View Issue Details

ID: 0007485
Project: Kali Linux
Category: Kali Package Bug
View Status: public
Last Update: 2022-01-06 14:14
Reporter: adrian.vollmer
Assigned To: sbrun
Priority: low
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 2021.3
Fixed in Version: 2022.1
Summary: 0007485: changeme can't handle relative paths
Description

If you try to pass a file to changeme using a relative path, it interprets the path as a hostname because it thinks the path doesn't exist.

In Kali, changeme is called using this wrapper script:

#!/bin/sh

set -e

cd /usr/share/changeme
exec ./changeme.py "$@"

As you can see, the directory is changed, which is why relative paths won't work anymore.

It's better to call it like this:

#!/bin/sh

set -e

export PYTHONPATH=/usr/share/changeme
exec /usr/share/changeme/changeme.py "$@"

Steps To Reproduce

Call changeme with a file in another directory using a relative path:

$ changeme ../nmap/synscan.xml

 #####################################################
#       _                                             #
#   ___| |__   __ _ _ __   __ _  ___ _ __ ___   ___   #
#  / __| '_ \ / _` | '_ \ / _` |/ _ \ '_ ` _ \ / _ \  #
# | (__| | | | (_| | | | | (_| |  __/ | | | | |  __/  #
#  \___|_| |_|\__,_|_| |_|\__, |\___|_| |_| |_|\___|  #
#                         |___/                       #
#  v1.2.3                                             #
#  Default Credential Scanner by @ztgrace             #
 #####################################################

Loaded 123 default credential profiles
Loaded 397 default credentials

No default credentials found

After my proposed patch, it looks like this:

$ changeme ../nmap/synscan.xml

 #####################################################
#       _                                             #
#   ___| |__   __ _ _ __   __ _  ___ _ __ ___   ___   #
#  / __| '_ \ / _` | '_ \ / _` |/ _ \ '_ ` _ \ / _ \  #
# | (__| | | | (_| | | | | (_| |  __/ | | | | |  __/  #
#  \___|_| |_|\__,_|_| |_|\__, |\___|_| |_| |_|\___|  #
#                         |___/                       #
#  v1.2.3                                             #
#  Default Credential Scanner by @ztgrace             #
 #####################################################

Loaded 123 default credential profiles
Loaded 397 default credentials

[13:54:44] [+] Found Apache Tomcat default cred XXXX:XXXX at http://XXXXXXXXX:8080/manager/html
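
The effect of the cd in the wrapper, reproduced with a stub tool. This is an added example, not code from the report or from the Kali package; tool.sh, wrapper_cd, wrapper_abs and the temp directory layout are constructed stand-ins. The stub classifies its argument the way the report describes: a path that does not exist as a file is treated as a hostname.

```sh
#!/bin/sh
# Constructed demo: a stub tool and two wrappers in a temp tree (not changeme itself).
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
install_dir="$demo_root/usr/share/tool"   # stands in for /usr/share/changeme
work_dir="$demo_root/home/scans/run1"     # the user's current directory
mkdir -p "$install_dir" "$work_dir" "$demo_root/home/scans/nmap"
: > "$demo_root/home/scans/nmap/synscan.xml"   # constructed, empty scan file

# Stub tool: an argument that exists as a file is a file, anything else a hostname.
cat > "$install_dir/tool.sh" <<'EOF'
if [ -f "$1" ]; then echo file; else echo hostname; fi
EOF

# Wrapper A: original pattern, cd into the install directory before exec.
# (Scripts are run via sh so the demo does not need exec permission in the temp dir.)
cat > "$demo_root/wrapper_cd" <<EOF
set -e
cd "$install_dir"
exec sh ./tool.sh "\$@"
EOF

# Wrapper B: proposed pattern, keep the caller's cwd and exec by absolute path.
cat > "$demo_root/wrapper_abs" <<EOF
set -e
exec sh "$install_dir/tool.sh" "\$@"
EOF

# Run a wrapper from the user's directory; prints how the stub classified $2.
run_wrapper() {
    ( cd "$work_dir" && sh "$demo_root/$1" "$2" )
}

for w in wrapper_cd wrapper_abs; do
    printf '%-12s ../nmap/synscan.xml -> %s\n' "$w" "$(run_wrapper "$w" ../nmap/synscan.xml)"
done
```

An absolute path passed to the cd-style wrapper still resolves, so the misclassification only appears with relative paths. For a scanner the practical consequence is a run that silently reports no findings.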

Activities

adrian.vollmer

2021-12-13 13:22

reporter   ~0015505

A better step to reproduce, in case you don't have a vulnerable server:

nmap -oX ../test.xml <someserver>
changeme -v ../test.xml

If working correctly, you should be seeing a line like this:

[14:17:46] Loaded 730 hosts from ../nmap/synscan.xml

With the current behavior, you will not see such a line.

sbrun

2022-01-06 14:14

manager   ~0015598

Thanks for the report.

It's fixed in version 1.2.3-3.

Issue History

Date Modified     Username        Field             Change
2021-12-13 12:55  adrian.vollmer  New Issue
2021-12-13 13:22  adrian.vollmer  Note Added: 0015505
2021-12-29 13:25  sbrun           Assigned To       => sbrun
2021-12-29 13:25  sbrun           Status            new => assigned
2022-01-06 14:14  sbrun           Status            assigned => resolved
2022-01-06 14:14  sbrun           Resolution        open => fixed
2022-01-06 14:14  sbrun           Fixed in Version  => 2022.1
2022-01-06 14:14  sbrun           Note Added: 0015598