Tenable SecurityCenter PHP Character Handling (TNS-2015-09)

2016-02-29T00:00:00
ID SECURITYCENTER_PHP_5_4_43.NASL
Type nessus
Reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2016-02-29T00:00:00

Description

The SecurityCenter application installed on the remote host contains a bundled version of PHP that is prior to 5.4.43. It is, therefore, affected by an exclamation mark character handling issue in the escapeshellcmd() and escapeshellarg() PHP functions. A remote attacker can exploit this to substitute environment variables.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

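if (description)
{
  script_id(89027);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/12/14");

  script_name(english:"Tenable SecurityCenter PHP Character Handling (TNS-2015-09)");
  script_summary(english:"Checks the version of PHP in SecurityCenter.");

  # Finding text shown to the user; the version-specific details are added
  # at report time from the "php -v" output collected below.
  script_set_attribute(attribute:"synopsis", value:
"The remote application is affected by a character handling
vulnerability in the bundled version of PHP.");
  script_set_attribute(attribute:"description", value:
"The SecurityCenter application installed on the remote host contains a
bundled version of PHP that is prior to 5.4.43. It is, therefore,
affected by an exclamation mark character handling issue in the
escapeshellcmd() and escapeshellarg() PHP functions. A remote attacker
can exploit this to substitute environment variables.");
  # Vendor advisory, the upstream PHP bug, and the changelog entry of each
  # PHP branch that received the fix (5.4.43 / 5.5.27 / 5.6.11).
  script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/tns-2015-09");
  script_set_attribute(attribute:"see_also", value:"https://bugs.php.net/bug.php?id=69768");
  script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-5.php#5.4.43");
  script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-5.php#5.5.27");
  script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-5.php#5.6.11");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant patch as referenced in the vendor advisory.");
  # Scores are taken from the vendor advisory rather than an NVD entry,
  # hence the manual source and the rationale attribute.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"manual");
  # Attribute name quoted the same way as every other attribute in this block.
  script_set_attribute(attribute:"cvss_score_rationale", value:"Score based on analysis of the vendor advisory.");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/06/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/07/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/02/29");

  # Local check: the version is read by running the bundled PHP binary on
  # the host, so credentials (or scanning localhost) are required.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:tenable:securitycenter");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Both detection plugins must have run; the KB keys below are what the
  # check reads to locate SecurityCenter and to confirm local checks work.
  script_dependencies("securitycenter_installed.nbin", "securitycenter_detect.nbin");
  script_require_keys("Host/SecurityCenter/Version", "installed_sw/SecurityCenter", "Host/local_checks_enabled");

  exit(0);
}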

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("ssh_func.inc");
include("telnet_func.inc");
include("hostlevel_funcs.inc");
include("install_func.inc");


# Use the newer SSH command wrappers when the SSH library supports them.
if (sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
  enable_ssh_wrappers();
else
  disable_ssh_wrappers();

# This is a local check: without working local checks there is nothing to run.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Prefer the SecurityCenter version cached in the KB; otherwise fall back to
# the detected install, which is reported against port 443.
port = 0;
sc_ver = get_kb_item("Host/SecurityCenter/Version");
if (empty_or_null(sc_ver))
{
  port = 443;
  install = get_single_install(app_name:"SecurityCenter", combined:TRUE, exit_if_unknown_ver:TRUE);
  sc_ver = install["version"];
}

# Affected: SecurityCenter 4.8, 4.8.1, 5.0.0.1
if (sc_ver !~ "^(4\.8($|\.)|5\.0\.0\.)") audit(AUDIT_INST_VER_NOT_VULN, "SecurityCenter", sc_ver);

# Decide how commands are executed: directly on the scanner host, or over an
# SSH session held in sock_g (the global read by info_send_cmd).
if (islocalhost())
{
  if (!defined_func("pread")) audit(AUDIT_NOT_DETECT, "pread");
  info_t = INFO_LOCAL;
}
else
{
  sock_g = ssh_open_connection();
  if (!sock_g) audit(AUDIT_HOST_NOT, "able to connect via the provided SSH credentials.");
  info_t = INFO_SSH;
}

# Ask the bundled PHP binary for its version, trying both known install prefixes.
php_out = info_send_cmd(cmd:"/opt/sc4/support/bin/php -v");
if (empty_or_null(php_out)) php_out = info_send_cmd(cmd:"/opt/sc/support/bin/php -v");

# The session is not needed past this point whatever the outcome, so release
# it once here rather than on every exit path.
if (info_t == INFO_SSH) ssh_close_connection();

if (empty_or_null(php_out)) audit(AUDIT_UNKNOWN_APP_VER, "PHP (within SecurityCenter)");

# "php -v" starts with e.g. "PHP 5.4.41 (cli) ..."; keep only the version number.
ver_match = pregmatch(pattern:"PHP ([0-9.]+) ", string:php_out);
if (isnull(ver_match)) audit(AUDIT_UNKNOWN_APP_VER, "PHP (within SecurityCenter)");
version = ver_match[1];

# Fixed release per PHP branch; any other branch is measured against the
# 5.4 fix named in the advisory (the original default).
fix = "5.4.43";
fix_by_branch = make_array(
  "^5\.4\.", "5.4.43",
  "^5\.5\.", "5.5.27",
  "^5\.6\.", "5.6.11"
);
foreach branch_re (keys(fix_by_branch))
{
  if (version =~ branch_re)
  {
    fix = fix_by_branch[branch_re];
    break;
  }
}

# audit() exits, so anything past this line is a confirmed vulnerable version.
if (ver_compare(ver:version, fix:fix, strict:FALSE) >= 0)
  audit(AUDIT_INST_VER_NOT_VULN, "PHP (within SecurityCenter)", version);

report =
  '\n' +
  '\n  SecurityCenter version     : ' + sc_ver +
  '\n  SecurityCenter PHP version : ' + version +
  '\n  Fixed PHP version          : ' + fix +
  '\n';
security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
exit(0);