Re: http-passwd Result

[Zack Dela <ny101880 () yahoo com>]

Thanks David.. I will check the fixed version of this NSE script.
Im currently using the 5.35DC1 release.

I believe it was a false positive also.. (Ron have replied also to me on this.)

Cheers!!!




________________________________
From: David Fifield <david () bamsoftware com>
To: Ron <ron () skullsecurity net>
Cc: Zack Dela <ny101880 () yahoo com>; nmap-dev () insecure org
Sent: Wed, November 17, 2010 3:42:46 AM
Subject: Re: http-passwd Result

On Tue, Nov 16, 2010 at 09:40:17AM -0600, Ron wrote:
> On Mon, 15 Nov 2010 05:28:07 -0800 (PST) Zack Dela <ny101880 () yahoo com> wrote:
> > I would like to get some light on the result of the script. I wonder
> > how to manually go to that directory (I mean what parameter I will
> > put in the URL to find the vulnerability manually)
> > Im confused of the result and how to actually browse the site and
> > traverse to it.
> > The site is something like this https://x.x.x.x/
> >
> >
> > Command 1 (Machine A):
> > nmap -sV -p 80,443 -d --script http-passwd x.x.x.x
> >
> > Result:
> > 443/tcp open  ssl/http syn-ack Serv-U httpd x.x.x.x
> > | http-passwd: Directory traversal found.
> > | Payload: "%2F%2Fetc%2Fpasswd"
> > | Printing first 250 bytes:
> > |_<!DOCTYPE HTML PUBLIC "-//W3C//
> >
> >
> >
> > Command 2 (Machine B):
> > nmap -sV -p 80,443 -d --script http-passwd x.x.x.x
> >
> > Result:
> > 443/tcp open  ssl/http syn-ack VMware View Manager httpd
> > | http-passwd: Directory traversal found.
> > | Payload: "%2F%2Fetc%2Fpasswd"
> > | Printing first 250 bytes:
> > | 
> > | 
> > | 
> > | <html>
> > |  <head>
> > |   <title>VMware View Portal</title>
> > |   <link rel=stylesheet href="/styles/default/style.css"
> > type="text/css" /> |  
> > |    <script type="text/javascript" language="JavaScript" 
> > src="/styles/default/cookieFunctions.js">
> > |_   </script>
> >
> >
> > Hoping anyone can help. I just wanted to see if the machine is
> > vulnerbale or not.
>
> Looks like you aren't vulnerable. The page is returning an HTTP page,
> not the passwd file. 

I think this is a false positive that is fixed in the latest version of
the script at http://nmap.org/svn/scripts/http-passwd.nse. The script
does a simple check on the returned document to see if it looks like a
passwd or boot.ini file. But there was bug in the matching code that was
fixed in r20378. Anyone familiar with Lua patterns should be able to see
what was going wrong:

-if response.body:match("^[^:]+:[^:]*:[0-9]+:[0-9]+:") or 
response.body:match("\[boot loader\]") then
+if response.body:match("^[^:]+:[^:]*:[0-9]+:[0-9]+:") or 
response.body:match("%[boot loader%]") then

The first pattern was matching against the character class [abdelort ],
not the literal string "[boot loader]".

David Fifield



      
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/