Vulners
Lucene search
BeanShell Remote Server Mode Arbitrary Code Execution
| Source | Link |
|---|---|
| beanshell | www.beanshell.org/manual/remotemode.html |
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(58975);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_name(english:"BeanShell Remote Server Mode Arbitrary Code Execution");
script_set_attribute(attribute:"synopsis", value:
"A shell is listening on the remote host.");
script_set_attribute(attribute:"description", value:
"The remote host is running a BeanShell interpreter in remote server
mode. This allows network clients to connect to the interpreter and
execute BeanShell commands and arbitrary Java code. A remote,
unauthenticated attacker could exploit this to execute arbitrary
code.");
script_set_attribute(attribute:"see_also", value:"http://www.beanshell.org/manual/remotemode.html");
script_set_attribute(attribute:"solution", value:
"Filter incoming traffic to this port or disable this service.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/03");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:beanshell_project:beanshell");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Gain a shell remotely");
script_copyright(english:"This script is Copyright (C) 2012-2022 Tenable Network Security, Inc.");
script_dependencies("find_service1.nasl");
script_require_ports("Services/BeanShell");
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("audit.inc");
port = get_service(svc:'BeanShell', exit_on_fail:TRUE);
soc = open_sock_tcp(port);
if (!soc)
audit(AUDIT_SOCK_FAIL, port);
# ignored
banner = recv_line(socket:soc, length:1024);
prompt = recv_line(socket:soc, length:1024);
java = 'java.lang.System.getProperty("java.version")';
bsh = 'print(' + java + ');';
send(socket:soc, data:bsh + '\n');
ver = recv_line(socket:soc, length:1024);
ver = chomp(ver);
close(soc);
if (ver !~ '^[0-9._-]+$')
audit(AUDIT_RESP_BAD, port);
if (report_verbosity > 0)
{
report =
'\nNessus executed the following BeanShell/Java code :\n\n' +
bsh + '\n' +
'\nWhich returned the following JRE version :\n\n' +
ver + '\n';
security_hole(port:port, extra:report);
}
else security_hole(port);
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Apr 2022 00:00Current
6Medium risk
Vulners AI Score6