I am often astonished as to just how many vulnerability checks are included with Nessus. There is something to be said for the scope of the nearly 40,000+ plugins (the numbering of the plugins started at 10001). On October 19, 2010, Nessus plugin number 50,000 was published into the feed. Let's go back and take a look at some of the first plugins:
The "official" first numbered Nessus plugin in the feed is ColdFusion Multiple Vulnerabilities (File Upload/Manipulation) - Plugin ID 10001. I found some interesting information about this vulnerability:
"Although this vulnerability has been known for a while we think it is worse than originally thought. Users can upload and potentially execute files on the web server. Furthermore, few sites seem to have fixed the problem. Major commercial, government, and military sites have been found to still be vulnerable. We hope this advisory helps get the word out to all those webmasters.
The reference cited in the plugin points to a Bugtraq mail list posting that reads:
"In issue 54, volume 8 of Phrack Magazine dated December 25, 1998, rain.forest.puppy describes a security problem with installations of Cold Fusion Application Server when the online documentation is installed."
It seems that while the industry is always changing, some things remain the same (such as vendors not rushing to fix every vulnerability publicly disclosed).
Nessus author Renaud Deraison recalls the oldest plugin, independent of numbering, being "finger.nasl" (Plugin 10068), originally written in C for the first version of Nessus, and later converted to the NASL scripting language. If you thought that older plugins have no relevance today, here is the output of plugin 10068, which was triggered during a vulnerability scan on a "modern day" network:
Following are some of the other plugin milestones:
- Plugin ID 20000: MS05-047: Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege (905749) - This plugin was released in 2005, when remotely exploitable vulnerabilities in Windows systems were of great concern, spawning commentary such as "The standard practice of blocking ports 139 and 445 TCP will help slow exploitation of this.".
- Plugin ID 30000: [DSA1465] DSA-1465-2 apt-listchanges - A bug in the Debian command line "apt-listchanges" that allows for potential local privilege escalation.
- Plugin IS 40000: SuSE 11.0 Security Update: java-1_6_0-openjdk (2009-03-12) - An update to the Java OpenJDK.
- Plugin ID 50000: MS10-075: Vulnerability in Media Player Network Sharing Service Could Allow Remote Code Execution (2281679) (uncredentialed check) - A remote check for MS10-075.
I don't know about you, but I am looking forward to the next 50,000 plugins!