nessusThis script is Copyright (C) 2010-2024 Tenable Network Security, Inc.MACOSX_EVOCAM_3_6_8.NASL
HistoryJul 08, 2010 - 12:00 a.m.

EvoCam 3.6.6 / 3.6.7 Web Server GET Request Overflow

2010-07-0800:00:00
This script is Copyright (C) 2010-2024 Tenable Network Security, Inc.
www.tenable.com
23

8.1 High

AI Score

Confidence

Low

The version of EvoCam installed on the Mac OS X host is either 3.6.6 or 3.6.7. Such versions reportedly contain a buffer overflow in the Web Server component.

Using an overly long GET request, an unauthenticated remote attacker may be able to leverage this vulnerability to execute arbitrary code on the remote host subject to the privileges under which the application runs.

#TRUSTED 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
#TRUST-RSA-SHA256 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
#
# (C) Tenable Network Security, Inc.
#



include("compat.inc");


# Registration pass: when the engine loads the plugin with `description` set,
# this block only declares metadata (IDs, references, risk scoring, scheduling
# requirements) and exits before any check logic runs.
if (description)
{
  script_id(47682);
  script_version("1.16");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/05");

  # Cross-references that tie the finding to public advisories.
  script_cve_id("CVE-2010-2309");
  script_bugtraq_id(40489);
  script_xref(name:"EDB-ID", value:"13735");

  script_name(english:"EvoCam 3.6.6 / 3.6.7 Web Server GET Request Overflow");
  # The finding is derived from the installed version string, not from
  # exercising the overflow.
  script_summary(english:"Checks version of EvoCam");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote host has an application that may be susceptible to a remote
buffer overflow attack."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The version of EvoCam installed on the Mac OS X host is either 3.6.6
or 3.6.7.  Such versions reportedly contain a buffer overflow in the
Web Server component. 

Using an overly long GET request, an unauthenticated remote attacker
may be able to leverage this vulnerability to execute arbitrary code
on the remote host subject to the privileges under which the
application runs."
  );
  script_set_attribute(attribute:"solution", value:"Upgrade to EvoCam 3.6.8 or later.");
  # CVSS v2 base vector: network-reachable, low complexity, no authentication,
  # partial impact on confidentiality, integrity and availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2010-2309");
  # Exploit-availability flags; useful for prioritising remediation because
  # they record that public and commercial exploit code is listed for this issue.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MacOS X EvoCam HTTP GET Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/06/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/06/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/07/08");

  # Marked as a potential vulnerability and typed as a local check: the result
  # comes from data read on the host, so it should be treated as an
  # indication to verify rather than a confirmed exploitable condition.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2010-2024 Tenable Network Security, Inc.");

  script_dependencies("ssh_get_info.nasl", "http_version.nasl");
  # NOTE(review): "Settings/ParanoidReport" is a required key, so this plugin
  # presumably only runs in paranoid scans; if so, the non-paranoid service
  # probe in the check body below would never execute -- confirm.
  script_require_keys("Host/MacOSX/packages", "Settings/ParanoidReport");
  script_require_ports("Services/www", 8080);

  exit(0);
}

# Stop quietly when the scan engine does not provide bn_random().
# NOTE(review): presumably a proxy for the crypto support that the SSH
# library below depends on -- confirm.
if (!defined_func("bn_random")) exit(0);

include("global_settings.inc");
include("misc_func.inc");
include("ssh_func.inc");
include("macosx_func.inc");



enable_ssh_wrappers();

# The package list is used here only as a presence check: it shows that host
# data was collected for this Mac OS X target (presumably by ssh_get_info.nasl,
# which is declared as a dependency). Its contents are not parsed by this script.
packages = get_kb_item("Host/MacOSX/packages");
if (!packages) exit(1, "The 'Host/MacOSX/packages' KB item is missing.");


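# Unless we're paranoid, make sure the service is enabled.
#
# The probe is a plain "GET /" against each candidate web port, followed by a
# match on EvoCam's page markers. It only confirms that the EvoCam web server
# is reachable; the oversized request is never sent.
if (get_kb_item("global_settings/report_paranoia") != 'Paranoid')
{
  found = FALSE;
  # Candidate ports: everything recorded under Services/www, plus 8080.
  ports = add_port_in_list(list:get_kb_list("Services/www"), port:8080);

  foreach var port (ports)
  {
    soc = open_sock_tcp(port);
    if (soc)
    {
      # Build the request for the port actually being probed. The previous
      # code passed a fixed port:80, which does not match the socket when the
      # service listens elsewhere (8080 is one of the candidates).
      send(socket:soc, data:http_get(item:"/", port:port));
      # Only the first 1024 bytes of the response are inspected, so a marker
      # that appears later in the page would not be seen.
      res = recv(socket:soc, length:1024);

      if (
        strlen(res) &&
        (
          "<title>EvoCam</title>" >< res ||
          '<applet archive="evocam.jar" code="com.evological.evocam.class"' >< res
        )
      ) found = TRUE;
      close(soc);
    }
    if (found) break;
  }
  # Exit code 0: "not applicable" rather than an error, so an installed but
  # stopped EvoCam is not reported in non-paranoid mode.
  if (!found) exit(0, "The EvoCam web server is not listening on the remote host.");
}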


# Runs a shell command on the scan target and returns its output with the
# trailing newline removed.
#
#   cmd - command line to execute: through "/bin/bash -c" when the target is
#         the scanner host itself, otherwise over an SSH session.
#
# The plugin exits with an error if the SSH session cannot be opened or if the
# output does not start with a digit, so callers only ever receive a string
# that begins like a version number.
#
# The command string is handed to a shell unmodified. The only caller in this
# script builds it from a constant path; keep it that way, and never pass
# target-derived text through here without quoting.
function exec(cmd)
{
  local_var opened, output;

  if (!islocalhost())
  {
    opened = ssh_open_connection();
    if (!opened) exit(1, "ssh_open_connection() failed.");
    output = ssh_cmd(cmd:cmd);
    ssh_close_connection();
  }
  else
    output = pread_wrapper(cmd:"/bin/bash", argv:make_list("bash", "-c", cmd));

  # Anything that does not begin with a digit is treated as a failed lookup.
  if (output !~ "^[0-9]") exit(1, "Failed to get the version - '"+output+"'.");

  return chomp(output);
}


# Read CFBundleShortVersionString from the application bundle. Only the
# default install location is inspected, so a copy of EvoCam placed anywhere
# else on the host is not evaluated by this check.
plist = "/Applications/EvoCam.app/Contents/Info.plist";
cmd = string(
  "cat '", plist, "' | ",
  "grep -A 1 CFBundleShortVersionString | ",
  "tail -n 1 | ",
  'sed \'s/.*string>\\(.*\\)<\\/string>.*/\\1/g\''
);
version = exec(cmd:cmd);
if (!strlen(version)) exit(1, "Can't get version info from '"+plist+"'.");

# Turn "3.6.7" into numeric components so they can be compared as integers.
parts = split(version, sep:'.', keep:FALSE);
count = max_index(parts);
for (idx = 0; idx < count; idx++)
  parts[idx] = int(parts[idx]);

# Exactly 3.6.6 and 3.6.7 are flagged; every other version is reported as not
# affected.
affected = (
  parts[0] == 3 &&
  parts[1] == 6 &&
  (parts[2] == 6 || parts[2] == 7)
);
if (!affected)
  exit(0, "The remote host is not affected since EvoCam "+version+" is installed.");

# Attach the installed and fixed versions unless report verbosity is unset or
# 'Quiet'.
verbosity = get_kb_item("global_settings/report_verbosity");
if (!verbosity || verbosity == 'Quiet')
  security_hole(0);
else
{
  report =
    '\n  Installed version : ' + version +
    '\n  Fixed version     : 3.6.8\n';
  security_hole(port:0, extra:report);
}
