Plugin 10394 has been good for finding blank admin passwords, but one system that has been flagged multiple times is an Apple AirPort Extreme base station. No other AirPort base station, Extreme or otherwise, has been so flagged, so I believe the issue has to do with how the base station is configured.
The user has looked at the plugin's .nasl as available online, and I looked over
it cursorily. Nothing appears wrong there. The user has applied the most
recent firmware update to his base station with no change in behavior.
This base station does have a drive attached which is available via SMB/CIFS
so the question is not whether or not SMB is available but whether the
station is vulnerable. Complicating matters somewhat, the user has disabled
the drive share in an attempt to avoid the Nessus alerts being generated, so
I will need to coordinate with the user to ensure valid scanning of the
system in terms of the originally observed behavior.
It's been a while since I used smbclient (command-line), but as far as I
can tell from the terminal window output provided by the user he was able to
connect to IPC$ as "administrator" without providing a password. However the
login appears to be unprivileged (that is, ls returns an error). In
particular:
[EMAIL PROTECTED] ~ $ smbclient -U administrator -N //some.system.name/IPC$
WARNING: The "printer admin" option is deprecated
Domain=[MYDOMAIN] OS=[Apple Base Station] Server=[CIFS 4.30]
smb: \> ls
ERRDOS - ERRbadpath (Directory invalid.) listing \*
0 blocks of size 0. 13 blocks available
It looks to me as if supplying the username "administrator" without a
password works to authenticate against the SMB/CIFS server, but as it is not
a windows computer with an "administrator" account it lacks the privileges
that would make this truly a "hole" severity vulnerability. In fact, looking
through the full scan results again I notice 14818 (Possible GDI+
compromise) pops up as well. This one reports "It was possible to log into
the remote host with the login 'X' and a blank password." which further
suggests to me that *any* account name can be used to "login" without a
password.
I'm not sure about dependency issues, but I also note plugin 24786 (Nessus
Windows Scan not performed with admin privileges) appears to contradict
plugin 10394's assertion of admin access. Perhaps this plugin's appearance
could downgrade the reported severity of 10394? If nothing else I may use
this approach in our reporting tools.
Any thoughts on this?
Tim Doty
_______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
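The probe described in the message above, as an added example that is not part of the original post or of Nessus: a small POSIX shell helper that runs the same blank-password smbclient login against IPC$ for a list of usernames and classifies what the output actually shows (login rejected, connected but unable to list, or able to list). That distinction is the one the post is after: "the server accepts any name and then denies everything" is a different finding from "the administrator account has a blank password". The classifier is exercised offline against the output quoted in the post plus two constructed samples; `some.system.name`, the extra usernames and the `probe_names` helper are placeholders, and the directory-entry pattern assumes smbclient's usual `ls` column layout (name, attribute letters, size, date).

```shell
#!/bin/sh
# Added example, not code from the post or from Nessus.

# The probe from the post: user $2 against host $1, no password (-N),
# one non-interactive 'ls' of IPC$ (-c), stdout and stderr captured together.
# Not run offline; the classifier below is what the test exercises.
probe_blank_password() {
    smbclient -U "$2" -N "//$1/IPC\$" -c 'ls' 2>&1
}

# Classify smbclient output as one of: rejected | privileged | unprivileged | unknown
#   rejected     - the session setup itself failed (bad name/password)
#   privileged   - the login could list directory entries
#   unprivileged - a session was established (Server=[...] banner or an
#                  access/path error on ls) but nothing could be listed
classify_smb_output() {
    out="$1"
    if printf '%s\n' "$out" | grep -Eq 'NT_STATUS_LOGON_FAILURE|session setup failed|ERRbadpw'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -Eq '^ +[^ ].* +[DAHSRN]+ +[0-9]+ +[A-Z][a-z][a-z] [A-Z][a-z][a-z]'; then
        # Assumed smbclient ls layout: "  name   D   0  Mon Mar  5 12:00:00 2007"
        echo privileged
    elif printf '%s\n' "$out" | grep -Eq 'ERRbadpath|ERRnoaccess|NT_STATUS_ACCESS_DENIED|NT_STATUS_BAD_NETWORK_NAME|Server=\['; then
        echo unprivileged
    else
        echo unknown
    fi
}

# Try several names against one host. If a made-up name gets the same result
# as "administrator", the finding is "any name, no password", not a blank
# administrator password. Example (placeholders, not run here):
#   probe_names some.system.name administrator nosuchuser guest
probe_names() {
    host="$1"; shift
    for u in "$@"; do
        printf '%s: %s\n' "$u" "$(classify_smb_output "$(probe_blank_password "$host" "$u")")"
    done
}

# Constructed samples: the first reproduces the output quoted in the post,
# the other two are made up to exercise the remaining branches.
SAMPLE_POST='WARNING: The "printer admin" option is deprecated
Domain=[MYDOMAIN] OS=[Apple Base Station] Server=[CIFS 4.30]
smb: \> ls
ERRDOS - ERRbadpath (Directory invalid.) listing \*
0 blocks of size 0. 13 blocks available'

SAMPLE_REJECTED='session setup failed: NT_STATUS_LOGON_FAILURE'

SAMPLE_PRIVILEGED='Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.24]
smb: \> ls
  .                                   D        0  Mon Mar  5 12:00:00 2007
  ..                                  D        0  Mon Mar  5 12:00:00 2007
  notes.txt                           A      123  Mon Mar  5 12:00:00 2007
		40000 blocks of size 1024. 30000 blocks available'

# Only run the network probe when a host is given on the command line.
if [ -n "${1:-}" ]; then
    probe_names "$1" administrator nosuchuser guest
fi
```

Against the quoted output the classifier reports `unprivileged`: a session is established (the `Server=[CIFS 4.30]` banner), but `ls` fails with `ERRbadpath`, which matches the post's reading that the name authenticates without a password yet carries no useful privilege. Running `probe_names` with a name that cannot exist on the device is the quick way to confirm the "any account name works" hypothesis raised by plugin 14818.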
