Converting a NASL check to NeXpose

Document created by techeditor on Apr 7, 2011. Last modified by techeditor on Dec 20, 2013.

This tutorial assumes that you already know the basics of Writing Vulnerability Checks in NeXpose and that you have NeXpose installed. You can download NeXpose Community Edition for free.

Many users may be familiar with NASL, the Nessus Attack Scripting Language. This is a vulnerability test development language introduced originally by Nessus and now supported by OpenVAS. This tutorial shows how to convert a NASL check to a NeXpose check.

Let's pick a simple NASL check that is included with OpenVAS under the GPL license. This script checks for a remote command execution vulnerability in a monitoring product called Alchemy Eye. I picked this example because it happens to be the first vulnerability publicly disclosed by Rapid7 back in 2001, and oddly enough the NASL script is copyrighted by HD Moore. Funny how things work in this industry :)

 

NASL check from OpenVAS


alchemy_eye_http.nasl


#
# This script was written by Drew Hintz ( http://guh.nu )
#
# It is based on scripts written by Renaud Deraison and  HD Moore
#
# See the Nessus Scripts License for details
#

if(description)
{
script_id(10818);
script_bugtraq_id(3599);
script_version("$Revision: 38 $");
script_cve_id("CVE-2001-0871");
name["english"] = "Alchemy Eye HTTP Command Execution";
script_name(english:name["english"]);

desc["english"] = string("
Alchemy Eye and Alchemy Network Monitor are network management
tools for Microsoft Windows. The product contains a built-in HTTP
server for remote monitoring and control. This HTTP server allows
arbitrary commands to be run on the server by a remote attacker.
(Taken from the security announcement by http://www.rapid7.com.)

Solution : Either disable HTTP access in Alchemy Eye, or require
authentication for Alchemy Eye. Both of these can be set in the
Alchemy Eye preferences.

More Information : http://www.securityfocus.com/archive/1/243404

Risk factor : High");

script_description(english:desc["english"]);

summary["english"] = "Determines if arbitrary commands can be executed by Alchemy Eye";

script_summary(english:summary["english"]);
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2001 H D Moore & Drew Hintz ( http://guh.nu )");
family["english"] = "CGI abuses";
script_family(english:family["english"]);
script_dependencie("find_service.nes", "http_version.nasl");
script_require_keys("www/alchemy");
script_require_ports("Services/www", 80);
exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80);

if(!get_port_state(port))exit(0);

# Request one candidate URL and flag the host if the response carries
# net.exe's usage text. Note that >< is NASL's substring operator, so the
# pipe in the pattern is a literal character here, not regex alternation.
function check(req)
{
  req = http_get(item:req, port:port);
  r = http_keepalive_send_recv(port:port, data:req);
  if ( r == NULL ) exit(0);
  pat = "ACCOUNTS | COMPUTER";
  if(pat >< r) {
    security_hole(port:port);
    exit(0);
  }
  return(0);
}

# Three variants of the traversal path: plain, and with the DOS device
# names PRN and NUL inserted before the ../ sequence. The empty string
# in dir[2] terminates the loop.
dir[0] = "/PRN";
dir[1] = "/NUL";
dir[2] = "";

for(d=0;dir[d];d=d+1)
{
  url = string("/cgi-bin", dir[d], "/../../../../../../../../WINNT/system32/net.exe");
  check(req:url);
}

 

Writing the same check in NeXpose


Here is how to write the equivalent check in NeXpose format. Remember that NeXpose separates the vulnerability metadata from the vulnerability check, so you will create two files: one for the metadata (.xml) and one for the actual check (.vck). The NASL script's script_require_keys("www/alchemy") dependency becomes the NetworkService/Product declaration in the .vck, so the check only runs against hosts already fingerprinted as Alchemy Eye. This vulnerability has two alternate solutions that the user can choose from, both of which are classed as workarounds (as opposed to patches). This solution data is used by NeXpose to assemble the most efficient remediation report given the user's preferences. Note that the traversal depth differs (eight ../ segments in the NASL script, four in the NeXpose check); either works as long as the sequence reaches the drive root, since Windows discards ../ components that go above it.

 

cmty-alchemy-eye-http-cmd-exec.xml


<?xml version='1.0' encoding='UTF-8'?>
<Vulnerability id="cmty-alchemy-eye-http-cmd-exec" published="2001-11-30" added="2010-03-14" modified="2010-03-14" version="2.0">
  <name>Alchemy Eye HTTP Remote Command Execution</name>
  <severity>9</severity>
  <pci severity="5"/>
  <Tags><tag>Community</tag><tag>Web</tag></Tags>
  <cvss>(AV:N/AC:L/Au:N/C:P/I:P/A:P)</cvss>
  <AlternateIds>
    <id name="URL">http://www.rapid7.com/security-center/advisories/R7-0001.jsp</id> 
    <id name="CVE">CVE-2001-0871</id>
    <id name="BID">3599</id>
  </AlternateIds>
  <Description>
     <p>Alchemy Eye and Alchemy Network Monitor are network management tools for Microsoft Windows.  The product contains
     a built-in HTTP server for remote monitoring and control.  This HTTP server allows arbitrary commands to be run on
     the server by a remote attacker.</p>
  </Description>
  <Solutions>
    <Solution id="cmty-alchemy-eye-disable-http" time="20m">
      <summary>Disable the Alchemy Eye HTTP server</summary>
      <workaround>
        <p>Disable HTTP access completely via Preferences. You must restart the product for this to take effect.</p>
      </workaround>
    </Solution>
    <Solution id="cmty-alchemy-eye-http-require-auth" time="30m">
      <summary>Configure HTTP authentication</summary>
      <workaround>
        <p>Require HTTP authentication via Preferences. You must restart the product for this to take effect. This
        is only possible with versions 2.6.x and later (earlier versions have no authentication option).</p>
      </workaround>
    </Solution>
  </Solutions>
</Vulnerability>
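To see how the NASL metadata maps onto the .xml above, here is an added Python example (not NeXpose or OpenVAS code) that reads the static fields of a NASL description block with regular expressions and emits a Vulnerability document in the same layout. The RISK_TO_SEVERITY mapping and the single generated Solution element are assumptions; the CVSS vector, tags and PCI severity are not carried by the NASL script and must still be filled in by hand.

```python
"""Pull NeXpose vulnerability metadata out of a NASL description block.

Added example for this tutorial, not part of NeXpose or OpenVAS. It reads
the static fields of a NASL description block with regular expressions, so
it only works for scripts that assign these strings literally (as the
Alchemy Eye script does). Anything the NASL script does not carry, such as
the CVSS vector, tags and PCI severity, still has to be written by hand.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the description block of alchemy_eye_http.nasl from
# this page, trimmed to the fields the converter reads.
NASL_SAMPLE = r'''
if(description)
{
script_id(10818);
script_bugtraq_id(3599);
script_cve_id("CVE-2001-0871");
name["english"] = "Alchemy Eye HTTP Command Execution";
script_name(english:name["english"]);

desc["english"] = string("
Alchemy Eye and Alchemy Network Monitor are network management
tools for Microsoft Windows. The product contains a built-in HTTP
server for remote monitoring and control. This HTTP server allows
arbitrary commands to be run on the server by a remote attacker.

Solution : Either disable HTTP access in Alchemy Eye, or require
authentication for Alchemy Eye.

Risk factor : High");
exit(0);
}
'''

# Assumed mapping from the NASL "Risk factor" line to a NeXpose severity
# (1-10); the page rates this High-risk check 9. Adjust to taste.
RISK_TO_SEVERITY = {"High": 9, "Medium": 5, "Low": 2}


def _first(pattern, text, flags=0):
    """Return group 1 of the first match of pattern in text, or None."""
    m = re.search(pattern, text, flags)
    return m.group(1).strip() if m else None


def _one_line(text):
    """Collapse the hard-wrapped NASL text into a single line."""
    return " ".join(text.split())


def parse_nasl_description(src):
    """Extract name, ids, description, solution and severity from a NASL script."""
    desc = _first(r'desc\["english"\]\s*=\s*string\("(.*?)"\);', src, re.S) or ""
    return {
        "name": _first(r'name\["english"\]\s*=\s*"([^"]+)"', src),
        "cve": _first(r'script_cve_id\("([^"]+)"\)', src),
        "bid": _first(r'script_bugtraq_id\((\d+)\)', src),
        # Everything before the "Solution :" line is the description proper.
        "description": _one_line(desc.split("Solution :")[0]),
        "solution": _one_line(_first(r'Solution\s*:\s*(.*?)\n\s*\n', desc, re.S) or ""),
        "severity": RISK_TO_SEVERITY.get(_first(r'Risk factor\s*:\s*(\w+)', desc), 5),
    }


def build_vulnerability_xml(meta, vuln_id, published, added):
    """Emit a NeXpose <Vulnerability> document laid out like the page's .xml."""
    vuln = ET.Element("Vulnerability", id=vuln_id, published=published,
                      added=added, modified=added, version="2.0")
    ET.SubElement(vuln, "name").text = meta["name"]
    ET.SubElement(vuln, "severity").text = str(meta["severity"])
    alt = ET.SubElement(vuln, "AlternateIds")
    for id_name, value in (("CVE", meta["cve"]), ("BID", meta["bid"])):
        if value:
            ET.SubElement(alt, "id", name=id_name).text = value
    ET.SubElement(ET.SubElement(vuln, "Description"), "p").text = meta["description"]
    # The NASL solution text becomes one workaround (assumed id and time);
    # split it by hand when it really lists alternatives, as the page's .xml does.
    sol = ET.SubElement(ET.SubElement(vuln, "Solutions"), "Solution",
                        id=vuln_id + "-workaround", time="30m")
    ET.SubElement(sol, "summary").text = "Workaround taken from the NASL solution text"
    ET.SubElement(ET.SubElement(sol, "workaround"), "p").text = meta["solution"]
    return ET.tostring(vuln, encoding="unicode")


if __name__ == "__main__":
    meta = parse_nasl_description(NASL_SAMPLE)
    print(build_vulnerability_xml(meta, "cmty-alchemy-eye-http-cmd-exec",
                                  "2001-11-30", "2010-03-14"))
```

Run it as-is to print the generated document; the output is a starting point you then complete with the cvss, Tags and pci elements shown above before dropping the file into NeXpose.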

 

cmty-alchemy-eye-http-cmd-exec.vck


Don't forget to escape the | (pipe) character in the regular expression. NASL's >< operator is a literal substring test, but NeXpose's <regex> element is a regular expression, where an unescaped | is alternation: "ACCOUNTS | COMPUTER" would then fire on any 200 response containing "ACCOUNTS " or " COMPUTER", not just on net.exe's usage text.

 

<VulnerabilityCheck id="cmty-alchemy-eye-http-cmd-exec" scope="endpoint">
   <NetworkService type="HTTP|HTTPS">
      <Product name="Alchemy Eye"/>
   </NetworkService>
   <HTTPCheck>
      <HTTPRequest method="GET">
        <URI>/cgi-bin/../../../../WINNT/system32/net.exe</URI>
        <URI>/cgi-bin/NUL/../../../../WINNT/system32/net.exe</URI>
        <URI>/cgi-bin/PRN/../../../../WINNT/system32/net.exe</URI>
      </HTTPRequest>
      <HTTPResponse code="200">
         <regex>ACCOUNTS \| COMPUTER</regex>
      </HTTPResponse>
   </HTTPCheck>
</VulnerabilityCheck>
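As an added example (not NeXpose's own matcher), the following Python shows why that escaping matters: it applies the NASL substring test and both regex forms to a constructed net.exe usage text and to a constructed benign status page, and mirrors the 200-status requirement of the HTTPResponse element. The traversal_uris helper is likewise an assumption; it rebuilds the three request paths the way the NASL loop does.

```python
"""Why the pipe must be escaped in the NeXpose <regex>.

Added example for this tutorial, not NeXpose's own matcher. It applies the
regex the way the check's <HTTPResponse code="200"> element does: the
request must return 200 and the body must match. The bodies below are
constructed; the net.exe usage text is abbreviated from what the real
binary prints.
"""
import re

# Constructed response bodies.
NET_EXE_USAGE = (
    "The syntax of this command is:\n\n"
    "NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |\n"
    "      HELPMSG | LOCALGROUP | PAUSE | SESSION | SHARE | START |\n"
    "      STATISTICS | STOP | TIME | USE | USER | VIEW ]\n"
)
BENIGN_STATUS_PAGE = "<html><body>Monitored hosts: 12 COMPUTER(S) up</body></html>"

NASL_PATTERN = "ACCOUNTS | COMPUTER"       # used with NASL's >< substring operator
UNESCAPED_REGEX = "ACCOUNTS | COMPUTER"    # alternation: "ACCOUNTS " or " COMPUTER"
ESCAPED_REGEX = r"ACCOUNTS \| COMPUTER"    # literal match, as in the .vck above


def nasl_matches(body):
    """NASL's  pat >< r  is a plain substring test."""
    return NASL_PATTERN in body


def nexpose_matches(status, body, regex):
    """Mirror <HTTPResponse code="200"><regex>...</regex></HTTPResponse>."""
    return status == 200 and re.search(regex, body) is not None


def traversal_uris(depth=4, target="WINNT/system32/net.exe"):
    """The three request URIs the NASL loop builds: plain, and with the DOS
    device names NUL and PRN inserted before the ../ sequence. The .vck uses
    four ../ segments, the NASL script eight; pass depth=8 for the latter."""
    return ["/cgi-bin%s/%s%s" % (d, "../" * depth, target) for d in ("", "/NUL", "/PRN")]


if __name__ == "__main__":
    for label, body in (("net.exe output", NET_EXE_USAGE),
                        ("benign status page", BENIGN_STATUS_PAGE)):
        print("%-20s nasl=%s unescaped=%s escaped=%s" % (
            label, nasl_matches(body),
            nexpose_matches(200, body, UNESCAPED_REGEX),
            nexpose_matches(200, body, ESCAPED_REGEX)))
    for uri in traversal_uris():
        print(uri)
```

The benign page is the case to watch: the unescaped pattern reports it as vulnerable because it contains " COMPUTER", while both the NASL substring test and the escaped regex correctly ignore it.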
