Lucene search
K

NetIQ Privileged User Manager Default Admin Password

🗓️ 21 Nov 2012 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 29 Views

NetIQ Privileged User Manager Default Admin Passwor

Code
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(62990);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_xref(name:"EDB-ID", value:"22737");

  script_name(english:"NetIQ Privileged User Manager Default Admin Password");
  script_summary(english:"Tries to login using default password");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts a web application that is protected by
known default credentials.");
  script_set_attribute(attribute:"description", value:
"Nessus was able to login to the NetIQ Privileged User Manager install
running on the remote host using default, known credentials for the
'admin' user.");
  script_set_attribute(attribute:"solution", value:"Change the default 'admin' password.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_publication_date", value:"2012/11/21");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:netiq:privileged_user_manager");
  script_set_attribute(attribute:"default_account", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2012-2021 Tenable Network Security, Inc.");

  script_dependencies("netiq_pum_detect.nasl");
  script_require_ports("Services/www", 80, 443);
  script_exclude_keys("global_settings/supplied_logins_only", "Settings/disable_cgi_scanning");
  script_require_keys("www/netiq_pum");

  exit(0);
}

include("audit.inc");
include("byte_func.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

# app runs on port 443 by default, but can be configured to run on port 80
port = get_http_port(default:443);

appname = "NetIQ Privileged User Manager";
kb_appname = "netiq_pum";

install = get_install_from_kb(appname:kb_appname, port:port, exit_on_fail:TRUE);
dir = install['dir'];

if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);

admin_password = "novell";

# Login
# AMF encoded data
postdata=
  raw_string(0x00,0x00,0x00,0x00,0x00,0x01,
             0x00,0x15) + # len
  "SPF.Util.callModuleEx" + 
  raw_string(0x00,0x02,0x2f,0x34,0x00,0x00,0x00,0x65,0x0a,0x00,0x00,0x00,0x01,
             0x03, # obj
             0x00,0x03) + # len
  "pkt" +
  raw_string(0x03, # obj
             0x00,0x0b) + # len
  "Credentials" +
  raw_string(0x03, # obj
             0x00, 0x04) + # len
  "name" + 
  raw_string(0x02, # str 
             0x00,0x05) + # len
  "admin" + 
  raw_string(0x00,0x06) + # len
  "passwd" +
  raw_string(0x02) + # str
  mkword(strlen(admin_password)) +
  admin_password +
  raw_string(0x00,0x00,0x09, # end obj
             0x00,0x06) + # len
  "method" +  
  raw_string(0x02, # str
             0x00,0x05) + # len
  "login" +
  raw_string(0x00,0x06) + # len
  "module" +
  raw_string(0x02, # str
             0x00,0x04) + # len
  "auth" +
  raw_string(0x00,0x03) + # len
  "uid" +
  raw_string(0x06,
             0x00,0x00,0x09, # end obj
             0x00,0x00,0x09); # end obj

res = http_send_recv3(
  method:'POST',
  item: dir + '/',
  port:port,
  add_headers:make_array(
    'Content-Type', 'application/x-amf', # required
    'x-flash-version', '11,4,402,278'
  ),
  data:postdata, 
  exit_on_fail:TRUE
);

# try to parse out login message
msg = NULL;
msg_search = raw_string(
               0x00, 0x07, # length
               0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, # "message"
               0x02 # string is next
             );

pos = stridx(res[2], msg_search);

if (msg_search >< res[2] && pos >= 0)
{
  len = getword(blob:res[2], pos: pos + strlen(msg_search));
  if (len == NULL) exit(1, "The response from port "+port+" is not long enough to contain the length of message string.");

  if (strlen(res[2]) <  pos + strlen(msg_search) + 2 + len) exit(1, "The response from port "+port+" is not long enough to contain message string.");

  msg = substr(res[2], pos + strlen(msg_search) + 2, pos + strlen(msg_search) + 2 + len - 1);  
}

if (
  !isnull(msg) &&
  (
    'successfully authenticated' >< msg ||
    'Password has expired' >< msg
  ) &&
  'Invalid user name or password' >!< msg
)
{
  if (report_verbosity > 0)
  {
    report = '\nNessus was able to login using default credentials for the \'admin\' user : \n\n' +
    '  Password : ' + admin_password + '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
  exit(0);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, build_url(qs:dir, port:port));

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation