Return to the 2006 Operating System Vulnerability Summary on OmniNerd
List of hosts
192.168.1.5 : High Severity problem(s) found

192.168.1.5


Scan time :
Start time : Sun Feb 11 00:20:53 2007
End time : Sun Feb 11 00:40:43 2007
Number of vulnerabilities :
Open ports : 89
Low : 67
Medium : 3
High : 1

Information about the remote host :

Operating system : Linux Kernel 2.4, Linux Kernel 2.6
NetBIOS name : (unknown)
DNS name : (unknown)

Port ftp (21/tcp)
Services
An FTP server is running on this port.
Here is its banner :
220 ProFTPD 1.3.0 Server (ProFTPD Default Installation) [192.168.1.5]

Nessus ID : 10330
FTP Server Detection

Synopsis :

An FTP server is listening on this port

Description :

It is possible to obtain the banner of the remote FTP server
by connecting to the remote port.

Risk factor :

None

Plugin output :

The remote FTP banner is :
220 ProFTPD 1.3.0 Server (ProFTPD Default Installation) [192.168.1.5]

Nessus ID : 10092
Identd scan
identd reveals that this service is running as user 0


Nessus ID : 14674

Port ipp (631/tcp)
Services
A web server is running on this port

Nessus ID : 10330
Identd scan
identd reveals that this service is running as user 0


Nessus ID : 14674
HMAP
This web server was fingerprinted as CUPS/1.1 [forbidden access]
which is consistent with the displayed banner: CUPS/1.1

Nessus ID : 11919
HTTP Server type and version
The remote web server type is :

CUPS/1.1


Nessus ID : 10107

Port telnet (23/tcp)
Services
A telnet server seems to be running on this port

Nessus ID : 10330
Telnet Server Detection

Synopsis :

A telnet server is listening on the remote port

Description :

The remote host is running a telnet server.
Using telnet is not recommended as logins, passwords and commands
are transferred in clear text.

An attacker may eavesdrop on a telnet session and obtain the
credentials of other users.

Solution :

Disable this service and use SSH instead

Risk factor :

Medium / CVSS Base Score : 4
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:C)

Plugin output:

Remote telnet banner:

TESTING login:

Nessus ID : 10281
Identd scan
identd reveals that this service is running as user 0


Nessus ID : 14674
TESO in.telnetd buffer overflow

The Telnet server does not return an expected number of replies
when it receives a long sequence of 'Are You There' commands.
This probably means it overflows one of its internal buffers and
crashes. It is likely an attacker could abuse this bug to gain
control over the remote host's superuser.

For more information, see:
http://www.team-teso.net/advisories/teso-advisory-011.tar.gz

Solution: Comment out the 'telnet' line in /etc/inetd.conf.
Risk factor : High
CVE : CVE-2001-0554
BID : 3064
Other references : IAVA:2001-t-0008

Nessus ID : 10709

Port hmmp-ind (612/tcp)
rpcinfo -p
RPC program #100024 version 1 'status' is running on this port


Nessus ID : 11111
Identd scan
identd reveals that this service is running as user 0


Nessus ID : 14674

Port general/udp
Traceroute
For your information, here is the traceroute from 192.168.1.250 to 192.168.1.5 :
192.168.1.250
192.168.1.5


Nessus ID : 10287

Port domain (53/udp)
DNS Cache Snooping

Synopsis :

Remote DNS server is vulnerable to Cache Snooping attacks.

Description :

The remote DNS server answers queries for third-party domains that do
not have the recursion bit set.

This may allow a remote attacker to determine which domains have recently
been resolved via this name server, and therefore which hosts have been
recently visited.

For instance, if an attacker was interested in whether your company utilizes
the online services of a particular financial institution, they would
be able to use this attack to build a statistical model regarding
company usage of aforementioned financial institution. Of course,
the attack can also be used to find B2B partners, web-surfing patterns,
external mail servers, and more...

For a much more detailed discussion of the potential risks of allowing
DNS cache information to be queried anonymously, please see:
http://community.sidestep.pt/~luis/DNS-Cache-Snooping/DNS_Cache_Snooping_1.1.pdf

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Nessus ID : 12217
DNS Server Detection

A DNS server is running on this port. If you do not use it, disable it.

Risk factor : Low

Nessus ID : 11002
Usable remote name server

Synopsis :

The remote name server allows recursive queries to be performed
by the host running nessusd.


Description :

It is possible to query the remote name server for third party names.

If this is your internal nameserver, then forget this warning.

If you are probing a remote nameserver, then it allows anyone
to use it to resolve third-party names (such as www.nessus.org).
This allows hackers to perform cache poisoning attacks against this
nameserver.

