Hi,

this plugin returned a false positive on port 143, misidentifying the Exchange IMAP service as Remote PC. Looking at the source there is an apparent bug:

    send(socket:soc, data:raw_string(0x28, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00));
    r = recv(socket:soc, length:57);
    close(soc);
    if(strlen(r) == 57 && ord(r[0]) == 0x2A) {
      security_warning(port);
    }

The r buffer is limited to 57 characters, and the following test checks whether it's 57 characters long. This means that any response which starts with a * (hex 2A) and is at least 57 characters long will trigger the plugin ("* OK Microsoft Exchange 2000 IMAP4rev1 server version 6.0 version 6.0.6603.0 (xxx) ready" in this case).

I've attached a "fixed" version which increases the recv buffer length to 8k. I presume this would still identify a real Remote PC server, while reducing false positives. A longer signature would be ideal, but we don't have a copy of Remote PC available to test.

Regards,

--
Hubert Seiwert
Internet Security Specialist, Westpoint Ltd
Albion Wharf, 19 Albion Street, Manchester M1 5LN, United Kingdom
Web: www.westpoint.ltd.uk
Tel: +44-161-2371028
This archive was generated by hypermail 2.1.3 : Mon May 23 2005 - 08:28:57 PDT
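The false positive described in the post can be reproduced offline. The following is an added example, not the plugin's code and not the attached fix: it replays the plugin's send/recv/compare logic in Python over a local socket pair, with the read limit as a parameter. The Exchange banner is the one quoted in the post; `REMOTE_PC_LIKE`, `IMAP_57` and the function name `plugin_check` are constructed for illustration, since the real Remote PC reply is not shown on the page.

```python
import socket

# Probe bytes taken from the plugin source quoted in the post.
PROBE = bytes([0x28, 0x00, 0x01, 0x00, 0x04, 0x00,
               0x00, 0x00, 0x00, 0x00, 0x00, 0x00])

# Banner quoted in the post (Exchange IMAP service on port 143).
EXCHANGE_BANNER = (b"* OK Microsoft Exchange 2000 IMAP4rev1 server version 6.0 "
                   b"version 6.0.6603.0 (xxx) ready")

# Constructed stand-ins. Only the length (57) and first byte (0x2A) of a
# Remote PC reply are known from the plugin's check; the rest is assumed.
REMOTE_PC_LIKE = b"\x2a" + b"\x00" * 56
IMAP_57 = b"* OK " + b"x" * 50 + b"\r\n"  # text banner that is exactly 57 bytes


def plugin_check(service_reply, recv_len):
    """Replay the plugin's logic against a canned reply, reading up to recv_len bytes."""
    scanner, service = socket.socketpair()
    try:
        scanner.sendall(PROBE)
        service.recv(len(PROBE))
        service.sendall(service_reply)
        service.shutdown(socket.SHUT_WR)  # reply finished, scanner will see EOF
        r = b""
        while len(r) < recv_len:  # read until the limit or end of reply
            chunk = scanner.recv(recv_len - len(r))
            if not chunk:
                break
            r += chunk
        # Same comparison as the plugin: strlen(r) == 57 && ord(r[0]) == 0x2A
        return len(r) == 57 and r[0] == 0x2A
    finally:
        scanner.close()
        service.close()


if __name__ == "__main__":
    for name, reply in [("Exchange banner", EXCHANGE_BANNER),
                        ("Remote PC-like (constructed)", REMOTE_PC_LIKE),
                        ("57-byte IMAP banner (constructed)", IMAP_57)]:
        print(f"{name}: recv 57 -> {plugin_check(reply, 57)}, "
              f"recv 8192 -> {plugin_check(reply, 8192)}")
```

With the 8k read limit the Exchange banner no longer matches, but any reply that is exactly 57 bytes and starts with `*` still does, which is why a longer signature would be the stronger check.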