Mailing List Archive

Broken detection of MySQL in find_service2.nasl
Sometime between revisions 1.242 and 1.251 of find_service2.nasl the
detection logic for MySQL has changed so that it no longer works
properly. The relevant part follows:


@@ -1787,13 +1809,24 @@

if ( strlen(r) > 4 )
{
- local_var l;
+ local_var l, ver;
l = ord(r[0]) + (ord(r[1]) << 8) + (ord(r[2]) << 16);
- if ( strlen(r) >= l && ord(r[3]) == 0 && substr(r, 4, strlen(r) - 1 ) =~ '[0-9.]+\\.[0-9.]+\\.[0-9.]+' )
- {
- register_service(port: port, proto: 'mysql');
- security_note(port: port, data: "MySQL seems to be running on this port");
- return 1;
+ if ( strlen(r) == (l+4) && ord(r[3]) == 0 && ord(r[4]) > 0 )
+ {
+ l = ord(r[4]);
+ ver = substr(r, 5, l+5-1-1);
+ if (ver =~ '^[0-9.]+\\.[0-9.]+\\.[0-9.]+')
+ {
+ register_service(port: port, proto: 'mysql');
+ security_note(port: port, data: "A MySQL server is running on this port");
+ return 1;
+ }
+ else if (ver =~ '^[0-9.]+\\.[0-9.]+-')
+ {
+ register_service(port: port, proto: 'mysql_im');
+ security_note(port: port, data: "A MySQL Instance Manager is running on this port");
+ return 1;
+ }
}
}
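Review bot: the new framing test `strlen(r) == (l+4)` assumes the reply is exactly one packet, but the dump quoted below the hunk shows a 0x30-byte greeting (52 bytes with its 4-byte header) followed by a second packet carrying "Bad handshake", so an equality on the total buffer length can never hold for that banner; compare against the first packet only (`strlen(r) >= l + 4`) or split the buffer into framed packets before checking. Separately, `ord(r[4])` at offset 4 of a greeting is the protocol version byte (0x0A in the dump), not the length of the version string, so `ver = substr(r, 5, l+5-1-1)` only happens to return enough characters for the regex; read the NUL-terminated string starting at offset 5 instead, and if the arithmetic stays, write it as `l+3`.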


The MySQL banner that is no longer recognized follows:

0x00: 30 00 00 00 0A 34 2E 30 2E 31 36 2D 73 74 61 6E 0....4.0.16-stan
0x10: 64 61 72 64 00 0E 01 00 00 60 22 26 36 7B 2D 6A dard.....`"&6{-j
0x20: 50 00 0C 20 08 02 00 00 00 00 00 00 00 00 00 00 P.. ............
0x30: 00 00 00 00 10 00 00 01 FF 13 04 42 61 64 20 68 ...........Bad h
0x40: 61 6E 64 73 68 61 6B 65 andshake


As far as I can tell the problem is that the new logic incorrectly
calculates the exact banner length:

strlen(r) == (l+4)


The following crude patch resolves the issue (but somebody with better
understanding of the MySQL protocol could probably make it more precise):

--- find_service2.nasl.orig 2008-06-02 10:40:54.000000000 -0600
+++ find_service2.nasl 2008-06-03 18:37:44.000000000 -0600
@@ -1811,7 +1811,7 @@
{
local_var l, ver;
l = ord(r[0]) + (ord(r[1]) << 8) + (ord(r[2]) << 16);
- if ( strlen(r) == (l+4) && ord(r[3]) == 0 && ord(r[4]) > 0 )
+ if ( strlen(r) >= (l+4) && ord(r[3]) == 0 && ord(r[4]) > 0 )
{
l = ord(r[4]);
ver = substr(r, 5, l+5-1-1);
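Review bot: relaxing the test to `strlen(r) >= (l+4)` is enough to accept a greeting followed by a second packet, but it also accepts any longer buffer and still keys the version extraction on `ord(r[4])`, which in a greeting is the protocol version byte rather than a length; a tighter fix would additionally require `ord(r[4]) == 10` and take `ver` as the bytes from offset 5 up to the first NUL, which makes the length of whatever follows the first packet irrelevant.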


Cheers,
nnposter
_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers
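Added illustration, not code from the thread or from the Nessus plugin: a Python parser that frames the banner quoted above packet by packet and fingerprints the greeting from the first packet only, so the trailing error packet that defeats the `==` check does not matter. The banner bytes are reconstructed from the hex dump in the post; the greeting layout assumed (protocol byte, NUL-terminated version, 4-byte thread id) is the documented protocol-10 handshake, and `nasl_length_check` reimplements the two NASL length tests for comparison.

```python
import re
import struct

# Constructed from the hex dump quoted in the post: a protocol-10 greeting
# (48-byte payload) followed by the 16-byte error packet "Bad handshake".
BANNER = (
    bytes.fromhex("30000000 0a 342e302e31362d7374616e64617264 00 0e010000"
                  "602226367b2d6a50 00 0c20 08 0200")
    + bytes(13)                                   # reserved zero filler
    + bytes.fromhex("10000001 ff 1304 42616420 68616e647368616b65")
)

def split_packets(data):
    """Split a MySQL stream into (sequence_id, payload) using the 4-byte header."""
    packets, off = [], 0
    while off + 4 <= len(data):
        length = int.from_bytes(data[off:off + 3], "little")   # 3-byte LE length
        payload = data[off + 4:off + 4 + length]
        if len(payload) < length:            # truncated packet: stop, do not guess
            break
        packets.append((data[off + 3], payload))              # byte 3 = sequence id
        off += 4 + length
    return packets

def parse_handshake(payload):
    """Decode a v10 greeting: protocol byte, NUL-terminated version, thread id."""
    if len(payload) < 6 or payload[0] != 10:
        return None
    end = payload.find(b"\x00", 1)
    if end < 0 or len(payload) < end + 5:
        return None
    return {"protocol": 10,
            "version": payload[1:end].decode("ascii", "replace"),
            "thread_id": struct.unpack_from("<I", payload, end + 1)[0]}

def nasl_length_check(data, exact):
    """The framing test from the diff: exact=True is '==', exact=False is '>='."""
    l = data[0] | (data[1] << 8) | (data[2] << 16)
    return len(data) == l + 4 if exact else len(data) >= l + 4

def detect_mysql(data):
    """Fingerprint on the first framed packet only; trailing packets are ignored."""
    packets = split_packets(data)
    if not packets or packets[0][0] != 0:
        return None
    hs = parse_handshake(packets[0][1])
    if hs and re.match(r"^\d+\.\d+\.\d+", hs["version"]):
        return ("mysql", hs["version"])
    return None
```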
Re: Broken detection of MySQL in find_service2.nasl
On Jun 5, 2008, at 10:10 AM, nnposter@users.sourceforge.net wrote:

> Sometime between revisions 1.242 and 1.251 of find_service2.nasl the
> detection logic for MySQL has changed so that it no longer works
> properly.

My bad. I missed the fact that the banner includes not only the
handshake initialization packet but also an error packet, from sending
the HTTP GET request. I just committed a patch which should fix the
issue. Thanks for pointing this out.

George
--
theall@tenablesecurity.com


