Network Security Nessus-Users
understanding reports

Subject: understanding reports
Date: Mon, 24 Jan 2005 10:09:23 -0800 (PST)
hi,

i'm beginning to scan machines and stare at the report output ... and 
trying to correlate operating systems with vulnerabilities.

i have a colleague running a loaded SuSE 8.2 box, complete with lots of
services and not many patches ... makes for a great test bed!  i fired up
Nessus (2.2.2a), enabled *all* plugins, disabled 'safe checks', and let
her rip.  the report says "35 Holes" ... fruitful territory indeed!

i can see various Apache vulnerabilities ... CGI ones, yes, i can see 
those ... sendmail ... yes ... SNMP ... yes ...

but then ... i notice that some of the vulnerabilities *seem* to be 
OS-specific ... and don't match the OS of this box.  for example, this 
scan shows this box as being vulnerable to both IIS and Darwin 
vulnerabilities ...

poking thru the list archives, i can see a number of discussions around 
this, which i would summarize as follows:

-sometimes a vulnerability is *first* discovered (and a plugin written) 
under one application/OS combination (say, IIS/Windows), and *later* 
replicated, either precisely or generally, in other combinations (perhaps, 
Apache/Linux).  so the plugin reports an IIS/Windows vulnerability ... but 
in fact ... this vulnerability, or something similar to it, is found more 
widely.

-sometimes plugins just make mistakes ... they misinterpret what they are
seeing.  [hey, i'm not complaining here ... my code does that, too!]


do i understand this issue correctly?  or would anyone offer a different 
interpretation of what i'm seeing?

i include details of this particular scan below, and attach a full copy.

--sk

stuart kendrick
fhcrc



[...]
ndmp (10000/tcp)

High

There is a buffer overflow in the remote IIS web server.
It is possible to overflow the remote Web server and execute
commands as the SYSTEM user.

An attacker may make use of this vulnerability and use it to
gain access to confidential data and/or escalate their privileges
on the Web server.

See http://www.eeye.com/html/Research/Advisories/AD20010501.html
for more details.

Solution: See 
http://www.microsoft.com/technet/security/bulletin/ms01-023.mspx

Risk factor : High
CVE : CVE-2001-0241
BID : 2674
[...]


[...]
ndmp (10000/tcp)

High

IIS comes with the sample site 'ExAir'. Unfortunately,
one of its pages, namely /iissamples/exair/search/advsearch.asp, may
be used to make IIS hang, thus preventing it from answering legitimate
client requests.

Solution : Delete the 'ExAir' sample IIS site.

Risk factor : High
CVE : CVE-1999-0449
BID : 193
[...]



[...]
ndmp (10000/tcp)

High

Cross site scripting, buffer overflow and remote command
execution on QuickTime/Darwin Streaming Administration
Server.

This is due to parsing problems with the Perl script:
parse_xml.cgi.

The worst of these vulnerabilities allows for remote
command execution usually as root or administrator.

These servers are installed by default on port 1220.

See:
http://www.atstake.com/research/advisories/2003/a022403-1.txt

Solution: Obtain a patch or new software from Apple or
block this port (TCP 1220) from internet access.

*** Nessus reports this vulnerability using only
*** information that was gathered. Only the existence
*** of the potentially vulnerable cgi script was tested.

Risk factor : High
CVE : CAN-2003-0050, CAN-2003-0051, CAN-2003-0052, CAN-2003-0053, 
CAN-2003-0054, CAN-2003-0055
BID : 6954, 6955, 6956, 6957, 6958, 6960, 6990
[...]


Attachment: full-of-holes.txt
Description: Text document

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
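The triage the poster is doing by eye (which of the 35 "holes" on port 10000 name a platform this SuSE box cannot be, and which ones the plugin itself admits were inferred from the mere presence of a CGI path) can be mechanised. The script below is an added example written for this page, not code from Nessus or from the poster; the sample report is constructed from the three excerpts quoted above, and the platform keyword lists (PLATFORM_HINTS) and the verdict labels are the author's own assumptions, not Nessus conventions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three findings quoted in the post, in Nessus 2.x
# text-report form (findings separated by "[...]" exactly as in the post).
SAMPLE_REPORT = """\
[...]
ndmp (10000/tcp)

High

There is a buffer overflow in the remote IIS web server.
It is possible to overflow the remote Web server and execute
commands as the SYSTEM user.

Solution: See
http://www.microsoft.com/technet/security/bulletin/ms01-023.mspx

Risk factor : High
CVE : CVE-2001-0241
BID : 2674
[...]
ndmp (10000/tcp)

High

IIS comes with the sample site 'ExAir'. Unfortunately,
one of its pages, namely /iissamples/exair/search/advsearch.asp, may
be used to make IIS hang.

Solution : Delete the 'ExAir' sample IIS site.

Risk factor : High
CVE : CVE-1999-0449
BID : 193
[...]
ndmp (10000/tcp)

High

Cross site scripting, buffer overflow and remote command
execution on QuickTime/Darwin Streaming Administration
Server.

*** Nessus reports this vulnerability using only
*** information that was gathered. Only the existance
*** of the potentially vulnerable cgi script was tested.

Risk factor : High
CVE : CAN-2003-0050, CAN-2003-0051, CAN-2003-0052, CAN-2003-0053,
CAN-2003-0054, CAN-2003-0055
BID : 6954, 6955, 6956, 6957, 6958, 6960, 6990
[...]
"""

PORT_RE = re.compile(r"^(?P<svc>\S+) \((?P<port>\d+)/(?P<proto>tcp|udp)\)[ \t]*$", re.M)
RISK_RE = re.compile(r"^Risk factor\s*:\s*(\w+)", re.M)
CVE_RE = re.compile(r"\b(?:CVE|CAN)-\d{4}-\d{4,}\b")
BID_RE = re.compile(r"^BID\s*:\s*(.+?)$", re.M)

# Assumed keyword lists: words in a plugin's own text that betray the platform
# the check was written for. Extend per environment.
PLATFORM_HINTS = {
    "windows": re.compile(r"\b(?:IIS|Microsoft|Windows|SYSTEM user|MS\d{2}-\d{3})\b|\.asp\b", re.I),
    "darwin": re.compile(r"\b(?:Darwin|QuickTime|Apple|Mac OS X?)\b", re.I),
    "linux": re.compile(r"\b(?:Linux|SuSE|Red ?Hat|Debian)\b", re.I),
}
# Nessus's own disclaimer for banner/path-existence-only checks.
EXISTENCE_ONLY = re.compile(r"reports this vulnerability using only|only the exist[ae]nce\W+of", re.I)


@dataclass
class Finding:
    service: str
    port: int
    proto: str
    severity: str
    text: str
    cves: list
    bids: list


@dataclass
class Triage:
    verdict: str          # assumed labels: likely-false-positive / verify-manually / review
    mismatched: list      # platforms named by the plugin that are not the host's
    existence_only: bool  # plugin says it only checked that a path/banner exists


def parse_report(text):
    """Split a Nessus 2.x text report into Finding records."""
    findings = []
    for block in re.split(r"^\[\.\.\.\][ \t]*$", text, flags=re.M):
        m = PORT_RE.search(block)
        if not m:
            continue
        body = block[m.end():]
        risk = RISK_RE.search(body)
        desc = body[:risk.start()] if risk else body
        lines = [ln for ln in desc.splitlines() if ln.strip()]
        severity = lines[0].strip() if lines else ""
        cves = list(dict.fromkeys(CVE_RE.findall(body)))  # dedupe, keep order
        bm = BID_RE.search(body)
        bids = [int(x) for x in re.findall(r"\d+", bm.group(1))] if bm else []
        findings.append(Finding(m["svc"], int(m["port"]), m["proto"],
                                severity, "\n".join(lines[1:]), cves, bids))
    return findings


def triage(finding, host_os):
    """Flag findings whose plugin text targets a platform other than host_os."""
    hinted = {name for name, rx in PLATFORM_HINTS.items() if rx.search(finding.text)}
    mismatched = sorted(hinted - {host_os})
    existence_only = bool(EXISTENCE_ONLY.search(finding.text))
    if mismatched and host_os not in hinted:
        verdict = "likely-false-positive"
    elif existence_only:
        verdict = "verify-manually"
    else:
        verdict = "review"
    return Triage(verdict, mismatched, existence_only)


if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT):
        t = triage(f, "linux")
        print(f"{f.service}:{f.port}/{f.proto} {f.severity:5} {t.verdict:22} "
              f"mismatch={t.mismatched} existence_only={t.existence_only} cve={f.cves[0]}")
```

Run against the poster's full attachment with the host's real OS, this sorts the IIS and Darwin entries on port 10000 into the "likely-false-positive" bucket and keeps the Apache, sendmail and SNMP ones for review; it does not prove a finding false, it only orders the manual verification the poster is already doing.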