[Openvas-commits] r5407 - in trunk/openvas-plugins: . scripts
Tue Oct 6 18:45:46 CEST 2009
Author: mime
Date: 2009-10-06 18:45:43 +0200 (Tue, 06 Oct 2009)
New Revision: 5407
Added:
trunk/openvas-plugins/scripts/FtpXQ_36391.nasl
trunk/openvas-plugins/scripts/flatpress_36543.nasl
trunk/openvas-plugins/scripts/flatpress_detect.nasl
trunk/openvas-plugins/scripts/showmount.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/cve_current.txt
trunk/openvas-plugins/scripts/ms_smb2_highid.nasl
Log:
Added new plugins
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2009-10-06 15:09:37 UTC (rev 5406)
+++ trunk/openvas-plugins/ChangeLog 2009-10-06 16:45:43 UTC (rev 5407)
@@ -1,3 +1,17 @@
+2009-10-06 Michael Meyer <michael.meyer at intevation.de>
+
+ * scripts/flatpress_36543.nasl,
+ scripts/FtpXQ_36391.nasl,
+ scripts/flatpress_detect.nasl:
+ Added new plugins.
+
+ * scripts/ms_smb2_highid.nasl:
+ Changed script_category to ACT_KILL_HOST. Removed unneeded
+ dependencies.
+
+ * scripts/showmount.nasl:
+ Added plugin developed by LSS Security Team.
+
2009-10-06 Chandrashekhar B <bchandra at secpod.com>
* scripts/wmi_rsop.inc:
Modified: trunk/openvas-plugins/cve_current.txt
===================================================================
--- trunk/openvas-plugins/cve_current.txt 2009-10-06 15:09:37 UTC (rev 5406)
+++ trunk/openvas-plugins/cve_current.txt 2009-10-06 16:45:43 UTC (rev 5407)
@@ -109,5 +109,6 @@
CVE-2009-3510 SecPod
CVE-2009-3541 SecPod
CVE-2009-3484 SecPod
+36543 Greenbone svn R
+36391 Greenbone svn R
-
Added: trunk/openvas-plugins/scripts/FtpXQ_36391.nasl
===================================================================
--- trunk/openvas-plugins/scripts/FtpXQ_36391.nasl 2009-10-06 15:09:37 UTC (rev 5406)
+++ trunk/openvas-plugins/scripts/FtpXQ_36391.nasl 2009-10-06 16:45:43 UTC (rev 5407)
@@ -0,0 +1,88 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# DataWizard FtpXQ Remote Denial of Service Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100293);
+ script_bugtraq_id(36391);
+ script_version ("1.0-$Revision$");
+
+ script_name("DataWizard FtpXQ Remote Denial of Service Vulnerability");
+
+desc = "Overview:
+FtpXQ is prone to a remote denial-of-service vulnerability.
+
+Remote attackers can cause the affected server to stop responding,
+denying service to legitimate users.
+
+FtpXQ 3.0 is vulnerable; other versions may also be affected.
+
+References:
+http://www.securityfocus.com/bid/36391
+http://www.datawizard.net
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if FtpXQ version is 3.0");
+ script_category(ACT_GATHER_INFO);
+ script_family("FTP");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes","secpod_ftp_anonymous.nasl","ftpserver_detect_type_nd_version.nasl");
+ script_require_ports("Services/ftp", 21);
+ exit(0);
+}
+
+include("ftp_func.inc");
+include("version_func.inc");
+
+port = get_kb_item("Services/ftp");
+if(!port){
+ port = 21;
+}
+
+if(get_kb_item('ftp/'+port+'/broken'))exit(0);
+
+if(!get_port_state(port)){
+ exit(0);
+}
+
+if(!banner = get_ftp_banner(port:port))exit(0);
+
+if("FtpXQ" >!< banner)exit(0);
+
+version = eregmatch(string: banner, pattern:"Version ([0-9.]+)");
+
+if(!isnull(version[1])) {
+ if(version_is_equal(version: version[1], test_version: "3.0")) {
+ security_warning(port:port);
+ }
+}
+
+
+exit(0);
+
+
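Review bot: The `desc` text at lines 90-102 carries no `Solution:` section, unlike the sibling flatpress_36543.nasl description in this same commit, so a reader of the finding gets no remediation pointer; add a `Solution:` paragraph ahead of `References:` stating whatever remediation is known (vendor update, or that none is available). The check fires only on an exact `3.0` banner version through `version_is_equal`, while the description says other versions may also be affected, so a one-line comment above that call would spare the next maintainer from "fixing" it, e.g. `# only 3.0 is confirmed; exact match keeps false positives down`.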
Property changes on: trunk/openvas-plugins/scripts/FtpXQ_36391.nasl
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Added: trunk/openvas-plugins/scripts/flatpress_36543.nasl
===================================================================
--- trunk/openvas-plugins/scripts/flatpress_36543.nasl 2009-10-06 15:09:37 UTC (rev 5406)
+++ trunk/openvas-plugins/scripts/flatpress_36543.nasl 2009-10-06 16:45:43 UTC (rev 5407)
@@ -0,0 +1,92 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# FlatPress 'userid' Parameter Local File Include Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100295);
+ script_bugtraq_id(36543);
+ script_version ("1.0-$Revision$");
+
+ script_name("FlatPress 'userid' Parameter Local File Include Vulnerability");
+
+desc = "Overview:
+FlatPress is prone to a local file-include vulnerability because it
+fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially
+sensitive information and execute arbitrary local scripts in the
+context of the webserver process. This may allow the attacker to
+compromise the application and the underlying computer; other attacks
+are also possible.
+
+FlatPress 0.804 through 0.812.1 are vulnerable.
+
+Solution:
+The vendor has released an update. Please see the references
+for details.
+
+References:
+http://www.securityfocus.com/bid/36543
+https://sourceforge.net/project/shownotes.php?group_id=157089&release_id=628765
+http://www.securityfocus.com/archive/1/506816
+
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if FlatPress is prone to a local file-include vulnerability");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("flatpress_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("version_func.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+if(!can_host_php(port:port)) exit(0);
+
+if(!version = get_kb_item(string("www/", port, "/flatpress")))exit(0);
+if(!matches = eregmatch(string:version, pattern:"^(.+) under (/.*)$"))exit(0);
+
+vers = matches[1];
+if(!isnull(vers) && vers >!< "unknown") {
+
+ if(version_in_range(version: vers, test_version: "0.804", test_version2: "0.812.1")) {
+ security_warning(port:port);
+ exit(0);
+ }
+
+}
+
+exit(0);
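Review bot: The install directory captured as `matches[2]` by the pattern `"^(.+) under (/.*)$"` is never used, so `security_warning(port:port)` reports the vulnerable FlatPress without saying which directory it lives in, even though the detect script stored that information in the KB for exactly this purpose. Either build a short report string that includes `matches[2]` and pass it as `data:` to `security_warning`, or add a comment above the `eregmatch` noting that only the version part of the KB entry is consumed here.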
Property changes on: trunk/openvas-plugins/scripts/flatpress_36543.nasl
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Added: trunk/openvas-plugins/scripts/flatpress_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/flatpress_detect.nasl 2009-10-06 15:09:37 UTC (rev 5406)
+++ trunk/openvas-plugins/scripts/flatpress_detect.nasl 2009-10-06 16:45:43 UTC (rev 5407)
@@ -0,0 +1,110 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Flatpress Detection
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+# need desc here to modify it later in script.
+desc = "Overview:
+This host is running Flatpress, an open-source blogging engine.
+
+See also:
+http://www.flatpress.org
+
+Risk factor : None";
+
+if (description)
+{
+ script_id(100294);
+ script_version ("1.0-$Revision$");
+
+ script_name("Flatpress Detection");
+ script_description(desc);
+ script_summary("Checks for the presence of Flatpress");
+ script_category(ACT_GATHER_INFO);
+ script_family("Service detection");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port))exit(0);
+
+dirs = make_list("/flatpress","/blog",cgi_dirs());
+
+foreach dir (dirs) {
+
+ url = string(dir, "/index.php");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )continue;
+
+ if(egrep(pattern: "powered by <a [^>]>FlatPress", string: buf, icase: TRUE) ||
+ egrep(pattern: 'meta name="generator" content="FlatPress', string: buf, icase: TRUE))
+ {
+ if(strlen(dir)>0) {
+ install=dir;
+ } else {
+ install=string("/");
+ }
+
+ vers = string("unknown");
+ ### try to get version
+ version = eregmatch(string: buf, pattern: 'FlatPress fp-([0-9.]+[^"]*)',icase:TRUE);
+
+ if ( !isnull(version[1]) ) {
+ vers=chomp(version[1]);
+ }
+
+ set_kb_item(name: string("www/", port, "/flatpress"), value: string(vers," under ",install));
+
+ info = string("None\n\nFlatPress Version '");
+ info += string(vers);
+ info += string("' was detected on the remote host in the following directory(s):\n\n");
+ info += string(install, "\n");
+
+ desc = ereg_replace(
+ string:desc,
+ pattern:"None$",
+ replace:info
+ );
+
+ if(report_verbosity > 0) {
+ security_note(port:port,data:desc);
+ }
+ exit(0);
+
+ }
+}
+exit(0);
+
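Review bot: The first detection pattern `"powered by <a [^>]>FlatPress"` at line 325 matches exactly one character between `<a ` and `>`, so any real anchor with an `href` attribute will never match and detection rests solely on the `meta name="generator"` pattern; the intended form is `egrep(pattern: "powered by <a [^>]*>FlatPress", string: buf, icase: TRUE) ||`. Separately, the `exit(0)` at line 358 leaves the loop after the first matching directory, so only one install is ever written to the KB and reported although the report text says "directory(s)"; if that is deliberate, a comment such as `# first install only; remaining dirs are not probed` above the `exit(0)` would make it explicit.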
Property changes on: trunk/openvas-plugins/scripts/flatpress_detect.nasl
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Modified: trunk/openvas-plugins/scripts/ms_smb2_highid.nasl
===================================================================
--- trunk/openvas-plugins/scripts/ms_smb2_highid.nasl 2009-10-06 15:09:37 UTC (rev 5406)
+++ trunk/openvas-plugins/scripts/ms_smb2_highid.nasl 2009-10-06 16:45:43 UTC (rev 5407)
@@ -72,16 +72,15 @@
script_description(desc);
script_summary("Determine if Microsoft Windows is prone to a remote code-execution vulnerability");
- script_category(ACT_GATHER_INFO);
+ script_category(ACT_KILL_HOST);
script_family("Windows");
script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
- script_dependencies("find_service.nes", "smtpserver_detect.nasl");
+ script_dependencies("find_service.nes");
script_require_ports(445);
exit(0);
}
include("misc_func.inc");
-include("network_func.inc");
if(safe_checks())exit(0);
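Review bot: With `script_category` now `ACT_KILL_HOST`, the plugin description should tell the operator that running it can crash the target, and the `desc` text that `script_description(desc)` passes lives above this hunk, so that paragraph is not visible here; add a line such as `Note: this test may crash the remote host and is only run when safe checks are disabled.` to the description. The `if(safe_checks())exit(0);` guard visible at the end of the hunk is consistent with the new category and is worth a comment tying the two together, e.g. `# ACT_KILL_HOST: never send the crashing request under safe checks`. The enclosing `if(description)` block starts outside the hunk.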
Added: trunk/openvas-plugins/scripts/showmount.nasl
===================================================================
--- trunk/openvas-plugins/scripts/showmount.nasl 2009-10-06 15:09:37 UTC (rev 5406)
+++ trunk/openvas-plugins/scripts/showmount.nasl 2009-10-06 16:45:43 UTC (rev 5407)
@@ -0,0 +1,217 @@
+###################################################################
+# OpenVAS Network Vulnerability Test
+# $Id$
+#
+# Showmount
+#
+# LSS-NVT-2009-014
+#
+# Developed by LSS Security Team <http://security.lss.hr>
+#
+# Copyright (C) 2009 LSS <http://www.lss.hr>
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program. If not, see
+# <http://www.gnu.org/licenses/>.
+###################################################################
+if(description)
+{
+ script_id(102014);
+ script_version ("1.0-$Revision$");
+ script_cve_id("CVE-1999-0554", "CVE-1999-0548");
+ script_name("NFS export");
+
+ desc = "
+This plugin lists NFS exported shares, and warns if some of
+them are readable.
+
+It also warns if the remote NFS server is superfluous.
+
+Tested on Ubuntu/Debian mountd
+
+References:
+ rfc 1057
+ rfc 1094
+
+Thanks to Wireshark!
+
+Risk factor : Low / Medium";
+
+ script_description(desc);
+ script_summary("Checks for NFS shares");
+ script_category(ACT_GATHER_INFO);
+ script_family("Remote file access");
+ script_dependencie("secpod_rpc_portmap.nasl");
+ script_require_keys("rpc/portmap");
+ exit(0);
+}
+
+include("misc_func.inc");
+include("nfs_func.inc");
+
+#mountd program number and version
+
+RPC_MOUNTD = 100005;
+RPC_MOUNTD_VERSION = 1;
+RPC_NFSD = 100003;
+####RPC MOUNT EXPORT function####
+# PURPOSE: obtains the targets export list by sending an RPC CALL message to EXPORT procedure of mountd
+# ARGUMENT: -port- on which the mountd daemon is listening
+# -protocol- IPPROTO_UDP(default) or IPPROTO_TCP
+# RETURN: returns the NFSd daemons export list as defined in rfc 1094 (Appendix A)
+# null on error
+
+
+function rpc_mountd_export(port,protocol){
+
+ XID = raw_string(0x01,0x23,0x45,0x67);#rpc message ID, should be the same as reply xid
+ RPC_CALL = raw_string(0x00,0x00,0x00,0x00);#call message = 0
+ RPC_VERSION = raw_string(0x00,0x00,0x00,0x02);#current RPC version = 2
+ RPC_PROG = raw_string(0x00,0x01,0x86,0xa5);#mountd program number = 100005
+ RPC_PROG_VERSION = raw_string(0x00,0x00,0x00,0x01);#mountd program version = 1
+ RPC_PROCEDURE = raw_string(0x00,0x00,0x00,0x05);#mountd export procedure number = 5
+ RPC_CREDENTIALS_FLAVOR = raw_string(0x00,0x00,0x00,0x00);#credentials flavor = AUTH_NULL = 0
+ RPC_CREDENTIALS_LENGTH = raw_string(0x00,0x00,0x00,0x00);#credentials length = 0
+ RPC_VERIFIER_FLAVOR = raw_string(0x00,0x00,0x00,0x00);#verifier flavor = AUTH_NULL = 0
+ RPC_VERIFIER_LENGTH = raw_string(0x00,0x00,0x00,0x00);#verifier length = 0
+
+ rpc_mountd_export_call = XID +
+ RPC_CALL +
+ RPC_VERSION +
+ RPC_PROG +
+ RPC_PROG_VERSION +
+ RPC_PROCEDURE +
+ RPC_CREDENTIALS_FLAVOR +
+ RPC_CREDENTIALS_LENGTH +
+ RPC_VERIFIER_FLAVOR +
+ RPC_VERIFIER_LENGTH;
+ if(isnull(protocol)){
+ protocol = IPPROTO_UDP;
+ }
+ MSS = 1460; #data len to read at most (maximum segment size for ethernet)
+ rpc_mountd_export_reply = NULL;
+ if(protocol == IPPROTO_UDP){
+ udp_sock = open_sock_udp(port);
+ if(isnull(udp_sock)) {
+ log_message("rpc_mountd_export: Error opening socket on udp port " + port);
+ return NULL;
+ }
+ send(socket: udp_sock, data: rpc_mountd_export_call);
+ rpc_mountd_export_reply = recv(socket: udp_sock, length: MSS);
+ close(udp_sock);
+ }else if(protocol == IPPROTO_TCP){
+ tcp_sock = open_sock_tcp(port);
+ if(isnull(tcp_sock)){
+ log_message("rpc_mountd_export: Error opening socket on tcp port " + port);
+ return NULL;
+ }
+ send(socket: tcp_sock, data: rpc_mountd_export_call);
+ rpc_mountd_export_reply = recv(socket: tcp_sock, length: MSS);
+ close(tcp_sock);
+ }else {
+ log_message("rpc_mountd_export: Invalid protocol");
+ return NULL;
+ }
+
+ if(isnull(rpc_mountd_export_reply)){
+ log_message("rpc_mountd_export: No reply message");
+ return NULL;
+ }
+
+ #RPC reply
+ reply_xid = substr(rpc_mountd_export_reply,0,3);
+ if(reply_xid != XID){
+ log_message("rpc_mountd_export: xid don't match");
+ return NULL;
+ }
+ reply_msg_type = substr(rpc_mountd_export_reply,4,7);
+ if(reply_msg_type != raw_string(0x00, 0x00, 0x00, 0x01)){
+ log_message("rpc_mountd_export: Not a reply message");
+ return NULL;
+ }
+ reply_reply_state = substr(rpc_mountd_export_reply,8,11);
+ if(reply_reply_state != raw_string(0x00, 0x00, 0x00, 0x00)){
+ log_message("rpc_mountd_export: Call was denied by the server");
+ return NULL;
+ }
+ reply_verifier_flavor = substr(rpc_mountd_export_reply,12,15);
+ reply_verifier_length = substr(rpc_mountd_export_reply,16,19);
+ reply_accept_state = substr(rpc_mountd_export_reply,20,23);
+ if(reply_accept_state != raw_string(0x00, 0x00, 0x00, 0x00)){
+ log_message("rpc_mountd_export: Remote procedure returned an error");
+ return NULL;
+ }
+ #MOUNTD exportlist
+ reply_mountd_exportlist = substr(rpc_mountd_export_reply,24);
+ return reply_mountd_exportlist;
+}
+
+####MAIN####
+
+RPC_MOUNTD_port = get_rpc_port(program: RPC_MOUNTD, protocol: IPPROTO_UDP);
+RPC_NFSD_port = get_rpc_port(program: RPC_NFSD, protocol: IPPROTO_UDP);
+
+#display("NFSD: " + RPC_NFSD_port + '\n');
+#display("MOUNTD port: " + RPC_MOUNTD_port + '\n');
+
+export_list = rpc_mountd_export(port: RPC_MOUNTD_port, protocol: IPPROTO_UDP); #using UDP because get_rpc_port is written only for udp ports
+if(isnull(export_list)){
+ log_message("rpc_mountd_export: FAIL!");
+ exit(-1);
+}else{
+ VALUE_FOLLOWS = raw_string(0x00, 0x00, 0x00, 0x01);
+ LEFT = 0; RIGHT = 3;
+ export_value_follows = substr(export_list, LEFT, RIGHT);
+ while(export_value_follows == VALUE_FOLLOWS){
+ LEFT = RIGHT + 1;
+ RIGHT = LEFT + 3;
+ export_dirpath_length = str2long(val: substr(export_list, LEFT,RIGHT), idx: 0);
+ LEFT = RIGHT + 1;
+ RIGHT = LEFT + export_dirpath_length - 1;
+ export_dirpath = substr(export_list, LEFT, RIGHT);
+ LEFT = RIGHT + padsz(len: export_dirpath_length) + 1;
+ RIGHT = LEFT + 3;
+ groups_value_follows = substr(export_list, LEFT, RIGHT);
+ groups = "";
+ while(groups_value_follows == VALUE_FOLLOWS){
+ LEFT = RIGHT + 1;
+ RIGHT = LEFT + 3;
+ groups_length = str2long(val: substr(export_list, LEFT,RIGHT), idx: 0);
+ LEFT = RIGHT + 1;
+ RIGHT = LEFT + groups_length - 1;
+ groups = groups + substr(export_list, LEFT, RIGHT);
+ LEFT = RIGHT + padsz(len: groups_length) + 1;
+ RIGHT = LEFT + 3;
+ groups_value_follows = substr(export_list, LEFT, RIGHT);
+ }
+ LEFT = RIGHT + 1;
+ RIGHT = LEFT + 3;
+ export_value_follows = substr(export_list, LEFT,RIGHT);
+ insstr(groups, '\0', strlen(groups) - 1);
+ list += export_dirpath + ' ' + groups + '\n';
+ set_kb_item(name:"nfs/exportlist", value:export_dirpath);
+ }
+}
+
+proto = "udp";
+if(isnull(list)){
+ report = 'You are running a superfluous NFS daemon.\nYou should consider removing it\n';
+ security_note(port:RPC_NFSD_port, data:report, proto:proto);
+ #display(report);
+ exit(0);
+}else{
+ report = 'Here is the export list of ' + get_host_name() + ' : \n' + list;
+ security_note(port:RPC_NFSD_port, data:report, proto:proto);
+ #display(report);
+ exit(0);
+}
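Review bot: The reply parser in `rpc_mountd_export` reads `reply_verifier_length` at line 539 but then hard-codes the accept-state offset as bytes 20-23 and the export list at byte 24, which is only right when the server answers with an empty AUTH_NULL verifier; RFC 1057 makes the reply verifier an opaque body of variable length, so the offsets should be derived from that length as in the excerpt below (using the same `str2long`/`padsz` helpers the main loop already relies on). The line `insstr(groups, '\0', strlen(groups) - 1);` at line 591 discards its return value, so it has no effect and the group names are still concatenated without any separator; joining with a space (`groups = groups + substr(export_list, LEFT, RIGHT) + ' ';`) and deleting the `insstr` call is presumably what was meant. `RPC_MOUNTD_port` from `get_rpc_port` is also not checked before it is handed to `rpc_mountd_export`, so a host without mountd registered produces the "FAIL!" log and an `exit(-1)` instead of a quiet `exit(0)`; a guard such as `if(!RPC_MOUNTD_port) exit(0);` after line 552 would avoid that noise. Finally, `script_dependencie` at line 445 is the old spelling; the other scripts in this commit use `script_dependencies`.
```nasl
  # … unchanged: xid / msg_type / reply_state checks …
  reply_verifier_flavor = substr(rpc_mountd_export_reply,12,15);
  reply_verifier_length = str2long(val: substr(rpc_mountd_export_reply,16,19), idx: 0);
  # RFC 1057 caps opaque auth bodies at 400 bytes; anything larger is not a sane reply
  if(reply_verifier_length > 400){
    log_message("rpc_mountd_export: verifier length out of range");
    return NULL;
  }
  # accept_state follows the verifier body, which is padded to a 4-byte boundary
  body = 20 + reply_verifier_length + padsz(len: reply_verifier_length);
  reply_accept_state = substr(rpc_mountd_export_reply, body, body + 3);
  if(reply_accept_state != raw_string(0x00, 0x00, 0x00, 0x00)){
    log_message("rpc_mountd_export: Remote procedure returned an error");
    return NULL;
  }
  #MOUNTD exportlist
  reply_mountd_exportlist = substr(rpc_mountd_export_reply, body + 4);
  return reply_mountd_exportlist;
```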
Property changes on: trunk/openvas-plugins/scripts/showmount.nasl
___________________________________________________________________
Name: svn:keywords
+ Id Revision