Checkbox Survey 6.12 <= 6.18 RCE

##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(161325);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/04/25");

  script_cve_id("CVE-2021-27852");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/02");

  script_name(english:"Checkbox Survey 6.12 <= 6.18 RCE");

  script_set_attribute(attribute:"synopsis", value:
"Checkbox Survey is affected by an arbitrary code execution.");
  script_set_attribute(attribute:"description", value:
"Checkbox Survey is an ASP.NET application that can add survey functionality to a website. Prior to version 7.0, 
Checkbox Survey implements its own View State functionality by accepting a _VSTATE argument, which it then
deserializes using LosFormatter. Because this data is manually handled by the Checkbox Survey code, the ASP.NET
ViewState Message Authentication Code (MAC) setting on the server is ignored. Without MAC, an attacker can create
arbitrary data that will be deserialized, resulting in arbitrary code execution.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.kb.cert.org/vuls/id/706695");
  # https://www.checkbox.com/news/2021/08/checkbox-version-6-security-vulnerability-announcement/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?06d71f98");
  script_set_attribute(attribute:"solution", value:
"Update to Checkbox Survey 7.0 or later");
  script_set_attribute(attribute:"agent", value:"windows");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-27852");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/05/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/03/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/05/18");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:checkbox:survey");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("checkbox_survey_win_installed.nbin", "checkbox_survey_web_api_detect.nbin");
  script_require_keys("installed_sw/Checkbox Survey");

  exit(0);
}

include('vcf.inc');

var app_info = vcf::combined_get_app_info(app:'Checkbox Survey');

vcf::check_granularity(app_info:app_info, sig_segments:2);

var constraints = [
  { 'min_version' : '6.12', 'max_version' : '6.18', 'fixed_display':'7.0' }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);