Details on some CVE vulns. [was: Re: Internet Scanner vs Nessus based on CVE hits]
Ok, I'm in the process of filling the holes for the CVE vulns that
we should test for, and I have some problems.


Here is the list of the "TOP 20" of the CVE checks that Georges
Dagousset published on nessus@list.nessus.org. There is also the full
"not done by Nessus" CVE list published by Michel Arboi a while ago,
whose URL I don't have at hand. I may have added ~ 20 checks
recently, but this is not always easy, especially when it deals with
flaws that were popular 5 years ago.


> Needs to be done:
>
> > 1999-0002 3 ISS SARA QUALYS
> > 1999-0113 2 ISS QUALYS
> > 1999-0186 2 ICAT ISS
> > 1999-0204 3 ICAT ISS SARA

All of these have been done.


> > 1999-0299 3 ICAT ISS

This one is a buffer overflow in the way lpd does a DNS resolution. I
have no idea on how this could be tested for apart from saying that port
515 is open. If anyone has a suggestion, let me know.

> > 1999-0722 3 ICAT ISS SARA

I did not find any clear detail on that one. Apparently, SARA checks for
a .htaccess, but I'm not sure.

> > 1999-0493 2 ISS QUALYS

Boring to test for. This flaw allows the execution of a command, without
any argument. Besides "halt" or "reboot", I don't know how we can
determine if it's successful or not (and yes, a patched version of this
daemon replies exactly the same way).
So, a little help would be welcome ;)


-- Renaud

Re: Details on some CVE vulns. [was: Re: Internet Scanner vs Nessus based on CVE hits]
On Tue, 27 Aug 2002, Renaud Deraison wrote:

> > > 1999-0299 3 ICAT ISS
>
> This one is a buffer overflow in the way lpd does a DNS resolution. I
> have no idea on how this could be tested for apart from saying that port
> 515 is open. If anyone has a suggestion, let me know.

You'd need your own "evil" DNS server. Similar to tests of HTTP
proxies needing an "evil" HTTP server--but somewhat more difficult
because it has to run on 53 and the reverse zone must be delegated to
that server.

> > > 1999-0493 2 ISS QUALYS
>
> Boring to test for. This flaw allows the execution of a command, without
> any argument. Besides "halt" or "reboot", I don't know how we can
> determine if it's successful or not (and yes, a patched version of this
> daemon replies exactly the same way).

Hmm...the execution of commands is a combination of 1999-0493 (RPC
forwarding bug in rpc.statd) and 1999-0210 (bug in automountd), right?
In order to test 1999-0493 it should be sufficient to verify rpc.statd is
willing to forward RPC requests to another RPC service.

--Pavel Kankovsky aka Peak
"Welcome to the Czech Republic. Bring your own lifeboats."
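Before a test of the kind Pavel describes can even be attempted, a scanner has to learn whether rpc.statd is registered on the target at all, the same inventory step as noting that port 515 is open in the lpd case. The following is an added example, not code from this thread or from Nessus: it builds a minimal ONC RPC v2 portmapper GETPORT call (RFC 5531 / RFC 1833 framing) for program 100024 (status) and parses the reply, the way `rpcinfo -p` does. The XID, the UDP timeout and the constructed reply used for testing are my own assumptions.

```python
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
STATD_PROG = 100024          # rpc.statd ("status") program number
IPPROTO_UDP = 17


def build_getport_call(xid: int, prog: int, vers: int = 1, proto: int = IPPROTO_UDP) -> bytes:
    """ONC RPC v2 CALL asking the portmapper which port `prog`/`vers` is registered on."""
    # xid, msg_type=CALL(0), rpcvers=2, prog, vers, proc
    header = struct.pack(">IIIIII", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    cred = struct.pack(">II", 0, 0)            # AUTH_NULL credentials (flavor, length)
    verf = struct.pack(">II", 0, 0)            # AUTH_NULL verifier
    args = struct.pack(">IIII", prog, vers, proto, 0)  # mapping{prog, vers, prot, port(ignored)}
    return header + cred + verf + args


def parse_getport_reply(data: bytes, xid: int) -> int:
    """Return the registered port from an accepted reply (0 = not registered); raise otherwise."""
    if len(data) < 28:
        raise ValueError("reply too short")
    rxid, mtype, reply_stat = struct.unpack(">III", data[:12])
    if rxid != xid or mtype != 1:              # must be a REPLY(1) carrying our xid
        raise ValueError("not a reply to our call")
    if reply_stat != 0:                        # MSG_DENIED
        raise ValueError("call denied by portmapper")
    _vflavor, vlen = struct.unpack(">II", data[12:20])
    off = 20 + ((vlen + 3) & ~3)               # skip the XDR-padded verifier body
    (accept_stat,) = struct.unpack(">I", data[off:off + 4])
    if accept_stat != 0:                       # anything but SUCCESS
        raise ValueError(f"call not accepted, accept_stat={accept_stat}")
    (port,) = struct.unpack(">I", data[off + 4:off + 8])
    return port


def query_statd_port(host: str, timeout: float = 2.0) -> int:
    """Ask host's portmapper (UDP/111) where rpc.statd v1 lives; 0 means it is not registered."""
    xid = 0x4E455353                           # assumed, arbitrary transaction id
    call = build_getport_call(xid, STATD_PROG)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(call, (host, 111))
        data, _ = sock.recvfrom(512)
    return parse_getport_reply(data, xid)


if __name__ == "__main__":
    import sys
    print(query_statd_port(sys.argv[1]) if len(sys.argv) > 1 else "usage: statd_port.py <host>")
```

A non-zero result only tells you that statd is reachable through the portmapper; whether it still forwards requests as Pavel describes is a separate question this check deliberately does not answer.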