Much better results with smb_nt_ms03-005.nasl version 1.3! All the reports of hotfixes not being applied went away.
I think some tests still wrongly report vulnerabilities, though. In particular I'm inclined to disbelieve the following three reports:

1. Vulnerability found on port netbios-ssn (139/tcp):

   It was possible to log into the remote host using a NULL session. The concept of a NULL session is to provide a null username and a null password, which grants the user the 'guest' access.
   To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and Q246261 (Windows 2000). Note that this won't completely disable null sessions, but will prevent them from connecting to IPC$.
   Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html
   All the smb tests will be done as 'Administrator'/'****' in domain WORKGROUP
   CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222
   BID : 990

2. Vulnerability found on port netbios-ssn (139/tcp):

   The Microsoft Locate service is a name server that maps logical names to network-specific names. There is a security vulnerability in this server which allows an attacker to execute arbitrary code in it by sending a specially crafted packet to it.
   Maximum Severity Rating: Critical
   Recommendation: Administrators should install the patch immediately.
   Affected Software:
     Microsoft Windows NT 4.0
     Microsoft Windows NT 4.0, Terminal Server Edition
     Microsoft Windows 2000
     Microsoft Windows XP
   See http://www.microsoft.com/technet/security/bulletin/ms03-001.asp
   Risk factor : High
   CVE : CAN-2003-0003

3. Warning found on port netbios-ssn (139/tcp):

   The remote host is running a version of the shlwapi.dll which crashes when processing a malformed HTML form. An attacker may use this flaw to prevent the users of this host from working properly. To exploit this flaw, an attacker would need to send a malformed HTML file to the remote user, either by e-mail or by making him visit a rogue web site.
   Solution : None
   Risk Factor : Low
   BID : 7402

Also the following shouldn't be an issue on Win2003; is it possible for the test to check better on Win2003?
Warning found on port netbios-ssn (139/tcp):

   A 'rfpoison' packet has been sent to the remote host. This packet is supposed to crash the 'services.exe' process, rendering the system unstable. If you see that this attack was successful, have a look at this page: http://www.wiretrip.net/rfp/p/doc.asp?id=23&iface=2
   CVE : CVE-1999-0980
   BID : 754

-----Original Message-----
From: Yeomans, Andrew [mailto:[EMAIL PROTECTED]
Sent: 09 June 2003 14:50
To: '[EMAIL PROTECTED]'
Subject: RE: Errors in scan results for Windows 2003 server

Renaud Deraison told me (snipped):

> When did you update your plugins for the last time ? Make sure that
> smb_nt_ms03-005.nasl's version is 1.3 or newer.
>
> I committed the changes late friday, so my guess is that you've run the
> non-Win2003-aware plugins.
>
>  -- Renaud

That was after my last update, so I'll re-run the tests tomorrow and post results.

----------------------------------------------------------------------
If you have received this e-mail in error or wish to read our e-mail disclaimer statement and monitoring policy, please refer to http://www.drkw.com/disc/email/ or contact the sender.
----------------------------------------------------------------------
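A defender-side check for the first finding, added here as an example that is not code from the thread or from Nessus: it reads the LSA registry values that the KB articles cited in the NULL-session report (Q143474, Q246261) govern, so a reported NULL session can be compared with the host's actual configuration. RestrictAnonymous is the value those articles describe; RestrictAnonymousSAM and EveryoneIncludesAnonymous are assumed here to be the later Windows XP/2003-era values and are not mentioned in the thread.

```powershell
# Added example (not from the thread or Nessus): report the anonymous-access
# hardening state of the local host under the LSA key the cited KB articles use.
function Get-NullSessionHardening {
    param(
        # Registry path the KB articles document for RestrictAnonymous.
        [string]$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )
    $props = Get-ItemProperty -Path $LsaPath -ErrorAction Stop

    # RestrictAnonymous: 0 = rely on defaults, 1 = block anonymous enumeration of
    # SAM accounts and shares, 2 = no access without explicit anonymous permissions.
    # RestrictAnonymousSAM and EveryoneIncludesAnonymous are assumed XP/2003+ values.
    $checks = @(
        @{ Name = 'RestrictAnonymous';         Ok = { param($v) ($null -ne $v) -and ($v -ge 1) }; Source = 'KB Q143474 / Q246261' }
        @{ Name = 'RestrictAnonymousSAM';      Ok = { param($v) ($null -ne $v) -and ($v -eq 1) }; Source = 'assumed (XP/2003+)' }
        @{ Name = 'EveryoneIncludesAnonymous'; Ok = { param($v) ($null -eq $v) -or  ($v -eq 0) }; Source = 'assumed (XP/2003+)' }
    )

    foreach ($c in $checks) {
        $value = $props.($c.Name)          # $null when the value is absent
        $display = $value
        if ($null -eq $value) { $display = '(not set)' }
        [pscustomobject]@{
            Setting  = $c.Name
            Value    = $display
            Hardened = & $c.Ok $value
            Source   = $c.Source
        }
    }
}

# Usage: list the settings, then flag the host if any check fails.
$results = Get-NullSessionHardening
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Hardened }) {
    Write-Warning 'Anonymous (NULL session) access is not fully restricted on this host.'
}
```

Run it on the scanned host; if every row reports Hardened = True, the scanner's NULL-session result is worth re-checking rather than taking at face value.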
