[Openvas-commits] r5765 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Sat Oct 31 09:54:04 CET 2009


Author: chandra
Date: 2009-10-31 09:54:01 +0100 (Sat, 31 Oct 2009)
New Revision: 5765

Added:
   trunk/openvas-plugins/scripts/secpod_efront_detect.nasl
   trunk/openvas-plugins/scripts/secpod_efront_rfi_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_formmax_bof_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_formmax_detect.nasl
   trunk/openvas-plugins/scripts/secpod_nullam_blog_mult_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_qemu_detect_lin.nasl
   trunk/openvas-plugins/scripts/secpod_qemu_vnc_dos_vuln_lin.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/cve_current.txt
Log:
Added new plugins

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2009-10-30 23:47:45 UTC (rev 5764)
+++ trunk/openvas-plugins/ChangeLog	2009-10-31 08:54:01 UTC (rev 5765)
@@ -1,3 +1,14 @@
+2009-10-31  Chandrashekhar B <bchandra at secpod.com>
+
+	* scripts/secpod_efront_rfi_vuln.nasl,
+	scripts/secpod_formmax_detect.nasl,
+	scripts/secpod_nullam_blog_mult_vuln.nasl,
+	scripts/secpod_efront_detect.nasl,
+	scripts/secpod_qemu_vnc_dos_vuln_lin.nasl,
+	scripts/secpod_formmax_bof_vuln.nasl,
+	scripts/secpod_qemu_detect_lin.nasl:
+	Added new plugins.
+
 2009-10-30 Michael Meyer <michael.meyer at intevation.de>
 
 	* scripts/gb_sun_java_web_porxy_svr_vuln_lin.nasl:

Modified: trunk/openvas-plugins/cve_current.txt
===================================================================
--- trunk/openvas-plugins/cve_current.txt	2009-10-30 23:47:45 UTC (rev 5764)
+++ trunk/openvas-plugins/cve_current.txt	2009-10-31 08:54:01 UTC (rev 5765)
@@ -189,7 +189,7 @@
 CVE-2009-2281			SecPod
 CVE-2009-3767			SecPod
 CVE-2009-3622			SecPod		svn		R
-CVE-2009-3616			SecPod
+CVE-2009-3616			SecPod		svn		L
 CVE-2009-3753			SecPod
 CVE-2009-3752			SecPod
 CVE-2009-3751			SecPod
@@ -200,7 +200,7 @@
 36814				Greenbone	svn		R
 36821				Greenbone	svn		R
 36820				Greenbone	svn		R
-CVE-2009-3660 			SecPod
+CVE-2009-3660 			SecPod		svn		R
 CVE-2009-3714			SecPod		svn		R
 CVE-2009-3715			SecPod		svn		R
 CVE-2009-2911			SecPod		svn		L
@@ -209,3 +209,4 @@
 36830				Greenbone	svn		R
 36833				Greenbone	svn		R
 36874				Greenbone	svn		R
+CVE-2009-3790			SecPod		svn		L

Added: trunk/openvas-plugins/scripts/secpod_efront_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_efront_detect.nasl	2009-10-30 23:47:45 UTC (rev 5764)
+++ trunk/openvas-plugins/scripts/secpod_efront_detect.nasl	2009-10-31 08:54:01 UTC (rev 5765)
@@ -0,0 +1,70 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_efront_detect.nasl 5289 2009-10-30 11:38:29Z oct $
+#
+# eFront Version Detection
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+################################################################################
+
+if(description)
+{
+  script_id(901044);
+  script_version("$Revision: 1.0 $");
+  script_name("eFront Version Detection");
+  desc = "
+  Overview: This script detects the installed Efront version and sets
+  the result in KB.
+
+  Risk factor:Informational";
+
+  script_description(desc);
+  script_summary("Set KB for the version of eFront");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 SecPod");
+  script_family("Service detection");
+  script_dependencies("http_version.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+efrontPort = get_http_port(default:80);
+if(!efrontPort){
+  exit(0);
+}
+
+foreach dir (make_list("/", "/eFront", cgi_dirs()))
+{
+  sndReq = http_get(item:string(dir, "/www/index.php"), port:efrontPort);
+  rcvRes = http_send_recv(port:efrontPort, data:sndReq);
+
+  if(("eFront" >< rcvRes) && ("Login" >< rcvRes))
+  {
+    efrontVer = eregmatch(pattern:"version ([0-9.]+)", string:rcvRes);
+    if(efrontVer[1] != NULL){
+      set_kb_item(name:"www/"+ efrontPort + "/eFront",
+                  value:efrontVer[1] + " under " + dir);
+    }
+  }
+}

Added: trunk/openvas-plugins/scripts/secpod_efront_rfi_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_efront_rfi_vuln.nasl	2009-10-30 23:47:45 UTC (rev 5764)
+++ trunk/openvas-plugins/scripts/secpod_efront_rfi_vuln.nasl	2009-10-31 08:54:01 UTC (rev 5765)
@@ -0,0 +1,114 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_efront_rfi_vuln.nasl 5289 2009-10-30 09:56:24Z oct $
+#
+# eFront 'database.php' Remote File Inclusion Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(901045);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-2009-3660");
+  script_bugtraq_id(36411);
+  script_name("eFront 'database.php' Remote File Inclusion Vulnerability");
+  desc = "
+  Overview: This host is running eFront and is prone to Remote File Inclusion
+  vulnerability.
+
+  Vulnerability Insight:
+  The flaw is due to improper validation of user supplied data and can be
+  exploited via 'path' parameter in 'libraries/database.php' to include and
+  execute remote files on the affected system.
+
+  Impact:
+  Successful exploitation will let the attacker to execute arbitrary code on the
+  vulnerable Web server.
+
+  Impact level: Application.
+
+  Affected Software/OS:
+  eFront version 3.5.4 and prior.
+
+  Fix: Apply the patch from below link.
+  http://svn.efrontlearning.net/repos/efront/trunc/libraries/database.php
+
+  *****
+  NOTE: Please ignore this warning if the patch is already applied.
+  *****
+
+  References:
+  http://www.milw0rm.com/exploits/9681
+  http://forum.efrontlearning.net/viewtopic.php?f=1&t=1354&p=7174#p7174
+
+  CVSS Score:
+    CVSS Base Score      : 6.8 (AV:N/AC:M/Au:NR/C:P/I:P/A:P)
+    CVSS Temporal Score  : 5.5
+  Risk factor : High";
+
+  script_description(desc);
+  script_summary("Check the version and attempt a mild attack on eFront");
+  script_category(ACT_MIXED_ATTACK);
+  script_copyright("Copyright (C) 2009 SecPod");
+  script_family("Web application abuses");
+  script_dependencies("secpod_efront_detect.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+efrontPort = get_http_port(default:80);
+if(!efrontPort){
+  exit(0);
+}
+
+efrontVer = get_kb_item("www/" + efrontPort + "/eFront");
+efrontVer = eregmatch(pattern:"^(.+) under (/.*)$", string:efrontVer);
+
+if((efrontVer[2] != NULL) && (!safe_checks()))
+{
+  sndReq = http_get(item:string(efrontVer[2], "/libraries/database.php"),
+                    port:efrontPort);
+  rcvRes = http_send_recv(port:efrontPort, data:sndReq);
+  if("403 Forbidden" >!<  rcvRes)
+  {
+    sndReq = http_get(item:string(efrontVer[2], "/libraries/database.php?"+
+             "path=xyz/OpenVAS-RemoteFileInclusion.txt"), port:efrontPort);
+    rcvRes = http_send_recv(port:efrontPort, data:sndReq);
+
+    if("xyz/OpenVAS-RemoteFileInclusion.txtadodb/adodb.inc.php" >< rcvRes)
+    {
+      security_hole(efrontPort);
+      exit(0);
+    }
+  }
+}
+
+if(efrontVer[1] != NULL)
+{
+  if(version_is_less_equal(version:efrontVer[1], test_version:"3.5.4")){
+    security_hole(efrontPort);
+  }
+}


Property changes on: trunk/openvas-plugins/scripts/secpod_efront_rfi_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_formmax_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_formmax_bof_vuln.nasl	2009-10-30 23:47:45 UTC (rev 5764)
+++ trunk/openvas-plugins/scripts/secpod_formmax_bof_vuln.nasl	2009-10-31 08:54:01 UTC (rev 5765)
@@ -0,0 +1,84 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_formmax_bof_vuln.nasl 5501 2009-10-30 18:11:45Z oct $
+#
+# FormMax Buffer Overflow Vulnerability
+#
+# Authors:
+# Nikita MR <rnikita at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(900972);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-3790");
+  script_name("FormMax Buffer Overflow Vulnerability");
+  desc = "
+  Overview: The host is installed with FormMax and is prone to Buffer
+  Overflow Vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to boundary error while processing malicious '.aim'
+  import files leading to heap-based buffer overflow.
+
+  Impact:
+  Attackers can exploit this issue by executing arbitrary code in the context
+  of an affected application.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  FormMax version 3.5 and prior
+
+  Fix: No solution or patch is available as on 30th October, 2009. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.cutepdf.com/products/FormMax/
+
+  References:
+  http://osvdb.org/59079
+  http://secunia.com/advisories/36943
+  http://xforce.iss.net/xforce/xfdb/53890
+
+  CVSS Score:
+    CVSS Base Score     : 9.3 (AV:N/AC:M/Au:NR/C:C/I:C/A:C)
+    CVSS Temporal Score : 7.9
+  Risk factor: High";
+
+  script_description(desc);
+  script_summary("Check for the version of FormMax");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 SecPod");
+  script_family("Buffer overflow");
+  script_dependencies("secpod_formmax_detect.nasl");
+  script_require_keys("FormMax/Evaluation/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+fmVer = get_kb_item("FormMax/Evaluation/Ver");
+if(!fmVer){
+  exit(0);
+}
+
+if(version_is_less_equal(version:fmVer, test_version:"3.5")){
+  security_hole(0);
+}


Property changes on: trunk/openvas-plugins/scripts/secpod_formmax_bof_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_formmax_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_formmax_detect.nasl	2009-10-30 23:47:45 UTC (rev 5764)
+++ trunk/openvas-plugins/scripts/secpod_formmax_detect.nasl	2009-10-31 08:54:01 UTC (rev 5765)
@@ -0,0 +1,72 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_frommax_detect.nasl 5501 2009-10-30 15:24:29Z oct $
+#
+# FormMax Version Detection
+#
+# Authors:
+# Nikita MR <rnikita at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(900971);
+  script_version("$Revision: 1.0 $");
+  script_name("FormMax Version Detection");
+  desc = "
+  Overview: This script detects the installed version of FormMax and
+  sets the result in KB.
+
+  Risk Factor: Informational";
+
+  script_description(desc);
+  script_summary("Set KB for the version of FormMax");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 SecPod");
+  script_family("Service detection");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_keys("SMB/WindowsVersion");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
+
+if(!registry_key_exists(key:"SOFTWARE\Acro Software\FormMax Evaluation")){
+  exit(0);
+}
+
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+foreach item (registry_enum_keys(key:key))
+{
+  fmName = registry_get_sz(key:key + item, item:"DisplayName");
+  if("FormMax" >< fmName)
+  {
+    fmVer = eregmatch(pattern:"FormMax.+([0-9]\.[0-9.]+)", string:fmName);
+    if(fmVer[1] != NULL){
+      set_kb_item(name:"FormMax/Evaluation/Ver", value:fmVer[1]);
+    }
+  }
+}


Property changes on: trunk/openvas-plugins/scripts/secpod_formmax_detect.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_nullam_blog_mult_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_nullam_blog_mult_vuln.nasl	2009-10-30 23:47:45 UTC (rev 5764)
+++ trunk/openvas-plugins/scripts/secpod_nullam_blog_mult_vuln.nasl	2009-10-31 08:54:01 UTC (rev 5765)
@@ -0,0 +1,125 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_nullam_blog_mult_vuln.nasl 5292 2009-10-30 15:07:29Z oct $
+#
+# Nullam Blog Multiple Vulnerabilities
+#
+# Authors:
+# Sharath S <sharaths at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(900888);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-3664", "CVE-2009-3665", "CVE-2009-3666");
+  script_name("Nullam Blog Multiple Vulnerabilities");
+  desc = "
+  Overview: This host is running Nullam Blog and is prone to multiple
+  vulnerabilities.
+
+  Vulnerability Insight:
+  - Input passed to the 'p' and 's' parameter in index.php is not properly
+    verified before being used to include files. This can be exploited to
+    include arbitrary files from local resources.
+  - Input passed to the 'i' and 'v' parameter in index.php is not properly
+    sanitised before being used in SQL queries. This can be exploited to
+    manipulate SQL queries by injecting arbitrary SQL code.
+  - Input passed to the 'e' parameter in index.php is not properly sanitised
+    before being returned to the user. This can be exploited to execute
+    arbitrary HTML and script code in a user's browser session in the context
+    of an affected site.
+
+  Impact:
+  Successful exploitation will let the attacker to disclose sensitive information
+  and conduct cross-site scripting and SQL injection attacks.
+
+  Impact Level: System/Application.
+
+  Affected Software/OS:
+  Nullam Blog version prior to 0.1.3 on Linux.
+
+  Fix: Upgrade to Nullam Blog version 0.1.3
+  http://sourceforge.net/projects/nullam/
+
+  References:
+  http://secunia.com/advisories/36648
+  http://www.milw0rm.com/exploits/9625
+  http://xforce.iss.net/xforce/xfdb/53217
+
+  CVSS Score:
+    CVSS Base Score     : 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P)
+    CVSS Temporal Score : 5.9
+  Risk factor: High";
+
+  script_description(desc);
+  script_summary("Check through a mild verification attack on Nullam Blog");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (C) 2009 SecPod");
+  script_family("Web application abuses");
+  script_dependencies("http_version.nasl", "find_service.nes");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+
+nullamPort = get_http_port(default:80);
+if(!nullamPort){
+  nullamPort = 80;
+}
+
+if(!get_port_state(nullamPort)){
+  exit(0);
+}
+
+if(!safe_checks())
+{
+  foreach dir (make_list("/", "/nullam", "/blog", cgi_dirs()))
+  {
+    sndReq1 = http_get(item:string(dir, "/index.php"), port:nullamPort);
+    rcvRes1 = http_send_recv(port:nullamPort, data:sndReq1);
+    if("<title>Nullam</title>" >< rcvRes1 &&
+     egrep(pattern:"^HTTP/.* 200 OK",string:rcvRes1))
+    {
+      foreach item (make_list("s", "p"))
+      {
+        sndReq2 = http_get(item:string(dir, "/index.php?", item, "=../../.." +
+                           "/../../../etc/passwd%00"), port:nullamPort);
+        rcvRes2 = http_send_recv(port:nullamPort, data:sndReq2);
+        if(egrep(pattern:".*root:.*:0:[01]:.*", string:rcvRes2))
+        {
+          security_hole(nullamPort);
+          exit(0);
+        }
+      }
+
+      sndReq3 = http_get(item:string(dir, "/index.php?p=error&e=<script>alert" +
+                  "('OpenVAS-SQL-Injection-Test');</script>"), port:nullamPort);
+      rcvRes3 = http_send_recv(port:nullamPort, data:sndReq3);
+      if("<script>alert('OpenVAS-SQL-Injection-Test');</script>" >< rcvRes3)
+      {
+        security_hole(nullamPort);
+        exit(0);
+      }
+    }
+  }
+}


