greenbone / notus-scanner

Notus is a vulnerability scanner for creating results from local security checks

Home Page:https://greenbone.github.io/docs/

Some plugin of openvas scanner leads to a vulnerable host

montjoie opened this issue · comments

Hello

After some openvas scans, I found a report on one of my hosts:
Linux Home Folder Accessible (HTTP)

An httpd binary was running on my system and exporting my /root folder.
We spent a lot of time trying to find out how we were compromised, but in fact it was openvas which brought this up.

The httpd binary is the busybox httpd version and is present on a docker image. (So reachable via a long /var/lib/docker/xxx path)

One openvas plugin seems to "find" all httpd binaries everywhere and grab their version by running httpd -v.
BUT busybox httpd does not print its version via -v; -v enables verbose mode in that case.
Since openvas is logged in as root for the local vuln scan, the httpd is run from /root, publicly exposing .bash_history, .ssh etc.

To verify this theory, I created a fake /usr/bin/httpd shell script which dumps its arguments and parent process.
I started an openvas scan on this machine and saw that soon after, my binary was run.
The /proc/x/cmdline of the parent is /bin/sh-cLANG=C; LC_ALL=C; /usr/bin/httpd -v

Funny that scanning for vulnerabilities leads to starting a new one.

This happens with the full and fast default scan.
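The diagnostic stand-in the reporter describes, plus the check a practitioner would want before probing a binary with "-v", as an added example that is not the reporter's script and not code from the Greenbone scanners. It assumes Linux with /proc; the HTTPD_WRAPPER_LOG variable and the /tmp log path are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the issue or from the Greenbone scanners.
# Two helpers for investigating the behaviour described in the report:
#  - a diagnostic stand-in for a binary (the reporter used /usr/bin/httpd)
#    that records who invoked it and from where, without starting a server;
#  - a check that tells a BusyBox applet apart from a standalone binary, since
#    BusyBox httpd treats -v as "verbose", not "print version".
# Assumes Linux with /proc; HTTPD_WRAPPER_LOG is a hypothetical variable name.

LOGFILE="${HTTPD_WRAPPER_LOG:-/tmp/httpd-wrapper.log}"

# /proc/<pid>/cmdline stores argv NUL-separated; print it space-separated.
# Dropping the NULs instead is what produces a run-together capture such as
# "/bin/sh-cLANG=C; LC_ALL=C; /usr/bin/httpd -v".
proc_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null
}

# One log line: time, effective uid, working directory, our argv, parent's argv.
# The uid and cwd fields are the interesting ones for this report: a probe
# run as root from /root is exactly what turned the scan into an exposure.
describe_invocation() {
    printf '%s uid=%s cwd=%s argv=[%s] ppid=%s parent=[%s]\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -u)" "$PWD" "$*" \
        "$PPID" "$(proc_cmdline "$PPID")"
}

# Returns 0 if the path resolves to a BusyBox multi-call binary (applets are
# commonly installed as symlinks named after the applet). Hard-linked applets
# are not detected this way; inspecting the file contents would be needed.
is_busybox_applet() {
    case "$(basename "$(readlink -f "$1")")" in
        busybox*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Act as the stand-in only when installed under the impersonated name; when
# sourced or run under another name (e.g. for testing) just define the helpers.
if [ "$(basename "$0")" = httpd ]; then
    describe_invocation "$@" >> "$LOGFILE"
    # Deliberately exit without serving anything: a version probe only needs a
    # process that terminates, and nothing under $PWD gets exposed.
    exit 0
fi
```

Installed in place of the real binary (moved aside first), the log line shows the invoking user, the working directory and the parent command line, which is enough to tell a scanner probe apart from a real compromise.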

Some discussion around this happened now here:

https://forum.greenbone.net/t/the-gb-apache-http-server-xxx-plugin-lead-to-vulnerable-host/15856

As this is not an issue within the scanners (notus-scanner or openvas-scanner) this could be closed.