Merge pull request #13682 from projectdiscovery/Added-CVE-2021-27877

Added CVE-2021-27877 + fixed cvnd templates

http/cnvd/2022/CNVD-2022-36985.yaml

@@ -13,7 +13,6 @@ info:
     cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
     cvss-score: 10
     cwe-id: CWE-89
-    cnvd-id: CNVD-2022-36985
     cpe: cpe:2.3:a:wuzhicms:wuzhicms:*:*:*:*:*:*:*:*
   metadata:
     verified: true

http/cnvd/2023/CNVD-2023-48562.yaml

@@ -10,7 +10,6 @@ info:
     - https://peiqi.wgpsec.org/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9AT+%20GetStoreWarehouseByStore%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html
     - https://github.com/MrWQ/vulnerability-paper/blob/7551f7584bd35039028b1d9473a00201ed18e6b2/bugs/%E7%95%85%E6%8D%B7%E9%80%9A%20T%2B%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md
   classification:
-    cnvd-id: CNVD-2023-48562
   metadata:
     verified: true
     max-request: 1

network/cves/2021/CVE-2021-27877.yaml

@@ -0,0 +1,139 @@
+id: CVE-2021-27877
+
+info:
+  name: Veritas Backup Exec - Broken Authentication
+  author: pussycat0x,DhiyaneshDK
+  severity: high
+  description: |
+    An issue was discovered in Veritas Backup Exec before 21.2. It supports multiple authentication schemes- SHA authentication is one of these. This authentication scheme is no longer used in current versions of the product, but hadn't yet been disabled. An attacker could remotely exploit this scheme to gain unauthorized access to an Agent and execute privileged commands.
+  reference:
+    - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/veritas/beagent_sha_auth_rce.rb
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
+    cvss-score: 8.2
+    cve-id: CVE-2021-27877
+    epss-score: 0.0097
+    epss-percentile: 0.75585
+    cpe: cpe:2.3:a:veritas:backup_exec:*:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    vendor: veritas
+    product: backup_exec
+    shodan-query: product:"Veritas Backup Exec"
+  tags: cve,cve2021,network,js,tcp,passive,kev
+
+javascript:
+  - pre-condition: |
+      isPortOpen(Host,Port);
+
+    code: |
+      let packet = bytes.NewBuffer();
+      const c = require("nuclei/net");
+      const cmd = "80000018000000010000000000000000000001080000000000000000"
+      packet.WriteString(cmd)
+      let conn = c.Open('tcp', `${Host}:${Port}`);
+      conn.SendHex(packet);
+      const result = conn.RecvFullString();
+
+      // Function to extract ASCII strings from various formats
+      function extractAsciiStrings(data) {
+        let asciiStrings = [];
+        let currentString = '';
+
+        if (data.includes('\\x')) {
+          // Split by \x and process each part
+          const parts = data.split('\\x');
+
+          for (let i = 1; i < parts.length; i++) { // Skip first empty part
+            const part = parts[i];
+
+            if (part.length === 0) continue;
+
+            // Handle single character
+            if (part.length === 1) {
+              const charCode = part.charCodeAt(0);
+              if (charCode >= 32 && charCode <= 126) { // Printable ASCII
+                currentString += part;
+              } else {
+                // End current string if we hit non-printable
+                if (currentString.length > 0) {
+                  asciiStrings.push(currentString);
+                  currentString = '';
+                }
+              }
+            } else if (part.length === 2) {
+              // Try to parse as hex
+              const hexValue = parseInt(part, 16);
+              if (!isNaN(hexValue) && hexValue >= 32 && hexValue <= 126) {
+                currentString += String.fromCharCode(hexValue);
+              } else {
+                // End current string if we hit non-printable
+                if (currentString.length > 0) {
+                  asciiStrings.push(currentString);
+                  currentString = '';
+                }
+              }
+            } else {
+              // Multiple characters - process each
+              for (let j = 0; j < part.length; j++) {
+                const charCode = part.charCodeAt(j);
+                if (charCode >= 32 && charCode <= 126) {
+                  currentString += part[j];
+                } else {
+                  // End current string if we hit non-printable
+                  if (currentString.length > 0) {
+                    asciiStrings.push(currentString);
+                    currentString = '';
+                  }
+                }
+              }
+            }
+          }
+        } else {
+          // If not \x format, process as raw string
+          for (let i = 0; i < data.length; i++) {
+            const charCode = data.charCodeAt(i);
+            if (charCode >= 32 && charCode <= 126) { // Printable ASCII
+              currentString += data[i];
+            } else {
+              // End current string if we hit non-printable
+              if (currentString.length > 0) {
+                asciiStrings.push(currentString);
+                currentString = '';
+              }
+            }
+          }
+        }
+
+        // Add final string if exists
+        if (currentString.length > 0) {
+          asciiStrings.push(currentString);
+        }
+
+        // Filter out empty strings and return non-empty ones
+        return asciiStrings.filter(s => s.length > 0);
+      }
+
+      const asciiStrings = extractAsciiStrings(result);
+      const cleanResult = asciiStrings.join(' ');
+
+      Export(ToString(cleanResult));
+
+    args:
+      Host: "{{Host}}"
+      Port: 10000
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "success == true"
+          - "compare_versions(version, '< 9.3')"
+        condition: and
+
+    extractors:
+      - type: regex
+        part: response
+        group: 1
+        name: version
+        regex:
+          - 'Remote Agent for NT ([0-9.]+)'