The following regular expression:

    .*Sendmail.*(Switch\-((1\.)|(2\.(0\.|1\.[0-4])))|(\/|UCB | )([5-7]|8\.([0-9](\.|;|$)|1[01]\.|12\.[0-7](\/| |\.|\+)))).*

Matches the following string (which I constructed from a sendmail server's output but believe should not be considered vulnerable):

    ns.somehost.com ESMTP Sendmail 8.12.8/SuSE Linux 0.6; Mon, 3 Mar 2003 5:17:17 -0800

Because it thinks that the 5 in 5:45:18 is the version of the sendmail. That is the ".*" after Sendmail consumes everything through "2003" and then the " 5" is matched by "(\/|UCB | )([5-7]...".

In other words, the regular expression will generate false positives for this server between 5 and 7 in the morning.

Following is a little nasl script which exhibits the problem. Try changing the time from 5 to 8...

--Steven

--- cut here ---
re = ".*Sendmail.*(Switch\-((1\.)|(2\.(0\.|1\.[0-4])))|(\/|UCB | )([5-7]|8\.([0-9](\.|;|$)|1[01]\.|12\.[0-7](\/| |\.|\+)))).*";
banner = "ns.somehost.com ESMTP Sendmail 8.12.8/SuSE Linux 0.6; Mon, 3 Mar 2003 5:17:17 -0800";
if (ereg(pattern:re, string:banner))
  display("matches\n");
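
The behaviour reported in the message above, reproduced in Python as an added example (not part of the original post or of the plugin it discusses), together with a banner check that compares the parsed version number instead of scanning the whole line. The VERSION pattern, the FIRST_UNFLAGGED cutoff (read off the quoted pattern, which flags up to 8.12.7) and the function names are assumptions of this example, and the Switch- branch is not covered.

```python
import re

# Pattern quoted in the post (POSIX ERE syntax that Python's re also accepts).
ORIGINAL = re.compile(
    r".*Sendmail.*(Switch\-((1\.)|(2\.(0\.|1\.[0-4])))|(\/|UCB | )"
    r"([5-7]|8\.([0-9](\.|;|$)|1[01]\.|12\.[0-7](\/| |\.|\+)))).*"
)

# Constructed banner template based on the one in the post; only the hour varies.
BANNER = ("ns.somehost.com ESMTP Sendmail 8.12.8/SuSE Linux 0.6; "
          "Mon, 3 Mar 2003 {hour}:17:17 -0800")

# Assumption: the daemon version is the dotted number right after "Sendmail ".
VERSION = re.compile(r"Sendmail (\d+(?:\.\d+)*)")
# Assumption: first release the quoted pattern does not flag.
FIRST_UNFLAGGED = (8, 12, 8)


def flagged_hours_original():
    """Hours of the day at which the original pattern flags the 8.12.8 banner."""
    return [h for h in range(24) if ORIGINAL.search(BANNER.format(hour=h))]


def flagged_by_version(banner):
    """Flag only when the parsed version token is below FIRST_UNFLAGGED."""
    m = VERSION.search(banner)
    if m is None:
        return False  # no version token: make no claim from the banner
    version = tuple(int(part) for part in m.group(1).split("."))
    return version < FIRST_UNFLAGGED


if __name__ == "__main__":
    print("original pattern flags 8.12.8 at hours:", flagged_hours_original())
    still_flagged = [h for h in range(24)
                     if flagged_by_version(BANNER.format(hour=h))]
    print("version comparison flags 8.12.8 at hours:", still_flagged)
```
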
This archive was generated by hypermail 2b30 : Mon Mar 03 2003 - 13:23:38 PST