Nmap Development mailing list archives
Re: [NSE] Created NSE script to detect Zimbra 0 day
From: Robin Wood <robin () digininja org>
Date: Thu, 19 Dec 2013 18:33:05 +0000
On 19 Dec 2013 19:10, "Ron" <ron () skullsecurity net> wrote:

It works if I switch out the string.match() with "==". I don't know why, though!

Ron

Does lua have data types like Ruby? You might be comparing the text string to something that displays as a string when printed but is actually an object. Just a guess based on similar "bugs" I've had in Ruby apps.

Robin

On 2013-12-19 11:57, Ron wrote:

It is indeed returning that value. The string.match() doesn't seem to be working, though I don't understand why. If I change the code to this:

    if string.match(escape(detection_session.header['content-type']),
                    "application/x-javascript") then
      stdnse.print_debug(1, "The website may be vulnerable to the Zimbra 0-day.")
      vuln.state = vulns.STATE.EXPLOIT
      return vuln_report:make_output(detection_session.body)
    else
      stdnse.print_debug(1, " \n'" ..
        escape(detection_session.header['content-type']) .. "' !=\n'application/x-javascript'")
      stdnse.print_debug(1, "Bad content-type for the resource : " ..
        detection_session.header['content-type'])
      return
    end

It prints this:

    NSE: GET /zimbra/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
    NSE: 'application/x-javascript' != 'application/x-javascript'

Which makes absolutely no sense. Thoughts?

Ron

On 2013-12-19 18:46, Paul AMAR wrote:

Hi Ron,

First of all, thanks for the feedback. Can you add:

    stdnse.print_debug(1, detection_session.header['content-type'])

? What is the value? For me, the value is: application/x-javascript. So, it's really weird..

Thanks for the feedback.
Paul

2013/12/19 Ron <ron () skullsecurity net>

Actually, I'm not sure if this script will work at all. I ran it against a patched machine and got this:

    NSE: GET /zimbra/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
    NSE: Bad content-type for the resource : application/x-javascript

I don't have a vuln machine to test on anymore, but I can't imagine the content-type is different on a vulnerable host.

Ron

On 2013-12-19 11:34, Ron wrote:

A strategy that might work would be to request a small file (like /dev/null) and a large file (I'm blanking out on what would be best), then check the sizes returned. If the sizes are quite a bit different, that confirms that the host is vulnerable.

The newest version of Zimbra shouldn't be vulnerable, I think they fixed it. The file is still there, and you'll still get a big .gz file, but the file no longer contains the local file.

Ron

On 2013-12-19 09:44, Paul AMAR wrote:

Hi,

@George, thanks for adding the script.

@Ron, I'm thinking about adding gzip support, I guess I might work on this when I'll have time. And you're definitely right, I'll add the choice for the file (as an argument).

Thanks for the feedback ;-)
Paul

2013/12/19 Ron <ron () skullsecurity net>

It'd be cool if you could give the filename to read as an argument (defaulting to the config file)! If Nmap doesn't have gzip support, this would be a *great* reason to add it!

The issue with the script as-is is, once the vuln is patched, it'll keep reporting it's vulnerable, I think, unless they just delete the file. If you try to grab a "bad" file (like /etc/shadow), everything seems to work fine.

Ron

On 2013-12-14 13:14, Paul AMAR wrote:

Hello all,

I developed a NSE script that detects if the host is vulnerable to the Zimbra 0day which has been released a few days (a week) ago (exploit here: http://www.exploit-db.com/exploits/30085/).

The script detects if the file is present (http status code 200) with a good content-type (application/x-javascript) and gives the URL to try it by yourself. Don't hesitate if you have any feedback.

To try this, I had a vulnerable environment with some old VMs running Zimbra.

    ./nmap -p80 --script http-vuln-0-day-lfi-zimbra 192.168.56.101 -d

Regards,
Paul

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
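The string.match() failure discussed in the thread comes from Lua pattern syntax: in a pattern, '-' is a quantifier, not a literal hyphen, so "application/x-javascript" used as a pattern cannot match the header it looks identical to. The block below is an added example in plain Lua, not code from the thread or from the NSE script; EXPECTED, contains_plain, escape_pattern, media_type, is_expected_type and the sample header values are assumptions constructed for illustration.

```lua
-- Added example, not code from the thread or from the NSE script: why
-- string.match() fails on this header and three ways to compare it safely.
-- Plain Lua 5.x; header values are constructed samples.

local EXPECTED = "application/x-javascript"   -- assumed constant name

-- The bug: in a Lua pattern '-' is the lazy "zero or more" quantifier, so
-- "x-javascript" means "any number of x, then javascript" and never matches
-- a literal "x-". The pattern therefore fails on the header itself ...
assert(string.match("application/x-javascript", EXPECTED) == nil)
-- ... yet matches a value that has no hyphen at all.
assert(string.match("application/javascript", EXPECTED) == "application/javascript")

-- Fix A: a plain substring search. string.find's 4th argument switches
-- pattern interpretation off.
local function contains_plain(haystack, needle)
  return string.find(haystack, needle, 1, true) ~= nil
end

-- Fix B: escape every pattern magic character before using a string as a
-- pattern. In the gsub replacement, "%%" is a literal '%' and "%0" the match.
local function escape_pattern(s)
  return (s:gsub("[%^%$%(%)%%%.%[%]%*%+%-%?]", "%%%0"))
end

-- Fix C (preferred for a header check): extract the media type, dropping
-- parameters such as "; charset=UTF-8" and normalising case, then compare
-- with ==. A bare == on the raw header, as in the thread, only works when
-- the server sends the value without parameters.
local function media_type(content_type)
  if type(content_type) ~= "string" then return nil end
  local mt = content_type:match("^%s*([^;%s]+)")
  return mt and mt:lower() or nil
end

local function is_expected_type(content_type)
  return media_type(content_type) == EXPECTED
end

assert(contains_plain("application/x-javascript", EXPECTED))
assert(escape_pattern(EXPECTED) == "application/x%-javascript")
assert(string.match("application/x-javascript", escape_pattern(EXPECTED)) == EXPECTED)
assert(is_expected_type("Application/X-Javascript; charset=UTF-8"))
assert(not is_expected_type("text/html"))
assert(not is_expected_type(nil))   -- a missing header must not raise an error
print("all checks passed")
```

As Ron notes further up the thread, a matching content-type is the same on patched and unpatched hosts, so a correct header comparison only fixes the false negative here; it does not by itself make the check a reliable vulnerability indicator.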
Current thread:
- [NSE] Created NSE script to detect Zimbra 0 day Paul AMAR (Dec 14)
- Re: [NSE] Created NSE script to detect Zimbra 0 day George Chatzisofroniou (Dec 18)
- Re: [NSE] Created NSE script to detect Zimbra 0 day Ron (Dec 18)
- Re: [NSE] Created NSE script to detect Zimbra 0 day Paul AMAR (Dec 19)
- Re: [NSE] Created NSE script to detect Zimbra 0 day Ron (Dec 19)
- Re: [NSE] Created NSE script to detect Zimbra 0 day Ron (Dec 19)
- Re: [NSE] Created NSE script to detect Zimbra 0 day Paul AMAR (Dec 19)
- Re: [NSE] Created NSE script to detect Zimbra 0 day Ron (Dec 19)
- Re: [NSE] Created NSE script to detect Zimbra 0 day Ron (Dec 19)
- Re: [NSE] Created NSE script to detect Zimbra 0 day Daniel Miller (Dec 19)
- Re: [NSE] Created NSE script to detect Zimbra 0 day Robin Wood (Dec 19)
- Re: [NSE] Created NSE script to detect Zimbra 0 day Paul AMAR (Dec 19)
- <Possible follow-ups>
- Re: [NSE] Created NSE script to detect Zimbra 0 day Ron (Dec 19)
- Re: [NSE] Created NSE script to detect Zimbra 0 day Paul AMAR (Dec 20)