Lucene search
K

Sun Java Web Console LibWebconsole_Services.SO Remote Format String

🗓️ 23 Apr 2007 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 25 Views

The remote web server is prone to a format string attack. The remote version of this service does not properly sanitize calls to the syslog function. By sending a specially crafted request it is possible to exploit this format string error. An attacker can exploit it to execute code with the privileges of the web server

Related
Refs
Code
ReporterTitlePublishedViews
Family
CVE
CVE-2007-1681
19 Apr 200710:00
cve
Cvelist
CVE-2007-1681
19 Apr 200710:00
cvelist
EUVD
EUVD-2007-1675
7 Oct 202500:30
euvd
NVD
CVE-2007-1681
19 Apr 200710:19
nvd
OpenVAS
Solaris Update for Sun Java Web Console (Lockhart) 121211-02
3 Jun 200900:00
openvas
OpenVAS
Solaris Update for Sun Java Web Console (Lockhart) 121212-02
3 Jun 200900:00
openvas
OpenVAS
Solaris Update for Sun Java Web Console (Lockhart) 121211-02
3 Jun 200900:00
openvas
OpenVAS
Solaris Update for Sun Java Web Console (Lockhart) 121212-02
3 Jun 200900:00
openvas
Prion
Format string
19 Apr 200710:19
prion
securityvulns
n.runs-SA-2007.007 - Sun Solaris 10 - Format string vulnerability
18 Apr 200700:00
securityvulns
Rows per page
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description) 
{
  script_id(25082);
  script_version("1.25");
  script_cvs_date("Date: 2018/11/15 20:50:25");

  script_cve_id("CVE-2007-1681");
  script_bugtraq_id(23539);

  script_name(english:"Sun Java Web Console LibWebconsole_Services.SO Remote Format String");
  script_summary(english:"Checks Sun Java Web Console Version");
 
  script_set_attribute(attribute:"synopsis", value:
"The remote web server is prone to a format string attack." );
  script_set_attribute(attribute:"description", value:
"The remote host is running SUN Java Web Console. 

The remote version of this service does not properly sanitize calls
to the syslog function. By sending a specially crafted request
it is possible to exploit this format string error.
An attacker can exploit it to execute code with the privileges of
the web server." );
  script_set_attribute(attribute:"see_also", value:"https://piratebay-proxies.com/best-internet-security/");
  # http://web.archive.org/web/20070504053040/http://sunsolve.sun.com/search/document.do?assetkey=1-26-102854-1
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?49b94d2d");
  script_set_attribute(attribute:"solution", value:
"See the vendor's update for information on workarounds and solutions
to this issue.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/04/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2007/04/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/04/23");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value: "cpe:/a:sun:java_web_console");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");
  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
  script_dependencie("http_version.nasl", "ssh_detect.nasl");
  script_require_ports("Services/www", 6789);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

if (!get_kb_item('Settings/PCI_DSS'))
{
 ssh_port = get_kb_item("Services/ssh");
 if (!ssh_port) exit(0);

 banner = get_kb_item(string("SSH/banner/", ssh_port));
 if ("Sun_SSH" >!< banner) exit(0,"The remote SSH banner on port "+ssh_port+" is not from a Solaris system."); 
}


port = 6789;
if (!get_port_state(port))
  exit(1, "Port "+port+" is not open.");

w = http_send_recv3(method:"GET", item:"/console/html/en/console_version.shtml", port:port,exit_on_fail:TRUE);

if ("<title>Sun Java(TM) Web Console: Version</title>" >!< w[2])
  exit (0,"The remote web server on port "+ port + " does not appear to be Sun Java(TM) Web Console.");

w = http_send_recv3(port: port, item:"/console/html/en/version.txt", method:"GET",exit_on_fail:TRUE);

#res = strcat(w[0], w[1], '\r\n', w[2]);

if (!egrep(pattern:"^[0-9]+\.[0-9]+\.[0-9]+$", string:w[2]))
  exit (1,"Failed to extract version in desired format from Sun Java(TM) Web Console listening on port "+ port+".");

vers = ereg_replace(pattern:"^([0-9]+\.[0-9]+\.[0-9]+)$", string:w[2], replace:"\1");
vers = split(vers, sep:".", keep:FALSE);

if ( (int(vers[0])   < 2) ||
     ((int(vers[0]) == 2) && (int(vers[1]) < 2)) ||
     ((int(vers[0]) == 2) && (int(vers[1]) == 2) && (int(vers[2]) < 6)) )
{
 # don't worry about checking for the 2.2.4 patch in a PCI scan
 if (get_kb_item('Settings/PCI_DSS'))
 {
   if(report_verbosity > 0)
   {
     report = '\n'+
              'Sun Java(TM) Web Console version '+ join(vers,sep:".") + '\n' +
              'is installed on the remote host. Nessus did not attempt to\n' +
              'determine if patches 121211-02 or 121212-02 have been applied.\n';
     security_hole(port:port,extra:report);
   }
   else
     security_hole(port);
   exit(0);
 }

 # patched in 2.2.6 except for solaris 10 ( patched in 2.2.4 )
 w = http_send_recv3(method:"GET", item:"/console/html/en/versionDate.txt", port:port,exit_on_fail:TRUE);

 #res = strcat(w[0], w[1], '\r\n', w[2]);

 if (!egrep(pattern:"^[0-9]+/[0-9]+/[0-9]+$", string:w[2]))
   exit (1,"Failed to extract version date in desired format from Sun Java(TM) Web Console listening on port "+ port+".");
 
 date = ereg_replace(pattern:"^([0-9]+/[0-9]+/[0-9]+)$", string:w[2], replace:"\1");
 date = split(date, sep:"/", keep:FALSE);

 if ( int(date[0])   < 2007 ||
      (int(date[0]) == 2007 && int(date[1]) < 3) )
 {  
   if(report_verbosity > 0)
   {
     report = '\n'+
              'Sun Java(TM) Web Console version '+ join(vers,sep:".") + ' ('+join(date,sep:"/")+ ')\n'+
              'is installed on the remote host.\n';
     security_hole(port:port,extra:report);
   }
   else
     security_hole(port); 
   exit(0);
 }
 else
  exit(0,"Sun Java(TM) Web Console version date '"+ join(date,sep:"/")+"' is newer than 2007/3 and hence not affected.");
}
else
  exit(0,"Sun Java(TM) Web Console version '"+join(vers,sep:".")+"' is installed on port "+ port + " and hence not affected.");

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

15 Nov 2018 20:50Current
5.8Medium risk
Vulners AI Score5.8
CVSS 27.5
EPSS0.04716
25