report of a nessus scan - rejås datakonsult ab...1.2 details of the vulnerabilities nessus report...
TRANSCRIPT
Report of a Nessus scan
Nessus Security Scanner
November 26, 2002
i
CONTENTS Nessus Report
Contents
1 ftp.lab.rejas.net iv1.1 Open ports (TCP and UDP) . . . . . . . . . . . . . . . . . . . . iv1.2 Details of the vulnerabilities . . . . . . . . . . . . . . . . . . . . . iv
1.2.1 Problems regarding : ftp (21/tcp) . . . . . . . . . . . . . iv1.2.2 Problems regarding : ssh (22/tcp) . . . . . . . . . . . . . v1.2.3 Problems regarding : smtp (25/tcp) . . . . . . . . . . . . vi1.2.4 Problems regarding : general/tcp . . . . . . . . . . . . . . viii1.2.5 Problems regarding : general/udp . . . . . . . . . . . . . viii1.2.6 Problems regarding : general/icmp . . . . . . . . . . . . . viii
A List of port scanners used during this session x
B List of plugins used during this session x
ii
CONTENTS Nessus Report
Introduction
In this test, Nessus has tested 1 host and found 5 severe security holes, aswell as 4 security warnings and 5 notes.These problems can easily be used tobreak into your network. You should have a close look at them and correctthem as soon as possible.Note that there is a big number of problems for a single network of this size.We strongly suggest that you correct them as soon as you can, although weknow it is not always possible.You should have a look at (see Appendix A and B page x and page x for theexhaustive list of what was tested).On the overall, Nessus has given to the security of this network the mark Ebecause of the number of vulnerabilities found. A script kid should be able tobreak into your network rather easily.There is room for improvement, and we strongly suggest that you take theappropriate measures to solve these problems as soon as possible Ifyou were considering hiring some security consultant to determine the securityof your network, we strongly suggest you do so, because this should save yournetwork.
iii
Nessus Report
1 ftp.lab.rejas.net
1.1 Open ports (TCP and UDP)
ftp.lab.rejas.net has the following ports that are open :
• ftp (21/tcp)
• ssh (22/tcp)
• smtp (25/tcp)
• imap2 (143/tcp)
• general/tcp
• general/udp
• general/icmp
You should disable the services that you do not use, as they are potential securityflaws.
1.2 Details of the vulnerabilities
1.2.1 Problems regarding : ftp (21/tcp)
Security holes :
• It was possible to make the remote FTP server crash
by sending the command ’CWD ~{’.
It is very likely that an attacker can use this
flaw to execute arbitrary code on the remote
server, thus obtaining a root shell on
this system.
Solution : upgrade your FTP server.
Risk factor : High
• You seem to be running a vulnerable FTP server version which is known
to be exploitable. Upgrade your ftp server software to the latest version.
Security warnings :
iv
1.2 Details of the vulnerabilities Nessus Report
• The FTP service allows anonymous logins. If you do not
want to share data with anyone you do not know, then you should
deactivate
the anonymous account, since it can only cause troubles.
Under most Unix system, doing :
echo ftp >> /etc/ftpusers
will correct this.
Risk factor : Low
CVE : CAN-1999-0497
• It is possible to gather the
real path of the public area of the ftp server
(like /home/ftp) by issuing the following
command :
CWD
This problem may help an attacker to find where
to put a .rhost file using other security
flaws.
Risk factor : Low
CVE : CVE-1999-0201
Security note :
• Remote FTP server banner :
pc105.lab.rejas.net ftp server (version wu-2.4.2-academ[beta-17](1)
tue jun 9 10:43:14 edt 1998) ready.
1.2.2 Problems regarding : ssh (22/tcp)
Security holes :
• You are running a version of SSH which is
older than version 1.2.32,
or a version of OpenSSH which is older than
2.3.0.
This version is vulnerable to a flaw which allows
an attacker to gain a root shell on this host.
Solution :
Upgrade to version 1.2.32 of SSH which solves this problem,
or to version 2.3.0 of OpenSSH
v
1.2 Details of the vulnerabilities Nessus Report
More information:
http://www.core-sdi.com/advisories/ssh1_deattack.htm
Risk factor : High
CVE : CAN-2001-0144
•
You are running a version of OpenSSH which is older than 3.0.2.
Versions prior than 3.0.2 are vulnerable to an enviroment
variables export that can allow a local user to execute
command with root privileges.
This problem affect only versions prior than 3.0.2, and when
the UseLogin feature is enabled (usually disabled by default)
Solution : Upgrade to OpenSSH 3.0.2 or apply the patch for prior
versions. (Available at: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH)
Risk factor : High (If UseLogin is enabled, and locally)
Security note :
• Remote SSH version : ssh-1.99-openssh_2.2.0p1
1.2.3 Problems regarding : smtp (25/tcp)
Security holes :
• The remote host is subject to the
’smad’ attack, which prevents sendmail
from accepting legitimate connections.
A cracker may use this flaw to prevent you
from receiving any email, thus lowering the
interest of being connected to internet.
This attack is specific to some versions of the
Linux kernel.
Solution : upgrade your Linux kernel to a newer
version.
Risk factor : Serious
vi
1.2 Details of the vulnerabilities Nessus Report
Security warnings :
• The remote SMTP server
answers to the EXPN and/or VRFY commands.
The EXPN command can be used to find
the delivery address of mail aliases, or
even the full name of the recipients, and
the VRFY command may be used to check the
validity of an account.
Your mailer should not allow remote users to
use any of these commands, because it gives
them too much informations.
Solution : if you are using sendmail, add the
option
O PrivacyOptions=goaway
in /etc/sendmail.cf.
Risk factor : Low
CVE : CAN-1999-0531
Security note :
• Remote SMTP server banner :
pc105.lab.rejas.net ESMTP Sendmail 8.8.7/8.8.7
Sun, 19 May 2002 22:51:02 +0200
214-This is Sendmail version 8.8.7214-Topics:
214-HELO EHLO MAIL RCPT DATA
214-RSET NOOP QUIT HELP VRFY
214-EXPN VERB ETRN DSN
214-For more info use "HELP <topic>".
214-To report bugs in the implementation send email to
214-For local information send email to Postmaster at your site.
vii
1.2 Details of the vulnerabilities Nessus Report
214 End of HELP info
1.2.4 Problems regarding : general/tcp
Security note :
• Nmap found that this host is running Linux 2.0.34-38
1.2.5 Problems regarding : general/udp
Security note :
• For your information, here is the traceroute to 192.168.100.105 :
192.168.100.105
1.2.6 Problems regarding : general/icmp
Security warnings :
• The remote host answers to an ICMP timestamp
request. This allows an attacker to know the
date which is set on your machine.
This may help him to defeat all your
time based authentifications protocols.
Solution : filter out the icmp timestamp
requests (13), and the outgoing icmp
timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524
viii
1.2 Details of the vulnerabilities Nessus Report
Conclusion
A security scanner, such as Nessus, is not a garantee of the security of yournetwork.A lot of factors can not be tested by a security scanner : the practices of theusers of the network, the home-made services and CGIs, and so on... So, youshould not have a false sense of security now that the test are done. We recom-mand that you monitor actively what happens on your firewall, and that youuse some tools such as tripwire to restore your servers more easily in the caseof an intrusion.In addition to that, you must know that new security holes are found each week.That is why we recommand that you visit http://www.nessus.org/scripts.html,which is a page that contains the test for all the holes that are published onpublic mailing lists such as BugTraq (see http://www.securityfocus.com fordetails) and test the security of your network on a (at least) weekly basis withthe checks that are on this page.This report was generated with Nessus, the open-sourced security scanner. Seehttp://www.nessus.org for more information
ix
Nessus Report
A List of port scanners used during this session
• Nmap
B List of plugins used during this session
• Services
• SSH Kerberos issue
• Solaris finger disclosure
• Using NetBIOS to retrieve information from a Windows host
• SMB log in
• SMB accessible registry
• SMB Registry : permissions of WinVNC’s key
• SMB Registry : permissions of winlogon
• SMB Registry : permissions of keys that can change common paths
• SMB Registry : value of SFCDisable
• SSH1 CRC-32 compensation attack
• SMB Registry : permissions of Schedule
• FreeBSD 4.1.1 Finger
• Trin00 for Windows Detect
• SMB Registry : permissions of keys that can lead to admin
• Trin00 Detect
• QueSO
• SubSeven
• SMB Registry : permissions of the RAS key
• Stacheldraht Detect
• An SNMP Agent is running
• Default community names of the SNMP Agent
• SNMP VACM
• Obtain OS type via SNMP
x
Nessus Report
• MySQL Server version
• SMB Registry : is the remote host a PDC/BDC
• Obtain processes list via SNMP
• Enumerate Lanman shares via SNMP
• HTTP version spoken
• No 404 check
• HTTP Server type and version
• Zope ZClass permission mapping bug
• Zope Image updating Method
• SSH Server type and version
• SSH 3.0.0
• Zope DoS
• SMB fully accessible registry
• SMB Registry : missing winreg
• Enumerate Lanman services via SNMP
• Zope DocumentTemplate package problem
• Zeus shows the content of the cgi scripts
• Obtain network interfaces list via SNMP
• YaBB
• Windmail.exe allows any user to execute arbirary comands
• WebSpeed remote configuration
• SMB enum services
• The messenger service is running
• webspirs.cgi
• The alerter service is running
• TalentSoft Web version detection+
• cfinger’s version
• TalentSoft Web Input Validation Bug Vulnerability+
xi
Nessus Report
• WebLogic Server /%00/ bug
• webdriver
• SMB Registry : permissions of HKLM
• Enumerate Lanman users via SNMP
• IIS : Directory listing through WebDAV
• RPC portmapper
• NFS export
• Directory listing through WebDAV
• Tomcat’s snoop servlet gives too much information
• Webalizer Cross Site Scripting Vulnerability
• WebsitePro buffer overflow
• Shaft Detect
• vqServer web travesal vulnerablity
• tooltalk format string
• SMB Registry : Autologon
• way-board
• WebActive world readable log file
• ustorekeeper
• fam service
• ttawebtop
• Detect talkd server port and protocol version
• ASP/ASA source using Microsoft Translate f: bug
• Tripwire for Webpages Detection
• SMB Registry : NT4 Service Pack version
• RPC Endpoint Mapper can Cause RPC Service to Fail
• Default password router Zyxel
• Textor Webmasters CGI Allows Remote Command Execution
• Detect CIS ports
xii
Nessus Report
• thttpd ssi file retrieval
• technote’s main.cgi
• OpenSSH UseLogin Environment Variables
• Jakarta Tomcat Path Disclosure
• Microsoft’s SQL UDP Info Query
• SWC Overflow
• SMB Registry : Win2k Service Pack version
• IrDA access violation patch
• Redhat Stronghold File System Disclosure
• mstream agent Detect
• Interactive Story Directory Traversal Vulnerability
• Microsoft’s SQL Blank Password
• store.cgi
• Shiva Integrator Default Password
• Reading CGI script sources using /cgi-bin-sdb
• SQLQHit Directory Stracture Disclosure
• Malformed request to index server
• SIX Webboard’s generate.cgi
• LDAP allows anonymous binds
• sojourn.cgi
• in.fingerd |command@host bug
• ShopPlus Arbitrary Command Execution
• LDAP allows null bases
• Shopping Cart Arbitrary Command Execution (Hassan)
• SimpleServer remote execution
• Kerberos PingPong attack
• Cobalt siteUserMod cgi
• Malformed request to domain controller
xiii
Nessus Report
• DNS AXFR
• sglMerchant Information Disclosure Vulnerability
• sendtemp.pl
• Tomcat’s /admin is world readable
• Passwordless Cayman DSL router
• sdbsearch.cgi
• Directory listing through Sambar’s search.dll
• DHCP server info gathering
• Sambar webserver pagecount hole
• cfingerd format string attack
• Malformed PPTP Packet Stream vulnerability
• Savant original form CGI access
• Sambar Web Server CGI scripts
• Determine which version of BIND name daemon is running
• BIND vulnerable to ZXFR bug
• Roxen Server /%00/ bug
• ROADS’ search.pl
• Useable remote name server
• Raptor FW version 6.5 detection
• Nortel Networks passwordless router (user level)
• quickstore traversal
• NTLMSSP Privilege Escalation
• OpenSSH < 2.1.1 UseLogin feature
• processit
• Power Up Information Disclosure
• BIND vulnerable to overflows
• Poll It v2.0 cgi
• Determine if Bind 9 is running
xiv
Nessus Report
• PHPix directory traversal vulnerability
• php safemode
• Winsock Mutex vulnerability
• PHP-Nuke’ opendir
• Amanda client version
• PHP-Nuke Gallery Add-on File View
• Nortel Networks passwordless router (manager level)
• PHP-Nuke copying files security vulnerability (admin.php)
• Unpassworded MySQL
• AFS client version
• php log
• php IMAP overflow
• Unprotected PC Anywhere Service
• Incomplete TCP/IP packet vulnerability
• php file upload
• Finger redirection check
• PHP3 Physical Path Disclosure Vulnerability
• PHP-Nuke security vulnerability (bb_smilies.php)
• EXPN and VRFY commands
• WebShield
• phorum’s common.cgi
• Traceroute
• phpMyExplorer dir traversal
• perlcal
• TFN Detect
• /perl directory browsable ?
• Standard & Poors detection
• PCCS-Mysql User/Password Exposure
xv
Nessus Report
• Usable remote proxy
• DoSable squid proxy server
• pals-cgi
• pagelog.cgi
• SMTP Authentication Error
• ows-bin
• VisualRoute Web Server Detection
• Domain account lockout vulnerability
• Outlook Web anonymous access
• TCP Chorusing
• MacOS X Finder reveals contents of Apache Web files
• MacOS X Finder reveals contents of Apache Web directories
• OpenSSH < 3.0.1
• Oracle XSQL Sample Application Vulnerability
• Cisco password not set
• Novell Groupwise WebAcc Information Disclosure
• ypxfrd service
• Check for dangerous Novell webserver default files
• Webserver file request parsing
• PIX’s smtp content filtering
• Tests for Nimda Worm infected HTML files
• ipop2d reads arbitrary files
• INN version check (2)
• Checkpoint SecuRemote information leakage
• ypupdated service
• news desk
• netscape publishingXpert 2 PSUser problem
• LPC and LPC Ports Vulnerabilities patch
xvi
Nessus Report
• SWAT allows the obtention of user names by brute force
• ypbind service
• newdsn.exe check
• walld service
• Oracle tnslsnr version query
• Netscape Server ?wp bug
• PFTP login check
• Netscape Enterprise INDEX request problem
• Cayman DSL router one char login
• Netauth
• SMTP Server type and version
• Sendmail mime overflow
• Netscape Administration Server admin password
• yppasswd service
• Telnet Client NTLM Authentication Vulnerability
• tektronix’s _ncl_items.shtml
• tfsd service
• Detect the presence of Napster
• Insecure Napster clone
• ncbook/book.cgi
• Finger dot at host feature
• Novell Web Server NDS Tree Browsing
• Oracle Applications One-Hour Install Detect
• DoSable Oracle WebCache server
• Anonymous FTP enabled
• Guild FTPd tells if a given file exists
• sawmill allows the reading of the first line of any file
• sawmill password
xvii
Nessus Report
• multihtml cgi
• tooltalk service
• RDS / MDAC Vulnerability (msadcs.dll) located
• statmon service
• Microsoft’s Index server reveals ASP source code
• Malformed RPC Packet patch
• Solaris FTPd tells if a user exists
• ctss.idc check
• Sendmail 8.11 local overflow
• MiniVend Piped command
• Alcatel ADSL Modem with Firewalling off
• mmstdod.cgi
• statd service
• Lotus Notes ?OpenServer Information Disclosure
• sprayd service
• mailnews.cgi
• Serv-U Directory traversal
• Still Image Service Privilege Escalation patch
• Checks for listrec.pl
• snmp service
• KW whois
• OpenSSH 2.3.1 authentication bypass vulnerability
• Allaire JRun directory browsing vulnerability
• Buffer Overrun in ITHouse Mail Server v1.04
• Allaire JRun Directory Listing
• showfhd service
• InterScan VirusWall Remote Configuration Vulnerability
• Axis Camera Default Password
xviii
Nessus Report
• infosrch.cgi
• Local Security Policy Corruption
• Broker FTP files listing
• IMP Session Hijacking Bug
• selection service
• /iisadmin is world readable
• sched service
• Check for dangerous IIS default files
• GuildFTPD Directory Traversal
• IIS SHTML Cross Site vulnerability
• Exchange Malformed MIME header
• IIS dangerous sample files
• Service Control Manager Named Pipe Impersonation patch
• sadmin service
• /scripts/repost.asp
• rusersd service
• Content-Location HTTP Header
• Passwordless Alacatel ADSL Modem
• IIS 5.0 WebDav Memory Leakage
• SHOUTcast Server DoS detector vulnerability
• WFTP login check
• Windows NT ftp ’guest’ account
• IIS .IDA ISAPI filter applied
• rstatd service
• Check for IIS .cnf file leakage
• rquotad service
• Relative Shell Path patch
• IIS directory traversal
xix
Nessus Report
• Finger backdoor
• Test Microsoft IIS Source Fragment Disclosure
• Sendmail mailing to programs
• Check for bdir.htr files
• Mediahouse Statistics Web Server Detect
• MySQL buffer overflow
• IIS Remote Command Execution
• rje mapper service
• IIS IDA/IDQ Path Disclosure
• rexd service
• IIS 5 .printer ISAPI filter applied
• NetBIOS Name Server Protocol Spoofing patch
