CVE-2006-0864 - Authentication Bypass vulnerability in Hauri ViRobot 2.0 20050817

CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, low complexity, hauri, critical, nessus

Summary

filescan in Global Hauri ViRobot 2.0 20050817 does not verify the Cookie HTTP header, which allows remote attackers to gain administrative privileges via an arbitrary cookie value.

Vulnerable Configurations

Part          Description   Count
Application   Hauri         1

Nessus

NASL family: CGI abuses
NASL id: VIROBOT_LINUX_SERVER_FILESCAN_AUTH_BYPASS.NASL
description: The remote host is running ViRobot Linux Server, a commercial antivirus application server. The installed version of ViRobot Linux Server has a flaw such that an attacker can bypass authentication and gain access to its
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20968
published: 2006-02-22
reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20968
title: ViRobot Linux Server filescan Authentication Bypass
code:
#
# (C) Tenable Network Security
#


include("compat.inc");

if (description) {
  script_id(20968);
  script_version("1.20");

  script_cve_id("CVE-2006-0864");
  script_bugtraq_id(16768);

  script_name(english:"ViRobot Linux Server filescan Authentication Bypass");
  script_summary(english:"Checks for authentication bypass vulnerability in ViRobot Linux Server's filescan component");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by an authentication bypass flaw." );
  script_set_attribute(attribute:"description", value:
"The remote host is running ViRobot Linux Server, a commercial
antivirus application server. 

The installed version of ViRobot Linux Server has a flaw such that an
attacker can bypass authentication and gain access to its 'filescan'
component by supplying a special cookie.  An unauthenticated attacker
may be able to leverage this flaw to delete arbitrary files on the
remote host or disable access to the service by submitting scans of a
large number of large files on the remote host." );
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/425788/30/0/threaded" );
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?aa2f7f08" );
  script_set_attribute(attribute:"solution", value:
"Apply the vendor patch referenced above." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"plugin_publication_date", value: "2006/02/22");
  script_set_attribute(attribute:"vuln_publication_date", value: "2006/02/22");
  script_cvs_date("Date: 2018/11/15 20:50:19");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();


  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 8080);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:8080);

# Try to exploit the flaw.
set_http_cookie(name: "HTTP_COOKIE", value: "test");
r = http_send_recv3(method: "GET", item:string("/cgi-bin/filescan"), port:port);
if (isnull(r)) exit(0);

# There's a problem if we gained access.
if (
  "<title>ViRobot Linux Server" >< r[2] &&
  "<form name=dir_form method=post" >< r[2]
) {
  security_hole(port);
}