CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS
Percentile
95.4%
The remote host is running ViRobot Linux Server, a commercial anti-virus product for Linux.
According to its banner, the installed version of ViRobot Linux Server suffers from a remote buffer overflow vulnerability in its web-based management interface. By passing specially crafted data through the ‘ViRobot_ID’ and ‘ViRobot_PASS’ cookies when calling the ‘addschup’ CGI script, an unauthenticated attacker may be able to write arbitrary data to root’s crontab entry, thus giving him complete control over the affected host.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration block: runs only when the engine loads the plugin for its
# metadata, then exits before any network traffic is generated.
if (description)
{
  # Plugin identity and vulnerability cross-references.
  script_id(18494);
  script_version("1.20");

  script_cve_id("CVE-2005-2041");
  script_bugtraq_id(13964);

  script_name(english:"ViRobot Linux Server addschup Multiple Overflows");

  script_set_attribute(attribute:"synopsis", value:"The remote server is prone to a remote buffer overflow attack.");
  # The continuation lines of this string stay at column 0 on purpose:
  # any added indentation would become part of the description text.
  script_set_attribute(attribute:"description", value:
"The remote host is running ViRobot Linux Server, a commercial anti-
virus product for Linux.
According to its banner, the installed version of ViRobot Linux Server
suffers from a remote buffer overflow vulnerability in its web-based
management interface. By passing specially crafted data through the
'ViRobot_ID' and 'ViRobot_PASS' cookies when calling the 'addschup'
CGI script, an unauthenticated attacker may be able to write arbitrary
data to root's crontab entry, thus giving him complete control over
the affected host.");

  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?164e1cec");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2005/Jun/188");
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5ef6b0a5");

  # NOTE(review): "Unknown at this time." conflicts with RL:OF (official
  # fix) in the temporal vector below; one of the two is stale. Confirm
  # against the vendor before relying on either for remediation tracking.
  script_set_attribute(attribute:"solution", value:"Unknown at this time.");

  # Base vector rates the issue as full compromise (C:C/I:C/A:C), in line
  # with the root crontab write described above.
  # NOTE(review): scores published elsewhere for this CVE may be lower
  # (for example partial integrity impact only); reconcile before using
  # the number for prioritisation.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");

  # NOTE(review): the three exploit-maturity signals disagree -- E:POC
  # above, "No exploit is required" here, and exploit_available "false".
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_publication_date", value:"2005/06/15");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/03/14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_summary(english:"Checks for remote buffer overflow vulnerability in ViRobot Linux Server");

  # Registered as ACT_ATTACK, although the check in this file only sends
  # plain GET requests and compares a version string in the page title.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.");

  # Scheduling: needs the HTTP service detection results, a web port
  # (8080 by default), and is skipped when CGI scanning is disabled.
  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 8080);
  script_exclude_keys("Settings/disable_cgi_scanning");

  exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
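# Detection logic.
#
# This is a banner-style check: it confirms that the 'addschup' CGI is
# present, then reads the product version from the title of /index.html.
# It never sends the oversized 'ViRobot_ID' / 'ViRobot_PASS' cookies, so a
# positive result means "version <= 2.0 is advertised", not "overflow
# confirmed". Results should be validated against the installed package
# before remediation is closed or escalated.
port = get_http_port(default:8080);

# Probe each known CGI directory for the affected script.
foreach dir (cgi_dirs())
{
  # exit_on_fail makes the plugin stop if the server does not answer,
  # rather than continuing with an empty response.
  r = http_send_recv3(method:"GET", item:string(dir, "/addschup"), port:port, exit_on_fail:1);

  # An unauthenticated request to the real script returns this prompt.
  if ("<font size=2>You need to authenticate.</font>" >< r[2])
  {
    # The site's index page carries the version number in its title.
    r = http_send_recv3(method:"GET", item:"/index.html", port:port, exit_on_fail:1);

    # Flag 0.x, 1.x and exactly 2.0; egrep() returns the matching line(s),
    # which are kept as evidence for the report.
    title = egrep(
      string:r[2],
      pattern:"<title>ViRobot Linux Server Ver ([01]\..*|2\.0)</title>"
    );

    if (title)
    {
      # Attach the observed title so an analyst can tell this is a
      # version-based finding and check it against the real install.
      # The text comes from the remote server and is reported verbatim.
      report = '\nThe management interface reports the following page title :\n\n  ' +
               chomp(title) + '\n';
      security_hole(port:port, extra:report);
      exit(0);
    }

    # /index.html does not depend on the CGI directory, so trying further
    # directories would repeat the same request with the same verdict.
    break;
  }
}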