[Plugins-writers] denial of service semi-false positives

From: Don Kitchen (don@private)
Date: Fri Feb 18 2005 - 22:37:54 PST


I was trying to track down a semi-false positive in a Nessus scan and I think I've found an answer that makes enough sense.

The problem I was trying to find is that Nessus reported four different ways that cause a web server to crash. Of course the first thing I did was check whether the web server was still running - it was not. But since it doesn't restart automatically, how is it possible that FOUR different plugins are claiming credit for having crashed it?? I'm pretty sure I had Denial of Service enabled, safe checks disabled, and optimization off. So especially with no safe checks, there shouldn't be any plugins simply checking version headers and saying that they WOULD HAVE been able to crash it - they should only report if they were actually able to crash it.

So my next thought was, check the scripts, maybe these authors were lazy and didn't put in different messages/actions for safe checks. But I was wrong, without safe checks they didn't shortcut on headers/version information, and they seemed to check the port before and after the attempt.

So I ran Nessus again, and eliminated two of the attacks by hand - server survived. Nessus did crash it again though, but the second time Nessus reported a different set of plugins that crashed it (one of the same and one new one) and suddenly it dawned on me... Nessus runs multiple plugins in parallel. So what would happen if there was a race condition, so that whichever Denial-of-service plugins were in the process of running at the time any of them crash the service - they would all notice the service went down during their run and take credit for it.

So is there any serialization for denial of service plugins?

Thanks
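
The race hypothesised in the message above, as an added simulation (not Nessus code and not part of the original post): each plugin checks the port, sends its request, then re-checks the port, and the service never restarts. The plugin names, tick values and the `Plugin`, `run` and `serialize` helpers are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Plugin:
    name: str
    start: int      # tick at which the plugin does its "port open?" pre-check
    fire: int       # tick at which it sends its test request
    end: int        # tick at which it re-checks the port
    lethal: bool    # whether this request actually stops the simulated service

def run(plugins):
    """Replay plugin timelines against one service that never restarts."""
    events = []
    for p in plugins:
        events += [(p.start, 0, p), (p.fire, 1, p), (p.end, 2, p)]
    alive, saw_up, reports = True, set(), []
    for _, kind, p in sorted(events, key=lambda e: (e[0], e[1], e[2].name)):
        if kind == 0 and alive:
            saw_up.add(p.name)          # pre-check passed
        elif kind == 1 and p.name in saw_up and p.lethal:
            alive = False               # service goes down and stays down
        elif kind == 2 and p.name in saw_up and not alive:
            reports.append(p.name)      # "port was up, now it is down"
    return reports

def serialize(plugins):
    """Re-time the same plugins so that no two windows overlap."""
    out, t = [], 0
    for p in plugins:
        d = p.end - p.start
        out.append(Plugin(p.name, t, t + (p.fire - p.start), t + d, p.lethal))
        t += d + 1
    return out

# Constructed plugin set: four overlapping checks, only dos_c is lethal.
PARALLEL = [
    Plugin("dos_a", 0, 2, 6, False),
    Plugin("dos_b", 1, 3, 7, False),
    Plugin("dos_c", 2, 4, 8, True),
    Plugin("dos_d", 3, 5, 9, False),
]

if __name__ == "__main__":
    print("parallel  :", run(PARALLEL))
    print("serialized:", run(serialize(PARALLEL)))
```

With overlapping windows every plugin that passed its pre-check before the crash reports the outage; once the windows are serialized, only the plugin whose request stopped the service reports, and later plugins fail their pre-check and stay silent.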
