diff --git a/CHANGELOG b/CHANGELOG
index 00dfa60fe..bd8331359 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-
+o [NSE] Add Cisco Anyconnect library and scripts http-cisco-anyconnect,
+ http-vuln-cve2014-2126, http-vuln-cve2014-2127, http-vuln-cve2014-2128 and
+ http-vuln-cve2014-2129. [Patrik Karlsson] + o [NSE] Add enip-info script to get device information from SCADA/ICS devices via EtherNet/IP [Stephen Hilt]
diff --git a/nselib/anyconnect.lua b/nselib/anyconnect.lua
new file mode 100644
index 000000000..d0eb2b55b
--- /dev/null
+++ b/nselib/anyconnect.lua
@@ -0,0 +1,146 @@ +--- +-- This library implements HTTP requests used by the Cisco AnyConnect VPN Client +-- +-- @author "Patrik Karlsson " +-- +-- @args anyconnect.group AnyConnect tunnel group (default: VPN) +-- @args anyconnect.mac MAC address of connecting client (default: random MAC) +-- @args anyconnect.version Version of connecting client (default: 3.1.05160) +-- @args anyconnect.ua User Agent of connecting client (default: AnyConnect Darwin_i386 3.1.05160) + +local http = require('http') +local stdnse = require('stdnse') +local url = require('url') +local math = require('math') +local table = require('table') +local os = require('os') +local string = require('string') + +local args_group= stdnse.get_script_args('anyconnect.group') or "VPN" +local args_mac= stdnse.get_script_args('anyconnect.mac') +local args_ver = stdnse.get_script_args('anyconnect.version') or "3.1.05160" +local args_ua = stdnse.get_script_args('anyconnect.ua') or ("AnyConnect Darwin_i386 %s"):format(args_ver) + +_ENV = stdnse.module("anyconnect", stdnse.seeall) + +Cisco = { + + Util = { + + generate_mac = function() + math.randomseed(os.time()) + local mac = {} + for i=1,6 do + mac[#mac + 1] = (("%x"):format(math.random(255))):gsub(' ', '0'); + end + return table.concat(mac,':') + end, + + }, + + AnyConnect = { + + new = function(self, host, port) + local o = { host = host, port = port } + setmetatable(o, self) + self.__index = self + return o + end, + + -- generate a random hex-string of length 'length' + -- + generate_random = function(length) + local rnd = "" + + for i=1, length do + rnd = rnd .. 
string.format("%.2X", math.random(255)) + end + return rnd + end, + + connect = function(self) + args_mac = args_mac or Cisco.Util.generate_mac() + local headers = { + ['User-Agent'] = args_ua, + ['Accept'] = '*/*', + ['Accept-Encoding'] = 'identity', + ['X-Transcend-Version'] = 1, + ['X-Aggregate-Auth'] = 1, + ['X-AnyConnect-Platform'] = 'mac-intel' + } + + local data = ([[ + +%s +mac-intel + +%s +%s +https://%s:%s +]]):format(args_ver, self.generate_random(64), args_mac, args_group, self.host.ip, self.port.number) + + local options = { header=headers , no_cache=true, redirect_ok = function(host,port) + local c = 5 + return function(url) + if ( c==0 ) then return false end + c = c - 1 + return true + end + end + } + + + local response = http.head(self.host, self.port, '/', options) + -- account for redirects + if not response.status == 200 then + return false, "Failed to connect to SSL VPN server" + elseif response.location then + local u = url.parse(response.location[#response.location]) + self.host = u.host + end + + response = http.post(self.host, self.port, '/', options, nil, data) + + if response.status ~= 200 or response.body == nil then + return false, "Error in SSL VPN server response" + end + + local xmltags = { + 'version', + 'tunnel-group', + 'group-alias', + 'config-hash', + 'host-scan-ticket', + 'host-scan-token', + 'host-scan-base-uri', + 'host-scan-wait-uri', + 'banner' + } + + self.conn_attr = {} + for _, tag in ipairs(xmltags) do + local body = response.body:gsub('\r?\n', '') + local filter = ("<%s.->(.*)"):format(tag:gsub('-', '%%-'), tag:gsub('-', '%%-')) + local m = body:match(filter) + if m then + self.conn_attr[tag] = m + end + end + -- in case we were redirected + self.conn_attr['host'] = stdnse.get_hostname(self.host) + return true + end, + + --- + -- Returns the version of the remote SSL VPN concentrator + -- @return table containing major, minor and rev numeric values + get_version = function(self) + local ver = {} + ver['major'], 
ver['minor'], ver['rev'] = self.conn_attr['version']:match('^(%d-)%.(%d-)%((.*)%)$') + return ver + end + + } +} + +return _ENV \ No newline at end of file diff --git a/scripts/http-cisco-anyconnect.nse b/scripts/http-cisco-anyconnect.nse new file mode 100644 index 000000000..ce900506e --- /dev/null +++ b/scripts/http-cisco-anyconnect.nse @@ -0,0 +1,59 @@ +local anyconnect = require('anyconnect') +local stdnse = require('stdnse') +local shortport = require('shortport') +local nmap = require('nmap') +local sslcert = require('sslcert') + +description = [[ +Connect as Cisco AnyConnect client to a Cisco SSL VPN and retrieves version +and tunnel information. +]] + +--- +-- @usage +-- nmap -p 443 --script http-cisco-anyconnect +-- +-- @output +-- PORT STATE SERVICE REASON +-- 443/tcp open https syn-ack +-- | http-cisco-anyconnect: +-- | version: 9.1(5) +-- | tunnel-group: VPN +-- | group-alias: vpn +-- | config-hash: 7328433471719 +-- |_ host: vpn.example.com +-- +-- @xmloutput +-- 9.1(5) +-- VPN +-- vpn +-- 7328433471719 +-- vpn.example.com +-- + +author = "Patrik Karlsson " +license = "Same as Nmap--See http://nmap.org/book/man-legal.html" +categories = {"default", "discovery", "safe"} + +portrule = function(host, port) + return shortport.ssl(host, port) or sslcert.isPortSupported(port) +end + +action = function(host, port) + local ac = anyconnect.Cisco.AnyConnect:new(host, port) + local status = ac:connect() + if status then + local o = stdnse.output_table() + local xmltags = { 'version', 'tunnel-group', 'group-alias', + 'config-hash', 'host-scan-ticket', 'host-scan-token', + 'host-scan-base-uri', 'host-scan-wait-uri', 'host' } + + -- add login banner if running in debug mode + if nmap.verbosity() > 2 then xmltags[#xmltags] = 'banner' end + + for _, tag in ipairs(xmltags) do + o[tag] = ac.conn_attr[tag] + end + return o + end +end diff --git a/scripts/http-vuln-cve2014-2126.nse b/scripts/http-vuln-cve2014-2126.nse new file mode 100644 index 000000000..d0492704d 
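Review bot: The post-HEAD check in `connect` never fires: `if not response.status == 200 then` parses as `(not response.status) == 200`, which is always false, so a failed HEAD (status nil) or any non-200 reply falls straight through to the POST; it should read `if not response.status or response.status ~= 200 then`. A second gap is that `connect` returns true whenever the POST yields a 200 with a body, even if no `version` tag was parsed, and `get_version` then indexes `self.conn_attr['version']` unguarded, so every caller that trusts `status` crashes on a non-ASA HTTPS server; adding `if not self.conn_attr['version'] then return false, "No AnyConnect version in response" end` before the final `return true` keeps callers safe. The custom `redirect_ok` closure appears to accept any URL for up to five hops, and the redirect branch replaces `self.host` with `u.host` while ignoring `u.port`, so a server could steer the AnyConnect POST to a different host than the one being scanned; restricting it to the same host (or relying on the library default) would be safer. Separately, `generate_mac` formats each octet with `%x`, which does not zero-pad values below 16, so the MAC can come out as `a:3:ff:...`; `%02x` fixes that and makes the `gsub(' ', '0')` unnecessary.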
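Review bot: The verbose-mode line `if nmap.verbosity() > 2 then xmltags[#xmltags] = 'banner' end` overwrites the last entry of `xmltags` ('host') instead of appending, so at -vvv the host field silently disappears from the output and is replaced by the banner; it should be `xmltags[#xmltags + 1] = 'banner'`. The comment above it says "debug mode" but the condition tests verbosity, so one of the two should change, e.g. `-- add login banner at verbosity level 3 and above`. Note also that, as a default-category script, this sends the AnyConnect POST to `/` on every TLS port whether or not the target is a Cisco SSL VPN; that is probably acceptable for discovery, but the description could say so.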
--- /dev/null
+++ b/scripts/http-vuln-cve2014-2126.nse
@@ -0,0 +1,81 @@ +local anyconnect = require('anyconnect') +local stdnse = require('stdnse') +local shortport = require('shortport') +local vulns = require('vulns') +local sslcert = require('sslcert') + +description = [[ +Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA ASDM Privilege Escalation Vulnerability (CVE-2014-2126). +]] + +--- +-- @usage +-- nmap -p 443 --script http-vuln-cve2014-2126 +-- +-- @output +-- PORT STATE SERVICE +-- 443/tcp open https +-- | http-vuln-cve2014-2126: +-- | VULNERABLE: +-- | Cisco ASA ASDM Privilege Escalation Vulnerability +-- | State: VULNERABLE +-- | Risk factor: High CVSSv2: 8.5 (HIGH) (AV:N/AC:M/AU:S/C:C/I:C/A:C) +-- | Description: +-- | Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.47), 8.4 before 8.4(7.5), 8.7 before 8.7(1.11), 9.0 before 9.0(3.10), and 9.1 before 9.1(3.4) allows remote authenticated users to gain privileges by leveraging level-0 ASDM access, aka Bug ID CSCuj33496. +-- | +-- | References: +-- | http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa +-- |_ http://cvedetails.com/cve/2014-2126/ + + +author = "Patrik Karlsson " +license = "Same as Nmap--See http://nmap.org/book/man-legal.html" +categories = {"vuln", "safe"} + +portrule = function(host, port) + return shortport.ssl(host, port) or sslcert.isPortSupported(port) +end + +action = function(host, port) + local vuln_table = { + title = "Cisco ASA ASDM Privilege Escalation Vulnerability", + state = vulns.STATE.NOT_VULN, + risk_factor = "High", + scores = { + CVSSv2 = "8.5 (HIGH) (AV:N/AC:M/AU:S/C:C/I:C/A:C)", + }, + description = [[ +Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.47), 8.4 before 8.4(7.5), 8.7 before 8.7(1.11), 9.0 before 9.0(3.10), and 9.1 before 9.1(3.4) allows remote authenticated users to gain privileges by leveraging level-0 ASDM access, aka Bug ID CSCuj33496. 
+ ]], + + references = { + 'http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa', + 'http://cvedetails.com/cve/2014-2126/' + } + } + + local vuln_versions = { + ['8'] = { + ['2'] = 5.47, + ['4'] = 7.5, + ['7'] = 1.11, + }, + ['9'] = { + ['0'] = 3.10, + ['1'] = 3.4, + }, + } + + local report = vulns.Report:new(SCRIPT_NAME, host, port) + local ac = anyconnect.Cisco.AnyConnect:new(host, port) + local status = ac:connect() + if status then + local ver = ac:get_version() + if vuln_versions[ver['major']] and vuln_versions[ver['major']][ver['minor']] then + if vuln_versions[ver['major']][ver['minor']] > tonumber(ver['rev']) then + vuln_table.state = vulns.STATE.VULN + end + end + end + return report:make_output(vuln_table) +end \ No newline at end of file diff --git a/scripts/http-vuln-cve2014-2127.nse b/scripts/http-vuln-cve2014-2127.nse new file mode 100644 index 000000000..e2acfde01 --- /dev/null +++ b/scripts/http-vuln-cve2014-2127.nse 
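Review bot: The comparison `vuln_versions[ver['major']][ver['minor']] > tonumber(ver['rev'])` treats dotted interim revisions as decimals, which misorders this advisory's own thresholds: `['0'] = 3.10` is the number 3.1, so a 9.0(3.2) through 9.0(3.9) device is reported NOT_VULN even though it predates the 9.0(3.10) fix, and conversely a patched 8.4(7.10) compares as 7.1 < 7.5 and is reported VULN. The thresholds should be kept as strings and compared component-wise, as sketched below. Minor: `stdnse` is required but unused in this script.
```lua
-- true when dotted ASA interim revision a sorts before b (component-wise, not as a float)
local function rev_before(a, b)
  local pa, pb = {}, {}
  for n in tostring(a):gmatch('%d+') do pa[#pa + 1] = tonumber(n) end
  for n in tostring(b):gmatch('%d+') do pb[#pb + 1] = tonumber(n) end
  for i = 1, (#pa > #pb and #pa or #pb) do
    local x, y = pa[i] or 0, pb[i] or 0
    if x ~= y then return x < y end
  end
  return false
end

action = function(host, port)
  -- … unchanged: vuln_table …
  local vuln_versions = {
    ['8'] = { ['2'] = '5.47', ['4'] = '7.5', ['7'] = '1.11' },
    ['9'] = { ['0'] = '3.10', ['1'] = '3.4' },
  }
  -- … unchanged: report, ac:connect(), ac:get_version() …
    local fixed = vuln_versions[ver['major']] and vuln_versions[ver['major']][ver['minor']]
    if fixed and rev_before(ver['rev'], fixed) then
      vuln_table.state = vulns.STATE.VULN
    end
  -- … unchanged: report:make_output …
```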
@@ -0,0 +1,81 @@ +local anyconnect = require('anyconnect') +local stdnse = require('stdnse') +local shortport = require('shortport') +local vulns = require('vulns') +local sslcert = require('sslcert') + +description = [[ +Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Privilege Escalation Vulnerability (CVE-2014-2127). +]] + +--- +-- @usage +-- nmap -p 443 --script http-vuln-cve2014-2127 +-- +-- @output +-- PORT STATE SERVICE +-- 443/tcp open https +-- | http-vuln-cve2014-2127: +-- | VULNERABLE: +-- | Cisco ASA SSL VPN Privilege Escalation Vulnerability +-- | State: VULNERABLE +-- | Risk factor: High CVSSv2: 8.5 (HIGH) (AV:N/AC:M/AU:S/C:C/I:C/A:C) +-- | Description: +-- | Cisco Adaptive Security Appliance (ASA) Software 8.x before 8.2(5.48), 8.3 before 8.3(2.40), 8.4 before 8.4(7.9), 8.6 before 8.6(1.13), 9.0 before 9.0(4.1), and 9.1 before 9.1(4.3) does not properly process management-session information during privilege validation for SSL VPN portal connections, which allows remote authenticated users to gain privileges by establishing a Clientless SSL VPN session and entering crafted URLs, aka Bug ID CSCul70099. 
+-- | +-- | References: +-- | http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa +-- |_ http://cvedetails.com/cve/2014-2127/ + +author = "Patrik Karlsson " +license = "Same as Nmap--See http://nmap.org/book/man-legal.html" +categories = {"vuln", "safe"} + +portrule = function(host, port) + return shortport.ssl(host, port) or sslcert.isPortSupported(port) +end + +action = function(host, port) + local vuln_table = { + title = "Cisco ASA SSL VPN Privilege Escalation Vulnerability", + state = vulns.STATE.NOT_VULN, + risk_factor = "High", + scores = { + CVSSv2 = "8.5 (HIGH) (AV:N/AC:M/AU:S/C:C/I:C/A:C)", + }, + description = [[ +Cisco Adaptive Security Appliance (ASA) Software 8.x before 8.2(5.48), 8.3 before 8.3(2.40), 8.4 before 8.4(7.9), 8.6 before 8.6(1.13), 9.0 before 9.0(4.1), and 9.1 before 9.1(4.3) does not properly process management-session information during privilege validation for SSL VPN portal connections, which allows remote authenticated users to gain privileges by establishing a Clientless SSL VPN session and entering crafted URLs, aka Bug ID CSCul70099. + ]], + + references = { + 'http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa', + 'http://cvedetails.com/cve/2014-2127/' + } + } + + local vuln_versions = { + ['8'] = { + ['2'] = 5.48, + ['3'] = 2.40, + ['4'] = 7.9, + ['6'] = 1.13, + }, + ['9'] = { + ['0'] = 4.1, + ['1'] = 4.3, + }, + } + + local report = vulns.Report:new(SCRIPT_NAME, host, port) + local ac = anyconnect.Cisco.AnyConnect:new(host, port) + local status = ac:connect() + if status then + local ver = ac:get_version() + if vuln_versions[ver['major']] and vuln_versions[ver['major']][ver['minor']] then + if vuln_versions[ver['major']][ver['minor']] > tonumber(ver['rev']) then + vuln_table.state = vulns.STATE.VULN + end + end + end + return report:make_output(vuln_table) +end \ No newline at end of file 
diff --git a/scripts/http-vuln-cve2014-2128.nse b/scripts/http-vuln-cve2014-2128.nse
new file mode 100644
index 000000000..e4134976b
--- /dev/null
+++ b/scripts/http-vuln-cve2014-2128.nse
@@ -0,0 +1,82 @@ +local anyconnect = require('anyconnect') +local stdnse = require('stdnse') +local shortport = require('shortport') +local vulns = require('vulns') +local sslcert = require('sslcert') + +description = [[ +Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SSL VPN Authentication Bypass Vulnerability (CVE-2014-2128). +]] + +--- +-- @usage +-- nmap -p 443 --script http-vuln-cve2014-2127 +-- +-- @output +-- PORT STATE SERVICE +-- 443/tcp open https +-- | http-vuln-cve2014-2128: +-- | VULNERABLE: +-- | Cisco ASA SSL VPN Authentication Bypass Vulnerability +-- | State: VULNERABLE +-- | Risk factor: Medium CVSSv2: 5.0 (MEDIUM) (AV:N/AC:L/AU:N/C:P/I:N/A:N) +-- | Description: +-- | The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.47, 8.3 before 8.3(2.40), 8.4 before 8.4(7.3), 8.6 before 8.6(1.13), 9.0 before 9.0(3.8), and 9.1 before 9.1(3.2) allows remote attackers to bypass authentication via (1) a crafted cookie value within modified HTTP POST data or (2) a crafted URL, aka Bug ID CSCua85555. 
+-- | +-- | References: +-- | http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa +-- |_ http://cvedetails.com/cve/2014-2128/ + +author = "Patrik Karlsson " +license = "Same as Nmap--See http://nmap.org/book/man-legal.html" +categories = {"vuln", "safe"} + +portrule = function(host, port) + return shortport.ssl(host, port) or sslcert.isPortSupported(port) +end + +action = function(host, port) + local vuln_table = { + title = "Cisco ASA SSL VPN Authentication Bypass Vulnerability", + state = vulns.STATE.NOT_VULN, + risk_factor = "Medium", + scores = { + CVSSv2 = "5.0 (MEDIUM) (AV:N/AC:L/AU:N/C:P/I:N/A:N)", + }, + description = [[ +The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.47, 8.3 before 8.3(2.40), 8.4 before 8.4(7.3), 8.6 before 8.6(1.13), 9.0 before 9.0(3.8), and 9.1 before 9.1(3.2) allows remote attackers to bypass authentication via (1) a crafted cookie value within modified HTTP POST data or (2) a crafted URL, aka Bug ID CSCua85555. + ]], + + references = { + 'http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa', + 'http://cvedetails.com/cve/2014-2128/' + } + } + + local vuln_versions = { + ['8'] = { + ['2'] = 5.47, + ['3'] = 2.40, + ['4'] = 7.3, + ['6'] = 1.13, + ['7'] = 1.11, + }, + ['9'] = { + ['0'] = 3.8, + ['1'] = 3.2, + }, + } + + local report = vulns.Report:new(SCRIPT_NAME, host, port) + local ac = anyconnect.Cisco.AnyConnect:new(host, port) + local status = ac:connect() + if status then + local ver = ac:get_version() + if vuln_versions[ver['major']] and vuln_versions[ver['major']][ver['minor']] then + if vuln_versions[ver['major']][ver['minor']] > tonumber(ver['rev']) then + vuln_table.state = vulns.STATE.VULN + end + end + end + return report:make_output(vuln_table) +end \ No newline at end of file 
diff --git a/scripts/http-vuln-cve2014-2129.nse b/scripts/http-vuln-cve2014-2129.nse
new file mode 100644
index 000000000..75f843539
--- /dev/null
+++ b/scripts/http-vuln-cve2014-2129.nse
@@ -0,0 +1,79 @@ +local anyconnect = require('anyconnect') +local stdnse = require('stdnse') +local shortport = require('shortport') +local vulns = require('vulns') +local sslcert = require('sslcert') + +description = [[ +Detects whether the Cisco ASA appliance is vulnerable to the Cisco ASA SIP Denial of Service Vulnerability (CVE-2014-2129). +]] + +--- +-- @usage +-- nmap -p 443 --script http-vuln-cve2014-2127 +-- +-- @output +-- PORT STATE SERVICE +-- 443/tcp open https +-- | http-vuln-cve2014-2129: +-- | VULNERABLE: +-- | Cisco ASA SIP Denial of Service Vulnerability +-- | State: VULNERABLE +-- | Risk factor: High CVSSv2: 7.1 (HIGH) (AV:N/AC:M/AU:N/C:N/I:N/A:C) +-- | Description: +-- | The SIP inspection engine in Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.48), 8.4 before 8.4(6.5), 9.0 before 9.0(3.1), and 9.1 before 9.1(2.5) allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted SIP packets, aka Bug ID CSCuh44052. +-- | +-- | References: +-- | http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa +-- |_ http://cvedetails.com/cve/2014-2129/ + +author = "Patrik Karlsson " +license = "Same as Nmap--See http://nmap.org/book/man-legal.html" +categories = {"vuln", "safe"} + +portrule = function(host, port) + return shortport.ssl(host, port) or sslcert.isPortSupported(port) +end + +action = function(host, port) + local vuln_table = { + title = "Cisco ASA SIP Denial of Service Vulnerability", + state = vulns.STATE.NOT_VULN, + risk_factor = "High", + scores = { + CVSSv2 = "7.1 (HIGH) (AV:N/AC:M/AU:N/C:N/I:N/A:C)", + }, + description = [[ +The SIP inspection engine in Cisco Adaptive Security Appliance (ASA) Software 8.2 before 8.2(5.48), 8.4 before 8.4(6.5), 9.0 before 9.0(3.1), and 9.1 before 9.1(2.5) allows remote attackers to cause a denial of service (memory consumption or device reload) via crafted SIP packets, aka Bug ID CSCuh44052. 
+ ]], + + references = { + 'http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa', + 'http://cvedetails.com/cve/2014-2129/' + } + } + + local vuln_versions = { + ['8'] = { + ['2'] = 5.48, + ['4'] = 6.5, + }, + ['9'] = { + ['0'] = 3.1, + ['1'] = 2.5, + }, + } + + local report = vulns.Report:new(SCRIPT_NAME, host, port) + local ac = anyconnect.Cisco.AnyConnect:new(host, port) + local status = ac:connect() + if status then + local ver = ac:get_version() + if vuln_versions[ver['major']] and vuln_versions[ver['major']][ver['minor']] then + if vuln_versions[ver['major']][ver['minor']] > tonumber(ver['rev']) then + vuln_table.state = vulns.STATE.VULN + end + end + end + return report:make_output(vuln_table) +end \ No newline at end of file diff --git a/scripts/script.db b/scripts/script.db index 1880fa81c..9e854ba63 100644 --- a/scripts/script.db +++ b/scripts/script.db @@ -144,6 +144,7 @@ Entry { filename = "http-barracuda-dir-traversal.nse", categories = { "auth", "e Entry { filename = "http-brute.nse", categories = { "brute", "intrusive", } } Entry { filename = "http-cakephp-version.nse", categories = { "discovery", "safe", } } Entry { filename = "http-chrono.nse", categories = { "discovery", "intrusive", } } +Entry { filename = "http-cisco-anyconnect.nse", categories = { "default", "discovery", "safe", } } Entry { filename = "http-coldfusion-subzero.nse", categories = { "exploit", } } Entry { filename = "http-comments-displayer.nse", categories = { "discovery", "safe", } } Entry { filename = "http-config-backup.nse", categories = { "auth", "intrusive", } } 
@@ -226,6 +227,10 @@ Entry { filename = "http-vuln-cve2011-3368.nse", categories = { "intrusive", "vu Entry { filename = "http-vuln-cve2012-1823.nse", categories = { "exploit", "intrusive", "vuln", } } Entry { filename = "http-vuln-cve2013-0156.nse", categories = { "exploit", "vuln", } } Entry { filename = "http-vuln-cve2013-7091.nse", categories = { "exploit", "intrusive", "vuln", } } +Entry { filename = "http-vuln-cve2014-2126.nse", categories = { "safe", "vuln", } } +Entry { filename = "http-vuln-cve2014-2127.nse", categories = { "safe", "vuln", } } +Entry { filename = "http-vuln-cve2014-2128.nse", categories = { "safe", "vuln", } } +Entry { filename = "http-vuln-cve2014-2129.nse", categories = { "safe", "vuln", } } Entry { filename = "http-vuln-wnr1000-creds.nse", categories = { "exploit", "intrusive", "vuln", } } Entry { filename = "http-waf-detect.nse", categories = { "discovery", "intrusive", } } Entry { filename = "http-waf-fingerprint.nse", categories = { "discovery", "intrusive", } }