Converting a NASL check

This tutorial assumes that you know the basics of Writing Vulnerability Checks in the Security Console. You can read more about them here.

Many users may be familiar with NASL, the Nessus Attack Scripting Language. This is a vulnerability test development language introduced originally by Nessus and now supported by OpenVAS. This tutorial shows how to convert a NASL check to a Security Console check.

NASL check from OpenVAS

This script checks for a remote command execution vulnerability in a monitoring product called Alchemy Eye.

alchemy_eye_http.nasl

```text
#
# This script was written by Drew Hintz ( http://guh.nu )
#
# It is based on scripts written by Renaud Deraison and HD Moore
#
# See the Nessus Scripts License for details
#

if(description)
{
  script_id(10818);
  script_bugtraq_id(3599);
  script_version("$Revision: 38 $");
  script_cve_id("CVE-2001-0871");
  name["english"] = "Alchemy Eye HTTP Command Execution";
  script_name(english:name["english"]);

  desc["english"] = string("
Alchemy Eye and Alchemy Network Monitor are network management
tools for Microsoft Windows. The product contains a built-in HTTP
server for remote monitoring and control. This HTTP server allows
arbitrary commands to be run on the server by a remote attacker.
(Taken from the security announcement by http://www.rapid7.com.)

Solution : Either disable HTTP access in Alchemy Eye, or require
authentication for Alchemy Eye. Both of these can be set in the
Alchemy Eye preferences.

More Information : http://www.securityfocus.com/archive/1/243404

Risk factor : High");

  script_description(english:desc["english"]);

  summary["english"] = "Determines if arbitrary commands can be executed by Alchemy Eye";

  script_summary(english:summary["english"]);
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2001 H D Moore & Drew Hintz ( http://guh.nu )");
  family["english"] = "CGI abuses";
  script_family(english:family["english"]);
  script_dependencie("find_service.nes", "http_version.nasl");
  script_require_keys("www/alchemy");
  script_require_ports("Services/www", 80);
  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80);

if(!get_port_state(port))exit(0);

function check(req)
{
  req = http_get(item:req, port:port);
  r = http_keepalive_send_recv(port:port, data:req);
  if ( r == NULL ) exit(0);
  # The >< operator is a literal substring test, not a regular expression match.
  pat = "ACCOUNTS | COMPUTER";
  if(pat >< r) {
    security_hole(port:port);
    exit(0);
  }
  return(0);
}

# The empty string in dir[2] terminates the loop below.
dir[0] = "/PRN";
dir[1] = "/NUL";
dir[2] = "";

for(d=0;dir[d];d=d+1)
{
  url = string("/cgi-bin", dir[d], "/../../../../../../../../WINNT/system32/net.exe");
  check(req:url);
}
```

Writing the same check in the Security Console

Here is how to write the equivalent check in Security Console format. Remember that the Security Console separates the vulnerability metadata from the vulnerability check, so create two files: one for the metadata and one for the actual check. This vulnerability has two alternate solutions that the user can choose from, both of which are classed as workarounds (as opposed to patches). This solution data is used to assemble the most efficient remediation report given the user's preferences.

cmty-alchemy-eye-http-cmd-exec.xml

```text
<?xml version='1.0' encoding='UTF-8'?>
<Vulnerability id="cmty-alchemy-eye-http-cmd-exec" published="2001-11-30" added="2010-03-14" modified="2010-03-14" version="2.0">
  <name>Alchemy Eye HTTP Remote Command Execution</name>
  <severity>9</severity>
  <pci severity="5"/>
  <Tags><tag>Community</tag><tag>Web</tag></Tags>
  <cvss>(AV:N/AC:L/Au:N/C:P/I:P/A:P)</cvss>
  <AlternateIds>
    <id name="URL">http://www.rapid7.com/security-center/advisories/R7-0001.jsp</id>
    <id name="CVE">CVE-2001-0871</id>
    <id name="BID">3599</id>
  </AlternateIds>
  <Description>
    <p>Alchemy Eye and Alchemy Network Monitor are network management tools for Microsoft Windows. The product contains
    a built-in HTTP server for remote monitoring and control. This HTTP server allows arbitrary commands to be run on
    the server by a remote attacker.</p>
  </Description>
  <Solutions>
    <Solution id="cmty-alchemy-eye-disable-http" time="20m">
      <summary>Disable the Alchemy Eye HTTP server</summary>
      <workaround>
        <p>Disable HTTP access completely via Preferences. You must restart the product for this to take effect.</p>
      </workaround>
    </Solution>
    <Solution id="cmty-alchemy-eye-http-require-auth" time="30m">
      <summary>Configure HTTP authentication</summary>
      <workaround>
        <p>Require HTTP authentication via Preferences. You must restart the product for this to take effect. This
        is only possible with versions 2.6.x and later (earlier versions have no authentication option).</p>
      </workaround>
    </Solution>
  </Solutions>
</Vulnerability>
```

cmty-alchemy-eye-http-cmd-exec.vck

Remember to escape the | (pipe) character in the regular expression. The NASL script matches "ACCOUNTS | COMPUTER" as a literal substring, but the .vck <regex> is a regular expression, where an unescaped | is the alternation operator: "ACCOUNTS | COMPUTER" would match any response containing either word, so the check would fire on unrelated pages.

```text
<VulnerabilityCheck id="cmty-alchemy-eye-http-cmd-exec" scope="endpoint">
  <NetworkService type="HTTP|HTTPS">
    <Product name="Alchemy Eye"/>
  </NetworkService>
  <HTTPCheck>
    <HTTPRequest method="GET">
      <URI>/cgi-bin/../../../../WINNT/system32/net.exe</URI>
      <URI>/cgi-bin/NUL/../../../../WINNT/system32/net.exe</URI>
      <URI>/cgi-bin/PRN/../../../../WINNT/system32/net.exe</URI>
    </HTTPRequest>
    <HTTPResponse code="200">
      <regex>ACCOUNTS \| COMPUTER</regex>
    </HTTPResponse>
  </HTTPCheck>
</VulnerabilityCheck>
```
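The following Python script is an added example for this tutorial; it is neither part of the original page nor Rapid7's code, and it does not touch the network. It embeds the two files above as constructed strings (the metadata file trimmed to the parts it uses), checks the things a check author typically gets wrong when converting by hand (the metadata and check ids must agree, the response regex must compile, each file must carry its required elements), evaluates the check's response condition against two constructed response bodies the way a scanner would, and demonstrates why the pipe escape matters by running the escaped and unescaped pattern side by side. The function names, the validation rules and the sample bodies are assumptions of this example, not part of the Security Console format.

```python
"""Added example (not part of the tutorial and not Rapid7 code): sanity-check a
Security Console metadata file and its .vck, and show why the pipe in the
response regex must be escaped. Both files are embedded below as constructed
strings copied from the page (the metadata file is trimmed to the parts used)."""
import re
import xml.etree.ElementTree as ET

# Constructed: trimmed copy of cmty-alchemy-eye-http-cmd-exec.xml
META_XML = """<?xml version='1.0' encoding='UTF-8'?>
<Vulnerability id="cmty-alchemy-eye-http-cmd-exec" published="2001-11-30"
               added="2010-03-14" modified="2010-03-14" version="2.0">
  <name>Alchemy Eye HTTP Remote Command Execution</name>
  <severity>9</severity>
  <AlternateIds>
    <id name="CVE">CVE-2001-0871</id>
    <id name="BID">3599</id>
  </AlternateIds>
  <Solutions>
    <Solution id="cmty-alchemy-eye-disable-http" time="20m">
      <summary>Disable the Alchemy Eye HTTP server</summary>
    </Solution>
    <Solution id="cmty-alchemy-eye-http-require-auth" time="30m">
      <summary>Configure HTTP authentication</summary>
    </Solution>
  </Solutions>
</Vulnerability>"""

# Constructed: copy of cmty-alchemy-eye-http-cmd-exec.vck (raw string keeps the \| intact)
CHECK_VCK = r"""<VulnerabilityCheck id="cmty-alchemy-eye-http-cmd-exec" scope="endpoint">
  <NetworkService type="HTTP|HTTPS">
    <Product name="Alchemy Eye"/>
  </NetworkService>
  <HTTPCheck>
    <HTTPRequest method="GET">
      <URI>/cgi-bin/../../../../WINNT/system32/net.exe</URI>
      <URI>/cgi-bin/NUL/../../../../WINNT/system32/net.exe</URI>
      <URI>/cgi-bin/PRN/../../../../WINNT/system32/net.exe</URI>
    </HTTPRequest>
    <HTTPResponse code="200">
      <regex>ACCOUNTS \| COMPUTER</regex>
    </HTTPResponse>
  </HTTPCheck>
</VulnerabilityCheck>"""

# Constructed sample bodies: the first mimics the usage text net.exe prints when
# run without arguments, the second is an ordinary page that merely mentions a word.
NET_EXE_USAGE = "The syntax of this command is:\nNET [ ACCOUNTS | COMPUTER | CONFIG ]"
BENIGN_PAGE = "<html>Alchemy Eye status: 3 COMPUTER hosts monitored</html>"


def load_check(vck_text):
    """Return (check id, request URIs, expected status code, response regex)."""
    root = ET.fromstring(vck_text.encode("utf-8"))
    resp = root.find("HTTPCheck/HTTPResponse")
    uris = [u.text for u in root.iter("URI")]
    return root.get("id"), uris, int(resp.get("code")), resp.find("regex").text


def load_metadata(xml_text):
    """Return (vulnerability id, list of solution ids)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return root.get("id"), [s.get("id") for s in root.iter("Solution")]


def validate(meta_text, vck_text):
    """Problems an author would want to catch before loading the pair of files."""
    problems = []
    meta_id, solutions = load_metadata(meta_text)
    check_id, uris, _code, pattern = load_check(vck_text)
    if meta_id != check_id:
        problems.append(f"id mismatch: metadata {meta_id!r} vs check {check_id!r}")
    if not uris:
        problems.append("HTTPRequest has no <URI>")
    if not solutions:
        problems.append("metadata has no <Solution>")
    try:
        re.compile(pattern)
    except re.error as exc:
        problems.append(f"response regex does not compile: {exc}")
    return problems


def check_fires(vck_text, status, body):
    """Apply the check's response condition (status code and regex) the way a scanner would."""
    _id, _uris, code, pattern = load_check(vck_text)
    return status == code and re.search(pattern, body) is not None


def compare_patterns(body):
    """(unescaped match, escaped match) for the NASL substring turned into a regex."""
    unescaped = re.search("ACCOUNTS | COMPUTER", body) is not None   # alternation: "ACCOUNTS " or " COMPUTER"
    escaped = re.search(r"ACCOUNTS \| COMPUTER", body) is not None   # the literal text net.exe prints
    return unescaped, escaped


if __name__ == "__main__":
    print("validation problems:", validate(META_XML, CHECK_VCK) or "none")
    for label, body in (("net.exe usage", NET_EXE_USAGE), ("benign page", BENIGN_PAGE)):
        print(f"{label}: unescaped/escaped = {compare_patterns(body)}, "
              f"check fires = {check_fires(CHECK_VCK, 200, body)}")
```

Running it shows the point of the escaping note: the unescaped pattern matches both the net.exe usage text and the benign status page, while the escaped pattern and therefore the check as written above only fire on the former. The validation step is the part worth keeping in a pre-commit hook for a check repository, since an id that differs between the .xml and the .vck is a silent failure rather than a loud one.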