Nmap Development mailing list archives

Re: [NSE] http-vuln-cve2009-0580


From: David Fifield <david () bamsoftware com>
Date: Tue, 1 May 2012 09:41:44 -0700

On Fri, Mar 23, 2012 at 10:06:53AM -0400, Patrik Karlsson wrote:
On Mon, Mar 19, 2012 at 12:15 PM, M. Hani Benhailes <kroosec () gmail com> wrote:

Hi list,

description = [[
Tries to exploit cve-2009-0580 also known as Apache Tomcat user enumeration
with FORM authentication.

This vulnerability permits to enumerate (brute force) valid Apache tomcat
server users via requests to /j_security_check with malformed URL encoding of
passwords. It is present in versions 6.0.0 to 6.0.18, 5.5.0 to 5.5.27 and
4.1.0 to 4.1.39

For more information, see:
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0580
* http://www.osvdb.org/55055
* http://www.securityfocus.com/bid/35196
]]

--@output
-- PORT   STATE SERVICE
-- 80/tcp open  http
--| http-vuln-cve2009-0580:
--|   VULNERABLE:
--|   Apache Tomcat user enumeration with FORM authentication
--|     State: VULNERABLE (Exploitable)
--|     IDs:  CVE:CVE-2009-0580
--|     Risk factor: Low  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:N/A:N)
--|     Description:
--|       Permits to enumerate Apache Tomcat users remotely and is present in
--|       Apache Tomcat 6.0.0 to 6.0.18, 5.5.0 to 5.5.27 and 4.1.0 to 4.1.39
--|     Disclosure date: 2009-06-14
--|     Exploit results:
--|       admin
--|       tomcat
--|     References:
--|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580
--|_      http://www.osvdb.org/55055

Hi Hani,

I've been trying to test this script against a vulnerable version
configured to use form-based authentication but can't get it to work. What
happens is that it reports all accounts as valid ones, even though they're
not. I'm seeing a 200 OK and a cookie being set in all responses. Could you
share the configuration you're using so that I can test the script?

Also, I'm guessing the script needs some additional check to make sure it's
not hitting an error page returning a 200 OK, as this would also report all
accounts as valid. One way of doing this is to check one or two random
usernames and make sure that they're not detected as valid.

What has happened with this script? Did you guys find out why it wasn't
working for Patrik?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
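The sanity check Patrik describes, as an added example that is not part of the thread or of the NSE script (Python rather than Lua): a couple of random usernames are probed first, and if the oracle flags any of them as valid, the whole result set is discarded as a false positive. `looks_valid` is an assumed stand-in for the script's own oracle, and the two target functions are constructed mocks, so nothing touches the network.

```python
import random
import string
from typing import Callable, List, NamedTuple, Optional


class Response(NamedTuple):
    status: int
    set_cookie: bool


def looks_valid(resp: Response) -> bool:
    # Assumed heuristic: "200 OK plus a cookie" means a valid account.
    # This is what Patrik saw the script treating as a hit for every name.
    return resp.status == 200 and resp.set_cookie


def random_username(rng: random.Random, length: int = 12) -> str:
    # A random 12-letter name is overwhelmingly unlikely to be a real account.
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def enumerate_users(probe: Callable[[str], Response], candidates: List[str],
                    canaries: int = 2, seed: int = 0) -> Optional[List[str]]:
    """Return the candidates the oracle flags as valid, or None when the
    oracle cannot be trusted because a random canary name is flagged too
    (e.g. an error page answering 200 OK to everything)."""
    rng = random.Random(seed)
    for _ in range(canaries):
        if looks_valid(probe(random_username(rng))):
            return None  # results would be all-positive noise; report nothing
    return [user for user in candidates if looks_valid(probe(user))]


# Constructed mocks standing in for a target (no real requests are made).
def broken_target(username: str) -> Response:
    # Patrik's observation: every request gets 200 OK and a cookie.
    return Response(200, True)


def distinguishing_target(username: str) -> Response:
    # Only the two accounts that exist in this mock produce the tell-tale reply.
    if username in {"admin", "tomcat"}:
        return Response(200, True)
    return Response(401, False)


if __name__ == "__main__":
    wordlist = ["admin", "tomcat", "root", "guest"]
    print(enumerate_users(broken_target, wordlist))          # None
    print(enumerate_users(distinguishing_target, wordlist))  # ['admin', 'tomcat']
```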