Report of a Nessus scan Nessus Security Scanner November 26, 2002 i Nessus Report CONTENTS Contents 1 pc119.lab.rejas.net 1.1 Open ports (TCP and UDP) . . . . . . . . . . . . 1.2 Details of the vulnerabilities . . . . . . . . . . . . . 1.2.1 Problems regarding : unknown (135/tcp) . 1.2.2 Problems regarding : netbios-ssn (139/tcp) 1.2.3 Problems regarding : unknown (1025/tcp) . 1.2.4 Problems regarding : unknown (5000/tcp) . 1.2.5 Problems regarding : general/tcp . . . . . . 1.2.6 Problems regarding : netbios-ns (137/udp) 1.2.7 Problems regarding : general/udp . . . . . 1.2.8 Problems regarding : general/icmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iv . iv . iv . iv . v . vi . vi . vi . vii . viii . viii A List of port scanners used during this session x B List of plugins used during this session x ii Nessus Report CONTENTS Introduction In this test, Nessus has tested 1 host and found 1 severe security holes, as well as 9 security warnings and 9 notes.These problems can easily be used to break into your network. You should have a close look at them and correct them as soon as possible. Note that there is a big number of problems for a single network of this size. We strongly suggest that you correct them as soon as you can, although we know it is not always possible. You should have a look at (see Appendix A and B page x and page x for the exhaustive list of what was tested). On the overall, Nessus has given to the security of this network the mark E because of the number of vulnerabilities found. A script kid should be able to break into your network rather easily. There is room for improvement, and we strongly suggest that you take the appropriate measures to solve these problems as soon as possible If you were considering hiring some security consultant to determine the security of your network, we strongly suggest you do so, because this should save your network. iii Nessus Report 1 pc119.lab.rejas.net 1.1 Open ports (TCP and UDP) pc119.lab.rejas.net has the following ports that are open : • unknown (135/tcp) • netbios-ssn (139/tcp) • unknown (445/tcp) • unknown (1025/tcp) • unknown (5000/tcp) • general/tcp • netbios-ns (137/udp) • general/udp • general/icmp You should disable the services that you do not use, as they are potential security flaws. 1.2 1.2.1 Details of the vulnerabilities Problems regarding : unknown (135/tcp) Security warnings : • DCE services running on the remote can be enumerated by connecting on port 135 and doing the appropriate queries. An attacker may use this fact to gain more knowledge about the remote host. Solution : filter incoming traffic to this port. Risk factor : Low Security note : • The DCE Service ’wzcsvc’ is running on this host Type : ncalrpc UUID : f706820d-511f-e80a-3007-6d740be8cee9 iv Nessus Report 1.2 Details of the vulnerabilities • The DCE Service ’wzcsvc’ is running on this host Type : ncalrpc UUID : 8e52b00d-a937-cfc0-1182-2daa51e40000 • The DCE Service ’wzcsvc’ is running on this host Type : ncalrpc UUID : 74ef1c0d-a40a-0641-4e83-aedc74fb1cdd 1.2.2 Problems regarding : netbios-ssn (139/tcp) Security holes : • . It was possible to log into the remote host using a NULL session. The concept of a NULL session is to provide a null username and a null password, which grants the user the ’guest’ access . All the smb tests will be done as ’’/’’ Security warnings : • The host SID can be obtained remotely. Its value is : JENNY : 5-21-3978503659-1904607352-3529363498 An attacker can use it to obtain the list of the local users of this host Solution : filter the ports 137 to 139 Risk factor : Low CVE : CAN-2000-1200 • A ’rfpoison’ packet has been sent to the remote host. This packet is supposed to crash the ’services.exe’ process, rendering the system instable. If you see that this attack was successful, have a look at this page : http://www.wiretrip.net/rfp/p/doc.asp?id=23&iface=2 CVE : CVE-1999-0721 Security note : • The remote native lan manager is : Windows 2000 LAN Manager The remote Operating System is : Windows 5.1 The remote SMB Domain Name is : NYGATAN v Nessus Report 1.2 Details of the vulnerabilities 1.2.3 Problems regarding : unknown (1025/tcp) Security note : • A DCE service is listening on 192.168.100.119:1025 : Type: ncacn_ip_tcp UUID : f706820d-511f-e80a-3007-6d740be8cee9 • A DCE service is listening on 192.168.100.119:1025 : Type: ncacn_ip_tcp UUID : 8e52b00d-a937-cfc0-1182-2daa51e40000 • A DCE service is listening on 192.168.100.119:1025 : Type: ncacn_ip_tcp UUID : 74ef1c0d-a40a-0641-4e83-aedc74fb1cdd 1.2.4 Problems regarding : unknown (5000/tcp) Security warnings : • a web server is running on this port • The Sambar webserver is running. It provides a webinterface for sending emails. You may simply pass a POST request to /session/sendmail and by this send mails to anyone you want. Due to the fact that Sambar does not check HTTP referers you do not need direct access to the server! See http://www.toppoint.de/~hscholz/sambar for more information. Solution : Try to disable this module. There might be a patch in the future. Risk factor : High 1.2.5 Problems regarding : general/tcp Security warnings : vi Nessus Report 1.2 Details of the vulnerabilities • Microsoft Windows 95 and 98 clients have the ability to bind multiple TCP/IP stacks on the same MAC address, simply by having the protocol addded more than once in the Network Control panel. The remote host has several TCP/IP stacks with the same IP binded on the same MAC adress. As a result, it will reply several times to the same packets, such as by sending multiple ACK to a single SYN, creating noise on your network. If several hosts behave the same way, then your network will be brought down. Solution : remove all the IP stacks except one in the remote host Risk factor : Medium • The remote host uses non-random IP IDs, that is, it is possible to predict the next value of the ip_id field of the ip packets sent by this host. An attacker may use this feature to determine if the remote host sent a packet in reply to another request. This may be used for portscanning and other things. Solution : Contact your vendor for a patch Risk factor : Low Security note : • Nmap found that this host is running Windows Me or Windows 2000 RC1 through final release, Windows Millenium Edition v4.90.3000 1.2.6 Problems regarding : netbios-ns (137/udp) Security warnings : • . The following 4 NetBIOS names have been gathered : JENNY JENNY NYGATAN NYGATAN . The remote host has the following MAC address on its adapter : 0x00 0x30 0xf1 0x34 0x84 0xf5 vii Nessus Report 1.2 Details of the vulnerabilities If you do not want to allow everyone to find the NetBios name of your computer, you should filter incoming traffic to this port. Risk factor : Medium 1.2.7 Problems regarding : general/udp Security note : • For your information, here is the traceroute to 192.168.100.119 : 192.168.100.119 1.2.8 Problems regarding : general/icmp Security warnings : • The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentifications protocols. Solution : filter out the icmp timestamp requests (13), and the outgoing icmp timestamp replies (14). Risk factor : Low CVE : CAN-1999-0524 viii Nessus Report 1.2 Details of the vulnerabilities Conclusion A security scanner, such as Nessus, is not a garantee of the security of your network. A lot of factors can not be tested by a security scanner : the practices of the users of the network, the home-made services and CGIs, and so on... So, you should not have a false sense of security now that the test are done. We recommand that you monitor actively what happens on your firewall, and that you use some tools such as tripwire to restore your servers more easily in the case of an intrusion. In addition to that, you must know that new security holes are found each week. That is why we recommand that you visit http://www.nessus.org/scripts.html, which is a page that contains the test for all the holes that are published on public mailing lists such as BugTraq (see http://www.securityfocus.com for details) and test the security of your network on a (at least) weekly basis with the checks that are on this page. This report was generated with Nessus, the open-sourced security scanner. See http://www.nessus.org for more information ix Nessus Report A List of port scanners used during this session • Nmap B List of plugins used during this session • Services • SSH Kerberos issue • Solaris finger disclosure • Using NetBIOS to retrieve information from a Windows host • SMB log in • SMB accessible registry • SMB Registry : permissions of WinVNC’s key • SMB Registry : permissions of winlogon • SMB Registry : permissions of keys that can change common paths • SMB Registry : value of SFCDisable • SSH1 CRC-32 compensation attack • SMB Registry : permissions of Schedule • FreeBSD 4.1.1 Finger • Trin00 for Windows Detect • SMB Registry : permissions of keys that can lead to admin • Trin00 Detect • QueSO • SubSeven • SMB Registry : permissions of the RAS key • Stacheldraht Detect • An SNMP Agent is running • Default community names of the SNMP Agent • SNMP VACM • Obtain OS type via SNMP x Nessus Report • MySQL Server version • SMB Registry : is the remote host a PDC/BDC • Obtain processes list via SNMP • Enumerate Lanman shares via SNMP • HTTP version spoken • No 404 check • HTTP Server type and version • Zope ZClass permission mapping bug • Zope Image updating Method • SSH Server type and version • SSH 3.0.0 • Zope DoS • SMB fully accessible registry • SMB Registry : missing winreg • Enumerate Lanman services via SNMP • Zope DocumentTemplate package problem • Zeus shows the content of the cgi scripts • Obtain network interfaces list via SNMP • YaBB • Windmail.exe allows any user to execute arbirary comands • WebSpeed remote configuration • SMB enum services • The messenger service is running • webspirs.cgi • The alerter service is running • TalentSoft Web version detection+ • cfinger’s version • TalentSoft Web Input Validation Bug Vulnerability+ xi Nessus Report • WebLogic Server /%00/ bug • webdriver • SMB Registry : permissions of HKLM • Enumerate Lanman users via SNMP • IIS : Directory listing through WebDAV • RPC portmapper • NFS export • Directory listing through WebDAV • Tomcat’s snoop servlet gives too much information • Webalizer Cross Site Scripting Vulnerability • WebsitePro buffer overflow • Shaft Detect • vqServer web travesal vulnerablity • tooltalk format string • SMB Registry : Autologon • way-board • WebActive world readable log file • ustorekeeper • fam service • ttawebtop • Detect talkd server port and protocol version • ASP/ASA source using Microsoft Translate f: bug • Tripwire for Webpages Detection • SMB Registry : NT4 Service Pack version • RPC Endpoint Mapper can Cause RPC Service to Fail • Default password router Zyxel • Textor Webmasters CGI Allows Remote Command Execution • Detect CIS ports xii Nessus Report • thttpd ssi file retrieval • technote’s main.cgi • OpenSSH UseLogin Environment Variables • Jakarta Tomcat Path Disclosure • Microsoft’s SQL UDP Info Query • SWC Overflow • SMB Registry : Win2k Service Pack version • IrDA access violation patch • Redhat Stronghold File System Disclosure • mstream agent Detect • Interactive Story Directory Traversal Vulnerability • Microsoft’s SQL Blank Password • store.cgi • Shiva Integrator Default Password • Reading CGI script sources using /cgi-bin-sdb • SQLQHit Directory Stracture Disclosure • Malformed request to index server • SIX Webboard’s generate.cgi • LDAP allows anonymous binds • sojourn.cgi • in.fingerd |command@host bug • ShopPlus Arbitrary Command Execution • LDAP allows null bases • Shopping Cart Arbitrary Command Execution (Hassan) • SimpleServer remote execution • Kerberos PingPong attack • Cobalt siteUserMod cgi • Malformed request to domain controller xiii Nessus Report • DNS AXFR • sglMerchant Information Disclosure Vulnerability • sendtemp.pl • Tomcat’s /admin is world readable • Passwordless Cayman DSL router • sdbsearch.cgi • Directory listing through Sambar’s search.dll • DHCP server info gathering • Sambar webserver pagecount hole • cfingerd format string attack • Malformed PPTP Packet Stream vulnerability • Savant original form CGI access • Sambar Web Server CGI scripts • Determine which version of BIND name daemon is running • BIND vulnerable to ZXFR bug • Roxen Server /%00/ bug • ROADS’ search.pl • Useable remote name server • Raptor FW version 6.5 detection • Nortel Networks passwordless router (user level) • quickstore traversal • NTLMSSP Privilege Escalation • OpenSSH < 2.1.1 UseLogin feature • processit • Power Up Information Disclosure • BIND vulnerable to overflows • Poll It v2.0 cgi • Determine if Bind 9 is running xiv Nessus Report • PHPix directory traversal vulnerability • php safemode • Winsock Mutex vulnerability • PHP-Nuke’ opendir • Amanda client version • PHP-Nuke Gallery Add-on File View • Nortel Networks passwordless router (manager level) • PHP-Nuke copying files security vulnerability (admin.php) • Unpassworded MySQL • AFS client version • php log • php IMAP overflow • Unprotected PC Anywhere Service • Incomplete TCP/IP packet vulnerability • php file upload • Finger redirection check • PHP3 Physical Path Disclosure Vulnerability • PHP-Nuke security vulnerability (bb_smilies.php) • EXPN and VRFY commands • WebShield • phorum’s common.cgi • Traceroute • phpMyExplorer dir traversal • perlcal • TFN Detect • /perl directory browsable ? • Standard & Poors detection • PCCS-Mysql User/Password Exposure xv Nessus Report • Usable remote proxy • DoSable squid proxy server • pals-cgi • pagelog.cgi • SMTP Authentication Error • ows-bin • VisualRoute Web Server Detection • Domain account lockout vulnerability • Outlook Web anonymous access • TCP Chorusing • MacOS X Finder reveals contents of Apache Web files • MacOS X Finder reveals contents of Apache Web directories • OpenSSH < 3.0.1 • Oracle XSQL Sample Application Vulnerability • Cisco password not set • Novell Groupwise WebAcc Information Disclosure • ypxfrd service • Check for dangerous Novell webserver default files • Webserver file request parsing • PIX’s smtp content filtering • Tests for Nimda Worm infected HTML files • ipop2d reads arbitrary files • INN version check (2) • Checkpoint SecuRemote information leakage • ypupdated service • news desk • netscape publishingXpert 2 PSUser problem • LPC and LPC Ports Vulnerabilities patch xvi Nessus Report • SWAT allows the obtention of user names by brute force • ypbind service • newdsn.exe check • walld service • Oracle tnslsnr version query • Netscape Server ?wp bug • PFTP login check • Netscape Enterprise INDEX request problem • Cayman DSL router one char login • Netauth • SMTP Server type and version • Sendmail mime overflow • Netscape Administration Server admin password • yppasswd service • Telnet Client NTLM Authentication Vulnerability • tektronix’s _ncl_items.shtml • tfsd service • Detect the presence of Napster • Insecure Napster clone • ncbook/book.cgi • Finger dot at host feature • Novell Web Server NDS Tree Browsing • Oracle Applications One-Hour Install Detect • DoSable Oracle WebCache server • Anonymous FTP enabled • Guild FTPd tells if a given file exists • sawmill allows the reading of the first line of any file • sawmill password xvii Nessus Report • multihtml cgi • tooltalk service • RDS / MDAC Vulnerability (msadcs.dll) located • statmon service • Microsoft’s Index server reveals ASP source code • Malformed RPC Packet patch • Solaris FTPd tells if a user exists • ctss.idc check • Sendmail 8.11 local overflow • MiniVend Piped command • Alcatel ADSL Modem with Firewalling off • mmstdod.cgi • statd service • Lotus Notes ?OpenServer Information Disclosure • sprayd service • mailnews.cgi • Serv-U Directory traversal • Still Image Service Privilege Escalation patch • Checks for listrec.pl • snmp service • KW whois • OpenSSH 2.3.1 authentication bypass vulnerability • Allaire JRun directory browsing vulnerability • Buffer Overrun in ITHouse Mail Server v1.04 • Allaire JRun Directory Listing • showfhd service • InterScan VirusWall Remote Configuration Vulnerability • Axis Camera Default Password xviii Nessus Report • infosrch.cgi • Local Security Policy Corruption • Broker FTP files listing • IMP Session Hijacking Bug • selection service • /iisadmin is world readable • sched service • Check for dangerous IIS default files • GuildFTPD Directory Traversal • IIS SHTML Cross Site vulnerability • Exchange Malformed MIME header • IIS dangerous sample files • Service Control Manager Named Pipe Impersonation patch • sadmin service • /scripts/repost.asp • rusersd service • Content-Location HTTP Header • Passwordless Alacatel ADSL Modem • IIS 5.0 WebDav Memory Leakage • SHOUTcast Server DoS detector vulnerability • WFTP login check • Windows NT ftp ’guest’ account • IIS .IDA ISAPI filter applied • rstatd service • Check for IIS .cnf file leakage • rquotad service • Relative Shell Path patch • IIS directory traversal xix Nessus Report • Finger backdoor • Test Microsoft IIS Source Fragment Disclosure • Sendmail mailing to programs • Check for bdir.htr files • Mediahouse Statistics Web Server Detect • MySQL buffer overflow • IIS Remote Command Execution • rje mapper service • IIS IDA/IDQ Path Disclosure • rexd service • IIS 5 .printer ISAPI filter applied • NetBIOS Name Server Protocol Spoofing patch • The ACC router shows configuration without authentication • idq.dll directory traversal • FTP Server type and version • IBM-HTTP-Server View Code • nsemntd service • Read any file thanks to ~nobody/ • Sendmail mailing to files • Boa file retrieval • nsed service • eXtropia Web Store remote file retrieval • OpenSSH 2.5.x -> 2.9.x adv.option • NT ResetBrowser frame & HostAnnouncement flood patc • Web Shopper remote file retrieval • FTP site exec • ht://Dig’s htsearch potential exposure/dos • nlockmgr service xx Nessus Report • /iisadmpwd/aexp2.htr • 3Com Superstack II switch with default password • ht://Dig’s htsearch reveals web server path • nfsd service • htgrep • Sendmail’s from |program • NT IP fragment reassembly patch not applied (jolt2) • htdig • FTP real path • hsx directory traversal • llockmgr service • HSWeb document path • keyserv service • ftp.pl shows the listing of any dir • FTPd tells if a user exists • shtml.exe reveals full path • etherstatd service • Formmail Version Information Disclosure • SMB Registry : SQL7 Patches • Default accounts • Microsoft Frontpage dvwssr.dll backdoor • Sendmail redirection check • Microsoft Exchange Public Folders Information Leak • database service • EZShopper 3.0 • FTP bounce check • E-Shopping Cart Arbitrary Command Execution (WebDiscount) • cmsd service xxi Nessus Report • empower cgi path • Finger zero at host feature • SMB LanMan Pipe Server browse listing • Unify eWave ServletExec 3.0C file upload • automountd service • /doc directory browsable ? • /doc/packages directory browsable ? • Linux FTP backdoor • Lotus Domino administration databases • Proxy accepts POST requests • amd service • DCShop exposes sensitive files • Sendmail DEBUG • DBMan CGI server information leakage • Passwordless Wingate installed • Dansie Shopping Cart backdoor • alis service • CVSWeb detection • CVSWeb 1.80 gives a shell to cvs commiters • SSH Overflow • commerce.cgi • X25 service • dcforum • 3270 mapper service • CodeRed version X detection • Sendmail ’decode’ flaw • SMB shares enumeration • SMB get domain SID xxii Nessus Report • SMB use domain SID to enumerate users • SMB log in as users • SMB Windows9x password verification vulnerability • Cisco IOS HTTP Configuration Arbitrary Administrative Access • sunlink mapper service • Cisco Catalyst Web Execution • News Server type and version • Detect Server type and version via Telnet • cgiforum • Relative IP Identification number change • CGIEmail’s Cross Site Scripting Vulnerability (cgicso) • Quote of the day • directory pro web traversal • SMB shares access • JRun’s viewsource.jsp • Portal of Doom • CGIEmail’s CGICso (Send CSO via CGI) Command Execution Vulnerability • Detect presence of PGPNet server and its version • ColdFusion Debug Mode • CERN httpd problem • NIS server • calendar_admin.pl • Cart32 ChangeAdminPassword • Telnet • bizdb1-search.cgi located • icmp timestamp request • BroadVision Physical Path Disclosure Vulnerability • icmp netmask request xxiii Nessus Report • Sun’s Java Web Server remote command execution • Echo port open • bb-hostsvc.sh • Mail relaying • NTMail3 spam feature • Basilix includes download • Finger • auktion.cgi • DeepThroat • ASP source using %2e trick • Daytime • ASP source using ::$DATA trick • Chargen • Apache UserDir Sensitive Information Disclosure • Passwordless HP LaserJet • Usable remote proxy on any port • Apache::ASP source.asp • bootparamd service • Check for Apache Multiple / vulnerability • SiteScope Web Managegment Server Detect • SSH Insertion Attack • Apache /server-status accessible • Apache /server-info accessible • Apache Directory Listing • BIND vulnerable • Apache Auth Module SQL Insertion Attack • qpopper euidl problem • anacondaclip xxiv Nessus Report • BackOrifice • Anaconda remote file retrieval • Cisco 675 passwordless router • bypass Axis Storpoint CD authentification • MySQL various flaws • A1Stats • Alchemy Eye HTTP Command Execution • PC Anywhere • OmniPro httpd 2.08 scripts source full disclosure • BEA WebLogic Scripts Server scripts Source Disclosure • SMB NativeLanMan • Samba Remote Arbitrary File Creation • Imap buffer overflow • Atrium Mercur Mailserver • 40X HTML Cross Site Scripting vulnerability • wwwboard passwd.txt • wrap • whois_raw • WebSite pro reveals the physical file path of web directories • websendmail • webgais • Systat • OmniHTTPd visadmin exploit • netstat • view_source • Cfinger’s search.**@host feature • uploader.exe • Upload cgi xxv Nessus Report • thttpd flaw • Webcart misconfiguration • test-cgi • Shells in /cgi-bin • Roxen counter module • Proxy accepts CONNECT requests • printenv • Cognos Powerplay WE Vulnerability • PlusMail vulnerability • php.cgi • pfdispaly • perl interpreter can be launched as a CGI • phf • Netscape Messenging Server User List • nph-test-cgi • nph-publish.cgi • Netscape FastTrack ’get’ • ICECast Format String • Netscape Server ?PageServices bug • Tektronix /ncl_items.html • MS Personal WebServer ... • jj cgi • info2www • /scripts directory browsable • IIS perl.exe problem • icat • Htmlscript • Home Free search.cgi directory traversal xxvi Nessus Report • Handler • guestbook.pl • guestbook.cgi • glimpse • Microsoft Frontpage ’authors’ exploits • Microsoft Frontpage exploits • formmail.pl • Finger cgi • Faxsurvey • Dumpenv • Domino HTTP server exposes the set up of the filesystem • Count.cgi • Lotus Domino ?open Vulnerability • Cobalt RaQ2 cgiwrap • Excite for WebServers • /cgi-bin directory browsable ? • Campas • RedHat 6.0 cachemgr.cgi • bigconf • bb-hist.sh • AN-HTTPd tests CGIs • AltaVista Intranet Search • tst.bat • alibaba.pl • get32.exe • AliBaba path climbing • ShowCode possible • IIS possible DoS using ExAir’s search xxvii Nessus Report • IIS possible DoS using ExAir’s query • ColdFusion Vulnerability • IIS possible DoS using ExAir’s advsearch • Cobalt Web Administration Server Detection • POP3 Server type and version • ipop2d buffer overflow • Identd enabled • INN version check • LinuxConf grants network access • DCE Services Enumeration • Checkpoint FW-1 identification • CheckPoint Firewall-1 Telnet Authentication Detection • Checkpoint SecureRemote detection • F5 Device Default Support Password • rlogin • rsh • LPRng malformed input • rexecd • AppleShare IP Server status query • RTSP Server type and version • Detect the HTTP RPC endpoint mapper • Detect SWAT server port • CheckPoint Firewall-1 Web Authentication Detection • WinSATAN • Kazaa / Morpheus Client Detection • A Nessus Daemon is running • HealthD detection • Microsoft’s SQL TCP/IP listener is running xxviii Nessus Report • Oracle tnslsnr security • PPTP detection and versioning • MBDMS overflow • Compaq WBEM Server Detection • A CVS pserver is running • SiteScope Web Administration Server Detection • Eserv traversal • WorldClient for MDaemon Server Detection • MySQLs accepts any password • CA Unicenter’s File Transfer Service is running • iChat • MetaInfo servers • Unpassworded PostgreSQL • remwatch • PC Anywhere TCP • Check for VNC HTTP • Check for VNC • X Server • McAfee myCIO detection • AOLserver Default Password • mstream handler Detect • GateCrasher • CA Unicenter’s Transport Service is running • Extent RBS ISP • FTPGate traversal • SyGate Backdoor • Unprotected Netware Management Portal • NetBeans Java IDE xxix Nessus Report • Ultraseek Web Server Detect • Oracle Web Administration Server Detection • vqServer administrative port • NAI Management Agent leaks info • HP LaserJet direct print • Check for Webmin • NetBus 1.x • LCDproc server detection • Amanda Index Server version • CDK Detect • Kuang2 the Virus • NetBus 2.x • GirlFriend • NetSphere • Trinity v3 Detect • Lion worm • IRIX Objectserver • rwhois format string attack • Linux TFTP get file • Buffer overflow in WebSitePro webfind.exe • Sambar /sysadmin directory 2 • Sambar sendmail /session/sendmail • TFTP get file • Sambar /cgi-bin/mailit.pl installed ? • rpm_query CGI • Piranha’s RH6.2 default password • Pi3Web tstisap.dll overflow • Oracle XSQL Stylesheet Vulnerability xxx Nessus Report • Resin traversal • Master Index directory traversal vulnerability • Lotus Domino SMTP overflow • iPlanet Directory Server traversal • Informix traversal • IIS ISAPI Overflow • Cold Fusion Administration Page Overflow • Analogx Web server traversal • robot(s).txt exists on the Web Server • Web server traversal • Too long URL • IIS buffer overflow • FormHandler.cgi • SysV /bin/login buffer overflow (telnet) • wu-ftpd mishandles CWD ~{ • wu-ftpd SITE EXEC vulnerability • Pocsag password • proftpd 1.2.0preN check • proftpd exhaustion attack • NSM format strings vulnerability • Multiple WarFTPd DoS • hpux ftpd PASS vulnerability • FTPD glob Heap Corruption • ftp writeable directories • bftpd format string vulnerability • Writeable FTP root • FTP CWD ~root • ftp USER, PASS or HELP overflow xxxi Nessus Report • Ftp PASV on connect crashes the FTP server • SysV /bin/login buffer overflow (rlogin) • rsh on finger output • McAfee myCIO Directory Traversal • ICEcap default password • Unprotected SiteScope Service • BIND buffer overrun • rwhois format string attack (2) • RealServer Memory Content Disclosure • PIX Firewall Manager Directory Traversal • HP LaserJet display hack • Too long POST command • yppasswdd overflow • Too long authorization • stream.c • wwwwais • WFTP RNTO DoS • WebLogic Server DoS • format string attack against statd • spin_client.cgi buffer overrun • UDP null size going to SNMP DoS • Sedum DoS • WinLogon.exe DoS • WFTP 2.41 rc11 multiple DoS • Savant DoS • EXPN overflow • ActivePerl perlIS.dll Buffer Overflow • TESO in.telnetd buffer overflow xxxii Nessus Report • IIS phonebook • snmpXdmid overflow • Oracle Application Server Overflow • Orange DoS • Nortel Contivity DoS • GoodTech ftpd DoS • rfparalyze • Netscape Enterprise ’../’ buffer overflow • ntpd overflow • iWS shtml overflow • Generic flood • Imail Host: overflow • Lotus MAIL FROM overflow • IIS propfind DoS • FTP Serv-U 2.5e DoS • IIS 5.0 PROPFIND Vulnerability • pam_smb / pam_ntdom overflow • IIS Malformed Extension Data in URL • Winnuke • Marconi ASX DoS • NT IIS 5.0 Malformed HTTP Printer Request Header Buffer Overflow Vulnerability • Teardrop • ICQ Denial of Service attack • ftp ’glob’ overflow • Test HTTP dangerous methods • pimp • GroupWise buffer overflow • Interscan 3.32 SMTP Denial xxxiii Nessus Report • IIS FrontPage DoS II • rfpoison • Microsoft Frontpage DoS • OShare • htimage.exe overflow • Dragon telnet overflow • SalesLogix Eviewer WebApp crash • qpopper buffer overflow • XMail APOP Overflow • ftpd strtok() stack overflow • cisco http DoS • cisco 675 http DoS • Nestea • CISCO view-source DoS • Land • AnalogX denial of service by long cgi name • Delegate overflow • Imate HELO overflow • AnalogX denial of service • EFTP carriage return DoS • IIS FrontPage DoS • Linux 2.1.89 - 2.2.17 : 0 length fragment bug • webdist.cgi • Firewall/1 UDP port 0 DoS • w3-msql overflow • GAMSoft TelSrv 1.4/1.5 Overflow • thttpd 2.04 buffer overflow • Dragon FTP overflow xxxiv Nessus Report • php.cgi buffer overrun • Bonk • Netscape Enterprise ’Accept’ buffer overflow • Netwin’s DMail ETRN overflow • Oracle Web Server denial of Service • Axent Raptor’s DoS • MSQL CGI overflow • bftpd chown overflow • MediaHouse Statistic Server Buffer Overflow • + + ATH0 modem hangup+ • imagemap.exe • Ascend Kill • NT IIS Malformed HTTP Request Header DoS Vulnerability • Wingate denial of service • IIS ’GET ../../’ • wu-ftpd SITE NEWER vulnerability • Eicon Diehl LAN ISDN modem DoS • XTramil MTA ’HELO’ denial • uw-imap buffer overflow after logon • netscape imap buffer overflow after logon • Domino HTTP Denial • cgitest.exe buffer overrun • Annex DoS • Alibaba 2.0 buffer overflow • vftpd buffer overflow • WebSite 1.0 buffer overflow • OpenLink web config buffer overflow • SunKill xxxv Nessus Report • vpopmail input validation bug • smad • wu-ftpd buffer overflow • ProFTPd buffer overflow • RealServer denial of Service • ProFTPd pre6 buffer overflow • TFS SMTP 3.2 MAIL FROM overflow • Livingston Portmaster crash • proftpd mkdir buffer overflow • HELO overflow • Hyperbomb • IIS FTP server crash • SLMail MTA ’HELO’ denial • qpopper LIST buffer overflow • FTP ServU CWD overflow • Cassandra NNTP Server DoS • BFTelnet DoS • Ftp PASV denial of service • SLMail denial of service • AIX ftpd buffer overflow • Tinyproxy heap overflow • IMAP4rev1 buffer overflow after logon • Notes MTA denial • MDaemon crash • Xtramail pop3 overflow • MDaemon DoS • Oops buffer overflow • Check for RealServer DoS xxxvi Nessus Report • CSM Mail server MTA ’HELO’ denial • CMail’s MAIL FROM overflow • Wingate POP3 USER overflow • Chameleon SMTPd overflow • WindowsNT DNS flood denial • Xitami Web Server buffer overflow • SmartServer pop3 overflow • SuSE’s identd overflow • Netscape Enterprise Server DoS • Buffer overflow in Solaris in.lpd • Microsoft’s SQL TCP/IP denial of service • WindowsNT PPTP flood denial • Novell Border Manager • RealServer G2 buffer overrun • Imail’s imonitor buffer overflow • UltraSeek 3.1.x Remote DoS • NAI Management Agent overflow • FakeBO buffer overflow • LCDproc buffer overflow • uw-imap buffer overflow • Rover pop3 overflow • Various pop3 overflows • Ken! DoS • Imail’s imap buffer overflow • RealServer Ramgen crash (ramcrash) • SLMail:27 denial of service • pnserver crash • Rockliffe’s MailSite overflow xxxvii Nessus Report • WINS UDP flood denial • SCO i2odialogd buffer overrun • klogind overflow • Knox Arkeia buffer overflow • Mercure WebView WebClient • Microsoft Media Server 4.1 - DoS • VirusWall’s catinfo overflow • MDaemon Worldclient crash • MDaemon Webconfig crash • NAI PGP Cert Server DoS • Yahoo Messenger Denial of Service attack • iParty • Cisco DoS • Communigate Pro overflow • Gauntlet overflow • HotSync Manager Denial of Service attack • XTramail control denial • libgtop_daemon format string xxxviii