Plugins, Glorious Plugins
In 2009, Tenable released over 8,100 new plugins (and the year isn’t over yet!). These plugins have covered several different types of vulnerabilities, including web applications, embedded systems, local checks for operating systems and much more. We polled Tenable employees in our research and content groups to find some of our favorite plugins released this year, and compiled the following list:
- DD-WRT HTTP Daemon Metacharacter Injection Remote Code Execution - This vulnerability allows remote attackers to inject commands via a flaw in the HTTP management web application on embedded systems running DD-WRT. It was misunderstood by some as being of much lower impact, because by default the remote management port was only available via the "trusted" or "LAN" interface. However, it was demonstrated that a client-side attack could actually be used to exploit this vulnerability in an article titled, "Using Metasploit DD-WRT Exploit Module Thru Pivot".
Tenable’s Director of Research, George Theall, notes, "This tests for an old-school vulnerability in some router software. Not only is it interesting to see such vulnerabilities still around in 2009, the plugin also uses an interesting technique to be able to retrieve the command output so we can display it in the plugin's report."
- Windows Remote Registry Enable/Disable - For remote authenticated checks to run on Windows systems, the remote registry service needs to be enabled. While this may not be a service you wish to run on all your systems, this plugin solves that problem by temporarily enabling and then disabling the remote registry service when the scan has completed.
Ron Gula observes, "Leaving the registry service running on Windows computers that are part of a domain can be a security risk. This plugin lets you perform credentialed registry queries even if the service is not running. Nessus uses the scan credentials to enable the service, perform the needed tests and disable it after it is finished."
- PCI Test Requirements - Back in April of 2009, I wrote a blog post titled, "PCI DSS Auditing Linux, Apache, PHP & MySQL with Nessus 4". This post highlighted the PCI DSS auditing plugins within Nessus against a real-world application.
Ron Gula comments, "Most scanners tell you if you are compliant or not. Nessus actually tells you how to perform the test correctly and why. It also lets you do a partial scan so you can see if you fixed an item that had been making you non-compliant without having to do a full test again."
- USB Drives Enumeration - In 2009, over 218 million records fell into the wrong hands due to some form of breach (according to a report generated by DataLossDB). Some of those data loss incidents can be attributed to removable media such as USB thumb drives. A blog post written by Ron Gula titled "USB Device History Auditing with Nessus" provides more detail on this capability.
Tenable’s Nessus SME, Brian Martin, notes, "USB drives are terribly convenient, and terrible for corporate security. Performing a credentialed scan of a Windows host will find USB drives plugged into a machine, and may give great insight as to who is bringing files in or out of work."
- Malware Infected Host - In a blog post titled, "Detecting Malware Distribution With Nessus", Ron describes how certain strains of malware are spreading over HTTP by setting up their own web servers to propagate. This Nessus plugin will seek out and report on these types of HTTP servers.
Ron Gula says, "This plugin looks for EXEs being served on the network most likely from a compromised host. It is a great way to quickly scan a server and see if it is indeed pushing out executable files."
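To show the kind of check Ron describes, here is an added Python example (not the Nessus plugin's own code): it inspects HTTP response bodies for a Windows PE image by validating the DOS header and the PE signature, and notes when the URL or Content-Type does not advertise an executable. The response bodies are constructed inline for the example.

```python
import struct

# Constructed sample responses (url, content_type, body); not captured from any real host.
# The PE-shaped bodies are minimal: DOS "MZ" header, e_lfanew at offset 0x3C, "PE\0\0" at e_lfanew.
SAMPLE_RESPONSES = [
    ("http://example.test/index.html", "text/html",
     b"<html><body>Hello</body></html>"),
    ("http://example.test/update.php", "text/html",
     b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + b"\x00" * 16),
    ("http://example.test/tool.exe", "application/octet-stream",
     b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + b"\x00" * 16),
    ("http://example.test/readme.txt", "text/plain",
     b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"XXXX"),  # MZ but no PE signature
    ("http://example.test/short.bin", "application/octet-stream", b"MZ"),
]

EXECUTABLE_TYPES = ("application/octet-stream", "application/x-msdownload")


def is_pe_image(body: bytes) -> bool:
    """True if body starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(body) < 64 or body[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    if e_lfanew + 4 > len(body):          # offset points past the data we have
        return False
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_served_executables(responses):
    """Return (url, label) for every response whose body is a PE image.

    label is 'declared' when the URL or Content-Type admits it is an executable,
    and 'disguised' when it is served under an innocuous name and type.
    """
    findings = []
    for url, ctype, body in responses:
        if not is_pe_image(body):
            continue
        declared = ctype.lower().startswith(EXECUTABLE_TYPES) or url.lower().endswith((".exe", ".dll"))
        findings.append((url, "declared" if declared else "disguised"))
    return findings


if __name__ == "__main__":
    for url, label in find_served_executables(SAMPLE_RESPONSES):
        print(f"{label:9} {url}")
```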
- Dell Remote Access Controller Default Password (calvin) for 'root' Account - This was my own addition to the list. I just love plugins that find default passwords, and it’s even better if they give me root! I explain more about this vulnerability in this blog post titled, "Root Is Just A Few Clicks Away".
- Conficker Detection (uncredentialed check) - Conficker was one of the major malware releases in 2009. This Nessus plugin could detect it on remote systems without using credentials.
Tenable’s Research Engineer, Mehul Revankar, observes, "This plugin deserves to be the Numero Uno of all 2009 plugins, because of the obvious hoopla surrounding it :). But the real reason I like this plugin is because it drove us to include messages with exit() calls, which I believe has been a big plus for Nessus overall."
- Backported Security Patches (HTTP) - This is also one of my favorite plugins. In my blog post titled, "Advantages Of Running Both Network & Authenticated Nessus Scans" you can see it in action against a Fedora Linux installation.
Ron says, "There are actually three separate back-ported plugins for FTP, SSH and HTTP. These plugins look at Linux distribution banners for common FTP, HTTP and SSH services that seem as if they have not been patched, but are in fact most likely to have been fixed. These plugins give Nessus a very low false positive rate when scanning without credentials."
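To illustrate the banner heuristic Ron describes, here is an added Python example (not the Nessus plugins' code): it parses constructed service banners, compares the upstream version against a fixed-in version supplied by the caller, and downgrades an "old version" finding to "likely backported" when the banner carries a distribution tag. The fixed-in versions used in the test are hypothetical placeholders, not statements about any real vulnerability.

```python
import re
from typing import Optional

# Distribution tags seen in banners whose vendors backport security fixes
# without bumping the upstream version string. Constructed list for this
# example; a production check would use a maintained table.
BACKPORTING_TAGS = ("debian", "ubuntu", "red hat", "redhat", "centos", "fedora", "suse")

# Matches e.g. "Apache/2.2.3 (CentOS)" or "SSH-2.0-OpenSSH_4.3p2 Debian-9etch3".
BANNER_RE = re.compile(
    r"(?P<product>Apache|OpenSSH|vsFTPd|ProFTPD)[/_ ](?P<version>[\w.]+)\s*(?P<rest>.*)",
    re.IGNORECASE,
)


def version_key(version: str) -> tuple:
    """Crude numeric key: '4.3p2' -> (4, 3, 2). Sufficient for banner triage."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def parse_banner(banner: str) -> Optional[dict]:
    """Extract product, upstream version and any backporting distro tag."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    rest = m.group("rest").lower()
    distro = next((tag for tag in BACKPORTING_TAGS if tag in rest), None)
    return {"product": m.group("product"), "version": m.group("version"), "distro": distro}


def assess(banner: str, fixed_in: str) -> str:
    """Classify a banner against the upstream version that fixed an issue (caller-supplied)."""
    info = parse_banner(banner)
    if info is None:
        return "unknown"
    if version_key(info["version"]) >= version_key(fixed_in):
        return "patched"
    # Version looks old: only report it as vulnerable when no backporting distro is
    # advertised; otherwise assume the vendor shipped the fix under the old number.
    return "likely backported" if info["distro"] else "vulnerable"


# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = [
    ("Apache/2.2.3 (CentOS)", "2.2.9"),
    ("Apache/2.2.3 (Unix)", "2.2.9"),
    ("SSH-2.0-OpenSSH_4.3p2 Debian-9etch3", "5.0"),
    ("Apache/2.2.14 (Unix)", "2.2.9"),
]

if __name__ == "__main__":
    for banner, fixed_in in SAMPLE_BANNERS:
        print(f"{banner!r:42} fixed in {fixed_in:6} -> {assess(banner, fixed_in)}")
```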
- Microsoft Windows SMB Shares Access - I am also a big fan of this plugin. I use it all the time to find sensitive information that is accessible on the network I am testing. I wrote a post on using this plugin in conjunction with the nessuscmd tool titled, "nessuscmd Tip: Finding Open SMB File Shares".
Brian Martin observes, "The plugin that keeps on giving! A simple plugin, but one of the most likely to fire during an internal audit where Windows machines are found. The shared drives could contain nothing or they could contain the entire HR database. Viewing the results of this plugin is like opening gifts on Christmas morning."
- Enhanced Web Application Testing Plugins - It was a unanimous decision from the folks here at Tenable: the web application testing plugins grab the top honors this year. I wrote about them extensively earlier this year, including a blog post titled, "Enhanced Web Application Attacks Added To Nessus", a demonstration video, and a webcast.
Ron Gula notes, "In 2009, Tenable enhanced many web application tests for Nessus and split this across many different plugins. I've worked with several organizations who have had great success performing automated scans on their servers looking for SQL injection issues."
Brian Martin adds, "One little NASL can sink an entire PCI certification! Cross site scripting (XSS) is more than pop-up parlor tricks, and entirely too common in applications and web pages. Everyone from banks to credit card companies to computer security companies are finding they are vulnerable to XSS flaws."
Mehul Revankar says, "Not a plugin per se, but a bunch of enhanced web app tests that didn't exist with all the new options before ‘09. I like to torture webapps with these tests before starting to work on a plugin for the app. You never know what you might find out :)."
George Theall observes, "While these are more than five plugins, as a group they represent a whole new type of functionality for us."
Luke Tamagna-Darr adds, "I was interested in seeing these develop, as I don't think a lot of people saw Nessus as a web-app scanner. With these plugins it gives customers one more use for Nessus which is always good."
Tenable Research Engineer, Luke Tamagna-Darr comments, "With conficker being one of the more significant of worms in terms of the news that it generated, this was a big plus for us to have a plugin that detected it. It even had one customer admitting to wanting to kiss Renaud."
While this year's list certainly is impressive, I can't wait to see what next year brings! I want to thank everyone for their feedback, in particular the Tenable folks who contributed to this article:
- Ron Gula, Chief Executive Officer
- George Theall, Director of Research
- Brian Martin, Nessus SME
- Mehul Revankar, Vulnerability Research Engineer
- Luke Tamagna-Darr, Vulnerability Research Engineer