ID DDI_NETSCAPE_ENTERPRISE_DEFAULT_ADMINISTRATIVE_PASSWORD.NASL Type nessus Reporter Tenable Modified 2018-06-13T00:00:00
Description
This host is running Netscape Enterprise Server. The administrative interface for this web server is using the default username and password of 'admin'. An attacker can use this to reconfigure the web server, cause a denial of service condition, or gain access to this host.
#
# This script was written by Forrest Rae <forrest.rae@digitaldefense.net>
#
include("compat.inc");
if (description)
{
script_id(11208);
script_version("1.23");
script_cvs_date("Date: 2018/06/13 18:56:26");
script_cve_id("CVE-1999-0502");
script_name(english:"Netscape Enterprise Default Administrative Password");
script_summary(english:"Netscape Enterprise Default Administrative Password");
script_set_attribute(attribute:"synopsis", value:
"The remote web server uses a default set of administrative
credentials.");
script_set_attribute(attribute:"description", value:
"This host is running Netscape Enterprise Server. The administrative
interface for this web server is using the default username and
password of 'admin'. An attacker can use this to reconfigure the web
server, cause a denial of service condition, or gain access to this
host.");
script_set_attribute(attribute:"solution", value:
"Please assign the web administration console a difficult-to-guess
password.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:TF/RC:ND");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'SSH User Code Execution');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2003/02/18");
script_set_attribute(attribute:"plugin_publication_date", value:"2003/01/22");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:netscape:enterprise_server");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2003-2018 Digital Defense Inc.");
script_family(english:"CGI abuses");
script_dependencies("find_service1.nasl", "http_version.nasl");
script_exclude_keys("global_settings/supplied_logins_only");
script_require_ports("Services/www", 8888);
exit(0);
}
#
# The script code starts here
#
include("audit.inc");
include("global_settings.inc");
include("http_func.inc");
include("misc_func.inc");
if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);
debug = 0;
ports = add_port_in_list(list:get_kb_list("Services/www"), port:8888);
foreach port (ports)
{
if ( !get_port_state(port) ) continue;
banner = get_http_banner(port:port);
if ( ! banner || ("Netscape" >!< banner && "iPlanet" >!< banner ) ) continue;
soc = http_open_socket(port);
if (soc)
{
# HTTP auth = "admin:admin"
req = http_get(item:"/https-admserv/bin/index", port:port);
req = req - string("\r\n\r\n");
req = string(req, "\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\n");
send(socket:soc, data:req);
buf = http_recv(socket:soc);
http_close_socket(soc);
if (isnull(buf)) continue;
if(debug == 1) display("\n\n", buf, "\n\n");
if (("Web Server Administration Server" >< buf) && ("index?tabs" >< buf))
{
security_hole(port:port);
}
}
}
{"id": "DDI_NETSCAPE_ENTERPRISE_DEFAULT_ADMINISTRATIVE_PASSWORD.NASL", "bulletinFamily": "scanner", "title": "Netscape Enterprise Default Administrative Password", "description": "This host is running Netscape Enterprise Server. The administrative interface for this web server is using the default username and password of 'admin'. An attacker can use this to reconfigure the web server, cause a denial of service condition, or gain access to this host.", "published": "2003-01-22T00:00:00", "modified": "2018-06-13T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=11208", "reporter": "Tenable", "references": [], "cvelist": ["CVE-1999-0502"], "type": "nessus", "lastseen": "2018-06-14T07:16:51", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-1999-0502"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "This host is running Netscape Enterprise Server. The administrative interface for this web server is using the default username and password of 'admin'. An attacker can use this to reconfigure the web server, cause a denial of service condition, or gain access to this host.", "edition": 2, "enchantments": {}, "hash": "d6a93334bd3bfabd79230adaa9d133aaa7f5d75ea3ab5e150d16cc29d4017e59", "hashmap": [{"hash": "7eb531fab9baccff0d26d8bcaaef08b3", "key": "cvelist"}, {"hash": "8c83b45fe3314d874ecb5ca06a6853a9", "key": "href"}, {"hash": "bea5b83d3a056039813089e7aa7f7e9a", "key": "pluginID"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "fda8e40dc036fe94d2de7e8e2f04d215", "key": "title"}, {"hash": "c9f65a157ee0c008f49ceb824b338829", "key": "sourceData"}, {"hash": "0f7b2b6116974dd09c18819d572d0d3f", "key": "description"}, {"hash": "a9fdec0651ce29ae373f57a8811ed9a7", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "6561e7f0cbf888bba052bd3a00991a64", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=11208", "id": "DDI_NETSCAPE_ENTERPRISE_DEFAULT_ADMINISTRATIVE_PASSWORD.NASL", "lastseen": "2017-08-15T00:00:50", "modified": "2017-08-14T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "11208", "published": "2003-01-22T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#\n# This script was written by Forrest Rae <forrest.rae@digitaldefense.net>\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11208);\n script_version(\"$Revision: 1.22 $\");\n script_cvs_date(\"$Date: 2017/08/14 14:06:24 $\");\n\n script_cve_id(\"CVE-1999-0502\");\n script_osvdb_id(876);\n\n script_name(english:\"Netscape Enterprise Default Administrative Password\");\n script_summary(english:\"Netscape Enterprise Default Administrative Password\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server uses a default set of administrative\ncredentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"This host is running Netscape Enterprise Server. The administrative\ninterface for this web server is using the default username and\npassword of 'admin'. An attacker can use this to reconfigure the web\nserver, cause a denial of service condition, or gain access to this\nhost.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Please assign the web administration console a difficult-to-guess\npassword.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:TF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/01/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:netscape:enterprise_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2003-2017 Digital Defense Inc.\");\n script_family(english:\"CGI abuses\");\n\n script_dependencies(\"find_service1.nasl\", \"http_version.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_require_ports(\"Services/www\", 8888);\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"misc_func.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\ndebug = 0;\n\nports = add_port_in_list(list:get_kb_list(\"Services/www\"), port:8888);\n\nforeach port (ports)\n{\n\tif ( !get_port_state(port) ) continue;\n\tbanner = get_http_banner(port:port);\n\tif ( ! banner || (\"Netscape\" >!< banner && \"iPlanet\" >!< banner ) ) continue;\n\tsoc = http_open_socket(port);\n\n\tif (soc)\n\t{\n\n\t\t# HTTP auth = \"admin:admin\"\n\n\n\t\treq = http_get(item:\"/https-admserv/bin/index\", port:port);\n \t\treq = req - string(\"\\r\\n\\r\\n\");\n \t\treq = string(req, \"\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\n\\r\\n\");\n\n\n\t\tsend(socket:soc, data:req);\n\t\tbuf = http_recv(socket:soc);\n\t\thttp_close_socket(soc);\n\t\tif (isnull(buf)) continue;\n\n\t\tif(debug == 1) display(\"\\n\\n\", buf, \"\\n\\n\");\n\n\n\t\tif ((\"Web Server Administration Server\" >< buf) && (\"index?tabs\" >< buf))\n\t\t{\n\t\t\tsecurity_hole(port:port);\n\t\t}\n\t}\n}\n\n", "title": "Netscape Enterprise Default Administrative Password", "type": "nessus", "viewCount": 0}, "differentElements": ["cpe"], "edition": 2, "lastseen": "2017-08-15T00:00:50"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-1999-0502"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "This host is running Netscape Enterprise Server. The administrative interface for this web server is using the default username and password of 'admin'. An attacker can use this to reconfigure the web server, cause a denial of service condition, or gain access to this host.", "edition": 1, "enchantments": {}, "hash": "99768be175de18d950e28d5cffeda519b88789a90165da121988a6b4ce13ff46", "hashmap": [{"hash": "7eb531fab9baccff0d26d8bcaaef08b3", "key": "cvelist"}, {"hash": "8c83b45fe3314d874ecb5ca06a6853a9", "key": "href"}, {"hash": "bea5b83d3a056039813089e7aa7f7e9a", "key": "pluginID"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "fda8e40dc036fe94d2de7e8e2f04d215", "key": "title"}, {"hash": "0f7b2b6116974dd09c18819d572d0d3f", "key": "description"}, {"hash": "c0e036f0b735289e03687c1f000fa3bb", "key": "sourceData"}, {"hash": "a9fdec0651ce29ae373f57a8811ed9a7", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "75fcd9b819be70f3c96fb4b4a93a6d2c", "key": "modified"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=11208", "id": "DDI_NETSCAPE_ENTERPRISE_DEFAULT_ADMINISTRATIVE_PASSWORD.NASL", "lastseen": "2016-09-26T17:24:14", "modified": "2013-12-17T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.2", "pluginID": "11208", "published": "2003-01-22T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#\n# This script was written by Forrest Rae <forrest.rae@digitaldefense.net>\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11208);\n script_version(\"$Revision: 1.21 $\");\n script_cvs_date(\"$Date: 2013/12/17 12:13:59 $\");\n\n script_cve_id(\"CVE-1999-0502\");\n script_osvdb_id(876);\n\n script_name(english:\"Netscape Enterprise Default Administrative Password\");\n script_summary(english:\"Netscape Enterprise Default Administrative Password\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server uses a default set of administrative\ncredentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"This host is running Netscape Enterprise Server. The administrative\ninterface for this web server is using the default username and\npassword of 'admin'. An attacker can use this to reconfigure the web\nserver, cause a denial of service condition, or gain access to this\nhost.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Please assign the web administration console a difficult-to-guess\npassword.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/01/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:netscape:enterprise_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2003-2013 Digital Defense Inc.\");\n script_family(english:\"CGI abuses\");\n\n script_dependencies(\"find_service1.nasl\", \"http_version.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_require_ports(\"Services/www\", 8888);\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"misc_func.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\ndebug = 0;\n\nports = add_port_in_list(list:get_kb_list(\"Services/www\"), port:8888);\n\nforeach port (ports)\n{\n\tif ( !get_port_state(port) ) continue;\n\tbanner = get_http_banner(port:port);\n\tif ( ! banner || (\"Netscape\" >!< banner && \"iPlanet\" >!< banner ) ) continue;\n\tsoc = http_open_socket(port);\n\n\tif (soc)\n\t{\n\n\t\t# HTTP auth = \"admin:admin\"\n\n\n\t\treq = http_get(item:\"/https-admserv/bin/index\", port:port);\n \t\treq = req - string(\"\\r\\n\\r\\n\");\n \t\treq = string(req, \"\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\n\\r\\n\");\n\n\n\t\tsend(socket:soc, data:req);\n\t\tbuf = http_recv(socket:soc);\n\t\thttp_close_socket(soc);\n\t\tif (isnull(buf)) continue;\n\n\t\tif(debug == 1) display(\"\\n\\n\", buf, \"\\n\\n\");\n\n\n\t\tif ((\"Web Server Administration Server\" >< buf) && (\"index?tabs\" >< buf))\n\t\t{\n\t\t\tsecurity_hole(port:port);\n\t\t}\n\t}\n}\n\n", "title": "Netscape Enterprise Default Administrative Password", "type": "nessus", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2016-09-26T17:24:14"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:netscape:enterprise_server"], "cvelist": ["CVE-1999-0502"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "This host is running Netscape Enterprise Server. The administrative interface for this web server is using the default username and password of 'admin'. An attacker can use this to reconfigure the web server, cause a denial of service condition, or gain access to this host.", "edition": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "1dfd3a0dfbb850bf7e10ec8426b81e001c93dea1a84a2c00eb41446f379e8c63", "hashmap": [{"hash": "f30dcde820d74d06c44e89b1aea48cc1", "key": "cpe"}, {"hash": "7eb531fab9baccff0d26d8bcaaef08b3", "key": "cvelist"}, {"hash": "8c83b45fe3314d874ecb5ca06a6853a9", "key": "href"}, {"hash": "bea5b83d3a056039813089e7aa7f7e9a", "key": "pluginID"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "fda8e40dc036fe94d2de7e8e2f04d215", "key": "title"}, {"hash": "c9f65a157ee0c008f49ceb824b338829", "key": "sourceData"}, {"hash": "0f7b2b6116974dd09c18819d572d0d3f", "key": "description"}, {"hash": "a9fdec0651ce29ae373f57a8811ed9a7", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "6561e7f0cbf888bba052bd3a00991a64", "key": "modified"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=11208", "id": "DDI_NETSCAPE_ENTERPRISE_DEFAULT_ADMINISTRATIVE_PASSWORD.NASL", "lastseen": "2017-10-29T13:36:56", "modified": "2017-08-14T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "11208", "published": "2003-01-22T00:00:00", "references": [], "reporter": "Tenable", "sourceData": "#\n# This script was written by Forrest Rae <forrest.rae@digitaldefense.net>\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11208);\n script_version(\"$Revision: 1.22 $\");\n script_cvs_date(\"$Date: 2017/08/14 14:06:24 $\");\n\n script_cve_id(\"CVE-1999-0502\");\n script_osvdb_id(876);\n\n script_name(english:\"Netscape Enterprise Default Administrative Password\");\n script_summary(english:\"Netscape Enterprise Default Administrative Password\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server uses a default set of administrative\ncredentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"This host is running Netscape Enterprise Server. The administrative\ninterface for this web server is using the default username and\npassword of 'admin'. An attacker can use this to reconfigure the web\nserver, cause a denial of service condition, or gain access to this\nhost.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Please assign the web administration console a difficult-to-guess\npassword.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:TF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/01/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:netscape:enterprise_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2003-2017 Digital Defense Inc.\");\n script_family(english:\"CGI abuses\");\n\n script_dependencies(\"find_service1.nasl\", \"http_version.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_require_ports(\"Services/www\", 8888);\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"misc_func.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\ndebug = 0;\n\nports = add_port_in_list(list:get_kb_list(\"Services/www\"), port:8888);\n\nforeach port (ports)\n{\n\tif ( !get_port_state(port) ) continue;\n\tbanner = get_http_banner(port:port);\n\tif ( ! banner || (\"Netscape\" >!< banner && \"iPlanet\" >!< banner ) ) continue;\n\tsoc = http_open_socket(port);\n\n\tif (soc)\n\t{\n\n\t\t# HTTP auth = \"admin:admin\"\n\n\n\t\treq = http_get(item:\"/https-admserv/bin/index\", port:port);\n \t\treq = req - string(\"\\r\\n\\r\\n\");\n \t\treq = string(req, \"\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\n\\r\\n\");\n\n\n\t\tsend(socket:soc, data:req);\n\t\tbuf = http_recv(socket:soc);\n\t\thttp_close_socket(soc);\n\t\tif (isnull(buf)) continue;\n\n\t\tif(debug == 1) display(\"\\n\\n\", buf, \"\\n\\n\");\n\n\n\t\tif ((\"Web Server Administration Server\" >< buf) && (\"index?tabs\" >< buf))\n\t\t{\n\t\t\tsecurity_hole(port:port);\n\t\t}\n\t}\n}\n\n", "title": "Netscape Enterprise Default Administrative Password", "type": "nessus", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 3, "lastseen": "2017-10-29T13:36:56"}], "edition": 4, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "f30dcde820d74d06c44e89b1aea48cc1"}, {"key": "cvelist", "hash": "7eb531fab9baccff0d26d8bcaaef08b3"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "0f7b2b6116974dd09c18819d572d0d3f"}, {"key": "href", "hash": "8c83b45fe3314d874ecb5ca06a6853a9"}, {"key": "modified", "hash": "5299677d29a0b2004584ce465e834b3e"}, {"key": "naslFamily", "hash": "07948b8ff59e8dda0b01012f70f00327"}, {"key": "pluginID", "hash": "bea5b83d3a056039813089e7aa7f7e9a"}, {"key": "published", "hash": "a9fdec0651ce29ae373f57a8811ed9a7"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "c3cfa671ed1d1d7a82d3bb037beeb99f"}, {"key": "title", "hash": "fda8e40dc036fe94d2de7e8e2f04d215"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "d8f3f9c73ec5bfc1d07ce5278f1b1c768c6745689decf8db00c0a5bee64774ce", "viewCount": 0, "enchantments": {"vulnersScore": 7.5}, "objectVersion": "1.3", "sourceData": "#\n# This script was written by Forrest Rae <forrest.rae@digitaldefense.net>\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11208);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2018/06/13 18:56:26\");\n\n script_cve_id(\"CVE-1999-0502\");\n\n script_name(english:\"Netscape Enterprise Default Administrative Password\");\n script_summary(english:\"Netscape Enterprise Default Administrative Password\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server uses a default set of administrative\ncredentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"This host is running Netscape Enterprise Server. The administrative\ninterface for this web server is using the default username and\npassword of 'admin'. An attacker can use this to reconfigure the web\nserver, cause a denial of service condition, or gain access to this\nhost.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Please assign the web administration console a difficult-to-guess\npassword.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:TF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SSH User Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/01/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:netscape:enterprise_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2003-2018 Digital Defense Inc.\");\n script_family(english:\"CGI abuses\");\n\n script_dependencies(\"find_service1.nasl\", \"http_version.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_require_ports(\"Services/www\", 8888);\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"misc_func.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\ndebug = 0;\n\nports = add_port_in_list(list:get_kb_list(\"Services/www\"), port:8888);\n\nforeach port (ports)\n{\n\tif ( !get_port_state(port) ) continue;\n\tbanner = get_http_banner(port:port);\n\tif ( ! banner || (\"Netscape\" >!< banner && \"iPlanet\" >!< banner ) ) continue;\n\tsoc = http_open_socket(port);\n\n\tif (soc)\n\t{\n\n\t\t# HTTP auth = \"admin:admin\"\n\n\n\t\treq = http_get(item:\"/https-admserv/bin/index\", port:port);\n \t\treq = req - string(\"\\r\\n\\r\\n\");\n \t\treq = string(req, \"\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\n\\r\\n\");\n\n\n\t\tsend(socket:soc, data:req);\n\t\tbuf = http_recv(socket:soc);\n\t\thttp_close_socket(soc);\n\t\tif (isnull(buf)) continue;\n\n\t\tif(debug == 1) display(\"\\n\\n\", buf, \"\\n\\n\");\n\n\n\t\tif ((\"Web Server Administration Server\" >< buf) && (\"index?tabs\" >< buf))\n\t\t{\n\t\t\tsecurity_hole(port:port);\n\t\t}\n\t}\n}\n\n", "naslFamily": "CGI abuses", "pluginID": "11208", "cpe": ["cpe:/a:netscape:enterprise_server"]}
{"result": {"cve": [{"id": "CVE-1999-0502", "type": "cve", "title": "CVE-1999-0502", "description": "A Unix account has a default, null, blank, or missing password.", "published": "1998-03-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0502", "cvelist": ["CVE-1999-0502"], "lastseen": "2016-09-03T02:14:57"}], "nessus": [{"id": "ACCOUNT_DEBUG_SYNNET.NASL", "type": "nessus", "title": "Default Password (synnet) for 'debug' Account", "description": "The account 'debug' on the remote host uses the password 'synnet'. An attacker may use it to gain further privileges on this system.", "published": "2005-03-08T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=17289", "cvelist": ["CVE-1999-0502"], "lastseen": "2017-11-21T07:27:52"}, {"id": "ACCOUNT_ROOT_DEFAULT.NASL", "type": "nessus", "title": "Default Password (default) for 'root' Account", "description": "The account 'root' on the remote host has the password 'default'.\n\nAn attacker may leverage this issue to gain administrative access to the affected system.\n\nNote that F5 Networks is known to use these credentials to provide complete administrative access to its appliances.", "published": "2014-07-31T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=76941", "cvelist": ["CVE-1999-0502"], "lastseen": "2017-11-22T01:08:13"}, {"id": "ACCOUNT_ROOT_ABC123.NASL", "type": "nessus", "title": "Default Password (abc123) for 'root' Account", "description": "The account 'root' on the remote host has the password 'abc123'. \n\nAn attacker may leverage this issue to gain full access to the affected system. \n\nNote that Junos Space is known to use these credentials by default.", "published": "2013-04-05T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=65820", "cvelist": ["CVE-1999-0502"], "lastseen": "2017-11-21T07:33:09"}, {"id": "ACCOUNT_PATROL_PATROL.NASL", "type": "nessus", "title": "Default Password (patrol) for 'patrol' Account", "description": "The account 'patrol' on the remote host has the password 'patrol'. An attacker may leverage this issue to gain access to the affected system and launch further attacks against it.", "published": "2010-10-31T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=50426", "cvelist": ["CVE-1999-0502"], "lastseen": "2017-11-21T07:31:08"}, {"id": "ACCOUNT_ROOT_SYSTEM.NASL", "type": "nessus", "title": "Default Password 'system' for 'root' Account", "description": "The account 'root' on the remote host has the default password 'system'. A remote attacker can exploit this issue to gain administrative access to the affected system.", "published": "2016-10-28T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=94397", "cvelist": ["CVE-1999-0502"], "lastseen": "2017-11-21T07:33:03"}, {"id": "ACCOUNT_MOTHER_FUCKER.NASL", "type": "nessus", "title": "Default Password 'f****r' for 'mother' Account", "description": "The account 'mother' on the remote host has the default password 'f****r'. A remote attacker can exploit this issue to gain administrative access to the affected system.\n\nNote that this username / password combination was found in the leaked source from the Mirai botnet. The password has been masked in this description.", "published": "2016-10-28T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=94375", "cvelist": ["CVE-1999-0502"], "lastseen": "2017-11-21T07:29:39"}, {"id": "ACCOUNT_ADMIN_SMCADMIN.NASL", "type": "nessus", "title": "Default Password 'smcadmin' for 'admin' Account", "description": "The account 'admin' on the remote host has the default password 'smcadmin'. A remote attacker can exploit this issue to gain administrative access to the affected system.", "published": "2016-10-28T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=94371", "cvelist": ["CVE-1999-0502"], "lastseen": "2017-11-21T07:28:32"}, {"id": "ACCOUNT_ADMIN_1111.NASL", "type": "nessus", "title": "Default Password '1111' for 'admin' Account", "description": "The account 'admin' on the remote host has the default password '1111'. A remote attacker can exploit this issue to gain administrative access to the affected system.", "published": "2016-10-28T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=94360", "cvelist": ["CVE-1999-0502"], "lastseen": "2017-11-21T07:24:54"}, {"id": "ACCOUNT_ADMIN_ADMINIWSS85.NASL", "type": "nessus", "title": "Default Password 'adminIWSS85' for 'admin' Account", "description": "The account 'admin' on the remote host has the default password 'adminIWSS85'. A remote attacker can exploit this issue to gain administrative access to the affected system.", "published": "2017-04-07T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=99246", "cvelist": ["CVE-1999-0502"], "lastseen": "2017-11-21T07:25:52"}, {"id": "ACCOUNT_ROOT_ADMINIWSS85.NASL", "type": "nessus", "title": "Default Password 'adminIWSS85' for 'root' Account", "description": "The account 'root' on the remote host has the default password 'adminIWSS85'. A remote attacker can exploit this issue to gain administrative access to the affected system.", "published": "2017-04-07T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=99247", "cvelist": ["CVE-1999-0502"], "lastseen": "2017-11-21T07:27:57"}], "metasploit": [{"id": "MSF:AUXILIARY/SCANNER/FTP/FTP_LOGIN", "type": "metasploit", "title": "FTP Authentication Scanner", "description": "This module will test FTP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.", "published": "2011-11-11T04:39:13", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-1999-0502"], "lastseen": "2018-03-06T21:06:17"}, {"id": "MSF:AUXILIARY/SCANNER/HTTP/DELL_IDRAC", "type": "metasploit", "title": "Dell iDRAC Default Login", "description": "This module attempts to login to a iDRAC webserver instance using default username and password. Tested against Dell Remote Access Controller 6 - Express version 1.50 and 