Network Security Nessus-Users

Re: Plugin 22194 / 22034 interpretation

Subject: Re: Plugin 22194 / 22034 interpretation
Date: Tue, 26 Sep 2006 14:22:09 +0200
Sorry for the wrong copy-paste.
On the server I scanned, both plugins reported that the server is vulnerable:
ms06-035 AND ms06-040.

__________________________________________________________________________________
Vulnerability   microsoft-ds (445/tcp) 
Synopsis :

Arbitrary code can be executed on the remote host due to a flaw in the
'server' service.

Description :

The remote host is vulnerable to a buffer overrun in the 'Server' service
which may allow an attacker to execute arbitrary code on the remote host
with the 'System' privileges.

Solution :

Microsoft has released a set of patches for Windows 2000, XP and 2003 :

http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx

Risk factor :

Critical / CVSS Base Score : 10
(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)
CVE : CVE-2006-3439
BID : 19409
Nessus ID : 22194

__________________________________________________________________________________
Vulnerability   microsoft-ds (445/tcp) 
Synopsis :

Arbitrary code can be executed on the remote host due to a flaw in the
'server' service.

Description :

The remote host is vulnerable to heap overflow in the 'Server' service which
may allow an attacker to execute arbitrary code on the remote host with
the 'System' privileges.

In addition to this, the remote host is also vulnerable to an information
disclosure vulnerability in SMB which may allow an attacker to obtain
portions of the memory of the remote host.


Solution :

Microsoft has released a set of patches for Windows 2000, XP and 2003 :

http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx

Risk factor :

Critical / CVSS Base Score : 10
(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)
CVE : CVE-2006-1314, CVE-2006-1315
BID : 18891, 18863
Nessus ID : 22034
__________________________________________________________________________________

And I ran both plugins through nasl: both ended with a "not vulnerable"
diagnostic.
I suppose that it's due to the fact that the OS is not recognized when the
plugin is launched in standalone mode:

..........................
[15071]() NASL> [002bc6b8] <- "Host/OS/smb"
[15071](/tools/nessus/lib/nessus/plugins/smb_kb917159.nasl) NASL> Call get_kb_item(1: "Host/OS/smb")
[15071](/tools/nessus/lib/nessus/plugins/smb_kb917159.nasl) NASL> Return get_kb_item: NULL
[15071]() NASL> [002bdac0] <- undef
NASL:0159> if ("Windows" >!< os) { ... } 
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[15071](/tools/nessus/lib/nessus/plugins/smb_kb917159.nasl) NASL> [002bdac0] -> undef
NASL:0157> exit(...)
[15071]() NASL> [002bc6b8] <- 0
[15071](/tools/nessus/lib/nessus/plugins/smb_kb917159.nasl) NASL> Call exit(1: 0)
[15071](/tools/nessus/lib/nessus/plugins/smb_kb917159.nasl) NASL> Return exit: 0

Is there a way to force the plugin to check the vuln anyway?
I have to do this because it seems that it is a false positive, and I want
to check (and eventually show to the admins) the data exchanged between
Nessus and the server.


Cordialement / Mit freundlichen Grüßen / Best regards,
_____________________________________________
Patrice Arnal
ISS - DataCenter - E&S
Mailto: patrice.arnal@alcatel.fr 
_____________________________________________
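As an added example (not part of the post, nor code from Nessus itself), the Python below parses report blocks in the text format pasted above and recomputes the CVSS v1 base score from the printed vector, so that the two findings' Nessus IDs, CVE/BID cross-references and scores can be checked mechanically while triaging a suspected false positive. The sample text is a constructed, trimmed copy of the two blocks in the post; the weights are the published CVSS v1 base-metric values.

```python
import re

# Constructed sample: the two blocks pasted in the post, trimmed to the fields parsed here.
SAMPLE = """\
Vulnerability   microsoft-ds (445/tcp)
Critical / CVSS Base Score : 10
(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)
CVE : CVE-2006-3439
BID : 19409
Nessus ID : 22194
__________________________________________________________________________________
Vulnerability   microsoft-ds (445/tcp)
Critical / CVSS Base Score : 10
(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)
CVE : CVE-2006-1314, CVE-2006-1315
BID : 18891, 18863
Nessus ID : 22034
"""
# CVSS v1 base-metric weights (the vector format Nessus printed in 2006).
AV = {"L": 0.7, "R": 1.0}       # AccessVector: Local / Remote
AC = {"H": 0.8, "L": 1.0}       # AccessComplexity: High / Low
AU = {"R": 0.6, "NR": 1.0}      # Authentication: Required / Not Required
IMPACT = {"N": 0.0, "P": 0.7, "C": 1.0}  # None / Partial / Complete
# ImpactBias: Normal weights C, I and A equally; a named bias gets 0.5, the other two 0.25.
BIAS = {"N": (0.333, 0.333, 0.333), "C": (0.5, 0.25, 0.25),
        "I": (0.25, 0.5, 0.25), "A": (0.25, 0.25, 0.5)}

def cvss1_base_score(vector):
    """Recompute the CVSS v1 base score from a vector like AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N."""
    m = dict(part.split(":") for part in vector.strip("()").split("/"))
    wc, wi, wa = BIAS[m["B"]]
    impact = IMPACT[m["C"]] * wc + IMPACT[m["I"]] * wi + IMPACT[m["A"]] * wa
    return round(10 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]] * impact, 1)

def parse_report(text):
    """Split a pasted Nessus text report into findings with their IDs and a rechecked score."""
    findings = []
    for block in re.split(r"(?m)^_{20,}[ \t]*$", text):   # blocks are separated by underscore rules
        if "Nessus ID" not in block:
            continue
        f = {"port": re.search(r"^Vulnerability\s+(\S+ \(\d+/\w+\))", block, re.M).group(1)}
        for key in ("CVE", "BID", "Nessus ID"):
            mo = re.search(rf"^{key} : (.+)$", block, re.M)
            f[key] = [v.strip() for v in mo.group(1).split(",")] if mo else []
        mo = re.search(r"CVSS Base Score : ([\d.]+)\s*\n\(([^)]+)\)", block)
        f["reported_score"], f["vector"] = float(mo.group(1)), mo.group(2)
        f["computed_score"] = cvss1_base_score(f["vector"])
        f["score_matches"] = f["computed_score"] == f["reported_score"]
        findings.append(f)
    return findings
```

Run `parse_report(SAMPLE)` to get one dict per finding; a `score_matches` of False flags a block whose printed score does not follow from its own vector.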
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus