Insecure feature: Download Windows Executable #1228

@bananabr

Description

Expected behavior

  • Once created or updated, a credential's password should not be recoverable.
  • The downloaded Windows executable should not be able to do anything other than create the intended user.

Actual behavior

  • When the downloaded credential-{GUID}.exe file is executed, the credential's username and password are shown on the screen.
  • A non-privileged user can prevent AddUser.bat from being deleted from the disk and gain access to the credential's username and password.
  • A non-privileged user can craft an AdminGroupName.txt file for privilege-escalation/UAC-bypass purposes.

Steps to reproduce

  • When the downloaded credential-{GUID}.exe file is executed, the credential's username and password are shown on the screen.
  1. Download the latest virtual appliance from https://files.greenbone.net/download/VM/gsm-ce-6.0.7.iso
  2. Create a Username + Password credential according to https://docs.greenbone.net/GSM-Manual/gos-6/en/scanning.html#creating-a-credential
  3. Click on the Download Windows Executable icon associated with the new credential
  4. Run the downloaded executable as an administrator user while using any screen recorder software (set to 100fps or more) to record the installer execution.
  5. Review the recording contents and see the username and password displayed above the installer progress bar.

  • A non-privileged user can prevent AddUser.bat from being deleted from the disk and gain access to the credential's username and password.
  1. Download the latest virtual appliance from https://files.greenbone.net/download/VM/gsm-ce-6.0.7.iso
  2. Create a Username + Password credential according to https://docs.greenbone.net/GSM-Manual/gos-6/en/scanning.html#creating-a-credential
  3. Click on the Download Windows Executable icon associated with the new credential
  4. Before running the downloaded installer, create a file named AddUser.bat in the %TEMP% directory
  5. Open the file in any text editor and leave it open
  6. Run the installer
  7. Review the contents of the text file and gain access to the credential's username and password
  • A non-privileged user can craft an AdminGroupName.txt file for privilege-escalation/UAC-bypass purposes.
  1. Download the latest virtual appliance from https://files.greenbone.net/download/VM/gsm-ce-6.0.7.iso
  2. Create a Username + Password credential according to https://docs.greenbone.net/GSM-Manual/gos-6/en/scanning.html#creating-a-credential
  3. Click on the Download Windows Executable icon associated with the new credential
  4. Before running the downloaded installer, create a file named AdminGroupName.txt in the %TEMP% directory
  5. Set the file's contents to something like:
    {administrator's group name} {hostname}{credential username} /add & mshta vbscript:Execute("msgbox ""I could use this for privesc =]"":close") & echo
    A real example would be:
    Administrators MY-DESKTOP\test /add & mshta vbscript:Execute("msgbox ""I could use this for privesc =]"":close") & echo
  6. Set the read-only attribute on the AdminGroupName.txt file (attrib +R %TEMP%\AdminGroupName.txt)
  7. Run the installer and see a message box pop up.

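All three findings share one root cause: the installer stages the account creation through files in a world-writable, predictably named location (%TEMP%) and trusts what it finds there. As an added example, not code from the GVM project or its installer, the PowerShell below shows the hardened shape: the password stays a SecureString and never touches a batch file, the Administrators group is resolved by its well-known SID instead of being read from AdminGroupName.txt, and anything that must be written to disk goes into a freshly created, randomly named directory whose ACL excludes non-administrators. Function and parameter names are assumptions; it requires the LocalAccounts module (Windows 10 / Server 2016 and later) and an elevated session.

```powershell
# Added example: hardened equivalent of the downloaded installer's work.
# Function names are illustrative, not the project's own.

function New-ScanCredentialUser {
    param(
        [Parameter(Mandatory)] [string]       $UserName,
        [Parameter(Mandatory)] [securestring] $Password
    )

    # Accept only a plain SAM account name, so the value can never be
    # interpreted by a shell if it ends up in a command line.
    if ($UserName -notmatch '^[A-Za-z0-9_.-]{1,20}$') {
        throw "Invalid user name: '$UserName'"
    }

    # Resolve local Administrators by well-known SID rather than trusting a
    # group name read from a user-writable %TEMP%\AdminGroupName.txt.
    $adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'

    # Create the account through the API: the password stays a SecureString
    # and is never written to AddUser.bat or echoed to the console.
    $user = New-LocalUser -Name $UserName -Password $Password `
        -PasswordNeverExpires -UserMayNotChangePassword
    Add-LocalGroupMember -Group $adminGroup -Member $user
    return $user
}

function New-PrivateTempDirectory {
    # If a file must be written at all, use a fresh, unpredictable directory
    # that only Administrators and SYSTEM can access, so a low-privileged
    # user cannot pre-plant, hold open, or read files inside it.
    $path = Join-Path $env:TEMP ([System.IO.Path]::GetRandomFileName())
    $dir  = New-Item -ItemType Directory -Path $path -ErrorAction Stop

    $acl = Get-Acl -Path $dir.FullName
    $acl.SetAccessRuleProtection($true, $false)      # drop inherited ACEs
    foreach ($sid in 'S-1-5-32-544', 'S-1-5-18') {   # Administrators, SYSTEM
        $id   = New-Object System.Security.Principal.SecurityIdentifier $sid
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $dir.FullName -AclObject $acl
    return $dir.FullName
}

# Usage (in the real installer the password would come from the embedded credential):
# $pw = Read-Host -AsSecureString 'Password'
# New-ScanCredentialUser -UserName 'gvm-scan' -Password $pw
```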
GVM versions

gsa: (gsad --version)

gvm: (gvmd --version)

openvas: (openvas --version)

gvm-libs:

openvas-smb:

I couldn't run the recommended commands to get the versions.

Environment

Operating system:

DISTRIB_ID="Greenbone OS"
DISTRIB_RELEASE="6.0"
DISTRIB_CODENAME="mephisto"
DISTRIB_DESCRIPTION="Greenbone OS 6.0"
Linux gsm 4.19.0-0.bpo.8-amd64 greenbone/openvas-scanner#1 SMP Debian 4.19.98-1~bpo9+1 (2020-03-09) x86_64 GNU/Linux

Installation method / source: https://files.greenbone.net/download/VM/gsm-ce-6.0.7.iso
