<plugin_id>235</plugin_id>
<plugin_name>Cat Soft Serv-U FTP Server Default Administration Account Vulnerability</plugin_name>
<plugin_family>FTP</plugin_family>
<plugin_created_date>2004/09/13</plugin_created_date>
<plugin_created_name>Nico 'Triplex' Spicher</plugin_created_name>
<plugin_created_email>Triplex at IT-Helpnet dot de</plugin_created_email>
<plugin_created_web>http://triplex.it-helpnet.de</plugin_created_web>
<plugin_created_company>http://www.it-helpnet.de</plugin_created_company>
<plugin_updated_name>Nico 'Triplex' Spicher</plugin_updated_name>
<plugin_updated_email>Triplex at IT-Helpnet dot de</plugin_updated_email>
<plugin_updated_web>http://triplex.it-helpnet.de</plugin_updated_web>
<plugin_updated_company>http://www.it-helpnet.de</plugin_updated_company>
<plugin_updated_date>2004/11/13</plugin_updated_date>
<plugin_version>1.1</plugin_version>
<plugin_changelog>Corrected the plugin structure and added the accuracy values in 1.1</plugin_changelog>
<plugin_protocol>tcp</plugin_protocol>
<plugin_port>21</plugin_port>
<plugin_procedure_detection>open|sleep|send USER LocalAdministrator\n|sleep|send PASS #l@$ak#.lk;0@P\n|send list\n|sleep|close|pattern_exists 150</plugin_procedure_detection>
<plugin_detection_accuracy>98</plugin_detection_accuracy>
<plugin_comment>This plugin was written with the ATK-Plugin-Creator [http://triplex.it-helpnet.de].</plugin_comment>
<bug_published_name>aT4r ins4n3</bug_published_name>
<bug_published_email>at4r@ciberdreams.com</bug_published_email>
<bug_published_date>2004/08/08</bug_published_date>
<bug_advisory>http://securityfocus.com/bid/10886/info/</bug_advisory>
<bug_affected>Cat Soft Serv-U FTP Server 3.0 to 5.2</bug_affected>
<bug_vulnerability_class>Configuration</bug_vulnerability_class>
<bug_description>It is reported that the RhinoSoft Serv-U FTP server has a default administration account that is used to authenticate to the site maintenance interface. The weak account can be used to log into the site maintenance interface on the loopback interface only, and to create user accounts.</bug_description>
<bug_solution>If the ftp server is not used it should be de-installed or de-activated. Install the newest patch or bugfix to solve the problem or upgrade to the latest software version which is not vulnerable anymore. Additionally limit unwanted connections and communications with firewalling.</bug_solution>
<bug_fixing_time>Approx. 20 minutes</bug_fixing_time>
<bug_exploit_availability>Yes</bug_exploit_availability>
<bug_exploit_url>http://downloads.securityfocus.com/vulnerabilities/exploits/servulocal.c</bug_exploit_url>
<bug_remote>No</bug_remote>
<bug_local>Yes</bug_local>
<bug_severity>Medium</bug_severity>
<bug_popularity>2</bug_popularity>
<bug_simplicity>5</bug_simplicity>
<bug_impact>8</bug_impact>
<bug_risk>1</bug_risk>
<source_securityfocus_bid>10886</source_securityfocus_bid>
<source_literature>Hacking Intern - Angriffe, Strategien, Abwehr, Marc Ruef, Marko Rogge, Uwe Velten and Wolfram Gieseke, November 1, 2002, Data Becker, Düsseldorf, ISBN 381582284X</source_literature>
<source_misc>http://www.computec.ch</source_misc>