Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] Created NSE script to detect Zimbra 0 day
From: Ron <ron () skullsecurity net>
Date: Thu, 19 Dec 2013 12:10:20 -0600

It works if I switch out the string.match() with "==".

I don't know why, though!

Ron

On 2013-12-19 11:57, Ron wrote:
It is indeed returning that value. The string.match() doesn't seem to be
working, though I don't understand why.

If I change the code to this:

if string.match(escape(detection_session.header['content-type']), "application/x-javascript") then
  stdnse.print_debug(1, "The website may be vulnerable to the Zimbra 0-day.")
  vuln.state = vulns.STATE.EXPLOIT
  return vuln_report:make_output(detection_session.body)
else
  stdnse.print_debug(1, " \n'" .. escape(detection_session.header['content-type']) .. "' 
!=\n'application/x-javascript'")
  stdnse.print_debug(1, "Bad content-type for the resource : " .. detection_session.header['content-type'])
  return
end

It prints this:

NSE: GET 
/zimbra/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
NSE:
'application/x-javascript' !=
'application/x-javascript'

Which makes absolutely no sense.

Thoughts?

Ron

On 2013-12-19 18:46, Paul AMAR wrote:
Hi Ron,

First of all, thanks for the feedback.

Can you add : stdnse.print_debug(1,
detection_session.header['content-type']) ?

What is the value ?
For me, the value is : application/x-javascript. So, it's really weird..

Thanks for the feedback.

Paul


2013/12/19 Ron <ron () skullsecurity net>

Actually, I'm not sure if this script will work at all. I ran it against
a patched machine and got this:

NSE: GET
/zimbra/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
NSE: Bad content-type for the resource : application/x-javascript

I don't have a vuln machine to test on anymore, but I can't imagine the
content-type is different on a vulnerable host.

Ron

On 2013-12-19 11:34, Ron wrote:
A strategy that might would would be to request a small file (like
/dev/null) and a large file (I'm blanking out on what would be best),
then check the sizes returned. If the sizes are quite a bit different,
that confirms that the host is vulnerable.

The newest version of Zimbra shouldn't be vulnerable, I think they fixed
it. The file is still there, and you'll still get a big .gz file, but
the file no longer contains the local file.

Ron

On 2013-12-19 09:44, Paul AMAR wrote:
Hi,

@George, thanks for adding the script.

@Ron, I'm thinking about adding gzip support, I guess I might work on
this
when I'll have time.
And you're definitely right, I'll add the choice for the file (as an
argument).

Thanks for the feedback ;-)

Paul


2013/12/19 Ron <ron () skullsecurity net>

It'd be cool if you could give the filename to read as an argument
(defaulting to the config file)! If Nmap doesn't have gzip support,
this
would be a *great* reason to add it!

The issue with the script as-is is, once the vuln is patched, it'll
keep
reporting it's vulnerable, I think, unless they just delete the
file. if
you try to grab a "bad" file (like /etc/shadow), everything seem to
work
fine.

Ron

On 2013-12-14 13:14, Paul AMAR wrote:
Hello all,

I developed a NSE script that detects if the host is vulnerable to
Zimbra 0
day which has been released few days (week) ago (exploit here :
http://www.exploit-db.com/exploits/30085/).

The script detects if the file is present (http status code 200)
with a
good content-type (application/x-javascript) and give the URL to
try it
by
yourself.

Don't hesitate if you have any feedback.
To try this, I had a vulnerable environment with some old VMs
running
Zimbra.

*./nmap -p80 --script http-vuln-0-day-lfi-zimbra 192.168.56.101 -d*

Regards,
Paul


_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault