Re: [Openvas-discuss] NASL issue - From a week ago.
Hello Tom,

The issue in secpod_ms10-060.nasl is fixed. Thanks for informing. Please let us know if you find any other issues.

Thank you,
Antu Sanadi

Sound Solutions, Inc. 8400 Highland Dr. Wausau, WI 54401 Tel: 715-842-7665 Fax: 715-842-7620

Hello...we ran the NVT sync and some of the problems have disappeared...many thanks!! We are looking into the other ones to make sure...and we'll repost to the forum if we find anything else out.

This is the very first NASL issue we had a week ago...and it still shows up...this was not in the group I sent last night...but from one about a week ago.

Ideas?

Thanks
TP

From: openvas-discuss-boun...@wald.intevation.org [mailto:openvas-discuss-boun...@wald.intevation.org] On Behalf Of Tom Powers
Sent: Thursday, May 12, 2011 2:09 PM
To: openvas-discuss@wald.intevation.org
Subject: {Spam?} {Disarmed} [Openvas-discuss] NASL issue

Hello OpenVAS crew...

We have been running OV against Windows XP machines and have found something interesting...and I was curious on how to best approach the issue.

If we scan an XP machine we are seeing that it has this vulnerability:

Microsoft .NET Common Language Runtime Remote Code Execution Vulnerability (2265906)

This would be fixed by MS10-060

The code is looking for a specific version of mscorlib.dll seen here:

    ## win xp, 2K3
    if(hotfix_check_sp(xp:4, win2k:5, win2003:3) > 0)
    {
      ## Check for the version mscorlib.dll
      if(version_in_range(version:Ver, test_version:"2.0.50727.3", test_version2:"2.0.50727.3614") ||
         version_in_range(version:Ver, test_version:"2.0.50727.4", test_version2:"2.0.50727.4454"))
      {
        security_hole(0);
        exit(0);
      }
    }

Now the issue is that this machine has the superseding patch of MS11-028 and shows the version of MSCorlib.dll to be 2.0.50727.3620

If I read the NASL code correctly, it is scanning for a version between .3 and .3614 and since ours is above that range, the OV box shows this as a vulnerability.
My question then is... Can I just alter the NASL from .3614 to .3620? Will an openvas-nvt-sync mess that up in the future? Or am I reading this all wrong? Effectively...we are getting a false positive on this. We have a few others...but the answer to this question would be the same for the other ones we are finding. Thanks...all help is
Re: [Openvas-discuss] NASL issue
Hello,

we will be looking into this problem.

On Thursday, 12 May 2011, Tom Powers wrote:
> Can I just alter the NASL from .3614 to .3620? Will an openvas-nvt-sync mess that up in the future?

It does not really make sense to change the NASL scripts on your own. They will be updated in the feed and automatically your installation will get updated too, once you run the sync.

If you urgently need to create a report on the results, there is the nice Overrides feature where you can set such results to false positive for the time being.

Best

Jan

--
Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Managing directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] NASL issue
Hello Tom,

Please find inline comments,

On 05/13/2011 12:39 AM, Tom Powers wrote:
> Hello OpenVAS crew...
>
> We have been running OV against Windows XP machines and have found something interesting...and I was curious on how to best approach the issue.
>
> If we scan an XP machine we are seeing that it has this vulnerability:
>
> Microsoft .NET Common Language Runtime Remote Code Execution Vulnerability (2265906)
>
> This would be fixed by MS10-060
>
> The code is looking for a specific version of mscorlib.dll seen here:
>
>     ## win xp, 2K3
>     if(hotfix_check_sp(xp:4, win2k:5, win2003:3) > 0)
>     {
>       ## Check for the version mscorlib.dll
>       if(version_in_range(version:Ver, test_version:"2.0.50727.3", test_version2:"2.0.50727.3614") ||
>          version_in_range(version:Ver, test_version:"2.0.50727.4", test_version2:"2.0.50727.4454"))
>       {
>         security_hole(0);
>         exit(0);
>       }
>     }
>
> Now the issue is that this machine has the superseding patch of MS11-028 and shows the version of MSCorlib.dll to be 2.0.50727.3620

Yes, you are right, MS11-028 is superseding MS10-060, and according to MS Bulletin MS11-028 the MSCorlib.dll file version will be 2.0.50727.3620 after applying the patch.

> If I read the NASL code correctly, it is scanning for a version between .3 and .3614 and since ours is above that range, the OV box shows this as a vulnerability

This test is checking the version range from 2.0.50727.3 to 2.0.50727.3614. If the version is in between this range then we need to apply the patch, but the version found on the target is already greater. So it's not an issue with the NASL test. Please check whether there are multiple "MSCorlib.dll" files with different versions on the target.

> My question then is... Can I just alter the NASL from .3614 to .3620?

No, it will not solve the problem. If you alter .3614 to .3620, then the NASL test will give a false positive for sure. Presently the NASL test is proper, hence no change is required.
Will try to reproduce and fix the issue.

> Will an openvas-nvt-sync mess that up in the future? Or am I reading this all wrong? Effectively...we are getting a false positive on this. We have a few others...but the answer to this question would be the same for the other ones we are finding.
>
> Thanks...all help is appreciated
>
> Tom P
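
An added example (not part of any message in this thread, and not OpenVAS code): the two range checks quoted above, re-implemented in Python and run against the version Tom reported and against the altered .3620 bound he asked about. It assumes version_in_range compares dot-separated components numerically with inclusive bounds, which the thread does not state; under that assumption 2.0.50727.3620 lies outside the first range but inside the second, since 4 <= 3620 <= 4454. The file paths and the second version are constructed sample values.

```python
# Added example: the two range checks quoted from secpod_ms10-060.nasl,
# re-implemented in Python. ASSUMPTION (not stated in the thread): components
# are compared numerically and both bounds are inclusive.

# Ranges exactly as quoted in the thread.
RANGES = [
    ("2.0.50727.3", "2.0.50727.3614"),
    ("2.0.50727.4", "2.0.50727.4454"),
]


def parse(version):
    """Turn '2.0.50727.3620' into (2, 0, 50727, 3620); reject anything else."""
    parts = version.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def version_in_range(version, low, high):
    """Inclusive range test; shorter versions are zero-padded on the right."""
    vs = [parse(version), parse(low), parse(high)]
    width = max(len(v) for v in vs)
    v, lo, hi = (t + (0,) * (width - len(t)) for t in vs)
    return lo <= v <= hi


def matched_ranges(version, ranges=RANGES):
    """Return every (low, high) pair that would make the check fire."""
    return [r for r in ranges if version_in_range(version, *r)]


def triage(files, ranges=RANGES):
    """Map each file path to the ranges its version falls in (hits only)."""
    hits = {path: matched_ranges(ver, ranges) for path, ver in files.items()}
    return {path: m for path, m in hits.items() if m}


if __name__ == "__main__":
    # Constructed inventory: paths and the second version are sample values;
    # 2.0.50727.3620 is the version reported in the thread.
    found = {
        r"C:\sample\current\mscorlib.dll": "2.0.50727.3620",
        r"C:\sample\stale-copy\mscorlib.dll": "2.0.50727.3053",
    }
    for path, ranges in triage(found).items():
        print(path, "->", ranges)
```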