<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.security.nmap.devel">
    <title>gmane.comp.security.nmap.devel</title>
    <link>http://blog.gmane.org/gmane.comp.security.nmap.devel</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.nmap.devel/21892"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.nmap.devel/21891"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.nmap.devel/21884"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.nmap.devel/21882"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.nmap.devel/21879"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.nmap.devel/21874"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.nmap.devel/21871"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.nmap.devel/21866"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.nmap.devel/21863"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.nmap.devel/21857"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.nmap.devel/21854"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.nmap.devel/21846"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.nmap.devel/21843"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.nmap.devel/21837"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.nmap.devel/21835"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.nmap.devel/21834"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.nmap.devel/21833"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.nmap.devel/21831"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.nmap.devel/21830"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.security.nmap.devel/21829"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.nmap.devel/21892">
    <title>New VA Modules: MSF: 2</title>
    <link>http://comments.gmane.org/gmane.comp.security.nmap.devel/21892</link>
    <description>&lt;pre&gt;This report describes any new scripts/modules/exploits added to Nmap,
OpenVAS, Metasploit, and Nessus since yesterday.

== Metasploit modules (2) ==

r15336 http://metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/linux/http/webid_converter.rb
WeBid converter.php Remote PHP Code Injection

r15337 http://metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/ftp/quickshare_traversal_write.rb
QuickShare File Share 1.2.1 Directory Traversal Vulnerability
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

&lt;/pre&gt;</description>
    <dc:creator>New VA Module Alert Service</dc:creator>
    <dc:date>2012-05-26T17:00:19</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.nmap.devel/21891">
    <title>nmap v6.00 - problems if a wlan interface is installed/activated</title>
    <link>http://comments.gmane.org/gmane.comp.security.nmap.devel/21891</link>
    <description>&lt;pre&gt;Hi all,


nmap v6.00 has problems if a wlan interface is installed/activated.
OS: GNU/Linux 3.0


My findings (nmap 5.51 vs nmap 6.00):

=======================================================================

(1) nmap 5.51 with deactivated wlan interface (--iflist):

Starting Nmap 5.51 ( http://nmap.org ) at 2012-05-24 12:59 CEST
************************INTERFACES************************
DEV   (SHORT) IP/MASK          TYPE        UP MTU   MAC
lo    (lo)    127.0.0.1/8      loopback    up 16436
lan-1 (lan-1) 10.100.0.10/24   ethernet    up 1500  00:30:18:4B:9E:CD
wan-1 (wan-1) 192.168.2.1/24   ethernet    up 1500  00:30:18:4B:9E:CC
ppp0  (ppp0)  xxx.xxx.xxx.xxx/32 point2point up 1492

**************************ROUTES**************************
DST/MASK         DEV   GATEWAY
217.0.118.108/32 ppp0
10.100.0.0/24    lan-1
192.168.2.0/24   wan-1
0.0.0.0/0        ppp0  xxx.xxx.xxx.xxx

=======================================================================

(2) nmap 6.00 with deactivated wlan interface (--iflist):

Starting Nmap 6.00 ( http://nmap.org ) at 2012-05-24 13:10 CEST
************************INTERFACES************************
DEV      (SHORT)    IP/MASK          TYPE        UP   MTU   MAC
lo       (lo)       127.0.0.1/8      loopback    up   16436
lan-1    (lan-1)    10.100.0.10/24   ethernet    up   1500 00:30:18:4B:9E:CD
wan-1    (wan-1)    192.168.2.1/24   ethernet    up   1500 00:30:18:4B:9E:CC
unused-1 (unused-1) (null)/0         ethernet    down 1500 00:30:18:4B:9E:CB
unused-2 (unused-2) (null)/0         ethernet    down 1500 00:30:18:4B:9E:CA
wlan-1   (wlan-1)   (null)/0         ethernet    down 1500 00:1D:0F:FE:BF:C4
ppp0     (ppp0)     91.57.179.165/32 point2point up   1492

ROUTES: NONE FOUND(!)

=======================================================================

(3) nmap 5.51 with activated wlan interface in master mode (--iflist):

Starting Nmap 5.51 ( http://nmap.org ) at 2012-05-24 13:06 CEST
************************INTERFACES************************
DEV    (SHORT)  IP/MASK          TYPE        UP MTU   MAC
lo     (lo)     127.0.0.1/8      loopback    up 16436
lan-1  (lan-1)  10.100.0.10/24   ethernet    up 1500  00:30:18:4B:9E:CD
wan-1  (wan-1)  192.168.2.1/24   ethernet    up 1500  00:30:18:4B:9E:CC
wlan-1 (wlan-1) 10.100.1.10/24   ethernet    up 1500  00:1D:0F:FE:BF:C4
ppp0   (ppp0)   xxx.xxx.xxx.xxx/32 point2point up 1492

**************************ROUTES**************************
DST/MASK         DEV    GATEWAY
217.0.118.108/32 ppp0
10.100.0.0/24    lan-1
10.100.1.0/24    wlan-1
192.168.2.0/24   wan-1
0.0.0.0/0        ppp0   xxx.xxx.xxx.xxx

=========================================================================

(4) nmap 6.00 with activated wlan interface in master mode (--iflist):

Starting Nmap 6.00 ( http://nmap.org ) at 2012-05-24 13:09 CEST
INTERFACES: NONE FOUND(!)
ROUTES: NONE FOUND(!)

=========================================================================


As you can see, nmap 5.51 works well in any case (1 and 3).
In the second case (2) nmap 6.00 finds no routes (but works).
In the last case (4) nmap 6.00 finds no routes and no interfaces.

Other people with totally different hardware seem to have exactly
the same problem: http://talk.maemo.org/archive/index.php/t-48673.html

I hope my findings will help you to solve the problem.
If you need further information, please let me know.


Cheers, Tom



&lt;/pre&gt;</description>
    <dc:creator>Tom Eichstaedt</dc:creator>
    <dc:date>2012-05-26T11:41:33</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.nmap.devel/21884">
    <title>rmiregistry default configuration vulnerability script</title>
    <link>http://comments.gmane.org/gmane.comp.security.nmap.devel/21884</link>
    <description>&lt;pre&gt;Hi All,

I've written a script to test rmiregistry servers for this default
configuration vulnerability which allows remote class loading and
therefore remote code execution.

There is a Metasploit exploit for this vulnerability.

To test it, you just need to run rmiregistry which comes with
any JRE installation (rmiregistry.exe on Windows, rmiregistry on Linux)
and then run the script against it.

I've attached the script and a small patch for rmi.lua library as I needed
one function to add raw data as arguments to writeMethodCall.
The script contains already serialized data, it was easier to do it
that way than implement the whole serialization in the library.
For additional info, see references in the script.

Please tell me if you have any comments and suggestions.


Thanks,
Aleksandar
&lt;/pre&gt;</description>
    <dc:creator>Aleksandar Nikolic</dc:creator>
    <dc:date>2012-05-25T18:48:07</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.nmap.devel/21882">
    <title>mysql-brute using brute library</title>
    <link>http://comments.gmane.org/gmane.comp.security.nmap.devel/21882</link>
    <description>&lt;pre&gt;Hi All,

I rewrote the mysql-brute script to use brute library.
I've committed it to trunk as per David's suggestion.

Here is the sample output with timing:

PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-brute:
|   Accounts
|     No valid accounts found
|   Statistics
|_    Performed 2290 guesses in 600 seconds, average tps: 4

Nmap done: 1 IP address (1 host up) scanned in 602.52 seconds

And here is the output of the old script:

PORT     STATE SERVICE
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 605.47 seconds

No noticeable increase in speed I'm afraid.
I've tested it against my own server without default passwords on purpose.

Any suggestions?

Thanks,
Aleksandar

&lt;/pre&gt;</description>
    <dc:creator>Aleksandar Nikolic</dc:creator>
    <dc:date>2012-05-25T18:33:15</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.nmap.devel/21879">
    <title>New VA Modules: OpenVAS: 28, MSF: 1, Nessus: 1</title>
    <link>http://comments.gmane.org/gmane.comp.security.nmap.devel/21879</link>
    <description>&lt;pre&gt;This report describes any new scripts/modules/exploits added to Nmap,
OpenVAS, Metasploit, and Nessus since yesterday.

== OpenVAS plugins (28) ==

r13497 841014 gb_ubuntu_USN_1449_1.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_ubuntu_USN_1449_1.nasl?root=openvas&amp;amp;view=markup
Ubuntu Update for feedparser USN-1449-1

r13497 secpod_google_sketchup_detect_macosx.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/secpod_google_sketchup_detect_macosx.nasl?root=openvas&amp;amp;view=markup
Google SketchUp Version Detection (Mac OS X)

r13497 802785 gb_adobe_flash_professional_jpg_obj_bof_vuln_macosx.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_adobe_flash_professional_jpg_obj_bof_vuln_macosx.nasl?root=openvas&amp;amp;view=markup
Adobe Flash Professional JPG Object Processing BOF Vulnerability (Mac OS
X)

r13497 802788 gb_adobe_illustrator_mult_unspecified_vuln_macosx.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_adobe_illustrator_mult_unspecified_vuln_macosx.nasl?root=openvas&amp;amp;view=markup
Adobe Illustrator Multiple Unspecified Vulnerabilities (Mac OS X)

r13497 gb_adobe_flash_professional_detect_macosx.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_adobe_flash_professional_detect_macosx.nasl?root=openvas&amp;amp;view=markup
Adobe Flash Professional Version Detection (Mac OS X)

r13497 gb_adobe_photoshop_detect_macosx.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_adobe_photoshop_detect_macosx.nasl?root=openvas&amp;amp;view=markup
Adobe Photoshop Version Detection (Mac OS X)

r13497 902835 secpod_tftpd32_req_format_string_vuln.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/secpod_tftpd32_req_format_string_vuln.nasl?root=openvas&amp;amp;view=markup
TFTPD32 Request Error Message Format String Vulnerability

r13497 903028 secpod_zebedee_redirection_port_dos_vuln.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/secpod_zebedee_redirection_port_dos_vuln.nasl?root=openvas&amp;amp;view=markup
Zebedee Allowed Redirection Port Denial of Service Vulnerability

r13497 902838 secpod_php_address_book_mult_xss_vuln.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/secpod_php_address_book_mult_xss_vuln.nasl?root=openvas&amp;amp;view=markup
PHP Address Book Multiple Cross Site Scripting Vulnerabilities

r13497 841015 gb_ubuntu_USN_1450_1.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_ubuntu_USN_1450_1.nasl?root=openvas&amp;amp;view=markup
Ubuntu Update for net-snmp USN-1450-1

r13497 802779 gb_adobe_shockwave_player_mult_code_exec_n_dos_vuln_win.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_adobe_shockwave_player_mult_code_exec_n_dos_vuln_win.nasl?root=openvas&amp;amp;view=markup
Adobe Shockwave Player Multiple Code Execution and DoS Vulnerabilities
(Windows)

