Hello!
Thanks for the submission. But it seems your nasl script does not work
(it has syntax errors!). Have you tested the script?
I made a few fixes to your script, but I stopped because there
are a lot more errors. Here's the latest one:
openvas-nasl -X remote-ms00-06-kost.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
[17659]() Unknown escape sequence \/
[17659]() Unknown escape sequence \/
syntax error, unexpected '.', expecting ';'
Parse error at or near line 84
Please, test your script at least with "openvas-nasl -X"
Christian Eric EDJENGUELE wrote:
> Hi all here is the NVT for MS00-06, shortly I'll send the Filemaker, MDNS and
> EMC Legato information gathering modules. Note that the script_id is missing.
>
> # OpenVAS Vulnerability Test
> # $Id$
> # Description:
> # This program test for the following vulnerabilities:
> # Microsoft Index Server File Information and Path Disclosure Vulnerability
> (MS00-006)
> # Microsoft Index Server 'Malformed Hit-Highlighting' Directory Traversal
> Vulnerability (MS00-006)
> # Microsoft IIS 'idq.dll' Directory Traversal Vulnerability (MS00-006)
> # Microsoft Index Server ASP Source Code Disclosure Vulnerability (MS00-006)
> #
> # Author:
> # Christian Eric Edjenguele <[EMAIL PROTECTED]>
> #
> # This program is free software; you can redistribute it and/or modify
> # it under the terms of the GNU General Public License version 2 and later,
> # as published by the Free Software Foundation
> #
> # This program is distributed in the hope that it will be useful,
> # but WITHOUT ANY WARRANTY; without even the implied warranty of
> # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> # GNU General Public License for more details.
> #
> # You should have received a copy of the GNU General Public License
> # along with this program; if not, write to the Free Software
> # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
> #
>
>
> if(description)
> {
> script_id(00000);
> script_bugtraq_id(950);
> script_xref(name: "Microsoft", value: "MS00-006");
> script_cve_id("CVE-2000-0097");
> name["english"] = "Malformed Hit-Highlighting Argument Vulnerability ";
> script_name(english:name["english"]);
>
> desc["english"] = "
> The WebHits ISAPI filter in Microsoft Index Server allows remote attackers to
> read arbitrary files,
> aka the "Malformed Hit-Highlighting Argument" vulnerability.
>
> Solution :
> To Fix that, you must download the latest upodates from microsoft security
> website:
> http://www.microsoft.com/TechNet/security/bulletin/ms00-006.asp.
> Risk factor : Medium";
> script_description(english:desc["english"]);
>
> summary["english"] = "A vulnerability on Microsoft index server allows
> unauthorized predictable file location";
> script_summary(english:summary["english"]);
>
> script_category(ACT_GATHER_INFO);
>
> script_copyright(english:"This script is under GPL v2 +");
> family["english"] = "General";
> script_family(english:family["english"]);
> script_dependencie("find_service.nes");
> script_require_ports("Services/www", 80);
>
> exit(0);
> }
> #
> # The script code starts here
> #
> include("http_func.inc");
> port = get_http_port(default:80);
> # Asp files the plugin will test
> pages = make_array( 1, 'default.asp', 2, 'iisstart.asp', 3, 'localstart.asp')
> # open http connection to the remote host
> soc = http_open_soc(port);
> if (!soc) return(1);
> # Build the malicious request
> foreach asp_files (pages)
> {
>
> req = http_get( item:string( '\/null.htw?CiWebHitsFile=\/' + asp_file +
> '%20&CiRestriction=none&CiHiliteType=Full'));
> send(socket:soc, data: req);
>
> # Get back the response
> reply_code = recv_line(socket:soc, length:1204);
> if(reply_code)
> {
> reply_header = recv_headers2(socket:soc);
> reply_headers = strcat(reply_code, reply_header);
> reply_body = http_recv_body(socket:soc, headers: reply_headers);
> reply_bodylowerized = reply_body.lower();
> }
> # clode http connection
> http_close_socket(soc);
> # check the reply for vulnerability
> if('Microsoft-IIS' >< reply_headers && reply_code == 200 && string('<html>')
> >< reply_bodylowerized)
> security_hole(port);
> ===
> Christian Eric Edjenguele
> IT Security Software Developer & Researcher
> tel. +39 3408580513
> View my linkedin profile: http://www.linkedin.com/in/edjenguele
> My blog: http://www.edjenguele.blogspot.com
> ---
> Management, Developers, Security Professionals – can only result in one
> thing…… better security.
> http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference Sept
> 22nd-25th 2008
>
# OpenVAS Vulnerability Test
# $Id$
# Description:
# This program tests for the following vulnerabilities:
# Microsoft Index Server File Information and Path Disclosure Vulnerability (MS00-006)
# Microsoft Index Server 'Malformed Hit-Highlighting' Directory Traversal Vulnerability (MS00-006)
# Microsoft IIS 'idq.dll' Directory Traversal Vulnerability (MS00-006)
# Microsoft Index Server ASP Source Code Disclosure Vulnerability (MS00-006)
#
# Author:
# Christian Eric Edjenguele <[EMAIL PROTECTED]>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 and later,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Registration block: runs only when the scanner loads the plugin to collect
# its metadata (the `description` flag is set), then exits before any network
# code is reached.
if (description)
{
  # NOTE(review): 99993 looks like a temporary id (the submission said the
  # script_id was missing) - confirm an id has been allocated before commit.
  script_id(99993);

  # Cross references: Bugtraq id, Microsoft bulletin, CVE.
  script_bugtraq_id(950);
  script_xref(name: "Microsoft", value: "MS00-006");
  script_cve_id("CVE-2000-0097");

  script_name(english:"Malformed Hit-Highlighting Argument Vulnerability ");

  # Report text shown to the user; the embedded line breaks are part of the string.
  script_description(english:"
The WebHits ISAPI filter in Microsoft Index Server allows remote attackers to
read arbitrary files,
aka the 'Malformed Hit-Highlighting Argument' vulnerability.
Solution :
To Fix that, you must download the latest upodates from microsoft security
website:
http://www.microsoft.com/TechNet/security/bulletin/ms00-006.asp.
Risk factor : Medium");

  script_summary(english:"A vulnerability on Microsoft index server allows
unauthorized predictable file location");

  # Declared as an information-gathering check.
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is under GPL v2 +");

  # NOTE(review): "General" is a broad family for an HTTP check - confirm
  # whether a web-server family is the intended one.
  script_family(english:"General");

  # Needs service detection to have run and a web port to be known.
  script_dependencie("find_service.nes");
  script_require_ports("Services/www", 80);

  exit(0);
}
#
# The script code starts here
#
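include("http_func.inc");

# Detection logic: request each candidate ASP page through the WebHits
# (.htw) handler and report the port when the server answers the request
# instead of rejecting it.
#
# Fixes relative to the submitted version:
#  - `return(1)` at top level replaced by `exit(0)` (there is no enclosing function);
#  - the loop variable is now the one the request actually uses (`asp_file`);
#  - '\/' removed: it is reported as an unknown escape sequence, and "/" needs no escaping;
#  - `reply_body.lower()` replaced by tolower(): NASL has no method-call syntax
#    (this is the "unexpected '.'" parse error);
#  - the status line is matched as text instead of being compared to the number 200;
#  - the socket is opened and closed once per request instead of being closed
#    inside the loop and then reused;
#  - the foreach block is closed.
#
# NOTE(review): http_open_socket() and http_recv_headers2() are the helper
# names http_func.inc is expected to provide in place of http_open_soc() and
# recv_headers2() - confirm against the installed include file.

port = get_http_port(default:80);
if (!port || !get_port_state(port)) exit(0);

# ASP pages the plugin will test.
pages = make_list("default.asp", "iisstart.asp", "localstart.asp");

foreach asp_file (pages)
{
  # One connection per request, so a closed socket is never written to.
  soc = http_open_socket(port);
  if (!soc) exit(0);

  # Build the probe request. Double-quoted NASL strings are taken literally,
  # so no escaping is needed for the slashes.
  req = http_get(item:string("/null.htw?CiWebHitsFile=/", asp_file,
                             "%20&CiRestriction=none&CiHiliteType=Full"),
                 port:port);
  send(socket:soc, data:req);

  # Reset per-iteration state so a failed read cannot reuse the previous reply.
  reply_headers = "";
  reply_body_lc = "";
  status_ok = 0;

  # Read the status line first, then the remaining headers and the body.
  reply_code = recv_line(socket:soc, length:1204);
  if (reply_code)
  {
    reply_headers = strcat(reply_code, http_recv_headers2(socket:soc));
    reply_body = http_recv_body(socket:soc, headers:reply_headers);
    reply_body_lc = tolower(reply_body);
    # reply_code holds the whole status line (e.g. "HTTP/1.1 200 OK"), so it
    # must be pattern-matched rather than compared with an integer.
    status_ok = ereg(pattern:"^HTTP/1\.[01] 200", string:reply_code);
  }

  http_close_socket(soc);

  # NOTE(review): "IIS answered 200 with an HTML body" is a coarse signal - a
  # server that returns a custom error page with status 200 would also match.
  # Consider matching text specific to the hit-highlighting output to reduce
  # false positives.
  if (status_ok && "Microsoft-IIS" >< reply_headers && "<html>" >< reply_body_lc)
  {
    security_hole(port);
    # One finding per port is enough; stop probing further pages.
    exit(0);
  }
}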