Red Hat NETWORK BASIC - USER REFERENCE GUIDE 4.0 User Manual Page 63

Passive Vulnerability Scanner Network Client Detection
id=1010
hs_dport=25
clientissue
name=Buffer overflow in multiple IMAP clients
description=The remote e-mail client is Mozilla 1.3 or 1.4a which is vulnerable to a
boundary condition error whereby a malicious IMAP server may be able to crash
or execute code on the client.
solution=Upgrade to either 1.3.1 or 1.4a
risk=HIGH
match=^From:
match=^To:
match=^Date:
match=^User-Agent: Mozilla
match=!^Received:
regex=^User-Agent: Mozilla/.* \(.*rv:(1\.3|1\.4a)
A match pattern that begins with the “^” symbol requires that at least one line in the packet payload begin with the
pattern that follows. A match pattern that begins with the “!” symbol requires that the string NOT match anything in the
packet payload. In this case, the “!” and “^” symbols are combined so that the plugin does not evaluate any packet
whose payload contains a line starting with the pattern “Received:”.
The “^” symbol is more expensive to evaluate than the “>” symbol. So, while both match patterns “^<pattern>” and “><pattern>”
would find “<pattern>” at the beginning of a packet payload, “>” is preferable because it is less costly. Use “^”
when looking for a string at the beginning of a line that is not at the beginning of the packet payload. When the string
is at the beginning of the packet payload, use the “>” character instead.
The Passive Vulnerability Scanner can Match “Previous” Packets
The PVS allows matching on patterns in the current packet as well as patterns in the previous packet in the current session.
This plugin shows how we can make use of this feature to determine if a Unix password file is sent by a web server:
id=1001
name=Password file obtained by HTTP (GET)
family=Generic
sport=80
description=It seems that a Unix password file was sent by the remote web server when
the following request was made :\n%P\nWe saw : \n%L
pmatch=>GET /
pmatch=HTTP/1.
match=root
match=daemon
match=bin
regex=root:.*:0:0:.*:.*
Here we see match patterns for a root entry in a Unix password file. We also see pmatch patterns that would match
against a packet that makes an HTTP GET request to a web server. The match patterns apply to the current packet in a
session, and the pmatch patterns apply to the packet that was captured immediately before the current one in the same
session. To explain this visually, we are looking for occurrences of the following:
                 GET / HTTP/1.*
1) client -------------------------> server:port 80
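
Added example, not from the guide and not PVS code: a Python evaluator for the “^”, “>”, “!” and pmatch behaviour described above, run against the patterns of plugins 1010 and 1001. The packet payloads are constructed; treating a bare pattern as a substring test and anchoring the regex per line of the current packet are assumptions.

```python
import re

def pattern_hits(pattern, payload):
    """Evaluate one match/pmatch pattern with the prefixes the guide describes."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    if pattern.startswith("^"):    # some line of the payload begins with it
        hit = any(l.startswith(pattern[1:]) for l in payload.splitlines())
    elif pattern.startswith(">"):  # the payload itself begins with it
        hit = payload.startswith(pattern[1:])
    else:                          # assumption: bare pattern = substring test
        hit = pattern in payload
    return hit != negate

def plugin_fires(plugin, current, previous=""):
    """match and regex see the current packet, pmatch the previous one."""
    if not all(pattern_hits(p, current) for p in plugin.get("match", [])):
        return False
    if not all(pattern_hits(p, previous) for p in plugin.get("pmatch", [])):
        return False
    rx = plugin.get("regex")       # assumption: "^" in regex anchors per line
    return rx is None or re.search(rx, current, re.MULTILINE) is not None

# Patterns copied from plugins 1010 and 1001 on this page.
PLUGIN_1010 = {"match": ["^From:", "^To:", "^Date:", "^User-Agent: Mozilla",
                         "!^Received:"],
               "regex": r"^User-Agent: Mozilla/.* \(.*rv:(1\.3|1\.4a)"}
PLUGIN_1001 = {"pmatch": [">GET /", "HTTP/1."],
               "match": ["root", "daemon", "bin"],
               "regex": r"root:.*:0:0:.*:.*"}

# Constructed sample payloads (not captured traffic).
MAIL = ("From: alice@example.com\r\nTo: bob@example.com\r\n"
        "Date: Mon, 1 Jan 2001 00:00:00 +0000\r\n"
        "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko\r\n"
        "\r\nhello\r\n")
RELAYED = "Received: from mx.example.net\r\n" + MAIL
REQUEST = "GET /files/passwd HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
RESPONSE = ("HTTP/1.0 200 OK\r\n\r\nroot:x:0:0:root:/root:/bin/sh\n"
            "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\nbin:x:2:2:bin:/bin:/bin/sh\n")

if __name__ == "__main__":
    print("1010, client mail :", plugin_fires(PLUGIN_1010, MAIL))
    print("1010, relayed mail:", plugin_fires(PLUGIN_1010, RELAYED))
    print("1001, GET + passwd:", plugin_fires(PLUGIN_1001, RESPONSE, REQUEST))
    print("1001, no request  :", plugin_fires(PLUGIN_1001, RESPONSE))
```

The relayed copy of the mail fails plugin 1010 only because of “!^Received:”, and the password-file response fails plugin 1001 when the previous packet in the session is not the GET request.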