CVE-1999-0508
Attack vector | LOCAL |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |
Tags | local, low complexity, nessus, metasploit |
Summary
An account on a router, firewall, or other network device has a default, null, blank, or missing password.
Metasploit
description | This module logs in to SNMP devices using common community names. |
id | MSF:AUXILIARY/SCANNER/SNMP/SNMP_LOGIN |
last seen | 2020-06-02 |
modified | 2019-06-27 |
published | 2011-11-20 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0508 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/snmp/snmp_login.rb |
title | SNMP Community Login Scanner |
Nessus
NASL family | Databases |
NASL id | POSTGRESQL_UNPASSWORDED.NASL |
description | It is possible to connect to the remote PostgreSQL database server using an unpassworded account. This may allow an attacker to launch further attacks against the database. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 10483 |
published | 2000-07-27 |
reporter | This script is Copyright (C) 2000-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/10483 |
title | PostgreSQL Default Unpassworded Account |
code |

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(10483);
  script_version("1.24");
  script_cvs_date("Date: 2018/08/13 14:32:36");

  script_cve_id("CVE-1999-0508");

  script_name(english:"PostgreSQL Default Unpassworded Account");
  script_summary(english:"Attempts to log into the remote PostgreSQL daemon");

  script_set_attribute(attribute:"synopsis", value:"The remote database server can be accessed without a password.");
  script_set_attribute(attribute:"description", value:
"It is possible to connect to the remote PostgreSQL database server using an unpassworded account. This may allow an attacker to launch further attacks against the database.");
  script_set_attribute(attribute:"solution", value:
"Log into this host and set a password for any affected accounts using the 'ALTER USER' command. 
In addition, configure the service by editing the file 'pg_hba.conf' to require a password (or Kerberos) authentication for all remote hosts that have legitimate access to this service and to require a password locally using the line 'local all password'.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SNMP Community Scanner');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"vuln_publication_date", value:"1999/07/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2000/07/27");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:postgresql:postgresql");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"default_account", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.");
  script_family(english:"Databases");
  script_dependencies("postgresql_detect.nasl");
  script_require_ports("Services/postgresql", 5432);
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

port = get_service(svc:"postgresql", default:5432, exit_on_fail:TRUE);

#
# Request the database 'template1' as the user 'postgres' or 'pgsql'
#
zero = raw_string(0x00);

user[0] = "postgres";
user[1] = "pgsql";

for(i=0;i<2;i=i+1)
{
  soc = open_sock_tcp(port);
  if (!soc) audit(AUDIT_PORT_CLOSED, port);

  usr = user[i];
  len = 224 - strlen(usr);

  req = raw_string(0x00, 0x00, 0x01, 0x28, 0x00, 0x02,
                   0x00, 0x00, 0x74, 0x65, 0x6D, 0x70,
                   0x6C, 0x61, 0x74, 0x65, 0x31) +
        crap(data:zero, length:55) +
        usr +
        crap(data:zero, length:len);

  send(socket:soc, data:req);

  r = recv(socket:soc, length:5);
  r2 = recv(socket:soc, length:1024);
  if((r[0]=="R") && (strlen(r2) == 10))
  {
    dbs = "";
    req = raw_string(0x51) + "select * from pg_database;" + raw_string(0x00);
    send(socket:soc, data:req);

    r = recv(socket:soc, length:65535);
    #display(r);
    close(soc);
    skip = 87;
    ok = 1;
    while(ok)
    {
      db = "";
      len = ord(r[skip]);
      len_r = strlen(r);
      lenskip = len + skip;
      if(lenskip > len_r)ok = 0;
      else
      {
        len = ord(r[skip]) - 4;
        for(i=0;i<len;i=i+1) db = db + r[skip+i+1];
        dbs = dbs + ". " + db + string("\n");
        skip = skip + len + 21 + len;
        if(skip > strlen(r))ok=0;
      }
    }

    report = string(
      "\n",
      "Nessus was able to log in as the user '", usr, "'.\n",
      "\n",
      "Here is the list of the databases on the remote host :\n",
      "\n",
      dbs, "\n"
    );
    security_hole(port:port, extra:report);
    set_kb_item(name: 'postgresql/no_pass/'+port, value: TRUE);
    exit(0);
  }
  close(soc);
}
```

NASL family | Misc. |
NASL id | DDI_LANROVER_BLANK_PASSWORD.NASL |
description | The Shiva LanRover has no password set for the root user account. An attacker is able to telnet to this system and gain access to any phone lines attached to this device. Additionally, the LanRover can be used as a relay point for further attacks via the telnet and rlogin functionality available from the administration shell. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 10998 |
published | 2002-06-05 |
reporter | This script is Copyright (C) 2002-2018 Digital Defense Incorporated |
source | https://www.tenable.com/plugins/nessus/10998 |
title | Shiva LanRover Blank Password |
code |

```
#
# This script was written by H D Moore <[email protected]>
#
# See the Nessus Scripts License for details
#

include("compat.inc");

if(description)
{
  script_id(10998);
  script_version ("1.11");
  script_cvs_date("Date: 2018/08/09 17:06:37");

  script_cve_id("CVE-1999-0508");

  script_name(english:"Shiva LanRover Blank Password");
  script_summary(english:"Checks for a blank password for the root account");

  script_set_attribute(attribute:"synopsis", value:
"The remote network device does not use an administrative password.");
  script_set_attribute(attribute:"description", value:
"The Shiva LanRover has no password set for the root user account. An attacker is able to telnet to this system and gain access to any phone lines attached to this device. Additionally, the LanRover can be used as a relay point for further attacks via the telnet and rlogin functionality available from the administration shell.");
  script_set_attribute(attribute:"solution", value:
"Telnet to this device and change the password for the root account via the passwd command. 
Please ensure any other accounts have strong passwords set.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SNMP Community Scanner');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value: "2002/06/05");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2002-2018 Digital Defense Incorporated");
  script_family(english:"Misc.");
  script_dependencie("find_service1.nasl");
  script_require_ports("Services/telnet", 23);
  exit(0);
}

include('telnet_func.inc');

port = 23;
if(!get_port_state(port))exit(0);

# Only continue when the telnet banner shows the LanRover "@ Userid:" prompt
banner = get_telnet_banner(port:port);
if ( ! banner || "@ Userid:" >!< banner ) exit(0);

soc = open_sock_tcp(port);
if(soc)
{
  r = telnet_negotiate(socket:soc);

  if("@ Userid:" >< r)
  {
    # Submit the root user name, then an empty password
    send(socket:soc, data:string("root\r\n"));
    r = recv(socket:soc, length:4096);

    if("Password?" >< r)
    {
      send(socket:soc, data:string("\r\n"));
      r = recv(socket:soc, length:4096);

