Nmap Development mailing list archives
[NSE] detector/exploit for CVE-2009-3733 (VMWare Path Traversal)
From: Ron <ron () skullsecurity net>
Date: Tue, 9 Feb 2010 22:13:32 -0600
Hey list (and Tony/Justin),

I'm attaching an Nmap script to detect and exploit CVE-2009-3733, which is a dead simple vulnerability in VMWare Server/ESX/ESXi that Justin and Tony presented at Shmoocon this past weekend. Basically, you are able to exploit a server just by adding ../ to your URL. Oops? :)

Anyways, this script downloads the VMWare configuration file and parses it for the virtual machines. Here is some sample output:

| http-vmware-path-vuln:
| VMWare path traversal (CVE-2009-3733): VULNERABLE
| /vmware/Windows 2003/Windows 2003.vmx
| /vmware/Pentest/Pentest - Linux/Linux Pentest Bravo.vmx
| /vmware/Pentest/Pentest - Windows/Windows 2003.vmx
| /mnt/vmware/vmware/FreeBSD 7.2/FreeBSD 7.2.vmx
| /mnt/vmware/vmware/FreeBSD 8.0/FreeBSD 8.0.vmx
| /mnt/vmware/vmware/FreeBSD 8.0 64-bit/FreeBSD 8.0 64-bit.vmx
|_ /mnt/vmware/vmware/Slackware 13 32-bit/Slackware 13 32-bit.vmx

If 'verbose' isn't set, only the first line is returned.

I can go deeper and download each of these .vmx files, but I'm not sure how far we want to go. I'm attaching a sample .vmx so you can see what they look like. I can also give a URL to download them that the user can copy/paste to his/her browser. The program Tony/Justin released at Shmoocon would download the entire VMWare harddrive, but that's way further than an Nmap script should go.

There's one little issue, though: because it's often hard to detect false positives on HTTP servers, since 200 OK can't always be trusted, I assume the server is not vulnerable if it contains no virtual machine entries. That may not be 100% accurate, but it is very unlikely to have false positives this way. Thoughts?

For now, I put it in vuln/safe/default -- any feelings about that? All it does is download a single URL, and it won't break anything (but could be noisy on an IDS, since it contains ../ -- but, then, so does this email).

--
Ron Bowes
http://www.skullsecurity.org
Attachment: http-vmware-path-vuln.nse
Attachment: Windows 2003.vmx
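As an added illustration of the two pieces of logic the post describes (this is not Ron's script or Nmap project code, and it is Python rather than NSE's Lua so it can be run directly): the response-side rule that a 200 OK alone proves nothing and a host is reported VULNERABLE only when virtual-machine entries are actually parsed out of the fetched file, plus the verbose/non-verbose output shape from the sample; and the IDS-side view the post alludes to, flagging ../ sequences (including URL-encoded and double-encoded forms) in web-server log lines. The inventory body, log lines, hosts and paths are constructed; the real VMware file format and the request URL are not on the page, so the extractor is deliberately format-agnostic and no URL is assumed.

```python
import re
from urllib.parse import unquote

# Constructed stand-in for the downloaded configuration file. The real
# VMware inventory format is not shown in the post, so the extractor below
# is format-agnostic: it pulls out any absolute path ending in ".vmx".
# The repeated last line exercises de-duplication.
SAMPLE_CONFIG_BODY = '''\
vmlist.0 = "/vmware/Windows 2003/Windows 2003.vmx"
vmlist.1 = "/vmware/Pentest/Pentest - Linux/Linux Pentest Bravo.vmx"
vmlist.2 = "/mnt/vmware/vmware/FreeBSD 8.0 64-bit/FreeBSD 8.0 64-bit.vmx"
vmlist.2 = "/mnt/vmware/vmware/FreeBSD 8.0 64-bit/FreeBSD 8.0 64-bit.vmx"
'''

# An absolute path (starts with "/"), no quote/angle/newline characters,
# ending in ".vmx" at a word boundary.
VMX_PATH_RE = re.compile(r'/[^"\'<>\r\n]*?\.vmx\b')


def extract_vmx_paths(body):
    """Return the distinct .vmx paths in body, in order of first appearance."""
    seen, paths = set(), []
    for p in VMX_PATH_RE.findall(body):
        if p not in seen:
            seen.add(p)
            paths.append(p)
    return paths


def classify(status, body):
    """The post's false-positive rule: a 200 response is not trusted by
    itself; only a fetched file that really lists VMs counts as vulnerable."""
    if status != 200:
        return "NOT VULNERABLE (non-200 response)", []
    paths = extract_vmx_paths(body)
    if not paths:
        return "NOT VULNERABLE (no VM entries found)", []
    return "VULNERABLE", paths


def format_report(status, body, verbose=False):
    """Render Nmap-style output like the post's sample: without verbose only
    the verdict line is shown, with verbose each .vmx path follows it."""
    verdict, paths = classify(status, body)
    lines = ["VMWare path traversal (CVE-2009-3733): " + verdict]
    if verbose:
        lines += paths
    out = ["| http-vmware-path-vuln:"]
    out += ["| " + line for line in lines[:-1]]
    out += ["|_ " + lines[-1]]
    return "\n".join(out)


# --- IDS-side view: spotting the "../" the post warns will be noisy ---------

REQUEST_LINE_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
# A ".." segment bounded by slashes (or start/end) after normalisation.
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')


def normalize_path(path, max_rounds=3):
    """Percent-decode repeatedly (bounded) so %2e%2e and double-encoded
    %252e%252e both collapse to "..", then unify backslashes to slashes."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def flag_traversal_requests(log_lines):
    """Return the raw request paths from Combined-Log-Format lines whose
    decoded path contains a ".." segment. A literal ".." inside a file name
    (report..pdf) is not a traversal and is left alone."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE_RE.search(line)
        if m and TRAVERSAL_RE.search(normalize_path(m.group(1))):
            hits.append(m.group(1))
    return hits


# Constructed access-log lines; hosts and paths are made up for the example.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Feb/2010:22:13:32 -0600] "GET /ui/../../some/config.cfg HTTP/1.1" 200 1024',
    '10.0.0.5 - - [09/Feb/2010:22:13:40 -0600] "GET /ui/%2e%2e/%2e%2e/some/config.cfg HTTP/1.1" 200 1024',
    '10.0.0.6 - - [09/Feb/2010:22:13:41 -0600] "GET /ui/%252e%252e/some/config.cfg HTTP/1.1" 404 210',
    '10.0.0.7 - - [09/Feb/2010:22:14:01 -0600] "GET /ui/index.html HTTP/1.1" 200 2048',
    '10.0.0.8 - - [09/Feb/2010:22:14:05 -0600] "GET /files/report..pdf HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    print(format_report(200, SAMPLE_CONFIG_BODY, verbose=True))
    print(format_report(200, "<html><body>It works!</body></html>"))
    for path in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", path)
```

The log check decodes in a bounded loop rather than once because a single `unquote` would miss `%252e%252e`, and it anchors `..` between slashes so ordinary file names containing two dots do not trip it; both are the usual sources of misses and false alarms when writing this kind of rule.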
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] detector/exploit for CVE-2009-3733 (VMWare Path Traversal) Ron (Feb 09)
- Re: [NSE] detector/exploit for CVE-2009-3733 (VMWare Path Traversal) Richard Miles (Feb 10)
- Re: [NSE] detector/exploit for CVE-2009-3733 (VMWare Path Traversal) Ron (Feb 10)
- Re: [NSE] detector/exploit for CVE-2009-3733 (VMWare Path Traversal) David Fifield (Feb 12)
- Re: [NSE] detector/exploit for CVE-2009-3733 (VMWare Path Traversal) Ron (Feb 12)
- Re: [NSE] detector/exploit for CVE-2009-3733 (VMWare Path Traversal) Fyodor (Feb 15)
- Re: [NSE] detector/exploit for CVE-2009-3733 (VMWare Path Traversal) Ron (Feb 15)
- Re: [NSE] detector/exploit for CVE-2009-3733 (VMWare Path Traversal) David Fifield (Feb 15)
- Re: [NSE] detector/exploit for CVE-2009-3733 (VMWare Path Traversal) Richard Miles (Feb 17)
- Re: [NSE] detector/exploit for CVE-2009-3733 (VMWare Path Traversal) Richard Miles (Mar 04)
- Re: [NSE] detector/exploit for CVE-2009-3733 (VMWare Path Traversal) David Fifield (Feb 12)