Patches for scripts 10492 and 10481

Kristof Meirlaen kristof at kri-soft.be
Sun Nov 28 03:36:03 EST 2004


Dear All,

Please find attached 2 patches for the nessus plugins.  I've found these 
scripts to be inaccurate when tested against a system, and have tried to 
make some improvements to the scripts, which I would like to submit.

----------------------------------------------
iis_anything_idq.nasl.patch (script_id 10492):

The script consists of 2 tests, one with anything.idq and one with 
anything.ida.  The first test succeeds, but with the anything.ida, the test 
failed when the string "<HTML>The IDQ file D:\Inetpub\wwwroot\anything.ida 
could not be found." was returned, because the return string is not 
converted to lower case prior to the verification. It is correctly done 
when testing using the anything.idq page.
Therefore, I've added a line to convert:


     str = egrep( pattern:"^<HTML>", string:r ) - "<HTML>";
+   str = tolower(str);
     if ( egrep(pattern:"[a-z]\:\\.*anything", string:str) )
        security_warning( port:port );
     }
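Review bot: the hunk carries no `@@` header or file path, so it cannot be applied with patch(1) as quoted; the attached iis_anything_idq.nasl.patch presumably has them, but quoting the full hunk here would let readers verify the context. Also, `tolower` runs only after `egrep(pattern:"^<HTML>", string:r)` has already matched case-sensitively, so the fix covers the drive letter in `[a-z]\:\\.*anything` but still depends on the server emitting an uppercase `<HTML>` prefix; that matches the response quoted above, but lowercasing `r` before the first egrep (and matching `^<html>`) would make the whole test case-independent.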
-----------------------------------------------
mysql_unpassworded.nasl.patch (script_id 10481)

(note: patch is against v 1.21, I just noticed that we are at 1.22 now)

The script connects to mysql database using root and empty password.
On a system I recently verified, I knew this vulnerability was present, 
however, when tested using Nessus, the vuln did not get reported.

Analyzing the tcp trace, we saw that the connection was successful, but 
the script stopped after receiving the login response.
It seems the script is verifying the login attempt against the following 
raw string:

expect = raw_string(0x03, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00);

Our system returned a correct login, but still, the returned string was 
somewhat different.

I think it would be better only to verify the return code from mysql, 
rather than the complete response, which is the improvement in the script.
The same technique is used in the following script:

http://cvsweb.nessus.org/cgi-bin/cvsweb.cgi/~checkout~/nessus-plugins/scripts/mysql_auth_bypass_zeropass.nasl?content-type=text/plain

I only had the chance to test it against 1 mysql instance for the moment, 
so regression tests may be advisable here.

-------------------------------------------------

Please let me know what you think about these improvements.

Also, is this the proper way to submit patches?

Thank you.

Kind regards,
Kristof Meirlaen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: iis_anything_idq.nasl.patch
Type: application/octet-stream
Size: 544 bytes
Desc: not available
Url : http://mail.nessus.org/pipermail/nessus/attachments/20041128/ef904ccf/attachment.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mysql_unpassworded.nasl.patch
Type: application/octet-stream
Size: 974 bytes
Desc: not available
Url : http://mail.nessus.org/pipermail/nessus/attachments/20041128/ef904ccf/attachment-0001.obj 
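The response check discussed for the second patch, as an added example that is not part of this post or of the Nessus plugin: the exact-match comparison against the seven-byte reply quoted above, beside a check that parses the MySQL packet header and looks only at the first payload byte (0x00 for an OK packet, 0xFF for an ERR packet). The sample replies are constructed, not captured from a server, and the 4.1-style OK packet layout (status flags and warning count after the two length-encoded integers) is an assumption about what a newer server returns and why the exact match failed.

```python
"""Classify a MySQL server's reply to a login attempt.

Added example, not the Nessus plugin's own code. Shows why comparing the
whole reply against one fixed byte string is brittle, and how checking
only the status byte of the packet payload behaves instead.

MySQL client/server packet: 3-byte little-endian payload length, 1-byte
sequence id, then the payload. For a reply to a login, the first payload
byte is 0x00 for an OK packet and 0xFF for an ERR packet.
"""
from dataclasses import dataclass

OK_BYTE = 0x00
ERR_BYTE = 0xFF

# The fixed reply the original plugin compared against (quoted in the post):
# length 3, sequence id 2, payload 00 00 00.
EXPECTED_EXACT = bytes([0x03, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00])


@dataclass
class ServerPacket:
    seq: int
    payload: bytes


def build_packet(seq: int, payload: bytes) -> bytes:
    """Frame a payload with the 4-byte MySQL packet header (used for samples)."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def parse_packet(data: bytes) -> ServerPacket:
    """Split one packet into sequence id and payload; reject short/truncated data."""
    if len(data) < 4:
        raise ValueError("packet shorter than the 4-byte header")
    length = int.from_bytes(data[:3], "little")
    payload = data[4:4 + length]
    if len(payload) != length:
        raise ValueError("payload truncated: header says %d, got %d"
                         % (length, len(payload)))
    return ServerPacket(seq=data[3], payload=payload)


def login_ok_exact(data: bytes) -> bool:
    """The original approach: the reply must equal one fixed byte string."""
    return data == EXPECTED_EXACT


def login_status(data: bytes) -> str:
    """The patched approach: decide from the status byte only.

    Returns "ok" for an OK packet, "error <errno>: <message>" for an ERR
    packet, and "other" for anything else (e.g. an auth-switch request).
    """
    pkt = parse_packet(data)
    if not pkt.payload:
        raise ValueError("empty payload")
    status = pkt.payload[0]
    if status == OK_BYTE:
        return "ok"
    if status == ERR_BYTE:
        errno = int.from_bytes(pkt.payload[1:3], "little")
        rest = pkt.payload[3:]
        # 4.1+ servers prefix the message with '#' and a 5-byte SQLSTATE.
        if rest[:1] == b"#":
            rest = rest[6:]
        return "error %d: %s" % (errno, rest.decode("latin-1", "replace"))
    return "other"


# Constructed sample replies (not captured from a real server):
# 1. the minimal OK packet the plugin expected,
MINIMAL_OK = EXPECTED_EXACT
# 2. an OK packet in the 4.1 layout: status byte, affected rows (0),
#    last insert id (0), status flags 0x0002, warning count 0 (assumption:
#    this is the kind of longer reply that defeats the exact match),
EXTENDED_OK = build_packet(2, bytes([0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00]))
# 3. an ERR packet: errno 1045 (0x0415 little-endian), SQLSTATE 28000, message.
ACCESS_DENIED = build_packet(2, bytes([0xFF, 0x15, 0x04]) + b"#28000Access denied")


if __name__ == "__main__":
    for name, reply in [("minimal OK", MINIMAL_OK),
                        ("extended OK", EXTENDED_OK),
                        ("access denied", ACCESS_DENIED)]:
        print("%-14s exact=%-5s status=%s"
              % (name, login_ok_exact(reply), login_status(reply)))
```

Run stand-alone it prints one line per sample: the exact match accepts only the minimal reply, while the status-byte check reports both OK packets as "ok" and the ERR packet with its error number, which is the behaviour the second patch aims for. The truncation check in parse_packet is there so a short read from the socket is reported rather than silently treated as a failed login.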