📄 gnutls_cb-a08-0079.nasl
字号:
## This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>## This script is released under the GNU GPLv2## $Revision: 01 $if(description){ script_id(90026); script_version ("$Revision: 01 $"); script_cve_id("CVE-2008-1948"); name["english"] = "GnuTLS < 2.2.5 vulnerability"; script_name(english:name["english"]); desc["english"] = "The remote host is probably affected by the vulnerabilities described inCVE-2008-1948, CVE-2008-1949, CVE-2008-1950Impact CVE-2008-1948 The _gnutls_server_name_recv_params function in lib/ext_server_name.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 does not properly calculate the number of Server Names in a TLS 1.0 Client Hello message during extension handling, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a zero value for the length of Server Names, which leads to a buffer overflow in session resumption data in the pack_security_parameters function, aka GNUTLS-SA-2008-1-1. CVE-2008-1949 The _gnutls_recv_client_kx_message function in lib/gnutls_kx.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 continues to process Client Hello messages within a TLS message after one has already been processed, which allows remote attackers to cause a denial of service (NULL dereference and crash) via a TLS message containing multiple Client Hello messages, aka GNUTLS-SA-2008-1-2. CVE 2008-1950 Integer signedness error in the _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in libgnutls in GnuTLS before 2.2.4 allows remote attackers to cause a denial of service (buffer over-read and crash) via a certain integer value in the Random field in an encrypted Client Hello message within a TLS record with an invalid Record Length, which leads to an invalid cipher padding length, aka GNUTLS-SA-2008-1-3.References: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1948 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1949 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1950Solution: All GnuTLS users should upgrade to the latest version:Risk factor : High"; script_description(english:desc["english"]); summary["english"] = "Determines GnuTLS < 2.2.5 vulnerability"; script_summary(english:summary["english"]); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is under GPLv2"); family["english"] = "Local test"; script_family(english:family["english"]); script_dependencies("ssh_authorization.nasl"); exit(0);}## The code starts here#include("version_func.inc");local_var ver, sec_hole, sec_proto, grep, r, i, t, l;sec_hole = 0;sec_proto = "GnuTLS";ver = NULL;r = NULL; r = find_bin(prog_name:"libgnutls-config"); if( isnull(r) ) { r = find_bin(prog_name:"gnutls-cli"); } if( ! isnull(r) ) { r[0] = chomp(r[0]); ver = get_bin_version(full_prog_name:r[0], version_argv:"--version", ver_pattern:"([0-9\.]+)"); } r = NULL; if(isnull(ver) || version_is_less(version:ver[0], test_version:"2.2.5") ) { grep = find_bin(prog_name:"grep"); grep = chomp(grep[0]); l = find_file(file_path:"/usr/lib64/", file_name:"libgnutls.so.*.*"); i = 0; foreach t (l) { if( "libgnutls.so" >< t ) { r[i++] = t; } } l = find_file(file_path:"/usr/lib/", file_name:"libgnutls.so.*.*"); foreach t (l) { if( "libgnutls.so" >< t ) { r[i++] = t; } } garg[0] = "-o"; garg[1] = "-m1"; garg[2] = "-a"; garg[3] = string("Received zero size server name"); foreach binary_name (r) { binary_name = chomp(binary_name); if (islocalhost()) { garg[4] = binary_name; arg = garg; } else { arg = garg[0]+" "+garg[1]+" "+garg[2]+" "+raw_string(0x22)+garg[3]+raw_string(0x22)+" "+binary_name; } ver = get_bin_version(full_prog_name:grep, version_argv:arg, ver_pattern:"(Received zero size server name)"); if( isnull(ver) ) { if(sec_hole == 0) { security_hole(port:0, proto:sec_proto); sec_hole = 1; } security_hole(port:0, proto:sec_proto, data:string("\nFound : ") + binary_name + string("\n")); } } }exit(0);⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -