A remote code execution vulnerability exists in the Network News Transfer Protocol (NNTP) component of affected operating systems.An attacker who successfully exploits this vulnerability could take complete control of an affected system.Microsoft has released a patch to address this issue. Apply the patch from Microsoft Security Bulletin MS04-036 to fix this issue.200 NNTP Service 5.00.0984 Version: 5.0.2195.6702 Posting Allowed

Apache Web server includes a proxying module (mod_proxy) to provide a proxy/cache for FTP, HTTP, and SSL.

A remote buffer overflow vulnerability exists in Apache mod_proxy. The vulnerability occurs in the proxyutil.c source file. The source of the issue is that users can pass a negative value to be used as the length in a memory copy operation. Specifically, the length value is passed to the ap_bread() function, which results in a memcpy() with a negative length argument. This could permit a malicious user to corrupt process memory. This may triggered if a remote user specifies a negative Content-Length: HTTP header field to be passed through the proxy.

The successful exploitation of this vulnerability will likely result in a denial of service. There is also an unconfirmed potential for the execution of arbitrary code.

It has been conjectured that FreeBSD may permit exploitation since its memcpy() implementation will copy data backwards, potentially allowing for corruption of sensitive variables that affect execution flow of the program. Apache also calls signal handling routines when encountering a SEGV, which may provide an exploitation vector for this vulnerability.

Apache has fixed the security issue in the development tree, but they have not released a fixed version yet. Check Apache's Web site for updates.

Multiple other vendors have released patched versions of their own distributions of the software. This includes Mandrake, Debian, Gentoo, OpenPKG, OpenBSD, SGI, IBM, and HP. Check the individual distributions' Web sites for download information.

No results available

Successful TCP connections were established to firewalled/filtered ports using the CONNECT method allowed by the HTTP proxy server. These ports were otherwise inaccessible because direct TCP connection attempts to them failed.

Note that the service only tried to connect to the firewalled/filtered ports. No attempts were made to detect potential vulnerabilities that may exist on the daemons/services listening on these ports.

This vulnerability may be exploited to bypass the security rules set up on the firewall or filtering device to protect the internal network.Reconfigure your proxy server to disable the CONNECT method and/or restrict its access.

Port	Server Banner or Version
443

PCAnywhere seems to be installed on this computer. PCAnywhere is a complete administration tool, allowing remote administrators to control the computer as if they were physically logged on.With PCAnywhere installed, a malicious remote user could take complete control of the computer.

If you did not intentionally install PCAnywhere for remote maintenance reasons, then it should be removed.

If this application was intentionally installed and is currently in use, then we recommend that you follow all vendor suggested guidelines to make it safe. For more information, refer to the Addressing Security with pcAnywhere PDF document.

Detected service pcanywhere and os Windows 2000 Service Pack 4
Detected on TCP port 5631.

A null session connection to the IPC$ share was successful. NetBIOS access can be obtained with any authenticated account on this host. Therefore unauthorized users can steal the remote user list. This kind of attack is commonly exploited by users with weak passwords, such as the GUEST account.By exploiting this vulnerability, unauthorized users can launch brute force password attacks and other intrusive attacks based on collected information. Employee, customer, and partner information may be gathered. Spamming the user list is also possible.It is recommended that you disable null sessions. Read this Microsoft document called How to Use the RestrictAnonymous Registry Value for more information.

For Windows NT, setting this registry value limits only certain interfaces to this data. It is not possible to completely eliminate this vulnerability through a registry setting.

There is another interesting Microsoft document called Local Policies about Windows security policies settings for local policies.

Windows XP onwards Microsoft has added more granular control to the anonymous user access by adding couple of more DWORD registry values in the same key location as RestrictAnonymous, RestrictAnonymousSAM and EveryoneIncludesAnonymous. Set RestrictAnonymous = 1 to restrict share information access, RestrictAnonymousSAM = 1 to prevent enumeration of SAM accounts (User Accounts) and EveryoneIncludesAnonymous = 0 to prevent null-sessions from having any rights.

If possible, filter out Microsoft networking ports such as TCP ports 135, 137, 138, 139, and UDP ports 135, 137, 138.

Aministratt

TsInternetUser

IUSR_1

IWAM_1

1$

Successful TCP connections were established to open ports on the host using the CONNECT method allowed by the HTTP proxy server.This vulnerability may be exploited to connect to your internal network that is otherwise unaccssible.Reconfigure your proxy server to disable the CONNECT method or restrict its access.Based on server's reply:
HTTP/1.1 200 Connection established
Via: 1.1 server1,
we have used the proxy to successfully connect (CONNECT 127.0.0.1:<port>) to following ports:
443

Unauthorized users can modify all SNMP information because the access password is not secure.The system can be attacked in a number of ways--by route redirection, denial of service, complete loss of network service, reboots or crashes, and traffic monitoring.If SNMP access is not required on this system, then disallow it. Otherwise, use a secure un-guessable "community name", and restrict the hosts that talk SNMP with your system to a defined list of IP addresses.public

Anonymous users can obtain a full contact or user list using LDAP access.Unauthorized users can obtain a list of your commercial contacts, customers or users. With this information, an attacker might try to gain information about your network through social engineering, a method of interacting with people in order to trick them into disclosing sensitive information.

Please note that the results below represent only the first 5 entries that could be extracted from the server.

Restrict access to your LDAP server using an authentication policy.cn: Anonymous Logon
instanceType: 4
distinguishedName: CN=Anonymous Logon,CN=WellKnown Security Principals,CN=Conf
iguration,DC=domainserver,DC=dom
objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,DC=ah
bdomain,DC=dom
objectClass: top
objectClass: foreignSecurityPrincipal
objectGUID:: /EL+jwCYBUCcREB6xr9VVQ==
objectSid:: AQEAAAAAAAUHAAAA
name: Anonymous Logon
uSNChanged: 1304
uSNCreated: 1304
whenChanged: 20020117183856.0Z
whenCreated: 20020117183856.0Z

cn: Authenticated Users
instanceType: 4
distinguishedName: CN=Authenticated Users,CN=WellKnown Security Principals,CN=
Configuration,DC=domainserver,DC=dom
objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,DC=ah
bdomain,DC=dom
objectClass: top
objectClass: foreignSecurityPrincipal
objectGUID:: rUeav5hiDEOcIPrT1zf1ig==
objectSid:: AQEAAAAAAAULAAAA
name: Authenticated Users
uSNChanged: 1299
uSNCreated: 1299
whenChanged: 20020117183856.0Z
whenCreated: 20020117183856.0Z

cn: Batch
instanceType: 4
distinguishedName: CN=Batch,CN=WellKnown Security Principals,CN=Configuration,
DC=domainserver,DC=dom
objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,DC=ah
bdomain,DC=dom
objectClass: top
objectClass: foreignSecurityPrincipal
objectGUID:: XCL4li5e60mnB3DNd407YA==
objectSid:: AQEAAAAAAAUDAAAA
name: Batch
uSNChanged: 1301
uSNCreated: 1301
whenChanged: 20020117183856.0Z
whenCreated: 20020117183856.0Z

cn: Creator Group
instanceType: 4
distinguishedName: CN=Creator Group,CN=WellKnown Security Principals,CN=Config
uration,DC=domainserver,DC=dom
objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,DC=ah
bdomain,DC=dom
objectClass: top
objectClass: foreignSecurityPrincipal
objectGUID:: a/MCrZ8qtE6MTKpL9WNqWw==
objectSid:: AQEAAAAAAAMBAAAA
name: Creator Group
uSNChanged: 1297
uSNCreated: 1297
whenChanged: 20020117183856.0Z
whenCreated: 20020117183856.0Z

cn: Creator Owner
instanceType: 4
distinguishedName: CN=Creator Owner,CN=WellKnown Security Principals,CN=Config
uration,DC=domainserver,DC=dom
objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,DC=ah
bdomain,DC=dom
objectClass: top
objectClass: foreignSecurityPrincipal
objectGUID:: 3mWCrlcxHUGykm///qGOfQ==
objectSid:: AQEAAAAAAAMAAAAA
name: Creator Owner
uSNChanged: 1296
uSNCreated: 1296
whenChanged: 20020117183856.0Z
whenCreated: 20020117183856.0Z

Network News Transfer Protocol (NNTP) is a protocol used to process posting, distributing, searching and archiving news articles posted to Usenet newsgroups. By default, NNTP runs if Windows NT 4.0 Option Pack or Windows 2000 Server are installed. It is not installed by default on Windows NT 4.0 or Windows 2000 Professional.

Due to a flaw in the Microsoft NNTP service, it's possible for a host to be led to consume all available memory resources. This behavior is the result of flaws in the server's memory management.

Malformed news postings submitted repeatedly to an affected host will result in the accumulation of allocated memory that is not freed after use.

By exploiting this vulnerability, it's possible to exhaust the memory resources of the target system, potentially impacting the NNTP service and other applications running on the affected host.

You must restart your system in order to regain normal functionality.

Note: Since we don't exploit Denial Of Service vulnerabilities, we can't detect whether or not your machine is patched. If you've already applied the appropriate patch, then you can safely ignore this warning.

Microsoft Security Bulletin MS01-043 contains information about which patch should be applied to your system and where to get it. 200 NNTP Service 5.00.0984 Version: 5.0.2195.6702 Posting Allowed

SNMP requests are messages sent from manager to agent systems. They typically poll the agent for current performance or configuration information, ask for the next SNMP object in a Management Information Base (MIB), or modify the configuration settings of the agent.

SNMP traps are messages sent from agent to manager systems. They typically notify the manager that some event has occured or otherwise provide information about the status of the agent.

Multiple vulnerabilities have been discovered in the request and trap handling in a number of SNMP implementations. The vulnerabilities are known to exist in the process of decoding and interpreting SNMP request and trap messages.

Possible consequences include causing a denial of service condition and allowing attackers to compromise target systems. These depend on the individual vulnerabilities in each affected product.Fixes are available for several systems. Please contact your vendor for more information. Detected service snmp and os Windows 2000 Service Pack 4

RootDSE is a standard attribute defined in the LDAP Version 3.0 specification. RootDSE contains information about the directory server, including its capabilities and configuration. The search response will contain a standard set of information, which is defined in the following RFC:

RFC 2251-Lightweight Directory Access Protocol(v3)

The root DSE (DSA-Specific Entry) data can be retrieved from an LDAPv3 server by performing a base-level search with a null BaseDN and filter ObjectClass=*. The root DSE publishes information about the LDAP server, including which LDAP versions it supports, any supported SASL mechanisms, supported controls, and the DN for its subschemaSubentry. In addition to server information, operational attributes may be exposed that allow for extended administration functionality.

The information gathered can be used to launch further attacks against the system or network hosting the LDAP service.currentTime: 20041018195934.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=domainserver,DC=dom
dsServiceName: CN=NTDS Settings,CN=CANCAN1,CN=Servers,CN=Default-First-Site
-Name,CN=Sites,CN=Configuration,DC=domainserver,DC=dom
namingContexts: CN=Schema,CN=Configuration,DC=domainserver,DC=dom
namingContexts: CN=Configuration,DC=domainserver,DC=dom
namingContexts: DC=domainserver,DC=dom
defaultNamingContext: DC=domainserver,DC=dom
schemaNamingContext: CN=Schema,CN=Configuration,DC=domainserver,DC=dom
configurationNamingContext: CN=Configuration,DC=domainserver,DC=dom
rootDomainNamingContext: DC=domainserver,DC=dom
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxActiveQueries
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MaxNotificationPerConn
highestCommittedUSN: 574688
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
dnsHostName: cancan1.domainserver.dom
ldapServiceName: domainserver.dom:cancan1$@DOMAINSERVER.DOM
serverName: CN=CANCAN1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Co
nfiguration,DC=domainserver,DC=dom
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1791
isSynchronized: TRUE
isGlobalCatalogReady: TRUE