Hello.
I have used nessus for several years and wanted to make some suggestions for
a couple of scripts.
First, just a couple of additions. In the rsh.nasl there's an incomplete
description of the danger involved in rsh. I suggest adding something like
the following:
Also, it may allow poorly authenticated logins
without passwords. If the host is vulnerable to
TCP sequence number guessing (from any network)
or IP spoofing (including ARP hijacking on a
local network) then it may be possible to bypass
authentication.
Also, rsh is an easy way to turn file-write
access into full logins through the .rhosts or
rhosts.equiv files. It is a built-in backdoor
into a system that an attacker will make easy
use of.
In windows_terminal_services.nasl, it would probably be good to mention:
An attacker is able to repeatedly test names and passwords.
In xdmcp.nasl it would be good to mention a similar item:
Also XDMCP is an additional login mechanism that you may not
have been aware was enabled, or may not be monitoring failed
logins on.
Secondly, I think it's fantastic the way nessus kb determines there's a web
server on a strange port and then goes after it. When
openssl_overflow_generic_test.nasl detects openssl vulnerability on ports
2381 or 49401 (insight manager ssl ports) the advice it gives should match
the product. Nessus gives no information for this product and it's very
difficult to find from the vendor (gee, I wonder why?)
I suggest the following:
--- openssl_overflow_generic_test.nasl.orig 2003-10-24 11:44:35.000000000 -0700
+++ openssl_overflow_generic_test.nasl 2003-10-24 11:50:24.000000000 -0700
@@ -27,7 +27,9 @@
This version is vulnerable to a buffer overflow which,
may allow an attacker to obtain a shell on this host.
+See also: online.securityfocus.com/advisories/4316
Solution : Upgrade to version 0.9.6e (0.9.7beta3) or newer
+Compaq Insight Manager: www.compaq.com/support/files/server/us/download/15803.html
Risk factor : High";
script_description(english:desc["english"], francais:desc["francais"]);
Speaking of alternative products that are web servers, the http_version.nasl
should recognize some of the more common special-purpose http daemons. I shut
off the response completely; IMHO this result should only apply to
specific version numbers or perhaps not to give away that it's IIS or
apache, I think anything else is going to be given away through the content.
Anyway, maybe you think oracle should produce this finding also, but here
is what I do:
--- http_version.nasl.orig Thu Nov 28 14:46:22 2002
+++ http_version.nasl Thu Nov 28 15:01:45 2002
@@ -72,7 +72,15 @@
if("Microsoft-IIS/" >< svr){
report = report + string("\n", "Solution : You can use urlscan to change reported server for IIS.");
}else{
- report = report + string("\n", "Solution : We recommend that you configure (if possible) your web server to return\n", "a bogus Server header in order to not leak information.\n");
+ if("Oracle9iAS" >< svr){
+# don't want to hear it
+ }else{
+ if("CompaqHTTPServer/" >< svr){
+# don't want to hear it
+ }else{
+ report = report + string("\n", "Solution : We recommend that you configure (if possible) your web server to return\n", "a bogus Server header in order to not leak information.\n");
+ }
+ }
}
}
security_note(port:port, data:report);
Also on the topic of Insight Manager, I notice that two scripts seem to trigger
a lot from the Insight Manager, and as far as I can tell they're false results.
I simply exit based on the port number. Probably the better way would be to
set some key in the http_version script mentioned above, and terminate these
based on requiring that key. Anyway, here is what I am doing now.
--- Jserv_css.nasl.orig 2003-10-23 12:37:24.000000000 -0700
+++ Jserv_css.nasl 2003-10-24 11:41:55.000000000 -0700
@@ -46,6 +46,7 @@
port = get_kb_item("Services/www");
if(!port)port = 80;
+if((port == 2301)||(port==49400)) exit(0);
if(get_kb_item(string("www/", port, "/generic_xss")))exit(0);
--- snapstream_dir_trav.nasl.bak Thu Oct 24 15:36:03 2002
+++ snapstream_dir_trav.nasl Thu Oct 24 15:36:16 2002
@@ -53,6 +53,7 @@
if(!port)port = 8129;
if(!get_port_state(port)) exit(0);
+if((port == 2301)||(port==49400)) exit(0);
fil[0] = "../ssd.ini";
fil[1] = "/../../../../autoexec.bat"
The next thing is that there are two ca_unicenter scripts which are a bit
out of date. They are five years old, and test only the ports being open
and report "security holes". The content indicates no specific vulnerability.
Although it's probably a good idea to produce a warning that the ports are
exposed, I think both of them should be downgraded to warnings.
There are, however, several unicenter vulnerabilities, just not on those
particular ports. Securityfocus gives the following Bugtraq ID's:
9863 Unicenter TNG Utilities Multiple Buffer Overflow
9205,9206,9207 Unicenter Remote control
7811,7809,7816,7817 Unicenter TNG
7808 Asset Manager
I don't know if there's a port number on the last one but I modified the
scripts I mentioned to check these ports and report similar information.
The changes of hole to warning:
--- ca_unicenter_file_transfer_service.nasl.bak Wed Oct 16 23:36:07 2002
+++ ca_unicenter_file_transfer_service.nasl Wed Oct 16 23:55:36 2002
@@ -58,7 +58,7 @@
if (strlen(result)>0)
{
set_kb_item(name:"Windows compatible", value:TRUE);
- security_hole(port:4104, protocol:"udp");
+ security_warning(port:4104, protocol:"udp");
}
close(socudp4104);
--- ca_unicenter_transport_service.nasl.bak Thu Oct 17 15:34:57 2002
+++ ca_unicenter_transport_service.nasl Thu Oct 17 15:22:27 2002
@@ -52,7 +52,7 @@
if (strlen(result)>0)
{
set_kb_item(name:"Windows compatible", value:TRUE);
- security_hole(0);
+ security_warning(0);
}
}
And here are diffs against file_transfer for the items that really are holes.
Notice a completely different set of port numbers.
--- ca_unicenter_file_transfer_service.nasl 2004-09-15 06:28:02.000000000 -0700
+++ ca_unicenter_controlit_service.nasl 2004-09-18 10:46:58.000000000 -0700
@@ -1,19 +1,20 @@
#
-# This script was written by Noam Rathaus <noamr@private>
+# This script was derived from one written by Noam Rathaus <noamr@private>
#
# See the Nessus Scripts License for details
#
if(description)
{
- script_id(10032);
- script_version ("$Revision: 1.9 $");
- name["english"] = "CA Unicenter's File Transfer Service is running";
+ script_id(FIXME);
+ script_bugtraq_id(9205,9206,9207);
+ script_version ("$Revision: 1.0 $");
+ name["english"] = "CA Unicenter's ControlIT Service is running";
script_name(english:name["english"]);
- desc["english"] = "CA Unicenter's File Transfer Service uses ports TCP:3104, UDP:4104 and
-TCP:4105 for communication between its clients and other CA Unicenter
-servers. These ports are open, meaning that CA Unicenter File Transfer
+ desc["english"] = "CA Unicenter's ControlIT Service uses ports TCP:799, UDP:800 and
+UDP:801 for communication between its clients and other CA Unicenter
+servers. These ports are open, meaning that CA Unicenter ControlIT
service is probably running, and is open for outside attacks.
Solution: Block those ports from outside communication
@@ -22,15 +23,15 @@
script_description(english:desc["english"]);
- summary["english"] = "CA Unicenter's File Transfer Service is running";
+ summary["english"] = "CA Unicenter's ControlIT Service is running";
script_summary(english:summary["english"]);
script_category(ACT_GATHER_INFO);
- script_copyright(english:"This script is Copyright (C) 1999 SecuriTeam");
+ script_copyright(english:"Portions of this script are Copyright (C) 1999 SecuriTeam");
family["english"] = "Windows";
script_family(english:family["english"]);
- script_require_ports(3104, 4105);
+ script_require_ports(799);
exit(0);
}
@@ -38,30 +39,28 @@
# The script code starts here
#
- if ((get_port_state(3104)) && (get_port_state(4105)) && (get_udp_port_state(4104)))
+ if ((get_port_state(799)) && (get_port_state(800)) && (get_udp_port_state(801)))
{
- soctcp = open_sock_tcp(3104);
+ soctcp = open_sock_tcp(799);
if(!soctcp)exit(0);
else close(soctcp);
- soctcp = open_sock_tcp(4105);
- if(!soctcp)exit(0);
- else close(soctcp);
-
-
- socudp4104 = open_sock_udp(4104);
+ socudp800 = open_sock_udp(800);
+ socudp801 = open_sock_udp(801);
- if (socudp4104)
+ if ((socudp800) && (sockudp801))
{
- send (socket:socudp4104, data:string("\r\n"));
- result = recv(socket:socudp4104, length:1000);
- if (strlen(result)>0)
+ send (socket:socudp800, data:string("\r\n"));
+ result800 = recv(socket:socudp800, length:1000);
+ send (socket:socudp801, data:string("\r\n"));
+ result801 = recv(socket:socudp801, length:1000);
+ if ((strlen(result800)>0) || (strlen(result801)>0))
{
set_kb_item(name:"Windows compatible", value:TRUE);
-# security_hole(port:4104, protocol:"udp");
- security_warning(port:4104, protocol:"udp");
+ security_hole(port:799, protocol:"tcp");
}
- close(socudp4104);
+ close(socudp800);
+ close(socudp801);
}
}
--- ca_unicenter_file_transfer_service.nasl 2004-09-15 06:28:02.000000000 -0700
+++ ca_unicenter_TNG_service.nasl 2004-09-18 11:19:24.000000000 -0700
@@ -1,20 +1,21 @@
#
-# This script was written by Noam Rathaus <noamr@private>
+# This script was derived from one written by Noam Rathaus <noamr@private>
#
# See the Nessus Scripts License for details
#
if(description)
{
- script_id(10032);
- script_version ("$Revision: 1.9 $");
- name["english"] = "CA Unicenter's File Transfer Service is running";
+ script_id(FIXME);
+ script_bugtraq_id(7811,7809,7816,7817,9863);
+ script_version ("$Revision: 1.0 $");
+ name["english"] = "CA Unicenter TNG services is running";
script_name(english:name["english"]);
- desc["english"] = "CA Unicenter's File Transfer Service uses ports TCP:3104, UDP:4104 and
+ desc["english"] = "CA Unicenter TNG services use ports TCP:1721 and
TCP:4105 for communication between its clients and other CA Unicenter
-servers. These ports are open, meaning that CA Unicenter File Transfer
-service is probably running, and is open for outside attacks.
+servers. These ports are open, meaning that CA Unicenter TNG
+services are probably running, and are open for outside attacks.
Solution: Block those ports from outside communication
@@ -22,15 +23,15 @@
script_description(english:desc["english"]);
- summary["english"] = "CA Unicenter's File Transfer Service is running";
+ summary["english"] = "CA Unicenter TNG services is running";
script_summary(english:summary["english"]);
script_category(ACT_GATHER_INFO);
- script_copyright(english:"This script is Copyright (C) 1999 SecuriTeam");
+ script_copyright(english:"Portions of this script are Copyright (C) 1999 SecuriTeam");
family["english"] = "Windows";
script_family(english:family["english"]);
- script_require_ports(3104, 4105);
+ script_require_ports(1721);
exit(0);
}
@@ -38,30 +39,22 @@
# The script code starts here
#
- if ((get_port_state(3104)) && (get_port_state(4105)) && (get_udp_port_state(4104)))
+ if (get_port_state(1721))
{
- soctcp = open_sock_tcp(3104);
+ soctcp = open_sock_tcp(1721);
if(!soctcp)exit(0);
else close(soctcp);
-
- soctcp = open_sock_tcp(4105);
- if(!soctcp)exit(0);
- else close(soctcp);
-
-
- socudp4104 = open_sock_udp(4104);
-
- if (socudp4104)
- {
- send (socket:socudp4104, data:string("\r\n"));
- result = recv(socket:socudp4104, length:1000);
- if (strlen(result)>0)
- {
- set_kb_item(name:"Windows compatible", value:TRUE);
-# security_hole(port:4104, protocol:"udp");
- security_warning(port:4104, protocol:"udp");
- }
- close(socudp4104);
+ set_kb_item(name:"Windows compatible", value:TRUE);
+ security_hole(port:1721, protocol:"tcp");
}
+
+ if (get_port_state(4105))
+ {
+ soctcp = open_sock_tcp(4105);
+ if(!soctcp)exit(0);
+ else close(soctcp);
+
+ set_kb_item(name:"Windows compatible", value:TRUE);
+ security_hole(port:4105, protocol:"tcp");
}
Incidently, the scripts make reference to the Nessus Scripts License but
there doesn't seem to be one anywhere... Hidden? Or overlooked? The specific
mention makes it sound like it's something other than the GPL.
The last thing is a comment on the no404 script. Several of the scripts have
verying degrees of reliablity with safe-checks enabled. Vendors don't change
version numbers after patching, etc. And there's an option to cut down on
false reports. But it seems like 404-related false results are a particularly
bad problem because it causes a chain reaction of many false results.
I know there's nothing that can be done on regular web servers (after all,
404 problems are common, but so are vulnerable web servers) but it seems
like it would be good to have a option specifically to turn down the false
positive rate on http servers on some of the non-web ports, such as:
280
1810
2301
2381
7777
7778
49400
49401
Sorry for so many different items in the same email. Thanks
_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
This archive was generated by hypermail 2.1.3 : Wed Sep 22 2004 - 05:38:49 PDT