Vulnerabilities > CVE-2002-0134 - Remote SYSTEM Access vulnerability in Avirt Gateway Suite 4.2

047910
CVSS v2 base score 7.5 - HIGH (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
avirt
nessus

Summary

Telnet proxy in Avirt Gateway Suite 4.2 does not require authentication for connecting to the proxy system itself, which allows remote attackers to list file contents of the proxy and execute arbitrary commands via a "dos" command.

Vulnerable Configurations

Part Description Count
Application
Avirt
1

Nessus

NASL family: Gain a shell remotely
NASL id: AVIRT_GATEWAY_TELNET.NASL
description: It was possible to connect to the remote telnet server without a password and to get a command prompt with the 'DOS' command.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11096
published: 2002-08-21
reporter: This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11096
title: Avirt Gateway Suite Telnet Proxy Arbitrary Command Execution
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

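# Registration block. When the plugin is loaded with `description` set, only
# the metadata below is recorded; the exit(0) at the end of the block returns
# before any of the network code further down runs.
if (description)
{
 # Identifiers: plugin id, plugin revision, and the advisories this check maps to.
 script_id(11096);
 script_version("1.21");
 script_cve_id("CVE-2002-0134");
 script_bugtraq_id(3901);

 script_name(english:"Avirt Gateway Suite Telnet Proxy Arbitrary Command Execution");
 script_summary(english:"Remote system compromise through insecure telnet proxy");

 # Report text shown to the operator when the check fires.
 script_set_attribute(attribute:"synopsis", value:
"The remote gateway does not require authentication for connections to
the proxy service." );
 script_set_attribute(attribute:"description", value:
"It was possible to connect to the remote telnet server without a
password and to get a command prompt with the 'DOS' command.

An attacker may use this flaw to get access to your system." );
 script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=101131669102843&w=2" );
 # NOTE(review): the plugin records no fix. Until the product is removed or
 # replaced, the generic mitigation is to keep the telnet proxy port
 # unreachable from untrusted networks -- confirm against vendor guidance.
 script_set_attribute(attribute:"solution", value:
"There is no known solution at this time." );

 # CVSS v2 base vector: reachable over the network, low complexity, no
 # authentication, partial impact on confidentiality, integrity and availability.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 # CVSS v2 temporal vector: exploitability unproven, no remediation
 # available, report confidence confirmed.
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:C");
 # NOTE(review): the "no known exploits" attributes describe public exploit
 # availability only; the check below reaches the prompt with a single
 # unauthenticated command, so do not down-rank the finding on their account.
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"plugin_publication_date", value: "2002/08/21");
 script_set_attribute(attribute:"vuln_publication_date", value: "2002/01/17");
 script_cvs_date("Date: 2018/11/15 20:50:22");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 # ACT_ATTACK: an active check. The script body sends a command to the target
 # instead of only reading a banner, so schedule scans with that in mind.
 script_category(ACT_ATTACK);

 script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");
 script_family(english:"Gain a shell remotely");
 # Runs against the telnet service recorded in the knowledge base, or port 23.
 # find_service1.nasl is declared as a dependency; presumably it is what
 # populates "Services/telnet" -- verify against that plugin.
 script_require_ports("Services/telnet", 23);
 script_dependencies("find_service1.nasl");
 exit(0);
}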

#
# The script code starts here
#

include('telnet_func.inc');
# Pick the telnet port recorded in the knowledge base, falling back to 23.
port = get_kb_item("Services/telnet");
if (!port) port = 23;

# Stop quietly when the port is not open or the TCP connection fails.
if (!get_port_state(port)) exit(0);
soc = open_sock_tcp(port);
if (!soc) exit(0);

# telnet_negotiate() (from telnet_func.inc) runs before anything is sent.
# Its return value is stored but never inspected by this script.
banner = telnet_negotiate(socket:soc);

# Issue the proxy's "dos" command without any login step and read at most
# 512 bytes of the reply in a single recv().
# NOTE(review): a reply that arrives later or beyond 512 bytes is not seen,
# so a clean result does not prove the proxy requires authentication.
send(socket:soc, data:string("dos\r\n"));
res = recv(socket: soc, length: 512);
close(soc);

# Report when a reply line starts with a drive letter, a colon and a
# backslash and contains '>', i.e. looks like a DOS prompt such as C:\>.
if (egrep(pattern:"^[A-Za-z]:\\.*>", string: res)) security_hole(port);