r13497 902679 secpod_google_sketchup_skp_file_code_exec_vuln_win.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/secpod_google_sketchup_skp_file_code_exec_vuln_win.nasl?root=openvas&amp;amp;view=markup
Google SketchUp '.SKP' File Remote Code Execution Vulnerability
(Windows)

r13497 903029 secpod_apple_safari_mult_vuln_win_oct11.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/secpod_apple_safari_mult_vuln_win_oct11.nasl?root=openvas&amp;amp;view=markup
Apple Safari Multiple Vulnerabilities - Oct 2011 (Windows)

r13497 902837 secpod_php_apache_req_headers_bof_vuln.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/secpod_php_apache_req_headers_bof_vuln.nasl?root=openvas&amp;amp;view=markup
PHP 'apache_request_headers()' Function Buffer Overflow Vulnerability
(Windows)

r13497 802781 gb_adobe_flash_professional_jpg_obj_bof_vuln_win.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_adobe_flash_professional_jpg_obj_bof_vuln_win.nasl?root=openvas&amp;amp;view=markup
Adobe Flash Professional JPG Object Processing BOF Vulnerability
(Windows)

r13497 802790 gb_adobe_illustrator_mult_unspecified_vuln_win.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_adobe_illustrator_mult_unspecified_vuln_win.nasl?root=openvas&amp;amp;view=markup
Adobe Illustrator Multiple Unspecified Vulnerabilities (Windows)

r13497 gb_adobe_illustrator_detect_macosx.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_adobe_illustrator_detect_macosx.nasl?root=openvas&amp;amp;view=markup
Adobe Illustrator Version Detection (Mac OS X)

r13497 gb_adobe_flash_professional_detect_win.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_adobe_flash_professional_detect_win.nasl?root=openvas&amp;amp;view=markup
Adobe Flash Professional Detection (Windows)

r13497 902839 secpod_ms_frontpage_ext_device_name_dos_vuln.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/secpod_ms_frontpage_ext_device_name_dos_vuln.nasl?root=openvas&amp;amp;view=markup
Microsoft FrontPage Server Extensions MS-DOS Device Name DoS
Vulnerability

r13497 gb_adobe_illustrator_detect_win.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_adobe_illustrator_detect_win.nasl?root=openvas&amp;amp;view=markup
Adobe Illustrator Detection (Windows)

r13497 902914 secpod_ms_iis_get_request_dos_vuln.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/secpod_ms_iis_get_request_dos_vuln.nasl?root=openvas&amp;amp;view=markup
Microsoft IIS GET Request Denial of Service Vulnerability

r13497 903027 secpod_macosx_su12-003.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/secpod_macosx_su12-003.nasl?root=openvas&amp;amp;view=markup
Mac OS X 'Internet plug-ins' Unspecified Vulnerability (2012-003)

r13497 902836 secpod_php_typeinfo_code_exec_vuln.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/secpod_php_typeinfo_code_exec_vuln.nasl?root=openvas&amp;amp;view=markup
PHP 'com_print_typeinfo()' Remote Code Execution Vulnerability (Windows)

r13497 802786 gb_adobe_photoshop_bof_n_use_after_free_vuln_macosx.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_adobe_photoshop_bof_n_use_after_free_vuln_macosx.nasl?root=openvas&amp;amp;view=markup
Adobe Photoshop BOF and Use After Free Vulnerabilities (Mac OS X)

r13497 902681 secpod_google_sketchup_skp_file_code_exec_vuln_macosx.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/secpod_google_sketchup_skp_file_code_exec_vuln_macosx.nasl?root=openvas&amp;amp;view=markup
Google SketchUp '.SKP' File Remote Code Execution Vulnerability (Mac OS
X)

r13497 802782 gb_adobe_photoshop_bof_n_use_after_free_vuln_win.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_adobe_photoshop_bof_n_use_after_free_vuln_win.nasl?root=openvas&amp;amp;view=markup
Adobe Photoshop BOF and Use After Free Vulnerabilities (Windows)

r13497 802780 gb_adobe_shockwave_player_mult_code_exec_n_dos_vuln_macosx.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_adobe_shockwave_player_mult_code_exec_n_dos_vuln_macosx.nasl?root=openvas&amp;amp;view=markup
Adobe Shockwave Player Multiple Code Execution and DoS Vulnerabilities
(Mac OS X)

r13497 841013 gb_ubuntu_USN_1451_1.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_ubuntu_USN_1451_1.nasl?root=openvas&amp;amp;view=markup
Ubuntu Update for openssl USN-1451-1

== Metasploit modules (1) ==

r15335 http://metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/http/rabidhamster_r4_log.rb
RabidHamster R4 Log Entry sprintf() Buffer Overflow

== Nessus plugins (1) ==

59255 google_chrome_19_0_1084_52.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59255
Google Chrome &amp;lt; 19.0.1084.52 Multiple Vulnerabilities

&lt;/pre&gt;</description>
    <dc:creator>New VA Module Alert Service</dc:creator>
    <dc:date>2012-05-25T17:01:50</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.nmap.devel/21874">
    <title>Question: Nmap on Github</title>
    <link>http://comments.gmane.org/gmane.comp.security.nmap.devel/21874</link>
    <description>&lt;pre&gt;Hey list,

Does anyone know who is running the Nmap repo on Github? It's at
https://github.com/nmap/nmap and there is no name associated with it.
I would like to fork it for keeping track of my modifications and
submissions, but I'm not sure if I should trust it, since the owner
could conceivably modify the code any way they like.

Dan

&lt;/pre&gt;</description>
    <dc:creator>Daniel Miller</dc:creator>
    <dc:date>2012-05-25T01:41:39</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.nmap.devel/21871">
    <title>[patch] Modify prototype for PortList::nextPort and get_port</title>
    <link>http://comments.gmane.org/gmane.comp.security.nmap.devel/21871</link>
    <description>&lt;pre&gt;List,

I'm proposing a change with this patch that won't make any difference to 
users, but changes the way a couple functions are called to make them 
more straightforward for developers. Patch attached.

I ran into this while working on my XML-structured-output patch, which 
needed some TLC with regard to memory management. Previously, calling 
PortList::nextPort required passing a Port object by reference, which 
would be modified with simple assignment to return the next port. The 
downside I ran into was that this prevents modifying Port objects with 
any heap-allocated structures without implementing a copy constructor, 
and that would be a lot of overhead for most calls, which discard a 
large number of Ports until the one desired is found. Fortunately, this 
return value was not used in any of the existing calls, since the 
function also returns a pointer to the Port object. It seemed 
straightforward to just trim out the parameter, saving the hassle and a 
small amount of stack memory from not needing to declare a Port object 
(several of which were labelled with comments declaring it a "dummy" 
object).

Unfortunately, it wasn't that easy: In the case of a port in the 
"default state" (e.g. filtered because of no-response for TCP), there 
wasn't a real Port object to point to. The solution I came up with is to 
modify the PortList::default_port_state Port object for each call and 
return a pointer to it. This has a few caveats, which I put in a comment 
in the function. Here's that section of the patch:

In order to make sure no one modifies the default_port_state for a given 
PortList, I changed the prototype for nextPort to return a const Port *. 
This didn't cause any problems with any existing code in my tests and in 
my examination of the source. Finally, the get_ports function in 
nse_utility.cc had to be modified in the same ways (const return, drop 
the Port * parameter).

I realize it's a hard sell to change something that wasn't broken, but I 
thought that with the small memory improvement it was a useful enough 
change to separate it from the XML-structured-output patch.

Dan
&lt;/pre&gt;</description>
    <dc:creator>Daniel Miller</dc:creator>
    <dc:date>2012-05-24T21:03:36</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.nmap.devel/21866">
    <title>New VA Modules: MSF: 1, Nessus: 15</title>
    <link>http://comments.gmane.org/gmane.comp.security.nmap.devel/21866</link>
    <description>&lt;pre&gt;This report describes any new scripts/modules/exploits added to Nmap,
OpenVAS, Metasploit, and Nessus since yesterday.

== Metasploit modules (1) ==

r15327 http://metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/multi/http/apprain_upload_exec.rb
appRain CMF Arbitrary PHP File Upload Vulnerability

== Nessus plugins (15) ==

59254 ubuntu_USN-1450-1.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59254
USN-1450-1 : net-snmp vulnerability

59253 redhat-RHSA-2012-0688.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59253
RHSA-2012-0688: flash-plugin

59252 mandriva_MDVA-2012-044.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59252
MDVA-2012:044 : timezone

59251 debian_DSA-2479.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59251
Debian DSA-2479-1 : libxml2 - off-by-one

59250 debian_DSA-2478.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59250
Debian DSA-2478-1 : sudo - parsing error

59248 ofbiz_webslinger_xss.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59248
Apache OFBiz Webslinger Component XSS

59247 ofbiz_nested_script_rce.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59247
Apache OFBiz FlexibleStringExpander Remote Code Execution

59246 ofbiz_default_creds.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59246
Apache OFBiz Default Credentials

59245 ofbiz_detect.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59245
Apache OFBiz Detection

59244 phpmyadmin_pmasa_2011_2.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59244
phpMyAdmin 2.11.x / 3.3.x &amp;lt; 2.11.11.3 / 3.3.9.2 SQL Query Bookmarks
Arbitrary SQL Query Execution (PMASA-2011-02)

59243 coreftp_stack_overflow.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59243
Core FTP Filename Processing Boundary Error FTP List Command Response
Parsing Remote Overflow

59242 packetvideo_twonky_dir_traversal.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59242
PacketVideo TwonkyServer Directory Traversal

59241 packetvideo_twonky_detect.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59241
PacketVideo TwonkyServer Detection

59240 wireshark_1_6_8.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59240
Wireshark 1.6.x &amp;lt; 1.6.8 Multiple Denial of Service Vulnerabilities

59239 wireshark_1_4_13.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59239
Wireshark 1.4.x &amp;lt; 1.4.13 Multiple Denial of Service Vulnerabilities

&lt;/pre&gt;</description>
    <dc:creator>New VA Module Alert Service</dc:creator>
    <dc:date>2012-05-24T17:00:23</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.nmap.devel/21863">
    <title>Using Teredo to overcome lack of raw socket privileges</title>
    <link>http://comments.gmane.org/gmane.comp.security.nmap.devel/21863</link>
    <description>&lt;pre&gt;I did a grep through the nmap-6.00 and no such feature seems
to exist so far. And I tried to search the mailing-list
archives, and I found no indication that it has been
considered before, so I'd like to ask what people think of
this idea.

Usually in order to make use of all the features in nmap,
you need to have raw socket privileges. Without it, you are
limited in what you can do. But with IPv6 there is another
option, which I think is worth considering.

The Teredo protocol was originally designed to tunnel IPv6
through IPv4 NAT gateways. It does that by tunnelling all
IPv6 packets through UDP. However since using a UDP port
does not require raw socket privileges, nmap could take
advantage of it as well.

Running a Teredo client and nmap on the same host requires
privileges for both, but the privileges in that case are only
required for the communication between the Teredo client and
nmap running on the same machine. If a Teredo client was
built into nmap, the need for privileges would be reduced to
just being able to make use of a single UDPv4 port.

Obviously the feature does have certain limitations. You are
no longer on the same network segment as the target host, so
any features that require you to be on the same segment will
no longer work. However I guess most of those features would
have required administrator privileges to begin with.
Additionally you have a reduced MTU, and may also be
affected by the reliability of Teredo (or rather lack
thereof).

But in cases where you are already on a different network
segment from the target and don't have raw socket
privileges, I think such a feature would often be useful.

So my questions are: Did anybody already give it a try? And
would such a feature be welcome in the nmap mainline?

(It seems my previous attempt at posting this message got
lost due to me accidentally sending it from a different
address than the one I subscribed to the list with.)

&lt;/pre&gt;</description>
    <dc:creator>Kasper Dupont</dc:creator>
    <dc:date>2012-05-23T19:58:02</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.nmap.devel/21857">
    <title>New VA Modules: NSE: 2, MSF: 1, Nessus: 12</title>
    <link>http://comments.gmane.org/gmane.comp.security.nmap.devel/21857</link>
    <description>&lt;pre&gt;This report describes any new scripts/modules/exploits added to Nmap,
OpenVAS, Metasploit, and Nessus since yesterday.

== Nmap Scripting Engine scripts (2) ==

r28652 icap-info http://nmap.org/nsedoc/scripts/icap-info.html
https://svn.nmap.org/nmap/scripts/icap-info.nse
Tries a list of known ICAP service names and prints information about
the ones it detects. The Internet Content Adaptation Protocol (ICAP) is
used to extend transparent proxy server and is generally used for
content filtering and antivirus scanning.

r28655 distcc-cve2004-2687 http://nmap.org/nsedoc/scripts/distcc-cve2004-2687.html
https://svn.nmap.org/nmap/scripts/distcc-cve2004-2687.nse
Detects and exploits a remote code execution vulnerability in the
distributed compiler daemon distcc. The vulnerability was disclosed in
2002, but is still present in modern implementation due to poor
configuration of the service.

== Metasploit modules (1) ==

r15325 http://metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/fileformat/openoffice_ole.rb
OpenOffice OLE Importer DocumentSummaryInformation Stream Handling
Overflow

== Nessus plugins (12) ==

59238 ubuntu_USN-1449-1.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59238
USN-1449-1 : feedparser vulnerability

59237 suse_openssl-8112.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59237
SuSE 10 Security Update : openssl (ZYPP Patch Number 8112)

59236 solaris10_x86_148408.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59236
Solaris 10 (x86) : 148408-01

59235 solaris10_x86_148007.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59235
Solaris 10 (x86) : 148007-01

59234 solaris10_x86_141105.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59234
Solaris 10 (x86) : 141105-04

59233 centos_RHSA-2012-0683.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59233
CentOS : RHSA-2012-0683

59232 liferay_6_1_0_addUser.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59232
Liferay Portal 6.1.0 'addUser()' Security Bypass

59231 liferay_6_1_0.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59231
Liferay Portal 6.0.5 / 6.0.6 Arbitrary File Download

59230 liferay_6_0_6.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59230
Liferay Portal &amp;lt; 6.0.6 Multiple Vulnerabilities

59229 liferay_default_creds.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59229
Liferay Portal Default Credentials

59228 liferay_detect.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59228
Liferay Portal Detection

59227 cisco_asa_proxy_info_leak.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59227
Cisco ASA Cut Through Proxy Authentication Vulnerability

&lt;/pre&gt;</description>
    <dc:creator>New VA Module Alert Service</dc:creator>
    <dc:date>2012-05-23T17:00:23</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.nmap.devel/21854">
    <title>http-methods &amp; http-trace NSE Script Enhancement Ideas</title>
    <link>http://comments.gmane.org/gmane.comp.security.nmap.devel/21854</link>
    <description>&lt;pre&gt;
I was just looking through some online docs and some nmap results. I've
never seen a server that includes public or allow header(s) on a
redirect response [maybe my experience is limited?]. It seems to me that
the http-methods NSE should follow redirects (HTTP 301, 302, 303) in
order to perform the necessary OPTIONS request on a page/resource that's
providing an HTTP 200.

Perhaps similar to the http-trace script:
http://nmap.org/svn/scripts/http-trace.nse
Though even that only follows one 301 or 302 redirect.

Further, maybe both scripts should follow a configurable # of redirects
(default 2, 3, 4 and configurable further) looking for an HTTP 200 &amp;amp;
handle 301, 302, and 303 redirect codes.


Reference:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

I've emailed the devs of both scripts without any luck.



I'd be glad to provide the necessary changes, if someone can simply fill me in as to how they should be submitted.

