Windows 2000 Server with Service Pack 2

This scan was performed using Nessus 2.0 and NMAP.

Nessus Scan Report

This report gives details on hosts that were tested and issues that were found. Please follow the recommended steps and procedures to eradicate these threats.

Scan Details

Hosts which were alive and responding during test : 1
Number of security holes found : 6
Number of security warnings found : 15

Host List

Host(s)            Possible Issue
151.108.232.190    Security hole(s) found

Analysis of Host

Address of Host     Port/Service              Issue regarding Port
151.108.232.190     smtp (25/tcp)             Security warning(s) found
151.108.232.190     http (80/tcp)             Security hole found
151.108.232.190     loc-srv (135/tcp)         Security warning(s) found
151.108.232.190     netbios-ssn (139/tcp)     Security hole found
151.108.232.190     https (443/tcp)           Security notes found
151.108.232.190     microsoft-ds (445/tcp)    Security notes found
151.108.232.190     NFS-or-IIS (1025/tcp)     Security notes found
151.108.232.190     LSA-or-nterm (1026/tcp)   Security notes found
151.108.232.190     ms-lsa (1029/tcp)         Security notes found
151.108.232.190     unknown (2803/tcp)        Security warning(s) found
151.108.232.190     msdtc (3372/tcp)          Security notes found
151.108.232.190     general/udp               Security notes found
151.108.232.190     general/tcp               Security notes found
151.108.232.190     general/icmp              Security warning(s) found
151.108.232.190     netbios-ns (137/udp)      Security warning(s) found
151.108.232.190     iad1 (1030/udp)           Security notes found
151.108.232.190     unknown (1027/udp)        Security notes found

Security Issues and Fixes: 151.108.232.190

Type

Port

Issue and Fix

Warning

smtp (25/tcp)


The remote SMTP server is vulnerable to a flaw in its authentication
process.

This vulnerability allows any unauthorized user to successfully
authenticate and use the remote SMTP server.

An attacker may use this flaw to use this SMTP server
as a spam relay.

Solution : see http://www.microsoft.com/technet/security/bulletin/MS01-037.asp.

Risk factor : High
CVE : CVE-2001-0504
BID : 2988
Nessus ID : 10703

Warning

smtp (25/tcp)


It is possible to authenticate to the remote SMTP service
by logging in as a NULL session.

An attacker may use this flaw to use your SMTP server as a
spam relay.


Solution : http://www.microsoft.com/technet/security/bulletin/MS02-011.asp
Risk factor : Medium
CVE : CVE-2002-0054
BID : 4205
Nessus ID : 11308

Warning

smtp (25/tcp)


It is possible to make the remote SMTP server fail
and restart by sending it malformed input.

The service will restart automatically, but all the connections
established at the time of the attack will be dropped.

An attacker may use this flaw to make mail delivery to your site
less efficient.


Solution : http://www.microsoft.com/technet/security/bulletin/MS02-012.asp
Risk factor : Medium
CVE : CVE-2002-0055
BID : 4204
Nessus ID : 10885

Informational

smtp (25/tcp)

An SMTP server is running on this port
Here is its banner :
220 test-angzauqoig Microsoft ESMTP MAIL Service, Version: 5.0.2195.2966 ready at
Mon, 31 Mar 2003 11:21:37 -0800
Nessus ID : 10330

Informational

smtp (25/tcp)

Remote SMTP server banner :
220 test-angzauqoig Microsoft ESMTP MAIL Service, Version: 5.0.2195.2966 ready at
Mon, 31 Mar 2003 11:22:06 -0800



This is probably: Microsoft Exchange version 5.0.2195.2966 ready at
Mon, 31 Mar 2003 11:22:06 -0800

Nessus ID : 10263

Informational

smtp (25/tcp)

For some reason, we could not send the EICAR test string to this MTA
Nessus ID : 11034

Vulnerability

http (80/tcp)


The IIS server appears to have the .HTR ISAPI filter mapped.

At least one remote vulnerability has been discovered for the .HTR
filter. This is detailed in Microsoft Advisory
MS02-018, and gives remote SYSTEM level access to the web server.

It is recommended that even if you have patched this vulnerability that
you unmap the .HTR extension, and any other unused ISAPI extensions
if they are not required for the operation of your site.

Solution:
To unmap the .HTR extension:
1. Open Internet Services Manager.
2. Right-click the Web server and choose Properties from the context menu.
3. Master Properties
4. Select WWW Service -> Edit -> Home Directory -> Configuration
and remove the reference to .htr from the list.

Risk factor : High
CVE : CAN-2002-0071
BID : 4474
Nessus ID : 10932

Vulnerability

http (80/tcp)



When IIS receives a user request to run a script, it renders
the request in a decoded canonical form, then performs
security checks on the decoded request. A vulnerability
results because a second, superfluous decoding pass is
performed after the initial security checks are completed.
Thus, a specially crafted request could allow an attacker to
execute arbitrary commands on the IIS Server.

Solution: See MS advisory MS01-026 (superseded by MS01-044)
See http://www.microsoft.com/technet/security/bulletin/ms01-044.asp

Risk factor : High
CVE : CVE-2001-0507, CVE-2001-0333
BID : 2708
Nessus ID : 10671

Vulnerability

http (80/tcp)



The remote host has FrontPage Server Extensions (FPSE) installed.

There is a denial of service / buffer overflow condition
in the program 'shtml.exe' which comes with it. However,
no public detail has been given regarding this issue yet,
so it's not possible to remotely determine whether you are
vulnerable to this flaw or not.

If you are, an attacker may use it to crash your web server
(FPSE 2000) or execute arbitrary code (FPSE 2002). Please
see the Microsoft Security Bulletin MS02-053 to determine
if you are vulnerable or not.


*** Nessus did not actually check for this flaw, so this
*** might be a false positive


Solution : See http://www.microsoft.com/technet/security/bulletin/ms02-053.asp
Risk factor : High
CVE : CAN-2002-0692
BID : 5804
Nessus ID : 11311

Vulnerability

http (80/tcp)


There's a buffer overflow in the remote web server through
the ISAPI filter.

It is possible to overflow the remote web server and execute
commands as user SYSTEM.

Solution: See http://www.microsoft.com/technet/security/bulletin/ms01-044.asp
Risk factor : High
CVE : CVE-2001-0544, CVE-2001-0545, CAN-2001-0506, CVE-2001-0507, CAN-2001-0508, CVE-2001-0500
BID : 2690, 3190, 3194, 3195
Nessus ID : 10685

Vulnerability

http (80/tcp)


The IIS server appears to have the .SHTML ISAPI filter mapped.

At least one remote vulnerability has been discovered for the
.SHTML filter. This is detailed in Microsoft Advisory MS02-018
and results in a denial of service access to the web server.

It is recommended that even if you have patched this vulnerability that
you unmap the .SHTML extension, and any other unused ISAPI extensions
if they are not required for the operation of your site.

An attacker may use this flaw to prevent the remote service
from working properly.

*** Nessus reports this vulnerability using only
*** information that was gathered. Use caution
*** when testing without safe checks enabled

Solution: See
http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
and/or unmap the shtml/shtm isapi filters.

To unmap the .shtml extension:
1. Open Internet Services Manager.
2. Right-click the Web server and choose Properties from the context menu.
3. Master Properties
4. Select WWW Service -> Edit -> Home Directory -> Configuration
and remove the reference to .shtml/shtm and sht from the list.

Risk factor : Medium
CVE : CAN-1999-1376, CVE-2000-0226, CAN-2002-0072
BID : 4479
Nessus ID : 10937

Warning

http (80/tcp)


Your web server supports the TRACE and/or TRACK methods. It has been
shown that servers supporting these methods are subject
to cross-site-scripting attacks, dubbed XST for
'Cross-Site-Tracing', when used in conjunction with
various weaknesses in browsers.

An attacker may use this flaw to trick your
legitimate web users into giving him their
credentials.

Solution: Disable these methods.


If you are using Apache, add the following lines for each virtual
host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE
requests or to permit only the methods needed to meet site requirements
and policy.



See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html

Risk factor : Medium
Nessus ID : 11213

Warning

http (80/tcp)


The remote web server appears to be running with
Frontpage extensions.

You should double check the configuration since
a lot of security problems have been found with
FrontPage when the configuration file is
not well set up.

Risk factor : High if your configuration file is
not well set up
CVE : CAN-2000-0114
Nessus ID : 10077

Warning

http (80/tcp)


The IIS server appears to have the .IDA ISAPI filter mapped.

At least one remote vulnerability has been discovered for the .IDA
(indexing service) filter. This is detailed in Microsoft Advisory
MS01-033, and gives remote SYSTEM level access to the web server.

It is recommended that even if you have patched this vulnerability that
you unmap the .IDA extension, and any other unused ISAPI extensions
if they are not required for the operation of your site.

Solution:
To unmap the .IDA extension:
1. Open Internet Services Manager.
2. Right-click the Web server and choose Properties from the context menu.
3. Master Properties
4. Select WWW Service -> Edit -> Home Directory -> Configuration
and remove the reference to .ida from the list.

Risk factor : Medium
CVE : CAN-2002-0500
BID : 2880
Nessus ID : 10695

Warning

http (80/tcp)

This IIS server appears to be vulnerable to one of the cross-site scripting
attacks described in MS02-018. The default '404' file returned by IIS uses
scripting to output a link to the top-level domain part of the URL requested.
By crafting a particular URL it is possible to insert arbitrary script into
the page for execution.

The presence of this vulnerability also indicates that you are vulnerable to
the other issues identified in MS02-018 (various remote buffer overflow and
cross-site scripting attacks...)

References:
http://www.microsoft.com/technet/security/bulletin/MS02-018.asp
http://jscript.dk/adv/TL001/

Risk factor : Medium
CVE : CAN-2002-0074
BID : 4483
Nessus ID : 10936

Warning

http (80/tcp)


IIS 5 has support for the Internet Printing Protocol (IPP), which is
enabled in a default install. The protocol is implemented in IIS 5 as an
ISAPI extension. At least one security problem (a buffer overflow)
has been found with that extension in the past, so we recommend
you disable it if you do not use this functionality.

Solution:
To unmap the .printer extension:
1. Open Internet Services Manager.
2. Right-click the Web server and choose Properties from the context menu.
3. Master Properties
4. Select WWW Service -> Edit -> Home Directory -> Configuration
and remove the reference to .printer from the list.

Reference : http://online.securityfocus.com/archive/1/181109

Risk factor : Low
Nessus ID : 10661

Informational

http (80/tcp)

A web server is running on this port
Nessus ID : 10330

Informational

http (80/tcp)

The remote web server type is :

Microsoft-IIS/5.0

Solution : You can use urlscan to change reported server for IIS.
Nessus ID : 10107

Warning

loc-srv (135/tcp)


DCE services running on the remote host can be enumerated
by connecting to port 135 and doing the appropriate
queries.

An attacker may use this fact to gain more knowledge
about the remote host.

Solution : filter incoming traffic to this port.
Risk factor : Low
Nessus ID : 10736

Informational

loc-srv (135/tcp)

A DCE service is listening on this host
UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncalrpc[LRPC000001ec.00000001]

Nessus ID : 10736

Informational

loc-srv (135/tcp)

A DCE service is listening on this host
UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncalrpc[LRPC000002b4.00000001]

Nessus ID : 10736

Informational

loc-srv (135/tcp)

A DCE service is listening on this host
UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncalrpc[LRPC000002b4.00000001]

Nessus ID : 10736

Informational

loc-srv (135/tcp)

A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncalrpc[ntsvcs]
Annotation: Messenger Service

Nessus ID : 10736

Informational

loc-srv (135/tcp)