1.85", "published": "2012-09-26T08:02:38", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-1999-0502"], "lastseen": "2018-03-06T21:08:41"}, {"id": "MSF:AUXILIARY/SCANNER/HTTP/WORDPRESS_XMLRPC_LOGIN", "type": "metasploit", "title": "Wordpress XML-RPC Username/Password Login Scanner", "description": "This module attempts to authenticate against a Wordpress-site (via XMLRPC) using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options.", "published": "2014-07-25T13:24:09", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-1999-0502"], "lastseen": "2018-02-06T08:23:01"}, {"id": "MSF:AUXILIARY/SCANNER/HTTP/JOOMLA_BRUTEFORCE_LOGIN", "type": "metasploit", "title": "Joomla Bruteforce Login Utility", "description": "This module attempts to authenticate to Joomla 2.5. or 3.0 through bruteforce attacks", "published": "2014-07-18T04:49:25", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-1999-0502"], "lastseen": "2017-11-10T23:45:33"}, {"id": "MSF:AUXILIARY/SCANNER/NNTP/NNTP_LOGIN", "type": "metasploit", "title": "NNTP Login Utility", "description": "This module attempts to authenticate to NNTP services which support the AUTHINFO authentication extension. This module supports AUTHINFO USER/PASS authentication, but does not support AUTHINFO GENERIC or AUTHINFO SASL authentication methods.", "published": "2017-06-15T20:25:40", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-1999-0502"], "lastseen": "2018-02-18T15:09:23"}, {"id": "MSF:AUXILIARY/SCANNER/TELNET/BROCADE_ENABLE_LOGIN", "type": "metasploit", "title": "Brocade Enable Login Check Scanner", "description": "This module will test a range of Brocade network devices for a privileged logins and report successes. The device authentication mode must be set as 'aaa authentication enable default local'. Telnet authentication, e.g. 'enable telnet authentication', should not be enabled in the device configuration. This module has been tested against the following devices: ICX6450-24 SWver 07.4.00bT311, FastIron WS 624 SWver 07.2.02fT7e1", "published": "2015-03-06T14:41:14", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-1999-0502"], "lastseen": "2017-11-18T17:43:18"}, {"id": "MSF:AUXILIARY/SCANNER/POSTGRES/POSTGRES_LOGIN", "type": "metasploit", "title": "PostgreSQL Login Utility", "description": "This module attempts to authenticate against a PostgreSQL instance using username and password combinations indicated by the USER_FILE, PASS_FILE, and USERPASS_FILE options. Note that passwords may be either plaintext or MD5 formatted hashes.", "published": "2010-03-25T01:05:23", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-1999-0502"], "lastseen": "2017-11-01T01:41:30"}, {"id": "MSF:AUXILIARY/SCANNER/HTTP/DLINK_DIR_615H_HTTP_LOGIN", "type": "metasploit", "title": "D-Link DIR-615H HTTP Login Utility", "description": "This module attempts to authenticate to different D-Link HTTP management services. It has been tested successfully on D-Link DIR-615 Hardware revision H devices. It is possible that this module also works with other models.", "published": "2013-03-27T08:26:23", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-1999-0502"], "lastseen": "2018-02-04T08:23:07"}, {"id": "MSF:AUXILIARY/SCANNER/HTTP/DLINK_DIR_SESSION_CGI_HTTP_LOGIN", "type": "metasploit", "title": "D-Link DIR-300B / DIR-600B / DIR-815 / DIR-645 HTTP Login Utility", "description": "This module attempts to authenticate to different D-Link HTTP management services. It has been tested successfully on D-Link DIR-300 Hardware revision B, D-Link DIR-600 Hardware revision B, D-Link DIR-815 Hardware revision A and DIR-645 Hardware revision A devices. It is possible that this module also works with other models.", "published": "2013-04-04T19:41:10", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-1999-0502"], "lastseen": "2017-11-10T23:43:48"}, {"id": "MSF:AUXILIARY/SCANNER/WINRM/WINRM_LOGIN", "type": "metasploit", "title": "WinRM Login Utility", "description": "This module attempts to authenticate to a WinRM service. It currently works only if the remote end allows Negotiate(NTLM) authentication. Kerberos is not currently supported. Please note: in order to use this module without SSL, the 'AllowUnencrypted' winrm option must be set. Otherwise adjust the port and set the SSL options in the module as appropriate.", "published": "2012-10-25T15:16:12", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-1999-0502"], "lastseen": "2018-01-11T12:02:14"}], "openvas": [{"id": "OPENVAS:136141256231011000", "type": "openvas", "title": "MPEi/X Default Accounts", "description": "This host has one or more accounts with a blank \npassword. Please see the data section for a list \nof these accounts.", "published": "2005-11-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231011000", "cvelist": ["CVE-1999-0502"], "lastseen": "2018-04-06T11:15:56"}, {"id": "OPENVAS:136141256231012641", "type": "openvas", "title": "Default password router Pirelli AGE mB", "description": "The remote host is a Pirelli AGE mB (microBusiness) router with its\n default password set (admin/microbusiness).", "published": "2005-11-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231012641", "cvelist": ["CVE-1999-0502"], "lastseen": "2018-04-23T21:41:31"}, {"id": "OPENVAS:136141256231011208", "type": "openvas", "title": "Netscape Enterprise Default Administrative Password", "description": "This host is running the Netscape Enterprise Server. The Administrative\n interface for this web server, which operates on port 8888/TCP, is using\n the default username and password of 'admin'.", "published": "2005-11-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231011208", "cvelist": ["CVE-1999-0502"], "lastseen": "2017-07-27T10:49:40"}, {"id": "OPENVAS:11000", "type": "openvas", "title": "MPEi/X Default Accounts", "description": "This host has one or more accounts with a blank \npassword. Please see the data section for a list \nof these accounts.", "published": "2005-11-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=11000", "cvelist": ["CVE-1999-0502"], "lastseen": "2017-12-08T11:44:11"}], "osvdb": [{"id": "OSVDB:876", "type": "osvdb", "title": "Netscape Enterprise Default Administrative Password", "description": "## Vulnerability Description\nBy default, Netscape Enterprise Server administrative interface installs with a default password. The admin account has a password of admin which is publicly known and documented. This allows attackers to trivially access the program or system.\n## Technical Description\nDefault:\nUsername:admin\nPassword:admin\n\nThe Administrative interface operates on port 8888/TCP\n## Solution Description\nImmediately after installation, change all default install passwords to a unique and secure password. When possible, change default accounts to custom names as well.\n## Short Description\nBy default, Netscape Enterprise Server administrative interface installs with a default password. The admin account has a password of admin which is publicly known and documented. This allows attackers to trivially access the program or system.\n## References:\n[Nessus Plugin ID:11208](https://vulners.com/search?query=pluginID:11208)\nGeneric Informational URL: http://www.cirt.net/cgi-bin/passwd.pl?method=showven&ven=Netscape\n[CVE-1999-0502](https://vulners.com/cve/CVE-1999-0502)\n", "published": "2003-02-18T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:876", "cvelist": ["CVE-1999-0502"], "lastseen": "2017-04-28T13:19:55"}, {"id": "OSVDB:822", "type": "osvdb", "title": "MPE/iX Default Accounts", "description": "## Vulnerability Description\nThis host has one or more accounts with a blank password. Please see the data section for a list of these accounts.\n## Short Description\nThis host has one or more accounts with a blank password. Please see the data section for a list of these accounts.\n## References:\n[Nessus Plugin ID:11000](https://vulners.com/search?query=pluginID:11000)\n[CVE-1999-0502](https://vulners.com/cve/CVE-1999-0502)\n", "published": "2001-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:822", "cvelist": ["CVE-1999-0502"], "lastseen": "2017-04-28T13:19:55"}, {"id": "OSVDB:3118", "type": "osvdb", "title": "Unix Password Authentication Security Point of Failure", "description": "## Vulnerability Description\nPasswords are a cornerstone of computer security. Virtually every sensitive computer resource requires one or more passwords to access it in any context. Most virtual authentication methods are based on some form of password, or security token. Given that passwords are chosen by the user, who tends to pick words easily remembered, along with poor password implementation, weak passwords are a common method for network intrusion. Despite decades of reliance upon these passwords, systems still ship with no password, easily guessed passwords, or no mechanisms to force users to maintain strong passwords. This often leads to passwords that are weak and easy to compromise.\n\n## Solution Description\nWhile it is an accepted fact of security that any password can be guessed given sufficient resources, every organization should attempt to maintain strong passwords to deter and delay such compromises. The following measures can be taken to help in this process:\n\n1. Passwords should be sufficiently complex:\na. Be at least eight characters in length\nb. Contain upper case, lower case, and special characters\nc. Not be a word in any language or found in any dictionary\nd. Not bear any resemblence to the user, family, pets, etc.\n2. Enforce password history. Ensure users must pick a new unique password and can not re-use old passwords.\n3. Maximum password age. After a set amount of time (recommended 30 - 90 days), the password should expire and force users to select a new one.\n4. Test password security by attempting to \"crack\" passwords. Only do so with written permission from a CEO/CSO/CxO.\n5. Ensure users are educated on password security and the importance of passwords. This includes training on what not to do regarding passwords (ie: share them, write them down).\n## Short Description\nPasswords are a cornerstone of computer security. Virtually every sensitive computer resource requires one or more passwords to access it in any context. Most virtual authentication methods are based on some form of password, or security token. Given that passwords are chosen by the user, who tends to pick words easily remembered, along with poor password implementation, weak passwords are a common method for network intrusion. Despite decades of reliance upon these passwords, systems still ship with no password, easily guessed passwords, or no mechanisms to force users to maintain strong passwords. This often leads to passwords that are weak and easy to compromise.\n\n## References:\nOther Solution URL: http://www.openwall.com/john/\nKeyword: SANS Top 20 2002 Unix Issue #10\nKeyword: SANS Top 20 2001 General Issue #02\nKeyword: SANS Top 20 2003 Unix Issue #04\nKeyword: SANS Top 20 2000 General Issue #08\nGeneric Informational URL: http://www.sans.org/top20/oct02.php#U10\nGeneric Informational URL: http://www.sans.org/top20/top20_oct01.php\nGeneric Informational URL: http://www.sans.org/top20/top10.php\nGeneric Informational URL: http://www.sans.org/top20/#u4\n[CVE-1999-0502](https://vulners.com/cve/CVE-1999-0502)\n[CVE-1999-0501](https://vulners.com/cve/CVE-1999-0501)\n", "published": "1980-01-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:3118", "cvelist": ["CVE-1999-0502", "CVE-1999-0501"], "lastseen": "2017-04-28T13:19:57"}], "zdt": [{"id": "1337DAY-ID-27399", "type": "zdt", "title": "SSH - User Code Execution Exploit", "description": "Exploit for multiple platform in category remote exploits", "published": "2017-03-23T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://0day.today/exploit/description/27399", "cvelist": ["CVE-1999-0502"], "lastseen": "2018-01-02T03:17:37"}, {"id": "1337DAY-ID-20781", "type": "zdt", "title": "SSH User Code Execution Vulnerability", "description": "This Metasploit module utilizes a stager to upload a base64 encoded binary which is then decoded, chmod'ed and executed from the command shell.", "published": "2013-05-16T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://0day.today/exploit/description/20781", "cvelist": ["CVE-1999-0502"], "lastseen": "2018-01-02T19:09:15"}, {"id": "1337DAY-ID-23029", "type": "zdt", "title": "Varnish Cache CLI Interface Remote Code Execution Exploit", "description": "This Metasploit module attempts to login to the Varnish Cache (varnishd) CLI instance using a bruteforce list of passwords. This Metasploit module will also attempt to read the /etc/shadow root password hash if a valid password is found. It is possible to execute code as root with a valid password, however this is not yet implemented in this