ID INGRES_IIGCD_DETECT.NASL Type nessus Reporter Tenable Modified 2018-11-15T00:00:00
Description
The remote service is an Ingres Data Access Server, which translates requests from the JDBC driver and .NET Data Provider into an internal format and forwards them to the appropriate DBMS server.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(25636);
script_version("1.8");
script_cvs_date("Date: 2018/11/15 20:50:24");
script_name(english:"Ingres Data Access Server Detection");
script_summary(english:"Tries to log in to Ingres Data Access Server");
script_set_attribute(attribute:"synopsis", value:
"A database service is listening on the remote host." );
script_set_attribute(attribute:"description", value:
"The remote service is an Ingres Data Access Server, which translates requests
from the JDBC driver and .NET Data Provider into an internal format and forwards
them to the appropriate DBMS server." );
script_set_attribute(attribute:"see_also", value:"http://docs.actian.com" );
script_set_attribute(attribute:"solution", value:
"Limit incoming traffic to this port if desired." );
script_set_attribute(attribute:"risk_factor", value:"None" );
script_set_attribute(attribute:"plugin_publication_date", value: "2007/07/01");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Service detection");
script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
script_dependencies("find_service1.nasl");
script_require_ports("Services/unknown", 21071);
exit(0);
}
include("byte_func.inc");
include("global_settings.inc");
include("misc_func.inc");
if (thorough_tests && !get_kb_item("global_settings/disable_service_discovery") )
{
port = get_unknown_svc(21071);
if (!port) exit(0);
}
else port = 21071;
if (known_service(port:port)) exit(0);
if (!get_tcp_port_state(port)) exit(0);
soc = open_sock_tcp(port);
if (!soc) exit(0);
uid = "nessus";
db = "demodb";
user = SCRIPT_NAME;
my_host = this_host_name();
my_ip = this_host();
set_byte_order(BYTE_ORDER_LITTLE_ENDIAN);
# Try to initiate a connection.
init =
"JCTLCR" +
raw_string(0x01, 0x01, 0x02, 0x02, 0x01, 0x0f, 0x06, 0x04) +
"DMML" +
raw_string(
0x03, 0x0d, 0x01, 0x01, 0x06, 0x03, 0x08, 0xb8,
0x97, 0xc4, 0xdf, 0x07, 0x89, 0xe3, 0xf1
);
send(socket:soc, data:mkword(strlen(init)+2)+init);
res = recv(socket:soc, length:256, min:2);
# If it looks like that worked because...
if (
# the word at the first byte is the packet length and...
strlen(res) > 8 && getword(blob:res, pos:0) == strlen(res) &&
# the string after the packet length looks right and...
stridx(res, "JCTLCC") == 2 &&
# we see "DMML" in the output
"DMML" >< res
)
{
# Try to log in.
req =
"DMTLDTDMML" + # magic?
mkword(strlen(db+uid+user+my_host+my_ip)+37) +
raw_string(0x01, 0x03) + # ?
mkword(0x01) + # database
mkword(strlen(db)) + db +
mkword(0x02) + # db username
mkword(strlen(uid)) + uid +
mkword(0x03) + # encrypted password
mkword(0x08) +
raw_string(0xc8, 0xb6, 0xd1, 0x7e, 0x65, 0x26, 0x56, 0xcb) +
raw_string( # ?
0x10, 0x00, 0x01, 0x00, 0x01
) +
mkword(0x11) + # account username on client
mkword(strlen(user)) + user +
mkword(0x12) + # client hostname
mkword(strlen(my_host)) + my_host +
mkword(0x13) + # client ip
mkword(strlen(my_ip)) + my_ip;
send(socket:soc, data:mkword(strlen(req)+2)+req);
res = recv(socket:soc, length:256, min:2);
# If it looks like a valid response because...
if (
# the word at the first byte is the packet length and...
strlen(res) > 8 && getword(blob:res, pos:0) == strlen(res) &&
(
# either the server shut down the connection or...
stridx(res, "DMTLDR") == 2 ||
(
# the string after the packet length looks right and...
stridx(res, "DMTLDTDMML") == 2 &&
# we see "DMML" in the output
"DMML" >< res
)
)
)
{
# Shut down the connection cleanly unless the server's already done that.
if ("DMTLDR" >!< res)
{
req = "DMTLDR";
send(socket:soc, data:mkword(strlen(req)+2)+req);
res = recv(socket:soc, length:256, min:2);
}
# Register and report the service.
register_service(port:port, ipproto:"tcp", proto:"iigcd");
security_note(port);
}
}
close(soc);
{"id": "INGRES_IIGCD_DETECT.NASL", "bulletinFamily": "scanner", "title": "Ingres Data Access Server Detection", "description": "The remote service is an Ingres Data Access Server, which translates requests from the JDBC driver and .NET Data Provider into an internal format and forwards them to the appropriate DBMS server.", "published": "2007-07-01T00:00:00", "modified": "2018-11-15T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=25636", "reporter": "Tenable", "references": ["http://docs.actian.com"], "cvelist": [], "type": "nessus", "lastseen": "2019-02-21T01:09:58", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The remote service is an Ingres Data Access Server, which translates requests \nfrom the JDBC driver and .NET Data Provider into an internal format and forwards\nthem to the appropriate DBMS server.", "edition": 3, "enchantments": {"dependencies": {"modified": "2019-01-16T20:07:23", "references": [{"idList": ["PCI_REACHABLE_DATABASE.NASL"], "type": "nessus"}]}, "score": {"value": 5.0, "vector": "NONE"}}, "hash": "176fa01fe2fdc49f23c5457a44f2bc9233672db4fd74fc882d72d42c40dc75d8", "hashmap": [{"hash": "c7c2a1d95fa87ba46b6887a91f1d7a30", "key": "sourceData"}, {"hash": "9ab312a52a5c26af7f3e5dffd6a7e37a", "key": "description"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "015cb78ce50d3bd4e2fbe18f25603329", "key": "modified"}, {"hash": "a3d3c73c01505d0383b007174b5bb5ac", "key": "naslFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "9ce2a11c44e387bd4f6e37c1a01c24cd", "key": "href"}, {"hash": "dc52badd8294721323bb558c7467dd52", "key": "title"}, {"hash": "a6b86597c4d55f4a4a95ec3419cfabfa", "key": "references"}, {"hash": "6b414e12f75511d55a834b5e039b9feb", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "90256d5c6119498ae5e11944224ee417", "key": "pluginID"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=25636", "id": "INGRES_IIGCD_DETECT.NASL", "lastseen": "2019-01-16T20:07:23", "modified": "2018-11-15T00:00:00", "naslFamily": "Service detection", "objectVersion": "1.3", "pluginID": "25636", "published": "2007-07-01T00:00:00", "references": ["http://docs.actian.com"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25636);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/11/15 20:50:24\");\n\n script_name(english:\"Ingres Data Access Server Detection\");\n script_summary(english:\"Tries to log in to Ingres Data Access Server\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A database service is listening on the remote host.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote service is an Ingres Data Access Server, which translates requests \nfrom the JDBC driver and .NET Data Provider into an internal format and forwards\nthem to the appropriate DBMS server.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://docs.actian.com\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Limit incoming traffic to this port if desired.\" );\n script_set_attribute(attribute:\"risk_factor\", value:\"None\" );\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/07/01\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Service detection\");\n\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"find_service1.nasl\");\n script_require_ports(\"Services/unknown\", 21071);\n\n exit(0);\n}\n\n\ninclude(\"byte_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nif (thorough_tests && !get_kb_item(\"global_settings/disable_service_discovery\") )\n{\n port = get_unknown_svc(21071);\n if (!port) exit(0);\n}\nelse port = 21071;\nif (known_service(port:port)) exit(0);\nif (!get_tcp_port_state(port)) exit(0);\n\n\nsoc = open_sock_tcp(port);\nif (!soc) exit(0);\n\n\nuid = \"nessus\";\ndb = \"demodb\";\nuser = SCRIPT_NAME;\nmy_host = this_host_name();\nmy_ip = this_host();\nset_byte_order(BYTE_ORDER_LITTLE_ENDIAN);\n\n\n# Try to initiate a connection.\ninit = \n \"JCTLCR\" + \n raw_string(0x01, 0x01, 0x02, 0x02, 0x01, 0x0f, 0x06, 0x04) +\n \"DMML\" +\n raw_string(\n 0x03, 0x0d, 0x01, 0x01, 0x06, 0x03, 0x08, 0xb8,\n 0x97, 0xc4, 0xdf, 0x07, 0x89, 0xe3, 0xf1\n );\nsend(socket:soc, data:mkword(strlen(init)+2)+init);\nres = recv(socket:soc, length:256, min:2);\n\n\n# If it looks like that worked because...\nif (\n # the word at the first byte is the packet length and...\n strlen(res) > 8 && getword(blob:res, pos:0) == strlen(res) &&\n # the string after the packet length looks right and...\n stridx(res, \"JCTLCC\") == 2 &&\n # we see \"DMML\" in the output\n \"DMML\" >< res\n) \n{\n # Try to log in.\n req = \n \"DMTLDTDMML\" + # magic?\n mkword(strlen(db+uid+user+my_host+my_ip)+37) +\n raw_string(0x01, 0x03) + # ?\n mkword(0x01) + # database\n mkword(strlen(db)) + db +\n mkword(0x02) + # db username \n mkword(strlen(uid)) + uid +\n mkword(0x03) + # encrypted password\n mkword(0x08) + \n raw_string(0xc8, 0xb6, 0xd1, 0x7e, 0x65, 0x26, 0x56, 0xcb) +\n raw_string( # ?\n 0x10, 0x00, 0x01, 0x00, 0x01\n ) +\n mkword(0x11) + # account username on client\n mkword(strlen(user)) + user +\n mkword(0x12) + # client hostname\n mkword(strlen(my_host)) + my_host +\n mkword(0x13) + # client ip\n mkword(strlen(my_ip)) + my_ip;\n send(socket:soc, data:mkword(strlen(req)+2)+req);\n res = recv(socket:soc, length:256, min:2);\n\n # If it looks like a valid response because...\n if (\n # the word at the first byte is the packet length and...\n strlen(res) > 8 && getword(blob:res, pos:0) == strlen(res) &&\n (\n # either the server shut down the connection or...\n stridx(res, \"DMTLDR\") == 2 ||\n (\n # the string after the packet length looks right and...\n stridx(res, \"DMTLDTDMML\") == 2 &&\n # we see \"DMML\" in the output\n \"DMML\" >< res\n )\n )\n )\n {\n # Shut down the connection cleanly unless the server's already done that.\n if (\"DMTLDR\" >!< res)\n {\n req = \"DMTLDR\";\n send(socket:soc, data:mkword(strlen(req)+2)+req);\n res = recv(socket:soc, length:256, min:2);\n }\n\n # Register and report the service.\n register_service(port:port, ipproto:\"tcp\", proto:\"iigcd\");\n security_note(port);\n }\n}\nclose(soc);\n", "title": "Ingres Data Access Server Detection", "type": "nessus", "viewCount": 5}, "differentElements": ["description"], "edition": 3, "lastseen": "2019-01-16T20:07:23"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The remote service is an Ingres Data Access Server, which translates requests from the JDBC driver and .NET Data Provider into an internal format and forwards them to the appropriate DBMS server.", "edition": 1, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "7786d5ca7ccbafd8c09cda183aa79fc99e58408020c70228c06a48d6ae9ed6cb", "hashmap": [{"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "0b641e186e1f68945e42e99b9bd4fbd7", "key": "modified"}, {"hash": "229c5e877ec59f26a35b869526a81b44", "key": "references"}, {"hash": "a3d3c73c01505d0383b007174b5bb5ac", "key": "naslFamily"}, {"hash": "b9fd76ffc28ee667faa174510a48ff5c", "key": "sourceData"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "9ce2a11c44e387bd4f6e37c1a01c24cd", "key": "href"}, {"hash": "dc52badd8294721323bb558c7467dd52", "key": "title"}, {"hash": "6b414e12f75511d55a834b5e039b9feb", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "90256d5c6119498ae5e11944224ee417", "key": "pluginID"}, {"hash": "a224107d4a393f0a2aa278771ccbfe3f", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=25636", "id": "INGRES_IIGCD_DETECT.NASL", "lastseen": "2016-09-26T17:23:50", "modified": "2011-03-11T00:00:00", "naslFamily": "Service detection", "objectVersion": "1.2", "pluginID": "25636", "published": "2007-07-01T00:00:00", "references": ["http://docs.ingres.com/connectivity/toc"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25636);\n script_version(\"$Revision: 1.7 $\");\n script_cvs_date(\"$Date: 2011/03/11 21:18:08 $\");\n\n script_name(english:\"Ingres Data Access Server Detection\");\n script_summary(english:\"Tries to log in to Ingres Data Access Server\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A database service is listening on the remote host.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote service is an Ingres Data Access Server, which translates requests \nfrom the JDBC driver and .NET Data Provider into an internal format and forwards\nthem to the appropriate DBMS server.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://docs.ingres.com/connectivity/toc\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Limit incoming traffic to this port if desired.\" );\n script_set_attribute(attribute:\"risk_factor\", value:\"None\" );\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/07/01\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Service detection\");\n\n script_copyright(english:\"This script is Copyright (C) 2007-2011 Tenable Network Security, Inc.\");\n\n script_dependencies(\"find_service1.nasl\");\n script_require_ports(\"Services/unknown\", 21071);\n\n exit(0);\n}\n\n\ninclude(\"byte_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nif (thorough_tests && !get_kb_item(\"global_settings/disable_service_discovery\") )\n{\n port = get_unknown_svc(21071);\n if (!port) exit(0);\n}\nelse port = 21071;\nif (known_service(port:port)) exit(0);\nif (!get_tcp_port_state(port)) exit(0);\n\n\nsoc = open_sock_tcp(port);\nif (!soc) exit(0);\n\n\nuid = \"nessus\";\ndb = \"demodb\";\nuser = SCRIPT_NAME;\nmy_host = this_host_name();\nmy_ip = this_host();\nset_byte_order(BYTE_ORDER_LITTLE_ENDIAN);\n\n\n# Try to initiate a connection.\ninit = \n \"JCTLCR\" + \n raw_string(0x01, 0x01, 0x02, 0x02, 0x01, 0x0f, 0x06, 0x04) +\n \"DMML\" +\n raw_string(\n 0x03, 0x0d, 0x01, 0x01, 0x06, 0x03, 0x08, 0xb8,\n 0x97, 0xc4, 0xdf, 0x07, 0x89, 0xe3, 0xf1\n );\nsend(socket:soc, data:mkword(strlen(init)+2)+init);\nres = recv(socket:soc, length:256, min:2);\n\n\n# If it looks like that worked because...\nif (\n # the word at the first byte is the packet length and...\n strlen(res) > 8 && getword(blob:res, pos:0) == strlen(res) &&\n # the string after the packet length looks right and...\n stridx(res, \"JCTLCC\") == 2 &&\n # we see \"DMML\" in the output\n \"DMML\" >< res\n) \n{\n # Try to log in.\n req = \n \"DMTLDTDMML\" + # magic?\n mkword(strlen(db+uid+user+my_host+my_ip)+37) +\n raw_string(0x01, 0x03) + # ?\n mkword(0x01) + # database\n mkword(strlen(db)) + db +\n mkword(0x02) + # db username \n mkword(strlen(uid)) + uid +\n mkword(0x03) + # encrypted password\n mkword(0x08) + \n raw_string(0xc8, 0xb6, 0xd1, 0x7e, 0x65, 0x26, 0x56, 0xcb) +\n raw_string( # ?\n 0x10, 0x00, 0x01, 0x00, 0x01\n ) +\n mkword(0x11) + # account username on client\n mkword(strlen(user)) + user +\n mkword(0x12) + # client hostname\n mkword(strlen(my_host)) + my_host +\n mkword(0x13) + # client ip\n mkword(strlen(my_ip)) + my_ip;\n send(socket:soc, data:mkword(strlen(req)+2)+req);\n res = recv(socket:soc, length:256, min:2);\n\n # If it looks like a valid response because...\n if (\n # the word at the first byte is the packet length and...\n strlen(res) > 8 && getword(blob:res, pos:0) == strlen(res) &&\n (\n # either the server shut down the connection or...\n stridx(res, \"DMTLDR\") == 2 ||\n (\n # the string after the packet length looks right and...\n stridx(res, \"DMTLDTDMML\") == 2 &&\n # we see \"DMML\" in the output\n \"DMML\" >< res\n )\n )\n )\n {\n # Shut down the connection cleanly unless the server's already done that.\n if (\"DMTLDR\" >!