
CAN-2002-0142
I don't have an Avirt gateway, so I cannot test it, and I cannot even
reproduce the bug (according to the advisory, Avirt declared that there
is *no* bug).
As ISS say that they detect it and we don't, I'd appreciate it if they
could verify that this plugin works. Thanks <grin>





# This script was written by Michel Arboi <arboi@bigfoot.com>
#
# GPL
#
# *unconfirmed* and *untested*

if(description)
{
# The plugin id is kept commented out in this version — presumably held
# back until the detection is confirmed (the script is marked untested).
#script_id(10094);
script_version ("$Revision$");
script_cve_id("CAN-2002-0142");

script_name(english:"Avirt gateway insecure telnet proxy");

# Report text shown to the user, in English and in French.
script_description(
 english:"
It was possible to connect to the remote telnet server without
password and to get a command prompt with the 'DOS' command.

An attacker may use this flaw to get access on your system.

Solution : Contact your vendor for a patch or disable this service
Risk factor : High",
 francais:"
Il s'est avéré possible de se connecter au serveur telnet distant
sans mot de passe et d'obtenir un interpréteur de commande avec
l'ordre 'DOS'.

Un pirate peut utiliser cette faille pour prendre pied sur votre
système.

Solution : contactez votre vendeur pour un patch ou
désactivez ce service

Facteur de risque : Elevé");

script_summary(
 english:"Remote system compromise through insecure telnet proxy",
 francais:"prise de contrôle à distance à travers le relais telnet défaillant");

# The check sends a command to the target, so it is classified as an
# active attack rather than a passive probe.
script_category(ACT_ATTACK);

script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi");

# Filed under "Untested" instead of "Gain root remotely" for now; the
# intended family is left here so it can be restored once confirmed.
#family["english"] = "Gain root remotely";
#family["francais"] = "Passer root à distance";
script_family(english:"Untested", francais:"Untested");

# Run only when a telnet service is known (default port 23).
script_require_ports("Services/telnet", 23);
exit(0);
}

#
# The script code starts here
#

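# Locate the telnet service (fall back to port 23) and stop if it is closed.
port = get_kb_item("Services/telnet");
if(!port)port = 23;
if (!get_port_state(port)) exit(0);

soc = open_sock_tcp(port);
if (!soc) exit(0);

# telnet_init() handles the option negotiation and returns what the server
# printed first; the banner itself is not used by this check.
banner = telnet_init(soc);

# Issue the 'DOS' command right away, i.e. without any authentication.
# string() is what turns the \r\n escapes into real CR/LF bytes here.
cmd = string("dos\r\n");
send(socket:soc, data:cmd);
# Only a single recv() of at most 512 bytes is examined; a prompt that
# appears after a longer greeting would be missed (false negative).
res = recv(socket: soc, length: 512);
close(soc);
# The former display("res=",...) debug line was dropped: it wrote the raw
# server reply to the scanner's output on every run.

# The proxy is considered vulnerable when a line of the reply starts with a
# drive-letter prompt such as "C:\...> ", which is what a command shell
# handed out without a password would print.
# NOTE(review): a login greeting that happens to contain such a line would
# also match — verify against a known-good Avirt gateway if one is available.
flag = egrep(pattern:"^[A-Z]:\\.*> ", string: res);
if (flag) security_hole(port);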