A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncacn_np:\\TEST-ANGZAUQOIG[\PIPE\ntsvcs]
Annotation: Messenger Service

Nessus ID : 10736

Informational

loc-srv (135/tcp)

A DCE service is listening on this host
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncacn_np:\\TEST-ANGZAUQOIG[\PIPE\scerpc]
Annotation: Messenger Service

Nessus ID : 10736

Informational

loc-srv (135/tcp)

A DCE service is listening on this host
UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2
Endpoint: ncalrpc[OLE5]

Nessus ID : 10736

Informational

loc-srv (135/tcp)

A DCE service is listening on this host
UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2
Endpoint: ncalrpc[INETINFO_LPC]

Nessus ID : 10736

Informational

loc-srv (135/tcp)

A DCE service is listening on this host
UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2
Endpoint: ncacn_np:\\TEST-ANGZAUQOIG[\PIPE\INETINFO]

Nessus ID : 10736

Informational

loc-srv (135/tcp)

A DCE service is listening on this host
UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3
Endpoint: ncalrpc[OLE5]

Nessus ID : 10736

Informational

loc-srv (135/tcp)

A DCE service is listening on this host
UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3
Endpoint: ncalrpc[INETINFO_LPC]

Nessus ID : 10736

Informational

loc-srv (135/tcp)

A DCE service is listening on this host
UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3
Endpoint: ncacn_np:\\TEST-ANGZAUQOIG[\PIPE\INETINFO]

Nessus ID : 10736

Informational

loc-srv (135/tcp)

A DCE service is listening on this host
UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3
Endpoint: ncalrpc[SMTPSVC_LPC]

Nessus ID : 10736

Informational

loc-srv (135/tcp)

A DCE service is listening on this host
UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3
Endpoint: ncacn_np:\\TEST-ANGZAUQOIG[\PIPE\SMTPSVC]

Nessus ID : 10736

Informational

loc-srv (135/tcp)

A DCE service is listening on this host
UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
Endpoint: ncalrpc[OLE5]

Nessus ID : 10736

Informational

loc-srv (135/tcp)

A DCE service is listening on this host
UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
Endpoint: ncalrpc[INETINFO_LPC]

Nessus ID : 10736

Informational

loc-srv (135/tcp)

A DCE service is listening on this host
UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
Endpoint: ncacn_np:\\TEST-ANGZAUQOIG[\PIPE\INETINFO]

Nessus ID : 10736

Informational

loc-srv (135/tcp)

A DCE service is listening on this host
UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
Endpoint: ncalrpc[SMTPSVC_LPC]

Nessus ID : 10736

Informational

loc-srv (135/tcp)

A DCE service is listening on this host
UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
Endpoint: ncacn_np:\\TEST-ANGZAUQOIG[\PIPE\SMTPSVC]

Nessus ID : 10736

Vulnerability

netbios-ssn (139/tcp)


. It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user 'guest' access.

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html

. All the smb tests will be done as ''/''
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222
BID : 990
Nessus ID : 10394

Warning

netbios-ssn (139/tcp)

The domain SID can be obtained remotely. Its value is :

WORKGROUP : 0-0-0-0-0

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10398

Warning

netbios-ssn (139/tcp)

The host SID can be obtained remotely. Its value is :

TEST-ANGZAUQOIG : 5-21-1708537768-706699826-2146802419

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10859

Warning

netbios-ssn (139/tcp)

Here is the browse list of the remote host :

INTSERVTEST01 -
RIVERA-LAP -
TEST-ANGZAUQO -


This is potentially dangerous, as it may help a potential
attacker by giving him extra targets to check.

