Or "The universal DoS"?

Ten days ago, I played with Yet Another Closed-Source Obscure Commercial Software which does not appear once in any security archive, of course. I have a couple of problems with this supervision software. It runs an "agent" and several web servers on dynamic ports.

1. It uses a specific web server. The HMAP fingerprint is very different from any other known fingerprint, so I guess that it was really written from scratch. Apart from the fact that it is vulnerable to every kind of XSS (this does not matter in fact), it resists all generic nasty HTTP attacks from Nessus. Good.
=> Should we add more generic HTTP attacks (and maybe other protocols)? If so, what kind of attacks? E.g. this Apache flaw was discovered with an automated (?) tool:
http://www.uniras.gov.uk/l1/l2/l3/alerts2004/alert-3404.txt

2. The agent died when miscflood.nasl ran against it. I'm not sure this is an exploitable buffer overflow. I did not have much time for investigations.
=> miscflood.nasl & misc_format_string.nasl are very simple. Any idea for other attacks? I was told that a "parrot" that repeats every packet on a network can be destructive; I am not sure this would be efficient at the Nessus level.

3. The software talks to a supervision console. I sniffed the traffic but could not get much useful information from it. Maybe we can design a special tool that "mutates" data from the pcap dump and see how the remote agent reacts. I'm not sure that it can easily be integrated into Nessus, though.

-- 
arboi@private http://arboi.da.ru
FAQNOPI de fr.comp.securite http://faqnopi.da.ru/
NASL2 reference manual http://michel.arboi.free.fr/nasl2ref/

_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
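Point 3 of the post sketches a tool that takes the recorded agent/console traffic from a pcap dump and replays mutated versions of it to test the agent's robustness. The block below is an added example written for this archive page; it is not code from the post, from Michel Arboi, or from Nessus. It assumes a classic libpcap file containing Ethernet/IPv4/TCP frames (the capture here is constructed in-memory so the example runs offline), extracts the TCP payloads that would be the seed messages, and derives a deterministic set of mutated test cases (bit flips, inserted runs, truncation, repeated sub-strings) from each seed. Feeding the cases to a lab instance of the agent and watching whether it still answers is left to the test harness; the value of a fixed seed is that a case which crashes the agent can be reproduced and handed to the vendor as a regression test.

```python
import random
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_tcp_frame(payload: bytes, sport: int = 40000, dport: int = 8080) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame around `payload` (checksums left zero;
    the parser below never verifies them). Only used to build the sample capture."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip_total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload


def build_pcap(frames) -> bytes:
    """Constructed pcap file (little-endian, snaplen 65535, Ethernet link type)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


def tcp_payloads(pcap: bytes):
    """Return [(sport, dport, payload)] for every TCP segment in the capture that
    carries data. Handles both byte orders of the pcap header, Ethernet only."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack(order + "I", pcap[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")

    results = []
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(order + "IIII", pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_total, = struct.unpack("!H", frame[16:18])
        if frame[23] != 6:                                    # not TCP
            continue
        tcp_start = 14 + ihl
        if len(frame) < tcp_start + 20:
            continue
        data_off = (frame[tcp_start + 12] >> 4) * 4
        sport, dport = struct.unpack("!HH", frame[tcp_start:tcp_start + 4])
        data = frame[tcp_start + data_off:14 + ip_total]     # bounded by IP length, not frame padding
        if data:
            results.append((sport, dport, data))
    return results


def mutate(seed_payload: bytes, count: int, seed: int = 0):
    """Derive `count` mutated cases from one recorded message. The RNG seed makes
    the case list reproducible, so a crashing case can be replayed later."""
    rng = random.Random(seed)
    cases = []
    for _ in range(count):
        buf = bytearray(seed_payload)
        op = rng.choice(["flip", "insert", "truncate", "repeat"])
        if op == "flip" and buf:                      # single-bit flip
            i = rng.randrange(len(buf))
            buf[i] ^= 1 << rng.randrange(8)
        elif op == "insert":                          # run of one byte value
            i = rng.randrange(len(buf) + 1)
            buf[i:i] = bytes([rng.randrange(256)]) * rng.randint(1, 64)
        elif op == "truncate" and buf:                # cut the message short
            del buf[rng.randrange(len(buf)):]
        elif op == "repeat" and buf:                  # duplicate a sub-string
            i = rng.randrange(len(buf))
            j = rng.randrange(i, len(buf) + 1)
            buf[j:j] = buf[i:j] * rng.randint(2, 8)
        cases.append(bytes(buf))
    return cases


if __name__ == "__main__":
    capture = build_pcap([
        build_tcp_frame(b"GET /status HTTP/1.0\r\n\r\n"),   # constructed request
        build_tcp_frame(b""),                                # bare ACK, no data
    ])
    for sport, dport, data in tcp_payloads(capture):
        print(f"{sport}->{dport}: {data!r}")
        for case in mutate(data, 5, seed=1):
            print("  case:", case[:40])
```

The parser bounds each payload by the IP total length rather than the frame length, so trailing Ethernet padding on short frames does not leak into the seed messages; a real capture would additionally need TCP stream reassembly before the messages are meaningful seeds.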
This archive was generated by hypermail 2.1.3 : Mon Sep 20 2004 - 00:47:15 PDT