
| Subject: | Problem with querying long registry strings |
|---|---|
| Date: | Mon, 20 Sep 2004 13:26:30 -0400 |
On 9/19 I reported what I believe to be a bug in at least plugin 10861 - but
it may be deeper than the plugin. It seems real to me after I searched bugzilla
and the web for previous reports. I reported it as bug 1020.
Plugin 10861 itself is a check for the Internet Explorer patch Q867801.
I am curious if anyone else has seen this sort of behavior?
Basically it appears that items in the Windows registry that are long character
strings are being improperly handled. The report I filed is below:
---------------------------------------------------------------------------
Plugin 10861
If MinorVersion item is too long in smb_nt_ms02-005.nasl the plugin produces
false positives. Last reproduced with Nessus 2.0.12 with updated plugins on
9/19.
Occurs with: Nessus 2.0.12 on SUSE 8.0.
Also on 2.0.9 on Redhat 7.2.
Only platforms tested.
In using plugin 10861 against various W2K machines, several false positives were
produced. This was verified by checking the actual output of IE 6 "About
Internet Explorer" screen and by looking at value of MinorVersion in registry.
Q867801 was in fact present. Plugin was detecting and reporting only SP1, the
first patch in the MinorVersion string.
Appears that if the length of the MinorVersion item string is > 115 the string
is truncated down to the first reported fix. So patch 80671 is not found and
a positive is reported. If the string is shortened manually via regedt32 the
plugin works as reported. If a patched machine that is properly reported on has
its MinorVersion string length increased with bogus fix numbers, problem
appears.
Example 1:
MinorVersion value:
;SP1;Q328970;Q324929;Q810847;Q813951;Q813489;Q330994;Q818529;Q822925;Q828750;Q824145;Q832894;Q837009;Q831167;Q823353;Q867801;Q833989;
Produces:
We were able to determine that you are running IE Version 6.0000
with these IE Hotfixes installed:
SP1
But is missing security update(s) Q867801 (MS04-025)
Recommendation: Customers using Microsoft IE should install
this patch immediately.
Example 2:
MinorVersion value:
;SP1;Q328970;Q324929;Q810847;Q813951;Q813489;Q330994;Q818529;Q822925;Q828750;Q824145;Q832894;Q837009;Q831167;Q823353;Q867801;
Produces:
We were able to determine that you are running IE Version 6.0000
with these IE Hotfixes installed:
SP1
Q328970
Q324929
Q810847
Q813951
Q813489
Q330994
Q818529
Q822925
Q828750
Q824145
Q832894
Q837009
Q831167
Q823353
Q867801
Adding the original or bogus patch string reproduces original false positive.
Jim Klun
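The failure mode in the report above, modelled as an added example (this is not the Nessus plugin's code): MinorVersion is a ';'-separated list of tokens (service pack, then Qnnnnnn hotfix ids), and a reader that keeps only a fixed number of bytes of a long value drops the hotfixes past the cut, so a check that trusts the partial read reports an installed hotfix as missing. The fixed-size buffer, its 115-byte size (taken from the length the report names), and the `read_value`/`naive_check`/`robust_check` names are assumptions; the real cause inside the plugin is not established by the report.

```python
from typing import List, Optional, Tuple

# The two MinorVersion values quoted in the report (133 and 125 characters).
EXAMPLE_1 = ";SP1;Q328970;Q324929;Q810847;Q813951;Q813489;Q330994;Q818529;Q822925;Q828750;Q824145;Q832894;Q837009;Q831167;Q823353;Q867801;Q833989;"
EXAMPLE_2 = ";SP1;Q328970;Q324929;Q810847;Q813951;Q813489;Q330994;Q818529;Q822925;Q828750;Q824145;Q832894;Q837009;Q831167;Q823353;Q867801;"

BUFFER_SIZE = 115  # assumed reader limit, modelled on the length in the report


def read_value(full_value: str, buffer_size: Optional[int] = None) -> Tuple[str, int]:
    """Simulated registry read: returns (data actually read, true data length).
    With a buffer limit the data is cut, as a fixed-size buffer would cut it."""
    if buffer_size is None:
        return full_value, len(full_value)
    return full_value[:buffer_size], len(full_value)


def parse_minor_version(data: str) -> List[str]:
    """Split the value into its non-empty tokens (SP level and hotfix ids)."""
    return [tok for tok in data.split(";") if tok]


def naive_check(full_value: str, hotfix: str, buffer_size: Optional[int] = None) -> str:
    """Plugin-style check that trusts whatever was read: 'present' or 'missing'.
    A cut read turns an installed hotfix into 'missing' (a false positive)."""
    data, _ = read_value(full_value, buffer_size)
    return "present" if hotfix in parse_minor_version(data) else "missing"


def robust_check(full_value: str, hotfix: str, buffer_size: Optional[int] = None) -> str:
    """Only says 'missing' when the whole value was read: compares the bytes
    read with the value's true length and reports 'truncated' otherwise, so
    the scanner raises no finding it cannot back up."""
    data, true_len = read_value(full_value, buffer_size)
    if hotfix in parse_minor_version(data):
        return "present"
    if len(data) < true_len:
        return "truncated"  # nothing can be concluded about hotfixes past the cut
    return "missing"


if __name__ == "__main__":
    for name, value in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(name, len(value), "chars;",
              "naive:", naive_check(value, "Q867801", BUFFER_SIZE),
              "robust:", robust_check(value, "Q867801", BUFFER_SIZE))
```

With the 115-byte cut both values lose Q867801 (it starts at offset 117), so `naive_check` reports it missing for both, while `robust_check` reports the read as truncated; a full read finds Q867801 in both values and still reports Q833989 as genuinely missing from the second.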
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus