summaryrefslogtreecommitdiffstats
path: root/scripts/http-vuln-cve2010-0738.nse
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/http-vuln-cve2010-0738.nse')
-rw-r--r--scripts/http-vuln-cve2010-0738.nse79
1 files changed, 79 insertions, 0 deletions
diff --git a/scripts/http-vuln-cve2010-0738.nse b/scripts/http-vuln-cve2010-0738.nse
new file mode 100644
index 0000000..d9d4161
--- /dev/null
+++ b/scripts/http-vuln-cve2010-0738.nse
@@ -0,0 +1,79 @@
+description = [[
+Tests whether a JBoss target is vulnerable to jmx console authentication bypass (CVE-2010-0738).
+
+It works by checking if the target paths require authentication or redirect to a login page that could be
+bypassed via a HEAD request. RFC 2616 specifies that the HEAD request should be treated exactly like GET but
+with no returned response body. The script also detects if the URL does not require authentication at all.
+
+For more information, see:
+* CVE-2010-0738 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0738
+* http://www.imperva.com/resources/glossary/http_verb_tampering.html
+* https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_%28OWASP-CM-008%29
+
+]]
+
+---
+-- @usage
+-- nmap --script=http-vuln-cve2010-0738 --script-args 'http-vuln-cve2010-0738.paths={/path1/,/path2/}' <target>
+--
+-- @output
+-- PORT STATE SERVICE
+-- 80/tcp open http
+-- | http-vuln-cve2010-0738:
+-- |_ /jmx-console/: Authentication bypass.
+--
+-- @args http-vuln-cve2010-0738.paths Array of paths to check. Defaults
+-- to <code>{"/jmx-console/"}</code>.
+
+author = "Hani Benhabiles"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"safe", "auth", "vuln"}
+
+local http = require "http"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local table = require "table"
+
+portrule = shortport.http
+
+action = function(host, port)
+ local paths = stdnse.get_script_args(SCRIPT_NAME..".paths")
+ local result = {}
+
+ -- convert single string entry to table
+ if ( "string" == type(paths) ) then
+ paths = { paths }
+ end
+
+ -- Identify servers that answer 200 to invalid HTTP requests and exit as these would invalidate the tests
+ local status_404, result_404, _ = http.identify_404(host,port)
+ if ( status_404 and result_404 == 200 ) then
+ stdnse.debug1("Exiting due to ambiguous response from web server on %s:%s. All URIs return status 200.", host.ip, port.number)
+ return nil
+ end
+
+ -- fallback to jmx-console
+ paths = paths or {"/jmx-console/"}
+
+ for _, path in ipairs(paths) do
+ local getstatus = http.get(host, port, path).status
+
+ -- Checks if HTTP authentication or a redirection to a login page is applied.
+ if getstatus == 401 or getstatus == 302 then
+ local headstatus = http.head(host, port, path).status
+ if headstatus == 500 and path == "/jmx-console/" then
+ -- JBoss authentication bypass.
+ table.insert(result, ("%s: Vulnerable to CVE-2010-0738."):format(path))
+ elseif headstatus == 200 then
+ -- Vulnerable to authentication bypass.
+ table.insert(result, ("%s: Authentication bypass possible"):format(path))
+ end
+ -- Checks if no authentication is required for Jmx console
+ -- which is default configuration and common.
+ elseif getstatus == 200 then
+ table.insert(result, ("%s: Authentication was not required"):format(path))
+ end
+ end
+
+ return stdnse.format_output(true, result)
+end