Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
openvasCopyright (C) 2012 Greenbone Networks GmbHOPENVAS:801979
HistoryJan 10, 2012 - 12:00 a.m.

OpenVAS Scanner Symlink Attack Local Privilege Escalation Vulnerability

2012-01-1000:00:00
Copyright (C) 2012 Greenbone Networks GmbH
plugins.openvas.org
15

0.0004 Low

EPSS

Percentile

5.1%

JSON

This host is installed with OpenVAS Scanner and is prone to
privilege escalation vulnerability.

###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_openvas_scanner_prev_escl_vuln.nasl 7823 2017-11-20 08:54:04Z cfischer $
#
# OpenVAS Scanner Symlink Attack Local Privilege Escalation Vulnerability
#
# Authors:
# Antu Sanadi <[email protected]>
#
# Copyright:
# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

tag_insight = "The flaw is due to the application passing a predictable temporary
  filename to the '-r' parameter of the ovaldi application, which can be
  exploited to overwrite arbitrary files via symlink attacks.

  NOTE: This vulnerability exists when ovaldi support enabled.";

tag_impact = "Successful exploitation allows local user on a client or server system can
  gain access to the administrator or root account thus taking full control
  of the system.
  Impact Level: Application.";
tag_affected = "OpenVAS Project OpenVAS Scanner 3.2.4";
tag_solution = "Upgrade to OpenVAS Scanner 4 or later,
  For updates refer to http://www.openvas.org/software.html";
tag_summary = "This host is installed with OpenVAS Scanner and is prone to
  privilege escalation vulnerability.";

if(description)
{
  script_id(801979);
  script_version("$Revision: 7823 $");
  script_cve_id("CVE-2011-3351");
  script_bugtraq_id(49460);
  script_tag(name:"cvss_base", value:"5.1");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:H/Au:N/C:P/I:P/A:P");
  script_tag(name:"last_modification", value:"$Date: 2017-11-20 09:54:04 +0100 (Mon, 20 Nov 2017) $");
  script_tag(name:"creation_date", value:"2012-01-10 17:29:46 +0530 (Tue, 10 Jan 2012)");
  script_name("OpenVAS Scanner Symlink Attack Local Privilege Escalation Vulnerability");
  script_xref(name : "URL" , value : "http://seclists.org/oss-sec/2011/q3/432");
  script_xref(name : "URL" , value : "http://www.securelist.com/en/advisories/45836");
  script_xref(name : "URL" , value : "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=641327");

  script_tag(name:"qod_type", value:"executable_version");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2012 Greenbone Networks GmbH");
  script_family("General");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("login/SSH/success");
  script_exclude_keys("ssh/no_linux_shell");

  script_tag(name : "impact" , value : tag_impact);
  script_tag(name : "affected" , value : tag_affected);
  script_tag(name : "solution" , value : tag_solution);
  script_tag(name : "summary" , value : tag_summary);
  script_tag(name : "insight" , value : tag_insight);
  exit(0);
}

include("ssh_func.inc");
include("version_func.inc");

sock = ssh_login_or_reuse_connection();
if(!sock){
  exit(0);
}

foreach command (make_list("openvasd"))
{
  ## Find the command path
  openvasName = find_file(file_name:command, file_path:"/", useregex:TRUE,
                         regexpar:"$", sock:sock);

  ## Check for each path
  foreach binaryName (openvasName)
  {
    openvasVer = get_bin_version(full_prog_name:chomp(binaryName),
             version_argv:"--version", ver_pattern:"OpenVAS.(Scanner)?.?([0-9.]+)",
             sock:sock);

    ## check for the version
    if(openvasVer[2])
    {
      if(version_is_less_equal(version:openvasVer[2], test_version:"3.2.4"))
      {
        security_message(0);
        close(sock);
        exit(0);
      }
    }
  }
}
close(sock);

Related

ubuntucve 1
openvas 1
cvelist 1
cve 1
nvd 1
prion 1
ubuntucve
ubuntucve
CVE-2011-3351
2019-11-25 00:00:00
openvas
openvas
OpenVAS Scanner Symlink Attack Local Privilege Escalation Vulnerability
2012-01-10 00:00:00
cvelist
cvelist
CVE-2011-3351
2019-11-25 21:45:05
cve
cve
CVE-2011-3351
2019-11-25 22:15:11
nvd
nvd
CVE-2011-3351
2019-11-25 22:15:11
prion
prion
Code injection
2019-11-25 22:15:00

0.0004 Low

EPSS

Percentile

5.1%

JSON
Related for OPENVAS:801979
ubuntucve1openvas1cvelist1cve1nvd1prion1