SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Security)  >   NessusWX
Vendors:   Kirhenshtein, Victor
NessusWX Discloses Remote Account Passwords to Local Users
SecurityTracker Alert ID:  1009577
SecurityTracker URL:  http://securitytracker.com/id/1009577
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 29 2004
Impact:   Disclosure of authentication information
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 1.4.4 and possibly earlier versions
Description:   An access control vulnerability was reported in NessusWX. A local user can obtain passwords used by the Nessus scanner in conducting network scans.

It is reported that the software stores usernames and passwords in plaintext in files on the target system. The information includes passwords for FTP, IMAP, POP2, POP3, NNTP, SNMP, and SMB (Windows NT Domain) accounts, the report said. The software reportedly stores this information in a preferences configuration file in the 'NessusDB' directory.

The vendor was reportedly notified on December 4, 2003.

Impact:   A local user can obtain passwords for accounts to be scanned by NessusWX.
Solution:   No solution was available at the time of this entry. The vendor is reportedly working on a fix.
Vendor URL:  nessuswx.nessus.org/
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] NessusWX stores credentials in plain text


Software Vendor: NessusWX (nessuswx.nessus.org)
Software Package: NessusWX
Versions Affected: 1.4.4 and possibly earlier versions
Synopsis: Username and password for various accounts stored in unencrypted plain text

Issue Date: Feb 22, 2004

Vendor Response: Vendor notified December 4, 2003
   Vendor claiming to be working on issue

================================================================================

1. Summary

NessusWX is a GPL Windows client for the open source Nessus Vulnerability scanner.
NessusWX stores the credentials of various types of accounts in unencrypted plain
text in a configuration file.

2. Problem Description

The user saves specific scan configuration settings in sessions created within NessusWX.  For every session a directory is created named the same as the session name with a .session appended to it.  For instance in the case of a session named MySession, the default location for the session configuration files would be in the directory C:\NessusDB\MySession.session.  Every session can save unique Nessus plugin configuration settings.  Among these are username/password settings for various types of accounts.  These options are accessed by selecting a session, and then in the main menu under "Session" selecting the "Properties" submenu.  This will display a multi-tabbed dialog.  Select the "Plugins" tab and then click on the "Configure Plugins" button.  A listbox will be displayed and near the bottom of the list there will be an item named "Login Configurations".  When the user saves this logon information, both the usernames and passwords are saved in plaintext in the above specified path in a file named preferences.  Further, after this information is saved to the file, if the user goes back and removes this information using the GUI, the user interface indicates that the information has been removed but this is misleading because it is still retained in the configuration file.  This behavior is somewhat inconsistent.  Sometimes the entire username/password data is retained in the file and sometimes the first character of each is removed.  When setting these parameters, the user is also not informed of this sensitive information being stored insecurely.  This potentially affects the following types of accounts:

FTP
IMAP
POP2
POP3
NNTP
SNMP
SMB (Windows NT Domain)

3. Solution

None at this time.  The vendor agreed to fix the problem by allowing the user to password protect the data and also have the data removed properly.  It has been over 60 days and the patch has not been made available.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
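
An audit sketch for the storage layout described in the message above, added here as an example; it is not part of the advisory or of NessusWX. It walks a NessusDB root, opens the `preferences` file in each `<name>.session` directory, and reports credential-looking entries that still hold a value, including remnants left after removal in the GUI, without ever printing the value. The `key = value` line layout is an assumption (the advisory does not show the file's format), as is the helper name `audit_nessusdb`.

```python
import re
import sys
from pathlib import Path

# Account types listed in the advisory.
PROTOCOLS = ("FTP", "IMAP", "POP2", "POP3", "NNTP", "SNMP", "SMB")
# Assumption: entries are "key = value" lines; the advisory does not
# show the real layout of the preferences file.
ENTRY = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<value>.*)$")
PROTO = re.compile(r"\b(" + "|".join(PROTOCOLS) + r")\b", re.I)
HINTS = re.compile(r"account|login|user|password|community|domain", re.I)


def audit_nessusdb(root):
    """Return findings for every <name>.session/preferences under root.

    Each finding is (session, line_number, key, value_length); the stored
    value itself is never returned, so the report is safe to share.
    """
    findings = []
    for prefs in sorted(Path(root).glob("*.session/preferences")):
        session = prefs.parent.name[: -len(".session")]
        text = prefs.read_text(encoding="cp1252", errors="replace")
        for number, line in enumerate(text.splitlines(), start=1):
            match = ENTRY.match(line.strip())
            if not match:
                continue
            key = match.group("key")
            value = match.group("value").strip()
            # A non-empty value on a credential-looking key is a finding,
            # whether it is a full credential or a truncated remnant.
            if value and PROTO.search(key) and HINTS.search(key):
                findings.append((session, number, key, len(value)))
    return findings


if __name__ == "__main__":
    # Default root is the location named in the advisory.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\NessusDB"
    for session, number, key, length in audit_nessusdb(root):
        print(f"{session}: line {number}: {key} = <{length} chars redacted>")
```

Sessions it flags are candidates for deleting the `preferences` file outright and rotating the listed accounts, since removal through the GUI is reported not to clear the stored data.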

 
 

