On Sat, 6 Mar 2004, Renaud Deraison wrote:

> On Sat, Mar 06, 2004 at 03:07:49AM -0700, Erik Stephens wrote:
> > Using this plugin against a linksys router with the default password
> > set does not successfully identify the hole. Attached is a patch that
> > I *think* would handle it better. Here is the raw output:
> [...]
> > --- linksys_ap_default_password.nasl 2004-02-18 02:07:07.000000000 -0700
> > +++ linksys_ap_default_password.nasl.new 2004-03-06 02:54:32.000000000 -0700
> > @@ -53,4 +53,4 @@
> > res = http_keepalive_send_recv(port:port, data:req);
> > if (res == NULL ) exit(0);
> > -if("HTTP/1.1 200 OK" >< res && "WANConnectionSel" >< res && "linksys" >< res)security_hole(port);
> > +if ("401 Unauthorized" >!< res) security_hole(port);
>
> This would false positive on any web server not password protected, but
> I've committed a fix along those lines, thanks.

Doh! My patch was a gross oversimplification. Thanks for cleaning that up.

I have another question still. When testing if the 2nd request let us in,
would it be more robust to say as long as the page does not look like a
"401 Unauthorized" page, like so?

if ( egrep ( pattern:"^HTTP/.* 401 .*", string:res ) ) {
  req -= string("\r\n\r\n");
  req += string("\r\nAuthorization: Basic OmFkbWlu\r\n\r\n");
  res = http_keepalive_send_recv(port:port, data:req);
  if (res == NULL ) exit(0);
  if ( ! egrep ( pattern:"^HTTP/.* 401 .*", string:res) ) security_hole(port);
}

It might better deal with web servers that might issue a redirect or
something weird (non-200 return code) after logging you in.

By the way, I just ran across plugin 10999, which does the same thing as
this one. Looks like it was written before this one and might suffer from
false negatives also. It checks for hyperlinks to the different management
pages, which will not be the same for all versions of these routers. It did
have a CVE reference:

script_cve_id("CAN-1999-0508");

Best regards,

Erik Stephens
www.edgeos.com
Managed Vulnerability Assessment Services

_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
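Review bot: the replacement condition in the `@@ -53,4 +53,4 @@` hunk, `+if ("401 Unauthorized" >!< res) security_hole(port);`, drops every check that the response actually came from a Linksys device, so anything lacking the literal text "401 Unauthorized" is reported as the hole: an unprotected web server, a 401 whose reason phrase is "Authorization Required" instead of "Unauthorized", or a plain 404/500 error page. Keep a device fingerprint from the removed line (the `"linksys" >< res` test, or the realm in the WWW-Authenticate header) in the condition and test the status line rather than the whole body, for example `egrep(pattern:"^HTTP/.* 401 ", string:res)`, so that only a credentialed retry that is no longer challenged gets reported.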
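The two-step check sketched in the message above, as an added Python example that is not part of this thread or of the Nessus plugin: it classifies raw HTTP responses on the status line (as the egrep pattern does) instead of by substring over the whole response, and contrasts that with the `>!<` condition from the quoted patch. Every response string below is constructed for illustration, the function names are my own, and nothing is sent over the network.

```python
import re

# Status-line match in the spirit of egrep(pattern:"^HTTP/.* 401 .*"), but
# anchored to the first line only and capturing the numeric code.
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})")


def status_code(res):
    """Return the numeric status code of a raw HTTP response, or None when
    the text does not start with a status line."""
    m = STATUS_LINE.match(res)
    return int(m.group(1)) if m else None


def is_auth_challenge(res):
    """True when the response is a 401 challenge, judged on the status line.
    A page that merely mentions '401 Unauthorized' in its body is not one."""
    return status_code(res) == 401


def patch_condition(res):
    """The condition from the quoted patch: '401 Unauthorized' >!< res.
    Fires whenever that exact substring is absent, whatever the status."""
    return "401 Unauthorized" not in res


def default_credentials_accepted(unauth_res, auth_res):
    """Two-step logic from the thread: the first request must be challenged
    with 401, and the retry carrying credentials must come back as anything
    other than 401 (200, 302, ...). A missing response never counts as a hit,
    mirroring the 'if (res == NULL) exit(0)' in the plugin."""
    if not unauth_res or not auth_res:
        return False
    return is_auth_challenge(unauth_res) and not is_auth_challenge(auth_res)


# Constructed sample responses (not captured from any real device).
CHALLENGE = (
    "HTTP/1.0 401 Authorization Required\r\n"
    'WWW-Authenticate: Basic realm="constructed-realm"\r\n\r\n'
)
CHALLENGE_RETRY = "HTTP/1.0 401 Authorization Required\r\n\r\nDenied"
REDIRECT = "HTTP/1.0 302 Found\r\nLocation: /index.asp\r\n\r\n"
OPEN_SERVER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>public</html>"
BODY_MENTION = "HTTP/1.1 200 OK\r\n\r\n<p>Last visit returned 401 Unauthorized.</p>"


if __name__ == "__main__":
    # Substring test from the patch flags a denied retry and an open server alike;
    # the status-line test only flags a challenge that disappears after the retry.
    print("patch condition on a denied retry:", patch_condition(CHALLENGE_RETRY))
    print("patch condition on an open server:", patch_condition(OPEN_SERVER))
    print("two-step, 302 after credentials:", default_credentials_accepted(CHALLENGE, REDIRECT))
    print("two-step, still 401 after credentials:", default_credentials_accepted(CHALLENGE, CHALLENGE_RETRY))
    print("two-step, server never challenged:", default_credentials_accepted(OPEN_SERVER, OPEN_SERVER))
```

The point of the contrast is that the substring check answers the wrong question (does the text "401 Unauthorized" appear anywhere?), whereas the status-line check answers the one the plugin needs (was this response an authentication challenge?), which is why a redirect or an odd non-200 page after login is handled correctly by the two-step version.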
This archive was generated by hypermail 2b30 : Sat Mar 06 2004 - 10:25:25 PST