Security Scans From Beyond the Clue



  • <font face="Courier New" size="2">We were deploying a new application on an existing web server farm. Part of the deployment process, however, 
    is that we had to have the box and application scanned by the security department.
    </font>
    <font face="Courier New" size="2">The engineer (and I use the term loosely) used a product called Nessus to run the system scan. No problem there other than 
    Nessus returning lots of messages like:
    </font>
    <font face="Courier New" size="2">"Port 4153 is open. This could be a trojan. You should scan your system with a good anti-virus program."</font>
    <font face="Courier New" size="2">...which are pretty much useless when the report has several dozen of them on a server that is internal only, 
    isn't used for accessing the Internet and is just over one year old (Windows 2003). And isn't the purpose to tell the administrator
    that there is a vulnerability, not that the port a known vuln works on is open and you should check it just to be sure?
    </font>
    <font face="Courier New" size="2">The real fun started when he sent us the results for his web application scan. 
    The results included vulnerabilities like the following:
    </font>
    <font color="#0000ff" face="Courier New" size="2">------------------------------------------------------------</font>
    <font color="#0000ff" face="Courier New" size="2">/..\..\..\..\..\..\temp\temp.class - Cisco ACS 2.6.x and 3.0.1 (build 40) allows authenticated remote users 
    to retrieve any file from the system. Upgrade to the latest version. (GET)
    </font>
    <font color="#0000ff" face="Courier New" size="2"> /..%2F..%2F..%2F..%2F..%2F../windows/repair/sam - BadBlue server is vulnerable to multiple remote exploits. 
    See http://www.securiteam.com/exploits/5HP0M2A60G.html for more information. (GET)
    </font>
    <font color="#0000ff" face="Courier New" size="2"> /..%2F..%2F..%2F..%2F..%2F../winnt/repair/sam._ - BadBlue server is vulnerable to multiple remote exploits. 
    See http://www.securiteam.com/exploits/5HP0M2A60G.html for more information. (GET)
    </font>
    <font color="#0000ff" face="Courier New" size="2"> /..%2F..%2F..%2F..%2F..%2F../winnt/repair/sam - BadBlue server is vulnerable to multiple remote exploits. 
    See http://www.securiteam.com/exploits/5HP0M2A60G.html for more information. (GET)
    </font>
    <font color="#0000ff" face="Courier New" size="2"> /[SecCheck]/..%2f../ext.ini - BadBlue server is vulnerable to multiple remote exploits. 
    See http://www.securiteam.com/exploits/5HP0M2A60G.html for more information. (GET)
    </font>
    <font color="#0000ff" face="Courier New" size="2"> /modules.php?name=Members_List&letter=All&sortby=pass - 
    PHP Nuke module allows user names and passwords to be viewed.
    See http://www.frog-man.org/tutos/PHP-Nuke6.0-Members_List-Your_Account.txt for other SQL exploits in this module. (GET)
    </font>
    <font color="#0000ff" face="Courier New" size="2"> /file/../../../../../../../../etc/ - The Icecast server allows the file system to be probed for directory structure, 
    but does not allow arbitrary file retrieval. (GET)
    </font>
    <font color="#0000ff" face="Courier New" size="2"> /../../../../winnt/repair/sam._ - Sam backup successfully retrieved. (GET)</font>
    <font color="#0000ff" face="Courier New" size="2"> /cgi-bin/%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%57%69%6E%64%6F%77%73%2Fping.exe%20127.0.0.1 - 
    Specially formatted strings allow command execution. Upgrade to version 1.15 or higher.
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0011. (GET)
    </font>
    <font color="#0000ff" face="Courier New" size="2"> /temp/ - This might be interesting... (GET)</font>
    <font color="#0000ff" face="Courier New" size="2">------------------------------------------------------------</font>
    <font face="Courier New" size="2">Again, this is a Windows 2003 server. 
    </font>
    • <font face="Courier New" size="2">It is not a Cisco IOS.
      </font>
    • <font face="Courier New" size="2">It isn't running BadBlue.
      </font>
    • <font face="Courier New" size="2">It isn't running Icecast.
      </font>
    • <font face="Courier New" size="2">It isn't running PHP, for that matter.</font>
    <font face="Courier New" size="2">So, we asked the engineer how he got this data. His response included: </font>
    <font face="Courier New" size="2">"The results come from automated tools and scripts, thus they are not 100% accurate to your individual system...the results 
    must be verified locally.
    If you don't use specific modules or apps, then don't worry about them. Links are provided to sites
    with more information about things identified..."
    </font>
    <font face="Courier New" size="2">All right. It doesn't make much sense to us, telling us we may have a vulnerability according to the scan but only we would know 
    for sure, so we checked out one of the sites: http://www.securiteam.com/exploits/5HP0M2A60G.html
    </font>
    <font face="Courier New" size="2">This article, published in July of 2002 (WTF!?), is for version 1.5 of BadBlue. 2.7.1 is the current release. To make matters worse, 
    the page indicates that a group called "ElectronicSouls" are the ones who found the exploit, and their website is:
    http://www.0x4553.org/ (caution! don't go here if small children are around or you are easily offended, get my drift?)
    </font>
    <font face="Courier New" size="2">We then asked this engineer if he could reproduce just one of the vulnerabilities. Specifically, the one for BadBlue. 
    The page above has Perl code to determine if a server has this vulnerability. We ran it on all our servers:
    they all turned up negative.
    </font>
    <font face="Courier New" size="2">I came very close to telling the engineer that his front door at home was unlocked and he needed to check it. 
    I couldn't verify it was, but I ran a scan on his house from my desktop and, although not 100% accurate to his house,
    it could only be verified locally. If he didn't have a front door, he could ignore my scan...just like we're going to ignore his.
    </font>


  • I particularly like the last 7 words of your post.



  • You mean you're actually not using an intranet Windows server to run an Icecast streaming radio? I am shocked!



  • If I had to guess, I would assume that Nessus is including these in the web server vuln list because your web server is not responding appropriately to the probes... perhaps it's responding with 200, 302, or no response, rather than throwing a 500 or 404.
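The triage check that the comment above points at, written as an added example (it is not code from the thread, from Nessus, or from the SecuriTeam page): fetch the path a scanner reported, fetch a random path that cannot exist, and compare status and body; a finding that matches the server's catch-all response is almost certainly a false positive, while one that differs still needs a human look. The mock server responses, `mock_fetch`, `triage` and `triage_report` are constructed assumptions for this example; `http_fetch` shows how the same logic would be pointed at a real internal server.

```python
import hashlib
import secrets
import urllib.error
import urllib.request

# Constructed stand-in for the server the thread describes: it answers
# 200 with the same welcome page to every unknown path (catch-all behaviour).
CATCH_ALL_PAGE = (200, b"<html><body>Welcome to the intranet portal</body></html>")
MOCK_SITE = {
    # one path that genuinely exists on the constructed server
    "/temp/": (200, b"<html><title>Index of /temp</title></html>"),
}

def mock_fetch(path):
    """Hypothetical fetcher: (status, body) from the constructed catch-all server."""
    return MOCK_SITE.get(path, CATCH_ALL_PAGE)

def http_fetch(base_url):
    """Build a fetcher for a real server (assumed to be one you administer):
    GET base_url + path and return (status, body), including 4xx/5xx pages."""
    def fetch(path):
        try:
            with urllib.request.urlopen(base_url + path, timeout=5) as r:
                return r.status, r.read()
        except urllib.error.HTTPError as e:
            return e.code, e.read()
    return fetch

def fingerprint(resp):
    """Reduce a response to (status, sha256 of body) so two pages can be compared."""
    status, body = resp
    return status, hashlib.sha256(body).hexdigest()

def baseline(fetch):
    """Request a random path that cannot exist; a 200 here means catch-all behaviour."""
    return fingerprint(fetch("/" + secrets.token_hex(12) + ".html"))

def triage(fetch, finding_path):
    """Classify one scanner finding against the server's own not-found behaviour."""
    hit = fingerprint(fetch(finding_path))
    if hit[0] == 404:
        return "not-found"
    if hit == baseline(fetch):
        return "likely-false-positive"  # same status and body as a bogus path
    return "needs-review"               # differs from the baseline: verify by hand

def triage_report(fetch, findings):
    """Map each path reported by the scan to its triage class."""
    return {p: triage(fetch, p) for p in findings}
```

Run against a server that returns a proper 404, every bogus path lands in "not-found"; against a catch-all server the report separates scanner noise from the few paths that actually answer differently.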

