Michel Arboi wrote:

> > and didn't put in different messages/actions for safe checks.
> There is another potential false positive generator: the script must
> make sure that the service is alive before testing it.
> What scripts were responsible for the FP?

Three of the scripts that came up were argosoft_dos, ws4d_overflow, and sambar DoS. I've cut and pasted the before and after checks for these:

11734 argosoft_dos

    if(! get_port_state(port)) exit(0);
    if (http_is_dead(port: port)) exit(0);

11560 ws4d_overflow

    if(! get_port_state(port)) exit(0);
    if(http_is_dead(port:port))exit(0);

11131 sambar_DoS

    if(! get_port_state(port)) exit(0);
    if(http_is_dead(port:port))exit(0);

I don't pretend to be a nasl expert, but they appear to be doing the checks correctly. Your name is on the last one so, again, they seem correct. ;)

But like I said, suppose argosoft and ws4d are running in parallel. Both of them check the port state, and both determine the web server is alive. While each of them is performing their respective incantations, one of them, or perhaps even some other script, crashes the server. Each of them in turn finishes its own payload and checks if the port is dead. argosoft says dead. ws4d says dead. Both of them report they crashed the web server. But they can't both be right. (Well, they could, if the trick to crashing the server was that you had to do both payloads in parallel, but that would be a new vulnerability from the individual tests in these particular scripts.)

You can see why I'm hesitant to call them false positives. I mean, they're right, the service took a dive while they were running... The only question is why.

So.... If the scripts aren't wrong... And the functions above are assumed to work properly... And there's not already a serialization process for Denial of service...
Then the answer would appear to be that the easy fix of changing something in the script is not the answer, that it's the hard solution of making nessus serialize Denial of Service in order to accurately report results.

I suppose it wouldn't really be that hard to do it the unoptimized way... If the script is a DoS script, it could do a spinlock mutex (either global or keyed to the port number it's working on) waiting for exclusive rights to crash that service. (heh heh Bill, they're waiting in line to crash you)

Unfortunately in order to really optimize things, the spinlock would have to be done automagically in the interpreter without the plugin counting against the maximum number of simultaneous plugins running. Otherwise, in the worst case of n plugins allowed, all n are after the same port, and n-1 are frozen waiting for their turn.

Don

Although speaking of false positives, I do see the SQL hello or the SQL sapphire a lot on "fully patched" servers. Anyone know much about these?

_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
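The race Don describes, and the per-port mutex he proposes, as an added simulation that is not part of the original message or of Nessus: two simulated DoS checks share one port; run in parallel both see the service die and both claim the crash, while serialised behind a per-port lock only the check whose payload actually took it down reports. `FakeService`, `port_locks`, the plugin names and the choice of which plugin "really" crashes are all constructed for the demo.

```python
import threading
from collections import defaultdict

class FakeService:
    """Constructed stand-in for the web server under test."""
    def __init__(self):
        self._alive = True
        self._lock = threading.Lock()

    def crash(self):
        with self._lock:
            self._alive = False

    def is_dead(self):
        with self._lock:
            return not self._alive

# One lock per target port: the "spinlock keyed to the port number" from
# the message, as a hypothetical helper rather than anything Nessus ships.
port_locks = defaultdict(threading.Lock)

def dos_plugin(name, service, really_crashes, sync, results):
    """One simulated DoS check: liveness check, payload, liveness check.
    `really_crashes` marks the plugin whose payload actually kills the
    service; `sync` is a Barrier forcing lock-step interleaving (None when
    the plugin runs serialised under the port lock)."""
    if service.is_dead():
        results[name] = None           # skipped: never test a dead service
        return
    if sync:
        sync.wait()                    # both plugins have seen it alive
    if really_crashes:
        service.crash()                # the payload that really works
    if sync:
        sync.wait()                    # both payloads have been sent
    results[name] = service.is_dead()  # True means "I crashed it"

def run_scan(serialize):
    """Run two DoS checks against one port, racy or serialised."""
    service, results, port = FakeService(), {}, 80
    plugins = [("plugin_A", True), ("plugin_B", False)]
    sync = None if serialize else threading.Barrier(len(plugins))

    def worker(name, crashes):
        if serialize:
            with port_locks[port]:
                dos_plugin(name, service, crashes, None, results)
        else:
            dos_plugin(name, service, crashes, sync, results)

    threads = [threading.Thread(target=worker, args=p) for p in plugins]
    for t in threads: t.start()
    for t in threads: t.join()
    return results
```

With `serialize=False` both plugins return True (the double report from the thread); with `serialize=True` only `plugin_A` does, and `plugin_B` either sees the service still alive (False) or skips because it is already dead (None), depending on which one wins the lock.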
This archive was generated by hypermail 2.1.3 : Sat Feb 19 2005 - 23:53:14 PST