[Plugins-writers] plugin 22194 - potential false positive?

From: how2 vuln (how2vuln@private)
Date: Fri Sep 15 2006 - 19:01:44 PDT


I have been running some scans that include plugin 22194 (network check for
the Server service buffer overflow, MS06-040). I did some limited testing under
various circumstances, and the plugin seems to detect the presence of the
vulnerability accurately.

However, I have heard very recently from a server administrator group that
they suspect potential false positives. Their claim is that the patches had
been applied and the servers rebooted even before their devices were scanned.
For my part, I have some homework to do with them, i.e., really verify that
the patch for KB921883 was indeed applied and took effect.

Nonetheless, I would like to reach out to the list to find out whether anybody
has had any observations of false positives with respect to this plugin. I
do realize that sometimes the best way to check for such vulnerabilities is
with more privileged access. However, given the nature of this specific
vulnerability, I am confident in an effective network check.


   1. What could possibly cause a false positive with such a check?
   2. What is the plugin actually doing? (High-level gist: it calls a
   named pipe relating to the Server service, initializes a buffer, populates
   it with 'nessus', then tries to overflow the buffer; if the patch is applied,
   the buffer should return 0; if not, the buffer returns 'nessus', thereby
   checking for the vulnerability.) Can someone confirm my understanding?

Any help or feedback provided is greatly appreciated.

- how2vuln



_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
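The "homework" the poster describes, verifying on the host that KB921883 was applied and took effect, is the quickest way to confirm or dispute a plugin 22194 positive. The script below is an added example, not code from the original post and not the logic of the Nessus plugin; it gathers the three pieces of evidence the administrators' claim ("patched and rebooted before the scan") rests on: the hotfix is recorded as installed, the netapi32.dll on disk is at or above the fixed version, and the host rebooted after the install with no file replacement still pending. Assumptions: it runs as an administrator on the target, or remotely via Invoke-Command with PowerShell remoting enabled; it uses current cmdlets (Get-HotFix, Get-CimInstance), so on 2006-era hosts the WMI equivalents would be needed; and the fixed netapi32.dll version for the target's OS and service pack must be read from the MS06-040 bulletin's file table and passed in as -FixedNetapiVersion, since no version value is assumed here.

```powershell
# Added example: host-side verification of KB921883 (MS06-040) to confirm or
# dispute a network-check positive. Not from the original post or the plugin.
# Assumed: admin rights on the target (local or via remoting); the fixed
# netapi32.dll version for the target's OS/SP is supplied by the caller from
# the MS06-040 bulletin, not hard-coded here.

function Test-Ms06040Host {
    [CmdletBinding()]
    param(
        [string]  $ComputerName = $env:COMPUTERNAME,
        [version] $FixedNetapiVersion,        # from the MS06-040 bulletin for this OS/SP
        [string]  $HotfixId = 'KB921883'
    )

    # Gather everything on the target in one script block so the install and
    # boot timestamps come from the same clock.
    $collect = {
        param($HotfixId)

        $hotfix = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue |
                  Select-Object -First 1

        $dll = Join-Path $env:SystemRoot 'System32\netapi32.dll'
        $vi  = (Get-Item $dll).VersionInfo
        $ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                            $vi.FileBuildPart, $vi.FilePrivatePart)

        $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

        # Files still queued for replacement at next boot mean the update has
        # not taken effect even though the hotfix may already be recorded.
        $smKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
        $pending = (Get-ItemProperty $smKey -Name PendingFileRenameOperations `
                        -ErrorAction SilentlyContinue).PendingFileRenameOperations

        [pscustomobject]@{
            HotfixInstalled   = [bool]$hotfix
            HotfixInstalledOn = if ($hotfix) { $hotfix.InstalledOn } else { $null }
            NetapiVersion     = $ver
            LastBootUpTime    = $boot
            RebootPending     = [bool]$pending
        }
    }

    if ($ComputerName -eq $env:COMPUTERNAME) {
        $ev = & $collect $HotfixId
    } else {
        $ev = Invoke-Command -ComputerName $ComputerName -ScriptBlock $collect `
                             -ArgumentList $HotfixId
    }

    # A hotfix that replaces an in-use DLL only takes effect in the running
    # Server service after a restart, so "applied" without a later boot can
    # still be a true positive on the wire.
    $rebootedAfterInstall = $ev.HotfixInstalled -and $ev.HotfixInstalledOn -and
                            ($ev.LastBootUpTime -gt $ev.HotfixInstalledOn)

    $versionOk = if ($FixedNetapiVersion) { $ev.NetapiVersion -ge $FixedNetapiVersion } else { $null }

    $verdict =
        if ($versionOk -eq $true -and -not $ev.RebootPending) {
            'Patched on disk and no reboot pending: dispute the finding'
        } elseif ($ev.HotfixInstalled -and ($ev.RebootPending -or -not $rebootedAfterInstall)) {
            'Hotfix recorded but not in effect: the network positive is probably genuine'
        } else {
            'Unpatched or unverifiable: treat the network positive as genuine'
        }

    [pscustomobject]@{
        ComputerName         = $ComputerName
        HotfixInstalled      = $ev.HotfixInstalled
        HotfixInstalledOn    = $ev.HotfixInstalledOn
        NetapiVersion        = $ev.NetapiVersion
        NetapiAtOrAboveFixed = $versionOk
        LastBootUpTime       = $ev.LastBootUpTime
        RebootedAfterInstall = $rebootedAfterInstall
        RebootPending        = $ev.RebootPending
        Verdict              = $verdict
    }
}
```

Run it as `Test-Ms06040Host -ComputerName <server> -FixedNetapiVersion <version>` with the netapi32.dll version the MS06-040 bulletin lists for that server's OS and service pack; a host that reports the hotfix installed but with a pending file rename or a last boot older than the install time explains a "we patched it" positive without any plugin error, while a host that passes all three checks is the case to report back to the list as a possible false positive.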



This archive was generated by hypermail 2.1.3 : Fri Sep 15 2006 - 19:09:04 PDT