Mailing List Archive

Changes to nasl 11923 (Frontpage Chunked Overflow)
During some scans on various hosts, we found that NASL 11923 was
reported as a false positive.

The NASL tests for the Frontpage Chunked Overflow vulnerability. The
fp30reg.dll in IIS is vulnerable in certain implementations of Windows
IIS servers.

The test involves sending a request for fp30reg.dll. If the dll
exists, the server responds with "HTTP/1.* 200 OK" and the test will be
marked as true.

If a web server is set up to always return a standard error page, the
test might be flagged as true.

We have included additional error checking to verify whether a '404' not
found message exists.
If the no404 string exists and is contained in the returned page (a
standard response page), the test will not be flagged as positive.

#
# See section of code after: #charl@sensepost.com
#


if (r) {
  # only IIS 5.0 / 5.1 ship the affected fp30reg.dll
  if (egrep(string:r, pattern:"^Server: Microsoft-IIS/5\.[01].*")) {
    # older content-length check, kept disabled (both lines commented out
    # so the dangling "data:myreport);" no longer breaks parsing)
    #if (! strstr(r, "Content-Length: 4009")) security_warning(port:port,
    #  data:myreport);

    # here we manually inspect replies to a bogus chunked request
    # an unpatched IIS 5.x server will respond to this query with a '200 OK'
    req2 = string("POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n");
    req2 = req2 + string("Host: ", get_host_name(), "\r\n");
    req2 = req2 + string("Transfer-Encoding: chunked\r\n\r\n");
    req2 = req2 + string("0\r\n\r\nX\r\n0\r\n\r\n");
    r2 = http_keepalive_send_recv(data:req2, port:port);
    if (r2 == NULL) exit(0);

    if (egrep(string:r2, pattern:"^HTTP/1\.[01] 200 OK"))
    {
      #charl@sensepost.com
      # a server that answers every request with a custom error page also
      # returns 200 OK, so compare the reply against the known 'not found'
      # page stored in the www/no404/<port> KB entry
      no404 = tolower(get_kb_item(string("www/no404/", port)));
      if (no404)
      {
        response = tolower(r2);
        # the reply is the standard error page, not fp30reg.dll: false positive
        if (strlen(response) && no404 >< response) exit(0);
      }
      security_hole(port);
    }
    # no 200 OK: the host has the fix (KB813360) applied
    else set_kb_item(name:"SMB/KB813360", value:TRUE);
  }
}
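The decision logic of the patched check, rewritten as an added Python example (not the NASL script's own code) that classifies already-captured replies to the fp30reg.dll probe; the sample replies and the no404 fingerprint are constructed, and no request is sent.

```python
import re
from typing import Optional

# status line of the reply to the chunked POST
STATUS_RE = re.compile(r"^HTTP/1\.[01] (\d{3})")
# same Server-header test the NASL applies to the first reply
IIS5_RE = re.compile(r"^Server: Microsoft-IIS/5\.[01]", re.M)


def classify(reply: str, no404: Optional[str]) -> str:
    """Return 'not-iis5', 'patched', 'false-positive' or 'vulnerable'.

    reply  - raw HTTP reply (headers and body) to the chunked probe
    no404  - lower-cased text of the server's custom 'not found' page
             (the NASL reads it from the www/no404/<port> KB entry),
             or None when the server returns a real 404
    """
    head, _, _body = reply.partition("\r\n\r\n")
    if not IIS5_RE.search(head):
        return "not-iis5"                      # script never probes non-IIS-5 hosts
    m = STATUS_RE.match(reply)
    if not m or m.group(1) != "200":
        return "patched"                       # mirrors set_kb_item(SMB/KB813360)
    # 200 OK: rule out a server that answers everything with its error page
    if no404 and no404 in reply.lower():
        return "false-positive"                # the no404 guard: exit(0)
    return "vulnerable"                        # security_hole(port)


# constructed sample replies (not captured from real hosts)
IIS5_200 = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
            "Content-Type: text/html\r\n\r\n<html>fp30reg</html>")
ERR_PAGE = "sorry, the page you requested was not found"
IIS5_CUSTOM_ERR = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
                   "Content-Type: text/html\r\n\r\n"
                   "<html><body>Sorry, the page you requested was not found."
                   "</body></html>")
IIS5_404 = ("HTTP/1.1 404 Object Not Found\r\n"
            "Server: Microsoft-IIS/5.0\r\n\r\n")
APACHE_200 = "HTTP/1.1 200 OK\r\nServer: Apache/2.0\r\n\r\nhello"

if __name__ == "__main__":
    for name, rep, fp in (("iis5 200", IIS5_200, None),
                          ("custom error page", IIS5_CUSTOM_ERR, ERR_PAGE),
                          ("iis5 404", IIS5_404, None),
                          ("apache", APACHE_200, None)):
        print(f"{name}: {classify(rep, fp)}")
```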
