Goran Ličina wrote:

> if ("Darwin" >< uname)
> {
>     rls = ssh_cmd(socket:sock, cmd:"cat -v -t /System/Library/CoreServices/SystemVersion.plist | egrep '10' | tail -n 1 | sed s/'\^I<string>'// | sed s/'<\/string>'//");
>     rls = "Mac OS X "+rls;
>     set_kb_item(name: "ssh/login/release", value:rls);
>     security_note(data:string("We are able to login and detect that you are running ", rls));
>     exit(0);
> }

The only thing that catches my attention above is the dynamic nature of
the "rls" value set into the kb.  While the above is simple and clean in
that it probably catches ALL possible release values, it reports
successful login and detection across all release variables, even if one
is found that is unsupported.

Then there's the fact that, because we don't control the value, if some
sort of point value system is added into the release number, it will
break local security checks that are hardcoded to referencing something
similar. An example is Debian - the release file might indicate
rls "5.0" or "5.0.2", but both are "DEB5.0" from the perspective of
all of the local security checks.

I'd suggest a specific check for the release numbers within a known
set of "legitimate" values that we support as per the local security
checks that use the value, and only set the kb and generate the note
if the rls value falls within that legitimate set.

Thomas
_______________________________________________
Openvas-plugins mailing list
[email protected]
http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins
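Thomas's suggestion in working NASL, as an added example rather than code from the thread or from the OpenVAS plugin itself: the release string is normalized to "major.minor" and only stored in the kb when it falls inside a fixed supported set. The supported set and the normalization rule are assumptions for illustration, not values taken from the plugin.

```nasl
# Added example: whitelist the detected release before it reaches the kb.
# The supported set below is a constructed placeholder, not the plugin's own list.

if ("Darwin" >< uname)
{
  # Releases the local security checks actually know how to handle (assumed).
  supported = make_list("10.4", "10.5", "10.6");

  raw = ssh_cmd(socket:sock, cmd:"cat -v -t /System/Library/CoreServices/SystemVersion.plist | egrep '10' | tail -n 1 | sed s/'\^I<string>'// | sed s/'<\/string>'//");
  raw = chomp(raw);

  # Keep only "major.minor", so "10.5.8" and "10.5" map to the same key,
  # the way "5.0.2" and "5.0" both map to DEB5.0 on Debian.
  # NASL double-quoted strings are literal, so the backslash reaches the regex.
  m = eregmatch(pattern:"^([0-9]+\.[0-9]+)", string:raw);
  if (isnull(m)) exit(0);   # nothing that looks like a release: report nothing
  key = m[1];

  # Membership test against the supported set.
  ok = 0;
  foreach r (supported)
  {
    if (r == key) ok = 1;
  }

  # Only a recognized release is written to the kb and reported; an
  # unsupported one is silently skipped instead of claiming success.
  if (ok)
  {
    rls = "Mac OS X " + key;
    set_kb_item(name:"ssh/login/release", value:rls);
    security_note(data:string("We are able to login and detect that you are running ", rls));
  }
  exit(0);
}
```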