Is VT 107303 a false positive?

solved

#1

I’m new to OpenVAS nasl code, so please help me understand if I’m wrong…

I’m getting what I think is a false positive from 1.3.6.1.4.1.25623.1.0.107303, on every accessible Windows device on the network. It spits out all the boilerplate text in the report, but no actual machine-specific information that I would expect to see (such as the report from line 200ff). Perhaps related, I’ve tried running the WMI command myself and all the service paths seem to be quoted correctly.

Could someone please help me understand why this vulnerability could be showing up in my report, but without any detail? Is there a problem with the nasl?

Thanks very much!


#2

Hi,

and thanks for your report. It would be great if you could provide some more details on your observations:

  1. Which OpenVAS/GVM versions (especially openvas-smb) are you using?
  2. Which Feed-Version are you using?
  3. On which Windows versions are you observing this?
  4. What's the exact output of the VT you're getting? (It should be either about an uninstall and/or service path)
  5. What's the output of the following command (replace the related login data with valid ones and use an absolute path to the wmic if required) started on the system running OpenVAS/GVM:
wmic -U "domain\username%password" //Target-IP "SELECT DisplayName, Name, PathName FROM Win32_Service WHERE NOT PathName LIKE '%c:\\windows\\System32%' AND PathName LIKE '% %'"

Note: If unsure about 1., you could monitor the thread "How to compare the current used versions of the OpenVAS/GVM packages with the GVM-9 stable release?" to see if it receives any answers; if unsure about 2., please create a new thread in https://community.greenbone.net/c/gse


#3

Thanks for your reply. See the answers to your questions below, but I also think I have some insight into this issue.

If I understand the plugin code correctly, the plugin looks for unquoted service paths AND uninstall paths, but it only shows service paths in the plugin output. In our case, we had unquoted uninstall paths. The plugin was registering as a vulnerability in the report, but not providing any output (besides the boilerplate), so there was no way to know why the plugin had fired. To me, that’s confusing behavior, though I’m not sure if it was intended or a mistake.

Is there any way to get this fixed?

As an aside, how do I learn to become a contributor to the plugins/project? I’d be glad to be able to participate in the community once I start understanding nasl code better.

As promised, the answers to your questions:

  1. GVM 8.0+beta1; OpenVAS Scanner 6.0+beta2; I’ll monitor the other thread you linked and report back about openvas-smb when I figure out how.
  2. We’re using Greenbone Community Feed, currently running plugin set 201810231323.
  3. All the ones we have; XP, 7, 10, Server 2012, 2008, Embedded, and various permutations of those.
  4. No output besides the boilerplate
  5. See below:
    AdobeARMservice Adobe Acrobat Update Service "C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe"
    Apple Mobile Device Apple Mobile Device "C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe"
    Bonjour Service Bonjour Service "C:\Program Files\Bonjour\mDNSResponder.exe"
    EHttpSrv ESET HTTP Server "C:\Program Files\ESET\ESET Security\ehttpsrv.exe"
    ekrn ESET Service "C:\Program Files\ESET\ESET Security\ekrn.exe"
    EraAgentSvc ESET Remote Administrator Agent "C:\Program Files\ESET\RemoteAdministrator\Agent\ERAAgent.exe"
    eshasrv ESET SHA Service "C:\Program Files\ESET\ESET Security\eshasrv.exe"
    gupdate Google Update Service (gupdate) "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc
    gupdatem Google Update Service (gupdatem) "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc
    gusvc Google Software Updater "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
    idsvc Windows CardSpace "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
    Lithik-RPC Lithik-RPC "C:\Program Files\lithik\bin\lithik-rpc.exe"
    MozillaMaintenance Mozilla Maintenance Service "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe"
    NetMsmqActivator Net.Msmq Listener Adapter "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe" -NetMsmqActivator
    TeraCopyService TeraCopy Service "C:\Program Files\TeraCopy\TeraCopyService.exe"
    WMPNetworkSvc Windows Media Player Network Sharing Service "C:\Program Files\Windows Media Player\wmpnetwk.exe"
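The wmic query in #2 only filters for paths that contain a space (`LIKE '% %'`), so quoted paths such as the ones above come back too; deciding which of them are actually unquoted is a separate step. The following is an added example (not code from the VT or from this thread) that parses wmic-style output and applies that check. It assumes the pipe-delimited `CLASS:`/header/rows layout of the Samba wmic client; the sample rows are constructed, the first two copied from the output above, the last two invented to show an unquoted path with a space and a harmless unquoted path.

```python
import re

# Constructed sample in the pipe-delimited layout the Samba wmic client prints
# (assumption). Rows 1-2 come from the thread; rows 3-4 are invented.
SAMPLE_WMIC_OUTPUT = r"""CLASS: Win32_Service
DisplayName|Name|PathName
Adobe Acrobat Update Service|AdobeARMservice|"C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe"
Google Update Service (gupdate)|gupdate|"C:\Program Files\Google\Update\GoogleUpdate.exe" /svc
Example Backup Agent|ExampleBackup|C:\Program Files\Example Vendor\Agent\backup.exe -service
Vendor Updater|VendorUpd|C:\Tools\updater.exe --daemon
"""

# Everything up to the first executable extension followed by whitespace/end.
_EXE_RE = re.compile(r"^(.*?\.(?:exe|bat|cmd|com))(?=\s|$)", re.IGNORECASE)


def parse_wmic(output):
    """Yield one dict per row, keyed by the header names, skipping CLASS: lines."""
    rows = [ln for ln in output.splitlines() if ln.strip() and not ln.startswith("CLASS:")]
    header = rows[0].split("|")
    for line in rows[1:]:
        # PathName may itself contain '|' in theory, so only split len(header)-1 times.
        yield dict(zip(header, line.split("|", len(header) - 1)))


def is_unquoted_with_space(pathname):
    """True when the executable part of a service path contains a space and is not quoted."""
    p = pathname.strip()
    if p.startswith('"'):
        return False  # quoted: the service manager knows where the binary ends
    m = _EXE_RE.match(p)
    # Without a recognisable extension we cannot tell binary from arguments,
    # so conservatively consider the whole string.
    exe = m.group(1) if m else p
    return " " in exe


def find_unquoted_services(output):
    """Return the Name of every service whose path would be flagged, mirroring the
    query's exclusion of anything under \\Windows\\System32."""
    flagged = []
    for row in parse_wmic(output):
        path = row["PathName"]
        if "\\windows\\system32" in path.lower():
            continue
        if is_unquoted_with_space(path):
            flagged.append(row["Name"])
    return flagged


if __name__ == "__main__":
    print(find_unquoted_services(SAMPLE_WMIC_OUTPUT))  # ['ExampleBackup']
```

The same `is_unquoted_with_space` check can be applied to the `UninstallString` values from the Uninstall registry keys, which is the second class of path the VT inspects.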

#4

Hi,

and thanks again for the detailed info.

Not exactly: the plugin will report both in the plugin output, but only the "unquoted service" path as a vulnerability and the "uninstall path" as a "log level" entry, for the reason explained in the "insight" tag of the plugin.

Please try to revert to a stable release for productive use for the reason explained in SIGSEGV occurred with openvassd 6 from master. This makes sure that this is not just caused by a bug in GVM which is outside of the scope of this category and topic.

Could you specify the output you got? That would help a little better to understand what you're seeing. E.g. the plugin might show two different outputs:

  1. The following 'Uninstall' registry entries are using an 'unquoted' path: with a severity of 0.0

  2. The following services are using an 'unquoted' service path: with a severity of 9.3

Which of the two did you get in your report?

The pinned topic VT Development as well as existing examples or asking questions related to NASL coding / plugin development within this category could be used as a starting point.


#5

I did end up finding the log messages for ‘Uninstall’ registry entries output. This helped us discover our real problem - we were importing vulnerability data into our system based on their CVSS score (which seems to be a constant rather than variable like severity).

Thank you for pointing me in the right direction to figure this out!