
NIS passwd.byname Map Disclosure

2004-05-13 00:00:00
This script is Copyright (C) 2004-2016 Tenable Network Security, Inc.

This script fetches the remote NIS 'passwd.byname' map, provided that the NIS domain name could be obtained.

#
# (C) Tenable Network Security, Inc.
#

include( 'compat.inc' );

if (description)
{
  script_id(12238);
  script_version("1.19");
  script_cvs_date("Date: 2018/08/13 14:32:37");

  script_name(english:"NIS passwd.byname Map Disclosure");
  script_summary(english:"checks the presence of a RPC service");

  # Report text.
  script_set_attribute(attribute:'synopsis',
    value:'The remote service is vulnerable to information disclosure');
  script_set_attribute(attribute:'description',
    value:"This script fetches the remote NIS 'passwd.byname' map, provided that
the NIS domain name could be obtained.");
  script_set_attribute(attribute:'solution',
    value: "Disable NIS if it is not required.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_attribute(attribute:'see_also',
    value:'http://securitydigest.org/zardoz/archive/211');

  script_set_attribute(attribute:"plugin_publication_date", value:"2004/05/13");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"RPC");
  script_copyright(english:"This script is Copyright (C) 2004-2016 Tenable Network Security, Inc.");

  # The NIS domain name is collected by bootparamd_get_nis_domain.nasl and
  # read back from the KB key required here.
  script_dependencie("bootparamd_get_nis_domain.nasl");
  script_require_keys("RPC/NIS/domain");
  exit(0);
}


include("misc_func.inc");
include("sunrpc_func.inc");

# Shared between extract_key() and extract_data(): `i` is the loop index that
# extract_key() leaves at the length of the string it just read, and `tcp` is
# the size of the record mark in front of the reply (4 on TCP, 0 on UDP), set
# in the transport selection below. `len` is declared global as well, but
# extract_key() never writes the global one (its `len` is a local_var).
global_var i, len, tcp;

# Return `len` NUL bytes, used to align an XDR string to a 4-byte boundary.
# Returns "" when len is 0.
function pad(len)
{
  local_var count, out;

  out = "";
  count = 0;
  while (count < len)
  {
    out += raw_string(0);
    count++;
  }
  return out;
}

# Read one XDR string from `data`. Only the low two bytes of its length word
# (at offsets 34+tcp+tot and 35+tcp+tot) are used; the bytes start at
# 36+tcp+tot. The loop index `i` is deliberately the global one: after the
# call it holds the length that was read, which extract_data() uses to step
# past this string.
function extract_key(data, tot)
{
  local_var n, start, s;

  start = 36 + tcp + tot;
  n = ord(data[start - 2]) * 256 + ord(data[start - 1]);
  s = "";
  for (i = 0; i < n; i++)
  {
    s = string(s, data[start + i]);
  }
  return s;
}

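# Walk the reply in `data`, pulling out consecutive XDR strings with
# extract_key() and collecting every third one (f cycles 3,1,2,3,...) into a
# newline-separated list. After each string comes NUL padding to a 4-byte
# boundary and a 4-byte length word for the next one.
#
# Fix: the padding used to be computed from the global `len`, which
# extract_key() never updates (its `len` is a local_var), so the alignment
# was derived from an unrelated value (the last thing the top level stored in
# `len`). The length extract_key() just read is the global `i`; use that.
function extract_data(data)
{
  local_var align, entry, f, flag, str, tot;

  str = "";
  tot = 0;
  flag = 1;
  f = 3;
  while (flag)
  {
    entry = extract_key(data:data, tot:tot);
    # extract_key() leaves the global `i` at the length of the string read.
    align = 4 - i % 4;
    if (align == 4) align = 0;
    tot = tot + i + align + 4;
    # Stop once there is no room left for another length word and string.
    if ((tot + 40) > strlen(data)) flag = 0;
    if (f > 2)
    {
      if (strlen(entry)) str = string(str, entry, "\n");
      f = 1;
    }
    else f = f + 1;
  }
  return str;
}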

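nis_dom = get_kb_item("RPC/NIS/domain");
if (!nis_dom) exit(0);

# Reach program 100004 over TCP first, falling back to UDP. `tcp` doubles as
# the size of the record mark that only the TCP transport puts in front of
# each RPC message; the parsing functions above index the reply with it.
soc = 0;
RPC_PROG = 100004;
port = get_rpc_port2(program:RPC_PROG, protocol:IPPROTO_TCP);
if (port && get_tcp_port_state(port))
{
  tcp = 4;
  soc = open_priv_sock_tcp(dport:port);
}

if (!soc)
{
  port = get_rpc_port2(program:RPC_PROG, protocol:IPPROTO_UDP);
  if (!port || !get_udp_port_state(port)) exit(0);
  tcp = 0;
  soc = open_priv_sock_udp(dport:port);
}

if (!soc) exit(0);

# XDR-encode the two string arguments (domain, map name): a length word (only
# its low two bytes are filled in here), the bytes, then NUL padding to a
# 4-byte boundary.
len = strlen(nis_dom);
x = len % 256;
y = len / 256;
align = 4 - len % 4;
if (align == 4) align = 0;
pad = pad(len:align);

map = "passwd.byname";
len = strlen(map);
x2 = len % 256;
y2 = len / 256;
align = 4 - len % 4;
if (align == 4) align = 0;
pad2 = pad(len:align);

# RPC CALL header (xid 0xDEADBEEF, program 100004 = 0x186A4, version 2,
# procedure 8 - presumably YPPROC_ALL, which returns a whole map - with null
# credentials/verifier), followed by the two XDR strings.
req = raw_string(0xDE, 0xAD,
  0xBE, 0xEF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x02, 0x00, 0x01, 0x86, 0xA4, 0x00, 0x00,
  0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  y, x) + nis_dom + pad + raw_string(0x00, 0x00, y2, x2) +
  map + pad2;

tot_len = strlen(req);
tot_len_hi = tot_len / 256;
tot_len_lo = tot_len % 256;

# TCP needs a record mark (last-fragment bit + length) before the message.
if (tcp) req = raw_string(0x80, 0x00, tot_len_hi, tot_len_lo) + req;
send(socket:soc, data:req);

if (tcp)
{
  # Read the reply's record mark first to learn how much to receive. A short
  # read here must not reach data[3]; the old `!data` test only caught an
  # empty one.
  data = recv(socket:soc, length:4);
  if (strlen(data) < 4)
  {
    close(soc);
    exit(0);
  }
  # Low two bytes of the mark only; a single fragment is assumed.
  len = ord(data[2]) * 256 + ord(data[3]);
}
else
{
  data = NULL;
  len = 65535;
}

data += recv(socket:soc, length:len);
# The socket is no longer needed once the reply is in; release it before
# any of the exits below.
close(soc);
if (!data) exit(0);
# extract_key() reads the first length word at offset 34+tcp; anything
# shorter cannot hold an entry.
if (strlen(data) < 36 + tcp) exit(0);

mapcontent = extract_data(data:data);

if (strlen(mapcontent))
{
  report = string("It was possible to extract the map ", map, " using the NIS domain name ",
nis_dom, " :\n", mapcontent);

  if (tcp) security_warning(port:port, extra:report);
  else security_warning(proto:"udp", port:port, extra:report);
}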