Lucene search
K

Compaq Web-enabled Management Software Default Account

🗓️ 13 Oct 2003 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 53 Views

Compaq management software uses default passwords, risking sensitive data access and system control.

Code
#%NASL_MIN_LEVEL 70300
# - Written by Christoff Breytenbach <[email protected]>
# - Checks only for passwords on Compaq Web-based / HP System Management
#   Agent on HTTPS (2381/tcp), and not on older versions with login
#   still on HTTP (2301/tcp)
# - Tested on CompaqHTTPServer 4.1, 4.2, 5.0, 5.7
#
# Changes by Tenable:
# - Revised plugin title, changed family (1/21/2009)

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(11879);
  script_version("1.23");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_name(english:"Compaq Web-enabled Management Software Default Account");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has a web-enabled management application that uses
default login credentials.");
  script_set_attribute(attribute:"description", value:
"The Compaq Web-based Management / HP System Management Agent active on
the remote host is configured with the default, or a predictable,
administrator password.  Depending on the agents integrated, this allows
an attacker to view sensitive and verbose system information, and may
even allow more active attacks such as rebooting the remote system. 
Furthermore, if an SNMP agent is configured on the remote host it may
disclose the SNMP community strings in use, allowing an attacker to set
device configuration if the 'write' community string is uncovered.");
  script_set_attribute(attribute:"solution", value:
"Set a strong password for the administrator account.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/01/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2003/10/13");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2003-2022 SensePost");

  script_dependencies("http_version.nasl");
  script_exclude_keys("global_settings/supplied_logins_only");
  script_require_ports("Services/www", 2381);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("http_func.inc");

if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);

# Check starts here

function https_get(port, request)
{
    local_var result, soc;

    if(get_port_state(port))
    {
         if(port == 2381)soc = open_sock_tcp(port, transport:ENCAPS_SSLv23);
	 else soc = open_sock_tcp(port);
         if(soc)
         {
            send(socket:soc, data:request);
            result = http_recv(socket:soc);
            close(soc);
            return(result);
         }
    }
}

debug = 0;

passlist = make_list ('administrator', 'admin', 'cim', 'cim7', 'password');

if ( thorough_tests )
 port = get_http_port(default:2381, embedded:TRUE);
else
 port = 2381;

req = string("GET /cpqlogin.htm?RedirectUrl=/&RedirectQueryString= HTTP/1.0\r\n\r\n");

if(debug==1) display(req);

retval = https_get(port:port, request:req);
if(retval == NULL) exit(0);

if(debug == 1) display(retval);

if((retval =~ "HTTP/1.[01] 200") && ("Server: CompaqHTTPServer/" >< retval) && ("Cookie: Compaq" >< retval))
{
    foreach pass (passlist) {
        temp1 = strstr(retval, "Set-Cookie: ");
        temp2 = strstr(temp1, ";");
        cookie = temp1 - temp2;
	if ( ! cookie ) continue;
        cookie = str_replace(string:cookie, find:"Set-Cookie", replace:"Cookie");
        poststr = string("redirecturl=&redirectquerystring=&user=administrator&password=", pass);

        req = string("POST /proxy/ssllogin HTTP/1.0\r\n", cookie,
"\r\nContent-Length: ", strlen(poststr), "\r\n\r\n", poststr, "\r\n");

        if(debug==1) display("\n\n***********************\n\n", req);

        retval = https_get(port:port, request:req);

        if(debug==1) display(retval);

        if("CpqElm-Login: success" >< retval)
        {
            if (report_verbosity > 0)
            {
              report = '\n  User     : administrator' +
                       '\n  Password : ' + pass +
                       '\n';
              security_hole(port:port, extra:report);
            }
            else security_hole(port);
            exit(0);
        }
    }
}
audit(AUDIT_LISTEN_NOT_VULN, "Compaq Web-based Management / HP System Management Agent", port);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation