
CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
network
low complexity
broadcom
ca
critical
nessus

Summary

Computer Associates ARCserve for NT 6.61 SP2a and ARCserve 2000 7.0 stores the backup agent user name and password in cleartext in the aremote.dmp file in the ARCSERVE$ hidden share, which allows local and remote attackers to gain privileges.

Vulnerable Configurations

Part | Description | Count
Application | Broadcom | 2
Application | Ca | 1

Nessus

NASL family: Windows
NASL id: ARCSERVE_HIDDEN_SHARE.NASL
description: The remote host has an accessible ARCSERVE$ share. Several versions of ARCserve store the backup agent username and password in a plaintext file on this share. An attacker may use this flaw to obtain the password file of the remote backup agent, and use it to gain privileges on this host.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11105
published: 2002-08-22
reporter: This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11105
title: CA BrightStor ARCserve Backup Agent Credential Disclosure
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

# Registration block: when the scanner loads the plugin with `description`
# set, only the metadata below is recorded and the script exits before any
# network activity takes place.
if (description)
{
 # Plugin identity and the advisory identifiers this check maps to.
 script_id(11105);
 script_version("1.25");
 script_cvs_date("Date: 2018/11/15 20:50:26");
 script_cve_id("CVE-2001-0960");
 script_bugtraq_id(3343);

 script_name(english:"CA BrightStor ARCserve Backup Agent Credential Disclosure");
 script_summary(english:"Connects to ARCSERVE$");

 # Text shown to the analyst in the scan report.
 script_set_attribute(attribute:"synopsis", value:"Backup share can be accessed without authentication.");
 script_set_attribute(attribute:"description", value:
"The remote host has an accessible ARCSERVE$ share.

Several versions of ARCserve store the backup agent username and
password in a plaintext file on this share.

An attacker may use this flaw to obtain the password file of the
remote backup agent, and use it to gain privileges on this host.");
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2001/Sep/171");
 # The solution text covers the share ACL only. Because the description
 # states that agent credentials sit in plaintext on the share, changing the
 # backup agent account's password after any exposure is a sensible follow-up.
 script_set_attribute(attribute:"solution", value:
"Limit access to this share to the backup account and domain
administrator.");
 # CVSS v2 scoring: network-reachable, low complexity, no authentication,
 # complete impact on confidentiality, integrity and availability.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 # NOTE(review): vuln_publication_date (2004/04/09) is later than both
 # plugin_publication_date (2002/08/22) and the 2001 Bugtraq post referenced
 # in see_also; one of these dates looks wrong - confirm against the advisory.
 script_set_attribute(attribute:"vuln_publication_date", value:"2004/04/09");
 script_set_attribute(attribute:"plugin_publication_date", value:"2002/08/22");

# NOTE(review): the check itself connects to the share over SMB with NULL
# credentials; confirm that "local" is the intended plugin_type.
script_set_attribute(attribute:"plugin_type", value:"local");
script_end_attributes();


 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows");
 # Scheduling prerequisites: the listed scripts run first and the listed KB
 # keys and ports must be present for this plugin to be launched.
 # NOTE(review): SMB/login and SMB/password are required here although the
 # check passes NULL credentials to NetUseAdd; confirm whether this keeps the
 # plugin from running on scans that have no SMB credentials configured.
 script_dependencies("netbios_name_get.nasl",
 		     "smb_login.nasl");
 script_require_keys("SMB/name", "SMB/login", "SMB/password", "SMB/transport");
 script_require_ports(139, 445);
 exit(0);
}

include ("smb_func.inc");
include("audit.inc");

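# Active check: try to map the ARCSERVE$ share without supplying credentials
# and report the host when the share's root directory can be opened for
# reading.

# SMB transport port taken from the KB; fall back to 139 when none is stored.
port = kb_smb_transport();
if (!port) port = 139;

# No NetBIOS name in the KB means there is nothing to test.
name = kb_smb_name();
if (!name) exit(0);

if (!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');

# login, password and domain are all NULL, so the connection attempt carries
# no credentials; success here is what the synopsis calls access "without
# authentication".
r = NetUseAdd(login:NULL, password:NULL, domain:NULL, share:"ARCSERVE$");
if (r != 1)
{
 # Release the SMB session before exiting so the failure path does not
 # leave it open.
 NetUseDel();
 exit(1);
}

# Open the share's root directory in read mode.
# Detection caveat: only the directory open is tested. The script does not
# look for the credential file, so a finding means the share is exposed, not
# that stored credentials were confirmed present. Triage should verify the
# share contents and ACL on the host itself.
handle = CreateFile(file:"", desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_DIRECTORY,
                    share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
if (!isnull(handle))
{
 CloseFile(handle:handle);
 security_hole(port);
}

NetUseDel();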