Nmap Development mailing list archives

Re: Apache killer (was: [NSE] New script and email update patch)


From: Henri Doreau <henri.doreau () greenbone net>
Date: Mon, 29 Aug 2011 13:00:44 +0200

2011/8/29 Duarte Silva <duarte.silva () serializing me>:
> Good morning,
>
> new version implementing Henri Doreau suggestions in the attachments.
>
> Regards,
> Duarte Silva

Hi,

thanks for having implemented them. I still have many false positives
when testing it though. I should have been more explicit when
explaining the detection method.

The two steps don't actually do the same thing, and you can't assume that
the target is vulnerable as soon as you get a reply with code 206.
Step one is used to detect whether the target supports these "range
requests". Getting a code 206 reply on the first ("bytes=100") request
doesn't mean that the target is vulnerable.
The second one actually tests for the presence of the vulnerability, but
there's no need to launch it if the first step showed that the target
doesn't support this kind of range request.

The testing algorithm should then be something like:
"""
send_first_request()
if rep.code == 206 then
  send_second_request()
  if rep.code == 200 then
    target not vulnerable
  else if rep.code == 206 then
    target is vulnerable
  end
end
"""

I also wonder whether using target.name is the best choice. Maybe
trying (target.targetname or target.ip) would be better? In any case
there is this http-vuln-cve2011-3192.hostname available, which is
good.

Finally, the "final" variable in the action function should be declared as local.


Regards.

-- 
Henri
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
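The two-step detection logic Henri describes above, written out as an added Python example that is not part of the script under discussion nor of any Nmap code. The transport is injected so the check can run offline against constructed stand-in targets; the single-range probe value, the shape of the abusive multi-range header, the "more than five overlapping ranges" threshold of the simulated patched server, and the use of HEAD for the live transport are all assumptions made for this example.

```python
"""Two-step check for CVE-2011-3192 (Apache byte-range DoS).

Added example, not the NSE script's own code. Step one asks whether the
target honours Range requests at all; only then is the abusive header sent.
Any status other than 200/206 on step two is reported as inconclusive
rather than as a result, which is where false positives come from.
"""
import http.client
from typing import Callable

# A transport takes a Range header value and returns the HTTP status code.
Probe = Callable[[str], int]

# Assumption: one small, well-formed range is enough to detect Range support.
SUPPORT_PROBE = "bytes=0-100"


def build_overlapping_ranges(count: int = 20) -> str:
    """Assumed shape of the abusive header: many ranges that all overlap.

    A patched Apache ignores such a header and answers 200; a vulnerable one
    honours every range (206) and burns memory building the multipart reply.
    """
    return "bytes=" + ",".join(f"0-{i}" for i in range(1, count + 1))


def check_range_dos(send: Probe, ranges: int = 20) -> str:
    """Run both probes through `send` and classify the target."""
    first = send(SUPPORT_PROBE)
    if first != 206:
        # No point in sending the second request: the host does not do ranges.
        return "no range support"
    second = send(build_overlapping_ranges(ranges))
    if second == 200:
        return "not vulnerable"        # abusive header ignored, fix in place
    if second == 206:
        return "vulnerable"            # every overlapping range was honoured
    # 416, 403 from a WAF, 5xx ... : not enough evidence to report either way.
    return f"inconclusive ({second})"


def http_probe(host: str, path: str = "/", port: int = 80,
               timeout: float = 5.0) -> Probe:
    """Live transport (not exercised offline): HEAD keeps the probe cheap."""
    def send(range_value: str) -> int:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("HEAD", path,
                         headers={"Host": host, "Range": range_value,
                                  "Accept-Encoding": "identity"})
            return conn.getresponse().status
        finally:
            conn.close()
    return send


def simulated_target(supports_range: bool, patched: bool) -> Probe:
    """Constructed stand-in for an Apache host so the check runs offline.

    Assumption: the patched server falls back to 200 once a Range header
    carries more than five ranges; an unpatched one always answers 206.
    """
    def send(range_value: str) -> int:
        if not supports_range:
            return 200
        n_ranges = range_value.count(",") + 1
        if patched and n_ranges > 5:
            return 200
        return 206
    return send


if __name__ == "__main__":
    for label, target in (("no ranges", simulated_target(False, False)),
                          ("patched", simulated_target(True, True)),
                          ("unpatched", simulated_target(True, False))):
        print(f"{label:>10}: {check_range_dos(target)}")
```

To point it at a real host, pass `http_probe("host.example")` as the transport; the classification code stays the same, and anything that is not a clean 200/206 pair is surfaced as inconclusive instead of being reported as a finding.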