[Plugins-writers] Finding flaws in closed software

From: Michel Arboi (mikhail@private)
Date: Mon Sep 20 2004 - 00:28:25 PDT


Or "The universal DoS"?
Ten days ago, I played with Yet Another Closed Source Obscure
Commercial Software which does not appear once in any security
archive, of course.
I have a couple of problems with this supervision software. It runs an
"agent" and several web servers on dynamic ports.

1. It uses a specific web server. 
The HMAP fingerprint is very different from any other known
fingerprint, so I guess that it was really written from scratch.
Apart from the fact that it is vulnerable to every kind of XSS (this
does not matter in fact), it resists all generic nasty HTTP
attacks from Nessus.
Good.
=> should we add more generic HTTP attacks? (and maybe other
protocols). If so, what kind of attacks?
e.g. this Apache flaw was discovered with an automated (?) tool:
http://www.uniras.gov.uk/l1/l2/l3/alerts2004/alert-3404.txt

2. The agent died when miscflood.nasl ran against it.
I'm not sure this is an exploitable buffer overflow. I did not have
much time for investigations.
=> miscflood.nasl & misc_format_string.nasl are very simple. Any idea
for other attacks? I was told that a "parrot" that repeats every
packet on a network can be destructive, I am not sure this would be
efficient at the Nessus level.

3. The software talks to a supervision console. I sniffed the traffic
but could not get much useful information from it.
Maybe we can design a special tool that "mutates" data from the pcap
dump and see how the remote agent reacts. I'm not sure that it can
easily be integrated into Nessus, though.

-- 
arboi@private	http://arboi.da.ru
FAQNOPI de fr.comp.securite http://faqnopi.da.ru/
NASL2 reference manual http://michel.arboi.free.fr/nasl2ref/
_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
This archive was generated by hypermail 2.1.3 : Mon Sep 20 2004 - 00:47:15 PDT