• The ACC router shows configuration without authentication
• idq.dll directory traversal
• FTP Server type and version
• IBM-HTTP-Server View Code
• nsemntd service
• Read any file thanks to ~nobody/
• Sendmail mailing to files
• Boa file retrieval
• nsed service
• eXtropia Web Store remote file retrieval
• OpenSSH 2.5.x -> 2.9.x adv.option
• NT ResetBrowser frame & HostAnnouncement flood patc
• Web Shopper remote file retrieval
• FTP site exec
• ht://Dig’s htsearch potential exposure/dos
• nlockmgr service
xx
Nessus Report
• /iisadmpwd/aexp2.htr
• 3Com Superstack II switch with default password
• ht://Dig’s htsearch reveals web server path
• nfsd service
• htgrep
• Sendmail’s from |program
• NT IP fragment reassembly patch not applied (jolt2)
• htdig
• FTP real path
• hsx directory traversal
• llockmgr service
• HSWeb document path
• keyserv service
• ftp.pl shows the listing of any dir
• FTPd tells if a user exists
• shtml.exe reveals full path
• etherstatd service
• Formmail Version Information Disclosure
• SMB Registry : SQL7 Patches
• Default accounts
• Microsoft Frontpage dvwssr.dll backdoor
• Sendmail redirection check
• Microsoft Exchange Public Folders Information Leak
• database service
• EZShopper 3.0
• FTP bounce check
• E-Shopping Cart Arbitrary Command Execution (WebDiscount)
• cmsd service
xxi
Nessus Report
• empower cgi path
• Finger zero at host feature
• SMB LanMan Pipe Server browse listing
• Unify eWave ServletExec 3.0C file upload
• automountd service
• /doc directory browsable ?
• /doc/packages directory browsable ?
• Linux FTP backdoor
• Lotus Domino administration databases
• Proxy accepts POST requests
• amd service
• DCShop exposes sensitive files
• Sendmail DEBUG
• DBMan CGI server information leakage
• Passwordless Wingate installed
• Dansie Shopping Cart backdoor
• alis service
• CVSWeb detection
• CVSWeb 1.80 gives a shell to cvs commiters
• SSH Overflow
• commerce.cgi
• X25 service
• dcforum
• 3270 mapper service
• CodeRed version X detection
• Sendmail ’decode’ flaw
• SMB shares enumeration
• SMB get domain SID
xxii
Nessus Report
• SMB use domain SID to enumerate users
• SMB log in as users
• SMB Windows9x password verification vulnerability
• Cisco IOS HTTP Configuration Arbitrary Administrative Access
• sunlink mapper service
• Cisco Catalyst Web Execution
• News Server type and version
• Detect Server type and version via Telnet
• cgiforum
• Relative IP Identification number change
• CGIEmail’s Cross Site Scripting Vulnerability (cgicso)
• Quote of the day
• directory pro web traversal
• SMB shares access
• JRun’s viewsource.jsp
• Portal of Doom
• CGIEmail’s CGICso (Send CSO via CGI) Command Execution Vulnerability
• Detect presence of PGPNet server and its version
• ColdFusion Debug Mode
• CERN httpd problem
• NIS server
• calendar_admin.pl
• Cart32 ChangeAdminPassword
• Telnet
• bizdb1-search.cgi located
• icmp timestamp request
• BroadVision Physical Path Disclosure Vulnerability
• icmp netmask request
xxiii
Nessus Report
• Sun’s Java Web Server remote command execution
• Echo port open
• bb-hostsvc.sh
• Mail relaying
• NTMail3 spam feature
• Basilix includes download
• Finger
• auktion.cgi
• DeepThroat
• ASP source using %2e trick
• Daytime
• ASP source using ::$DATA trick
• Chargen
• Apache UserDir Sensitive Information Disclosure
• Passwordless HP LaserJet
• Usable remote proxy on any port
• Apache::ASP source.asp
• bootparamd service
• Check for Apache Multiple / vulnerability
• SiteScope Web Managegment Server Detect
• SSH Insertion Attack
• Apache /server-status accessible
• Apache /server-info accessible
• Apache Directory Listing
• BIND vulnerable
• Apache Auth Module SQL Insertion Attack
• qpopper euidl problem
• anacondaclip
xxiv
Nessus Report
• BackOrifice
• Anaconda remote file retrieval
• Cisco 675 passwordless router
• bypass Axis Storpoint CD authentification
• MySQL various flaws
• A1Stats
• Alchemy Eye HTTP Command Execution
• PC Anywhere
