Network Vulnerability Assessment Report
07.10.2005
Sorted by host names

Session name: ASUSAAM6020BI
Start Time: 07.10.2005 15:45:54
Finish Time: 07.10.2005 15:57:06
Elapsed: 0 day(s) 00:11:11
Total records generated: 20
high severity: 3
Medium severity: 1
informational: 16


Summary of scanned hosts

Host        Holes  Warnings  Open ports  State
10.0.0.36   3      1         5           Finished


10.0.0.36

Service    Severity    Description
ftp (21/tcp)
Info
Port is open
ssh (22/tcp)
Info
Port is open
telnet (23/tcp)
Info
Port is open
www (80/tcp)
Info
Port is open
snmp (161/udp)
Info
Port is open
ssh (22/tcp)
High

You are running a version of OpenSSH which is older than 3.7.1

Versions older than 3.7.1 are vulnerable to a flaw in the buffer management
functions which might allow an attacker to execute arbitrary commands on this
host.

An exploit for this issue is rumored to exist.


Note that several distribution patched this hole without changing
the version number of OpenSSH. Since Nessus solely relied on the
banner of the remote SSH server to perform this check, this might
be a false positive.

If you are running a RedHat host, make sure that the command :
rpm -q openssh-server

Returns :
openssh-server-3.1p1-13 (RedHat 7.x)
openssh-server-3.4p1-7 (RedHat 8.0)
openssh-server-3.5p1-11 (RedHat 9)

Solution : Upgrade to OpenSSH 3.7.1
See also : http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375452423794&w=2
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375456923804&w=2
Risk factor : High
CVE : CAN-2003-0682, CAN-2003-0693, CAN-2003-0695
BID : 8628
Other references : RHSA:RHSA-2003:279, SuSE:SUSE-SA:2003:039
snmp (161/udp)
High

SNMP Agent responded as expected with community name: public
CVE : CAN-1999-0517, CAN-1999-0186, CAN-1999-0254, CAN-1999-0516
BID : 11237, 10576, 177, 2112, 6825, 7081, 7212, 7317, 9681, 986
Other references : IAVA:2001-B-0001
www (80/tcp)
High

The following URLs seem to be vulnerable to various SQL injection
techniques :

/cgi-bin/webcm?var:main='UNION'
/cgi-bin/webcm?var:main='
/cgi-bin/webcm?var:main='%22
/cgi-bin/webcm?var:main=9%2c+9%2c+9
/cgi-bin/webcm?var:main='bad_bad_value
/cgi-bin/webcm?var:main=bad_bad_value'
/cgi-bin/webcm?var:main='+OR+'
/cgi-bin/webcm?var:main='WHERE
/cgi-bin/webcm?var:main=%3B
/cgi-bin/webcm?var:main='OR



An attacker may exploit this flaws to bypass authentication
or to take the control of the remote database.


Solution : Modify the relevant CGIs so that they properly escape arguments
Risk factor : High
See also : http://www.securiteam.com/securityreviews/5DP0N1P76E.html
snmp (161/udp)
Medium
A SNMP server is running on this host
The following versions are supported
SNMP version1
SNMP version2c

www (80/tcp)
Info
A web server is running on this port
ftp (21/tcp)
Info
An FTP server is running on this port.
Here is its banner :
220 FTPU ready.

ftp (21/tcp)
Info
Remote FTP server banner :
220 FTPU ready.


www (80/tcp)
Info
The following directories were discovered:
/cgi-bin, /html

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards

Other references : OWASP:OWASP-CM-006
www (80/tcp)
Info
The following CGI have been discovered :

Syntax : cginame (arguments [default value])

/cgi-bin/webcm (var:main [menu] var:style [style5] getpage [../html/defs/style5/menus/menu.html] errorpage [../html/index.html] var:pagename [home] var:errorpagename [home] var:menu [home] var:menutitle [Home] var:pagetitle [Home] var:pagemaster [home] login:command/username [] login:command/password [] )

www (80/tcp)
Info
The remote web server type is :




telnet (23/tcp)
Info
A telnet server seems to be running on this port
ssh (22/tcp)
Info
An ssh server is running on this port
general/udp
Info
For your information, here is the traceroute to 10.0.0.36 :
10.0.0.59
10.0.0.36

telnet (23/tcp)
Info
Remote telnet banner :


BusyBox on (none) login:
ssh (22/tcp)
Info
Remote SSH version : SSH-2.0-OpenSSH_3.6p1