Added check and response for CVE-2017-12149 in jboss_vulnscan.rb #10352
I know it's an issue with the original module rather than your update; however, rather than wrapping everything in a conditional like this:

```ruby
def check_app(app)
  res = send_request_cgi({
    'uri'    => app,
    'method' => 'GET',
    'ctype'  => 'text/plain'
  })
  if res
    case
    when res.code == 200
      print_good("#{rhost}:#{rport} #{app} does not require authentication (200)")
    when res.code == 403
      print_status("#{rhost}:#{rport} #{app} restricted (403)")
    when res.code == 401
      print_status("#{rhost}:#{rport} #{app} requires authentication (401): #{res.headers['WWW-Authenticate']}")
      bypass_auth(app)
      basic_auth_default_creds(app)
    when res.code == 404
      print_status("#{rhost}:#{rport} #{app} not found (404)")
    when res.code == 301, res.code == 302
      print_status("#{rhost}:#{rport} #{app} is redirected (#{res.code}) to #{res.headers['Location']} (not following)")
    else
      if res.code == 500 && app == "/invoker/readonly"
        print_good("#{rhost}:#{rport} #{app} responded (#{res.code})")
      end
      print_status("#{rhost}:#{rport} Don't know how to handle response code #{res.code}")
    end
  else
    print_status("#{rhost}:#{rport} #{app} not found")
  end
end
```

This is better:

```ruby
def check_app(app)
  res = send_request_cgi({
    'uri'    => app,
    'method' => 'GET',
    'ctype'  => 'text/plain'
  })
  unless res
    print_status("#{rhost}:#{rport} #{app} not found")
    return
  end
  case
  when res.code == 200
    print_good("#{rhost}:#{rport} #{app} does not require authentication (200)")
  when res.code == 403
    print_status("#{rhost}:#{rport} #{app} restricted (403)")
  when res.code == 401
    print_status("#{rhost}:#{rport} #{app} requires authentication (401): #{res.headers['WWW-Authenticate']}")
    bypass_auth(app)
    basic_auth_default_creds(app)
  when res.code == 404
    print_status("#{rhost}:#{rport} #{app} not found (404)")
  when res.code == 301, res.code == 302
    print_status("#{rhost}:#{rport} #{app} is redirected (#{res.code}) to #{res.headers['Location']} (not following)")
  else
    if res.code == 500 && app == "/invoker/readonly"
      print_good("#{rhost}:#{rport} #{app} responded (#{res.code})")
    end
    print_status("#{rhost}:#{rport} Don't know how to handle response code #{res.code}")
  end
end
```
… branch. (as per the suggestion by bcoles)

Thanks for taking the time for the code improvement suggestions. They are now implemented.

Fixed a paste error, or a sneaked-in character in the app URL.
I tested the changes on versions 5.2 and 7.1. Here's the output for the instances:
Release Notes

This adds an additional vulnerability check to the jboss_vulnscan auxiliary module. The module now checks for a deserialization RCE vulnerability referenced in CVE-2017-12149.
This change adds an additional vulnerability check to auxiliary/scanner/http/jboss_vulnscan
The addition was a check for CVE-2017-12149, a deserialization RCE vulnerability in Red Hat JBoss EAP 5.
Changes made:

- Added the URL to check
- print_good() in case the URL is accessible
Verification

List the steps needed to make sure this thing works

- `msfconsole`
- `use auxiliary/scanner/http/jboss_vulnscan`
- `[+] 192.168.0.244:8080 /invoker/readonly responded (500)` is displayed
- `[*] 192.168.0.244:8080 /invoker/readonly not found (404)` is displayed
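As an added illustration (not code from this PR or from the jboss_vulnscan module), the module's response handling pulled out into a pure function so the new /invoker/readonly rule and the early-return structure can be exercised offline; `Response` is an assumed stand-in for the object `send_request_cgi` returns, and the auth-bypass calls on the 401 path are left out.

```ruby
# Added example, not code from the PR or the jboss_vulnscan module: the module's
# response handling as a pure function so it can be exercised without a live
# JBoss host. Response is an assumed stand-in for the object send_request_cgi
# returns (only code and headers are used); nil models a failed request.
Response = Struct.new(:code, :headers)

# Path whose 500 response the PR treats as a positive CVE-2017-12149 indicator.
READONLY_INVOKER = '/invoker/readonly'.freeze

# Returns an array of [severity, message] pairs in the order the module would
# print them; :good corresponds to print_good, :status to print_status.
def classify_app_response(rhost, rport, app, res)
  target = "#{rhost}:#{rport} #{app}"
  # Early return instead of wrapping the whole body in `if res`, as suggested above.
  return [[:status, "#{target} not found"]] unless res

  case res.code
  when 200
    [[:good, "#{target} does not require authentication (200)"]]
  when 403
    [[:status, "#{target} restricted (403)"]]
  when 401
    [[:status, "#{target} requires authentication (401): #{res.headers['WWW-Authenticate']}"]]
  when 404
    [[:status, "#{target} not found (404)"]]
  when 301, 302
    [[:status, "#{target} is redirected (#{res.code}) to #{res.headers['Location']} (not following)"]]
  else
    out = []
    # The check added by the PR: a 500 from /invoker/readonly is reported as a finding.
    out << [:good, "#{target} responded (#{res.code})"] if res.code == 500 && app == READONLY_INVOKER
    out << [:status, "#{rhost}:#{rport} Don't know how to handle response code #{res.code}"]
  end
end

# Constructed sample responses (no network involved) for a quick run.
if __FILE__ == $PROGRAM_NAME
  samples = {
    '/invoker/readonly' => Response.new(500, {}),
    '/jmx-console'      => Response.new(401, { 'WWW-Authenticate' => 'Basic realm="JBoss"' }),
    '/web-console'      => nil
  }
  samples.each do |app, res|
    classify_app_response('192.168.0.244', 8080, app, res).each do |sev, msg|
      puts "#{sev == :good ? '[+]' : '[*]'} #{msg}"
    end
  end
end
```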