(moved to openvas-plugins) On Monday 05 October 2009 20:59:07 Thomas Reinke wrote: > > trunk/openvas-plugins/scripts/ms_smb2_highid.nasl > > > > + script_category(ACT_GATHER_INFO); > > > > +data = > > raw_string(0x00,0x00,0x00,0x90,0xff,0x53,0x4d,0x42,0x72,0x00,0x00,0x00,0x > >00,0x18,0x53,0xc8, + > > 0x00,0x26,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff,0xf > >f,0xfe, + > > 0x00,0x00,0x00,0x00,0x00,0x6d,0x00,0x02,0x50,0x43,0x20,0x4e,0x45,0x54,0x5 > >7,0x4f, + > > 0x52,0x4b,0x20,0x50,0x52,0x4f,0x47,0x52,0x41,0x4d,0x20,0x31,0x2e,0x30,0x0 > >0,0x02, + > > 0x4c,0x41,0x4e,0x4d,0x41,0x4e,0x31,0x2e,0x30,0x00,0x02,0x57,0x69,0x6e,0x6 > >4,0x6f, + > > 0x77,0x73,0x20,0x66,0x6f,0x72,0x20,0x57,0x6f,0x72,0x6b,0x67,0x72,0x6f,0x7 > >5,0x70, + > > 0x73,0x20,0x33,0x2e,0x31,0x61,0x00,0x02,0x4c,0x4d,0x31,0x2e,0x32,0x58,0x3 > >0,0x30, + > > 0x32,0x00,0x02,0x4c,0x41,0x4e,0x4d,0x41,0x4e,0x32,0x2e,0x31,0x00,0x02,0x4 > >e,0x54, + > > 0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x00,0x02,0x53,0x4d,0x42,0x20,0x3 > >2,0x2e, + 0x30,0x30,0x32,0x00); # Tested against 2008 > > Server. A vulnerable Server doing a reboot. I'm not happy with that, but > > a the moment i have no idea how to detect this vulnerability without > > exploiting it. + > > I suspect this script should be classified as ACT_DENIAL > rather than ACT_GATHER_INFO, given that it causes the > vulnerable server to reboot.
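Review bot: script_category(ACT_GATHER_INFO) at the top of the hunk contradicts the comment at the end of it, which says a vulnerable server reboots; a check with that effect should be declared ACT_DENIAL so that scan configurations treat it as disruptive rather than as passive information gathering. The raw_string() packet is also an undocumented byte blob: a short comment stating that it is an SMB negotiate request, listing the dialect strings it offers (the last one decodes to "SMB 2.002") and saying where the values came from would let the next maintainer audit or replace it.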
I agree. For the record, the /safe/ version of the check would be just to check for SMBv2 support and flag it as a possible issue. It's not perfect but AFAIK it is all that can be done at the moment. You might also be able to fix up the packet so that it uses values that are unlikely to trigger the crash but I haven't investigated that in any detail.

Tim
--
Tim Brown
<mailto:t...@openvas.org>
<http://www.openvas.org/>
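The safe check described in the reply above, as an added example (not OpenVAS code and not from this thread): a parser that decides, from the reply to an ordinary multi-protocol negotiate request, whether the server answered in SMB2 and should be flagged as a possible issue. The function name, the return tuple and the sample replies are assumptions constructed for illustration.

```python
import struct

SMB1_MAGIC = b"\xffSMB"   # SMB1 message signature
SMB2_MAGIC = b"\xfeSMB"   # SMB2 message signature


def classify_negotiate_response(frame: bytes):
    """Return (protocol, dialect, possible_issue) for a negotiate reply.

    frame is the raw TCP payload: a 4-byte session header (type byte plus
    24-bit big-endian length) followed by the SMB message itself.
    """
    if len(frame) < 8:
        return ("unknown", None, False)
    length = int.from_bytes(frame[1:4], "big")
    msg = frame[4:4 + length]
    if msg[:4] == SMB2_MAGIC:
        # The server answered in SMB2, so SMBv2 is enabled. DialectRevision
        # sits 4 bytes into the body that follows the 64-byte SMB2 header.
        dialect = struct.unpack_from("<H", msg, 68)[0] if len(msg) >= 70 else None
        return ("smb2", dialect, True)
    if msg[:4] == SMB1_MAGIC:
        # SMB1 reply: 32-byte header, WordCount (1 byte), then DialectIndex,
        # the position of the chosen entry in the request's dialect list.
        index = struct.unpack_from("<H", msg, 33)[0] if len(msg) >= 35 else None
        return ("smb1", index, False)
    return ("unknown", None, False)


def _frame(msg: bytes) -> bytes:
    """Prefix a message with the 4-byte session header."""
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


# Constructed sample replies (not captured traffic).
SAMPLE_SMB2 = _frame(SMB2_MAGIC + struct.pack("<H", 64) + bytes(58)
                     + struct.pack("<HHH", 65, 1, 0x0202) + bytes(59))
SAMPLE_SMB1 = _frame(SMB1_MAGIC + b"\x72" + bytes(27)
                     + struct.pack("<BH", 17, 5) + bytes(34))

if __name__ == "__main__":
    for name, sample in (("smb2", SAMPLE_SMB2), ("smb1", SAMPLE_SMB1)):
        print(name, classify_negotiate_response(sample))
```

A True third element means only that SMBv2 is enabled, which matches the "possible issue" wording in the reply; it does not confirm that the host is vulnerable.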