1 files changed, 79 insertions, 0 deletions
diff --git a/scripts/http-vuln-cve2010-0738.nse b/scripts/http-vuln-cve2010-0738.nse
new file mode 100644
index 0000000..d9d4161
--- /dev/null
+++ b/scripts/http-vuln-cve2010-0738.nse
@@ -0,0 +1,79 @@
+description = [[
+Tests whether a JBoss target is vulnerable to jmx console authentication bypass (CVE-2010-0738).
+
+It works by checking if the target paths require authentication or redirect to a login page that could be
+bypassed via a HEAD request. RFC 2616 specifies that the HEAD request should be treated exactly like GET but
+with no returned response body. The script also detects if the URL does not require authentication at all.
+
+For more information, see:
+* CVE-2010-0738 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0738
+* http://www.imperva.com/resources/glossary/http_verb_tampering.html
+* https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
+
+]]
+
+---
+-- @usage
+-- nmap --script=http-vuln-cve2010-0738 --script-args 'http-vuln-cve2010-0738.paths={/path1/,/path2/}' <target>
+--
+-- @output
+-- PORT   STATE SERVICE
+-- 80/tcp open  http
+-- | http-vuln-cve2010-0738:
+-- |_  /jmx-console/: Authentication bypass.
+--
+-- @args http-vuln-cve2010-0738.paths Array of paths to check. Defaults
+-- to <code>{"/jmx-console/"}</code>.
+
+author = "Hani Benhabiles"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"safe", "auth", "vuln"}
+
+local http = require "http"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local table = require "table"
+
+portrule = shortport.http
+
+action = function(host, port)
+  local paths = stdnse.get_script_args(SCRIPT_NAME..".paths")
+  local result = {}
+
+  -- convert single string entry to table
+  if ( "string" == type(paths) ) then
+    paths = { paths }
+  end
+
+  -- Identify servers that answer 200 to invalid HTTP requests and exit as these would invalidate the tests
+  local status_404, result_404, _ = http.identify_404(host,port)
+  if ( status_404 and result_404 == 200 ) then
+    stdnse.debug1("Exiting due to ambiguous response from web server on %s:%s. All URIs return status 200.", host.ip, port.number)
+    return nil
+  end
+
+  -- fallback to jmx-console
+  paths = paths or {"/jmx-console/"}
+
+  for _, path in ipairs(paths) do
+    local getstatus = http.get(host, port, path).status
+
+    -- Checks if HTTP authentication or a redirection to a login page is applied.
+    if getstatus == 401 or getstatus == 302 then
+      local headstatus = http.head(host, port, path).status
+      if headstatus == 500 and path == "/jmx-console/" then
+        -- JBoss authentication bypass.
+        table.insert(result, ("%s: Vulnerable to CVE-2010-0738."):format(path))
+      elseif headstatus == 200 then
+        -- Vulnerable to authentication bypass.
+        table.insert(result, ("%s: Authentication bypass possible"):format(path))
+      end
+      -- Checks if no authentication is required for Jmx console
+      -- which is default configuration and common.
+    elseif getstatus == 200 then
+      table.insert(result, ("%s: Authentication was not required"):format(path))
+    end
+  end
+
+  return stdnse.format_output(true, result)
+end