diff --git a/CHANGELOG b/CHANGELOG
index 0501145d5..6495d8834 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-
+o [NSE] Added the http-method-tamper script that detects authentication bypass
+ vulnerabilities using the http HEAD method as reported in CVE-2010-738.
+ [Hani Benhabiles]
+
 o [NSE] Turned on promiscuous mode in targets-sniffer.nse so that it finds packets not only from or to the scanning host. [David]
diff --git a/scripts/http-method-tamper.nse b/scripts/http-method-tamper.nse
new file mode 100644
index 000000000..6de0fc25f
--- /dev/null
+++ b/scripts/http-method-tamper.nse
@@ -0,0 +1,70 @@
+description = [[
+Checks if a JBoss target is vulnerable to jmx console authentication bypass.
+
+It works by checking if the target paths require authentication or redirect to a login page that could be
+bypassed via a HEAD request. RFC 2616 specifies that the HEAD request should be treated exactly like GET but
+with no returned response body. The script also detects if the URL does not require authentication at all.
+
+For more information, see:
+* CVE-2010-738 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0738
+* http://www.imperva.com/resources/glossary/http_verb_tampering.html
+* https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
+
+]]
+
+---
+-- @usage
+-- nmap --script=http-method-tamper --script-args 'http-method-tamper.paths={/path1/,/path2/}'
+--
+-- @output
+-- PORT STATE SERVICE
+-- 80/tcp open http
+-- | http-method-tamper:
+-- |_ /jmx-console/: Authentication bypass.
+--
+-- @args http-method-tamper.path Array of paths to check. Defaults
+ to {"/jmx-console/"}.
+
+author = "Hani Benhabiles "
+
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+
+categories = {"safe", "auth"}
+
+require 'shortport'
+require 'http'
+require 'stdnse'
+
+portrule = shortport.http
+
+action = function(host, port)
+ local paths = stdnse.get_script_args("http-method-tamper.paths")
+ local result = {}
+
+ -- convert single string entry to table
+ if ( "string" == type(paths) ) then
+ paths = { paths }
+ end
+
+ -- fallback to jmx-console
+ paths = paths or {"/jmx-console/"}
+
+ for _, path in ipairs(paths) do
+ local getstatus = http.get(host, port, path).status
+
+ -- Checks if HTTP authentication or a redirection to a login page is applied.
+ if getstatus == 401 or getstatus == 302 then
+ local headstatus = http.head(host, port, path).status
+ if headstatus == 200 then
+ -- Vulnerable to authentication bypass.
+ table.insert(result, ("%s: Authentication bypass possible"):format(path))
+ end
+ -- Checks if no authentication is required for Jmx console
+ -- which is default configuration and common.
+ elseif getstatus == 200 then
+ table.insert(result, ("%s: Authentication was not required"):format(path))
+ end
+ end
+
+ return stdnse.format_output(true, result)
+end
diff --git a/scripts/script.db b/scripts/script.db
index d615cfad7..5c02ca7ed 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -101,6 +101,7 @@ Entry { filename = "http-joomla-brute.nse", categories = { "brute", "intrusive",
 Entry { filename = "http-litespeed-sourcecode-download.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "http-majordomo2-dir-traversal.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "http-malware-host.nse", categories = { "malware", "safe", } }
+Entry { filename = "http-method-tamper.nse", categories = { "auth", "safe", } }
 Entry { filename = "http-methods.nse", categories = { "default", "safe", } }
 Entry { filename = "http-open-proxy.nse", categories = { "default", "discovery", "external", "safe", } }
 Entry { filename = "http-passwd.nse", categories = { "intrusive", "vuln", } }
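Review bot: The `@args` block documents `http-method-tamper.path`, but `stdnse.get_script_args` at the top of `action` reads `http-method-tamper.paths` (the name the `@usage` example also uses), so the doc line should read `-- @args http-method-tamper.paths Array of paths to check. Defaults`; as printed in the hunk, the continuation line `to {"/jmx-console/"}.` also lacks a `--` prefix, which would be a syntax error unless that is a display artifact of this page. The `@output` sample prints `Authentication bypass.` while the script actually emits `Authentication bypass possible`, so the two should be aligned. The description cites `CVE-2010-738` but the linked URL uses `CVE-2010-0738`; the identifier in the text (repeated in the CHANGELOG hunk) is missing a digit relative to the URL. In the loop, only a 302 counts as a login redirect, so targets that answer 301, 303 or 307 are never probed with HEAD, and a nil status from a failed request makes both comparisons false and skips the path with no output or debug message, which hides connection problems from the user.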