[Openvas-commits] r5687 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Fri Oct 23 16:18:44 CEST 2009


Author: chandra
Date: 2009-10-23 16:18:41 +0200 (Fri, 23 Oct 2009)
New Revision: 5687

Added:
   trunk/openvas-plugins/scripts/gb_alleycode_html_editor_bof_vuln.nasl
   trunk/openvas-plugins/scripts/gb_alleycode_html_editor_detect.nasl
   trunk/openvas-plugins/scripts/gb_gd_graphics_library_bof_vuln_lin.nasl
   trunk/openvas-plugins/scripts/gb_gd_graphics_library_detect_lin.nasl
   trunk/openvas-plugins/scripts/gb_httpdx_server_detect.nasl
   trunk/openvas-plugins/scripts/gb_httpdx_web_server_bof_vuln.nasl
   trunk/openvas-plugins/scripts/gb_httpdx_web_server_format_string_vuln.nasl
   trunk/openvas-plugins/scripts/gb_php_gdGetColors_bof_vuln.nasl
   trunk/openvas-plugins/scripts/gb_pidgin_oscar_dos_vuln_oct09_lin.nasl
   trunk/openvas-plugins/scripts/gb_pidgin_oscar_dos_vuln_oct09_win.nasl
   trunk/openvas-plugins/scripts/gb_zoiper_empty_callinfo_dos_vuln.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/cve_current.txt
Log:
Added new plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2009-10-23 13:35:03 UTC (rev 5686)
+++ trunk/openvas-plugins/ChangeLog	2009-10-23 14:18:41 UTC (rev 5687)
@@ -1,3 +1,18 @@
+2009-10-23  Chandrashekhar B <bchandra at secpod.com>
+
+	* scripts/gb_pidgin_oscar_dos_vuln_oct09_lin.nasl,
+	scripts/gb_alleycode_html_editor_bof_vuln.nasl,
+	scripts/gb_httpdx_web_server_bof_vuln.nasl,
+	scripts/gb_alleycode_html_editor_detect.nasl,
+	scripts/gb_gd_graphics_library_detect_lin.nasl,
+	scripts/gb_pidgin_oscar_dos_vuln_oct09_win.nasl,
+	scripts/gb_zoiper_empty_callinfo_dos_vuln.nasl,
+	scripts/gb_gd_graphics_library_bof_vuln_lin.nasl,
+	scripts/gb_httpdx_web_server_format_string_vuln.nasl,
+	scripts/gb_php_gdGetColors_bof_vuln.nasl,
+	scripts/gb_httpdx_server_detect.nasl:
+	Added new plugins.
+
 2009-10-22  Chandrashekhar B <bchandra at secpod.com>
 
 	* scripts/gb_hp_ux_HPSBUX02465.nasl,

Modified: trunk/openvas-plugins/cve_current.txt
===================================================================
--- trunk/openvas-plugins/cve_current.txt	2009-10-23 13:35:03 UTC (rev 5686)
+++ trunk/openvas-plugins/cve_current.txt	2009-10-23 14:18:41 UTC (rev 5687)
@@ -145,7 +145,7 @@
 CVE-2009-3282			SecPod		svn		L
 CVE-2009-3281			SecPod		svn		L
 CVE-2009-3707			SecPod		svn		L
-CVE-2009-3663			SecPod
+CVE-2009-3663			SecPod		svn		R
 CVE-2009-3711			SecPod
 CVE-2009-2981			SecPod		svn		L
 CVE-2009-2980			SecPod		svn		L
@@ -171,10 +171,13 @@
 CVE-2009-3460			SecPod		svn		L
 CVE-2009-3458			SecPod		svn		L
 CVE-2009-3462			SecPod		svn		L
-CVE-2009-3546			SecPod
-CVE-2009-3711			SecPod
+CVE-2009-3546			SecPod		svn		L
+CVE-2009-3711			SecPod		svn		R
 CVE-2009-3662			SecPod		svn		R
-CVE-2009-3615			SecPod
-CVE-2009-3704			SecPod
-CVE-2009-3708			SecPod
-CVE-2009-3709			SecPod
+CVE-2009-3615			SecPod		svn		L
+CVE-2009-3704			SecPod		svn		R
+CVE-2009-3708			SecPod		svn		L
+CVE-2009-3709			SecPod		svn		L
+CVE-2009-3695			SecPod
+CVE-2009-3698			SecPod
+CVE-2009-2999			SecPod

Added: trunk/openvas-plugins/scripts/gb_alleycode_html_editor_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_alleycode_html_editor_bof_vuln.nasl	2009-10-23 13:35:03 UTC (rev 5686)
+++ trunk/openvas-plugins/scripts/gb_alleycode_html_editor_bof_vuln.nasl	2009-10-23 14:18:41 UTC (rev 5687)
@@ -0,0 +1,87 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_alleycode_html_editor_bof_vuln.nasl 5352 2009-10-23 19:29:29Z oct $
+#
+# Alleycode HTML Editor Buffer Overflow Vulnerabilities
+#
+# Authors:
+# Sharath S <sharaths at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801127);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-3708", "CVE-2009-3709");
+  script_name("Alleycode HTML Editor Buffer Overflow Vulnerabilities");
+  desc = "
+  Overview: This host is installed with Alleycode HTML Editor and is prone to
+  Buffer Overflow vulnerabilities.
+
+  Vulnerability Insight:
+  Multiple boundary error exists in the Meta Content Optimizer when displaying
+  the content of 'TITLE' or 'META' HTML tags. This can be exploited to cause a
+  stack-based buffer overflow via an HTML file defining an overly long 'TITLE'
+  tag, 'description' or 'keywords' 'META' tag.
+
+  Impact:
+  Successful exploitation will let the attackers to execute arbitrary code or
+  compromise a user's system.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  Alleycode HTML Editor version 2.21 and prior
+
+  Fix: No solution or patch is available as on 23rd October, 2009. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.alleycode.com/
+
+  References:
+  http://osvdb.org/58649
+  http://secunia.com/advisories/36940
+  http://packetstormsecurity.org/0910-exploits/alleycode-overflow.txt
+
+  CVSS Score:
+    CVSS Base Score     : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
+    CVSS Temporal Score : 8.4
+  Risk factor: Critical";
+
+  script_description(desc);
+  script_summary("Check for the version of Alleycode HTML Editor");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 Intevation GmbH");
+  script_family("Buffer overflow");
+  script_dependencies("gb_alleycode_html_editor_detect.nasl");
+  script_require_keys("Alleycode-HTML-Editor/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+aheVer = get_kb_item("Alleycode-HTML-Editor/Ver");
+if(!aheVer){
+  exit(0);
+}
+
+# Check for Alleycode HTML Editor version <= 2.21 (2.2.1)
+if(version_is_less_equal(version:aheVer, test_version:"2.2.1")){
+  security_hole(0);
+}
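Review bot: The comparison on line 176, `version_is_less_equal(version:aheVer, test_version:"2.2.1")`, looks inconsistent with the affected release named in the description ("2.21 and prior") and with the KB value, which the detection script takes verbatim from the registry DisplayName; if version_func.inc compares component-wise, as is usual, "2.21" against "2.2.1" yields 21 > 2 and the plugin never fires. Unless the product really reports itself as 2.2.1, the check should use `test_version:"2.21"` and the comment on line 175 should drop the "(2.2.1)" gloss. The risk label on line 155 is also out of step with the other files in this commit: a 9.3 base score is "Critical" here, while gb_httpdx_web_server_bof_vuln.nasl (line 591) and gb_httpdx_web_server_format_string_vuln.nasl (line 692) label a 10.0 as "High"; one score-to-label mapping should be used throughout.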


Property changes on: trunk/openvas-plugins/scripts/gb_alleycode_html_editor_bof_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_alleycode_html_editor_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_alleycode_html_editor_detect.nasl	2009-10-23 13:35:03 UTC (rev 5686)
+++ trunk/openvas-plugins/scripts/gb_alleycode_html_editor_detect.nasl	2009-10-23 14:18:41 UTC (rev 5687)
@@ -0,0 +1,65 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_alleycode_html_editor_detect.nasl 5352 2009-10-23 19:21:29Z oct $
+#
+# Alleycode HTML Editor Version Detection
+#
+# Authors:
+# Sharath S <sharaths at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801126);
+  script_version("$Revision: 1.0 $");
+  script_name("Alleycode HTML Editor Version Detection");
+  desc = "
+  Overview: This script detects the installed version of Alleycode HTML Editor
+  and sets the result in KB.
+
+  Risk Factor: Informational";
+
+  script_description(desc);
+  script_summary("Set KB for the version of Alleycode HTML Editor");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 Intevation GmbH");
+  script_family("Service detection");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_keys("SMB/WindowsVersion");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
+
+aheName = registry_get_sz(key:"SOFTWARE\Microsoft\Windows\CurrentVersion" +
+                              "\Uninstall\Kobeman_is1", item:"DisplayName");
+
+if("Alleycode HTML Editor" >< aheName)
+{
+  aheVer = eregmatch(pattern:"Alleycode HTML Editor ([0-9.]+)", string:aheName);
+  if(aheVer[1]){
+    set_kb_item(name:"Alleycode-HTML-Editor/Ver", value:aheVer[1]);
+  }
+}
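Review bot: `registry_get_sz()` on line 246 can return NULL when the uninstall key is absent, and that result goes straight into the `><` substring test on line 249 without a guard; the other detection scripts in this commit exit early on missing input, so for consistency add `if(isnull(aheName)) exit(0);` before the match. The version is read from a single hard-coded uninstall key (`Kobeman_is1`), so an install registered under another key name, or visible only in a different registry view, would go undetected — a one-line comment stating that assumption would help whoever maintains this.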


Property changes on: trunk/openvas-plugins/scripts/gb_alleycode_html_editor_detect.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_gd_graphics_library_bof_vuln_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_gd_graphics_library_bof_vuln_lin.nasl	2009-10-23 13:35:03 UTC (rev 5686)
+++ trunk/openvas-plugins/scripts/gb_gd_graphics_library_bof_vuln_lin.nasl	2009-10-23 14:18:41 UTC (rev 5687)
@@ -0,0 +1,82 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_gd_graphics_library_bof_vuln_lin.nasl 5387 2009-10-23 16:48:56Z oct $
+#
+# GD Graphics Library '_gdGetColors()' Buffer Overflow Vulnerability (Linux)
+#
+# Authors:
+# Sharath S <sharaths at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801122);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-3546");
+  script_bugtraq_id(36712);
+  script_name("GD Graphics Library '_gdGetColors()' Buffer Overflow Vulnerability (Linux)");
+  desc = "
+  Overview: The host is installed with GD Graphics Library and is prone to Buffer
+  Overflow vulnerability.
+
+  Vulnerability Insight:
+  The flaw is due to error in '_gdGetColors' function in gd_gd.c which fails to
+  check certain colorsTotal structure member, whicn can be exploited to cause
+  buffer overflow or buffer over-read attacks via a crafted GD file.
+
+  Impact:
+  Successful exploitation could allow attackers to potentially compromise a
+  vulnerable system.
+
+  Impact Level: System
+
+  Affected Software/OS:
+  GD Graphics Library version 2.x on Linux.
+
+  Fix: No solution or patch is available as on 23rd October, 2009. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.boutell.com/gd/
+
+  References:
+  http://secunia.com/advisories/37069/
+  http://www.vupen.com/english/advisories/2009/2929
+  http://marc.info/?l=oss-security&m=125562113503923&w=2
+
+  CVSS Score:
+    CVSS Base Score     : 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P)
+    CVSS Temporal Score : 6.4
+  Risk factor: High";
+
+  script_description(desc);
+  script_summary("Check for the version of GD Graphics Library");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 Intevation GmbH");
+  script_family("Buffer overflow");
+  script_dependencies("gb_gd_graphics_library_detect_lin.nasl");
+  script_require_keys("GD-Graphics-Lib/Lin/Ver");
+  exit(0);
+}
+
+
+gdVer = get_kb_item("GD-Graphics-Lib/Lin/Ver");
+
+# Check GD Graphics Library version 2.x
+if(gdVer =~ "^2\..*"){
+  security_hole(0);
+}
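Review bot: `gdVer` is read on line 344 and matched on line 347 without a NULL check, unlike the sibling plugins that `exit(0)` when the KB item is missing; add `if(isnull(gdVer)) exit(0);` after the `get_kb_item()` call so the regex never runs on an empty value. The pattern `"^2\..*"` reports every 2.x build as vulnerable, which is right only while no fixed release exists (as the Fix section states); a comment noting that an upper version bound must be added once a fix ships would keep this from becoming a permanent false positive. The trailing `.*` in the pattern is redundant and can be dropped.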


Property changes on: trunk/openvas-plugins/scripts/gb_gd_graphics_library_bof_vuln_lin.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_gd_graphics_library_detect_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_gd_graphics_library_detect_lin.nasl	2009-10-23 13:35:03 UTC (rev 5686)
+++ trunk/openvas-plugins/scripts/gb_gd_graphics_library_detect_lin.nasl	2009-10-23 14:18:41 UTC (rev 5687)
@@ -0,0 +1,66 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_gd_graphics_library_detect_lin.nasl 5387 2009-10-23 13:44:24Z oct $
+#
+# GD Graphics Library Version Detection (Linux)
+#
+# Authors:
+# Sharath S <sharaths at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801121);
+  script_version("$Revision: 1.0 $");
+  script_name("GD Graphics Library Version Detection (Linux)");
+  desc = "
+  Overview: This script detects the installed version of GD Graphics Library
+  and sets the result in KB.
+
+  Risk factor: Informational";
+
+  script_description(desc);
+  script_summary("Set KB for the version of GD Graphics Library");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 Intevation GmbH");
+  script_family("Service detection");
+  exit(0);
+}
+
+
+include("ssh_func.inc");
+include("version_func.inc");
+
+gd_sock = ssh_login_or_reuse_connection();
+if(!gd_sock){
+  exit(0);
+}
+
+gdName = find_bin(prog_name:"gdlib-config", sock:gd_sock);
+
+foreach binName (gdName)
+{
+  gdVer = get_bin_version(full_prog_name:chomp(binName), sock:gd_sock,
+                          version_argv:"--version",
+                          ver_pattern:"([0-9.]+.?(RC[0-9])?)");
+  if(!isnull(gdVer[1])){
+    set_kb_item(name:"GD-Graphics-Lib/Lin/Ver", value:gdVer[1]);
+  }
+}
+ssh_close_connection();
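Review bot: The description block on lines 388-405 declares no dependency or port for the SSH session opened on line 411, so the scanner may schedule this script before credentials and the SSH service have been established and it will silently exit; the other scripts in this commit declare their prerequisites with `script_dependencies()` / `script_require_ports()`, and this one should declare the SSH ones as well. In the `ver_pattern` on line 422 the `.?` after `[0-9.]+` is an unescaped any-character and can swallow a stray character into the captured version; if it is meant as a separator before an RC suffix, spell it out (e.g. `[-.]?`). When `find_bin()` returns several binaries, the loop on lines 418-426 overwrites the single KB key on each iteration, so only the last match is reported — a comment saying "last one wins" is intended would make that explicit.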


Property changes on: trunk/openvas-plugins/scripts/gb_gd_graphics_library_detect_lin.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_httpdx_server_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_httpdx_server_detect.nasl	2009-10-23 13:35:03 UTC (rev 5686)
+++ trunk/openvas-plugins/scripts/gb_httpdx_server_detect.nasl	2009-10-23 14:18:41 UTC (rev 5687)
@@ -0,0 +1,79 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_httpdx_server_detect.nasl 5290 2009-10-23 14:00:08Z oct $
+#
+# httpdx Server Version Detection
+#
+# Authors:
+# Nikita MR <rnikita at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(800960);
+  script_version("Revision: 1.0");
+  script_name("httpdx Server Version Detection");
+  desc = "
+  Overview : This script detects the version of installed httpdx Server
+  and saves the result in KB.
+
+  Risk factor : Informational";
+
+  script_description(desc);
+  script_family("Service detection");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 Intevation GmbH");
+  script_summary("Set the version of httpdx Server");
+  script_dependencies("find_service.nes");
+  script_require_ports("Services/www", "Services/ftp", 80, 21);
+  exit(0);
+}
+
+
+include("ftp_func.inc");
+include("http_func.inc");
+
+httpPort = get_kb_item("Services/www");
+if(!httpPort){
+  httpPort = 80;
+}
+
+ftpPort = get_kb_item("Services/ftp");
+if(!ftpPort){
+  ftpPort = 21;
+}
+
+foreach port (make_list(httpPort, ftpPort))
+{
+  if(get_port_state(port))
+  {
+    banner = get_http_banner(port:port);
+    if("httpdx" >!< banner){
+      banner = get_kb_item(string("Banner/", port));
+    }
+
+    if(!isnull(banner) && "httpdx" >< banner)
+    {
+      httpdxVer = eregmatch(pattern:"httpdx.([0-9.]+[a-z]?)", string:banner);
+      if(!isnull(httpdxVer[1])){
+        set_kb_item(name:"httpdx/" + port + "/Ver", value:httpdxVer[1]);
+      }
+    }
+  }
+}
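Review bot: In the loop on lines 501-518, `get_http_banner(port:port)` on line 505 is also issued against the FTP port, sending an HTTP request to a non-HTTP service before the stored `Banner/<port>` value is consulted; checking the KB banner first and calling `get_http_banner()` only for `httpPort` avoids the misdirected request. The `.` in the pattern `"httpdx.([0-9.]+[a-z]?)"` on line 512 matches any single character; if the banner format is known, escape or spell out the separator so an unrelated "httpdx" token is not read as a version. `script_version("Revision: 1.0")` on line 469 lacks the `$...$` keyword form used in every other file of this commit.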


Property changes on: trunk/openvas-plugins/scripts/gb_httpdx_server_detect.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_httpdx_web_server_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_httpdx_web_server_bof_vuln.nasl	2009-10-23 13:35:03 UTC (rev 5686)
+++ trunk/openvas-plugins/scripts/gb_httpdx_web_server_bof_vuln.nasl	2009-10-23 14:18:41 UTC (rev 5687)
@@ -0,0 +1,89 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_httpdx_web_server_bof_vuln.nasl 5353 2009-10-23 10:40:24Z oct $
+#
+# httpdx Web Server 'h_handlepeer()' Buffer Overflow Vulnerability
+#
+# Authors:
+# Nikita MR <rnikita at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(800962);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-2009-3711");
+  script_name("httpdx Web Server 'h_handlepeer()' Buffer Overflow Vulnerability");
+  desc = "
+  Overview: The host is running httpdx Web Server and is prone to Buffer
+  Overflow vulnerability.
+
+  Vulnerability Insight:
+  A boundary error occurs in 'h_handlepeer()' in 'http.cpp' while processing
+  overly long HTTP requests leading to buffer overflow.
+
+  Impact:
+  Remote attackers can exploit this issue to execute arbitrary code or crash
+  the server via a specially crafted request.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  httpdx Web Server version 1.4.3 and prior on windows.
+
+  Fix: Upgrade to httpdx Server version 1.4.4 or later
+  http://sourceforge.net/projects/httpdx/
+
+  References:
+  http://secunia.com/advisories/36991
+  http://www.vupen.com/english/advisories/2009/2874
+  http://www.securityfocus.com/archive/1/archive/1/507042/100/0/threaded
+
+  CVSS Score:
+    CVSS Base Score     : 10.0 (AV:N/AC:L/Au:NR/C:C/I:C/A:C)
+    CVSS Temporal Score : 7.8
+  Risk factor: High";
+
+  script_description(desc);
+  script_summary("Check for the version of httpdx Web Server");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 Intevation GmbH");
+  script_family("Buffer overflow");
+  script_dependencies("gb_httpdx_server_detect.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+httpdxPort = get_http_port(default:80);
+if(!httpdxPort){
+  exit(0);
+}
+
+httpdxVer = get_kb_item("httpdx/" + httpdxPort + "/Ver");
+if(!isnull(httpdxVer))
+{
+  # Check for versions prior to 1.4.4
+  if(version_is_less(version:httpdxVer, test_version:"1.4.4")){
+    security_hole(httpdxPort);
+  }
+}
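Review bot: `script_version("$Revision: 1.0$")` on line 560 has no space before the closing `$`, unlike the `"$Revision: 1.0 $"` form used by the other plugins in this commit; if keyword expansion is intended the spacing should match (the same applies to gb_httpdx_web_server_format_string_vuln.nasl, line 661). The lookup on line 612 relies on the `httpdx/<port>/Ver` key written by gb_httpdx_server_detect.nasl, which is only implied by the dependency line; a comment such as `# KB key is set per port by gb_httpdx_server_detect.nasl` would document that contract. The version check itself (`version_is_less(... test_version:"1.4.4")`) agrees with the Fix and Affected text.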


Property changes on: trunk/openvas-plugins/scripts/gb_httpdx_web_server_bof_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_httpdx_web_server_format_string_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_httpdx_web_server_format_string_vuln.nasl	2009-10-23 13:35:03 UTC (rev 5686)
+++ trunk/openvas-plugins/scripts/gb_httpdx_web_server_format_string_vuln.nasl	2009-10-23 14:18:41 UTC (rev 5687)
@@ -0,0 +1,107 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_httpdx_web_server_format_string_vuln.nasl 5290 2009-10-23 17:29:24Z oct $
+#
+# httpdx 'h_readrequest()' Host Header Format String Vulnerability
+#
+# Authors:
+# Nikita MR <rnikita at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(800961);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-2009-3663");
+  script_name("httpdx 'h_readrequest()' Host Header Format String Vulnerability");
+  desc = "
+  Overview: The host is running httpdx Web Server and is prone to Format String
+  vulnerability.
+
+  Vulnerability Insight:
+  A format string error exists in the 'h_readrequest()' [httpd_src/http.cpp]
+  function when processing the HTTP 'Host:' header.
+
+  Impact:
+  Successful exploitation will allow attackers to crash an affected server or
+  execute arbitrary code via a specially crafted request.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  httpdx Web Server version 1.4 and prior on windows.
+
+  Fix: Upgrade to httpdx Server version 1.4.1 or later
+  http://sourceforge.net/projects/httpdx/
+
+  References:
+  http://secunia.com/advisories/36734
+  http://www.milw0rm.com/exploits/9657
+  http://www.vupen.com/english/advisories/2009/2654
+
+  CVSS Score:
+    CVSS Base Score     : 10.0 (AV:N/AC:L/Au:NR/C:C/I:C/A:C)
+    CVSS Temporal Score : 7.8
+  Risk factor: High";
+
+  script_description(desc);
+  script_summary("Check for attack and version of httpdx Web Server");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (C) 2009 Intevation GmbH");
+  script_family("Denial of Service");
+  script_dependencies("gb_httpdx_server_detect.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+httpdxPort = get_http_port(default:80);
+if(!httpdxPort){
+  exit(0);
+}
+
+httpdxVer = get_kb_item("httpdx/" + httpdxPort + "/Ver");
+if(isnull(httpdxVer)){
+  exit(0);
+}
+
+if(!safe_checks())
+{
+  # Send the malicious string in Host header.
+  sndReq = string('GET /',' HTTP/1.1\r\n',
+                  'OpenVAS: deflate,gzip;q=0.3\r\n',
+                  'Connection: OpenVAS, close\r\n',
+                  'Host: ', crap(length: 32, data: "%s"), '\r\n',
+                  'User-Agent: OpenVAS\r\n\r\n');
+  rcvRes = http_send_recv(port:httpdxPort, data:sndReq);
+  rcvRes = http_send_recv(port:httpdxPort, data:sndReq);
+  if(isnull(rcvRes))
+  {
+    security_hole(httpdxPort);
+    exit(0);
+  }
+}
+
+# Check for versions prior to 1.4.1
+if(version_is_less(version:httpdxVer, test_version:"1.4.1")){
+  security_hole(httpdxPort);
+}
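Review bot: The active branch on lines 718-733 treats a NULL reply to the crafted request as proof of vulnerability (line 728), but `http_send_recv()` also returns NULL on a timeout or a refused/dropped connection, so this raises a critical finding on unrelated failures; confirm the service is actually down afterwards (e.g. `http_is_dead(port:httpdxPort)`, if the included http_func.inc provides it) before calling `security_hole()`. Lines 726 and 727 send the identical request twice and the first result is discarded; if the repetition is deliberate (first request triggers, second probes liveness), say so in a comment, otherwise drop one. Since this branch is destructive by design under ACT_ATTACK, the fall-through to the version comparison on line 736 when safe checks are enabled is the right structure and worth a comment on line 718 saying so.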


Property changes on: trunk/openvas-plugins/scripts/gb_httpdx_web_server_format_string_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_php_gdGetColors_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_php_gdGetColors_bof_vuln.nasl	2009-10-23 13:35:03 UTC (rev 5686)
+++ trunk/openvas-plugins/scripts/gb_php_gdGetColors_bof_vuln.nasl	2009-10-23 14:18:41 UTC (rev 5687)
@@ -0,0 +1,97 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_php_gdGetColors_bof_vuln.nasl 5387 2009-10-23 12:19:56Z oct $
+#
+# PHP '_gdGetColors()' Buffer Overflow Vulnerability
+#
+# Authors:
+# Sharath S <sharaths at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801123);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-3546");
+  script_bugtraq_id(36712);
+  script_name("PHP '_gdGetColors()' Buffer Overflow Vulnerability");
+  desc = "
+  Overview: The host is running PHP and is prone to Buffer Overflow
+  vulnerability.
+
+  Vulnerability Insight:
+  The flaw is due to error in '_gdGetColors' function in gd_gd.c which fails to
+  check certain colorsTotal structure member, whicn can be exploited to cause
+  buffer overflow or buffer over-read attacks via a crafted GD file.
+
+  Impact:
+  Successful exploitation could allow attackers to potentially compromise a
+  vulnerable system.
+
+  Impact Level: System
+
+  Affected Software/OS:
+  PHP version 5.2.x to 5.2.11 and 5.3.0 on Linux.
+
+  Fix: Apply patches from SVN repository,
+  http://svn.php.net/viewvc?view=revision&revision=289557
+
+  *****
+  NOTE: Ignore this warning if patch is already applied.
+  *****
+
+  References:
+  http://secunia.com/advisories/37080/
+  http://www.vupen.com/english/advisories/2009/2930
+  http://marc.info/?l=oss-security&m=125562113503923&w=2
+
+  CVSS Score:
+    CVSS Base Score     : 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P)
+    CVSS Temporal Score : 5.5
+  Risk factor: High";
+
+  script_description(desc);
+  script_summary("Check for the version of PHP");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 Intevation GmbH");
+  script_family("Buffer overflow");
+  script_dependencies("gb_php_detect.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+phpPort = get_http_port(default:80);
+if(!phpPort){
+  exit(0);
+}
+
+phpVer = get_kb_item("www/" + phpPort + "/PHP");
+if(phpVer)
+{
+  # Check PHP version 5.2.x through 5.2.11 or 5.3.0
+  if(version_is_equal(version:phpVer, test_version:"5.3.0")||
+     version_in_range(version:phpVer, test_version:"5.2",
+                                     test_version2:"5.2.11")){
+    security_hole(phpPort);
+  }
+}
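Review bot: The version test on lines 842-844 cannot tell a patched 5.2.11 or 5.3.0 from an unpatched one, and on distributions that backport the fix without changing the PHP version string it will keep reporting; the NOTE in the description partly says this, but the code comment on line 841 should state it too so the false-positive source is obvious to maintainers, e.g. `# Version-only check: patched builds and distro backports still match`. Whether `version_in_range(... test_version:"5.2" ...)` handles a KB value carrying a packaging suffix (a constructed example: "5.2.11-1") depends on version_func.inc, which is not visible here and worth confirming. The `||` on line 842 is jammed against the closing parenthesis; conventional spacing (`... "5.3.0") ||`) would read more easily.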


Property changes on: trunk/openvas-plugins/scripts/gb_php_gdGetColors_bof_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_pidgin_oscar_dos_vuln_oct09_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_pidgin_oscar_dos_vuln_oct09_lin.nasl	2009-10-23 13:35:03 UTC (rev 5686)
+++ trunk/openvas-plugins/scripts/gb_pidgin_oscar_dos_vuln_oct09_lin.nasl	2009-10-23 14:18:41 UTC (rev 5687)
@@ -0,0 +1,84 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_pidgin_oscar_dos_vuln_oct09_lin.nasl 5395 2009-10-22 20:13:17Z oct $
+#
+# Pidgin Oscar Protocol Denial of Service Vulnerability (Linux)
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801031);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-3615");
+  script_bugtraq_id(36719);
+  script_name("Pidgin Oscar Protocol Denial of Service Vulnerability (Linux)");
+  desc = "
+  Overview: This host has Pidgin installed and is prone to Denial of Service
+  vulnerability.
+
+  Vulnerability Insight:
+  This issue is caused by an error in the Oscar protocol plugin when processing
+  malformed ICQ or AIM contacts sent by the SIM IM client, which could cause an
+  invalid memory access leading to a crash.
+
+  Impact:
+  Successful exploitation will let the attacker to cause a Denial of Service.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Pidgin version prior to 2.6.3 on Linux.
+
+  Fix: Upgrade to Pidgin version 2.6.3
+  http://pidgin.im/download
+
+  References:
+  http://secunia.com/advisories/37072
+  http://xforce.iss.net/xforce/xfdb/53807
+  http://www.pidgin.im/news/security/?id=41
+  http://developer.pidgin.im/wiki/ChangeLog
+
+  CVSS Score:
+    CVSS Base Score     : 5.0 (AV:N/AC:L/Au:NR/C:N/I:N/A:P)
+    CVSS Temporal Score : 3.7
+  Risk factor: Medium";
+
+  script_description(desc);
+  script_summary("Check for the version of Pidgin");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 Intevation GmbH");
+  script_family("Denial of Service");
+  script_dependencies("secpod_pidgin_detect_lin.nasl");
+  script_require_keys("Pidgin/Lin/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+pidginVer = get_kb_item("Pidgin/Lin/Ver");
+if(pidginVer != NULL)
+{
+  if(version_is_less(version:pidginVer, test_version:"2.6.3")){
+    security_warning(0);
+  }
+}
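Review bot: The `pidginVer != NULL` guard at the end of the hunk is redundant with `script_require_keys("Pidgin/Lin/Ver")` on the registration side, which should already keep the script from running when that key is absent; the same pattern appears in gb_pidgin_oscar_dos_vuln_oct09_win.nasl. What the check body lacks is a comment on the limits of a version-only test, since Linux distribution builds that backport the 2.6.3 fix still report an older version; suggest `# version-only check: distro packages that backport the fix may still report < 2.6.3 (possible false positive)` above the `version_is_less` call. The `$Id:` header (revision 5395, 2009-10-22) also predates this commit, which looks like a copied rather than freshly expanded keyword.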


Property changes on: trunk/openvas-plugins/scripts/gb_pidgin_oscar_dos_vuln_oct09_lin.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_pidgin_oscar_dos_vuln_oct09_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_pidgin_oscar_dos_vuln_oct09_win.nasl	2009-10-23 13:35:03 UTC (rev 5686)
+++ trunk/openvas-plugins/scripts/gb_pidgin_oscar_dos_vuln_oct09_win.nasl	2009-10-23 14:18:41 UTC (rev 5687)
@@ -0,0 +1,84 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_pidgin_oscar_dos_vuln_oct09_win.nasl 5395 2009-10-22 21:53:17Z oct $
+#
+# Pidgin Oscar Protocol Denial of Service Vulnerability (Win)
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(801030);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-3615");
+  script_bugtraq_id(36719);
+  script_name("Pidgin Oscar Protocol Denial of Service Vulnerability (Win)");
+  desc = "
+  Overview: This host has Pidgin installed and is prone to Denial of Service
+  vulnerability.
+
+  Vulnerability Insight:
+  This issue is caused by an error in the Oscar protocol plugin when processing
+  malformed ICQ or AIM contacts sent by the SIM IM client, which could cause an
+  invalid memory access leading to a crash.
+
+  Impact:
+  Successful exploitation will let the attacker to cause a Denial of Service.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Pidgin version prior to 2.6.3 on Windows.
+
+  Fix: Upgrade to Pidgin version 2.6.3
+  http://pidgin.im/download
+
+  References:
+  http://secunia.com/advisories/37072
+  http://xforce.iss.net/xforce/xfdb/53807
+  http://www.pidgin.im/news/security/?id=41
+  http://developer.pidgin.im/wiki/ChangeLog
+
+  CVSS Score:
+    CVSS Base Score     : 5.0 (AV:N/AC:L/Au:NR/C:N/I:N/A:P)
+    CVSS Temporal Score : 3.7
+  Risk factor: Medium";
+
+  script_description(desc);
+  script_summary("Check for the version of Pidgin");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 Intevation GmbH");
+  script_family("Denial of Service");
+  script_dependencies("secpod_pidgin_detect_win.nasl");
+  script_require_keys("Pidgin/Win/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+pidginVer = get_kb_item("Pidgin/Win/Ver");
+if(pidginVer != NULL)
+{
+  if(version_is_less(version:pidginVer, test_version:"2.6.3")){
+    security_warning(0);
+  }
+}


Property changes on: trunk/openvas-plugins/scripts/gb_pidgin_oscar_dos_vuln_oct09_win.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/gb_zoiper_empty_callinfo_dos_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_zoiper_empty_callinfo_dos_vuln.nasl	2009-10-23 13:35:03 UTC (rev 5686)
+++ trunk/openvas-plugins/scripts/gb_zoiper_empty_callinfo_dos_vuln.nasl	2009-10-23 14:18:41 UTC (rev 5687)
@@ -0,0 +1,104 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_zoiper_empty_callinfo_dos_vuln.nasl 5355 2009-10-23 16:48:26Z oct $
+#
+# ZoIPer Empty Call-Info Denial of Service Vulnerability
+#
+# Authors:
+# Nikita MR <rnikita at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 Intevation GmbH, http://www.intevation.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(800963);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-3704");
+  script_name("ZoIPer Empty Call-Info Denial of Service Vulnerability");
+  desc = "
+  Overview: This host is running ZoIPer and is prone to Denial of Service
+  vulnerability.
+
+  Vulnerability Insight:
+  The flaw is due to an error while handling specially crafted SIP INVITE
+  messages which contain an empty Call-Info header.
+
+  Impact:
+  Successful exploitation will let the attackers to cause the service to crash.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  ZoIPer version prior to 2.24 (Windows) and 2.13 (Linux)
+
+  Fix: Upgrade to ZoIPer version 2.24 (Windows) and 2.13 (Linux) or later,
+  http://www.zoiper.com/zoiper.php
+
+  References:
+  http://secunia.com/advisories/37015
+  http://xforce.iss.net/xforce/xfdb/53792
+  http://packetstormsecurity.org/0910-exploits/zoiper_dos.py.txt
+
+  CVSS Score:
+    CVSS Base Score     : 5.0 (AV:N/AC:L/Au:NR/C:N/I:N/A:P)
+    CVSS Temporal Score : 3.9
+  Risk factor: Medium";
+
+  script_description(desc);
+  script_summary("Check for DoS attack on ZoIPer");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (C) 2009 Intevation GmbH");
+  script_family("Denial of Service");
+  exit(0);
+}
+
+
+include("sip.inc");
+
+zoiperPort = 5060;
+if(!get_udp_port_state(zoiperPort)){
+  exit(0);
+}
+
+banner = get_sip_banner(port:zoiperPort);
+if("Zoiper" >!< banner || safe_checks()){
+  exit(0);
+}
+
+soc1 = open_sock_udp(zoiperPort);
+if(soc1)
+{
+  sndReq = string("INVITE sip:openvas at 10.0.0.1 SIP/2.0","\r\n",
+           "Via: SIP/2.0/UDP ", get_host_name(), ".131:1298;branch=z9hG4bKJRnTggvMGl-6233","\r\n",
+           "Max-Forwards: 70","\r\n",
+           "From: OpenVAS <sip:OpenVAS@", get_host_name(),".131>;tag=f7mXZqgqZy-6233","\r\n",
+           "To: openvas <sip:openvas at 10.0.0.1>","\r\n",
+           "Call-ID: wSHhHjng99-6233@", get_host_name(),".131","\r\n",
+           "CSeq: 6233 INVITE","\r\n",
+           "Contact: <sip:OpenVAS@", get_host_name(),".131>","\r\n",
+           "Content-Type: application/sdp","\r\n",
+           "Call-Info:","\r\n",
+           "Content-Length: 125","\r\n\r\n");
+
+  send(socket:soc1, data:sndReq);
+  close(soc1);
+  banner = get_sip_banner(port:zoiperPort);
+  if(isnull(banner)){
+    security_hole(port:5060, proto:"udp");
+  }
+}
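Review bot: `security_hole(port:5060, proto:"udp")` hard-codes the port although `zoiperPort` already holds it, and it reports High severity while the description rates the issue Medium (CVSS 5.0); the Pidgin scripts in this commit use `security_warning` for the same rating, so `security_warning(port:zoiperPort, proto:"udp");` would be consistent. The result is also decided by a single `isnull(banner)` after one UDP probe, so a dropped datagram or a slow responder is reported as a crash; a comment such as `# single UDP probe: a lost reply is indistinguishable from a crash (false-positive risk)` would at least document that. The `safe_checks()` gate is correct for an ACT_ATTACK script, but it would read better placed before the banner fetch so the probe is skipped as early as possible.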


Property changes on: trunk/openvas-plugins/scripts/gb_zoiper_empty_callinfo_dos_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *



More information about the Openvas-commits mailing list