Pen testing questions

Corio, Jim Jim.Corio at cingular.com
Fri Nov 19 15:44:06 EST 2004 

Those results could be expected if you were using 'Safe Scan' options. 
 
With any vulnerability scan process you are going to have a number of
returns that have to be validated by the system owner or you as the
security analyst.  Specifically, with Safe Scans, you are only looking
for potential indicators of a vulnerability without running scenarios
that may explicitly trigger the vulnerability.
 
In any case, if you are sure of the configuration (have touched the box,
know it's configuration) then you can accept these as false positives.
If you are not sure of the configuration (SA say's he patched the box,
but didn't reboot, fw changes may allow this, etc...) then you need to
take the next step and validate the findings.
 
 

	-----Original Message-----
	From: nessus-bounces at list.nessus.org
[mailto:nessus-bounces at list.nessus.org] On Behalf Of Rob Notaro
	Sent: Friday, November 19, 2004 12:00 PM
	To: nessus at list.nessus.org
	Subject: Pen testing questions
	
	

	I recently pen tested a domain I oversee and came across the
following holes that were puzzlers.

	 

	snmp (161/tcp) High It was possible to

	crash either the remote host or the firewall

	in between us and the remote host by sending

	an UDP packet of null size going to port 161 (snmp)

	This flaw may allow an attacker to shut down

	your network.

	 

	CVE : CVE-2000-0221

	BID : 1009

	 

	 

	My gear is behind a Cisco router and PIX not Nortel as the
Bugtraq ID suggests.  I'm also blocking all SNMP traffic at the router
and firewall so I'm not sure why this went off.

	 

	http (80/tcp) High It was possible to make IIS use 100% of the
CPU by

	sending it malformed extension data in the URL

	requested, preventing him to serve web pages

	to legitimate clients.

	Solution : Microsoft has made patches available at :

	- For Internet Information Server 4.0:

	http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20906

	- For Internet Information Server 5.0:

	http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20904

	Risk factor : High

	CVE : CVE-2000-

	 

	 

	 

	Already have SP3 on Win2k which negates this update. 

	 

	general/tcp High It was possible to crash the remote

	machine by flooding it with ICMP type 9 packets.

	A cracker may use this attack to make this

	host crash continuously, preventing you

	from working properly.

	Solution : upgrade your Windows 9x operating system or change
it.

	Reference : http://support.microsoft.com/default.aspx?scid=KB

	en-us

	q216141

	 

	and

	 

	http (80/tcp) High The remote web server dies when an URL
consisting of a

	long invalid string of % is sent.

	A cracker may use this flaw to make your server crash
continually.

	Solution : upgrade your server or firewall it.

	Risk factor : High

	 

	Running Windows 2000 server with latest patches on this machine.

	 

	 

	smtp (25/tcp) High It was possible to perform

	a denial of service against the remote

	Interscan SMTP server by sending it a special long HELO command.

	This problem allows an attacker to prevent

	your Interscan SMTP server from handling requests.

	Solution : contact your vendor for a patch.

	Risk factor : High

	CVE : CAN-1999-1529

	BID : 787

	 

	 

	Exchange 2003 on Windows 2000 with latest patches.  

	 

	general/udp High It was possible

	to make the remote server crash

	using the 'bonk' attack.

	An attacker may use this flaw

	shut down this server, thus

	preventing your network from

	working properly.

	Solution : contact your operating

	system vendor for a patch.

	Risk factor : High

	CVE : CAN-1999-0258

	 

	 

	Is this a false positive?  Fully patches Win2K server.

	 

	 

	 

	Confidentiality Disclosure:  The information contained in this
electronic mail transmission is confidential, and is intended only for
the stated entity or individual recipient of the transmission.  If you
are not the intended recipient, you are hereby notified that any review,
disclosure, copying, distribution, or reliance upon the content of this
communication is strictly prohibited.  If you have received this
electronic mail transmission in error, please reply to the sender, and
delete this message from your in-box and Internet server.
	

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.nessus.org/pipermail/nessus/attachments/20041119/c68e98cc/attachment.html

More information about the Nessus mailing list