
CA License vulnerability plugin

Subject: CA License vulnerability plugin
Date: Wed, 23 Mar 2005 18:22:20 +0100
Hello

I am having trouble with that plugin, as I am trying to check which machines 
are really vulnerable.

I launched it against some Unix servers and got 1 vulnerable on port 10203 
and one not vulnerable with port 10203 open.
I checked as indicated by the CA site
( http://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp ):

quazar# strings /opt/CA/ca_lic/licrmt | grep BUILD
LICAGENT BUILD INFO = /1.0.18/Jul 24 2003/17:52:23

frillsrm02p#  strings /opt/CA/ca_lic/licrmt | grep BUILD
LICAGENT BUILD INFO = /1.0.18/Jul 24 2003/17:52:23

I then tried a telnet on port 10203, issued "A0 GETCONFIG SELF 0 <EOM>", 
and got this:

Quazar:

A0 GCR HOSTNAME<QUAZAR>
HARDWARE<Unknown>LOCALE<unknown>
IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>
OS<SunOS 5.8>OLFFILE<0 0 0>SERVER<RMT>
VERSION<3 1.53>
NETWORK<155.132.26.73 sxb.bsf.alcatel.fr 255.255.252.0>
MACHINE<SUN_SUNW.Ultra-5.10_1_*>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 
0>RMTV<1.00><EOM> 

Frillsrm02p:

A0 GCR HOSTNAME<FRILLSRM02P>
HARDWARE<Unknown>LOCALE<unknown>
IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>
OS<SunOS 5.8>OLFFILE<0 0 0>SERVER<RMT>
VERSION<3 1.53>
NETWORK<155.132.24.237 sxb.bsf.alcatel.fr255.255.254.0>
MACHINE<SUN_SUNW.Sun-Fire-V440_4_*>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 
0>RMTV<1.00><EOM>

A second Nessus test on these two machines said "not vulnerable" for 
both, with TCP port 10203 open.

According to CA the /1.0.18/ build should be vulnerable (1.0.15 to 1.4.6), 
and given the date of the build, that seems normal.

I think that the Nessus plugin is baffled by the space between 3 and 1.53.

Moreover, the version issued by the A0 GETCONFIG command does not seem to be 
related to the LICAGENT version.

Can you help me determine exactly which machines are vulnerable or 
not?

I was not able to do the same test on a Windows machine: the telnet did 
not answer the request.

Cordialement / Mit freundlichen Grüßen / Best regards,
Patrice Arnal 
ISS - DataCenter - E&S 
Alcatel ICT Services 

1rte Dr A.Schweitzer - 67408 - ILLKIRCH - FRANCE 
Phone : +33 (0) 3 90 67 74 22 / 2187 74 22
Fax : +33 (0) 3 90 67 72 07
Mobile: +33 (0) 6 06 07 67 68 08
Mailto: patrice.arnal@alcatel.fr 
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
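
An added example (not part of the original post, and not the Nessus plugin's code): a Python parser for the GETCONFIG reply format quoted in the message, plus a check of the `strings` build line against the 1.0.15 to 1.4.6 range the post attributes to CA. The sample data is constructed from the output quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: part of the GETCONFIG reply quoted in the post for
# QUAZAR, keeping the mail line wrap inside the CHECKSUMS field.
SAMPLE_GCR = """A0 GCR HOSTNAME<QUAZAR>
HARDWARE<Unknown>LOCALE<unknown>
OS<SunOS 5.8>OLFFILE<0 0 0>SERVER<RMT>
VERSION<3 1.53>
MACHINE<SUN_SUNW.Ultra-5.10_1_*>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0
0>RMTV<1.00><EOM>"""
SAMPLE_BUILD = "LICAGENT BUILD INFO = /1.0.18/Jul 24 2003/17:52:23"

# Affected build range as stated in the post (attributed there to CA).
AFFECTED_MIN, AFFECTED_MAX = (1, 0, 15), (1, 4, 6)

FIELD_RE = re.compile(r"([A-Z0-9]+)<([^<>]*)>")
BUILD_RE = re.compile(r"LICAGENT BUILD INFO = /(\d+)\.(\d+)\.(\d+)/")


def parse_gcr(reply):
    """Return the KEY<value> fields of a GCR reply as a dict."""
    flat = " ".join(reply.split())  # undo line wraps, collapse whitespace
    if not flat.endswith("<EOM>"):
        raise ValueError("reply is not terminated by <EOM>")
    return dict(FIELD_RE.findall(flat))


def version_tokens(fields):
    """Split VERSION on whitespace; the quoted replies carry two tokens."""
    return fields.get("VERSION", "").split()


def build_in_affected_range(strings_line):
    """True/False for a LICAGENT build line, None if no build is found."""
    m = BUILD_RE.search(strings_line)
    if m is None:
        return None
    build = tuple(int(part) for part in m.groups())
    return AFFECTED_MIN <= build <= AFFECTED_MAX


if __name__ == "__main__":
    fields = parse_gcr(SAMPLE_GCR)
    print("host:", fields["HOSTNAME"], "os:", fields["OS"])
    print("VERSION tokens:", version_tokens(fields))
    print("build in affected range:", build_in_affected_range(SAMPLE_BUILD))
```

The VERSION field is returned as two separate tokens rather than one dotted number, and the affected-range decision is taken from the on-disk build string, which is the value the post says CA's notice refers to.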