Nmap Development mailing list archives

Re: [NSE] detector/exploit for CVE-2009-3733 (VMWare Path Traversal)


From: Ron <ron () skullsecurity net>
Date: Sat, 13 Feb 2010 00:22:14 -0600

On Fri, 12 Feb 2010 20:10:47 -0700 David Fifield
<david () bamsoftware com> wrote:
> Is this different enough from http-passwd to justify a separate
> script? Could they be combined into one http-traversal?

That's a good question and, to be honest, I hadn't thought of it.

That being said, my reasons against would be:
- This script checks for a specific named/numbered vulnerability, and is one that people would frequently want to run alone (I've used it several times against our network)
- This script exploits said vulnerability in a specific way (dumping the list of hosts on the VMWare server), and can be improved to gather more information in the future if somebody requires
- This script requires a certain path (/sdk) that would have to be checked (not a big deal, of course)
- I'm hoping to update http-passwd in the future, once we have a good http-spider script, to do a lot more checking, which will take a lot more time than one simple check

I admit that none of those reasons are show stoppers, but I'm a fan of keeping it separate. 

> I don't like "safe", "default" for this script. It's not all that
> intrusive, but it will run against every open port 80, most of which
> won't be ESX.

I can go both ways on that one; I meant to bring it up as a discussion point from the start.

FOR making it 'default':
- It's a single very fast check (one web request/response) 
- Virtually no chance of false positives/low chance of false negatives
- It's an incredibly nasty vulnerability if it's exposed

AGAINST making it 'default':
- It'll run against every HTTP server, 99.99% of which won't be VMWare
- It can easily be flagged by IDS ('../' is dead obvious)

I'm really ok with going either way, although I personally lean toward making it 'default'. 


> David Fifield


-- 
Ron Bowes
http://www.skullsecurity.org
http://www.twitter.com/iagox86
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
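The "AGAINST" point above is that a '../' traversal probe is easy for an IDS to spot. As an added illustration (this is not code from the thread, from Nmap, or from the NSE script under discussion), the following Python detector runs over a few constructed HTTP request lines and flags directory-traversal attempts. It shows the difference between matching the literal string '../' and matching after percent-decoding: a literal match catches the plain form but misses `%2E%2E/`, so a detector that wants to see every variant has to normalize the path first. The sample request lines, the `/sdk` prefix used in them, and the function names are all constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines for this example (not captured traffic):
# an encoded traversal, a plain traversal, and benign requests.
SAMPLE_REQUESTS = [
    "GET /sdk/%2E%2E/%2E%2E/etc/passwd HTTP/1.1",   # percent-encoded '..'
    "GET /sdk/../../etc/passwd HTTP/1.1",           # literal '../'
    "GET /sdk/ HTTP/1.1",                           # benign
    "GET /index.html HTTP/1.1",                     # benign
    "GET /docs/..foo/readme HTTP/1.1",              # '..' inside a name, not a traversal
]

# A '..' path segment: preceded by start-of-path or '/', followed by '/' or end.
TRAVERSAL_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")


def request_path(request_line: str) -> str:
    """Return the request-target from a 'METHOD target HTTP/x.y' line ('' if malformed)."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else ""


def normalize_path(raw_path: str) -> str:
    """Percent-decode until stable (bounded), so double-encoded '%252E' collapses too,
    and treat backslashes as path separators."""
    path = raw_path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def naive_match(request_line: str) -> bool:
    """The 'dead obvious' check: look for the literal string '../'."""
    return "../" in request_path(request_line)


def is_traversal(request_line: str) -> bool:
    """Flag a request whose normalized path contains a '..' segment."""
    return TRAVERSAL_SEGMENT.search(normalize_path(request_path(request_line))) is not None


def flag_traversals(lines):
    """Return the request lines that the normalizing detector flags."""
    return [line for line in lines if is_traversal(line)]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"literal={naive_match(line)!s:5} normalized={is_traversal(line)!s:5} {line}")
```

Run stand-alone, the script prints one row per sample line; the first sample is the one where the two checks disagree. The decode loop is bounded to three rounds so that a pathological input cannot keep the detector decoding forever.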

