Hi
I've been getting a few false positive results when I scan with msrpc_dcom2.nasl and
with msrpc_dcom.nasl. I've added a bunch of debugging to dcom2.nasl to try to track
down why it happens. So far as I can see I never get false positives when I scan one
host at a time, only when I scan a whole bunch - a /24 subnet seems to be enough to
make it happen repeatedly. The false results come when msrpc_dcom2.nasl exits without
setting the KB entry and then msrpc_dcom.nasl runs and finds the host vulnerable to
the old exploit. It looks to me like msrpc_dcom2 is exiting too early. For example, in
the function check() there is code that says
soc = open_sock_tcp(port);
if(!soc)exit(0);
(same code also present in check[2346]) and if this is triggered then we bail out of
the plugin and msrpc_dcom.nasl runs.
I have also seen it exit early in this bit of code
send(socket:soc, data:hex2raw(s:bindwinme));
rwinme = dcom_recv(socket:soc);
if(!rwinme)exit(0);
Are there timeout parameters that I can adjust to stop it from timing out too early?
My config file has
checks_read_timeout=5
plugins_timeout = 180
Services[entry]:Network connection timeout : = 5
Services[entry]:Network read/write timeout : = 5
Services[entry]:Wrapped service read timeout : = 2
The first two of these are also in nessusd.conf and have the same values there.
While trying to find out what's going on, I also noticed that there is a chunk of code
buried in the functions that isn't part of those functions and looks like it would be
better placed further down the code with the rest of the mainline...
port = 135;
if(!get_port_state(port))port = 593;
else {
soc = open_sock_tcp(port);
if(!soc)port = 593;
else close(soc);
}
if(!get_port_state(port))exit(0);
is the code in question.
Trevor Hemsley,
Security Specialist,
Atos Origin Ltd,
Whyteleafe,
+44-(0)1883-628139
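Added illustration, not code from the e-mail above or from the msrpc_dcom plugins it discusses: a NASL sketch of the pattern the question is circling, namely retrying a transient socket-open failure, using an explicit receive timeout, and recording an "inconclusive" result in the KB instead of exiting silently, so that a dependent check keyed off a missing KB entry does not report a false positive. The function names, the KB key, the retry count and timeout values, and the `bind_req` parameter are assumptions made for this example; the built-ins `open_sock_tcp`, `send`, `recv`, `close`, `set_kb_item`, `get_kb_item` and `sleep` are standard NASL, but the exact timeout behaviour should be confirmed against the Nessus version in use.

```nasl
# Added example (not from the original message or the plugins it names).
# Goal: tell "could not test" apart from "not vulnerable", so a later plugin
# that keys off the absence of a KB entry does not flag the host by mistake.

# Hypothetical KB key; real plugins coordinate through their own KB names.
INCONCLUSIVE_KB = "msrpc/dcom/inconclusive";

# Open the port with a short retry loop: under a /24 scan a busy scanner or a
# loaded target can fail the first connect without the service being absent.
function retry_open(port, tries, timeout)
{
  local_var i, soc;
  for (i = 0; i < tries; i++)
  {
    soc = open_sock_tcp(port, timeout:timeout);
    if (soc) return soc;
    sleep(1);
  }
  return NULL;
}

# bind_req is whatever request the real check sends; it is passed in here
# rather than reproduced. Returns the reply, or NULL when the test was
# inconclusive (and says so in the KB).
function check_with_retry(port, bind_req)
{
  local_var soc, r;

  soc = retry_open(port:port, tries:3, timeout:10);
  if (!soc)
  {
    set_kb_item(name:INCONCLUSIVE_KB, value:TRUE);
    return NULL;
  }

  send(socket:soc, data:bind_req);
  # Explicit per-read timeout instead of relying on the global read timeout.
  r = recv(socket:soc, length:4096, timeout:10);
  close(soc);

  if (!r)
  {
    set_kb_item(name:INCONCLUSIVE_KB, value:TRUE);
    return NULL;
  }
  return r;
}

# What a dependent check can ask before treating a missing KB entry as
# "the earlier test ran and found nothing".
function earlier_check_was_conclusive()
{
  if (get_kb_item(INCONCLUSIVE_KB)) return FALSE;
  return TRUE;
}
```

In this layout the first plugin never leaves the KB untouched on a timeout, and the second plugin calls `earlier_check_was_conclusive()` before reporting; a host that merely failed to answer under load then shows up as untested rather than as vulnerable to the older issue.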