[2.0.1] default_account.inc bugs + patch (partial fix)
Hello,

This is my first post to this list; hopefully I've chosen the correct list
for this post.

During testing of my local network, I found that a rule, account_root.nasl,
that comes with Nessus 2.0.1 wasn't working correctly. The target box was a
Solaris 9 server which I had set up to be unpassworded. Going through
default_account.inc, I found a few problems with the code that were keeping
it from working:

- Not all login impls will skip the password prompt whenever it's an
unpassworded account. The following lines seem to assume that if you have a
null password, login won't send you the password prompt.

/---------------------------- Cut -------------------------/
send(socket:soc, data:string(login, "\r\n"));
res = recv_line(socket:soc, length:4096);
if(isnull(password) && ("word:" >< res))
{
close(soc);
return(0);
}
/---------------------------- Cut -------------------------/

Additionally, this code won't work anyway, because telnet echoes the input
(unless echo is turned off, but this script doesn't appear to address that
with telnet options). Therefore, you'll always end up with the username\r\n
in res at this point of the code.

- Input is often flushed prior to reading the password prompt. This script
SEEMS to be trying to dump everything to the network, letting a recv_line
loop check for the "success strings". This won't work if the telnet daemon
flushes the input prior to printing the password: prompt. I changed the
recv_line after the login prompt printout to be a recv, and then checked for
"word:".

- In the "recv_line" loop, the substring "ogin:" is checked for prior to the
egrep pattern. This won't work for Solaris, which uses "Last login:" as
part of the login banner. Therefore, this will be caught by the "ogin:"
check and the script will fail, despite having successfully logged in.

...

So here is my patch. Note that it does NOT deal with login implementations
that don't prompt for the password when the account specified is blank. If
anyone knows which OS does this, I can fix up the script.

Brian Costello
btx@calyx.net

/------------------------------CUT------------------------/


--- default_account.inc.orig Mon Mar 31 17:03:50 2003
+++ default_account.inc Mon Mar 31 17:05:34 2003
@@ -15,7 +15,6 @@
#


-
function _check_telnet(port, login, password)
{
local_var soc, res;
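Review bot: whitespace-only change unrelated to the fix (the blank line removed above `function _check_telnet`); dropping this hunk keeps the patch to the behavioural change and lets it apply more cleanly against other revisions of the file.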
@@ -32,20 +31,32 @@


send(socket:soc, data:string(login, "\r\n"));
-res = recv_line(socket:soc, length:4096);
-if(isnull(password) && ("word:" >< res))
+res = string(recv(socket:soc, length:4096, timeout:3));
+
+# Still need to deal with no password: prompt with passwordless account!
+
+# If we didn't get the password prompt in the post-login response, fail
+
+if ("word:" >!< res)
{
close(soc);
return(0);
}
+
if(password)
{
- send(socket:soc, data:string(password, "\r\n"));
- res = recv_line(socket:soc, length:4096);
+ send(socket:soc, data:string(password, "\r\n"));
+}
+else
+{
+ send(socket:soc, data:string("\r\n"));
}

+res = recv_line(socket:soc, length:4096);
+
send(socket:soc, data:string("id\r\n"));
res = recv_line(socket:soc, length:4096);
+
while(res)
{
if("ogin incorrect" >< res)
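Review bot: the new `if ("word:" >!< res) { close(soc); return(0); }` turns the case that the comment two lines above admits is unhandled into a silent miss: a login daemon that skips the password prompt for a blank password never prints "word:", so a passwordless account is now reported as not vulnerable, where the old `isnull(password)` test at least tried to distinguish it. Suggest bailing out only when a password is expected, e.g. `if (password && ("word:" >!< res))`, and for the null-password case falling through to the `id` check so the "uid=" match still decides. Separately, `recv(socket:soc, length:4096, timeout:3)` returns whatever arrived within three seconds, so a slow daemon whose prompt has not yet been printed hits the same early return; reading in a loop until "word:" shows up or the timeout expires would be more robust.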
@@ -53,6 +64,12 @@
close(soc);
return(0);
}
+
+ if(egrep(pattern:"(uid=)|(Last login)", string:res))
+ {
+ close(soc);
+ return(1);
+ }

if("ogin:" >< res)
{
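Review bot: moving the `egrep(pattern:"(uid=)|(Last login)", string:res)` test ahead of the `"ogin:"` check fixes the Solaris false negative described in the post, but "Last login" is a much weaker success signal than "uid=": any line that merely contains it now returns 1 before anything else is examined. Consider treating "Last login" as a hint only and still requiring a "uid=" line from the `id` command before reporting success; the inner parentheses in the pattern are also redundant (`uid=|Last login` is equivalent).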
@@ -60,11 +77,6 @@
return(0);
}

- if(egrep(pattern:"(uid=)|(Last login)", string:res))
- {
- close(soc);
- return(1);
- }
res = recv_line(socket:soc, length:4096);
}
close(soc);



/------------------------------CUT------------------------/


btx
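A small Python model of the two response-handling problems described above (the echoed username hiding the password prompt from a single recv_line, and "Last login:" being caught by the "ogin:" check before the success pattern), added here as an illustration; it is not NASL code from Nessus or from the patch, and the telnet output it walks over is constructed, not captured from a host.

```python
import re

# Added example, not code from Nessus or from the patch above. It models the
# string handling of _check_telnet in plain Python over constructed telnet
# output; nothing here touches the network.

SUCCESS_RE = re.compile(r"uid=|Last login")  # the egrep pattern in the .inc


def first_line(raw):
    """Model recv_line(): return the buffer up to and including the first LF."""
    i = raw.find("\n")
    return raw if i < 0 else raw[: i + 1]


def prompt_seen(raw, whole_buffer):
    """Was the 'word:' (Password:) prompt found in what was read after sending
    the username?  whole_buffer=False mimics the old recv_line() read,
    True mimics the patched recv() read of everything that arrived."""
    buf = raw if whole_buffer else first_line(raw)
    return "word:" in buf


def classify(lines, success_check_first):
    """Walk the post-'id' lines the way the while(res) loop does.
    success_check_first=False is the original order ("ogin:" before egrep),
    True is the patched order.  Returns 1 for a confirmed login, 0 for a
    failure or a fresh login prompt, None if the stream ends undecided."""
    for res in lines:
        if "ogin incorrect" in res:
            return 0
        if success_check_first and SUCCESS_RE.search(res):
            return 1
        if "ogin:" in res:
            return 0
        if not success_check_first and SUCCESS_RE.search(res):
            return 1
    return None


# Constructed samples. telnetd echoes the username, so the first line read
# after sending it is "root\r\n", not the password prompt.
AFTER_USERNAME = "root\r\nPassword: "
# Solaris-style output following a successful login and the "id" command.
SOLARIS_LOGGED_IN = [
    "Last login: Mon Mar 31 17:03:50 on pts/2\r\n",
    "Sun Microsystems Inc.   SunOS 5.9\r\n",
    "$ id\r\n",
    "uid=0(root) gid=0(root)\r\n",
]
REJECTED = ["Login incorrect\r\n", "login: "]
```

With the original check order `classify(SOLARIS_LOGGED_IN, False)` returns 0 on the very first line, which is the false negative the post reports; the patched order returns 1.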