nessus | This script is Copyright (C) 2002-2024 Tenable Network Security, Inc. | RESIN_PATH_DISCLOSURE.NASL
History: Jul 17, 2002 - 12:00 a.m.

Resin MS-DOS Device Request Path Disclosure

2002-07-17 00:00:00
This script is Copyright (C) 2002-2024 Tenable Network Security, Inc.
www.tenable.com
23

AI Score: 6.6 Medium (Confidence: Low)

CVSS2: 5 Medium

- Access Vector: NETWORK (AV:N)
- Access Complexity: LOW (AC:L)
- Authentication: NONE
- Confidentiality Impact: PARTIAL
- Integrity Impact: NONE
- Availability Impact: NONE

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.002 Low (Percentile: 60.4%)

Resin reveals the physical path of the web root when a request names a special (reserved) DOS device, e.g. lpt9.xtp.

An attacker may use this flaw to gain further knowledge about the remote filesystem layout.

#
# (C) Tenable Network Security, Inc.
#

# Script audit and contributions from Carmichael Security
#      Erik Anderson <[email protected]> (nb: domain no longer exists)
#      Added BugtraqID

# Source:
# From:"Peter_Grundl" <[email protected]>
# To:"bugtraq" <[email protected]>
# Subject: KPMG-2002033: Resin DOS device path disclosure
# Date: Wed, 17 Jul 2002 11:33:59 +0200

include('compat.inc');

# Registration branch: taken when `description` is set. It makes only
# script_* metadata calls and then exit(0), so the detection logic after this
# block is not reached on this path.
if (description)
{
  script_id(11048);
  script_version("1.40");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/05");

  # Public identifiers for the issue (CVE and Bugtraq ID).
  script_cve_id("CVE-2002-2090");
  script_bugtraq_id(5252);

  script_name(english:"Resin MS-DOS Device Request Path Disclosure");

  script_set_attribute(attribute:"synopsis", value:
"It is possible to disclose information about the remote host.");
  # The description's example device is lpt9.xtp; the check later in this
  # file requests /aux.xtp instead (both are DOS device names).
  script_set_attribute(attribute:"description", value:
"Resin will reveal the physical path of the webroot when asked for a
special DOS device, e.g.  lpt9.xtp

An attacker may use this flaw to gain further knowledge about the
remote filesystem layout.");
  # The solution text names no fixed release. The advisory notes quoted later
  # in this file list Resin 2.1.s020711 as not vulnerable.
  script_set_attribute(attribute:"solution", value:
"Upgrade to a later software version.");
  # CVSSv2 base: network vector, low complexity, no authentication, partial
  # confidentiality impact, no integrity or availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  # CVSSv2 temporal: exploitability unproven, official fix, report confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2002/07/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2002/07/17");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:caucho_technology:resin");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  # NOTE(review): ACT_MIXED_ATTACK is the category for checks whose behaviour
  # is expected to depend on the safe-checks setting. No safe_checks() call is
  # visible in this file -- confirm the category is still accurate.
  script_category(ACT_MIXED_ATTACK);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2002-2024 Tenable Network Security, Inc.");

  # Presumably these two plugins populate the www/<port>/iis_detailed_errors
  # and www/<port>/generic_path_disclosure KB items read later in this file --
  # verify against those plugins.
  script_dependencies("iis_detailed_error.nasl", "404_path_disclosure.nasl");
  # Requires the "www/resin" KB key, and is excluded when
  # "Settings/disable_cgi_scanning" is set.
  script_require_keys("www/resin");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 8080, 8282);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Select the HTTP port to test; 8282 is passed as the default.
port = get_http_port(default:8282);
# Stop early when the KB already records another source of path disclosure on
# this port (IIS detailed errors, or a generic path disclosure finding),
# presumably to avoid a duplicate or misattributed report.
if (get_kb_item("www/"+port+"/iis_detailed_errors"))  exit(0, "The web server listening on port "+port+" appears to be an instance of IIS that returns detailed error messages.");
if (get_kb_item("www/"+port+"/generic_path_disclosure"))  exit(0, "The web server listening on port "+port+" is known to be affected by a generic path disclosure vulnerability.");


# Requesting a DOS device may hang some servers.
# NOTE(review): as far as this file shows, the request below is sent without
# consulting the safe-checks setting -- confirm this is intended for
# availability-sensitive targets.
#
# According to Peter Grundl's advisory:
# Vulnerable:
# Resin 2.1.1 on Windows 2000 Server
# Resin 2.1.2 on Windows 2000 Server
# <[email protected]> added Resin 2.1.0
# Not Vulnerable:
# Resin 2.1.s020711 on Windows 2000 Server
#
# The banner for snapshot 020604 looks like this:
# Server: Resin/2.1.s020604

# Unless report_paranoia is 2 or higher, require the string "Resin" in the
# HTTP banner before probing; a non-matching banner ends the script with
# exit code 1. The banner is not compared against the version list above.
if (report_paranoia < 2)
{
  banner = get_http_banner(port: port, exit_on_fail:TRUE);
  if ("Resin" >!< banner) exit(1, "The web server listening on port "+port+" does not appear to be Resin.");
}

# The probe is a single GET for a DOS device name with the .xtp extension.
# Defenders can recognise this check in access logs as a GET for /aux.xtp.
url = "/aux.xtp";

# The helper is asked to look for a Windows-style path containing "aux.xtp"
# in the response to that request.
# NOTE(review): presumably the helper returns a true value when such a path is
# found -- confirm in the included library.
res = test_generic_path_disclosure(item: url,
                                   method: "GET",
                                   port: port,
                                   path_type: "windows",
                                   filename: "aux.xtp",
                                   exit_on_fail: TRUE);

# A false result ends the script as "not affected".
# NOTE(review): when res is true the script ends with no reporting call in
# this file; presumably test_generic_path_disclosure() reports the finding
# itself -- confirm in the included library.
if (!res) exit(0, "The web server listening on port "+port+" is not affected.");
Vendor | Product | Version | CPE
caucho_technology | resin | | cpe:/a:caucho_technology:resin
