisories/35140
+ http://www.debian.org/security/2009/dsa-1802
+ http://release.debian.org/proposed-updates/stable_diffs/squirrelmail_1.4.15-4+lenny2.debdiff
+
+ CVSS Score:
+ CVSS Base Score : 6.8 (AV:N/AC:M/Au:NR/C:P/I:P/A:P)
+ CVSS Temporal Score : 5.0
+ Risk factor: Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the version of SquirrelMail");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Web application abuses");
+ script_dependencies("squirrelmail_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+mailPort = get_http_port(default:80);
+if(!mailPort){
+ exit(0);
+}
+
+mailVer = get_kb_item("www/"+ mailPort + "/SquirrelMail");
+if(mailVer == NULL){
+ exit(0);
+}
+
+ver = eregmatch(pattern:"^(.+) under (/.*)$", string:mailVer);
+if(ver[1] != NULL)
+{
+ # Check for SquirrelMail version 1.4.18 and prior
+ if(version_is_less_equal(version:ver[1], test_version:"1.4.18")){
+ security_warning(mailPort);
+ }
+}
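Review bot: `mailVer = get_kb_item("www/"+ mailPort + "/SquirrelMail");` reads a key that squirrelmail_detect.nasl presumably fills once per directory in which it finds SquirrelMail (its `foreach dir` loop in this commit now probes `/squirrelmail`, `/webmail`, `/mail` and `/sm` on every host), so several installs yield several values and which one is tested depends on the engine's multi-value KB handling. Iterating explicitly, `foreach mailVer (get_kb_list("www/"+ mailPort + "/SquirrelMail"))`, and reporting each vulnerable directory makes the result deterministic; the `under (/.*)` capture already lands in `ver[2]` but is never used. The `Impact` paragraph mixes command execution with cross-site scripting and session fixation, while the `Vulnerability Insight` paragraph only describes shell-metacharacter injection through `map_yp_alias`; the description should stick to what the check covers.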
Property changes on: trunk/openvas-plugins/scripts/secpod_squirrelmail_cmd_exec_vuln.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/secpod_transmission_csrf_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_transmission_csrf_vuln.nasl 2009-05-29 03:29:07 UTC (rev 3532)
+++ trunk/openvas-plugins/scripts/secpod_transmission_csrf_vuln.nasl 2009-05-29 05:35:11 UTC (rev 3533)
@@ -0,0 +1,83 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_transmission_csrf_vuln.nasl 2466 2009-05-28 21:25:29Z may $
+#
+# Transmission Client Cross Site Request Forgery Vulnerability
+#
+# Authors:
+# Sujit Ghosal <sghosal at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900715);
+ script_version("$Revision: 1.0 $");
+ script_cve_id("CVE-2009-1757");
+ script_name(english:"Transmission Client Cross Site Request Forgery Vulnerability");
+ desc["english"] = "
+
+ Overview: This host is installed with Transmission Client and is prone to
+ Cross Site Request Forgery Vulnerability.
+
+ Vulnerability Insight:
+ This flaw is due to Cross-site request forgery error which causes hijacking
+ the authentication of unspecified victims via unknown vectors.
+
+ Impact:
+ Successful exploitation will let the attacker hijack the authenticated
+ sessions of unspecified users.
+
+ Affected Software/OS:
+ Transmission Client version 1.5 before 1.53 and 1.6 before 1.61
+
+ Fix:
+ Upgrade to version 1.53 or 1.61
+ http://www.transmissionbt.com/download.php
+
+ References:
+ http://www.openwall.com/lists/oss-security/2009/05/21/1
+
+ CVSS Score:
+ CVSS Base Score : 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
+ CVSS Temporal Score : 5.0
+ Risk factor: Medium";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Check for the version of Transmission Client");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Web application abuses");
+ script_dependencies("secpod_transmission_detect.nasl");
+ script_require_keys("Transmission/Ver");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+transVer = get_kb_item("Transmission/Ver");
+if(!transVer){
+ exit(0);
+}
+
+# Grep for Transmission clent versions
+if(version_in_range(version:transVer, test_version:"1.5", test_version2:"1.52") ||
+ version_in_range(version:transVer, test_version:"1.6", test_version2:"1.60")){
+ security_warning(0);
+}
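Review bot: The comment `# Grep for Transmission clent versions` above the range check is misspelled and says nothing about the ranges; replace it with `# CVE-2009-1757: vulnerable ranges are 1.5x before 1.53 and 1.6x before 1.61`. The value compared comes from `transmissioncli -v` via secpod_transmission_detect.nasl, while the CSRF described affects the web/RPC interface; presumably both ship from the same package so the version matches, but that assumption is worth stating in the header.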
Property changes on: trunk/openvas-plugins/scripts/secpod_transmission_csrf_vuln.nasl
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/openvas-plugins/scripts/secpod_transmission_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_transmission_detect.nasl 2009-05-29 03:29:07 UTC (rev 3532)
+++ trunk/openvas-plugins/scripts/secpod_transmission_detect.nasl 2009-05-29 05:35:11 UTC (rev 3533)
@@ -0,0 +1,69 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_transmission_detect.nasl 2466 2009-05-28 19:18:29Z may $
+#
+# Transmission Version Detection
+#
+# Authors:
+# Sujit Ghosal <sghosal at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(900714);
+ script_version("$Revision: 1.0 $");
+ script_name(english:"Transmission Version Detection");
+ desc["english"] = "
+
+ Overview: The script is detects the installed version of Transmission
+ for Linux and sets the result in KB.
+
+ Risk Factor: Informational";
+
+ script_description(english:desc["english"]);
+ script_summary(english:"Sets KB for the version of Transmission");
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"Copyright (C) 2009 SecPod");
+ script_family(english:"Service detection");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+sock = ssh_login_or_reuse_connection();
+if(!sock){
+ exit(0);
+}
+
+transPaths = find_file(file_name:"transmissioncli", file_path:"/", useregex:TRUE,
+ regexpar:"$", sock:sock);
+foreach transBin (transPaths)
+{
+ transVer = get_bin_version(full_prog_name:chomp(transBin), sock:sock,
+ version_argv:"-v",
+ ver_pattern:"Transmission ([0-9.]+)");
+ if(transVer[1] != NULL)
+ {
+ set_kb_item(name:"Transmission/Ver", value:transVer[1]);
+ ssh_close_connection();
+ exit(0);
+ }
+}
+ssh_close_connection();
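Review bot: The script calls `ssh_login_or_reuse_connection()`, `find_file()`, `get_bin_version()` and `ssh_close_connection()` but declares neither `script_dependencies` nor `script_require_keys`, so nothing guarantees SSH credentials have been collected before it runs, while every other detection script in this commit declares its prerequisites; it presumably needs a dependency on the SSH authorization script and its login key, and the include providing the `ssh_*` helpers should be checked (only `version_func.inc` is included). `find_file(... file_path:"/", ...)` also walks the entire filesystem of every host over SSH, which is expensive; narrowing `file_path` to the usual binary directories (e.g. `/usr`, `/usr/local`, `/opt`) keeps the scan cheap. A header comment should state that the version is taken from the first `transmissioncli` found and that remaining matches are ignored.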
Property changes on: trunk/openvas-plugins/scripts/secpod_transmission_detect.nasl
___________________________________________________________________
Name: svn:executable
+ *
Modified: trunk/openvas-plugins/scripts/squirrelmail_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/squirrelmail_detect.nasl 2009-05-29 03:29:07 UTC (rev 3532)
+++ trunk/openvas-plugins/scripts/squirrelmail_detect.nasl 2009-05-29 05:35:11 UTC (rev 3533)
@@ -6,24 +6,21 @@
desc["english"] = "
-Synopsis :
+ Synopsis :
-The remote web server contains a webmail application.
+ The remote web server contains a webmail application.
-Description :
+ Description :
+ The remote host is running SquirrelMail, a PHP-based webmail package
+ that provides access to mail accounts via POP3 or IMAP.
-The remote host is running SquirrelMail, a PHP-based webmail package
-that provides access to mail accounts via POP3 or IMAP.
+ See also :
+ http://www.squirrelmail.org/
-See also :
+ Risk factor :
-http://www.squirrelmail.org/
+ None";
-Risk factor :
-
-None";
-
-
if (description) {
script_id(12647);
script_version("$Revision$");
@@ -39,7 +36,7 @@
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2004 George A. Theall");
- family["english"] = "CGI abuses";
+ family["english"] = "Service detection";
script_family(english:family["english"]);
script_dependencie("http_version.nasl");
@@ -61,10 +58,8 @@
# Search for SquirrelMail.
-if (thorough_tests) dirs = make_list("/squirrelmail", "/webmail", "/mail", "/sm", cgi_dirs());
-else dirs = make_list(cgi_dirs());
-
-foreach dir (dirs) {
+foreach dir (make_list("/squirrelmail", "/webmail", "/mail", "/sm", cgi_dirs()))
+{
req = http_get(item:string(dir, "/src/login.php"), port:port);
res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
if (res == NULL) exit(0);
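Review bot: Dropping the `thorough_tests` gate makes every scan probe `/squirrelmail`, `/webmail`, `/mail` and `/sm` in addition to `cgi_dirs()` on every web server, which is exactly the cost the gate existed to avoid; if that is intended, say so above the loop, e.g. `# Common webmail paths are probed unconditionally; thorough_tests no longer gates them (rev 3533).` Note also that `if (res == NULL) exit(0);` now ends the whole loop on the first directory that does not answer, so a non-responding `/squirrelmail` hides an install under `/mail`; if NULL only ever means the server went away, exiting is fine, otherwise `continue` is the safer choice. The loop body continues outside the hunk.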