Vulners
Lucene search
NetSarang Xftp 5 Backdoor Trojan (ShadowPad)
| Source | Link |
|---|---|
| securelist | www.securelist.com/shadowpad-in-corporate-networks/81432/ |
| nessus | www.nessus.org/u |
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(102709);
script_version("1.4");
script_cvs_date("Date: 2018/08/08 12:52:14");
script_name(english: "NetSarang Xftp 5 Backdoor Trojan (ShadowPad)");
script_summary(english:"Checks the Xftp 5 install for a trojaned nssock2.dll file.");
script_set_attribute(attribute:"synopsis", value:
"The remote host contains an application that is affected by a trojan
backdoor.");
script_set_attribute(attribute:"description", value:
"The Xftp 5, an FTP client for Windows, installed on the remote host
has a nssock2.dll file identified by its MD5 hash that is infected
with a trojan backdoor.
The affected file includes an encrypted payload that could be
remotely activated by a knowledgeable attacker.");
script_set_attribute(attribute:"see_also", value:"https://securelist.com/shadowpad-in-corporate-networks/81432/");
# https://www.netsarang.com/news/security_exploit_in_july_18_2017_build.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8956bf87");
script_set_attribute(attribute:"solution", value:"Upgrade to Xshell 5 Build 1326 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/04");
script_set_attribute(attribute:"patch_publication_date", value:"2017/08/05");
script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/23");
script_set_attribute(attribute:"plugin_type", value:"local");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");
script_dependencies("smb_hotfixes.nasl");
script_require_keys("SMB/Registry/Enumerated");
script_require_ports(139, 445);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("smb_func.inc");
include("smb_reg_query.inc");
include("smb_hotfixes_fcheck.inc");
get_kb_item_or_exit("SMB/Registry/Enumerated");
product = "Xftp 5";
trojan_hash = "97363d50a279492fda14cbab53429e75";
port = kb_smb_transport();
registry_init();
hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
path = get_registry_value(
handle:hklm,
item:"SOFTWARE\NetSarang\Xftp\5\Path"
);
RegCloseKey(handle:hklm);
close_registry(close:TRUE);
if (isnull(path))
audit(AUDIT_NOT_INST, product);
trojan_dll = hotfix_append_path(path:path, value:"nssock2.dll");
data = hotfix_get_file_contents(trojan_dll);
if (data)
hash = MD5(data);
else
exit(1, "Failed to read nssock2.dll.");
if(hash == trojan_hash)
{
report =
'\n Path : ' + trojan_dll +
'\n';
security_report_v4(severity:SECURITY_HOLE, port:port, extra:report);
exit(0);
}
else
{
audit(AUDIT_INST_PATH_NOT_VULN, product, path);
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Aug 2018 12:52Current
5.5Medium risk
Vulners AI Score5.5