LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-11-2004, 09:09 AM   #1
zuessh
Member
 
Registered: Jun 2002
Location: USA
Distribution: Suse 8.0
Posts: 247

Rep: Reputation: 30
How nessus detects new Microsoft Vuln.


Nessus now has a plugin available for the new microsoft vuln, from looking at the source code of the plugin (this is the first one I have ever looked at), is it only detecting if the patch has been installed by the registry key, instead of actually testing the vuln? Is this the case with most of the nessus plugins? Below is the code for the plugin. Thanks

#
# (C) Tenable Network Security
#
if(description)
{
script_id(12052);
script_version("$Revision: 1.2 $");
script_bugtraq_id(9633, 9635);
name["english"] = "ASN.1 parsing vulnerability (828028)";

script_name(english:name["english"]);

desc["english"] = "
The remote Windows host has a ASN.1 library which is vulnerable to a
flaw which could allow an attacker to execute arbitrary code on this host.

To exploit this flaw, an attacker would need to send a specially crafted
ASN.1 encoded packet (either an IPsec session negociation, or an HTTPS request)
with impropriately advertised lengths.

Solution : http://www.microsoft.com/technet/security/bulletin/ms04-007.asp
Risk factor : High";

script_description(english:desc["english"]);

summary["english"] = "Checks the version of MDAC";

script_summary(english:summary["english"]);

script_category(ACT_GATHER_INFO);

script_copyright(english:"This script is Copyright (C) 2004 Tenable Network Security");
family["english"] = "Windows";
script_family(english:family["english"]);

script_dependencies("netbios_name_get.nasl",
"smb_login.nasl","smb_registry_full_access.nasl",
"smb_reg_service_pack_W2K.nasl");
script_require_keys("SMB/name", "SMB/login", "SMB/password",
"SMB/registry_full_access","SMB/WindowsVersion");


script_require_ports(139, 445);
exit(0);
}

include("smb_nt.inc");
port = get_kb_item("SMB/transport");
if(!port)port = 139;


access = get_kb_item("SMB/registry_full_access");
if(!access)exit(0);

version = get_kb_item("SMB/WindowsVersion");

if ( ! version ) exit(0);


if("4.0" >< version )
{
key = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB828028";
item = "Comments";

value = registry_get_sz(item:item, key:key);
if(!value)security_hole(port);
}


if("5.0" >< version)
{
key = "SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB828028";
item = "Description";

# Will be fixed in Service Pack 5
sp = get_kb_item("SMB/Win2K/ServicePack");
if(ereg(string:sp, pattern:"Service Pack [5-9]"))exit(0);

value = registry_get_sz(item:item, key:key);
if(!value)security_hole(port);
}

if("5.1" >< version)
{
key = "SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB828028";
item = "Description";


value = registry_get_sz(item:item, key:key);
if(!value){
key = "SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB828028";
value = registry_get_sz(item:item, key:key);
if ( value ) exit(0);
}
else exit(0);

# Will be fixed in Service Pack 2
sp = get_kb_item("SMB/WinXP/ServicePack");
if(ereg(string:sp, pattern:"Service Pack [2-9]"))exit(0);

security_hole(port);
}

if("5.2" >< version)
{
key = "SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB828028";
item = "Description";
# Will be fixed in Service Pack 1
sp = get_kb_item("SMB/Win2003/ServicePack");
if(ereg(string:sp, pattern:"Service Pack [1-9]"))exit(0);

value = registry_get_sz(item:item, key:key);
if(!value)security_hole(port);
}
 
Old 02-12-2004, 03:13 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,394
Blog Entries: 55

Rep: Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565
is it only detecting if the patch has been installed by the registry key, instead of actually testing the vuln?
It appears to be that way, yes.


Is this the case with most of the nessus plugins?
I can say, wrt checking M$ vulns, it's not an unique to check the registry for the KB number.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Nessus install script not finding nessus.tar.gz darin3200 Linux - Software 1 08-15-2005 06:35 PM
WARN: Kernel vuln: MCAST_MSFILTER (2.4.22/2.6.1) unSpawn Linux - Security 5 05-04-2004 01:41 PM
New Webdav vuln. ? TheIrish Linux - Security 2 04-26-2004 05:45 AM
vuln, exploits scanner dominant Linux - Security 8 04-04-2004 12:56 PM
New OpenSSL remote vuln: 2003/10/02: RedHat unSpawn Linux - Security 1 10-04-2003 07:18 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:32 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration