Open Source Security Tools : Practical Guide to Security Applications part 54 ppt


Appendix E • Nessus Plug-ins

Howlett_AppE.fm Page 509 Friday, June 25, 2004 1:50 PM

| Family | Plug-in Name | CVE ID Number(s) | BugTraq ID Number(s) |
|---|---|---|---|
| Gain root remotely | RealServer G2 buffer overrun | CAN-1999-0271 | |
| Gain root remotely | Oracle9iAS too long URL | CVE-2001-0836 | 3443 |
| Gain root remotely | Webalizer Cross Site Scripting Vulnerability | CAN-2001-0835 | 3473 |
| Gain root remotely | Multiple IRC daemons format string attack | | 8038 |
| Gain root remotely | Imail’s imap buffer overflow | CAN-1999-1557 | 502 |
| Gain root remotely | l2tpd < 0.68 overflow | CVE-2002-0872, CVE-2002-0873 | |
| Gain root remotely | HTTP negative Content-Length buffer overflow | | |
| Gain root remotely | Solaris lpd remote command execution | | 3274 |
| Gain root remotely | Webserver4everyone too long URL | | |
| Gain root remotely | IIS : WebDAV Overflow (MS03-007) | CAN-2003-0109 | 7116 |
| Gain root remotely | dwhttpd format string | | 5384 |
| Gain root remotely | Various pop3 overflows | CAN-2002-0799, CVE-1999-0822 | 789, 790, 830, 894, 942, 1965, 2781, 2811, 4055, 4295, 4614 |
| Gain root remotely | IIS buffer overflow | CVE-1999-0874 | 307 |
| Gain root remotely | OpenSSH < 2.1.1 UseLogin feature | CVE-2000-0525 | 1334 |
| Gain root remotely | BIND 4.x resolver overflow | CAN-2002-0684 | 7228 |
| Gain root remotely | INN version check (2) | CVE-2000-0472 | 1316 |
| Gain root remotely | OpenSSH Channel Code Off by 1 | CVE-2002-0083 | 4241 |
| Gain root remotely | Buffer overflow in FreeBSD 2.x lpd | CVE-1999-0299 | |
| Gain root remotely | OpenSSH UseLogin Environment Variables | CVE-2001-0872 | 3614 |
| Gain root remotely | SOCKS4A hostname overflow | CAN-2002-1001 | 5138 |
| Gain root remotely | HTTP 1.0 header overflow | | |
| Gain root remotely | X Font Service Buffer Overflow | CAN-2002-1317 | |
| Gain root remotely | IIS ASP ISAPI filter Overflow | CVE-2002-0079, CAN-2002-0079, CAN-2002-0147, CVE-2002-0149 | 4485 |
| Gain root remotely | snmpXdmid overflow | CVE-2001-0236 | 2417 |
| Gain root remotely | PPTP overflow | CAN-2003-0213 | 7316 |
| Gain root remotely | HTTP version number overflow | | |
| Gain root remotely | rsync modules | | |
| Gain root remotely | SSH setsid() vulnerability | | |
| Gain root remotely | Microsoft RPC Interface Buffer Overrun (KB824146) | CAN-2003-0715, CAN-2003-0528, CAN-2003-0605 | 8458 |
| Gain root remotely | rlogin -froot | CVE-1999-0113 | 458 |
| Gain root remotely | XMail APOP Overflow | CAN-2000-0841 | 1652 |
| Gain root remotely | Buffer overflow in AIX lpd | CAN-2001-0671 | |
| Gain root remotely | TESO in.telnetd buffer overflow | CVE-2001-0554 | 3064 |
| Gain root remotely | ePolicy orchestrator format string | CAN-2002-0690 | 7111 |
| Gain root remotely | Too long authorization | | |
| Gain root remotely | yppasswdd overflow | CVE-2001-0779 | 2763 |
| Gain root remotely | mibiisa overflow | CVE-2002-0797, CAN-2002-0796 | 4933, 4932 |
| Gain root remotely | IIS .HTR overflow | CVE-2002-0364, CAN-2002-0071, CAN-2002-0364 | 4855 |
| Gain root remotely | BIND vulnerable to overflows | CVE-2001-0010, CVE-2001-0011, CVE-2001-0012, CVE-2001-0013 | 2302 |
| Gain root remotely | Too long POST command | | |
| Gain root remotely | ICEcap default password | CVE-2000-0350 | 1216 |
| Gain root remotely | BIND vulnerable | CVE-1999-0833, CVE-1999-0837, CVE-1999-0848, CVE-1999-0849 | 788 |
| Gain root remotely | SysV /bin/login buffer overflow (telnet) | CVE-2001-0797 | 3681, 7481 |
| Gain root remotely | Delegate overflow | CVE-2000-0165 | 808 |
| Gain root remotely | Knox Arkeia buffer overflow | CAN-1999-1534 | 661 |
| Gain root remotely | Netwin’s Dmail ETRN overflow | CVE-2000-0490 | 1297 |
| Gain root remotely | Samba Unicode Buffer Overflow | CVE-1999-0182 | |
| Gain root remotely | Abyss httpd overflow | | 8062, 8064 |
| Gain root remotely | ICECast Format String | CVE-2001-0197 | 2264 |
| Gain root remotely | PXE server overflow | | 7129 |
| Gain root remotely | NSM format strings vulnerability | | |
| Gain root remotely | Buffer overflow in BSD in.lpd | CVE-2001-0670, CAN-1999-0061 | 3252 |
| Gain root remotely | dtspcd overflow | CVE-2001-0803 | 3517 |
| Gain root remotely | Header overflow against HTTP proxy | CAN-2002-0133 | 3904 |
| Gain root remotely | OpenSSH AFS/Kerberos ticket/token passing | CVE-2002-0575, CAN-2002-0575 | 4560 |
| Gain root remotely | NT IIS 5.0 Malformed HTTP Printer Request Header Buffer Overflow Vulnerability | CVE-2001-0241 | 2674 |
| Gain root remotely | Unreal Engine flaws | | 6770, 6771, 6772, 6773, 6774, 6775 |
| Gain root remotely | Rockliffe’s MailSite overflow | CVE-2000-0398 | 1244 |
| Gain root remotely | pam_smb / pam_ntdom overflow | CAN-2000-0843 | 1666 |
| Gain root remotely | OpenLink web config buffer overflow | CVE-1999-0943 | |
| Gain root remotely | MonkeyWeb POST with too much data | CAN-2003-0218 | |
| Gain root remotely | DHCP server overflow / format string bug | CAN-2003-0026, CAN-2002-0702, CAN-2003-0039 | 4701, 6627, 6628 |
| Gain root remotely | Boozt index.cgi overflow | | 6281 |
| Gain root remotely | thttpd 2.04 buffer overflow | CVE-2000-0359 | 1248 |
| Gain root remotely | Samba Buffer Overflow | | 5587 |
| Gain root remotely | rsync array overflow | CAN-2002-0048 | 3958 |
| Gain root remotely | Generic format string | | |
| Gain root remotely | rpc.nisd overflow | CVE-1999-0008 | 104 |
| Gain root remotely | BIND vulnerable to cached RR overflow | CAN-2002-1219 | |
| Gain root remotely | irix rpc.passwd overflow | CAN-2002-0357 | 4939 |
| Gain root remotely | Portable SSH OpenSSH < 3.7.1p2 | CAN-2003-0786, CAN-2003-0787 | 8677 |
| Gain root remotely | uw-imap buffer overflow | CVE-1999-0005 | 130 |
| Gain root remotely | IIS ISAPI Overflow | CVE-2001-0544, CVE-2001-0545, CVE-2001-0506, CVE-2001-0507, CVE-2001-0508, CVE-2001-0500 | 2690, 3190, 3194, 3195 |
| Gain root remotely | IRIX Objectserver | CVE-2000-0245 | 1079 |
| Gain root remotely | SSH1 CRC-32 compensation attack | CVE-2001-0144 | 2347 |
| Gain root remotely | remwatch | CAN-1999-0246 | |
| Gain root remotely | Xitami Web Server buffer overflow | | |
| Gain root remotely | Samba TNG multiple flaws | CAN-2003-0085 | 7206, 7106 |
| Gain root remotely | Gnu Cfserv remote buffer overflow | CAN-2003-0849 | 8699 |
| Gain root remotely | Imail’s imonitor buffer overflow | CVE-1999-1046, CVE-2000-0056 | 502, 504, 506, 914 |
| Gain root remotely | qpopper buffer overflow | CVE-1999-0006 | 133 |
| Gain root remotely | sadmind command execution | CAN-2003-0722 | 8615 |
| Gain root remotely | rpc.walld format string | CVE-2002-0573 | 4639 |
| Gain root remotely | SysV /bin/login buffer overflow (rlogin) | CVE-2001-0797 | 3681 |
| Gain root remotely | Too long URL | CVE-2000-0002, CVE-2000-0065, CAN-2001-1250 | 2979, 6994, 7067, 7280 |
| Gain root remotely | HTTP User-Agent overflow | CVE-2001-0836 | 3443, 3449, 7054 |
| Gain root remotely | HTTP 1.1 header overflow | | |
| Gain root remotely | Piranha's RH6.2 default password | CAN-2000-0248 | 1148 |
| Gain root remotely | SOCKS4 username overflow | | |
| Gain root remotely | Communigate Pro overflow | CVE-1999-0865 | 860 |
| Gain root remotely | ntpd overflow | CVE-2001-0414 | 2540 |
| Gain root remotely | Avirt gateway insecure telnet proxy | CAN-2002-0134 | 3901 |
| Gain root remotely | IRCd OperServ Raw Join DoS | | 8131 |
| Gain root remotely | fakeidentd overflow | | 5351 |
| Gain root remotely | Oracle Application Server Overflow | CAN-2001-0419 | 2569 |
| Gain root remotely | Netware Perl CGI overflow | CAN-2003-0562 | |
| Gain root remotely | ePolicy orchestrator multiple issues | CAN-2003-0148, CAN-2003-0149, CAN-2003-0616 | |
| Gain root remotely | HTTP header overflow | CVE-2000-0182 | |
| Gain root remotely | Usermin Session ID Spoofing | CAN-2003-0101 | 6915 |
| Gain root remotely | klogind overflow | CVE-2001-0035 | |
| Gain root remotely | Xtramail pop3 overflow | CAN-1999-1511 | 791 |
| Gain root remotely | BIND 9 overflow | CAN-2002-0684 | |
| Gain root remotely | Netware Perl CGI overflow | CAN-2003-0562 | |
| Gain root remotely | iPlanet unauthorized sensitive data retrieval | CVE-2001-0327 | |
| Gain root remotely | iPlanet chunked encoding | CVE-2002-0845 | 5433 |
| Gain root remotely | SCO i2odialogd buffer overrun | CVE-2000-0026 | |
| Gain root remotely | IIS FrontPage DoS II | CVE-2001-0341 | 2906 |
| Gain root remotely | Tinyproxy heap overflow | CVE-2001-0129 | 2217 |
| Gain root remotely | lpd, dvips and remote command execution | CVE-2001-1002 | 3241 |
| Gain root remotely | cachefsd overflow | CAN-2002-0084, CVE-2002-0033 | 4631 |
| Gain root remotely | Rover pop3 overflow | CVE-2000-0060 | 894 |
| Gain root remotely | SmartServer pop3 overflow | | 790 |
| Gain root remotely | OpenSSH <= 3.3 | CVE-2002-0639, CVE-2002-0640, CAN-2002-0639, CAN-2002-0640 | 5093 |
| Gain root remotely | Buffer overflow in Solaris in.lpd | CVE-2001-0353 | 2894 |
| Gain root remotely | HTTP Cookie overflow | | |
| Gain root remotely | BIND Buffer overflows in the DNS stub resolver library | CAN-2002-0029 | 6186 |
| Gain root remotely | vpopmail input validation bug | CVE-2000-0583 | 1418 |
| Gain root remotely | xfstt possible code execution | CAN-2003-0581 | 8182 |
| Gain root remotely | Webmin Session ID Spoofing | CAN-2003-0101 | 6915 |
| Gain root remotely | apcupsd overflows | CVE-2001-0040, CAN-2003-0098, CAN-2003-0099 | 2070, 6828, 7200 |
| General | Oracle Web Administration Server Detection | | |
| General | SHOUTcast Server DoS detector vulnerability | CAN-2001-1304 | |
| General | Compaq WBEM Server Detection | | |
| General | Amanda client version | | |
| General | SMTP Server type and version | | |
| General | Detect talkd server port and protocol version | CVE-1999-0048 | |
| General | Formmail Version Information Disclosure | CAN-2001-0357 | |
| General | MySQL Server version | | |
| General | clarkconnectd detection | | 6934 |
| General | PHP-Nuke sql_debug Information Disclosure | | 3906 |
| General | Oracle Applications One-Hour Install Detect | | |
| General | DCShop exposes sensitive files | CAN-2001-0821 | 2889 |
| General | Access Point detection | | |
| General | robot(s).txt exists on the Web Server | | |
| General | HealthD detection | | |
| General | Oracle Jserv Executes outside of doc_root | CAN-2001-0307 | |
| General | WWW fingerprinting | | |
| General | News Server type and version | | |
| General | LinuxConf grants network access | CAN-2000-0017 | |
| General | Enhydra Multiserver Default Password | | |
| General | A CVS pserver is running | | |
| General | Determine which version of BIND name daemon is running | | |
| General | F5 Device Default Support Password | | |
| General | WhatsUp Gold Default Admin Account | | |
| General | Kerberos IV cryptographic weaknesses | CAN-2003-0138 | 7113 |
| General | Mediahouse Statistics Web Server Detect | CVE-2000-0776 | 1568 |
| General | SHOUTcast Server logfiles XSS | | |
| General | FTP Server type and version | | |
| General | Ultraseek Web Server Detect | | |
| General | IRC daemon identification | | |
| General | Network Chemistry Wireless Sensor Detection | | |
| General | DNS AXFR | CAN-1999-0532 | |
| General | Determine if Bind 9 is running | | |
| General | SSH protocol version 1 enabled | | |
| General | TTL Anomaly detection | | |
| General | HTTP Server type and version | | |
| General | Linksys Router Default Password | | |
| General | Cobalt Web Administration Server Detection | | |
| General | BIND vulnerable to DNS storm | CAN-2002-1221, CAN-2002-1219, CAN-2002-1220 | 6159, 6160, 6161 |
| General | Amanda Index Server version | | |
| General | NetGear Router Default Password | | |
| General | Relative IP Identification number change | | |
| General | Useable remote name server | CVE-1999-0024 | 678 |
| General | POP3 Server type and version | | |
| General | SSL ciphers | | |
| General | UDDI detection | | |
| General | DNS Server Detection | | |
| General | vqServer administrative port | CVE-2000-0766 | 1610 |
| General | SiteScope Web Management Server Detect | | |

Date posted: 04/07/2014, 13:20