       

&lt;/pre&gt;</description>
    <dc:creator>King Thorin</dc:creator>
    <dc:date>2012-05-23T12:17:03</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.nmap.devel/21846">
    <title>bug report: "Microsoft Visual C++ 2010 Redistributable failed to install"</title>
    <link>http://comments.gmane.org/gmane.comp.security.nmap.devel/21846</link>
    <description>&lt;pre&gt;Installed nmap 6.0 from nmap-6.00-setup on Lenovo T420S running Windows 7 
SP1 64-bit. Running from administrator-equivalent profile. Received the 
subject error message part way through the install, although the remainder 
of the process appeared to complete successfully. Zenmap opens and scan 
process runs. Just FYI - no urgency.

&lt;/pre&gt;</description>
    <dc:creator>SMiller&lt; at &gt;unimin.com</dc:creator>
    <dc:date>2012-05-22T18:54:20</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.nmap.devel/21843">
    <title>Italian translation</title>
    <link>http://comments.gmane.org/gmane.comp.security.nmap.devel/21843</link>
    <description>&lt;pre&gt;Hello, I would like to translate Zenmap into my language.
If it's OK, I'll start to localize it in Italian.
Regards.

&lt;/pre&gt;</description>
    <dc:creator>Francesco Tombolini</dc:creator>
    <dc:date>2012-05-22T19:43:16</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.nmap.devel/21837">
    <title>request for high-res zenmap icons</title>
    <link>http://comments.gmane.org/gmane.comp.security.nmap.devel/21837</link>
    <description>&lt;pre&gt;Hello,

The current Nmap tarball ships with a 48x48 PNG icon for zenmap, but on
modern desktop environments (especially on higher-DPI screens) this is
becoming inadequate.  Most newer desktop applications are shipping with PNG
icons ranging from 16px all the way up to 256px, and sometimes with an SVG
too.  Is there any way Nmap can start shipping larger icons to better fit
into a modern desktop environment?

Here's an example of what Zenmap's icons look like alongside other GUI
applications (in gnome-shell):  http://ompldr.org/vZHYwMg

Thanks,

Ben

&lt;/pre&gt;</description>
    <dc:creator>Ben Kohler</dc:creator>
    <dc:date>2012-05-22T17:57:22</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.nmap.devel/21835">
    <title>[NSE] Improving performance for ssl-enum-ciphers</title>
    <link>http://comments.gmane.org/gmane.comp.security.nmap.devel/21835</link>
    <description>&lt;pre&gt;Hi list,

I've experimented a little with ssl-enum-ciphers lately and just changed
the script to use worker threads instead of sequentially running all the
cipher checks.
As far as my quick tests show I'm seeing consistent results with the
non-threaded version but at 10 times the speed.
I'm attaching a patch for this change for anyone that would like to test
this new version and would appreciate some feedback.

Thanks,
Patrik
&lt;/pre&gt;</description>
    <dc:creator>Patrik Karlsson</dc:creator>
    <dc:date>2012-05-22T17:09:59</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.nmap.devel/21834">
    <title>New VA Modules: OpenVAS: 24, MSF: 3, Nessus: 19</title>
    <link>http://comments.gmane.org/gmane.comp.security.nmap.devel/21834</link>
    <description>&lt;pre&gt;This report describes any new scripts/modules/exploits added to Nmap,
OpenVAS, Metasploit, and Nessus since yesterday.

== OpenVAS plugins (24) ==

r13487 864247 gb_fedora_2012_7692_rubygem-actionmailer_fc15.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_fedora_2012_7692_rubygem-actionmailer_fc15.nasl?root=openvas&amp;amp;view=markup
Fedora Update for rubygem-actionmailer FEDORA-2012-7692

r13487 864241 gb_fedora_2012_7659_android-tools_fc15.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_fedora_2012_7659_android-tools_fc15.nasl?root=openvas&amp;amp;view=markup
Fedora Update for android-tools FEDORA-2012-7659

r13487 864242 gb_fedora_2012_7677_android-tools_fc16.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_fedora_2012_7677_android-tools_fc16.nasl?root=openvas&amp;amp;view=markup
Fedora Update for android-tools FEDORA-2012-7677

r13487 864243 gb_fedora_2012_7597_moodle_fc16.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_fedora_2012_7597_moodle_fc16.nasl?root=openvas&amp;amp;view=markup
Fedora Update for moodle FEDORA-2012-7597

r13487 864248 gb_fedora_2012_7535_rubygem-mail_fc16.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_fedora_2012_7535_rubygem-mail_fc16.nasl?root=openvas&amp;amp;view=markup
Fedora Update for rubygem-mail FEDORA-2012-7535

r13487 802630 gb_liferay_portal_mult_vuln.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_liferay_portal_mult_vuln.nasl?root=openvas&amp;amp;view=markup
Liferay Portal Multiple Vulnerabilities

r13487 802797 gb_apple_safari_webkit_mult_vuln_macosx_may12.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_apple_safari_webkit_mult_vuln_macosx_may12.nasl?root=openvas&amp;amp;view=markup
Apple Safari Webkit Multiple Vulnerabilities - May 12 (Mac OS X)

r13487 864245 gb_fedora_2012_7692_rubygem-mail_fc15.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_fedora_2012_7692_rubygem-mail_fc15.nasl?root=openvas&amp;amp;view=markup
Fedora Update for rubygem-mail FEDORA-2012-7692

r13487 870595 gb_RHSA-2012_0678-01_postgresql_and_postgresql84.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_RHSA-2012_0678-01_postgresql_and_postgresql84.nasl?root=openvas&amp;amp;view=markup
RedHat Update for postgresql and postgresql84 RHSA-2012:0678-01

