Flaw in Nessus under Windows puts pentesters at risk
The maker of the vulnerability scanner Nessus has released version 3.0.6.1 for Windows, which fixes a bug that could have opened the penetration tester itself to penetration. Two exploits for the application have been published on Milw0rm. According to Tenable, under Windows the Nessus GUI (scan.dll) registers an ActiveX control that exposes the functions addsetConfig, deleteReport and saveNessusRC, which can be invoked remotely from script. This can be exploited to create or delete files on the PC and to pass commands to the Windows shell for execution. The latter requires just three lines of JavaScript:
<script language="javascript">
obj.addsetConfig('shutdown -t 1000 -s -c "hello world ;]" && pause', '', '');
</script>
The attack does, however, require the user to visit a prepared web page. All versions of Nessus 3.0.x for Windows are affected. Users are urged to update to the new version.
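For administrators who cannot roll out 3.0.6.1 immediately, the following PowerShell script is an added example (not from the article, from Tenable, or from Milw0rm) that checks whether an affected Nessus 3.0.x build is installed and whether Internet Explorer's kill bit is set for the scan.dll control, which stops IE from instantiating it from a web page. The article does not give the control's CLSID, so the value below is a placeholder to be replaced from Tenable's advisory; the lookup of the installed version through the Windows uninstall registry keys is also an assumption about how the Nessus installer registers itself.

```powershell
# Added example: detect an affected Nessus 3.0.x install and check/set the
# ActiveX kill bit for the scan.dll control as an interim mitigation.
# ASSUMPTION: the CLSID is not given in the article; replace this placeholder
# with the real CLSID of the Nessus control from Tenable's advisory.
$ControlClsid = '{00000000-0000-0000-0000-000000000000}'   # placeholder
$FixedVersion = [version]'3.0.6.1'

function Get-NessusInstall {
    # Read the installed Nessus version from the uninstall keys (assumption:
    # the installer registers a DisplayName beginning with "Nessus").
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Nessus*' -and $_.DisplayVersion } |
        Select-Object -First 1 -Property DisplayName, DisplayVersion
}

function Test-NessusVulnerable {
    param([string]$InstalledVersion)
    # Every 3.0.x build before 3.0.6.1 is affected according to the article.
    $v = [version]$InstalledVersion
    return ($v.Major -eq 3 -and $v.Minor -eq 0 -and $v -lt $FixedVersion)
}

function Test-KillBit {
    param([string]$Clsid)
    # The kill bit is bit 0x400 of "Compatibility Flags" under IE's ActiveX
    # Compatibility key; when set, IE refuses to load the control.
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [bool](([int]$flags) -band 0x400)
}

function Set-KillBit {
    param([string]$Clsid)
    # Interim mitigation until the update is installed; needs an elevated shell.
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord -Value (([int]$flags) -bor 0x400)
}

$install = Get-NessusInstall
if (-not $install) {
    Write-Output 'Nessus is not installed on this host.'
} elseif (Test-NessusVulnerable $install.DisplayVersion) {
    Write-Output "$($install.DisplayName) $($install.DisplayVersion) is affected; update to $FixedVersion."
    if (-not (Test-KillBit $ControlClsid)) {
        Write-Output "Kill bit not set for $ControlClsid; run Set-KillBit $ControlClsid from an elevated shell as an interim mitigation."
    }
} else {
    Write-Output "$($install.DisplayName) $($install.DisplayVersion) is not affected."
}
```

The kill bit only blocks instantiation from Internet Explorer and does not remove the control or the scriptable functions, so it is a stopgap; installing 3.0.6.1 remains the actual fix.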
- Nessus Vulnerability Scanner 3.0.6 ActiveX 0day Remote Code Execution Exploit, security advisory from Krystian Kloskowski
- Nessus Vulnerability Scanner 3.0.6 ActiveX deleteReport() 0day Remote Delete File Exploit, security advisory from Krystian Kloskowski
(mba)