      if ("Shiva LanRover" >< r)
      {
        security_hole(port:port);
      }
    }
  }
  close(soc);
}
```

NASL family | Web Servers |
NASL id | MIKROTIK_BLANK_PASSWORD_WWW.NASL |
description | The remote host is running MikroTik RouterOS without a password for its |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 39420 |
published | 2009-06-17 |
reporter | This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/39420 |
title | MikroTik RouterOS with Blank Password (HTTP) |

NASL family | CISCO |
NASL id | CISCO_DEFAULT_PW.NASL |
description | The remote Cisco router has a default password set. A remote, unauthenticated attacker can exploit this to gain administrative access. |
last seen | 2020-04-30 |
modified | 2006-12-23 |
plugin id | 23938 |
published | 2006-12-23 |
reporter | This script is Copyright (C) 2006-2020 Javier Fernandez-Sanguino and Renaud Deraison |
source | https://www.tenable.com/plugins/nessus/23938 |
title | Cisco Device Default Password |

NASL family | CGI abuses |
NASL id | DDI_UNPROTECTED_SITESCOPE.NASL |
description | The remote SiteScope web service has no password set. An attacker who can connect to this server can view usernames and passwords stored in the preferences section or reconfigure the service. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 10778 |
published | 2001-09-28 |
reporter | This script is Copyright (C) 2001-2018 Digital Defense Inc. |
source | https://www.tenable.com/plugins/nessus/10778 |
title | SiteScope Web Service Unpassworded Access |

NASL family | Misc. |
NASL id | PASSWORDLESS_CAYMAN_ROUTER.NASL |
description | The remote router has no password. An intruder may connect to it and disable it easily. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 10345 |
published | 2000-03-12 |
reporter | This script is Copyright (C) 2000-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/10345 |
title | Cayman DSL Router Unauthenticated Access |

NASL family | Web Servers |
NASL id | DDI_ENHYDRA_DEFAULT.NASL |
description | This system appears to be running the Enhydra application server configured with the default administrator password of |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 11202 |
published | 2003-01-22 |
reporter | This script is Copyright (C) 2003-2018 Digital Defense Inc. |
source | https://www.tenable.com/plugins/nessus/11202 |
title | Enhydra Multiserver Default Password |

NASL family | Web Servers |
NASL id | ALLIED_TELESYN_WEB.NASL |
description | The Allied Telesyn Router/Switch has the default password set. The attacker could use this default password to gain remote access to your switch or router. This password could also be potentially used to gain other sensitive information about your network from the device. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 18413 |
published | 2005-06-03 |
reporter | This script is Copyright (C) 2005-2012 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/18413 |
title | Allied Telesyn Router/Switch Web Interface Default Password |

NASL family | CISCO |
NASL id | DDI_LINKSYS_ROUTER_DEFAULT_PASSWORD.NASL |
description | The remote Linksys router accepts the default password |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 10999 |
published | 2002-06-05 |
reporter | This script is Copyright (C) 2002-2013 Digital Defense Inc. |
source | https://www.tenable.com/plugins/nessus/10999 |
title | Linksys Router Default Password |

NASL family | CISCO |
NASL id | CISCO_NO_PW.NASL |
description | The remote host appears to be a Cisco router or switch with no password set. This can allow a remote attacker to login to the device and take control of it. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 10754 |
published | 2001-09-07 |
reporter | This script is Copyright (C) 2001-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/10754 |
title | Cisco Multiple Devices Unpassworded Account |

NASL family | Misc. |
NASL id | DDI_MOTOROLA_VANGUARD_NO_PASS.NASL |
description | This device is a Motorola Vanguard router and has no password set. An attacker can reconfigure this device without providing any authentication. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 11203 |
published | 2003-01-22 |
reporter | This script is Copyright (C) 2003-2012 Digital Defense |
source | https://www.tenable.com/plugins/nessus/11203 |
title | Motorola Vanguard with No Password (telnet check) |

NASL family | CGI abuses |
NASL id | DDI_JAVASERVER_DEFAULT.NASL |
description | The remote host is running the Sun JavaServer. This server has the default username and password of admin. An attacker can use this to gain complete control over the web server configuration and possibly execute commands. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 10995 |
published | 2002-06-05 |
reporter | This script is Copyright (C) 2002-2018 Digital Defense Inc. |
source | https://www.tenable.com/plugins/nessus/10995 |
title | Sun JavaServer Default Admin Password |

NASL family | Windows |
NASL id | DDI_UNPROTECTED_PCANYWHERE.NASL |
description | The pcAnywhere service does not require a password to access the desktop of this system. If this machine is running Windows 95, 98, or ME, gaining full control of the machine is trivial. If this system is running NT or 2000 and is currently logged out, an attacker can still spy on and hijack a legitimate user |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 10798 |
published | 2001-11-07 |
reporter | This script is Copyright (C) 2002-2012 Digital Defense Incorporated |
source | https://www.tenable.com/plugins/nessus/10798 |
title | Symantec pcAnywhere Service Unrestricted Access |

NASL family | Misc. |
NASL id | SHIVA_DEFAULT_PASS.NASL |
description | The remote Shiva router uses the default password. This means that anyone who has (downloaded) a user manual can telnet to it and reconfigure it to lock you out of it, and to prevent you to use your internet connection. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 10500 |
published | 2000-08-31 |
reporter | This script is Copyright (C) 2000-2018 Stefaan Van Dooren |
source | https://www.tenable.com/plugins/nessus/10500 |
title | Shiva Integrator Default Password |

NASL family | Misc. |
NASL id | ACCELAR_1200.NASL |
description | The remote device appears to be a Bay Networks Accelar 1200 Switch that can be accessed using default credentials. An attacker could leverage this issue to gain administrative access to the affected device. This password could also be potentially used to gain other sensitive information about the network from the device. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 18415 |
published | 2005-06-03 |
reporter | This script is Copyright (C) 2005-2015 Charles Thier |
source | https://www.tenable.com/plugins/nessus/18415 |
title | Bay Networks Accelar 1200 Switch Default Password (password) for 'usrname' Account |

NASL family | Misc. |
NASL id | ALLIED_TELESYN_TELNET.NASL |
description | The remote device appears to be an Allied Telesyn router or switch that can be accessed using default credentials. An attacker could leverage this issue to gain administrative access to the affected device. This password could also be potentially used to gain other sensitive information about the network from the device. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 18414 |
published | 2005-06-03 |
reporter | This script is Copyright (C) 2005-2015 Charles Thier |
source | https://www.tenable.com/plugins/nessus/18414 |
title | Allied Telesyn Router/Switch Default Password |

NASL family | CGI abuses |
NASL id | OPENWRT_BLANK_TELNET_PASSWORD.NASL |
description | The remote host is running OpenWrt, an open source Linux distribution for embedded devices, especially routers. It is currently configured without a password, which is the case by default. Anyone can connect to the device via Telnet and gain administrative access to it. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 40354 |
published | 2009-07-23 |
reporter | This script is Copyright (C) 2009-2017 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/40354 |
title | OpenWrt Router with a Blank Password (telnet check) |

NASL family | CGI abuses |
NASL id | DDI_WHATSUP_DEFAULT.NASL |
description | This WhatsUp Gold server still has the default password for the admin user account. An attacker can use this account to probe other systems on the network and obtain sensitive information about the monitored systems. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 11004 |
published | 2002-06-05 |
reporter | This script is Copyright (C) 2002-2018 Digital Defense Inc. |
source | https://www.tenable.com/plugins/nessus/11004 |
title | Ipswitch WhatsUp Gold Default Admin Account |

NASL family | Web Servers |
NASL id | DDI_TOMCAT_DEFAULT_ACCOUNTS.NASL |
description | This host appears to be the running the Apache Tomcat Servlet engine with the default accounts still configured. A potential intruder could reconfigure this service in a way that grants system access. |
last seen | 2020-03-26 |
modified | 2003-01-22 |
plugin id | 11204 |
published | 2003-01-22 |
reporter | This script is Copyright (C) 2003-2020 Digital Defense Inc. |
source | https://www.tenable.com/plugins/nessus/11204 |
title | Apache Tomcat Default Accounts |

NASL family | Misc. |
NASL id | AVAYA_SWITCHES.NASL |
description | The remote host appears to be an Avaya P330 Stackable Switch with its default password set. An attacker could use this default password to gain remote access to the affected switch. This password could also be potentially used to gain other sensitive information about the remote network from the switch. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 17638 |
published | 2005-03-28 |
reporter | This script is Copyright (C) 2005-2012 Charles Thier |
source | https://www.tenable.com/plugins/nessus/17638 |
title | Avaya P330 Stackable Switch Default Password |

NASL family | Misc. |
NASL id | 3COM_SWITCHES.NASL |
description | The 3Com Superstack 3 switch has the default passwords set. The attacker could use these default passwords to gain remote access to your switch and then reconfigure the switch. These passwords could also be potentially used to gain sensitive information about your network from the switch. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 10747 |
published | 2001-08-29 |
reporter | This script is Copyright (C) 2001-2018 Patrik Karlsson |
source | https://www.tenable.com/plugins/nessus/10747 |
title | 3Com Superstack 3 Switch Multiple Default Accounts |

NASL family | Misc. |
NASL id | MIKROTIK_BLANK_PASSWORD.NASL |
description | The remote host is running MikroTik RouterOS without a password for its |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 30213 |
published | 2008-02-11 |
reporter | This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/30213 |
title | MikroTik RouterOS with Blank Password (telnet check) |

NASL family | Misc. |
NASL id | NORTEL_PASSPORT_DEFAULT_PASS.NASL |
description | The remote switch/routers uses the default password. This means that anyone who has (downloaded) a user manual can telnet to it and gain administrative access. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 10989 |
published | 2002-06-05 |
reporter | This script is Copyright (C) 2002-2018 Rui Bernardino |
source | https://www.tenable.com/plugins/nessus/10989 |
title | Nortel/Bay Networks Default Password |

NASL family | Misc. |
NASL id | DDI_AIRCONNECT_DEFAULT_PASSWORD.NASL |
description | This AirConnect wireless access point still has the default password set for the web interface. This could be abused by an attacker to gain full control over the wireless network settings. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 10961 |
published | 2002-05-22 |
reporter | This script is Copyright (C) 2002-2018 Digital Defense Inc. |
source | https://www.tenable.com/plugins/nessus/10961 |
title | AirConnect Default Password |

NASL family | Misc. |
NASL id | DDI_F5_DEFAULT_SUPPORT.NASL |
description | The remote F5 Networks device has the default password set for the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 10820 |
published | 2001-12-06 |
reporter | This script is Copyright (C) 2001-2014 Digital Defense Inc. |
source | https://www.tenable.com/plugins/nessus/10820 |
title | F5 Device Default Support Password |