Nmap Development mailing list archives
Re: [NSE] Broadcast script to detect CVE-2011-1002 (Avahi NULL UDP DoS)
From: Djalal Harouni <tixxdz () opendz org>
Date: Tue, 3 May 2011 00:45:52 +0100
On 2011-04-27 19:45:20 -0700, David Fifield wrote:
> On Fri, Mar 11, 2011 at 10:18:32AM +0100, Djalal Harouni wrote:
> > On 2011-03-10 10:39:51 -0800, David Fifield wrote:
> > > On Wed, Mar 09, 2011 at 11:17:20AM +0100, Djalal Harouni wrote:
> > > > Hi,
> > > >
> > > > Since the Avahi NULL UDP DoS [1] has been patched and since everyone can test this vulnerability with every tool that sends UDP packets, I'm sharing an attached script that I wrote the other day to automatically discover hosts on the local network using the DNS Service Discovery protocol and test each host to see if it's vulnerable (you will DoS your hosts or network). The script uses the prerule.
> > > >
> > > > I thought this can help Nmap pen-testers. I've tested the script on some default Ubuntu machines and on an embedded device; yes, Avahi can run on some embedded devices.
> > > >
> > > > [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1002
> > >
> > > Does a normal Nmap UDP port scan also kill Avahi? I guess not, because UDP payloads are enabled by default and we have one for port 5353. What about with --data-length 0?
> >
> > Yes, adding the --data-length 0 option will cause the DoS.
>
> I think this script is good to add anyway. As you say, Avahi can run on some embedded devices that might not get fixed so soon, so it's good to be able to detect this. And this fits in well with your role as vulnerability/exploitation NSE developer this summer. Please commit it.
Ok this was committed as r23066, thanks.

--
tixxdz
http://opendz.org
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/