[Openvas-commits] r11605 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Tue Sep 13 07:51:48 CEST 2011
Author: veerendragg
Date: 2011-09-13 07:51:43 +0200 (Tue, 13 Sep 2011)
New Revision: 11605
Added:
trunk/openvas-plugins/scripts/gb_sunway_force_control_webserver_bof_vuln.nasl
trunk/openvas-plugins/scripts/gb_tcptrack_detect.nasl
trunk/openvas-plugins/scripts/gb_tcptrack_long_command_bof_vuln.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/cpe.inc
Log:
Added new CPEs.
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2011-09-13 05:43:30 UTC (rev 11604)
+++ trunk/openvas-plugins/ChangeLog 2011-09-13 05:51:43 UTC (rev 11605)
@@ -1,3 +1,13 @@
+2011-09-13 Veerendra G.G <veerendragg at secpod.com>
+
+ * scripts/gb_tcptrack_long_command_bof_vuln.nasl
+ scripts/gb_tcptrack_detect.nasl
+ scripts/gb_sunway_force_control_webserver_bof_vuln.nasl:
+ Added new plugins.
+
+ * scripts/cpe.inc:
+ Added new CPEs.
+
2011-09-12 Michael Meyer <michael.meyer at greenbone.net>
* scripts/gb_ubuntu_USN_672_1.nasl,
Modified: trunk/openvas-plugins/scripts/cpe.inc
===================================================================
--- trunk/openvas-plugins/scripts/cpe.inc 2011-09-13 05:43:30 UTC (rev 11604)
+++ trunk/openvas-plugins/scripts/cpe.inc 2011-09-13 05:51:43 UTC (rev 11605)
@@ -926,7 +926,8 @@
"McAfee/SaaS/Win/Ver", "^([0-9.]+)", "cpe:/a:mcafee:saas_endpoint_protection:",
"Adobe/Flash/Player/MacOSX/Version", "^([0-9.]+)", "cpe:/a:adobe:flash_player:",
"Adobe/Air/MacOSX/Version", "^([0-9.]+)", "cpe:/a:adobe:adobe_air:",
-"RealPlayer/MacOSX/Version", "^([0-9.]+)", "cpe:/a:realnetworks:realplayer:"
+"RealPlayer/MacOSX/Version", "^([0-9.]+)", "cpe:/a:realnetworks:realplayer:",
+"Tcptrack/Ver", "^([0-9.]+)", "cpe:/a:rhythm:tcptrack:"
);
Added: trunk/openvas-plugins/scripts/gb_sunway_force_control_webserver_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_sunway_force_control_webserver_bof_vuln.nasl 2011-09-13 05:43:30 UTC (rev 11604)
+++ trunk/openvas-plugins/scripts/gb_sunway_force_control_webserver_bof_vuln.nasl 2011-09-13 05:51:43 UTC (rev 11605)
@@ -0,0 +1,115 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_sunway_force_control_webserver_bof_vuln.nasl 16413 2011-09-08 13:25:24Z sep $
+#
+# Sunway ForceControl WebServer 'httpsvr.exe' Buffer Overflow Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(802156);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2011-2960");
+ script_bugtraq_id(48328);
+ script_tag(name:"cvss_base", value:"10.0");
+ script_tag(name:"risk_factor", value:"Critical");
+ script_name("Sunway ForceControl WebServer 'httpsvr.exe' Buffer Overflow Vulnerability");
+ desc = "
+ Overview: This host is installed with Sunway ForceControl and is prone to
+ buffer overflow vulnerability.
+
+ Vulnerability Insight:
+ The flaw exists due to an error in the WebServer component (httpsvr.exe) and
+ can be exploited to cause a heap-based buffer overflow via a specially
+ crafted URL sent in a web request.
+
+ Impact:
+ Successful exploitation will allow remote attackers to cause denial of
+ service or execute arbitrary code.
+
+ Impact Level: System/Application
+
+ Affected Software :
+ Sunway ForceControl 6.1 SP1, SP2, and SP3.
+
+ Fix: No solution or patch is available as on 9th September, 2011. Information
+ regarding this issue will be updated once the solution details are available.
+ For updates refer, http://www.sunwayland.com.cn/pro.asp
+
+ References:
+ http://osvdb.org/73124
+ http://secunia.com/advisories/45033
+ http://www.exploit-db.com/exploits/17721/
+ http://www.cnvd.org.cn/vulnerability/CNVD-2011-05347
+ http://www.sunwayland.com.cn/news_info_.asp?Nid=3593
+ http://www.us-cert.gov/control_systems/pdf/ICSA-11-167-01.pdf ";
+
+ script_description(desc);
+ script_summary("Check for the version of Sunway ForceControl httpsvr.exe");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+ script_family("Buffer overflow");
+ script_dependencies("secpod_reg_enum.nasl");
+ script_require_keys("SMB/WindowsVersion");
+ exit(0);
+}
+
+
+include("smb_nt.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+if(!get_kb_item("SMB/WindowsVersion")){
+ exit(0);
+}
+
+key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+if(!registry_key_exists(key:key)){
+ exit(0);
+}
+
+foreach item (registry_enum_keys(key:key))
+{
+ ## Check for Sunway ForceControl DisplayName
+ sunName = registry_get_sz(key:key + item, item:"DisplayName");
+ if("Forcecontrol" >< sunName)
+ {
+ ## Get the version of Sunway ForceControl
+ sunVer = registry_get_sz(key:key + item, item:"DisplayVersion");
+ if("6.1" >< sunVer)
+ {
+ ## Get the path of httpsvr.exe
+ exePath = registry_get_sz(key:key + item, item:"InstallLocation");
+ if(!isnull(exePath))
+ {
+ httpVer = fetch_file_version(sysPath:exePath, file_name:"httpsvr.exe");
+ if(httpVer != NULL)
+ {
+ ## Check for httpsvr.exe version <= 6.0.5.3
+ if(version_is_less_equal(version:httpVer, test_version:"6.0.5.3")){
+ security_hole(0) ;
+ }
+ }
+ }
+ }
+ }
+}
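Review bot: The `"6.1" >< sunVer` test on the DisplayVersion line is a plain substring match, so any version string that merely contains "6.1" (16.1, 6.10, …) passes the gate before the httpsvr.exe check; an anchored match such as `if(sunVer =~ "^6\.1")` expresses the intended 6.1-branch condition. The `httpVer != NULL` check a few lines later is better written with the `isnull()` helper the same block already uses for exePath, `if(!isnull(httpVer))`, so the two null checks read consistently. After `security_hole(0)` the foreach keeps iterating over the remaining uninstall keys, so a host with several matching entries may be reported more than once; an `exit(0)` following the report would avoid duplicate findings.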
Added: trunk/openvas-plugins/scripts/gb_tcptrack_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_tcptrack_detect.nasl 2011-09-13 05:43:30 UTC (rev 11604)
+++ trunk/openvas-plugins/scripts/gb_tcptrack_detect.nasl 2011-09-13 05:51:43 UTC (rev 11605)
@@ -0,0 +1,82 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_tcptrack_detect.nasl 16972 2011-09-12 09:32:36Z sep $
+#
+# Tcptrack Version Detection
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(801972);
+ script_version("$Revision: 1.0$");
+ script_tag(name:"risk_factor", value:"None");
+ script_name("Tcptrack Version Detection");
+ desc = "
+ Overview: This script finds the Tcptrack installed version and saves
+ the version in KB. ";
+
+ script_description(desc);
+ script_summary("Set the Version of Tcptrack in KB");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+ script_family("Service detection");
+ exit(0);
+}
+
+
+include("ssh_func.inc");
+include("version_func.inc");
+
+sock = ssh_login_or_reuse_connection();
+if(!sock){
+ exit(0);
+}
+
+## Confirm Linux, as SSH can be installed on Windows as well
+result = ssh_cmd(socket:sock, cmd:"uname");
+if("Linux" >!< result){
+ exit(0);
+}
+
+## Get the file location
+tcptName = find_file(file_name:"tcptrack", file_path:"/", useregex:TRUE,
+ regexpar:"$", sock:sock);
+
+## Check for the each path
+if(tcptName)
+{
+ foreach binaryName (tcptName)
+ {
+ ## Get the version
+ tcptVer = get_bin_version(full_prog_name:chomp(binaryName),
+ version_argv:"-v", ver_pattern:"tcptrack v([0-9.]+)",sock:sock);
+ if(tcptVer)
+ {
+ ## Set the version in kb
+ set_kb_item(name:"Tcptrack/Ver", value:tcptVer[1]);
+ security_note(data:"Tcptrack version " + sharkVer[1] +
+ " installed at location " + binaryName + " was detected on the host");
+ ssh_close_connection();
+ }
+ }
+ ssh_close_connection();
+}
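Review bot: The security_note message references `sharkVer[1]`, a variable this script never defines — the version captured two lines earlier is `tcptVer` — so the reported version field is presumably empty; the line should read `security_note(data:"Tcptrack version " + tcptVer[1] +`. The `ssh_close_connection();` inside the foreach body closes the SSH session while the loop may still call get_bin_version with `sock` for further binaries, and the same call is repeated after the loop; dropping the inner call (or replacing it with `exit(0)` if only the first hit should be reported) keeps the session usable for the remaining iterations.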
Added: trunk/openvas-plugins/scripts/gb_tcptrack_long_command_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_tcptrack_long_command_bof_vuln.nasl 2011-09-13 05:43:30 UTC (rev 11604)
+++ trunk/openvas-plugins/scripts/gb_tcptrack_long_command_bof_vuln.nasl 2011-09-13 05:51:43 UTC (rev 11605)
@@ -0,0 +1,84 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_tcptrack_long_command_bof_vuln.nasl 16972 2011-09-12 12:33:29 sep $
+#
+# Tcptrack Command Line Parsing Heap Based Buffer Overflow Vulnerability
+#
+# Authors:
+# Antu Sanadi <santu at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+ script_id(801973);
+ script_version("$Revision: 1.0$");
+ script_cve_id("CVE-2011-2903");
+ script_bugtraq_id(49352);
+ script_tag(name:"cvss_base", value:"6.8");
+ script_tag(name:"risk_factor", value:"High");
+ script_name("Tcptrack Command Line Parsing Heap Based Buffer Overflow Vulnerability");
+ desc = "
+ Overview: This host is installed with Tcptrack and is prone to heap based
+ buffer overflow vulnerability.
+
+ Vulnerability Insight:
+ The flaw is caused due to error in command line parsing, it is not properly
+ handling long command line argument.
+
+ Impact:
+ Successful exploitation allows attackers to execute arbitrary code via a long
+ command line argument in the LWRES dissector when processing malformed data
+ or packets.
+
+ Impact Level: System/Application
+
+ Affected Software/OS:
+ Tcptrack version prior to 1.4.2
+
+ Fix: Upgrade to Tcptrack 1.4.2 or later,
+ For Updates Refer, http://www.rhythm.cx/~steve/devel/tcptrack/#gettingit
+
+ References:
+ http://seclists.org/oss-sec/2011/q3/293
+ https://bugs.gentoo.org/show_bug.cgi?id=377917
+ http://www.rhythm.cx/~steve/devel/tcptrack/#news ";
+
+ script_description(desc);
+ script_summary("Check for the version of Tcptrack");
+ script_category(ACT_GATHER_INFO);
+ script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+ script_dependencies("gb_tcptrack_detect.nasl");
+ script_family("Buffer overflow");
+ script_require_keys("Tcptrack/Ver");
+ exit(0);
+}
+
+
+include("version_func.inc");
+
+## Get the version from kb
+tcpVer = get_kb_item("Tcptrack/Ver");
+if(!tcpVer){
+ exit(0);
+}
+
+## Check the version
+if(version_is_less(version:tcpVer, test_version:"1.4.2")){
+ security_hole(0);
+}
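Review bot: The Impact paragraph of the description (`command line argument in the LWRES dissector when processing malformed data or packets`) contradicts the Vulnerability Insight paragraph above it, which describes an error in command-line argument parsing; the LWRES dissector and packet wording looks carried over from another plugin's text. Trimming the sentence to `Successful exploitation allows attackers to execute arbitrary code via a long command line argument.` keeps the impact statement consistent with the rest of the description. Since the vector described is a local command-line argument, the mention of network packets would also mislead readers about the exposure of the host.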