Tools

I'm passionate about building tools to make my life, and the lives of my coworkers, better. While working on Nessus at Tenable, I built Pedant: a static analysis, query, and test framework for NASL (Nessus Attack Scripting Language). The primary goal of Pedant was to ensure that if one of our team ever made a programming mistake, it would be a one-time occurrence, by coding a check for the mistake into the framework.

Plugins

When I started at Tenable in January 2011, I worked in the Nessus Plugins Team. While there, I wrote many, many plugins. I later transferred to the Reverse Engineering Team, where I wrote fewer, more challenging plugins. I also wrote and expanded on many libraries, and even worked on the core Nessus Engine, but since such contributions are more difficult to track, I did not keep a list of them. Below is the list of plugins that I either wrote, or gutted and then completely rewrote, during my 3+ years at Tenable.

  1. OpenSSH 2.5.x - 2.9 Multiple Vulnerabilities
  2. AnalogX Proxy SOCKS4a DNS Hostname Handling Remote Overflow
  3. NEC SOCKS4 Module Username Handling Remote Overflow
  4. Apache mod_suexec Multiple Privilege Escalation Vulnerabilities
  5. Apache Mixed Platform AddType Directive Information Disclosure
  6. OpenSSH < 3.4p1 scp Traversal Arbitrary File Overwrite
  7. Samba SWAT 3.0.2 - 3.0.4 HTTP Basic Auth base64 Buffer Overflow
  8. Sendmail < 8.13.8 Header Processing Overflow DoS
  9. Oracle HTTP Server, January 2007 Critical Patch Update
  10. Oracle HTTP Server, October 2006 Critical Patch Update
  11. OpenSSH >= 2.3.0 AllowTcpForwarding Port Bouncing
  12. SSL Cipher Suites Supported
  13. Derby Network Server Detection
  14. Oracle GlassFish Server Administration Console Default Credentials
  15. OpenSSH < 2.5.2 / 2.5.2p2 Multiple Information Disclosure Vulnerabilities
  16. OpenSSH < 2.9.9 / 2.9p2 Symbolic Link 'cookies' File Removal
  17. Portable OpenSSH < 3.8p1 Multiple Vulnerabilities
  18. OpenSSH < 4.7 Trusted X11 Cookie Connection Policy Bypass
  19. SSL Certificate commonName Mismatch
  20. SSL Certificate with Wrong Hostname
  21. Atlassian JIRA Detection
  22. BlackMoon FTP Server Denial of Service
  23. Asterisk main/utils.c ast_uri_encode() CallerID Information Overflow (AST-2011-001)
  24. HP LoadRunner Unspecified Arbitrary Remote Code Execution
  25. WordPress < 3.0.2 'do_trackbacks()' Function SQL Injection
  26. Exim < 4.74 Local Privilege Escalation
  27. SSL Session Resume Supported
  28. OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue
  29. OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Ciphersuite Disabled Cipher Issue
  30. OpenSSL OCSP Stapling Denial of Service
  31. OpenSSH Legacy Certificate Signing Information Disclosure
  32. WordPress < 3.0.5 Multiple Vulnerabilities
  33. MediaWiki CSS Comments XSS
  34. Majordomo Detection
  35. Majordomo 2 _list_file_get() Function Traversal Arbitrary File Access
  36. Mod_auth_mysql Multibyte Encoding SQL Injection
  37. Asterisk main/udptl.c Buffer Overflows (AST-2011-002)
  38. ISC BIND 9.7.1-9.7.2-P3 IXFR / DDNS Update Combined with High Query Rate DoS
  39. Request Tracker 3.0.0-3.8.9rc1 Security Bypass and Information Disclosure
  40. Apache Derby 'BUILTIN' Authentication Insecure Password Hashing
  41. HP StorageWorks File Migration Agent Detection
  42. HP StorageWorks File Migration Agent Unauthorized Access
  43. Lotus Sametime Detection
  44. IBM Lotus Sametime Server stconf.nsf messageString Parameter XSS
  45. GIT gitweb git_search Shell Metacharacter Arbitrary Command Execution
  46. Wing FTP Server SFTP Connection Unspecified DoS
  47. MediaWiki Backslash Escaped CSS Comments XSS
  48. MediaWiki API XSS
  49. IBM Tivoli Monitoring Java Unspecified Vulnerability
  50. SSL / TLS Renegotiation DoS
  51. Plone Detection
  52. Plone Security Bypass
  53. DB2 9.7 < Fix Pack 4 Multiple Vulnerabilities
