Vulners
Lucene search
NetSarang Xmanager 5 Backdoor Trojan (ShadowPad)
| Source | Link |
|---|---|
| securelist | www.securelist.com/shadowpad-in-corporate-networks/81432/ |
| nessus | www.nessus.org/u |
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(102712);
script_version("1.4");
script_cvs_date("Date: 2018/08/08 12:52:14");
script_name(english: "NetSarang Xmanager 5 Backdoor Trojan (ShadowPad)");
script_summary(english:"Checks the Xmanager 5 install for a trojaned nssock2.dll file.");
script_set_attribute(attribute:"synopsis", value:
"The remote host contains an application that is affected by a trojan
backdoor.");
script_set_attribute(attribute:"description", value:
"The Xmanager 5, an X server for Windows, installed on the remote
host has a nssock2.dll file identified by its MD5 hash that is
infected with a trojan backdoor.
The affected file includes an encrypted payload that could be remotely
activated by a knowledgeable attacker.");
script_set_attribute(attribute:"see_also", value:"https://securelist.com/shadowpad-in-corporate-networks/81432/");
# https://www.netsarang.com/news/security_exploit_in_july_18_2017_build.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8956bf87");
script_set_attribute(attribute:"solution", value:"Upgrade to Xshell 5 Build 1326 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/04");
script_set_attribute(attribute:"patch_publication_date", value:"2017/08/05");
script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/23");
script_set_attribute(attribute:"plugin_type", value:"local");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");
script_dependencies("smb_hotfixes.nasl");
script_require_keys("SMB/Registry/Enumerated");
script_require_ports(139, 445);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("smb_func.inc");
include("smb_reg_query.inc");
include("smb_hotfixes_fcheck.inc");
get_kb_item_or_exit("SMB/Registry/Enumerated");
product = "Xmanager 5";
trojan_hash = "97363d50a279492fda14cbab53429e75";
port = kb_smb_transport();
registry_init();
hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
path = get_registry_value(
handle:hklm,
item:"SOFTWARE\NetSarang\Xmanager\5\Path"
);
RegCloseKey(handle:hklm);
close_registry(close:TRUE);
if (isnull(path))
audit(AUDIT_NOT_INST, product);
trojan_dll = hotfix_append_path(path:path, value:"nssock2.dll");
data = hotfix_get_file_contents(trojan_dll);
if (data)
hash = MD5(data);
else
exit(1, "Failed to read nssock2.dll.");
if(hash == trojan_hash)
{
report =
'\n Path : ' + trojan_dll +
'\n';
security_report_v4(severity:SECURITY_HOLE, port:port, extra:report);
exit(0);
}
else
{
audit(AUDIT_INST_PATH_NOT_VULN, product, path);
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Aug 2018 12:52Current
5.4Medium risk
Vulners AI Score5.4