From bchandra at secpod.com  Tue Jan 20 06:28:45 2009
From: bchandra at secpod.com (Chandrashekhar B)
Date: Tue, 20 Jan 2009 10:58:45 +0530
Subject: [Openvas-plugins] [Openvas-discuss] Question about plugin 11808
In-Reply-To: <5792267e0901191508y1c1fe4fbg47e682f6909a6d6@mail.gmail.com>
References: <5792267e0901191508y1c1fe4fbg47e682f6909a6d6@mail.gmail.com>
Message-ID:

Hello Eric,

Appreciate your efforts to try and patch the MS03-026 plugin. It is a very old plugin (that gives us a task to re-audit all the old plugins and keep them updated) and it is replaced by MS04-012, MS05-012, MS05-051 and also Update Rollup for Windows 2000.

On top of the existing code, you can add multiple lines to check for the above KB numbers.

Thanks,
Chandra.

-----Original Message-----
From: openvas-discuss-bounces at wald.intevation.org [mailto:openvas-discuss-bounces at wald.intevation.org] On Behalf Of Eric Gearhart
Sent: Tuesday, January 20, 2009 4:38 AM
To: OpenVAS Discuss; OpenVAS Plugins
Subject: Re: [Openvas-discuss] Question about plugin 11808

Sorry about the double posting, but I was not aware there even was an openvas-plugins mailing list, and the volume on both lists is not deafening, so I figured it can't hurt to cross-post to both lists (if nothing else more people will be made aware the openvas-plugins list *exists*)

( please see original post at http://lists.wald.intevation.org/pipermail/openvas-plugins/2008-May/000057.html )

I am having the exact same issue as reported by the link in the note above.... a huge number of machines are reported as vulnerable to MS03-026, when I know for a fact they're completely patched.
I can see their status via WSUS (if you're familiar with the Windows patching routine you're familiar with WSUS - if not http://en.wikipedia.org/wiki/Windows_Server_Update_Services looks pretty accurate)

Here's the full text of the offending plugin:

"Reported by NVT "Microsoft RPC Interface Buffer Overrun (823980)" (1.3.6.1.4.1.25623.1.0.11808):

The remote host is running a version of Windows which has a flaw in its RPC interface which may allow an attacker to execute arbitrary code and gain SYSTEM privileges.

There is at least one Worm which is currently exploiting this vulnerability. Namely, the MsBlaster worm.

Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
Risk factor : High
CVE : CAN-2003-0352
BID : 8205
Other references : IAVA:2003-A-0011"

A quick grep of my plugins/ folder reveals the plugin with filename msrpc_dcom.nasl is what's the offending nasl script.

In that file, I see this section:

    if(get_kb_item("SMB/KB824146"))exit(0);
    if(get_kb_item("SMB/KB824146_cant_be_verified"))exit(0);

I looked up that knowledgebase article, and indeed that update has been superseded by http://support.microsoft.com/kb/828741/ "MS04-012: Cumulative Update for Microsoft RPC/DCOM"

I've modified the original NASL script, and flipped the KB824146 bits over to KB828741. I'm in the process of re-scanning one of the machines now, to see if the change made a difference.

I don't have a vulnerable machine available (that does not have either update), so I have no way to test there; that's assuming testing is necessary for a simple "Is the KB828741 patch installed?" nasl script...

I would be tickled pink if the effort I've put in leads to an improvement in OpenVAS... should I try to cobble a patch together to apply against msrpc_dcom.nasl to update those two lines to the newer KB article?
--
Eric
http://nixwizard.net
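
The early-exit logic discussed in this thread, modelled in Python as an added example (not code from msrpc_dcom.nasl or from either poster). It shows why a host carrying only the superseding update is still tested when the plugin looks for KB824146 alone. The key name "SMB/KB828741", the function names and the sample hosts are assumptions constructed for illustration.

```python
# Added illustration: a model of the two exit(0) lines quoted from
# msrpc_dcom.nasl. A dict stands in for the scanner's knowledge base (KB).

# Keys the quoted plugin looks at before running its remote check.
ORIGINAL_KEYS = ("SMB/KB824146",)
# Assumed key name, following the "SMB/KB<number>" pattern on the page,
# for the superseding MS04-012 update (KB828741).
UPDATED_KEYS = ("SMB/KB824146", "SMB/KB828741")


def skips_host(kb, patch_keys):
    """Return True when the plugin would exit(0) before its remote check."""
    for key in patch_keys:
        if kb.get(key):
            return True   # patch recorded as installed
        if kb.get(key + "_cant_be_verified"):
            return True   # patch state could not be verified
    return False


def still_tested(hosts, patch_keys):
    """Sorted names of hosts that are not skipped and can still be reported."""
    return sorted(name for name, kb in hosts.items()
                  if not skips_host(kb, patch_keys))


# Constructed sample knowledge bases, one per host.
HOSTS = {
    "old-patch": {"SMB/KB824146": 1},
    "new-patch-only": {"SMB/KB828741": 1},
    "unverifiable": {"SMB/KB824146_cant_be_verified": 1},
    "unpatched": {},
}

if __name__ == "__main__":
    print("original keys:", still_tested(HOSTS, ORIGINAL_KEYS))
    print("updated keys: ", still_tested(HOSTS, UPDATED_KEYS))
```

Replacing the KB824146 keys outright, rather than adding KB828741 alongside them, would move "old-patch" back into the tested set, which is why the reply suggests adding lines on top of the existing code.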