Vulnerability IDs 1266, 12811, 12953, 13388, 14184, 12591, 12566, and 12372 all return that particular FASL output string.
The vulnerability names for all but the last one are in the format
(HTXXX) Apple iOS Multiple Vulnerabilities Prior To [a version number]
The last vuln name is
Apple iOS CoreGraphics FreeType Remote Code Execution
(I'm guessing that the 4.2.1 is the version the script found/current version, since the version number is constant between the detections.)
Does that help with identifying the script?
And I gather, based on your answer, that the FASL output doesn't necessarily follow any particular pattern? It's script-dependent, or rather, dependent on how the developer wrote the script?
Yes, FASL scripts do not have a pattern, other than they tend to document what was relevant to flagging the system.
You know that the FASL scripts are viewable with appropriate access, I assume.
p.s. I looked at a few of the FIDs... they were all identifying vulnerabilities based on the iOS version.
// Copyright 2011 McAfee, Inc.
FASL.vulnID = 12811;
FASL.attackType = ATTACK_NONINTRUSIVE;
FASL.os = OS_WINDOWS;
FASL.protocol = PROTOCOL_TCP;
FASL.filtertype = MODULE_FILTER;
FASL.filters[whamRequiredCredentials] = WHAM_CREDENTIALS_ADMIN;
FASL.filters[whamRequiredServices] = WHAM_SERVICES_REGISTRY;
FASL.filters[whamRequiredShares] = WHAM_SHARES_C;
var vl = [
["iPhone", "3.0", "4.2.2"], // old iPhone 3GS and iPhone 4 (GSM)
["iPhone", "4.3", "5.0"], // iPhone 3GS and iPhone 4 (GSM)
["iPad", "3.2", "5.0"],
["iPod", "3.1", "5.0"]
];
var r = compareiDeviceVersion(vl); // Compare to see if the iDevice has any of the versions listed above
RptEZ(r); // this is what generates the FASL output
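A version-range check of the kind the script's `vl` table implies, as an added example that is not part of the thread and is not McAfee's code. The source of `compareiDeviceVersion` is not shown on the page, so `findVulnerableRange`, `compareVersions` and `parseVersion` are hypothetical names, and the row meaning (lower bound inclusive, upper bound exclusive) is an assumption.

```javascript
// Added illustration; not McAfee's compareiDeviceVersion, whose source is not shown in the thread.
// Assumption: each row is [device, minVersion (inclusive), maxVersion (exclusive)].
const ranges = [
  ["iPhone", "3.0", "4.2.2"],
  ["iPhone", "4.3", "5.0"],
  ["iPad", "3.2", "5.0"],
  ["iPod", "3.1", "5.0"],
];

// Parse "4.2.1" into [4, 2, 1]; reject anything that is not dotted decimal.
function parseVersion(v) {
  if (!/^\d+(\.\d+)*$/.test(v)) throw new Error("unparseable version: " + v);
  return v.split(".").map(Number);
}

// Numeric, component-wise compare; missing components count as 0 ("5" equals "5.0").
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return the matching row, or null when the device/version falls outside every range.
function findVulnerableRange(device, version, table) {
  for (const [name, min, max] of table) {
    if (name === device &&
        compareVersions(version, min) >= 0 &&
        compareVersions(version, max) < 0) {
      return [name, min, max];
    }
  }
  return null;
}

// Constructed sample inputs.
console.log(findVulnerableRange("iPhone", "4.2.1", ranges));  // matches the first row
console.log(findVulnerableRange("iPhone", "4.2.10", ranges)); // no match: 10 > 2 numerically
console.log("4.2.10" < "4.2.2"); // a plain string compare would wrongly flag 4.2.10
```

When triaging a detection like this, the version in the FASL output can be compared against the matched row to confirm the finding is not a version-parsing false positive.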