Vulnerabilities > CVE-2001-0960

047910
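CVSS 0.0 - NONE (apparently unscored in this feed, since every metric below is UNKNOWN; the Nessus plugin further down this page carries the CVSS2 base vector AV:N/AC:L/Au:N/C:C/I:C/A:C)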
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
ca
broadcom
nessus

Summary

Computer Associates ARCserve for NT 6.61 SP2a and ARCserve 2000 7.0 stores the backup agent user name and password in cleartext in the aremote.dmp file in the ARCSERVE$ hidden share, which allows local and remote attackers to gain privileges.

Vulnerable Configurations

Part Description Count
Application
Ca
1
Application
Broadcom
2

Nessus

NASL family: Windows
NASL id: ARCSERVE_HIDDEN_SHARE.NASL
description: The remote host has an accessible ARCSERVE$ share. Several versions of ARCserve store the backup agent username and password in a plaintext file on this share. An attacker may use this flaw to obtain the password file of the remote backup agent, and use it to gain privileges on this host.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11105
published: 2002-08-22
reporter: This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11105
title: CA BrightStor ARCserve Backup Agent Credential Disclosure
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

# Registration block: when `description` is set, the script only declares its
# metadata (ids, references, report text, scoring, dependencies) and then
# exits via exit(0) without contacting the target.
if (description)
{
 # Plugin identity and the advisories it maps to (CVE-2001-0960, Bugtraq 3343).
 script_id(11105);
 script_version("1.25");
 script_cvs_date("Date: 2018/11/15 20:50:26");
 script_cve_id("CVE-2001-0960");
 script_bugtraq_id(3343);

 script_name(english:"CA BrightStor ARCserve Backup Agent Credential Disclosure");
 script_summary(english:"Connects to ARCSERVE$");

 # Report text shown to the operator. The wording describes an accessible
 # share; it does not claim that the credential file itself was read.
 script_set_attribute(attribute:"synopsis", value:"Backup share can be accessed without authentication.");
 script_set_attribute(attribute:"description", value:
"The remote host has an accessible ARCSERVE$ share.

Several versions of ARCserve store the backup agent username and
password in a plaintext file on this share.

An attacker may use this flaw to obtain the password file of the
remote backup agent, and use it to gain privileges on this host.");
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2001/Sep/171");
 # NOTE(review): restricting the share stops further exposure but does not
 # invalidate credentials that were already readable; the solution text does
 # not mention changing the backup agent password after an exposure.
 script_set_attribute(attribute:"solution", value:
"Limit access to this share to the backup account and domain
administrator.");
 # CVSS2 base: network reachable, low complexity, no authentication,
 # complete confidentiality/integrity/availability impact.
 # Temporal: unproven exploit, official fix, confirmed report.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 # NOTE(review): vuln_publication_date (2004/04/09) is later than both the
 # plugin_publication_date (2002/08/22) and the September 2001 Bugtraq post
 # linked in see_also -- looks inconsistent; confirm against the advisory.
 script_set_attribute(attribute:"vuln_publication_date", value:"2004/04/09");
 script_set_attribute(attribute:"plugin_publication_date", value:"2002/08/22");

# NOTE(review): plugin_type is "local" although the check in this file is made
# over SMB on ports 139/445 with no credentials -- confirm the intended value.
script_set_attribute(attribute:"plugin_type", value:"local");
script_end_attributes();


 # ACT_GATHER_INFO: declared as an information-gathering check.
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows");
 script_dependencies("netbios_name_get.nasl",
 		     "smb_login.nasl");
 # NOTE(review): SMB/login and SMB/password are required keys, yet the check
 # in this file passes NULL for login, password and domain. Presumably a host
 # where those keys are unset is skipped even though no credentials are
 # used -- confirm whether that gating is intended.
 script_require_keys("SMB/name", "SMB/login", "SMB/password", "SMB/transport");
 script_require_ports(139, 445);
 exit(0);
}

include ("smb_func.inc");
include("audit.inc");

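# Detection logic.
#
# What a finding means: the root of the ARCSERVE$ share could be opened for
# reading over an SMB session set up with NULL login, password and domain.
# The script never looks for or reads aremote.dmp, so a report says
# "the share is exposed without authentication", not "credentials were
# recovered". Triage should confirm the ARCserve version and whether the
# file is present.
#
# What a clean result does not mean: only the unauthenticated case is
# probed. A share that refuses the NULL session but is readable by
# low-privileged authenticated users is not reported by this check.

# SMB transport port recorded in the KB; fall back to NetBIOS session (139).
port = kb_smb_transport();
if (!port) port = 139;

# Without a NetBIOS name for the target there is nothing to connect to.
name = kb_smb_name();
if (!name) exit(0);

if (!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');

# Attach to the hidden share with no credentials at all.
r = NetUseAdd(login:NULL, password:NULL, domain:NULL, share:"ARCSERVE$");
if (r != 1)
{
 # The session opened by smb_session_init() is still live here; release it
 # before leaving, as the success path does.
 NetUseDel();
 exit(1);
}

# Open the share's root directory read-only. Success is the whole test:
# the handle is closed immediately and nothing on the share is read.
handle = CreateFile(file:"", desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_DIRECTORY,
                    share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);
if (!isnull(handle))
{
 CloseFile(handle:handle);
 security_hole(port);
}

NetUseDel();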