hi, i'm beginning to scan machines and stare at the report output ... and trying to correlate operating systems with vulnerabilities.
i have a colleague running a loaded SuSE 8.2 box, complete with lots of services and not many patches ... makes for a great test bed! i fired up Nessus (2.2.2a), enabled *all* plugins, disabled 'safe checks', and let her rip. the report says "35 Holes" ... fruitful territory indeed!

i can see various Apache vulnerabilities ... CGI ones, yes, i can see those ... sendmail ... yes ... SNMP ... yes ... but then ... i notice that some of the vulnerabilities *seem* to be OS-specific ... and don't match the OS of this box. for example, this scan shows this box as being vulnerable to both IIS and Darwin vulnerabilities ...

poking thru the list archives, i can see a number of discussions around this, which i would summarize as follows:

- sometimes a vulnerability is *first* discovered (and a plugin written) under one application/OS combination (say, IIS/Windows), and *later* replicated, either precisely or generally, in other combinations (perhaps, Apache/Linux). so the plugin reports an IIS/Windows vulnerability ... but in fact ... this vulnerability, or something similar to it, is found more widely.

- sometimes plugins just make mistakes ... they misinterpret what they are seeing. [hey, i'm not complaining here ... my code does that, too!]

do i understand this issue correctly? or would anyone offer a different interpretation of what i'm seeing?

i include details of this particular scan below, and attach a full copy.

--sk
stuart kendrick
fhcrc

[...]
ndmp (10000/tcp) High
There is a buffer overflow in the remote IIS web server. It is possible to overflow the remote Web server and execute commands as the SYSTEM user. At attacker may make use of this vulnerability and use it to gain access to confidential data and/or escalate their privileges on the Web server. See http://www.eeye.com/html/Research/Advisories/AD20010501.html for more details.
Solution: See http://www.microsoft.com/technet/security/bulletin/ms01-023.mspx
Risk factor : High
CVE : CVE-2001-0241
BID : 2674
[...]
[...]
ndmp (10000/tcp) High
IIS comes with the sample site 'ExAir'. Unfortunately, one of its pages, namely /iissamples/exair/search/advsearch.asp, may be used to make IIS hang, thus preventing it from answering legitimate client requests.
Solution : Delete the 'ExAir' sample IIS site.
Risk factor : High
CVE : CVE-1999-0449
BID : 193
[...]

[...]
ndmp (10000/tcp) High
Cross site scripting, buffer overflow and remote command execution on QuickTime/Darwin Streaming Administration Server. This is due to parsing problems with per script: parse_xml.cgi. The worst of these vulnerabilities allows for remote command execution usually as root or administrator. These servers are installed by default on port 1220. See: http://www.atstake.com/research/advisories/2003/a022403-1.txt
Solution: Obtain a patch or new software from Apple or block this port (TCP 1220) from internet access.
*** Nessus reports this vulnerability using only
*** information that was gathered. Only the existance
*** of the potentially vulnerable cgi script was tested.
Risk factor : High
CVE : CAN-2003-0050, CAN-2003-0051, CAN-2003-0052, CAN-2003-0053, CAN-2003-0054, CAN-2003-0055
BID : 6954, 6955, 6956, 6957, 6958, 6960, 6990
[...]
NESSUS SECURITY SCAN REPORT
Created 20.01.2005
Sorted by host names
Session Name : J4
Start Time : 20.01.2005 06:04:12
Finish Time : 20.01.2005 10:13:03
Elapsed Time : 0 day(s) 04:08:50
[...]

Host: 10.1.2.3
Open ports:

Service: ndmp (10000/tcp)
Severity: High
The 'Perl' CGI is installed and can be launched as a CGI. This is equivalent to giving a free shell to an attacker, with the http server privileges (usually root or nobody).
Solution : remove it from /cgi-bin
Risk factor : High
CVE : CAN-1999-0509

Service: ndmp (10000/tcp)
Severity: High
It is possible to read arbitrary files on the remote Snapstream PVS server by prepending ../../ in front on the file name. It may also be possible to read ../ssd.ini which contains many informations on the system (base directory, usernames & passwords).
Solution : Upgrade your software or change it!
Risk factor : High
CVE : CVE-2001-1108
BID : 3100

Service: ndmp (10000/tcp)
Severity: High
At least one of these file or directories is world readable :
/webcart/orders/
/webcart/orders/import.txt
/webcart/carts/
/webcart/config/
/webcart/config/clients.txt
/webcart-lite/orders/import.txt
/webcart-lite/config/clients.txt
This misconfiguration may allow an attacker to gather the credit card numbers of your clients.
Solution : Do not make directories world readable.
Risk factor : High
CVE : CAN-1999-0610
BID : 2281

Service: ndmp (10000/tcp)
Severity: High
It is possible to read any file on the remote system by prepending several dots before the file name. Example : GET ........../config.sys
Solution : Disable this service and install a real Web Server.
Risk factor : High
CVE : CVE-1999-0386

Service: ndmp (10000/tcp)
Severity: High
The 'guestbook.pl' is installed. This CGI has a well known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon (root or nobody).
Solution : remove it from /cgi-bin.
Risk factor : High
CVE : CAN-1999-1053
BID : 776

Service: ndmp (10000/tcp)
Severity: High
The executables 'redirect.exe' and/or 'changepw.exe' exist on this webserver. Some versions of these files are vulnerable to remote exploit. An attacker can use this hole to gain access to confidential data or escalate their privileges on the web server.
*** As Nessus solely relied on the existence of the redirect.exe or changepw.exe files,
*** this might be a false positive
Solution : remove them from cgi-bin or scripts folder.
Risk factor : High
CVE : CAN-2000-0401
BID : 1256

Service: ndmp (10000/tcp)
Severity: High
The file VsSetCookie.exe exists on this webserver. Some versions of this file are vulnerable to remote exploit.
Solution : remove it from /cgi-bin. To manually test the server, you can try: http://<serverip>/cgi-bin/VsSetCookie.exe?vsuser=<user_name> With a correctly guessed User Name, you will gain full access to the CGI.
*** As Nessus solely relied on the banner of the remote host
*** this might be a false positive
Risk factor : High
CVE : CAN-2002-0236
BID : 3784

Service: ndmp (10000/tcp)
Severity: High
Cross site scripting, buffer overflow and remote command execution on QuickTime/Darwin Streaming Administration Server. This is due to parsing problems with per script: parse_xml.cgi. The worst of these vulnerabilities allows for remote command execution usually as root or administrator. These servers are installed by default on port 1220. See: http://www.atstake.com/research/advisories/2003/a022403-1.txt
Solution: Obtain a patch or new software from Apple or block this port (TCP 1220) from internet access.
*** Nessus reports this vulnerability using only
*** information that was gathered. Only the existance
*** of the potentially vulnerable cgi script was tested.
Risk factor : High
CVE : CAN-2003-0050, CAN-2003-0051, CAN-2003-0052, CAN-2003-0053, CAN-2003-0054, CAN-2003-0055
BID : 6954, 6955, 6956, 6957, 6958, 6960, 6990

Service: ndmp (10000/tcp)
Severity: High
The CGI 'counter.exe' exists on this webserver. Some versions of this file are vulnerable to remote exploit. An attacker may make use of this file to gain access to confidential data or escalate their privileges on the Web server.
Solution : remove it from the cgi-bin or scripts directory.
More info can be found at: http://www.securityfocus.com/bid/267
Risk factor : High
CVE : CAN-1999-1030
BID : 267
Other references : OSVDB:9826

Service: ndmp (10000/tcp)
Severity: High
The remote host appears to be vulnerable to the Apache Web Server Chunk Handling Vulnerability. If Safe Checks are enabled, this may be a false positive since it is based on the version of Apache. Although unpatched Apache versions 1.2.2 and above, 1.3 through 1.3.24 and 2.0 through 2.0.36, the remote server may be running a patched version of Apache
Solution : Upgrade to version 1.3.26 or 2.0.39 or newer
See also : http://httpd.apache.org/info/security_bulletin_20020617.txt http://httpd.apache.org/info/security_bulletin_20020620.txt
Risk factor : High
CVE : CVE-2002-0392
BID : 5033
Other references : IAVA:2002-A-0008

Service: smtp (25/tcp)
Severity: High
The remote sendmail server, according to its version number, may be vulnerable to a remote buffer overflow allowing remote users to gain root privileges. Sendmail versions from 5.79 to 8.12.7 are vulnerable.
Solution : Upgrade to Sendmail ver 8.12.8 or greater or if you cannot upgrade, apply patches for 8.10-12 here: http://www.sendmail.org/patchcr.html
NOTE: manual patches do not change the version numbers. Vendors who have released patched versions of sendmail may still falsely show vulnerability.
*** Nessus reports this vulnerability using only
*** the banner of the remote SMTP server. Therefore,
*** this might be a false positive.
see http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
http://www.cert.org/advisories/CA-2003-07.html
http://www.kb.cert.org/vuls/id/398025
Risk factor : High
CVE : CAN-2002-1337, CVE-2001-1349
BID : 2794, 6991
Other references : IAVA:2003-A-0002

Service: ndmp (10000/tcp)
Severity: High
It was possible to kill the remote HTTP server sending an invalid request to it ('GET /index.html\n\n'). A cracker may exploit this vulnerability to make your web server crash continually or even execute arbitrary code on your system.
Solution : upgrade your software to the latest version
Risk factor : High

Service: ndmp (10000/tcp)
Severity: High
The 'plusmail' CGI is installed. Some versions of this CGI have a well known security flaw that lets an attacker read arbitrary file with the privileges of the http daemon (usually root or nobody).
Solution : remove it from /cgi-bin. No patch yet
Risk factor : High
CVE : CAN-2000-0074
BID : 2653

Service: smtp (25/tcp)
Severity: High
The remote sendmail server, according to its version number, may be vulnerable to a remote buffer overflow allowing remote users to gain root privileges. Sendmail versions from 5.79 to 8.12.9 are vulnerable.
Solution : Upgrade to Sendmail ver 8.12.10.
See also : http://lists.netsys.com/pipermail/full-disclosure/2003-September/010287.html
NOTE: manual patches do not change the version numbers. Vendors who have released patched versions of sendmail may still falsely show vulnerability.
*** Nessus reports this vulnerability using only
*** the banner of the remote SMTP server. Therefore,
*** this might be a false positive.
Risk factor : High
CVE : CAN-2003-0681, CAN-2003-0694
BID : 8641, 8649
Other references : RHSA:RHSA-2003:283-01, SuSE:SUSE-SA:2003:040

Service: ndmp (10000/tcp)
Severity: High
It seems that the source code of various CGIs can be accessed by requesting the CGI name with a special suffix (.old, .bak, ~ or .copy)
Here is the list of CGIs Nessus gathered :
/.htaccess.copy
You should delete these files.

Service: ndmp (10000/tcp)
Severity: High
The CSNews.cgi exists on this webserver. Some versions of this file are vulnerable to remote exploit. An attacker may make use of this file to gain access to confidential data or escalate their privileges on the Web server.
Solution : remove it from the cgi-bin or scripts directory.
Risk factor : High
CVE : CAN-2002-0923
BID : 4994

Service: http (80/tcp)
Severity: High
The remote host is running phpMyAdmin, an open-source software written in PHP to handle the administration of MySQL over the Web. The remote version of this software is vulnerable to one (or both) of the following flaws :
- An attacker may be able to exploit this software to execute arbitrary commands on the remote host on a server which does not run PHP in safe mode.
- An attacker may be able to read arbitrary files on the remote host through the argument 'sql_localfile' of the file 'read_dump.php'.
Solution : Upgrade to version 2.6.1-rc1 or newer
Risk factor : High
CVE : CAN-2004-1147, CAN-2004-1148
BID : 11886

Service: ndmp (10000/tcp)
Severity: High
The CGI 'cgiWebupdate.exe' exists on this webserver. Some versions of this file are vulnerable to remote exploit. An attacker can use this hole to gain access to confidential data or escalate their privileges on the web server.
Solution : remove it from the cgi-bin or scripts folder.
*** As Nessus solely relied on the existence of the cgiWebupdate.exe file,
*** this might be a false positive
Risk factor : High
CVE : CAN-2001-1150
BID : 3216

Service: http (80/tcp)
Severity: High
The remote host is running a version of PHP 4.3 which is older or equal to 4.3.7. PHP is a scripting language which acts as a module for Apache or as a standalone interpreter. There is a bug in the remote version of this software which may allow an attacker to execute arbitrary code on the remote host if the option memory_limit is set. Another bug in the function strip_tags() may allow an attacker to bypass content-restrictions when submitting data and may lead to cross-site-scripting issues.
Solution : Upgrade to PHP 4.3.8
Risk factor : High
CVE : CAN-2004-0594, CAN-2004-0595
BID : 10724, 10725
Other references : OSVDB:7870, OSVDB:7871

Service: ndmp (10000/tcp)
Severity: High
The remote web server has one of these shells installed in /cgi-bin : ash, bash, csh, ksh, sh, tcsh, zsh Leaving executable shells in the cgi-bin directory of a web server may allow an attacker to execute arbitrary commands on the target machine with the privileges of the http daemon (usually root or nobody).
Solution : Remove all the shells from /cgi-bin.
Risk factor : High
CVE : CAN-1999-0509

Service: http (80/tcp)
Severity: High
The remote host is running a version of PHP which is older than 5.0.2. The remote version of this software is vulnerable to a memory disclosure vulnerability in PHP_Variables. An attacker may exploit this flaw to remotely read portions of the memory of the httpd process on the remote host.
See also : http://www.php.net/ChangeLog-5.php#5.0.2
Solution : Upgrade to PHP 5.0.2
Risk factor : High
BID : 11334

Service: ndmp (10000/tcp)
Severity: High
The Webnews.exe exists on this webserver. Some versions of this file are vulnerable to remote exploit.
Solution : remove it from /cgi-bin.
Risk factor : High
CVE : CVE-2002-0290
BID : 4124

Service: ndmp (10000/tcp)
Severity: High
The CGI 'viralator.cgi' is installed. Some versions of this CGI are don't check properly the user input and allow anyone to execute arbitrary commands with the privileges of the web server
** No flaw was tested. Your script might be a safe version.
Solutions : Upgrade this script to version 0.9pre2 or newer
Risk factor : High
CVE : CAN-2001-0849
BID : 3495

Service: http (80/tcp)
Severity: High
The remote host is running a version of PHP which is older than 5.0.3 or 4.3.10. The remote version of this software is vulnerable to various security issues which may, under certain circumstances, to execute arbitrary code on the remote host, provided that we can pass arbitrary data to some functions, or to bypass safe_mode.
See also : http://www.php.net/ChangeLog-5.php#5.0.3
Solution : Upgrade to PHP 5.0.3 or 4.3.10
Risk factor : High
BID : 11964, 11981, 11992, 12045

Service: ndmp (10000/tcp)
Severity: High
There is a buffer overflow in the remote IIS web server. It is possible to overflow the remote Web server and execute commands as the SYSTEM user. At attacker may make use of this vulnerability and use it to gain access to confidential data and/or escalate their privileges on the Web server. See http://www.eeye.com/html/Research/Advisories/AD20010501.html for more details.
Solution: See http://www.microsoft.com/technet/security/bulletin/ms01-023.mspx
Risk factor : High
CVE : CVE-2001-0241
BID : 2674

Service: ndmp (10000/tcp)
Severity: High
The file ndcgi.exe exists on this webserver. Some versions of this file are vulnerable to remote exploit.
Solution : remove it from /cgi-bin.
More info can be found at: http://marc.theaimsgroup.com/?l=bugtraq&m=100681274915525&w=2
*** As Nessus solely relied on the existence of the ndcgi.exe file,
*** this might be a false positive
Risk factor : High
CVE : CAN-2001-0922

Service: http (80/tcp)
Severity: High
The remote host appears to be running a version of Apache which is older than 1.3.29 There are several flaws in this version, which may allow an attacker to possibly execute arbitrary code through mod_alias and mod_rewrite. You should upgrade to 1.3.29 or newer.
*** Note that Nessus solely relied on the version number
*** of the remote server to issue this warning. This might
*** be a false positive
Solution : Upgrade to version 1.3.29
See also : http://www.apache.org/dist/httpd/Announcement.html
Risk factor : High
CVE : CAN-2003-0542

Service: http (80/tcp)
Severity: High
The remote host appears to be running a version of Apache which is older than 1.3.32. There is a local buffer overflow in htpasswd command in this version, which may allow a local user to gain the privileges of the httpd process.
*** Note that Nessus solely relied on the version number
*** of the remote server to issue this warning. This might
*** be a false positive
See also : http://xforce.iss.net/xforce/xfdb/17413
Solution : Upgrade to Apache 1.3.32 when available
Risk factor : High

Service: ndmp (10000/tcp)
Severity: High
The Excite for Webservers is installed. This CGI has a well known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon (root or nobody). Versions newer than 1.1. are patched.
Solution : if you are running version 1.1 or older, then upgrade it.
Risk factor : High
CVE : CVE-1999-0279
BID : 2248

Service: http (80/tcp)
Severity: High
The remote host is running phpMyAdmin, an open-source software written in PHP to handle the administration of MySQL over the Web. The remote version of this software is vulnerable to arbitrary command execution due to a lack of user-supplied data sanitization.
Solution : Upgrade to version 2.6.0-pl2 or newer
Risk factor : High
BID : 11391

Service: ndmp (10000/tcp)
Severity: High
The foxweb.dll or foxweb.exe CGI is installed. Versions 2.5 and below of this CGI program have a security flaw that lets an attacker execute arbitrary code on the remote server.
** Since Nessus just verified the presence of the CGI but could
** not check the version number, this might be a false alarm.
Solution : remove it from /cgi-bin or upgrade it
Risk factor : High

Service: ndmp (10000/tcp)
Severity: High
IIS comes with the sample site 'ExAir'. Unfortunately, one of its pages, namely /iissamples/exair/search/advsearch.asp, may be used to make IIS hang, thus preventing it from answering legitimate client requests.
Solution : Delete the 'ExAir' sample IIS site.
Risk factor : High
CVE : CVE-1999-0449
BID : 193

Service: ndmp (10000/tcp)
Severity: High
The remote web server is running a CGI called 'count.pl' which may be used by an attacker to overwrite any existing file on the remote server, with the privileges of the httpd server. An attacker may use this flaw to prevent this host from working properly.
Solution : Delete /isapi/count.pl
Risk factor : High
BID : 7397

Service: ndmp (10000/tcp)
Severity: High
It is possible to read the include file of PCCS-Mysql, dbconnect.inc on the remote server. This include file contains information such as the username and password used to connect to the database.
Solution: Versions 1.2.5 and later are not vulnerable to this issue. A workaround is to restrict access to the .inc file.
Risk factor : High
CVE : CVE-2000-0707
BID : 1557

Service: smtp (25/tcp)
Severity: High
The remote sendmail server, according to its version number, may be vulnerable to a remote buffer overflow allowing remote users to gain root privileges. Sendmail versions from 5.79 to 8.12.8 are vulnerable.
Solution : Upgrade to Sendmail ver 8.12.9 or greater or if you cannot upgrade, apply patches for 8.10-12 here: http://www.sendmail.org/patchps.html
NOTE: manual patches do not change the version numbers. Vendors who have released patched versions of sendmail may still falsely show vulnerability.
*** Nessus reports this vulnerability using only
*** the banner of the remote SMTP server. Therefore,
*** this might be a false positive.
Risk factor : High
CVE : CAN-2003-0161
BID : 7230
Other references : RHSA:RHSA-2003:120-01
_______________________________________________
Nessus mailing list
http://mail.nessus.org/mailman/listinfo/nessus
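As an added illustration (not part of the post, and not code from Nessus itself): a small Python triage pass over the report layout quoted above. It separates findings the plugin only inferred from a banner or a file's existence (the "*** ... might be a false positive" notes) from findings whose text names a platform other than the scanned host's, which is exactly the IIS/Darwin-on-SuSE situation the poster describes. The sample report text and the marker and hint lists are constructed for this example.

```python
import re

# Constructed sample in the layout of the Nessus 2.x text report quoted above
# (three abbreviated findings); not the poster's real attachment.
SAMPLE_REPORT = """\
Host: 10.1.2.3
Service: ndmp (10000/tcp)
Severity: High
There is a buffer overflow in the remote IIS web server.
Risk factor : High
CVE : CVE-2001-0241
BID : 2674
Service: smtp (25/tcp)
Severity: High
The remote sendmail server, according to its version number, may be vulnerable.
*** Nessus reports this vulnerability using only
*** the banner of the remote SMTP server. Therefore,
*** this might be a false positive.
Risk factor : High
CVE : CAN-2003-0161
BID : 7230
Service: http (80/tcp)
Severity: High
The remote host is running a version of PHP 4.3 which is older or equal to 4.3.7.
Risk factor : High
CVE : CAN-2004-0594, CAN-2004-0595
"""

# Phrases Nessus 2.x plugins print when they only looked at a banner or a file name.
UNVERIFIED_MARKERS = ("might be a false positive", "might be a false alarm",
                      "solely relied", "using only", "no flaw was tested")
# Platform hints in plugin text; a hit outside the target's family deserves review.
PLATFORM_HINTS = {"windows": ("IIS", "SYSTEM user", ".exe", ".asp", ".dll"),
                  "darwin": ("Darwin", "QuickTime", "Apple")}

def parse_report(report):
    """Return one dict per 'Service:' block: service, port, severity, text, cves, bids."""
    findings = []
    for block in re.split(r"^(?=Service: )", report, flags=re.M)[1:]:
        lines = block.strip().splitlines()
        svc, port = re.match(r"Service: (\S+) \((\d+/\w+)\)", lines[0]).groups()
        f = {"service": svc, "port": port, "severity": lines[1].split(":", 1)[1].strip(),
             "text": "\n".join(lines[2:]), "cves": [], "bids": [], "flags": []}
        for key, dest in (("CVE :", "cves"), ("BID :", "bids")):
            for line in lines:
                if line.startswith(key):
                    f[dest] += [v.strip() for v in line[len(key):].split(",")]
        findings.append(f)
    return findings

def triage(report, target_os):
    """Flag findings that are banner/existence-only or that name another platform."""
    findings = parse_report(report)
    for f in findings:
        if any(mk in f["text"].lower() for mk in UNVERIFIED_MARKERS):
            f["flags"].append("unverified")
        for family, hints in PLATFORM_HINTS.items():
            if family != target_os and any(h in f["text"] for h in hints):
                f["flags"].append("platform:" + family)
    return findings
```

Running `triage(SAMPLE_REPORT, "linux")` marks the IIS finding as platform:windows and the sendmail banner check as unverified, leaving the PHP version finding for ordinary follow-up.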
