Hi,

Three plugins related to MS-SQL (mssql_blank_password.nasl, mssql_brute_force.nasl and mssqlserver_detect.nasl) have some false negatives when dealing with non-English versions of SQL Server.

For the two plugins dealing with accounts, the patch is really simple:

< if("context to" >< r)
---
> if("SQL Server" >< r)

For the plugin used to detect a SQL Server, the changes are bigger. In fact, I took mssql_blank_password.nasl as a template and generated an unsuccessful login, looking for a specific string in the response. This trick allows us to check if we have a real SQL Server or just a netcat in listen mode:

====================================================================
anormal = "Port 1433 is open but that's not a Microsoft's SQL Server *OR* this plugin is buggy.";

[snip]

make_sql_login_pkt(username:"Nessus-Test-User", password:crap(20));
send(socket:soc, data:sql_packet);
send(socket:soc, data:pkt_lang);
r = recv(socket:soc, length:4096);
close(soc);

if("'Nessus-Test-User'" >< r)
{
  security_note(port:port, data:report);
}
else
{
  security_note(port:port, data:anormal);
}
====================================================================

Do you need the complete plugins or are these diffs enough?

Btw, numerous VA tools have the same problem, I'm currently notifying them.

Regards,

--
Nicolas Gregoire ----- Information Systems Security Consultant
ngregoireat_private ------[ ExaProbe ]------ http://www.exaprobe.com/
PGP KeyID:CA61B44F FingerPrint:1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F
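Review bot: the replacement literal "SQL Server" in the account plugins is still a fixed string, so the check now rests on the product name appearing verbatim in every localized login response; a short comment next to the test stating that assumption would help the next maintainer, and the quoted-user-name match used in the mssqlserver_detect.nasl snippet is the more locale-independent pattern where the response is expected to echo a value the plugin itself supplied.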
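The locale-independent check the detection snippet relies on, as an added Python example (not the plugin's NASL code): it matches the quoted probe user name that the server echoes back rather than an English phrase, in both 8-bit and UCS-2LE form so TDS 4.2 and TDS 7 style text are both covered. The sample responses below are constructed for the example, not captured from a server.

```python
"""Classify a raw response to a deliberately failing MS-SQL login.

Added example; the probe user name is the one the NASL snippet sends.
"""

PROBE_USER = "Nessus-Test-User"

# Constructed sample responses (not real captures): the message text a server
# returns after rejecting the probe login, in two locales and two encodings,
# plus what two non-SQL listeners would give back.
EN_REJECT = b"Login failed for user 'Nessus-Test-User'."
FR_REJECT = "\xc9chec de la connexion de l'utilisateur 'Nessus-Test-User'.".encode("latin-1")
UCS2_REJECT = "Login failed for user 'Nessus-Test-User'.".encode("utf-16-le")
NETCAT_LISTENER = b""                   # netcat in listen mode sends nothing back
OTHER_BANNER = b"220 some unrelated service ready\r\n"


def english_only_check(resp: bytes) -> bool:
    """The fragile pattern: a fixed English phrase, which a localized server
    never sends, hence the false negatives described in the post."""
    return b"Login failed" in resp


def echoes_probe_user(resp: bytes, user: str = PROBE_USER) -> bool:
    """The trick from the post: a real server quotes the rejected user name in
    its error text whatever its language. The name is checked as 8-bit text
    (TDS 4.2 style) and as UCS-2LE (TDS 7 style), since a plain byte match on
    the ASCII form would miss the two-byte-per-character variant."""
    quoted = f"'{user}'"
    return quoted.encode("latin-1") in resp or quoted.encode("utf-16-le") in resp


def classify(resp: bytes) -> str:
    """Return the verdict the plugin reports: 'mssql' or 'not-mssql'."""
    return "mssql" if echoes_probe_user(resp) else "not-mssql"


if __name__ == "__main__":
    for name, sample in [("en", EN_REJECT), ("fr", FR_REJECT),
                         ("ucs2", UCS2_REJECT), ("netcat", NETCAT_LISTENER),
                         ("banner", OTHER_BANNER)]:
        print(f"{name:7} english_only={english_only_check(sample)!s:5} "
              f"verdict={classify(sample)}")
```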
This archive was generated by hypermail 2b30 : Wed Mar 05 2003 - 07:30:05 PST