
plugin 22194 - potential false positive?

Subject: plugin 22194 - potential false positive?
Date: Fri, 15 Sep 2006 22:01:44 -0400
I have been running some scans that include plugin 22194 (network check for
Server service BO/MS06-040). I did some limited testing under various
circumstances, and the plugin seems to detect the presence of the vulnerability
accurately.

However, I have heard very recently from a server administrator group that
they suspect potential false positives. Their claim is that the patches had
been applied and the servers rebooted even before their devices were scanned. For
my part, I have some homework to do with them, i.e., really verify that
indeed the patch for KB921883 was applied and took effect.

Nonetheless, I would like to reach out to the list to find out whether anybody
has had any observations of false positives with respect to this plugin. I
do realize that sometimes the best way to check for such vulnerabilities is
with more privileged access. However, given the nature of this specific
vulnerability, I am confident in an effective network check.


1. What could possibly cause a false positive with such a check?

2. What is the plugin actually doing? (High-level gist: it calls a named pipe relating to the Server service, initializes a buffer, populates it with 'nessus', then tries to overflow the buffer; if the patch is applied the buffer should return 0; if not, the buffer returns 'nessus', thereby checking for the vulnerability.) Can someone confirm my understanding?

Any help or feedback provided is greatly appreciated.

- how2vuln
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
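The "homework" the poster mentions, verifying on the host itself that KB921883 is installed and that the box was actually rebooted afterwards, is the part a network check like plugin 22194 cannot see. The following is an added example written for this page; it is not Nessus code and not from the original post. It assumes a modern Windows host with PowerShell and WinRM, the standard System32 location of netapi32.dll, and the placeholder server names srv01/srv02, which are constructed. It does not hard-code an expected netapi32.dll version; compare the reported one against the file list in the KB921883 article.

```powershell
# Added example (not from the original post or from Nessus): confirm locally
# that KB921883 (MS06-040) is installed and that the host rebooted after it,
# which is the condition under which a network check should report clean.
# Assumption: run as an administrator; netapi32.dll lives in System32.

function Test-Ms06040Patch {
    [CmdletBinding()]
    param(
        [string]$HotfixId = 'KB921883',
        [string]$Netapi   = "$env:SystemRoot\System32\netapi32.dll"
    )

    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $boot = $os.LastBootUpTime

    # Get-HotFix reads Win32_QuickFixEngineering. It returns nothing (and a
    # non-terminating error) when the ID is absent, and InstalledOn can be
    # $null on some builds, so both cases are handled explicitly below.
    $fix = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue
    $dll = Get-Item -Path $Netapi -ErrorAction SilentlyContinue

    $installedOn = $null
    $rebooted    = $null   # unknown until we have an install timestamp
    if ($fix) {
        $installedOn = $fix.InstalledOn
        if ($installedOn) { $rebooted = $boot -gt $installedOn }
    }

    $dllVersion = $null
    $dllWritten = $null
    if ($dll) {
        $dllVersion = $dll.VersionInfo.FileVersion
        $dllWritten = $dll.LastWriteTime
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        HotfixInstalled    = [bool]$fix
        InstalledOn        = $installedOn
        LastBootUpTime     = $boot
        RebootedAfterPatch = $rebooted       # $true, $false, or $null (unknown)
        NetapiFileVersion  = $dllVersion     # compare with the KB921883 file list
        NetapiLastWrite    = $dllWritten
    }
}

# Run the check on the servers the scanner flagged and list the ones that
# are not provably patched and rebooted. Invoke-Command needs WinRM.
$servers = 'srv01', 'srv02'   # constructed placeholder names
Invoke-Command -ComputerName $servers -ScriptBlock ${function:Test-Ms06040Patch} |
    Where-Object { -not $_.HotfixInstalled -or $_.RebootedAfterPatch -ne $true } |
    Format-Table ComputerName, HotfixInstalled, InstalledOn, LastBootUpTime,
                 RebootedAfterPatch, NetapiFileVersion -AutoSize
```

A host that shows HotfixInstalled = True but RebootedAfterPatch = False (or a NetapiLastWrite newer than LastBootUpTime) is exactly the case where the administrators' "patched and rebooted" claim and the scanner's result can both be honest: the update is on disk, but the old netapi32.dll is still loaded into the Server service until the next reboot.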