Nmap Development mailing list archives

Re: Adobe CQ / Day CRX


From: David Fifield <david () bamsoftware com>
Date: Mon, 28 Jan 2013 01:30:11 -0800

On Thu, Jan 10, 2013 at 08:43:23PM +0000, Chris Wallis wrote:
> I've recently gained some experience with Adobe CQ and Day CRX (related web
> application frameworks currently gaining popularity), and found that Nmap
> does not correctly identify the services in certain cases.

Thanks for sending in these fingerprints. The best way to send them in
is to use the submission form at http://nmap.org/submit/. I've submitted
your two fingerprints.

> Also something interesting about CQ and CRX is that by default they have a
> Webdav server listening on the same interface as the HTTP server. This is a
> security risk and should be flagged by Nmap, but at the moment the webdav
> element is not being recognised on CQ, and on CRX the service is not even
> being recognised as HTTP.
>
> I have a CRX fingerprint to submit and I was wondering - as Webdav is an
> extension to HTTP, and the service does not exclusively handle Webdav,
> would it be correct to just submit it under the 'http' category?

It looks like we mostly list WebDAV as http in nmap-service-probes.

> I have also developed two scripts which I think may be useful in flagging
> insecure installations of CQ and CRX. One which detects webdav enabled on
> the http service or ports used by CQ/CRX, and another which checks for the
> default accounts. They could probably both be expanded upon but I thought
> it would be interesting to get some feedback from the Nmap dev community
> before I did any more work on them.

My impression is that adobecq-webdav-discovery is far too specific for
what it does. It might be nicer to have a script that detects any
installation of WebDAV, even if it's not CQ/CRX. http-options already
does this in a generic way, marking WebDAV methods as "potentially
risky."

The check for WebDAV seems a bit strange to me too; it checks for a 401
response, and then checks three different things to give a confidence
score. Do you ever expect the confidence to be anything other than 0% or
100%? Is there a benefit to having multiple tests? The script gives a
false positive when I run it against my router, which returns a 401 for
a simple request:

$ ./nmap --script=adobecq-webdav-discovery 192.168.0.1 -p80 -d
80/tcp open  http    syn-ack
| adobecq-webdav-discovery:
|_  Adobe CQ/Day CRX WebDAV enabled (0% confidence). Consider running adobecq-webdav-default-creds.nse

I don't think this script is useful on its own. The default credentials,
on the other hand, may be. However the default credentials script should
be a brute script, and should be written along the lines of the various
other *-brute scripts, using the brute library. I'd also be tempted to
just add the short list of credentials to http-brute, because people are
more likely to run that than something more specialized.

Do you have a link to documentation showing what the default passwords
are? How did you come up with the list?

David Fifield
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
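The false positive David describes above (a router answering 401 to a plain request being reported as WebDAV) comes down to what counts as evidence. The following is an added illustration, not code from the thread, from Nmap or from the adobecq-webdav-discovery script: it classifies raw HTTP responses the way a generic check along the lines of http-options would, treating a DAV: header or WebDAV verbs in the Allow: header of an OPTIONS reply as evidence and a bare 401 as none. The three sample responses (a router 401, a WebDAV-enabled server's OPTIONS reply, and a plain web server's OPTIONS reply) are constructed for this example; the function and header names are this example's own choices.

```python
"""Classify raw HTTP responses as evidence of WebDAV exposure (or not).

Added example for the nmap-dev discussion of adobecq-webdav-discovery.
It is not Nmap code. The point it demonstrates: a 401 status by itself
says only that the path wants authentication (many routers do this), so
it should not raise a WebDAV finding. Evidence that stands up is a DAV:
header, or WebDAV methods listed in Allow: on an OPTIONS reply, which is
what a generic check in the spirit of http-options looks at.
"""

# WebDAV verbs (RFC 4918); http-options flags these as "potentially risky".
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed sample responses (not captured from any real host).
ROUTER_401 = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"WWW-Authenticate: Basic realm=\"router\"\r\n"
    b"Content-Length: 0\r\n\r\n"
)
WEBDAV_OPTIONS = (
    b"HTTP/1.1 200 OK\r\n"
    b"DAV: 1,2\r\n"
    b"Allow: OPTIONS, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK\r\n"
    b"MS-Author-Via: DAV\r\n"
    b"Content-Length: 0\r\n\r\n"
)
PLAIN_OPTIONS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Allow: GET, HEAD, OPTIONS\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def parse_response(raw: bytes):
    """Return (status_code, headers) from a raw HTTP/1.x response.

    Header names are lower-cased; repeated headers are joined with ", ",
    which is the right merge rule for list-valued headers like Allow.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return status, headers


def classify_webdav(raw: bytes) -> dict:
    """Decide whether a response is evidence of WebDAV, and say why.

    The result carries the status code for reporting, but the verdict is
    driven only by the DAV: and Allow: headers, never by the status alone.
    """
    status, headers = parse_response(raw)
    evidence = []
    if "dav" in headers:
        evidence.append("DAV header: " + headers["dav"])
    allow = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    risky = sorted(allow & WEBDAV_METHODS)
    if risky:
        evidence.append("WebDAV methods in Allow: " + ", ".join(risky))
    return {"webdav": bool(evidence), "status": status, "evidence": evidence}


if __name__ == "__main__":
    for label, sample in (("router", ROUTER_401), ("webdav host", WEBDAV_OPTIONS),
                          ("plain http", PLAIN_OPTIONS)):
        result = classify_webdav(sample)
        verdict = "WebDAV" if result["webdav"] else "no WebDAV evidence"
        print(f"{label:12s} status={result['status']} -> {verdict}; "
              + "; ".join(result["evidence"]))
```

Run as-is, the router sample is reported as "no WebDAV evidence" despite its 401, while the WebDAV sample is flagged on both the DAV: header and the listed methods. A check built this way gives a yes/no answer with the evidence attached, which is the sort of output the thread asks for instead of a 0%/100% confidence score.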