Hello all,
I've been getting false negatives against frontpage servers. I've modified
Renaud's frontpage.nasl (attached). I've removed the dependency on
"script_require_keys("www/iis");", since so many servers now just belch out
a 500 error without giving out a server name. Many servers are using
ENTERCEPT, URLSCAN, etc. and no longer give up the "IIS" string the way they
used to.
Comments?
Also, I am interested in compiling a list of "TODO plugins" (i.e. plugins
that still need to be written, indexed by CVE, BID, or otherwise). Ideally, I would
like deltas between other scanners and Nessus (i.e. which checks other
scanners do better).
TIA,
John W. Lampe
https://f00dikator.aceryder.com/
#
# This script was written by Renaud Deraison <[EMAIL PROTECTED]>
#
# See the Nessus Scripts License for details
#
# Modified by John [EMAIL PROTECTED] to add "open service" call and
# add 2 more files to look for
if(description)
{
  # Plugin registration: identifiers, names and the description shown to the user.
  script_id(10077);
  script_version ("$Revision: 1.16.2.1 $");
  script_cve_id("CAN-2000-0114");

  script_name(english:"Microsoft Frontpage exploits",
              francais:"Exploits Microsoft Frontpage");

  # The description strings start with a newline; the literals are kept verbatim.
  script_description(english:"
The remote web server appears to be running with
Frontpage extensions.
You should double check the configuration since
a lot of security problems have been found with
FrontPage when the configuration file is
not well set up.
Risk factor : High if your configuration file is
not well set up",
                     francais:"
Le serveur web distant semble tourner avec
des extensions Frontpage.
Vous devriez v�rifier votre configuration puisque
de nombreux probl�mes de s�curit� sont li�s a la mauvaise
configuration de ces extensions.
Facteur de risque : Elev� si votre fichier de configuration
n'est pas bien fait");

  script_summary(english:"Checks for the presence of Microsoft Frontpage extensions",
                 francais:"V�rifie la pr�sence des extensions Frontpage");

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 1999 Renaud Deraison",
                   francais:"Ce script est Copyright (C) 1999 Renaud Deraison");
  script_family(english:"CGI abuses", francais:"Abus de CGI");

  # no404.nasl supplies the www/no404/<port> marker used by the second probe;
  # http_version.nasl is still listed although the www/iis key is no longer required.
  script_dependencie("find_service.nes", "no404.nasl", "http_version.nasl");
  script_require_ports("Services/www", 80);

  # Deliberately not gated on the www/iis key: servers behind URLScan/Entercept-style
  # filters often answer with a 500 and no Server banner, so the key is never set
  # and the check would be skipped (false negatives).  The probes below are plain
  # HTTP POSTs, so running them against any web server is acceptable.
  # script_require_keys("www/iis");

  exit(0);
}
#
# The script code starts here
#
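port = get_kb_item("Services/www");
if (!port) port = 80;

#
# Probe 1: a FrontPage RPC "open service" POST to shtml.dll/_vti_rpc.
# A FrontPage-enabled server replies with an x-vermeer-rpc content type and
# echoes the "method=" line, which may disclose details about the anonymous
# user; that fragment is reported so the administrator can review it.
#
# The body is built first so that Content-Length is computed from it instead
# of being hard-coded (the original declared 58 for a body whose actual length
# differs, which can make servers wait for or truncate the request).
# string() is used because it interprets the \r\n escapes.
#
body = string("method=open+service%3a3%2e0%2e2%2e1105&service%5fname=%2f\r\n");

req = string("POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.0\r\n",
             "Connection: Keep-Alive\r\n",
             "Date: Mon, 23 Mar 2003 00:00:15 GMT\r\n",
             "Accept: */*\r\n",
             "Host: ", get_host_ip(), "\r\n",
             "User-Agent: MSFrontPage/4.0\r\n",
             "Content-Length: ", strlen(body), "\r\n",
             "Content-Type: application/x-www-form-urlencoded\r\n",
             "MIME-Version: 1.0\r\n",
             "X-Vermeer-Content-Type: application/x-www-form-urlencoded\r\n",
             "\r\n",
             body);

soc = open_sock_tcp(port);
if (soc)
{
  send(socket:soc, data:req);
  # 4096 matches the read size of the second probe; a 1 KB read may cut the
  # echoed method line short if the reply carries a preamble (NOTE(review):
  # presumed, not verified against a live server).
  r = recv(socket:soc, length:4096);
  close(soc);

  # Case-insensitive substring match on the content type.  The original regex
  # ".*x-vermeer-rpc*" only required "x-vermeer-rp" followed by any number of
  # "c", and was case-sensitive.
  if (r && ("x-vermeer-rpc" >< tolower(r)))
  {
    startofmsg = strstr(r, "method=");
    # strstr() returns NULL when the marker is absent; fall back to the whole
    # reply instead of reporting an empty fragment.  The original's "+ 1" on the
    # strstr() result is dropped: it did not select a meaningful offset
    # (NOTE(review): presumably a leftover, confirm with the original author).
    if (!startofmsg) startofmsg = r;

    myreport = string("The remote frontpage server may leak information on the anonymous user\r\n",
                      "By knowing the name of the anonymous user, more sophisticated attacks may be launched\r\n",
                      "Check the following data for any potential leaks:\r\n\r\n",
                      startofmsg, "\r\n\r\n");

    set_kb_item(name:"www/frontpage", value:TRUE);
    security_hole(port:port, data:myreport);
  }
}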
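#
# Probe 2: POST to well-known FrontPage extension binaries.  Any of them
# answering 200 marks the server as FrontPage-enabled (one warning per file).
#
file[0] = "/_vti_bin/_vti_adm/admin.dll";
file[1] = "/_vti_bin/_vti_aut/author.dll";
file[2] = "/_vti_bin/shtml.exe/_vti_rpc";

for (i = 0; file[i]; i = i + 1)
{
  # is_cgi_installed() returns the port the file was found on, or 0 when absent.
  # The original tracked the same condition through a redundant "flag" variable.
  port = is_cgi_installed(file[i]);
  if (port && get_port_state(port))
  {
    soc = open_sock_tcp(port);
    if (soc)
    {
      # Marker string recorded by no404.nasl for servers that answer 200 to
      # everything; NULL when no such marker exists for this port.
      no404 = get_kb_item(string("www/no404/", port));

      send(socket:soc, data:http_post(item:file[i], port:port));
      buf = tolower(recv_line(socket:soc, length:1024));
      content = recv(socket:soc, length:4096);
      close(soc);

      if (("http/1.1 200" >< buf) || ("http/1.0 200" >< buf))
      {
        # Compare both sides case-insensitively: the original lowercased only
        # the marker, so a differently-cased body slipped past the check.
        # A 200 that carries the no404 marker is not a real hit; stop here
        # rather than raise false positives (same exit as the original).
        if (no404 && (tolower(no404) >< tolower(content))) exit(0);

        security_warning(port);
        set_kb_item(name:"www/frontpage", value:TRUE);
      }
    }
  }
}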