HP LeftHand OS Console Discovery Detection

2013-02-14T00:00:00
ID HP_LEFTHAND_CONSOLE_DISCOVERY.NASL
Type nessus
Reporter Tenable
Modified 2017-06-30T00:00:00

Description

The HP LeftHand OS (formerly SAN/iQ) console discovery service, used by systems such as the HP Virtual SAN Appliance, is running on the remote host. This service allows management applications to discover storage nodes.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

# The UDP probe further down reads its reply with recvfrom(); stop early when the
# scan engine does not provide that builtin.
if (!defined_func("recvfrom")) exit(1, "recvfrom() not defined.");

include("compat.inc");

# Plugin registration. When `description` is set, this block only declares
# metadata and exits before any network probing takes place.
if (description)
{
  script_id(64631);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2017/06/30");

  script_name(english:"HP LeftHand OS Console Discovery Detection");
  script_summary(english:"Attempts to get info from the service");

  script_set_attribute(attribute:"synopsis", value:"A discovery service is running on the remote host.");
  script_set_attribute(attribute:"description", value:
"The HP LeftHand OS (formerly SAN/iQ) console discovery service, used
by systems such as the HP Virtual SAN Appliance, is running on the
remote host. This service allows management applications to discover
storage nodes.");
  # https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=StoreVirtualSW
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8cc8713e");
  # Pure detection: no remediation is offered and the finding is rated "None".
  # The reply parsed later in this script does disclose MAC address, hostname,
  # RAID configuration, software version, management group and model, so the
  # finding is still useful as an inventory/exposure signal.
  script_set_attribute(attribute:"solution", value:"n/a");
  script_set_attribute(attribute:"risk_factor", value:"None");

  script_set_attribute(attribute:"plugin_publication_date", value:"2013/02/14");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:san/iq");
  script_end_attributes();

  # Information-gathering category, filed under service detection.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Service detection");

  script_copyright(english:"This script is Copyright (C) 2013-2017 Tenable Network Security, Inc.");

  # Depends on find_service2.nasl and is tied to unidentified services plus the
  # default port 27491.
  script_dependencies("find_service2.nasl");
  script_require_ports("Services/unknown", 27491);

  exit(0);
}

include("audit.inc");
include("byte_func.inc");
include("global_settings.inc");
include("misc_func.inc");

# IPv6 targets are not probed. Both requests below embed get_host_ip() in the
# payload and the UDP reply is filtered on it.
# NOTE(review): presumably the protocol fields expect an IPv4 address - confirm.
if ( TARGET_IS_IPV6 ) exit(1, "IPv6 is not supported");

##
# Parses a console discovery reply and, when it looks genuine, registers the
# service, stores the advertised version in the KB and reports the finding.
#
# @param data  raw reply bytes (a run of NUL-delimited fields), or NULL
# @param port  port the reply is attributed to
# @param udp   TRUE when the reply was obtained over UDP; omitted for TCP
#
# @return TRUE if the service was recognised and reported, FALSE otherwise
#
# @remark Apart from the reply banner, no field is validated: every value is
#         taken from the remote host as received and copied into the report and
#         the KB, so consumers of the KB version should treat it as
#         unauthenticated input.
##
function check_results(data, port, udp)
{
  local_var parts, details, mgmt_group, kb_name;

  # No reply at all, so there is nothing to parse.
  if (isnull(data)) return FALSE;

  # The first field must be the reply banner.
  parts = split(data, sep:'\x00', keep:FALSE);
  if (parts[0] != 'NSMreply:ver0.01') return FALSE;

  details = '';

  if (parts[3] != '') details += '\n  MAC address : ' + parts[3];
  if (parts[5] != '') details += '\n  Hostname : ' + parts[5];
  if (parts[8] != '') details += '\n  RAID configuration : ' + parts[8];

  if (parts[9] != '')
  {
    # UDP and TCP results are kept under separate KB keys.
    if (udp) kb_name = 'lefthand_os/udp/' + port + '/version';
    else kb_name = 'lefthand_os/' + port + '/version';
    set_kb_item(name:kb_name, value:parts[9]);

    details += '\n  Software version : ' + parts[9];
  }

  if (parts[11] != '')
  {
    # 'NO_SYSTEM_ID' is shown as 'none' in the report.
    mgmt_group = parts[11];
    if (mgmt_group == 'NO_SYSTEM_ID') mgmt_group = 'none';
    details += '\n  Management group : ' + mgmt_group;
  }

  if (parts[13] != '') details += '\n  Model : ' + parts[13];

  # A genuine reply always carries at least one of the fields above; an empty
  # result suggests some other protocol answered with a matching banner.
  if (details == '') return FALSE;

  if (udp) register_service(port:port, proto:'saniq_console_discovery', ipproto:'udp');
  else register_service(port:port, proto:'saniq_console_discovery');

  replace_kb_item(name:"HP/LeftHandOS", value:TRUE);

  # The gathered details are attached only when report verbosity is above 0.
  if (report_verbosity > 0)
    details = '\nNessus was able to gather the following information :\n' + details + '\n';

  if (udp)
  {
    if (report_verbosity > 0) security_note(port:port, extra:details, proto:'udp');
    else security_note(port:port, proto:'udp');
  }
  else
  {
    if (report_verbosity > 0) security_note(port:port, extra:details);
    else security_note(port:port);
  }

  return TRUE;
}

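# first check UDP 27491
#
# The request names a local UDP port, and the reply is read from a second socket
# bound to that port rather than from the sending socket.
port = 27491;
soc = open_sock_udp(port);
if (soc)
{
  # soc2[0] is used below as the receiving socket and soc2[1] as its local port.
  soc2 = bind_sock_udp();

  # don't know what this function does when it fails, but this seems like a reasonable check
  if (!isnull(soc2) && soc2[0])
  {
    recv_soc = soc2[0];
    sport = soc2[1];

    req =
      'NSMRequest:ver0.01\x00' +
      sport + '\x00' +
      '14\x00' +
      'UDP_DIRECT:' + get_host_ip() + '\x00';
    send(socket:soc, data:req);
    close(soc);

    # Only a datagram claiming the target's address is accepted. UDP source
    # addresses can be forged, so the parsed fields remain unauthenticated.
    res = recvfrom(socket:recv_soc, src:get_host_ip(), port:sport);
    close(recv_soc);

    # Nothing to parse if no datagram came back.
    if (!isnull(res))
      udp_detected = check_results(data:res[0], port:port, udp:TRUE);
  }
  else
  {
    # No reply socket could be bound, so the probe is skipped. Release the
    # sending socket, which was previously left open on this path.
    close(soc);
  }
}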

# then check TCP. the plugin forks at this point if thorough_tests is enabled
#
# With thorough_tests the probe targets a port returned by get_unknown_svc()
# that must also pass silent_service(); otherwise only TCP 27491 is tried.
# The audit()/exit() calls below stop the script here, after any UDP result has
# already been reported by check_results().
if (thorough_tests)
{
  port = get_unknown_svc(27491);
  if (!port) audit(AUDIT_SVC_KNOWN);
  if (!silent_service(port)) audit(AUDIT_FN_FAIL, 'silent_service', strcat('false for port ', port));
}
else port = 27491;
# Skip ports that are already identified or that are closed.
if (known_service(port:port)) exit(0, 'The service listening on port ' + port + ' has already been identified.');
if (!get_tcp_port_state(port)) audit(AUDIT_PORT_CLOSED, port);

soc = open_sock_tcp(port);
if (soc)
{
  # Same NUL-delimited request as the UDP probe, with 'TCP_DIRECT:' as the
  # address prefix and a fixed '3449' in the position where the UDP request
  # carries the local reply port.
  # NOTE(review): the meaning of the '14' field is not visible here - confirm.
  req =
    'NSMRequest:ver0.01\x00' +
    '3449\x00' +
    '14\x00' +
    'TCP_DIRECT:' + get_host_ip() + '\x00';
  send(socket:soc, data:req);

  # the length isn't sent in the response, it's just a stream
  # of null delimited fields. 2k should be more than enough
  # NOTE(review): a single recv() is issued, so a reply that arrives in several
  # segments may be parsed with trailing fields missing - confirm.
  res = recv(socket:soc, length:2048);
  close(soc);
  # The reply is unauthenticated data from the target; check_results() checks
  # only the 'NSMreply:ver0.01' banner before using the remaining fields.
  tcp_detected = check_results(data:res, port:port);
}

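# Final status. Detections were already reported by check_results(), so only the
# transport(s) that did not answer are audited here.
# The UDP probe is only ever sent to 27491. By this point `port` holds the TCP
# port, which can differ under thorough_tests, so the UDP message names 27491
# explicitly instead of reusing `port`.
if (!udp_detected && !tcp_detected)
  exit(0, 'The service was not detected on UDP 27491 or TCP ' + port + '.');
else if (!udp_detected)
  audit(AUDIT_NOT_DETECT, 'Console Discovery', '27491 (UDP)');
else if (!tcp_detected)
  audit(AUDIT_NOT_DETECT, 'Console Discovery', port);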