Nmap Development mailing list archives

Re: [NSE] Release of nmap nse vulscan 0.6


From: Henri Salo <henri () nerv fi>
Date: Sun, 15 May 2011 16:30:05 +0300

On Thu, Jun 03, 2010 at 09:21:58AM +0200, Marc Ruef wrote:
Hello,

As I have announced in my post to the nmap-dev mailing list in
mid-May, I wrote another nse script[1]. This script adds the
functionality of a basic (derivative) vulnerability scanner. The
first public release can be downloaded at my personal web site at:

   http://www.computec.ch/mruef/?s=software&l=x

You have to create a sub-folder "vulscan" in your scripts directory
of your nmap installation. Put the script and the txt files into
that folder. Afterwards, you are able to execute the script with the
following command:

   nmap -PN -sS -sV --script=vulscan -p80 www.scip.ch

It is a requirement to use the option -sV to enable version
detection. This data gathering is used to look up potential
vulnerabilities within the local database.

As database, an (improved) edition of the osvdb csv/txt export is
used. It is possible to update this database yourself by
downloading the current export at the project web site and
overriding the files in your vulscan folder. [2]

An example of an output is shown below. As you can see, the osvdb id
and the title of the vulnerability are shown for every port/service
that could be fingerprinted and matched within the database (in
this case Exim smtpd).

PORT   STATE SERVICE REASON  VERSION
25/tcp open  smtp    syn-ack Exim smtpd 4.69
| vulscan: [5330] Exim Configuration File Variable Overflow
| [5896] Exim sender_verify Function Remote Overflow
| [5897] Exim header_syntax Function Remote Overflow
| [5930] Exim Parenthesis File Name Filter Bypass
| [12726] Exim -be Command Line Option host_aton Function Local Overflow
| [12727] Exim SPA Authentication spa_base64_to_bits Function Remote Overflow
|_[12946] Exim -bh Command Line Option dns_build_reverse Function Local Overflow

The current implementation uses, if executed with no further
options, a full-text search of the title field in the
vulnerabilities table to determine affected products. The reason for
this simple approach, called title lookup, is that nmap and osvdb do
not share the same naming conventions for products and osvdb does
not provide full support of the linking between products and
vulnerabilities. This mode may cause some false-positives (e.g.
Apache httpd). [3, 4]

The script supports another mode called correlations lookup which
can be enabled with the following argument:

   nmap -PN -sS -sV --script=vulscan --script-args vulscancorrelation=1 -p80 www.scip.ch

In this case the determined product is looked up in the products
table of osvdb. Further links to the vulnerabilities are determined.
This causes far fewer false-positives. But such a correlation
lookup takes more time, and because of missing data there might be
some false-negatives. Additional details about the current
implementation are available at [5] (German only).

As you can see in the comments of the scripts, there are some todos.
For example, I would like to add support for other data bases as
well (e.g. SecurityFocus, CVE and Secunia). And the correlation mode
might also support taking the version of an installation into
account (because there are some further differences between
nmap/osvdb this will be another challenge). I am going to publish
new releases of the script at my web site and announce them at my
twitter feed[6].

I would like to thank a number of people who supported me in
developing this script: Stefan Friedli, Simon Zumstein, David
Fifield and Doggy Dog. If there are any suggestions, feature
requests or bug reports, please let me know.

Regards,

Marc

[1] http://seclists.org/nmap-dev/2010/q2/527
[2] http://osvdb.org/database_info
[3] http://seclists.org/nmap-dev/2010/q2/547
[4] http://seclists.org/nmap-dev/2010/q2/564
[5] http://www.scip.ch/?labs.20100603
[6] http://twitter.com/mruef/

-- 
Marc Ruef | marc.ruef () computec ch | http://www.computec.ch/mruef/

I get massive amounts of false-positives with this script. For example, I am using a patched, up-to-date version of Debian stable OpenSSH: OpenSSH 5.1p1 Debian 5 (protocol 2.0)

Results I get with vulscancorrelation=1:

22/tcp   open  ssh        OpenSSH 5.1p1 Debian 5 (protocol 2.0)
| vulscan: [781] OpenSSH Kerberos TGT/AFS Token Passing Remote Overflow
| [1853] OpenSSH Symbolic Link 'cookies' File Removal
| [2112] OpenSSH Reverse DNS Lookup Bypass
| [2557] OpenSSH Multiple Buffer Management Multiple Overflows
| [3938] OpenSSL and OpenSSH /dev/random Check Failure
| [4536] OpenSSH Portable AIX linker Privilege Escalation
| [5408] OpenSSH echo simulation Information Disclosure
| [5536] OpenSSH sftp-server Restricted Keypair Restriction Bypass
| [6071] OpenSSH SSHv1 PAM Challenge-Response Authentication Privilege Escalation
| [6245] OpenSSH SKEY/BSD_AUTH Challenge-Response Remote Overflow
| [6248] Multiple SSH Client ssh-agent Forwarding Information Disclosure
| [6601] OpenSSH *realloc() Unspecified Memory Errors
| [16567] OpenSSH Privilege Separation LoginGraceTime DoS
| [29266] OpenSSH GSSAPI Authentication Abort Username Enumeration
| [29152] OpenSSH Identical Block Packet DoS
| [32721] OpenSSH Username Password Complexity Account Enumeration
| [22692] OpenSSH scp Command Line Filename Processing Command Injection
| [9562] OpenSSH Default Configuration Anon SSH Service Port Bounce Weakness
| [3456] OpenSSH buffer_append_space() Heap Corruption
| [29264] OpenSSH Signal Handler Pre-authentication Race Condition Code Execution
| [34600] OpenSSH S/KEY Authentication Account Enumeration
| [730] OpenSSH Channel Code Off by One Remote Privilege Escalation
| [2140] OpenSSH w/ PAM Username Validity Timing Attack
| [2114] Multiple SSH Client X11 Forwarding Information Disclosure
| [795] Multiple Vendor SSH CRC-32 detect_attack() Function Overflow
| [2109] OpenSSH sshd Root Login Timing Side-Channel Weakness
| [504] OpenSSH SSHv2 Public Key Authentication Bypass
| [839] OpenSSH PAMAuthenticationViaKbdInt Challenge-Response Remote Overflow
| [642] OpenSSH Multiple Key Type ACL Bypass
| [341] OpenSSH UseLogin Local Privilege Escalation
| [688] OpenSSH UseLogin Environment Variable Local Command Execution
| [6072] OpenSSH PAM Conversation Function Stack Modification
| [5113] OpenSSH YP Netgroups Authentication Bypass
| [53021] OpenSSH on ftp.openbsd.org Trojaned Distribution
| [9550] OpenSSH scp Traversal Arbitrary File Overwrite
| [69658] OpenSSH J-PAKE Public Parameter Validation Shared Secret Authentication Bypass
|_[70873] OpenSSH Legacy Certificates Stack Memory Disclosure

What is the correct way not to get false-positives, as otherwise this script does not help at all? :)

Best regards,
Henri Salo
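To make the two lookup modes discussed in this thread concrete, here is an added, stand-alone Python model of title lookup versus correlation lookup over a small constructed OSVDB-style export. It is not the vulscan NSE script itself (which is written in Lua) and uses no real export data; the version check is an illustration of the todo the original post mentions, using a first-token comparison as an assumed workaround for the nmap/osvdb version-string differences.

```python
import csv
import io

# Constructed OSVDB-style export fragments (ids/titles borrowed from the
# thread, product rows and links made up for illustration). A real export
# has many more columns; only the ones the lookups need are modelled.
VULN_CSV = """id,title
730,OpenSSH Channel Code Off by One Remote Privilege Escalation
70873,OpenSSH Legacy Certificates Stack Memory Disclosure
3938,OpenSSL and OpenSSH /dev/random Check Failure
"""
PRODUCT_CSV = """product_id,name,version
1,OpenSSH,2.3.0
2,OpenSSH,5.8p1
3,OpenSSL,0.9.6
"""
LINK_CSV = """vuln_id,product_id
730,1
70873,2
3938,3
"""


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


VULNS, PRODUCTS, LINKS = load(VULN_CSV), load(PRODUCT_CSV), load(LINK_CSV)


def title_lookup(product):
    """Default mode: full-text search of the detected product name in the
    title field. Any title mentioning the name matches, whatever product the
    entry is actually linked to (here: the OpenSSL entry 3938)."""
    needle = product.lower()
    return sorted(int(v["id"]) for v in VULNS if needle in v["title"].lower())


def correlation_lookup(product, version=None):
    """Correlation mode: products table -> links -> vulnerabilities.
    With a version, keep only rows whose version equals the first token of
    nmap's version string (assumed heuristic: '5.1p1 Debian 5' -> '5.1p1').
    A version missing from the export therefore yields no hits at all."""
    wanted = version.split()[0] if version else None
    ids = {p["product_id"] for p in PRODUCTS
           if p["name"].lower() == product.lower()
           and (wanted is None or p["version"] == wanted)}
    return sorted(int(l["vuln_id"]) for l in LINKS if l["product_id"] in ids)
```

Title lookup returns the OpenSSL-linked entry as a false-positive, correlation lookup drops it, and the version-aware variant returns nothing for a version the export does not list, which is the false-negative risk the post warns about.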