
| Subject: | Re: plugin 22194 - potential false positive? |
|---|---|
| Date: | Sun, 17 Sep 2006 01:23:54 -0400 |
Thanks for your response. Misnomer on my part, that the plugin would try to overflow the buffer! Your clarification certainly helps my understanding.
What is the best way to track the version history of Nessus plugins, apart from looking at the plugin code? For versions before 1.4, what may have caused a false positive?
> how2 vuln wrote:
>> Nonetheless, I would like to reach out to the list to seek out if anybody has had any observations of false positives with respect to this plugin. I do realize that sometimes the best way to check for such vulnerabilities is with more privileged access. However, given the nature of this specific vulnerability, I am confident in an effective network check.
>>
>> 1. What could possibly cause a false positive with such a check?
>
> Since version 1.4 of the plugin, nothing. Previous version produced false negatives on some systems.
>
>> 2. What is the plugin actually doing? (high level gist: it calls a named pipe relating to the server service, initializes a buffer, populates it with 'nessus', then trying to overflow the buffer;
>
> The plugin does not overflow the buffer. It sends a first legitimate request to write "nessus" in a buffer. Then a second "tricky" request is sent to read this buffer. If the server is patched the buffer is reinitialized to 0 and an empty buffer is returned. However if the server is not patched, the previous buffer is returned with the string "nessus" at the beginning.
>
> So if this plugin fires on some of your systems it means they are not patched or rebooted.
>
> Nicolas

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
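The write-then-read check Nicolas describes, as an added model that is not the plugin's own code: it assumes a toy buffer size and the class and function names used here, and only models the decision rule (zeroed reply means patched, stale "nessus" means unpatched or not yet rebooted, anything else is inconclusive) with no protocol details.

```python
# Added example, not Nessus plugin code: a model of the two-request check.
# A legitimate request writes "nessus" into a server-side buffer with a
# bounded copy (nothing is overflowed); a second request reads the buffer
# back. Only the contents of that reply decide the verdict.
MARKER = b"nessus"
BUFFER_SIZE = 64  # assumed buffer length for this model


class ServerServiceModel:
    """Toy model of the buffer handling. With patched=True the buffer is
    reinitialised to zeros before the read request is answered."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.buffer = bytearray(BUFFER_SIZE)

    def write_request(self, data: bytes) -> None:
        # Legitimate request: copy is bounded by the buffer size.
        n = min(len(data), BUFFER_SIZE)
        self.buffer[:n] = data[:n]

    def read_request(self) -> bytes:
        # The "tricky" request returns the buffer without a preceding write.
        if self.patched:
            self.buffer = bytearray(BUFFER_SIZE)  # fix: reinitialised to 0
        return bytes(self.buffer)


def classify_reply(reply: bytes) -> str:
    """Verdict rule. An empty or all-zero reply means the fix is active.
    A reply starting with the marker means the host is unpatched, or patched
    but not rebooted, which looks identical on the wire. Anything else is
    inconclusive and should not be reported as a finding."""
    if not reply or reply == bytes(len(reply)):
        return "patched"
    if reply.startswith(MARKER):
        return "unpatched-or-not-rebooted"
    return "inconclusive"


def run_check(server: ServerServiceModel) -> str:
    """Run the two requests against a modelled server and classify."""
    server.write_request(MARKER)
    return classify_reply(server.read_request())


if __name__ == "__main__":
    for patched in (True, False):
        print("patched=%s -> %s" % (patched, run_check(ServerServiceModel(patched))))
```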