[Openvas-commits] r5407 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Tue Oct 6 18:45:46 CEST 2009


Author: mime
Date: 2009-10-06 18:45:43 +0200 (Tue, 06 Oct 2009)
New Revision: 5407

Added:
   trunk/openvas-plugins/scripts/FtpXQ_36391.nasl
   trunk/openvas-plugins/scripts/flatpress_36543.nasl
   trunk/openvas-plugins/scripts/flatpress_detect.nasl
   trunk/openvas-plugins/scripts/showmount.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/cve_current.txt
   trunk/openvas-plugins/scripts/ms_smb2_highid.nasl
Log:
Added new plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2009-10-06 15:09:37 UTC (rev 5406)
+++ trunk/openvas-plugins/ChangeLog	2009-10-06 16:45:43 UTC (rev 5407)
@@ -1,3 +1,17 @@
+2009-10-06  Michael Meyer <michael.meyer at intevation.de>
+
+	* scripts/flatpress_36543.nasl,
+	scripts/FtpXQ_36391.nasl,
+	scripts/flatpress_detect.nasl:
+	Added new plugins.
+
+	* scripts/ms_smb2_highid.nasl:
+	Changed script_category to ACT_KILL_HOST. Removed unneeded
+	dependencies.
+
+	* scripts/showmount.nasl:
+	Added plugin developed by LSS Security Team.
+
 2009-10-06  Chandrashekhar B <bchandra at secpod.com>
 
 	* scripts/wmi_rsop.inc:

Modified: trunk/openvas-plugins/cve_current.txt
===================================================================
--- trunk/openvas-plugins/cve_current.txt	2009-10-06 15:09:37 UTC (rev 5406)
+++ trunk/openvas-plugins/cve_current.txt	2009-10-06 16:45:43 UTC (rev 5407)
@@ -109,5 +109,6 @@
 CVE-2009-3510			SecPod
 CVE-2009-3541			SecPod
 CVE-2009-3484			SecPod
+36543				Greenbone	svn		R
+36391				Greenbone	svn		R
 
-

Added: trunk/openvas-plugins/scripts/FtpXQ_36391.nasl
===================================================================
--- trunk/openvas-plugins/scripts/FtpXQ_36391.nasl	2009-10-06 15:09:37 UTC (rev 5406)
+++ trunk/openvas-plugins/scripts/FtpXQ_36391.nasl	2009-10-06 16:45:43 UTC (rev 5407)
@@ -0,0 +1,88 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# DataWizard FtpXQ Remote Denial of Service Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100293);
+ script_bugtraq_id(36391);
+ script_version ("1.0-$Revision$");
+
+ script_name("DataWizard FtpXQ Remote Denial of Service Vulnerability");
+
+desc = "Overview:
+FtpXQ is prone to a remote denial-of-service vulnerability.
+
+Remote attackers can cause the affected server to stop responding,
+denying service to legitimate users.
+
+FtpXQ 3.0 is vulnerable; other versions may also be affected.
+
+References:
+http://www.securityfocus.com/bid/36391
+http://www.datawizard.net
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if FtpXQ version is 3.0");
+ script_category(ACT_GATHER_INFO);
+ script_family("FTP");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes","secpod_ftp_anonymous.nasl","ftpserver_detect_type_nd_version.nasl");
+ script_require_ports("Services/ftp", 21);
+ exit(0);
+}
+
+include("ftp_func.inc");
+include("version_func.inc");
+
+port = get_kb_item("Services/ftp");
+if(!port){
+  port = 21;
+}
+
+if(get_kb_item('ftp/'+port+'/broken'))exit(0);
+
+if(!get_port_state(port)){
+  exit(0);
+}
+
+if(!banner = get_ftp_banner(port:port))exit(0);
+
+if("FtpXQ" >!< banner)exit(0);
+
+version = eregmatch(string: banner, pattern:"Version ([0-9.]+)");
+
+if(!isnull(version[1])) {
+ if(version_is_equal(version: version[1], test_version: "3.0")) {
+  security_warning(port:port);
+ }
+}   
+
+
+exit(0); 
+
+     
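Review bot: The description string assigned to `desc` has no Solution section, unlike the flatpress_36543 plugin added in the same commit, so a user reading the report gets the risk and references but no remediation guidance; even a `Solution:` paragraph stating that no vendor fix is known, or pointing to the vendor page already listed under References, would close that gap. The check also only fires for an exact `version_is_equal(... test_version: "3.0")` match while the text says other versions may be affected, which is a defensible choice but worth a one-line comment above the comparison such as `# only 3.0 is confirmed; other versions are not flagged`. The closing lines `}   `, `exit(0); ` and the final indented blank line carry trailing whitespace that should be stripped.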


Property changes on: trunk/openvas-plugins/scripts/FtpXQ_36391.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/flatpress_36543.nasl
===================================================================
--- trunk/openvas-plugins/scripts/flatpress_36543.nasl	2009-10-06 15:09:37 UTC (rev 5406)
+++ trunk/openvas-plugins/scripts/flatpress_36543.nasl	2009-10-06 16:45:43 UTC (rev 5407)
@@ -0,0 +1,92 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# FlatPress 'userid' Parameter Local File Include Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100295);
+ script_bugtraq_id(36543);
+ script_version ("1.0-$Revision$");
+
+ script_name("FlatPress 'userid' Parameter Local File Include Vulnerability");
+
+desc = "Overview:
+FlatPress is prone to a local file-include vulnerability because it
+fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially
+sensitive information and execute arbitrary local scripts in the
+context of the webserver process. This may allow the attacker to
+compromise the application and the underlying computer; other attacks
+are also possible.
+
+FlatPress 0.804 through 0.812.1 are vulnerable.
+
+Solution:
+The vendor has released an update. Please see the references
+for details.
+
+References:
+http://www.securityfocus.com/bid/36543
+https://sourceforge.net/project/shownotes.php?group_id=157089&release_id=628765
+http://www.securityfocus.com/archive/1/506816
+
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if FlatPress is prone to a local file-include vulnerability");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("flatpress_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if(!can_host_php(port:port)) exit(0);
+
+if(!version = get_kb_item(string("www/", port, "/flatpress")))exit(0);
+if(!matches = eregmatch(string:version, pattern:"^(.+) under (/.*)$"))exit(0);
+
+vers = matches[1];
+if(!isnull(vers) && vers >!< "unknown") {
+
+  if(version_in_range(version: vers, test_version: "0.804", test_version2: "0.812.1")) {
+      security_warning(port:port);
+      exit(0);
+  }
+
+}
+
+exit(0);
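Review bot: The test `vers >!< "unknown"` reads the wrong way round for what it is guarding: `>!<` checks that the left operand is not a substring of the right, so this passes any version string that does not occur inside the word "unknown", whereas the detect script stores the literal value "unknown" when no version was found; the intent is an equality test and `vers != "unknown"` states it directly. The second capture group from `"^(.+) under (/.*)$"` (the install directory) is never used, so the pattern could be simplified or the directory could be included in the report for the user's benefit.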


Property changes on: trunk/openvas-plugins/scripts/flatpress_36543.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/flatpress_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/flatpress_detect.nasl	2009-10-06 15:09:37 UTC (rev 5406)
+++ trunk/openvas-plugins/scripts/flatpress_detect.nasl	2009-10-06 16:45:43 UTC (rev 5407)
@@ -0,0 +1,110 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Flatpress Detection
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+# need desc here to modify it later in script.
+desc = "Overview:
+This host is running Flatpress, an open-source blogging engine.
+
+See also:
+http://www.flatpress.org
+
+Risk factor : None";
+
+if (description)
+{
+ script_id(100294);
+ script_version ("1.0-$Revision$");
+
+ script_name("Flatpress Detection");
+ script_description(desc);
+ script_summary("Checks for the presence of Flatpress");
+ script_category(ACT_GATHER_INFO);
+ script_family("Service detection");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port))exit(0);
+
+dirs = make_list("/flatpress","/blog",cgi_dirs());
+
+foreach dir (dirs) {
+
+ url = string(dir, "/index.php");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )continue;
+
+ if(egrep(pattern: "powered by <a [^>]>FlatPress", string: buf, icase: TRUE) ||
+    egrep(pattern: 'meta name="generator" content="FlatPress', string: buf, icase: TRUE))
+ {
+     if(strlen(dir)>0) {
+        install=dir;
+     } else {
+        install=string("/");
+     }
+
+    vers = string("unknown");
+    ### try to get version 
+    version = eregmatch(string: buf, pattern: 'FlatPress fp-([0-9.]+[^"]*)',icase:TRUE);
+
+    if ( !isnull(version[1]) ) {
+       vers=chomp(version[1]);
+    }
+
+    set_kb_item(name: string("www/", port, "/flatpress"), value: string(vers," under ",install));
+
+    info = string("None\n\nFlatPress Version '");
+    info += string(vers);
+    info += string("' was detected on the remote host in the following directory(s):\n\n");
+    info += string(install, "\n");
+
+    desc = ereg_replace(
+        string:desc,
+        pattern:"None$",
+        replace:info
+    );
+
+       if(report_verbosity > 0) {
+         security_note(port:port,data:desc);
+       }
+       exit(0);
+
+ }
+}
+exit(0);
+
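Review bot: The first detection pattern, `"powered by <a [^>]>FlatPress"`, matches only an `<a>` tag whose attribute text is a single character because `[^>]` carries no quantifier, so a real "powered by" link with an `href` attribute will not be recognized and detection silently falls back to the generator meta tag alone; the likely intent is `egrep(pattern: "powered by <a [^>]*>FlatPress", string: buf, icase: TRUE)`. Separately, the report text says "in the following directory(s)" but the loop calls `exit(0)` after the first match, so at most one directory is ever listed and the KB entry `www/<port>/flatpress` only ever records that first install; either the wording should say "directory" or the exit should move after the loop with the installs accumulated.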


Property changes on: trunk/openvas-plugins/scripts/flatpress_detect.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Modified: trunk/openvas-plugins/scripts/ms_smb2_highid.nasl
===================================================================
--- trunk/openvas-plugins/scripts/ms_smb2_highid.nasl	2009-10-06 15:09:37 UTC (rev 5406)
+++ trunk/openvas-plugins/scripts/ms_smb2_highid.nasl	2009-10-06 16:45:43 UTC (rev 5407)
@@ -72,16 +72,15 @@
 
  script_description(desc);
  script_summary("Determine if Microsoft Windows is prone to a remote code-execution vulnerability");
- script_category(ACT_GATHER_INFO);
+ script_category(ACT_KILL_HOST);
  script_family("Windows");
  script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
- script_dependencies("find_service.nes", "smtpserver_detect.nasl");
+ script_dependencies("find_service.nes");
  script_require_ports(445);
  exit(0);
 }
 
 include("misc_func.inc");
-include("network_func.inc");
 
 if(safe_checks())exit(0);
 
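Review bot: The summary at `script_summary("Determine if Microsoft Windows is prone to a remote code-execution vulnerability")` still describes an information-gathering check while the category on the next changed line is now ACT_KILL_HOST, so nothing visible in this hunk tells a user that running the NVT is expected to crash the target; the summary, and presumably the description held in `desc` (outside the hunk), should say so, e.g. `script_summary("Determine if Microsoft Windows is prone to a remote code-execution vulnerability (may crash the target host)");`. The retained `if(safe_checks())exit(0);` context line is the only guard and is consistent with the new category. The enclosing `if(description)` block begins outside the hunk.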

Added: trunk/openvas-plugins/scripts/showmount.nasl
===================================================================
--- trunk/openvas-plugins/scripts/showmount.nasl	2009-10-06 15:09:37 UTC (rev 5406)
+++ trunk/openvas-plugins/scripts/showmount.nasl	2009-10-06 16:45:43 UTC (rev 5407)
@@ -0,0 +1,217 @@
+###################################################################
+# OpenVAS Network Vulnerability Test
+# $Id$
+#
+# Showmount
+#
+# LSS-NVT-2009-014
+#
+# Developed by LSS Security Team <http://security.lss.hr>
+#
+# Copyright (C) 2009 LSS <http://www.lss.hr>
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program. If not, see
+# <http://www.gnu.org/licenses/>.
+###################################################################
+if(description)
+{
+ script_id(102014);
+ script_version ("1.0-$Revision$");
+ script_cve_id("CVE-1999-0554", "CVE-1999-0548");
+ script_name("NFS export");
+
+ desc = "
+This plugin lists NFS exported shares, and warns if some of
+them are readable.
+
+It also warns if the remote NFS server is superfluous.
+
+Tested on Ubuntu/Debian mountd
+
+References:
+  rfc 1057
+  rfc 1094
+
+Thanks to Wireshark!
+
+Risk factor : Low / Medium";
+
+ script_description(desc);
+ script_summary("Checks for NFS shares");
+ script_category(ACT_GATHER_INFO);
+ script_family("Remote file access");
+ script_dependencie("secpod_rpc_portmap.nasl");
+ script_require_keys("rpc/portmap");
+ exit(0);
+}
+
+include("misc_func.inc");
+include("nfs_func.inc");
+
+#mountd program number and version
+
+RPC_MOUNTD = 100005;
+RPC_MOUNTD_VERSION = 1;
+RPC_NFSD = 100003;
+####RPC MOUNT EXPORT function####
+#  PURPOSE: obtains the targets export list by sending an RPC CALL message to EXPORT procedure of mountd
+#  ARGUMENT: -port- on which the mountd daemon is listening
+#       -protocol- IPPROTO_UDP(default) or IPPROTO_TCP
+#  RETURN: returns the NFSd daemons export list as defined in rfc 1094 (Appendix A)
+#    null on error
+
+
+function rpc_mountd_export(port,protocol){
+
+  XID = raw_string(0x01,0x23,0x45,0x67);#rpc message ID, should be the same as reply xid
+  RPC_CALL = raw_string(0x00,0x00,0x00,0x00);#call message = 0
+  RPC_VERSION = raw_string(0x00,0x00,0x00,0x02);#current RPC version = 2
+  RPC_PROG = raw_string(0x00,0x01,0x86,0xa5);#mountd program number = 100005
+  RPC_PROG_VERSION = raw_string(0x00,0x00,0x00,0x01);#mountd program version = 1
+  RPC_PROCEDURE = raw_string(0x00,0x00,0x00,0x05);#mountd export procedure number = 5
+  RPC_CREDENTIALS_FLAVOR = raw_string(0x00,0x00,0x00,0x00);#credentials flavor = AUTH_NULL = 0
+  RPC_CREDENTIALS_LENGTH = raw_string(0x00,0x00,0x00,0x00);#credentials length = 0
+  RPC_VERIFIER_FLAVOR = raw_string(0x00,0x00,0x00,0x00);#verifier flavor = AUTH_NULL = 0
+        RPC_VERIFIER_LENGTH = raw_string(0x00,0x00,0x00,0x00);#verifier length = 0
+
+  rpc_mountd_export_call = XID +
+        RPC_CALL +
+        RPC_VERSION +
+        RPC_PROG +
+        RPC_PROG_VERSION +
+        RPC_PROCEDURE +
+        RPC_CREDENTIALS_FLAVOR +
+        RPC_CREDENTIALS_LENGTH +
+        RPC_VERIFIER_FLAVOR +
+        RPC_VERIFIER_LENGTH;
+  if(isnull(protocol)){
+    protocol = IPPROTO_UDP;
+  }
+  MSS = 1460; #data len to read at most (maximum segment size for ethernet)
+  rpc_mountd_export_reply = NULL;
+  if(protocol == IPPROTO_UDP){
+    udp_sock = open_sock_udp(port);
+    if(isnull(udp_sock)) {
+                  log_message("rpc_mountd_export: Error opening socket on udp port " + port);
+      return NULL;
+    }
+    send(socket: udp_sock, data: rpc_mountd_export_call);
+    rpc_mountd_export_reply = recv(socket: udp_sock, length: MSS);
+    close(udp_sock);
+  }else if(protocol == IPPROTO_TCP){
+    tcp_sock = open_sock_tcp(port);
+    if(isnull(tcp_sock)){
+                        log_message("rpc_mountd_export: Error opening socket on tcp port " + port);
+      return NULL;
+    }
+                send(socket: tcp_sock, data: rpc_mountd_export_call);
+                rpc_mountd_export_reply = recv(socket: tcp_sock, length: MSS);
+    close(tcp_sock);
+  }else {
+    log_message("rpc_mountd_export: Invalid protocol");
+    return NULL;
+  }
+
+  if(isnull(rpc_mountd_export_reply)){
+                log_message("rpc_mountd_export: No reply message");
+    return NULL;
+  }
+
+  #RPC reply
+  reply_xid = substr(rpc_mountd_export_reply,0,3);
+  if(reply_xid != XID){
+    log_message("rpc_mountd_export: xid don't match");
+    return NULL;
+  }
+  reply_msg_type = substr(rpc_mountd_export_reply,4,7);
+  if(reply_msg_type != raw_string(0x00, 0x00, 0x00, 0x01)){
+    log_message("rpc_mountd_export: Not a reply message");
+    return NULL;
+  }
+  reply_reply_state = substr(rpc_mountd_export_reply,8,11);
+  if(reply_reply_state != raw_string(0x00, 0x00, 0x00, 0x00)){
+    log_message("rpc_mountd_export: Call was denied by the server");
+    return NULL;
+  }
+  reply_verifier_flavor = substr(rpc_mountd_export_reply,12,15);
+        reply_verifier_length = substr(rpc_mountd_export_reply,16,19);
+        reply_accept_state = substr(rpc_mountd_export_reply,20,23);
+  if(reply_accept_state != raw_string(0x00, 0x00, 0x00, 0x00)){
+    log_message("rpc_mountd_export: Remote procedure returned an error");
+    return NULL;
+  }
+  #MOUNTD exportlist
+  reply_mountd_exportlist = substr(rpc_mountd_export_reply,24);
+  return reply_mountd_exportlist;
+}
+
+####MAIN####
+
+RPC_MOUNTD_port = get_rpc_port(program: RPC_MOUNTD, protocol: IPPROTO_UDP);
+RPC_NFSD_port = get_rpc_port(program: RPC_NFSD, protocol: IPPROTO_UDP);
+
+#display("NFSD: " + RPC_NFSD_port + '\n');
+#display("MOUNTD port: " + RPC_MOUNTD_port + '\n');
+
+export_list = rpc_mountd_export(port: RPC_MOUNTD_port, protocol: IPPROTO_UDP); #using UDP because get_rpc_port is written only for udp ports
+if(isnull(export_list)){
+  log_message("rpc_mountd_export: FAIL!");
+  exit(-1);
+}else{
+  VALUE_FOLLOWS = raw_string(0x00, 0x00, 0x00, 0x01);
+  LEFT = 0; RIGHT = 3;
+  export_value_follows = substr(export_list, LEFT, RIGHT);
+  while(export_value_follows == VALUE_FOLLOWS){
+    LEFT = RIGHT + 1;
+    RIGHT = LEFT + 3;
+    export_dirpath_length = str2long(val: substr(export_list, LEFT,RIGHT), idx: 0);
+    LEFT = RIGHT + 1;
+    RIGHT = LEFT + export_dirpath_length - 1;
+    export_dirpath = substr(export_list, LEFT, RIGHT);
+    LEFT = RIGHT + padsz(len: export_dirpath_length) + 1;
+    RIGHT = LEFT + 3;
+    groups_value_follows = substr(export_list, LEFT, RIGHT);
+    groups = "";
+    while(groups_value_follows == VALUE_FOLLOWS){
+      LEFT = RIGHT + 1;
+                  RIGHT = LEFT + 3;
+      groups_length = str2long(val: substr(export_list, LEFT,RIGHT), idx: 0);
+      LEFT = RIGHT + 1;
+                  RIGHT = LEFT + groups_length - 1;
+                  groups = groups + substr(export_list, LEFT, RIGHT);
+                  LEFT = RIGHT + padsz(len: groups_length) + 1;
+                  RIGHT = LEFT + 3;
+                  groups_value_follows = substr(export_list, LEFT, RIGHT);
+    }
+    LEFT = RIGHT + 1;
+                RIGHT = LEFT + 3;
+    export_value_follows = substr(export_list, LEFT,RIGHT);
+    insstr(groups, '\0', strlen(groups) - 1);
+    list += export_dirpath + ' ' + groups + '\n';
+          set_kb_item(name:"nfs/exportlist", value:export_dirpath);
+  }
+}
+
+proto = "udp";
+if(isnull(list)){
+   report = 'You are running a superfluous NFS daemon.\nYou should consider removing it\n';
+   security_note(port:RPC_NFSD_port, data:report, proto:proto);
+   #display(report);
+   exit(0);
+}else{
+  report = 'Here is the export list of ' + get_host_name() + ' : \n' + list;
+  security_note(port:RPC_NFSD_port, data:report, proto:proto);
+  #display(report);
+  exit(0);
+}
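Review bot: The return value of `insstr(groups, '\0', strlen(groups) - 1);` in the main parsing loop is discarded, so the statement has no effect, and the group names gathered in the inner loop are concatenated with no separator, which makes the reported export list hard to read; join each name as it is read, `groups = groups + substr(export_list, LEFT, RIGHT) + ' ';`, and drop the `insstr` line. In `rpc_mountd_export`, the reply is sliced at fixed offsets up to byte 24 without checking its length, so a short datagram yields NULL fields that are then compared as if they were RPC header words; a `if(strlen(rpc_mountd_export_reply) < 24) return NULL;` guard after the existing NULL check would make the rejection explicit. The lengths read from the reply (`export_dirpath_length`, `groups_length`) are attacker-controlled and drive `substr` bounds directly, which appears safe only because `substr` tolerates out-of-range arguments; a comment stating that reliance would help the next reader. The TCP branch also seems to omit the RPC record-marking header that RPC over TCP requires (RFC 1057, section 10), though only the UDP path is exercised from the main section, so that defect is latent.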


Property changes on: trunk/openvas-plugins/scripts/showmount.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision


