Return to the 2006 Operating System Vulnerability Summary on OmniNerd

List of hosts

192.168.1.5

High Severity problem(s) found

192.168.1.5

Scan time :

Start time :	Sun Feb 11 20:41:42 2007
End time :	Sun Feb 11 20:47:53 2007

Number of vulnerabilities :

Open ports :	19
Low :	17
Medium :	2
High :	7

Information about the remote host :

Operating system :	Microsoft Windows XP
NetBIOS name :	TESTING
DNS name :	(unknown)

[^] Back to 192.168.1.5

Port epmap (135/udp)

Buffer Overrun in Messenger Service (real test)

A security vulnerability exists in the Messenger Service that could allow
arbitrary code execution on an affected system. An attacker who successfully
exploited this vulnerability could be able to run code with Local System
privileges on an affected system, or could cause the Messenger Service to fail.
Disabling the Messenger Service will prevent the possibility of attack.

This plugin actually checked for the presence of this flaw.

Solution : see http://www.microsoft.com/technet/security/bulletin/ms03-043.mspx

Risk factor : High
CVE : CVE-2003-0717
BID : 8826
Other references : IAVA:2003-A-0028, IAVA:2003-a-0017, IAVA:2003-b-0007, OSVDB:10936

Nessus ID : 11890

[^] Back to 192.168.1.5

Port cap (1026/tcp)

DCE Services Enumeration

MS Task Scheduler vulnerability

Synopsis :

Arbitrary code can be executed on the remote host.

Description :

There is a flaw in the Task Scheduler application which could allow a
remote attacker to execute code remotely. There are many attack vectors
for this flaw. An attacker, exploiting this flaw, would need to either
have the ability to connect to the target machine or be able to coerce a
local user to either install a .job file or browse to a malicious website.

Solution :

Microsoft has released a set of patches for Windows 2000, XP and 2003 :

http://www.microsoft.com/technet/security/bulletin/ms04-022.mspx

Risk factor :

Critical / CVSS Base Score : 10
(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)
CVE : CVE-2004-0212
BID : 10708

Nessus ID : 13852

[^] Back to 192.168.1.5

Port ssdp (1900/udp)

scan for UPNP hosts
Microsoft Universal Plug n Play is running on this machine. This service is dangerous for many different reasons. Solution: To disable UPNP, see http://grc.com/UnPnP/UnPnP.htm Risk factor : High CVE : CVE-2001-0876 BID : 3723 Nessus ID : 10829

[^] Back to 192.168.1.5

Port netbios-ns (137/tcp)

Using NetBIOS to retrieve information from a Windows host

Synopsis :

It is possible to obtain the network name of the remote host.

Description :

The remote host listens on udp port 137 and replies to NetBIOS nbtscan
requests. By sending a wildcard request it is possible to obtain the
name of the remote system and the name of its domain.

Risk factor :

None

Plugin output :

The following 8 NetBIOS names have been gathered :

TESTING = Computer name
WORKGROUP = Workgroup / Domain name
TESTING = Messenger Service
TESTING = File Server Service
WORKGROUP = Browser Service Elections
WORKGROUP = Master Browser
__MSBROWSE__ = Master Browser
VNUTZ = Messenger Username

The remote host has the following MAC address on its adapter :
08:00:46:1c:f9:fc
CVE : CVE-1999-0621
Other references : OSVDB:13577

Nessus ID : 10150

[^] Back to 192.168.1.5

Port ntp (123/udp)

NTP read variables
An NTP (Network Time Protocol) server is listening on this port. Risk factor : Low Nessus ID : 10884

[^] Back to 192.168.1.5

Port netbios-ns (137/udp)

NetBIOS Name Service Reply Information Leakage

The remote host is running a version of the NetBT name service which
suffers from a memory disclosure problem.

An attacker may send a special packet to the remote NetBT name
service, and the reply will contain random arbitrary data from the
remote host memory. This arbitrary data may be a fragment from the
web page the remote user is viewing, or something more serious like a
POP password or anything else.

An attacker may use this flaw to continuously 'poll' the content of
the memory of the remote host and might be able to obtain sensitive
information.

Solution : See http://www.microsoft.com/technet/security/bulletin/ms03-034.mspx
Risk factor : Medium
CVE : CVE-2003-0661
BID : 8532
Other references : OSVDB:2507

Nessus ID : 11830

[^] Back to 192.168.1.5

Port ms-lsa (1028/udp)

DCE Services Enumeration

[^] Back to 192.168.1.5

Port isakmp (500/udp)

IPSEC IKE detection

Synopsis :

A VPN server is listening on the remote port.