< res)\n {\n req = \"DMTLDR\";\n send(socket:soc, data:mkword(strlen(req)+2)+req);\n res = recv(socket:soc, length:256, min:2);\n }\n\n # Register and report the service.\n register_service(port:port, ipproto:\"tcp\", proto:\"iigcd\");\n security_note(port);\n }\n}\nclose(soc);\n", "title": "Ingres Data Access Server Detection", "type": "nessus", "viewCount": 0}, "differentElements": ["references", "modified", "sourceData"], "edition": 1, "lastseen": "2016-09-26T17:23:50"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The remote service is an Ingres Data Access Server, which translates requests from the JDBC driver and .NET Data Provider into an internal format and forwards them to the appropriate DBMS server.", "edition": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "25970a822a2398e642b66c649334908726bd60ad16bb8ee1ec2a5070967ab4b9", "hashmap": [{"hash": "c7c2a1d95fa87ba46b6887a91f1d7a30", "key": "sourceData"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "015cb78ce50d3bd4e2fbe18f25603329", "key": "modified"}, {"hash": "a3d3c73c01505d0383b007174b5bb5ac", "key": "naslFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "9ce2a11c44e387bd4f6e37c1a01c24cd", "key": "href"}, {"hash": "dc52badd8294721323bb558c7467dd52", "key": "title"}, {"hash": "a6b86597c4d55f4a4a95ec3419cfabfa", "key": "references"}, {"hash": "6b414e12f75511d55a834b5e039b9feb", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "90256d5c6119498ae5e11944224ee417", "key": "pluginID"}, {"hash": "a224107d4a393f0a2aa278771ccbfe3f", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=25636", "id": "INGRES_IIGCD_DETECT.NASL", "lastseen": "2018-11-17T02:54:15", "modified": "2018-11-15T00:00:00", "naslFamily": "Service detection", "objectVersion": "1.3", "pluginID": "25636", "published": "2007-07-01T00:00:00", "references": ["http://docs.actian.com"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25636);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/11/15 20:50:24\");\n\n script_name(english:\"Ingres Data Access Server Detection\");\n script_summary(english:\"Tries to log in to Ingres Data Access Server\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A database service is listening on the remote host.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote service is an Ingres Data Access Server, which translates requests \nfrom the JDBC driver and .NET Data Provider into an internal format and forwards\nthem to the appropriate DBMS server.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://docs.actian.com\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Limit incoming traffic to this port if desired.\" );\n script_set_attribute(attribute:\"risk_factor\", value:\"None\" );\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/07/01\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Service detection\");\n\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"find_service1.nasl\");\n script_require_ports(\"Services/unknown\", 21071);\n\n exit(0);\n}\n\n\ninclude(\"byte_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nif (thorough_tests && !get_kb_item(\"global_settings/disable_service_discovery\") )\n{\n port = get_unknown_svc(21071);\n if (!port) exit(0);\n}\nelse port = 21071;\nif (known_service(port:port)) exit(0);\nif (!get_tcp_port_state(port)) exit(0);\n\n\nsoc = open_sock_tcp(port);\nif (!soc) exit(0);\n\n\nuid = \"nessus\";\ndb = \"demodb\";\nuser = SCRIPT_NAME;\nmy_host = this_host_name();\nmy_ip = this_host();\nset_byte_order(BYTE_ORDER_LITTLE_ENDIAN);\n\n\n# Try to initiate a connection.\ninit = \n \"JCTLCR\" + \n raw_string(0x01, 0x01, 0x02, 0x02, 0x01, 0x0f, 0x06, 0x04) +\n \"DMML\" +\n raw_string(\n 0x03, 0x0d, 0x01, 0x01, 0x06, 0x03, 0x08, 0xb8,\n 0x97, 0xc4, 0xdf, 0x07, 0x89, 0xe3, 0xf1\n );\nsend(socket:soc, data:mkword(strlen(init)+2)+init);\nres = recv(socket:soc, length:256, min:2);\n\n\n# If it looks like that worked because...