module.", "published": "2014-12-21T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://0day.today/exploit/description/23029", "cvelist": ["CVE-1999-0502", "CVE-2009-2936"], "lastseen": "2018-02-17T23:28:09"}], "packetstorm": [{"id": "PACKETSTORM:121655", "type": "packetstorm", "title": "SSH User Code Execution", "description": "", "published": "2013-05-15T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/121655/SSH-User-Code-Execution.html", "cvelist": ["CVE-1999-0502"], "lastseen": "2016-12-05T22:22:26"}, {"id": "PACKETSTORM:129674", "type": "packetstorm", "title": "Varnish Cache CLI Interface Remote Code Execution", "description": "", "published": "2014-12-20T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/129674/Varnish-Cache-CLI-Interface-Remote-Code-Execution.html", "cvelist": ["CVE-1999-0502", "CVE-2009-2936"], "lastseen": "2016-12-05T22:20:57"}], "saint": [{"id": "SAINT:BF189A05AE2FE4C91F81F7C6BF891621", "type": "saint", "title": "SSH password weakness", "description": "Added: 01/05/2011 \nCVE: [CVE-1999-0502](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0502>) \n\n\n### Background\n\nPasswords are the most commonly used method of authenticating users to a server. The combination of a login name and password is used to verify the identity of a user requesting access, and to determine what parts of the server the user has permission to access. \n\n### Problem\n\nAdministrators often set up new user accounts with no password or with a default password which is easy to guess. Additionally, some users may choose a simple password which is easy to remember. Null passwords and passwords that are very similar to the login name are an easy way for attackers to gain access to the system. \n\n### Resolution\n\nProtect all accounts with a password that cannot be guessed. Require users to choose passwords which are eight charactes long, including numeric and non-alphanumeric characters, and which are not based on the login name or any other personal information about the user. \n\n### References\n\n<http://www.securityfocus.com/infocus/1537> \n\n\n### Limitations\n\nThe target must be running the ssh service in order for the exploit to succeed. \n\nThe OpenSSH client must be installed on the SAINTexploit host. \n\n### Platforms\n\nLinux \nUnix \nCisco \n \n\n", "published": "2011-01-05T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ssh_login", "cvelist": ["CVE-1999-0502"], "lastseen": "2016-10-03T15:01:54"}, {"id": "SAINT:D03628286E2696A69838C01360532538", "type": "saint", "title": "SSH password weakness", "description": "Added: 01/05/2011 \nCVE: [CVE-1999-0502](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0502>) \n\n\n### Background\n\nPasswords are the most commonly used method of authenticating users to a server. The combination of a login name and password is used to verify the identity of a user requesting access, and to determine what parts of the server the user has permission to access. \n\n### Problem\n\nAdministrators often set up new user accounts with no password or with a default password which is easy to guess. Additionally, some users may choose a simple password which is easy to remember. Null passwords and passwords that are very similar to the login name are an easy way for attackers to gain access to the system. \n\n### Resolution\n\nProtect all accounts with a password that cannot be guessed. Require users to choose passwords which are eight charactes long, including numeric and non-alphanumeric characters, and which are not based on the login name or any other personal information about the user. \n\n### References\n\n<http://www.securityfocus.com/infocus/1537> \n\n\n### Limitations\n\nThe target must be running the ssh service in order for the exploit to succeed. \n\nThe OpenSSH client must be installed on the SAINTexploit host. \n\n### Platforms\n\nLinux \nUnix \nCisco \n \n\n", "published": "2011-01-05T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ssh_login", "cvelist": ["CVE-1999-0502"], "lastseen": "2016-12-14T16:58:04"}, {"id": "SAINT:713447983665FEF2B21EA1044C36B51E", "type": "saint", "title": "SSH password weakness", "description": "Added: 01/05/2011 \nCVE: [CVE-1999-0502](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0502>) \n\n\n### Background\n\nPasswords are the most commonly used method of authenticating users to a server. The combination of a login name and password is used to verify the identity of a user requesting access, and to determine what parts of the server the user has permission to access. \n\n### Problem\n\nAdministrators often set up new user accounts with no password or with a default password which is easy to guess. Additionally, some users may choose a simple password which is easy to remember. Null passwords and passwords that are very similar to the login name are an easy way for attackers to gain access to the system. \n\n### Resolution\n\nProtect all accounts with a password that cannot be guessed. Require users to choose passwords which are eight charactes long, including numeric and non-alphanumeric characters, and which are not based on the login name or any other personal information about the user. \n\n### References\n\n<http://www.securityfocus.com/infocus/1537> \n\n\n### Limitations\n\nThe target must be running the ssh service in order for the exploit to succeed. \n\nThe OpenSSH client must be installed on the SAINTexploit host. \n\n### Platforms\n\nLinux \nUnix \nCisco \n \n\n", "published": "2011-01-05T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ssh_login", "cvelist": ["CVE-1999-0502"], "lastseen": "2017-01-10T14:03:42"}], "rapid7community": [{"id": "RAPID7COMMUNITY:617B5BC20B34DB327AAA03E2FFF1602C", "type": "rapid7community", "title": "Metasploit Wrapup", "description": "<!-- [DocumentBodyStart:21bee29d-bc1c-445d-bbc8-c80143602f51] --><div class=\"jive-rendered-content\"><p>With Hacker Summer Camp 2017 wrapped up and folks now recovering from it, why not grab a drink and read up on what's new with Metasploit?</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2>Where there's smoke...</h2><p>At least <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fblob%2Fmaster%2Fdocumentation%2Fmodules%2Fexploit%2Flinux%2Fhttp%2Fipfire_oinkcode_exec.md\" rel=\"nofollow\" target=\"_blank\">a few versions</a> of open source firewall IPFire contain a post-auth RCE vulnerability, and we (well, you!) now have <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Flinux%2Fhttp%2Fipfire_oinkcode_exec\" target=\"_blank\">a module to help exploit that</a>. Due to how an incoming <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.snort.org%2Foinkcodes\" rel=\"nofollow\" target=\"_blank\">Snort Oinkcode</a> is processed via HTTP POST request, the IPFire software leaves itself open for shoving a payload in as the Oinkcode and having it executed. Like throwing water on an IPFire...</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2>Razer's edge</h2><p>Synapse, a computer peripheral configuration application from popular peripheral device vendor <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.razerzone.com%2F\" rel=\"nofollow\" target=\"_blank\">Razer</a>, contains an access control vulnerability in their rzpnk.sys driver. Exploiting this vuln allows privilege escalation, including reading and writing of other process' memory and remote code execution. And there's a <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Flocal%2Frazer_zwopenprocess\" target=\"_blank\">new module for this</a>. As of this writing, this vulnerability has not yet been patched (and considering Synapse will auto-install on peripheral connect—at least under Windows 10—there may be many susceptible targets out there!).</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2>Scanner Lightly</h2><p>And we've landed a few new aux modules for your scanning pleasure: <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Frdp%2Frdp_scanner\" target=\"_blank\">RDP</a> and <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fnntp%2Fnntp_login\" target=\"_blank\">NNTP</a>. While RDP is likely familiar to many readers, NNTP (<a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FNetwork_News_Transfer_Protocol\" rel=\"nofollow\" target=\"_blank\">Network News Transfer Protocol</a>) might be less so. But you never know what a target might be running...</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2>Mo' Meterpreter</h2><p>We've had some improvements to a couple of our Meterpreters to share.</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><em>Windows Meterpreter</em></p><ul><li>screen capture of <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwiki.archlinux.org%2Findex.php%2FHiDPI\" rel=\"nofollow\" target=\"_blank\">HiDPI</a> screen is now supported (and captures the full screen)</li><li>new threads are now automatically setup to not throw a dialog box or crash notification on failure</li></ul><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><em>macOS/OSX Meterpreter</em></p><ul><li>native-code Meterpreter now available</li><li>microphone audio streaming is supported</li></ul><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2>Feed me, RSS!</h2><p>Had a desire to follow what your sessions are up to via an RSS feed? If so, rejoice! There's now a <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fpull%2F8612\" rel=\"nofollow\" target=\"_blank\">new framework plugin</a> for doing exactly that thanks to <span class=\"citation\">@mubix</span>.</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2>Rise of the robots.txt</h2><p>In an effort to make framework's HttpServer a bit less leaky, <span class=\"citation\">@dbfarrow</span> added the ability to serve up a <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fpull%2F8735\" rel=\"nofollow\" target=\"_blank\">canned 'plz no crawl/index my pagez' robot.txt response</a> for clients who request it. And, for those clients who do request it and honor it, that canned response should be enough to shoo them off from accessing files HttpServer is hosting...</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2>New Modules</h2><p><em>Exploit modules</em> <em>(5 new)</em></p><ul><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Flinux%2Fhttp%2Fipfire_oinkcode_exec\" target=\"_blank\">IPFire proxy.cgi RCE</a> by 0x09AL and h00die</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fmulti%2Fmisc%2Fmsf_rpc_console\" target=\"_blank\">Metasploit RPC Console Command Execution</a> by Brendan Coles</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Funix%2Fwebapp%2Fvicidial_user_authorization_unauth_cmd_exec\" target=\"_blank\">VICIdial user_authorization Unauthenticated Command Execution</a> by Brendan Coles</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Fhttp%2Feasychatserver_seh\" target=\"_blank\">Easy Chat Server User Registeration Buffer Overflow (SEH)</a> by Aitezaz Mohsin and Marco Rivoli</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Flocal%2Frazer_zwopenprocess\" target=\"_blank\">Razer Synapse rzpnk.sys ZwOpenProcess</a> by Spencer McIntyre exploits CVE-2017-9769</li></ul><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><em>Auxiliary and post modules</em> <em>(2 new)</em></p><ul><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fnntp%2Fnntp_login\" target=\"_blank\">NNTP Login Utility</a> by Brendan Coles exploits CVE-1999-0502</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Frdp%2Frdp_scanner\" target=\"_blank\">Identify endpoints speaking the Remote Desktop Protocol (RDP)</a> by Jon Hart</li></ul><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2>Get it</h2><p>As always, you can update to the latest Metasploit Framework with <code>msfupdate</code> and you can get more details on the changes since the last blog post from GitHub:</p><ul><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fpulls%3Fq%3Dis%3Apr%2Bmerged%3A%25222017-07-12T17%3A05%3A27-05%3A00%2B..%2B2017-07-28T09%3A59%3A11-07%3A00%2522\" rel=\"nofollow\" target=\"_blank\">Pull Requsts 4.15.0...4.15.4</a></li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fcompare%2F4.15.0...4.15.4\" rel=\"nofollow\" target=\"_blank\">Full diff 4.15.0...4.15.4</a></li></ul><p>To install fresh, check out the open-source-only <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fwiki%2FNightly-Installers\" rel=\"nofollow\" target=\"_blank\">Nightly Installers</a>, or the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Fmetasploit%2Fdownload.jsp\" target=\"_blank\">binary installers</a> which also include the commercial editions.</p></div><!-- [DocumentBodyEnd:21bee29d-bc1c-445d-bbc8-c80143602f51] -->", "published": "2017-08-07T13:34:12", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://community.rapid7.com/community/metasploit/blog/2017/08/04/metasploit-wrapup", "cvelist": ["CVE-1999-0502", "CVE-2017-9769"], "lastseen": "2017-08-10T08:08:35"}]}}
