Status: Open. tarunKoyalwar opened this issue 3 months ago.
Looks like we can already achieve this using the dsl helper function, but for some reason this doesn't work:
```yaml
id: CVE-2015-2080

info:
  name: Eclipse Jetty <9.2.9.v20150224 - Sensitive Information Leakage
  author: pikpikcu
  severity: high
  description: Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header.
  remediation: |
    Upgrade to a version of Eclipse Jetty that is higher than 9.2.9.v20150224 to mitigate this vulnerability.
  reference:
    - https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md
    - https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
    - http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html
    - https://nvd.nist.gov/vuln/detail/CVE-2015-2080
    - http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2015-2080
    cwe-id: CWE-200
    epss-score: 0.95465
    epss-percentile: 0.99329
    cpe: cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: fedoraproject
    product: fedora
  tags: cve2015,cve,jetty,packetstorm,fedoraproject

http:
  - raw:
      - |+
        POST / HTTP/1.1
        Host: {{Hostname}}
        Referer: {{hex_decode("00")}}
        Connection: close

    matchers-condition: and
    unsafe: true
    matchers:
      - type: word
        part: body
        words:
          - "Illegal character 0x0 in state"

      - type: status
        status:
          - 400
```
```
nuclei -t a.yaml -u http://localhost:8080 -debug -v

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.8

                projectdiscovery.io

[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.2.8 (latest)
[INF] Current nuclei-templates version: v9.8.7 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 62
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [CVE-2015-2080] Dumped HTTP request for http://localhost:8080/

POST / HTTP/1.1
Host: localhost:8080
Referer: 
Connection: close

[VER] [CVE-2015-2080] Sent HTTP request to http://localhost:8080/
[DBG] [CVE-2015-2080] Dumped HTTP response http://localhost:8080/

HTTP/1.1 400 Illegal character 0x0
Connection: close
Server: Jetty(9.2.30.v20200428)
Content-Length: 0

[INF] No results found. Better luck next time!
```
```yaml
id: CVE-2015-2080

info:
  name: Eclipse Jetty <9.2.9.v20150224 - Sensitive Information Leakage
  author: pikpikcu
  severity: high
  description: Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header.
  remediation: |
    Upgrade to a version of Eclipse Jetty that is higher than 9.2.9.v20150224 to mitigate this vulnerability.
  reference:
    - https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md
    - https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
    - http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html
    - https://nvd.nist.gov/vuln/detail/CVE-2015-2080
    - http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2015-2080
    cwe-id: CWE-200
    epss-score: 0.95465
    epss-percentile: 0.99329
    cpe: cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: fedoraproject
    product: fedora
  tags: cve2015,cve,jetty,packetstorm,fedoraproject

javascript:
  - code: |
      let m = require('nuclei/net');
      let address = Host + ':' + Port;
      let conn = m.Open('tcp', address);
      conn.Send('GET / HTTP/1.1\r\nHost: ' + address + '\r\n');
      conn.Send('Referer: ');
      conn.SendHex('00'); // null byte
      conn.Send('\r\nConnection: close\r\n\r\n');
      resp = conn.RecvString();

    args:
      Host: "{{Host}}"
      Port: '8080' # hardcoded port

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'contains(response, "Illegal character 0x0 in state")'
          - 'contains(response, "HTTP/1.1 400")'

    extractors:
      - type: dsl
        dsl:
          - response
```
```
nuclei -t b.yaml -u http://localhost:8080 -debug -v

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.2.8

                projectdiscovery.io

[VER] Started metrics server at localhost:9092
[INF] Current nuclei version: v3.2.8 (latest)
[INF] Current nuclei-templates version: v9.8.7 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 62
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[VER] [CVE-2015-2080] Sent Javascript request to localhost:8080
[DBG] [CVE-2015-2080] Dumped Javascript request for localhost:8080:
Variables:
  1. Host => localhost
  2. Port => 8080 address=localhost:8080
[DBG] [CVE-2015-2080] Javascript Code:
let m = require('nuclei/net');
let address = Host + ':' + Port;
let conn = m.Open('tcp', address);
conn.Send('GET / HTTP/1.1\r\nHost: ' + address + '\r\n');
conn.Send('Referer: ');
conn.SendHex('00'); // null byte
conn.Send('\r\nConnection: close\r\n\r\n');
resp = conn.RecvString();
[DBG] [CVE-2015-2080] Dumped Javascript response for localhost:8080:
  1. response => HTTP/1.1 400 Illegal char .... tty(9.2.30.v20200428)
  2. success => true address=localhost:8080
[CVE-2015-2080:dsl-1] [javascript] [high] localhost:8080 ["HTTP/1.1 400 Illegal character 0x0\r\nContent-Length: 0\r\nConnection: close\r\nServer: Jetty(9.2.30.v20200428)"]
```
cc: @ehsandeep
Nuclei version:

main | latest

Current Behavior:

The template https://cloud.projectdiscovery.io/public/CVE-2015-2080 is not working because the null byte in hex-encoded format (`\x00`) is being treated as a string instead of an actual null byte. This seems to be happening with both simple http and raw http requests. While one way to fix this is to write the template in javascript, it introduces another set of challenges, i.e. we should add a utility to interpret hex-encoded data in strings.

Expected Behavior:

working template

Steps To Reproduce:

Anything else:
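As an added example (not the page's template and not nuclei's own code), the following Python client builds the same probe request with a real NUL byte in the Referer header and applies the template's two matchers (status 400 and the "Illegal character 0x0 in state" phrase) to the raw response. It also shows the failure mode this issue is about: passing the four printable characters `\x00` instead of the single byte 0x00. The sample responses are constructed: the patched one is copied from the debug dump above (Jetty 9.2.30), while the vulnerable one reproduces only the "in state" phrase that the template's word matcher looks for, not Jetty's full error text. `probe()` needs a live server and is not exercised offline.

```python
import socket

MARKER = b"Illegal character 0x0 in state"   # phrase the nuclei template matches on

# Constructed sample: the reply from the patched Jetty 9.2.30 in the dump above.
PATCHED_RESPONSE = (
    b"HTTP/1.1 400 Illegal character 0x0\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n"
    b"Server: Jetty(9.2.30.v20200428)\r\n"
    b"\r\n"
)

# Constructed sample (assumption): an unpatched server echoes the parser state
# in the reason phrase. Only the marker phrase is reproduced, nothing else.
VULNERABLE_RESPONSE = (
    b"HTTP/1.1 400 Illegal character 0x0 in state=HEADER_IN_VALUE\r\n"
    b"Connection: close\r\n"
    b"Server: Jetty(9.2.8)\r\n"
    b"\r\n"
)


def build_probe(host_header: str, referer: bytes) -> bytes:
    """Build the raw request the template sends, as bytes.

    `referer` is bytes on purpose: b"\\x00" is one NUL byte, whereas the
    four-character string "\\x00" (what the issue reports nuclei sending) is
    backslash, 'x', '0', '0' and never triggers the parser error.
    """
    return (
        b"POST / HTTP/1.1\r\n"
        b"Host: " + host_header.encode("ascii") + b"\r\n"
        b"Referer: " + referer + b"\r\n"
        b"Connection: close\r\n"
        b"\r\n"
    )


def classify(response: bytes) -> str:
    """Apply the template's matchers: status 400 AND the marker phrase.

    In the dump on this page the body is empty (Content-Length: 0) and the
    error text lives in the reason phrase, so both the status line and the
    rest of the response are searched for the marker.
    """
    status_line, _, rest = response.partition(b"\r\n")
    parts = status_line.split(b" ", 2)
    if len(parts) < 3 or not parts[0].startswith(b"HTTP/"):
        return "not-http"
    code, reason = parts[1], parts[2]
    if code != b"400":
        return "no-400"
    if MARKER in reason or MARKER in rest:
        return "vulnerable"
    if b"Illegal character 0x0" in reason:
        return "patched"   # parser rejected the NUL but leaked no state
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Send the NUL-byte probe over a raw socket and return the full reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(f"{host}:{port}", b"\x00"))
        chunks = []
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    import sys
    target_host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    reply = probe(target_host, target_port)
    print(reply.split(b"\r\n", 1)[0].decode("latin-1"), "=>", classify(reply))
```

Run it as `python3 jetleak_probe.py localhost 8080` against the same Jetty instance as in the dumps above; a patched server classifies as `patched`, which is the result the nuclei raw-request run on this page should also have produced had the NUL byte been sent.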