• OmniPro httpd 2.08 scripts source full disclosure
• BEA WebLogic Scripts Server scripts Source Disclosure
• SMB NativeLanMan
• Samba Remote Arbitrary File Creation
• Imap buffer overflow
• Atrium Mercur Mailserver
• 40X HTML Cross Site Scripting vulnerability
• wwwboard passwd.txt
• wrap
• whois_raw
• WebSite pro reveals the physical file path of web directories
• websendmail
• webgais
• Systat
• OmniHTTPd visadmin exploit
• netstat
• view_source
• Cfinger’s search.**@host feature
• uploader.exe
• Upload cgi
xxv
Nessus Report
• thttpd flaw
• Webcart misconfiguration
• test-cgi
• Shells in /cgi-bin
• Roxen counter module
• Proxy accepts CONNECT requests
• printenv
• Cognos Powerplay WE Vulnerability
• PlusMail vulnerability
• php.cgi
• pfdispaly
• perl interpreter can be launched as a CGI
• phf
• Netscape Messenging Server User List
• nph-test-cgi
• nph-publish.cgi
• Netscape FastTrack ’get’
• ICECast Format String
• Netscape Server ?PageServices bug
• Tektronix /ncl_items.html
• MS Personal WebServer ...
• jj cgi
• info2www
• /scripts directory browsable
• IIS perl.exe problem
• icat
• Htmlscript
• Home Free search.cgi directory traversal
xxvi
Nessus Report
• Handler
• guestbook.pl
• guestbook.cgi
• glimpse
• Microsoft Frontpage ’authors’ exploits
• Microsoft Frontpage exploits
• formmail.pl
• Finger cgi
• Faxsurvey
• Dumpenv
• Domino HTTP server exposes the set up of the filesystem
• Count.cgi
• Lotus Domino ?open Vulnerability
• Cobalt RaQ2 cgiwrap
• Excite for WebServers
• /cgi-bin directory browsable ?
• Campas
• RedHat 6.0 cachemgr.cgi
• bigconf
• bb-hist.sh
• AN-HTTPd tests CGIs
• AltaVista Intranet Search
• tst.bat
• alibaba.pl
• get32.exe
• AliBaba path climbing
• ShowCode possible
• IIS possible DoS using ExAir’s search
xxvii
Nessus Report
• IIS possible DoS using ExAir’s query
• ColdFusion Vulnerability
• IIS possible DoS using ExAir’s advsearch
• Cobalt Web Administration Server Detection
• POP3 Server type and version
• ipop2d buffer overflow
• Identd enabled
• INN version check
• LinuxConf grants network access
• DCE Services Enumeration
• Checkpoint FW-1 identification
• CheckPoint Firewall-1 Telnet Authentication Detection
• Checkpoint SecureRemote detection
• F5 Device Default Support Password
• rlogin
• rsh
• LPRng malformed input
• rexecd
• AppleShare IP Server status query
• RTSP Server type and version
• Detect the HTTP RPC endpoint mapper
• Detect SWAT server port
• CheckPoint Firewall-1 Web Authentication Detection
• WinSATAN
• Kazaa / Morpheus Client Detection
• A Nessus Daemon is running
• HealthD detection
• Microsoft’s SQL TCP/IP listener is running
xxviii
Nessus Report
• Oracle tnslsnr security
• PPTP detection and versioning
• MBDMS overflow
• Compaq WBEM Server Detection
• A CVS pserver is running
• SiteScope Web Administration Server Detection
• Eserv traversal
• WorldClient for MDaemon Server Detection
• MySQLs accepts any password
• CA Unicenter’s File Transfer Service is running
• iChat
• MetaInfo servers
• Unpassworded PostgreSQL
• remwatch
• PC Anywhere TCP
• Check for VNC HTTP
• Check for VNC
• X Server
• McAfee myCIO detection
• AOLserver Default Password
• mstream handler Detect
• GateCrasher
• CA Unicenter’s Transport Service is running
• Extent RBS ISP
• FTPGate traversal
• SyGate Backdoor
• Unprotected Netware Management Portal
• NetBeans Java IDE
xxix
Nessus Report
• Ultraseek Web Server Detect
• Oracle Web Administration Server Detection
• vqServer administrative port
• NAI Management Agent leaks info
• HP LaserJet direct print
• Check for Webmin
• NetBus 1.x
• LCDproc server detection
• Amanda Index Server version
• CDK Detect
• Kuang2 the Virus
• NetBus 2.x
• GirlFriend
• NetSphere
• Trinity v3 Detect
• Lion worm
• IRIX Objectserver
• rwhois format string attack
• Linux TFTP get file
• Buffer overflow in WebSitePro webfind.exe
• Sambar /sysadmin directory 2
• Sambar sendmail /session/sendmail
• TFTP get file
• Sambar /cgi-bin/mailit.pl installed ?
