
Vulnerability #1

Target Information
• Target: Metasploitable
• OS: Ubuntu Linux
• Service: vsftpd 2.3.4 (FTP)
• Ports
o 21/tcp
• Nmap script: ftp-vsftpd-backdoor

Test Approach
Nmap command: nmap --script=vuln 192.168.50.24

Vulnerability
vsftpd 2.3.4, as downloaded from the project's master site between 2011-06-30
and 2011-07-03, contains a backdoor: a login whose username contains the
string ":)" makes the daemon open a shell, running with the daemon's root
privileges, listening on 6200/tcp. (CVE-2011-2523)

Solution
Replace the backdoored 2.3.4 build with a vsftpd package from a trusted
distribution repository or a clean upstream release later than 2.3.4, verifying
the tarball's signature before building. Until then, block inbound 6200/tcp at
the host firewall, check for a process listening on that port, and restart the
daemon, since a successful trigger leaves the shell listening.

Reference
• https://www.securityfocus.com/bid/48539
• https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
• http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html

Vulnerability #2
Target Information
• Target: Metasploitable
• OS: Ubuntu Linux
• Service: SMTP (STARTTLS)
• Ports
o 25/tcp
• Nmap script: ssl-dh-params

Test Approach
Nmap command: nmap --script=vuln 192.168.50.24

Vulnerability
Transport Layer Security (TLS) services that use anonymous Diffie-Hellman
key exchange only provide protection against passive eavesdropping and are
vulnerable to active man-in-the-middle attacks, which could completely
compromise the confidentiality and integrity of any data exchanged over the
resulting session. Anonymous suites (ADH/AECDH) carry no certificate, so the
client has no way to authenticate the server it is talking to.

Solution
Upgrading alone does not fix this: anonymous DH is a configuration choice,
not a version bug. Remove the aNULL cipher suites (ADH/AECDH) from the SMTP
daemon's TLS cipher list (in OpenSSL cipher-string terms, append !aNULL) and
re-scan to confirm no anonymous suite can be negotiated.

Reference
• https://www.ietf.org/rfc/rfc2246.txt

Vulnerability #3
Target Information
• Target: Metasploitable
• OS: Ubuntu Linux
• Service: SMTP (STARTTLS)
• Ports
o 25/tcp
• Nmap script: ssl-dh-params

Test Approach
Nmap command: nmap --script=vuln 192.168.50.24

Vulnerability
The Transport Layer Security (TLS) protocol contains a flaw that is
triggered when handling Diffie-Hellman key exchanges negotiated with the
DHE_EXPORT cipher suites. This may allow a man-in-the-middle attacker to
downgrade the security of a TLS session to 512-bit export-grade
cryptography, which is significantly weaker, allowing the attacker to
break the encryption far more easily and monitor or tamper with the
encrypted stream. Disclosure date: 2015-05-19 (CVE-2015-4000, "Logjam")

Solution
Remove export-grade cipher suites from the server's cipher list (OpenSSL
cipher string !EXPORT) and use a DH group of at least 2048 bits, or prefer
ECDHE suites. Update OpenSSL as well: from 1.0.1n/1.0.2b onward the client
side refuses DH parameters shorter than 768 bits, which protects clients on
this host from the downgrade. A step-by-step check procedure:
https://cert.tanet.edu.tw/pdf/CVE-2015-4000-check.pdf

Reference
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
• https://www.securityfocus.com/bid/74733
• https://weakdh.org

Vulnerability #4
Target Information
• Target: Metasploitable
• OS: Ubuntu Linux
• Service: SMTP (STARTTLS)
• Ports
o 25/tcp
• Nmap script: ssl-dh-params

Test Approach
Nmap command: nmap --script=vuln 192.168.50.24

Vulnerability
Transport Layer Security (TLS) services that use Diffie-Hellman groups of
insufficient strength, especially those using one of a few commonly shared
groups, may be susceptible to passive eavesdropping attacks.

Solution
Generate a unique DH group of at least 2048 bits (openssl dhparam -out
dhparams.pem 2048) and configure the SMTP daemon to use it, or restrict key
exchange to ECDHE suites. Upgrading the software alone does not change the
group in use, and a shared well-known 1024-bit group is exactly what weakdh.org
warns about.

Reference
• https://weakdh.org

Vulnerability #5
Target Information
• Target: Metasploitable
• OS: Ubuntu Linux
• Service: SMTP (STARTTLS)
• Ports
o 25/tcp
• Nmap script: ssl-poodle

Test Approach
Nmap command: nmap --script=vuln 192.168.50.24

Vulnerability
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
products, uses nondeterministic CBC padding, which makes it easier for
man-in-the-middle attackers to obtain cleartext data via a padding-oracle
attack, aka the "POODLE" issue.(CVE-2014-3566)

Solution
If the platform uses Apache as its web server, set SSLProtocol +TLSv1
+TLSv1.1 +TLSv1.2 to drop SSLv3 support and allow only TLS connections.
https://ic.cgu.edu.tw/p/16-1016-32594.php?Lang=zh-tw
Note that this finding is on 25/tcp, so the Apache directive does not apply
to it: disable SSLv3 in the SMTP daemon's own TLS settings (for Postfix, for
example, smtpd_tls_protocols = !SSLv2, !SSLv3), or move to an OpenSSL and
daemon build that no longer offers SSLv3 at all.

Reference
• https://www.securityfocus.com/bid/70574
• https://www.openssl.org/~bodo/ssl-poodle.pdf
• https://www.imperialviolet.org/2014/10/14/poodle.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566

Vulnerability #6
Target Information
• Target: Metasploitable
• OS: Ubuntu Linux
• Service: Java RMI registry
• Ports
o 1099/tcp
• Nmap script: rmi-vuln-classloader

Test Approach
Nmap command: nmap --script=vuln 192.168.50.24

Vulnerability
The default configuration of the RMI registry allows loading classes from
remote URLs, which can lead to remote code execution: when
java.rmi.server.useCodebaseOnly is false, the registry fetches and
instantiates classes from a codebase URL supplied by the remote caller.

Solution
Run the registry with -Djava.rmi.server.useCodebaseOnly=true so that it
ignores client-supplied codebase URLs (this became the default in Java 7u21
and 6u45, so upgrading the JRE also fixes it), restrict 1099/tcp to the hosts
that legitimately need it, and if remote class loading is really required run
the registry under a SecurityManager with a restrictive policy. The URL
below is the exploit module used to confirm the finding, not a remediation.

Reference
• https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/misc/java_rmi_server.rb

Vulnerability #7
Target Information
• Target: Metasploitable
• OS: Ubuntu Linux
• Service: PostgreSQL (TLS enabled)
• Ports
o 5432/tcp
• Nmap script: ssl-ccs-injection

Test Approach
Nmap command: nmap --script=vuln 192.168.50.24

Vulnerability
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does
not properly restrict processing of ChangeCipherSpec messages, which
allows man-in-the-middle attackers to trigger use of a zero length master
key in certain OpenSSL-to-OpenSSL communications, and consequently
hijack sessions or obtain sensitive information, via a crafted TLS
handshake, aka the "CCS Injection" vulnerability.(CVE-2014-0224)

Solution
Update OpenSSL to 0.9.8za, 1.0.0m or 1.0.1h (or later) and restart every
service linked against it, including the listener on 5432/tcp. The flaw is
only exploitable when both endpoints run a vulnerable OpenSSL, so check the
clients that connect to this service as well.

Reference
• http://www.cvedetails.com/cve/2014-0224
• http://www.openssl.org/news/secadv_20140605.txt
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224

Vulnerability #8
Target Information
• Target: Metasploitable
• OS: Ubuntu Linux
• Service: PostgreSQL (TLS enabled)
• Ports
o 5432/tcp
• Nmap script: ssl-dh-params

Test Approach
Nmap command: nmap --script=vuln 192.168.50.24

Vulnerability
Transport Layer Security (TLS) services that use Diffie-Hellman groups of
insufficient strength, especially those using one of a few commonly shared
groups, may be susceptible to passive eavesdropping attacks.

Solution
Generate a unique DH group of at least 2048 bits (openssl dhparam -out
dhparams.pem 2048) and configure the database server to use it, or prefer
ECDHE suites. Updating OpenSSL alone does not change the group the service
presents.

Reference
• https://weakdh.org

Vulnerability #9
Target Information
• Target: Metasploitable
• OS: Ubuntu Linux
• Service: PostgreSQL (TLS enabled)
• Ports
o 5432/tcp
• Nmap script: ssl-poodle

Test Approach
Nmap command: nmap --script=vuln 192.168.50.24

Vulnerability
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
products, uses nondeterministic CBC padding, which makes it easier for
man-in-the-middle attackers to obtain cleartext data via a padding-oracle
attack, aka the "POODLE" issue.(CVE-2014-3566)

Solution
If the platform uses Apache as its web server, set SSLProtocol +TLSv1
+TLSv1.1 +TLSv1.2 to drop SSLv3 support and allow only TLS connections.
https://ic.cgu.edu.tw/p/16-1016-32594.php?Lang=zh-tw
This finding is on 5432/tcp, so the Apache directive does not apply here:
disable SSLv3 in the database server's TLS configuration where the release
supports it (PostgreSQL 12 and later have ssl_min_protocol_version);
otherwise update to a PostgreSQL and OpenSSL build that no longer negotiates
SSLv3.

Reference
• https://www.securityfocus.com/bid/70574
• https://www.openssl.org/~bodo/ssl-poodle.pdf
• https://www.imperialviolet.org/2014/10/14/poodle.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
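
The TLS findings in #2, #3, #4, #5, #8 and #9 are all interpretations of what a server agrees to during a handshake, so they can be re-checked by hand with openssl s_client and the output read against a few rules. The following Python helper is an added example for this report, not code from the page, from Nmap or from OpenSSL: it builds the s_client probes (default handshake, then forced aNULL, forced EXPORT, forced SSLv3), parses the Protocol, Cipher and "Server Temp Key" lines, and maps them to the same findings the ssl-dh-params and ssl-poodle scripts report. The host and ports are those from this report; the sample outputs are constructed. Two caveats: the "Server Temp Key" line only appears in OpenSSL 1.0.2 and later, and a modern OpenSSL cannot itself negotiate export suites or SSLv3, so those probes come back as "refused" on a new scanner host even if the server would accept them (use the Nmap scripts, or an older OpenSSL build, to confirm those two); `-starttls postgres` needs OpenSSL 1.1.1 or later.

```python
"""Interpret `openssl s_client` handshakes for the TLS findings in this report
(anonymous DH, DHE_EXPORT/Logjam, short DH groups, SSLv3/POODLE).

Added example, not part of the original report. Host/port values are the
report's; the sample outputs at the bottom are constructed.
"""
import re
import subprocess

MIN_DH_BITS = 2048


def s_client_cmd(host, port, starttls=None, cipher=None, ssl3=False):
    """Build one probe. `starttls` is "smtp" for 25/tcp, "postgres" for 5432/tcp."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}"]
    if starttls:
        cmd += ["-starttls", starttls]
    if cipher:
        cmd += ["-cipher", cipher]  # force e.g. "aNULL" or "EXPORT" to see if the server takes it
    if ssl3:
        cmd.append("-ssl3")  # only available in OpenSSL builds compiled with SSLv3
    return cmd


def probe(host, port, **kw):
    """Run one handshake and return the tool's combined output as text."""
    p = subprocess.run(s_client_cmd(host, port, **kw), input=b"",
                       capture_output=True, timeout=20)
    return (p.stdout + p.stderr).decode(errors="replace")


def parse_handshake(text):
    """Extract protocol, cipher suite and ephemeral DH size from s_client output."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1) if m else None
    cipher = grab(r"^\s*Cipher\s*:\s*(\S+)")
    dh = grab(r"^Server Temp Key:\s*DH,\s*(\d+)\s*bits")
    return {
        "protocol": grab(r"^\s*Protocol\s*:\s*(\S+)"),
        "cipher": cipher,
        "dh_bits": int(dh) if dh else None,
        # s_client prints "Cipher : 0000" when the handshake failed
        "handshake_ok": bool(cipher) and cipher != "0000",
    }


def evaluate(hs):
    """Map one parsed handshake to the findings the Nmap scripts report."""
    findings = []
    if not hs["handshake_ok"]:
        return findings  # server refused that protocol/cipher combination: good
    cipher = hs["cipher"]
    if hs["protocol"] == "SSLv3":
        findings.append("SSLv3 negotiated: POODLE (CVE-2014-3566)")
    if cipher.startswith(("ADH-", "AECDH-", "EXP-ADH-")):
        findings.append("anonymous DH suite negotiated: no server authentication, active MitM")
    if cipher.startswith("EXP-") and "EDH" in cipher:
        findings.append("DHE_EXPORT suite negotiated: Logjam downgrade (CVE-2015-4000)")
    elif cipher.startswith("EXP-"):
        findings.append("export-grade suite negotiated (40/56-bit cipher)")
    if hs["dh_bits"] is not None and hs["dh_bits"] < MIN_DH_BITS:
        findings.append(f"ephemeral DH group is {hs['dh_bits']} bits (< {MIN_DH_BITS})")
    return findings


def audit(host, port, starttls=None):
    """Default handshake plus forced weak ones; returns de-duplicated findings."""
    probes = [{}, {"cipher": "aNULL"}, {"cipher": "EXPORT"}, {"ssl3": True}]
    found = []
    for kw in probes:
        try:
            for f in evaluate(parse_handshake(probe(host, port, starttls=starttls, **kw))):
                if f not in found:
                    found.append(f)
        except (OSError, subprocess.TimeoutExpired):
            continue  # openssl missing, option unsupported, or host unreachable
    return found


# Constructed s_client excerpts standing in for real output from 192.168.50.24
SAMPLE_ANON_DH = """\
CONNECTED(00000003)
Server Temp Key: DH, 1024 bits
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ADH-AES256-SHA
"""
SAMPLE_REFUSED = """\
CONNECTED(00000003)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""

if __name__ == "__main__":
    for finding in audit("192.168.50.24", 25, starttls="smtp"):
        print("-", finding)
```

Against the report's targets the calls are `audit("192.168.50.24", 25, starttls="smtp")` and `audit("192.168.50.24", 5432, starttls="postgres")`; the same evaluate() rules also give the acceptance test for the fixes above, since a remediated service should return an empty list for every probe.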

Vulnerability #10
Target Information
• Target: Metasploitable
• OS: Ubuntu Linux
• Service: HTTP
• Ports
o 8180/tcp
• Nmap script: http-slowloris-check

Test Approach
Nmap command: nmap --script=vuln 192.168.50.24

Vulnerability
Apache HTTP Server 1.x and 2.x allow remote attackers to cause a denial of
service (daemon outage) via partial HTTP requests, as demonstrated by
Slowloris, because versions before 2.2.15 lack the mod_reqtimeout module.
(CVE-2007-6750)

Impact: A Slowloris attack is a denial-of-service (DoS) attack against
threaded web servers. It tries to occupy every available request-handling
thread on the web server by sending HTTP requests that never complete.
Because each request consumes a thread, Slowloris eventually exhausts all of
the web server's connection capacity, effectively denying access to
legitimate users. The IETF HTTP specification (RFC 2616) requires a blank
line to mark the end of the request headers and the start of the payload, if
any; the web server responds once it has received the entire request. Note
that the blank line is produced by two consecutive newline sequences:
<CR><LF><CR><LF>. Slowloris works by opening many connections to the web
server. On each connection it sends an incomplete request that omits the
terminating newline sequence. The attacker periodically sends additional
header lines to keep the connection alive but never sends the terminating
sequence. The web server keeps the connection open, expecting more data to
complete the request. As the attack continues, long-lived Slowloris
connections accumulate until all available web server connections are
exhausted and the server can no longer respond to other legitimate requests.
(CVE-2007-6750)

Solution
1. Upgrade Apache HTTP Server to 2.2.15 or later and enable mod_reqtimeout,
for example RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500,
so that a connection which has not finished sending its headers within the
window is closed and its worker freed. If the listener on 8180/tcp is not
Apache httpd (the description above is Apache-specific), apply the
equivalent header-read timeout of whatever server is bound there.

2. Apply the change over an SSH session to the server, restart the web
service, and re-run the Nmap check to confirm that a stalled request is now
dropped instead of held open.


Reference
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
• http://ha.ckers.org/slowloris/
• https://zh-tw.tenable.com/plugins/nessus/97419