  54. HP SiteScope Detection
  55. HP SiteScope XSS
  56. IBM Tivoli Directory Server Vulnerabilities (credentialed check)
  57. BlackBerry Enterprise Server Web Desktop Manager XSS (KB26296)
  58. Portable OpenSSH ssh-keysign ssh-rand-helper Utility File Descriptor Leak Local Information Disclosure
  59. ISC BIND Response Policy Zones RRSIG Query Assertion Failure DoS
  60. FTP Service AUTH TLS Plaintext Command Injection
  61. NNTP Service STARTTLS Plaintext Command Injection
  62. MS11-035: Vulnerability in WINS Could Allow Remote Code Execution (2524426)
  63. SMTP Authentication Methods
  64. Anonymous SMTP Authentication Enabled
  65. SMTP Service Cleartext Login Permitted
  66. Postfix Cyrus SASL Authentication Context Data Reuse Memory Corruption
  67. Postfix Cyrus SASL Authentication Context Data Reuse Memory Corruption (exploit)
  68. Adobe RoboHelp FlashHelp Unspecified XSS (APSB11-09) (credentialed check)
  69. Adobe RoboHelp FlashHelp Unspecified XSS (APSB11-09) (uncredentialed check)
  70. VisiWave Site Survey Report VWR File Handling Overflow
  71. ACAP Service STARTTLS Plaintext Command Injection
  72. XMPP Service STARTTLS Plaintext Command Injection
  73. IBM Lotus Notes Attachment Handling Multiple Buffer Overflows
  74. ISC BIND 9 Large RRSIG RRsets Negative Caching Remote DoS
  75. Wing FTP Server Detection
  76. Wing FTP Server LDAP Authentication Bypass
  77. Symantec Mail Security for Domino Installed
  78. Symantec Mail Security KeyView PRZ Processing Buffer Overflow
  79. MS11-037: Vulnerability in MHTML Could Allow Information Disclosure (2544893)
  80. MS11-038: Vulnerability in OLE Automation Could Allow Remote Code Execution (2476490)
  81. MS11-041: Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2525694)
  82. Flash Player < 10.3.181.26 Multiple Vulnerabilities (APSB11-18)
  83. Shockwave Player < 11.6.0.626 (APSB11-17)
  84. Adobe Acrobat < 10.1 / 9.4.5 / 8.3 Multiple Vulnerabilities (APSB11-16)
  85. Adobe Reader < 10.1 / 9.4.5 / 8.3 Multiple Vulnerabilities (APSB11-16)
  86. Wireshark 1.4.5 Denial of Service
  87. Foxit Reader < 4.0.0.0619 Freetype Engine Remote Integer Overflow
  88. Adobe ColdFusion Remote Development Services
  89. Adobe ColdFusion Remote Development Services Enabled Without Authentication
  90. ISC BIND Response Policy Zones (RPZ) DNAME / CNAME Parsing Remote DoS
  91. ISC BIND 9 Unspecified Packet Processing Remote DoS
  92. Adobe ColdFusion Multiple Vulnerabilities (APSB11-04) (credentialed check)
  93. MS11-055: Vulnerability in Microsoft Visio Could Allow Remote Code Execution (2560847)
  94. MS11-056: Vulnerabilities in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2507938)
  95. HP iNode Management Center Remote Code Execution (HPSB3C02687)
  96. IBM Tivoli Storage Manager Client Multiple Buffer Overflows (swg21457604)
  97. SAP GUI Detection
  98. SAP GUI saplogon.ini File Buffer Overflow (Note 1504547)
  99. BlackBerry Enterprise Server Administration API Unspecified Remote Vulnerability (KB27258)
  100. MS11-060: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (2560978)
  101. MS11-068: Vulnerability in Windows Kernel Could Allow Denial of Service (2556532)
  102. MS11-069: Vulnerability in .NET Framework Could Allow Information Disclosure (2567951)
  103. IBM Lotus Domino Installed
  104. BlackBerry Enterprise Server PNG and TIFF Image Processing Vulnerabilities (KB27244)
  105. Mozilla Thunderbird 3.1 < 3.1.12 Multiple Vulnerabilities
  106. Mozilla Thunderbird < 6.0 Multiple Vulnerabilities
  107. Oracle GlassFish Console
  108. Oracle GlassFish HTTP Server Version
  109. Oracle GlassFish Server Administration Console GET Request Authentication Bypass
  110. Check Point SSL Network Extender ActiveX Control Remote Code Execution
  111. EMC AutoStart ftAgent Multiple Remote Code Execution Vulnerabilities
  112. OpenVPN Server Detection
  113. HP SiteScope Default Credentials
  114. Wireshark 1.4.x < 1.4.9 Multiple Vulnerabilities
  115. Wireshark 1.6.x < 1.6.2 Multiple Vulnerabilities
  116. MS11-070: Vulnerability in WINS Could Allow Elevation of Privilege (2571621)
  117. MS11-074: Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2451858)
  118. SSL Certificate Fails to Adhere to Basic Constraints / Key Usage Extensions
  119. SSL Certificate Chain Not Sorted
  120. SSL Certificate Chain Contains Unnecessary Certificates
  121. MS11-085: Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704)
  122. Oracle HTTP Server Version
  123. SAP Dynamic Information and Action Gateway Detection
  124. SIP Username Enumeration
  125. SSL / TLS Versions Supported
  126. SSL Perfect Forward Secrecy Cipher Suites Supported
  127. FTPS Plaintext Fallback Security Bypass
  128. MS11-096: Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2640241)
  129. MS11-097: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2620712)
  130. MS11-098: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2633171)
  131. Asterisk Multiple Vulnerabilities (AST-2011-013 / AST-2011-014)
  132. NNTP Authentication Methods
  133. Anonymous NNTP Authentication Enabled
  134. NNTP Service Cleartext Login Permitted
  135. Cyrus IMAPd NNTP AUTHINFO USER Command Parsing Authentication Bypass
  136. Winamp < 5.623 Multiple Integer Overflows
  137. PuTTY Detection
  138. PuTTY Password Local Information Disclosure
  139. SSL Certificate Chain Analysis
  140. op5 Portal Detection
  141. op5 Portal Arbitrary Command Execution
  142. op5 Monitor Detection
  143. op5 Config Arbitrary Command Execution
  144. op5 Monitor Credential Leak
  145. op5 Monitor Persistent Session Cookie
  146. SSL Self-Signed Certificate
  147. Oracle Application Server Multiple Vulnerabilities
  148. SimpleSAMLphp Detection
  149. SimpleSAMLphp logout.php link_href Parameter XSS
  150. Oracle GlassFish Server 2.1.1 < 2.1.1 Patch15 Administration Component Unspecified Vulnerability
  151. Oracle GlassFish Server 3.1.1 < 3.1.1.2 Administration Component Unspecified Vulnerability
  152. Oracle GlassFish Server 3.0.1 / 3.1.1 < 3.0.1.5 / 3.1.1.3 Administration Component Unspecified Vulnerability
  153. HP Data Protector Media Operations Server 'DBServer.exe' Remote Code Execution
  154. Scientific Toolworks Understand 'wintab32.dll' DLL Loading Arbitrary Code Execution
  155. LuraWave JP2 ActiveX Control < 2.1.5.11 jp2_x.dll Remote Buffer Overflow
  156. LuraWave JP2 Browser Plug-In < 2.1.1.11 npjp2.dll Remote Buffer Overflow
  157. Astaro Security Gateway Detection
  158. Citrix XenServer Web Self Service Detection
  159. MS12-019: Vulnerability in DirectWrite Could Allow Denial of Service (2665364)
  160. MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)
  161. Novell ZENworks Detection
  162. Novell ZENworks Control Center Detection
  163. Novell ZENworks Configuration Management 10.3 < 10.3.4 Multiple Vulnerabilities
  164. 7-Technologies AQUIS Detection
  165. 7-Technologies AQUIS Unspecified Path Subversion Arbitrary DLL Injection Code Execution
  166. 7-Technologies TERMIS Detection
  167. 7-Technologies TERMIS Unspecified Path Subversion Arbitrary DLL Injection Code Execution
  168. Novell GroupWise / Oracle Outside In Lotus 123 v4 Parser Unspecified Remote Code Execution
  169. Symantec Enterprise Vault / Oracle Outside In Multiple Vulnerabilities (SYM12-004)
  170. Lenovo ThinkManagement Console Detection
  171. Lenovo ThinkManagement Console RunAMTCommand Operation -PutUpdateFileCore Command Parsing Arbitrary File Upload
  172. MS12-028: Vulnerability in Microsoft Office Could Allow Remote Code Execution (2639185)
  173. Citrix XenServer Workload Balancer Detection
  174. SSL Resume With Different Cipher Issue
  175. Citrix XenServer vSwitch Controller Detection
  176. Citrix XenServer vSwitch Controller < 2.0.0+build11349 Multiple Vulnerabilities
