Mailing List Archive

NASL 'Split' function Buffer overflow Vulnerability
Hi,

We have discovered a vulnerability in libnasl of Nessus which can cause
Denial of Service. We have attached the advisory which details the
vulnerability and also has the fix. A patch for libnasl 2.2.4 is included.


Thanks,
OS2A Team.
Re: NASL 'Split' function Buffer overflow Vulnerability
On Apr 25, 2006, at 3:54 AM, OS2A BTO wrote:

> Hi,
>
> We have discovered a vulnerability in libnasl of Nessus which can cause
> Denial of Service. We have attached the advisory which details the
> vulnerability and also has the fix. A patch for libnasl 2.2.4 is included.


Thanks for the notice. I fail to see how it can be used to execute
arbitrary commands as your advisory states -- there is no buffer
overflow.

On Nessus2, malloc() eventually fails which results in a call to abort()
(hence the 'killed' message)

On Nessus3, nasl crashes when trying to read an invalid pointer
(pointing at NULL+0x280500c, which is not a user-controllable index),
which is something that can't be exploited either.

It's also worth noting that even if it were exploitable, a user would
have to manually load rogue plugins into their Nessus installation, as
the plugin downloads are signed, which would mitigate this problem
if it were one.

Nevertheless, this bug will be addressed in a future release of
Nessus 2 and Nessus 3 (2.2.8 and 3.0.3 respectively).

Thanks,

-- Renaud
_______________________________________________
Nessus-devel mailing list
Nessus-devel@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus-devel
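The reply above draws the line between a crash and an exploitable bug: an unchecked allocation that ends in abort() is a denial of service, not code execution, but it still takes the scanner down. The following is an added illustration for this thread, not libnasl's split() or any code from the Nessus project. It is a hypothetical bounded split() routine in C that caps the number of pieces a script can ask for and reports allocation failure to the caller (errno set, nothing leaked) instead of aborting the interpreter. The xmalloc() hook and set_alloc_failure() helper are assumptions introduced only so the failure path can be exercised offline.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Allocator hook so a test can simulate malloc() returning NULL.
   Hypothetical helper for this example; not part of libnasl. */
static size_t fail_after = (size_t)-1; /* allocations allowed before failing */
static size_t alloc_calls = 0;

static void *xmalloc(size_t n)
{
    if (alloc_calls++ >= fail_after)
        return NULL;
    return malloc(n);
}

/* Make the next `after` allocations succeed and the one after that fail.
   Pass (size_t)-1 to disable simulated failures. */
void set_alloc_failure(size_t after)
{
    fail_after = after;
    alloc_calls = 0;
}

void free_parts(char **parts, size_t count)
{
    for (size_t i = 0; i < count; i++)
        free(parts[i]);
    free(parts);
}

/* Split `s` on `sep`, keeping empty fields, into at most `max_parts` pieces.
   Returns the number of pieces stored in *out, or -1 with errno set to
   EINVAL (sep is NUL), E2BIG (too many pieces) or ENOMEM (allocation
   failed). On -1 nothing is leaked and *out is NULL, so the caller can
   raise a script-level error rather than the process dying in abort(). */
long split_bounded(const char *s, char sep, size_t max_parts, char ***out)
{
    *out = NULL;
    if (sep == '\0') {
        errno = EINVAL;
        return -1;
    }

    /* Count fields first so the result array is sized exactly once and the
       cap is enforced before any allocation happens. */
    size_t n = 1;
    for (const char *p = s; *p; p++)
        if (*p == sep)
            n++;
    if (n > max_parts) {
        errno = E2BIG;
        return -1;
    }

    char **parts = xmalloc(n * sizeof *parts);
    if (!parts) {
        errno = ENOMEM;
        return -1;
    }

    size_t i = 0;
    const char *start = s;
    for (;;) {
        const char *end = strchr(start, sep);
        size_t len = end ? (size_t)(end - start) : strlen(start);
        char *piece = xmalloc(len + 1);
        if (!piece) {
            free_parts(parts, i); /* release the pieces copied so far */
            errno = ENOMEM;
            return -1;
        }
        memcpy(piece, start, len);
        piece[len] = '\0';
        parts[i++] = piece;
        if (!end)
            break;
        start = end + 1;
    }
    *out = parts;
    return (long)i;
}
```

The cap on `max_parts` is the part that matters for the DoS case: a separator-heavy string is rejected with E2BIG before the interpreter commits memory proportional to its length, and an allocation that does fail is reported instead of terminating the scan.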