
Nessus Scan Report

Solaris 9 OS Scan Default Results

This is a new scan for the OS Scan project. A Solaris 9 default install was scanned with Nessus version 1.2.3, and the report below uses the new Nessus reporting style. In this test you will see 23 potential security problems (4 holes and 19 warnings), ranging from information leakage to actual, known holes.



This report gives details on hosts that were tested and issues that were found. Please follow the recommended steps and procedures to eradicate these threats.


Scan Details

Hosts which were alive and responding during test : 1
Number of security holes found                    : 4
Number of security warnings found                 : 19


Host List

Host(s)            Possible Issue
151.108.233.3      Security hole(s) found


Analysis of Host

Address of Host     Port/Service          Issue regarding Port
151.108.233.3       echo (7/tcp)          Security warning(s) found
151.108.233.3       discard (9/tcp)       No Information
151.108.233.3       daytime (13/tcp)      Security warning(s) found
151.108.233.3       chargen (19/tcp)      Security warning(s) found
151.108.233.3       ftp (21/tcp)          Security notes found
151.108.233.3       ssh (22/tcp)          Security warning(s) found
151.108.233.3       telnet (23/tcp)       Security warning(s) found
151.108.233.3       smtp (25/tcp)         Security warning(s) found
151.108.233.3       time (37/tcp)         No Information
151.108.233.3       finger (79/tcp)       Security warning(s) found
151.108.233.3       sunrpc (111/tcp)      No Information
151.108.233.3       exec (512/tcp)        Security warning(s) found
151.108.233.3       login (513/tcp)       Security warning(s) found
151.108.233.3       shell (514/tcp)       Security warning(s) found
151.108.233.3       printer (515/tcp)     No Information
151.108.233.3       uucp (540/tcp)        No Information
151.108.233.3       submission (587/tcp)  Security notes found
151.108.233.3       unknown (898/tcp)     Security hole found
151.108.233.3       unknown (4045/tcp)    No Information
151.108.233.3       unknown (5987/tcp)    No Information
151.108.233.3       unknown (5988/tcp)    Security notes found
151.108.233.3       x11 (6000/tcp)        Security warning(s) found
151.108.233.3       unknown (6112/tcp)    Security hole found
151.108.233.3       xfs (7100/tcp)        No Information
151.108.233.3       unknown (9010/tcp)    No Information
151.108.233.3       general/tcp           Security notes found
151.108.233.3       snmp (161/udp)        Security hole found
151.108.233.3       daytime (13/udp)      Security warning(s) found
151.108.233.3       echo (7/udp)          Security warning(s) found
151.108.233.3       general/icmp          Security warning(s) found
151.108.233.3       general/udp           Security notes found
151.108.233.3       xdmcp (177/udp)       Security warning(s) found


Security Issues and Fixes: 151.108.233.3

Type            Port                  Issue and Fix

Warning

echo (7/tcp)

The 'echo' port is open. This port is
not of any use nowadays, and may be a source of problems,
since it can be used along with other ports to perform a denial
of service. You should really disable this service.

Risk factor : Low

Solution : comment out 'echo' in /etc/inetd.conf
CVE : CVE-1999-0103

Informational

echo (7/tcp)

an echo server is running on this port

Warning

daytime (13/tcp)

The daytime service is running.
The date format issued by this service
may sometimes help an attacker to guess
the operating system type.

In addition to that, when the UDP version of
daytime is running, an attacker may link it
to the echo port using spoofing, thus creating
a possible denial of service.

Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103

Warning

chargen (19/tcp)

The chargen service is running.
The 'chargen' service should only be enabled when testing the machine.

When contacted, chargen responds with a stream of characters (something like all
the characters in the alphabet in a row). When contacted via UDP, it
will respond with a single UDP packet. When contacted via TCP, it will
continue spewing characters until the client closes the connection.

An easy attack is 'pingpong' which IP spoofs a packet between two machines
running chargen. They will commence spewing characters at each other, slowing
the machines down and saturating the network.

Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103

Informational

chargen (19/tcp)

Chargen is running on this port

Informational

ftp (21/tcp)

a FTP server is running on this port.
Here is its banner :
220 unknown FTP server ready.

Informational

ftp (21/tcp)

Remote FTP server banner :
unknown FTP server ready.

Warning

ssh (22/tcp)


You are running a version of SSH which is older than 3.1.2
and newer or equal to 3.0.0.

There is a vulnerability in this release that may, under
some circumstances, allow users to authenticate using a
password whereas it is not explicitly listed as a valid
authentication mechanism.


An attacker may use this flaw to attempt to brute force
a password using a dictionary attack (if the passwords
used are weak).

Solution :
Upgrade to version 3.1.2 of SSH which solves this problem.

Risk factor : Low

Warning

ssh (22/tcp)


You are running a version of SSH which is
older than (or as old as) version 1.2.27.

If you compiled ssh with Kerberos support,
then an attacker may eavesdrop on your users'
Kerberos tickets, as sshd will set
the environment variable KRB5CCNAME to
'none', so Kerberos tickets will be stored
in the current working directory of the
user, as 'none'.

If you have NFS/SMB shared disks, then an attacker
may eavesdrop on the Kerberos tickets of your
users using this flaw.

*** If you are not using kerberos, then
*** ignore this warning.

Risk factor : Serious
Solution : use ssh 1.2.28 or newer
CVE : CVE-2000-0575

Warning

ssh (22/tcp)


You are running a version of SSH which is
older than (or as old as) version 1.2.27.
If this version was compiled against the
RSAREF library, then it is very likely to
be vulnerable to a buffer overflow which
may be exploited by an attacker to gain
root on your system.

To determine if you compiled ssh against
the RSAREF library, type 'ssh -V' on the
remote host.

Risk factor : High
Solution : Use ssh 2.x, or do not compile ssh
against the RSAREF library
CVE : CVE-1999-0834

Informational

ssh (22/tcp)

a ssh server is running on this port

Informational

ssh (22/tcp)

Remote SSH version : SSH-2.0-Sun_SSH_1.0

Informational

ssh (22/tcp)

The remote SSH daemon supports the following versions of the SSH protocol :

. 1.99
. 2.0

Warning

telnet (23/tcp)

The Telnet service is running.
This service is dangerous in the sense that
it is not ciphered - that is, everyone can sniff
the data that passes between the telnet client
and the telnet server. This includes logins
and passwords.

You should disable this service and use OpenSSH instead.
(www.openssh.com)

Solution : Comment out the 'telnet' line in /etc/inetd.conf.

Risk factor : Low
CVE : CAN-1999-0619

Informational

telnet (23/tcp)

a telnet server seems to be running on this port

Informational

telnet (23/tcp)

Remote telnet banner :
SunOS 5.9

Warning

smtp (25/tcp)

The remote SMTP server
answers to the EXPN and/or VRFY commands.

The EXPN command can be used to find
the delivery address of mail aliases, or
even the full name of the recipients, and
the VRFY command may be used to check the
validity of an account.


Your mailer should not allow remote users to
use any of these commands, because it gives
them too much information.


Solution : if you are using Sendmail, add the
option
O PrivacyOptions=goaway
in /etc/sendmail.cf.

Risk factor : Low
CVE : CAN-1999-0531
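A check for the EXPN/VRFY finding above, as an added Python 3 example that is not part of the Nessus report: it reads SMTP replies (including the multi-line form seen in the HELP output further down), classifies the code a VRFY or EXPN receives, and runs the same probe live. The reply strings in SAMPLE_SESSION and HARDENED_SESSION are constructed, the HELO name 'scanner.example' is arbitrary, and probe() must only be pointed at hosts you are authorised to test.

```python
"""Check whether an SMTP server answers VRFY and EXPN.  Added example, not part of
the Nessus report.  SAMPLE_SESSION / HARDENED_SESSION hold constructed replies
(the 502 text is Sendmail's wording for PrivacyOptions=goaway); probe() is the
live version and is only to be run against hosts you are authorised to test."""
import io
import socket


def read_reply(rfile):
    """Read one SMTP reply, which may span lines: '250-text' continues, '250 text'
    (or a bare 3-digit code) ends it.  Returns (code, [text of each line])."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed in the middle of a reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed reply line: %r" % line)
        lines.append(line[4:])
        if len(line) == 3 or line[3] == " ":
            return int(line[:3]), lines


def reply_from_bytes(raw: bytes):
    """read_reply() over an in-memory reply, for offline checks."""
    return read_reply(io.BytesIO(raw))


def classify(code: int) -> str:
    """What a VRFY/EXPN reply code tells the scanner (RFC 2821 section 3.5.3):
    250/251 return an address (information leak), 252 means 'will not verify but
    will accept mail', 5xx refuses the command outright."""
    if code in (250, 251):
        return "discloses"
    if code == 252:
        return "declines"
    if 500 <= code <= 599:
        return "refused"
    return "unknown"


# Constructed replies: a default Sendmail that answers both commands (as the
# host in the report does) and the same server after PrivacyOptions=goaway.
SAMPLE_SESSION = {
    "VRFY root": b"250 2.1.5 Super-User <root@unknown>\r\n",
    "EXPN postmaster": b"250 2.1.5 Super-User <root@unknown>\r\n",
}
HARDENED_SESSION = {
    "VRFY root": b"502 5.7.0 Sorry, we do not allow this operation\r\n",
    "EXPN postmaster": b"502 5.7.0 Sorry, we do not allow this operation\r\n",
}


def audit(session: dict) -> dict:
    """Classify each probe in a dict of command -> raw reply bytes."""
    return {cmd: classify(reply_from_bytes(raw)[0]) for cmd, raw in session.items()}


def probe(host: str, port: int = 25, user: str = "root", timeout: float = 10.0) -> dict:
    """Live version of audit(): read the greeting, HELO, then VRFY and EXPN `user`."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        rfile = s.makefile("rb")
        read_reply(rfile)                                   # 220 banner
        s.sendall(b"HELO scanner.example\r\n")
        read_reply(rfile)
        results = {}
        for cmd in ("VRFY " + user, "EXPN " + user):
            s.sendall((cmd + "\r\n").encode("ascii"))
            results[cmd] = classify(read_reply(rfile)[0])
        s.sendall(b"QUIT\r\n")
        return results
```

With the page's fix ('O PrivacyOptions=goaway' in sendmail.cf) both commands come back as the 502 in HARDENED_SESSION. The narrower 'novrfy' flag makes Sendmail answer 252 instead, which audit() reports as "declines": no longer an address leak, but visibly different from goaway.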

Informational

smtp (25/tcp)

a SMTP server is running on this port
Here is its banner :
220 unknown ESMTP Sendmail 8.12.2+Sun/8.12.2; Thu,
11 Jul 2002 15:52:06 -0400 (EDT)

Informational

smtp (25/tcp)

Remote SMTP server banner :
unknown ESMTP Sendmail 8.12.2+Sun/8.12.2; Thu,
11 Jul 2002 15:57:53 -0400 (EDT)
214-2.0.0 This is sendmail version 8.12.2+Sun
214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation contact Sun Microsystems
214-2.0.0 Technical Support.
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info

Informational

smtp (25/tcp)

The EICAR test string was sent 2 times. Check your mailbox!

Warning

finger (79/tcp)

The 'finger' service provides useful information
to attackers, since it allows them to gain usernames, check if a machine
is being used, and so on...

Risk factor : Low

Solution : comment out the 'finger' line in /etc/inetd.conf
CVE : CVE-1999-0612

Warning

finger (79/tcp)

The remote finger daemon accepts
redirected requests. That is, users can perform
requests like :
finger user@host@victim

This allows an attacker to use your computer
as a relay to gather information on another
network, making the other network think you
are making the requests.

Solution: disable your finger daemon (comment out
the finger line in /etc/inetd.conf) or
install a more secure one.

Risk factor : Low
CVE : CAN-1999-0105

Warning

exec (512/tcp)


The rexecd service is open.
Because rexecd does not provide any good
means of authentication, it can be
used by an attacker to scan a third party
host, giving you troubles or bypassing
your firewall.

Solution : comment out the 'exec' line
in /etc/inetd.conf.

Risk factor : Medium
CVE : CAN-1999-0618

Warning

login (513/tcp)

The rlogin service is running.
This service is dangerous in the sense that
it is not encrypted - that is, anyone on the path can sniff
the data that passes between the rlogin client
and the rlogin server. This includes logins
and passwords.

You should disable this service and use
openssh instead
(www.openssh.com)

Solution : Comment out the 'rlogin' line in /etc/inetd.conf.

Risk factor : Low
CVE : CAN-1999-0651

Warning

shell (514/tcp)

The rsh service is running.
This service is dangerous in the sense that
it is not encrypted - that is, anyone on the path can sniff
the data that passes between the rsh client
and the rsh server. This includes logins
and passwords.

You should disable this service and use ssh instead.

Solution : Comment out the 'rsh' line in /etc/inetd.conf.

Risk factor : Low
CVE : CAN-1999-0651

Informational

submission (587/tcp)

a SMTP server is running on this port
Here is its banner :
220 unknown ESMTP
Sendmail 8.12.2+Sun/8.12.2; Thu, 11 Jul 2002 15:52:41 -0400 (EDT)

Vulnerability

unknown (898/tcp)

The remote web server seems to be vulnerable to the Cross Site Scripting vulnerability. The vulnerability is caused
by the result returned to the user when a non-existing file is requested (e.g. the result contains the JavaScript provided
in the request).
The vulnerability would allow an attacker to make the server present the user with the attacker's JavaScript/HTML code.
Since the content is presented by the server, the user will give it the trust
level of the server (for example, the trust level of banks, shopping centers, etc. would usually be high).

Risk factor : Medium

Solutions:

Allaire/Macromedia Jrun:
http://www.macromedia.com/software/jrun/download/update/
http://www.securiteam.com/windowsntfocus/Allaire_fixes_Cross-Site_Scripting_security_vulnerability.html
Microsoft IIS:
http://www.securiteam.com/windowsntfocus/IIS_Cross-Site_scripting_vulnerability__Patch_available_.html
Apache:
http://httpd.apache.org/info/css-security/
General:
http://www.securiteam.com/exploits/Security_concerns_when_developing_a_dynamically_generated_web_site.html
http://www.cert.org/advisories/CA-2000-02.html

Vulnerability

unknown (898/tcp)

Older versions of JServ (including the version shipped with Oracle9i App Server v1.0.2) are vulnerable to a cross site scripting attack using a request for a
non-existent .JSP file.

Solution:

Upgrade to the latest (and final) version of JServ (available at java.apache.org), or, preferably, use Tomcat, as JServ is no longer maintained.

Risk factor : Medium
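The two findings above describe the same defect: the name of a requested, non-existent file is echoed into the error page without encoding. As an added Python 3 example (not JServ or Tomcat code): a minimal error-page handler in the vulnerable form, the same handler with output encoding, and the scanner's check, which requests a non-existent .jsp whose name carries a marker and looks for that marker verbatim in the response. The handler bodies and the marker string are constructed.

```python
"""A 404 page that reflects the requested filename, the same page with output
encoding, and the probe that tells them apart.  Added example, not JServ or
Tomcat code; handler bodies and the marker are constructed."""
import html
from urllib.parse import quote, unquote

MARKER = "<script>alert(1)</script>"       # constructed probe; any unique tag works
PAGE = "<html><body><h1>404 Not Found</h1><p>The file %s was not found.</p></body></html>"


def not_found_page_vulnerable(request_path: str) -> str:
    """Echoes the URL-decoded path into HTML unchanged, so a request for a
    non-existent name that contains markup comes back as markup."""
    return PAGE % unquote(request_path)


def not_found_page_fixed(request_path: str) -> str:
    """Same page, with the untrusted name HTML-escaped before insertion."""
    return PAGE % html.escape(unquote(request_path), quote=True)


def is_reflected(body: str, marker: str = MARKER) -> bool:
    """The scanner's test: the marker is present byte-for-byte, so a browser
    would parse it as a tag rather than display it as text."""
    return marker in body


def probe(handler, marker: str = MARKER) -> bool:
    """Request /<marker>.jsp (a non-existent .jsp, as in the JServ finding) from a
    handler mapping request path -> response body, and report reflection."""
    request_path = "/" + quote(marker, safe="") + ".jsp"
    return is_reflected(handler(request_path), marker)


if __name__ == "__main__":
    print("vulnerable handler reflects marker:", probe(not_found_page_vulnerable))
    print("fixed handler reflects marker:", probe(not_found_page_fixed))
```

The check decodes nothing itself: it sends the marker URL-encoded, as a browser would, and relies on the server's own decoding to reconstruct the tag, which is why a reflected-but-escaped name ("&lt;script&gt;") counts as not vulnerable.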

Informational

unknown (898/tcp)

a web server is running on this port

Informational

unknown (898/tcp)

The remote web server type is :

Tomcat/2.1

We recommend that you configure your web server to return
bogus versions in order to not leak information

Informational

unknown (898/tcp)

The following directories were discovered:
/images, /servlet

Informational

unknown (5988/tcp)

a web server is running on this port

Informational

unknown (5988/tcp)

The remote web server type is :

Java/1.4.0_00
javax.wbem.client.adapter.http.transport.HttpServerConnection

We recommend that you configure your web server to return
bogus versions in order to not leak information

Warning

x11 (6000/tcp)

This X server does *not* allow any client to connect to it
however it is recommended that you filter incoming connections
to this port as attacker may send garbage data and slow down
your X session or even kill the server.

Here is the server version : 11.0
Here is the message we received : Client is not authorized to connect to Server

Solution : filter incoming connections to ports 6000-6009
Risk factor : Low
CVE : CVE-1999-0526

Vulnerability

unknown (6112/tcp)


The 'dtspcd' service is running.

Some versions of this daemon are vulnerable to
a buffer overflow attack which allows an attacker
to gain root privileges

*** This warning might be a false positive,
*** as no real overflow was performed

Solution : See http://www.cert.org/advisories/CA-2001-31.html
to determine if you are vulnerable or deactivate
this service (comment out the line 'dtspc' in /etc/inetd.conf)

Risk factor : High
CVE : CVE-2001-0803
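Most of the fixes in this report are the same edit: comment out a line in /etc/inetd.conf (echo, daytime, chargen, telnet, finger, exec, login, shell and dtspc above). As an added Python 3 example, not part of the report: a function that disables a list of inetd services by their first field, catches both the tcp and udp entries of a service, is safe to run twice, and a wrapper that backs up the real file and makes inetd re-read it. SAMPLE_INETD_CONF is a constructed excerpt in Solaris inetd.conf layout, not the scanned host's file.

```python
"""Comment out inetd services by name and signal inetd.  Added example, not part
of the Nessus report.  SAMPLE_INETD_CONF is a constructed excerpt in Solaris
/etc/inetd.conf layout, not the file from the scanned host."""
import shutil
import subprocess
import time

SAMPLE_INETD_CONF = """\
# <service_name> <socket_type> <proto> <flags> <user> <server_pathname> <args>
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp6    nowait  root    /usr/sbin/in.rlogind    in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
finger  stream  tcp6    nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
echo    stream  tcp6    nowait  root    internal
echo    dgram   udp6    wait    root    internal
chargen stream  tcp6    nowait  root    internal
chargen dgram   udp6    wait    root    internal
daytime stream  tcp6    nowait  root    internal
daytime dgram   udp6    wait    root    internal
dtspc   stream  tcp     nowait  root    /usr/dt/bin/dtspcd      /usr/dt/bin/dtspcd
"""

# The services this report tells you to comment out.
REPORT_SERVICES = ("echo", "daytime", "chargen", "telnet", "finger",
                   "exec", "login", "shell", "dtspc")


def active_services(conf_text: str) -> list:
    """Service names (first field) of every uncommented, non-blank line."""
    names = set()
    for line in conf_text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            names.add(line.split()[0])
    return sorted(names)


def disable_services(conf_text: str, services) -> tuple:
    """Prefix '#' on every active line whose service field is in `services`.
    Both the tcp and udp entries are caught; lines already commented out are
    left alone, so a second run changes nothing.
    Returns (new_text, [lines that were commented out])."""
    wanted, out, disabled = set(services), [], []
    for line in conf_text.splitlines(keepends=True):
        body = line.lstrip()
        if body and not body.startswith("#") and body.split()[0] in wanted:
            out.append("#" + line)
            disabled.append(line.rstrip("\n"))
        else:
            out.append(line)
    return "".join(out), disabled


def apply_to_host(path: str = "/etc/inetd.conf", services=REPORT_SERVICES) -> list:
    """Edit the real file, keeping a timestamped backup, and HUP inetd so it
    re-reads its configuration.  Returns the lines that were disabled."""
    with open(path) as f:
        text = f.read()
    new_text, disabled = disable_services(text, services)
    if disabled:
        shutil.copy2(path, "%s.%s" % (path, time.strftime("%Y%m%d%H%M%S")))
        with open(path, "w") as f:
            f.write(new_text)
        subprocess.run(["pkill", "-HUP", "inetd"], check=False)
    return disabled
```

Matching on the first field rather than on a substring matters here: 'echo' must not catch a hypothetical 'echo2' entry, and 'exec' must not touch an unrelated line that merely mentions exec in its path. Check the result with active_services() before and after.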

Informational

general/tcp

Nmap only scanned 15000 TCP ports out of 65535.
Nmap did not do a UDP scan, I guess.

Informational

general/tcp

QueSO has found out that the remote host OS is
* Standard: Solaris 2.x, Linux 2.1.???, Linux 2.2, MacOS


CVE : CAN-1999-0454

Informational

general/tcp

The plugin PC_anywhere_tcp.nasl was too slow to finish - the server killed it

Vulnerability

snmp (161/udp)

SNMP Agent responded as expected with community name: public
CVE : CAN-1999-0517

Informational

snmp (161/udp)

Using SNMP, we could determine that the remote operating system is :
Sun SNMP Agent, Ultra-5_10
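The finding above is the classic default-community check: the agent answered a GetRequest sent with community 'public', and the sysDescr it returned identifies the platform. As an added Python 3 example, not part of the Nessus report, the following hand-encodes an SNMPv1 GetRequest for sysDescr.0 in BER, decodes the GetResponse, and wraps both in a UDP query. SAMPLE_RESPONSE is constructed with the same encoder (carrying the sysDescr text the report shows); query() is to be used only against hosts you are authorised to test.

```python
"""SNMPv1 GetRequest/GetResponse in hand-rolled BER, to check whether an agent
answers a guessed community string.  Added example, not part of the Nessus
report; SAMPLE_RESPONSE is constructed, query() is the live check."""
import socket

SYS_DESCR = (1, 3, 6, 1, 2, 1, 1, 1, 0)      # SNMPv2-MIB::sysDescr.0
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2        # context-specific PDU tags


def _length(n: int) -> bytes:
    """BER length: short form below 128, else 0x80|count followed by count bytes."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _length(len(payload)) + payload


def encode_int(value: int) -> bytes:
    """INTEGER in minimal two's-complement, so 128 needs two bytes (00 80)."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def encode_oid(oid) -> bytes:
    """OBJECT IDENTIFIER: first two arcs as 40*a+b, the rest base-128 big-endian."""
    out = bytearray([40 * oid[0] + oid[1]])
    for arc in oid[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def decode_oid(raw: bytes) -> tuple:
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return tuple(arcs)


def get_request(community: str, oid=SYS_DESCR, request_id: int = 1) -> bytes:
    """SNMPv1 message: version 0, community, GetRequest with one OID/NULL varbind."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))
    pdu = tlv(GET_REQUEST, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, varbind))
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode("ascii")) + pdu)


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, payload, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def parse_response(datagram: bytes):
    """Decode a GetResponse into (community, error_status, [(oid, value_tag, value)])."""
    _, msg, _ = parse_tlv(datagram)
    _, _version, p = parse_tlv(msg)
    _, community, p = parse_tlv(msg, p)
    pdu_tag, pdu, _ = parse_tlv(msg, p)
    if pdu_tag != GET_RESPONSE:
        raise ValueError("PDU tag 0x%02x is not a GetResponse" % pdu_tag)
    _, _req_id, p = parse_tlv(pdu)
    _, error, p = parse_tlv(pdu, p)
    _, _index, p = parse_tlv(pdu, p)
    _, varbinds, _ = parse_tlv(pdu, p)
    results, p = [], 0
    while p < len(varbinds):
        _, vb, p = parse_tlv(varbinds, p)
        _, oid, q = parse_tlv(vb)
        value_tag, value, _ = parse_tlv(vb, q)
        results.append((decode_oid(oid), value_tag, value))
    return community.decode("ascii", "replace"), int.from_bytes(error, "big", signed=True), results


def build_response(community: str, oid, value: bytes, request_id: int = 1) -> bytes:
    """What an agent sends back for one OCTET STRING value (used to construct test data)."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x04, value))
    pdu = tlv(GET_RESPONSE, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, varbind))
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode("ascii")) + pdu)


# Constructed: the answer a default agent gives for sysDescr.0 to community 'public'.
SAMPLE_RESPONSE = build_response("public", SYS_DESCR, b"Sun SNMP Agent, Ultra-5_10")


def query(host: str, community: str = "public", oid=SYS_DESCR, timeout: float = 3.0):
    """Live check: one GetRequest to UDP/161.  Returns parse_response() of the
    answer, or None on timeout (a wrong community is normally dropped silently)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(get_request(community, oid), (host, 161))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data)
```

A non-None result with error_status 0 from query(host, "public") reproduces the finding; the same call with a random community should time out. The fix is in the agent's configuration, not in the encoder: change the community (and restrict which managers may use it) or disable the agent if nothing polls it.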

Warning

daytime (13/udp)

The daytime service is running.
The date format issued by this service
may sometimes help an attacker to guess
the operating system type.

In addition to that, when the UDP version of
daytime is running, an attacker may link it
to the echo port using spoofing, thus creating
a possible denial of service.

Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103

Warning

echo (7/udp)

The 'echo' port is open. This port is
not of any use nowadays, and may be a source of problems,
since it can be used along with other ports to perform a denial
of service. You should really disable this service.

Risk factor : Low

Solution : comment out 'echo' in /etc/inetd.conf
CVE : CVE-1999-0103

Warning

general/icmp


The remote host answered to an ICMP_MASKREQ
query and sent us its netmask (255.255.254.0)

An attacker can use this information to
understand how your network is set up
and how the routing is done. This may
help him to bypass your filters.

Solution : reconfigure the remote host so
that it does not answer to those requests.
Set up filters that deny ICMP packets of
type 17.

Risk factor : Low
CVE : CAN-1999-0524

Warning

general/icmp


The remote host answers to an ICMP timestamp
request. This allows an attacker to know the
date which is set on your machine.

This may help him to defeat all your
time based authentication protocols.

Solution : filter out the ICMP timestamp
requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor : Low
CVE : CAN-1999-0524

Informational

general/udp

For your information, here is the traceroute to 151.108.233.3 :
151.108.233.3

Warning

xdmcp (177/udp)


The plugin sends a XDMCP QUERY request to see if the remote
host is running XDM (or similar display manager) with XDMCP
protocol enabled.

This protocol was used to provide X display connections for old
X terminals. XDMCP is completely insecure, since the traffic and
passwords are not encrypted.

Risk factor : Medium
Solution : Disable XDMCP


This file was generated by Nessus, the open-sourced security scanner.

All images, content & text (unless other ownership applies) are © copyrighted 2002, Infosecwriters.com. All rights reserved. Comments are property of the respective posters.