eDonkey_detect.nasl invalid port
Hi,

this plugin (11022) reported eDonkey on an invalid port (server name obscured):

Plugin output :

Server name : xxxxx (en) (rus) (de)
UDP port : 306188864

I presume that the presence of a valid-looking server name in the output indicates
that eDonkey is actually present, however the port decoded in this case is definitely
wrong. Is it correct that the port is retrieved from a dword?

Maybe adding a sanity check like this would be worthwhile:

--- eDonkey_detect.nasl 2006-11-30 10:37:25.000000000 +0000
+++ eDonkey_detect.nasl 2006-12-07 10:21:11.000000000 +0000
@@ -118,6 +118,8 @@
info += " UDP port : " + port + '\n';
}

+ if (port < 65536)
+ {
report = string(
desc,
"\n\n",
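Review bot: the new `if (port < 65536)` comes after `info += " UDP port : " + port + '\n';` and encloses the whole `report = string(` call, so an out-of-range value suppresses the entire finding, server name included, instead of only the bad port line. Consider testing the value before it is appended to info and still reporting the rest. The check also has no lower bound, so 0 or a negative value would pass.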
@@ -126,4 +128,5 @@
info
);
security_note(port:port, data:report);
+ }
}
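Review bot: in `security_note(port:port, data:report);` the note is filed under the same `port` variable that the guard tests and that the "UDP port" line prints, so the decoded value also decides where the finding is attached. If `port` is meant to be the port the service answered on, keep the decoded value in a separate variable and validate that one. The lines between the new braces are also left at their old indentation.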



--
Hubert Seiwert

Internet Security Specialist, Westpoint Ltd
Albion Wharf, 19 Albion Street, Manchester M1 5LN, United Kingdom

Web: www.westpoint.ltd.uk
Tel: +44-161-2371028
_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers
Re: eDonkey_detect.nasl invalid port
On Thu, Dec 07, 2006 at 10:42:52AM +0000, Hubert Seiwert wrote:

> this plugin (11022) reported eDonkey on an invalid port (server name obscured):
>
> Plugin output :
>
> Server name : xxxxx (en) (rus) (de)
> UDP port : 306188864
>
> I presume that the presence of a valid-looking server name in the output indicates
> that eDonkey is actually present,

The plugin actually sends a Hello packet and verifies the response so it
shouldn't be a false-positive.

> however the port decoded in this case is definitely
> wrong. Is it correct that the port is retrieved from a dword?

Ah, ha! The value retrieved is actually a dword because of the type of
meta tag we're looking at, but it consists of two ports: one for a KAD
and another for an ED2K server.

I've updated the plugin so it separates them in the report. The update
should be available in a couple of hours. Let me know if that doesn't
make more sense.

George
--
theall@tenablesecurity.com
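
The reply above says the dword carries two ports. As an added example (not code from the plugin or from either poster), this Python snippet splits the reported value into its two 16-bit halves and validates each one; which half belongs to KAD and which to ED2K is not stated in the thread, so the halves are labelled by bit position only, and treating 0 as "not set" is an assumption.

```python
# Added example: split a 32-bit tag value into two 16-bit port candidates.
# Which half maps to KAD and which to ED2K is not stated in the thread,
# so the halves are labelled only by bit position.

def split_port_dword(value):
    """Return (high16, low16) for a 32-bit unsigned value."""
    if not isinstance(value, int) or isinstance(value, bool):
        raise TypeError("value must be an integer")
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value does not fit in an unsigned dword")
    return (value >> 16) & 0xFFFF, value & 0xFFFF


def valid_port(port):
    """Assumption: a reportable port is 1..65535 and 0 means 'not set'."""
    return 1 <= port <= 65535


def describe_ports(value):
    """Build report lines for a decoded dword, skipping unusable halves."""
    high, low = split_port_dword(value)
    lines = []
    for label, port in (("high 16 bits", high), ("low 16 bits", low)):
        if valid_port(port):
            lines.append("  UDP port (%s) : %d" % (label, port))
    if not lines:
        lines.append("  UDP port : not advertised")
    return lines


if __name__ == "__main__":
    # Value taken from the plugin output quoted in this thread.
    for line in describe_ports(306188864):
        print(line)
```
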