nessus-plugins/scripts cfengine_authdiag.nasl, NONE, 1.1 cfengine_detect.nasl, NONE, 1.1 cfengine_format_string_vuln.nasl, NONE, 1.1 cfengine_trans_packet_buff_overrun.nasl, NONE, 1.1
- To: nessus-cvs_at_list.nessus.org
- Subject: nessus-plugins/scripts cfengine_authdiag.nasl, NONE, 1.1 cfengine_detect.nasl, NONE, 1.1 cfengine_format_string_vuln.nasl, NONE, 1.1 cfengine_trans_packet_buff_overrun.nasl, NONE, 1.1
- From: jwlampe_at_nessus.org
- Date: Fri, 20 Aug 2004 16:00:22 -0400 (EDT)
Update of /usr/local/cvs/nessus-plugins/scripts
In directory raccoon.nessus.org:/tmp/cvs-serv35401
Added Files:
cfengine_authdiag.nasl cfengine_detect.nasl
cfengine_format_string_vuln.nasl
cfengine_trans_packet_buff_overrun.nasl
Log Message:
a bunch of new cfengine scripts from David Maciejak
--- NEW FILE: cfengine_authdiag.nasl ---
#TRUSTED
# This script was written by David Maciejak <david dot maciejak at kyxar dot fr>
#
# GPL
#
# Ref: Juan Pablo Martinez Kuhn
if(description)
{
  script_id(14314);
  script_version ("$Revision: 1.1 $");
  script_bugtraq_id(10899, 10900);

  # Title and summary are passed inline; the report text is kept in desc[]
  # because it is handed to script_description() below.
  script_name(english:"cfengine AuthenticationDialogue vulnerability");
  desc["english"] = "
Cfengine is running on this remote host.
cfengine cfservd is reported prone to a remote heap-based buffer
overrun vulnerability.
The vulnerability presents itself in the cfengine cfservd
AuthenticationDialogue() function. The issue exists due to a
lack of sufficient boundary checks performed on challenge data
that is received from a client.
In addition, cfengine cfservd is reported prone to a remote denial
of service vulnerability. The vulnerability presents itself in the cfengine
cfservd AuthenticationDialogue() function which is responsible for processing
SAUTH commands and also performing RSA based authentication. The vulnerability
presents itself because return values for several statements within the
AuthenticationDialogue() function are not checked.
Solution: Upgrade to 2.1.8 or newer
Risk factor : High";
  script_description(english:desc["english"]);
  script_summary(english:"check for cfengine flaw based on its version");

  # Pure version check: the body only reads the KB, it never talks to cfservd.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004 David Maciejak");
  script_family(english:"Denial of Service", francais:"Déni de service");

  # The version string is produced by cfengine_detect.nasl.
  script_dependencies("cfengine_detect.nasl", "global_settings.nasl");
  script_require_ports(5308);
  exit(0);
}
include("global_settings.inc");
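port = 5308;

# Version recorded in the KB by cfengine_detect.nasl (digits and dots,
# possibly followed by trailing text taken from the remote --help output).
version = get_kb_item("cfengine/" + port + "/version");
if (!version) exit(0);

# Affected: every 2.0.x release and 2.1.0 up to 2.1.7 (fixed in 2.1.8).
# The pattern is anchored at the start and bounded after the last digit so
# that a later release such as 2.1.10 is not reported as 2.1.1.
if (egrep(pattern:"^2\.(0\.[0-9]+|1\.[0-7])([^0-9]|$)", string:version))
  security_hole(port);
exit(0);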
--- NEW FILE: cfengine_detect.nasl ---
#TRUSTED
# This script was written by David Maciejak <david dot maciejak at kyxar dot fr>
#
# GPL
#
if(description)
{
  script_id(14315);
  script_version ("$Revision: 1.1 $");

  script_name(english:"cfengine detection and local identification");
  desc["english"] = "
The cfengine service is running on this port.
Cfengine is a language-based system for testing and configuring
Unix and Windows systems attached to a TCP/IP network.
Risk factor : None";
  script_description(english:desc["english"]);
  script_summary(english:"check for the presence of cfengine with local identification version checks if possible");

  # Detection only; the version is obtained by running cfservd --help
  # locally or over SSH, not by probing the cfengine port itself.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004 David Maciejak");
  script_family(english:"General", francais:"General");

  # SSH credentials for the remote branch come from ssh_settings.nasl.
  script_dependencies("ssh_settings.nasl");
  script_require_ports(5308);
  exit(0);
}
# Start script
include("global_settings.inc");
include("ssh_func.inc");
buf = "";
port = 5308;

# Stop unless the cfengine port is known open and accepts a connection;
# the socket is only a liveness probe and is closed immediately.
if (!get_port_state(port)) exit(0);
probe = open_sock_tcp(port);
if (!probe) exit(0);
close(probe);

# Version string; stays NULL when neither branch below can determine it.
ver = NULL;
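if (islocalhost())
{
  # Scanning ourselves: run cfservd --help directly and take the version
  # from the first output line of the form "cfengine-<version>".
  buf = pread(cmd: "/usr/sbin/cfservd", argv: make_list("cfservd","--help"));
  lines = split(buf);
  foreach line (lines)
  {
    v = eregmatch(pattern: '^cfengine-([0-9.]+)', string: line, icase: 0);
    if (!isnull(v))
    {
      ver = v[1];
      break;
    }
  }
}
else
{
  # Remote host: log in over SSH with the credentials stored in the KB and
  # run the same --help command there. Every failure path leaves ver unset
  # and falls through, so the open port is still reported (without a
  # version) exactly as in the local branch.
  account = get_kb_item("Secret/SSH/login");
  password = get_kb_item("Secret/SSH/password");
  public_key = get_kb_item("Secret/SSH/publickey");
  private_key = get_kb_item("Secret/SSH/privatekey");
  passphrase = get_kb_item("Secret/SSH/passphrase");
  have_creds = (account && (password || (public_key && private_key)));

  if (have_creds)
  {
    # Prefer the SSH port found by service detection; assume 22 otherwise.
    sshport = get_kb_item("Services/ssh");
    if (!sshport) sshport = 22;

    sock = open_sock_tcp(sshport, transport: ENCAPS_IP);
    if (sock)
    {
      # Try the key pair first and fall back to the password only if that
      # failed or no key pair was supplied. ssh_login() returns 0 on success.
      if (public_key && private_key)
        ret = ssh_login(socket:sock, login:account, pub:public_key, priv:private_key, passphrase:passphrase);
      else
        ret = 1;
      if (ret && password)
        ret = ssh_login(socket:sock, login:account, password: password);

      if (ret == 0)
      {
        ver = ssh_cmd(socket:sock, cmd:"/usr/sbin/cfservd --help | grep ^cfengine | cut -d '-' -f 2", timeout:60);
        ver = chomp(ver);
      }
      # Always release the SSH session, whether or not the login worked.
      close(sock);
    }
  }
}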
if (!ver)
{
  # The port answers but no version could be determined.
  security_note(port);
  exit(0);
}

# Record the version for the cfengine_*_vuln.nasl checks and report it.
set_kb_item(name:string("cfengine/", port, "/version"), value:string(ver));
report = "
cfengine version " + ver + " is running on this port.
cfengine is a language-based system for testing and configuring
unix and windows systems attached to a TCP/IP network.
Risk factor : None";
security_note(port:port, data:report);
exit(0);
--- NEW FILE: cfengine_format_string_vuln.nasl ---
#TRUSTED
# This script was written by David Maciejak <david dot maciejak at kyxar dot fr>
#
# GPL
#
# Ref: Pekka Savola <pekkas_at_netcore.fi>
if(description)
{
  script_id(14316);
  script_version ("$Revision: 1.1 $");
  script_bugtraq_id(1757);
  script_cve_id("CVE-2000-0947");
  # script_xref() is not available on every engine version this runs on.
  if ( defined_func("script_xref") ) script_xref(name:"OSVDB", value:"1590");

  script_name(english:"cfengine format string vulnerability");
  desc["english"] = "
Cfengine is running on this remote host.
Cfengine contains a component, cfd, which serves as a remote-configuration
client to cfengine. This version of cfd contains several flaws in the
way that it calls syslog(). As a result, trusted hosts and valid users
(if access controls are not in place) can cause the vulnerable host to
log malicious data which, when logged, can either crash the server or
execute arbitrary code on the stack. In the latter case, the code would
be executed as the 'root' user.
Solution: Upgrade to 1.6.0a11 or newer
Risk factor : High";
  script_description(english:desc["english"]);
  script_summary(english:"check for cfengine flaw based on its version");

  # Pure version check: the body only reads the KB, it never talks to cfd.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004 David Maciejak");
  script_family(english:"Gain root remotely", francais:"Passer root à distance");

  # The version string is produced by cfengine_detect.nasl.
  script_dependencies("cfengine_detect.nasl", "global_settings.nasl");
  script_require_ports(5308);
  exit(0);
}
include("global_settings.inc");
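port = 5308;

# Version recorded in the KB by cfengine_detect.nasl (digits and dots,
# possibly followed by trailing text taken from the remote --help output).
version = get_kb_item("cfengine/"+port+"/version");
if (!version) exit(0);

# Affected: 1.5.x and 1.6.0a1 through 1.6.0a10 (fixed in 1.6.0a11).
# The alternation is bounded after the last digit: an unbounded "a[0-9]"
# would match the prefix of the fixed release 1.6.0a11 and flag it too.
if (egrep(pattern:"^1\.(5(\.|$)|6\.0a([0-9]|10)([^0-9]|$))", string:version))
  security_hole(port);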
--- NEW FILE: cfengine_trans_packet_buff_overrun.nasl ---
#TRUSTED
# This script was written by David Maciejak <david dot maciejak at kyxar dot fr>
#
# GPL
#
# Ref: Nick Cleaton <nick_at_cleaton.net>
if(description)
{
  script_id(14317);
  script_version ("$Revision: 1.1 $");
  script_bugtraq_id(8699);

  script_name(english:"cfengine CFServD transaction packet buffer overrun vulnerability");
  desc["english"] = "
Cfengine is running on this remote host.
This version is prone to a stack-based buffer overrun vulnerability.
An attacker, exploiting this flaw, would need network access to the
server as well as the ability to send a crafted transaction packet
to the cfservd process. A successful exploitation of this flaw
would lead to arbitrary code being executed on the remote machine
or a loss of service (DoS).
Solution: Upgrade to at least 1.5.3-4, 2.0.8 or most recent 2.1 version.
Risk factor : High";
  script_description(english:desc["english"]);
  script_summary(english:"check for cfengine flaw based on its version");

  # Pure version check: the body only reads the KB, it never talks to cfservd.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004 David Maciejak");
  script_family(english:"Gain a shell remotely", francais:"Obtenir un shell à distance");

  # The version string is produced by cfengine_detect.nasl.
  script_dependencies("cfengine_detect.nasl", "global_settings.nasl");
  script_require_ports(5308);
  exit(0);
}
include("global_settings.inc");
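port = 5308;

# Version recorded in the KB by cfengine_detect.nasl (digits and dots,
# possibly followed by trailing text taken from the remote --help output).
version = get_kb_item("cfengine/"+port+"/version");
if (!version) exit(0);

# Affected: 2.0.0 through 2.0.7 and the 2.1.0a6/a8/a9 pre-releases (fixed in
# 2.0.8 and current 2.1). Anchored and bounded after the last digit so that
# an unrelated later number (e.g. a hypothetical 2.0.10) is not matched as
# its 2.0.1 prefix.
if (egrep(pattern:"^2\.(0\.[0-7]|1\.0a[689])([^0-9]|$)", string:version))
  security_hole(port);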