  177. Oracle GlassFish Server 3.1.1 < 3.1.1.3 Multiple Vulnerabilities (April 2012 CPU)
  178. Asterisk Manager User Unauthorized Shell Access (AST-2012-004)
  179. Asterisk Heap Buffer Overflow in Skinny Channel Driver (AST-2012-005)
  180. Asterisk Remote Crash Vulnerability in SIP Channel Driver (AST-2012-006)
  181. Novell ZENworks Configuration Management PreBoot Service Opcode Request Parsing Vulnerabilities
  182. MS12-030: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2663830)
  183. MS12-031: Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2597981)
  184. Liferay Portal Detection
  185. Liferay Portal Default Credentials
  186. Liferay Portal < 6.0.6 Multiple Vulnerabilities
  187. Liferay Portal 6.0.5 / 6.0.6 Arbitrary File Download
  188. Liferay Portal 6.1.0 'addUser()' Security Bypass
  189. Windows Flamer / Skywiper Malware Detection
  190. Atlassian Crucible Detection
  191. Atlassian Crucible 2.5.8 / 2.6.8 / 2.7.12 XML Parsing Vulnerability
  192. Atlassian FishEye 2.5.8 / 2.6.8 / 2.7.12 XML Parsing Vulnerability
  193. Atlassian JIRA 5.0.1 XML Parsing Vulnerability
  194. Tornado < 2.2.1 HTTP Response Splitting
  195. Liferay Portal 6.1.0 User Enumeration
  196. Liferay Portal 6.1.0 Forward Target Handling Security Bypass
  197. Liferay Portal upload_progress_poller.jsp XSS
  198. WellinTech KingView History Server Detection
  199. WellinTech KingView Detection
  200. WellinTech KingView 6.53 < 2010-12-15 HistorySvr.exe TCP Request Remote Overflow
  201. WellinTech KingView 6.53 < 2011-11-20 HistoryServer.exe nettransdll.dll Module Op-code 3 Packet Parsing Remote Overflow
  202. WellinTech KingView 6.53 < 2012-03-22 Multiple Vulnerabilities
  203. MS12-039: Vulnerabilities in Lync Could Allow Remote Code Execution (2707956)
  204. WellinTech KingOPCServer Detection
  205. WellinTech KingSCADA Detection
  206. WellinTech KingSCADA 3.1 < 2012-04-16 user.db Base-64 Encoding Local Credentials Disclosure
  207. Network UPS Tools Detection
  208. Network UPS Tools Service STARTTLS Command Support
  209. Network UPS Tools Plaintext Authentication
  210. Network UPS Tools < 2.6.4 addchar() Function Buffer Overflow
  211. MikroTik RouterOS Winbox Detection
  212. MikroTik Winbox < 5.17 File Download DoS
  213. Globus Toolkit GridFTP Server Detection
  214. Globus Toolkit GridFTP Server < 3.42 / 6.11 'getpwnam_r()' Authentication Bypass Vulnerability
  215. Quagga < 0.96.4 Zebra Denial of Service Vulnerability
  216. Quagga < 0.99.12 BGPD Denial of Service Vulnerability
  217. Quagga < 0.99.17 BGPD Multiple Vulnerabilities
  218. Quagga < 0.99.18 BGPD Multiple Denial of Service Vulnerabilities
  219. Quagga < 0.99.19 Multiple Vulnerabilities
  220. Quagga < 0.99.20.1 Multiple Vulnerabilities
  221. Quagga < 0.99.21 BGP Denial of Service Vulnerability
  222. Quagga < 0.98.6 / 0.99.4 Multiple Vulnerabilities
  223. Quagga < 0.98.7 / 0.99.7 BGPD Denial of Service Vulnerability
  224. Quagga < 0.99.9 BGPD Multiple Denial of Service Vulnerabilities
  225. Quagga Zebra Detection
  226. Microsoft IIS 6.0 PHP NTFS Stream Authentication Bypass
  227. Check_MK Agent Detection
  228. WellinTech KingHistorian Detection
  229. MS12-050: Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2695502)
  230. Nagios XI < 2011R3.0 Multiple XSS Vulnerabilities
  231. SSL Certificate Chain Contains Weak RSA Keys
  232. MySQL Authentication Protocol Token Comparison Casting Failure Password Bypass
  233. Nagios XI < 2011R1.9 Multiple Vulnerabilities
  234. Nagios XI < 2011R1.9 login.php XSS
  235. Cyberoam Admin Console Detection
  236. SSL Certificate Signed with the Publicly Known Cyberoam Key
  237. Eucalyptus Walrus Detection
  238. Eucalyptus Cloud Controller Console Detection
  239. Eucalyptus Walrus REST Interface Key Verification Authentication Bypass (ESA-03)
  240. SAP Control SOAP Web Service Detection
  241. SAP Host Control SOAP Web Service Detection
