Lucene search
+L

X Display Manager Control Protocol (XDMCP) Detection

🗓️ 03 Nov 2005 00:00:00Reported by Copyright (C) 2005 Pasi EronenType 
openvas
 openvas
🔗 plugins.openvas.org👁 171 Views

XDMCP protocol detected with plaintext credential transmissio

Code
# SPDX-FileCopyrightText: 2005 Pasi Eronen
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.10891");
  script_version("2023-08-01T13:29:10+0000");
  script_tag(name:"last_modification", value:"2023-08-01 13:29:10 +0000 (Tue, 01 Aug 2023)");
  script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
  script_tag(name:"cvss_base", value:"0.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:N");
  script_name("X Display Manager Control Protocol (XDMCP) Detection");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2005 Pasi Eronen");
  script_family("Service detection");
  script_require_udp_ports(177);

  script_tag(name:"solution", value:"XDMCP should either be disabled or limited in the machines which
  may access the service.");

  script_tag(name:"summary", value:"The XDMCP service is running on the remote host.");

  script_tag(name:"insight", value:"The login and password for XDMCP is transmitted in plaintext.

  This makes the system vulnerable to Man-in-the-middle attacks, making it easy
  for an attacker to steal the credentials of a legitimate user by impersonating
  the XDMCP server. In addition to this, since XDMCP is not a ciphered protocol,
  an attacker has an easier time capturing the keystrokes entered by the user.");

  script_tag(name:"qod_type", value:"remote_active");

  exit(0);
}

port = 177;

if( ! get_udp_port_state( port ) )
  exit( 0 );

soc = open_sock_udp( port );
if( ! soc )
  exit( 0 );

# this magic info request packet
req = raw_string( 0x00, 0x01, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00 );
send( socket:soc, data:req );
result = recv( socket:soc, length:1000 );
close( soc );
if( result && ( result[0] == raw_string( 0x00 ) ) &&
              ( result[1] == raw_string( 0x01 ) ) &&
              ( result[2] == raw_string(0x00 ) ) ) {
  log_message( port:port, protocol:"udp" );
}

exit( 0 );

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation