
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

Directory traversal vulnerability in a certain ActiveX control in Nessus Vulnerability Scanner 3.0.6 allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in the argument to the saveNessusRC method, which writes text specified by the addsetConfig method, possibly related to the SCANCTRL.ScanCtrlCtrl.1 ActiveX control in scan.dll. NOTE: this can be leveraged for code execution by writing to a Startup folder.

Vulnerable Configurations

Part Description Count
Application
Nessus
1

Exploit-Db

description: Nessus Vulnerability Scanner 3.0.6 ActiveX Command Exec Exploit. CVE-2007-4031,CVE-2007-4061,CVE-2007-4062. Remote exploit for windows platform
file: exploits/windows/remote/4237.html
id: EDB-ID:4237
last seen: 2016-01-31
modified: 2007-07-27
platform: windows
port:
published: 2007-07-27
reporter: h07
source: https://www.exploit-db.com/download/4237/
title: Nessus Vulnerability Scanner 3.0.6 - ActiveX Command Exec Exploit
type: remote

Nessus

NASL family: Windows
NASL id: NESSUS_SCANCTRL_ACTIVEX_FILE_DELETION.NASL
description: The remote host contains the ScanCtrl ActiveX control, a part of Nessus for Windows. The version of the ScanCtrl ActiveX control, installed as part of Nessus for Windows on the remote host, fails to validate input to several methods. If an attacker can trick a user on the affected host into visiting a specially crafted web page, this issue could be leveraged to delete or write to arbitrary files or even execute arbitrary code on the host subject to the user's privileges.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 25799
published: 2007-07-28
reporter: This script is Copyright (C) 2007-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/25799
title: Nessus Windows < 3.0.6.1 ScanCtrl ActiveX Multiple Method File Manipulation
code
#
#  (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  # Metadata pass: NASL runs this branch when it loads the plugin for its
  # description and exits here, so the version check at the bottom of the
  # file never executes in this mode.
  script_id(25799);
  script_version("1.21");

  script_cve_id("CVE-2007-4031", "CVE-2007-4061", "CVE-2007-4062");
  script_bugtraq_id(25088);
  script_xref(name:"EDB-ID", value:"4230");
  script_xref(name:"EDB-ID", value:"4237");

  script_name(english:"Nessus Windows < 3.0.6.1 ScanCtrl ActiveX Multiple Method File Manipulation");
  script_summary(english:"Checks versions of ScanCtrl ActiveX control");

 script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an ActiveX control that is affected by
multiple issues." );
 script_set_attribute(attribute:"description", value:
"The remote host contains the ScanCtrl ActiveX control, a part of
Nessus for Windows.

The version of the ScanCtrl ActiveX control, installed as part of
Nessus for Windows on the remote host, fails to validate input to
several methods. If an attacker can trick a user on the affected host
into visiting a specially crafted web page, this issue could be
leveraged to delete or write to arbitrary files or even execute
arbitrary code on the host subject to the user's privileges." );

 # NOTE(review): the solution names 3.0.6.1, while the check below compares
 # the control's file version against 3.0.6.321 — presumably the file
 # version that ships with that release; confirm the two agree.
 script_set_attribute(attribute:"solution", value:
"Upgrade to Nessus for Windows version 3.0.6.1 or later." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 # CWE-22: path traversal.
 script_cwe_id(22);

 script_set_attribute(attribute:"plugin_publication_date", value: "2007/07/28");
 script_set_attribute(attribute:"vuln_publication_date", value: "2007/07/28");
 script_cvs_date("Date: 2018/08/22 16:49:14");
 # "local" here means the check reads the target's state over SMB rather
 # than probing the ActiveX control itself.
 script_set_attribute(attribute:"plugin_type", value:"local");
 # Closes the attribute set; the calls that follow register scheduling and
 # prerequisites rather than descriptive attributes.
 script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2007-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  # The check relies on the registry enumeration performed by
  # smb_hotfixes.nasl and also exits early itself unless
  # SMB/Registry/Enumerated is present in the KB.
  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);
  exit(0);
}

#

include("global_settings.inc");
include("smb_func.inc");
include("smb_activex_func.inc");


# Nothing to do unless a previous plugin enumerated the registry over SMB.
if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);

# Open the SMB session that the ActiveX helper functions work over.
if (activex_init() != ACX_OK) exit(0);

# CLSID of the ScanCtrl control whose registration is looked up.
clsid = "{A47D5315-321D-4DEE-9DB3-18438023193B}";
path = activex_get_filename(clsid:clsid);

# A registered control with a known version older than the fix is reported.
# NOTE(review): no kill-bit lookup is made, so a control that is registered
# but kill-bitted would still be flagged — confirm that is intended.
if (path)
{
  version = activex_get_fileversion(clsid:clsid);
  # NOTE(review): 3.0.6.321 is compared here while the solution text names
  # 3.0.6.1 — presumably the file version of that release; verify.
  if (version && activex_check_fileversion(clsid:clsid, fix:"3.0.6.321") == TRUE)
  {
    info =
      "Version '" + version + "' of the vulnerable control is installed as :" +
      '\n\n  ' + path;
    security_hole(port:kb_smb_transport(), extra:info);
  }
}

# Always tear down the SMB session, whether or not anything was reported.
activex_end();