Property changes on: trunk/openvas-plugins/scripts/secpod_nullam_blog_mult_vuln.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_qemu_detect_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_qemu_detect_lin.nasl	2009-10-30 23:47:45 UTC (rev 5764)
+++ trunk/openvas-plugins/scripts/secpod_qemu_detect_lin.nasl	2009-10-31 08:54:01 UTC (rev 5765)
@@ -0,0 +1,68 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_qemu_detect_lin.nasl 5475 2009-10-30 17:40:29Z oct $
+#
+# QEMU Version Detection (Linux)
+#
+# Authors:
+# Nikita MR <rnikita at secpod.com>
+#
+# Copyright:
+# Copyright (c) SecPod http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(900969);
+  script_version("$Revision: 1.0 $");
+  script_name("QEMU Version Detection (Linux)");
+  desc = "
+  Overview: This script is detects the installed version of QEMU and
+  sets the result in KB.
+
+  Risk factor: Informational";
+
+  script_description(desc);
+  script_summary("Set KB for the version of QEMU");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 SecPod");
+  script_family("Service detection");
+  exit(0);
+}
+
+
+include("ssh_func.inc");
+include("version_func.inc");
+
+qemuSock = ssh_login_or_reuse_connection();
+if(!qemuSock){
+  exit(0);
+}
+
+qemuName = find_file(file_name:"qemu", file_path:"/", useregex:TRUE,
+                     regexpar:"$", sock:qemuSock);
+
+foreach binaryName (qemuName)
+{
+  binaryName = chomp(binaryName);
+  qemuVer = get_bin_version(full_prog_name:binaryName, sock:qemuSock,
+                            version_argv:"-help",
+                            ver_pattern:"QEMU PC emulator version ([0-9.]+)");
+  if(qemuVer[1] != NULL){
+    set_kb_item(name:"QEMU/Lin/Ver", value:qemuVer[1]);
+  }
+}
+ssh_close_connection();


Property changes on: trunk/openvas-plugins/scripts/secpod_qemu_detect_lin.nasl
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/openvas-plugins/scripts/secpod_qemu_vnc_dos_vuln_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_qemu_vnc_dos_vuln_lin.nasl	2009-10-30 23:47:45 UTC (rev 5764)
+++ trunk/openvas-plugins/scripts/secpod_qemu_vnc_dos_vuln_lin.nasl	2009-10-31 08:54:01 UTC (rev 5765)
@@ -0,0 +1,88 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_qemu_vnc_dos_vuln_lin.nasl 5475 2009-10-30 18:52:41Z oct $
+#
+# QEMU VNC Server Denial of Service Vulnerability (Linux)
+#
+# Authors:
+# Nikita MR <rnikita at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2009 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(900970);
+  script_version("$Revision: 1.0 $");
+  script_cve_id("CVE-2009-3616");
+  script_bugtraq_id(36716);
+  script_name("QEMU VNC Server Denial of Service Vulnerability (Linux)");
+  desc = "
+  Overview: This host is running QEMU and is prone to Denial of Service
+  vulnerability.
+
+  Vulnerability Insight:
+  Multiple use-after-free errors occur in 'vnc.c' in VNC server while processing
+  malicious 'SetEncodings' messages sent via VNC client.
+
+  Impact:
+  Successful exploitation will let the attacker cause memory or CPU consumption,
+  resulting in Denial of Service condition.
+
+  Impact level: Application/System
+
+  Affected Software/OS:
+  QEMU version 0.10.6 and prior on Linux.
+
+  Fix: Apply the available patches.
+  http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=753b405331
+  http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=198a0039c5
+
+  *****
+  NOTE: Ignore this warning if the above mentioned patches is already applied.
+  *****
+
+  References:
+  https://bugzilla.redhat.com/show_bug.cgi?id=505641
+  http://www.openwall.com/lists/oss-security/2009/10/16/8
+
+  CVSS Score:
+    CVSS Base Score     : 8.5 (AV:N/AC:M/Au:SI/C:C/I:C/A:C)
+    CVSS Temporal Score : 6.9
+  Risk factor: High";
+
+  script_description(desc);
+  script_summary("Check for the version of QEMU");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2009 SecPod");
+  script_family("Buffer overflow");
+  script_dependencies("secpod_qemu_detect_lin.nasl");
+  script_require_keys("QEMU/Lin/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+vncVer = get_kb_item("QEMU/Lin/Ver");
+if(vncVer)
+{
+  # Grep for QEMU version <= 0.10.6
+  if(version_is_less_equal(version:vncVer, test_version:"0.10.6")){
+    security_hole(0);
+  }
+}


Property changes on: trunk/openvas-plugins/scripts/secpod_qemu_vnc_dos_vuln_lin.nasl
___________________________________________________________________
Name: svn:executable
   + *



More information about the Openvas-commits mailing list