
Re: plugin 22194 - potential false positive?

Subject: Re: plugin 22194 - potential false positive?
Date: Sun, 17 Sep 2006 01:26:11 -0400
Just re-read your message and it looks like the previous version caused false
negatives, NOT false positives? In my environment a false positive is more
serious than a false negative. Nonetheless, what may have caused the false
negatives in versions prior to 1.4?

On 9/17/06, how2 vuln <how2vuln@gmail.com> wrote:

Thanks for your response. Misnomer on my part, that the plugin would try to overflow the buffer! Your clarification certainly helps my understanding.

What is the best way to track the version history of Nessus plugins, apart
from looking at the plugin code? For versions before 1.4, what may have
caused false positives?


On 9/16/06, Nicolas Pouvesle <npouvesle@tenablesecurity.com> wrote:
>
> how2 vuln wrote:
> > Nonetheless, I would like to reach out to the list to seek out if anybody
> > has had any observations of false positives with respect to this plugin. I
> > do realize that sometimes the best way to check for such vulnerabilities is
> > with more privileged access. However, given the nature of this specific
> > vulnerability, I am confident in an effective network check.
> >
> >
> > 1. What could possibly cause a false positive with such a check?
>
> Since version 1.4 of the plugin, nothing.
> Previous version produced false negatives on some systems.
>
> > 2. What is the plugin actually doing? (high level gist: it calls a
> > named pipe relating to the server service, initializes a buffer, populates
> > it with 'nessus', then trying to overflow the buffer;
> >
>
> The plugin does not overflow the buffer. It sends a first legitimate
> request to write "nessus" in a buffer. Then a second "tricky" request is
> sent to read this buffer.
> If the server is patched the buffer is reinitialized to 0 and an empty
> buffer is returned. However if the server is not patched, the previous
> buffer is returned with the string "nessus" at the beginning.
>
> So if this plugin fires on some of your systems it means they are not
> patched or rebooted.
>
>
> Nicolas
> _______________________________________________
> Nessus mailing list
> Nessus@list.nessus.org
> http://mail.nessus.org/mailman/listinfo/nessus
>


_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
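
The check logic described in the quoted reply, as an added sketch that is not part of the original thread and is not the plugin's code. It is a toy in-memory model, not the real protocol: `SimulatedHost`, its fields, the 16-byte buffer and `check()` are hypothetical names and values chosen for illustration. It shows why a host that is patched but not yet rebooted still fires, and why an error is never reported as a finding.

```python
# Added illustration: a toy in-memory model, not NASL and not the real protocol.
from dataclasses import dataclass

MARKER = b"nessus"  # string the plugin writes, per the reply above


@dataclass
class SimulatedHost:
    """Hypothetical stand-in for the remote service (constructed for this example)."""
    patch_installed: bool
    rebooted_since_patch: bool = False
    reachable: bool = True
    _buf: bytes = bytes(16)  # assumed buffer size, for illustration only

    @property
    def running_patched_code(self) -> bool:
        # A patch on disk only takes effect once the old code is no longer running.
        return self.patch_installed and self.rebooted_since_patch

    def write_request(self, data: bytes) -> None:
        if not self.reachable:
            raise ConnectionError("no response")
        self._buf = data.ljust(16, b"\x00")[:16]

    def tricky_read_request(self) -> bytes:
        if not self.reachable:
            raise ConnectionError("no response")
        if self.running_patched_code:
            self._buf = bytes(16)  # patched: buffer reinitialized to 0
        return self._buf           # unpatched: previous contents come back


def check(host: SimulatedHost) -> str:
    """Return 'vulnerable', 'patched' or 'inconclusive'."""
    try:
        host.write_request(MARKER)
        reply = host.tricky_read_request()
    except ConnectionError:
        return "inconclusive"      # no evidence, so no finding is reported
    if reply.startswith(MARKER):
        return "vulnerable"        # only the stale marker can trigger this
    if not any(reply):
        return "patched"           # empty (all-zero) buffer returned
    return "inconclusive"          # unexpected contents: do not guess
```
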