OpenVAS Manager – Command Injection

  • Author: Tim Brown
  • Date: 2011-01-31
  • Category:
  • Platform:
  • Source: https://www.exploit-db.com/exploits/16086/
  • Source: http://securityreason.com/securityalert/8048
    
    -- 
    Tim Brown
    <mailto:timb (at) openvas (dot) org>
    <http://www.openvas.org/>
    OpenVAS Security Advisory (OVSA20110118)
    Date: 18th January 2011
    Product: OpenVAS Manager <= 1.0.3 and 2.0rc2
    Vendor: OpenVAS <http://www.openvas.org/>
    Risk: Medium
    
    Summary
    
    It has been identified that OpenVAS Manager is vulnerable to command
    injection due to insufficient validation of user supplied data when
    processing OMP requests. It has been identified that this vulnerability
    allows privilege escalation within the OpenVAS Manager but more complex
    injection may allow arbitrary code to be executed with the privileges of
    the OpenVAS Manager on vulnerable systems. CVE-2011-0018 has been
    assigned to this vulnerability.
    
    The vulnerable code path is only accessible to authenticated users of
    OpenVAS Manager; however, it may also be triggered either directly or
    by using a cross-site request forgery based attack via the Greenbone
    Security Assistant web application.
    
    Current Status
    
    As of the 20th January 2011, the state of the vulnerabilities is believed
    to be as follows. A patch has been supplied by Greenbone Networks which
    successfully resolves this vulnerability. New releases of both 1.0.x
    and 2.0.x have also been created which incorporate this patch. Note that
    the cross-site request forgery elements of this vulnerability have not
    yet been addressed in the Greenbone Security Assistant web application.
    
    Technical Details
    
    It has been identified that OpenVAS Manager is vulnerable to command
    injection due to insufficient validation of user supplied data when
    processing OMP requests. It has been identified that this vulnerability
    allows an authenticated user of the Greenbone Security Assistant web
    application (which communicates with OpenVAS Manager using OMP) to
    escalate their privileges with just a few clicks although more complex
    attacks may also be possible.
    
    Escalation of privileges can be achieved by accessing the Greenbone Security
    Assistant and creating an escalator with a modified POST request as follows:
    
    Content-Disposition: form-data; name="method_data:to_address"
    
    none@none>/var/lib/openvas/users/alexander/isadmin
    
    The processing of this request causes GSA to make a request to OpenVAS
    Manager, which causes the command below to be executed with the privileges
    of the OpenVAS Manager (typically root) using the email() function from
    manage_sql.c:
    
    command = g_strdup_printf ("echo \""
                               "To: %s\n"
                               "From: %s\n"
                               "Subject: %s\n"
                               "\n"
                               "%s\""
                               " | /usr/sbin/sendmail %s"
                               " > /dev/null 2>&1",
                               to_address,
                               from_address ? from_address : "automated@openvas.org",
                               subject,
                               body,
                               to_address);
    ...
    if (ret = system (command)...
    
    As you can see, an attacker can influence both the to and from addresses
    within the concatenated string. The OpenVAS Manager uses the presence
    of the file isadmin to determine the privileges associated with the
    account.
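An added illustration (my own code, not the OpenVAS patch and not taken from manage_sql.c) that puts the page's raw interpolation beside an allowlist check on the address fields, which is the minimum a defender wants in front of a shell command built from OMP data; the sample addresses and the /path/to/isadmin target are constructed, and sendmail is never actually invoked.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs (not from any real deployment): a benign recipient
 * and an address shaped like the advisory's payload, smuggling a redirection. */
#define GOOD_ADDR "user@example.org"
#define BAD_ADDR  "none@none>/path/to/isadmin"
/* Raw interpolation, mirroring the page's g_strdup_printf() + system() flow
 * (subject and body elided): the address fields become shell command text,
 * metacharacters included. */
const char *format_mail_command(const char *to, const char *from)
{
    static char cmd[512];
    snprintf(cmd, sizeof cmd,
             "echo \"To: %s\nFrom: %s\n\" | /usr/sbin/sendmail %s > /dev/null 2>&1",
             to, from, to);
    return cmd;
}

/* Strict allowlist: local@domain built only from [A-Za-z0-9._%+-] and one '@'.
 * Spaces, quotes, > | ; $ ` and the like are rejected, so an address that
 * passes cannot change the meaning of a command it is embedded in. */
bool email_address_is_safe(const char *addr)
{
    size_t len = addr ? strlen(addr) : 0;
    const char *at = NULL;
    if (len == 0 || len > 254) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (c == '@') {
            if (at || i == 0 || i == len - 1) return false;  /* one '@', never at an end */
            at = addr + i;
        } else if (!isalnum(c) && !strchr("._%+-", c)) {
            return false;
        }
    }
    return at != NULL && strchr(at + 1, '.') != NULL;   /* domain part needs a dot */
}

/* Hardened builder: every field is validated before it reaches the format
 * string, and a rejected field yields NULL instead of a command. (Avoiding the
 * shell entirely, by exec'ing sendmail with an argv array, is better still.) */
const char *build_mail_command_validated(const char *to, const char *from)
{
    if (!email_address_is_safe(to) || !email_address_is_safe(from)) return NULL;
    return format_mail_command(to, from);
}
```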
    
    The vulnerable code path is only accessible to authenticated users of
    OpenVAS Manager; however, it may also be triggered either directly or
    by using a cross-site request forgery based attack via the Greenbone
    Security Assistant web application.
    
    Fix
    
    OpenVAS recommends that the publicly available patches are applied. If
    building from source, then either patch r9974 (trunk) or r9976 (1.0.x)
    should be obtained from the OpenVAS SVN repository. A fresh tarball
    containing the latest stable release can be obtained from:
    
    * http://wald.intevation.org/frs/download.php/829/openvas-manager-1.0.4.tar.gz
    
    In the event that OpenVAS has been supplied as part of a distribution
    then the vendor or organisation concerned should be contacted for a
    patch.
    
    History
    
    On 14th January 2011, Ronald Kingma contacted Greenbone Networks to
    report the described vulnerability affecting OpenVAS Manager.
    
    Greenbone Networks began working on patches to resolve the vulnerability.
    Over the weekend of the 15th and 16th of January, Greenbone Networks
    applied patches to resolve the vulnerability in trunk and the 1.0
    branch respectively.
    
    On the 17th, Greenbone Networks contacted the OpenVAS security team
    to notify them of the vulnerability and request assistance in
    coordinating the disclosure.
    
    The OpenVAS security team, Greenbone Networks and Ronald opened a
    dialogue in order to draft this advisory and on the 18th, CVE-2011-0018
    was assigned for this vulnerability.
    
    The OpenVAS security team continued evaluating the vulnerability,
    identifying that it may also be triggered using a cross-site request
    forgery based attack.
    
    OpenVAS Manager 1.0.4 was released on the 19th.
    
    Thanks
    
    OpenVAS would like to thank Ronald Kingma and Alexander van Eee
    of ISSX for their help in reporting the vulnerability.