Re: [Plugins-writers] Plugin ID 11990

From: Nicolas Pouvesle (npouvesle@private)
Date: Thu Jan 27 2005 - 09:10:21 PST


In most Hotfix plugins we don't check file versions.

So it is possible the hotfix is applied on your server and an 
application replaced the DLL with a vulnerable one.

You can check if the patch was installed in the registry:

HKLM\SOFTWARE\Microsoft\Updates\yourssystem\SPversion\
or
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix

and check if KB832483 or Q832483 is present.

If that is the case, the plugin is not bugged (and it looks good).
But you will have to fix your MDAC version.

Maybe we will add a file version check to all Hotfix plugins; we will see...

Nicolas


Scott Clowers wrote:
> I ran a Nessus scan on one of our Windows 2000 Servers. Next I ran the
> Microsoft Baseline Security Analyzer against the same server and compared
> the results. They appear to be pretty close but I have come across one
> anomaly I'd like to resolve. The MBSA flagged MS04-003 based on the file
> version of odbcbcp.dll. I verified the actual version number of the
> installed odbcbcp.dll as 2000.85.1022.0. It should be at least version
> 2005.85.1025.0.
> 
> Nessus Plugin ID 11990 doesn't appear to check any file versions (not sure
> if Nessus has this capability) and did not flag this vulnerability. I
> checked the registry on the affected machine and it should have failed this
> part of the check:
> 
> if ( hotfix_missing(name:"KB832483") > 0 &&
>      hotfix_missing(name:"Q832483") > 0 )
>             security_warning(get_kb_item("SMB/transport"));
> 
> I'm not sure why it didn't fail that check but I ran the Microsoft MDAC
> version checking tool (CC.exe) and it said this machine has version MDAC 2.8
> RTM, so I wonder if it passed this part of the check:
>  
> if(ereg(pattern:"2\.6[3-9].*", string:version))exit(0); # SP3 applied
>  
> and therefore never checked for the missing hotfixes? 
>  
> Thanks,
> Scott

_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
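
The gap discussed in this thread (hotfix key recorded in the registry, DLL older than the fixed version) as an added example; it is not code from either message or from the Nessus plugin. It assumes the hotfix key names and the odbcbcp.dll version string have already been collected from the host; `assess`, `scan`, the status strings and the host names are hypothetical.

```python
# Added example: registry hotfix evidence combined with a file-version check.
from typing import Dict, Iterable, Optional, Tuple

HOTFIX_NAMES = ("KB832483", "Q832483")   # key names from the thread
FIXED_VERSION = "2005.85.1025.0"         # minimum odbcbcp.dll version quoted in the thread


def parse_version(text: str) -> Tuple[int, ...]:
    """'2000.85.1022.0' -> (2000, 85, 1022, 0); fields must compare as numbers."""
    parts = text.strip().split(".")
    if len(parts) > 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    parts += ["0"] * (4 - len(parts))    # '2005.85' is treated as 2005.85.0.0
    return tuple(int(p) for p in parts)


def assess(registry_keys: Iterable[str], file_version: Optional[str]) -> str:
    """Classify a host from the hotfix keys found and the DLL version on disk."""
    found = {k.upper() for k in registry_keys}
    recorded = any(name in found for name in HOTFIX_NAMES)
    if file_version is None:
        # File unreadable: only the registry-only answer is available.
        return "hotfix-recorded-file-unverified" if recorded else "hotfix-missing"
    if parse_version(file_version) >= parse_version(FIXED_VERSION):
        return "patched" if recorded else "file-current-no-hotfix-record"
    # Old DLL on disk: with the key present, a registry-only check stays silent.
    return "hotfix-recorded-file-regressed" if recorded else "hotfix-missing"


# Constructed sample data (hypothetical hosts), not taken from a real scan.
SAMPLE_HOSTS = {
    "srv-a": (["KB832483"], "2000.85.1022.0"),   # the situation described above
    "srv-b": (["Q832483"], "2005.85.1025.0"),
    "srv-c": ([], "2000.85.1022.0"),
    "srv-d": (["KB832483"], None),
}


def scan(hosts: Dict[str, tuple]) -> Dict[str, str]:
    return {name: assess(keys, ver) for name, (keys, ver) in hosts.items()}


if __name__ == "__main__":
    for host, status in scan(SAMPLE_HOSTS).items():
        print(f"{host}: {status}")
```
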



This archive was generated by hypermail 2.1.3 : Thu Jan 27 2005 - 09:08:44 PST