[Plugins-writers] windows_asn1_vuln_ntlm.nasl false negative on NT4.0

From: Crow, Owen (Owen_Crow@private)
Date: Tue Mar 09 2004 - 11:48:14 PST

    I have an NT4.0 system which is vulnerable to the MS04-007 ASN.1 issue
    according to Windows Update and when I verify the version of msasn1.dll.  If
    I scan it like this:

    nasl -s -t hostname windows_asn1_vuln_ntlm.nasl

    It is shown as not vulnerable (no "Success" message).

    Is there something I can provide to help fix the plugin to detect this
    system (and other NT systems)?  I checked to make sure that either port 139
    or 445 is open:

    # nmap -A -sSU -p139,445 hostname

    Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-03-09 13:29 CST
    Interesting ports on hostname (10.0.0.1):
    PORT    STATE  SERVICE      VERSION
    139/tcp open   netbios-ssn
    139/udp closed netbios-ssn
    445/tcp closed microsoft-ds
    445/udp closed microsoft-ds
    Device type: general purpose
    Running: Microsoft Windows NT/2K/XP
    OS details: Microsoft Windows NT 4.0 SP5-SP6

    Nmap run completed -- 1 IP address (1 host up) scanned in 7.423 seconds

    My admins who have been patching NT systems say that none of the NT systems
    are showing up in the scans.  Although I know that NT is not vulnerable by
    default, most of these systems have the security fixes in place that
    installed msasn1.dll so they are vulnerable.

    Attached is a sanitized pcap of the nasl run above.

    Thanks,
    Owen




    This archive was generated by hypermail 2b30 : Tue Mar 09 2004 - 11:49:25 PST