From felix.wolfsteller at intevation.de Fri Jan 8 13:29:20 2010
From: felix.wolfsteller at intevation.de (Felix Wolfsteller)
Date: Fri, 8 Jan 2010 13:29:20 +0100
Subject: [Openvas-plugins] [Openvas-discuss] "False negative" and strange UDP 32789 port
Message-ID: <201001081329.20889.felix.wolfsteller@intevation.de>

Thanks a lot Jonas. While I cannot comment on the content, I am cross-posting to the openvas-plugins mailing list.

On Friday 08 January 2010 13:17:56 Jonas Andradas wrote:
> Hello,
>
> I am using OpenVAS 2 Debian packages, versions:
>
> libopenvas2 2.0.4-2
> libopenvasnasl2 2.0.2-2
> openvas-client 2.0.5-1intevation1
> openvas-plugins-base 1.0.7-5+svn20090920
> openvas-plugins-dfsg 1.0.7-5+svn20090920
> openvas-server 2.0.3-3
>
> I work as a security auditor, and at my company we are using Nessus 4, and
> introducing OpenVAS (hopefully, soon it will replace our Nessus).
>
> Related to the false positive Fidel Castro reported on December 18th, I
> wanted to share a "false negative". I am scanning an APC Smart-UPS 1000 RM
> device (with version 3.5.5 of APC OS). On port 80, there is a web server
> which, upon an empty GET request, freezes or, at least, becomes
> unresponsive. This also makes the Telnet server running on the device
> unresponsive. After a while, services are restored. OpenVAS did not report this
> issue, but Nessus 4 did report it as "Linksys WRT54G Empty GET Request
> Remote DoS". Another host, running OpenSuse 11 and TightVNC 1.2.9,
> presents the same issue on the VNC-HTTP port 5801. This was also not
> identified by OpenVAS. It seems that more than only the WRT54G has these
> issues, so maybe a generic result could be done so that if safe checks are
> disabled, and the server does freeze after sending an empty GET, it gets
> reported, even if the host is not identified as a WRT54G router or any
> other device where this vulnerability might be known.
>
> The other issue I would like to comment and ask about is that on some of my
> recent scans, I've seen that, when there is an SNMP service with default
> credentials ("public" and/or "private", for example), sometimes I get a
> result in the report for a Security Hole on port 32789 UDP, which states
> that an SNMP server responds to these default community names. I was not
> scanning that UDP port in the Options (and I have checked the parameter
> that makes it consider all unscanned ports as closed). Later, I am unable to
> manually verify the existence of this SNMP service listening on port 32789,
> neither using SNMP polling software, nor running NMAP against UDP port 32789
> (it appears as "closed"). I don't know if this is an OpenVAS false
> positive or if the execution of some plugins somehow makes the remote host
> answer SNMP requests on this port. I have seen this behaviour on APC
> Smart-UPS and Allied Telesyn 8326GB switches.
>
> Best Regards,
>
> Jonás Andradas.

-- 
Felix Wolfsteller | ++49 541 335083-783 | http://www.intevation.de/
PGP Key: 39DE0100
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner


From ekah at gmx.net Fri Jan 8 16:23:11 2010
From: ekah at gmx.net (Joerg Eckert)
Date: Fri, 08 Jan 2010 16:23:11 +0100
Subject: [Openvas-plugins] Conficker versions detection
Message-ID: <20100108152311.94730@gmx.net>

Hello

I asked on IRC, but I should better ask here:

OpenVAS owns a Conficker script. I tried to look into it and didn't find out which versions of Conficker the script is able to detect under what circumstances.

For example: Conficker A, is the script able to detect it? If yes, do I need credentials or something else?

If there is a hint or explanation I would be very glad.

Thanks in advance

Joerg

PS: I am not a very good programmer and that might be the reason I didn't find it.


From michael.meyer at intevation.de Fri Jan 8 18:07:02 2010
From: michael.meyer at intevation.de (Michael Meyer)
Date: Fri, 8 Jan 2010 18:07:02 +0100
Subject: [Openvas-plugins] [Openvas-discuss] "False negative" and strange UDP 32789 port
Message-ID: <20100108170702.GA13293@komma-nix.de>

Hello Jonas,

*** Jonas Andradas wrote:
> Related to the false positive Fidel Castro reported on December 18th, I
> wanted to share a "false negative". I am scanning an APC Smart-UPS 1000 RM
> device (with version 3.5.5 of APC OS). On port 80, there is a web server
> which, upon an empty GET request, freezes or, at least, becomes
> unresponsive. This also makes the Telnet server running on the device
> unresponsive. After a while, services are restored. OpenVAS did not report this
> issue, but Nessus 4 did report it as "Linksys WRT54G Empty GET Request
> Remote DoS".

The feed contains 'linksys_empty_GET_DoS.nasl', which sends an empty GET request to every open HTTP port. Please try to run this plugin at the command line:

    openvas-nasl -X -t /var/lib/openvas/plugins/linksys_empty_GET_DoS.nasl

Any result? Did the webserver freeze?

> The other issue I would like to comment and ask about is that on some of my
> recent scans, I've seen that, when there is an SNMP service with default
> credentials ("public" and/or "private", for example), sometimes I get a
> result in the report for a Security Hole on port 32789 UDP, which states
> that an SNMP server responds to these default community names. I was not
> scanning that UDP port in the Options (and I have checked the parameter that
> makes it consider all unscanned ports as closed).

Port 161 and port 32789 are hardcoded in snmp_default_communities.nasl. Please try to run this plugin at the command line too. Maybe have a look at the traffic by running tcpdump or wireshark.

I would be happy to help you, but for that I need your support. If you're willing to, just contact me privately. Then we can make a few tests...

Micha

-- 
Michael Meyer OpenPGP Key: 76E050B9 http://www.intevation.de
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner


From bchandra at secpod.com Sat Jan 9 09:55:49 2010
From: bchandra at secpod.com (Chandrashekhar B)
Date: Sat, 9 Jan 2010 14:25:49 +0530
Subject: [Openvas-plugins] Conficker versions detection
In-Reply-To: <20100108152311.94730@gmx.net>
References: <20100108152311.94730@gmx.net>

Hello Joerg,

I have added a comment in the plugin now; it detects the Conficker.B or C variant. It tries an anonymous connection if credentials aren't supplied and likely works on most systems. But credentials can be supplied too.

There are two other plugins to detect if MS08-067 is installed:

secpod_ms08-067_900055.nasl - credential based
secpod_ms08-067_900056.nasl - an exploit that might crash an unpatched system.

Thanks,
Chandra.

> -----Original Message-----
> From: openvas-plugins-bounces at wald.intevation.org
> [mailto:openvas-plugins-bounces at wald.intevation.org] On
> Behalf Of Joerg Eckert
> Sent: Friday, January 08, 2010 8:53 PM
> To: openvas-plugins at wald.intevation.org
> Subject: [Openvas-plugins] Conficker versions detection
>
> Hello
>
> I asked on IRC, but I should better ask here:
>
> OpenVAS owns a Conficker script. I tried to look into it and
> didn't find out which versions of Conficker the script is
> able to detect under what circumstances.
>
> For example: Conficker A, is the script able to detect it? If yes, do I
> need credentials or something else?
>
> If there is a hint or explanation I would be very glad.
>
> Thanks in advance
>
> Joerg
>
> PS: I am not a very good programmer and that might be the
> reason I didn't find it.


From michael.meyer at intevation.de Wed Jan 13 17:51:23 2010
From: michael.meyer at intevation.de (Michael Meyer)
Date: Wed, 13 Jan 2010 17:51:23 +0100
Subject: [Openvas-plugins] [Openvas-discuss] "False negative" and strange UDP 32789 port
Message-ID: <20100113165123.GA22360@komma-nix.de>

*** Jonas Andradas wrote:
> I am scanning an APC Smart-UPS 1000 RM device (with version 3.5.5 of
> APC OS). On port 80, there is a web server which, upon an empty GET request,
> freezes or, at least, becomes unresponsive. This also makes the Telnet
> server running on the device unresponsive. After a while, services
> are restored. OpenVAS did not report this issue, but Nessus 4 did report it as
> "Linksys WRT54G Empty GET Request Remote DoS".

Jonas and I discovered that both the embedded webserver on the APC Smart-UPS and the embedded webserver on the Enterasys switch have problems with certain requests (too long requests, empty GET requests, ...).

"Problematic" plugins are nikto.nasl and taifajobs_1_0_jobid_sql_injection.nasl, for example.

Both plugins are able to kill the embedded webservers without reporting about that. Perhaps there are more plugins...

As a workaround I will add

    if(get_kb_item("Services/www/" + port + "/embedded"))exit(0);

to both plugins.

We should consider whether it makes sense in principle to run plugins of the family "Web application abuses" against embedded webservers.

Many thanks again to Jonas for his support.

Micha

-- 
Michael Meyer OpenPGP Key: 76E050B9 http://www.intevation.de
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner


From Jan-Oliver.Wagner at greenbone.net Thu Jan 14 01:04:45 2010
From: Jan-Oliver.Wagner at greenbone.net (Jan-Oliver Wagner)
Date: Thu, 14 Jan 2010 01:04:45 +0100
Subject: [Openvas-plugins] "False negative" and strange UDP 32789 port
In-Reply-To: <20100113165123.GA22360@komma-nix.de>
References: <20100113165123.GA22360@komma-nix.de>
Message-ID: <201001140104.47245.Jan-Oliver.Wagner@greenbone.net>

On Wednesday, 13 January 2010, Michael Meyer wrote:
> > I am scanning an APC Smart-UPS 1000 RM device (with version 3.5.5 of
> > APC OS). On port 80, there is a web server which, upon an empty GET request,
> > freezes or, at least, becomes unresponsive. This also makes the Telnet
> > server running on the device unresponsive. After a while, services
> > are restored. OpenVAS did not report this issue, but Nessus 4 did report it as
> > "Linksys WRT54G Empty GET Request Remote DoS".
>
> Jonas and I discovered that both the embedded webserver on the
> APC Smart-UPS and the embedded webserver on the Enterasys switch have
> problems with certain requests (too long requests, empty GET requests, ...).
>
> "Problematic" plugins are nikto.nasl and
> taifajobs_1_0_jobid_sql_injection.nasl, for example.
>
> Both plugins are able to kill the embedded webservers without
> reporting about that. Perhaps there are more plugins...
>
> As a workaround I will add
>
>     if(get_kb_item("Services/www/" + port + "/embedded"))exit(0);
>
> to both plugins.

This appears a bit too generic to me and might produce false negatives.

Wouldn't it be better to detect the system more precisely and use a corresponding KB item instead of just "embedded"?

> We should consider whether it makes sense in principle to run
> plugins of the family "Web application abuses" against embedded webservers.

I think it does make sense.

Best

Jan

-- 
Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Managing directors: Lukas Grunwald, Dr. Jan-Oliver Wagner


From michael.meyer at intevation.de Thu Jan 14 11:11:27 2010
From: michael.meyer at intevation.de (Michael Meyer)
Date: Thu, 14 Jan 2010 11:11:27 +0100
Subject: [Openvas-plugins] "False negative" and strange UDP 32789 port
In-Reply-To: <201001140104.47245.Jan-Oliver.Wagner@greenbone.net>
References: <20100113165123.GA22360@komma-nix.de> <201001140104.47245.Jan-Oliver.Wagner@greenbone.net>
Message-ID: <20100114101127.GA2681@komma-nix.de>

*** Jan-Oliver Wagner wrote:
> On Wednesday, 13 January 2010, Michael Meyer wrote:
> >     if(get_kb_item("Services/www/" + port + "/embedded"))exit(0);
>
> This appears a bit too generic to me and might produce false negatives.
>
> Wouldn't it be better to detect the system more precisely and use
> a corresponding KB item instead of just "embedded"?

This KB entry is set by 'embedded_web_server_detect.nasl' (and a few others) which try to detect an embedded webserver.

> > We should consider whether it makes sense in principle to run
> > plugins of the family "Web application abuses" against embedded webservers.
>
> I think it does make sense.

Hmm... you really expect to find e.g. a "phpshop" or a "phpgroupware" or a "mambo" on an *embedded* webserver?

A lot of embedded webservers running e.g. on switches *seem* to be not very robust. There is a risk that we, while running a scan with "Safe Checks" enabled, kill them. That is not what a user expects, IMHO.

But what I have just seen is that the functions "can_host_{php,asp}()" use the "Services/www/" + port + "/embedded" KB entry as well.

These functions "return 0" if the webserver is detected as embedded. Since these functions are used in most of the plugins in the family "Web application abuses", that should be enough. In Jonas' case it did not work because 'embedded_web_server_detect.nasl' doesn't match on "Server: Embedded Web Server", only on "Server: Embedded HTTPD". I will add "Server: Embedded Web Server" to that plugin.

Does it make sense to run nikto.nasl against an embedded webserver? ;)

Micha

-- 
Michael Meyer OpenPGP Key: 76E050B9 http://www.intevation.de
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner


From jonas at andradas.es Thu Jan 14 15:27:22 2010
From: jonas at andradas.es (Jonas Andradas)
Date: Thu, 14 Jan 2010 15:27:22 +0100
Subject: [Openvas-plugins] "False negative" and strange UDP 32789 port
In-Reply-To: <20100114101127.GA2681@komma-nix.de>
References: <20100113165123.GA22360@komma-nix.de> <201001140104.47245.Jan-Oliver.Wagner@greenbone.net> <20100114101127.GA2681@komma-nix.de>

Hello,

On Thu, Jan 14, 2010 at 11:11 AM, Michael Meyer wrote:
> *** Jan-Oliver Wagner wrote:
> > On Wednesday, 13 January 2010, Michael Meyer wrote:
> > >     if(get_kb_item("Services/www/" + port + "/embedded"))exit(0);
> >
> > This appears a bit too generic to me and might produce false negatives.
> >
> > Wouldn't it be better to detect the system more precisely and use
> > a corresponding KB item instead of just "embedded"?
>
> This KB entry is set by 'embedded_web_server_detect.nasl' (and a few
> others) which try to detect an embedded webserver.
>
> > > We should consider whether it makes sense in principle to run
> > > plugins of the family "Web application abuses" against embedded webservers.
> >
> > I think it does make sense.
>
> Hmm... you really expect to find e.g. a "phpshop" or a "phpgroupware" or
> a "mambo" on an *embedded* webserver?
>
> A lot of embedded webservers running e.g. on switches *seem* to be not
> very robust. There is a risk that we, while running a scan with "Safe Checks"
> enabled, kill them. That is not what a user expects, IMHO.
>
> But what I have just seen is that the functions
> "can_host_{php,asp}()" use the
> "Services/www/" + port + "/embedded" KB entry as well.
>
> These functions "return 0" if the webserver is detected as
> embedded. Since these functions are used in most of the plugins in
> the family "Web application abuses", that should be enough. In Jonas' case
> it did not work because 'embedded_web_server_detect.nasl' doesn't match
> on "Server: Embedded Web Server", only on "Server: Embedded HTTPD". I will
> add "Server: Embedded Web Server" to that plugin.

The APC SmartUPS 1000 RM webserver identifies itself with the string "WebServer: " in the HTTP response. When several plugins are run against it, including nikto (running nikto manually also produces the same behaviour), linksys_empty_GET_DoS, and some SQL injection plugins (and maybe other not-yet-identified plugins), the service stops responding for about 3 minutes. When this happens, the FTP and Telnet services also stop responding. After this time, all services recover. For this reason, any plugins run during those 3 minutes against the host might not be able to gather the appropriate information, because the service is not available.

I have seen this same behaviour on the embedded web server of Enterasys switches (which identifies itself as "Server: Embedded Web Server" in the HTTP response), but the downtime lasts only for about 30-40 seconds, also making telnet sessions unavailable.

Similar behaviour has been observed against the vnc-http service of TightVNC 1.2.9 on OpenSUSE 11.1, although Michael Meyer has tried this same TightVNC version on another OpenSUSE version and has not been able to verify the issue. When the vnc-http service stops responding, any VNC sessions are interrupted, and new ones cannot be established until the http service comes back up.

I don't know whether not running some webserver tests when we find a potentially fragile embedded web server could create more false negatives than bringing down the server, maybe along with other services, sometimes several times during a scan, which might produce false negatives on the web server itself or on other services. It is not an easy decision, of course, and that's why Michael has brought it up, I think.

> Does it make sense to run nikto.nasl against an embedded webserver? ;)
>
> Micha

Best Regards,

Jonás.


From michael.wiegand at intevation.de Mon Jan 18 11:27:24 2010
From: michael.wiegand at intevation.de (Michael Wiegand)
Date: Mon, 18 Jan 2010 11:27:24 +0100
Subject: [Openvas-plugins] [Openvas-commits] r6414 - in trunk/openvas-plugins: . scripts
In-Reply-To: <20100115092944.073D886607A1@pyrosoma.intevation.org>
References: <20100115092944.073D886607A1@pyrosoma.intevation.org>
Message-ID: <4B54378C.5000401@intevation.de>

scm-commit at wald.intevation.org wrote:
> Author: chandra
> Date: 2010-01-15 10:29:41 +0100 (Fri, 15 Jan 2010)
> New Revision: 6414
>
> Added:
> trunk/openvas-plugins/scripts/gb_fedora_2009_13551_slim_fc11.nasl
> trunk/openvas-plugins/scripts/gb_fedora_2009_13552_slim_fc12.nasl

I have noticed that the two NVTs mentioned above contain UTF-8 encoded characters. As I mentioned in my mail to openvas-plugins in early November, NVTs are supposed to be ISO-8859-1 encoded if they contain characters not present in the ASCII encoding.

Please re-encode the NVTs mentioned above and make sure automated generators produce only ASCII/ISO-8859-1 encoded files from now on. Thank you!

Regards,

Michael

-- 
Michael Wiegand | OpenPGP: D7D049EC | Intevation GmbH - www.intevation.de
Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 18998
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner


From bchandra at secpod.com Tue Jan 19 08:34:05 2010
From: bchandra at secpod.com (Chandrashekhar B)
Date: Tue, 19 Jan 2010 13:04:05 +0530
Subject: [Openvas-plugins] [Openvas-commits] r6414 - in trunk/openvas-plugins: . scripts
In-Reply-To: <4B54378C.5000401@intevation.de>
References: <20100115092944.073D886607A1@pyrosoma.intevation.org> <4B54378C.5000401@intevation.de>
Message-ID: <574011431160499C914105DCF1633CE9@bchandra>

Hello Michael,

Converted and committed. We are also updating the generator to check that.

Thanks,
Chandra.

> -----Original Message-----
> From: Michael Wiegand [mailto:michael.wiegand at intevation.de]
> Sent: Monday, January 18, 2010 3:57 PM
> To: Chandrashekhar B
> Cc: openvas-plugins at wald.intevation.org
> Subject: Re: [Openvas-commits] r6414 - in trunk/openvas-plugins: . scripts
>
> scm-commit at wald.intevation.org wrote:
> > Author: chandra
> > Date: 2010-01-15 10:29:41 +0100 (Fri, 15 Jan 2010)
> > New Revision: 6414
> >
> > Added:
> > trunk/openvas-plugins/scripts/gb_fedora_2009_13551_slim_fc11.nasl
> > trunk/openvas-plugins/scripts/gb_fedora_2009_13552_slim_fc12.nasl
>
> I have noticed that the two NVTs mentioned above contain
> UTF-8 encoded characters. As I mentioned in my mail to
> openvas-plugins in early November, NVTs are supposed to be
> ISO-8859-1 encoded if they contain characters not present in
> the ASCII encoding.
>
> Please re-encode the NVTs mentioned above and make sure
> automated generators produce only ASCII/ISO-8859-1 encoded
> files from now on. Thank you!
>
> Regards,
>
> Michael
>
> --
> Michael Wiegand | OpenPGP: D7D049EC | Intevation GmbH - www.intevation.de
> Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 18998
> Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
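The encoding rule Michael Wiegand states above (NVTs are ASCII or ISO-8859-1, never UTF-8) is the kind of check a generator pipeline should enforce before committing. The following is an added example, not code from the OpenVAS project or any of the posters; function names and the sample NVT fragments are my own and constructed for illustration.

```python
"""Check and normalise the character encoding of NVT (.nasl) sources.

Policy under test (from the thread): a file must be plain ASCII, or
ISO-8859-1 if it needs non-ASCII characters. UTF-8 multi-byte sequences
are a violation that a generator should catch before commit.
"""
import re

# One UTF-8 lead byte (C2..F4) followed by continuation bytes (80..BF).
UTF8_MULTIBYTE = re.compile(rb"[\xC2-\xF4][\x80-\xBF]+")


def classify_encoding(data: bytes) -> str:
    """Return 'ascii', 'utf-8' or 'iso-8859-1' for raw file bytes.

    Any byte string is valid ISO-8859-1, so the order of tests matters:
    pure 7-bit content is ASCII; content that decodes cleanly as UTF-8
    and has high bytes is treated as UTF-8; everything else is Latin-1.
    """
    if all(b < 0x80 for b in data):
        return "ascii"
    try:
        data.decode("utf-8")
        return "utf-8"
    except UnicodeDecodeError:
        return "iso-8859-1"


def report_violations(data: bytes):
    """List (line_number, offending_text) for each UTF-8 sequence found,
    so the generator can point at the exact line. Empty for compliant files."""
    if classify_encoding(data) != "utf-8":
        return []
    hits = []
    for lineno, line in enumerate(data.splitlines(), start=1):
        for m in UTF8_MULTIBYTE.finditer(line):
            hits.append((lineno, m.group().decode("utf-8", "replace")))
    return hits


def to_iso_8859_1(data: bytes) -> bytes:
    """Re-encode a UTF-8 NVT as ISO-8859-1; compliant files pass through.

    Raises ValueError for characters with no Latin-1 code point (the euro
    sign, CJK, ...), which cannot be converted mechanically and need a
    human to pick an ASCII replacement.
    """
    if classify_encoding(data) != "utf-8":
        return data
    text = data.decode("utf-8")
    try:
        return text.encode("iso-8859-1")
    except UnicodeEncodeError as exc:
        ch = text[exc.start]
        raise ValueError(f"U+{ord(ch):04X} {ch!r} has no ISO-8859-1 form") from exc


# Constructed sample NVT fragments (not real feed content).
SAMPLE_ASCII = b'script_name("Fedora Update for slim FEDORA-2009-13551");\n'
SAMPLE_LATIN1 = b"# Author: Osnabr\xfcck\n"          # 'ue' umlaut as one Latin-1 byte
SAMPLE_UTF8 = b"# Author: Osnabr\xc3\xbcck\n"        # same umlaut as a UTF-8 pair
SAMPLE_UNCONVERTIBLE = b"# Cost: 10 \xe2\x82\xac\n"  # euro sign: not in Latin-1
```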