Nmap Development mailing list archives

Re: [NSE] Identify RomPager rom-0 vulnerabilities


From: Paulino Calderon <paulino () calderonpale com>
Date: Wed, 6 Jan 2016 15:56:12 -0500

Oh, that’s a great addition to http-enum. I just published some stats about wifi networks in México [1] and the most 
popular vendor is Huawei. Tons of vulnerable devices over here.

[1] http://www.websec.mx/blog/ver/infografia-seguridad-wifi-mexico-2015

Cheers.

On Jan 6, 2016, at 3:52 PM, Daniel Miller <bonsaiviking () gmail com> wrote:

Vlatko,

Thanks for these scripts! I converted the rom-0 script into a fingerprint in http-fingerprints.lua, and I hope we 
will be able to make improvements to that database and the http-enum script that will make vuln scanning easier [1].

The http-rompager-xss script I added as http-vuln-cve2013-6786, since that CVE has been assigned according to the 
reference you listed. It seems general enough of a check that I think it is likely to turn up "false" positives: 
other software or websites that are vulnerable to the same thing, though they may not be RomPager. I put a note to 
that effect in the description.

Thanks for the contributions again!

Dan

On Sun, Jul 5, 2015 at 9:40 AM, Vlatko Kosturjak <kost () linux hr> wrote:
Hello!

These NSE scripts identify simple, but dangerous vulnerabilities
present on many network devices which are using RomPager Embedded Web
Server.

An attacker is able to get your ISP password, wireless password and other
sensitive information by issuing a single HTTP GET request to the '/rom-0' URI.
The mentioned information disclosure is present in RomPager Embedded Web
Server. Affected devices include ZTE, TP-Link, ZynOS, Huawei and many
others. The vulnerability was published in 2014 (by looking at the CVE), but I
see a lot of people don't know about it: mainly because there was no hype
about it and most of the popular vulnerability scanners failed to
identify it.

So, I hope this vulnerability will get better treatment after these
NSE scripts.

NSE scripts are also available here:
https://github.com/kost/nmap-nse/tree/master/scripts

You can read more about vulnerability and exploitation here:
https://k0st.wordpress.com/2015/07/05/identifying-and-exploiting-rom-0-vulnerabilities/

Take care,
--
Vlatko Kosturjak - KoSt

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