Solution : filter incoming traffic to this port
Risk factor : Low

Nessus ID : 10397

Informational

netbios-ssn (139/tcp)

The remote native lan manager is : Windows 2000 LAN Manager
The remote Operating System is : Windows 5.0
The remote SMB Domain Name is : WORKGROUP

Nessus ID : 10785

Informational

https (443/tcp)

An unknown service is running on this port.
It is usually reserved for HTTPS
Nessus ID : 10330

Informational

microsoft-ds (445/tcp)

A CIFS server is running on this port
Nessus ID : 11011

Informational

NFS-or-IIS (1025/tcp)

A DCE service is listening on this port
UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncacn_ip_tcp:151.108.232.190[1025]

Nessus ID : 10736

Informational

LSA-or-nterm (1026/tcp)

A DCE service is listening on this port
UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncacn_ip_tcp:151.108.232.190[1026]

Nessus ID : 10736

Informational

LSA-or-nterm (1026/tcp)

A DCE service is listening on this port
UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncacn_ip_tcp:151.108.232.190[1026]

Nessus ID : 10736

Informational

ms-lsa (1029/tcp)

A DCE service is listening on this port
UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2
Endpoint: ncacn_ip_tcp:151.108.232.190[1029]

Nessus ID : 10736

Informational

ms-lsa (1029/tcp)

A DCE service is listening on this port
UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3
Endpoint: ncacn_ip_tcp:151.108.232.190[1029]

Nessus ID : 10736

Informational

ms-lsa (1029/tcp)

A DCE service is listening on this port
UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
Endpoint: ncacn_ip_tcp:151.108.232.190[1029]

Nessus ID : 10736

Warning

unknown (2803/tcp)

This IIS server appears to be vulnerable to one of the cross-site scripting
attacks described in MS02-018. The default '404' file returned by IIS uses
scripting to output a link to the top-level domain part of the URL requested.
By crafting a particular URL it is possible to insert arbitrary script into
the page for execution.

The presence of this vulnerability also indicates that you are vulnerable to
the other issues identified in MS02-018 (various remote buffer overflow and
cross-site scripting attacks...)

References:
http://www.microsoft.com/technet/security/bulletin/MS02-018.asp
http://jscript.dk/adv/TL001/

Risk factor : Medium
CVE : CAN-2002-0074
BID : 4483
Nessus ID : 10936

Informational

unknown (2803/tcp)

A web server is running on this port
Nessus ID : 10330

Informational

unknown (2803/tcp)

The remote web server type is :

Microsoft-IIS/5.0

Solution : You can use urlscan to change reported server for IIS.
Nessus ID : 10107

Informational

msdtc (3372/tcp)

An unknown server is running on this port.
If you know what it is, please send this banner to the Nessus team:
00: 60 3e 0a `>.


Nessus ID : 11154

Informational

general/udp

For your information, here is the traceroute to 151.108.232.190 :
151.108.232.190

Nessus ID : 10287

Informational

general/tcp

Remote OS guess : Windows Millennium Edition (Me), Win 2000, or WinXP

CVE : CAN-1999-0454
Nessus ID : 11268

Warning

general/icmp


The remote host answers to an ICMP timestamp
request. This allows an attacker to know the
date which is set on your machine.

This may help him to defeat all your
time-based authentication protocols.

Solution : filter out the ICMP timestamp
requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10114

Warning

netbios-ns (137/udp)

. The following 7 NetBIOS names have been gathered :
TEST-ANGZAUQOIG
WORKGROUP
TEST-ANGZAUQOIG
TEST-ANGZAUQOIG
WORKGROUP
INet~Services
IS~ST-ANGZAUQOI
. The remote host has the following MAC address on its adapter :
0x00 0x50 0xda 0x5a 0x26 0x11

If you do not want to allow everyone to find the NetBIOS name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150

Informational

iad1 (1030/udp)

A DCE service is listening on this port
UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
Endpoint: ncadg_ip_udp:151.108.232.190[1030]

Nessus ID : 10736

Informational

unknown (1027/udp)

A DCE service is listening on this port
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncadg_ip_udp:151.108.232.190[1027]
Annotation: Messenger Service

Nessus ID : 10736


This file was generated by Nessus, the open-source security scanner.

All rights reserved.  Copyright Mrcorp.net 2003