Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nmapDuarte Silva <[email protected]>NMAP:HTTP-VULN-CVE2011-3192.NSE
HistoryAug 29, 2011 - 9:42 p.m.

http-vuln-cve2011-3192 NSE Script

2011-08-2921:42:57
Duarte Silva <[email protected]>
nmap.org
1097

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

JSON

Detects a denial of service vulnerability in the way the Apache web server handles requests for multiple overlapping/simple ranges of a page.

References:

See also:

Script Arguments

http-vuln-cve2011-3192.path

Define the request path

http-vuln-cve2011-3192.hostname

Define the host name to be used in the HEAD request sent to the server

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap --script http-vuln-cve2011-3192.nse [--script-args http-vuln-cve2011-3192.hostname=nmap.scanme.org] -pT:80,443 &lt;host&gt;

Script Output

Host script results:
| http-vuln-cve2011-3192:
|   VULNERABLE:
|   Apache byterange filter DoS
|     State: VULNERABLE
|     IDs:  CVE:CVE-2011-3192  BID:49303
|     Description:
|       The Apache web server is vulnerable to a denial of service attack when numerous
|       overlapping byte ranges are requested.
|     Disclosure date: 2011-08-19
|     References:
|       https://seclists.org/fulldisclosure/2011/Aug/175
|       https://www.tenable.com/plugins/nessus/55976
|       https://www.securityfocus.com/bid/49303
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192

Requires

local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local vulns = require "vulns"

description = [[
Detects a denial of service vulnerability in the way the Apache web server
handles requests for multiple overlapping/simple ranges of a page.

References:
* https://seclists.org/fulldisclosure/2011/Aug/175
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
* https://www.tenable.com/plugins/nessus/55976
]]

---
-- @see http-slowloris-check.nse
-- @see http-slowloris.nse
--
-- @usage
-- nmap --script http-vuln-cve2011-3192.nse [--script-args http-vuln-cve2011-3192.hostname=nmap.scanme.org] -pT:80,443 <host>
--
-- @output
-- Host script results:
-- | http-vuln-cve2011-3192:
-- |   VULNERABLE:
-- |   Apache byterange filter DoS
-- |     State: VULNERABLE
-- |     IDs:  CVE:CVE-2011-3192  BID:49303
-- |     Description:
-- |       The Apache web server is vulnerable to a denial of service attack when numerous
-- |       overlapping byte ranges are requested.
-- |     Disclosure date: 2011-08-19
-- |     References:
-- |       https://seclists.org/fulldisclosure/2011/Aug/175
-- |       https://www.tenable.com/plugins/nessus/55976
-- |       https://www.securityfocus.com/bid/49303
-- |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
--
-- @args http-vuln-cve2011-3192.hostname  Define the host name to be used in the HEAD request sent to the server
-- @args http-vuln-cve2011-3192.path  Define the request path

-- changelog
-- 2011-08-29 Duarte Silva <[email protected]>
--   - Removed the "Accept-Encoding" HTTP header
--   - Removed response header printing
--   * Changes based on Henri Doreau and David Fifield suggestions
-- 2011-08-20 Duarte Silva <[email protected]>
--   * First version ;)
-- 2011-11-07 Henri Doreau
--   * Use the vulns library to report results
-----------------------------------------------------------------------

author = "Duarte Silva <[email protected]>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}


portrule =  shortport.http

action = function(host, port)
  local vuln = {
    title = 'Apache byterange filter DoS',
    state = vulns.STATE.NOT_VULN, -- default
    IDS = {CVE = 'CVE-2011-3192', BID = '49303'},
    description = [[
The Apache web server is vulnerable to a denial of service attack when numerous
overlapping byte ranges are requested.]],
    references = {
      'https://seclists.org/fulldisclosure/2011/Aug/175',
      'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192',
      'https://www.tenable.com/plugins/nessus/55976',
    },
    dates = {
      disclosure = {year = '2011', month = '08', day = '19'},
    },
  }
  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
  local hostname, path = stdnse.get_script_args('http-vuln-cve2011-3192.hostname',
    'http-vuln-cve2011-3192.path')

  if not path then
    path = '/'

    stdnse.debug1("Setting the request path to '/' since 'http-vuln-cve2011-3192.path' argument is missing.")
  end

  -- This first request will try to get a code 206 reply from the server by
  -- sending the innocuous header "Range: byte=0-100" in order to detect
  -- whether this functionality is available or not.
  local request_opts = {
    header = {
      Range = "bytes=0-100",
      Connection = "close"
    },
    bypass_cache = true
  }

  if hostname then
    request_opts.header.Host = hostname
  end

  local response = http.head(host, port, path, request_opts)

  if not response.status then
    stdnse.debug1("Functionality check HEAD request failed for %s (with path '%s').", hostname or host.ip, path)
  elseif response.status == 206 then
    -- The server handle range requests. Now try to request 11 ranges (one more
    -- than allowed).
    -- Vulnerable servers will reply with another code 206 response. Patched
    -- ones will return a code 200.
    request_opts.header.Range = "bytes=1-0,0-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10"

    response = http.head(host, port, path, request_opts)

    if not response.status then
      stdnse.debug1("Invalid response from server to the vulnerability check")
    elseif response.status == 206 then
      vuln.state = vulns.STATE.VULN
    else
      stdnse.debug1("Server isn't vulnerable (%i status code)", response.status)
    end
  else
    stdnse.debug1("Server ignores the range header (%i status code)", response.status)
  end
  return vuln_report:make_output(vuln)
end

Related

nmap 199
nmap
nmap
hadoop-namenode-info NSE Script
2011-11-08 16:00:16
broadcast-networker-discover NSE Script
2012-02-25 16:06:30
impress-remote-discover NSE Script
2017-03-04 19:54:56

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.973 High

EPSS

Percentile

99.8%

JSON
Related for NMAP:HTTP-VULN-CVE2011-3192.NSE
nmap199