\nif (\n # the word at the first byte is the packet length and...\n strlen(res) > 8 && getword(blob:res, pos:0) == strlen(res) &&\n # the string after the packet length looks right and...\n stridx(res, \"JCTLCC\") == 2 &&\n # we see \"DMML\" in the output\n \"DMML\" >< res\n) \n{\n # Try to log in.\n req = \n \"DMTLDTDMML\" + # magic?\n mkword(strlen(db+uid+user+my_host+my_ip)+37) +\n raw_string(0x01, 0x03) + # ?\n mkword(0x01) + # database\n mkword(strlen(db)) + db +\n mkword(0x02) + # db username \n mkword(strlen(uid)) + uid +\n mkword(0x03) + # encrypted password\n mkword(0x08) + \n raw_string(0xc8, 0xb6, 0xd1, 0x7e, 0x65, 0x26, 0x56, 0xcb) +\n raw_string( # ?\n 0x10, 0x00, 0x01, 0x00, 0x01\n ) +\n mkword(0x11) + # account username on client\n mkword(strlen(user)) + user +\n mkword(0x12) + # client hostname\n mkword(strlen(my_host)) + my_host +\n mkword(0x13) + # client ip\n mkword(strlen(my_ip)) + my_ip;\n send(socket:soc, data:mkword(strlen(req)+2)+req);\n res = recv(socket:soc, length:256, min:2);\n\n # If it looks like a valid response because...\n if (\n # the word at the first byte is the packet length and...\n strlen(res) > 8 && getword(blob:res, pos:0) == strlen(res) &&\n (\n # either the server shut down the connection or...\n stridx(res, \"DMTLDR\") == 2 ||\n (\n # the string after the packet length looks right and...\n stridx(res, \"DMTLDTDMML\") == 2 &&\n # we see \"DMML\" in the output\n \"DMML\" >< res\n )\n )\n )\n {\n # Shut down the connection cleanly unless the server's already done that.\n if (\"DMTLDR\" >!< res)\n {\n req = \"DMTLDR\";\n send(socket:soc, data:mkword(strlen(req)+2)+req);\n res = recv(socket:soc, length:256, min:2);\n }\n\n # Register and report the service.\n register_service(port:port, ipproto:\"tcp\", proto:\"iigcd\");\n security_note(port);\n }\n}\nclose(soc);\n", "title": "Ingres Data Access Server Detection", "type": "nessus", "viewCount": 5}, "differentElements": ["description"], "edition": 2, "lastseen": "2018-11-17T02:54:15"}], "edition": 4, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "a224107d4a393f0a2aa278771ccbfe3f"}, {"key": "href", "hash": "9ce2a11c44e387bd4f6e37c1a01c24cd"}, {"key": "modified", "hash": "015cb78ce50d3bd4e2fbe18f25603329"}, {"key": "naslFamily", "hash": "a3d3c73c01505d0383b007174b5bb5ac"}, {"key": "pluginID", "hash": "90256d5c6119498ae5e11944224ee417"}, {"key": "published", "hash": "6b414e12f75511d55a834b5e039b9feb"}, {"key": "references", "hash": "a6b86597c4d55f4a4a95ec3419cfabfa"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "c7c2a1d95fa87ba46b6887a91f1d7a30"}, {"key": "title", "hash": "dc52badd8294721323bb558c7467dd52"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "25970a822a2398e642b66c649334908726bd60ad16bb8ee1ec2a5070967ab4b9", "viewCount": 5, "enchantments": {"dependencies": {"references": [{"type": "nessus", "idList": ["PCI_REACHABLE_DATABASE.NASL"]}], "modified": "2019-02-21T01:09:58"}, "score": {"value": 5.0, "vector": "NONE"}, "vulnersScore": 5.0}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25636);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/11/15 20:50:24\");\n\n script_name(english:\"Ingres Data Access Server Detection\");\n script_summary(english:\"Tries to log in to Ingres Data Access Server\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A database service is listening on the remote host.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote service is an Ingres Data Access Server, which translates requests \nfrom the JDBC driver and .NET Data Provider into an internal format and forwards\nthem to the appropriate DBMS server.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://docs.actian.com\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Limit incoming traffic to this port if desired.\" );\n script_set_attribute(attribute:\"risk_factor\", value:\"None\" );\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/07/01\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Service detection\");\n\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"find_service1.nasl\");\n script_require_ports(\"Services/unknown\", 21071);\n\n exit(0);\n}\n\n\ninclude(\"byte_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nif (thorough_tests && !get_kb_item(\"global_settings/disable_service_discovery\") )\n{\n port = get_unknown_svc(21071);\n if (!port) exit(0);\n}\nelse port = 21071;\nif (known_service(port:port)) exit(0);\nif (!get_tcp_port_state(port)) exit(0);\n\n\nsoc = open_sock_tcp(port);\nif (!soc) exit(0);\n\n\nuid = \"nessus\";\ndb = \"demodb\";\nuser = SCRIPT_NAME;\nmy_host = this_host_name();\nmy_ip = this_host();\nset_byte_order(BYTE_ORDER_LITTLE_ENDIAN);\n\n\n# Try to initiate a connection.\ninit = \n \"JCTLCR\" + \n raw_string(0x01, 0x01, 0x02, 0x02, 0x01, 0x0f, 0x06, 0x04) +\n \"DMML\" +\n raw_string(\n 0x03, 0x0d, 0x01, 0x01, 0x06, 0x03, 0x08, 0xb8,\n 0x97, 0xc4, 0xdf, 0x07, 0x89, 0xe3, 0xf1\n );\nsend(socket:soc, data:mkword(strlen(init)+2)+init);\nres = recv(socket:soc, length:256, min:2);\n\n\n# If it looks like that worked because...\nif (\n # the word at the first byte is the packet length and...\n strlen(res) > 8 && getword(blob:res, pos:0) == strlen(res) &&\n # the string after the packet length looks right and...\n stridx(res, \"JCTLCC\") == 2 &&\n # we see \"DMML\" in the output\n \"DMML\" >< res\n) \n{\n # Try to log in.\n req = \n \"DMTLDTDMML\" + # magic?\n mkword(strlen(db+uid+user+my_host+my_ip)+37) +\n raw_string(0x01, 0x03) + # ?\n mkword(0x01) + # database\n mkword(strlen(db)) + db +\n mkword(0x02) + # db username \n mkword(strlen(uid)) + uid +\n mkword(0x03) + # encrypted password\n mkword(0x08) + \n raw_string(0xc8, 0xb6, 0xd1, 0x7e, 0x65, 0x26, 0x56, 0xcb) +\n raw_string( # ?\n 0x10, 0x00, 0x01, 0x00, 0x01\n ) +\n mkword(0x11) + # account username on client\n mkword(strlen(user)) + user +\n mkword(0x12) + # client hostname\n mkword(strlen(my_host)) + my_host +\n mkword(0x13) + # client ip\n mkword(strlen(my_ip)) + my_ip;\n send(socket:soc, data:mkword(strlen(req)+2)+req);\n res = recv(socket:soc, length:256, min:2);\n\n # If it looks like a valid response because...\n if (\n # the word at the first byte is the packet length and...\n strlen(res) > 8 && getword(blob:res, pos:0) == strlen(res) &&\n (\n # either the server shut down the connection or...\n stridx(res, \"DMTLDR\") == 2 ||\n (\n # the string after the packet length looks right and...\n stridx(res, \"DMTLDTDMML\") == 2 &&\n # we see \"DMML\" in the output\n \"DMML\" >< res\n )\n )\n )\n {\n # Shut down the connection cleanly unless the server's already done that.\n if (\"DMTLDR\" >!< res)\n {\n req = \"DMTLDR\";\n send(socket:soc, data:mkword(strlen(req)+2)+req);\n res = recv(socket:soc, length:256, min:2);\n }\n\n # Register and report the service.\n register_service(port:port, ipproto:\"tcp\", proto:\"iigcd\");\n security_note(port);\n }\n}\nclose(soc);\n", "naslFamily": "Service detection", "pluginID": "25636", "cpe": [], "scheme": null}
{"nessus": [{"lastseen": "2019-02-21T01:15:52", "bulletinFamily": "scanner", "description": "The remote host is running a database server that is reachable from the Internet. This violates PCI DSS, section 1.3.7.", "modified": "2018-11-15T00:00:00", "id": "PCI_REACHABLE_DATABASE.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=57581", "published": "2012-01-17T00:00:00", "title": "PCI DSS Compliance : Database Reachable from the Internet", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(57581);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/11/15 20:50:24\");\n\n script_name(english:\"PCI DSS Compliance : Database Reachable from the Internet\");\n script_summary(english:\"Checks a host for PCI DSS compliance\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"Nessus has determined that this host is NOT COMPLIANT with PCI DSS\nrequirements.