how2 vuln wrote:
> Nonetheless, I would like to reach out to the list to seek out if anybody
> has had any observations of false positives with respect to this plugin. I
> do realize that sometimes the best way to check for such vulnerabilities is
> with more privileged access. However, given the nature of this specific
> vulnerability, I am confident in an effective network check.
>
> 1. What could possibly cause a false positive with such a check?
Since version 1.4 of the plugin, nothing. The previous version produced false
negatives on some systems.

> 2. What is the plugin actually doing? (high level gist: it calls a
> named pipe relating to the server service, initializes a buffer, populates
> it with 'nessus', then tries to overflow the buffer;

The plugin does not overflow the buffer. It sends a first, legitimate request
to write "nessus" into a buffer. Then a second, "tricky" request is sent to
read this buffer. If the server is patched, the buffer is reinitialized to 0
and an empty buffer is returned. However, if the server is not patched, the
previous buffer is returned with the string "nessus" at the beginning.

So if this plugin fires on some of your systems, it means they are not patched
or have not been rebooted.

Nicolas

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
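The two-request check Nicolas describes, as an added model that is not the Nessus plugin's code nor anything posted in this thread: the named-pipe transport and request encodings are not modelled at all, `ServerModel`, `check_unpatched`, `classify` and the 64-byte buffer size are all constructed stand-ins, and the "patched but not rebooted" case follows from the remark that a hit means the host is "not patched or rebooted". The point it makes visible is why this shape of check has no false-positive path: the marker only comes back if the server handed out stale buffer contents.

```python
from dataclasses import dataclass, field

MARKER = b"nessus"   # the marker the reply says the plugin writes
BUF_SIZE = 64        # assumed buffer size; the thread does not give one


@dataclass
class ServerModel:
    """Constructed stand-in for the server service's buffer handling.

    A hit is reported for hosts that are "not patched or rebooted", so the
    running code is only the fixed code when the patch is installed AND the
    box has been rebooted since.
    """
    patch_installed: bool
    rebooted: bool = True
    _buf: bytearray = field(default_factory=lambda: bytearray(BUF_SIZE))

    @property
    def running_fixed_code(self) -> bool:
        return self.patch_installed and self.rebooted

    def write_request(self, data: bytes) -> None:
        """First, legitimate request: the caller's data lands in the buffer."""
        data = data[:BUF_SIZE]
        self._buf[:len(data)] = data

    def read_request(self) -> bytes:
        """Second, "tricky" request: the buffer is handed back to the caller.

        Fixed code reinitialises the buffer to 0 first; the old code returns
        whatever the previous request left in it.
        """
        if self.running_fixed_code:
            self._buf = bytearray(BUF_SIZE)
        return bytes(self._buf)


def check_unpatched(server: ServerModel) -> bool:
    """Write the marker, read the buffer back, compare.

    True only if the response starts with the marker we just wrote, i.e. the
    server disclosed stale buffer contents. A zeroed buffer, or any data that
    does not begin with our marker, is reported as not vulnerable.
    """
    server.write_request(MARKER)
    response = server.read_request()
    return response.startswith(MARKER)


def classify(server: ServerModel) -> str:
    return "unpatched or not rebooted" if check_unpatched(server) else "patched"


if __name__ == "__main__":
    cases = [
        ("patched and rebooted", ServerModel(patch_installed=True)),
        ("patched, not rebooted", ServerModel(patch_installed=True, rebooted=False)),
        ("unpatched", ServerModel(patch_installed=False)),
    ]
    for label, srv in cases:
        print(f"{label:24s} -> {classify(srv)}")
```

Only the unpatched and the patched-but-not-rebooted hosts echo the marker; the patched host returns a zeroed buffer and is never flagged, which matches the answer that nothing causes a false positive since version 1.4.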
