nessus | This script is Copyright (C) 2013-2023 and is owned by Tenable, Inc. or an Affiliate thereof. | SUN_SPARC_SSH_BAD_CONFIG.NASL
HistoryAug 21, 2013 - 12:00 a.m.

Sun SPARC Enterprise T5120 and T5220 Default Configuration Root Command Execution

2013-08-21 00:00:00
This script is Copyright (C) 2013-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
23

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

7.5 High

AI Score

Confidence

Low

0.011 Low

EPSS

Percentile

84.7%

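The remote Sun SPARC Enterprise Server was mistakenly shipped with factory settings in its pre-installed Solaris 10 image that configure the SSH server insecurely. As a result, local or remote users may leverage these misconfigurations to execute arbitrary commands with the privileges of the root (uid 0) user. The plugin below is a credentialed (local) check: it reports a host only when all three factory-image indicators are found, namely a commented-out CONSOLE entry in /etc/default/login, `PermitRootLogin yes` in /etc/ssh/sshd_config, and the factory PS1/LOGDIR settings in /.profile.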

#TRUSTED 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
#TRUST-RSA-SHA256 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration pass: when `description` is set the script only declares its
# metadata and then exits, so none of the detection code further down runs
# in this pass.
if (description)
{
  # Plugin identity and revision bookkeeping.
  script_id(69420);
  script_version("1.24");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/27");

  # External references: the CVE this check maps to and its IAVA notice.
  script_cve_id("CVE-2008-1369");
  script_xref(name:"IAVA", value:"2008-A-0025-S");

  script_name(english:"Sun SPARC Enterprise T5120 and T5220 Default Configuration Root Command Execution");
  script_summary(english:"Check for the configuration of the SPARC Enterprise Image");

  # Text shown to the analyst in the scan report.
  script_set_attribute(attribute:"synopsis", value:
"The remote Solaris host has a misconfigured SSH server.");
  script_set_attribute(attribute:"description", value:
"The remote Sun SPARC Enterprise Server has been mistakenly shipped with
factory settings in the pre-installed Solaris 10 image which configures
the remote SSH server insecurely. As a result, local or remote users may
leverage these misconfigurations to execute arbitrary commands with the
privileges of the root (uid 0) user.");
  script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1018965.1.html");
  # The remediation is delegated to the vendor advisory referenced in see_also.
  script_set_attribute(attribute:"solution", value:
"Follow the steps in the workaround section of the advisory above");
  script_set_attribute(attribute:"agent", value:"unix");
  # Scoring: the CVSS v2 base vector is network / low complexity / no
  # authentication with complete C/I/A impact; the v3.0 vector additionally
  # marks scope as changed (S:C). Both are attributed to CVE-2008-1369 below.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  # Temporal vector: exploitability unproven (E:U), official fix (RL:OF),
  # report confidence confirmed (RC:C).
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2008-1369");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  # CWE-264: Permissions, Privileges, and Access Controls.
  script_cwe_id(264);

  script_set_attribute(attribute:"vuln_publication_date", value:"2008/03/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2008/03/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/08/21");

  # "local" plugin type: the check reads files on the target over an
  # authenticated session, even though the family name below describes the
  # class of weakness ("Gain a shell remotely").
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:sun:solaris");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  # ACT_GATHER_INFO: the plugin is registered as information gathering only.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Gain a shell remotely");

  script_copyright(english:"This script is Copyright (C) 2013-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Prerequisites: both KB keys must exist before the check is scheduled.
  # NOTE(review): presumably ssh_get_info.nasl populates them after a
  # successful credentialed login - confirm against that plugin.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/uname", "Host/local_checks_enabled");

  # End of the registration pass.
  exit(0);
}

include('ssh_func.inc');
include('local_detection_nix.inc');

# Preconditions: credentialed (local) checks must be enabled for this host,
# otherwise the script stops here.
get_kb_item_or_exit('Host/local_checks_enabled');

enable_ssh_wrappers();

# Working variables shared by the three indicator checks further down.
# `buf` carries the output of the most recent command; `report` receives the
# final report text.
var buf = NULL;
var cmd_template = NULL;
var report = NULL;

# One slot per indicator. Each slot stays FALSE until the matching lines
# have been captured from the corresponding file.
var report_data = {
  'default_login_contains' : FALSE,
  'sshd_contains'          : FALSE,
  'dot_profile_contains'   : FALSE
  };

# Only Solaris hosts are in scope; any other uname is audited out.
var uname = get_kb_item_or_exit('Host/uname');
if (!('SunOS' >< uname))
{
  audit(AUDIT_OS_NOT, 'Solaris');
}

# Open the session used to run commands on the target.
var ret = info_connect(exit_on_fail:TRUE);
if (!ret)
{
  audit(AUDIT_SVC_FAIL, 'SSH', kb_ssh_transport());
}

# Every indicator is located with grep, so stop if it is not usable.
if (!ldnix::grep_supported())
{
  audit(AUDIT_NOT_INST, 'grep');
}

# Resolve grep to a path on the target and keep the first candidate.
grep_path = ldnix::get_command_path(command:"grep");

if (empty_or_null(grep_path))
{
  audit(AUDIT_FN_FAIL, 'ldnix::get_command_path(command:"grep")', NULL);
}
else
{
  grep_path = grep_path[0];
}

#
# Indicator 1 of 3, per https://download.oracle.com/sunalerts/1018965.1.html
#
# Collect every line of /etc/default/login that mentions CONSOLE= and look
# for the commented-out entry '#CONSOLE=/dev/console'.
#
# NOTE(review): this is a substring test on all matching lines, so it also
# passes when an active CONSOLE= line exists next to the commented one -
# confirm whether that combination should still count as the factory image.
#
if (ldnix::file_exists(file:'/etc/default/login'))
{
  buf = ldnix::run_cmd_template_wrapper(
    template: '$1$ CONSOLE= /etc/default/login',
    args: [grep_path]);
}

# Keep the raw matching lines for the final report.
if (!empty_or_null(buf))
{
  report_data['default_login_contains'] = buf;
}

# Missing file, no output, or no commented-out entry: the host is not the
# affected image, so release the session and stop.
if (!('#CONSOLE=/dev/console' >< buf))
{
  ssh_close_connection();
  audit(AUDIT_HOST_NOT, 'affected');
}

# Reset so the next check cannot see stale output.
buf = NULL;

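# Indicator 2 of 3: /etc/ssh/sshd_config allows direct root logins.
#
# grep is asked for lines that start with 'PermitRootLogin', followed by one
# or more spaces and 'yes'.
#
# NOTE(review): '\+' is a GNU extension to basic regular expressions -
# confirm that the grep resolved on the target accepts it, otherwise this
# command returns nothing and the host is audited out.
# NOTE(review): tab-separated or differently-cased directives are not matched
# by this pattern - confirm whether they need to be covered.
if (ldnix::file_exists(file:'/etc/ssh/sshd_config'))
  buf = ldnix::run_cmd_template_wrapper(
    template: '$1$ \'^PermitRootLogin \\+yes\' /etc/ssh/sshd_config',
    args: [grep_path]);

# Keep the raw matching lines for the final report.
if (!empty_or_null(buf))
  report_data['sshd_contains'] = buf;

# Validate the output with the same "one or more spaces" rule that grep was
# given. A plain substring test for 'PermitRootLogin yes' rejected lines
# that grep had matched with two or more spaces, which produced a false
# negative. The pattern is left unanchored so every output that satisfied
# the substring test still passes.
if (empty_or_null(buf) ||
    !preg(pattern:"PermitRootLogin +yes", string:buf, multiline:TRUE)) {
  ssh_close_connection();
  audit(AUDIT_HOST_NOT, 'affected');
}

# Reset so the next check cannot see stale output.
buf = NULL;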

# Indicator 3 of 3: /.profile still carries the factory PS1 and LOGDIR
# settings. Both must be present.
#
# NOTE(review): '\|' (alternation) is a GNU extension to basic regular
# expressions - confirm that the grep resolved on the target accepts it.
if (ldnix::file_exists(file:'/.profile'))
{
  buf = ldnix::run_cmd_template_wrapper(
    template: '$1$ "PS1\\|LOGDIR" /.profile',
    args: [grep_path]);
}

# This was the last command to run on the target, so the session is released
# before the result is evaluated.
ssh_close_connection();

# Keep the raw matching lines for the final report.
if (!empty_or_null(buf))
{
  report_data['dot_profile_contains'] = buf;
}

# Audit out unless both factory markers are found in the output.
if (!('PS1=\'ROOT>\'' >< buf &&
      'LOGDIR=\'/export/home/utslog\'' >< buf))
{
  audit(AUDIT_HOST_NOT, 'affected');
}

# Final gate: a finding is reported only when all three indicators were
# captured. This repeats the per-indicator checks above as a safety net.
if (!(report_data['default_login_contains'] &&
      report_data['sshd_contains'] &&
      report_data['dot_profile_contains']))
{
  audit(AUDIT_HOST_NOT, 'affected');
}

# Build the report from the raw lines found in each file, so the analyst can
# see the evidence behind the finding.
report = '\nNessus was able to detect the vulnerability by locating the ' +
         '\nfollowing items :' +
         '\n';
report += '\nIn file /etc/default/login : \n' + report_data['default_login_contains'];
report += '\nIn file /etc/ssh/sshd_config : \n' + report_data['sshd_contains'];
report += '\nIn file /.profile : \n' + report_data['dot_profile_contains'];
report += '\n';

# Port 0: the finding is attached to the host rather than to a service port.
security_report_v4(port:0, severity:SECURITY_HOLE, extra:report);
exit(0);

| Vendor | Product | Version | CPE |
|---|---|---|---|
| sun | solaris | | cpe:/o:sun:solaris |
