PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-18 21:49:01 +00:00
Code Issues Projects Releases Wiki Activity

Adds http-vuln-cve2013-0156.nse: Detects Ruby on Rails servers vulnerable to object injection, remote

Browse Source 
command executions and denial of service attacks. (CVE-2013-0156)
This commit is contained in:
paulino
2013-04-25 03:15:33 +00:00
parent aa76963dcd
commit 70dfe708e9
2 changed files with 123 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

121
scripts/http-vuln-cve2013-0156.nse Normal file
View File

@@ -0,0 +1,121 @@
description = [[
Detects Ruby on Rails servers vulnerable to object injection, remote command executions and denial of service attacks. (CVE-2013-0156)
All Ruby on Rails versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 are vulnerable. This script
sends 3 harmless yaml payloads to detect vulnerable installations. If the malformed object receives a status 500 response, the server
is processing YAML objects and therefore is likely vulnerable.
References:
* https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156',
* https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ',
* http://cvedetails.com/cve/2013-0156/
TODO:
* Add argument to exploit cmd exec vuln
]]
---
-- @usage
-- nmap -sV --script http-vuln-cve2013-0156 <target>
-- nmap -sV --script http-vuln-cve2013-0156 --script-args uri="/test/" <target>
--
-- @output
-- PORT STATE SERVICE REASON
-- 80/tcp open http syn-ack
-- | http-vuln-cve2013-0156:
-- | VULNERABLE:
-- | Parameter parsing vulnerabilities in several versions of Ruby on Rails allow object injection, remote command execution and Denial Of Service attacks (CVE-2013-0156)
-- | State: VULNERABLE
-- | Risk factor: High
-- | Description:
-- | All Ruby on Rails versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 are vulnerable to object injection, remote command execution and denial of service attacks.
-- | The attackers don't need to be authenticated to exploit these vulnerabilities.
-- |
-- | References:
-- | https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ
-- | https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156
-- |_ http://cvedetails.com/cve/2013-0156/
--
-- @args http-vuln-cve2013-0156.uri Basepath URI (default: /).
---
author = "Paulino Calderon <calderon@websec.mx>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"exploit","vuln"}
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"
portrule = shortport.http
local PAYLOAD_OK = [=[<?xml version="1.0" encoding="UTF-8"?>
<probe type="string"><![CDATA[
nmap
]]></probe>]=]
local PAYLOAD_TIME = [=[<?xml version="1.0" encoding="UTF-8"?>
<probe type="yaml"><![CDATA[
--- !ruby/object:Time {}
]]></probe>]=]
local PAYLOAD_MALFORMED = [=[<?xml version="1.0" encoding="UTF-8"?>
<probe type="yaml"><![CDATA[
--- !ruby/object:^@
]]></probe>
]=]
---
--detect(host, port, uri)
--Sends 3 payloads where one of them is malformed. Status 500 indicates that yaml parsing is enabled.
---
local function detect(host, port, uri)
local opts = {header={}}
opts["header"]["Content-type"] = 'application/xml'
local req_ok = http.post(host, port, uri, opts, nil, PAYLOAD_OK)
local req_time = http.post(host, port, uri, opts, nil, PAYLOAD_TIME)
stdnse.print_debug(2, "%s:First request returned status %d. Second request returned status %d", SCRIPT_NAME, req_ok.status, req_time.status)
if req_ok.status == 200 and req_time.status == 200 then
local req_malformed = http.post(host, port, uri, opts, nil, PAYLOAD_MALFORMED)
stdnse.print_debug(2, "%s:Malformed request returned status %d", SCRIPT_NAME, req_malformed.status)
if req_malformed.status == 500 then
return true
end
end
return false
end
---
--MAIN
action = function(host, port)
local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/"
local vuln_table = {
title = "Parameter parsing vulnerabilities in several versions of Ruby on Rails allow object injection, remote command execution and Denial Of Service attacks (CVE-2013-0156)",
state = vulns.STATE.NOT_VULN,
risk_factor = "High",
description = [[
All Ruby on Rails versions before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 are vulnerable to object injection, remote command execution and denial of service attacks.
The attackers don't need to be authenticated to exploit these vulnerabilities.
]],
references = {
'https://community.rapid7.com/community/metasploit/blog/2013/01/10/exploiting-ruby-on-rails-with-metasploit-cve-2013-0156',
'https://groups.google.com/forum/?fromgroups=#!msg/rubyonrails-security/61bkgvnSGTQ/nehwjA8tQ8EJ',
'http://cvedetails.com/cve/2013-0156/',
}
}
if detect(host,port,uri) then
stdnse.print_debug(1, "%s:Received status 500 as expected in vulnerable installations. Marking as vulnerable...", SCRIPT_NAME)
vuln_table.state = vulns.STATE.VULN
local report = vulns.Report:new(SCRIPT_NAME, host, port)
return report:make_output(vuln_table)
end
return nil
end

2
scripts/script.db
View File

@@ -179,6 +179,7 @@ Entry { filename = "http-put.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "http-qnap-nas-info.nse", categories = { "discovery", "safe", } } Entry { filename = "http-qnap-nas-info.nse", categories = { "discovery", "safe", } }
Entry { filename = "http-rfi-spider.nse", categories = { "intrusive", } } Entry { filename = "http-rfi-spider.nse", categories = { "intrusive", } }
Entry { filename = "http-robots.txt.nse", categories = { "default", "discovery", "safe", } } Entry { filename = "http-robots.txt.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-robtex-reverse-ip.nse", categories = { "discovery", "external", "safe", } }
Entry { filename = "http-robtex-shared-ns.nse", categories = { "discovery", "external", "safe", } } Entry { filename = "http-robtex-shared-ns.nse", categories = { "discovery", "external", "safe", } }
Entry { filename = "http-sitemap-generator.nse", categories = { "discovery", "intrusive", } } Entry { filename = "http-sitemap-generator.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "http-slowloris-check.nse", categories = { "safe", "vuln", } } Entry { filename = "http-slowloris-check.nse", categories = { "safe", "vuln", } }
@@ -200,6 +201,7 @@ Entry { filename = "http-vuln-cve2010-2861.nse", categories = { "intrusive", "vu
Entry { filename = "http-vuln-cve2011-3192.nse", categories = { "safe", "vuln", } } Entry { filename = "http-vuln-cve2011-3192.nse", categories = { "safe", "vuln", } }
Entry { filename = "http-vuln-cve2011-3368.nse", categories = { "intrusive", "vuln", } } Entry { filename = "http-vuln-cve2011-3368.nse", categories = { "intrusive", "vuln", } }
Entry { filename = "http-vuln-cve2012-1823.nse", categories = { "exploit", "intrusive", "vuln", } } Entry { filename = "http-vuln-cve2012-1823.nse", categories = { "exploit", "intrusive", "vuln", } }
Entry { filename = "http-vuln-cve2013-0156.nse", categories = { "exploit", "vuln", } }
Entry { filename = "http-waf-detect.nse", categories = { "discovery", "intrusive", } } Entry { filename = "http-waf-detect.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "http-waf-fingerprint.nse", categories = { "discovery", "intrusive", } } Entry { filename = "http-waf-fingerprint.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "http-wordpress-brute.nse", categories = { "brute", "intrusive", } } Entry { filename = "http-wordpress-brute.nse", categories = { "brute", "intrusive", } }