plugin 22194 - potential false positive?
I have been running some scans that include plugin 22194 (network check for
server service bo/ms06-040). Did some limited testing under various
circumstances and the plugin seems to detect presence for the vulnerability
accurately.

However, I have heard very recently from a server administrator group that
they suspect potential false positives. Their claim is that the patches had
been applied and the servers rebooted even before their devices were scanned. For
my part, I have some homework to do with them, i.e., really verify that
indeed the patch for KB921883 was applied and took effect.

Nonetheless, I would like to reach out to the list to find out whether anybody
has had any observations of false positives with respect to this plugin. I
do realize that sometimes the best way to check for such vulnerabilities is
with more privileged access. However, given the nature of this specific
vulnerability, I am confident in an effective network check.

1. What could possibly cause a false positive with such a check?
2. What is the plugin actually doing? (High-level gist: it calls a
named pipe relating to the Server service, initializes a buffer, populates
it with 'nessus', then tries to overflow the buffer; if the patch is applied,
the buffer should return 0; if not, the buffer returns 'nessus', thereby
checking for the vulnerability.) Can someone confirm my understanding?

Any help or feedback provided is greatly appreciated.

- how2vuln
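The host-side "homework" mentioned in the post, as an added example that is not part of the original message or of the Nessus plugin: it checks whether KB921883 is recorded as installed, whether the host has been rebooted since that install (a patched netapi32.dll on disk does nothing for a Server service still running the old code), and reports the netapi32.dll file version for comparison against the MS06-040 bulletin. It assumes PowerShell 2.0 or later on the scanned Windows host; the patched version number is deliberately not hard-coded.

```powershell
# Added example: verify locally that the MS06-040 patch (KB921883) is installed
# and has taken effect, to cross-check a plugin 22194 network finding.
# Assumes PowerShell 2.0+ running on the scanned host.
$KB = 'KB921883'

# 1. Is the hotfix recorded in the installed-updates inventory?
$fix = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $KB }
if (-not $fix) {
    Write-Output "$KB not found in the hotfix inventory - the network finding is likely genuine."
} else {
    Write-Output ("{0} installed on {1}" -f $KB, $fix.InstalledOn)
}

# 2. Was the host rebooted after the patch was installed?
$os = Get-WmiObject Win32_OperatingSystem
$lastBoot = $os.ConvertToDateTime($os.LastBootUpTime)
if ($fix -and $fix.InstalledOn -and ($lastBoot -lt $fix.InstalledOn)) {
    Write-Output "Last boot ($lastBoot) predates the patch install - reboot before rescanning."
} else {
    Write-Output "Last boot: $lastBoot"
}

# 3. Report the file version of netapi32.dll, the binary MS06-040 replaces,
#    for manual comparison with the version listed in the bulletin.
$dll = Join-Path $env:SystemRoot 'System32\netapi32.dll'
$ver = (Get-Item $dll).VersionInfo.FileVersion
Write-Output "netapi32.dll file version: $ver"
```

If step 1 finds the update and step 2 shows a boot after the install date, yet the plugin still fires on a rescan, that is the point at which a false-positive report to the list is worth making.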