openvasThis script is Copyright (C) 2006 Justin SeitzOPENVAS:80053
HistoryOct 24, 2008 - 12:00 a.m.

DataWizard FTPXQ Default Accounts

2008-10-2400:00:00
This script is Copyright (C) 2006 Justin Seitz
plugins.openvas.org
7

0.005 Low

EPSS

Percentile

72.6%

The remote FTP server has one or more default test accounts.

Description :

The version of DataWizard FTPXQ that is installed on the remote host
has one or more default accounts set up, which can allow an attacker to
read and/or write arbitrary files on the system.

# OpenVAS Vulnerability Test
# $Id: datawizard_ftpxq_test_accts.nasl 7164 2017-09-18 08:41:02Z cfischer $
# Description: Tries to read a file via FTPXQ.
#
# Authors:
# Justin Seitz <[email protected]>
#
# Copyright:
# Copyright (C) 2006 Justin Seitz
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#

# Report text shared with the metadata block below, which passes these two
# variables to script_tag() as the "summary" and "solution" values.
# The summary is one multi-line literal, so its embedded line breaks are part
# of the text that is registered.
tag_summary = "The remote FTP server has one or more default test accounts. 

Description :

The version of DataWizard FTPXQ that is installed on the remote host
has one or more default accounts setup which can allow an attacker to
read and/or write arbitrary files on the system.";

# Remediation advice attached to the finding.
tag_solution = "Disable or change the password for any unnecessary user accounts.";

# When the `description` flag is set, register the plugin's metadata and exit
# before any of the network code further down is reached.
if (description)
{
  # Identity and revision bookkeeping
  script_id(80053);
  script_version("$Revision: 7164 $");
  script_tag(name:"last_modification", value:"$Date: 2017-09-18 10:41:02 +0200 (Mon, 18 Sep 2017) $");
  script_tag(name:"creation_date", value:"2008-10-24 23:33:44 +0200 (Fri, 24 Oct 2008)");

  # Severity: base score plus the vector it is derived from
  script_tag(name:"cvss_base", value:"6.4");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:N");

  # External references for the issue
  script_cve_id("CVE-2006-5569");
  script_bugtraq_id(20721);
  script_xref(name:"OSVDB", value:"30010");

  script_name("DataWizard FTPXQ Default Accounts");

  script_category(ACT_GATHER_INFO);
  script_tag(name:"qod_type", value:"remote_vul");
  script_copyright("This script is Copyright (C) 2006 Justin Seitz");

  script_family("FTP");

  # Scheduling: depends on FTP server detection, requires an FTP port, and
  # lists KB keys for other FTP server types as exclusions.
  script_dependencies("ftpserver_detect_type_nd_version.nasl");
  script_exclude_keys("ftp/msftpd", "ftp/ncftpd", "ftp/fw1ftpd", "ftp/vxftpd");
  script_require_ports("Services/ftp", 21);

  # Text shown with the finding (variables are defined above this block)
  script_tag(name:"solution", value:tag_solution);
  script_tag(name:"summary", value:tag_summary);
  script_xref(name:"URL", value:"http://attrition.org/pipermail/vim/2006-November/001107.html");

  exit(0);
}

include("global_settings.inc");
include("ftp_func.inc");

#
#	Stop unless the FTP port is open and the banner identifies FtpXQ
#
port = get_kb_item("Services/ftp");
if (!port) {
  # No FTP service recorded in the knowledge base: fall back to port 21
  port = 21;
}
if (!get_port_state(port)) {
  exit(0);
}

# Only continue against servers whose banner contains the product string,
# so other FTP servers are not probed with the default credentials.
banner = get_ftp_banner(port:port);
if (!banner) exit(0);
if ("FtpXQ FTP" >!< banner) exit(0);

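#
#	Try each default account on the FTP control connection. On a successful
#	login, attempt once to fetch a well-known file as evidence of read access,
#	then report every account that was accepted.
#

soc = open_sock_tcp(port);
if(!soc) exit(0);

# Default credential pairs to check; acct[i] is paired with pass[i].
n = 0;
acct[n] = "anonymous";
pass[n] = "";
n++;
acct[n] = "test";
pass[n] = "test";

file = '\\boot.ini';
contents = "";	# file content retrieved as proof of read access, if any
info = "";	# one "login/password" line per accepted account
for (i=0; i<max_index(acct); i++) {
  login = acct[i];
  password = pass[i];

  # NOTE(review): all accounts are tried on the same control connection;
  # confirm the server and ftp_authenticate() handle a second login there.
  if (ftp_authenticate(socket:soc, user:login, pass:password)) {
    info += "  " + login + "/" + password + '\n';

    # The read check is only needed until one account has produced the file.
    if (strlen(contents) == 0) {
      # A failed PASV or data connection no longer ends the script: the
      # accepted login recorded above is itself the finding and must still
      # reach security_message() below. Only the read check is skipped.
      port2 = ftp_pasv(socket:soc);
      if (port2) {
        soc2 = open_sock_tcp(port2, transport:ENCAPS_IP);
        if (soc2) {
          attackreq = string("RETR ", file);
          send(socket:soc, data:string(attackreq, "\r\n"));
          attackres = ftp_recv_line(socket:soc);
          if (egrep(string:attackres, pattern:"^(425|150) ")) {
            attackres2 = ftp_recv_data(socket:soc2);

            # There's a problem if it looks like a boot.ini.
            if ("[boot loader]" >< attackres2)
              contents = attackres2;
          }
          # Release the data connection instead of leaving it open until exit.
          # NOTE(review): any transfer-completion reply stays unread on the
          # control channel; confirm ftp_authenticate() tolerates that when the
          # next account is tried.
          close(soc2);
        }
      }
    }
  }
}

if (info) {
  info = string("The remote version of FTPXQ has the following\n",
    "default accounts enabled :\n\n",
    info);

  # Write access is reported from the advisory, not tested by this script.
  if ("test/test" >< info)
    info = string(info, "\n",
      "Note that the test account reportedly allows write access to the entire\n",
      "filesystem, although OpenVAS did not attempt to verify this.\n");

  if (contents)
    info = string(info, "\n",
      "In addition, OpenVAS was able to use one of the accounts to read ", file, " :\n",
      "\n",
      contents);

  security_message(data:info, port:port);
}
ftp_close(socket:soc);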