r13487 802796 gb_apple_safari_webkit_mult_vuln_win_may12.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_apple_safari_webkit_mult_vuln_win_may12.nasl?root=openvas&amp;amp;view=markup
Apple Safari Webkit Multiple Vulnerabilities - May 12 (Windows)

r13487 864252 gb_fedora_2012_7802_perl-Config-IniFiles_fc15.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_fedora_2012_7802_perl-Config-IniFiles_fc15.nasl?root=openvas&amp;amp;view=markup
Fedora Update for perl-Config-IniFiles FEDORA-2012-7802

r13487 864246 gb_fedora_2012_8063_pidgin-otr_fc16.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_fedora_2012_8063_pidgin-otr_fc16.nasl?root=openvas&amp;amp;view=markup
Fedora Update for pidgin-otr FEDORA-2012-8063

r13487 864250 gb_fedora_2012_7683_apache-poi_fc16.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_fedora_2012_7683_apache-poi_fc16.nasl?root=openvas&amp;amp;view=markup
Fedora Update for apache-poi FEDORA-2012-7683

r13487 841009 gb_ubuntu_USN_1443_1.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_ubuntu_USN_1443_1.nasl?root=openvas&amp;amp;view=markup
Ubuntu Update for update-manager USN-1443-1

r13487 864249 gb_fedora_2012_7686_apache-poi_fc15.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_fedora_2012_7686_apache-poi_fc15.nasl?root=openvas&amp;amp;view=markup
Fedora Update for apache-poi FEDORA-2012-7686

r13487 864244 gb_fedora_2012_7777_perl-Config-IniFiles_fc16.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_fedora_2012_7777_perl-Config-IniFiles_fc16.nasl?root=openvas&amp;amp;view=markup
Fedora Update for perl-Config-IniFiles FEDORA-2012-7777

r13487 870594 gb_RHSA-2012_0677-01_postgresql.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_RHSA-2012_0677-01_postgresql.nasl?root=openvas&amp;amp;view=markup
RedHat Update for postgresql RHSA-2012:0677-01

r13487 802794 gb_macosx_su12-002.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_macosx_su12-002.nasl?root=openvas&amp;amp;view=markup
Mac OS X Multiple Vulnerabilities (2012-002)

r13487 841012 gb_ubuntu_USN_1444_1.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_ubuntu_USN_1444_1.nasl?root=openvas&amp;amp;view=markup
Ubuntu Update for backuppc USN-1444-1

r13487 841010 gb_ubuntu_USN_1445_1.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_ubuntu_USN_1445_1.nasl?root=openvas&amp;amp;view=markup
Ubuntu Update for linux USN-1445-1

r13487 864251 gb_fedora_2012_7535_rubygem-actionmailer_fc16.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_fedora_2012_7535_rubygem-actionmailer_fc16.nasl?root=openvas&amp;amp;view=markup
Fedora Update for rubygem-actionmailer FEDORA-2012-7535

r13487 841007 gb_ubuntu_USN_1447_1.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_ubuntu_USN_1447_1.nasl?root=openvas&amp;amp;view=markup
Ubuntu Update for libxml2 USN-1447-1

r13487 864240 gb_fedora_2012_7293_drupal6-og_fc16.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_fedora_2012_7293_drupal6-og_fc16.nasl?root=openvas&amp;amp;view=markup
Fedora Update for drupal6-og FEDORA-2012-7293

r13487 841011 gb_ubuntu_USN_1448_1.nasl
http://wald.intevation.org/scm/viewvc.php/trunk/openvas-plugins/scripts/gb_ubuntu_USN_1448_1.nasl?root=openvas&amp;amp;view=markup
Ubuntu Update for linux USN-1448-1

== Metasploit modules (3) ==

r15309 http://metasploit.com/redmine/projects/framework/repository/entry/modules/post/windows/manage/powershell/exec_powershell.rb
Windows Manage PowerShell Download and/or Execute

r15314 http://metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/license/flexnet_lmgrd_bof.rb
FlexNet License Server Manager lmgrd Buffer Overflow

r15317 http://metasploit.com/redmine/projects/framework/repository/entry/modules/post/osx/admin/say.rb
OSX Text to Speech

== Nessus plugins (19) ==

59226 ubuntu_USN-1448-1.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59226
USN-1448-1 : linux vulnerabilities

59225 ubuntu_USN-1447-1.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59225
USN-1447-1 : libxml2 vulnerability

59224 redhat-RHSA-2012-0683.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59224
RHSA-2012-0683: bind-dyndb-ldap

59223 redhat-RHSA-2012-0678.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59223
RHSA-2012-0678: postgresql84

59222 redhat-RHSA-2012-0677.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59222
RHSA-2012-0677: postgresql

59221 mandriva_MDVSA-2012-079.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59221
MDVSA-2012:079 : sudo

59220 freebsd_pkg_78c39232a34511e19d81d0df9acfd7e5.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59220
FreeBSD : sympa -- Multiple Security Bypass Vulnerabilities
(78c39232-a345-11e1-9d81-d0df9acfd7e5)

59219 fedora_2012-7802.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59219
Fedora 15 2012-7802

59218 fedora_2012-7777.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59218
Fedora 16 2012-7777

59217 fedora_2012-7597.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59217
Fedora 16 2012-7597

59216 debian_DSA-2477.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59216
Debian DSA-2477-1 : sympa - authorization bypass

59215 debian_DSA-2476.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59215
Debian DSA-2476-1 : pidgin-otr - format string vulnerability

59214 centos_RHSA-2012-0678.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59214
CentOS : RHSA-2012-0678