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is running a database server that is reachable from\nthe Internet. This violates PCI DSS, section 1.3.7.\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Filter incoming traffic to this port.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.pcisecuritystandards.org/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://en.wikipedia.org/wiki/PCI_DSS\"\n );\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/01/17\");\n script_set_attribute(attribute:\"plugin_type\", value:\"summary\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Policy Compliance\");\n script_copyright(english:\"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\n \"find_service1.nasl\", \"find_service2.nasl\",\n \"mssqlserver_detect.nasl\",\n \"sybase_detect.nasl\",\n \"mysql_unpassworded.nasl\",\n \"oracle_detect.nbin\",\n \"informix_detect.nasl\",\n \"db2_connection_port_detect.nasl\", \"db2_das_detect.nasl\",\n \"db2_interrupt_port_detect.nasl\", \"firebird_detect.nasl\",\n \"ingres_iigcd_detect.nasl\", \"ingres_iigcc_detect.nasl\",\n \"openbase_detect.nasl\", \"postgresql_detect.nasl\", \"soliddb_detect.nasl\",\n \"btrieve_detect.nasl\", \"derby_network_server_detect.nasl\",\n \"hsqldb_detect.nasl\", \"sapdb_detect.nasl\", \"soliddb_detect.nasl\",\n \"versant_oscssd_detect.nasl\", \"sqlanywhere_detect.nbin\",\n \"mongodb_detect.nasl\", \"mongodb_web_admin_detect.nasl\",\n \"memcached_detect.nasl\",\n \"http_version.nasl\",\n \"elasticsearch_detect.nbin\");\n exit(0);\n}\n\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('network_func.inc');\n\nif (!get_kb_item(\"Settings/PCI_DSS\")) exit(0, \"PCI-DSS compliance checking is not enabled.\");\n\n\n\nif (is_private_addr(addr: get_host_ip()) )\n on_internet = 0;\nelse\n on_internet = 1;\n\nif (on_internet == 0) exit(1, \"Nessus can not make a determination because the target has a private address.\");\n\n\ndb_l = make_array(\n 'versant_sqlnw', 'Versant SQL Listener',\n 'mysql', 'MySQL server',\n 'mysql_im', 'MySQL Instance Manager',\n 'versant_sqlnw', 'Versant SQL Listener',\n 'postgresql', 'PostgreSQL server',\n 'mssql', 'MS SQL server',\n 'sybase', 'Sybase / SQL server',\n 'sqlanywhere', 'Sybase SQL Anywhere',\n 'oracle_tnslsnr', 'Oracle TNS listener',\n 'informix', 'Informix server',\n 'db2c_db2', 'DB2 connection port',\n 'db2i_db2', 'DB2 interrupt port', # ?\n 'db2das', 'DB2 Administration Server', # ?\n 'db2', 'DB2 server',\n 'gds_db', 'Firebird / Interbase server',\n 'iigcd', 'Ingres Data Access Server',\n 'iigcc', 'Ingres Communications Server',\n 'openbase', 'Openbase server',\n # 'openbase_admin', 'Openbase administration server',\n 'btrieve', 'Pervasive PSQL / Btrieve server',\n 'derby', 'Derby Network Server',\n 'hsqldb', 'HSQLDB server',\n 'sap_db_vserver', 'SAP DB',\n 'soliddb', 'solidDB server',\n 'versant_oscssd', 'Versant connection services daemon',\n 'mongodb', 'MongoDB Server',\n 'mongodb_rest', 'MongoDB REST Interface',\n 'memcached', 'memcached daemon',\n 'elasticsearch', 'Elasticsearch server',\n 'redis_server', 'Redis key-value store',\n 'frontbase_db', 'Frontbase server',\n 'transbase', 'Transbase server',\n 'sphinxql', 'Sphinx search server',\n 'oracledb', 'Oracle XML DB/Oracle Database'\n);\nl = '';\nforeach svc (keys(db_l))\n{\n if (svc == 'mongodb_rest')\n ports = get_kb_list('mongodb_rest');\n else if (svc == 'oracledb')\n ports = get_kb_list('www/oracledb/port');\n else\n ports = get_kb_list('Services/'+svc);\n\n if (! isnull(ports))\n {\n foreach p (ports)\n {\n if (get_kb_item(svc+'/blocked/'+p)) continue;\n security_hole(port: p, extra: (\"\nA \" + db_l[svc] + \" is listening on this port.\nDatabases should not be reachable from Internet, according to PCI DSS.\n\"));\n }\n }\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}]}
