{"id": "OPENWRT_BLANK_TELNET_PASSWORD.NASL", "bulletinFamily": "scanner", "title": "OpenWrt Router with a Blank Password (telnet check)", "description": "The remote host is running OpenWrt, an open source Linux distribution\nfor embedded devices, especially routers. \n\nIt is currently configured without a password, which is the case by\ndefault. Anyone can connect to the device via Telnet and gain\nadministrative access to it.", "published": "2009-07-23T00:00:00", "modified": "2009-07-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/40354", "reporter": "This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.", "references": ["http://oldwiki.openwrt.org/OpenWrtDocs%282f%29Using.html"], "cvelist": ["CVE-1999-0508"], "type": "nessus", "lastseen": "2021-01-20T13:01:23", "edition": 23, "viewCount": 11, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-1999-0508"]}, {"type": "osvdb", "idList": ["OSVDB:824", "OSVDB:872", "OSVDB:624", "OSVDB:785", "OSVDB:812", "OSVDB:382", "OSVDB:399", "OSVDB:620", "OSVDB:817", "OSVDB:625"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/SNMP/SNMP_LOGIN"]}, {"type": "nessus", "idList": ["CISCO_NO_PW.NASL", "DDI_ENHYDRA_DEFAULT.NASL", "DDI_AIRCONNECT_DEFAULT_PASSWORD.NASL", "DDI_JAVASERVER_DEFAULT.NASL", "MIKROTIK_BLANK_PASSWORD_WWW.NASL", "DDI_TOMCAT_DEFAULT_ACCOUNTS.NASL", "POSTGRESQL_UNPASSWORDED.NASL", "SHIVA_DEFAULT_PASS.NASL", "CISCO_DEFAULT_PW.NASL", "3COM_SWITCHES.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231010778", "OPENVAS:10753", "OPENVAS:136141256231010798", "OPENVAS:136141256231010747", "OPENVAS:136141256231023938", "OPENVAS:136141256231011203", "OPENVAS:10820", "OPENVAS:10961", "OPENVAS:136141256231018414", "OPENVAS:136141256231010820"]}], "modified": "2021-01-20T13:01:23", "rev": 2}, "score": {"value": 5.8, "vector": "NONE", "modified": "2021-01-20T13:01:23", "rev": 2}, "vulnersScore": 5.8}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\n\nif (description)\n{\n script_id(40354);\n script_version(\"1.9\");\n\n script_cve_id(\"CVE-1999-0508\");\n\n script_name(english:\"OpenWrt Router with a Blank Password (telnet check)\");\n script_summary(english:\"Tries to access OpenWrt without a password\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote router does not have a password set.\"\n );\n script_set_attribute( attribute:\"description\", value:\n\"The remote host is running OpenWrt, an open source Linux distribution\nfor embedded devices, especially routers. \n\nIt is currently configured without a password, which is the case by\ndefault. Anyone can connect to the device via Telnet and gain\nadministrative access to it.\" );\n script_set_attribute(\n attribute:\"see_also\", \n value:\"http://oldwiki.openwrt.org/OpenWrtDocs%282f%29Using.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Set a password for the device.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SNMP Community Scanner');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(\n attribute:\"plugin_publication_date\", \n value:\"2009/07/23\"\n );\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"telnetserver_detect_type_nd_version.nasl\");\n script_require_ports(\"Services/telnet\", 23);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"telnet_func.inc\");\n\n\nport = get_kb_item(\"Services/telnet\");\nif (!port) port = 23;\nif (!get_tcp_port_state(port)) exit(0, \"No Telnet service was detected.\");\n\n\nbanner = get_telnet_banner(port:port);\nif (\n banner &&\n \"Use 'passwd' to set your login password\" >< banner &&\n \"W I R E L E S S F R E E D O M\" >< banner &&\n \"root@\" >< banner\n)\n{\n # Unless we're paranoid, make sure it's really OpenWrt.\n if (report_paranoia < 2)\n {\n soc = open_sock_tcp(port);\n if (soc)\n {\n res = telnet_negotiate(socket:soc);\n res += recv_until(socket:soc, pattern:\"root@\");\n if (!res)\n {\n close(soc);\n exit(0, \"Didn't receive a command prompt.\");\n }\n send(socket:soc, data:'cat /proc/version\\r\\n');\n\n res = recv_until(socket:soc, pattern:\"OpenWrt\");\n if (!res)\n {\n close(soc);\n exit(0, \"'/proc/version' doesn't mention OpenWrt.\");\n }\n close(soc);\n }\n else exit(1, \"Can't open a socket to verify it's really OpenWrt.\");\n }\n\n set_kb_item(name:\"openwrt/blank_telnet_password\", value:TRUE);\n\n if (report_verbosity > 0)\n {\n report = string(\n \"\\n\",\n \"The remote device uses the following banner :\\n\",\n \"\\n\",\n crap(data:\"-\", length:30), \" snip \", crap(data:\"-\", length:30), \"\\n\",\n banner, \"\\n\",\n crap(data:\"-\", length:30), \" snip \", crap(data:\"-\", length:30), \"\\n\"\n );\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n\n exit(0);\n}\nexit(0, \"The host is not affected.\");\n", "naslFamily": "CGI abuses", "pluginID": "40354", "cpe": [], "scheme": null}

{"cve": [{"lastseen": "2020-10-03T11:36:55", "description": "An account on a router, firewall, or other network device has a default, null, blank, or missing password.", "edition": 2, "cvss3": {}, "published": "1998-06-01T04:00:00", "title": "CVE-1999-0508", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-1999-0508"], "modified": "2008-09-09T12:34:00", "cpe": [], "id": "CVE-1999-0508", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0508", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-0508"], "edition": 1, "description": "## Vulnerability Description\nMany Cisco devices ship without a default password for access, and without a default password for administration. This allows an attacker complete access to the device, and can result in lost of confidentiality, integrity and/or availability.\n## Solution Description\nSet exec and enable passwords immediately after installation. Refer to the manual for the device.\n## Short Description\nMany Cisco devices ship without a default password for access, and without a default password for administration. This allows an attacker complete access to the device, and can result in lost of confidentiality, integrity and/or availability.\n## References:\n[CVE-1999-0508](https://vulners.com/cve/CVE-1999-0508)\n", "modified": "1999-01-01T00:00:00", "published": "1999-01-01T00:00:00", "id": "OSVDB:625", "href": "https://vulners.com/osvdb/OSVDB:625", "title": "Cisco Devices Ship Without Default Passwords", "type": "osvdb", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-0508"], "edition": 1, "description": "## Vulnerability Description\nBy default, the Shiva Integrator installs with a default password. The root account has no password which is publicly known and documented. This allows attackers to trivially access the program or system.\n## Technical Description\nAn attacker is able to telnet to this device and gain access.\n## Solution Description\nImmediately after installation, change all default install passwords to a unique and secure password. When possible, change default accounts to custom names as well.\n## Short Description\nBy default, the Shiva Integrator installs with a default password. The root account has no password which is publicly known and documented. This allows attackers to trivially access the program or system.\n## References:\n[Nessus Plugin ID:10500](https://vulners.com/search?query=pluginID:10500)\nGeneric Informational URL: http://www.ispeed.org/password.htm\nGeneric Informational URL: http://www.cirt.net/cgi-bin/passwd.pl?method=showven&ven=Intel\n[CVE-1999-0508](https://vulners.com/cve/CVE-1999-0508)\n", "modified": "2002-09-12T00:00:00", "published": "2002-09-12T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:399", "id": "OSVDB:399", "type": "osvdb", "title": "Shiva Integrator Default Password", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-0508"], "edition": 1, "description": "# No description provided by the source\n\n## References:\n[Nessus Plugin ID:11004](https://vulners.com/search?query=pluginID:11004)\n[CVE-1999-0508](https://vulners.com/cve/CVE-1999-0508)\n", "modified": "2001-01-01T00:00:00", "published": "2001-01-01T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:824", "id": "OSVDB:824", "title": "Ipswitch WhatsUp Gold Default Admin Account", "type": "osvdb", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-0508"], "edition": 1, "description": "## Vulnerability Description\nThis host appears to be the running the Apache Tomcat Servlet engine with the default accounts still configured. A potential intruder could reconfigure this service in a way that grants system access.\n## Technical Description\nChecks for a set of common account by try to request /admin/contextAdmin/contextList.jsp\n## Solution Description\nChange the default passwords by editing the admin-users.xml file located in the /conf/users subdirectory of the Tomcat installation.\n## Short Description\nThis host appears to be the running the Apache Tomcat Servlet engine with the default accounts still configured. A potential intruder could reconfigure this service in a way that grants system access.\n## References:\nVendor URL: http://tomcat.apache.org/\n[Nessus Plugin ID:11204](https://vulners.com/search?query=pluginID:11204)\n[CVE-1999-0508](https://vulners.com/cve/CVE-1999-0508)\n", "modified": "2000-01-19T00:00:00", "published": "2000-01-19T00:00:00", "id": "OSVDB:872", "href": "https://vulners.com/osvdb/OSVDB:872", "title": "Apache Tomcat Multiple Default Accounts", "type": "osvdb", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-0508"], "edition": 1, "description": "## Vulnerability Description\nBy default, Nortel switches and routers install with a default password. The rwa account has a password of rwa which is publicly known and documented. This allows attackers to trivially access the program or system.\n## Technical Description\nDefault accounts and passwords: \nrwa/rwa \nrw/rw \nl3/l3 \nl2/l2 \nl1/l1 \nl4admin/l4admin \nslbadmin/slbadmin \noperator/operator \nl4oper/l4oper \nslbop/slbop \nro/ro\n## Solution Description\nImmediately after installation, change all default install passwords to a unique and secure password. When possible, change default accounts to custom names as well.\n## Short Description\nBy default, Nortel switches and routers install with a default password. The rwa account has a password of rwa which is publicly known and documented. This allows attackers to trivially access the program or system.\n## References:\n[Nessus Plugin ID:10989](https://vulners.com/search?query=pluginID:10989)\nGeneric Informational URL: http://www.cirt.net/cgi-bin/passwd.pl?method=showven&ven=Nortel\n[CVE-1999-0508](https://vulners.com/cve/CVE-1999-0508)\n", "modified": "2002-09-12T00:00:00", "published": "2002-09-12T00:00:00", "id": "OSVDB:812", "href": "https://vulners.com/osvdb/OSVDB:812", "title": "Nortel Networks Default Password", "type": "osvdb", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-0508"], "edition": 1, "description": "## Vulnerability Description\nBy default, Sun JavaServer installs with a default password. The admin account has a password of admin which is publicly known and documented. This allows attackers to trivially access the program or system.\n## Technical Description\nThe service runs on port 9090\n## Solution Description\nImmediately after installation, change all default install passwords to a unique and secure password. When possible, change default accounts to custom names as well.\n## Short Description\nBy default, Sun JavaServer installs with a default password. The admin account has a password of admin which is publicly known and documented. This allows attackers to trivially access the program or system.\n## References:\nSnort Signature ID: 1859\n[Nessus Plugin ID:10995](https://vulners.com/search?query=pluginID:10995)\n[CVE-1999-0508](https://vulners.com/cve/CVE-1999-0508)\n", "modified": "2002-09-12T00:00:00", "published": "2002-09-12T00:00:00", "id": "OSVDB:817", "href": "https://vulners.com/osvdb/OSVDB:817", "title": "Sun JavaServer Default Password", "type": "osvdb", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-0508"], "edition": 1, "description": "## Vulnerability Description\nBy default, 3COM SuperStack II switches install with a default password. The security account has a password of security which is publicly known and documented. This allows attackers to trivially access the program or system.\n## Technical Description\nDefault username and password combinations: \nusername:security\npassword:security \n\nusername:manager\npassword:manager \n\nusername:monitor\npassword:monitor\n## Solution Description\nImmediately after installation, change all default install passwords to a unique and secure password. When possible, change default accounts to custom names as well. \n## Short Description\nBy default, 3COM SuperStack II switches install with a default password. The security account has a password of security which is publicly known and documented. This allows attackers to trivially access the program or system.\n## References:\n[Nessus Plugin ID:10747](https://vulners.com/search?query=pluginID:10747)\nGeneric Informational URL: http://www.phenoelit.de/dpl/dpl.html\nGeneric Informational URL: http://www.cirt.net/cgi-bin/passwd.pl?method=showven&ven=3COM\n[CVE-1999-0508](https://vulners.com/cve/CVE-1999-0508)\n", "modified": "2002-09-12T00:00:00", "published": "2002-09-12T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:620", "id": "OSVDB:620", "title": "3Com SuperStack II Default Password", "type": "osvdb", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-0508"], "edition": 1, "description": "## Vulnerability Description\nBy default, AOLserver installs with a default password. The nsadmin account has no password which is publicly known and documented. This allows attackers to trivially access the program or system.\n## Solution Description\nImmediately after installation, change all default install passwords to a unique and secure password. When possible, change default accounts to custom names as well.\n## Short Description\nBy default, AOLserver installs with a default password. The nsadmin account has no password which is publicly known and documented. This allows attackers to trivially access the program or system.\n## References:\nVendor URL: http://aolserver.sourceforge.net/\nVendor Specific Solution URL: http://www.aolserver.com/docs/admin/security.html\n[Nessus Plugin ID:10753](https://vulners.com/search?query=pluginID:10753)\n[CVE-1999-0508](https://vulners.com/cve/CVE-1999-0508)\n", "modified": "2002-09-12T00:00:00", "published": "2002-09-12T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:624", "id": "OSVDB:624", "title": "AOLserver Default Password", "type": "osvdb", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-0508"], "edition": 1, "description": "## Vulnerability Description\nBy default, the AirConnect wireless access point installs with a default password. The comcomcom account has a password of comcomcom which is publicly known and documented. This allows attackers to trivially access the program or system.\n## Solution Description\nImmediately after installation, change all default install passwords to a unique and secure password. When possible, change default accounts to custom names as well.\n## Short Description\nBy default, the AirConnect wireless access point installs with a default password. The comcomcom account has a password of comcomcom which is publicly known and documented. This allows attackers to trivially access the program or system.\n## References:\nVendor URL: http://www.3com.com/products/en_US/detail.jsp?tab=support&pathtype=support&sku=3CRWE74796B\n[Nessus Plugin ID:10961](https://vulners.com/search?query=pluginID:10961)\nISS X-Force ID: 6270\nGeneric Informational URL: http://www.cirt.net/cgi-bin/passwd.pl?method=showven&ven=3COM\n[CVE-1999-0508](https://vulners.com/cve/CVE-1999-0508)\n", "modified": "2002-09-12T00:00:00", "published": "2002-09-12T00:00:00", "id": "OSVDB:785", "href": "https://vulners.com/osvdb/OSVDB:785", "title": "3Com AirConnect AP Default Password", "type": "osvdb", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-0508"], "edition": 1, "description": "# No description provided by the source\n\n## References:\nISS X-Force ID: 1816\n[CVE-1999-0508](https://vulners.com/cve/CVE-1999-0508)\n", "modified": "1999-01-01T00:00:00", "published": "1999-01-01T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:263", "id": "OSVDB:263", "type": "osvdb", "title": "Cayman DSL Router Default Passwordless Account", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "metasploit": [{"lastseen": "2020-06-02T00:02:17", "description": "This module logs in to SNMP devices using common community names.\n", "published": "2011-11-20T02:12:07", "type": "metasploit", "title": "SNMP Community Login Scanner", "bulletinFamily": "exploit", "cvelist": ["CVE-1999-0508"], "modified": "2019-06-27T22:06:32", "id": "MSF:AUXILIARY/SCANNER/SNMP/SNMP_LOGIN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'metasploit/framework/community_string_collection'\nrequire 'metasploit/framework/login_scanner/snmp'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::AuthBrute\n\n def initialize\n super(\n 'Name' => 'SNMP Community Login Scanner',\n 'Description' => %q{\n This module logs in to SNMP devices using common community names.\n },\n 'Author' => 'hdm',\n 'References' =>\n [\n [ 'CVE', '1999-0508'] # Weak password\n ],\n 'License' => MSF_LICENSE\n )\n\n register_options(\n [\n Opt::RPORT(161),\n OptEnum.new('VERSION', [true, 'The SNMP version to scan', '1', ['1', '2c', 'all']]),\n OptString.new('PASSWORD', [ false, 'The password to test' ]),\n OptPath.new('PASS_FILE', [ false, \"File containing communities, one per line\",\n File.join(Msf::Config.data_directory, \"wordlists\", \"snmp_default_pass.txt\")\n ])\n ])\n\n deregister_options('USERNAME', 'USER_FILE', 'USERPASS_FILE', 'PASSWORD_SPRAY')\n end\n\n # Operate on a single host so that we can take advantage of multithreading\n def run_host(ip)\n\n collection = Metasploit::Framework::CommunityStringCollection.new(\n pass_file: datastore['PASS_FILE'],\n password: datastore['PASSWORD']\n )\n\n scanner = Metasploit::Framework::LoginScanner::SNMP.new(\n host: ip,\n port: rport,\n cred_details: collection,\n stop_on_success: datastore['STOP_ON_SUCCESS'],\n bruteforce_speed: datastore['BRUTEFORCE_SPEED'],\n version: datastore['VERSION'],\n framework: framework,\n framework_module: self,\n queue_size: 100\n )\n\n scanner.scan! do |result|\n credential_data = result.to_h\n credential_data.merge!(\n module_fullname: self.fullname,\n workspace_id: myworkspace_id\n )\n if result.success?\n credential_core = create_credential(credential_data)\n credential_data[:core] = credential_core\n create_credential_login(credential_data)\n\n print_good \"#{ip}:#{rport} - Login Successful: #{result.credential} (Access level: #{result.access_level}); Proof (sysDescr.0): #{result.proof}\"\n report_service(\n :host => ip,\n :port => rport,\n :proto => 'udp',\n :name => 'snmp',\n :info => result.proof,\n :state => 'open'\n )\n else\n invalidate_login(credential_data)\n print_error \"#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status})\"\n end\n end\n end\n\n def rport\n datastore['RPORT']\n end\n\n\n\n\nend\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/snmp/snmp_login.rb"}], "nessus": [{"lastseen": "2021-03-01T00:52:26", "description": "The remote device appears to be an Allied Telesyn router or switch\nthat can be accessed using default credentials. An attacker could\nleverage this issue to gain administrative access to the affected\ndevice. This password could also be potentially used to gain other\nsensitive information about the network from the device.", "edition": 23, "published": "2005-06-03T00:00:00", "title": "Allied Telesyn Router/Switch Default Password", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "modified": "2021-03-02T00:00:00", "cpe": [], "id": "ALLIED_TELESYN_TELNET.NASL", "href": "https://www.tenable.com/plugins/nessus/18414", "sourceData": "#\n#\n# This script was written by Charles Thier <cthier@thethiers.net>\n#\n# GPLv2\n#\n\n# Changes by Tenable:\n# - only attempt to login if the policy allows it (10/25/11)\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(18414);\n script_version(\"$Revision: 1.13 $\");\n script_cvs_date(\"$Date: 2015/09/24 20:59:28 $\");\n script_cve_id(\"CVE-1999-0508\");\n script_name(english:\"Allied Telesyn Router/Switch Default Password\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote network device can be accessed with default credentials.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote device appears to be an Allied Telesyn router or switch\nthat can be accessed using default credentials. An attacker could\nleverage this issue to gain administrative access to the affected\ndevice. This password could also be potentially used to gain other\nsensitive information about the network from the device.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.phenoelit-us.org/dpl/dpl.html\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Telnet to the device and change the default password.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SNMP Community Scanner');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/06/03\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n \n summary[\"english\"] = \"Logs into Allied Telesyn routers and switches with default password\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2005-2015 Charles Thier\");\n script_family(english:\"Misc.\");\n script_require_ports(23);\n \n exit(0);\n}\n\n\n#\n# The script code starts here\n#\n\ninclude(\"telnet_func.inc\");\nusrname = \"manager\";\npassword = \"friend\";\n\nport = 23;\nif(get_port_state(port))\n{\n if ( get_kb_item(\"global_settings/supplied_logins_only\") ) exit(0, \"Policy is configured to prevent trying default user accounts\");\n tnb = get_telnet_banner(port:port);\n if ( ! tnb ) exit(0);\n\n if (\"TELNET session\" >< tnb)\n {\n soc = open_sock_tcp(port);\n if(soc)\n {\n answer = recv(socket:soc, length:4096);\n if(\"ogin:\" >< answer)\n {\n send(socket:soc, data:string(usrname, \"\\r\\n\"));\n answer = recv(socket:soc, length:4096);\n send(socket:soc, data:string(password, \"\\r\\n\"));\n answer = recv(socket:soc, length:4096);\n if(\"Manager\" >< answer)\n {\n report = string(\n \"\\n\",\n \"Nessus was able to gain access using the following credentials :\\n\",\n \"\\n\",\n \" User : \", usrname, \"\\n\",\n \" Password : \", password, \"\\n\"\n );\n security_hole(port:port, extra:report);\n }\n }\n close(soc);\n }\n\n }\n}\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-01T00:52:25", "description": "The remote device appears to be a Bay Networks Accelar 1200 Switch \nthat can be accessed using default credentials. An attacker could\nleverage this issue to gain administrative access to the affected\ndevice. This password could also be potentially used to gain other\nsensitive information about the network from the device.", "edition": 23, "published": "2005-06-03T00:00:00", "title": "Bay Networks Accelar 1200 Switch Default Password (password) for 'usrname' Account", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "modified": "2021-03-02T00:00:00", "cpe": [], "id": "ACCELAR_1200.NASL", "href": "https://www.tenable.com/plugins/nessus/18415", "sourceData": "#\n# This script was written by Charles Thier <cthier@thethiers.net>\n#\n# GPLv2\n#\n\n# Changes by Tenable:\n# - only attempt to login if the policy allows it (10/25/11)\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(18415);\n script_version(\"$Revision: 1.15 $\");\n script_cve_id(\"CVE-1999-0508\");\n script_name(english:\"Bay Networks Accelar 1200 Switch Default Password (password) for 'usrname' Account\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote network device can be accessed with default credentials.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote device appears to be a Bay Networks Accelar 1200 Switch \nthat can be accessed using default credentials. An attacker could\nleverage this issue to gain administrative access to the affected\ndevice. This password could also be potentially used to gain other\nsensitive information about the network from the device.\" );\n # http://web.archive.org/web/20050209060646/http://www.cirt.net/cgi-bin/passwd.pl?method=showven&ven=Nortel\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?35874295\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Telnet to the device and change the default password.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SNMP Community Scanner');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/06/03\");\n script_cvs_date(\"$Date: 2015/09/24 20:59:26 $\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n \n summary[\"english\"] = \"Logs into Bay Networks switches with default password\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2005-2015 Charles Thier\");\n script_family(english:\"Misc.\");\n script_require_ports(23);\n exit(0);\n}\n\n\n#\n# The script code starts here\n#\n\ninclude(\"telnet_func.inc\");\nusrname = \"rwa\";\npassword = \"rwa\";\n\nport = 23;\nif (! get_port_state(port)) exit(0, \"TCP port \"+port+\" is closed.\");\nif ( get_kb_item(\"global_settings/supplied_logins_only\") ) exit(0, \"Policy is configured to prevent trying default user accounts\");\n\n\ntnb = get_telnet_banner(port:port);\nif ( ! tnb ) exit(1, \"No telnet banner on port \"+port+\".\");\n\nif (\"Accelar 1200\" >!< tnb) exit(0, \"The remote Telnet server is not Accelar 1200.\");\n\nsoc = open_sock_tcp(port);\nif (! soc) exit(1, \"TCP connection failed to port \"+port+\".\");\n\n answer = recv(socket:soc, length:4096);\n if(\"ogin:\" >< answer)\n {\n send(socket:soc, data:string(usrname, \"\\r\\n\"));\n answer = recv(socket:soc, length:4096);\n send(socket:soc, data:string(password, \"\\r\\n\"));\n answer = recv(socket:soc, length:4096);\n if(\"Accelar-1200\" >< answer)\n {\n report = string(\n \"\\n\",\n \"Nessus was able to gain access using the following credentials :\\n\",\n \"\\n\",\n \" User : \", usrname, \"\\n\",\n \" Password : \", password, \"\\n\"\n );\n security_hole(port:port, extra:report);\n }\n }\n close(soc);\n\n\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T08:51:49", "description": "This WhatsUp Gold server still has the default password for the admin\nuser account. An attacker can use this account to probe other systems\non the network and obtain sensitive information about the monitored\nsystems.", "edition": 17, "published": "2002-06-05T00:00:00", "title": "Ipswitch WhatsUp Gold Default Admin Account", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "modified": "2002-06-05T00:00:00", "cpe": [], "id": "DDI_WHATSUP_DEFAULT.NASL", "href": "https://www.tenable.com/plugins/nessus/11004", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# Copyright 2001 by H D Moore <hdmoore@digitaldefense.net>\n#\n# See the Nessus Scripts License for details\n#\n\n# Changes by Tenable:\n# - Revised plugin title, changed family (4/13/2009)\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif(description)\n{\n script_id(11004);\n script_version(\"1.20\");\n\n script_cve_id(\"CVE-1999-0508\");\n\n script_name(english:\"Ipswitch WhatsUp Gold Default Admin Account\");\n script_summary(english:\"WhatsUp Gold Default Admin Account\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server uses a default set of administrative\ncredentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"This WhatsUp Gold server still has the default password for the admin\nuser account. An attacker can use this account to probe other systems\non the network and obtain sensitive information about the monitored\nsystems.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Login to this system and either disable the admin account or assign\nit a difficult to guess password.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SNMP Community Scanner');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\n\"2002/06/05\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2002-2021 Digital Defense Inc.\");\n script_family(english:\"CGI abuses\");\n script_dependencie(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\n\nport = get_http_port(default:80, embedded:TRUE);\nif (!get_port_state(port)) exit(0, \"Port \"+port+\" is not open.\");\n\nif (supplied_logins_only) exit(0, \"The 'Do not log in with user accounts not specified in the policy' preference setting is enabled.\");\n\nsoc = http_open_socket(port);\nif (!soc) exit(1, \"Failed to open a socket on port \"+port+\".\");\n\nreq = string(\"GET / HTTP/1.0\\r\\nAuthorization: Basic YWRtaW46YWRtaW4K\\r\\n\\r\\n\");\nsend(socket:soc, data:req);\nbuf = http_recv(socket:soc);\nhttp_close_socket(soc);\n\nif (!isnull(buf) && \"Whatsup Gold\" >< buf && \"Unauthorized User\" >!< buf)\n{\n security_hole(port:port);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-14T12:47:39", "description": "This system appears to be running the Enhydra application server\nconfigured with the default administrator password of 'enhydra'. A\npotential intruder could reconfigure this service and use it to obtain\nfull access to the system.", "edition": 17, "published": "2003-01-22T00:00:00", "title": "Enhydra Multiserver Default Password", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "modified": "2003-01-22T00:00:00", "cpe": [], "id": "DDI_ENHYDRA_DEFAULT.NASL", "href": "https://www.tenable.com/plugins/nessus/11202", "sourceData": "#\n# This script was written by H D Moore <hdmoore@digitaldefense.net>\n#\n# See the Nessus Scripts License for details\n#\n# Changes by Tenable:\n# - Revised plugin family (1/21/2009)\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11202);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/12\");\n\n script_cve_id(\"CVE-1999-0508\");\n\n script_name(english:\"Enhydra Multiserver Default Password\");\n script_summary(english:\"Enhydra Multiserver Default Admin Password\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote application server is protected with default administrative\ncredentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"This system appears to be running the Enhydra application server\nconfigured with the default administrator password of 'enhydra'. A\npotential intruder could reconfigure this service and use it to obtain\nfull access to the system.\");\n script_set_attribute(attribute:\"solution\", value:\"Set a strong password for the 'admin' account.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SNMP Community Scanner');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/01/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2003-2020 Digital Defense Inc.\");\n script_family(english:\"Web Servers\");\n\n script_dependencie(\"http_version.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_require_ports(\"Services/www\", 8001);\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nport = get_http_port(default:8001, embedded:TRUE);\nif (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);\n\nbanner = get_http_banner(port:port);\nif ( ! banner || \"Enhydra\" >!< banner ) exit(0, \"The web server listening on port \"+port+\" does not look like an Enhydra application server.\");\n\nreq = http_get(item:\"/Admin.po?proceed=yes\", port:port);\nreq = req - string(\"\\r\\n\\r\\n\");\nreq = string(req, \"\\r\\nAuthorization: Basic YWRtaW46ZW5oeWRyYQ==\\r\\n\\r\\n\");\nbuf = http_keepalive_send_recv(port:port, data:req);\n\nif (\"Enhydra Multiserver Administration\" >< buf) security_hole(port);\nelse audit(AUDIT_LISTEN_NOT_VULN, \"Enhydra application server\", port);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-14T12:47:39", "description": "The remote F5 Networks device has the default password set for the\n'support' user account. This account normally provides read/write\naccess to the web configuration utility. An attacker could take\nadvantage of this to reconfigure your systems and possibly gain shell\naccess to the system with super-user privileges.", "edition": 16, "published": "2001-12-06T00:00:00", "title": "F5 Device Default Support Password", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "modified": "2001-12-06T00:00:00", "cpe": [], "id": "DDI_F5_DEFAULT_SUPPORT.NASL", "href": "https://www.tenable.com/plugins/nessus/10820", "sourceData": "#\n# Copyright 2001 by H D Moore <hdmoore@digitaldefense.net>\n#\n# See the Nessus Scripts License for details\n#\n\n# Changes by Tenable:\n# - Output formatting, family change (8/22/09)\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(10820);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/12\");\n\n script_cve_id(\"CVE-1999-0508\");\n\n script_name(english:\"F5 Device Default Support Password\");\n script_summary(english:\"F5 Device Default Support Password\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote service is protected with default administrative\ncredentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote F5 Networks device has the default password set for the\n'support' user account. This account normally provides read/write\naccess to the web configuration utility. An attacker could take\nadvantage of this to reconfigure your systems and possibly gain shell\naccess to the system with super-user privileges.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Remove the 'support' account entirely or change the password of this\naccount to something that is difficult to guess.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SNMP Community Scanner');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2001/12/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2001-2020 Digital Defense Inc.\");\n script_family(english:\"Misc.\");\n\n script_dependencies(\"http_version.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_require_ports(\"Services/www\", 443);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nport = get_http_port(default:443, embedded:TRUE);\nif (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);\n\nuser = 'support';\npass = 'support';\n\nsoc = http_open_socket(port);\nif (!soc) audit(AUDIT_SOCK_FAIL, port);\n\nreq = string(\"GET /bigipgui/bigconf.cgi?command=bigcommand&CommandType=bigpipe HTTP/1.0\\r\\nAuthorization: Basic \", base64(str:user+':'+pass), \"\\r\\n\\r\\n\");\nsend(socket:soc, data:req);\nbuf = http_recv(socket:soc);\nhttp_close_socket(soc);\n\nif (!isnull(buf) && (\"/bigipgui/\" >< buf) && (\"System Command\" >< buf))\n{\n if (report_verbosity > 0)\n {\n report = '\\n User : ' + user +\n '\\n Password : ' + pass +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n set_kb_item(name:\"Services/www/\" + port + \"/embedded\", value:TRUE);\n}\nelse exit(0, \"The web server listening on port \"+port+\" is not affected.\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-16T00:40:14", "description": "This host appears to be the running the Apache Tomcat\nServlet engine with the default accounts still configured.\nA potential intruder could reconfigure this service in a way\nthat grants system access.", "edition": 14, "cvss3": {"score": 7.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2003-01-22T00:00:00", "title": "Apache Tomcat Default Accounts", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "modified": "2003-01-22T00:00:00", "cpe": ["cpe:/a:apache:tomcat"], "id": "DDI_TOMCAT_DEFAULT_ACCOUNTS.NASL", "href": "https://www.tenable.com/plugins/nessus/11204", "sourceData": "#\n# This script was written by Orlando Padilla <orlando.padilla@digitaldefense.net>\n#\n# See the Nessus Scripts License for details\n#\n\n# Changes by Tenable:\n# - only attempt to login if the policy allows it (10/25/11 and 6/2015)\n# - Updates to formatting and logging functionalities\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11204);\n script_version(\"1.29\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/12\");\n\n script_cve_id(\"CVE-1999-0508\");\n\n script_name(english:\"Apache Tomcat Default Accounts\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an application that can be accessed with\ndefault credentials.\" );\n script_set_attribute(attribute:\"description\", value:\n\"This host appears to be the running the Apache Tomcat\nServlet engine with the default accounts still configured.\nA potential intruder could reconfigure this service in a way\nthat grants system access.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Change the default passwords by editing the admin-users.xml file\nlocated in the /conf/users subdirectory of the Tomcat installation.\");\n\tscript_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\tscript_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n\tscript_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-1999-0508\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2000/01/19\");\n\tscript_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/01/22\");\n\tscript_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n\n\tscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n\tscript_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:tomcat\");\n script_set_attribute(attribute:\"default_account\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Web Servers\");\n\n script_copyright( english:\"This script is Copyright (C) 2003-2020 Digital Defense Inc.\");\n\n script_dependencies(\"find_service1.nasl\", \"http_version.nasl\");\n\tscript_require_ports(\"Services/www\");\n\tscript_require_keys(\"Settings/ParanoidReport\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\n\nport = get_http_port(default:8080, embedded:TRUE);\n\nif (report_paranoia < 2)\n{\n banner = get_http_banner(port:port);\n\tif (banner && \"Tomcat\" >!< banner && \"Coyote\" >!< banner) exit(0, \"The web server listening on port \"+ port +\" is not Apache Tomcat\");\n\taudit(AUDIT_PARANOID);\n}\n\nif ( supplied_logins_only ) exit(0, \"Policy is configured to prevent trying default user accounts\");\n\n#assert on init\nflag=1;\n\n#list of default acnts base64()'d\nauth[0]='YWRtaW46dG9tY2F0\\r\\n\\r\\n'; real_auth[0]='admin:tomcat';\nauth[1]='YWRtaW46YWRtaW4=\\r\\n\\r\\n'; real_auth[1]='admin:admin';\nauth[2]='dG9tY2F0OnRvbWNhdA==\\r\\n\\r\\n'; real_auth[2]='tomcat:tomcat';\nauth[3]='cm9vdDpyb290\\r\\n\\r\\n'; real_auth[3]='root:root';\nauth[4]='cm9sZTE6cm9sZTE=\\r\\n\\r\\n'; real_auth[4]='role1:role1';\nauth[5]='cm9sZTpjaGFuZ2V0aGlz\\r\\n\\r\\n'; real_auth[5]='role:changethis';\nauth[6]='cm9vdDpjaGFuZ2V0aGlz\\r\\n\\r\\n'; real_auth[6]='root:changethis';\nauth[7]='dG9tY2F0OmNoYW5nZXRoaXM=\\r\\n\\r\\n'; real_auth[7]='tomcat:changethis';\nauth[8]='eGFtcHA6eGFtcHA=\\r\\n\\r\\n'; real_auth[8]='xampp:xampp';\nauth[9]='YWRtaW46Y2hhbmdldGhpcw==\\r\\n\\r\\n'; real_auth[9]='admin:changethis';\n\n\n#basereq string\nbasereq = http_get(item:'/admin/contextAdmin/contextList.jsp', port:port);\nbasereq = basereq - '\\r\\n\\r\\n';\n\nauthBasic='\\r\\n' + 'Authorization: Basic ';\n\ni = 0;\nfound = 0;\nreport = '\\n';\n\nif(get_port_state(port))\n{\n\tif(http_is_dead(port:port))exit(0, 'The web server on port '+port+' is dead');\n\t\n\t# Check that we need any authorization at all\n\tsoc = http_open_socket(port);\n\tif(!soc) audit(AUDIT_SOCK_FAIL, port);\n\tsend(socket:soc, data:http_get(item:'/admin/contextAdmin/contextList.jsp', port:port));\n\trs = http_recv(socket:soc);\n\t\n\thttp_close_socket(soc);\n\tif(!preg(pattern:\"^HTTP/1\\.[0-1] 401 \", string:rs))audit(AUDIT_HOST_NOT, \"affected\");\n\tif(('<title>Context list</title>' >< rs) || ('<title>Context Admin</title>' >< rs))exit(0);\n\t\n\t\n\twhile( auth[i] )\n\t{\n\t soc = http_open_socket(port);\n\t if(soc)\n\t {\n\t t0 = basereq + authBasic + auth[i];\n\t send(socket:soc,data:t0);\n\t rs = http_recv(socket:soc);\n\n if (!isnull(rs) && !pgrep(pattern:\"Context (list|Admin)\",string:rs))\n {\n\t basereq = http_get(item:'/admin/contextAdmin/contextAdmin.html', port:port);\n\t basereq = basereq - '\\r\\n\\r\\n';\n\t t0 = basereq + authBasic + auth[i];\n\t send(socket:soc,data:t0);\n\t rs = http_recv(socket:soc);\n } \n \n \t # minor changes between versions of jakarta\n\t if(!isnull(rs) && (('<title>Context list</title>' >< rs) || ('<title>Context Admin</title>' >< rs) || '<title>Admin Context</title>' >< rs))\n\t { \n\t\tfound = found + 1;\n\t\tif(found == 1)\n\t\t\treport = '\\nThe following accounts were discovered: \\n\\n' + real_auth[i] + '\\n';\n\t\telse {\n\t\t\treport = report + real_auth[i] + '\\n';\n\t\t}\n\t }\n\t http_close_socket(soc);\n\t i=i+1;\t \n\t }\n\t}\n}\n\n# should we include the plugin description?\nif (found)\n{\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T08:51:48", "description": "The remote host is running the Sun JavaServer. This server has the\ndefault username and password of admin. An attacker can use this to\ngain complete control over the web server configuration and possibly\nexecute commands.", "edition": 23, "published": "2002-06-05T00:00:00", "title": "Sun JavaServer Default Admin Password", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "modified": "2002-06-05T00:00:00", "cpe": [], "id": "DDI_JAVASERVER_DEFAULT.NASL", "href": "https://www.tenable.com/plugins/nessus/10995", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# This script written by H D Moore <hdmoore@digitaldefense.net>\n#\n# See the Nessus Scripts License for details\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif(description)\n{\n script_id(10995);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-1999-0508\");\n\n script_name(english:\"Sun JavaServer Default Admin Password\");\n script_summary(english:\"Sun JavaServer Default Admin Password\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server uses a default set of administrative\ncredentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running the Sun JavaServer. This server has the\ndefault username and password of admin. An attacker can use this to\ngain complete control over the web server configuration and possibly\nexecute commands.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Set the web administration interface to require a password. For more\ninformation please consult the documentation located in the /system/\ndirectory of the web server.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SNMP Community Scanner');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\n\"2002/06/05\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2002/09/12\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2002-2021 Digital Defense Inc.\");\n script_family(english:\"CGI abuses\");\n\n script_dependencie(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 9090);\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"http_func.inc\");\ninclude(\"misc_func.inc\");\n\nreq = NULL;\nreq = \"/servlet/admin?category=server&method=listAll&Authorization=Digest+\";\nreq = req + \"username%3D%22admin%22%2C+response%3D%22ae9f86d6beaa3f9ecb9a5b7e072a4138%22%2C+\";\nreq = req + \"nonce%3D%222b089ba7985a883ab2eddcd3539a6c94%22%2C+realm%3D%22adminRealm%22%2C+\";\nreq = req + \"uri%3D%22%2Fservlet%2Fadmin%22&service=\";\n\nports = add_port_in_list(list:get_kb_list(\"Services/www\"), port:9090);\n\nforeach port (ports)\n{\n if ( ! get_kb_item(\"Services/www/\" + port + \"/embedded\") )\n {\n soc = http_open_socket(port);\n if (soc)\n {\n req1 = NULL;\n req1 = string(\"GET \", req, \" HTTP/1.0\\r\\n\\r\\n\");\n send(socket:soc, data:req1);\n buf = http_recv(socket:soc);\n http_close_socket(soc);\n if (!isnull(buf) && \"server.javawebserver.serviceAdmin\" >< buf)\n {\n security_hole(port:port);\n }\n }\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-01T06:05:19", "description": "The remote Shiva router uses the default password. \nThis means that anyone who has (downloaded) a user manual can \ntelnet to it and reconfigure it to lock you out of it, and to \nprevent you to use your internet connection.", "edition": 24, "published": "2000-08-31T00:00:00", "title": "Shiva Integrator Default Password", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "modified": "2021-03-02T00:00:00", "cpe": [], "id": "SHIVA_DEFAULT_PASS.NASL", "href": "https://www.tenable.com/plugins/nessus/10500", "sourceData": "#\n# This script was written by Stefaan Van Dooren <stefaanv@kompas.be>\n#\n# See the Nessus Scripts License for details\n#\n# Changes by Tenable\n# - only attempt to login if the policy allows it (10/25/11 and 6/2015)\n# - Updated to use compat.inc, added CVSS score (11/20/2009)\n# - Updated to use global_settings.inc (6/2015)\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(10500);\n script_version (\"1.15\");\n script_cvs_date(\"Date: 2018/08/13 14:32:36\");\n\n script_cve_id(\"CVE-1999-0508\");\n\n script_name(english:\"Shiva Integrator Default Password\");\n script_summary(english:\"Attempts to log in to the remote host.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote router can be accessed with default credentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Shiva router uses the default password. \nThis means that anyone who has (downloaded) a user manual can \ntelnet to it and reconfigure it to lock you out of it, and to \nprevent you to use your internet connection.\");\n script_set_attribute(attribute:\"solution\", value:\n\"telnet to this router and set a different password immediately.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SNMP Community Scanner');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2002/09/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2000/08/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n \n script_copyright(english:\"This script is Copyright (C) 2000-2018 Stefaan Van Dooren\");\n\n script_require_ports(23);\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n \n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"global_settings.inc\");\n\nport = 23;\nif(get_port_state(port))\n{\n\tif (supplied_logins_only) exit(0, \"Policy is configured to prevent trying default user accounts\");\n\tsoc = open_sock_tcp(port);\n\tif(soc)\n\t{\n\t\tdata = string(\"hello\\n\\r\");\n\t\tsend(data:data, socket:soc);\n\t\tbuf = recv(socket:soc, length:4096);\n\t\tif (\"ntering privileged mode\" >< buf)\n\t\t\tsecurity_hole(port);\n\t\tclose(soc);\n\t}\n}\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-16T00:40:14", "description": "This AirConnect wireless access point still has the default password\nset for the web interface. This could be abused by an attacker to gain\nfull control over the wireless network settings.", "edition": 16, "published": "2002-05-22T00:00:00", "title": "AirConnect Default Password", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "modified": "2002-05-22T00:00:00", "cpe": [], "id": "DDI_AIRCONNECT_DEFAULT_PASSWORD.NASL", "href": "https://www.tenable.com/plugins/nessus/10961", "sourceData": "#\n# This script was written by H D Moore\n# Information about the AP provided by Brian Caswell\n#\n# Chnages by Tenable :\n#\n# Added CVSS2 score, revised desc, updated severity.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(10961);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/12\");\n\n script_cve_id(\"CVE-1999-0508\");\n\n script_name(english:\"AirConnect Default Password\");\n script_summary(english:\"3Com AirConnect AP Default Password\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"It is possible to access the remote wireless access point with default\ncredentials.\");\n script_set_attribute(attribute:\"description\", value:\n\"This AirConnect wireless access point still has the default password\nset for the web interface. This could be abused by an attacker to gain\nfull control over the wireless network settings.\");\nscript_set_attribute(attribute:\"solution\", value:\n\"Change the password to something difficult to guess via the web\ninterface.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SNMP Community Scanner');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2002/09/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2002/05/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n\n script_copyright(english:\"This script is Copyright (C) 2002-2020 Digital Defense Inc.\");\n script_family(english:\"Misc.\");\n\n script_dependencies(\"http_version.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nfunction sendrequest (request, port)\n{\n local_var reply;\n reply = http_keepalive_send_recv(data:request, port:port);\n if (isnull(reply)) exit(1, \"The web server listening on port \"+port+\" failed to respond.\");\n return(reply);\n}\n\n#\n# The script code starts here\n#\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nport = get_http_port(default:80, embedded:TRUE);\nif (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);\n\nuser = 'comcomcom';\npass = 'comcomcom';\n\nreq = string(\"GET / HTTP/1.0\\r\\nAuthorization: Basic \", base64(str:user+':'+pass), \"\\r\\n\\r\\n\");\nreply = sendrequest(request:req, port:port);\n\nif (\"SecuritySetup.htm\" >< reply)\n{\n if (report_verbosity > 0)\n {\n report = '\\n User : ' + user +\n '\\n Password : ' + pass +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse exit(0, \"The web server listening on port \"+port+\" is not affected.\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-01T01:41:09", "description": "The remote host appears to be a Cisco router or switch with no\npassword set. This can allow a remote attacker to login to the device\nand take control of it.", "edition": 28, "published": "2001-09-07T00:00:00", "title": "Cisco Multiple Devices Unpassworded Account", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "modified": "2021-03-02T00:00:00", "cpe": [], "id": "CISCO_NO_PW.NASL", "href": "https://www.tenable.com/plugins/nessus/10754", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif(description)\n{\n script_id(10754);\n script_cve_id(\"CVE-1999-0508\");\n script_version (\"1.23\");\n \n script_name(english:\"Cisco Multiple Devices Unpassworded Account\");\n script_summary(english:\"Checks for the absence of a password\");\n\n script_set_attribute( attribute:\"synopsis\", value:\n\"It is possible to login to the remote network device without a\npassword.\" );\n script_set_attribute( attribute:\"description\", value:\n\"The remote host appears to be a Cisco router or switch with no\npassword set. This can allow a remote attacker to login to the device\nand take control of it.\" );\n script_set_attribute( attribute:\"solution\", value:\n\"Login and set exec and enable passwords. For more information, refer\nrefer to the manual for the device.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:TF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2001/09/07\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"1999/01/01\");\n script_cvs_date(\"Date: 2018/07/25 16:19:22\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n \n script_copyright(english:\"This script is Copyright (C) 2001-2018 Tenable Network Security, Inc.\");\n\n script_dependencie(\"find_service1.nasl\");\n script_require_ports(\"Services/telnet\", 23);\n exit(0);\n}\n\n\ninclude('telnet_func.inc');\n\nfunction test_cisco(password, port)\n{\n local_var soc, r;\n\n soc = open_sock_tcp(port);\n\n if(soc)\n {\n r = telnet_negotiate(socket:soc);\n r = recv(socket:soc, length:4096);\n send(socket:soc, data:string(password, \"\\r\\n\"));\n r = recv(socket:soc, length:4096);\n send(socket:soc, data:string(\"show ver\\r\\n\"));\n r = recv(socket:soc, length:4096);\n if(\"Cisco Internetwork Operating System Software\" >< r)\n {\n security_hole(port);\n set_kb_item(name: 'CISCO/no_passwd/'+port, value: TRUE);\n }\n close(soc);\n }\n}\n\n\nport = get_kb_item(\"Services/telnet\");\nif(!port)port = 23;\nif(!get_port_state(port))exit(0);\n\nbanner = get_telnet_banner(port:port);\nif ( ! banner || \"User Access Verification\" >!< banner ) exit(0);\n\n\ntest_cisco(password:\"\", port:port);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-05-12T15:08:22", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "description": "The remote web server is running AOL web server (AOLserver) with\n the default username and password set.", "modified": "2020-05-08T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231010753", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010753", "type": "openvas", "title": "AOLserver Default Password", "sourceData": "# OpenVAS Vulnerability Test\n# Description: AOLserver Default Password\n#\n# Authors:\n# Noam Rathaus <noamr@securiteam.com>\n#\n# Copyright:\n# Copyright (C) 2001 SecuriTeam\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10753\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_cve_id(\"CVE-1999-0508\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"AOLserver Default Password\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2001 SecuriTeam\");\n script_family(\"Default Accounts\");\n script_dependencies(\"gb_aol_server_detect.nasl\", \"gb_default_credentials_options.nasl\");\n script_mandatory_keys(\"aol/server/detected\");\n script_require_ports(\"Services/www\", 8000);\n script_exclude_keys(\"default_credentials/disable_default_account_checks\");\n\n script_tag(name:\"solution\", value:\"Change the default username and password on your web server.\");\n\n script_tag(name:\"summary\", value:\"The remote web server is running AOL web server (AOLserver) with\n the default username and password set.\");\n\n script_tag(name:\"impact\", value:\"An attacker may use this to gain control of the remote web server.\");\n\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n exit(0);\n}\n\nif(get_kb_item(\"default_credentials/disable_default_account_checks\"))\n exit(0);\n\nCPE = \"cpe:/a:aol:aolserver\";\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\n\nif(!port = get_app_port(cpe:CPE))\n exit(0);\n\nif(!get_app_location(port:port, cpe:CPE))\n exit(0);\n\nurl = \"/nstelemetry.adp\";\nreq = string(\"GET \", url, \" HTTP/1.0\\r\\nAuthorization: Basic bnNhZG1pbjp4\\r\\n\\r\\n\");\nres = http_send_recv(port:port, data:req);\n\nif(ereg(string:res, pattern:\"^HTTP/1\\.[01] 200\") && \"AOLserver Telemetry\" >< res) {\n report = http_report_vuln_url(port:port, url:url);\n security_message(port:port, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-02T21:10:05", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "description": "This Linksys Router has the default password \nset for the web administration console. \nThis console provides read/write access to the\nrouter's configuration. An attacker could take\nadvantage of this to reconfigure the router and \npossibly re-route traffic.", "modified": "2017-04-27T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:10999", "href": "http://plugins.openvas.org/nasl.php?oid=10999", "type": "openvas", "title": "Linksys Router Default Password", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: DDI_Linksys_Router_Default_Password.nasl 6040 2017-04-27 09:02:38Z teissa $\n# Description: Linksys Router Default Password\n#\n# Authors:\n# Forrest Rae <forrest.rae@digitaldefense.net>\n#\n# Copyright:\n# Copyright (C) 2002 Digital Defense Inc.\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"This Linksys Router has the default password \nset for the web administration console. \nThis console provides read/write access to the\nrouter's configuration. An attacker could take\nadvantage of this to reconfigure the router and \npossibly re-route traffic.\";\n\ntag_solution = \"Please assign the web administration\n console a difficult to guess password.\";\n\nif(description)\n{\n\tscript_id(10999);\n\tscript_version(\"$Revision: 6040 $\");\n\tscript_tag(name:\"last_modification\", value:\"$Date: 2017-04-27 11:02:38 +0200 (Thu, 27 Apr 2017) $\");\n\tscript_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n\tscript_cve_id(\"CVE-1999-0508\");\n\tname = \"Linksys Router Default Password\";\n\tscript_name(name);\n\tsummary = \"Linksys Router Default Password\";\n\tscript_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_active\");\n\tscript_copyright(\"This script is Copyright (C) 2002 Digital Defense Inc.\");\n\tfamily = \"General\";\n\tscript_family(family);\n\tscript_dependencies(\"find_service.nasl\");\n\tscript_require_ports(\"Services/www\", 80);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n\texit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"http_func.inc\");\n\nport = get_http_port(default:80);\n\nif (!get_port_state(port))port = 8080;\n\nif(get_port_state(port))\n{\n\tsoc = open_sock_tcp(port);\n\tif (soc)\n\t{\n\t\n\t\t# HTTP auth = \":admin\"\n\t\t# req = string(\"GET / HTTP/1.0\\r\\nAuthorization: Basic OmFkbWlu\\r\\n\\r\\n\");\n\t\t\n\t\t# HTTP auth = \"admin:admin\"\n\t\treq = string(\"GET / HTTP/1.0\\r\\nAuthorization: Basic YWRtaW46YWRtaW4=\\r\\n\\r\\n\");\n\t\t\n\t\t# Both work, second is used to be RFC compliant.\n\t\t\n\t\tsend(socket:soc, data:req);\n\t\tbuf = http_recv(socket:soc);\n\t\t\n\t\tclose(soc);\n\t\tif ((\"Status.htm\" >< buf) && (\"DHCP.htm\" >< buf) && (\"Log.htm\" >< buf) && (\"Security.htm\" >< buf) ||\n\t\t (\"next_file=Setup.htm\" >< buf && \"Checking JavaScript Support\" >< buf) #WAG120N\n\t\t )\n\t\t{\n\t\t\tsecurity_message(port:port);\n\t\t}\n\t}\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-06-11T15:22:34", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "description": "The remote host appears to be an Avaya P330 Stackable Switch with its default password set.", "modified": "2020-06-09T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231017638", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231017638", "type": "openvas", "title": "Avaya P330 Stackable Switch found with default password", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Avaya P330 Stackable Switch found with default password\n#\n# Authors:\n# Charles Thier <cthier@thethiers.net>\n#\n# Copyright:\n# Copyright (C) 2005 Charles Thier\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.17638\");\n script_version(\"2020-06-09T14:44:58+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 14:44:58 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-1999-0508\");\n script_name(\"Avaya P330 Stackable Switch found with default password\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2005 Charles Thier\");\n script_family(\"Default Accounts\");\n script_dependencies(\"telnetserver_detect_type_nd_version.nasl\", \"gb_default_credentials_options.nasl\");\n script_require_ports(\"Services/telnet\", 23);\n script_mandatory_keys(\"telnet/avaya_p330/detected\");\n script_exclude_keys(\"default_credentials/disable_default_account_checks\");\n\n script_add_preference(name:\"Use complete password list (not only vendor specific passwords)\", type:\"checkbox\", value:\"no\");\n\n script_tag(name:\"solution\", value:\"Telnet to this switch and change the default password.\");\n\n script_tag(name:\"summary\", value:\"The remote host appears to be an Avaya P330 Stackable Switch with its default password set.\");\n\n script_tag(name:\"impact\", value:\"The attacker could use this default password to gain remote access\n to your switch. This password could also be potentially used to\n gain other sensitive information about your network from the switch.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"telnet_func.inc\");\ninclude(\"default_credentials.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"dump.inc\");\n\n# If optimize_test = no\nif( get_kb_item( \"default_credentials/disable_default_account_checks\" ) )\n exit( 0 );\n\nport = telnet_get_port( default:23 );\nbanner = telnet_get_banner( port:port );\nif( ! banner || \"Welcome to P330\" >!< banner )\n exit( 0 );\n\np = script_get_preference( \"Use complete password list (not only vendor specific passwords)\" );\nif( \"yes\" >< p ) {\n clist = try();\n} else {\n clist = try( vendor:\"avaya\" );\n}\nif( ! clist ) exit( 0 );\n\nforeach credential( clist ) {\n\n # Handling of user uploaded credentials which requires to escape a ';' or ':'\n # in the user/password so it doesn't interfere with our splitting below.\n credential = str_replace( string:credential, find:\"\\;\", replace:\"#sem_legacy#\" );\n credential = str_replace( string:credential, find:\"\\:\", replace:\"#sem_new#\" );\n\n user_pass = split( credential, sep:\":\", keep:FALSE );\n if( isnull( user_pass[0] ) || isnull( user_pass[1] ) ) {\n # nb: ';' was used pre r9566 but was changed to ':' as a separator as the\n # GSA is stripping ';' from the NVT description. Keeping both in here\n # for backwards compatibility with older scan configs.\n user_pass = split( credential, sep:\";\", keep:FALSE );\n if( isnull( user_pass[0] ) || isnull( user_pass[1] ) )\n continue;\n }\n\n user = chomp( user_pass[0] );\n pass = chomp( user_pass[1] );\n\n user = str_replace( string:user, find:\"#sem_legacy#\", replace:\";\" );\n pass = str_replace( string:pass, find:\"#sem_legacy#\", replace:\";\" );\n user = str_replace( string:user, find:\"#sem_new#\", replace:\":\" );\n pass = str_replace( string:pass, find:\"#sem_new#\", replace:\":\" );\n\n if( tolower( pass ) == \"none\" ) pass = \"\";\n\n soc = open_sock_tcp( port );\n if( ! soc ) continue;\n\n answer = recv( socket:soc, length:4096 );\n if( \"ogin:\" >< answer ) {\n send( socket:soc, data:string( user, \"\\r\\n\" ) );\n answer = recv( socket:soc, length:4096 );\n send( socket:soc, data:string( pass, \"\\r\\n\" ) );\n answer = recv( socket:soc, length:4096 );\n\n if( \"Password accepted\" >< answer ) {\n security_message( port:port, data:\"It was possible to login with the credentials '\" + user + \":\" + pass + \"'.\" );\n }\n }\n close( soc );\n}\n\nexit( 0 );\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-06-07T12:41:55", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "description": "The Shiva LanRover has no password set for the\n root user account.", "modified": "2019-06-06T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231010998", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010998", "type": "openvas", "title": "Shiva LanRover Blank Password", "sourceData": "# OpenVAS Vulnerability Test\n# Description: Shiva LanRover Blank Password\n#\n# Authors:\n# H D Moore <hdmoore@digitaldefense.net>\n#\n# Copyright:\n# Copyright (C) 2002 Digital Defense Incorporated\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10998\");\n script_version(\"2019-06-06T07:39:31+0000\");\n script_tag(name:\"last_modification\", value:\"2019-06-06 07:39:31 +0000 (Thu, 06 Jun 2019)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-1999-0508\");\n script_name(\"Shiva LanRover Blank Password\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_copyright(\"This script is Copyright (C) 2002 Digital Defense Incorporated\");\n script_family(\"Privilege escalation\");\n script_dependencies(\"telnetserver_detect_type_nd_version.nasl\");\n script_require_ports(\"Services/telnet\", 23);\n script_mandatory_keys(\"telnet/shiva/lanrover/detected\");\n\n script_tag(name:\"solution\", value:\"Telnet to this device and change the\n password for the root account via the passwd command. Please ensure any other\n accounts have strong passwords set.\");\n\n script_tag(name:\"summary\", value:\"The Shiva LanRover has no password set for the\n root user account.\");\n\n script_tag(name:\"impact\", value:\"An attacker is able to telnet to this system and\n gain access to any phone lines attached to this device. Additionally, the LanRover\n can be used as a relay point for further attacks via the telnet and rlogin functionality\n available from the administration shell.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n exit(0);\n}\n\ninclude(\"telnet_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"dump.inc\");\n\nport = 23;\nif(!get_port_state(port))exit(0);\n\nbanner = telnet_get_banner(port:port);\nif ( ! banner || \"@ Userid:\" >!< banner ) exit(0);\n\nsoc = open_sock_tcp(port);\nif(soc)\n{\n r = telnet_negotiate(socket:soc);\n\n if(\"@ Userid:\" >< r)\n {\n send(socket:soc, data:string(\"root\\r\\n\"));\n r = recv(socket:soc, length:4096);\n\n if(\"Password?\" >< r)\n {\n send(socket:soc, data:string(\"\\r\\n\"));\n r = recv(socket:soc, length:4096);\n\n if (\"Shiva LanRover\" >< r)\n {\n security_message(port:port);\n }\n }\n }\n close(soc);\n}", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-12-08T11:44:09", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "description": "The PC Anywhere service does not require a password to access\nthe desktop of this system. If this machine is running Windows 95,\n98, or ME, gaining full control of the machine is trivial. If\nthis system is running NT or 2000 and is currently logged out, an\nattacker can still spy on and hijack a legitimate user's session when\nthey login.", "modified": "2017-12-07T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:10798", "href": "http://plugins.openvas.org/nasl.php?oid=10798", "type": "openvas", "title": "Unprotected PC Anywhere Service", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: DDI_Unprotected_PCanywhere.nasl 8023 2017-12-07 08:36:26Z teissa $\n# Description: Unprotected PC Anywhere Service\n#\n# Authors:\n# H D Moore\n#\n# Copyright:\n# Copyright (C) 2002 Digital Defense Incorporated\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"The PC Anywhere service does not require a password to access\nthe desktop of this system. If this machine is running Windows 95,\n98, or ME, gaining full control of the machine is trivial. If\nthis system is running NT or 2000 and is currently logged out, an\nattacker can still spy on and hijack a legitimate user's session when\nthey login.\";\n\ntag_solution = \"1. Open the PC Anywhere application as an Administrator. \n2. Right click on the Host object you are using and select Properties.\n3. Select the Caller Access tab. \n4. Switch the authentication type to Windows or PC Anywhere.\n5. If you are using PC Anywhere authentication, set a strong password.\";\n\nif(description)\n{\n script_id(10798);\n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-1999-0508\");\n name = \"Unprotected PC Anywhere Service\";\n script_name(name);\n\n\n \n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_active\");\n \n script_copyright(\"This script is Copyright (C) 2002 Digital Defense Incorporated\");\n family = \"General\";\n script_family(family);\n script_dependencies(\"find_service.nasl\", \"PC_anywhere_tcp.nasl\");\n script_require_ports(\"Services/pcanywheredata\", 5631);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ndebug = 0;\n\ncl[0] = raw_string (0x00, 0x00, 0x00, 0x00);\nsv[0] = \"nter\";\n\ncl[1] = raw_string (0x6f, 0x06, 0xff);\nsv[1] = raw_string (0x1b, 0x61);\n\ncl[2] = raw_string (0x6f, 0x61, 0x00, 0x09, 0x00, 0xfe, 0x00,\n 0x00, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00);\n \nsv[2] = raw_string (0x1b, 0x62);\n\ncl[3] = raw_string (0x6f, 0x62, 0x01, 0x02, 0x00, 0x00, 0x00); \nsv[3] = raw_string (0x65, 0x6e);\n\ncl[4] = raw_string(0x6f, 0x49, 0x00, 0x4c, 0x20, 0x20, 0x20, 0x20,\n 0x20, 0x20, 0x20, 0x20, 0x20, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x09, 0xff, 0x05, 0x00, 0x00, 0x00,\n 0x60, 0x24, 0x00, 0x09, 0x00, 0x00, 0x00, 0x06,\n 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,\n 0x41, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x31);\nsv[4] = raw_string(0x1b, 0x16);\n\ncl[5] = raw_string(0x6f, 0x73, 0x02, 0x01, 0x00, 0x02);\nsv[5] = \"Service Pack\";\n\nport = get_kb_item(\"Services/pcanywheredata\");\nif(!port)port = 5631;\n\nif(get_port_state(port))\n{\n soc = open_sock_tcp(port);\n if(soc)\n {\n\n for(d=0;cl[d];d=d+1)\n {\n if(debug)display(\":: entering level \", d, \"\\n\");\n send(socket:soc, data:cl[d]);\n r = recv(socket:soc, length:2048);\n\t if(!r)exit(0);\n \n # no minimum encryption level set\n if(d == 2)\n {\n if((\"Reducing\" >< r) && (\"encryption\" >< r))\n {\n if(debug)display(\"Warning: no minimum encryption level set.\\n\");\n }\n if((\"denying\" >< r) && (\"cannot connect at level\" >< r))\n {\n if(debug)display(\"Warning: plugin exiting because a minimum encryption level has been set.\\n\");\n exit(0); \n }\n }\n \n # user authentication\n if(d == 3)\n {\n if((\"Enter user name\" >< r) || (\"Enter login name\" >< r))\n {\n if(debug)display(\"Warning: plugin exiting because user authentication needed.\\n\");\n exit(0); \n }\n }\n \n if(! sv[d] >< r)\n {\n \n close(soc);\n if(debug)display(\"exiting at level \", d, \"\\n\");\n exit(0);\n }\n }\n security_message(port:port);\n\tclose(soc);\n }\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-09-29T14:08:57", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "description": "The Allied Telesyn Router/Switch has the default password set.\n\nThe attacker could use this default password to gain remote access\nto your switch or router. This password could also be potentially used to\ngain other sensitive information about your network from the device.", "modified": "2017-09-26T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:18413", "href": "http://plugins.openvas.org/nasl.php?oid=18413", "type": "openvas", "title": "Allied Telesyn Router/Switch Web interface found with default password", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: Allied_Telesyn_web.nasl 7275 2017-09-26 11:46:31Z cfischer $\n# Description: Allied Telesyn Router/Switch Web interface found with default password\n#\n# Authors:\n# Charles Thier <cthier@thethiers.net>\n# This script was based off of Renaud Deraison's script \n# 11522 Linksys Router default password script.\n#\n# Copyright:\n# Copyright (C) 2005 Charles Thier\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"The Allied Telesyn Router/Switch has the default password set.\n\nThe attacker could use this default password to gain remote access\nto your switch or router. This password could also be potentially used to\ngain other sensitive information about your network from the device.\";\n\ntag_solution = \"Connect to this Router/Switch and change the default password.\";\n\nif(description)\n{\n script_id(18413);\n script_version(\"$Revision: 7275 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-09-26 13:46:31 +0200 (Tue, 26 Sep 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-1999-0508\");\n script_name(\"Allied Telesyn Router/Switch Web interface found with default password\");\n \n \n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n \n script_copyright(\"This script is Copyright (C) 2005 Charles Thier\");\n script_family(\"Default Accounts\");\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_mandatory_keys(\"ATR-HTTP/banner\");\n script_require_ports(\"Services/www\", 80);\n\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n\n#\n# The script code starts here\n#\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\n\nport = get_http_port(default:80);\nif(!get_port_state(port))exit(0);\n\nbanner = get_http_banner (port:port);\nif (!banner || (\"Server: ATR-HTTP-Server\" >!< banner))\n exit(0);\n\nurl = \"/\";\nres = http_get_cache(item:url, port:port);\nif ( res == NULL ) exit(0);\nif ( egrep ( pattern:\"^HTTP/.* 401 .*\", string:res ) )\n{\n # nb: Just for the request below\n req = http_get(item:url, port:port);\n req -= string(\"\\r\\n\\r\\n\");\n# Credentials manager:friend\n req += string(\"\\r\\nAuthorization: Basic bWFuYWdlcjpmcmllbmQ=\\r\\n\\r\\n\");\n res = http_keepalive_send_recv(port:port, data:req);\n if (res == NULL ) exit(0);\n if ( egrep ( pattern:\"^HTTP/.* 200 .*\", string:res) )\n\tsecurity_message(port);\n}\n\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-06-11T15:22:33", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "description": "The remote host appears to be an Bay Networks Accelar 1200 Switch with\n its default password set.", "modified": "2020-06-09T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231018415", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231018415", "type": "openvas", "title": "Bay Networks Accelar 1200 Switch found with default password", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Bay Networks Accelar 1200 Switch found with default password\n#\n# Authors:\n# Charles Thier <cthier@thethiers.net>\n#\n# Copyright:\n# Copyright (C) 2005 Charles Thier\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.18415\");\n script_version(\"2020-06-09T14:44:58+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 14:44:58 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-1999-0508\");\n script_name(\"Bay Networks Accelar 1200 Switch found with default password\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2005 Charles Thier\");\n script_family(\"Default Accounts\");\n script_dependencies(\"telnetserver_detect_type_nd_version.nasl\", \"gb_default_credentials_options.nasl\");\n script_require_ports(23); # the port can't be changed on the device\n script_mandatory_keys(\"telnet/bay_networks/accelar_1200/detected\");\n script_exclude_keys(\"default_credentials/disable_default_account_checks\");\n\n script_add_preference(name:\"Use complete password list (not only vendor specific passwords)\", type:\"checkbox\", value:\"no\");\n\n script_tag(name:\"solution\", value:\"Telnet to this switch and change the default password.\");\n\n script_tag(name:\"summary\", value:\"The remote host appears to be an Bay Networks Accelar 1200 Switch with\n its default password set.\");\n\n script_tag(name:\"impact\", value:\"The attacker could use this default password to gain remote access\n to your switch. This password could also be potentially used to\n gain other sensitive information about your network from the switch.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"telnet_func.inc\");\ninclude(\"default_credentials.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"dump.inc\");\n\n# If optimize_test = no\nif( get_kb_item( \"default_credentials/disable_default_account_checks\" ) ) exit( 0 );\n\nport = 23; # the port can't be changed on the device\nif( ! get_port_state( port ) )\n exit( 0 );\n\nbanner = telnet_get_banner( port:port );\nif( ! banner || \"Accelar 1200\" >!< banner )\n exit( 0 );\n\np = script_get_preference( \"Use complete password list (not only vendor specific passwords)\" );\nif( \"yes\" >< p ) {\n clist = try();\n} else {\n clist = try(vendor:\"accelar\");\n}\nif( ! clist ) exit( 0 );\n\nforeach credential( clist ) {\n\n # Handling of user uploaded credentials which requires to escape a ';' or ':'\n # in the user/password so it doesn't interfere with our splitting below.\n credential = str_replace( string:credential, find:\"\\;\", replace:\"#sem_legacy#\" );\n credential = str_replace( string:credential, find:\"\\:\", replace:\"#sem_new#\" );\n\n user_pass = split( credential, sep:\":\", keep:FALSE );\n if( isnull( user_pass[0] ) || isnull( user_pass[1] ) ) {\n # nb: ';' was used pre r9566 but was changed to ':' as a separator as the\n # GSA is stripping ';' from the NVT description. Keeping both in here\n # for backwards compatibility with older scan configs.\n user_pass = split( credential, sep:\";\", keep:FALSE );\n if( isnull( user_pass[0] ) || isnull( user_pass[1] ) )\n continue;\n }\n\n user = chomp( user_pass[0] );\n pass = chomp( user_pass[1] );\n\n user = str_replace( string:user, find:\"#sem_legacy#\", replace:\";\" );\n pass = str_replace( string:pass, find:\"#sem_legacy#\", replace:\";\" );\n user = str_replace( string:user, find:\"#sem_new#\", replace:\":\" );\n pass = str_replace( string:pass, find:\"#sem_new#\", replace:\":\" );\n\n if( tolower( pass ) == \"none\" ) pass = \"\";\n\n soc = open_sock_tcp( port );\n if( ! soc ) continue;\n\n answer = recv( socket:soc, length:4096 );\n if( \"ogin:\" >< answer ) {\n send( socket:soc, data:string( user, \"\\r\\n\" ) );\n answer = recv( socket:soc, length:4096 );\n send( socket:soc, data:string( pass, \"\\r\\n\" ) );\n answer = recv( socket:soc, length:4096 );\n\n if( \"Accelar-1200\" >< answer ) {\n security_message( port:port, data:\"It was possible to login with the credentials '\" + user + \":\" + pass + \"'.\" );\n }\n }\n close( soc );\n}\n\nexit( 0 );\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-15T15:06:54", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "description": "This host appears to be the running the Apache Tomcat\n Servlet engine with the default accounts still configured.", "modified": "2020-05-11T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231011204", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231011204", "type": "openvas", "title": "Apache Tomcat Default Account (HTTP)", "sourceData": "# Copyright (C) 2003 Digital Defense Inc.\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:apache:tomcat\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.11204\");\n script_version(\"2020-05-11T13:25:52+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-11 13:25:52 +0000 (Mon, 11 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-1999-0508\");\n script_name(\"Apache Tomcat Default Account (HTTP)\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2003 Digital Defense Inc.\");\n script_family(\"Default Accounts\");\n script_dependencies(\"gb_apache_tomcat_consolidation.nasl\", \"gb_default_credentials_options.nasl\");\n script_require_ports(\"Services/www\", 8080);\n script_mandatory_keys(\"apache/tomcat/http/detected\");\n script_exclude_keys(\"default_credentials/disable_default_account_checks\");\n\n script_tag(name:\"solution\", value:\"Change the default passwords by editing the\n admin-users.xml file located in the /conf/users subdirectory of the Tomcat installation.\");\n\n script_tag(name:\"summary\", value:\"This host appears to be the running the Apache Tomcat\n Servlet engine with the default accounts still configured.\");\n\n script_tag(name:\"impact\", value:\"A potential intruder could reconfigure this service in a way\n that grants system access.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\nif(get_kb_item(\"default_credentials/disable_default_account_checks\"))\n exit(0);\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE, service:\"www\" ) )\n exit( 0 );\n\nif( ! get_app_location( cpe:CPE, port:port ) )\n exit( 0 );\n\n#list of default acnts base64()'d\nauth[0] = \"YWRtaW46Y2hhbmdldGhpcw==\\r\\n\\r\\n\";\nreal_auth[0] = \"admin:tomcat\";\nauth[1] = \"YWRtaW46dG9tY2F0Cg==\\r\\n\\r\\n\";\nreal_auth[1] = \"admin:admin\";\nauth[2] = \"YWRtaW46YWRtaW4K\\r\\n\\r\\n\";\nreal_auth[2] = \"tomcat:tomcat\";\nauth[3] = \"dG9tY2F0OnRvbWNhdAo=\\r\\n\\r\\n\";\nreal_auth[3] = \"admin:tomcat\";\nauth[4] = \"cm9vdDpyb290Cg==\\r\\n\\r\\n\";\nreal_auth[4] = \"root:root\";\nauth[5] = \"cm9sZTE6cm9sZTEK\\r\\n\\r\\n\";\nreal_auth[5] = \"role1:role1\";\nauth[6] = \"cm9sZTpjaGFuZ2V0aGlzCg==\\r\\n\\r\\n\";\nreal_auth[6] = \"role:changethis\";\nauth[7] = \"cm9vdDpjaGFuZ2V0aGlzCg==\\r\\n\\r\\n\";\nreal_auth[7] = \"root:changethis\";\nauth[8] = \"dG9tY2F0OmNoYW5nZXRoaXMK\\r\\n\\r\\n\";\nreal_auth[8] = \"tomcat:changethis\";\nauth[9] = \"eGFtcHA6eGFtcHA=\\r\\n\\r\\n\";\nreal_auth[9] = \"xampp:xampp\";\n\nurl = \"/admin/contextAdmin/contextList.jsp\";\n\nbasereq = http_get( item:url, port:port );\nbasereq = basereq - \"\\r\\n\\r\\n\";\n\nauthBasic = \"Authorization: Basic \";\n\ni = 0;\nfound = 0;\nreport = \"\";\n\nreq = http_get( item:url, port:port );\nbuf = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n\nif( ! ereg( pattern:\"^HTTP/1\\.[01] 401 \", string:buf ) )\n exit( 0 );\n\nif( \"<title>Context list</title>\" >< buf || \"<title>Context Admin</title>\" >< buf )\n exit( 0 );\n\nwhile( auth[i] ) {\n\n t0 = basereq;\n t1 = authBasic;\n t1 = t1 + auth[i];\n t0 = t0 + t1;\n\n buf = http_keepalive_send_recv( port:port, data:t0, bodyonly:FALSE );\n\n if( \"<title>Context list</title>\" >< buf || \"<title>Context Admin</title>\" >< buf ) {\n found++;\n if( found == 1 ) {\n accounts = \"The following accounts were discovered: \\n\" + real_auth[i] + \"\\n\";\n } else {\n accounts = accounts + real_auth[i] + \"\\n\";\n }\n }\n i++;\n}\n\nif( found ) {\n report = http_report_vuln_url( port:port, url:url );\n report += '\\n\\n' + accounts;\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-08T08:39:55", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "description": "This AirConnect wireless access point still has the\n default password set for the web interface.", "modified": "2020-05-05T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231010961", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010961", "type": "openvas", "title": "AirConnect Default Password", "sourceData": "# OpenVAS Vulnerability Test\n# Description: AirConnect Default Password\n#\n# Authors:\n# H D Moore\n#\n# Copyright:\n# Copyright (C) 2002 Digital Defense Inc.\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10961\");\n script_version(\"2020-05-05T09:44:01+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-05 09:44:01 +0000 (Tue, 05 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-1999-0508\");\n script_name(\"AirConnect Default Password\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2002 Digital Defense Inc.\");\n script_family(\"Default Accounts\");\n script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"gb_default_credentials_options.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\", \"default_credentials/disable_default_account_checks\");\n\n script_tag(name:\"solution\", value:\"Change the password to something difficult to\n guess via the web interface.\");\n\n script_tag(name:\"summary\", value:\"This AirConnect wireless access point still has the\n default password set for the web interface.\");\n\n script_tag(name:\"impact\", value:\"This could be abused by an attacker to gain full control\n over the wireless network settings.\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n exit(0);\n}\n\nif(get_kb_item(\"default_credentials/disable_default_account_checks\"))\n exit(0);\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nport = http_get_port(default:80);\n\nurl = \"/\";\nreq = http_get_req(port:port, url:url, add_headers:make_array(\"Authorization\", \"Basic Y29tY29tY29tOmNvbWNvbWNvbQ==\"));\nres = http_keepalive_send_recv(data:req, port:port);\nif(!res)\n exit(0);\n\nif(\"SecuritySetup.htm\" >< res) {\n report = http_report_vuln_url(port:port, url:url);\n security_message(port:port, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-12-08T11:44:03", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0508"], "description": "This system appears to be running the Enhydra application\nserver configured with the default administrator password\nof 'enhydra'. A potential intruder could reconfigure this \nservice and use it to obtain full access to the system.", "modified": "2017-12-07T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:11202", "href": "http://plugins.openvas.org/nasl.php?oid=11202", "type": "openvas", "title": "Enhydra Multiserver Default Password", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: DDI_Enhydra_Default.nasl 8023 2017-12-07 08:36:26Z teissa $\n# Description: Enhydra Multiserver Default Password\n#\n# Authors:\n# H D Moore <hdmoore@digitaldefense.net>\n#\n# Copyright:\n# Copyright (C) 2003 Digital Defense Inc.\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"This system appears to be running the Enhydra application\nserver configured with the default administrator password\nof 'enhydra'. A potential intruder could reconfigure this \nservice and use it to obtain full access to the system.\";\n\ntag_solution = \"Please set a strong password of the 'admin' account.\";\n\nif(description)\n{\n script_id(11202);\n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-1999-0508\");\n\n name = \"Enhydra Multiserver Default Password\";\n script_name(name);\n\n\n\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n script_copyright(\"This script is Copyright (C) 2003 Digital Defense Inc.\");\n family = \"General\";\n script_family(family);\n\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_mandatory_keys(\"Enhydra/banner\");\n script_require_ports(\"Services/www\", 8001);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\nport = get_http_port(default:8001);\nif ( ! port ) exit(0);\n\nbanner = get_http_banner(port:port);\nif ( ! banner || \"Enhydra\" >!< banner ) exit(0);\n\nif(get_port_state(port))\n {\n req = http_get(item:\"/Admin.po?proceed=yes\", port:port);\n req = req - string(\"\\r\\n\\r\\n\");\n req = string(req, \"\\r\\nAuthorization: Basic YWRtaW46ZW5oeWRyYQ==\\r\\n\\r\\n\");\n buf = http_keepalive_send_recv(port:port, data:req);\n if(\"Enhydra Multiserver Administration\" >< buf)\n {\n security_message(port);\n } \n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}