59213 centos_RHSA-2012-0677.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59213
CentOS : RHSA-2012-0677

59212 centos_RHSA-2012-0676.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59212
CentOS : RHSA-2012-0676

59211 phpmyadmin_pmasa_2011_17.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59211
phpMyAdmin simplexml_load_string() Function Information Disclosure
(PMASA-2011-17)

59210 symantec_web_gateway_upload_file_rce.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59210
Symantec Web Gateway upload_file() Remote Code Execution (SYM12-006)
(intrusive check)

59209 symantec_web_gateway_sym12-006.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59209
Symantec Web Gateway &amp;lt; 5.0.3 Multiple Vulnerabilities (SYM12-006)
(version check)

59208 symantec_web_gateway_ipchange_rce.nasl
http://nessus.org/plugins/index.php?view=single&amp;amp;id=59208
Symantec Web Gateway ipchange.php Shell Command Injection (SYM12-006)
(intrusive check)

&lt;/pre&gt;</description>
    <dc:creator>New VA Module Alert Service</dc:creator>
    <dc:date>2012-05-22T17:01:47</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.nmap.devel/21833">
    <title>[patch] Bug in httpspider.LinkExtractor</title>
    <link>http://comments.gmane.org/gmane.comp.security.nmap.devel/21833</link>
    <description>&lt;pre&gt;List,

Two bugs and a code structure improvement in this patch to the 
httpspider library, found while working with the http-chrono script.

First bug, the LinkExtractor portion of httpspider doesn't check for a 
negative maxdepth (indicating no limit), and rejects all links.

Second bug, the withinhost and withindomain matching functions would 
throw an error when presented with a URL without a host portion. 
Example: &amp;lt;a href="http://"&amp;gt;link&amp;lt;/a&amp;gt;. I threw in a test for parsed_u.host 
== nil, assuming that that would fail either of the checks.

Lastly, the attached patch moves the function definition for 
validate_link out of the innermost loop of the LinkExtractor.parse 
function. It had been declared as a closure over url, then called on the 
very next line. I chose to move it to a method of the LinkExtractor 
class, in case it should ever need to be overridden, but it could have 
just as easily been inlined.

Dan
&lt;/pre&gt;</description>
    <dc:creator>Daniel Miller</dc:creator>
    <dc:date>2012-05-22T16:03:47</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.nmap.devel/21831">
    <title>Nmap 6 Zenmap problem</title>
    <link>http://comments.gmane.org/gmane.comp.security.nmap.devel/21831</link>
    <description>&lt;pre&gt;
Hi ...

... I think Zenmap is a Universal Binary app, because it doesn’t start
on my PowerBook G4 running OS 10.4.11 anymore ...
... the Installer Readme told me that PPC and 10.4 is no problem ...

vernetzungsvoll,

Clemens Schaber · Wels · Austria





&lt;/pre&gt;</description>
    <dc:creator>yxynaxen&lt; at &gt;A1.net</dc:creator>
    <dc:date>2012-05-22T11:14:47</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.nmap.devel/21830">
    <title>zenmap-crash</title>
    <link>http://comments.gmane.org/gmane.comp.security.nmap.devel/21830</link>
    <description>&lt;pre&gt;hi,

After scanning about 188 hosts I wanted to filter them.
"op:80" was just fine. I wanted to extend that to "op:80 or op:8080"; it
crashed.


Version: 6.00
Traceback (most recent call last):
   File "zenmapGUI\ScanInterface.pyo", line 247, in filter_hosts
   File "zenmapCore\NetworkInventory.pyo", line 498, in apply_filter
   File "zenmapCore\NetworkInventory.pyo", line 448, in _match_all_args
   File "zenmapCore\NetworkInventory.pyo", line 458, in match_keyword
   File "zenmapCore\NetworkInventory.pyo", line 471, in match_os
   File "zenmapCore\SearchResult.pyo", line 155, in match_os
KeyError: 'osmatches'



greetings

&lt;/pre&gt;</description>
    <dc:creator>Thomas Neumayer</dc:creator>
    <dc:date>2012-05-22T09:52:15</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.nmap.devel/21829">
    <title>6.0 bug</title>
    <link>http://comments.gmane.org/gmane.comp.security.nmap.devel/21829</link>
    <description>&lt;pre&gt;None of the default scans appear to be working. It is not able to ping any of the hosts. Removed 6.0 and reinstalled 5.5 and was able to ping and define open ports and other command line switches. Tried multiple hosts, and verified they were up and pingable from this host. I would be willing to answer other questions if needed. Just email if you like.



Scott R. Schmit
Systems Engineer
Mobile:    864.616.7953
Desk:       864.307.0766
Fax:          864.307.0866
Email:    sschmit&amp;lt; at &amp;gt;csioutfitters.com



&lt;/pre&gt;</description>
    <dc:creator>Scott Schmit</dc:creator>
    <dc:date>2012-05-22T13:04:47</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.security.nmap.devel/21828">
    <title>scanning a /8</title>
    <link>http://comments.gmane.org/gmane.comp.security.nmap.devel/21828</link>
    <description>&lt;pre&gt;Hi,

Would it be faster to scan a /8 using a single nmap instance or
splitting it into a bunch of smaller networks and running multiple
parallel nmaps?

Thanks

&lt;/pre&gt;</description>
    <dc:creator>Michael Right</dc:creator>
    <dc:date>2012-05-22T13:19:14</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.nmap.devel">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.nmap.devel</link>
  </textinput>
</rdf:RDF>

