1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86
|
#
# This script was written by Drew Hintz ( http://guh.nu )
#
# It is based on scripts written by Renaud Deraison and HD Moore
#
# See the Nessus Scripts License for details
#
if(description)
{
script_id(10811);
script_cve_id("CAN-2001-0815");
name["english"] = "ActivePerl perlIS.dll Buffer Overflow";
script_name(english:name["english"]);
desc["english"] = "
An attacker can run arbitrary code on the remote computer.
This is because the remote IIS server is running a version of
ActivePerl prior to 5.6.1.630 and has the Check that file
exists option disabled for the perlIS.dll.
Solution: Either upgrade to a version of ActivePerl more
recent than 5.6.1.629 or enable the Check that file exists option.
To enable this option, open up the IIS MMC, right click on a (virtual)
directory in your web server, choose Properties,
click on the Configuration... button, highlight the .plx item,
click Edit, and then check Check that file exists.
More Information: http://www.securityfocus.com/bid/3526
Risk factor: High";
script_description(english:desc["english"]);
summary["english"] = "Determines if arbitrary commands can be executed thanks to ActivePerl's perlIS.dll";
script_summary(english:summary["english"]);
script_category(ACT_DENIAL);
script_copyright(english:"This script is Copyright (C) 2001 H D Moore & Drew Hintz ( http://guh.nu )");
family["english"] = "CGI abuses";
script_family(english:family["english"]);
script_dependencie("find_service.nes", "http_version.nasl");
script_require_keys("www/iis");
script_require_ports("Services/www", 80);
exit(0);
}
port = get_kb_item("Services/www");
if(!port)port = 80;
function check(req)
{
soc = open_sock_tcp(port);
if(soc)
{
req = http_get(item:req, port:port);
send(socket:soc, data:req);
r = recv(socket:soc, length:1024);
close(soc);
pat = "The remote procedure call failed."; #string returned by webserver if it's vulnerable
if(pat >< r) {
security_hole(port:port);
return(1);
}
}
return(0);
}
dir[0] = "/scripts/";
dir[1] = "/cgi-bin/";
dir[2] = "/";
for(d=0;dir[d];d=d+1)
{
url = string(dir[d], crap(660), ".plx"); #by default perlIS.dll handles .plx
if(check(req:url))exit(0);
url = string(dir[d], crap(660), ".pl");
if(check(req:url))exit(0);
}
|