MS04-028 Exploitation Backdoor Account Detection

Severity: High. Nessus Plugin ID: 14818

Synopsis

It is possible to log into the remote host without a password.

Description

It was possible to log into the remote host with the login 'X' and a blank password.

A widely available exploit, which uses one of the vulnerabilities described in Microsoft Bulletin MS04-028, creates such an account. This probably means that the remote host has been compromised by the use of this exploit.

Solution

Re-install the operating system on this host, as it has likely been compromised.

See Also

https://seclists.org/bugtraq/2004/Sep/149

https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-028

Plugin Details

Severity: High

ID: 14818

File Name: smb_login_as_x.nasl

Version: 1.28

Type: local

Family: Backdoors

Published: 9/24/2004

Updated: 11/15/2018

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.2

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/o:microsoft:windows

Excluded KB Items: global_settings/supplied_logins_only, SMB/any_login

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 9/14/2004

Reference Information

CVE: CVE-2004-0200

BID: 11173

MSFT: MS04-028

MSKB: 833987