xxx.xxx.1.11 (foo)

"rusers" service check

Risk Factor: Medium
Complexity: Low
Popularity: Widespread
Impact: Intelligence
Root Cause: Insecure Design
Ease of Fix: Simple

Description:

The "rusers" ONC RPC service, much like finger, provides information about users currently logged into a Unix system. This information can be used by an attacker to obtain lists of usernames to attempt brute-force password guessing attacks against, and to discover the usage patterns of the system. This check attempts to retrieve information from the rusers service on the target host.

Security Concerns:

Attackers can use this information to discover usernames and to determine which hosts your remote users are logging in from.

Suggestion:

If this service is not necessary for your network, we suggest that you either disable it by commenting the appropriate line out of the file /etc/inetd.conf or that you install some type of access control facility to restrict contact to your RPC services. If you are running SunOS 4.1.X, the securelib library available at ftp://coast.cs.purdue.edu/pub/tools/unix/securelib will provide the ability to restrict RPC daemon access by network address. Like finger, rusers can have tcp_wrappers applied to it.

It is suggested that with this and any program that is to be run from the inetd daemon, you install TCP wrappers, available at: ftp://ftp.porcupine.org/pub/security. This tool lets you restrict by IP address and/or hostname who is allowed to query the rusers daemon. The port will still be shown as active when port scanned, but the connection will be dropped without providing any information if the host is not allowed to access the service. Tcp_wrappers also provides much more detailed information to the syslog service than the normal daemon. Because of this it is a good idea to install tcp_wrappers on any service that you want to run from inetd.

Manager Description:

"rusers" is a public information service that provides information about the users on a networked system. The information provided by "rusers" is often sensitive in nature, and can allow attackers to gather information which can be helpful in launching further attacks.

LOGIN    foo:console   Tue Feb 01 1 2:07:01
.telnet  foo:/dev/pts  Sat Feb 26 2 ??
.telnet  foo:/dev/pts  Sat Feb 26 2 ??
.telnet  foo:/dev/pts  Sat Feb 26 2 ??
.telnet  foo:/dev/pts  Sat Feb 26 2 ??
.rlogin  foo:/dev/pts  Sat Feb 26 2 ??
.rlogin  foo:/dev/pts  Sun Feb 20 2 ??
.telnet  foo:/dev/pts  Sat Feb 26 2 ??
.telnet  foo:/dev/pts  Sat Feb 26 2 ??
.telnet  foo:/dev/pts  Sat Feb 26 2 ??
.telnet  foo:/dev/pts  Tue Feb 22 1 ??
.telnet  foo:/dev/pts  Tue Feb 22 1 ??

Telnet service banner present

Risk Factor: Low
Complexity: Low
Popularity: Popular
Impact: Intelligence
Root Cause: Misconfiguration
Ease of Fix: Simple

Description:

This check obtains and displays the telnet banner which is returned by the target host when connecting to the telnet service.

Security Concerns:

If your telnet banner contains information identifying your operating system, this knowledge may be used to launch operating-system-specific attacks against your network.

Suggestion:

If you are concerned about the information displayed in your telnet banner messages, then edit the following files to modify the content of these messages:

o /etc/issue
o /etc/issue.net
o /etc/gettytab
o /bin/login sources

Additionally, we recommend that if you are providing telnet service you restrict access to only those sites that you expect remote logins from. TCP wrappers can be configured to restrict internet daemon access to approved remote hosts by editing access rules in the following files:

o /etc/hosts.allow
o /etc/hosts.deny

The TCP wrapper package is available at: ftp://ftp.porcupine.org/pub/security

Manager Description:

The "telnet" service allows remote users to log into a computer system. Most "telnet" server implementations provide information about the server to telnet clients attempting to log into the system. While this can be used to present warnings to attackers, it more frequently provides information that can be used by an attacker to learn about the configuration of the system. This information can be used by an attacker to more efficiently attack the system.

SunOS 5.7

SMTP banner check

Risk Factor: Low
Complexity: Low
Popularity: Popular
Impact: Intelligence
Root Cause: Software Implementation Problems
Ease of Fix: Moderate

Description:

This check collects the message displayed upon connection to the SMTP port of the target host.

Security Concerns:

The SMTP port banner usually contains specific information about the version of the SMTP agent that you are using. This information can be used to launch specific attacks against software with known vulnerabilities. Sendmail, the most popular SMTP server for Unix, has an extensive history of security problems. Knowledge of specific version information allows an attacker to predict what sort of attacks may be successful against your system.

Suggestion:

Sendmail users can modify banner information by editing the sendmail configuration file /etc/sendmail.cf. Sendmail's current version is 8.9.1. You should check the sendmail web site for the latest version and upgrade your installation to the latest version. Almost all earlier versions of sendmail have security problems. You can check for the latest version at http://www.sendmail.org. If you are not running sendmail as your SMTP agent, then consult the documentation about modifying the version information displayed by your mail daemon.

Manager Description:

"SMTP" is the protocol used to deliver all Internet electronic mail. SMTP is driven by mail servers, which listen to requests from SMTP clients to deliver or forward mail. Most SMTP server implementations provide information about the server to SMTP clients attempting to transmit mail messages. While this can be used to present warnings to attackers, it more frequently provides information that can be used by an attacker to learn about the configuration of the mail system. This information can be used by an attacker to more efficiently attack the system.

220 foo ESMTP Sendmail 8.9.1b+Sun/8.9.1; Sat, 26 Feb 2000 22:19:34 +0100 (MET)

FTP banner check

Risk Factor: Low
Complexity: Low
Popularity: Popular
Impact: Intelligence
Root Cause: Software Implementation Problems
Ease of Fix: Moderate

Description:

The FTP banner check attempts to gather banner information from the ftp daemon.

Security Concerns:

If the FTP banner your host displays contains specific version information, an attacker can determine what attacks will be successful against your system.

Suggestion:

If you are running a configurable FTP server such as WU-FTP, or if you have access to the source code for the version of ftpd you are using, you may want to make modifications to restrict the information displayed in the ftpd banner. If source code for your version of ftp is unavailable, you can pick up wu-ftp at: ftp://ftp.academ.com/pub/wu-ftpd/private/ (please read the .message file; the directory is not browsable, but the message will point you to the place to pick up the server software).

FTP can also be protected with tcp_wrappers. It is suggested that with this and any program that is to be run from the inetd daemon, you install TCP wrappers, available at: ftp://ftp.porcupine.org/pub/security. This tool lets you restrict by IP address and/or hostname who is allowed to query the ftp daemon. The port will still be shown as active when port scanned, but the connection will be dropped without providing any information if the host is not allowed to access the service. Tcp_wrappers also provides much more detailed information to the syslog service than the normal daemon. Because of this it is a good idea to install tcp_wrappers on any service that you want to run from inetd.

Manager Description:

"FTP" is a protocol that allows files to be transferred between machines on the Internet. FTP servers listen for requests from FTP clients to transfer files, optionally requiring them to log in with a username and password. Many FTP server implementations provide information about the server to FTP clients attempting to log into the system. While this can be used to present warnings to attackers, it more frequently provides information that can be used by an attacker to learn about the configuration of the system. This information can be used by an attacker to more efficiently attack the system.

220 foo FTP server (Version wu-2.6.0(1) Mon Nov 22 12:00:11 MET 1999) ready.

ESMTP check

Risk Factor: Low
Complexity: Low
Popularity: Widespread
Impact: Intelligence
Root Cause: Software Implementation Problems
Ease of Fix: Moderate

Description:

This check determines whether a mailer daemon supports extended SMTP commands via the ehlo command.

Security Concerns:

The ehlo command is used by mail transport agents to query which extended SMTP commands a remote mailer will accept. The more a remote user can discern about your mailer, the more likely it is that they can devise a way to exploit your version of sendmail.

Suggestion:

We suggest you run a suitable front end for sendmail, or modify your sendmail code to only return information you feel is safe for the outside world to have. One way to protect your mailer is to run it in a more protected environment; the SMAPd tool in the TIS Firewall Toolkit does this. For more information on smapd, which is part of the firewall toolkit, see: http://www.tis.com/research/software/fwtk_over.html. The toolkit is free, but not distributable. Visit the page for further details or download the kit directly at: http://www.tis.com/research/software/fwtk_down.html

250-foo Hello c18763090.telekabel.chello.nl [212.187.63.90], pleased to meet you
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ONEX
250-ETRN
250-XUSR
250 HELP

Routing table retrieved

Risk Factor: Medium
Complexity: Medium
Popularity: Obscure
Impact: Intelligence
Root Cause: Misconfiguration
Ease of Fix: Moderate

Description:

The routing table has been retrieved from the target host's routing daemon. This service utilizes RIP (Routing Information Protocol) to maintain an updated list of routes and routing information for the host it is running on.

Security Concerns:

Outside access to your routing table reveals a significant amount of information about the internal structure of your network which can be used to engineer attacks on your systems.

Suggestion:

We suggest you ensure that any requests to the routing daemon are filtered at your internet gateway. This will also protect your network from an attacker attempting to add false routing entries to your hosts.

RIPv1 284 bytes
0.0.0.0        metric 2  default
192.168.1.0    metric 3
xxx.xxx.0.0    metric 1
192.168.169.0  metric 2
192.168.10.0   metric 2
195.169.80.0   metric 2
195.169.81.0   metric 2
195.169.82.0   metric 2
195.169.83.0   metric 2
195.169.84.0   metric 2
195.169.85.0   metric 2
195.169.86.0   metric 2
195.169.87.0   metric 2
145.88.0.0     metric 2

rpc.rquotad check

Risk Factor: Low
Complexity: Medium
Popularity: Obscure
Impact: Intelligence
Root Cause: Insecure Design
Ease of Fix: Moderate

Description:

The check attempts to poll rpc.rquotad on the target host for user quota information.

Security Concerns:

The rpc.rquotad service provides quota information about NFS mounted filesystems. No authentication is performed by this service, so this information is provided to anyone who makes a request.

Suggestion:

rpc.rquotad is usually started out of inetd. If this service is not necessary, you should comment it out of the /etc/inetd.conf file and restart inetd with the following command:

kill -HUP <pid of inetd>

Alternatively, tcp_wrappers could be installed. Tcp_wrappers lets you filter who is allowed access to services started out of inetd based on IP address or host/domain name. While rpc.rquotad may be a necessary service, it is unlikely that the entire network needs access to it. Tcp_wrappers can be found at: ftp://ftp.porcupine.org/pub/security

Since this service does not authenticate requests, consider installing some type of host-based access control for your RPC daemons. The securelib replacement libraries for SunOS 4.1.X provide access control functionality. Securelib is available at: http://www.cs.purdue.edu/coast/archive/data/categ50.html

rpc.sprayd check

Risk Factor: Low
Complexity: Medium
Popularity: Obscure
Impact: Intelligence
Root Cause: Insecure Design
Ease of Fix: Simple

Description:

The rpc.sprayd service is offered to administrators to determine traffic statistics on a network. An administrator can send the service a stream of packets, and is presented with statistics on the number of packets which have been received.

Security Concerns:

rpc.sprayd could be used by remote users to plan a denial of service attack.

Suggestion:

The rpc.sprayd service should normally be disabled unless you are testing your network. rpc.sprayd is usually started out of inetd. If this service is not necessary, you should comment it out of the /etc/inetd.conf file and restart inetd:

kill -HUP <pid of inetd>

Alternatively, tcp_wrappers could be installed. Tcp_wrappers lets you filter who is allowed access to the services started out of inetd based on IP address or host/domain name. While rpc.sprayd may be a necessary service, it is unlikely that the entire network needs access to it. Tcp_wrappers can be found at: ftp://ftp.porcupine.org/pub/security

ICMP timestamp obtained

Risk Factor: Low
Complexity: Medium
Popularity: Obscure
Impact: Intelligence
Root Cause: Insecure Design
Ease of Fix: Moderate

Description:

The system time was obtained from the target host utilizing a capability present within the ICMP protocol. The ICMP protocol provides an operation to query a remote host for the current system time.

Security Concerns:

This information may be used by an attacker when attacking time based authentication protocols.

Suggestion:

Disallow ICMP timestamp requests through your firewall.

ICMP Timestamp Reply: 22:20:01

ICMP netmask obtained

Risk Factor: Low
Complexity: Medium
Popularity: Obscure
Impact: Intelligence
Root Cause: Insecure Design
Ease of Fix: Moderate

Description:

The netmask was obtained from the target host utilizing a capability present within the ICMP protocol. The ICMP protocol provides an operation to query a remote host for the network netmask.

Security Concerns:

This information can assist an attacker in determining the internal structure of your network, as well as the routing scheme.

Suggestion:

Disallow ICMP Netmask requests through your firewall.

ICMP Netmask Reply: 255.255.255.0

WWW Web Server Version

Risk Factor: Low
Complexity: Low
Popularity: Widespread
Impact: Intelligence
Root Cause: Software Implementation Problems
Ease of Fix: Difficult

Description:

This check returns the version of WWW server running on the remote host, if it is available.

Security Concerns:

Ensure that you are running the most current version of your web server software. An attacker can use the version information from your web server to determine if there are any known vulnerabilities present. To see if your web server gives this information, from a telnet window, try connecting to port 80 (or whatever port your web server is running on). Then issue a command such as:

GET / HTTP/1.0

The beginning of the reply from the server (in this case a proxy server) may have the server information in it, generally with a "Server:" heading line. In the case below, we see that the proxy server is version 3.5 of Netscape's proxy server.

HTTP/1.0 200 OK
Proxy-agent: Netscape-Proxy/3.5
Date: Fri, 18 Sep 1998 06:41:01 GMT
Accept-ranges: bytes
Last-modified: Fri, 31 Jul 1998 19:23:47 GMT
Content-length: 939
Content-type: application/x-ns-proxy-autoconfig

Apache/1.3.9 (Unix)

"portmapper" or "rpcbind" RPC service present

Risk Factor: Low
Complexity: Low
Popularity: Widespread
Impact: Authorization::Intelligence
Root Cause: Misconfiguration
Ease of Fix: Moderate

Description:

The portmapper service was found running on the target host. Since RPC services do not run on well-known ports, this service is used to map RPC services to the dynamic port numbers that they currently reside on. RPC client programs use this service when they make a connection to a remote RPC server.

Security Concerns:

This service can be used to survey your hosts for vulnerable RPC services.

Suggestion:

We suggest that you restrict access to this service at your router by adding filter rules that prevent outside access to TCP or UDP port 111 on any host on your internal network. Be aware that it is not necessary to be able to contact the portmapper service to make connections to RPC services. Specialized portscanning software can find RPC services without being able to make a connection to the portmapper.

References:

See the Unix manual pages for the "portmap" (BSD based systems) or "rpcbind" (System V based systems) services.

program    vers proto port
100000     4    tcp   111   portmapper
100000     3    tcp   111   portmapper
100000     2    tcp   111   portmapper
100000     4    udp   111   portmapper
100000     3    udp   111   portmapper
100000     2    udp   111   portmapper
100024     1    udp   32772 status
100024     1    tcp   32771 status
100021     1    udp   4045  nlockmgr
100021     2    udp   4045  nlockmgr
100021     3    udp   4045  nlockmgr
100021     4    udp   4045  nlockmgr
100133     1    udp   32772
100133     1    tcp   32771
100021     1    tcp   4045  nlockmgr
100021     2    tcp   4045  nlockmgr
100021     3    tcp   4045  nlockmgr
100232     10   udp   32773 sadmind
100011     1    udp   32774 rquotad
100021     4    tcp   4045  nlockmgr
100002     2    udp   32775 rusersd
100002     3    udp   32775 rusersd
100002     2    tcp   32772 rusersd
100002     3    tcp   32772 rusersd
100012     1    udp   32776 sprayd
100008     1    udp   32777 walld
100083     1    tcp   32773 ttdbserverd
100221     1    tcp   32774 kcmsd
100235     1    tcp   32775
100068     2    udp   32778 cmsd
100068     3    udp   32778 cmsd
100068     4    udp   32778 cmsd
100068     5    udp   32778 cmsd
100005     1    udp   32781 mountd
100005     2    udp   32781 mountd
100005     3    udp   32781 mountd
100005     1    tcp   32778 mountd
100005     2    tcp   32778 mountd
100005     3    tcp   32778 mountd
100003     2    udp   2049  nfs
100003     3    udp   2049  nfs
100227     2    udp   2049  nfs_acl
100227     3    udp   2049  nfs_acl
100003     2    tcp   2049  nfs
100003     3    tcp   2049  nfs
100227     2    tcp   2049  nfs_acl
100227     3    tcp   2049  nfs_acl
100249     1    udp   32783
100249     1    tcp   32781
300598     1    udp   32786
300598     1    tcp   32782
805306368  1    udp   32786
805306368  1    tcp   32782
100068     2    tcp   57706 cmsd
100068     3    tcp   57706 cmsd
100068     4    tcp   57706 cmsd
100068     5    tcp   57706 cmsd

Sendmail VRFY and EXPN check

Risk Factor: Low
Complexity: Low
Popularity: Popular
Impact: Intelligence
Root Cause: Software Implementation Problems
Ease of Fix: Simple

Description:

This check attempts to get additional user information from the SMTP port of the target host with the VRFY and EXPN commands. VRFY can be used to identify valid user accounts on the system, whereas EXPN can be used to identify the delivery addresses of mail aliases and mailing lists.

Suggestion:

Your mailer should not allow remote users to use either EXPN or VRFY. These commands can provide a great deal of information that could be used by an attacker to compromise your system. We suggest you remove your mailer's ability to use the EXPN or VRFY commands. For systems with Sendmail Version 8, the VRFY command can be disabled by entering the "novrfy" command in the sendmail.cf configuration file. The EXPN command can be disabled in Sendmail Version 8 by entering the "noexpn" command in the sendmail.cf file.

rpc.statd link/unlink check

Risk Factor: High
Complexity: Medium
Popularity: Widespread
Impact: Data Integrity
Root Cause: Software Implementation Problems
Ease of Fix: Moderate

Description:

rpc.statd (or simply statd on some machines) is used to interact with rpc.lockd to ensure file locking keeps state on NFS servers. Many versions of rpc.statd have a vulnerability whereby they can be forced to unlink (delete) or create files as root remotely. This check discerns whether your version of rpc.statd is vulnerable to attack. There is no method to verify remotely whether this attack worked. We attempt to create a file in /tmp called tigerteam.statd. If this file exists on the specified host, then your host is vulnerable.

