[Openvas-devel] [Openvas-plugins] Solaris Local Security Checks

Tim Brown timb at nth-dimension.org.uk
Wed Nov 19 01:09:03 CET 2008

On Tuesday 18 November 2008 07:00:56 Michael Wiegand wrote:
> * Tim Brown [17. Nov 2008]:
> > Cheers Michael and Thomas, but actually that's not the problem :(.
> >
> > Obviously your check is an improvement on that ;).  I may have the chance
> > to run my scripts on a real world box this week, so I'll see if I can
> > nail down where my problem lies.
> That would have probably been too easy. :) Do you have any other hints
> as to what the problem might be? What goes wrong? I have access to a
> Solaris Box as well, so if there is anything you want me to test, just
> let me know.

Okay, I got the chance to do a bit of debugging this evening.  At the start of 
my copy of gather-package-list.nasl:

uname = ssh_cmd(socket:sock, cmd:"uname -a");

is called.  This successfully results in uname being set to "SunOS obfuscated 
5.o Generic_oooooo-oo sun4u sparc SUNW,UltraSPARC-IIi-cEngine".  Then at the 
end of the script, if uname is detected as starting with "SunOS ", then some 
more commands are run:

security_note(port:port, data:uname);
osversion = ssh_cmd(socket:sock, cmd:"uname -r");
security_note(port:port, data:osversion);
set_kb_item(name: "ssh/login/solosversion", value:osversion);
hardwaretype = ssh_cmd(socket:sock, cmd:"uname -p");
security_note(port:port, data:hardwaretype);
set_kb_item(name: "ssh/login/solhardwaretype", value:hardwaretype);
buf = ssh_cmd(socket:sock, cmd:"pkginfo");
security_note(port:port, data:buf);
set_kb_item(name: "ssh/login/solpackages", value:buf);
buf = ssh_cmd(socket:sock, cmd:"showrev -p");
security_note(port:port, data:buf);
set_kb_item(name: "ssh/login/solpatches", value:buf);

However, it appears that osversion etc. never get populated.  Each debug 
security_note results in a hole being noted which contains the following:

"This script will, if given a userid/password or
key to the remote system, login to that system,
determine the OS it is running, and for supported
systems, extract the list of installed packages/rpms."

This is the default value (description) which is used when (I believe) 
security_note is passed a null data parameter.  If I reorder the script so 
that the Solaris checks are carried out directly after the initial uname then 
it works.

In essence, the later ssh_cmd calls do not appear to run correctly.  I did try your 
patch to libopenvas, Michael, but that didn't seem to resolve it.

Tim Brown
<mailto:timb at nth-dimension.org.uk>
