Re: [NSE] http-vuln-cve2009-0580

[Patrik Karlsson <patrik () cqure net>]

On Mon, Mar 19, 2012 at 12:15 PM, M. Hani Benhailes <kroosec () gmail com>wrote:

> Hi list,
>
> description = [[
> Tries to exploit cve-2009-0580 also known as Apache Tomcat user enumeration
> with FORM authentication.
>
> This vulnerability permits to enumerate (brute force) valid Apache tomcat
> server users via requests to /j_security_check with malformed URL encoding
> of
> passwords. It is present in versions 6.0.0 to 6.0.18, 5.5.0 to 5.5.27 and
> 4.1.0 to 4.1.39
>
> For more information, see:
> * https://cve.mitre.org/cgi-bin/**cvename.cgi?name=2009-0580<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0580>
> * http://www.osvdb.org/55055
> * http://www.securityfocus.com/**bid/35196<http://www.securityfocus.com/bid/35196>
> ]]
>
> --@output
> -- PORT   STATE SERVICE
> -- 80/tcp open  http
> --| http-vuln-cve2009-0580:
> --|   VULNERABLE:
> --|   Apache Tomcat user enumeration with FORM authentication
> --|     State: VULNERABLE (Exploitable)
> --|     IDs:  CVE:CVE-2009-0580
> --|     Risk factor: Low  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:N/A:N)
> --|     Description:
> --|       Permits to enumerate Apache Tomcat users remotely and is present
> in
> --|       Apache Tomcat 6.0.0 to 6.0.18, 5.5.0 to 5.5.27 and 4.1.0 to
> 4.1.39
> --|     Disclosure date: 2009-06-14
> --|     Exploit results:
> --|       admin
> --|       tomcat
> --|     References:
> --|       
> http://cve.mitre.org/cgi-bin/**cvename.cgi?name=CVE-2009-0580<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580>
> --|_      http://www.osvdb.org/55055
>
> Cheers,
> Hani.
>
> --
> M. Hani Benhabiles
> OWASP Algeria Student Chapter: Founder/President.
> http://www.owaspalgeriasc.org
> https://www.owasp.org/index.**php/Algeria_Student_Chapter<https://www.owasp.org/index.php/Algeria_Student_Chapter>
> Email: hani.benhabiles () owasp org
>
> Twitter: https://twitter.com/#!/kroosec
> Blog: http://kroosec.blogspot.com
>
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/

Hi Hani,

I've been trying to test this script against a vulnerable version
configured to use form based authentication but can't get it to work. What
happens is that it reports all accounts as valid ones, even though they're
not.
I'm seeing a 200 OK and a cookie being set in all responses. Could you
share the configuration your using so that I can test the script?

Also, I'm guessing the script needs some additional check to make sure it's
not hitting an error page returning a 200 OK as this would also report all
accounts as valid. One way of doing this is to check one or two random
username and make sure that they're not detected as valid.

Cheers,
Patrik
-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/