Nmap Development mailing list archives

Re: [NSE] detector/exploit for CVE-2009-3733 (VMWare Path Traversal)


From: David Fifield <david () bamsoftware com>
Date: Fri, 12 Feb 2010 20:10:47 -0700

On Wed, Feb 10, 2010 at 10:06:45AM -0600, Ron wrote:
On Tue, 9 Feb 2010 22:13:32 -0600 Ron <ron () skullsecurity net> wrote:
Hey list (and Tony/Justin),

I'm attaching an Nmap script to detect and exploit CVE-2009-3733,
which is a dead simple vulnerability in VMWare Server/ESX/ESXi that
Justin and Tony presented at Shmoocon this past weekend.  Basically,
you are able to exploit a server just by adding ../ to your URL.
Oops? :)

Anyways, this script downloads the VMWare configuration file and
parses it for the virtual machines. Here is some sample output:

| http-vmware-path-vuln:
|   VMWare path traversal (CVE-2009-3733): VULNERABLE
|     /vmware/Windows 2003/Windows 2003.vmx
|     /vmware/Pentest/Pentest - Linux/Linux Pentest Bravo.vmx
|     /vmware/Pentest/Pentest - Windows/Windows 2003.vmx
|     /mnt/vmware/vmware/FreeBSD 7.2/FreeBSD 7.2.vmx
|     /mnt/vmware/vmware/FreeBSD 8.0/FreeBSD 8.0.vmx
|     /mnt/vmware/vmware/FreeBSD 8.0 64-bit/FreeBSD 8.0 64-bit.vmx
|_    /mnt/vmware/vmware/Slackware 13 32-bit/Slackware 13 32-bit.vmx

If 'verbose' isn't set, only the first line is returned.

Attached is an updated version:
- Commented out some currently unused code
- Properly detect servers with no virtual machines

Is this different enough from http-passwd to justify a separate script?
Could they be combined into one http-traversal?

I don't like "safe", "default" for this script. It's not all that
intrusive, but it will run against every open port 80, most of which
won't be ESX.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
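As an added example (not part of the thread, and not the NSE script itself): a small Python parser for the script's output in the form shown above, so a defender can pull the vulnerable hosts and their .vmx paths out of a larger Nmap run. It handles the non-verbose case Ron mentions (only the status line present) and skips hosts the script produced no output for, which with "default" would be most port-80 hosts. The host names and report layout are constructed; the .vmx paths are copied from the sample output.

```python
import re

# Constructed Nmap normal-output excerpt (hypothetical hosts, not real scan
# data): one host the script flags, one plain web server it says nothing about.
SAMPLE_SCAN = """\
Nmap scan report for esx-host.example.test (192.0.2.10)
PORT   STATE SERVICE
80/tcp open  http
| http-vmware-path-vuln:
|   VMWare path traversal (CVE-2009-3733): VULNERABLE
|     /vmware/Windows 2003/Windows 2003.vmx
|_    /mnt/vmware/vmware/FreeBSD 8.0/FreeBSD 8.0.vmx

Nmap scan report for web.example.test (192.0.2.20)
PORT   STATE SERVICE
80/tcp open  http
"""

HOST_RE = re.compile(r"^Nmap scan report for (.+)$")
STATUS_RE = re.compile(r"VMWare path traversal \((CVE-\d{4}-\d+)\): (\S+)")

def parse_scan(text):
    """Map each host with script output to {'cve', 'status', 'vmx'}.
    Without verbose only the status line exists, so 'vmx' may be empty."""
    results, host, in_block = {}, None, False
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                       # new host: any open script block ends here
            host, in_block = m.group(1), False
            continue
        body = line.lstrip("|_").strip()   # drop Nmap's "|" / "|_" framing
        if body == "http-vmware-path-vuln:":
            in_block = True
            results[host] = {"cve": None, "status": None, "vmx": []}
            continue
        if not in_block:
            continue
        m = STATUS_RE.match(body)
        if m:
            results[host]["cve"], results[host]["status"] = m.groups()
        elif body.endswith(".vmx"):
            results[host]["vmx"].append(body)
        if line.startswith("|_"):   # "|_" is the last line of a script's block
            in_block = False
    return results

def vulnerable_hosts(text):
    """Hosts whose status line reads VULNERABLE, sorted for stable reporting."""
    return sorted(h for h, r in parse_scan(text).items() if r["status"] == "VULNERABLE")
```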