From e67ee3337a6adcd84e62b53b1c881110bddf5391 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Wed, 22 Oct 2025 14:38:54 +0530 Subject: [PATCH 1/2] Added CVE-2021-27877 + fixed cvnd templates --- http/cnvd/2022/CNVD-2022-36985.yaml | 1 - http/cnvd/2023/CNVD-2023-48562.yaml | 1 - network/cves/2021/CVE-2021-27877.yaml | 141 ++++++++++++++++++++++++++ 3 files changed, 141 insertions(+), 2 deletions(-) create mode 100644 network/cves/2021/CVE-2021-27877.yaml diff --git a/http/cnvd/2022/CNVD-2022-36985.yaml b/http/cnvd/2022/CNVD-2022-36985.yaml index 7111b26b639..34364260613 100644 --- a/http/cnvd/2022/CNVD-2022-36985.yaml +++ b/http/cnvd/2022/CNVD-2022-36985.yaml @@ -13,7 +13,6 @@ info: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10 cwe-id: CWE-89 - cnvd-id: CNVD-2022-36985 cpe: cpe:2.3:a:wuzhicms:wuzhicms:*:*:*:*:*:*:*:* metadata: verified: true diff --git a/http/cnvd/2023/CNVD-2023-48562.yaml b/http/cnvd/2023/CNVD-2023-48562.yaml index 4ce524bb3c3..ad27948ec44 100644 --- a/http/cnvd/2023/CNVD-2023-48562.yaml +++ b/http/cnvd/2023/CNVD-2023-48562.yaml @@ -10,7 +10,6 @@ info: - https://peiqi.wgpsec.org/wiki/webapp/%E7%94%A8%E5%8F%8B/%E7%94%A8%E5%8F%8B%20%E7%95%85%E6%8D%B7%E9%80%9AT+%20GetStoreWarehouseByStore%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.html - https://github.com/MrWQ/vulnerability-paper/blob/7551f7584bd35039028b1d9473a00201ed18e6b2/bugs/%E7%95%85%E6%8D%B7%E9%80%9A%20T%2B%20%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md classification: - cnvd-id: CNVD-2023-48562 metadata: verified: true max-request: 1 diff --git a/network/cves/2021/CVE-2021-27877.yaml b/network/cves/2021/CVE-2021-27877.yaml new file mode 100644 index 00000000000..32e21ee1036 --- /dev/null +++ b/network/cves/2021/CVE-2021-27877.yaml 
@@ -0,0 +1,141 @@
+id: CVE-2021-27877
+
+info:
+ name: Veritas Backup Exec - Broken Authentication
+ author: pussycat0x,DhiyaneshDK
+ severity: high
+ description: |
+ An issue was discovered in Veritas Backup Exec before 21.2. It supports multiple authentication schemes- SHA authentication is one of these. This authentication scheme is no longer used in current versions of the product, but hadn't yet been disabled. An attacker could remotely exploit this scheme to gain unauthorized access to an Agent and execute privileged commands.
+ reference:
+ - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/veritas/beagent_sha_auth_rce.rb
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
+ cvss-score: 8.2
+ cve-id: CVE-2021-27877
+ epss-score: 0.0097
+ epss-percentile: 0.75585
+ cpe: cpe:2.3:a:veritas:backup_exec:*:*:*:*:*:*:*:*
+ metadata:
+ verified: true
+ vendor: veritas
+ product: backup_exec
+ shodan-query: product:"Veritas Backup Exec"
+ tags: cve,cve2021,network,js,tcp,passive,kev
+
+javascript:
+ - pre-condition: |
+ isPortOpen(Host,Port);
+
+ code: |
+ let packet = bytes.NewBuffer();
+ const c = require("nuclei/net");
+ const cmd = "80000018000000010000000000000000000001080000000000000000"
+ packet.WriteString(cmd)
+ let conn = c.Open('tcp', `${Host}:${Port}`);
+ conn.SendHex(packet);
+ const result = conn.RecvFullString();
+
+ // Function to extract ASCII strings from various formats
+ function extractAsciiStrings(data) {
+ let asciiStrings = [];
+ let currentString = '';
+
+
+ // Check if data contains \x format
+ if (data.includes('\\x')) {
+ // Split by \x and process each part
+ const parts = data.split('\\x');
+
+ for (let i = 1; i < parts.length; i++) { // Skip first empty part
+ const part = parts[i];
+
+ if (part.length === 0) continue;
+
+ // Handle single character
+ if (part.length === 1) {
+ const charCode = part.charCodeAt(0);
+ if (charCode >= 32 && charCode <= 126) { // Printable ASCII
+ currentString += part;
+ } else {
+ // End current string if we hit non-printable
+ if (currentString.length > 0) {
+ asciiStrings.push(currentString);
+ currentString = '';
+ }
+ }
+ } else if (part.length === 2) {
+ // Try to parse as hex
+ const hexValue = parseInt(part, 16);
+ if (!isNaN(hexValue) && hexValue >= 32 && hexValue <= 126) {
+ currentString += String.fromCharCode(hexValue);
+ } else {
+ // End current string if we hit non-printable
+ if (currentString.length > 0) {
+ asciiStrings.push(currentString);
+ currentString = '';
+ }
+ }
+ } else {
+ // Multiple characters - process each
+ for (let j = 0; j < part.length; j++) {
+ const charCode = part.charCodeAt(j);
+ if (charCode >= 32 && charCode <= 126) {
+ currentString += part[j];
+ } else {
+ // End current string if we hit non-printable
+ if (currentString.length > 0) {
+ asciiStrings.push(currentString);
+ currentString = '';
+ }
+ }
+ }
+ }
+ }
+ } else {
+ // If not \x format, process as raw string
+ for (let i = 0; i < data.length; i++) {
+ const charCode = data.charCodeAt(i);
+ if (charCode >= 32 && charCode <= 126) { // Printable ASCII
+ currentString += data[i];
+ } else {
+ // End current string if we hit non-printable
+ if (currentString.length > 0) {
+ asciiStrings.push(currentString);
+ currentString = '';
+ }
+ }
+ }
+ }
+
+ // Add final string if exists
+ if (currentString.length > 0) {
+ asciiStrings.push(currentString);
+ }
+
+ // Filter out empty strings and return non-empty ones
+ return asciiStrings.filter(s => s.length > 0);
+ }
+
+ const asciiStrings = extractAsciiStrings(result);
+ const cleanResult = asciiStrings.join(' ');
+
+ Export(ToString(cleanResult));
+
+ args:
+ Host: "{{Host}}"
+ Port: 10000
+
+ matchers:
+ - type: dsl
+ dsl:
+ - "success == true"
+ - "compare_versions(version, '< 9.3')"
+ condition: and
+
+ extractors:
+ - type: regex
+ part: response
+ group: 1
+ name: version
+ regex:
+ - 'Remote Agent for NT ([0-9.]+)'
\ No newline at end of file
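Review bot: The matcher's `compare_versions(version, '< 9.3')` does not visibly agree with the description, which scopes the flaw to Backup Exec before 21.2; if 9.x is the Remote Agent's own banner versioning rather than the product version, that mapping should be stated beside the matcher, e.g. `# version is the 'Remote Agent for NT' banner version, not the product version; TODO confirm 9.3 is the fixed agent release`. The connection from `c.Open` is never released; add `conn.Close();` once `RecvFullString()` has returned (in a `finally` so a receive error does not skip it) so a large scan does not accumulate open sockets. `bytes.NewBuffer()` is used with no `require("nuclei/bytes")`, and the Buffer object rather than a hex string is passed to `conn.SendHex`; since `cmd` is already a hex string, `conn.SendHex(cmd);` looks simpler, but confirm against the runtime's API. The `passive` tag also seems inconsistent with a template that writes a crafted packet to the agent port.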
From 1b0977c6e15e643f378b47abf700f8bcd02b131c Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Wed, 22 Oct 2025 14:49:19 +0530 Subject: [PATCH 2/2] Refactor extractAsciiStrings function for clarity --- network/cves/2021/CVE-2021-27877.yaml | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/network/cves/2021/CVE-2021-27877.yaml b/network/cves/2021/CVE-2021-27877.yaml index 32e21ee1036..6d053677f23 100644 --- a/network/cves/2021/CVE-2021-27877.yaml +++ b/network/cves/2021/CVE-2021-27877.yaml @@ -34,23 +34,21 @@ javascript: let conn = c.Open('tcp', `${Host}:${Port}`); conn.SendHex(packet); const result = conn.RecvFullString(); - + // Function to extract ASCII strings from various formats function extractAsciiStrings(data) { let asciiStrings = []; let currentString = ''; - - - // Check if data contains \x format + if (data.includes('\\x')) { // Split by \x and process each part const parts = data.split('\\x'); - + for (let i = 1; i < parts.length; i++) { // Skip first empty part const part = parts[i]; - + if (part.length === 0) continue; - + // Handle single character if (part.length === 1) { const charCode = part.charCodeAt(0); @@ -106,19 +104,19 @@ javascript: } } } - + // Add final string if exists if (currentString.length > 0) { asciiStrings.push(currentString); } - + // Filter out empty strings and return non-empty ones return asciiStrings.filter(s => s.length > 0); } - + const asciiStrings = extractAsciiStrings(result); const cleanResult = asciiStrings.join(' '); - + Export(ToString(cleanResult)); args: @@ -138,4 +136,4 @@ javascript: group: 1 name: version regex: - - 'Remote Agent for NT ([0-9.]+)' \ No newline at end of file + - 'Remote Agent for NT ([0-9.]+)'