#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration branch: when the engine loads the plugin with `description`
# set, only the metadata below is recorded and the script exits before any
# check against the target is made.
if (description)
{
  # --- Identity and cross-references ---
  script_id(68929);
  script_version("1.9");
  script_cvs_date("Date: 2018/11/15 20:50:26");

  script_cve_id("CVE-2013-3349");
  script_bugtraq_id(61039);

  script_name(english:"Adobe ColdFusion 9/9.0.1/9.0.2 On JRun DoS (APSB13-19) (credentialed check)");
  script_summary(english:"Checks for hotfix");

  # --- Finding text shown to the operator ---
  # The quoted values span several source lines; their continuation lines
  # stay at column 0 so that the reported text is unchanged.
  script_set_attribute(attribute:"synopsis", value:
"A web-based application running on the remote Windows host is affected
by a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is running a version of ColdFusion that is
affected by an unspecified denial of service vulnerability. A remote
attacker can exploit this without authentication.");
  script_set_attribute(attribute:"see_also", value:"https://www.adobe.com/support/security/bulletins/apsb13-19.html");
  script_set_attribute(attribute:"solution", value:"Apply the relevant hotfix referenced in Adobe advisory APSB13-19.");

  # --- Risk scoring ---
  # CVSS v2 base: network vector, low complexity, no authentication,
  # availability impact only (partial).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # --- Timeline ---
  script_set_attribute(attribute:"vuln_publication_date", value:"2013/07/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/07/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/17");

  # --- Classification ---
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:coldfusion");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");

  # --- Scheduling prerequisites ---
  # Depends on the local ColdFusion detection plugin having stored at least
  # one instance in the KB, and on an SMB port being declared for the host.
  script_dependencies("coldfusion_win_local_detect.nasl");
  script_require_keys("SMB/coldfusion/instance");
  script_require_ports(139, 445);

  exit(0);
}
include("audit.inc");
include("coldfusion_win.inc");
include("global_settings.inc");
include("misc_func.inc");
include("smb_func.inc");
include("smb_hotfixes_fcheck.inc");
include("byte_func.inc");
include("bsal.inc");
include("zip.inc");
##
# Checks whether the JRun hotfix jar from APSB13-19 is missing or unpatched
# under a given installation root.
#
# @anonparam cfroot root directory to inspect (the caller in this script
#                   passes jrun_home for Multiserver instances)
# @param type instance type; "Multiserver" selects servers\lib\ under the
#             root, any other value (or NULL) selects runtime\servers\lib\
# @return plugin output if Nessus believes the hotfix is missing,
#         NULL otherwise
#
# NOTE(review): NULL is also returned when the share holding the jar cannot
# be connected, so "could not check" and "hotfix present" look the same to
# the caller. That is a possible false negative; confirm it is intended.
##
function _check_hotfix(type)
{
  local_var root_dir, lib_dir, hotfix_jar, hotfix_path, smb_share, connected, jar_fh, class_data, output;

  root_dir = _FCT_ANON_ARGS[0];
  output = NULL;

  # Normalise the root so that sub-paths can simply be appended.
  if (root_dir[strlen(root_dir) - 1] != "\")
    root_dir += "\";

  # The hotfix library directory depends on the deployment type.
  if (isnull(type) || type != "Multiserver")
    lib_dir = root_dir + "runtime\servers\lib\";
  else
    lib_dir = root_dir + "servers\lib\";

  hotfix_jar = "jrun-hotfix-3329722.jar";
  hotfix_path = lib_dir + hotfix_jar;

  # Connect to the share that holds the jar, using the credentials
  # stored in the KB for this scan.
  smb_share = hotfix_path2share(path:hotfix_path);
  connected = NetUseAdd(login:kb_smb_login(), password:kb_smb_password(), domain:kb_smb_domain(), share:smb_share);
  if (connected != 1)
  {
    # Nothing could be read; see the review note in the header about how
    # this result is interpreted by the caller.
    NetUseDel(close:FALSE);
    return NULL;
  }

  jar_fh = CreateFile(
    file:substr(hotfix_path, 2), # drop the leading drive (e.g. "C:") from the path
    desired_access:GENERIC_READ,
    file_attributes:FILE_ATTRIBUTE_NORMAL,
    share_mode:FILE_SHARE_READ,
    create_disposition:OPEN_EXISTING
  );

  # A jar that cannot be opened is reported as a missing hotfix.
  # NOTE(review): presumably any open failure (not only "file not found")
  # ends up here, which could over-report; confirm against CreateFile.
  if (isnull(jar_fh))
  {
    output =
      '\n Update directory : ' + lib_dir +
      '\n Missing hotfix : ' + hotfix_jar + '\n';
    NetUseDel(close:FALSE);
    return output;
  }

  class_data = zip_parse(smb:jar_fh, 'jrun/servlet/JRunResponse.class');
  CloseFile(handle:jar_fh);

  # The hotfix added a writeError method to JRunResponse.class, so the
  # absence of that name in the extracted class marks the jar as unpatched.
  # NOTE(review): if zip_parse yields nothing for the entry, this test
  # presumably also reports the jar as unpatched; confirm.
  if ('writeError' >!< class_data)
  {
    output =
      '\nThe following file was found, but does not appear to contain' +
      '\nthe hotfix provided in Adobe bulletin APSB13-19 :\n\n' +
      hotfix_path + '\n';
  }

  NetUseDel(close:FALSE);
  return output;
}
# Affected ColdFusion releases; the lookup exits the plugin on its own
# if it fails.
versions = make_list('9.0.0', '9.0.1', '9.0.2');
instances = get_coldfusion_instances(versions);

# Accumulators: `info` holds the result for one instance, `report` the
# combined output for every instance that looks unpatched.
report = NULL;
info = NULL;

# The hotfix jar is read over SMB, so a session to the host is required.
port = kb_smb_transport();
if (!smb_session_init())
  audit(AUDIT_FN_FAIL, 'smb_session_init');

foreach name (keys(instances))
{
  # Both KB entries are expected to exist for every detected instance;
  # an instance with either one missing is skipped without being reported.
  cfroot = get_kb_item('SMB/coldfusion/' + name + '/cfroot');
  if (isnull(cfroot)) continue;

  type = get_kb_item('SMB/coldfusion/' + name + '/type');
  if (isnull(type)) continue;

  # Multiserver deployments keep the hotfix under the JRun home rather
  # than under the ColdFusion root.
  if (type == "Multiserver")
  {
    jrun_home = get_kb_item('SMB/coldfusion/' + name + '/jrun_home');
    if (isnull(jrun_home)) continue;
    hotfix_root = jrun_home;
  }
  else
    hotfix_root = cfroot;

  info = _check_hotfix(hotfix_root, type:type);

  # NULL is treated as "hotfix present".
  # NOTE(review): _check_hotfix also returns NULL when it cannot connect
  # to the share, so an unreadable instance is counted as patched here.
  if (isnull(info)) continue;

  report += info;
}

NetUseDel();

if (isnull(report))
  exit(0, "No vulnerable instances of Adobe ColdFusion were detected.");

# Attach the per-instance details only when the scan asks for verbose output.
if (report_verbosity > 0)
  security_warning(port:port, extra:report);
else
  security_warning(port);