Detections
Analytics

Narcissus backend.php release Parameter Remote Command Execution

high Nessus Plugin ID 63111

Language:

Synopsis

The remote web server hosts a PHP script that allows arbitrary command execution.

Description

The remote web server hosts Narcissus, an online tool for the Angstrom distribution, used to create 'rootfs' images for embedded devices.

The version of Narcissus hosted on the remote web server fails to properly sanitize user-supplied input in a POST request to the 'release' parameter of the 'backend.php' script, when 'action' is set to 'configure_image', before using it in a call to PHP's 'passthru()' function. An unauthenticated, remote attacker can leverage this issue to execute arbitrary code on the remote host subject to the privileges of the web server user.

Solution

Apply the vendor-supplied patch from the referenced URL.

See Also

http://www.nessus.org/u?7a08415b

Plugin Details

Severity: High

ID: 63111

File Name: angstrom_narcissus_backend_cmd_exec.nasl

Version: 1.8

Type: remote

Family: CGI abuses

Published: 11/30/2012

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Vulnerability Information

CPE: x-cpe:/a:angstrom:narcissus

Required KB Items: www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/15/2012

Vulnerability Publication Date: 11/14/2012

Exploitable With

Metasploit (Narcissus Image Configuration Passthru Vulnerability)

Elliot (Narcissus RCE)

Reference Information

BID: 56511