The attacker would then have to send a carefully crafted request to the vulnerable Tenable.sc instance. When the server received the request, it would check the request against its blacklist configuration, and if the request matched any of the blacklisted file types, it would respond with a 403 Unauthorized error code. The attacker could then send a modified request to the vulnerable instance, which would be accepted if the server was configured to allow the file type. If the server was configured to block the file type, the server would respond with an error code of 404 Not Found. The attacker would then receive a response containing arbitrary system commands that could be executed by the server.
The vulnerable package is Tenable.sc, a software package that allows enterprises to manage and access their infrastructure remotely.
The vulnerable endpoint was the Tenable.sc instance that received the request and responded with a 403 Unauthorized error code.
If the vulnerable instance was configured to block the file type, it would respond with an error code of 404 Not Found. The attacker would then receive a response containing arbitrary system commands that could be executed by the server.
One of the key components in testing a vulnerability is being able to confirm that the vulnerability is present. To do so, it is important to verify that the vulnerable instance will accept a malicious request and execute any system commands.
A vulnerable package and an endpoint are identified. A methodology for testing is laid out that includes identifying vulnerable packages, testing them, and compiling a list of vulnerable endpoints.