Nmap Development mailing list archives
Re: [NSE] detector/exploit for CVE-2009-3733 (VMWare Path Traversal)
From: Fyodor <fyodor () insecure org>
Date: Mon, 15 Feb 2010 12:47:12 -0800
On Sat, Feb 13, 2010 at 12:22:14AM -0600, Ron wrote:
> On Fri, 12 Feb 2010 20:10:47 -0700 David Fifield <david () bamsoftware com> wrote:
> > I don't like "safe", "default" for this script. It's not all that intrusive, but it will run against every open port 80, most of which won't be ESX.
>
> I can go both ways on that one, I meant to bring up as a discussion point from the start.
>
> FOR making it 'default':
> - It's a single very fast check (one web request/response)
> - Virtually no chance of false positives/low chance of false negatives
> - It's an incredibly nasty vulnerability if it's exposed
>
> AGAINST making it 'default':
> - It'll run against every HTTP server, 99.99% of which won't be VMWare
> - It can easily be flagged by IDS ('../' is dead obvious)
>
> I'm really ok with going either way, although I personally lean toward making it 'default'.
I agree that it is an important script, and it is a tough call, but people who want a vuln assessment should really be doing "--script vuln". Given that the script does a specialized web request and that the vast majority of web servers aren't vulnerable, I'd say we should take it out of default. If the request was just getting "/", I'd argue for keeping it in since it is more likely to be in the cache (or to be used from the cache by other scripts during execution). One thing I thought about was that it could probably stay in default if it was converted to only run if VMWare was detected by version detection. I imagine that the vulnerable servers have easily recognizable Server headers? But on the other hand, there is a risk that the Server line might be stripped for some reason, so the script would be faster and more stealthy, but not quite as reliable.
> > Is this different enough from http-passwd to justify a separate script? Could they be combined into one http-traversal?
>
> That's a good question and, to be honest, I hadn't thought of it. That being said, my reasons against would be:
I can see both advantages and disadvantages of keeping it separate, so I don't really have a preference between those two options.

Cheers,
-F
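Ron's point that the check "can easily be flagged by IDS ('../' is dead obvious)" is worth seeing from the defender's side. The following Python is an added example, not code from the thread or from Nmap: it parses constructed web-server access-log lines (the sample lines and addresses below are made up) and flags request paths that contain a traversal segment. It goes slightly beyond the plain `../` case in the thread by percent-decoding the path (including a second decode pass for double encoding) and treating backslashes as separators, so the same rule catches encoded variants that a literal string match would miss.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Combined Log Format (not real traffic).
# Line 2 shows a plain "../" probe, line 3 a percent-encoded one, line 4 a
# benign path containing ".." inside a name, and line 5 an encoded backslash form.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Feb/2010:12:47:12 -0800] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Feb/2010:12:47:13 -0800] "GET /app/../../../etc/passwd HTTP/1.1" 404 0 "-" "Nmap Scripting Engine"
10.0.0.9 - - [15/Feb/2010:12:48:01 -0800] "GET /images/%2e%2e/%2e%2e/config HTTP/1.1" 403 0 "-" "curl/7.19"
10.0.0.9 - - [15/Feb/2010:12:48:02 -0800] "GET /docs/a..b/index.html HTTP/1.1" 200 90 "-" "curl/7.19"
10.0.0.7 - - [15/Feb/2010:12:49:00 -0800] "GET /static/..%5c..%5cwin.ini HTTP/1.1" 400 0 "-" "-"
"""

# Pull the request line ("METHOD target HTTP/x.y") out of a log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')

# A ".." that is a whole path segment: preceded by start-of-path or "/" and
# followed by "/" or end-of-path. "a..b" is deliberately not matched.
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')


def normalize_path(target: str) -> str:
    """Strip the query string, percent-decode twice, and unify separators."""
    path = target.split('?', 1)[0]
    decoded = path
    for _ in range(2):          # second pass catches double-encoded "%252e"
        decoded = unquote(decoded)
    return decoded.replace('\\', '/')


def is_traversal(target: str) -> bool:
    """True if the request target contains a '..' path segment after normalization."""
    return TRAVERSAL_RE.search(normalize_path(target)) is not None


def find_traversal_attempts(log_text: str) -> list:
    """Return (source_ip, raw_target) for every log line whose request looks like traversal."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue                      # not a well-formed request line
        target = m.group('target')
        if is_traversal(target):
            source_ip = line.split(' ', 1)[0]
            hits.append((source_ip, target))
    return hits


def count_by_source(hits: list) -> dict:
    """Aggregate hits per source address; a host probing many servers stands out."""
    counts = {}
    for source_ip, _ in hits:
        counts[source_ip] = counts.get(source_ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, target in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
```

Running the block on the constructed log flags three of the five lines (the `../`, `%2e%2e`, and `..%5c` requests) and leaves the benign `a..b` path alone. The decode-twice step is the part a literal `'../'` signature lacks; the trade-off is that decoding is applied to the logged target only, so what the server itself did with the path is not checked here.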