Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Nessus>
  3. devel
strange things plugins
peak at argo
Dec 31, 2004, 1:23 PM
Post #1 of 5 (1970 views)
Permalink
Here some some things I stumbled over during a recent review of
Nessus plugins.

CRLF in some scripts. Grep is your friend. :)

Ugly "staircase effect" in (re)formatted text. Look at
redhat-RHSA-2002-289.nasl for a subtle example ("fix"
on the 2nd line of the text).

The list of evil format strings in http_header_name_format_string.nasl,
http_header_value_format_string.nasl et al. should probably be put into
a shared .inc.

"Avisory is copyright" in gentoo_*.nasl.

rand() is not a safe way to make temporary filenames.

Stupid summaries of redhat-RHSA-*.nasl scripts for multi-package
updates. For instance: redhat-RHSA-2002-121.nasl's summary talks about
arpwatch even if the "primary" package of the set is tcpdump.

Improper "stemming" of package names in redhat-RHSA-*.nasl. E.g.:
redhat-RHSA-2003-246.nasl checks "wu-" rather than "wu-ftpd".

A strange inconsistency: smtp/PORT/real_banner vs www/real_banner/PORT.

pread() arguments with embedded apostrophes or quotation marks in
ssh_get_info.nasl look suspicious.


--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation.
Re: strange things plugins [ In reply to ]
deraison at nessus
Jan 2, 2005, 1:36 PM
Post #2 of 5 (1950 views)
Permalink
On Fri, Dec 31, 2004 at 09:23:57PM +0100, Pavel Kankovsky wrote:
> Here some some things I stumbled over during a recent review of
> Nessus plugins.
>
> CRLF in some scripts. Grep is your friend. :)

Fixed.

> Ugly "staircase effect" in (re)formatted text. Look at
> redhat-RHSA-2002-289.nasl for a subtle example ("fix"
> on the 2nd line of the text).

Will fix.

> The list of evil format strings in http_header_name_format_string.nasl,
> http_header_value_format_string.nasl et al. should probably be put into
> a shared .inc.

Yes.

> rand() is not a safe way to make temporary filenames.

Who cares ? The temporary files are created in a protected directory
that only root can write in.

> Stupid summaries of redhat-RHSA-*.nasl scripts for multi-package
> updates. For instance: redhat-RHSA-2002-121.nasl's summary talks about
> arpwatch even if the "primary" package of the set is tcpdump.

This needs to be fixed.

> Improper "stemming" of package names in redhat-RHSA-*.nasl. E.g.:
> redhat-RHSA-2003-246.nasl checks "wu-" rather than "wu-ftpd".

This is a minor issue (for the moment at least), but I'll fix it as well.

> A strange inconsistency: smtp/PORT/real_banner vs www/real_banner/PORT.

Will fix.

> pread() arguments with embedded apostrophes or quotation marks in
> ssh_get_info.nasl look suspicious.

I could not find any occurence where the quotes where used
inappropriately. The arguments to the 'rpm' commands are ok and do
contain quotes on purpose.

Thanks,


-- Renaud
Re: strange things plugins [ In reply to ]
peak at argo
Jan 3, 2005, 2:26 AM
Post #3 of 5 (1938 views)
Permalink
On Sun, 2 Jan 2005, Renaud Deraison wrote:

> > rand() is not a safe way to make temporary filenames.
>
> Who cares ? The temporary files are created in a protected directory
> that only root can write in.

1. Are you sure two concurrently running scripts cannot pick the same
temporary filename? (This leads to a related and quite interesting
question of the behaviour of nasl_rand() in forked processes...)

2. It might fail back to /tmp when a private directory is unavailable.

> > pread() arguments with embedded apostrophes or quotation marks in
> > ssh_get_info.nasl look suspicious.
>
> I could not find any occurence where the quotes where used
> inappropriately. The arguments to the 'rpm' commands are ok and do
> contain quotes on purpose.

Try
pread(cmd:"echo", argv:make_list("'a'"))
and
ssh_cmd(socket:sock, cmd:"echo 'a'")

Are the results identical?

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
Re: strange things plugins [ In reply to ]
deraison at nessus
Jan 3, 2005, 7:04 AM
Post #4 of 5 (1949 views)
Permalink
On Mon, Jan 03, 2005 at 10:26:55AM +0100, Pavel Kankovsky wrote:
> > > rand() is not a safe way to make temporary filenames.
> >
> > Who cares ? The temporary files are created in a protected directory
> > that only root can write in.
>
> 1. Are you sure two concurrently running scripts cannot pick the same
> temporary filename? (This leads to a related and quite interesting
> question of the behaviour of nasl_rand() in forked processes...)

nasl_rand() is seeded differently for each process. There's no real
garantee that two scripts can't pick the same name, but that would be
quite unlikely (but that has no real security implication anyway).
I'll harden this, though.

> 2. It might fail back to /tmp when a private directory is unavailable.

I was not aware of that (and that does not make me too happy). I've
removed that piece of code. It should be noted that it falls back to
/tmp ONLY if the Nessus installation is broken.

> > > pread() arguments with embedded apostrophes or quotation marks in
> > > ssh_get_info.nasl look suspicious.
> >
> > I could not find any occurence where the quotes where used
> > inappropriately. The arguments to the 'rpm' commands are ok and do
> > contain quotes on purpose.
>
> Try
> pread(cmd:"echo", argv:make_list("'a'"))
> and
> ssh_cmd(socket:sock, cmd:"echo 'a'")
>
> Are the results identical?

Aaah - my bad. Fixed, thanks !


-- Renaud
Re: strange things plugins [ In reply to ]
mikhail at nessus
Jan 25, 2005, 12:07 AM
Post #5 of 5 (1944 views)
Permalink
On Mon Jan 03 2005 at 10:26, Pavel Kankovsky wrote:

> (This leads to a related and quite interesting
> question of the behaviour of nasl_rand() in forked processes...)

There is a line of code that re-seed the random generator after a
fork, IIRC.

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal