Re: [Plugins-writers] False negative for linksys_ap_default_password?

From: Erik Stephens (erik@private)
Date: Sat Mar 06 2004 - 10:24:40 PST


    On Sat, 6 Mar 2004, Renaud Deraison wrote:
    
    > On Sat, Mar 06, 2004 at 03:07:49AM -0700, Erik Stephens wrote:
    > > Using this plugin against a linksys router with the default password
    > > set does not successfully identify the hole.  Attached is a patch that
    > > I *think* would handle it better.  Here is the raw output:
    > [...]
    > > --- linksys_ap_default_password.nasl	2004-02-18 02:07:07.000000000 -0700
    > > +++ linksys_ap_default_password.nasl.new	2004-03-06 02:54:32.000000000 -0700
    > > @@ -53,4 +53,4 @@
    > >  res = http_keepalive_send_recv(port:port, data:req);
    > >  if (res == NULL ) exit(0);
    > > -if("HTTP/1.1 200 OK" >< res && "WANConnectionSel" >< res && "linksys" >< res)security_hole(port);
    > > +if ("401 Unauthorized" >!< res) security_hole(port);
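    Review bot: the replacement condition on the `+` line reports a hole whenever "401 Unauthorized" is absent from the reply, so a target that never challenged in the first place (no authentication configured, or not a Linksys device at all) is flagged as running the default password; the hunk also drops the only evidence that the host is a Linksys AP ("WANConnectionSel" and "linksys" on the removed `-` line). Keep the device fingerprint, require that the first, unauthenticated request actually returned 401 before sending the default credentials, and match the status line (for example `^HTTP/.* 401 `) rather than the literal reason phrase "401 Unauthorized", which servers are free to vary.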
    >
    > This would false positive on any web server not password protected, but
    > I've committed a fix along those lines, thanks.
    
    Doh!  My patch was a gross oversimplification.  Thanks for cleaning that
    up.  I have another question still.  When testing if the 2nd request let
    us in, would it be more robust to say as long as the page does not look
    like a "401 Unauthorized" page, like so?
    
        # Only proceed if the unauthenticated request was actually challenged.
        if ( egrep ( pattern:"^HTTP/.* 401 .*", string:res ) )
        {
         # Drop the end-of-headers marker, append the credentials, then restore it.
         # "OmFkbWlu" is base64 of ":admin" (empty user name, password "admin").
         req -= string("\r\n\r\n");
         req += string("\r\nAuthorization: Basic OmFkbWlu\r\n\r\n");
         res = http_keepalive_send_recv(port:port, data:req);
         if (res == NULL ) exit(0);
         # Anything other than a second 401 means the default password was accepted.
         if ( ! egrep ( pattern:"^HTTP/.* 401 .*", string:res) )
           security_hole(port);
        }
    
    It might better deal with web servers that might issue a redirect or
    something weird (non-200 return code) after logging you in.
    
    
    By the way, I just ran across plugin 10999, which does the same thing as
    this one.  Looks like it was written before this one and might suffer from
    false negatives also.  It checks for hyperlinks to the different
    management pages, which will not be the same for all versions of these
    routers.  It did have a CVE reference:
    
        script_cve_id("CAN-1999-0508");
    
    
    Best regards,
    Erik Stephens                                           www.edgeos.com
                                 Managed Vulnerability Assessment Services
    _______________________________________________
    Plugins-writers mailing list
    Plugins-writers@private
    http://mail.nessus.org/mailman/listinfo/plugins-writers
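The decision logic the thread converges on, worked through in Python as an added example (it is not the Nessus plugin's code, and the function and scenario names, the request bytes and the response bytes are all constructed here). It keeps the two checks that matter: the unauthenticated request must have been answered with 401, which is the guard against the false positive Renaud describes, and the credentialed request is then judged by its status code alone, so a 302 or any other non-401 reply counts as a successful login, which is the robustness Erik asks about. It also builds the Authorization header the NASL snippet hard-codes, to show where "OmFkbWlu" comes from.

```python
"""Default-credential probe logic for HTTP Basic auth (added example).

No network I/O: the HTTP requests and responses below are constructed
byte strings standing in for what a scanner would send and receive.
"""
import base64
import re
from typing import Dict, Optional

# Match the status line only, e.g. b"HTTP/1.1 401 Unauthorized".
# The reason phrase is deliberately ignored; only the code is trusted.
STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3}) ")


def status_code(response: bytes) -> Optional[int]:
    """Return the status code from the response's status line, or None
    if the data does not start with an HTTP status line at all."""
    m = STATUS_LINE.match(response)
    return int(m.group(1)) if m else None


def basic_auth_header(user: str, password: str) -> bytes:
    """Build the Authorization header for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}".encode()


def add_basic_auth(request: bytes, user: str, password: str) -> bytes:
    """Insert an Authorization header just before the blank line that
    ends the request headers (the same trick the NASL snippet does with
    `req -= "\\r\\n\\r\\n"` followed by `req += ...`)."""
    head, sep, body = request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    return head + b"\r\n" + basic_auth_header(user, password) + sep + body


def default_password_accepted(unauth_response: bytes, auth_response: bytes) -> bool:
    """Two-step verdict.

    1. The unauthenticated request must have been challenged with 401.
       Otherwise the resource is simply not protected, and reporting a
       default password would be a false positive.
    2. The credentialed request must not be answered with 401 again.
       Any other valid status (200, 302, ...) counts as accepted, so a
       device that redirects after login is still detected.
    """
    if status_code(unauth_response) != 401:
        return False
    code = status_code(auth_response)
    if code is None:  # empty or non-HTTP reply: no evidence either way
        return False
    return code != 401


def run_scenarios() -> Dict[str, bool]:
    """Evaluate the verdict over constructed response pairs."""
    challenge = (b"HTTP/1.1 401 Unauthorized\r\n"
                 b'WWW-Authenticate: Basic realm="router"\r\n\r\n')
    ok = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
    redirect = b"HTTP/1.0 302 Found\r\nLocation: /index.htm\r\n\r\n"
    return {
        # Never challenged: not protected, must not be flagged.
        "unprotected_server": default_password_accepted(ok, ok),
        # Challenged, and the default credentials were rejected.
        "rejects_default": default_password_accepted(challenge, challenge),
        # Challenged, then let in with a plain 200.
        "accepts_default_200": default_password_accepted(challenge, ok),
        # Challenged, then let in with a redirect rather than a 200.
        "accepts_default_redirect": default_password_accepted(challenge, redirect),
        # Challenged, then the connection yielded nothing usable.
        "no_reply_to_credentials": default_password_accepted(challenge, b""),
    }


if __name__ == "__main__":
    # Constructed request; 192.168.1.1 is only a placeholder host.
    req = b"GET / HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"
    print(add_basic_auth(req, "", "admin").decode())
    for name, verdict in run_scenarios().items():
        print(f"{name:26s} -> {'HOLE' if verdict else 'no finding'}")
```

Of the five scenarios only the two "accepts_default" cases produce a finding; the unprotected server, which would have tripped the `>!<`-only patch, does not.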
    



    This archive was generated by hypermail 2b30 : Sat Mar 06 2004 - 10:25:25 PST