Vulnerabilities > CVE-1999-0519 - Unspecified vulnerability in Microsoft products
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Summary
A NETBIOS/SMB share password is the default, null, or missing.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
OS | | 3 |
Nessus
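# Listing metadata shown on the page for this plugin:
#   NASL family: Windows
#   NASL id: SMB_NULL_SESSION.NASL
#   description: The remote host is running Microsoft Windows. It is possible to log into it using a NULL session (i.e., with no login or password). Depending on the configuration, it may be possible for an unauthenticated, remote attacker to leverage this issue to get information about the remote host.
#   last seen: 2020-03-18
#   modified: 2007-10-04
#   plugin id: 26920
#   published: 2007-10-04
#   reporter: This script is Copyright (C) 2007-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
#   source: https://www.tenable.com/plugins/nessus/26920
#   title: Microsoft Windows SMB NULL Session Authentication
#
# code:
#
# (C) Tenable Network Security, Inc.
#
# Purpose: checks whether the remote Windows host accepts an SMB NULL session
# (empty login, password and domain) on IPC$ and, if so, whether a named pipe
# can be bound over that anonymous session.
#
# What is actually reported: a finding is raised only when BOTH the anonymous
# IPC$ connection succeeds AND the bind to the \browser pipe returns a handle.
# A host that accepts the NULL session but refuses the pipe bind produces no
# output from this script.
#
# Defender note: a NULL session typically shows up in the Windows Security log
# as a network logon (event 4624, logon type 3) by ANONYMOUS LOGON; that is a
# useful cross-check when validating the registry changes named in the
# "solution" attribute below.

include('compat.inc');

# Registration block: executed when the scanner loads plugin metadata.
if (description)
{
  script_id(26920);
  script_version("1.34");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/11");

  script_cve_id("CVE-1999-0519", "CVE-1999-0520", "CVE-2002-1117");
  script_bugtraq_id(494);

  script_name(english:"Microsoft Windows SMB NULL Session Authentication");
  script_summary(english:"Attempts to log into the remote host using a NULL session");

  script_set_attribute(attribute:"synopsis", value:"It is possible to log into the remote Windows host with a NULL session.");
  script_set_attribute(attribute:"description", value:"The remote host is running Microsoft Windows. It is possible to log into it using a NULL session (i.e., with no login or password). 
Depending on the configuration, it may be possible for an unauthenticated, remote attacker to leverage this issue to get information about the remote host.");

  # The comment above each see_also is the full URL behind the shortened link.
  # https://support.microsoft.com/en-us/help/143474/restricting-information-available-to-anonymous-logon-users
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5c2589f6");
  # https://support.microsoft.com/en-us/help/246261
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?899b4072");
  # http://technet.microsoft.com/en-us/library/cc785969(WS.10).aspx
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a33fe205");

  script_set_attribute(attribute:"solution", value: "Apply the following registry changes per the referenced Technet advisories : Set : - HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous=1 - HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\restrictnullsessaccess=1 Reboot once the registry changes are complete.");

  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  # NOTE(review): the listing as published named "CVE-2019-0519" here, an id that
  # does not appear in script_cve_id() above; the CVSS vectors belong to the
  # 1999 entry this page describes, so the source id is set to CVE-1999-0519.
  # Confirm against the upstream plugin.
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-1999-0519");

  script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/04");
  script_set_attribute(attribute:"vuln_publication_date", value:"1999/07/14");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2007-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.");

  # Only runs after smb_login.nasl and only when that run left the
  # SMB/null_session_enabled key in the knowledge base.
  script_dependencies("smb_login.nasl");
  script_require_keys("SMB/null_session_enabled");
  script_require_ports(139, 445);
  exit(0);
}

include("smb_func.inc");
include("misc_func.inc");

# Stop here unless an earlier plugin recorded that NULL sessions are enabled.
get_kb_item_or_exit("SMB/null_session_enabled");

port = kb_smb_transport();

# we need the netbios name of the host
name = kb_smb_name();
if(!name)exit(0);

soc = open_sock_tcp(port);
if(!soc)exit(0);

session_init (socket:soc,hostname:name);

# Anonymous connection attempt: every credential field is the empty string.
ret = NetUseAdd (login:"", password:"", domain:"", share:"IPC$");
if (ret != 1)
{
  # NULL session refused: release the socket and report nothing.
  close(soc);
  exit(0);
}

# Try to bind a pipe over the anonymous session; a non-null handle is what
# triggers the report.
# NOTE(review): the uuid is presumably the RPC interface served on \browser -
# confirm against smb_func.inc callers.
fid = bind_pipe (pipe:"\browser", uuid:"6bffd098-a112-3610-9833-012892020162", vers:0);
if (!isnull(fid))
  security_hole(port:port, extra:"It was possible to bind to the \browser pipe");

# Tear down the IPC$ connection on the success path.
# NOTE(review): soc is not closed explicitly here; presumably NetUseDel()
# releases it - confirm in smb_func.inc.
NetUseDel ();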
# Listing metadata shown on the page for this plugin:
#   NASL family: Windows
#   NASL id: SMB_ACCESSIBLE_SHARES_UNPRIV.NASL
#   description: The remote has one or more Windows shares that can be accessed through the network with the given credentials. Depending on the share rights, it may allow an attacker to read/write confidential data.
#   last seen: 2020-06-01
#   modified: 2020-06-02
#   plugin id: 42411
#   published: 2009-11-06
#   reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
#   source: https://www.tenable.com/plugins/nessus/42411
#   title: Microsoft Windows SMB Shares Unprivileged Access
#
# code:
#
# (C) Tenable Network Security, Inc.
#
# Purpose: republishes a share-access report that an earlier plugin stored in
# the knowledge base. This script performs no SMB traffic of its own; it reads
# two KB entries and, when both are present, raises a finding whose text is the
# stored report.
#
# NOTE(review): the "solution" text covers share permissions only. Access over
# the network is presumably also bounded by the file-system ACLs on the shared
# folder, so remediation should review both - confirm per host.

include("compat.inc");

# Registration block: metadata only, then exit.
if (description)
{
  script_id(42411);
  script_version ("1.8");

  script_cve_id("CVE-1999-0519", "CVE-1999-0520");
  script_bugtraq_id(8026);

  script_name(english:"Microsoft Windows SMB Shares Unprivileged Access");
  script_summary(english:"Reports up to 100 remote accessible shares");

  script_set_attribute(
    attribute:"synopsis",
    value: "It is possible to access a network share."
  );
  script_set_attribute(
    attribute:"description",
    value: "The remote has one or more Windows shares that can be accessed through the network with the given credentials. Depending on the share rights, it may allow an attacker to read/write confidential data."
  );
  script_set_attribute(
    attribute:"solution",
    value: "To restrict access under Windows, open Explorer, do a right click on each share, go to the 'sharing' tab, and click on 'permissions'."
  );

  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_publication_date", value:"2009/11/06");
  script_set_attribute(attribute:"vuln_publication_date", value: "1999/07/14");
  script_cvs_date("Date: 2018/07/27 18:38:15");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
  script_family(english:"Windows");

  # Both KB keys are required before the scanner schedules this script.
  # NOTE(review): they are presumably written by the smb_accessible_shares.nasl
  # dependency - confirm there.
  script_dependencies("smb_accessible_shares.nasl");
  script_require_keys("/tmp/10396/report", "/tmp/10396/port");
  exit(0);
}

# Fetch the stored report text first, then the port it was recorded for.
share_report = get_kb_item("/tmp/10396/report");
smb_port = get_kb_item("/tmp/10396/port");

# Nothing to publish unless both entries are present.
if (!smb_port || !share_report) exit(0);

security_hole(port: smb_port, extra: share_report);