nmap: CVE-2013-4885: Arbitrary file upload flaw in http-domino-enum-passwords NSE script

Debian Bug report logs - #719289
nmap: CVE-2013-4885: Arbitrary file upload flaw in http-domino-enum-passwords NSE script

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>

To: submit@bugs.debian.org

Subject: nmap: CVE-2013-4885: Arbitrary file upload flaw in http-domino-enum-passwords NSE script

Date: Sat, 10 Aug 2013 11:18:47 +0300

[Message part 1 (text/plain, inline)]

Package: nmap
Version: 6.25-0.2
Severity: important
Tags: security

Advisory: http://seclists.org/fulldisclosure/2013/Aug/67

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.9-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages nmap depends on:
ii  libc6        2.17-92
ii  libgcc1      1:4.8.1-8
ii  liblinear1   1.8+dfsg-1
ii  liblua5.2-0  5.2.2-1
ii  libpcap0.8   1.4.0-2
ii  libpcre3     1:8.31-2
ii  libssl1.0.0  1.0.1e-3
ii  libstdc++6   4.8.1-8
ii  python       2.7.5-3

nmap recommends no packages.

nmap suggests no packages.

-- no debconf information

[signature.asc (application/pgp-signature, inline)]

Message #12 received at 719289@bugs.debian.org (full text, mbox, reply):

From: Hilko Bengen <bengen@debian.org>

To: Henri Salo <henri@nerv.fi>

Cc: 719289@bugs.debian.org

Subject: Re: Bug#719289: nmap: CVE-2013-4885: Arbitrary file upload flaw in http-domino-enum-passwords NSE script

Date: Sat, 10 Aug 2013 10:56:02 +0200

Control: tags -1 patch

* Henri Salo:

> Advisory: http://seclists.org/fulldisclosure/2013/Aug/67

Thank you for spotting this.

The issue has been fixed in r31576 in the upstream SVN repository. The
patch is attached below.

nmap 6.40 is not vulnerable.

Cheers,
-Hilko

r31576 | fyodor | 2013-07-29 08:19:24 +0200 (Mon, 29 Jul 2013) | 13 lines

o [NSE] Oops, there was a vulnerability in one of our 437 NSE scripts.
  If you ran the (fortunately non-default) http-domino-enum-passwords
  script with the (fortunately also non-default)
  domino-enum-passwords.idpath parameter against a malicious server,
  it could cause an arbitrarily named file to to be written to the
  client system.  Thanks to Trustwave researcher Piotr Duszynski for
  discovering and reporting the problem.  We've fixed that script, and
  also updated several other scripts to use a new
  stdnse.filename_escape function for extra safety.  This breaks our
  record of never having a vulnerability in the 16 years that Nmap has
  existed, but that's still a fairly good run. [David, Fyodor]

Index: scripts/http-domino-enum-passwords.nse
===================================================================
--- scripts/http-domino-enum-passwords.nse	(revision 31575)
+++ scripts/http-domino-enum-passwords.nse	(revision 31576)
@@ -315,9 +315,10 @@
 				http_response = http.get( vhost or host, port, u_details.idfile, { auth = { username = user, password = pass }, no_cache = true })	
 
 				if ( http_response.status == 200 ) then
-					local status, err = saveIDFile( ("%s/%s.id"):format(download_path, u_details.fullname), http_response.body )
+					local filename = download_path .. "/" .. stdnse.filename_escape(u_details.fullname .. ".id")
+					local status, err = saveIDFile( filename, http_response.body )
 					if ( status ) then
-						table.insert( id_files, ("%s ID File has been downloaded (%s/%s.id)"):format(u_details.fullname, download_path, u_details.fullname) )
+						table.insert( id_files, ("%s ID File has been downloaded (%s)"):format(u_details.fullname, filename) )
 					else
 						table.insert( id_files, ("%s ID File was not saved (error: %s)"):format(u_details.fullname, err ) )
 					end
Index: scripts/stuxnet-detect.nse
===================================================================
--- scripts/stuxnet-detect.nse	(revision 31575)
+++ scripts/stuxnet-detect.nse	(revision 31576)
@@ -81,7 +81,7 @@
 
 		fmt = save:gsub("%%h", host.ip)
 		fmt = fmt:gsub("%%v", version)
-		file = io.open(fmt, "w")
+		file = io.open(stdnse.filename_escape(fmt), "w")
 		if file then
 			stdnse.print_debug(1, "Wrote %d bytes to file %s.", #result.arguments, fmt)
 			file:write(result.arguments)
Index: scripts/http-config-backup.nse
===================================================================
--- scripts/http-config-backup.nse	(revision 31575)
+++ scripts/http-config-backup.nse	(revision 31576)
@@ -209,7 +209,7 @@
       if (response.status == 200) then
         -- check it if is valid before inserting
         if cfg.check(response.body) then
-          local filename = ((host.targetname or host.ip) .. url_path):gsub("/", "-");
+          local filename = stdnse.escape_filename((host.targetname or host.ip) .. url_path)
 
           -- save the content
           if save then
Index: scripts/hostmap-bfk.nse
===================================================================
--- scripts/hostmap-bfk.nse	(revision 31575)
+++ scripts/hostmap-bfk.nse	(revision 31576)
@@ -68,7 +68,7 @@
 
 local HOSTMAP_SERVER = "www.bfk.de"
 
-local filename_escape, write_file
+local write_file
 
 hostrule = function(host)
   return not ipOps.isPrivate(host.ip)
@@ -106,7 +106,7 @@
 
   local filename_prefix = stdnse.get_script_args("hostmap-bfk.prefix")
   if filename_prefix then
-    local filename = filename_prefix .. filename_escape(host.targetname or host.ip)
+    local filename = filename_prefix .. stdnse.filename_escape(host.targetname or host.ip)
     local status, err = write_file(filename, hostnames_str .. "\n")
     if status then
       output_tab.filename = filename
@@ -118,13 +118,6 @@
   return output_tab
 end
 
--- Escape some potentially unsafe characters in a string meant to be a filename.
-function filename_escape(s)
-  return string.gsub(s, "[\0/=]", function(c)
-    return string.format("=%02X", string.byte(c))
-  end)
-end
-
 function write_file(filename, contents)
   local f, err = io.open(filename, "w")
   if not f then
Index: scripts/domino-enum-users.nse
===================================================================
--- scripts/domino-enum-users.nse	(revision 31575)
+++ scripts/domino-enum-users.nse	(revision 31576)
@@ -103,7 +103,7 @@
 		helper:disconnect()
 		
 		if ( status and data and path ) then
-			local filename = ("%s/%s.id"):format(path, username )
+			local filename = path .. "/" .. stdnse.filename_escape(u_details.fullname .. ".id")
 			local status, err = saveIDFile( filename, data )
 			
 			if ( status ) then
Index: scripts/ms-sql-dump-hashes.nse
===================================================================
--- scripts/ms-sql-dump-hashes.nse	(revision 31575)
+++ scripts/ms-sql-dump-hashes.nse	(revision 31576)
@@ -119,7 +119,7 @@
 				local filename
 				if ( dir ) then
 					local instance = instance:GetName():match("%\\+(.+)$") or instance:GetName()
-					filename = ("%s/%s_%s_ms-sql_hashes.txt"):format(dir, host.ip, instance)
+					filename = dir .. "/" .. stdnse.filename_escape(("%s_%s_ms-sql_hashes.txt"):format(host.ip, instance))
 					saveToFile(filename, instanceOutput[1])
 				end				
 			end
Index: scripts/snmp-ios-config.nse
===================================================================
--- scripts/snmp-ios-config.nse	(revision 31575)
+++ scripts/snmp-ios-config.nse	(revision 31576)
@@ -184,7 +184,7 @@
 			result = ( infile and infile:getContent() )
 			
 			if ( tftproot ) then
-				local fname = tftproot .. host.ip .. "-config"
+				local fname = tftproot .. stdnse.filename_escape(host.ip .. "-config")
 				local file, err = io.open(fname, "w")
 				if ( file ) then
 					file:write(result)
Index: scripts/hostmap-ip2hosts.nse
===================================================================
--- scripts/hostmap-ip2hosts.nse	(revision 31575)
+++ scripts/hostmap-ip2hosts.nse	(revision 31576)
@@ -53,7 +53,7 @@
 local HOSTMAP_BING_SERVER = "www.ip2hosts.com"
 local HOSTMAP_DEFAULT_PROVIDER = "ALL"
 
