Hi,
* ssh_get_info.nasl:
The one in openvas-plugins is contributed by Thomas Reinke.
It is a bit outdated though (e.g. Debian 4.0 is missing).
Perhaps Thomas is willing to provide an update patch.
However, we also need to fix the dependency to be
ssh_authorization instead of ssh_settings (see below).
Ugh, for the life of me don't know why that was provided.
That is old, and hasn't been updated by us for a LONG
time. In fact, the only change we've done to that is to
remove support for *ix systems, as we have a replacement
for most of the functionality provided by this script.
I've attached a replacement script we use for all of our
*IX distro checks. Not a pretty piece of code - you've
been warned...
You'll note the ss_ .inc file reference is still there - again,
because we froze on the original version of this file
and didn't want to have changes backdoored into our
systems. Given your use of ssh_authorization, you'll
have a couple of lines to change, but other than that
should work.
I've also attached two ".inc" files that we use for
checking various things. The "ssvercheck.inc" is one
I'd suggest using for doing version checks - it is
intelligent and does the "Right Thing" in most cases.
For example, it does things like correctly evaluate
1.3.9 < 1.3.10
1.3 < 1.20
1.2+etch5 < 1.2+etch10
For the myriad of times that I've seen bugs where
a script checking for version 1.3.1 then tripped
a vulnerability report against 1.3.10 of the product
due to a poor regex check, this version checking
algorithm avoids the regex and problem entirely by
turning the version check into a simple comparison
of " if version < 1.3.10 -> trip report"
The ssrpmcheck.inc does version checking for both
rpm based distros (Redhat, Fedora, Mandriva) as
well as dpkg based systems (Debian, Ubuntu).
Thomas
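The version ordering and the regex pitfall Thomas describes above, as an added example in Python. This is not ssvercheck.inc or ssrpmcheck.inc (their source is not on this page): the ordering below is a simplified one that covers the cases he lists (1.3.9 < 1.3.10, 1.3 < 1.20, 1.2+etch5 < 1.2+etch10) plus the `~` pre-release marker, not the full dpkg or rpm comparison rules, and it is applied to the two package-list formats that ssh_get_info.nasl stores in the knowledge base (the `;` separated `NAME~VERSION~RELEASE` list and `dpkg -l` output). All package names, versions and "fixed in" versions are constructed for the example.

```python
"""Version comparison and package-list handling for local security checks.

Added example, not ssvercheck.inc / ssrpmcheck.inc. Shows the ordering
1.3.9 < 1.3.10, 1.3 < 1.20, 1.2+etch5 < 1.2+etch10 next to the regex
mistake that makes a check for 1.3.1 fire on 1.3.10.
"""
import re

# A version string is split into runs of digits and runs of non-digits:
# "1.2+etch10" -> ["1", ".", "2", "+etch", "10"]
_RUN = re.compile(r"\d+|\D+")


def _cmp_token(x, y):
    """Order two runs; '' stands for 'the string ended here'."""
    if x == y:
        return 0
    if x.isdigit() and y.isdigit():           # 9 < 10, 3 < 20
        return (int(x) > int(y)) - (int(x) < int(y))
    # A run starting with '~' is a pre-release marker (Debian and rpm
    # convention): 1.2~rc1 < 1.2, so it sorts even before end of string.
    if x.startswith("~") != y.startswith("~"):
        return -1 if x.startswith("~") else 1
    if x == "":                               # 1.3 < 1.3.1
        return -1
    if y == "":
        return 1
    return (x > y) - (x < y)                  # other runs compare as text


def compare_versions(a, b):
    """-1, 0 or 1 as a is older than, equal to or newer than b.
    Simplified: no epochs, no dpkg/rpm rules for letters vs separators."""
    ta, tb = _RUN.findall(a), _RUN.findall(b)
    for i in range(max(len(ta), len(tb))):
        c = _cmp_token(ta[i] if i < len(ta) else "", tb[i] if i < len(tb) else "")
        if c:
            return c
    return 0


def naive_regex_vulnerable(installed, vulnerable_version):
    """The buggy pattern: search the vulnerable version inside the installed
    one. Fires on 1.3.10 when looking for 1.3.1 ('.' matches anything too)."""
    return re.search(vulnerable_version, installed) is not None


def is_outdated(installed, fixed_in):
    """The robust form: 'if installed < version that fixed it -> report'."""
    return compare_versions(installed, fixed_in) < 0


def parse_rpm_list(kb_value):
    """';' separated NAME~VERSION~RELEASE list (KB item ssh/login/rpms)
    -> {name: (version, release)}."""
    pkgs = {}
    for entry in kb_value.split(";"):
        if entry:
            name, version, release = entry.split("~")
            pkgs[name] = (version, release)
    return pkgs


def parse_dpkg_list(text):
    """'dpkg -l' output (KB item ssh/login/packages) -> {name: version},
    keeping only packages in state 'ii' (installed)."""
    pkgs = {}
    for line in text.splitlines():
        m = re.match(r"^ii\s+(\S+)\s+(\S+)", line)
        if m:
            pkgs[m.group(1)] = m.group(2)
    return pkgs


def compare_rpm(installed, fixed):
    """rpm ordering of (version, release): version first, then release."""
    return compare_versions(installed[0], fixed[0]) or compare_versions(installed[1], fixed[1])


def outdated_rpms(installed, fixed):
    """Names from 'fixed' installed at an older (version, release)."""
    return sorted(n for n, f in fixed.items() if n in installed and compare_rpm(installed[n], f) < 0)


def outdated_debs(installed, fixed):
    """Names from 'fixed' installed at an older version."""
    return sorted(n for n, f in fixed.items() if n in installed and compare_versions(installed[n], f) < 0)


# Constructed sample data; every version number here is made up.
SAMPLE_RPMS = ";xterm~1.3.9~2;openssh~3.9p1~8;bash~3.0~19.3;"
SAMPLE_DPKG = """\
Desired=Unknown/Install/Remove/Purge/Hold
||/ Name           Version                Description
+++-==============-======================-==================================
ii  libc6          2.3.2.ds1-22           GNU C Library: Shared libraries
ii  xterm          4.3.0.dfsg.1-14sarge1  X terminal emulator
rc  lynx           2.8.5-2sarge1          Text-mode WWW Browser
"""
FIXED_RPMS = {"xterm": ("1.3.10", "1"), "openssh": ("3.9p1", "8"), "bash": ("3.0", "19.6")}
FIXED_DEBS = {"xterm": "4.3.0.dfsg.1-14sarge2", "libc6": "2.3.2.ds1-22sarge4", "lynx": "2.8.5-2sarge2"}

if __name__ == "__main__":
    print("regex check flags 1.3.10 for 1.3.1:", naive_regex_vulnerable("1.3.10", "1.3.1"))
    print("1.3.10 older than 1.3.2:", is_outdated("1.3.10", "1.3.2"))
    print("outdated rpms:", outdated_rpms(parse_rpm_list(SAMPLE_RPMS), FIXED_RPMS))
    print("outdated debs:", outdated_debs(parse_dpkg_list(SAMPLE_DPKG), FIXED_DEBS))
```

Note that `lynx` is in state `rc` (removed, config files left) in the sample, so it is not reported even though its recorded version is below the fixed one; a check that grepped `dpkg -l` for the name alone would report it.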
* find_service.nes: I just used the one from openvas-plugins.
* debian_DSA-*.nasl:
To my understanding, the Debian local security checks of
2.2.10 are GPL. We should consider updating our plugins
from this package.
See http://mail.nessus.org/pipermail/nessus/2007-October/017677.html
where I asked for confirmation of my understanding.
No answer so far.
Test installation
-------------------------
I compiled and installed
openvas-libraries 1.0.0
openvas-libnasl 0.9.1
openvas-server 0.9.1
openvas-plugins 0.9.0
I used a special prefix and for -plugins I applied
--enable-install=buildusername
Then I removed anything from prefix/lib/openvas/plugins/
and copied the above described files there.
Finally I ran openvas-mkcert and openvas-adduser.
Creating local user
------------------------------
(my system) $ ssh-keygen -t dsa -f id_dsa_sshovas -C "Key for OpenVAS Local Security Checks"
(target system) # adduser --disabled-password sshovas
Name: OpenVAS Local Security Checks
# su - sshovas
$ mkdir .ssh
$ cp /some/path/id_dsa_sshovas.pub .ssh/authorized_keys
$ chmod 500 .ssh
$ chmod 400 .ssh/authorized_keys
Running the test
--------------------------
I prepared an older state of a Debian Sarge system
with some missing security fixes. My reference here is
debian_DSA-1193.nasl, a test for an outdated xterm.
Running a scan via OpenVAS-Client does however
not result in reporting the security problem.
Neither openvasd.dump nor openvasd.messages
shows any information of relevance.
This is where I think that OpenVAS has a far too poor
debugging methodology. This problem
is of course inherited from Nessus. We should
try to be better.
Well, and this is where I am stuck right now.
Need to find out about how to debug why nothing
happens, whether the plugins are executed at all,
how to pull information from the knowledge base
etc.
Best
Jan
#
# This script was written by Thomas Reinke <[EMAIL PROTECTED]>
#
# Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
if(description)
{
  script_id(50282);
  script_version("$");
  name["english"] = "Determine OS and list of installed packages via SSH login";
  script_name(english:name["english"]);
  desc["english"] = "
This script will, if given a userid/password or
key to the remote system, login to that system,
determine the OS it is running, and for supported
systems, extract the list of installed packages.
Risk factor : None";
  script_description(english:desc["english"]);
  summary["english"] = "Determine OS and list of installed packages via SSH login";
  script_summary(english:summary["english"]);
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com");
  family["english"] = "Misc.";
  script_family(english:family["english"]);
  script_dependencie("find_service.nes", "ssh_settings.nasl");
  exit(0);
}
#
# The script code starts here
#
cmdline = 0;
include("ss_ssh_func.inc");
port = get_kb_item("Services/ssh");
if(!port) {
port = 22;
}
sock = ssh_login_or_reuse_connection();
if(!sock) {
exit(0);
}
# First command: Grab uname -a of the remote system
uname = ssh_cmd(socket:sock, cmd:"uname -a");
set_kb_item(name: "ssh/login/uname", value:uname);
# Ok...let's first check if this is a RedHat/Fedora Core/Mandrake release
rls = ssh_cmd(socket:sock, cmd:"cat /etc/redhat-release");
if("Red Hat Linux release 7.3" >< rls) {
set_kb_item(name: "ssh/login/release", value: "RH7.3");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Red Hat Linux release 8.0 (Psyche)" >< rls) {
set_kb_item(name: "ssh/login/release", value: "RH8.0");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Red Hat Linux release 9 (Shrike)" >< rls) {
set_kb_item(name: "ssh/login/release", value: "RH9");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Fedora Core release 1 (Yarrow)" >< rls) {
set_kb_item(name: "ssh/login/release", value: "FC1");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Fedora Core release 2 (Tettnang)" >< rls) {
set_kb_item(name: "ssh/login/release", value: "FC2");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Fedora Core release 3 (Heidelberg)" >< rls) {
set_kb_item(name: "ssh/login/release", value: "FC3");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Fedora Core release 4 (Stentz)" >< rls) {
set_kb_item(name: "ssh/login/release", value: "FC4");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Fedora Core release 5 (Bordeaux)" >< rls) {
set_kb_item(name: "ssh/login/release", value: "FC5");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Fedora Core release 6 (Zod)" >< rls) {
set_kb_item(name: "ssh/login/release", value: "FC6");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
# Red Hat Enterprise Linux ES release 2.1 (Panama)
# Red Hat Enterprise Linux AS release 3 (Taroon Update 1)
# Red Hat Enterprise Linux AS release 3 (Taroon Update 2)
# Red Hat Enterprise Linux AS release 3 (Taroon Update 3)
# Red Hat Enterprise Linux Desktop release 3.90
if(egrep(pattern:"Red Hat Enterprise.*release 2\.1", string:rls)) {
set_kb_item(name: "ssh/login/release", value: "RHENT_2.1");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if(egrep(pattern:"Red Hat Enterprise.*release 3 ", string:rls)) {
set_kb_item(name: "ssh/login/release", value: "RHENT_3");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if(egrep(pattern:"Red Hat Enterprise.*release 4 ", string:rls)) {
set_kb_item(name: "ssh/login/release", value: "RHENT_4");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Mandriva Linux release 2007.1" >< rls) {
set_kb_item(name: "ssh/login/release", value: "MNDK_2007.1");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Mandriva Linux release 2007.0" >< rls) {
set_kb_item(name: "ssh/login/release", value: "MNDK_2007.0");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Mandriva Linux release 2006.0" >< rls) {
set_kb_item(name: "ssh/login/release", value: "MNDK_2006.0");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Mandrakelinux release 10.2" >< rls) {
set_kb_item(name: "ssh/login/release", value: "MNDK_10.2");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Mandrakelinux release 10.1" >< rls) {
set_kb_item(name: "ssh/login/release", value: "MNDK_10.1");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Mandrake Linux release 10.0" >< rls) {
set_kb_item(name: "ssh/login/release", value: "MNDK_10.0");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Mandrake Linux release 9.2" >< rls) {
set_kb_item(name: "ssh/login/release", value: "MNDK_9.2");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Mandrake Linux release 9.1" >< rls) {
set_kb_item(name: "ssh/login/release", value: "MNDK_9.1");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Mandrake Linux release 8.1" >< rls) {
set_kb_item(name: "ssh/login/release", value: "MNDK_8.1");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Mandrake Linux release 8.0" >< rls) {
set_kb_item(name: "ssh/login/release", value: "MNDK_8.0");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Mandrake Linux release 7.2" >< rls) {
set_kb_item(name: "ssh/login/release", value: "MNDK_7.2");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
# Ok...also using /etc/redhat-release is CentOS...let's try them now
# We'll stay with major release # checking unless we find out we need to do
# otherwise.
#CentOS release 4.0 (Final)
#CentOS release 4.1 (Final)
#CentOS release 3.4 (final)
if("CentOS release 4" >< rls) {
set_kb_item(name: "ssh/login/release", value: "CENTOS4");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running CentOS release 4"));
exit(0);
}
if("CentOS release 3" >< rls) {
set_kb_item(name: "ssh/login/release", value: "CENTOS3");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running CentOS release 3"));
exit(0);
}
# Hmmm...is it Ubuntu?
rls = ssh_cmd(socket:sock, cmd:"cat /etc/lsb-release");
if("DISTRIB_ID=Ubuntu"><rls && "DISTRIB_RELEASE=4.10"><rls) {
set_kb_item(name: "ssh/login/release", value: "UBUNTU4.1");
buf = ssh_cmd(socket:sock, cmd:"COLUMNS=200 dpkg -l");
set_kb_item(name: "ssh/login/packages", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running Ubuntu 4.10"));
exit(0);
}
if("DISTRIB_ID=Ubuntu"><rls && "DISTRIB_RELEASE=5.04"><rls) {
set_kb_item(name: "ssh/login/release", value: "UBUNTU5.04");
buf = ssh_cmd(socket:sock, cmd:"COLUMNS=200 dpkg -l");
set_kb_item(name: "ssh/login/packages", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running Ubuntu 5.04"));
exit(0);
}
if("DISTRIB_ID=Ubuntu"><rls && "DISTRIB_RELEASE=5.10"><rls) {
set_kb_item(name: "ssh/login/release", value: "UBUNTU5.10");
buf = ssh_cmd(socket:sock, cmd:"COLUMNS=200 dpkg -l");
set_kb_item(name: "ssh/login/packages", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running Ubuntu 5.10"));
exit(0);
}
if("DISTRIB_ID=Ubuntu"><rls && "DISTRIB_RELEASE=6.10"><rls) {
set_kb_item(name: "ssh/login/release", value: "UBUNTU6.10");
buf = ssh_cmd(socket:sock, cmd:"COLUMNS=200 dpkg -l");
set_kb_item(name: "ssh/login/packages", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running Ubuntu 6.10"));
exit(0);
}
if("DISTRIB_ID=Ubuntu"><rls && "DISTRIB_RELEASE=7.10"><rls) {
set_kb_item(name: "ssh/login/release", value: "UBUNTU7.10");
buf = ssh_cmd(socket:sock, cmd:"COLUMNS=200 dpkg -l");
set_kb_item(name: "ssh/login/packages", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running Ubuntu 7.10"));
exit(0);
}
# How about Conectiva Linux?
rls = ssh_cmd(socket:sock, cmd:"cat /etc/conectiva-release");
if("Conectiva Linux 9" >< rls) {
set_kb_item(name: "ssh/login/release", value: "CL9");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running Conectiva Linux 9"));
exit(0);
}
if("Conectiva Linux 10" >< rls) {
set_kb_item(name: "ssh/login/release", value: "CL10");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running Conectiva Linux 10"));
exit(0);
}
# How about Turbolinux?
# Turbolinux signatures:
# release 6.0 WorkStation (Shiga) -- Unsupported
# TurboLinux release 6.1 Server (Naha) -- Unsupported
# Turbolinux Server 6.5 (Jupiter) -- Unsupported
# Turbolinux Server 7.0 (Esprit)
# Turbolinux Workstation 7.0 (Monza)
# Turbolinux Server 8.0 (Viper)
# Turbolinux Workstation 8.0 (SilverStone)
# Turbolinux Server 10.0 (Celica)
# Turbolinux Desktop 10.0 (Suzuka)
# -- Need:
#- Turbolinux Appliance Server 1.0 Hosting Edition
#- Turbolinux Appliance Server 1.0 Workgroup Edition
#- Turbolinux Home
#- Turbolinux 10 F...
rls = ssh_cmd(socket:sock, cmd:"cat /etc/turbolinux-release");
if("Turbolinux Server 7.0" >< rls) {
set_kb_item(name: "ssh/login/release", value: "TLS7");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Turbolinux Workstation 7.0" >< rls) {
set_kb_item(name: "ssh/login/release", value: "TLWS7");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Turbolinux Server 8.0" >< rls) {
set_kb_item(name: "ssh/login/release", value: "TLS8");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Turbolinux Workstation 8.0" >< rls) {
set_kb_item(name: "ssh/login/release", value: "TLWS8");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Turbolinux Desktop 10.0" >< rls) {
set_kb_item(name: "ssh/login/release", value: "TLDT10");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Turbolinux Server 10.0" >< rls) {
set_kb_item(name: "ssh/login/release", value: "TLS10");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running ", rls));
exit(0);
}
if("Turbolinux">< rls) {
security_note(port:port, data:string("We have detected you are running a
version of Turbolinux currently not supported by SecuritySpace. Please report
the following banner to SecuritySpace: ", rls));
exit(0);
}
#How about FreeBSD? If the uname line begins with "FreeBSD ", we have a match
if(substr(uname, 0, 7)=="FreeBSD ") {
version=eregmatch(pattern:"^[^ ]+ [^ ]+ ([^ ]+)+",string:uname);
splitup = eregmatch(pattern:"([^-]+)-([^-]+)-p([0-9]+)", string:version[1]);
found = 0;
if(!isnull(splitup)) {
release = splitup[1];
patchlevel = splitup[3];
found = 1;
} else {
splitup = eregmatch(pattern:"([^-]+)-RELEASE", string:version[1]);
if(!isnull(splitup)) {
release = splitup[1];
patchlevel = "0";
found = 1;
} else {
splitup=eregmatch(pattern:"([^-]+)-SECURITY",string:version[1]);
if(!isnull(splitup)) {
release = splitup[1];
security_note(port:port, data:string("We have detected you are
running FreeBSD ", splitup[0], ". It also appears that you are using
freebsd-update, a binary update tool for keeping your distribution up to date.
We will not be able to check your core distribution for vulnerabilities, but we
will check your installed ports packages."));
found = 2;
} else {
security_note(port:port, data:string("You appear to be running
FreeBSD, but we do not recognize the output format of uname: ", uname, ". Local
security checks will NOT be run."));
}
}
}
if(found==1) {
set_kb_item(name: "ssh/login/freebsdrel", value: release);
set_kb_item(name: "ssh/login/freebsdpatchlevel", value: patchlevel);
security_note(port:port, data:string("We are able to login and detect
that you are running FreeBSD ", release, " Patch level: ", patchlevel));
}
if(found==2) {
set_kb_item(name: "ssh/login/freebsdrel", value: release);
security_note(port:port, data:string("We are able to login and detect
that you are running FreeBSD ", release, " Patch level: Unknown"));
}
if(found!=0) {
buf = ssh_cmd(socket:sock, cmd:"pkg_info");
set_kb_item(name: "ssh/login/freebsdpkg", value:buf);
}
}
# Hmmm...is it Debian?
rls = ssh_cmd(socket:sock, cmd:"cat /etc/debian_version");
if("2.2"><rls) {
set_kb_item(name: "ssh/login/release", value: "DEB2.2");
buf = ssh_cmd(socket:sock, cmd:"COLUMNS=200 dpkg -l");
set_kb_item(name: "ssh/login/packages", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running Debian 2.2 (Potato)"));
exit(0);
}
if("3.0"><rls) {
set_kb_item(name: "ssh/login/release", value: "DEB3.0");
buf = ssh_cmd(socket:sock, cmd:"COLUMNS=200 dpkg -l");
set_kb_item(name: "ssh/login/packages", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running Debian 3.0 (Woody)"));
exit(0);
}
if("3.1"><rls) {
set_kb_item(name: "ssh/login/release", value: "DEB3.1");
buf = ssh_cmd(socket:sock, cmd:"COLUMNS=200 dpkg -l");
set_kb_item(name: "ssh/login/packages", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running Debian 3.1 (Sarge)"));
exit(0);
}
if("4.0"><rls) {
set_kb_item(name: "ssh/login/release", value: "DEB4.0");
buf = ssh_cmd(socket:sock, cmd:"COLUMNS=200 dpkg -l");
set_kb_item(name: "ssh/login/packages", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running Debian 4.0 (Etch)"));
exit(0);
}
# How about Slackware?
rls = ssh_cmd(socket:sock, cmd:"cat /etc/slackware-version");
if("Slackware 12.0"><rls) {
set_kb_item(name: "ssh/login/release", value: "SLK12.0");
buf = ssh_cmd(socket:sock, cmd:"ls /var/log/packages");
set_kb_item(name: "ssh/login/slackpack", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running Slackware 12.0"));
exit(0);
}
if("Slackware 11.0"><rls) {
set_kb_item(name: "ssh/login/release", value: "SLK11.0");
buf = ssh_cmd(socket:sock, cmd:"ls /var/log/packages");
set_kb_item(name: "ssh/login/slackpack", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running Slackware 11.0"));
exit(0);
}
if("Slackware 10.2"><rls) {
set_kb_item(name: "ssh/login/release", value: "SLK10.2");
buf = ssh_cmd(socket:sock, cmd:"ls /var/log/packages");
set_kb_item(name: "ssh/login/slackpack", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running Slackware 10.2"));
exit(0);
}
if("Slackware 10.1"><rls) {
set_kb_item(name: "ssh/login/release", value: "SLK10.1");
buf = ssh_cmd(socket:sock, cmd:"ls /var/log/packages");
set_kb_item(name: "ssh/login/slackpack", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running Slackware 10.1"));
exit(0);
}
if("Slackware 10.0"><rls) {
set_kb_item(name: "ssh/login/release", value: "SLK10.0");
buf = ssh_cmd(socket:sock, cmd:"ls /var/log/packages");
set_kb_item(name: "ssh/login/slackpack", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running Slackware 10.0"));
exit(0);
}
if("Slackware 9.1"><rls) {
set_kb_item(name: "ssh/login/release", value: "SLK9.1");
buf = ssh_cmd(socket:sock, cmd:"ls /var/log/packages");
set_kb_item(name: "ssh/login/slackpack", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running Slackware 9.1"));
exit(0);
}
if("Slackware 9.0"><rls) {
set_kb_item(name: "ssh/login/release", value: "SLK9.0");
buf = ssh_cmd(socket:sock, cmd:"ls /var/log/packages");
set_kb_item(name: "ssh/login/slackpack", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running Slackware 9.0"));
exit(0);
}
if("Slackware 8.1"><rls) {
set_kb_item(name: "ssh/login/release", value: "SLK8.1");
buf = ssh_cmd(socket:sock, cmd:"ls /var/log/packages");
set_kb_item(name: "ssh/login/slackpack", value:buf);
security_note(port:port, data:string("We are able to login and detect that
you are running Slackware 8.1"));
exit(0);
}
# How about SuSe?
# SuSE Linux 9.x (i586)
# SUSE LINUX 10.1
rls = ssh_cmd(socket:sock, cmd:"cat /etc/SuSE-release");
if("SUSE LINUX 10.2 "><rls) {
set_kb_item(name: "ssh/login/release", value: "SUSE10.2");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running SuSE Linux 10.2"));
exit(0);
}
if("SUSE LINUX 10.1 "><rls) {
set_kb_item(name: "ssh/login/release", value: "SUSE10.1");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running SuSE Linux 10.1"));
exit(0);
}
if("SuSE Linux 9.3 "><rls) {
set_kb_item(name: "ssh/login/release", value: "SUSE9.3");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running SuSE Linux 9.3"));
exit(0);
}
if("SuSE Linux 9.2 "><rls) {
set_kb_item(name: "ssh/login/release", value: "SUSE9.2");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running SuSE Linux 9.2"));
exit(0);
}
if("SuSE Linux 9.1 "><rls) {
set_kb_item(name: "ssh/login/release", value: "SUSE9.1");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running SuSE Linux 9.1"));
exit(0);
}
if("SuSE Linux 9.0 "><rls) {
set_kb_item(name: "ssh/login/release", value: "SUSE9.0");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running SuSE Linux 9.0"));
exit(0);
}
if("SuSE Linux 8.2 "><rls) {
set_kb_item(name: "ssh/login/release", value: "SUSE8.2");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running SuSE Linux 8.2"));
exit(0);
}
if("SuSE Linux 8.1 "><rls) {
set_kb_item(name: "ssh/login/release", value: "SUSE8.1");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running SuSE Linux 8.1"));
exit(0);
}
if("SuSE Linux 8.0 "><rls) {
set_kb_item(name: "ssh/login/release", value: "SUSE8.0");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running SuSE Linux 8.0"));
exit(0);
}
if("SuSE Linux 7.3 "><rls) {
set_kb_item(name: "ssh/login/release", value: "SUSE7.3");
buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf
'%{NAME}~%{VERSION}~%{RELEASE};'");
set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
security_note(port:port, data:string("We are able to login and detect that
you are running SuSE Linux 7.3"));
exit(0);
}
# How about Trustix?
rls = ssh_cmd(socket:sock, cmd:"cat /etc/release");
rls2 = ssh_cmd(socket:sock, cmd:"cat /etc/trustix-release");
if("Trustix Secure Linux release 3.0"><rls ||
   "Trustix Secure Linux release 3.0"><rls2) {
  set_kb_item(name: "ssh/login/release", value: "TSL3.0");
  buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf '%{NAME}~%{VERSION}~%{RELEASE};'");
  set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
  security_note(port:port, data:string("We are able to login and detect that you are running Trustix 3.0"));
  exit(0);
}
if("Trustix Secure Linux release 2.2"><rls ||
   "Trustix Secure Linux release 2.2"><rls2) {
  set_kb_item(name: "ssh/login/release", value: "TSL2.2");
  buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf '%{NAME}~%{VERSION}~%{RELEASE};'");
  set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
  security_note(port:port, data:string("We are able to login and detect that you are running Trustix 2.2"));
  exit(0);
}
if("Trustix Secure Linux release 2.1"><rls ||
   "Trustix Secure Linux release 2.1"><rls2) {
  set_kb_item(name: "ssh/login/release", value: "TSL2.1");
  buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf '%{NAME}~%{VERSION}~%{RELEASE};'");
  set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
  security_note(port:port, data:string("We are able to login and detect that you are running Trustix 2.1"));
  exit(0);
}
if("Trustix Secure Linux release 2.0"><rls ||
   "Trustix Secure Linux release 2.0"><rls2) {
  set_kb_item(name: "ssh/login/release", value: "TSL2.0");
  buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf '%{NAME}~%{VERSION}~%{RELEASE};'");
  set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
  security_note(port:port, data:string("We are able to login and detect that you are running Trustix 2.0"));
  exit(0);
}
if("Trustix Secure Linux release 1.5"><rls ||
   "Trustix Secure Linux release 1.5"><rls2) {
  set_kb_item(name: "ssh/login/release", value: "TSL1.5");
  buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf '%{NAME}~%{VERSION}~%{RELEASE};'");
  set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
  security_note(port:port, data:string("We are able to login and detect that you are running Trustix 1.5"));
  exit(0);
}
if("Trustix Secure Linux release 1.2"><rls ||
   "Trustix Secure Linux release 1.2"><rls2) {
  set_kb_item(name: "ssh/login/release", value: "TSL1.2");
  buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf '%{NAME}~%{VERSION}~%{RELEASE};'");
  set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
  security_note(port:port, data:string("We are able to login and detect that you are running Trustix 1.2"));
  exit(0);
}
if("Trustix Secure Linux release 1.1"><rls ||
   "Trustix Secure Linux release 1.1"><rls2) {
  set_kb_item(name: "ssh/login/release", value: "TSL1.1");
  buf = ssh_cmd(socket:sock, cmd:"/bin/rpm -qa --qf '%{NAME}~%{VERSION}~%{RELEASE};'");
  set_kb_item(name: "ssh/login/rpms", value: ";" + buf);
  security_note(port:port, data:string("We are able to login and detect that you are running Trustix 1.1"));
  exit(0);
}
# Missing Trustix e-2
# How about Gentoo? Note, just check that it's ANY Gentoo release, since the
# build # doesn't matter for purposes of checking package version numbers.
rls = ssh_cmd(socket:sock, cmd:"cat /etc/gentoo-release");
if("Gentoo"><rls) {
  set_kb_item(name: "ssh/login/release", value: "GENTOO");
  set_kb_item(name: "ssh/login/gentoo", value: "GENTOO");
  # One "category/name-version" line per installed package.
  buf = ssh_cmd(socket:sock, cmd:'find /var/db/pkg -mindepth 2 -maxdepth 2 -printf "%P\\n"');
  set_kb_item(name: "ssh/login/pkg", value: buf);
  security_note(port:port, data:string("We are able to login and detect that you are running Gentoo"));
  exit(0);
}
#{ "NetBSD", "????????????????", },
#{ "OpenBSD", "????????????????", },
#{ "WhiteBox", "????????????????", },
#{ "Linspire", "????????????????", },
#{ "Desktop BSD","????????????????", },
#{ "PC-BSD", "????????????????", },
#{ "FreeSBIE", "????????????????", },
#{ "JDS", "/etc/sun-release", },
#{ "Yellow Dog", "/etc/yellowdog-release", },
exit(0);
#
# This script was written by Thomas Reinke <[EMAIL PROTECTED]>
#
# Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# Include that can be used to compare two software package version
# strings. Version string comparison operates on a slightly
# different set of ordering rules: instead of comparing character
# by character exclusively throughout the whole string, we instead
# compare character by character until we run into a numeric, at
# which point we extract the entire numeric, and do a numeric
# comparison. That allows things like v10.1 to be greater than
# v9, whereas any other string comparison would result in v9
# being larger, because '9' is larger than '1'. Typical strcmp
# return values (0 equal; -1 a<b; 1 a>b).
function isdigit(a) {
  if(ord(a)>=ord('0') && ord(a)<=ord('9')) {
    return(1);
  }
  return(0);
}

function ssvercheck(a, b) {
  if(a == b) {
    return(0);
  }
  done = 0;
  work_a = a;
  work_b = b;
  rc = 0;
  while(!done) {
    lena = strlen(work_a);
    lenb = strlen(work_b);
    if(lena==0) {
      # a is exhausted: it is older if b still has something, equal otherwise.
      if(lenb>0) {
        rc = -1;
        break;
      }
      if(lenb==0) {
        break;
      }
    }
    for(i=0; i<lena; i++) {
      if(i>=lenb) {
        # b is exhausted while a continues: a is newer.
        done = 1;
        rc = 1;
        break;
      }
      if(isdigit(a:work_a[i]) && isdigit(a:work_b[i])) {
        # Both sides start a numeric run here: extract the whole run on
        # each side, compare as integers, and continue after the runs.
        subm_a=eregmatch(pattern:"([0-9]+)",string:substr(work_a,i));
        subm_b=eregmatch(pattern:"([0-9]+)",string:substr(work_b,i));
        sub_a = subm_a[1];
        sub_b = subm_b[1];
        work_a = substr(work_a, i+strlen(sub_a));
        work_b = substr(work_b, i+strlen(sub_b));
        if(int(sub_a)>int(sub_b)) {
          done = 1;
          rc = 1;
          break;
        }
        if(int(sub_a)<int(sub_b)) {
          done = 1;
          rc = -1;
          break;
        }
        if(int(sub_a)==int(sub_b)) {
          # Equal numerics: a further ".x" component outranks any other suffix.
          if(work_a[0]=='.' && work_b[0]!='.') {
            done = 1;
            rc = 1;
            break;
          }
          if(work_a[0]!='.' && work_b[0]=='.') {
            done = 1;
            rc = -1;
            break;
          }
          # Either both are dots or neither is; restart the scan on what is left.
          break;
        }
      }
      if(ord(work_a[i])<ord(work_b[i])) {
        done = 1;
        rc = -1;
        break;
      }
      if(ord(work_a[i])>ord(work_b[i])) {
        done = 1;
        rc = 1;
        break;
      }
      if(i==lena-1 && lenb>lena) {
        # a is a proper prefix of b: a is older.
        done = 1;
        rc = -1;
        break;
      }
    }
  }
  return(rc);
}
#
# This script was written by Thomas Reinke <[EMAIL PROTECTED]>
#
# Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# rpmcheck is intended to provide a quick way to verify that
# a given rpm, if it is installed, is up to date. The function
# isrpmvuln returns 0 if it is not installed or is installed
# but up to date, and returns 1 if it is installed and vulnerable.
function isrpmvuln(pkg, rpm, rls) {
  # Check that we have the data for this release.
  kbrls = get_kb_item("ssh/login/release");
  if(kbrls!=rls) {
    return(0);
  }
  rpms = get_kb_item("ssh/login/rpms");
  if(!rpms) return(0);
  # Entries are stored as ";NAME~VERSION~RELEASE;" so the anchors keep
  # "foo" from matching "foo-devel".
  pat = string(";(", pkg, "~[^;]+);");
  matches = eregmatch(pattern:pat, string:rpms);
  if(isnull(matches)) {
    return(0);
  }
  #security_note(0, data: "Comparing " + matches[1] + " against " + rpm);
  rc = ssvercheck(a:matches[1], b:rpm);
  if(rc<0) {
    # Turn NAME~VERSION~RELEASE back into NAME-VERSION-RELEASE for the report.
    norm_pkg = "";
    foreach comp (split(matches[1], sep: "~", keep:0)) {
      norm_pkg = string(norm_pkg,"-",comp);
    }
    norm_pkg = substr(norm_pkg, 1);
    security_note(0, data: "Package " + pkg + " version " +
                  norm_pkg + " is installed which is known to be vulnerable.");
    return(1);
  }
  return(0);
}

# dpkg gives us the package name and version number nicely separated out.
function isdpkgvuln(pkg, ver, rls) {
  # Check that we have the data for this release.
  kbrls = get_kb_item("ssh/login/release");
  if(kbrls!=rls) {
    return(0);
  }
  rpms = get_kb_item("ssh/login/packages");
  if(!rpms) return(0);
  # Match an installed ("ii") line of the dpkg listing: "ii NAME VERSION ..."
  pat = string("ii (", pkg, ") +([^ ]+)");
  matches = eregmatch(pattern:pat, string:rpms);
  if(isnull(matches)) {
    return(0);
  }
  rc = ssvercheck(a:matches[2], b:ver);
  if(rc<0) {
    security_note(0, data: "Package " + pkg + " version " +
                  matches[2] + " is installed which is known to be vulnerable.");
    return(1);
  }
  return(0);
}
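As an added example (not part of Thomas's include files), the same ordering rules in Python: numeric runs compare as integers, a further "." component outranks any other suffix, and a version that is a prefix of another sorts older; the lookup mirrors isrpmvuln's ";NAME~VERSION~RELEASE;" knowledge-base format. The sample package list is constructed.

```python
import re

# Split a version string into alternating numeric / non-numeric runs.
_RUNS = re.compile(r"\d+|\D+")


def ssvercheck(a: str, b: str) -> int:
    """strcmp-style result (-1, 0, 1) using the ssvercheck.inc ordering:
    numeric runs compare as integers (1.3.9 < 1.3.10, 1.2+etch5 < 1.2+etch10),
    a '.' continuation outranks any other suffix after equal numerics, and
    a version that is a prefix of the other is the older one."""
    if a == b:
        return 0
    ra, rb = _RUNS.findall(a), _RUNS.findall(b)
    for x, y in zip(ra, rb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x != y:
            if x.startswith(".") != y.startswith("."):
                return 1 if x.startswith(".") else -1
            return -1 if x < y else 1
    return (len(ra) > len(rb)) - (len(ra) < len(rb))


def installed_rpm(rpms_kb: str, pkg: str):
    """Find pkg in the ';NAME~VERSION~RELEASE;...' string the login script
    stores under ssh/login/rpms. Anchoring on ';' and '~' keeps 'openssl'
    from matching 'openssl-devel'; the name is regex-escaped, unlike the
    NASL original. Returns the matching entry or None."""
    m = re.search(";(" + re.escape(pkg) + "~[^;]+);", rpms_kb)
    return m.group(1) if m else None


def isrpmvuln(rpms_kb: str, pkg: str, fixed: str) -> bool:
    """True when pkg is installed and older than the fixed 'NAME~VER~REL'."""
    inst = installed_rpm(rpms_kb, pkg)
    return inst is not None and ssvercheck(inst, fixed) < 0


# Constructed sample of the knowledge-base value (";" + rpm -qa --qf output).
SAMPLE_RPMS = ";openssh~4.3p2~1;openssl-devel~0.9.8~2;bash~3.1~5;"

if __name__ == "__main__":
    for old, new in [("1.3.9", "1.3.10"), ("1.3", "1.20"), ("1.2+etch5", "1.2+etch10")]:
        print(old, "<", new, "->", ssvercheck(old, new))
    print(isrpmvuln(SAMPLE_RPMS, "openssh", "openssh~4.3p2~3"))  # True
```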
_______________________________________________
Openvas-devel mailing list
Openvas-devel@wald.intevation.org
http://lists.wald.intevation.org/mailman/listinfo/openvas-devel