• rpm_query CGI
• Piranha’s RH6.2 default password
• Pi3Web tstisap.dll overflow
• Oracle XSQL Stylesheet Vulnerability
xxx
Nessus Report
• Resin traversal
• Master Index directory traversal vulnerability
• Lotus Domino SMTP overflow
• iPlanet Directory Server traversal
• Informix traversal
• IIS ISAPI Overflow
• Cold Fusion Administration Page Overflow
• Analogx Web server traversal
• robot(s).txt exists on the Web Server
• Web server traversal
• Too long URL
• IIS buffer overflow
• FormHandler.cgi
• SysV /bin/login buffer overflow (telnet)
• wu-ftpd mishandles CWD ~{
• wu-ftpd SITE EXEC vulnerability
• Pocsag password
• proftpd 1.2.0preN check
• proftpd exhaustion attack
• NSM format strings vulnerability
• Multiple WarFTPd DoS
• hpux ftpd PASS vulnerability
• FTPD glob Heap Corruption
• ftp writeable directories
• bftpd format string vulnerability
• Writeable FTP root
• FTP CWD ~root
• ftp USER, PASS or HELP overflow
xxxi
Nessus Report
• Ftp PASV on connect crashes the FTP server
• SysV /bin/login buffer overflow (rlogin)
• rsh on finger output
• McAfee myCIO Directory Traversal
• ICEcap default password
• Unprotected SiteScope Service
• BIND buffer overrun
• rwhois format string attack (2)
• RealServer Memory Content Disclosure
• PIX Firewall Manager Directory Traversal
• HP LaserJet display hack
• Too long POST command
• yppasswdd overflow
• Too long authorization
• stream.c
• wwwwais
• WFTP RNTO DoS
• WebLogic Server DoS
• format string attack against statd
• spin_client.cgi buffer overrun
• UDP null size going to SNMP DoS
• Sedum DoS
• WinLogon.exe DoS
• WFTP 2.41 rc11 multiple DoS
• Savant DoS
• EXPN overflow
• ActivePerl perlIS.dll Buffer Overflow
• TESO in.telnetd buffer overflow
xxxii
Nessus Report
• IIS phonebook
• snmpXdmid overflow
• Oracle Application Server Overflow
• Orange DoS
• Nortel Contivity DoS
• GoodTech ftpd DoS
• rfparalyze
• Netscape Enterprise ’../’ buffer overflow
• ntpd overflow
• iWS shtml overflow
• Generic flood
• Imail Host: overflow
• Lotus MAIL FROM overflow
• IIS propfind DoS
• FTP Serv-U 2.5e DoS
• IIS 5.0 PROPFIND Vulnerability
• pam_smb / pam_ntdom overflow
• IIS Malformed Extension Data in URL
• Winnuke
• Marconi ASX DoS
• NT IIS 5.0 Malformed HTTP Printer Request Header Buffer Overflow Vulnerability
• Teardrop
• ICQ Denial of Service attack
• ftp ’glob’ overflow
• Test HTTP dangerous methods
• pimp
• GroupWise buffer overflow
• Interscan 3.32 SMTP Denial
xxxiii
Nessus Report
• IIS FrontPage DoS II
• rfpoison
• Microsoft Frontpage DoS
• OShare
• htimage.exe overflow
• Dragon telnet overflow
• SalesLogix Eviewer WebApp crash
• qpopper buffer overflow
• XMail APOP Overflow
• ftpd strtok() stack overflow
• cisco http DoS
• cisco 675 http DoS
• Nestea
• CISCO view-source DoS
• Land
• AnalogX denial of service by long cgi name
• Delegate overflow
• Imate HELO overflow
• AnalogX denial of service
• EFTP carriage return DoS
• IIS FrontPage DoS
• Linux 2.1.89 - 2.2.17 : 0 length fragment bug
• webdist.cgi
