OpenWrt Router with a Blank Password (telnet check)
2009-07-23T00:00:00
ID OPENWRT_BLANK_TELNET_PASSWORD.NASL Type nessus Reporter This script is Copyright (C) 2009-2021 Tenable Network Security, Inc. Modified 2009-07-23T00:00:00
Description
The remote host is running OpenWrt, an open source Linux distribution
for embedded devices, especially routers.
It is currently configured without a password, which is the case by
default. Anyone who can reach the device's Telnet service can connect
and gain administrative (root) access to it without authenticating.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration pass: when the scanner loads the plugin with `description` set,
# only the metadata below is recorded and the script exits before any network
# traffic is generated.
if (description)
{
  script_id(40354);
  script_version("1.9");

  # CVE-1999-0508 is a generic identifier (default, null, blank or missing
  # password on a network device); it is not specific to OpenWrt.
  script_cve_id("CVE-1999-0508");

  script_name(english:"OpenWrt Router with a Blank Password (telnet check)");
  script_summary(english:"Tries to access OpenWrt without a password");

  script_set_attribute(attribute:"synopsis", value:"The remote router does not have a password set.");
  script_set_attribute(attribute:"description", value:
"The remote host is running OpenWrt, an open source Linux distribution
for embedded devices, especially routers.
It is currently configured without a password, which is the case by
default. Anyone can connect to the device via Telnet and gain
administrative access to it.");
  script_set_attribute(attribute:"see_also", value:"http://oldwiki.openwrt.org/OpenWrtDocs%282f%29Using.html");
  script_set_attribute(attribute:"solution", value:"Set a password for the device.");

  # Plugin-level rating: network reachable, no authentication, complete impact.
  # This is the plugin's own vector for the exposure it confirms, which is why
  # it can differ from the score attached to the generic CVE record.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");

  # NOTE(review): the Metasploit module named here is an SNMP scanner, which
  # does not describe this Telnet check. It looks inherited from a CVE-level
  # mapping rather than chosen for this plugin, so do not read it as the way
  # this finding is exercised. Confirm before relying on it for triage.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SNMP Community Scanner');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/23");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # ACT_ATTACK: the check opens an interactive session and issues a command on
  # the target, so it is more intrusive than a banner-only probe.
  script_category(ACT_ATTACK);
  # NOTE(review): "CGI abuses" is an unusual family for a Telnet check. Kept
  # as published, but confirm that family-based scan policies still select it.
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.");

  # Runs after Telnet service detection and only against a Telnet port.
  script_dependencies("telnetserver_detect_type_nd_version.nasl");
  script_require_ports("Services/telnet", 23);

  exit(0);
}
include("global_settings.inc");
include("telnet_func.inc");
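# Detection logic: report an OpenWrt device whose Telnet service hands out a
# root shell without asking for any credential.
#
# Flow:
#   1. Pick the Telnet port (KB entry from service detection, else 23).
#   2. Match three markers in the pre-login banner.
#   3. Unless report_paranoia is 2 or higher, open a session and confirm that
#      a root prompt is reached and that /proc/version mentions OpenWrt.
#   4. Record the finding in the KB and report it.
#
# No username or password is ever sent; a positive result therefore means the
# service itself granted the shell unauthenticated.

port = get_kb_item("Services/telnet");
if (!port) port = 23;
if (!get_tcp_port_state(port)) exit(0, "No Telnet service was detected.");

# All three banner markers are required: the "set your password" hint, the
# distribution tagline, and a root prompt.
# NOTE(review): the tagline literal must match the device banner byte for
# byte, including the spacing between the two words. Confirm it against the
# upstream plugin in case this copy had whitespace collapsed.
banner = get_telnet_banner(port:port);
if (
  banner &&
  "Use 'passwd' to set your login password" >< banner &&
  "W I R E L E S S F R E E D O M" >< banner &&
  "root@" >< banner
)
{
  # Unless we're paranoid, make sure it's really OpenWrt.
  # (report_paranoia >= 2 skips this and trusts the banner match alone.)
  if (report_paranoia < 2)
  {
    soc = open_sock_tcp(port);
    if (!soc) exit(1, "Can't open a socket to verify it's really OpenWrt.");

    # The prompt can arrive during option negotiation or in the read that
    # follows, so both outputs are concatenated before testing.
    res = telnet_negotiate(socket:soc);
    res += recv_until(socket:soc, pattern:"root@");

    # Require the prompt text itself. Testing only for a non-empty buffer
    # would accept any negotiation output as proof of a shell, even when
    # recv_until() never saw "root@".
    if (!res || "root@" >!< res)
    {
      close(soc);
      exit(0, "Didn't receive a command prompt.");
    }

    # Read-only confirmation that the shell belongs to an OpenWrt system.
    send(socket:soc, data:'cat /proc/version\r\n');

    res = recv_until(socket:soc, pattern:"OpenWrt");
    if (!res)
    {
      close(soc);
      exit(0, "'/proc/version' doesn't mention OpenWrt.");
    }
    close(soc);
  }

  # Make the result available to other plugins in the same scan.
  set_kb_item(name:"openwrt/blank_telnet_password", value:TRUE);

  if (report_verbosity > 0)
  {
    # Include the matched banner so the analyst can see the evidence.
    report = string(
      "\n",
      "The remote device uses the following banner :\n",
      "\n",
      crap(data:"-", length:30), " snip ", crap(data:"-", length:30), "\n",
      banner, "\n",
      crap(data:"-", length:30), " snip ", crap(data:"-", length:30), "\n"
    );
    security_hole(port:port, extra:report);
  }
  else security_hole(port);

  exit(0);
}
exit(0, "The host is not affected.");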
{"id": "OPENWRT_BLANK_TELNET_PASSWORD.NASL", "bulletinFamily": "scanner", "title": "OpenWrt Router with a Blank Password (telnet check)", "description": "The remote host is running OpenWrt, an open source Linux distribution\nfor embedded devices, especially routers. \n\nIt is currently configured without a password, which is the case by\ndefault. Anyone can connect to the device via Telnet and gain\nadministrative access to it.", "published": "2009-07-23T00:00:00", "modified": "2009-07-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/40354", "reporter": "This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.", "references": ["http://oldwiki.openwrt.org/OpenWrtDocs%282f%29Using.html"], "cvelist": ["CVE-1999-0508"], "type": "nessus", "lastseen": "2021-01-20T13:01:23", "edition": 23, "viewCount": 11, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-1999-0508"]}, {"type": "osvdb", "idList": ["OSVDB:785", "OSVDB:624", "OSVDB:872", "OSVDB:625", "OSVDB:824", "OSVDB:820", "OSVDB:399", "OSVDB:263", "OSVDB:382", "OSVDB:620"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SNMP/SNMP_LOGIN"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231010753", "OPENVAS:136141256231018413", "OPENVAS:10820", "OPENVAS:136141256231010778", "OPENVAS:10999", "OPENVAS:136141256231011004", "OPENVAS:136141256231018414", "OPENVAS:136141256231023938", "OPENVAS:136141256231011203", "OPENVAS:136141256231018415"]}, {"type": "nessus", "idList": ["MIKROTIK_BLANK_PASSWORD.NASL", "DDI_AIRCONNECT_DEFAULT_PASSWORD.NASL", "ALLIED_TELESYN_TELNET.NASL", "DDI_ENHYDRA_DEFAULT.NASL", "3COM_SWITCHES.NASL", "DDI_F5_DEFAULT_SUPPORT.NASL", "ALLIED_TELESYN_WEB.NASL", "SHIVA_DEFAULT_PASS.NASL", "DDI_LANROVER_BLANK_PASSWORD.NASL", "DDI_LINKSYS_ROUTER_DEFAULT_PASSWORD.NASL"]}], "modified": "2021-01-20T13:01:23", "rev": 2}, "score": {"value": 5.8, "vector": "NONE", "modified": 
"2021-01-20T13:01:23", "rev": 2}, "vulnersScore": 5.8}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\n\nif (description)\n{\n script_id(40354);\n script_version(\"1.9\");\n\n script_cve_id(\"CVE-1999-0508\");\n\n script_name(english:\"OpenWrt Router with a Blank Password (telnet check)\");\n script_summary(english:\"Tries to access OpenWrt without a password\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote router does not have a password set.\"\n );\n script_set_attribute( attribute:\"description\", value:\n\"The remote host is running OpenWrt, an open source Linux distribution\nfor embedded devices, especially routers. \n\nIt is currently configured without a password, which is the case by\ndefault. Anyone can connect to the device via Telnet and gain\nadministrative access to it.\" );\n script_set_attribute(\n attribute:\"see_also\", \n value:\"http://oldwiki.openwrt.org/OpenWrtDocs%282f%29Using.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Set a password for the device.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SNMP Community Scanner');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(\n attribute:\"plugin_publication_date\", \n value:\"2009/07/23\"\n );\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network 
Security, Inc.\");\n\n script_dependencies(\"telnetserver_detect_type_nd_version.nasl\");\n script_require_ports(\"Services/telnet\", 23);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"telnet_func.inc\");\n\n\nport = get_kb_item(\"Services/telnet\");\nif (!port) port = 23;\nif (!get_tcp_port_state(port)) exit(0, \"No Telnet service was detected.\");\n\n\nbanner = get_telnet_banner(port:port);\nif (\n banner &&\n \"Use 'passwd' to set your login password\" >< banner &&\n \"W I R E L E S S F R E E D O M\" >< banner &&\n \"root@\" >< banner\n)\n{\n # Unless we're paranoid, make sure it's really OpenWrt.\n if (report_paranoia < 2)\n {\n soc = open_sock_tcp(port);\n if (soc)\n {\n res = telnet_negotiate(socket:soc);\n res += recv_until(socket:soc, pattern:\"root@\");\n if (!res)\n {\n close(soc);\n exit(0, \"Didn't receive a command prompt.\");\n }\n send(socket:soc, data:'cat /proc/version\\r\\n');\n\n res = recv_until(socket:soc, pattern:\"OpenWrt\");\n if (!res)\n {\n close(soc);\n exit(0, \"'/proc/version' doesn't mention OpenWrt.\");\n }\n close(soc);\n }\n else exit(1, \"Can't open a socket to verify it's really OpenWrt.\");\n }\n\n set_kb_item(name:\"openwrt/blank_telnet_password\", value:TRUE);\n\n if (report_verbosity > 0)\n {\n report = string(\n \"\\n\",\n \"The remote device uses the following banner :\\n\",\n \"\\n\",\n crap(data:\"-\", length:30), \" snip \", crap(data:\"-\", length:30), \"\\n\",\n banner, \"\\n\",\n crap(data:\"-\", length:30), \" snip \", crap(data:\"-\", length:30), \"\\n\"\n );\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n\n exit(0);\n}\nexit(0, \"The host is not affected.\");\n", "naslFamily": "CGI abuses", "pluginID": "40354", "cpe": [], "scheme": null}
{"cve": [{"lastseen": "2020-10-03T11:36:55", "description": "An account on a router, firewall, or other network device has a default, null, blank, or missing password.", "edition": 2, "cvss3": {}, "published": "1998-06-01T04:00:00", "title": "CVE-1999-0508", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-1999-0508"], "modified": "2008-09-09T12:34:00", "cpe": [], "id": "CVE-1999-0508", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0508", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-0508"], "edition": 1, "description": "## Vulnerability Description\nMany Cisco devices ship without a default password for access, and without a default password for administration. This allows an attacker complete access to the device, and can result in lost of confidentiality, integrity and/or availability.\n## Solution Description\nSet exec and enable passwords immediately after installation. Refer to the manual for the device.\n## Short Description\nMany Cisco devices ship without a default password for access, and without a default password for administration. 
This allows an attacker complete access to the device, and can result in lost of confidentiality, integrity and/or availability.\n## References:\n[CVE-1999-0508](https://vulners.com/cve/CVE-1999-0508)\n", "modified": "1999-01-01T00:00:00", "published": "1999-01-01T00:00:00", "id": "OSVDB:625", "href": "https://vulners.com/osvdb/OSVDB:625", "title": "Cisco Devices Ship Without Default Passwords", "type": "osvdb", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-0508"], "edition": 1, "description": "## Vulnerability Description\nBy default, the Shiva Integrator installs with a default password. The root account has no password which is publicly known and documented. This allows attackers to trivially access the program or system.\n## Technical Description\nAn attacker is able to telnet to this device and gain access.\n## Solution Description\nImmediately after installation, change all default install passwords to a unique and secure password. When possible, change default accounts to custom names as well.\n## Short Description\nBy default, the Shiva Integrator installs with a default password. The root account has no password which is publicly known and documented. 
This allows attackers to trivially access the program or system.\n## References:\n[Nessus Plugin ID:10500](https://vulners.com/search?query=pluginID:10500)\nGeneric Informational URL: http://www.ispeed.org/password.htm\nGeneric Informational URL: http://www.cirt.net/cgi-bin/passwd.pl?method=showven&ven=Intel\n[CVE-1999-0508](https://vulners.com/cve/CVE-1999-0508)\n", "modified": "2002-09-12T00:00:00", "published": "2002-09-12T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:399", "id": "OSVDB:399", "type": "osvdb", "title": "Shiva Integrator Default Password", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-0508"], "edition": 1, "description": "# No description provided by the source\n\n## References:\n[Nessus Plugin ID:11004](https://vulners.com/search?query=pluginID:11004)\n[CVE-1999-0508](https://vulners.com/cve/CVE-1999-0508)\n", "modified": "2001-01-01T00:00:00", "published": "2001-01-01T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:824", "id": "OSVDB:824", "title": "Ipswitch WhatsUp Gold Default Admin Account", "type": "osvdb", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-0508"], "edition": 1, "description": "## Vulnerability Description\nThis host appears to be the running the Apache Tomcat Servlet engine with the default accounts still configured. 
A potential intruder could reconfigure this service in a way that grants system access.\n## Technical Description\nChecks for a set of common account by try to request /admin/contextAdmin/contextList.jsp\n## Solution Description\nChange the default passwords by editing the admin-users.xml file located in the /conf/users subdirectory of the Tomcat installation.\n## Short Description\nThis host appears to be the running the Apache Tomcat Servlet engine with the default accounts still configured. A potential intruder could reconfigure this service in a way that grants system access.\n## References:\nVendor URL: http://tomcat.apache.org/\n[Nessus Plugin ID:11204](https://vulners.com/search?query=pluginID:11204)\n[CVE-1999-0508](https://vulners.com/cve/CVE-1999-0508)\n", "modified": "2000-01-19T00:00:00", "published": "2000-01-19T00:00:00", "id": "OSVDB:872", "href": "https://vulners.com/osvdb/OSVDB:872", "title": "Apache Tomcat Multiple Default Accounts", "type": "osvdb", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-0508"], "edition": 1, "description": "## Vulnerability Description\nBy default, AOLserver installs with a default password. The nsadmin account has no password which is publicly known and documented. This allows attackers to trivially access the program or system.\n## Solution Description\nImmediately after installation, change all default install passwords to a unique and secure password. When possible, change default accounts to custom names as well.\n## Short Description\nBy default, AOLserver installs with a default password. The nsadmin account has no password which is publicly known and documented. 
This allows attackers to trivially access the program or system.\n## References:\nVendor URL: http://aolserver.sourceforge.net/\nVendor Specific Solution URL: http://www.aolserver.com/docs/admin/security.html\n[Nessus Plugin ID:10753](https://vulners.com/search?query=pluginID:10753)\n[CVE-1999-0508](https://vulners.com/cve/CVE-1999-0508)\n", "modified": "2002-09-12T00:00:00", "published": "2002-09-12T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:624", "id": "OSVDB:624", "title": "AOLserver Default Password", "type": "osvdb", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-0508"], "edition": 1, "description": "# No description provided by the source\n\n## References:\nISS X-Force ID: 1816\n[CVE-1999-0508](https://vulners.com/cve/CVE-1999-0508)\n", "modified": "1999-01-01T00:00:00", "published": "1999-01-01T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:263", "id": "OSVDB:263", "type": "osvdb", "title": "Cayman DSL Router Default Passwordless Account", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-0508"], "edition": 1, "description": "## Vulnerability Description\nBy default, PostgresSQL installs without a default password for the postgres user account. This username and password combination is publicly known and documented. This allows attackers to trivially access the program or system with administrative priveleges.\n## Solution Description\nImmediately after installation, change all default install passwords to a unique and secure password. When possible, change default accounts to custom names as well.\n## Short Description\nBy default, PostgresSQL installs without a default password for the postgres user account. This username and password combination is publicly known and documented. 
This allows attackers to trivially access the program or system with administrative priveleges.\n## Manual Testing Notes\nuser: postgres\npassword: (blank)\n## References:\n[Nessus Plugin ID:10483](https://vulners.com/search?query=pluginID:10483)\nGeneric Informational URL: http://www.cirt.net/cgi-bin/passwd.pl?method=showven&ven=PostgreSQL\n[CVE-1999-0508](https://vulners.com/cve/CVE-1999-0508)\n", "modified": "1999-07-17T00:00:00", "published": "1999-07-17T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:382", "id": "OSVDB:382", "type": "osvdb", "title": "PostgreSQL Server Default Password", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-0508"], "edition": 1, "description": "## Vulnerability Description\nBy default, 3COM SuperStack II switches install with a default password. The security account has a password of security which is publicly known and documented. This allows attackers to trivially access the program or system.\n## Technical Description\nDefault username and password combinations: \nusername:security\npassword:security \n\nusername:manager\npassword:manager \n\nusername:monitor\npassword:monitor\n## Solution Description\nImmediately after installation, change all default install passwords to a unique and secure password. When possible, change default accounts to custom names as well. \n## Short Description\nBy default, 3COM SuperStack II switches install with a default password. The security account has a password of security which is publicly known and documented. 
This allows attackers to trivially access the program or system.\n## References:\n[Nessus Plugin ID:10747](https://vulners.com/search?query=pluginID:10747)\nGeneric Informational URL: http://www.phenoelit.de/dpl/dpl.html\nGeneric Informational URL: http://www.cirt.net/cgi-bin/passwd.pl?method=showven&ven=3COM\n[CVE-1999-0508](https://vulners.com/cve/CVE-1999-0508)\n", "modified": "2002-09-12T00:00:00", "published": "2002-09-12T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:620", "id": "OSVDB:620", "title": "3Com SuperStack II Default Password", "type": "osvdb", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-0508"], "edition": 1, "description": "## Vulnerability Description\nBy default, Nortel switches and routers install with a default password. The rwa account has a password of rwa which is publicly known and documented. This allows attackers to trivially access the program or system.\n## Technical Description\nDefault accounts and passwords: \nrwa/rwa \nrw/rw \nl3/l3 \nl2/l2 \nl1/l1 \nl4admin/l4admin \nslbadmin/slbadmin \noperator/operator \nl4oper/l4oper \nslbop/slbop \nro/ro\n## Solution Description\nImmediately after installation, change all default install passwords to a unique and secure password. When possible, change default accounts to custom names as well.\n## Short Description\nBy default, Nortel switches and routers install with a default password. The rwa account has a password of rwa which is publicly known and documented. 
This allows attackers to trivially access the program or system.\n## References:\n[Nessus Plugin ID:10989](https://vulners.com/search?query=pluginID:10989)\nGeneric Informational URL: http://www.cirt.net/cgi-bin/passwd.pl?method=showven&ven=Nortel\n[CVE-1999-0508](https://vulners.com/cve/CVE-1999-0508)\n", "modified": "2002-09-12T00:00:00", "published": "2002-09-12T00:00:00", "id": "OSVDB:812", "href": "https://vulners.com/osvdb/OSVDB:812", "title": "Nortel Networks Default Password", "type": "osvdb", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-0508"], "edition": 1, "description": "## Vulnerability Description\nBy default, the AirConnect wireless access point installs with a default password. The comcomcom account has a password of comcomcom which is publicly known and documented. This allows attackers to trivially access the program or system.\n## Solution Description\nImmediately after installation, change all default install passwords to a unique and secure password. When possible, change default accounts to custom names as well.\n## Short Description\nBy default, the AirConnect wireless access point installs with a default password. The comcomcom account has a password of comcomcom which is publicly known and documented. 
This allows attackers to trivially access the program or system.\n## References:\nVendor URL: http://www.3com.com/products/en_US/detail.jsp?tab=support&pathtype=support&sku=3CRWE74796B\n[Nessus Plugin ID:10961](https://vulners.com/search?query=pluginID:10961)\nISS X-Force ID: 6270\nGeneric Informational URL: http://www.cirt.net/cgi-bin/passwd.pl?method=showven&ven=3COM\n[CVE-1999-0508](https://vulners.com/cve/CVE-1999-0508)\n", "modified": "2002-09-12T00:00:00", "published": "2002-09-12T00:00:00", "id": "OSVDB:785", "href": "https://vulners.com/osvdb/OSVDB:785", "title": "3Com AirConnect AP Default Password", "type": "osvdb", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-01-01T04:54:12", "description": "The remote router has no password. An intruder\nmay connect to it and disable it easily.", "edition": 22, "published": "2000-03-12T00:00:00", "title": "Cayman DSL Router Unauthenticated Access", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "modified": "2021-01-02T00:00:00", "cpe": [], "id": "PASSWORDLESS_CAYMAN_ROUTER.NASL", "href": "https://www.tenable.com/plugins/nessus/10345", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(10345);\n script_version (\"1.16\");\n\n script_cve_id(\"CVE-1999-0508\");\n\n script_name(english:\"Cayman DSL Router Unauthenticated Access\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"It is possible to log in to the remote router without any\npassword.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote router has no password. 
An intruder\nmay connect to it and disable it easily.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Set a strong password.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SNMP Community Scanner');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2000/03/12\");\n script_cvs_date(\"Date: 2018/08/13 14:32:36\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"1999/01/01\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_summary(english:\"Notifies that the remote cayman router has no password\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Misc.\");\n script_dependencie(\"find_service1.nasl\");\n script_require_ports(\"Services/telnet\", 23);\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude('telnet_func.inc');\nport = get_kb_item(\"Services/telnet\");\nif(!port) port = 23;\n\nif(get_port_state(port))\n{\n buf = get_telnet_banner(port:port);\n if ( ! buf || \"Terminal shell\" >!< buf ) exit(0);\n soc = open_sock_tcp(port);\n if(soc)\n {\n buf = telnet_negotiate(socket:soc);\n if(\"Terminal shell\" >< buf)\n \t{\n\t r = recv(socket:soc, length:2048);\n\t b = buf + r;\n\t if(\"completed login\" >< b)security_hole(port);\n\t}\n close(soc);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T05:32:40", "description": "The remote Shiva router uses the default password. 
\nThis means that anyone who has (downloaded) a user manual can \ntelnet to it and reconfigure it to lock you out of it, and to \nprevent you to use your internet connection.", "edition": 22, "published": "2000-08-31T00:00:00", "title": "Shiva Integrator Default Password", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "modified": "2021-01-02T00:00:00", "cpe": [], "id": "SHIVA_DEFAULT_PASS.NASL", "href": "https://www.tenable.com/plugins/nessus/10500", "sourceData": "#\n# This script was written by Stefaan Van Dooren <stefaanv@kompas.be>\n#\n# See the Nessus Scripts License for details\n#\n# Changes by Tenable\n# - only attempt to login if the policy allows it (10/25/11 and 6/2015)\n# - Updated to use compat.inc, added CVSS score (11/20/2009)\n# - Updated to use global_settings.inc (6/2015)\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(10500);\n script_version (\"1.15\");\n script_cvs_date(\"Date: 2018/08/13 14:32:36\");\n\n script_cve_id(\"CVE-1999-0508\");\n\n script_name(english:\"Shiva Integrator Default Password\");\n script_summary(english:\"Attempts to log in to the remote host.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote router can be accessed with default credentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Shiva router uses the default password. 
\nThis means that anyone who has (downloaded) a user manual can \ntelnet to it and reconfigure it to lock you out of it, and to \nprevent you to use your internet connection.\");\n script_set_attribute(attribute:\"solution\", value:\n\"telnet to this router and set a different password immediately.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SNMP Community Scanner');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2002/09/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2000/08/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n \n script_copyright(english:\"This script is Copyright (C) 2000-2018 Stefaan Van Dooren\");\n\n script_require_ports(23);\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n \n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"global_settings.inc\");\n\nport = 23;\nif(get_port_state(port))\n{\n\tif (supplied_logins_only) exit(0, \"Policy is configured to prevent trying default user accounts\");\n\tsoc = open_sock_tcp(port);\n\tif(soc)\n\t{\n\t\tdata = string(\"hello\\n\\r\");\n\t\tsend(data:data, socket:soc);\n\t\tbuf = recv(socket:soc, length:4096);\n\t\tif (\"ntering privileged mode\" >< buf)\n\t\t\tsecurity_hole(port);\n\t\tclose(soc);\n\t}\n}\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-14T12:47:39", "description": "This system appears to be running the Enhydra application server\nconfigured with the default administrator password of 'enhydra'. 
A\npotential intruder could reconfigure this service and use it to obtain\nfull access to the system.", "edition": 17, "published": "2003-01-22T00:00:00", "title": "Enhydra Multiserver Default Password", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "modified": "2003-01-22T00:00:00", "cpe": [], "id": "DDI_ENHYDRA_DEFAULT.NASL", "href": "https://www.tenable.com/plugins/nessus/11202", "sourceData": "#\n# This script was written by H D Moore <hdmoore@digitaldefense.net>\n#\n# See the Nessus Scripts License for details\n#\n# Changes by Tenable:\n# - Revised plugin family (1/21/2009)\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11202);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/12\");\n\n script_cve_id(\"CVE-1999-0508\");\n\n script_name(english:\"Enhydra Multiserver Default Password\");\n script_summary(english:\"Enhydra Multiserver Default Admin Password\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote application server is protected with default administrative\ncredentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"This system appears to be running the Enhydra application server\nconfigured with the default administrator password of 'enhydra'. 
A\npotential intruder could reconfigure this service and use it to obtain\nfull access to the system.\");\n script_set_attribute(attribute:\"solution\", value:\"Set a strong password for the 'admin' account.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SNMP Community Scanner');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/01/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2003-2020 Digital Defense Inc.\");\n script_family(english:\"Web Servers\");\n\n script_dependencie(\"http_version.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_require_ports(\"Services/www\", 8001);\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nport = get_http_port(default:8001, embedded:TRUE);\nif (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);\n\nbanner = get_http_banner(port:port);\nif ( ! 
banner || \"Enhydra\" >!< banner ) exit(0, \"The web server listening on port \"+port+\" does not look like an Enhydra application server.\");\n\nreq = http_get(item:\"/Admin.po?proceed=yes\", port:port);\nreq = req - string(\"\\r\\n\\r\\n\");\nreq = string(req, \"\\r\\nAuthorization: Basic YWRtaW46ZW5oeWRyYQ==\\r\\n\\r\\n\");\nbuf = http_keepalive_send_recv(port:port, data:req);\n\nif (\"Enhydra Multiserver Administration\" >< buf) security_hole(port);\nelse audit(AUDIT_LISTEN_NOT_VULN, \"Enhydra application server\", port);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T00:51:46", "description": "The Allied Telesyn Router/Switch has the default password set.\n\nThe attacker could use this default password to gain remote access to\nyour switch or router. This password could also be potentially used to\ngain other sensitive information about your network from the device.", "edition": 21, "published": "2005-06-03T00:00:00", "title": "Allied Telesyn Router/Switch Web Interface Default Password", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "modified": "2021-01-02T00:00:00", "cpe": [], "id": "ALLIED_TELESYN_WEB.NASL", "href": "https://www.tenable.com/plugins/nessus/18413", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(18413);\n script_version(\"$Revision: 1.12 $\");\n script_cvs_date(\"$Date: 2012/08/15 21:05:11 $\");\n script_cve_id(\"CVE-1999-0508\");\n script_name(english:\"Allied Telesyn Router/Switch Web Interface Default Password\");\n script_summary(english:\"Logs into Allied Telesyn routers and switches Web interface with default password\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host contains an account with a default password set.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The Allied Telesyn Router/Switch has the default password set.\n\nThe attacker 
could use this default password to gain remote access to\nyour switch or router. This password could also be potentially used to\ngain other sensitive information about your network from the device.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Connect to this Router/Switch and set a strong password.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SNMP Community Scanner');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/06/03\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2005-2012 Tenable Network Security, Inc.\");\n script_family(english:\"Web Servers\");\n script_dependencies(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n#\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:80, embedded: 1);\n\nif (report_paranoia < 2)\n{\n banner = get_http_banner (port:port, exit_on_fail: 1);\n if (\"Server: ATR-HTTP-Server\" >!< banner)\n exit(0, \"The web server on port \"+port+\" is not ATR-HTTP-Server.\");\n}\n\nw = http_send_recv3(method:\"GET\", item:\"/\", port:port, \n username: \"\", password: \"\", exit_on_fail: 1);\n\nif (w[0] !~ \"^HTTP/1\\.[01] +401 \")\n exit(0, build_url(port: port, qs:\"/\") + \" is not protected.\");\n\nus = \"manager\"; pa = \"friend\";\n\nw = http_send_recv3(method:\"GET\", item:\"/\", port:port, \n username: us, password: pa, exit_on_fail: 1);\n\nif (w[0] =~ \"^HTTP/1\\.[01] +200 \")\n if 
(report_verbosity <= 0)\n security_hole(port);\n else\n security_hole(port: port, extra: \n'\\nThe following URIs will exhibit the flaw :\\n\\n'\n+ build_url(port: port, qs:\"/\") + '\\n'\n+ build_url(port: port, qs:\"/\", username: us, password: pa) + '\\n');\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-14T12:47:39", "description": "The remote F5 Networks device has the default password set for the\n'support' user account. This account normally provides read/write\naccess to the web configuration utility. An attacker could take\nadvantage of this to reconfigure your systems and possibly gain shell\naccess to the system with super-user privileges.", "edition": 16, "published": "2001-12-06T00:00:00", "title": "F5 Device Default Support Password", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "modified": "2001-12-06T00:00:00", "cpe": [], "id": "DDI_F5_DEFAULT_SUPPORT.NASL", "href": "https://www.tenable.com/plugins/nessus/10820", "sourceData": "#\n# Copyright 2001 by H D Moore <hdmoore@digitaldefense.net>\n#\n# See the Nessus Scripts License for details\n#\n\n# Changes by Tenable:\n# - Output formatting, family change (8/22/09)\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(10820);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/12\");\n\n script_cve_id(\"CVE-1999-0508\");\n\n script_name(english:\"F5 Device Default Support Password\");\n script_summary(english:\"F5 Device Default Support Password\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote service is protected with default administrative\ncredentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote F5 Networks device has the default password set for the\n'support' user account. This account normally provides read/write\naccess to the web configuration utility. 
An attacker could take\nadvantage of this to reconfigure your systems and possibly gain shell\naccess to the system with super-user privileges.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Remove the 'support' account entirely or change the password of this\naccount to something that is difficult to guess.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SNMP Community Scanner');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2001/12/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2001-2020 Digital Defense Inc.\");\n script_family(english:\"Misc.\");\n\n script_dependencies(\"http_version.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_require_ports(\"Services/www\", 443);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nport = get_http_port(default:443, embedded:TRUE);\nif (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);\n\nuser = 'support';\npass = 'support';\n\nsoc = http_open_socket(port);\nif (!soc) audit(AUDIT_SOCK_FAIL, port);\n\nreq = string(\"GET /bigipgui/bigconf.cgi?command=bigcommand&CommandType=bigpipe HTTP/1.0\\r\\nAuthorization: Basic \", base64(str:user+':'+pass), \"\\r\\n\\r\\n\");\nsend(socket:soc, data:req);\nbuf = 
http_recv(socket:soc);\nhttp_close_socket(soc);\n\nif (!isnull(buf) && (\"/bigipgui/\" >< buf) && (\"System Command\" >< buf))\n{\n if (report_verbosity > 0)\n {\n report = '\\n User : ' + user +\n '\\n Password : ' + pass +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n set_kb_item(name:\"Services/www/\" + port + \"/embedded\", value:TRUE);\n}\nelse exit(0, \"The web server listening on port \"+port+\" is not affected.\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T00:51:46", "description": "The remote device appears to be a Bay Networks Accelar 1200 Switch \nthat can be accessed using default credentials. An attacker could\nleverage this issue to gain administrative access to the affected\ndevice. This password could also be potentially used to gain other\nsensitive information about the network from the device.", "edition": 21, "published": "2005-06-03T00:00:00", "title": "Bay Networks Accelar 1200 Switch Default Password (password) for 'usrname' Account", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "modified": "2021-01-02T00:00:00", "cpe": [], "id": "ACCELAR_1200.NASL", "href": "https://www.tenable.com/plugins/nessus/18415", "sourceData": "#\n# This script was written by Charles Thier <cthier@thethiers.net>\n#\n# GPLv2\n#\n\n# Changes by Tenable:\n# - only attempt to login if the policy allows it (10/25/11)\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(18415);\n script_version(\"$Revision: 1.15 $\");\n script_cve_id(\"CVE-1999-0508\");\n script_name(english:\"Bay Networks Accelar 1200 Switch Default Password (password) for 'usrname' Account\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote network device can be accessed with default credentials.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote device appears to be a Bay Networks Accelar 1200 Switch \nthat can be accessed 
using default credentials. An attacker could\nleverage this issue to gain administrative access to the affected\ndevice. This password could also be potentially used to gain other\nsensitive information about the network from the device.\" );\n # http://web.archive.org/web/20050209060646/http://www.cirt.net/cgi-bin/passwd.pl?method=showven&ven=Nortel\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?35874295\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Telnet to the device and change the default password.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SNMP Community Scanner');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/06/03\");\n script_cvs_date(\"$Date: 2015/09/24 20:59:26 $\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n \n summary[\"english\"] = \"Logs into Bay Networks switches with default password\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2005-2015 Charles Thier\");\n script_family(english:\"Misc.\");\n script_require_ports(23);\n exit(0);\n}\n\n\n#\n# The script code starts here\n#\n\ninclude(\"telnet_func.inc\");\nusrname = \"rwa\";\npassword = \"rwa\";\n\nport = 23;\nif (! 
get_port_state(port)) exit(0, \"TCP port \"+port+\" is closed.\");\nif ( get_kb_item(\"global_settings/supplied_logins_only\") ) exit(0, \"Policy is configured to prevent trying default user accounts\");\n\n\ntnb = get_telnet_banner(port:port);\nif ( ! tnb ) exit(1, \"No telnet banner on port \"+port+\".\");\n\nif (\"Accelar 1200\" >!< tnb) exit(0, \"The remote Telnet server is not Accelar 1200.\");\n\nsoc = open_sock_tcp(port);\nif (! soc) exit(1, \"TCP connection failed to port \"+port+\".\");\n\n answer = recv(socket:soc, length:4096);\n if(\"ogin:\" >< answer)\n {\n send(socket:soc, data:string(usrname, \"\\r\\n\"));\n answer = recv(socket:soc, length:4096);\n send(socket:soc, data:string(password, \"\\r\\n\"));\n answer = recv(socket:soc, length:4096);\n if(\"Accelar-1200\" >< answer)\n {\n report = string(\n \"\\n\",\n \"Nessus was able to gain access using the following credentials :\\n\",\n \"\\n\",\n \" User : \", usrname, \"\\n\",\n \" Password : \", password, \"\\n\"\n );\n security_hole(port:port, extra:report);\n }\n }\n close(soc);\n\n\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T00:51:50", "description": "The pcAnywhere service does not require a password to access the\ndesktop of this system. If this machine is running Windows 95, 98, or\nME, gaining full control of the machine is trivial. 
If this system is\nrunning NT or 2000 and is currently logged out, an attacker can still\nspy on and hijack a legitimate user's session when they login.", "edition": 22, "published": "2001-11-07T00:00:00", "title": "Symantec pcAnywhere Service Unrestricted Access", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "modified": "2021-01-02T00:00:00", "cpe": [], "id": "DDI_UNPROTECTED_PCANYWHERE.NASL", "href": "https://www.tenable.com/plugins/nessus/10798", "sourceData": "#\n# This script was written by H D Moore\n#\n\n# Changes by Tenable:\n# - Revised plugin title, changed family (1/22/09)\n# - Revised plugin title, output formatting, family change (9/08/09)\n# - Revised plugin title (1/29/11)\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(10798);\n script_version (\"$Revision: 1.27 $\");\n script_cvs_date(\"$Date: 2012/08/15 21:05:11 $\");\n\n script_cve_id(\"CVE-1999-0508\");\n\n script_name(english:\"Symantec pcAnywhere Service Unrestricted Access\");\n script_summary(english:\"Unprotected PC Anywhere Service\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote access service on this port allows unrestricted access.\");\n script_set_attribute(attribute:\"description\", value:\n\"The pcAnywhere service does not require a password to access the\ndesktop of this system. If this machine is running Windows 95, 98, or\nME, gaining full control of the machine is trivial. If this system is\nrunning NT or 2000 and is currently logged out, an attacker can still\nspy on and hijack a legitimate user's session when they login.\");\n script_set_attribute(attribute:\"solution\", value:\n\"1. Open the PC Anywhere application as an Administrator. \n2. Right click on the Host object you are using and select Properties.\n3. Select the Caller Access tab. \n4. Switch the authentication type to Windows or PC Anywhere.\n5. 
If you are using PC Anywhere authentication, set a strong password.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SNMP Community Scanner');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\n\"2001/11/07\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2002-2012 Digital Defense Incorporated\");\n script_family(english:\"Windows\");\n script_dependencies(\"find_service1.nasl\", \"PC_anywhere_tcp.nasl\");\n script_require_ports(\"Services/pcanywheredata\", 5631);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ndebug = 0;\n\ncl[0] = raw_string (0x00, 0x00, 0x00, 0x00);\nsv[0] = \"nter\";\n\ncl[1] = raw_string (0x6f, 0x06, 0xff);\nsv[1] = raw_string (0x1b, 0x61);\n\ncl[2] = raw_string (0x6f, 0x61, 0x00, 0x09, 0x00, 0xfe, 0x00,\n 0x00, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00);\n \nsv[2] = raw_string (0x1b, 0x62);\n\ncl[3] = raw_string (0x6f, 0x62, 0x01, 0x02, 0x00, 0x00, 0x00); \nsv[3] = raw_string (0x65, 0x6e);\n\ncl[4] = raw_string(0x6f, 0x49, 0x00, 0x4c, 0x20, 0x20, 0x20, 0x20,\n 0x20, 0x20, 0x20, 0x20, 0x20, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x09, 0xff, 0x05, 0x00, 0x00, 0x00,\n 0x60, 0x24, 0x00, 0x09, 0x00, 0x00, 0x00, 0x06,\n 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,\n 0x41, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x31);\nsv[4] = raw_string(0x1b, 0x16);\n\ncl[5] 
= raw_string(0x6f, 0x73, 0x02, 0x01, 0x00, 0x02);\nsv[5] = \"Service Pack\";\n\nport = get_kb_item(\"Services/pcanywheredata\");\nif(!port)port = 5631;\n\nif(get_port_state(port))\n{\n soc = open_sock_tcp(port);\n if(soc)\n {\n\n for(d=0;cl[d];d=d+1)\n {\n if(debug)display(\":: entering level \", d, \"\\n\");\n send(socket:soc, data:cl[d]);\n r = recv(socket:soc, length:2048);\n\t if(!r)exit(0);\n \n # no minimum encryption level set\n if(d == 2)\n {\n if((\"Reducing\" >< r) && (\"encryption\" >< r))\n {\n if(debug)display(\"Warning: no minimum encryption level set.\\n\");\n }\n if((\"denying\" >< r) && (\"cannot connect at level\" >< r))\n {\n if(debug)display(\"Warning: plugin exiting because a minimum encryption level has been set.\\n\");\n exit(0); \n }\n }\n \n # user authentication\n if(d == 3)\n {\n if((\"Enter user name\" >< r) || (\"Enter login name\" >< r))\n {\n if(debug)display(\"Warning: plugin exiting because user authentication needed.\\n\");\n exit(0); \n }\n }\n \n if( sv[d] >!< r)\n {\n \n close(soc);\n if(debug)display(\"exiting at level \", d, \"\\n\");\n exit(0);\n }\n }\n security_hole(port:port);\n\tclose(soc);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T00:51:50", "description": "This device is a Motorola Vanguard router and has no password set. 
An\nattacker can reconfigure this device without providing any\nauthentication.", "edition": 21, "published": "2003-01-22T00:00:00", "title": "Motorola Vanguard with No Password (telnet check)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "modified": "2021-01-02T00:00:00", "cpe": [], "id": "DDI_MOTOROLA_VANGUARD_NO_PASS.NASL", "href": "https://www.tenable.com/plugins/nessus/11203", "sourceData": "#\n# This script was written by Geoff Humes <geoff.humes@digitaldefense.net>\n#\n# See the Nessus Scripts License for details\n#\n\n# Changes by Tenable:\n# - Revised plugin title (9/2/09)\n# - Revised plugin title (10/29/09)\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n\tscript_id(11203);\n\tscript_version(\"$Revision: 1.10 $\");\n\tscript_cvs_date(\"$Date: 2012/08/15 21:05:11 $\");\n\n\tscript_cve_id(\"CVE-1999-0508\");\n\n\tscript_name(english:\"Motorola Vanguard with No Password (telnet check)\");\n\tscript_summary(english:\"Attempts to log into Vanguards.\");\n \n\n\tscript_set_attribute(attribute:\"synopsis\", value:\n\"The router does not have a password.\");\n\tscript_set_attribute(attribute:\"description\", value:\n\"This device is a Motorola Vanguard router and has no password set. 
An\nattacker can reconfigure this device without providing any\nauthentication.\");\nscript_set_attribute(attribute:\"solution\", value:\n\"Please set a strong password for this device.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SNMP Community Scanner');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\tscript_set_attribute(attribute:\"plugin_publication_date\", value:\n\"2003/01/22\");\n\tscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n\tscript_end_attributes();\n\n\tscript_category(ACT_GATHER_INFO);\n\tscript_copyright(english:\"This script is Copyright (C) 2003-2012 Digital Defense\");\n\tscript_family(english:\"Misc.\");\n\tscript_require_ports(23);\n \n\texit(0);\n}\n\ninclude('telnet_func.inc');\n\nfunction greprecv(socket, pattern)\n{\n local_var buffer, cnt, _r;\n buffer = \"\";\n cnt = 0;\n while(1)\n {\n _r = recv_line(socket:socket, length:4096);\n if(strlen(_r) == 0)return(0);\n buffer = string(buffer, _r);\n if(ereg(pattern:pattern, string:_r))return(buffer);\n cnt = cnt + 1;\n if(cnt > 1024)return(0);\n }\n}\n\n#\n# The script code starts here\n#\nport = 23;\n\n\nif(get_port_state(port))\n{\n\tbanner = get_telnet_banner(port:port);\n\tif ( ! 
banner || \"OK\" >!< banner ) exit(0);\n\n\tsoc = open_sock_tcp(port);\n\tif(soc)\n\t{\n\t\tbuf = greprecv(socket:soc, pattern:\".*OK.*\");\n\t\tif(!buf)exit(0);\n\t\tsend(socket:soc, data:string(\"atds0\\r\\n\"));\n\t\tbuf = greprecv(socket:soc, pattern:\".*Password.*\");\n\t\tif(!buf)exit(0);\n\t\tsend(socket:soc, data:string(\"\\r\\n\"));\n\t\tbuf = greprecv(socket:soc, pattern:\".*Logout.*\");\n\t\tif(buf)security_hole(port);\n\t\tclose(soc);\n\t}\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T01:21:49", "description": "The remote host appears to be an Avaya P330 Stackable Switch with its\ndefault password set. \n\nAn attacker could use this default password to gain remote access to\nthe affected switch. This password could also be potentially used to\ngain other sensitive information about the remote network from the\nswitch.", "edition": 21, "published": "2005-03-28T00:00:00", "title": "Avaya P330 Stackable Switch Default Password", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "modified": "2021-01-02T00:00:00", "cpe": [], "id": "AVAYA_SWITCHES.NASL", "href": "https://www.tenable.com/plugins/nessus/17638", "sourceData": "#\n# This script was written by Charles Thier <cthier@thethiers.net>\n#\n# GPLv2\n#\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(17638);\n script_version(\"$Revision: 1.11 $\");\n script_cvs_date(\"$Date: 2012/08/15 21:05:11 $\");\n script_cve_id(\"CVE-1999-0508\");\n script_name(english:\"Avaya P330 Stackable Switch Default Password\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote switch can be accessed with default root credentials.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host appears to be an Avaya P330 Stackable Switch with its\ndefault password set. \n\nAn attacker could use this default password to gain remote access to\nthe affected switch. 
This password could also be potentially used to\ngain other sensitive information about the remote network from the\nswitch.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.phenoelit-us.org/dpl/dpl.html\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Telnet to this switch and change the default password.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SNMP Community Scanner');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/03/28\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n \n summary[\"english\"] = \"Logs into Avaya switches with default password\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2005-2012 Charles Thier\");\n script_family(english:\"Misc.\");\n script_require_ports(23);\n exit(0);\n}\n\n\n#\n# The script code starts here\n#\n\ninclude(\"telnet_func.inc\");\nusrname = string(\"root\\r\\n\");\npassword = string(\"root\\r\\n\");\n\nport = 23;\nif(get_port_state(port))\n{\n\ttnb = get_telnet_banner(port:port);\n\tif ( ! 
tnb ) exit(0);\n if (\"Welcome to P330\" >< tnb)\n {\n soc = open_sock_tcp(port);\n if(soc)\n {\n answer = recv(socket:soc, length:4096);\n if(\"ogin:\" >< answer)\n {\n send(socket:soc, data:usrname);\n answer = recv(socket:soc, length:4096);\n send(socket:soc, data:password);\n answer = recv(socket:soc, length:4096);\n if(\"Password accepted\" >< answer)\n {\n security_hole(port:23);\n }\n }\n close(soc);\n }\n\n }\n}\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T00:51:50", "description": "The remote Linksys router accepts the default password 'admin' for\nthe web administration console. This console provides read/write\naccess to the router's configuration. An attacker could take\nadvantage of this to reconfigure the router and possibly re-route\ntraffic.", "edition": 22, "published": "2002-06-05T00:00:00", "title": "Linksys Router Default Password", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "modified": "2021-01-02T00:00:00", "cpe": [], "id": "DDI_LINKSYS_ROUTER_DEFAULT_PASSWORD.NASL", "href": "https://www.tenable.com/plugins/nessus/10999", "sourceData": "#\n# This script is Copyright (C) Digital Defense Inc.\n# Author: Forrest Rae <forrest.rae@digitaldefense.net>\n#\n# See the Nessus Scripts License for details\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(10999);\n script_version(\"$Revision: 1.14 $\");\n script_cvs_date(\"$Date: 2013/12/17 12:13:59 $\");\n\n script_cve_id(\"CVE-1999-0508\");\n\n script_name(english:\"Linksys Router Default Password\");\n script_summary(english:\"Linksys Router Default Password (admin)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote system can be accessed with a default administrator\naccount.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Linksys router accepts the default password 'admin' for\nthe web administration console. 
This console provides read/write\naccess to the router's configuration. An attacker could take\nadvantage of this to reconfigure the router and possibly re-route\ntraffic.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Change the password for this account.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SNMP Community Scanner');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2002/06/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2002-2013 Digital Defense Inc.\");\n script_family(english:\"CISCO\");\n\n script_dependencie(\"http_version.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_require_ports(80, 8080);\n script_require_keys(\"Services/www\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nport = 80;\nif (!get_port_state(port)) port = 8080;\nif (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);\n\nsvc = get_kb_item(\"Known/tcp/\"+port);\nif (!isnull(svc) && svc != \"www\") exit(0, \"The service listening on port \"+port+\" is not a web server.\");\n\nsoc = open_sock_tcp(port);\nif (!soc) audit(AUDIT_SOCK_FAIL, port);\n\n# HTTP auth = \":admin\"\n# req = string(\"GET / HTTP/1.0\\r\\nAuthorization: Basic OmFkbWlu\\r\\n\\r\\n\");\n\n# HTTP auth = \"admin:admin\"\nreq = string(\"GET / HTTP/1.0\\r\\nAuthorization: Basic 
YWRtaW46YWRtaW4=\\r\\n\\r\\n\");\n\n# Both work, second is used to be RFC compliant.\n\nsend(socket:soc, data:req);\nbuf = http_recv(socket:soc);\nclose(soc);\n\nif (\n \"Status.htm\" >< buf && \n \"DHCP.htm\" >< buf && \n \"Log.htm\" >< buf &&\n \"Security.htm\" >< buf\n) security_hole(port:port);\nelse exit(0, \"The web server listening on port \"+port+\" is not affected.\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-07-02T21:10:07", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "description": "This AirConnect wireless access point still has the \n default password set for the web interface. This could \n be abused by an attacker to gain full control over the\n wireless network settings.", "modified": "2017-05-01T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:10961", "href": "http://plugins.openvas.org/nasl.php?oid=10961", "type": "openvas", "title": "AirConnect Default Password", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: DDI_AirConnect_Default_Password.nasl 6053 2017-05-01 09:02:51Z teissa $\n# Description: AirConnect Default Password\n#\n# Authors:\n# H D Moore\n#\n# Copyright:\n# Copyright (C) 2002 Digital Defense Inc.\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"This AirConnect wireless access point still has the \n default password set for the web interface. This could \n be abused by an attacker to gain full control over the\n wireless network settings.\";\n\ntag_solution = \"Change the password to something difficult to\n guess via the web interface.\";\n\n# Information about the AP provided by Brian Caswell\n\nif(description)\n{\n script_id(10961);\n script_version(\"$Revision: 6053 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-05-01 11:02:51 +0200 (Mon, 01 May 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-1999-0508\");\n name = \"AirConnect Default Password\";\n script_name(name);\n\n\n\n summary = \"3Com AirConnect AP Default Password\";\n\n\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n script_copyright(\"This script is Copyright (C) 2002 Digital Defense Inc.\");\n\n family = \"Privilege escalation\";\n script_family(family);\n script_dependencies(\"http_version.nasl\");\n script_require_ports(\"Services/www\");\n \n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nfunction sendrequest (request, port)\n{\n reply = http_keepalive_send_recv(data:request, port:port);\n if( reply == NULL ) exit(0);\n return(reply);\n}\n\n#\n# The script code starts here\n#\n\n\nport = get_http_port(default:80);\n\nif(!get_port_state(port)){ 
exit(0); }\n\nreq = string(\"GET / HTTP/1.0\\r\\nAuthorization: Basic Y29tY29tY29tOmNvbWNvbWNvbQ==\\r\\n\\r\\n\");\n\nreply = sendrequest(request:req, port:port);\n\nif (\"SecuritySetup.htm\" >< reply)\n{\n security_message(port:port);\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-02T21:10:05", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "description": "This Linksys Router has the default password \nset for the web administration console. \nThis console provides read/write access to the\nrouter's configuration. An attacker could take\nadvantage of this to reconfigure the router and \npossibly re-route traffic.", "modified": "2017-04-27T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:10999", "href": "http://plugins.openvas.org/nasl.php?oid=10999", "type": "openvas", "title": "Linksys Router Default Password", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: DDI_Linksys_Router_Default_Password.nasl 6040 2017-04-27 09:02:38Z teissa $\n# Description: Linksys Router Default Password\n#\n# Authors:\n# Forrest Rae <forrest.rae@digitaldefense.net>\n#\n# Copyright:\n# Copyright (C) 2002 Digital Defense Inc.\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"This Linksys Router has the default password \nset for the web administration console. 
\nThis console provides read/write access to the\nrouter's configuration. An attacker could take\nadvantage of this to reconfigure the router and \npossibly re-route traffic.\";\n\ntag_solution = \"Please assign the web administration\n console a difficult to guess password.\";\n\nif(description)\n{\n\tscript_id(10999);\n\tscript_version(\"$Revision: 6040 $\");\n\tscript_tag(name:\"last_modification\", value:\"$Date: 2017-04-27 11:02:38 +0200 (Thu, 27 Apr 2017) $\");\n\tscript_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n\tscript_cve_id(\"CVE-1999-0508\");\n\tname = \"Linksys Router Default Password\";\n\tscript_name(name);\n\tsummary = \"Linksys Router Default Password\";\n\tscript_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_active\");\n\tscript_copyright(\"This script is Copyright (C) 2002 Digital Defense Inc.\");\n\tfamily = \"General\";\n\tscript_family(family);\n\tscript_dependencies(\"find_service.nasl\");\n\tscript_require_ports(\"Services/www\", 80);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n\texit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"http_func.inc\");\n\nport = get_http_port(default:80);\n\nif (!get_port_state(port))port = 8080;\n\nif(get_port_state(port))\n{\n\tsoc = open_sock_tcp(port);\n\tif (soc)\n\t{\n\t\n\t\t# HTTP auth = \":admin\"\n\t\t# req = string(\"GET / HTTP/1.0\\r\\nAuthorization: Basic OmFkbWlu\\r\\n\\r\\n\");\n\t\t\n\t\t# HTTP auth = \"admin:admin\"\n\t\treq = string(\"GET / HTTP/1.0\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\n\\r\\n\");\n\t\t\n\t\t# Both work, second is used to be RFC compliant.\n\t\t\n\t\tsend(socket:soc, data:req);\n\t\tbuf = http_recv(socket:soc);\n\t\t\n\t\tclose(soc);\n\t\tif ((\"Status.htm\" >< buf) && (\"DHCP.htm\" >< buf) && 
(\"Log.htm\" >< buf) && (\"Security.htm\" >< buf) ||\n\t\t (\"next_file=Setup.htm\" >< buf && \"Checking JavaScript Support\" >< buf) #WAG120N\n\t\t )\n\t\t{\n\t\t\tsecurity_message(port:port);\n\t\t}\n\t}\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-06-11T15:22:34", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "description": "The remote host appears to be an Avaya P330 Stackable Switch with its default password set.", "modified": "2020-06-09T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231017638", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231017638", "type": "openvas", "title": "Avaya P330 Stackable Switch found with default password", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Avaya P330 Stackable Switch found with default password\n#\n# Authors:\n# Charles Thier <cthier@thethiers.net>\n#\n# Copyright:\n# Copyright (C) 2005 Charles Thier\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.17638\");\n script_version(\"2020-06-09T14:44:58+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 14:44:58 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-1999-0508\");\n script_name(\"Avaya P330 Stackable Switch found with default password\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2005 Charles Thier\");\n script_family(\"Default Accounts\");\n script_dependencies(\"telnetserver_detect_type_nd_version.nasl\", \"gb_default_credentials_options.nasl\");\n script_require_ports(\"Services/telnet\", 23);\n script_mandatory_keys(\"telnet/avaya_p330/detected\");\n script_exclude_keys(\"default_credentials/disable_default_account_checks\");\n\n script_add_preference(name:\"Use complete password list (not only vendor specific passwords)\", type:\"checkbox\", value:\"no\");\n\n script_tag(name:\"solution\", value:\"Telnet to this switch and change the default password.\");\n\n script_tag(name:\"summary\", value:\"The remote host appears to be an Avaya P330 Stackable Switch with its default password set.\");\n\n script_tag(name:\"impact\", value:\"The attacker could use this default password to gain remote access\n to your switch. 
This password could also be potentially used to\n gain other sensitive information about your network from the switch.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"telnet_func.inc\");\ninclude(\"default_credentials.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"dump.inc\");\n\n# If optimize_test = no\nif( get_kb_item( \"default_credentials/disable_default_account_checks\" ) )\n exit( 0 );\n\nport = telnet_get_port( default:23 );\nbanner = telnet_get_banner( port:port );\nif( ! banner || \"Welcome to P330\" >!< banner )\n exit( 0 );\n\np = script_get_preference( \"Use complete password list (not only vendor specific passwords)\" );\nif( \"yes\" >< p ) {\n clist = try();\n} else {\n clist = try( vendor:\"avaya\" );\n}\nif( ! clist ) exit( 0 );\n\nforeach credential( clist ) {\n\n # Handling of user uploaded credentials which requires to escape a ';' or ':'\n # in the user/password so it doesn't interfere with our splitting below.\n credential = str_replace( string:credential, find:\"\\;\", replace:\"#sem_legacy#\" );\n credential = str_replace( string:credential, find:\"\\:\", replace:\"#sem_new#\" );\n\n user_pass = split( credential, sep:\":\", keep:FALSE );\n if( isnull( user_pass[0] ) || isnull( user_pass[1] ) ) {\n # nb: ';' was used pre r9566 but was changed to ':' as a separator as the\n # GSA is stripping ';' from the NVT description. 
Keeping both in here\n # for backwards compatibility with older scan configs.\n user_pass = split( credential, sep:\";\", keep:FALSE );\n if( isnull( user_pass[0] ) || isnull( user_pass[1] ) )\n continue;\n }\n\n user = chomp( user_pass[0] );\n pass = chomp( user_pass[1] );\n\n user = str_replace( string:user, find:\"#sem_legacy#\", replace:\";\" );\n pass = str_replace( string:pass, find:\"#sem_legacy#\", replace:\";\" );\n user = str_replace( string:user, find:\"#sem_new#\", replace:\":\" );\n pass = str_replace( string:pass, find:\"#sem_new#\", replace:\":\" );\n\n if( tolower( pass ) == \"none\" ) pass = \"\";\n\n soc = open_sock_tcp( port );\n if( ! soc ) continue;\n\n answer = recv( socket:soc, length:4096 );\n if( \"ogin:\" >< answer ) {\n send( socket:soc, data:string( user, \"\\r\\n\" ) );\n answer = recv( socket:soc, length:4096 );\n send( socket:soc, data:string( pass, \"\\r\\n\" ) );\n answer = recv( socket:soc, length:4096 );\n\n if( \"Password accepted\" >< answer ) {\n security_message( port:port, data:\"It was possible to login with the credentials '\" + user + \":\" + pass + \"'.\" );\n }\n }\n close( soc );\n}\n\nexit( 0 );\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-12-08T11:44:09", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "description": "The PC Anywhere service does not require a password to access\nthe desktop of this system. If this machine is running Windows 95,\n98, or ME, gaining full control of the machine is trivial. 
If\nthis system is running NT or 2000 and is currently logged out, an\nattacker can still spy on and hijack a legitimate user's session when\nthey login.", "modified": "2017-12-07T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:10798", "href": "http://plugins.openvas.org/nasl.php?oid=10798", "type": "openvas", "title": "Unprotected PC Anywhere Service", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: DDI_Unprotected_PCanywhere.nasl 8023 2017-12-07 08:36:26Z teissa $\n# Description: Unprotected PC Anywhere Service\n#\n# Authors:\n# H D Moore\n#\n# Copyright:\n# Copyright (C) 2002 Digital Defense Incorporated\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"The PC Anywhere service does not require a password to access\nthe desktop of this system. If this machine is running Windows 95,\n98, or ME, gaining full control of the machine is trivial. If\nthis system is running NT or 2000 and is currently logged out, an\nattacker can still spy on and hijack a legitimate user's session when\nthey login.\";\n\ntag_solution = \"1. Open the PC Anywhere application as an Administrator. \n2. Right click on the Host object you are using and select Properties.\n3. Select the Caller Access tab. \n4. Switch the authentication type to Windows or PC Anywhere.\n5. 
If you are using PC Anywhere authentication, set a strong password.\";\n\nif(description)\n{\n script_id(10798);\n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-1999-0508\");\n name = \"Unprotected PC Anywhere Service\";\n script_name(name);\n\n\n \n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_active\");\n \n script_copyright(\"This script is Copyright (C) 2002 Digital Defense Incorporated\");\n family = \"General\";\n script_family(family);\n script_dependencies(\"find_service.nasl\", \"PC_anywhere_tcp.nasl\");\n script_require_ports(\"Services/pcanywheredata\", 5631);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ndebug = 0;\n\ncl[0] = raw_string (0x00, 0x00, 0x00, 0x00);\nsv[0] = \"nter\";\n\ncl[1] = raw_string (0x6f, 0x06, 0xff);\nsv[1] = raw_string (0x1b, 0x61);\n\ncl[2] = raw_string (0x6f, 0x61, 0x00, 0x09, 0x00, 0xfe, 0x00,\n 0x00, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00);\n \nsv[2] = raw_string (0x1b, 0x62);\n\ncl[3] = raw_string (0x6f, 0x62, 0x01, 0x02, 0x00, 0x00, 0x00); \nsv[3] = raw_string (0x65, 0x6e);\n\ncl[4] = raw_string(0x6f, 0x49, 0x00, 0x4c, 0x20, 0x20, 0x20, 0x20,\n 0x20, 0x20, 0x20, 0x20, 0x20, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x09, 0xff, 0x05, 0x00, 0x00, 0x00,\n 0x60, 0x24, 0x00, 0x09, 0x00, 0x00, 0x00, 0x06,\n 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,\n 0x41, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x31);\nsv[4] = raw_string(0x1b, 0x16);\n\ncl[5] = raw_string(0x6f, 0x73, 0x02, 0x01, 0x00, 0x02);\nsv[5] = \"Service Pack\";\n\nport = get_kb_item(\"Services/pcanywheredata\");\nif(!port)port = 5631;\n\nif(get_port_state(port))\n{\n soc = open_sock_tcp(port);\n if(soc)\n {\n\n for(d=0;cl[d];d=d+1)\n {\n if(debug)display(\":: entering level \", d, \"\\n\");\n send(socket:soc, data:cl[d]);\n r = recv(socket:soc, length:2048);\n\t if(!r)exit(0);\n \n # no minimum encryption level set\n if(d == 2)\n {\n if((\"Reducing\" >< r) && (\"encryption\" >< r))\n {\n if(debug)display(\"Warning: no minimum encryption level set.\\n\");\n }\n if((\"denying\" >< r) && (\"cannot connect at level\" >< r))\n {\n if(debug)display(\"Warning: plugin exiting because a minimum encryption level has been set.\\n\");\n exit(0); \n }\n }\n \n # user authentication\n if(d == 3)\n {\n if((\"Enter user name\" >< r) || (\"Enter login name\" >< r))\n {\n if(debug)display(\"Warning: plugin exiting because user authentication needed.\\n\");\n exit(0); \n }\n }\n \n if(! 
sv[d] >< r)\n {\n \n close(soc);\n if(debug)display(\"exiting at level \", d, \"\\n\");\n exit(0);\n }\n }\n security_message(port:port);\n\tclose(soc);\n }\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-06-07T12:41:55", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "description": "The Shiva LanRover has no password set for the\n root user account.", "modified": "2019-06-06T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231010998", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010998", "type": "openvas", "title": "Shiva LanRover Blank Password", "sourceData": "# OpenVAS Vulnerability Test\n# Description: Shiva LanRover Blank Password\n#\n# Authors:\n# H D Moore <hdmoore@digitaldefense.net>\n#\n# Copyright:\n# Copyright (C) 2002 Digital Defense Incorporated\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10998\");\n script_version(\"2019-06-06T07:39:31+0000\");\n script_tag(name:\"last_modification\", value:\"2019-06-06 07:39:31 +0000 (Thu, 06 Jun 2019)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-1999-0508\");\n script_name(\"Shiva LanRover Blank Password\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_copyright(\"This script is Copyright (C) 2002 Digital Defense Incorporated\");\n script_family(\"Privilege escalation\");\n script_dependencies(\"telnetserver_detect_type_nd_version.nasl\");\n script_require_ports(\"Services/telnet\", 23);\n script_mandatory_keys(\"telnet/shiva/lanrover/detected\");\n\n script_tag(name:\"solution\", value:\"Telnet to this device and change the\n password for the root account via the passwd command. Please ensure any other\n accounts have strong passwords set.\");\n\n script_tag(name:\"summary\", value:\"The Shiva LanRover has no password set for the\n root user account.\");\n\n script_tag(name:\"impact\", value:\"An attacker is able to telnet to this system and\n gain access to any phone lines attached to this device. 
Additionally, the LanRover\n can be used as a relay point for further attacks via the telnet and rlogin functionality\n available from the administration shell.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n exit(0);\n}\n\ninclude(\"telnet_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"dump.inc\");\n\nport = 23;\nif(!get_port_state(port))exit(0);\n\nbanner = telnet_get_banner(port:port);\nif ( ! banner || \"@ Userid:\" >!< banner ) exit(0);\n\nsoc = open_sock_tcp(port);\nif(soc)\n{\n r = telnet_negotiate(socket:soc);\n\n if(\"@ Userid:\" >< r)\n {\n send(socket:soc, data:string(\"root\\r\\n\"));\n r = recv(socket:soc, length:4096);\n\n if(\"Password?\" >< r)\n {\n send(socket:soc, data:string(\"\\r\\n\"));\n r = recv(socket:soc, length:4096);\n\n if (\"Shiva LanRover\" >< r)\n {\n security_message(port:port);\n }\n }\n }\n close(soc);\n}", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-12T15:08:24", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "description": "This system appears to be running the Enhydra application\n server configured with the default administrator password of 'enhydra'.", "modified": "2020-05-08T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231011202", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231011202", "type": "openvas", "title": "Enhydra Multiserver Default Password", "sourceData": "# OpenVAS Vulnerability Test\n# Description: Enhydra Multiserver Default Password\n#\n# Authors:\n# H D Moore <hdmoore@digitaldefense.net>\n#\n# Copyright:\n# Copyright (C) 2003 Digital Defense Inc.\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR 
A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.11202\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-1999-0508\");\n script_name(\"Enhydra Multiserver Default Password\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2003 Digital Defense Inc.\");\n script_family(\"Default Accounts\");\n script_dependencies(\"gb_get_http_banner.nasl\", \"gb_default_credentials_options.nasl\");\n script_mandatory_keys(\"Enhydra/banner\");\n script_require_ports(\"Services/www\", 8001);\n script_exclude_keys(\"default_credentials/disable_default_account_checks\");\n\n script_tag(name:\"solution\", value:\"Please set a strong password of the 'admin' account.\");\n\n script_tag(name:\"summary\", value:\"This system appears to be running the Enhydra application\n server configured with the default administrator password of 'enhydra'.\");\n\n script_tag(name:\"impact\", value:\"An attacker could reconfigure this service and use\n it to obtain full access to the system.\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n exit(0);\n}\n\nif(get_kb_item(\"default_credentials/disable_default_account_checks\"))\n exit(0);\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nport = http_get_port(default:8001);\nbanner = 
http_get_remote_headers(port:port);\nif(! banner || \"Enhydra\" >!< banner)\n exit(0);\n\nurl = \"/Admin.po?proceed=yes\";\nreq = http_get_req(port:port, url:url, add_headers:make_array(\"Authorization\", \"Basic YWRtaW46ZW5oeWRyYQ==\"));\nres = http_keepalive_send_recv(data:req, port:port);\nif(!res)\n exit(0);\n\nif(\"Enhydra Multiserver Administration\" >< res) {\n report = http_report_vuln_url(port:port, url:url);\n security_message(port:port, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-09-09T14:40:29", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "description": "This device is a Motorola Vanguard router and has\n no password set. An attacker can reconfigure\n this device without providing any authentication.", "modified": "2019-09-06T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231011203", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231011203", "type": "openvas", "title": "Motorola Vanguard with No Password", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Motorola Vanguard with No Password\n#\n# Authors:\n# Geoff Humes <geoff.humes@digitaldefense.net>\n#\n# Copyright:\n# Copyright (C) 2003 Digital Defense\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.11203\");\n script_version(\"2019-09-06T14:17:49+0000\");\n script_tag(name:\"last_modification\", value:\"2019-09-06 14:17:49 +0000 (Fri, 06 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-1999-0508\");\n script_name(\"Motorola Vanguard with No Password\");\n script_category(ACT_ATTACK);\n script_copyright(\"This script is Copyright (C) 2003 Digital Defense\");\n script_family(\"Default Accounts\");\n script_dependencies(\"telnetserver_detect_type_nd_version.nasl\", \"gb_default_credentials_options.nasl\");\n script_require_ports(\"Services/telnet\", 23);\n script_mandatory_keys(\"telnet/banner/available\");\n script_exclude_keys(\"default_credentials/disable_default_account_checks\");\n\n script_tag(name:\"solution\", value:\"Please set a strong password for this device.\");\n\n script_tag(name:\"summary\", value:\"This device is a Motorola Vanguard router and has\n no password set. 
An attacker can reconfigure\n this device without providing any authentication.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n\n exit(0);\n}\n\nif(get_kb_item(\"default_credentials/disable_default_account_checks\"))\n exit(0);\n\ninclude(\"telnet_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"dump.inc\");\n\nfunction greprecv( socket, pattern ) {\n\n local_var buffer, cnt, _r;\n\n buffer = \"\";\n cnt = 0;\n while( 1 ) {\n _r = recv_line( socket:socket, length:4096 );\n if( strlen( _r ) == 0 ) return FALSE;\n buffer = string( buffer, _r );\n if( ereg( pattern:pattern, string:_r ) ) return buffer;\n cnt++;\n if( cnt > 1024 ) return FALSE;\n }\n}\n\nport = telnet_get_port( default:23 );\n\nbanner = telnet_get_banner( port:port );\nif ( ! banner || \"OK\" >!< banner ) exit( 0 );\n\nsoc = open_sock_tcp( port );\n\nif( soc ) {\n\n buf = greprecv( socket:soc, pattern:\".*OK.*\" );\n if( ! buf ) {\n close( soc );\n exit( 0 );\n }\n\n send( socket:soc, data:string( \"atds0\\r\\n\" ) );\n buf = greprecv( socket:soc, pattern:\".*Password.*\" );\n\n if( ! buf ) {\n close( soc );\n exit( 0 );\n }\n\n send( socket:soc, data:string( \"\\r\\n\" ) );\n buf = greprecv( socket:soc, pattern:\".*Logout.*\" );\n if( buf ) security_message( port:port );\n close( soc );\n}\n\nexit( 99 );\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-08T08:39:59", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "description": "This F5 Networks system still has the default\n password set for the support user account. 
This account normally provides read/write\n access to the web configuration utility.", "modified": "2020-05-05T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231010820", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010820", "type": "openvas", "title": "F5 Device Default Support Password (HTTP)", "sourceData": "# OpenVAS Vulnerability Test\n# Description: F5 Device Default Support Password\n#\n# Authors:\n# H D Moore <hdmoore@digitaldefense.net>\n#\n# Copyright:\n# Copyright (C) 2001 Digital Defense Inc.\n# Copyright (C) 2001 H D Moore <hdmoore@digitaldefense.net>\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10820\");\n script_version(\"2020-05-05T09:44:01+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-05 09:44:01 +0000 (Tue, 05 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-1999-0508\");\n script_name(\"F5 Device Default Support Password (HTTP)\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_copyright(\"Copyright (C) 2001 Digital Defense Inc.\");\n script_family(\"Default Accounts\");\n 
script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"gb_default_credentials_options.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 443);\n script_exclude_keys(\"Settings/disable_cgi_scanning\", \"default_credentials/disable_default_account_checks\");\n\n script_tag(name:\"solution\", value:\"Remove the support account entirely or\n change the password of this account to something that is difficult to guess.\");\n\n script_tag(name:\"summary\", value:\"This F5 Networks system still has the default\n password set for the support user account. This account normally provides read/write\n access to the web configuration utility.\");\n\n script_tag(name:\"impact\", value:\"An attacker could take advantage of this to reconfigure\n your systems and possibly gain shell access to the system with super-user privileges.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n exit(0);\n}\n\nif(get_kb_item(\"default_credentials/disable_default_account_checks\"))\n exit(0);\n\ninclude(\"http_func.inc\");\ninclude(\"misc_func.inc\");\n\nport = http_get_port(default:443);\n\nreq = string(\"GET /bigipgui/bigconf.cgi?command=bigcommand&CommandType=bigpipe HTTP/1.0\\r\\nAuthorization: Basic c3VwcG9ydDpzdXBwb3J0\\r\\n\\r\\n\");\nbuf = http_send_recv(port:port, data:req);\n\nif ((\"/bigipgui/\" >< buf) && (\"System Command\" >< buf)) {\n security_message(port:port);\n}\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-11T15:22:33", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "description": "The remote host appears to be a Bay Networks Accelar 1200 Switch with\n its default password set.", "modified": "2020-06-09T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231018415", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231018415", "type": "openvas", "title": "Bay Networks Accelar 1200 Switch found with default password", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Bay Networks Accelar 1200 Switch found with default password\n#\n# Authors:\n# Charles Thier <cthier@thethiers.net>\n#\n# Copyright:\n# Copyright (C) 2005 Charles Thier\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.18415\");\n script_version(\"2020-06-09T14:44:58+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 14:44:58 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-1999-0508\");\n script_name(\"Bay Networks Accelar 1200 Switch found with default password\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2005 Charles Thier\");\n script_family(\"Default Accounts\");\n script_dependencies(\"telnetserver_detect_type_nd_version.nasl\", \"gb_default_credentials_options.nasl\");\n script_require_ports(23); # the port can't be changed on the device\n script_mandatory_keys(\"telnet/bay_networks/accelar_1200/detected\");\n 
script_exclude_keys(\"default_credentials/disable_default_account_checks\");\n\n script_add_preference(name:\"Use complete password list (not only vendor specific passwords)\", type:\"checkbox\", value:\"no\");\n\n script_tag(name:\"solution\", value:\"Telnet to this switch and change the default password.\");\n\n script_tag(name:\"summary\", value:\"The remote host appears to be an Bay Networks Accelar 1200 Switch with\n its default password set.\");\n\n script_tag(name:\"impact\", value:\"The attacker could use this default password to gain remote access\n to your switch. This password could also be potentially used to\n gain other sensitive information about your network from the switch.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"telnet_func.inc\");\ninclude(\"default_credentials.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"dump.inc\");\n\n# If optimize_test = no\nif( get_kb_item( \"default_credentials/disable_default_account_checks\" ) ) exit( 0 );\n\nport = 23; # the port can't be changed on the device\nif( ! get_port_state( port ) )\n exit( 0 );\n\nbanner = telnet_get_banner( port:port );\nif( ! banner || \"Accelar 1200\" >!< banner )\n exit( 0 );\n\np = script_get_preference( \"Use complete password list (not only vendor specific passwords)\" );\nif( \"yes\" >< p ) {\n clist = try();\n} else {\n clist = try(vendor:\"accelar\");\n}\nif( ! 
clist ) exit( 0 );\n\nforeach credential( clist ) {\n\n # Handling of user uploaded credentials which requires to escape a ';' or ':'\n # in the user/password so it doesn't interfere with our splitting below.\n credential = str_replace( string:credential, find:\"\\;\", replace:\"#sem_legacy#\" );\n credential = str_replace( string:credential, find:\"\\:\", replace:\"#sem_new#\" );\n\n user_pass = split( credential, sep:\":\", keep:FALSE );\n if( isnull( user_pass[0] ) || isnull( user_pass[1] ) ) {\n # nb: ';' was used pre r9566 but was changed to ':' as a separator as the\n # GSA is stripping ';' from the NVT description. Keeping both in here\n # for backwards compatibility with older scan configs.\n user_pass = split( credential, sep:\";\", keep:FALSE );\n if( isnull( user_pass[0] ) || isnull( user_pass[1] ) )\n continue;\n }\n\n user = chomp( user_pass[0] );\n pass = chomp( user_pass[1] );\n\n user = str_replace( string:user, find:\"#sem_legacy#\", replace:\";\" );\n pass = str_replace( string:pass, find:\"#sem_legacy#\", replace:\";\" );\n user = str_replace( string:user, find:\"#sem_new#\", replace:\":\" );\n pass = str_replace( string:pass, find:\"#sem_new#\", replace:\":\" );\n\n if( tolower( pass ) == \"none\" ) pass = \"\";\n\n soc = open_sock_tcp( port );\n if( ! 
soc ) continue;\n\n answer = recv( socket:soc, length:4096 );\n if( \"ogin:\" >< answer ) {\n send( socket:soc, data:string( user, \"\\r\\n\" ) );\n answer = recv( socket:soc, length:4096 );\n send( socket:soc, data:string( pass, \"\\r\\n\" ) );\n answer = recv( socket:soc, length:4096 );\n\n if( \"Accelar-1200\" >< answer ) {\n security_message( port:port, data:\"It was possible to login with the credentials '\" + user + \":\" + pass + \"'.\" );\n }\n }\n close( soc );\n}\n\nexit( 0 );\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-24T16:37:05", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "description": "The remote Shiva router uses the default password.\n This means that anyone who has (downloaded) a user manual can\n telnet to it and reconfigure it to lock you out of it, and to\n prevent you from using your internet connection.", "modified": "2020-03-24T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231010500", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010500", "type": "openvas", "title": "Shiva Integrator Default Password", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Shiva Integrator Default Password\n#\n# Authors:\n# Stefaan Van Dooren <stefaanv@kompas.be>\n#\n# Copyright:\n# Copyright (C) 2000 Stefaan Van Dooren\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10500\");\n script_version(\"2020-03-24T06:41:42+0000\");\n script_tag(name:\"last_modification\", value:\"2020-03-24 06:41:42 +0000 (Tue, 24 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_cve_id(\"CVE-1999-0508\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Shiva Integrator Default Password\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2000 Stefaan Van Dooren\");\n script_family(\"Default Accounts\");\n script_dependencies(\"telnetserver_detect_type_nd_version.nasl\", \"gb_default_credentials_options.nasl\");\n script_require_ports(\"Services/telnet\", 23);\n script_mandatory_keys(\"telnet/banner/available\");\n script_exclude_keys(\"default_credentials/disable_default_account_checks\");\n\n script_tag(name:\"solution\", value:\"Telnet to this router and set a different password immediately.\");\n\n script_tag(name:\"summary\", value:\"The remote Shiva router uses the default password.\n This means that anyone who has (downloaded) a user manual can\n telnet to it and reconfigure it to lock you out of it, and to\n prevent you to use your internet connection.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\nif(get_kb_item(\"default_credentials/disable_default_account_checks\"))\n exit(0);\n\ninclude(\"telnet_func.inc\");\ninclude(\"misc_func.inc\");\n\nport = telnet_get_port( 
default:23 );\n\nsoc = open_sock_tcp( port );\nif( ! soc )\n exit( 0 );\n\ndata = string( \"hello\\n\\r\" );\nsend( data:data, socket:soc );\nbuf = recv( socket:soc, length:4096 );\n\nclose( soc );\n\nif( \"ntering privileged mode\" >< buf ) {\n security_message( port:port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2020-06-02T00:02:17", "description": "This module logs in to SNMP devices using common community names.\n", "published": "2011-11-20T02:12:07", "type": "metasploit", "title": "SNMP Community Login Scanner", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0508"], "modified": "2019-06-27T22:06:32", "id": "MSF:AUXILIARY/SCANNER/SNMP/SNMP_LOGIN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'metasploit/framework/community_string_collection'\nrequire 'metasploit/framework/login_scanner/snmp'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::AuthBrute\n\n def initialize\n super(\n 'Name' => 'SNMP Community Login Scanner',\n 'Description' => %q{\n This module logs in to SNMP devices using common community names.\n },\n 'Author' => 'hdm',\n 'References' =>\n [\n [ 'CVE', '1999-0508'] # Weak password\n ],\n 'License' => MSF_LICENSE\n )\n\n register_options(\n [\n Opt::RPORT(161),\n OptEnum.new('VERSION', [true, 'The SNMP version to scan', '1', ['1', '2c', 'all']]),\n OptString.new('PASSWORD', [ false, 'The password to test' ]),\n OptPath.new('PASS_FILE', [ false, \"File containing communities, one per line\",\n File.join(Msf::Config.data_directory, \"wordlists\", \"snmp_default_pass.txt\")\n ])\n ])\n\n deregister_options('USERNAME', 'USER_FILE', 'USERPASS_FILE', 'PASSWORD_SPRAY')\n end\n\n # Operate on a single host so that we can take advantage of 
multithreading\n def run_host(ip)\n\n collection = Metasploit::Framework::CommunityStringCollection.new(\n pass_file: datastore['PASS_FILE'],\n password: datastore['PASSWORD']\n )\n\n scanner = Metasploit::Framework::LoginScanner::SNMP.new(\n host: ip,\n port: rport,\n cred_details: collection,\n stop_on_success: datastore['STOP_ON_SUCCESS'],\n bruteforce_speed: datastore['BRUTEFORCE_SPEED'],\n version: datastore['VERSION'],\n framework: framework,\n framework_module: self,\n queue_size: 100\n )\n\n scanner.scan! do |result|\n credential_data = result.to_h\n credential_data.merge!(\n module_fullname: self.fullname,\n workspace_id: myworkspace_id\n )\n if result.success?\n credential_core = create_credential(credential_data)\n credential_data[:core] = credential_core\n create_credential_login(credential_data)\n\n print_good \"#{ip}:#{rport} - Login Successful: #{result.credential} (Access level: #{result.access_level}); Proof (sysDescr.0): #{result.proof}\"\n report_service(\n :host => ip,\n :port => rport,\n :proto => 'udp',\n :name => 'snmp',\n :info => result.proof,\n :state => 'open'\n )\n else\n invalidate_login(credential_data)\n print_error \"#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status})\"\n end\n end\n end\n\n def rport\n datastore['RPORT']\n end\n\n\n\n\nend\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/snmp/snmp_login.rb"}]}