Script http-vuln-cve2010-2861
Script types:
portrule
Categories:
intrusive, vuln
Download: https://svn.nmap.org/nmap/scripts/http-vuln-cve2010-2861.nse
Script Summary
Executes a directory traversal attack against a ColdFusion server and tries to grab the password hash for the administrator user. It then uses the salt value (hidden in the web page) to create the SHA1 HMAC that the web server expects for authentication as admin. This value can be passed to the ColdFusion server to authenticate as admin without cracking the password hash.
See also:
Script Arguments
- slaxml.debug
See the documentation for the slaxml library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
- vulns.short, vulns.showall
See the documentation for the vulns library.
Example Usage
nmap --script http-vuln-cve2010-2861 <host>
Script Output
80/tcp open http
| http-vuln-cve2010-2861:
|   VULNERABLE:
|   Adobe ColdFusion enter.cfm Traversal password.properties Information Disclosure
|     State: VULNERABLE
|     IDs:  CVE:CVE-2010-2861  BID:42342
|     Description:
|       Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion
|       9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter
|     Disclosure date: 2010-08-10
|     Extra information:
|
|   ColdFusion8
|   HMAC: d6914bef568f8931d0c696cd5f7748596f97db5d
|   Salt: 1329446896585
|   Hash: 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
|
|     References:
|       http://www.blackhatacademy.org/security101/Cold_Fusion_Hacking
|       https://www.tenable.com/plugins/nessus/48340
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-2861
|       https://nvd.nist.gov/vuln/detail/CVE-2010-2861
|_      https://www.securityfocus.com/bid/42342

This script relies on the service being identified as HTTP or HTTPS. If the ColdFusion server you run this against is on a port other than 80/tcp or 443/tcp, use "nmap -sV" so that Nmap discovers the port as an HTTP server.
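The traversal described above shows up in web-server access logs as a request whose locale parameter carries "../" sequences or names password.properties. The following detection routine, added here as an example and not part of the Nmap script, scans common-log-format lines for that pattern; the log lines, IP addresses and paths are constructed samples.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Common/combined log format: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic). Lines 3 and 4 carry traversal attempts
# in the locale parameter; line 4 is double percent-encoded to evade naive matching.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2010:12:00:01 +0000] "GET /administrator/index.cfm HTTP/1.1" 200 5120
203.0.113.5 - - [10/Aug/2010:12:00:02 +0000] "GET /administrator/enter.cfm?locale=en HTTP/1.1" 200 4211
198.51.100.7 - - [10/Aug/2010:12:00:03 +0000] "GET /administrator/enter.cfm?locale=..%2F..%2Flib%2Fpassword.properties HTTP/1.1" 200 4211
192.0.2.9 - - [10/Aug/2010:12:00:04 +0000] "GET /administrator/enter.cfm?locale=%252e%252e%252f%252e%252e%252flib%252fpassword.properties HTTP/1.1" 200 4211
198.51.100.7 - - [10/Aug/2010:12:00:05 +0000] "GET /index.cfm HTTP/1.1" 200 300
"""

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded '../' is still caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious_locale(value):
    """True if the locale value, once decoded, walks directories or names the secrets file."""
    v = decode_fully(value).replace("\\", "/").lower()
    return "../" in v or "password.properties" in v

def find_traversal_attempts(log_text):
    """Return one finding per request whose locale parameter looks like a traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qs performs one decoding pass; decode_fully handles any further layers.
        for locale in parse_qs(parts.query, keep_blank_values=True).get("locale", []):
            if is_suspicious_locale(locale):
                hits.append({"ip": m.group("ip"), "timestamp": m.group("ts"),
                             "path": parts.path, "status": m.group("status"),
                             "locale": decode_fully(locale)})
    return hits

if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

A status of 200 on a flagged request is the signal to treat seriously, since a successful read of password.properties returns normally; 404 or 403 responses indicate the attempt was blocked.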
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html