The attacker first sends a carefully crafted request to the vulnerable Tenable.sc instance. When the server receives the request, it checks it against its blacklist configuration: if the requested file type matches a blacklisted entry, the server responds with 403 Forbidden. The attacker then sends a modified request that no longer matches a blacklist entry; because the check is a blacklist rather than an allowlist, the request is accepted whenever the server is configured to allow that file type. If the file type is blocked by other configuration, the server instead responds with 404 Not Found, so the status code itself tells the attacker which check rejected the request. A modified request that passes the check can carry arbitrary system commands, which the server then executes.

Vulnerable Package

The vulnerable package is Tenable.sc (Tenable Security Center), Tenable's on-premises vulnerability management platform, which enterprises use to run and manage Nessus scans across their infrastructure and to review the results through a web interface.

Vulnerable endpoint

The vulnerable endpoint is the Tenable.sc request handler that applies the blacklist check and responds with 403 Forbidden when the file type matches a blacklisted entry; the specific URL path is not identified here.

CVE-2023-0131

Under CVE-2023-0131, the blacklist check described above can be bypassed with a modified request. A file type that is blocked outside the blacklist yields 404 Not Found rather than 403 Forbidden, and a request that is accepted can carry arbitrary system commands that the server executes.

Testing Methodology:

One of the key components in testing a vulnerability is confirming that it is actually present. For this issue, that means verifying, against an instance you are authorized to test, that the server accepts a modified request which the blacklist should have rejected. Record the status code for each request: 403 Forbidden shows the blacklist matched, 404 Not Found shows the file type was blocked elsewhere, and an accepted request is the one to follow up on. To confirm command execution, use a benign, observable command rather than anything destructive.
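The bypass in the first section and the confirmation step described here both come down to the same weakness: a blacklist rejects only what it lists, so any variant that is not listed passes. The following is an added example, not code from the original page or from Tenable; it uses a hypothetical stand-in for the Tenable.sc handler with constructed extensions, paths and candidate filenames. It places the weak blacklist check beside an allowlist version and runs a probe loop that uses the 403/404/200 status codes as the oracle.

```python
"""Blacklist vs allowlist file-type checks, plus a probe loop that mirrors the
status-code oracle described above. Hypothetical stand-in for the Tenable.sc
handler; the extensions, paths and candidate names are constructed examples."""
import posixpath

# Constructed configuration (assumption; not Tenable.sc's real settings).
BLACKLIST = {".php", ".phtml", ".sh"}
ALLOWLIST = {".jpg", ".png", ".pdf"}
KNOWN_PATHS = {"/upload"}  # any other path answers 404, as described in the text


def blacklist_handler(path: str, filename: str) -> int:
    """Weak check: reject only names ending in a listed extension.
    Returns an HTTP status code: 403 = blacklist matched, 404 = unknown path,
    200 = accepted (the request goes on to be processed)."""
    if path not in KNOWN_PATHS:
        return 404
    # Exact-suffix match: case differences, unlisted extensions and
    # multi-extension names such as shell.php.jpg all slip past.
    if any(filename.endswith(ext) for ext in BLACKLIST):
        return 403
    return 200


def allowlist_handler(path: str, filename: str) -> int:
    """Hardened check: normalise the name, require exactly one extension,
    and accept only extensions that are explicitly allowed."""
    if path not in KNOWN_PATHS:
        return 404
    name = posixpath.basename(filename.strip()).lower()
    # Reject control characters, including NUL, which some stacks truncate on.
    if any(ord(c) < 32 for c in name):
        return 403
    stem, dot, ext = name.rpartition(".")
    # No extension, a leading-dot file such as .htaccess, or a double extension.
    if not dot or not stem or "." in stem:
        return 403
    if "." + ext not in ALLOWLIST:
        return 403
    return 200


def probe(handler, candidates):
    """Testing-methodology helper: send each candidate and report which ones
    the handler accepted. The status code is the oracle: 403 says a blacklist
    entry matched, 404 says the path is unknown, 200 says the name got through."""
    accepted = []
    for filename in candidates:
        if handler("/upload", filename) == 200:
            accepted.append(filename)
    return accepted


# Constructed candidates: the literal blocked name plus common blacklist evasions.
CANDIDATES = [
    "shell.php",          # blocked outright
    "shell.PHP",          # case variation
    "shell.phar",         # unlisted sibling extension
    "shell.php.jpg",      # double extension
    "shell.php\x00.jpg",  # NUL-truncation trick
    "photo.jpg",          # legitimate upload
]

if __name__ == "__main__":
    print("blacklist accepts:", probe(blacklist_handler, CANDIDATES))
    print("allowlist accepts:", probe(allowlist_handler, CANDIDATES))
```

Run against the blacklist handler, the probe accepts every candidate except the literal `shell.php`; against the allowlist handler only `photo.jpg` gets through. When probing a real instance, the same loop over candidate names, with the status code logged per request, is the confirmation step the methodology calls for.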

Conclusion

The vulnerable package (Tenable.sc) and the affected request handler are identified above, and a testing methodology is laid out: identify the vulnerable package, probe it with modified requests while recording the status codes, and compile the list of endpoints that accept requests the blacklist should have rejected.

Timeline

Published on: 01/14/2022 20:15:00 UTC
Last modified on: 01/22/2022 01:42:00 UTC

References