Discussion:
secpod_reg_enum.nasl
Christian Fischer
2018-09-29 11:30:53 UTC
Hi,

I've stumbled over this older mailing list post which seems to have gotten
lost back then in 2017.
> I've noticed that in many cases, the key name is very similar to the
> InstallName value, apart from the '.mum' on the end, would it not be
> better to just use the key name value for the 'egrep' ?
While doing a review of the mentioned code part I have seen quite a lot
of room for improvement:

It seems the only place where this collected info is used is the
"hotfix_missing" function of secpod_reg.inc.

As the mentioned function is only evaluating registry items matching the
following pattern:

"[P|p]ackage.?[0-9]*.?for.?KB.*"

(which exists in each of the called registry keys and not only in the
"InstallName" sub key) there is indeed absolutely no reason to do
another request for the "InstallName" of each sub key (which could be
quite a lot) and just use the previously enumerated item name instead.

I've just committed some code changes related to secpod_reg_enum.nasl and
some additional improvements to secpod_reg.inc into our SCM system a few
minutes ago. Those changes should hit the feeds around Tuesday next week.
> Not sure if this is the correct place to post about this, but let me
> know if not.
It was indeed the correct place back then in 2017. Starting from
tomorrow (30.09.) the openvas-plugins is shut down [1] and we're happy
to receive such reports in the "Vulnerability tests" category of the new
community platform [2].

[1]
http://lists.wald.intevation.org/pipermail/openvas-plugins/2018-August/001408.html

[2] https://community.greenbone.net/c/vulnerability-tests

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | https://www.greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
Hi
Not sure if this is the correct place to post about this, but let me
know if not.
I've noticed that a particular script; secpod_reg_enum.nasl; is taking
an inordinate length of time to complete. I have set the timeout to
various values and can get the script to complete, but this script alone
is taking over 12 minutes to run.
So, I had a look at it. What it seems to do; and please correct me if
I'm wrong; is scan the registry and make a list of all entries in the
hotfix registry key, whatever that is. It then goes through that list,
one by one, and extracts the 'InstallName' key value for each.
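# Enumerate every sub key below the hotfix registry key.
foreach item (registry_enum_keys(key:key))
{
  # One additional registry request per enumerated sub key.
  Name = registry_get_sz(key:key + item , item:"InstallName");
  if(egrep(pattern:"\KB[0-9]+", string:Name))
  {
    # Store the match as a KB item, with backslashes turned into slashes.
    path = key +item + Name ;
    Name = str_replace(find:"\", replace:"/", string:path);
    name = "SMB/Registry/HKLM/" + Name ;
    set_kb_item(name:name, value:TRUE);
  }
}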
I've noticed that in many cases, the key name is very similar to the
InstallName value, apart from the '.mum' on the end, would it not be
better to just use the key name value for the 'egrep' ?
Regards
Roger
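
An added Python model of the point made in this thread (not code from secpod_reg_enum.nasl, secpod_reg.inc or the committed change): the pattern evaluated by "hotfix_missing" already matches the enumerated sub key name, so the per-key "InstallName" request can be dropped. FakeRegistry, the function names, the sample package names and the reading of "\KB[0-9]+" as KB[0-9]+ are assumptions made for the illustration.

```python
import re

# Pattern quoted in the thread as the one hotfix_missing() evaluates.
HOTFIX_RE = re.compile(r"[P|p]ackage.?[0-9]*.?for.?KB.*")
# Filter used in the quoted loop, "\KB[0-9]+", modelled as KB[0-9]+ (assumption).
LOOP_RE = re.compile(r"KB[0-9]+")

# Constructed sample data: sub key name -> its InstallName value.
PACKAGES = {
    "Package_for_KB4012212~31bf3856ad364e35~amd64~~6.1.1.0":
        "Package_for_KB4012212~31bf3856ad364e35~amd64~~6.1.1.0.mum",
    "Package_2_for_KB4019264~31bf3856ad364e35~amd64~~6.1.1.3":
        "Package_2_for_KB4019264~31bf3856ad364e35~amd64~~6.1.1.3.mum",
    "Package_for_KB976902~31bf3856ad364e35~amd64~~6.1.1.17514":
        "Package_for_KB976902~31bf3856ad364e35~amd64~~6.1.1.17514.mum",
    "Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514":
        "Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum",
}


class FakeRegistry:
    """Hypothetical stand-in for the remote registry; counts every request."""

    def __init__(self, packages):
        self.packages = packages
        self.requests = 0

    def enum_keys(self):
        self.requests += 1
        return list(self.packages)

    def get_sz(self, subkey, item):
        self.requests += 1
        return self.packages[subkey] if item == "InstallName" else None


def hotfix_keys_via_installname(reg):
    """Quoted loop: read InstallName per sub key, then apply both patterns."""
    accepted = set()
    for item in reg.enum_keys():
        name = reg.get_sz(item, "InstallName") or ""
        # KB item text is sub key name + InstallName, as in the quoted code.
        if LOOP_RE.search(name) and HOTFIX_RE.search(item + name):
            accepted.add(item)
    return accepted


def hotfix_keys_via_keyname(reg):
    """Suggested shortcut: match the enumerated sub key name directly."""
    return {item for item in reg.enum_keys() if HOTFIX_RE.search(item)}
```

With N sub keys the first function issues 1 + N registry requests and the second issues 1, which is where the run time reported above goes.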