openvas | Copyright (C) 2016 Greenbone AG | OPENVAS:1361412562310105853
History: Aug 08, 2016 - 12:00 a.m.

VMware ESXi Multiple Vulnerabilities (VMSA-2016-0010) - Active Check

2016-08-08 00:00:00
Copyright (C) 2016 Greenbone AG
plugins.openvas.org
21

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.3 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

74.6%

ESXi contains an HTTP header injection vulnerability due to
lack of input validation. An attacker can exploit this issue to set arbitrary HTTP response
headers and cookies, which may allow for cross-site scripting and malicious redirect attacks.

# SPDX-FileCopyrightText: 2016 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

# Metadata section. It runs only when `description` is set and ends with
# exit(0), so none of the probing code further down is reached in this mode.
if(description)
{
  # Identity and bookkeeping of the VT.
  script_oid("1.3.6.1.4.1.25623.1.0.105853");
  script_version("2024-03-08T15:37:10+0000");
  script_tag(name:"last_modification", value:"2024-03-08 15:37:10 +0000 (Fri, 08 Mar 2024)");
  script_tag(name:"creation_date", value:"2016-08-08 13:06:24 +0200 (Mon, 08 Aug 2016)");
  # Severity: CVSS v2 base score/vector plus the CVSS v3.0 vector; the
  # severity_origin tag names NVD as the source of the rating.
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_tag(name:"severity_vector", value:"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2018-10-09 20:00:00 +0000 (Tue, 09 Oct 2018)");

  # NOTE(review): the script name says "Multiple Vulnerabilities", but only this
  # one CVE is registered and the probe below tests header injection only.
  # Confirm against the advisory whether further CVEs belong here.
  script_cve_id("CVE-2016-5331");

  # qod_type "remote_vul" matches the detection method described in "vuldetect":
  # the finding is based on the target's response to a crafted request, not on a
  # version or build comparison.
  script_tag(name:"qod_type", value:"remote_vul");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("VMware ESXi Multiple Vulnerabilities (VMSA-2016-0010) - Active Check");

  # ACT_ATTACK: the check sends a crafted request to the target. Scan
  # configurations that must stay passive should account for this category.
  script_category(ACT_ATTACK);

  script_copyright("Copyright (C) 2016 Greenbone AG");
  script_family("Web application abuses");
  # The probing code reads the web port from the KB key "VMware/ESX/port";
  # presumably gb_vmware_esx_web_detect.nasl sets it - verify against that VT.
  # Declaring the key as mandatory keeps the check from running where it is unset.
  script_dependencies("gb_vmware_esx_web_detect.nasl");
  script_mandatory_keys("VMware/ESX/port");

  script_tag(name:"summary", value:"ESXi contains an HTTP header injection vulnerability due to
  lack of input validation. An attacker can exploit this issue to set arbitrary HTTP response
  headers and cookies, which may allow for cross-site scripting and malicious redirect attacks.");

  script_tag(name:"vuldetect", value:"Sends a crafted HTTP GET request and checks the response.");

  script_tag(name:"affected", value:"VMWare ESXi 6.0 without patch ESXi600-201603101-SG.");

  script_tag(name:"solution", value:"Apply the missing patch(es).");

  script_xref(name:"URL", value:"http://www.vmware.com/security/advisories/VMSA-2016-0010.html");

  # Metadata only: stop here.
  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");
include("misc_func.inc");

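# Active probe for the HTTP header injection tracked as CVE-2016-5331.
# The request path carries URL-encoded CR LF sequences (%0d%0a) followed by two
# marker header lines. The target is reported only if it answers with a 303 and
# both markers come back decoded at the start of a line in the response.

# Web port of the ESXi host, read from the KB; without it there is nothing to test.
if( ! port = get_kb_item( "VMware/ESX/port" ) )
  exit( 0 );

vtstrings = get_vt_strings();
vtstring = vtstrings["default"];
vtstring_lo = vtstrings["lowercase"];

# Marker 1: a Set-Cookie line with a random value. "co" is the URL-encoded form
# placed in the request, "co_s" the decoded form expected in the response.
# Presumably the random value keeps a header the server sends anyway from
# satisfying the match.
co = "Set-Cookie:%20" + vtstring + "=" + rand();
co_s = str_replace( string:co, find:"%20", replace:" " );

# Marker 2: a custom header named after the lowercase VT string, again with a
# random value and the same encoded/decoded pair.
h1 = vtstring_lo + ":%20" + rand();
h1_s = str_replace( string:h1, find:"%20", replace:" " );

url = "/?syss%0d%0a" + co + "%0d%0a" + h1;

req = http_get( item:url, port:port );
buf = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );

# No response at all says nothing about the patch level. End without a result
# instead of falling through to exit( 99 ), which by VT convention marks the
# host as checked and not vulnerable.
if( ! buf )
  exit( 0 );

if( buf =~ "^HTTP/1\.[01] 303" ) {
  # Both markers must appear at a line start; requiring the pair lowers the
  # chance of an accidental match.
  # NOTE(review): bodyonly:FALSE means egrep() sees headers and body, so a
  # marker line reflected in the body would match as well. Matching against the
  # header part only would tighten the result - confirm before changing.
  if( egrep( pattern:"^" + co_s, string:buf ) && egrep( pattern:"^" + h1_s, string:buf ) ) {
    report = http_report_vuln_url( port:port, url:url );
    report += '\n\nResponse:\n\n' + buf;
    security_message( port:port, data:report );
    exit( 0 );
  }
}

# A response was received and the markers were not injected: not vulnerable.
exit( 99 );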

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.3 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.004 Low

EPSS

Percentile

74.6%
