
Multicast & NASL security
I added a "join_multicast_group" function which creates a little
security problem IMHO.
The function opens a socket which must not be closed before we want to
leave the multicast group. But we have to close it at the end of the
script to avoid a memory leak.

1. Allowing the script to write on the socket is not good, because
a. It breaks the NASL model where the script is supposed to connect
to the "target" only
b. A malicious script could send information out through it.

But with SMTP or NNTP, it is already possible to attack other machines
or leak information out.

=> I implemented a quick and dirty "jamming". A random value is added
to the socket number, so the descriptor cannot be used from the
script. A cleaner way to do it would be to keep an array of multicast
addresses and associated sockets. Not a big problem.

2. Joining a multicast group may be a way to saturate the network.
3. Is it possible to ping the machines that joined a multicast group?
If so, this could be a way to detect all running nessusd.

The big question is: should multicast be restricted to "trusted"
scripts?
Re: Multicast & NASL security
hello,

How does this function work?
Can you provide an example?

> 1. Allowing the script to write on the socket is not good, because
> a. It breaks the NASL model where the script is supposed to connect
> to the "target" only

Yes, but there is no *single* target when you use multicast as in service
discovery protocols such as SLP, UPnP (HTTP/UDP over multicast in fact), or
Rendezvous (DNS over multicast).

> 3. Is it possible to ping the machines that joined a multicast group?
> If so, this could be a way to detect all running nessusd.

I think the answer is yes, but I did not check it.

In both cases, I do not think that it is a big issue because a malicious guy has
to know which multicast address nessus is *listening* on. So, if it is possible
to *ping* that address, nessus will only be *visible* during a specific script
execution.
The addresses used in SLP and Rendezvous are not the same.

> The big question is: should multicast be restricted to "trusted"
> scripts?

As my answer is only focused on service discovery protocols (and *private*
multicast addresses), I would say no.

Guillaume
--
mailto:guillaume@valadon.net
ICQ uin : 1752110
Web page: http://guillaume.valadon.net
"Reflection is the first enemy of love." - kozette