Intel Common Base Agent CreateProcessA() Function Remote Command Execution - Nessus

Critical   Plugin ID: 38664

This page contains detailed information about the Intel Common Base Agent CreateProcessA() Function Remote Command Execution Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Table Of Contents
hide

Plugin Overview

ID: 38664
Name: Intel Common Base Agent CreateProcessA() Function Remote Command Execution
Filename: landesk_cba_createprocessa_cmd_exec.nasl
Vulnerability Published: N/A
This Plugin Published: 2009-05-03
Last Modification Time: 2022-04-11
Plugin Version: 1.17
Plugin Type: remote
Plugin Family: Windows
Dependencies: find_service2.nasl

Vulnerability Information

Severity: Critical
Vulnerability Published: N/A
Patch Published: N/A
CVE [?]: CVE-2009-1429
CPE [?]: N/A

Synopsis

The remote service seems to allow execution of arbitrary commands.

Description

The remote host seems to be running a version of the Intel LANDesk Common Base Agent (CBA) that allows the contents of a specially crafted packet to be passed as an argument to 'CreateProcessA()' to be executed on the remote host with SYSTEM privileges.

Solution

If using Symantec AntiVirus Corporate Edition, Symantec Client Security, or Symantec Endpoint Protection, apply the appropriate update as described in Symantec's advisory referenced above.

Otherwise, contact the application's vendor for an update.

Public Exploits

Target Network Port(s): 12174
Target Asset(s): Services/unknown
Exploit Available: True (Metasploit Framework, Exploit-DB, Immunity Canvas, Core Impact)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Intel Common Base Agent CreateProcessA() Function Remote Command Execution vulnerability:

  1. Metasploit: exploit/windows/antivirus/ams_xfr
    [Symantec System Center Alert Management System (xfr.exe) Arbitrary Command Execution]
  2. Exploit-DB: exploits/windows/remote/17699.rb
    [EDB-17699: Symantec System Center Alert Management System - 'xfr.exe' Arbitrary Command Execution (Metasploit)]
  3. Immunity Canvas: D2ExploitPack

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

CVSS V2 Vector [?]: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVSS Base Score:10.0 (High)
Impact Subscore:10.0
Exploitability Subscore:10.0
CVSS Temporal Score:8.3 (High)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:8.3 (High)
STIG Severity [?]: I
STIG Risk Rating: High

Go back to menu.

Plugin Source

This is the landesk_cba_createprocessa_cmd_exec.nasl nessus plugin source code. This script is Copyright (C) 2009-2022 Tenable Network Security, Inc. 

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(38664);
  script_version("1.17");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2009-1429");
  script_bugtraq_id(34671);
  script_xref(name:"EDB-ID", value:"17699");
  script_xref(name:"IAVA", value:"2009-A-0037");
  script_xref(name:"SECUNIA", value:"34856");

  script_name(english:"Intel Common Base Agent CreateProcessA() Function Remote Command Execution");

  script_set_attribute(attribute:"synopsis", value:
"The remote service seems to allow execution of arbitrary commands.");
  script_set_attribute(attribute:"description", value:
"The remote host seems to be running a version of the Intel LANDesk
Common Base Agent (CBA) that allows the contents of a specially
crafted packet to be passed as an argument to 'CreateProcessA()' to be
executed on the remote host with SYSTEM privileges.");
  # https://support.symantec.com/en_US/article.SYMSA1175.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3015d3c7");
  script_set_attribute(attribute:"solution", value:
"If using Symantec AntiVirus Corporate Edition, Symantec Client
Security, or Symantec Endpoint Protection, apply the appropriate
update as described in Symantec's advisory referenced above. 

Otherwise, contact the application's vendor for an update.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Symantec System Center Alert Management System (xfr.exe) Arbitrary Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"D2ExploitPack");
  script_cwe_id(94);

  script_set_attribute(attribute:"plugin_publication_date", value:"2009/05/03");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2009-2022 Tenable Network Security, Inc.");

  script_dependencies("find_service2.nasl");
  script_require_ports("Services/unknown", 12174);

  exit(0);
}


include("byte_func.inc");
include("global_settings.inc");
include("misc_func.inc");


# nb: the service is currently not detected by Nessus.
if (
  thorough_tests &&
  !get_kb_item("global_settings/disable_service_discovery")
)
{
  port = get_unknown_svc(12174);
  if (!port) exit(0);
  if (!silent_service(port)) exit(0); 
}
else port = 12174;
if (known_service(port:port)) exit(0);
if (!get_tcp_port_state(port)) exit(0);


soc = open_sock_tcp(port);
if (!soc) exit(0);


# Try to exploit the issue.
#
# nb: we don't see the output of the command so we'll just try to control
#     the exit code. If you have local access to a host that you suspect
#     is vulnerable, you could try running simply "calc" and seeing if it
#     gets launched.
set_byte_order(BYTE_ORDER_LITTLE_ENDIAN);

magic = 0xdeadbeef;
cmd = string("cmd /C exit ", magic);
# cmd = "calc";
cmd += mkbyte(0);

req = mkdword(0) + mkword(strlen(cmd)) + cmd;
send(socket:soc, data:req);
res = recv(socket:soc, length:4096, min:0x14);
close(soc);
if (isnull(res)) exit(0);


# There's a problem if...
if (
  # it looks like a valid response and...
  strlen(res) == 0x14 &&
  getdword(blob:res, pos:0) == 0 &&
  # we are able to run our command and control the exit code.
  getdword(blob:res, pos:0x10) == magic
)
{
  security_hole(port);

  # Let's register it too.
  register_service(port:port, proto:"landesk-cba");
}

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/landesk_cba_createprocessa_cmd_exec.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\landesk_cba_createprocessa_cmd_exec.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/landesk_cba_createprocessa_cmd_exec.nasl

Go back to menu.

How to Run

Here is how to run the Intel Common Base Agent CreateProcessA() Function Remote Command Execution as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Windows plugin family.
  6. On the right side table select Intel Common Base Agent CreateProcessA() Function Remote Command Execution plugin ID 38664.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl landesk_cba_createprocessa_cmd_exec.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a landesk_cba_createprocessa_cmd_exec.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - landesk_cba_createprocessa_cmd_exec.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state landesk_cba_createprocessa_cmd_exec.nasl -t <IP/HOST>

Go back to menu.

References

BID | SecurityFocus Bugtraq ID: IAVA | Information Assurance Vulnerability Alert:
  • 2009-A-0037
Secunia Advisory: CWE | Common Weakness Enumeration:
  • CWE-94 (Weakness) Improper Control of Generation of Code ('Code Injection')
See also: Similar and related Nessus plugins:
  • 25085 - LANDesk Management Suite Alert Service (aolnsrvr.exe) Remote Overflow
  • 103870 - Intel Wireless Driver Wi-Fi Protected Access II (WPA2) Multiple Vulnerabilities (KRACK)
  • 136670 - Intel® PROSet/Wireless WiFi Software x < 21.70.0 Multiple Vulnerabilities
  • 97997 - Intel Management Engine Insecure Read / Write Operations RCE (INTEL-SA-00075)
  • 104741 - Intel Management Engine Unspecified Multiple Vulnerabilities (INTEL-SA-00086)
  • 105151 - Intel Management Engine Multiple WPA2 Vulnerabilities (INTEL-SA-00101)
  • 137657 - Intel Converged Security Management Engine (CSME) Active Management Technology (AMT) Multiple Vulnerabilities (INTEL-SA-00295)
  • 97999 - Intel Management Engine Authentication Bypass (INTEL-SA-00075) (remote check)
  • 97998 - Intel Management Engine Insecure Read / Write Operations RCE (INTEL-SA-00075) (remote check)
  • 150859 - Intel Server Board M10JNP2SB Advisory (INTEL-SA-00474)
  • 125149 - Intel Microcode Updates for Windows 10 / Windows Server 2016 / Windows Server 2019 (May 2019) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)
  • 24012 - Acer LunchApp.APlunch ActiveX Arbitrary Command Execution
  • 34393 - CA BrightStor ARCserve Backup RPC Interface (asdbapi.dll) Traversal Arbitrary Command Execution
  • 62392 - Flexera AdminStudio LaunchProcess Function ActiveX Control Remote Command Execution
  • 80306 - Git for Windows .git/config Command Execution
  • 102494 - Git for Windows 2.7.x < 2.7.6 / 2.8.x < 2.8.6 / 2.9.x < 2.9.5 / 2.10.x < 2.10.4 / 2.11.x < 2.11.13 / 2.12.x < 2.12.4 / 2.13.x < 2.13.5 / 2.14.x < 2.14.1 Malicious SSH URL Command Execution
  • 80202 - GitHub for Windows < 2.6.5 .git/config Command Execution
  • 35689 - Google Chrome < 1.0.154.48 Cross-browser Command Execution
  • 57713 - McAfee Security-as-a-Service (SaaS) mcCIOScn.dll ShowReport Method Remote Command Execution
  • 102355 - McAfee Security Scan Plus < 3.11.587.1 Protection Level UI Element Download MitM Command Execution (TS102714)
  • 61719 - McAfee Virtual Technician ActiveX Control GetObject() Method Remote Command Execution (SB10028)
  • 66840 - Siemens Solid Edge WPHelper ActiveX Control OpenInEditor Method Arbitrary Command Execution
  • 80333 - Microsoft Visual Studio .gitconfig Command Execution
  • 44959 - Symantec Alert Management System 2 RCE (SYM09-007)

Version

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file landesk_cba_createprocessa_cmd_exec.nasl version 1.17. For more plugins, visit the Nessus Plugin Library.

Go back to menu.