There are some patches for Windows which are covered by more than one hotfix. Accurately checking for these patches requires checking multiple keys in the windows registry. One example of this is MS03-027 (Nessus plug-in #11792). This hotfix is also included in the Windows XP Update Rollup 1 (see http://support.microsoft.com/?kbid=826939). Therefore to check if the hotfix is applied both the key "HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP2\Q811493" and "HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP2\K826939" must be checked. If either key is present the vulnerability is patched. Between the XP Update Rollup and some cases where one patch supersedes another there is the possibility of false positives in scans. Modified code for plug-in 11792 which gives an accurate answer follows:

#
# (C) Tenable Network Security
#
# v1.5 changes by Nathan Hall (13/05/2004): check for XP Update Rollup 1
#

if(description)
{
 script_id(11792);
 script_version("$Revision: 1.5 $");
 script_cve_id("CAN-2003-0306");

 name["english"] = "Buffer overrun in Windows Shell (821557)";
 script_name(english:name["english"]);

 desc["english"] = "
The remote host is running a version of Windows which has a flaw in
its shell. An attacker could exploit it by creating a malicious
Desktop.ini file which triggers the flaw, and put it on a shared
folder and wait for someone to browse it.

Solution : see http://www.microsoft.com/technet/security/bulletin/ms03-027.mspx
Risk factor : Medium";

 script_description(english:desc["english"]);

 # NOTE(review): the summary names Q823980, while the script name and the
 # registry key checked below name 821557 -- confirm which identifier is
 # intended before relying on the summary text.
 summary["english"] = "Checks for hotfix Q823980";
 script_summary(english:summary["english"]);

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2003 Tenable Network Security");
 family["english"] = "Windows";
 script_family(english:family["english"]);

 script_dependencies("netbios_name_get.nasl", "smb_login.nasl",
                     "smb_registry_full_access.nasl",
                     "smb_reg_service_pack_XP.nasl",
                     "smb_reg_service_pack_W2K.nasl");
 script_require_keys("SMB/name", "SMB/login", "SMB/password",
                     "SMB/registry_full_access", "SMB/WindowsVersion");
 script_exclude_keys("SMB/Win2003/ServicePack");
 script_require_ports(139, 445);
 exit(0);
}

include("smb_nt.inc");

# Reads the "Description" value of a hotfix key (relative to HKLM).
# A non-empty result is taken as evidence that the hotfix is installed;
# an absent key yields nothing.
function hotfix_description(key)
{
 return registry_get_sz(item:"Description", key:key);
}

# Transport port recorded by the SMB probes; fall back to 139.
smb_port = get_kb_item("SMB/transport");
if(!smb_port) smb_port = 139;

# The hotfix keys cannot be read without full registry access; give up quietly.
if(!get_kb_item("SMB/registry_full_access")) exit(0);

# Only Windows XP (NT 5.1) is in scope for this check.
win_ver = get_kb_item("SMB/WindowsVersion");
if("5.1" >< win_ver)
{
 # Service Pack 2 or later already contains the fix.
 # NOTE(review): SMB/WinXP/ServicePack may be unset on a host with no service
 # pack, so ereg() can receive an empty value -- confirm that is treated as a
 # non-match rather than an error.
 xp_sp = get_kb_item("SMB/WinXP/ServicePack");
 if(ereg(string:xp_sp, pattern:"Service Pack [2-9]")) exit(0);

 # The fix is also shipped in XP Update Rollup 1 (KB826939); a host carrying
 # the rollup but not the standalone hotfix key is not vulnerable, so this
 # check must come before the standalone one to avoid a false positive.
 rollup = hotfix_description(key:"SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB826939");
 if(rollup) exit(0);

 # Standalone hotfix for MS03-027; report only when it is missing too.
 hotfix = hotfix_description(key:"SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB821557");
 if(!hotfix) security_hole(smb_port);
}

Nathan Hall System Administrator - Computer Services SUNY Oneonta Oneonta, NY 13820 (607) 436-2708 _______________________________________________ Plugins-writers mailing list Plugins-writers@private http://mail.nessus.org/mailman/listinfo/plugins-writers