[Openvas-commits] r5348 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Thu Oct 1 12:15:32 CEST 2009


Author: chandra
Date: 2009-10-01 12:15:29 +0200 (Thu, 01 Oct 2009)
New Revision: 5348

Added:
   trunk/openvas-plugins/scripts/gb_apple_itunes_pls_file_bof_vuln_oct09.nasl
   trunk/openvas-plugins/scripts/secpod_an_image_gallery_dir_trav_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_an_image_gallery_xss_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_freesshd_detect.nasl
   trunk/openvas-plugins/scripts/secpod_freesshd_pre_auth_dos_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_ftpshell_client_detect.nasl
   trunk/openvas-plugins/scripts/secpod_ftpshell_client_pasv_bof_vuln.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/cve_current.txt
Log:
Added new plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2009-09-30 22:43:42 UTC (rev 5347)
+++ trunk/openvas-plugins/ChangeLog	2009-10-01 10:15:29 UTC (rev 5348)
@@ -1,3 +1,14 @@
+2009-10-01  Chandrashekhar B <bchandra at secpod.com>
+
+	* scripts/secpod_an_image_gallery_xss_vuln.nasl,
+	scripts/secpod_ftpshell_client_detect.nasl,
+	scripts/secpod_freesshd_pre_auth_dos_vuln.nasl,
+	scripts/secpod_ftpshell_client_pasv_bof_vuln.nasl,
+	scripts/secpod_freesshd_detect.nasl,
+	scripts/secpod_an_image_gallery_dir_trav_vuln.nasl,
+	scripts/gb_apple_itunes_pls_file_bof_vuln_oct09.nasl:
+	Added new plugins.
+
 2009-09-29  Thomas Reinke <reinke at securityspace.com>
 
 	* scripts/gb_apache_tomcat_xss_vuln.nasl:

Modified: trunk/openvas-plugins/cve_current.txt
===================================================================
--- trunk/openvas-plugins/cve_current.txt	2009-09-30 22:43:42 UTC (rev 5347)
+++ trunk/openvas-plugins/cve_current.txt	2009-10-01 10:15:29 UTC (rev 5348)
@@ -74,11 +74,18 @@
 CVE-2009-3327			SecPod
 CVE-2009-3330			SecPod
 CVE-2009-3369 			SecPod
-CVE-2009-2817 			SecPod
-CVE-2009-3366			SecPod
-CVE-2009-3367 			Secpod
-CVE-2009-3364 			SecPod
-CVE-2009-3340 			SecPod
+CVE-2009-2817 			SecPod		svn		L
+CVE-2009-3366			SecPod		svn		R
+CVE-2009-3367 			Secpod		svn		R
+CVE-2009-3364 			SecPod		svn		L
+CVE-2009-3340 			SecPod		svn		L
 CVE-2009-3431 			SecPod
 CVE-2009-3444 			SecPod
+CVE-2009-3455 			SecPod
+CVE-2009-3454 			SecPod
+CVE-2009-3456 			SecPod
+CVE-2009-3471			SecPod
+CVE-2009-3473			SecPod
+CVE-2009-3472 			SecPod
+CVE-2009-3478 			SecPod
 

Added: trunk/openvas-plugins/scripts/gb_apple_itunes_pls_file_bof_vuln_oct09.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_apple_itunes_pls_file_bof_vuln_oct09.nasl	2009-09-30 22:43:42 UTC (rev 5347)
+++ trunk/openvas-plugins/scripts/gb_apple_itunes_pls_file_bof_vuln_oct09.nasl	2009-10-01 10:15:29 UTC (rev 5348)
@@ -0,0 +1,86 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_apple_itunes_pls_file_bof_vuln_oct09.nasl 5062 2009-10-01 20:13:12Z oct $
+#
+# Apple iTunes '.pls' Files Buffer Overflow Vulnerability
+#
+# Authors:
+# Sharath S <sharaths at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801105);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-2817");
+  script_bugtraq_id(36478);
+  script_name("Apple iTunes '.pls' Files Buffer Overflow Vulnerability");
+  desc = "
+  Overview: This host has Apple iTunes installed, which is prone to Buffer
+  Overflow vulnerability.
+
+  Vulnerability Insight:
+  The flaw exists in the handling of specially crafted '.pls' files. It fails
+  to bounds-check user-supplied data before copying it into an insufficiently
+  sized buffer.
+
+  Impact:
+  Successful exploitation will let the attacker to execute arbitrary code within
+  the context of the affected application, failed exploit attempts will result in
+  a denial of service condition.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Apple iTunes version prior to 9.0.1 on Windows.
+
+  Fix: Upgrade to Apple iTunes Version 9.0.1
+  http://www.apple.com/itunes/download
+
+  References:
+  http://support.apple.com/kb/HT3884
+  http://lists.apple.com/archives/security-announce/2009/Sep/msg00006.html
+
+  CVSS Score:
+    CVSS Base Score     : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
+    CVSS Temporal Score : 6.9
+  Risk factor: High";
+
+  script_description(desc);
+  script_summary("Check for the version of Apple iTunes");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 Intevation GmbH");
+  script_family("Buffer overflow");
+  script_dependencies("secpod_apple_itunes_detection_win_900123.nasl");
+  script_require_keys("iTunes/Win/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+itunesVer = get_kb_item("iTunes/Win/Ver");
+if(!itunesVer){
+  exit(0);
+}
+
+# Check for iTunes version prior to 9.0.1 (9.0.1.8)
+if(version_is_less(version:itunesVer, test_version:"9.0.1.8")){
+  security_hole(0);
+}

Added: trunk/openvas-plugins/scripts/secpod_an_image_gallery_dir_trav_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_an_image_gallery_dir_trav_vuln.nasl	2009-09-30 22:43:42 UTC (rev 5347)
+++ trunk/openvas-plugins/scripts/secpod_an_image_gallery_dir_trav_vuln.nasl	2009-10-01 10:15:29 UTC (rev 5348)
@@ -0,0 +1,109 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_an_image_gallery_dir_trav_vuln.nasl 5060 2009-09-30 20:38:56Z sep $
+#
+# An Image Gallery Directory Traversal Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(901037);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-3366");
+  script_name("An Image Gallery Directory Traversal Vulnerability");
+  desc = "
+  Overview: This host is running An Image Gallery and is prone to Directory
+  Traversal vulnerability.
+
+  Vulnerability Insight:
+  Input passed to the 'path' parameter in 'navigation.php' is not properly
+  verified before being used to generate and display folder contents.
+
+  Impact:
+  Successful exploitation will let the attacker to gain information about
+  directory and file locations.
+
+  Impact Level: System/Application.
+
+  Affected Software/OS:
+  An Image Gallery version 1.0 and prior.
+
+  Fix:
+  No solution or patch is available as on 30th September, 2009. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://plohni.com/wb/content/php/Free_scripts.php
+
+  References:
+  http://secunia.com/advisories/36680
+  http://www.milw0rm.com/exploits/9636
+  http://xforce.iss.net/xforce/xfdb/53148
+
+  CVSS Score:
+    CVSS Base Score      : 5.0 (AV:N/AC:L/Au:NR/C:P/I:N/A:N)
+    CVSS Temporal Score  : 4.5
+  Risk factor: Medium";
+
+  script_description(desc);
+  script_summary("Check for the version of An Image Gallery");
+  script_category(ACT_MIXED_ATTACK);
+  script_copyright("Copyright (C) 2009 SecPod");
+  script_family("Web application abuses");
+  script_dependencies("find_service.nes");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+anPort = get_http_port(default:80);
+if(!anPort){
+  anPort = 80;
+}
+
+if(!get_port_state(anPort)){
+  exit(0);
+}
+
+if(safe_checks()){
+  exit(0);
+}
+
+foreach dir (make_list("/", "/image_gallery", "/gallery", "/album", cgi_dirs()))
+{
+  sndReq = http_get(item:string(dir + "/main.php"), port:anPort);
+  rcvRes = http_send_recv(port:anPort, data:sndReq);
+
+  if("An image gallery" >< rcvRes)
+  {
+    request = http_get(item:dir + "/navigation.php?path=../../../../../../../",
+                       port:anPort);
+    response = http_send_recv(port:anPort, data:request);
+
+    if(("WINDOWS" >< response) || ("root" >< response))
+    {
+      security_warning(anPort);
+      exit(0);
+    }
+  }
+}


