Network Security Nessus-Users
Re: Nessus Digest, Vol 49, Issue 8

Subject: Re: Nessus Digest, Vol 49, Issue 8
Date: Thu, 15 Nov 2007 10:54:43 +0530
Hi, I am a network administrator in my organization. I want to use a
Nessus NASL script for finding out network shares in my local area
network. But the problem is that the Nessus script for SMB shares is
dependent on other Nessus scripts like

netbious-name_get.nasl
smb_login.nasl
cifs445.nasl
smbnativlanman.nasl
logins.nasl
find_service.nasl

All these Nessus plugins are inter-dependent.

Can somebody help me find a way so that I can scan open
shares with NASL?


Thank you.


On Nov 14, 2007 10:30 PM,  <nessus-request@list.nessus.org> wrote:
Send Nessus mailing list submissions to
        nessus@list.nessus.org

To subscribe or unsubscribe via the World Wide Web, visit
        http://mail.nessus.org/mailman/listinfo/nessus
or, via email, send a message with subject or body 'help' to
        nessus-request@list.nessus.org

You can reach the person managing the list at
        nessus-owner@list.nessus.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Nessus digest..."


Today's Topics:

   1. Vista and MS06-035, MS06-040 (Doty, Timothy T.)
   2. Re: Vista and MS06-035, MS06-040 (Renaud Deraison)
   3. Re: Nikto on Nessus 3 Client? (Ramos, Jaime J.)
   4. LDAP allows anonymous binds (PJ Bender)
   5. Re: Nikto on Nessus 3 Client? (George A. Theall)
   6. Re: LDAP allows anonymous binds (George A. Theall)
   7. implications/feasibility of running nessus with higher
      privilege levels  (SantoshKumar_Mishra)
   8. Re: implications/feasibility of running nessus with higher
      privilege levels (Doug Nordwall)
   9. Plugin 26919 (Nelson, C.M.)
  10. Re: LDAP allows anonymous binds (Mike.Vasquez@cityofmesa.org)
  11. Re: Plugin 26919 (Ron Gula)


----------------------------------------------------------------------

Message: 1
Date: Tue, 13 Nov 2007 11:49:36 -0600
From: "Doty, Timothy T." <tdoty@umr.edu>
Subject: Vista and MS06-035, MS06-040
To: <Nessus@list.nessus.org>
Message-ID:
        <400F112177526C4589D2971B414956675DD4@MST-VMAIL3.srv.mst.edu>
Content-Type: text/plain; charset="us-ascii"

I have at least one system on our network that is reported as being
vulnerable to MS06-035 and MS06-040. However, the computer is supposedly
running Vista which is not listed as being affected. All I've managed to
find with Google is an indication that Vista beta 2 build 5381 didn't crash
so that Vista may be unaffected.

Is there any more information?

Tim Doty
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7362 bytes
Desc: not available
Url : http://mail.nessus.org/pipermail/nessus/attachments/20071113/2eade36a/attachment-0001.bin

------------------------------

Message: 2
Date: Tue, 13 Nov 2007 18:53:58 +0100
From: Renaud Deraison <deraison@nessus.org>
Subject: Re: Vista and MS06-035, MS06-040
To: Nessus List <Nessus@list.nessus.org>
Message-ID: <4517BC4A-9C02-4E9F-B29A-06C9683E27E4@nessus.org>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed


Hi Tim,

On Nov 13, 2007, at 6:49 PM, Doty, Timothy T. wrote:

I have at least one system on our network that is reported as being
vulnerable to MS06-035 and MS06-040. However, the computer is
supposedly
running Vista which is not listed as being affected. All I've
managed to
find with Google is an indication that Vista beta 2 build 5381
didn't crash
so that Vista may be unaffected.

Is there any more information?

The plugins should not have fired, since the remote host is running
Vista. Could you send us the kb of the tested host ?


                                -- Renaud


------------------------------

Message: 3
Date: Tue, 13 Nov 2007 11:06:51 -0800
From: "Ramos, Jaime J." <jjramos@pelco.com>
Subject: Re: Nikto on Nessus 3 Client?
To: <theall@tenablesecurity.com>
Cc: nessus@list.nessus.org
Message-ID:
        <609E6C541B96344484A45ED7B6275D7A0384322E@CA-EVS02.pelco.org>
Content-Type: text/plain; charset="us-ascii"

There is no option as you described under the "Advanced" tab. The only
option I see under "Advanced" regarding Nikto is:

1.    Under the top drop-down box
2.    Select HTTP NIDS evasion
3.    At the bottom of window there is "Random case sensitivity (Nikto only)"

      Nessus Client v3.0.0 (build 2G161_Q)

I described my setup incorrectly; I corrected it below...

**************************

I'm having problems obtaining a Nikto Report from the NessusClient
v3.0.0 (GUI)

.... Here's the setup:   Scanning an XP SP2 machine w/ IIS.

Nessus 3.0.6 Build 283 for Linux on my CentOS 4.4 machine with Nikto
integration.

NessusClient v3.0.0 on the CentOS and XP SP2 machines

Nessus Console v.1.4.5 on a Win XP SP2 machine.

I can run a scan from the XP SP2 machine using the Nessus Console 1.4.5
and the report will show the "Nikto Report" just fine but I do not get
anything that even looks like a Nikto report when scanning from the
CentOS or XP machine using the NessusClient v3.0.0

NessusClient v3.0.0

Using the Default policy I enabled all plugins (saw Nikto there and
checked it), CGI scanning, thorough and experimental scanning.

If you need any additional information let me know...

****Your reply was...Under the "Advanced" tab, select the "Nikto (NASL
wrapper)" pull-down and make sure "Enable Nikto" is checked.

George
--
theall@tenablesecurity.com


Jaime Ramos
Engineering
OEM-NST
559-292-1981
ex: 6215


Confidentiality Notice:
The information contained in this transmission is legally
privileged and confidential, intended only for the use of the
individual(s) or entities named above. This email and any files
transmitted with it are the property of Pelco. If the reader of
this message is not the intended recipient, or an employee or agent
responsible for delivering this message to the intended recipient,
you are hereby notified that any review, disclosure, copying,
distribution, retention, or any action taken or omitted to be taken
in reliance on it is prohibited and may be unlawful. If you receive
this communication in error, please notify us immediately by
telephone call to +1-559-292-1981 or forward the e-mail to
administrator@pelco.com and then permanently delete the e-mail and
destroy all soft and hard copies of the message and any
attachments. Thank you for your cooperation.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.nessus.org/pipermail/nessus/attachments/20071113/6658b43c/attachment-0001.html

------------------------------

Message: 4
Date: Tue, 13 Nov 2007 09:30:15 -0800
From: "PJ Bender" <PBender@bannerbank.com>
Subject: LDAP allows anonymous binds
To: <nessus@list.nessus.org>
Message-ID:
        <FB0DACE37FB9FB4C8EDD7FAEAA8B28CA0D48C5@SVEXC000010.corp.bannerbank.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi,
  When Nessus was run against our two Domain Controllers, we received the 
following report:
Synopsis: It is possible to disclose LDAP information.

Description: Improperly configured LDAP servers will allow any user to 
connect to
the server and query it for information.

Solution: Disable NULL BIND on your LDAP server

Risk Factor : Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE : CVE-1999-0385
BID : 503
Now when we look for a method to disable the null bind on our LDAP server, we 
are directed to a Microsoft update for MS Exchange 5.5. Since we do use 
Exchange 5.5, I don't think it is this problem.
Can someone let me know where I can go to find a method(s) to disable the 
null bind on my Windows 2003 LDAP server(s)?
Thank you


P. J.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.nessus.org/pipermail/nessus/attachments/20071113/99dece10/attachment-0001.html

------------------------------

Message: 5
Date: Tue, 13 Nov 2007 16:08:17 -0500
From: "George A. Theall" <theall@tenablesecurity.com>
Subject: Re: Nikto on Nessus 3 Client?
To: nessus@list.nessus.org
Message-ID: <473A1241.1060705@tenablesecurity.com>
Content-Type: text/plain; charset=windows-1252; format=flowed

On 11/13/07 14:06, Ramos, Jaime J. wrote:

 There is no option as you described under the "Advanced" tab. The only
option I see under "Advanced" regarding Nikto is:
...
3.    At the bottom of window there is "Random case sensitivity (Nikto only)"

Really? If that's true, you must be connecting to a Nessus 2.x server as
plugin #10890 (http_ids_evasion.nasl) is disabled in Nessus 3.x.


George
--
theall@tenablesecurity.com


------------------------------

Message: 6
Date: Tue, 13 Nov 2007 21:52:10 -0500
From: "George A. Theall" <theall@tenablesecurity.com>
Subject: Re: LDAP allows anonymous binds
To: nessus@list.nessus.org
Message-ID: <473A62DA.7090001@tenablesecurity.com>
Content-Type: text/plain; charset=windows-1252; format=flowed

On 11/13/07 12:30, PJ Bender wrote:

  When Nessus was run against our two Domain Controllers, we received
the following report:

*Synopsis*: It is possible to disclose LDAP information.
...
*Solution*: Disable NULL BIND on your LDAP server
...
 I don't think it is this problem.

FWIW, the plugin actually tries to query a server without authenticating
(ie, a "NULL BIND") and checks for a response. So it might be useful to
capture packets to/from the affected LDAP services and see what is being
returned.

Can someone let me know where I can go to find a method(s) to disable
the null bind on my Windows 2003 LDAP server(s)?

Have you searched Microsoft's site? For example: check out the
discussion of "dsHeuristics" in:

   http://support.microsoft.com/kb/326690/

George
--
theall@tenablesecurity.com


------------------------------

Message: 7
Date: Wed, 14 Nov 2007 13:01:05 +0530
From: "SantoshKumar_Mishra" <SantoshKumar_Mishra@satyam.com>
Subject: implications/feasibility of running nessus with higher
        privilege levels
To: <nessus@list.nessus.org>
Message-ID:
        <6B3162E26E189F4EB74B8FB9345ED4FD050F65C1@certsrv.satyam.com>
Content-Type: text/plain; charset="iso-8859-1"

Dear All,

Can you please suggest the implications/feasibility of running nessus with 
higher privilege levels which include 'local checks'.

Appreciate if can reply a bit early.



Thanks,

Santosh




DISCLAIMER:
This email (including any attachments) is intended for the sole use of the 
intended recipient/s and may contain material that is CONFIDENTIAL AND 
PRIVATE COMPANY INFORMATION. Any review or reliance by others or copying or 
distribution or forwarding of any or all of the contents in this message is 
STRICTLY PROHIBITED. If you are not the intended recipient, please contact 
the sender by email and delete all copies; your cooperation in this regard is 
appreciated.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.nessus.org/pipermail/nessus/attachments/20071114/6b7e6c8b/attachment-0001.html

------------------------------

Message: 8
Date: Wed, 14 Nov 2007 06:00:56 -0800
From: "Doug Nordwall" <raleel@gmail.com>
Subject: Re: implications/feasibility of running nessus with higher
        privilege levels
To: SantoshKumar_Mishra <SantoshKumar_Mishra@satyam.com>
Cc: nessus@list.nessus.org
Message-ID:
        <752305c00711140600j644f0d77o2502cd0f6105061@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Well, I'm not sure exactly in what context you are "running nessus" from. If
you are referring to running the local checks as someone with higher
privileges, then I can say that is how they are designed to run. Most of the
information that comes out of them is supposed to be administrator/root
level.

If you are talking about running the client as root, then it's not a big
deal. I've done it.

The server needs to be run as root, IIRC.

On Nov 13, 2007 11:31 PM, SantoshKumar_Mishra <
SantoshKumar_Mishra@satyam.com> wrote:

Dear All,

Can you please suggest the implications/feasibility of running nessus
with higher privilege levels which include 'local checks'.

Appreciate if can reply a bit early.



 Thanks,

Santosh




_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus




--
Doug Nordwall
Unix, Network, and Security Administrator
You mean the vision is subject to low subscription rates?!!? - Scott Stone,
on MMORPGs
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.nessus.org/pipermail/nessus/attachments/20071114/489fc7ef/attachment-0001.html

------------------------------

Message: 9
Date: Wed, 14 Nov 2007 14:50:00 -0000
From: "Nelson, C.M." <cmn@leicester.ac.uk>
Subject: Plugin 26919
To: <Nessus@list.nessus.org>
Message-ID:
        <9B71985304C4914AACE30A5BD6A087710A895AEC@sumac.cfs.le.ac.uk>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

Plugin 26919 says:

........
Synopsis : It is possible to log into the remote host. Description : The 
remote host is running one of the Microsoft Windows operating systems. It was 
possible to log into it as a guest user using a random account.

In the group policy change the setting for 'Network access: Sharing and 
security model for local accounts' from 'Guest only - local users 
authenticate as Guest' to 'Classic - local users authenticate as themselves'. 
/ CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
........


Could someone explain what the significance or seriousness of this is? Does 
it suggest a remote or local exploit is possible? If so what can be achieved 
and how can I confirm that the report is correct?

--
Carl Nelson,
Information Security Office,
IT Services,
University of Leicester, Leicester, LE1 7RH, U.K.
Tel: +44 (0)116 252 2060, Fax: +44 (0)116 252 5027


------------------------------

Message: 10
Date: Wed, 14 Nov 2007 08:35:18 -0700
From: Mike.Vasquez@cityofmesa.org
Subject: Re: LDAP allows anonymous binds
To: nessus@list.nessus.org
Message-ID:
        <OF127AC5B3.63A18A4E-ON07257393.0054BDDC-07257393.0055A100@cityofmesa.org>
Content-Type: text/plain; charset="iso-8859-1"

I did some research on the issue and the information for me was
inconclusive --

I found this post:
http://www.derkeiler.com/Newsgroups/microsoft.public.win2000.security/2005-10/0239.html

Date: Wed, 19 Oct 2005 12:07:35 -0400

You can't disable anonymous/NULL bind. LDAP V3 requires it for the
rootdse.
However, a null bind doesn't necessarily give you access to domain or
config
data. In fact, if you are running Windows Server 2003 AD you have to
specifically enable anonymous access on the ACLs to retrieve data

Here's a kb article about anonymous ldap operations:
http://support.microsoft.com/kb/326690
Anonymous LDAP operations to Active Directory are disabled on Windows
Server 2003 domain controllers

SUMMARY
By default, anonymous Lightweight Directory Access Protocol (LDAP)
operations to Active Directory, other than rootDSE searches and binds, are
not permitted in Microsoft Windows Server 2003.

There's another nice article here:
http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm

Based on that information, I'm not convinced it's a great concern on
Win2k3.  I would be interested in the impact of disabling it, per the
information provided.  I'm a bit concerned about the possible fallout from
a change.

Thanks,

Mike




"George A. Theall" <theall@tenablesecurity.com>
Sent by: nessus-bounces@list.nessus.org
11/13/2007 07:52 PM

To: nessus@list.nessus.org
cc:
Subject: Re: LDAP allows anonymous binds

On 11/13/07 12:30, PJ Bender wrote:

  When Nessus was run against our two Domain Controllers, we received
the following report:

*Synopsis*: It is possible to disclose LDAP information.
...
*Solution*: Disable NULL BIND on your LDAP server
...
 I don't think it is this problem.

FWIW, the plugin actually tries to query a server without authenticating
(ie, a "NULL BIND") and checks for a response. So it might be useful to
capture packets to/from the affected LDAP services and see what is being
returned.

Can someone let me know where I can go to find a method(s) to disable
the null bind on my Windows 2003 LDAP server(s)?

Have you searched Microsoft's site? For example: check out the
discussion of "dsHeuristics" in:

   http://support.microsoft.com/kb/326690/

George
--
theall@tenablesecurity.com
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.nessus.org/pipermail/nessus/attachments/20071114/c0cae2fd/attachment-0001.html

------------------------------

Message: 11
Date: Wed, 14 Nov 2007 11:13:57 -0500
From: Ron Gula <rgula@tenablesecurity.com>
Subject: Re: Plugin 26919
To: "Nelson, C.M." <cmn@leicester.ac.uk>
Cc: Nessus@list.nessus.org
Message-ID: <473B1EC5.3050808@tenablesecurity.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi Carl,

From where you performed your Nessus scan against this Windows host,
anyone with network access to that system can log into it with a bogus
account.

If this system is outside of a firewall or reachable by just about
anyone in your organization, this could be a serious problem for you. If
you had to go through extraordinary effort to scan this box (plug in to
a DMZ, get the IT guys to open firewall ports, etc.) this is something
that should be fixed, but won't be as serious.

If your system has any other vulnerabilities, such as a locally
exploitable vulnerability, it may be possible for a remote user to
connect with a guest account and then attempt to become an
administrator. Of course, if the system isn't really hardened, a guest
account might be all the access that a remote user would need to read
files, install a backdoor, turn the system into a bot, launch attacks
against other systems and so on.

To verify that remote access is allowed by this host, you could try
using the smbshell tool from Tenable:

http://cgi.tenablesecurity.com/tenable/smbshell.php

Keep in mind that Windows has many different types of access control for
file access and program execution. The plugin said that it could log in.
Your IT people may have put some level of security or hardening for
'Guest' users or they may not have.

Ron Gula
Tenable Network Security



Nelson, C.M. wrote:
Hi,

Plugin 26919 says:

........
Synopsis : It is possible to log into the remote host. Description : The 
remote host is running one of the Microsoft Windows operating systems. It 
was possible to log into it as a guest user using a random account.

In the group policy change the setting for 'Network access: Sharing and 
security model for local accounts' from 'Guest only - local users 
authenticate as Guest' to 'Classic - local users authenticate as 
themselves'. / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
........


Could someone explain what the significance or seriousness of this is? Does 
it suggest a remote or local exploit is possible? If so what can be 
achieved and how can I confirm that the report is correct?

--
Carl Nelson,
Information Security Office,
IT Services,
University of Leicester, Leicester, LE1 7RH, U.K.
Tel: +44 (0)116 252 2060, Fax: +44 (0)116 252 5027
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus




------------------------------

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus

End of Nessus Digest, Vol 49, Issue 8
*************************************

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
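Added example for the "LDAP allows anonymous binds" thread (messages 4, 6 and 10 above). This is not list or Tenable plugin code; it is a small, self-contained LDAPv3 client written from RFC 4511 that does what George describes (bind without authenticating and look at what comes back) and then makes the distinction Mike's research turns on: it reads the rootDSE, which LDAPv3 servers answer anonymously, and separately tries to read a naming context, which a Windows Server 2003 DC in the default state KB 326690 describes should refuse. Assumptions: the host, port and `base_dn` are whatever the caller passes (placeholders such as `dc01.example.test` are not on the page); `socket.MSG_WAITALL` is used for framing, so the network part expects POSIX semantics; the sample responses in the tests are constructed, not captured from a real DC.

```python
import socket

def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def integer(n, tag=0x02):                 # tag 0x0A encodes an ENUMERATED instead
    return tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def octets(s):
    return tlv(0x04, s.encode())

def bind_request(msg_id=1):
    """LDAPv3 simple bind with empty DN and empty password: the NULL bind."""
    return tlv(0x30, integer(msg_id) + tlv(0x60, integer(3) + octets("") + tlv(0x80, b"")))

def search_request(msg_id, base_dn, attrs):
    """baseObject-scope search of base_dn, filter (objectClass=*), asking for attrs."""
    op = (octets(base_dn) + integer(0, 0x0A) + integer(0, 0x0A)   # scope=base, deref=never
          + integer(0) + integer(0) + tlv(0x01, b"\x00")          # no limits, typesOnly=FALSE
          + tlv(0x87, b"objectClass")                             # present filter, tag [7]
          + tlv(0x30, b"".join(octets(a) for a in attrs)))
    return tlv(0x30, integer(msg_id) + tlv(0x63, op))

def read_tlv(buf, pos=0):
    """Parse one BER element at buf[pos]; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_message(msg):
    """(message_id, kind, result_code, attrs): kind is "result", "entry" or "other"."""
    _, body, _ = read_tlv(msg)
    _, mid, pos = read_tlv(body)
    msg_id = int.from_bytes(mid, "big")
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag in (0x61, 0x65):                  # BindResponse / SearchResultDone: resultCode first
        _, code, _ = read_tlv(op)
        return msg_id, "result", int.from_bytes(code, "big"), {}
    if op_tag != 0x64:                          # anything but SearchResultEntry
        return msg_id, "other", None, {}
    _, _dn, pos = read_tlv(op)                  # objectName, then the attribute list
    _, attr_seq, _ = read_tlv(op, pos)
    attrs, pos = {}, 0
    while pos < len(attr_seq):                  # SEQUENCE OF { type, SET OF values }
        _, pair, pos = read_tlv(attr_seq, pos)
        _, name, p = read_tlv(pair)
        _, vals, _ = read_tlv(pair, p)
        values, q = [], 0
        while q < len(vals):
            _, v, q = read_tlv(vals, q)
            values.append(v.decode(errors="replace"))
        attrs[name.decode()] = values
    return msg_id, "entry", None, attrs

def _recv_exact(sock, n):
    data = sock.recv(n, socket.MSG_WAITALL)     # POSIX: block until n bytes or EOF
    if len(data) < n:
        raise ConnectionError("LDAP server closed the connection")
    return data

def recv_message(sock):
    """Read exactly one BER-framed LDAPMessage off the socket."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        head += _recv_exact(sock, length & 0x7F)
        length = int.from_bytes(head[2:], "big")
    return head + _recv_exact(sock, length)

def _search(sock, msg_id, base_dn, attrs):
    sock.sendall(search_request(msg_id, base_dn, attrs))
    entries = []
    while True:                                 # entries arrive until SearchResultDone
        _, kind, code, found = decode_message(recv_message(sock))
        if kind == "entry":
            entries.append(found)
        elif kind == "result":
            return code, entries

def probe(host, port=389, base_dn=""):
    """NULL bind, read the rootDSE, then (if base_dn is given) read that object.
    Compare the two result codes: a DC that answers only the first is in the
    default state KB 326690 describes; entries back from the second mean
    directory data really is readable without credentials."""
    report = {}
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(bind_request(1))
        _, _, report["bind"], _ = decode_message(recv_message(sock))
        report["rootdse"], report["rootdse_entries"] = _search(sock, 2, "", ["namingContexts"])
        if base_dn:
            report["base"], report["base_entries"] = _search(sock, 3, base_dn, ["objectClass"])
    return report
```

Run it against one of your own DCs as `probe("dc01.example.test", base_dn="DC=example,DC=test")` (both names are placeholders). A `bind` of 0 together with a `rootdse` of 0 is what every LDAPv3 server gives and is what the Nessus plugin keys on; the line that tells you whether there is anything to worry about is `base`: a non-zero result code or an empty `base_entries` means the anonymous session got the rootDSE and nothing else, while real entries under `base_entries` mean directory data is being handed out without a bind and the `dsHeuristics` setting from the KB article is worth a look.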
