funsec mailing list archives

Another security product that opens systems to attack


From: "'Richard M. Smith'" <rms () computerbytesman com>
Date: Thu, 2 Aug 2007 11:31:54 -0400

http://www.heise-security.co.uk/news/93667


Flaw in Nessus under Windows puts pentesters at risk 


The maker of vulnerability scanner Nessus <http://www.nessus.org/index.php>
has released version 3.0.6.1 for Windows <http://www.nessus.org/news/>,
which fixes a bug which could have opened the penetration tester itself to
penetration. Two exploits for the application have been published on
Milw0rm. According to Tenable, under Windows the Nessus GUI (scan.dll)
registers an ActiveX control which includes the functions addsetConfig,
deleteReport and saveNessusRC, which can be controlled remotely. This can be
exploited to create or delete files on a PC and to pass commands to the
Windows shell and execute them. The latter requires just three lines of
JavaScript:



<script language="javascript">
obj.addsetConfig('shutdown -t 1000 -s -c "hello world ;]" && pause', '', '');
</script>

The attack does, however, require the user to visit a prepared web page. All
versions of Nessus 3.0.x for Windows are affected. Users are urgently
recommended to update to the new version.
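The practical exposure described above is that any web page a tester browses can script the three exported methods of the Nessus control. Until the 3.0.6.1 update is rolled out, a content-inspection rule on a web proxy or mail gateway can at least flag pages that call those methods. The following Python is an added example written for this archive page; it is not code from heise, Tenable or the Milw0rm advisories. The method names come from the article; the regular expressions, the `Finding` record, the `verdict` policy and both sample pages (including the file path in the second call) are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Methods the advisory says the Nessus 3.0.x Windows GUI control (scan.dll)
# exposes to script; any call to them from a web page is suspect.
SUSPECT_METHODS = ("addsetConfig", "deleteReport", "saveNessusRC")

# Matches "<something>.<method>(<first quoted argument>", across line breaks,
# so a call wrapped over two lines (as in the article) is still caught.
CALL_RE = re.compile(
    r"\.\s*(" + "|".join(SUSPECT_METHODS) + r")\s*\(\s*(['\"])(.*?)\2",
    re.DOTALL,
)

# Command separators; the published proof of concept chains "&& pause".
SHELL_META = re.compile(r"&&|\|\||[|&;`]")


@dataclass
class Finding:
    line_no: int           # line on which the call starts
    method: str            # which exported method is invoked
    first_arg: str         # the first string literal passed to it
    shell_metachars: bool  # True if that string looks like a chained command


def scan_html(text: str) -> List[Finding]:
    """Return every call to a suspect method found in a page's script."""
    findings = []
    for m in CALL_RE.finditer(text):
        method, _quote, arg = m.groups()
        line_no = text.count("\n", 0, m.start()) + 1
        findings.append(Finding(line_no, method, arg, bool(SHELL_META.search(arg))))
    return findings


def verdict(findings: List[Finding]) -> str:
    """Policy hook for a proxy or gateway: block anything that touches the control."""
    return "block" if findings else "allow"


# Constructed sample: a page carrying the advisory's three-line PoC, wrapped as
# in the article, plus a file-deletion call with a made-up path.
SAMPLE_PAGE = """<html><body>
<script language="javascript">
obj.addsetConfig('shutdown -t 1000 -s -c "hello world ;]" && pause', '',
'');
obj.deleteReport('C:\\\\constructed\\\\path\\\\report.nbe');
</script>
</body></html>"""

# Constructed benign page: mentions a method name in text but never calls it.
BENIGN_PAGE = """<html><body>
<p>Nessus 3.0.6.1 removes the addsetConfig exposure.</p>
<script>document.title = "patched";</script>
</body></html>"""


if __name__ == "__main__":
    for page in (SAMPLE_PAGE, BENIGN_PAGE):
        hits = scan_html(page)
        print(verdict(hits))
        for f in hits:
            print(f"  line {f.line_no}: {f.method}({f.first_arg!r}) "
                  f"shell_metachars={f.shell_metachars}")
```

The rule deliberately blocks on any call to the three methods rather than only on shell metacharacters: deleteReport needs no shell at all to do damage, and the metachar flag is only there to prioritise triage. It is a stopgap for inspection points that see the HTML in the clear; the real fix remains updating to 3.0.6.1.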

See also: 

*       Nessus Vulnerability Scanner 3.0.6 ActiveX 0day Remote Code Execution
Exploit <http://milw0rm.com/exploits/4237>, security advisory from Krystian
Kloskowski
*       Nessus Vulnerability Scanner 3.0.6 ActiveX deleteReport() 0day Remote
Delete File Exploit <http://milw0rm.com/exploits/4230>, security advisory
from Krystian Kloskowski
