When I ran this script, I got the following error:
*** !! WARNING !! ***
This script will modify the risk ratings and remove
risk text details from
the result text, if it finds a mis-rated result.
It searches for the text "Risk [fF]actor :" in the
result text, assigns the
correct risk rating and then removes the line(s) with
the risk factor text in
it.
If you are executing this on a Production system,
please verify you want to
make this change before continuing.
Enter Y or y to continue. All other input will quit
this script:
DBD::mysql::st execute failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 't, easing social engineering attacks for example.
Solution: disable this servic' at line 1 at ./updatereportrisk.pl line 89.
Logged In: YES
user_id=1546418
This shouldn't occur. Is this running on an Inprotect system
that was upgraded from 0.21 or below?
If so, did you run updatereportHTML.pl in the patches
directory when you upgraded from 0.21 to 0.22.3? If you are
unsure - do not run it twice!
Try adding the following lines above line 89:
print "--------------------\nresultid: $result[0]\n";
print "newrisk: $newrisk\n";
print "msg: $msg\n";
Post the output for the result which gets printed to the
console just before the error occurs as an attachment here
please. I can't check my e-mail at the moment.
Logged In: YES
user_id=1177571
I don't remember if I already ran updatereportHTML.pl, but
I believe yes...
Here is the output:
--------------------
resultid: 19
newrisk: 6
msg:
DBD::mysql::st execute failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 't, easing social engineering attacks for example.
--------
This is the plugin:
http://www.nessus.org/plugins/index.php?view=single&id=11222
I believe it is occurring because of a " ' "
Copyright (C) 2003 Michel Arboi
View the source code of this plugin here
Family Useless services
Nessus Plugin ID 11222
Bugtraq ID
CVE ID
Description:
writesrv is running on this port it is used to send
messages to users.
This service gives potential attackers information about
who is connected and who isn't, easing social engineering
attacks for example.
Solution: disable this service if you don't use it
Risk factor : Low
------------
Cheers,
Bruno
Logged In: YES
user_id=1546418
Thanks for this - I've just replicated the issue here and
I'm guessing the result it is failing on is one you ran
when your Inprotect installation was running v0.21 or lower?
If so, and you are sure you didn't run updatereportHTML.pl
before, you should run it again. HOWEVER, if you *did* run
it previously, it will mess up any & character and change
it to &amp; which is bad for items already in the results
table as "&lt;", etc...
If you *think* you may have run it before, you need to run
the attached perl script:
Logged In: YES
user_id=1546418
Once you have run the attached PERL script, try running
updatereportrisk.pl again - it should work smoothly.
Logged In: YES
user_id=1177571
[root@xxxxxx nessus]# perl updatereportapost.pl
DBI::db=HASH(0x9aa346c)->disconnect invalidates 1 active statement handle (either destroy statement handles or call finish on them before disconnecting) at updatereportapost.pl line 32.
Logged In: YES
user_id=1177571
I think that it worked now:
Total of 100036 out of a possible 100036 row(s) updated
Thanks
Bruno
Logged In: YES
user_id=1546418
Ok - I'll update the script to avoid the disconnect
validation error. Thanks for this.
I would be interested to know the scantime from result id
19. Can you run the SQL call:
SELECT scantime FROM nessus_results WHERE result_id=19;
Run the script again and if it comes back with 0 out of 0
rows updated then you know all worked ok.
Logged In: YES
user_id=1177571
mysql> SELECT scantime FROM nessus_results WHERE result_id=19 \G
*************************** 1. row ***************************
scantime: 20050111180000
1 row in set (0.00 sec)
_______________________________________________
--------------------
resultid: 78351
newrisk: 2
msg:
Total of 1 out of a possible 4 row(s) updated
DBI::db=HASH(0x86eec8c)->disconnect invalidates 1 active statement handle (either destroy statement handles or call finish on them before disconnecting) at ./updatereportrisk.pl line 102.
Logged In: YES
user_id=1546418
Thanks - from the nessus_results output, it seems the
updatereportHTML.pl script wasn't run as the result would
have been generated by Inprotect 0.21 or less.
However, what's worrying is the update "1 out of 4". Can you
Modified updatereportHTML.pl script to only convert ' to '
Logged In: YES
user_id=1546418
Sorry, hit submit before finishing my last entry.
Can you change the print line where it says $msg to $newmsg,
move the 3 print lines to be before the if statement and
send me the output.
I am keen to understand what the plugin text is and why it
isn't working for those 4 results.
Cheers,
A.
----
Logged In: YES
user_id=1546418
In fact, can you post the results here. I don't have access
to my personal e-mail from work.
Logged In: YES
user_id=1177571
I changed to:
print "--------------------\nresultid: $result[0]\n";
print "newrisk: $newrisk\n";
print "newmsg: $newmsg\n";
if (($newmsg ne $result[1]) || $found)
{
etc
And the output was:
[root@vsengn001 patches]# ./updatereportrisk.pl
*** !! WARNING !! ***
This script will modify the risk ratings and remove risk
text details from
the result text, if it finds a mis-rated result.
It searches for the text "Risk [fF]actor :" in the result
text, assigns the
correct risk rating and then removes the line(s) with the
risk factor text in
it.
If you are executing this on a Production system, please
verify you want to
make this change before continuing.
Enter Y or y to continue. All other input will quit this
script:
--------------------
resultid: 78351
newrisk: 2
newmsg: The remote FTP server dies and dump core when
it is
issued a PASV command as soon as the client connects.
The FTP server is very likely to write a world readable
core file
which contains portions of the passwd file. This allows
local users
to obtain the shadowed passwd file.
Risk factor : High.
Solution : Upgrade your FTP server to a newer version or
disable it
CVE : CVE-1999-0075
--------------------
resultid: 207889
newrisk: 7
newmsg:
Synopsis :
A vulnerability in DirectShow could allow remote code
execution.
Description :
The remote host contains a version of DirectX which is
vulnerable
to a remote code execution flaw.
To exploit this flaw, an attacker would need to send a
specially
malformed .avi file to a user on the remote host and have
him
open it.
Solution :
Microsoft has released a set of patches for Windows 2000,
XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms05-050.mspx
Risk factor :
/ CVSS Base Score : 8
(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)
CVE : CVE-2005-2128
BID : 15063
--------------------
resultid: 223081
newrisk: 7
newmsg:
Synopsis :
A vulnerability in DirectShow could allow remote code
execution.
Description :
The remote host contains a version of DirectX which is
vulnerable
to a remote code execution flaw.
To exploit this flaw, an attacker would need to send a
specially
malformed .avi file to a user on the remote host and have
him
open it.
Solution :
Microsoft has released a set of patches for Windows 2000,
XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms05-050.mspx
Risk factor :
/ CVSS Base Score : 8
(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)
CVE : CVE-2005-2128
BID : 15063
Other references : IAVA:2005-A-0029
--------------------
resultid: 223192
newrisk: 7
newmsg:
Synopsis :
A vulnerability in DirectShow could allow remote code
execution.
Description :
The remote host contains a version of DirectX which is
vulnerable
to a remote code execution flaw.
To exploit this flaw, an attacker would need to send a
specially
malformed .avi file to a user on the remote host and have
him
open it.
Solution :
Microsoft has released a set of patches for Windows 2000,
XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms05-050.mspx
Risk factor :
/ CVSS Base Score : 8
(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)
CVE : CVE-2005-2128
BID : 15063
Other references : IAVA:2005-A-0029
Total of 1 out of a possible 4 row(s) updated
DBI::db=HASH(0x9a10c0c)->disconnect invalidates 1 active statement handle (either destroy statement handles or call finish on them before disconnecting) at ./updatereportrisk.pl line 106.
Logged In: YES
user_id=1546418
Excellent stuff.
It's such a pain when Nessus do not standardise plugin
output! I will update the script and repost the 0.22.5
bundle tonight. I'll forward you the updated copy of the
script personally so you don't have to do a full upgrade.
Cheers,
A.
----
Logged In: YES
user_id=1546418
Actually, can you do some testing for me?
If you can replace lines 71-80 with the following code,
this should update the one with a . after the risk:
$newmsg =~ s/Risk [fF]actor\s*:\s*(\n)*Serious\.*((\n)+|(\s)+| \/ |$)//s;
$newmsg =~ s/Risk [fF]actor\s*:\s*(\n)*Critical\.*((\n)+|(\s)+| \/ |$)//;
$newmsg =~ s/Risk [fF]actor\s*:\s*(\n)*High\.*((\n)+|(\s)+| \/ |$)//;
$newmsg =~ s/Risk [fF]actor\s*:\s*(\n)*Medium\.*((\n)+|(\s)+| \/ |$)//;
$newmsg =~ s/Risk [fF]actor\s*:\s*(\n)*Medium\/Low\.*((\n)+|(\s)+| \/ |$)//;
$newmsg =~ s/Risk [fF]actor\s*:\s*(\n)*Low\/Medium\.*((\n)+|(\s)+| \/ |$)//;
$newmsg =~ s/Risk [fF]actor\s*:\s*(\n)*Low\.*((\n)+|(\s)+| \/ |$)//;
$newmsg =~ s/Risk [fF]actor\s*:\s*(\n)*Info\.*((\n)+|(\s)+| \/ |$)//;
$newmsg =~ s/Risk [fF]actor\s*:\s*(\n)*[nN]one to High\.*((\n)+|(\s)+| \/ |$)//;
$newmsg =~ s/Risk [fF]actor\s*:\s*(\n)*[nN]one\.*((\n)+|(\s)+| \/ |$)//;
Run the script twice and on the second run, the total
should lower to 3.
If you want to get rid of the PERL warning, add the
following on line 98 before the dbh disconnect:
$query->finish();
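Added example, not part of the thread or of Inprotect's code: the syntax error near 't, easing social engineering attacks is what an apostrophe in plugin text produces when the text is interpolated into the SQL string, and DBI placeholders avoid it without rewriting the stored data. The same block shows finish() being called on the statement handle before disconnect. It assumes DBD::SQLite is installed as a stand-in for MySQL; the column names risk and msg and the sample text are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumptions: in-memory SQLite (DBD::SQLite) stands in for the MySQL
# database, and the column names risk and msg are hypothetical.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE nessus_results
          (result_id INTEGER PRIMARY KEY, risk INTEGER, msg TEXT)');
$dbh->do('INSERT INTO nessus_results VALUES (19, 7, ?)', undef, 'old text');

# Constructed sample: plugin text containing apostrophes, as in plugin 11222.
my $msg = "This service gives potential attackers information about who is\n"
        . "connected and who isn't, easing social engineering attacks.\n"
        . "Solution: disable this service if you don't use it\n";

# Interpolated SQL: the apostrophe in "isn't" closes the string literal
# early, so the statement no longer parses.
my $sql = "UPDATE nessus_results SET risk = 6, msg = '$msg' WHERE result_id = 19";
my $ok  = eval { $dbh->do($sql); 1 };
print 'interpolated: ', ($ok ? "ok\n" : "failed\n");

# Placeholders: the driver passes the text as data, whatever it contains.
my $update = $dbh->prepare(
    'UPDATE nessus_results SET risk = ?, msg = ? WHERE result_id = ?');
my $rows = $update->execute(6, $msg, 19);
print "placeholders: $rows row(s) updated\n";

# finish() belongs to the statement handle, not to $dbh. Calling it on a
# partly read SELECT avoids the "disconnect invalidates 1 active statement
# handle" warning.
my $query = $dbh->prepare('SELECT result_id, msg FROM nessus_results');
$query->execute();
my ($id, $stored) = $query->fetchrow_array();
print 'stored text intact: ', ($stored eq $msg ? "yes\n" : "no\n");
$query->finish();
$dbh->disconnect();
```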
Logged In: YES
user_id=1177571
[root@vsengn001 patches]# ./updatereportrisk.pl
*** !! WARNING !! ***
This script will modify the risk ratings and remove risk
text details from
the result text, if it finds a mis-rated result.
It searches for the text "Risk [fF]actor :" in the result
text, assigns the
correct risk rating and then removes the line(s) with the
risk factor text in
it.
If you are executing this on a Production system, please
verify you want to
make this change before continuing.
Enter Y or y to continue. All other input will quit this
script:
Total of 0 out of a possible 3 row(s) updated
Can't locate object method "finish" via package "DBI::db" at ./updatereportrisk.pl line 99.
Logged In: YES
user_id=1546418
Thanks - 1 problem fixed, 2 outstanding! I'll look at the
finish issue - this should be a standard function in the
DBI library.
I've updated the regexp for working out the risk rating and
removing the Nessus Risk Factor test. You will need to
replace lines 59-80 with the following code. This should
work where the Risk Factor is blank and only the CVSS score
is present.
$newrisk=1 if ($newmsg =~ m/Risk [fF]actor\s*:\s*(\n)*Serious/s);
$newrisk=1 if ($newmsg =~ m/Risk [fF]actor\s*:\s*(\n)*Critical/s);
$newrisk=1 if ($newmsg =~ m/Risk [fF]actor\s*:\s*(\n)*\/ CVSS Base Score\s*:\s*10/s);
$newrisk=2 if ($newmsg =~ m/Risk [fF]actor\s*:\s*(\n)*High/s);
$newrisk=2 if ($newmsg =~ m/Risk [fF]actor\s*:\s*(\n)*\/ CVSS Base Score\s*:\s*[7-9]/s);
$newrisk=3 if ($newmsg =~ m/Risk [fF]actor\s*:\s*(\n)*Medium/s);
$newrisk=3 if ($newmsg =~ m/Risk [fF]actor\s*:\s*(\n)*\/ CVSS Base Score\s*:\s*[4-6]/s);
$newrisk=4 if ($newmsg =~ m/Risk [fF]actor\s*:\s*(\n)*Medium\/Low/s);
$newrisk=5 if ($newmsg =~ m/Risk [fF]actor\s*:\s*(\n)*Low\/Medium/s);
$newrisk=6 if ($newmsg =~ m/Risk [fF]actor\s*:\s*(\n)*Low/s);
$newrisk=6 if ($newmsg =~ m/Risk [fF]actor\s*:\s*(\n)*\/ CVSS Base Score\s*:\s*[2-3]/s);
$newrisk=6 if ($newmsg =~ m/Risk [fF]actor\s*:\s*(\n)*\/ CVSS Base Score\s*:\s*1[^0]/s);
$newrisk=7 if ($newmsg =~ m/Risk [fF]actor\s*:\s*(\n)*Info/s);
$newrisk=7 if ($newmsg =~ m/Risk [fF]actor\s*:\s*(\n)*[nN]one/s);
$newrisk=7 if ($newmsg =~ m/Risk [fF]actor\s*:\s*(\n)*\/ CVSS Base Score\s*:\s*0/s);
if ($newrisk!=8) { $found=1; }
else { $newrisk=7; }
$newmsg =~ s/Risk [fF]actor\s*:\s*(\n)*Serious\.*((\n)+|(\s)+| \/ |$)//s;
$newmsg =~ s/Risk [fF]actor\s*:\s*(\n)*Critical\.*((\n)+|(\s)+| \/ |$)//;
$newmsg =~ s/Risk [fF]actor\s*:\s*(\n)*High\.*((\n)+|(\s)+| \/ |$)//;
$newmsg =~ s/Risk [fF]actor\s*:\s*(\n)*Medium\.*((\n)+|(\s)+| \/ |$)//;
$newmsg =~ s/Risk [fF]actor\s*:\s*(\n)*Medium\/Low\.*((\n)+|(\s)+| \/ |$)//;
$newmsg =~ s/Risk [fF]actor\s*:\s*(\n)*Low\/Medium\.*((\n)+|(\s)+| \/ |$)//;
$newmsg =~ s/Risk [fF]actor\s*:\s*(\n)*Low\.*((\n)+|(\s)+| \/ |$)//;
$newmsg =~ s/Risk [fF]actor\s*:\s*(\n)*Info\.*((\n)+|(\s)+| \/ |$)//;
$newmsg =~ s/Risk [fF]actor\s*:\s*(\n)*[nN]one to High\.*((\n)+|(\s)+| \/ |$)//;
$newmsg =~ s/Risk [fF]actor\s*:\s*(\n)*[nN]one\.*((\n)+|(\s)+| \/ |$)//;
$newmsg =~ s/Risk [fF]actor\s*:\s*(\n)* \/ //;
Logged In: YES
user_id=1177571
finish fixed... my error, I added the query->finish(); but
forgot to erase dbh->finish()...
I executed the script 2 times but it is still at 0 of 3
rows updated...
[root@xx patches]# ./updatereportrisk.pl
*** !! WARNING !! ***
This script will modify the risk ratings and remove risk
text details from
the result text, if it finds a mis-rated result.
It searches for the text "Risk [fF]actor :" in the result
text, assigns the
correct risk rating and then removes the line(s) with the
risk factor text in
it.
If you are executing this on a Production system, please
verify you want to
make this change before continuing.
Enter Y or y to continue. All other input will quit this
script:
Total of 0 out of a possible 3 row(s) updated
Logged In: YES
user_id=1546418
OK the regexp for removing the Risk Factor text isn't
firing properly.
Can you make sure the debug print statements are there,
re-run and post the output here so I can make sure the risk
rating calculation regexp fires correctly.
I'm off to a meeting now but will look at it in an hour.
Good news on the finish!
Thanks,
A.
Logged In: YES
user_id=1546418
Meeting finished early and thankfully, a fresh look has
made me spot the error.
Replace line 102 with this:
$newmsg =~ s/Risk [fF]actor\s*:\s*(\n)*\/ //;
Re-run and let me know.
A.
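Added example, not the project's script: one way to fold the rating and removal regexes discussed in this thread into a single parser that covers the three shapes seen here (a plain label, a label with a trailing period, and an empty label followed by "/ CVSS Base Score"). The function names, the case-insensitive label match and the sample strings are assumptions or constructed; the label and CVSS ranges follow the regexes posted above, with compound labels tried first.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Label -> numeric rating, following the values used in this thread.
my %RATING = (
    'serious' => 1, 'critical' => 1, 'high' => 2, 'medium' => 3,
    'medium/low' => 4, 'low/medium' => 5, 'low' => 6,
    'info' => 7, 'none' => 7, 'none to high' => 7,
);

# CVSS base score -> rating, following the ranges in the thread's regexes.
sub cvss_to_rating {
    my ($score) = @_;
    return 1 if $score >= 10;
    return 2 if $score >= 7;
    return 3 if $score >= 4;
    return 6 if $score >= 1;
    return 7;
}

# Returns (rating, cleaned text); rating is undef when no risk line is found.
sub parse_risk {
    my ($msg) = @_;
    my $rating;
    # Compound labels come first so "Low/Medium" is not read as "Low".
    if ($msg =~ s{Risk\s+factor\s*:\s*(None to High|Medium/Low|Low/Medium|Serious|Critical|High|Medium|Low|Info|None)\b\.*[ \t]*\n?}{}i) {
        $rating = $RATING{lc $1};
    }
    # Empty label: drop "Risk factor : / " but keep the CVSS text itself.
    elsif ($msg =~ s{Risk\s+factor\s*:\s*/\s*(?=CVSS Base Score\s*:\s*(\d+(?:\.\d+)?))}{}i) {
        $rating = cvss_to_rating($1);
    }
    return ($rating, $msg);
}

# Constructed samples modelled on the result text quoted in this thread.
my @samples = (
    "to obtain the shadowed passwd file.\nRisk factor : High.\nSolution : Upgrade\n",
    "Solution :\nMicrosoft has released a set of patches\nRisk factor :\n/ CVSS Base Score : 8\n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\n",
    "Solution: disable this service if you don't use it\nRisk factor : Low\n",
);
for my $sample (@samples) {
    my ($rating, $clean) = parse_risk($sample);
    printf "rating=%s risk_line_left=%s\n",
        defined $rating ? $rating : 'none',
        $clean =~ /Risk factor/ ? 'yes' : 'no';
}
```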
Logged In: YES
user_id=1177571
A "space" :-)
Now it's ok!
[ ] 's
__________
[root@vsengn001 patches]# ./updatereportrisk.pl
*** !! WARNING !! ***
This script will modify the risk ratings and remove risk
text details from
the result text, if it finds a mis-rated result.
It searches for the text "Risk [fF]actor :" in the result
text, assigns the
correct risk rating and then removes the line(s) with the
risk factor text in
it.
If you are executing this on a Production system, please
verify you want to
make this change before continuing.
Enter Y or y to continue. All other input will quit this
script:
Total of 3 out of a possible 3 row(s) updated
___________
*** !! WARNING !! ***
This script will modify the risk ratings and remove risk
text details from
the result text, if it finds a mis-rated result.
It searches for the text "Risk [fF]actor :" in the result
text, assigns the
correct risk rating and then removes the line(s) with the
risk factor text in
it.
If you are executing this on a Production system, please
verify you want to
make this change before continuing.
Enter Y or y to continue. All other input will quit this
script:
Total of 0 out of a possible 0 row(s) updated