Most of the Windows (nt) and win2k tests rely on remote reading of the windows registry entries. For nt, hotfixes and service pack levels are located in Software\Microsoft\Windows NT\CurrentVersion\HotFix; for win2k, these are in the above, plus in SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q252795.

Here lie two problems:

Windows restricts access to the remote registry server paths with this key: SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg

System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Control\Server Applications
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion

(note the absence of the SOFTWARE\Microsoft\Updates\Windows 2000\SP3\ directory)

Also, win2k and windows check registry ACL permissions a little differently, and the plugins check, not for the presence of the registry entry, but if it can be accessed.

If anyone wants to try the patches and verify the false hits, use these plugins on a fully patched win2k workstation (use www.microsoft.com/security/mpsa or hfnetchk to make sure you ARE patched), and then check these registry entries by hand to make sure they exist (ms01-046, IrDa hotfix):

key = "SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q252795";
key = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\Q252795";

They run nessus ver 1.1x. Make sure you have a valid non-administrator password in smblogin preferences, and select these plugins in the Windows Family: IrDa Access Violation patch, SMB Accessible Registry, SMB Login, SMB Registry, Win2k Service Pack Version. You should get a false positive on IrDa. Disconnect client, apply this patch and SIGHUP nessusd and try again. Let me know what happens.

--- smb_nt_ms01-046.nasl.orig Mon Dec 17 12:03:22 2001
+++ smb_nt_ms01-046.nasl Mon Jan 7 12:17:55 2002
@@ -847,9 +847,10 @@ version = get_kb_item("SMB/WindowsVersion"); if(version == "5.0") { - key = "SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q252795"; - novalue = registry_get_acl(key:key); - if(novalue) + key = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\Q252795"; + item = "Comments"; + value = registry_get_sz(key:key, item:item); + if(!value) { security_hole(139); exit(0);
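Review bot: `if(!value)` after `registry_get_sz(key:key, item:item)` still conflates "value absent" with "value unreadable", so the patch narrows the false positive rather than removing it: a win2k host whose Q252795 key exists but is not exposed through the Winreg AllowedPaths list (or whose `Comments` item is empty) will still be reported by `security_hole(139)`. Consider gating the report on a successful read of a key that is always remotely readable (the post lists Software\Microsoft\Windows NT\CurrentVersion as exported), and treating a NULL return as "could not determine" rather than "missing". The hunk also drops the SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q252795 key entirely, although the post says win2k writes both locations; checking the HotFix key first and the Updates key as a fallback would cover a hotfix that only populated one of them. Finally, the choice of `Comments` as the item to read is undocumented in the hunk; a one-line comment stating that every HotFix\Q* key is expected to carry a `Comments` value would help the next person who sees a report on a patched host.

The post asks readers to verify the hotfix keys by hand on a fully patched win2k workstation and explains that the Winreg AllowedPaths list, not the key's own existence, decides whether a remote reader sees it. The following PowerShell script, added here as an illustration and not part of the original post or the Nessus plugin, runs locally on the scanned Windows host and reports, for each of the two Q252795 keys named above, whether the key exists, whether the remote registry service would expose it, and what its `Comments` value holds. It assumes the AllowedPaths entries live in the REG_MULTI_SZ value `Machine` under `SecurePipeServers\winreg\AllowedPaths` and that a key is remotely readable when it equals or sits beneath one of those entries; the function name `Test-RemotelyReadable` is the example's own.

```powershell
# Added example (not part of the original post): run locally on the scanned Windows host.
# Assumption: the remote registry allow-list is the REG_MULTI_SZ value "Machine" under
# SecurePipeServers\winreg\AllowedPaths, and a key is exposed when it equals or lies
# beneath one of the listed paths.
$allowedPathsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths'
$allowed = @((Get-ItemProperty -Path $allowedPathsKey -Name Machine -ErrorAction Stop).Machine)

function Test-RemotelyReadable {
    # $KeyPath is relative to HKLM, e.g. 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\Q252795'
    param([string]$KeyPath)
    foreach ($p in $allowed) {
        if ($KeyPath -ieq $p -or
            $KeyPath.StartsWith("$p\", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# The two keys the post names for MS01-046 (Q252795).
$hotfixKeys = @(
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\Q252795',
    'SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q252795'
)

foreach ($k in $hotfixKeys) {
    $exists   = Test-Path -Path "HKLM:\$k"
    $readable = Test-RemotelyReadable -KeyPath $k
    $comments = $null
    if ($exists) {
        # SilentlyContinue: a key with no Comments value simply yields $null here.
        $comments = (Get-ItemProperty -Path "HKLM:\$k" -ErrorAction SilentlyContinue).Comments
    }
    [pscustomobject]@{
        Key              = $k
        ExistsLocally    = $exists
        RemotelyReadable = $readable
        Comments         = $comments
    }
}
```

A row with `ExistsLocally = True` and `RemotelyReadable = False` is exactly the situation the post describes: the hotfix is installed, but a scanner that keys on remote readability (or on an ACL probe) of that path will report it as missing. A row with `ExistsLocally = True` and an empty `Comments` shows the remaining gap in the patched check, which treats an empty string the same as an absent value.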
This archive was generated by hypermail 2b30 : Mon Jan 07 2002 - 09:21:49 PST