Nmap Development mailing list archives
Re: Checking for jboss authentication bypass
From: Martin Holst Swende <martin () swende se>
Date: Tue, 06 Dec 2011 13:34:34 +0100
Here's a patch which checks if the status response from the HEAD request differs from the GET request. For jboss this approach works, but I guess that for services where HEAD is disallowed it would not work as well, since that may also affect the http response status.

Options:
1) Check difference as in the patch
2) Make a special case for jboss, and check for 500
3) Make the jboss-check against /web-console, which is not exactly the same as /jmx-console/, but usually there as well.
4) Check if head-response is any of 2XX or 5XX.

/Martin

On 12/06/2011 01:13 PM, Martin Holst Swende wrote:
> On 12/06/2011 01:12 PM, Martin Holst Swende wrote:
>> Hm. Looking at it though, it seems not to work against jboss servers. A vulnerable (jboss) server will respond with http 500, as described in http://www.mindedsecurity.com/MSA030409.html and which I have verified on a live server. However, the script only triggers when head-response is 200.
>>
>> /Martin
>>
>> ps. It probably would work as intended if /web-console/ was used instead.
>>
>> On 12/06/2011 01:05 PM, Hani Benhabiles wrote:
>>> Hi Martin,
>>>
>>> Check out the scripts/http-method-tamper.nse which defaults to checking CVE-2010-738 and the discussion [1] we had about it.
>>>
>>> [1] http://seclists.org/nmap-dev/2011/q4/225
>>>
>>> Cheers,
>>> Hani.
>>>
>>> On Tue, Dec 6, 2011 at 12:46 PM, Martin Holst Swende <martin () swende se> wrote:
>>>> Hi list,
>>>>
>>>> I threw together a script to check if a server is vulnerable to jboss authentication bypass. It makes a GET request to /jmx-console first to see if it is a jboss and whether it requires authentication. If it is and does, it tries a HEAD request. A http 500 response means it is vulnerable.
>>>>
>>>> As I wrote it, I copy-pasted a bit from other http-scripts. I was wondering; is this the correct way to do it if I want it to be able to work also against http or http-alt tunneled over https?
>>>>
>>>> Regards,
>>>> Martin Holst Swende
Attachment: diff.txt
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
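As an added example, not part of this thread or of Nmap's own scripts, the GET-then-HEAD status comparison the thread discusses, in Python: `classify` applies options 1, 2 and 4 to one (GET, HEAD) status pair, option 3 is just the `path` argument of `probe`, and `FakeServer` is a constructed loopback stand-in that mimics the 401-on-GET / 500-on-HEAD behaviour Martin describes (all names are hypothetical). Feeding `classify` a 405 on HEAD shows the false positive option 1 gives when a server merely disallows HEAD, which is the caveat raised above.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def classify(get_status, head_status):
    """Apply options 1, 2 and 4 from the thread to one (GET, HEAD) status pair.
    Each option only fires when the GET actually demanded authentication (401)."""
    auth = get_status == 401
    return {
        "opt1_status_differs": auth and head_status != get_status,
        "opt2_jboss_500": auth and head_status == 500,
        "opt4_2xx_or_5xx": auth and (200 <= head_status < 300 or 500 <= head_status < 600),
    }

def status_of(host, port, method, path):
    """One request on a fresh connection; returns the HTTP status code."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path)
        return conn.getresponse().status
    finally:
        conn.close()

def probe(host, port, path="/jmx-console/"):
    """GET then HEAD, as in the thread; option 3 is simply path='/web-console/'."""
    return status_of(host, port, "GET", path), status_of(host, port, "HEAD", path)

class FakeServer(BaseHTTPRequestHandler):
    """Constructed stand-in (hypothetical): demands auth on GET, answers HEAD with 500."""
    def do_GET(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="constructed"')
        self.end_headers()
    def do_HEAD(self):
        self.send_response(500)
        self.end_headers()
    def log_message(self, *args):  # silence per-request logging
        pass

def run_demo():
    """Serve FakeServer on a loopback port, probe it, return (statuses, verdict)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeServer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        statuses = probe("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()
    return statuses, classify(*statuses)
```

Calling `run_demo()` returns `((401, 500), ...)` with all three options flagged; pointing `probe` at a real host and port gives the same verdict structure for a server you administer.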