| Source | Link |
|---|---|
| launchpad | www.launchpad.net/keystone |
| nessus | www.nessus.org/u |
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(62354);
script_version("1.7");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/05");
script_name(english:"OpenStack Keystone Default Credentials");
script_set_attribute(attribute:"synopsis", value:
"The remote web application uses default credentials.");
script_set_attribute(attribute:"description", value:
"It is possible to log into the remote OpenStack Keystone instance by
providing default credentials. Knowing these, an attacker can gain
administrative control of the affected application and would then be
able to read and write to Keystone, which is used as an identity
provider by other services.");
script_set_attribute(attribute:"see_also", value:"https://launchpad.net/keystone");
# https://raw.github.com/openstack/keystone/master/etc/keystone.conf.sample
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?350f4002");
script_set_attribute(attribute:"solution", value:
"Change the credentials.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:ND/RC:ND");
script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/27");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:openstack:keystone");
script_set_attribute(attribute:"default_account", value:"true");
script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2012-2024 Tenable Network Security, Inc.");
script_dependencies("openstack_keystone_detect.nasl");
script_require_keys("www/openstack_keystone");
script_exclude_keys("Settings/disable_cgi_scanning", "global_settings/supplied_logins_only");
script_require_ports("Services/www", 35357);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("http.inc");
include("json.inc");
include("misc_func.inc");
include("path.inc");
include("webapp_func.inc");
app = "OpenStack Keystone";
# Get the ports that webservers have been found on, defaulting to
# the admin port.
port = get_kb_item("Services/www");
if (isnull(port))
{
port = 35357;
if (!service_is_unknown(port:port)) exit(0, "The service on port " + port + " has been previously identified.");
}
if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);
# Get details of the install.
name = "openstack_keystone";
install = get_install_from_kb(appname:name, port:port, exit_on_fail:TRUE);
if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);
dir = install["dir"];
path = dir + "/v2.0/users";
# This only works against the admin API.
get_kb_item_or_exit("www/"+port+"/"+name+"/admin");
# Request the list of users.
token = "ADMIN";
hdrs = make_array("x-auth-token", token);
res = http_send_recv3(
port : port,
method : "GET",
item : path,
add_headers : hdrs,
exit_on_fail : TRUE
);
if (max_index(res) <= 2) exit(1, "The "+app+" service listening on port "+port+" did not return an HTTP response body as expected.");
# Check if we got the list of users.
json = json_read(res[2]);
if (
isnull(json) ||
isnull(json[1]) ||
isnull(json[0]) ||
isnull(json[0]["users"]) ||
!is_list(json[0]["users"])
) exit(0, "Failed to log into " + app + " with default credentials on port " + port + ".");
# Report our findings.
report = NULL;
if (report_verbosity > 0)
{
header = 'Nessus was able to gain access using the following URL';
trailer =
'The following credentials were used :' +
'\n' +
'\n Authentication Token : ' + token;
if (report_verbosity > 1)
{
users = make_list();
foreach user (json[0]["users"])
{
if (typeof(user) != "array")
continue;
name = user["name"];
if(!isnull(name))
users = make_list(users, name);
}
if (max_index(users) > 0)
{
trailer +=
'\n' +
'\nThe following users were returned by our request :' +
'\n' +
'\n ' + join(sort(users), sep:'\n ');
}
}
report = get_vuln_report(items:path, port:port, header:header, trailer:trailer);
}
security_hole(port:port, extra:report);
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation