Netatalk < 3.1.12 Arbitrary Code Execution Vulnerability - Active Check

# SPDX-FileCopyrightText: 2020 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

CPE = "cpe:/a:netatalk:netatalk";

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.117047");
  script_version("2024-03-15T05:06:15+0000");
  script_tag(name:"last_modification", value:"2024-03-15 05:06:15 +0000 (Fri, 15 Mar 2024)");
  script_tag(name:"creation_date", value:"2020-11-17 11:11:18 +0000 (Tue, 17 Nov 2020)");
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_tag(name:"severity_vector", value:"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2019-10-09 23:38:00 +0000 (Wed, 09 Oct 2019)");
  script_cve_id("CVE-2018-1160");
  script_name("Netatalk < 3.1.12 Arbitrary Code Execution Vulnerability - Active Check");
  script_category(ACT_ATTACK);
  script_copyright("Copyright (C) 2020 Greenbone AG");
  script_family("General");
  script_dependencies("gb_netatalk_asip_afp_detect.nasl");
  script_require_ports("Services/appleshare", 548);
  script_mandatory_keys("netatalk/detected");

  script_tag(name:"summary", value:"Netatalk is prone to an unauthenticated code execution
  vulnerability.");

  script_tag(name:"vuldetect", value:"The following checks are done to verify this vulnerability:

  - sends a crafted OpenSession request with an overwritten server quantum

  - checks if the remote host is accepting the request

  - checks if the remote host is reflecting the crafted / overwritten server quantum back in the
  response");

  script_tag(name:"impact", value:"A remote unauthenticated attacker can leverage this vulnerability
  to achieve arbitrary code execution.");

  script_tag(name:"insight", value:"Netatalk is vulnerable to an out of bounds write in
  dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data.");

  script_tag(name:"affected", value:"Netatalk prior to version 3.1.12.");

  script_tag(name:"solution", value:"Update to version 3.1.12 or later.");

  script_xref(name:"URL", value:"https://netatalk.io/3.1/ReleaseNotes3.1.12");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/106301");
  script_xref(name:"URL", value:"https://www.exploit-db.com/exploits/46034/");
  script_xref(name:"URL", value:"https://www.exploit-db.com/exploits/46048/");
  script_xref(name:"URL", value:"https://www.exploit-db.com/exploits/46675/");
  script_xref(name:"URL", value:"http://packetstormsecurity.com/files/152440/QNAP-Netatalk-Authentication-Bypass.html");
  script_xref(name:"URL", value:"https://www.tenable.com/security/research/tra-2018-48");
  script_xref(name:"URL", value:"https://github.com/tenable/poc/tree/master/netatalk/cve_2018_1160/");

  script_tag(name:"qod_type", value:"remote_vul");
  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}

include("host_details.inc");
include("byte_func.inc");
include("dump.inc");

if( ! port = get_app_port( cpe:CPE, service:"appleshare" ) )
  exit( 0 );

if( ! get_app_location( cpe:CPE, port:port, nofork:TRUE ) )
  exit( 0 );

if( ! soc = open_sock_tcp( port ) )
  exit( 0 );

# nb: (this will be reflected back to us by a vulnerable target)
server_quantum = raw_string( 0xfe, 0xca, 0x1d, 0xc0 );

quantum_pkt  = raw_string( 0xad, 0xaa, 0xaa, 0xba,   # Overwrites attn_quantum
                           0x00, 0x00, 0x00, 0x00 ); # Overwrites datasize
quantum_pkt += server_quantum;                       # Overwrites server_quantum (this will be reflected back to us by a vulnerable target)

option_pkt  = raw_string( 0x01 );                    # Option: Attention quantum (1)
option_pkt += mkbyte( strlen( quantum_pkt ) );       # Length (of the quantum_pkt)

data = option_pkt + quantum_pkt;

full_pkt  = mkbyte( 0 );                             # Flags: Request (0x00)
full_pkt += mkbyte( 4 );                             # Command: OpenSession (4)
full_pkt += mkword( 1 );                             # Request ID: 1
full_pkt += mkdword( 0 );                            # Data offset: 0
full_pkt += mkdword( strlen( data ) );               # Length (of the data)
full_pkt += mkdword( 0 );                            # Reserved
full_pkt += data;

send( socket:soc, data:full_pkt );
res = recv( socket:soc, length:1024 );
close( soc );

if( ! res || strlen( res ) < 22 ) # nb: Insufficient length (e.g. no Option like Server quantum included)
  exit( 0 );

# n.b.: A vulnerable target is responding with something like e.g. the following below,
# whereas an invulnerable target doesn't reply at all.
# 0x00:  01 04 00 01 00 00 00 00 00 00 00 0C 00 00 00 00    ................
# 0x10:  00 04 C0 1D CA FE 02 04 00 00 00 80                ............

if( res[0] == mkbyte( 1 ) &&             # Flags: Reply (0x01)
    res[1] == mkbyte( 4 ) &&             # Command: OpenSession (4)
    getword( blob:res, pos:2 ) == 1 &&   # Request ID: 1
    getdword( blob:res, pos:4 ) == 0 ) { # Error code: success (0)

  check = getdword( blob:server_quantum );

  # nb: Test system had returned the quantum in little-endian byte order
  if( getdword( blob:res, pos:18 ) == check )
    vuln = TRUE;

  # ... but we're checking big-endian as well just to be sure.
  set_byte_order( BYTE_ORDER_LITTLE_ENDIAN );

  if( getdword( blob:res, pos:18 ) == check )
    vuln = TRUE;

  # nb: Only used for the reporting below (don't use it in the checks above)
  check_le = getdword( blob:server_quantum );

  if( vuln ) {
    report =  "The target system has been found vulnerable because it reflects back the overwritten ";
    report += "server quantum " + check + " (big-endian) / " + check_le + " (little-endian) as a response ";
    report += 'to a crafted OpenSession request sent by the scanner.\n\n';
    report += "Note: Patched (fixed) systems are known to not response at all to such a crafted request.";
    security_message( port:port, data:report );
    exit( 0 );
  }
  exit( 99 );
}

exit( 0 );