If the host allows these recursive queries via UDP,
then the host can be used to 'bounce' Denial of Service attacks
against another network or system.

See also :

http://www.cert.org/advisories/CA-1997-22.html

Solution :

Restrict recursive queries to the hosts that should
use this nameserver (such as those of the LAN connected to it).

If you are using bind 8, you can do this by using the instruction
'allow-recursion' in the 'options' section of your named.conf

If you are using bind 9, you can define a grouping of internal addresses
using the 'acl' command

Then, within the options block, you can explicitly state:
'allow-recursion { hosts_defined_in_acl }'

For more info on Bind 9 administration (to include recursion), see:
http://www.nominum.com/content/documents/bind9arm.pdf

If you are using another name server, consult its documentation.

Risk factor :

Medium / CVSS Base Score : 4
(AV:R/AC:L/Au:NR/C:N/A:N/I:P/B:I)
CVE : CVE-1999-0024
BID : 136, 678

Nessus ID : 10539
DNS Server Fingerprint
The remote name server could be fingerprinted as being : ISC BIND 9.2.3


Nessus ID : 11951

Port uucp (540/tcp)
Identd scan
identd reveals that this service is running as user 0


Nessus ID : 14674

Port npmp-trap (609/udp)
rpcinfo -p
RPC program #100024 version 1 'status' is running on this port


Nessus ID : 11111

Port login (513/tcp)
Identd scan
identd reveals that this service is running as user 0


Nessus ID : 14674

Port domain (53/tcp)
DNS Server Detection

A DNS server is running on this port. If you do not use it, disable it.

Risk factor : Low

Nessus ID : 11002
Version of BIND

Synopsis :

It is possible to obtain the version number of the remote DNS server.

Description :

The remote host is running BIND, an open-source DNS server. It is possible
to extract the version number of the remote installation by sending
a special DNS request for the text 'version.bind' in the domain 'chaos'.

Solution :

It is possible to hide the version number of bind by using the 'version'
directive in the 'options' section in named.conf

Risk factor :

None

Plugin output:

The version of the remote BIND server is : 9.3.2-P1
Other references : OSVDB:23

Nessus ID : 10028
Identd scan
identd reveals that this service is running as user 0


Nessus ID : 14674

Port general/tcp
IP protocols scan
The following IP protocols are accepted on this host:
1 ICMP
2 IGMP
6 TCP
17 UDP


Nessus ID : 14788
OS Identification
The remote host is running one of these operating systems :
Linux Kernel 2.4
Linux Kernel 2.6

Nessus ID : 11936
Information about the scan
Information about this scan :

Nessus version : 3.0.4
Plugin feed version : 200701101815
Type of plugin feed : Registered (7 days delay)
Scanner IP : 192.168.1.250
Port scanner(s) : nessus_tcp_scanner synscan
Port range : default
Thorough tests : yes
Experimental tests : no
Paranoia level : 0
Report Verbosity : 2
Safe checks : no
Max hosts : 40
Max checks : 5
Scan Start Date : 2007/2/11 0:20
Scan duration : 1190 sec


Nessus ID : 19506

Port netbios-ssn (139/tcp)

Port smtp (25/tcp)
Services
An SMTP server is running on this port
Here is its banner :
220 TESTING.local.net ESMTP Sendmail 8.13.8/8.13.8; Sun, 11 Feb 2007 00:18:51 -0500

Nessus ID : 10330
smtpscan
This server could be fingerprinted as being Sendmail 8.12.2-8.12.5

Nessus ID : 11421
SMTP Server Detection

Synopsis :

An SMTP server is listening on the remote port.

Description :

The remote host is running a mail (SMTP) server on this port.

Since SMTP servers are the targets of spammers, it is recommended you
disable it if you do not use it.

Solution :

Disable this service if you do not use it, or filter incoming traffic
to this port.

Risk factor :

None

Plugin output :

Remote SMTP server banner :
220 TESTING.local.net ESMTP Sendmail 8.13.8/8.13.8; Sun, 11 Feb 2007 00:18:51 -0500

Nessus ID : 10263
Identd scan
identd reveals that this service is running as user 0


Nessus ID : 14674
SMTP too long line

Some antivirus scanners die when they process an email containing an
over-long line without line breaks.
Such a message was sent. If there is an antivirus on your MTA,
it might have crashed. Please check its status right now, as
it is not possible to do so remotely.



Nessus ID : 11270
SMTP antivirus scanner DoS
The file 42.zip was sent 2 times. If there is an antivirus in your MTA, it might
have crashed. Please check its status right now, as it is
not possible to do so remotely.

BID : 3027

Nessus ID : 11036

Port pop3 (110/tcp)
Services
A pop3 server is running on this port

Nessus ID : 10330
Identd scan
identd reveals that this service is running as user 0


Nessus ID : 14674

Port finger (79/tcp)
Services
A finger server seems to be running on this port

Nessus ID : 10330
Finger

The 'finger' service provides useful information to attackers, since it allows
them to gain usernames, check if a machine is being used, and so on...

Here is the output we obtained for 'root' :

Login: root Name: (null)
Directory: /root Shell: /bin/bash
On since Sat Feb 10 23:40 (EST) on tty1 40 minutes 32 seconds idle
Mail last read Sat Feb 10 16:07 2007 (EST)
No Plan.


Solution : comment out the 'finger' line in /etc/inetd.conf
Risk factor : Low
CVE : CVE-1999-0612
Other references : OSVDB:11451

Nessus ID : 10068
Identd scan
identd reveals that this service is running as user 0


Nessus ID : 14674

Port submission (587/tcp)
Services
An SMTP server is running on this port
Here is its banner :
220 TESTING.local.net ESMTP Sendmail 8.13.8/8.13.8; Sun, 11 Feb 2007 00:18:52 -0500

Nessus ID : 10330
smtpscan
This server could be fingerprinted as being Sendmail 8.12.2-8.12.5

Nessus ID : 11421
SMTP Server Detection

Synopsis :

An SMTP server is listening on the remote port.

Description :

The remote host is running a mail (SMTP) server on this port.

Since SMTP servers are the targets of spammers, it is recommended you
disable it if you do not use it.

Solution :

Disable this service if you do not use it, or filter incoming traffic
to this port.

Risk factor :

None

Plugin output :

Remote SMTP server banner :
220 TESTING.local.net ESMTP Sendmail 8.13.8/8.13.8; Sun, 11 Feb 2007 00:18:52 -0500

Nessus ID : 10263
Identd scan
identd reveals that this service is running as user 0


Nessus ID : 14674
SMTP too long line

Some antivirus scanners die when they process an email containing an
over-long line without line breaks.
Such a message was sent. If there is an antivirus on your MTA,
it might have crashed. Please check its status right now, as
it is not possible to do so remotely.



Nessus ID : 11270
SMTP antivirus scanner DoS
The file 42.zip was sent 2 times. If there is an antivirus in your MTA, it might
have crashed. Please check its status right now, as it is
not possible to do so remotely.

BID : 3027

Nessus ID : 11036

Port sunrpc (111/tcp)
RPC portmapper

The RPC portmapper is running on this port.

An attacker may use it to enumerate your list
of RPC services. We recommend you filter traffic
going to this port.

Risk factor : Low
CVE : CVE-1999-0632, CVE-1999-0189
BID : 205

Nessus ID : 10223
rpcinfo -p
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port


Nessus ID : 11111
Identd scan
identd reveals that this service is running as user 1


Nessus ID : 14674

Port http (80/tcp)
Services
A web server is running on this port

Nessus ID : 10330
Unconfigured web server

Synopsis :

The remote web server is not configured, or is not properly configured.

Description :

The remote web server seems to have its default welcome page set.
It probably means that this server is not used at all.

Solution :

Disable this service, as you do not use it

Risk factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
Other references : OSVDB:2117

Nessus ID : 11422
Identd scan
identd reveals that this service is running as user 99


Nessus ID : 14674
Directory Scanner
The following directories were discovered:
/cgi-bin, /icons, /manual

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards.

Other references : OWASP:OWASP-CM-006

Nessus ID : 11032
HMAP
This web server was fingerprinted as Apache/1.3.27-37 (Unix)
which is consistent with the displayed banner: Apache/1.3.37 (Unix)

Nessus ID : 11919
HTTP Server type and version
The remote web server type is :

Apache/1.3.37 (Unix)


Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.

Nessus ID : 10107
Apache Remote Username Enumeration Vulnerability

Synopsis :

The remote Apache server can be used to guess the presence of a given
user name on the remote host.

Description :

When configured with the 'UserDir' option, requests to URLs containing
a tilde followed by a username will redirect the user to a given
subdirectory in the user home.

For instance, by default, requesting /~root/ displays the HTML
contents from /root/public_html/.

If the username requested does not exist, then Apache will reply with
a different error code. Therefore, an attacker may exploit this
vulnerability to guess the presence of a given user name on the remote
host.

Solution :

In httpd.conf, set the 'UserDir' to 'disabled'.

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
CVE : CVE-2001-1013
BID : 3335
Other references : OSVDB:637

Nessus ID : 10766
HTTP TRACE Method Enabled

Synopsis :

Debugging functions are enabled on the remote HTTP server.

Description :

The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.

It has been shown that servers supporting this method are subject to
cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when
used in conjunction with various weaknesses in browsers.

An attacker may use this flaw to trick your legitimate web users to give
him their credentials.

Solution :

Disable these methods.

See also :

http://www.kb.cert.org/vuls/id/867593

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Plugin output :


Solution :
Add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]


CVE : CVE-2004-2320
BID : 9506, 9561, 11604
Other references : OSVDB:877

Nessus ID : 11213

Port time (37/tcp)
Services
A time server seems to be running on this port

Nessus ID : 10330

Port general/icmp
icmp timestamp request

Synopsis :

It is possible to determine the exact time set on the remote host.

Description :

The remote host answers ICMP timestamp requests. This allows an attacker
to learn the date and time set on your machine.

This may help him to defeat your time-based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)

Plugin output :

The difference between the local and remote clocks is 121 seconds

CVE : CVE-1999-0524

Nessus ID : 10114
Record route
Here is the route recorded between 192.168.1.250 and 192.168.1.5 :
192.168.1.5.
192.168.1.5.


Nessus ID : 12264

Port ssh (22/tcp)
Services
An ssh server is running on this port

Nessus ID : 10330
Identd scan
identd reveals that this service is running as user 0


Nessus ID : 14674
SSH Server type and version
Remote SSH version : SSH-1.99-OpenSSH_4.4

Remote SSH supported authentication : publickey,password,keyboard-interactive



Nessus ID : 10267
SSH protocol versions supported
The remote SSH daemon supports the following versions of the
SSH protocol :

. 1.33
. 1.5
. 1.99
. 2.0


SSHv1 host key fingerprint : f3:9f:86:37:11:4b:00:73:74:67:57:04:fb:a2:f9:9d
SSHv2 host key fingerprint : 61:55:b9:69:3f:d4:dd:0a:9f:19:22:48:78:50:b1:86


Nessus ID : 10881
SSH protocol version 1 enabled

Synopsis :

The remote service offers an insecure cryptographic protocol

Description :

The remote SSH daemon supports connections made
using the version 1.33 and/or 1.5 of the SSH protocol.

These protocols are not completely cryptographically
safe so they should not be used.

Solution :

Disable compatibility with version 1 of the protocol.

Risk factor :

Low / CVSS Base Score : 3
(AV:R/AC:H/Au:NR/C:P/A:N/I:N/B:C)
CVE : CVE-2001-0361
BID : 2344

Nessus ID : 10882

Port imap (143/tcp)
Services
An IMAP server is running on this port

Nessus ID : 10330
Get the IMAP Banner

Synopsis :

An IMAP server is running on the remote host.

Description :

An IMAP (Internet Message Access Protocol) server is
installed and running on the remote host.

Risk factor :

None

Plugin output :

The remote imap server banner is :
* OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS STARTTLS AUTH=LOGIN] [192.168.1.5] IMAP4rev1 2004.357 at Sun, 11 Feb 2007 00:18:54 -0500 (EST)

Nessus ID : 11414
Identd scan
identd reveals that this service is running as user 0


Nessus ID : 14674

Port ident (113/tcp)
Services
An identd server is running on this port

Nessus ID : 10330
Identd enabled

The remote host is running an ident (also known as 'auth') daemon.

The 'ident' service provides sensitive information to potential
attackers. It mainly says which accounts are running which services.
This helps attackers to focus on valuable services (those
owned by root). If you do not use this service, disable it.

Solution : Under Unix systems, comment out the 'auth' or 'ident'
line in /etc/inetd.conf and restart inetd

Risk factor : Low
CVE : CVE-1999-0629

Nessus ID : 10021
Identd scan
identd reveals that this service is running as user 99


Nessus ID : 14674

Port shell (514/tcp)
Rsh Server Detection

Synopsis :

The rsh service is running.

Description :

The remote host is running the 'rsh' service. This service is dangerous in
the sense that it is not encrypted - that is, everyone can sniff the data
that passes between the rsh client and the rsh server. This includes logins
and passwords.

Also, it may allow poorly authenticated logins without passwords. If the
host is vulnerable to TCP sequence number guessing (from any network)
or IP spoofing (including ARP hijacking on a local network) then it may
be possible to bypass authentication.

Finally, rsh is an easy way to turn file-write access into full logins
through the .rhosts or rhosts.equiv files.

You should disable this service and use ssh instead.

Solution :

Comment out the 'rsh' line in /etc/inetd.conf

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:H/Au:R/C:P/A:N/I:N/B:C)
CVE : CVE-1999-0651

Nessus ID : 10245

Port sunrpc (111/udp)
rpcinfo -p
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port


Nessus ID : 11111