-----Original Message-----
From: nessus-bounces@list.nessus.org
[mailto:nessus-bounces@list.nessus.org] On Behalf Of Jason Leuenberger
Sent: Tuesday, September 19, 2006 7:28 PM
To: nessus@list.nessus.org
Subject: Buffer overflow causing service to hang?
I apologize for the lack of detail regarding this question...
I'm working on an assessment, with Nessus 3.0.2. I have 'Safe Checks'
chosen, and have unchecked the Denial of Service category....to give you
an idea of the plugins I have enabled. Very default scan...
At some point during the scanning of a specific IP, which just happened
to house a Document Management app, a dump occurred, the primary service
associated with the doc management application stopped.....which is very
bad.
The key thing we need to ensure is that no buffers are being overrun at
any level. If even a small buffer overrun is attempted for the sake of
determining if a larger exploit is possible, this is not viable during
business hours.
************************************************************************
********
I can gather more information tomorrow morning regarding the application
that's being used. Is there a way I can find out, perhaps for next time,
through a Nessus log that shows what time a specific IP was scanned for
a plugin, with the associated result, whether or not it produced an
alert?
Help is appreciated....this client is insisting that we discontinue the
assessment until it's verified that Nessus did or did not cause this
application to die.
I have been doing these for 6 years now, and if you crashed a
service with nessus in safe mode, then you found an undocumented DOS
attack possible against that application.
There is no 100% way to guarantee that any test, including nmap port
scans won't DOS the target system (we have seen nmap DOS such things as
3com switches, 3com viop products, soft plc (scada products), amd have
seen nessus (in safe mode) DOS novell servers, 3com voip systems, cisco
devices, etc.
We tell clients when we start that
A) if something goes wrong during our testing, call us first, its most
likely us
B) just because something happens, doesn't mean it WAS us, but call us
first
C) we try very hard not to impact services, but we can
D) if you want things scheduled during business hours you should watch
the services carefully
E) if you want things scheduled AFTER business hours, still have someone
watch
F) if you have critical systems, we will exclude them from automated
testing
G) if you have a 'mirror' of the critical system, we will test that one
instead.
Maybe you can work with client to determine the version, patch levels,
settings for this program and write up security vulnerability report and
send it to the vendor.
Bottom line, any testing is intrusive, and can disrupt services, port
scans, even a nmap ping scan to discover hosts can disrupt services.
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
