Bug in plugin 11673 (Remote PC Access Server Detection)
Hi,

this plugin returned a false positive on port 143, misidentifying the
Exchange IMAP service as Remote PC.
Looking at the source there is an apparent bug:

send(socket:soc, data:raw_string(0x28, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00));
r = recv(socket:soc, length:57);
close(soc);
if(strlen(r) == 57 && ord(r[0]) == 0x2A)
{
    security_warning(port);
}

The r buffer is limited to 57 characters, and the following test checks
whether it's 57 characters long.
This means that any response which starts with a * (hex 2A) and is at
least 57 characters long will trigger the plugin
("* OK Microsoft Exchange 2000 IMAP4rev1 server version 6.0 version
6.0.6603.0 (xxx) ready" in this case).

I've attached a "fixed" version which increases the recv buffer length
to 8k.
I presume this would still identify a real Remote PC server, while
reducing false positives.
A longer signature would be ideal, but we don't have a copy of Remote PC
available to test.


Regards,

--
Hubert Seiwert

Internet Security Specialist, Westpoint Ltd
Albion Wharf, 19 Albion Street, Manchester M1 5LN, United Kingdom

Web: www.westpoint.ltd.uk
Tel: +44-161-2371028
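The false positive described in the message above, modelled as an added Python example (not the plugin's NASL source and not the attached fix). The `recv` helper, the sample names and the two 57-byte samples are constructed assumptions; the Exchange banner is the one quoted in the message.

```python
# Added illustration: models NASL recv(length:N) as "return at most N bytes"
# and assumes the whole server response arrives in a single read.

EXPECTED_LEN = 57   # reply length the plugin tests for (from the post)
MARKER = 0x2A       # '*', the first byte the plugin tests for


def recv(stream: bytes, length: int) -> bytes:
    """Hypothetical stand-in for a socket read capped at `length` bytes."""
    return stream[:length]


def original_check(stream: bytes) -> bool:
    # The read is capped at 57, so every longer reply is truncated to 57
    # bytes and the length test can no longer tell it apart.
    r = recv(stream, 57)
    return len(r) == EXPECTED_LEN and r[0] == MARKER


def widened_check(stream: bytes) -> bool:
    # Same test with an 8k read: longer replies keep their real length.
    r = recv(stream, 8192)
    return len(r) == EXPECTED_LEN and r[0] == MARKER


SAMPLES = {
    # Banner as quoted in the post ("xxx" is the poster's own redaction).
    "exchange_imap": b"* OK Microsoft Exchange 2000 IMAP4rev1 server version 6.0 "
                     b"version 6.0.6603.0 (xxx) ready",
    # Constructed: 57 bytes starting with 0x2A, standing in for a reply of
    # the shape the plugin expects (not a captured Remote PC response).
    "constructed_57": bytes([MARKER]) + b"\x00" * 56,
    # Constructed: an IMAP-style greeting that happens to be exactly 57 bytes.
    "imap_exactly_57": b"* OK " + b"x" * 50 + b"\r\n",
    # Constructed: a short greeting, below the expected length.
    "short_greeting": b"* OK ready\r\n",
}


def evaluate() -> dict:
    """Return {sample: (original_check, widened_check)} for each sample."""
    return {name: (original_check(s), widened_check(s))
            for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, (orig, wide) in evaluate().items():
        print(f"{name:16} original={orig!s:5} widened={wide}")
```

The widened read clears the Exchange banner, but any service whose reply is exactly 57 bytes and starts with `*` still matches, which is the gap a longer signature would close.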
Bug in plugin 11673 (Remote PC Access Server Detection)
Plugin attached.

--
Hubert Seiwert

Internet Security Specialist, Westpoint Ltd
Albion Wharf, 19 Albion Street, Manchester M1 5LN, United Kingdom

Web: www.westpoint.ltd.uk
Tel: +44-161-2371028