ID TRENDMICRO_SERVERPROTECT_DETECT.NASL Type nessus Reporter This script is Copyright (C) 2007-2020 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2020-09-14T00:00:00
Description
The remote host is running Trend Micro ServerProtect for Windows / NetWare, an antivirus / antispyware for Windows and NetWare servers.
#
# (C) Tenable Network Security
#
#
include("compat.inc");
# Registration pass: when the engine loads the plugin with `description` set,
# only the metadata below is recorded and the script stops before any
# network traffic is generated.
if (description)
{
  script_id(24679);
  script_version("1.16");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/09/14");

  # Plugin title, passed directly instead of through a temporary array.
  script_name(english:"Trend Micro ServerProtect Detection");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is running an antivirus." );
  script_set_attribute(attribute:"description", value:
"The remote host is running Trend Micro ServerProtect for Windows /
NetWare, an antivirus / antispyware for Windows and NetWare servers." );

  # Informational finding: no remediation and no risk rating are attached.
  script_set_attribute(attribute:"solution", value:"n/a");
  script_set_attribute(attribute:"risk_factor", value:"None" );

  script_set_attribute(attribute:"plugin_publication_date", value: "2007/02/21");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:trend_micro:serverprotect");
  script_set_attribute(attribute:"asset_inventory", value:"True");
  script_end_attributes();

  script_summary(english:"Checks for ServerProtect version");

  # ACT_GATHER_INFO: the plugin is declared as information gathering only.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Service detection");

  script_copyright(english:"This script is Copyright (C) 2007-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The detection logic only ever talks to TCP 5168.
  script_require_ports(5168);
  exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("install_func.inc");
include("misc_func.inc");
include ('smb_func.inc');
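# Detection pass.
#
# Binds to a DCE/RPC interface on TCP 5168, sends one request and, if the
# reply has the expected size, extracts four strings (pattern, version,
# engine, path) for the report, the KB and the install registry.
#
# This script supplies no credentials of its own: everything reported below
# is whatever the listener on 5168 chose to return. Treat the extracted
# strings as untrusted, peer-controlled data in any downstream consumer of
# the KB item, the report text or the registered install.

port = 5168;
if (!get_port_state(port))
  exit(0);

soc = open_sock_tcp(port);
if (!soc)
  exit(0);

# Step 1: DCE/RPC bind to the interface UUID this plugin associates with
# ServerProtect (version 1 of the interface).
ret = dce_rpc_bind(cid:session_get_cid(), uuid:"25288888-bd5b-11d1-9d53-0080c83a5c2c", vers:1);
send(socket:soc, data:ret);
resp = recv(socket:soc, length:4096);

if (!resp)
{
  close(soc);
  exit(0);
}

# A missing or non-zero bind-ack result means the interface was not accepted.
ret = dce_rpc_parse_bind_ack(data:resp);
if (isnull(ret) || (ret != 0))
{
  close(soc);
  exit(0);
}

# Step 2: request body of four little dwords.
# NOTE(review): the meaning of 0x000A0006 is not visible here; 0x300 is
# presumably the size of the output buffer, since the accepted reply is
# 0x308 bytes -- confirm against the interface definition.
data =
  raw_dword(d:0x000A0006) +
  raw_dword(d:0) +
  raw_dword(d:0) +
  raw_dword(d:0x300);

ret = dce_rpc_request(code:0x00, data:data);
send(socket:soc, data:ret);
resp = recv(socket:soc, length:4096);

# Nothing else is exchanged after this reply. Closing here means every
# later exit path leaves no socket open; previously only the two bind
# failure paths closed it.
close(soc);

# Same empty-reply guard as after the bind, so the parser is never handed
# a null buffer.
if (!resp)
  exit(0);

# Only a reply of exactly 0x308 bytes is parsed. This fixed size is also
# what keeps the fixed offsets used below inside the buffer.
resp = dce_rpc_parse_response(data:resp);
if (strlen(resp) != 0x308)
  exit(0);

# The last dword of the reply is read as a status code.
code = get_dword(blob:resp, pos:strlen(resp)-4);

# 0x6ab (1707) matches the Windows RPC_S_INVALID_NET_ADDR status ("not valid
# ip" in the original comment). In that case the service is still reported,
# just without details -- see the trailing else branch; the script does not
# exit silently.
if (code != 0x6ab)
{
  # Fixed-offset strings taken verbatim from the remote reply.
  pattern = get_string(blob:resp, pos:8, _type:0);
  version = get_string(blob:resp, pos:28, _type:0);
  engine  = get_string(blob:resp, pos:56, _type:0);
  path    = get_string(blob:resp, pos:76, _type:0);

  # Make sure there's something to report: at least one field has to start
  # with a digit. NOTE(review): an install path would normally not start
  # with a digit, so in practice the first three fields decide this.
  if (
    !ereg(pattern:"^[0-9]", string:pattern) &&
    !ereg(pattern:"^[0-9]", string:version) &&
    !ereg(pattern:"^[0-9]", string:engine) &&
    !ereg(pattern:"^[0-9]", string:path)
  )
  {
    security_note(port);
  }
  else
  {
    # The KB entry and the report carry the strings exactly as received.
    set_kb_item(name:"Antivirus/TrendMicro/ServerProtect", value:version);

    report =
      '\n Pattern : ' + pattern +
      '\n Version : ' + version +
      '\n Engine : ' + engine +
      '\n Path : ' + path + '\n';
    security_note(port:port, extra:report);
  }

  app = "Trend Micro ServerProtect";
  cpe = "cpe:/a:trend_micro:serverprotect";

  if (empty_or_null(path))
    path = "Failed to retrieve path.";

  # NOTE(review): the install is registered in both branches above, so
  # `version` may be empty or non-numeric here; consumers that compare
  # versions should tolerate that.
  register_install(
    app_name : app,
    version : version,
    path : path,
    port : port, # This is an unusual case but both port and path can be specified
    cpe : cpe
  );
}
else security_note(port);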
{"id": "TRENDMICRO_SERVERPROTECT_DETECT.NASL", "type": "nessus", "bulletinFamily": "scanner", "title": "Trend Micro ServerProtect Detection", "description": "The remote host is running Trend Micro ServerProtect for Windows / NetWare, an antivirus / antispyware for Windows and NetWare servers.", "published": "2007-02-21T00:00:00", "modified": "2020-09-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.tenable.com/plugins/nessus/24679", "reporter": "This script is Copyright (C) 2007-2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-10-16T16:08:12", "viewCount": 11, "enchantments": {"dependencies": {"references": [{"type": "nessus", "idList": ["TRENDMICRO_SERVERPROTECT_AGRPCCLN_OVERFLOW.NASL", "TRENDMICRO_SERVERPROTECT_EARTHAGENT_OVERFLOW.NASL", "TRENDMICRO_SERVERPROTECT_INSTALLED.NASL", "TRENDMICRO_SERVERPROTECT_MULTIPLE.NASL", "TRENDMICRO_SERVERPROTECT_MULTIPLE2.NASL"]}], "rev": 4}, "score": {"value": -0.1, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.1}, "pluginID": "24679", "sourceData": "#\n# (C) Tenable Network Security\n#\n# \n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(24679);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/14\");\n\n name[\"english\"] = \"Trend Micro ServerProtect Detection\";\n script_name(english:name[\"english\"]);\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is running an antivirus.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running Trend Micro ServerProtect for Windows /\nNetWare, an antivirus / antispyware for Windows and NetWare servers.\" );\n script_set_attribute(attribute:\"solution\", value:\"n/a\");\n script_set_attribute(attribute:\"risk_factor\", value:\"None\" );\n 
script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/02/21\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_set_attribute(attribute:\"cpe\",value:\"cpe:/a:trend_micro:serverprotect\");\nscript_set_attribute(attribute:\"asset_inventory\", value:\"True\");\nscript_end_attributes();\n\n \n summary[\"english\"] = \"Checks for ServerProtect version\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Service detection\");\n\n script_copyright(english:\"This script is Copyright (C) 2007-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_require_ports(5168);\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"install_func.inc\");\ninclude(\"misc_func.inc\");\ninclude ('smb_func.inc');\n\n \nport = 5168;\nif ( ! get_port_state(port) )\n exit(0);\n\nsoc = open_sock_tcp (port);\nif (!soc)\n exit (0);\n\nret = dce_rpc_bind(cid:session_get_cid(), uuid:\"25288888-bd5b-11d1-9d53-0080c83a5c2c\", vers:1);\nsend (socket:soc, data:ret);\nresp = recv (socket:soc, length:4096);\n\nif (!resp)\n{\n close (soc);\n exit (0); \n}\n\nret = dce_rpc_parse_bind_ack (data:resp);\nif (isnull (ret) || (ret != 0))\n{\n close (soc);\n exit (0);\n}\n\ndata = \n\traw_dword(d:0x000A0006) +\n\traw_dword(d:0) +\n\traw_dword(d:0) +\n\traw_dword(d:0x300);\n\n\nret = dce_rpc_request (code:0x00, data:data);\nsend (socket:soc, data:ret);\nresp = recv (socket:soc, length:4096);\n\nresp = dce_rpc_parse_response (data:resp);\nif (strlen(resp) != 0x308)\n exit (0);\n\ncode = get_dword(blob:resp, pos:strlen(resp)-4);\n\n# not valid ip -> exit\nif (code != 0x6ab)\n{\n pattern = get_string(blob:resp, pos:8, _type:0);\n version = get_string(blob:resp, pos:28, _type:0);\n engine = get_string(blob:resp, pos:56, _type:0);\n path = get_string(blob:resp, pos:76, _type:0);\n\n # Make sure there's something to report.\n if (\n !ereg(pattern:\"^[0-9]\", 
string:pattern) &&\n !ereg(pattern:\"^[0-9]\", string:version) &&\n !ereg(pattern:\"^[0-9]\", string:engine) &&\n !ereg(pattern:\"^[0-9]\", string:path)\n )\n {\n security_note(port);\n }\n else\n {\n set_kb_item(name:\"Antivirus/TrendMicro/ServerProtect\", value:version);\n\n report = \n '\\n Pattern : ' + pattern +\n '\\n Version : ' + version +\n '\\n Engine : ' + engine +\n '\\n Path : ' + path + '\\n';\n security_note(port:port, extra:report);\n }\n\n app = \"Trend Micro ServerProtect\";\n cpe = \"cpe:/a:trend_micro:serverprotect\"; \n\n if (empty_or_null(path))\n path = \"Failed to retrieve path.\";\n\n register_install(\n app_name : app,\n version : version,\n path : path,\n port : port, # This is an unusual case but both port and path can be specified\n cpe : cpe\n );\n}\nelse security_note(port);\n", "naslFamily": "Service detection", "cpe": ["cpe:/a:trend_micro:serverprotect"], "solution": "", "nessusSeverity": "Info", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": [], "_state": {"dependencies": 1646362127}}