funsec mailing list archives
Another security product that opens systems to attack
From: "'Richard M. Smith'" <rms () computerbytesman com>
Date: Thu, 2 Aug 2007 11:31:54 -0400
http://www.heise-security.co.uk/news/93667

Flaw in Nessus under Windows puts pentesters at risk

The maker of vulnerability scanner Nessus <http://www.nessus.org/index.php> has released version 3.0.6.1 for Windows <http://www.nessus.org/news/>, which fixes a bug which could have opened the penetration tester itself to penetration. Two exploits for the application have been published on Milw0rm.

According to Tenable, under Windows the Nessus GUI (scan.dll) registers an ActiveX control which includes the functions addsetConfig, deleteReport and saveNessusRC, which can be controlled remotely. This can be exploited to create or delete files on a PC and to pass commands to the Windows shell and execute them. The latter requires just three lines of JavaScript:

    <script language="javascript">
    obj.addsetConfig('shutdown -t 1000 -s -c "hello world ;]" && pause', '', '');
    </script>

The attack does, however, require the user to visit a prepared web page. All versions of Nessus 3.0.x for Windows are affected. Users are urgently recommended to update to the new version.

See also:

* Nessus Vulnerability Scanner 3.0.6 ActiveX 0day Remote Code Execution Exploit <http://milw0rm.com/exploits/4237>, security advisory from Krystian Kloskowski
* Nessus Vulnerability Scanner 3.0.6 ActiveX deleteReport() 0day Remote Delete File Exploit <http://milw0rm.com/exploits/4230>, security advisory from Krystian Kloskowski
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
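An added defensive check, written for this archive page and not taken from the post, from heise or from Tenable: a PowerShell script that finds any ActiveX control whose in-process server is scan.dll and reports whether it is marked safe for scripting or initialisation in Internet Explorer and whether a kill bit has been set for it. It assumes the control is registered under HKCR\CLSID with an InprocServer32 value like any other in-process COM server (the post only says that scan.dll registers a control); the "safe for scripting" and "safe for initialisation" category GUIDs and the 0x400 kill-bit flag are the standard Internet Explorer values.

```powershell
# Added example, not code from the original post or from Tenable.
# Assumption: the Nessus GUI control is registered under HKCR\CLSID\{...}\InprocServer32
# pointing at scan.dll, as in-process COM servers normally are.

$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # IE "safe for scripting" category
$SafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # IE "safe for initialization" category
$KillBit          = 0x400                                       # Compatibility Flags bit that blocks IE from loading the control

function Get-ScanDllControls {
    # Walk every registered CLSID and keep the ones whose server DLL is scan.dll.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $server = (Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($server -and $server -match '(?i)\\scan\.dll$') {
            $clsid  = $_.PSChildName
            $cats   = "$($_.PSPath)\Implemented Categories"
            $compat = Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                CLSID            = $clsid
                Server           = $server
                # File version of the DLL itself, reported for comparison with the fixed 3.0.6.1 release.
                FileVersion      = (Get-Item -LiteralPath $server -ErrorAction SilentlyContinue).VersionInfo.FileVersion
                # True when a web page in IE may call the control's methods (the condition the post describes).
                SafeForScripting = Test-Path "$cats\$SafeForScripting"
                SafeForInit      = Test-Path "$cats\$SafeForInit"
                # True when the kill bit already prevents IE from instantiating the control.
                KillBitSet       = [bool]($compat -and (($compat.'Compatibility Flags' -band $KillBit) -ne 0))
            }
        }
      }
}

Get-ScanDllControls | Format-Table -AutoSize
```

A control that shows SafeForScripting = True and KillBitSet = False is reachable from any web page the user opens in Internet Explorer, which is exactly the exposure the post describes; updating to the fixed release is the remedy the post recommends, and setting the kill bit (Compatibility Flags = 0x400 under the CLSID's ActiveX Compatibility key) is the usual stop-gap until the update is installed.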