[Openvas-discuss] Plugins / odd vulnerabilities...

Matthew Coene mcoene at Bacardi.com
Fri Mar 18 16:39:02 CET 2011


Another thing I noticed...

Running scans against a known set of systems with documented configs...
e.g. all systems in this case have IE8 installed...

Since putting together my OpenVAS4 server I now see reports coming through
with apparently inflated vuln counts and am seeing some reports of
apparently failing checks that only apply to IE7 and lower...

e.g.

OID: 1.3.6.1.4.1.25623.1.0.801702
OID: 1.3.6.1.4.1.25623.1.0.801707

Also there are other plugin checks of which I can confirm the patches
listed in the References / Solutions section are applied...

Even worse is that these control groups are inconsistent... one fails,
others pass... with the same config....

Another example...

Looking at the NASL code for secpod-ms09-019 I see the check for Server
2003

else if(hotfix_check_sp(win2003:3) > 0)
{
  SP = get_kb_item("SMB/Win2003/ServicePack");
  if("Service Pack 2" >< SP)
  {
    # Check for mshtml.dll version 6.0 < 6.0.3790.4504 or 7.0 < 7.0.6000.16850
    # or 8.0 < 8.0.6001.18783
    if(version_in_range(version:vers, test_version:"6.0",
                        test_version2:"6.0.3790.4503") ||
       version_in_range(version:vers, test_version:"7.0",
                        test_version2:"7.0.6000.16849") ||
       version_in_range(version:vers, test_version:"8.0",
                        test_version2:"8.0.6001.18782")){
      security_hole(0);
    }
  }
  security_hole(0);
}

## Get System Path
sysPath = registry_get_sz(key:"SOFTWARE\Microsoft\Windows NT\CurrentVersion",
                          item:"PathName");
if(!sysPath){
  exit(0);
}
dllVer = get_file_version(sysPath, file_name:"System32\mshtml.dll");
if(!dllVer){
  exit(0);
}
One of my Srv2003 systems that isn't reporting this detected vulnerability
has the file mshtml.dll in \windows\system32\ @ version 8.0.6001.19019.

On another system the file 'mshtml.dll' in \windows\system32\ is @ version
8.0.6001.23111 via some manual patching (not relying on WSUS or similar).
This system is reporting as vulnerable.

I've double checked that the plugins can access the guest filesystems /
registries via SMB and WMI.

Otherwise these systems have identical patch loads as they are managed by
WSUS; that is, up until, out of desperation, I started hunting patches
manually on the one reporting the vuln to see if I could stabilize and
normalize the scan results...

Could this perhaps be a case of cached results or similar...

I am really hoping to get the scan results stabilized and consistent...

Cheers,

Matthew Coene
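The version comparison the quoted plugin relies on, written out as an added example (not code from the post or from the OpenVAS plugin) and applied to the two mshtml.dll versions reported above; it assumes version_in_range() is inclusive at both ends and compares dotted components numerically. It models only the version_in_range() branch, not the trailing security_hole(0) that, as excerpted, runs regardless of the version result.

```python
# Added example, not from the post or the OpenVAS plugin: re-implements the
# version_in_range() comparison (assumed inclusive at both ends) and applies
# the three mshtml.dll ranges from the quoted MS09-019 check to the DLL
# versions the post reports, to show neither sits inside a vulnerable range.
from typing import Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted Windows file version into integer components.

    Components must be compared numerically, never as strings: as strings
    "8.0.6001.9" sorts above "8.0.6001.18782" and silently inverts the test.
    """
    return tuple(int(part) for part in v.strip().split("."))


def version_in_range(version: str, test_version: str, test_version2: str) -> bool:
    """Inclusive range test mirroring the NASL version_in_range() call shape."""
    v, lo, hi = (parse_version(x) for x in (version, test_version, test_version2))
    # Pad shorter tuples so "6.0" compares as 6.0.0.0 against 4-part versions.
    width = max(len(v), len(lo), len(hi))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(lo) <= pad(v) <= pad(hi)


# (test_version, test_version2) pairs taken from the quoted plugin excerpt.
MS09_019_WIN2003_SP2_RANGES = [
    ("6.0", "6.0.3790.4503"),
    ("7.0", "7.0.6000.16849"),
    ("8.0", "8.0.6001.18782"),
]


def mshtml_vulnerable_by_version(dll_version: str) -> bool:
    """True if the plugin's version_in_range() branch alone would flag the host."""
    return any(version_in_range(dll_version, lo, hi)
               for lo, hi in MS09_019_WIN2003_SP2_RANGES)


if __name__ == "__main__":
    # mshtml.dll versions the post reports for the two Server 2003 hosts.
    for observed in ("8.0.6001.19019", "8.0.6001.23111"):
        print(observed, "flagged by version check:",
              mshtml_vulnerable_by_version(observed))
```

Both reported versions come out False, so a host-to-host difference in verdict must originate elsewhere (the KB service-pack value, file-version retrieval, or the unconditional security_hole(0)), not in the range comparison.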

