Re: Top10 Blowing Chunks :>

["Albert R. Campa" <abcampa () gmail com>]

This may be some of what the check looks for.
https://community.qualys.com/thread/2242

I like how Nessus has open checks so you can see the source code.


On Mon, Sep 9, 2013 at 11:52 AM, Dave Aitel <dave () immunityinc com> wrote:

> IIRC the vulnerability did not affect Linux in practice as you needed to
> find a memcpy that was broken backwards or use the SEH (in the case of
> Windows) to handle the exception. I could be wrong though.
>
> Is it possible that the Qualys check sees Apache server lines that have
> no version and marks them as potentially vulnerable? This would explain
> the prevalence of the check triggering in this day and age as more
> people remove that information. It's also possible some WAF reacts
> strangely to the check, causing a false positive (or a True Positive,
> but against the WAF?)
>
> Something here is worth digging into, but I'm not sure what the results
> will be. Is it possible for Qualys to release some of the logic of the
> check?
>
> -dave
>
>
> On 9/4/2013 2:34 PM, Wolfgang Kandek wrote:
> > Here is a bit more background on the data and our collection methods.
> >
> > The Top 10 are collected every 3 months and include data for the
> > preceding 3 months. The aim is to give customers an idea on what is
> > prevalent at the moment.
> >
> > External means that the data comes from the scanners that Qualys runs
> > on the Internet and that are used by Qualys customers to scan their
> > Internet connected machines. Internal means that the data comes from
> > the Scanner Appliances that customers run themselves and use to scan
> > their internal networks.  Our customers are free to run authenticated
> > scans with the external scanners and free to scan their Internet
> > connected machines with the Scanner Appliances as well, but it is fair
> > to say that most customers will use authenticated scans only on
> > Scanner Appliances and will scan their Internet connected machines
> > with our external scanners. It is worth to mention that our PCI
> > service uses the external scanners for all audits.
> >
> > In November 2011 the "Apache Chunked encoding" vulnerability was
> > ranked #16 and did not make it into the Top 10 at the time. Since then
> > we have seen many of the of the Top 10 vulnerabilities drop in number,
> > so for example Win2000 obsolete has dropped fourfold, while Apache
> > Chunked encoding has actually gone up.
> >
> > The vulnerability was pretty widespread at the time and affected
> > Apache 1.3 and 2.0 on many operating systems, including Linux and many
> > embedded devices, so it is possible that one of our customers has
> > started scanning these type of ranges.
> >
> > The vulnerability is an active check (i.e. not banner based or software
> > version based), and the detection has not been modified for the last
> > couple of years. It affects the outcome of a PCI scan and we have had
> > no Support tickets regarding FPs, which is a pretty good measure as to
> > its accuracy.
> >
> > If Rapid7 or Tenable can share some of they are seeing it would be
> helpful.
> > -
> > Wolfgang
> >
> >
> > On Tue, Sep 3, 2013 at 1:42 PM, Dave Aitel <dave () immunityinc com> wrote:
> > > http://www.qualys.com/research/top10/
> > >
> > > So I recently found out about the Qualys Top 10 vulnerabilities list,
> > > which is a pretty cool resource really.  Any time a big company with a
> > > lot of data offers a view into it, it is a useful thing, even if just to
> > > understand the built-in filter on the data.
> > >
> > > They have both "internal" and "external" which I think could better be
> > > further broken down into "authenticated scans" and "unauthenticated
> > > scans". You'll see client-side attacks predominating the "internal"
> > > scans, which were obviously found by the kind of patch-and-file checking
> > > that authenticated scans allow.
> > >
> > > However, you'll also see very very strange things in the external scans.
> > > The most weird is that Apache Chunked is a top-10 in August 2013, but
> > > not in November of 2011. For it to be anywhere at all is strange,
> > > because it's a 10 year old vulnerability that only affected Windows and
> > > BSD-based Apache's in the first place (which are not the majority of
> > > Apache installs, to say the least).
> > >
> > > So what conclusions can you draw? Is it a false positive? Is it weirdly
> > > common? If it is a false positive, is this an issue with a particular
> > > check in Qualys or is this vulnerability very hard to correctly
> > > determine in the first place? Also, MS08-067 seems to me to be something
> > > that should no longer be in the top-10...Wolfgang said he's looking into
> > > it, so maybe we can get a response to the list at some point.
> > >
> > > It would be great if Tenable and Rapid7 and the other people in the VA
> > > world would release similar numbers.
> > >
> > > -dave
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Dailydave mailing list
> > > Dailydave () lists immunityinc com
> > > https://lists.immunityinc.com/mailman/listinfo/dailydave
>
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunityinc com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave