List: nessus-plugins-writers
Subject: Re: Details on some CVE vulns. [was: Re: Internet Scanner vs Nessus based on CVE hits]
From: "Pavel Kankovsky" <peak () argo ! troja ! mff ! cuni ! cz>
Date: 2002-08-30 13:34:55
Message-ID: 20020830152532.4092.0 () syntar ! troja ! mff ! cuni ! cz
On Tue, 27 Aug 2002, Renaud Deraison wrote:
> > > 1999-0299 3 ICAT ISS
>
> This one is a buffer overflow in the way lpd does a DNS resolution. I
> have no idea on how this could be tested for apart from saying that port
> 515 is open. If anyone has a suggestion, let me know.
You'd need your own "evil" DNS server. Similar to tests of HTTP
proxies needing an "evil" HTTP server--but somewhat more difficult
because it has to run on 53 and the reverse zone must be delegated to
that server.
> > > 1999-0493 2 ISS QUALYS
>
> Boring to test for. This flaw allows the execution of a command, without
> any argument. Besides "halt" or "reboot", I don't know how we can
> determine if it's successful or not (and yes, a patched version of this
> daemon replies exactly the same way).
Hmm...the execution of commands is a combination of 1999-0493 (RPC
forwarding bug in rpc.statd) and 1999-0210 (bug in automountd), right?
In order to test 1999-0493 it should be sufficient to verify rpc.statd is
willing to forward RPC requests to another RPC service.
--Pavel Kankovsky aka Peak
"Welcome to the Czech Republic. Bring your own lifeboats."