Re: [Openvas-discuss] NASL issue - From a week ago.

2011-05-20 Thread santu
  
Hello Tom,

The issue in secpod_ms10-060.nasl is fixed.

Thanks for informing.
Please let us know if you find any other issues.

Thank you,

Antu Sanadi

Sound Solutions, Inc.
8400 Highland Dr.
Wausau, WI  54401
Tel: 715-842-7665
Fax: 715-842-7620

Hello...we ran the NVT sync and some of the problems have disappeared...many thanks!! We are looking into the other ones to make sure...and we'll repost to the forum if we find anything else out.

This is the very first NASL issue we had a week ago...and it still shows up...this was not in the group I sent last night...but from one about a week ago.

Ideas?

Thanks

TP
  
From: openvas-discuss-boun...@wald.intevation.org [mailto:openvas-discuss-boun...@wald.intevation.org] On Behalf Of Tom Powers
Sent: Thursday, May 12, 2011 2:09 PM
To: openvas-discuss@wald.intevation.org
Subject: {Spam?} {Disarmed} [Openvas-discuss] NASL issue

Hello OpenVas crew...

We have been running OV against windows XP machines and have found something interesting...and I was curious on how to best approach the issue.

If we scan an XP machine we are seeing that it has this vulnerability:

Microsoft .NET Common Language Runtime Remote Code Execution Vulnerability (2265906)

This would be fixed by MS10-060

The code is looking for a specific version of mscorlib.dll seen here:

  ## win xp, 2K3
  if(hotfix_check_sp(xp:4, win2k:5, win2003:3) > 0)
  {
    ## Check for the version mscorlib.dll
    if(version_in_range(version:Ver, test_version:"2.0.50727.3", test_version2:"2.0.50727.3614") ||
       version_in_range(version:Ver, test_version:"2.0.50727.4", test_version2:"2.0.50727.4454"))
    {
      security_hole(0);
      exit(0);
    }
  }

Now the issue is that this machine has the superseding patch of MS11-028 and shows the version of MSCorlib.dll to be 2.0.50727.3620

If I read the NASL code correctly, it is scanning for a version between .3 and .3614 and since ours is above that range, the OV box shows this as a vulnerability.

My question then is...

Can I just alter the NASL from .3614 to .3620?
Will an openvas-nvt-sync mess that up in the future?
Or am I reading this all wrong?

Effectively...we are getting a false positive on this. We have a few others...but the answer to this question would be the same for the other ones we are finding.

Thanks...all help is

Re: [Openvas-discuss] NASL issue

2011-05-13 Thread Jan-Oliver Wagner
Hello,

we will be looking into this problem.

On Thursday, 12 May 2011, Tom Powers wrote:
> Can I just alter the NASL from .3614 to .3620?
> Will an openvas-nvt-sync mess that up in the future?

It does not really make sense to change the NASL scripts on your own. They will be updated in the feed and automatically your installation will get updated too, once you run the sync.


If you urgently need to create a report on the results, there
is the nice Overrides feature where you can set such results
to false positive for the time being.

Best

Jan

-- 
Dr. Jan-Oliver Wagner |  ++49-541-335084-0  |  http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Managing Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss


Re: [Openvas-discuss] NASL issue

2011-05-13 Thread Veerendra GG
  
Hello Tom,

Please find inline comments,


On 05/13/2011 12:39 AM, Tom Powers wrote:
> Hello OpenVas crew...
>
> We have been running OV against windows XP machines and have found something interesting...and I was curious on how to best approach the issue.
>
> If we scan an XP machine we are seeing that it has this vulnerability:
>
> Microsoft .NET Common Language Runtime Remote Code Execution Vulnerability (2265906)
>
> This would be fixed by MS10-060
>
> The code is looking for a specific version of mscorlib.dll seen here:
>
>   ## win xp, 2K3
>   if(hotfix_check_sp(xp:4, win2k:5, win2003:3) > 0)
>   {
>     ## Check for the version mscorlib.dll
>     if(version_in_range(version:Ver, test_version:"2.0.50727.3", test_version2:"2.0.50727.3614") ||
>        version_in_range(version:Ver, test_version:"2.0.50727.4", test_version2:"2.0.50727.4454"))
>     {
>       security_hole(0);
>       exit(0);
>     }
>   }
>
> Now the issue is that this machine has the superseding patch of MS11-028 and shows the version of MSCorlib.dll to be 2.0.50727.3620

Yes, you are right, MS11-028 is superseding MS10-060 and according to MS Bulletin MS11-028 the MSCorlib.dll file version will be 2.0.50727.3620 after applying the patch.

> If I read the NASL code correctly, it is scanning for a version between .3 and .3614 and since ours is above that range, the OV box shows this as a vulnerability

This test is checking the version range from 2.0.50727.3 to 2.0.50727.3614. If the version is in between this range then we need to apply the patch, but the version found on the target is already greater. So it's not an issue with the NASL test. Please check whether there are multiple "MSCorlib.dll" files with different versions on the target.

> My question then is...
>
> Can I just alter the NASL from .3614 to .3620?

No, it will not solve the problem. If you alter .3614 to .3620, then the NASL test will give a false positive for sure. Presently the NASL test is proper, hence no change is required.

Will try to reproduce and fix the issue.

> Will an openvas-nvt-sync mess that up in the future?
> Or am I reading this all wrong?
>
> Effectively...we are getting a false positive on this. We have a few others...but the answer to this question would be the same for the other ones we are finding.
>
> Thanks...all help is appreciated
>
> Tom P
   
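
An added example, not part of the thread and not OpenVAS code: a Python model of the two range checks quoted above, applied to the reported version 2.0.50727.3620, to Tom's proposed .3620 bound, and to a constructed file inventory containing a hypothetical stale copy. The thread does not say how version_in_range compares components, so the numeric and string modes, the inclusive bounds, and all function names here are assumptions.

```python
# Added illustration, not OpenVAS code: a Python model of the quoted range checks.
# Assumed: inclusive bounds, and two possible ways of comparing components,
# because the thread does not say how version_in_range compares them.

RANGES = [  # (test_version, test_version2) pairs from the quoted script
    ("2.0.50727.3", "2.0.50727.3614"),
    ("2.0.50727.4", "2.0.50727.4454"),
]
# Tom's proposed edit: raise the first upper bound from .3614 to .3620.
EDITED = [("2.0.50727.3", "2.0.50727.3620"), RANGES[1]]

# Constructed inventory: the patched file from the thread plus a hypothetical
# stale copy, the case Veerendra asks Tom to look for.
FOUND = {
    r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll": "2.0.50727.3620",
    r"D:\backup\mscorlib.dll": "2.0.50727.3053",
}

def key(version, numeric):
    """Split a dotted version into parts compared as integers or as strings."""
    parts = version.split(".")
    return tuple(int(p) for p in parts) if numeric else tuple(parts)

def in_range(version, low, high, numeric=True):
    return key(low, numeric) <= key(version, numeric) <= key(high, numeric)

def matching_ranges(version, ranges=RANGES, numeric=True):
    """Ranges that would make the check report this version."""
    return [r for r in ranges if in_range(version, r[0], r[1], numeric)]

def flagged_files(found, ranges=RANGES, numeric=True):
    """Paths in `found` (path -> version) whose version matches any range."""
    return sorted(p for p, v in found.items() if matching_ranges(v, ranges, numeric))

if __name__ == "__main__":
    for numeric in (True, False):
        mode = "numeric" if numeric else "string"
        print(mode, "original:", matching_ranges("2.0.50727.3620", RANGES, numeric))
        print(mode, "edited:  ", matching_ranges("2.0.50727.3620", EDITED, numeric))
        print(mode, "files:   ", flagged_files(FOUND, RANGES, numeric))
```

With numeric comparison the second quoted range (.4 to .4454) also covers .3620, while with string comparison neither range does and only the stale copy is reported. With the bound raised to .3620 the patched file is reported in both modes.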