Nmap Development mailing list archives

Re: [NSE] detector/exploit for CVE-2009-3733 (VMWare Path Traversal)


From: Richard Miles <richard.k.miles () googlemail com>
Date: Thu, 4 Mar 2010 20:10:54 -0600

Has it been added to the script db so it can be fetched with the update feature?

Also, this "--scrip vuln" fails here. I'm using nmap 5.

I also noticed that if I use the tag to check for all scripts some of
them are missed. For example, the VNC auth bypass and default
credentials are simply ignored or stop detecting vulnerable hosts. Is
it a well-known problem? I'm using it together with -sC.

Thanks

On Wed, Feb 17, 2010 at 3:56 PM, Richard Miles
<richard.k.miles () googlemail com> wrote:

On Mon, Feb 15, 2010 at 4:51 PM, David Fifield <david () bamsoftware com> wrote:
On Mon, Feb 15, 2010 at 03:13:21PM -0600, Ron wrote:
On Mon, 15 Feb 2010 12:47:12 -0800 Fyodor <fyodor () insecure org> wrote:
I agree that it is an important script, and it is a tough call, but
people who want a vuln assessment should really be doing "--script
vuln".  Given that the script does a specialized web request and that
the vast majority of web servers aren't vulnerable, I'd say we should
take it out of default.  If the request was just getting "/", I'd
argue for keeping it in since it is more likely to be in the cache (or
to be used from the cache by other scripts during execution).

One thing I thought about was that it could probably stay in default
if it was converted to only run if VMWare was detected by version
detection.  I imagine that the vulnerable servers have easily
recognizable Server headers?  But on the other hand, there is a risk
that the Server line might be stripped for some reason, so the script
would be faster and more stealthy, but not quite as reliable.

What if we made it run by default if the server is VMWare, but not otherwise?

I'm not sure if that's possible to do, but it's an interesting thought.

For now, I'll make it just safe + vuln.

I can see both advantages and disadvantages of keeping it separate, so
I don't really have a preference between those two options.

All right. I prefer keeping it separate, so unless somebody has a
strong objection I'd prefer to keep it separate.

All right, sounds good with "safe", "vuln" and keeping it separate.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
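The idea floated in the thread (keep the check in a script that only fires when version detection has already identified the HTTP server as VMware) maps onto an NSE portrule. The skeleton below is an added example, not code from the thread or from the Nmap project; the port list, the "vmware" substring match and the script metadata are assumptions, and the action deliberately performs no request against the target, it only reports why the rule matched.

```lua
-- Added example, not part of the mailing-list thread or of Nmap itself.
-- Shows an NSE portrule that only fires when version detection (-sV)
-- has labelled the HTTP service as VMware, so the script can stay
-- cheap and quiet on the majority of web servers that are not relevant.
local shortport = require "shortport"
local string = require "string"

description = [[
Skeleton for a version-gated script: runs only on ports whose service
was identified as VMware by version detection. Performs no check of
its own; the action just reports what the rule matched on.
]]

author = "example (hypothetical)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "vuln"}

-- Assumed port list for the example; adjust to the product in question.
local HTTP_PORTS = {80, 443}
local HTTP_SERVICES = {"http", "https"}

-- Version detection fills port.version.product / port.version.extrainfo
-- from probe responses such as the Server header. If that header is
-- stripped or rewritten, these fields stay empty and the rule returns
-- false: faster and quieter, but not as reliable as probing every host,
-- which is exactly the trade-off raised in the thread.
local function looks_like_vmware(port)
  local v = port.version or {}
  local text = string.lower((v.product or "") .. " " .. (v.extrainfo or ""))
  return string.find(text, "vmware", 1, true) ~= nil
end

portrule = function(host, port)
  local is_http = shortport.port_or_service(HTTP_PORTS, HTTP_SERVICES)
  return is_http(host, port) and looks_like_vmware(port)
end

action = function(host, port)
  -- The real vulnerability check would go here; this example only
  -- explains why the version-gated rule selected this port.
  return string.format(
    "Version detection reported %q on %d/%s; product-specific checks would run here.",
    port.version.product or "unknown", port.number, port.protocol)
end
```

Without -sV the version fields are never populated, so the rule never matches; that is the cost of gating on version detection rather than on the port alone, and it is why the thread lands on keeping the script in "safe" and "vuln" rather than "default".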
