SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Security)  >   Tenable Nessus
Vendors:   Deraison, Renaud et al
Nessus Scanner Input Validation Flaws in libnasl and libnessus May Let Local Scripts Execute Arbitrary Code
SecurityTracker Alert ID:  1006820
SecurityTracker URL:  http://securitytracker.com/id/1006820
CVE Reference:   CVE-2003-0372, CVE-2003-0373, CVE-2003-0374
Updated:  Jan 21 2004
Original Entry Date:  May 23 2003
Impact:   Execution of arbitrary code via local system, User access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2.0.5 and prior versions
Description:   A vulnerability was reported in the Nessus security scanner in libnasl. A local user's Nessus script may be able to execute arbitrary commands on the scanner host.

It is reported that a local user with a valid Nessus account and the ability to upload arbitrary Nessus plugins can upload a specially crafted script that can break out of the security sandbox and execute arbitrary commands on the operating system. The ability to upload arbitrary Nessus plugins is reportedly disabled by default ('plugins_upload' option should be set to 'no' in nessusd.conf).

According to the report, a malicious script can trigger this vulnerability by sending invalid parameters to the insstr() and ftp_log_in() functions and also to other nasl functions. Some similar flaws were reported in libnessus.

The vendor credits "Sir Mordred" <mordred@s-mail.com> with discovering some of these flaws.

In a separate message [see Message History], Sir Mordred provided additional details about the vulnerable functions.

In the insstr() function, a negative value for the fourth argument can trigger the flaw. A demonstration exploit transcript is provided:

$ cat t1.nasl
insstr("aaaaaaaaaaa", "bb", 3, 0xfffffffd);

$ nasl t1.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
[1384](t1.nasl) insstr: warning! 1st index 3 greater than 2nd index -3
Segmentation fault (core dumped)
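To make the insstr() case concrete, here is an added example (not libnasl's code) of an index-validating replacement helper. It assumes insstr() replaces the characters of the first string from index start through index end, inclusive, with the second string, and that the interpreter treats 0xfffffffd as -3, as the warning in the transcript above shows.

```c
/* Added example (not Nessus code): an insstr-style helper that validates
 * its indices before touching memory. Assumed semantics: replace the
 * characters of s1 from index start to index end (inclusive) with s2. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns a freshly allocated string, or NULL if the indices are invalid.
 * Indices are signed so that a value the interpreter reads as -3 is
 * rejected rather than used as an unsigned offset. */
char *safe_insstr(const char *s1, const char *s2, long start, long end)
{
    size_t len1 = strlen(s1), len2 = strlen(s2);

    /* Reject negative indices, start past end, and ranges beyond s1. */
    if (start < 0 || end < 0 || start > end || (size_t)end >= len1)
        return NULL;

    size_t head = (size_t)start;          /* bytes of s1 kept before the gap */
    size_t tail = len1 - (size_t)end - 1; /* bytes of s1 kept after the gap  */
    char *out = malloc(head + len2 + tail + 1);
    if (out == NULL)
        return NULL;

    memcpy(out, s1, head);
    memcpy(out + head, s2, len2);
    memcpy(out + head + len2, s1 + end + 1, tail);
    out[head + len2 + tail] = '\0';
    return out;
}

int main(void)
{
    /* Constructed inputs: a valid call, then the indices from t1.nasl,
     * with 0xfffffffd written as the -3 the interpreter reported. */
    char *ok = safe_insstr("aaaaaaaaaaa", "bb", 3, 5);
    printf("valid:   %s\n", ok ? ok : "(rejected)");
    free(ok);

    char *bad = safe_insstr("aaaaaaaaaaa", "bb", 3, -3);
    printf("t1.nasl: %s\n", bad ? bad : "(rejected)");
    free(bad);
    return 0;
}
```

With the checks in place the t1.nasl indices are rejected up front instead of reaching the copy loop.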

In the scanner_add_port() function, a buffer overflow can reportedly be triggered by a long 'proto' argument, as shown in the following demonstration exploit transcript:

$ cat t2.nasl
scanner_add_port(port : 80, proto : crap(data:'A', length:300));

$ nasl t2.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
Segmentation fault (core dumped)

Finally, a buffer overflow in the ftp_log_in() function can reportedly be triggered by long 'user' and 'pass' arguments, as illustrated below:

$ cat t3.nasl
ftp_log_in(socket : open_sock_tcp(21), pass : "11", user : crap(data:'A', length:8192));

$ nasl t3.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
Segmentation fault (core dumped)

Impact:   A local user with script upload privileges can execute arbitrary commands on the system. The commands will run with the privileges of the Nessus scanner (nessusd).
Solution:   The vendor has released a fixed version (2.0.6), available at:

http://www.nessus.org/nessus_2_0.html
http://ftp.nessus.org/nessus/nessus-2.0.6/
ftp://ftp.nessus.org/pub/nessus/nessus-2.0.6/

Vendor URL:  www.nessus.org/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Additional Details Are Provided) Re: Nessus Scanner Input Validation Flaws in libnasl and libnessus May Let Local Scripts Execute Arbitrary Code
This alert contains Sir Mordred's advisory [in the Source Message] that provides additional details.



Source Message Contents

Subject:  Potential security vulnerability in Nessus



See below,

/jonas

---------- Forwarded message ----------
Date: Thu, 22 May 2003 17:16:05 -0400
From: Renaud Deraison <deraison@nessus.org>
To: nessus-announce@list.nessus.org
Subject: Nessus 2.0.6 has been released


Nessus 2.0.6 has been released. It fixes a potential security vulnerability in
libnasl as well as some other buglets.

There are some flaws in libnasl which might let a script break out of its
sandboxed environment and execute arbitrary commands on the nessusd host.
To exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins in the Nessus
server (this option is disabled by default).

Note that these issues can NOT be exploited by a tested host to crash nessusd
remotely.

. Solution

Upgrade to Nessus 2.0.6 available at :
	http://ftp.nessus.org/nessus/nessus-2.0.6/
	ftp://ftp.nessus.org/pub/nessus/nessus-2.0.6/

. Workaround

Make sure the option 'plugins_upload' is set to 'no' in nessusd.conf

. Thanks

"Sir Mordred" <mordred@s-mail.com> discovered some ways to crash NASL scripts
by sending bad parameters to insstr(), ftp_log_in(), and other functions.
Upon investigation, we fixed similar issues in other nasl functions as well
as in libnessus.


-- 
Renaud Deraison
The Nessus Project
http://www.nessus.org

Copyright 2019, SecurityGlobal.net LLC