[Openvas-commits] r3533 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Fri May 29 07:35:12 CEST 2009


Author: chandra
Date: 2009-05-29 07:35:11 +0200 (Fri, 29 May 2009)
New Revision: 3533

Added:
   trunk/openvas-plugins/scripts/secpod_avg_detect_win.nasl
   trunk/openvas-plugins/scripts/secpod_avg_detection_bypass_vuln_win.nasl
   trunk/openvas-plugins/scripts/secpod_netdecision_tftp_server_detect.nasl
   trunk/openvas-plugins/scripts/secpod_netdecision_tftp_server_dir_trav_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_sorinara_audio_player_bof_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_sorinara_mp3_player_bof_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_squirrelmail_cmd_exec_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_transmission_csrf_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_transmission_detect.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/squirrelmail_detect.nasl
Log:
Checked in new scripts and removed the thorough_tests condition from the squirrelmail detect script

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2009-05-29 03:29:07 UTC (rev 3532)
+++ trunk/openvas-plugins/ChangeLog	2009-05-29 05:35:11 UTC (rev 3533)
@@ -1,3 +1,18 @@
+2009-05-29 Chandan S <schandan at secpod.com> 
+	* scripts/secpod_netdecision_tftp_server_dir_trav_vuln.nasl,
+	secpod_avg_detect_win.nasl,
+	secpod_sorinara_audio_player_bof_vuln.nasl,
+	secpod_transmission_detect.nasl,
+	secpod_squirrelmail_cmd_exec_vuln.nasl,
+	secpod_transmission_csrf_vuln.nasl,
+	secpod_avg_detection_bypass_vuln_win.nasl,
+	secpod_sorinara_mp3_player_bof_vuln.nasl,
+	secpod_netdecision_tftp_server_detect.nasl:
+	Checkedin new scripts.
+
+	* scripts/squirrelmail_detect.nasl:
+	thorough_tests removed.
+
 2009-05-28 Michael Meyer <mime at gmx.de>
 	* scripts/cacti_27749.nasl,
 	scripts/lighttpd_35097.nasl,

Added: trunk/openvas-plugins/scripts/secpod_avg_detect_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_avg_detect_win.nasl	2009-05-29 03:29:07 UTC (rev 3532)
+++ trunk/openvas-plugins/scripts/secpod_avg_detect_win.nasl	2009-05-29 05:35:11 UTC (rev 3533)
@@ -0,0 +1,68 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_avg_detect_win.nasl 2477 2009-05-28 15:10:24Z may $
+#
+# AVG AntiVirus Version Detection (Win)
+#
+# Authors:
+# Sujit Ghosal <sghosal at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http//www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(900718);
+  script_version("$Revision: 1.0 $");
+  script_name(english:"AVG AntiVirus Version Detection");
+  desc["english"] = "
+
+  Overview : This script is detects the installed version of AVG AntiVirus and
+  sets the result in KB.
+
+  Risk factor : Informational";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Set Version of AVG AntiVirus in KB");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2009 SecPod");
+  script_family(english:"Service detection");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_keys("SMB/WindowsVersion");
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
+
+if(!registry_key_exists(key:"SOFTWARE\AVG")){
+  exit(0);
+}
+
+for(i=1; i<=8; i++)
+{
+  avgVer = registry_get_sz(key:"SOFTWARE\AVG\AVG" + i +
+                               "\LinkScanner\Prevalence", item:"CODEVER");
+  if(avgVer != NULL){
+    set_kb_item(name:"AVG/AV/Win/Ver", value:avgVer);
+  }
+}
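Review bot: The `for` loop at the end writes `AVG/AV/Win/Ver` once for every `SOFTWARE\AVG\AVG<i>` key that carries a CODEVER value and never breaks, so a host with more than one such subkey (an upgrade leftover, presumably) stores several values under one KB key and the dependent check in secpod_avg_detection_bypass_vuln_win.nasl reads only one of them. The value itself is the `LinkScanner\Prevalence` CODEVER string, and nothing here establishes that it tracks the scanning-engine build the bypass check compares against. I would either add `break;` after the `set_kb_item` call or document why every match is wanted, and put above the loop: `# CODEVER under AVG<i>\LinkScanner\Prevalence is taken as the AVG version — TODO confirm it matches the engine build numbering used by the vuln checks`.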


Property changes on: trunk/openvas-plugins/scripts/secpod_avg_detect_win.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_avg_detection_bypass_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_avg_detection_bypass_vuln_win.nasl	2009-05-29 03:29:07 UTC (rev 3532)
+++ trunk/openvas-plugins/scripts/secpod_avg_detection_bypass_vuln_win.nasl	2009-05-29 05:35:11 UTC (rev 3533)
@@ -0,0 +1,87 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_avg_detection_bypass_vuln_win.nasl 2477 2009-05-28 15:51:24Z may $
+#
+# AVG AntiVirus Engine Malware Detection Bypass Vulnerability (Win)
+#
+# Authors:
+# Sujit Ghosal <sghosal at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(900719);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-1784");
+  script_bugtraq_id(34895);
+  script_name(english:"AVG AntiVirus Engine Malware Detection Bypass Vulnerability (Win)");
+  desc["english"] = "
+
+  Overview: This host is installed with AVG AntiVirus Product Suite for Windows
+  and is prone to Malware Detection Bypass Vulnerability.
+
+  Vulnerability Insight:
+  Error in the file parsing engine can be exploited to bypass the anti-virus
+  scanning functionality via a specially crafted ZIP or RAR file.
+
+  Impact:
+  Successful exploitation will let the attacker craft malwares in a crafted
+  archive file and spread it across the network to gain access to sensitive
+  information or cause damage to the remote system.
+
+  Impact Level: System
+
+  Affected Software/OS:
+  AVG Anti-Virus prior to 8.5.323
+  AVG File Server Edition prior to 8.5.323 on Windows
+
+  Fix: Upgrade to the AVG Anti-Virus Scanning Engine build 8.5.323
+  http://www.avg.com/download
+
+  References:
+  http://xforce.iss.net/xforce/xfdb/50426
+  http://blog.zoller.lu/2009/04/avg-zip-evasion-bypass.html
+
+  CVSS Score:
+    CVSS Base Score     : 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
+    CVSS Temporal Score : 7.4
+  Risk factor: High";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Check for the Version of AVG AntiVirus Products");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2009 SecPod");
+  script_family(english:"Remote file access");
+  script_dependencies("secpod_avg_detect_win.nasl");
+  script_require_keys("AVG/AV/Win/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+version = get_kb_item("AVG/AV/Win/Ver");
+if(!version){
+  exit(0);
+}
+
+#Check for AntiVirus Products Suite version prior to 8.5.323
+if(version_is_less(version:version, test_version:"8.5.323")){
+  security_hole(0);
+}
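Review bot: The `version_is_less` test at the bottom compares whatever secpod_avg_detect_win.nasl stored under `AVG/AV/Win/Ver` against `8.5.323`, yet the description calls 8.5.323 a scanning-engine build; if the KB value is the product version, a host with an updated engine but an older program version will be reported, and the hunk gives no hint which it is. A comment making the assumption visible would help the next maintainer, e.g. `# KB value is the AVG version read from the registry; 8.5.323 is the fixed engine build — confirm the two are comparable`. Also `script_family(english:"Remote file access")` does not describe an anti-virus detection-bypass check, while the other scripts in this commit choose families that match their issue class.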


Property changes on: trunk/openvas-plugins/scripts/secpod_avg_detection_bypass_vuln_win.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_netdecision_tftp_server_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_netdecision_tftp_server_detect.nasl	2009-05-29 03:29:07 UTC (rev 3532)
+++ trunk/openvas-plugins/scripts/secpod_netdecision_tftp_server_detect.nasl	2009-05-29 05:35:11 UTC (rev 3533)
@@ -0,0 +1,133 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_netdecision_tftp_server_detect.nasl 2412 2009-05-21 21:07:05Z may $
+#
+# NetDecision TFTP Server Version Detection
+#
+# Authors:
+# Sharath S <sharaths at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+##############################################################################
+
+if(description)
+{
+  script_id(900357);
+  script_version ("$Revision: 1.0 $");
+  script_name(english:"NetDecision TFTP Server Version Detection");
+  desc["english"] = "
+
+  Overview: This script is detects installed version of NetDecision TFTP Server
+  and sets the result in KB.
+
+  Risk factor: Informational";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Sets KB of NetDecision TFTP Server Version");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2009 SecPod");
+  script_family(english:"Service detection");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_keys("SMB/WindowsVersion");
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
+
+
+if(!registry_key_exists(key:"SOFTWARE\NetDecision")){
+  exit(0);
+}
+
+netdeciKey = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+foreach item(registry_enum_keys(key:netdeciKey))
+{
+  netdeciName = registry_get_sz(key:netdeciKey + item, item:"DisplayName");
+
+  if("NetDecision" >< netdeciName)
+  {
+    netdeciPath = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion",
+                                  item:"ProgramFilesDir");
+    if(netdeciPath != NULL)
+    {
+      share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:netdeciPath);
+      file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+                          string:netdeciPath + "\NetDecision\Bin\TFTPServer.exe");
+
+      soc = open_sock_tcp(port);
+      if(!soc){
+        exit(0);
+      }
+
+      r = smb_session_request(soc:soc, remote:name);
+      if(!r)
+      {
+        close(soc);
+        exit(0);
+      }
+
+      prot = smb_neg_prot(soc:soc);
+      if(!prot)
+      {
+        close(soc);
+        exit(0);
+      }
+
+      r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain,
+                            prot:prot);
+      if(!r)
+      {
+        close(soc);
+        exit(0);
+      }
+
+      uid = session_extract_uid(reply:r);
+      if(!uid)
+      {
+        close(soc);
+        exit(0);
+      }
+
+      r = smb_tconx(soc:soc, name:name, uid:uid, share:share);
+      tid = tconx_extract_tid(reply:r);
+      if(!tid){
+        close(soc);
+        exit(0);
+      }
+
+      fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
+      if(!fid){
+        close(soc);
+        exit(0);
+      }
+    }
+
+    netdeciVer = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid, verstr="prod");
+    close(soc);
+
+    if(netdeciVer){
+      set_kb_item(name:"NetDecision/TFTP/Ver", value:netdeciVer);
+    }
+    exit(0);
+  }
+}
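Review bot: `port`, `name`, `login`, `pass` and `domain` are used at `open_sock_tcp(port)`, `smb_session_request(soc:soc, remote:name)` and `smb_session_setup(...)` but are never assigned anywhere in this script, so the SMB session is attempted with empty values and the detection cannot succeed; the sibling scripts in this commit avoid the raw SMB sequence entirely by calling `read_file()` from secpod_smb_func.inc. The `GetVersion(...)` call and the following `close(soc)` also sit outside the `if(netdeciPath != NULL)` block, so when `ProgramFilesDir` is missing they run with `soc`, `uid`, `tid` and `fid` unset. `verstr="prod"` uses `=` where every other argument in the file uses `:`, which does not pass a named argument. The excerpt below takes the SMB parameters from the KB helpers in smb_nt.inc (already included) and moves the version read inside the guarded block.
```nasl
    if(netdeciPath != NULL)
    {
      # … unchanged: share/file derivation …

      # SMB transport and credentials come from the KB, as the other SMB scripts do
      port = kb_smb_transport();
      if(!port){
        port = 139;
      }
      name   = kb_smb_name();
      login  = kb_smb_login();
      pass   = kb_smb_password();
      domain = kb_smb_domain();

      soc = open_sock_tcp(port);
      # … unchanged: session request, protocol negotiation, session setup, tconx, OpenAndX …

      netdeciVer = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid, verstr:"prod");
      close(soc);

      if(netdeciVer){
        set_kb_item(name:"NetDecision/TFTP/Ver", value:netdeciVer);
      }
    }
    exit(0);
```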

Added: trunk/openvas-plugins/scripts/secpod_netdecision_tftp_server_dir_trav_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_netdecision_tftp_server_dir_trav_vuln.nasl	2009-05-29 03:29:07 UTC (rev 3532)
+++ trunk/openvas-plugins/scripts/secpod_netdecision_tftp_server_dir_trav_vuln.nasl	2009-05-29 05:35:11 UTC (rev 3533)
@@ -0,0 +1,97 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_netdecision_tftp_server_dir_trav_vuln.nasl 2412 2009-05-21 20:30:29Z may $
+#
+# NetDecision TFTP Server Multiple Directory Traversal Vulnerabilities
+#
+# Authors:
+# Sharath s <sharaths at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod , http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(900358);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-1730");
+  script_bugtraq_id(35002);
+  script_name(english:"NetDecision TFTP Server Multiple Directory Traversal Vulnerabilities");
+  desc["english"] = "
+
+  Overview: This host is running NetDecision TFTP Server and is prone to
+  multiple directory traversal vulnerabilities.
+
+  Vulnerability Insight:
+  Due to an input validation error within the TFTP server which in fails
+  to sanitize user-supplied input in GET or PUT command via ../ (dot dot)
+  sequences.
+
+  Impact:
+  Successful exploitation will let the attackers to disclose sensitive
+  information,upload or download files to and from arbitrary locations.
+  and compromise a vulnerable system to legitimate users.
+
+
+  Affected Software/OS:
+  NetMechanica, NetDecision TFTP Server version 4.2 and prior
+
+  Fix: No solution or patch is available as on 29th May, 2009. Information
+  regarding this issue will updated once the solution details are available.
+  For updates refer, http://www.netmechanica.com
+
+  References:
+  http://secunia.com/advisories/35131
+  http://xforce.iss.net/xforce/xfdb/50574
+  http://www.securityfocus.com/archive/1/503605
+
+  CVSS Score:
+    CVSS Base Score     : 10.0 (AV:N/AC:L/Au:NR/C:C/I:C/A:C)
+    CVSS Temporal Score : 8.5
+  Risk factor: Critical";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Check for the version of NetDecision TFTP Server");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2009 SecPod");
+  script_family(english:"Denial of Service");
+  script_dependencies("find_service.nes",
+                      "secpod_netdecision_tftp_server_detect.nasl");
+  script_require_keys("Services/udp/tftp", "NetDecision/TFTP/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+
+netdeciPort = get_kb_item("Services/udp/tftp");
+if(!netdeciPort){
+  netdeciPort = 69;
+}
+
+if(!get_udp_port_state(netdeciPort)){
+  exit(0);
+}
+
+netdeciVer = get_kb_item("NetDecision/TFTP/Ver");
+if(netdeciVer != NULL)
+{
+  if(version_is_less_equal(version:netdeciVer, test_version:"4.2")){
+    security_warning(netdeciPort, proto:"udp");
+  }
+}
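Review bot: `script_require_keys("Services/udp/tftp", "NetDecision/TFTP/Ver")` means the script only runs when the tftp service key exists, so the `netdeciPort = 69;` fallback just below `get_kb_item("Services/udp/tftp")` is dead code; either drop the fallback or drop the key from require_keys. The report is then raised on whatever UDP port the key names after confirming only that the port is open, while the version came from the Windows registry over SMB, so a comment such as `# Version comes from the registry via SMB; the TFTP port is only checked for being open, not for belonging to NetDecision` would make the inference explicit. `script_family(english:"Denial of Service")` does not match a directory-traversal issue, and the vector `AV:N/AC:L/Au:NR/C:C/I:C/A:C` in the description uses `Au:NR`, which is not a CVSS v2 authentication value (`Au:N` is).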

Added: trunk/openvas-plugins/scripts/secpod_sorinara_audio_player_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_sorinara_audio_player_bof_vuln.nasl	2009-05-29 03:29:07 UTC (rev 3532)
+++ trunk/openvas-plugins/scripts/secpod_sorinara_audio_player_bof_vuln.nasl	2009-05-29 05:35:11 UTC (rev 3533)
@@ -0,0 +1,111 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_sorinara_audio_player_bof_vuln.nasl 2344 2009-05-19 15:56:36Z may $
+#
+# Sorinara Streaming Audio Player Stack Overflow Vulnerability
+#
+# Authors:
+# Antu Sanadi<santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(900649);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-1644");
+  script_bugtraq_id(34861);
+  script_name(english:"Sorinara Streaming Audio Player Stack Overflow Vulnerability");
+  desc["english"] = "
+
+  Overview: This host is running Sorinara Streaming Audio Player and is prone
+  to Stack Overflow Vulnerability.
+
+  Vulnerability Insight:
+  This vulnerability is caused due to improper boundary checks when processing
+  playlist 'pla' files.
+
+  Impact:
+  Successful exploitation will let the attacker execute arbitrary codes in
+  the context of the affected system and cause the application to crash by
+  overflowing the stack memory location.
+
+  Affected Software/OS:
+  Sorinara Streaming Audio Player version 0.9 and prior
+
+  Fix: No solution or patch is available as on 29th May, 2009. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.sorinara.com/sap/download.html
+
+  References:
+  http://www.milw0rm.com/exploits/8640
+  http://www.milw0rm.com/exploits/8625
+  http://xforce.iss.net/xforce/xfdb/50369
+
+  CVSS Score:
+    CVSS Base Score      : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
+    CVSS Temporal Score  : 8.4
+  Risk factor: Critical";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Check for version of Sorinara Streaming Audio Player");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2009 SecPod");
+  script_family(english:"Buffer overflow");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_keys("SMB/WindowsVersion");
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
+
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SAP\";
+vendName = registry_get_sz(key:key, item:"DisplayName");
+if("SAP" >< vendName)
+{
+  readmePath = registry_get_sz(key:key, item:"UninstallString");
+  if(!readmePath){
+    exit(0);
+  }
+
+  readmePath = readmePath - "\uninstall.exe /uninstall";
+  readmePath = readmePath + "\Help";
+
+  share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:readmePath);
+  file =  ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+                       string:readmePath + "\index.htm");
+  readmeText = read_file(share:share, file:file, offset:0, count:4500);
+  if(!readmeText){
+    exit(0);
+  }
+
+  sapVer = eregmatch(pattern:"SAP ([0-9.]+)", string:readmeText);
+  if(sapVer[1] != NULL)
+  {
+    if(version_is_less_equal(version:sapVer[1], test_version:"0.9")){
+      security_hole(0);
+    }
+  }
+}
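Review bot: `readmePath = readmePath - "\uninstall.exe /uninstall";` silently leaves the string untouched when UninstallString is written differently (quoting, casing, other arguments), after which `share`/`file` point at a path that cannot exist and the script exits without reporting; the same pattern is in secpod_sorinara_mp3_player_bof_vuln.nasl. The `([A-Z]):.*` share pattern likewise fails for a lowercase drive letter, which registry values may carry. A guard after the subtraction, `if("uninstall.exe" >< readmePath) exit(0);`, plus `icase:TRUE` on the two `ereg_replace` calls, would keep the failure visible and cover both spellings. The version itself is scraped from the first 4500 bytes of `Help\index.htm` with `SAP ([0-9.]+)`, which picks up the first such string in a help page rather than a product-version field; that deserves a comment stating it as the chosen heuristic.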

Added: trunk/openvas-plugins/scripts/secpod_sorinara_mp3_player_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_sorinara_mp3_player_bof_vuln.nasl	2009-05-29 03:29:07 UTC (rev 3532)
+++ trunk/openvas-plugins/scripts/secpod_sorinara_mp3_player_bof_vuln.nasl	2009-05-29 05:35:11 UTC (rev 3533)
@@ -0,0 +1,111 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_sorinara_mp3_player_bof_vuln.nasl 2344 2009-05-18 15:56:36Z may $
+#
+# Sorinara Soritong MP3 Player Stack Overflow Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(900648);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-1643");
+  script_bugtraq_id(34863);
+  script_name(english:"Sorinara Soritong MP3 Player Stack Overflow Vulnerability");
+  desc["english"] = "
+
+  Overview: This host is running Sorinara Soritong MP3 Player and is prone to
+  Stack Overflow Vulnerability.
+
+  Vulnerability Insight:
+  This flaw is caused due to an improper boundary checking when processing
+  '.m3u' files.
+
+  Impact:
+  Successful exploitation will let the attacker craft a malicious m3u playlist
+  file and trick the user to open the application which will cause stack overflow
+  in the affected system and will crash the application.
+
+  Affected Software/OS:
+  Soritong MP3 Player version 1.0 and prior
+
+  Fix: No solution or patch is available as on 29th May, 2009. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.sorinara.com/soritong
+
+  References:
+  http://www.milw0rm.com/exploits/8624
+  http://xforce.iss.net/xforce/xfdb/50398
+
+  CVSS Score:
+    CVSS Base Score      : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
+    CVSS Temporal Score  : 8.4
+  Risk factor: Critical";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Check for the version of Sorinara Soritong MP3 Player");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2009 SecPod");
+  script_family(english:"Buffer overflow");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_keys("SMB/WindowsVersion");
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
+
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoriTong\";
+appName = registry_get_sz(key:key, item:"DisplayName");
+if("SoriTong" >< appName)
+{
+  readmePath = registry_get_sz(key:key, item:"UninstallString");
+  if(!readmePath){
+    exit(0);
+  }
+
+  readmePath = readmePath - "\uninstall.exe /uninstall";
+  readmePath = readmePath + "\Help";
+
+  share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:readmePath);
+  file =  ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1",
+                       string:readmePath + "\whatsnew.html");
+
+  readmeText = read_file(share:share, file:file, offset:0, count:500);
+  if(!readmeText){
+    exit(0);
+  }
+
+  saritongVer = eregmatch(pattern:"Version ([0-9.]+)", string:readmeText);
+  if(saritongVer[1] != NULL)
+  {
+    if(version_is_less_equal(version:saritongVer[1], test_version:"1.0")){
+      security_hole(0);
+    }
+  }
+}

Added: trunk/openvas-plugins/scripts/secpod_squirrelmail_cmd_exec_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_squirrelmail_cmd_exec_vuln.nasl	2009-05-29 03:29:07 UTC (rev 3532)
+++ trunk/openvas-plugins/scripts/secpod_squirrelmail_cmd_exec_vuln.nasl	2009-05-29 05:35:11 UTC (rev 3533)
@@ -0,0 +1,99 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_squirrelmail_cmd_exec_vuln.nasl 2476 2009-05-26 17:48:29Z may $
+#
+# SquirrelMail Command Execution Vulnerability
+#
+# Authors:
+# Sujit Ghosal <sghosal at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(900713);
+  script_version("$Revision: 1.1 $");
+  script_cve_id("CVE-2009-1381");
+  script_bugtraq_id(34916);
+  script_name(english:"SquirrelMail Command Execution Vulnerability");
+  desc["english"] = "
+
+  Overview: This host is running SquirrelMail Web application and is prone
+  to command execution vulnerability.
+
+  Vulnerability Insight:
+  The flaw is due to improper handling of arbitrary commands in map_yp_alias 
+  function in functions/imap_general.php file via shell metacharacters in a 
+  username string that is used by the ypmatch program.
+
+  Impact:
+  Successful exploitation will let the attacker execute arbitrary commands into
+  the context of the affected web mailing application and can conduct cross site
+  scripting, session fixation or phishing attacks.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  SquirrelMail version prior to 1.4.19
+
+  Fix:
+  Upgrade to SquirrelMail version 1.4.19 or later
+  http://squirrelmail.org/download.php
+
+  References:
+  http://secunia.com/advisories/35140
+  http://www.debian.org/security/2009/dsa-1802
+  http://release.debian.org/proposed-updates/stable_diffs/squirrelmail_1.4.15-4+lenny2.debdiff
+
+  CVSS Score:
+    CVSS Base Score     : 6.8 (AV:N/AC:M/Au:NR/C:P/I:P/A:P)
+    CVSS Temporal Score : 5.0
+  Risk factor: Medium";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Check for the version of SquirrelMail");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2009 SecPod");
+  script_family(english:"Web application abuses");
+  script_dependencies("squirrelmail_detect.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+mailPort = get_http_port(default:80);
+if(!mailPort){
+  exit(0);
+}
+
+mailVer = get_kb_item("www/"+ mailPort + "/SquirrelMail");
+if(mailVer == NULL){
+  exit(0);
+}
+
+ver = eregmatch(pattern:"^(.+) under (/.*)$", string:mailVer);
+if(ver[1] != NULL)
+{
+  # Check for SquirrelMail version 1.4.18 and prior
+  if(version_is_less_equal(version:ver[1], test_version:"1.4.18")){
+    security_warning(mailPort);
+  }
+}
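Review bot: The check at the bottom flags every SquirrelMail at or below 1.4.18 from the version string alone, but the vulnerable path for CVE-2009-1381 is the `map_yp_alias` function named in the description, which is only reached when that address-mapping option is configured; the script should say that it is a version-based check, e.g. `# Version-based check: map_yp_alias is only used when configured, so unaffected installs may be flagged`. The `^(.+) under (/.*)$` regex depends on the format written by squirrelmail_detect.nasl (modified in this commit, hunk not shown), and if that script stores a non-numeric placeholder as the version, `version_is_less_equal` would receive it unchecked. The Impact paragraph mixing cross-site scripting, session fixation and phishing into a command-execution issue looks like text carried over from the other fixes in 1.4.19 rather than this CVE.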


Property changes on: trunk/openvas-plugins/scripts/secpod_squirrelmail_cmd_exec_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_transmission_csrf_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_transmission_csrf_vuln.nasl	2009-05-29 03:29:07 UTC (rev 3532)
+++ trunk/openvas-plugins/scripts/secpod_transmission_csrf_vuln.nasl	2009-05-29 05:35:11 UTC (rev 3533)
@@ -0,0 +1,83 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_transmission_csrf_vuln.nasl 2466 2009-05-28 21:25:29Z may $
+#
+# Transmission Client Cross Site Request Forgery Vulnerability
+#
+# Authors:
+# Sujit Ghosal <sghosal at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(900715);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-1757");
+  script_name(english:"Transmission Client Cross Site Request Forgery Vulnerability");
+  desc["english"] = "
+
+  Overview: This host is installed with Transmission Client and is prone to
+  Cross Site Request Forgery Vulnerability.
+
+  Vulnerability Insight:
+  This flaw is due to Cross-site request forgery error which causes hijacking
+  the authentication of unspecified victims via unknown vectors.
+
+  Impact:
+  Successful exploitation will let the attacker hijack the authenticated
+  sessions of unspecified users.
+
+  Affected Software/OS:
+  Transmission Client version 1.5 before 1.53 and 1.6 before 1.61
+
+  Fix:
+  Upgrade to version 1.53 or 1.61
+  http://www.transmissionbt.com/download.php
+
+  References:
+  http://www.openwall.com/lists/oss-security/2009/05/21/1
+
+  CVSS Score:
+    CVSS Base Score     : 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
+    CVSS Temporal Score : 5.0
+  Risk factor: Medium";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Check for the version of Transmission Client");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2009 SecPod");
+  script_family(english:"Web application abuses");
+  script_dependencies("secpod_transmission_detect.nasl");
+  script_require_keys("Transmission/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+transVer = get_kb_item("Transmission/Ver");
+if(!transVer){
+  exit(0);
+}
+
+# Grep for Transmission clent versions
+if(version_in_range(version:transVer, test_version:"1.5", test_version2:"1.52") ||
+   version_in_range(version:transVer, test_version:"1.6", test_version2:"1.60")){
+  security_warning(0);
+}
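Review bot: The comment `# Grep for Transmission clent versions` describes the two `version_in_range` calls, which test inclusive ranges, and the relation between the `1.52`/`1.60` upper bounds and the "before 1.53"/"before 1.61" wording in the description is left to the reader; I would replace it with `# Affected: 1.5 <= ver < 1.53 and 1.6 <= ver < 1.61 (inclusive upper bounds 1.52 / 1.60)`. From what is visible of secpod_transmission_detect.nasl (its hunk is cut off below), `Transmission/Ver` appears to be set once per binary found, so `get_kb_item` here sees one of possibly several values.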


Property changes on: trunk/openvas-plugins/scripts/secpod_transmission_csrf_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_transmission_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_transmission_detect.nasl	2009-05-29 03:29:07 UTC (rev 3532)
+++ trunk/openvas-plugins/scripts/secpod_transmission_detect.nasl	2009-05-29 05:35:11 UTC (rev 3533)
@@ -0,0 +1,69 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_transmission_detect.nasl 2466 2009-05-28 19:18:29Z may $
+#
+# Transmission Version Detection
+#
+# Authors:
+# Sujit Ghosal <sghosal at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(900714);
+  script_version("$Revision: 1.0 $");
+  script_name(english:"Transmission Version Detection");
+  desc["english"] = "
+
+  Overview: The script is detects the installed version of Transmission
+  for Linux and sets the result in KB.
+
+  Risk Factor: Informational";
+
+  script_description(english:desc["english"]);
+  script_summary(english:"Sets KB for the version of Transmission");
+  script_category(ACT_GATHER_INFO);
+  script_copyright(english:"Copyright (C) 2009 SecPod");
+  script_family(english:"Service detection");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+sock = ssh_login_or_reuse_connection();
+if(!sock){
+  exit(0);
+}
+
+transPaths = find_file(file_name:"transmissioncli", file_path:"/", useregex:TRUE,
+                       regexpar:"$", sock:sock);
+foreach transBin (transPaths)
+{
+  transVer = get_bin_version(full_prog_name:chomp(transBin), sock:sock,
+                             version_argv:"-v",
+                             ver_pattern:"Transmission ([0-9.]+)");
+  if(transVer[1] != NULL)
+  {
+    set_kb_item(name:"Transmission/Ver", value:transVer[1]);
+    ssh_close_connection();
+    exit(0);
+  }
+}
+ssh_close_connection();
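Review bot: The description block declares no `script_dependencies` on an SSH login test and no `script_require_keys` for SSH credentials, so the script is scheduled on every host and relies solely on `ssh_login_or_reuse_connection()` returning a false value when no login is possible; if this follows the pattern of the other SSH-based detect scripts, a `script_dependencies("ssh_authorization.nasl");` line would keep it from running where it cannot succeed. The body then runs `find_file` from `/` and executes every `transmissioncli` match with `-v` over the SSH session, which is a full-filesystem walk plus a process launch per hit on each scanned host, so the cost is worth a comment such as `# Walks the whole filesystem; one -v invocation per match`. The `transVer[1] != NULL` test only guards a failed `get_bin_version` if that helper returns an indexable value on failure — confirm against version_func.inc. The overview text reads `The script is detects` and should read `This script detects`.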


Property changes on: trunk/openvas-plugins/scripts/secpod_transmission_detect.nasl
___________________________________________________________________
Name: svn:executable
   + *

Modified: trunk/openvas-plugins/scripts/squirrelmail_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/squirrelmail_detect.nasl	2009-05-29 03:29:07 UTC (rev 3532)
+++ trunk/openvas-plugins/scripts/squirrelmail_detect.nasl	2009-05-29 05:35:11 UTC (rev 3533)
@@ -6,24 +6,21 @@
 
 
   desc["english"] = "
-Synopsis :
+  Synopsis :
 
-The remote web server contains a webmail application. 
+  The remote web server contains a webmail application. 
 
-Description :
+  Description :
+  The remote host is running SquirrelMail, a PHP-based webmail package
+  that provides access to mail accounts via POP3 or IMAP. 
 
-The remote host is running SquirrelMail, a PHP-based webmail package
-that provides access to mail accounts via POP3 or IMAP. 
+  See also :
+  http://www.squirrelmail.org/
 
-See also :
+  Risk factor : 
 
-http://www.squirrelmail.org/
+  None";
 
-Risk factor : 
-
-None";
-
-
 if (description) {
   script_id(12647);
   script_version("$Revision$");
@@ -39,7 +36,7 @@
   script_category(ACT_GATHER_INFO);
   script_copyright(english:"This script is Copyright (C) 2004 George A. Theall");
 
-  family["english"] = "CGI abuses";
+  family["english"] = "Service detection";
   script_family(english:family["english"]);
 
   script_dependencie("http_version.nasl");
@@ -61,10 +58,8 @@
 
 
 # Search for SquirrelMail.
-if (thorough_tests) dirs = make_list("/squirrelmail", "/webmail", "/mail", "/sm", cgi_dirs());
-else dirs = make_list(cgi_dirs());
-
-foreach dir (dirs) {
+foreach dir (make_list("/squirrelmail", "/webmail", "/mail", "/sm", cgi_dirs()))
+{
   req = http_get(item:string(dir, "/src/login.php"), port:port);
   res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
   if (res == NULL) exit(0);
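Review bot: With the `thorough_tests` gate gone, the loop now probes the four literal directories plus `cgi_dirs()` on every scan, yet `if (res == NULL) exit(0);` on the last line still ends the whole script when one keep-alive request returns nothing, so a missing response for `/squirrelmail` stops the remaining directories from being tried; if that is not intended, `continue` (or `break` when the server is to be treated as down) is the more precise action. If `cgi_dirs()` can itself return one of the literal paths, the list holds duplicates and the same request is sent twice, as `make_list` does not appear to dedupe. The foreach body continues past the end of the hunk.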


