Nmap Development mailing list archives

Re: [NSE] Identify RomPager rom-0 vulnerabilities


From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 6 Jan 2016 15:00:32 -0600

Oops, neglected to put in my footnote. The issue I was referring to is
#267, "Improve http-fingerprints.lua format and organization"

https://github.com/nmap/nmap/issues/267

Also, the NSEdoc page for the script has been generated:
https://nmap.org/nsedoc/scripts/http-vuln-cve2013-6786.html

Dan

On Wed, Jan 6, 2016 at 2:52 PM, Daniel Miller <bonsaiviking () gmail com>
wrote:

Vlatko,

Thanks for these scripts! I converted the rom-0 script into a fingerprint
in http-fingerprints.lua, and I hope we will be able to make improvements
to that database and the http-enum script that will make vuln scanning
easier [1].

The http-rompager-xss script I added as http-vuln-cve2013-6786, since that
CVE has been assigned according to the reference you listed. It seems
general enough of a check that I think it is likely to turn up "false"
positives: other software or websites that are vulnerable to the same
thing, though they may not be RomPager. I put a note to that effect in the
description.

Thanks for the contributions again!

Dan

On Sun, Jul 5, 2015 at 9:40 AM, Vlatko Kosturjak <kost () linux hr> wrote:

Hello!

These NSE scripts identify simple, but dangerous vulnerabilities
present on many network devices that are using the RomPager Embedded Web
Server.

An attacker is able to get your ISP password, wireless password and other
sensitive information by issuing a single HTTP GET request to the '/rom-0' URI.
The mentioned information disclosure is present in RomPager Embedded Web
Server. Affected devices include ZTE, TP-Link, ZynOS, Huawei and many
others. The vulnerability was published in 2014 (by looking at the CVE), but I
see a lot of people don't know about it, mainly because there was no hype
about it and most of the popular vulnerability scanners failed to
identify it.

So, I hope this vulnerability will get better treatment after these
NSE scripts.

NSE scripts are also available here:
https://github.com/kost/nmap-nse/tree/master/scripts

You can read more about vulnerability and exploitation here:

https://k0st.wordpress.com/2015/07/05/identifying-and-exploiting-rom-0-vulnerabilities/

Take care,
--
Vlatko Kosturjak - KoSt

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/



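The disclosure Vlatko describes is a single GET to the '/rom-0' path, which makes attempts against it easy to spot from the web-server side. The following is an added example, not code from the thread, from Vlatko's scripts or from Nmap: a small detector that parses access-log lines in the Apache/nginx "combined" format (an assumption about the log layout) and flags requests for /rom-0, distinguishing a request the device actually served (status 200 with a body, i.e. the file was handed out) from one that did not succeed. The log lines embedded below are constructed for the example, not real traffic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed log layout: Apache/nginx "combined" format, i.e.
# host ident authuser [date] "METHOD path HTTP/x.y" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# The path named in the thread; compared after stripping any query string,
# a trailing slash and case, since all of those reach the same handler.
ROM0_PATH = "/rom-0"


@dataclass
class Finding:
    host: str
    ts: str
    status: int
    size: int
    severity: str  # "exposed" if the device served the file, otherwise "attempt"


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def classify(entry: dict) -> Optional[Finding]:
    """Flag a parsed entry if it targets /rom-0; rate it by whether the request succeeded."""
    path = entry["path"].split("?", 1)[0].rstrip("/").lower()
    if path != ROM0_PATH:
        return None
    # A 200 with a non-empty body means the device handed out the file;
    # anything else (e.g. a 404 from firmware that no longer exposes it) is an attempt.
    served = entry["status"] == 200 and entry["size"] > 0
    return Finding(entry["host"], entry["ts"], entry["status"], entry["size"],
                   "exposed" if served else "attempt")


def scan_log(lines: List[str]) -> List[Finding]:
    """Run the detector over raw log lines, skipping lines that do not parse."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log lines for this example (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jul/2015:09:40:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Jul/2015:09:40:02 +0000] "GET /rom-0 HTTP/1.1" 200 16384 "-" "curl/7.40"',
    '198.51.100.7 - - [05/Jul/2015:09:40:03 +0000] "GET /ROM-0?x=1 HTTP/1.1" 404 0 "-" "curl/7.40"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.severity:8} {f.host} at {f.ts} status={f.status} bytes={f.size}")
```

An "exposed" finding is the one worth paging on: it means the device served the file and the credentials in it should be treated as compromised, whereas a steady stream of "attempt" findings against devices that answer 404 is scanner background noise that is useful mainly as an indicator of who is probing.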
