Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / modules / nessus-2.2.8.mo / usr / lib / nessus / plugins / l2tpd_overflow.nasl < prev next >

Wrap

Text File | 2005-01-14 | 2KB | 72 lines

# # # This script is (C) 2003 Renaud Deraison # # if (description) { script_id(11388); script_bugtraq_id(5451); script_cve_id("CVE-2002-0872", "CVE-2002-0873"); script_version ("$Revision: 1.7 $"); script_name(english:"l2tpd < 0.68 overflow"); desc["english"] = " The remote host is running a version of l2tpd which is older or equal to 0.67. This version is vulnerable to a buffer overflow which may allow an attacker to gain a root shell on this host. In addition, this program does not initialize its random number generator. Therefore, an attacker may predict some key values and hijack L2TP sessions established to this host. Solution : upgrade to l2tpd 0.68 or newer Risk factor : High"; script_description(english:desc["english"]); script_summary(english:"Determines the version of the remote l2tpd"); script_category(ACT_GATHER_INFO); script_family(english:"Gain root remotely"); script_copyright(english:"This script is Copyright (C) 2003 Renaud Deraison"); exit(0); } function find_firmware(rep) { local_var i, firmware; for(i=12;i<strlen(rep);i++) { len = ord(rep[i]) * 256 + ord(rep[i+1]); if(ord(rep[i]) & 0x80)len -= 0x80 * 256; if(ord(rep[i+5]) == 6) { firmware = ord(rep[i+6]) * 256 + ord(rep[i+7]); return firmware; } else i += len - 1; } return NULL; } req = raw_string(0xC8, 2, 0, 20, 0, 0, 0, 0,0,0,0,0,0,8, 0,0,0,0,0,0); soc = open_sock_udp(1701); send(socket:soc, data:req); r = recv(socket:soc, length:1024); if(!r)exit(0); close(soc); if(("l2tpd" >< r) || ("Adtran" >< r)) { firmware = find_firmware(rep:r); hi = firmware / 256; lo = firmware % 256; if((hi == 0x06) && (lo <= 0x70))security_hole(port:1701, proto:"udp"); }