
List:       nessus-plugins-writers
Subject:    Re: Details on some CVE vulns. [was: Re: Internet Scanner vs Nessus based on CVE hits]
From:       "Pavel Kankovsky" <peak () argo ! troja ! mff ! cuni ! cz>
Date:       2002-08-30 13:34:55
Message-ID: 20020830152532.4092.0 () syntar ! troja ! mff ! cuni ! cz

On Tue, 27 Aug 2002, Renaud Deraison wrote:

> > > 1999-0299   3   ICAT ISS   
> 
> This one is a buffer overflow in the way lpd does a DNS resolution. I
> have no idea on how this could be tested for apart from saying that port
> 515 is open. If anyone has a suggestion, let me know.

You'd need your own "evil" DNS server. Similar to tests of HTTP
proxies needing an "evil" HTTP server--but somewhat more difficult
because it has to run on 53 and the reverse zone must be delegated to
that server.

> > > 1999-0493   2    ISS   QUALYS
> 
> Boring to test for. This flaw allows the execution of a command, without
> any argument. Besides "halt" or "reboot", I don't know how we can
> determine if it's successful or not (and yes, a patched version of this
> daemon replies exactly the same way).

Hmm...the execution of commands is a combination of 1999-0493 (RPC
forwarding bug in rpc.statd) and 1999-0210 (bug in automountd), right?
In order to test 1999-0493 it should be sufficient to verify rpc.statd is
willing to forward RPC requests to another RPC service.

--Pavel Kankovsky aka Peak
"Welcome to the Czech Republic. Bring your own lifeboats."
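
The "evil" DNS server Pavel describes for the lpd check, as an added example that is not part of the original post and not Nessus code: a minimal authoritative PTR responder written against the RFC 1035 wire format only. The delegated reverse zone (3.2.10.in-addr.arpa), the bind address and the hostname handed back are all hypothetical; the thread does not say which hostname triggers the lpd flaw, so the server simply returns whatever name the tester configures, and longest_name() produces the longest name the wire format permits. Queries outside the zone, or for anything other than PTR/IN, get REFUSED so the host does not act as an open resolver.

```python
"""Minimal authoritative DNS responder for one delegated reverse zone.

Added example, not from the mailing-list post.  Hypothetical: the zone
3.2.10.in-addr.arpa is delegated to this host; the PTR target is chosen
by the tester.  Standard library only (RFC 1035 wire format)."""
import socket
import struct

ZONE = "3.2.10.in-addr.arpa"   # hypothetical reverse zone delegated to us
QTYPE_PTR, QCLASS_IN, RCODE_REFUSED = 12, 1, 5


def encode_name(name):
    """Encode a dotted name as DNS labels, enforcing the 63/255 octet limits."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > 255:
        raise ValueError("name exceeds 255 octets")
    return out


def decode_name(msg, off):
    """Decode a name at msg[off:], following compression pointers; returns (name, next_off)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def longest_name():
    """Longest legal name: 3*(1+63) + (1+61) + root = 255 octets on the wire."""
    return ".".join(["a" * 63] * 3 + ["a" * 61])


def build_query(qname, qid=0x1234):
    """Standard PTR query with RD set; used to exercise the responder offline."""
    hdr = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)


def handle_query(pkt, ptr_target):
    """Answer a PTR/IN query inside ZONE with ptr_target; REFUSE everything else."""
    qid, flags, qd = struct.unpack("!HHH", pkt[:6])
    if qd != 1:
        return None
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    question = pkt[12:off + 4]
    in_zone = qname.lower() == ZONE or qname.lower().endswith("." + ZONE)
    if not (in_zone and qtype == QTYPE_PTR and qclass == QCLASS_IN):
        # QR=1, RD copied from the query, RCODE=REFUSED, no answer section
        hdr = struct.pack("!HHHHHH", qid, 0x8000 | (flags & 0x0100) | RCODE_REFUSED, 1, 0, 0, 0)
        return hdr + question
    rdata = encode_name(ptr_target)
    # QR=1, AA=1, RD copied; one question, one answer whose owner points at the question name
    hdr = struct.pack("!HHHHHH", qid, 0x8400 | (flags & 0x0100), 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_PTR, QCLASS_IN, 60, len(rdata)) + rdata
    return hdr + question + answer


def parse_response(resp):
    """Return (rcode, [PTR targets]) from a response produced by handle_query."""
    flags, qd, an = struct.unpack("!HHH", resp[2:8])
    off = 12
    for _ in range(qd):
        _, off = decode_name(resp, off)
        off += 4
    names = []
    for _ in range(an):
        _, off = decode_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == QTYPE_PTR:
            names.append(decode_name(resp, off)[0])
        off += rdlen
    return flags & 0x000F, names


def serve(ptr_target, bind=("0.0.0.0", 53)):
    """Run on UDP/53 (needs root and the reverse zone delegated here, as the post notes)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        pkt, peer = sock.recvfrom(512)
        try:
            resp = handle_query(pkt, ptr_target)
        except (ValueError, IndexError, struct.error):
            resp = None
        if resp:
            sock.sendto(resp, peer)


if __name__ == "__main__":
    serve(longest_name())
```

To use it the way the post suggests, the scanner host must be the delegated server for the reverse zone covering its own address; a connection from that address to port 515 then makes lpd resolve a PTR name this code controls, and the scanner watches whether lpd survives the answer.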
