Xanda's Blog !~!

Using AlienVault NVT Feed with Nessus 4 on Mac

Mar 21

Here is my simple howto and a modified AlienVault NVT sync script for use with Nessus 4 on Mac OS X.

First things first: you need Nessus and MacPorts installed.

Then install the md5sha1sum package, which provides the md5sum binary the script checks for:

sudo port install md5sha1sum

Use the following modified script and let it automagically fetch the NVT feed for you

#!/bin/bash
#
# OpenVAS
# Description: Synchronize with NVT feed.
# This shell script synchronizes the local set of
# OpenVAS Network Vulnerability Tests (NVTs) and
# associated includefiles with a given upstream
# feed of updated or new files.
#
# Authors:
# Lukas Grunwald <l.grunwald@dn-systems.de>
# Jan-Oliver Wagner <jan-oliver.wagner@intevation.de>
# xanda <adnanDOTshukorATgmailDOTcom>
#
# Copyright DN-Systems Enterprise Internet Solutions GmbH 2007
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Slight modifications, 2008/07 AlienVault VRT - code@alienvault.com
# Slight modifications, 2008/08 Vlatko Kosturjak Kost <kostATlinuxDOThr>
# Slight modifications, 2010/03 xanda - adnanDOTshukorATgmailDOTcom


SCANNER=$1

# Only the Nessus plugin layout is supported by this version of the script.
if [ -z "$SCANNER" ] || [ "$SCANNER" != "nessus" ]; then
    echo "Usage: $0 nessus"
    exit 1
fi

# Plugin dir (override by exporting NVT_DIR before running the script)
if [ -z "$NVT_DIR" ]; then
    NVT_DIR="/Library/Nessus/run/lib/nessus/plugins"
fi

# The URL of the plugin feed
FEED=rsync://feed.alienvault.com:/nvt-feed

# Locate a tool by searching a fixed list of directories. Under sudo the
# MacPorts directories (/opt/local/bin, /opt/local/sbin) are usually not in
# PATH, which is why a plain "which" is not good enough here.
findcmd()
{
  CMD=$1
  SRCH=/usr/bin:/usr/ucb:/usr/sbin:/sw/bin:/sbin:/usr/local/bin:/usr/local/sbin:/opt/local/bin:/opt/local/sbin
  SAVEIFS=$IFS
  IFS=:
  for dir in $SRCH; do
    if [ -x "$dir/$CMD" ]; then
      IFS=$SAVEIFS
      echo "$dir/$CMD"
      return 0
    fi
  done
  IFS=$SAVEIFS
  return 1
}

chk_system_tools(){
  echo "Searching for required system tools ..."

  RSYNC=$(findcmd rsync)
  MD5SUM=$(findcmd md5sum)

  if [ -z "$RSYNC" ]; then
    echo "Error: RSYNC not found"
    exit 1
  fi

  # md5sum (from the MacPorts md5sha1sum package) must be present, but note
  # that this version of the script never actually invokes it: the feed is
  # pulled over plain, unauthenticated rsync and nothing verifies the
  # plugins that arrive before the scanner loads them.
  if [ -z "$MD5SUM" ]; then
    echo "Error: MD5SUM not found"
    exit 1
  fi
}

sync_nvts (){
  echo "Synchronizing NVTs via RSYNC ..."

  mkdir -p "$NVT_DIR"
  # Use the rsync we located above and check its exit status instead of
  # reporting success unconditionally.
  if "$RSYNC" -av --progress "$FEED" "$NVT_DIR"; then
    echo "Synchronization successful."
  else
    echo "Error: rsync failed, plugin directory may be incomplete"
    exit 1
  fi
}

echo "AlienVault NVT Feed Sync"
echo " "
echo "Configured Scanner: $SCANNER"
echo "Configured NVT Feed: $FEED"
echo "Synchronized into: $NVT_DIR"
echo " "
echo " "

chk_system_tools
sync_nvts

echo " "
echo " "
echo "Please restart your scanner daemon"

Save it as alienvault-nvt-feed.sh and make it executable:

chmod +x alienvault-nvt-feed.sh

Stop the Nessus server before running the script (it writes straight into the live plugin directory), then run it as root so it can write to /Library/Nessus:

sudo ./alienvault-nvt-feed.sh nessus

Enjoy! 😉

Securityfocus : Change in Focus

Mar 11

Beginning March 15, 2010 SecurityFocus will begin a transition of its content to Symantec Connect. As part of its continued commitment to the community, all of SecurityFocus’ mailing lists including Bugtraq and its Vulnerability Database will remain online at www.securityfocus.com. There will not be any changes to any of the list charters or policies and the same teams who have moderated list traffic will continue to do so. The vulnerability database will continue to be updated and made available as it is currently. DeepSight and other security intelligence related offerings will remain unchanged while Infocus articles, whitepapers, and other SecurityFocus content will be available off of the main Symantec website in the coming months.

Read more HERE

SpamAssassin Milter Plugin ‘mlfi_envrcpt()’ Remote Arbitrary Command Injection Vulnerability

Mar 09

Can you spot the security bug? 🙂

mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)
{
  struct context *sctx = (struct context*)smfi_getpriv(ctx);
  SpamAssassin* assassin = sctx->assassin;
  FILE *p;
#if defined(__FreeBSD__)
  int rv;
#endif
 
  debug(D_FUNC, "mlfi_envrcpt: enter");
 
  if (flag_expand)
  {
  /* open a pipe to sendmail so we can do address expansion */
 
    char buf[1024];
    /* envrcpt[0] is the RCPT TO address supplied by the remote SMTP client.
       It is pasted into a shell command line with nothing but a pair of
       double quotes around it, so a '"' inside the address ends the quoted
       argument and whatever follows it is run by /bin/sh via popen(). */
    char *fmt="%s -bv \"%s\" 2>&1";
 
#if defined(HAVE_SNPRINTF)
    snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
#else
    sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
#endif
 
    debug(D_RCPT, "calling %s", buf);
 
#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
    rv = pthread_mutex_lock(&popen_mutex);
    if (rv)
    {
      debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
      abort();
    }
#endif
 
    p = popen(buf, "r");
    if (!p)
    {
      debug(D_RCPT, "popen failed(%s).  Will not expand aliases", strerror(errno));
      assassin->expandedrcpt.push_back(envrcpt[0]);