We've enabled the following signatures for a limited scan that's
constantly running of subnets on our campus:
* 10343 - MySQL accepts any password
* 10673 - Microsoft's SQL Blank Password
* 11412 - IIS : WebDAV Overflow (MS03-007)
* 11808 - MS Windows RPC buffer overrun
* 11835 - MS Windows RPC buffer overrun
* 11841 - sadmind command execution
* 12080 - FTP Serv-U Server MDTM Stack Overflow Vulnerability
* 12204 - Microsoft Hotfix for KB835732 IIS SSL check
* 12638 - DistCC Detection
* 16232 - VERITAS Backup Exec Agent Browser Remote BO Vulnerability
* 16326 - SMB remote code execution
* 16390 - BrightStor ARCserve/Enterprise Backup Default Account
We've been experiencing a large number of false positives for ID 11412 on
3com switches that's got me confused. As far as I can tell, the following
nasl could should skip any non-IIS servers:
-----snip from iis_webdav_overflow.nasl------
port = get_http_port(default:80);
sig = get_kb_item("www/hmap/" + port + "/description");
if ( sig && "IIS" >!< sig ) exit(0);
-----snip from iis_webdav_overflow.nasl------
It's apparently not working. Here's a sample transaction with one of
those switches that shows it definitely isn't running IIS:
$ echo -e 'GET / HTTP/1.0\nHOST: 10.227.141.240\n\n'|nc 10.aa.bb.cc 80
HTTP/1.0 401 Unauthorized
Server: 3Com/v1.0
WWW-Authenticate:Basic realm="device"
We've had it happen on a half dozen switches around campus now. Any
ideas?
--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
