Ok...I shall now bury my head in shame :( Seems I put this test in place
a while ago to try to eliminate false positives. Unfortunately, I never
got around to testing it, and did a lousy job implementing it. So, all
those criticisms apply to myself :( :(

At any rate - for those interested, the script changes DO now work and
HAVE now been tested, and get rid of pesky false positives on this script.

Sigh. Not a good day.

Thomas

Thomas Reinke wrote:
>
> Ack... the last script is incorrect: for testing had changed the port
> to be port 443. The attached script is the correct one.
>
> Thomas
>
> Thomas Reinke wrote:
> >
> > The Sambar sendmail script has a false positive "elimination" line
> > that checks for SSL enabled servers talking non-SSL.
> >
> > Unfortunately, the false positive elimination doesn't work. The line:
> >
> >   if("You're speaking plain HTTP to an SSL-enabled server port" <> buf)exit(0);
> >
> > has a number of problems:
> >
> > - The <> should be ><
> > - The text should all be in lower case, since the script changes
> >   the buf to lower case.
> > - The buf never contains this text, because recv_line() was used
> >   instead of recv().
> >
> > A modified version of sambar_sendmail.nasl is attached that fixes these
> > problems, and has been tested and no longer generates these false
> > positives.
> >
> > Thomas
> >
> > ------------------------------------------------------------------------
> > #
> > # Copyright 2000 by Hendrik Scholz <hendrikat_private>
> > #
> >
> > if(description)
> > {
> >   script_id(10415);
> >
> >   name["english"] = "Sambar sendmail /session/sendmail";
> >   script_name(english:name["english"]);
> >
> >   desc["english"] = "The Sambar webserver is running. It provides a webinterface for sending emails.
> > You may simply pass a POST request to /session/sendmail and by this send mails to anyone you want.
> > Due to the fact that Sambar does not check HTTP referers you do not need direct access to the server!
> >
> > See http://www.toppoint.de/~hscholz/sambar for more information.
> >
> > Solution : Try to disable this module. There might be a patch in the future.
> >
> > Risk factor : High";
> >
> >   script_description(english:desc["english"]);
> >
> >   summary["english"] = "Sambar /session/sendmail mailer installed ?";
> >
> >   script_summary(english:summary["english"]);
> >
> >   script_category(ACT_ATTACK);
> >
> >
> >   script_copyright(english:"This script is Copyright (C) 2000 Hendrik Scholz");
> >
> >   family["english"] = "CGI abuses";
> >   family["francais"] = "Abus de CGI";
> >   script_family(english:family["english"], francais:family["francais"]);
> >
> >   script_dependencie("find_service.nes");
> >   script_require_ports("Services/www", 80);
> >   exit(0);
> > }
> >
> > #
> > # The script code starts here
> >
> > port = get_kb_item("Services/www");
> > if(!port)port = 443;
> > if(get_port_state(port))
> > {
> >   data = http_get(item:"/session/sendmail", port:port);
> >   soc = open_sock_tcp(port);
> >   if(soc)
> >   {
> >     send(socket:soc, data:data);
> >     buf = recv(socket:soc, length:4096);
> >     close(soc);
> >     buf = tolower(buf);
> >     if(" 400 invalid header received " >< buf)exit(0);
> >     if("you're speaking plain http to an ssl-enabled server port" >< buf)exit(0);
> >     if(" 400 " >< buf)security_warning(port);
> >   }
> > }
>
> --
> ------------------------------------------------------------
> E-Soft Inc.                    http://www.e-softinc.com
> Publishers of SecuritySpace    http://www.securityspace.com
> Tel: 1-905-331-2260            Fax: 1-905-331-2504
> Tollfree in North America: 1-800-799-4831
>
> ------------------------------------------------------------------------
> #
> # Copyright 2000 by Hendrik Scholz <hendrikat_private>
> #
>
> if(description)
> {
>   script_id(10415);
>
>   name["english"] = "Sambar sendmail /session/sendmail";
>   script_name(english:name["english"]);
>
>   desc["english"] = "The Sambar webserver is running. It provides a webinterface for sending emails.
> You may simply pass a POST request to /session/sendmail and by this send mails to anyone you want.
> Due to the fact that Sambar does not check HTTP referers you do not need direct access to the server!
>
> See http://www.toppoint.de/~hscholz/sambar for more information.
>
> Solution : Try to disable this module. There might be a patch in the future.
>
> Risk factor : High";
>
>   script_description(english:desc["english"]);
>
>   summary["english"] = "Sambar /session/sendmail mailer installed ?";
>
>   script_summary(english:summary["english"]);
>
>   script_category(ACT_ATTACK);
>
>
>   script_copyright(english:"This script is Copyright (C) 2000 Hendrik Scholz");
>
>   family["english"] = "CGI abuses";
>   family["francais"] = "Abus de CGI";
>   script_family(english:family["english"], francais:family["francais"]);
>
>   script_dependencie("find_service.nes");
>   script_require_ports("Services/www", 80);
>   exit(0);
> }
>
> #
> # The script code starts here
>
> port = get_kb_item("Services/www");
> if(!port)port = 80;
> if(get_port_state(port))
> {
>   data = http_get(item:"/session/sendmail", port:port);
>   soc = open_sock_tcp(port);
>   if(soc)
>   {
>     send(socket:soc, data:data);
>     buf = recv(socket:soc, length:4096);
>     close(soc);
>     buf = tolower(buf);
>     if(" 400 invalid header received " >< buf)exit(0);
>     if("you're speaking plain http to an ssl-enabled server port" >< buf)exit(0);
>     if(" 400 " >< buf)security_warning(port);
>   }
> }

--
------------------------------------------------------------
E-Soft Inc.                    http://www.e-softinc.com
Publishers of SecuritySpace    http://www.securityspace.com
Tel: 1-905-331-2260            Fax: 1-905-331-2504
Tollfree in North America: 1-800-799-4831
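The thread above explains why the original false-positive filter in sambar_sendmail.nasl never fired: the check read only the first response line (recv_line), compared mixed-case text against a buffer that had already been lowercased, and used the wrong operator. The following Python is an added example, not code from the thread or from the NASL script; it emulates the broken and the corrected check side by side on constructed HTTP responses (not captured from any real server), so the effect of each defect on the scanner's verdict can be seen. The recv_line/recv emulation and the sample responses are assumptions made for the example; Python's `in` plays the role of NASL's `><` substring test.

```python
"""Emulation of the Sambar /session/sendmail false-positive filter.

Added example: shows why reading only the first response line and
comparing mixed-case text against a lowercased buffer let an SSL
port's "plain HTTP" warning be reported as a Sambar finding.
"""

# Constructed sample responses (assumptions for this example, not real captures).
SSL_PORT_REPLY = (
    "HTTP/1.0 400 Bad Request\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>\r\n"
    "You're speaking plain HTTP to an SSL-enabled server port.\r\n"
    "</body></html>\r\n"
)
SAMBAR_REPLY = (
    "HTTP/1.0 400 Bad Request\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Missing form data</body></html>\r\n"
)
OK_REPLY = "HTTP/1.0 200 OK\r\n\r\n<html>hello</html>\r\n"

# Lowercased warning text, as the corrected NASL line uses it.
SSL_WARNING = "you're speaking plain http to an ssl-enabled server port"


def recv_line(response: str) -> str:
    """Emulates NASL recv_line(): returns only the first line of the response."""
    return response.split("\n", 1)[0] + "\n"


def recv(response: str, length: int = 4096) -> str:
    """Emulates NASL recv(): returns up to `length` bytes of the whole response."""
    return response[:length]


def buggy_check(response: str) -> bool:
    """The defective logic from the thread. Returns True if a finding would be reported."""
    buf = recv_line(response).lower()          # only the status line is ever seen
    if " 400 invalid header received " in buf:
        return False
    # Mixed-case needle against a lowercased haystack: this can never match.
    if "You're speaking plain HTTP to an SSL-enabled server port" in buf:
        return False
    return " 400 " in buf


def fixed_check(response: str) -> bool:
    """The corrected logic: whole response, lowercase needle, substring test."""
    buf = recv(response, 4096).lower()
    if " 400 invalid header received " in buf:
        return False
    if SSL_WARNING in buf:                     # SSL port answering plain HTTP: not Sambar
        return False
    return " 400 " in buf


if __name__ == "__main__":
    for name, reply in (("ssl port", SSL_PORT_REPLY),
                        ("sambar", SAMBAR_REPLY),
                        ("200 ok", OK_REPLY)):
        print(f"{name:8s} buggy={buggy_check(reply)!s:5s} fixed={fixed_check(reply)}")
```

Running it shows the SSL-port reply being reported by the buggy check (the status line alone contains " 400 ") and suppressed by the fixed one, while the Sambar-style 400 reply is reported by both and a 200 reply by neither.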
This archive was generated by hypermail 2b30 : Fri Jan 04 2002 - 11:29:26 PST