Mailing List Archive

MS08-067?
Anyone have a plugin for MS08-067
<http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx>,
CVE-2008-4250? Sure would be nice to beat the hackers to the punch on
this one.

--
Omen Wild
Security Administrator
(530) 752-1700
Re: MS08-067? [ In reply to ]
On Oct 23, 2008, at 11:07 PM, Omen Wild wrote:

> Anyone have a plugin for MS08-067
> <http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx>,
> CVE-2008-4250? Sure would be nice to beat the hackers to the punch on
> this one.

We have two plugins (one with credentials, one without). Both are in
final stage of QA and should be in the feed within an hour or less.


_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
Re: MS08-067? [ In reply to ]
Quoting Renaud Deraison <deraison-lists@nessus.org> on Thu, Oct 23 23:13:
>
> We have two plugins (one with credentials, one without). Both are in
> final stage of QA and should be in the feed within an hour or less.

Excellent! Thanks for the quick response, I will be looking for this
shortly.

--
Omen Wild
Security Administrator
(530) 752-1700
Re: MS08-067? [ In reply to ]
Seems like I was a bit optimistic with regards to QA :) The plugin
with credential will be in the feed within an hour or so, and we're
investigating the credential-less plugin which will take slightly more
time.

On Oct 23, 2008, at 11:13 PM, Renaud Deraison wrote:

>
> On Oct 23, 2008, at 11:07 PM, Omen Wild wrote:
>
>> Anyone have a plugin for MS08-067
>> <http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx>,
>> CVE-2008-4250? Sure would be nice to beat the hackers to the punch
>> on
>> this one.
>
> We have two plugins (one with credentials, one without). Both are in
> final stage of QA and should be in the feed within an hour or less.
Re: MS08-067? [ In reply to ]
Sorry for the delay.

So :

Plugin#34476 was released yesterday and checks for MS08-067 with
credentials (ie: it logs into the remote Windows systems and checks
the version of the DLL)

Plugin#34477 was released early today and checks for MS08-067 over the
network, without credentials.


Both are in the plugin feeds (Pro and Home).


http://www.nessus.org/plugins/index.php?view=single&id=34477
http://www.nessus.org/plugins/index.php?view=single&id=34476



Have a good day,

-- Renaud


On Oct 24, 2008, at 12:10 AM, Renaud Deraison wrote:

>
> Seems like I was a bit optimistic with regards to QA :) The plugin
> with credential will be in the feed within an hour or so, and we're
> investigating the credential-less plugin which will take slightly more
> time.
>
> On Oct 23, 2008, at 11:13 PM, Renaud Deraison wrote:
>
>>
>> On Oct 23, 2008, at 11:07 PM, Omen Wild wrote:
>>
>>> Anyone have a plugin for MS08-067
>>> <http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx>,
>>> CVE-2008-4250? Sure would be nice to beat the hackers to the punch
>>> on
>>> this one.
>>
>> We have two plugins (one with credentials, one without). Both are in
>> final stage of QA and should be in the feed within an hour or less.
Re: MS08-067? [ In reply to ]
Is there a setting in nessus that I need to have enabled to successfully
get past the

os = get_kb_item ("Host/OS/smb") ;
if ("Windows" >!< os) exit(0);


lines? I think something may be disabled somewhere because I have a
vulnerable machine but if I just call the raw nasl script with

/opt/nessus/bin/nasl -t IP file.nasl

it exits right there. If I remove those lines, the nasl check works.

Thanks in advance,
Tim

Renaud Deraison wrote:
>
> Sorry for the delay.
>
> So :
>
> Plugin#34476 was released yesterday and checks for MS08-067 with
> credentials (ie: it logs into the remote Windows systems and checks
> the version of the DLL)
>
> Plugin#34477 was released early today and checks for MS08-067 over the
> network, without credentials.
>
>
> Both are in the plugin feeds (Pro and Home).
>
>
> http://www.nessus.org/plugins/index.php?view=single&id=34477
> http://www.nessus.org/plugins/index.php?view=single&id=34476
>
>
>
> Have a good day,
>
> -- Renaud
>
>
> On Oct 24, 2008, at 12:10 AM, Renaud Deraison wrote:
>
>> Seems like I was a bit optimistic with regards to QA :) The plugin
>> with credential will be in the feed within an hour or so, and we're
>> investigating the credential-less plugin which will take slightly more
>> time.
>>
>> On Oct 23, 2008, at 11:13 PM, Renaud Deraison wrote:
>>
>>> On Oct 23, 2008, at 11:07 PM, Omen Wild wrote:
>>>
>>>> Anyone have a plugin for MS08-067
>>>> <http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx>,
>>>> CVE-2008-4250? Sure would be nice to beat the hackers to the punch
>>>> on
>>>> this one.
>>> We have two plugins (one with credentials, one without). Both are in
>>> final stage of QA and should be in the feed within an hour or less.
Re: MS08-067? [ In reply to ]
On Oct 24, 2008, at 5:02 PM, Tim Rupp wrote:

> Is there a setting in nessus that I need to have enabled to
> successfully
> get past the
>
> os = get_kb_item ("Host/OS/smb") ;
> if ("Windows" >!< os) exit(0);
>
>
> lines? I think something may be disabled somewhere because I have a
> vulnerable machine but if I just call the raw nasl script with
>
> /opt/nessus/bin/nasl -t IP file.nasl
>
> it exits right there. If I remove those lines, the nasl check works.



The plugin is meant to run from within nessusd. If you remove these
two lines when running in command-line it will work, but when scanning
from within nessusd, this KB entry will be set by
smb_nativelanman.nasl which is a dependency of this particular plugin.

Are you encountering a problem when running from within nessusd?

-- Renaud


Re: MS08-067? [ In reply to ]
Ok, gotcha. No, it's running just fine inside Nessus, but I was just
doing a quick test from nasl and wasn't getting the result I expected.

Thanks for the clarification Renaud.

-Tim

Renaud Deraison wrote:
>
> On Oct 24, 2008, at 5:02 PM, Tim Rupp wrote:
>
>> Is there a setting in nessus that I need to have enabled to successfully
>> get past the
>>
>> os = get_kb_item ("Host/OS/smb") ;
>> if ("Windows" >!< os) exit(0);
>>
>>
>> lines? I think something may be disabled somewhere because I have a
>> vulnerable machine but if I just call the raw nasl script with
>>
>> /opt/nessus/bin/nasl -t IP file.nasl
>>
>> it exits right there. If I remove those lines, the nasl check works.
>
>
>
> The plugin is meant to run from within nessusd. If you remove these two
> lines when running in command-line it will work, but when scanning from
> within nessusd, this KB entry will be set by smb_nativelanman.nasl which
> is a dependency of this particular plugin.
>
> Are you encountering a problem when running from within nessusd?
>
> -- Renaud
Re: Re: MS08-067? [ In reply to ]
I've been testing this against a Vista machine that is not patched, though
it's not alarming. Looking to get a system with XP now; does plugin 34477
check for this on Vista as well? I've run 34476 and get the same results
(though I do get some info that the remote registry cannot be read). I'm more
interested in getting 34477 working though.

On Oct 24, 2008 10:38am, Tim Rupp <tarupp@fnal.gov> wrote:
> Ok, gotcha. No, it's running just fine inside Nessus, but I was just
> doing a quick test from nasl and wasn't getting the result I expected.
>
> Thanks for the clarification Renaud.
>
> -Tim
>
> Renaud Deraison wrote:
> >
> > On Oct 24, 2008, at 5:02 PM, Tim Rupp wrote:
> >
> >> Is there a setting in nessus that I need to have enabled to successfully
> >> get past the
> >>
> >> os = get_kb_item ("Host/OS/smb") ;
> >> if ("Windows" >!
> >>
> >> lines? I think something may be disabled somewhere because I have a
> >> vulnerable machine but if I just call the raw nasl script with
> >>
> >> /opt/nessus/bin/nasl -t IP file.nasl
> >>
> >> it exits right there. If I remove those lines, the nasl check works.
> >
> > The plugin is meant to run from within nessusd. If you remove these two
> > lines when running in command-line it will work, but when scanning from
> > within nessusd, this KB entry will be set by smb_nativelanman.nasl which
> > is a dependency of this particular plugin.
> >
> > Are you encountering a problem when running from within nessusd?
> >
> > -- Renaud
Re: MS08-067? [ In reply to ]
On Oct 24, 2008, at 7:57 PM, x0SiN0x@gmail.com wrote:

> I've been testing this against a Vista machine that is not patched,
> though it's not alarming. Looking to get a system with XP now; does
> plugin 34477 check for this on Vista as well? I've run 34476 and get
> the same results (though I do get some info that the remote registry
> cannot be read). I'm more interested in getting 34477 working though.

The vulnerability can only be exploited without credentials on Windows
2000, XP and 2008. That's why the credential-less plugin does not fire
against Vista and 2008.


Nicolas
Re: MS08-067? [ In reply to ]
Quoting Renaud Deraison <deraison-lists@nessus.org> on Fri, Oct 24 14:00:
>
> Plugin#34476 was released yesterday and checks for MS08-067 with
> credentials (ie: it logs into the remote Windows systems and checks
> the version of the DLL)
>
> Plugin#34477 was released early today and checks for MS08-067 over the
> network, without credentials.

Just a word of warning, for those who have not updated in the last couple
hours (exact time unknown), you need to update your plugins before these
will work. I updated at 3:15 AM PST and both plugins had an 'exit(0);'
at the top. Newer versions seem to have removed this. So, upgrade
plugins before declaring victory.

--
Omen Wild
Security Administrator
(530) 752-1700
Re: MS08-067? [ In reply to ]
Quoting Renaud Deraison <deraison-lists@nessus.org> on Fri, Oct 24 14:00:
>
> Plugin#34477 was released early today and checks for MS08-067 over the
> network, without credentials.

Has anyone had any issues with this plugin crashing svchost.exe? Every
2nd or 3rd run of Nessus causes the following error on my XP Pro SP3 test
box (fully patched except this patch):
----- Begin crash report -----
Faulting application svchost.exe, version 5.1.2600.5512, faulting module
netapi32.dll, version 5.1.2600.5512, fault address 0x00018ae1.
----- End crash report -----

All three crashes that I caused have the exact same error and fault
address. Nessus will not find the hole again until after I reboot the
Windows box. I suspect file sharing stops working, but have not done
further testing.

My plugin revision is 1.8.

Anyone else seeing this?

--
Omen Wild
Security Administrator
(530) 752-1700
Re: MS08-067? [ In reply to ]
Yeah, I have the same issue.

2008/10/28 Omen Wild <omen@ucdavis.edu>

> Quoting Renaud Deraison <deraison-lists@nessus.org> on Fri, Oct 24 14:00:
> >
> > Plugin#34477 was released early today and checks for MS08-067 over the
> > network, without credentials.
>
> Has anyone had any issues with this plugin crashing svchost.exe? Every
> 2nd or 3rd run of Nessus causes the following error on my XP Pro SP3 test
> box (fully patched except this patch):
> ----- Begin crash report -----
> Faulting application svchost.exe, version 5.1.2600.5512, faulting module
> netapi32.dll, version 5.1.2600.5512, fault address 0x00018ae1.
> ----- End crash report -----
>
> All three crashes that I caused have the exact same error and fault
> address. Nessus will not find the hole again until after I reboot the
> Windows box. I suspect file sharing stops working, but have not done
> further testing.
>
> My plugin revision is 1.8.
>
> Anyone else seeing this?
>
> --
> Omen Wild
> Security Administrator
> (530) 752-1700



--
Best Regards :-)
-------------------------------------------
Wang Yao(王耀),wangyao@cs.hit.edu.cn ipconfigme@gmail.com
HomePage: http://cudev.cublog.cn
Research Center of Computer Network and Information Security Technology
Harbin Institute Of Technology
Address:NO.92 West Da-Zhi Street,NanGang District,Harbin,Heilongjiang
Re: MS08-067? [ In reply to ]
Quoting Omen Wild <omen@ucdavis.edu> on Mon, Oct 27 13:08:
>
> Quoting Renaud Deraison <deraison-lists@nessus.org> on Fri, Oct 24 14:00:
> >
> > Plugin#34477 was released early today and checks for MS08-067 over the
> > network, without credentials.
>
> Has anyone had any issues with this plugin crashing svchost.exe? Every
> 2nd or 3rd run of Nessus causes the following error on my XP Pro SP3 test
> box (fully patched except this patch):

Tenable worked with me offline to test several new versions. Due to some
technical issues on my side it took much longer than it should have, but
the bottom line is that version 1.12 (available in the feed) cleared up
all of the crashing I was having. With older versions svchost.exe would
crash in 3-4 iterations, with version 1.12 I ran 800 tests without a
crash. I am going to recommend we enable the plugin campus wide and
test our 80,000+ machines with it. Should be fun times!

Thanks for all the help!

--
Omen Wild
Security Administrator
(530) 752-1700
RE: MS08-067? [ In reply to ]
"but
the bottom line is that version 1.12 (available in the feed) cleared up
all of the crashing I was having. "


I also ran tests on about 200 hosts using the 1.12 version of the MS08-067 plugin. I have not seen another instance of the SVCHOST.EXE crash scenario.

I plan on enabling it for the 10,000 hosts we scan each week.

Regards,

Sonny
Re: MS08-067? [ In reply to ]
Quoting Nicolas Pouvesle <npouvesle@tenablesecurity.com> on Fri, Oct 24 20:20:
>
> The vulnerability can only be exploited without credentials on Windows
> 2000, XP and 2008. That's why the credential-less plugin does not fire
> against Vista and 2008.

How about a WYSE terminal running Microsoft Windows XP Embedded? I find
a bunch of people asking the question, but Microsoft isn't answering.

--
Omen Wild
Security Administrator
(530) 752-1700
Re: MS08-067? [ In reply to ]
Hey guys,

Can we consider this plugin 'stable' ?

Thanks

On Tue, Nov 4, 2008 at 3:35 PM, Omen Wild <omen@ucdavis.edu> wrote:

> Quoting Nicolas Pouvesle <npouvesle@tenablesecurity.com> on Fri, Oct 24
> 20:20:
> >
> > The vulnerability can only be exploited without credentials on Windows
> > 2000, XP and 2008. That's why the credential-less plugin does not fire
> > against Vista and 2008.
>
> How about a WYSE terminal running Microsoft Windows XP Embedded? I find
> a bunch of people asking the question, but Microsoft isn't answering.
>
> --
> Omen Wild
> Security Administrator
> (530) 752-1700



--
Francis Lacoste-Cordeau
Re: MS08-067? [ In reply to ]
nexact wrote:
> Hey guys,
>
> Can we consider this plugin 'stable' ?
>
> Thanks
>

We consider it stable. I've spoken with a few customers that had crash issues
caused by an earlier version of the remote check. Upgrading to the most recent
release resulted in a reliable, accurate and non-destructive remote test.

Many of these organizations had manual plugin update processes and they
were not running the latest versions of the plugins.

Ron Gula
Tenable Network Security
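
A pre-flight check for the two stale-plugin problems reported in this thread (plugin copies with `exit(0);` at the top, and remote-check revisions older than 1.12), as an added example that is not part of any message here and is not Tenable's code. The sample plugin text is constructed, and the `script_version("$Revision: ... $")` line layout is an assumption about how a plugin records its revision.

```python
import re

# Constructed sample plugin text (not real Nessus plugin source). The
# script_version("$Revision: ... $") layout is an assumption.
STALE = '''# MS08-067 remote check (constructed sample)
exit(0);
script_id(34477);
script_version("$Revision: 1.8 $");
os = get_kb_item ("Host/OS/smb") ;
if ("Windows" >!< os) exit(0);
'''
FIXED = STALE.replace("exit(0);\nscript_id", "script_id").replace("1.8", "1.12")

def revision(src):
    """Return the plugin revision as a tuple of ints, or None if absent."""
    m = re.search(r'script_version\s*\(\s*"\$Revision:\s*(\d+(?:\.\d+)*)\s*\$"', src)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def disabled_at_top(src):
    """True if the first statement (skipping blanks and # comments) is exit(0);"""
    for line in src.splitlines():
        stmt = line.strip()
        if stmt and not stmt.startswith("#"):
            return re.fullmatch(r"exit\s*\(\s*0\s*\)\s*;", stmt) is not None
    return False

def kb_gates(src):
    """KB keys the plugin reads; these are unset when run outside nessusd."""
    return re.findall(r'get_kb_item\s*\(\s*"([^"]+)"\s*\)', src)

def preflight(src, min_rev=(1, 12)):
    """Return a list of reasons this plugin copy should not be trusted yet."""
    problems = []
    if disabled_at_top(src):
        problems.append("unconditional exit(0); at top, plugin never runs")
    rev = revision(src)
    if rev is None:
        problems.append("no revision line found")
    elif rev < min_rev:  # tuple compare: (1, 8) < (1, 12), unlike "1.8" < "1.12"
        problems.append("revision %s is older than %s" % (
            ".".join(map(str, rev)), ".".join(map(str, min_rev))))
    return problems

if __name__ == "__main__":
    for name, src in (("stale", STALE), ("fixed", FIXED)):
        print(name, preflight(src) or "ok", "KB keys:", kb_gates(src))
```

A clean scan result from a copy that fails this check says nothing about the hosts, since the plugin either never ran or is a revision the thread reports as crashing svchost.exe.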







