ID OPENVAS:1361412562310103798 Type openvas Reporter Copyright (C) 2013 Greenbone Networks GmbH Modified 2020-01-28T00:00:00
Description
It was possible to log in to the remote PostgreSQL server as user postgres without using a password.
###############################################################################
# OpenVAS Vulnerability Test
#
# PostgreSQL no password
#
# Authors:
# Michael Meyer <michael.meyer@greenbone.net>
#
# Copyright:
# Copyright (C) 2013 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# CPE string handed to get_app_port() / get_app_location() at the bottom of the script.
CPE = "cpe:/a:postgresql:postgresql";
# Registration branch: it only declares the check's metadata and then calls
# exit(0), so none of the network code below runs while `description` is set.
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.103798");
script_version("2020-01-28T13:26:39+0000");
script_tag(name:"last_modification", value:"2020-01-28 13:26:39 +0000 (Tue, 28 Jan 2020)");
script_tag(name:"creation_date", value:"2013-10-07 14:28:02 +0200 (Mon, 07 Oct 2013)");
# Score and vector as assigned by the author; the vector string is in CVSS v2 notation.
script_tag(name:"cvss_base", value:"9.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:P/A:P");
script_name("PostgreSQL no password");
# ACT_ATTACK: check_login() below performs a real login attempt and runs a
# query on the target, so this is an active test rather than a banner check.
script_category(ACT_ATTACK);
script_family("Default Accounts");
script_copyright("Copyright (C) 2013 Greenbone Networks GmbH");
script_dependencies("postgresql_detect.nasl", "gb_default_credentials_options.nasl");
script_require_ports("Services/postgresql", 5432);
# Only scheduled when the "postgresql/detected" KB key is present
# (presumably set by postgresql_detect.nasl - confirm).
script_mandatory_keys("postgresql/detected");
# Not scheduled when default-account checks were switched off; the same key
# is checked again at run time right after this block.
script_exclude_keys("default_credentials/disable_default_account_checks");
# NOTE(review): a passwordless login as "postgres" over the network usually
# points at a `trust` rule in pg_hba.conf matching the scanner's address. In
# that case setting a role password alone does not close the finding; the
# rule also has to be switched to a password-based method (e.g.
# scram-sha-256) and the listener restricted to the networks that need it -
# confirm against the host's configuration.
script_tag(name:"solution", value:"Set a password as soon as possible.");
script_tag(name:"summary", value:"It was possible to login into the remote PostgreSQL as user postgres without using a password.");
# The finding is only reported after check_login() has executed a query on
# the server, which is what the remote_vul quality-of-detection type claims.
script_tag(name:"qod_type", value:"remote_vul");
script_tag(name:"solution_type", value:"Mitigation");
exit(0);
}
# Run-time opt-out: stop before any socket is opened if default-account
# checks are disabled in the knowledge base.
if(get_kb_item("default_credentials/disable_default_account_checks"))
exit(0);
# presumably provides get_app_port() / get_app_location() used below - confirm
include("host_details.inc");
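# Attempts a PostgreSQL protocol 3.0 login as `user` without supplying a
# password and, if the server accepts it, runs "select version();" to confirm
# that the session is really usable.
#
# @param user  role name placed into the StartupMessage
# @param port  TCP port of the PostgreSQL service
#
# @return TRUE if the server answered AuthenticationOk (code 0) and the query
#         response contained both "PostgreSQL" and "SELECT", FALSE otherwise.
#         The whole script exits with exit(0) if the socket cannot be opened
#         or the first reply is not a complete 'R' (Authentication) header.
#
# Changes compared to the previous version:
#  - every variable is declared with local_var (h, null, sql, sqllen and slen
#    used to leak into the global scope; data and code were never used)
#  - the message length announced by the remote service is range-checked
#    before it is used as a recv() size; it is untrusted input
#  - the authentication code is read from its fixed position in the message
#    instead of from an offset relative to the end of the buffer, so the
#    result no longer depends on how many bytes one recv() happened to return
function check_login(user, port) {

  local_var soc, proto, nul, req, len, res, x, auth, sql, sqllen, slen;

  soc = open_sock_tcp(port);
  if (!soc) exit(0);

  # Protocol version 3.0: major 3 and minor 0, each a big-endian 16-bit value.
  proto = raw_string(0x00, 0x03, 0x00, 0x00);
  nul = raw_string(0);

  # StartupMessage payload: NUL-terminated key/value pairs, closed by an
  # extra NUL byte.
  req = string(proto,
               "user", nul, user,
               nul,
               "database", nul, "postgres",
               nul,
               "client_encoding", nul, "UNICODE",
               nul,
               "DateStyle", nul, "ISO",
               nul, nul);

  # The length prefix counts its own four bytes as well as the payload.
  len = strlen(req) + 4;
  req = raw_string((len >> 24) & 0xff, (len >> 16) & 0xff, (len >> 8) & 0xff, len & 0xff) + req;

  send(socket:soc, data:req);

  # First reply byte is the message type; 'R' is an Authentication message.
  res = recv(socket:soc, length:1);
  if (isnull(res) || res[0] != "R") {
    close(soc);
    exit(0);
  }

  res += recv(socket:soc, length:4);
  if (strlen(res) < 5) {
    close(soc);
    exit(0);
  }

  x = substr(res, 1, 4);
  len = (ord(x[0]) << 24) | (ord(x[1]) << 16) | (ord(x[2]) << 8) | ord(x[3]);

  # len is supplied by the remote service. An Authentication message needs at
  # least 8 bytes (length field + code); the upper bound matches the largest
  # read this function performs anyway and keeps a hostile or broken service
  # from dictating the size of the receive buffer.
  if (len < 8 || len > 65535) {
    close(soc);
    return FALSE;
  }

  # Four of the len bytes (the length field itself) have already been read.
  res += recv(socket:soc, length:(len - 4));
  if (strlen(res) < 9) {
    close(soc);
    return FALSE;
  }

  # Bytes 5..8 hold the authentication code; 0 is AuthenticationOk, every
  # other value means the server asked for some form of credential.
  x = substr(res, 5, 8);
  auth = (ord(x[0]) << 24) | (ord(x[1]) << 16) | (ord(x[2]) << 8) | ord(x[3]);
  if (auth != 0) {
    close(soc);
    return FALSE;
  }

  # Discard whatever else the server sent after the authentication reply.
  recv(socket:soc, length:65535);

  # Simple Query message: 'Q', length (4 length bytes + SQL text + NUL), SQL, NUL.
  sql = "select version();";
  sqllen = strlen(sql) + 5;
  slen = raw_string((sqllen >> 24) & 0xff, (sqllen >> 16) & 0xff, (sqllen >> 8) & 0xff, sqllen & 0xff);

  req = raw_string(0x51) + slen + sql + raw_string(0x00);
  send(socket:soc, data:req);

  # 'T' (RowDescription) is the first message of a successful SELECT result.
  res = recv(socket:soc, length:1);
  if (isnull(res) || res[0] != "T") {
    close(soc);
    return FALSE;
  }

  res += recv(socket:soc, length:1024);

  close(soc);

  # Require both the version banner and the command tag before reporting.
  if ("PostgreSQL" >< res && "SELECT" >< res) return TRUE;
  return FALSE;
}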
# Look up the port of the detected PostgreSQL service; without one there is
# nothing to test.
port = get_app_port(cpe:CPE, service:"postgresql");
if(!port)
  exit(0);

# Stop as well when no location is recorded for this CPE on that port.
if(!get_app_location(cpe:CPE, port:port, nofork:TRUE))
  exit(0);

# Passwordless login as "postgres" rejected: finish with exit code 99, the
# convention for "checked, not affected".
if(!check_login(port:port, user:"postgres"))
  exit(99);

# Login and test query succeeded: report the finding on this port.
security_message(port:port);
exit(0);
{"id": "OPENVAS:1361412562310103798", "type": "openvas", "bulletinFamily": "scanner", "title": "PostgreSQL no password", "description": "It was possible to login into the remote PostgreSQL as user postgres without using a password.", "published": "2013-10-07T00:00:00", "modified": "2020-01-28T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103798", "reporter": "Copyright (C) 2013 Greenbone Networks GmbH", "references": [], "cvelist": [], "lastseen": "2020-01-29T20:40:11", "viewCount": 19, "enchantments": {"dependencies": {"references": [], "modified": "2020-01-29T20:40:11", "rev": 2}, "score": {"value": -0.4, "vector": "NONE", "modified": "2020-01-29T20:40:11", "rev": 2}, "vulnersScore": -0.4}, "pluginID": "1361412562310103798", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# PostgreSQL no password\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:postgresql:postgresql\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103798\");\n script_version(\"2020-01-28T13:26:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-28 13:26:39 +0000 (Tue, 28 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2013-10-07 14:28:02 +0200 (Mon, 07 Oct 2013)\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:P/A:P\");\n script_name(\"PostgreSQL no password\");\n script_category(ACT_ATTACK);\n script_family(\"Default Accounts\");\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"postgresql_detect.nasl\", \"gb_default_credentials_options.nasl\");\n script_require_ports(\"Services/postgresql\", 5432);\n script_mandatory_keys(\"postgresql/detected\");\n script_exclude_keys(\"default_credentials/disable_default_account_checks\");\n\n script_tag(name:\"solution\", value:\"Set a password as soon as possible.\");\n\n script_tag(name:\"summary\", value:\"It was possible to login into the remote PostgreSQL as user postgres without using a password.\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n exit(0);\n}\n\nif(get_kb_item(\"default_credentials/disable_default_account_checks\"))\n exit(0);\n\ninclude(\"host_details.inc\");\n\nfunction check_login(user, port) {\n\n local_var soc, req, len, data, res, typ, code, x;\n\n soc = open_sock_tcp(port);\n if (!soc) exit(0);\n\n h = raw_string((0x03 >> 8) & 0xFF, 0x03 & 0xFF,(0x00 >> 8) & 0xFF, 0x00 & 0xFF);\n null = 
raw_string(0);\n\n req = string(h,\n \"user\",null,user,\n null,\n \"database\",null,\"postgres\",\n null,\n \"client_encoding\",null,\"UNICODE\",\n null,\n \"DateStyle\",null,\"ISO\",\n null,null);\n\n len = strlen(req) + 4;\n req = raw_string((len >> 24 ) & 0xff,(len >> 16 ) & 0xff, (len >> 8 ) & 0xff,(len) & 0xff) + req;\n\n send(socket:soc, data:req);\n res = recv(socket:soc, length:1);\n if (isnull(res) || res[0] != \"R\") {\n close(soc);\n exit(0);\n }\n\n res += recv(socket:soc, length:4);\n if (strlen(res) < 5) {\n close(soc);\n exit(0);\n }\n\n x = substr(res, 1, 4);\n\n len = ord(x[0]) << 24 | ord(x[1]) << 16 | ord(x[2]) << 8 | ord(x[3]);\n res += recv(socket:soc, length:len);\n\n if(strlen(res) < len || strlen(res) < 8) {\n close(soc);\n return FALSE;\n }\n\n typ = substr(res, strlen(res)-6,strlen(res)-5);\n typ = ord(typ[1]);\n\n if(typ != 0) {\n close(soc);\n return FALSE;\n }\n\n recv(socket:soc, length:65535);\n\n sql = \"select version();\";\n sqllen = strlen(sql) + 5;\n slen = raw_string((sqllen >> 24 ) & 0xff,(sqllen >> 16 ) & 0xff, (sqllen >> 8 ) & 0xff,(sqllen) & 0xff);\n\n req = raw_string(0x51) + slen + sql + raw_string(0x00);\n send(socket:soc, data:req);\n\n res = recv(socket:soc, length:1);\n\n if(isnull(res) || res[0] != \"T\") {\n close(soc);\n return FALSE;\n }\n\n res += recv(socket:soc, length:1024);\n\n close(soc);\n\n if(\"PostgreSQL\" >< res && \"SELECT\" >< res) return TRUE;\n return FALSE;\n}\n\nif(!port = get_app_port(cpe:CPE, service:\"postgresql\"))\n exit( 0 );\n\nif(!get_app_location(cpe:CPE, port:port, nofork:TRUE))\n exit( 0 );\n\nif(check_login(port:port, user:\"postgres\")) {\n security_message(port:port);\n exit(0);\n}\n\nexit(99);\n", "naslFamily": "Default Accounts", "immutableFields": []}