Rewritten 10759 iis_nat.nasl

From: Paul Johnston (paulat_private)
Date: Wed Sep 10 2003 - 03:28:22 PDT


    Hi,
    
    I have rewritten this plugin. Main points:
    
    1) It works in standalone mode. This had been broken since the move to 
    Nessus 2, because since then get_http_banner uses an HTTP/1.1 request, 
    while this plugin relies on an HTTP/1.0 request. In fact, I've taken away the 
    knowledge base dependency, as it previously relied on find_service using 
    an HTTP/1.0 request, which is true at the moment but could easily change.
    2) It will find an address in any header, not just Content-Location:
    3) Description rewritten to mention the general case, not just the 
    specific IIS 4 flaw.
    
    Regards,
    
    Paul
    
    -- 
    Paul Johnston
    Internet Security Specialist
    Westpoint Limited
    Albion Wharf, 19 Albion Street,
    Manchester, M1 5LN
    England
    Tel: +44 (0)161 237 1028
    Fax: +44 (0)161 237 1031
    email: paulat_private
    web: www.westpoint.ltd.uk
    
    
    
    #
    # This script was written by Georges Dagousset <georges.dagoussetat_private>
    # Modified by Paul Johnston for Westpoint Ltd <paulat_private>
    #
    # See the Nessus Scripts License for details
    #
    
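    #
    # Report text. It is assigned outside the if(description) block so that it
    # is also defined in the scan run, where the report at the bottom of this
    # script appends the leaked address to it.
    # NOTE(review): previously desc["english"] was only set inside the
    # if(description) block; if the interpreter skips that block during the
    # scan run, the report would have contained just the address - confirm.
    #
    desc["english"] = "
    This web server leaks a private IP address through its HTTP headers.
    
    This may expose internal IP addresses that are usually hidden or masked
    behind a Network Address Translation (NAT) Firewall or proxy server.
    
    There is a known issue with IIS 4.0 doing this in its default configuration.
      See http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP
    
    See the Bugtraq reference for a full discussion.
    
    Risk factor : Low
    
    The private IP address is : ";
    
    if(description)
    {
     script_id(10759);
     script_cve_id("CAN-2000-0649");
     script_bugtraq_id(1499);
     script_version ("$Revision: 1.8 $");
     name["english"] = "Private IP address leaked in HTTP headers";
     script_name(english:name["english"]);
    
     script_description(english:desc["english"]);
    
     summary["english"] = "Checks for private IP addresses in HTTP headers";
    
     script_summary(english:summary["english"]);
    
     script_category(ACT_GATHER_INFO);
    
    
     script_copyright(english:"This script is Copyright (C) 2001 Alert4Web.com, 2003 Westpoint Ltd");
     family["english"] = "General";
     script_family(english:family["english"]);
     script_dependencie("find_service.nes", "http_version.nasl");
     script_require_ports("Services/www", 80);
     # NOTE(review): this key still limits the check to hosts detected as IIS,
     # although the description now covers the general case - confirm intended.
     script_require_keys("www/iis");
     exit(0);
    }
    
    #
    # The script code starts here
    #
    include("http_func.inc");
    
    port = get_kb_item("Services/www");
    if(!port) port = 80;
    
    #
    # Craft our own HTTP/1.0 request for the server banner.
    # Note: HTTP/1.1 is rarely useful for detecting this flaw.
    #
    soc = http_open_socket(port);
    if(!soc) exit(0);
    send(socket:soc, data:string("GET / HTTP/1.0\r\n\r\n"));
    banner = http_recv_headers(soc);
    http_close_socket(soc);
    
    # Nothing to inspect if the server sent no headers at all.
    if(!banner) exit(0);
    
    #
    # Check for private IP addresses in the banner
    # Ranges are: 10.x.x.x, 172.16-31.x.x, 192.168.x.x
    #
    # The address must be preceded by the start of the banner or a character
    # that is neither a digit nor a dot, and followed by the end of the banner
    # or a non-digit, so that e.g. "110.1.1.1", "1.10.1.1.1" or "10.1.1.1234"
    # are not reported as private addresses.
    # Match groups: 1 = leading boundary, 2 = the address, 3 = the 172.16-31
    # second octet, 4 = trailing boundary.
    #
    private_ip = eregmatch(pattern:"(^|[^0-9.])(10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3}|192\.168\.[0-9]{1,3}\.[0-9]{1,3})([^0-9]|$)", string:banner);
    if(isnull(private_ip)) exit(0);
    
    leaked = private_ip[2];
    
    #
    # When the target itself lives on a private address (an internal scan),
    # seeing its own address in the headers reveals nothing - do not report it.
    #
    if(leaked == get_host_ip()) exit(0);
    
    security_warning(port:port, data:string(desc["english"], leaked));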
    


