Problem in detection of KB4516044 (Windows Server 2016 September 2019 Security Update)

Hello,

I ran into a problem on Windows Server 2016 detecting KB4516044 as missing using the community feed on 7.03.

The problem seems to be the location of the .rsrc record in the ntoskrnl.exe file. Its offset is much higher than in, i.e., urlmon.dll.

When I raise max_recurs to 22 (or higher) on line 788 in plugins/secpod_smb_func.inc (inside the GetVer function), KB4516044 is detected as missing.

With “max_recurs=20” the .rsrc record is never found and rsrc_start remains null. The function then exits:
  if( isnull( rsrc_start ) ) {
    return NULL;
  }

I think the file plugins/secpod_smb_func.inc should be changed at line 788, setting max_recurs=22 (or higher), to take into account the .rsrc record with a higher offset.

Regards,

Bauke

(This might be related to: Fetch_file_version returns FALSE for Ntoskrnl.exe)

1 Like

Hi Bauke,
thank you for the information. We will check this.

Greetings

2 Likes

Forgot to mention: The checked ntoskrnl.exe version is 10.0.14393.3179 (2019-08 Security update). It has 25 sections, the .rsrc section is number 24.

1 Like

Any updates?

Are you using the community feed or the GSF?

Please be aware that new Windows Server NVTs are no longer present in the community feed.

The current NVTs in the community feed are targeted at both server and client versions, see gb_ms_kb4519338.nasl for example. This script still checks for Ntoskrnl.exe and it probably suffers the same problem as before, with GetVer in secpod_smb_func.inc limiting the number of sections checked to 21. The solution is to remove or raise this limit. I’ve been running with a limit of 100 since reporting this issue without problems.

Hi Btgehem,

Fixed the issue. Thanks!

Regards,
Antu

3 Likes

I know a similar issue was reported in "Fetch_file_version returns FALSE for Ntoskrnl.exe", but it looks like there is no follow-up on that.
My problem is that a lot of scripts reading ntoskrnl.exe are not reporting vulnerabilities which should be reported based on the version of the file. For example, 2022/microsoft/gb_ms_kb5018419.nasl, and others. It looks like the file is not read by the script or fetch_file_version has some bugs. I tested locally with different OSes. This seems to happen ONLY in Windows Server 2019.

I followed the suggestion in "Problem in detection of KB4516044 (Windows Server 2016 September 2019 Security Update)": basically, I set the value of max_recurs to 100 at secpod_smb_func.inc:#779, and it worked.

2 Likes
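
The failure mode discussed in this thread, as an added example that is not part of the original posts or of the Greenbone/OpenVAS code: a Python sketch that locates .rsrc by walking exactly NumberOfSections entries from the PE COFF header, next to a fixed cap that stops too early. The function names, the constructed 25-section image (with .rsrc as section 24, as reported above) and the `max_sections` parameter are assumptions; the cap is a simplified stand-in, not GetVer's actual loop.

```python
import struct

def build_pe(section_names):
    """Constructed sample: DOS header, PE signature, COFF header, section table only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew lives at 0x3C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 in this sample), Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x22)
    table = b""
    for i, name in enumerate(section_names):
        # Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 16 unused bytes
        table += struct.pack("<8sIIII16x", name.encode(), 0x1000,
                             0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i)
    return dos + b"PE\0\0" + coff + table

def find_section(image, wanted, max_sections=None):
    """Return (section number, raw offset, raw size) of `wanted`, or None.

    max_sections=None walks every entry the header declares;
    an integer models a hard-coded cap on the number of entries inspected.
    """
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (nsect,) = struct.unpack_from("<H", image, pe_off + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # first section header
    limit = nsect if max_sections is None else min(nsect, max_sections)
    for i in range(limit):
        off = table + 40 * i                                    # each header is 40 bytes
        if off + 40 > len(image):
            raise ValueError("section table truncated")
        name, _vsize, _vaddr, raw_size, raw_off = struct.unpack_from("<8sIIII", image, off)
        if name.rstrip(b"\0") == wanted.encode():
            return i + 1, raw_off, raw_size
    return None

# Constructed section names; only the position of .rsrc (24 of 25) follows the thread.
NAMES = [f".sec{i:02d}" for i in range(1, 26)]
NAMES[23] = ".rsrc"
SAMPLE = build_pe(NAMES)

if __name__ == "__main__":
    print("header-driven walk:", find_section(SAMPLE, ".rsrc"))
    print("fixed cap of 20:   ", find_section(SAMPLE, ".rsrc", max_sections=20))
```

When the capped walk returns None, a version check built on it has no file version to compare, which is how a missing patch can go unreported.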