[Openvas-commits] r5795 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Wed Nov 4 20:13:23 CET 2009
Author: mime
Date: 2009-11-04 20:13:20 +0100 (Wed, 04 Nov 2009)
New Revision: 5795
Added:
trunk/openvas-plugins/scripts/samba_32494.nasl
trunk/openvas-plugins/scripts/serv_u_36585.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/cve_current.txt
trunk/openvas-plugins/scripts/gb_rhinosoft_serv-u_detect.nasl
trunk/openvas-plugins/scripts/gb_samba_root_file_sys_sec_vuln.nasl
trunk/openvas-plugins/scripts/secpod_ms08-067_900056.nasl
Log:
Added new plugins
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2009-11-04 14:48:34 UTC (rev 5794)
+++ trunk/openvas-plugins/ChangeLog 2009-11-04 19:13:20 UTC (rev 5795)
@@ -1,5 +1,21 @@
2009-11-04 Michael Meyer <michael.meyer at intevation.de>
+ * scripts/serv_u_36585.nasl,
+ scripts/samba_32494.nasl:
+ Added new plugins.
+
+ * scripts/gb_rhinosoft_serv-u_detect.nasl:
+ Added one more version check.
+
+ * scripts/gb_samba_root_file_sys_sec_vuln.nasl:
+ Try to get version from 'SMB/NativeLanManager' if
+ 'Samba/Version' is not set.
+
+ * scripts/secpod_ms08-067_900056.nasl:
+ Changed security_note() to log_message().
+
+2009-11-04 Michael Meyer <michael.meyer at intevation.de>
+
* scripts/sahana_detect.nasl,
scripts/sahana_36826.nasl,
scripts/mahara_multiple_vuln.nasl:
Modified: trunk/openvas-plugins/cve_current.txt
===================================================================
--- trunk/openvas-plugins/cve_current.txt 2009-11-04 14:48:34 UTC (rev 5794)
+++ trunk/openvas-plugins/cve_current.txt 2009-11-04 19:13:20 UTC (rev 5795)
@@ -237,3 +237,9 @@
35780 Greenbone svn R
CVE-2009-3826 SecPod svn L
CVE-2009-3700 SecPod svn L
+CVE-2009-3298 Greenbone svn R
+CVE-2009-3299 Greenbone svn R
+CVE-2009-3625 Greenbone svn R
+36585 Greenbone svn R
+32494 Greenbone svn R
+
Modified: trunk/openvas-plugins/scripts/gb_rhinosoft_serv-u_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_rhinosoft_serv-u_detect.nasl 2009-11-04 14:48:34 UTC (rev 5794)
+++ trunk/openvas-plugins/scripts/gb_rhinosoft_serv-u_detect.nasl 2009-11-04 19:13:20 UTC (rev 5795)
@@ -84,8 +84,42 @@
servuPort = 21;
}
- servuVer = ServuGetVer(su_port:servuPort, pat:pattern2);
- if(!isnull(servuVer[1])){
- set_kb_item(name:"Serv-U/FTP/Ver", value:servuVer[1]);
+ if(get_port_state(servuPort)) {
+
+ soc = open_sock_tcp(servuPort);
+
+ if (soc) {
+
+ banner = ftp_recv_line(socket:soc);
+
+ if("220 Serv-U" >< banner) {
+
+ req = string("CSID\r\n");
+ send(socket:soc, data:req);
+ buf = ftp_recv_line(socket:soc);
+
+ if(!isnull(buf)) {
+ if("200 Name=Serv-U" >< buf) {
+ version = eregmatch(string: buf, pattern:"Version=([^;]+);");
+ }
+ }
+
+ }
+
+ ftp_close(socket:soc);
+ }
}
+
+ if(!isnull(version[1])) {
+
+ set_kb_item(name:"Serv-U/FTP/Ver", value:version[1]);
+ set_kb_item(name:string("ftp/", servuPort, "/Serv-U"), value:version[1]);
+
+ } else {
+
+ servuVer = ServuGetVer(su_port:servuPort, pat:pattern2);
+ if(!isnull(servuVer[1])){ # This check is inaccurate for 9.x versions (Don't know about versions <9) but better then nothing. Version 9 Banner is "220 Serv-U FTP Server v9.0 ready..." while real version is 9.0.0.5.
+ set_kb_item(name:"Serv-U/FTP/Ver", value:servuVer[1]);
+ }
+ }
}
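Review bot: `version` is not cleared before the CSID probe, so the `if(!isnull(version[1]))` test after the socket block relies on nothing earlier in the script having assigned it. The enclosing block starts outside this hunk, so that cannot be confirmed from here; a `version = NULL;` ahead of `if(get_port_state(servuPort))` would make it explicit. The fallback branch still writes the coarse banner version into `Serv-U/FTP/Ver`, the same key that version range checks read, so a banner such as "v9.0" is later compared as if it were the full build number. Consider recording that the value is banner-derived, and move the long trailing comment on the `if(!isnull(servuVer[1])){` line onto its own line above the `ServuGetVer` call.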
Modified: trunk/openvas-plugins/scripts/gb_samba_root_file_sys_sec_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_samba_root_file_sys_sec_vuln.nasl 2009-11-04 14:48:34 UTC (rev 5794)
+++ trunk/openvas-plugins/scripts/gb_samba_root_file_sys_sec_vuln.nasl 2009-11-04 19:13:20 UTC (rev 5795)
@@ -68,7 +68,7 @@
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2009 Intevation GmbH");
script_family("Remote file access");
- script_dependencies("gb_samba_detect.nasl");
+ script_dependencies("smb_nativelanman.nasl","gb_samba_detect.nasl");
script_require_keys("Samba/Version");
exit(0);
}
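Review bot: `script_require_keys("Samba/Version")` is left in place next to the new `smb_nativelanman.nasl` dependency. If the scanner skips plugins whose required keys are missing, this script is not launched on exactly the hosts where `Samba/Version` is unset, and the `SMB/NativeLanManager` fallback added in the next hunk never runs. Dropping that line would let the fallback take effect, since the script body already exits when neither key yields a version. The description block starts outside this hunk.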
@@ -77,10 +77,21 @@
include("version_func.inc");
smbVer = get_kb_item("Samba/Version");
+
if(!smbVer){
- exit(0);
+ if(!lanman = get_kb_item("SMB/NativeLanManager"))exit(0);
+ if("Samba" >!< lanman)exit(0);
+ if(!version = eregmatch(pattern:"Samba ([0-9.]+)", string: lanman))exit(0);
+ if(isnull(version[1]))exit(0);
+ smbVer = version[1];
}
+if(!smbVer){
+ exit(0);
+}
+
if(version_in_range(version:smbVer, test_version:"3.2", test_version2:"3.2.6")){
security_warning(0);
}
+
+
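Review bot: The added `if(!smbVer){ exit(0); }` after the fallback block can never fire, because every failing step inside the block already calls `exit(0)`; it can be removed. The four lanman parsing lines are the same as those in the new samba_32494.nasl, so a shared helper in an include file would keep the two scripts in step. A comment such as `# Samba/Version not set: fall back to SMB/NativeLanManager` above the first `if(!smbVer){` would explain why two KB keys are consulted.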
Added: trunk/openvas-plugins/scripts/samba_32494.nasl
===================================================================
--- trunk/openvas-plugins/scripts/samba_32494.nasl 2009-11-04 14:48:34 UTC (rev 5794)
+++ trunk/openvas-plugins/scripts/samba_32494.nasl 2009-11-04 19:13:20 UTC (rev 5795)
@@ -0,0 +1,88 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Samba Arbitrary Memory Contents Information Disclosure Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100337);
+ script_bugtraq_id(32494);
+ script_cve_id("CVE-2008-4314");
+ script_version ("1.0-$Revision$");
+
+ script_name("Samba Arbitrary Memory Contents Information Disclosure Vulnerability");
+
+desc = "Overview:
+Samba is prone to an information-disclosure vulnerability.
+
+Successful exploits will allow attackers to obtain arbitrary
+memory contents.
+
+This issue affects Samba 3.0.29 through 3.2.4.
+
+Solution:
+Updates are available. Please see the references for more information.
+
+References:
+http://www.securityfocus.com/bid/32494
+http://www.samba.org
+http://support.avaya.com/elmodocs2/security/ASA-2009-014.htm
+http://sourceforge.net/project/shownotes.php?group_id=151951&release_id=503763
+http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=838290
+http://us1.samba.org/samba/security/CVE-2008-4314.html
+http://sunsolve.sun.com/search/document.do?assetkey=1-66-249087-1
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if Samba is prone to an information-disclosure vulnerability");
+ script_category(ACT_GATHER_INFO);
+ script_family("General");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("smb_nativelanman.nasl");
+ script_require_ports(139, 445);
+ script_require_keys("SMB/NativeLanManager");
+ exit(0);
+}
+
+include("version_func.inc");
+
+port = get_kb_item("SMB/transport");
+if(!port)port = 139;
+
+if(!get_port_state(port))exit(0);
+
+if(!lanman = get_kb_item("SMB/NativeLanManager"))exit(0);
+if("Samba" >!< lanman)exit(0);
+
+if(!version = eregmatch(pattern:"Samba ([0-9.]+)", string: lanman))exit(0);
+if(isnull(version[1]))exit(0);
+
+if(version_in_range(version:version[1], test_version:"3.0.29", test_version2: "3.2.4")) {
+ security_warning(port:port);
+ exit(0);
+}
+
+exit(0);
+
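Review bot: The verdict rests only on the version string in `SMB/NativeLanManager`, which the server reports about itself. Builds carrying a backported fix under an unchanged version number will be flagged, and a server that hides or alters the string will be missed. The `desc` text should say that the result is version-based, for example with a line `Note: this check relies on the reported Samba version only.` before `Risk factor`. The `exit(0);` inside the `version_in_range` branch is redundant with the one that ends the script, and `script_family("General")` differs from the `"Remote file access"` family used by gb_samba_root_file_sys_sec_vuln.nasl in this same commit.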
Property changes on: trunk/openvas-plugins/scripts/samba_32494.nasl
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Modified: trunk/openvas-plugins/scripts/secpod_ms08-067_900056.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms08-067_900056.nasl 2009-11-04 14:48:34 UTC (rev 5794)
+++ trunk/openvas-plugins/scripts/secpod_ms08-067_900056.nasl 2009-11-04 19:13:20 UTC (rev 5795)
@@ -112,7 +112,7 @@
{
close(soc);
report = string("MS08-067: Failed to perform Clear Text based authentication.");
- security_note(data:report, port:port);
+ log_message(data:report, port:port);
exit(0);
}
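Review bot: With the report moved to `log_message`, the text "MS08-067: Failed to perform Clear Text based authentication." no longer makes clear that the check stopped without a verdict, so a reader may take the missing finding as "not vulnerable". Consider wording it as `report = string("MS08-067: check not completed, Clear Text based authentication failed.");`. The enclosing block starts and ends outside this hunk.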
Added: trunk/openvas-plugins/scripts/serv_u_36585.nasl
===================================================================
--- trunk/openvas-plugins/scripts/serv_u_36585.nasl 2009-11-04 14:48:34 UTC (rev 5794)
+++ trunk/openvas-plugins/scripts/serv_u_36585.nasl 2009-11-04 19:13:20 UTC (rev 5795)
@@ -0,0 +1,99 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Serv-U 'SITE SET TRANSFERPROGRESS ON' Command Remote Denial of Service Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100338);
+ script_bugtraq_id(36585);
+ script_version ("1.0-$Revision$");
+
+ script_name("Serv-U 'SITE SET TRANSFERPROGRESS ON' Command Remote Denial of Service Vulnerability");
+
+desc = "Overview:
+Serv-U is prone to a remote denial-of-service vulnerability.
+
+Successfully exploiting this issue will allow attackers to deny
+service to legitimate users.
+
+Serv-U 7.0.0.1 through 8.2.0.3 are vulnerable; other versions may also
+be affected.
+
+Solution:
+The vendor has released an update. Please see the references
+for details.
+
+References:
+http://www.securityfocus.com/bid/36585
+http://www.serv-u.com/
+http://www.serv-u.com/releasenotes/
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if Serv-U is prone to a remote denial-of-service vulnerability");
+ script_category(ACT_GATHER_INFO);
+ script_family("FTP");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("gb_rhinosoft_serv-u_detect.nasl");
+ script_require_ports("Services/ftp", 21);
+ exit(0);
+}
+
+
+include("ftp_func.inc");
+include("version_func.inc");
+
+port = get_kb_item("Services/ftp");
+if(!port){
+ port = 21;
+}
+
+if(get_kb_item('ftp/'+port+'/broken'))exit(0);
+
+if(!get_port_state(port)){
+ exit(0);
+}
+
+if(!version = get_kb_item(string("ftp/", port, "/Serv-U"))) {
+ if(!version = get_kb_item(string("Serv-U/FTP/Ver"))) {
+ exit(0);
+ }
+}
+
+if(!isnull(version[1])) {
+ vers = version[1];
+}
+
+if(!isnull(vers)) {
+
+ if( version_in_range(version:vers, test_version:"7.0.0.1", test_version2:"8.2.0.3") ) {
+ security_warning(port: port);
+ exit(0);
+ }
+}
+
+exit(0);
+
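Review bot: `version[1]` in `if(!isnull(version[1]))` indexes into a plain string, not an `eregmatch` array. Both KB items are written by gb_rhinosoft_serv-u_detect.nasl with `value:version[1]` or `value:servuVer[1]`, so `get_kb_item` returns the version text itself. `vers` then holds at most a single character, and the `version_in_range` test against 7.0.0.1 to 8.2.0.3 cannot give a meaningful result. Replace that block with `vers = version;`. When only the `Serv-U/FTP/Ver` fallback is available, the value may be the coarse banner version that the detect script's own comment calls inaccurate, so the report text should say the match is banner-based.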
Property changes on: trunk/openvas-plugins/scripts/serv_u_36585.nasl
___________________________________________________________________
Name: svn:keywords
+ Id Revision