[Openvas-commits] r5854 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Fri Nov 13 12:21:27 CET 2009


Author: mime
Date: 2009-11-13 12:21:24 +0100 (Fri, 13 Nov 2009)
New Revision: 5854

Added:
   trunk/openvas-plugins/scripts/cups_36958.nasl
   trunk/openvas-plugins/scripts/novell_edirectory_37009.nasl
   trunk/openvas-plugins/scripts/xm_easy_ftp_37008.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/cve_current.txt
   trunk/openvas-plugins/scripts/gallarific_28163.nasl
   trunk/openvas-plugins/scripts/ike-scan.nasl
   trunk/openvas-plugins/scripts/remote-MS00-006.nasl
   trunk/openvas-plugins/scripts/remote-MS00-058.nasl
   trunk/openvas-plugins/scripts/secpod_ms09-050-remote.nasl
   trunk/openvas-plugins/scripts/secpod_xitami_server_detect.nasl
Log:
Added new plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2009-11-13 11:19:11 UTC (rev 5853)
+++ trunk/openvas-plugins/ChangeLog	2009-11-13 11:21:24 UTC (rev 5854)
@@ -1,3 +1,18 @@
+2009-11-13 Michael Meyer <michael.meyer at intevation.de>
+
+	* scripts/novell_edirectory_37009.nasl,
+	scripts/cups_36958.nasl,
+	scripts/xm_easy_ftp_37008.nasl:
+	Added new plugins.
+
+	* scripts/gallarific_28163.nasl,
+	scripts/secpod_ms09-050-remote.nasl,
+	scripts/remote-MS00-006.nasl,
+	scripts/remote-MS00-058.nasl,
+	scripts/secpod_xitami_server_detect.nasl,
+	scripts/ike-scan.nasl:
+	Small Bugfixes.
+
 2009-11-13  Felix Wolfsteller <felix.wolfseller at intevation.de>
 
 	* scripts/secpod_ms08-043_900028.nasl: Fixed typos, set svn revision

Modified: trunk/openvas-plugins/cve_current.txt
===================================================================
--- trunk/openvas-plugins/cve_current.txt	2009-11-13 11:19:11 UTC (rev 5853)
+++ trunk/openvas-plugins/cve_current.txt	2009-11-13 11:21:24 UTC (rev 5854)
@@ -256,3 +256,7 @@
 CVE-2009-3466			SecPod		svn		L
 CVE-2009-3852			SecPod		svn		L
 CVE-2009-3878			SecPod		svn		L
+37009				Greenbone	svn		R
+CVE-2009-2820			Greenbone	svn		R
+37008				Greenbone	svn		R
+36969				Greenbone	svn		R

Added: trunk/openvas-plugins/scripts/cups_36958.nasl
===================================================================
--- trunk/openvas-plugins/scripts/cups_36958.nasl	2009-11-13 11:19:11 UTC (rev 5853)
+++ trunk/openvas-plugins/scripts/cups_36958.nasl	2009-11-13 11:21:24 UTC (rev 5854)
@@ -0,0 +1,93 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# CUPS 'kerberos' Parameter Cross Site Scripting Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100344);
+ script_bugtraq_id(36958);
+ script_cve_id("CVE-2009-2820");
+ script_version ("1.0-$Revision$");
+
+ script_name("CUPS 'kerberos' Parameter Cross Site Scripting Vulnerability");
+
+desc = "Overview:
+CUPS is prone to a cross-site scripting vulnerability because the
+application fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code
+in the browser of an unsuspecting user in the context of the affected
+site. This may let the attacker steal cookie-based authentication
+credentials and launch other attacks.
+
+Note: This vulnerability was originally reported in BID 36956 (Apple
+      Mac OS X 2009-006 Multiple Security Vulnerabilities), but has
+      been given its own record to better document it.
+
+This issue affects CUPS versions prior to 1.4.2.
+
+Solution:
+Updates are available. Please see the references for more information.
+
+References:
+http://www.securityfocus.com/bid/36958
+http://www.cups.org/articles.php?L590
+http://www.cups.org
+http://www.cups.org/str.php?L3367
+http://sunsolve.sun.com/search/document.do?assetkey=1-66-271169-1
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if Cups version is < 1.4.2");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("secpod_cups_detect.nasl");
+ script_require_ports("Services/www", 631);
+ exit(0);
+}
+
+include("http_func.inc");
+include("version_func.inc");
+
+cupsPort = get_http_port(default:631);
+if(!cupsPort){
+  exit(0);
+}
+
+cupsVer = get_kb_item("www/"+ cupsPort + "/CUPS");
+if(!cupsVer){
+  exit(0);
+}
+
+if(cupsVer != NULL)
+{
+  # Check for CUPS version < 1.4.2
+  if(version_is_less(version:cupsVer, test_version:"1.4.2")){
+    security_warning(cupsPort);
+  }
+}
+
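Review bot: The guard `if(cupsVer != NULL)` wrapping the version comparison can never be false, because `if(!cupsVer){ exit(0); }` a few lines earlier already leaves the script for an empty or null value; the comparison can sit at top level as `if(version_is_less(version:cupsVer, test_version:"1.4.2")){ security_warning(cupsPort); }`. The KB key `www/<port>/CUPS` is presumably populated by the `secpod_cups_detect.nasl` dependency declared in the description block, and a one-line comment above the `get_kb_item` call naming that source would save the next maintainer a search, e.g. `# version string is set by secpod_cups_detect.nasl`.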


Property changes on: trunk/openvas-plugins/scripts/cups_36958.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Modified: trunk/openvas-plugins/scripts/gallarific_28163.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gallarific_28163.nasl	2009-11-13 11:19:11 UTC (rev 5853)
+++ trunk/openvas-plugins/scripts/gallarific_28163.nasl	2009-11-13 11:21:24 UTC (rev 5854)
@@ -79,7 +79,7 @@
    
   url =  string(dir,'/search.php?dosearch=true&query="><script>alert(document.cookie)</script>'); 
   req = http_get(item:url, port:port);
-  buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);  
+  buf = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);  
   if( buf == NULL )continue;
 
   if(egrep(pattern: "<script>alert\(document\.cookie\)</script>", string: buf, icase: TRUE)) {
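Review bot: Switching to `bodyonly:TRUE` removes the status line from `buf`, so the `egrep` match on the next line can no longer be qualified by the HTTP response code, and an error page that echoes the query string back unescaped would match exactly like a real reflection. If ignoring the status is intended, a comment stating why would help, e.g. `# bodyonly: keep HTTP headers out of the reflected-payload match`; otherwise keep the headers and require a 200 response before matching. The enclosing loop starts and ends outside this hunk.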

Modified: trunk/openvas-plugins/scripts/ike-scan.nasl
===================================================================
--- trunk/openvas-plugins/scripts/ike-scan.nasl	2009-11-13 11:19:11 UTC (rev 5853)
+++ trunk/openvas-plugins/scripts/ike-scan.nasl	2009-11-13 11:21:24 UTC (rev 5854)
@@ -85,7 +85,7 @@
 
 if (!find_in_path("ike-scan"))
 {
-	set_kb_item(name:"/tmp/UnableToRun/80000", value:true);
+	set_kb_item(name:"/tmp/UnableToRun/80000", value:TRUE);
 	exit(0);
 }
 

Added: trunk/openvas-plugins/scripts/novell_edirectory_37009.nasl
===================================================================
--- trunk/openvas-plugins/scripts/novell_edirectory_37009.nasl	2009-11-13 11:19:11 UTC (rev 5853)
+++ trunk/openvas-plugins/scripts/novell_edirectory_37009.nasl	2009-11-13 11:21:24 UTC (rev 5854)
@@ -0,0 +1,134 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Novell eDirectory '/dhost/modules?I:' Buffer Overflow Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100343);
+ script_bugtraq_id(37009);
+ script_version ("1.0-$Revision$");
+
+ script_name("Novell eDirectory '/dhost/modules?I:' Buffer Overflow Vulnerability");
+
+desc = "Overview:
+Novell eDirectory is prone to a buffer-overflow vulnerability
+because it fails to perform adequate boundary checks on user-
+supplied data.
+
+Attackers can exploit this issue to execute arbitrary code in the
+context of the affected application. Failed exploit attempts will
+likely cause denial-of-service conditions.
+
+Novell eDirectory 8.8 SP5 is vulnerable; other versions may also
+be affected.
+
+References:
+http://www.securityfocus.com/bid/37009
+http://www.novell.com/products/edirectory/
+http://www.securityfocus.com/archive/1/507812
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if Novell eDirectory is prone to a buffer-overflow vulnerability");
+ script_category(ACT_GATHER_INFO);
+ script_family("Buffer overflow");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("novell_edirectory_detect.nasl");
+ script_require_ports("Services/ldap", 389);
+ exit(0);
+}
+
+port = get_kb_item("Services/ldap");
+if(!port)exit(0);
+if(!get_port_state(port))exit(0);
+
+if(!version = get_kb_item(string("ldap/", port, "/eDirectory")))exit(0);
+if(!isnull(version)) {
+
+  versions = split(version,sep: " ", keep:FALSE);
+
+  if(!isnull(versions[0])) {
+     major = versions[0];
+  } else {
+     exit(0);
+  }  
+
+  if(!isnull(versions[1])) {
+     if("SP" >< versions[1]) {
+       sp = versions[1];
+       sp -= "SP";
+       sp = int(sp);
+     } else {
+       revision = versions[1];
+     }   
+  }
+
+  if(sp && !isnull(versions[2])) {
+     revision = versions[2];
+  }  
+
+  if(revision) {
+   revision -= "(";
+   revision -= ")";
+   revision -= ".";
+   revision = int(revision);
+  }
+
+   if(major == "8.8") { 
+     if(sp && sp > 0) {
+       if(sp == 5) { 
+         if(!revision) {
+           VULN = TRUE;
+         }  
+       }
+       if(sp < 5 ) { 
+         VULN = TRUE;
+       }
+     } else {
+       VULN = TRUE;
+     }
+   }  
+   else if(major == "8.8.1") {
+       VULN = TRUE;
+   }
+   else if(major == "8.8.2") {
+    if(!revision && !sp) {
+       VULN = TRUE;
+    }  
+  }   
+}
+
+if(VULN) {
+   security_warning(port:port);
+   exit(0);
+}
+
+exit(0);
+
+
+
+
+
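Review bot: `if(!isnull(version))` directly after `if(!version = get_kb_item(...))exit(0);` can never be false, and `if(sp && sp > 0)` repeats its own truth test; both can be dropped so the version parsing reads at top level. More importantly, the `8.8` branch treats any non-empty revision on SP5 as patched (`if(sp == 5) { if(!revision) { VULN = TRUE; } }`), which presumably means a build whose revision predates the fix is also reported as not vulnerable, and the fixed revision is not named anywhere in the file. Majors other than 8.8, 8.8.1 and 8.8.2 fall through silently, so a comment stating which builds the test considers fixed, e.g. `# 8.8 SP5: only builds without a patch revision are flagged; 8.8.3 and later are not checked`, would document that choice.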


Property changes on: trunk/openvas-plugins/scripts/novell_edirectory_37009.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Modified: trunk/openvas-plugins/scripts/remote-MS00-006.nasl
===================================================================
--- trunk/openvas-plugins/scripts/remote-MS00-006.nasl	2009-11-13 11:19:11 UTC (rev 5853)
+++ trunk/openvas-plugins/scripts/remote-MS00-006.nasl	2009-11-13 11:21:24 UTC (rev 5854)
@@ -86,6 +86,8 @@
 	foreach asp_file (pages)
 	{
 		soc = open_sock_tcp(port);
+		if(!soc)continue;
+
 		req = http_get( item:string("/null.htw?CiWebHitsFile=/" + asp_file + "%20&CiRestriction=none&CiHiliteType=Full"), port:port);
 		send(socket:soc, data: req);
 

Modified: trunk/openvas-plugins/scripts/remote-MS00-058.nasl
===================================================================
--- trunk/openvas-plugins/scripts/remote-MS00-058.nasl	2009-11-13 11:19:11 UTC (rev 5853)
+++ trunk/openvas-plugins/scripts/remote-MS00-058.nasl	2009-11-13 11:21:24 UTC (rev 5854)
@@ -88,6 +88,7 @@
 	foreach asp_file (pages)
 	{
 		soc = open_sock_tcp(port);
+		if(!soc)continue;
 		
 		qry = string('GET /' + asp_file + ' HTTP/1.0\r\n',
  			  'Host: ' + h_ip + ':' + port + '\r\n',

Modified: trunk/openvas-plugins/scripts/secpod_ms09-050-remote.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms09-050-remote.nasl	2009-11-13 11:19:11 UTC (rev 5853)
+++ trunk/openvas-plugins/scripts/secpod_ms09-050-remote.nasl	2009-11-13 11:21:24 UTC (rev 5854)
@@ -105,8 +105,10 @@
 # '0xfe' -> SMBv2 - Windows Server at enterprise (2008), SP
 #  After applying patch, strlen(resp) is > 77
 
-if(ord(resp[4]) == 255 && ord(resp[5]) == 83 && ord(resp[6]) == 77 && ord(resp[7]) == 66 &&
-   ord(resp[8]) == 114 && strlen(resp) == 77){
-  security_hole(port);
-}
+if(resp) {
+  if(ord(resp[4]) == 255 && ord(resp[5]) == 83 && ord(resp[6]) == 77 && ord(resp[7]) == 66 &&
+     ord(resp[8]) == 114 && strlen(resp) == 77){
+    security_hole(port);
+  }
+}  
 close(soc);
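Review bot: The new `if(resp)` wrapper still evaluates `ord(resp[4])` through `ord(resp[8])` before `strlen(resp) == 77` is tested, so a short but non-empty response attempts to index past the end of the string before the length check would have rejected it. Putting the length test first lets short-circuit evaluation protect the indexing: `if(strlen(resp) == 77 && ord(resp[4]) == 255 && ord(resp[5]) == 83 && ord(resp[6]) == 77 && ord(resp[7]) == 66 && ord(resp[8]) == 114){`, after which the outer `if(resp)` is redundant. `resp` is assigned outside this hunk.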

Modified: trunk/openvas-plugins/scripts/secpod_xitami_server_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_xitami_server_detect.nasl	2009-11-13 11:19:11 UTC (rev 5853)
+++ trunk/openvas-plugins/scripts/secpod_xitami_server_detect.nasl	2009-11-13 11:21:24 UTC (rev 5854)
@@ -60,6 +60,8 @@
 }
 
 soc = open_sock_tcp(wwwPort);
+if(!soc)exit(0);
+
 req = string("GET /\r\n\r\n", "Host: ", get_host_name(), "\r\n");
 send(socket:soc, data:req);
 rcvRes = http_recv(socket:soc);
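Review bot: In the request built right after the added socket check, `"GET /\r\n\r\n"` already terminates the request before the `Host:` header is appended, so the header arrives after the blank line and is never part of the request the server parses. If the `Host` header is intended (it matters for name-based virtual hosts), the request line needs a version and the terminator must follow the header: `req = string("GET / HTTP/1.0\r\n", "Host: ", get_host_name(), "\r\n\r\n");`. If a bare HTTP/0.9 request is what the detection relies on, drop the `Host` part instead and say so in a comment, e.g. `# bare HTTP/0.9 request on purpose`. The response handling continues outside this hunk.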

Added: trunk/openvas-plugins/scripts/xm_easy_ftp_37008.nasl
===================================================================
--- trunk/openvas-plugins/scripts/xm_easy_ftp_37008.nasl	2009-11-13 11:19:11 UTC (rev 5853)
+++ trunk/openvas-plugins/scripts/xm_easy_ftp_37008.nasl	2009-11-13 11:21:24 UTC (rev 5854)
@@ -0,0 +1,139 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# XM Easy Personal FTP Server 'NLST' Command Remote Denial of Service Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100342);
+ script_bugtraq_id(37008,36969);
+ script_version ("1.0-$Revision$");
+
+ script_name("XM Easy Personal FTP Server 'NLST' Command Remote Denial of Service Vulnerability");
+
+desc = "Overview:
+XM Easy Personal FTP Server is prone to a remote denial-of-service
+vulnerability.
+
+This issue allows remote attackers to crash affected FTP servers,
+denying service to legitimate users.
+
+XM Easy Personal FTP Server 5.8.0 is vulnerable; other versions may
+also be affected.
+
+References:
+http://www.securityfocus.com/bid/37008
+http://www.securityfocus.com/bid/36969
+http://www.securityfocus.com/archive/1/507785
+http://www.dxm2008.com/
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if XM Easy Personal FTP Server is prone to a remote denial-of-service vulnerability");
+ script_category(ACT_GATHER_INFO);
+ script_family("FTP");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes","secpod_ftp_anonymous.nasl","ftpserver_detect_type_nd_version.nasl");
+ script_require_ports("Services/ftp", 21);
+ exit(0);
+}
+
+include("ftp_func.inc");
+include("version_func.inc");
+
+ftpPort = get_kb_item("Services/ftp");
+if(!ftpPort){
+  ftpPort = 21;
+}
+
+if(get_kb_item('ftp/'+port+'/broken'))exit(0);
+
+if(!get_port_state(ftpPort)){
+  exit(0);
+}
+
+if(safe_checks()) {
+
+ if( ! banner = get_ftp_banner(port:ftpPort)) exit(0);
+ if(egrep(pattern: "Welcome to DXM's FTP Server", string:banner)) {
+
+   version = eregmatch(pattern: "Welcome to DXM's FTP Server ([0-9.]+)", string: banner); 
+
+   if( ! isnull(version[1])) {
+     if(version_is_equal(version: version[1], test_version: "5.8.0")) {
+       security_warning(port:ftpPort);
+       exit(0);
+     }  
+   }
+ }
+
+} else {
+
+  soc1 = open_sock_tcp(ftpPort);
+  if(!soc1){
+    exit(0);
+  }
+
+  domain = get_kb_item("Settings/third_party_domain");
+  if(isnull(domain)) {
+   domain = this_host_name();;
+  }
+
+  user = get_kb_item("ftp/login");
+  pass = get_kb_item("ftp/password");
+
+  if(!user)user = "anonymous";
+  if(!pass)pass = string("openvas@", domain);;
+
+  login_details = ftp_log_in(socket:soc1, user:user, pass:pass);
+  if(login_details)
+  {
+    ftpPort2 = ftp_get_pasv_port(socket:soc1);
+    if(ftpPort2)
+    {
+      soc2 = open_sock_tcp(ftpPort2, transport:get_port_transport(ftpPort));
+      if(soc2)
+      {
+        bo_data = string("NLST ", crap(length: 100000, data:"A"));
+        send(socket:soc1, data:bo_data);
+        close(soc2);
+        close(soc1);
+
+        sleep(2);       
+
+        soc3 = open_sock_tcp(ftpPort);
+
+        if( ! ftp_recv_line(socket:soc3) )
+        {
+          security_warning(port:ftpPort);
+    	  close(soc3);
+          exit(0);
+        }
+      }
+    }
+  }
+}
+exit(0);
+ 
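Review bot: `port` is never assigned in this script — the broken-FTP check `if(get_kb_item('ftp/'+port+'/broken'))exit(0);` builds its key from an empty value while every other line uses `ftpPort`, so it should read `if(get_kb_item('ftp/'+ftpPort+'/broken'))exit(0);`. The non-safe branch deliberately sends a service-crashing command yet the script is registered as `ACT_GATHER_INFO`; a category such as `ACT_MIXED_ATTACK` (or `ACT_DENIAL`) lets the scanner schedule it after the information-gathering phase and honour the host's safe-checks policy. In the verification step, `soc3` is handed to `ftp_recv_line` without a null check and is never closed when a banner does come back, so the non-vulnerable path leaks the socket; the rewrite below makes both outcomes explicit. The stray `;;` after `this_host_name()` and after `string("openvas@", domain)` are harmless but should be single semicolons.
```nasl
        # … unchanged: NLST payload sent on soc1, soc1/soc2 closed, sleep(2) …
        soc3 = open_sock_tcp(ftpPort);
        if( ! soc3 || ! ftp_recv_line(socket:soc3) )
        {
          # no reconnect or no banner after the oversized command
          security_warning(port:ftpPort);
          if(soc3) close(soc3);
          exit(0);
        }
        close(soc3);
```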


Property changes on: trunk/openvas-plugins/scripts/xm_easy_ftp_37008.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision


