Transcription
SAINTwriter Exploit ReportReport Generated: May 8, 20111.0 IntroductionOn May 7, 2011, at 12:35 PM, a penetration test was conducted using the SAINTexploitTM 7.8 exploit tool.The scan discovered a total of three live hosts, and successfully performed one administrative level exploit, zerouser level exploits, zero privilege elevation exploits, and zero client access exploits. The hosts and problemsdetected are discussed in greater detail in the following sections.2.0 SummaryThe following vulnerability severity levels are used to categorize the vulnerabilities:REMOTE ADMINVulnerabilities successfully exploited by SAINTexploit to gain remote administrative privileges.REMOTE USERVulnerabilities successfully exploited by SAINTexploit to gain remote unprivileged access.PRIVILEGE ELEVATIONVulnerabilities successfully exploited by SAINTexploit to gain elevated privileges after gaining remoteunprivileged access.CLIENT ACCESSVulnerabilities successfully exploited due to a user loading an exploit using a client application such asa browser or media player.UNSUCCESSFULVulnerabilities which were not successfully exploited.The sections below summarize the results of the scan.2.1 Exploited Vulnerabilities by SeverityThis section shows the overall number of vulnerabilities exploited at each severity level.1
2.2 Exploited Hosts by SeverityThis section shows the overall number of hosts exploited at each severity level. The severity level of a host isdefined as the highest vulnerability severity level exploited on that host.2.3 Exploited Vulnerabilities by ClassThis section shows the number of vulnerabilities exploited in each of the following classes.ClassWebMailFile TransferRPCWindows OSPasswordsDescriptionExploits of web servers, CGI programs, and any other software offering an HTTP interfaceExploits of SMTP, IMAP, POP, or web-based mail servicesExploits of FTP and TFTP servicesExploits of Remote Procedure Call servicesMissing hotfixes or vulnerabilities in the registry or SMB sharesMissing or easily guessed user passwords2
BrowsersOtherExploits of web browsersAny exploit that does not fit into one of the above classes2.4 Top 10 Vulnerable HostsThis section shows the most vulnerable hosts detected, and the number of successful exploits run against them.3
2.5 Top 10 Successful ExploitsThis section shows the most successful exploits, and the number of hosts against which they succeeded.2.6 Top 10 ServicesThis section shows the most common services detected, and the number of hosts on which they were detected.4
3.0 OverviewThe following tables present an overview of the hosts discovered on the network and the access level gained oneach.3.1 Host ListThis table presents an overview of the hosts discovered on the network.Host NameNetbiosNamels-chl-v2138.localIP AddressHost Type192.168.0.6Linux2.6.22WindowsXP 0000681000163.2 Exploit ListThis table presents an overview of the exploits executed on the network.Host ccessfulexploitunsuccessfulexploitVulnerability / ServiceAWStats configdir parameter command executionClassWebCVEAWStats migrate parameter command injectionWebCVE-2006-22375
s-chl-v2138.localls-chl-v2138.localBASE base qry common.php file includeWebCVE-2006-2685Cisco IOS HTTP exec path command executionWebCVE-2000-0945Cisco IOS HTTP access level authentication bypassWebCVE-2001-0537CS-MARS JBoss jmx-console accessWebCVE-2006-3733Oracle Secure Backup login.php ora osb lcookiecommand executionOracle Secure Backup login.php rbtool commandinjectionOracle Secure Backup property box.php typeparameter command executionPHP Remote File InclusionWebphpBB viewtopic.php highlight parameter vulnerabilityWebphpRPC decode function command executionWebSamba call trans2open buffer overflowOtherSnort DCE/RPC preprocessor buffer overflowOtherSQL injectionWebSQL injection authentication bypassWebTikiWiki file upload vulnerability (jhot.php)WebApache Tomcat JK Web Server Connector URIworker map buffer overflowTWiki revision control shell command injectionWebWebCVE-2005-2877TWiki Search.pm shell command 50/TCPSMBWWWWWW (Secure)WWW (non-standard port 3689)WWW (non-standard port 9050)bootpc (68/UDP)discard (9/UDP)http (80/TCP)https (443/TCP)microsoft-ds (445/TCP)netbios-ssn (139/TCP)printer (515/TCP)tftp (69/UDP)not vulnerable to cross-site scripting: /webbrowse-e61/webbrowse-e61/uploadnot vulnerable to cross-site scripting: 006-5276CVE-2006-4602
0.12192.168.0.12192.168.0.12192.168.0.12not vulnerable to cross-site scripting: /webbrowse/webbrowse/uploadAdobe Flash Player Flash Content Parsing CodeExecutionAWStats migrate parameter command injectionOtherCVE-2010-3654WebCVE-2006-2237BASE base qry common.php file includeWebCVE-2006-2685CA ARCserve D2D Axis2 default passwordWebCVE-2010-0219CA XOsoft Control Service entry point.aspx RemoteCode ExecutionCisco IOS HTTP exec path command executionWebCVE-2010-1223WebCVE-2000-0945Cisco IOS HTTP access level authentication bypassWebCVE-2001-0537CS-MARS JBoss jmx-console accessWebCVE-2006-3733Easy Chat Server Authentication Request BufferOverflowAdobe Flash Player authplay.dll vulnerabilityWebOtherCVE-2009-1862Adobe Flash Player callMethod Bytecode MemoryCorruptionFrontPage fp30reg.dll remote debug buffer overflowOtherCVE-2011-0611WebCVE-2003-0822HP Data Protector Manager MMD Service StackBuffer OverflowHP Operations Manager hidden Tomcat accountOtherWebCVE-2009-3843HP OpenView Performance Insight Server BackdoorAccountHP Performance Manager Apache Tomcat PolicyBypassHP Power Manager formExportDataLogs bufferoverflowHP Power Manager formLogin buffer 9-3999WebCVE-2010-4113HP Power Manager Remote Code ExecutionWebCVE-2009-2685HP Universal CMDB Server Axis2 default passwordWebCVE-2010-0219IBM Rational Quality Manager and Test LabManager Policy BypassInternet Explorer iepeers.dll use-after-free Internet Explorer IFRAME buffer overflowBrowsersCVE-2004-1050InterSystems Cache HTTP Stack Buffer OverflowWebRedHat JBoss Enterprise Application Platform JMXConsole Authentication BypassJRun mod jrun WriteToLog buffer overflowWebCVE-2010-0738WebCVE-2004-0646Microsoft WMI Administrative Tools ActiveX ControlAddContextRef vulnerabilityMicrosoft Windows Movie MakerIsValidWMToolsStream buffer overflowOtherCVE-2010-3973OtherCVE-2010-02657
8.0.12192.168.0.12Nagios statuswml.cgi Command InjectionWebCVE-2009-2288Windows NetDDE buffer 854WindowsOSWebCVE-2007-6701Novell Client NetIdentity Agent XTIERRPCPIPEpointer dereference vulnerabilityNovell Client nwspool.dll buffer overflowNovell Client 4.91 SP4 nwspool.dll buffer overflowNovell iManager EnteredClassName buffer overflowCVE-2009-1350CVE-2010-1929Novell iManager getMultiPartParameters file uploadvulnerabilityHP OpenView Network Node Managergetnnmdata.exe CGI Hostname buffer overflowHP OpenView NNM getnnmdata.exe CGI ICountParameter Buffer OverflowHP OpenView Network Node Managergetnnmdata.exe CGI MaxAge buffer overflowHP OpenView Network Node Manager malformeddisplayWidth option to jovgraph.exeHP OpenView Network Node ManagernnmRptConfig.exe CGI Template Buffer OverflowHP OpenView Network Node ManagernnmRptConfig.exe nameParams text1 BufferOverflowHP OpenView Network Node ManagernnmRptConfig.exe schd select1 Remote CodeExecutionHP OpenView Network Node ManagerOpenView5.exe buffer overflowHP OpenView Network Node Manager ovalarm.exeAccept-Language buffer overflowHP OpenView Network Node Manager ovlogin.exebuffer overflowHP OpenView Network Node Managerovwebsnmpsrv.exe buffer overflow via jovgraph.exeHP OpenView Network Node Managersnmpviewer.exe CGI Stack Buffer OverflowHP OpenView Network Node Manager Toolbar.exeCGI buffer overflowServ-U Web Client session cookie handling bufferoverflowWindows password weaknessWebPasswordsCVE-1999-0503Snort Back Orifice Pre-Processor buffer overflowOtherCVE-2005-3252Snort DCE/RPC preprocessor buffer overflowOtherCVE-2006-5276Apache Struts2 XWork ParameterInterceptor securitybypassSymantec Alert Management System Intel AlertHandler command executionTikiWiki file upload vulnerability (jhot.php)WebCVE-2010-1870WebCVE-2006-4602Trend Micro OfficeScan cgiRecvFile.exeComputerName buffer 1WebCVE-2010-1552WebCVE-2008-0067WebOther
ceserviceserviceserviceserviceserviceserviceremote adminTrend Micro OfficeScan Policy Server CGI bufferoverflowTWiki revision control shell command injectionWebCVE-2008-1365WebCVE-2005-2877TWiki Search.pm shell command injectionWebCVE-2004-1037Windows LSASS buffer tComputer Associates Alert Notification Server bufferoverflowComputer Associates Alert Notification Server opcode23 buffer overflowHP Data Protector Manager MMD Service StackBuffer OverflowWindows NetDDE buffer overflowWindowsOSOtherOtherCVE-2007-4620Windows Plug and Play buffer overflowWindows RPC DCOM interface buffer overflowWindows RRAS memory corruption vulnerabilityWindows Server Service buffer overflowWindows Server Service buffer overflow MS08-067Windows Thumbnail ViewCreateSizedDIBSECTION buffer overflowWindows Workstation serviceNetpManageIPCConnect buffer overflowWireshark LWRES dissector buffer overflow1900/UDPSMBWWW (non-standard port 2869)epmap (135/TCP)isakmp (500/UDP)microsoft-ds (445/TCP)microsoft-ds (445/UDP)netbios-dgm (138/UDP)netbios-ns (137/UDP)ntp (123/UDP)Windows RPC DCOM interface buffer 04-0206OtherCVE-2006-5854Novell Client nwspool.dll EnumPrinters buffer overflowOtherCVE-2008-0639Novell Client 4.91 SP4 nwspool.dll buffer overflowCVE-2007-6701Windows password weaknessWindowsOSPasswordsSnort Back Orifice Pre-Processor buffer overflowOtherCVE-2005-3252Novell Client NetIdentity Agent XTIERRPCPIPEpointer dereference vulnerabilityNovell Client nwspool.dll buffer overflow9CVE-2009-1350CVE-1999-0503
68.0.14192.168.0.14192.168.0.14192.168.0.14Apache Struts2 XWork ParameterInterceptor securitybypassSymantec Alert Management System Intel AlertHandler command executionWindows DNS server RPC management interfacebuffer overflowWindows Plug and Play buffer overflowWindows Server Service buffer overflow MS08-067Windows Workstation serviceNetpManageIPCConnect buffer overflow1025/TCP1026/TCP1028/UDPSMBepmap (135/TCP)isakmp (500/UDP)microsoft-ds (445/TCP)microsoft-ds (445/UDP)netbios-dgm (138/UDP)netbios-ns (137/UDP)ntp (123/UDP)Found password hash: Administrator : 500 :4bd0f3d13d038cc3935d0e10d22e87c7 :bd09d74cbc4777b88b0ea5a7df135b03Found password hash: Guest : 501 :31d6cfe0d16ae931b73c59d7e0c089c0 :aad3b435b51404eeaad3b435b51404eeFound password hash: SUPPORT 388945a0 : 1001: 5502b52ab1b5d056655969b871c44809 07-1748WindowsOSWindowsOSWindowsOSCVE-2005-19834.0 DetailsThe following sections provide details on the specific exploits executed on each host.4.1 ls-chl-v2138.localIP Address: 192.168.0.6Scan time: May 07 12:35:06 2011Host type: Linux 2.6.22AWStats configdir parameter command executionSeverity: Unsuccessful ExploitResolutionUpgrade to AWStats 6.3 or nce/vulnerabilities/display.php?id 185&type 6-4691
LimitationsExploit works on AWStats 6.2 on Linux.AWStats migrate parameter command injectionSeverity: Unsuccessful ExploitCVE: CVE-2006-2237ResolutionUpgrade to AWStats 6.6 or higher, or disable the AllowToUpdateStatsFromBrowser option in theAWStats configuration BASE base qry common.php file includeSeverity: Unsuccessful ExploitCVE: CVE-2006-2685ResolutionUpgrade to BASE 1.2.5 or 00LimitationsIn order for this exploit to succeed, the register globals option must be enabled in the PHP configuration, andthe Apache log file must exist in a common location.Cisco IOS HTTP exec path command executionSeverity: Unsuccessful ExploitCVE: CVE-2000-0945ResolutionSet an enable password on the Cisco ationsExploit works on Cisco Catalyst 3500 XL devices with the enable password unset.Cisco IOS HTTP access level authentication bypassSeverity: Unsuccessful ExploitCVE: CVE-2001-053711
ResolutionApply the fix referenced in cisco-sa-20010627-ios-http-level. Alternatively, disable the HTTP interface or useTACACS or Radius for ories/CA-2001-14.htmlLimitationsExploit works on Cisco IOS 11.3 through 12.2.The target must have the HTTP interface enabled and be using local authentication in order for the exploit tosucceed.CS-MARS JBoss jmx-console accessSeverity: Unsuccessful ExploitCVE: CVE-2006-3733ResolutionUpgrade to CS-MARS 4.2.1 or higher or apply the upgrade referenced in Cisco Security w.securityfocus.com/archive/1/440641Oracle Secure Backup login.php ora osb lcookie command executionSeverity: Unsuccessful ExploitResolutionApply the patch referenced in the Oracle Critical Patch Update for January ce/vulnerabilities/display.php?id 768LimitationsExploit works on Oracle Secure Backup 10.1.0.3.When exploiting Windows targets, SAINTexploit must be able to bind to port 69/UDP.When exploiting Linux targets, the "nc" utility must be installed on the target platform.The IO-Socket-SSL PERL module is required for this exploit to run. This module is available from http://www.cpan.org/modules/by-module/IO/.Oracle Secure Backup login.php rbtool command injectionSeverity: Unsuccessful Exploit12
ResolutionApply the patch referenced in the Oracle Critical Patch Update Advisory - January visories/ZDI-09-003/LimitationsExploit works on Oracle Secure Backup 10.1.0.3.The IO-Socket-SSL PERL module is required for this exploit to run. This module is available from http://www.cpan.org/modules/by-module/IO/.When the target is Windows, this exploit must be able to bind to port 69/UDP in order to succeed.When the target is Linux, the target must have the "nc" utility in order for the exploit to succeed.Oracle Secure Backup property box.php type parameter command executionSeverity: Unsuccessful ExploitResolutionApply the patch referenced in the Oracle Critical Patch Update for July 678LimitationsExploit works on Oracle Secure Backup 10.2.0.3.When the target is Windows, this exploit must be able to bind to port 69/UDP in order to succeed.When exploiting Linux targets, the netcat ("nc") utility must be installed on the target platform.The IO-Socket-SSL PERL module is required for this exploit to run. This module is available from http://www.cpan.org/modules/by-module/IO/.PHP Remote File InclusionSeverity: Unsuccessful ExploitResolutionFix the vulnerable code so that included path names cannot be manipulated by the user.The vulnerability can also be mitigated by setting the following variables in the PHP configuration file:register globals Offallow url include Off13
safe mode ile-InclusionLimitationsThis exploit works against Unix and Linux operating systems.The exploit requires the register globals and allow url include PHP settings to be on, and thesafe mode PHP setting to be off.The telnet and mkfifo programs must exist on the target in order for the shell connection to beestablished.phpBB viewtopic.php highlight parameter vulnerabilitySeverity: Unsuccessful ExploitResolutionUpgrade to the latest version of ives/bugtraq/2005-06/0256.htmlphpRPC decode function command executionSeverity: Unsuccessful ExploitResolutionphpRPC is no longer maintained by the author, so no fix is available. If phpRPC is installed as part ofanother product, contact the vendor of that product for a fix. Otherwise, remove phpRPC from the hives/bugtraq/2006-02/0507.htmlSamba call trans2open buffer overflowSeverity: Unsuccessful ExploitResolutionUpgrade to Samba 2.2.8a or /2003-04/0100.htmlLimitations14
Exploit works on Samba 2.2.x.Snort DCE/RPC preprocessor buffer overflowSeverity: Unsuccessful ExploitCVE: CVE-2006-5276ResolutionUpgrade to Snort 2.6.1.3 or ory-2007-02-19.htmlLimitationsExploit works on Snort 2.6.1.1 on Windows and Snort 2.6.1.2 on Red Hat 8, and requires port 445/TCP tobe open on the target.SQL injectionSeverity: Unsuccessful ExploitResolutionModify the web program to remove invalid characters from input parameters before using them in loit works on MySQL, Oracle Database, and Microsoft SQL Server.In order for the exploit to succeed, the vulnerable parameter must be present in an HTML form which isaccessible by following links from the home page of a web site. The web program must display the result ofthe affected query somewhere in the response page. The success of the exploit may also depend on thestructure of the affected query.If using the https protocol, the exploit requires the IO-Socket-SSL PERL module to be installed on thescanning host. This module is available from http://www.cpan.org/modules/by-module/IO/.SQL injection authentication bypassSeverity: Unsuccessful ExploitResolutionModify the web program to remove invalid characters from input parameters before using them in SQLqueries.References15
-Injection.htmlLimitationsIn order for the exploit to succeed, the login form must be accessible by following links from the home page ofa web site. The web program must allow authentication based on the response of a simple username andpassword query.If using the https protocol, the exploit requires the IO-Socket-SSL PERL module to be installed on thescanning host. This module is available from http://www.cpan.org/modules/by-module/IO/.TikiWiki file upload vulnerability (jhot.php)Severity: Unsuccessful ExploitCVE: CVE-2006-4602ResolutionUpgrade to TikiWiki 1.9.5 or 33Apache Tomcat JK Web Server Connector URI worker map buffer overflowSeverity: Unsuccessful ExploitResolutionUpgrade to mod jk 1.2.21 or s/ZDI-07-008/LimitationsExploit works on Apache Tomcat JK Web Server Connector 1.2.19 for Apache HTTP Server 2.0.58 onWindows and Apache Tomcat JK Web Server Connector 1.2.20 for Apache HTTP Server 2.0.58 on Linux.Apache, Apache Tomcat, and the JK Web Server Connector must be properly configured on the target inorder for this exploit to succeed.IPv6 support for this exploit is only available for Linux targets.TWiki revision control shell command injectionSeverity: Unsuccessful ExploitCVE: CVE-2005-2877ResolutionApply the patch referenced in CIAC Bulletin P-307.References16
5-09/0154.htmlTWiki Search.pm shell command injectionSeverity: Unsuccessful ExploitCVE: CVE-2004-1037ResolutionApply the update referenced in CIAC Bulletin ives/bugtraq/2004-11/0181.html873/TCPSeverity: Service3689/TCPSeverity: Service8873/TCPSeverity: Service9050/TCPSeverity: ServiceSMBSeverity: ServiceWWWSeverity: ServiceWWW (Secure)Severity: ServiceWWW (non-standard port 3689)Severity: ServiceWWW (non-standard port 9050)Severity: Servicebootpc (68/UDP)Severity: Servicediscard (9/UDP)Severity: Servicehttp (80/TCP)Severity: Service17
https (443/TCP)Severity: Servicemicrosoft-ds (445/TCP)Severity: Servicenetbios-ssn (139/TCP)Severity: Serviceprinter (515/TCP)Severity: Servicetftp (69/UDP)Severity: Service4.2 192.168.0.12IP Address: 192.168.0.12Scan time: May 02 05:23:02 2011Host type: Windows XP SP2Netbios Name: XPAdobe Flash Player Flash Content Parsing Code ExecutionSeverity: Unsuccessful ExploitCVE: CVE-2010-3654ResolutionApply the patches referenced in APSA10-05 when they become available. In the interim, follow the relevantdirections for mitigating the vulnerability in Adobe sExploit works on Adobe Reader 9.4.0 and the user must open the exploit file in Adobe Reader.AWStats migrate parameter command injectionSeverity: Unsuccessful ExploitCVE: CVE-2006-2237ResolutionUpgrade to AWStats 6.6 or higher, or disable the AllowToUpdateStatsFromBrowser option in theAWStats configuration 18
BASE base qry common.php file includeSeverity: Unsuccessful ExploitCVE: CVE-2006-2685ResolutionUpgrade to BASE 1.2.5 or 00LimitationsIn order for this exploit to succeed, the register globals option must be enabled in the PHP configuration, andthe Apache log file must exist in a common location.CA ARCserve D2D Axis2 default passwordSeverity: Unsuccessful ExploitCVE: CVE-2010-0219ResolutionChange the password for the admin account in the axis2.xml file, which is found in the \ProgramFiles\CA\ARCserve D2D\TOMCAT\webapps\WebServiceImpl\WEB-INF\conf ive/1/515494LimitationsExploit works on CA ARCserve D2D r15.There may be a delay before the exploit succeeds.CA XOsoft Control Service entry point.aspx Remote Code ExecutionSeverity: Unsuccessful ExploitCVE: CVE-2010-1223ResolutionApply the patches referenced in CA Security Notice for CA XOsoft ies/39337/LimitationsExploit works on CA XOsoft Control Service r12.5.Cisco IOS HTTP exec path command executionSeverity: Unsuccessful ExploitCVE: CVE-2000-0945Resolution19
Set an enable password on the Cisco ationsExploit works on Cisco Catalyst 3500 XL devices with the enable password unset.Cisco IOS HTTP access level authentication bypassSeverity: Unsuccessful ExploitCVE: CVE-2001-0537ResolutionApply the fix referenced in cisco-sa-20010627-ios-http-level. Alternatively, disable the HTTP interface or useTACACS or Radius for ories/CA-2001-14.htmlLimitationsExploit works on Cisco IOS 11.3 through 12.2.The target must have the HTTP interface enabled and be using local authentication in order for the exploit tosucceed.CS-MARS JBoss jmx-console accessSeverity: Unsuccessful ExploitCVE: CVE-2006-3733ResolutionUpgrade to CS-MARS 4.2.1 or higher or apply the upgrade referenced in Cisco Security w.securityfocus.com/archive/1/440641Easy Chat Server Authentication Request Buffer OverflowSeverity: Unsuccessful ExploitResolutionEasy Chat Server 2.2 and earlier are vulnerable. Contact the vendor at support@echatserver.com forinformation on when a fix will be available.References20
ploit works on Easy Chat Server 2.2 on Windows 2000 and Windows 2003.Adobe Flash Player authplay.dll vulnerabilitySeverity: Unsuccessful ExploitCVE: CVE-2009-1862ResolutionApply the update referenced in t.org/vuls/id/259425LimitationsExploit works on Flash Player 10.0.22.87 and requires a user to load the exploit page into Internet Explorer 6or 7.After a user loads the exploit page, there may be a delay before the exploit succeeds.Adobe Flash Player callMethod Bytecode Memory CorruptionSeverity: Unsuccessful ExploitCVE: CVE-2011-0611ResolutionUpgrade to Adobe Flash Player 10.2.153.2 for Windows or dvisories/44119/LimitationsExploit works on Adobe Systems Flash Player 10.2.153.1. The targeted user must open the exploit file inInternet Explorer 7.FrontPage fp30reg.dll remote debug buffer overflowSeverity: Unsuccessful ExploitCVE: CVE-2003-0822ResolutionApply the patch referenced in Microsoft Security Bulletin 03-051.References21
http://www.kb.cert.org/vuls/id/279156HP Data Protector Manager MMD Service Stack Buffer OverflowSeverity: Unsuccessful ExploitResolutionApply a patch when it becomes 41735LimitationsExploit works on HP Data Protector Media Operations 6.11.The Media Management Daemon service uses a dynamically assigned TCP port in the range 1024 to 65535.HP Operations Manager hidden Tomcat accountSeverity: Unsuccessful ExploitCVE: CVE-2009-3843ResolutionA
HP Universal CMDB Server Axis2 default password Web CVE-2010-0219 192.168.12 unsuccessful exploit IBM Rational Quality Manager and Test Lab Manager Policy Bypass Web CVE-2010-4094 192.168.12 unsuccessful exploit Internet Explorer iepeers.dll use-after-free vulnerability Browsers CVE-2010-0806