Security Concerns:

Remote users can remove any files on your workstations.

Suggestion:

This particular program is essential to an NFS environment; if you are running a vulnerable version it is suggested that you approach your vendor for a patch to this problem.

References:

CERT Advisory CA-96.09.rpc.statd ftp://ftp.cert.org/pub/cert_advisories/CA-96.09.rpc.statd
SGI Advisory 19960301-01-P ftp://sgigate.sgi.com/security/19960301-01-P

Mount & NIS services on non-reserved ports check

Risk Factor: Medium
Complexity: Low
Popularity: Obscure
Impact: System Integrity
Root Cause: Software Implementation Problems
Ease of Fix: Moderate

Description:

This checks for mount daemon and NIS services running on non-privileged ports. Any of the above services running on non-reserved ports are most likely vulnerable to port hijacking. If a user can hijack these services, he can then intercept or supply data from or to client programs.

Suggestion:

This problem has been solved in newer releases of free UNIX systems such as OpenBSD and Linux. Commercial vendors have yet to address this problem as of the date this was written (09/20/96). We suggest you check with your vendor for a fix.

Sequential port allocation check

Risk Factor: Medium
Complexity: Medium
Popularity: Obscure
Impact: Intelligence
Root Cause: Software Implementation Problems
Ease of Fix: Difficult

Description:

This check is designed to test if a host will spawn its listening ports in sequential order. If this is the case, attackers can implement host spoofing techniques against services which poll other hosts for authentication. Examples of such services include any service which requires authentication from DNS servers.

Suggestion:

We suggest that, if possible, you ensure that your host does not spawn ports sequentially.

NFS - world exports found

Risk Factor: High
Complexity: Low
Popularity: Popular
Impact: Confidentiality::Data Integrity::Authorization::Availability::Intelligence
Root Cause: Misconfiguration
Ease of Fix: Simple

Description:

The target host was found to have directories exported to "everyone" via NFS. By exporting directories to "everyone", anyone who can connect to the target host is able to access these file systems.

Security Concerns:

If the target file systems contain any sensitive information, any user who is able to reach the target host is able to read this information, as well as possibly modify it.

Suggestion:

It is recommended that you immediately place access restrictions on the specified file systems, if you are not intending to export them to "everyone". It is also recommended that you prevent the NFS service from passing through your border router by blocking port 2049 TCP and 2049 UDP, if you do not require outsiders to access this host via NFS.

References:

CERT Advisory CA-91:21.SunOS.NFS.Jumbo.and.fsirand ftp://ftp.cert.org/pub/cert_advisories/CA-91:21.SunOS.NFS.Jumbo.and.fsirand
CERT Advisory CA-92:15.Multiple.SunOS.vulnerabilities.patched ftp://ftp.cert.org/pub/cert_advisories/CA-92:15.Multiple.SunOS.vulnerabilities.patched
CERT Advisory CA-93:15.SunOS.and.Solaris.vulnerabilities ftp://ftp.cert.org/pub/cert_advisories/CA-93:15.SunOS.and.Solaris.vulnerabilities
CERT Advisory CA-94:02.REVISED.SunOS.rpc.mountd.vulnerability ftp://ftp.cert.org/pub/cert_advisories/CA-94:02.REVISED.SunOS.rpc.mountd.vulnerability
CERT Advisory CA-94:15.NFS.Vulnerabilities ftp://ftp.cert.org/pub/cert_advisories/CA-94:15.NFS.Vulnerabilities

/
/usr
/usr/local
/var
/disk3

MOUNTD - exported file system list retrieved

Risk Factor: Low
Complexity: Medium
Popularity: Popular
Impact: Confidentiality::Data Integrity::Authorization::Availability::Intelligence
Root Cause: Software Implementation Problems
Ease of Fix: Moderate

Description:

A list of exported file systems was retrieved from the target host. An attacker may utilize this list to infer trust relationships on the network, as well as to discover file systems which may be exported without restriction.

Suggestion:

The NFS protocol is inherently weak in its security. It is recommended that all NFS traffic be restricted at your network router and that proper filtering mechanisms be applied. Ensure that you are running a current NFS implementation. Also ensure that proper restrictions are placed on all exported file systems.

filesystem  restrictions
/           everyone
/usr        everyone
/usr/local  everyone
/var        everyone
/disk3      everyone

MOUNTD - Linux/Solaris file existence vulnerability

Risk Factor: Low
Complexity: Medium
Popularity: Obscure
Impact: Intelligence
Root Cause: Software Implementation Problems
Ease of Fix: Moderate

Description:

Linux and Solaris operating systems allow remote users to determine the existence of files on the remote server via rpc.mountd, the NFS mount daemon. By analyzing the error messages returned by the rpc.mountd daemon, an attacker can determine whether files exist, without legitimate access to the NFS server. NOTE: This check may report a false positive on systems that export /etc via NFS.

Security Concerns:

Remote users can search for the existence of key files on a remote server.

Suggestion:

Upgrade your server to a newer release which has this problem fixed.

References:

SecurityFocus Bugtraq database http://www.securityfocus.com/bid/95

/non-existant-file : Permission denied
/etc/passwd : mounted
/etc/group : mounted
/etc/shadow : mounted
/etc/master.passwd : No such file or directory
/etc/hosts.allow : mounted
/etc/hosts.deny : mounted
/vmlinuz : Permission denied

RIP spoofing check

Risk Factor: High
Complexity: Medium
Popularity: Widespread
Impact: System Integrity::Accountability::Authorization::Availability
Root Cause: Insecure Design
Ease of Fix: Moderate

Description:

The target host was found to be utilizing RIP (Routing Information Protocol) to obtain routing decision information. Version 1 RIP is an easily spoofable protocol. It has been determined that the target host is running RIP version 1.

Suggestion:

It is recommended that you utilize alternate routing protocols in any security critical environments. It is also recommended that you prevent RIP traffic from entering your network by blocking port 520 UDP at your border router.

TCP sequence numbers are predictable

Risk Factor: High
Complexity: Medium
Popularity: Popular
Impact: Accountability::Authorization
Root Cause: Software Implementation Problems
Ease of Fix: Moderate

Description:

The target host was found to be vulnerable to TCP sequence number prediction attacks. The host generates TCP sequence numbers in a pattern which can be guessed by an intruder to launch TCP spoofing based attacks.

Security Concerns:

If the target host runs services which rely on the IP address of the client as an authentication mechanism, this service can be exploited by an attacker to mimic a legitimate host.

Suggestion:

If your host is vulnerable to this attack we suggest that you ensure you are not relying on host based authentication for any network based services. These usually consist of the BSD derived "rsh" service and the "rlogin" service.

References:

CERT Advisory CA-95:01.IP.spoofing ftp://ftp.cert.org/pub/cert_advisories/CA-95:01.IP.spoofing
CIAC Advisory f-08.IP-spoof-hijacked-session ftp://ciac.llnl.gov/pub/ciac/bulletin/f-fy95/f-08.IP-spoof-hijacked-session
SecurityFocus Bugtraq database http://www.securityfocus.com/bid/604
SecurityFocus Bugtraq database http://www.securityfocus.com/bid/107

TCP Initial Sequence Numbers
###: Sequence Number  Difference
---: ---------------  ------------
  0: 210131009        0
  1: 212003516        1872507
  2: 213828587        1825071
  3: 215252848        1424261
  4: 216127897        875049
  5: 217421549        1293652
  6: 217471019        49470
  7: 219058877        1587858
  8: 220348448        1289571
  9: 220862329        513881
 10: 221321693        459364
 11: 221575182        253489
 12: 222361418        786236
 13: 222768536        407118
 14: 223969627        1201091
 15: 224367475        397848
 16: 224798348        430873
 17: 225423332        624984
 18: 226084972        661640
 19: 226447683        362711
 20: 226840931        393248
 21: 227171664        330733
 22: 227683814        512150
 23: 228052229        368415
 24: 228400381        348152
 25: 229316389        916008

mean <767415.19>
variance <269191413760.0000>
run-ups of length 1 : 8
run-ups of length 2 : 1
run-ups of length 3 : 1
run-ups of length 4 : 0
run-ups of length 5 : 0
run-ups of length 6 : 0
Chi-square test with V= -0.4400 for a run length test with 6 categories

UUCP service check

Risk Factor: Low
Complexity: Low
Popularity: Obscure
Impact: Intelligence
Root Cause: Misconfiguration
Ease of Fix: Simple

Description:

This check discerns whether the UUCP service is offered on a host. Many network connected systems are shipped with the UUCP service enabled by default. This may open up potential security problems.

Suggestion:

If you are not specifically using UUCP for mail delivery, it is highly recommended that this service be turned off. This can be achieved by editing the file /etc/inetd.conf and placing a '#' character in front of the line:

uucp stream tcp nowait uucp /usr/sbin/tcpd /usr/lib/uucp/uucico -l

which should appear as follows when turned off:

#uucp stream tcp nowait uucp /usr/sbin/tcpd /usr/lib/uucp/uucico -l

After this change has been made, inetd will have to be restarted. This can be performed by finding the process ID of inetd, and sending it a -HUP signal from the command prompt:

kill -HUP PID

Telnet Daemon TERMCAP check

Risk Factor: High
Complexity: Medium
Popularity: Widespread
Impact: System Integrity
Root Cause: Software Implementation Problems
Ease of Fix: Moderate

Description:

This check determines whether the remote telnet daemon is vulnerable to a buffer overflow attack when parsing a terminal capability file. By uploading an alternate termcap file, an attacker can specify the path to this file and cause the telnet daemon to execute arbitrary commands.

Security Concerns:

Remote attackers can obtain superuser access remotely by connecting to the telnet daemon.

Suggestion:

Upgrade your operating system to a more recent version.

SNMP Community check

Risk Factor: Medium
Complexity: Low
Popularity: Popular
Impact: Data Integrity::Authorization::Intelligence
Root Cause: Misconfiguration
Ease of Fix: Simple

Description:
This check attempts to talk to a host's SNMP server using some commonly used community names. If a successful connection is made, the community is probed to see if it is read-only or read-write.

Security Concerns:
SNMP access provides an attacker with a wide variety of information from an SNMP-enabled device. This information ranges from the type and model of the device, to active network connections, processes running on the host, and users logged into the host. SNMP write access provides an attacker with the ability to alter networking and other device parameters. An attacker with write access can alter the routing and ARP tables, bring network interfaces up and down, enable or disable packet forwarding and alter several other networking parameters. In addition, vendor extensions may provide other control parameters that an attacker can manipulate. This level of access can lead to denial of service or the compromise of security or confidential information.

Suggestion:
We suggest you correctly configure your SNMP device to only respond to internal private community names. Write access should be disabled where not needed. Packet filtering should be used to limit the hosts that can communicate with the SNMP daemon.

'public': read-only

SNMP MIB-II Miscellaneous data

Risk Factor: Low
Complexity: Low
Popularity: Popular
Impact: Intelligence
Root Cause: Misconfiguration
Ease of Fix: Trivial

Description:
This check gathers miscellaneous information from the SNMP daemon with the community name provided in the configuration file. This check retrieves information that is available to an attacker who has read access to SNMP. This check uses the community name specified in the configuration file and does not attempt to guess the community name. A separate SNMP community check is used to probe for SNMP access.

Suggestion:
If this check was successful with a common SNMP community name such as "public", we suggest you reconfigure your SNMP device to only respond to internal private community names.

System Description: Sun SNMP Agent, SPARCstation-10
System Contact: System administrator
System Name: foo
System Location: System administrators office
SNMP Uptime: 66d 21:27:45.03
Ip Forwarding: off

SNMP MIB-II UDP table

Risk Factor: Low
Complexity: Low
Popularity: Popular
Impact: Intelligence
Root Cause: Misconfiguration
Ease of Fix: Trivial

Description:
This check retrieves the table of listening UDP ports from the SNMP daemon with the community name provided in the configuration file. This check retrieves information that is available to an attacker who has read access to SNMP. This check uses the community name specified in the configuration file and does not attempt to guess the community name. A separate SNMP community check is used to probe for SNMP access.

Suggestion:
If this check was successful with a common SNMP community name such as "public", we suggest you reconfigure your SNMP device to only respond to internal private community names.

UDP Table:
0.0.0.0 0 0.0.0.0 7 0.0.0.0 9
0.0.0.0 13 0.0.0.0 19 0.0.0.0 37 0.0.0.0 42
0.0.0.0 111 0.0.0.0 161 0.0.0.0 512 0.0.0.0 514
0.0.0.0 520 0.0.0.0 2049 0.0.0.0 4045 0.0.0.0 6500
0.0.0.0 32771 0.0.0.0 32772 0.0.0.0 32773
0.0.0.0 32774 0.0.0.0 32775 0.0.0.0 32776
0.0.0.0 32777 0.0.0.0 32778 0.0.0.0 32781
0.0.0.0 32783 0.0.0.0 32786 0.0.0.0 32788
0.0.0.0 32789 0.0.0.0 32790 127.0.0.1 32787 132.229.1.11 37602

SNMP MIB-II Interface Table

Risk Factor: Low
Complexity: Low
Popularity: Popular
Impact: Intelligence
Root Cause: Misconfiguration
Ease of Fix: Trivial

Description:
This check retrieves the table of network interfaces from the SNMP daemon with the community name provided in the configuration file. This check retrieves information that is available to an attacker who has read access to SNMP. This check uses the community name specified in the configuration file and does not attempt to guess the community name. A separate SNMP community check is used to probe for SNMP access.

Suggestion:
If this check was successful with a common SNMP community name such as "public", we suggest you reconfigure your SNMP device to only respond to internal private community names.

Interface Table:
==== Index: 1
Descr: lo0  Type: Loopback  MTU: 8232  Speed: 10000000  PhysAddr: -
AdminStat: up  OperStat: up
In: 0  InDiscard: 0  InErr: 0  InUnkwn: 0
Out: 0  OutDiscard: 0  OutErr: 0  OutUnknwn: 0
==== Index: 2
Descr: le0  Type: ethernet  MTU: 1500  Speed: 10000000  PhysAddr: 08:00:20:1d:8c:91
AdminStat: up  OperStat: up
In: -1050897417  InDiscard: 57  InErr: 0  InUnkwn: 0
Out: 1059056733  OutDiscard: 0  OutErr: 217797  OutUnknwn: 0

SNMP MIB-II Address table

Risk Factor: Low
Complexity: Low
Popularity: Popular
Impact: Intelligence
Root Cause: Misconfiguration
Ease of Fix: Trivial

Description:
This check retrieves the table of IP addresses from the SNMP daemon with the community name provided in the configuration file. This check retrieves information that is available to an attacker who has read access to SNMP. This check uses the community name specified in the configuration file and does not attempt to guess the community name. A separate SNMP community check is used to probe for SNMP access.

Suggestion:
If this check was successful with a common SNMP community name such as "public", we suggest you reconfigure your SNMP device to only respond to internal private community names.

Addr Table:
iface 1 127.0.0.1 mask 255.0.0.0
iface 2 xxx.xxx.1.11 mask 255.255.255.0

SNMP MIB-II ARP table

Risk Factor: Low
Complexity: Low
Popularity: Popular
Impact: Intelligence
Root Cause: Misconfiguration
Ease of Fix: Trivial

Description:
This check retrieves the ARP table (which contains IP address to hardware address translations) from the SNMP daemon with the community name provided in the configuration file. This check retrieves information that is available to an attacker who has read access to SNMP. This check uses the community name specified in the configuration file and does not attempt to guess the community name. A separate SNMP community check is used to probe for SNMP access.

Suggestion:
If this check was successful with a common SNMP community name such as "public", we suggest you reconfigure your SNMP device to only respond to internal private community names.

Arp Table:
iface 1 xxx.xxx.1.1 aa:00:04:00:f3:71 static
iface 1 224.0.0.0 01:00:5e:00:00:00 static
iface 3 xxx.xxx.1.11 08:00:20:1d:8c:91 static

RPC Scanning Direct

Risk Factor: Medium
Complexity: High
Popularity: Obscure
Impact: Intelligence
Root Cause: Insecure Design
Ease of Fix: Infeasible

Description:
The RPC scanning direct check performs a UDP RPC scan of the remote host, attempting to find services by bypassing the portmapper or rpcbind. In many instances, the portmapper (port 111), which translates RPC program numbers to port numbers, is being filtered at an organization's filtering device or firewall. By directly scanning for RPC services, it is still possible to obtain a full listing of RPC services running on the remote host, and then contact them directly rather than querying the portmapper first. This check is unreliable over long-haul networks, due to the unreliability of the UDP transport layer. When this check is run over a long-haul network, some RPC programs which are actually running may not appear in the scan results.

Suggestion:
We suggest that you review your filtering policy and prevent any RPC traffic from entering your network. RPC has a prior history of security-related problems, and many current implementations of RPC programs contain serious security vulnerabilities.

UDP port 32786 unknown rpc
UDP port 32783 unknown rpc
UDP port 32773 program 100232 (sadmind) versions 10-10
UDP port 2049 program 100227 (nfs_acl) versions 2-3
UDP port 32778 program 100068 (cmsd) versions 2-5
UDP port 32772 program 100024 (status) versions 1-1
UDP port 4045 program 100021 (nlockmgr) versions 1-4
UDP port 32776 program 100012 (sprayd) versions 1-1
UDP port 32774 program 100011 (rquotad) versions 1-1
UDP port 32777 program 100008 (walld) versions 1-1
UDP port 32781 program 100005 (mountd) versions 1-3
UDP port 32775 program 100002 (rusersd) versions 2-3
UDP port 2049 program 100003 (nfs) versions 2-3
UDP port 111 program 100000 (portmapper) versions 2-4
UDP port 111 program 100000 (portmapper) versions 2-4
