Vulnerabilities > CVE-2000-0938 - Unspecified vulnerability in Samba 2.0.7

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
samba
nessus
NVD
Published: 2000-12-19
Updated: 2017-10-10

Summary

Samba Web Administration Tool (SWAT) in Samba 2.0.7 supplies a different error message when a valid username is provided versus an invalid name, which allows remote attackers to identify valid users on the server.

Vulnerable Configurations

Part Description Count
Application
Samba
1

Nessus

NASL familyCGI abuses
NASL idSWAT_GUESSABLE_USERNAMES.NASL
descriptionThe remote SWAT server replies with different error codes when it is issued a bad user name or a bad password. An attacker may use this flaw to obtain the list of user names of the remote host by a brute-force attack. As SWAT does not log login attempts, an attacker may use this flaw even more effectively.
last seen2020-06-01
modified2020-06-02
plugin id10590
published2001-01-08
reporterThis script is Copyright (C) 2000-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/10590
titleSamba Web Administration Tool (SWAT) Error Message Username Enumeration
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(10590);
  script_version("1.23");
  script_cvs_date("Date: 2018/11/15 20:50:19");

  script_cve_id("CVE-2000-0938");

  script_name(english:"Samba Web Administration Tool (SWAT) Error Message Username Enumeration");
  script_summary(english:"Detect SWAT server port");

  script_set_attribute(attribute:'synopsis', value:
'The remote service is vulnerable to information disclosure.');
  script_set_attribute(
    attribute:'description',
    value:
'The remote SWAT server replies with different error codes when it is
issued a bad user name or a bad password.

An attacker may use this flaw to obtain the list of user names of the
remote host by a brute-force attack.

As SWAT does not log login attempts, an attacker may use this flaw even
more effectively.'
  );
  script_set_attribute(attribute:'solution', value:'Upgrade to the latest Samba packages.');
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_attribute(attribute:'see_also', value:'https://seclists.org/bugtraq/2000/Oct/442');

  script_set_attribute(attribute:"vuln_publication_date", value:"2000/10/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2001/01/08");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:samba:samba");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.");
  script_family(english:"CGI abuses");

  script_dependencies("swat_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/swat");
  exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_kb_item("Services/swat");
if(!port) exit(0);

if (! get_port_state(port)) exit(0);

 soctcp901 = http_open_socket(port);

 if (soctcp901)
 {
  #
  # First attempt - we try to log in as nosuchuser1234:nopass
  #
  w = http_send_recv3(method:"GET", item:"/", port:port,
    username: "nosuchuser1234", password: "nopass");
  if (isnull(w)) exit(1, "the web server did not answer");
  code1 = w[0];

  #
  # Second attempt - we try to log in as root:nopass
  #
  w = http_send_recv3(method:"GET", item:"/", port:port,
    username: "root", password: "nopass");
  if (isnull(w)) exit(1, "the web server did not answer");
  code2 = w[0];

  if(("401" >< code1)  &&
     ("401" >< code2))
     {
       if(code1 != code2)security_warning(port);
      }
 }

References