Nmap Development mailing list archives

RE: [NSE] Shodan exploits database library (and demo script)


From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Mon, 13 Dec 2010 09:46:21 -0000

I'm afraid I agree with Fyodor, version numbers have a lot of complexity,
mostly because big software vendors choose to concurrently support multiple
versions. Apache is one example (2.x covers two supported streams, plus
there's an alpha that will eventually become the 2.4 stream), Oracle would
be another (recently they seem to have two releases with the same major
version), as would PHP (again, typically running two streams with the same
major version).

If we start checking the major version (so we don't compare Apache 1.3
against 2.x) and sub-version (to avoid saying PHP 5.2.14 is newer than
5.3.1, or mixing Oracle 11G with 11GR2) followed by checking this special
number, then you're starting to lose the benefit of calculating this special
number.

How does it cope if someone uses alpha characters, such as the OpenSSL
versions? Would a-z be treated as 1-26? If so, what about alpha and beta
versions of other software that are denoted by A and B at the end, perhaps
followed by an RC release, then lose everything to become stable (e.g.
PHP 5.3.4RC2 is older than PHP 5.3.4). BIND also adds to the mix, with its
-P1 and -ESV-R3 style sub-versions:
http://www.isc.org/software/version-numbering

In general, this could be a good way to compare numbers (as I'm sure the
majority of software has only one latest version) if they use a simple
convention, but I'm concerned that we'll end up with some kind of long list
of exceptions to the rule to cover the more popular products.

http://en.wikipedia.org/wiki/Software_versioning

Rob
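As an added illustration of the two approaches argued over in this thread (not code from the thread, from Gutek's library or from Nmap/NSE, and written in Python rather than NSE Lua): the single-number scheme, where numeric component i is divided by a million to the power i, is placed next to a per-component comparison with a release-stream check. The suffix policy (alpha/beta/rc are pre-releases, a single trailing letter is a patch level) is an assumption chosen for the example, not something the thread settles.

```python
import re
from fractions import Fraction

# Constructed example: the single-number encoding described in the thread
# versus a per-component comparison that also checks the release stream.
PRERELEASE = {"alpha": 0, "beta": 1, "rc": 2}  # all rank below a final release
FINAL = 3

def encode_single_number(version):
    """Gutek's scheme as described: numeric component i is divided by
    a million to the power i; letters are ignored. Fraction keeps it exact."""
    parts = re.findall(r"\d+", version)
    return sum(Fraction(int(p), 10 ** (6 * i)) for i, p in enumerate(parts))

def parse_version(version):
    """Return (numeric components, release rank, patch letter, suffix number),
    a tuple that orders correctly under Python's tuple comparison, or None when
    the string does not fit the grammar (e.g. BIND's 9.6-ESV-R3), so a caller
    can refuse to guess. Policy (assumption for this example): alpha/beta/rc
    mark pre-releases, a single trailing letter is a patch level as in OpenSSL
    0.9.8o or BIND 9.7.2-P3. Products using a bare A/B for alpha/beta would
    need a per-product exception, which is exactly Rob's concern above."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)[-_.]?([a-z]*)(\d*)",
                     version.strip().lower())
    if not m:
        return None
    nums = tuple(int(p) for p in m.group(1).split("."))
    tag, num = m.group(2), int(m.group(3) or 0)
    if tag in PRERELEASE:
        return nums, PRERELEASE[tag], 0, num
    if len(tag) == 1:
        return nums, FINAL, ord(tag) - ord("a") + 1, num
    return nums, FINAL, 0, 0

def is_affected(target, ceiling, depth=1):
    """Does `target` fall under an advisory saying '<= ceiling'? Only versions
    sharing the first `depth` numeric components (the release stream) are
    compared at all; returns None when either string cannot be parsed."""
    t, c = parse_version(target), parse_version(ceiling)
    if t is None or c is None:
        return None
    return t[0][:depth] == c[0][:depth] and t <= c

if __name__ == "__main__":
    # Single number: RC2 becomes a fourth component, so the RC looks *newer*,
    # and a letter suffix disappears entirely.
    print(encode_single_number("5.3.4RC2") > encode_single_number("5.3.4"))  # True
    print(encode_single_number("0.9.8o") == encode_single_number("0.9.8"))   # True
    print(is_affected("1.3.42", "2.2.17"), is_affected("5.3.4RC2", "5.3.4"))  # False True
```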

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org]
On Behalf Of Gutek
Sent: 12 December 2010 21:47
To: nmap-dev () insecure org
Subject: Re: [NSE] Shodan exploits database library (and demo script)


On 12/12/2010 20:37, Fyodor wrote:
> you should divide by something like a million to the i power.

After meeting some x.y.154 this afternoon, this is exactly what it does
now :) For the moment I'll keep an algorithm which allows me to deal with a
unique number representing the versions, as it seems easier to me to
manipulate versions and ranges with as few comparison loops as
possible...as long as it's proved to be reliable. If not, I'll change to
your second suggestion.

Anyway, in the end it could use both (a unique number and a per-digit
approach): alone, a mathematical version comparison is not always pertinent.
For example, giving an exploit working on "Apache <= 2.x.y" as an output
when the script deals with a target showing "Apache 1.3.x" doesn't make
sense.
"This is not mission difficult, Mr. Hunt, it's mission impossible" :)

Thanks!

A.G.
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

