Nmap afp-path-vuln NSE Script


This page contains detailed information about how to use the afp-path-vuln NSE script. For a list of all NSE scripts, visit the Nmap NSE Library.

Script Overview


Script source code: https://github.com/nmap/nmap/tree/master/scripts/afp-path-vuln.nse
Script categories: exploit, intrusive, vuln
Target service / protocol: tcp
Target network port(s): 548
List of CVEs: CVE-2010-0533

Script Description


The afp-path-vuln.nse script detects the Mac OS X AFP directory traversal vulnerability, CVE-2010-0533.

This script attempts to iterate over all AFP shares on the remote host. For each share it attempts to access the parent directory by exploiting the directory traversal vulnerability as described in CVE-2010-0533.

The script reports whether the system is vulnerable or not. In addition, it lists the contents of the parent and child directories to a max depth of 2. In verbose mode, all items in the listed directories are shown. In non-verbose mode, output is limited to the first 5 items. If the server is not vulnerable, the script will not return any information.

Afp-path-vuln NSE Script Arguments


This is a full list of arguments supported by the afp-path-vuln.nse script:

afp.password

The password to use for authentication.

afp.username

The username to use for authentication.

vulns.short

If set, vulnerabilities will be output in short format, a single line consisting of the host's target name or IP, the state, and either the CVE ID or the title of the vulnerability. Does not affect XML output.

vulns.showall

If set, the library will show and report all the registered vulnerabilities, including the NOT VULNERABLE ones. By default the library only reports the VULNERABLE entries: VULNERABLE, LIKELY VULNERABLE, VULNERABLE (DoS) and VULNERABLE (Exploitable). This argument affects the following functions:

  • vulns.Report.make_output(): the default output function for portrule/hostrule scripts.
  • vulns.make_output(): the default output function for postrule scripts.
  • vulns.format_vuln() and vulns.format_vuln_table() functions.

To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..] syntax. For example:

nmap --script=afp-path-vuln --script-args afp.password=value,afp.username=value <target>

Afp-path-vuln NSE Script Example Usage


Here's an example of how to use the afp-path-vuln.nse script:

nmap --script=afp-path-vuln <target>

Afp-path-vuln NSE Script Example Output


Here's a sample output from the afp-path-vuln.nse script:

PORT    STATE SERVICE
548/tcp open  afp
| afp-path-vuln:
|   VULNERABLE:
|   Apple Mac OS X AFP server directory traversal
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2010-0533
|     Risk factor: High  CVSSv2: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
|     Description:
|       Directory traversal vulnerability in AFP Server in Apple Mac OS X before
|       10.6.3 allows remote attackers to list a share root's parent directory.
|     Disclosure date: 2010-03-29
|     Exploit results:
|       Patrik Karlsson's Public Folder/../ (5 first items)
|       .bash_history
|       .bash_profile
|       .CFUserTextEncoding
|       .config/
|       .crash_report_checksum
|     References:
|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0533
|       http://support.apple.com/kb/HT1222
|_      http://www.cqure.net/wp/2010/03/detecting-apple-mac-os-x-afp-vulnerability-cve-2010-0533-with-nmap
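When this script runs across many hosts, the normal-format output above has to be triaged. The following is an added example, not part of the original page or of the Nmap project: a small Python parser that extracts the state, CVE IDs and exposed directory listing from each afp-path-vuln block. The function names and the shortened sample input are constructed for illustration.

```python
import re
# Constructed input: the sample output from this page, shortened.
SAMPLE = """\
PORT    STATE SERVICE
548/tcp open  afp
| afp-path-vuln:
|   VULNERABLE:
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2010-0533
|     Exploit results:
|       Patrik Karlsson's Public Folder/../ (5 first items)
|       .bash_history
|       .bash_profile
|     References:
|_      http://support.apple.com/kb/HT1222
"""
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+\S+")
HEADER_RE = re.compile(r"^\|[ _]([a-z0-9-]+):")  # "| script-id:" starts a block
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# States the vulns library reports by default, as listed under vulns.showall.
REPORTED = {"VULNERABLE", "LIKELY VULNERABLE",
            "VULNERABLE (DoS)", "VULNERABLE (Exploitable)"}

def parse_afp_path_vuln(text):
    """Return one dict per afp-path-vuln block in Nmap normal output."""
    findings, port, cur, section = [], None, None, None
    for raw in text.splitlines():
        if (m := PORT_RE.match(raw)):
            port, cur = m.group(1), None
        elif not raw.startswith("|"):
            cur = None  # left the script output area
        elif (m := HEADER_RE.match(raw)):
            cur, section = None, None  # any script header ends the previous block
            if m.group(1) == "afp-path-vuln":
                cur = {"port": port, "state": None, "ids": [], "listing": []}
                findings.append(cur)
        elif cur is not None:
            line = raw[2:].strip()  # drop the "| " / "|_" gutter
            if line.startswith("State:"):
                cur["state"] = line.split(":", 1)[1].strip()
            elif line.startswith("IDs:"):
                cur["ids"] = CVE_RE.findall(line)
            elif line in ("Description:", "Exploit results:", "References:"):
                section = line
            elif section == "Exploit results:":
                cur["listing"].append(line)  # exposed directory entries
    return findings

def needs_action(finding):
    """True when the state is one the vulns library treats as vulnerable."""
    return finding["state"] in REPORTED
```

Because the script returns nothing for a server that is not vulnerable, an empty result list for a host with port 548 open is the expected outcome on a patched system.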

Afp-path-vuln NSE Script Example XML Output


There is no sample XML output for this module. However, when the -oX <file> option is provided, Nmap produces XML output and saves it to the given file.

Author


  • Patrik Karlsson

Error Messages


The afp-path-vuln.nse script may fail with the following error messages. The code snippets below, taken from the script source code, show where each message is produced and can often help in identifying the root cause of the problem.

Login failed


Here is a relevant code snippet related to the "Login failed" error message:

      -- excerpt: authenticated branch of an if/else whose condition is not shown
      status, response = afp_helper:Login(username, password)
    else
      -- no credentials: log in with a nil username and password
      status, response = afp_helper:Login(nil, nil)
    end
    if ( not(status) ) then
      -- both messages go to Nmap's debug output (levels 1 and 3)
      stdnse.debug1("Login failed")
      stdnse.debug3("Login error: %s", response)
      return
    end

    status, shares = afp_helper:ListShares()

Login error: %s


Here is a relevant code snippet related to the "Login error: %s" error message:

    else
      status, response = afp_helper:Login(nil, nil)
    end
    if ( not(status) ) then
      stdnse.debug1("Login failed")
      -- response holds the error returned by Login; printed at debug level 3 or higher
      stdnse.debug3("Login error: %s", response)
      return
    end

    status, shares = afp_helper:ListShares()

Version


This page has been created based on Nmap version 7.92.
