9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.7 High
AI Score
Confidence
High
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.932 High
EPSS
Percentile
99.0%
Netatalk is prone to an unauthenticated code execution
vulnerability.
# SPDX-FileCopyrightText: 2020 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/a:netatalk:netatalk";
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.117047");
script_version("2024-03-15T05:06:15+0000");
script_tag(name:"last_modification", value:"2024-03-15 05:06:15 +0000 (Fri, 15 Mar 2024)");
script_tag(name:"creation_date", value:"2020-11-17 11:11:18 +0000 (Tue, 17 Nov 2020)");
script_tag(name:"cvss_base", value:"10.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_tag(name:"severity_vector", value:"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2019-10-09 23:38:00 +0000 (Wed, 09 Oct 2019)");
script_cve_id("CVE-2018-1160");
script_name("Netatalk < 3.1.12 Arbitrary Code Execution Vulnerability - Active Check");
script_category(ACT_ATTACK);
script_copyright("Copyright (C) 2020 Greenbone AG");
script_family("General");
script_dependencies("gb_netatalk_asip_afp_detect.nasl");
script_require_ports("Services/appleshare", 548);
script_mandatory_keys("netatalk/detected");
script_tag(name:"summary", value:"Netatalk is prone to an unauthenticated code execution
vulnerability.");
script_tag(name:"vuldetect", value:"The following checks are done to verify this vulnerability:
- sends a crafted OpenSession request with an overwritten server quantum
- checks if the remote host is accepting the request
- checks if the remote host is reflecting the crafted / overwritten server quantum back in the
response");
script_tag(name:"impact", value:"A remote unauthenticated attacker can leverage this vulnerability
to achieve arbitrary code execution.");
script_tag(name:"insight", value:"Netatalk is vulnerable to an out of bounds write in
dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data.");
script_tag(name:"affected", value:"Netatalk prior to version 3.1.12.");
script_tag(name:"solution", value:"Update to version 3.1.12 or later.");
script_xref(name:"URL", value:"https://netatalk.io/3.1/ReleaseNotes3.1.12");
script_xref(name:"URL", value:"http://www.securityfocus.com/bid/106301");
script_xref(name:"URL", value:"https://www.exploit-db.com/exploits/46034/");
script_xref(name:"URL", value:"https://www.exploit-db.com/exploits/46048/");
script_xref(name:"URL", value:"https://www.exploit-db.com/exploits/46675/");
script_xref(name:"URL", value:"http://packetstormsecurity.com/files/152440/QNAP-Netatalk-Authentication-Bypass.html");
script_xref(name:"URL", value:"https://www.tenable.com/security/research/tra-2018-48");
script_xref(name:"URL", value:"https://github.com/tenable/poc/tree/master/netatalk/cve_2018_1160/");
script_tag(name:"qod_type", value:"remote_vul");
script_tag(name:"solution_type", value:"VendorFix");
exit(0);
}
include("host_details.inc");
include("byte_func.inc");
include("dump.inc");
if( ! port = get_app_port( cpe:CPE, service:"appleshare" ) )
exit( 0 );
if( ! get_app_location( cpe:CPE, port:port, nofork:TRUE ) )
exit( 0 );
if( ! soc = open_sock_tcp( port ) )
exit( 0 );
# nb: (this will be reflected back to us by a vulnerable target)
server_quantum = raw_string( 0xfe, 0xca, 0x1d, 0xc0 );
quantum_pkt = raw_string( 0xad, 0xaa, 0xaa, 0xba, # Overwrites attn_quantum
0x00, 0x00, 0x00, 0x00 ); # Overwrites datasize
quantum_pkt += server_quantum; # Overwrites server_quantum (this will be reflected back to us by a vulnerable target)
option_pkt = raw_string( 0x01 ); # Option: Attention quantum (1)
option_pkt += mkbyte( strlen( quantum_pkt ) ); # Length (of the quantum_pkt)
data = option_pkt + quantum_pkt;
full_pkt = mkbyte( 0 ); # Flags: Request (0x00)
full_pkt += mkbyte( 4 ); # Command: OpenSession (4)
full_pkt += mkword( 1 ); # Request ID: 1
full_pkt += mkdword( 0 ); # Data offset: 0
full_pkt += mkdword( strlen( data ) ); # Length (of the data)
full_pkt += mkdword( 0 ); # Reserved
full_pkt += data;
send( socket:soc, data:full_pkt );
res = recv( socket:soc, length:1024 );
close( soc );
if( ! res || strlen( res ) < 22 ) # nb: Insufficient length (e.g. no Option like Server quantum included)
exit( 0 );
# n.b.: A vulnerable target is responding with something like e.g. the following below,
# whereas an invulnerable target doesn't reply at all.
# 0x00: 01 04 00 01 00 00 00 00 00 00 00 0C 00 00 00 00 ................
# 0x10: 00 04 C0 1D CA FE 02 04 00 00 00 80 ............
if( res[0] == mkbyte( 1 ) && # Flags: Reply (0x01)
res[1] == mkbyte( 4 ) && # Command: OpenSession (4)
getword( blob:res, pos:2 ) == 1 && # Request ID: 1
getdword( blob:res, pos:4 ) == 0 ) { # Error code: success (0)
check = getdword( blob:server_quantum );
# nb: Test system had returned the quantum in little-endian byte order
if( getdword( blob:res, pos:18 ) == check )
vuln = TRUE;
# ... but we're checking big-endian as well just to be sure.
set_byte_order( BYTE_ORDER_LITTLE_ENDIAN );
if( getdword( blob:res, pos:18 ) == check )
vuln = TRUE;
# nb: Only used for the reporting below (don't use it in the checks above)
check_le = getdword( blob:server_quantum );
if( vuln ) {
report = "The target system has been found vulnerable because it reflects back the overwritten ";
report += "server quantum " + check + " (big-endian) / " + check_le + " (little-endian) as a response ";
report += 'to a crafted OpenSession request sent by the scanner.\n\n';
report += "Note: Patched (fixed) systems are known to not response at all to such a crafted request.";
security_message( port:port, data:report );
exit( 0 );
}
exit( 99 );
}
exit( 0 );
packetstormsecurity.com/files/152440/QNAP-Netatalk-Authentication-Bypass.html
www.securityfocus.com/bid/106301
github.com/tenable/poc/tree/master/netatalk/cve_2018_1160/
netatalk.io/3.1/ReleaseNotes3.1.12
www.exploit-db.com/exploits/46034/
www.exploit-db.com/exploits/46048/
www.exploit-db.com/exploits/46675/
www.tenable.com/security/research/tra-2018-48
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.7 High
AI Score
Confidence
High
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.932 High
EPSS
Percentile
99.0%