OpenVAS Security Advisory OVSA20110118

Posted Jan 26, 2011
Authored by Tim Brown at OpenVAS

It has been identified that OpenVAS Manager is vulnerable to command injection due to insufficient validation of user supplied data when processing OMP requests. It has been identified that this vulnerability allows privilege escalation within the OpenVAS Manager but more complex injection may allow arbitrary code to be executed with the privileges of the OpenVAS Manager on vulnerable systems.

tags | advisory, arbitrary
advisories | CVE-2011-0018
SHA-256 | 465e38dd18df584bf3d5f7eda261e4615381784ac40a6d293ea96a4cc69f27a3

OpenVAS Security Advisory (OVSA20110118)
Date: 18th January 2011
Product: OpenVAS Manager <= 1.0.3 and 2.0rc2
Vendor: OpenVAS <http://www.openvas.org/>
Risk: Medium

Summary

It has been identified that OpenVAS Manager is vulnerable to command
injection due to insufficient validation of user supplied data when
processing OMP requests. It has been identified that this vulnerability
allows privilege escalation within the OpenVAS Manager but more complex
injection may allow arbitrary code to be executed with the privileges of
the OpenVAS Manager on vulnerable systems. CVE-2011-0018 has been assigned
to this vulnerability.

The vulnerable code path is only accessible to authenticated users of
OpenVAS Manager however it may also be triggered either directly or
by using a cross-site request forgery based attack via the Greenbone
Security Assistant web application.

Current Status

As of the 20th January 2011, the state of the vulnerabilities is believed
to be as follows. A patch has been supplied by Greenbone Networks which
successfully resolves this vulnerability. New releases of both 1.0.x
and 2.0.x have also been created which incorporate this patch. Note that
the cross-site request forgery elements of this vulnerability have not
yet been addressed in the Greenbone Security Assistant web application.

Technical Details

It has been identified that OpenVAS Manager is vulnerable to command
injection due to insufficient validation of user supplied data when
processing OMP requests. It has been identified that this vulnerability
allows an authenticated user of the Greenbone Security Assistant web
application (which communicates with OpenVAS Manager using OMP) to
escalate their privileges with just a few clicks although more complex
attacks may also be possible.

Escalation of privileges can be achieved by accessing the Greenbone Security
Assistant and creating an escalator with a modified POST request as follows:

Content-Disposition: form-data; name="method_data:to_address"

none@none>/var/lib/openvas/users/alexander/isadmin

The processing of this request causes GSA to make a request to OpenVAS Manager
which causes the command below to be executed with the privileges of the
OpenVAS Manager (typically root) using the email() function from manage_sql.c:

command = g_strdup_printf ("echo \""
"To: %s\n"
"From: %s\n"
"Subject: %s\n"
"\n"
"%s\""
" | /usr/sbin/sendmail %s"
" > /dev/null 2>&1",
to_address,
from_address ? from_address : "automated@openvas.org",
subject,
body,
to_address);
...
if (ret = system (command)...

As you can see, an attacker can influence both the to and from addresses
within the concatenated string. The OpenVAS Manager uses the presence
of the file isadmin to determine the privileges associated with the
account.

The vulnerable code path is only accessible to authenticated users of
OpenVAS Manager however it may also be triggered either directly or
by using a cross-site request forgery based attack via the Greenbone
Security Assistant web application.
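As an added illustration, not code from OpenVAS or from this advisory, the following C shows how the email() path above can be hardened: the addresses are checked against a strict allowlist before use, and sendmail is started with execv() on an argv vector with the message written to its stdin over a pipe, so no shell ever parses attacker-controlled text. The sendmail path and the "-i" flag are assumptions for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist check for a plain mailbox address: letters, digits, "._+-" and
 * exactly one '@'. Redirections such as '>' and a leading '-' (option
 * injection into sendmail) are rejected. Returns 1 if the address is safe. */
int is_safe_address(const char *addr)
{
    size_t i, len;
    const char *at;
    if (addr == NULL || addr[0] == '-') return 0;
    len = strlen(addr);
    if (len == 0 || len > 254) return 0;
    at = strchr(addr, '@');
    if (at == NULL || at == addr || at[1] == '\0' || strchr(at + 1, '@')) return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char) addr[i];
        if (!isalnum(c) && strchr("._+-@", c) == NULL) return 0;
    }
    return 1;
}

/* Shell-free replacement for the system() call: validated arguments go
 * straight to /usr/sbin/sendmail (assumed path) and the headers and body
 * go in through a pipe instead of "echo". Returns sendmail's exit status,
 * or -1 if an input is rejected or the process could not be started. */
int send_mail(const char *to, const char *from, const char *subject, const char *body)
{
    int fds[2], status;
    pid_t pid;
    FILE *out;
    if (!is_safe_address(to) || !is_safe_address(from)) return -1;
    if (subject == NULL || strpbrk(subject, "\r\n") != NULL) return -1; /* no header injection */
    if (pipe(fds) != 0) return -1;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "/usr/sbin/sendmail", "-i", (char *) to, NULL };
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]);
        close(fds[1]);
        execv(argv[0], argv);
        _exit(127);
    }
    close(fds[0]);
    out = fdopen(fds[1], "w");
    fprintf(out, "To: %s\nFrom: %s\nSubject: %s\n\n%s\n", to, from, subject, body ? body : "");
    fclose(out);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```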

Fix

OpenVAS recommends that the publicly available patches are applied. If
building from source, then either patch r9974 (trunk) or r9976 (1.0.x)
should be obtained from the OpenVAS SVN repository. A fresh tarball
containing the latest stable release can be obtained from:

* http://wald.intevation.org/frs/download.php/829/openvas-manager-1.0.4.tar.gz

In the event that OpenVAS has been supplied as part of a distribution
then the vendor or organisation concerned should be contacted for a
patch.

History

On 14th January 2011, Ronald Kingma contacted Greenbone Networks to
report the described vulnerability affecting OpenVAS Manager.

Greenbone Networks began working on patches to resolve the vulnerability.
Over the weekend of the 15th and 16th of January, Greenbone Networks
applied patches to resolve the vulnerability in trunk and the 1.0
branch respectively.

On the 17th, Greenbone Networks contacted the OpenVAS security team
to notify them of the vulnerability and request assistance in
coordinating the disclosure.

The OpenVAS security team, Greenbone Networks and Ronald opened a
dialogue in order to draft this advisory and on the 18th, CVE-2011-0018
was assigned for this vulnerability.

The OpenVAS security team continued evaluating the vulnerability,
identifying that it may also be triggered using a cross-site request
forgery based attack.

OpenVAS Manager 1.0.4 was released on the 19th.

Thanks

OpenVAS would like to thank Ronald Kingma and Alexander van Eee
of ISSX for their help in reporting the vulnerability.