Timbuktu Pro < 8.6.7 PlughNTCommand Named Pipe Remote Stack Buffer Overflow - Nessus

Critical   Plugin ID: 39563

This page contains detailed information about the Timbuktu Pro < 8.6.7 PlughNTCommand Named Pipe Remote Stack Buffer Overflow Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 39563
Name: Timbuktu Pro < 8.6.7 PlughNTCommand Named Pipe Remote Stack Buffer Overflow
Filename: timbuktu_867.nasl
Vulnerability Published: N/A
This Plugin Published: 2009-06-28
Last Modification Time: 2018-11-15
Plugin Version: 1.17
Plugin Type: local
Plugin Family: Windows
Dependencies: smb_hotfixes.nasl
Required KB Items: SMB/Registry/Enumerated

Vulnerability Information


Severity: Critical
Vulnerability Published: N/A
Patch Published: N/A
CVE: CVE-2009-1394
CPE: N/A

Synopsis

The remote Windows host contains a program that is prone to a remote buffer overflow attack.

Description

The remote Windows host contains a version of Motorola Inc.'s Timbuktu Pro that is earlier than 8.6.7. Timbuktu Pro allows remote access to a computer's desktop, and versions before 8.6.7 reportedly contain a stack-based buffer overflow that can be triggered when the 'PlughNTCommand' named pipe receives an overly large character string. An unauthenticated, remote attacker can leverage this issue to crash the affected application or to execute arbitrary code with SYSTEM privileges.

Solution

Upgrade to Timbuktu Pro for Windows version 8.6.7 or later.

Public Exploits


Target Network Port(s): 139, 445
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, Core Impact)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Timbuktu Pro < 8.6.7 PlughNTCommand Named Pipe Remote Stack Buffer Overflow vulnerability:

  1. Metasploit: exploit/windows/smb/timbuktu_plughntcommand_bof
    [Timbuktu PlughNTCommand Named Pipe Buffer Overflow]
  2. Exploit-DB: exploits/windows/remote/16370.rb
    [EDB-16370: Timbuktu 8.6.6 - PlughNTCommand Named Pipe Buffer Overflow (Metasploit)]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS V2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVSS Base Score: 10.0 (High)
Impact Subscore: 10.0
Exploitability Subscore: 10.0
CVSS Temporal Score: 8.3 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 8.3 (High)


Plugin Source


This is the source code of the timbuktu_867.nasl Nessus plugin. This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(39563);
  script_version("1.17");
  script_cvs_date("Date: 2018/11/15 20:50:29");

  script_cve_id("CVE-2009-1394");
  script_bugtraq_id(35496);

  script_name(english:"Timbuktu Pro < 8.6.7 PlughNTCommand Named Pipe Remote Stack Buffer Overflow");
  script_summary(english:"Checks version of tb2pro.exe");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host contains a program that is prone to a remote
buffer overflow attack.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host contains a version of Motorola Inc.'s Timbuktu
Pro that is earlier than 8.6.7. Timbuktu Pro allows remote access to a
computer's desktop, and versions before 8.6.7 reportedly contain a
stack-based buffer overflow that can be triggered when the
'PlughNTCommand' named pipe receives an overly large character string.
An unauthenticated, remote attacker can leverage this issue to crash
the affected application or to execute arbitrary code with SYSTEM
privileges.");
  # http://www.verisigninc.com/en_US/cyber-security/security-intelligence/vulnerability-reports/articles/index.xhtml?id=809
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?34edc10d");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/504554/30/0/threaded");
  # ftp://ftp-xo.netopia.com/evaluation/docs/timbuktu/win/867/relnotes/TB2Win867Evalrn.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?41cf5a58");
  script_set_attribute(attribute:"solution", value:"Upgrade to Timbuktu Pro for Windows version 8.6.7 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Timbuktu PlughNTCommand Named Pipe Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_cwe_id(119);

  script_set_attribute(attribute:"plugin_publication_date", value:"2009/06/28");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}


include("global_settings.inc");
include("smb_func.inc");
include("audit.inc");


# Connect to the appropriate share.
if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);
name    =  kb_smb_name();
port    =  kb_smb_transport();
login   =  kb_smb_login();
pass    =  kb_smb_password();
domain  =  kb_smb_domain();



if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
  NetUseDel();
  exit(1, "Can't connect to IPC$ share.");
}


# Connect to remote registry.
hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  NetUseDel();
  exit(1, "Can't connect to remote registry.");
}


# Check whether it's installed.
path = NULL;

key = "SOFTWARE\Netopia\Timbuktu Pro";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (!isnull(key_h))
{
  value = RegQueryValue(handle:key_h, item:"InstallPath");
  if (!isnull(value))
  {
    path = value[1];
    path = ereg_replace(pattern:"^(.+)\\$", replace:"\1", string:path);
  }

  RegCloseKey(handle:key_h);
}
RegCloseKey(handle:hklm);
if (isnull(path))
{
  NetUseDel();
  exit(0, "Timbuktu Pro is not installed.");
}


# Check the version of the main exe.
share = ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:path);
exe =  ereg_replace(pattern:"^[A-Za-z]:(.*)", replace:"\1\tb2pro.exe", string:path);
NetUseDel(close:FALSE);
rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
  NetUseDel();
  exit(1, "Can't connect to "+share+" share.");
}

fh = CreateFile(
  file:exe,
  desired_access:GENERIC_READ,
  file_attributes:FILE_ATTRIBUTE_NORMAL,
  share_mode:FILE_SHARE_READ,
  create_disposition:OPEN_EXISTING
);
ver = NULL;
if (!isnull(fh))
{
  ver = GetFileVersion(handle:fh);
  CloseFile(handle:fh);
}
NetUseDel();


# Check the version number.
if (!isnull(ver))
{
  version = string(ver[0], ".", ver[1], ".", ver[2]);

  fix = split("8.6.7.1379", sep:'.', keep:FALSE);
  for (i=0; i<max_index(fix); i++)
    fix[i] = int(fix[i]);

  for (i=0; i<max_index(ver); i++)
    if ((ver[i] < fix[i]))
    {
      if (report_verbosity > 0)
      {
        report = string(
          "\n",
          "  Version : ", version, "\n",
          "  Path    : ", path, "\n"
        );
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    else if (ver[i] > fix[i])
      break;

  exit(0, "Timbuktu Pro version "+version+" is installed and not vulnerable.");
}
else exit(1, "Couldn't get file version of '"+exe+"'.");
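The plugin above performs its check over SMB; the following PowerShell script is an added example (not Tenable's code) that performs the equivalent check locally on a Windows host, for confirming remediation without a scanner. It reads the same registry value, locates tb2pro.exe and compares its four-part file version against the 8.6.7.1379 threshold the plugin uses; the WOW6432Node path is an assumption covering a 32-bit install on 64-bit Windows, which the plugin does not mention.

```powershell
# Added example: reproduce the timbuktu_867.nasl check on the host itself.
# Registry key, value name, executable and fixed version are taken from the plugin source.
$keyPaths = @(
    'HKLM:\SOFTWARE\Netopia\Timbuktu Pro',
    'HKLM:\SOFTWARE\WOW6432Node\Netopia\Timbuktu Pro'   # assumed: 32-bit view on 64-bit Windows
)
$fixedVer = [version]'8.6.7.1379'

# First key that carries an InstallPath value wins; missing keys/values are ignored quietly.
$install = $keyPaths |
    ForEach-Object { Get-ItemProperty -Path $_ -Name 'InstallPath' -ErrorAction SilentlyContinue } |
    Select-Object -First 1
if (-not $install) {
    Write-Output 'Timbuktu Pro is not installed (no InstallPath value found).'
    return
}

# Strip a trailing backslash, as the plugin's ereg_replace does, then locate the main exe.
$installPath = $install.InstallPath.TrimEnd('\')
$exe = Join-Path -Path $installPath -ChildPath 'tb2pro.exe'
if (-not (Test-Path -Path $exe -PathType Leaf)) {
    Write-Output "Couldn't find '$exe'."
    return
}

# Build a [version] from the numeric file-version parts rather than the free-form
# FileVersion string, which vendors sometimes pad with text.
$vi  = (Get-Item -Path $exe).VersionInfo
$ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                      $vi.FileBuildPart, $vi.FilePrivatePart)

# [version] compares component-wise (major, minor, build, revision), matching the plugin's loop.
if ($ver -lt $fixedVer) {
    Write-Output ("VULNERABLE: tb2pro.exe {0} at {1} is older than {2}; upgrade to Timbuktu Pro 8.6.7 or later." -f $ver, $installPath, $fixedVer)
} else {
    Write-Output ("OK: tb2pro.exe {0} at {1} is not affected." -f $ver, $installPath)
}
```

Run it in an elevated PowerShell session so the registry key and the program directory are readable.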

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/timbuktu_867.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\timbuktu_867.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/timbuktu_867.nasl


How to Run


Here is how to run the Timbuktu Pro < 8.6.7 PlughNTCommand Named Pipe Remote Stack Buffer Overflow plugin on its own via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Windows plugin family.
  6. On the right side table select Timbuktu Pro < 8.6.7 PlughNTCommand Named Pipe Remote Stack Buffer Overflow plugin ID 39563.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl timbuktu_867.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a timbuktu_867.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - timbuktu_867.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state timbuktu_867.nasl -t <IP/HOST>


References


BID | SecurityFocus Bugtraq ID: 35496
CWE | Common Weakness Enumeration:
  • CWE-119 (Weakness) Improper Restriction of Operations within the Bounds of a Memory Buffer
See also: Similar and related Nessus plugins:
  • 33227 - Novell iPrint Client for Windows ienipp.ocx ActiveX Multiple Variable Overflow
  • 33484 - Sony ImageStation AxRUploadServer.AxRUploadControl ActiveX (AxRUploadServer.dll) SetLogging Method Overflow
  • 33859 - WebEx Meeting Manager WebexUCFObject ActiveX Control Buffer Overflow
  • 34021 - Anzio Web Print Object (WePO) ActiveX mainurl Parameter Buffer Overflow
  • 34412 - MS08-059: Microsoft Host Integration Server (HIS) SNA RPC Request Remote Overflow (956695) (uncredentialed check)
  • 34471 - mIRC PRIVMSG Handling Remote Buffer Overflow
  • 34472 - LPViewer ActiveX Control Multiple Buffer Overflow Vulnerabilities
  • 34490 - Trend Micro OfficeScan HTTP Request Remote Buffer Overflow
  • 34730 - VLC Media Player 0.5.0 to 0.9.5 Stack-Based Buffer Overflows
  • 35608 - UltraVNC Viewer < 1.0.5.4 Multiple Integer Overflows
  • 35702 - TightVNC Viewer < 1.3.10 Multiple Integer Overflows
  • 35788 - Winamp < 5.55 AIFF File Handling Overflow
  • 38734 - Microsoft Whale Client Components ActiveX (WhlMgr.dll) Multiple Method Overflows
  • 38858 - Winamp < 5.552 Modern Skins Support Module (gen_ff.dll) MAKI File Handling Overflow
  • 38951 - ImageMagick < 6.5.2-9 magick/xwindow.c XMakeImage() Function TIFF File Handling Overflow
  • 38977 - IBM Access Support ActiveX Control GetXMLValue Method Overflow
  • 38985 - Apple iTunes < 8.2 itms: URI Handling Overflow (credentialed check)
  • 39809 - eEye Retina Wireless Scanner .rws Handling Buffer Overflow
  • 40333 - Wyse Device Manager Buffer Overflow
  • 40617 - SAP SAPgui MDrmSap ActiveX (mdrmsap.dll) Buffer Overflow
  • 41060 - Apple iTunes < 9.0.1 PLS File Buffer Overflow (credentialed check)
  • 41958 - Google Chrome < 3.0.195.24 dtoa Implementation Remote Overflow
  • 42372 - Altiris ConsoleUtilities 'BrowseAndSaveFile()' ActiveX Control Buffer Overflow
  • 42977 - Altiris ConsoleUtilities ActiveX RunCmd Method Overflow
  • 43060 - Novell iPrint Client < 5.32 Multiple Overflows
  • 44338 - Wireshark / Ethereal Dissector LWRES Multiple Buffer Overflows
  • 45593 - HP Operations Manager SourceView ActiveX LoadFile / SaveFile Stack Overflows
  • 46733 - SyncBack Profile File Remote Buffer Overflow
  • 47701 - Xftp < 3.0 Build 242 LIST Response Buffer Overflow
  • 48323 - QuickTime < 7.6.7 QuickTimeStreaming.qtx SMIL File Debug Logging Overflow (Windows)
  • 50382 - Firefox < 3.5.15 Buffer Overflow
  • 50383 - Firefox 3.6 < 3.6.12 Buffer Overflow
  • 50384 - Mozilla Thunderbird < 3.0.10 Buffer Overflow
  • 50385 - Mozilla Thunderbird 3.1 < 3.1.6 Buffer Overflow

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file timbuktu_867.nasl version 1.17. For more plugins, visit the Nessus Plugin Library.
