Re: [NSE] jboss-vuln-cve2010-0738.nse

[Tiago Natel de Moura <tiago4orion () gmail com>]

Hi Patrik,

I already knew the script http-method-tamper and I agree with your
opinion to make it more generic. I also liked your idea of putting a
check in the script in a non-intrusive way and exploit the vulnerability
only if the options for reverse shell are present. I can do that and
also add support to exploit using SSL.

About the script:
1 - Ok, I'll modify to use the http headers instead of the product
information. Do you really think a good idea to let this test in action?
This not affect performance of nmap?
2 - Regarding the shell, I think the only safe way to automatically
choose the shell in the script-side is using the nmap version OS
detection (-O). The script already has the "cmd" in the command line if
"-O" is not used. Leave this task to the uploaded java code is also a
good idea.

Thanks for the programming tips, but I usually declare variables at the
beginning because of the influence of ANSI C ;)  I will improve it.

About the sleep, is because after the upload of java, JBoss will deploy
the file in a directory (it will run the steps that are in the variable
in bsh_script) and this can take some seconds depending on server load.

Thanks, I'm glad that the script can be useful.

[]'s
i4k
BugSec Team

On 06/16/2012 05:53 AM, Patrik Karlsson wrote:
> Hi Tiago,
>
> This seems to be a very useful script! Thanks for taking the time to
> write it!
> We do have an existing, more generic, script that checks whether a
> resource could be retrieved using different HTTP methods.
> It defaults to the jmx-console and first tries a GET and then a HEAD.
> The script also provides the possibility to change the path to
> something else to test other servers than jboss for the same
> vulnerability. The name of the script is http-method-tamper.
> I'm not sure what to do here but I suggest the following, but would
> like comments from others before we decide how to procede.
> - We keep the http-method-tamper as a generic way for testing method
> tampering.
> - We extend the http-method-tamper script with spidering capabilities
> and remove the connection it has to jboss.
> - We add code to this new script that allows to do the check in a less
> intrusive manner, in the same way as the http-method-tamper does.
> - The check is default unless the reverse_host and revers_port
> arguments are given, at which point the script does exploitation
>
> Now for some comments on the script;
>
> I would recommend not doing the product checks in the portrule. The
> reason being that those fields are only populated if a version scan
> has been run. My guess is that they are fetched from the http headers
> and it would therefore be better to perform this check within the
> action method. This way the script would always run, regardless if a
> version scan was selected or not and you would be able to bail if you
> detect it not to be the product you expect in the action method. Also,
> I think it might be worth continuing when the product cannot be
> determined as this http header could simply have been removed on valid
> targets.
>
> This also applies for the OS check and determining of the appropriate
> shell to use. Is there another way of doing it, that doesn't require
> the version scan to be run? Ideally it would be determined from a http
> request to the server. An alternative would be allowing the user to
> specify the shell in an argument or in some way automatically try
> both. I guess the Runtime.getRuntime().exec section of the Java code
> could be put in a loop first trying cmd.exe and then /bin/sh and
> testing whether an instance was properly created?
>
> I think it would be a good idea to explain either in the comments of
> the script, or as part of the result, that there is new code deployed
> to the server and where. My reasoning behind this is that if you're
> doing a pentest you would most likely want to inform you client of the
> change to the app server to give them a chance to clean it up.
>
> In general, you should declare parameters when they're used in favor
> of putting them all on top initialized with nil.
> Out of curiosity, what purpose does the sleep(5) call have, except for
> waiting 5 seconds?
>
> Thanks,
> Patrik
> -- 
> Patrik Karlsson
> http://www.cqure.net
> http://twitter.com/nevdull77


-- 

Tiago Natel de Moura
Consultor de Segurança da Informação
http://www.linkedin.com/in/tiagonatel
http://www.secplus.com.br/
http://github.com/tiago4orion
http://code.google.com/p/bugsec
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/