[Openvas-discuss] question about openvas, arachni and false positives

chris framheim at gmx.de
Wed Aug 31 16:54:38 CEST 2011


Hi,

I tried openvas on Linux Ubuntu 10.04 and scanned some IPs with
permission. 

# aptitude show openvas-server openvas-scanner | grep -i version
Version: 2.0.3-3
Version: 3.2.4-1

Used the client 2.0.5 on Ubuntu again.

Weird things:

1) Used it pretty much without special configs, leaving much at default.
I get the following section 7(!) times in the report:
---8<---
Vulnerability found on port http (80/tcp)

        
        Overview: This host is installed with Dokuwiki and is prone to
        multiple Cross
        Site Scripting vulnerabilities.
        
        Vulnerability Insight:
        The flaws are due to error in 'ACL' Manager plugin
        (plugins/acl/ajax.php) that
        allows users to perform certain actions via HTTP requests
        without performing
        any validity checks.
        
        Impact:
        Successful exploitation allows attackers to conduct cross site
        request
        forgery attacks via unknown vectors.
        
        Impact Level: Application.
        
        Affected Software/OS:
        Dokuwiki versions prior to 2009-12-25c
        
        Fix: Update to version 2009-12-25c or later.
        For Updates Refer, http://www.splitbrain.org/go/dokuwiki
        
        References:
        http://secunia.com/advisories/38205
        http://www.vupen.com/english/advisories/2010/0150
        http://bugs.splitbrain.org/index.php?do=details&task_id=1853
        
        CVSS Score:
        CVSS Base Score : 6.8 (AV:N/AC:M/Au:NR/C:P/I:P/A:P)
        CVSS Temporal Score : 5.3
        Risk factor: High
        CVE : CVE-2010-0289
        OID : 1.3.6.1.4.1.25623.1.0.800989
---8<---
This is a false positive. It is a Synology Diskstation with no Dokuwiki.

I installed arachni and got none of the former (but scanned on just 5
ports, to speed things up, and used
- OpenVAS TCP Scanner and
- Nmap and
- ike-scan and
- snmpwalk
)!? Weird! Does anybody know?

2) Without arachni:
---8<---
Warning found on port ftp (21/tcp)

        Overview:
        FileZilla Server before 0.9.22 allows remote attackers to
        cause a denial of service (crash) via a wildcard argument
        to the (1) LIST or (2) NLST commands, which results in a
        NULL pointer dereference, a different set of vectors than
        CVE-2006-6564.
        NOTE: CVE analysis suggests that the problem might be due
        to a malformed PORT command.
        
        Solution:
        Upgrade vulnerable FTP server to latest version.
        
        References:
        http://osvdb.org/34435
        
        -------------------------------------------------------
        Plugin output:
        
        OpenVAS was able to crash the remote FTP server by sending
        a malformed PASV command.
        CVE : CVE-2006-6565
        BID : 21542, 21549
        OID : 1.3.6.1.4.1.25623.1.0.102019
---8<---
False positive again, server didn't crash. NSL couldn't even log in
(password protected).

With arachni: none of the above!

3) Same thing without arachni:
---8<---
Vulnerability found on port general/tcp

        
        Overview: This script will list all the vulnerable activex
        controls installed
        on the remote windows machine with references and cause.
        
        Vulnerability Insight:
        The flaws are caused due to error in restricting the
        SetLayoutData method,
        which fails to properly restrict the SetLayoutData method.
        
        Impact:
        Successful exploitation will let the remote attackers execute
        arbitrary code,
        and can compromise a vulnerable system.
        
        Impact Level: System
        
        Affected Software/OS:
        Microsoft Windows 7 Service Pack 1 and prior.
        Microsoft Windows XP Service Pack 3 and prior.
        Microsoft Windows 2003 Service Pack 2 and prior.
        Microsoft Windows Vista Service Pack 2 and prior.
        Microsoft Windows Server 2008 Service Pack 2 and prior.
        
        Fix: Apply the patch from below link,
        http://support.microsoft.com/kb/2562937
        
        Workaround:
        Set the killbit for the following CLSIDs,
        {B4CB50E4-0309-4906-86EA-10B6641C8392},
        {E4F874A0-56ED-11D0-9C43-00A0C90F29FC},
        {FB7FE605-A832-11D1-88A8-0000E8D220A6}
        
        References:
        http://support.microsoft.com/kb/2562937
        http://www.microsoft.com/technet/security/advisory/2562937.mspx 
        OID : 1.3.6.1.4.1.25623.1.0.801966
---8<---
False positive again. ActiveX on a Synology Diskstation?

With arachni, no false positive.

Does anybody know an explanation?

Thanks,
Chris