I have been running some scans that include plugin 22194 (network check for Server service BO / MS06-040). I did some limited testing under various circumstances and the plugin seems to detect the presence of the vulnerability accurately. However, I have heard very recently from a server administrator group that they suspect potential false positives. Their claim is that the patches had been applied and the servers rebooted even before their devices were scanned. For my part, I have some homework to do with them, i.e. really verify that the patch for KB921883 was indeed applied and took effect. Nonetheless, I would like to reach out to the list to find out whether anybody has observed false positives with respect to this plugin.

I do realize that sometimes the best way to check for such vulnerabilities is with more privileged access. However, given the nature of this specific vulnerability, I am confident in an effective network check.

1. What could possibly cause a false positive with such a check?

2. What is the plugin actually doing? (High-level gist: it calls a named pipe relating to the Server service, initializes a buffer, populates it with 'nessus', then tries to overflow the buffer; if the patch is applied the buffer should return 0; if not, the buffer returns 'nessus', thereby checking for the vulnerability.) Can someone confirm my understanding?

Any help or feedback provided is greatly appreciated.

- how2vuln

_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
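For the "homework" of verifying on the host that KB921883 was applied and actually took effect before the scan, here is an added PowerShell verification script (not from the original post, not Nessus plugin code). It assumes PowerShell 2.0 or later on the Windows host being checked; the scan timestamp is a constructed placeholder to be replaced with the time from the scan report.

```powershell
# Added verification script (not from the original post): correlates the
# KB921883 hotfix record, the Server service binary on disk and the last
# reboot against the scan time, so a disputed finding can be argued from
# host-side evidence rather than from the plugin result alone.
param(
    # Placeholder: put the scan time from the Nessus report here.
    [datetime]$ScanTime = (Get-Date '2006-09-15 10:00')
)

$kb     = 'KB921883'
$result = @{}

# 1. Is the hotfix recorded at all, and when does Windows say it went on?
$fix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
$result['HotfixPresent'] = [bool]$fix
$result['InstalledOn']   = if ($fix) { $fix.InstalledOn } else { $null }

# 2. The Server service's RPC code lives in netapi32.dll, which the
#    MS06-040 update replaces. Record the on-disk version for comparison
#    with the file version listed in the KB article (not asserted here).
$dll = Get-Item (Join-Path $env:SystemRoot 'System32\netapi32.dll')
$result['Netapi32Version'] = $dll.VersionInfo.FileVersion
$result['Netapi32Written'] = $dll.LastWriteTime

# 3. A replaced DLL only takes effect once the hosting service process is
#    restarted; the administrators claim the box rebooted before the scan.
$os       = Get-WmiObject Win32_OperatingSystem
$lastBoot = $os.ConvertToDateTime($os.LastBootUpTime)
$result['LastBoot'] = $lastBoot
$result['RebootedAfterPatch'] = if ($fix -and $fix.InstalledOn) {
    $lastBoot -gt $fix.InstalledOn
} else { 'unknown' }
$result['RebootedBeforeScan'] = $lastBoot -lt $ScanTime

# 4. Is the Server service (LanmanServer) running at all? A network check
#    against a stopped service has nothing to talk to, so a finding there
#    deserves a second look.
$result['ServerServiceState'] = (Get-Service LanmanServer).Status

# Emit one object per host; pipe to Export-Csv when run across many hosts.
New-Object PSObject -Property $result | Format-List
```

A host where HotfixPresent is true, RebootedAfterPatch is true and RebootedBeforeScan is true, yet the plugin still fires, is the case worth escalating; any other combination points at an incomplete deployment rather than a plugin false positive.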
This archive was generated by hypermail 2.1.3 : Fri Sep 15 2006 - 19:09:04 PDT