Vulnerabilities > CVE-2007-4061 - Multiple vulnerability in Nessus vulnerability Scanner 3.0.6

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

nessus

critical

nessus

exploit available

NVD

Published: 2007-07-30

Updated: 2017-09-29

Summary

Directory traversal vulnerability in a certain ActiveX control in Nessus Vulnerability Scanner 3.0.6 allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in the argument to the saveNessusRC method, which writes text specified by the addsetConfig method, possibly related to the SCANCTRL.ScanCtrlCtrl.1 ActiveX control in scan.dll. NOTE: this can be leveraged for code execution by writing to a Startup folder.

Vulnerable Configurations

Part	Description	Count
Application	Nessus Nessus Vulnerability Scanner 3.0.6	1

Exploit-Db

description	Nessus Vulnerability Scanner 3.0.6 ActiveX Command Exec Exploit. CVE-2007-4031,CVE-2007-4061,CVE-2007-4062. Remote exploit for windows platform
file	exploits/windows/remote/4237.html
id	EDB-ID:4237
last seen	2016-01-31
modified	2007-07-27
platform	windows
port
published	2007-07-27
reporter	h07
source	https://www.exploit-db.com/download/4237/
title	Nessus Vulnerability Scanner 3.0.6 - ActiveX Command Exec Exploit
type	remote

Nessus

NASL family	Windows
NASL id	NESSUS_SCANCTRL_ACTIVEX_FILE_DELETION.NASL
description	The remote host contains the ScanCtrl ActiveX control, a part of Nessus for Windows. The version of the ScanCtrl ActiveX control, installed as part of Nessus for Windows on the remote host, fails to validate input to several methods. If an attacker can trick a user on the affected host into visiting a specially crafted web page, this issue could be leveraged to delete or write to arbitrary files or even execute arbitrary code on the host subject to the user
last seen	2020-06-01
modified	2020-06-02
plugin id	25799
published	2007-07-28
reporter	This script is Copyright (C) 2007-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/25799
title	Nessus Windows < 3.0.6.1 ScanCtrl ActiveX Multiple Method File Manipulation
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(25799); script_version("1.21"); script_cve_id("CVE-2007-4031", "CVE-2007-4061", "CVE-2007-4062"); script_bugtraq_id(25088); script_xref(name:"EDB-ID", value:"4230"); script_xref(name:"EDB-ID", value:"4237"); script_name(english:"Nessus Windows < 3.0.6.1 ScanCtrl ActiveX Multiple Method File Manipulation"); script_summary(english:"Checks versions of ScanCtrl ActiveX control"); script_set_attribute(attribute:"synopsis", value: "The remote Windows host has an ActiveX control that is affected by multiple issues." ); script_set_attribute(attribute:"description", value: "The remote host contains the ScanCtrl ActiveX control, a part of Nessus for Windows. The version of the ScanCtrl ActiveX control, installed as part of Nessus for Windows on the remote host, fails to validate input to several methods. If an attacker can trick a user on the affected host into visiting a specially crafted web page, this issue could be leveraged to delete or write to arbitrary files or even execute arbitrary code on the host subject to the user's privileges." ); script_set_attribute(attribute:"solution", value: "Upgrade to Nessus for Windows version 3.0.6.1 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(22); script_set_attribute(attribute:"plugin_publication_date", value: "2007/07/28"); script_set_attribute(attribute:"vuln_publication_date", value: "2007/07/28"); script_cvs_date("Date: 2018/08/22 16:49:14"); script_set_attribute(attribute:"plugin_type", value:"local"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2007-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("smb_hotfixes.nasl"); script_require_keys("SMB/Registry/Enumerated"); script_require_ports(139, 445); exit(0); } # include("global_settings.inc"); include("smb_func.inc"); include("smb_activex_func.inc"); if (!get_kb_item("SMB/Registry/Enumerated")) exit(0); # Locate files used by the controls. if (activex_init() != ACX_OK) exit(0); clsid = "{A47D5315-321D-4DEE-9DB3-18438023193B}"; file = activex_get_filename(clsid:clsid); if (file) { ver = activex_get_fileversion(clsid:clsid); if (ver && activex_check_fileversion(clsid:clsid, fix:"3.0.6.321") == TRUE) { report = string( "Version '", ver, "' of the vulnerable control is installed as :\n", "\n", " ", file ); security_hole(port:kb_smb_transport(), extra:report); } } activex_end();

Summary

Vulnerable Configurations

Exploit-Db

Nessus

References