Script http-vuln-cve2013-7091

Script types: portrule
Categories: exploit, vuln, intrusive
Download: https://svn.nmap.org/nmap/scripts/http-vuln-cve2013-7091.nse

Script Summary

A 0-day was released on the 6th December 2013 by rubina119, and was patched in Zimbra 7.2.6.

The vulnerability is a local file inclusion that can retrieve any file from the server.

Currently, we read /etc/passwd and /dev/null, and compare the lengths to determine vulnerability.

TODO: Add the ability to read compressed files. Then, send a payload to create a new mail account.

Script Arguments

http-vuln-cve2013-7091.uri

URI. Default: /zimbra

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap -sV --script http-vuln-cve2013-7091 <target>
nmap -p80 --script http-vuln-cve2013-7091 --script-args http-vuln-cve2013-7091.uri=/ZimBra <target>

Script Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-vuln-cve2013-7091:
|   VULNERABLE:
|   Zimbra Local File Inclusion and Disclosure of Credentials
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2013-7091
|     Description:
|       An 0 day was released on the 6th December 2013 by rubina119.
|       The vulnerability is a local file inclusion that can retrieve the credentials of the Zimbra installations etc.
|       Using this script, we can detect if the file is present.
|       If the file is present, we assume that the host might be vulnerable.
|
|       In future version, we'll extract credentials from the file but it's not implemented yet and
|       the detection will be accurate.
|
|       TODO:
|       Add the possibility to read compressed file (because we're only looking if it exists)
|       Then, send some payload to create the new mail account
|     Disclosure date: 2013-12-06
|     Extra information:
|       Proof of Concept:/index.php?-s
|     References:
|_      http://www.exploit-db.com/exploits/30085/
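
For triage, the report block above can be turned into structured fields (state, CVE IDs, references) so findings can be tracked and re-verified. The following is an added example, not part of Nmap or of this script; the function names are hypothetical, the indentation levels are taken from the sample above, and the "NOT VULNERABLE:" header form is an assumption.

```python
import re

# Report block from the Script Output above, shortened for the example.
SAMPLE = """\
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-vuln-cve2013-7091:
|   VULNERABLE:
|   Zimbra Local File Inclusion and Disclosure of Credentials
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2013-7091
|     Disclosure date: 2013-12-06
|     References:
|_      http://www.exploit-db.com/exploits/30085/
"""

PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s")
HEADER_RE = re.compile(r"^(?:NOT )?VULNERABLE:$")  # "NOT" form is an assumption

def parse_vuln_reports(text):
    """Return one dict per finding in Nmap normal output."""
    findings, port, script, cur, key = [], None, None, None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:  # port table row; the script lines that follow belong to it
            port, script, cur, key = m.group(1), None, None, None
            continue
        if not line.startswith("|") or not line[2:].strip():
            continue
        rest = line[2:]  # drop "| " or the closing "|_"
        item, indent = rest.strip(), len(rest) - len(rest.lstrip())
        if indent == 0:  # "| script-id:"
            script, cur, key = item.partition(":")[0], None, None
        elif indent == 2 and not HEADER_RE.match(item):  # finding title
            cur = {"port": port, "script": script, "title": item, "fields": {}}
            findings.append(cur)
            key = None
        elif indent == 4 and cur is not None:  # "Key: value" or bare "Key:"
            key, _, value = item.partition(":")
            cur["fields"][key] = [value.strip()] if value.strip() else []
        elif indent >= 6 and cur is not None and key:  # value continuation
            cur["fields"][key].append(item)
    return findings

def cve_ids(finding):
    return re.findall(r"CVE-\d{4}-\d+", " ".join(finding["fields"].get("IDs", [])))

def is_vulnerable(finding):
    return any(s.startswith("VULNERABLE") for s in finding["fields"].get("State", []))
```

For automation at scale, Nmap's XML output (-oX) is the sturdier input; this parser suits text reports already in hand.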

Authors:

  • Paul AMAR <aos.paul@gmail.com>
  • Ron Bowes

License: Same as Nmap--See https://nmap.org/book/man-legal.html