I ran into a problem on Windows Server 2016 detecting KB4516044 as missing using the community feed on 7.03.
The problem seems to be the location of the .rsrc record in the ntoskrnl.exe file. Its offset is much higher than in, e.g., urlmon.dll.
When I raise max_recurs to 22 (or higher) on line 788 in plugins/secpod_smb_func.inc (inside the GetVer function), KB4516044 is detected as missing.
With “max_recurs=20” the .rsrc record is never found and rsrc_start remains null. The function then exits:
if( isnull( rsrc_start ) ) {
  return NULL;
}
I think the file plugins/secpod_smb_func.inc should be changed at line 788 setting max_recurs=22 (or higher) to take into account the .rsrc record with a higher offset.
The current NVTs in the community feed are targeted both at server and client versions, see gb_ms_kb4519338.nasl for example. This script still checks for Ntoskrnl.exe and it probably suffers the same problem as before, with GetVer in secpod_smb_func.inc limiting the number of sections checked to 21. The solution is to remove or raise this limit. I’ve been running with a limit of 100 since reporting this issue without problems.
I know a similar issue was reported (“Fetch_file_version returns FALSE for Ntoskrnl.exe”), but it looks like there is no follow-up on that.
My problem is that a lot of scripts reading ntoskrnl.exe are not reporting vulnerabilities which should be reported based on the version of the file. For example, 2022/microsoft/gb_ms_kb5018419.nasl, and others. It looks like the file is not read by the script or fetch_file_version has some bugs. I tested locally with different OSes. This seems to happen ONLY on Windows Server 2019.
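The failure mode discussed in this thread, as an added Python example that is not part of the original posts and not the feed's NASL code: a PE section-table walk with a fixed cap misses a .rsrc header that sits past the cap, while a walk bounded by the COFF NumberOfSections field finds it. The max_sections parameter is a hypothetical stand-in for max_recurs, and the 23-section image is constructed, not the real ntoskrnl.exe layout.

```python
import struct

def build_pe(section_names):
    """Constructed minimal PE image: DOS header, PE signature, COFF header, section table."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)      # e_lfanew at 0x3C -> 64
    opt_size = 240                                           # size of a PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    table = b""
    for i, name in enumerate(section_names):
        # Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # 12 bytes of reloc/line-number fields, Characteristics = 40 bytes
        table += struct.pack("<8sIIII12xI", name.encode(), 0x1000,
                             0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0)
    return dos + b"PE\x00\x00" + coff + b"\x00" * opt_size + table

def find_rsrc(data, max_sections=None):
    """Return PointerToRawData of the .rsrc section, or None if it is not seen.

    max_sections (hypothetical) imitates a hard-coded cap such as max_recurs;
    None means trust NumberOfSections from the COFF header instead.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]    # SizeOfOptionalHeader
    table = pe + 24 + opt_size                               # first section header
    limit = nsec if max_sections is None else min(nsec, max_sections)
    for i in range(limit):
        off = table + 40 * i
        if off + 40 > len(data):                             # truncated file: stop cleanly
            break
        if data[off:off + 8].rstrip(b"\x00") == b".rsrc":
            return struct.unpack_from("<I", data, off + 20)[0]
    return None

# Constructed layout: 21 filler sections, then .rsrc as the 22nd header.
SAMPLE = build_pe([f"sec{i:02d}" for i in range(21)] + [".rsrc", ".reloc"])

if __name__ == "__main__":
    for cap in (20, 22, None):
        print(f"cap={cap}: .rsrc raw offset = {find_rsrc(SAMPLE, cap)}")
```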