CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:N/A:N
EPSS
Percentile
96.4%
The remote host is running the rstatd RPC service. This service provides information such as the CPU usage, the system uptime and the network usage.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Plugin registration block: runs only when the engine loads the script for
# its metadata (description is set), then exits without touching the target.
if (description)
{
script_id(10227);
script_version("1.34");
script_cvs_date("Date: 2019/10/04 16:48:26");
script_cve_id("CVE-1999-0624");
script_name(english:"RPC rstatd Service Detection");
script_summary(english:"Checks the presence of a RPC service");
script_set_attribute(attribute:"synopsis", value:
"It is possible to leak information about the remote server.");
script_set_attribute(attribute:"description", value:
"The remote host is running the rstatd RPC service. This service provides
information such as :
- the CPU usage
- the system uptime
- the network usage");
script_set_attribute(attribute:"solution", value:
"Disable this service if it is not needed.");
# NOTE(review): both vectors set C/I/A to None, while the synopsis above
# describes an information leak. Any severity derived from these vectors will
# not reflect that exposure, so triage on the finding text, not the score.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:N");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-1999-0624");
script_set_attribute(attribute:"plugin_publication_date", value:"1999/08/19");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
# Information-gathering category: the check below sends one RPC request and
# reads the reply.
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
script_family(english:"RPC");
# Requires the portmapper plugin to have run first and set rpc/portmap;
# presumably that is the data get_rpc_port2() consults below - confirm.
script_dependencie("rpc_portmap.nasl");
script_require_keys("rpc/portmap");
exit(0);
}
#
# The script code starts here
#
include ("misc_func.inc");
include ("sunrpc_func.inc");
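# Lookup tables used by convert_unixtime(): weekday names indexed by
# clock["wday"], month names indexed by clock["mon"] - 1.
days = make_list('Sun','Mon','Tue','Wed','Thu','Fri','Sat');
months = make_list('Jan','Feb','Mar','Apr','May','Jun','Jul','Aug','Sep','Oct','Nov','Dec');

##
# Converts a Unix timestamp to a human-readable string in the scanner's
# local time, formatted as "<wday> <mon> <dd>, <year> <hh>:<mm>:<ss>".
#
# The single anonymous argument is the timestamp in seconds. In this script
# it is decoded from the remote rstatd reply, so it is range-checked before
# it reaches localtime().
#
# @return the formatted string, or NULL when the argument is missing,
#         negative, or not below 2147483647.
##
function convert_unixtime()
{
  local_var timestamp, clock, ret;

  timestamp = _FCT_ANON_ARGS[0];
  if (isnull(timestamp)) return NULL;

  # Remote-supplied value: accept only the non-negative signed 32-bit range.
  if ( timestamp < 0 || timestamp >= 2147483647 ) return NULL;

  clock = localtime(timestamp);

  ret = strcat(days[clock["wday"]], " ", months[clock["mon"] - 1], " ");

  # Zero-pad the day of month. The pad must sit directly in front of the day;
  # the previous code appended it before the month name ("Sun 0Jan 6, ...").
  if ( clock["mday"] < 10 ) ret = strcat(ret, "0");
  ret = strcat(ret, clock["mday"], ", ", clock["year"], " ");

  # Two-digit hour, minute and second fields.
  if ( clock["hour"] < 10 ) ret = strcat(ret, "0");
  ret = strcat(ret, clock["hour"], ":");

  if ( clock["min"] < 10 ) ret = strcat(ret, "0");
  ret = strcat(ret, clock["min"], ":");

  if ( clock["sec"] < 10 ) ret = strcat(ret, "0");
  ret = strcat(ret, clock["sec"]);

  return ret;
}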
##
# Formats a duration given in seconds as "<hours>h <minutes>m <seconds>s".
# Hours are not wrapped into days; all arithmetic is integer arithmetic.
#
# @param sec duration in seconds
# @return the formatted string
##
function uptime (sec)
{
  local_var hours, minutes, seconds;

  hours   = sec / 3600;
  minutes = (sec / 60) % 60;
  seconds = sec % 60;

  return string (hours, "h ", minutes, "m ", seconds, "s");
}
# Main check: find the port registered for RPC program 100001 (the rstatd
# service this plugin detects), send one statistics request, decode the
# fixed-size reply and attach the decoded values to an informational finding.
RPC_PROG = 100001;
tcp = 0;
# Prefer the UDP registration; TCP is tried only when no UDP port is known.
port = get_rpc_port2(program:RPC_PROG, protocol:IPPROTO_UDP);
if (!port)
{
port = get_rpc_port2(program:RPC_PROG, protocol:IPPROTO_TCP);
tcp = 1;
}
if(port)
{
if(tcp)
{
if (! get_tcp_port_state(port)) exit(0, "TCP port "+port+" is not open.");
soc = open_sock_tcp (port);
if (!soc) exit(1, "Failed to open a socket on port "+port+".");
udp = FALSE;
}
else
{
if (! get_udp_port_state(port)) exit(0, "UDP port "+port+" is not open.");
soc = open_sock_udp (port);
if (!soc) exit(1, "Failed to open a socket on UDP port "+port+".");
udp = TRUE;
}
# Request: program version 3, procedure 1, no arguments and no credentials
# set here - whatever the service answers is what an unauthenticated network
# client can read.
data = NULL;
packet = rpc_packet (prog:RPC_PROG, vers:3, proc:0x01, data:data, udp:udp);
data = rpc_sendrecv (socket:soc, packet:packet, udp:udp);
# The reply is remote-controlled. Every getdword() below reads at a fixed
# offset, the highest being 100, so this exact-length test (104 bytes,
# assuming getdword reads 4 bytes) is the only bounds check and must stay
# ahead of all parsing.
if (isnull(data) || (strlen(data) != 104))
exit(1, "Unexpected response received on port "+port+".");
# Load averages arrive as integers scaled by 256; convert each to a string
# with two decimal places, rounding on the third decimal and carrying upward.
# NOTE(review): the *1000 multiplication runs on a remote-supplied value; if
# integers are 32-bit here, a very large value would wrap and print a
# nonsensical average. Output only - confirm.
avgload[0] = getdword(blob:data, pos:72);
avgload[1] = getdword(blob:data, pos:76);
avgload[2] = getdword(blob:data, pos:80);
for (i = 0; i < max_index(avgload); i++)
{
whole = avgload[i] / 256;
tens = avgload[i] * 10 / 256 % 10;
hundreds = avgload[i] * 100 / 256 % 10;
thousands = avgload[i] * 1000 / 256 % 10;
if (thousands >= 5) hundreds++;
if (hundreds == 10)
{
hundreds = 0;
tens++;
}
if (tens == 10)
{
tens = 0;
whole++;
}
avgload[i] = string(whole, '.', tens, hundreds);
}
# Build the report. Only integers decoded from the reply and strings
# formatted locally are included; no raw reply bytes are copied in.
# Uptime is the dword at offset 92 (also shown as "local time") minus the
# dword at offset 84, presumably the boot time - confirm. The difference is
# not validated, so a reply with the second value larger prints a negative
# uptime.
report = string (
"\n",
"uptime: ", uptime(sec:getdword(blob:data, pos:92) - getdword(blob:data, pos:84)),
"\n",
"local time: ", convert_unixtime(getdword(blob:data, pos:92)), "\n",
"cpu usage: ",
"user ", getdword(blob:data,pos:0), ", ",
"nice ", getdword(blob:data,pos:4), ", ",
"system ", getdword(blob:data,pos:8), ", ",
"idle ", getdword(blob:data,pos:12),
"\n",
"load average: ", join(avgload, sep:', '), "\n",
"interrupts: ", getdword(blob:data, pos:48), "\n",
"context switches: ", getdword(blob:data, pos:68), "\n",
"disk transfer: ",
"d1 ", getdword(blob:data,pos:16), ", ",
"d2 ", getdword(blob:data,pos:20), ", ",
"d3 ", getdword(blob:data,pos:24), ", ",
"d4 ", getdword(blob:data,pos:28),
"\n",
"memory: ",
"pagein ", getdword(blob:data,pos:32), ", ",
"pageout ", getdword(blob:data,pos:36), ", ",
"swapin ", getdword(blob:data,pos:40), ", ",
"swapout ", getdword(blob:data,pos:44),
"\n",
"networking: ",
"rx packets ", getdword(blob:data,pos:52), ", ",
"rx errors ", getdword(blob:data,pos:56), ", ",
"tx packets ", getdword(blob:data,pos:100), ", ",
"tx errors ", getdword(blob:data,pos:60), ", ",
"collisions ", getdword(blob:data,pos:64),
"\n"
);
# Report on the transport that answered, so the finding names the listener
# an administrator needs to disable or filter.
if (tcp)
security_note(port:port, extra:report);
else
security_note(port:port, protocol:"udp", extra:report);
}