Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: hexify() problem in http-passwd.nse
From: Joao Correa <joao () livewire com br>
Date: Sun, 31 May 2009 17:49:17 -0300

Thanks a lot Brandon!

Your 30 seconds answer was loud and clear!

On Sun, May 31, 2009 at 5:11 PM, Brandon Enright <bmenrigh () ucsd edu> wrote:
Hash: SHA1

On Sun, 31 May 2009 16:47:31 -0300 or thereabouts Joao Correa
<joao () livewire com br> wrote:

Kris, thanks for you answer and for the reference.

My doubt is if, with the http-passwd.nse script, you are trying to
retrieve the passwd file directly, or if it is used to retrieve the
file as a parameter for the web application, just like descripted in

Considering the source code I can only think about the first option,
but in this case we fall on the problem descripted on my first e-mail
(I´ve tried to reproduce the scenario here, but the hexed chars were
not decoded by the Apache, leading to failure). As mentioned before,
when I have removed the hexify function and sent the dir function
without special encoding, it worked fine. I don´t think it is the
expected behavior.

Since the script dates from 2007 and the mentioned RFC dates from
2005, I don´t believe that it is a problem of lost compatibility due
to Apache getting fit to the RFC.

Have you used the script recently? Which web servers have you tried
to exploit?

Thanks a lot,
João Correa

Hey João, sorry that I only have about 30 seconds to reply.  The
directory transversal script really isn't targeted at mainstream
webserver like Apache and IIS.  In some really heinous cases I suspect
it would work against either, but it works pretty well against all of
the hundreds of obscure webservers out there.

For example, the ../../../etc/password works against the embedded HTTP
server on many HTTP printers.  Nevermind that it might violate RFC and
best practices, it works on lots of servers.

We might think of expanding the script beyond just /etc/password
though.  I've seen a number attacks recently that check for directory
transversal by going after /proc/self/cmdline which seems to be more
reliable than things like /etc/password


Version: GnuPG v2.0.11 (GNU/Linux)


Sent through the nmap-dev mailing list
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]