Subject: "blank administrator password security hole" with Airport Extreme Base Station
Date: Fri, 31 Aug 2007 09:24:13 -0500
Plugin 10394 has been good for finding blank admin passwords, but one system
that has been flagged multiple times is an Apple airport extreme base
station. No other airport base station, extreme or otherwise, has been so
flagged so I believe the issue has to do with how the base station is
configured.

The user has looked at the plugin nasl as available online and I looked over
it cursorily. Nothing appears wrong there. The user has applied the most
recent firmware update to his base station with no change in behavior.

This base station does have a drive attached which is available via SMB/CIFS
so the question is not whether or not SMB is available but whether the
station is vulnerable. Complicating matters somewhat the user has disabled
the drive share in an attempt to avoid the Nessus alerts being generated so
I will need to coordinate with the user to ensure valid scanning of the
system in terms of the originally observed behavior.

It's been a while since I used the smbclient (command line) but as far as I
can tell from the terminal window output provided by the user he was able to
connect to IPC$ as "administrator" without providing a password. However the
login appears to be unprivileged (that is, ls returns an error). In
particular:

user@computer ~ $ smbclient -U administrator -N //some.system.name/IPC$
WARNING: The "printer admin" option is deprecated
Domain=[MYDOMAIN] OS=[Apple Base Station] Server=[CIFS 4.30]
smb: \> ls
ERRDOS - ERRbadpath (Directory invalid.) listing \*

                 0 blocks of size 0. 13 blocks available


It looks to me as if supplying the username "administrator" without a
password works to authenticate against the SMB/CIFS server, but as it is not
a Windows computer with an "administrator" account it lacks the privileges
that would make this truly a "hole" severity vulnerability. In fact, looking
through the full scan results again I notice 14818 (Possible GDI+
compromise) pops up as well. This one reports "It was possible to log into
the remote host with the login 'X' and a blank password." which further
suggests to me that *any* account name can be used to "login" without a
password.

I'm not sure about dependency issues, but I also note plugin 24786 (Nessus
Windows Scan not performed with admin privileges) appears to contradict
plugin 10394's assertion of admin access. Perhaps this plugin's appearance
could downgrade the reported severity of 10394? If nothing else I may use
this approach in our reporting tools.

Any thoughts on this?

Tim Doty

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
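
Added example (not part of the original post, and not Nessus code): a report post-processing step along the lines the post suggests, lowering the reported severity of plugin 10394 when plugin 24786 appears for the same host. The finding tuples, host names, the "warning" label and the severities assigned to 14818 and 24786 are constructed for illustration.

```python
from collections import defaultdict

# Plugin IDs named in the post above.
BLANK_ADMIN = 10394      # "blank administrator password"
BLANK_ANY_LOGIN = 14818  # reported login with 'X' and a blank password
NOT_ADMIN = 24786        # Windows scan not performed with admin privileges

# Constructed sample findings: (host, plugin_id, severity). This is not a
# Nessus export format; hosts and non-10394 severities are assumptions.
SAMPLE = [
    ("airport.example", 10394, "hole"),
    ("airport.example", 14818, "hole"),
    ("airport.example", 24786, "note"),
    ("winbox.example", 10394, "hole"),
]


def triage(findings):
    """Return findings as dicts, downgrading 10394 where 24786 contradicts it."""
    by_host = defaultdict(set)
    for host, plugin, _severity in findings:
        by_host[host].add(plugin)

    out = []
    for host, plugin, severity in findings:
        row = {"host": host, "plugin": plugin, "severity": severity, "reason": ""}
        seen = by_host[host]
        if plugin == BLANK_ADMIN and NOT_ADMIN in seen:
            # The scanner itself reported that its session lacked admin rights,
            # so the "blank admin password" claim is unconfirmed for this host.
            row["severity"] = "warning"  # assumed label for the lowered level
            row["reason"] = "24786 on same host: session was not privileged"
            if BLANK_ANY_LOGIN in seen:
                row["reason"] += "; 14818 suggests any login name is accepted"
            row["reason"] += "; verify manually"
        out.append(row)
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["host"], r["plugin"], r["severity"], r["reason"])
```

A host that reports 10394 without 24786 keeps its original severity, so a genuine blank administrator password is not hidden by the rule.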