[Plugins-writers] prado_viewstate.nasl - test for PRADO viewstate vulnerability

From: Hubert Seiwert (hubert@private)
Date: Fri May 06 2005 - 10:00:11 PDT


Hi,

I've written a test for the VIEWSTATE vulnerability reported in the PRADO Component Framework (http://www.xisc.com/forum/viewtopic.php?t=1477, http://secunia.com/advisories/15220/).

The script first of all tries to confirm that the site being checked was generated by PRADO by looking for the hidden __VIEWSTATE form control. It then does a POST containing a VIEWSTATE with an invalid HMAC. Patched Prado versions (2.0.1+) will reject this with a "ViewState data is corrupted" error, whereas vulnerable versions (which do not use any HMAC verification) will report an unserialize() error.

Does anybody have any suggestions as to how this script and others like it could be applied against pages other than the server root, that is to other pages found while spidering the server?

Any comments are welcome...

Regards,

Hubert Seiwert, Internet Security Specialist
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031


#
# Script to detect PRADO 2.0.0 and below VIEWSTATE vulnerability
# by Hubert Seiwert, hubert_at_westpoint.ltd.uk
# www.westpoint.ltd.uk
#

if(description)
{
 script_id(90910);
 
 name["english"] = "PRADO component framework VIEWSTATE vulnerability";

 script_name(english:name["english"]);

 desc["english"] = "Script to detect PRADO 2.0.0 and below VIEWSTATE vulnerability";

 script_description(english:desc["english"]);

 # Summary
 summary["english"] =

"Tests for improper handling of the VIEWSTATE form
variable (no HMAC verification) in PRADO 2.0.0 and
below, which may be exploitable for arbitrary code
execution";

 script_summary(english:summary["english"]);

 # Category
 script_category(ACT_MIXED_ATTACK);

 # Family
 family["english"] = "CGI abuses";
 script_family(english:family["english"]);

 # Copyright
 script_copyright(english:"This script is Copyright (C) 2005 Westpoint");

 script_require_ports("Services/www", 80);
 exit(0);
}

debug_level = 1;

include("http_func.inc");
include("http_keepalive.inc");
port = get_http_port(default:80);

url = '/';

# Alternative targets used while developing the check:
#url = '/prado200/examples/helloworld.php';
#url = '/prado201/examples/phonebook.php';
#url = '/prado201/examples/blog.php';
#url = '/prado200/examples/wizard.php';
#url = '/prado200/examples/hangman.php';

# Step 1: fetch the page and look for the hidden __VIEWSTATE control
# that PRADO-generated pages carry.
req = http_get(port:port, item:url);
get_response = http_keepalive_send_recv(port:port, data:req);
if (isnull(get_response)) exit(0);

if (egrep(pattern:'input type="hidden" name="__VIEWSTATE"', string:get_response))
{
 if (debug_level) display("Found page possibly generated by PRADO\n");

 # Step 2: POST a multipart form whose __VIEWSTATE field carries an
 # invalid HMAC, then classify the server's reaction.
 data = string(
 "POST ",url," HTTP/1.0\r\n",
 "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.7.7) Gecko/20050414 Firefox/1.0.3\r\n",
 "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n",
 "Referer: http://risk/prado201/examples/hangman.php\r\n",
 "Content-Type: multipart/form-data; boundary=---------------------------97582422118588\r\n",
 "Content-length: 840\r\n",
 "Connection: Keepalive\r\n",
 "\r\n",
 "-----------------------------97582422118588\r\n",
 'Content-Disposition: form-data; name="__VIEWSTATE"',"\n\n",
 "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"
 );

 post_response = http_keepalive_send_recv(port:port, data:data);
 if (isnull(post_response)) exit(0);

 if (debug_level) display("---Sent form post:\n", data);
 if (debug_level) display("---Response:\n", post_response);

 # Unpatched PRADO (2.0.0 and below) hands the unverified data straight to
 # unserialize(), so an error from that call appears in the response.
 # The parentheses are escaped so egrep matches the literal call name
 # rather than treating "()" as an empty group.
 if (egrep(pattern:"unserialize\(\)", string:post_response))
 {
  if (debug_level) display("\nVulnerable PRADO found!\n");
  security_hole(port);
 }

 # Patched PRADO (2.0.1+) checks the HMAC first and rejects the data.
 if (egrep(pattern:"Exception: ViewState data is corrupted\.", string:post_response))
 {
  if (debug_level) display("\nPatched PRADO (probably 2.0.1+) found, not vulnerable\n");
 }
}
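The fix the post describes for 2.0.1+ is that the server authenticates the viewstate blob with an HMAC and refuses to deserialize anything whose tag does not verify. The following is an added illustration of that pattern and is not code from the post or from PRADO; the function names, the SHA-256 tag, the JSON encoding and the key are all assumptions chosen for the example. Verification happens on the raw bytes, with a constant-time comparison, before any parsing of the payload, so a tampered or unsigned blob is rejected with a "corrupted" error rather than reaching the deserializer.

```python
import base64
import hashlib
import hmac
import json

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag


class ViewStateCorrupted(Exception):
    """Raised when the MAC check fails; the payload is never deserialized."""


def encode_viewstate(state: dict, key: bytes) -> str:
    """Serialize page state and prepend an HMAC over the serialized bytes.

    JSON is used deliberately: it is a data-only format, unlike PHP's
    serialize()/unserialize(), which can instantiate arbitrary classes.
    """
    body = json.dumps(state, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(tag + body).decode("ascii")


def decode_viewstate(token: str, key: bytes) -> dict:
    """Verify the HMAC first; only then parse the body."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ViewStateCorrupted("ViewState data is corrupted") from exc
    if len(raw) < TAG_LEN:
        raise ViewStateCorrupted("ViewState data is corrupted")
    tag, body = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # compare_digest avoids leaking the position of the first mismatch
    if not hmac.compare_digest(tag, expected):
        raise ViewStateCorrupted("ViewState data is corrupted")
    return json.loads(body.decode("utf-8"))


def is_rejected(token: str, key: bytes) -> bool:
    """True if the server-side check refuses the token."""
    try:
        decode_viewstate(token, key)
    except ViewStateCorrupted:
        return True
    return False


def tamper_body(token: str, old: bytes, new: bytes) -> str:
    """Edit the serialized body while keeping the original tag (test helper)."""
    raw = base64.b64decode(token)
    tag, body = raw[:TAG_LEN], raw[TAG_LEN:]
    return base64.b64encode(tag + body.replace(old, new)).decode("ascii")


# Constructed sample: a server-side key and the state of one page.
KEY = b"constructed-example-key"
STATE = {"page": "hangman", "guesses": 3}
TOKEN = encode_viewstate(STATE, KEY)

if __name__ == "__main__":
    print("round trip:", decode_viewstate(TOKEN, KEY))
    print("tampered rejected:", is_rejected(tamper_body(TOKEN, b'"guesses":3', b'"guesses":9'), KEY))
    print("unsigned blob rejected:", is_rejected(base64.b64encode(b'{"page":"x"}').decode(), KEY))
```

The order of operations is the whole point: a deserializer that runs before the MAC check, as in the 2.0.0 behaviour the post tests for, exposes the parser to attacker-controlled input regardless of how good the MAC is.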



_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers


