
Marvell QConvergeConsole (QCC) FlashValidatorServiceImpl decryptFile Path Traversal RCE

2020-09-02 00:00:00
This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.038 Low

EPSS

Percentile

91.9%

The Marvell QConvergeConsole GUI running on the remote host is affected by a path traversal vulnerability in the decryptFile method of the FlashValidatorServiceImpl class in the FlashValidator web application. An unauthenticated, remote attacker can exploit this, via specially crafted message(s), to execute arbitrary code on the host with SYSTEM or root privileges.

Note that the application is reportedly affected by other vulnerabilities; however, this plugin has not tested for those issues.

###
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

# Plugin registration. When Nessus loads the script to collect its
# metadata it sets `description`, takes this branch and leaves via
# exit(0); the network check further down only runs during a real scan.
if (description)
{
  script_id(140188);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/09/03");

  # Cross-references: the CVE and the ZDI advisory for the same issue.
  script_cve_id("CVE-2020-15639");
  script_xref(name:"ZDI", value:"ZDI-20-967");

  script_name(english:"Marvell QConvergeConsole (QCC) FlashValidatorServiceImpl decryptFile Path Traversal RCE");

  script_set_attribute(attribute:"synopsis", value:
"The remote web application is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Marvell QConvergeConsole GUI running on the remote host is
affected by a path traversal vulnerability in the decryptFile method
of the FlashValidatorServiceImpl class in the FlashValidator web
application. An unauthenticated, remote attacker can exploit this, 
via specially crafted message(s), to execute arbitrary code on the
host with SYSTEM or root privileges.

Note that the application is reportedly affected by other
vulnerabilities; however, this plugin has not tested for those issues.");
  # Vendor advisory is the primary reference; see_also carries a
  # nessus.org short link that resolves to the PDF below.
  # https://www.marvell.com/content/dam/marvell/en/public-collateral/fibre-channel/marvell-fibre-channel-security-advisory-2020-07.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0975c4e9");
  script_set_attribute(attribute:"solution", value:
"Upgrade QConvergeConsole GUI to version 5.5.0.73 or later.");
  # Base vectors are network / low complexity / no auth with complete
  # impact; temporal vectors record E:U (exploit unproven), RL:OF / RL:O
  # (official fix available) and RC:C (confirmed).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-15639");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/08/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/08/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/09/02");

  # Remote (unauthenticated network) check, keyed to the product CPE
  # reported by the detection plugin.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/a:marvell:qconvergeconsole");
  script_end_attributes();

  # ACT_ATTACK plugins run after the detection phase, so the
  # qcc_detect.nbin result required below is available by then.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Only run where the detection plugin has registered a QCC install;
  # candidate ports are the generic www service plus 8080/8443 (the
  # check body itself falls back to 8080 via get_http_port).
  script_dependencies("qcc_detect.nbin");
  script_require_keys("installed_sw/QLogic QConvergeConsole");
  script_require_ports("Services/www", 8080, 8443);

  exit(0);
}

include('http.inc');
include('install_func.inc');
include('debug.inc');

app = 'QLogic QConvergeConsole';

# Stop unless the detection plugin registered an install of the
# application on this host at all ...
get_install_count(app_name:app, exit_if_zero:TRUE);

# ... and specifically on the HTTP port being scanned.
port = get_http_port(default:8080);
install = get_single_install(app_name:app, port:port);

# URL scheme follows the transport the port was detected with: plain IP
# encapsulation is cleartext HTTP, anything else is treated as TLS.
scheme = 'https';
if (get_port_transport(port) == ENCAPS_IP) scheme = 'http';

# GWT module base and the RPC servlet path under it.
gwt_base = '/FlashValidator/com.qlogic.qms.hba.gwt.FlashValidator/';
svc_path = gwt_base + 'FlashValidatorService';
req_headers = {'X-GWT-Permutation':'abcd'};

# GWT-RPC string table. Entries are referenced 1-based further below.
string_table =
  scheme + '://' + get_host_ip() + ':' + port + gwt_base + '|' + # 1: module base URL
  'serialization_policy|' +                                      # 2: serialization policy file
  'com.qlogic.qms.hba.gwt.client.FlashValidatorService|' +       # 3: service interface
  'decryptFile|' +                                               # 4: method name
  'java.lang.String/2004016611|' +                               # 5: parameter type
  'infile|' +                                                    # 6: first argument
  'outfile|';                                                    # 7: second argument (never referenced)

# Request body: version|flags|string-count, the table, then references.
# decryptFile(String infile, String outfile) takes two arguments, but
# only the first is supplied. The server-side deserializer then fails
# before decryptFile() runs, so the probe never creates a file on the
# target; a complete call would, which would make the plugin destructive.
payload =
  '7|0|' +         # GWT-RPC version 7, no flags
  '7|' +           # seven strings in the table
  string_table +
  '1|2|3|4|' +     # base URL, policy, interface, method
  '2|' +           # argument count
  '5|5|' +         # both arguments typed java.lang.String
  '6|';            # value of the first argument only

res = http_send_recv3(
  port         : port,
  method       : 'POST',
  item         : svc_path,
  data         : payload,
  content_type : 'text/x-gwt-rpc; charset=UTF-8',
  add_headers  : req_headers,
  exit_on_fail : TRUE
);

status_line = res[0];

if (' 404 ' >< status_line)
{
  # Fixed builds remove the FlashValidator webapp entirely, so the
  # decryptFile() endpoint no longer exists.
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app, build_url(port:port, qs:install['path']));
}
else if (' 200 ' >!< status_line)
{
  # Anything other than 200/404 is unexpected: keep the response in the
  # debug log and stop without reporting.
  dbg::log(msg:status_line + res[1], ddata:res[2]);
  audit(AUDIT_RESP_BAD, port);
}
else
{
  # 200: the endpoint is present and accepted the GWT-RPC request; the
  # call itself fails on the missing second argument.
  # NOTE(review): only the status line is inspected, not the body, so a
  # deployment that answers 200 to arbitrary paths would also land here.
  dbg::log(msg:status_line + res[1], ddata:res[2]);
  report =
    'Nessus was able to detect the issue using the following request : \n' +
    http_last_sent_request();
  security_report_v4(severity:SECURITY_HOLE, port:port, extra:report);
}

| Vendor | Product | Version | CPE |
|---|---|---|---|
| marvell | qconvergeconsole | | x-cpe:/a:marvell:qconvergeconsole |