-local filename_escape, write_file
+local write_file
 
 hostrule = function(host)
   return not ipOps.isPrivate(host.ip)
@@ -99,7 +99,7 @@
   output_tab.hosts = hostnames
   --write to file
   if filename_prefix then
-    local filename = filename_prefix .. filename_escape(host.targetname or host.ip)
+    local filename = filename_prefix .. stdnse.filename_escape(host.targetname or host.ip)
     hostnames_str = stdnse.strjoin("\n", hostnames)
     local status, err = write_file(filename, hostnames_str)
     if status then
@@ -112,13 +112,6 @@
   return output_tab
 end
 
--- Escape some potentially unsafe characters in a string meant to be a filename.
-function filename_escape(s)
-  return string.gsub(s, "[%z/=]", function(c)
-    return string.format("=%02X", string.byte(c))
-  end)
-end
-
 function write_file(filename, contents)
   local f, err = io.open(filename, "w")
   if not f then
Index: CHANGELOG
===================================================================
--- CHANGELOG	(revision 31575)
+++ CHANGELOG	(revision 31576)
@@ -19,6 +19,18 @@
   redirecting all stdin and stdout operations to the socket connection. 
   [Jacek Wielemborek]
 
+o [NSE] Oops, there was a vulnerability in one of our 437 NSE scripts.
+  If you ran the (fortunately non-default) http-domino-enum-passwords
+  script with the (fortunately also non-default)
+  domino-enum-passwords.idpath parameter against a malicious server,
+  it could cause an arbitrarily named file to to be written to the
+  client system.  Thanks to Trustwave researcher Piotr Duszynski for
+  discovering and reporting the problem.  We've fixed that script, and
+  also updated several other scripts to use a new
+  stdnse.filename_escape function for extra safety.  This breaks our
+  record of never having a vulnerability in the 16 years that Nmap has
+  existed, but that's still a fairly good run. [David, Fyodor]
+
 o [NSE] Added teamspeak2-version.nse by Marin Maržić.
 
 o Nmap's routing table is now sorted first by netmask, then by metric.
Index: nselib/stdnse.lua
===================================================================
--- nselib/stdnse.lua	(revision 31575)
+++ nselib/stdnse.lua	(revision 31576)
@@ -1195,4 +1195,36 @@
   return aux(obj, "")
 end
 
+-- This pattern must match the percent sign '%' since it is used in
+-- escaping.
+local FILESYSTEM_UNSAFE = "[^a-zA-Z0-9._-]"
+---
+-- Escape a string to remove bytes and strings that may have meaning to
+-- a filesystem, such as slashes. All bytes are escaped, except for:
+-- * alphabetic <code>a</code>-<code>z</code> and <code>A</code>-<code>Z</code>, digits 0-9, <code>.</code> <code>_</code> <code>-</code>
+-- In addition, the strings <code>"."</code> and <code>".."</code> have
+-- their characters escaped.
+--
+-- Bytes are escaped by a percent sign followed by the two-digit
+-- hexadecimal representation of the byte value.
+-- * <code>filename_escape("filename.ext") --> "filename.ext"</code>
+-- * <code>filename_escape("input/output") --> "input%2foutput"</code>
+-- * <code>filename_escape(".") --> "%2e"</code>
+-- * <code>filename_escape("..") --> "%2e%2e"</code>
+-- This escaping is somewhat like that of JavaScript
+-- <code>encodeURIComponent</code>, except that fewer bytes are
+-- whitelisted, and it works on bytes, not Unicode characters or UTF-16
+-- code points.
+function filename_escape(s)
+  if s == "." then
+    return "%2e"
+  elseif s == ".." then
+    return "%2e%2e"
+  else
+    return (string.gsub(s, FILESYSTEM_UNSAFE, function (c)
+      return string.format("%%%02x", string.byte(c))
+    end))
+  end
+end
+
 return _ENV;

Message #19 received at 719289@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>

To: Hilko Bengen <bengen@debian.org>

Cc: Henri Salo <henri@nerv.fi>, 719289@bugs.debian.org

Subject: Re: Bug#719289: nmap: CVE-2013-4885: Arbitrary file upload flaw in http-domino-enum-passwords NSE script

Date: Mon, 12 Aug 2013 08:02:31 +0200

On Sat, Aug 10, 2013 at 10:56:02AM +0200, Hilko Bengen wrote:
> Control: tags -1 patch
> 
> * Henri Salo:
> 
> > Advisory: http://seclists.org/fulldisclosure/2013/Aug/67
> 
> Thank you for spotting this.
> 
> The issue has been fixed in r31576 in the upstream SVN repository. The
> patch is attached below.
> 
> nmap 6.40 is not vulnerable.

stable is affected, oldstable is not.

The impact is low, this doesn't warrant a DSA. Hilko, can you fix this
in stable through a point update?

http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Cheers,
        Moritz

Message #24 received at 719289@bugs.debian.org (full text, mbox, reply):

From: Hilko Bengen <bengen@debian.org>

To: Moritz Muehlenhoff <jmm@debian.org>

Cc: Hilko Bengen <bengen@debian.org>, Henri Salo <henri@nerv.fi>, 719289@bugs.debian.org

Subject: Re: Bug#719289: nmap: CVE-2013-4885: Arbitrary file upload flaw in http-domino-enum-passwords NSE script

Date: Mon, 12 Aug 2013 17:54:56 +0200

* Moritz Muehlenhoff:

> stable is affected, oldstable is not.
>
> The impact is low, this doesn't warrant a DSA. Hilko, can you fix this
> in stable through a point update?

Will do.

-Hilko

Message #29 received at 719289@bugs.debian.org (full text, mbox, reply):

From: Hilko Bengen <bengen@debian.org>

To: 719289@bugs.debian.org

Subject: Re: Bug#719289: nmap: CVE-2013-4885: Arbitrary file upload flaw in http-domino-enum-passwords NSE script

Date: Mon, 12 Aug 2013 23:45:15 +0200

I have just uploaded 6.40-0.1 to DELAYED/5.

Cheers,
-Hilko

Message #34 received at 719289-close@bugs.debian.org (full text, mbox, reply):

From: Hilko Bengen <bengen@debian.org>

To: 719289-close@bugs.debian.org

Subject: Bug#719289: fixed in nmap 6.00-0.3+deb7u1

Date: Thu, 15 Aug 2013 21:02:28 +0000

Source: nmap
Source-Version: 6.00-0.3+deb7u1

We believe that the bug you reported is fixed in the latest version of
nmap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 719289@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilko Bengen <bengen@debian.org> (supplier of updated nmap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 12 Aug 2013 23:07:29 +0200
Source: nmap
Binary: nmap zenmap
Architecture: source amd64
Version: 6.00-0.3+deb7u1
Distribution: stable
Urgency: high
Maintainer: Hilko Bengen <bengen@debian.org>
Changed-By: Hilko Bengen <bengen@debian.org>
Description: 
 nmap       - The Network Mapper
 zenmap     - The Network Mapper Front End
Closes: 719289
Changes: 
 nmap (6.00-0.3+deb7u1) stable; urgency=high
 .
   * Backport fix for CVE-2013-4885 (remote arbitrary file creation
     vulnerability) from upstream SVN repository, r31576 (Closes: #719289).
     The fix has been implemented by adding a filename_escape() function to
     the stdnse.lua standard library. The following NSE scripts have been
     modified to use it:
 .
     - domino-enum-users.nse
     - hostmap-bfk.nse
     - http-config-backup.nse
     - http-domino-enum-passwords.nse
     - ms-sql-dump-hashes.nse
     - snmp-ios-config.nse
     - stuxnet-detect.nse
Checksums-Sha1: 
 719790fa3954127ceba69838ce8f58e9b9e404f2 1310 nmap_6.00-0.3+deb7u1.dsc
 8911e937b2506c39bd9589c5b1b5e43a3842aebe 28031 nmap_6.00-0.3+deb7u1.diff.gz
 5626fcc5946eb7e7780487845faa881afa941305 3717692 nmap_6.00-0.3+deb7u1_amd64.deb
 3f247224cb7906ef228e108060fc8cad652e66b4 548604 zenmap_6.00-0.3+deb7u1_amd64.deb
Checksums-Sha256: 
 193cc3b832df2506edd82a15783e1dae2e943eaaa411561f0b36a49056249625 1310 nmap_6.00-0.3+deb7u1.dsc
 2593c56198855c183402f5ec6ce60a5fe3459c6f0bcf5bb5c266f141fc27082f 28031 nmap_6.00-0.3+deb7u1.diff.gz
 ddec66359fc9a9d993785a86b8d4f2f065d494cd83f638c413ef115cfd0b29d6 3717692 nmap_6.00-0.3+deb7u1_amd64.deb
 bb5cea0d87280cd2e4fc74b27cd40b76a0f42b4d31957ec211017259325b8cde 548604 zenmap_6.00-0.3+deb7u1_amd64.deb
Files: 
 2ad427934e1bb97211f097217c80a1c5 1310 net extra nmap_6.00-0.3+deb7u1.dsc
 8e5ec61f8a68d8d53ff8cfb2478dce7a 28031 net extra nmap_6.00-0.3+deb7u1.diff.gz
 e64545424da15dec9cc733f31e0eccc0 3717692 net extra nmap_6.00-0.3+deb7u1_amd64.deb
 4d4d85674ada9c25cfd689473783b66b 548604 net extra zenmap_6.00-0.3+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iEYEARECAAYFAlIJVPIACgkQUCgnLz/SlGiMAACfShTct9zw92BJKo322XZxlf9V
ts4An3IRdPiwnAnqqgt5bhjFCRX/NssE
=URj7
-----END PGP SIGNATURE-----

Message #39 received at 719289-close@bugs.debian.org (full text, mbox, reply):

From: Hilko Bengen <bengen@debian.org>

To: 719289-close@bugs.debian.org

Subject: Bug#719289: fixed in nmap 6.40-0.1

Date: Sat, 17 Aug 2013 21:21:43 +0000

Source: nmap
Source-Version: 6.40-0.1

We believe that the bug you reported is fixed in the latest version of
nmap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 719289@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilko Bengen <bengen@debian.org> (supplier of updated nmap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 12 Aug 2013 21:36:10 +0200
Source: nmap
Binary: nmap zenmap
Architecture: source all amd64
Version: 6.40-0.1
Distribution: unstable
Urgency: low
Maintainer: Hilko Bengen <bengen@debian.org>
Changed-By: Hilko Bengen <bengen@debian.org>
Description: 
 nmap       - The Network Mapper
 zenmap     - The Network Mapper Front End
Closes: 719289
Changes: 
 nmap (6.40-0.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * New upstream version
     - Contains fix for CVE-2013-4885 (Closes:  #719289)
Checksums-Sha1: 
 3e540dcf90968bb38bffe9a7cdcd7362cb5affb1 1283 nmap_6.40-0.1.dsc
 284d4819dd4523054fba9d2c5d8545bc28247c9d 9638479 nmap_6.40.orig.tar.gz
 a2238ecf9138d3c6d06230550113b2e34146c5f5 13747 nmap_6.40-0.1.diff.gz
 68e58756b1fcca82cae86a2973414cf80c73b48a 662644 zenmap_6.40-0.1_all.deb
 5320f9cd03cfaf3a3509bbafebc2fd6f5eb8ef7b 4048986 nmap_6.40-0.1_amd64.deb
Checksums-Sha256: 
 b93dd47c3d0c48893152b3a940a78e5ef82d389042a86c7e32f42398a1d98b28 1283 nmap_6.40-0.1.dsc
 ceb8bfd138006719443689787d71b3323b126491f6abda1d0a0d7f3d4f037b4b 9638479 nmap_6.40.orig.tar.gz
 996570837b57c35096e39d8c4aef01e5023f5fcf36f7e6653dd74f8de1d96337 13747 nmap_6.40-0.1.diff.gz
 66f6019a2907ade23f67c7e9b3aa9e7683bfbc42e651be8a69703cbdae0bda46 662644 zenmap_6.40-0.1_all.deb
 45a7197619e6a8a32604849f38cc9c3fb6349bdfe790eaea665bf9aec664c5fc 4048986 nmap_6.40-0.1_amd64.deb
Files: 
 2705756ca87307eaf95405d6bcd87b3a 1283 net extra nmap_6.40-0.1.dsc
 df4a22c283574ff970b60e822661e286 9638479 net extra nmap_6.40.orig.tar.gz
 40a23ef50ab839b111d93e8701abdb2c 13747 net extra nmap_6.40-0.1.diff.gz
 97cea4cd608a8e25f33bea6c0f804f65 662644 net extra zenmap_6.40-0.1_all.deb
 65447e2e34fa46c3121752d35857aafe 4048986 net extra nmap_6.40-0.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iEYEARECAAYFAlIJTHUACgkQUCgnLz/SlGiA/QCfTUHgulZ3eUepw+Sz0IQt/ye5
5YQAn0fbFyzhlT+mGv1bqGIp5t2G70Cu
=4K/J
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.