On Thu, 2003-04-03 at 14:06, Renaud Deraison wrote: > On Thu, Apr 03, 2003 at 01:47:16PM +0200, Jonny Stone wrote: > > Then i have write a script to find mysqld Privilege Escalation > > Vulnerability, blindlfold > > i think is corrent and it don't run because i have receive then previos > > message. > > It is not always possible to connect to the remote MySQL - sometimes it > will tell you you're coming from a host which is not allowed to connect > to it[1] and you can't determine the remote version number. The problem is Nessus scripts connect several times just to determine the MySQL version, so the nessusd host is quite rapidly blacklisted after 10 attempts. The following patch stores the mysql version string in the KB and the other scripts use this key instead of connecting directly. While trying it, it did allow Nessus to find a few more vulnerabilities. May I commit it to CVS ? Cordialement, -- Vincent Renardias <vincentat_private>
Index: misc_func.inc
===================================================================
RCS file: /usr/local/cvs/nessus-plugins/scripts/misc_func.inc,v
retrieving revision 1.17
diff -u -r1.17 misc_func.inc
--- misc_func.inc 18 Mar 2003 14:44:40 -0000 1.17
+++ misc_func.inc 29 Mar 2003 21:10:53 -0000
@@ -27,7 +27,43 @@
 }
+function set_mysql_version(port, version)
+{
+ local_var sb;
+ sb = string("mysql/version/", port);
+ set_kb_item(name: sb, value: version);
+}
+function get_mysql_version(port)
+{
+ local_var sb, vers, soc, result, MySQL_version, end_found;
+ sb = string("mysql/version/", port);
+ vers = get_kb_item(sb);
+ if (vers) return(vers);
+ else { # Get it on the fly.
+ soc = open_sock_tcp(port);
+ if(!soc) return(NULL);
+ result = recv(socket:soc, length:1000);
+ close(soc);
+ if(strlen(result) < 6)return(NULL);
+ if("is not allowed" >< result)return(NULL);
+ if("is blocked" >< result) return(NULL);
+ MySQL_version = "";
+ if ((result[1] == raw_string(0x00)) && (result[2] == raw_string(0x00)) &&
+ (result[3] == raw_string(0x00)) && ((ord(result[4]) > 8) && (ord(result[4]) < 12))){
+ end_found = FALSE;
+ for (i = 0; end_found == FALSE ; i = i + 1) {
+ if (result[5+i] == raw_string(0x00)) {
+ end_found = TRUE;
+ } else {
+ MySQL_version = string(MySQL_version, result[5+i]);
+ }
+ }
+ return(MySQL_version);
+ }
+ }
+ return(NULL);
+}
 function get_unknown_banner(port, dontfetch)
 {
Index: mysql_bad_password.nasl
===================================================================
RCS file: /usr/local/cvs/nessus-plugins/scripts/mysql_bad_password.nasl,v
retrieving revision 1.12
diff -u -r1.12 mysql_bad_password.nasl
--- mysql_bad_password.nasl 14 Sep 2002 19:12:18 -0000 1.12
+++ mysql_bad_password.nasl 29 Mar 2003 21:10:54 -0000
@@ -41,7 +41,7 @@
 valide d'accéder à vos tables.
-Facteur de risque : Elevé
+Risk factor: High
 Solution : Mettez votre version à jour, ou bien patchez le fichier mysql-xxx/sql/password.c :
 - cherchez la boucle 'while(*scrambled)'
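Review bot: The on-the-fly branch of get_mysql_version parses the banner but never stores it, so every dependent plugin that runs without a KB entry opens its own connection to the server — the repeated probes this patch is meant to stop; add `set_mysql_version(port: port, version: MySQL_version);` just before `return(MySQL_version);`. The extraction loop `for (i = 0; end_found == FALSE ; i = i + 1)` has no bound against `strlen(result)`, so a banner without a NUL byte within the bytes received relies on out-of-range indexing semantics to terminate; bounding it with `(5+i) < strlen(result)` makes termination explicit. `i` is also absent from the `local_var` list, so it presumably becomes a script-level variable rather than a local.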
@@ -64,7 +64,7 @@
 family["english"] = "Remote file access";
 family["francais"] = "Accès aux fichiers distants";
 script_family(english:family["english"], francais:family["francais"]);
- script_dependencie("find_service.nes");
+ script_dependencie("find_service.nes", "mysql_version.nasl");
 script_require_ports("Services/mysql", 3306);
 exit(0);
 }
@@ -73,19 +73,12 @@
 # The script code starts here
 #
+include("misc_func.inc");
 port = get_kb_item("Services/mysql");
 if(!port)port = 3306;
-if(get_port_state(port))
-{
- soc = open_sock_tcp(port);
- if(soc)
- {
- r = recv(socket:soc, length:5);
- r = recv(socket:soc, length:10);
- if(ereg(pattern:"3\.(22\.(2[6789]|30)|23\.([89]|10))",
- string:r))security_hole(port);
- close(soc);
- }
-}
+ver = get_mysql_version(port);
+if (ver == NULL) exit(0);
+if(ereg(pattern:"3\.(22\.(2[6789]|30)|23\.([89]|10))", string:ver))security_hole(port);
+
Index: mysql_double_free.nasl
===================================================================
RCS file: /usr/local/cvs/nessus-plugins/scripts/mysql_double_free.nasl,v
retrieving revision 1.3
diff -u -r1.3 mysql_double_free.nasl
--- mysql_double_free.nasl 3 Mar 2003 10:27:37 -0000 1.3
+++ mysql_double_free.nasl 29 Mar 2003 21:10:54 -0000
@@ -48,7 +48,7 @@
 family["english"] = "Gain a shell remotely";
 family["francais"] = "Obtenir un shell à distance";
 script_family(english:family["english"], francais:family["francais"]);
- script_dependencie("find_service.nes");
+ script_dependencie("find_service.nes", "mysql_version.nasl");
 script_require_ports("Services/mysql", 3306);
 exit(0);
 }
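Review bot: `ver = get_mysql_version(port);` passes the port positionally while get_mysql_version declares a named parameter `port`; the `local_var` keyword in misc_func.inc suggests NASL2, where a user function's named parameters are bound only by name and anonymous arguments land in `_FCT_ANON_ARGS`, so `port` would be unset inside the function and the KB lookup and fallback connection would both use an empty port. `ver = get_mysql_version(port:port);` is the safe form and matches the `set_mysql_version(port:port, version:mySQL_version)` call style used in mysql_version.nasl; the same positional call appears in the mysql_double_free.nasl, mysql_flaws.nasl and mysql_multiple_flaws.nasl hunks. Separately, the removed `get_port_state(port)` guard is not replaced, so the fallback inside get_mysql_version will attempt a connection even when the scanner already knows the port is closed; `if(!get_port_state(port)) exit(0);` before the call keeps the old behaviour.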
@@ -57,24 +57,13 @@
 # The script code starts here
 #
+include("misc_func.inc");
 port = get_kb_item("Services/mysql");
 if(!port)port = 3306;
-
-
-if(get_port_state(port))
-{
- soc = open_sock_tcp(port);
- if(soc)
- {
- r = recv(socket:soc, length:5);
- if(!r)exit(0);
- r = recv(socket:soc, length:10);
- close(soc);
- if(!r)exit(0);
- if(ereg(pattern:"3\.(([0-9]\..*|(1[0-9]\..*)|(2[0-2]\..*))|23\.([0-4][0-9]|5[0-4])[^0-9])",
+ver=get_mysql_version(port);
+if(ver==NULL) exit(0);
+if(ereg(pattern:"3\.(([0-9]\..*|(1[0-9]\..*)|(2[0-2]\..*))|23\.([0-4][0-9]|5[0-4])[^0-9])",
 string:r))security_warning(port);
-
-
- }
-}
+
Index: mysql_flaws.nasl
===================================================================
RCS file: /usr/local/cvs/nessus-plugins/scripts/mysql_flaws.nasl,v
retrieving revision 1.12
diff -u -r1.12 mysql_flaws.nasl
--- mysql_flaws.nasl 14 Mar 2003 19:55:30 -0000 1.12
+++ mysql_flaws.nasl 29 Mar 2003 21:10:54 -0000
@@ -46,7 +46,7 @@
 family["english"] = "Remote file access";
 family["francais"] = "Accès aux fichiers distants";
 script_family(english:family["english"], francais:family["francais"]);
- script_dependencie("find_service.nes");
+ script_dependencie("find_service.nes", "mysql_version.nasl");
 script_require_ports("Services/mysql", 3306);
 exit(0);
 }
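Review bot: The continuation line ` string:r))security_warning(port);` is left as context, so the rewritten `ereg()` in mysql_double_free.nasl still matches against `r`, a variable that no longer exists in this script because the `recv` calls that set it are removed above; the check can never match and the double-free detection silently stops firing. Change that line to `string:ver))security_warning(port);`, as the mysql_flaws.nasl and mysql_multiple_flaws.nasl hunks in this patch already do. Because the line is unchanged context here, it needs an explicit edit rather than a re-diff.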
@@ -55,18 +55,13 @@
 # The script code starts here
 #
+include("misc_func.inc");
 port = get_kb_item("Services/mysql");
 if(!port)port = 3306;
-if(get_port_state(port))
-{
- soc = open_sock_tcp(port);
- if(soc)
- {
- r = recv(socket:soc, length:5);
- r = recv(socket:soc, length:10);
- if(ereg(pattern:"3\.(([0-9]\..*)|(1[0-9]\..*)|(2(([0-2]\..*)|3\.(([0-9]$)|([0-2][0-9])|(3[0-5])))))", string:r))security_hole(port);
- close(soc);
- }
-}
+ver=get_mysql_version(port);
+if(ver==NULL) exit(0);
+if(ereg(pattern:"3\.(([0-9]\..*)|(1[0-9]\..*)|(2(([0-2]\..*)|3\.(([0-9]$)|([0-2][0-9])|(3[0-5])))))",
+ string:ver))
+ security_hole(port);
Index: mysql_multiple_flaws.nasl
===================================================================
RCS file: /usr/local/cvs/nessus-plugins/scripts/mysql_multiple_flaws.nasl,v
retrieving revision 1.2
diff -u -r1.2 mysql_multiple_flaws.nasl
--- mysql_multiple_flaws.nasl 1 Mar 2003 15:01:19 -0000 1.2
+++ mysql_multiple_flaws.nasl 29 Mar 2003 21:10:54 -0000
@@ -32,9 +32,15 @@
 If you have not patched this version, then any attacker may crash this service remotely.
-Risk factor : Medium
+See also : http://security.e-matters.de/advisories/042002.html
+
+References :
+ CVE: CAN-2002-1373, CAN-2002-1374, CAN-2002-1375, CAN-2002-1376
+ Bugtraq ID: 6368, 6370, 6373, 6374, 6375
+
 Solution : Upgrade to the latest version of MySQL
-See also : http://security.e-matters.de/advisories/042002.html";
+Risk factor : Medium
+";
@@ -53,7 +59,7 @@
 family["english"] = "Gain a shell remotely";
 family["francais"] = "Obtenir un shell à distance";
 script_family(english:family["english"], francais:family["francais"]);
- script_dependencie("find_service.nes");
+ script_dependencie("find_service.nes", "mysql_version.nasl");
 script_require_ports("Services/mysql", 3306);
 exit(0);
 }
@@ -62,23 +68,13 @@
 # The script code starts here
 #
+include("misc_func.inc");
 port = get_kb_item("Services/mysql");
 if(!port)port = 3306;
-
-
-if(get_port_state(port))
-{
- soc = open_sock_tcp(port);
- if(soc)
- {
- r = recv(socket:soc, length:5);
- r = recv(socket:soc, length:10);
- close(soc);
- if(!r)exit(0);
- if(ereg(pattern:"3\.(([0-9]\..*|(1[0-9]\..*)|(2[0-2]\..*))|23\.([0-4][0-9]|5[0-3])[^0-9])",
- string:r))security_hole(port);
- if(ereg(pattern:"4\.0\.[0-5][^0-9]", string:r))security_hole(port);
- }
-}
+ver=get_mysql_version(port);
+if(ver==NULL) exit(0);
+if(ereg(pattern:"3\.(([0-9]\..*|(1[0-9]\..*)|(2[0-2]\..*))|23\.([0-4][0-9]|5[0-3])[^0-9])",
+ string:ver))security_hole(port);
+if(ereg(pattern:"4\.0\.[0-5][^0-9]", string:ver))security_hole(port);
Index: mysql_unpassworded.nasl
===================================================================
RCS file: /usr/local/cvs/nessus-plugins/scripts/mysql_unpassworded.nasl,v
retrieving revision 1.16
diff -u -r1.16 mysql_unpassworded.nasl
--- mysql_unpassworded.nasl 6 Mar 2003 09:55:46 -0000 1.16
+++ mysql_unpassworded.nasl 29 Mar 2003 21:10:54 -0000
@@ -155,3 +155,4 @@
 "Risk factor : High");
 security_hole(port:port, data:report);
+
Index: mysql_version.nasl
===================================================================
RCS file: /usr/local/cvs/nessus-plugins/scripts/mysql_version.nasl,v
retrieving revision 1.11
diff -u -r1.11 mysql_version.nasl
--- mysql_version.nasl 20 Feb 2003 16:09:38 -0000 1.11
+++ mysql_version.nasl 29 Mar 2003 21:10:54 -0000
@@ -77,10 +84,14 @@
 if(mySQL_version)
 {
+ set_mysql_version(port:port, version:mySQL_version);
 mySQL_version = string("Remote MySQL version : ", mySQL_version);
-
-
- set_kb_item(name:"mysql/version", value:mySQL_version);
 security_note(port:port, data:mySQL_version);
- register_service(port:port, proto:"mysql");
+ register_service(port:port, proto:"mysql");
 }
}
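Review bot: Dropping `set_kb_item(name:"mysql/version", value:mySQL_version);` in mysql_version.nasl removes the old global `mysql/version` key, so any plugin outside this patch that still reads it now gets nothing; keep that line next to the new `set_mysql_version(port:port, version:mySQL_version);` until every consumer has moved to the per-port key. The hunk header `@@ -77,10 +84,14 @@` starts seven lines later on the new side than on the old, which suggests an earlier hunk of mysql_version.nasl — presumably the `include("misc_func.inc")` that the set_mysql_version call depends on — is missing from the posted patch. The function enclosing this `if(mySQL_version)` block starts outside the hunk.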