Hello,

On Thu, Jan 14, 2010 at 11:11 AM, Michael Meyer <[email protected]> wrote:

> *** Jan-Oliver Wagner <[email protected]> wrote:
> > On Mittwoch, 13. Januar 2010, Michael Meyer wrote:
>
> > > "if(get_kb_item("Services/www/" + port + "/embedded"))exit(0);"
> >
> > this appears a bit too generic to me and might produce false negatives.
> >
> >
> > Wouldn't it be better to detect the system more precisely and use
> > a corresponding KB item instead of just "embedded"?
>
> This KB entry is set by 'embedded_web_server_detect.nasl' (and a few
> others) which try to detect an embedded webserver.
>
> > > We should consider whether it makes sense in principle, running
> > > plugins of Family "Web application abuses" against embedded webservers.
> >
> > I think it does make sense.
>
> Hmm...you really expect to find e.g. a "phpshop" or a "phpgroupware" or
> a "mambo" on an *embedded* webserver?
>
> A lot of embedded webservers running e.g. on switches *seem* to be not
> very robust. There is a risk that we, while running a scan with "Safe Checks"
> enabled, kill them. That is not what a user expects, IMHO.
>
> But what I have now just seen is that the functions
> "can_host_{php,asp}()" use the
> "Services/www/" + port + "/embedded" KB entry as well.
>
> These functions "return 0" if the webserver is detected as
> embedded. Since these functions are used in most of the plugins in
> Family "Web application abuses" that should be enough. In Jonas' case
> it did not work because 'embedded_web_server_detect.nasl' doesn't match
> on "Server: Embedded Web Server", only on "Server: Embedded HTTPD". I will
> add "Server: Embedded Web Server" to that plugin.
>

The APC SmartUPS 1000 RM webserver identifies itself with the string
"WebServer: " in the HTTP response.

When several plugins are run against it, including nikto (also running
nikto manually produces the same behaviour), linksys_empty_GET_DoS, and some
SQL injection plugins (and maybe other not-yet-identified plugins), the
service stops responding for about 3 minutes. When this happens, FTP
and Telnet services also stop responding.  After this time, all services
recover.  For this reason, any plugins run during those 3 minutes against the
host might not be able to gather the appropriate information, because the
service is not available.

I have seen this same behaviour on the Enterasys switches' embedded web server
(identified itself as "Server: Embedded Web Server" in the HTTP response),
but the downtime lasts only for about 30-40 seconds, making telnet
sessions unavailable as well.  Similar behaviour has been observed against the
vnc-http service of TightVNC 1.2.9 on OpenSUSE 11.1, although Michael Meyer
has tried this same TightVNC version on another OpenSUSE version, and has not
been able to verify the issue.  When the vnc-http service stops responding,
any VNC sessions are interrupted, and new ones cannot be established until
the http service comes back up.

I don't know whether not running some webserver tests when we find a
potentially fragile embedded web server could create more false negatives
than bringing down the server, maybe along with other services, sometimes
several times during a scan, which might produce false negatives on the
web-server itself or on other services.

It is not an easy decision, of course, and that's why Michael has brought it
up, I think.


> Does it make sense running nikto.nasl against an embedded webserver? ;)
>
> Micha
>
> --
> Michael Meyer                                         OpenPGP Key: 76E050B9
> http://www.intevation.de
> Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998
> Geschäftsführer:   Frank Koormann,  Bernhard Reiter,  Dr. Jan-Oliver Wagner
>


Best Regards,

Jonás.
_______________________________________________
Openvas-plugins mailing list
[email protected]
http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins
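
The gating discussed in this thread, as an added example that is not part of the original messages and not OpenVAS code: a Python model (not NASL) of a banner check that sets the "Services/www/<port>/embedded" KB entry, and of a can_host_php()-style gate that reads it. The sample responses and both pattern lists are constructed assumptions based on the banners quoted above.

```python
import re

# Constructed response headers modelled on the banners quoted in this thread.
SAMPLES = {
    "embedded-httpd": "HTTP/1.0 200 OK\r\nServer: Embedded HTTPD\r\n\r\n",
    "enterasys": "HTTP/1.0 200 OK\r\nServer: Embedded Web Server\r\n\r\n",
    "apc-ups": "HTTP/1.0 200 OK\r\nWebServer: \r\n\r\n",
    "generic": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
}

# Assumed pattern sets: BEFORE matches only the banner the thread says was
# recognised; AFTER adds the two banners reported as not recognised.
BEFORE = [r"^Server:\s*Embedded HTTPD\s*$"]
AFTER = BEFORE + [r"^Server:\s*Embedded Web Server\s*$", r"^WebServer:\s*$"]


def header_lines(response):
    """Return the header lines only (status line and body dropped)."""
    head = response.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")[1:]


def detect_embedded(kb, port, response, patterns):
    """Set the per-port KB flag when any header line matches a pattern."""
    for line in header_lines(response):
        if any(re.match(p, line, re.IGNORECASE) for p in patterns):
            kb["Services/www/%d/embedded" % port] = True
            return True
    return False


def can_host_php(kb, port):
    """Model of the gate: a port flagged as embedded is not tested for PHP apps."""
    return not kb.get("Services/www/%d/embedded" % port, False)


def plugins_that_would_run(patterns, port=80):
    """For each sample host, report whether a PHP-application check would launch."""
    result = {}
    for name, response in SAMPLES.items():
        kb = {}  # fresh knowledge base per scanned host
        detect_embedded(kb, port, response, patterns)
        result[name] = can_host_php(kb, port)
    return result


if __name__ == "__main__":
    print("before:", plugins_that_would_run(BEFORE))
    print("after: ", plugins_that_would_run(AFTER))
```

With the narrower list, the hosts whose banners are not matched still pass the gate, which is the case reported in the thread.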