Property changes on: trunk/openvas-plugins/scripts/secpod_an_image_gallery_dir_trav_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_an_image_gallery_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_an_image_gallery_xss_vuln.nasl	2009-09-30 22:43:42 UTC (rev 5347)
+++ trunk/openvas-plugins/scripts/secpod_an_image_gallery_xss_vuln.nasl	2009-10-01 10:15:29 UTC (rev 5348)
@@ -0,0 +1,108 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_an_image_gallery_xss_vuln.nasl 5060 2009-09-30 15:11:27Z sep $
+#
+# An Image Gallery Multiple Cross-Site Scripting Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(901038);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-3367");
+  script_name("An Image Gallery Multiple Cross-Site Scripting Vulnerability");
+  desc = "
+  Overview: The host is running An Image Gallery and is prone to Multiple
+  Cross-Site Scripting Vulnerability.
+
+  Vulnerability Insight:
+  Input passed to the 'path' parameter in 'index.php' and 'main.php' and to
+  the 'show' parameter in 'main.php' is not properly sanitised before being
+  returned to the user.
+
+  Impact:
+  Successful exploitation could allow remote attackers to execute arbitrary
+  HTML and script code in a user's browser session in the context of an
+  affected site.
+
+  Impact Level:System/Application.
+
+  Affected Software/OS:
+  An Image Gallery version 1.0 and prior.
+
+  Fix: No solution or patch is available as on 30th September, 2009. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://plohni.com/wb/content/php/Free_scripts.php
+
+  References:
+  http://secunia.com/advisories/36680
+
+  CVSS Score:
+    CVSS Base Score      : 4.3 (AV:N/AC:M/Au:NR/C:N/I:P/A:N)
+    CVSS Temporal Score  : 3.9
+  Risk factor: Medium";
+
+  script_description(desc);
+  script_summary("Check for the version of An Image Gallery");
+  script_category(ACT_MIXED_ATTACK);
+  script_copyright("Copyright (C) 2009 SecPod");
+  script_family("Web application abuses");
+  script_dependencies("find_service.nes");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+anPort = get_http_port(default:80);
+if(!anPort){
+  anPort = 80;
+}
+
+if(!get_port_state(anPort)){
+  exit(0);
+}
+
+if(safe_checks()){
+  exit(0);
+}
+
+foreach dir (make_list("/", "/image_gallery", "/gallery", "/album", cgi_dirs()))
+{
+  sndReq = http_get(item:string(dir + "/main.php"), port:anPort);
+  rcvRes = http_send_recv(port:anPort, data:sndReq);
+
+  if("An image gallery" >< rcvRes)
+  {
+    request = http_get(item:dir + "/main.php?show=<script>alert(Exploit-XSS)" +
+                                  "</script>",port:anPort);
+    response = http_send_recv(port:anPort, data:request);
+
+    if("Exploit-XSS" >< response)
+    {
+      security_warning(anPort);
+      exit(0);
+    }
+  }
+}

Added: trunk/openvas-plugins/scripts/secpod_freesshd_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_freesshd_detect.nasl	2009-09-30 22:43:42 UTC (rev 5347)
+++ trunk/openvas-plugins/scripts/secpod_freesshd_detect.nasl	2009-10-01 10:15:29 UTC (rev 5348)
@@ -0,0 +1,70 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_freesshd_detect.nasl 5058 2009-09-30 13:14:28Z sep $
+#
+# freeSSHd Version Detection
+#
+# Authors:
+# Nikita MR <rnikita at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(900959);
+  script_version("$Revision: 1.0 $");
+  script_name("freeSSHd Version Detection");
+  desc = "
+  Overview: This script detects the installed version of freeSSHd and sets
+  the reuslt in KB.
+
+  Risk Factor: Informational";
+
+  script_description(desc);
+  script_summary("Set KB for the version of freeSSHd");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 SecPod");
+  script_family("Service detection");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_keys("SMB/WindowsVersion");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
+
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+foreach item (registry_enum_keys(key:key))
+{
+  sshdName = registry_get_sz(key:key + item, item:"DisplayName");
+
+  if("freeSSHd" >< sshdName)
+  {
+    sshdVer = eregmatch(pattern:"freeSSHd ([0-9.]+)", string:sshdName);
+
+    if(!isnull(sshdVer[1])){
+      set_kb_item(name:"freeSSHd/Ver", value:sshdVer[1]);
+    }
+  }
+}


Property changes on: trunk/openvas-plugins/scripts/secpod_freesshd_detect.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_freesshd_pre_auth_dos_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_freesshd_pre_auth_dos_vuln.nasl	2009-09-30 22:43:42 UTC (rev 5347)
+++ trunk/openvas-plugins/scripts/secpod_freesshd_pre_auth_dos_vuln.nasl	2009-10-01 10:15:29 UTC (rev 5348)
@@ -0,0 +1,86 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_freesshd_pre_auth_dos_vuln.nasl 5058 2009-09-30 15:01:39Z sep $
+#
+# freeSSHd Pre-Authentication Error Remote DoS Vulnerability
+#
+# Authors:
+# Nikita MR <rnikita at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+################################################################################
+
+if(description)
+{
+  script_id(900960);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-3340");
+  script_bugtraq_id(36235);
+  script_name("freeSSHd Pre-Authentication Error Remote DoS Vulnerability");
+  desc = "
+  Overview: This host has freeSSHd installed and is prone to Denial of Service
+  vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to an unspecified pre-authentication error.
+
+  Impact:
+  Successful attack could allow attackers to crash application to cause
+  denial of service.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  freeSSHd version 1.2.4 and prior.
+
+  Fix: No solution or patch is available as on 30th September, 2009. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.freesshd.com/
+
+  References:
+  http://intevydis.com/vd-list.shtml
+  http://www.intevydis.com/blog/?p=57
+  http://secunia.com/advisories/36506
+  http://securitytracker.com/alerts/2009/Sep/1022811.html
+
+  CVSS Score:
+    CVSS Base Score     : 5.0 (AV:N/AC:L/Au:NR/C:N/I:N/A:P)
+    CVSS Temporal Score : 4.5
+  Risk factor: Medium";
+
+  script_description(desc);
+  script_summary("Check for the version of freeSSHd");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 SecPod");
+  script_family("Denial of Service");
+  script_dependencies("secpod_freesshd_detect.nasl");
+  script_require_keys("freeSSHd/Ver");
+  script_require_ports("Services/ssh", 22);
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+sshdVer = get_kb_item("freeSSHd/Ver");
+if(sshdVer)
+{
+  # Grep for freeSSHd version 1.2.4 and prior
+  if(version_is_less_equal(version:sshdVer, test_version:"1.2.4")){
+    security_warning(sshdPort);
+  }
+}


