Authentication Success Insufficient Access

2018-06-06T00:00:00
ID AUTHENTICATED_HOSTS_INSUFFICIENT_CREDS.NASL
Type nessus
Reporter Tenable
Modified 2018-10-02T00:00:00

Description

Nessus was able to execute credentialed checks because it was possible to log in to the remote host using provided credentials, however the credentials were not sufficiently privileged to allow all requested local checks.

                                        
                                            #TRUSTED 729bad0157df832f3ba754d5c2612804dfa133efb327596be89d33da5a898ba179fa0b6ef10dab0cb5b9cc06df2e1839491fb63aaee1e4a001ecc5c98cdee60d3d89e944248133178bb5f4e9320b376914dace748bbcbfbd93cf1dd3232beeb945ea73753d808f2277a2a37c926b4945a12b6f5828dddfd15ad01c2138a3328b2be0ad885dac41db44d87524e9bb6a822805aeb5bbeac0f733920a0037076bdcacf7895aa66bd8e33527af82efa6e58fbe905d6948c6b29119b6c602958817dc83e341ae0264d6f63684807b69b86721535da0948db46f4e40ddd189a471b59e525b0a64821e07c12a2f7b50b59a8cb70520274b7ed3d520cfabd4964efc97d2a80e04d7e75a5aa4dd5cab9d73c9da7a5ca1c270b2820e3d15d03021d3c72d7411cf82256d379b7e6d2c5e2cd0f3c716f69c0521748bf9d4d9ac443b67ab1485d2f3a630600651c4ce51043d0407e148a9f25b23b2895afa7db66c03096a670d87a9a64df3e08ef41b9e3a9f8ee06e868323687d6d9712c25cfcbf676f5c5f29ff3b9b13ecbf278eac6f7bb1fc62f23efb36307944b1227189917f04a8e6337d031fa3f40069949e4d708be8064189e45c374ccb73ecad55e71fcd9131df3d01a6958f4c05b41d08c147601cc24da636236f8b3e35ee77561822c082f41c7ddb0e9667144b7fe7a5a23646bc2797c517273892dd557d1a37af48892550ec95d0
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(110385);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/10/02");

  script_name(english:"Authentication Success Insufficient Access");
  script_summary(english: "Reports successfully authenticated hosts with insufficient access.");

  script_set_attribute(attribute:"synopsis", value:
"Nessus was able to log in to the remote host using the provided
credentials. The provided credentials were not sufficient to do all
requested local checks.");
  script_set_attribute(attribute:"description", value:
"Nessus was able to execute credentialed checks because it was
possible to log in to the remote host using provided credentials,
however the credentials were not sufficiently privileged to allow all
requested local checks.");
  script_set_attribute(attribute:"risk_factor", value:"None");

  script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/06");
  script_set_attribute(attribute:"solution", value:"n/a");
  script_set_attribute(attribute:"plugin_type", value:"summary");
  script_end_attributes();

  script_category(ACT_END);
  script_family(english:"Settings");

  script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # No dependencies, since this is an ACT_END plugin
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("data_protection.inc");
include("spad_log_func.inc");
include("lcx.inc");

global_var auth_ok_count = 0;
function report_problems(prefix, proto, db, port, user)
{
  if (lcx::check_localhost() && (proto == "SMB" || proto == "SSH"))
    return 0;

  local_var kb_prefix = prefix + proto + "/" + port;
  local_var report = '';
  local_var problem_list, problem;

  if (!get_kb_list(kb_prefix + "/Success")) return 0;
  auth_ok_count++;
  if (proto == 'SSH' && !lcx::has_ssh_priv_failures()) return 0;
  if (proto != 'SSH' && !get_kb_list(kb_prefix + "/Problem")) return 0;

  report += '  Protocol        : ' + proto;
  report += '\n  Port            : ' + port;

  report =
    '\nNessus was able to log in to the remote host as ' + user + ',' +
    '\nhowever this credential did not have sufficient privileges for' +
    '\nall planned checks:\n\n' + report;

  if(proto == 'SMB')
  {
    problem_list = get_kb_list(kb_prefix + "/Problem");
    if(!isnull(problem_list))
    {
      report += '\n\nProblems:\n';

      foreach problem(problem_list)
      {
        problem = data_protection::sanitize_user_paths(report_text:problem);
        report += "  Permission was denied while " + problem + '.\n';
      }

      report += '\n';
    }

  }

  security_report_v4(port:port, extra:report, severity:SECURITY_NOTE);

  return 1;
}

successes = get_kb_list("Host/Auth/*/Success");

num_reported = 0;

pat = "^Host/Auth/([A-Za-z]+/[0-9]+)/.*";
foreach win (keys(successes))
{
  match = pregmatch(pattern:pat, string:win, icase:FALSE);
  if (isnull(match)) continue;

  protoport = match[1];
  tmp = split(protoport, sep:'/', keep:FALSE);
  num_reported += report_problems(prefix:"Host/Auth/", proto:tmp[0], port:tmp[1], user:successes[win]);
}

if (num_reported == 0)
{
  if (auth_ok_count > 0)
    exit(0, "Authentication successes did not report access or privilege issues.");
  else if (lcx::svc_available())
    exit(0, "No authentication successes using user supplied credentials to report.");
  else exit(0, "No local checks ports or services were detected.");
}