Description :

The remote host seems to be enabled to do Internet Key
Exchange (IKE). This is typically indicative of a VPN server.
VPN servers are used to connect remote hosts into internal
resources.

Make sure that the use of this VPN endpoint is done in accordance with
your corporate security policy.

Solution :

If this service is not needed, disable it or filter incoming traffic
to this port.

Risk factor :

None

Nessus ID : 11935

[^] Back to 192.168.1.5

Port general/udp

Traceroute
For your information, here is the traceroute from 192.168.1.250 to 192.168.1.5 : 192.168.1.250 192.168.1.5 Nessus ID : 10287

[^] Back to 192.168.1.5

Port general/icmp

icmp timestamp request

Synopsis :

It is possible to determine the exact time set on the remote host.

Description :

The remote host answers to an ICMP timestamp request. This allows an attacker
to know the date which is set on your machine.

This may help him to defeat all your time based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)

Plugin output :

The ICMP timestamps seem to be in little endian format (not in network format)
The difference between the local and remote clocks is 3 seconds

CVE : CVE-1999-0524

Nessus ID : 10114

Record route
Here is the route recorded between 192.168.1.250 and 192.168.1.5 : 192.168.1.5. Nessus ID : 12264

[^] Back to 192.168.1.5

Port epmap (135/tcp)

DCE Services Enumeration

Synopsis :

A DCE/RPC service is running on the remote host.

Description :

By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.

Risk factor :

None

Plugin output :

The following DCERPC services are available locally :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Local RPC service
Named pipe : srrpc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Local RPC service
Named pipe : senssvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Local RPC service
Named pipe : trkwks

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Local RPC service
Named pipe : keysvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : tapsrvlpc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLE5

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : tapsrvlpc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLE5

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : tapsrvlpc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLE5

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Local RPC service
Named pipe : tapsrvlpc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Local RPC service
Named pipe : OLE5

Nessus ID : 10736

[^] Back to 192.168.1.5

Port microsoft-ds (445/tcp)

SMB Detection
A CIFS server is running on this port Nessus ID : 11011

DCE Services Enumeration

Synopsis :

A DCE/RPC service is running on the remote host.

Description :

By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.

Risk factor :

None

Plugin output :

The following DCERPC services are available remotely :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Remote RPC service
Named pipe : \PIPE\msgsvc
Netbios name : \\TESTING

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Remote RPC service
Named pipe : \PIPE\srvsvc
Netbios name : \\TESTING

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Remote RPC service
Named pipe : \PIPE\SECLOGON
Netbios name : \\TESTING

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Remote RPC service
Named pipe : \pipe\trkwks
Netbios name : \\TESTING

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Remote RPC service
Named pipe : \PIPE\W32TIME
Netbios name : \\TESTING

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\AudioSrv
Netbios name : \\TESTING

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \pipe\tapsrv
Netbios name : \\TESTING

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\TESTING

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\AudioSrv
Netbios name : \\TESTING

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \pipe\tapsrv
Netbios name : \\TESTING

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\TESTING

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\AudioSrv
Netbios name : \\TESTING

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \pipe\tapsrv
Netbios name : \\TESTING

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\TESTING

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Remote RPC service
Named pipe : \PIPE\AudioSrv
Netbios name : \\TESTING

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Remote RPC service
Named pipe : \pipe\tapsrv
Netbios name : \\TESTING

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\TESTING

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Remote RPC service
Named pipe : \PIPE\wkssvc
Netbios name : \\TESTING

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Remote RPC service
Named pipe : \pipe\keysvc
Netbios name : \\TESTING

Nessus ID : 10736

ASN.1 Parsing Vulnerabilities (NTLM check)

Synopsis :

Arbitrary code can be executed on the remote host.

Description :

The remote Windows host has a ASN.1 library which is vulnerable to a
flaw which could allow an attacker to execute arbitrary code on this host.

To exploit this flaw, an attacker would need to send a specially crafted
ASN.1 encoded packet with improperly advertised lengths.

This particular check sent a malformed NTLM packet and determined that
the remote host is not patched.

