PENETRATION TESTING REPORT - VULNERABILITY (FOO)

xxx.xxx.1.11 (foo)


"rusers" service check

Risk Factor: Medium
Complexity: Low
Popularity: Widespread
Impact: Intelligence
Root Cause: Insecure Design
Ease of Fix: Simple

Description:

The "rusers" ONC RPC service (rpc.rusersd), much like finger, reports which users are currently logged into a Unix system. An attacker can use this to build a list of valid usernames for brute-force password guessing and to learn the usage patterns of the system. This check attempts to retrieve the login list from the rusers service on the target host.

Security Concerns:

Attackers can use this information to discover usernames and to determine which hosts your remote users are logging in from.

Suggestion:

If this service is not necessary for your network, either disable it by commenting the appropriate line out of /etc/inetd.conf and restarting inetd, or install some type of access control facility to restrict contact to your RPC services. If you are running SunOS 4.1.X, the securelib library, available at ftp://coast.cs.purdue.edu/pub/tools/unix/securelib, can restrict RPC daemon access by network address. Like finger, rusers can have tcp_wrappers applied to it. It is suggested that for this and any other program started from inetd you install TCP wrappers, available at ftp://ftp.porcupine.org/pub/security. This tool lets you restrict, by IP address and/or hostname, who is allowed to query the rusers daemon. The port will still show as active in a port scan, but if the client host is not allowed to access the service the connection is dropped without providing any information. Tcp_wrappers also logs much more detail to syslog than the daemon itself does, which is another reason to install it in front of any service run from inetd.

Manager Description:

"rusers" is a public information service that provides information about the users on a networked system. The information provided by "rusers" is often sensitive in nature, and can allow attackers to gather information which can be helpful in launching further attacks.

Check output:

LOGIN    foo:console   Tue Feb 01 1  2:07:01
.telnet  foo:/dev/pts  Sat Feb 26 2      ??
.telnet  foo:/dev/pts  Sat Feb 26 2      ??
.telnet  foo:/dev/pts  Sat Feb 26 2      ??
.telnet  foo:/dev/pts  Sat Feb 26 2      ??
.rlogin  foo:/dev/pts  Sat Feb 26 2      ??
.rlogin  foo:/dev/pts  Sun Feb 20 2    ??
.telnet  foo:/dev/pts  Sat Feb 26 2      ??
.telnet  foo:/dev/pts  Sat Feb 26 2      ??
.telnet  foo:/dev/pts  Sat Feb 26 2      ??
.telnet  foo:/dev/pts  Tue Feb 22 1      ??
.telnet  foo:/dev/pts  Tue Feb 22 1      ??


Telnet service banner present

Risk Factor: Low
Complexity: Low
Popularity: Popular
Impact: Intelligence
Root Cause: Misconfiguration
Ease of Fix: Simple

Description:

This check connects to the telnet service on the target host and records the banner it returns before the login prompt.

Security Concerns:

If your telnet banner contains information identifying your operating system, this knowledge may be used to launch operating-system-specific attacks against your network. Here the banner discloses the exact release (SunOS 5.7 is Solaris 7).

Suggestion:

If you are concerned about the information displayed in your telnet banner, edit the following files to modify the content of these messages:
   o /etc/issue
   o /etc/issue.net
   o /etc/gettytab
   o /bin/login sources
On Solaris 2.6 and later, which includes the SunOS 5.7 target, in.telnetd takes its banner from the BANNER entry in /etc/default/telnetd; setting it to an empty string removes the release string.
Additionally, if you are providing telnet service, we recommend that you restrict access to only those sites from which you expect remote logins. TCP wrappers can be configured to restrict internet daemon access to approved remote hosts by editing the access rules in the following files:
   o /etc/hosts.allow
   o /etc/hosts.deny
The TCP wrapper package is available at:
   ftp://ftp.porcupine.org/pub/security

Manager Description:

The "telnet" service allows remote users to log into a computer system. Most "telnet" server implementations provide information about the server to telnet clients attempting to log into the system. While this can be used to present warnings to attackers, it more frequently provides information that can be used by an attacker to learn about the configuration of the system. This information can be used by an attacker to more efficiently attack the system.

Check output:

SunOS 5.7


SMTP banner-check

Risk Factor: Low
Complexity: Low
Popularity: Popular
Impact: Intelligence
Root Cause: Software Implementation Problems
Ease of Fix: Moderate

Description:

This check records the greeting message displayed upon connection to the SMTP port of the target host.

Security Concerns:

The SMTP greeting usually contains the name and exact version of the mail transfer agent you are running. This information can be used to launch specific attacks against software with known vulnerabilities. Sendmail, the most popular SMTP server for Unix, has an extensive history of security problems, and knowledge of the exact version lets an attacker predict which attacks are likely to succeed against your system.

Suggestion:

Sendmail users can change the greeting by editing the SmtpGreetingMessage option in the sendmail configuration file /etc/sendmail.cf (confSMTP_LOGIN_MSG in the m4 configuration); its default, "$j Sendmail $v/$Z; $b", is what expands to the hostname and version string shown below. Hiding the version is no substitute for patching: at the time this check text was written Sendmail's current version was 8.9.1, and nearly all earlier versions have known security problems. Check http://www.sendmail.org for the latest release and upgrade your installation to it. If you are not running sendmail as your SMTP agent, consult your mail daemon's documentation about modifying the version information it displays.

Manager Description:

"SMTP" is the protocol used to deliver Internet electronic mail. SMTP is driven by mail servers, which listen for requests from SMTP clients to deliver or forward mail. Most SMTP server implementations provide information about the server to SMTP clients attempting to transmit mail messages. While this can be used to present warnings to attackers, it more frequently provides information that can be used by an attacker to learn about the configuration of the mail system. This information can be used by an attacker to more efficiently attack the system.

Check output:

220 foo ESMTP Sendmail 8.9.1b+Sun/8.9.1; Sat, 26 Feb 2000 22:19:34 +0100 (MET)


FTP banner check

Risk Factor: Low
Complexity: Low
Popularity: Popular
Impact: Intelligence
Root Cause: Software Implementation Problems
Ease of Fix: Moderate

Description:

The FTP banner check records the greeting returned by the ftp daemon on connection.

Security Concerns:

If the FTP banner your host displays contains specific version information, an attacker can narrow down which attacks are likely to succeed against your system. The banner below identifies the server as wu-ftpd 2.6.0 and even gives its build date.

Suggestion:

If you are running a configurable FTP server such as wu-ftpd, or if you have access to the source code for the version of ftpd you are using, you may want to restrict the information displayed in the ftpd banner. In wu-ftpd 2.6.0 and later the "greeting" directive in ftpaccess ("greeting brief" or "greeting terse") drops the version from the greeting line. If source code for your version of ftpd is unavailable, you can pick up wu-ftpd at ftp://ftp.academ.com/pub/wu-ftpd/private/ (please read the .message file: the directory is not browsable, but the message will point you to the place to pick up the server software). FTP can also be protected with tcp_wrappers. It is suggested that for this and any other program started from inetd you install TCP wrappers, available at ftp://ftp.porcupine.org/pub/security. This tool lets you restrict, by IP address and/or hostname, who is allowed to connect to the ftp daemon. The port will still show as active in a port scan, but if the client host is not allowed to access the service the connection is dropped without providing any information. Tcp_wrappers also logs much more detail to syslog than the daemon itself does, which is another reason to install it in front of any service run from inetd.

Manager Description:

"FTP" is a protocol that allows files to be transferred between machines on the Internet. FTP servers listen for requests from FTP clients to transfer files, optionally requiring them to log in with a username and password. Many FTP server implementations provide information about the server to FTP clients attempting to log into the system. While this can be used to present warnings to attackers, it more frequently provides information that can be used by an attacker to learn about the configuration of the system. This information can be used by an attacker to more efficiently attack the system.

Check output:

220 foo FTP server (Version wu-2.6.0(1) Mon Nov 22 12:00:11 MET 1999) ready.


ESMTP check

Risk Factor: Low
Complexity: Low
Popularity: Widespread
Impact: Intelligence
Root Cause: Software Implementation Problems
Ease of Fix: Moderate

Description:

This check tests whether the mail daemon supports extended SMTP commands by sending EHLO and recording the extensions it advertises.

Security Concerns:

The EHLO command is used by mail transport agents to query which extended SMTP commands a remote mailer will accept. The more a remote user can discern about your mailer, the more likely it is that they can devise a way to exploit your version of sendmail. The reply below advertises EXPN and VERB, so the target will expand aliases and mailing lists for anyone who asks (see the VRFY/EXPN check later in this report).

Suggestion:

We suggest you run a suitable front end for sendmail, or modify your sendmail configuration to return only the information you consider safe for the outside world to have. One way to protect your mailer is to run it in a more protected environment; the smapd tool in the TIS Firewall Toolkit does this. For more information on smapd, which is part of the firewall toolkit, see http://www.tis.com/research/software/fwtk_over.html. The toolkit is free but may not be redistributed. Visit the page for further details or download the kit directly at http://www.tis.com/research/software/fwtk_down.html.

Check output:

250-foo Hello c18763090.telekabel.chello.nl [212.187.63.90], pleased to meet you
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ONEX
250-ETRN
250-XUSR
250 HELP


Routing table retrieved

Risk Factor: Medium
Complexity: Medium
Popularity: Obscure
Impact: Intelligence
Root Cause: Misconfiguration
Ease of Fix: Moderate

Description:

The routing table was retrieved from the routing daemon on the target host. The daemon uses RIP (Routing Information Protocol, UDP port 520) to maintain an up-to-date list of routes for the host it runs on, and a RIP version 1 daemon answers a whole-table request from any source.

Security Concerns:

Outside access to your routing table reveals a significant amount of information about the internal structure of your network which can be used to engineer attacks on your systems. The table below exposes the private 192.168.x.x networks behind the host and the 195.169.80.0 to 195.169.87.0 block that is reachable through it.

Suggestion:

We suggest you ensure that requests to the routing daemon (UDP port 520) are filtered at your Internet gateway. This will also protect your network from an attacker attempting to add false routing entries to your hosts (see the RIP spoofing check later in this report).

Check output:

RIPv1 284 bytes
   0.0.0.0          metric 2  default
   192.168.1.0      metric 3
   xxx.xxx.0.0      metric 1
   192.168.169.0    metric 2
   192.168.10.0     metric 2
   195.169.80.0     metric 2
   195.169.81.0     metric 2
   195.169.82.0     metric 2
   195.169.83.0     metric 2
   195.169.84.0     metric 2
   195.169.85.0     metric 2
   195.169.86.0     metric 2
   195.169.87.0     metric 2
   145.88.0.0       metric 2


rpc.rquotad check

Risk Factor: Low
Complexity: Medium
Popularity: Obscure
Impact: Intelligence
Root Cause: Insecure Design
Ease of Fix: Moderate

Description:

The check polls rpc.rquotad on the target host for user quota information.

Security Concerns:

The rpc.rquotad service provides quota information about NFS-mounted file systems. No authentication is performed by this service, so this information is provided to anyone who makes a request.

Suggestion:

rpc.rquotad is usually started from inetd. If this service is not necessary, comment it out of /etc/inetd.conf and restart inetd with the following command:
   kill -HUP <pid of inetd>
Alternatively, tcp_wrappers could be installed. Tcp_wrappers lets you filter, by IP address or host/domain name, who is allowed access to services started from inetd. While rpc.rquotad may be a necessary service, it is unlikely that the entire network needs access to it. Tcp_wrappers can be found at:
   ftp://ftp.porcupine.org/pub/security
Since this service does not authenticate requests, consider installing some type of host-based access control for your RPC daemons. The securelib replacement libraries for SunOS 4.1.X provide access control functionality. Securelib is available at:
   http://www.cs.purdue.edu/coast/archive/data/categ50.html


rpc.sprayd check

Risk Factor: Low
Complexity: Medium
Popularity: Obscure
Impact: Intelligence
Root Cause: Insecure Design
Ease of Fix: Simple

Description:

The rpc.sprayd service exists so that administrators can measure network traffic statistics. An administrator sends the service a stream of packets and is given statistics on how many of them were received.

Security Concerns:

rpc.sprayd answers anyone, so a remote user can flood the host with packets and measure exactly how many it drops, which is useful in planning a denial-of-service attack.

Suggestion:

The rpc.sprayd service should normally be disabled unless you are testing your network. rpc.sprayd is usually started from inetd. If this service is not necessary, comment it out of /etc/inetd.conf and restart inetd:
   kill -HUP <pid of inetd>
Alternatively, tcp_wrappers could be installed. Tcp_wrappers lets you filter, by IP address or host/domain name, who is allowed access to services started from inetd. While rpc.sprayd may be a necessary service, it is unlikely that the entire network needs access to it. Tcp_wrappers can be found at:
   ftp://ftp.porcupine.org/pub/security


ICMP timestamp obtained

Risk Factor: Low
Complexity: Medium
Popularity: Obscure
Impact: Intelligence
Root Cause: Insecure Design
Ease of Fix: Moderate

Description:

The system time was obtained from the target host using an ICMP timestamp request (ICMP type 13); the host answered with a timestamp reply (type 14). The ICMP protocol defines this operation to query a remote host for the current system time, expressed as milliseconds since midnight UTC.

Security Concerns:

This information may be used by an attacker when attacking time-based authentication protocols. The reply also confirms that the host is up and that ICMP reaches it.

Suggestion:

Disallow ICMP timestamp requests (type 13) through your firewall. On Solaris the host itself can be told not to answer them with "ndd -set /dev/ip ip_respond_to_timestamp 0".

Check output:

ICMP Timestamp Reply: 22:20:01


ICMP netmask obtained

Risk Factor: Low
Complexity: Medium
Popularity: Obscure
Impact: Intelligence
Root Cause: Insecure Design
Ease of Fix: Moderate

Description:

The netmask was obtained from the target host using an ICMP address mask request (ICMP type 17); the host answered with an address mask reply (type 18). The ICMP protocol defines this operation so that a host can learn the netmask of the network it is attached to.

Security Concerns:

This information can assist an attacker in determining the internal structure of your network, as well as the routing scheme. The reply of 255.255.255.0 tells an attacker that the host sits on a /24 and therefore exactly which addresses share its subnet.

Suggestion:

Disallow ICMP netmask requests (type 17) through your firewall.

Check output:

ICMP Netmask Reply: 255.255.255.0
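Both ICMP checks above rely on messages the stack answers without any authentication. The script below is an added example for this report, not the scanner's code: it builds the timestamp request (type 13) and address-mask request (type 17), constructs the replies a target would send, verifies the ICMP checksum and decodes the reply fields into the values quoted in the check output. It handles only the ICMP message itself, with no IP header and no sockets, so it runs offline; the identifier and sequence values are arbitrary assumptions and the originate timestamp is made up.

```python
"""Build and decode ICMP timestamp (type 13/14) and address-mask (type 17/18)
messages as defined in RFC 792.  Added example; not the scanner's code.
Only the ICMP payload is handled (no IP header, no sockets), so it runs offline."""
import struct

ICMP_TIMESTAMP, ICMP_TIMESTAMP_REPLY = 13, 14
ICMP_MASK_REQUEST, ICMP_MASK_REPLY = 17, 18
ICMP_HDR = struct.Struct("!BBHHH")  # type, code, checksum, identifier, sequence


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type: int, ident: int, seq: int, body: bytes) -> bytes:
    """Assemble an ICMP message (code 0) with a correct checksum."""
    header = ICMP_HDR.pack(msg_type, 0, 0, ident, seq)
    return ICMP_HDR.pack(msg_type, 0, checksum(header + body), ident, seq) + body


def verify_checksum(packet: bytes) -> bool:
    """A message with a valid checksum re-checksums to zero."""
    return checksum(packet) == 0


def build_timestamp_request(ident: int, seq: int, originate_ms: int) -> bytes:
    # Sender fills the originate timestamp; receive/transmit are left zero.
    return build_icmp(ICMP_TIMESTAMP, ident, seq, struct.pack("!III", originate_ms, 0, 0))


def build_timestamp_reply(ident, seq, originate_ms, receive_ms, transmit_ms) -> bytes:
    return build_icmp(ICMP_TIMESTAMP_REPLY, ident, seq,
                      struct.pack("!III", originate_ms, receive_ms, transmit_ms))


def build_mask_request(ident: int, seq: int) -> bytes:
    return build_icmp(ICMP_MASK_REQUEST, ident, seq, b"\x00\x00\x00\x00")


def build_mask_reply(ident: int, seq: int, mask: str) -> bytes:
    return build_icmp(ICMP_MASK_REPLY, ident, seq, bytes(int(o) for o in mask.split(".")))


def ms_to_clock(ms: int) -> str:
    """RFC 792 timestamps are milliseconds since midnight UT; the high bit marks a
    non-standard value, which is simply dropped here."""
    seconds = (ms & 0x7FFFFFFF) // 1000
    return "%02d:%02d:%02d" % (seconds // 3600, (seconds // 60) % 60, seconds % 60)


def _parse(packet: bytes, expected_type: int):
    if len(packet) < ICMP_HDR.size or not verify_checksum(packet):
        raise ValueError("truncated message or bad checksum")
    msg_type, _code, _sum, ident, seq = ICMP_HDR.unpack_from(packet)
    if msg_type != expected_type:
        raise ValueError("unexpected ICMP type %d" % msg_type)
    return ident, seq, packet[ICMP_HDR.size:]


def parse_timestamp_reply(packet: bytes) -> dict:
    ident, seq, body = _parse(packet, ICMP_TIMESTAMP_REPLY)
    originate, receive, transmit = struct.unpack("!III", body[:12])
    return {"ident": ident, "seq": seq, "originate": originate, "receive": receive,
            "transmit": transmit, "clock": ms_to_clock(transmit)}


def parse_mask_reply(packet: bytes) -> str:
    _ident, _seq, body = _parse(packet, ICMP_MASK_REPLY)
    return ".".join(str(b) for b in body[:4])


if __name__ == "__main__":
    # Constructed exchange reproducing the values in the report (ident/seq/originate are made up).
    request = build_timestamp_request(0x1234, 1, 80374000)
    reply = build_timestamp_reply(0x1234, 1, 80374000, 80401000, 80401000)
    print("request bytes:", request.hex())
    print("timestamp reply clock:", parse_timestamp_reply(reply)["clock"])
    print("netmask:", parse_mask_reply(build_mask_reply(0x1234, 2, "255.255.255.0")))
```

To send these on a live network you would write the request into a raw socket (SOCK_RAW, IPPROTO_ICMP) and feed whatever comes back into the parse functions; the checksum check is what tells a genuine reply from line noise.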

 

 

 

 

 

 

 

 

WWW Web Server Version

Risk Factor: Low
Complexity: Low
Popularity: Widespread
Impact: Intelligence
Root Cause: Software Implementation Problems
Ease of Fix: Difficult

Description:

This check returns the version of the WWW server running on the remote host, if the server discloses it.

Security Concerns:

Ensure that you are running the most current version of your web server software. An attacker can use the version information from your web server to determine whether any known vulnerabilities are present. To see whether your web server gives this information, connect from a telnet window to port 80 (or whatever port your web server is running on) and issue a request such as:
   GET / HTTP/1.0
followed by an empty line. The beginning of the reply may carry the server information, generally in a "Server:" header line (a proxy uses "Proxy-agent:" instead). In the example below, taken from a proxy server, we see that the proxy is version 3.5 of Netscape's proxy server:
   HTTP/1.0 200 OK
   Proxy-agent: Netscape-Proxy/3.5
   Date: Fri, 18 Sep 1998 06:41:01 GMT
   Accept-ranges: bytes
   Last-modified: Fri, 31 Jul 1998 19:23:47 GMT
   Content-length: 939
   Content-type: application/x-ns-proxy-autoconfig
For Apache, the ServerTokens directive controls the header: "ServerTokens Min" (Apache 1.3) still shows the version number, and "ServerTokens Prod", available in releases after 1.3.12, reduces it to "Apache".

Check output:

Apache/1.3.9 (Unix)


"portmapper" or "rpcbind" RPC service present

Risk Factor: Low
Complexity: Low
Popularity: Widespread
Impact: Authorization::Intelligence
Root Cause: Misconfiguration
Ease of Fix: Moderate

Description:

The portmapper service was found running on the target host. Since RPC services do not run on well-known ports, this service maps RPC program numbers to the dynamic port numbers the services currently listen on. RPC client programs consult it when they connect to a remote RPC server.

Security Concerns:

This service can be used to survey your hosts for vulnerable RPC services. The registration list below is a complete inventory of the RPC daemons on the target, including those covered by their own checks in this report (rusersd, rquotad, sprayd, status, mountd, nfs) and several programs that rpcinfo could not name.

Suggestion:

We suggest that you restrict access to this service at your router by adding filter rules that prevent outside access to TCP and UDP port 111 on your internal network. Be aware that it is not necessary to contact the portmapper to connect to an RPC service: specialized port-scanning software can find RPC services by probing the ports directly, so filtering port 111 hides the inventory but does not protect the daemons themselves.

References:

See the Unix manual pages for the "portmap" (BSD based systems) or "rpcbind" (System V based systems) services.

Check output:

    program vers proto   port
     100000    4   tcp    111  portmapper
     100000    3   tcp    111  portmapper
     100000    2   tcp    111  portmapper
     100000    4   udp    111  portmapper
     100000    3   udp    111  portmapper
     100000    2   udp    111  portmapper
     100024    1   udp  32772  status
     100024    1   tcp  32771  status
     100021    1   udp   4045  nlockmgr
     100021    2   udp   4045  nlockmgr
     100021    3   udp   4045  nlockmgr
     100021    4   udp   4045  nlockmgr
     100133    1   udp  32772
     100133    1   tcp  32771
     100021    1   tcp   4045  nlockmgr
     100021    2   tcp   4045  nlockmgr
     100021    3   tcp   4045  nlockmgr
     100232   10   udp  32773  sadmind
     100011    1   udp  32774  rquotad
     100021    4   tcp   4045  nlockmgr
     100002    2   udp  32775  rusersd
     100002    3   udp  32775  rusersd
     100002    2   tcp  32772  rusersd
     100002    3   tcp  32772  rusersd
     100012    1   udp  32776  sprayd
     100008    1   udp  32777  walld
     100083    1   tcp  32773  ttdbserverd
     100221    1   tcp  32774  kcmsd
     100235    1   tcp  32775
     100068    2   udp  32778  cmsd
     100068    3   udp  32778  cmsd
     100068    4   udp  32778  cmsd
     100068    5   udp  32778  cmsd
     100005    1   udp  32781  mountd
     100005    2   udp  32781  mountd
     100005    3   udp  32781  mountd
     100005    1   tcp  32778  mountd
     100005    2   tcp  32778  mountd
     100005    3   tcp  32778  mountd
     100003    2   udp   2049  nfs
     100003    3   udp   2049  nfs
     100227    2   udp   2049  nfs_acl
     100227    3   udp   2049  nfs_acl
     100003    2   tcp   2049  nfs
     100003    3   tcp   2049  nfs
     100227    2   tcp   2049  nfs_acl
     100227    3   tcp   2049  nfs_acl
     100249    1   udp  32783
     100249    1   tcp  32781
     300598    1   udp  32786
     300598    1   tcp  32782
  805306368    1   udp  32786
  805306368    1   tcp  32782
     100068    2   tcp  57706  cmsd
     100068    3   tcp  57706  cmsd
     100068    4   tcp  57706  cmsd
     100068    5   tcp  57706  cmsd


Sendmail VRFY and EXPN check

Risk Factor: Low
Complexity: Low
Popularity: Popular
Impact: Intelligence
Root Cause: Software Implementation Problems
Ease of Fix: Simple

Description:

This check attempts to obtain additional user information from the SMTP port of the target host with the VRFY and EXPN commands. VRFY can be used to identify valid user accounts on the system, whereas EXPN can be used to identify the delivery addresses of mail aliases and mailing lists. The EHLO reply recorded by the ESMTP check above advertises EXPN.

Suggestion:

Your mailer should not allow remote users to use either EXPN or VRFY. These commands can provide a great deal of information that could be used by an attacker to compromise your system, and we suggest you remove your mailer's ability to honour them. With Sendmail version 8 both are controlled by the PrivacyOptions option in sendmail.cf:
   O PrivacyOptions=novrfy,noexpn
or, when generating sendmail.cf with m4:
   define(`confPRIVACY_FLAGS', `novrfy,noexpn')
The "goaway" flag turns on all of the privacy options at once. With novrfy set, sendmail still answers VRFY, but with "252 Cannot VRFY user", which reveals nothing about the address; what you are eliminating is the distinct 250 and 550 replies that confirm or deny an account.
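The SMTP banner, ESMTP and VRFY/EXPN checks all read the same few lines of server output. The script below is an added example rather than the scanner's code: it extracts the MTA version from the banner quoted in the SMTP banner check, parses the multi-line EHLO reply from the ESMTP check, classifies the reply a VRFY or EXPN probe would receive, and emits the sendmail.cf line that turns the commands off. The banner and EHLO strings are copied from this report; the VRFY reply strings used to exercise the classifier are constructed, and the reply codes it keys on (250, 252, 502, 550) are the ones sendmail 8 uses.

```python
"""Triage of SMTP reconnaissance output: banner version, EHLO extensions,
VRFY/EXPN reply classification and the sendmail.cf fix.  Added example; not
the scanner's code.  Input strings are copied from the report."""
import re

SMTP_BANNER = "220 foo ESMTP Sendmail 8.9.1b+Sun/8.9.1; Sat, 26 Feb 2000 22:19:34 +0100 (MET)"
EHLO_RESPONSE = """\
250-foo Hello c18763090.telekabel.chello.nl [212.187.63.90], pleased to meet you
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ONEX
250-ETRN
250-XUSR
250 HELP"""

# Matches sendmail's default greeting "$j Sendmail $v/$Z; $b".
BANNER_RE = re.compile(r"^220[ -](?P<host>\S+)\s+(?:ESMTP\s+)?(?P<software>Sendmail)\s+(?P<version>[^\s;]+)")
# Extensions whose presence lets a remote user harvest or probe accounts and aliases.
INFO_LEAK_EXTENSIONS = {"EXPN": "alias/list expansion", "VERB": "verbose delivery mode"}


def parse_banner(line):
    """host, MTA name and version from the greeting; None if it is not sendmail's default form."""
    m = BANNER_RE.match(line)
    return m.groupdict() if m else None


def parse_ehlo(text):
    """Split a multi-line 250 reply (RFC 1869): '250-' lines continue, '250 ' ends it."""
    lines = text.splitlines()
    extensions = []
    for i, line in enumerate(lines):
        last = i == len(lines) - 1
        if not line.startswith("250 " if last else "250-"):
            raise ValueError("malformed EHLO reply at line %d: %r" % (i + 1, line))
        if i:  # first line is the greeting, not an extension keyword
            extensions.append(line[4:].split()[0].upper())
    return lines[0][4:], extensions


def classify_vrfy_reply(reply):
    """Map the reply to a VRFY/EXPN probe onto what it tells the prober."""
    code = reply[:3]
    if code == "250":
        return "user-exists"      # address confirmed: a valid login name leaks
    if code in ("550", "551", "553"):
        return "user-unknown"     # still an oracle: the prober learns the name is bad
    if code == "252":
        return "refused"          # "cannot VRFY, try RCPT": the novrfy behaviour
    if code in ("500", "502"):
        return "disabled"         # command not implemented or not allowed
    return "other"


def assess(banner, ehlo):
    """Findings a reviewer would raise from the banner and EHLO reply alone."""
    findings = []
    parsed = parse_banner(banner)
    if parsed:
        findings.append("version disclosed: %s %s on %s" % (parsed["software"], parsed["version"], parsed["host"]))
    _greeting, extensions = parse_ehlo(ehlo)
    for keyword, why in INFO_LEAK_EXTENSIONS.items():
        if keyword in extensions:
            findings.append("%s advertised (%s)" % (keyword, why))
    return findings


def privacy_options_line(flags):
    """sendmail.cf option line that disables the commands (confPRIVACY_FLAGS under m4)."""
    return "O PrivacyOptions=" + ",".join(sorted(flags))


if __name__ == "__main__":
    for finding in assess(SMTP_BANNER, EHLO_RESPONSE):
        print("-", finding)
    print("fix:", privacy_options_line({"novrfy", "noexpn"}))
```

In a live check the same functions are fed the lines read from the socket after connecting to port 25, sending EHLO, and then VRFY and EXPN for a handful of names; classify_vrfy_reply() is what turns the raw reply into a pass or fail.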

 

 

 

 

 

 

 

 

rpc.statd link/unlink check

Risk Factor: High
Complexity: Medium
Popularity: Widespread
Impact: Data Integrity
Root Cause: Software Implementation Problems
Ease of Fix: Moderate

Description:

rpc.statd (or simply statd on some machines) works with rpc.lockd to keep file-locking state consistent on NFS servers. Many versions of rpc.statd have a vulnerability whereby they can be made to unlink (delete) or create files as root remotely. This check discerns whether your version of rpc.statd is vulnerable. There is no way to verify remotely whether the attempt worked, so the check tries to create a file named /tmp/tigerteam.statd on the target; if that file exists on the specified host, the host is vulnerable, and the file should be removed once the finding has been confirmed.

Security Concerns:

Remote users can remove or create any file on your workstations as root.

Suggestion:

This program is essential to an NFS environment. If you are running a vulnerable version, obtain a patch for this problem from your vendor. The portmapper listing above shows the host registering status (program 100024) on UDP 32772 and TCP 32771.

References:

CERT Advisory CA-96.09.rpc.statd
ftp://ftp.cert.org/pub/cert_advisories/CA-96.09.rpc.statd
SGI Advisory 19960301-01-P
ftp://sgigate.sgi.com/security/19960301-01-P


Mount & NIS services on non-reserved ports check

Risk Factor: Medium
Complexity: Low
Popularity: Obscure
Impact: System Integrity
Root Cause: Software Implementation Problems
Ease of Fix: Moderate

Description:

This checks for the mount daemon and NIS services (ypserv, ypbind) running on non-privileged ports (above 1023). Any of these services running on a non-reserved port is most likely vulnerable to port hijacking: an unprivileged user who can bind that port can then intercept or supply data flowing between the daemon and its clients. In the portmapper listing above, mountd (program 100005) is registered on UDP 32781 and TCP 32778.

Suggestion:

This problem has been solved in newer releases of free Unix systems such as OpenBSD and Linux. Commercial vendors had yet to address this problem as of the date this check text was written (09/20/96). We suggest you check with your vendor for a fix.

 

 

 

 

 

 

 

 

Sequential port allocation check

Risk Factor: Medium
Complexity: Medium
Popularity: Obscure
Impact: Intelligence
Root Cause: Software Implementation Problems
Ease of Fix: Difficult

Description:

This check tests whether the host allocates its ephemeral ports in sequential order. If it does, an attacker can predict the source port of the host's next connection and use that to forge replies from a third party the host consults for authentication or name resolution, such as a DNS server, since a forged reply is only accepted if it carries the right destination port.

Suggestion:

We suggest that, if possible, you ensure that your host does not allocate ports sequentially.


NFS - world exports found

Risk Factor: High
Complexity: Low
Popularity: Popular
Impact: Confidentiality::Data Integrity::Authorization::Availability::Intelligence
Root Cause: Misconfiguration
Ease of Fix: Simple

Description:

The target host was found to have directories exported to "everyone" via NFS. By exporting directories to "everyone", anyone who can connect to the target host is able to mount and access these file systems. On this host the root file system itself, along with /usr, /usr/local, /var and /disk3, is exported without restriction.

Security Concerns:

If the target file systems contain any sensitive information, any user who is able to reach the target host is able to read this information, as well as possibly modify it. With / and /var exported, that includes system configuration and log files.

Suggestion:

It is recommended that you immediately place access restrictions on the specified file systems if you do not intend to export them to "everyone" (on Solaris this is done with the share options in /etc/dfs/dfstab, for example "share -F nfs -o ro=client1:client2 /disk3"). It is also recommended that you prevent the NFS service from passing through your border router by blocking TCP and UDP port 2049, if you do not require outsiders to access this host via NFS. Since the mount daemon is registered on a dynamic port (see the portmapper listing above), also filter port 111 and the RPC port range, or the export list and mount requests will still get through.

References:

CERT Advisory CA-91:21.SunOS.NFS.Jumbo.and.fsirand
ftp://ftp.cert.org/pub/cert_advisories/CA-91:21.SunOS.NFS.Jumbo.and.fsirand
CERT Advisory CA-92:15.Multiple.SunOS.vulnerabilities.patched
ftp://ftp.cert.org/pub/cert_advisories/CA-92:15.Multiple.SunOS.vulnerabilities.patched
CERT Advisory CA-93:15.SunOS.and.Solaris.vulnerabilities
ftp://ftp.cert.org/pub/cert_advisories/CA-93:15.SunOS.and.Solaris.vulnerabilities
CERT Advisory CA-94:02.REVISED.SunOS.rpc.mountd.vulnerability
ftp://ftp.cert.org/pub/cert_advisories/CA-94:02.REVISED.SunOS.rpc.mountd.vulnerability
CERT Advisory CA-94:15.NFS.Vulnerabilities
ftp://ftp.cert.org/pub/cert_advisories/CA-94:15.NFS.Vulnerabilities

Check output:

/
/usr
/usr/local
/var
/disk3


MOUNTD - exported file system list retrieved

Risk Factor: Low
Complexity: Medium
Popularity: Popular
Impact: Confidentiality::Data Integrity::Authorization::Availability::Intelligence
Root Cause: Software Implementation Problems
Ease of Fix: Moderate

Description:

A list of exported file systems was retrieved from the target host's mount daemon (the same information "showmount -e" displays). An attacker can use this list to infer trust relationships on the network and to discover file systems that are exported without restriction.

Suggestion:

The NFS protocol is inherently weak in its security. It is recommended that all NFS traffic be restricted at your network router and that proper filtering mechanisms be applied. Ensure that you are running a current NFS implementation. Also ensure that proper restrictions are placed on all exported file systems.

Check output:

filesystem     restrictions
/              everyone
/usr           everyone
/usr/local     everyone
/var           everyone
/disk3         everyone


MOUNTD - Linux/Solaris file existence vulnerability

Risk Factor: Low
Complexity: Medium
Popularity: Obscure
Impact: Intelligence
Root Cause: Software Implementation Problems
Ease of Fix: Moderate

Description:

The Linux and Solaris rpc.mountd (NFS mount daemon) lets a remote user determine whether a file exists on the server. By comparing the error messages rpc.mountd returns for mount requests naming different paths, an attacker can tell whether a file exists without having any legitimate access to the NFS server. NOTE: This check may report a false positive on systems that export /etc via NFS; on this host / is exported to everyone, which is why the paths under /etc below are reported as "mounted" rather than merely confirmed to exist.

Security Concerns:

Remote users can search for the existence of key files on a remote server.

Suggestion:

Upgrade your server to a newer release in which this problem is fixed.

References:

SecurityFocus Bugtraq database
http://www.securityfocus.com/bid/95

Check output:

/non-existant-file : Permission denied
/etc/passwd : mounted
/etc/group : mounted
/etc/shadow : mounted
/etc/master.passwd : No such file or directory
/etc/hosts.allow : mounted
/etc/hosts.deny : mounted
/vmlinuz : Permission denied


RIP spoofing check

Risk Factor: High
Complexity: Medium
Popularity: Widespread
Impact: System Integrity::Accountability::Authorization::Availability
Root Cause: Insecure Design
Ease of Fix: Moderate

Description:

The target host was found to be using RIP (Routing Information Protocol) to obtain routing information, and it has been determined that it runs RIP version 1. A RIP version 1 message carries no authentication field at all, so a routing daemon that accepts it will install routes from any datagram that reaches UDP port 520; it is an easily spoofed protocol. (RIP version 2 adds a simple-password authentication entry and, with the later keyed-MD5 extension, a cryptographic one.)

Suggestion:

It is recommended that you use alternate routing protocols in any security-critical environment, or static routes on hosts that have no need to learn routes dynamically. It is also recommended that you prevent RIP traffic from entering your network by blocking UDP port 520 at your border router.
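The routing-table and RIP-spoofing findings are two faces of one protocol property: a RIPv1 message contains nothing a receiver could authenticate. The encoder/decoder below is an added example and not the scanner's code. It builds the whole-table request that retrieved the table above, rebuilds the 284-byte response from the 14 routes in that finding (the masked network xxx.xxx.0.0 is replaced by 10.0.0.0, an assumption made only so that the address packs), and parses a response back. Note that parse() can check framing and metric range and nothing else, which is the whole of the spoofing problem.

```python
"""Encode and decode RIP version 1 messages (RFC 1058).  Added example; not the
scanner's code.  The third network in the report is masked as xxx.xxx.0.0; the
constructed table below substitutes 10.0.0.0 for it (an assumption)."""
import struct
from ipaddress import IPv4Address

RIP_PORT = 520
RIP_REQUEST, RIP_RESPONSE = 1, 2
AF_UNSPEC, AF_INET = 0, 2
RIP_INFINITY = 16
HEADER = struct.Struct("!BBH")      # command, version, must-be-zero
ENTRY = struct.Struct("!HHIIII")    # family, zero, address, zero, zero, metric

# Routes from the "Routing table retrieved" finding: 14 entries, 4 + 14 * 20 = 284 bytes.
ROUTES = ([("0.0.0.0", 2), ("192.168.1.0", 3), ("10.0.0.0", 1), ("192.168.169.0", 2),
           ("192.168.10.0", 2)]
          + [("195.169.%d.0" % n, 2) for n in range(80, 88)]
          + [("145.88.0.0", 2)])


def build_request():
    """Whole-table request: a single entry with family 0 and metric 16 (RFC 1058 3.4.1)."""
    return HEADER.pack(RIP_REQUEST, 1, 0) + ENTRY.pack(AF_UNSPEC, 0, 0, 0, 0, RIP_INFINITY)


def build_response(routes):
    """Response carrying (network, metric) pairs; a datagram holds at most 25 entries."""
    if len(routes) > 25:
        raise ValueError("RIP datagram carries at most 25 entries")
    body = b"".join(ENTRY.pack(AF_INET, 0, int(IPv4Address(net)), 0, 0, metric)
                    for net, metric in routes)
    return HEADER.pack(RIP_RESPONSE, 1, 0) + body


def parse(packet):
    """Return (command, [(family, network, metric), ...]).  Only framing and the metric
    range can be validated: a v1 message has no field a receiver could authenticate."""
    if len(packet) < HEADER.size or (len(packet) - HEADER.size) % ENTRY.size:
        raise ValueError("bad RIP length %d" % len(packet))
    command, version, _zero = HEADER.unpack_from(packet)
    if version != 1:
        raise ValueError("not RIPv1 (version %d)" % version)
    entries = []
    for offset in range(HEADER.size, len(packet), ENTRY.size):
        family, _z1, addr, _z2, _z3, metric = ENTRY.unpack_from(packet, offset)
        if not 1 <= metric <= RIP_INFINITY:
            raise ValueError("metric %d out of range" % metric)
        entries.append((family, str(IPv4Address(addr)), metric))
    return command, entries


def is_whole_table_request(packet):
    command, entries = parse(packet)
    return command == RIP_REQUEST and entries == [(AF_UNSPEC, "0.0.0.0", RIP_INFINITY)]


def routes_from_response(packet):
    """(network, metric) pairs from a response, ignoring non-IP families."""
    command, entries = parse(packet)
    if command != RIP_RESPONSE:
        raise ValueError("not a RIP response")
    return [(net, metric) for family, net, metric in entries if family == AF_INET]


if __name__ == "__main__":
    response = build_response(ROUTES)
    print("request: %d bytes, response: %d bytes" % (len(build_request()), len(response)))
    for net, metric in routes_from_response(response):
        print("   %-16s metric %d" % (net, metric))
```

Sending build_request() to UDP port 520 of a host running routed is exactly what the "Routing table retrieved" check did; the reply it got back parses with routes_from_response(). The same build_response() output, sent to the host from any address on its segment, is what the spoofing finding warns about, and the only thing the receiving daemon checks is what parse() checks.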

 

 

 

 

 

 

 

 

TCP sequence numbers are predictable

 

 

 

 

Risk Factor:

High

 

 

 

Complexity:

Medium

 

 

 

Popularity:

Popular

 

 

 

Impact:

Accountability::Authorization

 

 

 

Root Cause:

Software Implementation Problems

 

 

 

Ease of Fix:

Moderate

 

 

 

Description:

The target host was found to be vulnerable to TCP sequence number prediction attacks.  The host generates TCP sequence numbers in a pattern which can be guessed by an intruder to launch TCP spoofing based attacks.

 

 

 

Security Concerns:

If the target host runs services which rely on the IP address of the client as an authentication mechanism, this service can be exploited by an attacker to mimic a legitimate host.

 

 

 

Suggestion:

If your host is vulnerable to this attack we suggest that you ensure you are not relying on host based authentication for any network based services.  These usually consist of the BSD derived "rsh" service and the "rlogin" service.

 

 

 

References:

CERT Advisory CA-95:01.IP.spoofing
ftp://ftp.cert.org/pub/cert_advisories/CA-95:0 1.IP.spoofing
CIAC Advisory f-08.IP-spoof-hijacked-session
ftp://ciac.llnl.gov/pub/ciac/bulletin/f-fy95/f-08. IP-spoof-hijacked-session
SecurityFocus Bugtraq database
http://www.securityfocus.com/bid/604
SecurityFocus Bugtraq database
http://www.securityfocus.com/bid/107

 

 

 

 

TCP Initial Sequence Numbers
#
##: Sequence Number    Difference
 ---: ---------------  ------------
  0        210131009             0
  1        212003516       1872507
  2        213828587       1825071
  3        215252848       1424261
  4        216127897         875049
  5        217421549       1293652
  6        217471019         49470
  7        219058877       1587858
  8        220348448       1289571
  9        220862329         513881
 10        221321693         459364
 11        221575182         253489
 12        222361418         786236
 13        222768536         407118
 14        223969627       1201091
 15        224367475         397848
 16        224798348         430873
 17        225423332         624984
 18        226084972         661640
 19        226447683         362711
 20        226840931         393248
 21        227171664         330733
 22        227683814         512150
 23        228052229         368415
 24        228400381         348152
 25        229316389         916008
mean <767415.19> variance <269191413760.0000>
run-ups of length 1 : 8
run-ups of length 2 : 1
run-ups of length 3 : 1
run-ups of length 4 : 0
run-ups of length 5 : 0
run-ups of length 6 : 0
Chi-square test with V= -0.4400 for a run length test with 6 categories
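The table above can be re-analysed with a few lines of Python. This is an added example, not part of the report or of the scanner: it recomputes the consecutive differences, their mean and sample variance (the figures the scanner prints on its "mean/variance" line), tallies ascending runs, and contrasts the result with a host that draws random 32-bit ISNs. The run tally follows Knuth's runs-up definition (maximal ascending runs); the report does not say which convention its scanner uses, so those counts are not expected to match its "run-ups" lines, and the Chi-square statistic is not reproduced. The "window_fraction" figure is my own summary measure of predictability, not one the report defines.

```python
import random
import statistics

MOD = 1 << 32   # TCP sequence numbers are 32-bit, so consecutive differences wrap modulo 2^32

# The 26 initial sequence numbers printed in the report's table (copied from it as the input).
REPORTED_ISNS = [
    210131009, 212003516, 213828587, 215252848, 216127897, 217421549, 217471019,
    219058877, 220348448, 220862329, 221321693, 221575182, 222361418, 222768536,
    223969627, 224367475, 224798348, 225423332, 226084972, 226447683, 226840931,
    227171664, 227683814, 228052229, 228400381, 229316389,
]


def isn_deltas(isns):
    """Difference between each ISN and the previous one, modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def ascending_runs(values):
    """Tally maximal ascending runs (Knuth's 'runs up' test): {run_length: count}."""
    tally = {}
    length = 1
    for prev, cur in zip(values, values[1:]):
        if cur > prev:
            length += 1
        else:
            tally[length] = tally.get(length, 0) + 1
            length = 1
    tally[length] = tally.get(length, 0) + 1
    return tally


def isn_report(isns):
    """Summarise how predictable the next ISN is from the ones already observed."""
    d = isn_deltas(isns)
    mean = statistics.fmean(d)
    var = statistics.variance(d)           # sample variance (n-1), the figure the scanner prints
    sd = var ** 0.5
    # Share of the 32-bit space lying within two standard deviations of the expected next ISN:
    # the smaller it is, the weaker the host's ISN generation.
    window_fraction = min(1.0, 4 * sd / MOD)
    return {"mean": mean, "variance": var, "stdev": sd,
            "window_fraction": window_fraction, "runs_up": ascending_runs(d)}


def random_isns(n, seed=1):
    """Constructed comparison set: a host drawing each ISN uniformly from the 32-bit space."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    for label, sample in (("reported host", REPORTED_ISNS), ("random-ISN host", random_isns(26))):
        r = isn_report(sample)
        print(f"{label}: mean delta {r['mean']:.2f}, variance {r['variance']:.1f}, "
              f"stdev {r['stdev']:.0f}, window {r['window_fraction']:.2e} of 2^32, "
              f"runs {r['runs_up']}")
```

For the reported host the differences cluster around 767,000 with a standard deviation near 520,000, so the next ISN lies in a band covering well under a thousandth of the 32-bit space; the random comparison set shows the variance (on the order of 10^18) that a host without this weakness produces.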

UUCP service check

Risk Factor:

Low

Complexity:

Low

Popularity:

Obscure

Impact:

Intelligence

Root Cause:

Misconfiguration

Ease of Fix:

Simple

Description:

This check discerns whether the UUCP service is offered on a host. Many network-connected systems ship with the UUCP service enabled by default, which may open up potential security problems.

Suggestion:

If you are not specifically using UUCP for mail delivery, it is highly recommended that this service be turned off. This can be achieved by editing the file /etc/inetd.conf and placing a '#' character in front of the line:

uucp stream tcp nowait uucp /usr/sbin/tcpd /usr/lib/uucp/uucico -l

which should appear as follows when turned off:

#uucp stream tcp nowait uucp /usr/sbin/tcpd /usr/lib/uucp/uucico -l

After this change has been made, inetd will have to be restarted. This can be performed by finding the process ID of inetd and sending it a HUP signal from the command prompt:

kill -HUP PID
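The procedure above (comment out the entry, then HUP inetd) is the same for any inetd-managed service, so the following added example generalises it. It is not code from the report; it operates on a constructed inetd.conf in the Solaris layout the report quotes and on constructed `ps -e` output, and the function names are mine. It only rewrites the file text and returns the command to run; sending the signal is left to the administrator.

```python
# Constructed sample of an /etc/inetd.conf (not the scanned host's real file).
SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
uucp stream tcp nowait uucp /usr/sbin/tcpd /usr/lib/uucp/uucico -l
#finger stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
rusersd/2-3 tli rpc/datagram_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
"""

# Constructed `ps -e` output used to locate the inetd process id.
SAMPLE_PS_OUTPUT = """\
  PID TTY      TIME CMD
    1 ?        0:01 init
  142 ?        0:00 inetd
  150 ?        0:00 syslogd
"""


def disable_inetd_services(conf_text, services):
    """Comment out every active inetd.conf entry whose service name is in `services`.

    Returns (new_text, names_changed). RPC-style entries such as 'rusersd/2-3' match on
    the part before the slash. Lines already commented out are left untouched, so the
    function is safe to run more than once.
    """
    out, changed = [], []
    for line in conf_text.splitlines():
        fields = line.split()
        active = bool(fields) and not line.lstrip().startswith("#")
        if active and fields[0].split("/")[0] in services:
            out.append("#" + line)
            changed.append(fields[0])
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed


def find_pids(ps_output, command):
    """Process ids whose CMD column equals `command` in a `ps -e` style listing."""
    pids = []
    for line in ps_output.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[-1] == command:
            pids.append(int(fields[0]))
    return pids


def hup_command(pid):
    """The restart step from the report: SIGHUP makes inetd reread inetd.conf."""
    return ["kill", "-HUP", str(pid)]


if __name__ == "__main__":
    new_conf, changed = disable_inetd_services(SAMPLE_INETD_CONF, {"uucp"})
    print(new_conf)
    print("disabled:", changed)
    for pid in find_pids(SAMPLE_PS_OUTPUT, "inetd"):
        print(" ".join(hup_command(pid)))
```

Running the same call a second time changes nothing, which is the property you want from a hardening script that may be re-applied by configuration management.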

Telnet Daemon TERMCAP check

Risk Factor:

High

Complexity:

Medium

Popularity:

Widespread

Impact:

System Integrity

Root Cause:

Software Implementation Problems

Ease of Fix:

Moderate

Description:

This check determines whether the remote telnet daemon is vulnerable to a buffer overflow when parsing a terminal capability (termcap) file. By uploading an alternate termcap file and pointing the daemon at its path, an attacker can cause the telnet daemon to execute arbitrary commands.

Security Concerns:

Remote attackers can obtain superuser access by connecting to the telnet daemon.

Suggestion:

Upgrade your operating system to a more recent version.

SNMP Community check

Risk Factor:

Medium

Complexity:

Low

Popularity:

Popular

Impact:

Data Integrity::Authorization::Intelligence

Root Cause:

Misconfiguration

Ease of Fix:

Simple

Description:

This check attempts to talk to a host's SNMP server using some commonly used community names. If a successful connection is made, the community is probed to see if it is read-only or read-write.

Security Concerns:

SNMP read access provides an attacker with a wide variety of information about an SNMP-enabled device, ranging from its type and model to active network connections, processes running on the host, and users logged into it. SNMP write access lets an attacker alter networking and other device parameters: the routing and ARP tables, the up/down state of network interfaces, packet forwarding, and several other networking settings. In addition, vendor extensions may provide other control parameters that an attacker can manipulate. This level of access can lead to denial of service or to the compromise of security or of confidential information.

Suggestion:

We suggest you configure your SNMP device to respond only to internal, private community names. Write access should be disabled where it is not needed, and packet filtering should be used to limit the hosts that can communicate with the SNMP daemon.

'public': read-only
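The three controls in the suggestion (non-default names, no write access, a source restriction) can be checked directly in an agent's configuration. The audit below is an added example, not from the report: it assumes the Net-SNMP snmpd.conf syntax (`rocommunity`/`rwcommunity COMMUNITY [SOURCE ...]` and `com2sec NAME SOURCE COMMUNITY`), whereas the scanned host runs a Sun SNMP agent whose configuration format the report does not show. The two configurations it inspects are constructed, with placeholder community names.

```python
DEFAULT_COMMUNITIES = {"public", "private"}   # 'public' is the name that answered on the scanned host

# Constructed Net-SNMP style configurations (not the scanned host's configuration).
WEAK_SNMPD_CONF = """\
# anyone who can reach UDP/161 gets read access with the default name, and write with 'private'
rocommunity public
rwcommunity private
"""

HARDENED_SNMPD_CONF = """\
# read-only, non-default name, answered only to the monitoring subnet (placeholder values)
rocommunity EXAMPLE-monitor-only 10.20.30.0/24
"""


def audit_snmpd_conf(text):
    """Flag weak community settings in a Net-SNMP snmpd.conf.

    Handles `rocommunity`/`rwcommunity COMMUNITY [SOURCE ...]` and
    `com2sec NAME SOURCE COMMUNITY`. A missing SOURCE, or the literal `default`,
    means any address may query. Returns [(line_number, finding), ...].
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        directive = fields[0].lower()
        if directive in ("rocommunity", "rwcommunity"):
            name = fields[1] if len(fields) > 1 else ""
            source = fields[2] if len(fields) > 2 else "default"
            write = directive == "rwcommunity"
        elif directive == "com2sec" and len(fields) >= 4:
            # access level for com2sec comes from separate group/access lines,
            # so only the name and the source are judged here
            name, source, write = fields[3], fields[2], False
        else:
            continue
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append((lineno, f"well-known community name '{name}'"))
        if source == "default":
            findings.append((lineno, "no source restriction: any host that can reach UDP/161 may query"))
        if write:
            findings.append((lineno, "write access: routing, ARP and interface state can be altered remotely"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SNMPD_CONF), ("hardened", HARDENED_SNMPD_CONF)):
        print(label, audit_snmpd_conf(conf) or "no findings")
```

A source restriction in the agent is a second line of defence only; the report's packet-filtering advice still applies, because the community name travels in clear text in SNMPv1 and v2c and a filter stops the query before the agent sees it.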

SNMP MIB-II Miscellaneous data

Risk Factor:

Low

Complexity:

Low

Popularity:

Popular

Impact:

Intelligence

Root Cause:

Misconfiguration

Ease of Fix:

Trivial

Description:

This check gathers miscellaneous information from the SNMP daemon using the community name provided in the configuration file; what it retrieves is available to any attacker who has read access to SNMP. The check does not attempt to guess the community name; a separate SNMP community check probes for SNMP access.

Suggestion:

If this check was successful with a common SNMP community name such as "public", we suggest you reconfigure your SNMP device to only respond to internal private community names.

System Description: Sun SNMP Agent, SPARCstation-10
System Contact: System administrator
System Name: foo
System Location: System administrators office
SNMP Uptime: 66d 21:27:45.03
Ip Forwarding: off

SNMP MIB-II UDP table

Risk Factor:

Low

Complexity:

Low

Popularity:

Popular

Impact:

Intelligence

Root Cause:

Misconfiguration

Ease of Fix:

Trivial

Description:

This check retrieves the table of listening UDP ports from the SNMP daemon using the community name provided in the configuration file; what it retrieves is available to any attacker who has read access to SNMP. The check does not attempt to guess the community name; a separate SNMP community check probes for SNMP access.

Suggestion:

If this check was successful with a common SNMP community name such as "public", we suggest you reconfigure your SNMP device to only respond to internal private community names.

UDP Table:
0.0.0.0          0
0.0.0.0          7
0.0.0.0          9
0.0.0.0          13
0.0.0.0          19
0.0.0.0          37
0.0.0.0          42
0.0.0.0          111
0.0.0.0          161
0.0.0.0          512
0.0.0.0          514
0.0.0.0          520
0.0.0.0          2049
0.0.0.0          4045
0.0.0.0          6500
0.0.0.0          32771
0.0.0.0          32772
0.0.0.0          32773
0.0.0.0          32774
0.0.0.0          32775
0.0.0.0          32776
0.0.0.0          32777
0.0.0.0          32778
0.0.0.0          32781
0.0.0.0          32783
0.0.0.0          32786
0.0.0.0          32788
0.0.0.0          32789
0.0.0.0          32790
127.0.0.1        32787
132.229.1.11         37602
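A raw listener table is only useful once each port has a name and an exposure class. The script below is an added example (not from the report) that cross-references the table above with the port-to-program results of this report's RPC Scanning Direct check and with the IANA well-known UDP port names, and attaches review notes for the listeners the report's other findings concern (RIP on 520, the portmapper on 111, the directly reachable RPC programs). The table text is rebuilt from the listing as the example's input, with "xxx.xxx.1.11" standing for the host's own address as anonymised elsewhere in the report; the note wording and the function names are mine.

```python
# The report's "UDP Table:" listing, rebuilt as input (the scanner prints one 'address port' per line).
_WILDCARD_PORTS = [0, 7, 9, 13, 19, 37, 42, 111, 161, 512, 514, 520, 2049, 4045, 6500,
                   32771, 32772, 32773, 32774, 32775, 32776, 32777, 32778, 32781, 32783,
                   32786, 32788, 32789, 32790]
UDP_TABLE = "".join(f"0.0.0.0          {p}\n" for p in _WILDCARD_PORTS) \
    + "127.0.0.1        32787\nxxx.xxx.1.11     37602\n"

# IANA well-known UDP port names for the ports in the listing.
WELL_KNOWN_UDP = {7: "echo", 9: "discard", 13: "daytime", 19: "chargen", 37: "time",
                  42: "nameserver", 111: "sunrpc", 161: "snmp", 512: "biff",
                  514: "syslog", 520: "rip", 2049: "nfs"}
# Port -> RPC program as identified by this report's "RPC Scanning Direct" check.
RPC_SCAN = {32786: "unknown rpc", 32783: "unknown rpc", 32773: "sadmind", 2049: "nfs/nfs_acl",
            32778: "cmsd", 32772: "status", 4045: "nlockmgr", 32776: "sprayd",
            32774: "rquotad", 32777: "walld", 32781: "mountd", 32775: "rusersd",
            111: "portmapper"}
SMALL_SERVICES = {7, 9, 13, 19}   # legacy inetd "small services": echo, discard, daytime, chargen


def parse_udp_table(text):
    """Parse the scanner's two-column 'address port' listing into (address, port) rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            rows.append((parts[0], int(parts[1])))
    return rows


def triage(rows):
    """Attach a service name, an exposure class and review notes to every listener."""
    findings = []
    for addr, port in rows:
        if addr == "0.0.0.0":
            exposure = "all-interfaces"
        elif addr.startswith("127."):
            exposure = "local-only"
        else:
            exposure = f"bound to {addr}"
        notes = []
        if port in SMALL_SERVICES:
            notes.append("legacy inetd small service, abusable for UDP traffic loops; disable in inetd.conf")
        if port == 520:
            notes.append("RIP listener; the report found RIPv1 in use")
        if port == 111:
            notes.append("portmapper; filter RPC at the border")
        if port in RPC_SCAN:
            notes.append("RPC service reachable directly, without the portmapper")
        findings.append({"addr": addr, "port": port, "exposure": exposure,
                         "service": RPC_SCAN.get(port) or WELL_KNOWN_UDP.get(port, "unidentified"),
                         "notes": notes})
    return findings


def exposure_counts(findings):
    """How many listeners fall into each exposure class."""
    counts = {}
    for f in findings:
        counts[f["exposure"]] = counts.get(f["exposure"], 0) + 1
    return counts


if __name__ == "__main__":
    result = triage(parse_udp_table(UDP_TABLE))
    print(exposure_counts(result))
    for f in result:
        if f["notes"]:
            print(f"{f['addr']}:{f['port']} ({f['service']}, {f['exposure']}): {'; '.join(f['notes'])}")
```

Of the 31 listeners, 29 are bound to 0.0.0.0 and therefore reachable on every interface; only one (32787) is bound to the loopback address. Ports that stay "unidentified" after the cross-reference (6500 and several in the 3277x-3279x range) are the ones worth resolving on the host itself before deciding whether they belong.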

SNMP MIB-II Interface Table

Risk Factor:

Low

Complexity:

Low

Popularity:

Popular

Impact:

Intelligence

Root Cause:

Misconfiguration

Ease of Fix:

Trivial

Description:

This check retrieves the table of network interfaces from the SNMP daemon using the community name provided in the configuration file; what it retrieves is available to any attacker who has read access to SNMP. The check does not attempt to guess the community name; a separate SNMP community check probes for SNMP access.

Suggestion:

If this check was successful with a common SNMP community name such as "public", we suggest you reconfigure your SNMP device to only respond to internal private community names.

Interface Table:
==== Index: 1
     Descr: lo0
     Type: Loopback
     MTU: 8232
     Speed: 10000000
     PhysAddr: -
     AdminStat: up
     OperStat: up
     In: 0
     InDiscard: 0
     InErr: 0
     InUnkwn: 0
     Out: 0
     OutDiscard: 0
     OutErr: 0
     OutUnknwn: 0
==== Index: 2
     Descr: le0
     Type: ethernet
     MTU: 1500
     Speed: 10000000
     PhysAddr: 08:00:20:1d:8c:91
     AdminStat: up
     OperStat: up
     In: -1050897417
     InDiscard: 57
     InErr: 0
     InUnkwn: 0
     Out: 1059056733
     OutDiscard: 0
     OutErr: 217797
     OutUnknwn: 0

SNMP MIB-II Address table

Risk Factor:

Low

Complexity:

Low

Popularity:

Popular

Impact:

Intelligence

Root Cause:

Misconfiguration

Ease of Fix:

Trivial

Description:

This check retrieves the table of IP addresses from the SNMP daemon using the community name provided in the configuration file; what it retrieves is available to any attacker who has read access to SNMP. The check does not attempt to guess the community name; a separate SNMP community check probes for SNMP access.

Suggestion:

If this check was successful with a common SNMP community name such as "public", we suggest you reconfigure your SNMP device to only respond to internal private community names.

Addr Table:
iface 1    127.0.0.1      mask 255.0.0.0
iface 2    xxx.xxx.1.11   mask 255.255.255.0

SNMP MIB-II ARP table

Risk Factor:

Low

Complexity:

Low

Popularity:

Popular

Impact:

Intelligence

Root Cause:

Misconfiguration

Ease of Fix:

Trivial

Description:

This check retrieves the ARP table (which maps IP addresses to hardware addresses) from the SNMP daemon using the community name provided in the configuration file; what it retrieves is available to any attacker who has read access to SNMP. The check does not attempt to guess the community name; a separate SNMP community check probes for SNMP access.

Suggestion:

If this check was successful with a common SNMP community name such as "public", we suggest you reconfigure your SNMP device to only respond to internal private community names.

Arp Table:
iface 1    xxx.xxx.1.1    aa:00:04:00:f3:71    static
iface 1    224.0.0.0      01:00:5e:00:00:00    static
iface 3    xxx.xxx.1.11   08:00:20:1d:8c:91    static

RPC Scanning Direct

Risk Factor:

Medium

Complexity:

High

Popularity:

Obscure

Impact:

Intelligence

Root Cause:

Insecure Design

Ease of Fix:

Infeasible

Description:

The RPC scanning direct check performs a UDP RPC scan of the remote host, attempting to find services while bypassing the portmapper or rpcbind. In many instances the portmapper (port 111), which translates RPC program numbers to port numbers, is filtered at an organization's filtering device or firewall. By scanning for RPC services directly, it is still possible to obtain a full listing of the RPC services running on the remote host and then contact them directly rather than querying the portmapper first. This check is unreliable over long-haul networks because the UDP transport offers no delivery guarantee; when it is run over such a network, some RPC programs that are actually running may not appear in the scan results.

Suggestion:

We suggest that you review your filtering policy and prevent any RPC traffic from entering your network. RPC has a long history of security-related problems, and many current implementations of RPC programs contain serious security vulnerabilities.

UDP port 32786 unknown rpc
UDP port 32783 unknown rpc
UDP port 32773 program 100232 (sadmind) versions 10-10
UDP port 2049 program 100227 (nfs_acl) versions 2-3
UDP port 32778 program 100068 (cmsd) versions 2-5
UDP port 32772 program 100024 (status) versions 1-1
UDP port 4045 program 100021 (nlockmgr) versions 1-4
UDP port 32776 program 100012 (sprayd) versions 1-1
UDP port 32774 program 100011 (rquotad) versions 1-1
UDP port 32777 program 100008 (walld) versions 1-1
UDP port 32781 program 100005 (mountd) versions 1-3
UDP port 32775 program 100002 (rusersd) versions 2-3
UDP port 2049 program 100003 (nfs) versions 2-3
UDP port 111 program 100000 (portmapper) versions 2-4
UDP port 111 program 100000 (portmapper) versions 2-4

The information on this web site is protected by copyright. Except as specifically permitted, no portion of this web site may be distributed or reproduced by any means, or in any form, without Password Crackers, Inc.'s prior written permission. 2012 Password Crackers, Inc., USA. All rights reserved.