CVE-2004-0951 - Unspecified vulnerability in HP Ignite-Ux C.6.2.241

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Summary

The make_recovery command for the TFTP server in HP Ignite-UX before C.6.2.241 makes a copy of the password file in the TFTP directory tree, which allows remote attackers to obtain sensitive information.

Vulnerable Configurations

| Part | Description | Count |
|---|---|---|
| Application | Hp | 1 |

Nessus

NASL family: Misc.
NASL id: TFTP_FILES_HP_IGNITE_UX_PASSWD.NASL
description: The remote host has a vulnerable version of the HP Ignite-UX application installed that exposes the /etc/passwd file to anonymous TFTP access. A remote attacker could use this information to mount further attacks.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 19509
published: 2005-08-26
reporter: This NASL script is Copyright (C) 2005-2018 Corsaire Limited.
source: https://www.tenable.com/plugins/nessus/19509
title: HP Ignite-UX TFTP /etc/pass File Disclosure
code:
#
# This NASL script was written by Martin O'Neal of Corsaire (http://www.corsaire.com)
# 
# The script will test whether the remote host has one of a number of sensitive  
# files present on the tftp server
#
# DISCLAIMER
# The information contained within this script is supplied "as-is" with 
# no warranties or guarantees of fitness of use or otherwise. Corsaire 
# accepts no responsibility for any damage caused by the use or misuse of 
# this information.
# 

# Changes by Tenable:
# - Revised plugin title, output formatting, family change (8/22/09)

include("compat.inc");

if(description)
{
  script_id(19509);
  script_version ("1.15");
  script_cve_id("CVE-2004-0951");
  script_bugtraq_id(14568);

  script_name(english:"HP Ignite-UX TFTP /etc/pass File Disclosure");
  script_set_attribute(
    attribute:"synopsis",
    value:"The remote TFTP daemon has an information disclosure vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host has a vulnerable version of the HP Ignite-UX
application installed that exposes the /etc/passwd file to anonymous
TFTP access.  A remote attacker could use this information to mount
further attacks."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://research.corsaire.com/advisories/c041123-001.txt"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Apply the appropriate vendor patch."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"plugin_publication_date", value: "2005/08/26");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/08/16");
  script_cvs_date("Date: 2018/08/22 16:49:14");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_summary(english:"Determines if the remote host has sensitive files exposed via TFTP (HP Ignite-UX passwd)");
  script_category(ACT_ATTACK);
  script_copyright(english:"This NASL script is Copyright (C) 2005-2018 Corsaire Limited.");
  script_family(english:"Misc.");
  script_dependencies("tftpd_backdoor.nasl");
  script_require_keys("Services/udp/tftp");
  script_exclude_keys('tftp/backdoor'); # Not wise but quicker
  exit(0);
}

include("data_protection.inc");

############## declarations ################

port = get_kb_item('Services/udp/tftp');
if ( ! port ) exit(0);
if ( get_kb_item("tftp/" + port + "/backdoor") ) exit(0);

############## script ################

include("tftp.inc");
include("dump.inc");

# initialise test
file_name='/var/opt/ignite/recovery/passwd.makrec';
data = tftp_get(port:port,path:file_name);
data = data_protection::redact_etc_passwd(output:data);
tftp_ms_backdoor(port: port, data: data, file: file_name);
if (data)
 security_warning(port:port,proto:"udp", 
               extra: '\nFile content :\n'+hexdump(ddata: data)+'\n');