[Openvas-plugins] "False negative" and strange UDP 32789 port
Jan-Oliver.Wagner at greenbone.net
Thu Jan 14 01:04:45 CET 2010
On Wednesday, 13 January 2010, Michael Meyer wrote:
> > I am scanning an APC Smart-UPS 1000 RM device (with version 3.5.5 of
> > APC OS). On port 80, there is a web server which, upon an empty GET request,
> > freezes or, at least, becomes unresponsive. This also makes
> > unresponsive the Telnet server running on the device. After a while, services
> > are restored. OpenVAS did not report this issue, but Nessus 4 did report it as
> > "Linksys WRT54G Empty GET Request Remote DoS".
> Jonas and I discovered that both the embedded webserver at the
> APC Smart-UPS and the embedded webserver at the Enterasys switch have
> problems with certain requests (too long requests, empty GET requests, ...).
> "Problematic" plugins are nikto.nasl and
> taifajobs_1_0_jobid_sql_injection.nasl for example.
> Both plugins are able to kill the embedded webservers without
> reporting about that. Perhaps there are more plugins...
> As a workaround I will add
> "if(get_kb_item("Services/www/" + port + "/embedded"))exit(0);"
> to both plugins.
This appears a bit too generic to me and might produce false negatives.
Wouldn't it be better to detect the system more precisely and use
a corresponding KB item instead of just "embedded"?
> We should consider whether it makes sense in principle, running
> plugins of Family "Web application abuses" against embedded webservers.
I think it does make sense.
Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Managing Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
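
One way to implement the more precise KB item suggested in the reply above, shown as an added example that is not part of the original message or of the OpenVAS plugin set. The script id, the banner pattern and the KB key name `www/<port>/fragile_httpd` are hypothetical placeholders.

```nasl
# Added example, not an OpenVAS plugin. The script_id, the banner pattern and
# the KB key "www/<port>/fragile_httpd" are placeholders for illustration.
if(description)
{
  script_id(9999999);  # placeholder id
  script_version("1.0");
  script_name("Fragile embedded HTTP server detection (example)");
  script_summary("Marks web servers known to hang on malformed requests");
  script_category(ACT_GATHER_INFO);
  script_family("Service detection");
  script_copyright("example");
  script_dependencies("find_service.nes");
  script_require_ports("Services/www", 80);
  exit(0);
}

include("http_func.inc");

port = get_http_port(default:80);
if(!get_port_state(port)) exit(0);

banner = get_http_banner(port:port);
if(!banner) exit(0);

# Constructed pattern: replace with the Server header actually observed
# on the affected device and firmware.
fragile_pattern = "^Server: EXAMPLE-EMBEDDED-HTTPD";

if(egrep(pattern:fragile_pattern, string:banner, icase:TRUE))
{
  # Specific key: only hosts matching the fingerprint are flagged, so other
  # embedded web servers are still tested by the web application plugins.
  set_kb_item(name:"www/" + port + "/fragile_httpd", value:TRUE);
}

# In nikto.nasl or another plugin that hangs such a server, the guard then
# tests the specific key instead of the generic ".../embedded" one:
#
#   if(get_kb_item("www/" + port + "/fragile_httpd")) exit(0);
```

With a fingerprint-specific key, a skipped plugin can be traced to a known-fragile device, while unfingerprinted embedded servers remain in scope.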