[Openvas-commits] r13183 - in trunk/openvas-plugins: . scripts

scm-commit at wald.intevation.org scm-commit at wald.intevation.org
Mon Apr 2 17:34:58 CEST 2012


Author: mime
Date: 2012-04-02 17:34:57 +0200 (Mon, 02 Apr 2012)
New Revision: 13183

Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/ldap.inc
   trunk/openvas-plugins/scripts/vmware_esx.inc
Log:
Cosmetics. Fix for ADS in function is_ldapv3(). Many thanks to Guillaume Castagnino for the patch.

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2012-04-02 14:54:18 UTC (rev 13182)
+++ trunk/openvas-plugins/ChangeLog	2012-04-02 15:34:57 UTC (rev 13183)
@@ -1,6 +1,15 @@
 2012-04-02  Michael Meyer <michael.meyer at greenbone.net>
 
 	* scripts/vmware_esx.inc:
+	Cosmetics.
+
+	* scripts/ldap.inc:
+	Fix for ADS in function is_ldapv3(). Many thanks to
+	Guillaume Castagnino for the patch.
+
+2012-04-02  Michael Meyer <michael.meyer at greenbone.net>
+
+	* scripts/vmware_esx.inc:
 	Fixed parse error.
 
 2012-04-02  Michael Meyer <michael.meyer at greenbone.net>

Modified: trunk/openvas-plugins/scripts/ldap.inc
===================================================================
--- trunk/openvas-plugins/scripts/ldap.inc	2012-04-02 14:54:18 UTC (rev 13182)
+++ trunk/openvas-plugins/scripts/ldap.inc	2012-04-02 15:34:57 UTC (rev 13183)
@@ -52,23 +52,60 @@
  return NULL;
 }
 
+# extract the message length
+# WARNING offset is updated by the function call (reference) !
+function get_ber_size(buf, offset) {
+    local_var lm_length, length_length, i;
+    lm_length = ord(buf[offset]);
+    offset++;
+    if(lm_length > 128) {
+        # undetermined length message
+        length_length = lm_length - 128;
+        lm_length = 0;
+        for(i=0; i<length_length; i++) {
+            lm_length = (lm_length << 8) | ord(buf[offset++]);
+        }
+    }
+    return lm_length;
+}
+
 function is_ldapv3(port) {
+    local_var offset, lm_length, messageId_length, bindResponse_length, resultCode_length, resultCode, i, soc, buf;
 
-  soc = open_sock_tcp(port);
-  if(!soc)return FALSE;
+    soc = open_sock_tcp(port);
+    if(!soc) return FALSE;
 
-  req =  raw_string(0x30,0x0c,0x02,0x01,0x01,0x60,0x07,0x02,0x01,0x03,0x04,0x00,0x80,0x00); # v3 bind
-  send(socket:soc, data:req);
+    req =  raw_string(0x30,0x0c,0x02,0x01,0x01,0x60,0x07,0x02,0x01,0x03,0x04,0x00,0x80,0x00); # v3 bind
+    send(socket:soc, data:req);
 
-  buf = recv(socket:soc, length:128);
-  close(soc);
+    buf = recv(socket:soc, length:128);
+    close(soc);
 
-  if(!buf)return FALSE;
+    if(!buf) return FALSE;
 
-  if(ord(buf[9]) == 0 && ord(buf[10]) == 4 && ord(buf[11] == 0)) { # ord(buf[9] == bindResponse -> resultCode. 0 == success, >0 == error
-    return TRUE;
-  }  
+    # decode ldapMessage length (encoded as BER)
+    offset = 0;
+    if(ord(buf[offset++]) != 48) return FALSE; # (0x30)
+    lm_length = get_ber_size(buf, offset);
+    if (strlen(buf) < lm_length + offset) return FALSE; # whoops, we have not enough data (should never happen since bindResponse is a short message)
 
-  return FALSE;
+    # we are not at offset = message id, we skip it
+    if (ord(buf[offset++]) != 2) return FALSE; # messageId is an INT
+    messageId_length = get_ber_size(buf, offset);
+    offset += messageId_length;
 
+    # now enter the bindResponse
+    if (ord(buf[offset++]) != 97) return FALSE; # (0x61)
+    bindResponse_length = get_ber_size(buf, offset);
+
+    # now dig into response code
+    if (ord(buf[offset++]) != 10) return FALSE; # (0x0A)
+    resultCode_length = get_ber_size(buf, offset);
+    resultCode = 0;
+    for (i=0; i<resultCode_length; i++) {
+        resultCode = (resultCode << 8) | ord(buf[offset++]);
+    }
+    if (resultCode == 0) return TRUE; # server has accepted the v3 bind
+
+    return FALSE;
 }  
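Review bot: After the outer length check, is_ldapv3() never compares the server-supplied messageId_length or resultCode_length with strlen(buf), so a malformed or hostile reply can push offset beyond the at most 128 bytes recv() returned, and the following ord(buf[offset++]) reads then fall outside the buffer. I would add `if (offset + messageId_length >= strlen(buf)) return FALSE;` after the messageId skip and `if (resultCode_length > 4 || offset + resultCode_length > strlen(buf)) return FALSE;` before the result-code loop. get_ber_size() has the same gap: length_length can be as large as 127 and the loop consumes that many bytes without a bound, so it should give up when `length_length > 4` or when offset reaches strlen(buf). In BER a first length octet of 0x80 is the indefinite form and values above it are the long definite form, so the comment `# undetermined length message` would be more accurate as `# long form: low 7 bits = number of length octets`, and 0x80 itself currently falls through as a length of 128. `req` is also missing from the local_var list in is_ldapv3().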

Modified: trunk/openvas-plugins/scripts/vmware_esx.inc
===================================================================
--- trunk/openvas-plugins/scripts/vmware_esx.inc	2012-04-02 14:54:18 UTC (rev 13182)
+++ trunk/openvas-plugins/scripts/vmware_esx.inc	2012-04-02 15:34:57 UTC (rev 13183)
@@ -296,7 +296,7 @@
 
   if(isnull(bulletins[1])) {
      set_kb_item(name:"VMware/ESXi/4.1/unpatched", value:TRUE);
-     log_message(data:'Could not found a single bulletin installed on this host. Assuming this\nis a completly unpatched system. All ESXi 4.1 NVTs will report...\nRECV:\n' + recv + "\n");
+     log_message(data:'Could not found a single bulletin installed on this host. Assuming this\nis a completly unpatched system. All ESXi 4.1 NVTs will report...\nRECV:\n' + recv + '\n');
      return TRUE;
   }   
 


