nessus — This script is Copyright (C) 2015-2023 and is owned by Tenable, Inc. or an Affiliate thereof. — REALTEK_CVE_2014_8361.NASL
History: May 01, 2015 - 12:00 a.m.

Realtek SDK miniigd SOAP Service RCE

2015-05-01 00:00:00
This script is Copyright (C) 2015-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.97

Percentile

99.8%

According to its banner, the Realtek Software Development Kit is running on the remote device. It is, therefore, affected by a flaw in the miniigd SOAP service due to a failure to properly sanitize user input when handling NewInternalClient requests. An unauthenticated, remote attacker, using a crafted request, can exploit this to execute arbitrary code with root level privileges.

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

# Plugin registration: this branch runs only when the engine evaluates the
# script for its description and exits before any scanning logic below.
if (description)
{
  script_id(83185);
  script_version("1.14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/18");

  script_cve_id("CVE-2014-8361");
  script_bugtraq_id(74330);
  script_xref(name:"ZDI", value:"ZDI-15-155");
  script_xref(name:"EDB-ID", value:"37169");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2023/10/09");

  script_name(english:"Realtek SDK miniigd SOAP Service RCE");

  script_set_attribute(attribute:"synopsis", value:
"A software development kit running on the remote device is affected by
a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the Realtek Software Development Kit is
running on the remote device. It is, therefore, affected by a flaw in
the miniigd SOAP service due to a failure to properly sanitize user
input when handling NewInternalClient requests. An unauthenticated,
remote attacker, using a crafted request, can exploit this to execute
arbitrary code with root level privileges.");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-15-155/");
  # NOTE(review): the solution text states no fix is available, yet the
  # temporal vectors below encode RL:OF / RL:O (official fix); the two
  # should be reconciled when the plugin is next revised.
  script_set_attribute(attribute:"solution", value:
"There is currently no fix available. As a workaround, restrict access
to vulnerable devices.");
  # Base and temporal vectors; the CVSS3 strings carry the 3.0 prefix.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");

  # Exploit-availability metadata (public exploit, Metasploit module, in-the-wild use).
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Realtek SDK Miniigd UPnP SOAP Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/01");

  # Marked as a potential vulnerability: the check below matches only the
  # advertised version string in a banner and does not verify exploitability.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:realtek:realtek_sdk");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2015-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # upnp_search.nasl populates the 'upnp/server' KB list and http_version.nasl
  # the 'Services/www' ports that the checks below read.
  script_dependencies("upnp_search.nasl", "http_version.nasl");
  # Paranoid reporting must be enabled; enforced again via report_paranoia below.
  script_require_keys("Settings/ParanoidReport");
  script_require_ports("upnp/server", "Services/www");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("audit.inc");

# The check relies solely on the advertised version string (see
# _check_realtek_version below), so it is gated behind paranoid
# reporting (Settings/ParanoidReport).
if (report_paranoia < 2)
{
  audit(AUDIT_PARANOID);
}

# 'vuln' is raised by _check_realtek_version() whenever a vulnerable banner
# is seen and decides the final audit() at the end of the script.
# 'fix' is declared here but never assigned in this file.
global_var fix, vuln;
vuln = FALSE;

##
# Flags a banner as vulnerable when it advertises realtek upnpd
# version 0.x, 1, or 1.0 through 1.3 and, if so, hands a report to
# security_report_v4().  Raises the script-global 'vuln' as a side effect.
#
# @param port   port number of the service being tested
# @param server server banner advertised on "port"
# @param proto  the protocol the port is accessible by (tcp or udp)
##
function _check_realtek_version(port, server, proto)
{
  local_var match, advertised, extra;

  # Drop the trailing newline so the '$' anchor in the pattern can match.
  server = chomp(server);
  match = eregmatch(string:server, pattern:"realtek/v((0(\.[0-9.]+)?|1\.[0-3](\.[0-9.]+)?|1)$)", icase:TRUE);

  # Anything that is not a matching Realtek version string is ignored.
  if (isnull(match)) return;

  vuln = TRUE;

  # Strip the leading "SERVER:" label so only the product string is shown.
  advertised = ereg_replace(string:server, pattern:'SERVER: *(.+)', replace:"\1", icase:TRUE);

  extra = '\n  Server banner     : ' + advertised +
          '\n  Installed version : ' + match[1] + '\n';

  security_report_v4(port:port, proto:proto, severity:SECURITY_HOLE, extra:extra);
}

# Pass 1: banners collected over UDP 1900 by upnp_search.nasl.
servers = get_kb_list('upnp/server');
foreach server (servers)
{
  _check_realtek_version(port:1900, server:server, proto:'udp');
}

# Pass 2: Server headers of any HTTP services found by http_version.nasl.
www_ports = get_kb_list('Services/www');

# Nothing found over UDP and nothing to inspect over HTTP: not affected.
if (!vuln && isnull(www_ports))
  audit(AUDIT_HOST_NOT, 'affected');

foreach port (www_ports)
{
  server = http_server_header(port:port);
  if (empty_or_null(server)) continue;

  _check_realtek_version(port:port, server:server, proto:'tcp');
}

# Only report "not affected" when neither pass matched a vulnerable banner.
if (!vuln)
  audit(AUDIT_HOST_NOT, 'affected');

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.97

Percentile

99.8%