How Nessus detects the new Microsoft vuln.
Nessus now has a plugin available for the new Microsoft vuln. From looking at the source code of the plugin (this is the first one I have ever looked at), is it only detecting whether the patch has been installed, by checking the registry key, instead of actually testing the vuln? Is this the case with most of the Nessus plugins? Below is the code for the plugin. Thanks
#
# (C) Tenable Network Security
#
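#
# Registration block: Nessus runs the script with `description` set to
# collect metadata, then exits here. The actual check starts after it.
#
if(description)
{
  script_id(12052);
  script_version("$Revision: 1.2 $");
  script_bugtraq_id(9633, 9635);

  name["english"] = "ASN.1 parsing vulnerability (828028)";
  script_name(english:name["english"]);

  desc["english"] = "
The remote Windows host has an ASN.1 library which is vulnerable to a
flaw which could allow an attacker to execute arbitrary code on this host.
To exploit this flaw, an attacker would need to send a specially crafted
ASN.1 encoded packet (either an IPsec session negotiation, or an HTTPS request)
with improperly advertised lengths.
Solution : http://www.microsoft.com/technet/security/bulletin/ms04-007.asp
Risk factor : High";
  script_description(english:desc["english"]);

  # The previous summary ("Checks the version of MDAC") was left over from
  # another plugin; this script looks for the KB828028 (MS04-007) hotfix
  # registry entry, so the summary now says so.
  summary["english"] = "Checks for the KB828028 (MS04-007) hotfix registry entry";
  script_summary(english:summary["english"]);

  # The check only reads registry values and KB entries; it never sends
  # ASN.1 data to the host, hence the gather-info category.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004 Tenable Network Security");
  family["english"] = "Windows";
  script_family(english:family["english"]);

  # These dependencies populate the SMB/* KB keys required below.
  script_dependencies("netbios_name_get.nasl",
                      "smb_login.nasl", "smb_registry_full_access.nasl",
                      "smb_reg_service_pack_W2K.nasl");
  script_require_keys("SMB/name", "SMB/login", "SMB/password",
                      "SMB/registry_full_access", "SMB/WindowsVersion");
  script_require_ports(139, 445);
  exit(0);
}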
include("smb_nt.inc");

#
# This plugin is a patch-presence check: it decides "vulnerable" by the
# absence of the KB828028 hotfix registry entry (or of a service pack that
# the per-OS branches treat as containing the fix). It does not exercise
# the ASN.1 parser and does not look at the library file itself.
# NOTE(review): a host fixed by some route that never wrote the KB entry,
# or one where the registry read fails, is therefore reported as a hole
# (false positive); a stale entry left behind would hide the issue.
# Confirm against the patched file version if a definitive answer is needed.
#

# SMB transport port; the NetBIOS session port is the fallback.
port = get_kb_item("SMB/transport");
if ( ! port )
{
  port = 139;
}

# Nothing can be checked without full registry access ...
access = get_kb_item("SMB/registry_full_access");
if ( ! access )
{
  exit(0);
}

# ... or without knowing which Windows version the host runs.
version = get_kb_item("SMB/WindowsVersion");
if ( ! version )
{
  exit(0);
}
if ( "4.0" >< version )
{
  # Windows NT 4.0: standalone hotfixes register under ...\Hotfix\<KB>;
  # the "Comments" value is the marker this branch looks for. There is no
  # service pack shortcut here, so the registry value is the only evidence.
  nt4_key = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB828028";
  nt4_val = registry_get_sz(item:"Comments", key:nt4_key);

  # No value (including a failed lookup) is reported as unpatched.
  if ( ! nt4_val )
  {
    security_hole(port);
  }
}
if ( "5.0" >< version )
{
  # Windows 2000: the fix ships with Service Pack 5, so SP5 or later is
  # treated as patched without consulting the hotfix key.
  w2k_sp = get_kb_item("SMB/Win2K/ServicePack");
  if ( ereg(string:w2k_sp, pattern:"Service Pack [5-9]") )
  {
    exit(0);
  }

  # Below SP5 the standalone hotfix must have written its KB entry.
  w2k_key = "SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB828028";
  w2k_val = registry_get_sz(item:"Description", key:w2k_key);
  if ( ! w2k_val )
  {
    security_hole(port);
  }
}
if ( "5.1" >< version )
{
  # Windows XP: the hotfix may have registered under either the SP1 or
  # the SP2 branch of the Updates key; finding it in either one means the
  # fix is present. The SP1 branch is consulted first, then SP2.
  xp_key_sp1 = "SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB828028";
  xp_key_sp2 = "SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB828028";

  if ( registry_get_sz(item:"Description", key:xp_key_sp1) )
  {
    exit(0);
  }
  if ( registry_get_sz(item:"Description", key:xp_key_sp2) )
  {
    exit(0);
  }

  # Neither key found: the fix is also included from Service Pack 2 on.
  xp_sp = get_kb_item("SMB/WinXP/ServicePack");
  if ( ereg(string:xp_sp, pattern:"Service Pack [2-9]") )
  {
    exit(0);
  }

  # No hotfix entry and pre-SP2: report as unpatched.
  security_hole(port);
}
if ( "5.2" >< version )
{
  # Windows Server 2003: the fix is included from Service Pack 1 on, so
  # SP1 or later short-circuits the registry lookup.
  w2k3_sp = get_kb_item("SMB/Win2003/ServicePack");
  if ( ereg(string:w2k3_sp, pattern:"Service Pack [1-9]") )
  {
    exit(0);
  }

  # Pre-SP1 hosts need the standalone hotfix's KB entry.
  w2k3_key = "SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB828028";
  w2k3_val = registry_get_sz(item:"Description", key:w2k3_key);
  if ( ! w2k3_val )
  {
    security_hole(port);
  }
}