Mailing List Archive: Nessus: plugins

su/sudo issues with SSH

Index | Next | Previous | View Threaded

nessus at the-jedi

Dec 28, 2008, 12:36 PM

Post #1 of 3 (2551 views)
Permalink

su/sudo issues with SSH

Hi,

First post, but I've been using Nessus, nasl's and .audit files for a
couple of years now.

I've recently been writing a few plugins that require root privileges,
for example to parse /etc/ssh/sshd_config, so they need to use the new
ability to use su or sudo (which I noticed doesn't appear to feature in
Security Center 3?)

Anyway, I've noticed some oddities which may or may not be bugs.....

Firstly the knowledgebase item "Secret/SSH/sudo-password" does not seem
to return to the script if the password is incorrect. I can only assume
that Nessus tries to login and if it fails unsets the variable - along
with "Secret/SSH/sudo" it seems also.

I was hoping to read the password from the knowledgebase to ensure that
the user had actually given a password and elected to use su/sudo, so I
could otherwise raise a security note saying something like "Plugin
could not run due to lack of root credentials", and exit gracefully
before attempting to login.

The second reason for wanting to check for a sudo-password is that there
seems to be another bug in that if the user elects to use su/sudo in the
GUI, but provides no password, the plugin just sits there doing nothing,
never times out and doesn't send any network traffic....

Also, is the return value of ssh_cmd() a newline terminated string, as
'if (buf !~ "^0\n$") {' doesn't seem to match, but knock off the newline
and dollar, and it works fine.

On a partially un-related note, has anyone else noticed that the options
to use amap, nikto, su, sudo and sometimes nmap are missing from the GUI
when you try to create a new scan policy? I've had to create my policies
and manually edit ~/.nessus-client/Policies.xml to put the items in. The
binaries are all in root's $PATH, so that's not it, and they do work.
v3.0 client/server didn't seem to have the problem.

Nessus 3.2.1 and NessusClient 3.2.1.1 on Fedora Core 9 (32-bit) and 10
(64-bit).

Regards.

--
Simon John
nessus at the-jedi.co.uk

_______________________________________________
Plugins-writers mailing list
Plugins-writers [at] list
http://mail.nessus.org/mailman/listinfo/plugins-writers

deraison at nessus

Dec 29, 2008, 5:18 AM

Post #2 of 3 (2404 views)
Permalink

Re: su/sudo issues with SSH [In reply to]

On Dec 28, 2008, at 9:36 PM, Simon John wrote:

> Firstly the knowledgebase item "Secret/SSH/sudo-password" does not
> seem
> to return to the script if the password is incorrect. I can only
> assume
> that Nessus tries to login and if it fails unsets the variable - along
> with "Secret/SSH/sudo" it seems also.

Actually, all the Secret/* KB items are only available to signed
scripts (you probably got an error in nessusd.dump).

You can sign your own scripts if you want, or you can set the option
"nasl_no_signature_checks" to "yes" in nessusd.conf to consider all
scripts as "signed".

[...]
> The second reason for wanting to check for a sudo-password is that
> there
> seems to be another bug in that if the user elects to use su/sudo in
> the
> GUI, but provides no password, the plugin just sits there doing
> nothing,
> never times out and doesn't send any network traffic....

I'll check on this. This is a good point.

>
>
> Also, is the return value of ssh_cmd() a newline terminated string, as
> 'if (buf !~ "^0\n$") {' doesn't seem to match, but knock off the
> newline
> and dollar, and it works fine.

Yes it's new-line terminated, however your regex would not work. =~
and !~ only match a single line, so you'd want "^0$" as a regex.

> On a partially un-related note, has anyone else noticed that the
> options
> to use amap, nikto, su, sudo and sometimes nmap are missing from the
> GUI
> when you try to create a new scan policy? I've had to create my
> policies
> and manually edit ~/.nessus-client/Policies.xml to put the items in.
> The
> binaries are all in root's $PATH, so that's not it, and they do work.
> v3.0 client/server didn't seem to have the problem.

We never experienced this issue. What we are aware of is that if you
edit an existing policy, the newer options won't show up.
Maybe the plugins did not show up because you did a 'nessusd -R' while
these tools where not in your $PATH?

-- Renaud

_______________________________________________
Plugins-writers mailing list
Plugins-writers [at] list
http://mail.nessus.org/mailman/listinfo/plugins-writers

nessus at the-jedi

Dec 29, 2008, 7:25 AM

Post #3 of 3 (2413 views)
Permalink

Re: su/sudo issues with SSH [In reply to]

Renaud Deraison wrote:
> On Dec 28, 2008, at 9:36 PM, Simon John wrote:

[snip]
> Actually, all the Secret/* KB items are only available to signed
> scripts (you probably got an error in nessusd.dump).
>
> You can sign your own scripts if you want, or you can set the option
> "nasl_no_signature_checks" to "yes" in nessusd.conf to consider all
> scripts as "signed".

They are self-signed scripts (nasl -S).

[...]
> We never experienced this issue. What we are aware of is that if you
> edit an existing policy, the newer options won't show up.
> Maybe the plugins did not show up because you did a 'nessusd -R' while
> these tools where not in your $PATH?

Yes that seems to be the case - I've just run 'nessusd -R' and all the
options for Nikto/Amap/Nmap/su/sudo are there now when I create a new
scan policy.

--
Simon John
nessus at the-jedi.co.uk

_______________________________________________
Plugins-writers mailing list
Plugins-writers [at] list
http://mail.nessus.org/mailman/listinfo/plugins-writers

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads