
Apache on Windows < 1.3.24 / 2.0.x < 2.0.34 DOS Batch File Arbitrary Command Execution

2002-04-18 00:00:00
This script is Copyright (C) 2002-2020 Matt Moore

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.108

Percentile

95.1%

Apache for Win32 prior to 1.3.24 and 2.0.x prior to 2.0.34-beta is shipped with a default script, ‘/cgi-bin/test-cgi.bat’, that allows an attacker to remotely execute arbitrary commands on the host subject to the permissions of the affected application.

An attacker can send a pipe character ‘|’ with commands appended as parameters, which are then executed by Apache.

#
# This script was written by Matt Moore <[email protected]>
#
#   - Added Synopsis, Reference, CVSS Vector
#   - Modified Description

# Changes by Tenable:
# - Standardized title (4/2/2009)
# - Added Synopsis, Reference, CVSS Vector/Modified Description (4/8/2009)


include("compat.inc");

if (description)
{
 # Plugin identity and revision metadata.
 script_id(10938);
 script_version("1.36");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

 # Public identifiers for the flaw being tested.
 script_cve_id("CVE-2002-0061");
 script_bugtraq_id(4335);

 script_name(english:"Apache on Windows < 1.3.24 / 2.0.x < 2.0.34 DOS Batch File Arbitrary Command Execution");
 script_summary(english:"Tests for presence of Apache Command execution via .bat vulnerability");

 # Finding text shown to the user: synopsis, description, references, fix.
 script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by a remote command execution
vulnerability.");
 script_set_attribute(attribute:"description", value:
"Apache for Win32 prior to 1.3.24 and 2.0.x prior to 2.0.34-beta is
shipped with a default script, '/cgi-bin/test-cgi.bat', that allows an
attacker to remotely execute arbitrary commands on the host subject to
the permissions of the affected application. 

An attacker can send a pipe character '|' with commands appended as
parameters, which are then executed by Apache.");
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2002/Mar/334");
 script_set_attribute(attribute:"see_also", value:"http://www.apacheweek.com/issues/02-03-29#apache1324");
 script_set_attribute(attribute:"solution", value:"Upgrade to Apache web server 1.3.24 or later.");

 # Disclosure and publication dates.
 script_set_attribute(attribute:"vuln_publication_date", value:"2002/03/21");
 script_set_attribute(attribute:"plugin_publication_date", value:"2002/04/18");

 # Risk scoring (CVSSv2 and CVSSv3 base/temporal) and exploit status.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
 script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 # Classification: a remote check that actively exercises the flaw.
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:http_server");
 script_set_attribute(attribute:"exploited_by_nessus", value:"true");
 script_end_attributes();

 script_category(ACT_ATTACK);

 script_copyright(english:"This script is Copyright (C) 2002-2020 Matt Moore");
 script_family(english:"Web Servers");

 # Runtime prerequisites: banner/OS detection plugins, a web port, and a
 # detected Apache install.
 script_dependencie("http_version.nasl", "os_fingerprint.nasl");
 script_require_ports("Services/www", 80);
 script_require_keys("installed_sw/Apache");
 exit(0);
}

# Check makes request for cgi-bin/test-cgi.bat?|echo - which should return
# an HTTP 500 error containing the string 'ECHO is on'
# We just check for 'ECHO' (capitalized), as this should remain the same across
# most international versions of Windows(?)

include("global_settings.inc");
include("misc_func.inc");
include("http_func.inc");

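# Locate the web server and confirm it looks like Apache (not Tomcat) before
# sending the check request, so unrelated servers are not probed.
port = get_http_port(default:80, embedded:TRUE);
if (!get_port_state(port)) exit(0, "Port "+port+" is not open.");
if ( get_kb_item("Services/www/" + port + "/embedded") ) exit(0, "The web server listening on port "+port+" is embedded.");

banner = get_http_banner(port:port);
if (!banner) exit(1, "Failed to get the banner from the web server listening on port "+port+".");
if ("Server:" >!< banner) exit(0, "The banner from port " + port + " does not have a Server response header.");
if (preg(string:banner, pattern:'Server:.*(Apache-Coyote|Tomcat)')) exit(0, "The web server listening on port " + port + " is Apache Tomcat, not Apache.");
# Fix: the test was inverted and exited precisely when the banner DID match
# Apache, so the check never ran against its intended targets. Exit only when
# the Server header does not identify Apache.
if (!preg(pattern:"^Server:.*Apache", string:banner)) exit(0, "The web server listening on port " + port + " is not Apache.");

# Unless the scan is paranoid, skip hosts that were not fingerprinted as
# Windows; the affected batch script only ships with the Win32 builds.
if (report_paranoia < 2)
{
  os = get_kb_item("Host/OS");
  if (isnull(os)) exit(0, "It was not possible to determine if the host is running Windows.");
  if ("Windows" >!< os) exit(0, "The host does not appear to be running Windows.");
}

soc = http_open_socket(port);
if (!soc) exit(1, "Failed to open a socket on port "+port+".");

# Per the comment above: an affected server answers this request with an HTTP
# 500 whose body contains the output of 'echo' (the string 'ECHO is on').
url = "/cgi-bin/test-cgi.bat?|echo";
req = http_get(item:url, port:port);
send(socket:soc, data:req);
res = http_recv(socket:soc);
http_close_socket(soc);

# No response at all is a scan failure, not evidence either way; report it
# as such rather than as a "no 500" audit trail.
if (isnull(res)) exit(1, "The web server listening on port "+port+" did not respond to the request.");
# Fix: this test was also inverted and exited when a 500 WAS returned, which
# contradicts both the exit message and the expected behaviour described
# above. Exit only when the 500 status is absent.
if (!preg(pattern:"^HTTP/[0-9]\.[0-9] 500 ", string:res)) exit(0, "The web server listening on port "+port+" did not return a 500 response code as expected.");
if ("ECHO" >< res)
{
  # Verbosity 1: show the URL used; verbosity 2: also include the raw response.
  if (report_verbosity > 0)
  {
    report = '\n' + "Nessus was able to execute the command 'ECHO' on the remote host using" +
             '\n' + 'the following URL :' +
             '\n' +
             '\n' + '  ' + build_url(port:port, qs:url) +
             '\n';
    if (report_verbosity > 1)
    {
      report += '\n' + 'This produced the following results :' +
                '\n' + 
                '\n' + res;
    }
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
  exit(0);
}
else exit(0, "The web server listening on port "+port+" is not affected.");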

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.108

Percentile

95.1%