Nmap Development mailing list archives

Re: GSoC 2012 Project - Vulnerability and exploitation specialist


From: Aleksandar Nikolic <nikolic.alek () gmail com>
Date: Mon, 26 Mar 2012 17:53:39 +0200

here:

CVE-2012-0152 DoS (DoS marked from microsoft ?)
CVE-2012-0002 RCE

Then in this case you need two vulnerability entries (two tables):
First one marked as a DoS and the next one marked EXPLOIT. If you confirm
the first one then it's ok to add the second vulnerability table since
they are fixed by the same patch.

Two entries since perhaps there is someone there with an exploit for the
second one, and it is cleaner... As you have explained in the previous
mail, there are two vulnerabilities.


I'll look into that, thanks.


And if the script will panic Windows then you should add 'dos' category.


(I did not follow this RDP stuff so sorry for my dumb questions)

That said, if you have a test that will check/confirm the vulnerability
without the DoS then it will be better to start with it, perhaps a version
check or something else ?

After the patch does something change from the first received bytes before
the check ?

The sole purpose of this script is to test the server in a safe way and
avoid triggering the DoS.
It's already doing what you are suggesting. Just triggering the bug is
trivial.
The way this works follows:
1. send one user request
 - server replies with user id (let's call it A) and channel for that user
2. send another user request
 - server replies with another user id (let's call it B) and another channel
3. send channel join request with requesting user set to A and requesting
channel set to B
 - this is the actual bug, user A should not be able to get channel of user
B
 - if server replies with success message, we conclude that the server is
vulnerable
 - if we do not get the success message, the server is patched
4. in case the server is vulnerable, send a channel join request with
requesting user set to B and requesting channel set to B to prevent the
chance of BSoD
5. The end

This should be clear from the code, but I hope I've cleared things a bit
more.


Thank you,
Aleksandar Nikolic
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
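The five-step check described in the mail above, as an added example that is not code from the thread or from the Nmap project. The MCS server is a simulated object rather than a real RDP endpoint (no wire format is involved), and the user and channel ids it hands out are constructed; what the model shows is the decision logic and the cleanup join that avoids leaving the server in the DoS-prone state.

```python
# Added example: model of the MS12-020 check from the mail. The server is
# simulated (no RDP bytes); ids starting at 1001 are constructed values.
from dataclasses import dataclass, field
from itertools import count


@dataclass
class MockMcsServer:
    """Simulated T.125 MCS server tracking user ids and channel ownership."""
    patched: bool
    users: dict = field(default_factory=dict)   # user_id -> channel it owns
    joins: list = field(default_factory=list)   # (user, channel) pairs accepted
    _next_id: count = field(default_factory=lambda: count(1001))

    def attach_user(self):
        """Steps 1 and 2: a user request returns a user id and its own channel."""
        uid = next(self._next_id)
        chan = uid                 # model choice: channel id equals user id
        self.users[uid] = chan
        return uid, chan

    def channel_join(self, user, channel):
        """Channel join request. Unpatched: any known user may join any
        existing channel (the bug). Patched: only the channel's owner may."""
        if user not in self.users or channel not in self.users.values():
            return False
        if self.patched and self.users[user] != channel:
            return False
        self.joins.append((user, channel))
        return True


def check_ms12_020(server):
    """Run the five steps from the mail; return 'VULNERABLE' or 'PATCHED'."""
    user_a, _chan_a = server.attach_user()        # step 1: user A
    user_b, chan_b = server.attach_user()         # step 2: user B
    if server.channel_join(user_a, chan_b):       # step 3: A asks for B's channel
        # step 4: join B to its own channel so the server is not left in
        # the state that can lead to a BSoD
        server.channel_join(user_b, chan_b)
        return "VULNERABLE"
    return "PATCHED"                              # step 5: the end


if __name__ == "__main__":
    print("unpatched:", check_ms12_020(MockMcsServer(patched=False)))
    print("patched:  ", check_ms12_020(MockMcsServer(patched=True)))
```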