Property changes on: trunk/openvas-plugins/scripts/secpod_freesshd_pre_auth_dos_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_ftpshell_client_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ftpshell_client_detect.nasl	2009-09-30 22:43:42 UTC (rev 5347)
+++ trunk/openvas-plugins/scripts/secpod_ftpshell_client_detect.nasl	2009-10-01 10:15:29 UTC (rev 5348)
@@ -0,0 +1,97 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ftpshell_client_detect.nasl 5061 2009-09-30 16:54:10Z sep $
+#
+# FTPShell Client Version Detection
+#
+# Authors:
+# Nikita MR <rnikita at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(900961);
+  script_version("$Revision: 1.0$");
+  script_name("FTPShell Client Version Detection");
+  desc = "
+  Overview: This script detects the installed version of FTPShell Client
+  and sets the result in KB.
+
+  Risk factor: Informational";
+
+  script_description(desc);
+  script_summary("Set the KB for the version of FTPShell Client");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 SecPod");
+  script_family("Service detection");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_keys("SMB/WindowsVersion");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
+
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+
+foreach item (registry_enum_keys(key:key))
+{
+  fclntName = registry_get_sz(key:key + item, item:"DisplayName");
+
+  if("FTPShell Client" >< fclntName)
+  {
+    fclntPath = registry_get_sz(key:key + item, item:"UninstallString");
+    fclntPath = ereg_replace(pattern:'\"(.*)\"',replace:"\1",string:fclntPath);
+    fclntPath = fclntPath - 'unins000.exe' + 'readme.txt';
+
+    if(isnull(fclntPath)){
+      exit(0);
+    }
+
+    share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:fclntPath);
+    file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:fclntPath);
+    readmeText = read_file(share:share, file:file, offset:0, count:500);
+
+    if(readmeText)
+    {
+      shellVer = eregmatch(pattern:"Version +: ([0-9.]+).?([a-zA-Z]+.?[0-9]+)?",
+                           string:readmeText);
+      if(!isnull(shellVer[1]))
+      {
+        if(!isnull(shellVer[2]))
+        {
+          shellVer[2] = ereg_replace(pattern:" ",string:shellVer[2],replace:"");
+          shellVer = shellVer[1] + "." + shellVer[2];
+        }
+        else
+           shellVer = shellVer[1];
+
+        if(shellVer){
+          set_kb_item(name:"FTPShell/Client/Ver", value:shellVer);
+        }
+      }
+    }
+  }
+}


Property changes on: trunk/openvas-plugins/scripts/secpod_ftpshell_client_detect.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_ftpshell_client_pasv_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ftpshell_client_pasv_bof_vuln.nasl	2009-09-30 22:43:42 UTC (rev 5347)
+++ trunk/openvas-plugins/scripts/secpod_ftpshell_client_pasv_bof_vuln.nasl	2009-10-01 10:15:29 UTC (rev 5348)
@@ -0,0 +1,83 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ftpshell_client_pasv_bof_vuln.nasl 5061 2009-09-30 16:18:42Z sep $
+#
+# FTPShell Client PASV Command Buffer Overflow Vulnerability
+#
+# Authors:
+# Nikita MR <rnikita at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(900962);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-3364");
+  script_bugtraq_id(36327);
+  script_name("FTPShell Client PASV Command Buffer Overflow Vulnerability");
+  desc = "
+  Overview: This host is running FTPShell Client and is prone to Buffer
+  Overflow vulnerability.
+
+  Vulnerability Insight:
+  A buffer overflow error occurs due to improper bounds checking when handling
+  overly long PASV messages sent by the server.
+
+  Impact:
+  Successful exploitation will let the user execute arbitrary code and crash
+  the application to cause denial of service.
+
+  Affected Software/OS:
+  FTPShell Client 4.1 RC2 and prior.
+
+  Fix: No solution or patch is available as on 30th September, 2009. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.ftpshell.com/
+
+  References:
+  http://secunia.com/advisories/36628
+  http://www.milw0rm.com/exploits/9613
+  http://xforce.iss.net/xforce/xfdb/53126
+
+  CVSS Score:
+    CVSS Base Score     : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
+    CVSS Temporal Score : 8.4
+  Risk factor: Critical";
+
+  script_description(desc);
+  script_summary("Check for the version of FTPShell Client");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 SecPod");
+  script_family("Buffer overflow");
+  script_dependencies("secpod_ftpshell_client_detect.nasl");
+  script_require_keys("FTPShell/Client/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+shellVer = get_kb_item("FTPShell/Client/Ver");
+if(isnull(shellVer)){
+  exit(0);
+}
+
+if(version_is_less_equal(version:shellVer, test_version:"4.1.RC2")){
+  security_hole(0);
+}


Property changes on: trunk/openvas-plugins/scripts/secpod_ftpshell_client_pasv_bof_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *



More information about the Openvas-commits mailing list