Converting a NASL check

Custom vulnerability check data is not compatible with the Insight Platform

If you are an InsightVM subscriber who leverages the custom vulnerability check capabilities described in this article, be aware that any custom checks you create and any scan data derived from those checks will be contained in and limited to the on-premises Security Console. Custom checks and their scan results do not travel upstream to the Insight Platform. This means they will not exist in InsightVM's cloud-based features and experiences, such as Dashboards, Remediation Projects, and Goals and SLAs.

This tutorial assumes that you know the basics of writing vulnerability checks in the Security Console.

Many users may be familiar with the Nessus Attack Scripting Language (NASL). This is a vulnerability test development language introduced originally by Nessus and now supported by OpenVAS. This tutorial shows how to convert a NASL check to a Security Console check.

NASL check from OpenVAS

This script checks for a remote command execution vulnerability in a monitoring product called Alchemy Eye.

alchemy_eye_http.nasl

```
#
# This script was written by Drew Hintz ( http://guh.nu )
#
# It is based on scripts written by Renaud Deraison and HD Moore
#
# See the Nessus Scripts License for details
#
if(description)
{
 script_id(10818);
 script_bugtraq_id(3599);
 script_version("$Revision: 38 $");
 script_cve_id("CVE-2001-0871");
 name["english"] = "Alchemy Eye HTTP Command Execution";
 script_name(english:name["english"]);
 desc["english"] = string("Alchemy Eye and Alchemy Network Monitor are network management tools for Microsoft Windows. The product contains a built-in HTTP server for remote monitoring and control. This HTTP server allows arbitrary commands to be run on the server by a remote attacker. (Taken from the security announcement by http://www.rapid7.com.)

Solution : Either disable HTTP access in Alchemy Eye, or require authentication for Alchemy Eye. Both of these can be set in the Alchemy Eye preferences.

More Information : http://www.securityfocus.com/archive/1/243404
Risk factor : High");

 script_description(english:desc["english"]);
 summary["english"] = "Determines if arbitrary commands can be executed by Alchemy Eye";
 script_summary(english:summary["english"]);
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2001 H D Moore & Drew Hintz ( http://guh.nu )");
 family["english"] = "CGI abuses";
 script_family(english:family["english"]);
 script_dependencie("find_service.nes", "http_version.nasl");
 script_require_keys("www/alchemy");
 script_require_ports("Services/www", 80);
 exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80);

if(!get_port_state(port))exit(0);

function check(req)
{
 req = http_get(item:req, port:port);
 r = http_keepalive_send_recv(port:port, data:req);
 if ( r == NULL ) exit(0);
 pat = "ACCOUNTS | COMPUTER";
 if(pat >< r) {
   security_hole(port:port);
   exit(0);
 }
 return(0);
}

dir[0] = "/PRN";
dir[1] = "/NUL";
dir[2] = "";

for(d=0;dir[d];d=d+1)
{
 url = string("/cgi-bin", dir[d], "/../../../../../../../../WINNT/system32/net.exe");
 check(req:url);
}
```

Writing the same check in the Security Console

Here is how to write the equivalent check in Security Console format. Remember that the Security Console separates the vulnerability metadata from the vulnerability check, so create two files: one for the metadata and one for the actual check. This vulnerability has two alternate solutions that the user can choose from, both of which are classed as workarounds (as opposed to patches). This solution data is used to assemble the most efficient remediation report given the user's preferences.

cmty-alchemy-eye-http-cmd-exec.xml

```xml
<?xml version='1.0' encoding='UTF-8'?>
<Vulnerability id="cmty-alchemy-eye-http-cmd-exec" published="2001-11-30" added="2010-03-14" modified="2010-03-14" version="2.0">
  <name>Alchemy Eye HTTP Remote Command Execution</name>
  <severity>9</severity>
  <pci severity="5"/>
  <Tags><tag>Community</tag><tag>Web</tag></Tags>
  <cvss>(AV:N/AC:L/Au:N/C:P/I:P/A:P)</cvss>
  <AlternateIds>
    <id name="URL">http://www.rapid7.com/security-center/advisories/R7-0001.jsp</id>
    <id name="CVE">CVE-2001-0871</id>
    <id name="BID">3599</id>
  </AlternateIds>
  <Description>
    <p>Alchemy Eye and Alchemy Network Monitor are network management tools for Microsoft Windows. The product contains
    a built-in HTTP server for remote monitoring and control. This HTTP server allows arbitrary commands to be run on
    the server by a remote attacker.</p>
  </Description>
  <Solutions>
    <Solution id="cmty-alchemy-eye-disable-http" time="20m">
      <summary>Disable the Alchemy Eye HTTP server</summary>
      <workaround>
        <p>Disable HTTP access completely via Preferences. You must restart the product for this to take effect.</p>
      </workaround>
    </Solution>
    <Solution id="cmty-alchemy-eye-http-require-auth" time="30m">
      <summary>Configure HTTP authentication</summary>
      <workaround>
        <p>Require HTTP authentication via Preferences. You must restart the product for this to take effect. This
        is only possible with versions 2.6.x and later (earlier versions have no authentication option).</p>
      </workaround>
    </Solution>
  </Solutions>
</Vulnerability>
```

cmty-alchemy-eye-http-cmd-exec.vck

Remember to escape the | (pipe) character in the regular expression.

```xml
<VulnerabilityCheck id="cmty-alchemy-eye-http-cmd-exec" scope="endpoint">
  <NetworkService type="HTTP|HTTPS">
    <Product name="Alchemy Eye"/>
  </NetworkService>
  <HTTPCheck>
    <HTTPRequest method="GET">
      <URI>/cgi-bin/../../../../WINNT/system32/net.exe</URI>
      <URI>/cgi-bin/NUL/../../../../WINNT/system32/net.exe</URI>
      <URI>/cgi-bin/PRN/../../../../WINNT/system32/net.exe</URI>
    </HTTPRequest>
    <HTTPResponse code="200">
      <regex>ACCOUNTS \| COMPUTER</regex>
    </HTTPResponse>
  </HTTPCheck>
</VulnerabilityCheck>
```
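
Why the pipe must be escaped: the NASL `><` operator is a literal substring test, while the `<regex>` element is a regular expression in which a bare `|` means alternation. The following is an added example, not part of the original page or of Rapid7's tooling. It uses Python's `re` module as a stand-in for the Security Console's regex engine, and the helper names and sample response bodies are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Literal substring the NASL script tests for with its `><` operator.
NASL_PATTERN = "ACCOUNTS | COMPUTER"

# Constructed sample response bodies (not captured from a real host).
NET_USAGE = ("The syntax of this command is:\n\n"
             "NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE ]\n")
BENIGN_PAGE = "<html><body>Review user ACCOUNTS before the audit</body></html>"

# Minimal .vck skeleton; only the <regex> text varies between test cases.
VCK_TEMPLATE = """<VulnerabilityCheck id="cmty-alchemy-eye-http-cmd-exec" scope="endpoint">
  <HTTPCheck>
    <HTTPResponse code="200"><regex>{regex}</regex></HTTPResponse>
  </HTTPCheck>
</VulnerabilityCheck>"""


def literal_to_regex(literal):
    """Hypothetical helper: backslash-escape regex metacharacters so the
    converted pattern matches the NASL literal and nothing else."""
    return re.sub(r"([\\.^$*+?()\[\]{}|])", r"\\\1", literal)


def vck_regexes(vck_xml):
    """Return the text of every <regex> under an <HTTPResponse> element."""
    root = ET.fromstring(vck_xml)
    return [el.text or "" for el in root.findall(".//HTTPResponse/regex")]


def disagreements(regex, literal, bodies):
    """Bodies where the regex verdict differs from the NASL substring test,
    i.e. where the converted check would behave differently from the original."""
    compiled = re.compile(regex)
    return [b for b in bodies if bool(compiled.search(b)) != (literal in b)]


if __name__ == "__main__":
    bodies = [NET_USAGE, BENIGN_PAGE]
    for candidate in (NASL_PATTERN, literal_to_regex(NASL_PATTERN)):
        regex = vck_regexes(VCK_TEMPLATE.format(regex=candidate))[0]
        mismatches = disagreements(regex, NASL_PATTERN, bodies)
        print(f"{regex!r}: {len(mismatches)} body/bodies judged differently from NASL")
```

With the unescaped pattern, the regex reads as "`ACCOUNTS ` or ` COMPUTER`", so the benign page is reported as vulnerable; the escaped form agrees with the NASL check on both samples.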