Solution :

http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx

Risk factor :

Critical / CVSS Base Score : 10
(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)
CVE : CVE-2003-0818
BID : 9633, 9635, 9743, 13300
Other references : IAVA:2004-A-0001, OSVDB:3902

Nessus ID : 12054

SMB NativeLanMan

Synopsis :

It is possible to obtain information about the remote operating
system.

Description :

It is possible to get the remote operating system name and
version (Windows and/or Samba) by sending an authentication
request to port 139 or 445.

Risk factor :

None

Plugin output :

The remote Operating System is : Windows 5.1
The remote native lan manager is : Windows 2000 LAN Manager
The remote SMB Domain Name is : TESTING

Nessus ID : 10785

Microsoft Hotfix for KB835732 (SMB check)

Synopsis :

Arbitrary code can be executed on the remote host due to a flaw in the
LSASS service.

Description :

The remote version of Windows contains a flaw in the function
DsRolerUpgradeDownlevelServer of the Local Security Authority
Server Service (LSASS) which may allow an attacker to execute
arbitrary code on the remote host with the SYSTEM privileges.

A series of worms (Sasser) are known to exploit this vulnerability
in the wild.

Solution :

Microsoft has released a set of patches for Windows NT, 2000, XP and 2003 :

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Risk factor :

Critical / CVSS Base Score : 10
(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)
Other references : IAVA:2004-A-0006

Nessus ID : 12209

SMB log in

Synopsis :

It is possible to logon on the remote host.

Description :

The remote host is running one of the Microsoft Windows operating
system. It was possible to logon using one of the following
account :

- NULL session
- Guest account
- Given Credentials

See also :

http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP

Risk factor :

none

Plugin output :

- NULL sessions are enabled on the remote host

CVE : CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595
BID : 494, 990, 11199

Nessus ID : 10394

SMB accessible registry

Synopsis :

Access the remote Windows Registry.

Description :

It was not possible to connect to PIPE\winreg on the remote host.
If you intend to use Nessus to perform registry-based checks, the
registry checks will not work because the 'Remote Registry Access'
service (winreg) has been disabled on the remote host or can not be
connected to with the supplied credentials.

Risk factor :

None

Nessus ID : 10400

Vulnerability in Server Service Could Allow Remote Code Execution (917159) - Network check

Synopsis :

Arbitrary code can be executed on the remote host due to a flaw in the
'server' service.

Description :

The remote host is vulnerable to heap overflow in the 'Server' service which
may allow an attacker to execute arbitrary code on the remote host with
the 'System' privileges.

In addition to this, the remote host is also vulnerable to an information
disclosure vulnerability in SMB which may allow an attacker to obtain
portions of the memory of the remote host.

Solution :

Microsoft has released a set of patches for Windows 2000, XP and 2003 :

http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx

Risk factor :

High / CVSS Base Score : 7.0
(AV:R/AC:L/Au:NR/C:P/I:P/A:P/B:N)
CVE : CVE-2006-1314, CVE-2006-1315
BID : 18891, 18863

Nessus ID : 22034

SMB null param count DoS
The remote host is vulnerable to a denial of service attack in its SMB stack. An attacker may exploit this flaw to crash the remote host remotely, without any kind of authentication. Solution : http://www.microsoft.com/technet/security/bulletin/ms02-045.mspx Risk factor : High CVE : CVE-2002-0724 BID : 5556 Nessus ID : 11110

[^] Back to 192.168.1.5

Port commplex-main (5000/tcp)

[^] Back to 192.168.1.5

Port general/tcp

IP protocols scan
The following IP protocols are accepted on this host: 1 ICMP 2 IGMP 6 TCP 17 UDP 47 GRE 255 Nessus ID : 14788

OS Identification
The remote host is running Microsoft Windows XP Nessus ID : 11936

Information about the scan

Information about this scan :

Nessus version : 3.0.4
Plugin feed version : 200701101815
Type of plugin feed : Registered (7 days delay)
Scanner IP : 192.168.1.250
Port scanner(s) : nessus_tcp_scanner synscan
Port range : default
Thorough tests : yes
Experimental tests : no
Paranoia level : 0
Report Verbosity : 2
Safe checks : no
Max hosts : 40
Max checks : 5
Scan Start Date : 2007/2/11 20:41
Scan duration : 371 sec

Nessus ID : 19506

[^] Back to 192.168.1.5

Port netbios-ssn (139/tcp)

SMB Detection
An SMB server is running on this port Nessus ID : 11011