Risk Report

Date: Sunday, March 10, 2002 16:21:01
User Name: xxxxxxxxxxxxxxxxxxxxxx
Company: xxxxxxxxxxxxxx
Session ID: 112
Session Name: Test 1
Current Job ID: 131
Current Job Date: March 10, 2002 4:19:31 PM

High Risk Vulnerabilities


Vulnerability name: Anonymous Remote Registry Access
Vulnerability description:
The Registry database on Windows NT systems contains very important information. This machine allows unauthenticated access to the registry database. This means that various configuration parameters can be read or modified.
List of vulnerable hosts

Vulnerability name: Microsoft Windows NT RPC Endpoint Mapper Denial of Service Vulnerability
Vulnerability description:
RPC (Remote Procedure Call) services run on dynamically assigned UDP and TCP ports. The RPC Endpoint Mapper service, listening on port 135, tells a client which port the requested RPC service on the host is using. Sending a malformed request to the RPC Endpoint Mapper on port 135 causes the service to stop responding, which denies access to legitimate users.
List of vulnerable hosts

Vulnerability name: NT Posix SubSystem Enabled
Vulnerability description:
The POSIX subsystem is an optional module of Windows NT. When enabled, some security holes (trojans) are opened, e.g. it is possible to create a file with a lower-case name that will be found by a search before a file with an upper-case name. This test requires access to the remote registry.
List of vulnerable hosts

Vulnerability name: OS/2 Subsystem Enabled
Vulnerability description:
The OS/2 subsystem is an optional module of Windows NT. When enabled, some security holes exist. For example, processes may still exist after the user has logged out. An attacker could exploit this to install a Trojan Horse. This test requires access to the remote registry.
List of vulnerable hosts

Vulnerability name: Privilege "Act as part of the operating system" Enabled
Vulnerability description:
The "Act as part of the operating system" privilege allows a process to perform as a secure, trusted part of the operating system. A user or group has been found to have this privilege. In a secure installation, this privilege must be reserved only for administrators.
List of vulnerable hosts

Vulnerability name: Unsecured Registry Access
Vulnerability description:
The registry database, a critical part of Windows NT configuration, can be accessed remotely for remote administration purposes. If the system does not use the features provided by Microsoft to enforce remote registry access restrictions, a wide range of attacks can possibly occur, including gaining administrator access or making the system unusable.
List of vulnerable hosts


Medium Risk Vulnerabilities


Vulnerability name: .reg Files Associated With Regedit.exe
Vulnerability description:
regedit.exe is the program used to edit the registry database, which contains a lot of sensitive information. It has been found that files with the extension .reg are associated with regedit.exe. If a malicious user convinces a user of the target system to open a specially constructed .reg file (e.g. received by mail or downloaded from a URL), the naive user could make unwanted changes to his system. This check requires access to the remote registry.
List of vulnerable hosts

Vulnerability name: Apache - HTTP Server is Outdated
Vulnerability description:
The Apache server version is 1.3.12 or earlier. These versions contain various security problems and should not be used.
List of vulnerable hosts

Vulnerability name: AT&T VNC Service Available
Vulnerability description:
VNC, which stands for Virtual Network Computing, is a software package freely available from AT&T corporation. It is designed to let a user with adequate privileges access desktops remotely; thus, privileged access over the network is possible. The remote server is running VNC, which permits its console to be displayed remotely.
List of vulnerable hosts

Vulnerability name: DCOM Enabled
Vulnerability description:
DCOM is used for remote function execution. Although no specific exploits are known, it is good practice to disable DCOM unless needed. This test checks the value of a specific registry key. This test needs administrator access to the remote registry in order to succeed.
List of vulnerable hosts

Vulnerability name: discard/udp Service is Running
Vulnerability description:
Discard/UDP was designed to debug TCP/IP. When a discard/udp server (port 9) receives a packet, it simply throws it away; no answer is returned. An attacker can use this service to waste network bandwidth.
List of vulnerable hosts

Vulnerability name: DNS Server Enabled
Vulnerability description:
DNS servers are critical components of the Internet infrastructure, and they are also used on intranets. If a DNS server is ever compromised by an attacker, the whole network is at risk: attacks such as denial of service or impersonation can occur. A DNS server is not a security hazard by itself, but its presence means that the system's security must be double-checked.
List of vulnerable hosts

Vulnerability name: DNS Zone Transfer
Vulnerability description:
Zone transfers are intended to update a secondary name server's information from a primary name server. Here they create a security issue: any host can request and obtain this information.
List of vulnerable hosts

Vulnerability name: HTTP Directory Listing
Vulnerability description:
HTTP servers have a common feature: unless it is forbidden by explicit configuration, the server will return a directory listing when no default index file is present. This can give away valuable information to a potential intruder.
List of vulnerable hosts

Vulnerability name: Incorrect System Clock Vulnerability
Vulnerability description:
If a system does not report the correct time, evaluating when events occurred becomes difficult. Timestamps and log entries then become hard to correlate, making it difficult to determine what is happening on your network and when.
List of vulnerable hosts

Vulnerability name: LDAP Null Base
Vulnerability description:
If LDAP allows a NULL base in an LDAP search, a user can run a search that returns information such as "namingContexts" and "supported controls", and can thereby obtain directory listings. An attacker can use this information for malicious activity such as accessing directory listings.
List of vulnerable hosts

Vulnerability name: Microsoft IE Import/Export Favorites Vulnerability
Vulnerability description:
Internet Explorer 5.0 and 5.01 allow remote attackers to modify or execute files via the Import/Export Favorites feature, aka the "ImportExportFavorites" vulnerability.
List of vulnerable hosts

Vulnerability name: Microsoft IIS 4.0/5.0 Multiple Vulnerabilities
Vulnerability description:
Several vulnerabilities have been found affecting Microsoft IIS 4.0 and 5.0. In addition to including all previously released security patches, the patch also includes fixes for five newly discovered security vulnerabilities affecting IIS 4.0 and 5.0:
- A denial of service vulnerability that could enable an attacker to cause the IIS 4.0 service to fail, if URL redirection has been enabled. The "Code Red" worm generates traffic that can in some cases exploit this vulnerability, the result of which is that an IIS 4.0 machine that wasn't susceptible to infection via the worm could nevertheless have its service disrupted by the worm.
- A denial of service vulnerability that could enable an attacker to temporarily disrupt service on an IIS 5.0 web server. WebDAV doesn't correctly handle a particular type of very long, invalid request. Such a request would cause the IIS 5.0 service to fail; by default, it would automatically restart.
- A denial of service vulnerability involving the way IIS 5.0 interprets content containing a particular type of invalid MIME header. If an attacker placed content containing such a defect onto a server and then requested it, the IIS 5.0 service would be unable to serve any content until a spurious entry was removed from the File Type table for the site.
- A buffer overrun vulnerability involving the code that performs server-side include (SSI) directives. An attacker who had the ability to place content onto a server could include a malformed SSI directive that, when the content was processed, would result in code of the attacker's choice running in Local System context.
- A privilege elevation vulnerability that results from a flaw in a table that IIS 5.0 consults when determining whether a process should run in-process or out-of-process. IIS 5.0 contains a table that lists the system files that should always run in-process. However, the list provides the files using relative as well as absolute addressing, the result of which is that any file whose name matched that of a file on the list would run in-process.
In addition, this patch eliminates a side effect of the previous IIS cumulative patch (discussed in the Caveats section of Microsoft Security Bulletin MS01-026) by restoring proper functioning of UPN-style logons via FTP and W3SVC.
List of vulnerable hosts

Vulnerability name: Microsoft Internet Explorer Cookie Disclosure Vulnerability
Vulnerability description:
Internet Explorer contains a vulnerability which could allow an attacker to construct a URL that would let a malicious website read cookie information associated with an arbitrary website. This vulnerability is due to an error in parsing hostnames: specially formatted hostnames can allow malicious websites to read and modify the cookies that other websites have set. Successful exploitation of this vulnerability could lead to the disclosure of sensitive information such as session IDs, authentication information, etc. This could assist in further attacks against the user or the web servers that issued the cookies.
List of vulnerable hosts

Vulnerability name: Microsoft Network Monitor Multiple Buffer Overflow Vulnerabilities
Vulnerability description:
Network Monitor is a network administration tool installed as an option with Microsoft Windows NT 4.0 and Windows 2000. Network Monitor allows administrators to monitor network traffic. This vulnerability affects both the basic and full versions of Network Monitor. It contains a buffer overflow vulnerability that allows code to be executed with the privilege level of the current user, so a remote attacker could gain privileged access and execute arbitrary code on any computer running Network Monitor that displays the attacker's captured data. Administrative privileges are required to run Network Monitor.
List of vulnerable hosts

Vulnerability name: Microsoft RDP DoS Vulnerability
Vulnerability description:
Remote Desktop Protocol (RDP) is the protocol that Windows terminal servers and clients use to communicate with each other. The implementation of RDP in the terminal service in Windows NT 4.0 and Windows 2000 does not correctly handle a particular series of data packets. By sending such a sequence of packets to the port associated with RDP on an affected server, an attacker could cause the server to fail. The server could be put back into normal service by rebooting it, but any work in progress at the time of the attack would be lost, and the server operator would have to reboot the machine in order to restore normal service.
List of vulnerable hosts

Vulnerability name: Microsoft Windows NT 4.0 Networking Mutex DoS Vulnerability
Vulnerability description:
Microsoft Windows NT 4.0 is subject to a denial of service due to the implementation of incorrect permissions in a Mutex object. A local user could gain control of the Mutex on a network machine and deny all network communication.
List of vulnerable hosts

Vulnerability name: Microsoft Windows NT/2000 NetBIOS Release Vulnerability
Vulnerability description:
An attacker can send a NetBIOS Name Release message to the NetBIOS name service. This places the target's name in conflict, so the target can no longer use it. The problem is due to the insecure design of NetBIOS (it is unauthenticated).
List of vulnerable hosts

Vulnerability name: NetBIOS Null Session
Vulnerability description:
A NetBIOS null session is possible. A null session is established with username "", password "", domain "" (no authentication). It is normally used to list resources (shares). This may allow access to usernames and to the registry database.
List of vulnerable hosts

Vulnerability name: NT ResetBrowser frame & HostAnnouncement flood patch not installed
Vulnerability description:
Windows NT 4.0 and Windows 2000 implement the CIFS Computer Browser protocol. Two vulnerabilities exist because of the inability of administrators to limit whether Master Browsers respond to some frames:
- The "ResetBrowser Frame" vulnerability, which affects both Windows NT 4.0 and Windows 2000. Like most implementations, the Windows implementation provides the ability for a Master Browser to shut down other browsers via the ResetBrowser frame. However, there is no capability to configure a browser to ignore ResetBrowser frames. This could allow a malicious user to shut down browsers on his subnet as a denial of service attack against the browser service, or, in the worst case, to shut down all browsers and declare his machine the new Master Browser.
- The "HostAnnouncement Flooding" vulnerability, which does not affect Windows 2000. Because there is no means of limiting the size of the browse table in Windows NT 4.0, a malicious user could send a huge number of bogus HostAnnouncement frames to a Master Browser. The resulting replication traffic could consume most or all of the network bandwidth and cause other problems through processing of the table as well.
If a firewall was in place and blocking port 138 UDP, neither vulnerability could be exploited by an external user. Even an internal user could only attack browsers on the same subnet as his machine. Normal administrative tools would allow the administrator to determine who had mounted the attack.
List of vulnerable hosts

Vulnerability name: NT Terminal Server Multiple Connection Request DoS Vulnerability
Vulnerability description:
Windows NT 4.0 Terminal Server will start creating a Terminal Server connection immediately upon receiving a TCP connection on port 3389, even before authenticating the system or user making the request. Each connection instance requires about 1MB of memory. If enough requests are made concurrently to a server with low memory and no cap on simultaneous requests, the system will slow down to the point where it is unusable by legitimate users, and in some cases will crash and need to be rebooted.
List of vulnerable hosts

Vulnerability name: POP3 Service Is Running Vulnerability
Vulnerability description:
POP3 is a service that gives access to user mailboxes. Mail User Agents use POP3 to retrieve mail. POP3 is based on a clear username / password transmission and a system running a POP3 server may be vulnerable to a brute force attack against usernames/passwords.
List of vulnerable hosts

Vulnerability name: Privilege "Add workstations to the domain" Enabled
Vulnerability description:
The "Add workstations to the domain" privilege allows a user to add workstations or servers to a particular NT domain. A user or group has been found to have this privilege. In a secure installation, this privilege must be reserved only for NT domain administrators.
List of vulnerable hosts

Vulnerability name: Privilege "Bypass traverse checking" Enabled
Vulnerability description:
The "Bypass traverse checking" privilege allows a user to change directories and access files and subdirectories even if the user has no permission to access parent directories. The user "traverses" the directory tree. A user or group has been found to have this privilege. In a maximum security installation, this privilege must be disabled.
List of vulnerable hosts

Vulnerability name: Privilege "Restore Files and Directories" Enabled
Vulnerability description:
The "Restore Files and Directories" privilege allows users to restore from backup (files, directories, registry keys). A user or group has been found to have this privilege. In a secure installation, this privilege must be reserved only for administrators or backup operators.
List of vulnerable hosts

Vulnerability name: Read Access to Application Event Log
Vulnerability description:
The Application event log should not be accessible by guest users.
List of vulnerable hosts

Vulnerability name: Read Access to Security Event Log
Vulnerability description:
The Security event log should not be accessible by guest users.
List of vulnerable hosts

Vulnerability name: Read Access to System Event Log
Vulnerability description:
The System event log should not be accessible by guest users.
List of vulnerable hosts

Vulnerability name: Relative Shell Path patch not installed
Vulnerability description:
The registry entry for the Windows Shell executable (Explorer.exe) in Windows NT and Windows 2000 uses a relative path name, which allows local users to execute arbitrary commands by inserting a Trojan Horse named Explorer.exe into the %Systemdrive% directory, also known as the "Relative Shell Path" vulnerability. This could provide an opportunity for a malicious user to cause code of his choice to run when another user subsequently logged onto the same machine. Under normal conditions, the malicious user could only exploit this vulnerability on machines that he could interactively log onto. As a result, workstations and terminal servers would be the machines primarily at risk. If standard security recommendations have been followed, normal users will not be given permission to interactively log onto security-critical machines such as domain controllers, print/file servers, ERP servers, web servers, and so forth.
List of vulnerable hosts

Vulnerability name: SMB Share List Obtained
Vulnerability description:
With the Windows file sharing system, an administrator or a user can create a shared resource (disk, partition, printer). However, if restrictions are not defined, by default, everyone has full access to this created shared resource. It may give unsecured and illicit access to the file system.
List of vulnerable hosts

Vulnerability name: SMTP Relay is Enabled Vulnerability
Vulnerability description:
Your SMTP server supports third-party or %-style mail relay. Third-party mail relay occurs when a mail server processes a mail message where neither the sender nor the recipient is local to the server's mail domain.
List of vulnerable hosts

Vulnerability name: SNMP Agent on NT
Vulnerability description:
By default, Windows NT provides via SNMP information which is normally available only to administrators.
List of vulnerable hosts

Vulnerability name: WINS Fill Log
Vulnerability description:
An attacker can fill the WINS event log by making repeated connections that send invalid data to TCP port 42 of an NT server running WINS. This attack can be performed against Windows 2000 as well.
List of vulnerable hosts

Vulnerability name: Write Access to Application Event Log
Vulnerability description:
The Application event log should not be accessible by guest users.
List of vulnerable hosts

Vulnerability name: Write Access to Security Event Log
Vulnerability description:
The Security event log should not be accessible by guest users.
List of vulnerable hosts

Vulnerability name: Write Access to System Event Log
Vulnerability description:
The System event log should not be accessible by guest users.
List of vulnerable hosts


Low Risk Vulnerabilities


Vulnerability name: Apache Split-Logfile File Appending Vulnerability
Vulnerability description:
Split-logfiles in Apache webserver allow separate log files to be created for each individual host name. A problem exists in the implementation of the split-logfile functionality which may allow data supplied by the attacker to be appended to files with the .log extension. An HTTP request with a Host: header that starts with a "/" will cause an error message to be displayed, but will also still append the entry to the appropriate access file. This can be exploited to cause data supplied by the attacker to be appended to an arbitrary .log file if the Host: header is specially crafted. Red Hat Secure Web Server 3.2 is also affected by this issue.
List of vulnerable hosts

Vulnerability name: Default Login Name Obtained from Registry Database
Vulnerability description:
The default login name of the computer is stored in the Registry Database. This could allow an attacker to retrieve a valid login name.
List of vulnerable hosts

Vulnerability name: HTTP Available Banner Exposure
Vulnerability description:
The target host reveals an accurate Web server version. This may be used by attackers trying to exploit known vulnerabilities.
List of vulnerable hosts

Vulnerability name: ICMP Timestamp Reply Vulnerability
Vulnerability description:
Usually, the host responds to an ICMP timestamp request by sending an ICMP reply. This can be used to flood your network.
List of vulnerable hosts

Vulnerability name: IMAP Server Returns Information in Banner Vulnerability
Vulnerability description:
The IMAP server sends an informative message to clients, including a version number. It could reveal potential vulnerabilities to the outside world.
List of vulnerable hosts

Vulnerability name: Insufficient Minimum Password Length Vulnerability
Vulnerability description:
The host has a minimum required password length which is less than 6 characters. In order to hinder brute force attacks, passwords should be required to be at least six characters.
List of vulnerable hosts

Vulnerability name: Insufficient Password History Length Vulnerability
Vulnerability description:
The host has a password history length which is less than 3. The account policy is not secure if passwords can be reused. A new password must not match any of the previous 3 passwords.
List of vulnerable hosts

Vulnerability name: Local User on Workstation is Present
Vulnerability description:
Some sites require that all user accounts on workstations are managed through the domain. A local user account has been found on a non-domain controller.
List of vulnerable hosts

Vulnerability name: Maximum Password Age Incorrect Vulnerability
Vulnerability description:
Passwords should be changed on a regular basis. A maximum password age which is longer than 42 days has been detected.
List of vulnerable hosts

Vulnerability name: Minimum Password Age Incorrect Vulnerability
Vulnerability description:
The minimum password age is shorter than 1 day. A value of 1 to 2 days is recommended. Passwords should not be changed too rapidly, or some users will set a newly changed password to one they have used previously.
List of vulnerable hosts

Vulnerability name: NetBIOS Groups Enumerated Through Null Session
Vulnerability description:
A listing of groups present on the target host was retrieved. Windows NT provides enumeration functions for enumerating groups on the network. By default, Windows 2000, Windows NT 4.0 and 3.51 allow anonymous logon users (also known as NULL session connections) to list group names.
List of vulnerable hosts

Vulnerability name: NetBIOS Names Retrieved
Vulnerability description:
NetBIOS is the session-level API in Windows networking. A networked Windows machine usually reveals several names, including:
- computer name
- domain name
- logged-in username
They can be retrieved via a simple access to the NetBIOS name service (UDP port 137).
List of vulnerable hosts

Vulnerability name: Network Transport List Available
Vulnerability description:
A listing of network transports which are present on the target host could be retrieved. Windows NT/2000 provides functions to enumerate hardware addresses of the network cards and all the network transports installed on the host.
List of vulnerable hosts

Vulnerability name: Password Policy Information Available
Vulnerability description:
Password policy information is available to non-authenticated users for all Windows NT systems prior to 4.0 with Service Pack 3 and the lsa2-fix. An attacker can access lockout information for users and global groups in a security database.
List of vulnerable hosts

Vulnerability name: POP3 Server Returns Information in Banner Vulnerability
Vulnerability description:
By opening a POP3 connection to the target host, it is possible to retrieve information on the live system, and infer potential vulnerabilities.
List of vulnerable hosts

Vulnerability name: Privilege "Increase Quota" Enabled
Vulnerability description:
This privilege is currently unused by Windows NT. However, it is not normally granted to any users or groups.
List of vulnerable hosts

Vulnerability name: Privilege "Replace Process Level Token" Enabled
Vulnerability description:
The "Modify firmware environment values" privilege allows users to modify security access tokens. A user or group has been found to have this privilege. In a secure installation, this privilege must be reserved only for power administrators. It could be used to gain administrator status.
List of vulnerable hosts

Vulnerability name: Red Hat Linux Apache Remote Username Enumeration Vulnerability
Vulnerability description:
By default, an Apache web server running on Red Hat could reveal whether a user exists on the host or not. You can infer whether a user exists from the response the server returns when asked for that user's home page.
List of vulnerable hosts

Vulnerability name: SMTP Available Banner Vulnerability
Vulnerability description:
By opening an SMTP connection to the target, it is possible to retrieve useful information in its banner. It could be used for further attacks.
List of vulnerable hosts

Vulnerability name: SMTP Forgery
Vulnerability description:
When an SMTP host opens a connection, it uses the HELO <domain> command to identify itself. If the SMTP server accepts any domain name in the HELO command, attackers will more easily be able to forge mail from the server.
List of vulnerable hosts

Vulnerability name: Traceroute Is Possible
Vulnerability description:
The traceroute application maps the route to the host. It releases information on the routing path, including names of intermediate routers and the internal IP addressing scheme.
List of vulnerable hosts


2001 VIGILANTe.com, Inc.
SecureScan and the VIGILANTe Logo are trademarks of VIGILANTe.com, Inc.
All Rights Reserved
All product names referenced herein are trademarks of their respective companies
North America: 1-888-403-2699 Southern European (France, Italy, Luxemburg, Spain, Switzerland) +33 1 53 92 70 00