On Thursday 15 August 2002 23:26, Brian G. Kirsch wrote:
> Hi,
>
> When scanning a Checkpoint FW-1 that has the Web-based Client
> Authentication Remote Service running on port 900, the scan returned a
> false positive for nearly every web-based vulnerability (87 holes/24
> warnings).

I attached a modified version of the no404.nasl plugin which has 
signatures for a number of broken web servers as well as a patch to 
www_funcs.c in nessus-libraries which stops it from following redirects.

The patch is against the current CVS version (1.2.4); it might need to be 
modified to work with a previous stable release. To patch your 
nessus-libraries:

export CVSROOT=:pserver:[EMAIL PROTECTED]:/usr/local/cvs
cvs login
cvs co nessus-libraries
cd nessus-libraries/libnessus/
patch -p0 < /path/to/www_funcs.c.patch
cd .. && ./configure && make && make install

Just copy the attached no404.nasl over your old one 
(PREFIX/lib/nessus/plugins/no404.nasl) and it should *significantly* 
reduce the number of false positives you encounter ;)

-HD
--- www_funcs.c	Thu Aug 15 22:50:14 2002
+++ www_funcs_fixed.c	Thu Aug 15 22:50:47 2002
@@ -671,137 +671,72 @@
    */
   while(!finished)
   {
-  soc = open_stream_auto_encaps(data, port, 5);
-  if(soc <0){
-	if(command)efree(&command);
-	efree(&cgi_path);
-	return(0); /* couldn't open a connection */
-	}
-  if(cgi_name[0]!='/')
-    	{
-	  char * t = strchr(cur_path, ':');
-	 
-	  if(t)t[0]=0;
-	  if (use_head_method)
-	    command = http_head(data, http_ver, cur_path, cgi_name);
-	  else
-	    command = http_get(data, http_ver, cur_path, cgi_name);
-	  if(t)cur_path = t+sizeof(char);
-	  else finished++;
-	    
-	}
-  else {
-	if (use_head_method)
-	  command = http_head(data, http_ver, NULL, cgi_name);
-	else
-	  command = http_get(data, http_ver, NULL, cgi_name);
-  	finished++;
-  }
+      soc = open_stream_auto_encaps(data, port, 5);
+      if(soc <0){
+	    if(command)efree(&command);
+	    efree(&cgi_path);
+	    return(0); /* couldn't open a connection */
+	    }
+      if(cgi_name[0]!='/')
+    	    {
+	      char * t = strchr(cur_path, ':');
+
+	      if(t)t[0]=0;
+	      if (use_head_method)
+	        command = http_head(data, http_ver, cur_path, cgi_name);
+	      else
+	        command = http_get(data, http_ver, cur_path, cgi_name);
+	      if(t)cur_path = t+sizeof(char);
+	      else finished++;
+
+	    }
+      else {
+	    if (use_head_method)
+	      command = http_head(data, http_ver, NULL, cgi_name);
+	    else
+	      command = http_get(data, http_ver, NULL, cgi_name);
+  	    finished++;
+      }
+
 
+      write_stream_connection(soc, command, strlen(command));
+      n = read_stream_connection(soc, buff, sizeof(buff));
+      close_stream_connection(soc);
+      t = strchr(buff, '\n');
+      if(t)
+       {
+        t[0]='\0';
+        line = estrdup(buff);
+        t[0]='\n';
+       }
+       else line = strdup(buff);
 
-  write_stream_connection(soc, command, strlen(command));
-  n = read_stream_connection(soc, buff, sizeof(buff));
-  close_stream_connection(soc);
-  t = strchr(buff, '\n');
-  if(t)
-   {
-    t[0]='\0';
-    line = estrdup(buff);
-    t[0]='\n';
-   }
-   else line = strdup(buff);
-   
-  if(strstr(line, " 200 ")){
-  		if(!no404)
-	 	{
-  		i=1; /* No error */
-		break;
-		}
-		else
-		{
-		 if(strstr(buff, no404))
-		 {
-		  /*  
-		   *  we find the content of no404 in
-		   *  what we received, then this page
-		   *  does not exist
-		   */
-		 	i = 0;
-			break;
-		 }
-		 else 
-		  {
-		  	i = 1;
-			break;
-		  }
-		}	       
-	}
-  else if(strstr(line, " 301 ") ||
-          strstr(line, " 302 ")){
-  	/* 
-	 * Redirection
-	 */
-  	char * redir_loc = strstr(buff, "Location: ");
-	char * end;
-	if(!redir_loc)redir_loc = strstr(buff, "location: ");
-	if(!redir_loc){
-		/* Error */
-		i = 0;
-		break;
-		}
-	
-	redir_loc = strchr(redir_loc, ' ');
-	redir_loc+=sizeof(char);
-	end = redir_loc;
-	while(isprint(end[0]))end++;
-	end[0]=0;
-	
-	/*
-	 * redir_loc now equals 'http://blah/location' or
-	 * /location
-	 */
-	if(redir_loc[0]=='/')
-	{
-	 i = is_cgi_installed_by_port(data, redir_loc, port);
-	 break;
-	}
-	else {
-	 /*
-	  * http://blah/loc
-	  *
-	  * We ensure that 'blah' is the correct host
-	  *
-	  */
-	  if(!strncmp(redir_loc, "http://";, strlen("http://";)))
-	  {
-	   struct in_addr addr;
-	   struct in_addr * host;
-	   redir_loc += strlen("http://";)*sizeof(char);
-	   end = strchr(redir_loc, '/');
-	   if(end)end[0]=0;
-	   addr = nn_resolve(redir_loc);
-	   host = plug_get_host_ip(data);
-	   if(host)
-	   {
-	    if(host->s_addr != addr.s_addr)
-	     {
-	      i = 0;
-	      break;
-	     }
+      if(strstr(line, " 200 ")){
+  		    if(!no404)
+	 	    {
+  		    i=1; /* No error */
+		    break;
+		    }
+		    else
+		    {
+		     if(strstr(buff, no404))
+		     {
+		      /*  
+		       *  we find the content of no404 in
+		       *  what we received, then this page
+		       *  does not exist
+		       */
+		 	    i = 0;
+			    break;
+		     }
+		     else 
+		      {
+		  	    i = 1;
+			    break;
+		      }
+		    }	       
 	    }
-	   if(end)end[0] = '/';
-	   else {
-	   	i = 0;
-		break;
-		}
-	    i =  is_cgi_installed_by_port(data, end, port);
-	    break;
-	  }
-	 i = 0;
-	 break;
-	}
-     }
-  else i=0; /* Error */
+      else i=0; /* Error */
   }
   efree(&command);
   efree(&cgi_path);
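Review bot: On the new side the byte count `n` returned by read_stream_connection() is never consulted, yet `buff` is immediately passed to strchr() and strstr() as a NUL-terminated string; nothing in the hunk shows `buff` being zeroed before the loop, so a response that fills the buffer, or a failed read (n < 0), leaves the string functions running past the received data. A minimal fix at that point is `n = read_stream_connection(soc, buff, sizeof(buff) - 1); if(n < 0) n = 0; buff[n] = '\0';`. Also, `line` is allocated with estrdup()/strdup() on every iteration but never released before the next open_stream_auto_encaps() call or at the breaks, so the multi-path and `else i=0` error cases leak it, and mixing plain strdup() with estrdup() is worth unifying since the function frees through efree() elsewhere. The enclosing function starts before and ends after this hunk, so whether buff is pre-zeroed or `line` is freed at the end cannot be confirmed from here.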
# last modification by hdm - 10.10.01

#
# This script was written by Renaud Deraison <[EMAIL PROTECTED]>
#
# See the Nessus Scripts License for details
#

if(description)
{
 # Plugin identity.
 script_id(10386);
 script_version ("$Revision: 1.20 $");

 # Localised strings are declared up front and registered below.
 name["english"] = "No 404 check";
 name["francais"] = "No 404 check";

 desc["english"] = "
Some web servers are [mis]configured in that they
do not return '404 Not Found' error codes when
a non-existent file is requested, perhaps returning
a site map or search page instead.

This script will retrieve the default page which
is issued when a non-existent file is requested, and
will use this information to minimize the risks 
of false positives for the other tests.";

 desc["francais"] = "
Certains serveurs web n'affichent pas d'erreur 404
lorsqu'un client leur demande une page qui n'existe
pas.

Ce script r�cup�re donc la page d'erreur qui est
affich�e et la garde en m�moire afin de pouvoir
minimiser par la suite les risques d'erreur
dus a ce comportement";

 summary["english"] = "Checks if the remote webserver issues 404 errors";
 summary["francais"] = "V�rifie que le serveur web distant sort des erreurs 404";

 family["english"] = "CGI abuses";
 family["francais"] = "Abus de CGI";

 script_name(english:name["english"], francais:name["francais"]);
 script_description(english:desc["english"], francais:desc["francais"]);
 script_summary(english:summary["english"], francais:summary["francais"]);
 script_family(english:family["english"], francais:family["francais"]);
 script_copyright(english:"This script is Copyright (C) 2000 Renaud Deraison",
                 francais:"Ce script est Copyright (C) 2000 Renaud Deraison");

 # Information-gathering plugin: runs once the www service has been found
 # and its HTTP version probed, so other CGI checks can rely on its KB entry.
 script_category(ACT_GATHER_INFO);
 script_dependencie("find_service.nes", "httpver.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}

#
# The script code starts here
#

# Fetch url from the web server on port and hand back the raw response.
# Returns 0 when no TCP connection could be opened; otherwise whatever the
# single recv() produced (which may be empty if the server sent nothing
# within the timeout).
function check(url, port)
{
    soc = open_sock_tcp(port:port);
    if (!soc)
    {
        return (0);
    }

    request = http_get(item:url, port:port);
    send(socket:soc, data:request);

    # One read of at most 8K with a 20 second timeout is all we wait for.
    response = recv(socket:soc, length:8192, timeout:20);
    close(soc);
    return (response);
}

# Scan buffer against the global errmsg[] table, in table order, using a
# case-insensitive regex match.  Returns the first pattern that matches,
# or 0 when none of them does.
function find_err_msg(buffer)
{
    for (idx = 0; errmsg[idx]; idx = idx + 1)
    {
        if (ereg(pattern:errmsg[idx], string:buffer, icase:TRUE))
        {
            return (errmsg[idx]);
        }
    }

    return (0);
}

# Candidate URLs that should not exist on any server.  The same base name is
# tried with several extensions, both at the document root and under
# /cgi-bin/, so handlers keyed on extension or path are exercised too.
badurl[0]  = "/TEST_no404.html";
badurl[1]  = "/TEST_no404.cgi";
badurl[2]  = "/TEST_no404.sh";
badurl[3]  = "/TEST_no404.pl";
badurl[4]  = "/TEST_no404.inc";
badurl[5]  = "/TEST_no404.shtml";
badurl[6]  = "/cgi-bin/TEST_no404.html";
badurl[7]  = "/cgi-bin/TEST_no404.cgi";
badurl[8]  = "/cgi-bin/TEST_no404.sh";
badurl[9]  = "/cgi-bin/TEST_no404.pl";
badurl[10] = "/cgi-bin/TEST_no404.inc";
badurl[11] = "/cgi-bin/TEST_no404.shtml";

# Phrases that mark a "page does not exist" reply even when the status is
# 200.  The first three are generic wording; the rest are banners of
# specific products that are known to answer every request with 200
# (matched case-insensitively by find_err_msg).
errmsg[0] = "not found";
errmsg[1] = "404";
errmsg[2] = "error has occurred";
errmsg[3] = "firewall-1 message";
errmsg[4] = "Reload acp_userinfo database";
errmsg[5] = "IMail Server Web Messaging";
errmsg[6] = "HP Web JetAdmin";
errmsg[7] = "Error processing SSI file";
errmsg[8] = "ExtendNet DX Configuration";
errmsg[9] = "Unable to complete your request due to added security features";

# Set to 1 for display() tracing of each request and decision.
debug = 0;

# Port of the www service found by find_service.nes; fall back to 80.
port = get_kb_item("Services/www");
if (!port)
{
    port = 80;
}

# Try each candidate URL in turn and stop at the first response from which a
# "page does not exist" signature for this port can be derived.  The
# signature is stored under www/no404/<port> for the other CGI checks.
for (c = 0; badurl[c]; c = c + 1)
{
    url = badurl[c];
    if (debug) display("Checking URL ", url, "\n");

    ret = check(url, port);
    if (ret == 0)
    {
        if (debug) display("An error occurred when trying to request: ", url, "\n");
    }
    else
    {
        kb_name = string("www/no404/", port);
        raw_http_line = egrep(pattern:"^HTTP/", string:ret);

        # 200 OK for a bogus file: only usable when the body carries one of
        # the known error phrases, which then becomes the signature.
        if (ereg(pattern:"^HTTP.*200", string:raw_http_line))
        {
            not_found = find_err_msg(buffer:ret);
            if (not_found != 0)
            {
                set_kb_item(name:kb_name, value:not_found);
                security_note(port:port, data:not_found);
                if (debug) display("200: Using string: ", not_found, "\n");
                exit(0);
            }
        }

        # 302 for a bogus file: the status line itself is the signature.
        if (ereg(pattern:"^HTTP.*302", string:raw_http_line))
        {
            set_kb_item(name:kb_name, value:raw_http_line);
            security_note(port:port, data:raw_http_line);
            if (debug) display("302: Using ", raw_http_line, "\n");
            exit(0);
        }
    }
}
