CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
EPSS
Percentile
79.5%
The remote device appears to be a HP StorageWorks MSA P2000 series.
There is a hidden, undocumented account named ‘admin’ secured with a default password of ‘!admin’.
A remote attacker can exploit this to gain privileged access to the management interface.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(51369);
script_version("1.29");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/08/05");
script_cve_id("CVE-2010-4115");
script_bugtraq_id(45386);
script_xref(name:"Secunia", value:"42583");
script_xref(name:"IAVB", value:"2010-B-0118-S");
script_name(english:"HP StorageWorks MSA P2000 Hidden 'admin' User Default Credentials");
script_summary(english:"Tries to login as admin / !admin");
script_set_attribute(
attribute:"synopsis",
value:"The remote device has an account with default credentials."
);
script_set_attribute(
attribute:"description",
value:
"The remote device appears to be a HP StorageWorks MSA P2000 series.
There is a hidden, undocumented account named 'admin' secured with a
default password of '!admin'.
A remote attacker can exploit this to gain privileged access to the
management interface."
);
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2010/Dec/102");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2010/Dec/260");
script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-12-015/");
# https://support.hpe.com/hpsc/doc/public/display?action=submitDocDisplay&docId=emr_na-c02660754
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?08b08d05");
script_set_attribute(attribute:"solution", value:
"Use the workaround described in the HP security bulletin SSRT100356.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2010-4115");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2010/12/13");
script_set_attribute(attribute:"patch_publication_date", value:"2010/12/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2010/12/23");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"stig_severity", value:"I");
script_set_attribute(attribute:"cpe", value:"cpe:/h:hp:storageworks_modular_smart_array");
script_set_attribute(attribute:"default_account", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Gain a shell remotely");
script_copyright(english:"This script is Copyright (C) 2010-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_detect.nasl", "telnet.nasl", "broken_web_server.nasl", "ftpserver_detect_type_nd_version.nasl", "DDI_FTP_Any_User_Login.nasl", "account_check.nasl");
script_require_ports("Services/ssh", 22, "Services/telnet", 23, "Services/ftp", 21);
script_exclude_keys("global_settings/supplied_logins_only");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("ssh_func.inc");
include("telnet_func.inc");
include("http.inc");
include("ftp_func.inc");
enable_ssh_wrappers();
if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);
LOGIN_SUCCESS = 0;
LOGIN_FAILED = -1;
PORT_CLOSED = -2;
CONNECTION_FAILED = -3;
NO_PROMPT = -4;
NO_RESPONSE = -5;
global_var user, errors;
function get_error_msg(code, port)
{
if (code == LOGIN_FAILED)
return 'The login attempt on port '+port+' failed.';
else if (code == PORT_CLOSED)
return 'Port '+port+' is not open.';
else if (code == CONNECTION_FAILED)
return 'Failed to open a socket on port '+port+'.';
else if (code == NO_PROMPT)
return 'Unable to get telnet prompt from port '+port+'.';
else if (code == NO_RESPONSE)
return 'The service on port '+port+' failed to respond.';
else
return 'Unexpected error on port '+port+'.';
}
function check_ssh(port, login, password)
{
local_var soc, res, line, payload, remote_channel;
checking_default_account_dont_report = TRUE;
if (!get_port_state(port)) return PORT_CLOSED;
# Prevent a FP
if ( get_kb_item("login/auth/broken") || get_kb_item("login/unix/auth/broken" ) ) return PORT_CLOSED;
_ssh_socket = open_sock_tcp(port);
if ( !_ssh_socket ) return CONNECTION_FAILED;
res = ssh_login(login:login, password:password);
if (res == LOGIN_SUCCESS)
{
# taken from default_account.inc
#
# Some SSH servers do not fully respect the SSH protocol - they
# claim that password authentication succeeded, but then
# they'll refuse any other command. The workaround here is to
# open a SSH, as if we wanted to create an interactive session.
#
# Note that we do not use ssh_open_channel() but a stripped down version
#
payload = putstring(buffer:"session") + raw_int32(i:1) + raw_int32(i:32768) + raw_int32(i:32768);
send_ssh_packet(payload:payload, code:raw_int8(i:90));
payload = recv_ssh_packet();
if ( !isnull(payload) )
{
# Fix for tectia AIX
if (ord(payload[0]) == 95)
{
payload = getstring(buffer:payload, pos:9);
payload = recv_ssh_packet();
}
if ( !isnull(payload) && ord(payload[0]) == 91 )
{
remote_channel = ntol(buffer:payload, begin:5);
payload = raw_int32(i:remote_channel) + putstring(buffer:"pty-req") + raw_int8(i:0) +
putstring(buffer:"vt100") + raw_int32(i:80) + raw_int32(i:24) + raw_int32(i:640) + raw_int32(i:480) +
putstring(buffer:
raw_int8(i:53) + raw_int32(i:0) +
raw_int8(i:72) + raw_int32(i:0) +
raw_int8(i:0));
# SSH_MSG_CHANNEL_REQUEST == 98
send_ssh_packet(payload:payload, code:raw_int8(i:98));
payload = raw_int32(i:remote_channel) + putstring(buffer:"shell") + raw_int8(i:0) ;
# SSH_MSG_CHANNEL_REQUEST == 98
send_ssh_packet(payload:payload, code:raw_int8(i:98));
payload = raw_int32(i:remote_channel) + putstring(buffer:'\n');
send_ssh_packet(payload:payload, code:raw_int8(i:94));
payload = recv_ssh_packet();
if ( !isnull(payload) && ord(payload[0]) == 94 )
{
payload = getstring(buffer:payload, pos:5);
# avoid false positives, such as with Infoblox
if (
"Domain (? for all)" >!< payload &&
"invalid login" >!< payload &&
("ogin:" >!< payload || "Last login: " >< payload) &&
"User Name:" >!< payload &&
"assword:" >!< payload
)
{
set_kb_blob(name:"hp_storageworks/"+port+"/payload", value:payload);
ssh_close_connection();
return LOGIN_SUCCESS;
}
}
}
}
}
ssh_close_connection();
return LOGIN_FAILED;
}
function check_telnet(port, login, password)
{
local_var soc, res, line;
if (!get_port_state(port)) return PORT_CLOSED;
soc = open_sock_tcp(port);
if(!soc) return CONNECTION_FAILED;
res = telnet_negotiate(socket:soc);
res += recv_until(socket:soc, pattern:"login:");
if (!res) return NO_PROMPT;
send(socket:soc, data:login + '\r\n');
res = recv_until(socket:soc, pattern:"Password:");
if (isnull(res))
{
close(soc);
return NO_RESPONSE;
}
send(socket:soc, data:password + '\r\n');
res = recv(socket:soc, length:256);
close(soc);
if (isnull(res)) return NO_RESPONSE;
if ('HP StorageWorks' >< res)
return LOGIN_SUCCESS;
else
return LOGIN_FAILED;
}
function check_web(port, login, password)
{
local_var soc, res, line;
if (!get_port_state(port)) return PORT_CLOSED;
}
function check_ftp(port, login, password)
{
local_var soc, res, line;
if (!get_port_state(port)) return PORT_CLOSED;
soc = open_sock_tcp(port);
if(!soc) return CONNECTION_FAILED;
res = ftp_authenticate(socket:soc, user:user, pass:pass);
close(soc);
if (res)
return LOGIN_SUCCESS;
else
return LOGIN_FAILED;
}
function check_result(port, status)
{
local_var report;
if (status == LOGIN_SUCCESS)
{
if (report_verbosity > 0)
{
report =
'\n Username : ' + user +
'\n Password : ' + pass + '\n';
security_hole(port:port, extra:report);
}
else security_hole(port);
exit(0);
}
else if (status == LOGIN_FAILED)
{
exit(0, 'Logging into the backdoor account failed on port '+port+'.');
}
else if (status != LOGIN_FAILED)
{
errors += get_error_msg(code:status, port:port) + ' '; # global
}
}
user = 'admin';
pass = '!admin';
errors = '';
# Check if each service was detected, and fall back to the
# well known ports by default
ssh_port = 22;
ssh_ports = get_kb_list('Services/ssh');
if (!isnull(ssh_ports))
{
ssh_ports = make_list(ssh_ports);
ssh_port = ssh_ports[0];
}
web_port = 80;
web_ports = get_kb_list('Services/www');
if (!isnull(web_ports))
{
foreach port (web_ports)
{
# There's a broken webserver that listens by default on
# TCP 5989 (WBEM over HTTPS?) which we don't want to test
if (!http_is_broken(port:port))
{
web_port = port;
break;
}
}
}
telnet_port = 23;
telnet_ports = get_kb_list('Services/telnet');
if (!isnull(telnet_ports))
{
telnet_ports = make_list(telnet_ports);
telnet_port = telnet_ports[0];
}
ftp_port = 21;
ftp_ports = get_kb_list('Services/ftp');
if (!isnull(ftp_ports))
{
ftp_ports = make_list(ftp_ports);
ftp_port = ftp_ports[0];
}
# Check each login method for the backdoor. check_result() will
# exit() on the first login success or failure (iff the failure is
# due to invalid credentials)
ret = check_ssh(port:ssh_port, login:user, password:pass);
check_result(port:ssh_port, status:ret);
#ret = check_web(port:web_port, login:user, password:pass);
#check_result(port:web_port, status:ret);
ret = check_telnet(port:telnet_port, login:user, password:pass);
check_result(port:telnet_port, status:ret);
# Avoid the possibility of testing a FTP server that accepts
# any username and password
if (
!get_kb_item('ftp/' + ftp_port + '/anonymous') &&
!get_kb_item('ftp/' + ftp_port + '/backdoor') &&
!get_kb_item('ftp/' + ftp_port + '/broken') &&
!get_kb_item('ftp/' + ftp_port + '/AnyUser')
)
{
ret = check_ftp(port:ftp_port, login:user, password:pass);
check_result(port:ftp_port, status:ret);
}
exit(1, 'Nessus was unable to determine if the backdoor is present due to the following errors: ' +errors);