  242. SAP Host Control SOAP Web Service 'Database/Name' Command Execution (SAP Note 1341333)
  243. Advanced Message Queuing Protocol Detection
  244. Advanced Message Queuing Protocol Detection STARTTLS Support
  245. Erlang Port Mapper Daemon Detection
  246. OpenStack Glance Detection
  247. OpenStack Keystone Detection
  248. OpenStack Keystone Default Credentials
  249. SSL Compression Methods Supported
  250. TLS Next Protocols Supported
  251. TLS CRIME Vulnerability
  252. SSL Certificate Signed with the Compromised Fortigate Key
  253. SSL Certificate Chain Contains Illegitimate TURKTRUST Intermediate CA
  254. SSL RC4 Cipher Suites Supported
  255. Citrix Access Gateway Administrative Web Interface Detection
  256. Citrix Access Gateway Administrative Web Interface Default Credentials
  257. Citrix Access Gateway User Web Interface Detection
  258. Citrix Access Gateway 5.x < 5.0.4.223524 Unspecified Security Bypass
  259. JBoss Web Services Endpoint Enumeration
  260. JBossWS Endpoint Uses Unsafe Encryption
  261. SAP Control SOAP Web Service Remote Code Execution (SAP Note 1414444)
  262. SSL Null Cipher Suites Supported
  263. IPMI Cipher Suite Zero Authentication Bypass
  264. IPMI Cipher Suites Supported
  265. Adobe PageMaker Detection
  266. Adobe PageMaker 7.0.1 / 7.0.2 Multiple Vulnerabilities (APSA08-10)
  267. Cisco WebEx One-Click Detection
  268. Cisco WebEx One-Click Password Disclosure
  269. Oracle JRockit Detection
  270. Oracle JRockit R27 < R27.7.6 / R28 < R28.2.8 Unspecified Vulnerability (July 2013 CPU)
  271. HP LaserJet PJL Interface Directory Traversal (HPSBPI02575)
  272. Microsoft SQL Server STARTTLS Support
  273. HTTP Cookie 'secure' Property Transport Mismatch
  274. ICAP Server Type and Version
  275. Blue Coat ProxyAV Detection
  276. Blue Coat ProxyAV < 3.2.6.1 Multiple Admin Function CSRF
  277. Polycom SIP Detection
  278. Polycom HDX < 3.1.1.2 Multiple Vulnerabilities
  279. Cisco Unified MeetingPlace Detection
  280. Cisco Unified MeetingPlace Multiple Session Weaknesses
  281. Cisco Unity Detection
  282. Cisco Unity Remote Administration Authentication Bypass (cisco-sa-20081008-unity)
  283. Adobe JRun Detection
  284. Adobe JRun 4.0 Multiple Vulnerabilities (APSB09-12)
  285. SSL Cipher Block Chaining Cipher Suites Supported
  286. SSH Algorithms and Languages Supported
  287. SSH Server CBC Mode Ciphers Enabled
  288. SAP Sybase Adaptive Server Enterprise Detection
  289. SAP Sybase Adaptive Server Enterprise Information Disclosure (SAP Note 1809246)
  290. SAP Sybase Adaptive Server Enterprise Authorization Bypass (SAP Note 1849356)
  291. SAP Sybase Adaptive Server Enterprise Information Disclosure (SAP Note 1887341)
  292. SAP Sybase Adaptive Server Enterprise DoS (SAP Note 1887342)
  293. SAP Sybase Adaptive Server Enterprise SQL Injection (SAP Note 1893440)
  294. SAP Sybase Adaptive Server Enterprise Directory Traversal (SAP Note 1893556)
  295. SAP Sybase Adaptive Server Enterprise Remote Code Execution (SAP Note 1893558)
  296. SAP Sybase Adaptive Server Enterprise Remote Code Execution (SAP Note 1893560)
  297. SAP Sybase Adaptive Server Enterprise DoS (SAP Note 1893561)
  298. SAP Sybase Adaptive Server Enterprise Information Disclosure (SAP Note 1893562)
  299. SuperMicro Device Uses Default SSH Host Key
  300. SuperMicro Device Uses Default SSL Certificate
  301. SSL Certificate Signed using Weak Hashing Algorithm
  302. IPMI Versions Supported
  303. SAP GUI DLL Loading Arbitrary Code Execution (Note 1511179)
  304. SAP Host Agent SOAP Web Service Information Disclosure (SAP Note 1816536)
  305. SAProuter Detection
  306. SAProuter Remote Authentication Bypass (Note 1853140)
  307. Web Site Client Access Policy File Detection
  308. Certificate Revocation List Expiry
  309. NFS Exported Share Information Disclosure
  310. NFS Share User Mountable
  311. NFS Share Export List
  312. Detect RPC over TCP