3 Replies. Latest reply: Oct 24, 2014 8:59 AM by hendersonmc

    Interpreting FASL output in the vulnerability CSV spreadsheet?

    jldunn

      I have the magic registry setting set so that FASL output (i.e. 'what it found') shows up in the CSV vulnerability list for an asset report:

      https://kc.mcafee.com/corporate/index?page=content&id=KB73271

      (a much-recommended tweak!)

       

      In some cases I am able to figure out what the FASL output (as listed in the CSV) means.  In some cases it's a godsend!  But for some output I'm confused.  For example:

       

      889175APY7K~2012.12.19~4.2.1~iphone

       

      What does that mean?  Something about iphone, for sure, and there's a date and version number, but is that what it was looking for, or what it found?  And what's that initial sequence of characters?

       

      I don't have easy access to this particular system, and so I can't easily attempt to verify by hand.

      In general, how is the FASL output presented/how does one interpret it?

       

      J.

        • 1. Re: Interpreting FASL output in the vulnerability CSV spreadsheet?

          Hi J.

           

          Any clues as to which script returned that output?  I might be able to tell by checking the script.

           

          Thanks!
          Cathy

          • 2. Re: Interpreting FASL output in the vulnerability CSV spreadsheet?
            jldunn

            Vulnerability IDs 1266, 12811, 12953, 13388, 14184, 12591, 12566, and 12372 all return that particular FASL output string.

            The vulnerability names for all but the last one are in the format

            (HTXXX) Apple iOS Multiple Vulnerabilities Prior To [a version number]

            The last vuln name is

            Apple iOS CoreGraphics FreeType Remote Code Execution

            (I'm guessing that the 4.2.1 is the version the script found/current version, since the version number is constant between the detections.)

            Does that help with identifying the script?

             

            And I gather, based on your answer, that the FASL output doesn't necessarily follow any particular pattern?  It's script-dependent, or rather, dependent on how the developer wrote the script?

             

            Thanks,

            j.

            • 3. Re: Interpreting FASL output in the vulnerability CSV spreadsheet?
              hendersonmc

              Yes, FASL scripts do not have a pattern, other than they tend to document what was relevant to flagging the system.

               

              You know that the FASL scripts are viewable with appropriate access, I assume.

               

              p.s. I looked at a few of the FIDs... they were all identifying vulnerabilities based on the iOS version.

               

              // Copyright 2011 McAfee, Inc.

              FASL.vulnID                = 12811;
              FASL.attackType                = ATTACK_NONINTRUSIVE;
              FASL.os                    = OS_WINDOWS;
              FASL.protocol                 = PROTOCOL_TCP;
              FASL.filtertype                = MODULE_FILTER;
              FASL.filters[whamRequiredCredentials]    = WHAM_CREDENTIALS_ADMIN;
              FASL.filters[whamRequiredServices]    = WHAM_SERVICES_REGISTRY;
              FASL.filters[whamRequiredShares]     = WHAM_SHARES_C;

              include("netbios-helpers.fasl3.inc");
              include("ios-itunes.fasl3.inc");
              include("report.fasl3.inc");

              function faslmain()
              {
                  var vl = [
                      ["iPhone", "3.0", "4.2.2"], // old iPhone 3GS and iPhone 4 (GSM)
                      ["iPhone", "4.3", "5.0"], // iPhone 3GS and iPhone 4 (GSM)
                      ["iPad", "3.2", "5.0"],
                      ["iPod", "3.1", "5.0"]
                  ];

                  try
                  {
                      var r = compareiDeviceVersion(vl); //Compare to see if the iDevice has any of versions listed above

                      if (r)
                      {
                          RptEZ(r);     // this is what generates the FASL output
                          return VULNERABLE;
                      }
                  }
                  catch (e)
                  {
                      if (ReturnValueHandler(e))
                          return INDETERMINATE;
                  }

                  return NOTVULNERABLE;
              }
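
Added example (not part of the thread and not McAfee code): a small JavaScript triage helper that splits the output string quoted in the question and checks its version field against the ranges in the vulnID 12811 script above, which shows whether a reported version is a detected value or one of the script's thresholds. The four-field layout, the `min <= version < max` matching rule, and the helper names `parseIosOutput`, `cmpVersion` and `matchRange` are assumptions; the real behaviour of `compareiDeviceVersion` is not shown on this page.

```javascript
// Added example, not McAfee code. Field layout and range semantics are assumptions.

// Ranges copied from the vulnID 12811 script on this page: [device, min, max].
const RANGES = [
  ["iPhone", "3.0", "4.2.2"],
  ["iPhone", "4.3", "5.0"],
  ["iPad", "3.2", "5.0"],
  ["iPod", "3.1", "5.0"],
];

// Compare dotted versions numerically, so "4.10" sorts after "4.2".
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Assumed layout of this one output string: first~date~version~device.
// The meaning of the first field is unknown. FASL output is script-dependent,
// so any string that does not fit this shape returns null.
function parseIosOutput(s) {
  const f = String(s).trim().split("~");
  if (f.length !== 4 || !/^\d+(\.\d+)*$/.test(f[2])) return null;
  return { first: f[0], date: f[1], version: f[2], device: f[3] };
}

// Assumption: a range matches when min <= version < max ("Prior To" wording).
function matchRange(rec, ranges = RANGES) {
  if (!rec) return null;
  return ranges.find(([dev, min, max]) =>
    dev.toLowerCase() === rec.device.toLowerCase() &&
    cmpVersion(rec.version, min) >= 0 &&
    cmpVersion(rec.version, max) < 0) || null;
}

// Output string quoted in the thread.
const rec = parseIosOutput("889175APY7K~2012.12.19~4.2.1~iphone");
console.log(rec, matchRange(rec));
```

Under these assumptions the reported 4.2.1 falls inside the first iPhone range and is not itself one of the script's boundary values.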