Acunetix WVS 10 – Remote command execution SYSTEM privilege

– Author: Daniele Linguaglossa

Overview
=========
Acunetix WVS 10 [1] is an enterprise web vulnerability scanner developed by Acunetix Inc.

Two major flaws exist in the latest version of Acunetix; together these bugs allow a remote attacker
to execute commands in the context of the application with SYSTEM privileges.

Details
==========
The first flaw lies in the way Acunetix renders some HTML elements inside its GUI: it
uses jscript.dll without any concern for unsafe ActiveX objects such as WScript.Shell.
When Acunetix triggers a vulnerability during a scan session it saves a local HTML file with the
content of the page, so it is possible to trigger a fake vulnerability and insert JavaScript
that triggers the remote command execution.

The second flaw concerns the Acunetix scheduler [2]. The scheduler allows websites to be
scanned programmatically without any user interaction; scans can be scheduled via the web
interface on 127.0.0.1:8183.
Like any Acunetix scan, it performs some tests on the targeted host before the real scan,
and these tests are executed by scripts in the folder

C:\ProgramData\Acunetix WVS 10\Data\Scripts

icacls shows bad permissions on this folder, so any user (even Guest) is able to
replace these custom checks with their own (remember the first flaw with jscript.dll) 😀

C:\ProgramData\Acunetix WVS 10\Data>icacls Scripts
Scripts Everyone:(OI)(CI)(M)
        Everyone:(I)(OI)(CI)(M)
        NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
        BUILTIN\Administrators:(I)(OI)(CI)(F)
        CREATOR OWNER:(I)(OI)(CI)(IO)(F)
        BUILTIN\Users:(I)(OI)(CI)(RX)
        BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA) <—- UNSAFE [3]

Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file

C:\ProgramData\Acunetix WVS 10\Data>

With these two flaws in mind I wrote a small exploit which is able to obtain RCE via
a meterpreter shell; there are, however, some requirements:

1) The target must have a VBS script interpreter
2) The target must have the scheduler service
3) The target must be Windows

Exploit
==========

https://github.com/dzonerzy/acunetix_0day

https://www.youtube.com/watch?v=gWcRlam59Fs (video proof)

Solution
==========

JScript should be used with restricted ActiveX, and the permissions on C:\ProgramData\Acunetix WVS 10\Data
must be fixed!
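The following PowerShell script is an added example, not part of the original advisory or of the Acunetix product: it audits the ACL of the Scripts folder shown above for entries that grant broad principals the write rights (WD, AD, WEA, WA, or Modify/Full Control, which include them) that let the custom checks be replaced, and with -Fix removes those entries. The folder path is the one from the advisory; the set of "broad" principals (Everyone, BUILTIN\Users, Authenticated Users) is an assumption.

```powershell
# Added example (not from the advisory): audit/fix write access for broad
# principals on the Acunetix Scripts folder that the SYSTEM service executes from.
param(
    [string]$Path = 'C:\ProgramData\Acunetix WVS 10\Data\Scripts',  # path from the advisory
    [switch]$Fix   # remove the offending ACEs instead of only reporting them
)

# Compared by well-known SID so the check also works on localized Windows:
# Everyone, BUILTIN\Users, Authenticated Users (assumed set of "broad" groups).
$BroadSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11')

# Rights that allow creating or modifying files in the folder. WD/AD/WEA/WA in
# icacls output map to these; Modify (M) and FullControl (F) include them.
$WriteRights = [System.Security.AccessControl.FileSystemRights] `
    'WriteData, AppendData, WriteExtendedAttributes, WriteAttributes'

function Test-UnsafeAce($Ace) {
    $sid = $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    return ($Ace.AccessControlType -eq 'Allow') -and ($BroadSids -contains $sid) -and
           (([int]$Ace.FileSystemRights -band [int]$WriteRights) -ne 0)
}

$acl = Get-Acl -LiteralPath $Path
$unsafe = @($acl.Access | Where-Object { Test-UnsafeAce $_ })

if ($unsafe.Count -eq 0) {
    Write-Output "OK: no broad principal can write to $Path"
    return
}
foreach ($ace in $unsafe) {
    Write-Output ('UNSAFE: {0} -> {1} (inherited: {2})' -f
        $ace.IdentityReference, $ace.FileSystemRights, $ace.IsInherited)
}

if ($Fix) {
    # Inherited ACEs cannot be removed directly: first break inheritance while
    # keeping the current entries as explicit ones, then drop the unsafe ones.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in @($acl.Access)) {
        if (Test-UnsafeAce $ace) { [void]$acl.RemoveAccessRuleSpecific($ace) }
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
    Write-Output 'Unsafe ACEs removed; re-run without -Fix to verify.'
}
```

Run without -Fix from any account to detect the weak ACL; -Fix needs an elevated prompt because Set-Acl requires ownership or administrative rights on the folder.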

Footnotes
_________

[1] http://www.acunetix.com/
[2] http://www.acunetix.com/support/docs/wvs/scheduling-scans/
[3] https://support.microsoft.com/it-it/kb/919240