Nmap Development mailing list archives

Re: GSoC 2012 Project - Vulnerability and exploitation specialist


From: Djalal Harouni <tixxdz () opendz org>
Date: Thu, 29 Mar 2012 12:44:58 +0100

On Wed, Mar 28, 2012 at 10:38:00PM -0700, David Fifield wrote:
> If the script finds a service that is not RDP, it marks it NOT_VULN. Is
> that the convention in other scripts? It seems like NOT_VULN should only
> be set if we are sure that it's not vulnerable.
> From the doc:
> "NOT_VULN: The program was confirmed to be not vulnerable."

I've attached a small patch; please check it, David (I don't have a test
machine).


Currently the behaviour of the vulns.lua library, IIRC, is:
If the state is not set correctly then entries will be ignored with a
debug message.

make_output() will always terminate with:
return stdnse.format_output(true, output)
or
return nil  -- no entries


> leave it unset in this case, because we really don't have positive
> confirmation that the vulnerability is not present. We have roughly the
> same level of knowledge as if the script had not been run.
What other scripts do (at least the ones I've written):

local ftp_opts = { vuln = vuln }  -- ... plus any other script options
local status, err = check_service(ftp_opts)
if not status then
  stdnse.print_debug(1, "%s: %s", SCRIPT_NAME, err)
  return nil
end

return report:make_output(ftp_opts.vuln)
-- end of script


check_service() will return false if it's not the correct service or if
there was a network error, otherwise it will always return true.


check_service() algo:

1) If it is not the correct service:
   check_service() will return false

   and later terminate the script with this:
   if not status then
      stdnse.print_debug(1, "%s: %s", SCRIPT_NAME, err)
      return nil
      -- terminate the script
   end


2) It's the right service:
   check_service() checks the version or any returned bytes, or goes to (3)

   vuln.state = vulns.STATE.NOT_VULN
   or
   vuln.state = vulns.STATE.LIKELY_VULN


   Now it depends on user choice and exploitability of vulnerability or ...


   check_service() will return true
   or
   continue and force the check and goto (3)


3) Do the final check (or force the final check) and confirm:

   vuln.state = vulns.STATE.NOT_VULN
   or
   vuln.state = vulns.STATE.VULN
   or
   vuln.state = vulns.STATE.EXPLOIT
   or
   vuln.state = vulns.STATE.DoS

   at this point check_service() will return true unless there was a
   network error ...



I think that this can be a good standard and it will save time, all my
scripts do the same (hope they are correct :) )

check ftp-vuln-cve2010-4221.nse ...


Thanks.

-- 
tixxdz
http://opendz.org

Attachment: rdp-vuln.patch

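As an added example (not the attached rdp-vuln.patch and not a script from the Nmap tree), a minimal NSE script that follows the check_service() convention laid out above; the port, the "PLACEHOLDER-SVC v<n>" banner format and the version threshold are assumptions:

```lua
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local vulns = require "vulns"

description = [[Skeleton of the check_service() state convention.]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}
-- Assumption: a placeholder service that greets with "PLACEHOLDER-SVC v<n>".
portrule = shortport.port_or_service(9999, "placeholder-svc")

-- Returns false only for a wrong service or a network error; otherwise
-- sets opts.vuln.state (steps 2 and 3 of the convention) and returns true.
local function check_service(host, port, opts)
  local sock = nmap.new_socket()
  sock:set_timeout(5000)
  local status, err = sock:connect(host, port)
  if not status then return false, "connect failed: " .. tostring(err) end
  local ok, banner = sock:receive_lines(1)
  sock:close()
  if not ok then return false, "no banner: " .. tostring(banner) end
  -- 1) Not the expected service: leave vuln.state unset, caller returns nil.
  if not banner:find("^PLACEHOLDER%-SVC") then
    return false, "not the expected service"
  end

  -- 2) Right service: the version gives a preliminary verdict
  --    (the "major >= 2 is fixed" threshold is a placeholder).
  local major = tonumber(banner:match("v(%d+)"))
  if major and major >= 2 then
    opts.vuln.state = vulns.STATE.NOT_VULN
  else
    opts.vuln.state = vulns.STATE.LIKELY_VULN
  end
  -- 3) A non-intrusive confirmation probe would refine this to VULN / NOT_VULN.
  return true
end

action = function(host, port)
  local opts = { vuln = { title = "Placeholder issue (example only)",
                          risk_factor = "Low" } }
  local report = vulns.Report:new(SCRIPT_NAME, host, port)
  local status, err = check_service(host, port, opts)
  if not status then
    stdnse.print_debug(1, "%s: %s", SCRIPT_NAME, err)
    return nil
  end
  return report:make_output(opts.vuln)
end
```

When check_service() returns false the state is never set, so vulns.lua drops the entry with a debug message rather than reporting a NOT_VULN it cannot justify.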
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
