diff --git a/CHANGELOG b/CHANGELOG index 0e9de633f..88a69d363 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,8 @@ # Nmap Changelog ($Id$); -*-text-*- +o [NSE] New script http-vuln-cve2017-1001000 detects a privilege escalation + vulnerability in Wordpress 4.7.0 and 4.7.1 (CVE2017-1001000) [Vinamra Bhatia] + o [NSE] New script smb-vuln-ms17-010 detects a critical remote code execution vulnerability affecting SMBv1 servers in Microsoft Windows systems (ms17-010). The script also reports patched systems. [Paulino Calderon] diff --git a/scripts/http-vuln-cve2017-1001000.nse b/scripts/http-vuln-cve2017-1001000.nse new file mode 100755 index 000000000..4446dc60a --- /dev/null +++ b/scripts/http-vuln-cve2017-1001000.nse @@ -0,0 +1,128 @@ +local http = require "http" +local shortport = require "shortport" +local string = require "string" +local stdnse = require "stdnse" +local url = require "url" +local vulns = require "vulns" +local json = require "json" + +description = [[ +Attempts to detect a privilege escalation vulnerability in Wordpress 4.7.0 and 4.7.1 that +allows unauthenticated users to inject content in posts. + +The script connects to the Wordpress REST API to obtain the list of published posts and +grabs the user id and date from there. Then it attempts to update the date field in the +post with the same date information we just obtained. If the request doesn’t return an +error, we mark the server as vulnerable. + +References: +https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html + + ]] + +--- +-- @usage +-- nmap --script http-vuln-cve2017-1001000 --script-args http-vuln-cve2017-1001000="uri" +-- nmap --script http-vuln-cve2017-1001000 +-- +-- @output +-- PORT STATE SERVICE REASON +-- 80/tcp open http syn-ack +-- | http-vuln-cve2017-1001000: +-- | VULNERABLE: +-- | Content Injection in Wordpress REST API +-- | State: VULNERABLE (Exploitable) +-- | IDs: CVE:CVE-2017-1001000 +-- | Risk factor: Medium CVSSv2: 5.0 (MEDIUM) +-- | The privilege escalation vulnerability in WordPress REST API allows +-- | the visitors to edit any post on the site +-- | Versions 4.7.0 and 4.7.1 are known to be affected +-- | +-- | References: +-- |_ https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html +-- +-- @xmloutput +-- +-- Content Injection in Wordpress REST API +-- VULNERABLE (Exploitable) +--
+-- CVE:CVE-2017-1001000 +--
+-- +-- 5.0 (MEDIUM) +--
+-- +-- The privilege escalation vulnerability in WordPress REST API allows the visitors to edit +-- any post on the site. Versions 4.7.0 and 4.7.1 are known to be affected +-- +--
+-- +-- https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html +--
+-- +-- +-- @args http-vuln-cve2017-1001000.uri Wordpress root directory on the website. Default: / +--- + +author = "Vinamra Bhatia" +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" +categories = {"vuln", "safe"} + +portrule = shortport.http + +action = function(host, port) + local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or '/' + uri = uri .. 'index.php/wp-json/wp/v2/posts/' --Uri is appended to get the JSON data + + local response = http.get(host, port, uri, nil) + + if response.status and response.status == 200 then + local vulnReport = vulns.Report:new(SCRIPT_NAME, host, port) + local vuln_table = { + title = 'Content Injection Vulnerability in Wordpress REST API', + state = vulns.STATE.NOT_VULN, --default Non Vulnerable State + IDS = {CVE = 'CVE-2017-1001000'}, + risk_factor = "Medium", + scores = { + CVSSv2 = "5.0 (MEDIUM)", + }, + description = [[ +The privilege escalation vulnerability in WordPress REST API allows +the visitors to edit any post on the site . +Versions 4.7.0 and 4.7.1 are known to be affected. + ]], + references = { + 'https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html' + }, + } + + local status, json_data = json.parse(response.body) + + --Parsing the json_data to get the ID of the first post and the date. + local id=json_data[1].id + local content=json_data[1].date + + if(id==nil or content==nil) then + return vulnReport:make_output(vuln_table) + end + + --Modifying the uri and checking for response. + --Date modification request is being sent. + uri = uri ..id..'/'..'?id=' .. id ..'abc'..'&date='..content + + local request_opts = { + header = { + }, + } + + request_opts["header"]["Content-type"] = 'application/json' + local response1 = http.post(host, port, uri, request_opts) + + --If response is correct, means the site allowed the modification + --of the post and it is vulnerable. + if(response1.status and response1.status==200) then + vuln_table.state = vulns.STATE.VULN + end + return vulnReport:make_output(vuln_table) + end +end diff --git a/scripts/script.db b/scripts/script.db index 6dfe1214d..e706b3fb8 100644 --- a/scripts/script.db +++ b/scripts/script.db @@ -262,6 +262,7 @@ Entry { filename = "http-vuln-cve2014-3704.nse", categories = { "exploit", "intr Entry { filename = "http-vuln-cve2014-8877.nse", categories = { "exploit", "intrusive", "vuln", } } Entry { filename = "http-vuln-cve2015-1427.nse", categories = { "intrusive", "vuln", } } Entry { filename = "http-vuln-cve2015-1635.nse", categories = { "safe", "vuln", } } +Entry { filename = "http-vuln-cve2017-1001000.nse", categories = { "safe", "vuln", } } Entry { filename = "http-vuln-cve2017-5638.nse", categories = { "vuln", } } Entry { filename = "http-vuln-cve2017-5689.nse", categories = { "auth", "exploit", "vuln", } } Entry { filename = "http-vuln-misfortune-cookie.nse", categories = { "intrusive", "vuln", } }