Return to the 2006 Operating System Vulnerability Summary on OmniNerd
List of hosts
192.168.1.2 : High Severity problem(s) found

192.168.1.2


Scan time :
Start time : Sun Feb 25 21:12:37 2007
End time : Sun Feb 25 21:25:08 2007
Number of vulnerabilities :
Open ports : 53
Low : 35
Medium : 1
High : 3

Information about the remote host :

Operating system : Mac OS X 10.4
NetBIOS name : TESTING
DNS name : (unknown)

Port svrloc (427/tcp)
SLP Server Detection (tcp)

Synopsis :

The remote server supports the Service Location Protocol.

Description :

The remote server understands Service Location Protocol (SLP), a
protocol that allows network applications to discover the existence,
location, and configuration of various services in an enterprise
network environment. A server that understands SLP can either be a
service agent (SA), which knows the location of various services, or a
directory agent (DA), which acts as a central repository for service
location information.

See also :

http://www.ietf.org/rfc/rfc2608.txt

Solution :

Limit incoming traffic to this port if desired.

Risk factor :

None

Plugin output :

An SLP Service Agent is listening on this port.

Nessus ID : 23777

Port mdns (5353/udp)
mDNS Detection

The remote host is running the Rendezvous (also known as ZeroConf or mDNS)
protocol.

This protocol allows anyone to extract information from the remote host, such
as its operating system type and exact version, its hostname, and the list
of services it is running.

We could extract the following information :

Computer name : TESTING.local.
Ethernet addr : 00:30:65:c1:70:42
Computer Type : PowerMac5,1
Operating System : Mac OS X 10.4

Solution : You should filter incoming traffic to this port if you do not use
this protocol.

Risk factor : Low

Nessus ID : 12218

Port netbios-ns (137/tcp)
Using NetBIOS to retrieve information from a Windows host

Synopsis :

It is possible to obtain the network name of the remote host.

Description :

The remote host listens on udp port 137 and replies to NetBIOS nbtscan
requests. By sending a wildcard request it is possible to obtain the
name of the remote system and the name of its domain.

Risk factor :

None

Plugin output :

The following 5 NetBIOS names have been gathered :

TESTING = Computer name
TESTING = Messenger Service
TESTING = File Server Service
WORKGROUP = Workgroup / Domain name
WORKGROUP = Browser Service Elections

This SMB server seems to be a SAMBA server (MAC address is NULL).
CVE : CVE-1999-0621
Other references : OSVDB:13577

Nessus ID : 10150

Port ntp (123/udp)
NTP read variables
It is possible to determine a lot of information about the remote host
by querying the NTP (Network Time Protocol) variables; these include the
OS descriptor and time settings.

It was possible to gather the following information from the remote NTP host :

version='ntpd 4.1.1@1.786 Sun Mar 20 15:40:56 PST 2005 (1)',
processor='Power Macintosh', system='Darwin8.0.0', leap=3, stratum=16,
precision=-17, rootdelay=0.000, rootdispersion=14.400, peer=0,
refid=0.0.0.0, reftime=0x00000000.00000000, poll=4,
clock=0xc98cb2cd.5d03b81b, state=0, offset=0.000, frequency=0.000,
jitter=0.008, stability=0.000

Quickfix: Set NTP to restrict default access to ignore all info packets:
restrict default ignore

Risk factor : Low

Nessus ID : 10884

Port general/udp
Traceroute
For your information, here is the traceroute from 192.168.1.250 to 192.168.1.2 :
192.168.1.250
192.168.1.2


Nessus ID : 10287

Port vnc (5900/tcp)
Identify unknown services with GET
A VNC server is running on this port

Nessus ID : 17975
VNC security types
The remote VNC server supports the following security types:
+ 30


Nessus ID : 19288

Port ssh (22/tcp)
Services
An ssh server is running on this port

Nessus ID : 10330
SSH Server type and version
Remote SSH version : SSH-1.99-OpenSSH_3.8.1p1

Remote SSH supported authentication : gssapi-with-mic,publickey,gssapi,password,keyboard-interactive

Nessus ID : 10267
SSH protocol versions supported
The remote SSH daemon supports the following versions of the
SSH protocol :

. 1.33
. 1.5
. 1.99
. 2.0


SSHv1 host key fingerprint : bd:98:b4:bb:1f:c5:b4:fb:b8:66:66:65:7a:9c:2e:bf
SSHv2 host key fingerprint : 9d:54:57:15:e1:7d:64:43:98:b6:19:1c:09:1c:a4:28


Nessus ID : 10881
SSH protocol version 1 enabled

Synopsis :

The remote service offers an insecure cryptographic protocol

Description :

The remote SSH daemon supports connections made
using version 1.33 and/or 1.5 of the SSH protocol.

These protocols are not cryptographically sound,
so they should not be used.

Solution :

Disable compatibility with version 1 of the protocol.

Risk factor :

Low / CVSS Base Score : 3
(AV:R/AC:H/Au:NR/C:P/A:N/I:N/B:C)
CVE : CVE-2001-0361
BID : 2344

Nessus ID : 10882

Port ftp (21/tcp)
Services
An FTP server is running on this port.
Here is its banner :
220 TESTING.local FTP server (tnftpd 20040810) ready.

Nessus ID : 10330
FTP Server Detection

Synopsis :

An FTP server is listening on this port

Description :

It is possible to obtain the banner of the remote FTP server
by connecting to the remote port.

Risk factor :

None

Plugin output :

The remote FTP banner is :
220 TESTING.local FTP server (tnftpd 20040810) ready.

Nessus ID : 10092

Port ipp (631/tcp)
Services
A web server is running on this port

Nessus ID : 10330
Web mirroring
The following CGIs have been discovered :

Syntax : cginame (arguments [default value])

/jobs (which_jobs [completed] )
/admin/ (op [add-class] )


Nessus ID : 10662
Office files list
The following Acrobat files (.pdf) are available on the remote server :
/overview.pdf
/sum.pdf
/sam.pdf
/spm.pdf
/cmp.pdf
/ipp.pdf
/idd.pdf
/sdd.pdf
/sps.pdf
/ssr.pdf
/translation.pdf
/stp.pdf
/svd.pdf


You should make sure that none of these files contain confidential or
otherwise sensitive information.

An attacker may use these files to gain a more intimate knowledge of
your organization and eventually use them to perform social engineering
attacks (abusing the trust of the personnel of your company).

Solution : Sensitive files should not be accessible to everyone, but only
to authenticated users.

Nessus ID : 11419
HMAP
This web server was fingerprinted as CUPS/1.1
which is consistent with the displayed banner: CUPS/1.1

Nessus ID : 11919
HTTP Server type and version
The remote web server type is :

CUPS/1.1


Nessus ID : 10107

Port general/tcp
Mac OS X < 10.4.8

Synopsis :

The remote host is missing a Mac OS X update which fixes a security
issue.

Description :

The remote host is running a version of Mac OS X 10.4 which is older than
version 10.4.8.

Mac OS X 10.4.8 contains several security fixes for the following
programs :

- CFNetwork
- Flash Player
- ImageIO
- Kernel
- LoginWindow
- Preferences
- QuickDraw Manager
- SASL
- WebCore
- Workgroup Manager

Solution :

Upgrade to Mac OS X 10.4.8 :
http://www.apple.com/support/downloads/macosx1048updateintel.html
http://www.apple.com/support/downloads/macosx1048updateppc.html
http://www.apple.com/support/downloads/macosxserver1048update.html

See also :

http://docs.info.apple.com/article.html?artnum=304460

Risk factor :

High / CVSS Base Score : 7.0
(AV:L/AC:L/Au:NR/C:C/I:C/A:C/B:N)
CVE : CVE-2006-4390, CVE-2006-3311, CVE-2006-3587, CVE-2006-3588, CVE-2006-4640, CVE-2006-4391, CVE-2006-4392, CVE-2006-4397, CVE-2006-4393, CVE-2006-4394, CVE-2006-4387, CVE-2006-4395, CVE-2006-1721, CVE-2006-3946, CVE-2006-4399
BID : 20271

Nessus ID : 22476
OS Identification
The remote host is running Mac OS X 10.4

Nessus ID : 11936
Mac OS X < 10.4.7

Synopsis :

The remote host is missing a Mac OS X update which fixes a security
issue.

Description :

The remote host is running a version of Mac OS X 10.4 which is older than
version 10.4.7.

Mac OS X 10.4.7 contains several security fixes for the following
programs :

- AFP server
- ImageIO
- launchd
- OpenLDAP

Solution :

Upgrade to Mac OS X 10.4.7 :
http://www.apple.com/support/downloads/macosxupdate1047intel.html
http://www.apple.com/support/downloads/macosxupdate1047ppc.html
http://www.apple.com/support/downloads/macosxserverupdate1047.html

See also :

http://docs.info.apple.com/article.html?artnum=303973

Risk factor :

High / CVSS Base Score : 7.0
(AV:R/AC:L/Au:NR/C:P/I:P/A:P/B:N)
CVE : CVE-2006-1468, CVE-2006-1469, CVE-2006-1470
BID : 18724, 18728, 18731, 18733

Nessus ID : 21763
Mac OS X < 10.4.5

Synopsis :

The remote host is missing a Mac OS X update which fixes a security
issue.

Description :

The remote host is running a version of Mac OS X 10.4 which is older than
version 10.4.5.

Mac OS X 10.4.5 contains several security fixes for a local denial of
service vulnerability. A malicious local user may trigger the vulnerability
by invoking an undocumented system call.


Solution :

Upgrade to Mac OS X 10.4.5 :
http://www.apple.com/support/downloads/macosxupdate1045.html
http://www.apple.com/support/downloads/macosxserver1045.html

See also :

http://docs.info.apple.com/article.html?artnum=61798

Risk factor :

Low / CVSS Base Score : 1.6
(AV:L/AC:L/Au:NR/C:N/I:N/A:P/B:N)
CVE : CVE-2006-0382
BID : 16654

Nessus ID : 20911
Mac OS X < 10.4.3

Synopsis :

The remote host is missing a Mac OS X update which fixes security
issues.

Description :

The remote host is running a version of Mac OS X 10.4 which is older than
version 10.4.3.

Mac OS X 10.4.3 contains several security fixes for :

- Finder
- Software Update
- memberd
- KeyChain
- Kernel

Solution :

Upgrade to Mac OS X 10.4.3 :
http://www.apple.com/support/downloads/macosxupdate1043.html
http://www.apple.com/support/downloads/macosxserver1043.html

See also :

http://docs.info.apple.com/article.html?artnum=61798

Risk factor :

Low / CVSS Base Score : 2
(AV:L/AC:L/Au:R/C:P/A:N/I:P/B:N)
BID : 15252

Nessus ID : 20113
Mac OS X < 10.4.2

The remote host is running a version of Mac OS X 10.4 which is older than
version 10.4.2.

Mac OS X 10.4.2 contains several security fixes for :

- TCP/IP
- Dashboard

Solution : http://docs.info.apple.com/article.html?artnum=301948
Risk factor : Medium
CVE : CVE-2005-2194, CVE-2005-1333
BID : 14241
Other references : IAVA:2005-t-0015

Nessus ID : 18683
Mac OS X < 10.4.1

The remote host is running a version of Mac OS X 10.4 which is older than
version 10.4.1.

Mac OS X 10.4.1 contains several security fixes for :

- Bluetooth
- Dashboard
- Kernel
- SecurityAgent

Solution : http://docs.info.apple.com/article.html?artnum=301630
Risk factor : High
CVE : CVE-2005-1474
BID : 13694, 13695, 13696

Nessus ID : 18353
Information about the scan
Information about this scan :

Nessus version : 3.0.4
Plugin feed version : 200701101815
Type of plugin feed : Registered (7 days delay)
Scanner IP : 192.168.1.250
Port scanner(s) : nessus_tcp_scanner synscan
Port range : default
Thorough tests : yes
Experimental tests : no
Paranoia level : 0
Report Verbosity : 2
Safe checks : no
Max hosts : 40
Max checks : 5
Scan Start Date : 2007/2/25 21:12
Scan duration : 751 sec


Nessus ID : 19506

Port general/icmp
Record route
Here is the route recorded between 192.168.1.250 and 192.168.1.2 :
127.0.0.1.


Nessus ID : 12264

Port microsoft-ds (445/tcp)
SMB Detection
A CIFS server is running on this port

Nessus ID : 11011
SMB NativeLanMan

Synopsis :

It is possible to obtain information about the remote operating
system.

Description :

It is possible to get the remote operating system name and
version (Windows and/or Samba) by sending an authentication
request to port 139 or 445.

Risk factor :

None

Plugin output :

The remote Operating System is : Unix
The remote native lan manager is : Samba 3.0.10
The remote SMB Domain Name is : TESTING


Nessus ID : 10785
SMB log in

Synopsis :

It is possible to logon on the remote host.

Description :

The remote host is running one of the Microsoft Windows operating
systems. It was possible to log on using one of the following
accounts :

- NULL session
- Guest account
- Given Credentials

See also :

http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP

Risk factor :

none

Plugin output :

- NULL sessions are enabled on the remote host

CVE : CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595
BID : 494, 990, 11199

Nessus ID : 10394
SMB LanMan Pipe Server browse listing

Synopsis :

It is possible to obtain network information.

Description :

It was possible to obtain the browse list of the remote
Windows system by sending a request to the LANMAN pipe.
The browse list is the list of the Windows systems nearest
to the remote host.

Risk factor :

None

Plugin output :

Here is the browse list of the remote host :

TESTING ( os: 0.0 )

Other references : OSVDB:300

Nessus ID : 10397

Port afpovertcp (548/tcp)
AppleShare IP Server status query

Synopsis :

File sharing service is available.

Description :

The remote host is running an AppleShare IP file service.
By sending a DSIGetStatus request on tcp port 548, it was
possible to disclose information about the remote host.

Risk factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)

Plugin output :

This host is running AppleShare File Services over IP.
Machine type: Macintosh
Server name: TESTING
UAMs: DHCAST128/DHX2/Cleartxt Passwrd/No User Authent
AFP Versions: AFP3.2/AFP3.1/AFPX03/AFP2.2

This AppleShare File Server allows the "guest" user to connect

Nessus ID : 10666

Port printer (515/tcp)

Port eppc (3031/tcp)

Port http (80/tcp)
Services
A web server is running on this port

Nessus ID : 10330
Unconfigured web server

Synopsis :

The remote web server is not configured, or is not properly configured.

Description :

The remote web server seems to have its default welcome page set.
It probably means that this server is not used at all.

Solution :

Disable this service, as you do not use it.

Risk factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
Other references : OSVDB:2117

Nessus ID : 11422
Directory Scanner
The following directories were discovered:
/cgi-bin, /icons, /manual

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards.

Other references : OWASP:OWASP-CM-006

Nessus ID : 11032
HMAP
This web server was fingerprinted as Apache/1.3.28-33 (Unix)
which is consistent with the displayed banner: Apache/1.3.33 (Darwin)

Nessus ID : 11919
HTTP Server type and version
The remote web server type is :

Apache/1.3.33 (Darwin)


Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.

Nessus ID : 10107
Apache Remote Username Enumeration Vulnerability

Synopsis :

The remote Apache server can be used to guess the presence of a given
user name on the remote host.

Description :

When configured with the 'UserDir' option, requests to URLs containing
a tilde followed by a username will redirect the user to a given
subdirectory in the user home.

For instance, by default, requesting /~root/ displays the HTML
contents from /root/public_html/.

If the username requested does not exist, then Apache will reply with
a different error code. Therefore, an attacker may exploit this
vulnerability to guess the presence of a given user name on the remote
host.

Solution :

In httpd.conf, set the 'UserDir' to 'disabled'.

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
CVE : CVE-2001-1013
BID : 3335
Other references : OSVDB:637

Nessus ID : 10766

Port netbios-ssn (139/tcp)
SMB Detection
An SMB server is running on this port

Nessus ID : 11011