-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Leuenberger Sent: Tuesday, September 19, 2006 7:28 PM To: [email protected] Subject: Buffer overflow causing service to hang?
I apologize for the lack of detail regarding this question... I'm working on an assessment, with Nessus 3.0.2. I have 'Safe Checks' chosen, and have unchecked the Denial of Service category....to give you an idea of the plugins I have enabled. Very default scan... At some point during the scanning of a specific IP, which just happened to house a Document Management app, a dump occurred, the primary service associated with the doc management application stopped.....which is very bad. The key thing we need to ensure is that no buffers are being overrun at any level. If even a small buffer overrun is attempted for the sake of determining if a larger exploit is possible, this is not viable during business hours. ************************************************************************ ******** I can gather more information tomorrow morning regarding the application that's being used. Is there a way I can find out, perhaps for next time, through a Nessus log that shows what time a specific IP was scanned for a plugin, with the associated result, whether or not it produced an alert? Help is appreciated....this client is insisting that we discontinue the assessment until it's verified that Nessus did or did not cause this application to die. >>> I have been doing these for 6 years now, and if you crashed a service with nessus in safe mode, then you found an undocumented DOS attack possible against that application. There is no 100% way to guarantee that any test, including nmap port scans won't DOS the target system (we have seen nmap DOS such things as 3com switches, 3com viop products, soft plc (scada products), amd have seen nessus (in safe mode) DOS novell servers, 3com voip systems, cisco devices, etc. We tell clients when we start that A) if something goes wrong during our testing, call us first, its most likely us B) just because something happens, doesn't mean it WAS us, but call us first C) we try very hard not to impact services, but we can D) if you want things scheduled during business hours you should watch the services carefully E) if you want things scheduled AFTER business hours, still have someone watch F) if you have critical systems, we will exclude them from automated testing G) if you have a 'mirror' of the critical system, we will test that one instead. Maybe you can work with client to determine the version, patch levels, settings for this program and write up security vulnerability report and send it to the vendor. Bottom line, any testing is intrusive, and can disrupt services, port scans, even a nmap ping scan to discover hosts can disrupt services. _______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