• Firewall/1 UDP port 0 DoS
• w3-msql overflow
• GAMSoft TelSrv 1.4/1.5 Overflow
• thttpd 2.04 buffer overflow
• Dragon FTP overflow
xxxiv
Nessus Report
• php.cgi buffer overrun
• Bonk
• Netscape Enterprise ’Accept’ buffer overflow
• Netwin’s DMail ETRN overflow
• Oracle Web Server denial of Service
• Axent Raptor’s DoS
• MSQL CGI overflow
• bftpd chown overflow
• MediaHouse Statistic Server Buffer Overflow
• + + ATH0 modem hangup+
• imagemap.exe
• Ascend Kill
• NT IIS Malformed HTTP Request Header DoS Vulnerability
• Wingate denial of service
• IIS ’GET ../../’
• wu-ftpd SITE NEWER vulnerability
• Eicon Diehl LAN ISDN modem DoS
• XTramil MTA ’HELO’ denial
• uw-imap buffer overflow after logon
• netscape imap buffer overflow after logon
• Domino HTTP Denial
• cgitest.exe buffer overrun
• Annex DoS
• Alibaba 2.0 buffer overflow
• vftpd buffer overflow
• WebSite 1.0 buffer overflow
• OpenLink web config buffer overflow
• SunKill
xxxv
Nessus Report
• vpopmail input validation bug
• smad
• wu-ftpd buffer overflow
• ProFTPd buffer overflow
• RealServer denial of Service
• ProFTPd pre6 buffer overflow
• TFS SMTP 3.2 MAIL FROM overflow
• Livingston Portmaster crash
• proftpd mkdir buffer overflow
• HELO overflow
• Hyperbomb
• IIS FTP server crash
• SLMail MTA ’HELO’ denial
• qpopper LIST buffer overflow
• FTP ServU CWD overflow
• Cassandra NNTP Server DoS
• BFTelnet DoS
• Ftp PASV denial of service
• SLMail denial of service
• AIX ftpd buffer overflow
• Tinyproxy heap overflow
• IMAP4rev1 buffer overflow after logon
• Notes MTA denial
• MDaemon crash
• Xtramail pop3 overflow
• MDaemon DoS
• Oops buffer overflow
• Check for RealServer DoS
xxxvi
Nessus Report
• CSM Mail server MTA ’HELO’ denial
• CMail’s MAIL FROM overflow
• Wingate POP3 USER overflow
• Chameleon SMTPd overflow
• WindowsNT DNS flood denial
• Xitami Web Server buffer overflow
• SmartServer pop3 overflow
• SuSE’s identd overflow
• Netscape Enterprise Server DoS
• Buffer overflow in Solaris in.lpd
• Microsoft’s SQL TCP/IP denial of service
• WindowsNT PPTP flood denial
• Novell Border Manager
• RealServer G2 buffer overrun
• Imail’s imonitor buffer overflow
• UltraSeek 3.1.x Remote DoS
• NAI Management Agent overflow
• FakeBO buffer overflow
• LCDproc buffer overflow
• uw-imap buffer overflow
• Rover pop3 overflow
• Various pop3 overflows
• Ken! DoS
• Imail’s imap buffer overflow
• RealServer Ramgen crash (ramcrash)
• SLMail:27 denial of service
• pnserver crash
• Rockliffe’s MailSite overflow
xxxvii
Nessus Report
• WINS UDP flood denial
• SCO i2odialogd buffer overrun
• klogind overflow
• Knox Arkeia buffer overflow
• Mercure WebView WebClient
• Microsoft Media Server 4.1 - DoS
• VirusWall’s catinfo overflow
• MDaemon Worldclient crash
• MDaemon Webconfig crash
• NAI PGP Cert Server DoS
• Yahoo Messenger Denial of Service attack
• iParty
• Cisco DoS
• Communigate Pro overflow
• Gauntlet overflow
• HotSync Manager Denial of Service attack
• XTramail control denial
• libgtop_daemon format string
xxxviii