Nessus Report ftp

Jan 31, 2013

Nessus: Introduction and Report Analysis

Name: 呂芳發


Computer Center, National Central University.

Outline

- Introduction to Nessus
- Report analysis
- Risk scoring standards and related vulnerability databases
- Case studies

System vulnerability scanning

- Operating systems and application software on the network contain many vulnerabilities
- Use a tool to discover the system's weak points
- Remediate those weak points to keep the system secure

Nessus: main features

- R. Deraison started a project named Nessus; with the help of many enthusiasts and revisions discussed with the online community, Nessus was first released in April 1998.
- A free-to-download, powerful, well-architected, rapidly updated and very easy-to-use host security auditing scanner.
- Its purpose is to help system administrators find the weak points of their hosts, so that they can correct or protect against them and avoid being attacked by intruders.
- Nessus's extensibility gives scanning room to grow, because detection modes it did not originally have can be added at will. Plugins are the description and audit of each individual security vulnerability, so adding plugins raises the software's auditing capability.

Nessus: main features

- Plugins: users can modify plugins to suit their needs without changing the core program code.
- Frequently updated vulnerability database: the Nessus developers and maintainers check for the latest security vulnerabilities every day.
- Supported platforms include Linux, FreeBSD, Solaris and Windows.

System vulnerability scanning

- Tool: Nessus 3.0.6.1 (http://www.nessus.org/)

Using Nessus (screenshot slides)

Nessus: scan result fields

- Scanned address: the IP of the host currently being scanned and analysed.
- Plugin information: the ID of the weakness; with this ID you can find a more detailed description of the weakness on the Nessus website.
- Vulnerability: the risk level; if the status is "hole", deal with the related security problem immediately.
- Description: explains why this weakness occurs.
- Solution: the fix and recommendations for administrators to resolve the weakness above.

Nessus Report (screenshot slide)

Nessus Report

A Nessus analysis report contains three security levels:

- Notes: from the test result, some system information can be obtained.
- Warning: the test result may affect system security.
- Hole: the test result seriously affects system security.

Common Vulnerability Scoring System (CVSS)

- Vulnerabilities are an important factor in network security. The Common Vulnerability Scoring System (CVSS) is an open standard developed by the US National Infrastructure Advisory Council (NIAC) that product vendors can adopt free of charge.
- It uses a standard mathematical formula to determine the severity of a threat. The factors included in the assessment also cover whether the weakness can be exploited remotely, and whether the attacker needs to log in before the weakness can be exploited.
- Using this standard, vulnerabilities can be scored, which helps us decide the priority for fixing different vulnerabilities.

Common Vulnerability Scoring System (CVSS) (figure slide)

Common Vulnerability Scoring System (CVSS)

- If a vulnerability can be exploited both remotely and locally, the value taken should be the one for remote exploitation.
- The attack complexity value is low / / high.
- Examples of requiring authentication: needing a pre-existing Email or FTP account, etc.

Common Vulnerability Scoring System (CVSS)

BaseScore = round_to_1_decimal(
    10 * AccessVector
       * AccessComplexity
       * Authentication
       * ((ConfImpact * ConfImpactBias)
        + (IntegImpact * IntegImpactBias)
        + (AvailImpact * AvailImpactBias))
)

Common Vulnerability Scoring System (CVSS)

Medium / CVSS Base Score : 5
(AV:R/AC:L/Au:NR/C:P/A:N/I:P/B:N)

The impact of this vulnerability is Medium and its CVSS base score is 5; the value taken for each component is tabulated below:

----------------------------------------------------
BASE METRIC              EVALUATION       SCORE
----------------------------------------------------
Access Vector            [Remote]         (1.00)
Access Complexity        [Low]            (1.00)
Authentication           [Not-Required]   (1.00)
Confidentiality Impact   [Partial]        (0.70)
Integrity Impact         [Partial]        (0.70)
Availability Impact      [None]           (0.00)
Impact Bias              [Normal]         (0.333)
----------------------------------------------------
BASE FORMULA                              BASE SCORE
----------------------------------------------------
round(10 * 1.0 * 1.0 * 1.0 * ((0.7 * 0.333) + (0.7 * 0.333) + (0.0 * 0.333))) == (4.66)
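Added example (not from the slides): the deck's base formula written as a small calculator that parses the vector notation used on this and the later report slides. The slides list only the weights used in their worked example (Remote 1.00, Low 1.00, Not-Required 1.00, Partial 0.70, None 0.00, Normal bias 0.333); the remaining weights (Local, High, Required, Complete and the weighted biases) are the CVSS v1 values.

```python
# Added example, not from the slides: the deck's CVSS v1 base formula as a
# calculator for the vector notation shown on the report slides, e.g.
# "(AV:R/AC:L/Au:NR/C:P/A:N/I:P/B:N)". Weights the slides do not list
# (Local, High, Required, Complete, weighted biases) are CVSS v1 values.

ACCESS_VECTOR = {"L": 0.7, "R": 1.0}        # Local / Remote
ACCESS_COMPLEXITY = {"H": 0.6, "L": 1.0}    # High / Low
AUTHENTICATION = {"R": 0.6, "NR": 1.0}      # Required / Not-Required
IMPACT = {"N": 0.0, "P": 0.7, "C": 1.0}     # None / Partial / Complete
# Impact bias -> (ConfImpactBias, IntegImpactBias, AvailImpactBias)
BIAS = {
    "N": (0.333, 0.333, 0.333),  # Normal: all three weighted equally
    "C": (0.5, 0.25, 0.25),      # Confidentiality weighted
    "I": (0.25, 0.5, 0.25),      # Integrity weighted
    "A": (0.25, 0.25, 0.5),      # Availability weighted
}
REQUIRED = {"AV", "AC", "Au", "C", "I", "A", "B"}


def parse_vector(vector: str) -> dict:
    """'(AV:R/AC:L/Au:NR/C:P/A:N/I:P/B:N)' -> {'AV': 'R', 'AC': 'L', ...}."""
    body = vector.strip().strip("()")
    metrics = {}
    for part in body.split("/"):
        name, _, value = part.partition(":")
        if not value:
            raise ValueError(f"malformed metric {part!r}")
        metrics[name] = value
    missing = REQUIRED - metrics.keys()
    if missing:
        raise ValueError(f"vector lacks metrics: {sorted(missing)}")
    return metrics


def base_score(vector: str) -> tuple:
    """Return (unrounded, rounded-to-one-decimal) base score using the deck's
    formula: 10 * AV * AC * Au * (C*Cb + I*Ib + A*Ab)."""
    m = parse_vector(vector)
    try:
        cb, ib, ab = BIAS[m["B"]]
        impact = IMPACT[m["C"]] * cb + IMPACT[m["I"]] * ib + IMPACT[m["A"]] * ab
        raw = (10 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]]
               * AUTHENTICATION[m["Au"]] * impact)
    except KeyError as e:  # e.g. a CVSS2# vector with AV:N
        raise ValueError(f"not a CVSS v1 metric value: {e}") from None
    return raw, round(raw, 1)


if __name__ == "__main__":
    # The two v1 vectors quoted in the deck: the worked example and the MySQL finding.
    for v in ("(AV:R/AC:L/Au:NR/C:P/A:N/I:P/B:N)", "(AV:R/AC:L/Au:NR/C:P/A:P/I:P/B:N)"):
        raw, rounded = base_score(v)
        print(f"{v}: {raw:.3f} -> {rounded}")
```

For the deck's worked vector the function returns 4.662 unrounded and 4.7 rounded to one decimal; the CVSS2# vectors on the later slides use version 2 metrics and are rejected rather than mis-scored.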

IAVs

- IAVA - Information Assurance Vulnerability Alert: alerts of high priority, must be eradicated from the network
- IAVB - bulletins of medium priority, do not pose an immediate threat
- IAVT - technical notes on vulnerabilities, without remediation urgency

CVE

- Common Vulnerabilities and Exposures
- free for public use
- CVE is a dictionary of publicly known information security vulnerabilities and exposures.
- http://cve.mitre.org/data/downloads/allcves.html

OSVDB

- The Open Source Vulnerability Database (OSVDB)
- Classifies the security flaws of Internet-related software for users to look up.
- http://osvdb.org/

Nessus Report

rtsp (554/tcp)

Synopsis :
The remote RTSP (Real Time Streaming Protocol) server is prone to a buffer overflow attack.

Description :
The remote host is running Helix Server or Helix DNA Server, a media streaming server.

The version of the Helix server installed on the remote host reportedly contains a heap overflow that is triggered using an RTSP command with multiple 'Require' headers. An unauthenticated remote attacker can leverage this flaw to execute arbitrary code subject to the privileges under which it operates, by default LOCAL SYSTEM on Windows.

Solution :
Upgrade to Helix Server / Helix DNA Server version 11.1.4 or later.

Risk Factor :
Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Nessus Report

mysql (3306/tcp)

Synopsis :
An unpassworded database server is listening on the remote port.

Description :
The remote host is running MySQL, an open-source database server. It is possible to connect to the remote database using one of the following unpassworded accounts :

- root
- anonymous

This may allow an attacker to launch further attacks against the database.

Solution :
Disable the anonymous account or set a password for the root account.

Risk Factor :
High / CVSS Base Score : 7
(AV:R/AC:L/Au:NR/C:P/A:P/I:P/B:N)

Nessus Report

ftp (21/tcp)

Synopsis :
You seem to be running an FTP server which is vulnerable. An attacker may use this problem to execute arbitrary commands on this host.

Solution : Upgrade your ftp server software to the latest version.

Risk Factor : High

CVE : CVE-2001-0249, CVE-2001-0550
BID : 2550, 3581
Other references : IAVA:2001-b-0004, OSVDB:686, OSVDB:8681
Plugin ID : 10821

Nessus Report (screenshot slides)

Nessus Report

ftp (21/tcp)

The remote FTP server is vulnerable to a SQL injection when it processes the USER command.

An attacker may exploit this flaw to log into the remote host as any user.

Solution : If the remote server is ProFTPd, upgrade to ProFTPD 1.2.10 when available, or switch the SQL backend to PostgreSQL.

Risk Factor : High
BID : 7974
Plugin ID : 11768

Nessus Report

http (80/tcp)

The following URLs seem to be vulnerable to BLIND SQL injection techniques :

/internal/news.php?-=&user_id='+AND+'b'>'a&password=
/internal/news.php?-=&user_id=+AND+1=1&password=
/internal/news.php?-=&user_id=+AND+1=1)&password=
/internal/news.php?-=&user_id=/**/&password=

An attacker may exploit this flaws to bypass authentication or to take the control of the remote database.

Solution : Modify the relevant CGIs so that they properly escape arguments

Risk Factor : High
See Also : http://www.securitydocs.com/library/2651
Plugin ID : 11139

Nessus Report

SQL Injection is SQL commands smuggled in with the data a user enters. In a badly designed program that neglects to check its input, the smuggled commands are mistaken by the database server for legitimate SQL and executed, and so cause damage.

SQL injection can be used to plant malicious programs.
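Added example (not from the slides or from Nessus): the user_id probe from the blind SQL injection slide above, run against a constructed in-memory SQLite table through a query built by string concatenation and through the same query with a bound parameter, together with the true/false differential that tells the two apart; the table, rows and function names are all assumptions made for this example.

```python
# Added example, not from the slides: why the report's user_id probes give a
# blind-injection signal, and how a bound parameter removes it. The table and
# rows are constructed here to stand in for the news.php backend.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one news item owned by user 'alice'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (user_id TEXT, title TEXT)")
    conn.execute("INSERT INTO news VALUES ('alice', 'campus notice')")
    return conn


def count_news_vulnerable(conn: sqlite3.Connection, user_id: str) -> int:
    # The parameter is pasted into the statement text, so a quote inside it
    # closes the literal and whatever follows is parsed as SQL.
    sql = "SELECT COUNT(*) FROM news WHERE user_id='" + user_id + "'"
    return conn.execute(sql).fetchone()[0]


def count_news_safe(conn: sqlite3.Connection, user_id: str) -> int:
    # Bound parameter: the value is sent separately from the statement, so
    # quotes and operators in it are just characters of the string compared.
    sql = "SELECT COUNT(*) FROM news WHERE user_id=?"
    return conn.execute(sql, (user_id,)).fetchone()[0]


def responds_differently(query_fn, conn: sqlite3.Connection, base: str) -> bool:
    """The blind-injection differential the report slide describes: append a
    condition that is always true ('b'>'a') and one that is always false
    ('b'<'a'). Different answers mean the input is being parsed as SQL;
    identical answers (the parameterised query) mean it is treated as data.
    Keep this as a regression test once the CGI has been fixed."""
    true_probe = base + "' AND 'b'>'a"
    false_probe = base + "' AND 'b'<'a"
    return query_fn(conn, true_probe) != query_fn(conn, false_probe)


if __name__ == "__main__":
    db = make_db()
    for fn in (count_news_vulnerable, count_news_safe):
        print(fn.__name__, "parses input as SQL:", responds_differently(fn, db, "alice"))
```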

Nessus Report

http (80/tcp)

The following URLs seem to be vulnerable to various SQL injection techniques :

/doclink/formlink01.asp?-='+OR+'a'<'b&link_cat=校園環保業務相關表單及範例
/doclink/formlink01.asp?-=')+OR+('b'))/*&link_cat=校園環保業務相關表單及範例
/doclink/formlink01.asp?-=&link_cat='+OR+'))/*

An attacker may exploit this flaws to bypass authentication or to take the control of the remote database.

Solution : Modify the relevant CGIs so that they properly escape arguments

Risk Factor : High
See Also : http://www.securiteam.com/securityreviews/5DP0N1P76E.html
Plugin ID : 11139

Nessus Report

http (80/tcp)

The remote host is using a version vulnerable of mod_ssl which is older than 2.8.19. There is a format string condition in the log functions of the remote module which may allow an attacker to execute arbitrary code on the remote host.

Solution: Upgrade to version 2.8.19 or newer

Risk Factor : High
CVE : CVE-2004-0700
BID : 10736
Other references : OSVDB:7929
Plugin ID : 13651

Nessus Report

http (80/tcp)

The remote host is running a version of PHP which is older than 5.0.3 or 4.3.10.

The remote version of this software is vulnerable to various security issues which may, under certain circumstances, to execute arbitrary code on the remote host, provided that we can pass arbitrary data to some functions.

See Also : http://www.php.net/ChangeLog-5.php#5.0.3

Solution : Upgrade to PHP 5.0.3 or 4.3.10

Risk Factor : High
CVE : CVE-2004-1018, CVE-2004-1019, CVE-2004-1020, CVE-2004-1063, CVE-2004-1064, CVE-2004-1065
BID : 11964, 11981, 11992, 12045
Other references : OSVDB:12410
Plugin ID : 15973

Nessus Report

http (80/tcp)

The remote host appears to be running a version of Apache which is older than 1.3.29

There are several flaws in this version, which may allow an attacker to possibly execute arbitrary code through mod_alias and mod_rewrite.

You should upgrade to 1.3.29 or newer.

Note that Nessus solely relied on the version number of the remote server to issue this warning. This might be a false positive

Solution : Upgrade to version 1.3.29

See Also : http://www.apache.org/dist/httpd/Announcement.html

Risk Factor : High
CVE : CVE-2003-0542
BID : 8911
Other references : OSVDB:2733, OSVDB:7611
Plugin ID : 11915

Nessus Report

http (80/tcp)

Synopsis : The remote web server allows PUT and/or DELETE method(s).

Description : We could DELETE the file '/puttest1.html' on your web server. This allows an attacker to destroy some of your pages.

Solution : Disable PUT and/or DELETE method(s) in the web server configuration.

Risk Factor : High
BID : 12141
Other references : OSVDB:397, OSVDB:5646, OWASP:OWASP-CM-001
Plugin ID : 10498

Nessus Report

http (80/tcp)

This host is running the Microsoft IIS web server. This web server contains a configuration flaw that allows the retrieval of the global.asa file. This file may contain sensitive information such as database passwords, internal addresses, and web application configuration options. This vulnerability may be caused by a missing ISAPI map of the .asa extension to asp.dll.

Solution :
To restore the .asa map:
Open Internet Services Manager. Right-click on the affected web server and choose Properties from the context menu. Select Master Properties, then Select WWW Service --> Edit --> Home Directory --> Configuration. Click the Add button, specify C:\winnt\system32\inetsrv\asp.dll as the executable (may be different depending on your installation), enter .asa as the extension, limit the verbs to GET,HEAD,POST,TRACE, ensure the Script Engine box is checked and click OK.

Risk Factor : High
Plugin ID : 10991

Nessus Report

http (80/tcp)

The remote host is using a version of OpenSSL which is older than 0.9.6m or 0.9.7d

There are several bug in this version of OpenSSL which may allow an attacker to cause a denial of service against the remote host.

Solution : Upgrade to version 0.9.6m (0.9.7d) or newer

Risk Factor : High
CVE : CVE-2004-0079, CVE-2004-0081, CVE-2004-0112
BID : 9899
Other references : IAVA:2004-B-0006, OSVDB:4316, OSVDB:4317, OSVDB:4318
Plugin ID : 12110

Nessus Report

snmp (161/udp)

Synopsis :
The community name of the remote SNMP server can be guessed.

Description :
It is possible to obtain the default community names of the remote SNMP server. An attacker may use this information to gain more knowledge about the remote host, or to change the configuration of the remote system.

Solution :
Disable the SNMP service on the remote host if you do not use it, filter incoming UDP packets going to this port, or change the default community string.

Risk Factor :
High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Plugin output :
The remote SNMP server replies to the following default community strings : private, public, cisco

Plugin ID : 10264

Nessus Report

compaq-evm (619/tcp)

The remote NFS server allows users to use a 'cd ..' command to access other directories besides the NFS file system.

The listing of /cdrom is :
- .
- ..

After having sent a 'cd ..' request, the list of files is :
- dev
- backup
- home
- tmp
- usr
- var
- stand
- etc
- cdrom
- bin
- boot
- lib
- libexec
- mnt
- proc
- rescue
- root
- sbin
- sys
- .cshrc
- .profile
- COPYRIGHT
- compat
- entropy

An attacker may use this flaw to read every file on this host

Solution : Contact your vendor for a patch

Risk Factor : High
CVE : CVE-1999-0166
Plugin ID : 11357

Thank You!